* policy patch for FC5 anti-virus and Postgrey
@ 2006-06-21 12:02 Russell Coker
From: Russell Coker @ 2006-06-21 12:02 UTC (permalink / raw)
  To: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 1194 bytes --]

The attached policy patch and patch for one of the config files used in the 
RPM build process allow a FC5 system to correctly operate with Amavis and 
Postgrey.

These patches allow running a Postfix mail server with every sensible 
anti-spam measure on FC5 in enforcing mode.

If you know of any anti-spam measure other than CR which doesn't work with 
this then please let me know.  I'm running a bunch of mail servers and am 
always looking for new ways of protecting them.

If you apply the whole of modules-targeted.conf.diff, the result is a policy rpm 
that can't conveniently be installed with the code currently in FC5: you have to 
remove the amavis and clamav modules first.  
Doing this exposed a policy bug in that unconfined_t couldn't kill 
unlabeled_t processes or see their context, so I fixed that bug in the policy 
patch too.

Let me know if you would like a patch for rawhide to do the same things.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: rjc.diff --]
[-- Type: text/x-diff, Size: 12233 bytes --]

diff -ru serefpolicy-2.2.43.orig/policy/modules/kernel/kernel.if serefpolicy-2.2.43/policy/modules/kernel/kernel.if
--- serefpolicy-2.2.43.orig/policy/modules/kernel/kernel.if	2006-05-27 04:02:58.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/kernel/kernel.if	2006-06-18 19:45:10.000000000 +1000
@@ -1942,6 +1942,24 @@
 
 ########################################
 ## <summary>
+##	Allow caller to stat unlabeled processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_unlabeled_procs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:process getattr;
+')
+
+########################################
+## <summary>
 ##	Allow caller to relabel unlabeled files.
 ## </summary>
 ## <param name="domain">
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/amavis.fc serefpolicy-2.2.43/policy/modules/services/amavis.fc
--- serefpolicy-2.2.43.orig/policy/modules/services/amavis.fc	2006-06-18 09:46:14.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/amavis.fc	2006-06-18 12:08:11.000000000 +1000
@@ -7,6 +7,6 @@
 /var/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/lib/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
-/var/run/amavis(d)?(/.*)?		gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/run/amavis(d)?/.+			gen_context(system_u:object_r:amavis_var_run_t,s0)
 /var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
 /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
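Review bot: The new pattern `/var/run/amavis(d)?/.+` no longer matches the `/var/run/amavis` or `/var/run/amavisd` directory itself, so that directory falls back to the generic /var/run label, and none of the amavis.te hunks adds a pid-directory file transition or an allow rule for creating entries in a generically labelled directory. If the aim was to let the longer `/var/run/amavis(d)?/clamd.pid` entry in clamav.fc take precedence, that should already happen with the old `(/.*)?` form since file-context lookup prefers the more specific entry. Either restore `(/.*)?` or state in the commit message why the directory must lose its `amavis_var_run_t` label.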
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/amavis.te serefpolicy-2.2.43/policy/modules/services/amavis.te
--- serefpolicy-2.2.43.orig/policy/modules/services/amavis.te	2006-06-18 09:46:14.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/amavis.te	2006-06-18 09:51:11.000000000 +1000
@@ -50,6 +50,7 @@
 allow amavis_t self:unix_stream_socket create_stream_socket_perms;
 allow amavis_t self:unix_dgram_socket create_socket_perms;
 allow amavis_t self:tcp_socket { listen accept };
+allow amavis_t proc_t:lnk_file read;
 
 # configuration files
 allow amavis_t amavis_etc_t:dir r_dir_perms;
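Review bot: `allow amavis_t proc_t:lnk_file read;` references the kernel module's `proc_t` directly from a services module, which breaks the refpolicy rule that other modules' types are reached only through their interfaces, and it will not link as a loadable module unless `proc_t` appears in a `gen_require`. The kernel module already provides this access; replace the raw rule with `kernel_read_proc_symlinks(amavis_t)`.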
@@ -62,10 +63,11 @@
 allow amavis_t amavis_quarantine_t:dir create_dir_perms;
 
 # Spool Files
+files_search_spool(amavis_t)
 allow amavis_t amavis_spool_t:dir manage_dir_perms;
 allow amavis_t amavis_spool_t:file manage_file_perms;
 allow amavis_t amavis_spool_t:sock_file create_file_perms;
-files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
+type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
 
 # tmp files
 allow amavis_t amavis_tmp_t:file create_file_perms;
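Review bot: The raw `type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;` only names the resulting type; the matching `allow amavis_t amavis_var_run_t:sock_file create_file_perms;` is not in this hunk, so unless it already exists elsewhere in amavis.te (not visible here) creating the socket in the spool directory is still denied after the transition fires. Dropping `files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })` also means a spool directory that amavis creates itself under /var/spool would get the generic spool label; if packaging always creates it, record that with a comment such as `# spool dir is created by the package; sockets created in it get amavis_var_run_t`. The clamav.fc hunk labels the clamd socket in this same directory as `clamd_var_run_t`, which is only consistent if clamd, not amavis, creates that socket — worth a sentence in the commit message.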
@@ -76,8 +78,6 @@
 allow amavis_t amavis_var_lib_t:file create_file_perms;
 allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
 allow amavis_t amavis_var_lib_t:dir create_dir_perms;
-files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
 
 # log files
 allow amavis_t amavis_var_log_t:file create_file_perms;
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/clamav.fc serefpolicy-2.2.43/policy/modules/services/clamav.fc
--- serefpolicy-2.2.43.orig/policy/modules/services/clamav.fc	2006-05-27 04:02:58.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/clamav.fc	2006-06-18 09:47:19.000000000 +1000
@@ -8,8 +8,10 @@
 /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
 /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav/clamd.ctl	-s	gen_context(system_u:object_r:clamd_sock_t,s0)
+/var/run/clamav/clamd.ctl	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/amavis(d)?/clamd.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
 /var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/spool/amavisd/clamd.sock	-s	gen_context(system_u:object_r:clamd_var_run_t)
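Review bot: The new entry `/var/spool/amavisd/clamd.sock -s gen_context(system_u:object_r:clamd_var_run_t)` omits the sensitivity argument that every other line in this file passes. With the `gen_context` macro from misc_macros.spt, an empty second argument yields a context ending in a bare `:` under `enable_mls` (an invalid context that breaks the file_contexts build), while under MCS the macro appends `:s0` itself so the mistake goes unnoticed on a targeted build. Change it to `gen_context(system_u:object_r:clamd_var_run_t,s0)`. The rewritten `clamd.ctl` line above now carries the same label as the `/var/run/clamav(/.*)?` rule and could simply be dropped, but that is cosmetic.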
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/clamav.if serefpolicy-2.2.43/policy/modules/services/clamav.if
--- serefpolicy-2.2.43.orig/policy/modules/services/clamav.if	2006-05-27 04:02:58.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/clamav.if	2006-06-18 09:47:19.000000000 +1000
@@ -35,11 +35,11 @@
 #
 interface(`clamav_stream_connect',`
 	gen_require(`
-		type clamd_t, clamd_sock_t, clamd_var_run_t;
+		type clamd_t, clamd_var_run_t;
 	')
 
 	allow $1 clamd_var_run_t:dir search;
-	allow $1 clamd_sock_t:sock_file write;
+	allow $1 clamd_var_run_t:sock_file write;
 	allow $1 clamd_t:unix_stream_socket connectto;
 ')
 
@@ -84,3 +84,21 @@
 	allow clamscan_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Access /var/lib/clamav
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`access_clam_home',`
+	gen_require(`
+		type clamd_var_lib_t;
+	')
+
+	allow $1 clamd_var_lib_t:dir search;
+')
+
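Review bot: `access_clam_home` does not follow the module-prefixed naming used by every other interface in this file (compare `clamav_stream_connect` above), and its parameter summary `Domain allowed to transition.` is wrong for a rule that only grants `dir search` on `clamd_var_lib_t`. Rename it to a `clamav_`-prefixed name (for example `clamav_search_lib`), change the parameter summary to `Domain allowed access.` and the interface summary to `Search the ClamAV database directory (/var/lib/clamav).`; the caller added in procmail.te must be renamed to match. The hunk also leaves a trailing blank line at end of file.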
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/clamav.te serefpolicy-2.2.43/policy/modules/services/clamav.te
--- serefpolicy-2.2.43.orig/policy/modules/services/clamav.te	2006-06-18 09:46:14.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/clamav.te	2006-06-18 11:44:36.000000000 +1000
@@ -15,10 +15,6 @@
 type clamd_etc_t;
 files_type(clamd_etc_t)
 
-# named socket type
-type clamd_sock_t;
-files_type(clamd_sock_t)
-
 # tmp files
 type clamd_tmp_t;
 files_tmp_file(clamd_tmp_t)
@@ -34,6 +30,7 @@
 # pid files
 type clamd_var_run_t;
 files_pid_file(clamd_var_run_t)
+typealias clamd_var_run_t alias clamd_sock_t;
 
 type clamscan_t;
 type clamscan_exec_t;
@@ -74,12 +71,6 @@
 	amavis_read_spool_file(clamd_t)
 ')
 
-# socket file
-allow clamd_t clamd_sock_t:file manage_file_perms;
-allow clamd_t clamd_sock_t:sock_file manage_file_perms;
-allow clamd_t clamd_sock_t:dir rw_dir_perms;
-files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
-
 # tmp files
 allow clamd_t clamd_tmp_t:file create_file_perms;
 allow clamd_t clamd_tmp_t:dir create_dir_perms;
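Review bot: Removing `allow clamd_t clamd_sock_t:sock_file manage_file_perms;` and `files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)` without adding an equivalent on `clamd_var_run_t` means the alias keeps old policy compiling, but whether clamd may still create `/var/run/clamav/clamd.ctl` now depends on the existing pid-file rules outside this hunk granting `sock_file` permissions on `clamd_var_run_t`; if they grant only `file`, add `allow clamd_t clamd_var_run_t:sock_file manage_file_perms;` next to them. The same question applies to the new `/var/spool/amavisd/clamd.sock` entry in clamav.fc, which sits in an `amavis_spool_t` directory: creating a `clamd_var_run_t` socket there needs write access to that directory and a `type_transition` for `clamd_t` on `amavis_spool_t:sock_file`, and neither appears in this patch. A short comment where the socket rules used to be, naming where the replacement rules live, would help the next reader.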
@@ -87,14 +78,10 @@
 
 # var/lib files for clamd
 allow clamd_t clamd_var_lib_t:file create_file_perms;
-allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
 allow clamd_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
 
 # log files
 allow clamd_t clamd_var_log_t:file create_file_perms;
-allow clamd_t clamd_var_log_t:sock_file create_file_perms;
 allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
 logging_log_filetrans(clamd_t,clamd_var_log_t,file)
 logging_send_syslog_msg(clamd_t)
@@ -163,10 +150,7 @@
 
 # var/lib files together with clamd
 allow freshclam_t clamd_var_lib_t:file create_file_perms;
-allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
 allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
 
 # pidfiles- var/run together with clamd
 allow freshclam_t clamd_var_run_t:file manage_file_perms;
@@ -176,7 +160,6 @@
 
 # log files (own logfiles only)
 allow freshclam_t freshclam_var_log_t:file create_file_perms;
-allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
 allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
 allow freshclam_t clamd_var_log_t:dir search;
 logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
@@ -230,7 +213,6 @@
 
 # var/lib files together with clamd
 allow clamscan_t clamd_var_lib_t:file r_file_perms;
-allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
 allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
 
 # tmp files
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/postfix.te serefpolicy-2.2.43/policy/modules/services/postfix.te
--- serefpolicy-2.2.43.orig/policy/modules/services/postfix.te	2006-06-18 09:46:14.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/postfix.te	2006-06-21 06:46:57.000000000 +1000
@@ -604,3 +604,7 @@
 	sasl_connect(postfix_smtpd_t)
 ')
 
+optional_policy(`
+	postgrey_socket_access(postfix_smtpd_t)
+')
+
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/postgrey.fc serefpolicy-2.2.43/policy/modules/services/postgrey.fc
--- serefpolicy-2.2.43.orig/policy/modules/services/postgrey.fc	2006-05-27 04:02:58.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/postgrey.fc	2006-06-18 20:12:44.000000000 +1000
@@ -4,5 +4,6 @@
 /usr/sbin/postgrey	--	gen_context(system_u:object_r:postgrey_exec_t,s0)
 
 /var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/var/run/postgrey/socket -s	gen_context(system_u:object_r:postgrey_var_run_t,s0)
 
 /var/lib/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_lib_t,s0)
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/postgrey.if serefpolicy-2.2.43/policy/modules/services/postgrey.if
--- serefpolicy-2.2.43.orig/policy/modules/services/postgrey.if	2006-05-27 04:02:58.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/postgrey.if	2006-06-21 06:46:14.000000000 +1000
@@ -1 +1,20 @@
 ## <summary>Postfix grey-listing server</summary>
+
+########################################
+## <summary>
+##      Write to postgrey socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to talk to postgrey
+##      </summary>
+## </param>
+#
+interface(`postgrey_socket_access',`
+        gen_require(`
+                type postgrey_var_run_t, postgrey_t;
+        ')
+
+        allow $1 postgrey_var_run_t:sock_file write;
+')
+
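Review bot: `postgrey_socket_access` grants only `sock_file write` on `postgrey_var_run_t` and no `unix_stream_socket connectto` on `postgrey_t`, so a client still fails at the connect() step; `postgrey_t` is pulled in by `gen_require` and never used, which points at the missing rule. Mirror `clamav_stream_connect` from this same patch: keep `allow $1 postgrey_var_run_t:sock_file write;` and add `allow $1 postgrey_t:unix_stream_socket connectto;`, and since `/var/run/postgrey/socket` sits in a directory postgrey.fc does not label, callers presumably also need search on /var/run (hedged: depends on what the caller already has). Naming it `postgrey_stream_connect` would match the convention, with the caller added in postfix.te renamed accordingly. The body is indented with spaces where the rest of the policy uses tabs.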
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/postgrey.te serefpolicy-2.2.43/policy/modules/services/postgrey.te
--- serefpolicy-2.2.43.orig/policy/modules/services/postgrey.te	2006-05-27 04:02:58.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/postgrey.te	2006-06-18 20:21:56.000000000 +1000
@@ -18,6 +18,8 @@
 
 type postgrey_var_run_t;
 files_pid_file(postgrey_var_run_t)
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, sock_file)
+allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
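Review bot: `files_pid_filetrans(postgrey_t, postgrey_var_run_t, sock_file)` and `allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;` are inserted into the declarations block (the `type`/`files_pid_file` section that precedes the `####` policy header), whereas refpolicy keeps access rules in the local policy section below; move them next to the existing pid-file rules, which start outside this hunk. Since `/var/run/postgrey/socket` lives in a subdirectory that postgrey.fc does not label, the transition presumably relies on that directory carrying the generic /var/run label; a comment such as `# socket is created under the unlabelled /var/run/postgrey dir` would record that assumption.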
 
 ########################################
 #
diff -ru serefpolicy-2.2.43.orig/policy/modules/services/procmail.te serefpolicy-2.2.43/policy/modules/services/procmail.te
--- serefpolicy-2.2.43.orig/policy/modules/services/procmail.te	2006-05-27 04:02:58.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/services/procmail.te	2006-06-18 09:47:19.000000000 +1000
@@ -112,3 +112,7 @@
 	spamassassin_exec(procmail_t)
 	spamassassin_exec_client(procmail_t)
 ')
+
+optional_policy(`
+	access_clam_home(procmail_t)
+')
diff -ru serefpolicy-2.2.43.orig/policy/modules/system/unconfined.if serefpolicy-2.2.43/policy/modules/system/unconfined.if
--- serefpolicy-2.2.43.orig/policy/modules/system/unconfined.if	2006-06-18 09:46:14.000000000 +1000
+++ serefpolicy-2.2.43/policy/modules/system/unconfined.if	2006-06-18 19:45:44.000000000 +1000
@@ -86,6 +86,11 @@
 	optional_policy(`
 		storage_unconfined($1)
 	')
+
+	optional_policy(`
+		kernel_getattr_unlabeled_procs($1)
+		kernel_kill_unlabeled($1)
+	')
 ')
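Review bot: The two `kernel_*` calls are wrapped in `optional_policy`, but the kernel module is part of the base policy and is never absent, so the wrapper is unnecessary and inconsistent with how other `kernel_` interfaces are called; invoke `kernel_getattr_unlabeled_procs($1)` and `kernel_kill_unlabeled($1)` directly. The enclosing interface starts outside the hunk. Because this grants every unconfined domain getattr and kill over `unlabeled_t` processes, a one-line comment such as `# processes left unlabeled after removing base modules; see commit message` would preserve the reason given in the mail.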
 
 ########################################
diff -ru serefpolicy-2.2.43.orig/policy/support/misc_macros.spt serefpolicy-2.2.43/policy/support/misc_macros.spt
--- serefpolicy-2.2.43.orig/policy/support/misc_macros.spt	2006-06-18 09:46:14.000000000 +1000
+++ serefpolicy-2.2.43/policy/support/misc_macros.spt	2006-06-18 09:47:19.000000000 +1000
@@ -37,7 +37,7 @@
 #
 # gen_context(context,mls_sensitivity,[mcs_categories])
 #
-define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
 
 ########################################
 #

[-- Attachment #3: modules-targeted.conf.diff --]
[-- Type: text/x-diff, Size: 642 bytes --]

--- modules-targeted.conf.orig	2006-06-18 12:41:13.000000000 +1000
+++ modules-targeted.conf	2006-06-18 13:19:02.000000000 +1000
@@ -1053,16 +1053,16 @@
 # Layer: services
 # Module: amavis
 #
-# Anti-virus
+# Amavis anti-virus framework for Email virus scanning
 # 
-amavis = module
+amavis = base
 
 # Layer: services
 # Module: clamav
 #
 # ClamAV Virus Scanner
 # 
-clamav = module
+clamav = base
 
 # Layer: system
 # Module: setrans
@@ -1078,3 +1078,10 @@
 # Policy for OPENVPN full-featured SSL VPN solution
 # 
 openvpn = base
+
+# Layer: services
+# Module: postgrey
+#
+# Policy for Postfix Gray-listing daemon
+# 
+postgrey = base
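Review bot: The new postgrey entry's comment spells it `Gray-listing` while the postgrey.if summary in the same patch says `grey-listing`; use one spelling, e.g. `# Policy for Postfix grey-listing daemon`. Switching amavis and clamav from `module` to `base` is what the commit message says makes the resulting rpm hard to install on FC5; a comment beside those two lines pointing at that caveat would save the next maintainer a surprise.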

