Allow user_mail_t to read /dev/random
[people/stevee/selinux-policy.git] / policy / modules / services / mta.te
# Type enforcement source for the mta policy module (version 2.3.0): declares
# the mail attributes and types, then the local rules for each mail domain.
1 policy_module(mta, 2.3.0)
2
3 ########################################
4 #
5 # Declarations
6 #
7
# Attributes group types: a rule written against an attribute applies to every
# type that carries it, so a grant to one of these names reaches further than
# a grant to a single type.
8 attribute mailcontent_type;
9 attribute mta_exec_type;
10 attribute mta_user_agent;
11 attribute mailserver_delivery;
12 attribute mailserver_domain;
13 attribute mailserver_sender;
14
15 attribute user_mail_domain;
16
17 type etc_aliases_t;
18 files_type(etc_aliases_t)
19
20 type etc_mail_t;
21 files_config_file(etc_mail_t)
22
# mail_forward_t is kept as an alias, so rules naming either label hit the same type.
23 type mail_home_t alias mail_forward_t;
24 userdom_user_home_content(mail_home_t)
25
26 type mqueue_spool_t;
27 files_mountpoint(mqueue_spool_t)
28 files_spool_file(mqueue_spool_t)
29
30 type mail_spool_t;
31 files_mountpoint(mail_spool_t)
32 files_spool_file(mail_spool_t)
33
34 type sendmail_exec_t;
35 mta_agent_executable(sendmail_exec_t)
36
# The template body is not in this file; presumably it declares system_mail_t
# and system_mail_tmp_t, both of which are used below - confirm in the .if file.
37 mta_base_mail_template(system)
38 role system_r types system_mail_t;
39
40 mta_base_mail_template(user)
# The staff, sysadm, auditadm and secadm mail types are aliases of the user
# ones, so every rule written for user_mail_t (and user_mail_tmp_t) applies
# unchanged to mail sent from the administrative roles.
41 typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
42 typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
43 typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
44 typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
# With the types merged, separation between users rests on the UBAC
# constraints these two calls opt the types into.
45 ubac_constrained(user_mail_t)
46 ubac_constrained(user_mail_tmp_t)
47
48 ########################################
49 #
50 # System mail local policy
51 #
52
53 # newalias required this, not sure if it is needed in 'if' file
# NOTE(review): dac_override and fowner let system_mail_t bypass file
# permission and ownership (DAC) checks, leaving type enforcement as the only
# limit. The comment above is itself unsure of the need - confirm and narrow.
54 allow system_mail_t self:capability { dac_override fowner };
55
# Full manage access to files labeled mail_home_t (the same rule is repeated
# further down, before the admin home filetrans).
56 allow system_mail_t mail_home_t:file manage_file_perms;
57
# Read files of any type that carries the mailcontent_type attribute.
58 read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
59
60 dev_read_sysfs(system_mail_t)
61 dev_read_rand(system_mail_t)
62 dev_read_urand(system_mail_t)
63
64 files_read_usr_files(system_mail_t)
65
66 fs_rw_anon_inodefs_files(system_mail_t)
67
68 selinux_getattr_fs(system_mail_t)
69
# dontaudit rules grant nothing: they only suppress the denial record, which
# also removes those events from audit-based monitoring.
70 term_dontaudit_use_unallocated_ttys(system_mail_t)
71
72 init_use_script_ptys(system_mail_t)
73 init_dontaudit_rw_stream_socket(system_mail_t)
74
75 userdom_use_inherited_user_terminals(system_mail_t)
76 userdom_dontaudit_search_user_home_dirs(system_mail_t)
77 userdom_dontaudit_list_admin_dir(system_mail_t)
78
# Duplicate of the mail_home_t rule above; redundant but harmless.
79 allow system_mail_t mail_home_t:file manage_file_perms;
