add procmail
This commit is contained in:
parent
801b2a7a88
commit
3e6c816ddd
@ -14,6 +14,7 @@
|
||||
networkmanager
|
||||
pegasus
|
||||
postfix
|
||||
procmail
|
||||
radius
|
||||
rpc
|
||||
spamassassin
|
||||
|
@ -704,6 +704,13 @@ lpd = base
|
||||
#
|
||||
avahi = base
|
||||
|
||||
# Layer: services
|
||||
# Module: procmail
|
||||
#
|
||||
# Procmail mail delivery agent
|
||||
#
|
||||
procmail = base
|
||||
|
||||
# Layer: system
|
||||
# Module: unconfined
|
||||
#
|
||||
@ -711,13 +718,6 @@ avahi = base
|
||||
#
|
||||
unconfined = base
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
#
|
||||
authlogin = base
|
||||
|
||||
# Layer: system
|
||||
# Module: selinuxutil
|
||||
#
|
||||
@ -866,3 +866,10 @@ libraries = base
|
||||
#
|
||||
miscfiles = base
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
#
|
||||
authlogin = base
|
||||
|
||||
|
@ -535,6 +535,23 @@ interface(`mta_manage_spool',`
|
||||
allow $1 mail_spool_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and
|
||||
## write the mail queue.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_dontaudit_rw_queue',`
|
||||
gen_require(`
|
||||
type mqueue_spool_t;
|
||||
')
|
||||
|
||||
dontaudit $1 mqueue_spool_t:file { getattr read write };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# mta_manage_queue(domain)
|
||||
|
@ -175,6 +175,42 @@ interface(`postfix_read_config',`
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and
|
||||
## write postfix local delivery
|
||||
## TCP sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_dontaudit_rw_local_tcp_socket',`
|
||||
gen_require(`
|
||||
type postfix_local_t;
|
||||
')
|
||||
|
||||
dontaudit $1 postfix_local_t:tcp_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to use
|
||||
## postfix master process file
|
||||
## file descriptors.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_dontaudit_use_fd',`
|
||||
gen_require(`
|
||||
type postfix_master_t;
|
||||
')
|
||||
|
||||
dontaudit $1 postfix_master_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute postfix_map in the postfix_map domain.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postfix,1.0)
|
||||
policy_module(postfix,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -306,14 +306,9 @@ mta_delete_spool(postfix_local_t)
|
||||
# For reading spamassasin
|
||||
mta_read_config(postfix_local_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`procmail.te', `
|
||||
domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
|
||||
# for a bug in the postfix local program
|
||||
dontaudit procmail_t postfix_local_t:tcp_socket { read write };
|
||||
dontaudit procmail_t postfix_master_t:fd use;
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_domtrans(postfix_local_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -430,11 +425,9 @@ allow postfix_pipe_t postfix_private_t:sock_file write;
|
||||
allow postfix_pipe_t postfix_spool_t:dir search;
|
||||
allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`procmail.te', `
|
||||
domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_domtrans(postfix_pipe_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
|
2
refpolicy/policy/modules/services/procmail.fc
Normal file
2
refpolicy/policy/modules/services/procmail.fc
Normal file
@ -0,0 +1,2 @@
|
||||
|
||||
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
|
24
refpolicy/policy/modules/services/procmail.if
Normal file
24
refpolicy/policy/modules/services/procmail.if
Normal file
@ -0,0 +1,24 @@
|
||||
## <summary>Procmail mail delivery agent</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute procmail with a domain transition.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`procmail_domtrans',`
|
||||
gen_require(`
|
||||
type procmail_exec_t, procmail_t;
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_search_bin($1)
|
||||
domain_auto_trans($1,procmail_exec_t,procmail_t)
|
||||
|
||||
allow $1 procmail_t:fd use;
|
||||
allow procmail_t $1:fd use;
|
||||
allow procmail_t $1:fifo_file rw_file_perms;
|
||||
allow procmail_t $1:process sigchld;
|
||||
')
|
105
refpolicy/policy/modules/services/procmail.te
Normal file
105
refpolicy/policy/modules/services/procmail.te
Normal file
@ -0,0 +1,105 @@
|
||||
|
||||
policy_module(procmail,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# privhome only works until we define a different type for maildir
|
||||
type procmail_t, privhome;
|
||||
type procmail_exec_t;
|
||||
domain_type(procmail_t)
|
||||
domain_entry_file(procmail_t,procmail_exec_t)
|
||||
role system_r types procmail_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
|
||||
allow procmail_t self:process { setsched fork sigchld signal };
|
||||
allow procmail_t self:fifo_file rw_file_perms;
|
||||
allow procmail_t self:unix_stream_socket create_socket_perms;
|
||||
allow procmail_t self:unix_dgram_socket create_socket_perms;
