[selinux-policy: 733/3172] add mailman
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:08:12 UTC 2010
commit 799a0b43cd32771020738ffd286f3998224b393f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Oct 11 15:36:53 2005 +0000
add mailman
refpolicy/Changelog | 1 +
refpolicy/policy/modules/admin/logrotate.te | 6 +
refpolicy/policy/modules/admin/su.if | 16 ++
refpolicy/policy/modules/services/apache.if | 51 +++++-
refpolicy/policy/modules/services/apache.te | 11 +
refpolicy/policy/modules/services/mailman.fc | 33 ++++
refpolicy/policy/modules/services/mailman.if | 254 +++++++++++++++++++++++++
refpolicy/policy/modules/services/mailman.te | 113 +++++++++++
refpolicy/policy/modules/services/mta.if | 59 ++++--
refpolicy/policy/modules/system/init.te | 5 +
refpolicy/policy/modules/system/userdomain.if | 19 ++-
11 files changed, 549 insertions(+), 19 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 0db398e..dcda94c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -20,6 +20,7 @@
finger
ftp
kudzu
+ mailman
radvd
sasl
webalizer
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 6a28a61..31569ea 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -156,6 +156,12 @@ optional_policy(`samba.te',`
samba_exec_log(logrotate_t)
')
+optional_policy(`mailman.te',`
+ mailman_exec(logrotate_t)
+ mailman_search_data(logrotate_t)
+ mailman_manage_log(logrotate_t)
+')
+
optional_policy(`mysql.te',`
mysql_read_config(logrotate_t)
mysql_search_db_dir(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 816feae..d5526ee 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -197,3 +197,19 @@ template(`su_per_userdomain_template',`
') dnl end TODO
')
')
+
+#######################################
+## <summary>
+## Execute su in the caller domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`su_exec',`
+ gen_require(`
+ type su_exec_t;
+ ')
+
+ can_exec($1,su_exec_t)
+')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 27f19cc..4f41c3e 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -321,7 +321,7 @@ interface(`apache_domtrans',`
## Send a null signal to apache.
## </summary>
## <param name="domain">
-## The type of the process performing this action.
+## Domain allowed access.
## </param>
#
interface(`apache_signull',`
@@ -334,6 +334,38 @@ interface(`apache_signull',`
########################################
## <summary>
+## Send a SIGCHLD signal to apache.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`apache_sigchld',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from Apache.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`apache_use_fd',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:fd use;
+')
+
+########################################
+## <summary>
## Allow the specified domain to read
## apache configuration files.
## </summary>
@@ -369,3 +401,20 @@ interface(`apache_list_modules',`
allow $1 httpd_modules_t:dir r_dir_perms;
')
+
+########################################
+## <summary>
+## Do not audit attempts to append to the
+## Apache logs.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`apache_dontaudit_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ dontaudit $1 httpd_log_t:file append;
+')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index c91a0fa..e96d8c9 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -334,6 +334,13 @@ optional_policy(`kerberos.te',`
kerberos_use(httpd_t)
')
+optional_policy(`mailman.te',`
+ mailman_signal_cgi(httpd_t)
+ mailman_domtrans_cgi(httpd_t)
+ # should have separate types for public and private archives
+ mailman_read_archive(httpd_t)
+')
+
optional_policy(`mta.te',`
# apache should set close-on-exec
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
@@ -586,6 +593,10 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_execute_cifs_files(httpd_suexec_t)
')
+optional_policy(`mailman.te',`
+ mailman_domtrans_cgi(httpd_suexec_t)
+')
+
optional_policy(`mount.te',`
tunable_policy(`httpd_can_network_connect',`
mount_send_nfs_client_request(httpd_suexec_t)
diff --git a/refpolicy/policy/modules/services/mailman.fc b/refpolicy/policy/modules/services/mailman.fc
new file mode 100644
index 0000000..839017f
--- /dev/null
+++ b/refpolicy/policy/modules/services/mailman.fc
@@ -0,0 +1,33 @@