# Files system_mail_t creates in the admin home directory are labeled
# mail_home_t (presumably /root - confirm against the interface definition).
80 userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
81
# NOTE(review): append access to all log types, not only mail logs. Presumably
# here because callers redirect mail output into their own logs; verify the
# need, since it lets this domain add entries to unrelated logs.
82 logging_append_all_logs(system_mail_t)
83
# Each optional_policy block below is included only when the module that
# provides the interfaces it calls is part of the build.
84 optional_policy(`
85 apache_read_squirrelmail_data(system_mail_t)
86 apache_append_squirrelmail_data(system_mail_t)
87
88 # apache should set close-on-exec
# These hide denials caused by descriptors Apache leaves open when it runs the
# mailer; the leak itself is not fixed here.
89 apache_dontaudit_append_log(system_mail_t)
90 apache_dontaudit_rw_stream_sockets(system_mail_t)
91 apache_dontaudit_rw_tcp_sockets(system_mail_t)
92 apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
93 apache_dontaudit_rw_tmp_files(system_mail_t)
94
95 # apache should set close-on-exec
96 apache_dontaudit_rw_stream_sockets(mta_user_agent)
97 apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
# NOTE(review): unlike the dontaudit lines around it, this is a real grant:
# every mta_user_agent type may append to Apache logs, while system_mail_t
# only has the matching denial silenced above. Confirm the asymmetry is intended.
98 apache_append_log(mta_user_agent)
99 ')
100
101 optional_policy(`
102 arpwatch_manage_tmp_files(system_mail_t)
103 ')
104
105 optional_policy(`
106 bugzilla_search_content(system_mail_t)
107 bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
108 ')
109
110 optional_policy(`
111 clamav_stream_connect(system_mail_t)
112 clamav_append_log(system_mail_t)
113 ')
114
# Courier rules are split across two optional blocks (this one and the spool
# block further down).
115 optional_policy(`
116 courier_stream_connect_authdaemon(system_mail_t)
117 ')
118
# Access to cron job temp files, sockets and inherited spool files; presumably
# so cron can mail job output - confirm against the cron interfaces.
119 optional_policy(`
120 cron_read_system_job_tmp_files(system_mail_t)
121 cron_dontaudit_write_pipes(system_mail_t)
122 cron_rw_system_job_stream_sockets(system_mail_t)
123 cron_rw_inherited_spool_files(system_mail_t)
124 cron_rw_inherited_user_spool_files(system_mail_t)
125 ')
126
127 optional_policy(`
128 courier_manage_spool_dirs(system_mail_t)
129 courier_manage_spool_files(system_mail_t)
130 courier_rw_spool_pipes(system_mail_t)
131 ')
132
133 optional_policy(`
134 cvs_read_data(system_mail_t)
135 ')
136
137 optional_policy(`
138 fail2ban_append_log(system_mail_t)
139 fail2ban_dontaudit_leaks(system_mail_t)
140 fail2ban_rw_inherited_tmp_files(system_mail_t)
141 ')
142
143 optional_policy(`
144 logrotate_read_tmp_files(system_mail_t)
145 ')
146
# Further optional grants for system_mail_t; each block applies only when the
# named module is present.
147 optional_policy(`
148 logwatch_read_tmp_files(system_mail_t)
149 ')
150
151 optional_policy(`
152 # newaliases runs as system_mail_t when the sendmail initscript does a restart
153 milter_getattr_all_sockets(system_mail_t)
154 ')
155
156 optional_policy(`
157 munin_dontaudit_leaks(system_mail_t)
158 ')
159
160 optional_policy(`
161 nagios_read_tmp_files(system_mail_t)
162 ')
