From 799a0b43cd32771020738ffd286f3998224b393f Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Oct 11 2005 15:36:53 +0000
Subject: add mailman



---

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 0db398e..dcda94c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -20,6 +20,7 @@
 	finger
 	ftp
 	kudzu
+	mailman
 	radvd
 	sasl
 	webalizer
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 6a28a61..31569ea 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -156,6 +156,12 @@ optional_policy(`samba.te',`
 	samba_exec_log(logrotate_t)
 ')
 
+optional_policy(`mailman.te',`
+	mailman_exec(logrotate_t)
+	mailman_search_data(logrotate_t)
+	mailman_manage_log(logrotate_t)
+')
+
 optional_policy(`mysql.te',`
 	mysql_read_config(logrotate_t)
 	mysql_search_db_dir(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 816feae..d5526ee 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -197,3 +197,19 @@ template(`su_per_userdomain_template',`
 		') dnl end TODO
 	')
 ')
+
+#######################################
+## <summary>
+##	Execute su in the caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`su_exec',`
+	gen_require(`
+		type su_exec_t;
+	')
+
+	can_exec($1,su_exec_t)
+')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 27f19cc..4f41c3e 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -321,7 +321,7 @@ interface(`apache_domtrans',`
 ##	Send a null signal to apache.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`apache_signull',`
@@ -334,6 +334,38 @@ interface(`apache_signull',`
 
 ########################################
 ## <summary>
+##	Send a SIGCHLD signal to apache.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_sigchld',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from Apache.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apache_use_fd',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read
 ##	apache configuration files.
 ## </summary>
@@ -369,3 +401,20 @@ interface(`apache_list_modules',`
 
 	allow $1 httpd_modules_t:dir r_dir_perms;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to append to the
+##	Apache logs.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`apache_dontaudit_append_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	dontaudit $1 httpd_log_t:file append;
+')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index c91a0fa..e96d8c9 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -334,6 +334,13 @@ optional_policy(`kerberos.te',`
 	kerberos_use(httpd_t)
 ')
 
+optional_policy(`mailman.te',`
+	mailman_signal_cgi(httpd_t)
+	mailman_domtrans_cgi(httpd_t)
+	# should have separate types for public and private archives
+	mailman_read_archive(httpd_t)
+')
+
 optional_policy(`mta.te',`
 	# apache should set close-on-exec
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
@@ -586,6 +593,10 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_execute_cifs_files(httpd_suexec_t)
 ')
 
