From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ mta patch 1/1] This is what i think would probably have to be modifies to make mail home work.
Date: Mon, 5 Apr 2010 17:35:46 +0200	[thread overview]
Message-ID: <20100405153540.GA3152@localhost.localdomain> (raw)

It builds but it is untested. I think that qmail may also need this access, but I could not find
any evidence of this.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 3fd227b... 5b7268e... M	policy/modules/roles/staff.te
:100644 100644 2ed3c67... c918465... M	policy/modules/roles/sysadm.te
:100644 100644 b0be6d2... 62a1760... M	policy/modules/roles/unprivuser.te
:100644 100644 5c3d708... 193c77e... M	policy/modules/services/courier.te
:100644 100644 9f16e2e... 96e362c... M	policy/modules/services/dovecot.te
:100644 100644 fccf3f8... 1d6660a... M	policy/modules/services/exim.te
:100644 100644 256166a... f39f7f4... M	policy/modules/services/mta.fc
:100644 100644 44e782e... 910f1aa... M	policy/modules/services/mta.if
:100644 100644 797d86b... bab7d6f... M	policy/modules/services/mta.te
:100644 100644 1343621... 69d6180... M	policy/modules/services/procmail.fc
:100644 100644 f68e025... 20580d3... M	policy/modules/services/procmail.if
:100644 100644 a51bbf6... ff1470a... M	policy/modules/services/procmail.te
 policy/modules/roles/staff.te       |    7 ++
 policy/modules/roles/sysadm.te      |    7 ++
 policy/modules/roles/unprivuser.te  |    7 ++
 policy/modules/services/courier.te  |    4 +-
 policy/modules/services/dovecot.te  |   18 +---
 policy/modules/services/exim.te     |    4 +
 policy/modules/services/mta.fc      |    9 ++-
 policy/modules/services/mta.if      |  170 +++++++++++++++++++++++++++++++++++
 policy/modules/services/mta.te      |   16 ++--
 policy/modules/services/procmail.fc |   12 ++-
 policy/modules/services/procmail.if |   61 +++++++++++++
 policy/modules/services/procmail.te |   13 ++--
 12 files changed, 293 insertions(+), 35 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 3fd227b..5b7268e 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -93,6 +93,8 @@ optional_policy(`
 
 optional_policy(`
 	mta_role(staff_r, staff_t)
+	mta_manage_mail_home(staff_t)
+	mta_relabel_mail_home(staff_t)
 ')
 
 optional_policy(`
@@ -105,6 +107,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	procmail_manage_user_content_files(staff_t)
+	procmail_relabel_user_content_files(staff_t)
+')
+
+optional_policy(`
 	pyzor_role(staff_r, staff_t)
 ')
 
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2ed3c67..c918465 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -264,6 +264,8 @@ optional_policy(`
 
 optional_policy(`
 	mta_role(sysadm_r, sysadm_t)
+	mta_manage_mail_home(sysadm_t)
+	mta_relabel_mail_home(sysadm_t)
 ')
 
 optional_policy(`
@@ -308,6 +310,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	procmail_manage_user_content_files(sysadm_t)
+	procmail_relabel_user_content_files(sysadm_t)
+')
+
+optional_policy(`
 	pyzor_role(sysadm_r, sysadm_t)
 ')
 
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index b0be6d2..62a1760 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -87,6 +87,8 @@ optional_policy(`
 
 optional_policy(`
 	mta_role(user_r, user_t)
+	mta_manage_mail_home(user_t)
+	mta_relabel_mail_home(user_t)
 ')
 
 optional_policy(`
@@ -99,6 +101,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	procmail_manage_user_content_files(user_t)
+	procmail_relabel_user_content_files(user_t)
+')
+
+optional_policy(`
 	pyzor_role(user_r, user_t)
 ')
 
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 5c3d708..193c77e 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -101,12 +101,12 @@ miscfiles_read_localization(courier_pop_t)
 courier_domtrans_authdaemon(courier_pop_t)
 
 # do the actual work (read the Maildir)
-userdom_manage_user_home_content_files(courier_pop_t)
+mta_manage_mail_home(courier_pop_t)
+mta_user_home_filetrans_mail_home(courier_pop_t)
 # cjp: the fact that this is different for pop vs imap means that
 # there should probably be a courier_pop_t and courier_imap_t
 # this should also probably be a separate type too instead of
 # the regular home dir
-userdom_manage_user_home_content_dirs(courier_pop_t)
 
 ########################################
 #
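Review bot: The retained comment says courier_pop_t reads the Maildir, but the only home path this patch labels mail_home_t is `HOME_DIR/Mail(/.*)?` in mta.fc. An existing `~/Maildir` therefore keeps its generic home content label and stops being reachable once `userdom_manage_user_home_content_files` and `userdom_manage_user_home_content_dirs` are dropped here. The dovecot.te and procmail.te hunks narrow access the same way. Consider adding `HOME_DIR/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_t,s0)` to mta.fc and stating in the description that existing home directories need a relabel.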
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 9f16e2e..96e362c 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -128,15 +128,12 @@ miscfiles_read_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_manage_user_home_content_dirs(dovecot_t)
-userdom_manage_user_home_content_files(dovecot_t)
-userdom_manage_user_home_content_symlinks(dovecot_t)
-userdom_manage_user_home_content_pipes(dovecot_t)
-userdom_manage_user_home_content_sockets(dovecot_t)
-userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
 
 mta_manage_spool(dovecot_t)
 
+mta_manage_mail_home(dovecot_t)
+mta_user_home_filetrans_mail_home(dovecot_t)
+
 optional_policy(`
 	kerberos_keytab_template(dovecot, dovecot_t)
 ')
@@ -255,13 +252,6 @@ files_search_tmp(dovecot_deliver_t)
 
 fs_getattr_all_fs(dovecot_deliver_t)
 
-userdom_manage_user_home_content_dirs(dovecot_deliver_t)
-userdom_manage_user_home_content_files(dovecot_deliver_t)
-userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
-userdom_manage_user_home_content_pipes(dovecot_deliver_t)
-userdom_manage_user_home_content_sockets(dovecot_deliver_t)
-userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(dovecot_t)
 	fs_manage_nfs_symlinks(dovecot_t)
@@ -274,4 +264,6 @@ tunable_policy(`use_samba_home_dirs',`
 
 optional_policy(`
 	mta_manage_spool(dovecot_deliver_t)
+	mta_manage_mail_home(dovecot_deliver_t)
+	mta_user_home_filetrans_mail_home(dovecot_deliver_t)
 ')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index fccf3f8..1d6660a 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -130,6 +130,10 @@ mta_read_config(exim_t)
 mta_manage_spool(exim_t)
 mta_mailserver_delivery(exim_t)
 
+# Not sure about this but makes sense.
+mta_manage_mail_home(exim_t)
+mta_user_home_filetrans_mail_home(exim_t)
+
 tunable_policy(`exim_can_connect_db',`
 	corenet_tcp_connect_mysqld_port(exim_t)
 	corenet_sendrecv_mysqld_client_packets(exim_t)
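Review bot: The comment `# Not sure about this but makes sense.` records doubt rather than a reason, and the two calls under it look redundant. exim_t already calls `mta_mailserver_delivery(exim_t)` two lines above, and mta.te in this patch grants `mta_manage_mail_home` and `mta_user_home_filetrans_mail_home` to `mailserver_delivery`. If that interface assigns the attribute, as its name suggests, drop the added lines; otherwise replace the comment with the concrete need, e.g. `# Deliver to mail home content in user home directories.`. The tunable_policy block at the end continues outside the hunk.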
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 256166a..f39f7f4 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,4 +1,5 @@
 HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
+HOME_DIR/Mail(/.*)?		gen_context(system_u:object_r:mail_home_t,s0)
 
 /bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
@@ -7,9 +8,6 @@ HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
 /etc/mail(/.*)?			gen_context(system_u:object_r:etc_mail_t,s0)
 /etc/mail/aliases	--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/mail/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
-ifdef(`distro_redhat',`
-/etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
-')
 
 /usr/bin/esmtp			-- gen_context(system_u:object_r:sendmail_exec_t,s0)
 
@@ -28,3 +26,8 @@ ifdef(`distro_redhat',`
 /var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.*	gen_context(system_u:object_r:etc_aliases_t,s0)
+/root/\.forward		--	gen_context(system_u:object_r:mail_forward_t,s0)
+')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 44e782e..910f1aa 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -498,6 +498,51 @@ interface(`mta_manage_aliases',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete
+##	dirs, files, pipes, lnk files and
+##	sock files mail home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_manage_mail_home',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	manage_dirs_pattern($1, mail_home_t, mail_home_t)
+	manage_files_pattern($1, mail_home_t, mail_home_t)
+	manage_lnk_files_pattern($1, mail_home_t, mail_home_t)
+	manage_sock_files_pattern($1, mail_home_t, mail_home_t)
+	manage_fifo_files_pattern($1, mail_home_t, mail_home_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	mail home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_manage_mail_home_files',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	manage_files_pattern($1, mail_home_t, mail_home_t)
+')
+
+########################################
+## <summary>
 ##	Type transition files created in /etc
 ##	to the mail address aliases type.
 ## </summary>
@@ -517,6 +562,47 @@ interface(`mta_etc_filetrans_aliases',`
 
 ########################################
 ## <summary>
+##	Type transition dirs, files, pipes
+##	lnk files and sock files created in
+##	user home directories to the mail
+##	home type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_user_home_filetrans_mail_home',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	userdom_user_home_content_filetrans($1, mail_home_t, { dir file fifo_file lnk_file sock_file })
+')
+
+########################################
+## <summary>
+##	Type transition files created in
+##	user home directories to the mail
+##	home type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_user_home_filetrans_mail_home_files',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	userdom_user_home_content_filetrans($1, mail_home_t, file)
+')
+
+########################################
+## <summary>
 ##	Read and write mail aliases.
 ## </summary>
 ## <param name="domain">
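Review bot: Both new interfaces call `userdom_user_home_content_filetrans`, which, as far as I recall from userdomain.if, applies the transition to objects created inside user home content directories rather than in the home directory itself. The callers they replace used `userdom_user_home_dir_filetrans_user_home_content`. If that reading is right, a `~/Mail` or `~/dead.letter` created at the top of the home directory would not get mail_home_t, and the summary text ("created in user home directories") would not match the rule. Consider `userdom_user_home_dir_filetrans($1, mail_home_t, { dir file fifo_file lnk_file sock_file })` here and the `file` form in `mta_user_home_filetrans_mail_home_files`. The summary block that closes the hunk belongs to an interface that continues outside it.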
@@ -860,3 +946,87 @@ interface(`mta_rw_user_mail_stream_sockets',`
 
 	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
 ')
+
+########################################
+## <summary>
+##	Read mail home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_read_mail_home',`
+	gen_require(`
+		type procmail_home_t;
+	')
+
+	search_dirs_pattern($1, mail_home_t, mail_home_t)
+	read_fifo_files_pattern($1, mail_home_t, mail_home_t)
+	read_files_pattern($1, mail_home_t, mail_home_t)
+	read_lnk_files_pattern($1, mail_home_t, mail_home_t)
+	read_sock_files_pattern($1, mail_home_t, mail_home_t)
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Relabel mail home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_relabel_mail_home',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	relabel_dirs_pattern($1, mail_home_t, mail_home_t)
+	relabel_fifo_files_pattern($1, mail_home_t, mail_home_t)
+	relabel_files_pattern($1, mail_home_t, mail_home_t)
+	relabel_lnk_files_pattern($1, mail_home_t, mail_home_t)
+	relabel_sock_files_pattern($1, mail_home_t, mail_home_t)
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Read mail home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_read_mail_home_files',`
+	gen_require(`
+		type procmail_home_t;
+	')
+
+	allow $1 mail_home_t:file read_file_perms;
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Relabel mail home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_relabel_mail_home_files',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	allow $1 mail_home_t:file relabel_file_perms;
+	userdom_search_user_home_dirs($1)
+')
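Review bot: `mta_read_mail_home` and `mta_read_mail_home_files` put `type procmail_home_t;` in gen_require, yet every rule in them references mail_home_t. The type they actually use is never required, and the mta module picks up a dependency on a procmail type. Change both to `type mail_home_t;`, as the relabel interfaces beside them already have. `mta_read_mail_home_files` also uses a bare `allow $1 mail_home_t:file read_file_perms;`, which grants no search on mail_home_t directories; `read_files_pattern($1, mail_home_t, mail_home_t)` would be consistent with `mta_read_mail_home`.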
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 797d86b..bab7d6f 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -44,6 +44,10 @@ typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
 ubac_constrained(user_mail_t)
 ubac_constrained(user_mail_tmp_t)
 
+# postfix, sendmail, exim, qmail, procmail, courier
+type mail_home_t;
+userdom_user_home_content(mail_home_t)
+
 ########################################
 #
 # System mail local policy
@@ -256,16 +260,12 @@ userdom_use_user_terminals(user_mail_t)
 # Write to the user domain tty. cjp: why?
 userdom_use_user_terminals(mta_user_agent)
 # Create dead.letter in user home directories.
-userdom_manage_user_home_content_files(user_mail_t)
-userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
+mta_manage_mail_home_files(user_mail_t)
+mta_user_home_filetrans_mail_home_files(user_mail_t)
 # for reading .forward - maybe we need a new type for it?
 # also for delivering mail to maildir
-userdom_manage_user_home_content_dirs(mailserver_delivery)
-userdom_manage_user_home_content_files(mailserver_delivery)
-userdom_manage_user_home_content_symlinks(mailserver_delivery)
-userdom_manage_user_home_content_pipes(mailserver_delivery)
-userdom_manage_user_home_content_sockets(mailserver_delivery)
-userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+mta_manage_mail_home(mailserver_delivery)
+mta_user_home_filetrans_mail_home(mailserver_delivery)
 # Read user temporary files.
 userdom_read_user_tmp_files(user_mail_t)
 userdom_dontaudit_append_user_tmp_files(user_mail_t)
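Review bot: dead.letter gets no file context entry. user_mail_t now creates it as mail_home_t through the type transition, but mta.fc labels only `HOME_DIR/Mail(/.*)?` and `HOME_DIR/\.forward`. A relabel of the home directory would reset dead.letter to the default home content type, and user_mail_t, which loses `userdom_manage_user_home_content_files` here, could not write it again. Consider adding `HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)` to mta.fc. The retained comment `# for reading .forward - maybe we need a new type for it?` is also out of date, since mta.fc already labels .forward as mail_forward_t.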
diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
index 1343621..69d6180 100644
--- a/policy/modules/services/procmail.fc
+++ b/policy/modules/services/procmail.fc
@@ -1,5 +1,11 @@
+HOME_DIR/\.procmailrc		--	gen_context(system_u:object_r:procmail_home_t,s0)
 
-/usr/bin/procmail	--	gen_context(system_u:object_r:procmail_exec_t,s0)
+/usr/bin/procmail			--	gen_context(system_u:object_r:procmail_exec_t,s0)
+
+/var/log/procmail\.log.*	--	gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)?			gen_context(system_u:object_r:procmail_log_t,s0) 
+
+ifdef(`distro_redhat',`
+/root/\.procmailrc			--	gen_context(system_u:object_r:procmail_home_t,s0)
+')
 
-/var/log/procmail\.log.* --	gen_context(system_u:object_r:procmail_log_t,s0)
-/var/log/procmail(/.*)?		gen_context(system_u:object_r:procmail_log_t,s0) 
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
index f68e025..20580d3 100644
--- a/policy/modules/services/procmail.if
+++ b/policy/modules/services/procmail.if
@@ -77,3 +77,64 @@ interface(`procmail_rw_tmp_files',`
 	files_search_tmp($1)
 	rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
 ')
+
+########################################
+## <summary>
+##	Read procmail user home content
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_read_user_content_files',`
+	gen_require(`
+		type procmail_home_t;
+	')
+
+	allow $1 procmail_home_t:file read_file_perms;
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	procmail home content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_manage_user_content_files',`
+	gen_require(`
+		type procmail_home_t;
+	')
+
+	allow $1 procmail_home_t:file manage_file_perms;
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Relabel procmail user home content
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_relabel_user_content_files',`
+	gen_require(`
+		type procmail_home_t;
+	')
+
+	allow $1 procmail_home_t:file relabel_file_perms;
+	userdom_search_user_home_dirs($1)
+')
+
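Review bot: The three summaries say "procmail user home content files" without naming what procmail_home_t holds. procmail.fc in this patch assigns that type to `.procmailrc`, the file that decides what procmail does with each delivered message. Whoever grants the manage or relabel interface should be able to see that from the documentation. A summary such as `##	Create, read, write, and delete procmail configuration files (~/.procmailrc) in user home directories.` would make that explicit. The hunk also ends by adding a blank line at end of file, which can be dropped.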
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index a51bbf6..ff1470a 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -11,6 +11,9 @@ type procmail_exec_t;
 application_domain(procmail_t, procmail_exec_t)
 role system_r types procmail_t;
 
+type procmail_home_t;
+userdom_user_home_content(procmail_home_t)
+
 type procmail_log_t;
 logging_log_file(procmail_log_t) 
 
@@ -32,6 +35,8 @@ allow procmail_t self:udp_socket create_socket_perms;
 
 can_exec(procmail_t, procmail_exec_t)
 
+procmail_read_user_content_files(procmail_t)
+
 # Write log to /var/log/procmail.log or /var/log/procmail/.*
 allow procmail_t procmail_log_t:dir setattr;
 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -81,12 +86,8 @@ logging_send_syslog_msg(procmail_t)
 miscfiles_read_localization(procmail_t)
 
 # only works until we define a different type for maildir
-userdom_manage_user_home_content_dirs(procmail_t)
-userdom_manage_user_home_content_files(procmail_t)
-userdom_manage_user_home_content_symlinks(procmail_t)
-userdom_manage_user_home_content_pipes(procmail_t)
-userdom_manage_user_home_content_sockets(procmail_t)
-userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
+mta_manage_mail_home(procmail_t)
+mta_user_home_filetrans_mail_home(procmail_t)
 
 # Do not audit attempts to access /root.
 userdom_dontaudit_search_user_home_dirs(procmail_t)
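Review bot: The retained comment `# only works until we define a different type for maildir` is stale, because this patch defines mail_home_t and the two calls under the comment already use it. Replace it with a statement of what the calls grant, e.g. `# Deliver mail to mail home content (mail_home_t).`.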
-- 
1.7.0.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100405/d5a66725/attachment.bin 