163
# system_mail_t may create, change and delete every object class under
# etc_aliases_t, and new objects it creates in /etc get that label. The alias
# database decides where mail is delivered, so write access to it is sensitive.
# NOTE(review): nothing in this block carries another module's prefix; it is
# unclear what the optional_policy wrapper depends on - confirm it is needed.
164 optional_policy(`
165 manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
166 manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
167 manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
168 manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
169 manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
170 files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
171
172 domain_use_interactive_fds(system_mail_t)
173 ')
174
175 optional_policy(`
# domtrans: system_mail_t may execute the qmail inject program and switch into
# its domain.
176 qmail_domtrans_inject(system_mail_t)
177 qmail_manage_spool_dirs(system_mail_t)
178 qmail_manage_spool_files(system_mail_t)
179 qmail_rw_spool_pipes(system_mail_t)
180 ')
181
182 optional_policy(`
183 sxid_read_log(system_mail_t)
184 ')
185
186 optional_policy(`
187 userdom_dontaudit_use_user_ptys(system_mail_t)
188
# Nested block: applies only when the outer block is enabled and the cron
# module is present.
189 optional_policy(`
190 cron_dontaudit_append_system_job_tmp_files(system_mail_t)
191 ')
192 ')
193
194 optional_policy(`
195 spamd_stream_connect(system_mail_t)
196 ')
197
198 optional_policy(`
199 smartmon_read_tmp_files(system_mail_t)
200 ')
201
# The rules below target attributes (mailserver_delivery, mta_user_agent,
# user_mail_domain) rather than system_mail_t, although they sit in the system
# mail section.
202 # should break this up among sections:
203
204 optional_policy(`
205 # why is mail delivered to a directory of type arpwatch_data_t?
206 arpwatch_search_data(mailserver_delivery)
207 arpwatch_manage_tmp_files(mta_user_agent)
208
209 optional_policy(`
210 cron_read_system_job_tmp_files(mta_user_agent)
211 ')
212 ')
213
# Compiled in only when hide_broken_symptoms is defined at build time. It
# silences denials for leaked descriptors instead of fixing the leak, so those
# events will not show up in the audit log.
214 ifdef(`hide_broken_symptoms',`
215 domain_dontaudit_leaks(user_mail_domain)
216 domain_dontaudit_leaks(mta_user_agent)
217 ')
218
219 ########################################
220 #
221 # Mailserver delivery local policy
222 #
223
# Delivery agents may list the spool directory and create, read and append to
# spool files. Nothing in this section grants overwrite or unlink on them.
224 allow mailserver_delivery mail_spool_t:dir list_dir_perms;
225 create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
226 read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
227 append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
# NOTE(review): symlinks can be created and read inside the spool; confirm
# which delivery agent needs this, since appends that follow a link land on
# the link target.
228 create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
229 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
230
# Read mail_home_t files (the type is aliased as mail_forward_t, so presumably
# forwarding files), including under the admin home directory.
231 userdom_search_admin_dir(mailserver_delivery)
232 read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
233
234 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
235
# The domtrans interfaces in the blocks below let a delivery process execute
# the named helper and transition into that helper's own domain.
236 optional_policy(`
237 dovecot_manage_spool(mailserver_delivery)
238 dovecot_domtrans_deliver(mailserver_delivery)
239 ')
240
241 optional_policy(`
242 logwatch_search_cache_dir(mailserver_delivery)
243 ')
244
245 optional_policy(`
246 # so MTA can access /var/lib/mailman/mail/wrapper
247 files_search_var_lib(mailserver_delivery)
248
249 mailman_domtrans(mailserver_delivery)
250 mailman_read_data_symlinks(mailserver_delivery)
251 ')
252
253 optional_policy(`
254 postfix_rw_master_pipes(mailserver_delivery)
255 ')
256
257 optional_policy(`
258 uucp_domtrans_uux(mailserver_delivery)
259 ')
260
261 ########################################
262 #
263 # User send mail local policy
264 #
265
266
# Note that several rules in this section target the mta_user_agent and
# mailserver_delivery attributes, not only user_mail_t.
267 domain_use_interactive_fds(user_mail_t)
268
269 userdom_use_inherited_user_terminals(user_mail_t)
270 # Write to the user domain tty. cjp: why?
271 userdom_use_inherited_user_terminals(mta_user_agent)
272 # Create dead.letter in user home directories.