+optional_policy(`mailman.te',`
+	mailman_domtrans_cgi(httpd_suexec_t)
+')
+
 optional_policy(`mount.te',`
 	tunable_policy(`httpd_can_network_connect',`
 		mount_send_nfs_client_request(httpd_suexec_t)
diff --git a/refpolicy/policy/modules/services/mailman.fc b/refpolicy/policy/modules/services/mailman.fc
new file mode 100644
index 0000000..839017f
--- /dev/null
+++ b/refpolicy/policy/modules/services/mailman.fc
@@ -0,0 +1,33 @@
+/usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/var/lib/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)?		gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/log/mailman(/.*)?			gen_context(system_u:object_r:mailman_log_t,s0)
+/var/run/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
+
+#
+# distro_debian
+#
+ifdef(`distro_debian', `
+/etc/cron\.daily/mailman 	-- 	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/etc/cron\.monthly/mailman 	-- 	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/wrapper 	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+')
+
+#
+# distro_redhat
+#
+ifdef(`distro_redhat', `
+/etc/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/scripts/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
+/var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
new file mode 100644
index 0000000..a3f1d8c
--- /dev/null
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -0,0 +1,254 @@
+## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
+
+#######################################
+## <summary>
+##	The template to define a mailmain domain.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a domain to be used for
+##	a new mailman daemon.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The type of daemon to be used eg, cgi would give mailman_cgi_
+## </param>
+#
+template(`mailman_domain_template', `
+	type mailman_$1_t;
+	domain_type(mailman_$1_t)
+	role system_r types mailman_$1_t;
+
+	type mailman_$1_exec_t;
+	domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
+
+	type mailman_$1_tmp_t;
+	files_tmp_file(mailman_$1_tmp_t)
+
+	allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
+	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
+	allow mailman_$1_t self:udp_socket create_socket_perms;
+
+	allow mailman_$1_t mailman_data_t:dir create_dir_perms;
+	allow mailman_$1_t mailman_data_t:file create_file_perms;
+	allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;
+
+	allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
+	allow mailman_$1_t mailman_lock_t:file create_file_perms;
+	files_create_lock(mailman_$1_t,mailman_lock_t)
+
+	allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
+	allow mailman_$1_t mailman_log_t:file create_file_perms;
+	logging_create_log(mailman_$1_t,mailman_log_t)
+
+	allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
+	allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
+	files_create_tmp_files(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+
+	kernel_read_kernel_sysctl(mailman_$1_t)
+	kernel_read_system_state(mailman_$1_t)
+
+	corenet_tcp_sendrecv_all_if(mailman_$1_t)
+	corenet_udp_sendrecv_all_if(mailman_$1_t)
+	corenet_raw_sendrecv_all_if(mailman_$1_t)
+	corenet_tcp_sendrecv_all_nodes(mailman_$1_t)
+	corenet_udp_sendrecv_all_nodes(mailman_$1_t)
+	corenet_raw_sendrecv_all_nodes(mailman_$1_t)
+	corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+	corenet_udp_sendrecv_all_ports(mailman_$1_t)
+	corenet_tcp_bind_all_nodes(mailman_$1_t)
+	corenet_udp_bind_all_nodes(mailman_$1_t)
+	corenet_tcp_connect_smtp_port(mailman_$1_t)
+
+	fs_getattr_xattr_fs(mailman_$1_t)
+
+	corecmd_exec_bin(mailman_$1_t)
+	corecmd_exec_sbin(mailman_$1_t)
+
+	domain_exec_all_entry_files(mailman_$1_t)
+
+	files_exec_etc_files(mailman_$1_t)
+	files_list_usr(mailman_$1_t)
+	files_list_var(mailman_$1_t)
+	files_list_var_lib(mailman_$1_t)
+	files_read_var_lib_symlinks(mailman_$1_t)
+	files_read_etc_runtime_files(mailman_$1_t)
+
+	libs_use_ld_so(mailman_$1_t)
+	libs_use_shared_libs(mailman_$1_t)
+	libs_exec_ld_so(mailman_$1_t)
+	libs_exec_lib_files(mailman_$1_t)
+
+	miscfiles_read_localization(mailman_$1_t)
+
+	sysnet_read_config(mailman_$1_t)
+
+	optional_policy(`mount.te',`
+		mount_send_nfs_client_request(mailman_$1_t)
+	')
+
+	optional_policy(`nis.te',`
+		nis_use_ypbind(mailman_$1_t)
+	')
+')
+
+#######################################
+## <summary>
+##	Execute mailman in the mailman domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mailman_domtrans',`
+	gen_require(`
+		type mailman_mail_exec_t, mailman_mail_t;
+	')
+
+	domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)
+
+	allow $1 mailman_mail_t:fd use;
+	allow mailman_mail_t $1:fd use;
+	allow mailman_mail_t $1:fifo_file rw_file_perms;
+	allow mailman_mail_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+##	Execute mailman CGI scripts in the 
+##	mailman CGI domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mailman_domtrans_cgi',`
+	gen_require(`
+		type mailman_cgi_exec_t, mailman_cgi_t;
+	')
+
+	domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)
+
+	allow $1 mailman_cgi_t:fd use;
+	allow mailman_cgi_t $1:fd use;
+	allow mailman_cgi_t $1:fifo_file rw_file_perms;
+	allow mailman_cgi_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+##	Execute mailman in the caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowd access.
+## </param>
+#
+interface(`mailman_exec',`
+	gen_require(`
+		type mailman_mail_exec_t;
+	')
+
+	can_exec($1,mailman_mail_exec_t)
+')
+
+#######################################
+## <summary>
+##	Send generic signals to the mailman cgi domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mailman_signal_cgi',`
+	gen_require(`
+		type mailman_cgi_t;
+	')
+
+	allow $1 mailman_cgi_t:process signal;
+')
+
+#######################################
+## <summary>
+##	Allow domain to search data directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mailman_search_data',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir search;
+')
+
+#######################################
+## <summary>
+##	List the contents of mailman data directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mailman_list_data',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir r_dir_perms;
+')
+
+#######################################
+## <summary>
+##	Allow read acces to mailman data symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mailman_read_data_symlinks',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir search;
+	allow $1 mailman_data_t:lnk_file read;
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	mailman logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mailman_manage_log',`
+	gen_require(`
+		type mailman_log_t;
+	')
+
+	allow $1 mailman_log_t:dir rw_dir_perms;
+	allow $1 mailman_log_t:file create_file_perms;
+	allow $1 mailman_log_t:lnk_file create_lnk_perms;
+')
+
+#######################################
+## <summary>
+##	Allow domain to read mailman archive files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mailman_read_archive',`
+	gen_require(`
+		type mailman_archive_t;
+	')
+
+	allow $1 mailman_archive_t:dir { getattr read search };
+	allow $1 mailman_archive_t:file { read getattr };
+	allow $1 mailman_archive_t:lnk_file { getattr read };
+')
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
new file mode 100644
index 0000000..3e3613b
--- /dev/null
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -0,0 +1,113 @@
+
+policy_module(mailman,1.0)
+
+########################################
+#
+# Declarations
+#
+
+mailman_domain_template(cgi)
+
+type mailman_data_t;
+files_type(mailman_data_t)
+
+type mailman_archive_t;
+files_type(mailman_archive_t)
+
+type mailman_log_t;
+logging_log_file(mailman_log_t)
+
+type mailman_lock_t;
+files_lock_file(mailman_lock_t)
+
+mailman_domain_template(mail)
+init_daemon_domain(mailman_mail_t,mailman_mail_exec_t)
+
+mailman_domain_template(queue)
+
+########################################
+#
+# Mailman CGI local policy
+#
+
+# cjp: the template invocation for queue should be
+# in the below optional policy; however, there are no
+# optionals for file contexts yet, so it is promoted
+# to global scope until such facilities exist.
+
+optional_policy(`apache.te',`
+	allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
+	allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
+	allow mailman_cgi_t mailman_archive_t:file create_file_perms;
+
+	kernel_tcp_recvfrom(mailman_cgi_t)
+
+	term_use_controlling_term(mailman_cgi_t)
+
+	files_search_spool(mailman_cgi_t)
+
+	mta_tcp_connect_all_mailservers(mailman_cgi_t)
+
+	apache_sigchld(mailman_cgi_t)
+	apache_use_fd(mailman_cgi_t)
+	apache_dontaudit_append_log(mailman_cgi_t)
+')
+
+########################################
+#
+# Mailman mail local policy
+#
+
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+
+mta_dontaudit_rw_delivery_tcp_socket(mailman_mail_t)
+
+ifdef(`TODO',`
+optional_policy(`qmail.te', `
+	allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
+	# do we really need this?
+	allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+')
+')
+
+########################################
+#
+# Mailman queue local policy
+#
+
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:process signal;
+allow mailman_queue_t self:fifo_file rw_file_perms;
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow mailman_queue_t mailman_archive_t:dir create_dir_perms;
+allow mailman_queue_t mailman_archive_t:file create_file_perms;
+allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
+
+kernel_read_proc_symlinks(mailman_queue_t)
+kernel_tcp_recvfrom(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+files_dontaudit_search_pids(mailman_queue_t)
+
+# for su
+seutil_dontaudit_search_config(mailman_queue_t)
+
+# some of the following could probably be changed to dontaudit, someone who
+# knows mailman well should test this out and send the changes
+userdom_search_sysadm_home_dir(mailman_queue_t)
+userdom_getattr_sysadm_home_dir(mailman_queue_t)
+
+mta_tcp_connect_all_mailservers(mailman_queue_t)
+
+su_exec(mailman_queue_t)
+
+optional_policy(`cron.te',`
+	cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(mailman_queue_t)
+')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 1bc0177..2d7e33c 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -232,6 +232,14 @@ interface(`mta_mailserver_delivery',`
 	')
 
