Bug 485537 - Add policy for RT's email gateway interface
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-13 19:16 EST by Dax Kelson
Modified: 2009-09-04 11:45 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-04 11:45:36 EDT
Attachments: None
Description Dax Kelson 2009-02-13 19:16:46 EST
Description of problem:

The very popular Request Tracker (packaged by Fedora now) has an email interface that allows ticket creation/commenting via email. To use it you properly configure your MTA, and then have lines like the following in /etc/aliases:

courseware: "|/usr/sbin/rt-mailgate --queue courseware --action correspond --url https://rt.gurulabs.com/rt3/"

courseware-comment: "|/usr/sbin/rt-mailgate --queue courseware --action comment --url https://rt.gurulabs.com/rt3/"

I use Postfix for my MTA, and I had to write the following policy to:

1. Allow Postfix to execute /usr/sbin/rt-mailgate from /etc/aliases.

2. Allow Apache to send email (seems to be a dup/reopen of bug 426583)

FIXME: Make policy work with other shipped MTAs sendmail and Exim.

--------------------------------------

####### begin rt-mailgate.fc #########
/usr/sbin/rt-mailgate   --      gen_context(system_u:object_r:rt-mailgate_exec_t,s0)

####### begin rt-mailgate.te #########
policy_module(rt-mailgate,1.0.0)

########################################
#
# Declarations
#

gen_require(`
        type postfix_local_t, postfix_postdrop_t, httpd_t, httpd_log_t, system_mail_t;
')

type rt-mailgate_t;
type rt-mailgate_exec_t;
application_domain(rt-mailgate_t, rt-mailgate_exec_t)
role system_r types rt-mailgate_t;


type rt-mailgate_tmp_t;
files_tmp_file(rt-mailgate_tmp_t)

########################################
#
# rt-mailgate local policy
#

# Allow postfix to execute rt-mailgate
allow postfix_local_t rt-mailgate_exec_t:file { read execute ioctl execute_no_trans getattr };

# Needed for Apache to be able to send email
allow postfix_postdrop_t httpd_log_t:file getattr;
allow system_mail_t httpd_t:file read;

## internal communication is often done using fifo and unix sockets.
allow rt-mailgate_t self:fifo_file rw_file_perms;
allow rt-mailgate_t self:unix_stream_socket create_stream_socket_perms;

# Basic runtime needs: config files, dynamic linker, shared libs, locale data
files_read_etc_files(rt-mailgate_t)

libs_use_ld_so(rt-mailgate_t)
libs_use_shared_libs(rt-mailgate_t)

miscfiles_read_localization(rt-mailgate_t)

# Scratch files under /tmp get the private rt-mailgate_tmp_t label
allow rt-mailgate_t rt-mailgate_tmp_t:file manage_file_perms;
allow rt-mailgate_t rt-mailgate_tmp_t:dir create_dir_perms;
files_tmp_filetrans(rt-mailgate_t,rt-mailgate_tmp_t, { file dir })

# rt-mailgate posts the message to RT over HTTP(S), so it needs DNS and an
# outbound TCP connection to the http port
sysnet_dns_name_resolve(rt-mailgate_t)
corenet_all_recvfrom_unlabeled(rt-mailgate_t)

allow rt-mailgate_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(rt-mailgate_t)
corenet_tcp_sendrecv_all_nodes(rt-mailgate_t)
corenet_tcp_sendrecv_all_ports(rt-mailgate_t)
corenet_tcp_connect_http_port(rt-mailgate_t)
Comment 1 Daniel Walsh 2009-03-13 13:38:38 EDT
We usually do not add confinement between releases.  Please submit this policy to upstream and then we can put it in Fedora and eventually RHEL6.
Comment 2 Dax Kelson 2009-03-17 12:00:19 EDT
Can you change this to "Fedora Rawhide"? I tried changing the bug product and I was given a permission denied.
Comment 3 Daniel Walsh 2009-04-13 10:42:16 EDT
Dax, the policy you submitted never actually transitions to rt-mailgate_t, at least that I can see.  So it looks like everything is just running in the postfix_local_t domain?
Comment 4 Dax Kelson 2009-04-13 11:37:07 EDT
Oops.

Could you add the policy so that /usr/sbin/rt-mailgate transitions to rt-mailgate_t?
Comment 5 Daniel Walsh 2009-05-01 14:15:50 EDT
Well I don't know if you want this to transition from a user domain or init.

init_daemon_domain(rt-mailgate_t, rt-mailgate_exec_t)
role system_r types rt-mailgate_t;


Works for starting from init

gen_require(`
type unconfined_t;
role unconfined_r;
')

domtrans_pattern(unconfined_t, rt-mailgate_exec_t, rt-mailgate_t)
role unconfined_r types rt-mailgate_t;
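The gap Daniel points out in comment 3 (an exec type is declared and labelled, but nothing ever transitions into the domain, so the binary keeps running as postfix_local_t) is easy to miss by eye and easy to catch mechanically. The following is an added example, not code from the bug report or from the selinux-policy package: a small static check over refpolicy-style .te/.fc text that flags every *_exec_t with no process transition into its domain, every exec type no .fc entry labels, and every allow rule that grants execute_no_trans on such a type. It assumes the refpolicy naming convention FOO_exec_t / FOO_t and recognises only the transition forms used in this thread (domtrans_pattern, init_daemon_domain, a raw type_transition). The two policy samples are constructed: an abbreviated copy of the original policy from the description, and the same module with the transition rules from comment 5 plus an assumed domtrans_pattern from postfix_local_t in place of the execute_no_trans rule.

```python
"""Static check for a refpolicy-style module: does every *_exec_t type
actually reach its domain through a process transition?

Added example, not from the bug report or the selinux-policy package.
Assumptions: the refpolicy naming convention FOO_exec_t -> FOO_t, and only
the transition forms seen in this thread (domtrans_pattern,
init_daemon_domain, a raw type_transition) are recognised."""
import re

# "type foo_exec_t;" declarations; the paired domain is assumed to be foo_t.
EXEC_TYPE = re.compile(r'^\s*type\s+([\w-]+)_exec_t\s*;', re.M)
# .fc entries: ... gen_context(system_u:object_r:foo_exec_t,s0)
FC_LABEL = re.compile(r'object_r:([\w-]+_exec_t)')
# Rules that create a process transition into a domain on exec.
TRANSITIONS = [
    re.compile(r'domtrans_pattern\(\s*[\w-]+\s*,\s*(?P<exec>[\w-]+)\s*,\s*(?P<dom>[\w-]+)\s*\)'),
    re.compile(r'init_daemon_domain\(\s*(?P<dom>[\w-]+)\s*,\s*(?P<exec>[\w-]+)\s*\)'),
    re.compile(r'type_transition\s+[\w-]+\s+(?P<exec>[\w-]+)\s*:\s*process\s+(?P<dom>[\w-]+)\s*;'),
]
# "allow src foo_exec_t:file { ... execute_no_trans ... };" lets src run the
# binary without leaving its own domain, which is what comment 3 observed.
NO_TRANS = re.compile(
    r'allow\s+([\w-]+)\s+([\w-]+_exec_t)\s*:\s*file\s*\{[^}]*\bexecute_no_trans\b[^}]*\}')


def check_policy(te_text, fc_text=""):
    """Return findings as tuples, in a fixed order:
    ("missing-transition", exec_t)    -- nothing transitions into the domain
    ("unlabelled-exec-type", exec_t)  -- no .fc entry labels a file with it
    ("execute_no_trans", src, exec_t) -- src keeps its own domain on exec
    An empty list means the module confines what it declares."""
    reached = {}
    for pat in TRANSITIONS:
        for m in pat.finditer(te_text):
            reached.setdefault(m.group("exec"), set()).add(m.group("dom"))
    labelled = set(FC_LABEL.findall(fc_text))
    findings = []
    for m in EXEC_TYPE.finditer(te_text):
        exec_t, dom = m.group(1) + "_exec_t", m.group(1) + "_t"
        if dom not in reached.get(exec_t, ()):
            findings.append(("missing-transition", exec_t))
        if exec_t not in labelled:
            findings.append(("unlabelled-exec-type", exec_t))
    for src, exec_t in NO_TRANS.findall(te_text):
        findings.append(("execute_no_trans", src, exec_t))
    return findings


# Constructed sample: the shape of the policy in the bug description.
BUGGY_TE = """\
policy_module(rt-mailgate,1.0.0)
gen_require(`
        type postfix_local_t;
')
type rt-mailgate_t;
type rt-mailgate_exec_t;
application_domain(rt-mailgate_t, rt-mailgate_exec_t)
role system_r types rt-mailgate_t;
allow postfix_local_t rt-mailgate_exec_t:file { read execute ioctl execute_no_trans getattr };
"""
RT_FC = "/usr/sbin/rt-mailgate   --      gen_context(system_u:object_r:rt-mailgate_exec_t,s0)\n"

# Constructed sample: same module with the transition rules from comment 5,
# plus an assumed domtrans from postfix_local_t in place of execute_no_trans.
FIXED_TE = """\
policy_module(rt-mailgate,1.0.0)
gen_require(`
        type postfix_local_t, unconfined_t;
        role unconfined_r;
')
type rt-mailgate_t;
type rt-mailgate_exec_t;
init_daemon_domain(rt-mailgate_t, rt-mailgate_exec_t)
role system_r types rt-mailgate_t;
domtrans_pattern(postfix_local_t, rt-mailgate_exec_t, rt-mailgate_t)
domtrans_pattern(unconfined_t, rt-mailgate_exec_t, rt-mailgate_t)
role unconfined_r types rt-mailgate_t;
"""

if __name__ == "__main__":
    for name, te in (("buggy", BUGGY_TE), ("fixed", FIXED_TE)):
        print(name, check_policy(te, RT_FC) or "OK")
```

Run against the original shape, the checker reports both the missing transition and the execute_no_trans grant to postfix_local_t; against the amended module it reports nothing. It is a text-level lint, so on a real system the authoritative check is still querying the loaded policy (for example with sesearch for type_transition rules on rt-mailgate_exec_t) after the module is installed.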
Comment 6 Bug Zapper 2009-06-09 07:23:25 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping