commit: b7cab4f7955034ccbfc097c0214f5b6071e2d6f4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:01:16 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Aug 23 19:01:16 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b7cab4f7
Initial policy
---
policy/modules/contrib/mail.fc | 7 +++
policy/modules/contrib/mail.if | 99 ++++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/mail.te | 85 ++++++++++++++++++++++++++++++++++++
3 files changed, 191 insertions(+)
diff --git a/policy/modules/contrib/mail.fc b/policy/modules/contrib/mail.fc
new file mode 100644
index 0000000..1f0437e
--- /dev/null
+++ b/policy/modules/contrib/mail.fc
@@ -0,0 +1,7 @@
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.maildir(/.*)?
gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/etc/mail(/.*)? gen_context(system_u:object_r:mail_etc_t,s0)
+
+# Only effective files are labeled as sendmail_exec_t, esp. symlinks should
remain bin_t
+/usr/sbin/sendmail --
gen_context(system_u:object_r:sendmail_exec_t,s0)
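Review bot: mail.te declares `mail_aliases_t` (alias `etc_aliases_t`) but no file context here assigns it, so an aliases database under /etc/mail would fall under the `/etc/mail(/.*)?` pattern and be labeled `mail_etc_t`, which `files_config_file()` exposes as generic configuration. If the aliases type is meant to stay distinct (it is writable by alias-rebuilding tools in the existing mta policy, so it presumably should), add explicit entries before the directory pattern, e.g. `/etc/aliases(\.db)? -- gen_context(system_u:object_r:mail_aliases_t,s0)` and `/etc/mail/aliases(\.db)? -- gen_context(system_u:object_r:mail_aliases_t,s0)`. Whether other MTAs keep their aliases elsewhere is not visible from this file, so the exact paths should be confirmed against the old mta.fc.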
diff --git a/policy/modules/contrib/mail.if b/policy/modules/contrib/mail.if
new file mode 100644
index 0000000..e451d9c
--- /dev/null
+++ b/policy/modules/contrib/mail.if
@@ -0,0 +1,99 @@
+## <summary>Common e-mail infrastructure policy</summary>
+
+#########################################
+## <summary>
+## Role access for mail access and usage
+##</summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mail_role',`
+ gen_require(`
+ attribute_role user_sendmail_roles;
+ type mail_home_rw_t;
+ type sendmail_exec_t;
+ type user_sendmail_t;
+ ')
+
+ roleattribute $1 user_sendmail_roles;
+
+ domtrans_pattern($2, sendmail_exec_t, user_sendmail_t)
+
+ allow $2 user_sendmail_t:process { ptrace signal_perms };
+ ps_process_pattern($2, user_sendmail_t)
+
+ allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail content type (mail generated by or for a mail
user agent)
+## </summary>
+## <param name="type">
+## <summary>
+## Type to mark as mail content
+## </summary>
+## </param>
+#
+interface(`mail_content_type',`
+ gen_require(`
+ attribute mail_content;
+ ')
+
+ typeattribute $1 mail_content;
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail user agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_user_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_type',`
+ gen_require(`
+ attribute mail_user_agent;
+ ')
+
+ typeattribute $1 mail_user_agent;
+')
+
+#########################################
+## <summary>
+## Assign all privileges for the domain to act as a mail user agent (MUA)
+## </summary>
+## <param name="domain">
+## <summary>
+## Type or attribute to assign MUA privileges to
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_privs',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ # Manage user mail files
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+
+ # Call sendmail to send out mails
+ domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)
+')
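Review bot: `mail_user_agent_privs` calls `domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)` but its `gen_require` block only lists `mail_home_rw_t`, so any module other than mailinfra that invokes this interface will fail to build with an undeclared-type error (it only works from mail.te because the types are declared there). The require block should read `type mail_home_rw_t, sendmail_exec_t, user_sendmail_t;`. Separately, `mail_role` grants `$2 user_sendmail_t:process { ptrace ... }` unconditionally; if this tree carries the `deny_ptrace` tunable used elsewhere in refpolicy, the ptrace permission should be moved under it so a user domain cannot attach to the sendmail process by default.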
diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te
new file mode 100644
index 0000000..68af687
--- /dev/null
+++ b/policy/modules/contrib/mail.te
@@ -0,0 +1,85 @@
+policy_module(mailinfra, 1.0)
+
+# This will become the new mta when finished. For now, use a different name
+
+#########################################
+#
+# Declarations
+#
+
+# Domain attributes, see
http://en.wikipedia.org/wiki/Email_agent_%28infrastructure%29
+attribute mail_user_agent;
+attribute mail_submission_agent;
+attribute mail_transfer_agent;
+attribute mail_delivery_agent;
+attribute mail_retrieval_agent;
+
+# Resource attributes
+attribute mail_content;
+
+# Access to user-based sendmail
+attribute_role user_sendmail_roles;
+
+# TODO deleteme
+attribute mta_exec_type;
+type system_mail_t;
+application_type(system_mail_t)
+attribute mta_user_agent;
+type mail_spool_t;
+attribute user_mail_domain;
+attribute mailserver_domain;
+attribute mailserver_sender;
+attribute mailserver_delivery;
+
+# Generic domain types
+type sendmail_exec_t;
+
+type user_sendmail_t;
+userdom_user_application_domain(user_sendmail_t, sendmail_exec_t)
+role user_sendmail_roles types user_sendmail_t;
+
+type system_sendmail_t;
+
+# Generic types
+type mail_aliases_t alias etc_aliases_t;
+files_type(mail_aliases_t)
+
+type mail_etc_t alias etc_mail_t;
+files_config_file(mail_etc_t)
+
+type mail_home_rw_t;
+userdom_user_home_content(mail_home_rw_t)
+
+#########################################
+#
+# Mail User Agent policy
+#
+
+mail_user_agent_privs(mail_user_agent)
+
+#########################################
+#
+# User-based sendmail domain
+#
+
+allow user_sendmail_t mail_content:file { read_file_perms append_file_perms };
+
+miscfiles_read_localization(user_sendmail_t)
+
+# Postfix implementation specifics
+ifdef(`use_postfix',`
+ # TODO Bring this into a postfix_sendmail_privs interface
+ allow user_sendmail_t self:process { setrlimit };
+ allow user_sendmail_t self:tcp_socket create_socket_perms;
+ allow user_sendmail_t self:unix_dgram_socket create_socket_perms;
+
+ kernel_read_network_state(user_sendmail_t)
+
+ auth_use_nsswitch(user_sendmail_t)
+
+ logging_send_syslog_msg(user_sendmail_t)
+
+ postfix_domtrans_postdrop(user_sendmail_t)
+ postfix_read_config(user_sendmail_t)
+ postfix_read_spool_files(user_sendmail_t)
+')
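Review bot: The `postfix_*` interface calls inside the `ifdef(`use_postfix'` block are not wrapped in `optional_policy()`, so the module fails to link whenever `use_postfix` is defined but the postfix module is absent; refpolicy convention is to keep cross-module calls in `optional_policy(`` blocks regardless of the surrounding ifdef. I would also add a comment above the ifdef stating where `use_postfix` is expected to be defined, since nothing in this file defines it and a reader cannot tell whether it is a build-time define or a leftover. Finally, `system_sendmail_t` is declared with no domain or application attribute while the parallel `user_sendmail_t` gets `userdom_user_application_domain()`; if it is a placeholder it should carry a TODO like the `deleteme` group above, otherwise it needs a domain type assignment before anything can transition to it.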