1 ## <summary>Policy common to all email transfer agents.</summary>
3 ########################################
5 ## MTA stub interface. No access allowed.
7 ## <param name="domain" optional="true">
# Grants the caller no permissions; requiring it only pulls in the MTA module.
13 interface(`mta_stub',`
19 #######################################
21 ## Basic mail transfer agent domain template.
25 ## This template creates a derived domain which is
26 ## an email transfer agent, which sends mail on
27 ## behalf of the user.
30 ## This is the basic types and rules, common
31 ## to the system agent and user agents.
34 ## <param name="domain_prefix">
36 ## The prefix of the domain (e.g., user
37 ## is the prefix for user_t).
41 template(`mta_base_mail_template',`
43 ##############################
45 # $1_mail_t declarations
48 type $1_mail_t, user_mail_domain;
49 domain_type($1_mail_t)
# sendmail_exec_t is the entry point for every derived $1_mail_t domain.
50 domain_entry_file($1_mail_t,sendmail_exec_t)
53 files_tmp_file($1_mail_tmp_t)
55 ##############################
57 # $1_mail_t local policy
# Granted to every derived mail domain, the system one and each per-user one;
# review before widening this set.
60 allow $1_mail_t self:capability { setuid setgid chown };
61 allow $1_mail_t self:process { signal_perms setrlimit };
62 allow $1_mail_t self:tcp_socket create_socket_perms;
65 can_exec($1_mail_t, sendmail_exec_t)
66 allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
68 kernel_read_kernel_sysctls($1_mail_t)
70 corenet_non_ipsec_sendrecv($1_mail_t)
71 corenet_tcp_sendrecv_all_if($1_mail_t)
72 corenet_tcp_sendrecv_all_nodes($1_mail_t)
73 corenet_tcp_sendrecv_all_ports($1_mail_t)
# Outbound TCP connect to every port, not only SMTP; the smtp_port rule that
# follows is already covered by it. Revisit if derived domains only need SMTP.
74 corenet_tcp_connect_all_ports($1_mail_t)
75 corenet_tcp_connect_smtp_port($1_mail_t)
76 corenet_sendrecv_smtp_client_packets($1_mail_t)
78 corecmd_exec_bin($1_mail_t)
79 corecmd_search_sbin($1_mail_t)
81 files_read_etc_files($1_mail_t)
82 files_search_spool($1_mail_t)
83 # It wants to check for nscd
84 files_dontaudit_search_pids($1_mail_t)
86 libs_use_ld_so($1_mail_t)
87 libs_use_shared_libs($1_mail_t)
89 logging_send_syslog_msg($1_mail_t)
91 miscfiles_read_localization($1_mail_t)
93 sysnet_read_config($1_mail_t)
94 sysnet_dns_name_resolve($1_mail_t)
97 nis_use_ypbind($1_mail_t)
101 nscd_socket_use($1_mail_t)
# Integration with other MTAs/MDAs: postfix and qmail domain transitions,
# procmail execution (each presumably inside its own optional_policy block).
105 postfix_domtrans_user_mail_handler($1_mail_t)
109 procmail_exec($1_mail_t)
113 qmail_domtrans_inject($1_mail_t)
118 type etc_mail_t, mail_spool_t, mqueue_spool_t;
121 manage_dirs_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
122 manage_files_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
123 files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
125 allow $1_mail_t etc_mail_t:dir { getattr search };
127 # Write to /var/spool/mail and /var/spool/mqueue.
# manage_files_pattern is create/read/write/delete on the whole shared spool
# and queue, not just the calling user's own mailbox.
128 manage_files_pattern($1_mail_t,mail_spool_t,mail_spool_t)
129 manage_files_pattern($1_mail_t,mqueue_spool_t,mqueue_spool_t)
131 # Check available space.
132 fs_getattr_xattr_fs($1_mail_t)
134 files_read_etc_runtime_files($1_mail_t)
136 # Write to /var/log/sendmail.st
137 sendmail_manage_log($1_mail_t)
138 sendmail_create_log($1_mail_t)
143 #######################################
145 ## The per role template for the mta module.
149 ## This template creates a derived domain which is
150 ## an email transfer agent, which sends mail on
151 ## behalf of the user.
