From 246839f3d2d130dea261f3393f60ef6d7eee8a8d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 30 Aug 2005 20:47:41 +0000
Subject: [PATCH] fix up most of mta attribute insanity

---
 refpolicy/policy/modules/admin/logrotate.if   |  18 ++
 refpolicy/policy/modules/kernel/kernel.if     |  19 ++
 refpolicy/policy/modules/services/cron.if     |  36 +++-
 refpolicy/policy/modules/services/mta.if      | 108 ++++++++--
 refpolicy/policy/modules/services/mta.te      | 191 +++++++-----------
 refpolicy/policy/modules/services/sendmail.te |  18 +-
 refpolicy/policy/modules/system/userdomain.if |  17 ++
 7 files changed, 268 insertions(+), 139 deletions(-)

diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if
index 134a886c..cff68d4f 100644
--- a/refpolicy/policy/modules/admin/logrotate.if
+++ b/refpolicy/policy/modules/admin/logrotate.if
@@ -82,3 +82,21 @@ interface(`logrotate_dontaudit_use_fd',`
 
 	dontaudit $1 logrotate_t:fd use;
 ')
+
+########################################
+##
+## Read a logrotate temporary files.
+##
+##
+## The type of the process to not audit.
+##
+#
+interface(`logrotate_read_tmp_files',`
+	gen_require(`
+		type logrotate_tmp_t;
+		class file r_file_perms;
+	')
+
+	files_search_tmp($1)
+	allow $1 logrotate_tmp_t:file r_file_perms;
+')
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index f4de889e..c147b454 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
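Review bot: The parameter description of `logrotate_read_tmp_files` is copied from a dontaudit interface, `The type of the process to not audit.`, but this interface grants access, so it should read `Domain allowed access.` as the cron interfaces added in the same patch do. The summary `Read a logrotate temporary files.` should be `Read logrotate temporary files.`.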
@@ -553,6 +553,25 @@ interface(`kernel_dontaudit_getattr_message_if',`
 	dontaudit $1 proc_kmsg_t:file getattr;
 ')
 
+########################################
+##
+## Do not audit attempts to search the network
+## state directory.
+##
+##
+## The process type reading the state.
+##
+##
+#
+interface(`kernel_dontaudit_search_network_state',`
+	gen_require(`
+		type proc_net_t;
+		class dir search;
+	')
+
+	allow $1 proc_net_t:dir search;
+')
+
 ########################################
 ##
 ## Allow caller to read the network state information.
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index cde33f0b..ec5f5aea 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -314,6 +314,23 @@ interface(`cron_system_entry',`
 	allow $1 crond_t:process sigchld;
 ')
 
+########################################
+##
+## Send a SIGCHLD signal to the cron daemon.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`cron_sigchld',`
+	gen_require(`
+		type crond_t;
+		class process sigchld;
+	')
+
+	allow $1 crond_t:process sigchld;
+')
+
 ########################################
 ##
 ## Read a cron daemon unnamed pipe
@@ -331,7 +348,6 @@ interface(`cron_read_pipe',`
 	allow $1 crond_t:file r_file_perms;
 ')
 
-
 ########################################
 ##
 ## Read and write the cron daemon log files.
@@ -367,3 +383,21 @@ interface(`cron_search_spool',`
 	files_search_spool($1)
 	allow $1 cron_spool_t:dir search;
 ')
+
+########################################
+##
+## Read temporary files from the system cron jobs.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`cron_read_system_job_tmp_files',`
+	gen_require(`
+		type system_crond_tmp_t;
+		class file r_file_perms;
+	')
+
+	files_search_tmp($1)
+	allow $1 system_crond_tmp_t:file r_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 6409e530..e6efcbd3 100644
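Review bot: `kernel_dontaudit_search_network_state` grants the permission instead of suppressing its audit: the body is `allow $1 proc_net_t:dir search;` while the name, the summary and the `dontaudit` interface it sits next to all say do-not-audit. An allow here silently widens every caller's access to the network state directory, so the rule should be `dontaudit $1 proc_net_t:dir search;`. No caller appears elsewhere in this patch, so the mismatch would only surface when a module first uses it.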
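Review bot: `cron_sigchld` grants exactly the `allow $1 crond_t:process sigchld;` that `cron_system_entry` already carries (the context line at the top of the hunk), and nothing in this patch calls the new interface. If it is meant for domains that are not cron entry points, a sentence in its summary saying so would tell readers when to prefer it over `cron_system_entry`.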
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -28,7 +28,7 @@
 ##
 #
 template(`mta_per_userdomain_template',`
-	type $1_mail_t; # , user_mail_domain
+	type $1_mail_t;
 	domain_type($1_mail_t)
 	role $3 types $1_mail_t;
 
@@ -59,6 +59,11 @@ template(`mta_per_userdomain_template',`
 	allow $1_mail_t $2:fifo_file rw_file_perms;
 	allow $1_mail_t $2:process sigchld;
 
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($2)
+	allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
+	allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
+
 	kernel_read_kernel_sysctl($1_mail_t)
 
 	corenet_tcp_sendrecv_all_if($1_mail_t)
@@ -78,6 +83,8 @@ template(`mta_per_userdomain_template',`
 	files_read_etc_files($1_mail_t)
 	files_search_spool($1_mail_t)
+	# It wants to check for nscd
+	files_dontaudit_search_pids($1_mail_t)
 
 	logging_send_syslog_msg($1_mail_t)
 
@@ -86,6 +93,8 @@ template(`mta_per_userdomain_template',`
 	sysnet_read_config($1_mail_t)
 
 	userdom_use_user_terminals($1,$1_mail_t)
+	# Write to the user domain tty. cjp: why?
+	userdom_use_user_terminals($1,mta_user_agent)
 
 	tunable_policy(`use_dns',`
 		allow $1_mail_t self:udp_socket create_socket_perms;
@@ -113,14 +122,6 @@ template(`mta_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-	allow $1_mail_t device_t:dir search;
-
-	# It wants to check for nscd
-	dontaudit $1_mail_t var_run_t:dir search;
-
-	# For when the user wants to send mail via port 25 localhost
-	can_tcp_connect($1_t, mail_server_domain)
-
 	# Read user temporary files.
 	allow $1_mail_t $1_tmp_t:file r_file_perms;
 	dontaudit $1_mail_t $1_tmp_t:file append;
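Review bot: `userdom_use_user_terminals($1,mta_user_agent)` is expanded from a per-user template but targets the module-wide `mta_user_agent` attribute, so every instantiation gives all mail user-agent domains use of that user's terminals, and the comment beside it, `# Write to the user domain tty. cjp: why?`, records that the need is not understood. The equivalent rules it replaces (`allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms;` in the next hunk) appear to have lived inside the `ifdef(`TODO'` block opened here, which would make this the first time the grant is live. Until the reason is known it seems safer to keep the call under `ifdef(`TODO'` as well, or to replace the question with the actual requirement once found.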
@@ -129,26 +130,21 @@ template(`mta_per_userdomain_template',`
 		allow $1_mail_t $1_tmp_t:file write;
 	')
 
+	# cjp: why?
 	allow mta_user_agent $1_tmp_t:file r_file_perms;
 
-	# Write to the user domain tty.
-	allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms;
-	allow mta_user_agent devpts_t:dir r_dir_perms;
-	allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;
-
 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
 
 	# Create dead.letter in user home directories.
 	file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
-
 	# if you do not want to allow dead.letter then use the following instead
 	#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
 	#allow $1_mail_t $1_home_t:file r_file_perms;
 
 	# for reading .forward - maybe we need a new type for it?
 	# also for delivering mail to maildir
-	file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
+	file_type_auto_trans(mailserver_delivery, $1_home_dir_t, $1_home_t)
 
 	ifdef(`qmail.te', `
 		allow $1_mail_t qmail_etc_t:dir search;
@@ -167,6 +163,9 @@ interface(`mta_mailserver',`
 		attribute mailserver_domain;
 	')
 
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($1)
+
 	init_daemon_domain($1,$2)
 	typeattribute $1 mailserver_domain;
 ')
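Review bot: `kernel_tcp_recvfrom($1)` with the identical `# For when the user wants to send mail via port 25 localhost` comment is added to both `mta_mailserver` here and `mta_sendmail_mailserver` in the next hunk, and both interfaces end with `typeattribute $1 mailserver_domain;`. Since mta.te owns `mailserver_domain`, one `kernel_tcp_recvfrom(mailserver_domain)` in mta.te would cover both interfaces and any mailserver interface added later, leaving a single place to adjust. If the per-interface placement is deliberate, a short comment saying why would stop the next reader deduplicating it.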
@@ -202,10 +201,65 @@ interface(`mta_sendmail_mailserver',`
 		type sendmail_exec_t;
 	')
 
+	# For when the user wants to send mail via port 25 localhost
+	kernel_tcp_recvfrom($1)
+
 	init_system_domain($1,sendmail_exec_t)
 	typeattribute $1 mailserver_domain;
 ')
 
+#######################################
+##
+## Make a type a mailserver type used
+## for sending mail.
+##
+##
+## Mail server domain type used for sending mail.
+##
+#
+interface(`mta_mailserver_sender',`
+	gen_require(`
+		attribute mailserver_sender;
+	')
+
+	typeattribute $1 mailserver_sender;
+')
+
+#######################################
+##
+## Make a type a mailserver type used
+## for delivering mail to local users.
+##
+##
+## Mail server domain type used for delivering mail.
+##
+#
+interface(`mta_mailserver_delivery',`
+	gen_require(`
+		attribute mailserver_delivery;
+	')
+
+	typeattribute $1 mailserver_delivery;
+')
+
+#######################################
+##
+## Make a type a mailserver type used
+## for sending mail on behalf of local
+## users to the local mail spool.
+##
+##
+## Mail server domain type used for sending local mail.
+##
+#
+interface(`mta_mailserver_user_agent',`
+	gen_require(`
+		attribute mailserver_user_agent;
+	')
+
+	typeattribute $1 mailserver_user_agent;
+')
+
 #######################################
 #
 # mta_send_mail(domain)
@@ -332,6 +386,28 @@ interface(`mta_rw_spool',`
 	allow $1 mail_spool_t:file { rw_file_perms setattr };
 ')
 
+#######################################
+##
+## Create, read, and write the mail spool.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mta_append_spool',`
+	gen_require(`
+		type mail_spool_t;
+		class dir ra_dir_perms;
+		class lnk_file { getattr read };
+		class file create_file_perms;
+	')
+
+	files_search_spool($1)
+	allow $1 mail_spool_t:dir ra_dir_perms;
+	allow $1 mail_spool_t:lnk_file { getattr read };
+	allow $1 mail_spool_t:file create_file_perms;
+')
+
 #######################################
 #
 # mta_manage_spool(domain)
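Review bot: `mta_mailserver_user_agent` requires `attribute mailserver_user_agent;`, but the attribute this patch declares in mta.te (the `@@ -6,14 +6,17 @@` hunk) is `mta_user_agent`, and mta.if itself uses `mta_user_agent` in `userdom_use_user_terminals($1,mta_user_agent)`. The first module that calls this interface will therefore fail on an unresolved requirement. Either declare `attribute mailserver_user_agent;` in mta.te or change the require and `typeattribute $1 mailserver_user_agent;` lines here to `mta_user_agent` so one name is used throughout.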
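Review bot: `mta_append_spool` promises append-only access by name, but its body grants `create_file_perms` on spool files and the summary says `Create, read, and write the mail spool.`, so a delivery agent picked up by name gets full write access to every mailbox rather than the append that a local-delivery role needs. Either narrow the file rule to a read/append set to match the `ra_dir_perms` already used for the directory, or rename the interface so the name states what is granted; the neighbouring `mta_rw_spool` and `mta_manage_spool` already cover the wider cases.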
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 6c2ea5b2..3a112e90 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -6,14 +6,17 @@ policy_module(mta,1.0)
 # Declarations
 #
 
+attribute mta_user_agent;
+attribute mailserver_delivery;
+attribute mailserver_domain;
+attribute mailserver_sender;
+
 type etc_aliases_t;
 files_type(etc_aliases_t)
 
 type etc_mail_t;
 files_type(etc_mail_t)
 
-attribute mailserver_domain;
-
 type mqueue_spool_t;
 files_type(mqueue_spool_t)
 
@@ -23,7 +26,7 @@ files_type(mail_spool_t)
 type sendmail_exec_t;
 files_type(sendmail_exec_t)
 
-type system_mail_t; #, user_mail_domain
+type system_mail_t;
 domain_type(system_mail_t)
 role system_r types system_mail_t;
 
@@ -66,12 +69,14 @@ fs_getattr_xattr_fs(system_mail_t)
 
 init_use_script_pty(system_mail_t)
 
-files_read_etc_runtime_files(system_mail_t)
 files_read_etc_files(system_mail_t)
+files_read_etc_runtime_files(system_mail_t)
+files_search_spool(system_mail_t)
 # It wants to check for nscd
 files_dontaudit_search_pids(system_mail_t)
 
 corecmd_exec_bin(system_mail_t)
+corecmd_search_sbin(system_mail_t)
 
 libs_use_ld_so(system_mail_t)
 libs_use_shared_libs(system_mail_t)
@@ -82,74 +87,9 @@ miscfiles_read_localization(system_mail_t)
 
 sysnet_read_config(system_mail_t)
 
-tunable_policy(`use_dns',`
-	allow system_mail_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(system_mail_t)
-	corenet_udp_sendrecv_all_nodes(system_mail_t)
-	corenet_udp_bind_all_nodes(system_mail_t)
-	corenet_udp_sendrecv_dns_port(system_mail_t)
-')
-
-optional_policy(`nis.te',`
-	nis_use_ypbind(system_mail_t)
-')
-
-optional_policy(`nscd.te',`
-	nscd_use_socket(system_mail_t)
-')
-
-optional_policy(`procmail.te',`
-	procmail_exec(system_mail_t)
-')
-
-ifdef(`TODO',`
-
-optional_policy(`sendmail.te',`
-	allow system_mail_t etc_mail_t:dir { getattr search };
-
-	kernel_read_system_state(system_mail_t)
-
-	fs_getattr_xattr_fs(system_mail_t)
-
-	files_read_etc_runtime_files(system_mail_t)
-
-	dontaudit system_mail_t proc_net_t:dir search;
-
-	allow system_mail_t var_t:dir getattr;
-	allow system_mail_t var_spool_t:dir getattr;
-	dontaudit system_mail_t userpty_type:chr_file { getattr read write };
-
-	# sendmail -q
-	allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
-	allow system_mail_t mqueue_spool_t:file create_file_perms;
-
-	optional_policy(`crond.te', `
-		dontaudit system_mail_t system_crond_tmp_t:file append;
-	')
-')
-
-allow system_mail_t device_t:dir search;
-allow system_mail_t { var_t var_spool_t }:dir search;
-allow system_mail_t sbin_t:dir search;
-
-# Transition from a system domain to the derived domain.
-domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
-
-optional_policy(`crond.te',`
-	# Read cron temporary files.
-	allow system_mail_t system_crond_tmp_t:file r_file_perms;
-	allow mta_user_agent system_crond_tmp_t:file r_file_perms;
-')
-
-ifdef(`qmail.te', `
-	allow system_mail_t qmail_etc_t:dir search;
-	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
-')
-
-ifdef(`targeted_policy', `
-	allow system_mail_t { var_t var_spool_t }:dir getattr;
+userdom_use_sysadm_terms(system_mail_t)
+ifdef(`targeted_policy',`
 	allow system_mail_t etc_mail_t:file r_file_perms;
 	allow system_mail_t mail_spool_t:dir create_dir_perms;
@@ -174,63 +114,76 @@ ifdef(`targeted_policy', `
 	libs_exec_ld_so(system_mail_t)
 	libs_exec_lib_files(system_mail_t)
 ')
-',`
-	optional_policy(`sendmail.te', `
-		# sendmail has an ugly design, the one process parses input from the user and
-		# then does system things with it.
-		domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
-	')
+')
+tunable_policy(`use_dns',`
+	allow system_mail_t self:udp_socket create_socket_perms;
+	corenet_udp_sendrecv_all_if(system_mail_t)
+	corenet_udp_sendrecv_all_nodes(system_mail_t)
+	corenet_udp_bind_all_nodes(system_mail_t)
+	corenet_udp_sendrecv_dns_port(system_mail_t)
+')
+
+optional_policy(`cron.te',`
+	cron_read_system_job_tmp_files(system_mail_t)
+')
+
+optional_policy(`logrotate.te',`
+	logrotate_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(system_mail_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(system_mail_t)
+')
+
+optional_policy(`procmail.te',`
+	procmail_exec(system_mail_t)
+')
+
+optional_policy(`sendmail.te',`
+	allow system_mail_t etc_mail_t:dir { getattr search };
+
+	# sendmail -q
+	allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
+	allow system_mail_t mqueue_spool_t:file create_file_perms;
+')
+
+ifdef(`TODO',`
+optional_policy(`sendmail.te',`
+	allow system_mail_t { var_t var_spool_t }:dir getattr;
+	dontaudit system_mail_t userpty_type:chr_file { getattr read write };
+
+	optional_policy(`crond.te', `
+		dontaudit system_mail_t system_crond_tmp_t:file append;
+	')
+')
+
+ifdef(`targeted_policy',`
+	allow system_mail_t { var_t var_spool_t }:dir getattr;
+',`
 	# allow the sysadmin to do "mail someone < /home/user/whatever"
 	allow sysadm_mail_t user_home_dir_type:dir search;
 	r_dir_file(sysadm_mail_t, user_home_type)
 ')
 
-# for a mail server process that does things in response to a user command
-allow mta_user_agent userdomain:process sigchld;
-allow mta_user_agent { userdomain privfd }:fd use;
-ifdef(`crond.te', `
-allow mta_user_agent crond_t:process sigchld;
-')
-allow mta_user_agent sysadm_t:fifo_file { read write };
+allow system_mail_t privmail:fd use;
+allow system_mail_t privmail:process sigchld;
+allow system_mail_t privmail:fifo_file { read write };
-allow { system_mail_t mta_user_agent } privmail:fd use;
-allow { system_mail_t mta_user_agent } privmail:process sigchld;
-allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
-allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
 
+optional_policy(`arpwatch.te',`
+	allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
-ifdef(`arpwatch.te', `
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
-')dnl end if arpwatch.te
-
-allow mta_delivery_agent home_root_t:dir { getattr search };
-
-# for /var/spool/mail
-ra_dir_create_file(mta_delivery_agent, mail_spool_t)
-
-# for piping mail to a command
-can_exec(mta_delivery_agent, shell_exec_t)
-allow mta_delivery_agent bin_t:dir search;
-allow mta_delivery_agent bin_t:lnk_file read;
-allow mta_delivery_agent { etc_runtime_t proc_t }:file r_file_perms;
-
-# Transition from a system domain to the derived domain.
-domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file r_file_perms;
-
-ifdef(`crond.te', `
-# Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file r_file_perms;
-allow mta_user_agent system_crond_tmp_t:file r_file_perms;
+	ifdef(`hide_broken_symptoms', `
+		dontaudit system_mail_t arpwatch_t:packet_socket { read write };
+	')
 ')
 
-optional_policy(`logrotate.te', `
-	allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
+optional_policy(`qmail.te',`
+	allow system_mail_t qmail_etc_t:dir search;
+	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
 ')
-
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 05893206..47ce1438 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -6,8 +6,10 @@ policy_module(sendmail,1.0)
 # Declarations
 #
 
-type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm)
+type sendmail_t;
 mta_sendmail_mailserver(sendmail_t)
+mta_mailserver_delivery(sendmail_t)
+mta_mailserver_sender(sendmail_t)
 
 type sendmail_log_t;
 logging_log_file(sendmail_log_t)
@@ -40,8 +42,8 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta
 files_create_pid(sendmail_t,sendmail_var_run_t)
 
 kernel_read_kernel_sysctl(sendmail_t)
-kernel_list_proc(sendmail_t)
-kernel_read_proc_symlinks(sendmail_t)
+# for piping mail to a command
+kernel_read_system_state(sendmail_t)
 
 corenet_tcp_sendrecv_all_if(sendmail_t)
 corenet_raw_sendrecv_all_if(sendmail_t)
@@ -63,10 +65,15 @@ fs_search_auto_mountpoints(sendmail_t)
 
 term_dontaudit_use_console(sendmail_t)
 
+# for piping mail to a command
+corecmd_exec_shell(sendmail_t)
+
 domain_use_wide_inherit_fd(sendmail_t)
 
 files_read_etc_files(sendmail_t)
 files_search_spool(sendmail_t)
+# for piping mail to a command
+files_read_etc_runtime_files(sendmail_t)
 
 init_use_fd(sendmail_t)
 init_use_script_pty(sendmail_t)
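Review bot: Every rule that gave `mta_user_agent` its behaviour is removed in this hunk (`allow mta_user_agent userdomain:process sigchld;`, the `{ userdomain privfd }:fd use`, `crond_t:process sigchld`, `privmail`, `admin_tty_type`, cron/logrotate tmp and arpwatch lines), yet nothing in the patch re-grants them through the `cron_sigchld` and `userdom_sigcld_all_users` interfaces it adds; the attribute is declared in mta.te and otherwise used only by `userdom_use_user_terminals` in mta.if. These lines sat inside the `ifdef(`TODO'` block, so live policy may be unchanged, but the new interfaces now have no caller anywhere in the patch. If this is deliberate groundwork, a comment after `attribute mta_user_agent;` such as `# rules for this attribute are still under TODO; see cron_sigchld/userdom_sigcld_all_users` would save the next reader from hunting for the calls. Note that the new `allow system_mail_t privmail:fd use;` lines and the arpwatch/qmail blocks also remain inside `ifdef(`TODO'`, as the trailing `') dnl end TODO` shows.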
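Review bot: `corecmd_exec_shell(sendmail_t)` lets the daemon domain run a shell without a domain transition, so the command it pipes mail to (the stated purpose of the comment) runs with sendmail_t's full privileges. The removed TODO rules in mta.te attached this capability to the delivery attribute (`can_exec(mta_delivery_agent, shell_exec_t)`), and this patch creates `mailserver_delivery` for exactly that role, so placing `corecmd_exec_shell` and `files_read_etc_runtime_files` on `mailserver_delivery` in mta.te would keep the patch's own attribute design and give other delivery agents the same rules. The `kernel_read_system_state(sendmail_t)` in the `@@ -40,8 +42,8 @@` hunk is wider than the `kernel_list_proc`/`kernel_read_proc_symlinks` pair it replaces; if the piping case needs only the narrower pair, keeping them would avoid the extra grant.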
@@ -121,6 +128,11 @@ optional_policy(`rhgb.te', `
 	rhgb_domain(sendmail_t)
 ')
 
+optional_policy(`arpwatch.te',`
+	# why is mail delivered to a directory of type arpwatch_data_t?
+	allow mta_delivery_agent arpwatch_data_t:dir search;
+')
+
 #
 # Need this transition to create /etc/aliases.db
 #
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 04a37dad..b132ba26 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1860,6 +1860,23 @@ interface(`userdom_signal_all_users',`
 	allow $1 userdomain:process signal;
 ')
 
+########################################
+##
+## Send a SIGCHLD signal to all user domains.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_sigcld_all_users',`
+	gen_require(`
+		attribute userdomain;
+		class process sigchld;
+	')
+
+	allow $1 userdomain:process sigghld;
+')
+
 ########################################
 ##
 ## Unconfined access to user domains.
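Review bot: `allow mta_delivery_agent arpwatch_data_t:dir search;` uses the attribute name this patch retires: mta.if now writes `file_type_auto_trans(mailserver_delivery, ...)` and mta.te declares `mailserver_delivery`, not `mta_delivery_agent`, so this block will not build once `arpwatch.te` is present. It is also a raw allow on another module's type with no `gen_require` for `arpwatch_data_t`; the refpolicy way is an interface in arpwatch.if (a constructed name such as `arpwatch_search_data`) called from here. Since the rule applies to an attribute rather than to `sendmail_t`, the call belongs in mta.te next to the other attribute rules; if the grant is meant only for sendmail, the subject should be `sendmail_t`.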
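Review bot: `allow $1 userdomain:process sigghld;` misspells the permission; the `gen_require` just above declares `class process sigchld;`, so the rule should read `allow $1 userdomain:process sigchld;`. The interface name `userdom_sigcld_all_users` also drops the `h` that the summary's SIGCHLD, the require block and the sibling `cron_sigchld` all keep, so `userdom_sigchld_all_users` would be the consistent spelling. No caller appears in this patch, so the error would only surface when a module first uses the interface.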