additions for cron and mta

2005-05-12 20:50:09 +00:00 · 2005-05-12 20:50:09 +00:00 · 075c4fdaf1
commit 075c4fdaf1
parent fd9deeb8ee
12 changed files with 656 additions and 91 deletions
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@ -1,5 +1,33 @@
 # Copyright (C) 2005 Tresys Technology, LLC

+########################################
+#
+# bootloader_search_bootloader_data_directory(domain)
+#
+define(`bootloader_search_bootloader_data_directory',`
+requires_block_template(`$0'_depend)
+allow $1 boot_t:dir search;
+')
+
+define(`bootloader_search_bootloader_data_directory_depend',`
+type boot_t;
+class dir search;
+')
+
+########################################
+#
+# bootloader_ignore_search_bootloader_data_directory(domain)
+#
+define(`bootloader_ignore_search_bootloader_data_directory',`
+requires_block_template(`$0'_depend)
+dontaudit $1 boot_t:dir search;
+')
+
+define(`bootloader_ignore_search_bootloader_data_directory_depend',`
+type boot_t;
+class dir search;
+')
+
 ########################################
 #
 # bootloader_install_kernel(domain)
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@ -781,3 +781,25 @@ define(`filesystem_get_all_filesystems_attributes_depend',`
 attribute fs_type;
 class filesystem getattr;
 ')
+
+########################################
+#
+# filesystem_get_all_file_attributes(type)
+#
+define(`filesystem_get_all_file_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 fs_type:dir { search getattr };
+allow $1 fs_type:file getattr;
+allow $1 fs_type:lnk_file getattr;
+allow $1 fs_type:fifo_file getattr;
+allow $1 fs_type:sock_file getattr;
+')
+
+define(`filesystem_get_all_file_attributes_depend',`
+attribute fs_type;
+class dir { search getattr };
+class file getattr;
+class lnk_file getattr;
+class fifo_file getattr;
+class sock_file getattr;
+')
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -61,6 +61,7 @@ genfscon usbdevfs / system_u:object_r:usbfs_t

 type proc_t;
 files_make_mountpoint(proc_t)
+filesystem_make_filesystem(proc_t)
 genfscon proc / system_u:object_r:proc_t
 genfscon proc /sysvipc system_u:object_r:proc_t

--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@ -41,13 +41,19 @@ allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setatt
 # for this purpose.
 allow $1_crond_t $1_cron_spool_t:file entrypoint;

-ifdef(`fcron.te', `
-allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-')
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t $1_crond_t:process transition;
+dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };

 kernel_read_system_state($1_crond_t)
 kernel_read_kernel_sysctl($1_crond_t)

+# ps does not need to access /boot when run from cron
+bootloader_ignore_search_bootloader_data_directory($1_crond_t)
+
 corenetwork_network_tcp_on_all_interfaces($1_crond_t)
 corenetwork_network_raw_on_all_interfaces($1_crond_t)
 corenetwork_network_udp_on_all_interfaces($1_crond_t)
@ -67,6 +73,8 @@ domain_execute_all_entrypoint_programs($1_crond_t)

 files_read_general_application_resources($1_crond_t)
 files_execute_system_config_script($1_crond_t)
+# for nscd:
+files_ignore_search_runtime_data_directory($1_crond_t)

 corecommands_execute_general_programs($1_crond_t)
 corecommands_execute_system_programs($1_crond_t)
@ -74,13 +82,20 @@ corecommands_execute_system_programs($1_crond_t)
 libraries_use_dynamic_loader($1_crond_t)
 libraries_read_shared_libraries($1_crond_t)
 libraries_execute_library_scripts($1_crond_t)
+libraries_execute_dynamic_loader($1_crond_t)

 files_read_runtime_system_config($1_crond_t)

+logging_search_system_log_directory($1_crond_t)
+
 selinux_read_config($1_crond_t)

 miscfiles_read_localization($1_crond_t)

+tunable_policy(`fcron_crond', `
+allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
 ifdef(`TODO',`
 # Access user files and dirs.
 allow $1_crond_t home_root_t:dir search;
@ -91,12 +106,6 @@ can_exec($1_crond_t, $1_home_t)

 file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)

