spammer-block_policy.te
# SELinux type-enforcement policy module for the spammer-block daemon.
# Declares the daemon's domain, lists the foreign types and classes it touches,
# and grants (allow) or silently denies (dontaudit) the accesses observed.
policy_module(spammer-block_policy, 1.0.0)
########################################
#
# Declarations
#
# spammerblock_t is the domain the daemon runs in; spammerblock_exec_t labels
# its executable. init_daemon_domain() wires up the init_t -> spammerblock_t
# transition that happens when init executes a spammerblock_exec_t file.
type spammerblock_t;
type spammerblock_exec_t;
init_daemon_domain(spammerblock_t, spammerblock_exec_t)
# Intentionally commented out: enabling it makes the domain permissive
# (denials are logged but not enforced). Only use while developing the policy;
# never ship it enabled.
#permissive spammerblock_t;
########################################
#
# spammer-block local policy
#
# Types and classes from other modules that the rules below reference.
# NOTE(review): init_t is used by several rules below but is not listed here;
# presumably init_daemon_domain() already requires it — confirm by building.
require {
# Types used
type system_dbusd_var_run_t;
type system_dbusd_t;
type kernel_t;
type user_devpts_t;
type sssd_t;
type sssd_var_lib_t;
type sssd_public_t;
type passwd_file_t;
type user_home_t;
type user_home_dir_t;
type net_conf_t;
type smtp_port_t;
type tmp_t;
type syslogd_var_run_t;
type node_t;
type proc_t;
type sysfs_t;
type systemd_userdbd_t;
type systemd_userdbd_runtime_t;
type cert_t;
# Noise:
# Types that are only ever dontaudit'ed (see the "Noise" section at the end).
type abrt_etc_t;
type admin_home_t;
type arpwatch_data_t;
type bacula_spool_t;
type boot_t;
type chronyd_var_lib_t;
type colord_var_lib_t;
type configfs_t;
type debugfs_t;
type default_t;
type device_t;
type dkim_milter_data_t;
type dnsmasq_lease_t;
type dosfs_t;
type etc_runtime_t;
type fusefs_t;
type geoclue_var_lib_t;
type glusterd_var_run_t;
type home_root_t;
type hugetlbfs_t;
type mail_spool_t;
type named_cache_t;
type named_conf_t;
type named_zone_t;
type postfix_spool_t;
type postgresql_db_t;
type print_spool_t;
type public_content_t;
type redis_var_lib_t;
type saslauthd_var_run_t;
type security_t;
type slapd_db_t;
type squid_cache_t;
type sysctl_fs_t;
type tmpfs_t;
type unlabeled_t;
type user_tmp_t;
type var_lib_nfs_t;
type var_run_t;
type var_t;
type systemd_machined_t;
# Classes used
# NOTE(review): the rules below also use file permissions not listed here
# (open, map, ioctl, watch) and classes not listed at all (dir, lnk_file,
# sock_file, tcp_socket, ...). policy_module() normally requires every kernel
# class and permission, so this list is presumably informational — confirm
# that the module builds cleanly.
class file { execute setattr read lock create execute_no_trans write getattr unlink append };
class chr_file { append read write };
class dbus { acquire_svc send_msg };
}
# Baseline daemon accesses: pipes and unix sockets to itself, inherited fds,
# /etc configuration files and locale data.
allow spammerblock_t self:fifo_file rw_fifo_file_perms;
allow spammerblock_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(spammerblock_t)
files_read_etc_files(spammerblock_t)
miscfiles_read_localization(spammerblock_t)
#
# Added
#
# CAP_DAC_READ_SEARCH lets the domain bypass file-mode (DAC) read and search
# checks; SELinux type rules still apply. Presumably needed to read other users'
# home directories (see "Users' homedirs" below) — confirm, and drop it if not.
allow spammerblock_t self:capability { dac_read_search };
