New policy for pyzor

David Hampton hampton-rh at rainbolthampton.net
Tue Mar 22 01:23:14 UTC 2005


This is a new strict policy for the pyzor spam filter.  It is based on
the selinux-policy-strict-sources-1.23.2-1 fedora RPM.  This policy
requires the definition of a pyzor reserved port that was in the
net_contexts diff I sent last Wednesday.  Please let me know if there
are any problems with or changes needed to this policy.

David

-------------- next part --------------
# File contexts for pyzor.  Each line is: path regex, optional file-type
# filter (-- = regular files only), security context.  HOME_DIR and ROLE
# are placeholders expanded per user at policy build time (presumably by
# genhomedircon - confirm with the build).
# Shared client/daemon config.  Every pyzor domain in this policy gets
# read access to it; none of the explicit rules grant write.
/etc/pyzor(/.*)?			system_u:object_r:pyzor_etc_t
# Separate exec types for client and daemon so that exec of each binary
# transitions into a different domain (see pyzor_domain and pyzor.te).
/usr/bin/pyzor			--	system_u:object_r:pyzor_exec_t
/usr/bin/pyzord			--	system_u:object_r:pyzord_exec_t
# Daemon data dir: written by pyzord_t (create_dir_file), read-only for
# the per-role client domains.
/var/lib/pyzord(/.*)?			system_u:object_r:pyzor_var_lib_t
# Daemon log; the pyzord_log_t type comes from log_domain(pyzord).
/var/log/pyzord.log		--	system_u:object_r:pyzord_log_t
# Per-user state.  ROLE becomes the role prefix (user, sysadm) so the
# type matches what home_domain(ROLE, pyzor) declares.
HOME_DIR/\.pyzor(/.*)?			system_u:object_r:ROLE_pyzor_home_t
-------------- next part --------------
#
# Pyzor - Pyzor is a collaborative, networked system to detect and
#         block spam using identifying digests of messages.
#
# Author:  David Hampton <hampton at employees.org>
#

##########
# common definitions for pyzord and all flavors of pyzor
##########
define(`pyzor_base_domain',`
# Rules shared by every pyzor domain.  Argument 1 is the domain prefix
# (pyzord, pyzor, user_pyzor, sysadm_pyzor); rules apply to $1_t.
# Apart from what the tmp_domain macro grants, the explicit rules below
# are read-only (getattr, read, search).

# Networking: UDP to the pyzor server port (the protocol itself), a TCP
# client connection to http_port_t and name resolution.  The HTTP access
# presumably serves the client server-list download; the daemon also
# inherits it through this macro, so confirm it is wanted there.
can_network_client_tcp($1_t, http_port_t);
can_network_udp($1_t, pyzor_port_t);
can_resolve($1_t);

general_proc_read_access($1_t)

# Private scratch-file type for the domain (presumably $1_tmp_t).
tmp_domain($1)

# Interpreter and shared-library lookup; the remaining var_* search
# rules only allow path traversal, not reading the contents.
allow $1_t bin_t:dir { getattr search };
allow $1_t bin_t:file getattr;
allow $1_t lib_t:file { getattr read };
allow $1_t { var_t var_lib_t var_run_t }:dir search;
uses_shlib($1_t)

# Python does a getattr on this file
allow $1_t pyzor_exec_t:file getattr;

# mktemp and other randoms
allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;

# Allow access to various files in the /etc/directory including mtab
# and nsswitch
allow $1_t { etc_t etc_runtime_t }:file { getattr read };
read_locale($1_t)
')


#
# Define a user domain for a pyzor
#
# Note: expects to be called with an argument of user, sysadm

define(`pyzor_domain',`
# Per-role client domain $1_pyzor_t, entered automatically when the
# $1_t user domain executes pyzor_exec_t.  Argument 1 is the role
# prefix (user, sysadm).  privlog and nscd_client_domain are attributes
# declared outside this file (presumably syslog and nscd client access).
type $1_pyzor_t, domain, privlog, nscd_client_domain;
role $1_r types $1_pyzor_t;
domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)

pyzor_base_domain($1_pyzor)

# Per-user config/data files
# (presumably declares $1_pyzor_home_t for HOME_DIR/.pyzor, matching the
# ROLE_pyzor_home_t entry in file_contexts - confirm the macro)
home_domain($1, pyzor)

