## Policy common to all email tranfer agents. ######################################## ## ## MTA stub interface. No access allowed. ## ## ## N/A ## # interface(`mta_stub',` gen_require(` type sendmail_exec_t; ') ') ####################################### ## ## Basic mail transfer agent domain template. ## ## ##

## This template creates a derived domain which is ## a email transfer agent, which sends mail on ## behalf of the user. ##

##

## This is the basic types and rules, common ## to the system agent and user agents. ##

##
## ## The prefix of the domain (e.g., user ## is the prefix for user_t). ## # template(`mta_base_mail_template',` gen_require(` attribute user_mail_domain; type sendmail_exec_t; ') ############################## # # $1_mail_t declarations # type $1_mail_t, user_mail_domain; domain_type($1_mail_t) domain_entry_file($1_mail_t,sendmail_exec_t) type $1_mail_tmp_t; files_tmp_file($1_mail_tmp_t) ############################## # # $1_mail_t local policy # allow $1_mail_t self:capability { setuid setgid chown }; allow $1_mail_t self:process { signal_perms setrlimit }; allow $1_mail_t self:tcp_socket create_socket_perms; # re-exec itself can_exec($1_mail_t, sendmail_exec_t) allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms; kernel_read_kernel_sysctl($1_mail_t) corenet_tcp_sendrecv_all_if($1_mail_t) corenet_raw_sendrecv_all_if($1_mail_t) corenet_tcp_sendrecv_all_nodes($1_mail_t) corenet_raw_sendrecv_all_nodes($1_mail_t) corenet_tcp_sendrecv_all_ports($1_mail_t) corenet_non_ipsec_sendrecv($1_mail_t) corenet_tcp_bind_all_nodes($1_mail_t) corenet_tcp_connect_all_ports($1_mail_t) corenet_tcp_connect_smtp_port($1_mail_t) corecmd_exec_bin($1_mail_t) corecmd_search_sbin($1_mail_t) files_read_etc_files($1_mail_t) files_search_spool($1_mail_t) # It wants to check for nscd files_dontaudit_search_pids($1_mail_t) libs_use_ld_so($1_mail_t) libs_use_shared_libs($1_mail_t) logging_send_syslog_msg($1_mail_t) miscfiles_read_localization($1_mail_t) sysnet_read_config($1_mail_t) sysnet_dns_name_resolve($1_mail_t) optional_policy(`nis',` nis_use_ypbind($1_mail_t) ') optional_policy(`nscd',` nscd_use_socket($1_mail_t) ') optional_policy(`postfix',` postfix_domtrans_user_mail_handler($1_mail_t) ') optional_policy(`procmail',` procmail_exec($1_mail_t) ') optional_policy(`sendmail',` gen_require(` type etc_mail_t, mail_spool_t, mqueue_spool_t; ') allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms; allow $1_mail_t $1_mail_tmp_t:file create_file_perms; files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir }) allow $1_mail_t etc_mail_t:dir { getattr search }; # Write to /var/spool/mail and /var/spool/mqueue. allow $1_mail_t mail_spool_t:dir rw_dir_perms; allow $1_mail_t mail_spool_t:file create_file_perms; allow $1_mail_t mqueue_spool_t:dir rw_dir_perms; allow $1_mail_t mqueue_spool_t:file create_file_perms; # Check available space. fs_getattr_xattr_fs($1_mail_t) files_read_etc_runtime_files($1_mail_t) # Write to /var/log/sendmail.st sendmail_manage_log($1_mail_t) sendmail_create_log($1_mail_t) ') ifdef(`TODO',` ifdef(`qmail.te', ` allow $1_mail_t qmail_etc_t:dir search; allow $1_mail_t qmail_etc_t:{ file lnk_file } read; ') ') dnl end TODO ') ####################################### ## ## The per user domain template for the mta module. ## ## ##

## This template creates a derived domain which is ## a email transfer agent, which sends mail on ## behalf of the user. ##

