[PATCH] Contribute SELinux policy for EL7

[PATCH] Contribute SELinux policy for EL7

[Konstantin Ryabitsev]

This adds a SELinux policy suitable for RHEL/CentOS 7. It assumes the
following:

- public-inbox-httpd and public-inbox-nntpd are running via systemd
  on sane ports (119 and 80/8080)
- /var/lib/public-inbox is the location for mainrepos
- /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
- /var/log/public-inbox is the location for logs
- mail delivery is done via postfix-pipe (if you're using
  public-inbox-watch, you shouldn't need to worry about this)

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
 contrib/selinux/el7/publicinbox.fc |   7 +++
 contrib/selinux/el7/publicinbox.te | 101 +++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 contrib/selinux/el7/publicinbox.fc
 create mode 100644 contrib/selinux/el7/publicinbox.te

diff --git a/contrib/selinux/el7/publicinbox.fc b/contrib/selinux/el7/publicinbox.fc
new file mode 100644
index 0000000..13ca949
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.fc
@@ -0,0 +1,7 @@
+/usr/(local/)?bin/public-inbox-httpd    -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-nntpd    -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-mda      -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
+
+/var/lib/public-inbox(/.*)?                gen_context(system_u:object_r:publicinbox_var_lib_t,s0)
+/var/run/public-inbox(/.*)?                gen_context(system_u:object_r:publicinbox_var_run_t,s0)
+/var/log/public-inbox(/.*)?                gen_context(system_u:object_r:publicinbox_log_t,s0)
diff --git a/contrib/selinux/el7/publicinbox.te b/contrib/selinux/el7/publicinbox.te
new file mode 100644
index 0000000..d4feb98
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.te
@@ -0,0 +1,101 @@
+##################
+# This policy allows running public-inbox-httpd and public-inbox-nntpd
+# on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
+#
+# It also allows delivering mail via postfix-pipe to public-inbox-mda
+#
+# Author: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
+#
+policy_module(publicinbox, 1.0.0)
+
+require {
+    type postfix_pipe_t;
+    type spamc_t;
+    type spamd_t;
+}
+
+##################
+# Declarations
+
+type publicinbox_daemon_t;
+type publicinbox_daemon_exec_t;
+init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t)
+
+type publicinbox_var_lib_t;
+files_type(publicinbox_var_lib_t)
+
+type publicinbox_log_t;
+logging_log_file(publicinbox_log_t)
+
+type publicinbox_var_run_t;
+files_tmp_file(publicinbox_var_run_t)
+
+type publicinbox_deliver_t;
+type publicinbox_deliver_exec_t;
+domain_type(publicinbox_deliver_t)
+domain_entry_file(publicinbox_deliver_t, publicinbox_deliver_exec_t)
+role system_r types publicinbox_deliver_t;
+
+#permissive publicinbox_daemon_t;
+#permissive publicinbox_deliver_t;
+
+##################
+# Daemons policy
+
+domain_use_interactive_fds(publicinbox_daemon_t)
+files_read_etc_files(publicinbox_daemon_t)
+miscfiles_read_localization(publicinbox_daemon_t)
+allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms;
+allow publicinbox_daemon_t self:tcp_socket { accept listen };
+
+# Need to be able to manage and exec runtime files for inline::c
+manage_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+exec_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+
+# Logging
+append_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+create_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+setattr_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir })
+
+# Run on http/httpcache and innd ports
+corenet_tcp_bind_generic_node(publicinbox_daemon_t)
+corenet_tcp_bind_http_port(publicinbox_daemon_t)
+corenet_tcp_bind_http_cache_port(publicinbox_daemon_t)
+corenet_tcp_bind_innd_port(publicinbox_daemon_t)
+
+# Allow reading anything publicinbox_var_lib_t
+list_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# The daemon doesn't need to write to this dir, so ignore these AVCs
+dontaudit publicinbox_daemon_t publicinbox_var_lib_t:file write;
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_daemon_t)
+
+##################
+# MDA policy
+# This allows transitioning from postfix_pipe_t to publicinbox_deliver_t
+#
+domtrans_pattern(postfix_pipe_t, publicinbox_deliver_exec_t, publicinbox_deliver_t)
+postfix_rw_inherited_master_pipes(publicinbox_deliver_t)
+postfix_read_spool_files(publicinbox_deliver_t)
+
+files_read_etc_files(publicinbox_deliver_t)
+
+# Allow managing anything in publicinbox_var_lib_t
+manage_dirs_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+manage_files_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_deliver_t)
+
+# git-fast-import wants to access system state and other bits, so ignore these AVCs
+kernel_dontaudit_read_system_state(publicinbox_deliver_t)
+
+# Allow using spamc via domain transition
+spamassassin_domtrans_client(publicinbox_deliver_t)
+manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(spamd_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
-- 
2.13.6

Re: [PATCH] Contribute SELinux policy for EL7

[Eric Wong]

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> This adds a SELinux policy suitable for RHEL/CentOS 7. It assumes the
> following:

I'm not familiar with SELinux myself, but I'm inclined to accept
a version of this if it helps people who use it.

