add content

2019-05-08 14:53:59 +03:00
parent fdb66ec988
commit 840f37da49
122 changed files with 5873 additions and 0 deletions
--- a/sec-policy/selinux-rspamd/Manifest
+++ b/sec-policy/selinux-rspamd/Manifest
@@ -0,0 +1,6 @@
+AUX rspamd.fc 359 BLAKE2B 5b559490f203545c60fdaad7b9b5446c467f73312b5fa62716de5850aaf2b18b2610e36903dce0f3711ef6070c8132752a74b2161b49a1ae2770dfca7bffd4dd SHA512 5b8feaf54ea3437b12b9bad8d9f47fa52dc2f0b8993043c6d37b3e4179b36afdb047eec38294c271adbfc2c7e112f205de64c36aea71055777c3747a9fe25ea0
+AUX rspamd.if 6518 BLAKE2B 3c1a62ab074e8ff0e46aec72804ef67022589cc7d40f9bfce45350b9396fb336d121bd407af2e6dea905e0b71c3609c21ef72d3dd24df46f26f8e22188333552 SHA512 79dd3e7ecf5b80f2e60f28a887ab69b037097427472c2b12a2960b325aec9d3ed60b5c11518287512a9a439b99880857aec3446a30383f30c1be1035e03d9798
+AUX rspamd.te 3621 BLAKE2B b155e0f160627b81be85208950468d483e2a1a6eddb0d43671ca5adb15f637c675f54fe24ff17811d14c0f34211afc4b6c2c8e08077f928b59e5ae36d44d8b61 SHA512 71540931c4e6e1eed253f60d2118df36788fb59a9dfe200ffa03d7be2afcc0eb97773a6cda0e38f91ccd254a53df3e4dbc33e1f0a3529f6ae92f9c689e88e95d
+DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
+DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
+EBUILD selinux-rspamd-2.20180701-r1.ebuild 387 BLAKE2B 029838949f858eccc5ffd50ef22ad623253db4494b881e150ecaab40b4c5976a7d483fa96f7591e748f6401bd1fdf270b514f26bd6810034a4084dd9f7029468 SHA512 16894cabddda31b87d354f7a34d4f0877027db0c381bd4347c5a540e34e4b848f5053f037454577c7f2e2e575a2bfeb36106b39107fa442192633662fcd1e4f3
--- a/sec-policy/selinux-rspamd/files/rspamd.fc
+++ b/sec-policy/selinux-rspamd/files/rspamd.fc
@@ -0,0 +1,9 @@
+/usr/bin/rspamd.*		--	gen_context(system_u:object_r:rspamd_exec_t,s0)
+
+/etc/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_conf_t,s0)
+
+/var/lib/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_var_lib_t,s0)
+
+/var/log/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_log_t,s0)
+
+/var/run/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_var_run_t,s0)
--- a/sec-policy/selinux-rspamd/files/rspamd.if
+++ b/sec-policy/selinux-rspamd/files/rspamd.if
@@ -0,0 +1,325 @@
+
+## <summary>policy for rspamd</summary>
+
+########################################
+## <summary>
+##	Execute rspamd_exec_t in the rspamd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rspamd_domtrans',`
+	gen_require(`
+		type rspamd_t, rspamd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rspamd_exec_t, rspamd_t)
+')
+
+######################################
+## <summary>
+##	Execute rspamd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_exec',`
+	gen_require(`
+		type rspamd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rspamd_exec_t)
+')
+########################################
+## <summary>
+##	Read rspamd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rspamd_read_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to rspamd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_append_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, rspamd_log_t, rspamd_log_t)
+	manage_files_pattern($1, rspamd_log_t, rspamd_log_t)
+	manage_lnk_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Search rspamd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_search_lib',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	allow $1 rspamd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read rspamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_read_lib_files',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_lib_files',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_lib_dirs',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read rspamd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_read_pid_files',`
+	gen_require(`
+		type rspamd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, rspamd_var_run_t, rspamd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an rspamd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rspamd_admin',`
+	gen_require(`
+		type rspamd_t;
+		type rspamd_log_t;
+		type rspamd_var_lib_t;
+		type rspamd_var_run_t;
+	')
+
+	allow $1 rspamd_t:process { signal_perms };
+	ps_process_pattern($1, rspamd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 rspamd_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, rspamd_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, rspamd_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, rspamd_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+############################################################################
+# network.if
+############################################################################
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd worker port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_wrkr_port',`
+        gen_require(`
+                type rspamd_wrkr_port_t;
+        ')
+
