From 1504ff3e428d4c23c3b054184b2f1daaf4ce331a Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Nov 28 2005 22:19:08 +0000
Subject: clean up most of the mta hacks



---

diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index f3ce31e..6777f82 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -519,3 +519,20 @@ interface(`cron_read_system_job_tmp_files',`
 	files_search_tmp($1)
 	allow $1 system_crond_tmp_t:file r_file_perms;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to append temporary
+##	files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`cron_dontaudit_append_system_job_tmp_files',`
+	gen_require(`
+		type system_crond_tmp_t;
+	')
+
+	dontaudit $1 system_crond_tmp_t:file append;
+')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 3b8eebd..3b89e10 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -26,8 +26,7 @@ interface(`mta_stub',`
 ##	</p>
 ##	<p>
 ##	This is the basic types and rules, common
-##	to the system agent and user agents, and
-##	is not useful by itself.
+##	to the system agent and user agents.
 ##	</p>
 ## </desc>
 ## <param name="domain_prefix">
@@ -238,6 +237,52 @@ template(`mta_per_userdomain_template',`
 	') dnl end TODO
 ')
 
+########################################
+## <summary>
+##	Provide extra permissions for admin users
+##	mail domain.
+## </summary>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+#
+template(`mta_admin_template',`
+	ifdef(`strict_policy',`
+		# allow the sysadmin to do "mail someone < /home/user/whatever"
+		userdom_read_unpriv_user_home_files($1_mail_t)
+	')
+
+	optional_policy(`postfix',`
+		gen_require(`
+			attribute mta_user_agent;
+			type etc_aliases_t;
+		')
+
+		allow mta_user_agent $2:fifo_file { read write };
+
+		allow $1_mail_t etc_aliases_t:dir create_dir_perms;
+		allow $1_mail_t etc_aliases_t:file create_file_perms;
+		allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
+		allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
+		allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
+		files_create_etc_config($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
+
+		# postfix needs this for newaliases
+		files_getattr_tmp_dir($1_mail_t)
+
+		postfix_exec_master($1_mail_t)
+
+		ifdef(`distro_redhat',`
+			# compatability for old default main.cf
+			postfix_create_config($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+		')
+	')
+')
+
 #######################################
 #
 # mta_mailserver(domain,entrypointtype)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 13c7b27..cc1cdb6 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -97,8 +97,6 @@ ifdef(`targeted_policy',`
 
 		files_exec_etc_files(system_mail_t)
 
-		libs_use_ld_so(system_mail_t)
-		libs_use_shared_libs(system_mail_t)
 		libs_exec_ld_so(system_mail_t)
 		libs_exec_lib_files(system_mail_t)
 #	')
@@ -116,12 +114,15 @@ optional_policy(`apache',`
 ')
 
 optional_policy(`arpwatch',`
-	arpwatch_rw_tmp_files(system_mail_t)
+	arpwatch_manage_tmp_files(system_mail_t)
+
+	ifdef(`hide_broken_symptoms', `
+		arpwatch_dontaudit_rw_packet_socket(system_mail_t)
+	')
 ')
 
 optional_policy(`cron',`
 	cron_read_system_job_tmp_files(system_mail_t)
-	cron_read_system_job_tmp_files(mta_user_agent)
 ')
 
 optional_policy(`cvs',`
@@ -133,8 +134,6 @@ optional_policy(`logrotate',`
 ')
 
 optional_policy(`postfix',`
-	postfix_stub(system_mail_t)
-
 	allow system_mail_t etc_aliases_t:dir create_dir_perms;
 	allow system_mail_t etc_aliases_t:file create_file_perms;
 	allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
@@ -144,40 +143,39 @@ optional_policy(`postfix',`
 
 	domain_use_wide_inherit_fd(system_mail_t)
 
-	optional_policy(`crond',`
-		cron_crw_tcp_socket(system_mail_t)
-	')
+	# postfix needs this for newaliases
+	files_getattr_tmp_dir(system_mail_t)
 
-	allow mta_user_agent sysadm_t:fifo_file { read write };
-	type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
+	postfix_exec_master(system_mail_t)
 
-	# postfix needs this for newaliases
-	allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
+	ifdef(`distro_redhat',`
+		# compatability for old default main.cf
+		postfix_create_config(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+	')
+
+	optional_policy(`cron',`
+		cron_crw_tcp_socket(system_mail_t)
+	')
 ')
 
-ifdef(`TODO',`
 optional_policy(`sendmail',`
-	dontaudit system_mail_t userpty_type:chr_file { getattr read write };
+	userdom_dontaudit_use_unpriv_user_pty(system_mail_t)
 
