big cleanup of mta

2005-11-28 20:25:36 +00:00 · 2005-11-28 20:25:36 +00:00 · 08cd98b7c1
commit 08cd98b7c1
parent 5d5ea8d002
3 changed files with 165 additions and 151 deletions
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -14,6 +14,130 @@ interface(`mta_stub',`
 	')
 ')

+#######################################
+## <summary>
+##	Basic mail transfer agent domain template.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is
+##	a email transfer agent, which sends mail on
+##	behalf of the user.
+##	</p>
+##	<p>
+##	This is the basic types and rules, common
+##	to the system agent and user agents, and
+##	is not useful by itself.
+##	</p>
+## </desc>
+## <param name="domain_prefix">
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+#
+template(`mta_base_mail_template',`
+
+	##############################
+	#
+	# $1_mail_t declarations
+	#
+
+	type $1_mail_t, user_mail_domain;
+	domain_type($1_mail_t)
+	domain_entry_file($1_mail_t,sendmail_exec_t)
+
+	optional_policy(`sendmail',`
+		type $1_mail_tmp_t;
+		files_tmp_file($1_mail_tmp_t)
+
+		sendmail_stub($1_mail_t)
+	')
+
+	##############################
+	#
+	# $1_mail_t local policy
+	#
+
+	allow $1_mail_t self:capability { setuid setgid chown };
+	allow $1_mail_t self:process { signal_perms setrlimit };
+	allow $1_mail_t self:tcp_socket create_socket_perms;
+
+	# re-exec itself
+	can_exec($1_mail_t, sendmail_exec_t)
+	allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
+
+	kernel_read_kernel_sysctl($1_mail_t)
+
+	corenet_tcp_sendrecv_all_if($1_mail_t)
+	corenet_raw_sendrecv_all_if($1_mail_t)
+	corenet_tcp_sendrecv_all_nodes($1_mail_t)
+	corenet_raw_sendrecv_all_nodes($1_mail_t)
+	corenet_tcp_sendrecv_all_ports($1_mail_t)
+	corenet_tcp_bind_all_nodes($1_mail_t)
+	corenet_tcp_connect_all_ports($1_mail_t)
+	corenet_tcp_connect_smtp_port($1_mail_t)
+
+	corecmd_exec_bin($1_mail_t)
+	corecmd_search_sbin($1_mail_t)
+
+	files_read_etc_files($1_mail_t)
+	files_search_spool($1_mail_t)
+	# It wants to check for nscd
+	files_dontaudit_search_pids($1_mail_t)
+
+	libs_use_ld_so($1_mail_t)
+	libs_use_shared_libs($1_mail_t)
+
+	logging_send_syslog_msg($1_mail_t)
+
+	miscfiles_read_localization($1_mail_t)
+
+	sysnet_read_config($1_mail_t)
+	sysnet_dns_name_resolve($1_mail_t)
+
+	optional_policy(`nis',`
+		nis_use_ypbind($1_mail_t)
+	')
+
+	optional_policy(`nscd',`
+		nscd_use_socket($1_mail_t)
+	')
+
+	optional_policy(`procmail',`
+		procmail_exec($1_mail_t)
+	')
+
+	optional_policy(`sendmail',`
+		allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
+		allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
+		files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir })
+
+		allow $1_mail_t etc_mail_t:dir { getattr search };
+
+		# Write to /var/spool/mail and /var/spool/mqueue.
+		allow $1_mail_t mail_spool_t:dir rw_dir_perms;
+		allow $1_mail_t mail_spool_t:file create_file_perms;
+		allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
+		allow $1_mail_t mqueue_spool_t:file create_file_perms;
+
+		# Check available space.
+		fs_getattr_xattr_fs($1_mail_t)
+
+		files_read_etc_runtime_files($1_mail_t)
+
+		# Write to /var/log/sendmail.st
+		sendmail_manage_log($1_mail_t)
+		sendmail_create_log($1_mail_t)
+	')
+
+	ifdef(`TODO',`
+	ifdef(`qmail.te', `
+		allow $1_mail_t qmail_etc_t:dir search;
+		allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
+	')
+	') dnl end TODO
+')
+
 #######################################
 ## <summary>
 ##	The per user domain template for the mta module.
@ -47,26 +171,14 @@ template(`mta_per_userdomain_template',`
 		type sendmail_exec_t;
 	')

-	type $1_mail_t, user_mail_domain;
-	domain_type($1_mail_t)
+	mta_base_mail_template($1)
 	role $3 types $1_mail_t;

-	type $1_mail_tmp_t;
-	files_tmp_file($1_mail_tmp_t)
-
 	##############################
 	#
 	# $1_mail_t local policy
 	#