+        allow $1 rspamd_wrkr_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd controller port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_cntrllr_port',`
+        gen_require(`
+                type rspamd_cntrllr_port_t;
+        ')
+
+        allow $1 rspamd_cntrllr_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd proxy port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_prx_port',`
+        gen_require(`
+                type rspamd_prx_port_t;
+        ')
+
+        allow $1 rspamd_prx_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Make a TCP connection to the rspamd worker port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rspamd_wrkr_port',`
+        gen_require(`
+                type rspamd_wrkr_port_t;
+        ')
+
+        allow $1 rspamd_wrkr_port_t:tcp_socket name_connect;
+')
+
+
--- a/sec-policy/selinux-rspamd/files/rspamd.te
+++ b/sec-policy/selinux-rspamd/files/rspamd.te
@@ -0,0 +1,120 @@
+policy_module(rspamd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rspamd_t;
+type rspamd_exec_t;
+init_daemon_domain(rspamd_t, rspamd_exec_t)
+
+#permissive rspamd_t;
+
+type rspamd_conf_t;
+files_type(rspamd_conf_t)
+
+type rspamd_tmpfs_t;
+files_tmpfs_file(rspamd_tmpfs_t)
+
+type rspamd_log_t;
+logging_log_file(rspamd_log_t)
+
+type rspamd_var_lib_t;
+files_type(rspamd_var_lib_t)
+
+type rspamd_var_run_t;
+files_pid_file(rspamd_var_run_t)
+
+type rspamd_wrkr_port_t;
+corenet_port(rspamd_wrkr_port_t)
+#portcon tcp     11333   gen_context(system_u:object_r:rspamd_wrkr_port_t,s0)
+
+type rspamd_cntrllr_port_t;
+corenet_port(rspamd_cntrllr_port_t)
+#portcon tcp     11334   gen_context(system_u:object_r:rspamd_cntrllr_port_t,s0)
+
+type rspamd_prx_port_t;
+corenet_port(rspamd_prx_port_t)
+#portcon tcp     11332   gen_context(system_u:object_r:rspamd_prx_port_t,s0)
+
+########################################
+#
+# rspamd local policy
+#
+#allow rspamd_t self:capability { chown setgid setuid };
+#allow rspamd_t self:process { fork setrlimit signal_perms };
+allow rspamd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow rspamd_t self:fifo_file rw_fifo_file_perms;
+allow rspamd_t self:capability { chown dac_override dac_read_search kill net_bind_service setgid setuid };
+allow rspamd_t self:process { getsched setrlimit signal execmem };
+allow rspamd_t self:tcp_socket { listen accept };
+
+corenet_tcp_bind_generic_node(rspamd_t)
+corenet_udp_bind_generic_node(rspamd_t)
+corenet_tcp_bind_rspamd_wrkr_port(rspamd_t)
+corenet_tcp_bind_rspamd_cntrllr_port(rspamd_t)
+corenet_tcp_bind_rspamd_prx_port(rspamd_t)
+corenet_tcp_connect_http_port(rspamd_t)
+corenet_tcp_connect_smtp_port(rspamd_t)
+corenet_tcp_connect_redis_port(rspamd_t)
+
+kernel_read_kernel_sysctls(rspamd_t)
+
+allow rspamd_t rspamd_conf_t:file map;
+list_dirs_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
+read_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
+read_lnk_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
+
+allow rspamd_t rspamd_tmpfs_t:file map;
+manage_files_pattern(rspamd_t, rspamd_tmpfs_t, rspamd_tmpfs_t)
+fs_tmpfs_filetrans(rspamd_t, rspamd_tmpfs_t, file)
+
+manage_dirs_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
+manage_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
+manage_lnk_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
+logging_log_filetrans(rspamd_t, rspamd_log_t, { dir file lnk_file })
+
+files_list_var(rspamd_t)
+allow rspamd_t rspamd_var_lib_t:file map;
+manage_dirs_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+manage_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+manage_lnk_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+manage_sock_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+files_var_lib_filetrans(rspamd_t, rspamd_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
+manage_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
+manage_lnk_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
+files_pid_filetrans(rspamd_t, rspamd_var_run_t, { dir file lnk_file })
+
+userdom_use_user_ptys(rspamd_t)
+domain_use_interactive_fds(rspamd_t)
+
+#files_read_etc_files(rspamd_t)
+files_read_usr_files(rspamd_t)
+files_map_usr_files(rspamd_t)
+
+files_dontaudit_list_var(rspamd_t)
+
+auth_use_nsswitch(rspamd_t)
+
+logging_send_syslog_msg(rspamd_t)
+
+miscfiles_read_localization(rspamd_t)
+
+sysnet_dns_name_resolve(rspamd_t)
+
+optional_policy(`
+        gen_require(`
+                type exim_t;
+        ')
+
+	corenet_tcp_connect_rspamd_wrkr_port(exim_t)
+
+')
+
+optional_policy(`
+	clamav_stream_connect(rspamd_t)
+')
--- a/sec-policy/selinux-rspamd/selinux-rspamd-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-rspamd/selinux-rspamd-2.20180701-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="rspamd"
+POLICY_FILES="rspamd.te rspamd.fc rspamd.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for rspamd"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi