From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 7/9] Added new "lda" module for email local delivery agents such as maildrop and procmail
Date: Fri, 7 Sep 2012 09:12:08 -0400
Message-ID: <5049F2A8.6020202@tresys.com>
In-Reply-To: <1346794648-27101-7-git-send-email-bigon@debian.org>
On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Russell Coker <russell@coker.com.au>
I'm not averse to something like this, but it would need some more work, since there already is a procmail policy. That policy would need to be removed and compatibility would have to be preserved.
> ---
> courier.if | 19 +++++++
> lda.fc | 9 ++++
> lda.if | 41 +++++++++++++++
> lda.te | 162 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> postfix.te | 6 ++-
> 5 files changed, 236 insertions(+), 1 deletion(-)
> create mode 100644 lda.fc
> create mode 100644 lda.if
> create mode 100644 lda.te
>
> diff --git a/courier.if b/courier.if
> index 9971337..be99138 100644
> --- a/courier.if
> +++ b/courier.if
> @@ -106,6 +106,25 @@ interface(`courier_domtrans_authdaemon',`
>
> ########################################
> ## <summary>
> +## Act as a client for the courier authdaemon
> +## </summary>
> +## <param name="prefix">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`courier_authdaemon_client',`
> + gen_require(`
> + type courier_authdaemon_t, courier_etc_t, courier_var_run_t;
> + ')
> + allow $1 courier_authdaemon_t:unix_stream_socket connectto;
> + allow $1 courier_etc_t:dir search;
> + allow $1 courier_var_run_t:sock_file write;
> +')
> +
> +########################################
> +## <summary>
> ## Execute the courier POP3 and IMAP server with
> ## a domain transition.
> ## </summary>
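Review bot: the doc block for courier_authdaemon_client() names its parameter "prefix" while the body treats $1 as a domain; change it to <param name="domain"> to match the other interfaces in this series. The three allow rules are the expanded form of the refpolicy stream-connect idiom, so `stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)` would replace them and also add the search permission on the socket's own directory (courier_var_run_t) that is missing here; the `courier_etc_t:dir search` rule can stay as a separate line if a path under /etc/courier is involved.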
> diff --git a/lda.fc b/lda.fc
> new file mode 100644
> index 0000000..f5745ae
> --- /dev/null
> +++ b/lda.fc
> @@ -0,0 +1,9 @@
> +
> +/usr/bin/procmail -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/bin/maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/sbin/deliverquota.maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/bin/mailbot -- gen_context(system_u:object_r:lda_exec_t,s0)
> +
> +/etc/courier/maildroprc -- gen_context(system_u:object_r:lda_etc_t,s0)
> +/var/log/maildrop.log -- gen_context(system_u:object_r:lda_log_t,s0)
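Review bot: /usr/bin/procmail is already labelled by the existing procmail module's file contexts, and /usr/lib/dovecot/deliver is labelled dovecot_deliver_exec_t by the dovecot module, so these two entries collide with other modules' .fc files unless the old entries are removed in the same change (the reply above already asks for the procmail policy to go). The file also opens with an empty line before the first entry, which refpolicy .fc files do not do; drop it.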
> diff --git a/lda.if b/lda.if
> new file mode 100644
> index 0000000..ec97dc8
> --- /dev/null
> +++ b/lda.if
> @@ -0,0 +1,41 @@
> +## <summary>mail delivery agent</summary>
> +
> +########################################
> +## <summary>
> +## Execute lda with a domain transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lda_domtrans',`
> + gen_require(`
> + type lda_exec_t, lda_t;
> + ')
> +
> + files_search_usr($1)
> + corecmd_search_bin($1)
> + domtrans_pattern($1,lda_exec_t,lda_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute lda in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lda_exec',`
> + gen_require(`
> + type lda_exec_t;
> + ')
> +
> + files_search_usr($1)
> + corecmd_search_bin($1)
> + can_exec($1,lda_exec_t)
> +')
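Review bot: lda.if only provides lda_domtrans() and lda_exec(), but the reply above asks for compatibility with the existing procmail policy; once procmail.te is removed, any caller of procmail_domtrans() other than the postfix.te hunk converted in this patch would stop building. Keep deprecated wrappers in procmail.if that forward to the new interfaces, e.g. `interface(`procmail_domtrans',` followed by a refpolicywarn() and `lda_domtrans($1)`. Style: refpolicy separates macro arguments with a comma and a space (`domtrans_pattern($1, lda_exec_t, lda_t)`, `can_exec($1, lda_exec_t)`), as lda.te itself does on its files_tmp_filetrans() line.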
> diff --git a/lda.te b/lda.te
> new file mode 100644
> index 0000000..d9bc95d
> --- /dev/null
> +++ b/lda.te
> @@ -0,0 +1,162 @@
> +
> +policy_module(lda, 1.9.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type lda_t;
> +typealias lda_t alias procmail_t;
> +type lda_exec_t;
> +typealias lda_exec_t alias procmail_exec_t;
> +application_domain(lda_t,lda_exec_t)
> +role system_r types lda_t;
> +
> +type lda_tmp_t;
> +typealias lda_tmp_t alias procmail_tmp_t;
> +files_tmp_file(lda_tmp_t)
> +
> +type lda_etc_t;
> +files_config_file(lda_etc_t)
> +
> +type lda_log_t;
> +logging_log_file(lda_log_t)
> +manage_files_pattern(lda_t,lda_log_t,lda_log_t)
> +logging_log_filetrans(lda_t,lda_log_t,file)
> +
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow lda_t self:capability { sys_nice chown setuid setgid dac_override };
> +allow lda_t self:process { setsched signal signull };
> +allow lda_t self:fifo_file rw_fifo_file_perms;
> +allow lda_t self:unix_stream_socket create_socket_perms;
> +allow lda_t self:unix_dgram_socket create_socket_perms;
> +allow lda_t self:tcp_socket create_stream_socket_perms;
> +allow lda_t self:udp_socket create_socket_perms;
> +read_files_pattern(lda_t,lda_etc_t,lda_etc_t)
> +read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t)
> +
> +can_exec(lda_t,lda_exec_t)
> +
> +allow lda_t lda_tmp_t:file manage_file_perms;
> +files_tmp_filetrans(lda_t, lda_tmp_t, file)
> +
> +kernel_read_system_state(lda_t)
> +kernel_read_kernel_sysctls(lda_t)
> +
> +corenet_all_recvfrom_unlabeled(lda_t)
> +corenet_all_recvfrom_netlabel(lda_t)
> +corenet_tcp_sendrecv_all_if(lda_t)
> +corenet_udp_sendrecv_all_if(lda_t)
> +corenet_tcp_sendrecv_all_nodes(lda_t)
> +corenet_udp_sendrecv_all_nodes(lda_t)
> +corenet_tcp_sendrecv_all_ports(lda_t)
> +corenet_udp_sendrecv_all_ports(lda_t)
> +corenet_udp_bind_all_nodes(lda_t)
> +corenet_tcp_connect_spamd_port(lda_t)
> +corenet_sendrecv_spamd_client_packets(lda_t)
> +corenet_sendrecv_comsat_client_packets(lda_t)
> +
> +dev_read_urand(lda_t)
> +
> +fs_getattr_xattr_fs(lda_t)
> +fs_search_auto_mountpoints(lda_t)
> +fs_rw_anon_inodefs_files(lda_t)
> +
> +auth_use_nsswitch(lda_t)
> +
> +corecmd_exec_bin(lda_t)
> +corecmd_exec_shell(lda_t)
> +
> +files_read_etc_files(lda_t)
> +files_read_etc_runtime_files(lda_t)
> +files_search_pids(lda_t)
> +# for spamassasin
> +files_read_usr_files(lda_t)
> +
> +libs_use_ld_so(lda_t)
> +libs_use_shared_libs(lda_t)
> +
> +logging_send_syslog_msg(lda_t)
> +
> +miscfiles_read_localization(lda_t)
> +
> +# only works until we define a different type for maildir
> +userdom_manage_user_home_content_dirs(lda_t)
> +userdom_manage_user_home_content_files(lda_t)
> +userdom_user_home_dir_filetrans_user_home_content(lda_t, { dir file })
> +
> +optional_policy(`
> + gen_require(`
> + bool daemon_access_unconfined_home;
> + ')
> +# tunable_policy(`daemon_access_unconfined_home', `
> +# unconfined_write_home_content_files(lda_t)
> +# ')
> +')
> +
> +mta_manage_spool(lda_t)
> +
> +ifdef(`hide_broken_symptoms',`
> + mta_dontaudit_rw_queue(lda_t)
> +')
> +
> +tunable_policy(`use_nfs_home_dirs',`
> + fs_manage_nfs_dirs(lda_t)
> + fs_manage_nfs_files(lda_t)
> + fs_manage_nfs_symlinks(lda_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> + fs_manage_cifs_dirs(lda_t)
> + fs_manage_cifs_files(lda_t)
> + fs_manage_cifs_symlinks(lda_t)
> +')
> +
> +optional_policy(`
> + clamav_domtrans_clamscan(lda_t)
> + clamav_search_lib(lda_t)
> +')
> +
> +optional_policy(`
> + courier_authdaemon_client(lda_t)
> +')
> +
> +optional_policy(`
> + munin_dontaudit_search_lib(lda_t)
> +')
> +
> +optional_policy(`
> + # for a bug in the postfix local program
> + postfix_dontaudit_rw_local_tcp_sockets(lda_t)
> + postfix_dontaudit_use_fds(lda_t)
> + postfix_read_spool_files(lda_t)
> + postfix_read_local_state(lda_t)
> + postfix_read_master_state(lda_t)
> +')
> +
> +optional_policy(`
> + pyzor_domtrans(lda_t)
> +')
> +
> +optional_policy(`
> + mta_read_config(lda_t)
> + sendmail_domtrans(lda_t)
> + sendmail_rw_tcp_sockets(lda_t)
> + sendmail_rw_unix_stream_sockets(lda_t)
> +')
> +
> +optional_policy(`
> + corenet_udp_bind_generic_port(lda_t)
> + corenet_dontaudit_udp_bind_all_ports(lda_t)
> +
> + spamassassin_exec(lda_t)
> + spamassassin_exec_client(lda_t)
> + spamassassin_read_lib_files(lda_t)
> +')
> +
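Review bot: the typealias lines declare procmail_t, procmail_exec_t and procmail_tmp_t as aliases while the existing procmail module still declares them as types, which conflicts when the policy is built or linked; this patch needs to remove the procmail module (as the reply above says) or drop the aliases. Also: the optional_policy block that only gen_requires the daemon_access_unconfined_home boolean has its entire body commented out, so it is dead code and should either go or be finished; libs_use_ld_so() and libs_use_shared_libs() are deprecated no-ops in current refpolicy and can be dropped; mta_read_config(lda_t) comes from the mta module, not sendmail, so it belongs outside that optional_policy block; a new module conventionally starts at policy_module(lda, 1.0.0); and the leading blank line, the double blank line after logging_log_filetrans() and the trailing blank line should be removed. Typo in the comment: "spamassasin".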
> diff --git a/postfix.te b/postfix.te
> index f358c69..221a5d1 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -319,7 +319,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - procmail_domtrans(postfix_local_t)
> + lda_domtrans(postfix_local_t)
> ')
>
> ########################################
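Review bot: swapping procmail_domtrans() for lda_domtrans() moves this optional_policy block's dependency to the lda module, so a system that updates postfix without also installing the new lda module has the block silently disabled and postfix_local_t loses the transition it had before; the commit message should state that lda replaces procmail and that both modules need to go in together.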
> @@ -425,6 +425,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + lda_domtrans(postfix_pipe_t)
> +')
> +
> +optional_policy(`
> mailman_domtrans_queue(postfix_pipe_t)
> ')
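Review bot: this hunk adds a transition for postfix_pipe_t rather than renaming an existing one, so it is a behaviour change beyond the procmail-to-lda rename and deserves a sentence in the commit message saying which pipe-delivered command needs it. Placing the block before the mailman one keeps the alphabetical order of the optional_policy blocks.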
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com