Add is a policy for the ARC milter

This policy file particularly targets OpenARC. The OpenARC milter is both an open source library for adding Authenticated Received Chain (ARC) support to applications, and an example filter application using the milter protocol. Signed-off-by: lquidfire <[email protected]>
SELinuxProject · Jan 11, 2025 · 5601c47 · 5601c47
1 parent aa1d9dd
commit 5601c47
Show file tree

Hide file tree

Showing 6 changed files with 161 additions and 0 deletions.
diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
@@ -706,6 +706,10 @@ optional_policy(`
 	oident_admin(cloud_init_t, system_r)
 ')
 
+optional_policy(`
+	openarc_admin(cloud_init_t, system_r)
+')
+
 optional_policy(`
 	openct_admin(cloud_init_t, system_r)
 ')

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
@@ -749,6 +749,10 @@ optional_policy(`
 	ooffice_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 
+optional_policy(`
+	openarc_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	openct_admin(sysadm_t, sysadm_r)
 ')

diff --git a/policy/modules/services/openarc.fc b/policy/modules/services/openarc.fc
@@ -0,0 +1,13 @@
+/etc/openarc/keys(/.*)?                         gen_context(system_u:object_r:openarc_milter_private_key_t,s0)
+
+/etc/rc\.d/init\.d/openarc                  --	gen_context(system_u:object_r:openarc_milter_initrc_exec_t,s0)
+
+/usr/bin/openarc                            --	gen_context(system_u:object_r:openarc_milter_exec_t,s0)
+
+/usr/lib/systemd/system/openarc\.service	--	gen_context(system_u:object_r:openarc_milter_unit_t,s0)
+
+/usr/sbin/openarc                           --	gen_context(system_u:object_r:openarc_milter_exec_t,s0)
+
+/run/openarc(/.*)?                              gen_context(system_u:object_r:openarc_milter_data_t,s0)
+
+/var/run/openarc(/.*)?                          gen_context(system_u:object_r:openarc_milter_data_t,s0)
diff --git a/policy/modules/services/openarc.if b/policy/modules/services/openarc.if
@@ -0,0 +1,74 @@
+## <summary>Authenticated Received Chain milter.</summary>
+
+########################################
+## <summary>
+##	Allow a domain to talk to OpenARC via Unix domain socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openarc_stream_connect',`
+	gen_require(`
+		type openarc_milter_data_t, openarc_milter_t;
+	')
+
+	stream_connect_pattern($1, openarc_milter_data_t, openarc_milter_data_t, openarc_milter_t)
+')
+
+########################################
+## <summary>
+##	Reload the openarc service (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openarc_reload',`
+	gen_require(`
+		type openarc_milter_unit_t;
+		class service { reload status };
+	')
+
+	allow $1 openarc_milter_unit_t:service { reload status };
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an OpenARC environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openarc_admin',`
+	gen_require(`
+		type openarc_milter_t, openarc_milter_initrc_exec_t, openarc_milter_private_key_t;
+		type openarc_milter_data_t;
+	')
+
+	allow $1 openarc_milter_t:process { ptrace signal_perms };
+	ps_process_pattern($1, openarc_milter_t)
+
+	init_startstop_service($1, $2, openarc_milter_t, openarc_milter_initrc_exec_t)
+
+	files_search_etc($1)
+	admin_pattern($1, openarc_milter_private_key_t)
+
+	files_search_runtime($1)
+	admin_pattern($1, openarc_milter_data_t)
+')
diff --git a/policy/modules/services/openarc.te b/policy/modules/services/openarc.te
@@ -0,0 +1,62 @@
+policy_module(openarc)
+
+########################################
+#
+# Declarations
+#
+
+milter_template(openarc)
+
+type openarc_milter_initrc_exec_t;
+init_script_file(openarc_milter_initrc_exec_t)
+
+type openarc_milter_private_key_t;
+files_security_file(openarc_milter_private_key_t)
+
+type openarc_milter_unit_t;
+init_unit_file(openarc_milter_unit_t)
+
+init_daemon_runtime_file(openarc_milter_data_t, dir, "openarc")
+
+########################################
+#
+# Local policy
+#
+
+allow openarc_milter_t self:capability { dac_override dac_read_search setgid setuid };
+allow openarc_milter_t self:process { getsched signal signull };
+allow openarc_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(openarc_milter_t, openarc_milter_private_key_t, openarc_milter_private_key_t)
+
+# /proc/sys/kernel/ngroups_max
+kernel_read_kernel_sysctls(openarc_milter_t)
+kernel_read_vm_overcommit_sysctl(openarc_milter_t)
+
+corecmd_exec_shell(openarc_milter_t)
+
+corenet_udp_bind_generic_node(openarc_milter_t)
+corenet_udp_bind_all_unreserved_ports(openarc_milter_t)
+corenet_udp_bind_generic_port(openarc_milter_t)
+
+dev_read_urand(openarc_milter_t)
+# for cpu/online
+dev_read_sysfs(openarc_milter_t)
+
+files_runtime_filetrans(openarc_milter_t, openarc_milter_data_t, { dir file })
+files_read_usr_files(openarc_milter_t)
+files_search_spool(openarc_milter_t)
+
+miscfiles_read_generic_certs(openarc_milter_t)
+
+# Allow OpenARC to send a message to Postmaster in case of an invalid ARC signature.
+mta_sendmail_exec(openarc_milter_t)
+
+optional_policy(`
+	mta_read_config(openarc_milter_t)
+')
+
+optional_policy(`
+	# set up unix socket
+	postfix_search_spool(openarc_milter_t)
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
@@ -418,6 +418,10 @@ optional_policy(`
 	dkim_stream_connect(postfix_cleanup_t)
 ')
 
+optional_policy(`
+	openarc_stream_connect(postfix_cleanup_t)
+')
+
 optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
 ')