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
+/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+
+#
+# distro_debian
+#
+ifdef(`distro_debian', `
+/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+')
+
+#
+# distro_redhat
+#
+ifdef(`distro_redhat', `
+/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
new file mode 100644
index 0000000..a3f1d8c
--- /dev/null
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -0,0 +1,254 @@
+## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
+
+#######################################
+## <summary>
+## The template to define a mailmain domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new mailman daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The type of daemon to be used eg, cgi would give mailman_cgi_
+## </param>
+#
+template(`mailman_domain_template', `
+ type mailman_$1_t;
+ domain_type(mailman_$1_t)
+ role system_r types mailman_$1_t;
+
+ type mailman_$1_exec_t;
+ domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
+
+ type mailman_$1_tmp_t;
+ files_tmp_file(mailman_$1_tmp_t)
+
+ allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
+ allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
+ allow mailman_$1_t self:udp_socket create_socket_perms;
+
+ allow mailman_$1_t mailman_data_t:dir create_dir_perms;
+ allow mailman_$1_t mailman_data_t:file create_file_perms;
+ allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;
+
+ allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
+ allow mailman_$1_t mailman_lock_t:file create_file_perms;
+ files_create_lock(mailman_$1_t,mailman_lock_t)
+
+ allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
+ allow mailman_$1_t mailman_log_t:file create_file_perms;
+ logging_create_log(mailman_$1_t,mailman_log_t)
+
+ allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
+ allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
+ files_create_tmp_files(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+
+ kernel_read_kernel_sysctl(mailman_$1_t)
+ kernel_read_system_state(mailman_$1_t)
+
+ corenet_tcp_sendrecv_all_if(mailman_$1_t)
+ corenet_udp_sendrecv_all_if(mailman_$1_t)
+ corenet_raw_sendrecv_all_if(mailman_$1_t)
+ corenet_tcp_sendrecv_all_nodes(mailman_$1_t)
+ corenet_udp_sendrecv_all_nodes(mailman_$1_t)
+ corenet_raw_sendrecv_all_nodes(mailman_$1_t)
+ corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+ corenet_udp_sendrecv_all_ports(mailman_$1_t)
+ corenet_tcp_bind_all_nodes(mailman_$1_t)
+ corenet_udp_bind_all_nodes(mailman_$1_t)
+ corenet_tcp_connect_smtp_port(mailman_$1_t)
+
+ fs_getattr_xattr_fs(mailman_$1_t)
+
+ corecmd_exec_bin(mailman_$1_t)
+ corecmd_exec_sbin(mailman_$1_t)
+
+ domain_exec_all_entry_files(mailman_$1_t)
+
+ files_exec_etc_files(mailman_$1_t)
+ files_list_usr(mailman_$1_t)
+ files_list_var(mailman_$1_t)
+ files_list_var_lib(mailman_$1_t)
+ files_read_var_lib_symlinks(mailman_$1_t)
+ files_read_etc_runtime_files(mailman_$1_t)
+
+ libs_use_ld_so(mailman_$1_t)
+ libs_use_shared_libs(mailman_$1_t)
+ libs_exec_ld_so(mailman_$1_t)
+ libs_exec_lib_files(mailman_$1_t)
+
+ miscfiles_read_localization(mailman_$1_t)
+
+ sysnet_read_config(mailman_$1_t)
+
+ optional_policy(`mount.te',`
+ mount_send_nfs_client_request(mailman_$1_t)
+ ')
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind(mailman_$1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Execute mailman in the mailman domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`mailman_domtrans',`
+ gen_require(`
+ type mailman_mail_exec_t, mailman_mail_t;
+ ')
+
+ domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)
+
+ allow $1 mailman_mail_t:fd use;
+ allow mailman_mail_t $1:fd use;
+ allow mailman_mail_t $1:fifo_file rw_file_perms;
+ allow mailman_mail_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+## Execute mailman CGI scripts in the
+## mailman CGI domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`mailman_domtrans_cgi',`
+ gen_require(`
+ type mailman_cgi_exec_t, mailman_cgi_t;
+ ')
+
+ domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)
+
+ allow $1 mailman_cgi_t:fd use;
+ allow mailman_cgi_t $1:fd use;
+ allow mailman_cgi_t $1:fifo_file rw_file_perms;
+ allow mailman_cgi_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+## Execute mailman in the caller domain.