##

## This template is invoked automatically for each user, and ## generally does not need to be invoked directly ## by policy writers. ##

##
## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## The type of the user domain. ## ## ## The role associated with the user domain. ## # template(`mta_per_userdomain_template',` gen_require(` attribute mailserver_domain, mta_user_agent; attribute mailserver_delivery, user_mail_domain; type sendmail_exec_t; ') mta_base_mail_template($1) role $3 types $1_mail_t; ############################## # # $1_mail_t local policy # # Transition from the user domain to the derived domain. domain_auto_trans($2, sendmail_exec_t, $1_mail_t) allow $2 sendmail_exec_t:lnk_file { getattr read }; allow $2 $1_mail_t:fd use; allow $1_mail_t $2:fd use; allow $1_mail_t $2:fifo_file rw_file_perms; allow $1_mail_t $2:process sigchld; # For when the user wants to send mail via port 25 localhost kernel_tcp_recvfrom($2) allow $2 mailserver_domain:tcp_socket { connectto recvfrom }; allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom }; domain_use_wide_inherit_fd($1_mail_t) userdom_use_user_terminals($1,$1_mail_t) # Write to the user domain tty. cjp: why? userdom_use_user_terminals($1,mta_user_agent) # Create dead.letter in user home directories. userdom_manage_user_home_subdir_files($1,$1_mail_t) userdom_create_user_home($1,$1_mail_t,file) # for reading .forward - maybe we need a new type for it? # also for delivering mail to maildir userdom_manage_user_home_subdirs($1,mailserver_delivery) userdom_manage_user_home_subdir_files($1,mailserver_delivery) userdom_manage_user_home_subdir_symlinks($1,mailserver_delivery) userdom_manage_user_home_subdir_pipes($1,mailserver_delivery) userdom_manage_user_home_subdir_sockets($1,mailserver_delivery) userdom_create_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files($1_mail_t) fs_manage_cifs_symlinks($1_mail_t) ') optional_policy(`postfix',` allow $1_mail_t self:capability dac_override; postfix_read_config($1_mail_t) postfix_list_spool($1_mail_t) ') ifdef(`TODO',` # Read user temporary files. allow $1_mail_t $1_tmp_t:file r_file_perms; dontaudit $1_mail_t $1_tmp_t:file append; ifdef(`postfix.te',` # postfix seems to need write access if the file handle is opened read/write allow $1_mail_t $1_tmp_t:file write; ') allow mta_user_agent $1_tmp_t:file r_file_perms; # if you do not want to allow dead.letter then use the following instead #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; #allow $1_mail_t $1_home_t:file r_file_perms; ') dnl end TODO ') ######################################## ## ## Provide extra permissions for admin users ## mail domain. ## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## The type of the user domain. ## # template(`mta_admin_template',` ifdef(`strict_policy',` # allow the sysadmin to do "mail someone < /home/user/whatever" userdom_read_unpriv_user_home_files($1_mail_t) ') optional_policy(`postfix',` gen_require(` attribute mta_user_agent; type etc_aliases_t; ') allow mta_user_agent $2:fifo_file { read write }; allow $1_mail_t etc_aliases_t:dir create_dir_perms; allow $1_mail_t etc_aliases_t:file create_file_perms; allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms; allow $1_mail_t etc_aliases_t:sock_file create_file_perms; allow $1_mail_t etc_aliases_t:fifo_file create_file_perms; files_create_etc_config($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file }) # postfix needs this for newaliases files_getattr_tmp_dir($1_mail_t) postfix_exec_master($1_mail_t) ifdef(`distro_redhat',` # compatability for old default main.cf postfix_create_config($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file }) ') ') ') ####################################### # # mta_mailserver(domain,entrypointtype) # interface(`mta_mailserver',` gen_require(` attribute mailserver_domain; ') # For when the user wants to send mail via port 25 localhost kernel_tcp_recvfrom($1) init_daemon_domain($1,$2) typeattribute $1 mailserver_domain; ') ######################################## ## ## Modified mailserver interface for ## sendmail daemon use. ## ## ##

