[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / mta.te


policy_module(mta,1.3.3)

########################################
#
# Declarations
#

attribute mta_user_agent;
attribute mailserver_delivery;
attribute mailserver_domain;
attribute mailserver_sender;

attribute user_mail_domain;

type etc_aliases_t;
files_type(etc_aliases_t)

type etc_mail_t;
files_config_file(etc_mail_t)

type mqueue_spool_t;
files_type(mqueue_spool_t)

type mail_spool_t;
files_type(mail_spool_t)

type sendmail_exec_t;
files_type(sendmail_exec_t)

mta_base_mail_template(system)
role system_r types system_mail_t;

# cjp: need to resolve this, but require{}
# does not work in the else part of the optional
#ifdef(`strict_policy',`
#	optional_policy(`',`
#		init_system_domain(system_mail_t,sendmail_exec_t)
#	')
#')

########################################
#
# System mail local policy
#

# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override };

allow system_mail_t etc_mail_t:dir { getattr search };
allow system_mail_t etc_mail_t:file r_file_perms;

kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)

dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)

fs_read_eventpollfs(system_mail_t)

init_use_script_ptys(system_mail_t)

userdom_use_sysadm_terms(system_mail_t)

ifdef(`targeted_policy',`
	typealias system_mail_t alias sysadm_mail_t;

	allow system_mail_t mail_spool_t:dir create_dir_perms;
	allow system_mail_t mail_spool_t:file create_file_perms;
	allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
	allow system_mail_t mail_spool_t:fifo_file rw_file_perms;

	allow system_mail_t mqueue_spool_t:dir create_dir_perms;
	allow system_mail_t mqueue_spool_t:file create_file_perms;
	allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;

	# for reading .forward - maybe we need a new type for it?
	# also for delivering mail to maildir
	# cjp: fix this to generic_user interfaces
	userdom_manage_user_home_content_dirs(user,mailserver_delivery)
	userdom_manage_generic_user_home_content_files(mailserver_delivery)
	userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
	userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
	userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
	userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })

# cjp: another require-in-else to resolve
#	optional_policy(`',`
		corecmd_exec_all_executables(system_mail_t)

		files_exec_etc_files(system_mail_t)

		libs_exec_ld_so(system_mail_t)
		libs_exec_lib_files(system_mail_t)
#	')
')

optional_policy(`
	apache_read_squirrelmail_data(system_mail_t)
	apache_append_squirrelmail_data(system_mail_t)

	# apache should set close-on-exec
	apache_dontaudit_append_log(system_mail_t)
	apache_dontaudit_rw_stream_sockets(system_mail_t)
	apache_dontaudit_rw_tcp_sockets(system_mail_t)
	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
')

optional_policy(`
	arpwatch_manage_tmp_files(system_mail_t)

	ifdef(`hide_broken_symptoms', `
		arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
	')
')

optional_policy(`
	cron_read_system_job_tmp_files(system_mail_t)
	cron_dontaudit_write_pipes(system_mail_t)
')

optional_policy(`
	cvs_read_data(system_mail_t)
')

optional_policy(`
	logrotate_read_tmp_files(system_mail_t)
')

optional_policy(`
	logwatch_read_tmp_files(system_mail_t)
')

optional_policy(`
	nagios_read_tmp_files(system_mail_t)
')

optional_policy(`
	allow system_mail_t etc_aliases_t:dir create_dir_perms;
	allow system_mail_t etc_aliases_t:file create_file_perms;
	allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
	allow system_mail_t etc_aliases_t:sock_file create_file_perms;
	allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
	files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })

	domain_use_interactive_fds(system_mail_t)

	# postfix needs this for newaliases
	files_getattr_tmp_dirs(system_mail_t)

	postfix_exec_master(system_mail_t)
	postfix_read_config(system_mail_t)
	postfix_search_spool(system_mail_t)

	ifdef(`distro_redhat',`
		# compatability for old default main.cf
		postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
	')

	optional_policy(`
		cron_rw_tcp_sockets(system_mail_t)
	')
')

optional_policy(`
	qmail_domtrans_inject(system_mail_t)
')

optional_policy(`
	userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)

	optional_policy(`
		cron_dontaudit_append_system_job_tmp_files(system_mail_t)
	')
')

optional_policy(`
	smartmon_read_tmp_files(system_mail_t)
')

