commit: 42314e38a4ebeca9d1fa617e33e26f2b8257bcff |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sat Sep 29 11:19:26 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:04:31 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=42314e38 |
|
Changes to the exim policy module and relevant dependencies |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/dovecot.if | 20 ++++++++ |
policy/modules/contrib/dovecot.te | 2 +- |
policy/modules/contrib/exim.fc | 14 ++++-- |
policy/modules/contrib/exim.if | 65 +++++++++++++++++++++---- |
policy/modules/contrib/exim.te | 94 ++++++++++++++++++++++++------------- |
5 files changed, 148 insertions(+), 47 deletions(-) |
|
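--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -1,5 +1,25 @@
 ## <summary>POP and IMAP mail server.</summary>
 
+#######################################
+## <summary>
+## Connect to dovecot using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dovecot_stream_connect',`
+ gen_require(`
+ type dovecot_t, dovecot_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+')
+
 ########################################
 ## <summary>
 ## Connect to dovecot using a unix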
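Review bot: The summary of the new `dovecot_stream_connect` interface, "Connect to dovecot using a unix domain stream socket.", is word for word the opening of the summary on the interface that follows it in the context lines, so the generated interface reference will list two entries that read the same and a policy writer cannot tell which socket each one reaches. If the neighbour is the auth-socket variant (its body is outside this hunk, so I cannot confirm), state the difference in both places, e.g. `## Connect to dovecot's generic runtime socket (not the auth socket)` here. It is also worth a line that `stream_connect_pattern` grants connectto on every sock_file labelled dovecot_var_run_t, not on one named socket, so callers reach whatever dovecot creates under that label.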
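--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.14.4)
+policy_module(dovecot, 1.14.5)
 
 ########################################
 #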
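--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -1,8 +1,14 @@
-/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
-/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
+
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+
 /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
-/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
 
 ifdef(`distro_debian',`
-/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
 ')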
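Review bot: Labelling `/usr/sbin/exim_tidydb` as exim_exec_t means the hints-database cleanup tool, when run from any domain that has a transition on exim_exec_t, lands in exim_t with the daemon's full capability and network rule set rather than in something scoped to the spool databases it rewrites. If that is deliberate, a comment next to the entry saying why the daemon label is reused would stop the next reader from "fixing" it; if not, a dedicated exim_tidydb_t is the least-privilege option. Exim's sibling database tools (exim_dumpdb, exim_fixdb) work on the same files and get no entry here, so they will run in the caller's domain and presumably fail under enforcement — I cannot tell from this hunk whether the target packages ship them.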
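--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -1,4 +1,4 @@
-## <summary>Exim mail transfer agent</summary>
+## <summary>Mail transfer agent.</summary>
 
 ########################################
 ## <summary>
@@ -15,13 +15,14 @@ interface(`exim_domtrans',`
 type exim_t, exim_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, exim_exec_t, exim_t)
 ')
 
 ########################################
 ## <summary>
-## Do not audit attempts to read,
-## exim tmp files
+## Do not audit attempts to read exim
+## temporary tmp files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -39,7 +40,7 @@ interface(`exim_dontaudit_read_tmp_files',`
 
 ########################################
 ## <summary>
-## Allow domain to read, exim tmp files
+## Read exim temporary files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -58,7 +59,7 @@ interface(`exim_read_tmp_files',`
 
 ########################################
 ## <summary>
-## Read exim PID files.
+## Read exim pid files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -77,7 +78,7 @@ interface(`exim_read_pid_files',`
 
 ########################################
 ## <summary>
-## Allow the specified domain to read exim's log files.
+## Read exim log files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -97,8 +98,7 @@ interface(`exim_read_log',`
 
 ########################################
 ## <summary>
-## Allow the specified domain to append
-## exim log files.
+## Append exim log files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -117,7 +117,8 @@ interface(`exim_append_log',`
 
 ########################################
 ## <summary>
-## Allow the specified domain to manage exim's log files.
+## Create, read, write, and delete
+## exim log files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -138,7 +139,7 @@ interface(`exim_manage_log',`
 ########################################
 ## <summary>
 ## Create, read, write, and delete
-## exim spool dirs.
+## exim spool directories.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -194,3 +195,47 @@ interface(`exim_manage_spool_files',`
 manage_files_pattern($1, exim_spool_t, exim_spool_t)
 files_search_spool($1)
 ')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an exim environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_admin',`
+ gen_require(`
+ type exim_t, exim_spool_t, exim_log_t;
+ type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+ ')
+
+ allow $1 exim_t:process { ptrace signal_perms };
+ ps_process_pattern($1, exim_t)
+
+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 exim_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_spool($1)
+ admin_pattern($1, exim_spool_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, exim_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, exim_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, exim_tmp_t)
+')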
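Review bot: `allow $1 exim_t:process { ptrace signal_perms };` in the new exim_admin interface hands the admin domain ptrace over the running MTA, which is read and write access to exim_t's memory — including whatever SMTP authentication secrets or TLS private key material the process holds — while everything else the interface does (init script transition, `ps_process_pattern`, the admin_pattern calls) needs only signals and file access. Unless debugging exim from the admin role is a stated goal of this port, narrow it to `allow $1 exim_t:process signal_perms;`; if ptrace is wanted, it belongs in a separate, explicitly named interface so a role can get service management without memory access. The interface also does not call exim_domtrans, so an admin role that needs to run the exim binary itself has to request that separately — a sentence in the summary saying so would save a round trip.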
220 |
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te |
221 |
index f28f64b..f50794d 100644 |
222 |
--- a/policy/modules/contrib/exim.te |
223 |
+++ b/policy/modules/contrib/exim.te |
224 |
@@ -1,4 +1,4 @@ |
225 |
-policy_module(exim, 1.5.0) |
226 |
+policy_module(exim, 1.5.1) |
227 |
|
228 |
######################################## |
229 |
# |
230 |
@@ -6,23 +6,26 @@ policy_module(exim, 1.5.0) |
231 |
# |
232 |
|
233 |
## <desc> |
234 |
-## <p> |
235 |
-## Allow exim to connect to databases (postgres, mysql) |
236 |
-## </p> |
237 |
+## <p> |
238 |
+## Determine whether exim can connect to |
239 |
+## databases. |
240 |
+## </p> |
241 |
## </desc> |
242 |
gen_tunable(exim_can_connect_db, false) |
243 |
|
244 |
## <desc> |
245 |
-## <p> |
246 |
-## Allow exim to read unprivileged user files. |
247 |
-## </p> |
248 |
+## <p> |
249 |
+## Determine whether exim can read generic |
250 |
+## user content files. |
251 |
+## </p> |
252 |
## </desc> |
253 |
gen_tunable(exim_read_user_files, false) |
254 |
|
255 |
## <desc> |
256 |
-## <p> |
257 |
-## Allow exim to create, read, write, and delete |
258 |
-## unprivileged user files. |
259 |
+## <p> |
260 |
+## Determine whether exim can create, |
261 |
+## read, write, and delete generic user |
262 |
+## content files. |
263 |
## </p> |
264 |
## </desc> |
265 |
gen_tunable(exim_manage_user_files, false) |
266 |
@@ -35,6 +38,9 @@ mta_mailserver_user_agent(exim_t) |
267 |
application_executable_file(exim_exec_t) |
268 |
mta_agent_executable(exim_exec_t) |
269 |
|
270 |
+type exim_initrc_exec_t; |
271 |
+init_script_file(exim_initrc_exec_t) |
272 |
+ |
273 |
type exim_log_t; |
274 |
logging_log_file(exim_log_t) |
275 |
|
276 |
@@ -49,33 +55,34 @@ files_pid_file(exim_var_run_t) |
277 |
|
278 |
######################################## |
279 |
# |
280 |
-# exim local policy |
281 |
+# Local policy |
282 |
# |
283 |
|
284 |
allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; |
285 |
allow exim_t self:process { setrlimit setpgid }; |
286 |
allow exim_t self:fifo_file rw_fifo_file_perms; |
287 |
-allow exim_t self:unix_stream_socket create_stream_socket_perms; |
288 |
-allow exim_t self:tcp_socket create_stream_socket_perms; |
289 |
-allow exim_t self:udp_socket create_socket_perms; |
290 |
- |
291 |
-can_exec(exim_t, exim_exec_t) |
292 |
+allow exim_t self:unix_stream_socket { accept listen }; |
293 |
+allow exim_t self:tcp_socket { accept listen }; |
294 |
|
295 |
-manage_files_pattern(exim_t, exim_log_t, exim_log_t) |
296 |
-logging_log_filetrans(exim_t, exim_log_t, { file dir }) |
297 |
+append_files_pattern(exim_t, exim_log_t, exim_log_t) |
298 |
+create_files_pattern(exim_t, exim_log_t, exim_log_t) |
299 |
+setattr_files_pattern(exim_t, exim_log_t, exim_log_t) |
300 |
+logging_log_filetrans(exim_t, exim_log_t, file) |
301 |
|
302 |
manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t) |
303 |
manage_files_pattern(exim_t, exim_spool_t, exim_spool_t) |
304 |
manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t) |
305 |
-files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file }) |
306 |
+files_spool_filetrans(exim_t, exim_spool_t, { dir file sock_file }) |
307 |
|
308 |
manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t) |
309 |
manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t) |
310 |
-files_tmp_filetrans(exim_t, exim_tmp_t, { file dir }) |
311 |
+files_tmp_filetrans(exim_t, exim_tmp_t, { dir file }) |
312 |
|
313 |
manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t) |
314 |
manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t) |
315 |
-files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) |
316 |
+files_pid_filetrans(exim_t, exim_var_run_t, { dir file }) |
317 |
+ |
318 |
+can_exec(exim_t, exim_exec_t) |
319 |
|
320 |
kernel_read_kernel_sysctls(exim_t) |
321 |
kernel_read_network_state(exim_t) |
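Review bot: The self socket rules shrink to `allow exim_t self:unix_stream_socket { accept listen };` and `allow exim_t self:tcp_socket { accept listen };` and the udp_socket rule is dropped outright, so create, bind, connect, read and write on exim_t's own sockets — and UDP altogether, which `corenet_udp_sendrecv_generic_node(exim_t)` further down still expects — must now be supplied by something outside this file, presumably the attributes applied by `mta_mailserver_user_agent` and `mta_mailserver_delivery` in mta.te. That dependency is invisible here and this branch's mta.te may not match the Fedora policy this was ported from; a comment on the tcp_socket line such as `# create/bind/connect come from the mta attributes in mta.te` makes the assumption checkable, and a post-build `sesearch -A -s exim_t -c udp_socket -p create` would confirm nothing was lost. The log change from manage_files_pattern to append/create/setattr is a genuine hardening: exim_t can no longer truncate, rewrite or unlink its own logs, which is worth calling out in a comment so it is not "restored" later.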
322 |
@@ -91,24 +98,32 @@ corenet_tcp_sendrecv_generic_node(exim_t) |
323 |
corenet_udp_sendrecv_generic_node(exim_t) |
324 |
corenet_tcp_sendrecv_all_ports(exim_t) |
325 |
corenet_tcp_bind_generic_node(exim_t) |
326 |
+ |
327 |
+corenet_sendrecv_smtp_server_packets(exim_t) |
328 |
corenet_tcp_bind_smtp_port(exim_t) |
329 |
+ |
330 |
+corenet_sendrecv_amavisd_send_server_packets(exim_t) |
331 |
corenet_tcp_bind_amavisd_send_port(exim_t) |
332 |
+ |
333 |
+corenet_sendrecv_auth_client_packets(exim_t) |
334 |
corenet_tcp_connect_auth_port(exim_t) |
335 |
+ |
336 |
+corenet_sendrecv_smtp_client_packets(exim_t) |
337 |
corenet_tcp_connect_smtp_port(exim_t) |
338 |
-corenet_tcp_connect_ldap_port(exim_t) |
339 |
+ |
340 |
+corenet_sendrecv_inetd_child_client_packets(exim_t) |
341 |
corenet_tcp_connect_inetd_child_port(exim_t) |
342 |
-# connect to spamassassin |
343 |
+ |
344 |
+corenet_sendrecv_spamd_client_packets(exim_t) |
345 |
corenet_tcp_connect_spamd_port(exim_t) |
346 |
|
347 |
dev_read_rand(exim_t) |
348 |
dev_read_urand(exim_t) |
349 |
|
350 |
-# Init script handling |
351 |
domain_use_interactive_fds(exim_t) |
352 |
|
353 |
files_search_usr(exim_t) |
354 |
files_search_var(exim_t) |
355 |
-files_read_etc_files(exim_t) |
356 |
files_read_etc_runtime_files(exim_t) |
357 |
files_getattr_all_mountpoints(exim_t) |
358 |
|
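Review bot: `corenet_tcp_connect_ldap_port(exim_t)` is removed with no replacement in this hunk and no tunable, so an exim built with the ldap lookup driver (commonly used for alias and virtual-domain lookups) will be denied its directory connections once this lands; unless an ldap module call was added in a hunk not shown, it should be restored, ideally gated the same way the database access below is. The removal of `files_read_etc_files(exim_t)` is only safe if this branch's base policy already grants /etc reads to every domain — that holds in the policy this was ported from but is worth confirming against the hardened-refpolicy base rather than assumed. The added `corenet_sendrecv_*_packets` pairs beside each port rule are a welcome consistency fix and need no further change.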
359 |
@@ -130,10 +145,15 @@ mta_manage_spool(exim_t) |
360 |
mta_mailserver_delivery(exim_t) |
361 |
|
362 |
tunable_policy(`exim_can_connect_db',` |
363 |
- corenet_tcp_connect_mysqld_port(exim_t) |
364 |
- corenet_sendrecv_mysqld_client_packets(exim_t) |
365 |
- corenet_tcp_connect_postgresql_port(exim_t) |
366 |
- corenet_sendrecv_postgresql_client_packets(exim_t) |
367 |
+ corenet_sendrecv_gds_db_client_packets(exim_t) |
368 |
+ corenet_tcp_connect_gds_db_port(exim_t) |
369 |
+ corenet_tcp_sendrecv_gds_db_port(exim_t) |
370 |
+ corenet_sendrecv_mssql_client_packets(exim_t) |
371 |
+ corenet_tcp_connect_mssql_port(exim_t) |
372 |
+ corenet_tcp_sendrecv_mssql_port(exim_t) |
373 |
+ corenet_sendrecv_oracledb_client_packets(exim_t) |
374 |
+ corenet_tcp_connect_oracledb_port(exim_t) |
375 |
+ corenet_tcp_sendrecv_oracledb_port(exim_t) |
376 |
') |
377 |
|
378 |
tunable_policy(`exim_read_user_files',` |
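Review bot: The mysqld and postgresql port rules leave this tunable block and reappear only inside the mysql and postgresql optional_policy blocks later in the file (as `mysql_tcp_connect` / `postgresql_tcp_connect`), so TCP access to a remote MySQL or PostgreSQL server now exists only when those policy modules are loaded on the mail host, where before the bare corenet calls worked on their own. If that is intended, a one-line comment here, `# mysql/postgresql access lives in the optional blocks below`, saves the next reader the hunt; if not, the two corenet connect calls should stay. Of the three backends added, gds_db and oracledb correspond to exim's ibase and oracle lookups, but I am not aware of an MSSQL lookup in exim, so the three mssql lines look like a carry-over from another module's policy and widen what the boolean unlocks without a consumer.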
379 |
@@ -162,6 +182,10 @@ optional_policy(` |
380 |
') |
381 |
|
382 |
optional_policy(` |
383 |
+ dovecot_stream_connect(exim_t) |
384 |
+') |
385 |
+ |
386 |
+optional_policy(` |
387 |
kerberos_keytab_template(exim, exim_t) |
388 |
') |
389 |
|
390 |
@@ -171,14 +195,23 @@ optional_policy(` |
391 |
') |
392 |
|
393 |
optional_policy(` |
394 |
+ nagios_search_spool(exim_t) |
395 |
+') |
396 |
+ |
397 |
+optional_policy(` |
398 |
tunable_policy(`exim_can_connect_db',` |
399 |
+ mysql_rw_db_sockets(exim_t) |
400 |
mysql_stream_connect(exim_t) |
401 |
+ mysql_tcp_connect(exim_t) |
402 |
') |
403 |
') |
404 |
|
405 |
optional_policy(` |
406 |
+ postgresql_unpriv_client(exim_t) |
407 |
+ |
408 |
tunable_policy(`exim_can_connect_db',` |
409 |
postgresql_stream_connect(exim_t) |
410 |
+ postgresql_tcp_connect(exim_t) |
411 |
') |
412 |
') |
413 |
|
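Review bot: `postgresql_unpriv_client(exim_t)` is placed outside the `exim_can_connect_db` tunable while the stream and tcp connect calls beside it are inside, so exim_t becomes an unprivileged sepgsql client regardless of the boolean. This is forced by the policy language — the interface applies a typeattribute, and typeattribute statements cannot appear in a conditional block — but nothing in the hunk says so, and the tunable's description ("Determine whether exim can connect to databases") now overstates what it gates. Add `# typeattribute cannot be conditional; socket access is still gated by exim_can_connect_db below` above the line, or reword the tunable description to match.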
414 |
@@ -191,9 +224,6 @@ optional_policy(` |
415 |
') |
416 |
|
417 |
optional_policy(` |
418 |
- # https://bugzilla.redhat.com/show_bug.cgi?id=512710 |
419 |
- # uses sendmail for outgoing mail and exim |
420 |
- # for incoming mail |
421 |
sendmail_manage_tmp_files(exim_t) |
422 |
') |