* [refpolicy] [PATCH v2 0/6] Postfix (and a few mta) policy updates
From: Sven Vermeulen @ 2012-08-13 19:02 UTC (permalink / raw)
  To: refpolicy

This patchset updates the postfix (and mta) policy with various changes.

Changes since v1
----------------

- Use manage_files_pattern instead of two allow rules (thanks to Dominick Grift)
- Drop comment about possible deprecation and just use the two locations in the
  file contexts (thanks to Mika Pflüger)

Sven Vermeulen (6):
  Mark the pid directory as a pid directory
  Add in transitions for queue types when the queues are created
  Fix typo in interface postfix_exec_postqueue
  Allow maildelivery to use dotlock files in the mail spool
  Allow postfix local to change ownership of mailfiles
  Use libexec location for postfix binaries

 mta.te     |    4 +---
 nagios.te  |    2 +-
 postfix.fc |    6 ++----
 postfix.if |   20 ++++++++++++++++++--
 postfix.te |   17 ++++++++++++++++-
 5 files changed, 38 insertions(+), 11 deletions(-)

-- 
1.7.8.6


* [refpolicy] [PATCH v2 1/6] Mark the pid directory as a pid directory
From: Sven Vermeulen @ 2012-08-13 19:02 UTC (permalink / raw)
  To: refpolicy

Currently, the policy has the pid directory itself marked as the postfix_spool_t
type. However, when mails are delivered, several postfix daemons need to
add/remove their PID files. It makes much more sense to mark this location as
postfix_var_run_t rather than having file transitions for all these daemons when
they write their PID file.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 postfix.fc |    2 +-
 postfix.if |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/postfix.fc b/postfix.fc
index 1ddfa16..90bf84e 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -46,7 +46,7 @@ ifdef(`distro_redhat', `
 
 /var/spool/postfix(/.*)?	gen_context(system_u:object_r:postfix_spool_t,s0)
 /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/pid(/.*)?	gen_context(system_u:object_r:postfix_var_run_t,s0)
 /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
 /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
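Review bot: on its own this relabel leaves a gap. Nothing in this patch grants postfix_master_t create or setattr on postfix_var_run_t directories, nor a named transition for a pid directory freshly created under postfix_spool_t, so a first start with an empty spool still creates pid as postfix_spool_t until 2/6 is applied. Either move the `create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)` and `filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")` lines from 2/6 into this patch, or state in the commit message that the two are meant to go in together.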
diff --git a/postfix.if b/postfix.if
index 46bee12..00e30cb 100644
--- a/postfix.if
+++ b/postfix.if
@@ -56,7 +56,7 @@ template(`postfix_domain_template',`
 
 	allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
 
-	allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
+	manage_files_pattern(postfix_$1_t, postfix_var_run_t, postfix_var_run_t)
 	files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
 
 	kernel_read_system_state(postfix_$1_t)
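Review bot: the switch to manage_files_pattern is more than a cosmetic replacement of an allow rule; it also grants postfix_$1_t rw_dir_perms (search, add_name, remove_name) on postfix_var_run_t directories, which is exactly what the relabel of /var/spool/postfix/pid in postfix.fc needs and the old `allow postfix_$1_t postfix_var_run_t:file manage_file_perms;` did not provide. The commit message should say so. Note also that every domain built from this template now shares full manage rights on all postfix_var_run_t files, so one daemon can unlink another's PID file; that is inherent in the shared type and acceptable here, but a one-line comment above the rule would record the trade-off.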
-- 
1.7.8.6


* [refpolicy] [PATCH v2 2/6] Add in transitions for queue types when the queues are created
From: Sven Vermeulen @ 2012-08-13 19:02 UTC (permalink / raw)
  To: refpolicy

At startup, postfix creates the missing queue directories inside
/var/spool/postfix. This is done by the master process. However, since the
/var/spool/postfix directory is labeled postfix_spool_t and there were no named
file transitions, all created queues became postfix_spool_t. This meant that an
administrator had to relabel the directories afterwards.

This patch adds in the necessary named file transitions for those directories,
create privileges for the master domain and setattr (to change directory
ownership).

Also add in the fowner capability for the master domain, needed for running
chown on the queues.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 postfix.te |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/postfix.te b/postfix.te
index a1e0f60..d691ed1 100644
--- a/postfix.te
+++ b/postfix.te
@@ -93,7 +93,7 @@ mta_mailserver_delivery(postfix_virtual_t)
 #
 
 # chown is to set the correct ownership of queue dirs
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config fowner };
 allow postfix_master_t self:fifo_file rw_fifo_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
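Review bot: the comment above this line, `# chown is to set the correct ownership of queue dirs`, no longer explains the full capability set. fowner bypasses the owner check on operations such as chmod and utimes for files the process does not own, which is broader than chown, so extend the comment to say why master needs fowner (the ownership and mode fix-up of freshly created queue directories described in the commit message); otherwise the next reader has no way to tell whether it can be dropped.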
@@ -112,15 +112,21 @@ allow postfix_master_t postfix_postdrop_exec_t:file getattr;
 
 allow postfix_master_t postfix_postqueue_exec_t:file getattr;
 
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
 
 domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
 
 allow postfix_master_t postfix_prng_t:file rw_file_perms;
 
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
 manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
 manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
 
 domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
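Review bot: filetrans_pattern by itself only grants rw_dir_perms on the postfix_spool_t parent plus the type_transition; the create permission on the new type comes from the create_dirs_pattern line paired with it, so the two lines have to stay together in both the private and the public block. The setattr_dirs_pattern lines are what backs the chown mentioned in the capability comment at the top of the domain; a short comment on the first of them (for example `# master creates and chowns the queue dirs at startup`) would tie this hunk to that one.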
 
@@ -131,14 +137,22 @@ files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
 
 allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
 allow postfix_master_t postfix_spool_bounce_t:file getattr;
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
 
 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
 
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
+
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
+setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
 
 kernel_read_all_sysctls(postfix_master_t)
 
-- 
1.7.8.6
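As an added illustration of what patches 1/6 and 2/6 change (this is not code from the thread or from refpolicy), here is a small Python check that applies the spool entries of postfix.fc as they read after 1/6 to paths under /var/spool/postfix and flags directories whose observed label differs, the situation the 2/6 commit message describes when master creates the queues without named transitions. Matching is simplified to "most specific entry wins" (longest literal prefix, later entry on ties), which approximates libselinux rather than reproducing it; the `ls -Z` style listing is constructed.

```python
import re

# Spool entries from postfix.fc as they read after patch 1/6 (the pid line is
# pid(/.*)? so the directory itself, not only its contents, gets the type).
FC_LINES = """
/var/spool/postfix(/.*)?          gen_context(system_u:object_r:postfix_spool_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/pid(/.*)?      gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)?  gen_context(system_u:object_r:postfix_private_t,s0)
/var/spool/postfix/public(/.*)?   gen_context(system_u:object_r:postfix_public_t,s0)
/var/spool/postfix/bounce(/.*)?   gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
"""

FC_RE = re.compile(r"^(\S+)\s+gen_context\(([^,]+),s0\)$")


def parse_fc(text):
    """Return (compiled regex, literal-prefix length, SELinux type) per fc line."""
    specs = []
    for line in text.strip().splitlines():
        m = FC_RE.match(line.strip())
        if not m:
            continue
        pattern, ctx = m.groups()
        # Literal prefix up to the first regex metacharacter: the "stem".
        stem = re.split(r"[\\(\[.*?+^$|]", pattern, maxsplit=1)[0]
        specs.append((re.compile(pattern), len(stem), ctx.split(":")[2]))
    return specs


def expected_type(specs, path):
    """Most specific matching entry wins; later entries win ties (approximation)."""
    best = None
    for regex, stemlen, typ in specs:
        if regex.fullmatch(path) and (best is None or stemlen >= best[0]):
            best = (stemlen, typ)
    return best[1] if best else None


# Constructed observation: a spool that master has just created before the
# named transitions from 2/6 existed, so new queue dirs inherited the parent type.
OBSERVED = """
system_u:object_r:postfix_spool_t:s0   /var/spool/postfix/maildrop
system_u:object_r:postfix_spool_t:s0   /var/spool/postfix/pid
system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private
system_u:object_r:postfix_spool_t:s0   /var/spool/postfix/incoming
"""


def find_mislabeled(specs, listing):
    """Return (path, observed type, expected type) for every mismatch."""
    bad = []
    for line in listing.strip().splitlines():
        ctx, path = line.split()
        actual = ctx.split(":")[2]
        want = expected_type(specs, path)
        if want and want != actual:
            bad.append((path, actual, want))
    return bad


if __name__ == "__main__":
    for path, actual, want in find_mislabeled(parse_fc(FC_LINES), OBSERVED):
        print(f"{path}: labeled {actual}, policy expects {want}")
```

Directories reported here are the ones an administrator had to relabel by hand before 2/6; with the transitions in place the listing should come back clean.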


* [refpolicy] [PATCH v2 3/6] Fix typo in interface postfix_exec_postqueue
From: Sven Vermeulen @ 2012-08-13 19:02 UTC (permalink / raw)
  To: refpolicy

To allow domains to execute the postqueue command, they should use
postfix_exec_postqueue, not posftix_exec_postqueue.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 nagios.te  |    2 +-
 postfix.if |   18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/nagios.te b/nagios.te
index c3e2a2d..b8127bc 100644
--- a/nagios.te
+++ b/nagios.te
@@ -300,7 +300,7 @@ optional_policy(`
 
 optional_policy(`
 	postfix_stream_connect_master(nagios_mail_plugin_t)
-	posftix_exec_postqueue(nagios_mail_plugin_t)
+	postfix_exec_postqueue(nagios_mail_plugin_t)
 ')
 
 ######################################
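Review bot: this is the only caller of the misspelled interface visible on the page. Since 3/6 keeps posftix_exec_postqueue as a deprecated wrapper, the nagios change is not required for the build to succeed, but fixing the in-tree caller is right so the refpolicywarn does not fire on a default build; a grep for `posftix_` across the remaining modules before merging would confirm no other callers are left.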
diff --git a/postfix.if b/postfix.if
index 00e30cb..d92b038 100644
--- a/postfix.if
+++ b/postfix.if
@@ -454,7 +454,8 @@ interface(`postfix_domtrans_postqueue',`
 
 #######################################
 ## <summary>
-##	Execute the master postqueue in the caller domain.
+##	Execute the master postqueue in the caller domain. (Deprecated)
+##	Please use postfix_exec_postqueue instead
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -463,6 +464,21 @@ interface(`postfix_domtrans_postqueue',`
 ## </param>
 #
 interface(`posftix_exec_postqueue',`
+	refpolicywarn(`$0($*) has been deprecated.')
+	postfix_exec_postqueue($1)
+')
+
+#######################################
+## <summary>
+##	Execute the master postqueue in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_exec_postqueue',`
 	gen_require(`
 		type postfix_postqueue_exec_t;
 	')
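Review bot: the warning in the wrapper only says the interface has been deprecated; since the doc summary above already names the replacement, mirror it in the message (for example `refpolicywarn(`$0($*) has been deprecated, use postfix_exec_postqueue() instead.')`) so the build output tells the policy writer what to call. Separately, the summary "Execute the master postqueue in the caller domain" is copied into the new interface unchanged, yet the interface executes postfix_postqueue_exec_t, not master; "Execute postqueue in the caller domain." would be more accurate.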
-- 
1.7.8.6


* [refpolicy] [PATCH v2 4/6] Allow maildelivery to use dotlock files in the mail spool
From: Sven Vermeulen @ 2012-08-13 19:02 UTC (permalink / raw)
  To: refpolicy

When a mail delivery server wants to append mails to the users' mail spool file,
it might also use dotlock files in order to "lock" access to the mail spool
file. This requires the domain file managing rights (create/write/remove) within
the mta_spool_t resource.

Note that this isn't needed if only fcntl locking is used, but most mail
delivery services use dotlock locking as well. Also, since the lock files are
named <username>.lock we cannot create file transitions (towards a lock type) as
we cannot mention the filenames up front.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mta.te |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/mta.te b/mta.te
index 84a7d66..9b0ff1d 100644
--- a/mta.te
+++ b/mta.te
@@ -214,9 +214,7 @@ optional_policy(`
 #
 
 allow mailserver_delivery mail_spool_t:dir list_dir_perms;
-create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+manage_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 
-- 
1.7.8.6


* [refpolicy] [PATCH v2 5/6] Allow postfix local to change ownership of mailfiles
From: Sven Vermeulen @ 2012-08-13 19:02 UTC (permalink / raw)
  To: refpolicy

When the postfix local service delivers a file to a user mailbox, but that
mailbox doesn't exist, then the service creates the mailbox and wants to change
the ownership of the file. This needs the chown capability.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 postfix.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/postfix.te b/postfix.te
index d691ed1..e50742e 100644
--- a/postfix.te
+++ b/postfix.te
@@ -278,6 +278,7 @@ optional_policy(`
 # Postfix local local policy
 #
 
+allow postfix_local_t self:capability chown;
 allow postfix_local_t self:fifo_file rw_fifo_file_perms;
 allow postfix_local_t self:process { setsched setrlimit };
 
-- 
1.7.8.6


* [refpolicy] [PATCH v2 6/6] Use libexec location for postfix binaries
From: Sven Vermeulen @ 2012-08-13 19:02 UTC (permalink / raw)
  To: refpolicy

Recent postfix releases have their binaries at /usr/libexec instead of /usr/lib.
This patch removes the ifdef for distro_redhat since, even for distributions
that would still have the old locations, having the definitions for the contexts
loaded doesn't hurt.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 postfix.fc |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/postfix.fc b/postfix.fc
index 90bf84e..2461792 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -1,6 +1,5 @@
 # postfix
 /etc/postfix(/.*)?		gen_context(system_u:object_r:postfix_etc_t,s0)
-ifdef(`distro_redhat', `
 /usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 /usr/libexec/postfix/lmtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
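Review bot: with the ifdef gone the libexec and lib entries are both unconditional, as the commit message intends. The catch-all `/usr/libexec/postfix/.*` line is less specific than the per-daemon lines that follow it, so those still win under file-context matching, the same way the existing /usr/lib block already works; nothing in the hunk changes that ordering, which is worth a sentence in the commit message for anyone wondering why the generic line comes first.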
@@ -15,7 +14,6 @@ ifdef(`distro_redhat', `
 /usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
 /usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-', `
 /usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 /usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
@@ -29,7 +27,7 @@ ifdef(`distro_redhat', `
 /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
 /usr/lib/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-')
+
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-- 
1.7.8.6


* [refpolicy] [PATCH v2 0/6] Postfix (and a few mta) policy updates
From: Christopher J. PeBenito @ 2012-08-21 19:04 UTC (permalink / raw)
  To: refpolicy

On 08/13/12 15:02, Sven Vermeulen wrote:
> This patchset updates the postfix (and mta) policy with various changes.
> 
> Changes since v1
> ----------------
> 
> - Use manage_files_pattern instead of two allow rules (thanks to Dominick Grift)
> - Drop comment about possible deprecation and just use the two locations in the
>   file contexts (thanks to Mika Pflüger)
> 
> Sven Vermeulen (6):
>   Mark the pid directory as a pid directory
>   Add in transitions for queue types when the queues are created
>   Fix typo in interface postfix_exec_postqueue
>   Allow maildelivery to use dotlock files in the mail spool
>   Allow postfix local to change ownership of mailfiles
>   Use libexec location for postfix binaries

This set is merged.
 
>  mta.te     |    4 +---
>  nagios.te  |    2 +-
>  postfix.fc |    6 ++----
>  postfix.if |   20 ++++++++++++++++++--
>  postfix.te |   17 ++++++++++++++++-
>  5 files changed, 38 insertions(+), 11 deletions(-)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
