commit: add661402e877f3191bc9c7438b4bd5181991eb7
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov 7 01:13:43 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=add66140
mta, spamassassin: fixes for rspamd
rspamc needs to be able to read the mail spool when learning spam and
ham.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/mta.if | 36 +++++++++++++++++++++++++++++++++
policy/modules/services/spamassassin.te | 3 +++
2 files changed, 39 insertions(+)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 939ed4b7..c3c6069d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -789,6 +789,42 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
+#######################################
+## <summary>
+## Allow listing the mail spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_list_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ allow $1 mail_spool_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+## Allow reading mail spool symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mta_read_spool_symlinks',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ allow $1 mail_spool_t:lnk_file read;
+')
+
#######################################
## <summary>
## Do not audit attempts to read
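Review bot: The `<param name="domain">` summary of both new interfaces, `mta_list_spool` and `mta_read_spool_symlinks`, reads `Domain to not audit.`, which is the wording this file uses for dontaudit interfaces; both of these emit `allow` rules, so the summary should be `Domain allowed access.` to match the other allow interfaces in mta.if. Also, `mta_read_spool_symlinks` grants only `read` on `lnk_file`, whereas refpolicy interfaces of this kind conventionally use the permission set macro, `allow $1 mail_spool_t:lnk_file read_lnk_file_perms;`, which also covers `getattr` on the link; if the narrower set is deliberate, a comment saying so would help. The trailing context line shows the next interface's doc block continuing past the hunk.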
diff --git a/policy/modules/services/spamassassin.te
b/policy/modules/services/spamassassin.te
index 4bd18541..89f7c70b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -183,6 +183,7 @@ allow spamc_t self:fifo_file rw_fifo_file_perms;
allow spamc_t self:unix_dgram_socket sendto;
allow spamc_t self:unix_stream_socket { accept connectto listen };
allow spamc_t self:tcp_socket { accept listen };
+dontaudit spamc_t self:capability dac_read_search;
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
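Review bot: The new `dontaudit spamc_t self:capability dac_read_search;` silences the denial without granting the capability, so if rspamc is ever run as root to learn from a spool that DAC does not let it read, the read still fails but nothing reaches the audit log to explain it; from the commit message alone it is not clear whether this denial is a harmless path probe or part of the access the commit is meant to fix. A short comment above the rule, e.g. `# rspamc probes spool paths it need not read; the dac_read_search denial is noise`, would record that intent for whoever next debugs a silent failure. If the capability turns out to be required for the learning case, the rule should be an `allow` rather than a `dontaudit`.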
@@ -266,7 +267,9 @@ optional_policy(`
optional_policy(`
mta_send_mail(spamc_t)
mta_getattr_spool(spamc_t)
+ mta_list_spool(spamc_t)
mta_read_spool_files(spamc_t)
+ mta_read_spool_symlinks(spamc_t)
mta_read_config(spamc_t)
mta_read_queue(spamc_t)
sendmail_rw_pipes(spamc_t)