## A modified MTA mail server interface for ## the sendmail program. It's design does ## not fit well with policy, and using the ## regular interface causes a type_transition ## conflict if direct running of init scripts ## is enabled. ##

##

## This interface should most likely only be used ## by the sendmail policy. ##

##
## ## The type to be used for the mail server. ## ## ## The type to be used for the domain entry point program. ## interface(`mta_sendmail_mailserver',` gen_require(` attribute mailserver_domain; type sendmail_exec_t; ') # For when the user wants to send mail via port 25 localhost kernel_tcp_recvfrom($1) init_system_domain($1,sendmail_exec_t) typeattribute $1 mailserver_domain; ') ####################################### ## ## Make a type a mailserver type used ## for sending mail. ## ## ## Mail server domain type used for sending mail. ## # interface(`mta_mailserver_sender',` gen_require(` attribute mailserver_sender; ') typeattribute $1 mailserver_sender; ') ####################################### ## ## Make a type a mailserver type used ## for delivering mail to local users. ## ## ## Mail server domain type used for delivering mail. ## # interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; type mail_spool_t; ') typeattribute $1 mailserver_delivery; allow $1 mail_spool_t:dir ra_dir_perms; allow $1 mail_spool_t:file { create ioctl read getattr lock append }; allow $1 mail_spool_t:lnk_file { create read getattr }; optional_policy(`dovecot',` dovecot_manage_spool($1) ') optional_policy(`mailman',` # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib($1) mailman_domtrans($1) mailman_read_data_symlinks($1) ') ') ####################################### ## ## Make a type a mailserver type used ## for sending mail on behalf of local ## users to the local mail spool. ## ## ## Mail server domain type used for sending local mail. ## # interface(`mta_mailserver_user_agent',` gen_require(` attribute mta_user_agent; ') typeattribute $1 mta_user_agent; optional_policy(`apache',` # apache should set close-on-exec apache_dontaudit_rw_stream_socket($1) apache_dontaudit_rw_sys_script_stream_socket($1) ') ') ####################################### # # mta_send_mail(domain) # interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; type system_mail_t, sendmail_exec_t; ') allow $1 sendmail_exec_t:lnk_file r_file_perms; domain_auto_trans($1, sendmail_exec_t, system_mail_t) allow $1 system_mail_t:fd use; allow system_mail_t $1:fd use; allow system_mail_t $1:fifo_file rw_file_perms; allow system_mail_t $1:process sigchld; allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file { read write }; ') ####################################### # # mta_exec(domain) # interface(`mta_exec',` gen_require(` type sendmail_exec_t; ') can_exec($1, sendmail_exec_t) ') ######################################## ## ## Read mail server configuration. ## ## ## The type of the process performing this action. ## # interface(`mta_read_config',` gen_require(` type etc_mail_t; ') files_search_etc($1) allow $1 etc_mail_t:dir list_dir_perms; allow $1 etc_mail_t:file r_file_perms; allow $1 etc_mail_t:lnk_file { getattr read }; ') ######################################## ## ## Read mail address aliases. ## ## ## The type of the process performing this action. ## # interface(`mta_read_aliases',` gen_require(` type etc_aliases_t; class file r_file_perms; ') files_search_etc($1) allow $1 etc_aliases_t:file r_file_perms; ') ####################################### # # mta_rw_aliases(domain) # interface(`mta_rw_aliases',` gen_require(` type etc_aliases_t; class file { rw_file_perms setattr }; ') files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') ####################################### ## ## Do not audit attempts to read and write TCP ## sockets of mail delivery domains. ## ## ## Mail server domain. ## # interface(`mta_dontaudit_rw_delivery_tcp_socket',` gen_require(` attribute mailserver_delivery; ') dontaudit $1 mailserver_delivery:tcp_socket { read write }; ') ####################################### ## ## Connect to all mail servers over TCP. ## ## ## Mail server domain. ## # interface(`mta_tcp_connect_all_mailservers',` gen_require(` attribute mailserver_domain; ') allow $1 mailserver_domain:tcp_socket { connectto recvfrom }; allow mailserver_domain $1:tcp_socket { acceptfrom recvfrom }; kernel_tcp_recvfrom($1) ') ####################################### ## ## Do not audit attempts to read a symlink ## in the mail spool. ## ## ## Domain allowed access. ## # interface(`mta_dontaudit_read_spool_symlink',` gen_require(` type mail_spool_t; class lnk_file read; ') dontaudit $1 mail_spool_t:lnk_file read; ') ####################################### # # mta_getattr_spool(domain) # interface(`mta_getattr_spool',` gen_require(` type mail_spool_t; class dir r_dir_perms; class file getattr; class lnk_file read; ') files_search_spool($1) allow $1 mail_spool_t:dir r_dir_perms; allow $1 mail_spool_t:lnk_file read; allow $1 mail_spool_t:file getattr; ') ####################################### # # mta_rw_spool(domain) # interface(`mta_rw_spool',` gen_require(` type mail_spool_t; class dir r_dir_perms; class lnk_file { getattr read }; class file { rw_file_perms setattr }; ') files_search_spool($1) allow $1 mail_spool_t:dir r_dir_perms; allow $1 mail_spool_t:lnk_file { getattr read }; allow $1 mail_spool_t:file { rw_file_perms setattr }; ') ####################################### ## ## Create, read, and write the mail spool. ## ## ## Domain allowed access. ## # interface(`mta_append_spool',` gen_require(` type mail_spool_t; class dir ra_dir_perms; class lnk_file { getattr read }; class file create_file_perms; ') files_search_spool($1) allow $1 mail_spool_t:dir ra_dir_perms; allow $1 mail_spool_t:lnk_file { getattr read }; allow $1 mail_spool_t:file create_file_perms; ') ####################################### ## ## Delete from the mail spool. ## ## ## Domain allowed access. ## # interface(`mta_delete_spool',` gen_require(` type mail_spool_t; ') files_search_spool($1) allow $1 mail_spool_t:dir { list_dir_perms write remove_name }; allow $1 mail_spool_t:file unlink; ') ####################################### # # mta_manage_spool(domain) # interface(`mta_manage_spool',` gen_require(` type mail_spool_t; ') files_search_spool($1) allow $1 mail_spool_t:dir manage_dir_perms; allow $1 mail_spool_t:lnk_file create_lnk_perms; allow $1 mail_spool_t:file manage_file_perms; ') ####################################### ## ## Do not audit attempts to read and ## write the mail queue. ## ## ## Domain to not audit. ## # interface(`mta_dontaudit_rw_queue',` gen_require(` type mqueue_spool_t; ') dontaudit $1 mqueue_spool_t:file { getattr read write }; ') ####################################### # # mta_manage_queue(domain) # interface(`mta_manage_queue',` gen_require(` type mqueue_spool_t; class dir rw_dir_perms; class file create_file_perms; ') files_search_spool($1) allow $1 mqueue_spool_t:dir rw_dir_perms; allow $1 mqueue_spool_t:file create_file_perms; ') ####################################### ## ## Read sendmail binary. ## ## ## Domain allowed access. ## # # cjp: added for postfix interface(`mta_read_sendmail_bin',` gen_require(` type sendmail_exec_t; ') allow $1 sendmail_exec_t:file r_file_perms; ') ####################################### ## ## Read and write unix domain stream sockets ## of user mail domains. ## ## ## Domain allowed access. ## # interface(`mta_rw_user_mail_stream_socket',` gen_require(` attribute user_mail_domain; ') allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ')