pull in part of fedora mta changes

policy/modules/services/mta.fc

@@ -1,4 +1,4 @@
-/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
@@ -9,11 +9,15 @@ ifdef(`distro_redhat',`
 /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
 ')
 
+/usr/bin/esmtp    		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
 /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp 		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
 
@@ -22,7 +26,3 @@ ifdef(`distro_redhat',`
 /var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
-
-#ifdef(`postfix.te', `', `
-#/var/spool/postfix(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
-#')

policy/modules/services/mta.if

@@ -93,6 +93,12 @@ template(`mta_base_mail_template',`
 
 	miscfiles_read_localization($1_mail_t)
 
+	optional_policy(`
+		exim_read_log($1_mail_t)
+		exim_append_log($1_mail_t)
+		exim_manage_spool_files($1_mail_t)
+	')
+
 	optional_policy(`
 		postfix_domtrans_user_mail_handler($1_mail_t)
 	')
@@ -130,6 +136,9 @@ template(`mta_base_mail_template',`
 		sendmail_create_log($1_mail_t)
 	')
 
+	optional_policy(`
+		uucp_manage_spool($1_mail_t)
+	')
 ')
 
 ########################################
@@ -307,6 +316,7 @@ interface(`mta_mailserver_delivery',`
 
 	optional_policy(`
 		dovecot_manage_spool($1)
+		dovecot_domtrans_deliver($1)
 	')
 
 	optional_policy(`
@@ -444,6 +454,25 @@ interface(`mta_read_config',`
 	read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
 ')
 
+########################################
+## <summary>
+##	write mail server configuration.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_write_config',`
+	gen_require(`
+		type etc_mail_t;
+	')
+
+	write_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
 ########################################
 ## <summary>
 ##	Read mail address aliases.
@@ -591,8 +620,8 @@ interface(`mta_getattr_spool',`
 
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir list_dir_perms;
-	allow $1 mail_spool_t:lnk_file read;
+	getattr_files_pattern($1, mail_spool_t, mail_spool_t)
-	allow $1 mail_spool_t:file getattr;
+	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
 ########################################
@@ -612,7 +641,7 @@ interface(`mta_dontaudit_getattr_spool_files',`
 	')
 
 	files_dontaudit_search_spool($1)
-	dontaudit $1 mail_spool_t:dir search;
+	dontaudit $1 mail_spool_t:dir search_dir_perms;
 	dontaudit $1 mail_spool_t:lnk_file read;
 	dontaudit $1 mail_spool_t:file getattr;
 ')
@@ -806,6 +835,7 @@ interface(`mta_manage_queue',`
 	')
 
 	files_search_spool($1)
+	manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
 	manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
 ')
 

policy/modules/services/mta.te

@@ -1,5 +1,5 @@
 
-policy_module(mta, 2.1.2)
+policy_module(mta, 2.1.3)
 
 ########################################
 #
@@ -47,20 +47,27 @@ ubac_constrained(user_mail_tmp_t)
 #
 
 # newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
+allow system_mail_t self:capability { dac_override fowner };
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
 
 read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
 
 allow system_mail_t mta_exec_type:file entrypoint;
 
-allow system_mail_t mailcontent_type:file read_file_perms;
+can_exec(system_mail_t, mta_exec_type)
 
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
 
+dev_read_sysfs(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
 init_use_script_ptys(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
@@ -85,15 +92,35 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	clamav_stream_connect(system_mail_t)
+	clamav_append_log(system_mail_t)
+')
+
 optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
 ')
 
+optional_policy(`
+	courier_manage_spool_dirs(system_mail_t)
+	courier_manage_spool_files(system_mail_t)
+	courier_rw_spool_pipes(system_mail_t)
+')
+
 optional_policy(`
 	cvs_read_data(system_mail_t)
 ')
 
+optional_policy(`
+	exim_domtrans(system_mail_t)
+	exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
+	fail2ban_append_log(system_mail_t)
+')
+
 optional_policy(`
 	logrotate_read_tmp_files(system_mail_t)
 ')
@@ -132,10 +159,6 @@ optional_policy(`
 		# compatability for old default main.cf
 		postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
 	')
-
-	optional_policy(`
-		cron_rw_tcp_sockets(system_mail_t)
-	')
 ')
 
 optional_policy(`