From: Konstantin Ryabitsev
To: meta@public-inbox.org
Date: Thu, 24 May 2018 15:03:06 -0400
Subject: [PATCH] Contribute SELinux policy for EL7
Message-ID: <20180524190306.GA23233@work>

This adds a SELinux policy suitable for RHEL/CentOS 7. It assumes the following:

- public-inbox-httpd and public-inbox-nntpd are running via systemd on sane ports (119 and 80/8080)
- /var/lib/public-inbox is the location for mainrepos
- /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
- /var/log/public-inbox is the location for logs
- mail delivery is done via postfix-pipe (if you're using public-inbox-watch, you shouldn't need to worry about this)

Signed-off-by: Konstantin Ryabitsev
---
 contrib/selinux/el7/publicinbox.fc |   7 +++
 contrib/selinux/el7/publicinbox.te | 101 +++++++++++++++++++++++++++++++++= ++++
 2 files changed, 108 insertions(+)
 create mode 100644 contrib/selinux/el7/publicinbox.fc
 create mode 100644 contrib/selinux/el7/publicinbox.te

diff --git a/contrib/selinux/el7/publicinbox.fc b/contrib/selinux/el7/publi= cinbox.fc
new file mode 100644
index 0000000..13ca949
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.fc
@@ -0,0 +1,7 @@ +/usr/(local/)?bin/public-inbox-httpd -- gen_context(system_u:object_r:p= ublicinbox_daemon_exec_t,s0) +/usr/(local/)?bin/public-inbox-nntpd -- gen_context(system_u:object_r:p= ublicinbox_daemon_exec_t,s0) +/usr/(local/)?bin/public-inbox-mda -- gen_context(system_u:object_r:p= ublicinbox_deliver_exec_t,s0) + +/var/lib/public-inbox(/.*)? gen_context(system_u:object_r:p= ublicinbox_var_lib_t,s0) +/var/run/public-inbox(/.*)? gen_context(system_u:object_r:p= ublicinbox_var_run_t,s0) +/var/log/public-inbox(/.*)? gen_context(system_u:object_r:p= ublicinbox_log_t,s0) diff --git a/contrib/selinux/el7/publicinbox.te b/contrib/selinux/el7/publi= cinbox.te new file mode 100644 index 0000000..d4feb98 --- /dev/null +++ b/contrib/selinux/el7/publicinbox.te 
@@ -0,0 +1,101 @@ +################## +# This policy allows running public-inbox-httpd and public-inbox-nntpd +# on reasonable ports (119 for nntpd and 80/443/8080 for httpd) +# +# It also allows delivering mail via postfix-pipe to public-inbox-mda +# +# Author: Konstantin Ryabitsev +# +policy_module(publicinbox, 1.0.0) + +require { + type postfix_pipe_t; + type spamc_t; + type spamd_t; +} + +################## +# Declarations + +type publicinbox_daemon_t; +type publicinbox_daemon_exec_t; +init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t) + +type publicinbox_var_lib_t; +files_type(publicinbox_var_lib_t) + +type publicinbox_log_t; +logging_log_file(publicinbox_log_t) + +type publicinbox_var_run_t; +files_tmp_file(publicinbox_var_run_t) + +type publicinbox_deliver_t; +type publicinbox_deliver_exec_t; +domain_type(publicinbox_deliver_t) +domain_entry_file(publicinbox_deliver_t, publicinbox_deliver_exec_t) +role system_r types publicinbox_deliver_t; + +#permissive publicinbox_daemon_t; +#permissive publicinbox_deliver_t; + +################## +# Daemons policy + +domain_use_interactive_fds(publicinbox_daemon_t) +files_read_etc_files(publicinbox_daemon_t) +miscfiles_read_localization(publicinbox_daemon_t) +allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms; +allow publicinbox_daemon_t self:tcp_socket { accept listen }; + +# Need to be able to manage and exec runtime files for inline::c +manage_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicin= box_var_run_t) +exec_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbo= x_var_run_t) + +# Logging +append_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_= log_t) +create_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_= log_t) +setattr_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox= _log_t) +logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir = }) + +# Run on http/httpcache and 
innd ports +corenet_tcp_bind_generic_node(publicinbox_daemon_t) +corenet_tcp_bind_http_port(publicinbox_daemon_t) +corenet_tcp_bind_http_cache_port(publicinbox_daemon_t) +corenet_tcp_bind_innd_port(publicinbox_daemon_t) + +# Allow reading anything publicinbox_var_lib_t +list_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox= _var_lib_t) +read_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbo= x_var_lib_t) + +# The daemon doesn't need to write to this dir, so ignore these AVCs +dontaudit publicinbox_daemon_t publicinbox_var_lib_t:file write; + +# Allow executing bin (for git, mostly) +corecmd_exec_bin(publicinbox_daemon_t) + +################## +# MDA policy +# This allows transitioning from postfix_pipe_t to publicinbox_deliver_t +# +domtrans_pattern(postfix_pipe_t, publicinbox_deliver_exec_t, publicinbox_d= eliver_t) +postfix_rw_inherited_master_pipes(publicinbox_deliver_t) +postfix_read_spool_files(publicinbox_deliver_t) + +files_read_etc_files(publicinbox_deliver_t) + +# Allow managing anything in publicinbox_var_lib_t +manage_dirs_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicin= box_var_lib_t) +manage_files_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publici= nbox_var_lib_t) + +# Allow executing bin (for git, mostly) +corecmd_exec_bin(publicinbox_deliver_t) + +# git-fast-import wants to access system state and other bits, so ignore t= hese AVCs +kernel_dontaudit_read_system_state(publicinbox_deliver_t) + +# Allow using spamc via domain transition +spamassassin_domtrans_client(publicinbox_deliver_t) +manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t) +read_files_pattern(spamd_t, publicinbox_var_lib_t, publicinbox_var_lib_t) + --=20 2.13.6
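Review bot: the /var/run/public-inbox(/.*)? entry in publicinbox.fc labels a directory that lives on tmpfs on EL7 (/var/run is /run), so it is gone after every reboot, and nothing in this patch recreates it: publicinbox_daemon_t gets manage_files_pattern and exec_files_pattern on publicinbox_var_run_t, but there is no rule letting it create the directory itself under var_run_t, and the commit message does not mention a tmpfiles.d entry. Either document a tmpfiles.d line that creates /var/run/public-inbox (systemd-tmpfiles labels it from file_contexts) or add a files_pid_filetrans() rule so the daemon can create it with the right type. Related, in the declarations of publicinbox.te: files_tmp_file(publicinbox_var_run_t) gives the type the tmpfile attribute, i.e. treats it as /tmp content that tmp-cleaning domains are allowed to purge; files_pid_file() is the refpolicy interface for /var/run content and is the better fit here.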
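Review bot: in the "Daemons policy" region of publicinbox.te, the line 'allow publicinbox_daemon_t self:tcp_socket { accept listen };' is redundant, because create_stream_socket_perms on the line above already expands to create_socket_perms plus listen and accept; drop it. In the same region, 'logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir })' has no name filter, so any file or directory the daemon creates directly under /var/log (var_log_t) becomes publicinbox_log_t, not only /var/log/public-inbox; pass the directory name as the fourth argument, 'logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, dir, "public-inbox")', and let files created inside inherit the label from the directory. Finally, the Inline::C rules give the network-facing daemon both manage and execute on publicinbox_var_run_t, so it may run code it has just written; that is what Inline::C's build cache needs, but the comment should state that trade-off explicitly, and precompiling at install time into a separate read-only-labelled directory would remove the write-plus-execute combination from this domain altogether.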
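Review bot: the "MDA policy" region of publicinbox.te depends on postfix_pipe_t, spamc_t and spamd_t through the top-level require block, so the whole module fails to link on a host without the postfix or spamassassin policy modules, even though the commit message says the postfix path is not needed by public-inbox-watch users. Wrap the postfix domtrans and the spamassassin rules in optional_policy() blocks with their own require, which is the refpolicy convention for cross-module rules. Separately, 'manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)' grants the spamassassin client domain create, write and unlink on every file under /var/lib/public-inbox, far wider than handing it one message; if spamc only reads the message from a descriptor inherited from publicinbox_deliver_t (fd use is already covered by the domtrans), 'allow spamc_t publicinbox_var_lib_t:file rw_inherited_file_perms;' is enough, and if it really creates files there the comment should name which ones.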