commit:     b1bdc46e60bb68eb54844d999197cddfed0ec5ad
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 24 09:23:27 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:03:49 2014 +0000
URL:        
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1bdc46e

Create mta wrapper

Also temporarily rename the mta policy (instead of removing it) so we
can consult it during development of the new mail infrastructure policy.

---
 policy/modules/contrib/{mta.fc => mta.fc.orig} |   0
 policy/modules/contrib/mta.if                  | 544 ++++++-------------------
 policy/modules/contrib/{mta.if => mta.if.orig} |   0
 policy/modules/contrib/mta.te                  | 408 -------------------
 policy/modules/contrib/{mta.te => mta.te.orig} |   0
 5 files changed, 121 insertions(+), 831 deletions(-)

diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc.orig
similarity index 100%
rename from policy/modules/contrib/mta.fc
rename to policy/modules/contrib/mta.fc.orig

diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 48a2845..57c2e33 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -1,20 +1,7 @@
-## <summary>Common e-mail transfer agent policy.</summary>
-
-########################################
-## <summary>
-##     MTA stub interface.  No access allowed.
-## </summary>
-## <param name="domain" unused="true">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
+## <summary>Wrapper for common e-mail transfer agent policy.</summary>
 #
-interface(`mta_stub',`
-       gen_require(`
-               type sendmail_exec_t;
-       ')
-')
+# The mta policy is no longer supported in Gentoo and has been deprecated
+# in favor of the mail policy.
 
 #######################################
 ## <summary>
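Review bot: `mta_stub` is deleted outright here instead of being kept as a warning-only wrapper, so any module that still calls it fails to build rather than getting the deprecation message the other interfaces emit. The same happens to `mta_rw_aliases`, which a later hunk removes while `mta_read_aliases` and `mta_manage_aliases` keep wrappers. If the removal is intended, the header comment added in this hunk should say which interfaces no longer exist; otherwise keep both as stubs that only call `refpolicywarn`.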
@@ -27,41 +14,12 @@ interface(`mta_stub',`
 ## </param>
 #
 template(`mta_base_mail_template',`
-       gen_require(`
-               attribute user_mail_domain;
-               type sendmail_exec_t;
-       ')
-
-       ########################################
-       #
-       # Declarations
-       #
-
-       type $1_mail_t, user_mail_domain;
-       application_domain($1_mail_t, sendmail_exec_t)
-
-       type $1_mail_tmp_t;
-       files_tmp_file($1_mail_tmp_t)
-
-       ########################################
-       #
-       # Declarations
-       #
-
-       manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-       manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-       files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
-
-       auth_use_nsswitch($1_mail_t)
-
-       optional_policy(`
-               postfix_domtrans_user_mail_handler($1_mail_t)
-       ')
+       refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##     Role access for mta.
+##     Role access for mta (deprecated, use mail_role instead).
 ## </summary>
 ## <param name="role">
 ##     <summary>
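Review bot: `mta_base_mail_template` now expands to a warning only, so the `$1_mail_t` and `$1_mail_tmp_t` types it used to declare no longer exist, and the warning names no replacement. A caller that references those types after invoking the template will fail with an undeclared-type error that does not point back to this wrapper. The same warning-only pattern with no replacement named appears in `mta_sendmail_domtrans`, `mta_kill_system_mail` and `mta_rw_user_mail_stream_sockets`, where access is silently dropped. I would extend each message to state that the access is no longer granted and which mail interface, if any, the caller should move to.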
@@ -82,46 +40,14 @@ interface(`mta_role',`
                type user_mail_tmp_t, mail_home_rw_t;
        ')
 
-       roleattribute $1 user_mail_roles;
-
-       # this is something i need to fix
-       # i dont know if and why it is needed
-       # will role attribute work?
-       role $1 types mta_user_agent;
+       refpolicywarn(`$0($*) has been deprecated. Please use mail_role 
instead.')
 
-       domtrans_pattern($2, sendmail_exec_t, user_mail_t)
-       allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
-
-       allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
-       ps_process_pattern($2, { user_mail_t mta_user_agent })
-
-       allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
-       userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
-       userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
-       userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
-       userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
-
-       allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
-       allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
-       allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-       userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
-       userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
-
-       allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-       allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
-
-       optional_policy(`
-               exim_run($2, $1)
-       ')
-
-       optional_policy(`
-               mailman_run($2, $1)
-       ')
+       mail_role($1, $2)
 ')
 
 ########################################
 ## <summary>
-##     Make the specified domain usable for a mail server.
+##     Make the specified domain usable for a mail server (deprecated, use 
mail_*_agent_type instead).
 ## </summary>
 ## <param name="type">
 ##     <summary>
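Review bot: The `gen_require` block left as context at the top of this hunk still requires `user_mail_tmp_t` and `mail_home_rw_t`, although the new body of `mta_role` only forwards to `mail_role($1, $2)`. This commit removes the `mail_home_rw_t` declaration from mta.te and the template that created `user_mail_tmp_t`, so unless the mail module declares types with exactly those names, every caller of `mta_role` will fail on an unresolved requirement. The block opens outside the hunk, so its other requirements cannot be checked from here. `mta_mailserver` in the next hunk keeps `attribute mailserver_domain;` in the same way. I would drop both `gen_require` blocks so the wrappers depend only on the mail interfaces they call.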
@@ -139,13 +65,13 @@ interface(`mta_mailserver',`
                attribute mailserver_domain;
        ')
 
-       init_daemon_domain($1, $2)
-       typeattribute $1 mailserver_domain;
+       refpolicywarn(`$0($*) is deprecated, use mail_*_agent_type instead. 
Defaulting to mail_transfer_agent_type.')
+       mail_transfer_agent_type($1)
 ')
 
 ########################################
 ## <summary>
-##     Make the specified type a MTA executable file.
+##     Make the specified type a MTA executable file (deprecated).
 ## </summary>
 ## <param name="type">
 ##     <summary>
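Review bot: `mta_mailserver` now ignores its second argument: the removed `init_daemon_domain($1, $2)` was the only use of `$2`, and the replacement `mail_transfer_agent_type($1)` is not given the entry-point type. Whether `mail_transfer_agent_type` sets up the transition from init itself is not visible in this diff. If it does not, a daemon converted through this wrapper would no longer transition into `$1` when started, which is a confinement regression that produces no build error. `mta_sendmail_mailserver` further down drops `init_system_domain($1, sendmail_exec_t)` in the same way. Either keep the init call in the wrapper or have the warning tell the caller to declare the entry point itself.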
@@ -154,18 +80,13 @@ interface(`mta_mailserver',`
 ## </param>
 #
 interface(`mta_agent_executable',`
-       gen_require(`
-               attribute mta_exec_type;
-       ')
-
-       typeattribute $1 mta_exec_type;
-
+       refpolicywarn(`$0($*) is deprecated.')
        application_executable_file($1)
 ')
 
 #######################################
 ## <summary>
-##     Read mta mail home files.
+##     Read mta mail home files (deprecated, use mail_read_home_files instead).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -174,18 +95,14 @@ interface(`mta_agent_executable',`
 ## </param>
 #
 interface(`mta_read_mail_home_files',`
-       gen_require(`
-               type mail_home_t;
-       ')
-
-       userdom_search_user_home_dirs($1)
-       allow $1 mail_home_t:file read_file_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_read_home_files instead.')
+       mail_read_home_files($1)
 ')
 
 #######################################
 ## <summary>
 ##     Create, read, write, and delete
-##     mta mail home files.
+##     mta mail home files (deprecated, use mail_manage_home_files instead).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -194,19 +111,15 @@ interface(`mta_read_mail_home_files',`
 ## </param>
 #
 interface(`mta_manage_mail_home_files',`
-       gen_require(`
-               type mail_home_t;
-       ')
-
-       userdom_search_user_home_dirs($1)
-       allow $1 mail_home_t:file manage_file_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_manage_home_files 
instead.')
+       mail_manage_home_files($1)
 ')
 
 ########################################
 ## <summary>
 ##     Create specified objects in user home
 ##     directories with the generic mail
-##     home type.
+##     home type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -225,17 +138,14 @@ interface(`mta_manage_mail_home_files',`
 ## </param>
 #
 interface(`mta_home_filetrans_mail_home',`
-       gen_require(`
-               type mail_home_t;
-       ')
-
-       userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
+       refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type 
declarations. Defaulting to delivery agent.')
+       mail_delivery_agent_privs($1)
 ')
 
 #######################################
 ## <summary>
 ##     Create, read, write, and delete
-##     mta mail home rw content.
+##     mta mail home rw content (deprecated, use mail_manage_home_rw).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
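Review bot: `mta_home_filetrans_mail_home` used to add one type transition and now calls `mail_delivery_agent_privs($1)`, which by its name is a whole agent privilege set, while `$2` and `$3` are ignored. A caller that only asked for correctly labelled files in the user home directory may end up with broader access than it requested, and the files it creates are no longer guaranteed the mail home label. `mta_home_filetrans_mail_home_rw` in a later hunk has the same mapping. The definition of `mail_delivery_agent_privs` is not visible here and should be checked. Unless the mail policy has a filetrans interface to forward to, a warning-only stub is the least-privilege default.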
@@ -244,21 +154,15 @@ interface(`mta_home_filetrans_mail_home',`
 ## </param>
 #
 interface(`mta_manage_mail_home_rw_content',`
-       gen_require(`
-               type mail_home_rw_t;
-       ')
-
-       userdom_search_user_home_dirs($1)
-       manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
-       manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-       manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+       refpolicywarn(`$0($*) is deprecated, use mail_manage_home_rw instead')
+       mail_manage_home_rw($1)
 ')
 
 ########################################
 ## <summary>
 ##     Create specified objects in user home
 ##     directories with the generic mail
-##     home rw type.
+##     home rw type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -277,16 +181,13 @@ interface(`mta_manage_mail_home_rw_content',`
 ## </param>
 #
 interface(`mta_home_filetrans_mail_home_rw',`
-       gen_require(`
-               type mail_home_rw_t;
-       ')
-
-       userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
+       refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type 
declarations. Defaulting to delivery agent.')
+       mail_delivery_agent_privs($1)
 ')
 
 ########################################
 ## <summary>
-##     Make the specified type by a system MTA.
+##     Make the specified type by a system MTA (deprecated, use 
mail_content_type instead).
 ## </summary>
 ## <param name="type">
 ##     <summary>
@@ -295,17 +196,14 @@ interface(`mta_home_filetrans_mail_home_rw',`
 ## </param>
 #
 interface(`mta_system_content',`
-       gen_require(`
-               attribute mailcontent_type;
-       ')
-
-       typeattribute $1 mailcontent_type;
+       refpolicywarn(`$0($*) is deprecated, use mail_content_type instead.')
+       mail_content_type($1)
 ')
 
 ########################################
 ## <summary>
 ##     Modified mailserver interface for
-##     sendmail daemon use.
+##     sendmail daemon use (deprecated).
 ## </summary>
 ## <desc>
 ##     <p>
@@ -328,20 +226,15 @@ interface(`mta_system_content',`
 ## </param>
 #
 interface(`mta_sendmail_mailserver',`
-       gen_require(`
-               attribute mailserver_domain;
-               type sendmail_exec_t;
-       ')
-
-       init_system_domain($1, sendmail_exec_t)
+       refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type 
declarations. Defaulting to transfer agent.')
+       mail_transfer_agent_type($1)
 
-       typeattribute $1 mailserver_domain;
 ')
 
 #######################################
 ## <summary>
 ##     Make a type a mailserver type used
-##     for sending mail.
+##     for sending mail (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -350,17 +243,14 @@ interface(`mta_sendmail_mailserver',`
 ## </param>
 #
 interface(`mta_mailserver_sender',`
-       gen_require(`
-               attribute mailserver_sender;
-       ')
-
-       typeattribute $1 mailserver_sender;
+       refpolicywarn(`$0($*) is deprecated, use the proper mail * agent type 
declarations. Defaulting to submission agent.')
+       mail_submission_agent_type($1)
 ')
 
 #######################################
 ## <summary>
 ##     Make a type a mailserver type used
-##     for delivering mail to local users.
+##     for delivering mail to local users (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -369,18 +259,15 @@ interface(`mta_mailserver_sender',`
 ## </param>
 #
 interface(`mta_mailserver_delivery',`
-       gen_require(`
-               attribute mailserver_delivery;
-       ')
-
-       typeattribute $1 mailserver_delivery;
+       refpolicywarn(`$0($*) is deprecated, use mail_delivery_agent_type 
instead')
+       mail_delivery_agent_type($1)
 ')
 
 #######################################
 ## <summary>
 ##     Make a type a mailserver type used
 ##     for sending mail on behalf of local
-##     users to the local mail spool.
+##     users to the local mail spool (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -389,16 +276,13 @@ interface(`mta_mailserver_delivery',`
 ## </param>
 #
 interface(`mta_mailserver_user_agent',`
-       gen_require(`
-               attribute mta_user_agent;
-       ')
-
-       typeattribute $1 mta_user_agent;
+       refpolicywarn(`$0($*) is deprecated, use mail_delivery_agent_type 
instead')
+       mail_delivery_agent_type($1)
 ')
 
 ########################################
 ## <summary>
-##     Send mail from the system.
+##     Send mail from the system (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -407,23 +291,8 @@ interface(`mta_mailserver_user_agent',`
 ## </param>
 #
 interface(`mta_send_mail',`
-       gen_require(`
-               type system_mail_t;
-               attribute mta_exec_type;
-       ')
-
-       corecmd_search_bin($1)
-       domtrans_pattern($1, mta_exec_type, system_mail_t)
-
-       allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-
-       ifdef(`distro_gentoo',`
-               gen_require(`
-                       attribute mta_user_agent;
-               ')
-
-               dontaudit mta_user_agent $1:fd use;
-       ')
+       refpolicywarn(`$0($*) is deprecated, use mail_domtrans_sendmail 
instead')
+       mail_domtrans_sendmail($1)
 ')
 
 ########################################
@@ -452,19 +321,12 @@ interface(`mta_send_mail',`
 ## </param>
 #
 interface(`mta_sendmail_domtrans',`
-       gen_require(`
-               type sendmail_exec_t;
-       ')
-
-       corecmd_search_bin($1)
-       domain_auto_trans($1, sendmail_exec_t, $2)
-
-       allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+       refpolicywarn(`$0($*) is deprecated.')
 ')
 
 ########################################
 ## <summary>
-##     Send signals to system mail.
+##     Send signals to system mail (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -474,11 +336,8 @@ interface(`mta_sendmail_domtrans',`
 #
 #
 interface(`mta_signal_system_mail',`
-       gen_require(`
-               type system_mail_t;
-       ')
-
-       allow $1 system_mail_t:process signal;
+       refpolicywarn(`$0($*) is deprecated, mail_run_sendmail instead')
+       mail_run_sendmail($1)
 ')
 
 ########################################
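Review bot: `mta_signal_system_mail` previously allowed only `signal` on `system_mail_t` processes, but the wrapper now calls `mail_run_sendmail($1)`, which by refpolicy naming convention lets the caller execute sendmail with a domain transition. If that reading of the name is right (the definition is not in this diff), every existing caller is widened from "may signal" to "may run". `_run` interfaces also usually take a role as second argument, and none is passed here. The warning text is missing the word "use" as well. I would leave this as a warning-only stub, as done for `mta_kill_system_mail`, until the mail policy offers a signal-only interface.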
@@ -492,11 +351,7 @@ interface(`mta_signal_system_mail',`
 ## </param>
 #
 interface(`mta_kill_system_mail',`
-       gen_require(`
-               type system_mail_t;
-       ')
-
-       allow $1 system_mail_t:process sigkill;
+       refpolicywarn(`$0($*) is deprecated.')
 ')
 
 ########################################
@@ -510,17 +365,13 @@ interface(`mta_kill_system_mail',`
 ## </param>
 #
 interface(`mta_sendmail_exec',`
-       gen_require(`
-               type sendmail_exec_t;
-       ')
-
-       corecmd_search_bin($1)
-       can_exec($1, sendmail_exec_t)
+       refpolicywarn(`$0($*) is deprecated, use mail_exec_sendmail instead.')
+       mail_exec_sendmail($1)
 ')
 
 ########################################
 ## <summary>
-##     Read mail server configuration content.
+##     Read mail server configuration content (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -530,19 +381,13 @@ interface(`mta_sendmail_exec',`
 ## <rolecap/>
 #
 interface(`mta_read_config',`
-       gen_require(`
-               type etc_mail_t;
-       ')
-
-       files_search_etc($1)
-       allow $1 etc_mail_t:dir list_dir_perms;
-       allow $1 etc_mail_t:file read_file_perms;
-       allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_read_etc instead.')
+       mail_read_etc($1)
 ')
 
 ########################################
 ## <summary>
-##     Write mail server configuration files.
+##     Write mail server configuration files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -552,17 +397,13 @@ interface(`mta_read_config',`
 ## <rolecap/>
 #
 interface(`mta_write_config',`
-       gen_require(`
-               type etc_mail_t;
-       ')
-
-       files_search_etc($1)
-       write_files_pattern($1, etc_mail_t, etc_mail_t)
+       refpolicywarn(`$0($*) is deprecated, use mail_rw_etc instead.')
+       mail_rw_etc($1)
 ')
 
 ########################################
 ## <summary>
-##     Read mail address alias files.
+##     Read mail address alias files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -571,21 +412,8 @@ interface(`mta_write_config',`
 ## </param>
 #
 interface(`mta_read_aliases',`
-       gen_require(`
-               type etc_aliases_t;
-       ')
-
-       files_search_etc($1)
-       allow $1 etc_aliases_t:file read_file_perms;
-
-       ifdef(`distro_gentoo',`
-               gen_require(`
-                       type etc_mail_t;
-               ')
-
-               search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
-               read_files_pattern($1, etc_mail_t, etc_aliases_t)
-       ')
+       refpolicywarn(`$0($*) is deprecated, use mail_read_aliases instead.')
+       mail_read_aliases($1)
 ')
 
 ########################################
@@ -600,30 +428,15 @@ interface(`mta_read_aliases',`
 ## </param>
 #
 interface(`mta_manage_aliases',`
-       gen_require(`
-               type etc_aliases_t;
-       ')
-
-       files_search_etc($1)
-       manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
-       manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
-       
-       ifdef(`distro_gentoo',`
-               gen_require(`
-                       type etc_mail_t;
-               ')
-
-               search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
-               manage_files_pattern($1, etc_mail_t, etc_aliases_t)
-               manage_lnk_files_pattern($1, etc_mail_t, etc_aliases_t)
-       ')
+       refpolicywarn(`$0($*) is deprecated, use mail_manage_aliases instead.')
+       mail_manage_aliases($1)
 ')
 
 ########################################
 ## <summary>
 ##     Create specified object in generic
 ##     etc directories with the mail address
-##     alias type.
+##     alias type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -642,18 +455,15 @@ interface(`mta_manage_aliases',`
 ## </param>
 #
 interface(`mta_etc_filetrans_aliases',`
-       gen_require(`
-               type etc_aliases_t;
-       ')
-
-       files_etc_filetrans($1, etc_aliases_t, $2, $3)
+       refpolicywarn(`$0($*) is deprecated, use 
mail_generic_etc_filetrans_aliases instead.')
+       mail_generic_etc_filetrans_aliases($1, $2, $3)
 ')
 
 ########################################
 ## <summary>
 ##     Create specified objects in specified
 ##     directories with a type transition to
-##     the mail address alias type.
+##     the mail address alias type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -677,47 +487,15 @@ interface(`mta_etc_filetrans_aliases',`
 ## </param>
 #
 interface(`mta_spec_filetrans_aliases',`
-       gen_require(`
-               type etc_aliases_t;
-       ')
-
-       filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
-')
-
-########################################
-## <summary>
-##     Read and write mail alias files.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mta_rw_aliases',`
-       gen_require(`
-               type etc_aliases_t;
-       ')
-
-       files_search_etc($1)
-       allow $1 etc_aliases_t:file rw_file_perms;
-
-       ifdef(`distro_gentoo',`
-               gen_require(`
-                       type etc_mail_t;
-               ')
-
-               search_dirs_pattern($1, etc_mail_t, etc_aliases_t)
-               rw_files_pattern($1, etc_mail_t, etc_aliases_t)
-       ')
+       refpolicywarn(`$0($*) is deprecated, use mail_spec_filetrans_aliases 
instead.')
+       mail_spec_filetrans_aliases($1, $2, $3, $4)
 ')
 
 #######################################
 ## <summary>
 ##     Do not audit attempts to read
 ##     and write TCP sockets of mail
-##     delivery domains.
+##     delivery domains (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -726,11 +504,8 @@ interface(`mta_rw_aliases',`
 ## </param>
 #
 interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
-       gen_require(`
-               attribute mailserver_delivery;
-       ')
-
-       dontaudit $1 mailserver_delivery:tcp_socket { read write };
+       refpolicywarn(`$0($*) is deprecated, use 
mail_dontaudit_rw_delivery_agent_tcp_sockets instead.')
+       mail_dontaudit_rw_delivery_agent_tcp_sockets($1)
 ')
 
 #######################################
@@ -750,7 +525,7 @@ interface(`mta_tcp_connect_all_mailservers',`
 #######################################
 ## <summary>
 ##     Do not audit attempts to read
-##     mail spool symlinks.
+##     mail spool symlinks (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -759,16 +534,13 @@ interface(`mta_tcp_connect_all_mailservers',`
 ## </param>
 #
 interface(`mta_dontaudit_read_spool_symlinks',`
-       gen_require(`
-               type mail_spool_t;
-       ')
-
-       dontaudit $1 mail_spool_t:lnk_file read;
+       refpolicywarn(`$0($*) is deprecated, use 
mail_dontaudit_read_queue_symlinks instead.')
+       mail_dontaudit_read_queue_symlinks($1)
 ')
 
 ########################################
 ## <summary>
-##     Get attributes of mail spool content.
+##     Get attributes of mail spool content (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
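Review bot: From `mta_dontaudit_read_spool_symlinks` onward, the wrappers send both the `mail_spool_t` interfaces and the `mqueue_spool_t` interfaces to the same `mail_*_queue*` calls. `mta_spool_filetrans` and `mta_queue_filetrans` both become `mail_queue_filetrans`, `mta_read_spool_files` and `mta_read_queue` both become `mail_read_queue_files`, and `mta_manage_spool` and `mta_manage_queue` both become `mail_manage_queue`. If the mail policy labels mailboxes and the MTA queue with one type, a domain that was limited to one of them now reaches both; if it keeps them separate, the spool wrappers grant access to the wrong type. `mta_manage_queue` previously covered directories and files only, so it may also gain symlink management. A comment in the file header stating how the two old types map onto the new ones would let each wrapper be checked.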
@@ -777,20 +549,14 @@ interface(`mta_dontaudit_read_spool_symlinks',`
 ## </param>
 #
 interface(`mta_getattr_spool',`
-       gen_require(`
-               type mail_spool_t;
-       ')
-
-       files_search_spool($1)
-       allow $1 mail_spool_t:dir list_dir_perms;
-       getattr_files_pattern($1, mail_spool_t, mail_spool_t)
-       read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+       refpolicywarn(`$0($*) is deprecated, use mail_getattr_queue instead.')
+       mail_getattr_queue($1)
 ')
 
 ########################################
 ## <summary>
 ##     Do not audit attempts to get
-##     attributes of mail spool files.
+##     attributes of mail spool files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -799,14 +565,8 @@ interface(`mta_getattr_spool',`
 ## </param>
 #
 interface(`mta_dontaudit_getattr_spool_files',`
-       gen_require(`
-               type mail_spool_t;
-       ')
-
-       files_dontaudit_search_spool($1)
-       dontaudit $1 mail_spool_t:dir search_dir_perms;
-       dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
-       dontaudit $1 mail_spool_t:file getattr_file_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_getattr_queue 
instead.')
+       mail_dontaudit_getattr_queue($1)
 ')
 
 #######################################
@@ -837,17 +597,13 @@ interface(`mta_dontaudit_getattr_spool_files',`
 ## </param>
 #
 interface(`mta_spool_filetrans',`
-       gen_require(`
-               type mail_spool_t;
-       ')
-
-       files_search_spool($1)
-       filetrans_pattern($1, mail_spool_t, $2, $3, $4)
+       refpolicywarn(`$0($*) is deprecated, use mail_queue_filetrans instead.')
+       mail_queue_filetrans($1, $2, $3, $4)
 ')
 
 #######################################
 ## <summary>
-##  Read mail spool files.
+##  Read mail spool files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##  <summary>
@@ -856,17 +612,13 @@ interface(`mta_spool_filetrans',`
 ## </param>
 #
 interface(`mta_read_spool_files',`
-       gen_require(`
-               type mail_spool_t;
-       ')
-
-       files_search_spool($1)
-       read_files_pattern($1, mail_spool_t, mail_spool_t)
+       refpolicywarn(`$0($*) is deprecated, use mail_read_queue_files 
instead.')
+       mail_read_queue_files($1)
 ')
 
 ########################################
 ## <summary>
-##     Read and write mail spool files.
+##     Read and write mail spool files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -875,19 +627,13 @@ interface(`mta_read_spool_files',`
 ## </param>
 #
 interface(`mta_rw_spool',`
-       gen_require(`
-               type mail_spool_t;
-       ')
-
-       files_search_spool($1)
-       allow $1 mail_spool_t:dir list_dir_perms;
-       allow $1 mail_spool_t:file rw_file_perms;
-       allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_rw_queue_files instead.')
+       mail_rw_queue_files($1)
 ')
 
 #######################################
 ## <summary>
-##     Create, read, and write mail spool files.
+##     Create, read, and write mail spool files (deprecated)
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -896,19 +642,13 @@ interface(`mta_rw_spool',`
 ## </param>
 #
 interface(`mta_append_spool',`
-       gen_require(`
-               type mail_spool_t;
-       ')
-
-       files_search_spool($1)
-       allow $1 mail_spool_t:dir list_dir_perms;
-       manage_files_pattern($1, mail_spool_t, mail_spool_t)
-       allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_manage_queue_files 
instead.')
+       mail_manage_queue_files($1)
 ')
 
 #######################################
 ## <summary>
-##     Delete mail spool files.
+##     Delete mail spool files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -917,18 +657,14 @@ interface(`mta_append_spool',`
 ## </param>
 #
 interface(`mta_delete_spool',`
-       gen_require(`
-               type mail_spool_t;
-       ')
-
-       files_search_spool($1)
-       delete_files_pattern($1, mail_spool_t, mail_spool_t)
+       refpolicywarn(`$0($*) is deprecated, use mail_delete_queue_files 
instead.')
+       mail_delete_queue_files($1)
 ')
 
 ########################################
 ## <summary>
 ##     Create, read, write, and delete
-##     mail spool content.
+##     mail spool content (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -937,21 +673,15 @@ interface(`mta_delete_spool',`
 ## </param>
 #
 interface(`mta_manage_spool',`
-       gen_require(`
-               type mail_spool_t;
-       ')
-
-       files_search_spool($1)
-       manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
-       manage_files_pattern($1, mail_spool_t, mail_spool_t)
-       manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+       refpolicywarn(`$0($*) is deprecated, use mail_manage_queue instead.')
+       mail_manage_queue($1)
 ')
 
 #######################################
 ## <summary>
 ##     Create specified objects in the
 ##     mail queue spool directory with a
-##     private type.
+##     private type (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -975,17 +705,13 @@ interface(`mta_manage_spool',`
 ## </param>
 #
 interface(`mta_queue_filetrans',`
-       gen_require(`
-               type mqueue_spool_t;
-       ')
-
-       files_search_spool($1)
-       filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+       refpolicywarn(`$0($*) is deprecated, use mail_queue_filetrans instead.')
+       mail_queue_filetrans($1, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##     Search mail queue directories.
+##     Search mail queue directories (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -994,17 +720,13 @@ interface(`mta_queue_filetrans',`
 ## </param>
 #
 interface(`mta_search_queue',`
-       gen_require(`
-               type mqueue_spool_t;
-       ')
-
-       files_search_spool($1)
-       allow $1 mqueue_spool_t:dir search_dir_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_search_queue instead.')
+       mail_search_queue($1)
 ')
 
 #######################################
 ## <summary>
-##     List mail queue directories.
+##     List mail queue directories (deprecated)
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -1013,17 +735,13 @@ interface(`mta_search_queue',`
 ## </param>
 #
 interface(`mta_list_queue',`
-       gen_require(`
-               type mqueue_spool_t;
-       ')
-
-       files_search_spool($1)
-       allow $1 mqueue_spool_t:dir list_dir_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_list_queue instead.')
+       mail_list_queue($1)
 ')
 
 #######################################
 ## <summary>
-##     Read mail queue files.
+##     Read mail queue files (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -1032,18 +750,14 @@ interface(`mta_list_queue',`
 ## </param>
 #
 interface(`mta_read_queue',`
-       gen_require(`
-               type mqueue_spool_t;
-       ')
-
-       files_search_spool($1)
-       read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+       refpolicywarn(`$0($*) is deprecated, use mail_read_queue_files 
instead.')
+       mail_read_queue_files($1)
 ')
 
 #######################################
 ## <summary>
 ##     Do not audit attempts to read and
-##     write mail queue content.
+##     write mail queue content (deprecated)
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -1052,18 +766,14 @@ interface(`mta_read_queue',`
 ## </param>
 #
 interface(`mta_dontaudit_rw_queue',`
-       gen_require(`
-               type mqueue_spool_t;
-       ')
-
-       dontaudit $1 mqueue_spool_t:dir search_dir_perms;
-       dontaudit $1 mqueue_spool_t:file rw_file_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_dontaudit_rw_queue_files 
instead.')
+       mail_dontaudit_rw_queue_files($1)
 ')
 
 ########################################
 ## <summary>
 ##     Create, read, write, and delete
-##     mail queue content.
+##     mail queue content (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -1072,18 +782,13 @@ interface(`mta_dontaudit_rw_queue',`
 ## </param>
 #
 interface(`mta_manage_queue',`
-       gen_require(`
-               type mqueue_spool_t;
-       ')
-
-       files_search_spool($1)
-       manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
-       manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+       refpolicywarn(`$0($*) is deprecated, use mail_manage_queue instead.')
+       mail_manage_queue($1)
 ')
 
 #######################################
 ## <summary>
-##     Read sendmail binary.
+##     Read sendmail binary (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -1092,17 +797,14 @@ interface(`mta_manage_queue',`
 ## </param>
 #
 interface(`mta_read_sendmail_bin',`
-       gen_require(`
-               type sendmail_exec_t;
-       ')
-
-       allow $1 sendmail_exec_t:file read_file_perms;
+       refpolicywarn(`$0($*) is deprecated, use mail_read_sendmail_executable 
instead.')
+       mail_read_sendmail_executable($1)
 ')
 
 #######################################
 ## <summary>
 ##     Read and write unix domain stream
-##     sockets of all base mail domains.
+##     sockets of all base mail domains (deprecated).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -1111,9 +813,5 @@ interface(`mta_read_sendmail_bin',`
 ## </param>
 #
 interface(`mta_rw_user_mail_stream_sockets',`
-       gen_require(`
-               attribute user_mail_domain;
-       ')
-
-       allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+       refpolicywarn(`$0($*) is deprecated.')
 ')

diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if.orig
similarity index 100%
copy from policy/modules/contrib/mta.if
copy to policy/modules/contrib/mta.if.orig

diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 51b3bbb..e2048ee 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,410 +1,2 @@
 policy_module(mta, 2.8.0)
 
-########################################
-#
-# Declarations
-#
-
-attribute mailcontent_type;
-attribute mta_exec_type;
-attribute mta_user_agent;
-attribute mailserver_delivery;
-attribute mailserver_domain;
-attribute mailserver_sender;
-
-attribute user_mail_domain;
-
-attribute_role user_mail_roles;
-
-type etc_aliases_t;
-files_type(etc_aliases_t)
-
-type etc_mail_t;
-files_config_file(etc_mail_t)
-
-type mail_home_t alias mail_forward_t;
-userdom_user_home_content(mail_home_t)
-
-type mail_home_rw_t;
-userdom_user_home_content(mail_home_rw_t)
-
-type mqueue_spool_t;
-files_mountpoint(mqueue_spool_t)
-
-type mail_spool_t;
-files_mountpoint(mail_spool_t)
-
-type sendmail_exec_t;
-mta_agent_executable(sendmail_exec_t)
-
-mta_base_mail_template(system)
-role system_r types system_mail_t;
-
-mta_base_mail_template(user)
-typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
-typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
-userdom_user_application_type(user_mail_t)
-role user_mail_roles types user_mail_t;
-
-typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
-typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
-userdom_user_tmp_file(user_mail_tmp_t)
-
-########################################
-#
-# Common base mail policy
-#
-
-allow user_mail_domain self:capability { setuid setgid chown };
-allow user_mail_domain self:process { signal_perms setrlimit };
-allow user_mail_domain self:fifo_file rw_fifo_file_perms;
-
-allow user_mail_domain mta_exec_type:file entrypoint;
-
-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
-
-manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, 
"Maildir")
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, 
".maildir")
-
-read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { 
etc_mail_t etc_aliases_t })
-
-manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { 
mqueue_spool_t mail_spool_t })
-read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { 
mqueue_spool_t mail_spool_t })
-
-allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
-
-can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
-
-kernel_read_crypto_sysctls(user_mail_domain)
-kernel_read_system_state(user_mail_domain)
-kernel_read_kernel_sysctls(user_mail_domain)
-kernel_read_network_state(user_mail_domain)
-kernel_request_load_module(user_mail_domain)
-
-corenet_all_recvfrom_netlabel(user_mail_domain)
-corenet_tcp_sendrecv_generic_if(user_mail_domain)
-corenet_tcp_sendrecv_generic_node(user_mail_domain)
-
-corenet_sendrecv_all_client_packets(user_mail_domain)
-corenet_tcp_connect_all_ports(user_mail_domain)
-corenet_tcp_sendrecv_all_ports(user_mail_domain)
-
-corecmd_exec_bin(user_mail_domain)
-
-dev_read_urand(user_mail_domain)
-
-domain_use_interactive_fds(user_mail_domain)
-
-files_read_etc_runtime_files(user_mail_domain)
-files_read_usr_files(user_mail_domain)
-files_search_spool(user_mail_domain)
-files_dontaudit_search_pids(user_mail_domain)
-
-fs_getattr_all_fs(user_mail_domain)
-
-init_dontaudit_rw_utmp(user_mail_domain)
-
-logging_send_syslog_msg(user_mail_domain)
-
-miscfiles_read_localization(user_mail_domain)
-
-tunable_policy(`use_samba_home_dirs',`
-       fs_manage_cifs_dirs(user_mail_domain)
-       fs_manage_cifs_files(user_mail_domain)
-       fs_read_cifs_symlinks(user_mail_domain)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-       fs_manage_nfs_dirs(user_mail_domain)
-       fs_manage_nfs_files(user_mail_domain)
-       fs_read_nfs_symlinks(user_mail_domain)
-')
-
-optional_policy(`
-       courier_manage_spool_dirs(user_mail_domain)
-       courier_manage_spool_files(user_mail_domain)
-       courier_rw_spool_pipes(user_mail_domain)
-')
-
-optional_policy(`
-       exim_domtrans(user_mail_domain)
-       exim_manage_log(user_mail_domain)
-       exim_manage_spool_files(user_mail_domain)
-       exim_read_var_lib_files(user_mail_domain)
-')
-
-optional_policy(`
-       files_getattr_tmp_dirs(user_mail_domain)
-
-       postfix_exec_master(user_mail_domain)
-       postfix_read_config(user_mail_domain)
-       postfix_search_spool(user_mail_domain)
-       postfix_rw_inherited_master_pipes(user_mail_domain)
-
-       ifdef(`distro_redhat',`
-               postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir 
file lnk_file sock_file fifo_file })
-       ')
-')
-
-optional_policy(`
-       procmail_exec(user_mail_domain)
-')
-
-optional_policy(`
-       qmail_domtrans_inject(user_mail_domain)
-')
-
-optional_policy(`
-       sendmail_manage_log(user_mail_domain)
-       sendmail_log_filetrans_sendmail_log(user_mail_domain, file)
-')
-
-optional_policy(`
-       uucp_manage_spool(user_mail_domain)
-')
-
-########################################
-#
-# System local policy
-#
-
-allow system_mail_t self:capability { dac_override fowner };
-
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-
-allow system_mail_t mail_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, 
".esmtp_queue")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, 
"dead.letter")
-
-allow system_mail_t user_mail_domain:dir list_dir_perms;
-allow system_mail_t user_mail_domain:file read_file_perms;
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
-
-corecmd_exec_shell(system_mail_t)
-
-dev_read_rand(system_mail_t)
-dev_read_sysfs(system_mail_t)
-
-fs_rw_anon_inodefs_files(system_mail_t)
-
-selinux_getattr_fs(system_mail_t)
-
-term_dontaudit_use_unallocated_ttys(system_mail_t)
-
-init_use_script_ptys(system_mail_t)
-
-userdom_use_user_terminals(system_mail_t)
-
-optional_policy(`
-       apache_read_squirrelmail_data(system_mail_t)
-       apache_append_squirrelmail_data(system_mail_t)
-       apache_dontaudit_append_log(system_mail_t)
-       apache_dontaudit_rw_stream_sockets(system_mail_t)
-       apache_dontaudit_rw_tcp_sockets(system_mail_t)
-       apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
-       arpwatch_manage_tmp_files(system_mail_t)
-
-       ifdef(`hide_broken_symptoms',`
-               arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
-       ')
-')
-
-optional_policy(`
-       bugzilla_search_content(system_mail_t)
-       bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
-       clamav_stream_connect(system_mail_t)
-       clamav_append_log(system_mail_t)
-')
-
-optional_policy(`
-       cron_read_system_job_tmp_files(system_mail_t)
-       cron_dontaudit_write_pipes(system_mail_t)
-       cron_rw_system_job_stream_sockets(system_mail_t)
-')
-
-optional_policy(`
-       courier_stream_connect_authdaemon(system_mail_t)
-')
-
-optional_policy(`
-       cvs_read_data(system_mail_t)
-')
-
-optional_policy(`
-       fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
-       fail2ban_append_log(system_mail_t)
-       fail2ban_rw_inherited_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-       logrotate_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-       logwatch_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-       milter_getattr_all_sockets(system_mail_t)
-')
-
-optional_policy(`
-       nagios_read_tmp_files(system_mail_t)
-')
-
-optional_policy(`
-       manage_dirs_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-       manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-       manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-       manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-       manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
-       files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file 
sock_file fifo_file })
-')
-
-optional_policy(`
-       sxid_read_log(system_mail_t)
-')
-
-optional_policy(`
-       userdom_dontaudit_use_user_ptys(system_mail_t)
-
-       optional_policy(`
-               cron_dontaudit_append_system_job_tmp_files(system_mail_t)
-       ')
-')
-
-optional_policy(`
-       spamassassin_stream_connect_spamd(system_mail_t)
-')
-
-optional_policy(`
-       smartmon_read_tmp_files(system_mail_t)
-')
-
-########################################
-#
-# MTA user agent local policy
-#
-
-userdom_use_user_terminals(mta_user_agent)
-
-optional_policy(`
-       apache_append_log(mta_user_agent)
-')
-
-optional_policy(`
-       arpwatch_manage_tmp_files(mta_user_agent)
-
-       ifdef(`hide_broken_symptoms',`
-               arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
-       ')
-
-       optional_policy(`
-               cron_read_system_job_tmp_files(mta_user_agent)
-       ')
-')
-
-########################################
-#
-# Mailserver delivery local policy
-#
-
-allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
-
-allow mailserver_delivery mail_spool_t:dir list_dir_perms;
-create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-
-manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { 
mail_home_t mail_home_rw_t })
-manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, 
".esmtp_queue")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, 
".forward")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, 
".mailrc")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, 
"dead.letter")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, 
"Maildir")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, 
".maildir")
-
-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-
-tunable_policy(`use_samba_home_dirs',`
-       fs_manage_cifs_dirs(mailserver_delivery)
-       fs_manage_cifs_files(mailserver_delivery)
-       fs_read_cifs_symlinks(mailserver_delivery)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-       fs_manage_nfs_dirs(mailserver_delivery)
-       fs_manage_nfs_files(mailserver_delivery)
-       fs_read_nfs_symlinks(mailserver_delivery)
-')
-
-optional_policy(`
-       arpwatch_search_data(mailserver_delivery)
-')
-
-optional_policy(`
-       dovecot_manage_spool(mailserver_delivery)
-       dovecot_domtrans_deliver(mailserver_delivery)
-')
-
-optional_policy(`
-       files_search_var_lib(mailserver_delivery)
-
-       mailman_domtrans(mailserver_delivery)
-       mailman_read_data_symlinks(mailserver_delivery)
-')
-
-optional_policy(`
-       postfix_rw_inherited_master_pipes(mailserver_delivery)
-')
-
-optional_policy(`
-       uucp_domtrans_uux(mailserver_delivery)
-')
-
-########################################
-#
-# User local policy
-#
-
-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
-
-dev_read_sysfs(user_mail_t)
-
-userdom_use_user_terminals(user_mail_t)
-
-optional_policy(`
-       allow user_mail_t self:capability dac_override;
-
-       userdom_rw_user_tmp_files(user_mail_t)
-
-       postfix_read_config(user_mail_t)
-       postfix_list_spool(user_mail_t)
-')
-
-ifdef(`distro_gentoo',`
-       optional_policy(`
-               at_rw_inherited_job_log_files(system_mail_t)
-       ')
-')

diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te.orig
similarity index 100%
copy from policy/modules/contrib/mta.te
copy to policy/modules/contrib/mta.te.orig
