[selinux-policy: 790/3172] add spamassassin
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:13:18 UTC 2010
commit f932d8e3cb66ab8a09441a82924b0b76a638bd89
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Sat Oct 22 23:50:23 2005 +0000
add spamassassin
refpolicy/Changelog | 1 +
refpolicy/policy/global_tunables | 3 +
refpolicy/policy/modules/services/mta.fc | 3 +-
refpolicy/policy/modules/services/mta.if | 18 +++
refpolicy/policy/modules/services/sendmail.fc | 2 -
refpolicy/policy/modules/services/spamassassin.fc | 11 ++
refpolicy/policy/modules/services/spamassassin.if | 3 +
refpolicy/policy/modules/services/spamassassin.te | 158 +++++++++++++++++++++
refpolicy/policy/modules/system/libraries.if | 23 +++-
refpolicy/policy/modules/system/userdomain.if | 5 +-
10 files changed, 218 insertions(+), 9 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 3b73d58..732188f 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -12,6 +12,7 @@
networkmanager
pegasus
radius
+ spamassassin
xdm
* Wed Oct 19 2005 Chris PeBenito <selinux at tresys.com> - 20051019
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 3af5cad..933d75c 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -101,6 +101,9 @@ gen_tunable(read_untrusted_content,false)
## Allow ssh to run from inetd instead of as a daemon.
gen_tunable(run_ssh_inetd,false)
+## Allow user spamassassin clients to use the network.
+gen_tunable(spamassassin_can_network,false)
+
## Allow squid to connect to all ports, not just
## HTTP, FTP, and Gopher ports.
gen_tunable(squid_connect_any,false)
diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc
index 494c989..72c5818 100644
--- a/refpolicy/policy/modules/services/mta.fc
+++ b/refpolicy/policy/modules/services/mta.fc
@@ -1,12 +1,11 @@
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
-ifdef(`sendmail.te',`',`
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-')
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index fffbc96..c452cf0 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -331,6 +331,24 @@ interface(`mta_exec',`
########################################
## <summary>
+## Read mail server configuration.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mta_read_config',`
+ gen_require(`
+ type etc_mail_t;
+ ')
+
+ files_search_etc($1)
+ allow spamd_t etc_mail_t:dir list_dir_perms;
+ allow spamd_t etc_mail_t:file r_file_perms;
+')
+
+########################################
+## <summary>
## Read mail address aliases.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/sendmail.fc b/refpolicy/policy/modules/services/sendmail.fc
index be5c537..a86ec50 100644
--- a/refpolicy/policy/modules/services/sendmail.fc
+++ b/refpolicy/policy/modules/services/sendmail.fc
@@ -1,5 +1,3 @@
-# sendmail file contexts
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
diff --git a/refpolicy/policy/modules/services/spamassassin.fc b/refpolicy/policy/modules/services/spamassassin.fc
new file mode 100644
index 0000000..cea35a5
--- /dev/null
+++ b/refpolicy/policy/modules/services/spamassassin.fc
@@ -0,0 +1,11 @@
+
+/usr/bin/sa-learn -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
+
+ifdef(`targeted_policy',`',`
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
new file mode 100644
index 0000000..ee9932a
--- /dev/null
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -0,0 +1,3 @@
+## <summary>Filter used for removing unsolicited email.</summary>
+
+# cjp: TODO: integrate old spamassassin_macros.te
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
new file mode 100644
index 0000000..dd8b86d
--- /dev/null
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -0,0 +1,158 @@
+
+policy_module(spamassassin,0.9)
+
+########################################
+#
+# Declarations
+#
+
+# spamassassin client executable
+type spamc_exec_t;
+files_type(spamc_exec_t)
+
+type spamd_t;
+type spamd_exec_t;
+init_daemon_domain(spamd_t,spamd_exec_t)
+
+type spamd_tmp_t;
+files_tmp_file(spamd_tmp_t)
+
+type spamd_var_run_t;
+files_pid_file(spamd_var_run_t)
+
+type spamassassin_exec_t;
+files_type(spamassassin_exec_t)
+
+########################################
+#
+# Spamassassin daemon local policy
+#
+
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc. Comment this if you are not
+# using this ability.
