Marc Schwartz (via MN) wrote:
On Wed, 2006-06-21 at 16:53 +0100, Paul Howarth wrote:
> Marc Schwartz (via MN) wrote:
<snip>
>> The current modules then are:
>>
>> # semodule -l
>> amavis 1.0.4
>> clamav 1.0.1
>> myclamscan 0.2.0
>> mydcc 0.1.3
>> mypyzor 0.2.1
>> procmail 0.5.3
>> pyzor 1.0.1
>>
>>
>> No msgs are being reported by avclist subsequent to the above changes.
>> Specifically nothing wrt the postfix manpage weirdness.
>>
>> All else appears to be OK so far.
> Can you try restarting postfix? I think the manpage thing happened at
> that point.
Interesting. Recalling that, I had re-booted before my reply above and
had no msgs. However doing a service restart post-boot using
system-config-services, I get:
type=AVC msg=audit(1150906621.693:641): avc: denied { read } for pid=12784
comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877
scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0
tclass=file
type=SYSCALL msg=audit(1150906621.693:641): arch=40000003 syscall=11 success=yes exit=0
a0=9e14f80 a1=9dfb478 a2=9e14f98 a3=9e14e68 items=2 pid=12784 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postfix"
exe="/usr/sbin/postfix"
type=AVC_PATH msg=audit(1150906621.693:641):
path="/root/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1150906621.693:641): cwd="/"
type=PATH msg=audit(1150906621.693:641): item=0 name="/usr/sbin/postfix"
flags=101 inode=3132499 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150906621.693:641): item=1 flags=101 inode=754491 dev=16:07
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150906621.829:642): avc: denied { read } for pid=12796
comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877
scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0
tclass=file
type=SYSCALL msg=audit(1150906621.829:642): arch=40000003 syscall=11 success=yes exit=0
a0=9e15318 a1=9e00e50 a2=9e14f98 a3=9e14d00 items=2 pid=12796 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postfix"
exe="/usr/sbin/postfix"
type=AVC_PATH msg=audit(1150906621.829:642):
path="/root/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1150906621.829:642): cwd="/"
type=PATH msg=audit(1150906621.829:642): item=0 name="/usr/sbin/postfix"
flags=101 inode=3132499 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150906621.829:642): item=1 flags=101 inode=754491 dev=16:07
mode=0100755 ouid=0 ogid=0 rdev=00:00
Which seems to not involve the man pages, but font caches for some
reason.
That's just completely weird, but the audit records do support the idea of a file handle left open from somewhere: syscall=11 on an i386 box (arch=40000003) is execve, so the denial fires while /usr/sbin/postfix is being exec'ed, and that is exactly when SELinux re-checks every open descriptor inherited across the domain transition and closes the ones the new domain may not use, logging an AVC for each. The descriptor is presumably one that system-config-services (a GTK application, hence the fontconfig cache) had open and did not close before spawning the service script; the earlier man page denial after a restart from a different parent would fit the same pattern. To diagnose further, look at what the parent has open (e.g. the /proc/<pid>/fd listing for system-config-services) before restarting. Since the target types aren't consistent, they can't even be dontaudit-ed without an over-broad rule. Nothing should have broken, though — the leaked descriptor is simply closed, and success=yes shows the execve itself went ahead.
> Once that's done I'd like to try out the dcc and razor modules that are
> now in rawhide. That will involve going back to permissive mode for a
> while though.
OK, I've attached the dcc and razor policy files from the current FC5
selinux-policy package. Try installing those, check with `semodule -l`
that both modules actually loaded, put selinux in permissive mode, do a
restorecon on all of your dcc and razor files/directories and see what
happens. Bear in mind that permissive mode (setenforce 0) is system-wide
— every domain stops being enforced, not just dcc and razor — so keep the
window short: exercise the tools, collect the AVCs from the audit log,
and go back to enforcing (setenforce 1) before doing anything else.
Paul.
# dcc.fc -- file contexts for the Distributed Checksum Clearinghouse.
#
# "--" entries match regular files only, "-s" entries match sockets and
# an entry without a flag matches any object type.  DCC keeps writable
# state in /etc/dcc as well as /var/dcc (see the note in dcc.te), so both
# trees get the same writable dcc_var_t label.  The client map file and
# the dccifd socket are labelled separately wherever they may live;
# /var/run/dcc (dcc_var_run_t) is where dccifd/dccm keep pid files and
# sockets.
/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)

# All DCC executables live under bin_t directories (/usr/bin and
# /usr/libexec), which matters for the corecmd_search_* calls in dcc.if.
/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)

/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)

/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
## <summary>Distributed checksum clearinghouse spam filtering</summary>
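########################################
## <summary>
##	Execute cdcc in the cdcc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dcc_domtrans_cdcc',`
	gen_require(`
		type cdcc_t, cdcc_exec_t;
	')

	# cdcc is installed as /usr/bin/cdcc (see dcc.fc), which is under a
	# bin_t directory, so the caller needs search on bin_t -- not sbin_t --
	# to reach the entry point at all.
	corecmd_search_bin($1)
	domain_auto_trans($1,cdcc_exec_t,cdcc_t)

	# Let the child keep using the caller's descriptors and pipes, and
	# deliver its exit notification back to the caller.
	allow cdcc_t $1:fd use;
	allow cdcc_t $1:fifo_file rw_file_perms;
	allow cdcc_t $1:process sigchld;
')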
########################################
## <summary>
##	Execute cdcc in the cdcc domain, and
##	allow the specified role the cdcc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the cdcc domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the cdcc domain to use.
##	</summary>
## </param>
#
interface(`dcc_run_cdcc',`
	gen_require(`
		type cdcc_t;
	')

	# Interactive use: the role must be allowed to hold cdcc_t and the
	# resulting process must be able to read/write the caller's terminal.
	role $2 types cdcc_t;
	allow cdcc_t $3:chr_file rw_term_perms;

	# Everything else is the plain transition from dcc_domtrans_cdcc.
	dcc_domtrans_cdcc($1)
')
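########################################
## <summary>
##	Execute dcc_client in the dcc_client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dcc_domtrans_client',`
	gen_require(`
		type dcc_client_t, dcc_client_exec_t;
	')

	# The client is /usr/bin/dccproc (see dcc.fc), under a bin_t
	# directory, so the caller needs search on bin_t -- not sbin_t -- to
	# reach the entry point at all.
	corecmd_search_bin($1)
	domain_auto_trans($1,dcc_client_exec_t,dcc_client_t)

	# Let the child keep using the caller's descriptors and pipes, and
	# deliver its exit notification back to the caller.
	allow dcc_client_t $1:fd use;
	allow dcc_client_t $1:fifo_file rw_file_perms;
	allow dcc_client_t $1:process sigchld;
')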
########################################
## <summary>
##	Execute dcc_client in the dcc_client domain, and
##	allow the specified role the dcc_client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the dcc_client domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the dcc_client domain to use.
##	</summary>
## </param>
#
interface(`dcc_run_client',`
	gen_require(`
		type dcc_client_t;
	')

	# Interactive use: the role must be allowed to hold dcc_client_t and
	# the resulting process must be able to read/write the caller's terminal.
	role $2 types dcc_client_t;
	allow dcc_client_t $3:chr_file rw_term_perms;

	# Everything else is the plain transition from dcc_domtrans_client.
	dcc_domtrans_client($1)
')
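########################################
## <summary>
##	Execute dbclean in the dcc_dbclean domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dcc_domtrans_dbclean',`
	gen_require(`
		type dcc_dbclean_t, dcc_dbclean_exec_t;
	')

	# dbclean is /usr/libexec/dcc/dbclean (see dcc.fc), under a bin_t
	# directory; dccd's own open-coded transition in dcc.te already uses
	# corecmd_search_bin for it, so search bin_t here too rather than sbin_t.
	corecmd_search_bin($1)
	domain_auto_trans($1,dcc_dbclean_exec_t,dcc_dbclean_t)

	# Let the child keep using the caller's descriptors and pipes, and
	# deliver its exit notification back to the caller.
	allow dcc_dbclean_t $1:fd use;
	allow dcc_dbclean_t $1:fifo_file rw_file_perms;
	allow dcc_dbclean_t $1:process sigchld;
')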
########################################
## <summary>
##	Execute dbclean in the dcc_dbclean domain, and
##	allow the specified role the dcc_dbclean domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the dcc_dbclean domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the dcc_dbclean domain to use.
##	</summary>
## </param>
#
interface(`dcc_run_dbclean',`
	gen_require(`
		type dcc_dbclean_t;
	')

	# Interactive use: the role must be allowed to hold dcc_dbclean_t and
	# the resulting process must be able to read/write the caller's terminal.
	role $2 types dcc_dbclean_t;
	allow dcc_dbclean_t $3:chr_file rw_term_perms;

	# Everything else is the plain transition from dcc_domtrans_dbclean.
	dcc_domtrans_dbclean($1)
')
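########################################
## <summary>
##	Connect to dccifd over a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dcc_stream_connect_dccifd',`
	gen_require(`
		type dcc_var_t, dcc_var_run_t, dccifd_var_run_t, dccifd_t;
	')

	# The dccifd socket is labelled dccifd_var_run_t wherever it lives:
	# dcc.fc puts it under /etc/dcc and /var/run/dcc, and dccifd's own
	# type_transition gives the same label to sockets it creates in
	# /var/dcc.  The caller therefore has to be able to walk to each of
	# those directories; previously only the dcc_var_t tree was reachable,
	# so a client of /var/run/dcc/dccifd would have been denied the
	# directory search.
	files_search_etc($1)
	files_search_var($1)
	files_search_pids($1)
	allow $1 { dcc_var_t dcc_var_run_t }:dir search;

	# Only what a connect needs: stat and write the socket file, then
	# connect to the listening dccifd process.
	allow $1 dccifd_var_run_t:sock_file { getattr write };
	allow $1 dccifd_t:unix_stream_socket connectto;
')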
policy_module(dcc,1.0.0)

########################################
#
# Declarations
#

# cdcc: the daemon control utility.  Not an init daemon, so it gets a
# plain domain type entered via cdcc_exec_t and is usable from system_r.
type cdcc_t;
type cdcc_exec_t;
domain_type(cdcc_t)
domain_entry_file(cdcc_t,cdcc_exec_t)
role system_r types cdcc_t;

type cdcc_tmp_t;
files_tmp_file(cdcc_tmp_t)

# dccproc: the per-message client run from procmail and friends.
type dcc_client_t;
type dcc_client_exec_t;
domain_type(dcc_client_t)
domain_entry_file(dcc_client_t,dcc_client_exec_t)
role system_r types dcc_client_t;

# The client map (/etc/dcc/map, /var/dcc/map, /var/run/dcc/map in dcc.fc);
# every DCC domain gets read/write on it.
type dcc_client_map_t;
files_type(dcc_client_map_t)

type dcc_client_tmp_t;
files_tmp_file(dcc_client_tmp_t)

# dbclean: database maintenance, also spawned by dccd.
type dcc_dbclean_t;
type dcc_dbclean_exec_t;
domain_type(dcc_dbclean_t)
domain_entry_file(dcc_dbclean_t,dcc_dbclean_exec_t)
role system_r types dcc_dbclean_t;

type dcc_dbclean_tmp_t;
files_tmp_file(dcc_dbclean_tmp_t)

# The data tree (/etc/dcc and /var/dcc) and the /var/run/dcc directory.
# NOTE(review): dcc_var_run_t is declared with files_type rather than
# files_pid_file, so generic pid-directory interfaces will not cover it.
type dcc_var_t;
files_type(dcc_var_t)

type dcc_var_run_t;
files_type(dcc_var_run_t)

# dccd (server), dccifd (MTA/SpamAssassin interface) and dccm (sendmail
# milter) are init daemons, each with its own tmp and pid-file types.
type dccd_t;
type dccd_exec_t;
init_daemon_domain(dccd_t,dccd_exec_t)

type dccd_tmp_t;
files_tmp_file(dccd_tmp_t)

type dccd_var_run_t;
files_pid_file(dccd_var_run_t)

type dccifd_t;
type dccifd_exec_t;
init_daemon_domain(dccifd_t,dccifd_exec_t)

type dccifd_tmp_t;
files_tmp_file(dccifd_tmp_t)

type dccifd_var_run_t;
files_pid_file(dccifd_var_run_t)

type dccm_t;
type dccm_exec_t;
init_daemon_domain(dccm_t,dccm_exec_t)

type dccm_tmp_t;
files_tmp_file(dccm_tmp_t)

type dccm_var_run_t;
files_pid_file(dccm_var_run_t)

# NOTE: DCC has writeable files in /etc/dcc that should probably be in
# /var/lib/dcc. For now this policy supports both directories being
# writable.

# cjp: dccifd and dccm should be merged, as
# they have the same rules.
########################################
#
# dcc daemon controller (cdcc) local policy
#

# Process-level: capability setuid (presumably cdcc switches uid --
# confirm), plus the sockets it uses to talk to dccd (UDP) and to the
# local system (unix datagram).
allow cdcc_t self:capability setuid;
allow cdcc_t self:{ unix_dgram_socket udp_socket } create_socket_perms;

# Private temporary files.
allow cdcc_t cdcc_tmp_t:dir manage_dir_perms;
allow cdcc_t cdcc_tmp_t:file create_file_perms;
files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })

# The DCC data tree is read-only for cdcc, except for the client map,
# which it updates in place.
allow cdcc_t dcc_var_t:dir r_dir_perms;
allow cdcc_t dcc_var_t:file r_file_perms;
allow cdcc_t dcc_var_t:lnk_file { getattr read };
allow cdcc_t dcc_client_map_t:file rw_file_perms;

# Network: UDP to/from any port on any node.
# NOTE(review): a dcc port type exists (corenet_udp_bind_dcc_port is used
# by dccd); confirm whether the client side could be narrowed to it.
corenet_non_ipsec_sendrecv(cdcc_t)
corenet_udp_sendrecv_generic_if(cdcc_t)
corenet_udp_sendrecv_all_nodes(cdcc_t)
corenet_udp_sendrecv_all_ports(cdcc_t)

# Generic system access: /etc, shared libraries, syslog, locale,
# resolver configuration and DNS.
files_read_etc_files(cdcc_t)
files_read_etc_runtime_files(cdcc_t)

libs_use_ld_so(cdcc_t)
libs_use_shared_libs(cdcc_t)

logging_send_syslog_msg(cdcc_t)

miscfiles_read_localization(cdcc_t)

sysnet_read_config(cdcc_t)
sysnet_dns_name_resolve(cdcc_t)

optional_policy(`
	nscd_socket_use(cdcc_t)
')
########################################
#
# dcc procmail interface (dccproc) local policy
#

# Process-level: capability setuid (presumably dccproc switches uid --
# confirm), plus the sockets it uses to talk to dccd (UDP) and to the
# local system (unix datagram).
allow dcc_client_t self:capability setuid;
allow dcc_client_t self:{ unix_dgram_socket udp_socket } create_socket_perms;

# Private temporary files.
allow dcc_client_t dcc_client_tmp_t:dir manage_dir_perms;
allow dcc_client_t dcc_client_tmp_t:file create_file_perms;
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })

# The DCC data tree is read-only for the client, except for the client
# map, which it updates in place.
allow dcc_client_t dcc_var_t:dir r_dir_perms;
allow dcc_client_t dcc_var_t:file r_file_perms;
allow dcc_client_t dcc_var_t:lnk_file { getattr read };
allow dcc_client_t dcc_client_map_t:file rw_file_perms;

# Network: UDP to/from any port on any node.
# NOTE(review): a dcc port type exists (corenet_udp_bind_dcc_port is used
# by dccd); confirm whether the client side could be narrowed to it.
corenet_non_ipsec_sendrecv(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_all_nodes(dcc_client_t)
corenet_udp_sendrecv_all_ports(dcc_client_t)

# Generic system access: /etc, shared libraries, syslog, locale,
# resolver configuration and DNS.
files_read_etc_files(dcc_client_t)
files_read_etc_runtime_files(dcc_client_t)

libs_use_ld_so(dcc_client_t)
libs_use_shared_libs(dcc_client_t)

logging_send_syslog_msg(dcc_client_t)

miscfiles_read_localization(dcc_client_t)

sysnet_read_config(dcc_client_t)
sysnet_dns_name_resolve(dcc_client_t)

optional_policy(`
	nscd_socket_use(dcc_client_t)
')
########################################
#
# Database cleanup tool (dbclean) local policy
#

# No capabilities; just the UDP and unix datagram sockets.
allow dcc_dbclean_t self:{ unix_dgram_socket udp_socket } create_socket_perms;

# Private temporary files.
allow dcc_dbclean_t dcc_dbclean_tmp_t:dir manage_dir_perms;
allow dcc_dbclean_t dcc_dbclean_tmp_t:file create_file_perms;
files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })

# dbclean rewrites the database, so unlike the clients it gets full
# control of the DCC data tree, plus the shared client map.
allow dcc_dbclean_t dcc_var_t:dir manage_dir_perms;
allow dcc_dbclean_t dcc_var_t:file manage_file_perms;
allow dcc_dbclean_t dcc_var_t:lnk_file create_lnk_perms;
allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;

kernel_read_system_state(dcc_dbclean_t)

# Network: UDP to/from any port on any node.
corenet_non_ipsec_sendrecv(dcc_dbclean_t)
corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
corenet_udp_sendrecv_all_ports(dcc_dbclean_t)

# Generic system access: /etc, shared libraries, syslog, locale,
# resolver configuration and DNS.
files_read_etc_files(dcc_dbclean_t)
files_read_etc_runtime_files(dcc_dbclean_t)

libs_use_ld_so(dcc_dbclean_t)
libs_use_shared_libs(dcc_dbclean_t)

logging_send_syslog_msg(dcc_dbclean_t)

miscfiles_read_localization(dcc_dbclean_t)

sysnet_read_config(dcc_dbclean_t)
sysnet_dns_name_resolve(dcc_dbclean_t)

optional_policy(`
	nscd_socket_use(dcc_dbclean_t)
')
########################################
#
# Server daemon (dccd) local policy
#

# NOTE(review): net_admin is a broad capability (interface, routing and
# privileged socket-option changes); confirm dccd really needs it rather
# than something narrower.
allow dccd_t self:capability net_admin;
dontaudit dccd_t self:capability sys_tty_config;
allow dccd_t self:process signal_perms;
allow dccd_t self:unix_stream_socket create_socket_perms;
# Route/interface lookups over netlink; read-only (nlmsg_read, no nlmsg_write).
allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow dccd_t self:udp_socket create_socket_perms;

allow dccd_t dcc_client_map_t:file rw_file_perms;

# Access files in /var/dcc. The map file can be updated
# (these read-only rules are a subset of the manage rules below; kept
# for readability)
allow dccd_t dcc_var_t:dir r_dir_perms;
allow dccd_t dcc_var_t:file r_file_perms;
allow dccd_t dcc_var_t:lnk_file { getattr read };

# Runs the dbclean program
# (open-coded transition; bin_t search matches /usr/libexec/dcc/dbclean
# in dcc.fc)
domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
corecmd_search_bin(dccd_t)
allow dcc_dbclean_t dccd_t:fd use;
allow dcc_dbclean_t dccd_t:fifo_file rw_file_perms;
allow dcc_dbclean_t dccd_t:process sigchld;

# Updating dcc_db, flod, ...
allow dccd_t dcc_var_t:dir manage_dir_perms;
allow dccd_t dcc_var_t:file manage_file_perms;
allow dccd_t dcc_var_t:lnk_file create_lnk_perms;

allow dccd_t dccd_tmp_t:dir manage_dir_perms;
allow dccd_t dccd_tmp_t:file create_file_perms;
files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })

# Pid file in the generic pid directory.
allow dccd_t dccd_var_run_t:file create_file_perms;
allow dccd_t dccd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(dccd_t,dccd_var_run_t,file)

kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)

# Network: the server listens on the dcc port and exchanges UDP with
# any port on any node.
corenet_non_ipsec_sendrecv(dccd_t)
corenet_udp_sendrecv_generic_if(dccd_t)
corenet_udp_sendrecv_all_nodes(dccd_t)
corenet_udp_sendrecv_all_ports(dccd_t)
corenet_udp_bind_all_nodes(dccd_t)
corenet_udp_bind_dcc_port(dccd_t)

dev_read_sysfs(dccd_t)

# Standard init-daemon boilerplate: init descriptors and ptys, console
# noise silenced.
domain_use_interactive_fds(dccd_t)

files_read_etc_files(dccd_t)
files_read_etc_runtime_files(dccd_t)

fs_getattr_all_fs(dccd_t)
fs_search_auto_mountpoints(dccd_t)

term_dontaudit_use_console(dccd_t)

init_use_fds(dccd_t)
init_use_script_ptys(dccd_t)

libs_use_ld_so(dccd_t)
libs_use_shared_libs(dccd_t)

logging_send_syslog_msg(dccd_t)

miscfiles_read_localization(dccd_t)

sysnet_read_config(dccd_t)
sysnet_dns_name_resolve(dccd_t)

userdom_dontaudit_use_unpriv_user_fds(dccd_t)
userdom_dontaudit_search_sysadm_home_dirs(dccd_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dccd_t)
	term_dontaudit_use_generic_ptys(dccd_t)
	files_dontaudit_read_root_files(dccd_t)
')

optional_policy(`
	nscd_socket_use(dccd_t)
')

optional_policy(`
	seutil_sigchld_newrole(dccd_t)
')

optional_policy(`
	udev_read_db(dccd_t)
')
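########################################
#
# Spamassassin and general MTA persistent client (dccifd) local policy
#

dontaudit dccifd_t self:capability sys_tty_config;
allow dccifd_t self:process signal_perms;
allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
allow dccifd_t self:unix_dgram_socket create_socket_perms;
allow dccifd_t self:udp_socket create_socket_perms;

allow dccifd_t dcc_client_map_t:file rw_file_perms;

# Updating dcc_db, flod, ...  The whole DCC data tree is writable,
# including the sockets and fifos dccifd creates there; files and
# sockets it creates directly in the tree are labelled dccifd_var_run_t.
allow dccifd_t dcc_var_t:dir manage_dir_perms;
allow dccifd_t dcc_var_t:{ file sock_file fifo_file } manage_file_perms;
allow dccifd_t dcc_var_t:lnk_file create_lnk_perms;
type_transition dccifd_t dcc_var_t:{ file sock_file } dccifd_var_run_t;

allow dccifd_t dccifd_tmp_t:dir manage_dir_perms;
allow dccifd_t dccifd_tmp_t:file manage_file_perms;
files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })

# Pid file and listening socket.  dcc.fc labels /var/run/dcc as
# dcc_var_run_t and /var/run/dcc/dccifd as dccifd_var_run_t, so dccifd
# must be able to write that directory and have what it creates there
# land on dccifd_var_run_t -- the same rules dccm has for /var/run/dcc.
# Previously only the dcc_var_t tree was covered here, so a socket in
# /var/run/dcc would have been denied.
allow dccifd_t dccifd_var_run_t:file manage_file_perms;
allow dccifd_t dccifd_var_run_t:sock_file manage_file_perms;
allow dccifd_t dccifd_var_run_t:dir rw_dir_perms;
allow dccifd_t dcc_var_run_t:dir rw_dir_perms;
type_transition dccifd_t dcc_var_run_t:{ file sock_file } dccifd_var_run_t;
files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)

kernel_read_system_state(dccifd_t)
kernel_read_kernel_sysctls(dccifd_t)

# Network: UDP to/from any port on any node; may bind (no specific port).
corenet_non_ipsec_sendrecv(dccifd_t)
corenet_udp_sendrecv_generic_if(dccifd_t)
corenet_udp_sendrecv_all_nodes(dccifd_t)
corenet_udp_sendrecv_all_ports(dccifd_t)
corenet_udp_bind_all_nodes(dccifd_t)

dev_read_sysfs(dccifd_t)

# Standard init-daemon boilerplate: init descriptors and ptys, console
# noise silenced.
domain_use_interactive_fds(dccifd_t)

files_read_etc_files(dccifd_t)
files_read_etc_runtime_files(dccifd_t)

fs_getattr_all_fs(dccifd_t)
fs_search_auto_mountpoints(dccifd_t)

term_dontaudit_use_console(dccifd_t)

init_use_fds(dccifd_t)
init_use_script_ptys(dccifd_t)

libs_use_ld_so(dccifd_t)
libs_use_shared_libs(dccifd_t)

logging_send_syslog_msg(dccifd_t)

miscfiles_read_localization(dccifd_t)

sysnet_read_config(dccifd_t)
sysnet_dns_name_resolve(dccifd_t)

userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dccifd_t)
	term_dontaudit_use_generic_ptys(dccifd_t)
	files_dontaudit_read_root_files(dccifd_t)
')

optional_policy(`
	nscd_socket_use(dccifd_t)
')

optional_policy(`
	seutil_sigchld_newrole(dccifd_t)
')

optional_policy(`
	udev_read_db(dccifd_t)
')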
########################################
#
# sendmail milter client (dccm) local policy
#
# NOTE(review): near-identical to dccifd (see the cjp comment in the
# declarations).  One visible difference: dccm gets create_file_perms on
# the dcc_var_t tree where dccifd has manage_file_perms -- confirm which
# is intended before merging the two.

dontaudit dccm_t self:capability sys_tty_config;
allow dccm_t self:process signal_perms;
allow dccm_t self:unix_stream_socket create_stream_socket_perms;
allow dccm_t self:unix_dgram_socket create_socket_perms;
allow dccm_t self:udp_socket create_socket_perms;

allow dccm_t dcc_client_map_t:file rw_file_perms;

# Writable DCC data tree, including sockets and fifos created there.
allow dccm_t dcc_var_t:dir manage_dir_perms;
allow dccm_t dcc_var_t:{ file sock_file fifo_file } create_file_perms;
allow dccm_t dcc_var_t:lnk_file create_lnk_perms;

allow dccm_t dccm_tmp_t:dir manage_dir_perms;
allow dccm_t dccm_tmp_t:file manage_file_perms;
files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })

# Pid file and milter socket under /var/run/dcc (dcc_var_run_t):
# anything dccm creates there is labelled dccm_var_run_t.
# (the dccm_var_run_t:file rule appears twice; harmless)
allow dccm_t dccm_var_run_t:file manage_file_perms;
allow dccm_t dccm_var_run_t:sock_file manage_file_perms;
allow dccm_t dcc_var_run_t:dir rw_dir_perms;
type_transition dccm_t dcc_var_run_t:{ file sock_file } dccm_var_run_t;
allow dccm_t dccm_var_run_t:file manage_file_perms;
allow dccm_t dccm_var_run_t:dir rw_dir_perms;
files_pid_filetrans(dccm_t,dccm_var_run_t,file)

kernel_read_system_state(dccm_t)
kernel_read_kernel_sysctls(dccm_t)

# Network: UDP to/from any port on any node (no bind, unlike dccifd).
corenet_non_ipsec_sendrecv(dccm_t)
corenet_udp_sendrecv_generic_if(dccm_t)
corenet_udp_sendrecv_all_nodes(dccm_t)
corenet_udp_sendrecv_all_ports(dccm_t)

dev_read_sysfs(dccm_t)

# Standard init-daemon boilerplate: init descriptors and ptys, console
# noise silenced.
domain_use_interactive_fds(dccm_t)

files_read_etc_files(dccm_t)
files_read_etc_runtime_files(dccm_t)

fs_getattr_all_fs(dccm_t)
fs_search_auto_mountpoints(dccm_t)

term_dontaudit_use_console(dccm_t)

init_use_fds(dccm_t)
init_use_script_ptys(dccm_t)

libs_use_ld_so(dccm_t)
libs_use_shared_libs(dccm_t)

logging_send_syslog_msg(dccm_t)

miscfiles_read_localization(dccm_t)

sysnet_read_config(dccm_t)
sysnet_dns_name_resolve(dccm_t)

userdom_dontaudit_use_unpriv_user_fds(dccm_t)
userdom_dontaudit_search_sysadm_home_dirs(dccm_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dccm_t)
	term_dontaudit_use_generic_ptys(dccm_t)
	files_dontaudit_read_root_files(dccm_t)
')

optional_policy(`
	nscd_socket_use(dccm_t)
')

optional_policy(`
	seutil_sigchld_newrole(dccm_t)
')

optional_policy(`
	udev_read_db(dccm_t)
')
# razor.fc -- file contexts for Vipul's Razor.
#
# In strict policy each user role gets its own ~/.razor type
# (ROLE_razor_home_t, created by razor_per_userdomain_template in razor.if).
ifdef(`strict_policy',`
HOME_DIR/\.razor(/.*)?	gen_context(system_u:object_r:ROLE_razor_home_t,s0)
')

# System-wide config, the executables (razor-* are symlinks to one
# program, per razor.if), persistent state and the agent log.
# NOTE(review): /usr/bin/razor.* matches every regular file whose name
# starts with "razor"; fine for the stock install, but worth knowing if
# unrelated razor-prefixed tools get installed there.
/etc/razor(/.*)?	gen_context(system_u:object_r:razor_etc_t,s0)
/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)
/var/lib/razor(/.*)?	gen_context(system_u:object_r:razor_var_lib_t,s0)
/var/log/razor-agent.log	--	gen_context(system_u:object_r:razor_log_t,s0)
## <summary>A distributed, collaborative, spam detection and filtering
network.</summary>
## <desc>
## <p>
## A distributed, collaborative, spam detection and filtering network.
## </p>
## <p>
## This policy will work with either the ATrpms provided config
## file in /etc/razor, or with the default of dumping everything into
## $HOME/.razor.
## </p>
## </desc>
#######################################
## <summary>
##	Template to create types and rules common to
##	all razor domains.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`razor_common_domain_template',`
	# NOTE(review): this is a complement set -- every process permission
	# *except* the listed ones is granted, including any permission a
	# later policy version adds to the process class.  An explicit
	# positive list would be the least-privilege form; left as-is here
	# to preserve behaviour.
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem
		execstack execheap };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	allow $1_t self:tcp_socket create_socket_perms;

	# Read system config file
	allow $1_t razor_etc_t:dir list_dir_perms;
	allow $1_t razor_etc_t:file read_file_perms;
	allow $1_t razor_etc_t:lnk_file { getattr read };

	# The agent log is fully managed and new files in the log directory
	# get the razor log label.
	allow $1_t razor_log_t:dir manage_dir_perms;
	allow $1_t razor_log_t:file manage_file_perms;
	allow $1_t razor_log_t:lnk_file create_lnk_perms;
	logging_log_filetrans($1_t,razor_log_t,file)

	# Persistent state under /var/lib/razor.
	allow $1_t razor_var_lib_t:dir manage_dir_perms;
	allow $1_t razor_var_lib_t:file manage_file_perms;
	allow $1_t razor_var_lib_t:lnk_file create_lnk_perms;
	files_search_var_lib($1_t)

	# Razor is one executable and several symlinks
	allow $1_t razor_exec_t:{ file lnk_file } { getattr read };

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_read_kernel_sysctls($1_t)

	# Executes other bin_t programs (presumably the perl interpreter and
	# helpers -- confirm); this is broad for a domain that processes mail.
	corecmd_exec_bin($1_t)

	# Network: TCP to/from any node, the razor port, raw sockets, and the
	# ability to bind.  NOTE(review): confirm a razor client needs
	# corenet_tcp_bind_all_nodes and raw socket traffic at all.
	corenet_tcp_sendrecv_generic_if($1_t)
	corenet_raw_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_razor_port($1_t)
	corenet_non_ipsec_sendrecv($1_t)
	corenet_tcp_bind_all_nodes($1_t)

	# mktemp and other randoms
	dev_read_rand($1_t)
	dev_read_urand($1_t)

	files_search_pids($1_t)
	# Allow access to various files in the /etc/directory including mtab
	# and nsswitch
	files_read_etc_files($1_t)
	files_read_etc_runtime_files($1_t)

	fs_search_auto_mountpoints($1_t)

	libs_use_ld_so($1_t)
	libs_use_shared_libs($1_t)
	libs_read_lib_files($1_t)

	miscfiles_read_localization($1_t)

	sysnet_read_config($1_t)
	sysnet_dns_name_resolve($1_t)

	# May use descriptors inherited from any unprivileged user domain.
	userdom_use_unpriv_users_fds($1_t)

	optional_policy(`
		nis_use_ypbind($1_t)
	')
')
#######################################
## <summary>
##	The per user domain template for the razor module.
## </summary>
## <desc>
##	<p>
##	The per user domain template for the razor module.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`razor_per_userdomain_template',`
	# A private razor domain per user prefix, entered from the user's
	# domain via razor_exec_t and sharing the common razor rules.
	type $1_razor_t;
	domain_type($1_razor_t)
	domain_entry_file($1_razor_t,razor_exec_t)
	razor_common_domain_template($1_razor)
	role $3 types $1_razor_t;

	# ~/.razor contents; the old name $1_razor_rw_t is kept as an alias.
	type $1_razor_home_t alias $1_razor_rw_t;
	files_poly_member($1_razor_home_t)
	userdom_user_home_content($1,$1_razor_home_t)

	type $1_razor_tmp_t;
	files_tmp_file($1_razor_tmp_t)

	##############################
	#
	# Local policy
	#

	allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;

	# Full control of ~/.razor; a directory created directly in the home
	# directory gets the razor home label.
	allow $1_razor_t $1_razor_home_t:dir manage_dir_perms;
	allow $1_razor_t $1_razor_home_t:file manage_file_perms;
	allow $1_razor_t $1_razor_home_t:lnk_file create_lnk_perms;
	userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir)

	allow $1_razor_t $1_razor_tmp_t:dir create_dir_perms;
	allow $1_razor_t $1_razor_tmp_t:file create_file_perms;
	files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })

	# Transition from the user domain, keep its descriptors and pipes,
	# and report exit status back to it.
	domain_auto_trans($2, razor_exec_t, $1_razor_t)
	allow $1_razor_t $2:fd use;
	allow $1_razor_t $2:fifo_file rw_file_perms;
	allow $1_razor_t $2:process sigchld;

	# The user domain itself may manage and relabel its ~/.razor, so the
	# user can edit or fix up labels by hand without a transition.
	allow $2 $1_razor_home_t:dir manage_dir_perms;
	allow $2 $1_razor_home_t:file manage_file_perms;
	allow $2 $1_razor_home_t:lnk_file create_lnk_perms;
	allow $2 $1_razor_home_t:{ dir file lnk_file } { relabelfrom relabelto };

	logging_send_syslog_msg($1_razor_t)

	userdom_search_user_home_dirs($1,$1_razor_t)
	# Allow razor to be run by hand. Needed by any action other than
	# invocation from a spam filter.
	userdom_use_user_terminals($1,$1_razor_t)

	# Home directories on NFS or CIFS, gated by the usual tunables.
	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_razor_t)
		fs_manage_nfs_files($1_razor_t)
		fs_manage_nfs_symlinks($1_razor_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_razor_t)
		fs_manage_cifs_files($1_razor_t)
		fs_manage_cifs_symlinks($1_razor_t)
	')

	optional_policy(`
		nscd_socket_use($1_razor_t)
	')
')
########################################
## <summary>
##	Execute razor in the system razor domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`razor_domtrans',`
	gen_require(`
		type razor_t, razor_exec_t;
	')

	# The child keeps the caller's descriptors and pipes and may notify
	# the caller of its exit ...
	allow razor_t $1:fd use;
	allow razor_t $1:fifo_file rw_file_perms;
	allow razor_t $1:process sigchld;

	# ... and running razor_exec_t from the caller lands in razor_t.
	domain_auto_trans($1, razor_exec_t, razor_t)
')
policy_module(razor,1.0.0)

########################################
#
# Declarations
#

# The system-wide razor domain (used when razor is run from a system
# spam filter rather than a user session); it shares the common rules
# with the per-user domains.
type razor_t;
type razor_exec_t;
domain_type(razor_t)
domain_entry_file(razor_t,razor_exec_t)
razor_common_domain_template(razor)
role system_r types razor_t;

# /etc/razor, /var/log/razor-agent.log and /var/lib/razor (see razor.fc).
type razor_etc_t;
files_config_file(razor_etc_t)

type razor_log_t;
logging_log_file(razor_log_t)

type razor_var_lib_t;
files_type(razor_var_lib_t)
########################################
#
# Local policy
#

allow razor_t self:tcp_socket create_socket_perms;

# NOTE(review): the common template only grants *read* on razor_etc_t,
# but the system domain additionally gets create/write on /etc/razor.
# Presumably this is for razor-admin creating or registering the
# configuration (confirm); it does mean a domain that processes untrusted
# mail can rewrite its own trusted configuration, which is worth
# confining to an explicit admin invocation if that is practical.
allow razor_t razor_etc_t:dir create_dir_perms;
allow razor_t razor_etc_t:file create_file_perms;
allow razor_t razor_etc_t:lnk_file create_lnk_perms;
files_search_etc(razor_t)

allow razor_t razor_log_t:file create_file_perms;
logging_log_filetrans(razor_t,razor_log_t,file)

allow razor_t razor_var_lib_t:file create_file_perms;
allow razor_t razor_var_lib_t:dir rw_dir_perms;
files_var_lib_filetrans(razor_t,razor_var_lib_t,file)

# Network: most of these duplicate the common template; the one addition
# is the outbound connect to the razor port.
corenet_non_ipsec_sendrecv(razor_t)
corenet_tcp_sendrecv_generic_if(razor_t)
corenet_raw_sendrecv_generic_if(razor_t)
corenet_tcp_sendrecv_all_nodes(razor_t)
corenet_raw_sendrecv_all_nodes(razor_t)
corenet_tcp_sendrecv_razor_port(razor_t)
corenet_tcp_bind_all_nodes(razor_t)
corenet_tcp_connect_razor_port(razor_t)

sysnet_read_config(razor_t)

# (wrapped in optional_policy although logging is a base module; harmless)
optional_policy(`
	logging_send_syslog_msg(razor_t)
')

optional_policy(`
	nscd_socket_use(razor_t)
')