add content

2019-05-08 14:53:59 +03:00
parent fdb66ec988
commit 840f37da49
122 changed files with 5873 additions and 0 deletions
--- a/sec-policy/selinux-rspamd/files/rspamd.fc
+++ b/sec-policy/selinux-rspamd/files/rspamd.fc
@@ -0,0 +1,9 @@
+/usr/bin/rspamd.*		--	gen_context(system_u:object_r:rspamd_exec_t,s0)
+
+/etc/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_conf_t,s0)
+
+/var/lib/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_var_lib_t,s0)
+
+/var/log/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_log_t,s0)
+
+/var/run/rspamd(/.*)?		gen_context(system_u:object_r:rspamd_var_run_t,s0)
--- a/sec-policy/selinux-rspamd/files/rspamd.if
+++ b/sec-policy/selinux-rspamd/files/rspamd.if
@@ -0,0 +1,325 @@
+
+## <summary>policy for rspamd</summary>
+
+########################################
+## <summary>
+##	Execute rspamd_exec_t in the rspamd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rspamd_domtrans',`
+	gen_require(`
+		type rspamd_t, rspamd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rspamd_exec_t, rspamd_t)
+')
+
+######################################
+## <summary>
+##	Execute rspamd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_exec',`
+	gen_require(`
+		type rspamd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rspamd_exec_t)
+')
+########################################
+## <summary>
+##	Read rspamd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rspamd_read_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to rspamd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_append_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, rspamd_log_t, rspamd_log_t)
+	manage_files_pattern($1, rspamd_log_t, rspamd_log_t)
+	manage_lnk_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Search rspamd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_search_lib',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	allow $1 rspamd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read rspamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_read_lib_files',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_lib_files',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_lib_dirs',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read rspamd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_read_pid_files',`
+	gen_require(`
+		type rspamd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, rspamd_var_run_t, rspamd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an rspamd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rspamd_admin',`
+	gen_require(`
+		type rspamd_t;
+		type rspamd_log_t;
+		type rspamd_var_lib_t;
+		type rspamd_var_run_t;
+	')
+
+	allow $1 rspamd_t:process { signal_perms };
+	ps_process_pattern($1, rspamd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 rspamd_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, rspamd_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, rspamd_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, rspamd_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+############################################################################
+# network.if
+############################################################################
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd worker port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_wrkr_port',`
+        gen_require(`
+                type rspamd_wrkr_port_t;
+        ')
+
+        allow $1 rspamd_wrkr_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd controller port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_cntrllr_port',`
+        gen_require(`
+                type rspamd_cntrllr_port_t;
+        ')
+
+        allow $1 rspamd_cntrllr_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd proxy port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_prx_port',`
+        gen_require(`
+                type rspamd_prx_port_t;
+        ')
+
