commit: 045e19bda47a4abb2725672b0da50dafaaf85739 |
Author: cgzones <cgzones <AT> googlemail <DOT> com> |
AuthorDate: Thu Jan 5 19:12:45 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Jan 23 12:56:05 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=045e19bd |
|
update exim module |
|
policy/modules/contrib/exim.fc | 14 +++++++------- |
policy/modules/contrib/exim.if | 8 ++++---- |
policy/modules/contrib/exim.te | 25 +++++++++++++------------ |
3 files changed, 24 insertions(+), 23 deletions(-) |
|
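diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
index 9e04a0d..842cb34 100644
--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -1,13 +1,13 @@
 /etc/rc\.d/init\.d/exim[0-9]? -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
 
-/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
-/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_pid_t,s0)
+/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_pid_t,s0)
 
-/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
 
-/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
 
-/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
-/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
 
-/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
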
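diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 51655bb..c75f5fa 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -96,10 +96,10 @@ interface(`exim_read_tmp_files',`
 #
 interface(`exim_read_pid_files',`
 gen_require(`
-type exim_var_run_t;
+type exim_pid_t;
 ')
 
-allow $1 exim_var_run_t:file read_file_perms;
+allow $1 exim_pid_t:file read_file_perms;
 files_search_pids($1)
 ')
 
@@ -281,7 +281,7 @@ interface(`exim_manage_var_lib_files',`
 interface(`exim_admin',`
 gen_require(`
 type exim_t, exim_spool_t, exim_log_t;
-type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+type exim_pid_t, exim_initrc_exec_t, exim_tmp_t;
 type exim_keytab_t;
 ')
 
@@ -300,7 +300,7 @@ interface(`exim_admin',`
 admin_pattern($1, exim_log_t)
 
 files_search_pids($1)
-admin_pattern($1, exim_var_run_t)
+admin_pattern($1, exim_pid_t)
 
 files_search_tmp($1)
 admin_pattern($1, exim_tmp_t)
 
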
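diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index b8de337..5f2810f 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -54,17 +54,18 @@ files_type(exim_var_lib_t)
 type exim_log_t;
 logging_log_file(exim_log_t)
 
+type exim_pid_t;
+typealias exim_pid_t alias exim_var_run_t;
+files_pid_file(exim_pid_t)
+
 type exim_spool_t;
 files_type(exim_spool_t)
 
 type exim_tmp_t;
 files_tmp_file(exim_tmp_t)
 
-type exim_var_run_t;
-files_pid_file(exim_var_run_t)
-
 ifdef(`distro_debian',`
-init_daemon_pid_file(exim_var_run_t, dir, "exim4")
+init_daemon_pid_file(exim_pid_t, dir, "exim4")
 ')
 
 ########################################
@@ -72,21 +73,25 @@ ifdef(`distro_debian',`
 # Local policy
 #
 
-allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:capability { chown dac_override fowner setuid setgid sys_resource };
 allow exim_t self:process { setrlimit setpgid };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
 allow exim_t self:tcp_socket { accept listen };
 
-allow exim_t exim_keytab_t:file read_file_perms;
+can_exec(exim_t, exim_exec_t)
 
-manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+allow exim_t exim_keytab_t:file read_file_perms;
 
 append_files_pattern(exim_t, exim_log_t, exim_log_t)
 create_files_pattern(exim_t, exim_log_t, exim_log_t)
 setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
 logging_log_filetrans(exim_t, exim_log_t, file)
 
+manage_dirs_pattern(exim_t, exim_pid_t, exim_pid_t)
+manage_files_pattern(exim_t, exim_pid_t, exim_pid_t)
+files_pid_filetrans(exim_t, exim_pid_t, { dir file })
+
 manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
 manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
 manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
@@ -96,11 +101,7 @@ manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
 manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
 files_tmp_filetrans(exim_t, exim_tmp_t, { dir file })
 
-manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
-
-can_exec(exim_t, exim_exec_t)
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
 
 kernel_read_crypto_sysctls(exim_t)
 kernel_read_kernel_sysctls(exim_t)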
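Review bot: The `allow exim_t self:capability` line in the `# Local policy` hunk drops `dac_read_search` while keeping `dac_override`, and because `dac_override` is the broader of the two (it bypasses read, write and search DAC checks) this does not narrow exim_t's effective privilege; what it may change is auditing, since recent kernels consult `dac_read_search` before `dac_override` for read and search checks, so exim_t can start logging `dac_read_search` denials on accesses that still succeed through `dac_override`. If that noise shows up in testing, the conventional refpolicy form is `dontaudit exim_t self:capability dac_read_search;` beside the allow rule; if the intent was actually to reduce privilege, removing `dac_override` is the change that would do it and would need testing against exim's spool and log handling. The other exim.te hunks (the `exim_pid_t` rename with its `typealias exim_pid_t alias exim_var_run_t;`, and the moved `can_exec` and `exim_var_lib_t` rules) are renaming and reordering only, and the commit message "update exim module" gives no hint that a capability was dropped, which is worth a sentence for anyone bisecting a later denial.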