Merge pull request #850 from lquidfire/main

This is a policy for the ARC milter
SELinuxProject · Jan 13, 2025 · 6186373 · 6186373
2 parents aa1d9dd + 5601c47
commit 6186373
Show file tree

Hide file tree

Showing 6 changed files with 161 additions and 0 deletions.
diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
@@ -706,6 +706,10 @@ optional_policy(`
 	oident_admin(cloud_init_t, system_r)
 ')
 
+optional_policy(`
+	openarc_admin(cloud_init_t, system_r)
+')
+
 optional_policy(`
 	openct_admin(cloud_init_t, system_r)
 ')

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
@@ -749,6 +749,10 @@ optional_policy(`
 	ooffice_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 
+optional_policy(`
+	openarc_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	openct_admin(sysadm_t, sysadm_r)
 ')

diff --git a/policy/modules/services/openarc.fc b/policy/modules/services/openarc.fc
@@ -0,0 +1,13 @@
+/etc/openarc/keys(/.*)?                         gen_context(system_u:object_r:openarc_milter_private_key_t,s0)
+
+/etc/rc\.d/init\.d/openarc                  --	gen_context(system_u:object_r:openarc_milter_initrc_exec_t,s0)
+
+/usr/bin/openarc                            --	gen_context(system_u:object_r:openarc_milter_exec_t,s0)
+
+/usr/lib/systemd/system/openarc\.service	--	gen_context(system_u:object_r:openarc_milter_unit_t,s0)
+
+/usr/sbin/openarc                           --	gen_context(system_u:object_r:openarc_milter_exec_t,s0)
+
+/run/openarc(/.*)?                              gen_context(system_u:object_r:openarc_milter_data_t,s0)
+
+/var/run/openarc(/.*)?                          gen_context(system_u:object_r:openarc_milter_data_t,s0)
diff --git a/policy/modules/services/openarc.if b/policy/modules/services/openarc.if
@@ -0,0 +1,74 @@
+## <summary>Authenticated Received Chain milter.</summary>
+
+########################################
+## <summary>
+##	Allow a domain to talk to OpenARC via Unix domain socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openarc_stream_connect',`
+	gen_require(`
+		type openarc_milter_data_t, openarc_milter_t;
+	')
+
+	stream_connect_pattern($1, openarc_milter_data_t, openarc_milter_data_t, openarc_milter_t)
+')
+
+########################################
+## <summary>
+##	Reload the openarc service (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openarc_reload',`
+	gen_require(`
+		type openarc_milter_unit_t;
+		class service { reload status };
+	')
+
+	allow $1 openarc_milter_unit_t:service { reload status };
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an OpenARC environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openarc_admin',`
+	gen_require(`
+		type openarc_milter_t, openarc_milter_initrc_exec_t, openarc_milter_private_key_t;
+		type openarc_milter_data_t;
+	')
+
+	allow $1 openarc_milter_t:process { ptrace signal_perms };
+	ps_process_pattern($1, openarc_milter_t)
+
+	init_startstop_service($1, $2, openarc_milter_t, openarc_milter_initrc_exec_t)
+
+	files_search_etc($1)
+	admin_pattern($1, openarc_milter_private_key_t)
+
+	files_search_runtime($1)
+	admin_pattern($1, openarc_milter_data_t)
+')
diff --git a/policy/modules/services/openarc.te b/policy/modules/services/openarc.te
@@ -0,0 +1,62 @@
+policy_module(openarc)
+
+########################################
+#
+# Declarations
+#
+
+milter_template(openarc)
+
+type openarc_milter_initrc_exec_t;
+init_script_file(openarc_milter_initrc_exec_t)
+
+type openarc_milter_private_key_t;
+files_security_file(openarc_milter_private_key_t)
+
+type openarc_milter_unit_t;
+init_unit_file(openarc_milter_unit_t)
+
+init_daemon_runtime_file(openarc_milter_data_t, dir, "openarc")
+
+########################################
+#
+# Local policy
+#
+
+allow openarc_milter_t self:capability { dac_override dac_read_search setgid setuid };
+allow openarc_milter_t self:process { getsched signal signull };
+allow openarc_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(openarc_milter_t, openarc_milter_private_key_t, openarc_milter_private_key_t)
+
+# /proc/sys/kernel/ngroups_max
+kernel_read_kernel_sysctls(openarc_milter_t)
+kernel_read_vm_overcommit_sysctl(openarc_milter_t)
+
+corecmd_exec_shell(openarc_milter_t)
+
+corenet_udp_bind_generic_node(openarc_milter_t)
+corenet_udp_bind_all_unreserved_ports(openarc_milter_t)
+corenet_udp_bind_generic_port(openarc_milter_t)
+
+dev_read_urand(openarc_milter_t)
+# for cpu/online
+dev_read_sysfs(openarc_milter_t)
+
+files_runtime_filetrans(openarc_milter_t, openarc_milter_data_t, { dir file })
+files_read_usr_files(openarc_milter_t)
+files_search_spool(openarc_milter_t)
+
+miscfiles_read_generic_certs(openarc_milter_t)
+
+# Allow OpenARC to send a message to Postmaster in case of an invalid ARC signature.
+mta_sendmail_exec(openarc_milter_t)
+
+optional_policy(`
+	mta_read_config(openarc_milter_t)
+')
+
+optional_policy(`
+	# set up unix socket
+	postfix_search_spool(openarc_milter_t)
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
@@ -418,6 +418,10 @@ optional_policy(`
 	dkim_stream_connect(postfix_cleanup_t)
 ')
 
+optional_policy(`
+	openarc_stream_connect(postfix_cleanup_t)
+')
+
 optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
 ')