[selinux-policy: 790/3172] add spamassassin

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:13:18 UTC 2010 

commit f932d8e3cb66ab8a09441a82924b0b76a638bd89
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Sat Oct 22 23:50:23 2005 +0000

    add spamassassin

 refpolicy/Changelog                               |    1 +
 refpolicy/policy/global_tunables                  |    3 +
 refpolicy/policy/modules/services/mta.fc          |    3 +-
 refpolicy/policy/modules/services/mta.if          |   18 +++
 refpolicy/policy/modules/services/sendmail.fc     |    2 -
 refpolicy/policy/modules/services/spamassassin.fc |   11 ++
 refpolicy/policy/modules/services/spamassassin.if |    3 +
 refpolicy/policy/modules/services/spamassassin.te |  158 +++++++++++++++++++++
 refpolicy/policy/modules/system/libraries.if      |   23 +++-
 refpolicy/policy/modules/system/userdomain.if     |    5 +-
 10 files changed, 218 insertions(+), 9 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 3b73d58..732188f 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -12,6 +12,7 @@
 	networkmanager
 	pegasus
 	radius
+	spamassassin
 	xdm
 
 * Wed Oct 19 2005 Chris PeBenito <selinux at tresys.com> - 20051019
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 3af5cad..933d75c 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -101,6 +101,9 @@ gen_tunable(read_untrusted_content,false)
 ## Allow ssh to run from inetd instead of as a daemon.
 gen_tunable(run_ssh_inetd,false)
 
+## Allow user spamassassin clients to use the network.
+gen_tunable(spamassassin_can_network,false)
+
 ## Allow squid to connect to all ports, not just
 ## HTTP, FTP, and Gopher ports.
 gen_tunable(squid_connect_any,false)
diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc
index 494c989..72c5818 100644
--- a/refpolicy/policy/modules/services/mta.fc
+++ b/refpolicy/policy/modules/services/mta.fc
@@ -1,12 +1,11 @@
 
 /etc/aliases			--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db		--	gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail(/.*)?				gen_context(system_u:object_r:etc_mail_t,s0)
 
-ifdef(`sendmail.te',`',`
 /usr/lib(64)?/sendmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /usr/sbin/sendmail(.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-')
 
 /var/mail(/.*)?				gen_context(system_u:object_r:mail_spool_t,s0)
 
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index fffbc96..c452cf0 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -331,6 +331,24 @@ interface(`mta_exec',`
 
 ########################################
 ## <summary>
+##	Read mail server configuration.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mta_read_config',`
+	gen_require(`
+		type etc_mail_t;
+	')
+
+	files_search_etc($1)
+	allow spamd_t etc_mail_t:dir list_dir_perms;
+	allow spamd_t etc_mail_t:file r_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read mail address aliases.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/sendmail.fc b/refpolicy/policy/modules/services/sendmail.fc
index be5c537..a86ec50 100644
--- a/refpolicy/policy/modules/services/sendmail.fc
+++ b/refpolicy/policy/modules/services/sendmail.fc
@@ -1,5 +1,3 @@
-# sendmail file contexts
-/etc/mail(/.*)?				gen_context(system_u:object_r:etc_mail_t,s0)
 