Some questions, below...

> - public-inbox-httpd and public-inbox-nntpd are running via systemd
>  on sane ports (119 and 80/8080)
> - /var/lib/public-inbox is the location for mainrepos
> - /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
> - /var/log/public-inbox is the location for logs
> - mail delivery is done via postfix-pipe (if you're using
>  public-inbox-watch, you shouldn't need to worry about this)

So nothing is needed for public-inbox-watch at all?

> --- /dev/null
> +++ b/contrib/selinux/el7/publicinbox.fc
> @@ -0,0 +1,7 @@
> +/usr/(local/)?bin/public-inbox-httpd    -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
> +/usr/(local/)?bin/public-inbox-nntpd    -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
> +/usr/(local/)?bin/public-inbox-mda      -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)

Is it possible to use "\" or similar to wrap long lines?

(same comments applies to the .te file; I need to use a gigantic font)

<snip>

> --- /dev/null
> +++ b/contrib/selinux/el7/publicinbox.te
> @@ -0,0 +1,101 @@
> +##################
> +# This policy allows running public-inbox-httpd and public-inbox-nntpd
> +# on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
> +#
> +# It also allows delivering mail via postfix-pipe to public-inbox-mda
> +#
> +# Author: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
> +#
> +policy_module(publicinbox, 1.0.0)

Is that 1.0.0 tied to public-inbox versions itself or
independent of public-inbox versioning?

> +# Need to be able to manage and exec runtime files for inline::c

correct capitalization should be: "Inline::C"

<snip>

> +# Run on http/httpcache and innd ports

innd?

Re: [PATCH] Contribute SELinux policy for EL7

[Konstantin Ryabitsev]

On Wed, May 30, 2018 at 03:15:24AM +0000, Eric Wong wrote:
>> - public-inbox-httpd and public-inbox-nntpd are running via systemd
>>  on sane ports (119 and 80/8080)
>> - /var/lib/public-inbox is the location for mainrepos
>> - /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
>> - /var/log/public-inbox is the location for logs
>> - mail delivery is done via postfix-pipe (if you're using
>>  public-inbox-watch, you shouldn't need to worry about this)
>
>So nothing is needed for public-inbox-watch at all?

I'd considered writing something for it, but decided to limit myself to
what I can actually cover via personal experience. In addition, my
assumption is that people who are most likely to be running
public-inbox-watch are not going to be running it as a system-level
daemon (since in that case they are more likely to set up
public-inbox-mda), but as a regular user inside screen -- and therefore
wouldn't benefit from SELinux anyway.

The priority was to cover network-listening daemons, since they are the
most exposed and running them unconfined should be avoided on an SELinux
system.

>> --- /dev/null
>> +++ b/contrib/selinux/el7/publicinbox.fc
>> @@ -0,0 +1,7 @@
>> +/usr/(local/)?bin/public-inbox-httpd    -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
>> +/usr/(local/)?bin/public-inbox-nntpd    -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
>> +/usr/(local/)?bin/public-inbox-mda      -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
>
>Is it possible to use "\" or similar to wrap long lines?
>
>(same comments applies to the .te file; I need to use a gigantic font)

I know what you mean, but I'm trying to stick with the upstream policy
style, which doesn't use such approach (e.g. see
https://github.com/TresysTechnology/refpolicy/tree/master/policy/modules/system).
Theoretically, m4 supports doing that, but if the ultimate goal is to
include it into the upstream policy, then I feel we should stick to the
formatting style used there.

>> +policy_module(publicinbox, 1.0.0)
>
>Is that 1.0.0 tied to public-inbox versions itself or
>independent of public-inbox versioning?

Fully independent.

>> +# Run on http/httpcache and innd ports
>
>innd?

Innd is the nntp daemon, and the 119/tcp port is labeled as innd_port_t,
so just sticking with that nomenclature here.

I'll send a second patch iteration in the near future, as I've missed a
thing or two in the current one.

