General Policy for sendmail

The sendmail program is allowed to:
- accept messages to be delivered
- pass those messages on to procmail
- call smrsh to execute user scripts
- send and receive messages to and from the network
- bind to port 25
- read the sendmail configuration files located in /etc/mail
- read and append to the sendmail log file located in /var/log/maillog.

The system boot process is allowed to start the sendmail program as a daemon.

The system administrator is allowed to:
- start and stop the sendmail daemon process
- create and modify sendmail configuration files
- modify and execute his own scripts.

Users are allowed to:
- send messages
- modify and execute user scripts.

Script processes are allowed to:
- execute scripts
- append to the user's files.

The following new types were defined:

  mqueue_spool_t         mail queue spool file
  etc_mail_t             mail files in /etc
  sendmail_t             sendmail daemon process
  sendmail_statistics_t  statistics file
  sendmail_tmp_t         temporary files
  sendmail_var_log_t     log files located in /var/log
  sendmail_var_run_t     process id file in /var/run
  user_mail_t            mail user process
  sysadmin_mail_t        mail sysadmin process
  user_mail_tmp_t        user mail temporary files
  sysadmin_mail_tmp_t    sysadmin mail temporary files
  procmail_exec_t        procmail executable file
  procmail_t             procmail process
  user_smrsh_t           user script process
  sysadmin_smrsh_t       sysadmin script process
  smrsh_exec_t           smrsh executable file
  etc_smrsh_t            /etc/smrsh directory

No new roles are defined in the sendmail policy. However, three new types are added to the user (user_r) role:

  user_mail_t    user mode mail
  procmail_t     procmail
  user_smrsh_t   user script

and three new types are added to the sysadm (sysadm_r) role:

  sysadm_mail_t     sysadm mode mail
  procmail_t        procmail
  sysadmin_smrsh_t  system administrator script
Policy Stated Using Type Definitions

A process of type sendmail_t (the sendmail daemon) is allowed to:
- connect to the network and bind to port 25
- write to files of type etc_aliases_t (/etc/aliases)
- create files of type etc_mail_t (/etc/mail)
- write to files of type mqueue_spool_t (/var/spool/mqueue)
- read files of type dot_forward_t (`.forward' files)
- read files of type user_home_t and sysadm_home_t (files in the home directories of the user and the system administrator).

The policy also disables auditing of write access denials to utmp; the writes are still denied, they are simply not logged.

A process of type procmail_t is allowed to:
- communicate with the sendmail daemon (sendmail_t)
- write to files of type mail_spool_t.

A process of type user_smrsh_t or sysadmin_smrsh_t is allowed to:
- communicate with sendmail (sendmail_t)
- execute files of type etc_smrsh_t (programs in /etc/smrsh)
- execute scripts
- append to files of type user_home_t or sysadm_home_t (home directory files)
- read from the pipe from the shell.

A sendmail process running in user mode (type user_mail_t) is allowed to:
- write to files of type mqueue_spool_t (/var/spool/mqueue)
- write to files of type sendmail_var_log_t (/var/log/maillog)
- read and write files of type sendmail_statistics_t (/etc/mail/statistics)
- read from the user's shell space; this allows communication with the shell
- read and write files of type user_tmp_t
- create the dead.letter file in user home directories
- read files of type etc_mail_t (all files in /etc/mail)
- read files of type dot_forward_t (the user's `.forward' file)
- send mail to the sysadmin, and vice versa.

In addition, a sendmail process running with type sysadmin_mail_t is allowed to read and write files of type sysadmin_tmp_t.

The following transitions are allowed in daemon mode:
- sendmail_t to procmail_t
- sendmail_t to user_smrsh_t
- sendmail_t to sysadm_smrsh_t
The following transitions are allowed in user mode:
- user_mail_t to procmail_t
- user_mail_t to user_smrsh_t
- user_mail_t to sysadm_smrsh_t
- sysadm_mail_t to procmail_t
- sysadm_mail_t to sysadm_smrsh_t
- sysadm_mail_t to user_smrsh_t

These transitions are accomplished using the execve_secure system call, which takes the place of the original execve call. The parameters for this call are taken from two configuration files:

  /etc/security/sendmail_context
  /etc/security/smrsh_context

Requesting a context through execve_secure does not bypass the policy: the kernel still checks that the calling domain may transition to the requested domain and that the executable is a permitted entry point for it, so the lists above are the complete set of domains a sendmail process can reach. Everything not explicitly allowed by the policy is denied.
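The rules stated in prose above, written out in the policy language of the early SELinux example policy, as an added illustration. This is not the project's own sendmail.te; it is reconstructed from the statements on this page. The macros domain_trans, domain_auto_trans, tmp_domain, log_domain, var_run_domain, can_network and the *_file_perms/*_dir_perms permission sets are the ones the example policy shipped; smtp_port_t, initrc_t, initrc_var_run_t (the label of utmp), user_t, sysadm_t, user_home_dir_t, etc_aliases_t, dot_forward_t and mail_spool_t are assumed to be defined elsewhere in the policy. Where this page spells a type both ways (sysadmin_smrsh_t and sysadm_smrsh_t, sysadmin_mail_t and sysadm_mail_t), the block uses the sysadm_ form from the transition lists. Because the transitions are requested explicitly through execve_secure rather than chosen automatically on execve, they are declared with domain_trans, which grants the `process transition' and `file entrypoint' permissions but adds no type_transition rule.

```selinux
# Added illustration in the early SELinux example-policy language.
# Reconstructed from this page; not the project's actual sendmail.te.
# Assumed to exist elsewhere in the policy: smtp_port_t, initrc_t,
# initrc_var_run_t (utmp), user_t, sysadm_t, user_home_dir_t,
# etc_aliases_t, dot_forward_t, mail_spool_t, user_tmp_t, sysadm_tmp_t.

# Types named on this page.
type sendmail_t, domain, privlog, privmail;
type sendmail_exec_t, file_type, sysadmfile, exec_file_type;
type etc_mail_t, file_type, sysadmfile;
type mqueue_spool_t, file_type, sysadmfile;
type sendmail_statistics_t, file_type, sysadmfile;
type procmail_t, domain, privlog;
type procmail_exec_t, file_type, sysadmfile, exec_file_type;
type smrsh_exec_t, file_type, sysadmfile, exec_file_type;
type etc_smrsh_t, file_type, sysadmfile;
type user_smrsh_t, domain;
type sysadm_smrsh_t, domain;
type user_mail_t, domain, privlog;
type sysadm_mail_t, domain, privlog;

# These macros define sendmail_tmp_t, sendmail_var_log_t and
# sendmail_var_run_t together with the labelling rules for files the
# daemon creates under /tmp, /var/log and /var/run.
tmp_domain(sendmail)
log_domain(sendmail)
var_run_domain(sendmail)

# No new roles; the new domains are added to the existing ones.
role user_r   types { user_mail_t procmail_t user_smrsh_t };
role sysadm_r types { sysadm_mail_t procmail_t sysadm_smrsh_t };

# Only the boot process enters sendmail_t; a user or sysadm shell
# running the same binary gets user_mail_t or sysadm_mail_t instead.
# These are automatic transitions on execve (type_transition included).
domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
domain_auto_trans(user_t, sendmail_exec_t, user_mail_t)
domain_auto_trans(sysadm_t, sendmail_exec_t, sysadm_mail_t)

# Daemon: network access and binding to port 25.
can_network(sendmail_t)
allow sendmail_t self:tcp_socket create_stream_socket_perms;
allow sendmail_t smtp_port_t:tcp_socket name_bind;

# Daemon: configuration is read-only; queue, aliases and log are writable.
allow sendmail_t etc_mail_t:dir r_dir_perms;
allow sendmail_t etc_mail_t:file r_file_perms;
allow sendmail_t etc_aliases_t:file rw_file_perms;
allow sendmail_t mqueue_spool_t:dir rw_dir_perms;
allow sendmail_t mqueue_spool_t:file create_file_perms;
allow sendmail_t sendmail_var_log_t:file ra_file_perms;
allow sendmail_t dot_forward_t:file r_file_perms;
allow sendmail_t { user_home_t sysadm_home_t }:file r_file_perms;
# utmp writes stay denied; dontaudit only suppresses the log message.
dontaudit sendmail_t initrc_var_run_t:file write;

# User-mode sendmail: queue, log, statistics, config, .forward, tmp.
allow { user_mail_t sysadm_mail_t } mqueue_spool_t:dir rw_dir_perms;
allow { user_mail_t sysadm_mail_t } mqueue_spool_t:file create_file_perms;
allow { user_mail_t sysadm_mail_t } sendmail_var_log_t:file ra_file_perms;
allow { user_mail_t sysadm_mail_t } sendmail_statistics_t:file rw_file_perms;
allow { user_mail_t sysadm_mail_t } etc_mail_t:dir r_dir_perms;
allow { user_mail_t sysadm_mail_t } etc_mail_t:file r_file_perms;
allow { user_mail_t sysadm_mail_t } dot_forward_t:file r_file_perms;
allow user_mail_t user_tmp_t:file rw_file_perms;
allow sysadm_mail_t sysadm_tmp_t:file rw_file_perms;
# dead.letter in the user's home directory.
allow user_mail_t user_home_dir_t:dir rw_dir_perms;
allow user_mail_t user_home_t:file create_file_perms;

# procmail talks to sendmail over the inherited pipe and writes the spool.
allow procmail_t sendmail_t:fd use;
allow procmail_t sendmail_t:fifo_file rw_file_perms;
allow procmail_t mail_spool_t:dir rw_dir_perms;
allow procmail_t mail_spool_t:file create_file_perms;

# smrsh runs programs from /etc/smrsh and appends to home-directory files.
allow { user_smrsh_t sysadm_smrsh_t } sendmail_t:fd use;
allow { user_smrsh_t sysadm_smrsh_t } sendmail_t:fifo_file rw_file_perms;
allow { user_smrsh_t sysadm_smrsh_t } etc_smrsh_t:dir r_dir_perms;
allow { user_smrsh_t sysadm_smrsh_t } etc_smrsh_t:file rx_file_perms;
allow user_smrsh_t user_home_t:file ra_file_perms;
allow sysadm_smrsh_t sysadm_home_t:file ra_file_perms;

# Transitions requested explicitly via execve_secure.  domain_trans grants
# `process transition' to the caller and `file entrypoint' to the new
# domain but adds no type_transition, so the caller must name the new
# context; any pair not listed here is denied by default.
domain_trans(sendmail_t, procmail_exec_t, procmail_t)
domain_trans(sendmail_t, smrsh_exec_t, user_smrsh_t)
domain_trans(sendmail_t, smrsh_exec_t, sysadm_smrsh_t)
domain_trans(user_mail_t, procmail_exec_t, procmail_t)
domain_trans(user_mail_t, smrsh_exec_t, user_smrsh_t)
domain_trans(user_mail_t, smrsh_exec_t, sysadm_smrsh_t)
domain_trans(sysadm_mail_t, procmail_exec_t, procmail_t)
domain_trans(sysadm_mail_t, smrsh_exec_t, sysadm_smrsh_t)
domain_trans(sysadm_mail_t, smrsh_exec_t, user_smrsh_t)
```

The point worth checking against a real policy of this shape is the last group: an smrsh_exec_t binary is an entry point for both user_smrsh_t and sysadm_smrsh_t, so which domain a script runs in is decided by the context sendmail passes to execve_secure (taken from /etc/security/smrsh_context), not by the file label. Any error in that file is therefore bounded by the domain_trans rules above, and nothing in the policy lets a user_smrsh_t process reach sysadm_home_t.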