From: domg472@gmail.com (Dominick Grift) Date: Mon, 5 Apr 2010 17:35:46 +0200 Subject: [refpolicy] [ mta patch 1/1] This is what i think would probably have to be modifies to make mail home work. Message-ID: <20100405153540.GA3152@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com It builds but it is untested. I think that qmail may also need this access but i could not find any evidence of this. Signed-off-by: Dominick Grift --- :100644 100644 3fd227b... 5b7268e... M policy/modules/roles/staff.te :100644 100644 2ed3c67... c918465... M policy/modules/roles/sysadm.te :100644 100644 b0be6d2... 62a1760... M policy/modules/roles/unprivuser.te :100644 100644 5c3d708... 193c77e... M policy/modules/services/courier.te :100644 100644 9f16e2e... 96e362c... M policy/modules/services/dovecot.te :100644 100644 fccf3f8... 1d6660a... M policy/modules/services/exim.te :100644 100644 256166a... f39f7f4... M policy/modules/services/mta.fc :100644 100644 44e782e... 910f1aa... M policy/modules/services/mta.if :100644 100644 797d86b... bab7d6f... M policy/modules/services/mta.te :100644 100644 1343621... 69d6180... M policy/modules/services/procmail.fc :100644 100644 f68e025... 20580d3... M policy/modules/services/procmail.if :100644 100644 a51bbf6... ff1470a... M policy/modules/services/procmail.te policy/modules/roles/staff.te | 7 ++ policy/modules/roles/sysadm.te | 7 ++ policy/modules/roles/unprivuser.te | 7 ++ policy/modules/services/courier.te | 4 +- policy/modules/services/dovecot.te | 18 +--- policy/modules/services/exim.te | 4 + policy/modules/services/mta.fc | 9 ++- policy/modules/services/mta.if | 170 +++++++++++++++++++++++++++++++++++ policy/modules/services/mta.te | 16 ++-- policy/modules/services/procmail.fc | 12 ++- policy/modules/services/procmail.if | 61 +++++++++++++ policy/modules/services/procmail.te | 13 ++-- 12 files changed, 293 insertions(+), 35 deletions(-) 
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 3fd227b..5b7268e 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -93,6 +93,8 @@ optional_policy(` optional_policy(` mta_role(staff_r, staff_t) + mta_manage_mail_home(staff_t) + mta_relabel_mail_home(staff_t) ') optional_policy(` @@ -105,6 +107,11 @@ optional_policy(` ') optional_policy(` + procmail_manage_user_content_files(staff_t) + procmail_relabel_user_content_files(staff_t) +') + +optional_policy(` pyzor_role(staff_r, staff_t) ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 2ed3c67..c918465 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -264,6 +264,8 @@ optional_policy(` optional_policy(` mta_role(sysadm_r, sysadm_t) + mta_manage_mail_home(sysadm_t) + mta_relabel_mail_home(sysadm_t) ') optional_policy(` @@ -308,6 +310,11 @@ optional_policy(` ') optional_policy(` + procmail_manage_user_content_files(sysadm_t) + procmail_relabel_user_content_files(sysadm_t) +') + +optional_policy(` pyzor_role(sysadm_r, sysadm_t) ') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index b0be6d2..62a1760 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -87,6 +87,8 @@ optional_policy(` optional_policy(` mta_role(user_r, user_t) + mta_manage_mail_home(user_t) + mta_relabel_mail_home(user_t) ') optional_policy(` @@ -99,6 +101,11 @@ optional_policy(` ') optional_policy(` + procmail_manage_user_content_files(user_t) + procmail_relabel_user_content_files(user_t) +') + +optional_policy(` pyzor_role(user_r, user_t) ') diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te index 5c3d708..193c77e 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te 
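Review bot: The same six grants are pasted into staff.te, sysadm.te and unprivuser.te, each time directly under the `mta_role(...)` call the hunk already shows, so any other role that calls `mta_role()` (the auditadm/secadm roles, if they do) is missed and the three copies will drift apart. Fold `mta_manage_mail_home($2)` and `mta_relabel_mail_home($2)` into `mta_role()` in mta.if, and give procmail a matching `procmail_role()` (or extend an existing procmail role interface, if there is one) instead of opening a new bare `optional_policy` block per role. The blocks build because the interfaces are declared in this series, but the per-role copies are the part most likely to go stale.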
@@ -101,12 +101,12 @@ miscfiles_read_localization(courier_pop_t) courier_domtrans_authdaemon(courier_pop_t) # do the actual work (read the Maildir) -userdom_manage_user_home_content_files(courier_pop_t) +mta_manage_mail_home(courier_pop_t) +mta_user_home_filetrans_mail_home(courier_pop_t) # cjp: the fact that this is different for pop vs imap means that # there should probably be a courier_pop_t and courier_imap_t # this should also probably be a separate type too instead of # the regular home dir -userdom_manage_user_home_content_dirs(courier_pop_t) ######################################## # diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 9f16e2e..96e362c 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -128,15 +128,12 @@ miscfiles_read_certs(dovecot_t) miscfiles_read_localization(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) -userdom_manage_user_home_content_dirs(dovecot_t) -userdom_manage_user_home_content_files(dovecot_t) -userdom_manage_user_home_content_symlinks(dovecot_t) -userdom_manage_user_home_content_pipes(dovecot_t) -userdom_manage_user_home_content_sockets(dovecot_t) -userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) mta_manage_spool(dovecot_t) +mta_manage_mail_home(dovecot_t) +mta_user_home_filetrans_mail_home(dovecot_t) + optional_policy(` kerberos_keytab_template(dovecot, dovecot_t) ') 
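Review bot: The two retained comment lines `# this should also probably be a separate type too instead of` / `# the regular home dir` are now stale, because this hunk is exactly what introduces that separate type (`mail_home_t`) for courier_pop_t. Drop them and keep only the pop-vs-imap remark, e.g. `# cjp: the fact that this is different for pop vs imap means that there should probably be a courier_pop_t and courier_imap_t`. It is also worth saying in that comment that courier_pop_t can now reach only home content labelled mail_home_t, since the `(read the Maildir)` comment above suggests the Maildir location matters and the hunk itself does not say which paths carry that label.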
@@ -255,13 +252,6 @@ files_search_tmp(dovecot_deliver_t) fs_getattr_all_fs(dovecot_deliver_t) -userdom_manage_user_home_content_dirs(dovecot_deliver_t) -userdom_manage_user_home_content_files(dovecot_deliver_t) -userdom_manage_user_home_content_symlinks(dovecot_deliver_t) -userdom_manage_user_home_content_pipes(dovecot_deliver_t) -userdom_manage_user_home_content_sockets(dovecot_deliver_t) -userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) - tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(dovecot_t) fs_manage_nfs_symlinks(dovecot_t) @@ -274,4 +264,6 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` mta_manage_spool(dovecot_deliver_t) + mta_manage_mail_home(dovecot_deliver_t) + mta_user_home_filetrans_mail_home(dovecot_deliver_t) ') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index fccf3f8..1d6660a 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -130,6 +130,10 @@ mta_read_config(exim_t) mta_manage_spool(exim_t) mta_mailserver_delivery(exim_t) +# Not sure about this but makes sense. +mta_manage_mail_home(exim_t) +mta_user_home_filetrans_mail_home(exim_t) + tunable_policy(`exim_can_connect_db',` corenet_tcp_connect_mysqld_port(exim_t) corenet_sendrecv_mysqld_client_packets(exim_t) diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc index 256166a..f39f7f4 100644 --- a/policy/modules/services/mta.fc +++ b/policy/modules/services/mta.fc @@ -1,4 +1,5 @@ HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +HOME_DIR/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0) /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) 
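Review bot: The two new exim_t lines duplicate access exim_t already receives through the attribute: the context line `mta_mailserver_delivery(exim_t)` puts exim_t in mailserver_delivery, and the mta.te part of this series grants `mta_manage_mail_home(mailserver_delivery)` and `mta_user_home_filetrans_mail_home(mailserver_delivery)` to that attribute. Drop the exim.te additions together with `# Not sure about this but makes sense.`, which records uncertainty rather than a reason; if exim needs something beyond what the attribute provides, the comment should say what that is.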
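Review bot: `HOME_DIR/Mail(/.*)?` is the only home path this patch labels mail_home_t, yet every delivery and POP/IMAP domain in the series is switched from user_home_t to mail_home_t, so mail kept anywhere else in the home — the ~/Maildir that the courier hunk's `(read the Maildir)` comment refers to, an mbox such as ~/mbox, or the `dead.letter` that mta.te's comment says user_mail_t creates — will be denied unless it is listed here too. Add the conventional locations next to the new entry, e.g. `HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0)` and `HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)`. Note that the `mta_user_home_filetrans_mail_home` transition in mta.if is not name-qualified, so whatever an agent creates at the top of the home directory becomes mail_home_t regardless of name, and any name missing from this file is flipped back to user_home_t by the next restorecon.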
@@ -7,9 +8,6 @@ HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) /etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -ifdef(`distro_redhat',` -/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) -') /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -28,3 +26,8 @@ ifdef(`distro_redhat',` /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + +ifdef(`distro_redhat',` +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +') diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 44e782e..910f1aa 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if 
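Review bot: Moving the `distro_redhat` block to the end of the file and adding `/root/\.forward` are unrelated to the mail_home_t change and arrive without explanation; `HOME_DIR/\.forward` is already the first line of this file, so whether /root needs its own entry depends on how HOME_DIR is expanded for root on that distribution, which the patch does not say. Split this into its own patch with a one-line rationale, or at least put a comment above the block, e.g. `# /root is not covered by HOME_DIR on Red Hat`, if that is the reason.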
@@ -498,6 +498,51 @@ interface(`mta_manage_aliases',` ######################################## ## +## Create, read, write, and delete +## dirs, files, pipes, lnk files and +## sock files mail home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_manage_mail_home',` + gen_require(` + type mail_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_dirs_pattern($1, mail_home_t, mail_home_t) + manage_files_pattern($1, mail_home_t, mail_home_t) + manage_lnk_files_pattern($1, mail_home_t, mail_home_t) + manage_sock_files_pattern($1, mail_home_t, mail_home_t) + manage_fifo_files_pattern($1, mail_home_t, mail_home_t) +') + +######################################## +## +## Create, read, write, and delete +## mail home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_manage_mail_home_files',` + gen_require(` + type mail_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, mail_home_t, mail_home_t) +') + +######################################## +## ## Type transition files created in /etc ## to the mail address aliases type. ## 
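Review bot: The summary of `mta_manage_mail_home` reads `## sock files mail home content.`, which is missing a word; make it `## sock files of mail home content.` so it parses like the other summaries in this file. It would also help callers to say where the type is applied, e.g. a second summary line `## (mail stored in user home directories, e.g. ~/Mail).`, since nothing in the interface text tells a reader what distinguishes mail_home_t from user_home_t. Calling `userdom_search_user_home_dirs($1)` in both interfaces is the right pattern and matches the read/relabel variants added later in the file.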
@@ -517,6 +562,47 @@ interface(`mta_etc_filetrans_aliases',` ######################################## ## +## Type transition dirs, files, pipes +## lnk files and sock files created in +## user home directories to the mail +## home type. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_user_home_filetrans_mail_home',` + gen_require(` + type mail_home_t; + ') + + userdom_user_home_content_filetrans($1, mail_home_t, { dir file fifo_file lnk_file sock_file }) +') + +######################################## +## +## Type transition files created in +## user home directories to the mail +## home type. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_user_home_filetrans_mail_home_files',` + gen_require(` + type mail_home_t; + ') + + userdom_user_home_content_filetrans($1, mail_home_t, file) +') + +######################################## +## ## Read and write mail aliases. ## ## 
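Review bot: `mta_user_home_filetrans_mail_home` and `mta_user_home_filetrans_mail_home_files` hard-code the object classes, whereas the `userdom_user_home_dir_filetrans_user_home_content(domain, { dir file lnk_file fifo_file sock_file })` calls they replace throughout this series took the class set as a parameter; one interface with a class argument, `userdom_user_home_content_filetrans($1, mail_home_t, $2)`, avoids the duplicate and lets user_mail_t pass `file` while delivery domains pass the full set. The summaries should also state that the transition is not name-qualified (every object the domain creates in the home directory becomes mail_home_t) and, if `userdom_user_home_content_filetrans` transitions only from the home directory type itself as its name suggests, that objects created inside existing subdirectories are not affected.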
@@ -860,3 +946,87 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') + +######################################## +## +## Read mail home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_read_mail_home',` + gen_require(` + type procmail_home_t; + ') + + search_dirs_pattern($1, mail_home_t, mail_home_t) + read_fifo_files_pattern($1, mail_home_t, mail_home_t) + read_files_pattern($1, mail_home_t, mail_home_t) + read_lnk_files_pattern($1, mail_home_t, mail_home_t) + read_sock_files_pattern($1, mail_home_t, mail_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Relabel mail home content. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_relabel_mail_home',` + gen_require(` + type mail_home_t; + ') + + relabel_dirs_pattern($1, mail_home_t, mail_home_t) + relabel_fifo_files_pattern($1, mail_home_t, mail_home_t) + relabel_files_pattern($1, mail_home_t, mail_home_t) + relabel_lnk_files_pattern($1, mail_home_t, mail_home_t) + relabel_sock_files_pattern($1, mail_home_t, mail_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Read mail home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_read_mail_home_files',` + gen_require(` + type procmail_home_t; + ') + + allow $1 mail_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Relabel mail home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_relabel_mail_home_files',` + gen_require(` + type mail_home_t; + ') + + allow $1 mail_home_t:file relabel_file_perms; + userdom_search_user_home_dirs($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 797d86b..bab7d6f 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te 
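Review bot: `mta_read_mail_home` and `mta_read_mail_home_files` require `type procmail_home_t;` but their rules use `mail_home_t`; procmail_home_t is declared in procmail.te, so the first caller of either interface will fail to build (mail_home_t is not in its require block) and would otherwise drag a procmail dependency into every caller for no reason. Change both blocks to `type mail_home_t;`. Nothing in this series calls them, which is why the module still builds. Separately, `mta_read_mail_home` uses `search_dirs_pattern`, so a reader can traverse but not list a mail_home_t directory, which for a Maildir tree means it cannot enumerate messages; `list_dirs_pattern($1, mail_home_t, mail_home_t)` is what a read interface normally grants.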
@@ -44,6 +44,10 @@ typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; ubac_constrained(user_mail_t) ubac_constrained(user_mail_tmp_t) +# postfix, sendmail, exim, qmail, procmail, courier +type mail_home_t; +userdom_user_home_content(mail_home_t) + ######################################## # # System mail local policy @@ -256,16 +260,12 @@ userdom_use_user_terminals(user_mail_t) # Write to the user domain tty. cjp: why? userdom_use_user_terminals(mta_user_agent) # Create dead.letter in user home directories. -userdom_manage_user_home_content_files(user_mail_t) -userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) +mta_manage_mail_home_files(user_mail_t) +mta_user_home_filetrans_mail_home_files(user_mail_t) # for reading .forward - maybe we need a new type for it? # also for delivering mail to maildir -userdom_manage_user_home_content_dirs(mailserver_delivery) -userdom_manage_user_home_content_files(mailserver_delivery) -userdom_manage_user_home_content_symlinks(mailserver_delivery) -userdom_manage_user_home_content_pipes(mailserver_delivery) -userdom_manage_user_home_content_sockets(mailserver_delivery) -userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) +mta_manage_mail_home(mailserver_delivery) +mta_user_home_filetrans_mail_home(mailserver_delivery) # Read user temporary files. userdom_read_user_tmp_files(user_mail_t) userdom_dontaudit_append_user_tmp_files(user_mail_t) diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc index 1343621..69d6180 100644 --- a/policy/modules/services/procmail.fc +++ b/policy/modules/services/procmail.fc 
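Review bot: The retained comment `# for reading .forward - maybe we need a new type for it?` above the new `mta_manage_mail_home(mailserver_delivery)` lines is stale: `mail_forward_t` already exists (mta.fc labels `HOME_DIR/\.forward` with it) and the rules under the comment are now about mail_home_t, not .forward; replace it with `# deliver to mail stored in user home directories (mail_home_t)`. The `.te` is also calling its own module's interfaces for a type declared a few lines up (`mta_manage_mail_home_files`, `mta_manage_mail_home`, both `*_filetrans_*`); refpolicy convention, as far as I know, is to write local rules directly, e.g. `manage_dirs_pattern(mailserver_delivery, mail_home_t, mail_home_t)`, rather than go through a gen_require for a local type. The comment on the declaration, `# postfix, sendmail, exim, qmail, procmail, courier`, lists users of the type rather than what it is; `# mail stored in user home directories (e.g. ~/Mail)` would be more useful to the next reader.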
@@ -1,5 +1,11 @@ +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0) -/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) +/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) + +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) + +ifdef(`distro_redhat',` +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0) +') -/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) -/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if index f68e025..20580d3 100644 --- a/policy/modules/services/procmail.if +++ b/policy/modules/services/procmail.if 
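Review bot: Most of this hunk is noise: `/usr/bin/procmail` is removed and re-added with only whitespace changed, and the two `/var/log/procmail` lines are deleted and re-inserted verbatim elsewhere; keep the hunk to the two real additions (`HOME_DIR/\.procmailrc` and the distro_redhat `/root/\.procmailrc`) so the change is reviewable. Only `.procmailrc` receives procmail_home_t; any further rc files a user includes from the home directory via INCLUDERC, if that setup is meant to be supported, would stay user_home_t, which procmail_t appears to lose access to in the procmail.te hunk of this series, so either label them too or note the restriction in a comment above the entry.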
@@ -77,3 +77,64 @@ interface(`procmail_rw_tmp_files',` files_search_tmp($1) rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) ') + +######################################## +## +## Read procmail user home content +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_read_user_content_files',` + gen_require(` + type procmail_home_t; + ') + + allow $1 procmail_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Create, read, write, and delete +## procmail home content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_manage_user_content_files',` + gen_require(` + type procmail_home_t; + ') + + allow $1 procmail_home_t:file manage_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## +## Relabel procmail user home content +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_relabel_user_content_files',` + gen_require(` + type procmail_home_t; + ') + + allow $1 procmail_home_t:file relabel_file_perms; + userdom_search_user_home_dirs($1) +') + diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index a51bbf6..ff1470a 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -11,6 +11,9 @@ type procmail_exec_t; application_domain(procmail_t, procmail_exec_t) role system_r types procmail_t; +type procmail_home_t; +userdom_user_home_content(procmail_home_t) + type procmail_log_t; logging_log_file(procmail_log_t) @@ -32,6 +35,8 @@ allow procmail_t self:udp_socket create_socket_perms; can_exec(procmail_t, procmail_exec_t) +procmail_read_user_content_files(procmail_t) + # Write log to /var/log/procmail.log or /var/log/procmail/.* allow procmail_t procmail_log_t:dir setattr; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) 
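Review bot: The three new procmail interfaces are named `procmail_*_user_content_files` while the mta ones added in the same series are `mta_*_mail_home` / `mta_*_mail_home_files`, so the two halves of this patch describe the same kind of object (a private type for a file in the user's home) with different vocabulary. Rename to e.g. `procmail_read_home_content_files`, `procmail_manage_home_content_files`, `procmail_relabel_home_content_files` and keep one scheme across both modules. The summaries should name the file the type covers, e.g. `## Read procmail user home content files (~/.procmailrc).`, since procmail.fc applies it to that path only. Granting procmail_t read-only access to procmail_home_t in the procmail.te hunk on this line is the right least-privilege choice; at least from the procmail_t domain itself a recipe cannot rewrite its own rc file.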
@@ -81,12 +86,8 @@ logging_send_syslog_msg(procmail_t) miscfiles_read_localization(procmail_t) # only works until we define a different type for maildir -userdom_manage_user_home_content_dirs(procmail_t) -userdom_manage_user_home_content_files(procmail_t) -userdom_manage_user_home_content_symlinks(procmail_t) -userdom_manage_user_home_content_pipes(procmail_t) -userdom_manage_user_home_content_sockets(procmail_t) -userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) +mta_manage_mail_home(procmail_t) +mta_user_home_filetrans_mail_home(procmail_t) # Do not audit attempts to access /root. userdom_dontaudit_search_user_home_dirs(procmail_t) -- 1.7.0.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100405/d5a66725/attachment.bin
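Review bot: The context comment `# only works until we define a different type for maildir` is now wrong in the other direction — mail_home_t is that type and the two lines below it are the switch — so update it, e.g. `# deliver into mail_home_t content in user home directories (~/Mail); see mta.fc for the labelled paths`. The practical effect is that recipes delivering anywhere in the home that is not labelled mail_home_t will be denied, which looks intended but deserves a sentence in that comment. The retained `userdom_dontaudit_search_user_home_dirs(procmail_t)` below now sits next to the `userdom_search_user_home_dirs` allow that `mta_manage_mail_home` carries; the dontaudit may still matter for /root as its comment says, but if both target the same type the pair is redundant and could be trimmed.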