 	typeattribute $1 mailserver_delivery;
+
+	optional_policy(`mailman.te',`
+		# so MTA can access /var/lib/mailman/mail/wrapper
+		files_search_var_lib($1)
+
+		mailman_domtrans($1)
+		mailman_read_data_symlinks($1)
+	')
 ')
 
 #######################################
@@ -281,22 +289,6 @@ interface(`mta_send_mail',`
 ')
 
 #######################################
-## <summary>
-##	Connect to all mail servers over TCP.
-## </summary>
-## <param name="domain">
-##	Mail server domain.
-## </param>
-#
-interface(`mta_tcp_connect_all_mailservers',`
-	gen_require(`
-		attribute mailserver_domain;
-	')
-
-	allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
-')
-
-#######################################
 #
 # mta_exec(domain)
 #
@@ -342,6 +334,41 @@ interface(`mta_rw_aliases',`
 
 #######################################
 ## <summary>
+##	Do not audit attempts to read and write TCP
+##	sockets of mail delivery domains.
+## </summary>
+## <param name="domain">
+##	Mail server domain.
+## </param>
+#
+interface(`mta_dontaudit_rw_delivery_tcp_socket',`
+	gen_require(`
+		attribute mailserver_domain;
+	')
+
+	dontaudit $1 mailserver_delivery:tcp_socket { read write };
+')
+
+#######################################
+## <summary>
+##	Connect to all mail servers over TCP.
+## </summary>
+## <param name="domain">
+##	Mail server domain.
+## </param>
+#
+interface(`mta_tcp_connect_all_mailservers',`
+	gen_require(`
+		attribute mailserver_domain;
+	')
+
+	allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
+	allow mailserver_domain $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
+#######################################
+## <summary>
 ##	Do not audit attempts to read a symlink
 ##	in the mail spool.
 ## </summary>
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index da36dfa..8513036 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -492,6 +492,11 @@ optional_policy(`lvm.te',`
 	dev_create_generic_chr_file(initrc_t)
 ')
 
+optional_policy(`mailman.te',`
+	mailman_list_data(initrc_t)
+	mailman_read_data_symlinks(initrc_t)
+')
+
 optional_policy(`mta.te',`
 	mta_dontaudit_read_spool_symlink(initrc_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 912c027..227f6fd 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1746,6 +1746,23 @@ interface(`userdom_rw_sysadm_pipe',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the sysadm users
+##	home directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_getattr_sysadm_home_dir',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
 ##	Search the sysadm users home directory.
 ## </summary>
 ## <param name="domain">
@@ -1755,10 +1772,8 @@ interface(`userdom_rw_sysadm_pipe',`
 interface(`userdom_search_sysadm_home_dir',`
 	gen_require(`
 		type sysadm_home_dir_t;
-		class dir search;
 	')
 
-	files_search_home($1)
 	allow $1 sysadm_home_dir_t:dir search;
 ')