From 246839f3d2d130dea261f3393f60ef6d7eee8a8d Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 30 2005 20:47:41 +0000 Subject: fix up most of mta attribute insanity --- diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if index 134a886..cff68d4 100644 --- a/refpolicy/policy/modules/admin/logrotate.if +++ b/refpolicy/policy/modules/admin/logrotate.if @@ -82,3 +82,21 @@ interface(`logrotate_dontaudit_use_fd',` dontaudit $1 logrotate_t:fd use; ') + +######################################## +## +## Read a logrotate temporary files. +## +## +## The type of the process to not audit. +## +# +interface(`logrotate_read_tmp_files',` + gen_require(` + type logrotate_tmp_t; + class file r_file_perms; + ') + + files_search_tmp($1) + allow $1 logrotate_tmp_t:file r_file_perms; +') diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index f4de889..c147b45 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -555,6 +555,25 @@ interface(`kernel_dontaudit_getattr_message_if',` ######################################## ## +## Do not audit attempts to search the network +## state directory. +## +## +## The process type reading the state. +## +## +# +interface(`kernel_dontaudit_search_network_state',` + gen_require(` + type proc_net_t; + class dir search; + ') + + allow $1 proc_net_t:dir search; +') + +######################################## +## ## Allow caller to read the network state information. ## ## diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index cde33f0..ec5f5ae 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -316,6 +316,23 @@ interface(`cron_system_entry',` ######################################## ## +## Send a SIGCHLD signal to the cron daemon. +## +## +## Domain allowed access. +## +# +interface(`cron_sigchld',` + gen_require(` + type crond_t; + class process sigchld; + ') + + allow $1 crond_t:process sigchld; +') + +######################################## +## ## Read a cron daemon unnamed pipe ## ## @@ -331,7 +348,6 @@ interface(`cron_read_pipe',` allow $1 crond_t:file r_file_perms; ') - ######################################## ## ## Read and write the cron daemon log files. @@ -367,3 +383,21 @@ interface(`cron_search_spool',` files_search_spool($1) allow $1 cron_spool_t:dir search; ') + +######################################## +## +## Read temporary files from the system cron jobs. +## +## +## Domain allowed access. +## +# +interface(`cron_read_system_job_tmp_files',` + gen_require(` + type system_crond_tmp_t; + class file r_file_perms; + ') + + files_search_tmp($1) + allow $1 system_crond_tmp_t:file r_file_perms; +') diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 6409e53..e6efcbd 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -28,7 +28,7 @@ ## # template(`mta_per_userdomain_template',` - type $1_mail_t; # , user_mail_domain + type $1_mail_t; domain_type($1_mail_t) role $3 types $1_mail_t; @@ -59,6 +59,11 @@ template(`mta_per_userdomain_template',` allow $1_mail_t $2:fifo_file rw_file_perms; allow $1_mail_t $2:process sigchld; + # For when the user wants to send mail via port 25 localhost + kernel_tcp_recvfrom($2) + allow $2 mailserver_domain:tcp_socket { connectto recvfrom }; + allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom }; + kernel_read_kernel_sysctl($1_mail_t) corenet_tcp_sendrecv_all_if($1_mail_t) @@ -78,6 +83,8 @@ template(`mta_per_userdomain_template',` files_read_etc_files($1_mail_t) files_search_spool($1_mail_t) + # It wants to check for nscd + files_dontaudit_search_pids($1_mail_t) logging_send_syslog_msg($1_mail_t) @@ -86,6 +93,8 @@ template(`mta_per_userdomain_template',` sysnet_read_config($1_mail_t) userdom_use_user_terminals($1,$1_mail_t) + # Write to the user domain tty. cjp: why? + userdom_use_user_terminals($1,mta_user_agent) tunable_policy(`use_dns',` allow $1_mail_t self:udp_socket create_socket_perms; @@ -113,14 +122,6 @@ template(`mta_per_userdomain_template',` ') ifdef(`TODO',` - allow $1_mail_t device_t:dir search; - - # It wants to check for nscd - dontaudit $1_mail_t var_run_t:dir search; - - # For when the user wants to send mail via port 25 localhost - can_tcp_connect($1_t, mail_server_domain) - # Read user temporary files. allow $1_mail_t $1_tmp_t:file r_file_perms; dontaudit $1_mail_t $1_tmp_t:file append; @@ -129,26 +130,21 @@ template(`mta_per_userdomain_template',` allow $1_mail_t $1_tmp_t:file write; ') + # cjp: why? allow mta_user_agent $1_tmp_t:file r_file_perms; - # Write to the user domain tty. - allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms; - allow mta_user_agent devpts_t:dir r_dir_perms; - allow mta_user_agent $1_devpts_t:chr_file rw_file_perms; - # Inherit and use descriptors from gnome-pty-helper. ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;') # Create dead.letter in user home directories. file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file) - # if you do not want to allow dead.letter then use the following instead #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; #allow $1_mail_t $1_home_t:file r_file_perms; # for reading .forward - maybe we need a new type for it? # also for delivering mail to maildir - file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t) + file_type_auto_trans(mailserver_delivery, $1_home_dir_t, $1_home_t) ifdef(`qmail.te', ` allow $1_mail_t qmail_etc_t:dir search; @@ -167,6 +163,9 @@ interface(`mta_mailserver',` attribute mailserver_domain; ') + # For when the user wants to send mail via port 25 localhost + kernel_tcp_recvfrom($1) + init_daemon_domain($1,$2) typeattribute $1 mailserver_domain; ') @@ -202,11 +201,66 @@ interface(`mta_sendmail_mailserver',` type sendmail_exec_t; ') + # For when the user wants to send mail via port 25 localhost + kernel_tcp_recvfrom($1) + init_system_domain($1,sendmail_exec_t) typeattribute $1 mailserver_domain; ') ####################################### +## +## Make a type a mailserver type used +## for sending mail. +## +## +## Mail server domain type used for sending mail. +## +# +interface(`mta_mailserver_sender',` + gen_require(` + attribute mailserver_sender; + ') + + typeattribute $1 mailserver_sender; +') + +####################################### +## +## Make a type a mailserver type used +## for delivering mail to local users. +## +## +## Mail server domain type used for delivering mail. +## +# +interface(`mta_mailserver_delivery',` + gen_require(` + attribute mailserver_delivery; + ') + + typeattribute $1 mailserver_delivery; +') + +####################################### +## +## Make a type a mailserver type used +## for sending mail on behalf of local +## users to the local mail spool. +## +## +## Mail server domain type used for sending local mail. +## +# +interface(`mta_mailserver_user_agent',` + gen_require(` + attribute mailserver_user_agent; + ') + + typeattribute $1 mailserver_user_agent; +') + +####################################### # # mta_send_mail(domain) # @@ -333,6 +387,28 @@ interface(`mta_rw_spool',` ') ####################################### +## +## Create, read, and write the mail spool. +## +## +## Domain allowed access. +## +# +interface(`mta_append_spool',` + gen_require(` + type mail_spool_t; + class dir ra_dir_perms; + class lnk_file { getattr read }; + class file create_file_perms; + ') + + files_search_spool($1) + allow $1 mail_spool_t:dir ra_dir_perms; + allow $1 mail_spool_t:lnk_file { getattr read }; + allow $1 mail_spool_t:file create_file_perms; +') + +####################################### # # mta_manage_spool(domain) # diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 6c2ea5b..3a112e9 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -6,14 +6,17 @@ policy_module(mta,1.0) # Declarations # +attribute mta_user_agent; +attribute mailserver_delivery; +attribute mailserver_domain; +attribute mailserver_sender; + type etc_aliases_t; files_type(etc_aliases_t) type etc_mail_t; files_type(etc_mail_t) -attribute mailserver_domain; - type mqueue_spool_t; files_type(mqueue_spool_t) @@ -23,7 +26,7 @@ files_type(mail_spool_t) type sendmail_exec_t; files_type(sendmail_exec_t) -type system_mail_t; #, user_mail_domain +type system_mail_t; domain_type(system_mail_t) role system_r types system_mail_t; @@ -66,12 +69,14 @@ fs_getattr_xattr_fs(system_mail_t) init_use_script_pty(system_mail_t) -files_read_etc_runtime_files(system_mail_t) files_read_etc_files(system_mail_t) +files_read_etc_runtime_files(system_mail_t) +files_search_spool(system_mail_t) # It wants to check for nscd files_dontaudit_search_pids(system_mail_t) corecmd_exec_bin(system_mail_t) +corecmd_search_sbin(system_mail_t) libs_use_ld_so(system_mail_t) libs_use_shared_libs(system_mail_t) @@ -82,6 +87,35 @@ miscfiles_read_localization(system_mail_t) sysnet_read_config(system_mail_t) +userdom_use_sysadm_terms(system_mail_t) + +ifdef(`targeted_policy',` + allow system_mail_t etc_mail_t:file r_file_perms; + + allow system_mail_t mail_spool_t:dir create_dir_perms; + allow system_mail_t mail_spool_t:file create_file_perms; + allow system_mail_t mail_spool_t:lnk_file create_lnk_perms; + allow system_mail_t mail_spool_t:fifo_file rw_file_perms; + + allow system_mail_t mqueue_spool_t:dir create_dir_perms; + allow system_mail_t mqueue_spool_t:file create_file_perms; + allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms; + + optional_policy(`postfix.te',`',` + corecmd_exec_bin(system_mail_t) + corecmd_exec_sbin(system_mail_t) + + domain_exec_all_entry_files(system_mail_t) + + files_exec_etc_files(system_mail_t) + + libs_use_ld_so(system_mail_t) + libs_use_shared_libs(system_mail_t) + libs_exec_ld_so(system_mail_t) + libs_exec_lib_files(system_mail_t) + ') +') + tunable_policy(`use_dns',` allow system_mail_t self:udp_socket create_socket_perms; corenet_udp_sendrecv_all_if(system_mail_t) @@ -90,6 +124,14 @@ tunable_policy(`use_dns',` corenet_udp_sendrecv_dns_port(system_mail_t) ') +optional_policy(`cron.te',` + cron_read_system_job_tmp_files(system_mail_t) +') + +optional_policy(`logrotate.te',` + logrotate_read_tmp_files(system_mail_t) +') + optional_policy(`nis.te',` nis_use_ypbind(system_mail_t) ') @@ -102,135 +144,46 @@ optional_policy(`procmail.te',` procmail_exec(system_mail_t) ') -ifdef(`TODO',` - optional_policy(`sendmail.te',` allow system_mail_t etc_mail_t:dir { getattr search }; - kernel_read_system_state(system_mail_t) - - fs_getattr_xattr_fs(system_mail_t) - - files_read_etc_runtime_files(system_mail_t) - - dontaudit system_mail_t proc_net_t:dir search; - - allow system_mail_t var_t:dir getattr; - allow system_mail_t var_spool_t:dir getattr; - dontaudit system_mail_t userpty_type:chr_file { getattr read write }; - # sendmail -q allow system_mail_t mqueue_spool_t:dir rw_dir_perms; allow system_mail_t mqueue_spool_t:file create_file_perms; +') + +ifdef(`TODO',` +optional_policy(`sendmail.te',` + allow system_mail_t { var_t var_spool_t }:dir getattr; + dontaudit system_mail_t userpty_type:chr_file { getattr read write }; optional_policy(`crond.te', ` dontaudit system_mail_t system_crond_tmp_t:file append; ') ') -allow system_mail_t device_t:dir search; -allow system_mail_t { var_t var_spool_t }:dir search; -allow system_mail_t sbin_t:dir search; - -# Transition from a system domain to the derived domain. -domain_auto_trans(privmail, sendmail_exec_t, system_mail_t) -allow privmail sendmail_exec_t:lnk_file { getattr read }; - -optional_policy(`crond.te',` - # Read cron temporary files. - allow system_mail_t system_crond_tmp_t:file r_file_perms; - allow mta_user_agent system_crond_tmp_t:file r_file_perms; -') - -ifdef(`qmail.te', ` - allow system_mail_t qmail_etc_t:dir search; - allow system_mail_t qmail_etc_t:{ file lnk_file } read; -') - -ifdef(`targeted_policy', ` +ifdef(`targeted_policy',` allow system_mail_t { var_t var_spool_t }:dir getattr; - - allow system_mail_t etc_mail_t:file r_file_perms; - - allow system_mail_t mail_spool_t:dir create_dir_perms; - allow system_mail_t mail_spool_t:file create_file_perms; - allow system_mail_t mail_spool_t:lnk_file create_lnk_perms; - allow system_mail_t mail_spool_t:fifo_file rw_file_perms; - - allow system_mail_t mqueue_spool_t:dir create_dir_perms; - allow system_mail_t mqueue_spool_t:file create_file_perms; - allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms; - - optional_policy(`postfix.te',`',` - corecmd_exec_bin(system_mail_t) - corecmd_exec_sbin(system_mail_t) - - domain_exec_all_entry_files(system_mail_t) - - files_exec_etc_files(system_mail_t) - - libs_use_ld_so(system_mail_t) - libs_use_shared_libs(system_mail_t) - libs_exec_ld_so(system_mail_t) - libs_exec_lib_files(system_mail_t) - ') ',` - optional_policy(`sendmail.te', ` - # sendmail has an ugly design, the one process parses input from the user and - # then does system things with it. - domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t) - ') - # allow the sysadmin to do "mail someone < /home/user/whatever" allow sysadm_mail_t user_home_dir_type:dir