# Outbound TCP client socket, used by the SMTP rules below.
allow spammerblock_t self:tcp_socket { bind connect create read write };
# Core functionality
allow spammerblock_t proc_t:file { read open };
allow spammerblock_t sysfs_t:file { read open };
# NOTE(review): write on the generic var_run_t directory type is broader than a
# private runtime type would be; a dedicated *_runtime_t with a file transition
# would scope it to this daemon's own files.
allow spammerblock_t var_run_t:dir { open read write };
allow spammerblock_t cert_t:dir { search };
allow spammerblock_t cert_t:file { open read getattr };
# NOTE(review): hugetlbfs directory write is granted here, while getattr/search
# on the same type is only dontaudit'ed below — the intent is not clear from
# this file; confirm it is really needed.
allow spammerblock_t hugetlbfs_t:dir { open read write };
# Enables SELinux domain transitions to occur under no_new_privs (NNP).
# Explanation:
# NNP states "No new privileges!", however, during SELinux context transition
# from spammerblock_exec_t to spammerblock_t, the process will counter-intuitively
# gain new privileges. We need to allow this one-time privilege escalation.
allow init_t spammerblock_t:process2 nnp_transition;
# D-Bus
# Connect to the system bus socket and exchange messages with the bus daemon,
# with init (systemd) in both directions, and with itself.
allow spammerblock_t self:unix_dgram_socket { create getattr getopt setopt write };
allow spammerblock_t system_dbusd_var_run_t:dir { search };
allow spammerblock_t system_dbusd_var_run_t:sock_file { write };
allow spammerblock_t system_dbusd_t:dbus { acquire_svc send_msg };
allow spammerblock_t system_dbusd_t:unix_stream_socket { connectto sendto };
allow spammerblock_t init_t:dbus { send_msg };
allow init_t spammerblock_t:dbus { send_msg };
allow spammerblock_t self:dbus { send_msg };
# D-Bus: Systemd watchdog
allow spammerblock_t kernel_t:unix_dgram_socket { sendto };
allow spammerblock_t kernel_t:unix_stream_socket { connectto };
# Users:
# User/group lookups via sssd, /etc/passwd and systemd-userdbd.
allow spammerblock_t sssd_t:unix_stream_socket { connectto };
allow spammerblock_t sssd_var_lib_t:dir { search };
allow spammerblock_t sssd_var_lib_t:sock_file { write };
allow spammerblock_t sssd_public_t:dir { search };
allow spammerblock_t sssd_public_t:file { getattr open read map };
allow spammerblock_t passwd_file_t:file { getattr open read };
allow spammerblock_t systemd_userdbd_t:unix_stream_socket { connectto };
allow spammerblock_t systemd_userdbd_runtime_t:dir { open read getattr search };
allow spammerblock_t systemd_userdbd_runtime_t:lnk_file { read };
allow spammerblock_t systemd_userdbd_runtime_t:sock_file { write };
# Users' homedirs:
# Read-only access to files and symlinks under users' home directories,
# plus inotify-style watches on the directories themselves.
allow spammerblock_t user_home_dir_t:dir { getattr search };
allow spammerblock_t user_home_t:dir { open read watch getattr search };
allow spammerblock_t user_home_t:file { ioctl open read };
allow spammerblock_t user_home_t:lnk_file { read };
# Stdout / Stderr
allow spammerblock_t user_devpts_t:chr_file { append read write getattr ioctl };
# Journald
allow spammerblock_t syslogd_var_run_t:dir { search };
allow spammerblock_t syslogd_var_run_t:sock_file { write };
# Bind the TCP socket to a local node (belongs with the tcp_socket rule above
# rather than with the journald rules).
allow spammerblock_t node_t:tcp_socket { node_bind };
# Send mail via SMTP
# Resolver configuration plus a name_connect to the SMTP port only.
allow spammerblock_t net_conf_t:file { getattr open read };
allow spammerblock_t net_conf_t:lnk_file { read };
allow spammerblock_t smtp_port_t:tcp_socket { name_connect };
allow spammerblock_t systemd_machined_t:unix_stream_socket { connectto };
