[selinux-policy: 1002/3172] big cleanup of mta
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:31:36 UTC 2010
commit 08cd98b7c1ea34a3f6b060218ca4002dc6905417
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Nov 28 20:25:36 2005 +0000
big cleanup of mta
refpolicy/policy/modules/services/mta.if | 184 +++++++++++++++++--------
refpolicy/policy/modules/services/mta.te | 95 +------------
refpolicy/policy/modules/services/sendmail.if | 33 +++++
3 files changed, 163 insertions(+), 149 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index cb7f1b8..3b8eebd 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -16,7 +16,7 @@ interface(`mta_stub',`
#######################################
## <summary>
-## The per user domain template for the mta module.
+## Basic mail transfer agent domain template.
## </summary>
## <desc>
## <p>
@@ -25,34 +25,33 @@ interface(`mta_stub',`
## behalf of the user.
## </p>
## <p>
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
+## This is the basic types and rules, common
+## to the system agent and user agents, and
+## is not useful by itself.
## </p>
## </desc>
-## <param name="userdomain_prefix">
-## The prefix of the user domain (e.g., user
+## <param name="domain_prefix">
+## The prefix of the domain (e.g., user
## is the prefix for user_t).
## </param>
-## <param name="user_domain">
-## The type of the user domain.
-## </param>
-## <param name="user_role">
-## The role associated with the user domain.
-## </param>
#
-template(`mta_per_userdomain_template',`
- gen_require(`
- attribute mailserver_domain, mta_user_agent, user_mail_domain;
- type sendmail_exec_t;
- ')
+template(`mta_base_mail_template',`
+
+ ##############################
+ #
+ # $1_mail_t declarations
+ #
type $1_mail_t, user_mail_domain;
domain_type($1_mail_t)
- role $3 types $1_mail_t;
+ domain_entry_file($1_mail_t,sendmail_exec_t)
- type $1_mail_tmp_t;
- files_tmp_file($1_mail_tmp_t)
+ optional_policy(`sendmail',`
+ type $1_mail_tmp_t;
+ files_tmp_file($1_mail_tmp_t)
+
+ sendmail_stub($1_mail_t)
+ ')
##############################
#
@@ -67,20 +66,6 @@ template(`mta_per_userdomain_template',`
can_exec($1_mail_t, sendmail_exec_t)
allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
- # Transition from the user domain to the derived domain.
- domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
- allow $2 sendmail_exec_t:lnk_file { getattr read };
-
- allow $2 $1_mail_t:fd use;
- allow $1_mail_t $2:fd use;
- allow $1_mail_t $2:fifo_file rw_file_perms;
- allow $1_mail_t $2:process sigchld;
-
- # For when the user wants to send mail via port 25 localhost
- kernel_tcp_recvfrom($2)
- allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
- allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
-
kernel_read_kernel_sysctl($1_mail_t)
corenet_tcp_sendrecv_all_if($1_mail_t)
@@ -90,11 +75,7 @@ template(`mta_per_userdomain_template',`
corenet_tcp_sendrecv_all_ports($1_mail_t)
corenet_tcp_bind_all_nodes($1_mail_t)
corenet_tcp_connect_all_ports($1_mail_t)
-
- domain_use_wide_inherit_fd($1_mail_t)
-
- libs_use_ld_so($1_mail_t)
- libs_use_shared_libs($1_mail_t)
+ corenet_tcp_connect_smtp_port($1_mail_t)
corecmd_exec_bin($1_mail_t)
corecmd_search_sbin($1_mail_t)
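Review bot: The added `corenet_tcp_connect_smtp_port($1_mail_t)` is redundant: two lines above, `corenet_tcp_connect_all_ports($1_mail_t)` already covers the SMTP port for the same domain. Either the new line should go, or — since this template now also feeds every user-derived `$1_mail_t` — the all-ports connect is the one to question and the smtp-only rule the one to keep, if nothing else in the template depends on the broader grant (I cannot confirm that from the hunk). `mta_base_mail_template` begins and ends outside this hunk.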
@@ -104,6 +85,9 @@ template(`mta_per_userdomain_template',`
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
+ libs_use_ld_so($1_mail_t)
+ libs_use_shared_libs($1_mail_t)
+
logging_send_syslog_msg($1_mail_t)
miscfiles_read_localization($1_mail_t)
@@ -111,6 +95,106 @@ template(`mta_per_userdomain_template',`
sysnet_read_config($1_mail_t)
sysnet_dns_name_resolve($1_mail_t)
+ optional_policy(`nis',`
+ nis_use_ypbind($1_mail_t)
+ ')
+
+ optional_policy(`nscd',`
+ nscd_use_socket($1_mail_t)
+ ')
+
+ optional_policy(`procmail',`
+ procmail_exec($1_mail_t)
+ ')
+
+ optional_policy(`sendmail',`
+ allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
+ allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
+ files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir })
+
+ allow $1_mail_t etc_mail_t:dir { getattr search };
+
+ # Write to /var/spool/mail and /var/spool/mqueue.
+ allow $1_mail_t mail_spool_t:dir rw_dir_perms;
+ allow $1_mail_t mail_spool_t:file create_file_perms;
+ allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
+ allow $1_mail_t mqueue_spool_t:file create_file_perms;
+
+ # Check available space.
+ fs_getattr_xattr_fs($1_mail_t)
+
+ files_read_etc_runtime_files($1_mail_t)
+
+ # Write to /var/log/sendmail.st
+ sendmail_manage_log($1_mail_t)
+ sendmail_create_log($1_mail_t)
+ ')
+
+ ifdef(`TODO',`
+ ifdef(`qmail.te', `
+ allow $1_mail_t qmail_etc_t:dir search;
+ allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
+ ')
+ ') dnl end TODO
+')
+
+#######################################
+## <summary>
+## The per user domain template for the mta module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is
+## a email transfer agent, which sends mail on
+## behalf of the user.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+## The type of the user domain.
+## </param>
+## <param name="user_role">
+## The role associated with the user domain.
+## </param>
+#
+template(`mta_per_userdomain_template',`
+ gen_require(`
+ attribute mailserver_domain, mta_user_agent, user_mail_domain;
+ type sendmail_exec_t;
+ ')
+
+ mta_base_mail_template($1)
+ role $3 types $1_mail_t;
+
+ ##############################
+ #
+ # $1_mail_t local policy
+ #
+
+ # Transition from the user domain to the derived domain.
+ domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
+ allow $2 sendmail_exec_t:lnk_file { getattr read };
+
+ allow $2 $1_mail_t:fd use;
+ allow $1_mail_t $2:fd use;
+ allow $1_mail_t $2:fifo_file rw_file_perms;
+ allow $1_mail_t $2:process sigchld;
+
+ # For when the user wants to send mail via port 25 localhost
+ kernel_tcp_recvfrom($2)
+ allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
+ allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
+
+ domain_use_wide_inherit_fd($1_mail_t)
+
userdom_use_user_terminals($1,$1_mail_t)
# Write to the user domain tty. cjp: why?
userdom_use_user_terminals($1,mta_user_agent)
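Review bot: The trailing `optional_policy(`sendmail',` block of `mta_base_mail_template` grants every `$1_mail_t` — including the user-derived domains created through `mta_per_userdomain_template` — `create_file_perms` on `mail_spool_t` and `mqueue_spool_t` plus `sendmail_manage_log`, whereas the old side of this commit only shows those rules for `system_mail_t` (the mta.te hunk that removes the `# sendmail -q` and `# FIXME:` lines); if that widening is intended, a comment such as `# user mail agents write mailboxes, mqueue and sendmail logs directly` above the block would record it, otherwise the spool and log rules belong with the system-side caller. Separately, the base template dropped the old `gen_require` yet still references `user_mail_domain`, `sendmail_exec_t`, `etc_mail_t`, `mail_spool_t` and `mqueue_spool_t`, and the `gen_require` of `mta_per_userdomain_template` just above `mta_base_mail_template($1)` only lists the first two; depending on how templates are expanded in this build, a caller outside mta.te could hit undeclared types, so restoring a `gen_require` in the base template naming that attribute and those four types would make it self-contained. The body of `mta_per_userdomain_template` continues past the end of this hunk.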
@@ -131,24 +215,12 @@ template(`mta_per_userdomain_template',`
fs_manage_cifs_symlinks($1_mail_t)
')
- optional_policy(`nis',`
- nis_use_ypbind($1_mail_t)
- ')
-
- optional_policy(`nscd',`
- nscd_use_socket($1_mail_t)
- ')
-
optional_policy(`postfix',`
allow $1_mail_t self:capability dac_override;
postfix_read_config($1_mail_t)
postfix_list_spool($1_mail_t)
')
- optional_policy(`procmail',`
- procmail_exec($1_mail_t)
- ')
-
ifdef(`TODO',`
# Read user temporary files.
allow $1_mail_t $1_tmp_t:file r_file_perms;
@@ -158,21 +230,11 @@ template(`mta_per_userdomain_template',`
allow $1_mail_t $1_tmp_t:file write;
')
- # cjp: why?
allow mta_user_agent $1_tmp_t:file r_file_perms;
- # Inherit and use descriptors from gnome-pty-helper.
- ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
-
# if you do not want to allow dead.letter then use the following instead
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
#allow $1_mail_t $1_home_t:file r_file_perms;
-
- ifdef(`qmail.te', `
- allow $1_mail_t qmail_etc_t:dir search;
- allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
- ')
-
') dnl end TODO
')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index bc00f29..13c7b27 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.0.1)
+policy_module(mta,1.0.2)
########################################
#
@@ -28,17 +28,12 @@ files_type(mail_spool_t)
type sendmail_exec_t;
files_type(sendmail_exec_t)
-type system_mail_t, user_mail_domain;
-domain_type(system_mail_t)
-domain_entry_file(system_mail_t,sendmail_exec_t)
+mta_base_mail_template(system)
role system_r types system_mail_t;
-type system_mail_tmp_t;
-files_tmp_file(system_mail_tmp_t)
-
# cjp: need to resolve this, but require{}
# does not work in the else part of the optional
-#ifdef(`targeted_policy',`',`
+#ifdef(`strict_policy',`
# optional_policy(`sendmail',`',`
# init_system_domain(system_mail_t,sendmail_exec_t)
# ')
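Review bot: Replacing the unconditional `type system_mail_tmp_t; files_tmp_file(system_mail_tmp_t)` with `mta_base_mail_template(system)` makes `system_mail_tmp_t` exist only when the sendmail module is present, because the base template declares `$1_mail_tmp_t` inside `optional_policy(`sendmail',`; any remaining reference to `system_mail_tmp_t` in mta.te outside a sendmail optional block would then fail to build without sendmail — nothing visible in these hunks does so, but the later hunk header still shows `files_tmp_file(system_mail_tmp_t)` as stale context, so it is worth a grep. A one-line comment here, `# system_mail_tmp_t is only declared when sendmail is enabled`, would save the next reader the same check. The `#ifdef(`strict_policy',` edit is inside a commented-out block and has no effect as written.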
@@ -49,60 +44,17 @@ files_tmp_file(system_mail_tmp_t)
# System mail local policy
#
-allow system_mail_t self:capability { setuid setgid chown };
-allow system_mail_t self:process { signal_perms setrlimit };
-allow system_mail_t self:tcp_socket create_socket_perms;
-
allow system_mail_t etc_mail_t:dir { getattr search };
allow system_mail_t etc_mail_t:file r_file_perms;
-# re-exec itself
-can_exec(system_mail_t, sendmail_exec_t)
-allow system_mail_t sendmail_exec_t:lnk_file r_file_perms;
-
-allow system_mail_t system_mail_tmp_t:dir create_dir_perms;
-allow system_mail_t system_mail_tmp_t:file create_file_perms;
-files_create_tmp_files(system_mail_t, system_mail_tmp_t, { file dir })
-
-kernel_read_kernel_sysctl(system_mail_t)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
-corenet_tcp_sendrecv_all_if(system_mail_t)
-corenet_raw_sendrecv_all_if(system_mail_t)
-corenet_tcp_sendrecv_all_nodes(system_mail_t)
-corenet_raw_sendrecv_all_nodes(system_mail_t)
-corenet_tcp_sendrecv_all_ports(system_mail_t)
-corenet_tcp_bind_all_nodes(system_mail_t)
-corenet_tcp_connect_smtp_port(system_mail_t)
-corenet_tcp_connect_all_ports(system_mail_t)
-
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-fs_getattr_xattr_fs(system_mail_t)
-
init_use_script_pty(system_mail_t)
-files_read_etc_files(system_mail_t)
-files_read_etc_runtime_files(system_mail_t)
-files_search_spool(system_mail_t)
-# It wants to check for nscd
-files_dontaudit_search_pids(system_mail_t)
-
-corecmd_exec_bin(system_mail_t)
-corecmd_search_sbin(system_mail_t)
-
-libs_use_ld_so(system_mail_t)
-libs_use_shared_libs(system_mail_t)
-
-logging_send_syslog_msg(system_mail_t)
-
-miscfiles_read_localization(system_mail_t)
-
-sysnet_read_config(system_mail_t)
-sysnet_dns_name_resolve(system_mail_t)
-
userdom_use_sysadm_terms(system_mail_t)
ifdef(`hide_broken_symptoms',`
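Review bot: The removed `allow system_mail_t self:capability { setuid setgid chown };`, `self:process { signal_perms setrlimit }`, `self:tcp_socket create_socket_perms`, `files_read_etc_files(system_mail_t)` and `files_search_spool(system_mail_t)` rules have no counterpart in the parts of `mta_base_mail_template` visible in this commit; unless the unseen middle of that template carries equivalents, `system_mail_t` silently loses them while the visible deletions look like a pure move. Worth confirming against the full template, and adding whichever are missing there so the system agent keeps the access it had (a mail agent that can no longer `setuid`/`setgid` or search the spool will fail at delivery rather than at load time). The `# System mail local policy` section this hunk edits starts before the hunk.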
@@ -169,6 +121,7 @@ optional_policy(`arpwatch',`
optional_policy(`cron',`
cron_read_system_job_tmp_files(system_mail_t)
+ cron_read_system_job_tmp_files(mta_user_agent)
')
optional_policy(`cvs',`
@@ -179,14 +132,6 @@ optional_policy(`logrotate',`
logrotate_read_tmp_files(system_mail_t)
')
-optional_policy(`nis',`
- nis_use_ypbind(system_mail_t)
-')
-
-optional_policy(`nscd',`
- nscd_use_socket(system_mail_t)
-')
-
optional_policy(`postfix',`
postfix_stub(system_mail_t)
@@ -205,29 +150,13 @@ optional_policy(`postfix',`
allow mta_user_agent sysadm_t:fifo_file { read write };
type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
-')
-
-optional_policy(`procmail',`
- procmail_exec(system_mail_t)
-')
-
-optional_policy(`sendmail',`
- sendmail_stub(system_mail_t)
-
- allow system_mail_t etc_mail_t:dir { getattr search };
- # sendmail -q
- allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
- allow system_mail_t mqueue_spool_t:file create_file_perms;
-
- # FIXME:
- allow system_mail_t sendmail_log_t:file manage_file_perms;
- logging_create_log(system_mail_t,sendmail_log_t)
+ # postfix needs this for newaliases
+ allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
')
ifdef(`TODO',`
optional_policy(`sendmail',`
- allow system_mail_t { var_t var_spool_t }:dir getattr;
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
optional_policy(`crond',`
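Review bot: The new `allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;` names the files module's `tmp_t` directly, while the rest of this file reaches foreign types through interfaces (`files_read_etc_runtime_files`, `cron_read_system_job_tmp_files`, `postfix_read_config`); a `files_*` interface for getattr on tmp dirs (modern refpolicy has `files_getattr_tmp_dirs`, if this tree provides it) would keep the module from depending on that type name. It also references `sysadm_mail_t`, which mta.te does not declare — it comes from whichever module invokes `mta_per_userdomain_template(sysadm,...)` — so the rule assumes that template is always expanded before this file is processed. The enclosing `optional_policy(`postfix',` block begins outside this hunk.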
@@ -235,23 +164,13 @@ optional_policy(`sendmail',`
')
')
-ifdef(`targeted_policy',`
- allow system_mail_t { var_t var_spool_t }:dir getattr;
-',`
+ifdef(`strict_policy',`
# allow the sysadmin to do "mail someone < /home/user/whatever"
allow sysadm_mail_t user_home_dir_type:dir search;
r_dir_file(sysadm_mail_t, user_home_type)
')
-
-
-optional_policy(`qmail',`
- allow system_mail_t qmail_etc_t:dir search;
- allow system_mail_t qmail_etc_t:{ file lnk_file } read;
-')
') dnl end TODO
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
-
optional_policy(`arpwatch',`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index 0f03e70..51d2e28 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -52,3 +52,36 @@ interface(`sendmail_rw_tcp_socket',`
allow $1 sendmail_t:tcp_socket { read write };
')
+
+########################################
+## <summary>
+## Create, read, write, and delete sendmail logs.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`sendmail_manage_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 sendmail_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create sendmail logs with the correct type.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`sendmail_create_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+ logging_create_log($1,sendmail_log_t,file)
+')
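Review bot: The summary of `sendmail_create_log`, "Create sendmail logs with the correct type", overstates what the interface does: its body is only `logging_create_log($1,sendmail_log_t,file)`, which appears to set the type on files the caller creates under the log directory, and the caller still needs `sendmail_manage_log` for the actual file permissions — which is why mta.if invokes both back to back. A `<desc>` line making that explicit, e.g. `Labels log files created by the domain as sendmail_log_t; pair with sendmail_manage_log for the file permissions.`, would prevent a caller from using it alone and wondering why writes are denied. Note also that `sendmail_manage_log` hands out `manage_file_perms` (including unlink) on `sendmail_log_t`, so callers that only append should not be given it by default.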