[selinux-policy: 608/3172] fix up most of mta attribute insanity

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:57:13 UTC 2010


commit 246839f3d2d130dea261f3393f60ef6d7eee8a8d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Aug 30 20:47:41 2005 +0000

    fix up most of mta attribute insanity

 refpolicy/policy/modules/admin/logrotate.if   |   18 +++
 refpolicy/policy/modules/kernel/kernel.if     |   19 +++
 refpolicy/policy/modules/services/cron.if     |   36 +++++-
 refpolicy/policy/modules/services/mta.if      |  108 +++++++++++++---
 refpolicy/policy/modules/services/mta.te      |  175 +++++++++----------------
 refpolicy/policy/modules/services/sendmail.te |   18 ++-
 refpolicy/policy/modules/system/userdomain.if |   17 +++
 7 files changed, 260 insertions(+), 131 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if
index 134a886..cff68d4 100644
--- a/refpolicy/policy/modules/admin/logrotate.if
+++ b/refpolicy/policy/modules/admin/logrotate.if
@@ -82,3 +82,21 @@ interface(`logrotate_dontaudit_use_fd',`
 
 	dontaudit $1 logrotate_t:fd use;
 ')
+
+########################################
+## <summary>
+##	Read a logrotate temporary files.
+## </summary>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
+#
+interface(`logrotate_read_tmp_files',`
+	gen_require(`
+		type logrotate_tmp_t;
+		class file r_file_perms;
+	')
+
+	files_search_tmp($1)
+	allow $1 logrotate_tmp_t:file r_file_perms;
+')
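Review bot: The parameter text on the new `logrotate_read_tmp_files` interface says `The type of the process to not audit.`, but the body grants access with an `allow` rule, so that description was copied from a dontaudit interface and misleads callers. It should read `Domain allowed access.`, matching the other interfaces added in this commit. The summary also has a stray article and should be `Read logrotate temporary files.`.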
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index f4de889..c147b45 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -555,6 +555,25 @@ interface(`kernel_dontaudit_getattr_message_if',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search the network
+##	state directory.
+## </summary>
+## <param name="domain">
+##	The process type reading the state.
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_network_state',`
+	gen_require(`
+		type proc_net_t;
+		class dir search;
+	')
+
+	allow $1 proc_net_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Allow caller to read the network state information.
 ## </summary>
 ## <param name="domain">
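Review bot: `kernel_dontaudit_search_network_state` grants access instead of suppressing the denial: the body is `allow $1 proc_net_t:dir search;` while the name and summary describe a dontaudit interface. As written every caller receives real search access to the network state directory (`proc_net_t`), which is more than the interface promises; the rule should be `dontaudit $1 proc_net_t:dir search;`. The parameter description `The process type reading the state.` should likewise say the domain is not audited, e.g. `Domain to not audit.`.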
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index cde33f0..ec5f5ae 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -316,6 +316,23 @@ interface(`cron_system_entry',`
 
 ########################################
 ## <summary>
+##	Send a SIGCHLD signal to the cron daemon.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cron_sigchld',`
+	gen_require(`
+		type crond_t;
+		class process sigchld;
+	')
+
+	allow $1 crond_t:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Read a cron daemon unnamed pipe
 ## </summary>
 ## <param name="domain">
@@ -331,7 +348,6 @@ interface(`cron_read_pipe',`
 	allow $1 crond_t:file r_file_perms;
 ')
 
-
 ########################################
 ## <summary>
 ##	Read and write the cron daemon log files.
@@ -367,3 +383,21 @@ interface(`cron_search_spool',`
 	files_search_spool($1)
 	allow $1 cron_spool_t:dir search;
 ')
+
+########################################
+## <summary>
+##	Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cron_read_system_job_tmp_files',`
+	gen_require(`
+		type system_crond_tmp_t;
+		class file r_file_perms;
+	')
+
+	files_search_tmp($1)
+	allow $1 system_crond_tmp_t:file r_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 6409e53..e6efcbd 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -28,7 +28,7 @@
 ## </param>
 #
 template(`mta_per_userdomain_template',`
-	type $1_mail_t; # , user_mail_domain
+	type $1_mail_t;
 	domain_type($1_mail_t)
 	role $3 types $1_mail_t;
 
@@ -59,6 +59,11 @@ template(`mta_per_userdomain_template',`
 	allow $1_mail_t $2:fifo_file rw_file_perms;
 	allow $1_mail_t $2:process sigchld;
 
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($2)
+	allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
+	allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
+
 	kernel_read_kernel_sysctl($1_mail_t)
 
 	corenet_tcp_sendrecv_all_if($1_mail_t)
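Review bot: The three new rules reference the `mailserver_domain` attribute directly inside `mta_per_userdomain_template`, and a later hunk in this file uses `mta_user_agent` the same way; unless both attributes are listed in the template's `gen_require` block, which starts above this hunk and is not visible here, the template will fail to expand when it is instantiated from another module. Worth confirming before merge, since the commit message says it is cleaning up exactly these attributes. The enclosing template starts and ends outside this hunk.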
@@ -78,6 +83,8 @@ template(`mta_per_userdomain_template',`
 
 	files_read_etc_files($1_mail_t)
 	files_search_spool($1_mail_t)
+	# It wants to check for nscd
+	files_dontaudit_search_pids($1_mail_t)
 
 	logging_send_syslog_msg($1_mail_t)
 
@@ -86,6 +93,8 @@ template(`mta_per_userdomain_template',`
 	sysnet_read_config($1_mail_t)
 
 	userdom_use_user_terminals($1,$1_mail_t)
+	# Write to the user domain tty. cjp: why?
+	userdom_use_user_terminals($1,mta_user_agent)
 
 	tunable_policy(`use_dns',`
 		allow $1_mail_t self:udp_socket create_socket_perms;
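Review bot: `userdom_use_user_terminals($1,mta_user_agent)` grants every domain carrying `mta_user_agent` read/write on this user's terminals, and because the template is expanded once per user the attribute ends up with terminal access for all users rather than only the one whose mail it is handling; the commit's own `# cjp: why?` shows the grant is not understood. If the line is only there to preserve the old TODO rules, consider confining it to `$1_mail_t` or turning it into a dontaudit until the need is known, and record the reason in the comment rather than a question. The enclosing template starts and ends outside this hunk.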
@@ -113,14 +122,6 @@ template(`mta_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-	allow $1_mail_t device_t:dir search;
-
-	# It wants to check for nscd
-	dontaudit $1_mail_t var_run_t:dir search;
-
-	# For when the user wants to send mail via port 25 localhost
-	can_tcp_connect($1_t, mail_server_domain)
-
 	# Read user temporary files.
 	allow $1_mail_t $1_tmp_t:file r_file_perms;
 	dontaudit $1_mail_t $1_tmp_t:file append;
@@ -129,26 +130,21 @@ template(`mta_per_userdomain_template',`
 		allow $1_mail_t $1_tmp_t:file write;
 	')
 
+	# cjp: why?
 	allow mta_user_agent $1_tmp_t:file r_file_perms;
 
-	# Write to the user domain tty.
-	allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms;
-	allow mta_user_agent devpts_t:dir r_dir_perms;
-	allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;
-
 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
 
 	# Create dead.letter in user home directories.
 	file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
-
 	# if you do not want to allow dead.letter then use the following instead
 	#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
 	#allow $1_mail_t $1_home_t:file r_file_perms;
 
 	# for reading .forward - maybe we need a new type for it?
 	# also for delivering mail to maildir
-	file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
+	file_type_auto_trans(mailserver_delivery, $1_home_dir_t, $1_home_t)
 
 	ifdef(`qmail.te', `
 		allow $1_mail_t qmail_etc_t:dir search;
@@ -167,6 +163,9 @@ interface(`mta_mailserver',`
 		attribute mailserver_domain;
 	')
 
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($1)
+
 	init_daemon_domain($1,$2)
 	typeattribute $1 mailserver_domain;
 ')
@@ -202,11 +201,66 @@ interface(`mta_sendmail_mailserver',`
 		type sendmail_exec_t;
 	')
 
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($1)
+
 	init_system_domain($1,sendmail_exec_t)
 	typeattribute $1 mailserver_domain;
 ')
 
 #######################################
+## <summary>
+##	Make a type a mailserver type used
+##	for sending mail.
+## </summary>
+## <param name="domain">
+##	Mail server domain type used for sending mail.
+## </param>
+#
+interface(`mta_mailserver_sender',`
+	gen_require(`
+		attribute mailserver_sender;
+	')
+
+	typeattribute $1 mailserver_sender;
+')
+
+#######################################
+## <summary>
+##	Make a type a mailserver type used
+##	for delivering mail to local users.
+## </summary>
+## <param name="domain">
+##	Mail server domain type used for delivering mail.
+## </param>
+#
+interface(`mta_mailserver_delivery',`
+	gen_require(`
+		attribute mailserver_delivery;
+	')
+
+	typeattribute $1 mailserver_delivery;
+')
+
+#######################################
+## <summary>
+##	Make a type a mailserver type used
+##	for sending mail on behalf of local
+##	users to the local mail spool.
+## </summary>
+## <param name="domain">
+##	Mail server domain type used for sending local mail.
+## </param>
+#
+interface(`mta_mailserver_user_agent',`
+	gen_require(`
+		attribute mailserver_user_agent;
+	')
+
+	typeattribute $1 mailserver_user_agent;
+')
+
+#######################################
 #
 # mta_send_mail(domain)
 #
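Review bot: `mta_mailserver_user_agent` requires `attribute mailserver_user_agent;`, but the attribute declared in the mta.te declarations hunk of this commit is `mta_user_agent` (alongside `mailserver_delivery`, `mailserver_domain` and `mailserver_sender`), so any caller of this interface will fail with an undeclared attribute. Either the `typeattribute` line and require block should use `mta_user_agent`, or mta.te should declare `mailserver_user_agent` and the remaining `mta_user_agent` references in mta.if and mta.te should be renamed for consistency with the other three. The same naming split is visible in the template hunk above that writes `userdom_use_user_terminals($1,mta_user_agent)`.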
@@ -333,6 +387,28 @@ interface(`mta_rw_spool',`
 ')
 
 #######################################
+## <summary>
+##	Create, read, and write the mail spool.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`mta_append_spool',`
+	gen_require(`
+		type mail_spool_t;
+		class dir ra_dir_perms;
+		class lnk_file { getattr read };
+		class file create_file_perms;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_spool_t:dir ra_dir_perms;
+	allow $1 mail_spool_t:lnk_file { getattr read };
+	allow $1 mail_spool_t:file create_file_perms;
+')
+
+#######################################
 #
 # mta_manage_spool(domain)
 #
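Review bot: `mta_append_spool` grants `create_file_perms` on `mail_spool_t` files, which includes creating, writing and unlinking spool files, so the name promises far less than the interface hands out; the summary `Create, read, and write the mail spool.` does not match the name either. If append-only delivery is the intent, the file rule should be `allow $1 mail_spool_t:file ra_file_perms;` with the summary reading `Read and append to the mail spool.`; if full write access is really needed, rename the interface so callers can see the scope they are granting.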
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 6c2ea5b..3a112e9 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -6,14 +6,17 @@ policy_module(mta,1.0)
 # Declarations
 #
 
+attribute mta_user_agent;
+attribute mailserver_delivery;
+attribute mailserver_domain;
+attribute mailserver_sender;
+
 type etc_aliases_t;
 files_type(etc_aliases_t)
 
 type etc_mail_t;
 files_type(etc_mail_t)
 
-attribute mailserver_domain;
-
 type mqueue_spool_t;
 files_type(mqueue_spool_t)
 
@@ -23,7 +26,7 @@ files_type(mail_spool_t)
 type sendmail_exec_t;
 files_type(sendmail_exec_t)
 
-type system_mail_t; #, user_mail_domain
+type system_mail_t;
 domain_type(system_mail_t)
 role system_r types system_mail_t;
 
@@ -66,12 +69,14 @@ fs_getattr_xattr_fs(system_mail_t)
 
 init_use_script_pty(system_mail_t)
 
-files_read_etc_runtime_files(system_mail_t)
 files_read_etc_files(system_mail_t)
+files_read_etc_runtime_files(system_mail_t)
+files_search_spool(system_mail_t)
 # It wants to check for nscd
 files_dontaudit_search_pids(system_mail_t)
 
 corecmd_exec_bin(system_mail_t)
+corecmd_search_sbin(system_mail_t)
 
 libs_use_ld_so(system_mail_t)
 libs_use_shared_libs(system_mail_t)
@@ -82,6 +87,35 @@ miscfiles_read_localization(system_mail_t)
 
 sysnet_read_config(system_mail_t)
 
+userdom_use_sysadm_terms(system_mail_t)
+
+ifdef(`targeted_policy',`
+	allow system_mail_t etc_mail_t:file r_file_perms;
+
+	allow system_mail_t mail_spool_t:dir create_dir_perms;
+	allow system_mail_t mail_spool_t:file create_file_perms;
+	allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
+	allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
+
+	allow system_mail_t mqueue_spool_t:dir create_dir_perms;
+	allow system_mail_t mqueue_spool_t:file create_file_perms;
+	allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
+
+	optional_policy(`postfix.te',`',`
+		corecmd_exec_bin(system_mail_t)
+		corecmd_exec_sbin(system_mail_t)
+
+		domain_exec_all_entry_files(system_mail_t)
+
+		files_exec_etc_files(system_mail_t)
+
+		libs_use_ld_so(system_mail_t)
+		libs_use_shared_libs(system_mail_t)
+		libs_exec_ld_so(system_mail_t)
+		libs_exec_lib_files(system_mail_t)
+	')
+')
+
 tunable_policy(`use_dns',`
 	allow system_mail_t self:udp_socket create_socket_perms;
 	corenet_udp_sendrecv_all_if(system_mail_t)
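Review bot: Inside the new `targeted_policy` block the postfix-absent branch repeats `corecmd_exec_bin(system_mail_t)`, `libs_use_ld_so(system_mail_t)` and `libs_use_shared_libs(system_mail_t)`, all of which this file already grants unconditionally in the hunk above; those three lines are redundant and can be dropped. Since this block is now live policy rather than TODO, `domain_exec_all_entry_files(system_mail_t)` deserves a one-line comment explaining why the mail client needs to execute every domain entrypoint in the targeted build, so the breadth is not copied elsewhere without thought.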
@@ -90,6 +124,14 @@ tunable_policy(`use_dns',`
 	corenet_udp_sendrecv_dns_port(system_mail_t)
 ')
 
+optional_policy(`cron.te',`
+	cron_read_system_job_tmp_files(system_mail_t)
+')
+
+optional_policy(`logrotate.te',`
+	logrotate_read_tmp_files(system_mail_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(system_mail_t)
 ')
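Review bot: The cron and logrotate grants that replace the removed TODO rules cover only `system_mail_t`, whereas the deleted lines further down in this file (`allow mta_user_agent system_crond_tmp_t:file r_file_perms;` and the logrotate equivalent) also covered `mta_user_agent`. If dropping the `mta_user_agent` access is intended, a short comment here would stop it being re-added later; if not, add `cron_read_system_job_tmp_files(mta_user_agent)` and `logrotate_read_tmp_files(mta_user_agent)` beside the existing calls.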
@@ -102,135 +144,46 @@ optional_policy(`procmail.te',`
 	procmail_exec(system_mail_t)
 ')
 
-ifdef(`TODO',`
-
 optional_policy(`sendmail.te',`
 	allow system_mail_t etc_mail_t:dir { getattr search };
 
-	kernel_read_system_state(system_mail_t)
-
-	fs_getattr_xattr_fs(system_mail_t)
-
-	files_read_etc_runtime_files(system_mail_t)
-
-	dontaudit system_mail_t proc_net_t:dir search;
-
-	allow system_mail_t var_t:dir getattr;
-	allow system_mail_t var_spool_t:dir getattr;
-	dontaudit system_mail_t userpty_type:chr_file { getattr read write };
-
 	# sendmail -q 
 	allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
 	allow system_mail_t mqueue_spool_t:file create_file_perms;
+')
+
+ifdef(`TODO',`
+optional_policy(`sendmail.te',`
+	allow system_mail_t { var_t var_spool_t }:dir getattr;
+	dontaudit system_mail_t userpty_type:chr_file { getattr read write };
 
 	optional_policy(`crond.te', `
 		dontaudit system_mail_t system_crond_tmp_t:file append;
 	')
 ')
 
-allow system_mail_t device_t:dir search;
-allow system_mail_t { var_t var_spool_t }:dir search;
-allow system_mail_t sbin_t:dir search;
-
-# Transition from a system domain to the derived domain.
-domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
-
-optional_policy(`crond.te',`
-	# Read cron temporary files.
-	allow system_mail_t system_crond_tmp_t:file r_file_perms;
-	allow mta_user_agent system_crond_tmp_t:file r_file_perms;
-')
-
-ifdef(`qmail.te', `
-	allow system_mail_t qmail_etc_t:dir search;
-	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
-')
-
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
 	allow system_mail_t { var_t var_spool_t }:dir getattr;
-
-	allow system_mail_t etc_mail_t:file r_file_perms;
-
-	allow system_mail_t mail_spool_t:dir create_dir_perms;
-	allow system_mail_t mail_spool_t:file create_file_perms;
-	allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
-	allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-
-	allow system_mail_t mqueue_spool_t:dir create_dir_perms;
-	allow system_mail_t mqueue_spool_t:file create_file_perms;
-	allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
-
-	optional_policy(`postfix.te',`',`
-		corecmd_exec_bin(system_mail_t)
-		corecmd_exec_sbin(system_mail_t)
-
-		domain_exec_all_entry_files(system_mail_t)
-
-		files_exec_etc_files(system_mail_t)
-
-		libs_use_ld_so(system_mail_t)
-		libs_use_shared_libs(system_mail_t)
-		libs_exec_ld_so(system_mail_t)
-		libs_exec_lib_files(system_mail_t)
-	')
 ',`
-	optional_policy(`sendmail.te', `
-		# sendmail has an ugly design, the one process parses input from the user and
-		# then does system things with it.
-		domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
-	')
-
 	# allow the sysadmin to do "mail someone < /home/user/whatever"
 	allow sysadm_mail_t user_home_dir_type:dir search;
 	r_dir_file(sysadm_mail_t, user_home_type)
 ')
 
-# for a mail server process that does things in response to a user command
-allow mta_user_agent userdomain:process sigchld;
-allow mta_user_agent { userdomain privfd }:fd use;
-ifdef(`crond.te', `
-allow mta_user_agent crond_t:process sigchld;
-')
-allow mta_user_agent sysadm_t:fifo_file { read write };
-
-allow { system_mail_t mta_user_agent } privmail:fd use;
-allow { system_mail_t mta_user_agent } privmail:process sigchld;
-allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
-allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
-
-ifdef(`arpwatch.te', `
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
-')dnl end if arpwatch.te
-
-allow mta_delivery_agent home_root_t:dir { getattr search };
-
-# for /var/spool/mail
-ra_dir_create_file(mta_delivery_agent, mail_spool_t)
+allow system_mail_t privmail:fd use;
+allow system_mail_t privmail:process sigchld;
+allow system_mail_t privmail:fifo_file { read write };
 
-# for piping mail to a command
-can_exec(mta_delivery_agent, shell_exec_t)
-allow mta_delivery_agent bin_t:dir search;
-allow mta_delivery_agent bin_t:lnk_file read;
-allow mta_delivery_agent { etc_runtime_t proc_t }:file r_file_perms;
+optional_policy(`arpwatch.te',`
+	allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
 
-# Transition from a system domain to the derived domain.
-domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file r_file_perms;
-
-ifdef(`crond.te', `
-# Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file r_file_perms;
-allow mta_user_agent system_crond_tmp_t:file r_file_perms;
+	ifdef(`hide_broken_symptoms', `
+		dontaudit system_mail_t arpwatch_t:packet_socket { read write };
+	')
 ')
 
-optional_policy(`logrotate.te', `
-	allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
+optional_policy(`qmail.te',`
+	allow system_mail_t qmail_etc_t:dir search;
+	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
 ')
-
 ') dnl end TODO
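Review bot: Both copies of `domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)` and the accompanying `allow privmail sendmail_exec_t:lnk_file` rule are deleted outright instead of being carried into the new `ifdef(`TODO'` block, and nothing else in this commit adds an equivalent transition. If the `mta_send_mail` interface (not part of this diff) does not already provide it, domains that relied on the `privmail` attribute will stop transitioning into `system_mail_t`; this is worth confirming, and a comment at the deletion point saying where the transition now lives would help. The `privmail` rules that remain under TODO also depend on an attribute declaration that is not visible in this hunk.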
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 0589320..47ce143 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -6,8 +6,10 @@ policy_module(sendmail,1.0)
 # Declarations
 #
 
-type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm)
+type sendmail_t;
 mta_sendmail_mailserver(sendmail_t)
+mta_mailserver_delivery(sendmail_t)
+mta_mailserver_sender(sendmail_t)
 
 type sendmail_log_t;
 logging_log_file(sendmail_log_t)
@@ -40,8 +42,8 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta
 files_create_pid(sendmail_t,sendmail_var_run_t)
 
 kernel_read_kernel_sysctl(sendmail_t)
-kernel_list_proc(sendmail_t)
-kernel_read_proc_symlinks(sendmail_t)
+# for piping mail to a command
+kernel_read_system_state(sendmail_t)
 
 corenet_tcp_sendrecv_all_if(sendmail_t)
 corenet_raw_sendrecv_all_if(sendmail_t)
@@ -63,10 +65,15 @@ fs_search_auto_mountpoints(sendmail_t)
 
 term_dontaudit_use_console(sendmail_t)
 
+# for piping mail to a command
+corecmd_exec_shell(sendmail_t)
+
 domain_use_wide_inherit_fd(sendmail_t)
 
 files_read_etc_files(sendmail_t)
 files_search_spool(sendmail_t)
+# for piping mail to a command
+files_read_etc_runtime_files(sendmail_t)
 
 init_use_fd(sendmail_t)
 init_use_script_pty(sendmail_t)
@@ -121,6 +128,11 @@ optional_policy(`rhgb.te', `
 rhgb_domain(sendmail_t)
 ')
 
+optional_policy(`arpwatch.te',`
+	# why is mail delivered to a directory of type arpwatch_data_t?
+	allow mta_delivery_agent arpwatch_data_t:dir search;
+')
+
 #
 #  Need this transition to create /etc/aliases.db 
 #
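Review bot: The new arpwatch block grants `allow mta_delivery_agent arpwatch_data_t:dir search;`, but `mta_delivery_agent` is the old attribute name that this very commit replaces with `mailserver_delivery` in mta.if, and it is not declared in mta.te's new declarations hunk, so the rule references an undeclared attribute. Since this rule lives in sendmail.te, the subject should simply be `sendmail_t`, and `arpwatch_data_t` belongs to another module, so it should be reached through an arpwatch interface instead of a raw type reference that would also need a `gen_require`. The `# why is mail delivered...` comment carried over from the TODO block is a question, not documentation, and should either be answered or dropped.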
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 04a37da..b132ba2 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1862,6 +1862,23 @@ interface(`userdom_signal_all_users',`
 
 ########################################
 ## <summary>
+##	Send a SIGCHLD signal to all user domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_sigcld_all_users',`
+	gen_require(`
+		attribute userdomain;
+		class process sigchld;
+	')
+
+	allow $1 userdomain:process sigghld;
+')
+
+########################################
+## <summary>
 ##	Unconfined access to user domains.
 ## </summary>
 ## <param name="domain">
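Review bot: The rule in `userdom_sigcld_all_users` is misspelled: `allow $1 userdomain:process sigghld;` names a permission that does not exist, while the `gen_require` block above it correctly lists `class process sigchld;`, so the interface will fail to compile. The line should be `allow $1 userdomain:process sigchld;`. The interface name `userdom_sigcld_all_users` is also inconsistent with the `cron_sigchld` interface added in the same commit; using `sigchld` in the name as well would keep callers from guessing.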

