diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 0db398e..dcda94c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -20,6 +20,7 @@
 finger
 ftp
 kudzu
+ mailman
 radvd
 sasl
 webalizer
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 6a28a61..31569ea 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -156,6 +156,12 @@ optional_policy(`samba.te',`
 samba_exec_log(logrotate_t)
 ')
+optional_policy(`mailman.te',`
+ mailman_exec(logrotate_t)
+ mailman_search_data(logrotate_t)
+ mailman_manage_log(logrotate_t)
+')
+
 optional_policy(`mysql.te',`
 mysql_read_config(logrotate_t)
 mysql_search_db_dir(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 816feae..d5526ee 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -197,3 +197,19 @@ template(`su_per_userdomain_template',`
 ') dnl end TODO
 ')
 ')
+
+#######################################
+##
+## Execute su in the caller domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`su_exec',`
+ gen_require(`
+ type su_exec_t;
+ ')
+
+ can_exec($1,su_exec_t)
+')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 27f19cc..4f41c3e 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -321,7 +321,7 @@ interface(`apache_domtrans',`
 ## Send a null signal to apache.
 ##
 ##
-## The type of the process performing this action.
+## Domain allowed access.
 ##
 #
 interface(`apache_signull',`
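Review bot: `mailman_exec(logrotate_t)` runs the mailman_mail_exec_t binaries (mailmanctl, per the mailman.fc hunk) inside logrotate_t with no domain transition, so whatever the postrotate step does runs with logrotate's own privileges and none of mailman_mail_t's rules apply to it. I cannot tell from this hunk whether the rotate hook needs to run as the daemon domain; if a transition is acceptable, `mailman_domtrans(logrotate_t)` is the narrower grant. If exec-in-domain is deliberate, a one-line comment such as `# logrotate runs mailmanctl itself; no transition to mailman_mail_t wanted` would stop the next reviewer from flipping it.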
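Review bot: `su_exec` grants `can_exec($1,su_exec_t)` with no domain transition, so a caller executes the setuid su binary, including its PAM stack, inside its own domain instead of a su_*_t domain that drops privilege; the summary should say so, because callers then have to carry su's access themselves (mailman_queue_t in this commit pairs it with `auth_domtrans_chk_passwd` and `self:capability { setgid setuid }`). Suggest `## Execute su in the caller domain, with no domain transition; the caller must itself hold the access su needs (PAM, setuid/setgid).` in place of the one-line summary.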
@@ -334,6 +334,38 @@ interface(`apache_signull',`
 ########################################
 ##
+## Send a SIGCHLD signal to apache.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_sigchld',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process sigchld;
+')
+
+########################################
+##
+## Inherit and use file descriptors from Apache.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_use_fd',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:fd use;
+')
+
+########################################
+##
 ## Allow the specified domain to read
 ## apache configuration files.
 ##
@@ -369,3 +401,20 @@ interface(`apache_list_modules',`
 allow $1 httpd_modules_t:dir r_dir_perms;
 ')
+
+########################################
+##
+## Do not audit attempts to append to the
+## Apache logs.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`apache_dontaudit_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ dontaudit $1 httpd_log_t:file append;
+')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index c91a0fa..e96d8c9 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -334,6 +334,13 @@ optional_policy(`kerberos.te',`
 kerberos_use(httpd_t)
 ')
+optional_policy(`mailman.te',`
+ mailman_signal_cgi(httpd_t)
+ mailman_domtrans_cgi(httpd_t)
+ # should have separate types for public and private archives
+ mailman_read_archive(httpd_t)
+')
+
 optional_policy(`mta.te',`
 # apache should set close-on-exec
 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
@@ -586,6 +593,10 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 fs_execute_cifs_files(httpd_suexec_t)
 ')
+optional_policy(`mailman.te',`
+ mailman_domtrans_cgi(httpd_suexec_t)
+')
+
 optional_policy(`mount.te',`
 tunable_policy(`httpd_can_network_connect',`
 mount_send_nfs_client_request(httpd_suexec_t)
diff --git a/refpolicy/policy/modules/services/mailman.fc b/refpolicy/policy/modules/services/mailman.fc
new file mode 100644
index 0000000..839017f
--- /dev/null
+++ b/refpolicy/policy/modules/services/mailman.fc
@@ -0,0 +1,33 @@
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
+/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+
+#
+# distro_debian
+#
+ifdef(`distro_debian', `
+/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+')
+
+#
+# distro_redhat
+#
+ifdef(`distro_redhat', `
+/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
new file mode 100644
index 0000000..a3f1d8c
--- /dev/null
+++ b/refpolicy/policy/modules/services/mailman.if
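Review bot: On distro_redhat, `/etc/mailman(/.*)?` is labeled `mailman_data_t`, the same type that every `mailman_domain_template` instance is given `create_file_perms` on in the mailman.if hunk (`allow mailman_$1_t mailman_data_t:file create_file_perms;`), so the web-reachable mailman_cgi_t can create and rewrite mailman's configuration as well as its runtime data. If the CGIs only need to read the configuration, a separate type (a new one along the lines of `mailman_etc_t`, constructed name) with read-only access granted from the template would keep a compromised CGI from persisting changes under /etc; at minimum the line deserves a comment such as `# config shares mailman_data_t: writable by all mailman domains, including the CGIs`. The same `mailman_data_t` label covers `/var/spool/mailman(/.*)?`, so the note applies to that line too.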
@@ -0,0 +1,254 @@
+## Mailman is for managing electronic mail discussion and e-newsletter lists
+
+#######################################
+##
+## The template to define a mailmain domain.
+##
+##
+##
+## This template creates a domain to be used for
+## a new mailman daemon.
+##
+##
+##
+## The type of daemon to be used eg, cgi would give mailman_cgi_
+##
+#
+template(`mailman_domain_template', `
+ type mailman_$1_t;
+ domain_type(mailman_$1_t)
+ role system_r types mailman_$1_t;
+
+ type mailman_$1_exec_t;
+ domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
+
+ type mailman_$1_tmp_t;
+ files_tmp_file(mailman_$1_tmp_t)
+
+ allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
+ allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
+ allow mailman_$1_t self:udp_socket create_socket_perms;
+
+ allow mailman_$1_t mailman_data_t:dir create_dir_perms;
+ allow mailman_$1_t mailman_data_t:file create_file_perms;
+ allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;
+
+ allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
+ allow mailman_$1_t mailman_lock_t:file create_file_perms;
+ files_create_lock(mailman_$1_t,mailman_lock_t)
+
+ allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
+ allow mailman_$1_t mailman_log_t:file create_file_perms;
+ logging_create_log(mailman_$1_t,mailman_log_t)
+
+ allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
+ allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
+ files_create_tmp_files(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+
+ kernel_read_kernel_sysctl(mailman_$1_t)
+ kernel_read_system_state(mailman_$1_t)
+
+ corenet_tcp_sendrecv_all_if(mailman_$1_t)
+ corenet_udp_sendrecv_all_if(mailman_$1_t)
+ corenet_raw_sendrecv_all_if(mailman_$1_t)
+ corenet_tcp_sendrecv_all_nodes(mailman_$1_t)
+ corenet_udp_sendrecv_all_nodes(mailman_$1_t)
+ corenet_raw_sendrecv_all_nodes(mailman_$1_t)
+ corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+ corenet_udp_sendrecv_all_ports(mailman_$1_t)
+ corenet_tcp_bind_all_nodes(mailman_$1_t)
+ corenet_udp_bind_all_nodes(mailman_$1_t)
+ corenet_tcp_connect_smtp_port(mailman_$1_t)
+
+ fs_getattr_xattr_fs(mailman_$1_t)
+
+ corecmd_exec_bin(mailman_$1_t)
+ corecmd_exec_sbin(mailman_$1_t)
+
+ domain_exec_all_entry_files(mailman_$1_t)
+
+ files_exec_etc_files(mailman_$1_t)
+ files_list_usr(mailman_$1_t)
+ files_list_var(mailman_$1_t)
+ files_list_var_lib(mailman_$1_t)
+ files_read_var_lib_symlinks(mailman_$1_t)
+ files_read_etc_runtime_files(mailman_$1_t)
+
+ libs_use_ld_so(mailman_$1_t)
+ libs_use_shared_libs(mailman_$1_t)
+ libs_exec_ld_so(mailman_$1_t)
+ libs_exec_lib_files(mailman_$1_t)
+
+ miscfiles_read_localization(mailman_$1_t)
+
+ sysnet_read_config(mailman_$1_t)
+
+ optional_policy(`mount.te',`
+ mount_send_nfs_client_request(mailman_$1_t)
+ ')
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind(mailman_$1_t)
+ ')
+')
+
+#######################################
+##
+## Execute mailman in the mailman domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mailman_domtrans',`
+ gen_require(`
+ type mailman_mail_exec_t, mailman_mail_t;
+ ')
+
+ domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)
+
+ allow $1 mailman_mail_t:fd use;
+ allow mailman_mail_t $1:fd use;
+ allow mailman_mail_t $1:fifo_file rw_file_perms;
+ allow mailman_mail_t $1:process sigchld;
+')
+
+#######################################
+##
+## Execute mailman CGI scripts in the
+## mailman CGI domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mailman_domtrans_cgi',`
+ gen_require(`
+ type mailman_cgi_exec_t, mailman_cgi_t;
+ ')
+
+ domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)
+
+ allow $1 mailman_cgi_t:fd use;
+ allow mailman_cgi_t $1:fd use;
+ allow mailman_cgi_t $1:fifo_file rw_file_perms;
+ allow mailman_cgi_t $1:process sigchld;
+')
+
+#######################################
+##
+## Execute mailman in the caller domain.
+##
+##
+## Domain allowd access.
+##
+#
+interface(`mailman_exec',`
+ gen_require(`
+ type mailman_mail_exec_t;
+ ')
+
+ can_exec($1,mailman_mail_exec_t)
+')
+
+#######################################
+##
+## Send generic signals to the mailman cgi domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mailman_signal_cgi',`
+ gen_require(`
+ type mailman_cgi_t;
+ ')
+
+ allow $1 mailman_cgi_t:process signal;
+')
+
+#######################################
+##
+## Allow domain to search data directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mailman_search_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir search;
+')
+
+#######################################
+##
+## List the contents of mailman data directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mailman_list_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir r_dir_perms;
+')
+
+#######################################
+##
+## Allow read acces to mailman data symbolic links.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mailman_read_data_symlinks',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir search;
+ allow $1 mailman_data_t:lnk_file read;
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## mailman logs.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mailman_manage_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ allow $1 mailman_log_t:dir rw_dir_perms;
+ allow $1 mailman_log_t:file create_file_perms;
+ allow $1 mailman_log_t:lnk_file create_lnk_perms;
+')
+
+#######################################
+##
+## Allow domain to read mailman archive files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mailman_read_archive',`
+ gen_require(`
+ type mailman_archive_t;
+ ')
+
+ allow $1 mailman_archive_t:dir { getattr read search };
+ allow $1 mailman_archive_t:file { read getattr };
+ allow $1 mailman_archive_t:lnk_file { getattr read };
+')
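Review bot: `mailman_domain_template` gives every domain it stamps out the full corenet set — `corenet_raw_sendrecv_all_if`/`_all_nodes`, `corenet_tcp_bind_all_nodes`, `corenet_udp_bind_all_nodes`, `corenet_tcp_sendrecv_all_ports` — while the only specific network need it names is `corenet_tcp_connect_smtp_port`; because the same template produces the web-reachable mailman_cgi_t (mailman.te hunk), raw-socket and bind access land in a domain that appears to need only outbound SMTP. Raw and bind rules are better placed in the .te section of whichever domain actually needs them (presumably queue or mail, not cgi), or else commented with why the CGI needs them; the same goes for `domain_exec_all_entry_files`, which lets every mailman domain execute every domain's entry point without a transition. Two doc typos in the hunk: `## The template to define a mailmain domain.` should read `mailman`, and `## Domain allowd access.` under mailman_exec should read `allowed`.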
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
new file mode 100644
index 0000000..3e3613b
--- /dev/null
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -0,0 +1,113 @@
+
+policy_module(mailman,1.0)
+
+########################################
+#
+# Declarations
+#
+
+mailman_domain_template(cgi)
+
+type mailman_data_t;
+files_type(mailman_data_t)
+
+type mailman_archive_t;
+files_type(mailman_archive_t)
+
+type mailman_log_t;
+logging_log_file(mailman_log_t)
+
+type mailman_lock_t;
+files_lock_file(mailman_lock_t)
+
+mailman_domain_template(mail)
+init_daemon_domain(mailman_mail_t,mailman_mail_exec_t)
+
+mailman_domain_template(queue)
+
+########################################
+#
+# Mailman CGI local policy
+#
+
+# cjp: the template invocation for queue should be
+# in the below optional policy; however, there are no
+# optionals for file contexts yet, so it is promoted
+# to global scope until such facilities exist.
+
+optional_policy(`apache.te',`
+ allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
+ allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
+ allow mailman_cgi_t mailman_archive_t:file create_file_perms;
+
+ kernel_tcp_recvfrom(mailman_cgi_t)
+
+ term_use_controlling_term(mailman_cgi_t)
+
+ files_search_spool(mailman_cgi_t)
+
+ mta_tcp_connect_all_mailservers(mailman_cgi_t)
+
+ apache_sigchld(mailman_cgi_t)
+ apache_use_fd(mailman_cgi_t)
+ apache_dontaudit_append_log(mailman_cgi_t)
+')
+
+########################################
+#
+# Mailman mail local policy
+#
+
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+
+mta_dontaudit_rw_delivery_tcp_socket(mailman_mail_t)
+
+ifdef(`TODO',`
+optional_policy(`qmail.te', `
+ allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
+ # do we really need this?
+ allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+')
+')
+
+########################################
+#
+# Mailman queue local policy
+#
+
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:process signal;
+allow mailman_queue_t self:fifo_file rw_file_perms;
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow mailman_queue_t mailman_archive_t:dir create_dir_perms;
+allow mailman_queue_t mailman_archive_t:file create_file_perms;
+allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
+
+kernel_read_proc_symlinks(mailman_queue_t)
+kernel_tcp_recvfrom(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+files_dontaudit_search_pids(mailman_queue_t)
+
+# for su
+seutil_dontaudit_search_config(mailman_queue_t)
+
+# some of the following could probably be changed to dontaudit, someone who
+# knows mailman well should test this out and send the changes
+userdom_search_sysadm_home_dir(mailman_queue_t)
+userdom_getattr_sysadm_home_dir(mailman_queue_t)
+
+mta_tcp_connect_all_mailservers(mailman_queue_t)
+
+su_exec(mailman_queue_t)
+
+optional_policy(`cron.te',`
+ cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(mailman_queue_t)
+')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 1bc0177..2d7e33c 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -232,6 +232,14 @@ interface(`mta_mailserver_delivery',`
 ')
 typeattribute $1 mailserver_delivery;
+
+ optional_policy(`mailman.te',`
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib($1)
+
+ mailman_domtrans($1)
+ mailman_read_data_symlinks($1)
+ ')
 ')
 #######################################
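Review bot: The comment `# cjp: the template invocation for queue should be in the below optional policy` sits under the "Mailman CGI local policy" heading directly above `optional_policy(`apache.te',`...`, and it is `mailman_domain_template(cgi)` whose file contexts would depend on the apache optional; it reads as if it should say `cgi` rather than `queue` — please confirm and fix the word. `kernel_tcp_recvfrom(mailman_cgi_t)` in the apache block and `kernel_tcp_recvfrom(mailman_queue_t)` in the queue section duplicate the `kernel_tcp_recvfrom($1)` that the mta.if hunk adds to `mta_tcp_connect_all_mailservers`, which both domains call, so the two direct calls can go. The `# for su` comment above `seutil_dontaudit_search_config` is terse given that `su_exec(mailman_queue_t)` runs su with no domain transition next to `self:capability { setgid setuid }`; suggest `# su runs in this domain (su_exec, no transition), so PAM/chkpwd access and setuid/setgid are needed here`.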
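Review bot: The comment `# so MTA can access /var/lib/mailman/mail/wrapper` does not match the mailman.fc hunk, which labels `/var/lib/mailman(/.*)?` as `mailman_data_t` and puts `mailman_mail_exec_t` on `/usr/lib/mailman/mail/wrapper` (Debian) and `/usr/lib/mailman/scripts/mailman` (Red Hat); `mailman_domtrans($1)` only fires on the exec type. Presumably the /var/lib path is a symlink to the real wrapper, which is why `mailman_read_data_symlinks($1)` is added alongside — if so, say it: `# /var/lib/mailman/mail/wrapper is a symlink to the real wrapper; the MTA must search var_lib and follow it before the transition on mailman_mail_exec_t`. The enclosing interface mta_mailserver_delivery starts before this hunk.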
@@ -281,22 +289,6 @@ interface(`mta_send_mail',`
 ')
 #######################################
-##
-## Connect to all mail servers over TCP.
-##
-##
-## Mail server domain.
-##
-#
-interface(`mta_tcp_connect_all_mailservers',`
- gen_require(`
- attribute mailserver_domain;
- ')
-
- allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
-')
-
-#######################################
 #
 # mta_exec(domain)
 #
@@ -342,6 +334,41 @@ interface(`mta_rw_aliases',`
 #######################################
 ##
+## Do not audit attempts to read and write TCP
+## sockets of mail delivery domains.
+##
+##
+## Mail server domain.
+##
+#
+interface(`mta_dontaudit_rw_delivery_tcp_socket',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ dontaudit $1 mailserver_delivery:tcp_socket { read write };
+')
+
+#######################################
+##
+## Connect to all mail servers over TCP.
+##
+##
+## Mail server domain.
+##
+#
+interface(`mta_tcp_connect_all_mailservers',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
+ allow mailserver_domain $1:tcp_socket { acceptfrom recvfrom };
+ kernel_tcp_recvfrom($1)
+')
+
+#######################################
+##
 ## Do not audit attempts to read a symlink
 ## in the mail spool.
 ##
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index da36dfa..8513036 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -492,6 +492,11 @@ optional_policy(`lvm.te',`
 dev_create_generic_chr_file(initrc_t)
 ')
+optional_policy(`mailman.te',`
+ mailman_list_data(initrc_t)
+ mailman_read_data_symlinks(initrc_t)
+')
+
 optional_policy(`mta.te',`
 mta_dontaudit_read_spool_symlink(initrc_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 912c027..227f6fd 100644
--- a/refpolicy/policy/modules/system/userdomain.if
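Review bot: `mta_dontaudit_rw_delivery_tcp_socket` declares `attribute mailserver_domain;` in its gen_require but its rule is written against `mailserver_delivery`, so the identifier the interface actually uses is never required; the gen_require line should be `attribute mailserver_delivery;`. Its parameter doc `## Mail server domain.` also describes the wrong side for a dontaudit whose `$1` is the caller — `## Domain to not audit.` as used elsewhere in this commit. In the moved `mta_tcp_connect_all_mailservers`, the new `allow mailserver_domain $1:tcp_socket { acceptfrom recvfrom };` grants every mail server domain access to the caller's sockets, which the one-line summary does not mention; suggest `## Connect to all mail servers over TCP, and allow them to accept the connection.`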
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1746,6 +1746,23 @@ interface(`userdom_rw_sysadm_pipe',`
 ########################################
 ##
+## Get the attributes of the sysadm users
+## home directory.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`userdom_getattr_sysadm_home_dir',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ allow $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+##
 ## Search the sysadm users home directory.
 ##
 ##
@@ -1755,10 +1772,8 @@ interface(`userdom_rw_sysadm_pipe',`
 interface(`userdom_search_sysadm_home_dir',`
 gen_require(`
 type sysadm_home_dir_t;
- class dir search;
 ')
- files_search_home($1)
 allow $1 sysadm_home_dir_t:dir search;
 ')
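Review bot: `userdom_getattr_sysadm_home_dir` documents its parameter as `## Domain to not audit.` but the body is an `allow`, not a `dontaudit`; the line should read `## Domain allowed access.` as the other allow interfaces added in this commit do.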
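Review bot: Dropping `files_search_home($1)` from `userdom_search_sysadm_home_dir` narrows what existing callers receive — any domain that relied on this interface to reach the home directory parent now needs `files_search_home` of its own, and mailman_queue_t (mailman.te hunk) is a new caller that gets `files_list_var` and `files_list_var_lib` from the template but nothing for /home. Either keep the call, or check the other callers and add `files_search_home` where it is missing; the interface summary could then note `## Callers must separately be able to search the home directory parent (files_search_home).` I cannot see the other callers from this hunk, so the breakage is inferred.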
+## This template creates a domain to be used for +## a new mailman daemon. +##