add content

2019-05-08 14:53:59 +03:00
parent fdb66ec988
commit 840f37da49
122 changed files with 5873 additions and 0 deletions
--- a/sec-policy/selinux-rspamd/files/rspamd.if
+++ b/sec-policy/selinux-rspamd/files/rspamd.if
@@ -0,0 +1,325 @@
+
+## <summary>policy for rspamd</summary>
+
+########################################
+## <summary>
+##	Execute rspamd_exec_t in the rspamd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rspamd_domtrans',`
+	gen_require(`
+		type rspamd_t, rspamd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rspamd_exec_t, rspamd_t)
+')
+
+######################################
+## <summary>
+##	Execute rspamd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_exec',`
+	gen_require(`
+		type rspamd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rspamd_exec_t)
+')
+########################################
+## <summary>
+##	Read rspamd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rspamd_read_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to rspamd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_append_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_log',`
+	gen_require(`
+		type rspamd_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, rspamd_log_t, rspamd_log_t)
+	manage_files_pattern($1, rspamd_log_t, rspamd_log_t)
+	manage_lnk_files_pattern($1, rspamd_log_t, rspamd_log_t)
+')
+
+########################################
+## <summary>
+##	Search rspamd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_search_lib',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	allow $1 rspamd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read rspamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_read_lib_files',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_lib_files',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rspamd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_manage_lib_dirs',`
+	gen_require(`
+		type rspamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, rspamd_var_lib_t, rspamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read rspamd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rspamd_read_pid_files',`
+	gen_require(`
+		type rspamd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, rspamd_var_run_t, rspamd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an rspamd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rspamd_admin',`
+	gen_require(`
+		type rspamd_t;
+		type rspamd_log_t;
+		type rspamd_var_lib_t;
+		type rspamd_var_run_t;
+	')
+
+	allow $1 rspamd_t:process { signal_perms };
+	ps_process_pattern($1, rspamd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 rspamd_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, rspamd_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, rspamd_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, rspamd_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+############################################################################
+# network.if
+############################################################################
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd worker port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_wrkr_port',`
+        gen_require(`
+                type rspamd_wrkr_port_t;
+        ')
+
+        allow $1 rspamd_wrkr_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd controller port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_cntrllr_port',`
+        gen_require(`
+                type rspamd_cntrllr_port_t;
+        ')
+
+        allow $1 rspamd_cntrllr_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Bind TCP sockets to the rspamd proxy port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_rspamd_prx_port',`
+        gen_require(`
+                type rspamd_prx_port_t;
+        ')
+
+        allow $1 rspamd_prx_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+##      Make a TCP connection to the rspamd worker port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_rspamd_wrkr_port',`
+        gen_require(`
+                type rspamd_wrkr_port_t;
+        ')
+
+        allow $1 rspamd_wrkr_port_t:tcp_socket name_connect;
+')
+
+