This adds a SELinux policy suitable for RHEL/CentOS 7. It assumes the following:
- public-inbox-httpd and public-inbox-nntpd are running via systemd on sane ports (119 and 80/8080)
- /var/lib/public-inbox is the location for mainrepos
- /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
- /var/log/public-inbox is the location for logs
- mail delivery is done via postfix-pipe (if you're using public-inbox-watch, you shouldn't need to worry about this)

Signed-off-by: Konstantin Ryabitsev <[email protected]>
---
 contrib/selinux/el7/publicinbox.fc | 7 +++
 contrib/selinux/el7/publicinbox.te | 101 +++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 contrib/selinux/el7/publicinbox.fc
 create mode 100644 contrib/selinux/el7/publicinbox.te

diff --git a/contrib/selinux/el7/publicinbox.fc b/contrib/selinux/el7/publicinbox.fc
new file mode 100644
index 0000000..13ca949
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.fc
@@ -0,0 +1,7 @@
+/usr/(local/)?bin/public-inbox-httpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-nntpd -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-mda -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
+
+/var/lib/public-inbox(/.*)? gen_context(system_u:object_r:publicinbox_var_lib_t,s0)
+/var/run/public-inbox(/.*)? gen_context(system_u:object_r:publicinbox_var_run_t,s0)
+/var/log/public-inbox(/.*)? gen_context(system_u:object_r:publicinbox_log_t,s0)
diff --git a/contrib/selinux/el7/publicinbox.te b/contrib/selinux/el7/publicinbox.te
new file mode 100644
index 0000000..d4feb98
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.te
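Review bot: The `/var/run/public-inbox(/.*)?` entry only labels a path that already exists, and on EL7 /run is a tmpfs that is empty after boot, so unless something recreates the directory (a tmpfiles.d snippet or `RuntimeDirectory=` in the unit, which should pick up this label from file_contexts, or a filetrans rule in the .te) it will come up as the generic `var_run_t` and the daemon's manage/exec rules on `publicinbox_var_run_t` will never match. The .te already handles the equivalent case for /var/log with `logging_log_filetrans`, but nothing does so for the runtime directory. A one-line comment above the entry stating how the directory is expected to be created and labelled at boot, e.g. `# created at boot by tmpfiles.d/RuntimeDirectory=; label comes from this entry`, would save the next person an AVC hunt.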
@@ -0,0 +1,101 @@
+##################
+# This policy allows running public-inbox-httpd and public-inbox-nntpd
+# on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
+#
+# It also allows delivering mail via postfix-pipe to public-inbox-mda
+#
+# Author: Konstantin Ryabitsev <[email protected]>
+#
+policy_module(publicinbox, 1.0.0)
+
+require {
+ type postfix_pipe_t;
+ type spamc_t;
+ type spamd_t;
+}
+
+##################
+# Declarations
+
+type publicinbox_daemon_t;
+type publicinbox_daemon_exec_t;
+init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t)
+
+type publicinbox_var_lib_t;
+files_type(publicinbox_var_lib_t)
+
+type publicinbox_log_t;
+logging_log_file(publicinbox_log_t)
+
+type publicinbox_var_run_t;
+files_tmp_file(publicinbox_var_run_t)
+
+type publicinbox_deliver_t;
+type publicinbox_deliver_exec_t;
+domain_type(publicinbox_deliver_t)
+domain_entry_file(publicinbox_deliver_t, publicinbox_deliver_exec_t)
+role system_r types publicinbox_deliver_t;
+
+#permissive publicinbox_daemon_t;
+#permissive publicinbox_deliver_t;
+
+##################
+# Daemons policy
+
+domain_use_interactive_fds(publicinbox_daemon_t)
+files_read_etc_files(publicinbox_daemon_t)
+miscfiles_read_localization(publicinbox_daemon_t)
+allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms;
+allow publicinbox_daemon_t self:tcp_socket { accept listen };
+
+# Need to be able to manage and exec runtime files for inline::c
+manage_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+exec_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+
+# Logging
+append_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+create_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+setattr_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir })
+
+# Run on http/httpcache and innd ports
+corenet_tcp_bind_generic_node(publicinbox_daemon_t)
+corenet_tcp_bind_http_port(publicinbox_daemon_t)
+corenet_tcp_bind_http_cache_port(publicinbox_daemon_t)
+corenet_tcp_bind_innd_port(publicinbox_daemon_t)
+
+# Allow reading anything publicinbox_var_lib_t
+list_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# The daemon doesn't need to write to this dir, so ignore these AVCs
+dontaudit publicinbox_daemon_t publicinbox_var_lib_t:file write;
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_daemon_t)
+
+##################
+# MDA policy
+# This allows transitioning from postfix_pipe_t to publicinbox_deliver_t
+#
+domtrans_pattern(postfix_pipe_t, publicinbox_deliver_exec_t, publicinbox_deliver_t)
+postfix_rw_inherited_master_pipes(publicinbox_deliver_t)
+postfix_read_spool_files(publicinbox_deliver_t)
+
+files_read_etc_files(publicinbox_deliver_t)
+
+# Allow managing anything in publicinbox_var_lib_t
+manage_dirs_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+manage_files_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_deliver_t)
+
+# git-fast-import wants to access system state and other bits, so ignore these AVCs
+kernel_dontaudit_read_system_state(publicinbox_deliver_t)
+
+# Allow using spamc via domain transition
+spamassassin_domtrans_client(publicinbox_deliver_t)
+manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(spamd_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
-- 
2.13.6
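Review bot: `manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)` at the end of the hunk grants the spam client create/write/unlink/rename on every file under /var/lib/public-inbox, i.e. the whole inbox store, while the neighbouring spamd_t line is read-only; if spamc only consumes the message the MDA hands it, the read-only form used for spamd_t (`read_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)`) is the least-privilege rule, and whichever AVC motivated the wider grant belongs in the comment above it. The `manage_files_pattern`/`exec_files_pattern` pair on `publicinbox_var_run_t` is the one write-plus-execute boundary in this policy (anything that can write that type can get code run in publicinbox_daemon_t), and since the type is declared with `files_tmp_file` rather than `files_pid_file` the intent should be stated, e.g. `# W+X on this type is deliberate: Inline::C compiles into PERL_INLINE_DIRECTORY; keep DAC on the dir restricted to the daemon user`. The header comment says 80/443/8080 while the commit message says 80/8080; `corenet_tcp_bind_http_port` does include 443 on EL7, so the .te comment is the accurate one and the commit message understates the exposure.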
