policy_module(mta,1.0) ######################################## # # Declarations # attribute mta_user_agent; attribute mailserver_delivery; attribute mailserver_domain; attribute mailserver_sender; attribute user_mail_domain; type etc_aliases_t; files_type(etc_aliases_t) type etc_mail_t; files_config_file(etc_mail_t) type mqueue_spool_t; files_type(mqueue_spool_t) type mail_spool_t; files_type(mail_spool_t) type sendmail_exec_t; files_type(sendmail_exec_t) type system_mail_t, user_mail_domain; domain_type(system_mail_t) domain_entry_file(system_mail_t,sendmail_exec_t) role system_r types system_mail_t; # cjp: need to resolve this, but require{} # does not work in the else part of the optional #ifdef(`targeted_policy',`',` # optional_policy(`sendmail.te',`',` # init_system_domain(system_mail_t,sendmail_exec_t) # ') #') ######################################## # # System mail local policy # allow system_mail_t self:capability { setuid setgid chown }; allow system_mail_t self:process { signal_perms setrlimit }; allow system_mail_t self:tcp_socket create_socket_perms; # re-exec itself can_exec(system_mail_t, sendmail_exec_t) allow system_mail_t sendmail_exec_t:lnk_file r_file_perms; kernel_read_kernel_sysctl(system_mail_t) kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) corenet_tcp_sendrecv_all_if(system_mail_t) corenet_raw_sendrecv_all_if(system_mail_t) corenet_tcp_sendrecv_all_nodes(system_mail_t) corenet_raw_sendrecv_all_nodes(system_mail_t) corenet_tcp_sendrecv_all_ports(system_mail_t) corenet_tcp_bind_all_nodes(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) fs_getattr_xattr_fs(system_mail_t) init_use_script_pty(system_mail_t) files_read_etc_files(system_mail_t) files_read_etc_runtime_files(system_mail_t) files_search_spool(system_mail_t) # It wants to check for nscd files_dontaudit_search_pids(system_mail_t) corecmd_exec_bin(system_mail_t) corecmd_search_sbin(system_mail_t) libs_use_ld_so(system_mail_t) libs_use_shared_libs(system_mail_t) logging_send_syslog_msg(system_mail_t) miscfiles_read_localization(system_mail_t) sysnet_read_config(system_mail_t) sysnet_dns_name_resolve(system_mail_t) userdom_use_sysadm_terms(system_mail_t) ifdef(`targeted_policy',` typealias system_mail_t alias sysadm_mail_t; allow system_mail_t etc_mail_t:file r_file_perms; allow system_mail_t mail_spool_t:dir create_dir_perms; allow system_mail_t mail_spool_t:file create_file_perms; allow system_mail_t mail_spool_t:lnk_file create_lnk_perms; allow system_mail_t mail_spool_t:fifo_file rw_file_perms; allow system_mail_t mqueue_spool_t:dir create_dir_perms; allow system_mail_t mqueue_spool_t:file create_file_perms; allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms; # for reading .forward - maybe we need a new type for it? # also for delivering mail to maildir # cjp: fix this to generic_user interfaces userdom_manage_user_home_subdirs(user,mailserver_delivery) userdom_manage_user_home_subdir_files(user,mailserver_delivery) userdom_manage_user_home_subdir_symlinks(user,mailserver_delivery) userdom_manage_user_home_subdir_pipes(user,mailserver_delivery) userdom_manage_user_home_subdir_sockets(user,mailserver_delivery) userdom_create_user_home(user,mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) # cjp: another require-in-else to resolve # optional_policy(`postfix.te',`',` corecmd_exec_bin(system_mail_t) corecmd_exec_sbin(system_mail_t) domain_exec_all_entry_files(system_mail_t) files_exec_etc_files(system_mail_t) libs_use_ld_so(system_mail_t) libs_use_shared_libs(system_mail_t) libs_exec_ld_so(system_mail_t) libs_exec_lib_files(system_mail_t) # ') ') optional_policy(`apache.te',` apache_read_squirrelmail_data(system_mail_t) apache_append_squirrelmail_data(system_mail_t) # apache should set close-on-exec apache_dontaudit_append_log(system_mail_t) apache_dontaudit_rw_stream_socket(system_mail_t) apache_dontaudit_rw_tcp_socket(system_mail_t) apache_dontaudit_rw_sys_script_stream_socket(system_mail_t) ') optional_policy(`cron.te',` cron_read_system_job_tmp_files(system_mail_t) ') optional_policy(`cvs.te',` cvs_read_data(system_mail_t) ') optional_policy(`logrotate.te',` logrotate_read_tmp_files(system_mail_t) ') optional_policy(`nis.te',` nis_use_ypbind(system_mail_t) ') optional_policy(`nscd.te',` nscd_use_socket(system_mail_t) ') optional_policy(`postfix.te',` postfix_stub(system_mail_t) allow system_mail_t etc_aliases_t:dir create_dir_perms; allow system_mail_t etc_aliases_t:file create_file_perms; allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms; allow system_mail_t etc_aliases_t:sock_file create_file_perms; allow system_mail_t etc_aliases_t:fifo_file create_file_perms; files_create_etc_config(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file }) optional_policy(`crond.te',` cron_crw_tcp_socket(system_mail_t) ') ') optional_policy(`sendmail.te',` sendmail_stub(system_mail_t) allow system_mail_t etc_mail_t:dir { getattr search }; # sendmail -q allow system_mail_t mqueue_spool_t:dir rw_dir_perms; allow system_mail_t mqueue_spool_t:file create_file_perms; ') ifdef(`TODO',` optional_policy(`procmail.te',` procmail_exec(system_mail_t) ') optional_policy(`sendmail.te',` allow system_mail_t { var_t var_spool_t }:dir getattr; dontaudit system_mail_t userpty_type:chr_file { getattr read write }; optional_policy(`crond.te', ` dontaudit system_mail_t system_crond_tmp_t:file append; ') ') ifdef(`targeted_policy',` allow system_mail_t { var_t var_spool_t }:dir getattr; ',` # allow the sysadmin to do "mail someone < /home/user/whatever" allow sysadm_mail_t user_home_dir_type:dir search; r_dir_file(sysadm_mail_t, user_home_type) ') optional_policy(`qmail.te',` allow system_mail_t qmail_etc_t:dir search; allow system_mail_t qmail_etc_t:{ file lnk_file } read; ') optional_policy(`arpwatch.te',` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data_dir(mta_delivery_agent) arpwatch_manage_tmp_files(system_mail_t) arpwatch_manage_tmp_files(mta_user_agent) ifdef(`hide_broken_symptoms', ` arpwatch_dontaudit_rw_packet_socket(system_mail_t) arpwatch_dontaudit_rw_packet_socket(mta_user_agent) ') ') ') dnl end TODO