commit: 0c73e54aade5e6be1e473425a16555c41597ef8b |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sat Sep 29 09:30:13 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:04:05 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0c73e54a |
|
Changes to the dovecot policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/dovecot.fc | 52 ++++------ |
policy/modules/contrib/dovecot.if | 42 +++++---- |
policy/modules/contrib/dovecot.te | 194 +++++++++++++++++++++++-------------- |
policy/modules/contrib/postfix.if | 37 +++++++ |
policy/modules/contrib/postfix.te | 2 +- |
5 files changed, 200 insertions(+), 127 deletions(-) |
|
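--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -1,46 +1,32 @@
+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
-#
-# /etc
-#
-/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
-/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
-/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
 
-# Debian uses /etc/dovecot/
-ifdef(`distro_debian',`
-/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-')
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
 
-#
-# /usr
-#
-/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
 
-/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
 
-ifdef(`distro_debian', `
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-')
 
-ifdef(`distro_redhat', `
-/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-')
+/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 
-#
-# /var
-#
-/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
 
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)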
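Review bot: The new `/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)` entry labels a file under /var/run as dovecot_var_lib_t with no comment on why it deviates from the surrounding dovecot_var_run_t label, and the same commit removes the only comment that explained dovecot_var_lib_t ("/var/lib/dovecot holds SSL parameters file") from dovecot.te. A file-context entry only takes effect on relabel; if dovecot_t creates this file at runtime, the `files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })` rule in dovecot.te would give it dovecot_var_run_t instead, so it is worth confirming which label is actually intended. A comment above the entry such as `# SSL parameters file, labeled like its copy under /var/lib/dovecot` would carry the reason forward.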
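--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -1,8 +1,9 @@
-## <summary>Dovecot POP and IMAP mail server</summary>
+## <summary>POP and IMAP mail server.</summary>
 
 ########################################
 ## <summary>
-## Connect to dovecot auth unix domain stream socket.
+## Connect to dovecot using a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -16,12 +17,14 @@ interface(`dovecot_stream_connect_auth',`
 type dovecot_auth_t, dovecot_var_run_t;
 ')
 
+ files_search_pids($1)
 stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
 ')
 
 ########################################
 ## <summary>
-## Execute dovecot_deliver in the dovecot_deliver domain.
+## Execute dovecot_deliver in the
+## dovecot_deliver domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -34,12 +37,14 @@ interface(`dovecot_domtrans_deliver',`
 type dovecot_deliver_t, dovecot_deliver_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
 ')
 
 ########################################
 ## <summary>
-## Create, read, write, and delete the dovecot spool files.
+## Create, read, write, and delete
+## dovecot spool files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -52,13 +57,15 @@ interface(`dovecot_manage_spool',`
 type dovecot_spool_t;
 ')
 
+ files_search_spool($1)
 manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
 
 ########################################
 ## <summary>
-## Do not audit attempts to delete dovecot lib files.
+## Do not audit attempts to delete
+## dovecot lib files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -76,8 +83,8 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an dovecot environment
+## All of the rules required to
+## administrate an dovecot environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -86,19 +93,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the dovecot domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`dovecot_admin',`
 gen_require(`
- type dovecot_t, dovecot_etc_t, dovecot_log_t;
- type dovecot_spool_t, dovecot_var_lib_t;
- type dovecot_var_run_t;
-
- type dovecot_cert_t, dovecot_passwd_t;
- type dovecot_initrc_exec_t;
+ type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
+ type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
 ')
 
 allow $1 dovecot_t:process { ptrace signal_perms };
@@ -113,18 +118,19 @@ interface(`dovecot_admin',`
 admin_pattern($1, dovecot_etc_t)
 
 logging_list_logs($1)
- admin_pattern($1, dovecot_log_t)
+ admin_pattern($1, dovecot_var_log_t)
 
 files_list_spool($1)
 admin_pattern($1, dovecot_spool_t)
 
+ files_search_tmp($1)
+ admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
+
 files_list_var_lib($1)
 admin_pattern($1, dovecot_var_lib_t)
 
 files_list_pids($1)
 admin_pattern($1, dovecot_var_run_t)
 
- admin_pattern($1, dovecot_cert_t)
-
- admin_pattern($1, dovecot_passwd_t)
+ admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
 ')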
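Review bot: The reworded summary of dovecot_stream_connect_auth now says "Connect to dovecot using a unix domain stream socket", but the interface body still connects to dovecot_auth_t via `stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)`, so the new wording is less precise than the one it replaces; keeping the peer in the text, `## Connect to dovecot auth using a unix` / `## domain stream socket.`, matches what the rule grants. The dovecot_admin summary carries the old grammar slip into the new lines: `## administrate an dovecot environment.` should read `## administrate a dovecot environment.`. Both are documentation-only changes to the new side of the first and sixth hunks.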
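--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,9 +1,10 @@
-policy_module(dovecot, 1.14.3)
+policy_module(dovecot, 1.14.4)
 
 ########################################
 #
 # Declarations
 #
+
 type dovecot_t;
 type dovecot_exec_t;
 init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -18,7 +19,7 @@ type dovecot_auth_tmp_t;
 files_tmp_file(dovecot_auth_tmp_t)
 
 type dovecot_cert_t;
-files_type(dovecot_cert_t)
+miscfiles_cert_type(dovecot_cert_t)
 
 type dovecot_deliver_t;
 type dovecot_deliver_exec_t;
@@ -26,6 +27,9 @@ domain_type(dovecot_deliver_t)
 domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
 role system_r types dovecot_deliver_t;
 
+type dovecot_deliver_tmp_t;
+files_tmp_file(dovecot_deliver_tmp_t)
+
 type dovecot_etc_t;
 files_config_file(dovecot_etc_t)
 
@@ -41,7 +45,6 @@ files_type(dovecot_spool_t)
 type dovecot_tmp_t;
 files_tmp_file(dovecot_tmp_t)
 
-# /var/lib/dovecot holds SSL parameters file
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t)
 
@@ -53,52 +56,50 @@ files_pid_file(dovecot_var_run_t)
 
 ########################################
 #
-# dovecot local policy
+# Local policy
 #
 
-allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:capability2 block_suspend;
-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
 allow dovecot_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-
-allow dovecot_t dovecot_auth_t:process signal;
-
-allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-
-allow dovecot_t dovecot_etc_t:file read_file_perms;
-files_search_etc(dovecot_t)
-
-can_exec(dovecot_t, dovecot_exec_t)
+allow dovecot_t { dovecot_etc_t dovecot_cert_t }:dir list_dir_perms;
+read_files_pattern(dovecot_t, { dovecot_etc_t dovecot_cert_t }, { dovecot_etc_t dovecot_cert_t })
+read_lnk_files_pattern(dovecot_t, { dovecot_etc_t dovecot_cert_t }, { dovecot_etc_t dovecot_cert_t })
 
 manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
 
-# Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
-files_search_var_lib(dovecot_t)
-files_read_var_symlinks(dovecot_t)
 
 manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
 
 manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 
+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
@@ -109,34 +110,38 @@ corenet_tcp_sendrecv_generic_if(dovecot_t)
 corenet_tcp_sendrecv_generic_node(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_generic_node(dovecot_t)
+
+corenet_sendrecv_mail_server_packets(dovecot_t)
 corenet_tcp_bind_mail_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
 corenet_tcp_bind_pop_port(dovecot_t)
+corenet_sendrecv_sieve_server_packets(dovecot_t)
 corenet_tcp_bind_sieve_port(dovecot_t)
+
+corenet_sendrecv_all_client_packets(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 corenet_tcp_connect_postgresql_port(dovecot_t)
-corenet_sendrecv_pop_server_packets(dovecot_t)
-corenet_sendrecv_all_client_packets(dovecot_t)
+
+corecmd_exec_bin(dovecot_t)
 
 dev_read_sysfs(dovecot_t)
 dev_read_urand(dovecot_t)
 
-fs_getattr_all_fs(dovecot_t)
-fs_getattr_all_dirs(dovecot_t)
-fs_search_auto_mountpoints(dovecot_t)
-fs_list_inotifyfs(dovecot_t)
-
-corecmd_exec_bin(dovecot_t)
-
 domain_use_interactive_fds(dovecot_t)
 
-files_read_etc_files(dovecot_t)
+files_read_etc_runtime_files(dovecot_t)
+files_read_var_lib_files(dovecot_t)
+files_read_var_symlinks(dovecot_t)
 files_search_spool(dovecot_t)
-files_search_tmp(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
-# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
-files_read_etc_runtime_files(dovecot_t)
+files_dontaudit_search_all_dirs(dovecot_t)
 files_search_all_mountpoints(dovecot_t)
 
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
+
 init_getattr_utmp(dovecot_t)
 
 auth_use_nsswitch(dovecot_t)
@@ -156,8 +161,21 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file
 
 mta_manage_spool(dovecot_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_t)
+ fs_manage_nfs_files(dovecot_t)
+ fs_manage_nfs_symlinks(dovecot_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_t)
+ fs_manage_cifs_files(dovecot_t)
+ fs_manage_cifs_symlinks(dovecot_t)
+')
+
 optional_policy(`
 kerberos_keytab_template(dovecot, dovecot_t)
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
 ')
 
 optional_policy(`
@@ -165,6 +183,15 @@ optional_policy(`
 ')
 
 optional_policy(`
+ postfix_manage_private_sockets(dovecot_t)
+ postfix_search_spool(dovecot_t)
+')
+
+optional_policy(`
+ sendmail_domtrans(dovecot_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(dovecot_t)
 ')
 
@@ -178,49 +205,47 @@ optional_policy(`
 
 ########################################
 #
-# dovecot auth local policy
+# Auth local policy
 #
 
-allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
-allow dovecot_auth_t self:process { signal_perms getcap setcap };
+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
+allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
 
 read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
 
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
-dovecot_stream_connect_auth(dovecot_auth_t)
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
 
-logging_send_audit_msgs(dovecot_auth_t)
-logging_send_syslog_msg(dovecot_auth_t)
-
 dev_read_urand(dovecot_auth_t)
+dev_search_sysfs(dovecot_auth_t)
 
-auth_domtrans_chk_passwd(dovecot_auth_t)
-auth_use_nsswitch(dovecot_auth_t)
-
-files_read_etc_files(dovecot_auth_t)
 files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
-files_read_usr_symlinks(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
-files_search_tmp(dovecot_auth_t)
-files_read_var_lib_files(dovecot_t)
+
+auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
 
 init_rw_utmp(dovecot_auth_t)
 
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
 miscfiles_read_localization(dovecot_auth_t)
 
 seutil_dontaudit_search_config(dovecot_auth_t)
@@ -228,9 +253,6 @@ seutil_dontaudit_search_config(dovecot_auth_t)
 sysnet_use_ldap(dovecot_auth_t)
 
 optional_policy(`
- kerberos_use(dovecot_auth_t)
-
- # for gssapi (kerberos)
 userdom_list_user_tmp(dovecot_auth_t)
 userdom_read_user_tmp_files(dovecot_auth_t)
 userdom_read_user_tmp_symlinks(dovecot_auth_t)
@@ -239,6 +261,8 @@ optional_policy(`
 optional_policy(`
 mysql_search_db(dovecot_auth_t)
 mysql_stream_connect(dovecot_auth_t)
+ mysql_read_config(dovecot_auth_t)
+ mysql_tcp_connect(dovecot_auth_t)
 ')
 
 optional_policy(`
@@ -246,39 +270,56 @@ optional_policy(`
 ')
 
 optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_rw_inherited_master_pipes(dovecot_deliver_t)
 postfix_search_spool(dovecot_auth_t)
 ')
 
 ########################################
 #
-# dovecot deliver local policy
+# Deliver local policy
 #
-allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
 
-allow dovecot_deliver_t dovecot_t:process signull;
+allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
 
-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+
+stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
+allow dovecot_deliver_t dovecot_t:process signull;
 
 kernel_read_all_sysctls(dovecot_deliver_t)
 kernel_read_system_state(dovecot_deliver_t)
 
-files_read_etc_files(dovecot_deliver_t)
+corecmd_exec_bin(dovecot_deliver_t)
+
 files_read_etc_runtime_files(dovecot_deliver_t)
 
+fs_getattr_all_fs(dovecot_deliver_t)
+
 auth_use_nsswitch(dovecot_deliver_t)
 
+logging_search_logs(dovecot_deliver_t)
 logging_send_syslog_msg(dovecot_deliver_t)
-logging_search_logs(dovecot_auth_t)
 
 miscfiles_read_localization(dovecot_deliver_t)
 
-dovecot_stream_connect_auth(dovecot_deliver_t)
-
-files_search_tmp(dovecot_deliver_t)
-
-fs_getattr_all_fs(dovecot_deliver_t)
-
 userdom_manage_user_home_content_dirs(dovecot_deliver_t)
 userdom_manage_user_home_content_files(dovecot_deliver_t)
 userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
@@ -290,20 +331,23 @@ tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(dovecot_deliver_t)
 fs_manage_nfs_files(dovecot_deliver_t)
 fs_manage_nfs_symlinks(dovecot_deliver_t)
- fs_manage_nfs_dirs(dovecot_t)
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
 fs_manage_cifs_dirs(dovecot_deliver_t)
 fs_manage_cifs_files(dovecot_deliver_t)
 fs_manage_cifs_symlinks(dovecot_deliver_t)
- fs_manage_cifs_dirs(dovecot_t)
- fs_manage_cifs_files(dovecot_t)
- fs_manage_cifs_symlinks(dovecot_t)
 ')
 
 optional_policy(`
 mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
+')
+
+optional_policy(`
+ postfix_use_fds_master(dovecot_deliver_t)
+')
+
+optional_policy(`
+ sendmail_domtrans(dovecot_deliver_t)
 ')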
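Review bot: `postfix_rw_inherited_master_pipes(dovecot_deliver_t)` is added inside the dovecot_auth_t postfix block in the "Auth local policy" section, while the "Deliver local policy" section below gets its own `postfix_use_fds_master(dovecot_deliver_t)` block; since postfix_rw_inherited_master_pipes (postfix.if in this commit) already grants `postfix_master_t:fd use`, the second call adds nothing and the first sits under the wrong domain's heading. Moving `postfix_rw_inherited_master_pipes(dovecot_deliver_t)` into the deliver section's postfix optional_policy block in place of `postfix_use_fds_master(dovecot_deliver_t)` keeps each domain's rules together and removes the duplicate grant. The commit also deletes the two why-comments that justified kept rules — "/var/lib/dovecot holds SSL parameters file" above dovecot_var_lib_t and "Dovecot now has quota support and it uses getmntent() to find the mountpoints" above `files_read_etc_runtime_files(dovecot_t)` — while the rules themselves stay; restoring them, e.g. `# quota support uses getmntent() to find mountpoints`, preserves the reason each rule exists. Newly granted capabilities such as `fsetid` on dovecot_t and `ipc_lock sys_nice` on dovecot_auth_t likewise arrive without a note on what needs them; a short comment on each would help the next audit of this module.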
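--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -277,6 +277,25 @@ interface(`postfix_read_local_state',`
 
 ########################################
 ## <summary>
+## Read and write inherited postfix master pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_rw_inherited_master_pipes',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fd use;
+ allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
+')
+
+########################################
+## <summary>
 ## Allow domain to read postfix master process state
 ## </summary>
 ## <param name="domain">
@@ -295,6 +314,24 @@ interface(`postfix_read_master_state',`
 
 ########################################
 ## <summary>
+## Use postfix master file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_use_fds_master',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fd use;
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to use
 ## postfix master process file
 ## file descriptors.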
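--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.14.2)
+policy_module(postfix, 1.14.3)
 
 ########################################
 #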