commit: a7aab0b2275f1883f1908bb036520a7a6616a94f |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Sep 28 10:49:33 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Sep 28 17:47:56 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a7aab0b2 |
|
Changes to the dkim policy module |
|
Add init script file |
Add dkim_admin() |
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/dkim.fc | 19 +++++++++++-------- |
policy/modules/contrib/dkim.if | 38 ++++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/dkim.te | 6 ++++-- |
3 files changed, 53 insertions(+), 10 deletions(-) |
|
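--- a/policy/modules/contrib/dkim.fc
+++ b/policy/modules/contrib/dkim.fc
@@ -1,14 +1,17 @@
 /etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
-/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
-/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
 
-/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 
-/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
-/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)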
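--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -1 +1,39 @@
 ## <summary>DomainKeys Identified Mail milter.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dkim environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dkim_admin',`
+ gen_require(`
+ type dkim_milter_t, dkim_milter_initrc_exec_t, dkim_milter_private_key_t;
+ type dkim_milter_data_t;
+ ')
+
+ allow $1 dkim_milter_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dkim_milter_t)
+
+ init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dkim_milter_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, dkim_milter_private_key_t)
+
+ files_search_pids($1)
+ admin_pattern($1, dkim_milter_data_t)
+')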
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te |
99 |
index cc1199e..30f4578 100644 |
100 |
--- a/policy/modules/contrib/dkim.te |
101 |
+++ b/policy/modules/contrib/dkim.te |
102 |
@@ -1,4 +1,4 @@ |
103 |
-policy_module(dkim, 1.1.0) |
104 |
+policy_module(dkim, 1.1.1) |
105 |
|
106 |
######################################## |
107 |
# |
108 |
@@ -7,7 +7,9 @@ policy_module(dkim, 1.1.0) |
109 |
|
110 |
milter_template(dkim) |
111 |
|
112 |
-# Type for the private key of dkim-filter |
113 |
+type dkim_milter_initrc_exec_t; |
114 |
+init_script_file(dkim_milter_initrc_exec_t) |
115 |
+ |
116 |
type dkim_milter_private_key_t; |
117 |
files_type(dkim_milter_private_key_t) |