commit: 1546335dcf467c2a4d85eb4a956e229e6ff09692 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Tue Dec 30 19:57:17 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Tue Dec 30 19:57:17 2014 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1546335d |
|
Fix bug 534030 - Update on courier policy with documentation in comments |
|
--- |
policy/modules/contrib/courier.te | 36 +++++++++++++++--------------------- |
1 file changed, 15 insertions(+), 21 deletions(-) |
|
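--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -186,42 +186,36 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
-
- ########################################
- #
- # Courier authdaemon policy
- #
- read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
-
- optional_policy(`
- mysql_stream_connect(courier_authdaemon_t)
- ')
-
 ########################################
 #
 # Courier imap/pop daemon policy
 #
 
- # Switch after succesfull authentication
+ # Switch after succesfull authentication (bug 534030)
 allow courier_pop_t self:capability { setuid setgid };
 
- files_search_var_lib(courier_pop_t)
- search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
- read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
-
- # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session
+ # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session (bug 534030)
 corecmd_exec_shell(courier_pop_t)
 
- courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+ # Locate authdaemon socket and communicate with authdaemon (bug 534030)
+ stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
+
+ # Manage maildir of users (bug 534030)
+ mta_manage_mail_home_rw_content(courier_pop_t)
 
 ########################################
 #
 # Courier tcpd daemon policy
 #
 
- # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
+ # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock (bug 534030)
 files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
 
- courier_authdaemon_stream_connect(courier_tcpd_t)
- courier_domtrans_authdaemon(courier_tcpd_t)
+ ########################################
+ #
+ # Courier authdaemon policy
+ #
+
+ # Grant authdaemon getattr rights on security_t so that it can check if SELinux is enabled (needed through pam support) (bug 534030)
+ selinux_getattr_fs(courier_authdaemon_t)
 ')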
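Review bot: The rebuilt Courier authdaemon block at the end of the hunk no longer carries `mysql_stream_connect(courier_authdaemon_t)` or the `read_lnk_files_pattern` on courier_var_lib_t that the removed lines granted, and neither the commit title nor the new comments say why; unless those rules now live outside the distro_gentoo block, an authdaemon configured with a MySQL backend would start being denied after this change. The same applies to the dropped `courier_authdaemon_stream_connect(courier_tcpd_t)` and `courier_domtrans_authdaemon(courier_tcpd_t)` for the tcpd domain, which the hunk removes without a replacement rule. A one-line comment stating that the rules moved or were found unnecessary, e.g. `# mysql_stream_connect dropped: <reason> (bug 534030)`, would keep the intent auditable from the policy itself, as the other new comments do. Also, the new comment above `allow courier_pop_t self:capability { setuid setgid };` carries the old typo forward; suggest `# Switch after successful authentication (bug 534030)`.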