-	allow $1_mail_t self:capability { setuid setgid chown };
-	allow $1_mail_t self:process { signal_perms setrlimit };
-	allow $1_mail_t self:tcp_socket create_socket_perms;
-
-	# re-exec itself
-	can_exec($1_mail_t, sendmail_exec_t)
-	allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
-
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
 	allow $2 sendmail_exec_t:lnk_file { getattr read };
@ -81,36 +193,8 @@ template(`mta_per_userdomain_template',`
 	allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
 	allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };

-	kernel_read_kernel_sysctl($1_mail_t)
-
-	corenet_tcp_sendrecv_all_if($1_mail_t)
-	corenet_raw_sendrecv_all_if($1_mail_t)
-	corenet_tcp_sendrecv_all_nodes($1_mail_t)
-	corenet_raw_sendrecv_all_nodes($1_mail_t)
-	corenet_tcp_sendrecv_all_ports($1_mail_t)
-	corenet_tcp_bind_all_nodes($1_mail_t)
-	corenet_tcp_connect_all_ports($1_mail_t)
-
 	domain_use_wide_inherit_fd($1_mail_t)

-	libs_use_ld_so($1_mail_t)
-	libs_use_shared_libs($1_mail_t)
-
-	corecmd_exec_bin($1_mail_t)
-	corecmd_search_sbin($1_mail_t)
-
-	files_read_etc_files($1_mail_t)
-	files_search_spool($1_mail_t)
-	# It wants to check for nscd
-	files_dontaudit_search_pids($1_mail_t)
-
-	logging_send_syslog_msg($1_mail_t)
-
-	miscfiles_read_localization($1_mail_t)
-
-	sysnet_read_config($1_mail_t)
-	sysnet_dns_name_resolve($1_mail_t)
-
 	userdom_use_user_terminals($1,$1_mail_t)
 	# Write to the user domain tty. cjp: why?
 	userdom_use_user_terminals($1,mta_user_agent)
@ -131,24 +215,12 @@ template(`mta_per_userdomain_template',`
 		fs_manage_cifs_symlinks($1_mail_t)
 	')

-	optional_policy(`nis',`
-		nis_use_ypbind($1_mail_t)
-	')
-
-	optional_policy(`nscd',`
-		nscd_use_socket($1_mail_t)
-	')
-
 	optional_policy(`postfix',`
 		allow $1_mail_t self:capability dac_override;
 		postfix_read_config($1_mail_t)
 		postfix_list_spool($1_mail_t)
 	')

-	optional_policy(`procmail',`
-		procmail_exec($1_mail_t)
-	')
-
 	ifdef(`TODO',`
 	# Read user temporary files.
 	allow $1_mail_t $1_tmp_t:file r_file_perms;
@ -158,21 +230,11 @@ template(`mta_per_userdomain_template',`
 		allow $1_mail_t $1_tmp_t:file write;
 	')

-	# cjp: why?
 	allow mta_user_agent $1_tmp_t:file r_file_perms;

-	# Inherit and use descriptors from gnome-pty-helper.
-	ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
-
 	# if you do not want to allow dead.letter then use the following instead
 	#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
 	#allow $1_mail_t $1_home_t:file r_file_perms;
-
-	ifdef(`qmail.te', `
-		allow $1_mail_t qmail_etc_t:dir search;
-		allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-	')
-
 	') dnl end TODO
 ')

--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@ -1,5 +1,5 @@

-policy_module(mta,1.0.1)
+policy_module(mta,1.0.2)

 ########################################
 #
@ -28,17 +28,12 @@ files_type(mail_spool_t)
 type sendmail_exec_t;
 files_type(sendmail_exec_t)

-type system_mail_t, user_mail_domain;
-domain_type(system_mail_t)
-domain_entry_file(system_mail_t,sendmail_exec_t)
+mta_base_mail_template(system)
 role system_r types system_mail_t;

-type system_mail_tmp_t;
-files_tmp_file(system_mail_tmp_t)
-
 # cjp: need to resolve this, but require{}
 # does not work in the else part of the optional
-#ifdef(`targeted_policy',`',`
+#ifdef(`strict_policy',`
 #	optional_policy(`sendmail',`',`
 #		init_system_domain(system_mail_t,sendmail_exec_t)
 #	')
@ -49,60 +44,17 @@ files_tmp_file(system_mail_tmp_t)
 # System mail local policy
 #

-allow system_mail_t self:capability { setuid setgid chown };
-allow system_mail_t self:process { signal_perms setrlimit };
-allow system_mail_t self:tcp_socket create_socket_perms;
-
 allow system_mail_t etc_mail_t:dir { getattr search };
 allow system_mail_t etc_mail_t:file r_file_perms;