# GlibC requires access to /tmp
# NOTE(review): these rules let the domain create, write, map AND execute files
# under the shared tmp_t and tmpfs_t labels, i.e. a writable-then-executable
# location. Which library actually needs execute here is not stated — confirm.
# If it is genuinely required, a private tmp type set up with
# files_tmp_filetrans() would confine the execute permission to this daemon's
# own temporary files instead of everything labelled tmp_t / tmpfs_t.
allow spammerblock_t tmp_t:file { open map create unlink write execute };
allow spammerblock_t tmp_t:dir { add_name remove_name write };
# NOTE(review): tmpfs_t directories get write here but getattr/search on them
# is only dontaudit'ed below; creating files there normally needs search as
# well — confirm which one is intended.
allow spammerblock_t tmpfs_t:dir { write };
allow spammerblock_t tmpfs_t:file { open read write map execute };
# Noise:
# Python is very touchy-feely and loves accessing lots of unrelated files and directories.
# dontaudit suppresses the AVC log entry but still denies the access, so any
# access in this list that turns out to be required fails silently. When
# debugging, temporarily disable dontaudit rules with `semodule -DB` and
# re-enable them with `semodule -B`.
dontaudit spammerblock_t abrt_etc_t:dir { getattr search };
dontaudit spammerblock_t admin_home_t:dir { getattr search };
dontaudit spammerblock_t arpwatch_data_t:dir { getattr search };
dontaudit spammerblock_t bacula_spool_t:dir { getattr search };
dontaudit spammerblock_t boot_t:dir { getattr search };
dontaudit spammerblock_t chronyd_var_lib_t:dir { getattr search };
dontaudit spammerblock_t colord_var_lib_t:dir { getattr search };
dontaudit spammerblock_t configfs_t:dir { getattr search };
dontaudit spammerblock_t debugfs_t:dir { getattr search };
dontaudit spammerblock_t default_t:dir { getattr search };
dontaudit spammerblock_t device_t:dir { getattr search };
dontaudit spammerblock_t dkim_milter_data_t:dir { getattr search };
dontaudit spammerblock_t dnsmasq_lease_t:dir { getattr search };
dontaudit spammerblock_t dosfs_t:dir { getattr search };
dontaudit spammerblock_t etc_runtime_t:dir { getattr search };
dontaudit spammerblock_t fusefs_t:dir { getattr search };
dontaudit spammerblock_t geoclue_var_lib_t:dir { getattr search };
dontaudit spammerblock_t glusterd_var_run_t:dir { getattr search };
dontaudit spammerblock_t home_root_t:dir { getattr search };
dontaudit spammerblock_t hugetlbfs_t:dir { getattr search };
dontaudit spammerblock_t mail_spool_t:dir { getattr search };
dontaudit spammerblock_t named_cache_t:dir { getattr search };
dontaudit spammerblock_t named_conf_t:dir { getattr search };
dontaudit spammerblock_t named_zone_t:dir { getattr search };
dontaudit spammerblock_t postfix_spool_t:dir { getattr search };
dontaudit spammerblock_t postgresql_db_t:dir { getattr search };
dontaudit spammerblock_t print_spool_t:dir { getattr search };
dontaudit spammerblock_t public_content_t:dir { getattr search };
dontaudit spammerblock_t redis_var_lib_t:dir { getattr search };
dontaudit spammerblock_t saslauthd_var_run_t:dir { getattr search };
dontaudit spammerblock_t security_t:dir { getattr search };
dontaudit spammerblock_t slapd_db_t:dir { getattr search };
dontaudit spammerblock_t squid_cache_t:dir { getattr search };
dontaudit spammerblock_t sysctl_fs_t:dir { getattr search };
dontaudit spammerblock_t tmpfs_t:dir { getattr search };
dontaudit spammerblock_t unlabeled_t:dir { getattr search };
dontaudit spammerblock_t user_tmp_t:dir { getattr search };
dontaudit spammerblock_t var_lib_nfs_t:dir { getattr search };
dontaudit spammerblock_t var_t:dir { getattr search };