Diffstat (limited to 'policy/modules/contrib/mta.if')
-rw-r--r-- | policy/modules/contrib/mta.if | 1119 |
1 files changed, 0 insertions, 1119 deletions
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
deleted file mode 100644
index 48a28450..00000000
--- a/policy/modules/contrib/mta.if
+++ /dev/null
@@ -1,1119 +0,0 @@
-## <summary>Common e-mail transfer agent policy.</summary>
-
-########################################
-## <summary>
-## MTA stub interface. No access allowed.
-## </summary>
-## <param name="domain" unused="true">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_stub',`
- gen_require(`
- type sendmail_exec_t;
- ')
-')
-
-#######################################
-## <summary>
-## The template to define a mail domain.
-## </summary>
-## <param name="domain_prefix">
-## <summary>
-## Domain prefix to be used.
-## </summary>
-## </param>
-#
-template(`mta_base_mail_template',`
- gen_require(`
- attribute user_mail_domain;
- type sendmail_exec_t;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type $1_mail_t, user_mail_domain;
- application_domain($1_mail_t, sendmail_exec_t)
-
- type $1_mail_tmp_t;
- files_tmp_file($1_mail_tmp_t)
-
- ########################################
- #
- # Declarations
- #
-
- manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
- manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
- files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
-
- auth_use_nsswitch($1_mail_t)
-
- optional_policy(`
- postfix_domtrans_user_mail_handler($1_mail_t)
- ')
-')
-
-########################################
-## <summary>
-## Role access for mta.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`mta_role',`
- gen_require(`
- attribute mta_user_agent;
- attribute_role user_mail_roles;
- type user_mail_t, sendmail_exec_t, mail_home_t;
- type user_mail_tmp_t, mail_home_rw_t;
- ')
-
- roleattribute $1 user_mail_roles;
-
- # this is something i need to fix
- # i dont know if and why it is needed
- # will role attribute work?
- role $1 types mta_user_agent;
-
- domtrans_pattern($2, sendmail_exec_t, user_mail_t)
- allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
-
- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
- ps_process_pattern($2, { user_mail_t mta_user_agent })
-
- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
-
- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
-
- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
-
- optional_policy(`
- exim_run($2, $1)
- ')
-
- optional_policy(`
- mailman_run($2, $1)
- ')
-')
-
-########################################
-## <summary>
-## Make the specified domain usable for a mail server.
-## </summary>
-## <param name="type">
-## <summary>
-## Type to be used as a mail server domain.
-## </summary>
-## </param>
-## <param name="entry_point">
-## <summary>
-## Type of the program to be used as an entry point to this domain.
-## </summary>
-## </param>
-#
-interface(`mta_mailserver',`
- gen_require(`
- attribute mailserver_domain;
- ')
-
- init_daemon_domain($1, $2)
- typeattribute $1 mailserver_domain;
-')
-
-########################################
-## <summary>
-## Make the specified type a MTA executable file.
-## </summary>
-## <param name="type">
-## <summary>
-## Type to be used as a mail client.
-## </summary>
-## </param>
-#
-interface(`mta_agent_executable',`
- gen_require(`
- attribute mta_exec_type;
- ')
-
- typeattribute $1 mta_exec_type;
-
- application_executable_file($1)
-')
-
-#######################################
-## <summary>
-## Read mta mail home files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_read_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file read_file_perms;
-')
-
-#######################################
-## <summary>
-## Create, read, write, and delete
-## mta mail home files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_manage_mail_home_files',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 mail_home_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-## Create specified objects in user home
-## directories with the generic mail
-## home type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`mta_home_filetrans_mail_home',`
- gen_require(`
- type mail_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
-')
-
-#######################################
-## <summary>
-## Create, read, write, and delete
-## mta mail home rw content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_manage_mail_home_rw_content',`
- gen_require(`
- type mail_home_rw_t;
- ')
-
- userdom_search_user_home_dirs($1)
- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-')
-
-########################################
-## <summary>
-## Create specified objects in user home
-## directories with the generic mail
-## home rw type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`mta_home_filetrans_mail_home_rw',`
- gen_require(`
- type mail_home_rw_t;
- ')
-
- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
-')
-
-########################################
-## <summary>
-## Make the specified type by a system MTA.
-## </summary>
-## <param name="type">
-## <summary>
-## Type to be used as a mail client.
-## </summary>
-## </param>
-#
-interface(`mta_system_content',`
- gen_require(`
- attribute mailcontent_type;
- ')
-
- typeattribute $1 mailcontent_type;
-')
-
-########################################
-## <summary>
-## Modified mailserver interface for
-## sendmail daemon use.
-## </summary>
-## <desc>
-## <p>
-## A modified MTA mail server interface for
-## the sendmail program. It's design does
-## not fit well with policy, and using the
-## regular interface causes a type_transition
-## conflict if direct running of init scripts
-## is enabled.
-## </p>
-## <p>
-## This interface should most likely only be used
-## by the sendmail policy.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## The type to be used for the mail server.
-## </summary>
-## </param>
-#
-interface(`mta_sendmail_mailserver',`
- gen_require(`
- attribute mailserver_domain;
- type sendmail_exec_t;
- ')
-
- init_system_domain($1, sendmail_exec_t)
-
- typeattribute $1 mailserver_domain;
-')
-
-#######################################
-## <summary>
-## Make a type a mailserver type used
-## for sending mail.
-## </summary>
-## <param name="domain">
-## <summary>
-## Mail server domain type used for sending mail.
-## </summary>
-## </param>
-#
-interface(`mta_mailserver_sender',`
- gen_require(`
- attribute mailserver_sender;
- ')
-
- typeattribute $1 mailserver_sender;
-')
-
-#######################################
-## <summary>
-## Make a type a mailserver type used
-## for delivering mail to local users.
-## </summary>
-## <param name="domain">
-## <summary>
-## Mail server domain type used for delivering mail.
-## </summary>
-## </param>
-#
-interface(`mta_mailserver_delivery',`
- gen_require(`
- attribute mailserver_delivery;
- ')
-
- typeattribute $1 mailserver_delivery;
-')
-
-#######################################
-## <summary>
-## Make a type a mailserver type used
-## for sending mail on behalf of local
-## users to the local mail spool.
-## </summary>
-## <param name="domain">
-## <summary>
-## Mail server domain type used for sending local mail.
-## </summary>
-## </param>
-#
-interface(`mta_mailserver_user_agent',`
- gen_require(`
- attribute mta_user_agent;
- ')
-
- typeattribute $1 mta_user_agent;
-')
-
-########################################
-## <summary>
-## Send mail from the system.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`mta_send_mail',`
- gen_require(`
- type system_mail_t;
- attribute mta_exec_type;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, mta_exec_type, system_mail_t)
-
- allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-
- ifdef(`distro_gentoo',`
- gen_require(`
- attribute mta_user_agent;
- ')
-
- dontaudit mta_user_agent $1:fd use;
- ')
-')
-
-########################################
-## <summary>
-## Execute send mail in a specified domain.
-## </summary>
-## <desc>
-## <p>
-## Execute send mail in a specified domain.
-## </p>
-## <p>
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-## </p>
-## </desc>
-## <param name="source_domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="target_domain">
-## <summary>
-## Domain to transition to.
-## </summary>
-## </param>
-#
-interface(`mta_sendmail_domtrans',`
- gen_require(`
- type sendmail_exec_t;
- ')
-
- corecmd_search_bin($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
-
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## Send signals to system mail.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-#
-interface(`mta_signal_system_mail',`
- gen_require(`
- type system_mail_t;
- ')
-
- allow $1 system_mail_t:process signal;
-')
-
-########################################
-## <summary>
-## Send kill signals to system mail.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_kill_system_mail',`
- gen_require(`
- type system_mail_t;
- ')
-
- allow $1 system_mail_t:process sigkill;
-')
-
-########################################
-## <summary>
-## Execute sendmail in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_sendmail_exec',`
- gen_require(`
- type sendmail_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, sendmail_exec_t)
-')
-
-########################################
-## <summary>
-## Read mail server configuration content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mta_read_config',`
- gen_require(`
- type etc_mail_t;
- ')
-
- files_search_etc($1)
- allow $1 etc_mail_t:dir list_dir_perms;
- allow $1 etc_mail_t:file read_file_perms;
- allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## Write mail server configuration files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mta_write_config',`
- gen_require(`
- type etc_mail_t;
- ')
-
- files_search_etc($1)
- write_files_pattern($1, etc_mail_t, etc_mail_t)
-')
-
-########################################
-## <summary>
-## Read mail address alias files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_read_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- files_search_etc($1)
- allow $1 etc_aliases_t:file read_file_perms;
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type etc_mail_t;
- ')
-
- search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
- read_files_pattern($1, etc_mail_t, etc_aliases_t)
- ')
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## mail address alias content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_manage_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- files_search_etc($1)
- manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type etc_mail_t;
- ')
-
- search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
- manage_files_pattern($1, etc_mail_t, etc_aliases_t)
- manage_lnk_files_pattern($1, etc_mail_t, etc_aliases_t)
- ')
-')
-
-########################################
-## <summary>
-## Create specified object in generic
-## etc directories with the mail address
-## alias type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`mta_etc_filetrans_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- files_etc_filetrans($1, etc_aliases_t, $2, $3)
-')
-
-########################################
-## <summary>
-## Create specified objects in specified
-## directories with a type transition to
-## the mail address alias type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="file_type">
-## <summary>
-## Directory to transition on.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`mta_spec_filetrans_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
-')
-
-########################################
-## <summary>