-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via execve_secure.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, $1_crond_t)
-
 ifdef(`mta.te', `
 domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
 allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
@ -111,17 +120,9 @@ can_ypbind($1_crond_t)
 allow $1_crond_t var_spool_t:dir search;
 allow $1_crond_t var_t:dir r_dir_perms;
 allow $1_crond_t var_t:file { getattr read ioctl };
-allow $1_crond_t var_log_t:dir search;

-can_exec($1_crond_t, ld_so_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit $1_crond_t boot_t:dir search;
 # quiet other ps operations
 dontaudit $1_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit $1_crond_t var_run_t:dir search;
-
 ') dnl endif TODO

 ##############################
@ -139,6 +140,11 @@ allow crond_t $1_cron_spool_t:file { getattr read };
 allow $1_crontab_t self:capability { setuid setgid chown dac_override };
 allow $1_crontab_t self:process { sigkill sigstop signull signal };

+# create files in /var/spool/cron
+allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
+type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
+
 # crontab signals crond by updating the mtime on the spooldir
 allow $1_crontab_t cron_spool_t:dir setattr;

@ -174,10 +180,8 @@ file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })

 # Use the type when creating files in /var/spool/cron.
 allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
-allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
-file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)

-ifdef(`fcron.te', `
+tunable_policy(`fcron_crond', `
 # fcron wants an instant update of a crontab change for the administrator
 # also crontab does a security check for crontab -u
 ifelse(`$1', `sysadm', `
@ -199,7 +203,9 @@ allow $1_crontab_t $1_home_t:file r_file_perms;
 dontaudit $1_crontab_t $1_home_dir_t:dir write;

 # Access terminals.
-access_terminal($1_crontab_t, $1);
+allow $1_crontab_t devpts_t:dir { read search getattr };
+allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
+allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };

 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -2,9 +2,6 @@

 policy_module(consoletype, 1.0)

-# NB The constraints file has some entries for crond_t, this makes it
-# different from all other domains...
-
 ########################################
 #
 # Declarations
@ -19,7 +16,7 @@ bool cron_can_relabel false;
 type cron_spool_t;
 files_make_file(cron_spool_t)

-type crond_t; #, privmail, privfd, nscd_client_domain
+type crond_t; #, privmail, nscd_client_domain
 type crond_exec_t;
 domain_make_daemon_domain(crond_t,crond_exec_t)
 domain_make_file_descriptors_widely_inheritable(crond_t)
@ -42,6 +39,9 @@ domain_make_daemon_domain(system_crond_t,anacron_exec_t)
 corecommands_make_shell_entrypoint(system_crond_t)
 role system_r types system_crond_t;

+type system_crond_lock_t;
+files_make_lock_file(system_crond_lock_t)
+
 type system_crond_tmp_t;
 files_make_temporary_file(system_crond_tmp_t)

@ -74,6 +74,9 @@ allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unli
 allow crond_t crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })

+allow crond_t system_cron_spool_t:dir { getattr search read };
+allow crond_t system_cron_spool_t:file { getattr read };
+
 kernel_read_kernel_sysctl(crond_t)
 kernel_read_hardware_state(crond_t)
 kernel_get_selinuxfs_mount_point(crond_t)
@ -96,6 +99,9 @@ domain_use_widely_inheritable_file_descriptors(crond_t)

 files_read_general_system_config(crond_t)

+corecommands_execute_shell(crond_t)
+corecommands_read_system_programs_directory(crond_t)
+
 libraries_use_dynamic_loader(crond_t)
 libraries_read_shared_libraries(crond_t)

@ -110,6 +116,10 @@ miscfiles_read_localization(crond_t)
 # need auth_chkpwd to check for locked accounts.
 authlogin_check_password_transition(crond_t)

