fix up most of mta attribute insanity

Chris PeBenito 2005-08-30 20:47:41 +00:00
parent 451c1e3d59
commit 246839f3d2
7 changed files with 268 additions and 139 deletions


@ -82,3 +82,21 @@ interface(`logrotate_dontaudit_use_fd',`
dontaudit $1 logrotate_t:fd use; dontaudit $1 logrotate_t:fd use;
') ')
########################################
## <summary>
## Read a logrotate temporary files.
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`logrotate_read_tmp_files',`
gen_require(`
type logrotate_tmp_t;
class file r_file_perms;
')
files_search_tmp($1)
allow $1 logrotate_tmp_t:file r_file_perms;
')
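Review bot: The parameter description on `logrotate_read_tmp_files` says "The type of the process to not audit.", which looks copied from the dontaudit interface above it; this interface grants access with `allow $1 logrotate_tmp_t:file r_file_perms;`. A reader choosing between interfaces by their documentation could take it for a noise-suppression rule. I would change the parameter text to `## Domain allowed access.` and the summary to `## Read logrotate temporary files.`.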


@ -553,6 +553,25 @@ interface(`kernel_dontaudit_getattr_message_if',`
dontaudit $1 proc_kmsg_t:file getattr; dontaudit $1 proc_kmsg_t:file getattr;
') ')
########################################
## <summary>
## Do not audit attempts to search the network
## state directory.
## </summary>
## <param name="domain">
## The process type reading the state.
## </param>
##
#
interface(`kernel_dontaudit_search_network_state',`
gen_require(`
type proc_net_t;
class dir search;
')
allow $1 proc_net_t:dir search;
')
######################################## ########################################
## <summary> ## <summary>
## Allow caller to read the network state information. ## Allow caller to read the network state information.
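Review bot: `kernel_dontaudit_search_network_state` is named and documented as a dontaudit interface, but its only rule is `allow $1 proc_net_t:dir search;`, so every caller is granted search on the network state directory instead of having the denial silenced. The rule should read `dontaudit $1 proc_net_t:dir search;`, which also matches the raw `dontaudit system_mail_t proc_net_t:dir search;` that the mta TODO block carried. The parameter text "The process type reading the state." would be clearer as `## Domain to not audit.`, and the stray `##` line before the closing `#` can be dropped.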


@ -314,6 +314,23 @@ interface(`cron_system_entry',`
allow $1 crond_t:process sigchld; allow $1 crond_t:process sigchld;
') ')
########################################
## <summary>
## Send a SIGCHLD signal to the cron daemon.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cron_sigchld',`
gen_require(`
type crond_t;
class process sigchld;
')
allow $1 crond_t:process sigchld;
')
######################################## ########################################
## <summary> ## <summary>
## Read a cron daemon unnamed pipe ## Read a cron daemon unnamed pipe
@ -331,7 +348,6 @@ interface(`cron_read_pipe',`
allow $1 crond_t:file r_file_perms; allow $1 crond_t:file r_file_perms;
') ')
######################################## ########################################
## <summary> ## <summary>
## Read and write the cron daemon log files. ## Read and write the cron daemon log files.
@ -367,3 +383,21 @@ interface(`cron_search_spool',`
files_search_spool($1) files_search_spool($1)
allow $1 cron_spool_t:dir search; allow $1 cron_spool_t:dir search;
') ')
########################################
## <summary>
## Read temporary files from the system cron jobs.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
type system_crond_tmp_t;
class file r_file_perms;
')
files_search_tmp($1)
allow $1 system_crond_tmp_t:file r_file_perms;
')


@ -28,7 +28,7 @@
## </param> ## </param>
# #
template(`mta_per_userdomain_template',` template(`mta_per_userdomain_template',`
type $1_mail_t; # , user_mail_domain type $1_mail_t;
domain_type($1_mail_t) domain_type($1_mail_t)
role $3 types $1_mail_t; role $3 types $1_mail_t;
@ -59,6 +59,11 @@ template(`mta_per_userdomain_template',`
allow $1_mail_t $2:fifo_file rw_file_perms; allow $1_mail_t $2:fifo_file rw_file_perms;
allow $1_mail_t $2:process sigchld; allow $1_mail_t $2:process sigchld;
# For when the user wants to send mail via port 25 localhost
kernel_tcp_recvfrom($2)
allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
kernel_read_kernel_sysctl($1_mail_t) kernel_read_kernel_sysctl($1_mail_t)
corenet_tcp_sendrecv_all_if($1_mail_t) corenet_tcp_sendrecv_all_if($1_mail_t)
@ -78,6 +83,8 @@ template(`mta_per_userdomain_template',`
files_read_etc_files($1_mail_t) files_read_etc_files($1_mail_t)
files_search_spool($1_mail_t) files_search_spool($1_mail_t)
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
logging_send_syslog_msg($1_mail_t) logging_send_syslog_msg($1_mail_t)
@ -86,6 +93,8 @@ template(`mta_per_userdomain_template',`
sysnet_read_config($1_mail_t) sysnet_read_config($1_mail_t)
userdom_use_user_terminals($1,$1_mail_t) userdom_use_user_terminals($1,$1_mail_t)
# Write to the user domain tty. cjp: why?
userdom_use_user_terminals($1,mta_user_agent)
tunable_policy(`use_dns',` tunable_policy(`use_dns',`
allow $1_mail_t self:udp_socket create_socket_perms; allow $1_mail_t self:udp_socket create_socket_perms;
@ -113,14 +122,6 @@ template(`mta_per_userdomain_template',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
allow $1_mail_t device_t:dir search;
# It wants to check for nscd
dontaudit $1_mail_t var_run_t:dir search;
# For when the user wants to send mail via port 25 localhost
can_tcp_connect($1_t, mail_server_domain)
# Read user temporary files. # Read user temporary files.
allow $1_mail_t $1_tmp_t:file r_file_perms; allow $1_mail_t $1_tmp_t:file r_file_perms;
dontaudit $1_mail_t $1_tmp_t:file append; dontaudit $1_mail_t $1_tmp_t:file append;
@ -129,26 +130,21 @@ template(`mta_per_userdomain_template',`
allow $1_mail_t $1_tmp_t:file write; allow $1_mail_t $1_tmp_t:file write;
') ')
# cjp: why?
allow mta_user_agent $1_tmp_t:file r_file_perms; allow mta_user_agent $1_tmp_t:file r_file_perms;
# Write to the user domain tty.
allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms;
allow mta_user_agent devpts_t:dir r_dir_perms;
allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;
# Inherit and use descriptors from gnome-pty-helper. # Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;') ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
# Create dead.letter in user home directories. # Create dead.letter in user home directories.
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file) file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
# if you do not want to allow dead.letter then use the following instead # if you do not want to allow dead.letter then use the following instead
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
#allow $1_mail_t $1_home_t:file r_file_perms; #allow $1_mail_t $1_home_t:file r_file_perms;
# for reading .forward - maybe we need a new type for it? # for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir # also for delivering mail to maildir
file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t) file_type_auto_trans(mailserver_delivery, $1_home_dir_t, $1_home_t)
ifdef(`qmail.te', ` ifdef(`qmail.te', `
allow $1_mail_t qmail_etc_t:dir search; allow $1_mail_t qmail_etc_t:dir search;
@ -167,6 +163,9 @@ interface(`mta_mailserver',`
attribute mailserver_domain; attribute mailserver_domain;
') ')
# For when the user wants to send mail via port 25 localhost
kernel_tcp_recvfrom($1)
init_daemon_domain($1,$2) init_daemon_domain($1,$2)
typeattribute $1 mailserver_domain; typeattribute $1 mailserver_domain;
') ')
@ -202,10 +201,65 @@ interface(`mta_sendmail_mailserver',`
type sendmail_exec_t; type sendmail_exec_t;
') ')
# For when the user wants to send mail via port 25 localhost
kernel_tcp_recvfrom($1)
init_system_domain($1,sendmail_exec_t) init_system_domain($1,sendmail_exec_t)
typeattribute $1 mailserver_domain; typeattribute $1 mailserver_domain;
') ')
#######################################
## <summary>
## Make a type a mailserver type used
## for sending mail.
## </summary>
## <param name="domain">
## Mail server domain type used for sending mail.
## </param>
#
interface(`mta_mailserver_sender',`
gen_require(`
attribute mailserver_sender;
')
typeattribute $1 mailserver_sender;
')
#######################################
## <summary>
## Make a type a mailserver type used
## for delivering mail to local users.
## </summary>
## <param name="domain">
## Mail server domain type used for delivering mail.
## </param>
#
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
')
typeattribute $1 mailserver_delivery;
')
#######################################
## <summary>
## Make a type a mailserver type used
## for sending mail on behalf of local
## users to the local mail spool.
## </summary>
## <param name="domain">
## Mail server domain type used for sending local mail.
## </param>
#
interface(`mta_mailserver_user_agent',`
gen_require(`
attribute mailserver_user_agent;
')
typeattribute $1 mailserver_user_agent;
')
####################################### #######################################
# #
# mta_send_mail(domain) # mta_send_mail(domain)
@ -332,6 +386,28 @@ interface(`mta_rw_spool',`
allow $1 mail_spool_t:file { rw_file_perms setattr }; allow $1 mail_spool_t:file { rw_file_perms setattr };
') ')
#######################################
## <summary>
## Create, read, and write the mail spool.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`mta_append_spool',`
gen_require(`
type mail_spool_t;
class dir ra_dir_perms;
class lnk_file { getattr read };
class file create_file_perms;
')
files_search_spool($1)
allow $1 mail_spool_t:dir ra_dir_perms;
allow $1 mail_spool_t:lnk_file { getattr read };
allow $1 mail_spool_t:file create_file_perms;
')
####################################### #######################################
# #
# mta_manage_spool(domain) # mta_manage_spool(domain)
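Review bot: `mta_mailserver_user_agent` requires and assigns `attribute mailserver_user_agent;`, but the template earlier in this file refers to `mta_user_agent` (in `userdom_use_user_terminals($1,mta_user_agent)`), and the declarations shown in the `policy_module(mta,1.0)` hunk list only `mta_user_agent`, `mailserver_delivery`, `mailserver_domain` and `mailserver_sender`. Unless `mailserver_user_agent` is declared outside the visible hunks, a caller of this interface either fails the `gen_require` or puts its type on an attribute that no rule references, so the intended access is never granted. One name should be used in all three places, for example `attribute mta_user_agent;` and `typeattribute $1 mta_user_agent;` in the interface.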


@ -6,14 +6,17 @@ policy_module(mta,1.0)
# Declarations # Declarations
# #
attribute mta_user_agent;
attribute mailserver_delivery;
attribute mailserver_domain;
attribute mailserver_sender;
type etc_aliases_t; type etc_aliases_t;
files_type(etc_aliases_t) files_type(etc_aliases_t)
type etc_mail_t; type etc_mail_t;
files_type(etc_mail_t) files_type(etc_mail_t)
attribute mailserver_domain;
type mqueue_spool_t; type mqueue_spool_t;
files_type(mqueue_spool_t) files_type(mqueue_spool_t)
@ -23,7 +26,7 @@ files_type(mail_spool_t)
type sendmail_exec_t; type sendmail_exec_t;
files_type(sendmail_exec_t) files_type(sendmail_exec_t)
type system_mail_t; #, user_mail_domain type system_mail_t;
domain_type(system_mail_t) domain_type(system_mail_t)
role system_r types system_mail_t; role system_r types system_mail_t;
@ -66,12 +69,14 @@ fs_getattr_xattr_fs(system_mail_t)
init_use_script_pty(system_mail_t) init_use_script_pty(system_mail_t)
files_read_etc_runtime_files(system_mail_t)
files_read_etc_files(system_mail_t) files_read_etc_files(system_mail_t)
files_read_etc_runtime_files(system_mail_t)
files_search_spool(system_mail_t)
# It wants to check for nscd # It wants to check for nscd
files_dontaudit_search_pids(system_mail_t) files_dontaudit_search_pids(system_mail_t)
corecmd_exec_bin(system_mail_t) corecmd_exec_bin(system_mail_t)
corecmd_search_sbin(system_mail_t)
libs_use_ld_so(system_mail_t) libs_use_ld_so(system_mail_t)
libs_use_shared_libs(system_mail_t) libs_use_shared_libs(system_mail_t)
@ -82,74 +87,9 @@ miscfiles_read_localization(system_mail_t)
sysnet_read_config(system_mail_t) sysnet_read_config(system_mail_t)
tunable_policy(`use_dns',` userdom_use_sysadm_terms(system_mail_t)
allow system_mail_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_all_if(system_mail_t)
corenet_udp_sendrecv_all_nodes(system_mail_t)
corenet_udp_bind_all_nodes(system_mail_t)
corenet_udp_sendrecv_dns_port(system_mail_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(system_mail_t)
')
optional_policy(`nscd.te',`
nscd_use_socket(system_mail_t)
')
optional_policy(`procmail.te',`
procmail_exec(system_mail_t)
')
ifdef(`TODO',`
optional_policy(`sendmail.te',`
allow system_mail_t etc_mail_t:dir { getattr search };
kernel_read_system_state(system_mail_t)
fs_getattr_xattr_fs(system_mail_t)
files_read_etc_runtime_files(system_mail_t)
dontaudit system_mail_t proc_net_t:dir search;
allow system_mail_t var_t:dir getattr;
allow system_mail_t var_spool_t:dir getattr;
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
# sendmail -q
allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
allow system_mail_t mqueue_spool_t:file create_file_perms;
optional_policy(`crond.te', `
dontaudit system_mail_t system_crond_tmp_t:file append;
')
')
allow system_mail_t device_t:dir search;
allow system_mail_t { var_t var_spool_t }:dir search;
allow system_mail_t sbin_t:dir search;
# Transition from a system domain to the derived domain.
domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
allow privmail sendmail_exec_t:lnk_file { getattr read };
optional_policy(`crond.te',`
# Read cron temporary files.
allow system_mail_t system_crond_tmp_t:file r_file_perms;
allow mta_user_agent system_crond_tmp_t:file r_file_perms;
')
ifdef(`qmail.te', `
allow system_mail_t qmail_etc_t:dir search;
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
allow system_mail_t { var_t var_spool_t }:dir getattr;
allow system_mail_t etc_mail_t:file r_file_perms; allow system_mail_t etc_mail_t:file r_file_perms;
allow system_mail_t mail_spool_t:dir create_dir_perms; allow system_mail_t mail_spool_t:dir create_dir_perms;
@ -174,63 +114,76 @@ ifdef(`targeted_policy', `
libs_exec_ld_so(system_mail_t) libs_exec_ld_so(system_mail_t)
libs_exec_lib_files(system_mail_t) libs_exec_lib_files(system_mail_t)
') ')
',`
optional_policy(`sendmail.te', `
# sendmail has an ugly design, the one process parses input from the user and
# then does system things with it.
domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
') ')
tunable_policy(`use_dns',`
allow system_mail_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_all_if(system_mail_t)
corenet_udp_sendrecv_all_nodes(system_mail_t)
corenet_udp_bind_all_nodes(system_mail_t)
corenet_udp_sendrecv_dns_port(system_mail_t)
')
optional_policy(`cron.te',`
cron_read_system_job_tmp_files(system_mail_t)
')
optional_policy(`logrotate.te',`
logrotate_read_tmp_files(system_mail_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(system_mail_t)
')
optional_policy(`nscd.te',`
nscd_use_socket(system_mail_t)
')
optional_policy(`procmail.te',`
procmail_exec(system_mail_t)
')
optional_policy(`sendmail.te',`
allow system_mail_t etc_mail_t:dir { getattr search };
# sendmail -q
allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
allow system_mail_t mqueue_spool_t:file create_file_perms;
')
ifdef(`TODO',`
optional_policy(`sendmail.te',`
allow system_mail_t { var_t var_spool_t }:dir getattr;
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
optional_policy(`crond.te', `
dontaudit system_mail_t system_crond_tmp_t:file append;
')
')
ifdef(`targeted_policy',`
allow system_mail_t { var_t var_spool_t }:dir getattr;
',`
# allow the sysadmin to do "mail someone < /home/user/whatever" # allow the sysadmin to do "mail someone < /home/user/whatever"
allow sysadm_mail_t user_home_dir_type:dir search; allow sysadm_mail_t user_home_dir_type:dir search;
r_dir_file(sysadm_mail_t, user_home_type) r_dir_file(sysadm_mail_t, user_home_type)
') ')
# for a mail server process that does things in response to a user command allow system_mail_t privmail:fd use;
allow mta_user_agent userdomain:process sigchld; allow system_mail_t privmail:process sigchld;
allow mta_user_agent { userdomain privfd }:fd use; allow system_mail_t privmail:fifo_file { read write };
ifdef(`crond.te', `
allow mta_user_agent crond_t:process sigchld;
')
allow mta_user_agent sysadm_t:fifo_file { read write };
allow { system_mail_t mta_user_agent } privmail:fd use; optional_policy(`arpwatch.te',`
allow { system_mail_t mta_user_agent } privmail:process sigchld; allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
ifdef(`arpwatch.te', `
# why is mail delivered to a directory of type arpwatch_data_t?
allow mta_delivery_agent arpwatch_data_t:dir search;
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
ifdef(`hide_broken_symptoms', ` ifdef(`hide_broken_symptoms', `
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write }; dontaudit system_mail_t arpwatch_t:packet_socket { read write };
') ')
')dnl end if arpwatch.te
allow mta_delivery_agent home_root_t:dir { getattr search };
# for /var/spool/mail
ra_dir_create_file(mta_delivery_agent, mail_spool_t)
# for piping mail to a command
can_exec(mta_delivery_agent, shell_exec_t)
allow mta_delivery_agent bin_t:dir search;
allow mta_delivery_agent bin_t:lnk_file read;
allow mta_delivery_agent { etc_runtime_t proc_t }:file r_file_perms;
# Transition from a system domain to the derived domain.
domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
allow privmail sendmail_exec_t:lnk_file r_file_perms;
ifdef(`crond.te', `
# Read cron temporary files.
allow system_mail_t system_crond_tmp_t:file r_file_perms;
allow mta_user_agent system_crond_tmp_t:file r_file_perms;
') ')
optional_policy(`logrotate.te', ` optional_policy(`qmail.te',`
allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms; allow system_mail_t qmail_etc_t:dir search;
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
') ')
') dnl end TODO ') dnl end TODO
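Review bot: The module name used to guard the cron rules is inconsistent within this file: the new block that calls `cron_read_system_job_tmp_files(system_mail_t)` tests for `cron.te`, while the sendmail sub-block inside the TODO section still tests for `crond.te` around `dontaudit system_mail_t system_crond_tmp_t:file append;`. The rendered page does not mark which side each line is on, so this is inferred from the hunk layout. If only one of the two names exists as a module, the other guard never fires and its rules are silently dropped. I would use `cron.te` in both places and note in a comment which module provides `system_crond_tmp_t`.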


@ -6,8 +6,10 @@ policy_module(sendmail,1.0)
# Declarations # Declarations
# #
type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm) type sendmail_t;
mta_sendmail_mailserver(sendmail_t) mta_sendmail_mailserver(sendmail_t)
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
type sendmail_log_t; type sendmail_log_t;
logging_log_file(sendmail_log_t) logging_log_file(sendmail_log_t)
@ -40,8 +42,8 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta
files_create_pid(sendmail_t,sendmail_var_run_t) files_create_pid(sendmail_t,sendmail_var_run_t)
kernel_read_kernel_sysctl(sendmail_t) kernel_read_kernel_sysctl(sendmail_t)
kernel_list_proc(sendmail_t) # for piping mail to a command
kernel_read_proc_symlinks(sendmail_t) kernel_read_system_state(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t) corenet_tcp_sendrecv_all_if(sendmail_t)
corenet_raw_sendrecv_all_if(sendmail_t) corenet_raw_sendrecv_all_if(sendmail_t)
@ -63,10 +65,15 @@ fs_search_auto_mountpoints(sendmail_t)
term_dontaudit_use_console(sendmail_t) term_dontaudit_use_console(sendmail_t)
# for piping mail to a command
corecmd_exec_shell(sendmail_t)
domain_use_wide_inherit_fd(sendmail_t) domain_use_wide_inherit_fd(sendmail_t)
files_read_etc_files(sendmail_t) files_read_etc_files(sendmail_t)
files_search_spool(sendmail_t) files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
init_use_fd(sendmail_t) init_use_fd(sendmail_t)
init_use_script_pty(sendmail_t) init_use_script_pty(sendmail_t)
@ -121,6 +128,11 @@ optional_policy(`rhgb.te', `
rhgb_domain(sendmail_t) rhgb_domain(sendmail_t)
') ')
optional_policy(`arpwatch.te',`
# why is mail delivered to a directory of type arpwatch_data_t?
allow mta_delivery_agent arpwatch_data_t:dir search;
')
# #
# Need this transition to create /etc/aliases.db # Need this transition to create /etc/aliases.db
# #


@ -1860,6 +1860,23 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal; allow $1 userdomain:process signal;
') ')
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`userdom_sigcld_all_users',`
gen_require(`
attribute userdomain;
class process sigchld;
')
allow $1 userdomain:process sigghld;
')
######################################## ########################################
## <summary> ## <summary>
## Unconfined access to user domains. ## Unconfined access to user domains.
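Review bot: The rule in the new interface spells the permission `sigghld` (`allow $1 userdomain:process sigghld;`), while the `gen_require` two lines above it declares `class process sigchld;`. That is not a permission of the process class, so the policy should fail to compile once the interface is used; the line should be `allow $1 userdomain:process sigchld;`. The interface name `userdom_sigcld_all_users` also drops the "h" that `cron_sigchld` in this same commit keeps, and `userdom_sigchld_all_users` would make the two easier to find together.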