diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index f3ce31e..6777f82 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -519,3 +519,20 @@ interface(`cron_read_system_job_tmp_files',` files_search_tmp($1) allow $1 system_crond_tmp_t:file r_file_perms; ') + +######################################## +## +## Do not audit attempts to append temporary +## files from the system cron jobs. +## +## +## Domain to not audit. +## +# +interface(`cron_dontaudit_append_system_job_tmp_files',` + gen_require(` + type system_crond_tmp_t; + ') + + dontaudit $1 system_crond_tmp_t:file append; +') diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 3b8eebd..3b89e10 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -26,8 +26,7 @@ interface(`mta_stub',` ##

##

## This is the basic types and rules, common -## to the system agent and user agents, and -## is not useful by itself. +## to the system agent and user agents. ##

## ## @@ -238,6 +237,52 @@ template(`mta_per_userdomain_template',` ') dnl end TODO ') +######################################## +## +## Provide extra permissions for admin users +## mail domain. +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the user domain. +## +# +template(`mta_admin_template',` + ifdef(`strict_policy',` + # allow the sysadmin to do "mail someone < /home/user/whatever" + userdom_read_unpriv_user_home_files($1_mail_t) + ') + + optional_policy(`postfix',` + gen_require(` + attribute mta_user_agent; + type etc_aliases_t; + ') + + allow mta_user_agent $2:fifo_file { read write }; + + allow $1_mail_t etc_aliases_t:dir create_dir_perms; + allow $1_mail_t etc_aliases_t:file create_file_perms; + allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms; + allow $1_mail_t etc_aliases_t:sock_file create_file_perms; + allow $1_mail_t etc_aliases_t:fifo_file create_file_perms; + files_create_etc_config($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file }) + + # postfix needs this for newaliases + files_getattr_tmp_dir($1_mail_t) + + postfix_exec_master($1_mail_t) + + ifdef(`distro_redhat',` + # compatability for old default main.cf + postfix_create_config($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file }) + ') + ') +') + ####################################### # # mta_mailserver(domain,entrypointtype) diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 13c7b27..cc1cdb6 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -97,8 +97,6 @@ ifdef(`targeted_policy',` files_exec_etc_files(system_mail_t) - libs_use_ld_so(system_mail_t) - libs_use_shared_libs(system_mail_t) libs_exec_ld_so(system_mail_t) libs_exec_lib_files(system_mail_t) # ') 
@@ -116,12 +114,15 @@ optional_policy(`apache',` ') optional_policy(`arpwatch',` - arpwatch_rw_tmp_files(system_mail_t) + arpwatch_manage_tmp_files(system_mail_t) + + ifdef(`hide_broken_symptoms', ` + arpwatch_dontaudit_rw_packet_socket(system_mail_t) + ') ') optional_policy(`cron',` cron_read_system_job_tmp_files(system_mail_t) - cron_read_system_job_tmp_files(mta_user_agent) ') optional_policy(`cvs',` @@ -133,8 +134,6 @@ optional_policy(`logrotate',` ') optional_policy(`postfix',` - postfix_stub(system_mail_t) - allow system_mail_t etc_aliases_t:dir create_dir_perms; allow system_mail_t etc_aliases_t:file create_file_perms; allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms; 
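Review bot: `arpwatch_manage_tmp_files(system_mail_t)` replaces `arpwatch_rw_tmp_files(system_mail_t)` and so widens a read/write grant to full manage (create, unlink, rename) on arpwatch temp files, with nothing in the hunk saying why a mail submission domain needs more than read/write. The later hunk in this file drops an identical `arpwatch_manage_tmp_files(system_mail_t)` line, so this looks like consolidation of a duplicate rather than a new grant, but the justification does not travel with the move. I would carry a comment next to the call naming which arpwatch behaviour requires create/unlink on its temp files (the sibling block already flags the related oddity with `# why is mail delivered to a directory of type arpwatch_data_t?`), or, if read/write is in fact sufficient, keep the narrower `arpwatch_rw_tmp_files` here and delete the manage grant instead. The `cron_read_system_job_tmp_files(mta_user_agent)` line removed here reappears in the later hunk only inside the arpwatch block; see the note there.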
@@ -144,40 +143,39 @@ optional_policy(`postfix',` domain_use_wide_inherit_fd(system_mail_t) - optional_policy(`crond',` - cron_crw_tcp_socket(system_mail_t) - ') + # postfix needs this for newaliases + files_getattr_tmp_dir(system_mail_t) - allow mta_user_agent sysadm_t:fifo_file { read write }; - type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t; + postfix_exec_master(system_mail_t) - # postfix needs this for newaliases - allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr; + ifdef(`distro_redhat',` + # compatability for old default main.cf + postfix_create_config(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file }) + ') + + optional_policy(`cron',` + cron_crw_tcp_socket(system_mail_t) + ') ') -ifdef(`TODO',` optional_policy(`sendmail',` - dontaudit system_mail_t userpty_type:chr_file { getattr read write }; + userdom_dontaudit_use_unpriv_user_pty(system_mail_t) - optional_policy(`crond',` - dontaudit system_mail_t system_crond_tmp_t:file append; + optional_policy(`cron',` + cron_dontaudit_append_system_job_tmp_files(system_mail_t) ') ') -ifdef(`strict_policy',` - # allow the sysadmin to do "mail someone < /home/user/whatever" - allow sysadm_mail_t user_home_dir_type:dir search; - r_dir_file(sysadm_mail_t, user_home_type) -') -') dnl end TODO +# should break this up among sections: optional_policy(`arpwatch',` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) - arpwatch_manage_tmp_files(system_mail_t) arpwatch_manage_tmp_files(mta_user_agent) ifdef(`hide_broken_symptoms', ` - arpwatch_dontaudit_rw_packet_socket(system_mail_t) arpwatch_dontaudit_rw_packet_socket(mta_user_agent) ') + optional_policy(`cron',` + cron_read_system_job_tmp_files(mta_user_agent) + ') ') diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if index d7ff365..f773241 100644 --- a/refpolicy/policy/modules/services/postfix.if 
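Review bot: `cron_read_system_job_tmp_files(mta_user_agent)` is now nested inside `optional_policy(`arpwatch',`, so mta_user_agent domains only get read access to system cron job temp files when the arpwatch module is also present; before this commit the rule sat in the top-level `optional_policy(`cron',` block (removed in the earlier hunk) and had no dependency on arpwatch. Unless that coupling is intended, move the three lines back under the top-level `optional_policy(`cron',` next to `cron_read_system_job_tmp_files(system_mail_t)`; the `# should break this up among sections:` comment added here suggests the block is already known to be mis-sectioned. Also, the new `cron_dontaudit_append_system_job_tmp_files(system_mail_t)` under `optional_policy(`sendmail',` is unconditional, while the arpwatch dontaudit a few lines up is gated by `ifdef(`hide_broken_symptoms',`; silencing an `append` denial on cron temp files is exactly the kind of symptom masking that gate exists for, so consider wrapping it the same way so the denial stays visible on audit-everything builds.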
+++ b/refpolicy/policy/modules/services/postfix.if @@ -177,6 +177,37 @@ interface(`postfix_read_config',` ######################################## ## +## Create files with the specified type in +## the postfix configuration directories. +## +## +## Domain allowed access. +## +## +## The type of the object to be created. +## +## +## The object class of the object being created. If +## no class is specified, file will be used. +## +# +interface(`postfix_create_config',` + gen_require(` + type postfix_etc_t; + ') + + files_search_etc($1) + allow $1 postfix_etc_t:dir rw_dir_perms; + + ifelse(`$3',`',` + type_transition $1 postfix_etc_t:file $2; + ',` + type_transition $1 postfix_etc_t:$3 $2; + ') +') + +######################################## +## ## Do not audit attempts to read and ## write postfix local delivery ## TCP sockets. @@ -281,6 +312,23 @@ interface(`postfix_domtrans_master',` ######################################## ## +## Execute the master postfix program in the +## caller domain. +## +## +## Domain allowed access. +## +# +interface(`postfix_exec_master',` + gen_require(` + type postfix_master_exec_t; + ') + + can_exec($1,postfix_master_exec_t) +') + +######################################## +## ## Search postfix mail spool directories. ## ## diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index 7dc4ef2..53a331d 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te 
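Review bot: `postfix_create_config` grants `$1` `rw_dir_perms` on `postfix_etc_t` directories (add_name/remove_name in the postfix configuration directory) plus a type transition to `$2`, but grants nothing on `$2` itself, so a caller that invokes only this interface gets a transition it cannot use while still receiving write access to the config directory; the summary should say both things. Suggested addition to the summary: `The caller must separately allow $1 to create objects of type $2. Note this also permits adding and removing names in postfix configuration directories.` The `ifelse(`$3',`',` default-to-`file` branch appears to mirror the argument shape of `files_create_etc_config` as called in mta.if, which is good for consistency, but that interface's definition is outside this diff.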
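Review bot: `postfix_exec_master` uses `can_exec`, so the postfix master binary runs in the caller's domain with no domain transition, and its summary should warn what that means: the caller's own permissions, not `postfix_master_t`'s, govern whatever the binary does. The only visible use is the `newaliases` path in mta.te and mta.if, so I would state the intended scope in the interface doc, e.g. `## Intended for mail client domains running newaliases; no domain transition occurs, so the caller's permissions apply. Prefer postfix_domtrans_master() for anything else.` That keeps a later caller from reaching for this interface when the transitioning `postfix_domtrans_master` a few lines above is the safe choice.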
@@ -197,41 +197,7 @@ ifdef(`distro_redhat',` allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms; allow postfix_master_t etc_aliases_t:sock_file create_file_perms; allow postfix_master_t etc_aliases_t:fifo_file create_file_perms; - type_transition postfix_master_t postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t; -') - -# postfix needs this for newaliases -allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr; - -can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t) - -allow sysadm_mail_t etc_aliases_t:dir create_dir_perms; -allow sysadm_mail_t etc_aliases_t:file create_file_perms; -allow sysadm_mail_t etc_aliases_t:lnk_file create_lnk_perms; -allow sysadm_mail_t etc_aliases_t:sock_file create_file_perms; -allow sysadm_mail_t etc_aliases_t:fifo_file create_file_perms; -files_create_etc_config(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file }) - - -ifdef(`distro_redhat',` - # compatability for old default main.cf - allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms; - allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms; - allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms; - allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file create_file_perms; - allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms; - - allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms; - type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t; - - allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms; - allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms; - allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms; - allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file create_file_perms; - allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms; - - allow { 
sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms; - type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t; + type_transition postfix_master_t postfix_etc_t:{ dir file lnk_file sock_file fifo_file } etc_aliases_t; ') # end partially converted rules diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index c4cb1f4..c2362ec 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -906,7 +906,11 @@ template(`admin_user_template',` seutil_manage_binary_pol($1_t) optional_policy(`cron',` - cron_admin_template($1) + cron_admin_template($1,$1_t,$1_r) + ') + + optional_policy(`mta',` + mta_admin_template($1,$1_t,$1_r) ') ifdef(`TODO',` @@ -2389,6 +2393,27 @@ interface(`userdom_setattr_unpriv_user_pty',` ######################################## ## +## Do not audit attempts to use unprivileged +## user ptys. +## +## +## Domain allowed access. +## +# +interface(`userdom_dontaudit_use_unpriv_user_pty',` + ifdef(`targeted_policy',` + term_dontaudit_use_generic_pty($1) + ',` + gen_require(` + attribute user_ptynode; + ') + + dontaudit $1 user_ptynode:chr_file rw_file_perms; + ') +') + +######################################## +## ## Read all unprivileged users temporary directories. ## ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index c7950a8..a5edddb 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.0.2) +policy_module(userdomain,1.0.3) ######################################## #
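Review bot: The merged `type_transition postfix_master_t postfix_etc_t:{ dir file lnk_file sock_file fifo_file } etc_aliases_t;` sits inside the `ifdef(`distro_redhat',` block named in the hunk header, while the `dir` transition it absorbs was previously in mta.te's `optional_policy(`postfix',` block (removed in this commit) with no distro condition; if I read the nesting right, non-Red Hat builds lose the directory transition for `postfix_master_t`. If that is deliberate, a comment such as `# dir transition was unconditional in mta.te before; Red Hat only is intentional` would prevent it being re-added, and if not, keep a separate `type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;` outside the ifdef. The enclosing `ifdef` opens before this hunk, so the nesting is inferred from the `@@` context line and the `')` that immediately follows the new line.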
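Review bot: `cron_admin_template($1)` becomes `cron_admin_template($1,$1_t,$1_r)`, but the cron.if part of this commit only adds a dontaudit interface and does not touch `cron_admin_template`'s parameter list; m4 silently discards extra macro arguments, so if the template still takes one parameter the new `$1_t`/`$1_r` arguments are no-ops rather than build errors. Worth confirming the three-parameter form already exists in cron.if outside this diff, or extending it in the same change. The same check applies to `mta_admin_template($1,$1_t,$1_r)`, whose definition in this commit never uses `$3`.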
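Review bot: `userdom_dontaudit_use_unpriv_user_pty` silences `rw_file_perms` on `user_ptynode:chr_file`, which is wider than the `{ getattr read write }` set the replaced mta.te rule suppressed (as refpolicy defines it, `rw_file_perms` also covers append, ioctl and lock); since this is a dontaudit the cost is lost audit signal rather than extra access, but the summary should name what is hidden. If the narrower set is what callers need, `dontaudit $1 user_ptynode:chr_file { getattr read write };` keeps parity with the old rule. The targeted branch delegates to `term_dontaudit_use_generic_pty($1)`, whose permission set is not visible here, so the two branches may differ in width as well.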