Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:mailinfra commit in: policy/modules/contrib/
Date: Sun, 24 Aug 2014 08:02:57
Message-Id: 1408820476.b7cab4f7955034ccbfc097c0214f5b6071e2d6f4.swift@gentoo
1 commit: b7cab4f7955034ccbfc097c0214f5b6071e2d6f4
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Sat Aug 23 19:01:16 2014 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Sat Aug 23 19:01:16 2014 +0000
6 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b7cab4f7
7
8 Initial policy
9
10 ---
11 policy/modules/contrib/mail.fc | 7 +++
12 policy/modules/contrib/mail.if | 99 ++++++++++++++++++++++++++++++++++++++++++
13 policy/modules/contrib/mail.te | 85 ++++++++++++++++++++++++++++++++++++
14 3 files changed, 191 insertions(+)
15
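--- /dev/null
+++ b/policy/modules/contrib/mail.fc
@@ -0,0 +1,7 @@
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/etc/mail(/.*)? gen_context(system_u:object_r:mail_etc_t,s0)
+
+# Only effective files are labeled as sendmail_exec_t, esp. symlinks should remain bin_t
+/usr/sbin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)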
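Review bot: No path in this file is labelled `mail_aliases_t`, although mail.te declares that type (aliased to `etc_aliases_t`), so any alias database kept under `/etc/mail` is caught by the `/etc/mail(/.*)?` entry and labelled `mail_etc_t`. Alias files can redirect delivery, so they are usually kept on their own type to let write access be restricted separately from general mail configuration. Consider adding explicit entries for the alias files, with the path taken from the distribution's layout, e.g. `<ALIASES_PATH> -- gen_context(system_u:object_r:mail_aliases_t,s0)`, before the broad `/etc/mail` rule is relied on.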
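--- /dev/null
+++ b/policy/modules/contrib/mail.if
@@ -0,0 +1,99 @@
+## <summary>Common e-mail infrastructure policy</summary>
+
+#########################################
+## <summary>
+## Role access for mail access and usage
+##</summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mail_role',`
+ gen_require(`
+ attribute_role user_sendmail_roles;
+ type mail_home_rw_t;
+ type sendmail_exec_t;
+ type user_sendmail_t;
+ ')
+
+ roleattribute $1 user_sendmail_roles;
+
+ domtrans_pattern($2, sendmail_exec_t, user_sendmail_t)
+
+ allow $2 user_sendmail_t:process { ptrace signal_perms };
+ ps_process_pattern($2, user_sendmail_t)
+
+ allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail content type (mail generated by or for a mail user agent)
+## </summary>
+## <param name="type">
+## <summary>
+## Type to mark as mail content
+## </summary>
+## </param>
+#
+interface(`mail_content_type',`
+ gen_require(`
+ attribute mail_content;
+ ')
+
+ typeattribute $1 mail_content;
+')
+
+#########################################
+## <summary>
+## Mark the type as a mail user agent domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be assigned the mail_user_agent attribute
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_type',`
+ gen_require(`
+ attribute mail_user_agent;
+ ')
+
+ typeattribute $1 mail_user_agent;
+')
+
+#########################################
+## <summary>
+## Assign all privileges for the domain to act as a mail user agent (MUA)
+## </summary>
+## <param name="domain">
+## <summary>
+## Type or attribute to assign MUA privileges to
+## </summary>
+## </param>
+#
+interface(`mail_user_agent_privs',`
+ gen_require(`
+ type mail_home_rw_t;
+ ')
+
+ # Manage user mail files
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+
+ # Call sendmail to send out mails
+ domtrans_pattern($1, sendmail_exec_t, user_sendmail_t)
+')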
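Review bot: The `mail_user_agent_privs` interface uses `sendmail_exec_t` and `user_sendmail_t` in its `domtrans_pattern` call, but its `gen_require` block lists only `mail_home_rw_t`, so a caller in another module references two types it never required. Add `type sendmail_exec_t;` and `type user_sendmail_t;` to that block, as the `mail_role` interface already does. Separately, `mail_role` grants `ptrace` on `user_sendmail_t` to the whole user domain. Unless debugging the sendmail helper is a stated requirement, `allow $2 user_sendmail_t:process signal_perms;` is the narrower grant, and the `ps_process_pattern` line is unaffected by it.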
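--- /dev/null
+++ b/policy/modules/contrib/mail.te
@@ -0,0 +1,85 @@
+policy_module(mailinfra, 1.0)
+
+# This will become the new mta when finished. For now, use a different name
+
+#########################################
+#
+# Declarations
+#
+
+# Domain attributes, see http://en.wikipedia.org/wiki/Email_agent_%28infrastructure%29
+attribute mail_user_agent;
+attribute mail_submission_agent;
+attribute mail_transfer_agent;
+attribute mail_delivery_agent;
+attribute mail_retrieval_agent;
+
+# Resource attributes
+attribute mail_content;
+
+# Access to user-based sendmail
+attribute_role user_sendmail_roles;
+
+# TODO deleteme
+attribute mta_exec_type;
+type system_mail_t;
+application_type(system_mail_t)
+attribute mta_user_agent;
+type mail_spool_t;
+attribute user_mail_domain;
+attribute mailserver_domain;
+attribute mailserver_sender;
+attribute mailserver_delivery;
+
+# Generic domain types
+type sendmail_exec_t;
+
+type user_sendmail_t;
+userdom_user_application_domain(user_sendmail_t, sendmail_exec_t)
+role user_sendmail_roles types user_sendmail_t;
+
+type system_sendmail_t;
+
+# Generic types
+type mail_aliases_t alias etc_aliases_t;
+files_type(mail_aliases_t)
+
+type mail_etc_t alias etc_mail_t;
+files_config_file(mail_etc_t)
+
+type mail_home_rw_t;
+userdom_user_home_content(mail_home_rw_t)
+
+#########################################
+#
+# Mail User Agent policy
+#
+
+mail_user_agent_privs(mail_user_agent)
+
+#########################################
+#
+# User-based sendmail domain
+#
+
+allow user_sendmail_t mail_content:file { read_file_perms append_file_perms };
+
+miscfiles_read_localization(user_sendmail_t)
+
+# Postfix implementation specifics
+ifdef(`use_postfix',`
+ # TODO Bring this into a postfix_sendmail_privs interface
+ allow user_sendmail_t self:process { setrlimit };
+ allow user_sendmail_t self:tcp_socket create_socket_perms;
+ allow user_sendmail_t self:unix_dgram_socket create_socket_perms;
+
+ kernel_read_network_state(user_sendmail_t)
+
+ auth_use_nsswitch(user_sendmail_t)
+
+ logging_send_syslog_msg(user_sendmail_t)
+
+ postfix_domtrans_postdrop(user_sendmail_t)
+ postfix_read_config(user_sendmail_t)
+ postfix_read_spool_files(user_sendmail_t)
+')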
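Review bot: In the `use_postfix` block, `allow user_sendmail_t self:tcp_socket create_socket_perms;` has no accompanying network rule in this hunk, so it is unclear what the user-invoked sendmail domain needs a TCP socket for; name-service lookups are presumably already covered by `auth_use_nsswitch`. If audit logs show no denial without it, drop the line so the domain stays limited to local submission through `postfix_domtrans_postdrop`. If it is needed, a comment such as `# TCP needed for <reason>` above the rule would record why. Also, `system_sendmail_t` and `mail_spool_t` are declared with no attribute-assigning macro (`files_type()` or a domain macro such as `application_type()`), so they should either gain one or be left out until their rules arrive.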