From: Daniel J Walsh <dwalsh@redhat.com>
To: russell@coker.com.au
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: policy patch for FC5 anti-virus and Postgrey
Date: Wed, 21 Jun 2006 09:17:46 -0400
Message-ID: <449946F9.50809@redhat.com>
In-Reply-To: <200606212202.51319.russell@coker.com.au>

Russell Coker wrote:
> The attached policy patch and patch for one of the config files used in the 
> RPM build process allow a FC5 system to correctly operate with Amavis and 
> Postgrey.
>
> These patches allow running a Postfix mail server with every sensible 
> anti-spam measure on FC5 in enforcing mode.
>
> If you know of any anti-spam measure other than CR which doesn't work with 
> this then please let me know.  I'm running a bunch of mail servers and am 
> always looking for new ways of protecting them.
>
> If you apply all of the patch modules-targeted.conf.diff then the result will 
> be a policy rpm that can't conveniently be installed with the current code 
> that's in FC5.  You have to remove the amavis and clamav modules first.  
> Doing this exposed a policy bug in that unconfined_t couldn't kill 
> unlabeled_t processes or see their context, so I fixed that bug in the policy 
> patch too.
>
> Let me know if you would like a patch for rawhide to do the same things.
>   
Yes.
>   
> ------------------------------------------------------------------------
>
> diff -ru serefpolicy-2.2.43.orig/policy/modules/kernel/kernel.if serefpolicy-2.2.43/policy/modules/kernel/kernel.if
> --- serefpolicy-2.2.43.orig/policy/modules/kernel/kernel.if	2006-05-27 04:02:58.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/kernel/kernel.if	2006-06-18 19:45:10.000000000 +1000
> @@ -1942,6 +1942,24 @@
>  
>  ########################################
>  ## <summary>
> +##	Allow caller to stat unlabeled processes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_getattr_unlabeled_procs',`
> +	gen_require(`
> +		type unlabeled_t;
> +	')
> +
> +	allow $1 unlabeled_t:process getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Allow caller to relabel unlabeled files.
>  ## </summary>
>  ## <param name="domain">
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/amavis.fc serefpolicy-2.2.43/policy/modules/services/amavis.fc
> --- serefpolicy-2.2.43.orig/policy/modules/services/amavis.fc	2006-06-18 09:46:14.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/amavis.fc	2006-06-18 12:08:11.000000000 +1000
> @@ -7,6 +7,6 @@
>  /var/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
>  /var/lib/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
>  /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
> -/var/run/amavis(d)?(/.*)?		gen_context(system_u:object_r:amavis_var_run_t,s0)
> +/var/run/amavis(d)?/.+			gen_context(system_u:object_r:amavis_var_run_t,s0)
>  /var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
>  /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
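Review bot: changing `/var/run/amavis(d)?(/.*)?` to `/var/run/amavis(d)?/.+` removes the label from the /var/run/amavis and /var/run/amavisd directories themselves, which now fall back to the generic /var/run type. If that is deliberate (the clamav.fc hunk in this patch gives `/var/run/amavis(d)?/clamd.pid` its own label, so a shared directory may be the intent), say so in the commit message; otherwise add an explicit `-d` entry for the directory so a relabel does not strip amavis_var_run_t from it.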
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/amavis.te serefpolicy-2.2.43/policy/modules/services/amavis.te
> --- serefpolicy-2.2.43.orig/policy/modules/services/amavis.te	2006-06-18 09:46:14.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/amavis.te	2006-06-18 09:51:11.000000000 +1000
> @@ -50,6 +50,7 @@
>  allow amavis_t self:unix_stream_socket create_stream_socket_perms;
>  allow amavis_t self:unix_dgram_socket create_socket_perms;
>  allow amavis_t self:tcp_socket { listen accept };
> +allow amavis_t proc_t:lnk_file read;
>  
>  # configuration files
>  allow amavis_t amavis_etc_t:dir r_dir_perms;
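Review bot: `allow amavis_t proc_t:lnk_file read;` names a type owned by the kernel module directly; as a loadable module this will not build without a gen_require for proc_t, and refpolicy style is to go through the owning module's interface in any case. Replace it with the kernel layer call (kernel_read_system_state(amavis_t) in refpolicy), in line with the interface calls used elsewhere in this patch such as `files_search_spool(amavis_t)`.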
> @@ -62,10 +63,11 @@
>  allow amavis_t amavis_quarantine_t:dir create_dir_perms;
>  
>  # Spool Files
> +files_search_spool(amavis_t)
>  allow amavis_t amavis_spool_t:dir manage_dir_perms;
>  allow amavis_t amavis_spool_t:file manage_file_perms;
>  allow amavis_t amavis_spool_t:sock_file create_file_perms;
> -files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
> +type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
>  
>  # tmp files
>  allow amavis_t amavis_tmp_t:file create_file_perms;
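Review bot: the raw `type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;` only chooses the label of the new socket; it does not give amavis_t the create and other sock_file permissions on amavis_var_run_t that the target type needs, and none are visible in this hunk, so verify they exist further down in amavis.te. It also replaces the `files_spool_filetrans` interface call with a bare statement, which is the opposite direction from the rest of the patch. Finally, a socket amavis creates in its spool directory now carries the pid-file type while `/var/spool/amavisd/clamd.sock` in the same directory is labeled clamd_var_run_t by the clamav.fc hunk; a one-line comment on why the sockets live in the spool but take /var/run types would save the next reader some puzzling.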
> @@ -76,8 +78,6 @@
>  allow amavis_t amavis_var_lib_t:file create_file_perms;
>  allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
>  allow amavis_t amavis_var_lib_t:dir create_dir_perms;
> -files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
> -files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
>  
>  # log files
>  allow amavis_t amavis_var_log_t:file create_file_perms;
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/clamav.fc serefpolicy-2.2.43/policy/modules/services/clamav.fc
> --- serefpolicy-2.2.43.orig/policy/modules/services/clamav.fc	2006-05-27 04:02:58.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/clamav.fc	2006-06-18 09:47:19.000000000 +1000
> @@ -8,8 +8,10 @@
>  /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
>  
>  /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
> -/var/run/clamav/clamd.ctl	-s	gen_context(system_u:object_r:clamd_sock_t,s0)
> +/var/run/clamav/clamd.ctl	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
> +/var/run/amavis(d)?/clamd.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
>  /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
>  /var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
>  /var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
>  /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
> +/var/spool/amavisd/clamd.sock	-s	gen_context(system_u:object_r:clamd_var_run_t)
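Review bot: the new `/var/spool/amavisd/clamd.sock` entry is missing the `,s0` sensitivity argument that every other gen_context call in this file passes; with MLS enabled the macro expands `:$2` to an empty field and the context is invalid. Separately, now that clamd.ctl is labeled clamd_var_run_t, the explicit `/var/run/clamav/clamd.ctl -s` line is redundant with `/var/run/clamav(/.*)?` two lines above it and can be dropped.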
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/clamav.if serefpolicy-2.2.43/policy/modules/services/clamav.if
> --- serefpolicy-2.2.43.orig/policy/modules/services/clamav.if	2006-05-27 04:02:58.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/clamav.if	2006-06-18 09:47:19.000000000 +1000
> @@ -35,11 +35,11 @@
>  #
>  interface(`clamav_stream_connect',`
>  	gen_require(`
> -		type clamd_t, clamd_sock_t, clamd_var_run_t;
> +		type clamd_t, clamd_var_run_t;
>  	')
>  
>  	allow $1 clamd_var_run_t:dir search;
> -	allow $1 clamd_sock_t:sock_file write;
> +	allow $1 clamd_var_run_t:sock_file write;
>  	allow $1 clamd_t:unix_stream_socket connectto;
>  ')
>  
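Review bot: folding clamd_sock_t into clamd_var_run_t means `clamav_stream_connect` now allows writing any sock_file carrying the pid-file type rather than the one control socket; the object class still keeps the pid files themselves out of reach, so this is acceptable, but the interface summary (not shown here) should say so. Note also that the clamav.fc hunk labels `/var/spool/amavisd/clamd.sock` clamd_var_run_t, and a caller reaching clamd through that path additionally needs search on the amavis spool directory type, which this interface does not grant; either document that it covers only the /var/run/clamav socket or add the spool search.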
> @@ -84,3 +84,21 @@
>  	allow clamscan_t $1:process sigchld;
>  ')
>  
> +########################################
> +## <summary>
> +##	Access /var/lib/clamav
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`access_clam_home',`
> +	gen_require(`
> +		type clamd_var_lib_t;
> +	')
> +
> +	allow $1 clamd_var_lib_t:dir search;
> +')
> +
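Review bot: `access_clam_home` does not follow the module-prefix naming every other interface in this patch uses (`clamav_stream_connect`, `postgrey_socket_access`, `kernel_getattr_unlabeled_procs`); name it `clamav_search_lib` or similar so callers can tell which module provides it. The parameter doc says "Domain allowed to transition" but the interface grants only `clamd_var_lib_t:dir search`, so fix the description, and drop the extra blank line added at end of file.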
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/clamav.te serefpolicy-2.2.43/policy/modules/services/clamav.te
> --- serefpolicy-2.2.43.orig/policy/modules/services/clamav.te	2006-06-18 09:46:14.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/clamav.te	2006-06-18 11:44:36.000000000 +1000
> @@ -15,10 +15,6 @@
>  type clamd_etc_t;
>  files_type(clamd_etc_t)
>  
> -# named socket type
> -type clamd_sock_t;
> -files_type(clamd_sock_t)
> -
>  # tmp files
>  type clamd_tmp_t;
>  files_tmp_file(clamd_tmp_t)
> @@ -34,6 +30,7 @@
>  # pid files
>  type clamd_var_run_t;
>  files_pid_file(clamd_var_run_t)
> +typealias clamd_var_run_t alias clamd_sock_t;
>  
>  type clamscan_t;
>  type clamscan_exec_t;
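Review bot: `typealias clamd_var_run_t alias clamd_sock_t;` keeps sockets already labeled clamd_sock_t on disk, and any third-party policy referring to that type, working after the type is removed in the previous hunk, which is the right way to retire a type; add a comment marking it as a compatibility alias so it can be dropped in a later release rather than living on unexplained.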
> @@ -74,12 +71,6 @@
>  	amavis_read_spool_file(clamd_t)
>  ')
>  
> -# socket file
> -allow clamd_t clamd_sock_t:file manage_file_perms;
> -allow clamd_t clamd_sock_t:sock_file manage_file_perms;
> -allow clamd_t clamd_sock_t:dir rw_dir_perms;
> -files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
> -
>  # tmp files
>  allow clamd_t clamd_tmp_t:file create_file_perms;
>  allow clamd_t clamd_tmp_t:dir create_dir_perms;
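Review bot: removing `files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)` without a replacement means a socket clamd_t creates directly under /var/run is no longer transitioned; it gets the right type only because /var/run/clamav is already labeled clamd_var_run_t and the socket inherits from its parent directory. This hunk also deletes the only sock_file manage rule for clamd_t visible in the patch (it was on clamd_sock_t), so confirm an equivalent `allow clamd_t clamd_var_run_t:sock_file manage_file_perms;` exists elsewhere in clamav.te, otherwise clamd cannot create its control socket at all. Likewise a socket clamd_t creates in /var/spool/amavisd will inherit the spool type at runtime while the clamav.fc hunk labels it clamd_var_run_t, so restorecon and runtime labels disagree unless a type_transition from the spool type is added.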
> @@ -87,14 +78,10 @@
>  
>  # var/lib files for clamd
>  allow clamd_t clamd_var_lib_t:file create_file_perms;
> -allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
>  allow clamd_t clamd_var_lib_t:dir create_dir_perms;
> -files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
> -files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
>  
>  # log files
>  allow clamd_t clamd_var_log_t:file create_file_perms;
> -allow clamd_t clamd_var_log_t:sock_file create_file_perms;
>  allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
>  logging_log_filetrans(clamd_t,clamd_var_log_t,file)
>  logging_send_syslog_msg(clamd_t)
> @@ -163,10 +150,7 @@
>  
>  # var/lib files together with clamd
>  allow freshclam_t clamd_var_lib_t:file create_file_perms;
> -allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
>  allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
> -files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
> -files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
>  
>  # pidfiles- var/run together with clamd
>  allow freshclam_t clamd_var_run_t:file manage_file_perms;
> @@ -176,7 +160,6 @@
>  
>  # log files (own logfiles only)
>  allow freshclam_t freshclam_var_log_t:file create_file_perms;
> -allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
>  allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
>  allow freshclam_t clamd_var_log_t:dir search;
>  logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
> @@ -230,7 +213,6 @@
>  
>  # var/lib files together with clamd
>  allow clamscan_t clamd_var_lib_t:file r_file_perms;
> -allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
>  allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
>  
>  # tmp files
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/postfix.te serefpolicy-2.2.43/policy/modules/services/postfix.te
> --- serefpolicy-2.2.43.orig/policy/modules/services/postfix.te	2006-06-18 09:46:14.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/postfix.te	2006-06-21 06:46:57.000000000 +1000
> @@ -604,3 +604,7 @@
>  	sasl_connect(postfix_smtpd_t)
>  ')
>  
> +optional_policy(`
> +	postgrey_socket_access(postfix_smtpd_t)
> +')
> +
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/postgrey.fc serefpolicy-2.2.43/policy/modules/services/postgrey.fc
> --- serefpolicy-2.2.43.orig/policy/modules/services/postgrey.fc	2006-05-27 04:02:58.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/postgrey.fc	2006-06-18 20:12:44.000000000 +1000
> @@ -4,5 +4,6 @@
>  /usr/sbin/postgrey	--	gen_context(system_u:object_r:postgrey_exec_t,s0)
>  
>  /var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
> +/var/run/postgrey/socket -s	gen_context(system_u:object_r:postgrey_var_run_t,s0)
>  
>  /var/lib/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_lib_t,s0)
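Review bot: `/var/run/postgrey/socket -s` labels the socket but not the /var/run/postgrey directory, which stays at the generic /var/run type. That is exactly what lets the `files_pid_filetrans(..., sock_file)` in the postgrey.te hunk fire, so the two hunks are consistent, but the dependency is not obvious and deserves a comment. The separator between the path and `-s` is a single space where the neighbouring entries use tabs; align it.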
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/postgrey.if serefpolicy-2.2.43/policy/modules/services/postgrey.if
> --- serefpolicy-2.2.43.orig/policy/modules/services/postgrey.if	2006-05-27 04:02:58.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/postgrey.if	2006-06-21 06:46:14.000000000 +1000
> @@ -1 +1,20 @@
>  ## <summary>Postfix grey-listing server</summary>
> +
> +########################################
> +## <summary>
> +##      Write to postgrey socket
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to talk to postgrey
> +##      </summary>
> +## </param>
> +#
> +interface(`postgrey_socket_access',`
> +        gen_require(`
> +                type postgrey_var_run_t, postgrey_t;
> +        ')
> +
> +        allow $1 postgrey_var_run_t:sock_file write;
> +')
> +
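Review bot: `postgrey_socket_access` requires postgrey_t but never uses it, and `sock_file write` alone is not enough for a client to connect to a unix stream socket: the caller also needs `allow $1 postgrey_t:unix_stream_socket connectto;` and search on the directory holding the socket, exactly as `clamav_stream_connect` earlier in this patch grants both the dir search and the connectto. Name it `postgrey_stream_connect` for consistency with that interface, and indent with tabs rather than spaces as the rest of the policy does.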
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/postgrey.te serefpolicy-2.2.43/policy/modules/services/postgrey.te
> --- serefpolicy-2.2.43.orig/policy/modules/services/postgrey.te	2006-05-27 04:02:58.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/postgrey.te	2006-06-18 20:21:56.000000000 +1000
> @@ -18,6 +18,8 @@
>  
>  type postgrey_var_run_t;
>  files_pid_file(postgrey_var_run_t)
> +files_pid_filetrans(postgrey_t, postgrey_var_run_t, sock_file)
> +allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
>  
>  ########################################
>  #
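Review bot: the new `files_pid_filetrans(postgrey_t, postgrey_var_run_t, sock_file)` and `allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;` sit in the declarations section, above the `####` banner that begins the policy rules; move them down with the other postgrey_t rules. Note also that files_pid_filetrans only applies when the parent directory carries the generic /var/run type, so if /var/run/postgrey is ever given its own label in postgrey.fc the transition stops firing and the socket simply inherits the directory type.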
> diff -ru serefpolicy-2.2.43.orig/policy/modules/services/procmail.te serefpolicy-2.2.43/policy/modules/services/procmail.te
> --- serefpolicy-2.2.43.orig/policy/modules/services/procmail.te	2006-05-27 04:02:58.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/services/procmail.te	2006-06-18 09:47:19.000000000 +1000
> @@ -112,3 +112,7 @@
>  	spamassassin_exec(procmail_t)
>  	spamassassin_exec_client(procmail_t)
>  ')
> +
> +optional_policy(`
> +	access_clam_home(procmail_t)
> +')
> diff -ru serefpolicy-2.2.43.orig/policy/modules/system/unconfined.if serefpolicy-2.2.43/policy/modules/system/unconfined.if
> --- serefpolicy-2.2.43.orig/policy/modules/system/unconfined.if	2006-06-18 09:46:14.000000000 +1000
> +++ serefpolicy-2.2.43/policy/modules/system/unconfined.if	2006-06-18 19:45:44.000000000 +1000
> @@ -86,6 +86,11 @@
>  	optional_policy(`
>  		storage_unconfined($1)
>  	')
> +
> +	optional_policy(`
> +		kernel_getattr_unlabeled_procs($1)
> +		kernel_kill_unlabeled($1)
> +	')
>  ')
>  
>  ########################################
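Review bot: wrapping `kernel_getattr_unlabeled_procs($1)` and `kernel_kill_unlabeled($1)` in optional_policy is unnecessary; the kernel module is always part of the base policy, so refpolicy calls kernel_* interfaces unconditionally, and the surrounding optional_policy blocks guard genuinely optional modules such as storage. Call the two interfaces directly at this indentation level.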
> diff -ru serefpolicy-2.2.43.orig/policy/support/misc_macros.spt serefpolicy-2.2.43/policy/support/misc_macros.spt
> --- serefpolicy-2.2.43.orig/policy/support/misc_macros.spt	2006-06-18 09:46:14.000000000 +1000
> +++ serefpolicy-2.2.43/policy/support/misc_macros.spt	2006-06-18 09:47:19.000000000 +1000
> @@ -37,7 +37,7 @@
>  #
>  # gen_context(context,mls_sensitivity,[mcs_categories])
>  #
> -define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
> +define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
>  
>  ########################################
>  #
>   
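Review bot: the only change is removing the space between the closing `)` of the define and `dnl`; since dnl discards text only from itself to the end of the line, that space was being emitted into the m4 output wherever this support file is included. Harmless cleanup, but it is unrelated to the amavis/clamav/postgrey work and belongs in its own commit with that explanation.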
> ------------------------------------------------------------------------
>
> --- modules-targeted.conf.orig	2006-06-18 12:41:13.000000000 +1000
> +++ modules-targeted.conf	2006-06-18 13:19:02.000000000 +1000
> @@ -1053,16 +1053,16 @@
>  # Layer: services
>  # Module: amavis
>  #
> -# Anti-virus
> +# Amavis anti-virus framework for Email virus scanning
>  # 
> -amavis = module
> +amavis = base
>  
>  # Layer: services
>  # Module: clamav
>  #
>  # ClamAV Virus Scanner
>  # 
> -clamav = module
> +clamav = base
>  
>  # Layer: system
>  # Module: setrans
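Review bot: switching amavis and clamav from `module` to `base` compiles their rules into every targeted policy whether or not those daemons are installed, and, as the cover mail itself notes, the resulting rpm cannot be installed over an existing FC5 system until the loadable amavis and clamav modules are removed by hand. If the motivation is the clamd_sock_t retirement, the `typealias` added in clamav.te should already let rebuilt modules load cleanly, so keep `= module` unless there is another reason and state that reason in the commit message.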
> @@ -1078,3 +1078,10 @@
>  # Policy for OPENVPN full-featured SSL VPN solution
>  # 
>  openvpn = base
> +
> +# Layer: services
> +# Module: postgrey
> +#
> +# Policy for Postfix Gray-listing daemon
> +# 
> +postgrey = base
>   
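Review bot: postgrey is a small optional service with no dependency that forces it into the base policy; `postgrey = module` keeps the rules off systems that do not run it and avoids the same reinstall problem raised for amavis and clamav above. Also the description says "Gray-listing" while the postgrey.if summary says "grey-listing"; pick one spelling.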


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
