From 08cd98b7c1ea34a3f6b060218ca4002dc6905417 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Nov 28 2005 20:25:36 +0000
Subject: big cleanup of mta



---

diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index cb7f1b8..3b8eebd 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -16,7 +16,7 @@ interface(`mta_stub',`
 
 #######################################
 ## <summary>
-##	The per user domain template for the mta module.
+##	Basic mail transfer agent domain template.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -25,34 +25,33 @@ interface(`mta_stub',`
 ##	behalf of the user.
 ##	</p>
 ##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
+##	This is the basic types and rules, common
+##	to the system agent and user agents, and
+##	is not useful by itself.
 ##	</p>
 ## </desc>
-## <param name="userdomain_prefix">
-##	The prefix of the user domain (e.g., user
+## <param name="domain_prefix">
+##	The prefix of the domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
-## <param name="user_domain">
-##	The type of the user domain.
-## </param>
-## <param name="user_role">
-##	The role associated with the user domain.
-## </param>
 #
-template(`mta_per_userdomain_template',`
-	gen_require(`
-		attribute mailserver_domain, mta_user_agent, user_mail_domain;
-		type sendmail_exec_t;
-	')
+template(`mta_base_mail_template',`
+
+	##############################
+	#
+	# $1_mail_t declarations
+	#
 
 	type $1_mail_t, user_mail_domain;
 	domain_type($1_mail_t)
-	role $3 types $1_mail_t;
+	domain_entry_file($1_mail_t,sendmail_exec_t)
 
-	type $1_mail_tmp_t;
-	files_tmp_file($1_mail_tmp_t)
+	optional_policy(`sendmail',`
+		type $1_mail_tmp_t;
+		files_tmp_file($1_mail_tmp_t)
+
+		sendmail_stub($1_mail_t)
+	')
 
 	##############################
 	#
@@ -67,20 +66,6 @@ template(`mta_per_userdomain_template',`
 	can_exec($1_mail_t, sendmail_exec_t)
 	allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
 
-	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
-	allow $2 sendmail_exec_t:lnk_file { getattr read };
-
-	allow $2 $1_mail_t:fd use;
-	allow $1_mail_t $2:fd use;
-	allow $1_mail_t $2:fifo_file rw_file_perms;
-	allow $1_mail_t $2:process sigchld;
-
-	# For when the user wants to send mail via port 25 localhost
-	kernel_tcp_recvfrom($2)
-	allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
-	allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
-
 	kernel_read_kernel_sysctl($1_mail_t)
 
 	corenet_tcp_sendrecv_all_if($1_mail_t)
@@ -90,11 +75,7 @@ template(`mta_per_userdomain_template',`
 	corenet_tcp_sendrecv_all_ports($1_mail_t)
 	corenet_tcp_bind_all_nodes($1_mail_t)
 	corenet_tcp_connect_all_ports($1_mail_t)
-
-	domain_use_wide_inherit_fd($1_mail_t)
-
-	libs_use_ld_so($1_mail_t)
-	libs_use_shared_libs($1_mail_t)
+	corenet_tcp_connect_smtp_port($1_mail_t)
 
 	corecmd_exec_bin($1_mail_t)
 	corecmd_search_sbin($1_mail_t)
@@ -104,6 +85,9 @@ template(`mta_per_userdomain_template',`
 	# It wants to check for nscd
 	files_dontaudit_search_pids($1_mail_t)
 
+	libs_use_ld_so($1_mail_t)
+	libs_use_shared_libs($1_mail_t)
+
 	logging_send_syslog_msg($1_mail_t)
 
 	miscfiles_read_localization($1_mail_t)
@@ -111,6 +95,106 @@ template(`mta_per_userdomain_template',`
 	sysnet_read_config($1_mail_t)
 	sysnet_dns_name_resolve($1_mail_t)
 
