* [refpolicy] [PATCH 0/3] Introduce mutt policy
@ 2011-08-13 18:55 Sven Vermeulen
  2011-08-13 18:56 ` [refpolicy] [PATCH 1/3] Initial policy for the mutt e-mail client Sven Vermeulen
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Sven Vermeulen @ 2011-08-13 18:55 UTC
  To: refpolicy

Please find in the following e-mails an initial policy for the mutt
application (terminal e-mail client). The set of mails is structured as
follows:
	- the mutt definition (.te, .if, .fc)
	- adding mutt_role to unprivuser, staff and sysadm
	- update gpg.te to grant it rw access to mutt's tmp files

Comments are of course always appreciated.

Wkr,
	Sven Vermeulen

* [refpolicy] [PATCH 1/3] Initial policy for the mutt e-mail client
  2011-08-13 18:55 [refpolicy] [PATCH 0/3] Introduce mutt policy Sven Vermeulen
@ 2011-08-13 18:56 ` Sven Vermeulen
  2011-08-16 18:11   ` Christopher J. PeBenito
  2011-08-13 18:57 ` [refpolicy] [PATCH 2/3] Allow users, staff and sysadm to use mutt Sven Vermeulen
  2011-08-13 18:57 ` [refpolicy] [PATCH 3/3] Allow gpg to read/write mutt e-mail files (for signing) Sven Vermeulen
  2 siblings, 1 reply; 5+ messages in thread
From: Sven Vermeulen @ 2011-08-13 18:56 UTC
  To: refpolicy

The mutt e-mail client is a terminal-based e-mail client. This is a first
policy in an effort to support mutt within its own domain.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/apps/mutt.fc |    6 +++
 policy/modules/apps/mutt.if |   76 ++++++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/mutt.te |   77 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 159 insertions(+), 0 deletions(-)
 create mode 100644 policy/modules/apps/mutt.fc
 create mode 100644 policy/modules/apps/mutt.if
 create mode 100644 policy/modules/apps/mutt.te

diff --git a/policy/modules/apps/mutt.fc b/policy/modules/apps/mutt.fc
new file mode 100644
index 0000000..847f1a8
--- /dev/null
+++ b/policy/modules/apps/mutt.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.mutt(/.*)?     gen_context(system_u:object_r:mutt_home_t,s0)
+HOME_DIR/\.muttrc      -- gen_context(system_u:object_r:mutt_conf_t,s0)
+
+/etc/mutt(/.*)?           gen_context(system_u:object_r:mutt_sys_conf_t,s0)
+
+/usr/bin/mutt          -- gen_context(system_u:object_r:mutt_exec_t,s0)
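Review bot: The HOME_DIR/\.muttrc entry only labels the file on a relabel, and nothing else in this patch gives a newly created ~/.muttrc the mutt_conf_t type: the only home transition in mutt.te is userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, dir), and mutt_role adds none for the user domain. A user who writes a fresh ~/.muttrc from the shell keeps whatever label their own domain assigns until restorecon runs, so the commit message or the module documentation should mention the restorecon step.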
diff --git a/policy/modules/apps/mutt.if b/policy/modules/apps/mutt.if
new file mode 100644
index 0000000..3756720
--- /dev/null
+++ b/policy/modules/apps/mutt.if
@@ -0,0 +1,76 @@
+## <summary>Mutt e-mail client</summary>
+
+#######################################
+## <summary>
+##      The role for the mutt application.
+## </summary>
+## <param name="user_role">
+##      <summary>
+##      The role associated with the user domain.
+##      </summary>
+## </param>
+## <param name="user_domain">
+##      <summary>
+##      The type of the user domain.
+##      </summary>
+## </param>
+#
+interface(`mutt_role',`
+	gen_require(`
+		type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_sys_conf_t;
+		type mutt_tmp_t;
+	')
+
+	#######################################
+	#
+	# Declarations
+	#
+	
+	role $1 types mutt_t;
+
+	############################
+	#
+	# Policy
+	#
+
+	manage_dirs_pattern($2, mutt_home_t, mutt_home_t)
+	manage_files_pattern($2, mutt_home_t, mutt_home_t)
+	
+	manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
+	manage_files_pattern($2, mutt_conf_t, mutt_conf_t)
+
+	relabel_dirs_pattern($2, mutt_home_t, mutt_home_t)
+	relabel_files_pattern($2, mutt_home_t, mutt_home_t)
+	
+	relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
+	relabel_files_pattern($2, mutt_conf_t, mutt_conf_t)
+
+	domtrans_pattern($2, mutt_exec_t, mutt_t)
+
+	allow $2 mutt_t:process signal;
+	ps_process_pattern($2, mutt_t)
+')	
+
+#######################################
+## <summary>
+##      Allow other domains to read/write mutt's temporary files (used for instance
+##      for e-mail drafts)
+## </summary>
+## <param name="target_domain">
+##      <summary>
+##      The type of the target domain that is allowed access.
+##      </summary>
+## </param>
+#
+interface(`mutt_rw_tmp_files',`
+	gen_require(`
+		type mutt_tmp_t;
+	')
+
+	############################
+	#
+	# Policy
+	#
+
+	rw_files_pattern($1, mutt_tmp_t, mutt_tmp_t)
+')
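Review bot: In mutt_role, the gen_require block pulls in mutt_sys_conf_t and mutt_tmp_t but the body never references either, and the body applies manage_dirs_pattern and relabel_dirs_pattern to mutt_conf_t even though mutt.fc only labels a regular file (--) with that type. Drop the two unused types from gen_require and the two dirs patterns for mutt_conf_t. If the user domain is meant to inspect or clean up its own drafts, that needs an explicit rule on mutt_tmp_t here; as written the role grants none.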
diff --git a/policy/modules/apps/mutt.te b/policy/modules/apps/mutt.te
new file mode 100644
index 0000000..2aef456
--- /dev/null
+++ b/policy/modules/apps/mutt.te
@@ -0,0 +1,77 @@
+policy_module(mutt, 1.0.0)
+
+############################
+# 
+# Declarations
+# 
+
+type mutt_t;
+type mutt_exec_t;
+application_domain(mutt_t, mutt_exec_t)
+ubac_constrained(mutt_t)
+
+type mutt_conf_t;
+userdom_user_home_content(mutt_conf_t)
+
+type mutt_home_t;
+userdom_user_home_content(mutt_home_t)
+
+type mutt_sys_conf_t;
+files_type(mutt_sys_conf_t)
+
+type mutt_tmp_t;
+files_tmp_file(mutt_tmp_t)
+ubac_constrained(mutt_tmp_t)
+
+############################
+# 
+# Local Policy Rules
+#
+
+allow mutt_t self:process signal_perms;
+allow mutt_t self:fifo_file { getattr read write };
+
+manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t)
+manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t)
+userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, dir)
+
+manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+manage_fifo_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
+files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir })
+files_search_tmp(mutt_t)
+
+read_files_pattern(mutt_t, mutt_sys_conf_t, mutt_sys_conf_t)
+read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)
+search_dirs_pattern(mutt_t, mutt_sys_conf_t, mutt_sys_conf_t)
+
+
+corecmd_exec_bin(mutt_t)
+corecmd_exec_shell(mutt_t)
+
+corenet_sendrecv_pop_client_packets(mutt_t)
+corenet_sendrecv_smtp_client_packets(mutt_t)
+corenet_tcp_connect_pop_port(mutt_t)
+corenet_tcp_connect_smtp_port(mutt_t)
+
+dev_read_rand(mutt_t)
+dev_read_urand(mutt_t)
+
+domain_use_interactive_fds(mutt_t)
+
+files_read_usr_files(mutt_t)
+
+
+auth_use_nsswitch(mutt_t)
+
+miscfiles_read_localization(mutt_t)
+
+# Allow the user to deal with e-mail attachments
+userdom_manage_user_home_content_files(mutt_t)
+userdom_search_user_home_content(mutt_t)
+userdom_use_user_terminals(mutt_t)
+
+optional_policy(`
+	gpg_domtrans(mutt_t)
+')
+
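Review bot: At the "Allow the user to deal with e-mail attachments" block, userdom_manage_user_home_content_files(mutt_t) gives mutt_t manage rights on every generic user home file, and because corecmd_exec_bin(mutt_t) and corecmd_exec_shell(mutt_t) execute without a domain transition, whatever mutt launches from those locations runs with the same access. Consider putting the manage rule behind a boolean that defaults to off, so that a confined mutt does not get write access to the rest of the home directory unless the administrator asks for it.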
-- 
1.7.3.4

* [refpolicy] [PATCH 2/3] Allow users, staff and sysadm to use mutt
  2011-08-13 18:55 [refpolicy] [PATCH 0/3] Introduce mutt policy Sven Vermeulen
  2011-08-13 18:56 ` [refpolicy] [PATCH 1/3] Initial policy for the mutt e-mail client Sven Vermeulen
@ 2011-08-13 18:57 ` Sven Vermeulen
  2011-08-13 18:57 ` [refpolicy] [PATCH 3/3] Allow gpg to read/write mutt e-mail files (for signing) Sven Vermeulen
  2 siblings, 0 replies; 5+ messages in thread
From: Sven Vermeulen @ 2011-08-13 18:57 UTC
  To: refpolicy

Allow the end user domains to use the mutt application.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/roles/staff.te      |    4 ++++
 policy/modules/roles/sysadm.te     |    4 ++++
 policy/modules/roles/unprivuser.te |    4 ++++
 3 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2be17d2..9f5f4ba 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -125,6 +125,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		mutt_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		pyzor_role(staff_r, staff_t)
 	')
 
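Review bot: The hunk header places this block inside ifndef(`distro_redhat', so mutt_role(staff_r, staff_t) is only compiled in on builds where distro_redhat is not defined, while the commit message says the end user domains are allowed to use mutt without that qualification. The sysadm.te and unprivuser.te hunks carry the same header context. Worth stating the restriction in the commit message so the scope of the change is clear from the log.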
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0f96353..f62250f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -452,5 +452,9 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		java_role(sysadm_r, sysadm_t)
 	')
+
+	optional_policy(`
+		mutt_role(sysadm_r, sysadm_t)
+	')
 ')
 
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 7e9da77..da9db34 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -102,6 +102,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		mutt_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		postgresql_role(user_r, user_t)
 	')
 
-- 
1.7.3.4

* [refpolicy] [PATCH 3/3] Allow gpg to read/write mutt e-mail files (for signing)
  2011-08-13 18:55 [refpolicy] [PATCH 0/3] Introduce mutt policy Sven Vermeulen
  2011-08-13 18:56 ` [refpolicy] [PATCH 1/3] Initial policy for the mutt e-mail client Sven Vermeulen
  2011-08-13 18:57 ` [refpolicy] [PATCH 2/3] Allow users, staff and sysadm to use mutt Sven Vermeulen
@ 2011-08-13 18:57 ` Sven Vermeulen
  2 siblings, 0 replies; 5+ messages in thread
From: Sven Vermeulen @ 2011-08-13 18:57 UTC
  To: refpolicy

The mutt e-mail files are stored as mutt_tmp_t. As such, gpg needs to be able
to read/write to mutt_tmp_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/apps/gpg.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 9050e8c..f145c05 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -147,6 +147,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mutt_rw_tmp_files(gpg_t)
+')
+
+optional_policy(`
 	xserver_use_xdm_fds(gpg_t)
 	xserver_rw_xdm_pipes(gpg_t)
 ')
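Review bot: mutt_rw_tmp_files(gpg_t) grants gpg_t write as well as read on every mutt_tmp_t file, but the subject line gives signing as the reason and the description does not say what gpg writes there. If gpg only reads the draft and hands its output back to mutt another way, a read-only interface is enough; if it does write, note that rw_files_pattern does not include create, so output placed in a new file next to the draft would still be denied. Please spell out in the commit message which of the two cases applies.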
-- 
1.7.3.4

* [refpolicy] [PATCH 1/3] Initial policy for the mutt e-mail client
  2011-08-13 18:56 ` [refpolicy] [PATCH 1/3] Initial policy for the mutt e-mail client Sven Vermeulen
@ 2011-08-16 18:11   ` Christopher J. PeBenito
  0 siblings, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2011-08-16 18:11 UTC
  To: refpolicy

On 8/13/2011 2:56 PM, Sven Vermeulen wrote:
> The mutt e-mail client is a terminal-based e-mail client. This is a first
> policy in an effort to support mutt within its own domain.

In general it looks good; there are a couple comments below.

> Signed-off-by: Sven Vermeulen<sven.vermeulen@siphos.be>
> ---
>   policy/modules/apps/mutt.fc |    6 +++
>   policy/modules/apps/mutt.if |   76 ++++++++++++++++++++++++++++++++++++++++++
>   policy/modules/apps/mutt.te |   77 +++++++++++++++++++++++++++++++++++++++++++
>   3 files changed, 159 insertions(+), 0 deletions(-)
>   create mode 100644 policy/modules/apps/mutt.fc
>   create mode 100644 policy/modules/apps/mutt.if
>   create mode 100644 policy/modules/apps/mutt.te
>
> diff --git a/policy/modules/apps/mutt.fc b/policy/modules/apps/mutt.fc
> new file mode 100644
> index 0000000..847f1a8
> --- /dev/null
> +++ b/policy/modules/apps/mutt.fc
> @@ -0,0 +1,6 @@
> +HOME_DIR/\.mutt(/.*)?     gen_context(system_u:object_r:mutt_home_t,s0)
> +HOME_DIR/\.muttrc      -- gen_context(system_u:object_r:mutt_conf_t,s0)
> +
> +/etc/mutt(/.*)?           gen_context(system_u:object_r:mutt_sys_conf_t,s0)
> +
> +/usr/bin/mutt          -- gen_context(system_u:object_r:mutt_exec_t,s0)
> diff --git a/policy/modules/apps/mutt.if b/policy/modules/apps/mutt.if
> new file mode 100644
> index 0000000..3756720
> --- /dev/null
> +++ b/policy/modules/apps/mutt.if
> @@ -0,0 +1,76 @@
> +##<summary>Mutt e-mail client</summary>
> +
> +#######################################
> +##<summary>
> +##      The role for the mutt application.
> +##</summary>
> +##<param name="user_role">
> +##<summary>
> +##      The role associated with the user domain.
> +##</summary>
> +##</param>
> +##<param name="user_domain">
> +##<summary>
> +##      The type of the user domain.
> +##</summary>
> +##</param>
> +#
> +interface(`mutt_role',`
> +	gen_require(`
> +		type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_sys_conf_t;
> +		type mutt_tmp_t;
> +	')
> +
> +	#######################################
> +	#
> +	# Declarations
> +	#
> +	
> +	role $1 types mutt_t;
> +
> +	############################
> +	#
> +	# Policy
> +	#
> +
> +	manage_dirs_pattern($2, mutt_home_t, mutt_home_t)
> +	manage_files_pattern($2, mutt_home_t, mutt_home_t)
> +	
> +	manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
> +	manage_files_pattern($2, mutt_conf_t, mutt_conf_t)
> +
> +	relabel_dirs_pattern($2, mutt_home_t, mutt_home_t)
> +	relabel_files_pattern($2, mutt_home_t, mutt_home_t)
> +	
> +	relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
> +	relabel_files_pattern($2, mutt_conf_t, mutt_conf_t)
> +
> +	domtrans_pattern($2, mutt_exec_t, mutt_t)
> +
> +	allow $2 mutt_t:process signal;
> +	ps_process_pattern($2, mutt_t)
> +')	
> +
> +#######################################
> +##<summary>
> +##      Allow other domains to read/write mutt's temporary files (used for instance
> +##      for e-mail drafts)
> +##</summary>
> +##<param name="target_domain">

I'd prefer to keep this as "domain", for consistency, since there isn't 
something like a "source_domain" parameter.

> +##<summary>
> +##      The type of the target domain that is allowed access.

"Domain allowed access."

> +##</summary>
> +##</param>
> +#
> +interface(`mutt_rw_tmp_files',`
> +	gen_require(`
> +		type mutt_tmp_t;
> +	')
> +
> +	############################
> +	#
> +	# Policy
> +	#

No need for this comment block.

> +	rw_files_pattern($1, mutt_tmp_t, mutt_tmp_t)
> +')
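Review bot: mutt_rw_tmp_files only covers objects typed mutt_tmp_t, so a caller still has to be able to search the tmp directory that contains them before rw_files_pattern($1, mutt_tmp_t, mutt_tmp_t) is of any use. mutt_t gets that through files_tmp_filetrans() in mutt.te, but a caller of this interface gets nothing equivalent from it. Add files_search_tmp($1) ahead of the pattern so callers do not each have to arrange it.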
> diff --git a/policy/modules/apps/mutt.te b/policy/modules/apps/mutt.te
> new file mode 100644
> index 0000000..2aef456
> --- /dev/null
> +++ b/policy/modules/apps/mutt.te
> @@ -0,0 +1,77 @@
> +policy_module(mutt, 1.0.0)
> +
> +############################
> +#
> +# Declarations
> +#
> +
> +type mutt_t;
> +type mutt_exec_t;
> +application_domain(mutt_t, mutt_exec_t)
> +ubac_constrained(mutt_t)
> +
> +type mutt_conf_t;
> +userdom_user_home_content(mutt_conf_t)
> +
> +type mutt_home_t;
> +userdom_user_home_content(mutt_home_t)
> +
> +type mutt_sys_conf_t;
> +files_type(mutt_sys_conf_t)

files_config_file() seems more appropriate.

> +type mutt_tmp_t;
> +files_tmp_file(mutt_tmp_t)
> +ubac_constrained(mutt_tmp_t)
> +
> +############################
> +#
> +# Local Policy Rules
> +#
> +
> +allow mutt_t self:process signal_perms;
> +allow mutt_t self:fifo_file { getattr read write };
> +
> +manage_dirs_pattern(mutt_t, mutt_home_t, mutt_home_t)
> +manage_files_pattern(mutt_t, mutt_home_t, mutt_home_t)
> +userdom_user_home_dir_filetrans(mutt_t, mutt_home_t, dir)
> +
> +manage_dirs_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +manage_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +manage_fifo_files_pattern(mutt_t, mutt_tmp_t, mutt_tmp_t)
> +files_tmp_filetrans(mutt_t, mutt_tmp_t, { file dir })

> +files_search_tmp(mutt_t)

This shouldn't be necessary due to the files_tmp_filetrans().

> +
> +read_files_pattern(mutt_t, mutt_sys_conf_t, mutt_sys_conf_t)

> +read_files_pattern(mutt_t, mutt_conf_t, mutt_conf_t)

Excessive permissions since there are no mutt_conf_t dirs.  A raw allow 
rule for reading the file should be sufficient.

> +search_dirs_pattern(mutt_t, mutt_sys_conf_t, mutt_sys_conf_t)

This shouldn't be necessary due to the read_files_pattern(mutt_t, 
mutt_sys_conf_t, mutt_sys_conf_t).

> +
> +
> +corecmd_exec_bin(mutt_t)
> +corecmd_exec_shell(mutt_t)
> +
> +corenet_sendrecv_pop_client_packets(mutt_t)
> +corenet_sendrecv_smtp_client_packets(mutt_t)
> +corenet_tcp_connect_pop_port(mutt_t)
> +corenet_tcp_connect_smtp_port(mutt_t)
> +
> +dev_read_rand(mutt_t)
> +dev_read_urand(mutt_t)
> +
> +domain_use_interactive_fds(mutt_t)
> +
> +files_read_usr_files(mutt_t)
> +
> +
> +auth_use_nsswitch(mutt_t)
> +
> +miscfiles_read_localization(mutt_t)
> +
> +# Allow the user to deal with e-mail attachments
> +userdom_manage_user_home_content_files(mutt_t)
> +userdom_search_user_home_content(mutt_t)

I'd prefer that this be tunable.

> +userdom_use_user_terminals(mutt_t)
> +
> +optional_policy(`
> +	gpg_domtrans(mutt_t)
> +')
> +
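Review bot: The self rule "allow mutt_t self:fifo_file { getattr read write };" spells out individual permissions where the line above it already uses a permission set (signal_perms); rw_fifo_file_perms would match that style and also carries the ioctl and lock permissions. There are also doubled blank lines before corecmd_exec_bin(mutt_t) and before auth_use_nsswitch(mutt_t) that should be collapsed to one.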

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
