* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-08-24 8:02 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-24 8:02 UTC (permalink / raw
To: gentoo-commits
commit: b7cab4f7955034ccbfc097c0214f5b6071e2d6f4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:01:16 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Aug 23 19:01:16 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b7cab4f7
Initial policy
---
policy/modules/contrib/mail.fc | 7 +++
policy/modules/contrib/mail.if | 99 ++++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/mail.te | 85 ++++++++++++++++++++++++++++++++++++
3 files changed, 191 insertions(+)
diff --git a/policy/modules/contrib/mail.fc b/policy/modules/contrib/mail.fc
new file mode 100644
index 0000000..1f0437e
--- /dev/null
+++ b/policy/modules/contrib/mail.fc
@@ -0,0 +1,7 @@
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/etc/mail(/.*)? gen_context(system_u:object_r:mail_etc_t,s0)
+
+# Only effective files are labeled as sendmail_exec_t, esp. symlinks should remain bin_t
+/usr/sbin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
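Review bot: Nothing in this file assigns `mail_aliases_t`, although mail.te in the same commit declares it and marks it with `files_type(mail_aliases_t)`. As written, alias files below /etc/mail pick up `mail_etc_t` from the `/etc/mail(/.*)?` entry, so a rule written against `mail_aliases_t` would match no file on disk. If the type is meant to be used, add an entry along the lines of `/etc/mail/aliases.* -- gen_context(system_u:object_r:mail_aliases_t,s0)`, with the exact paths confirmed against the MTAs being supported.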
diff --git a/policy/modules/contrib/mail.if b/policy/modules/contrib/mail.if
new file mode 100644
index 0000000..e451d9c
--- /dev/null
+++ b/policy/modules/contrib/mail.if
@@ -0,0 +1,99 @@
+## <summary>Common e-mail infrastructure policy</summary>
+
+#########################################
+## <summary>
+## Role access for mail access and usage
+##</summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mail_role',`
+ gen_require(`
+ attribute_role user_sendmail_roles;
+ type mail_home_rw_t;
+ type sendmail_exec_t;
+ type user_sendmail_t;
+ ')
+
+ roleattribute $1 user_sendmail_roles;
+
+ domtrans_pattern($2, sendmail_exec_t, user_sendmail_t)
+
+ allow $2 user_sendmail_t:process { ptrace signal_perms };
+ ps_process_pattern($2, user_sendmail_t)
+
+ allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail content type (mail generated by or for a mail user agent)
+## </summary>
+## <param name="type">
+## <summary>
+## Type to mark as mail content
+## </summary>
+## </param>
+#
+interface(`mail_content_type',`
+ gen_require(`
+ attribute mail_content;
+ ')
+
+ typeattribute $1 mail_content;
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail user agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_user_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_type',`
+ gen_require(`
+ attribute mail_user_agent;
+ ')
+
+ typeattribute $1 mail_user_agent;
+')
+
+#########################################
+## <summary>
+## Assign all privileges for the domain to act as a mail user agent (MUA)
+## </summary>
+## <param name="domain">
+## <summary>
+## Type or attribute to assign MUA privileges to
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_privs',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ # Manage user mail files
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+
+ # Call sendmail to send out mails
+ domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)
+')
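Review bot: `mail_user_agent_privs` uses `sendmail_exec_t` and `user_sendmail_t` in its `domtrans_pattern` call, but its `gen_require` block lists only `mail_home_rw_t`, so a module other than mailinfra that calls the interface would fail on undeclared types. Add `type sendmail_exec_t;` and `type user_sendmail_t;` to the require block, as `mail_role` already does. Separately, `mail_role` grants the user domain `ptrace` on `user_sendmail_t`. Since that lets the calling domain inspect and alter the helper's memory, it is worth confirming that `signal_perms` alone is not enough.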
diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te
new file mode 100644
index 0000000..68af687
--- /dev/null
+++ b/policy/modules/contrib/mail.te
@@ -0,0 +1,85 @@
+policy_module(mailinfra, 1.0)
+
+# This will become the new mta when finished. For now, use a different name
+
+#########################################
+#
+# Declarations
+#
+
+# Domain attributes, see http://en.wikipedia.org/wiki/Email_agent_%28infrastructure%29
+attribute mail_user_agent;
+attribute mail_submission_agent;
+attribute mail_transfer_agent;
+attribute mail_delivery_agent;
+attribute mail_retrieval_agent;
+
+# Resource attributes
+attribute mail_content;
+
+# Access to user-based sendmail
+attribute_role user_sendmail_roles;
+
+# TODO deleteme
+attribute mta_exec_type;
+type system_mail_t;
+application_type(system_mail_t)
+attribute mta_user_agent;
+type mail_spool_t;
+attribute user_mail_domain;
+attribute mailserver_domain;
+attribute mailserver_sender;
+attribute mailserver_delivery;
+
+# Generic domain types
+type sendmail_exec_t;
+
+type user_sendmail_t;
+userdom_user_application_domain(user_sendmail_t, sendmail_exec_t)
+role user_sendmail_roles types user_sendmail_t;
+
+type system_sendmail_t;
+
+# Generic types
+type mail_aliases_t alias etc_aliases_t;
+files_type(mail_aliases_t)
+
+type mail_etc_t alias etc_mail_t;
+files_config_file(mail_etc_t)
+
+type mail_home_rw_t;
+userdom_user_home_content(mail_home_rw_t)
+
+#########################################
+#
+# Mail User Agent policy
+#
+
+mail_user_agent_privs(mail_user_agent)
+
+#########################################
+#
+# User-based sendmail domain
+#
+
+allow user_sendmail_t mail_content:file { read_file_perms append_file_perms };
+
+miscfiles_read_localization(user_sendmail_t)
+
+# Postfix implementation specifics
+ifdef(`use_postfix',`
+ # TODO Bring this into a postfix_sendmail_privs interface
+ allow user_sendmail_t self:process { setrlimit };
+ allow user_sendmail_t self:tcp_socket create_socket_perms;
+ allow user_sendmail_t self:unix_dgram_socket create_socket_perms;
+
+ kernel_read_network_state(user_sendmail_t)
+
+ auth_use_nsswitch(user_sendmail_t)
+
+ logging_send_syslog_msg(user_sendmail_t)
+
+ postfix_domtrans_postdrop(user_sendmail_t)
+ postfix_read_config(user_sendmail_t)
+ postfix_read_spool_files(user_sendmail_t)
+')
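Review bot: The three `postfix_*` calls inside the `ifdef` on `use_postfix` are not wrapped in `optional_policy`, so once `use_postfix` is defined the mailinfra module presumably cannot be loaded unless the postfix module is present as well. Putting them in an `optional_policy` block keeps that dependency soft. `use_postfix` is not defined anywhere in this diff. If the build never sets it, the whole block, including the `setrlimit` and socket rules, is dropped without a message, so a comment naming where the macro is expected to come from would help. `type system_sendmail_t;` and `type mail_spool_t;` are also declared without any domain or file attribute, which leaves them as bare types until a later change.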
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-08-24 8:02 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-24 8:02 UTC (permalink / raw
To: gentoo-commits
commit: a2d1f61b74fda94cd0553ba94174bace791cbeee
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:15:48 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Aug 23 19:15:48 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a2d1f61b
Introduce postfix_user_sendmail_privs
---
policy/modules/contrib/postfix.if | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..2e1df2c 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -756,3 +756,33 @@ interface(`postfix_admin',`
can_exec($1, postfix_showq_exec_t)
')
')
+
+# ifdef distro_gentoo
+
+#########################################
+## <summary>
+## Assign privileges for Postfix sendmail
+## </summary>
+## <param name="domain:>
+## <summary>
+## Domain to assign privileges to
+## </summary>
+## </param>
+#
+interface(`postfix_user_sendmail_privs',`
+ allow $1 self:process { setrlimit };
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+
+ kernel_read_network_state($1)
+
+ logging_send_syslog_msg($1)
+
+ auth_use_nsswitch($1)
+
+ optional_policy(`
+ postfix_domtrans_postdrop($1)
+ postfix_read_config($1)
+ postfix_read_spool_files($1)
+ ')
+')
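Review bot: The parameter tag on the new interface is malformed: `## <param name="domain:>` has a colon where the closing quote belongs, so the interface documentation XML will not parse. It should read `## <param name="domain">`. The `self:tcp_socket create_socket_perms` rule is carried over from mail.te without any matching network rule in this interface. It is worth confirming that it is really required (for instance by the nsswitch lookups) rather than a leftover, since this interface now hands it to every caller.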
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-08-24 8:02 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-24 8:02 UTC (permalink / raw
To: gentoo-commits
commit: d79c9c8d3840afdece3a9b93b5d426d611e14819
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:16:31 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Aug 23 19:16:31 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d79c9c8d
Use postfix_user_sendmail_privs
---
policy/modules/contrib/mail.te | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te
index 68af687..aad451d 100644
--- a/policy/modules/contrib/mail.te
+++ b/policy/modules/contrib/mail.te
@@ -68,18 +68,5 @@ miscfiles_read_localization(user_sendmail_t)
# Postfix implementation specifics
ifdef(`use_postfix',`
- # TODO Bring this into a postfix_sendmail_privs interface
- allow user_sendmail_t self:process { setrlimit };
- allow user_sendmail_t self:tcp_socket create_socket_perms;
- allow user_sendmail_t self:unix_dgram_socket create_socket_perms;
-
- kernel_read_network_state(user_sendmail_t)
-
- auth_use_nsswitch(user_sendmail_t)
-
- logging_send_syslog_msg(user_sendmail_t)
-
- postfix_domtrans_postdrop(user_sendmail_t)
- postfix_read_config(user_sendmail_t)
- postfix_read_spool_files(user_sendmail_t)
+ postfix_user_sendmail_privs(user_sendmail_t)
')
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: c2dd56c2dde1ba447b12a65ba12ac3decf2f16cd
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 16:52:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:38 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c2dd56c2
Allow salt to call grub-mkconfig
---
policy/modules/contrib/salt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 279edfb..8388253 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -294,6 +294,10 @@ optional_policy(`
')
optional_policy(`
+ bootloader_domtrans(salt_minion_t)
+')
+
+optional_policy(`
mount_domtrans(salt_minion_t)
')
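Review bot: `bootloader_domtrans(salt_minion_t)` lets the minion enter the bootloader domain through any bootloader entry point, which is broader than the grub-mkconfig use named in the commit title, and the minion acts on instructions it receives from a master. Consider placing the call behind a boolean with `tunable_policy`, so that sites which do not manage boot configuration through salt keep it off. A comment above the block would also help, for example `# salt states that regenerate the grub configuration run grub-mkconfig`. The neighbouring `optional_policy` blocks begin and end outside this hunk.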
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: b1bdc46e60bb68eb54844d999197cddfed0ec5ad
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 24 09:23:27 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1bdc46e
Create mta wrapper
Also temporarily rename the mta policy (instead of removing it) so we
can consult it during development of the new mail infrastructure policy.
---
policy/modules/contrib/{mta.fc => mta.fc.orig} | 0
policy/modules/contrib/mta.if | 544 ++++++-------------------
policy/modules/contrib/{mta.if => mta.if.orig} | 0
policy/modules/contrib/mta.te | 408 -------------------
policy/modules/contrib/{mta.te => mta.te.orig} | 0
5 files changed, 121 insertions(+), 831 deletions(-)
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc.orig
similarity index 100%
rename from policy/modules/contrib/mta.fc
rename to policy/modules/contrib/mta.fc.orig
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 48a2845..57c2e33 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -1,20 +1,7 @@
-## <summary>Common e-mail transfer agent policy.</summary>
-
-########################################
-## <summary>
-## MTA stub interface. No access allowed.
-## </summary>
-## <param name="domain" unused="true">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
+## <summary>Wrapper for common e-mail transfer agent policy.</summary>
#
-interface(`mta_stub',`
- gen_require(`
- type sendmail_exec_t;
- ')
-')
+# The mta policy is no longer supported in Gentoo and has been deprecated
+# in favor of the mail policy.
#######################################
## <summary>
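Review bot: `mta_stub` is deleted outright here rather than kept as a deprecated wrapper, and the same happens to `mta_rw_aliases` in the later hunk that rewrites `mta_spec_filetrans_aliases`. Every other interface in the file keeps its name and emits a `refpolicywarn`, so a module still calling either of these two would fail to build on an unexpanded macro instead of getting a deprecation warning. Keeping both as stubs whose body is only the `refpolicywarn` call used in `mta_base_mail_template` would make the transition uniform.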
@@ -27,41 +14,12 @@ interface(`mta_stub',`
## </param>
#
template(`mta_base_mail_template',`
- gen_require(`
- attribute user_mail_domain;
- type sendmail_exec_t;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type $1_mail_t, user_mail_domain;
- application_domain($1_mail_t, sendmail_exec_t)
-
- type $1_mail_tmp_t;
- files_tmp_file($1_mail_tmp_t)
-
- ########################################
- #
- # Declarations
- #
-
- manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
- manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
- files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
-
- auth_use_nsswitch($1_mail_t)
-
- optional_policy(`
- postfix_domtrans_user_mail_handler($1_mail_t)
- ')
+ refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
-## Role access for mta.
+## Role access for mta (deprecated, use mail_role instead).
## </summary>
## <param name="role">
## <summary>
@@ -82,46 +40,14 @@ interface(`mta_role',`
type user_mail_tmp_t, mail_home_rw_t;
')
- roleattribute $1 user_mail_roles;
-
- # this is something i need to fix
- # i dont know if and why it is needed
- # will role attribute work?
- role $1 types mta_user_agent;
+ refpolicywarn(`$0($*) has been deprecated. Please use mail_role instead.')
- domtrans_pattern($2, sendmail_exec_t, user_mail_t)
- allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
-
- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
- ps_process_pattern($2, { user_mail_t mta_user_agent })
-
- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
-
- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
-
- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
-
- optional_policy(`
- exim_run($2, $1)
- ')
-
- optional_policy(`
- mailman_run($2, $1)
- ')
+ mail_role($1, $2)
')
########################################
## <summary>
-## Make the specified domain usable for a mail server.
+## Make the specified domain usable for a mail server (deprecated, use mail_*_agent_type instead).
## </summary>
## <param name="type">
## <summary>
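Review bot: The `gen_require` block kept at the top of `mta_role` still requires `user_mail_tmp_t`, and nothing visible in this series declares that type any more. The block starts above this hunk; `type user_mail_tmp_t, mail_home_rw_t;` is its visible tail. The previous hunk empties `mta_base_mail_template`, which used to create the `$1_mail_tmp_t` types, and the mail.te shown earlier in the thread does not declare it. If that holds, every caller of the deprecated `mta_role` fails on an unsatisfied requirement before `mail_role($1, $2)` is reached. The new body uses none of those types directly, so the require block can be dropped. The wrapper also no longer calls `exim_run` and `mailman_run`, which existing callers may have relied on.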
@@ -139,13 +65,13 @@ interface(`mta_mailserver',`
attribute mailserver_domain;
')
- init_daemon_domain($1, $2)
- typeattribute $1 mailserver_domain;
+ refpolicywarn(`$0($*) is deprecated, use mail_*_agent_type instead. Defaulting to mail_transfer_agent_type.')
+ mail_transfer_agent_type($1)
')
########################################
## <summary>
-## Make the specified type a MTA executable file.
+## Make the specified type a MTA executable file (deprecated).
## </summary>
## <param name="type">
## <summary>
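Review bot: The rewritten `mta_mailserver` ignores its second argument: `init_daemon_domain($1, $2)` is removed and only `mail_transfer_agent_type($1)` remains. Unless that interface declares the domain and its entry point itself, callers no longer get a daemon domain or the transition from init, and the mail daemon would stay in the caller's domain instead of its own confined one. `mta_sendmail_mailserver` further down loses `init_system_domain($1, sendmail_exec_t)` in the same way. Either keep the `init_*_domain` call in the wrapper or say in the warning text that callers must now declare the domain themselves. The `gen_require` for `mailserver_domain`, which begins above this hunk, is no longer used by the new body.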
@@ -154,18 +80,13 @@ interface(`mta_mailserver',`
## </param>
#
interface(`mta_agent_executable',`
- gen_require(`
- attribute mta_exec_type;
- ')
-
- typeattribute $1 mta_exec_type;
-
+ refpolicywarn(`$0($*) is deprecated.')
application_executable_file($1)
')
#######################################
## <summary>
-## Read mta mail home files.
+## Read mta mail home files (deprecated, use mail_read_home_files instead).
## </summary>
## <param name="domain">
## <summary>
@@ -174,18 +95,14 @@ interface(`mta_agent_executable',`
## </param>
#
interface(`mta_read_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file read_file_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_read_home_files instead.')
+ mail_read_home_files($1)
')
#######################################
## <summary>
## Create, read, write, and delete
-## mta mail home files.
+## mta mail home files (deprecated, use mail_manage_home_files instead).
## </summary>
## <param name="domain">
## <summary>
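Review bot: `mail_read_home_files` is not among the interfaces defined in mail.if as introduced earlier in this thread, which are `mail_role`, `mail_content_type`, `mail_user_agent_type` and `mail_user_agent_privs`. The same is true of most replacements named in this file, starting with `mail_transfer_agent_type` in the `mta_mailserver` hunk. They may be added by other commits on the branch; if not, the call is left unexpanded and any module that still uses the deprecated `mta_*` name fails to compile. Landing the `mail_*` interfaces before or together with the wrappers that call them, or keeping the old body until the replacement exists, avoids a window in which dependent modules cannot be built.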
@@ -194,19 +111,15 @@ interface(`mta_read_mail_home_files',`
## </param>
#
interface(`mta_manage_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file manage_file_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_manage_home_files instead.')
+ mail_manage_home_files($1)
')
########################################
## <summary>
## Create specified objects in user home
## directories with the generic mail
-## home type.
+## home type (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -225,17 +138,14 @@ interface(`mta_manage_mail_home_files',`
## </param>
#
interface(`mta_home_filetrans_mail_home',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
+ refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type declarations. Defaulting to delivery agent.')
+ mail_delivery_agent_privs($1)
')
#######################################
## <summary>
## Create, read, write, and delete
-## mta mail home rw content.
+## mta mail home rw content (deprecated, use mail_manage_home_rw).
## </summary>
## <param name="domain">
## <summary>
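Review bot: `mta_home_filetrans_mail_home` used to grant one thing: a file transition to `mail_home_t` for the object class and name passed as `$2` and `$3`. The wrapper now discards both arguments and calls `mail_delivery_agent_privs($1)`, which by its name hands the caller the whole delivery-agent privilege set. `mta_home_filetrans_mail_home_rw` gets the same treatment two hunks later. A deprecation shim should not widen what existing callers receive. If no narrow equivalent exists yet in the mail policy, a warning-only stub like the one `mta_kill_system_mail` becomes is the safer default.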
@@ -244,21 +154,15 @@ interface(`mta_home_filetrans_mail_home',`
## </param>
#
interface(`mta_manage_mail_home_rw_content',`
- gen_require(`
- type mail_home_rw_t;
- ')
-
- userdom_search_user_home_dirs($1)
- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ refpolicywarn(`$0($*) is deprecated, use mail_manage_home_rw instead')
+ mail_manage_home_rw($1)
')
########################################
## <summary>
## Create specified objects in user home
## directories with the generic mail
-## home rw type.
+## home rw type (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -277,16 +181,13 @@ interface(`mta_manage_mail_home_rw_content',`
## </param>
#
interface(`mta_home_filetrans_mail_home_rw',`
- gen_require(`
- type mail_home_rw_t;
- ')
-
- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
+ refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type declarations. Defaulting to delivery agent.')
+ mail_delivery_agent_privs($1)
')
########################################
## <summary>
-## Make the specified type by a system MTA.
+## Make the specified type by a system MTA (deprecated, use mail_content_type instead).
## </summary>
## <param name="type">
## <summary>
@@ -295,17 +196,14 @@ interface(`mta_home_filetrans_mail_home_rw',`
## </param>
#
interface(`mta_system_content',`
- gen_require(`
- attribute mailcontent_type;
- ')
-
- typeattribute $1 mailcontent_type;
+ refpolicywarn(`$0($*) is deprecated, use mail_content_type instead.')
+ mail_content_type($1)
')
########################################
## <summary>
## Modified mailserver interface for
-## sendmail daemon use.
+## sendmail daemon use (deprecated).
## </summary>
## <desc>
## <p>
@@ -328,20 +226,15 @@ interface(`mta_system_content',`
## </param>
#
interface(`mta_sendmail_mailserver',`
- gen_require(`
- attribute mailserver_domain;
- type sendmail_exec_t;
- ')
-
- init_system_domain($1, sendmail_exec_t)
+ refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type declarations. Defaulting to transfer agent.')
+ mail_transfer_agent_type($1)
- typeattribute $1 mailserver_domain;
')
#######################################
## <summary>
## Make a type a mailserver type used
-## for sending mail.
+## for sending mail (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -350,17 +243,14 @@ interface(`mta_sendmail_mailserver',`
## </param>
#
interface(`mta_mailserver_sender',`
- gen_require(`
- attribute mailserver_sender;
- ')
-
- typeattribute $1 mailserver_sender;
+ refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type declarations. Defaulting to submission agent.')
+ mail_submission_agent_type($1)
')
#######################################
## <summary>
## Make a type a mailserver type used
-## for delivering mail to local users.
+## for delivering mail to local users (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -369,18 +259,15 @@ interface(`mta_mailserver_sender',`
## </param>
#
interface(`mta_mailserver_delivery',`
- gen_require(`
- attribute mailserver_delivery;
- ')
-
- typeattribute $1 mailserver_delivery;
+ refpolicywarn(`$0($*) is deprecated, use mail_delivery_agent_type instead')
+ mail_delivery_agent_type($1)
')
#######################################
## <summary>
## Make a type a mailserver type used
## for sending mail on behalf of local
-## users to the local mail spool.
+## users to the local mail spool (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -389,16 +276,13 @@ interface(`mta_mailserver_delivery',`
## </param>
#
interface(`mta_mailserver_user_agent',`
- gen_require(`
- attribute mta_user_agent;
- ')
-
- typeattribute $1 mta_user_agent;
+ refpolicywarn(`$0($*) is deprecated, use mail_delivery_agent_type instead')
+ mail_delivery_agent_type($1)
')
########################################
## <summary>
-## Send mail from the system.
+## Send mail from the system (deprecated).
## </summary>
## <param name="domain">
## <summary>
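Review bot: `mta_mailserver_user_agent` is mapped to `mail_delivery_agent_type` with a warning string identical to the one in `mta_mailserver_delivery` in the hunk before, which looks like a copy-paste. The old interface assigned the `mta_user_agent` attribute, so domains marked through it would now be classified as delivery agents and receive whatever that attribute is granted. If a user or submission agent was intended, the call and message should name `mail_user_agent_type($1)` or `mail_submission_agent_type($1)` instead. Which role these callers actually play needs confirming.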
@@ -407,23 +291,8 @@ interface(`mta_mailserver_user_agent',`
## </param>
#
interface(`mta_send_mail',`
- gen_require(`
- type system_mail_t;
- attribute mta_exec_type;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, mta_exec_type, system_mail_t)
-
- allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-
- ifdef(`distro_gentoo',`
- gen_require(`
- attribute mta_user_agent;
- ')
-
- dontaudit mta_user_agent $1:fd use;
- ')
+ refpolicywarn(`$0($*) is deprecated, use mail_domtrans_sendmail instead')
+ mail_domtrans_sendmail($1)
')
########################################
@@ -452,19 +321,12 @@ interface(`mta_send_mail',`
## </param>
#
interface(`mta_sendmail_domtrans',`
- gen_require(`
- type sendmail_exec_t;
- ')
-
- corecmd_search_bin($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
-
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+ refpolicywarn(`$0($*) is deprecated.')
')
########################################
## <summary>
-## Send signals to system mail.
+## Send signals to system mail (deprecated).
## </summary>
## <param name="domain">
## <summary>
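Review bot: `mta_sendmail_domtrans` now expands to a warning and nothing else: the `domain_auto_trans($1, sendmail_exec_t, $2)` that callers relied on is gone and the message names no replacement. Its summary, which lies above this hunk, is also not marked deprecated like the others. `mta_kill_system_mail` is reduced the same way two hunks later. The policy still builds, but the caller is presumably denied when it tries to run sendmail, which only shows up at run time. Either name a successor in the warning text or keep the original rule until one exists.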
@@ -474,11 +336,8 @@ interface(`mta_sendmail_domtrans',`
#
#
interface(`mta_signal_system_mail',`
- gen_require(`
- type system_mail_t;
- ')
-
- allow $1 system_mail_t:process signal;
+ refpolicywarn(`$0($*) is deprecated, mail_run_sendmail instead')
+ mail_run_sendmail($1)
')
########################################
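Review bot: `mta_signal_system_mail` previously granted only `allow $1 system_mail_t:process signal;`, but the wrapper now calls `mail_run_sendmail($1)`. A `*_run` interface in refpolicy conventionally grants a domain transition plus a role association and takes a role as its second argument, so this call looks both broader than the original and one argument short. The warning text is also missing a word: `is deprecated, mail_run_sendmail instead` should read `is deprecated, use mail_run_sendmail instead`. If the new mail policy has no signal-only interface yet, a warning-only stub is the safer shim.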
@@ -492,11 +351,7 @@ interface(`mta_signal_system_mail',`
## </param>
#
interface(`mta_kill_system_mail',`
- gen_require(`
- type system_mail_t;
- ')
-
- allow $1 system_mail_t:process sigkill;
+ refpolicywarn(`$0($*) is deprecated.')
')
########################################
@@ -510,17 +365,13 @@ interface(`mta_kill_system_mail',`
## </param>
#
interface(`mta_sendmail_exec',`
- gen_require(`
- type sendmail_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, sendmail_exec_t)
+ refpolicywarn(`$0($*) is deprecated, use mail_exec_sendmail instead.')
+ mail_exec_sendmail($1)
')
########################################
## <summary>
-## Read mail server configuration content.
+## Read mail server configuration content (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -530,19 +381,13 @@ interface(`mta_sendmail_exec',`
## <rolecap/>
#
interface(`mta_read_config',`
- gen_require(`
- type etc_mail_t;
- ')
-
- files_search_etc($1)
- allow $1 etc_mail_t:dir list_dir_perms;
- allow $1 etc_mail_t:file read_file_perms;
- allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_read_etc instead.')
+ mail_read_etc($1)
')
########################################
## <summary>
-## Write mail server configuration files.
+## Write mail server configuration files (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -552,17 +397,13 @@ interface(`mta_read_config',`
## <rolecap/>
#
interface(`mta_write_config',`
- gen_require(`
- type etc_mail_t;
- ')
-
- files_search_etc($1)
- write_files_pattern($1, etc_mail_t, etc_mail_t)
+ refpolicywarn(`$0($*) is deprecated, use mail_rw_etc instead.')
+ mail_rw_etc($1)
')
########################################
## <summary>
-## Read mail address alias files.
+## Read mail address alias files (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -571,21 +412,8 @@ interface(`mta_write_config',`
## </param>
#
interface(`mta_read_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- files_search_etc($1)
- allow $1 etc_aliases_t:file read_file_perms;
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type etc_mail_t;
- ')
-
- search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
- read_files_pattern($1, etc_mail_t, etc_aliases_t)
- ')
+ refpolicywarn(`$0($*) is deprecated, use mail_read_aliases instead.')
+ mail_read_aliases($1)
')
########################################
@@ -600,30 +428,15 @@ interface(`mta_read_aliases',`
## </param>
#
interface(`mta_manage_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- files_search_etc($1)
- manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type etc_mail_t;
- ')
-
- search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
- manage_files_pattern($1, etc_mail_t, etc_aliases_t)
- manage_lnk_files_pattern($1, etc_mail_t, etc_aliases_t)
- ')
+ refpolicywarn(`$0($*) is deprecated, use mail_manage_aliases instead.')
+ mail_manage_aliases($1)
')
########################################
## <summary>
## Create specified object in generic
## etc directories with the mail address
-## alias type.
+## alias type (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -642,18 +455,15 @@ interface(`mta_manage_aliases',`
## </param>
#
interface(`mta_etc_filetrans_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- files_etc_filetrans($1, etc_aliases_t, $2, $3)
+ refpolicywarn(`$0($*) is deprecated, use mail_generic_etc_filetrans_aliases instead.')
+ mail_generic_etc_filetrans_aliases($1, $2, $3)
')
########################################
## <summary>
## Create specified objects in specified
## directories with a type transition to
-## the mail address alias type.
+## the mail address alias type (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -677,47 +487,15 @@ interface(`mta_etc_filetrans_aliases',`
## </param>
#
interface(`mta_spec_filetrans_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
-')
-
-########################################
-## <summary>
-## Read and write mail alias files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mta_rw_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- files_search_etc($1)
- allow $1 etc_aliases_t:file rw_file_perms;
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type etc_mail_t;
- ')
-
- search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
- rw_files_pattern($1, etc_mail_t, etc_aliases_t)
- ')
+ refpolicywarn(`$0($*) is deprecated, use mail_spec_filetrans_aliases instead.')
+ mail_spec_filetrans_aliases($1, $2, $3, $4)
')
#######################################
## <summary>
## Do not audit attempts to read
## and write TCP sockets of mail
-## delivery domains.
+## delivery domains (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -726,11 +504,8 @@ interface(`mta_rw_aliases',`
## </param>
#
interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
- gen_require(`
- attribute mailserver_delivery;
- ')
-
- dontaudit $1 mailserver_delivery:tcp_socket { read write };
+ refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_rw_delivery_agent_tcp_sockets instead.')
+ mail_dontaudit_rw_delivery_agent_tcp_sockets($1)
')
#######################################
@@ -750,7 +525,7 @@ interface(`mta_tcp_connect_all_mailservers',`
#######################################
## <summary>
## Do not audit attempts to read
-## mail spool symlinks.
+## mail spool symlinks (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -759,16 +534,13 @@ interface(`mta_tcp_connect_all_mailservers',`
## </param>
#
interface(`mta_dontaudit_read_spool_symlinks',`
- gen_require(`
- type mail_spool_t;
- ')
-
- dontaudit $1 mail_spool_t:lnk_file read;
+ refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_read_queue_symlinks instead.')
+ mail_dontaudit_read_queue_symlinks($1)
')
########################################
## <summary>
-## Get attributes of mail spool content.
+## Get attributes of mail spool content (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -777,20 +549,14 @@ interface(`mta_dontaudit_read_spool_symlinks',`
## </param>
#
interface(`mta_getattr_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mail_spool_t:dir list_dir_perms;
- getattr_files_pattern($1, mail_spool_t, mail_spool_t)
- read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+ refpolicywarn(`$0($*) is deprecated, use mail_getattr_queue instead.')
+ mail_getattr_queue($1)
')
########################################
## <summary>
## Do not audit attempts to get
-## attributes of mail spool files.
+## attributes of mail spool files (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -799,14 +565,8 @@ interface(`mta_getattr_spool',`
## </param>
#
interface(`mta_dontaudit_getattr_spool_files',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_dontaudit_search_spool($1)
- dontaudit $1 mail_spool_t:dir search_dir_perms;
- dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
- dontaudit $1 mail_spool_t:file getattr_file_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_getattr_queue instead.')
+ mail_dontaudit_getattr_queue($1)
')
#######################################
@@ -837,17 +597,13 @@ interface(`mta_dontaudit_getattr_spool_files',`
## </param>
#
interface(`mta_spool_filetrans',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- filetrans_pattern($1, mail_spool_t, $2, $3, $4)
+ refpolicywarn(`$0($*) is deprecated, use mail_queue_filetrans instead.')
+ mail_queue_filetrans($1, $2, $3, $4)
')
#######################################
## <summary>
-## Read mail spool files.
+## Read mail spool files (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -856,17 +612,13 @@ interface(`mta_spool_filetrans',`
## </param>
#
interface(`mta_read_spool_files',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- read_files_pattern($1, mail_spool_t, mail_spool_t)
+ refpolicywarn(`$0($*) is deprecated, use mail_read_queue_files instead.')
+ mail_read_queue_files($1)
')
########################################
## <summary>
-## Read and write mail spool files.
+## Read and write mail spool files (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -875,19 +627,13 @@ interface(`mta_read_spool_files',`
## </param>
#
interface(`mta_rw_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:file rw_file_perms;
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_rw_queue_files instead.')
+ mail_rw_queue_files($1)
')
#######################################
## <summary>
-## Create, read, and write mail spool files.
+## Create, read, and write mail spool files (deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -896,19 +642,13 @@ interface(`mta_rw_spool',`
## </param>
#
interface(`mta_append_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mail_spool_t:dir list_dir_perms;
- manage_files_pattern($1, mail_spool_t, mail_spool_t)
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_manage_queue_files instead.')
+ mail_manage_queue_files($1)
')
#######################################
## <summary>
-## Delete mail spool files.
+## Delete mail spool files (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -917,18 +657,14 @@ interface(`mta_append_spool',`
## </param>
#
interface(`mta_delete_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- delete_files_pattern($1, mail_spool_t, mail_spool_t)
+ refpolicywarn(`$0($*) is deprecated, use mail_delete_queue_files instead.')
+ mail_delete_queue_files($1)
')
########################################
## <summary>
## Create, read, write, and delete
-## mail spool content.
+## mail spool content (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -937,21 +673,15 @@ interface(`mta_delete_spool',`
## </param>
#
interface(`mta_manage_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
- manage_files_pattern($1, mail_spool_t, mail_spool_t)
- manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+ refpolicywarn(`$0($*) is deprecated, use mail_manage_queue instead.')
+ mail_manage_queue($1)
')
#######################################
## <summary>
## Create specified objects in the
## mail queue spool directory with a
-## private type.
+## private type (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -975,17 +705,13 @@ interface(`mta_manage_spool',`
## </param>
#
interface(`mta_queue_filetrans',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+ refpolicywarn(`$0($*) is deprecated, use mail_queue_filetrans instead.')
+ mail_queue_filetrans($1, $2, $3, $4)
')
########################################
## <summary>
-## Search mail queue directories.
+## Search mail queue directories (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -994,17 +720,13 @@ interface(`mta_queue_filetrans',`
## </param>
#
interface(`mta_search_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mqueue_spool_t:dir search_dir_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_search_queue instead.')
+ mail_search_queue($1)
')
#######################################
## <summary>
-## List mail queue directories.
+## List mail queue directories (deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -1013,17 +735,13 @@ interface(`mta_search_queue',`
## </param>
#
interface(`mta_list_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mqueue_spool_t:dir list_dir_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_list_queue instead.')
+ mail_list_queue($1)
')
#######################################
## <summary>
-## Read mail queue files.
+## Read mail queue files (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -1032,18 +750,14 @@ interface(`mta_list_queue',`
## </param>
#
interface(`mta_read_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ refpolicywarn(`$0($*) is deprecated, use mail_read_queue_files instead.')
+ mail_read_queue_files($1)
')
#######################################
## <summary>
## Do not audit attempts to read and
-## write mail queue content.
+## write mail queue content (deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -1052,18 +766,14 @@ interface(`mta_read_queue',`
## </param>
#
interface(`mta_dontaudit_rw_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- dontaudit $1 mqueue_spool_t:dir search_dir_perms;
- dontaudit $1 mqueue_spool_t:file rw_file_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_rw_queue_files instead.')
+ mail_dontaudit_rw_queue_files($1)
')
########################################
## <summary>
## Create, read, write, and delete
-## mail queue content.
+## mail queue content (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -1072,18 +782,13 @@ interface(`mta_dontaudit_rw_queue',`
## </param>
#
interface(`mta_manage_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
- manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ refpolicywarn(`$0($*) is deprecated, use mail_manage_queue instead.')
+ mail_manage_queue($1)
')
#######################################
## <summary>
-## Read sendmail binary.
+## Read sendmail binary (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -1092,17 +797,14 @@ interface(`mta_manage_queue',`
## </param>
#
interface(`mta_read_sendmail_bin',`
- gen_require(`
- type sendmail_exec_t;
- ')
-
- allow $1 sendmail_exec_t:file read_file_perms;
+ refpolicywarn(`$0($*) is deprecated, use mail_read_sendmail_executable instead.')
+ mail_read_sendmail_executable($1)
')
#######################################
## <summary>
## Read and write unix domain stream
-## sockets of all base mail domains.
+## sockets of all base mail domains (deprecated).
## </summary>
## <param name="domain">
## <summary>
@@ -1111,9 +813,5 @@ interface(`mta_read_sendmail_bin',`
## </param>
#
interface(`mta_rw_user_mail_stream_sockets',`
- gen_require(`
- attribute user_mail_domain;
- ')
-
- allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+ refpolicywarn(`$0($*) is deprecated.')
')
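Review bot: `mta_rw_user_mail_stream_sockets` is the only wrapper here that keeps its name but grants nothing: the `allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;` rule is dropped and the warning names no replacement. A module that still calls it builds with a warning and then hits AVC denials at run time, which are hard to trace back to this line. I would make the summary say so, `## sockets of all base mail domains (deprecated, grants no access).`, and end the warning text with the interface callers should move to. Further down the page postfix.if adds the equivalent rule for postfix_postdrop_t inside `postfix_user_sendmail_privs`, which may be the intended successor. The doc header of this interface starts before the hunk.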
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if.orig
similarity index 100%
copy from policy/modules/contrib/mta.if
copy to policy/modules/contrib/mta.if.orig
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 51b3bbb..e2048ee 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,410 +1,2 @@
policy_module(mta, 2.8.0)
-########################################
-#
-# Declarations
-#
-
-attribute mailcontent_type;
-attribute mta_exec_type;
-attribute mta_user_agent;
-attribute mailserver_delivery;
-attribute mailserver_domain;
-attribute mailserver_sender;
-
-attribute user_mail_domain;
-
-attribute_role user_mail_roles;
-
-type etc_aliases_t;
-files_type(etc_aliases_t)
-
-type etc_mail_t;
-files_config_file(etc_mail_t)
-
-type mail_home_t alias mail_forward_t;
-userdom_user_home_content(mail_home_t)
-
-type mail_home_rw_t;
-userdom_user_home_content(mail_home_rw_t)
-
-type mqueue_spool_t;
-files_mountpoint(mqueue_spool_t)
-
-type mail_spool_t;
-files_mountpoint(mail_spool_t)
-
-type sendmail_exec_t;
-mta_agent_executable(sendmail_exec_t)
-
-mta_base_mail_template(system)
-role system_r types system_mail_t;
-
-mta_base_mail_template(user)
-typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
-typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
-userdom_user_application_type(user_mail_t)
-role user_mail_roles types user_mail_t;
-
-typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
-typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
-userdom_user_tmp_file(user_mail_tmp_t)
-
-########################################
-#
-# Common base mail policy
-#
-
-allow user_mail_domain self:capability { setuid setgid chown };
-allow user_mail_domain self:process { signal_perms setrlimit };
-allow user_mail_domain self:fifo_file rw_fifo_file_perms;
-
-allow user_mail_domain mta_exec_type:file entrypoint;
-
-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
-
-manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
-
-read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
-
-manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
-read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
-
-allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
-
-can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
-
-kernel_read_crypto_sysctls(user_mail_domain)
-kernel_read_system_state(user_mail_domain)
-kernel_read_kernel_sysctls(user_mail_domain)
-kernel_read_network_state(user_mail_domain)
-kernel_request_load_module(user_mail_domain)
-
-corenet_all_recvfrom_netlabel(user_mail_domain)
-corenet_tcp_sendrecv_generic_if(user_mail_domain)
-corenet_tcp_sendrecv_generic_node(user_mail_domain)
-
-corenet_sendrecv_all_client_packets(user_mail_domain)
-corenet_tcp_connect_all_ports(user_mail_domain)
-corenet_tcp_sendrecv_all_ports(user_mail_domain)
-
-corecmd_exec_bin(user_mail_domain)
-
-dev_read_urand(user_mail_domain)
-
-domain_use_interactive_fds(user_mail_domain)
-
-files_read_etc_runtime_files(user_mail_domain)
-files_read_usr_files(user_mail_domain)
-files_search_spool(user_mail_domain)
-files_dontaudit_search_pids(user_mail_domain)
-
-fs_getattr_all_fs(user_mail_domain)
-
-init_dontaudit_rw_utmp(user_mail_domain)
-
-logging_send_syslog_msg(user_mail_domain)
-
-miscfiles_read_localization(user_mail_domain)
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(user_mail_domain)
- fs_manage_cifs_files(user_mail_domain)
- fs_read_cifs_symlinks(user_mail_domain)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(user_mail_domain)
- fs_manage_nfs_files(user_mail_domain)
- fs_read_nfs_symlinks(user_mail_domain)
-')
-
-optional_policy(`
- courier_manage_spool_dirs(user_mail_domain)
- courier_manage_spool_files(user_mail_domain)
- courier_rw_spool_pipes(user_mail_domain)
-')
-
-optional_policy(`
- exim_domtrans(user_mail_domain)
- exim_manage_log(user_mail_domain)
- exim_manage_spool_files(user_mail_domain)
- exim_read_var_lib_files(user_mail_domain)
-')
-
-optional_policy(`
- files_getattr_tmp_dirs(user_mail_domain)
-
- postfix_exec_master(user_mail_domain)
- postfix_read_config(user_mail_domain)
- postfix_search_spool(user_mail_domain)
- postfix_rw_inherited_master_pipes(user_mail_domain)
-
- ifdef(`distro_redhat',`
- postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
- ')
-')
-
-optional_policy(`
- procmail_exec(user_mail_domain)
-')
-
-optional_policy(`
- qmail_domtrans_inject(user_mail_domain)
-')
-
-optional_policy(`
- sendmail_manage_log(user_mail_domain)
- sendmail_log_filetrans_sendmail_log(user_mail_domain, file)
-')
-
-optional_policy(`
- uucp_manage_spool(user_mail_domain)
-')
-
-########################################
-#
-# System local policy
-#
-
-allow system_mail_t self:capability { dac_override fowner };
-
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-
-allow system_mail_t mail_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
-
-allow system_mail_t user_mail_domain:dir list_dir_perms;
-allow system_mail_t user_mail_domain:file read_file_perms;
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
-
-corecmd_exec_shell(system_mail_t)
-
-dev_read_rand(system_mail_t)
-dev_read_sysfs(system_mail_t)
-
-fs_rw_anon_inodefs_files(system_mail_t)
-
-selinux_getattr_fs(system_mail_t)
-
-term_dontaudit_use_unallocated_ttys(system_mail_t)
-
-init_use_script_ptys(system_mail_t)
-
-userdom_use_user_terminals(system_mail_t)
-
-optional_policy(`
- apache_read_squirrelmail_data(system_mail_t)
- apache_append_squirrelmail_data(system_mail_t)
- apache_dontaudit_append_log(system_mail_t)
- apache_dontaudit_rw_stream_sockets(system_mail_t)
- apache_dontaudit_rw_tcp_sockets(system_mail_t)
- apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
- arpwatch_manage_tmp_files(system_mail_t)
-
- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
- ')
-')
-
-optional_policy(`
- bugzilla_search_content(system_mail_t)
- bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
- clamav_stream_connect(system_mail_t)
- clamav_append_log(system_mail_t)
-')
-
-optional_policy(`
- cron_read_system_job_tmp_files(system_mail_t)
- cron_dontaudit_write_pipes(system_mail_t)
- cron_rw_system_job_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
- courier_stream_connect_authdaemon(system_mail_t)
-')
-
-optional_policy(`
- cvs_read_data(system_mail_t)
-')
-
-optional_policy(`
- fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
- fail2ban_append_log(system_mail_t)
- fail2ban_rw_inherited_tmp_files(system_mail_t)
-')
-
-optional_policy(`
- logrotate_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
- logwatch_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
- milter_getattr_all_sockets(system_mail_t)
-')
-
-optional_policy(`
- nagios_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
- manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
- manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
- manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
- manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
- manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
- files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
-')
-
-optional_policy(`
- sxid_read_log(system_mail_t)
-')
-
-optional_policy(`
- userdom_dontaudit_use_user_ptys(system_mail_t)
-
- optional_policy(`
- cron_dontaudit_append_system_job_tmp_files(system_mail_t)
- ')
-')
-
-optional_policy(`
- spamassassin_stream_connect_spamd(system_mail_t)
-')
-
-optional_policy(`
- smartmon_read_tmp_files(system_mail_t)
-')
-
-########################################
-#
-# MTA user agent local policy
-#
-
-userdom_use_user_terminals(mta_user_agent)
-
-optional_policy(`
- apache_append_log(mta_user_agent)
-')
-
-optional_policy(`
- arpwatch_manage_tmp_files(mta_user_agent)
-
- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
- ')
-
- optional_policy(`
- cron_read_system_job_tmp_files(mta_user_agent)
- ')
-')
-
-########################################
-#
-# Mailserver delivery local policy
-#
-
-allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
-
-allow mailserver_delivery mail_spool_t:dir list_dir_perms;
-create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-
-manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
-manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
-
-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mailserver_delivery)
- fs_manage_cifs_files(mailserver_delivery)
- fs_read_cifs_symlinks(mailserver_delivery)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mailserver_delivery)
- fs_manage_nfs_files(mailserver_delivery)
- fs_read_nfs_symlinks(mailserver_delivery)
-')
-
-optional_policy(`
- arpwatch_search_data(mailserver_delivery)
-')
-
-optional_policy(`
- dovecot_manage_spool(mailserver_delivery)
- dovecot_domtrans_deliver(mailserver_delivery)
-')
-
-optional_policy(`
- files_search_var_lib(mailserver_delivery)
-
- mailman_domtrans(mailserver_delivery)
- mailman_read_data_symlinks(mailserver_delivery)
-')
-
-optional_policy(`
- postfix_rw_inherited_master_pipes(mailserver_delivery)
-')
-
-optional_policy(`
- uucp_domtrans_uux(mailserver_delivery)
-')
-
-########################################
-#
-# User local policy
-#
-
-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
-
-dev_read_sysfs(user_mail_t)
-
-userdom_use_user_terminals(user_mail_t)
-
-optional_policy(`
- allow user_mail_t self:capability dac_override;
-
- userdom_rw_user_tmp_files(user_mail_t)
-
- postfix_read_config(user_mail_t)
- postfix_list_spool(user_mail_t)
-')
-
-ifdef(`distro_gentoo',`
- optional_policy(`
- at_rw_inherited_job_log_files(system_mail_t)
- ')
-')
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te.orig
similarity index 100%
copy from policy/modules/contrib/mta.te
copy to policy/modules/contrib/mta.te.orig
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: 4d37fd81193690bd67e183eb41c93570a62a099d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 27 14:26:11 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d37fd81
Fix postfix - enable output on terminals for debugging and troubleshooting
---
policy/modules/contrib/postfix.te | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index a953646..c27fbf1 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -805,11 +805,25 @@ userdom_home_filetrans_user_home_dir(postfix_virtual_t)
userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
ifdef(`distro_gentoo',`
+
+ #####################################
+ #
+ # postfix_t policy
+ #
+
# Not made part of mail infra anymore (previously mta_mailserver_domain)
init_daemon_domain(postfix_t, postfix_master_exec_t)
#####################################
#
+ # postfix_master_t policy
+ #
+
+ # Output in case of start or status failure (rc-service postfix status)
+ userdom_use_user_terminals(postfix_master_t)
+
+ #####################################
+ #
# Local postfix postdrop policy
#
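Review bot: `userdom_use_user_terminals(postfix_master_t)` is granted unconditionally, so the long-running master daemon keeps access to user ttys and ptys in normal operation, not only while someone is reading the output of `rc-service postfix status`. If the messages only need to reach the terminal of the init script run, `init_use_script_ptys(postfix_master_t)` may be enough. Otherwise I would put the rule behind a boolean that is off by default and widen the comment to `# Only needed to show start/status errors on the admin's terminal; postfix_master_t needs no tty access otherwise`. The distro_gentoo ifdef block opened in this hunk ends outside it.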
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: 251e3aeab13af9ef95032c5b207b5b3a165c1307
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 18:38:21 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:38 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=251e3aea
Allow salt minion to read SELinux configuration
The rlpkg command, before executing setfiles (which involves a domain
transition), parses the SELinux configuration file.
---
policy/modules/contrib/salt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 8388253..05dffec 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -311,6 +311,10 @@ optional_policy(`
')
optional_policy(`
+ seutil_read_config(salt_minion_t)
+')
+
+optional_policy(`
shutdown_domtrans(salt_minion_t)
')
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: 3ba24f9c26c69e486257adb89d64f8bb7ada6837
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 30 20:28:02 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3ba24f9c
Fix postfix - Add smtpd as MTA
---
policy/modules/contrib/postfix.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 9fb72dc..5e7b319 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -835,4 +835,5 @@ ifdef(`distro_gentoo',`
#
mail_delivery_agent_type(postfix_local_t)
mail_submission_agent_type(postfix_postdrop_t)
+ mail_transfer_agent_type(postfix_smtpd_t)
')
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: 1c501dac3ddb0146421f840bb4a9bbab2fc8532d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 18:38:21 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1c501dac
Allow salt minion to read SELinux configuration
The rlpkg command, before executing setfiles (which involves a domain
transition), parses the SELinux configuration file.
---
policy/modules/contrib/salt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 05dffec..856f8da 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -319,6 +319,10 @@ optional_policy(`
')
optional_policy(`
+ seutil_read_config(salt_minion_t)
+')
+
+optional_policy(`
usermanage_run_groupadd(salt_minion_t, salt_minion_roles)
usermanage_run_passwd(salt_minion_t, salt_minion_roles)
usermanage_run_useradd(salt_minion_t, salt_minion_roles)
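Review bot: `seutil_read_config(salt_minion_t)` appears to end up in salt.te twice. The base blob of this hunk, 05dffec, is the result of commit 251e3aea earlier on this page, which already added the same optional block a few lines higher. The duplicate rule does not change the compiled policy, but it makes a later removal or audit of the grant easy to get half right, so I would drop this second block. The usermanage optional block that follows continues past the hunk.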
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: 4145ef161fac67cee2ce0048213830be75b767c4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 27 14:11:43 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4145ef16
Fix postfix - make postfix_t launchable from init
---
policy/modules/contrib/postfix.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index afc1fde..a953646 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -805,6 +805,9 @@ userdom_home_filetrans_user_home_dir(postfix_virtual_t)
userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
ifdef(`distro_gentoo',`
+ # Not made part of mail infra anymore (previously mta_mailserver_domain)
+ init_daemon_domain(postfix_t, postfix_master_exec_t)
+
#####################################
#
# Local postfix postdrop policy
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: f5bf00584ecda77ddf39a181d073bb43af75f909
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:15:48 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f5bf0058
sendmail - Introduce postfix_user_sendmail_privs
The postfix_user_sendmail_privs interface is used to add the proper set
of permissions to the (user|system)_sendmail_t domains.
---
policy/modules/contrib/postfix.if | 49 +++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..a51026e 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -756,3 +756,52 @@ interface(`postfix_admin',`
can_exec($1, postfix_showq_exec_t)
')
')
+
+# ifdef distro_gentoo
+
+#########################################
+## <summary>
+## Assign privileges for Postfix sendmail
+## </summary>
+## <desc>
+## <p>
+## The privileges are extensive as many postfix commands are symbolic
+## links to the sendmail application. Example is the mailq command.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to assign privileges to
+## </summary>
+## </param>
+#
+interface(`postfix_user_sendmail_privs',`
+ gen_require(`
+ type postfix_postdrop_t;
+ ')
+ allow $1 self:process { setrlimit };
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+
+ allow postfix_postdrop_t $1:unix_stream_socket rw_socket_perms;
+
+ kernel_read_network_state($1)
+
+ domain_use_interactive_fds($1)
+
+ logging_send_syslog_msg($1)
+
+ auth_use_nsswitch($1)
+
+ miscfiles_read_localization($1)
+
+ userdom_use_user_terminals($1)
+
+ optional_policy(`
+ postfix_exec_postqueue($1)
+ postfix_domtrans_postdrop($1)
+ postfix_read_config($1)
+ postfix_read_spool_files($1)
+ postfix_stream_connect_master($1)
+ ')
+')
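Review bot: `postfix_exec_postqueue($1)` runs postqueue in the caller's own domain, which is presumably why `postfix_read_spool_files($1)` and `postfix_stream_connect_master($1)` are then handed to every domain that receives this interface. Transitioning instead, `postfix_domtrans_postqueue($1)`, would keep queue and master-socket access in postfix_postqueue_t, the way `postfix_domtrans_postdrop($1)` already does for postdrop. If the in-domain execution is deliberate, the `<desc>` should say which of these rules exist only for the mailq symlink case. Separately, the `optional_policy` wrapper looks ineffective next to the unconditional `gen_require` of `postfix_postdrop_t` above it, since a caller already needs the postfix module for that type.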
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: d19a66489fb983fe2eb6ce302eaafaff840b8d8b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 24 09:12:01 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d19a6648
Fix postfix - Add local as MDA
---
policy/modules/contrib/postfix.te | 65 ++++++++++++++++++++++-----------------
1 file changed, 36 insertions(+), 29 deletions(-)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index c27fbf1..9fb72dc 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -40,7 +40,7 @@ type postfix_keytab_t;
files_type(postfix_keytab_t)
postfix_server_domain_template(local)
-mta_mailserver_delivery(postfix_local_t)
+#mta_mailserver_delivery(postfix_local_t)
type postfix_map_t;
type postfix_map_exec_t;
@@ -52,7 +52,7 @@ files_tmp_file(postfix_map_tmp_t)
postfix_domain_template(master)
typealias postfix_master_t alias postfix_t;
-mta_mailserver(postfix_t, postfix_master_exec_t)
+#mta_mailserver(postfix_t, postfix_master_exec_t)
type postfix_initrc_exec_t;
init_script_file(postfix_initrc_exec_t)
@@ -62,10 +62,10 @@ postfix_server_domain_template(pickup)
postfix_server_domain_template(pipe)
postfix_user_domain_template(postdrop)
-mta_mailserver_user_agent(postfix_postdrop_t)
+#mta_mailserver_user_agent(postfix_postdrop_t)
postfix_user_domain_template(postqueue)
-mta_mailserver_user_agent(postfix_postqueue_t)
+#mta_mailserver_user_agent(postfix_postqueue_t)
type postfix_private_t;
files_type(postfix_private_t)
@@ -78,7 +78,7 @@ postfix_server_domain_template(qmgr)
postfix_user_domain_template(showq)
postfix_server_domain_template(smtp)
-mta_mailserver_sender(postfix_smtp_t)
+#mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
@@ -101,7 +101,7 @@ type postfix_data_t;
files_type(postfix_data_t)
postfix_server_domain_template(virtual)
-mta_mailserver_delivery(postfix_virtual_t)
+#mta_mailserver_delivery(postfix_virtual_t)
########################################
#
@@ -307,13 +307,13 @@ miscfiles_read_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
seutil_dontaudit_search_config(postfix_master_t)
-mta_manage_aliases(postfix_master_t)
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
-mta_read_sendmail_bin(postfix_master_t)
-mta_getattr_spool(postfix_master_t)
+#mta_manage_aliases(postfix_master_t)
+#mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
+#mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
+#mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
+#mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
+#mta_read_sendmail_bin(postfix_master_t)
+#mta_getattr_spool(postfix_master_t)
optional_policy(`
cyrus_stream_connect(postfix_master_t)
@@ -394,7 +394,7 @@ corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
corenet_tcp_connect_kismet_port(postfix_cleanup_t)
corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
-mta_read_aliases(postfix_cleanup_t)
+#mta_read_aliases(postfix_cleanup_t)
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
@@ -420,13 +420,13 @@ corecmd_exec_bin(postfix_local_t)
logging_dontaudit_search_logs(postfix_local_t)
-mta_delete_spool(postfix_local_t)
-mta_read_aliases(postfix_local_t)
-mta_read_config(postfix_local_t)
-mta_send_mail(postfix_local_t)
+#mta_delete_spool(postfix_local_t)
+#mta_read_aliases(postfix_local_t)
+#mta_read_config(postfix_local_t)
+#mta_send_mail(postfix_local_t)
tunable_policy(`postfix_local_write_mail_spool',`
- mta_manage_spool(postfix_local_t)
+ #mta_manage_spool(postfix_local_t)
')
optional_policy(`
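Review bot: After this change the `tunable_policy(`postfix_local_write_mail_spool',` block contains only a comment, so the boolean still exists but toggling it no longer changes what `postfix_local_t` may do. An administrator who enables it will see no error and no effect. Either keep `mta_manage_spool(postfix_local_t)` live inside the block until a mailinfra equivalent is wired in, or remove the whole `tunable_policy` block together with the boolean's declaration, which is outside this hunk.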
@@ -569,10 +569,10 @@ optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
')
-optional_policy(`
- mta_manage_spool(postfix_pipe_t)
- mta_send_mail(postfix_pipe_t)
-')
+#optional_policy(`
+ #mta_manage_spool(postfix_pipe_t)
+ #mta_send_mail(postfix_pipe_t)
+#')
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -602,7 +602,7 @@ mcs_file_write_all(postfix_postdrop_t)
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
+#mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
@@ -752,7 +752,7 @@ corecmd_exec_bin(postfix_smtpd_t)
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)
-mta_read_aliases(postfix_smtpd_t)
+#mta_read_aliases(postfix_smtpd_t)
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
@@ -793,10 +793,10 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
corecmd_exec_bin(postfix_virtual_t)
-mta_read_aliases(postfix_virtual_t)
-mta_delete_spool(postfix_virtual_t)
-mta_read_config(postfix_virtual_t)
-mta_manage_spool(postfix_virtual_t)
+#mta_read_aliases(postfix_virtual_t)
+#mta_delete_spool(postfix_virtual_t)
+#mta_read_config(postfix_virtual_t)
+#mta_manage_spool(postfix_virtual_t)
userdom_manage_user_home_dirs(postfix_virtual_t)
userdom_manage_user_home_content_dirs(postfix_virtual_t)
@@ -828,4 +828,11 @@ ifdef(`distro_gentoo',`
#
rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+ #####################################
+ #
+ # Integrate with mailinfra
+ #
+ mail_delivery_agent_type(postfix_local_t)
+ mail_submission_agent_type(postfix_postdrop_t)
')
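Review bot: Only `postfix_local_t` and `postfix_postdrop_t` are given mailinfra attributes here. `postfix_virtual_t` had `mta_mailserver_delivery` and its spool and aliases access commented out in the earlier hunks, and it gets no replacement. If virtual delivery is meant to keep working on this branch, the block probably also needs `mail_delivery_agent_type(postfix_virtual_t)`. The calls also sit inside the `ifdef(`distro_gentoo',` block, which opens outside this hunk, so they apply to Gentoo builds only, while the `mta_*` calls were disabled for every build.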
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: 4fb68436661883dd99e77f361845e544c45e4d30
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 30 22:13:36 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4fb68436
Fix mutt - make MUA and assign content type to tmp files
---
policy/modules/contrib/mutt.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/mutt.te b/policy/modules/contrib/mutt.te
index 393b943..805a763 100644
--- a/policy/modules/contrib/mutt.te
+++ b/policy/modules/contrib/mutt.te
@@ -8,6 +8,7 @@ policy_module(mutt, 1.0.0)
type mutt_t;
type mutt_exec_t;
application_domain(mutt_t, mutt_exec_t)
+mail_user_agent_type(mutt_t)
ubac_constrained(mutt_t)
type mutt_conf_t;
@@ -21,6 +22,7 @@ userdom_user_home_content(mutt_home_t)
type mutt_tmp_t;
files_tmp_file(mutt_tmp_t)
+mail_content_type(mutt_tmp_t)
ubac_constrained(mutt_tmp_t)
############################
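Review bot: `mail_content_type(mutt_tmp_t)` is added without a comment, and it grants more than the name suggests. The mailinfra policy on this branch has `allow user_sendmail_t mail_content:file { read_file_perms append_file_perms };`, so every temporary file mutt creates becomes readable and appendable by the sendmail helper, not only the composed message. A one-line comment would record the intent, for example `# user_sendmail_t reads the composed message from mutt's tmp file`. If mutt's other temporary files should stay private, a dedicated type for the outgoing message would keep the grant narrower. The declarations section continues outside this hunk.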
* [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
@ 2014-09-21 14:08 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:08 UTC (permalink / raw
To: gentoo-commits
commit: 59c8beea03614be56f98381144d1bb695d882d2e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:01:16 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=59c8beea
Mail Infrastructure Policy
The mail infrastructure policy uses the common mail infrastructure
terminology for its attributes, and provides a common interface for mail
related infrastructure to use SELinux.
---
policy/modules/contrib/mail.fc | 7 +
policy/modules/contrib/mail.if | 770 +++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/mail.te | 91 +++++
3 files changed, 868 insertions(+)
diff --git a/policy/modules/contrib/mail.fc b/policy/modules/contrib/mail.fc
new file mode 100644
index 0000000..1f0437e
--- /dev/null
+++ b/policy/modules/contrib/mail.fc
@@ -0,0 +1,7 @@
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/etc/mail(/.*)? gen_context(system_u:object_r:mail_etc_t,s0)
+
+# Only effective files are labeled as sendmail_exec_t, esp. symlinks should remain bin_t
+/usr/sbin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
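Review bot: The file contexts cover `mail_home_rw_t`, `mail_etc_t` and `sendmail_exec_t` but not `mail_home_t`, `mail_aliases_t` or `mail_queue_t`, all of which mail.te declares. `mail_role` in mail.if sets up name-based transitions so that `.forward` and `.mailrc` are created as `mail_home_t`, but with no matching entry here a relabel would put them back on the default home-content type. Adding `HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)` and `HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)` would keep the labels stable. The aliases and queue paths need entries too once their locations are decided.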
diff --git a/policy/modules/contrib/mail.if b/policy/modules/contrib/mail.if
new file mode 100644
index 0000000..b6badab
--- /dev/null
+++ b/policy/modules/contrib/mail.if
@@ -0,0 +1,770 @@
+## <summary>Common e-mail infrastructure policy</summary>
+
+#########################################
+## <summary>
+## Role access for mail access and usage
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mail_role',`
+ gen_require(`
+ attribute_role user_sendmail_roles;
+ attribute mail_submission_agent;
+ type mail_home_rw_t;
+ type mail_home_t;
+ type sendmail_exec_t;
+ type user_sendmail_t;
+ ')
+
+ roleattribute $1 user_sendmail_roles;
+ role $1 types mail_submission_agent;
+
+ # End users can invoke sendmail to send e-mails
+ domtrans_pattern($2, sendmail_exec_t, user_sendmail_t)
+
+ allow $2 user_sendmail_t:process { ptrace signal_perms };
+ ps_process_pattern($2, user_sendmail_t)
+
+ allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
+ userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
+
+ allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
+
+ optional_policy(`
+ exim_run($2, $1)
+ ')
+
+ optional_policy(`
+ mailman_run($2, $1)
+ ')
+')
+
+#########################################
+## <summary>
+## Execute sendmail and interact with the system_sendmail_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute and transition
+## </summary>
+## </param>
+#
+interface(`mail_run_sendmail',`
+ gen_require(`
+ type system_sendmail_t;
+ ')
+
+ mail_domtrans_sendmail($1)
+
+ allow $1 system_sendmail_t:process { signal };
+')
+
+#########################################
+## <summary>
+## Execute sendmail and transition to the system_sendmail_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute and transition
+## </summary>
+## </param>
+#
+interface(`mail_domtrans_sendmail',`
+ gen_require(`
+ type system_sendmail_t;
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sendmail_exec_t, system_sendmail_t)
+')
+
+#########################################
+## <summary>
+## Execute sendmail in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_exec_sendmail',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, sendmail_exec_t)
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail content type (mail generated by or for a mail user agent)
+## </summary>
+## <param name="type">
+## <summary>
+## Type to mark as mail content
+## </summary>
+## </param>
+#
+interface(`mail_content_type',`
+ gen_require(`
+ attribute mail_content;
+ ')
+
+ typeattribute $1 mail_content;
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail deliver agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_delivery_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_delivery_agent_type',`
+ gen_require(`
+ attribute mail_delivery_agent;
+ ')
+
+ typeattribute $1 mail_delivery_agent;
+')
+
+#########################################
+## <summary>
+## Assign all privileges for the domain to act as a mail delivery agent (MDA)
+## </summary>
+## <param name="domain">
+## <summary>
+## Type or attribute to assign MDA privileges to
+## </summary>
+## </param>
+#
+interface(`mail_delivery_agent_privs',`
+ gen_require(`
+ type mail_home_rw_t;
+ type mail_etc_t;
+ ')
+
+ # Read mail settings
+ read_files_pattern($1, mail_etc_t, mail_etc_t)
+ # Manage user mail files
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail submission agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_submission_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_submission_agent_type',`
+ gen_require(`
+ attribute mail_submission_agent;
+ ')
+
+ typeattribute $1 mail_submission_agent;
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail transfer agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_transfer_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_transfer_agent_type',`
+ gen_require(`
+ attribute mail_transfer_agent;
+ ')
+
+ typeattribute $1 mail_transfer_agent;
+')
+
+#########################################
+## <summary>
+## Assign all privileges for the domain to act as a mail transfer agent (MTA)
+## </summary>
+## <param name="domain">
+## <summary>
+## Type or attribute to assign MTA privileges to
+## </summary>
+## </param>
+#
+interface(`mail_transfer_agent_privs',`
+ gen_require(`
+ type mail_etc_t;
+ ')
+
+ read_files_pattern($1, mail_etc_t, mail_etc_t)
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail user agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_user_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_type',`
+ gen_require(`
+ attribute mail_user_agent;
+ ')
+
+ typeattribute $1 mail_user_agent;
+')
+
+#########################################
+## <summary>
+## Assign all privileges for the domain to act as a mail user agent (MUA)
+## </summary>
+## <param name="domain">
+## <summary>
+## Type or attribute to assign MUA privileges to
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_privs',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ # Manage user mail files
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+
+ # Call sendmail to send out mails
+ domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)
+')
+
+#########################################
+## <summary>
+## Read mail aliases files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_aliases',`
+ gen_require(`
+ type mail_etc_t;
+ type mail_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 mail_etc_t:dir list_dir_perms;
+ allow $1 mail_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 mail_aliases_t:file read_file_perms;
+')
+
+#########################################
+## <summary>
+## Create specified object in generic etc directories with the mail aliases type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## The object class of the object being created
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created
+## </summary>
+## </param>
+#
+interface(`mail_generic_etc_filetrans_aliases',`
+ gen_require(`
+ type mail_aliases_t;
+ ')
+
+ files_etc_filetrans($1, mail_aliases_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Create specified object in the specified directory type with the mail aliases type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="dir_type">
+## <summary>
+## Directory to transition on
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## The object class of the object being created
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created
+## </summary>
+## </param>
+#
+interface(`mail_spec_filetrans_aliases',`
+ gen_require(`
+ type mail_aliases_t;
+ ')
+
+ filetrans_pattern($1, $2, mail_aliases_t, $3, $4)
+')
+
+#########################################
+## <summary>
+## Manage mail aliases files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_aliases',`
+ gen_require(`
+ type mail_etc_t;
+ type mail_aliases_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, { mail_aliases_t mail_etc_t }, mail_aliases_t)
+ manage_lnk_files_pattern($1, { mail_aliases_t mail_etc_t }, mail_aliases_t)
+')
+
+#########################################
+## <summary>
+## Do not audit attempts to read and write TCP sockets of mail delivery agents
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit
+## </summary>
+## </param>
+#
+interface(`mail_dontaudit_rw_delivery_agent_tcp_sockets',`
+ gen_require(`
+ attribute mail_delivery_agent;
+ ')
+
+ dontaudit $1 mail_delivery_agent:tcp_socket { read write };
+')
+
+#########################################
+## <summary>
+## Read mail configuration / miscellaneous files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_etc',`
+ gen_require(`
+ type mail_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 mail_etc_t:dir list_dir_perms;
+ allow $1 mail_etc_t:file read_file_perms;
+ allow $1 mail_etc_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+## Read and write mail configuration / miscellaneous files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_rw_etc',`
+ gen_require(`
+ type mail_etc_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, mail_etc_t, mail_etc_t)
+')
+
+#########################################
+## <summary>
+## Read mail home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mail_home_t:file read_file_perms;
+')
+
+#########################################
+## <summary>
+## Manage mail home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mail_home_t:file manage_file_perms;
+')
+
+#########################################
+## <summary>
+## Manage mail read/write home resources (files accessible and manageable
+## by the mail domains).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+')
+
+#########################################
+## <summary>
+## Get attributes of the mail queue content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_getattr_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_queue_t:dir list_dir_perms;
+ getattr_files_pattern($1, mail_queue_t, mail_queue_t)
+ read_lnk_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Do not audit getting the attributes of the mail queue content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_dontaudit_getattr_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_dontaudit_search_queue($1)
+ dontaudit $1 mail_queue_t:dir list_dir_perms;
+ dontaudit $1 mail_queue_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 mail_queue_t:file getattr_file_perms;
+')
+
+#########################################
+## <summary>
+## Search through mail queue directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_search_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_queue_t:dir search_dir_perms;
+')
+
+#########################################
+## <summary>
+## List mail queue directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_list_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_queue_t:dir list_dir_perms;
+')
+
+#########################################
+## <summary>
+## Read mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Do not audit attempts to read the mail queue symlinks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mail_dontaudit_read_queue_symlinks',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ dontaudit $1 mail_queue_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+## Read and write mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_rw_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_queue_t:dir list_dir_perms;
+ allow $1 mail_queue_t:file rw_file_perms;
+ allow $1 mail_queue_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+## Do not audit attempts to read and write mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit
+## </summary>
+## </param>
+#
+interface(`mail_dontaudit_rw_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ dontaudit $1 mail_queue_t:dir search_dir_perms;
+ dontaudit $1 mail_queue_t:file rw_file_perms;
+')
+
+#########################################
+## <summary>
+## Create specified objects in the mail queue directory with a specified type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="target_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## The class of the object being created
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created
+## </summary>
+## </param>
+#
+interface(`mail_queue_filetrans',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mail_queue_t, $2, $3, $4)
+')
+
+#########################################
+## <summary>
+## Delete mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_delete_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ delete_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Manage mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+
+ allow $1 mail_queue_t:dir list_dir_perms;
+ allow $1 mail_queue_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Manage mail queue resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+
+ manage_dirs_pattern($1, mail_queue_t, mail_queue_t)
+ manage_files_pattern($1, mail_queue_t, mail_queue_t)
+ manage_lnk_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Read sendmail binary
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_sendmail_executable',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ allow $1 sendmail_exec_t:file read_file_perms;
+')
+
+
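Review bot: `mail_user_agent_privs` calls `domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)` but its `gen_require` block names only `mail_home_rw_t`, so the interface relies on the caller already having both types in scope. Two other interfaces grant something different from what their summaries say: `mail_rw_etc` uses `write_files_pattern`, which gives write without read, and `mail_dontaudit_rw_queue_files` calls `files_search_spool($1)`, which is an allow rule inside a dontaudit interface. `mail_dontaudit_getattr_queue` also calls `files_dontaudit_search_queue`, which looks like a slip for `files_dontaudit_search_spool`; worth confirming against files.if. The fence below holds the three rewritten spots.

```selinux
interface(`mail_user_agent_privs',`
	gen_require(`
		type mail_home_rw_t;
		type sendmail_exec_t;
		type user_sendmail_t;
	')
	# … unchanged: mail_home_rw_t management and the sendmail domtrans …

interface(`mail_rw_etc',`
	# … unchanged: gen_require and files_search_etc …
	rw_files_pattern($1, mail_etc_t, mail_etc_t)

interface(`mail_dontaudit_rw_queue_files',`
	# … unchanged: gen_require …
	files_dontaudit_search_spool($1)
	# … unchanged: dontaudit rules on mail_queue_t …
```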
diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te
new file mode 100644
index 0000000..71bc6a4
--- /dev/null
+++ b/policy/modules/contrib/mail.te
@@ -0,0 +1,91 @@
+policy_module(mailinfra, 1.0)
+
+# This will become the new mta when finished. For now, use a different name
+
+#########################################
+#
+# Declarations
+#
+
+# Domain attributes, see http://en.wikipedia.org/wiki/Email_agent_%28infrastructure%29
+attribute mail_user_agent;
+attribute mail_submission_agent;
+attribute mail_transfer_agent;
+attribute mail_delivery_agent;
+attribute mail_retrieval_agent;
+
+# Resource attributes
+attribute mail_content;
+
+# Access to user-based sendmail
+attribute_role user_sendmail_roles;
+
+# TODO deleteme
+attribute mta_exec_type;
+type system_mail_t;
+application_type(system_mail_t)
+attribute mta_user_agent;
+attribute user_mail_domain;
+attribute mailserver_domain;
+attribute mailserver_sender;
+attribute mailserver_delivery;
+
+# Generic domain types
+type sendmail_exec_t;
+
+type user_sendmail_t;
+userdom_user_application_domain(user_sendmail_t, sendmail_exec_t)
+role user_sendmail_roles types user_sendmail_t;
+
+type system_sendmail_t;
+application_domain(system_sendmail_t, sendmail_exec_t)
+
+# Generic types
+type mail_aliases_t alias etc_aliases_t;
+files_type(mail_aliases_t)
+
+type mail_etc_t alias etc_mail_t;
+files_config_file(mail_etc_t)
+
+# Files manageable by end user but read-only for the mail_*_agent domains
+type mail_home_t;
+userdom_user_home_content(mail_home_t)
+
+type mail_home_rw_t;
+userdom_user_home_content(mail_home_rw_t)
+
+type mail_queue_t;
+files_mountpoint(mail_queue_t)
+
+#########################################
+#
+# Mail Delivery Agent policy
+#
+
+mail_delivery_agent_privs(mail_delivery_agent)
+
+#########################################
+#
+# Mail Transfer Agent policy
+#
+
+mail_transfer_agent_privs(mail_transfer_agent)
+
+#########################################
+#
+# Mail User Agent policy
+#
+
+mail_user_agent_privs(mail_user_agent)
+
+#########################################
+#
+# User-based sendmail domain
+#
+
+allow user_sendmail_t mail_content:file { read_file_perms append_file_perms };
+
+# Postfix implementation specifics
+ifdef(`use_postfix',`
+ postfix_user_sendmail_privs(user_sendmail_t)
+')
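Review bot: The `# TODO deleteme` block declares `mta_exec_type`, `system_mail_t`, `mta_user_agent`, `user_mail_domain` and the `mailserver_*` attributes without saying why they are here or when they can be removed. These look like the names the existing mta module owns, and the `etc_aliases_t` and `etc_mail_t` aliases further down probably are too, so this module presumably cannot be loaded alongside mta; please confirm. A comment stating that would spare the next reader the guesswork, for example `# Compatibility declarations for modules still calling mta_* interfaces; conflicts with the mta module, remove once callers are converted`. The attribute list also declares `mail_retrieval_agent`, but mail.if in this commit has no matching `mail_retrieval_agent_type` interface, so nothing can be assigned to it yet.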