+        allow $1 rspamd_prx_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Make a TCP connection to the rspamd worker port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rspamd_wrkr_port',`
+        gen_require(`
+                type rspamd_wrkr_port_t;
+        ')
+
+        allow $1 rspamd_wrkr_port_t:tcp_socket name_connect;
+')
+
+
--- a/sec-policy/selinux-rspamd/files/rspamd.te
+++ b/sec-policy/selinux-rspamd/files/rspamd.te
@@ -0,0 +1,120 @@
+policy_module(rspamd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rspamd_t;
+type rspamd_exec_t;
+init_daemon_domain(rspamd_t, rspamd_exec_t)
+
+#permissive rspamd_t;
+
+type rspamd_conf_t;
+files_type(rspamd_conf_t)
+
+type rspamd_tmpfs_t;
+files_tmpfs_file(rspamd_tmpfs_t)
+
+type rspamd_log_t;
+logging_log_file(rspamd_log_t)
+
+type rspamd_var_lib_t;
+files_type(rspamd_var_lib_t)
+
+type rspamd_var_run_t;
+files_pid_file(rspamd_var_run_t)
+
+type rspamd_wrkr_port_t;
+corenet_port(rspamd_wrkr_port_t)
+#portcon tcp     11333   gen_context(system_u:object_r:rspamd_wrkr_port_t,s0)
+
+type rspamd_cntrllr_port_t;
+corenet_port(rspamd_cntrllr_port_t)
+#portcon tcp     11334   gen_context(system_u:object_r:rspamd_cntrllr_port_t,s0)
+
+type rspamd_prx_port_t;
+corenet_port(rspamd_prx_port_t)
+#portcon tcp     11332   gen_context(system_u:object_r:rspamd_prx_port_t,s0)
+
+########################################
+#
+# rspamd local policy
+#
+#allow rspamd_t self:capability { chown setgid setuid };
+#allow rspamd_t self:process { fork setrlimit signal_perms };
+allow rspamd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow rspamd_t self:fifo_file rw_fifo_file_perms;
+allow rspamd_t self:capability { chown dac_override dac_read_search kill net_bind_service setgid setuid };
+allow rspamd_t self:process { getsched setrlimit signal execmem };
+allow rspamd_t self:tcp_socket { listen accept };
+
+corenet_tcp_bind_generic_node(rspamd_t)
+corenet_udp_bind_generic_node(rspamd_t)
+corenet_tcp_bind_rspamd_wrkr_port(rspamd_t)
+corenet_tcp_bind_rspamd_cntrllr_port(rspamd_t)
+corenet_tcp_bind_rspamd_prx_port(rspamd_t)
+corenet_tcp_connect_http_port(rspamd_t)
+corenet_tcp_connect_smtp_port(rspamd_t)
+corenet_tcp_connect_redis_port(rspamd_t)
+
+kernel_read_kernel_sysctls(rspamd_t)
+
+allow rspamd_t rspamd_conf_t:file map;
+list_dirs_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
+read_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
+read_lnk_files_pattern(rspamd_t, rspamd_conf_t, rspamd_conf_t)
+
+allow rspamd_t rspamd_tmpfs_t:file map;
+manage_files_pattern(rspamd_t, rspamd_tmpfs_t, rspamd_tmpfs_t)
+fs_tmpfs_filetrans(rspamd_t, rspamd_tmpfs_t, file)
+
+manage_dirs_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
+manage_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
+manage_lnk_files_pattern(rspamd_t, rspamd_log_t, rspamd_log_t)
+logging_log_filetrans(rspamd_t, rspamd_log_t, { dir file lnk_file })
+
+files_list_var(rspamd_t)
+allow rspamd_t rspamd_var_lib_t:file map;
+manage_dirs_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+manage_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+manage_lnk_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+manage_sock_files_pattern(rspamd_t, rspamd_var_lib_t, rspamd_var_lib_t)
+files_var_lib_filetrans(rspamd_t, rspamd_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
+manage_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
+manage_lnk_files_pattern(rspamd_t, rspamd_var_run_t, rspamd_var_run_t)
+files_pid_filetrans(rspamd_t, rspamd_var_run_t, { dir file lnk_file })
+
+userdom_use_user_ptys(rspamd_t)
+domain_use_interactive_fds(rspamd_t)
+
+#files_read_etc_files(rspamd_t)
+files_read_usr_files(rspamd_t)
+files_map_usr_files(rspamd_t)
+
+files_dontaudit_list_var(rspamd_t)
+
+auth_use_nsswitch(rspamd_t)
+
+logging_send_syslog_msg(rspamd_t)
+
+miscfiles_read_localization(rspamd_t)
+
+sysnet_dns_name_resolve(rspamd_t)
+
+optional_policy(`
+        gen_require(`
+                type exim_t;
+        ')
+
+	corenet_tcp_connect_rspamd_wrkr_port(exim_t)
+
+')
+
+optional_policy(`
+	clamav_stream_connect(rspamd_t)
+')