diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 8e0730b..38b36c6 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -14,6 +14,7 @@
 networkmanager
 pegasus
 postfix
+ procmail
 radius
 rpc
 spamassassin
diff --git a/refpolicy/policy/modules.conf b/refpolicy/policy/modules.conf
index fa7af3c..d3c8605 100644
--- a/refpolicy/policy/modules.conf
+++ b/refpolicy/policy/modules.conf
@@ -704,19 +704,19 @@ lpd = base
 #
 avahi = base
-# Layer: system
-# Module: unconfined
+# Layer: services
+# Module: procmail
 #
-# The unconfined domain.
+# Procmail mail delivery agent
 #
-unconfined = base
+procmail = base
 # Layer: system
-# Module: authlogin
+# Module: unconfined
 #
-authlogin = base
+unconfined = base
 # Layer: system
 # Module: selinuxutil
@@ -866,3 +866,10 @@ libraries = base
 #
 miscfiles = base
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
+
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index f797e16..ce05c76 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -536,6 +536,23 @@ interface(`mta_manage_spool',`
 ')
 #######################################
+##
+## Do not audit attempts to read and
+## write the mail queue.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`mta_dontaudit_rw_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ dontaudit $1 mqueue_spool_t:file { getattr read write };
+')
+
+#######################################
 #
 # mta_manage_queue(domain)
 #
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index 1a6a435..76d526a 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
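Review bot: The summary of `mta_dontaudit_rw_queue` promises only "read and write" but the rule also silences `getattr` on `mqueue_spool_t` files, so the documentation understates what is hidden from the audit log; suggest `## Do not audit attempts to get attributes of, read and write the mail queue.` A dontaudit on write removes the only trace of a domain touching queued mail, which is why procmail.te in this commit keeps the call under `hide_broken_symptoms`; that expectation belongs on the interface itself, e.g. `# Intended for hide_broken_symptoms callers only: suppresses queue write denials.`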
@@ -177,6 +177,42 @@ interface(`postfix_read_config',`
 ########################################
 ##
+## Do not audit attempts to read and
+## write postfix local delivery
+## TCP sockets.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`postfix_dontaudit_rw_local_tcp_socket',`
+ gen_require(`
+ type postfix_local_t;
+ ')
+
+ dontaudit $1 postfix_local_t:tcp_socket { read write };
+')
+
+########################################
+##
+## Do not audit attempts to use
+## postfix master process file
+## file descriptors.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`postfix_dontaudit_use_fd',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ dontaudit $1 postfix_master_t:fd use;
+')
+
+########################################
+##
 ## Execute postfix_map in the postfix_map domain.
 ##
 ##
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index eec36bd..d59b072 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.0)
+policy_module(postfix,1.0.1)
 ########################################
 #
@@ -306,14 +306,9 @@ mta_delete_spool(postfix_local_t)
 # For reading spamassasin
 mta_read_config(postfix_local_t)
-ifdef(`TODO',`
-optional_policy(`procmail.te', `
- domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
- # for a bug in the postfix local program
- dontaudit procmail_t postfix_local_t:tcp_socket { read write };
- dontaudit procmail_t postfix_master_t:fd use;
+optional_policy(`procmail.te',`
+ procmail_domtrans(postfix_local_t)
 ')
-') dnl end TODO
 ########################################
 #
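Review bot: The summary of `postfix_dontaudit_use_fd` reads "postfix master process file file descriptors", doubling the word; suggest `## Do not audit attempts to use postfix master process file descriptors.` Neither new interface says why it exists, while procmail.te in this commit calls them "for a bug in the postfix local program"; a reader of postfix.if alone cannot tell that these are workarounds for descriptors presumably left open across the transition into the delivery agent rather than sanctioned access. A one-line note on each, such as `# Workaround for descriptors inherited from the postfix local program; drop once the program is fixed.`, keeps the suppression from quietly outliving the bug.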
@@ -430,11 +425,9 @@ allow postfix_pipe_t postfix_private_t:sock_file write;
 allow postfix_pipe_t postfix_spool_t:dir search;
 allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
-ifdef(`TODO',`
-optional_policy(`procmail.te', `
-domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
+optional_policy(`procmail.te',`
+ procmail_domtrans(postfix_pipe_t)
 ')
-') dnl end TODO
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/procmail.fc b/refpolicy/policy/modules/services/procmail.fc
new file mode 100644
index 0000000..5c335d4
--- /dev/null
+++ b/refpolicy/policy/modules/services/procmail.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/procmail.if b/refpolicy/policy/modules/services/procmail.if
new file mode 100644
index 0000000..4d702db
--- /dev/null
+++ b/refpolicy/policy/modules/services/procmail.if
@@ -0,0 +1,24 @@
+## Procmail mail delivery agent
+
+########################################
+##
+## Execute procmail with a domain transition.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`procmail_domtrans',`
+ gen_require(`
+ type procmail_exec_t, procmail_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domain_auto_trans($1,procmail_exec_t,procmail_t)
+
+ allow $1 procmail_t:fd use;
+ allow procmail_t $1:fd use;
+ allow procmail_t $1:fifo_file rw_file_perms;
+ allow procmail_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
new file mode 100644
index 0000000..1c32914
--- /dev/null
+++ b/refpolicy/policy/modules/services/procmail.te
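Review bot: `procmail_domtrans` sets up the transition into `procmail_t`, but procmail.te in this commit authorises that type only with `role system_r types procmail_t;`, so a caller running under any other role would still fail on the role check even though the type rule allows it; either document the restriction in the summary (`## Only callers in system_r can complete this transition.`) or have the caller side add its role. The interface also grants access back from `procmail_t` to the caller (`fd use`, `fifo_file rw_file_perms`, `process sigchld`), which the summary `Execute procmail with a domain transition.` does not mention; a sentence noting that the caller's pipes and descriptors become usable by procmail would make the trust relationship explicit.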
@@ -0,0 +1,105 @@
+
+policy_module(procmail,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# privhome only works until we define a different type for maildir
+type procmail_t, privhome;
+type procmail_exec_t;
+domain_type(procmail_t)
+domain_entry_file(procmail_t,procmail_exec_t)
+role system_r types procmail_t;
+
+########################################
+#
+# Local policy
+#
+
+allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
+allow procmail_t self:process { setsched fork sigchld signal };
+allow procmail_t self:fifo_file rw_file_perms;
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+allow procmail_t self:tcp_socket create_stream_socket_perms;
+allow procmail_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(procmail_t)
+kernel_read_kernel_sysctl(procmail_t)
+
+corenet_tcp_sendrecv_all_if(procmail_t)
+corenet_raw_sendrecv_all_if(procmail_t)
+corenet_udp_sendrecv_all_if(procmail_t)
+corenet_tcp_sendrecv_all_nodes(procmail_t)
+corenet_udp_sendrecv_all_nodes(procmail_t)
+corenet_raw_sendrecv_all_nodes(procmail_t)
+corenet_tcp_sendrecv_all_ports(procmail_t)
+corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_tcp_bind_all_nodes(procmail_t)
+corenet_udp_bind_all_nodes(procmail_t)
+
+dev_read_urand(procmail_t)
+
+fs_getattr_xattr_fs(procmail_t)
+
+auth_use_nsswitch(procmail_t)
+
+corecmd_exec_bin(procmail_t)
+corecmd_exec_shell(procmail_t)
+corecmd_dontaudit_search_sbin(procmail_t)
+
+files_read_etc_files(procmail_t)
+files_read_etc_runtime_files(procmail_t)
+files_search_pids(procmail_t)
+# for spamassasin
+files_read_usr_files(procmail_t)
+
+libs_use_ld_so(procmail_t)
+libs_use_shared_libs(procmail_t)
+
+miscfiles_read_localization(procmail_t)
+
+userdom_priveleged_home_dir_manager(procmail_t)
+# Do not audit attempts to access /root.
+userdom_dontaudit_search_sysadm_home_dir(procmail_t)
+
+mta_manage_spool(procmail_t)
+
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(procmail_t)
+')
+
+ifdef(`targeted_policy', `
+ corenet_udp_bind_generic_port(procmail_t)
+ files_getattr_tmp_dir(procmail_t)
+')
+
+optional_policy(`logging.te',`
+ logging_send_syslog_msg(procmail_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(procmail_t)
+')
+
+optional_policy(`postfix.te',`
+ # for a bug in the postfix local program
+ postfix_dontaudit_rw_local_tcp_socket(procmail_t)
+ postfix_dontaudit_use_fd(procmail_t)
+')
+
+optional_policy(`sendmail.te',`
+ mta_read_config(procmail_t)
+ sendmail_rw_tcp_socket(procmail_t)
+')
+
+optional_policy(`spamassassin.te',`
+ corenet_udp_bind_generic_port(procmail_t)
+
+ files_getattr_tmp_dir(procmail_t)
+
+ spamassassin_exec(procmail_t)
+ spamassassin_exec_client(procmail_t)
+')
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index 8e109e5..0f03e70 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -19,15 +19,12 @@ interface(`sendmail_stub',`
 ## Domain transition to sendmail.
 ##
 ##
-## The type of the process performing this action.
+## Domain allowed access.
 ##
 #
 interface(`sendmail_domtrans',`
 gen_require(`
 type sendmail_exec_t, sendmail_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -40,3 +37,18 @@ interface(`sendmail_domtrans',`
 allow sendmail_t $1:process sigchld;
 ')
+########################################
+##
+## Read and write sendmail TCP sockets.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`sendmail_rw_tcp_socket',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:tcp_socket { read write };
+')
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index ee9932a..1b56c32 100644
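Review bot: `corenet_raw_sendrecv_all_if(procmail_t)` and `corenet_raw_sendrecv_all_nodes(procmail_t)` are granted although the domain receives no `self:rawip_socket` permission above (only tcp, udp and unix sockets are allowed), so those two rules are either dead or paper over a missing one; for a local delivery agent dropping them is the least-privilege answer. The rest of the network grant is also wider than anything in the file justifies: `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and the `*_bind_all_nodes` calls let procmail reach any port, while the only concrete need visible is `corenet_udp_bind_generic_port` for spamassassin. `corenet_udp_bind_generic_port(procmail_t)` and `files_getattr_tmp_dir(procmail_t)` are listed both in the targeted_policy ifdef and in the spamassassin.te optional block, so one copy is redundant and the intent should be stated. The postfix workaround dontaudits are unconditional whereas the equivalent `mta_dontaudit_rw_queue` is wrapped in `hide_broken_symptoms`; wrapping both the same way keeps the audit trail complete by default. The `# for spamassasin` comment misspells the module name used two blocks later.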
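Review bot: `sendmail_rw_tcp_socket` grants `$1 sendmail_t:tcp_socket { read write }` outright, whereas the postfix counterpart added in this commit (`postfix_dontaudit_rw_local_tcp_socket`) only silences the same access; procmail.te uses both, so the two MTAs end up with different effective privilege for what looks like the same inherited-descriptor situation. If the sendmail allow is intentional the summary should say what the socket is for, presumably a connection descriptor inherited by a delivery agent; if not, a dontaudit would be the consistent, lower-privilege choice. Either way the summary `## Read and write sendmail TCP sockets.` could be followed by `## Meant for domains that inherit a connection socket from sendmail, such as a delivery agent.`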
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -1,3 +1,38 @@
 ## Filter used for removing unsolicited email.
 # cjp: TODO: integrate old spamassassin_macros.te
+
+########################################
+##
+## Execute the standalone spamassassin
+## program in the caller directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`spamassassin_exec',`
+ gen_require(`
+ type spamassassin_exec_t;
+ ')
+
+ can_exec($1,spamassassin_exec_t)
+
+')
+
+########################################
+##
+## Execute the spamassassin client
+## program in the caller directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`spamassassin_exec_client',`
+ gen_require(`
+ type spamc_exec_t;
+ ')
+
+ can_exec($1,spamc_exec_t)
+')
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 087902e..2057f82 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -245,6 +245,23 @@ interface(`corecmd_search_sbin',`
 ')
 ########################################
+##
+## Do not audit attempts to search
+## sbin directories.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`corecmd_dontaudit_search_sbin',`
+ gen_require(`
+ type sbin_t;
+ ')
+
+ dontaudit $1 sbin_t:dir search_dir_perms;
+')
+
+########################################
 #
 # corecmd_list_sbin(domain)
 #
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
index 83ee798..2dde3dc 100644
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -12,11 +12,6 @@ policy_module(corecommands,1.0.1)
 type bin_t;
 files_type(bin_t)
-ifdef(`targeted_policy',`
- # cjp: temporary until procmail is added
- typealias bin_t alias procmail_exec_t;
-')
-
 #
 # sbin_t is the type of files in the system sbin directories.
 #
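Review bot: Both new summaries say the program runs "in the caller directory", but `can_exec` grants execution without a domain transition, i.e. in the caller's own domain; suggest `## Execute the standalone spamassassin program in the caller domain.` for `spamassassin_exec` and `## Execute the spamassassin client program in the caller domain.` for `spamassassin_exec_client`. `spamassassin_exec` also carries a stray blank line between `can_exec($1,spamassassin_exec_t)` and `')` that `spamassassin_exec_client` does not, worth aligning while here.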
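Review bot: Dropping `typealias bin_t alias procmail_exec_t` turns `procmail_exec_t` from an alias of `bin_t` into a distinct type declared in procmail.te, so on a targeted system built from the previous policy `/usr/bin/procmail` presumably stays labelled `bin_t` until it is relabelled and `procmail_domtrans` would not fire; the Changelog entry for procmail should say that the binary needs a relabel on upgrade. The hunk header also shows `policy_module(corecommands,1.0.1)` unchanged even though the module's type declarations changed, whereas postfix.te in the same commit bumps its version; bumping here as well keeps the two consistent.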
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index c7b547c..34dd0b7 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -2827,7 +2827,7 @@ interface(`files_search_pids',`
 ')
 allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:dir search;
+ allow $1 var_run_t:dir search_dir_perms;
 ')
 ########################################
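Review bot: The change widens the `var_run_t` grant in `files_search_pids` from `search` to `search_dir_perms`, which every existing caller inherits, and nothing in the commit explains why; it does match the `var_t` line just above it, so if, as I would expect, `search_dir_perms` adds `getattr` to plain `search`, a short line in the commit description saying which caller needed it would record the intent. I cannot confirm the exact expansion of `search_dir_perms` from this hunk alone, so the widening should be checked against the permission set definitions before merging.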