-	optional_policy(`crond',`
-		dontaudit system_mail_t system_crond_tmp_t:file append;
+	optional_policy(`cron',`
+		cron_dontaudit_append_system_job_tmp_files(system_mail_t)
 	')
 ')
 
-ifdef(`strict_policy',`
-	# allow the sysadmin to do "mail someone < /home/user/whatever"
-	allow sysadm_mail_t user_home_dir_type:dir search;
-	r_dir_file(sysadm_mail_t, user_home_type)
-')
-') dnl end TODO
+# should break this up among sections:
 
 optional_policy(`arpwatch',`
 	# why is mail delivered to a directory of type arpwatch_data_t?
 	arpwatch_search_data(mailserver_delivery)
-	arpwatch_manage_tmp_files(system_mail_t)
 	arpwatch_manage_tmp_files(mta_user_agent)
 	ifdef(`hide_broken_symptoms', `
-		arpwatch_dontaudit_rw_packet_socket(system_mail_t)
 		arpwatch_dontaudit_rw_packet_socket(mta_user_agent)
 	')
+	optional_policy(`cron',`
+		cron_read_system_job_tmp_files(mta_user_agent)
+	')
 ')
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index d7ff365..f773241 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -177,6 +177,37 @@ interface(`postfix_read_config',`
 
 ########################################
 ## <summary>
+##	Create files with the specified type in
+##	the postfix configuration directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="private type">
+##	The type of the object to be created.
+## </param>
+## <param name="object" optional="true">
+##	The object class of the object being created.  If
+##	no class is specified, file will be used.
+## </param>
+#
+interface(`postfix_create_config',`
+	gen_require(`
+		type postfix_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 postfix_etc_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 postfix_etc_t:file $2;
+	',`
+		type_transition $1 postfix_etc_t:$3 $2;
+	')
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and
 ##	write postfix local delivery
 ##	TCP sockets.
@@ -281,6 +312,23 @@ interface(`postfix_domtrans_master',`
 
 ########################################
 ## <summary>
+##	Execute the master postfix program in the
+##	caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postfix_exec_master',`
+	gen_require(`
+		type postfix_master_exec_t;
+	')
+
+	can_exec($1,postfix_master_exec_t)
+')
+
+########################################
+## <summary>
 ##	Search postfix mail spool directories.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 7dc4ef2..53a331d 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -197,41 +197,7 @@ ifdef(`distro_redhat',`
 	allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
 	allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
 	allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
-	type_transition postfix_master_t postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
-')
-
-# postfix needs this for newaliases
-allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
-
-can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
-
-allow sysadm_mail_t etc_aliases_t:dir create_dir_perms;
-allow sysadm_mail_t etc_aliases_t:file create_file_perms;
-allow sysadm_mail_t etc_aliases_t:lnk_file create_lnk_perms;
-allow sysadm_mail_t etc_aliases_t:sock_file create_file_perms;
-allow sysadm_mail_t etc_aliases_t:fifo_file create_file_perms;
-files_create_etc_config(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
-
-
-ifdef(`distro_redhat',`
-	# compatability for old default main.cf
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms;
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms;
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms;
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file create_file_perms;
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms;
-
-	allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms;
-	type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
-
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms;
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms;
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms;
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file create_file_perms;
-	allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms;
-
-	allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms;
-	type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
+	type_transition postfix_master_t postfix_etc_t:{ dir file lnk_file sock_file fifo_file } etc_aliases_t;
 ')
 
 # end partially converted rules
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index c4cb1f4..c2362ec 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -906,7 +906,11 @@ template(`admin_user_template',`
 	seutil_manage_binary_pol($1_t)
 
 	optional_policy(`cron',`
-		cron_admin_template($1)
+		cron_admin_template($1,$1_t,$1_r)
+	')
+
+	optional_policy(`mta',`
+		mta_admin_template($1,$1_t,$1_r)
 	')
 
 	ifdef(`TODO',`
@@ -2389,6 +2393,27 @@ interface(`userdom_setattr_unpriv_user_pty',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to use unprivileged
+##	user ptys.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_dontaudit_use_unpriv_user_pty',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_generic_pty($1)
+	',`
+		gen_require(`
+			attribute user_ptynode;
+		')
+
+		dontaudit $1 user_ptynode:chr_file rw_file_perms;
+	')
+')
+
+########################################
+## <summary>
 ##	Read all unprivileged users temporary directories.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index c7950a8..a5edddb 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.0.2)
+policy_module(userdomain,1.0.3)
 
 ########################################
 #