From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 7 Sep 2012 09:12:08 -0400
Subject: [refpolicy] [PATCH 7/9] Added new "lda" module for email local delivery agents such as maildrop and procmail
In-Reply-To: <1346794648-27101-7-git-send-email-bigon@debian.org>
References: <1346794648-27101-1-git-send-email-bigon@debian.org> <1346794648-27101-7-git-send-email-bigon@debian.org>
Message-ID: <5049F2A8.6020202@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Russell Coker
I'm not adverse to something like this, but it would need some more work, since there already is a procmail policy. That policy would need to be removed and compatibility would have to be preserved.
> ---
> courier.if | 19 +++++++
> lda.fc | 9 ++++
> lda.if | 41 +++++++++++++++
> lda.te | 162 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> postfix.te | 6 ++-
> 5 files changed, 236 insertions(+), 1 deletion(-)
> create mode 100644 lda.fc
> create mode 100644 lda.if
> create mode 100644 lda.te
>
> diff --git a/courier.if b/courier.if
> index 9971337..be99138 100644
> --- a/courier.if
> +++ b/courier.if
> @@ -106,6 +106,25 @@ interface(`courier_domtrans_authdaemon',`
>
> ########################################
> ##
> +## Act as a client for the courier authdaemon
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`courier_authdaemon_client',`
> + gen_require(`
> + type courier_authdaemon_t, courier_etc_t, courier_var_run_t;
> + ')
> + allow $1 courier_authdaemon_t:unix_stream_socket connectto;
> + allow $1 courier_etc_t:dir search;
> + allow $1 courier_var_run_t:sock_file write;
> +')
> +
> +########################################
> +##
> ## Execute the courier POP3 and IMAP server with
> ## a domain transition.
> ##
> diff --git a/lda.fc b/lda.fc
> new file mode 100644
> index 0000000..f5745ae
> --- /dev/null
> +++ b/lda.fc
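Review bot: `courier_authdaemon_client` spells out the socket connection as three raw allow rules; the refpolicy idiom for exactly this set of permissions (search on the socket directory, `sock_file write`, `unix_stream_socket connectto`) is `stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)`, which keeps the interface in step with the rest of courier.if. The extra `allow $1 courier_etc_t:dir search;` presumably exists because the socket directory is reached through a link under /etc/courier; a one-line comment stating that would save the next reader from guessing why a config directory is needed for a socket connect. Callers also have to traverse the pid directory to reach the socket, so `files_search_pids($1)` is the usual companion call unless every caller already has it.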
> @@ -0,0 +1,9 @@
> +
> +/usr/bin/procmail -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/bin/maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/sbin/deliverquota.maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/bin/mailbot -- gen_context(system_u:object_r:lda_exec_t,s0)
> +
> +/etc/courier/maildroprc -- gen_context(system_u:object_r:lda_etc_t,s0)
> +/var/log/maildrop.log -- gen_context(system_u:object_r:lda_log_t,s0)
> diff --git a/lda.if b/lda.if
> new file mode 100644
> index 0000000..ec97dc8
> --- /dev/null
> +++ b/lda.if
> @@ -0,0 +1,41 @@
> +## mail delivery agent
> +
> +########################################
> +##
> +## Execute lda with a domain transition.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`lda_domtrans',`
> + gen_require(`
> + type lda_exec_t, lda_t;
> + ')
> +
> + files_search_usr($1)
> + corecmd_search_bin($1)
> + domtrans_pattern($1,lda_exec_t,lda_t)
> +')
> +
> +########################################
> +##
> +## Execute lda in the caller domain.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`lda_exec',`
> + gen_require(`
> + type lda_exec_t;
> + ')
> +
> + files_search_usr($1)
> + corecmd_search_bin($1)
> + can_exec($1,lda_exec_t)
> +')
> diff --git a/lda.te b/lda.te
> new file mode 100644
> index 0000000..d9bc95d
> --- /dev/null
> +++ b/lda.te
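Review bot: `/usr/lib/dovecot/deliver` is labelled `lda_exec_t` here, but as far as I recall refpolicy's dovecot module already gives dovecot's deliver binary its own `dovecot_deliver_exec_t` with a separate domain; two specifications for the same path either break the file-context build or leave the resulting label dependent on ordering, so this line should be dropped (or the dovecot entry removed in the same patch) rather than duplicated. If the intent is really to run dovecot's LDA in `lda_t`, that is a behavioural change for dovecot users and deserves a sentence in the commit message. Minor: the file starts with an empty `+` line before the first entry, which the other .fc files in the tree do not do.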
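Review bot: `domtrans_pattern($1,lda_exec_t,lda_t)` and `can_exec($1,lda_exec_t)` omit the space after each comma; refpolicy style is `domtrans_pattern($1, lda_exec_t, lda_t)` and `can_exec($1, lda_exec_t)`. The same applies in lda.te to `application_domain(lda_t,lda_exec_t)`, the `*_pattern` calls on `lda_etc_t` and `lda_log_t`, and `logging_log_filetrans(lda_t,lda_log_t,file)`, while `files_tmp_filetrans(lda_t, lda_tmp_t, file)` in the same file already uses the spaced form, so the module is inconsistent with itself. The module summary line `## mail delivery agent` would be clearer as `## Local mail delivery agents such as procmail and maildrop`, matching what lda.fc actually labels.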
> @@ -0,0 +1,162 @@
> +
> +policy_module(lda, 1.9.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type lda_t;
> +typealias lda_t alias procmail_t;
> +type lda_exec_t;
> +typealias lda_exec_t alias procmail_exec_t;
> +application_domain(lda_t,lda_exec_t)
> +role system_r types lda_t;
> +
> +type lda_tmp_t;
> +typealias lda_tmp_t alias procmail_tmp_t;
> +files_tmp_file(lda_tmp_t)
> +
> +type lda_etc_t;
> +files_config_file(lda_etc_t)
> +
> +type lda_log_t;
> +logging_log_file(lda_log_t)
> +manage_files_pattern(lda_t,lda_log_t,lda_log_t)
> +logging_log_filetrans(lda_t,lda_log_t,file)
> +
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow lda_t self:capability { sys_nice chown setuid setgid dac_override };
> +allow lda_t self:process { setsched signal signull };
> +allow lda_t self:fifo_file rw_fifo_file_perms;
> +allow lda_t self:unix_stream_socket create_socket_perms;
> +allow lda_t self:unix_dgram_socket create_socket_perms;
> +allow lda_t self:tcp_socket create_stream_socket_perms;
> +allow lda_t self:udp_socket create_socket_perms;
> +read_files_pattern(lda_t,lda_etc_t,lda_etc_t)
> +read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t)
> +
> +can_exec(lda_t,lda_exec_t)
> +
> +allow lda_t lda_tmp_t:file manage_file_perms;
> +files_tmp_filetrans(lda_t, lda_tmp_t, file)
> +
> +kernel_read_system_state(lda_t)
> +kernel_read_kernel_sysctls(lda_t)
> +
> +corenet_all_recvfrom_unlabeled(lda_t)
> +corenet_all_recvfrom_netlabel(lda_t)
> +corenet_tcp_sendrecv_all_if(lda_t)
> +corenet_udp_sendrecv_all_if(lda_t)
> +corenet_tcp_sendrecv_all_nodes(lda_t)
> +corenet_udp_sendrecv_all_nodes(lda_t)
> +corenet_tcp_sendrecv_all_ports(lda_t)
> +corenet_udp_sendrecv_all_ports(lda_t)
> +corenet_udp_bind_all_nodes(lda_t)
> +corenet_tcp_connect_spamd_port(lda_t)
> +corenet_sendrecv_spamd_client_packets(lda_t)
> +corenet_sendrecv_comsat_client_packets(lda_t)
> +
> +dev_read_urand(lda_t)
> +
> +fs_getattr_xattr_fs(lda_t)
> +fs_search_auto_mountpoints(lda_t)
> +fs_rw_anon_inodefs_files(lda_t)
> +
> +auth_use_nsswitch(lda_t)
> +
> +corecmd_exec_bin(lda_t)
> +corecmd_exec_shell(lda_t)
> +
> +files_read_etc_files(lda_t)
> +files_read_etc_runtime_files(lda_t)
> +files_search_pids(lda_t)
> +# for spamassasin
> +files_read_usr_files(lda_t)
> +
> +libs_use_ld_so(lda_t)
> +libs_use_shared_libs(lda_t)
> +
> +logging_send_syslog_msg(lda_t)
> +
> +miscfiles_read_localization(lda_t)
> +
> +# only works until we define a different type for maildir
> +userdom_manage_user_home_content_dirs(lda_t)
> +userdom_manage_user_home_content_files(lda_t)
> +userdom_user_home_dir_filetrans_user_home_content(lda_t, { dir file })
> +
> +optional_policy(`
> + gen_require(`
> + bool daemon_access_unconfined_home;
> + ')
> +# tunable_policy(`daemon_access_unconfined_home', `
> +# unconfined_write_home_content_files(lda_t)
> +# ')
> +')
> +
> +mta_manage_spool(lda_t)
> +
> +ifdef(`hide_broken_symptoms',`
> + mta_dontaudit_rw_queue(lda_t)
> +')
> +
> +tunable_policy(`use_nfs_home_dirs',`
> + fs_manage_nfs_dirs(lda_t)
> + fs_manage_nfs_files(lda_t)
> + fs_manage_nfs_symlinks(lda_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> + fs_manage_cifs_dirs(lda_t)
> + fs_manage_cifs_files(lda_t)
> + fs_manage_cifs_symlinks(lda_t)
> +')
> +
> +optional_policy(`
> + clamav_domtrans_clamscan(lda_t)
> + clamav_search_lib(lda_t)
> +')
> +
> +optional_policy(`
> + courier_authdaemon_client(lda_t)
> +')
> +
> +optional_policy(`
> + munin_dontaudit_search_lib(lda_t)
> +')
> +
> +optional_policy(`
> + # for a bug in the postfix local program
> + postfix_dontaudit_rw_local_tcp_sockets(lda_t)
> + postfix_dontaudit_use_fds(lda_t)
> + postfix_read_spool_files(lda_t)
> + postfix_read_local_state(lda_t)
> + postfix_read_master_state(lda_t)
> +')
> +
> +optional_policy(`
> + pyzor_domtrans(lda_t)
> +')
> +
> +optional_policy(`
> + mta_read_config(lda_t)
> + sendmail_domtrans(lda_t)
> + sendmail_rw_tcp_sockets(lda_t)
> + sendmail_rw_unix_stream_sockets(lda_t)
> +')
> +
> +optional_policy(`
> + corenet_udp_bind_generic_port(lda_t)
> + corenet_dontaudit_udp_bind_all_ports(lda_t)
> +
> + spamassassin_exec(lda_t)
> + spamassassin_exec_client(lda_t)
> + spamassassin_read_lib_files(lda_t)
> +')
> +
> diff --git a/postfix.te b/postfix.te
> index f358c69..221a5d1 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -319,7 +319,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - procmail_domtrans(postfix_local_t)
> + lda_domtrans(postfix_local_t)
> ')
>
> ########################################
> @@ -425,6 +425,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + lda_domtrans(postfix_pipe_t)
> +')
> +
> +optional_policy(`
> mailman_domtrans_queue(postfix_pipe_t)
> ')
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
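Review bot: The `optional_policy` block that `gen_require`s `bool daemon_access_unconfined_home` has its entire body commented out, so it only creates a hard dependency on a boolean the module never uses (and which I do not believe refpolicy declares); either finish the tunable or delete the block. `libs_use_ld_so(lda_t)` and `libs_use_shared_libs(lda_t)` are, as far as I know, deprecated no-ops now that `application_domain` covers shared-library access, so they can go as well. The capability line grants `dac_override` next to `chown setuid setgid` with no explanation, and since this domain also manages all user home content and runs shells, it is the one permission most worth a why-comment, e.g. `# dac_override: needed before dropping to the recipient uid? -- confirm, else dontaudit`. Small things: the comment `# for spamassasin` is misspelled (`# for spamassassin`), and the trailing empty `+` line before the postfix.te diff leaves a blank last line in the new file.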