commit: 59c8beea03614be56f98381144d1bb695d882d2e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 23 19:01:16 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=59c8beea
Mail Infrastructure Policy
The mail infrastructure policy uses the common mail infrastructure
terminology for its attributes, and provides a common interface for mail
related infrastructure to use SELinux.
---
policy/modules/contrib/mail.fc | 7 +
policy/modules/contrib/mail.if | 770 +++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/mail.te | 91 +++++
3 files changed, 868 insertions(+)
diff --git a/policy/modules/contrib/mail.fc b/policy/modules/contrib/mail.fc
new file mode 100644
index 0000000..1f0437e
--- /dev/null
+++ b/policy/modules/contrib/mail.fc
@@ -0,0 +1,7 @@
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.maildir(/.*)?
gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/etc/mail(/.*)? gen_context(system_u:object_r:mail_etc_t,s0)
+
+# Only effective files are labeled as sendmail_exec_t, esp. symlinks should
remain bin_t
+/usr/sbin/sendmail --
gen_context(system_u:object_r:sendmail_exec_t,s0)
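Review bot: No entry in this file labels the aliases database with mail_aliases_t, although mail.te declares that type and mail.if builds mail_read_aliases / mail_manage_aliases around it; the only /etc rule here is `/etc/mail(/.*)?`, which labels everything beneath it mail_etc_t. If the aliases labeling is still meant to come from mta.fc through the etc_aliases_t alias that is workable for now, but once this module replaces mta it needs its own entries, e.g. `/etc/aliases -- gen_context(system_u:object_r:mail_aliases_t,s0)` plus the matching .db entry. The comment at the top of the sendmail entry would also read better as `# Only the real sendmail binary is sendmail_exec_t; symlinks to it stay bin_t`.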
diff --git a/policy/modules/contrib/mail.if b/policy/modules/contrib/mail.if
new file mode 100644
index 0000000..b6badab
--- /dev/null
+++ b/policy/modules/contrib/mail.if
@@ -0,0 +1,770 @@
+## <summary>Common e-mail infrastructure policy</summary>
+
+#########################################
+## <summary>
+## Role access for mail access and usage
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mail_role',`
+ gen_require(`
+ attribute_role user_sendmail_roles;
+ attribute mail_submission_agent;
+ type mail_home_rw_t;
+ type mail_home_t;
+ type sendmail_exec_t;
+ type user_sendmail_t;
+ ')
+
+ roleattribute $1 user_sendmail_roles;
+ role $1 types mail_submission_agent;
+
+ # End users can invoke sendmail to send e-mails
+ domtrans_pattern($2, sendmail_exec_t, user_sendmail_t)
+
+ allow $2 user_sendmail_t:process { ptrace signal_perms };
+ ps_process_pattern($2, user_sendmail_t)
+
+ allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
+ userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
+
+ allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
+
+ optional_policy(`
+ exim_run($2, $1)
+ ')
+
+ optional_policy(`
+ mailman_run($2, $1)
+ ')
+')
+
+#########################################
+## <summary>
+## Execute sendmail and interact with the system_sendmail_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute and transition
+## </summary>
+## </param>
+#
+interface(`mail_run_sendmail',`
+ gen_require(`
+ type system_sendmail_t;
+ ')
+
+ mail_domtrans_sendmail($1)
+
+ allow $1 system_sendmail_t:process { signal };
+')
+
+#########################################
+## <summary>
+## Execute sendmail and transition to the system_sendmail_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute and transition
+## </summary>
+## </param>
+#
+interface(`mail_domtrans_sendmail',`
+ gen_require(`
+ type system_sendmail_t;
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sendmail_exec_t, system_sendmail_t)
+')
+
+#########################################
+## <summary>
+## Execute sendmail in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_exec_sendmail',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, sendmail_exec_t)
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail content type (mail generated by or for a mail
user agent)
+## </summary>
+## <param name="type">
+## <summary>
+## Type to mark as mail content
+## </summary>
+## </param>
+#
+interface(`mail_content_type',`
+ gen_require(`
+ attribute mail_content;
+ ')
+
+ typeattribute $1 mail_content;
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail deliver agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_delivery_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_delivery_agent_type',`
+ gen_require(`
+ attribute mail_delivery_agent;
+ ')
+
+ typeattribute $1 mail_delivery_agent;
+')
+
+#########################################
+## <summary>
+## Assign all privileges for the domain to act as a mail delivery agent
(MDA)
+## </summary>
+## <param name="domain">
+## <summary>
+## Type or attribute to assign MDA privileges to
+## </summary>
+## </param>
+#
+interface(`mail_delivery_agent_privs',`
+ gen_require(`
+ type mail_home_rw_t;
+ type mail_etc_t;
+ ')
+
+ # Read mail settings
+ read_files_pattern($1, mail_etc_t, mail_etc_t)
+ # Manage user mail files
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail submission agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_submission_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_submission_agent_type',`
+ gen_require(`
+ attribute mail_submission_agent;
+ ')
+
+ typeattribute $1 mail_submission_agent;
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail transfer agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_transfer_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_transfer_agent_type',`
+ gen_require(`
+ attribute mail_transfer_agent;
+ ')
+
+ typeattribute $1 mail_transfer_agent;
+')
+
+#########################################
+## <summary>
+## Assign all privileges for the domain to act as a mail transfer agent
(MTA)
+## </summary>
+## <param name="domain">
+## <summary>
+## Type or attribute to assign MTA privileges to
+## </summary>
+## </param>
+#
+interface(`mail_transfer_agent_privs',`
+ gen_require(`
+ type mail_etc_t;
+ ')
+
+ read_files_pattern($1, mail_etc_t, mail_etc_t)
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail user agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_user_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_type',`
+ gen_require(`
+ attribute mail_user_agent;
+ ')
+
+ typeattribute $1 mail_user_agent;
+')
+
+#########################################
+## <summary>
+## Assign all privileges for the domain to act as a mail user agent (MUA)
+## </summary>
+## <param name="domain">
+## <summary>
+## Type or attribute to assign MUA privileges to
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_privs',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ # Manage user mail files
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+
+ # Call sendmail to send out mails
+ domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)
+')
+
+#########################################
+## <summary>
+## Read mail aliases files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_aliases',`
+ gen_require(`
+ type mail_etc_t;
+ type mail_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 mail_etc_t:dir list_dir_perms;
+ allow $1 mail_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 mail_aliases_t:file read_file_perms;
+')
+
+#########################################
+## <summary>
+## Create specified object in generic etc directories with the mail
aliases type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## The object class of the object being created
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created
+## </summary>
+## </param>
+#
+interface(`mail_generic_etc_filetrans_aliases',`
+ gen_require(`
+ type mail_aliases_t;
+ ')
+
+ files_etc_filetrans($1, mail_aliases_t, $2, $3)
+')
+
+#########################################
+## <summary>
+## Create specified object in the specified directory type with the mail
aliases type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="dir_type">
+## <summary>
+## Directory to transition on
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## The object class of the object being created
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created
+## </summary>
+## </param>
+#
+interface(`mail_spec_filetrans_aliases',`
+ gen_require(`
+ type mail_aliases_t;
+ ')
+
+ filetrans_pattern($1, $2, mail_aliases_t, $3, $4)
+')
+
+#########################################
+## <summary>
+## Manage mail aliases files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_aliases',`
+ gen_require(`
+ type mail_etc_t;
+ type mail_aliases_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, { mail_aliases_t mail_etc_t }, mail_aliases_t)
+ manage_lnk_files_pattern($1, { mail_aliases_t mail_etc_t },
mail_aliases_t)
+')
+
+#########################################
+## <summary>
+## Do not audit attempts to read and write TCP sockets of mail delivery
agents
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit
+## </summary>
+## </param>
+#
+interface(`mail_dontaudit_rw_delivery_agent_tcp_sockets',`
+ gen_require(`
+ attribute mail_delivery_agent;
+ ')
+
+ dontaudit $1 mail_delivery_agent:tcp_socket { read write };
+')
+
+#########################################
+## <summary>
+## Read mail configuration / miscellaneous files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_etc',`
+ gen_require(`
+ type mail_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 mail_etc_t:dir list_dir_perms;
+ allow $1 mail_etc_t:file read_file_perms;
+ allow $1 mail_etc_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+## Read and write mail configuration / miscellaneous files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_rw_etc',`
+ gen_require(`
+ type mail_etc_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, mail_etc_t, mail_etc_t)
+')
+
+#########################################
+## <summary>
+## Read mail home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mail_home_t:file read_file_perms;
+')
+
+#########################################
+## <summary>
+## Manage mail home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_home_files',`
+ gen_require(`
+ type mail_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mail_home_t:file manage_file_perms;
+')
+
+#########################################
+## <summary>
+## Manage mail read/write home resources (files accessible and manageable
+## by the mail domains).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_home_rw',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+')
+
+#########################################
+## <summary>
+## Get attributes of the mail queue content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_getattr_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_queue_t:dir list_dir_perms;
+ getattr_files_pattern($1, mail_queue_t, mail_queue_t)
+ read_lnk_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Do not audit getting the attributes of the mail queue content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_dontaudit_getattr_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_dontaudit_search_queue($1)
+ dontaudit $1 mail_queue_t:dir list_dir_perms;
+ dontaudit $1 mail_queue_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 mail_queue_t:file getattr_file_perms;
+')
+
+#########################################
+## <summary>
+## Search through mail queue directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_search_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_queue_t:dir search_dir_perms;
+')
+
+#########################################
+## <summary>
+## List mail queue directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_list_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_queue_t:dir list_dir_perms;
+')
+
+#########################################
+## <summary>
+## Read mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Do not audit attempts to read the mail queue symlinks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mail_dontaudit_read_queue_symlinks',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ dontaudit $1 mail_queue_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+## Read and write mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_rw_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mail_queue_t:dir list_dir_perms;
+ allow $1 mail_queue_t:file rw_file_perms;
+ allow $1 mail_queue_t:lnk_file read_lnk_file_perms;
+')
+
+#########################################
+## <summary>
+## Do not audit attempts to read and write mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit
+## </summary>
+## </param>
+#
+interface(`mail_dontaudit_rw_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ dontaudit $1 mail_queue_t:dir search_dir_perms;
+ dontaudit $1 mail_queue_t:file rw_file_perms;
+')
+
+#########################################
+## <summary>
+## Create specified objects in the mail queue directory with a specified
type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="target_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## The class of the object being created
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created
+## </summary>
+## </param>
+#
+interface(`mail_queue_filetrans',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ filetrans_pattern($1, mail_queue_t, $2, $3, $4)
+')
+
+#########################################
+## <summary>
+## Delete mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_delete_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+ delete_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Manage mail queue files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_queue_files',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+
+ allow $1 mail_queue_t:dir list_dir_perms;
+ allow $1 mail_queue_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Manage mail queue resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_manage_queue',`
+ gen_require(`
+ type mail_queue_t;
+ ')
+
+ files_search_spool($1)
+
+ manage_dirs_pattern($1, mail_queue_t, mail_queue_t)
+ manage_files_pattern($1, mail_queue_t, mail_queue_t)
+ manage_lnk_files_pattern($1, mail_queue_t, mail_queue_t)
+')
+
+#########################################
+## <summary>
+## Read sendmail binary
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mail_read_sendmail_executable',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ allow $1 sendmail_exec_t:file read_file_perms;
+')
+
+
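Review bot: mail_user_agent_privs uses sendmail_exec_t and user_sendmail_t in its domtrans_pattern call but its gen_require only lists mail_home_rw_t, so the interface expands fine inside mail.te yet fails to link when any other module calls it; add `type sendmail_exec_t;` and `type user_sendmail_t;` to that gen_require (and a `corecmd_search_bin($1)` as mail_domtrans_sendmail already does). mail_rw_etc is documented as "Read and write" but only calls write_files_pattern, which does not grant read; `rw_files_pattern($1, mail_etc_t, mail_etc_t)` matches the summary. mail_dontaudit_rw_queue_files calls files_search_spool, which adds an allow rule inside a dontaudit interface, and mail_dontaudit_getattr_queue calls files_dontaudit_search_queue while every other queue interface here goes through files_search_spool; if that name is not defined in files.if the module will not build, and files_dontaudit_search_spool appears to be the intended counterpart in both places.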
diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te
new file mode 100644
index 0000000..71bc6a4
--- /dev/null
+++ b/policy/modules/contrib/mail.te
@@ -0,0 +1,91 @@
+policy_module(mailinfra, 1.0)
+
+# This will become the new mta when finished. For now, use a different name
+
+#########################################
+#
+# Declarations
+#
+
+# Domain attributes, see
http://en.wikipedia.org/wiki/Email_agent_%28infrastructure%29
+attribute mail_user_agent;
+attribute mail_submission_agent;
+attribute mail_transfer_agent;
+attribute mail_delivery_agent;
+attribute mail_retrieval_agent;
+
+# Resource attributes
+attribute mail_content;
+
+# Access to user-based sendmail
+attribute_role user_sendmail_roles;
+
+# TODO deleteme
+attribute mta_exec_type;
+type system_mail_t;
+application_type(system_mail_t)
+attribute mta_user_agent;
+attribute user_mail_domain;
+attribute mailserver_domain;
+attribute mailserver_sender;
+attribute mailserver_delivery;
+
+# Generic domain types
+type sendmail_exec_t;
+
+type user_sendmail_t;
+userdom_user_application_domain(user_sendmail_t, sendmail_exec_t)
+role user_sendmail_roles types user_sendmail_t;
+
+type system_sendmail_t;
+application_domain(system_sendmail_t, sendmail_exec_t)
+
+# Generic types
+type mail_aliases_t alias etc_aliases_t;
+files_type(mail_aliases_t)
+
+type mail_etc_t alias etc_mail_t;
+files_config_file(mail_etc_t)
+
+# Files manageable by end user but read-only for the mail_*_agent domains
+type mail_home_t;
+userdom_user_home_content(mail_home_t)
+
+type mail_home_rw_t;
+userdom_user_home_content(mail_home_rw_t)
+
+type mail_queue_t;
+files_mountpoint(mail_queue_t)
+
+#########################################
+#
+# Mail Delivery Agent policy
+#
+
+mail_delivery_agent_privs(mail_delivery_agent)
+
+#########################################
+#
+# Mail Transfer Agent policy
+#
+
+mail_transfer_agent_privs(mail_transfer_agent)
+
+#########################################
+#
+# Mail User Agent policy
+#
+
+mail_user_agent_privs(mail_user_agent)
+
+#########################################
+#
+# User-based sendmail domain
+#
+
+allow user_sendmail_t mail_content:file { read_file_perms append_file_perms };
+
+# Postfix implementation specifics
+ifdef(`use_postfix',`
+ postfix_user_sendmail_privs(user_sendmail_t)
+')
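Review bot: The `# TODO deleteme` block declares mta_exec_type, system_mail_t, mta_user_agent, user_mail_domain and the mailserver_* attributes, and the generic types carry the aliases etc_aliases_t and etc_mail_t; if mta.te is still part of the build these are duplicate declarations and the policy will fail to link, so the block should be guarded or dropped before the module is enabled alongside mta. mail_retrieval_agent is declared but no interface in mail.if assigns or uses it, and the comment on mail_home_t says it is read-only for the mail_*_agent domains while no rule in this file grants the agent attributes read access to it; a short comment such as `# read access for agent domains is granted via mail_read_home_files by each implementation` would make the intent explicit.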