154 ## This template is invoked automatically for each user, and
155 ## generally does not need to be invoked directly
156 ## by policy writers.
159 ## <param name="userdomain_prefix">
161 ## The prefix of the user domain (e.g., user
162 ## is the prefix for user_t).
165 ## <param name="user_domain">
167 ## The type of the user domain.
170 ## <param name="user_role">
172 ## The role associated with the user domain.
176 template(`mta_per_role_template',`
178 ##############################
# The shared $1_mail_t rules come from the base template; this template adds
# the binding to the user's role and domain.
183 mta_base_mail_template($1)
184 role $3 types $1_mail_t;
186 ##############################
188 # $1_mail_t local policy
191 # Transition from the user domain to the derived domain.
192 domtrans_pattern($2, sendmail_exec_t, $1_mail_t)
193 allow $2 sendmail_exec_t:lnk_file { getattr read };
195 domain_use_interactive_fds($1_mail_t)
197 userdom_use_user_terminals($1,$1_mail_t)
198 # Write to the user domain tty. cjp: why?
199 userdom_use_user_terminals($1,mta_user_agent)
200 # Create dead.letter in user home directories.
201 userdom_manage_user_home_content_files($1,$1_mail_t)
202 userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
203 # for reading .forward - maybe we need a new type for it?
204 # also for delivering mail to maildir
# NOTE(review): this is create/write/delete on all of the user's home content
# (dirs, files, symlinks, pipes, sockets) for every mailserver_delivery domain,
# not just a mailbox type; the dedicated type suggested above would narrow it.
205 userdom_manage_user_home_content_dirs($1,mailserver_delivery)
206 userdom_manage_user_home_content_files($1,mailserver_delivery)
207 userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
208 userdom_manage_user_home_content_pipes($1,mailserver_delivery)
209 userdom_manage_user_home_content_sockets($1,mailserver_delivery)
210 userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
211 # Read user temporary files.
212 userdom_read_user_tmp_files($1,$1_mail_t)
213 userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
214 # cjp: this should probably be read all user tmp
215 # files in an appropriate place for mta_user_agent
216 userdom_read_user_tmp_files($1,mta_user_agent)
218 tunable_policy(`use_samba_home_dirs',`
219 fs_manage_cifs_files($1_mail_t)
220 fs_manage_cifs_symlinks($1_mail_t)
# dac_override lets the derived domain bypass file-mode (DAC) checks. The
# postfix rules that follow suggest it is postfix-specific; confirm it sits
# inside that optional_policy block rather than applying unconditionally.
224 allow $1_mail_t self:capability dac_override;
226 # Read user temporary files.
227 # postfix seems to need write access if the file handle is opened read/write
228 userdom_rw_user_tmp_files($1,$1_mail_t)
230 postfix_read_config($1_mail_t)
231 postfix_list_spool($1_mail_t)
235 ########################################
237 ## Provide extra permissions for admin users
240 ## <param name="userdomain_prefix">
242 ## The prefix of the user domain (e.g., user
243 ## is the prefix for user_t).
246 ## <param name="user_domain">
248 ## The type of the user domain.
253 template(`mta_admin_template',`
258 ifdef(`strict_policy',`
259 # allow the sysadmin to do "mail someone < /home/user/whatever"
# Read access to every unprivileged user's home content from the admin's
# mail domain; intentionally limited to this template.
260 userdom_read_unpriv_users_home_content_files($1_mail_t)
265 attribute mta_user_agent;
269 allow mta_user_agent $2:fifo_file { read write };
# The admin mail domain owns the aliases database: create/write/delete on
# etc_aliases_t of every class plus the /etc type transition. Of the interfaces
# in this file, only mta_rw_aliases and mta_etc_filetrans_aliases otherwise
# write to it.
271 manage_dirs_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
272 manage_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
273 manage_lnk_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
274 manage_fifo_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
275 manage_sock_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
276 files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
278 # postfix needs this for newaliases
279 files_getattr_tmp_dirs($1_mail_t)
281 postfix_exec_master($1_mail_t)
283 ifdef(`distro_redhat',`
284 # compatibility for old default main.cf
285 postfix_config_filetrans($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
290 ########################################
292 ## Make the specified domain usable for a mail server.
294 ## <param name="type">
296 ## Type to be used as a mail server domain.
## <param name="entry_point">
## The type to be used for the domain entry point program.
300 interface(`mta_mailserver',`
302 attribute mailserver_domain;
# $1 becomes an init daemon domain entered via $2, then is tagged as a mail server.
305 init_daemon_domain($1,$2)
306 typeattribute $1 mailserver_domain;
309 ########################################
311 ## Modified mailserver interface for
312 ## sendmail daemon use.
316 ## A modified MTA mail server interface for
317 ## the sendmail program. Its design does
318 ## not fit well with policy, and using the
319 ## regular interface causes a type_transition
320 ## conflict if direct running of init scripts
324 ## This interface should most likely only be used
325 ## by the sendmail policy.
328 ## <param name="domain">
330 ## The type to be used for the mail server.
333 ## <param name="entry_point">
335 ## The type to be used for the domain entry point program.
338 interface(`mta_sendmail_mailserver',`
340 attribute mailserver_domain;
341 type sendmail_exec_t;
# Uses init_system_domain (mta_mailserver uses init_daemon_domain) with the
# fixed sendmail_exec_t entry point, per the description above. Note the
# documented entry_point parameter is not referenced by the body.
344 init_system_domain($1,sendmail_exec_t)
345 typeattribute $1 mailserver_domain;
348 #######################################
350 ## Make a type a mailserver type used
## for sending mail.
353 ## <param name="domain">
355 ## Mail server domain type used for sending mail.
359 interface(`mta_mailserver_sender',`
361 attribute mailserver_sender;
# Attribute assignment only; the rules keyed on mailserver_sender live elsewhere.
364 typeattribute $1 mailserver_sender;
367 #######################################
369 ## Make a type a mailserver type used
370 ## for delivering mail to local users.
372 ## <param name="domain">
374 ## Mail server domain type used for delivering mail.
378 interface(`mta_mailserver_delivery',`
380 attribute mailserver_delivery;
# Per-user home content access for this attribute is granted in
# mta_per_role_template, not here.
384 typeattribute $1 mailserver_delivery;
# Shared mail spool: list, create and read files and symlinks.
386 allow $1 mail_spool_t:dir list_dir_perms;
387 create_files_pattern($1,mail_spool_t,mail_spool_t)
388 read_files_pattern($1,mail_spool_t,mail_spool_t)
389 create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
390 read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
393 dovecot_manage_spool($1)
397 # so MTA can access /var/lib/mailman/mail/wrapper
398 files_search_var_lib($1)
401 mailman_read_data_symlinks($1)
405 #######################################
407 ## Make a type a mailserver type used
408 ## for sending mail on behalf of local
409 ## users to the local mail spool.
411 ## <param name="domain">
413 ## Mail server domain type used for sending local mail.
417 interface(`mta_mailserver_user_agent',`
419 attribute mta_user_agent;
# mta_user_agent domains also receive fd/fifo/sigchld access to every
# mta_send_mail caller and user tty/tmp access from mta_per_role_template.
422 typeattribute $1 mta_user_agent;
425 # apache should set close-on-exec
426 apache_dontaudit_rw_stream_sockets($1)
427 apache_dontaudit_rw_sys_script_stream_sockets($1)
431 ########################################
433 ## Send mail from the system.
435 ## <param name="domain">
437 ## Domain allowed access.
441 interface(`mta_send_mail',`
443 attribute mta_user_agent;
444 type system_mail_t, sendmail_exec_t;
447 allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
# Older macro; mta_per_role_template uses domtrans_pattern for the same step.
448 domain_auto_trans($1, sendmail_exec_t, system_mail_t)
# Descriptors and pipes inherited from the caller stay usable across the
# transition, and the child can signal completion back.
450 allow $1 system_mail_t:fd use;
451 allow system_mail_t $1:fd use;
452 allow system_mail_t $1:fifo_file rw_file_perms;
453 allow system_mail_t $1:process sigchld;
# The same IPC is extended to every mta_user_agent domain, not only system_mail_t.
455 allow mta_user_agent $1:fd use;
456 allow mta_user_agent $1:process sigchld;
457 allow mta_user_agent $1:fifo_file { read write };
460 ########################################
462 ## Execute sendmail in a specified domain.
