lease find in the following e-mails an initial policy for the mutt
application (terminal e-mail client). The set of mails contains:
- the mutt definition (.te, .if, .fc)
- adding mutt_role to unprivuser, staff and sysadm
- update gpg.te to grant it rw access to mutt's tmp files
Wrt to the previous attempt, the patch tackled most of the received comments
(only the introduction of mutt_gpg_t as in Dominick's definition is withheld
since I can't test it out here).
Wkr,
Sven Vermeulen
The mutt e-mail client is a terminal-based e-mail client. It is rich in
features (with many additional feature-patches lurking on the internet)
so it is assumed that this policy will grow in the future.
Signed-off-by: Sven Vermeulen <[email protected]>
---
mutt.fc | 10 ++++++
mutt.if | 68 ++++++++++++++++++++++++++++++++++++++++++
mutt.te | 100 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 178 insertions(+), 0 deletions(-)
create mode 100644 mutt.fc
create mode 100644 mutt.if
create mode 100644 mutt.te
diff --git a/mutt.fc b/mutt.fc
new file mode 100644
index 0000000..9d64529
--- /dev/null
+++ b/mutt.fc
@@ -0,0 +1,10 @@
+HOME_DIR/\.mutt(/.*)? gen_context(system_u:object_r:mutt_home_t,s0)
+HOME_DIR/\.muttrc -- gen_context(system_u:object_r:mutt_conf_t,s0)
+HOME_DIR/\.mutt_cache -- gen_context(system_u:object_r:mutt_home_t,s0)
+HOME_DIR/\.mutt_certificates -- gen_context(system_u:object_r:mutt_home_t,s0)
+
+/etc/Muttrc -- gen_context(system_u:object_r:mutt_etc_t,s0)
+/etc/Muttrc\.local -- gen_context(system_u:object_r:mutt_etc_t,s0)
+/etc/mutt(/.*)? gen_context(system_u:object_r:mutt_etc_t,s0)
+
+/usr/bin/mutt -- gen_context(system_u:object_r:mutt_exec_t,s0)
diff --git a/mutt.if b/mutt.if
new file mode 100644
index 0000000..59f96e7
--- /dev/null
+++ b/mutt.if
@@ -0,0 +1,68 @@
+## <summary>Mutt e-mail client</summary>
+
+#######################################
+## <summary>
+## The role for using the mutt application.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`mutt_role',`
+ gen_require(`
+ type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t;
+ type mutt_tmp_t;
+ ')
+
+ role $1 types mutt_t;
+
+ domtrans_pattern($2, mutt_exec_t, mutt_t)
+
+ allow $2 mutt_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, mutt_home_t, mutt_home_t)
+ manage_files_pattern($2, mutt_home_t, mutt_home_t)
+
+ manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
+ manage_files_pattern($2, mutt_conf_t, mutt_conf_t)
+
+ relabel_dirs_pattern($2, mutt_home_t, mutt_home_t)
+ relabel_files_pattern($2, mutt_home_t, mutt_home_t)
+
+ relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
+ relabel_files_pattern($2, mutt_conf_t, mutt_conf_t)
+
+ relabel_dirs_pattern($2, mutt_tmp_t, mutt_tmp_t)
+ relabel_files_pattern($2, mutt_tmp_t, mutt_tmp_t)
+
+ ps_process_pattern($2, mutt_t)
+')
+
+#######################################
+## <summary>
+## Allow other domains to handle mutt's temporary files (used for instance
+## for e-mail drafts)
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed read/write access to the temporary files
+## </summary>
+## </param>
+#
+interface(`mutt_rw_tmp_files',`
+ gen_require(`
+ type mutt_tmp_t;
+ ')
+
+ # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well
+ allow $1 mutt_tmp_t:dir search_dir_perms;
+ allow $1 mutt_tmp_t:file { read write };
+ files_search_tmp($1)
+')
diff --git a/mutt.te b/mutt.te
new file mode 100644
index 0000000..60faae9
--- /dev/null
+++ b/mutt.te
@@ -0,0 +1,100 @@
+policy_module(mutt, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Be able to manage user files (needed to support attachment handling)
+## </p>
+## </desc>
+gen_tunable(mutt_manage_user_content, false)
+
+type mutt_t;
+type mutt_exec_t;
+application_domain(mutt_t, mutt_exec_t)
+ubac_constrained(mutt_t)
+
+type mutt_conf_t;
+userdom_user_home_content(mutt_conf_t)
+
+type mutt_etc_t;
+files_config_file(mutt_etc_t)
+
+type mutt_home_t;
+userdom_user_home_content(mutt_home_t)
+
+type mutt_tmp_t;
+files_tmp_file(mutt_tmp_t)
+ubac_constrained(mutt_tmp_t)
+
+############################
+#
+# Local Policy Rules
+#
+
+allow mutt_t self:process signal_perms;
+allow mutt_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t)
+manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t)
+userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, { dir file })
+
+manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir })
+
+read_files_pattern(mutt_t, mutt_etc_t, mutt_etc_t)
