| 1 |
commit: 64429db34991a38dec86976e2c9bd3dbb6bdd3f6 |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Sun Oct 28 18:41:08 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Mon Oct 29 14:48:28 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=64429db3 |
| 7 |
|
| 8 |
Move mailscanner content to mailscanner module |
| 9 |
|
| 10 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 11 |
|
| 12 |
--- |
| 13 |
policy/modules/contrib/clamav.fc | 1 - |
| 14 |
policy/modules/contrib/clamav.te | 2 +- |
| 15 |
policy/modules/contrib/mailscanner.fc | 2 ++ |
| 16 |
policy/modules/contrib/mailscanner.if | 26 +++++++++++++++++++++++++- |
| 17 |
policy/modules/contrib/mailscanner.te | 10 ++++++++-- |
| 18 |
5 files changed, 36 insertions(+), 5 deletions(-) |
| 19 |
|
| 20 |
diff --git a/policy/modules/contrib/clamav.fc b/policy/modules/contrib/clamav.fc |
| 21 |
index 7d93529..dcaa045 100644 |
| 22 |
--- a/policy/modules/contrib/clamav.fc |
| 23 |
+++ b/policy/modules/contrib/clamav.fc |
| 24 |
@@ -24,4 +24,3 @@ |
| 25 |
/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) |
| 26 |
|
| 27 |
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) |
| 28 |
-/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) |
| 29 |
|
| 30 |
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te |
| 31 |
index b5843df..5320a93 100644 |
| 32 |
--- a/policy/modules/contrib/clamav.te |
| 33 |
+++ b/policy/modules/contrib/clamav.te |
| 34 |
@@ -1,4 +1,4 @@ |
| 35 |
-policy_module(clamav, 1.10.4) |
| 36 |
+policy_module(clamav, 1.10.5) |
| 37 |
|
| 38 |
## <desc> |
| 39 |
## <p> |
| 40 |
|
| 41 |
diff --git a/policy/modules/contrib/mailscanner.fc b/policy/modules/contrib/mailscanner.fc |
| 42 |
index 827e22e..3698276 100644 |
| 43 |
--- a/policy/modules/contrib/mailscanner.fc |
| 44 |
+++ b/policy/modules/contrib/mailscanner.fc |
| 45 |
@@ -9,3 +9,5 @@ |
| 46 |
/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0) |
| 47 |
|
| 48 |
/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0) |
| 49 |
+ |
| 50 |
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mscan_spool_t,s0) |
| 51 |
|
| 52 |
diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if |
| 53 |
index 462209d..0293f34 100644 |
| 54 |
--- a/policy/modules/contrib/mailscanner.if |
| 55 |
+++ b/policy/modules/contrib/mailscanner.if |
| 56 |
@@ -2,6 +2,27 @@ |
| 57 |
|
| 58 |
######################################## |
| 59 |
## <summary> |
| 60 |
+## Create, read, write, and delete |
| 61 |
+## mscan spool content. |
| 62 |
+## </summary> |
| 63 |
+## <param name="domain"> |
| 64 |
+## <summary> |
| 65 |
+## Domain allowed access. |
| 66 |
+## </summary> |
| 67 |
+## </param> |
| 68 |
+# |
| 69 |
+interface(`mscan_manage_spool_content',` |
| 70 |
+ gen_require(` |
| 71 |
+ type mscan_spool_t; |
| 72 |
+ ') |
| 73 |
+ |
| 74 |
+ files_search_spool($1) |
| 75 |
+ manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t) |
| 76 |
+ manage_files_pattern($1, mscan_spool_t, mscan_spool_t) |
| 77 |
+') |
| 78 |
+ |
| 79 |
+######################################## |
| 80 |
+## <summary> |
| 81 |
## All of the rules required to |
| 82 |
## administrate an mscan environment |
| 83 |
## </summary> |
| 84 |
@@ -20,7 +41,7 @@ |
| 85 |
interface(`mscan_admin',` |
| 86 |
gen_require(` |
| 87 |
type mscan_t, mscan_etc_t, mscan_initrc_exec_t; |
| 88 |
- type mscan_var_run_t; |
| 89 |
+ type mscan_var_run_t, mscan_spool_t; |
| 90 |
') |
| 91 |
|
| 92 |
allow $1 mscan_t:process { ptrace signal_perms }; |
| 93 |
@@ -36,4 +57,7 @@ interface(`mscan_admin',` |
| 94 |
|
| 95 |
files_search_pids($1 |
| 96 |
admin_pattern($1, mscan_var_run_t) |
| 97 |
+ |
| 98 |
+ files_search_spool($1) |
| 99 |
+ admin_pattern($1, mscan_spool_t) |
| 100 |
') |
| 101 |
|
| 102 |
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te |
| 103 |
index d5651c7..725ba32 100644 |
| 104 |
--- a/policy/modules/contrib/mailscanner.te |
| 105 |
+++ b/policy/modules/contrib/mailscanner.te |
| 106 |
@@ -1,4 +1,4 @@ |
| 107 |
-policy_module(mailscanner, 1.0.1) |
| 108 |
+policy_module(mailscanner, 1.0.2) |
| 109 |
|
| 110 |
######################################## |
| 111 |
# |
| 112 |
@@ -15,6 +15,9 @@ init_script_file(mscan_initrc_exec_t) |
| 113 |
type mscan_etc_t; |
| 114 |
files_config_file(mscan_etc_t) |
| 115 |
|
| 116 |
+type mscan_spool_t; |
| 117 |
+files_type(mscan_spool_t) |
| 118 |
+ |
| 119 |
type mscan_tmp_t; |
| 120 |
files_tmp_file(mscan_tmp_t) |
| 121 |
|
| 122 |
@@ -35,6 +38,10 @@ read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) |
| 123 |
manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) |
| 124 |
files_pid_filetrans(mscan_t, mscan_var_run_t, file) |
| 125 |
|
| 126 |
+manage_dirs_pattern(mscan_t, mscan_spool_t, mscan_spool_t) |
| 127 |
+manage_files_pattern(mscan_t, mscan_spool_t, mscan_spool_t) |
| 128 |
+files_spool_filetrans(mscan_t, mscan_spool_t, dir) |
| 129 |
+ |
| 130 |
manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t) |
| 131 |
manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t) |
| 132 |
files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file }) |
| 133 |
@@ -78,7 +85,6 @@ miscfiles_read_localization(mscan_t) |
| 134 |
|
| 135 |
optional_policy(` |
| 136 |
clamav_domtrans_clamscan(mscan_t) |
| 137 |
- clamav_manage_pid_content(mscan_t) |
| 138 |
') |
| 139 |
|
| 140 |
optional_policy(` |
Archives