From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 28 Oct 2011 09:43:14 -0400 Subject: [refpolicy] [PATCH v2 1/3] Initial policy for the mutt e-mail client In-Reply-To: <20111003200329.GB7198@siphos.be> References: <20111003200247.GA7198@siphos.be> <20111003200329.GB7198@siphos.be> Message-ID: <4EAAB172.1010805@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/03/11 16:03, Sven Vermeulen wrote:
> diff --git a/mutt.if b/mutt.if
> new file mode 100644
> index 0000000..59f96e7
> --- /dev/null
> +++ b/mutt.if
> @@ -0,0 +1,68 @@
> +## Mutt e-mail client
> +
> +#######################################
> +##
> +## The role for using the mutt application.
> +##
> +##
> +##
> +## The role associated with the user domain.
> +##
> +##
> +##
> +##
> +## The user domain.
> +##
> +##
> +#
> +interface(`mutt_role',`
> + gen_require(`
> + type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t;
> + type mutt_tmp_t;
> + ')
> +
> + role $1 types mutt_t;
> +
> + domtrans_pattern($2, mutt_exec_t, mutt_t)
> +
> + allow $2 mutt_t:process { ptrace signal_perms };
> +
> + manage_dirs_pattern($2, mutt_home_t, mutt_home_t)
> + manage_files_pattern($2, mutt_home_t, mutt_home_t)
> +
> + manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
> + manage_files_pattern($2, mutt_conf_t, mutt_conf_t)
> +
> + relabel_dirs_pattern($2, mutt_home_t, mutt_home_t)
> + relabel_files_pattern($2, mutt_home_t, mutt_home_t)
> +
> + relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
> + relabel_files_pattern($2, mutt_conf_t, mutt_conf_t)
This should be ordered by the type names, rather than the pattern name.
> + relabel_dirs_pattern($2, mutt_tmp_t, mutt_tmp_t)
> + relabel_files_pattern($2, mutt_tmp_t, mutt_tmp_t)
> +
> + ps_process_pattern($2, mutt_t)
> +')
> +
> +#######################################
> +##
> +## Allow other domains to handle mutt's temporary files (used for instance
> +## for e-mail drafts)
> +##
> +##
> +##
> +## The domain that is allowed read/write access to the temporary files
> +##
> +##
> +#
> +interface(`mutt_rw_tmp_files',`
> + gen_require(`
> + type mutt_tmp_t;
> + ')
> +
> + # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well
> + allow $1 mutt_tmp_t:dir search_dir_perms;
> + allow $1 mutt_tmp_t:file { read write };
> + files_search_tmp($1)
> +')
> diff --git a/mutt.te b/mutt.te
> new file mode 100644
> index 0000000..60faae9
> --- /dev/null
> +++ b/mutt.te
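Review bot: The `gen_require` of mutt_role lists `mutt_etc_t`, but no rule in the interface body references that type, so the requirement should be trimmed to `type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t;`. In mutt_rw_tmp_files the description promises "read/write access" while the rules deliberately omit `open`, so a caller can only use descriptors already opened by mutt_t; the summary should state that, e.g. `## Read and write mutt temporary files through inherited file descriptors (no open permission is granted).` If the project follows the `_rw_inherited_` naming used for this pattern elsewhere in refpolicy, renaming the interface would make the contract visible from its name alone. With no open permission, `files_search_tmp($1)` and the `search_dir_perms` on `mutt_tmp_t:dir` also look unnecessary, though that depends on the intended callers and is worth confirming.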
> @@ -0,0 +1,100 @@
> +policy_module(mutt, 1.0.0)
> +
> +############################
> +#
> +# Declarations
> +#
> +
> +##
> +##

> +## Be able to manage user files (needed to support attachment handling)
> +##

> +##
> +gen_tunable(mutt_manage_user_content, false)
> +
> +type mutt_t;
> +type mutt_exec_t;
> +application_domain(mutt_t, mutt_exec_t)
> +ubac_constrained(mutt_t)
> +
> +type mutt_conf_t;
> +userdom_user_home_content(mutt_conf_t)
> +
> +type mutt_etc_t;
> +files_config_file(mutt_etc_t)
> +
> +type mutt_home_t;
> +userdom_user_home_content(mutt_home_t)
> +
> +type mutt_tmp_t;
> +files_tmp_file(mutt_tmp_t)
> +ubac_constrained(mutt_tmp_t)
I put in a new userdom interface that replaces the above two calls.
> +############################
> +#
> +# Local Policy Rules
> +#
> +
> +allow mutt_t self:process signal_perms;
> +allow mutt_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t)
> +manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t)
> +userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, { dir file })
> +
> +manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir })
> +
> +read_files_pattern(mutt_t, mutt_etc_t, mutt_etc_t)
> +
> +read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)
> +
> +
Extra whitespace, and out of order rules above.
> +kernel_read_system_state(mutt_t)
> +
> +corecmd_exec_bin(mutt_t)
> +corecmd_exec_shell(mutt_t)
> +
> +corenet_all_recvfrom_netlabel(mutt_t)
> +corenet_all_recvfrom_unlabeled(mutt_t)
> +corenet_sendrecv_pop_client_packets(mutt_t)
> +corenet_sendrecv_smtp_client_packets(mutt_t)
> +corenet_tcp_bind_generic_node(mutt_t)
> +corenet_tcp_connect_pop_port(mutt_t)
> +corenet_tcp_connect_smtp_port(mutt_t)
> +corenet_tcp_sendrecv_generic_if(mutt_t)
> +corenet_tcp_sendrecv_generic_node(mutt_t)
> +corenet_tcp_sendrecv_pop_port(mutt_t)
> +corenet_tcp_sendrecv_smtp_port(mutt_t)
> +
> +dev_read_rand(mutt_t)
> +dev_read_urand(mutt_t)
> +
> +domain_use_interactive_fds(mutt_t)
> +
> +files_read_usr_files(mutt_t)
> +
> +
> +auth_use_nsswitch(mutt_t)
> +
> +miscfiles_read_localization(mutt_t)
> +
> +userdom_manage_xdg_cache_home(mutt_t)
> +userdom_read_xdg_config_home(mutt_t)
> +userdom_search_user_home_content(mutt_t)
> +userdom_use_user_terminals(mutt_t)
> +
> +optional_policy(`
> + gpg_domtrans(mutt_t)
> +')
> +
> +tunable_policy(`mutt_manage_user_content',`
> + # Needed for handling attachments
> + userdom_manage_user_home_content_files(mutt_t)
> + userdom_manage_user_home_content_dirs(mutt_t)
> +')
> +
> +tunable_policy(`gentoo_try_dontaudit',`
> + kernel_dontaudit_search_sysctl(mutt_t)
> +')
Please remove the test rules. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
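Review bot: `corenet_tcp_bind_generic_node(mutt_t)` grants node_bind, which, as far as I can tell, a plain connect() to the POP and SMTP ports does not require; unless mutt binds a local source address before connecting, this line can be dropped, and if it is needed it deserves a comment saying why. `corecmd_exec_bin(mutt_t)` and `corecmd_exec_shell(mutt_t)` with no domain transition mean the editor, pager and mailcap handlers mutt spawns all keep running as mutt_t, so they inherit its network access and, when the tunable is enabled, the user home content access; a why-comment above those two lines would make that design choice explicit, e.g. `# helpers mutt launches (editor, pager, mailcap viewers) run in mutt_t and share its access`. The `mutt_manage_user_content` tunable body could likewise note that the manage rights extend to those helpers and not only to mutt itself, since the only separate domain the hunk provides is the optional gpg transition.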