From 6f8cda967342ed28a5783550efdb566436530cdd Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 11 Apr 2006 15:28:37 +0000 Subject: [PATCH] add courier, bug 1520 --- refpolicy/policy/modules/services/courier.fc | 21 +++ refpolicy/policy/modules/services/courier.if | 146 ++++++++++++++++++ refpolicy/policy/modules/services/courier.te | 141 +++++++++++++++++ refpolicy/policy/modules/system/userdomain.if | 43 ++++++ refpolicy/policy/modules/system/userdomain.te | 2 +- 5 files changed, 352 insertions(+), 1 deletion(-) create mode 100644 refpolicy/policy/modules/services/courier.fc create mode 100644 refpolicy/policy/modules/services/courier.if create mode 100644 refpolicy/policy/modules/services/courier.te diff --git a/refpolicy/policy/modules/services/courier.fc b/refpolicy/policy/modules/services/courier.fc new file mode 100644 index 00000000..3009c739 --- /dev/null +++ b/refpolicy/policy/modules/services/courier.fc @@ -0,0 +1,21 @@ +/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) + +/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) + +/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) + +/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) +/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) + +/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) + +/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/courier.if b/refpolicy/policy/modules/services/courier.if new file mode 100644 index 00000000..d16c3f8e --- /dev/null +++ b/refpolicy/policy/modules/services/courier.if @@ -0,0 +1,146 @@ +## Courier IMAP and POP3 email servers + +######################################## +## +## Template for creating courier server processes. +## +## +## +## Prefix name of the server process. +## +## +# +template(`courier_domain_template',` + + ############################## + # + # Declarations + # + + type courier_$1_t; + type courier_$1_exec_t; + init_daemon_domain(courier_$1_t,courier_$1_exec_t) + + ############################## + # + # Declarations + # + + allow courier_$1_t self:capability dac_override; + dontaudit courier_$1_t self:capability sys_tty_config; + allow courier_$1_t self:process { setpgid signal_perms }; + allow courier_$1_t self:fifo_file { read write getattr }; + allow courier_$1_t self:tcp_socket create_stream_socket_perms; + allow courier_$1_t self:udp_socket create_socket_perms; + + can_exec(courier_$1_t, courier_$1_exec_t) + + allow courier_$1_t courier_etc_t:file r_file_perms; + allow courier_$1_t courier_etc_t:dir r_dir_perms; + + allow courier_$1_t courier_var_run_t:dir rw_dir_perms; + allow courier_$1_t courier_var_run_t:file create_file_perms; + allow courier_$1_t courier_var_run_t:lnk_file create_lnk_perms; + allow courier_$1_t courier_var_run_t:sock_file create_file_perms; + files_search_pids(courier_$1_t) + + kernel_read_system_state(courier_$1_t) + kernel_read_kernel_sysctls(courier_$1_t) + + corecmd_exec_bin(courier_$1_t) + + corenet_tcp_sendrecv_generic_if(courier_$1_t) + corenet_udp_sendrecv_generic_if(courier_$1_t) + corenet_raw_sendrecv_generic_if(courier_$1_t) + corenet_tcp_sendrecv_all_nodes(courier_$1_t) + corenet_udp_sendrecv_all_nodes(courier_$1_t) + corenet_raw_sendrecv_all_nodes(courier_$1_t) + corenet_tcp_sendrecv_all_ports(courier_$1_t) + corenet_udp_sendrecv_all_ports(courier_$1_t) + corenet_non_ipsec_sendrecv(courier_$1_t) + corenet_tcp_bind_all_nodes(courier_$1_t) + corenet_udp_bind_all_nodes(courier_$1_t) + + dev_read_sysfs(courier_$1_t) + + domain_use_interactive_fds(courier_$1_t) + + files_read_etc_files(courier_$1_t) + files_read_etc_runtime_files(courier_$1_t) + files_read_usr_files(courier_$1_t) + + fs_getattr_xattr_fs(courier_$1_t) + fs_search_auto_mountpoints(courier_$1_t) + + term_dontaudit_use_console(courier_$1_t) + + init_use_fds(courier_$1_t) + init_use_script_ptys(courier_$1_t) + + libs_use_ld_so(courier_$1_t) + libs_use_shared_libs(courier_$1_t) + + logging_send_syslog_msg(courier_$1_t) + + sysnet_read_config(courier_$1_t) + + userdom_dontaudit_use_unpriv_user_fds(courier_$1_t) + + ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys(courier_$1_t) + term_dontaudit_use_generic_ptys(courier_$1_t) + files_dontaudit_read_root_files(courier_$1_t) + ') + + optional_policy(` + seutil_sigchld_newrole(courier_$1_t) + ') + + optional_policy(` + udev_read_db(courier_$1_t) + ') +') + +######################################## +## +## Execute the courier authentication daemon with +## a domain transition. +## +## +## +## Domain allowed access. +## +## +# +interface(`courier_domtrans_authdaemon',` + gen_require(` + type courier_authdaemon_t, courier_authdaemon_exec_t; + ') + + domain_auto_trans($1, courier_authdaemon_exec_t, courier_authdaemon_t) + allow courier_authdaemon_t $1:fd use; + allow courier_authdaemon_t $1:fifo_file rw_file_perms; + allow courier_authdaemon_t $1:process sigchld; +') + +######################################## +## +## Execute the courier POP3 and IMAP server with +## a domain transition. +## +## +## +## Domain allowed access. +## +## +# +interface(`courier_domtrans_pop',` + gen_require(` + type courier_pop_t, courier_pop_exec_t; + ') + + domain_auto_trans($1, courier_pop_exec_t, courier_pop_t) + allow courier_pop_t $1:fd use; + allow courier_pop_t $1:fifo_file rw_file_perms; + allow courier_pop_t $1:process sigchld; +') diff --git a/refpolicy/policy/modules/services/courier.te b/refpolicy/policy/modules/services/courier.te new file mode 100644 index 00000000..2aa0cc03 --- /dev/null +++ b/refpolicy/policy/modules/services/courier.te @@ -0,0 +1,141 @@ + +policy_module(courier,1.0.0) + +######################################## +# +# Declarations +# + +courier_domain_template(authdaemon) + +type courier_etc_t; +files_type(courier_etc_t) + +courier_domain_template(pcp) + +courier_domain_template(pop) + +courier_domain_template(tcpd) + +type courier_var_lib_t; +files_type(courier_var_lib_t) + +type courier_var_run_t; +files_pid_file(courier_var_run_t) + +type courier_exec_t; +files_type(courier_exec_t) + +courier_domain_template(sqwebmail) +typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; + +######################################## +# +# Authdaemon local policy +# + +allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; +allow courier_authdaemon_t self:unix_stream_socket connectto; + +can_exec(courier_authdaemon_t, courier_exec_t) + +allow courier_authdaemon_t courier_tcpd_t:fd use; +allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; + +allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:process sigchld; +allow courier_authdaemon_t courier_tcpd_t:fd use; +allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; + +corecmd_search_sbin(courier_authdaemon_t) + +# for SSP +dev_read_urand(courier_authdaemon_t) + +files_getattr_tmp_dirs(courier_authdaemon_t) + +auth_domtrans_chk_passwd(courier_authdaemon_t) + +libs_read_lib_files(courier_authdaemon_t) + +miscfiles_read_localization(courier_authdaemon_t) + +# should not be needed! +userdom_search_unpriv_users_home_dirs(courier_authdaemon_t) +userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t) + +courier_domtrans_pop(courier_authdaemon_t) + +######################################## +# +# Calendar (PCP) local policy +# + +allow courier_pcp_t self:capability { setuid setgid }; + +dev_read_rand(courier_pcp_t) + +######################################## +# +# POP3/IMAP local policy +# + +allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; +allow courier_pop_t courier_authdaemon_t:process sigchld; + +allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; + +# inherits file handle - should it? +allow courier_pop_t courier_var_lib_t:file { read write }; + +miscfiles_read_localization(courier_pop_t) + +courier_domtrans_authdaemon(courier_pop_t) + +# do the actual work (read the Maildir) +userdom_manage_unpriv_users_home_content_files(courier_pop_t) +# cjp: the fact that this is different for pop vs imap means that +# there should probably be a courier_pop_t and courier_imap_t +# this should also probably be a separate type too instead of +# the regular home dir +userdom_manage_unpriv_users_home_content_dirs(courier_pop_t) + +######################################## +# +# TCPd local policy +# + +allow courier_tcpd_t self:capability kill; + +can_exec(courier_tcpd_t, courier_exec_t) + +allow courier_tcpd_t courier_var_lib_t:dir rw_dir_perms; +allow courier_tcpd_t courier_var_lib_t:file manage_file_perms; +allow courier_tcpd_t courier_var_lib_t:lnk_file create_lnk_perms; +files_search_var_lib(courier_tcpd_t) + +corecmd_search_sbin(courier_tcpd_t) + +corenet_tcp_bind_pop_port(courier_tcpd_t) + +# for TLS +dev_read_rand(courier_tcpd_t) +dev_read_urand(courier_tcpd_t) + +miscfiles_read_localization(courier_tcpd_t) + +courier_domtrans_pop(courier_tcpd_t) + +######################################## +# +# Webmail local policy +# + +kernel_read_kernel_sysctls(courier_sqwebmail_t) + +optional_policy(` + cron_system_entry(courier_sqwebmail_t,courier_sqwebmail_exec_t) +') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index e164247f..6c3834cc 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -4350,6 +4350,49 @@ interface(`userdom_read_unpriv_users_home_content_files',` allow $1 user_home_type:file r_file_perms; ') +######################################## +## +## Create, read, write, and delete directories in +## unprivileged users home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_unpriv_users_home_content_dirs',` + gen_require(` + attribute user_home_dir_type, user_home_type; + ') + + files_search_home($1) + allow $1 user_home_dir_type:dir search_dir_perms; + allow $1 user_home_type:dir manage_dir_perms; +') + +######################################## +## +## Create, read, write, and delete files in +## unprivileged users home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_unpriv_users_home_content_files',` + gen_require(` + attribute user_home_dir_type, user_home_type; + ') + + files_search_home($1) + allow $1 user_home_dir_type:dir search_dir_perms; + allow $1 user_home_type:dir rw_dir_perms; + allow $1 user_home_type:file manage_file_perms; +') + ######################################## ## ## Set the attributes of user ptys. diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index ec133d3c..c5a49548 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.3.9) +policy_module(userdomain,1.3.10) gen_require(` role sysadm_r, staff_r, user_r;