* [refpolicy] [PATCH v2 0/3] Introduce mutt policy
@ 2011-10-03 20:02 Sven Vermeulen
2011-10-03 20:03 ` [refpolicy] [PATCH v2 1/3] Initial policy for the mutt e-mail client Sven Vermeulen
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Sven Vermeulen @ 2011-10-03 20:02 UTC (permalink / raw)
To: refpolicy
Please find in the following e-mails an initial policy for the mutt
application (terminal e-mail client). The set of mails contains:
- the mutt definition (.te, .if, .fc)
- adding mutt_role to unprivuser, staff and sysadm
- update gpg.te to grant it rw access to mutt's tmp files
Wrt to the previous attempt, the patch tackled most of the received comments
(only the introduction of mutt_gpg_t as in Dominick's definition is withheld
since I can't test it out here).
Wkr,
Sven Vermeulen
^ permalink raw reply [flat|nested] 7+ messages in thread* [refpolicy] [PATCH v2 1/3] Initial policy for the mutt e-mail client 2011-10-03 20:02 [refpolicy] [PATCH v2 0/3] Introduce mutt policy Sven Vermeulen @ 2011-10-03 20:03 ` Sven Vermeulen 2011-10-28 13:43 ` Christopher J. PeBenito 2011-10-03 20:03 ` [refpolicy] [PATCH v2 2/3] Allow gpg to read/write mutt e-mail files (for signing) Sven Vermeulen 2011-10-03 20:04 ` [refpolicy] [PATCH v2 3/3] Allow users, staff and sysadm to use mutt Sven Vermeulen 2 siblings, 1 reply; 7+ messages in thread From: Sven Vermeulen @ 2011-10-03 20:03 UTC (permalink / raw) To: refpolicy The mutt e-mail client is a terminal-based e-mail client. It is rich in features (with many additional feature-patches lurking on the internet) so it is assumed that this policy will grow in the future. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- mutt.fc | 10 ++++++ mutt.if | 68 ++++++++++++++++++++++++++++++++++++++++++ mutt.te | 100 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 178 insertions(+), 0 deletions(-) create mode 100644 mutt.fc create mode 100644 mutt.if create mode 100644 mutt.te diff --git a/mutt.fc b/mutt.fc new file mode 100644 index 0000000..9d64529 --- /dev/null +++ b/mutt.fc @@ -0,0 +1,10 @@ +HOME_DIR/\.mutt(/.*)? gen_context(system_u:object_r:mutt_home_t,s0) +HOME_DIR/\.muttrc -- gen_context(system_u:object_r:mutt_conf_t,s0) +HOME_DIR/\.mutt_cache -- gen_context(system_u:object_r:mutt_home_t,s0) +HOME_DIR/\.mutt_certificates -- gen_context(system_u:object_r:mutt_home_t,s0) + +/etc/Muttrc -- gen_context(system_u:object_r:mutt_etc_t,s0) +/etc/Muttrc\.local -- gen_context(system_u:object_r:mutt_etc_t,s0) +/etc/mutt(/.*)? gen_context(system_u:object_r:mutt_etc_t,s0) + +/usr/bin/mutt -- gen_context(system_u:object_r:mutt_exec_t,s0) diff --git a/mutt.if b/mutt.if new file mode 100644 index 0000000..59f96e7 --- /dev/null +++ b/mutt.if 
@@ -0,0 +1,68 @@ +## <summary>Mutt e-mail client</summary> + +####################################### +## <summary> +## The role for using the mutt application. +## </summary> +## <param name="role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## The user domain. +## </summary> +## </param> +# +interface(`mutt_role',` + gen_require(` + type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t; + type mutt_tmp_t; + ') + + role $1 types mutt_t; + + domtrans_pattern($2, mutt_exec_t, mutt_t) + + allow $2 mutt_t:process { ptrace signal_perms }; + + manage_dirs_pattern($2, mutt_home_t, mutt_home_t) + manage_files_pattern($2, mutt_home_t, mutt_home_t) + + manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t) + manage_files_pattern($2, mutt_conf_t, mutt_conf_t) + + relabel_dirs_pattern($2, mutt_home_t, mutt_home_t) + relabel_files_pattern($2, mutt_home_t, mutt_home_t) + + relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t) + relabel_files_pattern($2, mutt_conf_t, mutt_conf_t) + + relabel_dirs_pattern($2, mutt_tmp_t, mutt_tmp_t) + relabel_files_pattern($2, mutt_tmp_t, mutt_tmp_t) + + ps_process_pattern($2, mutt_t) +') + +####################################### +## <summary> +## Allow other domains to handle mutt's temporary files (used for instance +## for e-mail drafts) +## </summary> +## <param name="domain"> +## <summary> +## The domain that is allowed read/write access to the temporary files +## </summary> +## </param> +# +interface(`mutt_rw_tmp_files',` + gen_require(` + type mutt_tmp_t; + ') + + # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well + allow $1 mutt_tmp_t:dir search_dir_perms; + allow $1 mutt_tmp_t:file { read write }; + files_search_tmp($1) +') diff --git a/mutt.te b/mutt.te new file mode 100644 index 0000000..60faae9 --- /dev/null +++ b/mutt.te 
@@ -0,0 +1,100 @@ +policy_module(mutt, 1.0.0) + +############################ +# +# Declarations +# + +## <desc> +## <p> +## Be able to manage user files (needed to support attachment handling) +## </p> +## </desc> +gen_tunable(mutt_manage_user_content, false) + +type mutt_t; +type mutt_exec_t; +application_domain(mutt_t, mutt_exec_t) +ubac_constrained(mutt_t) + +type mutt_conf_t; +userdom_user_home_content(mutt_conf_t) + +type mutt_etc_t; +files_config_file(mutt_etc_t) + +type mutt_home_t; +userdom_user_home_content(mutt_home_t) + +type mutt_tmp_t; +files_tmp_file(mutt_tmp_t) +ubac_constrained(mutt_tmp_t) + +############################ +# +# Local Policy Rules +# + +allow mutt_t self:process signal_perms; +allow mutt_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t) +manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t) +userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, { dir file }) + +manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t) +manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t) +files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir }) + +read_files_pattern(mutt_t, mutt_etc_t, mutt_etc_t) + +read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t) + + +kernel_read_system_state(mutt_t) + +corecmd_exec_bin(mutt_t) +corecmd_exec_shell(mutt_t) + +corenet_all_recvfrom_netlabel(mutt_t) +corenet_all_recvfrom_unlabeled(mutt_t) +corenet_sendrecv_pop_client_packets(mutt_t) +corenet_sendrecv_smtp_client_packets(mutt_t) +corenet_tcp_bind_generic_node(mutt_t) +corenet_tcp_connect_pop_port(mutt_t) +corenet_tcp_connect_smtp_port(mutt_t) +corenet_tcp_sendrecv_generic_if(mutt_t) +corenet_tcp_sendrecv_generic_node(mutt_t) +corenet_tcp_sendrecv_pop_port(mutt_t) +corenet_tcp_sendrecv_smtp_port(mutt_t) + +dev_read_rand(mutt_t) +dev_read_urand(mutt_t) + +domain_use_interactive_fds(mutt_t) + +files_read_usr_files(mutt_t) + + +auth_use_nsswitch(mutt_t) + +miscfiles_read_localization(mutt_t) + +userdom_manage_xdg_cache_home(mutt_t) 
+userdom_read_xdg_config_home(mutt_t) +userdom_search_user_home_content(mutt_t) +userdom_use_user_terminals(mutt_t) + +optional_policy(` + gpg_domtrans(mutt_t) +') + +tunable_policy(`mutt_manage_user_content',` + # Needed for handling attachments + userdom_manage_user_home_content_files(mutt_t) + userdom_manage_user_home_content_dirs(mutt_t) +') + +tunable_policy(`gentoo_try_dontaudit',` + kernel_dontaudit_search_sysctl(mutt_t) +') -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
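Review bot: in the mutt.fc hunk, `HOME_DIR/\.mutt(/.*)?` is labelled mutt_home_t while `HOME_DIR/\.muttrc` is labelled mutt_conf_t, yet mutt.te grants mutt_t manage_files_pattern on mutt_home_t and only read_files_pattern on mutt_conf_t, so a muttrc kept under ~/.mutt/ is writable by mutt_t whereas ~/.muttrc is not; either add a mutt_conf_t entry for the config files under ~/.mutt/ or document why the two locations are treated differently. The same question applies to `HOME_DIR/\.mutt_certificates`: labelled mutt_home_t, the accepted-certificate store is writable by every domain with manage rights on mutt_home_t (mutt_t itself and, through mutt_role, the user domain), so a dedicated type or at least a comment explaining that choice would help.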
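Review bot: in the mutt.if hunk, the comment above `allow $1 mutt_tmp_t:file { read write };` in mutt_rw_tmp_files says rw_files_pattern "is not needed" but never states the intent; if the point is that the caller only works on a descriptor inherited from mutt_t, say so, since that is what justifies leaving out `open`, and in that case `allow $1 mutt_tmp_t:dir search_dir_perms;` and `files_search_tmp($1)` are unnecessary too, whereas if the caller must open the file by path, `open` is required and rw_files_pattern is the right call. Also in mutt_role, `mutt_etc_t` is listed in gen_require but never used in the body, and manage_dirs_pattern/relabel_dirs_pattern on mutt_conf_t have no matching directory in mutt.fc (the only mutt_conf_t entry is the `--` file `HOME_DIR/\.muttrc`).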
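Review bot: in the mutt.te hunk, `tunable_policy(`gentoo_try_dontaudit',` references a tunable that no file in this series declares, so the module cannot build as submitted; drop that block. `corenet_tcp_bind_generic_node(mutt_t)` should carry a comment saying why an outbound POP/SMTP client needs bind on the generic node (the rest of the networking block is connect and sendrecv only), or be dropped if it was not added for an observed denial. The `<desc>` for mutt_manage_user_content should state that enabling it gives mutt_t manage access to all user home content files and directories, not only to attachments, since that is what userdom_manage_user_home_content_files and userdom_manage_user_home_content_dirs grant.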
* [refpolicy] [PATCH v2 1/3] Initial policy for the mutt e-mail client 2011-10-03 20:03 ` [refpolicy] [PATCH v2 1/3] Initial policy for the mutt e-mail client Sven Vermeulen @ 2011-10-28 13:43 ` Christopher J. PeBenito 0 siblings, 0 replies; 7+ messages in thread From: Christopher J. PeBenito @ 2011-10-28 13:43 UTC (permalink / raw) To: refpolicy On 10/03/11 16:03, Sven Vermeulen wrote: > diff --git a/mutt.if b/mutt.if > new file mode 100644 > index 0000000..59f96e7 > --- /dev/null > +++ b/mutt.if 
> @@ -0,0 +1,68 @@ > +## <summary>Mutt e-mail client</summary> > + > +####################################### > +## <summary> > +## The role for using the mutt application. > +## </summary> > +## <param name="role"> > +## <summary> > +## The role associated with the user domain. > +## </summary> > +## </param> > +## <param name="domain"> > +## <summary> > +## The user domain. > +## </summary> > +## </param> > +# > +interface(`mutt_role',` > + gen_require(` > + type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t; > + type mutt_tmp_t; > + ') > + > + role $1 types mutt_t; > + > + domtrans_pattern($2, mutt_exec_t, mutt_t) > + > + allow $2 mutt_t:process { ptrace signal_perms }; > + > + manage_dirs_pattern($2, mutt_home_t, mutt_home_t) > + manage_files_pattern($2, mutt_home_t, mutt_home_t) > + > + manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t) > + manage_files_pattern($2, mutt_conf_t, mutt_conf_t) > + > + relabel_dirs_pattern($2, mutt_home_t, mutt_home_t) > + relabel_files_pattern($2, mutt_home_t, mutt_home_t) > + > + relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t) > + relabel_files_pattern($2, mutt_conf_t, mutt_conf_t) This should be ordered by the type names, rather than the pattern name. 
> + relabel_dirs_pattern($2, mutt_tmp_t, mutt_tmp_t) > + relabel_files_pattern($2, mutt_tmp_t, mutt_tmp_t) > + > + ps_process_pattern($2, mutt_t) > +') > + > +####################################### > +## <summary> > +## Allow other domains to handle mutt's temporary files (used for instance > +## for e-mail drafts) > +## </summary> > +## <param name="domain"> > +## <summary> > +## The domain that is allowed read/write access to the temporary files > +## </summary> > +## </param> > +# > +interface(`mutt_rw_tmp_files',` > + gen_require(` > + type mutt_tmp_t; > + ') > + > + # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well > + allow $1 mutt_tmp_t:dir search_dir_perms; > + allow $1 mutt_tmp_t:file { read write }; > + files_search_tmp($1) > +') > diff --git a/mutt.te b/mutt.te > new file mode 100644 > index 0000000..60faae9 > --- /dev/null > +++ b/mutt.te 
> @@ -0,0 +1,100 @@ > +policy_module(mutt, 1.0.0) > + > +############################ > +# > +# Declarations > +# > + > +## <desc> > +## <p> > +## Be able to manage user files (needed to support attachment handling) > +## </p> > +## </desc> > +gen_tunable(mutt_manage_user_content, false) > + > +type mutt_t; > +type mutt_exec_t; > +application_domain(mutt_t, mutt_exec_t) > +ubac_constrained(mutt_t) > + > +type mutt_conf_t; > +userdom_user_home_content(mutt_conf_t) > + > +type mutt_etc_t; > +files_config_file(mutt_etc_t) > + > +type mutt_home_t; > +userdom_user_home_content(mutt_home_t) > + > +type mutt_tmp_t; > +files_tmp_file(mutt_tmp_t) > +ubac_constrained(mutt_tmp_t) I put in a new userdom interface that replaces the above two calls. > +############################ > +# > +# Local Policy Rules > +# > + > +allow mutt_t self:process signal_perms; > +allow mutt_t self:fifo_file rw_fifo_file_perms; > + > +manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t) > +manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t) > +userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, { dir file }) > + > +manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t) > +manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t) > +files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir }) > + > +read_files_pattern(mutt_t, mutt_etc_t, mutt_etc_t) > + > +read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t) > + > + Extra whitespace, and out of order rules above. 
> +kernel_read_system_state(mutt_t) > + > +corecmd_exec_bin(mutt_t) > +corecmd_exec_shell(mutt_t) > + > +corenet_all_recvfrom_netlabel(mutt_t) > +corenet_all_recvfrom_unlabeled(mutt_t) > +corenet_sendrecv_pop_client_packets(mutt_t) > +corenet_sendrecv_smtp_client_packets(mutt_t) > +corenet_tcp_bind_generic_node(mutt_t) > +corenet_tcp_connect_pop_port(mutt_t) > +corenet_tcp_connect_smtp_port(mutt_t) > +corenet_tcp_sendrecv_generic_if(mutt_t) > +corenet_tcp_sendrecv_generic_node(mutt_t) > +corenet_tcp_sendrecv_pop_port(mutt_t) > +corenet_tcp_sendrecv_smtp_port(mutt_t) > + > +dev_read_rand(mutt_t) > +dev_read_urand(mutt_t) > + > +domain_use_interactive_fds(mutt_t) > + > +files_read_usr_files(mutt_t) > + > + > +auth_use_nsswitch(mutt_t) > + > +miscfiles_read_localization(mutt_t) > + > +userdom_manage_xdg_cache_home(mutt_t) > +userdom_read_xdg_config_home(mutt_t) > +userdom_search_user_home_content(mutt_t) > +userdom_use_user_terminals(mutt_t) > + > +optional_policy(` > + gpg_domtrans(mutt_t) > +') > + > +tunable_policy(`mutt_manage_user_content',` > + # Needed for handling attachments > + userdom_manage_user_home_content_files(mutt_t) > + userdom_manage_user_home_content_dirs(mutt_t) > +') > + > +tunable_policy(`gentoo_try_dontaudit',` > + kernel_dontaudit_search_sysctl(mutt_t) > +') Please remove the test rules. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH v2 2/3] Allow gpg to read/write mutt e-mail files (for signing) 2011-10-03 20:02 [refpolicy] [PATCH v2 0/3] Introduce mutt policy Sven Vermeulen 2011-10-03 20:03 ` [refpolicy] [PATCH v2 1/3] Initial policy for the mutt e-mail client Sven Vermeulen @ 2011-10-03 20:03 ` Sven Vermeulen 2011-10-03 20:04 ` [refpolicy] [PATCH v2 3/3] Allow users, staff and sysadm to use mutt Sven Vermeulen 2 siblings, 0 replies; 7+ messages in thread From: Sven Vermeulen @ 2011-10-03 20:03 UTC (permalink / raw) To: refpolicy The mutt e-mail files are stored as mutt_tmp_t. As such, gpg needs to be able to read/write to mutt_tmp_t. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- gpg.te | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/gpg.te b/gpg.te index ebd6791..898bc21 100644 --- a/gpg.te +++ b/gpg.te @@ -147,6 +147,10 @@ optional_policy(` ') optional_policy(` + mutt_rw_tmp_files(gpg_t) +') + +optional_policy(` xserver_use_xdm_fds(gpg_t) xserver_rw_xdm_pipes(gpg_t) ') -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
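Review bot: the commit message says gpg "needs to be able to read/write to mutt_tmp_t", but mutt_rw_tmp_files (mutt.if in 1/3) grants `read write` without `open`, so gpg_t can only act on a descriptor that mutt_t has already opened and handed over; the message should say that this is the intended model, since it is what keeps gpg_t from opening other drafts under /tmp on its own. The placement of the new optional_policy block before the xserver one keeps the alphabetical order, which is fine.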
* [refpolicy] [PATCH v2 3/3] Allow users, staff and sysadm to use mutt 2011-10-03 20:02 [refpolicy] [PATCH v2 0/3] Introduce mutt policy Sven Vermeulen 2011-10-03 20:03 ` [refpolicy] [PATCH v2 1/3] Initial policy for the mutt e-mail client Sven Vermeulen 2011-10-03 20:03 ` [refpolicy] [PATCH v2 2/3] Allow gpg to read/write mutt e-mail files (for signing) Sven Vermeulen @ 2011-10-03 20:04 ` Sven Vermeulen 2011-10-28 13:38 ` Christopher J. PeBenito 2 siblings, 1 reply; 7+ messages in thread From: Sven Vermeulen @ 2011-10-03 20:04 UTC (permalink / raw) To: refpolicy Allow the end user domains to use the mutt application. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/roles/staff.te | 4 ++++ policy/modules/roles/sysadm.te | 4 ++++ policy/modules/roles/unprivuser.te | 4 ++++ 3 files changed, 12 insertions(+), 0 deletions(-) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index c10c3d6..8f0f92f 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -129,6 +129,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + mutt_role(staff_r, staff_t) + ') + + optional_policy(` pyzor_role(staff_r, staff_t) ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 954417f..edee69a 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -461,5 +461,9 @@ ifndef(`distro_redhat',` optional_policy(` java_role(sysadm_r, sysadm_t) ') + + optional_policy(` + mutt_role(sysadm_r, sysadm_t) + ') ') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index c576b6c..ba76cb7 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -106,6 +106,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + mutt_role(user_r, user_t) + ') + + optional_policy(` postgresql_role(user_r, user_t) ') -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 7+ messages in thread
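Review bot: the commit message "Allow the end user domains to use the mutt application" undersells what the staff.te, sysadm.te and unprivuser.te hunks grant: per mutt.if in 1/3, mutt_role gives each of staff_t, sysadm_t and user_t a domain transition to mutt_t plus `ptrace` and signal_perms on it, and manage and relabel rights over mutt_home_t, mutt_conf_t and mutt_tmp_t; spell that scope out in the message so a reader of the role files does not have to open the interface. For the sysadm.te hunk, sysadm_r is not an end user role, so the change also contradicts its own description.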
* [refpolicy] [PATCH v2 3/3] Allow users, staff and sysadm to use mutt 2011-10-03 20:04 ` [refpolicy] [PATCH v2 3/3] Allow users, staff and sysadm to use mutt Sven Vermeulen @ 2011-10-28 13:38 ` Christopher J. PeBenito 2011-10-28 16:30 ` Sven Vermeulen 0 siblings, 1 reply; 7+ messages in thread From: Christopher J. PeBenito @ 2011-10-28 13:38 UTC (permalink / raw) To: refpolicy On 10/03/11 16:04, Sven Vermeulen wrote: > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 954417f..edee69a 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -461,5 +461,9 @@ ifndef(`distro_redhat',` > optional_policy(` > java_role(sysadm_r, sysadm_t) > ') > + > + optional_policy(` > + mutt_role(sysadm_r, sysadm_t) > + ') > ') Does sysadm really need this? They should be using their staff role for that. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH v2 3/3] Allow users, staff and sysadm to use mutt 2011-10-28 13:38 ` Christopher J. PeBenito @ 2011-10-28 16:30 ` Sven Vermeulen 0 siblings, 0 replies; 7+ messages in thread From: Sven Vermeulen @ 2011-10-28 16:30 UTC (permalink / raw) To: refpolicy On Fri, Oct 28, 2011 at 09:38:19AM -0400, Christopher J. PeBenito wrote: > On 10/03/11 16:04, Sven Vermeulen wrote: > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > > index 954417f..edee69a 100644 > > --- a/policy/modules/roles/sysadm.te > > +++ b/policy/modules/roles/sysadm.te > > @@ -461,5 +461,9 @@ ifndef(`distro_redhat',` > > optional_policy(` > > java_role(sysadm_r, sysadm_t) > > ') > > + > > + optional_policy(` > > + mutt_role(sysadm_r, sysadm_t) > > + ') > > ') > > Does sysadm really need this? They should be using their staff role for that. Need? Perhaps not (or not in a reference policy). I "need" it when I log on as root directly (which here means the SELinux root user which is immediately on the sysadm_r role) and need to read the local (system-generated) mails. But I might be just too lazy to newrole here towards staff_r. I'll drop it from the patch set. Wkr, Sven Vermeulen ^ permalink raw reply [flat|nested] 7+ messages in thread