selinux-refpolicy/policy/modules/services/mta.if

906 lines
20 KiB
Plaintext

## <summary>Policy common to all email tranfer agents.</summary>
########################################
## <summary>
## MTA stub interface. No access allowed.
## </summary>
## <param name="domain" optional="true">
## <summary>
## N/A
## </summary>
## </param>
#
interface(`mta_stub',`
gen_require(`
type sendmail_exec_t;
')
')
#######################################
## <summary>
## Basic mail transfer agent domain template.
## </summary>
## <desc>
## <p>
## This template creates a derived domain which is
## a email transfer agent, which sends mail on
## behalf of the user.
## </p>
## <p>
## This is the basic types and rules, common
## to the system agent and user agents.
## </p>
## </desc>
## <param name="domain_prefix">
## <summary>
## The prefix of the domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
#
template(`mta_base_mail_template',`
gen_require(`
attribute user_mail_domain;
type sendmail_exec_t;
')
##############################
#
# $1_mail_t declarations
#
type $1_mail_t, user_mail_domain;
application_domain($1_mail_t,sendmail_exec_t)
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
##############################
#
# $1_mail_t local policy
#
allow $1_mail_t self:capability { setuid setgid chown };
allow $1_mail_t self:process { signal_perms setrlimit };
allow $1_mail_t self:tcp_socket create_socket_perms;
# re-exec itself
can_exec($1_mail_t, sendmail_exec_t)
allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
kernel_read_kernel_sysctls($1_mail_t)
corenet_all_recvfrom_unlabeled($1_mail_t)
corenet_all_recvfrom_netlabel($1_mail_t)
corenet_tcp_sendrecv_all_if($1_mail_t)
corenet_tcp_sendrecv_all_nodes($1_mail_t)
corenet_tcp_sendrecv_all_ports($1_mail_t)
corenet_tcp_connect_all_ports($1_mail_t)
corenet_tcp_connect_smtp_port($1_mail_t)
corenet_sendrecv_smtp_client_packets($1_mail_t)
corecmd_exec_bin($1_mail_t)
files_read_etc_files($1_mail_t)
files_search_spool($1_mail_t)
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
libs_use_ld_so($1_mail_t)
libs_use_shared_libs($1_mail_t)
logging_send_syslog_msg($1_mail_t)
miscfiles_read_localization($1_mail_t)
sysnet_read_config($1_mail_t)
sysnet_dns_name_resolve($1_mail_t)
optional_policy(`
nis_use_ypbind($1_mail_t)
')
optional_policy(`
nscd_socket_use($1_mail_t)
')
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
optional_policy(`
procmail_exec($1_mail_t)
')
optional_policy(`
qmail_domtrans_inject($1_mail_t)
')
optional_policy(`
gen_require(`
type etc_mail_t, mail_spool_t, mqueue_spool_t;
')
manage_dirs_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
manage_files_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
allow $1_mail_t etc_mail_t:dir { getattr search };
# Write to /var/spool/mail and /var/spool/mqueue.
manage_files_pattern($1_mail_t,mail_spool_t,mail_spool_t)
manage_files_pattern($1_mail_t,mqueue_spool_t,mqueue_spool_t)
# Check available space.
fs_getattr_xattr_fs($1_mail_t)
files_read_etc_runtime_files($1_mail_t)
# Write to /var/log/sendmail.st
sendmail_manage_log($1_mail_t)
sendmail_create_log($1_mail_t)
')
')
#######################################
## <summary>
## The per role template for the mta module.
## </summary>
## <desc>
## <p>
## This template creates a derived domain which is
## a email transfer agent, which sends mail on
## behalf of the user.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`mta_per_role_template',`
gen_require(`
attribute mta_user_agent;
attribute mailserver_delivery;
')
##############################
#
# Declarations
#
mta_base_mail_template($1)
role $3 types $1_mail_t;
##############################
#
# $1_mail_t local policy
#
# Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, $1_mail_t)
allow $2 sendmail_exec_t:lnk_file { getattr read };
domain_use_interactive_fds($1_mail_t)
userdom_use_user_terminals($1,$1_mail_t)
# Write to the user domain tty. cjp: why?
userdom_use_user_terminals($1,mta_user_agent)
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files($1,$1_mail_t)
userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
userdom_manage_user_home_content_dirs($1,mailserver_delivery)
userdom_manage_user_home_content_files($1,mailserver_delivery)
userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
userdom_manage_user_home_content_pipes($1,mailserver_delivery)
userdom_manage_user_home_content_sockets($1,mailserver_delivery)
userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
# Read user temporary files.
userdom_read_user_tmp_files($1,$1_mail_t)
userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
# cjp: this should probably be read all user tmp
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files($1,mta_user_agent)
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t)
fs_manage_cifs_symlinks($1_mail_t)
')
optional_policy(`
allow $1_mail_t self:capability dac_override;
# Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files($1,$1_mail_t)
postfix_read_config($1_mail_t)
postfix_list_spool($1_mail_t)
')
')
########################################
## <summary>
## Provide extra permissions for admin users
## mail domain.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <rolecap/>
#
template(`mta_admin_template',`
gen_require(`
type $1_mail_t;
')
ifdef(`strict_policy',`
# allow the sysadmin to do "mail someone < /home/user/whatever"
userdom_read_unpriv_users_home_content_files($1_mail_t)
')
optional_policy(`
gen_require(`
attribute mta_user_agent;
type etc_aliases_t;
')
allow mta_user_agent $2:fifo_file { read write };
manage_dirs_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
manage_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
manage_lnk_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
manage_fifo_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
manage_sock_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
# postfix needs this for newaliases
files_getattr_tmp_dirs($1_mail_t)
postfix_exec_master($1_mail_t)
ifdef(`distro_redhat',`
# compatability for old default main.cf
postfix_config_filetrans($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
')
')
')
########################################
## <summary>
## Make the specified domain usable for a mail server.
## </summary>
## <param name="type">
## <summary>
## Type to be used as a mail server domain.
## </summary>
## </param>
#
interface(`mta_mailserver',`
gen_require(`
attribute mailserver_domain;
')
init_daemon_domain($1,$2)
typeattribute $1 mailserver_domain;
')
########################################
## <summary>
## Modified mailserver interface for
## sendmail daemon use.
## </summary>
## <desc>
## <p>
## A modified MTA mail server interface for
## the sendmail program. It's design does
## not fit well with policy, and using the
## regular interface causes a type_transition
## conflict if direct running of init scripts
## is enabled.
## </p>
## <p>
## This interface should most likely only be used
## by the sendmail policy.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type to be used for the mail server.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## The type to be used for the domain entry point program.
## </summary>
## </param>
interface(`mta_sendmail_mailserver',`
gen_require(`
attribute mailserver_domain;
type sendmail_exec_t;
')
init_system_domain($1,sendmail_exec_t)
typeattribute $1 mailserver_domain;
')
#######################################
## <summary>
## Make a type a mailserver type used
## for sending mail.
## </summary>
## <param name="domain">
## <summary>
## Mail server domain type used for sending mail.
## </summary>
## </param>
#
interface(`mta_mailserver_sender',`
gen_require(`
attribute mailserver_sender;
')
typeattribute $1 mailserver_sender;
')
#######################################
## <summary>
## Make a type a mailserver type used
## for delivering mail to local users.
## </summary>
## <param name="domain">
## <summary>
## Mail server domain type used for delivering mail.
## </summary>
## </param>
#
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
type mail_spool_t;
')
typeattribute $1 mailserver_delivery;
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t)
read_files_pattern($1,mail_spool_t,mail_spool_t)
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
optional_policy(`
dovecot_manage_spool($1)
')
optional_policy(`
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib($1)
mailman_domtrans($1)
mailman_read_data_symlinks($1)
')
')
#######################################
## <summary>
## Make a type a mailserver type used
## for sending mail on behalf of local
## users to the local mail spool.
## </summary>
## <param name="domain">
## <summary>
## Mail server domain type used for sending local mail.
## </summary>
## </param>
#
interface(`mta_mailserver_user_agent',`
gen_require(`
attribute mta_user_agent;
')
typeattribute $1 mta_user_agent;
optional_policy(`
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
')
')
########################################
## <summary>
## Send mail from the system.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
type system_mail_t, sendmail_exec_t;
')
allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
domain_auto_trans($1, sendmail_exec_t, system_mail_t)
allow $1 system_mail_t:fd use;
allow system_mail_t $1:fd use;
allow system_mail_t $1:fifo_file rw_file_perms;
allow system_mail_t $1:process sigchld;
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file { read write };
')