+## </summary>
+## <param name="domain">
+## Domain allowd access.
+## </param>
+#
+interface(`mailman_exec',`
+ gen_require(`
+ type mailman_mail_exec_t;
+ ')
+
+ can_exec($1,mailman_mail_exec_t)
+')
+
+#######################################
+## <summary>
+## Send generic signals to the mailman cgi domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`mailman_signal_cgi',`
+ gen_require(`
+ type mailman_cgi_t;
+ ')
+
+ allow $1 mailman_cgi_t:process signal;
+')
+
+#######################################
+## <summary>
+## Allow domain to search data directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`mailman_search_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir search;
+')
+
+#######################################
+## <summary>
+## List the contents of mailman data directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`mailman_list_data',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir r_dir_perms;
+')
+
+#######################################
+## <summary>
+## Allow read acces to mailman data symbolic links.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`mailman_read_data_symlinks',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir search;
+ allow $1 mailman_data_t:lnk_file read;
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mailman logs.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`mailman_manage_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ allow $1 mailman_log_t:dir rw_dir_perms;
+ allow $1 mailman_log_t:file create_file_perms;
+ allow $1 mailman_log_t:lnk_file create_lnk_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to read mailman archive files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`mailman_read_archive',`
+ gen_require(`
+ type mailman_archive_t;
+ ')
+
+ allow $1 mailman_archive_t:dir { getattr read search };
+ allow $1 mailman_archive_t:file { read getattr };
+ allow $1 mailman_archive_t:lnk_file { getattr read };
+')
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
new file mode 100644
index 0000000..3e3613b
--- /dev/null
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -0,0 +1,113 @@
+
+policy_module(mailman,1.0)
+
+########################################
+#
+# Declarations
+#
+
+mailman_domain_template(cgi)
+
+type mailman_data_t;
+files_type(mailman_data_t)
+
+type mailman_archive_t;
+files_type(mailman_archive_t)
+
+type mailman_log_t;
+logging_log_file(mailman_log_t)
+
+type mailman_lock_t;
+files_lock_file(mailman_lock_t)
+
+mailman_domain_template(mail)
+init_daemon_domain(mailman_mail_t,mailman_mail_exec_t)
+
+mailman_domain_template(queue)
+
+########################################
+#
+# Mailman CGI local policy
+#
+
+# cjp: the template invocation for queue should be
+# in the below optional policy; however, there are no
+# optionals for file contexts yet, so it is promoted
+# to global scope until such facilities exist.
+
+optional_policy(`apache.te',`
+ allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
+ allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
+ allow mailman_cgi_t mailman_archive_t:file create_file_perms;
+
+ kernel_tcp_recvfrom(mailman_cgi_t)
+
+ term_use_controlling_term(mailman_cgi_t)
+
+ files_search_spool(mailman_cgi_t)
+
+ mta_tcp_connect_all_mailservers(mailman_cgi_t)
+
+ apache_sigchld(mailman_cgi_t)
+ apache_use_fd(mailman_cgi_t)
+ apache_dontaudit_append_log(mailman_cgi_t)
+')
+
+########################################
+#
+# Mailman mail local policy
+#
+
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+
+mta_dontaudit_rw_delivery_tcp_socket(mailman_mail_t)
+
+ifdef(`TODO',`
+optional_policy(`qmail.te', `
+ allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
+ # do we really need this?
+ allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+')
+')
+
+########################################
+#
+# Mailman queue local policy
+#
+
+allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:process signal;
+allow mailman_queue_t self:fifo_file rw_file_perms;
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow mailman_queue_t mailman_archive_t:dir create_dir_perms;
+allow mailman_queue_t mailman_archive_t:file create_file_perms;
+allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
+
+kernel_read_proc_symlinks(mailman_queue_t)
+kernel_tcp_recvfrom(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+files_dontaudit_search_pids(mailman_queue_t)
+
+# for su
+seutil_dontaudit_search_config(mailman_queue_t)
+
+# some of the following could probably be changed to dontaudit, someone who
+# knows mailman well should test this out and send the changes
+userdom_search_sysadm_home_dir(mailman_queue_t)
+userdom_getattr_sysadm_home_dir(mailman_queue_t)
+
+mta_tcp_connect_all_mailservers(mailman_queue_t)
+
+su_exec(mailman_queue_t)
+
+optional_policy(`cron.te',`
+ cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(mailman_queue_t)
+')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 1bc0177..2d7e33c 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -232,6 +232,14 @@ interface(`mta_mailserver_delivery',`
')
typeattribute $1 mailserver_delivery;
+
+ optional_policy(`mailman.te',`
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib($1)
+
+ mailman_domtrans($1)
+ mailman_read_data_symlinks($1)
+ ')
')
#######################################
@@ -281,22 +289,6 @@ interface(`mta_send_mail',`
')
#######################################
-## <summary>
-## Connect to all mail servers over TCP.
-## </summary>
-## <param name="domain">
-## Mail server domain.
-## </param>
-#
-interface(`mta_tcp_connect_all_mailservers',`
- gen_require(`
- attribute mailserver_domain;
- ')
-
- allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
-')
-
-#######################################
#
# mta_exec(domain)
#
@@ -342,6 +334,41 @@ interface(`mta_rw_aliases',`
#######################################
## <summary>
+## Do not audit attempts to read and write TCP
+## sockets of mail delivery domains.
+## </summary>
+## <param name="domain">
+## Mail server domain.
+## </param>
+#
+interface(`mta_dontaudit_rw_delivery_tcp_socket',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ dontaudit $1 mailserver_delivery:tcp_socket { read write };
+')
+
+#######################################
+## <summary>
+## Connect to all mail servers over TCP.
+## </summary>
+## <param name="domain">
+## Mail server domain.
+## </param>
+#
+interface(`mta_tcp_connect_all_mailservers',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ allow $1 mailserver_domain:tcp_socket { connectto recvfrom };
+ allow mailserver_domain $1:tcp_socket { acceptfrom recvfrom };
+ kernel_tcp_recvfrom($1)
+')
+
+#######################################
+## <summary>
## Do not audit attempts to read a symlink
## in the mail spool.
## </summary>
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index da36dfa..8513036 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -492,6 +492,11 @@ optional_policy(`lvm.te',`
dev_create_generic_chr_file(initrc_t)
')
+optional_policy(`mailman.te',`
+ mailman_list_data(initrc_t)
+ mailman_read_data_symlinks(initrc_t)
+')
+
optional_policy(`mta.te',`
mta_dontaudit_read_spool_symlink(initrc_t)
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 912c027..227f6fd 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1746,6 +1746,23 @@ interface(`userdom_rw_sysadm_pipe',`
########################################
## <summary>
+## Get the attributes of the sysadm users
+## home directory.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`userdom_getattr_sysadm_home_dir',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ allow $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
## Search the sysadm users home directory.
## </summary>
## <param name="domain">
@@ -1755,10 +1772,8 @@ interface(`userdom_rw_sysadm_pipe',`
interface(`userdom_search_sysadm_home_dir',`
gen_require(`
type sysadm_home_dir_t;
- class dir search;
')
- files_search_home($1)
allow $1 sysadm_home_dir_t:dir search;
')
More information about the scm-commits
mailing list