From: bigon@debian.org (Laurent Bigonville)
Date: Tue,  4 Sep 2012 23:37:26 +0200
Subject: [refpolicy] [PATCH 7/9] Added new "lda" module for email local
	delivery agents such as maildrop and procmail
In-Reply-To: <1346794648-27101-1-git-send-email-bigon@debian.org>
References: <1346794648-27101-1-git-send-email-bigon@debian.org>
Message-ID: <1346794648-27101-7-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: Russell Coker <russell@coker.com.au>

---
 courier.if |   19 +++++++
 lda.fc     |    9 ++++
 lda.if     |   41 +++++++++++++++
 lda.te     |  162 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 postfix.te |    6 ++-
 5 files changed, 236 insertions(+), 1 deletion(-)
 create mode 100644 lda.fc
 create mode 100644 lda.if
 create mode 100644 lda.te

diff --git a/courier.if b/courier.if
index 9971337..be99138 100644
--- a/courier.if
+++ b/courier.if
@@ -106,6 +106,25 @@ interface(`courier_domtrans_authdaemon',`
 
 ########################################
 ## <summary>
+##	Act as a client for the courier authdaemon
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_authdaemon_client',`
+	gen_require(`
+		type courier_authdaemon_t, courier_etc_t, courier_var_run_t;
+	')
+	allow $1 courier_authdaemon_t:unix_stream_socket connectto;
+	allow $1 courier_etc_t:dir search;
+	allow $1 courier_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
 ##	Execute the courier POP3 and IMAP server with
 ##	a domain transition.
 ## </summary>
diff --git a/lda.fc b/lda.fc
new file mode 100644
index 0000000..f5745ae
--- /dev/null
+++ b/lda.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/procmail	--	gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/maildrop	--	gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/sbin/deliverquota.maildrop	--	gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/lib/dovecot/deliver --	gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/mailbot	--	gen_context(system_u:object_r:lda_exec_t,s0)
+
+/etc/courier/maildroprc	--	gen_context(system_u:object_r:lda_etc_t,s0)
+/var/log/maildrop.log	--	gen_context(system_u:object_r:lda_log_t,s0)
diff --git a/lda.if b/lda.if
new file mode 100644
index 0000000..ec97dc8
--- /dev/null
+++ b/lda.if
@@ -0,0 +1,41 @@
+## <summary>mail delivery agent</summary>
+
+########################################
+## <summary>
+##	Execute lda with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lda_domtrans',`
+	gen_require(`
+		type lda_exec_t, lda_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domtrans_pattern($1,lda_exec_t,lda_t)
+')
+
+########################################
+## <summary>
+##	Execute lda in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lda_exec',`
+	gen_require(`
+		type lda_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,lda_exec_t)
+')
diff --git a/lda.te b/lda.te
new file mode 100644
index 0000000..d9bc95d
--- /dev/null
+++ b/lda.te
@@ -0,0 +1,162 @@
+
+policy_module(lda, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type lda_t;
+typealias lda_t alias procmail_t;
+type lda_exec_t;
+typealias lda_exec_t alias procmail_exec_t;
+application_domain(lda_t,lda_exec_t)
+role system_r types lda_t;
+
+type lda_tmp_t;
+typealias lda_tmp_t alias procmail_tmp_t;
+files_tmp_file(lda_tmp_t)
+
+type lda_etc_t;
+files_config_file(lda_etc_t)
+
+type lda_log_t;
+logging_log_file(lda_log_t)
+manage_files_pattern(lda_t,lda_log_t,lda_log_t)
+logging_log_filetrans(lda_t,lda_log_t,file)
+
+
+########################################
+#
+# Local policy
+#
+
+allow lda_t self:capability { sys_nice chown setuid setgid dac_override };
