From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1349201045.0c73e54aade5e6be1e473425a16555c41597ef8b.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/dovecot.fc policy/modules/contrib/dovecot.if policy/modules/contrib/dovecot.te policy/modules/contrib/postfix.if policy/modules/contrib/postfix.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 0c73e54aade5e6be1e473425a16555c41597ef8b
X-VCS-Branch: master
Date: Tue, 2 Oct 2012 18:10:59 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     0c73e54aade5e6be1e473425a16555c41597ef8b
Author:     Dominick Grift gmail com>
AuthorDate: Sat Sep 29 09:30:13 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Tue Oct 2 18:04:05 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0c73e54a

Changes to the dovecot policy module

Ported from Fedora with changes

Signed-off-by: Dominick Grift gmail.com>

---
 policy/modules/contrib/dovecot.fc |  52 ++++------
 policy/modules/contrib/dovecot.if |  42 +++++----
 policy/modules/contrib/dovecot.te | 194 +++++++++++++++++++++++--------------
 policy/modules/contrib/postfix.if |  37 +++++++
 policy/modules/contrib/postfix.te |   2 +-
 5 files changed, 200 insertions(+), 127 deletions(-)

diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index a5f968d..8fb4470 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -1,46 +1,32 @@ +/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) +/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) -# -# /etc -# -/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) +/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) +/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) -/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) -/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) +/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) -# Debian uses /etc/dovecot/ -ifdef(`distro_debian',` -/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) -') +/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) -# -# /usr -# -/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) +/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) -/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) -/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) +/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) +/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) -ifdef(`distro_debian', ` +/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -') -ifdef(`distro_redhat', ` -/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) 
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -') +/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -# -# /var -# -/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) +/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) +/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) -/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) +/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) -/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) -/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) +/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) +/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if index e1d7dc5..cf53f3d 100644 --- a/policy/modules/contrib/dovecot.if +++ b/policy/modules/contrib/dovecot.if @@ -1,8 +1,9 @@ -## Dovecot POP and IMAP mail server +## POP and IMAP mail server. ######################################## ## -## Connect to dovecot auth unix domain stream socket. +## Connect to dovecot using a unix +## domain stream socket. ## ## ## 
@@ -16,12 +17,14 @@ interface(`dovecot_stream_connect_auth',` type dovecot_auth_t, dovecot_var_run_t; ') + files_search_pids($1) stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t) ') ######################################## ## -## Execute dovecot_deliver in the dovecot_deliver domain. +## Execute dovecot_deliver in the +## dovecot_deliver domain. ## ## ## @@ -34,12 +37,14 @@ interface(`dovecot_domtrans_deliver',` type dovecot_deliver_t, dovecot_deliver_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) ') ######################################## ## -## Create, read, write, and delete the dovecot spool files. +## Create, read, write, and delete +## dovecot spool files. ## ## ## @@ -52,13 +57,15 @@ interface(`dovecot_manage_spool',` type dovecot_spool_t; ') + files_search_spool($1) manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) ') ######################################## ## -## Do not audit attempts to delete dovecot lib files. +## Do not audit attempts to delete +## dovecot lib files. ## ## ## @@ -76,8 +83,8 @@ interface(`dovecot_dontaudit_unlink_lib_files',` ######################################## ## -## All of the rules required to administrate -## an dovecot environment +## All of the rules required to +## administrate an dovecot environment. ## ## ## 
@@ -86,19 +93,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',` ## ## ## -## The role to be allowed to manage the dovecot domain. +## Role allowed access. ## ## ## # interface(`dovecot_admin',` gen_require(` - type dovecot_t, dovecot_etc_t, dovecot_log_t; - type dovecot_spool_t, dovecot_var_lib_t; - type dovecot_var_run_t; - - type dovecot_cert_t, dovecot_passwd_t; - type dovecot_initrc_exec_t; + type dovecot_t, dovecot_etc_t, dovecot_var_log_t; + type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t; + type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t; + type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t; ') allow $1 dovecot_t:process { ptrace signal_perms }; @@ -113,18 +118,19 @@ interface(`dovecot_admin',` admin_pattern($1, dovecot_etc_t) logging_list_logs($1) - admin_pattern($1, dovecot_log_t) + admin_pattern($1, dovecot_var_log_t) files_list_spool($1) admin_pattern($1, dovecot_spool_t) + files_search_tmp($1) + admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t }) + files_list_var_lib($1) admin_pattern($1, dovecot_var_lib_t) files_list_pids($1) admin_pattern($1, dovecot_var_run_t) - admin_pattern($1, dovecot_cert_t) - - admin_pattern($1, dovecot_passwd_t) + admin_pattern($1, { dovecot_cert_t dovecot_passwd_t }) ') diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te index 44f4a6b..da39b02 100644 --- a/policy/modules/contrib/dovecot.te +++ b/policy/modules/contrib/dovecot.te @@ -1,9 +1,10 @@ -policy_module(dovecot, 1.14.3) +policy_module(dovecot, 1.14.4) ######################################## # # Declarations # + type dovecot_t; type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) @@ -18,7 +19,7 @@ type dovecot_auth_tmp_t; files_tmp_file(dovecot_auth_tmp_t) type dovecot_cert_t; -files_type(dovecot_cert_t) +miscfiles_cert_type(dovecot_cert_t) type dovecot_deliver_t; type dovecot_deliver_exec_t; 
@@ -26,6 +27,9 @@ domain_type(dovecot_deliver_t) domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) role system_r types dovecot_deliver_t; +type dovecot_deliver_tmp_t; +files_tmp_file(dovecot_deliver_tmp_t) + type dovecot_etc_t; files_config_file(dovecot_etc_t) @@ -41,7 +45,6 @@ files_type(dovecot_spool_t) type dovecot_tmp_t; files_tmp_file(dovecot_tmp_t) -# /var/lib/dovecot holds SSL parameters file type dovecot_var_lib_t; files_type(dovecot_var_lib_t) 
@@ -53,52 +56,50 @@ files_pid_file(dovecot_var_run_t) ######################################## # -# dovecot local policy +# Local policy # -allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; +allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; allow dovecot_t self:capability2 block_suspend; -allow dovecot_t self:process { setrlimit signal_perms getcap setcap }; +allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; -domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) - -allow dovecot_t dovecot_auth_t:process signal; - -allow dovecot_t dovecot_cert_t:dir list_dir_perms; -read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) - -allow dovecot_t dovecot_etc_t:file read_file_perms; -files_search_etc(dovecot_t) - -can_exec(dovecot_t, dovecot_exec_t) +allow dovecot_t { dovecot_etc_t dovecot_cert_t }:dir list_dir_perms; +read_files_pattern(dovecot_t, { dovecot_etc_t dovecot_cert_t }, { dovecot_etc_t dovecot_cert_t }) +read_lnk_files_pattern(dovecot_t, { dovecot_etc_t dovecot_cert_t }, { dovecot_etc_t dovecot_cert_t }) manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) -# Allow dovecot to create and read SSL parameters file manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) -files_search_var_lib(dovecot_t) -files_read_var_symlinks(dovecot_t) manage_dirs_pattern(dovecot_t, 
dovecot_var_log_t, dovecot_var_log_t) -manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) +manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) + +can_exec(dovecot_t, dovecot_exec_t) + +allow dovecot_t dovecot_auth_t:process signal; + +domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) 
@@ -109,34 +110,38 @@ corenet_tcp_sendrecv_generic_if(dovecot_t) corenet_tcp_sendrecv_generic_node(dovecot_t) corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) + +corenet_sendrecv_mail_server_packets(dovecot_t) corenet_tcp_bind_mail_port(dovecot_t) +corenet_sendrecv_pop_server_packets(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) +corenet_sendrecv_sieve_server_packets(dovecot_t) corenet_tcp_bind_sieve_port(dovecot_t) + +corenet_sendrecv_all_client_packets(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) -corenet_sendrecv_pop_server_packets(dovecot_t) -corenet_sendrecv_all_client_packets(dovecot_t) + +corecmd_exec_bin(dovecot_t) dev_read_sysfs(dovecot_t) dev_read_urand(dovecot_t) -fs_getattr_all_fs(dovecot_t) -fs_getattr_all_dirs(dovecot_t) -fs_search_auto_mountpoints(dovecot_t) -fs_list_inotifyfs(dovecot_t) - -corecmd_exec_bin(dovecot_t) - domain_use_interactive_fds(dovecot_t) -files_read_etc_files(dovecot_t) +files_read_etc_runtime_files(dovecot_t) +files_read_var_lib_files(dovecot_t) +files_read_var_symlinks(dovecot_t) files_search_spool(dovecot_t) -files_search_tmp(dovecot_t) files_dontaudit_list_default(dovecot_t) -# Dovecot now has quota support and it uses getmntent() to find the mountpoints. -files_read_etc_runtime_files(dovecot_t) +files_dontaudit_search_all_dirs(dovecot_t) files_search_all_mountpoints(dovecot_t) +fs_getattr_all_fs(dovecot_t) +fs_getattr_all_dirs(dovecot_t) +fs_search_auto_mountpoints(dovecot_t) +fs_list_inotifyfs(dovecot_t) + init_getattr_utmp(dovecot_t) auth_use_nsswitch(dovecot_t) 
@@ -156,8 +161,21 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file mta_manage_spool(dovecot_t) +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(dovecot_t) + fs_manage_nfs_files(dovecot_t) + fs_manage_nfs_symlinks(dovecot_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(dovecot_t) + fs_manage_cifs_files(dovecot_t) + fs_manage_cifs_symlinks(dovecot_t) +') + optional_policy(` kerberos_keytab_template(dovecot, dovecot_t) + kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0") ') optional_policy(` @@ -165,6 +183,15 @@ optional_policy(` ') optional_policy(` + postfix_manage_private_sockets(dovecot_t) + postfix_search_spool(dovecot_t) +') + +optional_policy(` + sendmail_domtrans(dovecot_t) +') + +optional_policy(` seutil_sigchld_newrole(dovecot_t) ') 
@@ -178,49 +205,47 @@ optional_policy(` ######################################## # -# dovecot auth local policy +# Auth local policy # -allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; -allow dovecot_auth_t self:process { signal_perms getcap setcap }; +allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; +allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; -allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; -allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; - -allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow dovecot_auth_t self:unix_stream_socket { accept connectto listen }; read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) +read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) +read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) + manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) -dovecot_stream_connect_auth(dovecot_auth_t) + +allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) -logging_send_audit_msgs(dovecot_auth_t) -logging_send_syslog_msg(dovecot_auth_t) - dev_read_urand(dovecot_auth_t) +dev_search_sysfs(dovecot_auth_t) -auth_domtrans_chk_passwd(dovecot_auth_t) -auth_use_nsswitch(dovecot_auth_t) - -files_read_etc_files(dovecot_auth_t) files_read_etc_runtime_files(dovecot_auth_t) files_search_pids(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) 
-files_read_usr_symlinks(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) -files_search_tmp(dovecot_auth_t) -files_read_var_lib_files(dovecot_t) + +auth_domtrans_chk_passwd(dovecot_auth_t) +auth_use_nsswitch(dovecot_auth_t) init_rw_utmp(dovecot_auth_t) +logging_send_audit_msgs(dovecot_auth_t) +logging_send_syslog_msg(dovecot_auth_t) + miscfiles_read_localization(dovecot_auth_t) seutil_dontaudit_search_config(dovecot_auth_t) @@ -228,9 +253,6 @@ seutil_dontaudit_search_config(dovecot_auth_t) sysnet_use_ldap(dovecot_auth_t) optional_policy(` - kerberos_use(dovecot_auth_t) - - # for gssapi (kerberos) userdom_list_user_tmp(dovecot_auth_t) userdom_read_user_tmp_files(dovecot_auth_t) userdom_read_user_tmp_symlinks(dovecot_auth_t) @@ -239,6 +261,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) + mysql_read_config(dovecot_auth_t) + mysql_tcp_connect(dovecot_auth_t) ') optional_policy(` 
@@ -246,39 +270,56 @@ optional_policy(` ') optional_policy(` + postfix_manage_private_sockets(dovecot_auth_t) + postfix_rw_inherited_master_pipes(dovecot_deliver_t) postfix_search_spool(dovecot_auth_t) ') ######################################## # -# dovecot deliver local policy +# Deliver local policy # -allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; -allow dovecot_deliver_t dovecot_t:process signull; +allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms; + +allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms; +read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) +read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) + +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; + +append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) + +manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) +manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) +files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) -allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; +read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) +read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) + +stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t }) + +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + +allow dovecot_deliver_t dovecot_t:process signull; kernel_read_all_sysctls(dovecot_deliver_t) kernel_read_system_state(dovecot_deliver_t) -files_read_etc_files(dovecot_deliver_t) +corecmd_exec_bin(dovecot_deliver_t) + files_read_etc_runtime_files(dovecot_deliver_t) +fs_getattr_all_fs(dovecot_deliver_t) + auth_use_nsswitch(dovecot_deliver_t) +logging_search_logs(dovecot_deliver_t) logging_send_syslog_msg(dovecot_deliver_t) 
-logging_search_logs(dovecot_auth_t) miscfiles_read_localization(dovecot_deliver_t) -dovecot_stream_connect_auth(dovecot_deliver_t) - -files_search_tmp(dovecot_deliver_t) - -fs_getattr_all_fs(dovecot_deliver_t) - userdom_manage_user_home_content_dirs(dovecot_deliver_t) userdom_manage_user_home_content_files(dovecot_deliver_t) userdom_manage_user_home_content_symlinks(dovecot_deliver_t) @@ -290,20 +331,23 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(dovecot_deliver_t) fs_manage_nfs_files(dovecot_deliver_t) fs_manage_nfs_symlinks(dovecot_deliver_t) - fs_manage_nfs_dirs(dovecot_t) - fs_manage_nfs_files(dovecot_t) - fs_manage_nfs_symlinks(dovecot_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(dovecot_deliver_t) fs_manage_cifs_files(dovecot_deliver_t) fs_manage_cifs_symlinks(dovecot_deliver_t) - fs_manage_cifs_dirs(dovecot_t) - fs_manage_cifs_files(dovecot_t) - fs_manage_cifs_symlinks(dovecot_t) ') optional_policy(` mta_manage_spool(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) +') + +optional_policy(` + postfix_use_fds_master(dovecot_deliver_t) +') + +optional_policy(` + sendmail_domtrans(dovecot_deliver_t) ') diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if index 0ab180c..a4f9973 100644 --- a/policy/modules/contrib/postfix.if +++ b/policy/modules/contrib/postfix.if @@ -277,6 +277,25 @@ interface(`postfix_read_local_state',` ######################################## ## +## Read and write inherited postfix master pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_rw_inherited_master_pipes',` + gen_require(` + type postfix_master_t; + ') + + allow $1 postfix_master_t:fd use; + allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read }; +') + +######################################## +## ## Allow domain to read postfix master process state ## ## 
@@ -295,6 +314,24 @@ interface(`postfix_read_master_state',` ######################################## ## +## Use postfix master file descriptors. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_use_fds_master',` + gen_require(` + type postfix_master_t; + ') + + allow $1 postfix_master_t:fd use; +') + +######################################## +## ## Do not audit attempts to use ## postfix master process file ## file descriptors. diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te index d0cf61b..19b27f3 100644 --- a/policy/modules/contrib/postfix.te +++ b/policy/modules/contrib/postfix.te @@ -1,4 +1,4 @@ -policy_module(postfix, 1.14.2) +policy_module(postfix, 1.14.3) ######################################## #
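Review bot: in the dovecot.fc hunk, the new entry `/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)` only takes effect on relabel; if dovecot_t creates that file at runtime it is labelled dovecot_var_run_t through `files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })`, so the label will drift between restorecon runs. Either add a name-based file transition for it (this patch already uses one with `kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")`) or drop the entry and let the file stay dovecot_var_run_t. The dot in the path should also be escaped (`ssl-parameters\.dat`) to match the other regexes in the file.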
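Review bot: in the dovecot.if hunk, the summary of `dovecot_stream_connect_auth` changes from "Connect to dovecot auth unix domain stream socket" to "Connect to dovecot using a unix domain stream socket", which is less precise than the body: the rule still targets the auth process (`stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)`), so keep "auth" in the summary. The reworded dovecot_admin summary in the same file also carries over the typo "an dovecot environment"; make it "a dovecot environment".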
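Review bot: the dovecot.te declarations hunk drops `# /var/lib/dovecot holds SSL parameters file` above `type dovecot_var_lib_t;`, and the local-policy hunk drops `# Allow dovecot to create and read SSL parameters file` above `manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)`, leaving no record of why dovecot_t needs manage on dovecot_var_lib_t; keep at least one of the two comments.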
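Review bot: the dovecot_t local-policy hunk removes `files_read_etc_files(dovecot_t)` and the auth and deliver hunks do the same for their domains, leaving only `files_read_etc_runtime_files(...)`; etc_runtime_t does not cover generic etc_t files, so unless this tree grants etc_t reads to every domain centrally (if the Fedora source this was ported from relies on such a rule, confirm the equivalent exists here), expect AVC denials on startup and keep the calls. Separately, the new `fsetid` capability and `setsched` process permission for dovecot_t have no comment saying what needs them; refpolicy convention is to justify non-obvious capabilities inline.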
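Review bot: in the auth local-policy hunk, `allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };` replaces `create_stream_socket_perms`, dropping create, bind, read and write on the domain's own sockets; a domain cannot listen on or accept from a socket it cannot create, and listeners handed down from the master are labelled dovecot_t rather than self (those are already covered by `allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };`). Unless another interface supplies the missing permissions, this should read `{ create_stream_socket_perms connectto }`.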
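Review bot: the `@@ -228,9 +253,6 @@` hunk removes `kerberos_use(dovecot_auth_t)` and the `# for gssapi (kerberos)` comment from an optional_policy block, leaving `userdom_list_user_tmp`, `userdom_read_user_tmp_files` and `userdom_read_user_tmp_symlinks` wrapped in optional_policy with no optional module to gate on; either move those three calls out of the block or keep the kerberos call and its comment so the block still has a reason to be optional.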
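Review bot: `postfix_rw_inherited_master_pipes(dovecot_deliver_t)` is added inside the dovecot_auth_t optional_policy block next to `postfix_manage_private_sockets(dovecot_auth_t)` and `postfix_search_spool(dovecot_auth_t)`; it belongs in the deliver section's postfix block, which this patch also adds with `postfix_use_fds_master(dovecot_deliver_t)`. Once moved there, `postfix_use_fds_master(dovecot_deliver_t)` becomes redundant, because the new `postfix_rw_inherited_master_pipes` interface already contains `allow $1 postfix_master_t:fd use;`.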
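Review bot: in the postfix.if hunk, `postfix_rw_inherited_master_pipes` spells out `{ getattr write append lock ioctl read }`; if this tree's obj_perm_sets.spt defines `rw_inherited_fifo_file_perms`, use it so the set stays in sync with the rest of the policy (it deliberately omits `open`, which is what makes it the inherited variant). The `allow $1 postfix_master_t:fd use;` line is duplicated verbatim in the new `postfix_use_fds_master`; have the pipes interface call `postfix_use_fds_master($1)` instead of repeating the rule.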