# System config files
r_dir_file($1_pyzor_t, pyzor_etc_t)

# System data files - read-only here; write access to this type is
# granted only to pyzord_t in pyzor.te.  The trailing semicolon is
# inconsistent with the other macro calls in this file.
r_dir_file($1_pyzor_t, pyzor_var_lib_t);

allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;

# Allow pyzor to be run by hand.  Needed by any action other than
# invocation from a spam filter.
# These two rules hand the domain the controlling terminal and any
# descriptors inherited from sshd.  They are what makes an interactive
# ssh session work, but they also widen the domain beyond what a
# spam-filter callout needs; drop them if this domain is only ever
# entered by a filter.
allow $1_pyzor_t $1_devpts_t:chr_file rw_file_perms;
allow $1_pyzor_t sshd_t:fd use;
')
-------------- next part --------------
#
# Pyzor - Pyzor is a collaborative, networked system to detect and
#         block spam using identifying digests of messages.
#
# Author:  David Hampton <hampton at employees.org>
#

# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms.
# Pyzor normally dumps everything into $HOME/.pyzor.  By putting the
# following line to the spamassassin config file:
#
#	pyzor_options --homedir /etc/pyzor
#
# the various files will be put into appropriate directories.
# (I.E. The log file into /var/log, etc.)  This policy will work
# either way.

# Port type for the pyzor protocol.  The port number itself is assigned
# in net_contexts (see the covering mail); reserved_port_type presumably
# marks it as a privileged port that only an explicit name_bind rule may
# bind - confirm against the net_contexts entry.
type pyzor_port_t, port_type, reserved_port_type;

##########
# pyzor daemon
##########
# daemon_domain declares pyzord_t / pyzord_exec_t with the standard
# daemon rules; the extra attributes (declared outside this file)
# presumably give syslog and nscd client access.
daemon_domain(pyzord, `, privlog, nscd_client_domain')
pyzor_base_domain(pyzord)
# Server side of the protocol: bind the pyzor port.  Send/receive on it
# already come from can_network_udp in pyzor_base_domain.
allow pyzord_t pyzor_port_t:udp_socket name_bind;
# Lets the daemon use the sysadm ~/.pyzor directory (the default pyzor
# --homedir).  This gives a network-facing daemon access to a home
# directory type; it becomes unnecessary once --homedir /etc/pyzor is
# configured as described in the header comment.
home_domain_access(pyzord_t, sysadm, pyzor)
# Declares the pyzord_log_t type used for /var/log/pyzord.log.
log_domain(pyzord)

# Read shared daemon/client config file
r_dir_file(pyzord_t, pyzor_etc_t)

# Write shared daemon/client data dir
# (the daemon is the only domain in this policy given create access to
# pyzor_var_lib_t; the client domains are read-only)
allow pyzord_t var_lib_t:dir search;
create_dir_file(pyzord_t, pyzor_var_lib_t)

##########
# Pyzor query application - from system_r applications
##########
# pyzor_t is the client domain used when pyzor is run by a system_r
# service (spamd below) rather than by a logged-in user.  It carries the
# daemon attribute although it is not a long-running service, so every
# rule written against that attribute applies to it as well - confirm
# this is intended and not carried over from pyzord.
type pyzor_t, domain, privlog, daemon;
# Single exec type shared by the per-role user domains (pyzor_domain
# macro) and this domain; the domain entered depends on the caller.
type pyzor_exec_t, file_type, sysadmfile, exec_type;
role system_r types pyzor_t;

pyzor_base_domain(pyzor)

# System config/data files
# (presumably declares pyzor_etc_t and pyzor_var_lib_t and grants this
# domain access; both macros are defined outside this file, so check
# whether var_lib_domain grants write access the client does not need)
etcdir_domain(pyzor)
var_lib_domain(pyzor)

##########
##########

#
# Some spam filters execute the pyzor code directly.  Allow them access here.
#
# Only emitted when the spamd.te macro is defined, i.e. presumably when
# spamd.te is part of the policy build.
ifdef(`spamd.te',`
# spamd runs the pyzor client in the confined pyzor_t domain instead of
# its own.  The trailing semicolon is harmless but inconsistent with the
# other macro calls in this file.
domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);
# pyzor needs access to the email spamassassin is checking
# (read-only on spamd_tmp_t files; nothing here lets pyzor_t write back
# to spamd or reach any other spamd type)
allow pyzor_t spamd_tmp_t:file r_file_perms;
')