+allow lda_t self:process { setsched signal signull };
+allow lda_t self:fifo_file rw_fifo_file_perms;
+allow lda_t self:unix_stream_socket create_socket_perms;
+allow lda_t self:unix_dgram_socket create_socket_perms;
+allow lda_t self:tcp_socket create_stream_socket_perms;
+allow lda_t self:udp_socket create_socket_perms;
+read_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+
+can_exec(lda_t,lda_exec_t)
+
+allow lda_t lda_tmp_t:file manage_file_perms;
+files_tmp_filetrans(lda_t, lda_tmp_t, file)
+
+kernel_read_system_state(lda_t)
+kernel_read_kernel_sysctls(lda_t)
+
+corenet_all_recvfrom_unlabeled(lda_t)
+corenet_all_recvfrom_netlabel(lda_t)
+corenet_tcp_sendrecv_all_if(lda_t)
+corenet_udp_sendrecv_all_if(lda_t)
+corenet_tcp_sendrecv_all_nodes(lda_t)
+corenet_udp_sendrecv_all_nodes(lda_t)
+corenet_tcp_sendrecv_all_ports(lda_t)
+corenet_udp_sendrecv_all_ports(lda_t)
+corenet_udp_bind_all_nodes(lda_t)
+corenet_tcp_connect_spamd_port(lda_t)
+corenet_sendrecv_spamd_client_packets(lda_t)
+corenet_sendrecv_comsat_client_packets(lda_t)
+
+dev_read_urand(lda_t)
+
+fs_getattr_xattr_fs(lda_t)
+fs_search_auto_mountpoints(lda_t)
+fs_rw_anon_inodefs_files(lda_t)
+
+auth_use_nsswitch(lda_t)
+
+corecmd_exec_bin(lda_t)
+corecmd_exec_shell(lda_t)
+
+files_read_etc_files(lda_t)
+files_read_etc_runtime_files(lda_t)
+files_search_pids(lda_t)
+# for spamassasin
+files_read_usr_files(lda_t)
+
+libs_use_ld_so(lda_t)
+libs_use_shared_libs(lda_t)
+
+logging_send_syslog_msg(lda_t)
+
+miscfiles_read_localization(lda_t)
+
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(lda_t)
+userdom_manage_user_home_content_files(lda_t)
+userdom_user_home_dir_filetrans_user_home_content(lda_t, { dir file })
+
+optional_policy(`
+	gen_require(`
+		bool daemon_access_unconfined_home;
+	')
+#	tunable_policy(`daemon_access_unconfined_home', `
+#		unconfined_write_home_content_files(lda_t)
+#	')
+')
+
+mta_manage_spool(lda_t)
+
+ifdef(`hide_broken_symptoms',`
+	mta_dontaudit_rw_queue(lda_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(lda_t)
+	fs_manage_nfs_files(lda_t)
+	fs_manage_nfs_symlinks(lda_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(lda_t)
+	fs_manage_cifs_files(lda_t)
+	fs_manage_cifs_symlinks(lda_t)
+')
+
+optional_policy(`
+	clamav_domtrans_clamscan(lda_t)
+	clamav_search_lib(lda_t)
+')
+
+optional_policy(`
+	courier_authdaemon_client(lda_t)
+')
+
+optional_policy(`
+	munin_dontaudit_search_lib(lda_t)
+')
+
+optional_policy(`
+	# for a bug in the postfix local program
+	postfix_dontaudit_rw_local_tcp_sockets(lda_t)
+	postfix_dontaudit_use_fds(lda_t)
+	postfix_read_spool_files(lda_t)
+	postfix_read_local_state(lda_t)
+	postfix_read_master_state(lda_t)
+')
+
+optional_policy(`
+	pyzor_domtrans(lda_t)
+')
+
+optional_policy(`
+	mta_read_config(lda_t)
+	sendmail_domtrans(lda_t)
+	sendmail_rw_tcp_sockets(lda_t)
+	sendmail_rw_unix_stream_sockets(lda_t)
+')
+
+optional_policy(`
+	corenet_udp_bind_generic_port(lda_t)
+	corenet_dontaudit_udp_bind_all_ports(lda_t)
+
+	spamassassin_exec(lda_t)
+	spamassassin_exec_client(lda_t)
+	spamassassin_read_lib_files(lda_t)
+')
+
diff --git a/postfix.te b/postfix.te
index f358c69..221a5d1 100644
--- a/postfix.te
+++ b/postfix.te
@@ -319,7 +319,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	procmail_domtrans(postfix_local_t)
+	lda_domtrans(postfix_local_t)
 ')
 
 ########################################
@@ -425,6 +425,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lda_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
 	mailman_domtrans_queue(postfix_pipe_t)
 ')
 
-- 
1.7.10.4