
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 02 Oct 2012 18:24:01
Message-Id: 1349201071.42314e38a4ebeca9d1fa617e33e26f2b8257bcff.SwifT@gentoo
1 commit: 42314e38a4ebeca9d1fa617e33e26f2b8257bcff
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Sat Sep 29 11:19:26 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:04:31 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=42314e38
7
8 Changes to the exim policy module and relevant dependencies
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/dovecot.if | 20 ++++++++
16 policy/modules/contrib/dovecot.te | 2 +-
17 policy/modules/contrib/exim.fc | 14 ++++--
18 policy/modules/contrib/exim.if | 65 +++++++++++++++++++++----
19 policy/modules/contrib/exim.te | 94 ++++++++++++++++++++++++-------------
20 5 files changed, 148 insertions(+), 47 deletions(-)
21
22 diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
23 index cf53f3d..34733ad 100644
24 --- a/policy/modules/contrib/dovecot.if
25 +++ b/policy/modules/contrib/dovecot.if
26 @@ -1,5 +1,25 @@
27 ## <summary>POP and IMAP mail server.</summary>
28
29 +#######################################
30 +## <summary>
31 +## Connect to dovecot using a unix
32 +## domain stream socket.
33 +## </summary>
34 +## <param name="domain">
35 +## <summary>
36 +## Domain allowed access.
37 +## </summary>
38 +## </param>
39 +#
40 +interface(`dovecot_stream_connect',`
41 + gen_require(`
42 + type dovecot_t, dovecot_var_run_t;
43 + ')
44 +
45 + files_search_pids($1)
46 + stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
47 +')
48 +
49 ########################################
50 ## <summary>
51 ## Connect to dovecot using a unix
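Review bot: The new interface's summary, `Connect to dovecot using a unix domain stream socket.`, is word-for-word the summary of the existing interface that follows it in the trailing context lines, so the two are indistinguishable in the generated interface documentation. Since `dovecot_stream_connect` allows connecting to any `dovecot_var_run_t` sock_file served by `dovecot_t` rather than one specific socket, say so: `## Connect to dovecot sockets in the runtime (pid) directory using a unix domain stream socket.` The new `#` header line also appears to be one character shorter than the neighbouring 40-character headers; cosmetic, but worth aligning before this goes upstream.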
52
53 diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
54 index da39b02..f5f0b6f 100644
55 --- a/policy/modules/contrib/dovecot.te
56 +++ b/policy/modules/contrib/dovecot.te
57 @@ -1,4 +1,4 @@
58 -policy_module(dovecot, 1.14.4)
59 +policy_module(dovecot, 1.14.5)
60
61 ########################################
62 #
63
64 diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
65 index 298f066..fd99946 100644
66 --- a/policy/modules/contrib/exim.fc
67 +++ b/policy/modules/contrib/exim.fc
68 @@ -1,8 +1,14 @@
69 -/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
70 -/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
71 +/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
72 +
73 +/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
74 +/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
75 +
76 +/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
77 +
78 /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
79 -/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
80 +
81 +/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
82
83 ifdef(`distro_debian',`
84 -/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
85 +/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
86 ')
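Review bot: `/usr/sbin/exim_tidydb` is labeled `exim_exec_t`, so any caller of `exim_domtrans()` that runs this spool-database maintenance tool ends up in `exim_t` with the full MTA privilege set (the chown/dac_override/setuid capabilities and SMTP bind visible in exim.te), which is considerably more than a tool that only tidies the hint databases under `exim_spool_t` needs. If sharing the type is intentional (`exim_t` can already `can_exec` it, so the daemon itself is unaffected), a one-line comment above the entry such as `# exim_tidydb needs the spool hints databases; runs as exim_t` would stop the next reviewer from re-asking. Separately, `/etc/rc\.d/init\.d/exim` is the refpolicy canonical init-script path; on Gentoo it presumably only matches through the `/etc/init.d` file-context substitution, which I cannot confirm from this patch.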
87
88 diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
89 index 6bef7f8..ae630d5 100644
90 --- a/policy/modules/contrib/exim.if
91 +++ b/policy/modules/contrib/exim.if
92 @@ -1,4 +1,4 @@
93 -## <summary>Exim mail transfer agent</summary>
94 +## <summary>Mail transfer agent.</summary>
95
96 ########################################
97 ## <summary>
98 @@ -15,13 +15,14 @@ interface(`exim_domtrans',`
99 type exim_t, exim_exec_t;
100 ')
101
102 + corecmd_search_bin($1)
103 domtrans_pattern($1, exim_exec_t, exim_t)
104 ')
105
106 ########################################
107 ## <summary>
108 -## Do not audit attempts to read,
109 -## exim tmp files
110 +## Do not audit attempts to read exim
111 +## temporary tmp files.
112 ## </summary>
113 ## <param name="domain">
114 ## <summary>
115 @@ -39,7 +40,7 @@ interface(`exim_dontaudit_read_tmp_files',`
116
117 ########################################
118 ## <summary>
119 -## Allow domain to read, exim tmp files
120 +## Read exim temporary files.
121 ## </summary>
122 ## <param name="domain">
123 ## <summary>
124 @@ -58,7 +59,7 @@ interface(`exim_read_tmp_files',`
125
126 ########################################
127 ## <summary>
128 -## Read exim PID files.
129 +## Read exim pid files.
130 ## </summary>
131 ## <param name="domain">
132 ## <summary>
133 @@ -77,7 +78,7 @@ interface(`exim_read_pid_files',`
134
135 ########################################
136 ## <summary>
137 -## Allow the specified domain to read exim's log files.
138 +## Read exim log files.
139 ## </summary>
140 ## <param name="domain">
141 ## <summary>
142 @@ -97,8 +98,7 @@ interface(`exim_read_log',`
143
144 ########################################
145 ## <summary>
146 -## Allow the specified domain to append
147 -## exim log files.
148 +## Append exim log files.
149 ## </summary>
150 ## <param name="domain">
151 ## <summary>
152 @@ -117,7 +117,8 @@ interface(`exim_append_log',`
153
154 ########################################
155 ## <summary>
156 -## Allow the specified domain to manage exim's log files.
157 +## Create, read, write, and delete
158 +## exim log files.
159 ## </summary>
160 ## <param name="domain">
161 ## <summary>
162 @@ -138,7 +139,7 @@ interface(`exim_manage_log',`
163 ########################################
164 ## <summary>
165 ## Create, read, write, and delete
166 -## exim spool dirs.
167 +## exim spool directories.
168 ## </summary>
169 ## <param name="domain">
170 ## <summary>
171 @@ -194,3 +195,47 @@ interface(`exim_manage_spool_files',`
172 manage_files_pattern($1, exim_spool_t, exim_spool_t)
173 files_search_spool($1)
174 ')
175 +
176 +########################################
177 +## <summary>
178 +## All of the rules required to
179 +## administrate an exim environment.
180 +## </summary>
181 +## <param name="domain">
182 +## <summary>
183 +## Domain allowed access.
184 +## </summary>
185 +## </param>
186 +## <param name="role">
187 +## <summary>
188 +## Role allowed access.
189 +## </summary>
190 +## </param>
191 +## <rolecap/>
192 +#
193 +interface(`exim_admin',`
194 + gen_require(`
195 + type exim_t, exim_spool_t, exim_log_t;
196 + type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
197 + ')
198 +
199 + allow $1 exim_t:process { ptrace signal_perms };
200 + ps_process_pattern($1, exim_t)
201 +
202 + init_labeled_script_domtrans($1, exim_initrc_exec_t)
203 + domain_system_change_exemption($1)
204 + role_transition $2 exim_initrc_exec_t system_r;
205 + allow $2 system_r;
206 +
207 + files_search_spool($1)
208 + admin_pattern($1, exim_spool_t)
209 +
210 + logging_search_logs($1)
211 + admin_pattern($1, exim_log_t)
212 +
213 + files_search_pids($1)
214 + admin_pattern($1, exim_var_run_t)
215 +
216 + files_search_tmp($1)
217 + admin_pattern($1, exim_tmp_t)
218 +')
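Review bot: `allow $1 exim_t:process { ptrace signal_perms };` gives the administrative domain read/write access to the running MTA's memory, which includes any TLS private keys and authentication secrets exim holds, while `signal_perms` together with `ps_process_pattern($1, exim_t)` already covers the start/stop/inspect tasks the interface summary describes. This follows the refpolicy admin-interface template, so if it is kept for consistency it deserves a comment; otherwise drop it to `allow $1 exim_t:process signal_perms;`. A smaller point: `files_search_tmp($1)` before `admin_pattern($1, exim_tmp_t)` lets the admin traverse /tmp but not list it; other admin interfaces I recall use `files_list_tmp($1)`, though I cannot see the sibling modules from here to confirm the convention in this tree.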
219
220 diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
221 index f28f64b..f50794d 100644
222 --- a/policy/modules/contrib/exim.te
223 +++ b/policy/modules/contrib/exim.te
224 @@ -1,4 +1,4 @@
225 -policy_module(exim, 1.5.0)
226 +policy_module(exim, 1.5.1)
227
228 ########################################
229 #
230 @@ -6,23 +6,26 @@ policy_module(exim, 1.5.0)
231 #
232
233 ## <desc>
234 -## <p>
235 -## Allow exim to connect to databases (postgres, mysql)
236 -## </p>
237 +## <p>
238 +## Determine whether exim can connect to
239 +## databases.
240 +## </p>
241 ## </desc>
242 gen_tunable(exim_can_connect_db, false)
243
244 ## <desc>
245 -## <p>
246 -## Allow exim to read unprivileged user files.
247 -## </p>
248 +## <p>
249 +## Determine whether exim can read generic
250 +## user content files.
251 +## </p>
252 ## </desc>
253 gen_tunable(exim_read_user_files, false)
254
255 ## <desc>
256 -## <p>
257 -## Allow exim to create, read, write, and delete
258 -## unprivileged user files.
259 +## <p>
260 +## Determine whether exim can create,
261 +## read, write, and delete generic user
262 +## content files.
263 ## </p>
264 ## </desc>
265 gen_tunable(exim_manage_user_files, false)
266 @@ -35,6 +38,9 @@ mta_mailserver_user_agent(exim_t)
267 application_executable_file(exim_exec_t)
268 mta_agent_executable(exim_exec_t)
269
270 +type exim_initrc_exec_t;
271 +init_script_file(exim_initrc_exec_t)
272 +
273 type exim_log_t;
274 logging_log_file(exim_log_t)
275
276 @@ -49,33 +55,34 @@ files_pid_file(exim_var_run_t)
277
278 ########################################
279 #
280 -# exim local policy
281 +# Local policy
282 #
283
284 allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
285 allow exim_t self:process { setrlimit setpgid };
286 allow exim_t self:fifo_file rw_fifo_file_perms;
287 -allow exim_t self:unix_stream_socket create_stream_socket_perms;
288 -allow exim_t self:tcp_socket create_stream_socket_perms;
289 -allow exim_t self:udp_socket create_socket_perms;
290 -
291 -can_exec(exim_t, exim_exec_t)
292 +allow exim_t self:unix_stream_socket { accept listen };
293 +allow exim_t self:tcp_socket { accept listen };
294
295 -manage_files_pattern(exim_t, exim_log_t, exim_log_t)
296 -logging_log_filetrans(exim_t, exim_log_t, { file dir })
297 +append_files_pattern(exim_t, exim_log_t, exim_log_t)
298 +create_files_pattern(exim_t, exim_log_t, exim_log_t)
299 +setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
300 +logging_log_filetrans(exim_t, exim_log_t, file)
301
302 manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
303 manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
304 manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
305 -files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })
306 +files_spool_filetrans(exim_t, exim_spool_t, { dir file sock_file })
307
308 manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
309 manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
310 -files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
311 +files_tmp_filetrans(exim_t, exim_tmp_t, { dir file })
312
313 manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
314 manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
315 -files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
316 +files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
317 +
318 +can_exec(exim_t, exim_exec_t)
319
320 kernel_read_kernel_sysctls(exim_t)
321 kernel_read_network_state(exim_t)
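Review bot: With `allow exim_t self:udp_socket create_socket_perms;` removed and the tcp/unix stream rules cut down to `{ accept listen }`, create/bind/connect/read/write on exim_t's own sockets now depends on a generic rule outside this module (presumably granted to every domain by the base policy in this tree); if that base rule is not present, DNS resolution from exim_t breaks and the surviving `corenet_udp_sendrecv_generic_node(exim_t)` in the next hunk grants nothing useful. Please confirm the base grants these, and record the dependency at the socket rules with a comment such as `# generic self socket permissions are granted to all domains by the base policy`. Note also that no `manage_dirs_pattern` exists for `exim_log_t`, so dropping `dir` from `logging_log_filetrans` does not change behaviour, but the daemon still cannot create `/var/log/exim` itself; the packaging must provide it.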
322 @@ -91,24 +98,32 @@ corenet_tcp_sendrecv_generic_node(exim_t)
323 corenet_udp_sendrecv_generic_node(exim_t)
324 corenet_tcp_sendrecv_all_ports(exim_t)
325 corenet_tcp_bind_generic_node(exim_t)
326 +
327 +corenet_sendrecv_smtp_server_packets(exim_t)
328 corenet_tcp_bind_smtp_port(exim_t)
329 +
330 +corenet_sendrecv_amavisd_send_server_packets(exim_t)
331 corenet_tcp_bind_amavisd_send_port(exim_t)
332 +
333 +corenet_sendrecv_auth_client_packets(exim_t)
334 corenet_tcp_connect_auth_port(exim_t)
335 +
336 +corenet_sendrecv_smtp_client_packets(exim_t)
337 corenet_tcp_connect_smtp_port(exim_t)
338 -corenet_tcp_connect_ldap_port(exim_t)
339 +
340 +corenet_sendrecv_inetd_child_client_packets(exim_t)
341 corenet_tcp_connect_inetd_child_port(exim_t)
342 -# connect to spamassassin
343 +
344 +corenet_sendrecv_spamd_client_packets(exim_t)
345 corenet_tcp_connect_spamd_port(exim_t)
346
347 dev_read_rand(exim_t)
348 dev_read_urand(exim_t)
349
350 -# Init script handling
351 domain_use_interactive_fds(exim_t)
352
353 files_search_usr(exim_t)
354 files_search_var(exim_t)
355 -files_read_etc_files(exim_t)
356 files_read_etc_runtime_files(exim_t)
357 files_getattr_all_mountpoints(exim_t)
358
359 @@ -130,10 +145,15 @@ mta_manage_spool(exim_t)
360 mta_mailserver_delivery(exim_t)
361
362 tunable_policy(`exim_can_connect_db',`
363 - corenet_tcp_connect_mysqld_port(exim_t)
364 - corenet_sendrecv_mysqld_client_packets(exim_t)
365 - corenet_tcp_connect_postgresql_port(exim_t)
366 - corenet_sendrecv_postgresql_client_packets(exim_t)
367 + corenet_sendrecv_gds_db_client_packets(exim_t)
368 + corenet_tcp_connect_gds_db_port(exim_t)
369 + corenet_tcp_sendrecv_gds_db_port(exim_t)
370 + corenet_sendrecv_mssql_client_packets(exim_t)
371 + corenet_tcp_connect_mssql_port(exim_t)
372 + corenet_tcp_sendrecv_mssql_port(exim_t)
373 + corenet_sendrecv_oracledb_client_packets(exim_t)
374 + corenet_tcp_connect_oracledb_port(exim_t)
375 + corenet_tcp_sendrecv_oracledb_port(exim_t)
376 ')
377
378 tunable_policy(`exim_read_user_files',`
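Review bot: Enabling `exim_can_connect_db` no longer lets exim reach a MySQL or PostgreSQL server unless the local mysql/postgresql policy modules are loaded, because the `corenet_tcp_connect_mysqld_port`/`corenet_tcp_connect_postgresql_port` rules that used to sit in this block are gone and their replacements live in `optional_policy()` blocks further down. The port types belong to corenetwork, not to those modules, so on a mail host that talks to a remote database without the local module installed this is a silent regression from the previous behaviour. Either keep the two corenet connect rules here next to the new gds_db/mssql/oracledb ones, or make the tunable description above state exactly which databases the boolean covers.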
379 @@ -162,6 +182,10 @@ optional_policy(`
380 ')
381
382 optional_policy(`
383 + dovecot_stream_connect(exim_t)
384 +')
385 +
386 +optional_policy(`
387 kerberos_keytab_template(exim, exim_t)
388 ')
389
390 @@ -171,14 +195,23 @@ optional_policy(`
391 ')
392
393 optional_policy(`
394 + nagios_search_spool(exim_t)
395 +')
396 +
397 +optional_policy(`
398 tunable_policy(`exim_can_connect_db',`
399 + mysql_rw_db_sockets(exim_t)
400 mysql_stream_connect(exim_t)
401 + mysql_tcp_connect(exim_t)
402 ')
403 ')
404
405 optional_policy(`
406 + postgresql_unpriv_client(exim_t)
407 +
408 tunable_policy(`exim_can_connect_db',`
409 postgresql_stream_connect(exim_t)
410 + postgresql_tcp_connect(exim_t)
411 ')
412 ')
413
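Review bot: `postgresql_unpriv_client(exim_t)` is placed outside the `exim_can_connect_db` tunable, so the SE-PostgreSQL client rules it carries apply even when the boolean is off, while `postgresql_stream_connect`/`postgresql_tcp_connect` are gated; move it inside the `tunable_policy` block so the boolean fully describes exim's database access, or add a comment explaining why it must be unconditional. `nagios_search_spool(exim_t)` is also added with no hint of the use case; if it is for delivering to the nagios command pipe, a comment such as `# search the nagios spool to reach the command file` would make that clear, since nothing else in this module motivates it.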
414 @@ -191,9 +224,6 @@ optional_policy(`
415 ')
416
417 optional_policy(`
418 - # https://bugzilla.redhat.com/show_bug.cgi?id=512710
419 - # uses sendmail for outgoing mail and exim
420 - # for incoming mail
421 sendmail_manage_tmp_files(exim_t)
422 ')