From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1348767821.9ac4996bc64521e17c6f491a581ad323cbcb3f51.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/courier.fc policy/modules/contrib/courier.if policy/modules/contrib/courier.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 9ac4996bc64521e17c6f491a581ad323cbcb3f51
X-VCS-Branch: master
Date: Thu, 27 Sep 2012 18:05:12 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 109933e4-1477-4029-b7a3-9892791fcb71
X-Archives-Hash: 65dcca9c7d994b96f7868fe3bf115a89

commit:     9ac4996bc64521e17c6f491a581ad323cbcb3f51
Author:     Dominick Grift gmail com>
AuthorDate: Tue Sep 25 10:46:31 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Thu Sep 27 17:43:41 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9ac4996b

Changes to the courier policy module

Use type attribute for courier domain for efficiency
Module clean up

Signed-off-by: Dominick Grift gmail.com>
Signed-off-by: Sven Vermeulen siphos.be>

---
 policy/modules/contrib/courier.fc |  44 +++++++-------
 policy/modules/contrib/courier.if | 109 ++++++++++------------------------
 policy/modules/contrib/courier.te | 120 ++++++++++++++++++++++++------------
 3 files changed, 132 insertions(+), 141 deletions(-)

diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
index 1ae79c0..c0f77f7 100644
--- a/policy/modules/contrib/courier.fc
+++ b/policy/modules/contrib/courier.fc
@@ -1,33 +1,31 @@ -/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +/etc/courier-imaP(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) -/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) -/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) +/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/lib/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) /usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) 
/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) -/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) +/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) /usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) - -ifdef(`distro_gentoo',` /usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) -') -/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) -/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) +/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) +/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) -/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0) +/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0) -/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) -/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) +/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) +/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if index 459763f..a1ab38b 100644 --- a/policy/modules/contrib/courier.if +++ b/policy/modules/contrib/courier.if 
@@ -1,97 +1,43 @@ -## Courier IMAP and POP3 email servers +## Courier IMAP and POP3 email servers. -######################################## +####################################### ## -## Template for creating courier server processes. +## The template to define a courier domain. ## -## +## ## -## Prefix name of the server process. +## Domain prefix to be used. ## ## # template(`courier_domain_template',` + gen_require(` + attribute courier_domain; + ') - ############################## + ####################################### # # Declarations # - type courier_$1_t; + type courier_$1_t, courier_domain; type courier_$1_exec_t; init_daemon_domain(courier_$1_t, courier_$1_exec_t) - ############################## + ####################################### # - # Declarations + # Policy # - allow courier_$1_t self:capability dac_override; - dontaudit courier_$1_t self:capability sys_tty_config; - allow courier_$1_t self:process { setpgid signal_perms }; - allow courier_$1_t self:fifo_file { read write getattr }; - allow courier_$1_t self:tcp_socket create_stream_socket_perms; - allow courier_$1_t self:udp_socket create_socket_perms; - can_exec(courier_$1_t, courier_$1_exec_t) - - read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) - allow courier_$1_t courier_etc_t:dir list_dir_perms; - - manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) - files_search_pids(courier_$1_t) - files_pid_filetrans(courier_$1_t, courier_var_run_t, dir) - - kernel_read_system_state(courier_$1_t) - kernel_read_kernel_sysctls(courier_$1_t) - - corecmd_exec_bin(courier_$1_t) - corecmd_exec_shell(courier_$1_t) - - corenet_all_recvfrom_unlabeled(courier_$1_t) - corenet_all_recvfrom_netlabel(courier_$1_t) - 
corenet_tcp_sendrecv_generic_if(courier_$1_t) - corenet_udp_sendrecv_generic_if(courier_$1_t) - corenet_tcp_sendrecv_generic_node(courier_$1_t) - corenet_udp_sendrecv_generic_node(courier_$1_t) - corenet_tcp_sendrecv_all_ports(courier_$1_t) - corenet_udp_sendrecv_all_ports(courier_$1_t) - - dev_read_sysfs(courier_$1_t) - - domain_use_interactive_fds(courier_$1_t) - - files_read_etc_files(courier_$1_t) - files_read_etc_runtime_files(courier_$1_t) - files_read_usr_files(courier_$1_t) - - fs_getattr_xattr_fs(courier_$1_t) - fs_search_auto_mountpoints(courier_$1_t) - - logging_send_syslog_msg(courier_$1_t) - - sysnet_read_config(courier_$1_t) - - userdom_dontaudit_use_unpriv_user_fds(courier_$1_t) - - optional_policy(` - seutil_sigchld_newrole(courier_$1_t) - ') - - optional_policy(` - udev_read_db(courier_$1_t) - ') ') ######################################## ## -## Execute the courier authentication daemon with -## a domain transition. +## Execute the courier authentication +## daemon with a domain transition. ## -## +## ## ## Domain allowed to transition. ## @@ -102,6 +48,7 @@ interface(`courier_domtrans_authdaemon',` type courier_authdaemon_t, courier_authdaemon_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) ') @@ -145,10 +92,10 @@ interface(`courier_authdaemon_stream_connect',` ######################################## ## -## Execute the courier POP3 and IMAP server with -## a domain transition. +## Execute the courier POP3 and IMAP +## server with a domain transition. ## -## +## ## ## Domain allowed to transition. ## @@ -159,14 +106,15 @@ interface(`courier_domtrans_pop',` type courier_pop_t, courier_pop_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) ') ######################################## ## -## Read courier config files +## Read courier config files. ## -## +## ## ## Domain allowed access. ## 
@@ -177,6 +125,7 @@ interface(`courier_read_config',` type courier_etc_t; ') + files_search_etc($1) read_files_pattern($1, courier_etc_t, courier_etc_t) ') @@ -185,7 +134,7 @@ interface(`courier_read_config',` ## Create, read, write, and delete courier ## spool directories. ## -## +## ## ## Domain allowed access. ## @@ -196,6 +145,7 @@ interface(`courier_manage_spool_dirs',` type courier_spool_t; ') + files_search_var($1) manage_dirs_pattern($1, courier_spool_t, courier_spool_t) ') @@ -204,7 +154,7 @@ interface(`courier_manage_spool_dirs',` ## Create, read, write, and delete courier ## spool files. ## -## +## ## ## Domain allowed access. ## @@ -215,6 +165,7 @@ interface(`courier_manage_spool_files',` type courier_spool_t; ') + files_search_var($1) manage_files_pattern($1, courier_spool_t, courier_spool_t) ') @@ -222,7 +173,7 @@ interface(`courier_manage_spool_files',` ## ## Read courier spool files. ## -## +## ## ## Domain allowed access. ## @@ -233,12 +184,13 @@ interface(`courier_read_spool',` type courier_spool_t; ') + files_search_var($1) read_files_pattern($1, courier_spool_t, courier_spool_t) ') ######################################## ## -## Read and write to courier spool pipes. +## Read and write courier spool pipes. ## ## ## @@ -251,5 +203,6 @@ interface(`courier_rw_spool_pipes',` type courier_spool_t; ') + files_search_var($1) allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; ') diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index b5225ff..54c1623 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te 
@@ -1,24 +1,25 @@ -policy_module(courier, 1.13.0) +policy_module(courier, 1.13.1) ######################################## # # Declarations # +attribute courier_domain; + courier_domain_template(authdaemon) +courier_domain_template(pcp) +courier_domain_template(pop) +courier_domain_template(tcpd) +courier_domain_template(sqwebmail) +typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; type courier_etc_t; files_config_file(courier_etc_t) -courier_domain_template(pcp) - -courier_domain_template(pop) - type courier_spool_t; files_type(courier_spool_t) -courier_domain_template(tcpd) - type courier_var_lib_t; files_type(courier_var_lib_t) 
@@ -28,8 +29,56 @@ files_pid_file(courier_var_run_t) type courier_exec_t; mta_agent_executable(courier_exec_t) -courier_domain_template(sqwebmail) -typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; +######################################## +# +# Common local policy +# + +allow courier_domain self:capability dac_override; +dontaudit courier_domain self:capability sys_tty_config; +allow courier_domain self:process { setpgid signal_perms }; +allow courier_domain self:fifo_file rw_fifo_file_perms; +allow courier_domain self:tcp_socket create_stream_socket_perms; +allow courier_domain self:udp_socket create_socket_perms; + +read_files_pattern(courier_domain, courier_etc_t, courier_etc_t) +allow courier_domain courier_etc_t:dir list_dir_perms; + +manage_dirs_pattern(courier_domain, courier_var_run_t, courier_var_run_t) +manage_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) +manage_lnk_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) +manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) +files_pid_filetrans(courier_domain, courier_var_run_t, dir) + +kernel_read_kernel_sysctls(courier_domain) +kernel_read_system_state(courier_domain) + +corecmd_exec_bin(courier_domain) + +dev_read_sysfs(courier_domain) + +domain_use_interactive_fds(courier_domain) + +files_read_etc_files(courier_domain) +files_read_etc_runtime_files(courier_domain) +files_read_usr_files(courier_domain) + +fs_getattr_xattr_fs(courier_domain) +fs_search_auto_mountpoints(courier_domain) + +logging_send_syslog_msg(courier_domain) + +sysnet_read_config(courier_domain) + +userdom_dontaudit_use_unpriv_user_fds(courier_domain) + +optional_policy(` + seutil_sigchld_newrole(courier_domain) +') + +optional_policy(` + udev_read_db(courier_domain) +') ######################################## # 
@@ -37,34 +86,29 @@ typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; # allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; -allow courier_authdaemon_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen }; -can_exec(courier_authdaemon_t, courier_exec_t) +create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) +manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -allow courier_authdaemon_t courier_tcpd_t:fd use; -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; +manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) -allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:process sigchld; allow courier_authdaemon_t courier_tcpd_t:fd use; +allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; -allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; +allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) -manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -files_search_spool(courier_authdaemon_t) +can_exec(courier_authdaemon_t, courier_exec_t) -corecmd_search_bin(courier_authdaemon_t) +domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t) -# for SSP 
dev_read_urand(courier_authdaemon_t) files_getattr_tmp_dirs(courier_authdaemon_t) +files_search_spool(courier_authdaemon_t) auth_domtrans_chk_passwd(courier_authdaemon_t) @@ -72,10 +116,7 @@ libs_read_lib_files(courier_authdaemon_t) miscfiles_read_localization(courier_authdaemon_t) -# should not be needed! -userdom_search_user_home_dirs(courier_authdaemon_t) - -courier_domtrans_pop(courier_authdaemon_t) +userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) ######################################## # @@ -96,24 +137,19 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; -# inherits file handle - should it? allow courier_pop_t courier_var_lib_t:file { read write }; # TODO Correct this, mentioning "var_lib_t" here is not done. search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t) read_lnk_files_pattern(courier_pop_t, var_lib_t, courier_var_lib_t) +domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) + miscfiles_read_localization(courier_pop_t) courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t) -courier_domtrans_authdaemon(courier_pop_t) -# do the actual work (read the Maildir) userdom_manage_user_home_content_files(courier_pop_t) -# cjp: the fact that this is different for pop vs imap means that -# there should probably be a courier_pop_t and courier_imap_t -# this should also probably be a separate type too instead of -# the regular home dir userdom_manage_user_home_content_dirs(courier_pop_t) ######################################## 
@@ -123,25 +159,29 @@ userdom_manage_user_home_content_dirs(courier_pop_t) allow courier_tcpd_t self:capability kill; -can_exec(courier_tcpd_t, courier_exec_t) - manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) files_search_var_lib(courier_tcpd_t) -corecmd_search_bin(courier_tcpd_t) +can_exec(courier_tcpd_t, courier_exec_t) + +domtrans_pattern(courier_tcpd_t, courier_pop_exec_t, courier_pop_t) +corenet_all_recvfrom_unlabeled(courier_tcpd_t) +corenet_all_recvfrom_netlabel(courier_tcpd_t) +corenet_tcp_sendrecv_generic_if(courier_tcpd_t) +corenet_tcp_sendrecv_generic_node(courier_tcpd_t) corenet_tcp_bind_generic_node(courier_tcpd_t) -corenet_tcp_bind_pop_port(courier_tcpd_t) + corenet_sendrecv_pop_server_packets(courier_tcpd_t) +corenet_tcp_bind_pop_port(courier_tcpd_t) +corenet_tcp_sendrecv_pop_port(courier_tcpd_t) -# for TLS dev_read_rand(courier_tcpd_t) dev_read_urand(courier_tcpd_t) miscfiles_read_localization(courier_tcpd_t) -courier_domtrans_pop(courier_tcpd_t) courier_authdaemon_stream_connect(courier_tcpd_t) courier_domtrans_authdaemon(courier_tcpd_t)
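Review bot: the courier.fc hunk introduces a typo in the rewritten config-directory context, `+/etc/courier-imaP(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)`. File context regexes are matched case-sensitively, so after a relabel /etc/courier-imap no longer matches this entry, falls back to the generic etc label, and the `read_files_pattern(courier_domain, courier_etc_t, courier_etc_t)` rule in the new common policy does not cover it. It should read `/etc/courier-imap(/.*)?` exactly as the removed line did. Secondary point in the same hunk: dropping the `ifdef(`distro_gentoo',` guard makes the /usr/lib/courier-imap/couriertcpd entry unconditional; that is fine, but it is a behaviour change for non-Gentoo builds and deserves a line in the commit message.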
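Review bot: the `courier_domain_template` hunk in courier.if removes rules from every courier domain without the commit message saying so: `can_exec(courier_$1_t, courier_$1_exec_t)`, `corecmd_exec_shell`, `files_search_pids`, and the whole corenet_* block (TCP and UDP, generic interface and node, `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports`). Of these, only the TCP subset returns, and only for courier_tcpd_t, in the courier.te hunks, so courier_authdaemon_t, courier_pop_t, courier_pcp_t and courier_sqwebmail_t lose network and shell access in one go. The narrowing is welcome, but "Module clean up" does not tell a reader that; please list the dropped permissions in the message and confirm each against an audit log from a running Courier setup, so that a later denial can be traced back to this change.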
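Review bot: in the `courier_manage_spool_dirs` hunk the added `files_search_var($1)` only grants search on var_t, but courier_spool_t is placed under /var/spool by the .fc file (`/var/spool/courier(/.*)?`, `/var/spool/authdaemon(/.*)?`), which refpolicy labels var_spool_t. A caller without search on var_spool_t still cannot reach the spool, so the refpolicy idiom for spool types, `files_search_spool($1)`, is the call wanted here; courier.te itself uses `files_search_spool(courier_authdaemon_t)` for the same directories. The same substitution applies to the three following hunks, `courier_manage_spool_files`, `courier_read_spool` and `courier_rw_spool_pipes`.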
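Review bot: in the courier_authdaemon_t hunk, `+allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };` replaces `{ create_stream_socket_perms connectto }`, and the new common policy only gives courier_domain `self:tcp_socket` and `self:udp_socket`, so nothing in the visible lines still lets authdaemond create, bind, read or write its own unix stream socket (the one it manages under courier_var_lib_t and courier_spool_t through the `manage_sock_files_pattern` lines in the same hunk). Unless those permissions are granted somewhere outside this diff, this will show up as create/bind denials on the auth socket at start-up; either keep `create_stream_socket_perms` or state where the remaining permissions come from. The `-# for SSP` comment above `dev_read_urand(courier_authdaemon_t)` also disappears; it documented why the rule exists and should stay with it.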
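Review bot: the courier_pop_t hunk deletes the cjp comment explaining that the differing home-directory access for POP versus IMAP points to separate courier_pop_t and courier_imap_t domains, and to a dedicated type rather than the regular home directory, but does not act on it, while the neighbouring `# TODO Correct this, mentioning "var_lib_t" here is not done.` is kept. Dropping a design note without resolving it loses the rationale for `userdom_manage_user_home_content_files(courier_pop_t)` and `userdom_manage_user_home_content_dirs(courier_pop_t)`; either keep the comment next to those rules or record the item where it will be tracked.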
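Review bot: in the courier_tcpd_t hunk the network rules now go through `corenet_tcp_sendrecv_pop_port(courier_tcpd_t)` instead of the template's `corenet_tcp_sendrecv_all_ports`, which is the right direction, since this is the only domain that binds (`corenet_tcp_bind_pop_port`). One check before merging: courier_pop_t keeps `rw_stream_socket_perms` on the TCP socket it inherits from courier_tcpd_t but no longer has any corenet_* rules of its own, so confirm on a system with labelled networking (netlabel or SECMARK in use) that courier_pop_t reading the client connection is not denied. Also, `-# for TLS` above `dev_read_rand(courier_tcpd_t)` documented why the random device access is there; keep that comment.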