Re: add a transition rule
- From: Paul Howarth <paul city-fan org>
- To: Vadym Chepkov <chepkov yahoo com>
- Cc: Fedora SELinux <fedora-selinux-list redhat com>
- Subject: Re: add a transition rule
- Date: Tue, 28 Jul 2009 14:46:47 +0100
Hi Vadym,
On 19/07/09 04:35, Vadym Chepkov wrote:
I have a script, executed by apache, which is running in the httpd_svn_script_t domain. This script calls svn-mailer (bin_t), which in turn calls /usr/sbin/sendmail.sendmail (sendmail_exec_t), and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get a humongous amount of AVCs. What would be the proper rule to add to the local policy to make sendmail run in the proper domain, sendmail_t?
And for that matter, if httpd_can_sendmail --> on, shouldn't it be happening automatically? Thank you.
Sincerely yours,
Vadym Chepkov
I'm just back off vacation and saw your email. Funnily enough I wrote an
svnmailer policy a few weeks ago, so it would be interesting to compare
notes:
I've actually split it into two modules, svnmailer for the policy
itself, and svnmailer-extras for additional interfaces needed in other
policy modules. I find this arrangement is easier to manage when getting
policy merged upstream.
I made my hook scripts httpd_sys_script_exec_t and transition from there
to httpd_svnmailer_script_t via a domtrans. The svn repository itself is
httpd_sys_content_rw_t.
Paul.
# svnmailer file contexts: the hook-invoked binary and its log directory
/usr/bin/svn-mailer		--	gen_context(system_u:object_r:httpd_svnmailer_script_exec_t,s0)
/var/log/svnmailer(/.*)?		gen_context(system_u:object_r:svnmailer_log_t,s0)
## <summary>policy for svn-mailer</summary>

########################################
## <summary>
##	Execute a domain transition to run svn-mailer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`svnmailer_domtrans',`
	gen_require(`
		type httpd_svnmailer_script_t, httpd_svnmailer_script_exec_t;
	')

	# executing httpd_svnmailer_script_exec_t from $1 enters httpd_svnmailer_script_t
	domain_auto_trans($1, httpd_svnmailer_script_exec_t, httpd_svnmailer_script_t)

	# the new domain inherits the caller's descriptors and pipes and reports its exit
	allow httpd_svnmailer_script_t $1:fd use;
	allow httpd_svnmailer_script_t $1:fifo_file rw_file_perms;
	allow httpd_svnmailer_script_t $1:process sigchld;
')

########################################
## <summary>
##	Allow the specified domain to manage
##	svnmailer log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`svnmailer_manage_log',`
	gen_require(`
		type svnmailer_log_t;
	')

	# files and dirs $1 creates under /var/log get svnmailer_log_t
	logging_log_filetrans($1, svnmailer_log_t, { file dir })
	manage_dirs_pattern($1, svnmailer_log_t, svnmailer_log_t)
	manage_files_pattern($1, svnmailer_log_t, svnmailer_log_t)
')
policy_module(svnmailer, 0.1.4)

########################################
#
# Declarations
#

# log files
type svnmailer_log_t;
logging_log_file(svnmailer_log_t)

# tmp files
type svnmailer_tmp_t;
files_tmp_file(svnmailer_tmp_t)

########################################
#
# svnmailer local policy
#
# Use of svnmailer requires httpd_enable_cgi to be set
#
# Underlying subversion repo is expected to be httpd_sys_content_rw_t
# (served via mod_dav_svn), with hooks directory and its contents
# labeled httpd_sys_script_exec_t
#
# svnmailer output should be redirected to svnmailer_log_t,
# e.g. in hooks/post-commit:
# /usr/bin/svn-mailer --commit --repository "${REPOS}" --revision "${REV}" \
#	--background 2>>/var/log/svnmailer/my-repo.log

# declares httpd_svnmailer_script_t / httpd_svnmailer_script_exec_t and the
# usual apache script domain rules
apache_content_template(svnmailer)

# log files
manage_dirs_pattern(httpd_svnmailer_script_t, svnmailer_log_t, svnmailer_log_t)
manage_files_pattern(httpd_svnmailer_script_t, svnmailer_log_t, svnmailer_log_t)
logging_log_filetrans(httpd_svnmailer_script_t, svnmailer_log_t, { file dir })

# tmp files
manage_dirs_pattern(httpd_svnmailer_script_t, svnmailer_tmp_t, svnmailer_tmp_t)
manage_files_pattern(httpd_svnmailer_script_t, svnmailer_tmp_t, svnmailer_tmp_t)
files_tmp_filetrans(httpd_svnmailer_script_t, svnmailer_tmp_t, { file dir })

# repository data lives in httpd-writable files and dirs
apache_read_sys_content(httpd_svnmailer_script_t)
apache_read_sys_content_rw(httpd_svnmailer_script_t)

# leaked file descriptors again (we need read access but not write)
apache_dontaudit_rw_sys_content_rw_files(httpd_svnmailer_script_t)

# svn-mailer looks for and does getattr on locale (in /usr/bin when it finds it)
corecmd_getattr_bin_files(httpd_svnmailer_script_t)
corecmd_read_bin_symlinks(httpd_svnmailer_script_t)
corecmd_search_bin(httpd_svnmailer_script_t)

# svn-mailer can act as an SMTP client...
corenet_tcp_connect_smtp_port(httpd_svnmailer_script_t)
corenet_sendrecv_smtp_client_packets(httpd_svnmailer_script_t)

# ... or it can send mail using /usr/sbin/sendmail
mta_send_mail(httpd_svnmailer_script_t)
## <summary>additional apache interfaces needed by svnmailer</summary>

########################################
## <summary>
##	Read apache system read/write content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_sys_content_rw',`
	gen_require(`
		type httpd_sys_content_rw_t;
	')

	allow $1 httpd_sys_content_rw_t:dir list_dir_perms;
	read_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
	read_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	system read/write content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_sys_content_rw_files',`
	gen_require(`
		type httpd_sys_content_rw_t;
	')

	dontaudit $1 httpd_sys_content_rw_t:file { read write };
')
policy_module(svnmailer-extras, 0.0.9)

########################################
#
# svnmailer additional policy
# (for rules that should be in other modules)
#

require {
	type httpd_t;
	type httpd_sys_script_t;
}

# svnmailer is usually called from the post-commit hook of subversion
# using mod_dav_svn, which will be running in the httpd_sys_script_t domain
svnmailer_domtrans(httpd_sys_script_t)

# the log file can capture errors from httpd and svn-mailer
svnmailer_manage_log(httpd_sys_script_t)
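The flood of denials Vadym describes, sendmail still executing as httpd_svn_script_t because no transition fired, can be recognised from the audit log before any policy is written. The following Python script is an added example for this page; it is not from the thread and not part of Paul's policy. It parses AVC lines, groups them by source domain and comm, and flags any program running in a domain other than the one a lookup table says it belongs in. The audit lines and the EXPECTED_DOMAIN table are constructed for the example; on a real host that table would be derived from the loaded policy's type_transition rules rather than typed in.

```python
"""Triage SELinux AVC denials to spot a helper program that kept running in its
caller's domain because no domain transition fired."""
import re
from collections import defaultdict

# Constructed sample auditd lines (not taken from the thread); the field layout
# follows the usual "type=AVC ... avc:  denied  { perms } for  key=value ..." form.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1248000000.123:101): avc:  denied  { read } for  pid=2101 comm="sendmail" name="sendmail.cf" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=SYSCALL msg=audit(1248000000.123:101): arch=c000003e syscall=2 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_svn_script_t:s0 key=(null)
type=AVC msg=audit(1248000000.456:102): avc:  denied  { write add_name } for  pid=2101 comm="sendmail" name="mqueue" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1248000000.789:103): avc:  denied  { create } for  pid=2101 comm="sendmail" scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:system_r:httpd_svn_script_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1248000001.000:104): avc:  denied  { getattr } for  pid=2099 comm="svn-mailer" path="/usr/bin/locale" dev=dm-0 ino=2222 scontext=system_u:system_r:httpd_svn_script_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

# Which domain a program is expected to run in once a transition exists.
# Constructed for this example (refpolicy's mta_send_mail() transitions its
# callers into the system_mail_t client domain); a real table would be built
# from the loaded policy's type_transition rules.
EXPECTED_DOMAIN = {"sendmail": "system_mail_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line into a dict; return None for non-AVC or malformed lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "sdomain": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def triage(audit_text, expected_domain=EXPECTED_DOMAIN):
    """Group denials by (source domain, comm) and flag every program that is
    running in a domain other than the one expected_domain maps it to."""
    groups = defaultdict(lambda: {"denials": 0, "tclasses": set(), "ttypes": set()})
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        g = groups[(avc["sdomain"], avc["comm"])]
        g["denials"] += 1
        g["tclasses"].add(avc["tclass"])
        g["ttypes"].add(avc["ttype"])

    findings = []
    for (sdomain, comm), g in sorted(groups.items()):
        wanted = expected_domain.get(comm)
        findings.append({
            "domain": sdomain,
            "comm": comm,
            "denials": g["denials"],
            "tclasses": sorted(g["tclasses"]),
            "ttypes": sorted(g["ttypes"]),
            "expected_domain": wanted,
            # True when the program has a domain of its own but never entered it
            "missing_transition": wanted is not None and wanted != sdomain,
        })
    return findings


def report(findings):
    """Render findings as text; the hint names the caller's domain that lacks a domtrans."""
    lines = []
    for f in findings:
        lines.append(f"{f['comm']} in {f['domain']}: {f['denials']} denial(s), "
                     f"classes {','.join(f['tclasses'])}, targets {','.join(f['ttypes'])}")
        if f["missing_transition"]:
            lines.append(f"  -> expected {f['expected_domain']}; no domain transition fired, "
                         f"so {f['domain']} needs a domtrans interface for {f['comm']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_AUDIT)))
```

Run it as-is and the sendmail group is reported with three denials across file, dir and socket classes and marked as a missing transition, while the svn-mailer getattr on bin_t is listed but not flagged, because the table has no domain for it. The point of splitting by comm rather than by denial is that the individual rules suggested by an allow-everything approach would all be wrong: the fix for that group is a single domtrans (in Paul's module, the mta_send_mail() call), not a pile of file permissions granted to the script domain.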