diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc index 16ec200..5193fc3 100644 --- a/policy/modules/services/mta.fc +++ b/policy/modules/services/mta.fc @@ -1,4 +1,4 @@ -/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) @@ -9,11 +9,15 @@ ifdef(`distro_redhat',` /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) @@ -22,7 +26,3 @@ ifdef(`distro_redhat',` /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - -#ifdef(`postfix.te', `', ` -#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -#') diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 6641292..9b9dd2d 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -94,6 +94,12 @@ template(`mta_base_mail_template',` miscfiles_read_localization($1_mail_t) optional_policy(` + exim_read_log($1_mail_t) + exim_append_log($1_mail_t) + exim_manage_spool_files($1_mail_t) + ') + + optional_policy(` postfix_domtrans_user_mail_handler($1_mail_t) ') @@ -130,6 +136,9 @@ template(`mta_base_mail_template',` sendmail_create_log($1_mail_t) ') + optional_policy(` + uucp_manage_spool($1_mail_t) + ') ') ######################################## @@ -307,6 +316,7 @@ interface(`mta_mailserver_delivery',` optional_policy(` dovecot_manage_spool($1) + dovecot_domtrans_deliver($1) ') optional_policy(` @@ -446,6 +456,25 @@ interface(`mta_read_config',` ######################################## ## +## write mail server configuration. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mta_write_config',` + gen_require(` + type etc_mail_t; + ') + + write_files_pattern($1, etc_mail_t, etc_mail_t) +') + +######################################## +## ## Read mail address aliases. ## ## @@ -591,8 +620,8 @@ interface(`mta_getattr_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:lnk_file read; - allow $1 mail_spool_t:file getattr; + getattr_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') ######################################## @@ -612,7 +641,7 @@ interface(`mta_dontaudit_getattr_spool_files',` ') files_dontaudit_search_spool($1) - dontaudit $1 mail_spool_t:dir search; + dontaudit $1 mail_spool_t:dir search_dir_perms; dontaudit $1 mail_spool_t:lnk_file read; dontaudit $1 mail_spool_t:file getattr; ') @@ -806,6 +835,7 @@ interface(`mta_manage_queue',` ') files_search_spool($1) + manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t) manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) ') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 5c33cd6..992fd4a 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta, 2.1.2) +policy_module(mta, 2.1.3) ######################################## # @@ -47,20 +47,27 @@ ubac_constrained(user_mail_tmp_t) # # newalias required this, not sure if it is needed in 'if' file -allow system_mail_t self:capability { dac_override }; +allow system_mail_t self:capability { dac_override fowner }; +allow system_mail_t self:fifo_file rw_fifo_file_perms; read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) +read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) allow system_mail_t mta_exec_type:file entrypoint; -allow system_mail_t mailcontent_type:file read_file_perms; +can_exec(system_mail_t, mta_exec_type) kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) +dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) +fs_rw_anon_inodefs_files(system_mail_t) + +selinux_getattr_fs(system_mail_t) + init_use_script_ptys(system_mail_t) userdom_use_user_terminals(system_mail_t) @@ -86,15 +93,35 @@ optional_policy(` ') optional_policy(` + clamav_stream_connect(system_mail_t) + clamav_append_log(system_mail_t) +') + +optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) ') optional_policy(` + courier_manage_spool_dirs(system_mail_t) + courier_manage_spool_files(system_mail_t) + courier_rw_spool_pipes(system_mail_t) +') + +optional_policy(` cvs_read_data(system_mail_t) ') optional_policy(` + exim_domtrans(system_mail_t) + exim_manage_log(system_mail_t) +') + +optional_policy(` + fail2ban_append_log(system_mail_t) +') + +optional_policy(` logrotate_read_tmp_files(system_mail_t) ') @@ -132,10 +159,6 @@ optional_policy(` # compatability for old default main.cf postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) ') - - optional_policy(` - cron_rw_tcp_sockets(system_mail_t) - ') ') optional_policy(`