+tunable_policy(`fcron_crond', `
+allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
 tunable_policy(`targeted_policy', `
 terminal_ignore_use_general_physical_terminal(crond_t)
 terminal_ignore_use_general_pseudoterminal(crond_t)
@ -121,29 +131,24 @@ udev_read_database(crond_t)
 ')

 ifdef(`TODO',`
-allow crond_t proc_t:dir r_dir_perms;
-allow crond_t proc_t:lnk_file read;
-dontaudit crond_t unpriv_userdomain:fd use;
+# NB The constraints file has some entries for crond_t, this makes it
+# different from all other domains...
+
+allow crond_t unpriv_userdomain:fd use;
 allow crond_t autofs_t:dir { search getattr };
 dontaudit crond_t sysadm_home_dir_t:dir search;
+
 optional_policy(`rhgb.te', `
 allow crond_t rhgb_t:process sigchld;
 allow crond_t rhgb_t:fd use;
 allow crond_t rhgb_t:fifo_file { read write };
 ')

-
-allow crond_t unpriv_userdomain:fd use;
 can_ypbind(crond_t)
 ifdef(`automount.te', `
 allow crond_t autofs_t:dir { search getattr };
 ')

-
-# for finding binaries and /bin/sh
-allow crond_t { bin_t sbin_t }:dir search;
-allow crond_t { bin_t sbin_t }:lnk_file read;
-
 # Read from /var/spool/cron.
 allow crond_t var_lib_t:dir search;
 allow crond_t var_spool_t:dir r_dir_perms;
@ -159,9 +164,6 @@ allow crond_t sysadm_home_dir_t:dir r_dir_perms;
 allow crond_t home_root_t:dir { getattr search };
 allow crond_t user_home_dir_type:dir r_dir_perms;

-# Run a shell.
-can_exec(crond_t, shell_exec_t)
-
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 # via redirection of standard out.
@ -199,10 +201,40 @@ allow system_crond_t system_cron_spool_t:file entrypoint;

 allow system_crond_t system_cron_spool_t:file { getattr read };

+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_crond_t:process transition;
+dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
+
+# Write /var/lock/makewhatis.lock.
+allow system_crond_t system_crond_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_lock_file(system_crond_t,system_crond_lock_t)
+
+# write temporary files
+allow system_crond_t system_crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)
+
+# write temporary files in crond tmp dir:
+allow system_crond_t crond_tmp_t:dir { getattr search read write add_name remove_name };
+type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
+
+# Read from /var/spool/cron.
+allow system_crond_t cron_spool_t:dir { getattr search read };
+allow system_crond_t cron_spool_t:file { getattr read };
+
+# Access crond log files
+allow system_crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+logging_create_private_log(system_crond_t,crond_log_t)
+
 kernel_read_kernel_sysctl(system_crond_t)
 kernel_read_system_state(system_crond_t)
 kernel_read_software_raid_state(system_crond_t)

+# ps does not need to access /boot when run from cron
+bootloader_ignore_search_bootloader_data_directory(system_crond_t)
+
 corenetwork_network_tcp_on_all_interfaces(system_crond_t)
 corenetwork_network_raw_on_all_interfaces(system_crond_t)
 corenetwork_network_udp_on_all_interfaces(system_crond_t)
@ -219,6 +251,7 @@ devices_get_all_character_device_attributes(system_crond_t)
 devices_get_pseudorandom_data(system_crond_t)

 filesystem_get_all_filesystems_attributes(system_crond_t)
+filesystem_get_all_file_attributes(system_crond_t)

 init_use_file_descriptors(system_crond_t)
 init_script_use_file_descriptors(system_crond_t)
@ -234,6 +267,8 @@ files_read_runtime_system_config(system_crond_t)
 files_read_all_directories(system_crond_t)
 files_get_all_file_attributes(system_crond_t)
 files_read_general_application_resources(system_crond_t)
+# for nscd:
+files_ignore_search_runtime_data_directory(system_crond_t)

 corecommands_execute_general_programs(system_crond_t)
 corecommands_execute_system_programs(system_crond_t)
@ -241,6 +276,7 @@ corecommands_execute_system_programs(system_crond_t)
 libraries_use_dynamic_loader(system_crond_t)
 libraries_read_shared_libraries(system_crond_t)
 libraries_execute_library_scripts(system_crond_t)
+libraries_execute_dynamic_loader(system_crond_t)

 logging_read_system_logs(system_crond_t)
 logging_send_system_log_message(system_crond_t)
@ -265,16 +301,6 @@ selinux_read_file_contexts(system_crond_t)

 ifdef(`TODO',`

-ifdef(`fcron.te', `
-allow crond_t system_cron_spool_t:file create_file_perms;
-')
-
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via execve_secure.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, system_crond_t)
-
 ifdef(`mta.te', `
 domain_auto_trans(system_crond_t, sendmail_exec_t, system_mail_t)
 allow system_crond_t sendmail_exec_t:lnk_file { getattr read };
@ -286,55 +312,25 @@ allow mta_user_agent system_crond_t:fd use;
 r_dir_file(system_mail_t, crond_tmp_t)
 ')