-K

Re: [PATCH] Contribute SELinux policy for EL7

[Eric Wong]

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> On Wed, May 30, 2018 at 03:15:24AM +0000, Eric Wong wrote:
> > > - public-inbox-httpd and public-inbox-nntpd are running via systemd
> > >  on sane ports (119 and 80/8080)
> > > - /var/lib/public-inbox is the location for mainrepos
> > > - /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
> > > - /var/log/public-inbox is the location for logs
> > > - mail delivery is done via postfix-pipe (if you're using
> > >  public-inbox-watch, you shouldn't need to worry about this)
> > 
> > So nothing is needed for public-inbox-watch at all?
> 
> I'd considered writing something for it, but decided to limit myself to
> what I can actually cover via personal experience. In addition, my
> assumption is that people who are most likely to be running
> public-inbox-watch are not going to be running it as a system-level
> daemon (since in that case they are more likely to set up
> public-inbox-mda), but as a regular user inside screen -- and therefore
> wouldn't benefit from SELinux anyway.

Ah, ok. I was wondering why you thought that, and then I
realized I forgot to include a public-inbox-watch.service
example for systemd.  Anyways I run -watch via systemd,
but screen works, too.  Will add an example -watch.service
file in a separate patch.

> > Is it possible to use "\" or similar to wrap long lines?
> > 
> > (same comments applies to the .te file; I need to use a gigantic font)
> 
> I know what you mean, but I'm trying to stick with the upstream policy
> style, which doesn't use such approach (e.g. see
> https://github.com/TresysTechnology/refpolicy/tree/master/policy/modules/system).
> Theoretically, m4 supports doing that, but if the ultimate goal is to
> include it into the upstream policy, then I feel we should stick to the
> formatting style used there.

Fair enough.  There was a comment or two in the .te file which
should've been wrapped, at least.

> > > +# Run on http/httpcache and innd ports
> > 
> > innd?
> 
> Innd is the nntp daemon, and the 119/tcp port is labeled as innd_port_t,
> so just sticking with that nomenclature here.

Odd that they assume innd is the only 119 user, but they use
"http" instead of "apache" for 80.  Oh well, I suppose there
could be a comment clarifying we mean NNTP to not confuse people
into thinking we depend on innd.

> I'll send a second patch iteration in the near future, as I've missed a
> thing or two in the current one.

Sure thing, thanks.

[PATCH v2] Contribute SELinux policy for EL7

[Konstantin Ryabitsev]

[-- Attachment #1: Type: text/plain, Size: 6323 bytes --]

This adds a SELinux policy suitable for RHEL/CentOS 7. It assumes the
following:

- public-inbox-httpd and public-inbox-nntpd are running via systemd
  on sane ports (119 and 80/8080)
- /var/lib/public-inbox is the location for mainrepos
- /var/run/public-inbox is the location for PERL_INLINE_DIRECTORY
- /var/log/public-inbox is the location for logs
- mail delivery is done via postfix-pipe or public-inbox-watch via
  the provided example systemd service

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
 contrib/selinux/el7/publicinbox.fc |   8 ++
 contrib/selinux/el7/publicinbox.te | 113 +++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 contrib/selinux/el7/publicinbox.fc
 create mode 100644 contrib/selinux/el7/publicinbox.te