# NOTE(review): the grant is manage access to generic user home content files,
# which is wider than creating a single dead.letter file.
273 userdom_manage_user_home_content_files(user_mail_t)
274 userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
275 # for reading .forward - maybe we need a new type for it?
276 # also for delivering mail to maildir
# NOTE(review): every delivery domain gets manage access to user home content
# of all five object classes, far more than reading .forward requires. The
# comment above already suggests a dedicated type; that would let this be
# narrowed.
277 userdom_manage_user_home_content_dirs(mailserver_delivery)
278 userdom_manage_user_home_content_files(mailserver_delivery)
279 userdom_manage_user_home_content_symlinks(mailserver_delivery)
280 userdom_manage_user_home_content_pipes(mailserver_delivery)
281 userdom_manage_user_home_content_sockets(mailserver_delivery)
282 userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
283 # Read user temporary files.
284 userdom_read_user_tmp_files(user_mail_t)
285 userdom_dontaudit_append_user_tmp_files(user_mail_t)
286 # cjp: this should probably be read all user tmp
287 # files in an appropriate place for mta_user_agent
288 userdom_read_user_tmp_files(mta_user_agent)
289
290 dev_read_sysfs(user_mail_t)
291
# Applies only while the use_samba_home_dirs boolean is enabled.
292 tunable_policy(`use_samba_home_dirs',`
293 fs_manage_cifs_files(user_mail_t)
294 fs_manage_cifs_symlinks(user_mail_t)
295 ')
296
# This block calls postfix interfaces, so everything in it - including the
# dac_override capability - is active only when the postfix module is present.
297 optional_policy(`
# NOTE(review): dac_override lets a user-launched mail process bypass file
# permission checks; no reason is recorded here - confirm it is still required.
298 allow user_mail_t self:capability dac_override;
299
300 # Read user temporary files.
301 # postfix seems to need write access if the file handle is opened read/write
302 userdom_rw_user_tmp_files(user_mail_t)
303
304 postfix_read_config(user_mail_t)
305 postfix_list_spool(user_mail_t)
306 ')
307
308 ########################################
309 #
310 # Common user_mail_domain policy
311 #
312
# Rules here apply to every type that carries the user_mail_domain attribute.
313 allow user_mail_domain self:fifo_file rw_fifo_file_perms;
# Any mta_exec_type file is a valid entrypoint into any user mail domain.
314 allow user_mail_domain mta_exec_type:file entrypoint;
315
316 append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
317 read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
318
319 read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
320
321 can_exec(user_mail_domain, mta_exec_type)
322
# The target is a domain attribute used as a file label; presumably this covers
# the /proc entries of user mail processes - confirm the intent.
323 allow system_mail_t user_mail_domain:file read_file_perms;
324
325 read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
326
327 kernel_read_system_state(user_mail_domain)
328 kernel_read_network_state(user_mail_domain)
# NOTE(review): lets user-launched mail domains ask the kernel to load a
# module. No reason is recorded here; confirm it is still required.
329 kernel_request_load_module(user_mail_domain)
330
331 dev_read_urand(user_mail_domain)
332
333 files_read_usr_files(user_mail_domain)
334
335 optional_policy(`
336 # postfix needs this for newaliases
337 files_getattr_tmp_dirs(user_mail_domain)
338
339 postfix_exec_master(user_mail_domain)
340 postfix_read_config(user_mail_domain)
341 postfix_search_spool(user_mail_domain)
342
343 ifdef(`distro_redhat',`
344 # compatibility for old default main.cf
# Objects user mail domains create in the postfix config directory are labeled
# etc_aliases_t (Red Hat builds only).
345 postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
346 ')
347 ')
348
349 optional_policy(`
350 exim_domtrans(user_mail_domain)
# NOTE(review): "manage" interfaces normally include write and delete, so a
# user-context mail process could presumably alter or remove exim logs.
# Confirm whether append-only access would be enough.
351 exim_manage_log(user_mail_domain)
352 ')