+	optional_policy(`nis',`
+		nis_use_ypbind($1_mail_t)
+	')
+
+	optional_policy(`nscd',`
+		nscd_use_socket($1_mail_t)
+	')
+
+	optional_policy(`procmail',`
+		procmail_exec($1_mail_t)
+	')
+
+	optional_policy(`sendmail',`
+		allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
+		allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
+		files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir })
+
+		allow $1_mail_t etc_mail_t:dir { getattr search };
+
+		# Write to /var/spool/mail and /var/spool/mqueue.
+		allow $1_mail_t mail_spool_t:dir rw_dir_perms;
+		allow $1_mail_t mail_spool_t:file create_file_perms;
+		allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
+		allow $1_mail_t mqueue_spool_t:file create_file_perms;
+
+		# Check available space.
+		fs_getattr_xattr_fs($1_mail_t)
+
+		files_read_etc_runtime_files($1_mail_t)
+
+		# Write to /var/log/sendmail.st
+		sendmail_manage_log($1_mail_t)
+		sendmail_create_log($1_mail_t)
+	')
+
+	ifdef(`TODO',`
+	ifdef(`qmail.te', `
+		allow $1_mail_t qmail_etc_t:dir search;
+		allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
+	')
+	') dnl end TODO
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the mta module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is
+##	a email transfer agent, which sends mail on
+##	behalf of the user.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
+#
+template(`mta_per_userdomain_template',`
+	gen_require(`
+		attribute mailserver_domain, mta_user_agent, user_mail_domain;
+		type sendmail_exec_t;
+	')
+
+	mta_base_mail_template($1)
+	role $3 types $1_mail_t;
+
+	##############################
+	#
+	# $1_mail_t local policy
+	#
+
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
+	allow $2 sendmail_exec_t:lnk_file { getattr read };
+
+	allow $2 $1_mail_t:fd use;
+	allow $1_mail_t $2:fd use;
+	allow $1_mail_t $2:fifo_file rw_file_perms;
+	allow $1_mail_t $2:process sigchld;
+
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($2)
+	allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
+	allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
+
+	domain_use_wide_inherit_fd($1_mail_t)
+
 	userdom_use_user_terminals($1,$1_mail_t)
 	# Write to the user domain tty. cjp: why?
 	userdom_use_user_terminals($1,mta_user_agent)
@@ -131,24 +215,12 @@ template(`mta_per_userdomain_template',`
 		fs_manage_cifs_symlinks($1_mail_t)
 	')
 
-	optional_policy(`nis',`
-		nis_use_ypbind($1_mail_t)
-	')
-
-	optional_policy(`nscd',`
-		nscd_use_socket($1_mail_t)
-	')
-
 	optional_policy(`postfix',`
 		allow $1_mail_t self:capability dac_override;
 		postfix_read_config($1_mail_t)
 		postfix_list_spool($1_mail_t)
 	')
 
-	optional_policy(`procmail',`
-		procmail_exec($1_mail_t)
-	')
-
 	ifdef(`TODO',`
 	# Read user temporary files.
 	allow $1_mail_t $1_tmp_t:file r_file_perms;
@@ -158,21 +230,11 @@ template(`mta_per_userdomain_template',`
 		allow $1_mail_t $1_tmp_t:file write;
 	')
 
-	# cjp: why?
 	allow mta_user_agent $1_tmp_t:file r_file_perms;
 
-	# Inherit and use descriptors from gnome-pty-helper.
-	ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
-
 	# if you do not want to allow dead.letter then use the following instead
 	#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
 	#allow $1_mail_t $1_home_t:file r_file_perms;
-
-	ifdef(`qmail.te', `
-		allow $1_mail_t qmail_etc_t:dir search;
-		allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-	')
-
 	') dnl end TODO
 ')
 
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index bc00f29..13c7b27 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.0.1)
+policy_module(mta,1.0.2)
 
 ########################################
 #
@@ -28,17 +28,12 @@ files_type(mail_spool_t)
 type sendmail_exec_t;
 files_type(sendmail_exec_t)
 
-type system_mail_t, user_mail_domain;
-domain_type(system_mail_t)
-domain_entry_file(system_mail_t,sendmail_exec_t)
+mta_base_mail_template(system)
 role system_r types system_mail_t;
 
-type system_mail_tmp_t;
-files_tmp_file(system_mail_tmp_t)
-
 # cjp: need to resolve this, but require{}
 # does not work in the else part of the optional
-#ifdef(`targeted_policy',`',`
+#ifdef(`strict_policy',`
 #	optional_policy(`sendmail',`',`
 #		init_system_domain(system_mail_t,sendmail_exec_t)
 #	')
@@ -49,60 +44,17 @@ files_tmp_file(system_mail_tmp_t)
 # System mail local policy
 #
 
-allow system_mail_t self:capability { setuid setgid chown };
-allow system_mail_t self:process { signal_perms setrlimit };
-allow system_mail_t self:tcp_socket create_socket_perms;
-
 allow system_mail_t etc_mail_t:dir { getattr search };
 allow system_mail_t etc_mail_t:file r_file_perms;
 
-# re-exec itself
-can_exec(system_mail_t, sendmail_exec_t)
-allow system_mail_t sendmail_exec_t:lnk_file r_file_perms;
-
-allow system_mail_t system_mail_tmp_t:dir create_dir_perms;
-allow system_mail_t system_mail_tmp_t:file create_file_perms;
-files_create_tmp_files(system_mail_t, system_mail_tmp_t, { file dir })
-
-kernel_read_kernel_sysctl(system_mail_t)
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
 
