From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 05 Apr 2010 13:07:34 -0400
Subject: [refpolicy] [ mta patch (Retry) 1/1] This is what i think would probably have to be modified to make mail home work.
In-Reply-To: <20100405164525.GA5402@localhost.localdomain>
References: <20100405164525.GA5402@localhost.localdomain>
Message-ID: <4BBA18D6.1060003@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/05/2010 12:45 PM, Dominick Grift wrote:
In line comments
> Previous patch had minor issues:
>
> move relabel/manager mail home for user domains to mta_role.
> allow mta role to manage ~/.forward.
> make ~/.forward userdomain user home content.
> allow unconfined_t to manage/relabel oidentd and procmail user home content.
> add some more file context specifications for the different mail formats.
> > Signed-off-by: Dominick Grift > --- > :100644 100644 3fd227b... 4bb5869... M policy/modules/roles/staff.te > :100644 100644 2ed3c67... 029e06d... M policy/modules/roles/sysadm.te > :100644 100644 b0be6d2... d3a5988... M policy/modules/roles/unprivuser.te > :100644 100644 5c3d708... 193c77e... M policy/modules/services/courier.te > :100644 100644 9f16e2e... 96e362c... M policy/modules/services/dovecot.te > :100644 100644 fccf3f8... 1d6660a... M policy/modules/services/exim.te > :100644 100644 256166a... 2df2d17... M policy/modules/services/mta.fc > :100644 100644 44e782e... 1146303... M policy/modules/services/mta.if > :100644 100644 797d86b... 4d235be... M policy/modules/services/mta.te > :100644 100644 1343621... 69d6180... M policy/modules/services/procmail.fc > :100644 100644 f68e025... 20580d3... M policy/modules/services/procmail.if > :100644 100644 a51bbf6... ff1470a... M policy/modules/services/procmail.te > :100644 100644 df25576... eed82b5... M policy/modules/system/unconfined.te > policy/modules/roles/staff.te | 5 + > policy/modules/roles/sysadm.te | 5 + > policy/modules/roles/unprivuser.te | 5 + > policy/modules/services/courier.te | 4 +- > policy/modules/services/dovecot.te | 18 +--- > policy/modules/services/exim.te | 4 + > policy/modules/services/mta.fc | 14 ++- > policy/modules/services/mta.if | 178 ++++++++++++++++++++++++++++++++++- > policy/modules/services/mta.te | 17 ++-- > policy/modules/services/procmail.fc | 12 ++- > policy/modules/services/procmail.if | 61 ++++++++++++ > policy/modules/services/procmail.te | 13 ++- > policy/modules/system/unconfined.te | 10 ++ > 13 files changed, 309 insertions(+), 37 deletions(-) > > diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te > index 3fd227b..4bb5869 100644 > --- a/policy/modules/roles/staff.te > +++ b/policy/modules/roles/staff.te 
> @@ -105,6 +105,11 @@ optional_policy(` > ') > > optional_policy(` > + procmail_manage_user_content_files(staff_t) > + procmail_relabel_user_content_files(staff_t) > +') > + > I think you should add userdom_user_home_content(procmail_home_t) then you will not need this. > +optional_policy(` > pyzor_role(staff_r, staff_t) > ') > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 2ed3c67..029e06d 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -308,6 +308,11 @@ optional_policy(` > ') > > optional_policy(` > + procmail_manage_user_content_files(sysadm_t) > + procmail_relabel_user_content_files(sysadm_t) > +') > + > +optional_policy(` > pyzor_role(sysadm_r, sysadm_t) > ') > > DITTO > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te > index b0be6d2..d3a5988 100644 > --- a/policy/modules/roles/unprivuser.te > +++ b/policy/modules/roles/unprivuser.te > @@ -99,6 +99,11 @@ optional_policy(` > ') > > optional_policy(` > + procmail_manage_user_content_files(user_t) > + procmail_relabel_user_content_files(user_t) > +') > + > DITTO > +optional_policy(` > pyzor_role(user_r, user_t) > ') > > diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te > index 5c3d708..193c77e 100644 > --- a/policy/modules/services/courier.te > +++ b/policy/modules/services/courier.te 
> @@ -101,12 +101,12 @@ miscfiles_read_localization(courier_pop_t) > courier_domtrans_authdaemon(courier_pop_t) > > # do the actual work (read the Maildir) > -userdom_manage_user_home_content_files(courier_pop_t) > +mta_manage_mail_home(courier_pop_t) > +mta_user_home_filetrans_mail_home(courier_pop_t) > # cjp: the fact that this is different for pop vs imap means that > # there should probably be a courier_pop_t and courier_imap_t > # this should also probably be a separate type too instead of > # the regular home dir > -userdom_manage_user_home_content_dirs(courier_pop_t) > > ######################################## > # > diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te > index 9f16e2e..96e362c 100644 > --- a/policy/modules/services/dovecot.te > +++ b/policy/modules/services/dovecot.te > @@ -128,15 +128,12 @@ miscfiles_read_certs(dovecot_t) > miscfiles_read_localization(dovecot_t) > > userdom_dontaudit_use_unpriv_user_fds(dovecot_t) > -userdom_manage_user_home_content_dirs(dovecot_t) > -userdom_manage_user_home_content_files(dovecot_t) > -userdom_manage_user_home_content_symlinks(dovecot_t) > -userdom_manage_user_home_content_pipes(dovecot_t) > -userdom_manage_user_home_content_sockets(dovecot_t) > -userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) > > mta_manage_spool(dovecot_t) > > +mta_manage_mail_home(dovecot_t) > +mta_user_home_filetrans_mail_home(dovecot_t) > + > optional_policy(` > kerberos_keytab_template(dovecot, dovecot_t) > ') 
> @@ -255,13 +252,6 @@ files_search_tmp(dovecot_deliver_t) > > fs_getattr_all_fs(dovecot_deliver_t) > > -userdom_manage_user_home_content_dirs(dovecot_deliver_t) > -userdom_manage_user_home_content_files(dovecot_deliver_t) > -userdom_manage_user_home_content_symlinks(dovecot_deliver_t) > -userdom_manage_user_home_content_pipes(dovecot_deliver_t) > -userdom_manage_user_home_content_sockets(dovecot_deliver_t) > -userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) > - > tunable_policy(`use_nfs_home_dirs',` > fs_manage_nfs_files(dovecot_t) > fs_manage_nfs_symlinks(dovecot_t) > @@ -274,4 +264,6 @@ tunable_policy(`use_samba_home_dirs',` > > optional_policy(` > mta_manage_spool(dovecot_deliver_t) > + mta_manage_mail_home(dovecot_deliver_t) > + mta_user_home_filetrans_mail_home(dovecot_deliver_t) > ') > diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te > index fccf3f8..1d6660a 100644 > --- a/policy/modules/services/exim.te > +++ b/policy/modules/services/exim.te > @@ -130,6 +130,10 @@ mta_read_config(exim_t) > mta_manage_spool(exim_t) > mta_mailserver_delivery(exim_t) > > +# Not sure about this but makes sense. > +mta_manage_mail_home(exim_t) > +mta_user_home_filetrans_mail_home(exim_t) > + > tunable_policy(`exim_can_connect_db',` > corenet_tcp_connect_mysqld_port(exim_t) > corenet_sendrecv_mysqld_client_packets(exim_t) > diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc > index 256166a..2df2d17 100644 > --- a/policy/modules/services/mta.fc > +++ b/policy/modules/services/mta.fc > @@ -1,4 +1,7 @@ > HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) > +HOME_DIR/\.mbox -- gen_context(system_u:object_r:mail_home_t,s0) > +HOME_DIR/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0) > +HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0) > > /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) 
> > @@ -7,9 +10,6 @@ HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) > /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) > /etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) > /etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) > -ifdef(`distro_redhat',` > -/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) > -') > > /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) > > @@ -28,3 +28,11 @@ ifdef(`distro_redhat',` > /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) > /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) > /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) > + > +ifdef(`distro_redhat',` > +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) > +/root/\.mbox -- gen_context(system_u:object_r:mail_home_t,s0) > +/root/Mail(/.*)? gen_context(system_u:object_r:mail_home_t,s0) > +/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_t,s0) > +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) > +') > Not sure this should be redhat only. > diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if > index 44e782e..1146303 100644 > --- a/policy/modules/services/mta.if > +++ b/policy/modules/services/mta.if > @@ -162,7 +162,7 @@ template(`mta_base_mail_template',` > interface(`mta_role',` > gen_require(` > attribute mta_user_agent; > - type user_mail_t, sendmail_exec_t; > + type user_mail_t, sendmail_exec_t, mail_forward_t; > ') > > role $1 types { user_mail_t mta_user_agent }; 
> @@ -174,6 +174,12 @@ interface(`mta_role',` > allow mta_user_agent $2:fd use; > allow mta_user_agent $2:process sigchld; > allow mta_user_agent $2:fifo_file { read write }; > + > + manage_files_pattern($2, mail_forward_t, mail_forward_t) > + relabel_files_pattern($2, mail_forward_t, mail_forward_t) > + > + mta_manage_mail_home($2) > + mta_relabel_mail_home($2) > ') > > ######################################## > @@ -498,6 +504,51 @@ interface(`mta_manage_aliases',` > > ######################################## > ## > +## Create, read, write, and delete > +## dirs, files, pipes, lnk files and > +## sock files mail home content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mta_manage_mail_home',` > + gen_require(` > + type mail_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + manage_dirs_pattern($1, mail_home_t, mail_home_t) > + manage_files_pattern($1, mail_home_t, mail_home_t) > + manage_lnk_files_pattern($1, mail_home_t, mail_home_t) > + manage_sock_files_pattern($1, mail_home_t, mail_home_t) > + manage_fifo_files_pattern($1, mail_home_t, mail_home_t) > +') > + > +######################################## > +## > +## Create, read, write, and delete > +## mail home files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mta_manage_mail_home_files',` > + gen_require(` > + type mail_home_t; > + ') > + > + userdom_search_user_home_dirs($1) > + manage_files_pattern($1, mail_home_t, mail_home_t) > +') > + > +######################################## > +## > ## Type transition files created in /etc > ## to the mail address aliases type. > ## 
> @@ -517,6 +568,47 @@ interface(`mta_etc_filetrans_aliases',` > > ######################################## > ## > +## Type transition dirs, files, pipes > +## lnk files and sock files created in > +## user home directories to the mail > +## home type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mta_user_home_filetrans_mail_home',` > + gen_require(` > + type mail_home_t; > + ') > + > + userdom_user_home_content_filetrans($1, mail_home_t, { dir file fifo_file lnk_file sock_file }) > +') > + > +######################################## > +## > +## Type transition files created in > +## user home directories to the mail > +## home type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mta_user_home_filetrans_mail_home_files',` > + gen_require(` > + type mail_home_t; > + ') > + > + userdom_user_home_content_filetrans($1, mail_home_t, file) > +') > + > +######################################## > +## > ## Read and write mail aliases. > ## > ## 
> @@ -860,3 +952,87 @@ interface(`mta_rw_user_mail_stream_sockets',` > > allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; > ') > + > +######################################## > +## > +## Read mail home content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mta_read_mail_home',` > + gen_require(` > + type procmail_home_t; > + ') > + > + search_dirs_pattern($1, mail_home_t, mail_home_t) > + read_fifo_files_pattern($1, mail_home_t, mail_home_t) > + read_files_pattern($1, mail_home_t, mail_home_t) > + read_lnk_files_pattern($1, mail_home_t, mail_home_t) > + read_sock_files_pattern($1, mail_home_t, mail_home_t) > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Relabel mail home content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mta_relabel_mail_home',` > + gen_require(` > + type mail_home_t; > + ') > + > + relabel_dirs_pattern($1, mail_home_t, mail_home_t) > + relabel_fifo_files_pattern($1, mail_home_t, mail_home_t) > + relabel_files_pattern($1, mail_home_t, mail_home_t) > + relabel_lnk_files_pattern($1, mail_home_t, mail_home_t) > + relabel_sock_files_pattern($1, mail_home_t, mail_home_t) > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Read mail home files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mta_read_mail_home_files',` > + gen_require(` > + type procmail_home_t; > + ') > + > + allow $1 mail_home_t:file read_file_perms; > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Relabel mail home files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mta_relabel_mail_home_files',` > + gen_require(` > + type mail_home_t; > + ') > + > + allow $1 mail_home_t:file relabel_file_perms; > + userdom_search_user_home_dirs($1) > +') 
> diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te > index 797d86b..4d235be 100644 > --- a/policy/modules/services/mta.te > +++ b/policy/modules/services/mta.te > @@ -22,7 +22,7 @@ type etc_mail_t; > files_config_file(etc_mail_t) > > type mail_forward_t; > -files_type(mail_forward_t) > +userdom_user_home_content(mail_forward_t) > > type mqueue_spool_t; > files_mountpoint(mqueue_spool_t) > @@ -44,6 +44,9 @@ typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; > ubac_constrained(user_mail_t) > ubac_constrained(user_mail_tmp_t) > > +type mail_home_t; > +userdom_user_home_content(mail_home_t) > + > ######################################## > # > # System mail local policy > @@ -256,16 +259,12 @@ userdom_use_user_terminals(user_mail_t) > # Write to the user domain tty. cjp: why? > userdom_use_user_terminals(mta_user_agent) > # Create dead.letter in user home directories. > -userdom_manage_user_home_content_files(user_mail_t) > -userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) > +mta_manage_mail_home_files(user_mail_t) > +mta_user_home_filetrans_mail_home_files(user_mail_t) > # for reading .forward - maybe we need a new type for it? > # also for delivering mail to maildir > -userdom_manage_user_home_content_dirs(mailserver_delivery) > -userdom_manage_user_home_content_files(mailserver_delivery) > -userdom_manage_user_home_content_symlinks(mailserver_delivery) > -userdom_manage_user_home_content_pipes(mailserver_delivery) > -userdom_manage_user_home_content_sockets(mailserver_delivery) > -userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) > +mta_manage_mail_home(mailserver_delivery) > +mta_user_home_filetrans_mail_home(mailserver_delivery) > # Read user temporary files. > userdom_read_user_tmp_files(user_mail_t) > userdom_dontaudit_append_user_tmp_files(user_mail_t) 
> diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc > index 1343621..69d6180 100644 > --- a/policy/modules/services/procmail.fc > +++ b/policy/modules/services/procmail.fc > @@ -1,5 +1,11 @@ > +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0) > > -/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) > +/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) > + > +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) > +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) > + > +ifdef(`distro_redhat',` > +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0) > +') > > -/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) > -/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) > diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if > index f68e025..20580d3 100644 > --- a/policy/modules/services/procmail.if > +++ b/policy/modules/services/procmail.if 
> @@ -77,3 +77,64 @@ interface(`procmail_rw_tmp_files',` > files_search_tmp($1) > rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) > ') > + > +######################################## > +## > +## Read procmail user home content > +## files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`procmail_read_user_content_files',` > + gen_require(` > + type procmail_home_t; > + ') > + > + allow $1 procmail_home_t:file read_file_perms; > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Create, read, write, and delete > +## procmail home content files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`procmail_manage_user_content_files',` > + gen_require(` > + type procmail_home_t; > + ') > + > + allow $1 procmail_home_t:file manage_file_perms; > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > +## Relabel procmail user home content > +## files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`procmail_relabel_user_content_files',` > + gen_require(` > + type procmail_home_t; > + ') > + > + allow $1 procmail_home_t:file relabel_file_perms; > + userdom_search_user_home_dirs($1) > +') > + > diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te > index a51bbf6..ff1470a 100644 > --- a/policy/modules/services/procmail.te > +++ b/policy/modules/services/procmail.te > @@ -11,6 +11,9 @@ type procmail_exec_t; > application_domain(procmail_t, procmail_exec_t) > role system_r types procmail_t; > > +type procmail_home_t; > +userdom_user_home_content(procmail_home_t) > + > type procmail_log_t; > logging_log_file(procmail_log_t) 
> > @@ -32,6 +35,8 @@ allow procmail_t self:udp_socket create_socket_perms; > > can_exec(procmail_t, procmail_exec_t) > > +procmail_read_user_content_files(procmail_t) > + > # Write log to /var/log/procmail.log or /var/log/procmail/.* > allow procmail_t procmail_log_t:dir setattr; > create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) > @@ -81,12 +86,8 @@ logging_send_syslog_msg(procmail_t) > miscfiles_read_localization(procmail_t) > > # only works until we define a different type for maildir > -userdom_manage_user_home_content_dirs(procmail_t) > -userdom_manage_user_home_content_files(procmail_t) > -userdom_manage_user_home_content_symlinks(procmail_t) > -userdom_manage_user_home_content_pipes(procmail_t) > -userdom_manage_user_home_content_sockets(procmail_t) > -userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) > +mta_manage_mail_home(procmail_t) > +mta_user_home_filetrans_mail_home(procmail_t) > > # Do not audit attempts to access /root. > userdom_dontaudit_search_user_home_dirs(procmail_t) > diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te > index df25576..eed82b5 100644 > --- a/policy/modules/system/unconfined.te > +++ b/policy/modules/system/unconfined.te > @@ -147,6 +147,11 @@ optional_policy(` > ') > > optional_policy(` > + oident_manage_user_content(unconfined_t) > + oident_relabel_user_content(unconfined_t) > +') > + > +optional_policy(` > prelink_run(unconfined_t, unconfined_r) > ') 
> > @@ -161,6 +166,11 @@ optional_policy(` > ') > > optional_policy(` > + procmail_manage_user_content_files(unconfined_t) > + procmail_relabel_user_content_files(unconfined_t) > +') > + > +optional_policy(` > pyzor_role(unconfined_r, unconfined_t) > ')
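Review bot: the gen_require blocks of mta_read_mail_home and mta_read_mail_home_files (mta.if hunk @@ -860,3 +952,87 @@) declare "type procmail_home_t;" while their bodies only use mail_home_t. The interfaces must require mail_home_t (declared in mta.te by this same patch), and requiring procmail_home_t from mta.if makes the mta module depend on the procmail module for nothing. Change both to "type mail_home_t;", as mta_relabel_mail_home and mta_relabel_mail_home_files in the same hunk already do. In the same hunk, mta_read_mail_home_files and mta_relabel_mail_home_files grant only mail_home_t:file permissions plus search of the home directory, so they reach HOME_DIR/.mbox but not files below Mail/ or Maildir/, whose parent directories are also mail_home_t; if that narrow scope is intended, the summary should say so.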
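Review bot: mta_user_home_filetrans_mail_home and mta_user_home_filetrans_mail_home_files (mta.if hunk @@ -517,6 +568,47 @@) are built on userdom_user_home_content_filetrans, whereas every rule they replace in courier.te, dovecot.te, mta.te and procmail.te used userdom_user_home_dir_filetrans_user_home_content, which keys the transition on the home directory itself. The objects these interfaces are meant to label (Maildir/, Mail/, .mbox, dead.letter) are created directly under HOME_DIR, so please confirm the new helper transitions from the home directory type and not only from content already inside it; otherwise a delivery agent creating ~/Maildir will leave it with the generic home content type instead of mail_home_t.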
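Review bot: the two comments kept as context in the mta.te hunk @@ -256,16 +259,12 @@, "# for reading .forward - maybe we need a new type for it?" and "# also for delivering mail to maildir", no longer describe the lines under them: .forward has its own type (mail_forward_t) and the maildir now gets mail_home_t, which is the whole point of this patch. Reword them to say that mailserver_delivery manages mail_home_t content. Also, "# Create dead.letter in user home directories." now goes through mta_user_home_filetrans_mail_home_files, so a dead.letter created by user_mail_t is labeled mail_home_t, yet the mta.fc hunk adds no HOME_DIR/dead\.letter entry; a restorecon of the home directory would relabel it to plain user home content and user_mail_t would lose access to it. Either add the file context line or drop the transition for user_mail_t.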
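Review bot: switching mail_forward_t from files_type to userdom_user_home_content (mta.te hunk @@ -22,7 +22,7 @@) puts ~/.forward under the generic user home content attribute, so every domain that already holds blanket manage rights on user home content can now rewrite the file that tells the MTA where (and through which commands) a user's mail is delivered. That is a wider write surface than the previous dedicated type had, and mta_role in this patch already grants user domains manage and relabel on mail_forward_t explicitly, so the attribute change is not needed for the stated goal. If the attribute is still wanted (for relabel via userdom tools), note the consequence in the commit message so the delivery-integrity trade-off is a deliberate one.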
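Review bot: the exim.te hunk @@ -130,6 +130,10 @@ leaves the comment "# Not sure about this but makes sense." in the policy; a merged patch should not carry an unresolved review question. The context line just above, mta_mailserver_delivery(exim_t), puts exim_t in the mailserver_delivery attribute, and the mta.te hunk already gives that attribute mta_manage_mail_home and mta_user_home_filetrans_mail_home, so the two added lines look redundant and can be dropped together with the comment.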
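Review bot: the courier.te hunk @@ -101,12 +101,12 @@ keeps the "cjp:" comment block that argues "this should also probably be a separate type too instead of the regular home dir", but the lines it annotates now use exactly that separate type (mail_home_t). Trim the comment to the remaining open point (a courier_pop_t versus courier_imap_t split) so it does not describe a problem this patch solves.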
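Review bot: the procmail.te hunk @@ -81,12 +86,8 @@ replaces the userdom rules under the comment "# only works until we define a different type for maildir", and this patch defines that type, so the comment is now stale and should be updated to describe mail_home_t access.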
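Review bot: in the procmail.fc hunk @@ -1,5 +1,11 @@ the removed and added "/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)" lines are identical apart from whitespace; drop that pair so the hunk only carries the real changes (the .procmailrc entries and the moved log entries).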
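Review bot: the unconfined.te hunk @@ -147,6 +147,11 @@ calls oident_manage_user_content and oident_relabel_user_content, but the diffstat shows no change to oident.if, so these interfaces must already exist there; please confirm they do, and that the oidentd home content type is declared with userdom_user_home_content like procmail_home_t and mail_home_t are in this patch, since an optional_policy block referring to a missing interface breaks the build rather than being skipped.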