fix up most of mta attribute insanity
parent
451c1e3d59
commit
246839f3d2
@ -82,3 +82,21 @@ interface(`logrotate_dontaudit_use_fd',`
|
|||||||
|
|
||||||
dontaudit $1 logrotate_t:fd use;
|
dontaudit $1 logrotate_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read a logrotate temporary files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`logrotate_read_tmp_files',`
|
||||||
|
gen_require(`
|
||||||
|
type logrotate_tmp_t;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
|
allow $1 logrotate_tmp_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
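Review bot: The doc header of the new `logrotate_read_tmp_files` interface describes its parameter as `The type of the process to not audit.`, which looks copied from the dontaudit interface above it. This interface grants access (`allow $1 logrotate_tmp_t:file r_file_perms;`), so the parameter text should be `## Domain allowed access.`. The summary would also read better as `## Read logrotate temporary files.`. A policy author reading the current header could take this for an interface that only silences audit messages.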
@ -553,6 +553,25 @@ interface(`kernel_dontaudit_getattr_message_if',`
|
|||||||
dontaudit $1 proc_kmsg_t:file getattr;
|
dontaudit $1 proc_kmsg_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to search the network
|
||||||
|
## state directory.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The process type reading the state.
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`kernel_dontaudit_search_network_state',`
|
||||||
|
gen_require(`
|
||||||
|
type proc_net_t;
|
||||||
|
class dir search;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 proc_net_t:dir search;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow caller to read the network state information.
|
## Allow caller to read the network state information.
|
||||||
|
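Review bot: `kernel_dontaudit_search_network_state` is named and documented as a dontaudit interface, but its rule is `allow $1 proc_net_t:dir search;`, so every caller is granted search access to the network state directory instead of having the denial silenced. The rule should be `dontaudit $1 proc_net_t:dir search;`. The header also carries a stray `##` line after `## </param>`, and the parameter text `The process type reading the state.` would be clearer as `Domain to not audit.`.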
@ -314,6 +314,23 @@ interface(`cron_system_entry',`
|
|||||||
allow $1 crond_t:process sigchld;
|
allow $1 crond_t:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send a SIGCHLD signal to the cron daemon.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`cron_sigchld',`
|
||||||
|
gen_require(`
|
||||||
|
type crond_t;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 crond_t:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read a cron daemon unnamed pipe
|
## Read a cron daemon unnamed pipe
|
||||||
@ -331,7 +348,6 @@ interface(`cron_read_pipe',`
|
|||||||
allow $1 crond_t:file r_file_perms;
|
allow $1 crond_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write the cron daemon log files.
|
## Read and write the cron daemon log files.
|
||||||
@ -367,3 +383,21 @@ interface(`cron_search_spool',`
|
|||||||
files_search_spool($1)
|
files_search_spool($1)
|
||||||
allow $1 cron_spool_t:dir search;
|
allow $1 cron_spool_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read temporary files from the system cron jobs.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`cron_read_system_job_tmp_files',`
|
||||||
|
gen_require(`
|
||||||
|
type system_crond_tmp_t;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($1)
|
||||||
|
allow $1 system_crond_tmp_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
template(`mta_per_userdomain_template',`
|
template(`mta_per_userdomain_template',`
|
||||||
type $1_mail_t; # , user_mail_domain
|
type $1_mail_t;
|
||||||
domain_type($1_mail_t)
|
domain_type($1_mail_t)
|
||||||
role $3 types $1_mail_t;
|
role $3 types $1_mail_t;
|
||||||
|
|
||||||
@ -59,6 +59,11 @@ template(`mta_per_userdomain_template',`
|
|||||||
allow $1_mail_t $2:fifo_file rw_file_perms;
|
allow $1_mail_t $2:fifo_file rw_file_perms;
|
||||||
allow $1_mail_t $2:process sigchld;
|
allow $1_mail_t $2:process sigchld;
|
||||||
|
|
||||||
|
# For when the user wants to send mail via port 25 localhost
|
||||||
|
kernel_tcp_recvfrom($2)
|
||||||
|
allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
|
||||||
|
allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
|
||||||
|
|
||||||
kernel_read_kernel_sysctl($1_mail_t)
|
kernel_read_kernel_sysctl($1_mail_t)
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if($1_mail_t)
|
corenet_tcp_sendrecv_all_if($1_mail_t)
|
||||||
@ -78,6 +83,8 @@ template(`mta_per_userdomain_template',`
|
|||||||
|
|
||||||
files_read_etc_files($1_mail_t)
|
files_read_etc_files($1_mail_t)
|
||||||
files_search_spool($1_mail_t)
|
files_search_spool($1_mail_t)
|
||||||
|
# It wants to check for nscd
|
||||||
|
files_dontaudit_search_pids($1_mail_t)
|
||||||
|
|
||||||
logging_send_syslog_msg($1_mail_t)
|
logging_send_syslog_msg($1_mail_t)
|
||||||
|
|
||||||
@ -86,6 +93,8 @@ template(`mta_per_userdomain_template',`
|
|||||||
sysnet_read_config($1_mail_t)
|
sysnet_read_config($1_mail_t)
|
||||||
|
|
||||||
userdom_use_user_terminals($1,$1_mail_t)
|
userdom_use_user_terminals($1,$1_mail_t)
|
||||||
|
# Write to the user domain tty. cjp: why?
|
||||||
|
userdom_use_user_terminals($1,mta_user_agent)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
tunable_policy(`use_dns',`
|
||||||
allow $1_mail_t self:udp_socket create_socket_perms;
|
allow $1_mail_t self:udp_socket create_socket_perms;
|
||||||
@ -113,14 +122,6 @@ template(`mta_per_userdomain_template',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
allow $1_mail_t device_t:dir search;
|
|
||||||
|
|
||||||
# It wants to check for nscd
|
|
||||||
dontaudit $1_mail_t var_run_t:dir search;
|
|
||||||
|
|
||||||
# For when the user wants to send mail via port 25 localhost
|
|
||||||
can_tcp_connect($1_t, mail_server_domain)
|
|
||||||
|
|
||||||
# Read user temporary files.
|
# Read user temporary files.
|
||||||
allow $1_mail_t $1_tmp_t:file r_file_perms;
|
allow $1_mail_t $1_tmp_t:file r_file_perms;
|
||||||
dontaudit $1_mail_t $1_tmp_t:file append;
|
dontaudit $1_mail_t $1_tmp_t:file append;
|
||||||
@ -129,26 +130,21 @@ template(`mta_per_userdomain_template',`
|
|||||||
allow $1_mail_t $1_tmp_t:file write;
|
allow $1_mail_t $1_tmp_t:file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
# cjp: why?
|
||||||
allow mta_user_agent $1_tmp_t:file r_file_perms;
|
allow mta_user_agent $1_tmp_t:file r_file_perms;
|
||||||
|
|
||||||
# Write to the user domain tty.
|
|
||||||
allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms;
|
|
||||||
allow mta_user_agent devpts_t:dir r_dir_perms;
|
|
||||||
allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
# Inherit and use descriptors from gnome-pty-helper.
|
# Inherit and use descriptors from gnome-pty-helper.
|
||||||
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
|
||||||
|
|
||||||
# Create dead.letter in user home directories.
|
# Create dead.letter in user home directories.
|
||||||
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
|
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
|
||||||
|
|
||||||
# if you do not want to allow dead.letter then use the following instead
|
# if you do not want to allow dead.letter then use the following instead
|
||||||
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
||||||
#allow $1_mail_t $1_home_t:file r_file_perms;
|
#allow $1_mail_t $1_home_t:file r_file_perms;
|
||||||
|
|
||||||
# for reading .forward - maybe we need a new type for it?
|
# for reading .forward - maybe we need a new type for it?
|
||||||
# also for delivering mail to maildir
|
# also for delivering mail to maildir
|
||||||
file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
|
file_type_auto_trans(mailserver_delivery, $1_home_dir_t, $1_home_t)
|
||||||
|
|
||||||
ifdef(`qmail.te', `
|
ifdef(`qmail.te', `
|
||||||
allow $1_mail_t qmail_etc_t:dir search;
|
allow $1_mail_t qmail_etc_t:dir search;
|
||||||
@ -167,6 +163,9 @@ interface(`mta_mailserver',`
|
|||||||
attribute mailserver_domain;
|
attribute mailserver_domain;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
# For when the user wants to send mail via port 25 localhost
|
||||||
|
kernel_tcp_recvfrom($1)
|
||||||
|
|
||||||
init_daemon_domain($1,$2)
|
init_daemon_domain($1,$2)
|
||||||
typeattribute $1 mailserver_domain;
|
typeattribute $1 mailserver_domain;
|
||||||
')
|
')
|
||||||
@ -202,10 +201,65 @@ interface(`mta_sendmail_mailserver',`
|
|||||||
type sendmail_exec_t;
|
type sendmail_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
# For when the user wants to send mail via port 25 localhost
|
||||||
|
kernel_tcp_recvfrom($1)
|
||||||
|
|
||||||
init_system_domain($1,sendmail_exec_t)
|
init_system_domain($1,sendmail_exec_t)
|
||||||
typeattribute $1 mailserver_domain;
|
typeattribute $1 mailserver_domain;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Make a type a mailserver type used
|
||||||
|
## for sending mail.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Mail server domain type used for sending mail.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mta_mailserver_sender',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mailserver_sender;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mailserver_sender;
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Make a type a mailserver type used
|
||||||
|
## for delivering mail to local users.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Mail server domain type used for delivering mail.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mta_mailserver_delivery',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mailserver_delivery;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mailserver_delivery;
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Make a type a mailserver type used
|
||||||
|
## for sending mail on behalf of local
|
||||||
|
## users to the local mail spool.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Mail server domain type used for sending local mail.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mta_mailserver_user_agent',`
|
||||||
|
gen_require(`
|
||||||
|
attribute mailserver_user_agent;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 mailserver_user_agent;
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_send_mail(domain)
|
# mta_send_mail(domain)
|
||||||
@ -332,6 +386,28 @@ interface(`mta_rw_spool',`
|
|||||||
allow $1 mail_spool_t:file { rw_file_perms setattr };
|
allow $1 mail_spool_t:file { rw_file_perms setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, and write the mail spool.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`mta_append_spool',`
|
||||||
|
gen_require(`
|
||||||
|
type mail_spool_t;
|
||||||
|
class dir ra_dir_perms;
|
||||||
|
class lnk_file { getattr read };
|
||||||
|
class file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_spool($1)
|
||||||
|
allow $1 mail_spool_t:dir ra_dir_perms;
|
||||||
|
allow $1 mail_spool_t:lnk_file { getattr read };
|
||||||
|
allow $1 mail_spool_t:file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# mta_manage_spool(domain)
|
# mta_manage_spool(domain)
|
||||||
|
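Review bot: `mta_mailserver_user_agent` requires and assigns `attribute mailserver_user_agent;`, but the declarations hunk under `policy_module(mta,1.0)` adds `attribute mta_user_agent;` and no `mailserver_user_agent`, and the template rules in this file (`userdom_use_user_terminals($1,mta_user_agent)`, `allow mta_user_agent $1_tmp_t:file r_file_perms;`) are keyed on `mta_user_agent`. Unless the attribute is declared outside the visible hunks, a caller of this interface hits an unmet require, and a type tagged through it would not pick up the user-agent rules. Use one name in all three places, for example `attribute mta_user_agent;` and `typeattribute $1 mta_user_agent;` in this interface. Separately, `userdom_use_user_terminals($1,mta_user_agent)` appears to replace rules that sat under the TODO block and is now active with the author's `cjp: why?` still attached; it gives every type carrying the attribute access to each templated user's terminals, so it is worth confirming the grant is needed.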
@ -6,14 +6,17 @@ policy_module(mta,1.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
attribute mta_user_agent;
|
||||||
|
attribute mailserver_delivery;
|
||||||
|
attribute mailserver_domain;
|
||||||
|
attribute mailserver_sender;
|
||||||
|
|
||||||
type etc_aliases_t;
|
type etc_aliases_t;
|
||||||
files_type(etc_aliases_t)
|
files_type(etc_aliases_t)
|
||||||
|
|
||||||
type etc_mail_t;
|
type etc_mail_t;
|
||||||
files_type(etc_mail_t)
|
files_type(etc_mail_t)
|
||||||
|
|
||||||
attribute mailserver_domain;
|
|
||||||
|
|
||||||
type mqueue_spool_t;
|
type mqueue_spool_t;
|
||||||
files_type(mqueue_spool_t)
|
files_type(mqueue_spool_t)
|
||||||
|
|
||||||
@ -23,7 +26,7 @@ files_type(mail_spool_t)
|
|||||||
type sendmail_exec_t;
|
type sendmail_exec_t;
|
||||||
files_type(sendmail_exec_t)
|
files_type(sendmail_exec_t)
|
||||||
|
|
||||||
type system_mail_t; #, user_mail_domain
|
type system_mail_t;
|
||||||
domain_type(system_mail_t)
|
domain_type(system_mail_t)
|
||||||
role system_r types system_mail_t;
|
role system_r types system_mail_t;
|
||||||
|
|
||||||
@ -66,12 +69,14 @@ fs_getattr_xattr_fs(system_mail_t)
|
|||||||
|
|
||||||
init_use_script_pty(system_mail_t)
|
init_use_script_pty(system_mail_t)
|
||||||
|
|
||||||
files_read_etc_runtime_files(system_mail_t)
|
|
||||||
files_read_etc_files(system_mail_t)
|
files_read_etc_files(system_mail_t)
|
||||||
|
files_read_etc_runtime_files(system_mail_t)
|
||||||
|
files_search_spool(system_mail_t)
|
||||||
# It wants to check for nscd
|
# It wants to check for nscd
|
||||||
files_dontaudit_search_pids(system_mail_t)
|
files_dontaudit_search_pids(system_mail_t)
|
||||||
|
|
||||||
corecmd_exec_bin(system_mail_t)
|
corecmd_exec_bin(system_mail_t)
|
||||||
|
corecmd_search_sbin(system_mail_t)
|
||||||
|
|
||||||
libs_use_ld_so(system_mail_t)
|
libs_use_ld_so(system_mail_t)
|
||||||
libs_use_shared_libs(system_mail_t)
|
libs_use_shared_libs(system_mail_t)
|
||||||
@ -82,74 +87,9 @@ miscfiles_read_localization(system_mail_t)
|
|||||||
|
|
||||||
sysnet_read_config(system_mail_t)
|
sysnet_read_config(system_mail_t)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
userdom_use_sysadm_terms(system_mail_t)
|
||||||
allow system_mail_t self:udp_socket create_socket_perms;
|
|
||||||
corenet_udp_sendrecv_all_if(system_mail_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(system_mail_t)
|
|
||||||
corenet_udp_bind_all_nodes(system_mail_t)
|
|
||||||
corenet_udp_sendrecv_dns_port(system_mail_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
|
||||||
nis_use_ypbind(system_mail_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nscd.te',`
|
|
||||||
nscd_use_socket(system_mail_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`procmail.te',`
|
|
||||||
procmail_exec(system_mail_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
|
|
||||||
optional_policy(`sendmail.te',`
|
|
||||||
allow system_mail_t etc_mail_t:dir { getattr search };
|
|
||||||
|
|
||||||
kernel_read_system_state(system_mail_t)
|
|
||||||
|
|
||||||
fs_getattr_xattr_fs(system_mail_t)
|
|
||||||
|
|
||||||
files_read_etc_runtime_files(system_mail_t)
|
|
||||||
|
|
||||||
dontaudit system_mail_t proc_net_t:dir search;
|
|
||||||
|
|
||||||
allow system_mail_t var_t:dir getattr;
|
|
||||||
allow system_mail_t var_spool_t:dir getattr;
|
|
||||||
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
|
|
||||||
|
|
||||||
# sendmail -q
|
|
||||||
allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
|
|
||||||
allow system_mail_t mqueue_spool_t:file create_file_perms;
|
|
||||||
|
|
||||||
optional_policy(`crond.te', `
|
|
||||||
dontaudit system_mail_t system_crond_tmp_t:file append;
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
allow system_mail_t device_t:dir search;
|
|
||||||
allow system_mail_t { var_t var_spool_t }:dir search;
|
|
||||||
allow system_mail_t sbin_t:dir search;
|
|
||||||
|
|
||||||
# Transition from a system domain to the derived domain.
|
|
||||||
domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
|
|
||||||
allow privmail sendmail_exec_t:lnk_file { getattr read };
|
|
||||||
|
|
||||||
optional_policy(`crond.te',`
|
|
||||||
# Read cron temporary files.
|
|
||||||
allow system_mail_t system_crond_tmp_t:file r_file_perms;
|
|
||||||
allow mta_user_agent system_crond_tmp_t:file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`qmail.te', `
|
|
||||||
allow system_mail_t qmail_etc_t:dir search;
|
|
||||||
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
|
||||||
|
|
||||||
allow system_mail_t etc_mail_t:file r_file_perms;
|
allow system_mail_t etc_mail_t:file r_file_perms;
|
||||||
|
|
||||||
allow system_mail_t mail_spool_t:dir create_dir_perms;
|
allow system_mail_t mail_spool_t:dir create_dir_perms;
|
||||||
@ -174,63 +114,76 @@ ifdef(`targeted_policy', `
|
|||||||
libs_exec_ld_so(system_mail_t)
|
libs_exec_ld_so(system_mail_t)
|
||||||
libs_exec_lib_files(system_mail_t)
|
libs_exec_lib_files(system_mail_t)
|
||||||
')
|
')
|
||||||
',`
|
|
||||||
optional_policy(`sendmail.te', `
|
|
||||||
# sendmail has an ugly design, the one process parses input from the user and
|
|
||||||
# then does system things with it.
|
|
||||||
domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`use_dns',`
|
||||||
|
allow system_mail_t self:udp_socket create_socket_perms;
|
||||||
|
corenet_udp_sendrecv_all_if(system_mail_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(system_mail_t)
|
||||||
|
corenet_udp_bind_all_nodes(system_mail_t)
|
||||||
|
corenet_udp_sendrecv_dns_port(system_mail_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`cron.te',`
|
||||||
|
cron_read_system_job_tmp_files(system_mail_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`logrotate.te',`
|
||||||
|
logrotate_read_tmp_files(system_mail_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nis.te',`
|
||||||
|
nis_use_ypbind(system_mail_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket(system_mail_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`procmail.te',`
|
||||||
|
procmail_exec(system_mail_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`sendmail.te',`
|
||||||
|
allow system_mail_t etc_mail_t:dir { getattr search };
|
||||||
|
|
||||||
|
# sendmail -q
|
||||||
|
allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
|
||||||
|
allow system_mail_t mqueue_spool_t:file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
optional_policy(`sendmail.te',`
|
||||||
|
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
||||||
|
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
|
||||||
|
|
||||||
|
optional_policy(`crond.te', `
|
||||||
|
dontaudit system_mail_t system_crond_tmp_t:file append;
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`targeted_policy',`
|
||||||
|
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
||||||
|
',`
|
||||||
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
||||||
allow sysadm_mail_t user_home_dir_type:dir search;
|
allow sysadm_mail_t user_home_dir_type:dir search;
|
||||||
r_dir_file(sysadm_mail_t, user_home_type)
|
r_dir_file(sysadm_mail_t, user_home_type)
|
||||||
')
|
')
|
||||||
|
|
||||||
# for a mail server process that does things in response to a user command
|
allow system_mail_t privmail:fd use;
|
||||||
allow mta_user_agent userdomain:process sigchld;
|
allow system_mail_t privmail:process sigchld;
|
||||||
allow mta_user_agent { userdomain privfd }:fd use;
|
allow system_mail_t privmail:fifo_file { read write };
|
||||||
ifdef(`crond.te', `
|
|
||||||
allow mta_user_agent crond_t:process sigchld;
|
|
||||||
')
|
|
||||||
allow mta_user_agent sysadm_t:fifo_file { read write };
|
|
||||||
|
|
||||||
allow { system_mail_t mta_user_agent } privmail:fd use;
|
optional_policy(`arpwatch.te',`
|
||||||
allow { system_mail_t mta_user_agent } privmail:process sigchld;
|
allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
|
||||||
allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
|
|
||||||
allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
|
|
||||||
|
|
||||||
ifdef(`arpwatch.te', `
|
|
||||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
|
||||||
allow mta_delivery_agent arpwatch_data_t:dir search;
|
|
||||||
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
|
|
||||||
ifdef(`hide_broken_symptoms', `
|
ifdef(`hide_broken_symptoms', `
|
||||||
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
|
dontaudit system_mail_t arpwatch_t:packet_socket { read write };
|
||||||
')
|
')
|
||||||
')dnl end if arpwatch.te
|
|
||||||
|
|
||||||
allow mta_delivery_agent home_root_t:dir { getattr search };
|
|
||||||
|
|
||||||
# for /var/spool/mail
|
|
||||||
ra_dir_create_file(mta_delivery_agent, mail_spool_t)
|
|
||||||
|
|
||||||
# for piping mail to a command
|
|
||||||
can_exec(mta_delivery_agent, shell_exec_t)
|
|
||||||
allow mta_delivery_agent bin_t:dir search;
|
|
||||||
allow mta_delivery_agent bin_t:lnk_file read;
|
|
||||||
allow mta_delivery_agent { etc_runtime_t proc_t }:file r_file_perms;
|
|
||||||
|
|
||||||
# Transition from a system domain to the derived domain.
|
|
||||||
domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
|
|
||||||
allow privmail sendmail_exec_t:lnk_file r_file_perms;
|
|
||||||
|
|
||||||
ifdef(`crond.te', `
|
|
||||||
# Read cron temporary files.
|
|
||||||
allow system_mail_t system_crond_tmp_t:file r_file_perms;
|
|
||||||
allow mta_user_agent system_crond_tmp_t:file r_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`logrotate.te', `
|
optional_policy(`qmail.te',`
|
||||||
allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
|
allow system_mail_t qmail_etc_t:dir search;
|
||||||
|
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
|
||||||
')
|
')
|
||||||
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
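Review bot: The new side names the cron module two ways: the active block wraps `cron_read_system_job_tmp_files(system_mail_t)` in an optional_policy keyed on `cron.te`, while the block kept under the TODO ifdef still keys `dontaudit system_mail_t system_crond_tmp_t:file append;` on `crond.te`. One of the two is presumably stale, and a name that does not match would likely drop the enclosed rules silently rather than fail the build, so this is worth confirming against the module's real file name. The same TODO block also carries `allow system_mail_t { var_t var_spool_t }:dir getattr;` twice, once under the sendmail.te optional block and once under the targeted_policy ifdef; one copy can go.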
@ -6,8 +6,10 @@ policy_module(sendmail,1.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm)
|
type sendmail_t;
|
||||||
mta_sendmail_mailserver(sendmail_t)
|
mta_sendmail_mailserver(sendmail_t)
|
||||||
|
mta_mailserver_delivery(sendmail_t)
|
||||||
|
mta_mailserver_sender(sendmail_t)
|
||||||
|
|
||||||
type sendmail_log_t;
|
type sendmail_log_t;
|
||||||
logging_log_file(sendmail_log_t)
|
logging_log_file(sendmail_log_t)
|
||||||
@ -40,8 +42,8 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta
|
|||||||
files_create_pid(sendmail_t,sendmail_var_run_t)
|
files_create_pid(sendmail_t,sendmail_var_run_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(sendmail_t)
|
kernel_read_kernel_sysctl(sendmail_t)
|
||||||
kernel_list_proc(sendmail_t)
|
# for piping mail to a command
|
||||||
kernel_read_proc_symlinks(sendmail_t)
|
kernel_read_system_state(sendmail_t)
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(sendmail_t)
|
corenet_tcp_sendrecv_all_if(sendmail_t)
|
||||||
corenet_raw_sendrecv_all_if(sendmail_t)
|
corenet_raw_sendrecv_all_if(sendmail_t)
|
||||||
@ -63,10 +65,15 @@ fs_search_auto_mountpoints(sendmail_t)
|
|||||||
|
|
||||||
term_dontaudit_use_console(sendmail_t)
|
term_dontaudit_use_console(sendmail_t)
|
||||||
|
|
||||||
|
# for piping mail to a command
|
||||||
|
corecmd_exec_shell(sendmail_t)
|
||||||
|
|
||||||
domain_use_wide_inherit_fd(sendmail_t)
|
domain_use_wide_inherit_fd(sendmail_t)
|
||||||
|
|
||||||
files_read_etc_files(sendmail_t)
|
files_read_etc_files(sendmail_t)
|
||||||
files_search_spool(sendmail_t)
|
files_search_spool(sendmail_t)
|
||||||
|
# for piping mail to a command
|
||||||
|
files_read_etc_runtime_files(sendmail_t)
|
||||||
|
|
||||||
init_use_fd(sendmail_t)
|
init_use_fd(sendmail_t)
|
||||||
init_use_script_pty(sendmail_t)
|
init_use_script_pty(sendmail_t)
|
||||||
@ -121,6 +128,11 @@ optional_policy(`rhgb.te', `
|
|||||||
rhgb_domain(sendmail_t)
|
rhgb_domain(sendmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`arpwatch.te',`
|
||||||
|
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||||
|
allow mta_delivery_agent arpwatch_data_t:dir search;
|
||||||
|
')
|
||||||
|
|
||||||
#
|
#
|
||||||
# Need this transition to create /etc/aliases.db
|
# Need this transition to create /etc/aliases.db
|
||||||
#
|
#
|
||||||
|
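Review bot: The added arpwatch block uses `allow mta_delivery_agent arpwatch_data_t:dir search;`, but this commit renames that attribute elsewhere: the `file_type_auto_trans` line in the mta template now uses `mailserver_delivery`, and the mta declarations add `mailserver_delivery`, not `mta_delivery_agent`. Unless `mta_delivery_agent` is still declared outside the visible hunks, this active rule refers to an undeclared attribute. Since this file already calls `mta_mailserver_delivery(sendmail_t)`, writing `allow sendmail_t arpwatch_data_t:dir search;` would scope the rule to the module's own type. The inline question `why is mail delivered to a directory of type arpwatch_data_t?` is worth answering before the grant ships as active policy.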
@ -1860,6 +1860,23 @@ interface(`userdom_signal_all_users',`
|
|||||||
allow $1 userdomain:process signal;
|
allow $1 userdomain:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send a SIGCHLD signal to all user domains.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`userdom_sigcld_all_users',`
|
||||||
|
gen_require(`
|
||||||
|
attribute userdomain;
|
||||||
|
class process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 userdomain:process sigghld;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Unconfined access to user domains.
|
## Unconfined access to user domains.
|
||||||
|
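Review bot: The rule in `userdom_sigcld_all_users` misspells the permission as `sigghld` (`allow $1 userdomain:process sigghld;`), while the `gen_require` just above it names `class process sigchld;`; the rule should be `allow $1 userdomain:process sigchld;`. As written the interface presumably fails to build the first time it is called. The interface name also drops the `h` (`sigcld`), unlike `cron_sigchld` added by this same commit; `userdom_sigchld_all_users` would match.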