From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1408820476.b7cab4f7955034ccbfc097c0214f5b6071e2d6f4.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/mail.fc policy/modules/contrib/mail.if policy/modules/contrib/mail.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: b7cab4f7955034ccbfc097c0214f5b6071e2d6f4 X-VCS-Branch: mailinfra Date: Sun, 24 Aug 2014 08:02:52 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: f5a3ec50-c344-44dd-85e5-6b4a41511cac X-Archives-Hash: bcf152cee842dece8f86c7eee1d90105 commit: b7cab4f7955034ccbfc097c0214f5b6071e2d6f4 Author: Sven Vermeulen siphos be> AuthorDate: Sat Aug 23 19:01:16 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sat Aug 23 19:01:16 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b7cab4f7 Initial policy --- policy/modules/contrib/mail.fc | 7 +++ policy/modules/contrib/mail.if | 99 ++++++++++++++++++++++++++++++++++++++++++ policy/modules/contrib/mail.te | 85 ++++++++++++++++++++++++++++++++++++ 3 files changed, 191 insertions(+) diff --git a/policy/modules/contrib/mail.fc b/policy/modules/contrib/mail.fc new file mode 100644 index 0000000..1f0437e --- /dev/null +++ b/policy/modules/contrib/mail.fc 
@@ -0,0 +1,7 @@ +HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) + +/etc/mail(/.*)? gen_context(system_u:object_r:mail_etc_t,s0) + +# Only effective files are labeled as sendmail_exec_t, esp. symlinks should remain bin_t +/usr/sbin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/policy/modules/contrib/mail.if b/policy/modules/contrib/mail.if new file mode 100644 index 0000000..e451d9c --- /dev/null +++ b/policy/modules/contrib/mail.if 
@@ -0,0 +1,99 @@ +## Common e-mail infrastructure policy + +######################################### +## +## Role access for mail access and usage +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`mail_role',` + gen_require(` + attribute_role user_sendmail_roles; + type mail_home_rw_t; + type sendmail_exec_t; + type user_sendmail_t; + ') + + roleattribute $1 user_sendmail_roles; + + domtrans_pattern($2, sendmail_exec_t, user_sendmail_t) + + allow $2 user_sendmail_t:process { ptrace signal_perms }; + ps_process_pattern($2, user_sendmail_t) + + allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms }; + allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms }; + userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir") + userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir") +') + +######################################### +## +## Mark the type as a mail content type (mail generated by or for a mail user agent) +## +## +## +## Type to mark as mail content +## +## +# +interface(`mail_content_type',` + gen_require(` + attribute mail_content; + ') + + typeattribute $1 mail_content; +') + +######################################### +## +## Mark the type as a mail user agent domain +## +## +## +## Domain to be assigned the mail_user_agent attribute +## +## +# +interface(`mail_user_agent_type',` + gen_require(` + attribute mail_user_agent; + ') + + typeattribute $1 mail_user_agent; +') + +######################################### +## +## Assign all privileges for the domain to act as a mail user agent (MUA) +## +## +## +## Type or attribute to assign MUA privileges to +## +## +# +interface(`mail_user_agent_privs',` + gen_require(` + type mail_home_rw_t; + ') + + # Manage user mail files + manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) + manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + 
userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") + + # Call sendmail to send out mails + domtrans_pattern($1, sendmail_exec_t, user_sendmail_t) +') diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te new file mode 100644 index 0000000..68af687 --- /dev/null +++ b/policy/modules/contrib/mail.te 
@@ -0,0 +1,85 @@ +policy_module(mailinfra, 1.0) + +# This will become the new mta when finished. For now, use a different name + +######################################### +# +# Declarations +# + +# Domain attributes, see http://en.wikipedia.org/wiki/Email_agent_%28infrastructure%29 +attribute mail_user_agent; +attribute mail_submission_agent; +attribute mail_transfer_agent; +attribute mail_delivery_agent; +attribute mail_retrieval_agent; + +# Resource attributes +attribute mail_content; + +# Access to user-based sendmail +attribute_role user_sendmail_roles; + +# TODO deleteme +attribute mta_exec_type; +type system_mail_t; +application_type(system_mail_t) +attribute mta_user_agent; +type mail_spool_t; +attribute user_mail_domain; +attribute mailserver_domain; +attribute mailserver_sender; +attribute mailserver_delivery; + +# Generic domain types +type sendmail_exec_t; + +type user_sendmail_t; +userdom_user_application_domain(user_sendmail_t, sendmail_exec_t) +role user_sendmail_roles types user_sendmail_t; + +type system_sendmail_t; + +# Generic types +type mail_aliases_t alias etc_aliases_t; +files_type(mail_aliases_t) + +type mail_etc_t alias etc_mail_t; +files_config_file(mail_etc_t) + +type mail_home_rw_t; +userdom_user_home_content(mail_home_rw_t) + +######################################### +# +# Mail User Agent policy +# + +mail_user_agent_privs(mail_user_agent) + +######################################### +# +# User-based sendmail domain +# + +allow user_sendmail_t mail_content:file { read_file_perms append_file_perms }; + +miscfiles_read_localization(user_sendmail_t) + +# Postfix implementation specifics +ifdef(`use_postfix',` + # TODO Bring this into a postfix_sendmail_privs interface + allow user_sendmail_t self:process { setrlimit }; + allow user_sendmail_t self:tcp_socket create_socket_perms; + allow user_sendmail_t self:unix_dgram_socket create_socket_perms; + + kernel_read_network_state(user_sendmail_t) + + auth_use_nsswitch(user_sendmail_t) + + 
logging_send_syslog_msg(user_sendmail_t) + + postfix_domtrans_postdrop(user_sendmail_t) + postfix_read_config(user_sendmail_t) + postfix_read_spool_files(user_sendmail_t) +')
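Review bot: in mail.fc, no entry assigns mail_aliases_t, although mail.te declares it (type mail_aliases_t alias etc_aliases_t; followed by files_type(mail_aliases_t)). With only the /etc/mail(/.*)? rule present, any alias file kept under /etc/mail is labeled mail_etc_t and the new type is never applied to a file. Either add a file context for the alias files here, or leave a comment in mail.fc saying which later commit will label them.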
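Review bot: in mail.if, mail_user_agent_privs ends with domtrans_pattern($1, sendmail_exec_t, user_sendmail_t), but its gen_require block lists only type mail_home_rw_t; so the interface references two types it never requires. Add type sendmail_exec_t; and type user_sendmail_t; to that gen_require, the way mail_role already does. A second point in the same file: mail_role gives $2 the ptrace permission on user_sendmail_t:process next to signal_perms. If the user domain only has to signal and list the helper, dropping ptrace from that set keeps the role narrower.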
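Review bot: in mail.te, system_sendmail_t is declared bare under "Generic domain types", with no domain or application macro, no role statement and no rule, whereas user_sendmail_t directly above it gets userdom_user_application_domain() and role user_sendmail_roles types user_sendmail_t; mail_spool_t in the "TODO deleteme" block likewise has no files_type() call. Either complete these declarations or move system_sendmail_t into the TODO block with a comment saying it is a placeholder. In the use_postfix block, allow user_sendmail_t self:tcp_socket create_socket_perms; carries no comment on what needs it; one line stating the reason would help when these rules move into the postfix_sendmail_privs interface the TODO mentions.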