-# This domain is granted permissions common to most domains.
-
 can_ypbind(system_crond_t)
 allow system_crond_t var_spool_t:dir search;

 allow system_crond_t var_t:dir r_dir_perms;
 allow system_crond_t var_t:file { getattr read ioctl };

-can_exec(system_crond_t, ld_so_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit system_crond_t boot_t:dir search;
 # quiet other ps operations
 dontaudit system_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit system_crond_t var_run_t:dir search;
-
-allow system_crond_t proc_t:filesystem getattr;
-allow system_crond_t usbdevfs_t:filesystem getattr;

 allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;

-# Access log files
-file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
-
-allow crond_t system_cron_spool_t:dir r_dir_perms;
-allow crond_t system_cron_spool_t:file r_file_perms;
-
-# Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir r_dir_perms;
-allow system_crond_t cron_spool_t:file r_file_perms;
-
 # Write to /var/lib/slocate.db.
 allow system_crond_t var_lib_t:dir rw_dir_perms;
 allow system_crond_t var_lib_t:file create_file_perms;

-# Write /var/lock/makewhatis.lock.
-lock_domain(system_crond)
-
 # for if /var/mail is a symlink
 allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
 allow crond_t mail_spool_t:dir search;

-# Stat any file and search any directory for find.
-allow system_crond_t fs_type:notdevfile_class_set getattr;
-
-# Create temporary files.
-file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
-
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
 allow system_crond_t var_spool_t:file create_file_perms;
@ -344,14 +340,6 @@ allow system_crond_t var_spool_t:dir rw_dir_perms;
 dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
 dontaudit system_crond_t unlabeled_t:file r_file_perms;

-#
-# reading /var/spool/cron/mailman
-#
-allow system_crond_t devpts_t:filesystem getattr;
-allow system_crond_t sysfs_t:filesystem getattr;
-allow system_crond_t tmpfs_t:filesystem getattr;
-allow system_crond_t rpc_pipefs_t:filesystem getattr;
-
 #
 #  These rules are here to allow system cron jobs to su
 #
@ -366,8 +354,6 @@ allow system_crond_su_t crond_t:fifo_file ioctl;
 #
 allow system_crond_t initctl_t:fifo_file write;
 dontaudit userdomain system_crond_t:fd use;
-
-allow system_crond_t removable_t:filesystem { getattr };
 #
 # Required for webalizer
 #
@ -375,4 +361,10 @@ ifdef(`apache.te', `
 allow system_crond_t httpd_log_t:file { getattr read };
 ')

+tunable_policy(`distro_redhat', `
+optional_policy(`rpm.te', `
+allow system_crond_t rpm_log_t:file create_file_perms;
+')
+')
+
 ') dnl end TODO
--- a/refpolicy/policy/modules/services/mta.fc
+++ b/refpolicy/policy/modules/services/mta.fc
@ -3,9 +3,11 @@
 /etc/aliases			--	system_u:object_r:etc_aliases_t
 /etc/aliases\.db		--	system_u:object_r:etc_aliases_t

-/usr/lib(64)?/sendmail		--	system_u:object_r:sendmail_exec_t
+ifdef(`sendmail.te',`',`
+/usr/lib(64)?/sendmail		--	system_u:object_r:mta_exec_t

-/usr/sbin/sendmail(.sendmail)?	--	system_u:object_r:sendmail_exec_t
+/usr/sbin/sendmail(.sendmail)?	--	system_u:object_r:mta_exec_t
+')

 /var/mail(/.*)?				system_u:object_r:mail_spool_t

--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -9,16 +9,175 @@
 define(`mta_per_userdomain_template',`
 requires_block_template(`$0'_depend)