466 ## Execute sendmail in a specified domain.
469 ## No interprocess communication (signals, pipes,
470 ## etc.) is provided by this interface since
471 ## the domains are not owned by this module.
474 ## <param name="source_domain">
476 ## Domain to transition from.
479 ## <param name="target_domain">
481 ## Domain to transition to.
485 interface(`mta_sendmail_domtrans',`
487 type sendmail_exec_t;
491 corecmd_read_sbin_symlinks($1)
# Transition only; unlike mta_send_mail, no fd/fifo/sigchld rules are added
# because $2 belongs to the caller's module.
492 domain_auto_trans($1,sendmail_exec_t,$2)
495 ########################################
497 ## Execute sendmail in the caller domain.
499 ## <param name="domain">
501 ## Domain allowed access.
505 interface(`mta_sendmail_exec',`
507 type sendmail_exec_t;
# No domain transition: sendmail runs with the caller's own permissions
# (contrast mta_sendmail_domtrans).
510 can_exec($1, sendmail_exec_t)
513 ########################################
515 ## Read mail server configuration.
517 ## <param name="domain">
519 ## Domain allowed access.
524 interface(`mta_read_config',`
# Read-only: directory listing plus file and symlink read on etc_mail_t.
530 allow $1 etc_mail_t:dir list_dir_perms;
531 read_files_pattern($1,etc_mail_t,etc_mail_t)
532 read_lnk_files_pattern($1,etc_mail_t,etc_mail_t)
535 ########################################
537 ## Read mail address aliases.
539 ## <param name="domain">
541 ## Domain allowed access.
545 interface(`mta_read_aliases',`
# read_file_perms only; write access is a separate interface (mta_rw_aliases).
551 allow $1 etc_aliases_t:file read_file_perms;
554 ########################################
556 ## Type transition files created in /etc
557 ## to the mail address aliases type.
559 ## <param name="domain">
561 ## Domain allowed access.
565 interface(`mta_etc_filetrans_aliases',`
# Labelling rule only; no permissions on etc_aliases_t files are granted here,
# so callers pair it with mta_rw_aliases.
570 files_etc_filetrans($1,etc_aliases_t, file)
573 ########################################
575 ## Read and write mail aliases.
577 ## <param name="domain">
579 ## Domain allowed access.
584 interface(`mta_rw_aliases',`
# Read/write and setattr on existing files; create and delete of the aliases
# database remain with mta_admin_template.
590 allow $1 etc_aliases_t:file { rw_file_perms setattr };
593 #######################################
595 ## Do not audit attempts to read and write TCP
596 ## sockets of mail delivery domains.
598 ## <param name="domain">
600 ## Mail server domain.
604 interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
606 attribute mailserver_delivery;
# Suppresses the AVC denial only; no access is granted.
609 dontaudit $1 mailserver_delivery:tcp_socket { read write };
612 #######################################
614 ## Connect to all mail servers over TCP. (Deprecated)
616 ## <param name="domain">
618 ## Mail server domain.
622 interface(`mta_tcp_connect_all_mailservers',`
# Deprecated: emits a build-time warning and grants nothing.
623 refpolicywarn(`$0($*) has been deprecated.')
626 #######################################
628 ## Do not audit attempts to read a symlink
629 ## in the mail spool.
631 ## <param name="domain">
633 ## Domain allowed access.
637 interface(`mta_dontaudit_read_spool_symlinks',`
# Suppresses the AVC denial only; no access is granted.
642 dontaudit $1 mail_spool_t:lnk_file read;
645 ########################################
647 ## Get the attributes of mail spool files.
649 ## <param name="domain">
651 ## Domain allowed access.
655 interface(`mta_getattr_spool',`
# Stat-level access only: directory listing, symlink read, file getattr.
660 files_search_spool($1)
661 allow $1 mail_spool_t:dir list_dir_perms;
662 allow $1 mail_spool_t:lnk_file read;
663 allow $1 mail_spool_t:file getattr;
666 ########################################
668 ## Do not audit attempts to get the attributes
669 ## of mail spool files.
671 ## <param name="domain">
673 ## Domain to not audit.
