commit: b7cab4f7955034ccbfc097c0214f5b6071e2d6f4 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sat Aug 23 19:01:16 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Sat Aug 23 19:01:16 2014 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b7cab4f7 |
|
Initial policy |
|
--- |
policy/modules/contrib/mail.fc | 7 +++ |
policy/modules/contrib/mail.if | 99 ++++++++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/mail.te | 85 ++++++++++++++++++++++++++++++++++++ |
3 files changed, 191 insertions(+) |
|
diff --git a/policy/modules/contrib/mail.fc b/policy/modules/contrib/mail.fc |
17 |
new file mode 100644 |
18 |
index 0000000..1f0437e |
19 |
--- /dev/null |
20 |
+++ b/policy/modules/contrib/mail.fc |
21 |
@@ -0,0 +1,7 @@ |
22 |
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) |
23 |
+HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) |
24 |
+ |
25 |
+/etc/mail(/.*)? gen_context(system_u:object_r:mail_etc_t,s0) |
26 |
+ |
27 |
+# Only effective files are labeled as sendmail_exec_t, esp. symlinks should remain bin_t |
28 |
+/usr/sbin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) |
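Review bot: No entry in this file assigns `mail_aliases_t`, which mail.te in the same commit declares, so an aliases file kept under /etc/mail would match `/etc/mail(/.*)?` and be labelled `mail_etc_t` like any other configuration file. Alias tables decide where mail is delivered, so they normally get their own label and a narrower set of writers. If that is the intent here, an entry along the lines of `/etc/mail/aliases.* -- gen_context(system_u:object_r:mail_aliases_t,s0)` is needed (the path is assumed, confirm it against the target layout); otherwise a comment saying that the type is not yet wired up would help.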
29 |
|
30 |
diff --git a/policy/modules/contrib/mail.if b/policy/modules/contrib/mail.if |
31 |
new file mode 100644 |
32 |
index 0000000..e451d9c |
33 |
--- /dev/null |
34 |
+++ b/policy/modules/contrib/mail.if |
35 |
@@ -0,0 +1,99 @@ |
36 |
+## <summary>Common e-mail infrastructure policy</summary> |
37 |
+ |
38 |
+######################################### |
39 |
+## <summary> |
40 |
+## Role access for mail access and usage |
41 |
+##</summary> |
42 |
+## <param name="role"> |
43 |
+## <summary> |
44 |
+## Role allowed access |
45 |
+## </summary> |
46 |
+## </param> |
47 |
+## <param name="domain"> |
48 |
+## <summary> |
49 |
+## User domain for the role |
50 |
+## </summary> |
51 |
+## </param> |
52 |
+# |
53 |
+interface(`mail_role',` |
54 |
+ gen_require(` |
55 |
+ attribute_role user_sendmail_roles; |
56 |
+ type mail_home_rw_t; |
57 |
+ type sendmail_exec_t; |
58 |
+ type user_sendmail_t; |
59 |
+ ') |
60 |
+ |
61 |
+ roleattribute $1 user_sendmail_roles; |
62 |
+ |
63 |
+ domtrans_pattern($2, sendmail_exec_t, user_sendmail_t) |
64 |
+ |
65 |
+ allow $2 user_sendmail_t:process { ptrace signal_perms }; |
66 |
+ ps_process_pattern($2, user_sendmail_t) |
67 |
+ |
68 |
+ allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms }; |
69 |
+ allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms }; |
70 |
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir") |
71 |
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir") |
72 |
+') |
73 |
+ |
74 |
+######################################### |
75 |
+## <summary> |
76 |
+## Mark the type as a mail content type (mail generated by or for a mail user agent) |
77 |
+## </summary> |
78 |
+## <param name="type"> |
79 |
+## <summary> |
80 |
+## Type to mark as mail content |
81 |
+## </summary> |
82 |
+## </param> |
83 |
+# |
84 |
+interface(`mail_content_type',` |
85 |
+ gen_require(` |
86 |
+ attribute mail_content; |
87 |
+ ') |
88 |
+ |
89 |
+ typeattribute $1 mail_content; |
90 |
+') |
91 |
+ |
92 |
+######################################### |
93 |
+## <summary> |
94 |
+## Mark the type as a mail user agent domain |
95 |
+## </summary> |
96 |
+## <param name="domain"> |
97 |
+## <summary> |
98 |
+## Domain to be assigned the mail_user_agent attribute |
99 |
+## </summary> |
100 |
+## </param> |
101 |
+# |
102 |
+interface(`mail_user_agent_type',` |
103 |
+ gen_require(` |
104 |
+ attribute mail_user_agent; |
105 |
+ ') |
106 |
+ |
107 |
+ typeattribute $1 mail_user_agent; |
108 |
+') |
109 |
+ |
110 |
+######################################### |
111 |
+## <summary> |
112 |
+## Assign all privileges for the domain to act as a mail user agent (MUA) |
113 |
+## </summary> |
114 |
+## <param name="domain"> |
115 |
+## <summary> |
116 |
+## Type or attribute to assign MUA privileges to |
117 |
+## </summary> |
118 |
+## </param> |
119 |
+# |
120 |
+interface(`mail_user_agent_privs',` |
121 |
+ gen_require(` |
122 |
+ type mail_home_rw_t; |
123 |
+ ') |
124 |
+ |
125 |
+ # Manage user mail files |
126 |
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) |
127 |
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) |
128 |
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) |
129 |
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") |
130 |
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") |
131 |
+ |
132 |
+ # Call sendmail to send out mails |
133 |
+ domtrans_pattern($1, sendmail_exec_t, user_sendmail_t) |
134 |
+') |
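Review bot: `mail_user_agent_privs` calls `domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)` but its `gen_require` block lists only `mail_home_rw_t`; it should also carry `type sendmail_exec_t;` and `type user_sendmail_t;`, as `mail_role` already does. Separately, `mail_role` grants `$2` the `ptrace` permission on `user_sendmail_t`, which lets the calling user domain inspect and control the sendmail process and so weakens the separation the domain transition sets up. I would drop `ptrace` from `allow $2 user_sendmail_t:process { ptrace signal_perms };` or gate it behind a tunable, and add a comment giving the reason if it stays. The `##</summary>` closing tag in the `mail_role` header is missing the space that the other headers have.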
135 |
|
136 |
diff --git a/policy/modules/contrib/mail.te b/policy/modules/contrib/mail.te |
137 |
new file mode 100644 |
138 |
index 0000000..68af687 |
139 |
--- /dev/null |
140 |
+++ b/policy/modules/contrib/mail.te |
141 |
@@ -0,0 +1,85 @@ |
142 |
+policy_module(mailinfra, 1.0) |
143 |
+ |
144 |
+# This will become the new mta when finished. For now, use a different name |
145 |
+ |
146 |
+######################################### |
147 |
+# |
148 |
+# Declarations |
149 |
+# |
150 |
+ |
151 |
+# Domain attributes, see http://en.wikipedia.org/wiki/Email_agent_%28infrastructure%29 |
152 |
+attribute mail_user_agent; |
153 |
+attribute mail_submission_agent; |
154 |
+attribute mail_transfer_agent; |
155 |
+attribute mail_delivery_agent; |
156 |
+attribute mail_retrieval_agent; |
157 |
+ |
158 |
+# Resource attributes |
159 |
+attribute mail_content; |
160 |
+ |
161 |
+# Access to user-based sendmail |
162 |
+attribute_role user_sendmail_roles; |
163 |
+ |
164 |
+# TODO deleteme |
165 |
+attribute mta_exec_type; |
166 |
+type system_mail_t; |
167 |
+application_type(system_mail_t) |
168 |
+attribute mta_user_agent; |
169 |
+type mail_spool_t; |
170 |
+attribute user_mail_domain; |
171 |
+attribute mailserver_domain; |
172 |
+attribute mailserver_sender; |
173 |
+attribute mailserver_delivery; |
174 |
+ |
175 |
+# Generic domain types |
176 |
+type sendmail_exec_t; |
177 |
+ |
178 |
+type user_sendmail_t; |
179 |
+userdom_user_application_domain(user_sendmail_t, sendmail_exec_t) |
180 |
+role user_sendmail_roles types user_sendmail_t; |
181 |
+ |
182 |
+type system_sendmail_t; |
183 |
+ |
184 |
+# Generic types |
185 |
+type mail_aliases_t alias etc_aliases_t; |
186 |
+files_type(mail_aliases_t) |
187 |
+ |
188 |
+type mail_etc_t alias etc_mail_t; |
189 |
+files_config_file(mail_etc_t) |
190 |
+ |
191 |
+type mail_home_rw_t; |
192 |
+userdom_user_home_content(mail_home_rw_t) |
193 |
+ |
194 |
+######################################### |
195 |
+# |
196 |
+# Mail User Agent policy |
197 |
+# |
198 |
+ |
199 |
+mail_user_agent_privs(mail_user_agent) |
200 |
+ |
201 |
+######################################### |
202 |
+# |
203 |
+# User-based sendmail domain |
204 |
+# |
205 |
+ |
206 |
+allow user_sendmail_t mail_content:file { read_file_perms append_file_perms }; |
207 |
+ |
208 |
+miscfiles_read_localization(user_sendmail_t) |
209 |
+ |
210 |
+# Postfix implementation specifics |
211 |
+ifdef(`use_postfix',` |
212 |
+ # TODO Bring this into a postfix_sendmail_privs interface |
213 |
+ allow user_sendmail_t self:process { setrlimit }; |
214 |
+ allow user_sendmail_t self:tcp_socket create_socket_perms; |
215 |
+ allow user_sendmail_t self:unix_dgram_socket create_socket_perms; |
216 |
+ |
217 |
+ kernel_read_network_state(user_sendmail_t) |
218 |
+ |
219 |
+ auth_use_nsswitch(user_sendmail_t) |
220 |
+ |
221 |
+ logging_send_syslog_msg(user_sendmail_t) |
222 |
+ |
223 |
+ postfix_domtrans_postdrop(user_sendmail_t) |
224 |
+ postfix_read_config(user_sendmail_t) |
225 |
+ postfix_read_spool_files(user_sendmail_t) |
226 |
+') |
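Review bot: In the use_postfix block, `allow user_sendmail_t self:tcp_socket create_socket_perms;` gives the user-facing sendmail domain a TCP socket, although the visible rules hand the message over through `postfix_domtrans_postdrop` and no `corenet_*` rule accompanies the socket, so the grant looks either unused or incomplete. I would leave it out until an observed denial justifies it, or add a comment naming what needs it. The `postfix_*` calls are wrapped in an `ifdef` on use_postfix rather than `optional_policy`, so the module presumably fails to build when the define is set without the postfix module present. Also, `system_sendmail_t` and `mail_spool_t` are declared without any domain or file attribute; if that is deliberate for now, a `# TODO` comment next to `type system_sendmail_t;` would make it clear.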