commit: 3f0e0524d443adce4e2c4ce3d460e2d35dc12ec5 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Fri Jan 2 17:21:24 2015 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Fri Jan 2 17:21:24 2015 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f0e0524 |
Merge with upstream done, remove gentoo specifics |
--- |
policy/modules/contrib/courier.fc | 5 ----- |
policy/modules/contrib/courier.if | 38 -------------------------------------- |
policy/modules/contrib/courier.te | 19 +------------------ |
3 files changed, 1 insertion(+), 61 deletions(-) |
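diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
index c0f288b..2f017a0 100644
--- a/policy/modules/contrib/courier.fc
+++ b/policy/modules/contrib/courier.fc
@@ -30,8 +30,3 @@
 
 /var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
 /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
-
-ifdef(`distro_gentoo',`
-# Default location for authdaemon socket, should be /var/run imo but meh
-/var/lib/courier/authdaemon(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
-')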
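diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
index 0705659..10f820f 100644
--- a/policy/modules/contrib/courier.if
+++ b/policy/modules/contrib/courier.if
@@ -188,41 +188,3 @@ interface(`courier_rw_spool_pipes',`
 files_search_var($1)
 allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
 ')
-
-########################################
-## <summary>
-## Allow read/write operations on an inherited stream socket
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`courier_authdaemon_rw_inherited_stream_sockets',`
- gen_require(`
- type courier_authdaemon_t;
- ')
- allow $1 courier_authdaemon_t:unix_stream_socket { read write };
-')
-
-
-########################################
-## <summary>
-## Connect to Authdaemon using a unix domain stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`courier_authdaemon_stream_connect',`
- gen_require(`
- type courier_authdaemon_t, courier_var_run_t;
- ')
-
- stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
-')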
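diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 2171e04..dd23992 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -194,23 +194,6 @@ optional_policy(`
 ifdef(`distro_gentoo',`
 ########################################
 #
- # Courier imap/pop daemon policy
- #
-
- # Switch after succesfull authentication (bug 534030)
- allow courier_pop_t self:capability { setuid setgid };
-
- # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session (bug 534030)
- corecmd_exec_shell(courier_pop_t)
-
- # Locate authdaemon socket and communicate with authdaemon (bug 534030)
- stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
-
- # Manage maildir of users (bug 534030)
- mta_manage_mail_home_rw_content(courier_pop_t)
-
- ########################################
- #
 # Courier tcpd daemon policy
 #
 
@@ -223,6 +206,6 @@ ifdef(`distro_gentoo',`
 #
 
 # Grant authdaemon getattr rights on security_t so that it can check if SELinux is enabled (needed through pam support) (bug 534030)
- # selinux_getattr_fs(courier_authdaemon_t)
+ # Handled through pam use
 auth_use_pam(courier_authdaemon_t)
 ')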
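Review bot: The replacement comment `# Handled through pam use` in the second hunk does not say what is handled, so the reader is left with a comment promising a getattr grant on security_t followed only by `auth_use_pam(courier_authdaemon_t)` and no trace of which rule now supplies it. The removed line at least named the interface, so I would fold that into the new comment, e.g. `# selinuxfs getattr (previously selinux_getattr_fs) is expected to come via auth_use_pam()`, assuming auth_use_pam() does provide that permission — worth confirming against the upstream interface, since if it does not, authdaemon's SELinux check will silently fail in enforcing mode. The enclosing `ifdef(`distro_gentoo',`` block opens in this file's first hunk and closes at the `')` here, so the two hunks should be read together.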