commit: 0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 28 13:57:18 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:31:45 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d4b9fb4
misc small email changes (#704)
* Small changes to courier, dovecot, exim, postfix, and sendmail policy.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Removed an obsolete patch
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Added interfaces cron_rw_inherited_tmp_files and
systemd_dontaudit_connect_machined
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Use create_stream_socket_perms for unix connection to itself
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Removed unconfined_run_to
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Remove change for it to run from a user session
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
---------
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/courier.fc | 4 ++--
policy/modules/services/courier.te | 21 +++++++++++++++++++--
policy/modules/services/dovecot.te | 3 +++
policy/modules/services/exim.te | 3 ++-
policy/modules/services/mta.if | 1 +
policy/modules/services/mta.te | 32 ++++++++++++++++++++++++++++++++
policy/modules/services/postfix.if | 3 +++
policy/modules/services/postfix.te | 4 ++++
policy/modules/services/sendmail.te | 4 ++++
9 files changed, 70 insertions(+), 5 deletions(-)
diff --git a/policy/modules/services/courier.fc
b/policy/modules/services/courier.fc
index 0f56d60d8..28594264f 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -23,8 +23,8 @@
/usr/lib/courier/courier/courierpop.* --
gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/courier/imaplogin --
gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/courier/pcpd --
gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd --
gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d --
gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/imapd.* --
gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d.* --
gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/rootcerts(/.*)?
gen_context(system_u:object_r:courier_etc_t,s0)
/usr/lib/courier/sqwebmail/cleancache\.pl --
gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
/usr/lib/courier-imap/couriertcpd --
gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
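Review bot: The new patterns `/usr/lib/courier/imapd.*` and `/usr/lib/courier/pop3d.*` are unanchored suffixes, so they label as courier_pop_exec_t any regular file whose path merely starts with that prefix, including files in a subdirectory, because `.*` in file-context regexes also matches `/`. If the intent is only to cover the `-ssl` wrappers next to the plain binaries, `imapd(-ssl)?` and `pop3d(-ssl)?` are tighter and cannot pick up unexpected executables later installed under that directory. Which files actually live under /usr/lib/courier/ is not visible here, so the narrower form is worth confirming against an installed package.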
diff --git a/policy/modules/services/courier.te
b/policy/modules/services/courier.te
index 00ca1db6e..b5fa0c163 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket
rw_stream_socket_pe
can_exec(courier_authdaemon_t, courier_exec_t)
+kernel_getattr_proc(courier_authdaemon_t)
+
corecmd_exec_shell(courier_authdaemon_t)
domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t)
miscfiles_read_localization(courier_authdaemon_t)
selinux_getattr_fs(courier_authdaemon_t)
+seutil_search_default_contexts(courier_authdaemon_t)
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
# POP3/IMAP local policy
#
-allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t self:capability { chown dac_read_search fowner setgid
setuid };
+dontaudit courier_pop_t self:capability fsetid;
+allow courier_pop_t self:unix_stream_socket create_stream_socket_perms;
+allow courier_pop_t self:process setrlimit;
+
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket }
rw_stream_socket_perms;
-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_pop_t courier_var_lib_t:file manage_file_perms;
+allow courier_pop_t courier_etc_t:file map;
+
+can_exec(courier_pop_t, courier_exec_t)
+can_exec(courier_pop_t, courier_tcpd_exec_t)
stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t,
courier_authdaemon_t)
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t,
courier_authdaemon_t)
corecmd_exec_shell(courier_pop_t)
+corenet_tcp_bind_generic_node(courier_pop_t)
+corenet_tcp_bind_pop_port(courier_pop_t)
+
+files_search_var_lib(courier_pop_t)
+miscfiles_read_generic_certs(courier_pop_t)
miscfiles_read_localization(courier_pop_t)
mta_manage_mail_home_rw_content(courier_pop_t)
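Review bot: The capability line for courier_pop_t now grants `chown dac_read_search fowner`, and the same hunk adds `can_exec(courier_pop_t, courier_tcpd_exec_t)` together with a pop-port bind, with no comment saying which operation needs them. Presumably this is for the imapd-ssl/pop3d-ssl wrappers that the courier.fc change labels into this domain; a one-line comment above the capability rule recording that, e.g. `# chown/dac_read_search/fowner and the couriertcpd exec are for the *-ssl wrappers (see courier.fc)`, would save the next reader from re-deriving it from denials. If couriertcpd is meant to stay confined when started this way, a domain transition to courier_tcpd_t would be narrower than running it inside courier_pop_t; whether that works depends on the wrapper scripts, which are not part of this diff.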
diff --git a/policy/modules/services/dovecot.te
b/policy/modules/services/dovecot.te
index 370478770..11ffbb177 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -216,6 +216,7 @@ optional_policy(`
mta_manage_mail_home_rw_content(dovecot_t)
mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+ mta_home_filetrans_mail_home_rw(dovecot_t, dir, "mail")
')
optional_policy(`
@@ -269,6 +270,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket {
connectto rw_stream_socket_p
kernel_dontaudit_getattr_proc(dovecot_auth_t)
+kernel_getattr_proc(dovecot_auth_t)
+
files_search_runtime(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
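Review bot: `kernel_getattr_proc(dovecot_auth_t)` is added directly below the existing `kernel_dontaudit_getattr_proc(dovecot_auth_t)`; once the access is allowed the dontaudit is dead and the two rules contradict each other's intent. Drop the dontaudit line so that only `kernel_getattr_proc(dovecot_auth_t)` remains, or, if the access was only ever meant to be silenced, keep the dontaudit and omit the allow.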
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 5e001b37b..80d828466 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -72,7 +72,7 @@ ifdef(`distro_debian',`
# Local policy
#
-allow exim_t self:capability { chown dac_override fowner setgid setuid
sys_resource };
+allow exim_t self:capability { chown dac_override dac_read_search fowner
setgid setuid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
@@ -192,6 +192,7 @@ optional_policy(`
optional_policy(`
cron_read_pipes(exim_t)
+ cron_rw_inherited_tmp_files(exim_t)
cron_rw_system_job_pipes(exim_t)
cron_use_system_job_fds(exim_t)
')
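Review bot: `cron_rw_inherited_tmp_files` is called here and `systemd_dontaudit_connect_machined` in the postfix.if hunk, and the commit message says both interfaces were added in this change, yet neither cron.if nor systemd.if appears in the diffstat. Unless those interfaces already exist in this tree, the policy build will fail on these calls; the interface definitions should travel in the same commit, or the message should say which earlier commit provides them.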
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index cdc3cf590..1c15a6b20 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -268,6 +268,7 @@ interface(`mta_manage_mail_home_rw_content',`
manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
allow $1 mail_home_rw_t:file map;
manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ allow $1 mail_home_rw_t:{ dir file } watch;
')
########################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 63c8562ae..1099ccab5 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -15,6 +15,7 @@ attribute mailserver_sender;
attribute user_mail_domain;
attribute_role user_mail_roles;
+attribute_role admin_mail_roles;
type etc_aliases_t;
files_type(etc_aliases_t)
@@ -44,6 +45,10 @@ mta_base_mail_template(user)
userdom_user_application_type(user_mail_t)
role user_mail_roles types user_mail_t;
+mta_base_mail_template(admin)
+userdom_user_application_type(admin_mail_t)
+role admin_mail_roles types admin_mail_t;
+
userdom_user_tmp_file(user_mail_tmp_t)
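Review bot: `admin_mail_roles` is declared and `admin_mail_t` is bound to it, but nothing in this diff adds a role to the attribute or provides a domain transition into admin_mail_t, and the only mta.if change is the added `watch` permission. Unless a template elsewhere in the tree already wires this up, the new domain is unreachable and its rules are dead policy; an interface modelled on the existing user template, taking the role and adding it to `admin_mail_roles`, would complete the change. Only the diff is visible here, so this may already be covered outside it.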
########################################
@@ -435,3 +440,30 @@ ifdef(`distro_gentoo',`
at_rw_inherited_job_log_files(system_mail_t)
')
')
+
+########################################
+#
+# Admin local policy
+#
+
+manage_files_pattern(admin_mail_t, mail_home_t, mail_home_t)
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file,
".esmtp_queue")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".forward")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".mailrc")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, "dead.letter")
+
+dev_read_sysfs(admin_mail_t)
+
+userdom_use_user_terminals(admin_mail_t)
+
+files_etc_filetrans(admin_mail_t, etc_aliases_t, file)
+allow admin_mail_t etc_aliases_t:file manage_file_perms;
+
+optional_policy(`
+ allow admin_mail_t self:capability dac_override;
+
+ userdom_rw_user_tmp_files(admin_mail_t)
+
+ postfix_read_config(admin_mail_t)
+ postfix_list_spool(admin_mail_t)
+')
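Review bot: The closing `optional_policy` block places `allow admin_mail_t self:capability dac_override;` and `userdom_rw_user_tmp_files(admin_mail_t)` next to the postfix interfaces, but neither of those rules depends on the postfix module being present; they should move up with the unconditional rules so the block keeps only `postfix_read_config(admin_mail_t)` and `postfix_list_spool(admin_mail_t)`. dac_override on an admin mail domain is a broad grant and deserves a comment naming what it is for, e.g. `# dac_override: [reason — fill in from the denial that motivated it]`.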
diff --git a/policy/modules/services/postfix.if
b/policy/modules/services/postfix.if
index 847022bf4..5168017b9 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -50,6 +50,9 @@ template(`postfix_domain_template',`
can_exec(postfix_$1_t, postfix_$1_exec_t)
auth_use_nsswitch(postfix_$1_t)
+ ifdef(`init_systemd',`
+ systemd_dontaudit_connect_machined(postfix_$1_t)
+ ')
')
#######################################
diff --git a/policy/modules/services/postfix.te
b/policy/modules/services/postfix.te
index 528a84de9..f327af47a 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -516,9 +516,12 @@ manage_files_pattern(postfix_map_t, postfix_map_tmp_t,
postfix_map_tmp_t)
files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctls(postfix_map_t)
+kernel_read_network_state(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
+dev_read_urand(postfix_map_t)
+
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
corenet_tcp_sendrecv_generic_node(postfix_map_t)
@@ -745,6 +748,7 @@ allow postfix_showq_t postfix_spool_maildrop_t:file
read_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
allow postfix_showq_t postfix_spool_t:file read_file_perms;
+allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
term_use_all_ptys(postfix_showq_t)
term_use_all_ttys(postfix_showq_t)
diff --git a/policy/modules/services/sendmail.te
b/policy/modules/services/sendmail.te
index f12dd77cd..ba31f3e3a 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -193,6 +193,10 @@ optional_policy(`
sasl_connect(sendmail_t)
')
+optional_policy(`
+ userdom_use_inherited_user_terminals(sendmail_t)
+')
+
optional_policy(`
uucp_domtrans_uux(sendmail_t)
')
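Review bot: `userdom_use_inherited_user_terminals(sendmail_t)` is wrapped in its own `optional_policy` block, although the userdomain module is normally part of the base policy and its interfaces are called unconditionally; the wrapper then adds nothing and the call belongs with the other unconditional rules in this file rather than among the optional-module blocks. If this tree does build userdomain as a loadable module, keep the block but add a comment saying so, e.g. `# userdomain is optional in this tree`, so the next reader does not remove it.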