commit: 64debadb4fefed518ddcfaa318a085c095e6f2d1 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sat Sep 29 10:42:08 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:04:25 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=64debadb |
|
Changes to the evolution policy module |
|
Use role attributes |
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/evolution.fc | 22 +--- |
policy/modules/contrib/evolution.if | 65 ++++++------- |
policy/modules/contrib/evolution.te | 182 +++++++++++------------------------ |
3 files changed, 94 insertions(+), 175 deletions(-) |
|
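--- a/policy/modules/contrib/evolution.fc
+++ b/policy/modules/contrib/evolution.fc
@@ -1,21 +1,11 @@
-#
-# HOME_DIR/
-#
+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
 
-HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
-HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
 
-#
-# /tmp
-#
-/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
-
-#
-# /usr
-#
-/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0)
+/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0)
 
 /usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
 /usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
-/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
-/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
+/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
+/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)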
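--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -1,8 +1,8 @@
-## <summary>Evolution email client</summary>
+## <summary>Evolution email client.</summary>
 
 ########################################
 ## <summary>
-## Role access for evolution
+## Role access for evolution.
 ## </summary>
 ## <param name="role">
 ## <summary>
@@ -17,16 +17,16 @@
 #
 interface(`evolution_role',`
 gen_require(`
+ attribute_role evolution_roles;
 type evolution_t, evolution_exec_t, evolution_home_t;
 type evolution_alarm_t, evolution_alarm_exec_t;
 type evolution_exchange_t, evolution_exchange_exec_t;
- type evolution_exchange_orbit_tmp_t;
+ type evolution_exchange_orbit_tmp_t, evolution_orbit_tmp_t;
 type evolution_server_t, evolution_server_exec_t;
 type evolution_webcal_t, evolution_webcal_exec_t;
 ')
 
- role $1 types { evolution_t evolution_alarm_t evolution_exchange_t };
- role $1 types { evolution_server_t evolution_webcal_t };
+ roleattribute $1 evolution_roles;
 
 domtrans_pattern($2, evolution_exec_t, evolution_t)
 domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
@@ -34,51 +34,48 @@ interface(`evolution_role',`
 domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
 domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
 
- ps_process_pattern($2, evolution_t)
- ps_process_pattern($2, evolution_alarm_t)
- ps_process_pattern($2, evolution_exchange_t)
- ps_process_pattern($2, evolution_server_t)
- ps_process_pattern($2, evolution_webcal_t)
+ ps_process_pattern($2, { evolution_t evolution_alarm_t evolution_exchange_t })
+ ps_process_pattern($2, { evolution_server_t evolution_webcal_t })
 
 allow evolution_t $2:dir search;
 allow evolution_t $2:file read;
 allow evolution_t $2:lnk_file read;
- allow evolution_t $2:unix_stream_socket connectto;
 
- allow $2 evolution_t:unix_stream_socket connectto;
- allow $2 evolution_t:process noatsecure;
- allow $2 evolution_t:process signal_perms;
+ allow $2 evolution_t:process { noatsecure ptrace signal_perms };
 
- # Access .evolution
- allow $2 evolution_home_t:dir manage_dir_perms;
- allow $2 evolution_home_t:file manage_file_perms;
- allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
- allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms };
+ allow $2 evolution_home_t:lnk_file { relabel_lnk_file_perms manage_lnk_file_perms };
 
- allow evolution_exchange_t $2:unix_stream_socket connectto;
+ allow { evolution_t evolution_exchange_t } $2:unix_stream_socket connectto;
 
- # Clock applet talks to exchange (FIXME: Needs policy)
- allow $2 evolution_exchange_t:unix_stream_socket connectto;
- allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
+ stream_connect_pattern($2, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+ stream_connect_pattern($2, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
 ')
 
 ########################################
 ## <summary>
-## Create objects in users evolution home folders.
+## Create objects in the evolution home
+## directories with a private type.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ## Domain allowed access.
 ## </summary>
 ## </param>
-## <param name="file_type">
+## <param name="private_type">
 ## <summary>
 ## Private file type.
 ## </summary>
 ## </param>
-## <param name="class">
+## <param name="object_class">
 ## <summary>
-## The object class of the object being created.
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
 ## </summary>
 ## </param>
 #
@@ -87,13 +84,14 @@ interface(`evolution_home_filetrans',`
 type evolution_home_t;
 ')
 
- allow $1 evolution_home_t:dir rw_dir_perms;
- type_transition $1 evolution_home_t:$3 $2;
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, evolution_home_t, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-## Connect to evolution unix stream socket.
+## Connect to evolution using a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -103,11 +101,12 @@ interface(`evolution_home_filetrans',`
 #
 interface(`evolution_stream_connect',`
 gen_require(`
- type evolution_t, evolution_home_t;
+ type evolution_t, evolution_orbit_tmp_t;
 ')
 
- allow $1 evolution_t:unix_stream_socket connectto;
- allow $1 evolution_home_t:dir search;
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
 ')
 
 ########################################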
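Review bot: `allow $2 evolution_t:process { noatsecure ptrace signal_perms };` in the `@@ -34,51 +34,48 @@` hunk of `evolution_role` grants the caller's user domain `ptrace` on evolution_t, a permission the replaced lines (`noatsecure` and `signal_perms` only) did not carry, and neither the commit message nor a comment explains it. Letting every role that calls this interface attach to and read the memory of the mail client domain is a deliberate trust decision, not a clean-up; if it is not needed, `allow $2 evolution_t:process { noatsecure signal_perms };` keeps the previous scope, and if it is needed the reason belongs in the commit message. The `evolution_role` interface itself opens in the preceding hunk, outside this one. As a smaller point of style, the whitespace-only line added before `files_search_tmp($1)` in `evolution_stream_connect` leaves two consecutive blank lines after the `gen_require` block.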
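--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,21 +1,25 @@
-policy_module(evolution, 2.3.1)
+policy_module(evolution, 2.3.2)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role evolution_roles;
+
 type evolution_t;
 type evolution_exec_t;
 typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
 typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
 userdom_user_application_domain(evolution_t, evolution_exec_t)
+role evolution_roles types evolution_t;
 
 type evolution_alarm_t;
 type evolution_alarm_exec_t;
 typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
 typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
 userdom_user_application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+role evolution_roles types evolution_alarm_t;
 
 type evolution_alarm_tmpfs_t;
 typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
@@ -32,6 +36,7 @@ type evolution_exchange_exec_t;
 typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
 typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
 userdom_user_application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+role evolution_roles types evolution_exchange_t;
 
 type evolution_exchange_tmpfs_t;
 typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
@@ -63,6 +68,7 @@ type evolution_server_exec_t;
 typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
 typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
 userdom_user_application_domain(evolution_server_t, evolution_server_exec_t)
+role evolution_roles types evolution_server_t;
 
 type evolution_server_orbit_tmp_t;
 typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
@@ -79,6 +85,7 @@ type evolution_webcal_exec_t;
 typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
 typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
 userdom_user_application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+role evolution_roles types evolution_webcal_t;
 
 type evolution_webcal_tmpfs_t;
 typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
@@ -87,7 +94,7 @@ userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
 
 ########################################
 #
-# Evolution local policy
+# Local policy
 #
 
 allow evolution_t self:capability { setuid setgid sys_nice };
@@ -96,21 +103,9 @@ allow evolution_t self:fifo_file rw_file_perms;
 allow evolution_t self:tcp_socket create_socket_perms;
 allow evolution_t self:udp_socket create_socket_perms;
 
-allow evolution_t evolution_alarm_t:dir search_dir_perms;
-allow evolution_t evolution_alarm_t:file read;
-
-allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
-allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
-
-can_exec(evolution_t, evolution_alarm_exec_t)
-
-allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
-allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
-
 allow evolution_t evolution_home_t:dir manage_dir_perms;
 allow evolution_t evolution_home_t:file manage_file_perms;
 allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
-userdom_search_user_home_dirs(evolution_t)
 
 allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
 allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
@@ -120,14 +115,6 @@ allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
 allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
 files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
 
-allow evolution_t evolution_server_t:dir search_dir_perms;
-allow evolution_t evolution_server_t:file read;
-
-allow evolution_t evolution_server_t:unix_stream_socket connectto;
-allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
-
-can_exec(evolution_t, evolution_server_exec_t)
-
 allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
 allow evolution_t evolution_tmpfs_t:file manage_file_perms;
 allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
@@ -135,16 +122,22 @@ allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
 allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
 fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
-#FIXME check to see if really needed
+allow evolution_t { evolution_alarm_t evolution_server_t }:dir search_dir_perms;
+allow evolution_t { evolution_alarm_t evolution_server_t }:file read_file_perms;
+
+stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
+stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
+
+can_exec(evolution_t, { evolution_alarm_exec_t evolution_server_exec_t })
+
 kernel_read_kernel_sysctls(evolution_t)
 kernel_read_system_state(evolution_t)
-# Allow netstat
 kernel_read_network_state(evolution_t)
 kernel_read_net_sysctls(evolution_t)
 
-corecmd_exec_shell(evolution_t)
-# Run various programs
 corecmd_exec_bin(evolution_t)
+corecmd_exec_shell(evolution_t)
 
 corenet_all_recvfrom_unlabeled(evolution_t)
 corenet_all_recvfrom_netlabel(evolution_t)
@@ -153,29 +146,23 @@ corenet_udp_sendrecv_generic_if(evolution_t)
 corenet_raw_sendrecv_generic_if(evolution_t)
 corenet_tcp_sendrecv_generic_node(evolution_t)
 corenet_udp_sendrecv_generic_node(evolution_t)
-corenet_tcp_sendrecv_pop_port(evolution_t)
-corenet_udp_sendrecv_pop_port(evolution_t)
-corenet_tcp_sendrecv_smtp_port(evolution_t)
-corenet_udp_sendrecv_smtp_port(evolution_t)
-corenet_tcp_sendrecv_innd_port(evolution_t)
-corenet_udp_sendrecv_innd_port(evolution_t)
-corenet_tcp_sendrecv_ldap_port(evolution_t)
-corenet_udp_sendrecv_ldap_port(evolution_t)
-corenet_tcp_sendrecv_ipp_port(evolution_t)
-corenet_udp_sendrecv_ipp_port(evolution_t)
-corenet_tcp_connect_pop_port(evolution_t)
-corenet_tcp_connect_smtp_port(evolution_t)
-corenet_tcp_connect_innd_port(evolution_t)
-corenet_tcp_connect_ldap_port(evolution_t)
-corenet_tcp_connect_ipp_port(evolution_t)
+corenet_tcp_sendrecv_all_ports(evolution_t)
+corenet_udp_sendrecv_all_ports(evolution_t)
+
 corenet_sendrecv_pop_client_packets(evolution_t)
+corenet_tcp_connect_pop_port(evolution_t)
+
 corenet_sendrecv_smtp_client_packets(evolution_t)
+corenet_tcp_connect_smtp_port(evolution_t)
+
 corenet_sendrecv_innd_client_packets(evolution_t)
+corenet_tcp_connect_innd_port(evolution_t)
+
 corenet_sendrecv_ldap_client_packets(evolution_t)
+corenet_tcp_connect_ldap_port(evolution_t)
+
 corenet_sendrecv_ipp_client_packets(evolution_t)
-# not sure about this bind
-corenet_udp_bind_generic_node(evolution_t)
-corenet_udp_bind_generic_port(evolution_t)
+corenet_tcp_connect_ipp_port(evolution_t)
 
 dev_read_urand(evolution_t)
 
@@ -183,8 +170,6 @@ domain_dontaudit_read_all_domains_state(evolution_t)
 
 files_read_etc_files(evolution_t)
 files_read_usr_files(evolution_t)
-files_read_usr_symlinks(evolution_t)
-files_read_var_files(evolution_t)
 
 fs_search_auto_mountpoints(evolution_t)
 
@@ -202,10 +187,8 @@ userdom_manage_user_tmp_dirs(evolution_t)
 userdom_manage_user_tmp_sockets(evolution_t)
 userdom_manage_user_tmp_files(evolution_t)
 userdom_use_user_terminals(evolution_t)
-# FIXME: suppress access to .local/.icons/.themes until properly implemented
-# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-# until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_t)
+userdom_search_user_home_dirs(evolution_t)
 
 mta_read_config(evolution_t)
 
@@ -276,7 +259,6 @@ optional_policy(`
 automount_read_state(evolution_t)
 ')
 
-# Allow printing the mail
 optional_policy(`
 cups_read_rw_config(evolution_t)
 ')
@@ -290,7 +272,6 @@ optional_policy(`
 gnome_stream_connect_gconf(evolution_t)
 ')
 
-# Encrypt mail
 optional_policy(`
 gpg_domtrans(evolution_t)
 gpg_signal(evolution_t)
@@ -305,7 +286,6 @@ optional_policy(`
 mozilla_domtrans(evolution_t)
 ')
 
-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
 optional_policy(`
 nis_use_ypbind(evolution_t)
 ')
@@ -314,13 +294,10 @@ optional_policy(`
 nscd_socket_use(evolution_t)
 ')
 
-### Junk mail filtering (start spamd)
 optional_policy(`
 spamassassin_exec_spamd(evolution_t)
 spamassassin_domtrans_client(evolution_t)
 spamassassin_domtrans_local_client(evolution_t)
- # Allow evolution to signal the daemon
- # FIXME: Now evolution can read spamd temp files
 spamassassin_read_spamd_tmp_files(evolution_t)
 spamassassin_signal_spamd(evolution_t)
 spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
@@ -328,15 +305,12 @@ optional_policy(`
 
 ########################################
 #
-# Evolution alarm local policy
+# Alarm local policy
 #
 
 allow evolution_alarm_t self:process { signal getsched };
 allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
 
-allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
-allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
-
 allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
 allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
 allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
@@ -344,16 +318,13 @@ allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms
 allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
 fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
-allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
-allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
-
-# Access evolution home
 allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
 allow evolution_alarm_t evolution_home_t:file manage_file_perms;
 allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
 
-allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
-allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+stream_connect_pattern(evolution_alarm_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+stream_connect_pattern(evolution_alarm_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
 
 dev_read_urand(evolution_alarm_t)
 
@@ -364,16 +335,11 @@ fs_search_auto_mountpoints(evolution_alarm_t)
 
 miscfiles_read_localization(evolution_alarm_t)
 
-# Access evolution home
 userdom_search_user_home_dirs(evolution_alarm_t)
-# FIXME: suppress access to .local/.icons/.themes until properly implemented
-# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-# until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
 
 xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
 
-# Access evolution home
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_files(evolution_alarm_t)
 ')
@@ -396,30 +362,18 @@ optional_policy(`
 
 ########################################
 #
-# Evolution exchange connector local policy
+# Exchange local policy
 #
 
 allow evolution_exchange_t self:process getsched;
 allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
-
 allow evolution_exchange_t self:tcp_socket create_socket_perms;
 allow evolution_exchange_t self:udp_socket create_socket_perms;
 
-allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
-allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
-
-allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
-allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
-
-# Access evolution home
 allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
 allow evolution_exchange_t evolution_home_t:file manage_file_perms;
 allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
 
-allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
-allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
-
-# /tmp/.exchange-$USER
 allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
 allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
 files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
@@ -431,10 +385,13 @@ allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file
 allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
 fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+stream_connect_pattern(evolution_exchange_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+stream_connect_pattern(evolution_exchange_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
+stream_connect_pattern(evolution_exchange_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
+
 kernel_read_network_state(evolution_exchange_t)
 kernel_read_net_sysctls(evolution_exchange_t)
 
-# Allow netstat
 corecmd_exec_bin(evolution_exchange_t)
 
 dev_read_urand(evolution_exchange_t)
@@ -442,22 +399,16 @@ dev_read_urand(evolution_exchange_t)
 files_read_etc_files(evolution_exchange_t)
 files_read_usr_files(evolution_exchange_t)
 
-# Access evolution home
 fs_search_auto_mountpoints(evolution_exchange_t)
 
 miscfiles_read_localization(evolution_exchange_t)
 
 userdom_write_user_tmp_sockets(evolution_exchange_t)
-# Access evolution home
 userdom_search_user_home_dirs(evolution_exchange_t)
-# FIXME: suppress access to .local/.icons/.themes until properly implemented
-# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-# until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
 
 xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
 
-# Access evolution home
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_files(evolution_exchange_t)
 ')
@@ -476,72 +427,57 @@ optional_policy(`
 
 ########################################
 #
-# Evolution data server local policy
+# Server local policy
 #
 
 allow evolution_server_t self:process { getsched signal };
 
 allow evolution_server_t self:fifo_file { read write };
-allow evolution_server_t self:unix_stream_socket { accept connectto };
-# Talk to ldap (address book),
-# Obtain weather data via http (read server name from xml file in /usr)
+allow evolution_server_t self:unix_stream_socket { accept connectto listen };
 allow evolution_server_t self:tcp_socket create_socket_perms;
 
-allow evolution_server_t evolution_t:unix_stream_socket connectto;
-allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
-
-allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
-allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
-
-# Access evolution home
 allow evolution_server_t evolution_home_t:dir manage_dir_perms;
 allow evolution_server_t evolution_home_t:file manage_file_perms;
 allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
 
-allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
-allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
+stream_connect_pattern(evolution_server_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+stream_connect_pattern(evolution_server_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+stream_connect_pattern(evolution_server_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
 
 kernel_read_system_state(evolution_server_t)
 
 corecmd_exec_shell(evolution_server_t)
 
-# Obtain weather data via http (read server name from xml file in /usr)
 corenet_all_recvfrom_unlabeled(evolution_server_t)
 corenet_all_recvfrom_netlabel(evolution_server_t)
 corenet_tcp_sendrecv_generic_if(evolution_server_t)
 corenet_tcp_sendrecv_generic_node(evolution_server_t)
-corenet_tcp_sendrecv_http_port(evolution_server_t)
+
+corenet_sendrecv_http_cache_client_packets(evolution_server_t)
 corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
 corenet_tcp_connect_http_cache_port(evolution_server_t)
-corenet_tcp_connect_http_port(evolution_server_t)
+
 corenet_sendrecv_http_client_packets(evolution_server_t)
-corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+corenet_tcp_sendrecv_http_port(evolution_server_t)
+corenet_tcp_connect_http_port(evolution_server_t)
 
 dev_read_urand(evolution_server_t)
 
 files_read_etc_files(evolution_server_t)
-# Obtain weather data via http (read server name from xml file in /usr)
 files_read_usr_files(evolution_server_t)
 
 fs_search_auto_mountpoints(evolution_server_t)
 
 miscfiles_read_localization(evolution_server_t)
-# Look in /etc/pki
 miscfiles_read_generic_certs(evolution_server_t)
 
-# Talk to ldap (address book)
 sysnet_read_config(evolution_server_t)
 sysnet_dns_name_resolve(evolution_server_t)
 sysnet_use_ldap(evolution_server_t)
 
-# Access evolution home
 userdom_search_user_home_dirs(evolution_server_t)
-# FIXME: suppress access to .local/.icons/.themes until properly implemented
-# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-# until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_server_t)
 
-# Access evolution home
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_files(evolution_server_t)
 ')
@@ -560,12 +496,11 @@ optional_policy(`
 
 ########################################
 #
-# Evolution webcal local policy
+# Webcal local policy
 #
 
 allow evolution_webcal_t self:tcp_socket create_socket_perms;
 
-# X/evolution common stuff
 allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
 allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
 allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
@@ -576,25 +511,20 @@ fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_
 corenet_all_recvfrom_unlabeled(evolution_webcal_t)
 corenet_all_recvfrom_netlabel(evolution_webcal_t)
 corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
-corenet_raw_sendrecv_generic_if(evolution_webcal_t)
 corenet_tcp_sendrecv_generic_node(evolution_webcal_t)
-corenet_raw_sendrecv_generic_node(evolution_webcal_t)
+
 corenet_tcp_sendrecv_http_port(evolution_webcal_t)
-corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
-corenet_tcp_connect_http_cache_port(evolution_webcal_t)
 corenet_tcp_connect_http_port(evolution_webcal_t)
 corenet_sendrecv_http_client_packets(evolution_webcal_t)
+
+corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_cache_port(evolution_webcal_t)
 corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
 
-# Networking capability - connect to website and handle ics link
 sysnet_read_config(evolution_webcal_t)
 sysnet_dns_name_resolve(evolution_webcal_t)
 
-# Search home directory (?)
 userdom_search_user_home_dirs(evolution_webcal_t)
-# FIXME: suppress access to .local/.icons/.themes until properly implemented
-# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-# until properly implemented
 userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
 
 xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)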
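Review bot: `corenet_tcp_sendrecv_all_ports(evolution_t)` and `corenet_udp_sendrecv_all_ports(evolution_t)` in the `@@ -153,29 +146,23 @@` hunk replace ten port-specific sendrecv rules (pop, smtp, innd, ldap, ipp) with a grant over every port type, which is wider than "Module clean up" suggests and wider than the `corenet_tcp_connect_*_port` rules that the same hunk keeps per protocol. How much that widens effective access depends on whether port sendrecv permissions are enforced in this policy build, which the page does not show, but the per-protocol intent is lost from the policy text either way; either keep the five per-port sendrecv pairs or put a one-line comment above the two blanket rules stating why send/recv is deliberately left unrestricted while connect stays per-port. The `read` to `read_file_perms` change on evolution_alarm_t and evolution_server_t files in the `@@ -135,16 +122,22 @@` hunk is a smaller widening of the same kind and would be worth a mention in the commit message.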