From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1696606305.0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/courier.fc policy/modules/services/courier.te policy/modules/services/dovecot.te policy/modules/services/exim.te policy/modules/services/mta.if policy/modules/services/mta.te policy/modules/services/postfix.if policy/modules/services/postfix.te policy/modules/services/sendmail.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef
X-VCS-Branch: master
Date: Fri, 6 Oct 2023 16:44:34 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 54dd20ee-8756-402b-ba52-092a50484b48
X-Archives-Hash: 6987862f2e05424a56a583b9d92043cc

commit:     0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef
Author:     Russell Coker coker com au>
AuthorDate: Thu Sep 28 13:57:18 2023 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Fri Oct  6 15:31:45 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d4b9fb4

misc small email changes (#704)

* Small changes to courier, dovecot, exim, postfix, and sendmail policy.

Signed-off-by: Russell Coker coker.com.au>

* Removed an obsolete patch

Signed-off-by: Russell Coker coker.com.au>

* Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined

Signed-off-by: Russell Coker coker.com.au>

* Use create_stream_socket_perms for unix connection to itself

Signed-off-by: Russell Coker coker.com.au>

* Removed unconfined_run_to

Signed-off-by: Russell Coker coker.com.au>

* Remove change for it to run from a user session

Signed-off-by: Russell Coker coker.com.au>

* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and moved it out of the postfix section

Signed-off-by: Russell Coker coker.com.au>

---------

Signed-off-by: Russell Coker coker.com.au>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/services/courier.fc  |  4 ++--
 policy/modules/services/courier.te  | 21 +++++++++++++++++++--
 policy/modules/services/dovecot.te  |  3 +++
 policy/modules/services/exim.te     |  3 ++-
 policy/modules/services/mta.if      |  1 +
 policy/modules/services/mta.te      | 32 ++++++++++++++++++++++++++++++++
 policy/modules/services/postfix.if  |  3 +++
 policy/modules/services/postfix.te  |  4 ++++
 policy/modules/services/sendmail.te |  4 ++++
 9 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
index 0f56d60d8..28594264f 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -23,8 +23,8 @@ /usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) -/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib/courier/imapd.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib/courier/pop3d.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) /usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0) /usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te index 00ca1db6e..b5fa0c163 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te @@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe can_exec(courier_authdaemon_t, courier_exec_t) +kernel_getattr_proc(courier_authdaemon_t) + corecmd_exec_shell(courier_authdaemon_t) domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t) @@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t) miscfiles_read_localization(courier_authdaemon_t) selinux_getattr_fs(courier_authdaemon_t) +seutil_search_default_contexts(courier_authdaemon_t) userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) 
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t) # POP3/IMAP local policy # -allow courier_pop_t self:capability { setgid setuid }; +allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid }; +dontaudit courier_pop_t self:capability fsetid; +allow courier_pop_t self:unix_stream_socket create_stream_socket_perms; +allow courier_pop_t self:process setrlimit; + allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; -allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; +allow courier_pop_t courier_var_lib_t:dir rw_dir_perms; +allow courier_pop_t courier_var_lib_t:file manage_file_perms; +allow courier_pop_t courier_etc_t:file map; + +can_exec(courier_pop_t, courier_exec_t) +can_exec(courier_pop_t, courier_tcpd_exec_t) stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t) domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) corecmd_exec_shell(courier_pop_t) +corenet_tcp_bind_generic_node(courier_pop_t) +corenet_tcp_bind_pop_port(courier_pop_t) + +files_search_var_lib(courier_pop_t) +miscfiles_read_generic_certs(courier_pop_t) miscfiles_read_localization(courier_pop_t) mta_manage_mail_home_rw_content(courier_pop_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 370478770..11ffbb177 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -216,6 +216,7 @@ optional_policy(` mta_manage_mail_home_rw_content(dovecot_t) mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir") mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") + mta_home_filetrans_mail_home_rw(dovecot_t, dir, "mail") ') optional_policy(` 
@@ -269,6 +270,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p kernel_dontaudit_getattr_proc(dovecot_auth_t) +kernel_getattr_proc(dovecot_auth_t) + files_search_runtime(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index 5e001b37b..80d828466 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -72,7 +72,7 @@ ifdef(`distro_debian',` # Local policy # -allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource }; +allow exim_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_resource }; allow exim_t self:process { setrlimit setpgid }; allow exim_t self:fifo_file rw_fifo_file_perms; allow exim_t self:unix_stream_socket { accept listen }; @@ -192,6 +192,7 @@ optional_policy(` optional_policy(` cron_read_pipes(exim_t) + cron_rw_inherited_tmp_files(exim_t) cron_rw_system_job_pipes(exim_t) cron_use_system_job_fds(exim_t) ') diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index cdc3cf590..1c15a6b20 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -268,6 +268,7 @@ interface(`mta_manage_mail_home_rw_content',` manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) allow $1 mail_home_rw_t:file map; manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + allow $1 mail_home_rw_t:{ dir file } watch; ') ######################################## diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 63c8562ae..1099ccab5 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -15,6 +15,7 @@ attribute mailserver_sender; attribute user_mail_domain; attribute_role user_mail_roles; +attribute_role admin_mail_roles; type etc_aliases_t; files_type(etc_aliases_t) 
@@ -44,6 +45,10 @@ mta_base_mail_template(user) userdom_user_application_type(user_mail_t) role user_mail_roles types user_mail_t; +mta_base_mail_template(admin) +userdom_user_application_type(admin_mail_t) +role admin_mail_roles types admin_mail_t; + userdom_user_tmp_file(user_mail_tmp_t) ######################################## @@ -435,3 +440,30 @@ ifdef(`distro_gentoo',` at_rw_inherited_job_log_files(system_mail_t) ') ') + +######################################## +# +# Admin local policy +# + +manage_files_pattern(admin_mail_t, mail_home_t, mail_home_t) +userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".esmtp_queue") +userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".forward") +userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".mailrc") +userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, "dead.letter") + +dev_read_sysfs(admin_mail_t) + +userdom_use_user_terminals(admin_mail_t) + +files_etc_filetrans(admin_mail_t, etc_aliases_t, file) +allow admin_mail_t etc_aliases_t:file manage_file_perms; + +optional_policy(` + allow admin_mail_t self:capability dac_override; + + userdom_rw_user_tmp_files(admin_mail_t) + + postfix_read_config(admin_mail_t) + postfix_list_spool(admin_mail_t) +') diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index 847022bf4..5168017b9 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -50,6 +50,9 @@ template(`postfix_domain_template',` can_exec(postfix_$1_t, postfix_$1_exec_t) auth_use_nsswitch(postfix_$1_t) + ifdef(`init_systemd',` + systemd_dontaudit_connect_machined(postfix_$1_t) + ') ') ####################################### diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 528a84de9..f327af47a 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te 
@@ -516,9 +516,12 @@ manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir }) kernel_read_kernel_sysctls(postfix_map_t) +kernel_read_network_state(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) +dev_read_urand(postfix_map_t) + corenet_all_recvfrom_netlabel(postfix_map_t) corenet_tcp_sendrecv_generic_if(postfix_map_t) corenet_tcp_sendrecv_generic_node(postfix_map_t) @@ -745,6 +748,7 @@ allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; allow postfix_showq_t postfix_spool_t:file read_file_perms; +allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write }; term_use_all_ptys(postfix_showq_t) term_use_all_ttys(postfix_showq_t) diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index f12dd77cd..ba31f3e3a 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -193,6 +193,10 @@ optional_policy(` sasl_connect(sendmail_t) ') +optional_policy(` + userdom_use_inherited_user_terminals(sendmail_t) +') + optional_policy(` uucp_domtrans_uux(sendmail_t) ')
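Review bot: the courier.fc hunk (@@ -23,8 +23,8 @@) widens /usr/lib/courier/imapd and /usr/lib/courier/pop3d to imapd.* and pop3d.*, which labels every regular file whose name starts with those prefixes as courier_pop_exec_t, not only the daemons. If the intent is to cover the -ssl variants, a tighter pattern such as imapd(-ssl)? and pop3d(-ssl)?, plus a line in the commit message naming the files that were found unlabelled, would keep helper scripts or other files under that prefix from becoming domain entry points.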
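Review bot: in the courier.te hunk @@ -129,20 +132,34 @@, replacing rw_inherited_file_perms with manage_file_perms on courier_var_lib_t:file (with rw_dir_perms on the directory) and adding chown, dac_read_search and fowner to the courier_pop_t capability set is a substantial widening of the POP/IMAP domain that the commit message ("small changes") does not explain; the denials these fix belong in the message or in a comment above the rules. The new can_exec(courier_pop_t, courier_tcpd_exec_t) also deserves a second look: it runs couriertcpd inside courier_pop_t with no domain transition even though the policy already has a courier_tcpd_t domain for that binary, so either a domtrans_pattern into courier_tcpd_t or a comment explaining why the listener must run in the mailbox-access domain would make the intent clear.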
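Review bot: in the dovecot.te hunk @@ -269,6 +270,8 @@, kernel_getattr_proc(dovecot_auth_t) is added directly after the existing kernel_dontaudit_getattr_proc(dovecot_auth_t); once the access is allowed the dontaudit rule is dead and should be removed in the same change, otherwise the two adjacent lines read as contradictory to the next person editing the file.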
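Review bot: the exim.te hunk @@ -192,6 +192,7 @@ calls cron_rw_inherited_tmp_files(exim_t), which the commit message describes as a newly added interface, but cron.if is not among the files in this commit (see X-VCS-Files); the policy build fails with an undefined-interface error unless that definition is already merged, so the message should reference the commit that introduces it, or the two changes should land together.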
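Review bot: the mta.if hunk @@ -268,6 +268,7 @@ adds "allow $1 mail_home_rw_t:{ dir file } watch;" to mta_manage_mail_home_rw_content, which grants watch to every existing caller of the manage interface, not only the dovecot domain this series is about; if only dovecot needs it, a dedicated mta_watch_mail_home_rw_content interface, or at least a note in the interface's description block that manage now includes watch, would make the scope explicit.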
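Review bot: the mta.te hunk @@ -44,6 +45,10 @@ instantiates mta_base_mail_template(admin) and declares "role admin_mail_roles types admin_mail_t;", but nothing in this patch adds a role to admin_mail_roles or a transition into admin_mail_t (the mta_role-style wiring that user_mail_t receives), so the new domain is unreachable as committed; the commit message should say where the administrative role is attached, or that wiring should be part of this change.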
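Review bot: in the mta.te hunk @@ -435,3 +440,30 @@, the optional_policy block mixes module-independent rules ("allow admin_mail_t self:capability dac_override;" and userdom_rw_user_tmp_files(admin_mail_t)) with the postfix_* calls; optional_policy blocks are dropped when the named module is absent, so on a system without the postfix module those two rules silently disappear. If they are only needed alongside postfix, a comment saying so keeps that from looking accidental; otherwise move them above the block. Separately, userdom_use_user_terminals(admin_mail_t) contrasts with the inherited-terminal variant this same series chose for sendmail_t; for a client launched from the administrator's shell the inherited variant is normally sufficient and avoids granting open on user ttys and ptys.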
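Review bot: the postfix.if hunk @@ -50,6 +50,9 @@ calls systemd_dontaudit_connect_machined(postfix_$1_t), which the commit message says is a new interface, but systemd.if is not in this commit's file list (X-VCS-Files); since postfix_domain_template is expanded for every postfix domain, the whole module fails to build until that interface is merged, so please reference the commit carrying it or fold it into this one.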
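Review bot: the sendmail.te hunk @@ -193,6 +193,10 @@ wraps userdom_use_inherited_user_terminals(sendmail_t) in an optional_policy block; userdomain is a base (non-optional) module in refpolicy, so the wrapper is unnecessary and the call should sit with the other direct userdom_* calls in sendmail's local policy section, leaving optional_policy for genuinely optional modules such as the uucp block just below it.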