|
||||
allow procmail_t self:tcp_socket create_stream_socket_perms;
|
||||
allow procmail_t self:udp_socket create_socket_perms;
|
||||
|
||||
kernel_read_system_state(procmail_t)
|
||||
kernel_read_kernel_sysctl(procmail_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(procmail_t)
|
||||
corenet_raw_sendrecv_all_if(procmail_t)
|
||||
corenet_udp_sendrecv_all_if(procmail_t)
|
||||
corenet_tcp_sendrecv_all_nodes(procmail_t)
|
||||
corenet_udp_sendrecv_all_nodes(procmail_t)
|
||||
corenet_raw_sendrecv_all_nodes(procmail_t)
|
||||
corenet_tcp_sendrecv_all_ports(procmail_t)
|
||||
corenet_udp_sendrecv_all_ports(procmail_t)
|
||||
corenet_tcp_bind_all_nodes(procmail_t)
|
||||
corenet_udp_bind_all_nodes(procmail_t)
|
||||
|
||||
dev_read_urand(procmail_t)
|
||||
|
||||
fs_getattr_xattr_fs(procmail_t)
|
||||
|
||||
auth_use_nsswitch(procmail_t)
|
||||
|
||||
corecmd_exec_bin(procmail_t)
|
||||
corecmd_exec_shell(procmail_t)
|
||||
corecmd_dontaudit_search_sbin(procmail_t)
|
||||
|
||||
files_read_etc_files(procmail_t)
|
||||
files_read_etc_runtime_files(procmail_t)
|
||||
files_search_pids(procmail_t)
|
||||
# for spamassasin
|
||||
files_read_usr_files(procmail_t)
|
||||
|
||||
libs_use_ld_so(procmail_t)
|
||||
libs_use_shared_libs(procmail_t)
|
||||
|
||||
miscfiles_read_localization(procmail_t)
|
||||
|
||||
userdom_priveleged_home_dir_manager(procmail_t)
|
||||
# Do not audit attempts to access /root.
|
||||
userdom_dontaudit_search_sysadm_home_dir(procmail_t)
|
||||
|
||||
mta_manage_spool(procmail_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
mta_dontaudit_rw_queue(procmail_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
corenet_udp_bind_generic_port(procmail_t)
|
||||
files_getattr_tmp_dir(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`logging.te',`
|
||||
logging_send_syslog_msg(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`postfix.te',`
|
||||
# for a bug in the postfix local program
|
||||
postfix_dontaudit_rw_local_tcp_socket(procmail_t)
|
||||
postfix_dontaudit_use_fd(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`sendmail.te',`
|
||||
mta_read_config(procmail_t)
|
||||
sendmail_rw_tcp_socket(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`spamassassin.te',`
|
||||
corenet_udp_bind_generic_port(procmail_t)
|
||||
|
||||
files_getattr_tmp_dir(procmail_t)
|
||||
|
||||
spamassassin_exec(procmail_t)
|
||||
spamassassin_exec_client(procmail_t)
|
||||
')
|
@ -19,15 +19,12 @@ interface(`sendmail_stub',`
|
||||
## Domain transition to sendmail.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`sendmail_domtrans',`
|
||||
gen_require(`
|
||||
type sendmail_exec_t, sendmail_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
@ -40,3 +37,18 @@ interface(`sendmail_domtrans',`
|
||||
allow sendmail_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write sendmail TCP sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`sendmail_rw_tcp_socket',`
|
||||
gen_require(`
|
||||
type sendmail_t;
|
||||
')
|
||||
|
||||
allow $1 sendmail_t:tcp_socket { read write };
|
||||
')
|
||||
|
@ -1,3 +1,38 @@
|
||||
## <summary>Filter used for removing unsolicited email.</summary>
|
||||
|
||||
# cjp: TODO: integrate old spamassassin_macros.te
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the standalone spamassassin
|
||||
## program in the caller directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`spamassassin_exec',`
|
||||
gen_require(`
|
||||
type spamassassin_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,spamassassin_exec_t)
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the spamassassin client
|
||||
## program in the caller directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`spamassassin_exec_client',`
|
||||
gen_require(`
|
||||
type spamc_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,spamc_exec_t)
|
||||
')
|
||||
|
@ -244,6 +244,23 @@ interface(`corecmd_search_sbin',`
|
||||
allow $1 sbin_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search
|
||||
## sbin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_dontaudit_search_sbin',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sbin_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# corecmd_list_sbin(domain)
|
||||
|
@ -12,11 +12,6 @@ policy_module(corecommands,1.0.1)
|
||||
type bin_t;
|
||||
files_type(bin_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# cjp: temporary until procmail is added
|
||||
typealias bin_t alias procmail_exec_t;
|
||||
')
|
||||
|
||||
#
|
||||
# sbin_t is the type of files in the system sbin directories.
|
||||
#
|
||||
|
@ -2827,7 +2827,7 @@ interface(`files_search_pids',`
|
||||
')
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 var_run_t:dir search;
|
||||
allow $1 var_run_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
Loading…
Reference in New Issue
Block a user