From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 4 Sep 2012 23:37:26 +0200
Subject: [refpolicy] [PATCH 7/9] Added new "lda" module for email local delivery agents such as maildrop and procmail
In-Reply-To: <1346794648-27101-1-git-send-email-bigon@debian.org>
References: <1346794648-27101-1-git-send-email-bigon@debian.org>
Message-ID: <1346794648-27101-7-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Russell Coker
---
 courier.if | 19 +++++++
 lda.fc | 9 ++++
 lda.if | 41 +++++++++++++++
 lda.te | 162 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 postfix.te | 6 ++-
 5 files changed, 236 insertions(+), 1 deletion(-)
 create mode 100644 lda.fc
 create mode 100644 lda.if
 create mode 100644 lda.te
diff --git a/courier.if b/courier.if
index 9971337..be99138 100644
--- a/courier.if
+++ b/courier.if
@@ -106,6 +106,25 @@ interface(`courier_domtrans_authdaemon',`
 ########################################
 ##
+## Act as a client for the courier authdaemon
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_authdaemon_client',`
+ gen_require(`
+ type courier_authdaemon_t, courier_etc_t, courier_var_run_t;
+ ')
+ allow $1 courier_authdaemon_t:unix_stream_socket connectto;
+ allow $1 courier_etc_t:dir search;
+ allow $1 courier_var_run_t:sock_file write;
+')
+
+########################################
+##
 ## Execute the courier POP3 and IMAP server with
 ## a domain transition.
 ##
diff --git a/lda.fc b/lda.fc
new file mode 100644
index 0000000..f5745ae
--- /dev/null
+++ b/lda.fc
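Review bot: `courier_authdaemon_client` allows `connectto` on the daemon and `write` on `courier_var_run_t:sock_file`, but grants no `search` on `courier_var_run_t` directories, so a caller that does not already hold that access cannot reach the socket under the pid directory. refpolicy's idiom for this is `files_search_pids($1)` followed by `stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)`, which expands to the dir search, the sock_file write and the connectto in one call and replaces the first and third allow rules here. By the tree's naming convention such an interface is usually called `courier_stream_connect_authdaemon`; also, the other interfaces in this file leave a blank line after the `gen_require` block.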
@@ -0,0 +1,9 @@
+
+/usr/bin/procmail -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/sbin/deliverquota.maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/mailbot -- gen_context(system_u:object_r:lda_exec_t,s0)
+
+/etc/courier/maildroprc -- gen_context(system_u:object_r:lda_etc_t,s0)
+/var/log/maildrop.log -- gen_context(system_u:object_r:lda_log_t,s0)
diff --git a/lda.if b/lda.if
new file mode 100644
index 0000000..ec97dc8
--- /dev/null
+++ b/lda.if
@@ -0,0 +1,41 @@
+## mail delivery agent
+
+########################################
+##
+## Execute lda with a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lda_domtrans',`
+ gen_require(`
+ type lda_exec_t, lda_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1,lda_exec_t,lda_t)
+')
+
+########################################
+##
+## Execute lda in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lda_exec',`
+ gen_require(`
+ type lda_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1,lda_exec_t)
+')
diff --git a/lda.te b/lda.te
new file mode 100644
index 0000000..d9bc95d
--- /dev/null
+++ b/lda.te
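Review bot: `/usr/lib/dovecot/deliver` is labeled `lda_exec_t` here, but if the dovecot module in this tree already carries its own file context for that path (refpolicy's dovecot.fc has historically labeled the deliver binary with a dovecot-specific exec type), the two entries conflict and the file-context build will reject the duplicate; this patch does not touch dovecot.fc, so either drop this line or remove the dovecot entry in the same series — confirm against the tree. The procmail, maildrop, deliverquota and mailbot entries match the module's stated scope.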
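Review bot: lda.te aliases `lda_t`/`lda_exec_t` to the procmail types, but lda.if offers no `procmail_domtrans` or `procmail_exec` compatibility interface, so any module other than postfix.te that still calls the procmail interfaces (only postfix.te is switched in this patch) will fail to build once procmail.if is removed; either add thin wrappers that call `lda_domtrans($1)` / `lda_exec($1)`, or convert every caller in the same series. Style: the tree separates pattern arguments with `, `, i.e. `domtrans_pattern($1, lda_exec_t, lda_t)` and `can_exec($1, lda_exec_t)`.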
@@ -0,0 +1,162 @@
+
+policy_module(lda, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type lda_t;
+typealias lda_t alias procmail_t;
+type lda_exec_t;
+typealias lda_exec_t alias procmail_exec_t;
+application_domain(lda_t,lda_exec_t)
+role system_r types lda_t;
+
+type lda_tmp_t;
+typealias lda_tmp_t alias procmail_tmp_t;
+files_tmp_file(lda_tmp_t)
+
+type lda_etc_t;
+files_config_file(lda_etc_t)
+
+type lda_log_t;
+logging_log_file(lda_log_t)
+manage_files_pattern(lda_t,lda_log_t,lda_log_t)
+logging_log_filetrans(lda_t,lda_log_t,file)
+
+
+########################################
+#
+# Local policy
+#
+
+allow lda_t self:capability { sys_nice chown setuid setgid dac_override };
+allow lda_t self:process { setsched signal signull };
+allow lda_t self:fifo_file rw_fifo_file_perms;
+allow lda_t self:unix_stream_socket create_socket_perms;
+allow lda_t self:unix_dgram_socket create_socket_perms;
+allow lda_t self:tcp_socket create_stream_socket_perms;
+allow lda_t self:udp_socket create_socket_perms;
+read_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+
+can_exec(lda_t,lda_exec_t)
+
+allow lda_t lda_tmp_t:file manage_file_perms;
+files_tmp_filetrans(lda_t, lda_tmp_t, file)
+
+kernel_read_system_state(lda_t)
+kernel_read_kernel_sysctls(lda_t)
+
+corenet_all_recvfrom_unlabeled(lda_t)
+corenet_all_recvfrom_netlabel(lda_t)
+corenet_tcp_sendrecv_all_if(lda_t)
+corenet_udp_sendrecv_all_if(lda_t)
+corenet_tcp_sendrecv_all_nodes(lda_t)
+corenet_udp_sendrecv_all_nodes(lda_t)
+corenet_tcp_sendrecv_all_ports(lda_t)
+corenet_udp_sendrecv_all_ports(lda_t)
+corenet_udp_bind_all_nodes(lda_t)
+corenet_tcp_connect_spamd_port(lda_t)
+corenet_sendrecv_spamd_client_packets(lda_t)
+corenet_sendrecv_comsat_client_packets(lda_t)
+
+dev_read_urand(lda_t)
+
+fs_getattr_xattr_fs(lda_t)
+fs_search_auto_mountpoints(lda_t)
+fs_rw_anon_inodefs_files(lda_t)
+
+auth_use_nsswitch(lda_t)
+
+corecmd_exec_bin(lda_t)
+corecmd_exec_shell(lda_t)
+
+files_read_etc_files(lda_t)
+files_read_etc_runtime_files(lda_t)
+files_search_pids(lda_t)
+# for spamassasin
+files_read_usr_files(lda_t)
+
+libs_use_ld_so(lda_t)
+libs_use_shared_libs(lda_t)
+
+logging_send_syslog_msg(lda_t)
+
+miscfiles_read_localization(lda_t)
+
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(lda_t)
+userdom_manage_user_home_content_files(lda_t)
+userdom_user_home_dir_filetrans_user_home_content(lda_t, { dir file })
+
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+# tunable_policy(`daemon_access_unconfined_home', `
+# unconfined_write_home_content_files(lda_t)
+# ')
+')
+
+mta_manage_spool(lda_t)
+
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(lda_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(lda_t)
+ fs_manage_nfs_files(lda_t)
+ fs_manage_nfs_symlinks(lda_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(lda_t)
+ fs_manage_cifs_files(lda_t)
+ fs_manage_cifs_symlinks(lda_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(lda_t)
+ clamav_search_lib(lda_t)
+')
+
+optional_policy(`
+ courier_authdaemon_client(lda_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(lda_t)
+')
+
+optional_policy(`
+ # for a bug in the postfix local program
+ postfix_dontaudit_rw_local_tcp_sockets(lda_t)
+ postfix_dontaudit_use_fds(lda_t)
+ postfix_read_spool_files(lda_t)
+ postfix_read_local_state(lda_t)
+ postfix_read_master_state(lda_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(lda_t)
+')
+
+optional_policy(`
+ mta_read_config(lda_t)
+ sendmail_domtrans(lda_t)
+ sendmail_rw_tcp_sockets(lda_t)
+ sendmail_rw_unix_stream_sockets(lda_t)
+')
+
+optional_policy(`
+ corenet_udp_bind_generic_port(lda_t)
+ corenet_dontaudit_udp_bind_all_ports(lda_t)
+
+ spamassassin_exec(lda_t)
+ spamassassin_exec_client(lda_t)
+ spamassassin_read_lib_files(lda_t)
+')
+
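Review bot: The `optional_policy` block following the userdom rules contains only a `gen_require` for `bool daemon_access_unconfined_home` and commented-out `tunable_policy` code, so it grants nothing and merely ties the module to a boolean that may not exist in this tree; drop the block or finish the tunable rather than shipping dead policy. The network section pairs `corenet_tcp_sendrecv_all_ports(lda_t)` / `corenet_udp_sendrecv_all_ports(lda_t)` with port-specific spamd and comsat rules, and since lda_t also receives `corecmd_exec_shell`, `dac_override`, `setuid`/`setgid` and manage rights over all user home content, a comment naming which delivery agent needs the all-ports rules (or narrowing them to the ports actually used) would make the blast radius of this domain reviewable. `libs_use_ld_so` / `libs_use_shared_libs` look like deprecated no-op interfaces in refpolicy of this era — confirm against the tree and remove if so. `policy_module(lda, 1.9.0)` on a brand-new module reads as carried over from procmail.te; a new module conventionally starts at 1.0.0, and the `manage_files_pattern` / `logging_log_filetrans` rules in the Declarations section belong under Local policy.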
diff --git a/postfix.te b/postfix.te
index f358c69..221a5d1 100644
--- a/postfix.te
+++ b/postfix.te
@@ -319,7 +319,7 @@ optional_policy(`
 ')
 optional_policy(`
- procmail_domtrans(postfix_local_t)
+ lda_domtrans(postfix_local_t)
 ')
 ########################################
@@ -425,6 +425,10 @@ optional_policy(`
 ')
 optional_policy(`
+ lda_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
 mailman_domtrans_queue(postfix_pipe_t)
 ')
--
1.7.10.4