########################################
## <summary>
## Execute send mail in a specified domain.
## </summary>
## <desc>
## <p>
## Execute send mail in a specified domain.
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
## </desc>
## <param name="source_domain">
## <summary>
## Domain to transition from.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## Domain to transition to.
## </summary>
## </param>
#
interface(`mta_sendmail_domtrans',`
gen_require(`
type sendmail_exec_t;
')
files_search_usr($1)
corecmd_read_bin_symlinks($1)
domain_auto_trans($1,sendmail_exec_t,$2)
')
########################################
## <summary>
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_sendmail_exec',`
gen_require(`
type sendmail_exec_t;
')
can_exec($1, sendmail_exec_t)
')
########################################
## <summary>
## Read mail server configuration.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mta_read_config',`
gen_require(`
type etc_mail_t;
')
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
read_files_pattern($1,etc_mail_t,etc_mail_t)
read_lnk_files_pattern($1,etc_mail_t,etc_mail_t)
')
########################################
## <summary>
## Read mail address aliases.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_read_aliases',`
gen_require(`
type etc_aliases_t;
')
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
')
########################################
## <summary>
## Type transition files created in /etc
## to the mail address aliases type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_etc_filetrans_aliases',`
gen_require(`
type etc_aliases_t;
')
files_etc_filetrans($1,etc_aliases_t, file)
')
########################################
## <summary>
## Read and write mail aliases.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mta_rw_aliases',`
gen_require(`
type etc_aliases_t;
')
files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr };
')
#######################################
## <summary>
## Do not audit attempts to read and write TCP
## sockets of mail delivery domains.
## </summary>
## <param name="domain">
## <summary>
## Mail server domain.
## </summary>
## </param>
#
interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
gen_require(`
attribute mailserver_delivery;
')
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
#######################################
## <summary>
## Connect to all mail servers over TCP. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Mail server domain.
## </summary>
## </param>
#
interface(`mta_tcp_connect_all_mailservers',`
refpolicywarn(`$0($*) has been deprecated.')
')
#######################################
## <summary>
## Do not audit attempts to read a symlink
## in the mail spool.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_dontaudit_read_spool_symlinks',`
gen_require(`
type mail_spool_t;
')
dontaudit $1 mail_spool_t:lnk_file read;
')
########################################
## <summary>
## Get the attributes of mail spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_getattr_spool',`
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:lnk_file read;
allow $1 mail_spool_t:file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of mail spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`mta_dontaudit_getattr_spool_files',`
gen_require(`
type mail_spool_t;
')
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search;
dontaudit $1 mail_spool_t:lnk_file read;
dontaudit $1 mail_spool_t:file getattr;
')
#######################################
## <summary>
## Create private objects in the
## mail spool directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private type">
## <summary>
## The type of the object to be created.
## </summary>
## </param>
## <param name="object">
## <summary>
## The object class of the object being created.
## </summary>
## </param>
#
interface(`mta_spool_filetrans',`
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
filetrans_pattern($1,mail_spool_t,$2,$3)
')
########################################
## <summary>
## Read and write the mail spool.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_rw_spool',`
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
rw_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
')
#######################################
## <summary>
## Create, read, and write the mail spool.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_append_spool',`
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t)
write_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
')
#######################################
## <summary>
## Delete from the mail spool.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_delete_spool',`
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
delete_files_pattern($1,mail_spool_t,mail_spool_t)
')
########################################
## <summary>
## Create, read, write, and delete mail spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_manage_spool',`
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1,mail_spool_t,mail_spool_t)
manage_files_pattern($1,mail_spool_t,mail_spool_t)
manage_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
')
########################################
## <summary>
## Search mail queue dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_search_queue',`
gen_require(`
type mqueue_spool_t;
')
files_search_spool($1)
allow $1 mqueue_spool_t:dir search_dir_perms;
')
#######################################
## <summary>
## Do not audit attempts to read and
## write the mail queue.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`mta_dontaudit_rw_queue',`
gen_require(`
type mqueue_spool_t;
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
dontaudit $1 mqueue_spool_t:file { getattr read write };
')
########################################
## <summary>
## Create, read, write, and delete
## mail queue files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_manage_queue',`
gen_require(`
type mqueue_spool_t;
')
files_search_spool($1)
manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
')
#######################################
## <summary>
## Read sendmail binary.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for postfix
interface(`mta_read_sendmail_bin',`
gen_require(`
type sendmail_exec_t;
')
allow $1 sendmail_exec_t:file read_file_perms;
')
#######################################
## <summary>
## Read and write unix domain stream sockets
## of user mail domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mta_rw_user_mail_stream_sockets',`
gen_require(`
attribute user_mail_domain;
')
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')