-## Read and write mail alias files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mta_rw_aliases',`
- gen_require(`
- type etc_aliases_t;
- ')
-
- files_search_etc($1)
- allow $1 etc_aliases_t:file rw_file_perms;
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type etc_mail_t;
- ')
-
- search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
- rw_files_pattern($1, etc_mail_t, etc_aliases_t)
- ')
-')
-
-#######################################
-## <summary>
-## Do not audit attempts to read
-## and write TCP sockets of mail
-## delivery domains.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
- gen_require(`
- attribute mailserver_delivery;
- ')
-
- dontaudit $1 mailserver_delivery:tcp_socket { read write };
-')
-
-#######################################
-## <summary>
-## Connect to all mail servers over TCP. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_tcp_connect_all_mailservers',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-#######################################
-## <summary>
-## Do not audit attempts to read
-## mail spool symlinks.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`mta_dontaudit_read_spool_symlinks',`
- gen_require(`
- type mail_spool_t;
- ')
-
- dontaudit $1 mail_spool_t:lnk_file read;
-')
-
-########################################
-## <summary>
-## Get attributes of mail spool content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_getattr_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mail_spool_t:dir list_dir_perms;
- getattr_files_pattern($1, mail_spool_t, mail_spool_t)
- read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get
-## attributes of mail spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`mta_dontaudit_getattr_spool_files',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_dontaudit_search_spool($1)
- dontaudit $1 mail_spool_t:dir search_dir_perms;
- dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
- dontaudit $1 mail_spool_t:file getattr_file_perms;
-')
-
-#######################################
-## <summary>
-## Create specified objects in the
-## mail spool directory with a
-## private type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="private type">
-## <summary>
-## The type of the object to be created.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`mta_spool_filetrans',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- filetrans_pattern($1, mail_spool_t, $2, $3, $4)
-')
-
-#######################################
-## <summary>
-## Read mail spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_read_spool_files',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- read_files_pattern($1, mail_spool_t, mail_spool_t)
-')
-
-########################################
-## <summary>
-## Read and write mail spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_rw_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:file rw_file_perms;
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
-')
-
-#######################################
-## <summary>
-## Create, read, and write mail spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_append_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mail_spool_t:dir list_dir_perms;
- manage_files_pattern($1, mail_spool_t, mail_spool_t)
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
-')
-
-#######################################
-## <summary>
-## Delete mail spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_delete_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- delete_files_pattern($1, mail_spool_t, mail_spool_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## mail spool content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_manage_spool',`
- gen_require(`
- type mail_spool_t;
- ')
-
- files_search_spool($1)
- manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
- manage_files_pattern($1, mail_spool_t, mail_spool_t)
- manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
-')
-
-#######################################
-## <summary>
-## Create specified objects in the
-## mail queue spool directory with a
-## private type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="private type">
-## <summary>
-## The type of the object to be created.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`mta_queue_filetrans',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
-')
-
-########################################
-## <summary>
-## Search mail queue directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_search_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mqueue_spool_t:dir search_dir_perms;
-')
-
-#######################################
-## <summary>
-## List mail queue directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_list_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- allow $1 mqueue_spool_t:dir list_dir_perms;
-')
-
-#######################################
-## <summary>
-## Read mail queue files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_read_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
-')
-
-#######################################
-## <summary>
-## Do not audit attempts to read and
-## write mail queue content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`mta_dontaudit_rw_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- dontaudit $1 mqueue_spool_t:dir search_dir_perms;
- dontaudit $1 mqueue_spool_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## mail queue content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_manage_queue',`
- gen_require(`
- type mqueue_spool_t;
- ')
-
- files_search_spool($1)
- manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
- manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
-')
-
-#######################################
-## <summary>
-## Read sendmail binary.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_read_sendmail_bin',`
- gen_require(`
- type sendmail_exec_t;
- ')
-
- allow $1 sendmail_exec_t:file read_file_perms;
-')
-
-#######################################
-## <summary>
-## Read and write unix domain stream
-## sockets of all base mail domains.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_rw_user_mail_stream_sockets',`
- gen_require(`
- attribute user_mail_domain;
- ')
-
- allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
-') |