* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-08-24  8:02 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-24  8:02 UTC (permalink / raw
  To: gentoo-commits

commit:     b7cab4f7955034ccbfc097c0214f5b6071e2d6f4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:01:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Aug 23 19:01:16 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b7cab4f7

Initial policy

---
 policy/modules/contrib/mail.fc |  7 +++
 policy/modules/contrib/mail.if | 99 ++++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/mail.te | 85 ++++++++++++++++++++++++++++++++++++
 3 files changed, 191 insertions(+)

diff --git a/policy/modules/contrib/mail.fc b/policy/modules/contrib/mail.fc
new file mode 100644
index 0000000..1f0437e
--- /dev/null
+++ b/policy/modules/contrib/mail.fc
@@ -0,0 +1,7 @@
+HOME_DIR/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/etc/mail(/.*)?		gen_context(system_u:object_r:mail_etc_t,s0)
+
+# Only effective files are labeled as sendmail_exec_t, esp. symlinks should remain bin_t
+/usr/sbin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
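Review bot: Nothing in this file context list labels the aliases database, although mail.te in this same commit declares `mail_aliases_t alias etc_aliases_t`; with only the `/etc/mail(/.*)?` rule, `/etc/mail/aliases` and `/etc/mail/aliases.db` end up as `mail_etc_t`, so whatever rebuilds the aliases db (presumably newaliases) would need write access to the config-file type instead of the dedicated aliases type. Add `/etc/mail/aliases(\.db)?	--	gen_context(system_u:object_r:mail_aliases_t,s0)` (and the `/etc/aliases(\.db)?` spelling if that path is used here) so the two types are actually distinguishable on disk. The comment on the sendmail line is also slightly off: `--` matches regular files, so `# Only regular files are labeled as sendmail_exec_t; symlinks remain bin_t` is the accurate wording.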

diff --git a/policy/modules/contrib/mail.if b/policy/modules/contrib/mail.if
new file mode 100644
index 0000000..e451d9c
--- /dev/null
+++ b/policy/modules/contrib/mail.if
@@ -0,0 +1,99 @@
+## <summary>Common e-mail infrastructure policy</summary>
+
+#########################################
+## <summary>
+##	Role access for mail access and usage
+##</summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`mail_role',`
+	gen_require(`
+		attribute_role user_sendmail_roles;
+		type mail_home_rw_t;
+		type sendmail_exec_t;
+		type user_sendmail_t;
+	')
+
+	roleattribute $1 user_sendmail_roles;
+
+	domtrans_pattern($2, sendmail_exec_t, user_sendmail_t)
+
+	allow $2 user_sendmail_t:process { ptrace signal_perms };
+	ps_process_pattern($2, user_sendmail_t)
+
+	allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
+	allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
+	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
+')
+
+#########################################
+## <summary>
+##	Mark the type as a mail content type (mail generated by or for a mail user agent)
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to mark as mail content
+##	</summary>
+## </param>
+#
+interface(`mail_content_type',`
+	gen_require(`
+		attribute mail_content;
+	')
+
+	typeattribute $1 mail_content;
+')
+
+#########################################
+## <summary>
+##	Mark the type as a mail user agent domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be assigned the mail_user_agent attribute
+##	</summary>
+## </param>
+#
+interface(`mail_user_agent_type',`
+	gen_require(`
+		attribute mail_user_agent;
+	')
+
+	typeattribute $1 mail_user_agent;
+')
+
+#########################################
+## <summary>
+##	Assign all privileges for the domain to act as a mail user agent (MUA)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type or attribute to assign MUA privileges to
+##	</summary>
+## </param>
+#
+interface(`mail_user_agent_privs',`
+	gen_require(`
+		type mail_home_rw_t;
+	')
+
+	# Manage user mail files
+	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+
+	# Call sendmail to send out mails
+	domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)
+')
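Review bot: `mail_user_agent_privs` (the last interface in the hunk) uses `sendmail_exec_t` and `user_sendmail_t` in its `domtrans_pattern` call but only requires `mail_home_rw_t` in its `gen_require`; that works when called from mail.te itself, but any other module calling it would fail to compile on the undeclared types. Change the block to `gen_require(` / `type mail_home_rw_t, sendmail_exec_t, user_sendmail_t;` / `')`. Separately, `mail_role` grants the caller `ptrace` on `user_sendmail_t`; this mirrors the old `mta_role`, but it lets an ordinary user domain inspect the memory of the process that hands a message to the MTA, so a comment stating that this is intentional (or dropping `ptrace` if debugging is not needed) would help the next reader.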

diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te
new file mode 100644
index 0000000..68af687
--- /dev/null
+++ b/policy/modules/contrib/mail.te
@@ -0,0 +1,85 @@
+policy_module(mailinfra, 1.0)
+
+# This will become the new mta when finished. For now, use a different name
+
+#########################################
+#
+# Declarations
+#
+
+# Domain attributes, see http://en.wikipedia.org/wiki/Email_agent_%28infrastructure%29
+attribute mail_user_agent;
+attribute mail_submission_agent;
+attribute mail_transfer_agent;
+attribute mail_delivery_agent;
+attribute mail_retrieval_agent;
+
+# Resource attributes
+attribute mail_content;
+
+# Access to user-based sendmail
+attribute_role user_sendmail_roles;
+
+# TODO deleteme
+attribute mta_exec_type;
+type system_mail_t;
+application_type(system_mail_t)
+attribute mta_user_agent;
+type mail_spool_t;
+attribute user_mail_domain;
+attribute mailserver_domain;
+attribute mailserver_sender;
+attribute mailserver_delivery;
+
+# Generic domain types
+type sendmail_exec_t;
+
+type user_sendmail_t;
+userdom_user_application_domain(user_sendmail_t, sendmail_exec_t)
+role user_sendmail_roles types user_sendmail_t;
+
+type system_sendmail_t;
+
+# Generic types
+type mail_aliases_t alias etc_aliases_t;
+files_type(mail_aliases_t)
+
+type mail_etc_t alias etc_mail_t;
+files_config_file(mail_etc_t)
+
+type mail_home_rw_t;
+userdom_user_home_content(mail_home_rw_t)
+
+#########################################
+#
+# Mail User Agent policy
+#
+
+mail_user_agent_privs(mail_user_agent)
+
+#########################################
+#
+# User-based sendmail domain
+#
+
+allow user_sendmail_t mail_content:file { read_file_perms append_file_perms };
+
+miscfiles_read_localization(user_sendmail_t)
+
+# Postfix implementation specifics
+ifdef(`use_postfix',`
+	# TODO Bring this into a postfix_sendmail_privs interface
+	allow user_sendmail_t self:process { setrlimit };
+	allow user_sendmail_t self:tcp_socket create_socket_perms;
+	allow user_sendmail_t self:unix_dgram_socket create_socket_perms;
+
+	kernel_read_network_state(user_sendmail_t)
+
+	auth_use_nsswitch(user_sendmail_t)
+
+	logging_send_syslog_msg(user_sendmail_t)
+
+	postfix_domtrans_postdrop(user_sendmail_t)
+	postfix_read_config(user_sendmail_t)
+	postfix_read_spool_files(user_sendmail_t)
+')
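Review bot: The "TODO deleteme" block redeclares `mta_exec_type`, `system_mail_t`, `mail_spool_t`, `mailserver_domain` and friends, and the file also declares `sendmail_exec_t`; the mta module still exists at this point in the thread (it is only renamed to `.orig` later) and its interfaces required those very identifiers, so if mta.te declares them too, linking both modules will fail on duplicate declarations and this module cannot be loaded alongside mta until that rename lands. A comment such as `# TODO deleteme - duplicates mta.te; the two modules cannot be loaded together` would make that explicit. Also, `system_sendmail_t` is declared but given no domain attribute, entrypoint or rules, so nothing can run in it yet; mark it `# TODO system_sendmail_t is not a domain yet (no entrypoint, no rules)` so it is not mistaken for a working domain. Finally, the three `postfix_*` calls inside the `use_postfix` ifdef are not wrapped in `optional_policy`, so the module does not build when the postfix policy is absent.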



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-08-24  8:02 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-24  8:02 UTC (permalink / raw
  To: gentoo-commits

commit:     a2d1f61b74fda94cd0553ba94174bace791cbeee
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:15:48 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Aug 23 19:15:48 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a2d1f61b

Introduce postfix_user_sendmail_privs

---
 policy/modules/contrib/postfix.if | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..2e1df2c 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -756,3 +756,33 @@ interface(`postfix_admin',`
 		can_exec($1, postfix_showq_exec_t)
 	')
 ')
+
+# ifdef distro_gentoo
+
+#########################################
+## <summary>
+##	Assign privileges for Postfix sendmail
+## </summary>
+## <param name="domain:>
+##	<summary>
+##	Domain to assign privileges to
+##	</summary>
+## </param>
+#
+interface(`postfix_user_sendmail_privs',`
+	allow $1 self:process { setrlimit };
+	allow $1 self:tcp_socket create_socket_perms;
+	allow $1 self:unix_dgram_socket create_socket_perms;
+
+	kernel_read_network_state($1)
+
+	logging_send_syslog_msg($1)
+
+	auth_use_nsswitch($1)
+
+	optional_policy(`
+		postfix_domtrans_postdrop($1)
+		postfix_read_config($1)
+		postfix_read_spool_files($1)
+	')
+')
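Review bot: The parameter tag `## <param name="domain:>` in the new interface's XML header is malformed (a colon where the closing quote should be), so the XML documentation tooling will most likely reject or mis-parse this interface; it should read `## <param name="domain">`. The `# ifdef distro_gentoo` line above it is a plain comment, not an m4 `ifdef`, so the interface is defined unconditionally — fine if intended, but the comment reads as though it were a guard, so either turn it into a real `ifdef(`distro_gentoo',` block or reword it to `# Gentoo-specific interface`. The `optional_policy` around the `postfix_*` calls is harmless but redundant inside postfix.if itself, since those interfaces are defined in this same file.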



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-08-24  8:02 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-24  8:02 UTC (permalink / raw
  To: gentoo-commits

commit:     d79c9c8d3840afdece3a9b93b5d426d611e14819
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:16:31 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Aug 23 19:16:31 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d79c9c8d

Use postfix_user_sendmail_privs

---
 policy/modules/contrib/mail.te | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te
index 68af687..aad451d 100644
--- a/policy/modules/contrib/mail.te
+++ b/policy/modules/contrib/mail.te
@@ -68,18 +68,5 @@ miscfiles_read_localization(user_sendmail_t)
 
 # Postfix implementation specifics
 ifdef(`use_postfix',`
-	# TODO Bring this into a postfix_sendmail_privs interface
-	allow user_sendmail_t self:process { setrlimit };
-	allow user_sendmail_t self:tcp_socket create_socket_perms;
-	allow user_sendmail_t self:unix_dgram_socket create_socket_perms;
-
-	kernel_read_network_state(user_sendmail_t)
-
-	auth_use_nsswitch(user_sendmail_t)
-
-	logging_send_syslog_msg(user_sendmail_t)
-
-	postfix_domtrans_postdrop(user_sendmail_t)
-	postfix_read_config(user_sendmail_t)
-	postfix_read_spool_files(user_sendmail_t)
+	postfix_user_sendmail_privs(user_sendmail_t)
 ')
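Review bot: The remaining `ifdef(`use_postfix',` guard is a build-time m4 conditional, and nothing visible in this thread defines `use_postfix`; if it is not set on the build line the whole block is silently dropped and `user_sendmail_t` ends up with no path to postdrop at all. Since `postfix_user_sendmail_privs` already wraps its own `postfix_*` calls in `optional_policy`, the guard could simply be `optional_policy(` / `postfix_user_sendmail_privs(user_sendmail_t)` / `')`, which follows the presence of the postfix module instead of an undocumented symbol. If the symbol is intentional, a comment naming where it is defined would avoid the silent no-op.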



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     c2dd56c2dde1ba447b12a65ba12ac3decf2f16cd
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 16:52:34 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:38 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c2dd56c2

Allow salt to call grub-mkconfig

---
 policy/modules/contrib/salt.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 279edfb..8388253 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -294,6 +294,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	bootloader_domtrans(salt_minion_t)
+')
+
+optional_policy(`
 	mount_domtrans(salt_minion_t)
 ')
 
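Review bot: The new `bootloader_domtrans(salt_minion_t)` is broader than the commit message suggests: it presumably transitions on any `bootloader_exec_t` binary, not just grub-mkconfig, so a salt state can run the rest of the bootloader tooling in `bootloader_t`, which rewrites the boot configuration the hardened setup depends on. That is probably acceptable for a configuration-management agent, but it deserves a why-comment in the block, e.g. `# Salt states regenerate grub.cfg via grub-mkconfig (runs in bootloader_t)`, so a later reader knows why a minion may reach the bootloader domain.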



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     4d37fd81193690bd67e183eb41c93570a62a099d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 27 14:26:11 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d37fd81

Fix postfix - enable output on terminals for debugging and troubleshooting

---
 policy/modules/contrib/postfix.te | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index a953646..c27fbf1 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -805,11 +805,25 @@ userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
 
 ifdef(`distro_gentoo',`
+
+	#####################################
+	#
+	# postfix_t policy
+	#
+
 	# Not made part of mail infra anymore (previously mta_mailserver_domain)
 	init_daemon_domain(postfix_t, postfix_master_exec_t)
 
 	#####################################
 	#
+	# postfix_master_t policy
+	#
+
+	# Output in case of start or status failure (rc-service postfix status)
+	userdom_use_user_terminals(postfix_master_t)
+
+	#####################################
+	#
 	# Local postfix postdrop policy
 	#
 



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     251e3aeab13af9ef95032c5b207b5b3a165c1307
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 18:38:21 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:38 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=251e3aea

Allow salt minion to read SELinux configuration

The rlpkg command, before executing setfiles (which involves a domain
transition), parses the SELinux configuration file.

---
 policy/modules/contrib/salt.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 8388253..05dffec 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -311,6 +311,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	seutil_read_config(salt_minion_t)
+')
+
+optional_policy(`
 	shutdown_domtrans(salt_minion_t)
 ')
 



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     3ba24f9c26c69e486257adb89d64f8bb7ada6837
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 30 20:28:02 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3ba24f9c

Fix postfix - Add smtpd as MTA

---
 policy/modules/contrib/postfix.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 9fb72dc..5e7b319 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -835,4 +835,5 @@ ifdef(`distro_gentoo',`
 	#
 	mail_delivery_agent_type(postfix_local_t)
 	mail_submission_agent_type(postfix_postdrop_t)
+	mail_transfer_agent_type(postfix_smtpd_t)
 ')
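Review bot: `mail_transfer_agent_type(postfix_smtpd_t)` hands the full transfer-agent privilege set to the inbound SMTP listener, and the agent taxonomy in mail.te is documented only by a wiki link, so each of these three assignments should carry a one-line comment on the role being assigned, e.g. `# smtpd accepts inbound SMTP (transfer agent); the outbound client is not covered here`. If the outbound SMTP client domain is also meant to be a transfer agent in this model it presumably needs the same attribute, but that is outside this hunk.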



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     b1bdc46e60bb68eb54844d999197cddfed0ec5ad
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 24 09:23:27 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1bdc46e

Create mta wrapper

Also temporarily rename the mta policy (instead of removing it) so we
can consult it during development of the new mail infrastructure policy.

---
 policy/modules/contrib/{mta.fc => mta.fc.orig} |   0
 policy/modules/contrib/mta.if                  | 544 ++++++-------------------
 policy/modules/contrib/{mta.if => mta.if.orig} |   0
 policy/modules/contrib/mta.te                  | 408 -------------------
 policy/modules/contrib/{mta.te => mta.te.orig} |   0
 5 files changed, 121 insertions(+), 831 deletions(-)

diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc.orig
similarity index 100%
rename from policy/modules/contrib/mta.fc
rename to policy/modules/contrib/mta.fc.orig

diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 48a2845..57c2e33 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -1,20 +1,7 @@
-## <summary>Common e-mail transfer agent policy.</summary>
-
-########################################
-## <summary>
-##	MTA stub interface.  No access allowed.
-## </summary>
-## <param name="domain" unused="true">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
+## <summary>Wrapper for common e-mail transfer agent policy.</summary>
 #
-interface(`mta_stub',`
-	gen_require(`
-		type sendmail_exec_t;
-	')
-')
+# The mta policy is no longer supported in Gentoo and has been deprecated
+# in favor of the mail policy.
 
 #######################################
 ## <summary>
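Review bot: `mta_stub` is removed outright while every other interface in this file is kept as a `refpolicywarn` shim; a module that still calls `mta_stub` (its purpose was a no-access presence check inside `optional_policy`) will hit an undefined m4 macro and fail to build instead of warning. For consistency keep a shim: `interface(`mta_stub',` / `refpolicywarn(`$0($*) has been deprecated.')` / `')`.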
@@ -27,41 +14,12 @@ interface(`mta_stub',`
 ## </param>
 #
 template(`mta_base_mail_template',`
-	gen_require(`
-		attribute user_mail_domain;
-		type sendmail_exec_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_mail_t, user_mail_domain;
-	application_domain($1_mail_t, sendmail_exec_t)
-
-	type $1_mail_tmp_t;
-	files_tmp_file($1_mail_tmp_t)
-
-	########################################
-	#
-	# Declarations
-	#
-
-	manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-	manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-	files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
-
-	auth_use_nsswitch($1_mail_t)
-
-	optional_policy(`
-		postfix_domtrans_user_mail_handler($1_mail_t)
-	')
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	Role access for mta.
+##	Role access for mta (deprecated, use mail_role instead).
 ## </summary>
 ## <param name="role">
 ##	<summary>
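Review bot: `mta_base_mail_template` now declares nothing, whereas before it created `$1_mail_t` and `$1_mail_tmp_t`; a module that still invokes the template and then refers to `$1_mail_t` in its own rules will fail on an undeclared type, so the deprecation warning never gets a chance to be useful. Either keep the two type declarations (with the warning) for one release, or make the warning explicit: `refpolicywarn(`$0($*) has been deprecated and no longer declares $1_mail_t or $1_mail_tmp_t.')`. Callers of this template are not visible in the hunk.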
@@ -82,46 +40,14 @@ interface(`mta_role',`
 		type user_mail_tmp_t, mail_home_rw_t;
 	')
 
-	roleattribute $1 user_mail_roles;
-
-	# this is something i need to fix
-	# i dont know if and why it is needed
-	# will role attribute work?
-	role $1 types mta_user_agent;
+	refpolicywarn(`$0($*) has been deprecated. Please use mail_role instead.')
 
-	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
-	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
-
-	allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
-	ps_process_pattern($2, { user_mail_t mta_user_agent })
-
-	allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
-	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
-	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
-	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
-	userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
-
-	allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
-	allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
-	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
-
-	allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
-
-	optional_policy(`
-		exim_run($2, $1)
-	')
-
-	optional_policy(`
-		mailman_run($2, $1)
-	')
+	mail_role($1, $2)
 ')
 
 ########################################
 ## <summary>
-##	Make the specified domain usable for a mail server.
+##	Make the specified domain usable for a mail server (deprecated, use mail_*_agent_type instead).
 ## </summary>
 ## <param name="type">
 ##	<summary>
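Review bot: The `gen_require` of `mta_role` (its opening lines are above this hunk) still requires `type user_mail_tmp_t, mail_home_rw_t;` even though the new body uses neither, and the diffstat shows mta.te emptied; if `user_mail_tmp_t` is no longer declared anywhere, every role that still calls `mta_role` fails to build on the require instead of receiving the deprecation warning. Trim the block to the types actually referenced — here none, since `mail_role` carries its own `gen_require` — or keep only `mail_home_rw_t`, which mail.te still declares.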
@@ -139,13 +65,13 @@ interface(`mta_mailserver',`
 		attribute mailserver_domain;
 	')
 
-	init_daemon_domain($1, $2)
-	typeattribute $1 mailserver_domain;
+	refpolicywarn(`$0($*) is deprecated, use mail_*_agent_type instead. Defaulting to mail_transfer_agent_type.')
+	mail_transfer_agent_type($1)
 ')
 
 ########################################
 ## <summary>
-##	Make the specified type a MTA executable file.
+##	Make the specified type a MTA executable file (deprecated).
 ## </summary>
 ## <param name="type">
 ##	<summary>
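Review bot: The wrapper drops `init_daemon_domain($1, $2)`, which was the part of `mta_mailserver` that made the caller's domain a daemon domain with `$2` as its entrypoint; callers other than postfix (which this thread patches separately) now silently lose that entrypoint while `$2` goes unused. Either keep `init_daemon_domain($1, $2)` in the shim ahead of `mail_transfer_agent_type($1)`, or make the warning say so: `refpolicywarn(`$0($*) is deprecated and no longer calls init_daemon_domain; declare the daemon domain yourself and use mail_*_agent_type.')`. The retained `attribute mailserver_domain;` in the `gen_require` above is now unused and should go once mail.te stops declaring it.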
@@ -154,18 +80,13 @@ interface(`mta_mailserver',`
 ## </param>
 #
 interface(`mta_agent_executable',`
-	gen_require(`
-		attribute mta_exec_type;
-	')
-
-	typeattribute $1 mta_exec_type;
-
+	refpolicywarn(`$0($*) is deprecated.')
 	application_executable_file($1)
 ')
 
 #######################################
 ## <summary>
-##	Read mta mail home files.
+##	Read mta mail home files (deprecated, use mail_read_home_files instead).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -174,18 +95,14 @@ interface(`mta_agent_executable',`
 ## </param>
 #
 interface(`mta_read_mail_home_files',`
-	gen_require(`
-		type mail_home_t;
-	')
-
-	userdom_search_user_home_dirs($1)
-	allow $1 mail_home_t:file read_file_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_read_home_files instead.')
+	mail_read_home_files($1)
 ')
 
 #######################################
 ## <summary>
 ##	Create, read, write, and delete
-##	mta mail home files.
+##	mta mail home files (deprecated, use mail_manage_home_files instead).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -194,19 +111,15 @@ interface(`mta_read_mail_home_files',`
 ## </param>
 #
 interface(`mta_manage_mail_home_files',`
-	gen_require(`
-		type mail_home_t;
-	')
-
-	userdom_search_user_home_dirs($1)
-	allow $1 mail_home_t:file manage_file_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_manage_home_files instead.')
+	mail_manage_home_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create specified objects in user home
 ##	directories with the generic mail
-##	home type.
+##	home type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -225,17 +138,14 @@ interface(`mta_manage_mail_home_files',`
 ## </param>
 #
 interface(`mta_home_filetrans_mail_home',`
-	gen_require(`
-		type mail_home_t;
-	')
-
-	userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
+	refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type declarations. Defaulting to delivery agent.')
+	mail_delivery_agent_privs($1)
 ')
 
 #######################################
 ## <summary>
 ##	Create, read, write, and delete
-##	mta mail home rw content.
+##	mta mail home rw content (deprecated, use mail_manage_home_rw).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
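Review bot: Mapping `mta_home_filetrans_mail_home` to `mail_delivery_agent_privs($1)` swaps a narrow named-file type transition for what its name says is the whole delivery-agent privilege set, so every existing caller gains far more than it had, while `$2` and `$3` (object class and filename) are ignored. A deprecation shim should not widen access; either re-implement the transition with `userdom_user_home_dir_filetrans($1, <new home type>, $2, $3)` on whichever type replaces `mail_home_t`, or reduce the shim to the warning and let callers opt in to the agent privileges explicitly. `mail_delivery_agent_privs` also does not appear in the mail.if shown earlier in this thread, so its existence should be confirmed.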
@@ -244,21 +154,15 @@ interface(`mta_home_filetrans_mail_home',`
 ## </param>
 #
 interface(`mta_manage_mail_home_rw_content',`
-	gen_require(`
-		type mail_home_rw_t;
-	')
-
-	userdom_search_user_home_dirs($1)
-	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
-	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	refpolicywarn(`$0($*) is deprecated, use mail_manage_home_rw instead')
+	mail_manage_home_rw($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create specified objects in user home
 ##	directories with the generic mail
-##	home rw type.
+##	home rw type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -277,16 +181,13 @@ interface(`mta_manage_mail_home_rw_content',`
 ## </param>
 #
 interface(`mta_home_filetrans_mail_home_rw',`
-	gen_require(`
-		type mail_home_rw_t;
-	')
-
-	userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
+	refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type declarations. Defaulting to delivery agent.')
+	mail_delivery_agent_privs($1)
 ')
 
 ########################################
 ## <summary>
-##	Make the specified type by a system MTA.
+##	Make the specified type by a system MTA (deprecated, use mail_content_type instead).
 ## </summary>
 ## <param name="type">
 ##	<summary>
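Review bot: `mta_home_filetrans_mail_home_rw` used to grant only a named-file transition to `mail_home_rw_t` and now calls `mail_delivery_agent_privs($1)`, which by its name grants the full delivery-agent privilege set; a compatibility shim that widens access is the opposite of what callers expect from a deprecation, and `$2`/`$3` are silently ignored. Since `mail_home_rw_t` still exists in mail.te, the faithful shim is `userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)` behind the warning, with the `gen_require` for `mail_home_rw_t` kept.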
@@ -295,17 +196,14 @@ interface(`mta_home_filetrans_mail_home_rw',`
 ## </param>
 #
 interface(`mta_system_content',`
-	gen_require(`
-		attribute mailcontent_type;
-	')
-
-	typeattribute $1 mailcontent_type;
+	refpolicywarn(`$0($*) is deprecated, use mail_content_type instead.')
+	mail_content_type($1)
 ')
 
 ########################################
 ## <summary>
 ##	Modified mailserver interface for
-##	sendmail daemon use.
+##	sendmail daemon use (deprecated).
 ## </summary>
 ## <desc>
 ##	<p>
@@ -328,20 +226,15 @@ interface(`mta_system_content',`
 ## </param>
 #
 interface(`mta_sendmail_mailserver',`
-	gen_require(`
-		attribute mailserver_domain;
-		type sendmail_exec_t;
-	')
-
-	init_system_domain($1, sendmail_exec_t)
+	refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type declarations. Defaulting to transfer agent.')
+	mail_transfer_agent_type($1)
 
-	typeattribute $1 mailserver_domain;
 ')
 
 #######################################
 ## <summary>
 ##	Make a type a mailserver type used
-##	for sending mail.
+##	for sending mail (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
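Review bot: `mta_sendmail_mailserver` no longer calls `init_system_domain($1, sendmail_exec_t)`, so a domain that relied on this interface for its entrypoint (the sendmail daemon policy, not visible here) is left with no way to be entered, and the warning does not mention that loss. Either keep `init_system_domain($1, sendmail_exec_t)` in the shim (the type is still declared in mail.te, so the `gen_require` can stay) or state in the warning that the caller must now declare its own entrypoint. The stray blank line before the closing `')` can go.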
@@ -350,17 +243,14 @@ interface(`mta_sendmail_mailserver',`
 ## </param>
 #
 interface(`mta_mailserver_sender',`
-	gen_require(`
-		attribute mailserver_sender;
-	')
-
-	typeattribute $1 mailserver_sender;
+	refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type declarations. Defaulting to submission agent.')
+	mail_submission_agent_type($1)
 ')
 
 #######################################
 ## <summary>
 ##	Make a type a mailserver type used
-##	for delivering mail to local users.
+##	for delivering mail to local users (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -369,18 +259,15 @@ interface(`mta_mailserver_sender',`
 ## </param>
 #
 interface(`mta_mailserver_delivery',`
-	gen_require(`
-		attribute mailserver_delivery;
-	')
-
-	typeattribute $1 mailserver_delivery;
+	refpolicywarn(`$0($*) is deprecated, use mail_delivery_agent_type instead')
+	mail_delivery_agent_type($1)
 ')
 
 #######################################
 ## <summary>
 ##	Make a type a mailserver type used
 ##	for sending mail on behalf of local
-##	users to the local mail spool.
+##	users to the local mail spool (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -389,16 +276,13 @@ interface(`mta_mailserver_delivery',`
 ## </param>
 #
 interface(`mta_mailserver_user_agent',`
-	gen_require(`
-		attribute mta_user_agent;
-	')
-
-	typeattribute $1 mta_user_agent;
+	refpolicywarn(`$0($*) is deprecated, use mail_delivery_agent_type instead')
+	mail_delivery_agent_type($1)
 ')
 
 ########################################
 ## <summary>
-##	Send mail from the system.
+##	Send mail from the system (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
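Review bot: `mta_mailserver_user_agent` is mapped to `mail_delivery_agent_type`, but its own summary (just above the hunk) describes "sending mail on behalf of local users to the local mail spool", which reads like submission rather than delivery in the taxonomy mail.te introduces. If delivery is the intended mapping, update the summary to say why; otherwise `mail_submission_agent_type($1)` looks like the closer match. The comment text and the warning should agree on which it is.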
@@ -407,23 +291,8 @@ interface(`mta_mailserver_user_agent',`
 ## </param>
 #
 interface(`mta_send_mail',`
-	gen_require(`
-		type system_mail_t;
-		attribute mta_exec_type;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, mta_exec_type, system_mail_t)
-
-	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-
-	ifdef(`distro_gentoo',`
-		gen_require(`
-			attribute mta_user_agent;
-		')
-
-		dontaudit mta_user_agent $1:fd use;
-	')
+	refpolicywarn(`$0($*) is deprecated, use mail_domtrans_sendmail instead')
+	mail_domtrans_sendmail($1)
 ')
 
 ########################################
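Review bot: `mta_send_mail` is the interface most of refpolicy uses to let daemons send mail, and the shim delegates to `mail_domtrans_sendmail($1)`, which does not appear in the mail.if shown earlier in this thread; if it is missing, every module calling `mta_send_mail` fails to build. It also matters which domain that transition targets: the old code entered `system_mail_t`, while mail.te declares `system_sendmail_t` with no rules at all, so system daemons presumably land in the user-oriented `user_sendmail_t` or get no transition; a comment in the shim should say which. The Gentoo-specific `dontaudit mta_user_agent $1:fd use;` is dropped without replacement, which may reintroduce fd-use denials for callers.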
@@ -452,19 +321,12 @@ interface(`mta_send_mail',`
 ## </param>
 #
 interface(`mta_sendmail_domtrans',`
-	gen_require(`
-		type sendmail_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1, sendmail_exec_t, $2)
-
-	allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+	refpolicywarn(`$0($*) is deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	Send signals to system mail.
+##	Send signals to system mail (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
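Review bot: `mta_sendmail_domtrans` is reduced to a warning, so a caller that depended on `domain_auto_trans($1, sendmail_exec_t, $2)` now executes sendmail with no transition at all — either denied outright or run inside the caller's own domain — and `$2` is ignored. If the interface is meant to be removed, the warning should say that no transition is set up anymore; otherwise keep `corecmd_search_bin($1)` and `domain_auto_trans($1, sendmail_exec_t, $2)` behind the warning, since `sendmail_exec_t` is still declared in mail.te.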
@@ -474,11 +336,8 @@ interface(`mta_sendmail_domtrans',`
 #
 #
 interface(`mta_signal_system_mail',`
-	gen_require(`
-		type system_mail_t;
-	')
-
-	allow $1 system_mail_t:process signal;
+	refpolicywarn(`$0($*) is deprecated, mail_run_sendmail instead')
+	mail_run_sendmail($1)
 ')
 
 ########################################
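Review bot: `mta_signal_system_mail` only granted `signal` on `system_mail_t`, but the shim now calls `mail_run_sendmail($1)`, which by refpolicy naming sets up a domain transition plus role access, so the deprecation turns a signal permission into the ability to run sendmail; `*_run` interfaces also conventionally take a role as second argument, which is not passed here. Map it to a signal-only interface on the replacement domain, or reduce it to the warning, and fix the message wording: `refpolicywarn(`$0($*) is deprecated, use mail_run_sendmail instead')`.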
@@ -492,11 +351,7 @@ interface(`mta_signal_system_mail',`
 ## </param>
 #
 interface(`mta_kill_system_mail',`
-	gen_require(`
-		type system_mail_t;
-	')
-
-	allow $1 system_mail_t:process sigkill;
+	refpolicywarn(`$0($*) is deprecated.')
 ')
 
 ########################################
@@ -510,17 +365,13 @@ interface(`mta_kill_system_mail',`
 ## </param>
 #
 interface(`mta_sendmail_exec',`
-	gen_require(`
-		type sendmail_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, sendmail_exec_t)
+	refpolicywarn(`$0($*) is deprecated, use mail_exec_sendmail instead.')
+	mail_exec_sendmail($1)
 ')
 
 ########################################
 ## <summary>
-##	Read mail server configuration content.
+##	Read mail server configuration content (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -530,19 +381,13 @@ interface(`mta_sendmail_exec',`
 ## <rolecap/>
 #
 interface(`mta_read_config',`
-	gen_require(`
-		type etc_mail_t;
-	')
-
-	files_search_etc($1)
-	allow $1 etc_mail_t:dir list_dir_perms;
-	allow $1 etc_mail_t:file read_file_perms;
-	allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_read_etc instead.')
+	mail_read_etc($1)
 ')
 
 ########################################
 ## <summary>
-##	Write mail server configuration files.
+##	Write mail server configuration files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -552,17 +397,13 @@ interface(`mta_read_config',`
 ## <rolecap/>
 #
 interface(`mta_write_config',`
-	gen_require(`
-		type etc_mail_t;
-	')
-
-	files_search_etc($1)
-	write_files_pattern($1, etc_mail_t, etc_mail_t)
+	refpolicywarn(`$0($*) is deprecated, use mail_rw_etc instead.')
+	mail_rw_etc($1)
 ')
 
 ########################################
 ## <summary>
-##	Read mail address alias files.
+##	Read mail address alias files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
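Review bot: `mta_write_config` previously granted write-only access (`write_files_pattern`) to the configuration type, but the shim now calls `mail_rw_etc($1)`, which by its name also grants read, so callers that were deliberately write-only gain read access to the mail configuration through a compatibility wrapper. If the new mail.if has a write-only interface, delegate to that; otherwise note the widening in the warning text so it is a deliberate choice rather than an accident.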
@@ -571,21 +412,8 @@ interface(`mta_write_config',`
 ## </param>
 #
 interface(`mta_read_aliases',`
-	gen_require(`
-		type etc_aliases_t;
-	')
-
-	files_search_etc($1)
-	allow $1 etc_aliases_t:file read_file_perms;
-
-	ifdef(`distro_gentoo',`
-		gen_require(`
-			type etc_mail_t;
-		')
-
-		search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
-		read_files_pattern($1, etc_mail_t, etc_aliases_t)
-	')
+	refpolicywarn(`$0($*) is deprecated, use mail_read_aliases instead.')
+	mail_read_aliases($1)
 ')
 
 ########################################
@@ -600,30 +428,15 @@ interface(`mta_read_aliases',`
 ## </param>
 #
 interface(`mta_manage_aliases',`
-	gen_require(`
-		type etc_aliases_t;
-	')
-
-	files_search_etc($1)
-	manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
-	manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
-	
-	ifdef(`distro_gentoo',`
-		gen_require(`
-			type etc_mail_t;
-		')
-
-		search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
-		manage_files_pattern($1, etc_mail_t, etc_aliases_t)
-		manage_lnk_files_pattern($1, etc_mail_t, etc_aliases_t)
-	')
+	refpolicywarn(`$0($*) is deprecated, use mail_manage_aliases instead.')
+	mail_manage_aliases($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create specified object in generic
 ##	etc directories with the mail address
-##	alias type.
+##	alias type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -642,18 +455,15 @@ interface(`mta_manage_aliases',`
 ## </param>
 #
 interface(`mta_etc_filetrans_aliases',`
-	gen_require(`
-		type etc_aliases_t;
-	')
-
-	files_etc_filetrans($1, etc_aliases_t, $2, $3)
+	refpolicywarn(`$0($*) is deprecated, use mail_generic_etc_filetrans_aliases instead.')
+	mail_generic_etc_filetrans_aliases($1, $2, $3)
 ')
 
 ########################################
 ## <summary>
 ##	Create specified objects in specified
 ##	directories with a type transition to
-##	the mail address alias type.
+##	the mail address alias type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -677,47 +487,15 @@ interface(`mta_etc_filetrans_aliases',`
 ## </param>
 #
 interface(`mta_spec_filetrans_aliases',`
-	gen_require(`
-		type etc_aliases_t;
-	')
-
-	filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
-')
-
-########################################
-## <summary>
-##	Read and write mail alias files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`mta_rw_aliases',`
-	gen_require(`
-		type etc_aliases_t;
-	')
-
-	files_search_etc($1)
-	allow $1 etc_aliases_t:file rw_file_perms;
-
-	ifdef(`distro_gentoo',`
-		gen_require(`
-			type etc_mail_t;
-		')
-
-		search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
-		rw_files_pattern($1, etc_mail_t, etc_aliases_t)
-	')
+	refpolicywarn(`$0($*) is deprecated, use mail_spec_filetrans_aliases instead.')
+	mail_spec_filetrans_aliases($1, $2, $3, $4)
 ')
 
 #######################################
 ## <summary>
 ##	Do not audit attempts to read
 ##	and write TCP sockets of mail
-##	delivery domains.
+##	delivery domains (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
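Review bot: mta_rw_aliases is removed outright here while every other interface in this file is kept as a refpolicywarn shim, so any module still calling it fails at build time instead of getting a deprecation warning. For consistency keep a three-line shim of the same shape as the mta_read_aliases one above, with the warning pointing at whichever mail_* interface grants read/write on the alias files; none is visible in this diff, so if no such interface exists the removal should be called out in the commit message.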
@@ -726,11 +504,8 @@ interface(`mta_rw_aliases',`
 ## </param>
 #
 interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
-	gen_require(`
-		attribute mailserver_delivery;
-	')
-
-	dontaudit $1 mailserver_delivery:tcp_socket { read write };
+	refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_rw_delivery_agent_tcp_sockets instead.')
+	mail_dontaudit_rw_delivery_agent_tcp_sockets($1)
 ')
 
 #######################################
@@ -750,7 +525,7 @@ interface(`mta_tcp_connect_all_mailservers',`
 #######################################
 ## <summary>
 ##	Do not audit attempts to read
-##	mail spool symlinks.
+##	mail spool symlinks (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -759,16 +534,13 @@ interface(`mta_tcp_connect_all_mailservers',`
 ## </param>
 #
 interface(`mta_dontaudit_read_spool_symlinks',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	dontaudit $1 mail_spool_t:lnk_file read;
+	refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_read_queue_symlinks instead.')
+	mail_dontaudit_read_queue_symlinks($1)
 ')
 
 ########################################
 ## <summary>
-##	Get attributes of mail spool content.
+##	Get attributes of mail spool content (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
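Review bot: This shim maps the mail_spool_t-based mta_dontaudit_read_spool_symlinks onto mail_dontaudit_read_queue_symlinks, and the same spool-to-queue mapping is repeated below for mta_getattr_spool, mta_dontaudit_getattr_spool_files, mta_spool_filetrans, mta_read_spool_files, mta_rw_spool, mta_append_spool, mta_delete_spool and mta_manage_spool. The old interfaces distinguished mail_spool_t (the mailbox spool) from mqueue_spool_t (the MTA queue), yet both mta_spool_filetrans and mta_queue_filetrans now resolve to mail_queue_filetrans, both mta_read_spool_files and mta_read_queue to mail_read_queue_files, and both mta_manage_spool and mta_manage_queue to mail_manage_queue. If the new mail module keeps separate types for mailboxes and the queue, the spool shims point at the wrong replacements and silently change which files a caller may touch; if it merges the two types, that loss of separation should be stated in the commit message and in each affected summary. The mail.te declarations are not in this diff, so which of the two applies could not be confirmed.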
@@ -777,20 +549,14 @@ interface(`mta_dontaudit_read_spool_symlinks',`
 ## </param>
 #
 interface(`mta_getattr_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mail_spool_t:dir list_dir_perms;
-	getattr_files_pattern($1, mail_spool_t, mail_spool_t)
-	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+	refpolicywarn(`$0($*) is deprecated, use mail_getattr_queue instead.')
+	mail_getattr_queue($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to get
-##	attributes of mail spool files.
+##	attributes of mail spool files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -799,14 +565,8 @@ interface(`mta_getattr_spool',`
 ## </param>
 #
 interface(`mta_dontaudit_getattr_spool_files',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_dontaudit_search_spool($1)
-	dontaudit $1 mail_spool_t:dir search_dir_perms;
-	dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
-	dontaudit $1 mail_spool_t:file getattr_file_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_getattr_queue instead.')
+	mail_dontaudit_getattr_queue($1)
 ')
 
 #######################################
@@ -837,17 +597,13 @@ interface(`mta_dontaudit_getattr_spool_files',`
 ## </param>
 #
 interface(`mta_spool_filetrans',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	filetrans_pattern($1, mail_spool_t, $2, $3, $4)
+	refpolicywarn(`$0($*) is deprecated, use mail_queue_filetrans instead.')
+	mail_queue_filetrans($1, $2, $3, $4)
 ')
 
 #######################################
 ## <summary>
-##  Read mail spool files.
+##  Read mail spool files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##  <summary>
@@ -856,17 +612,13 @@ interface(`mta_spool_filetrans',`
 ## </param>
 #
 interface(`mta_read_spool_files',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	read_files_pattern($1, mail_spool_t, mail_spool_t)
+	refpolicywarn(`$0($*) is deprecated, use mail_read_queue_files instead.')
+	mail_read_queue_files($1)
 ')
 
 ########################################
 ## <summary>
-##	Read and write mail spool files.
+##	Read and write mail spool files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -875,19 +627,13 @@ interface(`mta_read_spool_files',`
 ## </param>
 #
 interface(`mta_rw_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mail_spool_t:dir list_dir_perms;
-	allow $1 mail_spool_t:file rw_file_perms;
-	allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_rw_queue_files instead.')
+	mail_rw_queue_files($1)
 ')
 
 #######################################
 ## <summary>
-##	Create, read, and write mail spool files.
+##	Create, read, and write mail spool files (deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -896,19 +642,13 @@ interface(`mta_rw_spool',`
 ## </param>
 #
 interface(`mta_append_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mail_spool_t:dir list_dir_perms;
-	manage_files_pattern($1, mail_spool_t, mail_spool_t)
-	allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_manage_queue_files instead.')
+	mail_manage_queue_files($1)
 ')
 
 #######################################
 ## <summary>
-##	Delete mail spool files.
+##	Delete mail spool files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -917,18 +657,14 @@ interface(`mta_append_spool',`
 ## </param>
 #
 interface(`mta_delete_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	delete_files_pattern($1, mail_spool_t, mail_spool_t)
+	refpolicywarn(`$0($*) is deprecated, use mail_delete_queue_files instead.')
+	mail_delete_queue_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
-##	mail spool content.
+##	mail spool content (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -937,21 +673,15 @@ interface(`mta_delete_spool',`
 ## </param>
 #
 interface(`mta_manage_spool',`
-	gen_require(`
-		type mail_spool_t;
-	')
-
-	files_search_spool($1)
-	manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
-	manage_files_pattern($1, mail_spool_t, mail_spool_t)
-	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+	refpolicywarn(`$0($*) is deprecated, use mail_manage_queue instead.')
+	mail_manage_queue($1)
 ')
 
 #######################################
 ## <summary>
 ##	Create specified objects in the
 ##	mail queue spool directory with a
-##	private type.
+##	private type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -975,17 +705,13 @@ interface(`mta_manage_spool',`
 ## </param>
 #
 interface(`mta_queue_filetrans',`
-	gen_require(`
-		type mqueue_spool_t;
-	')
-
-	files_search_spool($1)
-	filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+	refpolicywarn(`$0($*) is deprecated, use mail_queue_filetrans instead.')
+	mail_queue_filetrans($1, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##	Search mail queue directories.
+##	Search mail queue directories (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -994,17 +720,13 @@ interface(`mta_queue_filetrans',`
 ## </param>
 #
 interface(`mta_search_queue',`
-	gen_require(`
-		type mqueue_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mqueue_spool_t:dir search_dir_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_search_queue instead.')
+	mail_search_queue($1)
 ')
 
 #######################################
 ## <summary>
-##	List mail queue directories.
+##	List mail queue directories (deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1013,17 +735,13 @@ interface(`mta_search_queue',`
 ## </param>
 #
 interface(`mta_list_queue',`
-	gen_require(`
-		type mqueue_spool_t;
-	')
-
-	files_search_spool($1)
-	allow $1 mqueue_spool_t:dir list_dir_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_list_queue instead.')
+	mail_list_queue($1)
 ')
 
 #######################################
 ## <summary>
-##	Read mail queue files.
+##	Read mail queue files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1032,18 +750,14 @@ interface(`mta_list_queue',`
 ## </param>
 #
 interface(`mta_read_queue',`
-	gen_require(`
-		type mqueue_spool_t;
-	')
-
-	files_search_spool($1)
-	read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+	refpolicywarn(`$0($*) is deprecated, use mail_read_queue_files instead.')
+	mail_read_queue_files($1)
 ')
 
 #######################################
 ## <summary>
 ##	Do not audit attempts to read and
-##	write mail queue content.
+##	write mail queue content (deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1052,18 +766,14 @@ interface(`mta_read_queue',`
 ## </param>
 #
 interface(`mta_dontaudit_rw_queue',`
-	gen_require(`
-		type mqueue_spool_t;
-	')
-
-	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
-	dontaudit $1 mqueue_spool_t:file rw_file_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_rw_queue_files instead.')
+	mail_dontaudit_rw_queue_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
-##	mail queue content.
+##	mail queue content (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1072,18 +782,13 @@ interface(`mta_dontaudit_rw_queue',`
 ## </param>
 #
 interface(`mta_manage_queue',`
-	gen_require(`
-		type mqueue_spool_t;
-	')
-
-	files_search_spool($1)
-	manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
-	manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+	refpolicywarn(`$0($*) is deprecated, use mail_manage_queue instead.')
+	mail_manage_queue($1)
 ')
 
 #######################################
 ## <summary>
-##	Read sendmail binary.
+##	Read sendmail binary (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1092,17 +797,14 @@ interface(`mta_manage_queue',`
 ## </param>
 #
 interface(`mta_read_sendmail_bin',`
-	gen_require(`
-		type sendmail_exec_t;
-	')
-
-	allow $1 sendmail_exec_t:file read_file_perms;
+	refpolicywarn(`$0($*) is deprecated, use mail_read_sendmail_executable instead.')
+	mail_read_sendmail_executable($1)
 ')
 
 #######################################
 ## <summary>
 ##	Read and write unix domain stream
-##	sockets of all base mail domains.
+##	sockets of all base mail domains (deprecated).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1111,9 +813,5 @@ interface(`mta_read_sendmail_bin',`
 ## </param>
 #
 interface(`mta_rw_user_mail_stream_sockets',`
-	gen_require(`
-		attribute user_mail_domain;
-	')
-
-	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+	refpolicywarn(`$0($*) is deprecated.')
 ')
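Review bot: mta_rw_user_mail_stream_sockets is now a no-op that only emits a warning, so every caller silently loses rw_socket_perms on user_mail_domain unix_stream_sockets without a named replacement, unlike the other shims in this file. Either point the warning at the mail_* interface that replaces it, or state in the summary that the permission is intentionally dropped, e.g. `##	sockets of all base mail domains (deprecated, no longer grants anything).` Also, with every interface in this file rewritten and mta.te emptied below, policy_module(mta, 2.8.0) is left unchanged; refpolicy convention is to bump the module version when interfaces change.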

diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if.orig
similarity index 100%
copy from policy/modules/contrib/mta.if
copy to policy/modules/contrib/mta.if.orig

diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 51b3bbb..e2048ee 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,410 +1,2 @@
 policy_module(mta, 2.8.0)
 
-########################################
-#
-# Declarations
-#
-
-attribute mailcontent_type;
-attribute mta_exec_type;
-attribute mta_user_agent;
-attribute mailserver_delivery;
-attribute mailserver_domain;
-attribute mailserver_sender;
-
-attribute user_mail_domain;
-
-attribute_role user_mail_roles;
-
-type etc_aliases_t;
-files_type(etc_aliases_t)
-
-type etc_mail_t;
-files_config_file(etc_mail_t)
-
-type mail_home_t alias mail_forward_t;
-userdom_user_home_content(mail_home_t)
-
-type mail_home_rw_t;
-userdom_user_home_content(mail_home_rw_t)
-
-type mqueue_spool_t;
-files_mountpoint(mqueue_spool_t)
-
-type mail_spool_t;
-files_mountpoint(mail_spool_t)
-
-type sendmail_exec_t;
-mta_agent_executable(sendmail_exec_t)
-
-mta_base_mail_template(system)
-role system_r types system_mail_t;
-
-mta_base_mail_template(user)
-typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
-typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
-userdom_user_application_type(user_mail_t)
-role user_mail_roles types user_mail_t;
-
-typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
-typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
-userdom_user_tmp_file(user_mail_tmp_t)
-
-########################################
-#
-# Common base mail policy
-#
-
-allow user_mail_domain self:capability { setuid setgid chown };
-allow user_mail_domain self:process { signal_perms setrlimit };
-allow user_mail_domain self:fifo_file rw_fifo_file_perms;
-
-allow user_mail_domain mta_exec_type:file entrypoint;
-
-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
-
-manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
-
-read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
-
-manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
-read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
-
-allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
-
-can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
-
-kernel_read_crypto_sysctls(user_mail_domain)
-kernel_read_system_state(user_mail_domain)
-kernel_read_kernel_sysctls(user_mail_domain)
-kernel_read_network_state(user_mail_domain)
-kernel_request_load_module(user_mail_domain)
-
-corenet_all_recvfrom_netlabel(user_mail_domain)
-corenet_tcp_sendrecv_generic_if(user_mail_domain)
-corenet_tcp_sendrecv_generic_node(user_mail_domain)
-
-corenet_sendrecv_all_client_packets(user_mail_domain)
-corenet_tcp_connect_all_ports(user_mail_domain)
-corenet_tcp_sendrecv_all_ports(user_mail_domain)
-
-corecmd_exec_bin(user_mail_domain)
-
-dev_read_urand(user_mail_domain)
-
-domain_use_interactive_fds(user_mail_domain)
-
-files_read_etc_runtime_files(user_mail_domain)
-files_read_usr_files(user_mail_domain)
-files_search_spool(user_mail_domain)
-files_dontaudit_search_pids(user_mail_domain)
-
-fs_getattr_all_fs(user_mail_domain)
-
-init_dontaudit_rw_utmp(user_mail_domain)
-
-logging_send_syslog_msg(user_mail_domain)
-
-miscfiles_read_localization(user_mail_domain)
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(user_mail_domain)
-	fs_manage_cifs_files(user_mail_domain)
-	fs_read_cifs_symlinks(user_mail_domain)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(user_mail_domain)
-	fs_manage_nfs_files(user_mail_domain)
-	fs_read_nfs_symlinks(user_mail_domain)
-')
-
-optional_policy(`
-	courier_manage_spool_dirs(user_mail_domain)
-	courier_manage_spool_files(user_mail_domain)
-	courier_rw_spool_pipes(user_mail_domain)
-')
-
-optional_policy(`
-	exim_domtrans(user_mail_domain)
-	exim_manage_log(user_mail_domain)
-	exim_manage_spool_files(user_mail_domain)
-	exim_read_var_lib_files(user_mail_domain)
-')
-
-optional_policy(`
-	files_getattr_tmp_dirs(user_mail_domain)
-
-	postfix_exec_master(user_mail_domain)
-	postfix_read_config(user_mail_domain)
-	postfix_search_spool(user_mail_domain)
-	postfix_rw_inherited_master_pipes(user_mail_domain)
-
-	ifdef(`distro_redhat',`
-		postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-	')
-')
-
-optional_policy(`
-	procmail_exec(user_mail_domain)
-')
-
-optional_policy(`
-	qmail_domtrans_inject(user_mail_domain)
-')
-
-optional_policy(`
-	sendmail_manage_log(user_mail_domain)
-	sendmail_log_filetrans_sendmail_log(user_mail_domain, file)
-')
-
-optional_policy(`
-	uucp_manage_spool(user_mail_domain)
-')
-
-########################################
-#
-# System local policy
-#
-
-allow system_mail_t self:capability { dac_override fowner };
-
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-
-allow system_mail_t mail_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
-
-allow system_mail_t user_mail_domain:dir list_dir_perms;
-allow system_mail_t user_mail_domain:file read_file_perms;
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
-
-corecmd_exec_shell(system_mail_t)
-
-dev_read_rand(system_mail_t)
-dev_read_sysfs(system_mail_t)
-
-fs_rw_anon_inodefs_files(system_mail_t)
-
-selinux_getattr_fs(system_mail_t)
-
-term_dontaudit_use_unallocated_ttys(system_mail_t)
-
-init_use_script_ptys(system_mail_t)
-
-userdom_use_user_terminals(system_mail_t)
-
-optional_policy(`
-	apache_read_squirrelmail_data(system_mail_t)
-	apache_append_squirrelmail_data(system_mail_t)
-	apache_dontaudit_append_log(system_mail_t)
-	apache_dontaudit_rw_stream_sockets(system_mail_t)
-	apache_dontaudit_rw_tcp_sockets(system_mail_t)
-	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
-	arpwatch_manage_tmp_files(system_mail_t)
-
-	ifdef(`hide_broken_symptoms',`
-		arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
-	')
-')
-
-optional_policy(`
-	bugzilla_search_content(system_mail_t)
-	bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
-	clamav_stream_connect(system_mail_t)
-	clamav_append_log(system_mail_t)
-')
-
-optional_policy(`
-	cron_read_system_job_tmp_files(system_mail_t)
-	cron_dontaudit_write_pipes(system_mail_t)
-	cron_rw_system_job_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
-	courier_stream_connect_authdaemon(system_mail_t)
-')
-
-optional_policy(`
-	cvs_read_data(system_mail_t)
-')
-
-optional_policy(`
-	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
-	fail2ban_append_log(system_mail_t)
-	fail2ban_rw_inherited_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-	logrotate_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-	logwatch_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-	milter_getattr_all_sockets(system_mail_t)
-')
-
-optional_policy(`
-	nagios_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-	manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-	manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-	manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
-')
-
-optional_policy(`
-	sxid_read_log(system_mail_t)
-')
-
-optional_policy(`
-	userdom_dontaudit_use_user_ptys(system_mail_t)
-
-	optional_policy(`
-		cron_dontaudit_append_system_job_tmp_files(system_mail_t)
-	')
-')
-
-optional_policy(`
-	spamassassin_stream_connect_spamd(system_mail_t)
-')
-
-optional_policy(`
-	smartmon_read_tmp_files(system_mail_t)
-')
-
-########################################
-#
-# MTA user agent local policy
-#
-
-userdom_use_user_terminals(mta_user_agent)
-
-optional_policy(`
-	apache_append_log(mta_user_agent)
-')
-
-optional_policy(`
-	arpwatch_manage_tmp_files(mta_user_agent)
-
-	ifdef(`hide_broken_symptoms',`
-		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
-	')
-
-	optional_policy(`
-		cron_read_system_job_tmp_files(mta_user_agent)
-	')
-')
-
-########################################
-#
-# Mailserver delivery local policy
-#
-
-allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
-
-allow mailserver_delivery mail_spool_t:dir list_dir_perms;
-create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-
-manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
-manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
-
-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(mailserver_delivery)
-	fs_manage_cifs_files(mailserver_delivery)
-	fs_read_cifs_symlinks(mailserver_delivery)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(mailserver_delivery)
-	fs_manage_nfs_files(mailserver_delivery)
-	fs_read_nfs_symlinks(mailserver_delivery)
-')
-
-optional_policy(`
-	arpwatch_search_data(mailserver_delivery)
-')
-
-optional_policy(`
-	dovecot_manage_spool(mailserver_delivery)
-	dovecot_domtrans_deliver(mailserver_delivery)
-')
-
-optional_policy(`
-	files_search_var_lib(mailserver_delivery)
-
-	mailman_domtrans(mailserver_delivery)
-	mailman_read_data_symlinks(mailserver_delivery)
-')
-
-optional_policy(`
-	postfix_rw_inherited_master_pipes(mailserver_delivery)
-')
-
-optional_policy(`
-	uucp_domtrans_uux(mailserver_delivery)
-')
-
-########################################
-#
-# User local policy
-#
-
-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
-
-dev_read_sysfs(user_mail_t)
-
-userdom_use_user_terminals(user_mail_t)
-
-optional_policy(`
-	allow user_mail_t self:capability dac_override;
-
-	userdom_rw_user_tmp_files(user_mail_t)
-
-	postfix_read_config(user_mail_t)
-	postfix_list_spool(user_mail_t)
-')
-
-ifdef(`distro_gentoo',`
-	optional_policy(`
-		at_rw_inherited_job_log_files(system_mail_t)
-	')
-')

diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te.orig
similarity index 100%
copy from policy/modules/contrib/mta.te
copy to policy/modules/contrib/mta.te.orig



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     1c501dac3ddb0146421f840bb4a9bbab2fc8532d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 18:38:21 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1c501dac

Allow salt minion to read SELinux configuration

The rlpkg command, before executing setfiles (which involves a domain
transition), parses the SELinux configuration file.

---
 policy/modules/contrib/salt.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 05dffec..856f8da 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -319,6 +319,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	seutil_read_config(salt_minion_t)
+')
+
+optional_policy(`
 	usermanage_run_groupadd(salt_minion_t, salt_minion_roles)
 	usermanage_run_passwd(salt_minion_t, salt_minion_roles)
 	usermanage_run_useradd(salt_minion_t, salt_minion_roles)
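Review bot: The new seutil_read_config(salt_minion_t) call is wrapped in its own optional_policy block, which is only needed for modules that may be absent; selinuxutil is a base system module in refpolicy, so the call can sit unconditionally with the domain's other seutil_* calls if this branch keeps the upstream layout. Keeping it separate from the usermanage block is correct, since the two have different availability. The commit message mentions a later domain transition to setfiles; whether that transition is already granted elsewhere in salt.te is not visible in this hunk.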



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     4145ef161fac67cee2ce0048213830be75b767c4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 27 14:11:43 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4145ef16

Fix postfix - make postfix_t launchable from init

---
 policy/modules/contrib/postfix.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index afc1fde..a953646 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -805,6 +805,9 @@ userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
 
 ifdef(`distro_gentoo',`
+	# Not made part of mail infra anymore (previously mta_mailserver_domain)
+	init_daemon_domain(postfix_t, postfix_master_exec_t)
+
 	#####################################
 	#
 	# Local postfix postdrop policy
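Review bot: init_daemon_domain(postfix_t, postfix_master_exec_t) is added only under the distro_gentoo ifdef, but the mta_mailserver call it replaces is commented out unconditionally in the follow-up commit d19a66489 in this thread, so non-Gentoo builds of this branch are presumably left without an init domain transition for postfix_t. If the intent is that this branch only targets Gentoo, say so in the comment; otherwise move the call outside the ifdef. The comment also names mta_mailserver_domain while the call being replaced is mta_mailserver, which is worth aligning so the history stays traceable.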



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     f5bf00584ecda77ddf39a181d073bb43af75f909
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:15:48 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f5bf0058

sendmail - Introduce postfix_user_sendmail_privs

The postfix_user_sendmail_privs interface is used to add the proper set
of permissions to the (user|system)_sendmail_t domains.

---
 policy/modules/contrib/postfix.if | 49 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..a51026e 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -756,3 +756,52 @@ interface(`postfix_admin',`
 		can_exec($1, postfix_showq_exec_t)
 	')
 ')
+
+# ifdef distro_gentoo
+
+#########################################
+## <summary>
+##	Assign privileges for Postfix sendmail
+## </summary>
+## <desc>
+##	<p>
+##	The privileges are extensive as many postfix commands are symbolic
+##	links to the sendmail application. Example is the mailq command.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to assign privileges to
+##	</summary>
+## </param>
+#
+interface(`postfix_user_sendmail_privs',`
+	gen_require(`
+		type postfix_postdrop_t;
+	')
+	allow $1 self:process { setrlimit };
+	allow $1 self:tcp_socket create_socket_perms;
+	allow $1 self:unix_dgram_socket create_socket_perms;
+
+	allow postfix_postdrop_t $1:unix_stream_socket rw_socket_perms;
+
+	kernel_read_network_state($1)
+
+	domain_use_interactive_fds($1)
+
+	logging_send_syslog_msg($1)
+
+	auth_use_nsswitch($1)
+
+	miscfiles_read_localization($1)
+
+	userdom_use_user_terminals($1)
+
+	optional_policy(`
+		postfix_exec_postqueue($1)
+		postfix_domtrans_postdrop($1)
+		postfix_read_config($1)
+		postfix_read_spool_files($1)
+		postfix_stream_connect_master($1)
+	')
+')



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     d19a66489fb983fe2eb6ce302eaafaff840b8d8b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 24 09:12:01 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d19a6648

Fix postfix - Add local as MDA

---
 policy/modules/contrib/postfix.te | 65 ++++++++++++++++++++++-----------------
 1 file changed, 36 insertions(+), 29 deletions(-)

diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index c27fbf1..9fb72dc 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -40,7 +40,7 @@ type postfix_keytab_t;
 files_type(postfix_keytab_t)
 
 postfix_server_domain_template(local)
-mta_mailserver_delivery(postfix_local_t)
+#mta_mailserver_delivery(postfix_local_t)
 
 type postfix_map_t;
 type postfix_map_exec_t;
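Review bot: The mta_* calls are commented out rather than removed or replaced, here and in the following hunks for postfix_postdrop_t, postfix_postqueue_t, postfix_smtp_t, postfix_virtual_t, postfix_master_t, postfix_cleanup_t and postfix_local_t, which leaves dead policy text in the module and, unless later hunks add them, no mail_* replacement for what the shims in commit b7cab4f7 point to (for example mta_manage_aliases to mail_manage_aliases). Until the replacements are wired in, postfix_master_t and postfix_local_t presumably lose alias, config and spool access, which would break delivery on an enforcing system; a short comment naming the commit that restores them would help reviewers. The commit title says local is added as an MDA, but the visible hunks only remove integration; the last hunk of this diff runs past what is shown here.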
@@ -52,7 +52,7 @@ files_tmp_file(postfix_map_tmp_t)
 
 postfix_domain_template(master)
 typealias postfix_master_t alias postfix_t;
-mta_mailserver(postfix_t, postfix_master_exec_t)
+#mta_mailserver(postfix_t, postfix_master_exec_t)
 
 type postfix_initrc_exec_t;
 init_script_file(postfix_initrc_exec_t)
@@ -62,10 +62,10 @@ postfix_server_domain_template(pickup)
 postfix_server_domain_template(pipe)
 
 postfix_user_domain_template(postdrop)
-mta_mailserver_user_agent(postfix_postdrop_t)
+#mta_mailserver_user_agent(postfix_postdrop_t)
 
 postfix_user_domain_template(postqueue)
-mta_mailserver_user_agent(postfix_postqueue_t)
+#mta_mailserver_user_agent(postfix_postqueue_t)
 
 type postfix_private_t;
 files_type(postfix_private_t)
@@ -78,7 +78,7 @@ postfix_server_domain_template(qmgr)
 postfix_user_domain_template(showq)
 
 postfix_server_domain_template(smtp)
-mta_mailserver_sender(postfix_smtp_t)
+#mta_mailserver_sender(postfix_smtp_t)
 
 postfix_server_domain_template(smtpd)
 
@@ -101,7 +101,7 @@ type postfix_data_t;
 files_type(postfix_data_t)
 
 postfix_server_domain_template(virtual)
-mta_mailserver_delivery(postfix_virtual_t)
+#mta_mailserver_delivery(postfix_virtual_t)
 
 ########################################
 #
@@ -307,13 +307,13 @@ miscfiles_read_man_pages(postfix_master_t)
 seutil_sigchld_newrole(postfix_master_t)
 seutil_dontaudit_search_config(postfix_master_t)
 
-mta_manage_aliases(postfix_master_t)
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
-mta_read_sendmail_bin(postfix_master_t)
-mta_getattr_spool(postfix_master_t)
+#mta_manage_aliases(postfix_master_t)
+#mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
+#mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
+#mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
+#mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
+#mta_read_sendmail_bin(postfix_master_t)
+#mta_getattr_spool(postfix_master_t)
 
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
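Review bot: Every alias rule removed here has a direct counterpart in the new mail module, so these should be substituted rather than commented out; without them postfix_master_t can no longer rebuild or label the alias database when `newaliases` runs, and the transition into postfix_etc_t is gone too. The replacements are shown below. `mail_getattr_queue()` stands in for `mta_getattr_spool()` on the assumption that mail_queue_t is what the spool directory will be labeled, which this series does not yet show in mail.fc.
```m4
# … unchanged: seutil_dontaudit_search_config(postfix_master_t) …

mail_manage_aliases(postfix_master_t)
mail_generic_etc_filetrans_aliases(postfix_master_t, file, "aliases")
mail_generic_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
mail_generic_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
mail_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
mail_read_sendmail_executable(postfix_master_t)
mail_getattr_queue(postfix_master_t)

# … unchanged: cyrus optional_policy block …
```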
@@ -394,7 +394,7 @@ corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
 corenet_tcp_connect_kismet_port(postfix_cleanup_t)
 corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
 
-mta_read_aliases(postfix_cleanup_t)
+#mta_read_aliases(postfix_cleanup_t)
 
 optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
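Review bot: `mail_read_aliases(postfix_cleanup_t)` is the one-line replacement for the removed `mta_read_aliases()` and should go in instead of the commented line. Cleanup presumably still performs alias lookups once the alias files carry mail_aliases_t, so leaving this out produces denials rather than a clean migration.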
@@ -420,13 +420,13 @@ corecmd_exec_bin(postfix_local_t)
 
 logging_dontaudit_search_logs(postfix_local_t)
 
-mta_delete_spool(postfix_local_t)
-mta_read_aliases(postfix_local_t)
-mta_read_config(postfix_local_t)
-mta_send_mail(postfix_local_t)
+#mta_delete_spool(postfix_local_t)
+#mta_read_aliases(postfix_local_t)
+#mta_read_config(postfix_local_t)
+#mta_send_mail(postfix_local_t)
 
 tunable_policy(`postfix_local_write_mail_spool',`
-	mta_manage_spool(postfix_local_t)
+	#mta_manage_spool(postfix_local_t)
 ')
 
 optional_policy(`
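Review bot: The `tunable_policy(`postfix_local_write_mail_spool', ...)` block is left with nothing but a comment inside, so the boolean no longer controls anything; either remove the block or put the mailinfra equivalent back in it. The four other removed rules also have counterparts in the new module, and `mail_delivery_agent_privs()` only covers mail_etc_t and the home Maildir, so local delivery that re-submits mail (presumably the .forward case) will be denied without them. Suggested replacement below.
```m4
logging_dontaudit_search_logs(postfix_local_t)

mail_delete_queue_files(postfix_local_t)
mail_read_aliases(postfix_local_t)
mail_read_etc(postfix_local_t)
mail_run_sendmail(postfix_local_t)

tunable_policy(`postfix_local_write_mail_spool',`
	mail_manage_queue(postfix_local_t)
')
```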
@@ -569,10 +569,10 @@ optional_policy(`
 	mailman_domtrans_queue(postfix_pipe_t)
 ')
 
-optional_policy(`
-	mta_manage_spool(postfix_pipe_t)
-	mta_send_mail(postfix_pipe_t)
-')
+#optional_policy(`
+	#mta_manage_spool(postfix_pipe_t)
+	#mta_send_mail(postfix_pipe_t)
+#')
 
 optional_policy(`
 	spamassassin_domtrans_client(postfix_pipe_t)
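Review bot: Commenting out an `optional_policy(` ... `')` pair line by line only works because m4 treats `#` to end-of-line as a comment and never sees the now-unbalanced quotes; it is fragile and hard to read. Delete the four lines, or restore the block with `mail_manage_queue(postfix_pipe_t)` and `mail_run_sendmail(postfix_pipe_t)` inside the optional_policy so pipe-based delivery keeps its queue and re-submission access.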
@@ -602,7 +602,7 @@ mcs_file_write_all(postfix_postdrop_t)
 term_dontaudit_use_all_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_ttys(postfix_postdrop_t)
 
-mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
+#mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
 
 optional_policy(`
 	apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
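Review bot: `mta_rw_user_mail_stream_sockets(postfix_postdrop_t)` has no counterpart in the new mail.if, and `mail_submission_agent_type()` only attaches an attribute; mail.te defines no `mail_submission_agent_privs()`, so postdrop gains no rules at all from the migration. If user mail agents hand postdrop an inherited stream socket, as the removed interface's name suggests, that access is now silently lost. Keep this line until an equivalent interface exists, or record it as a known gap with `# TODO(mailinfra): no replacement for mta_rw_user_mail_stream_sockets yet`.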
@@ -752,7 +752,7 @@ corecmd_exec_bin(postfix_smtpd_t)
 fs_getattr_all_dirs(postfix_smtpd_t)
 fs_getattr_all_fs(postfix_smtpd_t)
 
-mta_read_aliases(postfix_smtpd_t)
+#mta_read_aliases(postfix_smtpd_t)
 
 optional_policy(`
 	dovecot_stream_connect_auth(postfix_smtpd_t)
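Review bot: The removed `mta_read_aliases(postfix_smtpd_t)` maps one-to-one onto `mail_read_aliases(postfix_smtpd_t)`; substituting it here keeps smtpd's alias lookups working instead of leaving a commented-out line for someone to rediscover later.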
@@ -793,10 +793,10 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
 
 corecmd_exec_bin(postfix_virtual_t)
 
-mta_read_aliases(postfix_virtual_t)
-mta_delete_spool(postfix_virtual_t)
-mta_read_config(postfix_virtual_t)
-mta_manage_spool(postfix_virtual_t)
+#mta_read_aliases(postfix_virtual_t)
+#mta_delete_spool(postfix_virtual_t)
+#mta_read_config(postfix_virtual_t)
+#mta_manage_spool(postfix_virtual_t)
 
 userdom_manage_user_home_dirs(postfix_virtual_t)
 userdom_manage_user_home_content_dirs(postfix_virtual_t)
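Review bot: postfix_virtual_t loses alias, config and queue access here with no mailinfra replacement, while it keeps `userdom_manage_user_home_dirs()` on the next lines, so the domain retains broad home-directory access but can no longer read its own mail configuration. `mail_read_aliases`, `mail_read_etc`, `mail_delete_queue_files` and `mail_manage_queue` are the equivalents in the new module, and `mail_delivery_agent_type(postfix_virtual_t)` would cover the Maildir part the same way it does for local.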
@@ -828,4 +828,11 @@ ifdef(`distro_gentoo',`
 	#
 
 	rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+	#####################################
+	#
+	# Integrate with mailinfra
+	#
+	mail_delivery_agent_type(postfix_local_t)
+	mail_submission_agent_type(postfix_postdrop_t)
 ')
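Review bot: The two `mail_*_type()` calls are placed inside `ifdef(`distro_gentoo')`, but the `mta_*` rules they replace were removed unconditionally, so a non-Gentoo build of this file ends up with postfix_local_t and postfix_postdrop_t carrying neither the old nor the new attributes. Move the calls out of the distro block, and if the mail module is not built as part of base policy, wrap them in `optional_policy(` ... `')` so a build without it still links. postfix_t, postfix_smtp_t, postfix_postqueue_t and postfix_virtual_t lost their mta attributes earlier in this commit and receive nothing here; given the commit's stated purpose, `mail_delivery_agent_type(postfix_virtual_t)` at least looks like an omission.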



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     4fb68436661883dd99e77f361845e544c45e4d30
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 30 22:13:36 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4fb68436

Fix mutt - make MUA and assign content type to tmp files

---
 policy/modules/contrib/mutt.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/mutt.te b/policy/modules/contrib/mutt.te
index 393b943..805a763 100644
--- a/policy/modules/contrib/mutt.te
+++ b/policy/modules/contrib/mutt.te
@@ -8,6 +8,7 @@ policy_module(mutt, 1.0.0)
 type mutt_t;
 type mutt_exec_t;
 application_domain(mutt_t, mutt_exec_t)
+mail_user_agent_type(mutt_t)
 ubac_constrained(mutt_t)
 
 type mutt_conf_t;
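Review bot: `mail_user_agent_type(mutt_t)` is called unconditionally; unless the mail module is part of base policy it should sit inside `optional_policy(` ... `')` so mutt still builds when the module is absent. The attribute also carries a domain transition to user_sendmail_t via `mail_user_agent_privs()` in mail.te, which is only usable by roles that were set up through `mail_role()`; that dependency is worth a comment here, e.g. `# MUA: Maildir access and sendmail transition; the calling role needs mail_role()`.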
@@ -21,6 +22,7 @@ userdom_user_home_content(mutt_home_t)
 
 type mutt_tmp_t;
 files_tmp_file(mutt_tmp_t)
+mail_content_type(mutt_tmp_t)
 ubac_constrained(mutt_tmp_t)
 
 ############################



* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
  To: gentoo-commits

commit:     59c8beea03614be56f98381144d1bb695d882d2e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:01:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=59c8beea

Mail Infrastructure Policy

The mail infrastructure policy uses the common mail infrastructure
terminology for its attributes, and provides a common interface for mail
related infrastructure to use SELinux.

---
 policy/modules/contrib/mail.fc |   7 +
 policy/modules/contrib/mail.if | 770 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/mail.te |  91 +++++
 3 files changed, 868 insertions(+)

diff --git a/policy/modules/contrib/mail.fc b/policy/modules/contrib/mail.fc
new file mode 100644
index 0000000..1f0437e
--- /dev/null
+++ b/policy/modules/contrib/mail.fc
@@ -0,0 +1,7 @@
+HOME_DIR/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/etc/mail(/.*)?		gen_context(system_u:object_r:mail_etc_t,s0)
+
+# Only effective files are labeled as sendmail_exec_t, esp. symlinks should remain bin_t
+/usr/sbin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
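Review bot: The types that mail.if creates by name transition have no file-context entries, so a `restorecon` of a home directory relabels them back to generic home content: `.forward` and `.mailrc` are transitioned to mail_home_t in `mail_role()`, and mail_aliases_t is declared in mail.te but labels nothing here. Add `HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)` and `HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)`, plus an `/etc/aliases(\.db)? -- gen_context(system_u:object_r:mail_aliases_t,s0)` entry, since the postfix change in this series creates `aliases` and `aliases.db` under /etc. mail_queue_t likewise has no spool path yet, presumably because the spool layout is MTA-specific; a comment saying so would stop readers from assuming it was forgotten.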

diff --git a/policy/modules/contrib/mail.if b/policy/modules/contrib/mail.if
new file mode 100644
index 0000000..b6badab
--- /dev/null
+++ b/policy/modules/contrib/mail.if
@@ -0,0 +1,770 @@
+## <summary>Common e-mail infrastructure policy</summary>
+
+#########################################
+## <summary>
+##	Role access for mail access and usage
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`mail_role',`
+	gen_require(`
+		attribute_role user_sendmail_roles;
+		attribute mail_submission_agent;
+		type mail_home_rw_t;
+		type mail_home_t;
+		type sendmail_exec_t;
+		type user_sendmail_t;
+	')
+
+	roleattribute $1 user_sendmail_roles;
+	role $1 types mail_submission_agent;
+
+	# End users can invoke sendmail to send e-mails
+	domtrans_pattern($2, sendmail_exec_t, user_sendmail_t)
+
+	allow $2 user_sendmail_t:process { ptrace signal_perms };
+	ps_process_pattern($2, user_sendmail_t)
+
+	allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
+	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
+	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
+
+	allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
+	allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
+
+	optional_policy(`
+		exim_run($2, $1)
+	')
+
+	optional_policy(`
+		mailman_run($2, $1)
+	')
+')
+
+#########################################
+## <summary>
+##	Execute sendmail and interact with the system_sendmail_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to execute and transition
+##	</summary>
+## </param>
+#
+interface(`mail_run_sendmail',`
+	gen_require(`
+		type system_sendmail_t;
+	')
+
+	mail_domtrans_sendmail($1)
+
+	allow $1 system_sendmail_t:process { signal };
+')
+
+#########################################
+## <summary>
+##	Execute sendmail and transition to the system_sendmail_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to execute and transition
+##	</summary>
+## </param>
+#
+interface(`mail_domtrans_sendmail',`
+	gen_require(`
+		type system_sendmail_t;
+		type sendmail_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, sendmail_exec_t, system_sendmail_t)
+')
+
+#########################################
+## <summary>
+##	Execute sendmail in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_exec_sendmail',`
+	gen_require(`
+		type sendmail_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, sendmail_exec_t)
+')
+
+#########################################
+## <summary>
+##	Mark the type as a mail content type (mail generated by or for a mail user agent)
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to mark as mail content
+##	</summary>
+## </param>
+#
+interface(`mail_content_type',`
+	gen_require(`
+		attribute mail_content;
+	')
+
+	typeattribute $1 mail_content;
+')
+
+#########################################
+## <summary>
+##	Mark the type as a mail deliver agent domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be assigned the mail_delivery_agent attribute
+##	</summary>
+## </param>
+#
+interface(`mail_delivery_agent_type',`
+	gen_require(`
+		attribute mail_delivery_agent;
+	')
+
+	typeattribute $1 mail_delivery_agent;
+')
+
+#########################################
+## <summary>
+##	Assign all privileges for the domain to act as a mail delivery agent (MDA)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type or attribute to assign MDA privileges to
+##	</summary>
+## </param>
+#
+interface(`mail_delivery_agent_privs',`
+	gen_require(`
+		type mail_home_rw_t;
+		type mail_etc_t;
+	')
+
+	# Read mail settings
+	read_files_pattern($1, mail_etc_t, mail_etc_t)
+	# Manage user mail files
+	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+')
+
+#########################################
+## <summary>
+##	Mark the type as a mail submission agent domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be assigned the mail_submission_agent attribute
+##	</summary>
+## </param>
+#
+interface(`mail_submission_agent_type',`
+	gen_require(`
+		attribute mail_submission_agent;
+	')
+
+	typeattribute $1 mail_submission_agent;
+')
+
+#########################################
+## <summary>
+##	Mark the type as a mail transfer agent domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be assigned the mail_transfer_agent attribute
+##	</summary>
+## </param>
+#
+interface(`mail_transfer_agent_type',`
+	gen_require(`
+		attribute mail_transfer_agent;
+	')
+
+	typeattribute $1 mail_transfer_agent;
+')
+
+#########################################
+## <summary>
+##	Assign all privileges for the domain to act as a mail transfer agent (MTA)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type or attribute to assign MTA privileges to
+##	</summary>
+## </param>
+#
+interface(`mail_transfer_agent_privs',`
+	gen_require(`
+		type mail_etc_t;
+	')
+
+	read_files_pattern($1, mail_etc_t, mail_etc_t)
+')
+
+#########################################
+## <summary>
+##	Mark the type as a mail user agent domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be assigned the mail_user_agent attribute
+##	</summary>
+## </param>
+#
+interface(`mail_user_agent_type',`
+	gen_require(`
+		attribute mail_user_agent;
+	')
+
+	typeattribute $1 mail_user_agent;
+')
+
+#########################################
+## <summary>
+##	Assign all privileges for the domain to act as a mail user agent (MUA)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type or attribute to assign MUA privileges to
+##	</summary>
+## </param>
+#
+interface(`mail_user_agent_privs',`
+	gen_require(`
+		type mail_home_rw_t;
+	')
+
+	# Manage user mail files
+	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+
+	# Call sendmail to send out mails
+	domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)
+')
+
+#########################################
+## <summary>
+##	Read mail aliases files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_read_aliases',`
+	gen_require(`
+		type mail_etc_t;
+		type mail_aliases_t;
+	')
+
+	files_search_etc($1)
+	allow $1 mail_etc_t:dir list_dir_perms;
+	allow $1 mail_etc_t:lnk_file read_lnk_file_perms;
+	allow $1 mail_aliases_t:file read_file_perms;
+')
+
+#########################################
+## <summary>
+##	Create specified object in generic etc directories with the mail aliases type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	The object class of the object being created
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created
+##	</summary>
+## </param>
+#
+interface(`mail_generic_etc_filetrans_aliases',`
+	gen_require(`
+		type mail_aliases_t;
+	')
+
+	files_etc_filetrans($1, mail_aliases_t, $2, $3)
+')
+
+#########################################
+## <summary>
+##	Create specified object in the specified directory type with the mail aliases type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="dir_type">
+##	<summary>
+##	Directory to transition on
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	The object class of the object being created
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created
+##	</summary>
+## </param>
+#
+interface(`mail_spec_filetrans_aliases',`
+	gen_require(`
+		type mail_aliases_t;
+	')
+
+	filetrans_pattern($1, $2, mail_aliases_t, $3, $4)
+')
+
+#########################################
+## <summary>
+##	Manage mail aliases files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_manage_aliases',`
+	gen_require(`
+		type mail_etc_t;
+		type mail_aliases_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1, { mail_aliases_t mail_etc_t }, mail_aliases_t)
+	manage_lnk_files_pattern($1, { mail_aliases_t mail_etc_t }, mail_aliases_t)
+')
+
+#########################################
+## <summary>
+##	Do not audit attempts to read and write TCP sockets of mail delivery agents
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit
+##	</summary>
+## </param>
+#
+interface(`mail_dontaudit_rw_delivery_agent_tcp_sockets',`
+	gen_require(`
+		attribute mail_delivery_agent;
+	')
+
+	dontaudit $1 mail_delivery_agent:tcp_socket { read write };
+')
+
+#########################################
+## <summary>
+##	Read mail configuration / miscellaneous files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_read_etc',`
+	gen_require(`
+		type mail_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 mail_etc_t:dir list_dir_perms;
+	allow $1 mail_etc_t:file read_file_perms;
+	allow $1 mail_etc_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+##	Read and write mail configuration / miscellaneous files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_rw_etc',`
+	gen_require(`
+		type mail_etc_t;
+	')
+
+	files_search_etc($1)
+	write_files_pattern($1, mail_etc_t, mail_etc_t)
+')
+
+#########################################
+## <summary>
+##	Read mail home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_read_home_files',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 mail_home_t:file read_file_perms;
+')
+
+#########################################
+## <summary>
+##	Manage mail home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_manage_home_files',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 mail_home_t:file manage_file_perms;
+')
+
+#########################################
+## <summary>
+##	Manage mail read/write home resources (files accessible and manageable
+##	by the mail domains).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_manage_home_rw',`
+	gen_require(`
+		type mail_home_rw_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+')
+
+#########################################
+## <summary>
+##	Get attributes of the mail queue content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_getattr_queue',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_queue_t:dir list_dir_perms;
+	getattr_files_pattern($1, mail_queue_t, mail_queue_t)
+	read_lnk_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+##	Do not audit getting the attributes of the mail queue content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_dontaudit_getattr_queue',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_dontaudit_search_queue($1)
+	dontaudit $1 mail_queue_t:dir list_dir_perms;
+	dontaudit $1 mail_queue_t:lnk_file read_lnk_file_perms;
+	dontaudit $1 mail_queue_t:file getattr_file_perms;
+')
+
+#########################################
+## <summary>
+##	Search through mail queue directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_search_queue',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_queue_t:dir search_dir_perms;
+')
+
+#########################################
+## <summary>
+##	List mail queue directory content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_list_queue',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_queue_t:dir list_dir_perms;
+')
+
+#########################################
+## <summary>
+##	Read mail queue files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_read_queue_files',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+##	Do not audit attempts to read the mail queue symlinks
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`mail_dontaudit_read_queue_symlinks',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	dontaudit $1 mail_queue_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+##	Read and write mail queue files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_rw_queue_files',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_queue_t:dir list_dir_perms;
+	allow $1 mail_queue_t:file rw_file_perms;
+	allow $1 mail_queue_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+##	Do not audit attempts to read and write mail queue files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit
+##	</summary>
+## </param>
+#
+interface(`mail_dontaudit_rw_queue_files',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+	dontaudit $1 mail_queue_t:dir search_dir_perms;
+	dontaudit $1 mail_queue_t:file rw_file_perms;
+')
+
+#########################################
+## <summary>
+##	Create specified objects in the mail queue directory with a specified type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="target_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	The class of the object being created
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created
+##	</summary>
+## </param>
+#
+interface(`mail_queue_filetrans',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+	filetrans_pattern($1, mail_queue_t, $2, $3, $4)
+')
+
+#########################################
+## <summary>
+##	Delete mail queue files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_delete_queue_files',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+	delete_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+##	Manage mail queue files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_manage_queue_files',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+	
+	allow $1 mail_queue_t:dir list_dir_perms;
+	allow $1 mail_queue_t:lnk_file read_lnk_file_perms;
+	manage_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+##	Manage mail queue resources
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_manage_queue',`
+	gen_require(`
+		type mail_queue_t;
+	')
+
+	files_search_spool($1)
+
+	manage_dirs_pattern($1, mail_queue_t, mail_queue_t)
+	manage_files_pattern($1, mail_queue_t, mail_queue_t)
+	manage_lnk_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+##	Read sendmail binary
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mail_read_sendmail_executable',`
+	gen_require(`
+		type sendmail_exec_t;
+	')
+
+	allow $1 sendmail_exec_t:file read_file_perms;
+')
+
+

diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te
new file mode 100644
index 0000000..71bc6a4
--- /dev/null
+++ b/policy/modules/contrib/mail.te
@@ -0,0 +1,91 @@
+policy_module(mailinfra, 1.0)
+
+# This will become the new mta when finished. For now, use a different name
+
+#########################################
+#
+# Declarations
+#
+
+# Domain attributes, see http://en.wikipedia.org/wiki/Email_agent_%28infrastructure%29
+attribute mail_user_agent;
+attribute mail_submission_agent;
+attribute mail_transfer_agent;
+attribute mail_delivery_agent;
+attribute mail_retrieval_agent;
+
+# Resource attributes
+attribute mail_content;
+
+# Access to user-based sendmail
+attribute_role user_sendmail_roles;
+
+# TODO deleteme
+attribute mta_exec_type;
+type system_mail_t;
+application_type(system_mail_t)
+attribute mta_user_agent;
+attribute user_mail_domain;
+attribute mailserver_domain;
+attribute mailserver_sender;
+attribute mailserver_delivery;
+
+# Generic domain types
+type sendmail_exec_t;
+
+type user_sendmail_t;
+userdom_user_application_domain(user_sendmail_t, sendmail_exec_t)
+role user_sendmail_roles types user_sendmail_t;
+
+type system_sendmail_t;
+application_domain(system_sendmail_t, sendmail_exec_t)
+
+# Generic types
+type mail_aliases_t alias etc_aliases_t;
+files_type(mail_aliases_t)
+
+type mail_etc_t alias etc_mail_t;
+files_config_file(mail_etc_t)
+
+# Files manageable by end user but read-only for the mail_*_agent domains
+type mail_home_t;
+userdom_user_home_content(mail_home_t)
+
+type mail_home_rw_t;
+userdom_user_home_content(mail_home_rw_t)
+
+type mail_queue_t;
+files_mountpoint(mail_queue_t)
+
+#########################################
+#
+# Mail Delivery Agent policy
+#
+
+mail_delivery_agent_privs(mail_delivery_agent)
+
+#########################################
+#
+# Mail Transfer Agent policy
+#
+
+mail_transfer_agent_privs(mail_transfer_agent)
+
+#########################################
+#
+# Mail User Agent policy
+#
+
+mail_user_agent_privs(mail_user_agent)
+
+#########################################
+#
+# User-based sendmail domain
+#
+
+allow user_sendmail_t mail_content:file { read_file_perms append_file_perms };
+
+# Postfix implementation specifics
+ifdef(`use_postfix',`
+	postfix_user_sendmail_privs(user_sendmail_t)
+')
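Review bot: The `TODO deleteme` section redeclares `system_mail_t` and the `mta_exec_type`/`mailserver_*` attributes, and the `etc_aliases_t`/`etc_mail_t` type aliases appear to reuse the existing mta module's type names; if mta is still built alongside this module these will clash at link time, so the header should say so, e.g. `# NOTE: conflicts with mta.te; only one of the two modules may be built`. `mail_retrieval_agent` is declared but has no `_type` interface or privileges anywhere in this series, and user_sendmail_t gets `{ read_file_perms append_file_perms }` on mail_content, where read is what a submission path needs and append on a MUA's temporary files looks unintended and deserves a justification. The `ifdef(`use_postfix')` guard keys on a build-time define rather than on whether the postfix module is present; `optional_policy(` ... `')` is the usual mechanism for that.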