-corenet_tcp_sendrecv_all_if(system_mail_t)
-corenet_raw_sendrecv_all_if(system_mail_t)
-corenet_tcp_sendrecv_all_nodes(system_mail_t)
-corenet_raw_sendrecv_all_nodes(system_mail_t)
-corenet_tcp_sendrecv_all_ports(system_mail_t)
-corenet_tcp_bind_all_nodes(system_mail_t)
-corenet_tcp_connect_smtp_port(system_mail_t)
-corenet_tcp_connect_all_ports(system_mail_t)
-
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
-fs_getattr_xattr_fs(system_mail_t)
-
 init_use_script_pty(system_mail_t)
 
-files_read_etc_files(system_mail_t)
-files_read_etc_runtime_files(system_mail_t)
-files_search_spool(system_mail_t)
-# It wants to check for nscd
-files_dontaudit_search_pids(system_mail_t)
-
-corecmd_exec_bin(system_mail_t)
-corecmd_search_sbin(system_mail_t)
-
-libs_use_ld_so(system_mail_t)
-libs_use_shared_libs(system_mail_t)
-
-logging_send_syslog_msg(system_mail_t)
-
-miscfiles_read_localization(system_mail_t)
-
-sysnet_read_config(system_mail_t)
-sysnet_dns_name_resolve(system_mail_t)
-
 userdom_use_sysadm_terms(system_mail_t)
 
 ifdef(`hide_broken_symptoms',`
@@ -169,6 +121,7 @@ optional_policy(`arpwatch',`
 
 optional_policy(`cron',`
 	cron_read_system_job_tmp_files(system_mail_t)
+	cron_read_system_job_tmp_files(mta_user_agent)
 ')
 
 optional_policy(`cvs',`
@@ -179,14 +132,6 @@ optional_policy(`logrotate',`
 	logrotate_read_tmp_files(system_mail_t)
 ')
 
-optional_policy(`nis',`
-	nis_use_ypbind(system_mail_t)
-')
-
-optional_policy(`nscd',`
-	nscd_use_socket(system_mail_t)
-')
-
 optional_policy(`postfix',`
 	postfix_stub(system_mail_t)
 
@@ -205,29 +150,13 @@ optional_policy(`postfix',`
 
 	allow mta_user_agent sysadm_t:fifo_file { read write };
 	type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
-')
-
-optional_policy(`procmail',`
-	procmail_exec(system_mail_t)
-')
-
-optional_policy(`sendmail',`
-	sendmail_stub(system_mail_t)
-
-	allow system_mail_t etc_mail_t:dir { getattr search };
 
-	# sendmail -q 
-	allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
-	allow system_mail_t mqueue_spool_t:file create_file_perms;
-
-	# FIXME:
-	allow system_mail_t sendmail_log_t:file manage_file_perms;
-	logging_create_log(system_mail_t,sendmail_log_t)
+	# postfix needs this for newaliases
+	allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
 ')
 
 ifdef(`TODO',`
 optional_policy(`sendmail',`
-	allow system_mail_t { var_t var_spool_t }:dir getattr;
 	dontaudit system_mail_t userpty_type:chr_file { getattr read write };
 
 	optional_policy(`crond',`
@@ -235,23 +164,13 @@ optional_policy(`sendmail',`
 	')
 ')
 
-ifdef(`targeted_policy',`
-	allow system_mail_t { var_t var_spool_t }:dir getattr;
-',`
+ifdef(`strict_policy',`
 	# allow the sysadmin to do "mail someone < /home/user/whatever"
 	allow sysadm_mail_t user_home_dir_type:dir search;
 	r_dir_file(sysadm_mail_t, user_home_type)
 ')
-
-
-optional_policy(`qmail',`
-	allow system_mail_t qmail_etc_t:dir search;
-	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
-')
 ') dnl end TODO
 
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
-
 optional_policy(`arpwatch',`
 	# why is mail delivered to a directory of type arpwatch_data_t?
 	arpwatch_search_data(mailserver_delivery)
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index 0f03e70..51d2e28 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -52,3 +52,36 @@ interface(`sendmail_rw_tcp_socket',`
 
 	allow $1 sendmail_t:tcp_socket { read write };
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete sendmail logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sendmail_manage_log',`
+	gen_require(`
+		type sendmail_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 sendmail_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create sendmail logs with the correct type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sendmail_create_log',`
+	gen_require(`
+		type sendmail_log_t;
+	')
+
+	logging_create_log($1,sendmail_log_t,file)
+')