 /var/log/sendmail\.st		--	gen_context(system_u:object_r:sendmail_log_t,s0)
 /var/log/mail(/.*)?			gen_context(system_u:object_r:sendmail_log_t,s0)
diff --git a/refpolicy/policy/modules/services/spamassassin.fc b/refpolicy/policy/modules/services/spamassassin.fc
new file mode 100644
index 0000000..cea35a5
--- /dev/null
+++ b/refpolicy/policy/modules/services/spamassassin.fc
@@ -0,0 +1,11 @@
+
+/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
+
+ifdef(`targeted_policy',`',`
+HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
new file mode 100644
index 0000000..ee9932a
--- /dev/null
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -0,0 +1,3 @@
+## <summary>Filter used for removing unsolicited email.</summary>
+
+# cjp: TODO: integrate old spamassassin_macros.te
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
new file mode 100644
index 0000000..dd8b86d
--- /dev/null
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -0,0 +1,158 @@
+
+policy_module(spamassassin,0.9)
+
+########################################
+#
+# Declarations
+#
+
+# spamassassin client executable
+type spamc_exec_t;
+files_type(spamc_exec_t)
+
+type spamd_t;
+type spamd_exec_t;
+init_daemon_domain(spamd_t,spamd_exec_t)
+
+type spamd_tmp_t;
+files_tmp_file(spamd_tmp_t)
+
+type spamd_var_run_t;
+files_pid_file(spamd_var_run_t)
+
+type spamassassin_exec_t;
+files_type(spamassassin_exec_t)
+
+########################################
+#
+# Spamassassin daemon local policy
+#
+
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc.  Comment this if you are not
+# using this ability.
+
+allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+dontaudit spamd_t self:capability sys_tty_config;
+allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamd_t self:fd use;
+allow spamd_t self:fifo_file rw_file_perms;
+allow spamd_t self:shm create_shm_perms;
+allow spamd_t self:sem create_sem_perms;
+allow spamd_t self:msgq create_msgq_perms;
+allow spamd_t self:msg { send receive };
+allow spamd_t self:unix_dgram_socket create_socket_perms;
+allow spamd_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_t self:unix_dgram_socket sendto;
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
+
+allow spamd_t spamd_tmp_t:dir create_dir_perms;
+allow spamd_t spamd_tmp_t:file create_file_perms;
+files_create_tmp_files(spamd_t, spamd_tmp_t, { file dir })
+
+allow spamd_t spamd_var_run_t:file create_file_perms;
+allow spamd_t spamd_var_run_t:dir rw_dir_perms;
+files_create_pid(spamd_t,spamd_var_run_t)
+
+kernel_read_all_sysctl(spamd_t)
+kernel_read_system_state(spamd_t)
+
+corenet_tcp_sendrecv_all_if(spamd_t)
+corenet_udp_sendrecv_all_if(spamd_t)
+corenet_raw_sendrecv_all_if(spamd_t)
+corenet_tcp_sendrecv_all_nodes(spamd_t)
+corenet_udp_sendrecv_all_nodes(spamd_t)
+corenet_raw_sendrecv_all_nodes(spamd_t)
+corenet_tcp_bind_all_nodes(spamd_t)
+corenet_udp_bind_all_nodes(spamd_t)
+corenet_tcp_sendrecv_all_ports(spamd_t)
+corenet_tcp_bind_spamd_port(spamd_t)
+
+dev_read_sysfs(spamd_t)
+dev_read_urand(spamd_t)
+
+fs_getattr_all_fs(spamd_t)
+fs_search_auto_mountpoints(spamd_t)
+
+term_dontaudit_use_console(spamd_t)
+
+auth_dontaudit_read_shadow(spamd_t)
+
+corecmd_exec_bin(spamd_t)
+corecmd_search_sbin(spamd_t)
+
+domain_use_wide_inherit_fd(spamd_t)
+
+files_read_usr_files(spamd_t)
+files_read_etc_files(spamd_t)
+files_read_etc_runtime_files(spamd_t)
+
+init_use_fd(spamd_t)
+init_use_script_pty(spamd_t)
+init_dontaudit_rw_script_pid(spamd_t)
+
+libs_use_ld_so(spamd_t)
+libs_use_shared_libs(spamd_t)
+# Various Perl bits
+libs_use_lib(spamd_t)
+
+logging_send_syslog_msg(spamd_t)
+
+miscfiles_read_localization(spamd_t)
+
+sysnet_read_config(spamd_t)
+
+userdom_use_unpriv_users_fd(spamd_t)
+userdom_search_unpriv_user_home_dirs(spamd_t)
+userdom_dontaudit_search_sysadm_home_dir(spamd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(spamd_t)
+	term_dontaudit_use_generic_pty(spamd_t)
+	files_dontaudit_read_root_file(spamd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(spamd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(spamd_t)
+')
+
+optional_policy(`cron.te',`
+	cron_system_entry(spamd_t,spamd_exec_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(spamd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(spamd_t)
+')
+
+optional_policy(`sendmail.te',`
+	sendmail_stub(spamd_t)
+	mta_read_config(spamd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(spamd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(spamd_t)
+')
+
+optional_policy(`amavis.te', `
+# for bayes tokens
+allow spamd_t var_lib_t:dir { getattr search };
+allow spamd_t amavisd_lib_t:dir rw_dir_perms;
+allow spamd_t amavisd_lib_t:file create_file_perms;
+allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index a511e26..9b1da6a 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -197,6 +197,26 @@ interface(`libs_exec_lib_files',`
 
 ########################################
 ## <summary>
+##	Load and execute functions from generic
+##	lib files as shared libraries.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`libs_use_lib',`
+	gen_require(`
+		type lib_t;
+	')
+
+	files_list_usr($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 lib_t:file rx_file_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel files to the type used in library directories.
 ## </summary>
 ## <param name="domain">
@@ -223,9 +243,6 @@ interface(`libs_relabelto_lib_files',`
 interface(`libs_use_shared_libs',`
 	gen_require(`
 		type lib_t, shlib_t, texrel_shlib_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-		class file { rx_file_perms execmod };
 	')
 
 	files_list_usr($1)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index a8c077d..541f199 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1799,7 +1799,7 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
 		type sysadm_home_dir_t;
 	')
 
-	dontaudit $1 sysadm_home_dir_t:dir { getattr search };
+	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -2223,7 +2223,8 @@ interface(`userdom_search_unpriv_user_home_dirs',`
 		attribute user_home_dir_type;
 	')
 
-	allow $1 user_home_dir_type:dir search;
+	files_search_home($1)
+	allow $1 user_home_dir_type:dir search_dir_perms;
 ')
 
 ########################################

More information about the scm-commits mailing list