
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 01 Nov 2012 21:42:24
Message-Id: 1351803277.b88cdf0ca896b7db7e9262a76bbb6b9a6ae01ffa.SwifT@gentoo
1 commit: b88cdf0ca896b7db7e9262a76bbb6b9a6ae01ffa
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Thu Nov 1 20:54:37 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Nov 1 20:54:37 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b88cdf0c
7
8 Reshuffle Gentoo-specific courier changes
9
10 ---
11 policy/modules/contrib/courier.if | 82 ++++++++++++++++++------------------
12 policy/modules/contrib/courier.te | 34 +++++++++------
13 2 files changed, 62 insertions(+), 54 deletions(-)
14
15 diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
16 index 0d8806b..0705659 100644
17 --- a/policy/modules/contrib/courier.if
18 +++ b/policy/modules/contrib/courier.if
19 @@ -2,7 +2,7 @@
20
21 #######################################
22 ## <summary>
23 -## The template to define a courier domain.
24 +## The template to define a courier domain.
25 ## </summary>
26 ## <param name="domain_prefix">
27 ## <summary>
28 @@ -15,7 +15,7 @@ template(`courier_domain_template',`
29 attribute courier_domain;
30 ')
31
32 - #######################################
33 + ########################################
34 #
35 # Declarations
36 #
37 @@ -24,7 +24,7 @@ template(`courier_domain_template',`
38 type courier_$1_exec_t;
39 init_daemon_domain(courier_$1_t, courier_$1_exec_t)
40
41 - #######################################
42 + ########################################
43 #
44 # Policy
45 #
46 @@ -74,44 +74,6 @@ interface(`courier_stream_connect_authdaemon',`
47
48 ########################################
49 ## <summary>
50 -## Allow read/write operations on an inherited stream socket
51 -## </summary>
52 -## <param name="domain">
53 -## <summary>
54 -## Domain allowed access.
55 -## </summary>
56 -## </param>
57 -## <rolecap/>
58 -#
59 -interface(`courier_authdaemon_rw_inherited_stream_sockets',`
60 - gen_require(`
61 - type courier_authdaemon_t;
62 - ')
63 - allow $1 courier_authdaemon_t:unix_stream_socket { read write };
64 -')
65 -
66 -
67 -########################################
68 -## <summary>
69 -## Connect to Authdaemon using a unix domain stream socket.
70 -## </summary>
71 -## <param name="domain">
72 -## <summary>
73 -## Domain allowed access.
74 -## </summary>
75 -## </param>
76 -## <rolecap/>
77 -#
78 -interface(`courier_authdaemon_stream_connect',`
79 - gen_require(`
80 - type courier_authdaemon_t, courier_var_run_t;
81 - ')
82 -
83 - stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
84 -')
85 -
86 -########################################
87 -## <summary>
88 ## Execute the courier POP3 and IMAP
89 ## server with a domain transition.
90 ## </summary>
91 @@ -226,3 +188,41 @@ interface(`courier_rw_spool_pipes',`
92 files_search_var($1)
93 allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
94 ')
95 +
96 +########################################
97 +## <summary>
98 +## Allow read/write operations on an inherited stream socket
99 +## </summary>
100 +## <param name="domain">
101 +## <summary>
102 +## Domain allowed access.
103 +## </summary>
104 +## </param>
105 +## <rolecap/>
106 +#
107 +interface(`courier_authdaemon_rw_inherited_stream_sockets',`
108 + gen_require(`
109 + type courier_authdaemon_t;
110 + ')
111 + allow $1 courier_authdaemon_t:unix_stream_socket { read write };
112 +')
113 +
114 +
115 +########################################
116 +## <summary>
117 +## Connect to Authdaemon using a unix domain stream socket.
118 +## </summary>
119 +## <param name="domain">
120 +## <summary>
121 +## Domain allowed access.
122 +## </summary>
123 +## </param>
124 +## <rolecap/>
125 +#
126 +interface(`courier_authdaemon_stream_connect',`
127 + gen_require(`
128 + type courier_authdaemon_t, courier_var_run_t;
129 + ')
130 +
131 + stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
132 +')
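Review bot: Both re-added interfaces carry `<rolecap/>`, yet neither reads as a role capability: one grants a domain read/write on inherited `courier_authdaemon_t` unix stream sockets and the other a stream connect to the authdaemon socket through `courier_var_run_t`, which are daemon-to-daemon rules, while as I understand refpolicy convention that tag marks interfaces meant to be handed to user roles, so it should be dropped from both. `courier_authdaemon_rw_inherited_stream_sockets` also lacks the blank line between `gen_require` and the `allow` that its sibling has. Its summary could name the target, `## Read and write inherited courier authdaemon unix stream sockets.`, instead of the generic "an inherited stream socket".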
133
134 diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
135 index ca5aed1..cf44dcd 100644
136 --- a/policy/modules/contrib/courier.te
137 +++ b/policy/modules/contrib/courier.te
138 @@ -99,8 +99,6 @@ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
139 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
140 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
141
142 -read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
143 -
144 can_exec(courier_authdaemon_t, courier_exec_t)
145
146 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
147 @@ -118,6 +116,10 @@ miscfiles_read_localization(courier_authdaemon_t)
148
149 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
150
151 +ifdef(`distro_gentoo',`
152 + read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
153 +')
154 +
155 ########################################
156 #
157 # Calendar (PCP) local policy
158 @@ -139,19 +141,21 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
159
160 allow courier_pop_t courier_var_lib_t:file { read write };
161
162 -# TODO Correct this, mentioning "var_lib_t" here is not done.
163 -search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
164 -read_lnk_files_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
165 -
166 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
167
168 miscfiles_read_localization(courier_pop_t)
169
170 -courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
171 -
172 userdom_manage_user_home_content_files(courier_pop_t)
173 userdom_manage_user_home_content_dirs(courier_pop_t)
174
175 +ifdef(`distro_gentoo',`
176 + files_search_var_lib(courier_pop_t)
177 + search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
178 + read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
179 +
180 + courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
181 +')
182 +
183 ########################################
184 #
185 # TCPd local policy
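Review bot: `files_search_var_lib(courier_pop_t)` and the `search_dirs_pattern` on `courier_var_lib_t` are now Gentoo-only, but the unchanged `allow courier_pop_t courier_var_lib_t:file { read write };` a few lines above stays unconditional; unless a rule outside this hunk grants the directory search, that file access is unreachable on non-Gentoo builds, so either it belongs in the same block or the search rules should stay outside it. The block also calls the module's own interface, `courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)`, from courier.te, where refpolicy style is to write the rule directly: `allow courier_pop_t courier_authdaemon_t:unix_stream_socket { read write };`. The courier_pop_t section begins before this hunk.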
186 @@ -182,8 +186,10 @@ dev_read_urand(courier_tcpd_t)
187
188 miscfiles_read_localization(courier_tcpd_t)
189
190 -courier_authdaemon_stream_connect(courier_tcpd_t)
191 -courier_domtrans_authdaemon(courier_tcpd_t)
192 +ifdef(`distro_gentoo',`
193 + courier_authdaemon_stream_connect(courier_tcpd_t)
194 + courier_domtrans_authdaemon(courier_tcpd_t)
195 +')
196
197 ########################################
198 #
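Review bot: Making the `courier_tcpd_t` to `courier_authdaemon_t` stream connect and domain transition Gentoo-only leaves the reverse direction asymmetric, since `allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;` earlier in courier.te stays unconditional; a comment in the block should say which Gentoo layout requires tcpd to both connect to and exec into authdaemon, e.g. `# Gentoo: courier-tcpd spawns authdaemon and talks to it over the authdaemon socket -- confirm`. If the upstream layout never needs either rule, that is worth recording too so the split is not undone by accident. The tcpd section header is outside this hunk.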
199 @@ -192,10 +198,12 @@ courier_domtrans_authdaemon(courier_tcpd_t)
200
201 kernel_read_kernel_sysctls(courier_sqwebmail_t)
202
203 -optional_policy(`
204 - cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
205 +ifdef(`distro_gentoo',`
206 + optional_policy(`
207 + mysql_stream_connect(courier_authdaemon_t)
208 + ')
209 ')
210
211 optional_policy(`
212 - mysql_stream_connect(courier_authdaemon_t)
213 + cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
214 ')
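Review bot: The Gentoo-only `mysql_stream_connect(courier_authdaemon_t)` block is placed in the section whose first rule is `kernel_read_kernel_sysctls(courier_sqwebmail_t)`, i.e. the sqwebmail local policy, although it grants access to `courier_authdaemon_t`; it should move up into the authdaemon local policy section alongside the other Gentoo-only authdaemon rule so readers auditing authdaemon find all of its rules in one place. The section header for this block lies outside the hunk. Swapping its position with the `cron_system_entry` optional block, as this hunk does, only reorders the misplaced rule rather than relocating it.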