commit: add661402e877f3191bc9c7438b4bd5181991eb7 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Sun Nov 7 01:13:43 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Thu Nov 11 21:26:50 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=add66140
mta, spamassassin: fixes for rspamd rspamc needs to be able to read the mail spool when learning spam and ham. Signed-off-by: Kenton Groombridge <me <AT> concord.sh> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/services/mta.if | 36 +++++++++++++++++++++++++++++++++ policy/modules/services/spamassassin.te | 3 +++ 2 files changed, 39 insertions(+)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 939ed4b7..c3c6069d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -789,6 +789,42 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
 dontaudit $1 mailserver_delivery:tcp_socket { read write };
 ')
 
+#######################################
+## <summary>
+## Allow listing the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_list_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ allow $1 mail_spool_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Allow reading mail spool symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_read_spool_symlinks',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ allow $1 mail_spool_t:lnk_file read;
+')
+
 #######################################
 ## <summary>
 ## Do not audit attempts to read
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 4bd18541..89f7c70b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
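Review bot: The `<param>` summaries of both new interfaces, `mta_list_spool` and `mta_read_spool_symlinks`, read `Domain to not audit.`, which is the wording for a dontaudit interface; both add allow rules, so the summary should be `Domain allowed access.` in each. The rule in `mta_read_spool_symlinks` grants the bare permission `lnk_file read`, whereas refpolicy's other read interfaces use the `read_lnk_file_perms` set, which also carries getattr; `allow $1 mail_spool_t:lnk_file read_lnk_file_perms;` would follow that convention and let a caller stat a symlink before following it. Whether the caller in this commit actually needs getattr on the symlink cannot be told from the hunk, so confirm against the denials that prompted the change.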
@@ -183,6 +183,7 @@ allow spamc_t self:fifo_file rw_fifo_file_perms;
 allow spamc_t self:unix_dgram_socket sendto;
 allow spamc_t self:unix_stream_socket { accept connectto listen };
 allow spamc_t self:tcp_socket { accept listen };
+dontaudit spamc_t self:capability dac_read_search;
 
 manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
 manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
@@ -266,7 +267,9 @@ optional_policy(`
 optional_policy(`
 mta_send_mail(spamc_t)
 mta_getattr_spool(spamc_t)
+ mta_list_spool(spamc_t)
 mta_read_spool_files(spamc_t)
+ mta_read_spool_symlinks(spamc_t)
 mta_read_config(spamc_t)
 mta_read_queue(spamc_t)
 sendmail_rw_pipes(spamc_t)
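Review bot: The new `dontaudit spamc_t self:capability dac_read_search;` silences a denial without recording why it is expected, and a dontaudit also hides the denial if spamc later does need the capability, so the reason belongs at the rule. The commit message implies the probe comes from rspamc reading spool files it does not own while learning, and that the mta_* spool rules added in the second hunk make the DAC bypass unnecessary, but neither is stated here; a comment above the rule such as `# rspamc probes for DAC override on spool files it does not own; not needed, spool access is granted below` would let a later reader tell it apart from a missing allow. If the access is in fact required rather than merely attempted, this should be an allow with the same comment instead.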