Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 30 Dec 2014 19:57:54
Message-Id: 1419969437.1546335dcf467c2a4d85eb4a956e229e6ff09692.swift@gentoo
1 commit: 1546335dcf467c2a4d85eb4a956e229e6ff09692
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Tue Dec 30 19:57:17 2014 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Tue Dec 30 19:57:17 2014 +0000
6 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1546335d
7
8 Fix bug 534030 - Update on courier policy with documentation in comments
9
10 ---
11 policy/modules/contrib/courier.te | 36 +++++++++++++++---------------------
12 1 file changed, 15 insertions(+), 21 deletions(-)
13
14 diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
15 index 213a094..ba0545c 100644
16 --- a/policy/modules/contrib/courier.te
17 +++ b/policy/modules/contrib/courier.te
18 @@ -186,42 +186,36 @@ optional_policy(`
19 ')
20
21 ifdef(`distro_gentoo',`
22 -
23 - ########################################
24 - #
25 - # Courier authdaemon policy
26 - #
27 - read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
28 -
29 - optional_policy(`
30 - mysql_stream_connect(courier_authdaemon_t)
31 - ')
32 -
33 ########################################
34 #
35 # Courier imap/pop daemon policy
36 #
37
38 - # Switch after succesfull authentication
39 + # Switch after succesfull authentication (bug 534030)
40 allow courier_pop_t self:capability { setuid setgid };
41
42 - files_search_var_lib(courier_pop_t)
43 - search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
44 - read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
45 -
46 - # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session
47 + # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session (bug 534030)
48 corecmd_exec_shell(courier_pop_t)
49
50 - courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
51 + # Locate authdaemon socket and communicate with authdaemon (bug 534030)
52 + stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
53 +
54 + # Manage maildir of users (bug 534030)
55 + mta_manage_mail_home_rw_content(courier_pop_t)
56
57 ########################################
58 #
59 # Courier tcpd daemon policy
60 #
61
62 - # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
63 + # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock (bug 534030)
64 files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
65
66 - courier_authdaemon_stream_connect(courier_tcpd_t)
67 - courier_domtrans_authdaemon(courier_tcpd_t)
68 + ########################################
69 + #
70 + # Courier authdaemon policy
71 + #
72 +
73 + # Grant authdaemon getattr rights on security_t so that it can check if SELinux is enabled (needed through pam support) (bug 534030)
74 + selinux_getattr_fs(courier_authdaemon_t)
75 ')