1 |
commit: b88cdf0ca896b7db7e9262a76bbb6b9a6ae01ffa |
2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
3 |
AuthorDate: Thu Nov 1 20:54:37 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Thu Nov 1 20:54:37 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b88cdf0c |
7 |
|
8 |
Reshuffle gentoo specific courier changes |
9 |
|
10 |
--- |
11 |
policy/modules/contrib/courier.if | 82 ++++++++++++++++++------------------ |
12 |
policy/modules/contrib/courier.te | 34 +++++++++------ |
13 |
2 files changed, 62 insertions(+), 54 deletions(-) |
14 |
|
15 |
diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if |
16 |
index 0d8806b..0705659 100644 |
17 |
--- a/policy/modules/contrib/courier.if |
18 |
+++ b/policy/modules/contrib/courier.if |
19 |
@@ -2,7 +2,7 @@ |
20 |
|
21 |
####################################### |
22 |
## <summary> |
23 |
-## The template to define a courier domain. |
24 |
+## The template to define a courier domain. |
25 |
## </summary> |
26 |
## <param name="domain_prefix"> |
27 |
## <summary> |
28 |
@@ -15,7 +15,7 @@ template(`courier_domain_template',` |
29 |
attribute courier_domain; |
30 |
') |
31 |
|
32 |
- ####################################### |
33 |
+ ######################################## |
34 |
# |
35 |
# Declarations |
36 |
# |
37 |
@@ -24,7 +24,7 @@ template(`courier_domain_template',` |
38 |
type courier_$1_exec_t; |
39 |
init_daemon_domain(courier_$1_t, courier_$1_exec_t) |
40 |
|
41 |
- ####################################### |
42 |
+ ######################################## |
43 |
# |
44 |
# Policy |
45 |
# |
46 |
@@ -74,44 +74,6 @@ interface(`courier_stream_connect_authdaemon',` |
47 |
|
48 |
######################################## |
49 |
## <summary> |
50 |
-## Allow read/write operations on an inherited stream socket |
51 |
-## </summary> |
52 |
-## <param name="domain"> |
53 |
-## <summary> |
54 |
-## Domain allowed access. |
55 |
-## </summary> |
56 |
-## </param> |
57 |
-## <rolecap/> |
58 |
-# |
59 |
-interface(`courier_authdaemon_rw_inherited_stream_sockets',` |
60 |
- gen_require(` |
61 |
- type courier_authdaemon_t; |
62 |
- ') |
63 |
- allow $1 courier_authdaemon_t:unix_stream_socket { read write }; |
64 |
-') |
65 |
- |
66 |
- |
67 |
-######################################## |
68 |
-## <summary> |
69 |
-## Connect to Authdaemon using a unix domain stream socket. |
70 |
-## </summary> |
71 |
-## <param name="domain"> |
72 |
-## <summary> |
73 |
-## Domain allowed access. |
74 |
-## </summary> |
75 |
-## </param> |
76 |
-## <rolecap/> |
77 |
-# |
78 |
-interface(`courier_authdaemon_stream_connect',` |
79 |
- gen_require(` |
80 |
- type courier_authdaemon_t, courier_var_run_t; |
81 |
- ') |
82 |
- |
83 |
- stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t) |
84 |
-') |
85 |
- |
86 |
-######################################## |
87 |
-## <summary> |
88 |
## Execute the courier POP3 and IMAP |
89 |
## server with a domain transition. |
90 |
## </summary> |
91 |
@@ -226,3 +188,41 @@ interface(`courier_rw_spool_pipes',` |
92 |
files_search_var($1) |
93 |
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; |
94 |
') |
95 |
+ |
96 |
+######################################## |
97 |
+## <summary> |
98 |
+## Allow read/write operations on an inherited stream socket |
99 |
+## </summary> |
100 |
+## <param name="domain"> |
101 |
+## <summary> |
102 |
+## Domain allowed access. |
103 |
+## </summary> |
104 |
+## </param> |
105 |
+## <rolecap/> |
106 |
+# |
107 |
+interface(`courier_authdaemon_rw_inherited_stream_sockets',` |
108 |
+ gen_require(` |
109 |
+ type courier_authdaemon_t; |
110 |
+ ') |
111 |
+ allow $1 courier_authdaemon_t:unix_stream_socket { read write }; |
112 |
+') |
113 |
+ |
114 |
+ |
