From 5f91aae26b6b0e02c9fabcc5dcf9f4b3e9eedbfe Mon Sep 17 00:00:00 2001
From: Konstantin Ryabitsev
Date: Fri, 15 Jun 2018 15:11:23 -0400
Subject: Contribute SELinux policy for EL7

This adds a SELinux policy suitable for RHEL/CentOS 7. It assumes the following:
- public-inbox-httpd and public-inbox-nntpd are running via systemd on sane ports (119 and 80/8080)
- /var/lib/public-inbox is the location for mainrepos
- /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
- /var/log/public-inbox is the location for logs
- mail delivery is done via postfix-pipe or public-inbox-watch via the provided example systemd service

Signed-off-by: Konstantin Ryabitsev
---
 contrib/selinux/el7/publicinbox.fc | 8 +++
 contrib/selinux/el7/publicinbox.te | 112 +++++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 contrib/selinux/el7/publicinbox.fc
 create mode 100644 contrib/selinux/el7/publicinbox.te
(limited to 'contrib')
diff --git a/contrib/selinux/el7/publicinbox.fc b/contrib/selinux/el7/publicinbox.fc
new file mode 100644
index 00000000..c8ada2d0
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.fc
@@ -0,0 +1,8 @@
+/usr/(local/)?bin/public-inbox-httpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-nntpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-watch -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
+/usr/(local/)?bin/public-inbox-mda -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
+
+/var/lib/public-inbox(/.*)? gen_context(system_u:object_r:publicinbox_var_lib_t,s0)
+/var/run/public-inbox(/.*)? gen_context(system_u:object_r:publicinbox_var_run_t,s0)
+/var/log/public-inbox(/.*)? gen_context(system_u:object_r:publicinbox_log_t,s0)
diff --git a/contrib/selinux/el7/publicinbox.te b/contrib/selinux/el7/publicinbox.te
new file mode 100644
index 00000000..ef5c1204
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.te 
@@ -0,0 +1,112 @@
+##################
+# This policy allows running public-inbox-httpd and public-inbox-nntpd
+# on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
+#
+# It also allows delivering mail via postfix-pipe to public-inbox-mda
+#
+# Author: Konstantin Ryabitsev
+#
+policy_module(publicinbox, 1.0.3)
+
+require {
+ type postfix_pipe_t;
+ type spamc_t;
+ type spamd_t;
+}
+
+##################
+# Declarations
+
+type publicinbox_daemon_t;
+type publicinbox_daemon_exec_t;
+init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t)
+
+type publicinbox_var_lib_t;
+files_type(publicinbox_var_lib_t)
+
+type publicinbox_log_t;
+logging_log_file(publicinbox_log_t)
+
+type publicinbox_var_run_t;
+files_tmp_file(publicinbox_var_run_t)
+
+type publicinbox_tmp_t;
+files_tmp_file(publicinbox_tmp_t)
+
+type publicinbox_deliver_t;
+type publicinbox_deliver_exec_t;
+init_daemon_domain(publicinbox_deliver_t, publicinbox_deliver_exec_t)
+
+# Uncomment to put these domains into permissive mode
+#permissive publicinbox_daemon_t;
+#permissive publicinbox_deliver_t;
+
+##################
+# Daemons policy
+
+domain_use_interactive_fds(publicinbox_daemon_t)
+files_read_etc_files(publicinbox_daemon_t)
+miscfiles_read_localization(publicinbox_daemon_t)
+allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms;
+allow publicinbox_daemon_t self:tcp_socket { accept listen };
+
+# Need to be able to manage and exec them for Inline::C
+manage_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+exec_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+
+# Logging
+append_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+create_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+setattr_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir })
+
+# Run on httpd and nntp ports (called innd_port_t)
+corenet_tcp_bind_generic_node(publicinbox_daemon_t)
+corenet_tcp_bind_http_port(publicinbox_daemon_t)
+corenet_tcp_bind_http_cache_port(publicinbox_daemon_t)
+corenet_tcp_bind_innd_port(publicinbox_daemon_t)
+
+# Allow reading anything publicinbox_var_lib_t
+list_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# The daemon doesn't need to write to this dir
+dontaudit publicinbox_daemon_t publicinbox_var_lib_t:file write;
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_daemon_t)
+
+# Manage our tmp files
+manage_dirs_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
+manage_files_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
+files_tmp_filetrans(publicinbox_daemon_t, publicinbox_tmp_t, { file dir })
+
+##################
+# mda/watch policy
+#
+# Allow transitioning to deliver_t from postfix pipe
+domtrans_pattern(postfix_pipe_t, publicinbox_deliver_exec_t, publicinbox_deliver_t)
+postfix_rw_inherited_master_pipes(publicinbox_deliver_t)
+postfix_read_spool_files(publicinbox_deliver_t)
+
+files_read_etc_files(publicinbox_deliver_t)
+
+# Allow managing anything in publicinbox_var_lib_t
+manage_dirs_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+manage_files_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_deliver_t)
+
+# git-fast-import wants to access system state and other bits
+kernel_dontaudit_read_system_state(publicinbox_deliver_t)
+
+# Allow using spamc
+spamassassin_domtrans_client(publicinbox_deliver_t)
+manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(spamd_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# Manage our tmp files
+manage_dirs_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
+manage_files_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
+files_tmp_filetrans(publicinbox_deliver_t, publicinbox_tmp_t, { file dir })
-- 
cgit v1.2.3-24-ge0c7
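Review bot: The network-facing daemon domain gets both `manage_files_pattern` and `exec_files_pattern` on `publicinbox_var_run_t` (the two rules under "Need to be able to manage and exec them for Inline::C"), which makes /var/run/public-inbox a write-and-execute location for publicinbox_daemon_t; that is what Inline::C needs, but the policy should state the consequence, e.g. `# NOTE: the daemon may write and execute code here (Inline::C build cache); keep the directory owned by the service user and not writable by anyone else`. Separately, `publicinbox_var_run_t` is declared with `files_tmp_file()` although its only labelled path is under /var/run; `files_pid_file(publicinbox_var_run_t)` is the interface intended for that location and avoids giving the type the /tmp-oriented attribute. The `manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)` rule near the end also hands an external domain write access to the repository data; if spamc only needs to read the message handed to it, `read_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)` is the least-privilege form, which is worth confirming against the audit log before tightening.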