-type $1_mail_t;
+type $1_mail_t; # , user_mail_domain, nscd_client_domain;
 domain_make_domain($1_mail_t)
+role $1_r types $1_mail_t;

 type $1_mail_tmp_t;
 files_make_temporary_file($1_mail_tmp_t)

+##############################
+#
+# $1_mail_t local policy
+#
+
+allow $1_mail_t self:capability { setuid setgid chown };
+allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
+
+# tcp networking
+allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+
+# re-exec itself
+allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
+
+# Transition from the user domain to the derived domain.
+allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+allow $1_t sendmail_exec_t:lnk_file { getattr read };
+allow $1_t $1_mail_t:process transition;
+type_transition $1_t sendmail_exec_t:file $1_mail_t;
+
+kernel_read_kernel_sysctl($1_mail_t)
+
+corenetwork_network_tcp_on_all_interfaces($1_mail_t)
+corenetwork_network_raw_on_all_interfaces($1_mail_t)
+corenetwork_network_tcp_on_all_nodes($1_mail_t)
+corenetwork_network_raw_on_all_nodes($1_mail_t)
+corenetwork_network_tcp_on_all_ports($1_mail_t)
+corenetwork_bind_tcp_on_all_nodes($1_mail_t)
+
+domain_use_widely_inheritable_file_descriptors($1_mail_t)
+
+libraries_use_dynamic_loader($1_mail_t)
+libraries_read_shared_libraries($1_mail_t)
+
+corecommands_execute_general_programs($1_mail_t)
+
+files_read_general_system_config($1_mail_t)
+
 logging_send_system_log_message($1_mail_t)

+miscfiles_read_localization($1_mail_t)
+
+sysnetwork_read_network_config($1_mail_t)
+
+tunable_policy(`use_dns',`
+allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces($1_mail_t)
+corenetwork_network_udp_on_all_nodes($1_mail_t)
+corenetwork_bind_udp_on_all_nodes($1_mail_t)
+corenetwork_network_udp_on_dns_port($1_mail_t)
+')
+
+optional_policy(`procmail.te',`
+procmail_execute($1_mail_t)
+')
+
+ifdef(`TODO',`
+
+can_ypbind($1_mail_t)
+
+allow $1_mail_t device_t:dir search;
+allow $1_mail_t { var_t var_spool_t }:dir search;
+allow $1_mail_t sbin_t:dir search;
+
+# It wants to check for nscd
+dontaudit $1_mail_t var_run_t:dir search;
+
+# For when the user wants to send mail via port 25 localhost
+can_tcp_connect($1_t, mail_server_domain)
+
+# Read user temporary files.
+allow $1_mail_t $1_tmp_t:file r_file_perms;
+dontaudit $1_mail_t $1_tmp_t:file append;
+ifdef(`postfix.te', `
+# postfix seems to need write access if the file handle is opened read/write
+allow $1_mail_t $1_tmp_t:file write;
+')dnl end if postfix
+
+allow mta_user_agent $1_tmp_t:file { read getattr };
+
+# Write to the user domain tty.
+allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
+allow mta_user_agent devpts_t:dir { read search getattr };
+allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
+
+allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
+allow $1_mail_t devpts_t:dir { read search getattr };
+allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
+
+# Create dead.letter in user home directories.
+file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
+
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_mail_t, cifs_t)
+}
+
+# if you do not want to allow dead.letter then use the following instead
+#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
+#allow $1_mail_t $1_home_t:file r_file_perms;
+
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
+
+ifdef(`qmail.te', `
+allow $1_mail_t qmail_etc_t:dir search;
+allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
+')dnl end if qmail
+
+') dnl end TODO
 ')

 define(`mta_per_userdomain_template_depend',`

 ')
+
+#######################################
+#
+# mta_make_mailserver_domain(domain,entrypointtype)
+#
+define(`mta_execute',`
+requires_block_template(`$0'_depend)
+domain_make_daemon_domain($1,$2)
+typeattribute $1 mailserver_domain;
+')
+
+define(`mta_execute_depend',`
+attribute mailserver_domain;
+')
+
+#######################################
+#
+# mta_transition(domain)
+#
+define(`mta_transition',`
+requires_block_template(`$0'_depend)
+allow $1 sendmail_exec_t:file { getattr read execute };
+allow $1 system_mail_t:process transition;
+type_transition $1 sendmail_exec_t:file hwmta_t;
+dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`mta_transition_depend',`
+type system_mail_t, sendmail_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+#######################################
+#
+# mta_execute(domain)
+#
+define(`mta_execute',`
+requires_block_template(`$0'_depend)
+allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`mta_execute_depend',`
+type sendmail_exec_t;
+class file { getattr read execute execute_no_trans };
+')
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@ -2,6 +2,11 @@

 policy_module(mta,1.0)

