From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/3] Initial policy for the mutt e-mail client
Date: Tue, 16 Aug 2011 14:11:18 -0400
Message-ID: <4E4AB2C6.6060506@tresys.com>
In-Reply-To: <20110813185621.GB18948@siphos.be>
On 8/13/2011 2:56 PM, Sven Vermeulen wrote:
> The mutt e-mail client is a terminal-based e-mail client. This is a first
> policy in an effort to support mutt within its own domain.
In general it looks good; there are a couple comments below.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/apps/mutt.fc | 6 +++
> policy/modules/apps/mutt.if | 76 ++++++++++++++++++++++++++++++++++++++++++
> policy/modules/apps/mutt.te | 77 +++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 159 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/apps/mutt.fc
> create mode 100644 policy/modules/apps/mutt.if
> create mode 100644 policy/modules/apps/mutt.te
>
> diff --git a/policy/modules/apps/mutt.fc b/policy/modules/apps/mutt.fc
> new file mode 100644
> index 0000000..847f1a8
> --- /dev/null
> +++ b/policy/modules/apps/mutt.fc
> @@ -0,0 +1,6 @@
> +HOME_DIR/\.mutt(/.*)? gen_context(system_u:object_r:mutt_home_t,s0)
> +HOME_DIR/\.muttrc -- gen_context(system_u:object_r:mutt_conf_t,s0)
> +
> +/etc/mutt(/.*)? gen_context(system_u:object_r:mutt_sys_conf_t,s0)
> +
> +/usr/bin/mutt -- gen_context(system_u:object_r:mutt_exec_t,s0)
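Review bot: the conf/home split in this file context only covers one of mutt's rc locations. Only `HOME_DIR/\.muttrc` gets mutt_conf_t; a configuration kept at `~/.mutt/muttrc` is matched by the `HOME_DIR/\.mutt(/.*)?` entry and labelled mutt_home_t instead, so the same file ends up with a different type depending on where the user keeps it, and any rule that distinguishes the two types (the read-only access to mutt_conf_t in mutt.te versus full manage on mutt_home_t) silently behaves differently. If the distinction is meant to matter, add an entry for the in-directory rc file, placed after the directory entry so that it takes precedence: `HOME_DIR/\.mutt/muttrc -- gen_context(system_u:object_r:mutt_conf_t,s0)`.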
> diff --git a/policy/modules/apps/mutt.if b/policy/modules/apps/mutt.if
> new file mode 100644
> index 0000000..3756720
> --- /dev/null
> +++ b/policy/modules/apps/mutt.if
> @@ -0,0 +1,76 @@
> +##<summary>Mutt e-mail client</summary>
> +
> +#######################################
> +##<summary>
> +## The role for the mutt application.
> +##</summary>
> +##<param name="user_role">
> +##<summary>
> +## The role associated with the user domain.
> +##</summary>
> +##</param>
> +##<param name="user_domain">
> +##<summary>
> +## The type of the user domain.
> +##</summary>
> +##</param>
> +#
> +interface(`mutt_role',`
> + gen_require(`
> + type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_sys_conf_t;
> + type mutt_tmp_t;
> + ')
> +
> + #######################################
> + #
> + # Declarations
> + #
> +
> + role $1 types mutt_t;
> +
> + ############################
> + #
> + # Policy
> + #
> +
> + manage_dirs_pattern($2, mutt_home_t, mutt_home_t)
> + manage_files_pattern($2, mutt_home_t, mutt_home_t)
> +
> + manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
> + manage_files_pattern($2, mutt_conf_t, mutt_conf_t)
> +
> + relabel_dirs_pattern($2, mutt_home_t, mutt_home_t)
> + relabel_files_pattern($2, mutt_home_t, mutt_home_t)
> +
> + relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
> + relabel_files_pattern($2, mutt_conf_t, mutt_conf_t)
> +
> + domtrans_pattern($2, mutt_exec_t, mutt_t)
> +
> + allow $2 mutt_t:process signal;
> + ps_process_pattern($2, mutt_t)
> +')
> +
> +#######################################
> +##<summary>
> +## Allow other domains to read/write mutt's temporary files (used for instance
> +## for e-mail drafts)
> +##</summary>
> +##<param name="target_domain">
I'd prefer to keep this as "domain", for consistency, since there isn't
something like a "source_domain" parameter.
> +##<summary>
> +## The type of the target domain that is allowed access.
"Domain allowed access."
> +##</summary>
> +##</param>
> +#
> +interface(`mutt_rw_tmp_files',`
> + gen_require(`
> + type mutt_tmp_t;
> + ')
> +
> + ############################
> + #
> + # Policy
> + #
No need for this comment block.
> + rw_files_pattern($1, mutt_tmp_t, mutt_tmp_t)
> +')
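Review bot: the gen_require block of mutt_role pulls in `mutt_sys_conf_t` and `mutt_tmp_t`, but neither type is referenced anywhere in the body (only mutt_t, mutt_exec_t, mutt_home_t and mutt_conf_t are used), so those two declarations should be dropped from the require. The "Declarations" and "Policy" comment banners inside mutt_role are also not the convention for interface bodies in this tree, as already noted for mutt_rw_tmp_files, and the manage/relabel rules on mutt_conf_t dirs grant more than the .fc needs, since `HOME_DIR/\.muttrc` is declared as a plain file (`--`) and no mutt_conf_t directory exists.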
> diff --git a/policy/modules/apps/mutt.te b/policy/modules/apps/mutt.te
> new file mode 100644
> index 0000000..2aef456
> --- /dev/null
> +++ b/policy/modules/apps/mutt.te
> @@ -0,0 +1,77 @@
> +policy_module(mutt, 1.0.0)
> +
> +############################
> +#
> +# Declarations
> +#
> +
> +type mutt_t;
> +type mutt_exec_t;
> +application_domain(mutt_t, mutt_exec_t)
> +ubac_constrained(mutt_t)
> +
> +type mutt_conf_t;
> +userdom_user_home_content(mutt_conf_t)
> +
> +type mutt_home_t;
> +userdom_user_home_content(mutt_home_t)
> +
> +type mutt_sys_conf_t;
> +files_type(mutt_sys_conf_t)
files_config_file() seems more appropriate.
> +type mutt_tmp_t;
> +files_tmp_file(mutt_tmp_t)
> +ubac_constrained(mutt_tmp_t)
> +
> +############################
> +#
> +# Local Policy Rules
> +#
> +
> +allow mutt_t self:process signal_perms;
> +allow mutt_t self:fifo_file { getattr read write };
> +
> +manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t)
> +manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t)
> +userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, dir)
> +
> +manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +manage_fifo_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir })
> +files_search_tmp(mutt_t)
This shouldn't be necessary due to the files_tmp_filetrans().
> +
> +read_files_pattern(mutt_t, mutt_sys_conf_t, mutt_sys_conf_t)
> +read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)
Excessive permissions since there are no mutt_conf_t dirs. A raw allow
rule for reading the file should be sufficient.
> +search_dirs_pattern(mutt_t, mutt_sys_conf_t, mutt_sys_conf_t)
This shouldn't be necessary due to the read_files_pattern(mutt_t,
mutt_sys_conf_t, mutt_sys_conf_t).
> +
> +
> +corecmd_exec_bin(mutt_t)
> +corecmd_exec_shell(mutt_t)
> +
> +corenet_sendrecv_pop_client_packets(mutt_t)
> +corenet_sendrecv_smtp_client_packets(mutt_t)
> +corenet_tcp_connect_pop_port(mutt_t)
> +corenet_tcp_connect_smtp_port(mutt_t)
> +
> +dev_read_rand(mutt_t)
> +dev_read_urand(mutt_t)
> +
> +domain_use_interactive_fds(mutt_t)
> +
> +files_read_usr_files(mutt_t)
> +
> +
> +auth_use_nsswitch(mutt_t)
> +
> +miscfiles_read_localization(mutt_t)
> +
> +# Allow the user to deal with e-mail attachments
> +userdom_manage_user_home_content_files(mutt_t)
> +userdom_search_user_home_content(mutt_t)
I'd prefer that this be tunable.
> +userdom_use_user_terminals(mutt_t)
> +
> +optional_policy(`
> + gpg_domtrans(mutt_t)
> +')
> +
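Review bot: the `allow mutt_t self:fifo_file { getattr read write };` rule spells out a permission set by hand where the `rw_fifo_file_perms` macro is the convention, and the hand-written set omits `open`, which a read/write on a fifo will need under the open-permission checks. The network rules also look incomplete: `corenet_tcp_connect_pop_port` and `corenet_tcp_connect_smtp_port` are present without the companion rules that other TCP client domains in refpolicy carry (`corenet_all_recvfrom_unlabeled`, `corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node`), so the connect will pass the port check but fail on the interface and node checks. Minor style: there are two runs of double blank lines (after `search_dirs_pattern` and after `files_read_usr_files`), and the "Allow the user to deal with e-mail attachments" comment sits above `userdom_manage_user_home_content_files`, which grants create/write/delete over all user home content rather than just the save location for attachments, which is another reason to make it tunable as suggested above.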
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com