authorRussell Coker <russell@coker.com.au>2023-09-28 23:57:18 +1000
committerKenton Groombridge <concord@gentoo.org>2023-10-06 11:31:45 -0400
commit0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef (patch)
treed42c71d2d7d9d372767df446458281067b00f48c
parentmon.te patches as well as some fstools patches related to it (#697) (diff)
misc small email changes (#704)
* Small changes to courier, dovecot, exim, postfix, and sendmail policy. Signed-off-by: Russell Coker <russell@coker.com.au> * Removed an obsolete patch Signed-off-by: Russell Coker <russell@coker.com.au> * Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined Signed-off-by: Russell Coker <russell@coker.com.au> * Use create_stream_socket_perms for unix connection to itself Signed-off-by: Russell Coker <russell@coker.com.au> * Removed unconfined_run_to Signed-off-by: Russell Coker <russell@coker.com.au> * Remove change for it to run from a user session Signed-off-by: Russell Coker <russell@coker.com.au> * Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and moved it out of the postfix section Signed-off-by: Russell Coker <russell@coker.com.au> --------- Signed-off-by: Russell Coker <russell@coker.com.au> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/services/courier.fc4
-rw-r--r--policy/modules/services/courier.te21
-rw-r--r--policy/modules/services/dovecot.te3
-rw-r--r--policy/modules/services/exim.te3
-rw-r--r--policy/modules/services/mta.if1
-rw-r--r--policy/modules/services/mta.te32
-rw-r--r--policy/modules/services/postfix.if3
-rw-r--r--policy/modules/services/postfix.te4
-rw-r--r--policy/modules/services/sendmail.te4
9 files changed, 70 insertions, 5 deletions
diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
index 0f56d60d8..28594264f 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -23,8 +23,8 @@
/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/imapd.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
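Review bot: The rewritten `imapd.*` and `pop3d.*` specs on the two `+` lines match any regular file under /usr/lib/courier whose name merely begins with `imapd` or `pop3d`, because `.` is a regex metacharacter in file-context specs, so more than the intended variants (presumably the `-ssl` wrappers — I have not confirmed which files the pattern is meant to cover) would be labelled as a courier_pop_t entrypoint. If only a known suffix is wanted, a tighter spec such as `/usr/lib/courier/imapd(-ssl)? -- gen_context(system_u:object_r:courier_pop_exec_t,s0)` says exactly what is labelled. The `--` qualifier already limits the match to regular files, so the practical exposure is small, but an entrypoint label is the kind of thing worth keeping precise.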
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 00ca1db6e..b5fa0c163 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe
can_exec(courier_authdaemon_t, courier_exec_t)
+kernel_getattr_proc(courier_authdaemon_t)
+
corecmd_exec_shell(courier_authdaemon_t)
domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t)
miscfiles_read_localization(courier_authdaemon_t)
selinux_getattr_fs(courier_authdaemon_t)
+seutil_search_default_contexts(courier_authdaemon_t)
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
# POP3/IMAP local policy
#
-allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid };
+dontaudit courier_pop_t self:capability fsetid;
+allow courier_pop_t self:unix_stream_socket create_stream_socket_perms;
+allow courier_pop_t self:process setrlimit;
+
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_pop_t courier_var_lib_t:file manage_file_perms;
+allow courier_pop_t courier_etc_t:file map;
+
+can_exec(courier_pop_t, courier_exec_t)
+can_exec(courier_pop_t, courier_tcpd_exec_t)
stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
corecmd_exec_shell(courier_pop_t)
+corenet_tcp_bind_generic_node(courier_pop_t)
+corenet_tcp_bind_pop_port(courier_pop_t)
+
+files_search_var_lib(courier_pop_t)
+miscfiles_read_generic_certs(courier_pop_t)
miscfiles_read_localization(courier_pop_t)
mta_manage_mail_home_rw_content(courier_pop_t)
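Review bot: The rewritten `allow courier_pop_t self:capability` line widens the set from `{ setgid setuid }` to also include `chown`, `dac_read_search` and `fowner`, and nothing in the hunk records which operation of the POP/IMAP daemon needs them; `dac_read_search` in particular lets the domain bypass DAC read and search checks on any file its SELinux rules otherwise allow. Refpolicy convention is to keep `self:capability` minimal, so a comment above the line naming the triggering operation, e.g. `# chown/fowner/dac_read_search: needed for <operation> — confirm against audit log`, would help the next reader judge whether a `dontaudit` would do for any of them. Separately, `can_exec(courier_pop_t, courier_tcpd_exec_t)` means couriertcpd started by this domain runs in courier_pop_t rather than courier_tcpd_t, which the existing courier_tcpd_t socket rules on the context lines suggest is the reverse of the usual flow; if that is intended a one-line comment saying why would avoid someone "fixing" it into a domtrans later.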
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 370478770..11ffbb177 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -216,6 +216,7 @@ optional_policy(`
mta_manage_mail_home_rw_content(dovecot_t)
mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+ mta_home_filetrans_mail_home_rw(dovecot_t, dir, "mail")
')
optional_policy(`
@@ -269,6 +270,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
kernel_dontaudit_getattr_proc(dovecot_auth_t)
+kernel_getattr_proc(dovecot_auth_t)
+
files_search_runtime(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
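Review bot: `kernel_dontaudit_getattr_proc(dovecot_auth_t)` on the context line directly above the added `kernel_getattr_proc(dovecot_auth_t)` is now redundant — once the access is allowed there is no denial left to suppress — so the dontaudit line should be dropped in the same change rather than left as dead policy. The courier.te hunk that adds `kernel_getattr_proc(courier_authdaemon_t)` has no such leftover in its visible context.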
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 5e001b37b..80d828466 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -72,7 +72,7 @@ ifdef(`distro_debian',`
# Local policy
#
-allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource };
+allow exim_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
@@ -192,6 +192,7 @@ optional_policy(`
optional_policy(`
cron_read_pipes(exim_t)
+ cron_rw_inherited_tmp_files(exim_t)
cron_rw_system_job_pipes(exim_t)
cron_use_system_job_fds(exim_t)
')
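Review bot: `cron_rw_inherited_tmp_files(exim_t)` on the added line is not defined anywhere in this diff, and the diffstat lists no change to cron.if; the same applies to `systemd_dontaudit_connect_machined(postfix_$1_t)` in the postfix.if hunk, where systemd.if is likewise untouched. The description says both interfaces were added, so they presumably landed in a separate commit, but if either is absent from the tree the m4 expansion fails with an undefined-interface error at build time, so it is worth confirming the ordering before merging.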
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index cdc3cf590..1c15a6b20 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -268,6 +268,7 @@ interface(`mta_manage_mail_home_rw_content',`
manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
allow $1 mail_home_rw_t:file map;
manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ allow $1 mail_home_rw_t:{ dir file } watch;
')
########################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 63c8562ae..1099ccab5 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -15,6 +15,7 @@ attribute mailserver_sender;
attribute user_mail_domain;
attribute_role user_mail_roles;
+attribute_role admin_mail_roles;
type etc_aliases_t;
files_type(etc_aliases_t)
@@ -44,6 +45,10 @@ mta_base_mail_template(user)
userdom_user_application_type(user_mail_t)
role user_mail_roles types user_mail_t;
+mta_base_mail_template(admin)
+userdom_user_application_type(admin_mail_t)
+role admin_mail_roles types admin_mail_t;
+
userdom_user_tmp_file(user_mail_tmp_t)
########################################
@@ -435,3 +440,30 @@ ifdef(`distro_gentoo',`
at_rw_inherited_job_log_files(system_mail_t)
')
')
+
+########################################
+#
+# Admin local policy
+#
+
+manage_files_pattern(admin_mail_t, mail_home_t, mail_home_t)
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".esmtp_queue")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".forward")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".mailrc")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, "dead.letter")
+
+dev_read_sysfs(admin_mail_t)
+
+userdom_use_user_terminals(admin_mail_t)
+
+files_etc_filetrans(admin_mail_t, etc_aliases_t, file)
+allow admin_mail_t etc_aliases_t:file manage_file_perms;
+
+optional_policy(`
+ allow admin_mail_t self:capability dac_override;
+
+ userdom_rw_user_tmp_files(admin_mail_t)
+
+ postfix_read_config(admin_mail_t)
+ postfix_list_spool(admin_mail_t)
+')
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index 847022bf4..5168017b9 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -50,6 +50,9 @@ template(`postfix_domain_template',`
can_exec(postfix_$1_t, postfix_$1_exec_t)
auth_use_nsswitch(postfix_$1_t)
+ ifdef(`init_systemd',`
+ systemd_dontaudit_connect_machined(postfix_$1_t)
+ ')
')
#######################################
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 528a84de9..f327af47a 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -516,9 +516,12 @@ manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctls(postfix_map_t)
+kernel_read_network_state(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
+dev_read_urand(postfix_map_t)
+
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
corenet_tcp_sendrecv_generic_node(postfix_map_t)
@@ -745,6 +748,7 @@ allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
allow postfix_showq_t postfix_spool_t:file read_file_perms;
+allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
term_use_all_ptys(postfix_showq_t)
term_use_all_ttys(postfix_showq_t)
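Review bot: The added `allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };` spells out a raw permission pair where the rest of this series uses the refpolicy permission-set macros (`rw_stream_socket_perms` on the courier.te lines, `create_stream_socket_perms` per the commit message), and `{ read write }` omits `getattr`/`ioctl`, which an inherited socket may need as well. Unless the minimal pair was deliberately chosen, `allow postfix_showq_t postfix_postqueue_t:unix_stream_socket rw_socket_perms;` matches the file's style; the remaining postfix_showq_t rules continue outside the hunk.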
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index f12dd77cd..ba31f3e3a 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -194,6 +194,10 @@ optional_policy(`
')
optional_policy(`
+ userdom_use_inherited_user_terminals(sendmail_t)
+')
+
+optional_policy(`
uucp_domtrans_uux(sendmail_t)
')
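Review bot: `userdom_use_inherited_user_terminals(sendmail_t)` is wrapped in an `optional_policy(` block of its own, but the userdomain module is part of the base policy and its interfaces are called unconditionally elsewhere in this diff (e.g. `userdom_use_user_terminals(admin_mail_t)` in mta.te), so the wrapper is unnecessary and reads as if the terminal access depended on some optional module. Moving the call out of the block as a plain `userdom_use_inherited_user_terminals(sendmail_t)` line next to the other unconditional rules matches refpolicy convention; the commit message says it was moved out of the postfix section, which is presumably how it ended up keeping an optional_policy wrapper.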