diff --git a/contrib/selinux/el7/publicinbox.fc b/contrib/selinux/el7/publicinbox.fc
new file mode 100644
index 0000000..c8ada2d
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.fc
@@ -0,0 +1,8 @@
+/usr/(local/)?bin/public-inbox-httpd    -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-nntpd    -- gen_context(system_u:object_r:publicinbox_daemon_exec_t,s0)
+/usr/(local/)?bin/public-inbox-watch    -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
+/usr/(local/)?bin/public-inbox-mda      -- gen_context(system_u:object_r:publicinbox_deliver_exec_t,s0)
+
+/var/lib/public-inbox(/.*)?                gen_context(system_u:object_r:publicinbox_var_lib_t,s0)
+/var/run/public-inbox(/.*)?                gen_context(system_u:object_r:publicinbox_var_run_t,s0)
+/var/log/public-inbox(/.*)?                gen_context(system_u:object_r:publicinbox_log_t,s0)
diff --git a/contrib/selinux/el7/publicinbox.te b/contrib/selinux/el7/publicinbox.te
new file mode 100644
index 0000000..023cf81
--- /dev/null
+++ b/contrib/selinux/el7/publicinbox.te
@@ -0,0 +1,113 @@
+##################
+# This policy allows running public-inbox-httpd and public-inbox-nntpd
+# on reasonable ports (119 for nntpd and 80/443/8080 for httpd)
+#
+# It also allows delivering mail via postfix-pipe to public-inbox-mda
+#
+# Author: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
+#
+policy_module(publicinbox, 1.0.3)
+
+require {
+    type postfix_pipe_t;
+    type spamc_t;
+    type spamd_t;
+}
+
+##################
+# Declarations
+
+type publicinbox_daemon_t;
+type publicinbox_daemon_exec_t;
+init_daemon_domain(publicinbox_daemon_t, publicinbox_daemon_exec_t)
+
+type publicinbox_var_lib_t;
+files_type(publicinbox_var_lib_t)
+
+type publicinbox_log_t;
+logging_log_file(publicinbox_log_t)
+
+type publicinbox_var_run_t;
+files_tmp_file(publicinbox_var_run_t)
+
+type publicinbox_tmp_t;
+files_tmp_file(publicinbox_tmp_t)
+
+type publicinbox_deliver_t;
+type publicinbox_deliver_exec_t;
+init_daemon_domain(publicinbox_deliver_t, publicinbox_deliver_exec_t)
+
+# Uncomment to put these domains into permissive mode
+#permissive publicinbox_daemon_t;
+#permissive publicinbox_deliver_t;
+
+##################
+# Daemons policy
+
+domain_use_interactive_fds(publicinbox_daemon_t)
+files_read_etc_files(publicinbox_daemon_t)
+miscfiles_read_localization(publicinbox_daemon_t)
+allow publicinbox_daemon_t self:tcp_socket create_stream_socket_perms;
+allow publicinbox_daemon_t self:tcp_socket { accept listen };
+
+# Need to be able to manage and exec them for Inline::C
+manage_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+exec_files_pattern(publicinbox_daemon_t, publicinbox_var_run_t, publicinbox_var_run_t)
+
+# Logging
+append_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+create_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+setattr_files_pattern(publicinbox_daemon_t, publicinbox_log_t, publicinbox_log_t)
+logging_log_filetrans(publicinbox_daemon_t, publicinbox_log_t, { file dir })
+
+# Run on httpd and nntp ports (called innd_port_t)
+corenet_tcp_bind_generic_node(publicinbox_daemon_t)
+corenet_tcp_bind_http_port(publicinbox_daemon_t)
+corenet_tcp_bind_http_cache_port(publicinbox_daemon_t)
+corenet_tcp_bind_innd_port(publicinbox_daemon_t)
+
+# Allow reading anything publicinbox_var_lib_t
+list_dirs_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(publicinbox_daemon_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# The daemon doesn't need to write to this dir
+dontaudit publicinbox_daemon_t publicinbox_var_lib_t:file write;
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_daemon_t)
+
+# Manage our tmp files
+manage_dirs_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
+manage_files_pattern(publicinbox_daemon_t, publicinbox_tmp_t, publicinbox_tmp_t)
+files_tmp_filetrans(publicinbox_daemon_t, publicinbox_tmp_t, { file dir })
+
+##################
+# mda/watch policy
+#
+# Allow transitioning to deliver_t from postfix pipe
+domtrans_pattern(postfix_pipe_t, publicinbox_deliver_exec_t, publicinbox_deliver_t)
+postfix_rw_inherited_master_pipes(publicinbox_deliver_t)
+postfix_read_spool_files(publicinbox_deliver_t)
+
+files_read_etc_files(publicinbox_deliver_t)
+
+# Allow managing anything in publicinbox_var_lib_t
+manage_dirs_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+manage_files_pattern(publicinbox_deliver_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# Allow executing bin (for git, mostly)
+corecmd_exec_bin(publicinbox_deliver_t)
+
+# git-fast-import wants to access system state and other bits
+kernel_dontaudit_read_system_state(publicinbox_deliver_t)
+
+# Allow using spamc
+spamassassin_domtrans_client(publicinbox_deliver_t)
+manage_files_pattern(spamc_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+read_files_pattern(spamd_t, publicinbox_var_lib_t, publicinbox_var_lib_t)
+
+# Manage our tmp files
+manage_dirs_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
+manage_files_pattern(publicinbox_deliver_t, publicinbox_tmp_t, publicinbox_tmp_t)
+files_tmp_filetrans(publicinbox_deliver_t, publicinbox_tmp_t, { file dir })
+
-- 
2.17.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v2] Contribute SELinux policy for EL7

[Eric Wong]

Thanks, applied with additions to MANIFEST