2010-04-05 16:45:28

by domg472

Subject: [refpolicy] [ mta patch (Retry) 1/1] This is what i think would probably have to be modified to make mail home work.

Previous patch had minor issues:

move relabel/manage of mail home for user domains to mta_role.
allow mta role to manage ~/.forward.
make ~/.forward userdomain user home content.
allow unconfined_t to manage/relabel oidentd and procmail user home content.
add some more file context specifications for the different mail formats.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 3fd227b... 4bb5869... M policy/modules/roles/staff.te
:100644 100644 2ed3c67... 029e06d... M policy/modules/roles/sysadm.te
:100644 100644 b0be6d2... d3a5988... M policy/modules/roles/unprivuser.te
:100644 100644 5c3d708... 193c77e... M policy/modules/services/courier.te
:100644 100644 9f16e2e... 96e362c... M policy/modules/services/dovecot.te
:100644 100644 fccf3f8... 1d6660a... M policy/modules/services/exim.te
:100644 100644 256166a... 2df2d17... M policy/modules/services/mta.fc
:100644 100644 44e782e... 1146303... M policy/modules/services/mta.if
:100644 100644 797d86b... 4d235be... M policy/modules/services/mta.te
:100644 100644 1343621... 69d6180... M policy/modules/services/procmail.fc
:100644 100644 f68e025... 20580d3... M policy/modules/services/procmail.if
:100644 100644 a51bbf6... ff1470a... M policy/modules/services/procmail.te
:100644 100644 df25576... eed82b5... M policy/modules/system/unconfined.te
policy/modules/roles/staff.te | 5 +
policy/modules/roles/sysadm.te | 5 +
policy/modules/roles/unprivuser.te | 5 +
policy/modules/services/courier.te | 4 +-
policy/modules/services/dovecot.te | 18 +---
policy/modules/services/exim.te | 4 +
policy/modules/services/mta.fc | 14 ++-
policy/modules/services/mta.if | 178 ++++++++++++++++++++++++++++++++++-
policy/modules/services/mta.te | 17 ++--
policy/modules/services/procmail.fc | 12 ++-
policy/modules/services/procmail.if | 61 ++++++++++++
policy/modules/services/procmail.te | 13 ++-
policy/modules/system/unconfined.te | 10 ++
13 files changed, 309 insertions(+), 37 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 3fd227b..4bb5869 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -105,6 +105,11 @@ optional_policy(`
')

optional_policy(`
+ procmail_manage_user_content_files(staff_t)
+ procmail_relabel_user_content_files(staff_t)
+')
+
+optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2ed3c67..029e06d 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -308,6 +308,11 @@ optional_policy(`
')

optional_policy(`
+ procmail_manage_user_content_files(sysadm_t)
+ procmail_relabel_user_content_files(sysadm_t)
+')
+
+optional_policy(`
pyzor_role(sysadm_r, sysadm_t)
')

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index b0be6d2..d3a5988 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -99,6 +99,11 @@ optional_policy(`
')

optional_policy(`
+ procmail_manage_user_content_files(user_t)
+ procmail_relabel_user_content_files(user_t)
+')
+
+optional_policy(`
pyzor_role(user_r, user_t)
')

diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 5c3d708..193c77e 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -101,12 +101,12 @@ miscfiles_read_localization(courier_pop_t)
courier_domtrans_authdaemon(courier_pop_t)

# do the actual work (read the Maildir)
-userdom_manage_user_home_content_files(courier_pop_t)
+mta_manage_mail_home(courier_pop_t)
+mta_user_home_filetrans_mail_home(courier_pop_t)
# cjp: the fact that this is different for pop vs imap means that
# there should probably be a courier_pop_t and courier_imap_t
# this should also probably be a separate type too instead of
# the regular home dir
-userdom_manage_user_home_content_dirs(courier_pop_t)

########################################
#
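Review bot: The `# cjp:` comment block now trails nothing, because the `userdom_manage_user_home_content_dirs(courier_pop_t)` line it introduced is removed, and its last two lines ("this should also probably be a separate type too instead of the regular home dir") are addressed by the new mail_home_t type. Either delete those two lines or shorten the block to `# cjp: the fact that this is different for pop vs imap means that` / `# there should probably be a courier_pop_t and courier_imap_t`, and move it above the two new mta_* calls so it attaches to a rule. The pop-vs-imap remark still applies since both new rules are granted to courier_pop_t only.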
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 9f16e2e..96e362c 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -128,15 +128,12 @@ miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_manage_user_home_content_dirs(dovecot_t)
-userdom_manage_user_home_content_files(dovecot_t)
-userdom_manage_user_home_content_symlinks(dovecot_t)
-userdom_manage_user_home_content_pipes(dovecot_t)
-userdom_manage_user_home_content_sockets(dovecot_t)
-userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })

mta_manage_spool(dovecot_t)

+mta_manage_mail_home(dovecot_t)
+mta_user_home_filetrans_mail_home(dovecot_t)
+
optional_policy(`
kerberos_keytab_template(dovecot, dovecot_t)
')
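Review bot: `mta_manage_mail_home(dovecot_t)` and `mta_user_home_filetrans_mail_home(dovecot_t)` are added unconditionally here, while the identical pair for dovecot_deliver_t in the third hunk of this file (@@ -274,4) is placed inside an `optional_policy(...)` block. The pre-existing `mta_manage_spool(dovecot_t)` call is also unconditional, so the inconsistency is older than this patch, but since both new pairs are introduced together it is the moment to settle on one treatment of the mta dependency. If mta is optional for dovecot, wrap the dovecot_t calls as well; if it is a hard dependency, the optional_policy block around the dovecot_deliver_t calls can be flattened.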
@@ -255,13 +252,6 @@ files_search_tmp(dovecot_deliver_t)

fs_getattr_all_fs(dovecot_deliver_t)

-userdom_manage_user_home_content_dirs(dovecot_deliver_t)
-userdom_manage_user_home_content_files(dovecot_deliver_t)
-userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
-userdom_manage_user_home_content_pipes(dovecot_deliver_t)
-userdom_manage_user_home_content_sockets(dovecot_deliver_t)
-userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(dovecot_t)
fs_manage_nfs_symlinks(dovecot_t)
@@ -274,4 +264,6 @@ tunable_policy(`use_samba_home_dirs',`

optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_manage_mail_home(dovecot_deliver_t)
+ mta_user_home_filetrans_mail_home(dovecot_deliver_t)
')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index fccf3f8..1d6660a 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -130,6 +130,10 @@ mta_read_config(exim_t)
mta_manage_spool(exim_t)
mta_mailserver_delivery(exim_t)

+# Not sure about this but makes sense.
+mta_manage_mail_home(exim_t)
+mta_user_home_filetrans_mail_home(exim_t)
+
tunable_policy(`exim_can_connect_db',`
corenet_tcp_connect_mysqld_port(exim_t)
corenet_sendrecv_mysqld_client_packets(exim_t)
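Review bot: The two new calls look redundant with `mta_mailserver_delivery(exim_t)` two lines above: mta.te in this same patch grants `mta_manage_mail_home(mailserver_delivery)` and `mta_user_home_filetrans_mail_home(mailserver_delivery)`, so exim_t already receives both through the mailserver_delivery attribute, assuming that interface adds the attribute as it does elsewhere in refpolicy. The `# Not sure about this but makes sense.` comment records an open question rather than a reason and should not be committed as is. Either drop the two calls, or replace the comment with the concrete reason exim_t needs them directly.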
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 256166a..2df2d17 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,4 +1,7 @@
HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+HOME_DIR/\.mbox -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0)

/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)

@@ -7,9 +10,6 @@ HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-ifdef(`distro_redhat',`
-/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
-')

/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)

@@ -28,3 +28,11 @@ ifdef(`distro_redhat',`
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+/root/\.mbox -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 44e782e..1146303 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -162,7 +162,7 @@ template(`mta_base_mail_template',`
interface(`mta_role',`
gen_require(`
attribute mta_user_agent;
- type user_mail_t, sendmail_exec_t;
+ type user_mail_t, sendmail_exec_t, mail_forward_t;
')

role $1 types { user_mail_t mta_user_agent };
@@ -174,6 +174,12 @@ interface(`mta_role',`
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
allow mta_user_agent $2:fifo_file { read write };
+
+ manage_files_pattern($2, mail_forward_t, mail_forward_t)
+ relabel_files_pattern($2, mail_forward_t, mail_forward_t)
+
+ mta_manage_mail_home($2)
+ mta_relabel_mail_home($2)
')

########################################
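Review bot: The direct `manage_files_pattern($2, mail_forward_t, mail_forward_t)` and `relabel_files_pattern($2, mail_forward_t, mail_forward_t)` rules, together with `mta_manage_mail_home($2)` and `mta_relabel_mail_home($2)`, may be redundant now that mta.te in this patch makes both mail_forward_t and mail_home_t `userdom_user_home_content`: user domains set up through the userdom home-role interfaces normally receive manage and relabel on the whole user_home_type attribute, which would already cover both types. If that holds, the six added lines and the new `mail_forward_t` entry in gen_require (previous hunk, @@ -162,7) can go. If user domains are intentionally not given attribute-wide access here, a one-line comment stating why the direct grants are needed would save the next reader the same question.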
@@ -498,6 +504,51 @@ interface(`mta_manage_aliases',`

########################################
## <summary>
+## Create, read, write, and delete
+## dirs, files, pipes, lnk files and
+## sock files mail home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_mail_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, mail_home_t, mail_home_t)
+ manage_files_pattern($1, mail_home_t, mail_home_t)
+ manage_lnk_files_pattern($1, mail_home_t, mail_home_t)
+ manage_sock_files_pattern($1, mail_home_t, mail_home_t)
+ manage_fifo_files_pattern($1, mail_home_t, mail_home_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_manage_mail_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, mail_home_t, mail_home_t)
+')
+
+########################################
+## <summary>
## Type transition files created in /etc
## to the mail address aliases type.
## </summary>
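Review bot: The summary of `mta_manage_mail_home` is missing a word: `## sock files mail home content.` should read `## sock files of mail home content.` or, more in keeping with the other summaries in this file, simply `## Create, read, write, and delete mail home content.` Also, `userdom_search_user_home_dirs($1)` is placed first in these two interfaces but last in the read/relabel interfaces added further down; pick one ordering for the new mail_home interfaces.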
@@ -517,6 +568,47 @@ interface(`mta_etc_filetrans_aliases',`

########################################
## <summary>
+## Type transition dirs, files, pipes
+## lnk files and sock files created in
+## user home directories to the mail
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_user_home_filetrans_mail_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, mail_home_t, { dir file fifo_file lnk_file sock_file })
+')
+
+########################################
+## <summary>
+## Type transition files created in
+## user home directories to the mail
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_user_home_filetrans_mail_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, mail_home_t, file)
+')
+
+########################################
+## <summary>
## Read and write mail aliases.
## </summary>
## <param name="domain">
@@ -860,3 +952,87 @@ interface(`mta_rw_user_mail_stream_sockets',`

allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
+
+########################################
+## <summary>
+## Read mail home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_mail_home',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ search_dirs_pattern($1, mail_home_t, mail_home_t)
+ read_fifo_files_pattern($1, mail_home_t, mail_home_t)
+ read_files_pattern($1, mail_home_t, mail_home_t)
+ read_lnk_files_pattern($1, mail_home_t, mail_home_t)
+ read_sock_files_pattern($1, mail_home_t, mail_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Relabel mail home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_relabel_mail_home',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ relabel_dirs_pattern($1, mail_home_t, mail_home_t)
+ relabel_fifo_files_pattern($1, mail_home_t, mail_home_t)
+ relabel_files_pattern($1, mail_home_t, mail_home_t)
+ relabel_lnk_files_pattern($1, mail_home_t, mail_home_t)
+ relabel_sock_files_pattern($1, mail_home_t, mail_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Read mail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_mail_home_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ allow $1 mail_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Relabel mail home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_relabel_mail_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ allow $1 mail_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 797d86b..4d235be 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -22,7 +22,7 @@ type etc_mail_t;
files_config_file(etc_mail_t)

type mail_forward_t;
-files_type(mail_forward_t)
+userdom_user_home_content(mail_forward_t)

type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
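Review bot: Switching mail_forward_t from `files_type` to `userdom_user_home_content` changes who can reach ~/.forward: any domain granted access through the user_home_type attribute (generic home-content interfaces used by backup, sync or admin domains) now reaches it, where before only rules naming mail_forward_t did. Since ~/.forward controls how a user's mail is delivered, the original separate files_type looks deliberate, and the widening deserves a comment on this line, e.g. `# ~/.forward is user home content so users can manage it; note this also exposes it to attribute-wide home-content grants.` If that exposure is not wanted, keeping files_type and granting user domains the direct rules already added to mta_role would achieve the stated goal.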
@@ -44,6 +44,9 @@ typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
ubac_constrained(user_mail_t)
ubac_constrained(user_mail_tmp_t)

+type mail_home_t;
+userdom_user_home_content(mail_home_t)
+
########################################
#
# System mail local policy
@@ -256,16 +259,12 @@ userdom_use_user_terminals(user_mail_t)
# Write to the user domain tty. cjp: why?
userdom_use_user_terminals(mta_user_agent)
# Create dead.letter in user home directories.
-userdom_manage_user_home_content_files(user_mail_t)
-userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
+mta_manage_mail_home_files(user_mail_t)
+mta_user_home_filetrans_mail_home_files(user_mail_t)
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
-userdom_manage_user_home_content_dirs(mailserver_delivery)
-userdom_manage_user_home_content_files(mailserver_delivery)
-userdom_manage_user_home_content_symlinks(mailserver_delivery)
-userdom_manage_user_home_content_pipes(mailserver_delivery)
-userdom_manage_user_home_content_sockets(mailserver_delivery)
-userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+mta_manage_mail_home(mailserver_delivery)
+mta_user_home_filetrans_mail_home(mailserver_delivery)
# Read user temporary files.
userdom_read_user_tmp_files(user_mail_t)
userdom_dontaudit_append_user_tmp_files(user_mail_t)
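Review bot: The comment `# for reading .forward - maybe we need a new type for it?` above the replaced rules is now misleading: mail_forward_t already exists (mta.fc labels HOME_DIR/\.forward with it), and the two new calls grant mailserver_delivery access to mail_home_t only, not to .forward. Suggest `# Deliver mail to user mailboxes (mail_home_t: ~/Mail, ~/Maildir, ~/.mbox).` and, if mailserver_delivery still needs to read .forward, confirming that a mail_forward_t read rule exists elsewhere in mta.te, which is not visible in this hunk. The `# Create dead.letter in user home directories.` comment could likewise note that dead.letter is now created as mail_home_t via the file transition.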
diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
index 1343621..69d6180 100644
--- a/policy/modules/services/procmail.fc
+++ b/policy/modules/services/procmail.fc
@@ -1,5 +1,11 @@
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)

-/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+
+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
+
+ifdef(`distro_redhat',`
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+')

-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
index f68e025..20580d3 100644
--- a/policy/modules/services/procmail.if
+++ b/policy/modules/services/procmail.if
@@ -77,3 +77,64 @@ interface(`procmail_rw_tmp_files',`
files_search_tmp($1)
rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
')
+
+########################################
+## <summary>
+## Read procmail user home content
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_read_user_content_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ allow $1 procmail_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## procmail home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_manage_user_content_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ allow $1 procmail_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Relabel procmail user home content
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_relabel_user_content_files',`
+ gen_require(`
+ type procmail_home_t;
+ ')
+
+ allow $1 procmail_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
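Review bot: The hunk adds an empty line after the closing `')` of `procmail_relabel_user_content_files`, leaving procmail.if with a trailing blank line; the rest of the refpolicy interface files end directly after the last `')`, so drop it. The summary of `procmail_manage_user_content_files` also says `## procmail home content files.` while its two siblings say `## procmail user home content files.`; align the wording so the three interfaces read as a set.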
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index a51bbf6..ff1470a 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -11,6 +11,9 @@ type procmail_exec_t;
application_domain(procmail_t, procmail_exec_t)
role system_r types procmail_t;

+type procmail_home_t;
+userdom_user_home_content(procmail_home_t)
+
type procmail_log_t;
logging_log_file(procmail_log_t)

@@ -32,6 +35,8 @@ allow procmail_t self:udp_socket create_socket_perms;

can_exec(procmail_t, procmail_exec_t)

+procmail_read_user_content_files(procmail_t)
+
# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -81,12 +86,8 @@ logging_send_syslog_msg(procmail_t)
miscfiles_read_localization(procmail_t)

# only works until we define a different type for maildir
-userdom_manage_user_home_content_dirs(procmail_t)
-userdom_manage_user_home_content_files(procmail_t)
-userdom_manage_user_home_content_symlinks(procmail_t)
-userdom_manage_user_home_content_pipes(procmail_t)
-userdom_manage_user_home_content_sockets(procmail_t)
-userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
+mta_manage_mail_home(procmail_t)
+mta_user_home_filetrans_mail_home(procmail_t)

# Do not audit attempts to access /root.
userdom_dontaudit_search_user_home_dirs(procmail_t)
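Review bot: The comment `# only works until we define a different type for maildir` is now stale, because mail_home_t is exactly that type and the two calls below it use it. Replace it with something like `# Deliver to the user's mailbox (mail_home_t: ~/Mail, ~/Maildir, ~/.mbox).` Note also that procmail recipes can deliver to arbitrary paths under the home directory; with the generic user_home_content rules removed, writes outside mail_home_t will now be denied, which is presumably the intended tightening but is worth stating in the comment.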
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index df25576..eed82b5 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -147,6 +147,11 @@ optional_policy(`
')

optional_policy(`
+ oident_manage_user_content(unconfined_t)
+ oident_relabel_user_content(unconfined_t)
+')
+
+optional_policy(`
prelink_run(unconfined_t, unconfined_r)
')

@@ -161,6 +166,11 @@ optional_policy(`
')

optional_policy(`
+ procmail_manage_user_content_files(unconfined_t)
+ procmail_relabel_user_content_files(unconfined_t)
+')
+
+optional_policy(`
pyzor_role(unconfined_r, unconfined_t)
')

--
1.7.0.1



2010-04-05 17:07:34

by Daniel Walsh

Subject: [refpolicy] [ mta patch (Retry) 1/1] This is what i think would probably have to be modified to make mail home work.

On 04/05/2010 12:45 PM, Dominick Grift wrote:
Inline comments below.
> Previous patch had minor issues:
>
> move relabel/manager mail home for user domains to mta_role.
> allow mta role to manage ~/.forward.
> make ~/.forward userdomain user home content.
> allow unconfined_t to manage/relabel oidentd and procmail user home content.
> add some more file context specifications for the different mail formats.
>
> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 3fd227b... 4bb5869... M policy/modules/roles/staff.te
> :100644 100644 2ed3c67... 029e06d... M policy/modules/roles/sysadm.te
> :100644 100644 b0be6d2... d3a5988... M policy/modules/roles/unprivuser.te
> :100644 100644 5c3d708... 193c77e... M policy/modules/services/courier.te
> :100644 100644 9f16e2e... 96e362c... M policy/modules/services/dovecot.te
> :100644 100644 fccf3f8... 1d6660a... M policy/modules/services/exim.te
> :100644 100644 256166a... 2df2d17... M policy/modules/services/mta.fc
> :100644 100644 44e782e... 1146303... M policy/modules/services/mta.if
> :100644 100644 797d86b... 4d235be... M policy/modules/services/mta.te
> :100644 100644 1343621... 69d6180... M policy/modules/services/procmail.fc
> :100644 100644 f68e025... 20580d3... M policy/modules/services/procmail.if
> :100644 100644 a51bbf6... ff1470a... M policy/modules/services/procmail.te
> :100644 100644 df25576... eed82b5... M policy/modules/system/unconfined.te
> policy/modules/roles/staff.te | 5 +
> policy/modules/roles/sysadm.te | 5 +
> policy/modules/roles/unprivuser.te | 5 +
> policy/modules/services/courier.te | 4 +-
> policy/modules/services/dovecot.te | 18 +---
> policy/modules/services/exim.te | 4 +
> policy/modules/services/mta.fc | 14 ++-
> policy/modules/services/mta.if | 178 ++++++++++++++++++++++++++++++++++-
> policy/modules/services/mta.te | 17 ++--
> policy/modules/services/procmail.fc | 12 ++-
> policy/modules/services/procmail.if | 61 ++++++++++++
> policy/modules/services/procmail.te | 13 ++-
> policy/modules/system/unconfined.te | 10 ++
> 13 files changed, 309 insertions(+), 37 deletions(-)
>
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 3fd227b..4bb5869 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -105,6 +105,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + procmail_manage_user_content_files(staff_t)
> + procmail_relabel_user_content_files(staff_t)
> +')
> +
>
I think you should add userdom_user_home_content(procmail_home_t) then
you will not need this.
> +optional_policy(`
> pyzor_role(staff_r, staff_t)
> ')
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 2ed3c67..029e06d 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -308,6 +308,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + procmail_manage_user_content_files(sysadm_t)
> + procmail_relabel_user_content_files(sysadm_t)
> +')
> +
> +optional_policy(`
> pyzor_role(sysadm_r, sysadm_t)
> ')
>
>
DITTO
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index b0be6d2..d3a5988 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -99,6 +99,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + procmail_manage_user_content_files(user_t)
> + procmail_relabel_user_content_files(user_t)
> +')
> +
>
DITTO
> +optional_policy(`
> pyzor_role(user_r, user_t)
> ')
>
> diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
> index 5c3d708..193c77e 100644
> --- a/policy/modules/services/courier.te
> +++ b/policy/modules/services/courier.te
> @@ -101,12 +101,12 @@ miscfiles_read_localization(courier_pop_t)
> courier_domtrans_authdaemon(courier_pop_t)
>
> # do the actual work (read the Maildir)
> -userdom_manage_user_home_content_files(courier_pop_t)
> +mta_manage_mail_home(courier_pop_t)
> +mta_user_home_filetrans_mail_home(courier_pop_t)
> # cjp: the fact that this is different for pop vs imap means that
> # there should probably be a courier_pop_t and courier_imap_t
> # this should also probably be a separate type too instead of
> # the regular home dir
> -userdom_manage_user_home_content_dirs(courier_pop_t)
>
> ########################################
> #
> diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
> index 9f16e2e..96e362c 100644
> --- a/policy/modules/services/dovecot.te
> +++ b/policy/modules/services/dovecot.te
> @@ -128,15 +128,12 @@ miscfiles_read_certs(dovecot_t)
> miscfiles_read_localization(dovecot_t)
>
> userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
> -userdom_manage_user_home_content_dirs(dovecot_t)
> -userdom_manage_user_home_content_files(dovecot_t)
> -userdom_manage_user_home_content_symlinks(dovecot_t)
> -userdom_manage_user_home_content_pipes(dovecot_t)
> -userdom_manage_user_home_content_sockets(dovecot_t)
> -userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
>
> mta_manage_spool(dovecot_t)
>
> +mta_manage_mail_home(dovecot_t)
> +mta_user_home_filetrans_mail_home(dovecot_t)
> +
> optional_policy(`
> kerberos_keytab_template(dovecot, dovecot_t)
> ')
> @@ -255,13 +252,6 @@ files_search_tmp(dovecot_deliver_t)
>
> fs_getattr_all_fs(dovecot_deliver_t)
>
> -userdom_manage_user_home_content_dirs(dovecot_deliver_t)
> -userdom_manage_user_home_content_files(dovecot_deliver_t)
> -userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
> -userdom_manage_user_home_content_pipes(dovecot_deliver_t)
> -userdom_manage_user_home_content_sockets(dovecot_deliver_t)
> -userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
> -
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_files(dovecot_t)
> fs_manage_nfs_symlinks(dovecot_t)
> @@ -274,4 +264,6 @@ tunable_policy(`use_samba_home_dirs',`
>
> optional_policy(`
> mta_manage_spool(dovecot_deliver_t)
> + mta_manage_mail_home(dovecot_deliver_t)
> + mta_user_home_filetrans_mail_home(dovecot_deliver_t)
> ')
> diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
> index fccf3f8..1d6660a 100644
> --- a/policy/modules/services/exim.te
> +++ b/policy/modules/services/exim.te
> @@ -130,6 +130,10 @@ mta_read_config(exim_t)
> mta_manage_spool(exim_t)
> mta_mailserver_delivery(exim_t)
>
> +# Not sure about this but makes sense.
> +mta_manage_mail_home(exim_t)
> +mta_user_home_filetrans_mail_home(exim_t)
> +
> tunable_policy(`exim_can_connect_db',`
> corenet_tcp_connect_mysqld_port(exim_t)
> corenet_sendrecv_mysqld_client_packets(exim_t)
> diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
> index 256166a..2df2d17 100644
> --- a/policy/modules/services/mta.fc
> +++ b/policy/modules/services/mta.fc
> @@ -1,4 +1,7 @@
> HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
> +HOME_DIR/\.mbox -- gen_context(system_u:object_r:mail_home_t,s0)
> +HOME_DIR/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
> +HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
>
> /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>
> @@ -7,9 +10,6 @@ HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
> /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
> /etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
> /etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
> -ifdef(`distro_redhat',`
> -/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
> -')
>
> /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>
> @@ -28,3 +28,11 @@ ifdef(`distro_redhat',`
> /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
> /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
> /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
> +
> +ifdef(`distro_redhat',`
> +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
> +/root/\.mbox -- gen_context(system_u:object_r:mail_home_t,s0)
> +/root/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
> +/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
> +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
> +')
>
Not sure this should be redhat only.
> diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
> index 44e782e..1146303 100644
> --- a/policy/modules/services/mta.if
> +++ b/policy/modules/services/mta.if
> @@ -162,7 +162,7 @@ template(`mta_base_mail_template',`
> interface(`mta_role',`
> gen_require(`
> attribute mta_user_agent;
> - type user_mail_t, sendmail_exec_t;
> + type user_mail_t, sendmail_exec_t, mail_forward_t;
> ')
>
> role $1 types { user_mail_t mta_user_agent };
> @@ -174,6 +174,12 @@ interface(`mta_role',`
> allow mta_user_agent $2:fd use;
> allow mta_user_agent $2:process sigchld;
> allow mta_user_agent $2:fifo_file { read write };
> +
> + manage_files_pattern($2, mail_forward_t, mail_forward_t)
> + relabel_files_pattern($2, mail_forward_t, mail_forward_t)
> +
> + mta_manage_mail_home($2)
> + mta_relabel_mail_home($2)
> ')
>
> ########################################
> @@ -498,6 +504,51 @@ interface(`mta_manage_aliases',`
>
> ########################################
> ##<summary>
> +## Create, read, write, and delete
> +## dirs, files, pipes, lnk files and
> +## sock files mail home content.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`mta_manage_mail_home',`
> + gen_require(`
> + type mail_home_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> + manage_dirs_pattern($1, mail_home_t, mail_home_t)
> + manage_files_pattern($1, mail_home_t, mail_home_t)
> + manage_lnk_files_pattern($1, mail_home_t, mail_home_t)
> + manage_sock_files_pattern($1, mail_home_t, mail_home_t)
> + manage_fifo_files_pattern($1, mail_home_t, mail_home_t)
> +')
> +
> +########################################
> +##<summary>
> +## Create, read, write, and delete
> +## mail home files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`mta_manage_mail_home_files',`
> + gen_require(`
> + type mail_home_t;
> + ')
> +
> + userdom_search_user_home_dirs($1)
> + manage_files_pattern($1, mail_home_t, mail_home_t)
> +')
> +
> +########################################
> +##<summary>
> ## Type transition files created in /etc
> ## to the mail address aliases type.
> ##</summary>
> @@ -517,6 +568,47 @@ interface(`mta_etc_filetrans_aliases',`
>
> ########################################
> ##<summary>
> +## Type transition dirs, files, pipes
> +## lnk files and sock files created in
> +## user home directories to the mail
> +## home type.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`mta_user_home_filetrans_mail_home',`
> + gen_require(`
> + type mail_home_t;
> + ')
> +
> + userdom_user_home_content_filetrans($1, mail_home_t, { dir file fifo_file lnk_file sock_file })
> +')
> +
> +########################################
> +##<summary>
> +## Type transition files created in
> +## user home directories to the mail
> +## home type.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`mta_user_home_filetrans_mail_home_files',`
> + gen_require(`
> + type mail_home_t;
> + ')
> +
> + userdom_user_home_content_filetrans($1, mail_home_t, file)
> +')
> +
> +########################################
> +##<summary>
> ## Read and write mail aliases.
> ##</summary>
> ##<param name="domain">
> @@ -860,3 +952,87 @@ interface(`mta_rw_user_mail_stream_sockets',`
>
> allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
> ')
> +
> +########################################
> +##<summary>
> +## Read mail home content.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`mta_read_mail_home',`
> + gen_require(`
> + type procmail_home_t;
> + ')
> +
> + search_dirs_pattern($1, mail_home_t, mail_home_t)
> + read_fifo_files_pattern($1, mail_home_t, mail_home_t)
> + read_files_pattern($1, mail_home_t, mail_home_t)
> + read_lnk_files_pattern($1, mail_home_t, mail_home_t)
> + read_sock_files_pattern($1, mail_home_t, mail_home_t)
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +##<summary>
> +## Relabel mail home content.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`mta_relabel_mail_home',`
> + gen_require(`
> + type mail_home_t;
> + ')
> +
> + relabel_dirs_pattern($1, mail_home_t, mail_home_t)
> + relabel_fifo_files_pattern($1, mail_home_t, mail_home_t)
> + relabel_files_pattern($1, mail_home_t, mail_home_t)
> + relabel_lnk_files_pattern($1, mail_home_t, mail_home_t)
> + relabel_sock_files_pattern($1, mail_home_t, mail_home_t)
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +##<summary>
> +## Read mail home files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`mta_read_mail_home_files',`
> + gen_require(`
> + type procmail_home_t;
> + ')
> +
> + allow $1 mail_home_t:file read_file_perms;
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +##<summary>
> +## Relabel mail home files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`mta_relabel_mail_home_files',`
> + gen_require(`
> + type mail_home_t;
> + ')
> +
> + allow $1 mail_home_t:file relabel_file_perms;
> + userdom_search_user_home_dirs($1)
> +')
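Review bot: `mta_read_mail_home` and `mta_read_mail_home_files` declare `type procmail_home_t;` in their `gen_require` while every rule in their bodies uses `mail_home_t`; both should require `type mail_home_t;` as the neighbouring `mta_relabel_mail_home` and `mta_relabel_mail_home_files` do. As written the interfaces cannot be used from another module (mail_home_t is not required) and they introduce a spurious dependency of mta.if on a type that procmail.te defines. Separately, `mta_read_mail_home_files` grants only `file` permissions on mail_home_t, so a caller reading messages inside a mail_home_t directory such as a Maildir would still lack `search` on that directory; either document that the interface is meant for files directly under the home directory, or add `search_dirs_pattern($1, mail_home_t, mail_home_t)` as the non-`_files` variant does. The same defect is present in the copy of this hunk quoted in the reply.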
> diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
> index 797d86b..4d235be 100644
> --- a/policy/modules/services/mta.te
> +++ b/policy/modules/services/mta.te
> @@ -22,7 +22,7 @@ type etc_mail_t;
> files_config_file(etc_mail_t)
>
> type mail_forward_t;
> -files_type(mail_forward_t)
> +userdom_user_home_content(mail_forward_t)
>
> type mqueue_spool_t;
> files_mountpoint(mqueue_spool_t)
> @@ -44,6 +44,9 @@ typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
> ubac_constrained(user_mail_t)
> ubac_constrained(user_mail_tmp_t)
>
> +type mail_home_t;
> +userdom_user_home_content(mail_home_t)
> +
> ########################################
> #
> # System mail local policy
> @@ -256,16 +259,12 @@ userdom_use_user_terminals(user_mail_t)
> # Write to the user domain tty. cjp: why?
> userdom_use_user_terminals(mta_user_agent)
> # Create dead.letter in user home directories.
> -userdom_manage_user_home_content_files(user_mail_t)
> -userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
> +mta_manage_mail_home_files(user_mail_t)
> +mta_user_home_filetrans_mail_home_files(user_mail_t)
> # for reading .forward - maybe we need a new type for it?
> # also for delivering mail to maildir
> -userdom_manage_user_home_content_dirs(mailserver_delivery)
> -userdom_manage_user_home_content_files(mailserver_delivery)
> -userdom_manage_user_home_content_symlinks(mailserver_delivery)
> -userdom_manage_user_home_content_pipes(mailserver_delivery)
> -userdom_manage_user_home_content_sockets(mailserver_delivery)
> -userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
> +mta_manage_mail_home(mailserver_delivery)
> +mta_user_home_filetrans_mail_home(mailserver_delivery)
> # Read user temporary files.
> userdom_read_user_tmp_files(user_mail_t)
> userdom_dontaudit_append_user_tmp_files(user_mail_t)
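Review bot: The context comment `# for reading .forward - maybe we need a new type for it?` directly above the new `mta_manage_mail_home(mailserver_delivery)` line is now misleading: the rules beneath it cover mail_home_t (Maildir/mbox content), and .forward already has its own type, mail_forward_t, which this patch turns into user home content. Replace it with a comment that describes the rules it sits on, e.g. `# deliver mail to maildir/mbox in user home directories (mail_home_t)`, and, if read access to mail_forward_t for mailserver_delivery is granted elsewhere in mta.te, point to that rather than leaving the open question. The same stale comment survives in the copy of this hunk quoted in the reply.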
> diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
> index 1343621..69d6180 100644
> --- a/policy/modules/services/procmail.fc
> +++ b/policy/modules/services/procmail.fc
> @@ -1,5 +1,11 @@
> +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
>
> -/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
> +/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
> +
> +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
> +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
> +
> +ifdef(`distro_redhat',`
> +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
> +')
>
> -/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
> -/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
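Review bot: The `/usr/bin/procmail` entry and the two `/var/log/procmail` entries are removed and re-added with only whitespace and position changed, which makes the hunk harder to audit than its two real additions (`HOME_DIR/\.procmailrc` and the `distro_redhat` block for `/root/\.procmailrc`). Leaving the existing lines untouched and adding only the new entries keeps the labelling change reviewable at a glance.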
> diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
> index f68e025..20580d3 100644
> --- a/policy/modules/services/procmail.if
> +++ b/policy/modules/services/procmail.if
> @@ -77,3 +77,64 @@ interface(`procmail_rw_tmp_files',`
> files_search_tmp($1)
> rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
> ')
> +
> +########################################
> +##<summary>
> +## Read procmail user home content
> +## files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`procmail_read_user_content_files',`
> + gen_require(`
> + type procmail_home_t;
> + ')
> +
> + allow $1 procmail_home_t:file read_file_perms;
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +##<summary>
> +## Create, read, write, and delete
> +## procmail home content files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`procmail_manage_user_content_files',`
> + gen_require(`
> + type procmail_home_t;
> + ')
> +
> + allow $1 procmail_home_t:file manage_file_perms;
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +##<summary>
> +## Relabel procmail user home content
> +## files.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`procmail_relabel_user_content_files',`
> + gen_require(`
> + type procmail_home_t;
> + ')
> +
> + allow $1 procmail_home_t:file relabel_file_perms;
> + userdom_search_user_home_dirs($1)
> +')
> +
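Review bot: The hunk ends by adding an empty line after `procmail_relabel_user_content_files` (the final `+` line), which leaves procmail.if with a trailing blank line that will show up as whitespace noise in later diffs; drop it so the file ends at `')`. The new names use `user_content_files` where the mta.if interfaces in this same patch use `mail_home_files` for the equivalent concept (`mta_read_mail_home_files`, `mta_relabel_mail_home_files`); a single scheme, for example `procmail_read_home_files`, keeps the two modules' APIs consistent. The same applies to the copy of this hunk quoted in the reply.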
> diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
> index a51bbf6..ff1470a 100644
> --- a/policy/modules/services/procmail.te
> +++ b/policy/modules/services/procmail.te
> @@ -11,6 +11,9 @@ type procmail_exec_t;
> application_domain(procmail_t, procmail_exec_t)
> role system_r types procmail_t;
>
> +type procmail_home_t;
> +userdom_user_home_content(procmail_home_t)
> +
> type procmail_log_t;
> logging_log_file(procmail_log_t)
>
> @@ -32,6 +35,8 @@ allow procmail_t self:udp_socket create_socket_perms;
>
> can_exec(procmail_t, procmail_exec_t)
>
> +procmail_read_user_content_files(procmail_t)
> +
> # Write log to /var/log/procmail.log or /var/log/procmail/.*
> allow procmail_t procmail_log_t:dir setattr;
> create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
> @@ -81,12 +86,8 @@ logging_send_syslog_msg(procmail_t)
> miscfiles_read_localization(procmail_t)
>
> # only works until we define a different type for maildir
> -userdom_manage_user_home_content_dirs(procmail_t)
> -userdom_manage_user_home_content_files(procmail_t)
> -userdom_manage_user_home_content_symlinks(procmail_t)
> -userdom_manage_user_home_content_pipes(procmail_t)
> -userdom_manage_user_home_content_sockets(procmail_t)
> -userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
> +mta_manage_mail_home(procmail_t)
> +mta_user_home_filetrans_mail_home(procmail_t)
>
> # Do not audit attempts to access /root.
> userdom_dontaudit_search_user_home_dirs(procmail_t)
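Review bot: The context comment `# only works until we define a different type for maildir` above the new `mta_manage_mail_home(procmail_t)` is now stale, since mail_home_t introduced by this patch is that type; replace it with something like `# deliver to maildir/mbox in user home directories (mail_home_t)`. The two `mta_*` calls are made unconditionally, which makes mta a hard dependency of the procmail module; that is fine if procmail.te already calls other mta interfaces outside `optional_policy` (not visible in the hunk), otherwise they belong inside an `optional_policy` block. The same comment survives in the copy of this hunk quoted in the reply.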
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index df25576..eed82b5 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -147,6 +147,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + oident_manage_user_content(unconfined_t)
> + oident_relabel_user_content(unconfined_t)
> +')
> +
> +optional_policy(`
> prelink_run(unconfined_t, unconfined_r)
> ')
>
> @@ -161,6 +166,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + procmail_manage_user_content_files(unconfined_t)
> + procmail_relabel_user_content_files(unconfined_t)
> +')
> +
> +optional_policy(`
> pyzor_role(unconfined_r, unconfined_t)
> ')
>
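Review bot: `oident_manage_user_content` and `oident_relabel_user_content` (previous hunk) are granted to unconfined_t, but no file in this patch's diffstat defines them, so the build relies on them already existing in oident.if; worth confirming before merge. If unconfined_t carries the unconfined_domain attribute, as its name suggests, it already holds full access to every file type and these four lines (and the procmail pair in this hunk) add only a module dependency; a short comment saying why the explicit grants are still wanted would save the next reader the same question. The rest of unconfined.te is outside the hunk, so this is hedged.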
>
>
>
>


2010-04-05 17:33:20

by domg472

Subject: [refpolicy] [ mta patch (Retry) 1/1] This is what i think would probably have to be modified to make mail home work.

On Mon, Apr 05, 2010 at 01:07:34PM -0400, Daniel J Walsh wrote:
> On 04/05/2010 12:45 PM, Dominick Grift wrote:
> Inline comments:
> >Previous patch had minor issues:
> >
> >move relabel/manager mail home for user domains to mta_role.
> >allow mta role to manage ~/.forward.
> >make ~/.forward userdomain user home content.
> >allow unconfined_t to manage/relabel oidentd and procmail user home content.
> >add some more file context specifications for the different mail formats.
> >
> >Signed-off-by: Dominick Grift<[email protected]>
> >---
> >:100644 100644 3fd227b... 4bb5869... M policy/modules/roles/staff.te
> >:100644 100644 2ed3c67... 029e06d... M policy/modules/roles/sysadm.te
> >:100644 100644 b0be6d2... d3a5988... M policy/modules/roles/unprivuser.te
> >:100644 100644 5c3d708... 193c77e... M policy/modules/services/courier.te
> >:100644 100644 9f16e2e... 96e362c... M policy/modules/services/dovecot.te
> >:100644 100644 fccf3f8... 1d6660a... M policy/modules/services/exim.te
> >:100644 100644 256166a... 2df2d17... M policy/modules/services/mta.fc
> >:100644 100644 44e782e... 1146303... M policy/modules/services/mta.if
> >:100644 100644 797d86b... 4d235be... M policy/modules/services/mta.te
> >:100644 100644 1343621... 69d6180... M policy/modules/services/procmail.fc
> >:100644 100644 f68e025... 20580d3... M policy/modules/services/procmail.if
> >:100644 100644 a51bbf6... ff1470a... M policy/modules/services/procmail.te
> >:100644 100644 df25576... eed82b5... M policy/modules/system/unconfined.te
> > policy/modules/roles/staff.te | 5 +
> > policy/modules/roles/sysadm.te | 5 +
> > policy/modules/roles/unprivuser.te | 5 +
> > policy/modules/services/courier.te | 4 +-
> > policy/modules/services/dovecot.te | 18 +---
> > policy/modules/services/exim.te | 4 +
> > policy/modules/services/mta.fc | 14 ++-
> > policy/modules/services/mta.if | 178 ++++++++++++++++++++++++++++++++++-
> > policy/modules/services/mta.te | 17 ++--
> > policy/modules/services/procmail.fc | 12 ++-
> > policy/modules/services/procmail.if | 61 ++++++++++++
> > policy/modules/services/procmail.te | 13 ++-
> > policy/modules/system/unconfined.te | 10 ++
> > 13 files changed, 309 insertions(+), 37 deletions(-)
> >
> >diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> >index 3fd227b..4bb5869 100644
> >--- a/policy/modules/roles/staff.te
> >+++ b/policy/modules/roles/staff.te
> >@@ -105,6 +105,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> >+ procmail_manage_user_content_files(staff_t)
> >+ procmail_relabel_user_content_files(staff_t)
> >+')
> >+
> I think you should add userdom_user_home_content(procmail_home_t)
> then you will not need this.

I did:

type procmail_home_t;
userdom_user_home_content(procmail_home_t)

But this patch is for refpolicy, and as far as I know refpolicy does not have that feature implemented.

So if you were to adopt this policy, you could ignore the hunk above, since in Fedora it is already allowed by letting user domains manage and relabel all user_home_types.


> >+optional_policy(`
> > pyzor_role(staff_r, staff_t)
> > ')
> >
> >diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> >index 2ed3c67..029e06d 100644
> >--- a/policy/modules/roles/sysadm.te
> >+++ b/policy/modules/roles/sysadm.te
> >@@ -308,6 +308,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> >+ procmail_manage_user_content_files(sysadm_t)
> >+ procmail_relabel_user_content_files(sysadm_t)
> >+')
> >+
> >+optional_policy(`
> > pyzor_role(sysadm_r, sysadm_t)
> > ')
> >
> DITTO

See my comment above

> >diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> >index b0be6d2..d3a5988 100644
> >--- a/policy/modules/roles/unprivuser.te
> >+++ b/policy/modules/roles/unprivuser.te
> >@@ -99,6 +99,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> >+ procmail_manage_user_content_files(user_t)
> >+ procmail_relabel_user_content_files(user_t)
> >+')
> >+
> DITTO

see my comment above

> >+optional_policy(`
> > pyzor_role(user_r, user_t)
> > ')
> >
> >diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
> >index 5c3d708..193c77e 100644
> >--- a/policy/modules/services/courier.te
> >+++ b/policy/modules/services/courier.te
> >@@ -101,12 +101,12 @@ miscfiles_read_localization(courier_pop_t)
> > courier_domtrans_authdaemon(courier_pop_t)
> >
> > # do the actual work (read the Maildir)
> >-userdom_manage_user_home_content_files(courier_pop_t)
> >+mta_manage_mail_home(courier_pop_t)
> >+mta_user_home_filetrans_mail_home(courier_pop_t)
> > # cjp: the fact that this is different for pop vs imap means that
> > # there should probably be a courier_pop_t and courier_imap_t
> > # this should also probably be a separate type too instead of
> > # the regular home dir
> >-userdom_manage_user_home_content_dirs(courier_pop_t)
> >
> > ########################################
> > #
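Review bot: Replacing `userdom_manage_user_home_content_files`/`_dirs` with `mta_manage_mail_home(courier_pop_t)` widens courier_pop_t from managing files and directories to also managing lnk_file, sock_file and fifo_file objects on mail_home_t, plus a filetrans; if a POP server only needs files and directories, the narrower `mta_manage_mail_home_files` preserves the previous scope, and if the wider access is intended a comment should say why. The kept context comment ending in `# this should also probably be a separate type too instead of` / `# the regular home dir` is now answered by mail_home_t and should be trimmed in this hunk rather than left as a dangling TODO. Whether the `mta_*` calls may be unconditional here depends on courier.te's existing mta dependency, which is outside the hunk.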
> >diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
> >index 9f16e2e..96e362c 100644
> >--- a/policy/modules/services/dovecot.te
> >+++ b/policy/modules/services/dovecot.te
> >@@ -128,15 +128,12 @@ miscfiles_read_certs(dovecot_t)
> > miscfiles_read_localization(dovecot_t)
> >
> > userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
> >-userdom_manage_user_home_content_dirs(dovecot_t)
> >-userdom_manage_user_home_content_files(dovecot_t)
> >-userdom_manage_user_home_content_symlinks(dovecot_t)
> >-userdom_manage_user_home_content_pipes(dovecot_t)
> >-userdom_manage_user_home_content_sockets(dovecot_t)
> >-userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
> >
> > mta_manage_spool(dovecot_t)
> >
> >+mta_manage_mail_home(dovecot_t)
> >+mta_user_home_filetrans_mail_home(dovecot_t)
> >+
> > optional_policy(`
> > kerberos_keytab_template(dovecot, dovecot_t)
> > ')
> >@@ -255,13 +252,6 @@ files_search_tmp(dovecot_deliver_t)
> >
> > fs_getattr_all_fs(dovecot_deliver_t)
> >
> >-userdom_manage_user_home_content_dirs(dovecot_deliver_t)
> >-userdom_manage_user_home_content_files(dovecot_deliver_t)
> >-userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
> >-userdom_manage_user_home_content_pipes(dovecot_deliver_t)
> >-userdom_manage_user_home_content_sockets(dovecot_deliver_t)
> >-userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
> >-
> > tunable_policy(`use_nfs_home_dirs',`
> > fs_manage_nfs_files(dovecot_t)
> > fs_manage_nfs_symlinks(dovecot_t)
> >@@ -274,4 +264,6 @@ tunable_policy(`use_samba_home_dirs',`
> >
> > optional_policy(`
> > mta_manage_spool(dovecot_deliver_t)
> >+ mta_manage_mail_home(dovecot_deliver_t)
> >+ mta_user_home_filetrans_mail_home(dovecot_deliver_t)
> > ')
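Review bot: For dovecot_deliver_t the replacement rules `mta_manage_mail_home(dovecot_deliver_t)` / `mta_user_home_filetrans_mail_home(dovecot_deliver_t)` sit inside an `optional_policy` block, whereas the `userdom_manage_user_home_content_*` rules they replace (hunk `@@ -255,13 +252,6 @@`) were unconditional; if the mta module is absent, dovecot_deliver_t silently loses all home-directory delivery access rather than keeping a fallback. For dovecot_t the same two calls are unconditional in the first hunk (`+mta_manage_mail_home(dovecot_t)`), so the module already hard-depends on mta and the deliver rules can be placed outside `optional_policy` for consistency. A one-line comment above either pair noting that user mail content is now labelled mail_home_t would explain the move to the next reader.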
> >diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
> >index fccf3f8..1d6660a 100644
> >--- a/policy/modules/services/exim.te
> >+++ b/policy/modules/services/exim.te
> >@@ -130,6 +130,10 @@ mta_read_config(exim_t)
> > mta_manage_spool(exim_t)
> > mta_mailserver_delivery(exim_t)
> >
> >+# Not sure about this but makes sense.
> >+mta_manage_mail_home(exim_t)
> >+mta_user_home_filetrans_mail_home(exim_t)
> >+
> > tunable_policy(`exim_can_connect_db',`
> > corenet_tcp_connect_mysqld_port(exim_t)
> > corenet_sendrecv_mysqld_client_packets(exim_t)
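Review bot: `mta_manage_mail_home(exim_t)` and `mta_user_home_filetrans_mail_home(exim_t)` look redundant: two lines above, `mta_mailserver_delivery(exim_t)` places exim_t in the mailserver_delivery attribute, and the mta.te hunk of this same patch already grants `mta_manage_mail_home(mailserver_delivery)` and `mta_user_home_filetrans_mail_home(mailserver_delivery)`; if that attribute assignment is what `mta_mailserver_delivery` does, the two new lines can be dropped. If they are kept, replace `# Not sure about this but makes sense.` with a comment stating the actual requirement, e.g. `# local delivery to maildir/mbox in user home directories`, since a comment that records doubt gives a reviewer nothing to verify.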
> >diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
> >index 256166a..2df2d17 100644
> >--- a/policy/modules/services/mta.fc
> >+++ b/policy/modules/services/mta.fc
> >@@ -1,4 +1,7 @@
> > HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
> >+HOME_DIR/\.mbox -- gen_context(system_u:object_r:mail_home_t,s0)
> >+HOME_DIR/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
> >+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
> >
> > /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
> >
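Review bot: The new home-directory contexts cover `HOME_DIR/\.mbox`, `HOME_DIR/Mail(/.*)?` and `HOME_DIR/Maildir(/.*)?`, but not the non-dotted `HOME_DIR/mbox` spelling that some clients use as their default save folder, which would fall back to the generic home-content label; worth confirming which clients are targeted and adding it if so. A short comment above the block naming the formats these entries correspond to (mbox files vs Maildir trees) would document the intent that the commit message only alludes to.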
> >@@ -7,9 +10,6 @@ HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
> > /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
> > /etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
> > /etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
> >-ifdef(`distro_redhat',`
> >-/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
> >-')
> >
> > /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
> >
> >@@ -28,3 +28,11 @@ ifdef(`distro_redhat',`
> > /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
> > /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
> > /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
> >+
> >+ifdef(`distro_redhat',`
> >+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
> >+/root/\.mbox -- gen_context(system_u:object_r:mail_home_t,s0)
> >+/root/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
> >+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0)
> >+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
> >+')
> Not sure this should be redhat only.
> >diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
> >index 44e782e..1146303 100644
> >--- a/policy/modules/services/mta.if
> >+++ b/policy/modules/services/mta.if
> >@@ -162,7 +162,7 @@ template(`mta_base_mail_template',`
> > interface(`mta_role',`
> > gen_require(`
> > attribute mta_user_agent;
> >- type user_mail_t, sendmail_exec_t;
> >+ type user_mail_t, sendmail_exec_t, mail_forward_t;
> > ')
> >
> > role $1 types { user_mail_t mta_user_agent };
> >@@ -174,6 +174,12 @@ interface(`mta_role',`
> > allow mta_user_agent $2:fd use;
> > allow mta_user_agent $2:process sigchld;
> > allow mta_user_agent $2:fifo_file { read write };
> >+
> >+ manage_files_pattern($2, mail_forward_t, mail_forward_t)
> >+ relabel_files_pattern($2, mail_forward_t, mail_forward_t)
> >+
> >+ mta_manage_mail_home($2)
> >+ mta_relabel_mail_home($2)
> > ')
> >
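Review bot: The `.forward` access for the user domain is written inline as `manage_files_pattern($2, mail_forward_t, mail_forward_t)` / `relabel_files_pattern($2, mail_forward_t, mail_forward_t)`, while the mail_home_t access on the following lines goes through the `mta_manage_mail_home`/`mta_relabel_mail_home` interfaces; expressing the mail_forward_t rules through a named mta.if interface as well keeps the role's grants auditable in one place and reusable by other role interfaces. Because a `.forward` file controls where the user's mail is redirected, the summary of that interface should state explicitly that it grants write access to the caller's own `.forward`, so future callers do not hand it to non-owner domains casually. `mta_role`'s body begins before this hunk.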
> > ########################################
> >@@ -498,6 +504,51 @@ interface(`mta_manage_aliases',`
> >
> > ########################################
> > ##<summary>
> >+## Create, read, write, and delete
> >+## dirs, files, pipes, lnk files and
> >+## sock files mail home content.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`mta_manage_mail_home',`
> >+ gen_require(`
> >+ type mail_home_t;
> >+ ')
> >+
> >+ userdom_search_user_home_dirs($1)
> >+ manage_dirs_pattern($1, mail_home_t, mail_home_t)
> >+ manage_files_pattern($1, mail_home_t, mail_home_t)
> >+ manage_lnk_files_pattern($1, mail_home_t, mail_home_t)
> >+ manage_sock_files_pattern($1, mail_home_t, mail_home_t)
> >+ manage_fifo_files_pattern($1, mail_home_t, mail_home_t)
> >+')
> >+
> >+########################################
> >+##<summary>
> >+## Create, read, write, and delete
> >+## mail home files.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`mta_manage_mail_home_files',`
> >+ gen_require(`
> >+ type mail_home_t;
> >+ ')
> >+
> >+ userdom_search_user_home_dirs($1)
> >+ manage_files_pattern($1, mail_home_t, mail_home_t)
> >+')
> >+
> >+########################################
> >+##<summary>
> > ## Type transition files created in /etc
> > ## to the mail address aliases type.
> > ##</summary>
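Review bot: `mta_manage_mail_home` calls `userdom_search_user_home_dirs($1)` before its `manage_*_pattern` rules, whereas the read and relabel interfaces added later in this file (`mta_read_mail_home`, `mta_relabel_mail_home`) place it after them; one ordering for all mail_home_t interfaces makes the family easier to scan. The summary `## sock files mail home content.` reads as if a word is missing; `## and sock files of mail home content.` is clearer. Both interfaces are complete within the hunk.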
> >@@ -517,6 +568,47 @@ interface(`mta_etc_filetrans_aliases',`
> >
> > ########################################
> > ##<summary>
> >+## Type transition dirs, files, pipes
> >+## lnk files and sock files created in
> >+## user home directories to the mail
> >+## home type.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`mta_user_home_filetrans_mail_home',`
> >+ gen_require(`
> >+ type mail_home_t;
> >+ ')
> >+
> >+ userdom_user_home_content_filetrans($1, mail_home_t, { dir file fifo_file lnk_file sock_file })
> >+')
> >+
> >+########################################
> >+##<summary>
> >+## Type transition files created in
> >+## user home directories to the mail
> >+## home type.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`mta_user_home_filetrans_mail_home_files',`
> >+ gen_require(`
> >+ type mail_home_t;
> >+ ')
> >+
> >+ userdom_user_home_content_filetrans($1, mail_home_t, file)
> >+')
> >+
> >+########################################
> >+##<summary>
> > ## Read and write mail aliases.
> > ##</summary>
> > ##<param name="domain">
> >@@ -860,3 +952,87 @@ interface(`mta_rw_user_mail_stream_sockets',`
> >
> > allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
> > ')
> >+
> >+########################################
> >+##<summary>
> >+## Read mail home content.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`mta_read_mail_home',`
> >+ gen_require(`
> >+ type procmail_home_t;
> >+ ')
> >+
> >+ search_dirs_pattern($1, mail_home_t, mail_home_t)
> >+ read_fifo_files_pattern($1, mail_home_t, mail_home_t)
> >+ read_files_pattern($1, mail_home_t, mail_home_t)
> >+ read_lnk_files_pattern($1, mail_home_t, mail_home_t)
> >+ read_sock_files_pattern($1, mail_home_t, mail_home_t)
> >+ userdom_search_user_home_dirs($1)
> >+')
> >+
> >+########################################
> >+##<summary>
> >+## Relabel mail home content.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`mta_relabel_mail_home',`
> >+ gen_require(`
> >+ type mail_home_t;
> >+ ')
> >+
> >+ relabel_dirs_pattern($1, mail_home_t, mail_home_t)
> >+ relabel_fifo_files_pattern($1, mail_home_t, mail_home_t)
> >+ relabel_files_pattern($1, mail_home_t, mail_home_t)
> >+ relabel_lnk_files_pattern($1, mail_home_t, mail_home_t)
> >+ relabel_sock_files_pattern($1, mail_home_t, mail_home_t)
> >+ userdom_search_user_home_dirs($1)
> >+')
> >+
> >+########################################
> >+##<summary>
> >+## Read mail home files.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`mta_read_mail_home_files',`
> >+ gen_require(`
> >+ type procmail_home_t;
> >+ ')
> >+
> >+ allow $1 mail_home_t:file read_file_perms;
> >+ userdom_search_user_home_dirs($1)
> >+')
> >+
> >+########################################
> >+##<summary>
> >+## Relabel mail home files.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`mta_relabel_mail_home_files',`
> >+ gen_require(`
> >+ type mail_home_t;
> >+ ')
> >+
> >+ allow $1 mail_home_t:file relabel_file_perms;
> >+ userdom_search_user_home_dirs($1)
> >+')
> >diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
> >index 797d86b..4d235be 100644
> >--- a/policy/modules/services/mta.te
> >+++ b/policy/modules/services/mta.te
> >@@ -22,7 +22,7 @@ type etc_mail_t;
> > files_config_file(etc_mail_t)
> >
> > type mail_forward_t;
> >-files_type(mail_forward_t)
> >+userdom_user_home_content(mail_forward_t)
> >
> > type mqueue_spool_t;
> > files_mountpoint(mqueue_spool_t)
> >@@ -44,6 +44,9 @@ typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
> > ubac_constrained(user_mail_t)
> > ubac_constrained(user_mail_tmp_t)
> >
> >+type mail_home_t;
> >+userdom_user_home_content(mail_home_t)
> >+
> > ########################################
> > #
> > # System mail local policy
> >@@ -256,16 +259,12 @@ userdom_use_user_terminals(user_mail_t)
> > # Write to the user domain tty. cjp: why?
> > userdom_use_user_terminals(mta_user_agent)
> > # Create dead.letter in user home directories.
> >-userdom_manage_user_home_content_files(user_mail_t)
> >-userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
> >+mta_manage_mail_home_files(user_mail_t)
> >+mta_user_home_filetrans_mail_home_files(user_mail_t)
> > # for reading .forward - maybe we need a new type for it?
> > # also for delivering mail to maildir
> >-userdom_manage_user_home_content_dirs(mailserver_delivery)
> >-userdom_manage_user_home_content_files(mailserver_delivery)
> >-userdom_manage_user_home_content_symlinks(mailserver_delivery)
> >-userdom_manage_user_home_content_pipes(mailserver_delivery)
> >-userdom_manage_user_home_content_sockets(mailserver_delivery)
> >-userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
> >+mta_manage_mail_home(mailserver_delivery)
> >+mta_user_home_filetrans_mail_home(mailserver_delivery)
> > # Read user temporary files.
> > userdom_read_user_tmp_files(user_mail_t)
> > userdom_dontaudit_append_user_tmp_files(user_mail_t)
> >diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
> >index 1343621..69d6180 100644
> >--- a/policy/modules/services/procmail.fc
> >+++ b/policy/modules/services/procmail.fc
> >@@ -1,5 +1,11 @@
> >+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
> >
> >-/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
> >+/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
> >+
> >+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
> >+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
> >+
> >+ifdef(`distro_redhat',`
> >+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
> >+')
> >
> >-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
> >-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
> >diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
> >index f68e025..20580d3 100644
> >--- a/policy/modules/services/procmail.if
> >+++ b/policy/modules/services/procmail.if
> >@@ -77,3 +77,64 @@ interface(`procmail_rw_tmp_files',`
> > files_search_tmp($1)
> > rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
> > ')
> >+
> >+########################################
> >+##<summary>
> >+## Read procmail user home content
> >+## files.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`procmail_read_user_content_files',`
> >+ gen_require(`
> >+ type procmail_home_t;
> >+ ')
> >+
> >+ allow $1 procmail_home_t:file read_file_perms;
> >+ userdom_search_user_home_dirs($1)
> >+')
> >+
> >+########################################
> >+##<summary>
> >+## Create, read, write, and delete
> >+## procmail home content files.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`procmail_manage_user_content_files',`
> >+ gen_require(`
> >+ type procmail_home_t;
> >+ ')
> >+
> >+ allow $1 procmail_home_t:file manage_file_perms;
> >+ userdom_search_user_home_dirs($1)
> >+')
> >+
> >+########################################
> >+##<summary>
> >+## Relabel procmail user home content
> >+## files.
> >+##</summary>
> >+##<param name="domain">
> >+## <summary>
> >+## Domain allowed access.
> >+## </summary>
> >+##</param>
> >+#
> >+interface(`procmail_relabel_user_content_files',`
> >+ gen_require(`
> >+ type procmail_home_t;
> >+ ')
> >+
> >+ allow $1 procmail_home_t:file relabel_file_perms;
> >+ userdom_search_user_home_dirs($1)
> >+')
> >+
> >diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
> >index a51bbf6..ff1470a 100644
> >--- a/policy/modules/services/procmail.te
> >+++ b/policy/modules/services/procmail.te
> >@@ -11,6 +11,9 @@ type procmail_exec_t;
> > application_domain(procmail_t, procmail_exec_t)
> > role system_r types procmail_t;
> >
> >+type procmail_home_t;
> >+userdom_user_home_content(procmail_home_t)
> >+
> > type procmail_log_t;
> > logging_log_file(procmail_log_t)
> >
> >@@ -32,6 +35,8 @@ allow procmail_t self:udp_socket create_socket_perms;
> >
> > can_exec(procmail_t, procmail_exec_t)
> >
> >+procmail_read_user_content_files(procmail_t)
> >+
> > # Write log to /var/log/procmail.log or /var/log/procmail/.*
> > allow procmail_t procmail_log_t:dir setattr;
> > create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
> >@@ -81,12 +86,8 @@ logging_send_syslog_msg(procmail_t)
> > miscfiles_read_localization(procmail_t)
> >
> > # only works until we define a different type for maildir
> >-userdom_manage_user_home_content_dirs(procmail_t)
> >-userdom_manage_user_home_content_files(procmail_t)
> >-userdom_manage_user_home_content_symlinks(procmail_t)
> >-userdom_manage_user_home_content_pipes(procmail_t)
> >-userdom_manage_user_home_content_sockets(procmail_t)
> >-userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
> >+mta_manage_mail_home(procmail_t)
> >+mta_user_home_filetrans_mail_home(procmail_t)
> >
> > # Do not audit attempts to access /root.
> > userdom_dontaudit_search_user_home_dirs(procmail_t)
> >diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> >index df25576..eed82b5 100644
> >--- a/policy/modules/system/unconfined.te
> >+++ b/policy/modules/system/unconfined.te
> >@@ -147,6 +147,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> >+ oident_manage_user_content(unconfined_t)
> >+ oident_relabel_user_content(unconfined_t)
> >+')
> >+
> >+optional_policy(`
> > prelink_run(unconfined_t, unconfined_r)
> > ')
> >
> >@@ -161,6 +166,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> >+ procmail_manage_user_content_files(unconfined_t)
> >+ procmail_relabel_user_content_files(unconfined_t)
> >+')
> >+
> >+optional_policy(`
> > pyzor_role(unconfined_r, unconfined_t)
> > ')
> >
> >
> >
>