Chris PeBenito 31b7c0
#DESC MTA - Mail agents
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Author: Russell Coker <russell@coker.com.au>
Chris PeBenito 31b7c0
# X-Debian-Packages: postfix exim sendmail sendmail-wide
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# policy for all mail servers, including allowing user to send mail from the
Chris PeBenito 31b7c0
# command-line and for cron jobs to use sendmail -t
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# sendmail_exec_t is the type of /usr/sbin/sendmail
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# define sendmail_exec_t if sendmail.te does not do it for us
Chris PeBenito 31b7c0
ifdef(`sendmail.te', `', `
Chris PeBenito 31b7c0
type sendmail_exec_t, file_type, exec_type, sysadmfile;
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# create a system_mail_t domain for daemons, init scripts, etc when they run
Chris PeBenito 31b7c0
# "mail user@domain"
Chris PeBenito 31b7c0
mail_domain(system)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
ifdef(`targeted_policy', `
Chris PeBenito 31b7c0
# rules are currently defined in sendmail.te, but it is not included in 
Chris PeBenito 31b7c0
# targeted policy.  We could move these rules permanantly here.
Chris PeBenito 31b7c0
ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
Chris PeBenito 31b7c0
allow system_mail_t self:dir search;
Chris PeBenito 31b7c0
allow system_mail_t self:lnk_file read;
Chris PeBenito 31b7c0
r_dir_file(system_mail_t, { proc_t proc_net_t })
Chris PeBenito 31b7c0
allow system_mail_t fs_t:filesystem getattr;
Chris PeBenito 31b7c0
allow system_mail_t { var_t var_spool_t }:dir getattr;
Chris PeBenito 31b7c0
create_dir_file(system_mail_t, mqueue_spool_t)
Chris PeBenito 31b7c0
create_dir_file(system_mail_t, mail_spool_t)
Chris PeBenito 31b7c0
allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
Chris PeBenito 31b7c0
allow system_mail_t etc_mail_t:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# for reading .forward - maybe we need a new type for it?
Chris PeBenito 31b7c0
# also for delivering mail to maildir
Chris PeBenito 31b7c0
file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t)
Chris PeBenito 31b7c0
', `
Chris PeBenito 31b7c0
ifdef(`sendmail.te', `
Chris PeBenito 31b7c0
# sendmail has an ugly design, the one process parses input from the user and
Chris PeBenito 31b7c0
# then does system things with it.  But the sendmail_launch_t domain works
Chris PeBenito 31b7c0
# around this.
Chris PeBenito 31b7c0
domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
allow initrc_t sendmail_exec_t:lnk_file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# allow the sysadmin to do "mail someone < /home/user/whatever"
Chris PeBenito 31b7c0
allow sysadm_mail_t user_home_dir_type:dir search;
Chris PeBenito 31b7c0
r_dir_file(sysadm_mail_t, user_home_type)
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
# for a mail server process that does things in response to a user command
Chris PeBenito 31b7c0
allow mta_user_agent userdomain:process sigchld;
Chris PeBenito 31b7c0
allow mta_user_agent { userdomain privfd }:fd use;
Chris PeBenito 31b7c0
ifdef(`crond.te', `
Chris PeBenito 31b7c0
allow mta_user_agent crond_t:process sigchld;
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
allow mta_user_agent sysadm_t:fifo_file { read write };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow { system_mail_t mta_user_agent } privmail:fd use;
Chris PeBenito 31b7c0
allow { system_mail_t mta_user_agent } privmail:process sigchld;
Chris PeBenito 31b7c0
allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
Chris PeBenito 31b7c0
allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow mta_delivery_agent home_root_t:dir { getattr search };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# for /var/spool/mail
Chris PeBenito 31b7c0
ra_dir_create_file(mta_delivery_agent, mail_spool_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# for piping mail to a command
Chris PeBenito 31b7c0
can_exec(mta_delivery_agent, shell_exec_t)
Chris PeBenito 31b7c0
allow mta_delivery_agent bin_t:dir search;
Chris PeBenito 31b7c0
allow mta_delivery_agent bin_t:lnk_file read;
Chris PeBenito 31b7c0
allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
Chris PeBenito 31b7c0
allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow system_mail_t etc_runtime_t:file { getattr read };
Chris PeBenito 31b7c0
allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
Chris PeBenito 31b7c0
ifdef(`targeted_policy', `
Chris PeBenito 31b7c0
typealias system_mail_t alias sysadm_mail_t;
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0