authorGuido Trentalancia <guido@trentalancia.com>2023-09-18 15:39:12 +0200
committerKenton Groombridge <concord@gentoo.org>2023-10-06 11:26:32 -0400
commit980703155baa838a64e6f3e55f51b0fc81f34fef (patch)
tree7cca682e893d604fe86ab32e3905d1b6681100bf
parentExtend the scope of the "spamassassin_can_network" tunable policy boolean to ... (diff)
Update the spamassassin module in order to better support the rules updating script; this is achieved by employing two distinct domains for increased security and network isolation: a first domain is used for fetching the updated rules from the network and a second domain is used for verifying the GPG signatures of the received rules.
The rules update feature is now controlled by a boolean for increased flexibility (it overrides the generic networking boolean). The specific file type for the spamassassin update feature temporary files has been removed: just use spamd_tmp_t instead of spamd_update_tmp_t and add a corresponding alias. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/services/spamassassin.if11
-rw-r--r--policy/modules/services/spamassassin.te100
2 files changed, 86 insertions, 25 deletions
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 86afba2d..f351aefb 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -30,15 +30,18 @@ template(`spamassassin_role',`
gen_require(`
type spamc_t, spamc_exec_t, spamc_tmp_t;
type spamassassin_t, spamassassin_exec_t, spamd_home_t;
+ type spamd_update_t, spamd_update_exec_t;
+ type spamd_update_gpg_t;
type spamassassin_home_t, spamassassin_tmp_t;
')
- role $4 types { spamc_t spamassassin_t };
+ role $4 types { spamc_t spamassassin_t spamd_update_t spamd_update_gpg_t };
domtrans_pattern($3, spamassassin_exec_t, spamassassin_t)
domtrans_pattern($3, spamc_exec_t, spamc_t)
+ domtrans_pattern($3, spamd_update_exec_t, spamd_update_t)
- admin_process_pattern($3, { spamc_t spamassassin_t })
+ admin_process_pattern($3, { spamc_t spamassassin_t spamd_update_t })
allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
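Review bot: The new role line grants `$4` the spamd_update_gpg_t domain, but the admin_process_pattern call on the line below it stops at spamd_update_t, so a user of the role can run the GPG verification domain yet cannot inspect or signal it the way they can the other spamassassin domains. Unless that asymmetry is intended, the call should read `admin_process_pattern($3, { spamc_t spamassassin_t spamd_update_t spamd_update_gpg_t })`. Note also that spamd_update_t is reached by domtrans_pattern here while spamd_update_gpg_t is only reached through gpg_spec_domtrans in the .te file; a short comment next to the role line saying that the gpg domain is entered from spamd_update_t rather than from the user's shell would save the next reader a lookup.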
@@ -461,7 +464,7 @@ interface(`spamassassin_admin',`
type spamd_t, spamd_tmp_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_runtime_t;
type spamd_initrc_exec_t, spamassassin_unit_t;
- type spamd_update_t, spamd_update_t, spamd_update_tmp_t;
+ type spamd_update_t;
')
admin_process_pattern($1, { spamd_t spamd_update_t spamd_update_t })
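Review bot: The duplicated `spamd_update_t` is removed from the gen_require block, but the same duplicate survives in the admin_process_pattern call that closes this hunk (`{ spamd_t spamd_update_t spamd_update_t }`), which is still a context line. Since the commit also introduces a spamd_update_gpg_t domain that an administrator will presumably want to manage, the natural fix is `type spamd_update_t, spamd_update_gpg_t;` in the require block and `admin_process_pattern($1, { spamd_t spamd_update_t spamd_update_gpg_t })` here. Whether spamassassin_admin is meant to cover the gpg domain is inferred from the commit description rather than visible in this hunk, so confirm before adding it.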
@@ -469,7 +472,7 @@ interface(`spamassassin_admin',`
init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t)
files_list_tmp($1)
- admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })
+ admin_pattern($1, spamd_tmp_t)
logging_list_logs($1)
admin_pattern($1, spamd_log_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index d2fb5599..244b6884 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -24,18 +24,22 @@ gen_tunable(spamd_enable_home_dirs, false)
## <desc>
## <p>
+## Determine whether spamassassin
+## can update the rules using the
+## network.
+## </p>
+## </desc>
+gen_tunable(spamassassin_network_update, true)
+
+## <desc>
+## <p>
## Determine whether extra rules should
## be enabled to support rspamd.
## </p>
## </desc>
gen_tunable(rspamd_spamd, false)
-type spamd_update_t;
-type spamd_update_exec_t;
-init_system_domain(spamd_update_t, spamd_update_exec_t)
-
-type spamd_update_tmp_t;
-files_tmp_file(spamd_update_tmp_t)
+attribute_role spamd_update_roles;
type spamassassin_t;
type spamassassin_exec_t;
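Review bot: The `<desc>` of the new spamassassin_network_update tunable does not say how it relates to the existing spamassassin_can_network boolean, although the commit description states that the new one overrides it for the update domain, and a reader of the generated documentation only sees the `<desc>` text. Suggest extending the paragraph to "Determine whether spamassassin can update the rules using the network. This is independent of the spamassassin_can_network boolean and is enabled by default." The `true` default also deserves that explicit mention, since it means outbound HTTP from spamd_update_t is allowed out of the box. Separately, `attribute_role spamd_update_roles;` is declared here but nothing in this diff adds a role to it (the .if template assigns `$4` directly), so either a `roleattribute` elsewhere in the file populates it or the attribute is currently empty; worth a comment on the declaration either way.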
@@ -88,6 +92,7 @@ files_type(spamd_spool_t)
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)
+typealias spamd_tmp_t alias spamd_update_tmp_t;
type spamd_tmpfs_t;
files_tmpfs_file(spamd_tmpfs_t)
@@ -95,6 +100,16 @@ files_tmpfs_file(spamd_tmpfs_t)
type spamd_var_lib_t;
files_type(spamd_var_lib_t)
+type spamd_update_t;
+type spamd_update_exec_t;
+application_domain(spamd_update_t, spamd_update_exec_t)
+role spamd_update_roles types spamd_update_t;
+
+type spamd_update_gpg_t;
+typealias spamd_update_gpg_t alias spamd_gpg_t;
+domain_type(spamd_update_gpg_t)
+role system_r types spamd_update_gpg_t;
+
########################################
#
# Standalone local policy
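Review bot: The two new domains are wired to roles differently: spamd_update_t goes through the spamd_update_roles attribute (`role spamd_update_roles types spamd_update_t;`) while spamd_update_gpg_t is hard-wired to `role system_r types spamd_update_gpg_t;`, even though the .if template also authorises the gpg domain for user roles. If system_r is (or is meant to be) a member of spamd_update_roles, `role spamd_update_roles types spamd_update_gpg_t;` would keep the two declarations consistent; I cannot see from this diff whether that membership exists. The `typealias spamd_update_gpg_t alias spamd_gpg_t;` line has no visible user and no comment; a one-line note such as `# kept for policies that referenced the shorter name` (or removal, if it is new in this commit) would make its purpose clear.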
@@ -513,33 +528,25 @@ optional_policy(`
# Update local policy
#
-allow spamd_update_t self:capability dac_read_search;
+allow spamd_update_t self:capability { dac_override dac_read_search };
allow spamd_update_t self:process signal;
allow spamd_update_t self:fifo_file manage_fifo_file_perms;
allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
-manage_dirs_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
-manage_files_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
-files_tmp_filetrans(spamd_update_t, spamd_update_tmp_t, { file dir })
+manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
+manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
+files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+files_var_lib_filetrans(spamd_update_t, spamd_var_lib_t, { file dir })
-kernel_search_fs_sysctls(spamd_update_t)
-kernel_read_system_state(spamd_update_t)
+kernel_dontaudit_search_sysctl(spamd_update_t)
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-corenet_all_recvfrom_netlabel(spamd_update_t)
-corenet_tcp_sendrecv_generic_if(spamd_update_t)
-corenet_tcp_sendrecv_generic_node(spamd_update_t)
-corenet_sendrecv_http_client_packets(spamd_update_t)
-corenet_tcp_connect_http_port(spamd_update_t)
-corenet_tcp_bind_generic_node(spamd_update_t)
-corenet_udp_bind_generic_node(spamd_update_t)
-
dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
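Review bot: The first line of this hunk widens spamd_update_t from `dac_read_search` to `{ dac_override dac_read_search }`, and dac_override is a much larger grant: it bypasses DAC checks for writes as well as reads, for a domain that now has network access and manages spamd_var_lib_t content. If the update script only needs to traverse or read files it does not own, dac_read_search already covers that and the addition should be dropped; if a genuine write case exists, a comment naming it (`# dac_override: <reason>`) should sit above the line so the grant is not silently kept forever. The new `files_var_lib_filetrans(spamd_update_t, spamd_var_lib_t, { file dir })` is likewise unnamed, so every file or directory the domain creates directly under /var/lib gets spamd_var_lib_t; if the script creates a fixed directory name there, passing it as the name argument would confine the transition to that path.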
@@ -558,10 +565,61 @@ userdom_use_inherited_user_terminals(spamd_update_t)
userdom_dontaudit_search_user_home_dirs(spamd_update_t)
userdom_dontaudit_search_user_home_content(spamd_update_t)
+tunable_policy(`spamassassin_network_update',`
+ corenet_all_recvfrom_netlabel(spamd_update_t)
+ corenet_tcp_sendrecv_generic_if(spamd_update_t)
+ corenet_tcp_sendrecv_generic_node(spamd_update_t)
+ corenet_tcp_bind_generic_node(spamd_update_t)
+ corenet_udp_bind_generic_node(spamd_update_t)
+ corenet_sendrecv_http_client_packets(spamd_update_t)
+ corenet_tcp_connect_http_port(spamd_update_t)
+')
+
optional_policy(`
cron_system_entry(spamd_update_t, spamd_update_exec_t)
')
optional_policy(`
- gpg_exec(spamd_update_t)
+ gpg_spec_domtrans(spamd_update_t, spamd_update_gpg_t)
+')
+
+optional_policy(`
+ mta_read_config(spamd_update_t)
+')
+
+########################################
+#
+# GPG local policy
+#
+
+allow spamd_update_gpg_t self:process setrlimit;
+
+allow spamd_update_gpg_t spamd_update_t:fd use;
+allow spamd_update_gpg_t spamd_update_t:fifo_file rw_fifo_file_perms;
+allow spamd_update_gpg_t spamd_update_t:process sigchld;
+
+manage_dirs_pattern(spamd_update_gpg_t, spamd_tmp_t, spamd_tmp_t)
+manage_files_pattern(spamd_update_gpg_t, spamd_tmp_t, spamd_tmp_t)
+files_tmp_filetrans(spamd_update_gpg_t, spamd_tmp_t, { file dir })
+
+kernel_dontaudit_search_sysctl(spamd_update_gpg_t)
+
+files_read_usr_files(spamd_update_gpg_t)
+
+miscfiles_read_localization(spamd_update_gpg_t)
+
+userdom_use_unpriv_users_fds(spamd_update_gpg_t)
+userdom_use_inherited_user_terminals(spamd_update_gpg_t)
+
+optional_policy(`
+ gpg_entry_type(spamd_update_gpg_t)
+ gpg_exec(spamd_update_gpg_t)
+ gpg_dontaudit_getattr_gpg_runtime_dirs(spamd_update_gpg_t)
+ gpg_dontaudit_search_user_secrets_dirs(spamd_update_gpg_t)
+ gpg_agent_entry_type(spamd_update_gpg_t)
+ gpg_agent_exec(spamd_update_gpg_t)
+')
+
+optional_policy(`
+ mta_manage_config(spamd_update_gpg_t)
')
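Review bot: The closing optional block gives the signature-verification domain `mta_manage_config(spamd_update_gpg_t)`, which is write access to MTA configuration, while the fetching domain above it only receives `mta_read_config(spamd_update_t)`; a domain whose job is to verify GPG signatures on downloaded rules should not be able to modify mail configuration. If the keyring the script verifies against lives under an MTA config directory, a dedicated keyring type (or at most a read interface) would keep the gpg domain confined to its single task, which is the isolation the commit sets out to achieve. The three `allow spamd_update_gpg_t spamd_update_t:{fd use, fifo_file rw, process sigchld}` rules at the top of the GPG section look like what a domain transition pattern already grants to the child; if gpg_spec_domtrans is built on domtrans_pattern they are redundant and could go. The absence of any corenet rules for spamd_update_gpg_t is the right shape and deserves a short comment above the section (`# no network access: this domain only verifies signatures`) so it is not "fixed" later.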