* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/roles/
@ 2025-03-08 23:55 Jason Zaman
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
To: gentoo-commits
commit: a15aa40306a62d0256e9ed9b024035d67f7f8863
Author: lquidfire <47566855+lquidfire <AT> users <DOT> noreply <DOT> github <DOT> com>
AuthorDate: Thu Jan 9 09:24:27 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar 8 23:01:08 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a15aa403
Add a policy for the ARC milter
This policy file particularly targets OpenARC. The OpenARC milter is both an open source library for adding Authenticated Received Chain (ARC) support to applications, and an example filter application using the milter protocol.
Signed-off-by: lquidfire <47566855+lquidfire <AT> users.noreply.github.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/cloudinit.te | 4 +++
policy/modules/roles/sysadm.te | 4 +++
policy/modules/services/openarc.fc | 13 +++++++
policy/modules/services/openarc.if | 74 ++++++++++++++++++++++++++++++++++++++
policy/modules/services/openarc.te | 62 ++++++++++++++++++++++++++++++++
policy/modules/services/postfix.te | 4 +++
6 files changed, 161 insertions(+)
diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
index 12e02dbc9..ccc1d1a0f 100644
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@@ -706,6 +706,10 @@ optional_policy(`
oident_admin(cloud_init_t, system_r)
')
+optional_policy(`
+ openarc_admin(cloud_init_t, system_r)
+')
+
optional_policy(`
openct_admin(cloud_init_t, system_r)
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1c03f869a..b1af04769 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -749,6 +749,10 @@ optional_policy(`
ooffice_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
+optional_policy(`
+ openarc_admin(sysadm_t, sysadm_r)
+')
+
optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/services/openarc.fc b/policy/modules/services/openarc.fc
new file mode 100644
index 000000000..a3315600a
--- /dev/null
+++ b/policy/modules/services/openarc.fc
@@ -0,0 +1,13 @@
+/etc/openarc/keys(/.*)? gen_context(system_u:object_r:openarc_milter_private_key_t,s0)
+
+/etc/rc\.d/init\.d/openarc -- gen_context(system_u:object_r:openarc_milter_initrc_exec_t,s0)
+
+/usr/bin/openarc -- gen_context(system_u:object_r:openarc_milter_exec_t,s0)
+
+/usr/lib/systemd/system/openarc\.service -- gen_context(system_u:object_r:openarc_milter_unit_t,s0)
+
+/usr/sbin/openarc -- gen_context(system_u:object_r:openarc_milter_exec_t,s0)
+
+/run/openarc(/.*)? gen_context(system_u:object_r:openarc_milter_data_t,s0)
+
+/var/run/openarc(/.*)? gen_context(system_u:object_r:openarc_milter_data_t,s0)
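Review bot: The `/var/run/openarc(/.*)?` entry duplicates `/run/openarc(/.*)?`; if this tree's file_contexts.subs_dist already maps /var/run to /run, as upstream refpolicy's does, the second entry should be dropped to match the other .fc files in the tree. Separately, the .te grants `postfix_search_spool` with the comment "set up unix socket", which suggests the milter socket may be placed under the Postfix spool rather than /run/openarc, but nothing here labels such a path as openarc_milter_data_t, so a socket created there would not be reachable through `openarc_stream_connect`. If that deployment is intended, state the expected socket location in a comment, e.g. `# socket expected under /run/openarc; a socket inside the Postfix chroot needs its own label`, so the gap is visible to whoever hits the denial.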
diff --git a/policy/modules/services/openarc.if b/policy/modules/services/openarc.if
new file mode 100644
index 000000000..ca188094f
--- /dev/null
+++ b/policy/modules/services/openarc.if
@@ -0,0 +1,74 @@
+## <summary>Authenticated Received Chain milter.</summary>
+
+########################################
+## <summary>
+## Allow a domain to talk to OpenARC via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openarc_stream_connect',`
+ gen_require(`
+ type openarc_milter_data_t, openarc_milter_t;
+ ')
+
+ stream_connect_pattern($1, openarc_milter_data_t, openarc_milter_data_t, openarc_milter_t)
+')
+
+########################################
+## <summary>
+## Reload the openarc service (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openarc_reload',`
+ gen_require(`
+ type openarc_milter_unit_t;
+ class service { reload status };
+ ')
+
+ allow $1 openarc_milter_unit_t:service { reload status };
+')
+
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an OpenARC environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`openarc_admin',`
+ gen_require(`
+ type openarc_milter_t, openarc_milter_initrc_exec_t, openarc_milter_private_key_t;
+ type openarc_milter_data_t;
+ ')
+
+ allow $1 openarc_milter_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openarc_milter_t)
+
+ init_startstop_service($1, $2, openarc_milter_t, openarc_milter_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, openarc_milter_private_key_t)
+
+ files_search_runtime($1)
+ admin_pattern($1, openarc_milter_data_t)
+')
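Review bot: `openarc_stream_connect` grants the socket connect but not the directory lookup a caller needs to reach /run/openarc; the comparable refpolicy interfaces pair the pattern with `files_search_runtime($1)`, so add that line before the `stream_connect_pattern` call so callers other than postfix do not fail on a var_run_t search denial. In `openarc_admin`, the unit type declared in the .te (`openarc_milter_unit_t`) is never passed to `init_startstop_service`, so an admin role on a systemd host can drive the init script but not the unit; if this tree's `init_startstop_service` accepts a unit type as its fifth argument, pass `openarc_milter_unit_t` there, otherwise have the admin interface call `openarc_reload($1)` as well. The `class service { reload status }` inside `openarc_reload`'s gen_require is unusual for module .if files in this tree — confirm whether an existing init/systemd interface already wraps that permission set.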
diff --git a/policy/modules/services/openarc.te b/policy/modules/services/openarc.te
new file mode 100644
index 000000000..e27555141
--- /dev/null
+++ b/policy/modules/services/openarc.te
@@ -0,0 +1,62 @@
+policy_module(openarc)
+
+########################################
+#
+# Declarations
+#
+
+milter_template(openarc)
+
+type openarc_milter_initrc_exec_t;
+init_script_file(openarc_milter_initrc_exec_t)
+
+type openarc_milter_private_key_t;
+files_security_file(openarc_milter_private_key_t)
+
+type openarc_milter_unit_t;
+init_unit_file(openarc_milter_unit_t)
+
+init_daemon_runtime_file(openarc_milter_data_t, dir, "openarc")
+
+########################################
+#
+# Local policy
+#
+
+allow openarc_milter_t self:capability { dac_override dac_read_search setgid setuid };
+allow openarc_milter_t self:process { getsched signal signull };
+allow openarc_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(openarc_milter_t, openarc_milter_private_key_t, openarc_milter_private_key_t)
+
+# /proc/sys/kernel/ngroups_max
+kernel_read_kernel_sysctls(openarc_milter_t)
+kernel_read_vm_overcommit_sysctl(openarc_milter_t)
+
+corecmd_exec_shell(openarc_milter_t)
+
+corenet_udp_bind_generic_node(openarc_milter_t)
+corenet_udp_bind_all_unreserved_ports(openarc_milter_t)
+corenet_udp_bind_generic_port(openarc_milter_t)
+
+dev_read_urand(openarc_milter_t)
+# for cpu/online
+dev_read_sysfs(openarc_milter_t)
+
+files_runtime_filetrans(openarc_milter_t, openarc_milter_data_t, { dir file })
+files_read_usr_files(openarc_milter_t)
+files_search_spool(openarc_milter_t)
+
+miscfiles_read_generic_certs(openarc_milter_t)
+
+# Allow OpenARC to send a message to Postmaster in case of an invalid ARC signature.
+mta_sendmail_exec(openarc_milter_t)
+
+optional_policy(`
+ mta_read_config(openarc_milter_t)
+')
+
+optional_policy(`
+ # set up unix socket
+ postfix_search_spool(openarc_milter_t)
+')
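Review bot: `dac_override` in `allow openarc_milter_t self:capability { dac_override dac_read_search setgid setuid };` is broader than the visible need: if the daemon drops to its own uid and only has to read root-owned 0600 keys under /etc/openarc/keys, `dac_read_search` alone covers that, and `dac_override` (which also bypasses DAC write checks) should be removed or justified in a comment. `corecmd_exec_shell(openarc_milter_t)` is unexplained; for a domain that parses untrusted mail headers a shell exec is significant, so either document what invokes it (presumably a popen() of sendmail for the postmaster notice) or drop it if the sendmail path does not need it. `mta_sendmail_exec` runs sendmail inside openarc_milter_t with no domain transition, and it sits outside `optional_policy` while `mta_read_config` a few lines later is wrapped, so the two are inconsistent; the usual refpolicy idiom is `mta_send_mail(openarc_milter_t)` inside the same optional_policy block, which transitions to the mail domain instead of lending openarc's capabilities to sendmail. The three `corenet_udp_bind_*` lines presumably exist for the resolver's source ports during ARC/DKIM verification; a comment such as `# DNS lookups for signature verification` would make that intent explicit.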
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 352b090ea..b70858934 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -418,6 +418,10 @@ optional_policy(`
dkim_stream_connect(postfix_cleanup_t)
')
+optional_policy(`
+ openarc_stream_connect(postfix_cleanup_t)
+')
+
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')
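Review bot: Only `postfix_cleanup_t` gains the socket connect, which covers milters configured through `non_smtpd_milters`; if ARC is configured via `smtpd_milters`, as is typical for inbound mail, `postfix_smtpd_t` needs the same `openarc_stream_connect(postfix_smtpd_t)` or it will be denied at the socket. Since openarc.te builds the domain with `milter_template`, its types should carry the milter attributes; if this file already calls `milter_stream_connect_all` for these postfix domains outside the hunk, the per-module call is redundant and can be dropped, while the adjacent `dkim_stream_connect` call is the precedent if per-module calls are the convention here.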