
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 02 Oct 2012 18:22:20
Message-Id: 1349201045.0c73e54aade5e6be1e473425a16555c41597ef8b.SwifT@gentoo
1 commit: 0c73e54aade5e6be1e473425a16555c41597ef8b
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Sat Sep 29 09:30:13 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:04:05 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0c73e54a
7
8 Changes to the dovecot policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/dovecot.fc | 52 ++++------
16 policy/modules/contrib/dovecot.if | 42 +++++----
17 policy/modules/contrib/dovecot.te | 194 +++++++++++++++++++++++--------------
18 policy/modules/contrib/postfix.if | 37 +++++++
19 policy/modules/contrib/postfix.te | 2 +-
20 5 files changed, 200 insertions(+), 127 deletions(-)
21
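diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index a5f968d..8fb4470 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -1,46 +1,32 @@
+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
-#
-# /etc
-#
-/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
-/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
-/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
 
-# Debian uses /etc/dovecot/
-ifdef(`distro_debian',`
-/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-')
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
 
-#
-# /usr
-#
-/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
 
-/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
 
-ifdef(`distro_debian', `
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-')
 
-ifdef(`distro_redhat', `
-/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-')
+/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 
-#
-# /var
-#
-/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
 
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
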
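Review bot: The new `/var/run/dovecot/login/ssl-parameters.dat` entry leaves the `.` before `dat` unescaped, unlike every other entry in this file (`dovecot\.conf.*`, `dovecot\.pem`), so it matches any character there; write it as `/var/run/dovecot/login/ssl-parameters\.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)`. Separately, an .fc entry only takes effect at relabel time: a file dovecot_t creates inside a dovecot_var_run_t directory gets dovecot_var_run_t by default, and the dovecot.te hunks in this commit carry no name-based transition to dovecot_var_lib_t for it, so the runtime label and the .fc label will likely disagree until a restorecon runs. Either add a filename transition in the .te (the commit already uses that form for the kerberos rcache) or note in the .fc which label is authoritative.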
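diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
index e1d7dc5..cf53f3d 100644
--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -1,8 +1,9 @@
-## <summary>Dovecot POP and IMAP mail server</summary>
+## <summary>POP and IMAP mail server.</summary>
 
 ########################################
 ## <summary>
-## Connect to dovecot auth unix domain stream socket.
+## Connect to dovecot using a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -16,12 +17,14 @@ interface(`dovecot_stream_connect_auth',`
 type dovecot_auth_t, dovecot_var_run_t;
 ')
 
+ files_search_pids($1)
 stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
 ')
 
 ########################################
 ## <summary>
-## Execute dovecot_deliver in the dovecot_deliver domain.
+## Execute dovecot_deliver in the
+## dovecot_deliver domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -34,12 +37,14 @@ interface(`dovecot_domtrans_deliver',`
 type dovecot_deliver_t, dovecot_deliver_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
 ')
 
 ########################################
 ## <summary>
-## Create, read, write, and delete the dovecot spool files.
+## Create, read, write, and delete
+## dovecot spool files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -52,13 +57,15 @@ interface(`dovecot_manage_spool',`
 type dovecot_spool_t;
 ')
 
+ files_search_spool($1)
 manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
 
 ########################################
 ## <summary>
-## Do not audit attempts to delete dovecot lib files.
+## Do not audit attempts to delete
+## dovecot lib files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -76,8 +83,8 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an dovecot environment
+## All of the rules required to
+## administrate an dovecot environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -86,19 +93,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the dovecot domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`dovecot_admin',`
 gen_require(`
- type dovecot_t, dovecot_etc_t, dovecot_log_t;
- type dovecot_spool_t, dovecot_var_lib_t;
- type dovecot_var_run_t;
-
- type dovecot_cert_t, dovecot_passwd_t;
- type dovecot_initrc_exec_t;
+ type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
+ type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
 ')
 
 allow $1 dovecot_t:process { ptrace signal_perms };
@@ -113,18 +118,19 @@ interface(`dovecot_admin',`
 admin_pattern($1, dovecot_etc_t)
 
 logging_list_logs($1)
- admin_pattern($1, dovecot_log_t)
+ admin_pattern($1, dovecot_var_log_t)
 
 files_list_spool($1)
 admin_pattern($1, dovecot_spool_t)
 
+ files_search_tmp($1)
+ admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
+
 files_list_var_lib($1)
 admin_pattern($1, dovecot_var_lib_t)
 
 files_list_pids($1)
 admin_pattern($1, dovecot_var_run_t)
 
- admin_pattern($1, dovecot_cert_t)
-
- admin_pattern($1, dovecot_passwd_t)
+ admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
 ')
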
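Review bot: The rewritten summary of `dovecot_stream_connect_auth` in the `@@ -1,8 +1,9 @@` hunk drops the word "auth", yet the interface still requires `dovecot_auth_t` and its `stream_connect_pattern` names that domain as the socket peer, so the new text now describes a connection to dovecot in general rather than to the auth socket; keep the peer in the summary, e.g. `## Connect to dovecot auth using a unix domain stream socket.` The `dovecot_log_t` to `dovecot_var_log_t` change in `dovecot_admin` matches the type the .te actually declares and reads as a real fix of a dangling gen_require, which is worth a short mention in the commit message so it is not lost behind the wording changes.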
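diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 44f4a6b..da39b02 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,9 +1,10 @@
-policy_module(dovecot, 1.14.3)
+policy_module(dovecot, 1.14.4)
 
 ########################################
 #
 # Declarations
 #
+
 type dovecot_t;
 type dovecot_exec_t;
 init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -18,7 +19,7 @@ type dovecot_auth_tmp_t;
 files_tmp_file(dovecot_auth_tmp_t)
 
 type dovecot_cert_t;
-files_type(dovecot_cert_t)
+miscfiles_cert_type(dovecot_cert_t)
 
 type dovecot_deliver_t;
 type dovecot_deliver_exec_t;
@@ -26,6 +27,9 @@ domain_type(dovecot_deliver_t)
 domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
 role system_r types dovecot_deliver_t;
 
+type dovecot_deliver_tmp_t;
+files_tmp_file(dovecot_deliver_tmp_t)
+
 type dovecot_etc_t;
 files_config_file(dovecot_etc_t)
 
@@ -41,7 +45,6 @@ files_type(dovecot_spool_t)
 type dovecot_tmp_t;
 files_tmp_file(dovecot_tmp_t)
 
-# /var/lib/dovecot holds SSL parameters file
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t)
 
@@ -53,52 +56,50 @@ files_pid_file(dovecot_var_run_t)
 
 ########################################
 #
-# dovecot local policy
+# Local policy
 #
 
-allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:capability2 block_suspend;
-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
 allow dovecot_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-
-allow dovecot_t dovecot_auth_t:process signal;
-
-allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-
-allow dovecot_t dovecot_etc_t:file read_file_perms;
-files_search_etc(dovecot_t)
-
-can_exec(dovecot_t, dovecot_exec_t)
+allow dovecot_t { dovecot_etc_t dovecot_cert_t }:dir list_dir_perms;
+read_files_pattern(dovecot_t, { dovecot_etc_t dovecot_cert_t }, { dovecot_etc_t dovecot_cert_t })
+read_lnk_files_pattern(dovecot_t, { dovecot_etc_t dovecot_cert_t }, { dovecot_etc_t dovecot_cert_t })
 
 manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
 
-# Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
-files_search_var_lib(dovecot_t)
-files_read_var_symlinks(dovecot_t)
 
 manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
 
 manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 
+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
@@ -109,34 +110,38 @@ corenet_tcp_sendrecv_generic_if(dovecot_t)
 corenet_tcp_sendrecv_generic_node(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_generic_node(dovecot_t)
+
+corenet_sendrecv_mail_server_packets(dovecot_t)
 corenet_tcp_bind_mail_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
 corenet_tcp_bind_pop_port(dovecot_t)
+corenet_sendrecv_sieve_server_packets(dovecot_t)
 corenet_tcp_bind_sieve_port(dovecot_t)
+
+corenet_sendrecv_all_client_packets(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 corenet_tcp_connect_postgresql_port(dovecot_t)
-corenet_sendrecv_pop_server_packets(dovecot_t)
-corenet_sendrecv_all_client_packets(dovecot_t)
+
+corecmd_exec_bin(dovecot_t)
 
 dev_read_sysfs(dovecot_t)
 dev_read_urand(dovecot_t)
 
-fs_getattr_all_fs(dovecot_t)
-fs_getattr_all_dirs(dovecot_t)
-fs_search_auto_mountpoints(dovecot_t)
-fs_list_inotifyfs(dovecot_t)
-
-corecmd_exec_bin(dovecot_t)
-
 domain_use_interactive_fds(dovecot_t)
 
-files_read_etc_files(dovecot_t)
+files_read_etc_runtime_files(dovecot_t)
+files_read_var_lib_files(dovecot_t)
+files_read_var_symlinks(dovecot_t)
 files_search_spool(dovecot_t)
-files_search_tmp(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
-# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
-files_read_etc_runtime_files(dovecot_t)
+files_dontaudit_search_all_dirs(dovecot_t)
 files_search_all_mountpoints(dovecot_t)
 
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
+
 init_getattr_utmp(dovecot_t)
 
 auth_use_nsswitch(dovecot_t)
@@ -156,8 +161,21 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file
 
 mta_manage_spool(dovecot_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_t)
+ fs_manage_nfs_files(dovecot_t)
+ fs_manage_nfs_symlinks(dovecot_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_t)
+ fs_manage_cifs_files(dovecot_t)
+ fs_manage_cifs_symlinks(dovecot_t)
+')
+
 optional_policy(`
 kerberos_keytab_template(dovecot, dovecot_t)
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
 ')
 
 optional_policy(`
@@ -165,6 +183,15 @@ optional_policy(`
 ')
 
 optional_policy(`
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
+')
+
+optional_policy(`
+ sendmail_domtrans(dovecot_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(dovecot_t)
 ')
 
@@ -178,49 +205,47 @@ optional_policy(`
 
 ########################################
 #
-# dovecot auth local policy
+# Auth local policy
 #
 
-allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
-allow dovecot_auth_t self:process { signal_perms getcap setcap };
+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
+allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
 
 read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
 
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
-dovecot_stream_connect_auth(dovecot_auth_t)
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
 
-logging_send_audit_msgs(dovecot_auth_t)
-logging_send_syslog_msg(dovecot_auth_t)
-
 dev_read_urand(dovecot_auth_t)
+dev_search_sysfs(dovecot_auth_t)
 
-auth_domtrans_chk_passwd(dovecot_auth_t)
-auth_use_nsswitch(dovecot_auth_t)
-
-files_read_etc_files(dovecot_auth_t)
 files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
-files_read_usr_symlinks(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
-files_search_tmp(dovecot_auth_t)
-files_read_var_lib_files(dovecot_t)
+
+auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
 
 init_rw_utmp(dovecot_auth_t)
 
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
 miscfiles_read_localization(dovecot_auth_t)
 
 seutil_dontaudit_search_config(dovecot_auth_t)
@@ -228,9 +253,6 @@ seutil_dontaudit_search_config(dovecot_auth_t)
 sysnet_use_ldap(dovecot_auth_t)
 
 optional_policy(`
- kerberos_use(dovecot_auth_t)
-
- # for gssapi (kerberos)
 userdom_list_user_tmp(dovecot_auth_t)
 userdom_read_user_tmp_files(dovecot_auth_t)
 userdom_read_user_tmp_symlinks(dovecot_auth_t)
@@ -239,6 +261,8 @@ optional_policy(`
 optional_policy(`
 mysql_search_db(dovecot_auth_t)
 mysql_stream_connect(dovecot_auth_t)
+ mysql_read_config(dovecot_auth_t)
+ mysql_tcp_connect(dovecot_auth_t)
 ')
 
 optional_policy(`
@@ -246,39 +270,56 @@ optional_policy(`
 ')
 
 optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_rw_inherited_master_pipes(dovecot_deliver_t)
 postfix_search_spool(dovecot_auth_t)
 ')
 
 ########################################
 #
-# dovecot deliver local policy
+# Deliver local policy
 #
-allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
 
-allow dovecot_deliver_t dovecot_t:process signull;
+allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
 
-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+
+stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
+allow dovecot_deliver_t dovecot_t:process signull;
 
 kernel_read_all_sysctls(dovecot_deliver_t)
 kernel_read_system_state(dovecot_deliver_t)
 
-files_read_etc_files(dovecot_deliver_t)
+corecmd_exec_bin(dovecot_deliver_t)
+
 files_read_etc_runtime_files(dovecot_deliver_t)
 
+fs_getattr_all_fs(dovecot_deliver_t)
+
 auth_use_nsswitch(dovecot_deliver_t)
 
+logging_search_logs(dovecot_deliver_t)
 logging_send_syslog_msg(dovecot_deliver_t)
-logging_search_logs(dovecot_auth_t)
 
 miscfiles_read_localization(dovecot_deliver_t)
 
-dovecot_stream_connect_auth(dovecot_deliver_t)
-
-files_search_tmp(dovecot_deliver_t)
-
-fs_getattr_all_fs(dovecot_deliver_t)
-
 userdom_manage_user_home_content_dirs(dovecot_deliver_t)
 userdom_manage_user_home_content_files(dovecot_deliver_t)
 userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
@@ -290,20 +331,23 @@ tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(dovecot_deliver_t)
 fs_manage_nfs_files(dovecot_deliver_t)
 fs_manage_nfs_symlinks(dovecot_deliver_t)
- fs_manage_nfs_dirs(dovecot_t)
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
 fs_manage_cifs_dirs(dovecot_deliver_t)
 fs_manage_cifs_files(dovecot_deliver_t)
 fs_manage_cifs_symlinks(dovecot_deliver_t)
- fs_manage_cifs_dirs(dovecot_t)
- fs_manage_cifs_files(dovecot_t)
- fs_manage_cifs_symlinks(dovecot_t)
 ')
 
 optional_policy(`
 mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
+')
+
+optional_policy(`
+ postfix_use_fds_master(dovecot_deliver_t)
+')
+
+optional_policy(`
+ sendmail_domtrans(dovecot_deliver_t)
 ')
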
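Review bot: `postfix_rw_inherited_master_pipes(dovecot_deliver_t)` in the `@@ -246,39 +270,56 @@` hunk is placed inside the auth section's postfix `optional_policy` block, between two dovecot_auth_t rules, while every other dovecot_deliver_t rule lives under the "Deliver local policy" header; move it to the deliver section's postfix block in the last hunk, next to `postfix_use_fds_master(dovecot_deliver_t)`. Once it is there, `postfix_use_fds_master(dovecot_deliver_t)` becomes redundant, because postfix.if in this same commit defines `postfix_rw_inherited_master_pipes` to grant `postfix_master_t:fd use` as well, so that block can carry only `postfix_rw_inherited_master_pipes(dovecot_deliver_t)`. The `fsetid` capability added for dovecot_t in the `@@ -53,52 +56,50 @@` hunk has no comment saying which operation needs it; since CAP_FSETID lets the daemon keep set-id bits on files it writes, a one-line why-comment such as `# fsetid: needed for <OPERATION - TODO confirm>` above the capability rule would help the next audit.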
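diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 0ab180c..a4f9973 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -277,6 +277,25 @@ interface(`postfix_read_local_state',`
 
 ########################################
 ## <summary>
+## Read and write inherited postfix master pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_rw_inherited_master_pipes',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fd use;
+ allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
+')
+
+########################################
+## <summary>
 ## Allow domain to read postfix master process state
 ## </summary>
 ## <param name="domain">
@@ -295,6 +314,24 @@ interface(`postfix_read_master_state',`
 
 ########################################
 ## <summary>
+## Use postfix master file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_use_fds_master',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fd use;
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to use
 ## postfix master process file
 ## file descriptors.
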
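Review bot: `postfix_rw_inherited_master_pipes` spells out `{ getattr write append lock ioctl read }` by hand, while the rest of this tree (and dovecot.te in this same commit, with `rw_fifo_file_perms`) uses the named permission sets from obj_perm_sets; if the tree defines `rw_inherited_fifo_file_perms`, write the rule as `allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;` so the "inherited, no open" intent is visible and stays in sync with the macro. The summary should also state that restriction, since no `open` permission is granted and the caller is therefore expected to have received the pipe from postfix_master_t: `## Read and write postfix master pipes inherited from postfix_master_t, without opening them.`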
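diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index d0cf61b..19b27f3 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.14.2)
+policy_module(postfix, 1.14.3)
 
 ########################################
 #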