clean up most of the mta hacks
This commit is contained in:
Chris PeBenito
parent
08cd98b7c1
commit
1504ff3e42
@ -519,3 +519,20 @@ interface(`cron_read_system_job_tmp_files',`
|
||||
files_search_tmp($1)
|
||||
allow $1 system_crond_tmp_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to append temporary
|
||||
## files from the system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_dontaudit_append_system_job_tmp_files',`
|
||||
gen_require(`
|
||||
type system_crond_tmp_t;
|
||||
')
|
||||
|
||||
dontaudit $1 system_crond_tmp_t:file append;
|
||||
')
|
||||
|
||||
@ -26,8 +26,7 @@ interface(`mta_stub',`
|
||||
## </p>
|
||||
## <p>
|
||||
## This is the basic types and rules, common
|
||||
## to the system agent and user agents, and
|
||||
## is not useful by itself.
|
||||
## to the system agent and user agents.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain_prefix">
|
||||
@ -238,6 +237,52 @@ template(`mta_per_userdomain_template',`
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Provide extra permissions for admin users
|
||||
## mail domain.
|
||||
## </summary>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## The type of the user domain.
|
||||
## </param>
|
||||
#
|
||||
template(`mta_admin_template',`
|
||||
ifdef(`strict_policy',`
|
||||
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
||||
userdom_read_unpriv_user_home_files($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`postfix',`
|
||||
gen_require(`
|
||||
attribute mta_user_agent;
|
||||
type etc_aliases_t;
|
||||
')
|
||||
|
||||
allow mta_user_agent $2:fifo_file { read write };
|
||||
|
||||
allow $1_mail_t etc_aliases_t:dir create_dir_perms;
|
||||
allow $1_mail_t etc_aliases_t:file create_file_perms;
|
||||
allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
|
||||
allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
|
||||
files_create_etc_config($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
# postfix needs this for newaliases
|
||||
files_getattr_tmp_dir($1_mail_t)
|
||||
|
||||
postfix_exec_master($1_mail_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# compatability for old default main.cf
|
||||
postfix_create_config($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# mta_mailserver(domain,entrypointtype)
|
||||
|
||||
@ -97,8 +97,6 @@ ifdef(`targeted_policy',`
|
||||
|
||||
files_exec_etc_files(system_mail_t)
|
||||
|
||||
libs_use_ld_so(system_mail_t)
|
||||
libs_use_shared_libs(system_mail_t)
|
||||
libs_exec_ld_so(system_mail_t)
|
||||
libs_exec_lib_files(system_mail_t)
|
||||
# ')
|
||||
@ -116,12 +114,15 @@ optional_policy(`apache',`
|
||||
')
|
||||
|
||||
optional_policy(`arpwatch',`
|
||||
arpwatch_rw_tmp_files(system_mail_t)
|
||||
arpwatch_manage_tmp_files(system_mail_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
arpwatch_dontaudit_rw_packet_socket(system_mail_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_read_system_job_tmp_files(system_mail_t)
|
||||
cron_read_system_job_tmp_files(mta_user_agent)
|
||||
')
|
||||
|
||||
optional_policy(`cvs',`
|
||||
@ -133,8 +134,6 @@ optional_policy(`logrotate',`
|
||||
')
|
||||
|
||||
optional_policy(`postfix',`
|
||||
postfix_stub(system_mail_t)
|
||||
|
||||
allow system_mail_t etc_aliases_t:dir create_dir_perms;
|
||||
allow system_mail_t etc_aliases_t:file create_file_perms;
|
||||
allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
@ -144,40 +143,39 @@ optional_policy(`postfix',`
|
||||
|
||||
domain_use_wide_inherit_fd(system_mail_t)
|
||||
|
||||
optional_policy(`crond',`
|
||||
# postfix needs this for newaliases
|
||||
files_getattr_tmp_dir(system_mail_t)
|
||||
|
||||
postfix_exec_master(system_mail_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# compatability for old default main.cf
|
||||
postfix_create_config(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_crw_tcp_socket(system_mail_t)
|
||||
')
|
||||
|
||||
allow mta_user_agent sysadm_t:fifo_file { read write };
|
||||
type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
|
||||
|
||||
# postfix needs this for newaliases
|
||||
allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`sendmail',`
|
||||
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
|
||||
userdom_dontaudit_use_unpriv_user_pty(system_mail_t)
|
||||
|
||||
optional_policy(`crond',`
|
||||
dontaudit system_mail_t system_crond_tmp_t:file append;
|
||||
optional_policy(`cron',`
|
||||
cron_dontaudit_append_system_job_tmp_files(system_mail_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
||||
allow sysadm_mail_t user_home_dir_type:dir search;
|
||||
r_dir_file(sysadm_mail_t, user_home_type)
|
||||
')
|
||||
') dnl end TODO
|
||||
# should break this up among sections:
|
||||
|
||||
optional_policy(`arpwatch',`
|
||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||
arpwatch_search_data(mailserver_delivery)
|
||||
arpwatch_manage_tmp_files(system_mail_t)
|
||||
arpwatch_manage_tmp_files(mta_user_agent)
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
arpwatch_dontaudit_rw_packet_socket(system_mail_t)
|
||||
arpwatch_dontaudit_rw_packet_socket(mta_user_agent)
|
||||
')
|
||||
optional_policy(`cron',`
|
||||
cron_read_system_job_tmp_files(mta_user_agent)
|
||||
')
|
||||
')
|
||||
|
||||
@ -175,6 +175,37 @@ interface(`postfix_read_config',`
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create files with the specified type in
|
||||
## the postfix configuration directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
## <param name="private type">
|
||||
## The type of the object to be created.
|
||||
## </param>
|
||||
## <param name="object" optional="true">
|
||||
## The object class of the object being created. If
|
||||
## no class is specified, file will be used.
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_create_config',`
|
||||
gen_require(`
|
||||
type postfix_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 postfix_etc_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 postfix_etc_t:file $2;
|
||||
',`
|
||||
type_transition $1 postfix_etc_t:$3 $2;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and
|
||||
@ -279,6 +310,23 @@ interface(`postfix_domtrans_master',`
|
||||
allow postfix_master_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the master postfix program in the
|
||||
## caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_exec_master',`
|
||||
gen_require(`
|
||||
type postfix_master_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,postfix_master_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search postfix mail spool directories.
|
||||
|
||||
@ -197,41 +197,7 @@ ifdef(`distro_redhat',`
|
||||
allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
|
||||
allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
|
||||
type_transition postfix_master_t postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
|
||||
')
|
||||
|
||||
# postfix needs this for newaliases
|
||||
allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
|
||||
|
||||
can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
|
||||
|
||||
allow sysadm_mail_t etc_aliases_t:dir create_dir_perms;
|
||||
allow sysadm_mail_t etc_aliases_t:file create_file_perms;
|
||||
allow sysadm_mail_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow sysadm_mail_t etc_aliases_t:sock_file create_file_perms;
|
||||
allow sysadm_mail_t etc_aliases_t:fifo_file create_file_perms;
|
||||
files_create_etc_config(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# compatability for old default main.cf
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file create_file_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms;
|
||||
|
||||
allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms;
|
||||
type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
|
||||
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file create_file_perms;
|
||||
allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms;
|
||||
|
||||
allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms;
|
||||
type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
|
||||
type_transition postfix_master_t postfix_etc_t:{ dir file lnk_file sock_file fifo_file } etc_aliases_t;
|
||||
')
|
||||
|
||||
# end partially converted rules
|
||||
|
||||
@ -906,7 +906,11 @@ template(`admin_user_template',`
|
||||
seutil_manage_binary_pol($1_t)
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_admin_template($1)
|
||||
cron_admin_template($1,$1_t,$1_r)
|
||||
')
|
||||
|
||||
optional_policy(`mta',`
|
||||
mta_admin_template($1,$1_t,$1_r)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
@ -2387,6 +2391,27 @@ interface(`userdom_setattr_unpriv_user_pty',`
|
||||
allow $1 user_ptynode:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to use unprivileged
|
||||
## user ptys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_use_unpriv_user_pty',`
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_pty($1)
|
||||
',`
|
||||
gen_require(`
|
||||
attribute user_ptynode;
|
||||
')
|
||||
|
||||
dontaudit $1 user_ptynode:chr_file rw_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all unprivileged users temporary directories.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.0.2)
|
||||
policy_module(userdomain,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
Loading…
Reference in New Issue
Block a user