* [patch] refpolicy: exim policy fixes
From: Devin Carraway @ 2008-02-20 10:00 UTC
To: selinux
Here are a handful of localized fixes to the Exim policy, based on SVN head
refpolicy and Debian Sid:
.fc:
- Debian uses a version-numbered naming scheme for exim binaries and
directories; tolerate a trailing digit, e.g. "/var/lib/exim4".
- var_run_t labels a PID file if it's there, but not a directory.
.te:
- add missing fowner/chown perms by exim_t on itself
- grant readonly access to var_lib_t, to read runtime-generated conf
- grant read on /dev/{u,}random; Exim may use either depending on the context
and how it was built
- dontaudit on reads to /proc/stat (read but not used, probably indirectly via
a libc call)
- grant missing TCP send/recv to the SMTP & identd ports; grant missing SMTP
connect (identd was already there)
- grant connect/sendrecv to LDAP, where the local mail accounts are often
defined
--
Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
Attachment: exim-refpolicy-fixes-20080220.patch (text/x-diff)
Index: exim.te
===================================================================
--- exim.te (revision 2617)
+++ exim.te (working copy)
@@ -42,7 +42,7 @@
# exim local policy
#
-allow exim_t self:capability { dac_override dac_read_search setuid setgid };
+allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket create_stream_socket_perms;
allow exim_t self:tcp_socket create_stream_socket_perms;
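Review bot: the cover note calls the new fowner/chown bits "perms by exim_t on itself", but the capability class is process-wide: chown and fowner let exim_t change ownership or mode of any file it can already reach under this policy, not a file of a particular type. Record in the commit message which operation (which spool, log or delivery file) produced the denial that motivated the grant, so the rule can later be narrowed once that object has its own type.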
@@ -65,18 +65,30 @@
manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
+files_read_var_lib_files(exim_t)
+
+dev_read_rand(exim_t)
+dev_read_urand(exim_t)
+
kernel_read_kernel_sysctls(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
+
corecmd_search_bin(exim_t)
corenet_all_recvfrom_unlabeled(exim_t)
corenet_tcp_sendrecv_all_if(exim_t)
corenet_tcp_sendrecv_all_nodes(exim_t)
corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_sendrecv_smtp_port(exim_t)
+corenet_tcp_sendrecv_auth_port(exim_t)
+corenet_tcp_sendrecv_ldap_port(exim_t)
corenet_tcp_bind_all_nodes(exim_t)
corenet_tcp_bind_smtp_port(exim_t)
corenet_tcp_bind_amavisd_send_port(exim_t)
corenet_tcp_connect_auth_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_connect_ldap_port(exim_t)
corenet_tcp_connect_inetd_child_port(exim_t)
# Init script handling
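Review bot: corenet_tcp_sendrecv_smtp_port, corenet_tcp_sendrecv_auth_port and corenet_tcp_sendrecv_ldap_port are redundant, since corenet_tcp_sendrecv_all_ports(exim_t), kept as context three lines above them, already covers those ports; drop the three added lines. files_read_var_lib_files(exim_t) also deserves a second look: it reads everything labelled generic var_lib_t, not only the runtime-generated Exim configuration the cover note mentions, so a dedicated type for that configuration would scope the access. kernel_dontaudit_read_system_state(exim_t) is acceptable, but put the reasoning from the cover note (read but not used, likely via libc) in a comment beside the call, because a dontaudit removes the evidence an auditor would otherwise see.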
Index: exim.fc
===================================================================
--- exim.fc (revision 2617)
+++ exim.fc (working copy)
@@ -1,4 +1,5 @@
-/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0)
-/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
-/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
-/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
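Review bot: the `\.` in `/var/run/exim[0-9]?\.pid` incidentally fixes the unescaped dot in the old `/var/run/exim.pid` spec, which matched any single character in that position; mention that in the commit message. `[0-9]?` admits exactly one optional trailing digit, which matches the cover note's "a trailing digit" and nothing wider. The new `/var/run/exim[0-9]?(/.*)?` entry is what makes the `dir` in `files_pid_filetrans(exim_t, exim_var_run_t, { file dir })` from the .te hunk consistent with the file contexts, and it does not overlap the `.pid` entry because the directory pattern requires a `/` after the name.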
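The .fc changes above are easiest to judge by running sample paths through the specs. The following is an added example, not part of the thread or of refpolicy: a small matcher that emulates how setfiles/matchpathcon apply anchored regular expressions and the optional file-type field (`--` for regular files) to paths. The spec lines are copied from the exim.fc hunk (before and after); the sample paths are constructed. The matcher assumes the file_contexts rule that the last matching spec wins and does not reproduce refpolicy's fc_sort reordering; `parse_fc`, `matching_specs` and `label` are hypothetical helpers written for this example.

```python
import re
from typing import List, NamedTuple, Optional


class Spec(NamedTuple):
    regex: str            # anchored regular expression over the whole path
    ftype: Optional[str]  # "--" regular file, "-d" directory, ...; None = any class
    setype: str           # type component of the gen_context() target


# Spec lines copied from the patch's exim.fc hunk: "before" and "after".
FC_OLD = r"""
/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0)
/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
"""

FC_NEW = r"""
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
"""

# Object class of the path being labelled -> file-type field it must satisfy.
KIND_TO_FTYPE = {"file": "--", "dir": "-d", "lnk": "-l", "sock": "-s",
                 "pipe": "-p", "chr": "-c", "blk": "-b"}


def parse_fc(text: str) -> List[Spec]:
    """Parse refpolicy .fc lines of the form: REGEX [FTYPE] gen_context(CONTEXT,MLS)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed fc line: {line!r}")
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
        if not m:
            raise ValueError(f"unrecognised context: {ctx!r}")
        setype = m.group(1).split(":")[2]  # user:role:type -> type
        specs.append(Spec(regex, ftype, setype))
    return specs


def matching_specs(specs: List[Spec], path: str, kind: str) -> List[Spec]:
    """All specs whose regex matches the whole path and whose file-type
    field, if present, admits this object class."""
    want = KIND_TO_FTYPE[kind]
    return [s for s in specs
            if (s.ftype is None or s.ftype == want) and re.fullmatch(s.regex, path)]


def label(specs: List[Spec], path: str, kind: str) -> Optional[str]:
    """Type the path would receive, or None if no spec matches.
    Assumption: the last matching spec wins; fc_sort is not reproduced."""
    matches = matching_specs(specs, path, kind)
    return matches[-1].setype if matches else None


OLD = parse_fc(FC_OLD)
NEW = parse_fc(FC_NEW)

if __name__ == "__main__":
    # Constructed sample paths, including Debian's versioned names.
    for path, kind in [("/usr/sbin/exim4", "file"), ("/var/run/exim4", "dir"),
                       ("/var/run/exim4.pid", "file"), ("/var/run/eximXpid", "file"),
                       ("/var/lib/exim4", "dir")]:
        print(f"{path:22} {kind:4} old={label(OLD, path, kind)} new={label(NEW, path, kind)}")
```

Running it shows the three points worth checking in review: the versioned binary and PID directory are labelled only by the new specs, `/var/run/exim4.pid` matches the `.pid` entry alone because the directory pattern needs a `/` after the name, and the old unescaped dot accepted a name like `/var/run/eximXpid` that the new `\.` rejects. `/var/lib/exim4` stays unlabelled by either version, which is why the .te change falls back to generic var_lib_t.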
* Re: [patch] refpolicy: exim policy fixes
From: Christopher J. PeBenito @ 2008-03-04 18:16 UTC
To: Devin Carraway; +Cc: selinux
On Wed, 2008-02-20 at 02:00 -0800, Devin Carraway wrote:
> Here are a handful of localized fixes to the Exim policy, based on SVN
> head refpolicy and Debian Sid:
Merged with two exceptions.
> - grant readonly access to var_lib_t, to read runtime-generated conf
This seems questionable. It sounds like there should be a specific type
for this.
> corenet_tcp_sendrecv_all_if(exim_t)
> corenet_tcp_sendrecv_all_nodes(exim_t)
> corenet_tcp_sendrecv_all_ports(exim_t)
> +corenet_tcp_sendrecv_smtp_port(exim_t)
> +corenet_tcp_sendrecv_auth_port(exim_t)
> +corenet_tcp_sendrecv_ldap_port(exim_t)
This is redundant since it can already sendrecv all ports.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [patch] refpolicy: exim policy fixes
From: Devin Carraway @ 2008-03-05 10:20 UTC
To: Christopher J. PeBenito; +Cc: selinux
On Tue, Mar 04, 2008 at 01:16:20PM -0500, Christopher J. PeBenito wrote:
> On Wed, 2008-02-20 at 02:00 -0800, Devin Carraway wrote:
> > Here are a handful of localized fixes to the Exim policy, based on SVN
> > head refpolicy and Debian Sid:
>
> Merged with two exceptions.
These look good. Tested successfully from svn trunk.
> > - grant readonly access to var_lib_t, to read runtime-generated conf
>
> This seems questionable. It sounds like there should be a specific type
> for this.
Agreed; I had a discrete type and entrypoints for the runtime config
generators in my original exim policy submission a few months ago, but that
wasn't among the bits that got merged. I can resubmit that portion as a
discrete patch. I'm still trying to determine, though, whether the runtime
config is necessary outside of Debian/Ubuntu.
> > corenet_tcp_sendrecv_all_if(exim_t)
> > corenet_tcp_sendrecv_all_nodes(exim_t)
> > corenet_tcp_sendrecv_all_ports(exim_t)
> > +corenet_tcp_sendrecv_smtp_port(exim_t)
> > +corenet_tcp_sendrecv_auth_port(exim_t)
> > +corenet_tcp_sendrecv_ldap_port(exim_t)
>
> This is redundant since it can already sendrecv all ports.
Hm, okay. My own testing had suggested all_ports was actually acting like
all-nonprivileged-ports, but now that I recheck I can't verify the behavior,
and current svn trunk can make & use outbound SMTP just fine.
Thanks.
--
Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2