677 interface(`mta_dontaudit_getattr_spool_files',`
# Mirrors mta_getattr_spool, but only silences denials; nothing is allowed.
682 files_dontaudit_search_spool($1)
683 dontaudit $1 mail_spool_t:dir search;
684 dontaudit $1 mail_spool_t:lnk_file read;
685 dontaudit $1 mail_spool_t:file getattr;
688 #######################################
690 ## Create private objects in the
691 ## mail spool directory.
693 ## <param name="domain">
695 ## Domain allowed access.
698 ## <param name="private type">
700 ## The type of the object to be created.
703 ## <param name="object">
705 ## The object class of the object being created.
709 interface(`mta_spool_filetrans',`
# Grants spool directory access and the type transition to $2; permissions on
# objects of type $2 themselves are not granted here.
714 files_search_spool($1)
715 filetrans_pattern($1,mail_spool_t,$2,$3)
718 ########################################
720 ## Read and write the mail spool.
722 ## <param name="domain">
724 ## Domain allowed access.
728 interface(`mta_rw_spool',`
# Read/write and setattr on existing spool files; no create or delete
# (see mta_append_spool and mta_manage_spool).
733 files_search_spool($1)
734 allow $1 mail_spool_t:dir list_dir_perms;
735 allow $1 mail_spool_t:file setattr;
736 rw_files_pattern($1,mail_spool_t,mail_spool_t)
737 read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
740 #######################################
742 ## Create, read, and write the mail spool.
744 ## <param name="domain">
746 ## Domain allowed access.
750 interface(`mta_append_spool',`
# Despite the name, write_files_pattern grants write, not append-only, and
# file creation is included.
755 files_search_spool($1)
756 allow $1 mail_spool_t:dir list_dir_perms;
757 create_files_pattern($1,mail_spool_t,mail_spool_t)
758 write_files_pattern($1,mail_spool_t,mail_spool_t)
759 read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
762 #######################################
764 ## Delete from the mail spool.
766 ## <param name="domain">
768 ## Domain allowed access.
772 interface(`mta_delete_spool',`
# Deletion only; read/write come from mta_rw_spool or mta_manage_spool.
777 files_search_spool($1)
778 delete_files_pattern($1,mail_spool_t,mail_spool_t)
781 ########################################
783 ## Create, read, write, and delete mail spool files.
785 ## <param name="domain">
787 ## Domain allowed access.
791 interface(`mta_manage_spool',`
# Broadest spool interface: full lifecycle on directories, files and symlinks.
796 files_search_spool($1)
797 manage_dirs_pattern($1,mail_spool_t,mail_spool_t)
798 manage_files_pattern($1,mail_spool_t,mail_spool_t)
799 manage_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
802 #######################################
804 ## Do not audit attempts to read and
805 ## write the mail queue.
807 ## <param name="domain">
809 ## Domain to not audit.
813 interface(`mta_dontaudit_rw_queue',`
# Suppresses the AVC denials only; no access to the queue is granted.
818 dontaudit $1 mqueue_spool_t:dir search_dir_perms;
819 dontaudit $1 mqueue_spool_t:file { getattr read write };
822 ########################################
824 ## Create, read, write, and delete
## the mail queue.
827 ## <param name="domain">
829 ## Domain allowed access.
833 interface(`mta_manage_queue',`
# Files only; queue directories are not managed here (contrast
# mta_manage_spool, which also manages directories).
838 files_search_spool($1)
839 manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
842 #######################################
844 ## Read sendmail binary.
846 ## <param name="domain">
848 ## Domain allowed access.
852 # cjp: added for postfix
853 interface(`mta_read_sendmail_bin',`
855 type sendmail_exec_t;
# Read only; execution is provided by mta_sendmail_exec or the domtrans interfaces.
858 allow $1 sendmail_exec_t:file read_file_perms;
861 #######################################
863 ## Read and write unix domain stream sockets
864 ## of user mail domains.
866 ## <param name="domain">
868 ## Domain allowed access.
872 interface(`mta_rw_user_mail_stream_sockets',`
874 attribute user_mail_domain;
# Applies to every domain carrying user_mail_domain, i.e. all $1_mail_t domains
# created by mta_base_mail_template.
877 allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;