# should break this up among sections:

optional_policy(`
	# why is mail delivered to a directory of type arpwatch_data_t?
	arpwatch_search_data(mailserver_delivery)
	arpwatch_manage_tmp_files(mta_user_agent)
	ifdef(`hide_broken_symptoms', `
		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
	')
	optional_policy(`
		cron_read_system_job_tmp_files(mta_user_agent)
	')
')

ifdef(`TODO',`
# for the start script to run make -C /etc/mail
allow initrc_t etc_mail_t:dir rw_dir_perms;
allow initrc_t etc_mail_t:file create_file_perms;
')
Commit	Line	Data
6b93833b	1
fb63d0b5	2	policy_module(mta,1.3.3)
6b93833b	3
075c4fda CP	4	########################################
	5	#
	6	# Declarations
	7	#
	8
246839f3 CP	9	attribute mta_user_agent;
	10	attribute mailserver_delivery;
	11	attribute mailserver_domain;
	12	attribute mailserver_sender;
	13
04926d07 CP	14	attribute user_mail_domain;
04926d07 CP	15
6b93833b	16	type etc_aliases_t;
8fd36732	17	files_type(etc_aliases_t)
6b93833b CP	18
6b93833b CP	19	type etc_mail_t;
9bbc757a	20	files_config_file(etc_mail_t)
6b93833b CP	21
6b93833b CP	22	type mqueue_spool_t;
8fd36732	23	files_type(mqueue_spool_t)
6b93833b CP	24
6b93833b CP	25	type mail_spool_t;
8fd36732	26	files_type(mail_spool_t)
075c4fda CP	27
075c4fda CP	28	type sendmail_exec_t;
8fd36732	29	files_type(sendmail_exec_t)
075c4fda	30
08cd98b7	31	mta_base_mail_template(system)
075c4fda CP	32	role system_r types system_mail_t;
075c4fda CP	33
12ae7557 CP	34	# cjp: need to resolve this, but require{}
12ae7557 CP	35	# does not work in the else part of the optional
08cd98b7	36	#ifdef(`strict_policy',`
bb7170f6	37	# optional_policy(`',`
12ae7557 CP	38	# init_system_domain(system_mail_t,sendmail_exec_t)
	39	# ')
	40	#')
7bba9d31	41
075c4fda CP	42	########################################
	43	#
	44	# System mail local policy
	45	#
	46
8cf67141 CP	47	# newalias required this, not sure if it is needed in 'if' file
	48	allow system_mail_t self:capability { dac_override };
	49
f13da83f	50	allow system_mail_t etc_mail_t:dir { getattr search };
e8d0a659 CP	51	allow system_mail_t etc_mail_t:file r_file_perms;
e8d0a659 CP	52
075c4fda CP	53	kernel_read_system_state(system_mail_t)
	54	kernel_read_network_state(system_mail_t)
	55
98a8ead4	56	dev_read_rand(system_mail_t)
f0c985ca	57	dev_read_urand(system_mail_t)
075c4fda	58
93727e3f CP	59	fs_read_eventpollfs(system_mail_t)
93727e3f CP	60
1815bad1	61	init_use_script_ptys(system_mail_t)
075c4fda	62
246839f3 CP	63	userdom_use_sysadm_terms(system_mail_t)
	64
	65	ifdef(`targeted_policy',`
fe9d17fe CP	66	typealias system_mail_t alias sysadm_mail_t;
fe9d17fe CP	67
246839f3 CP	68	allow system_mail_t mail_spool_t:dir create_dir_perms;
	69	allow system_mail_t mail_spool_t:file create_file_perms;
	70	allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
	71	allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
	72
	73	allow system_mail_t mqueue_spool_t:dir create_dir_perms;
	74	allow system_mail_t mqueue_spool_t:file create_file_perms;
	75	allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
	76
88dd3896 CP	77	# for reading .forward - maybe we need a new type for it?
	78	# also for delivering mail to maildir
	79	# cjp: fix this to generic_user interfaces
103fe280 CP	80	userdom_manage_user_home_content_dirs(user,mailserver_delivery)
	81	userdom_manage_generic_user_home_content_files(mailserver_delivery)
	82	userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
	83	userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
	84	userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
	85	userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
88dd3896	86
af4752bc	87	# cjp: another require-in-else to resolve
bb7170f6	88	# optional_policy(`',`
fb63d0b5	89	corecmd_exec_all_executables(system_mail_t)