+
+read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)
+
+
+kernel_read_system_state(mutt_t)
+
+corecmd_exec_bin(mutt_t)
+corecmd_exec_shell(mutt_t)
+
+corenet_all_recvfrom_netlabel(mutt_t)
+corenet_all_recvfrom_unlabeled(mutt_t)
+corenet_sendrecv_pop_client_packets(mutt_t)
+corenet_sendrecv_smtp_client_packets(mutt_t)
+corenet_tcp_bind_generic_node(mutt_t)
+corenet_tcp_connect_pop_port(mutt_t)
+corenet_tcp_connect_smtp_port(mutt_t)
+corenet_tcp_sendrecv_generic_if(mutt_t)
+corenet_tcp_sendrecv_generic_node(mutt_t)
+corenet_tcp_sendrecv_pop_port(mutt_t)
+corenet_tcp_sendrecv_smtp_port(mutt_t)
+
+dev_read_rand(mutt_t)
+dev_read_urand(mutt_t)
+
+domain_use_interactive_fds(mutt_t)
+
+files_read_usr_files(mutt_t)
+
+
+auth_use_nsswitch(mutt_t)
+
+miscfiles_read_localization(mutt_t)
+
+userdom_manage_xdg_cache_home(mutt_t)
+userdom_read_xdg_config_home(mutt_t)
+userdom_search_user_home_content(mutt_t)
+userdom_use_user_terminals(mutt_t)
+
+optional_policy(`
+ gpg_domtrans(mutt_t)
+')
+
+tunable_policy(`mutt_manage_user_content',`
+ # Needed for handling attachments
+ userdom_manage_user_home_content_files(mutt_t)
+ userdom_manage_user_home_content_dirs(mutt_t)
+')
+
+tunable_policy(`gentoo_try_dontaudit',`
+ kernel_dontaudit_search_sysctl(mutt_t)
+')
--
1.7.3.4
The mutt e-mail files are stored as mutt_tmp_t. As such, gpg needs to be
able to read/write to mutt_tmp_t.
Signed-off-by: Sven Vermeulen <[email protected]>
---
gpg.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/gpg.te b/gpg.te
index ebd6791..898bc21 100644
--- a/gpg.te
+++ b/gpg.te
@@ -147,6 +147,10 @@ optional_policy(`
')
optional_policy(`
+ mutt_rw_tmp_files(gpg_t)
+')
+
+optional_policy(`
xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t)
')
--
1.7.3.4
Allow the end user domains to use the mutt application.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
3 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index c10c3d6..8f0f92f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -129,6 +129,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
+ mutt_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 954417f..edee69a 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -461,5 +461,9 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
+
+ optional_policy(`
+ mutt_role(sysadm_r, sysadm_t)
+ ')
')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index c576b6c..ba76cb7 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -106,6 +106,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
+ mutt_role(user_r, user_t)
+ ')
+
+ optional_policy(`
postgresql_role(user_r, user_t)
')
--
1.7.3.4
On 10/03/11 16:04, Sven Vermeulen wrote:
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 954417f..edee69a 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -461,5 +461,9 @@ ifndef(`distro_redhat',`
> optional_policy(`
> java_role(sysadm_r, sysadm_t)
> ')
> +
> + optional_policy(`
> + mutt_role(sysadm_r, sysadm_t)
> + ')
> ')
Does sysadm really need this? They should be using their staff role for that.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 10/03/11 16:03, Sven Vermeulen wrote:
> diff --git a/mutt.if b/mutt.if
> new file mode 100644
> index 0000000..59f96e7
> --- /dev/null
> +++ b/mutt.if
> @@ -0,0 +1,68 @@
> +## <summary>Mutt e-mail client</summary>
> +
> +#######################################
> +## <summary>
> +## The role for using the mutt application.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## The role associated with the user domain.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## The user domain.
> +## </summary>
> +## </param>
> +#
> +interface(`mutt_role',`
> + gen_require(`
> + type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t;
> + type mutt_tmp_t;
> + ')
> +
> + role $1 types mutt_t;
> +
> + domtrans_pattern($2, mutt_exec_t, mutt_t)
> +
> + allow $2 mutt_t:process { ptrace signal_perms };
> +
> + manage_dirs_pattern($2, mutt_home_t, mutt_home_t)
> + manage_files_pattern($2, mutt_home_t, mutt_home_t)
> +
> + manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
> + manage_files_pattern($2, mutt_conf_t, mutt_conf_t)
> +
> + relabel_dirs_pattern($2, mutt_home_t, mutt_home_t)
> + relabel_files_pattern($2, mutt_home_t, mutt_home_t)
> +
> + relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
> + relabel_files_pattern($2, mutt_conf_t, mutt_conf_t)
This should be ordered by the type names, rather than the pattern name.