+########################################
+#
+# Declarations
+#
+
 type etc_aliases_t;
 files_make_file(etc_aliases_t)

@ -13,3 +18,180 @@ files_make_file(mqueue_spool_t)

 type mail_spool_t;
 files_make_file(mail_spool_t)
+
+type sendmail_exec_t;
+files_make_file(sendmail_exec_t)
+
+type system_mail_t; #, user_mail_domain, nscd_client_domain;
+domain_make_domain(system_mail_t)
+role system_r types system_mail_t;
+
+########################################
+#
+# System mail local policy
+#
+
+allow system_mail_t self:capability { setuid setgid chown };
+allow system_mail_t self:process { sigkill sigstop signull signal setrlimit };
+
+allow system_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+
+# re-exec itself
+allow system_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
+allow system_mail_t sendmail_exec_t:lnk_file { getattr read };
+
+kernel_read_kernel_sysctl(system_mail_t)
+kernel_read_system_state(system_mail_t)
+kernel_read_network_state(system_mail_t)
+
+corenetwork_network_tcp_on_all_interfaces(system_mail_t)
+corenetwork_network_raw_on_all_interfaces(system_mail_t)
+corenetwork_network_tcp_on_all_nodes(system_mail_t)
+corenetwork_network_raw_on_all_nodes(system_mail_t)
+corenetwork_bind_tcp_on_all_nodes(system_mail_t)
+corenetwork_network_tcp_on_all_ports(system_mail_t)
+
+devices_get_pseudorandom_data(system_mail_t)
+
+filesystem_get_persistent_filesystem_attributes(system_mail_t)
+
+init_script_use_pseudoterminal(system_mail_t)
+
+files_read_runtime_system_config(system_mail_t)
+files_read_general_system_config(system_mail_t)
+# It wants to check for nscd
+files_ignore_search_runtime_data_directory(system_mail_t)
+
+corecommands_execute_general_programs(system_mail_t)
+
+libraries_use_dynamic_loader(system_mail_t)
+libraries_read_shared_libraries(system_mail_t)
+
+logging_send_system_log_message(system_mail_t)
+
+miscfiles_read_localization(system_mail_t)
+
+sysnetwork_read_network_config(system_mail_t)
+
+tunable_policy(`use_dns',`
+allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces(system_mail_t)
+corenetwork_network_udp_on_all_nodes(system_mail_t)
+corenetwork_bind_udp_on_all_nodes(system_mail_t)
+corenetwork_network_udp_on_dns_port(system_mail_t)
+')
+
+optional_policy(`procmail.te',`
+procmail_execute(system_mail_t)
+')
+
+ifdef(`TODO',`
+
+
+
+can_ypbind(system_mail_t)
+
+allow system_mail_t device_t:dir search;
+allow system_mail_t { var_t var_spool_t }:dir search;
+allow system_mail_t sbin_t:dir search;
+
+# Transition from a system domain to the derived domain.
+domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
+allow privmail sendmail_exec_t:lnk_file { getattr read };
+
+ifdef(`crond.te', `
+# Read cron temporary files.
+allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
+allow mta_user_agent system_crond_tmp_t:file { read getattr };
+')
+
+ifdef(`qmail.te', `
+allow system_mail_t qmail_etc_t:dir search;
+allow system_mail_t qmail_etc_t:{ file lnk_file } read;
+')dnl end if qmail
+
+ifdef(`targeted_policy', `
+# rules are currently defined in sendmail.te, but it is not included in 
+# targeted policy.  We could move these rules permanantly here.
+
+ifdef(`postfix.te', `', `
+domain_execute_all_entrypoint_programs(system_mail_t)