+
+allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+dontaudit spamd_t self:capability sys_tty_config;
+allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamd_t self:fd use;
+allow spamd_t self:fifo_file rw_file_perms;
+allow spamd_t self:shm create_shm_perms;
+allow spamd_t self:sem create_sem_perms;
+allow spamd_t self:msgq create_msgq_perms;
+allow spamd_t self:msg { send receive };
+allow spamd_t self:unix_dgram_socket create_socket_perms;
+allow spamd_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_t self:unix_dgram_socket sendto;
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
+
+allow spamd_t spamd_tmp_t:dir create_dir_perms;
+allow spamd_t spamd_tmp_t:file create_file_perms;
+files_create_tmp_files(spamd_t, spamd_tmp_t, { file dir })
+
+allow spamd_t spamd_var_run_t:file create_file_perms;
+allow spamd_t spamd_var_run_t:dir rw_dir_perms;
+files_create_pid(spamd_t,spamd_var_run_t)
+
+kernel_read_all_sysctl(spamd_t)
+kernel_read_system_state(spamd_t)
+
+corenet_tcp_sendrecv_all_if(spamd_t)
+corenet_udp_sendrecv_all_if(spamd_t)
+corenet_raw_sendrecv_all_if(spamd_t)
+corenet_tcp_sendrecv_all_nodes(spamd_t)
+corenet_udp_sendrecv_all_nodes(spamd_t)
+corenet_raw_sendrecv_all_nodes(spamd_t)
+corenet_tcp_bind_all_nodes(spamd_t)
+corenet_udp_bind_all_nodes(spamd_t)
+corenet_tcp_sendrecv_all_ports(spamd_t)
+corenet_tcp_bind_spamd_port(spamd_t)
+
+dev_read_sysfs(spamd_t)
+dev_read_urand(spamd_t)
+
+fs_getattr_all_fs(spamd_t)
+fs_search_auto_mountpoints(spamd_t)
+
+term_dontaudit_use_console(spamd_t)
+
+auth_dontaudit_read_shadow(spamd_t)
+
+corecmd_exec_bin(spamd_t)
+corecmd_search_sbin(spamd_t)
+
+domain_use_wide_inherit_fd(spamd_t)
+
+files_read_usr_files(spamd_t)
+files_read_etc_files(spamd_t)
+files_read_etc_runtime_files(spamd_t)
+
+init_use_fd(spamd_t)
+init_use_script_pty(spamd_t)
+init_dontaudit_rw_script_pid(spamd_t)
+
+libs_use_ld_so(spamd_t)
+libs_use_shared_libs(spamd_t)
+# Various Perl bits
+libs_use_lib(spamd_t)
+
+logging_send_syslog_msg(spamd_t)
+
+miscfiles_read_localization(spamd_t)
+
+sysnet_read_config(spamd_t)
+
+userdom_use_unpriv_users_fd(spamd_t)
+userdom_search_unpriv_user_home_dirs(spamd_t)
+userdom_dontaudit_search_sysadm_home_dir(spamd_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(spamd_t)
+ term_dontaudit_use_generic_pty(spamd_t)
+ files_dontaudit_read_root_file(spamd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(spamd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(spamd_t)
+')
+
+optional_policy(`cron.te',`
+ cron_system_entry(spamd_t,spamd_exec_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(spamd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(spamd_t)
+')
+
+optional_policy(`sendmail.te',`
+ sendmail_stub(spamd_t)
+ mta_read_config(spamd_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(spamd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(spamd_t)
+')
+
+optional_policy(`amavis.te', `
+# for bayes tokens
+allow spamd_t var_lib_t:dir { getattr search };
+allow spamd_t amavisd_lib_t:dir rw_dir_perms;
+allow spamd_t amavisd_lib_t:file create_file_perms;
+allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index a511e26..9b1da6a 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -197,6 +197,26 @@ interface(`libs_exec_lib_files',`
########################################
## <summary>
+## Load and execute functions from generic
+## lib files as shared libraries.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`libs_use_lib',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ files_list_usr($1)
+ allow $1 lib_t:dir r_dir_perms;
+ allow $1 lib_t:lnk_file r_file_perms;
+ allow $1 lib_t:file rx_file_perms;
+')
+
+########################################
+## <summary>
## Relabel files to the type used in library directories.
## </summary>
## <param name="domain">
@@ -223,9 +243,6 @@ interface(`libs_relabelto_lib_files',`
interface(`libs_use_shared_libs',`
gen_require(`
type lib_t, shlib_t, texrel_shlib_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file { rx_file_perms execmod };
')
files_list_usr($1)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index a8c077d..541f199 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1799,7 +1799,7 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
type sysadm_home_dir_t;
')
- dontaudit $1 sysadm_home_dir_t:dir { getattr search };
+ dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
')
########################################
@@ -2223,7 +2223,8 @@ interface(`userdom_search_unpriv_user_home_dirs',`
attribute user_home_dir_type;
')
- allow $1 user_home_dir_type:dir search;
+ files_search_home($1)
+ allow $1 user_home_dir_type:dir search_dir_perms;
')
########################################
More information about the scm-commits
mailing list