diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index cb7f1b8..3b8eebd 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -16,7 +16,7 @@ interface(`mta_stub',` ####################################### ## -## The per user domain template for the mta module. +## Basic mail transfer agent domain template. ## ## ##

@@ -25,34 +25,33 @@ interface(`mta_stub',` ## behalf of the user. ##

##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. +## This is the basic types and rules, common +## to the system agent and user agents, and +## is not useful by itself. ##

##
-## -## The prefix of the user domain (e.g., user +## +## The prefix of the domain (e.g., user ## is the prefix for user_t). ## -## -## The type of the user domain. -## -## -## The role associated with the user domain. -## # -template(`mta_per_userdomain_template',` - gen_require(` - attribute mailserver_domain, mta_user_agent, user_mail_domain; - type sendmail_exec_t; - ') +template(`mta_base_mail_template',` + + ############################## + # + # $1_mail_t declarations + # type $1_mail_t, user_mail_domain; domain_type($1_mail_t) - role $3 types $1_mail_t; + domain_entry_file($1_mail_t,sendmail_exec_t) - type $1_mail_tmp_t; - files_tmp_file($1_mail_tmp_t) + optional_policy(`sendmail',` + type $1_mail_tmp_t; + files_tmp_file($1_mail_tmp_t) + + sendmail_stub($1_mail_t) + ') ############################## # @@ -67,20 +66,6 @@ template(`mta_per_userdomain_template',` can_exec($1_mail_t, sendmail_exec_t) allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms; - # Transition from the user domain to the derived domain. - domain_auto_trans($2, sendmail_exec_t, $1_mail_t) - allow $2 sendmail_exec_t:lnk_file { getattr read }; - - allow $2 $1_mail_t:fd use; - allow $1_mail_t $2:fd use; - allow $1_mail_t $2:fifo_file rw_file_perms; - allow $1_mail_t $2:process sigchld; - - # For when the user wants to send mail via port 25 localhost - kernel_tcp_recvfrom($2) - allow $2 mailserver_domain:tcp_socket { connectto recvfrom }; - allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom }; - kernel_read_kernel_sysctl($1_mail_t) corenet_tcp_sendrecv_all_if($1_mail_t) @@ -90,11 +75,7 @@ template(`mta_per_userdomain_template',` corenet_tcp_sendrecv_all_ports($1_mail_t) corenet_tcp_bind_all_nodes($1_mail_t) corenet_tcp_connect_all_ports($1_mail_t) - - domain_use_wide_inherit_fd($1_mail_t) - - libs_use_ld_so($1_mail_t) - libs_use_shared_libs($1_mail_t) + corenet_tcp_connect_smtp_port($1_mail_t) corecmd_exec_bin($1_mail_t) corecmd_search_sbin($1_mail_t) 
@@ -104,6 +85,9 @@ template(`mta_per_userdomain_template',` # It wants to check for nscd files_dontaudit_search_pids($1_mail_t) + libs_use_ld_so($1_mail_t) + libs_use_shared_libs($1_mail_t) + logging_send_syslog_msg($1_mail_t) miscfiles_read_localization($1_mail_t) @@ -111,6 +95,106 @@ template(`mta_per_userdomain_template',` sysnet_read_config($1_mail_t) sysnet_dns_name_resolve($1_mail_t) + optional_policy(`nis',` + nis_use_ypbind($1_mail_t) + ') + + optional_policy(`nscd',` + nscd_use_socket($1_mail_t) + ') + + optional_policy(`procmail',` + procmail_exec($1_mail_t) + ') + + optional_policy(`sendmail',` + allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms; + allow $1_mail_t $1_mail_tmp_t:file create_file_perms; + files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir }) + + allow $1_mail_t etc_mail_t:dir { getattr search }; + + # Write to /var/spool/mail and /var/spool/mqueue. + allow $1_mail_t mail_spool_t:dir rw_dir_perms; + allow $1_mail_t mail_spool_t:file create_file_perms; + allow $1_mail_t mqueue_spool_t:dir rw_dir_perms; + allow $1_mail_t mqueue_spool_t:file create_file_perms; + + # Check available space. + fs_getattr_xattr_fs($1_mail_t) + + files_read_etc_runtime_files($1_mail_t) + + # Write to /var/log/sendmail.st + sendmail_manage_log($1_mail_t) + sendmail_create_log($1_mail_t) + ') + + ifdef(`TODO',` + ifdef(`qmail.te', ` + allow $1_mail_t qmail_etc_t:dir search; + allow $1_mail_t qmail_etc_t:{ file lnk_file } read; + ') + ') dnl end TODO +') + +####################################### +## +## The per user domain template for the mta module. +## +## +##

+## This template creates a derived domain which is +## a email transfer agent, which sends mail on +## behalf of the user. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## +# +template(`mta_per_userdomain_template',` + gen_require(` + attribute mailserver_domain, mta_user_agent, user_mail_domain; + type sendmail_exec_t; + ') + + mta_base_mail_template($1) + role $3 types $1_mail_t; + + ############################## + # + # $1_mail_t local policy + # + + # Transition from the user domain to the derived domain. + domain_auto_trans($2, sendmail_exec_t, $1_mail_t) + allow $2 sendmail_exec_t:lnk_file { getattr read }; + + allow $2 $1_mail_t:fd use; + allow $1_mail_t $2:fd use; + allow $1_mail_t $2:fifo_file rw_file_perms; + allow $1_mail_t $2:process sigchld; + + # For when the user wants to send mail via port 25 localhost + kernel_tcp_recvfrom($2) + allow $2 mailserver_domain:tcp_socket { connectto recvfrom }; + allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom }; + + domain_use_wide_inherit_fd($1_mail_t) + userdom_use_user_terminals($1,$1_mail_t) # Write to the user domain tty. cjp: why? userdom_use_user_terminals($1,mta_user_agent) @@ -131,24 +215,12 @@ template(`mta_per_userdomain_template',` fs_manage_cifs_symlinks($1_mail_t) ') - optional_policy(`nis',` - nis_use_ypbind($1_mail_t) - ') - - optional_policy(`nscd',` - nscd_use_socket($1_mail_t) - ') - optional_policy(`postfix',` allow $1_mail_t self:capability dac_override; postfix_read_config($1_mail_t) postfix_list_spool($1_mail_t) ') - optional_policy(`procmail',` - procmail_exec($1_mail_t) - ') - ifdef(`TODO',` # Read user temporary files. allow $1_mail_t $1_tmp_t:file r_file_perms; 
@@ -158,21 +230,11 @@ template(`mta_per_userdomain_template',` allow $1_mail_t $1_tmp_t:file write; ') - # cjp: why? allow mta_user_agent $1_tmp_t:file r_file_perms; - # Inherit and use descriptors from gnome-pty-helper. - ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;') - # if you do not want to allow dead.letter then use the following instead #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; #allow $1_mail_t $1_home_t:file r_file_perms; - - ifdef(`qmail.te', ` - allow $1_mail_t qmail_etc_t:dir search; - allow $1_mail_t qmail_etc_t:{ file lnk_file } read; - ') - ') dnl end TODO ') diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index bc00f29..13c7b27 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta,1.0.1) +policy_module(mta,1.0.2) ######################################## # @@ -28,17 +28,12 @@ files_type(mail_spool_t) type sendmail_exec_t; files_type(sendmail_exec_t) -type system_mail_t, user_mail_domain; -domain_type(system_mail_t) -domain_entry_file(system_mail_t,sendmail_exec_t) +mta_base_mail_template(system) role system_r types system_mail_t; -type system_mail_tmp_t; -files_tmp_file(system_mail_tmp_t) - # cjp: need to resolve this, but require{} # does not work in the else part of the optional -#ifdef(`targeted_policy',`',` +#ifdef(`strict_policy',` # optional_policy(`sendmail',`',` # init_system_domain(system_mail_t,sendmail_exec_t) # ') 
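Review bot: After `mta_base_mail_template(system)` replaces the explicit declarations, `system_mail_tmp_t` is only declared inside the template's `optional_policy(`sendmail',` block (see the mta.if hunk at `@@ -25,34 +25,33 @@`), whereas the removed `type system_mail_tmp_t; files_tmp_file(system_mail_tmp_t)` was unconditional. Any remaining reference to `system_mail_tmp_t` in mta.te outside a sendmail `optional_policy` block would now fail to build when the sendmail module is absent; the rest of the file is not in view, so this needs a grep. A short comment above the template call, e.g. `# declares system_mail_t and, with sendmail, system_mail_tmp_t`, would make the conditional declaration visible to readers of the .te file.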
@@ -49,60 +44,17 @@ files_tmp_file(system_mail_tmp_t) # System mail local policy # -allow system_mail_t self:capability { setuid setgid chown }; -allow system_mail_t self:process { signal_perms setrlimit }; -allow system_mail_t self:tcp_socket create_socket_perms; - allow system_mail_t etc_mail_t:dir { getattr search }; allow system_mail_t etc_mail_t:file r_file_perms; -# re-exec itself -can_exec(system_mail_t, sendmail_exec_t) -allow system_mail_t sendmail_exec_t:lnk_file r_file_perms; - -allow system_mail_t system_mail_tmp_t:dir create_dir_perms; -allow system_mail_t system_mail_tmp_t:file create_file_perms; -files_create_tmp_files(system_mail_t, system_mail_tmp_t, { file dir }) - -kernel_read_kernel_sysctl(system_mail_t) kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) -corenet_tcp_sendrecv_all_if(system_mail_t) -corenet_raw_sendrecv_all_if(system_mail_t) -corenet_tcp_sendrecv_all_nodes(system_mail_t) -corenet_raw_sendrecv_all_nodes(system_mail_t) -corenet_tcp_sendrecv_all_ports(system_mail_t) -corenet_tcp_bind_all_nodes(system_mail_t) -corenet_tcp_connect_smtp_port(system_mail_t) -corenet_tcp_connect_all_ports(system_mail_t) - dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -fs_getattr_xattr_fs(system_mail_t) - init_use_script_pty(system_mail_t) -files_read_etc_files(system_mail_t) -files_read_etc_runtime_files(system_mail_t) -files_search_spool(system_mail_t) -# It wants to check for nscd -files_dontaudit_search_pids(system_mail_t) - -corecmd_exec_bin(system_mail_t) -corecmd_search_sbin(system_mail_t) - -libs_use_ld_so(system_mail_t) -libs_use_shared_libs(system_mail_t) - -logging_send_syslog_msg(system_mail_t) - -miscfiles_read_localization(system_mail_t) - -sysnet_read_config(system_mail_t) -sysnet_dns_name_resolve(system_mail_t) - userdom_use_sysadm_terms(system_mail_t) ifdef(`hide_broken_symptoms',` 
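Review bot: Several rules deleted here for `system_mail_t` are not visibly re-granted by `mta_base_mail_template`: `files_read_etc_files`, `files_search_spool`, `corenet_raw_sendrecv_all_if`/`_nodes`, and the `self:capability { setuid setgid chown }`, `self:process` and `self:tcp_socket` rules do not appear in any of the template's hunks, and `files_read_etc_runtime_files`, which was unconditional here, is only added inside the template's `optional_policy(`sendmail',` block. They may well sit in the template's unchanged middle, which this diff does not show, but the conditional `files_read_etc_runtime_files` at least is a visible behaviour change for builds without sendmail. The commit message should state which of these were intentionally dropped, and the template's unchanged region should be checked for the rest before this is merged.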
@@ -169,6 +121,7 @@ optional_policy(`arpwatch',` optional_policy(`cron',` cron_read_system_job_tmp_files(system_mail_t) + cron_read_system_job_tmp_files(mta_user_agent) ') optional_policy(`cvs',` @@ -179,14 +132,6 @@ optional_policy(`logrotate',` logrotate_read_tmp_files(system_mail_t) ') -optional_policy(`nis',` - nis_use_ypbind(system_mail_t) -') - -optional_policy(`nscd',` - nscd_use_socket(system_mail_t) -') - optional_policy(`postfix',` postfix_stub(system_mail_t) @@ -205,29 +150,13 @@ optional_policy(`postfix',` allow mta_user_agent sysadm_t:fifo_file { read write }; type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t; -') - -optional_policy(`procmail',` - procmail_exec(system_mail_t) -') - -optional_policy(`sendmail',` - sendmail_stub(system_mail_t) - - allow system_mail_t etc_mail_t:dir { getattr search }; - # sendmail -q - allow system_mail_t mqueue_spool_t:dir rw_dir_perms; - allow system_mail_t mqueue_spool_t:file create_file_perms; - - # FIXME: - allow system_mail_t sendmail_log_t:file manage_file_perms; - logging_create_log(system_mail_t,sendmail_log_t) + # postfix needs this for newaliases + allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr; ') ifdef(`TODO',` optional_policy(`sendmail',` - allow system_mail_t { var_t var_spool_t }:dir getattr; dontaudit system_mail_t userpty_type:chr_file { getattr read write }; optional_policy(`crond',` 
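Review bot: In the `@@ -205,29 +150,13 @@` hunk the added `allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;` names `tmp_t`, a type owned by the files module, directly from mta.te, and it names `sysadm_mail_t`, which only exists if the sysadm user's `mta_per_userdomain_template` was instantiated; the existing `sysadm_t` reference in the same block has the same shape, so this may be accepted local practice, but a module build would reject an un-required foreign type. Using the files module's interface for getattr on tmp directories (or at least a `gen_require` for `tmp_t`) keeps the dependency explicit, and the comment `# postfix needs this for newaliases` would read better as a statement of what newaliases does in /tmp. The enclosing `optional_policy(`postfix',` block starts outside this hunk.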
@@ -235,23 +164,13 @@ optional_policy(`sendmail',` ') ') -ifdef(`targeted_policy',` - allow system_mail_t { var_t var_spool_t }:dir getattr; -',` +ifdef(`strict_policy',` # allow the sysadmin to do "mail someone < /home/user/whatever" allow sysadm_mail_t user_home_dir_type:dir search; r_dir_file(sysadm_mail_t, user_home_type) ') - - -optional_policy(`qmail',` - allow system_mail_t qmail_etc_t:dir search; - allow system_mail_t qmail_etc_t:{ file lnk_file } read; -') ') dnl end TODO -allow mta_user_agent system_crond_tmp_t:file { read getattr }; - optional_policy(`arpwatch',` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if index 0f03e70..51d2e28 100644 --- a/refpolicy/policy/modules/services/sendmail.if +++ b/refpolicy/policy/modules/services/sendmail.if @@ -52,3 +52,36 @@ interface(`sendmail_rw_tcp_socket',` allow $1 sendmail_t:tcp_socket { read write }; ') + +######################################## +## +## Create, read, write, and delete sendmail logs. +## +## +## Domain allowed access. +## +# +interface(`sendmail_manage_log',` + gen_require(` + type sendmail_log_t; + ') + + logging_search_logs($1) + allow $1 sendmail_log_t:file manage_file_perms; +') + +######################################## +## +## Create sendmail logs with the correct type. +## +## +## Domain allowed access. +## +# +interface(`sendmail_create_log',` + gen_require(` + type sendmail_log_t; + ') + + logging_create_log($1,sendmail_log_t,file) +')
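Review bot: The summary of the new `sendmail_manage_log` interface in sendmail.if, "Create, read, write, and delete sendmail logs.", understates what `manage_file_perms` on `sendmail_log_t` allows: it covers every file of that type, including rename and unlink of existing logs, not just the `/var/log/sendmail.st` statistics file the mta.te comment `# Write to /var/log/sendmail.st` describes as the need. Since this interface is now invoked from `mta_base_mail_template` for every derived mail domain, the description should say so and suggest the narrower alternative, e.g. `## Full management of all sendmail_log_t files; callers that only update sendmail.st should prefer a read/write-only interface.`, and the `# FIXME:` that accompanied the original mta.te rule should be preserved in the interface header so the over-broad scope is not lost.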