+files_execute_system_config_script(system_mail_t)
+corecommands_execute_general_programs(system_mail_t)
+corecommands_execute_system_programs(system_mail_t)
+libraries_use_dynamic_loader(system_mail_t)
+libraries_read_shared_libraries(system_mail_t)
+libraries_execute_dynamic_loader(system_mail_t)
+libraries_execute_library_scripts(system_mail_t)
+')
+
+allow system_mail_t { var_t var_spool_t }:dir getattr;
+
+allow system_mail_t mqueue_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow system_mail_t mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_mail_t mqueue_spool_t:lnk_file { create read getattr setattr link unlink rename };
+
+allow system_mail_t mail_spool_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow system_mail_t mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow system_mail_t mail_spool_t:lnk_file { create read getattr setattr link unlink rename };
+
+allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
+allow system_mail_t etc_mail_t:file { getattr read };
+', ` dnl if not targeted policy:
+ifdef(`sendmail.te', `
+# sendmail has an ugly design, the one process parses input from the user and
+# then does system things with it.
+domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
+', `
+domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
+') dnl end if sendmail.te
+
+# allow the sysadmin to do "mail someone < /home/user/whatever"
+allow sysadm_mail_t user_home_dir_type:dir search;
+r_dir_file(sysadm_mail_t, user_home_type)
+') dnl end ifdef targeted_policy
+
+# for a mail server process that does things in response to a user command
+allow mta_user_agent userdomain:process sigchld;
+allow mta_user_agent { userdomain privfd }:fd use;
+ifdef(`crond.te', `
+allow mta_user_agent crond_t:process sigchld;
+')
+allow mta_user_agent sysadm_t:fifo_file { read write };
+
+allow { system_mail_t mta_user_agent } privmail:fd use;
+allow { system_mail_t mta_user_agent } privmail:process sigchld;
+allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
+allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
+
+ifdef(`arpwatch.te', `
+# why is mail delivered to a directory of type arpwatch_data_t?
+allow mta_delivery_agent arpwatch_data_t:dir search;
+allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
+ifdef(`hide_broken_symptoms', `
+dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
+')
+')dnl end if arpwatch.te
+
+allow mta_delivery_agent home_root_t:dir { getattr search };
+
+# for /var/spool/mail
+ra_dir_create_file(mta_delivery_agent, mail_spool_t)
+
+# for piping mail to a command
+can_exec(mta_delivery_agent, shell_exec_t)
+allow mta_delivery_agent bin_t:dir search;
+allow mta_delivery_agent bin_t:lnk_file read;
+allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
+
+# Transition from a system domain to the derived domain.
+domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
+allow privmail sendmail_exec_t:lnk_file { getattr read };
+
+ifdef(`crond.te', `
+# Read cron temporary files.
+allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
+allow mta_user_agent system_crond_tmp_t:file { read getattr };
+')
+
+') dnl end TODO
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@ -1,5 +1,37 @@
 # Copyright (C) 2005 Tresys Technology, LLC