246839f3 CP	90
	91	files_exec_etc_files(system_mail_t)
	92
246839f3 CP	93	libs_exec_ld_so(system_mail_t)
246839f3 CP	94	libs_exec_lib_files(system_mail_t)
af4752bc	95	# ')
246839f3 CP	96	')
246839f3 CP	97
bb7170f6	98	optional_policy(`
e749cd12 CP	99	apache_read_squirrelmail_data(system_mail_t)
	100	apache_append_squirrelmail_data(system_mail_t)
	101
	102	# apache should set close-on-exec
	103	apache_dontaudit_append_log(system_mail_t)
1815bad1 CP	104	apache_dontaudit_rw_stream_sockets(system_mail_t)
	105	apache_dontaudit_rw_tcp_sockets(system_mail_t)
	106	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
e749cd12 CP	107	')
e749cd12 CP	108
bb7170f6	109	optional_policy(`
1504ff3e CP	110	arpwatch_manage_tmp_files(system_mail_t)
	111
	112	ifdef(`hide_broken_symptoms', `
1815bad1	113	arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
1504ff3e	114	')
e8d0a659 CP	115	')
e8d0a659 CP	116
bb7170f6	117	optional_policy(`
246839f3	118	cron_read_system_job_tmp_files(system_mail_t)
1815bad1	119	cron_dontaudit_write_pipes(system_mail_t)
246839f3 CP	120	')
246839f3 CP	121
bb7170f6	122	optional_policy(`
93070cba CP	123	cvs_read_data(system_mail_t)
	124	')
	125
bb7170f6	126	optional_policy(`
246839f3 CP	127	logrotate_read_tmp_files(system_mail_t)
	128	')
	129
bb7170f6	130	optional_policy(`
020cbefc CP	131	logwatch_read_tmp_files(system_mail_t)
	132	')
	133
f1e604bb CP	134	optional_policy(`
	135	nagios_read_tmp_files(system_mail_t)
	136	')
	137
bb7170f6	138	optional_policy(`
04926d07 CP	139	allow system_mail_t etc_aliases_t:dir create_dir_perms;
	140	allow system_mail_t etc_aliases_t:file create_file_perms;
	141	allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
	142	allow system_mail_t etc_aliases_t:sock_file create_file_perms;
	143	allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
103fe280	144	files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
04926d07	145
15722ec9	146	domain_use_interactive_fds(system_mail_t)
d3f715d2	147
1504ff3e	148	# postfix needs this for newaliases
9e04f5c5	149	files_getattr_tmp_dirs(system_mail_t)
725926c5	150
1504ff3e	151	postfix_exec_master(system_mail_t)
b0d2243c CP	152	postfix_read_config(system_mail_t)
b0d2243c CP	153	postfix_search_spool(system_mail_t)
7bba9d31	154
1504ff3e CP	155	ifdef(`distro_redhat',`
1504ff3e CP	156	# compatability for old default main.cf
103fe280	157	postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
1504ff3e CP	158	')
1504ff3e CP	159
bb7170f6	160	optional_policy(`
e1ee92b2	161	cron_rw_tcp_sockets(system_mail_t)
1504ff3e	162	')
246839f3 CP	163	')
246839f3 CP	164
65e131f0 CP	165	optional_policy(`
	166	qmail_domtrans_inject(system_mail_t)
	167	')
	168
bb7170f6	169	optional_policy(`
1815bad1	170	userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)
df00b2e2	171
bb7170f6	172	optional_policy(`
1504ff3e	173	cron_dontaudit_append_system_job_tmp_files(system_mail_t)
df00b2e2	174	')
7bba9d31	175	')
075c4fda	176
bb7170f6	177	optional_policy(`
1815bad1	178	smartmon_read_tmp_files(system_mail_t)
871b6855 CP	179	')
871b6855 CP	180
1504ff3e	181	# should break this up among sections:
725926c5	182
bb7170f6	183	optional_policy(`
4483ee84	184	# why is mail delivered to a directory of type arpwatch_data_t?
725926c5	185	arpwatch_search_data(mailserver_delivery)
4483ee84 CP	186	arpwatch_manage_tmp_files(mta_user_agent)
4483ee84 CP	187	ifdef(`hide_broken_symptoms', `
1815bad1	188	arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
4483ee84	189	')
bb7170f6	190	optional_policy(`
1504ff3e CP	191	cron_read_system_job_tmp_files(mta_user_agent)
1504ff3e CP	192	')
4483ee84	193	')
a77e6524 CP	194
	195	ifdef(`TODO',`
	196	# for the start script to run make -C /etc/mail
	197	allow initrc_t etc_mail_t:dir rw_dir_perms;
	198	allow initrc_t etc_mail_t:file create_file_perms;
	199	')