115 |
+######################################## |
116 |
+## <summary> |
117 |
+## Connect to Authdaemon using a unix domain stream socket. |
118 |
+## </summary> |
119 |
+## <param name="domain"> |
120 |
+## <summary> |
121 |
+## Domain allowed access. |
122 |
+## </summary> |
123 |
+## </param> |
124 |
+## <rolecap/> |
125 |
+# |
126 |
+interface(`courier_authdaemon_stream_connect',` |
127 |
+ gen_require(` |
128 |
+ type courier_authdaemon_t, courier_var_run_t; |
129 |
+ ') |
130 |
+ |
131 |
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t) |
132 |
+') |
133 |
|
134 |
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te |
135 |
index ca5aed1..cf44dcd 100644 |
136 |
--- a/policy/modules/contrib/courier.te |
137 |
+++ b/policy/modules/contrib/courier.te |
138 |
@@ -99,8 +99,6 @@ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; |
139 |
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; |
140 |
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; |
141 |
|
142 |
-read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) |
143 |
- |
144 |
can_exec(courier_authdaemon_t, courier_exec_t) |
145 |
|
146 |
domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t) |
147 |
@@ -118,6 +116,10 @@ miscfiles_read_localization(courier_authdaemon_t) |
148 |
|
149 |
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) |
150 |
|
151 |
+ifdef(`distro_gentoo',` |
152 |
+ read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) |
153 |
+') |
154 |
+ |
155 |
######################################## |
156 |
# |
157 |
# Calendar (PCP) local policy |
158 |
@@ -139,19 +141,21 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s |
159 |
|
160 |
allow courier_pop_t courier_var_lib_t:file { read write }; |
161 |
|
162 |
-# TODO Correct this, mentioning "var_lib_t" here is not done. |
163 |
-search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t) |
164 |
-read_lnk_files_pattern(courier_pop_t, var_lib_t, courier_var_lib_t) |
165 |
- |
166 |
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) |
167 |
|
168 |
miscfiles_read_localization(courier_pop_t) |
169 |
|
170 |
-courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t) |
171 |
- |
172 |
userdom_manage_user_home_content_files(courier_pop_t) |
173 |
userdom_manage_user_home_content_dirs(courier_pop_t) |
174 |
|
175 |
+ifdef(`distro_gentoo',` |
176 |
+ files_search_var_lib(courier_pop_t) |
177 |
+ search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) |
178 |
+ read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) |
179 |
+ |
180 |
+ courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t) |
181 |
+') |
182 |
+ |
183 |
######################################## |
184 |
# |
185 |
# TCPd local policy |
186 |
@@ -182,8 +186,10 @@ dev_read_urand(courier_tcpd_t) |
187 |
|
188 |
miscfiles_read_localization(courier_tcpd_t) |
189 |
|
190 |
-courier_authdaemon_stream_connect(courier_tcpd_t) |
191 |
-courier_domtrans_authdaemon(courier_tcpd_t) |
192 |
+ifdef(`distro_gentoo',` |
193 |
+ courier_authdaemon_stream_connect(courier_tcpd_t) |
194 |
+ courier_domtrans_authdaemon(courier_tcpd_t) |
195 |
+') |
196 |
|
197 |
######################################## |
198 |
# |
199 |
@@ -192,10 +198,12 @@ courier_domtrans_authdaemon(courier_tcpd_t) |
200 |
|
201 |
kernel_read_kernel_sysctls(courier_sqwebmail_t) |
202 |
|
203 |
-optional_policy(` |
204 |
- cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) |
205 |
+ifdef(`distro_gentoo',` |
206 |
+ optional_policy(` |
207 |
+ mysql_stream_connect(courier_authdaemon_t) |
208 |
+ ') |
209 |
') |
210 |
|
211 |
optional_policy(` |
212 |
- mysql_stream_connect(courier_authdaemon_t) |
213 |
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) |
214 |
') |