From 6fea4d499b3e7ca10b73bbbb3c32bbd7f7373989 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 11 Dec 2024 10:55:06 +0100
Subject: [PATCH] Allow sendmail to map mail server configuration files

Fixes:
type=PROCTITLE msg=audit(11/15/2024 02:41:04.796:891) : proctitle=sendmail: startup with localhost
type=MMAP msg=audit(11/15/2024 02:41:04.796:891) : fd=5 flags=MAP_SHARED
type=SYSCALL msg=audit(11/15/2024 02:41:04.796:891) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x896 a2=PROT_READ a3=MAP_SHARED items=0 ppid=12782 pid=12850 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=unset comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(11/15/2024 02:41:04.796:891) : avc:  denied  { map } for  pid=12850 comm=sendmail path=/etc/mail/access.cdb dev="vda2" ino=16783732 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:etc_mail_t:s0 tclass=file permissive=0

Related: https://issues.redhat.com/browse/RHEL-54014
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/modules/contrib/mta.if      | 19 +++++++++++++++++++
 policy/modules/contrib/sendmail.te |  1 +
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 80738621b3..9cecbef637 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -524,6 +524,25 @@ interface(`mta_read_config',`
 	read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
 ')
 
+########################################
+## <summary>
+##	Mmap mail server configuration.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_map_config',`
+	gen_require(`
+		type etc_mail_t;
+	')
+
+	allow $1 etc_mail_t:file map;
+')
+
 ########################################
 ## <summary>
 ##	write mail server configuration.
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index d3b70e081b..16c69a69d6 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -126,6 +126,7 @@ userdom_read_user_home_content_files(sendmail_t)
 userdom_dontaudit_list_user_home_dirs(sendmail_t)
 
 mta_read_config(sendmail_t)
+mta_map_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
 # Write to /etc/aliases and /etc/mail.
 mta_map_aliases(sendmail_t)