From c155e042d8ce818b3ab4c7db3e0c2fd7ece4381b Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 8 Jan 2010 10:37:37 -0500
Subject: [PATCH] Sendmail patch from Dan Walsh.
---
 policy/modules/services/sendmail.if | 132 +++++++++++++++++++++++++++-
 policy/modules/services/sendmail.te | 78 +++++++++++-----
 2 files changed, 187 insertions(+), 23 deletions(-)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index 8b588311c..306a2b191 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -16,6 +16,25 @@ interface(`sendmail_stub',`
 ')
 ')
+########################################
+##
+## Allow attempts to read and write to
+## sendmail unnamed pipes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`sendmail_rw_pipes',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ##
 ## Domain transition to sendmail.
@@ -33,12 +52,36 @@ interface(`sendmail_domtrans',`
 mta_sendmail_domtrans($1, sendmail_t)
- allow $1 sendmail_t:fd use;
 allow sendmail_t $1:fd use;
 allow sendmail_t $1:fifo_file rw_file_perms;
 allow sendmail_t $1:process sigchld;
 ')
+########################################
+##
+## Execute the sendmail program in the sendmail domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to allow the sendmail domain.
+##
+##
+##
+#
+interface(`sendmail_run',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ sendmail_domtrans($1)
+ role $2 types sendmail_t;
+')
+
 ########################################
 ##
 ## Send generic signals to sendmail.
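Review bot: The parameter summary of the new `sendmail_rw_pipes` interface reads `Domain to not audit.`, but the interface body is an `allow` rule, not a `dontaudit`, so the documentation contradicts the rule it describes; the wording was presumably copied from a dontaudit interface. Change that summary line to `##	Domain allowed access.`, which is the phrasing the neighbouring `sendmail_domtrans` and the new `sendmail_run` use for an allow-style interface.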
@@ -74,6 +117,26 @@ interface(`sendmail_rw_tcp_sockets',`
 allow $1 sendmail_t:tcp_socket { read write };
 ')
+
+########################################
+##
+## Do not audit attempts to read and write
+## sendmail TCP sockets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`sendmail_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ dontaudit $1 sendmail_t:tcp_socket { read write };
+')
+
 ########################################
 ##
 ## Read and write sendmail unix_stream_sockets.
@@ -89,7 +152,26 @@ interface(`sendmail_rw_unix_stream_sockets',`
 type sendmail_t;
 ')
- allow $1 sendmail_t:unix_stream_socket { read write };
+ allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## sendmail unix_stream_sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
 ')
 ########################################
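Review bot: The parameter summary of `sendmail_dontaudit_rw_unix_stream_sockets` says `Domain allowed access.`, but the body is a `dontaudit` rule, so the text describes the opposite of what the interface does; the sibling `sendmail_dontaudit_rw_tcp_sockets` added in the hunk above uses `##	Domain to not audit.`, which is the wording to use here. In the same hunk, `sendmail_rw_unix_stream_sockets` now grants `{ getattr read write ioctl }` while its summary still reads `Read and write sendmail unix_stream_sockets.`; the summary should mention that getattr and ioctl on the socket are granted too, since callers pick interfaces by their documented scope.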
@@ -149,3 +231,49 @@ interface(`sendmail_create_log',`
 logging_log_filetrans($1, sendmail_log_t, file)
 ')
+
+########################################
+##
+## Manage sendmail tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sendmail_manage_tmp_files',`
+ gen_require(`
+ type sendmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
+')
+
+########################################
+##
+## Execute sendmail in the unconfined sendmail domain, and
+## allow the specified role the unconfined sendmail domain,
+## and use the caller's terminal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`sendmail_run_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ sendmail_domtrans_unconfined($1)
+ role $2 types unconfined_sendmail_t;
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index f3f0d44c3..c1d229755 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
-policy_module(sendmail, 1.10.0)
+policy_module(sendmail, 1.10.1)
 ########################################
 #
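Review bot: `sendmail_run_unconfined` calls `sendmail_domtrans_unconfined($1)`, but no interface of that name is added anywhere in this patch, and the `unconfined_sendmail_t` type it would need is only introduced by this patch's sendmail.te change, so it is unlikely to already exist in the unchanged part of sendmail.if; an undefined interface is left unexpanded by m4 and breaks the policy build as soon as any module calls `sendmail_run_unconfined`. If it is indeed missing, add the transition interface next to `sendmail_domtrans`, following the same pattern and with the standard doc header (summary plus a domain parameter), as sketched below. The summary of `sendmail_run_unconfined` also promises `and use the caller's terminal`, which nothing in its body grants; drop that clause or add the corresponding rule so the documentation matches the access given.
```selinux
interface(`sendmail_domtrans_unconfined',`
	gen_require(`
		type unconfined_sendmail_t;
	')

	mta_sendmail_domtrans($1, unconfined_sendmail_t)
')
```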
@@ -20,13 +20,17 @@ mta_sendmail_mailserver(sendmail_t)
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
+type unconfined_sendmail_t;
+application_domain(unconfined_sendmail_t, sendmail_exec_t)
+role system_r types unconfined_sendmail_t;
+
 ########################################
 #
 # Sendmail local policy
 #
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process signal;
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process { setrlimit signal signull };
 allow sendmail_t self:fifo_file rw_fifo_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -44,6 +48,7 @@ files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
 allow sendmail_t sendmail_var_run_t:file manage_file_perms;
 files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+kernel_read_network_state(sendmail_t)
 kernel_read_kernel_sysctls(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
@@ -64,15 +69,18 @@ dev_read_sysfs(sendmail_t)
 fs_getattr_all_fs(sendmail_t)
 fs_search_auto_mountpoints(sendmail_t)
+fs_rw_anon_inodefs_files(sendmail_t)
 term_dontaudit_use_console(sendmail_t)
 # for piping mail to a command
 corecmd_exec_shell(sendmail_t)
+corecmd_exec_bin(sendmail_t)
 domain_use_interactive_fds(sendmail_t)
 files_read_etc_files(sendmail_t)
+files_read_usr_files(sendmail_t)
 files_search_spool(sendmail_t)
 # for piping mail to a command
 files_read_etc_runtime_files(sendmail_t)
@@ -89,6 +97,7 @@ auth_use_nsswitch(sendmail_t)
 libs_read_lib_files(sendmail_t)
 logging_send_syslog_msg(sendmail_t)
+logging_dontaudit_write_generic_logs(sendmail_t)
 miscfiles_read_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
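Review bot: The capability set of `sendmail_t` gains `dac_override` with no comment saying which access it is needed for; it lets the daemon bypass discretionary permission checks on every file its type-enforcement rules already reach, so a later reviewer cannot tell whether it is still required or can be dropped. Add a why-comment above the rule, e.g. `# dac_override: needed for <reason> -- TODO confirm`, and if the only need is reading root-owned configuration, `dac_read_search` is the narrower capability to consider. The same hunk also adds `setrlimit` and `signull` to the process permissions without explanation; a short note on each would keep the rule reviewable.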
@@ -99,13 +108,35 @@ userdom_dontaudit_search_user_home_dirs(sendmail_t)
 mta_read_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
 # Write to /etc/aliases and /etc/mail.
-mta_rw_aliases(sendmail_t)
+mta_manage_aliases(sendmail_t)
 # Write to /var/spool/mail and /var/spool/mqueue.
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
+
+optional_policy(`
+ cron_read_pipes(sendmail_t)
+')
 optional_policy(`
 clamav_search_lib(sendmail_t)
+ clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ exim_domtrans(sendmail_t)
+')
+
+optional_policy(`
+ fail2ban_read_lib_files(sendmail_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(sendmail, sendmail_t)
 ')
 optional_policy(`
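Review bot: The comment `# Write to /etc/aliases and /etc/mail.` now sits above `mta_manage_aliases(sendmail_t)`, which replaces the read/write interface with a manage one; in refpolicy naming `manage` also covers create and delete, so the comment understates what is granted. Update it to `# Create, write and delete /etc/aliases and /etc/mail.` (the exact permission set depends on the body of mta_manage_aliases, which is outside this patch). `exim_domtrans(sendmail_t)` and `mta_sendmail_exec(sendmail_t)` are also added without a comment naming the use case; a one-line note on each would let the next reader judge whether a transition from sendmail into the exim domain is still wanted.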
@@ -113,38 +144,43 @@ optional_policy(`
 ')
 optional_policy(`
- postfix_exec_master(sendmail_t)
+ munin_dontaudit_search_lib(sendmail_t)
+')
+
+optional_policy(`
+ postfix_domtrans_master(sendmail_t)
 postfix_read_config(sendmail_t)
 postfix_search_spool(sendmail_t)
 ')
 optional_policy(`
 procmail_domtrans(sendmail_t)
+ procmail_rw_tmp_files(sendmail_t)
 ')
 optional_policy(`
 seutil_sigchld_newrole(sendmail_t)
 ')
+optional_policy(`
+ sasl_connect(sendmail_t)
+')
+
 optional_policy(`
 udev_read_db(sendmail_t)
 ')
-ifdef(`TODO',`
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file manage_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file manage_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
+optional_policy(`
+ uucp_domtrans_uux(sendmail_t)
+')
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
+########################################
+#
+# Unconfined sendmail local policy
+# Allow unconfined domain to run newalias and have transitions work
+#
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
-
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
+optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
+ unconfined_domain(unconfined_sendmail_t)
+')
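Review bot: Every permission of `unconfined_sendmail_t` comes from `unconfined_domain(unconfined_sendmail_t)` inside an `optional_policy` block, so when the unconfined module is not loaded the type declared in the earlier sendmail.te hunk keeps only what `application_domain` gives it, and a caller of `sendmail_run_unconfined` transitions into a near-empty domain. The new section header should state this, e.g. `# Only meaningful when the unconfined module is loaded; otherwise this domain is effectively empty.`, and `mta_etc_filetrans_aliases(unconfined_sendmail_t)` can move out of the block, since mta is not optional here (the same interface is called unconditionally for sendmail_t above). `newalias` in `# Allow unconfined domain to run newalias and have transitions work` presumably means `newaliases`.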