Date: Fri, 15 Jun 2018 15:11:23 -0400
From: Konstantin Ryabitsev
To: meta@public-inbox.org
Subject: [PATCH v2] Contribute SELinux policy for EL7
Message-ID: <20180615191123.GA6193@work>
In-Reply-To: <20180524190306.GA23233@work>

This adds a SELinux policy suitable for RHEL/CentOS 7. It assumes the following:

- public-inbox-httpd and public-inbox-nntpd are running via systemd on sane ports (119 and 80/8080)
- /var/lib/public-inbox is the location for mainrepos
- /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
- /var/log/public-inbox is the location for logs
- mail delivery is done via postfix-pipe or public-inbox-watch via the provided example systemd service

Signed-off-by: Konstantin Ryabitsev
---
 contrib/selinux/el7/publicinbox.fc |   8 ++
 contrib/selinux/el7/publicinbox.te | 113 +++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 contrib/selinux/el7/publicinbox.fc
 create mode 100644 contrib/selinux/el7/publicinbox.te

diff --git a/contrib/selinux/el7/publicinbox.fc b/contrib/selinux/el7/publicinbox.fc
new file mode 100644
index 0000000..c8ada2d
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.fc @@ -0,0 +1,8 @@ +/usr/(local/)?bin/public-inbox-httpd -- gen_context(system_u:object_r:p= ublicinbox_daemon_exec_t,s0) +/usr/(local/)?bin/public-inbox-nntpd -- gen_context(system_u:object_r:p= ublicinbox_daemon_exec_t,s0) +/usr/(local/)?bin/public-inbox-watch -- gen_context(system_u:object_r:p= ublicinbox_deliver_exec_t,s0) +/usr/(local/)?bin/public-inbox-mda -- gen_context(system_u:object_r:p= ublicinbox_deliver_exec_t,s0) + +/var/lib/public-inbox(/.*)? gen_context(system_u:object_r:p= ublicinbox_var_lib_t,s0) +/var/run/public-inbox(/.*)? gen_context(system_u:object_r:p= ublicinbox_var_run_t,s0) +/var/log/public-inbox(/.*)? gen_context(system_u:object_r:p= ublicinbox_log_t,s0) diff --git a/contrib/selinux/el7/publicinbox.te b/contrib/selinux/el7/publi= cinbox.te new file mode 100644 index 0000000..023cf81 --- /dev/null +++ b/contrib/selinux/el7/publicinbox.te 
@@ -0,0 +1,113 @@ +################## +# This policy allows running public-inbox-httpd and public-inbox-nntpd +# on reasonable ports (119 for nntpd and 80/443/8080 for httpd) +# +# It also allows delivering mail via postfix-pipe to public-inbox-mda +# +# Author: Konstantin Ryabitsev +# +policy_module(publicinbox, 1.0.3) + +require { + type postfix_pipe_t; + type spamc_t; + type spamd_t; +} + +################## +# Declarations + +type publicinbox_daemon_t; +type publicinbox_daemon_exec_t; +init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t) + +type publicinbox_var_lib_t; +files_type(publicinbox_var_lib_t) + +type publicinbox_log_t; +logging_log_file(publicinbox_log_t) + +type publicinbox_var_run_t; +files_tmp_file(publicinbox_var_run_t) + +type publicinbox_tmp_t; +files_tmp_file(publicinbox_tmp_t) + +type publicinbox_deliver_t; +type publicinbox_deliver_exec_t; +init_daemon_domain(publicinbox_deliver_t, publicinbox_deliver_exec_t) + +# Uncomment to put these domains into permissive mode +#permissive publicinbox_daemon_t; +#permissive publicinbox_deliver_t; + +################## +# Daemons policy + +domain_use_interactive_fds(publicinbox_daemon_t) +files_read_etc_files(publicinbox_daemon_t) +miscfiles_read_localization(publicinbox_daemon_t) +allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms; +allow publicinbox_daemon_t self:tcp_socket { accept listen }; + +# Need to be able to manage and exec them for Inline::C +manage_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicin= box_var_run_t) +exec_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbo= x_var_run_t) + +# Logging +append_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_= log_t) +create_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_= log_t) +setattr_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox= _log_t) +logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir = }) + 
+# Run on httpd and nntp ports (called innd_port_t) +corenet_tcp_bind_generic_node(publicinbox_daemon_t) +corenet_tcp_bind_http_port(publicinbox_daemon_t) +corenet_tcp_bind_http_cache_port(publicinbox_daemon_t) +corenet_tcp_bind_innd_port(publicinbox_daemon_t) + +# Allow reading anything publicinbox_var_lib_t +list_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox= _var_lib_t) +read_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbo= x_var_lib_t) + +# The daemon doesn't need to write to this dir +dontaudit publicinbox_daemon_t publicinbox_var_lib_t:file write; + +# Allow executing bin (for git, mostly) +corecmd_exec_bin(publicinbox_daemon_t) + +# Manage our tmp files +manage_dirs_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_t= mp_t) +manage_files_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_= tmp_t) +files_tmp_filetrans(publicinbox_daemon_t, publicinbox_tmp_t, { file dir }) + +################## +# mda/watch policy +# +# Allow transitioning to deliver_t from postfix pipe +domtrans_pattern(postfix_pipe_t, publicinbox_deliver_exec_t, publicinbox_d= eliver_t) +postfix_rw_inherited_master_pipes(publicinbox_deliver_t) +postfix_read_spool_files(publicinbox_deliver_t) + +files_read_etc_files(publicinbox_deliver_t) + +# Allow managing anything in publicinbox_var_lib_t +manage_dirs_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicin= box_var_lib_t) +manage_files_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publici= nbox_var_lib_t) + +# Allow executing bin (for git, mostly) +corecmd_exec_bin(publicinbox_deliver_t) + +# git-fast-import wants to access system state and other bits +kernel_dontaudit_read_system_state(publicinbox_deliver_t) + +# Allow using spamc +spamassassin_domtrans_client(publicinbox_deliver_t) +manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t) +read_files_pattern(spamd_t, publicinbox_var_lib_t, publicinbox_var_lib_t) + +# Manage our tmp files 
+manage_dirs_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_= tmp_t) +manage_files_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox= _tmp_t) +files_tmp_filetrans(publicinbox_deliver_t, publicinbox_tmp_t, { file dir }) +
-- 
2.17.1
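Review bot: the `.fc` entry for `/var/run/public-inbox(/.*)?` only takes effect when `restorecon` is run, and on EL7 `/var/run` is tmpfs, so a directory recreated at boot (by systemd's `RuntimeDirectory=` or a tmpfiles.d entry) will not carry `publicinbox_var_run_t` unless something relabels it; the `.te` hunk declares the type with `files_tmp_file` and contains no filetrans rule into it. Either add a `files_pid_filetrans(publicinbox_daemon_t, publicinbox_var_run_t, dir, "public-inbox")` rule (and declare the type with `files_pid_file` rather than `files_tmp_file`) so that the daemon's own mkdir gets the right label, or document that the unit must run `restorecon` on the directory before starting; otherwise the Inline::C compile will fail with a denial on the first boot after install.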
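Review bot: `manage_files_pattern` plus `exec_files_pattern` on `publicinbox_var_run_t` makes that the one type the daemon domain can both write and execute, which is exactly the write-then-execute capability the rest of the policy withholds (writes to `publicinbox_var_lib_t` are dontaudit'd, not allowed, and `publicinbox_tmp_t` is managed but never exec'd); since Inline::C needs it, the header comment should state that `publicinbox_var_run_t` is writable and executable by design and why, so that nobody later widens it. Two smaller points in the same hunk: `allow publicinbox_daemon_t self:tcp_socket { accept listen };` is redundant, because `create_stream_socket_perms` already includes `listen` and `accept`; and `manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)` gives the SpamAssassin client create/unlink/write rights over the whole archive tree, which is much broader than the read access given to `spamd_t` on the next line, so either narrow it to what spamc actually touches or add a comment explaining which files it has to write. The header comment also says only `public-inbox-mda` is covered by the delivery rules, while the `.fc` hunk and `init_daemon_domain(publicinbox_deliver_t, publicinbox_deliver_exec_t)` also cover `public-inbox-watch`; updating the comment would match the `# mda/watch policy` section title and the cover letter.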