search; r_dir_file(sysadm_mail_t, user_home_type) ') -# for a mail server process that does things in response to a user command -allow mta_user_agent userdomain:process sigchld; -allow mta_user_agent { userdomain privfd }:fd use; -ifdef(`crond.te', ` -allow mta_user_agent crond_t:process sigchld; -') -allow mta_user_agent sysadm_t:fifo_file { read write }; - -allow { system_mail_t mta_user_agent } privmail:fd use; -allow { system_mail_t mta_user_agent } privmail:process sigchld; -allow { system_mail_t mta_user_agent } privmail:fifo_file { read write }; -allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write }; - -ifdef(`arpwatch.te', ` -# why is mail delivered to a directory of type arpwatch_data_t? -allow mta_delivery_agent arpwatch_data_t:dir search; -allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms; -ifdef(`hide_broken_symptoms', ` -dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write }; -') -')dnl end if arpwatch.te - -allow mta_delivery_agent home_root_t:dir { getattr search }; - -# for /var/spool/mail -ra_dir_create_file(mta_delivery_agent, mail_spool_t) +allow system_mail_t privmail:fd use; +allow system_mail_t privmail:process sigchld; +allow system_mail_t privmail:fifo_file { read write }; -# for piping mail to a command -can_exec(mta_delivery_agent, shell_exec_t) -allow mta_delivery_agent bin_t:dir search; -allow mta_delivery_agent bin_t:lnk_file read; -allow mta_delivery_agent { etc_runtime_t proc_t }:file r_file_perms; +optional_policy(`arpwatch.te',` + allow system_mail_t arpwatch_tmp_t:file rw_file_perms; -# Transition from a system domain to the derived domain. -domain_auto_trans(privmail, sendmail_exec_t, system_mail_t) -allow privmail sendmail_exec_t:lnk_file r_file_perms; - -ifdef(`crond.te', ` -# Read cron temporary files. -allow system_mail_t system_crond_tmp_t:file r_file_perms; -allow mta_user_agent system_crond_tmp_t:file r_file_perms; + ifdef(`hide_broken_symptoms', ` + dontaudit system_mail_t arpwatch_t:packet_socket { read write }; + ') ') -optional_policy(`logrotate.te', ` - allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms; +optional_policy(`qmail.te',` + allow system_mail_t qmail_etc_t:dir search; + allow system_mail_t qmail_etc_t:{ file lnk_file } read; ') - ') dnl end TODO diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 0589320..47ce143 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -6,8 +6,10 @@ policy_module(sendmail,1.0) # Declarations # -type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm) +type sendmail_t; mta_sendmail_mailserver(sendmail_t) +mta_mailserver_delivery(sendmail_t) +mta_mailserver_sender(sendmail_t) type sendmail_log_t; logging_log_file(sendmail_log_t) @@ -40,8 +42,8 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta files_create_pid(sendmail_t,sendmail_var_run_t) kernel_read_kernel_sysctl(sendmail_t) -kernel_list_proc(sendmail_t) -kernel_read_proc_symlinks(sendmail_t) +# for piping mail to a command +kernel_read_system_state(sendmail_t) corenet_tcp_sendrecv_all_if(sendmail_t) corenet_raw_sendrecv_all_if(sendmail_t) @@ -63,10 +65,15 @@ fs_search_auto_mountpoints(sendmail_t) term_dontaudit_use_console(sendmail_t) +# for piping mail to a command +corecmd_exec_shell(sendmail_t) + domain_use_wide_inherit_fd(sendmail_t) files_read_etc_files(sendmail_t) files_search_spool(sendmail_t) +# for piping mail to a command +files_read_etc_runtime_files(sendmail_t) init_use_fd(sendmail_t) init_use_script_pty(sendmail_t) @@ -121,6 +128,11 @@ optional_policy(`rhgb.te', ` rhgb_domain(sendmail_t) ') +optional_policy(`arpwatch.te',` + # why is mail delivered to a directory of type arpwatch_data_t? + allow mta_delivery_agent arpwatch_data_t:dir search; +') + # # Need this transition to create /etc/aliases.db # diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 04a37da..b132ba2 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -1862,6 +1862,23 @@ interface(`userdom_signal_all_users',` ######################################## ## +## Send a SIGCHLD signal to all user domains. +## +## +## Domain allowed access. +## +# +interface(`userdom_sigcld_all_users',` + gen_require(` + attribute userdomain; + class process sigchld; + ') + + allow $1 userdomain:process sigghld; +') + +######################################## +## ## Unconfined access to user domains. ## ##