> + relabel_dirs_pattern($2, mutt_tmp_t, mutt_tmp_t)
> + relabel_files_pattern($2, mutt_tmp_t, mutt_tmp_t)
> +
> + ps_process_pattern($2, mutt_t)
> +')
> +
> +#######################################
> +## <summary>
> +## Allow other domains to handle mutt's temporary files (used for instance
> +## for e-mail drafts)
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The domain that is allowed read/write access to the temporary files
> +## </summary>
> +## </param>
> +#
> +interface(`mutt_rw_tmp_files',`
> + gen_require(`
> + type mutt_tmp_t;
> + ')
> +
> + # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well
> + allow $1 mutt_tmp_t:dir search_dir_perms;
> + allow $1 mutt_tmp_t:file { read write };
> + files_search_tmp($1)
> +')
> diff --git a/mutt.te b/mutt.te
> new file mode 100644
> index 0000000..60faae9
> --- /dev/null
> +++ b/mutt.te
> @@ -0,0 +1,100 @@
> +policy_module(mutt, 1.0.0)
> +
> +############################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Be able to manage user files (needed to support attachment handling)
> +## </p>
> +## </desc>
> +gen_tunable(mutt_manage_user_content, false)
> +
> +type mutt_t;
> +type mutt_exec_t;
> +application_domain(mutt_t, mutt_exec_t)
> +ubac_constrained(mutt_t)
> +
> +type mutt_conf_t;
> +userdom_user_home_content(mutt_conf_t)
> +
> +type mutt_etc_t;
> +files_config_file(mutt_etc_t)
> +
> +type mutt_home_t;
> +userdom_user_home_content(mutt_home_t)
> +
> +type mutt_tmp_t;
> +files_tmp_file(mutt_tmp_t)
> +ubac_constrained(mutt_tmp_t)
I put in a new userdom interface that replaces the above two calls.
> +############################
> +#
> +# Local Policy Rules
> +#
> +
> +allow mutt_t self:process signal_perms;
> +allow mutt_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t)
> +manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t)
> +userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, { dir file })
> +
> +manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir })
> +
> +read_files_pattern(mutt_t, mutt_etc_t, mutt_etc_t)
> +
> +read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)
> +
> +
Extra whitespace, and out of order rules above.
> +kernel_read_system_state(mutt_t)
> +
> +corecmd_exec_bin(mutt_t)
> +corecmd_exec_shell(mutt_t)
> +
> +corenet_all_recvfrom_netlabel(mutt_t)
> +corenet_all_recvfrom_unlabeled(mutt_t)
> +corenet_sendrecv_pop_client_packets(mutt_t)
> +corenet_sendrecv_smtp_client_packets(mutt_t)
> +corenet_tcp_bind_generic_node(mutt_t)
> +corenet_tcp_connect_pop_port(mutt_t)
> +corenet_tcp_connect_smtp_port(mutt_t)
> +corenet_tcp_sendrecv_generic_if(mutt_t)
> +corenet_tcp_sendrecv_generic_node(mutt_t)
> +corenet_tcp_sendrecv_pop_port(mutt_t)
> +corenet_tcp_sendrecv_smtp_port(mutt_t)
> +
> +dev_read_rand(mutt_t)
> +dev_read_urand(mutt_t)
> +
> +domain_use_interactive_fds(mutt_t)
> +
> +files_read_usr_files(mutt_t)
> +
> +
> +auth_use_nsswitch(mutt_t)
> +
> +miscfiles_read_localization(mutt_t)
> +
> +userdom_manage_xdg_cache_home(mutt_t)
> +userdom_read_xdg_config_home(mutt_t)
> +userdom_search_user_home_content(mutt_t)
> +userdom_use_user_terminals(mutt_t)
> +
> +optional_policy(`
> + gpg_domtrans(mutt_t)
> +')
> +
> +tunable_policy(`mutt_manage_user_content',`
> + # Needed for handling attachments
> + userdom_manage_user_home_content_files(mutt_t)
> + userdom_manage_user_home_content_dirs(mutt_t)
> +')
> +
> +tunable_policy(`gentoo_try_dontaudit',`
> + kernel_dontaudit_search_sysctl(mutt_t)
> +')
Please remove the test rules.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Fri, Oct 28, 2011 at 09:38:19AM -0400, Christopher J. PeBenito wrote:
> On 10/03/11 16:04, Sven Vermeulen wrote:
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index 954417f..edee69a 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -461,5 +461,9 @@ ifndef(`distro_redhat',`
> > optional_policy(`
> > java_role(sysadm_r, sysadm_t)
> > ')
> > +
> > + optional_policy(`
> > + mutt_role(sysadm_r, sysadm_t)
> > + ')
> > ')
>
> Does sysadm really need this? They should be using their staff role for that.
Need? Perhaps not (or not in a reference policy). I "need" it when I log on as
root directly (which here means the SELinux root user which is immediately on
the sysadm_r role) and need to read the local (system-generated) mails.
But I might be just too lazy to newrole here towards staff_r.
I'll drop it from the patch set.
Wkr,
Sven Vermeulen