+#######################################
+#
+# clock_transition(domain)
+#
+define(`clock_transition',`
+requires_block_template(`$0'_depend)
+allow $1 hwclock_exec_t:file { getattr read execute };
+allow $1 hwclock_t:process transition;
+type_transition $1 hwclock_exec_t:file hwclock_t;
+dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`clock_transition_depend',`
+type hwclock_t, hwclock_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+#######################################
+#
+# clock_execute(domain)
+#
+define(`clock_execute',`
+requires_block_template(`$0'_depend)
+allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`clock_execute_depend',`
+type hwclock_exec_t;
+class file { getattr read execute execute_no_trans };
+')
+
 #######################################
 #
 # clock_modify_drift_records(domain)
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@ -13,6 +13,34 @@ define(`corecommands_make_shell_entrypoint_depend',`
 type shell_exec_t;
 ')

+########################################
+#
+# corecommands_search_general_programs_directory(domain)
+#
+define(`corecommands_search_general_programs_directory',`
+requires_block_template(`$0'_depend)
+allow $1 bin_t:dir search;
+')
+
+define(`corecommands_search_general_programs_directory_depend',`
+type bin_t;
+class dir search;
+')
+
+########################################
+#
+# corecommands_read_general_programs_directory(domain)
+#
+define(`corecommands_read_general_programs_directory',`
+requires_block_template(`$0'_depend)
+allow $1 bin_t:dir { getattr search read };
+')
+
+define(`corecommands_read_general_programs_directory_depend',`
+type bin_t;
+class dir { getattr search read };
+')
+
 ########################################
 #
 # corecommands_execute_general_programs(domain)
@ -31,6 +59,34 @@ class lnk_file { getattr read };
 class file { getattr read execute execute_no_trans };
 ')

+########################################
+#
+# corecommands_search_system_programs_directory(domain)
+#
+define(`corecommands_search_system_programs_directory',`
+requires_block_template(`$0'_depend)
+allow $1 sbin_t:dir search;
+')
+
+define(`corecommands_search_system_programs_directory_depend',`
+type sbin_t;
+class dir search;
+')
+
+########################################
+#
+# corecommands_read_system_programs_directory(domain)
+#
+define(`corecommands_read_system_programs_directory',`
+requires_block_template(`$0'_depend)
+allow $1 sbin_t:dir { getattr search read };
+')
+
+define(`corecommands_read_system_programs_directory_depend',`
+type sbin_t;
+class dir { getattr search read };
+')
+
 ########################################
 #
 # corecommands_execute_system_programs(domain)
@ -67,6 +123,24 @@ class lnk_file { getattr read };
 class file { getattr read execute execute_no_trans };
 ')

+########################################
+#
+# corecommands_shell_transition(domain)
+#
+define(`corecommands_shell_transition',`
+requires_block_template(`$0'_depend)
+allow $1 bin_t:dir { getattr search read };
+allow $1 bin_t:lnk_file { getattr read };
+allow $1 shell_exec_t:file { getattr read execute };
+')
+
+define(`corecommands_shell_transition_depend',`
+type bin_t, shell_exec_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read execute };
+')
+
 ########################################
 #
 # corecommands_chroot(domain)
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -15,6 +15,20 @@ define(`files_make_file_depend',`
 attribute file_type;
 ')

+########################################
+#
+# files_make_lock_file(type)
+#
+define(`files_make_lock_file',`
+requires_block_template(`$0'_depend)
+files_make_file($1)
+typeattribute $1 lockfile;
+')
+
+define(`files_make_lock_file_depend',`
+attribute lockfile;
+')
+
 ########################################
 #
 # files_make_mountpoint(type)
@ -632,6 +646,26 @@ class dir { getattr search read write add_name remove_name };
 class file { getattr unlink };
 ')

+########################################
+#
+# files_create_private_lock_file(domain,private_type,[object class(es)])
+#
+define(`files_create_private_lock_file',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_lock_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 var_lock_t:file $2;
+',`
+type_transition $1 var_lock_t:$3 $2;
+')
+')
+
+define(`files_create_private_lock_file_depend',`
+type var_t, var_lock_t;
+class dir { getattr search read write add_name };
+')
+
 ########################################
 #
 # files_search_runtime_data_directory(domain)
@ -647,6 +681,20 @@ type var_t, var_run_t;
 class dir search;
 ')

+########################################
+#
+# files_ignore_search_runtime_data_directory(domain)
+#
+define(`files_ignore_search_runtime_data_directory',`
+requires_block_template(`$0'_depend)
+allow $1 var_run_t:dir search;
+')
+
+define(`files_ignore_search_runtime_data_directory_depend',`
+type var_run_t;
+class dir search;
+')
+
 ########################################
 #
 # files_read_runtime_data_directory(domain)
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -37,6 +37,25 @@ type ld_so_t, ld_so_cache_t;
 class file { execute execmod };
 ')

+########################################
+#
+# libraries_execute_dynamic_loader(domain)
+#
+define(`libraries_execute_dynamic_loader',`
+requires_block_template(`$0'_depend)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:lnk_file { getattr read };
+allow $1 ld_so_t:lnk_file { getattr read };
+allow $1 ld_so_t:file { getattr read execute execute_no_trans };
+')
+
+define(`libraries_execute_dynamic_loader_depend',`
+type lib_t, ld_so_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
 ########################################
 #
 # libraries_modify_dynamic_loader_cache(domain)