2010-04-05 15:35:46

by domg472

Subject: [refpolicy] [ mta patch 1/1] This is what i think would probably have to be modifies to make mail home work.

It builds but it is untested. I think that qmail may also need this access, but I could not find
any evidence of this.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 3fd227b... 5b7268e... M policy/modules/roles/staff.te
:100644 100644 2ed3c67... c918465... M policy/modules/roles/sysadm.te
:100644 100644 b0be6d2... 62a1760... M policy/modules/roles/unprivuser.te
:100644 100644 5c3d708... 193c77e... M policy/modules/services/courier.te
:100644 100644 9f16e2e... 96e362c... M policy/modules/services/dovecot.te
:100644 100644 fccf3f8... 1d6660a... M policy/modules/services/exim.te
:100644 100644 256166a... f39f7f4... M policy/modules/services/mta.fc
:100644 100644 44e782e... 910f1aa... M policy/modules/services/mta.if
:100644 100644 797d86b... bab7d6f... M policy/modules/services/mta.te
:100644 100644 1343621... 69d6180... M policy/modules/services/procmail.fc
:100644 100644 f68e025... 20580d3... M policy/modules/services/procmail.if
:100644 100644 a51bbf6... ff1470a... M policy/modules/services/procmail.te
policy/modules/roles/staff.te | 7 ++
policy/modules/roles/sysadm.te | 7 ++
policy/modules/roles/unprivuser.te | 7 ++
policy/modules/services/courier.te | 4 +-
policy/modules/services/dovecot.te | 18 +---
policy/modules/services/exim.te | 4 +
policy/modules/services/mta.fc | 9 ++-
policy/modules/services/mta.if | 170 +++++++++++++++++++++++++++++++++++
policy/modules/services/mta.te | 16 ++--
policy/modules/services/procmail.fc | 12 ++-
policy/modules/services/procmail.if | 61 +++++++++++++
policy/modules/services/procmail.te | 13 ++--
12 files changed, 293 insertions(+), 35 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 3fd227b..5b7268e 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -93,6 +93,8 @@ optional_policy(`

optional_policy(`
mta_role(staff_r, staff_t)
+ mta_manage_mail_home(staff_t)
+ mta_relabel_mail_home(staff_t)
')

optional_policy(`
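Review bot: The same two lines are appended after every `mta_role` call in staff.te, sysadm.te and unprivuser.te, and an identical procmail block is added to each of the three role files. If every role that calls mta_role is meant to manage and relabel its own mail home, folding `mta_manage_mail_home($2)` and `mta_relabel_mail_home($2)` into mta_role itself (and the two procmail calls into a single shared place) keeps the role files from diverging the next time one of them is edited. mta_role's body is not in this patch, so I cannot confirm it does not already cover part of this.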
@@ -105,6 +107,11 @@ optional_policy(`
')

optional_policy(`
+ procmail_manage_user_content_files(staff_t)
+ procmail_relabel_user_content_files(staff_t)
+')
+
+optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2ed3c67..c918465 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -264,6 +264,8 @@ optional_policy(`

optional_policy(`
mta_role(sysadm_r, sysadm_t)
+ mta_manage_mail_home(sysadm_t)
+ mta_relabel_mail_home(sysadm_t)
')

optional_policy(`
@@ -308,6 +310,11 @@ optional_policy(`
')

optional_policy(`
+ procmail_manage_user_content_files(sysadm_t)
+ procmail_relabel_user_content_files(sysadm_t)
+')
+
+optional_policy(`
pyzor_role(sysadm_r, sysadm_t)
')

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index b0be6d2..62a1760 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -87,6 +87,8 @@ optional_policy(`

optional_policy(`
mta_role(user_r, user_t)
+ mta_manage_mail_home(user_t)
+ mta_relabel_mail_home(user_t)
')

optional_policy(`
@@ -99,6 +101,11 @@ optional_policy(`
')

optional_policy(`
+ procmail_manage_user_content_files(user_t)
+ procmail_relabel_user_content_files(user_t)
+')
+
+optional_policy(`
pyzor_role(user_r, user_t)
')

diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 5c3d708..193c77e 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -101,12 +101,12 @@ miscfiles_read_localization(courier_pop_t)
courier_domtrans_authdaemon(courier_pop_t)

# do the actual work (read the Maildir)
-userdom_manage_user_home_content_files(courier_pop_t)
+mta_manage_mail_home(courier_pop_t)
+mta_user_home_filetrans_mail_home(courier_pop_t)
# cjp: the fact that this is different for pop vs imap means that
# there should probably be a courier_pop_t and courier_imap_t
# this should also probably be a separate type too instead of
# the regular home dir
-userdom_manage_user_home_content_dirs(courier_pop_t)

########################################
#
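Review bot: The comment kept between the new `mta_user_home_filetrans_mail_home(courier_pop_t)` and the removed dirs rule still says "this should also probably be a separate type too instead of the regular home dir", which is exactly what mail_home_t now provides, so it should be trimmed to the remaining pop-vs-imap point, e.g. `# cjp: the fact that this is different for pop vs imap means that there should probably be a courier_pop_t and courier_imap_t`. The `# do the actual work (read the Maildir)` line above now sits over a manage rule rather than a read, and the path this patch labels mail_home_t in mta.fc is HOME_DIR/Mail, not Maildir, so that comment is also worth reconciling with what is actually granted.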
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 9f16e2e..96e362c 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -128,15 +128,12 @@ miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_manage_user_home_content_dirs(dovecot_t)
-userdom_manage_user_home_content_files(dovecot_t)
-userdom_manage_user_home_content_symlinks(dovecot_t)
-userdom_manage_user_home_content_pipes(dovecot_t)
-userdom_manage_user_home_content_sockets(dovecot_t)
-userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })

mta_manage_spool(dovecot_t)

+mta_manage_mail_home(dovecot_t)
+mta_user_home_filetrans_mail_home(dovecot_t)
+
optional_policy(`
kerberos_keytab_template(dovecot, dovecot_t)
')
@@ -255,13 +252,6 @@ files_search_tmp(dovecot_deliver_t)

fs_getattr_all_fs(dovecot_deliver_t)

-userdom_manage_user_home_content_dirs(dovecot_deliver_t)
-userdom_manage_user_home_content_files(dovecot_deliver_t)
-userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
-userdom_manage_user_home_content_pipes(dovecot_deliver_t)
-userdom_manage_user_home_content_sockets(dovecot_deliver_t)
-userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(dovecot_t)
fs_manage_nfs_symlinks(dovecot_t)
@@ -274,4 +264,6 @@ tunable_policy(`use_samba_home_dirs',`

optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_manage_mail_home(dovecot_deliver_t)
+ mta_user_home_filetrans_mail_home(dovecot_deliver_t)
')
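Review bot: For dovecot_deliver_t the mail home access is added inside an optional_policy block, while for dovecot_t in the first hunk of this file the same pair is added unconditionally right after an unconditional `mta_manage_spool(dovecot_t)`; the two placements should match. Since mta_manage_spool is already called for dovecot_t outside any optional_policy, the dependency on mta appears to be hard and the wrapper here is probably unnecessary, but if the wrapper is intended then the dovecot_t calls should move inside one as well.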
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index fccf3f8..1d6660a 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -130,6 +130,10 @@ mta_read_config(exim_t)
mta_manage_spool(exim_t)
mta_mailserver_delivery(exim_t)

+# Not sure about this but makes sense.
+mta_manage_mail_home(exim_t)
+mta_user_home_filetrans_mail_home(exim_t)
+
tunable_policy(`exim_can_connect_db',`
corenet_tcp_connect_mysqld_port(exim_t)
corenet_sendrecv_mysqld_client_packets(exim_t)
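Review bot: The two lines under `# Not sure about this but makes sense.` look redundant: exim_t already calls `mta_mailserver_delivery(exim_t)` a few lines above, and if that interface puts exim_t in the mailserver_delivery attribute as elsewhere in refpolicy, the mta.te hunk of this same patch already grants `mta_manage_mail_home(mailserver_delivery)` and `mta_user_home_filetrans_mail_home(mailserver_delivery)`. Either drop the four added lines, or, if exim needs the access outside the attribute for a reason, replace the comment with that reason so the uncertainty does not ship in the policy.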
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 256166a..f39f7f4 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,4 +1,5 @@
HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+HOME_DIR/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0)

/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)

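Review bot: The only home path labelled mail_home_t is HOME_DIR/Mail, yet courier_pop_t, dovecot_t, dovecot_deliver_t, procmail_t and mailserver_delivery all lose their userdom_manage_user_home_content_* rules in this same patch, so any mailbox kept elsewhere under the home directory (the Maildir layout that courier.te's own comment refers to, for example) would stay user_home_t and delivery into it would be denied. Consider covering the common layouts, e.g. `HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0)`, and documenting in mta.te which paths the new type is meant for, since the description says the change is untested.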
@@ -7,9 +8,6 @@ HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-ifdef(`distro_redhat',`
-/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
-')

/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)

@@ -28,3 +26,8 @@ ifdef(`distro_redhat',`
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 44e782e..910f1aa 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -498,6 +498,51 @@ interface(`mta_manage_aliases',`

########################################
## <summary>
+## Create, read, write, and delete
+## dirs, files, pipes, lnk files and
+## sock files mail home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_mail_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, mail_home_t, mail_home_t)
+ manage_files_pattern($1, mail_home_t, mail_home_t)
+ manage_lnk_files_pattern($1, mail_home_t, mail_home_t)
+ manage_sock_files_pattern($1, mail_home_t, mail_home_t)
+ manage_fifo_files_pattern($1, mail_home_t, mail_home_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_mail_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, mail_home_t, mail_home_t)
+')
+
+########################################
+## <summary>
## Type transition files created in /etc
## to the mail address aliases type.
## </summary>
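Review bot: The summary of mta_manage_mail_home reads "dirs, files, pipes, lnk files and sock files mail home content", which is missing a word; suggest `## Create, read, write, and delete all mail home content (dirs, files, lnk files, pipes and sock files).` The companion mta_manage_mail_home_files summary would be clearer if it said explicitly that it covers files only, so readers pick the right one of the two.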
@@ -517,6 +562,47 @@ interface(`mta_etc_filetrans_aliases',`

########################################
## <summary>
+## Type transition dirs, files, pipes
+## lnk files and sock files created in
+## user home directories to the mail
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_user_home_filetrans_mail_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, mail_home_t, { dir file fifo_file lnk_file sock_file })
+')
+
+########################################
+## <summary>
+## Type transition files created in
+## user home directories to the mail
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_user_home_filetrans_mail_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, mail_home_t, file)
+')
+
+########################################
+## <summary>
## Read and write mail aliases.
## </summary>
## <param name="domain">
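Review bot: Both new filetrans interfaces call `userdom_user_home_content_filetrans`, which as far as I recall transitions objects created inside user_home_t content, whereas the rules they replace in mta.te, dovecot.te, courier.te and procmail.te used `userdom_user_home_dir_filetrans_user_home_content`, i.e. objects created directly in the user home directory (user_home_dir_t). If so, HOME_DIR/Mail itself and dead.letter, both created at the top level of the home directory, would not receive mail_home_t. Consider `userdom_user_home_dir_filetrans($1, mail_home_t, { dir file fifo_file lnk_file sock_file })` and `userdom_user_home_dir_filetrans($1, mail_home_t, file)` respectively, or both transitions if content under Mail/ must also be covered; please verify against the current userdomain.if before changing.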
@@ -860,3 +946,87 @@ interface(`mta_rw_user_mail_stream_sockets',`

allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
+
+########################################
+## <summary>
+## Read mail home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_mail_home',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ search_dirs_pattern($1, mail_home_t, mail_home_t)
+ read_fifo_files_pattern($1, mail_home_t, mail_home_t)
+ read_files_pattern($1, mail_home_t, mail_home_t)
+ read_lnk_files_pattern($1, mail_home_t, mail_home_t)
+ read_sock_files_pattern($1, mail_home_t, mail_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Relabel mail home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_relabel_mail_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ relabel_dirs_pattern($1, mail_home_t, mail_home_t)
+ relabel_fifo_files_pattern($1, mail_home_t, mail_home_t)
+ relabel_files_pattern($1, mail_home_t, mail_home_t)
+ relabel_lnk_files_pattern($1, mail_home_t, mail_home_t)
+ relabel_sock_files_pattern($1, mail_home_t, mail_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read mail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_mail_home_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ allow $1 mail_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Relabel mail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_relabel_mail_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ allow $1 mail_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+')
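Review bot: `mta_read_mail_home` and `mta_read_mail_home_files` declare `type procmail_home_t;` in their gen_require but every rule in their bodies uses mail_home_t, so mail_home_t is never required (a caller would fail with an undeclared type) and procmail_home_t, which is declared in procmail.te rather than this module, is required for nothing; both should read `type mail_home_t;`. Separately, `mta_read_mail_home_files` and `mta_relabel_mail_home_files` use bare `allow $1 mail_home_t:file ...` while every other new interface in this file uses the `*_files_pattern` macros; using `read_files_pattern($1, mail_home_t, mail_home_t)` and `relabel_files_pattern($1, mail_home_t, mail_home_t)` keeps the style uniform and also grants the directory search needed to reach files under HOME_DIR/Mail.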
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 797d86b..bab7d6f 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -44,6 +44,10 @@ typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
ubac_constrained(user_mail_t)
ubac_constrained(user_mail_tmp_t)

+# postfix, sendmail, exim, qmail, procmail, courier
+type mail_home_t;
+userdom_user_home_content(mail_home_t)
+
########################################
#
# System mail local policy
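Review bot: The comment above `type mail_home_t;` lists domains but does not say what the type is, which is the one thing a reader of this declaration needs; suggest `# user mail home content (HOME_DIR/Mail in mta.fc), written by delivery agents: postfix, sendmail, exim, procmail, courier`. The description says qmail's need for this is unconfirmed, so either drop it from the list or mark it as unverified rather than listing it as a fact.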
@@ -256,16 +260,12 @@ userdom_use_user_terminals(user_mail_t)
# Write to the user domain tty. cjp: why?
userdom_use_user_terminals(mta_user_agent)
# Create dead.letter in user home directories.
-userdom_manage_user_home_content_files(user_mail_t)
-userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
+mta_manage_mail_home_files(user_mail_t)
+mta_user_home_filetrans_mail_home_files(user_mail_t)
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
-userdom_manage_user_home_content_dirs(mailserver_delivery)
-userdom_manage_user_home_content_files(mailserver_delivery)
-userdom_manage_user_home_content_symlinks(mailserver_delivery)
-userdom_manage_user_home_content_pipes(mailserver_delivery)
-userdom_manage_user_home_content_sockets(mailserver_delivery)
-userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+mta_manage_mail_home(mailserver_delivery)
+mta_user_home_filetrans_mail_home(mailserver_delivery)
# Read user temporary files.
userdom_read_user_tmp_files(user_mail_t)
userdom_dontaudit_append_user_tmp_files(user_mail_t)
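Review bot: `mta_user_home_filetrans_mail_home_files(user_mail_t)` makes dead.letter mail_home_t, but mta.fc in this patch has no entry for that path, so a relabel of the home directory would turn it back into user_home_t, which user_mail_t can no longer write now that `userdom_manage_user_home_content_files(user_mail_t)` is dropped. Add `HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)` to mta.fc, or keep file-level user home access for user_mail_t. The retained `# for reading .forward - maybe we need a new type for it?` comment now heads rules that are about mail_home_t while .forward already has mail_forward_t in mta.fc, so it should be rewritten to describe the maildir delivery the rules below actually grant.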
diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
index 1343621..69d6180 100644
--- a/policy/modules/services/procmail.fc
+++ b/policy/modules/services/procmail.fc
@@ -1,5 +1,11 @@
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)

-/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+
+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
+
+ifdef(`distro_redhat',`
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+')

-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
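Review bot: `/usr/bin/procmail` and the two `/var/log/procmail` entries are removed and re-added with what appear to be only whitespace or position changes, which hides the real change (the two procmail_home_t entries) and invites merge conflicts for anyone else touching this file. Keep the existing lines where they are and add only `HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)` plus the distro_redhat block.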
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
index f68e025..20580d3 100644
--- a/policy/modules/services/procmail.if
+++ b/policy/modules/services/procmail.if
@@ -77,3 +77,64 @@ interface(`procmail_rw_tmp_files',`
files_search_tmp($1)
rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
')
+
+########################################
+## <summary>
+## Read procmail user home content
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_read_user_content_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ allow $1 procmail_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## procmail home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_manage_user_content_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ allow $1 procmail_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Relabel procmail user home content
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_relabel_user_content_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ allow $1 procmail_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
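Review bot: Nothing in this patch creates the procmail_home_t label except a relabel: a user who writes a fresh ~/.procmailrc gets user_home_t, and procmail_t, which this patch limits to `procmail_read_user_content_files`, will then be denied reading it until restorecon runs; that is worth stating in each summary, e.g. `## No type transition is provided; files get procmail_home_t only via procmail.fc labelling or relabel.` On style, these three interfaces use bare `allow $1 procmail_home_t:file ...` while the mta.if interfaces added in the same patch use the `*_files_pattern` macros, and the interface names say user_content while their summaries say "procmail home content"; one vocabulary should be used for both. The added blank line after the last `')` also leaves procmail.if ending in an empty line.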
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index a51bbf6..ff1470a 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -11,6 +11,9 @@ type procmail_exec_t;
application_domain(procmail_t, procmail_exec_t)
role system_r types procmail_t;

+type procmail_home_t;
+userdom_user_home_content(procmail_home_t)
+
type procmail_log_t;
logging_log_file(procmail_log_t)

@@ -32,6 +35,8 @@ allow procmail_t self:udp_socket create_socket_perms;

can_exec(procmail_t, procmail_exec_t)

+procmail_read_user_content_files(procmail_t)
+
# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -81,12 +86,8 @@ logging_send_syslog_msg(procmail_t)
miscfiles_read_localization(procmail_t)

# only works until we define a different type for maildir
-userdom_manage_user_home_content_dirs(procmail_t)
-userdom_manage_user_home_content_files(procmail_t)
-userdom_manage_user_home_content_symlinks(procmail_t)
-userdom_manage_user_home_content_pipes(procmail_t)
-userdom_manage_user_home_content_sockets(procmail_t)
-userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
+mta_manage_mail_home(procmail_t)
+mta_user_home_filetrans_mail_home(procmail_t)

# Do not audit attempts to access /root.
userdom_dontaudit_search_user_home_dirs(procmail_t)
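Review bot: The retained comment `# only works until we define a different type for maildir` now sits directly above `mta_manage_mail_home(procmail_t)`, which is the separate type it was waiting for, so it is stale and should become something like `# deliver into the user's mail home content`. Note also that mta_manage_mail_home grants `userdom_search_user_home_dirs($1)`, which makes the `userdom_dontaudit_search_user_home_dirs(procmail_t)` below redundant for the home directories that interface covers; harmless, but the two lines now contradict each other's intent and the dontaudit comment about /root is worth checking against what is actually still denied.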
--
1.7.0.1