-# re-exec itself
-can_exec(system_mail_t, sendmail_exec_t)
-allow system_mail_t sendmail_exec_t:lnk_file r_file_perms;
-
-allow system_mail_t system_mail_tmp_t:dir create_dir_perms;
-allow system_mail_t system_mail_tmp_t:file create_file_perms;
-files_create_tmp_files(system_mail_t, system_mail_tmp_t, { file dir })
-
-kernel_read_kernel_sysctl(system_mail_t)
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)

-corenet_tcp_sendrecv_all_if(system_mail_t)
-corenet_raw_sendrecv_all_if(system_mail_t)
-corenet_tcp_sendrecv_all_nodes(system_mail_t)
-corenet_raw_sendrecv_all_nodes(system_mail_t)
-corenet_tcp_sendrecv_all_ports(system_mail_t)
-corenet_tcp_bind_all_nodes(system_mail_t)
-corenet_tcp_connect_smtp_port(system_mail_t)
-corenet_tcp_connect_all_ports(system_mail_t)
-
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)

-fs_getattr_xattr_fs(system_mail_t)
-
 init_use_script_pty(system_mail_t)

-files_read_etc_files(system_mail_t)
-files_read_etc_runtime_files(system_mail_t)
-files_search_spool(system_mail_t)
-# It wants to check for nscd
-files_dontaudit_search_pids(system_mail_t)
-
-corecmd_exec_bin(system_mail_t)
-corecmd_search_sbin(system_mail_t)
-
-libs_use_ld_so(system_mail_t)
-libs_use_shared_libs(system_mail_t)
-
-logging_send_syslog_msg(system_mail_t)
-
-miscfiles_read_localization(system_mail_t)
-
-sysnet_read_config(system_mail_t)
-sysnet_dns_name_resolve(system_mail_t)
-
 userdom_use_sysadm_terms(system_mail_t)

 ifdef(`hide_broken_symptoms',`
@ -169,6 +121,7 @@ optional_policy(`arpwatch',`

 optional_policy(`cron',`
 	cron_read_system_job_tmp_files(system_mail_t)
+	cron_read_system_job_tmp_files(mta_user_agent)
 ')

 optional_policy(`cvs',`
@ -179,14 +132,6 @@ optional_policy(`logrotate',`
 	logrotate_read_tmp_files(system_mail_t)
 ')

-optional_policy(`nis',`
-	nis_use_ypbind(system_mail_t)
-')
-
-optional_policy(`nscd',`
-	nscd_use_socket(system_mail_t)
-')
-
 optional_policy(`postfix',`
 	postfix_stub(system_mail_t)

@ -205,29 +150,13 @@ optional_policy(`postfix',`

 	allow mta_user_agent sysadm_t:fifo_file { read write };
 	type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
-')

-optional_policy(`procmail',`
-	procmail_exec(system_mail_t)
-')
-
-optional_policy(`sendmail',`
-	sendmail_stub(system_mail_t)
-
-	allow system_mail_t etc_mail_t:dir { getattr search };
-
-	# sendmail -q 
-	allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
-	allow system_mail_t mqueue_spool_t:file create_file_perms;
-
-	# FIXME:
-	allow system_mail_t sendmail_log_t:file manage_file_perms;
-	logging_create_log(system_mail_t,sendmail_log_t)
+	# postfix needs this for newaliases
+	allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
 ')

 ifdef(`TODO',`
 optional_policy(`sendmail',`
-	allow system_mail_t { var_t var_spool_t }:dir getattr;
 	dontaudit system_mail_t userpty_type:chr_file { getattr read write };

 	optional_policy(`crond',`
@ -235,23 +164,13 @@ optional_policy(`sendmail',`
 	')
 ')

-ifdef(`targeted_policy',`
-	allow system_mail_t { var_t var_spool_t }:dir getattr;
-',`
+ifdef(`strict_policy',`
 	# allow the sysadmin to do "mail someone < /home/user/whatever"
 	allow sysadm_mail_t user_home_dir_type:dir search;
 	r_dir_file(sysadm_mail_t, user_home_type)
 ')
-
-
-optional_policy(`qmail',`
-	allow system_mail_t qmail_etc_t:dir search;
-	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
-')
 ') dnl end TODO

-allow mta_user_agent system_crond_tmp_t:file { read getattr };
-
 optional_policy(`arpwatch',`
 	# why is mail delivered to a directory of type arpwatch_data_t?
 	arpwatch_search_data(mailserver_delivery)
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@ -52,3 +52,36 @@ interface(`sendmail_rw_tcp_socket',`

 	allow $1 sendmail_t:tcp_socket { read write };
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete sendmail logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sendmail_manage_log',`
+	gen_require(`
+		type sendmail_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 sendmail_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create sendmail logs with the correct type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sendmail_create_log',`
+	gen_require(`
+		type sendmail_log_t;
+	')
+
+	logging_create_log($1,sendmail_log_t,file)
+')