commit 29ce0009bcc7701577c3a64bcc777994f89f2a28
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Oct 21 15:38:22 2005 +0000
add dovecot
refpolicy/Changelog | 1 +
refpolicy/policy/modules/services/dovecot.fc | 35 +++++
refpolicy/policy/modules/services/dovecot.if | 22 +++
refpolicy/policy/modules/services/dovecot.te | 190 ++++++++++++++++++++++++++
refpolicy/policy/modules/services/mta.if | 4 +
refpolicy/policy/modules/system/authlogin.if | 5 +-
refpolicy/policy/modules/system/init.if | 17 +++
7 files changed, 272 insertions(+), 2 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 85402f9..38c0c70 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -2,6 +2,7 @@
build phase instead of during the generation phase.
- DISTRO=redhat now implies DIRECT_INITRC=y.
- Added policies:
+ dovecot
distcc
* Wed Oct 19 2005 Chris PeBenito <selinux at tresys.com> - 20051019
diff --git a/refpolicy/policy/modules/services/dovecot.fc b/refpolicy/policy/modules/services/dovecot.fc
new file mode 100644
index 0000000..0b5a513
--- /dev/null
+++ b/refpolicy/policy/modules/services/dovecot.fc
@@ -0,0 +1,35 @@
+
+#
+# /etc
+#
+/etc/dovecot.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
+
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+
+
+
+
diff --git a/refpolicy/policy/modules/services/dovecot.if b/refpolicy/policy/modules/services/dovecot.if
new file mode 100644
index 0000000..49ef250
--- /dev/null
+++ b/refpolicy/policy/modules/services/dovecot.if
@@ -0,0 +1,22 @@
+## <summary>Dovecot POP and IMAP mail server</summary>
+
+########################################
+## <summary>
+## Create, read, write, and delete the dovecot spool files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dovecot_manage_spool',`
+ gen_require(`
+ type dovecot_spool_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ class lnk_file create_lnk_perms;
+ ')
+
+ allow $1 dovecot_spool_t:dir rw_dir_perms;
+ allow $1 dovecot_spool_t:file create_file_perms;
+ allow $1 dovecot_spool_t:lnk_file create_lnk_perms;
+')
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
new file mode 100644
index 0000000..78c88d1
--- /dev/null
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -0,0 +1,190 @@
+
+policy_module(dovecot,1.0)
+
+########################################
+#
+# Declarations
+#
+type dovecot_t; #, privhome;
+type dovecot_exec_t;
+init_daemon_domain(dovecot_t,dovecot_exec_t)
+
+type dovecot_cert_t;
+files_type(dovecot_cert_t)
+
+type dovecot_etc_t; #, usercanread;
+files_type(dovecot_etc_t)
+
+type dovecot_passwd_t;
+files_type(dovecot_passwd_t)
+
+type dovecot_spool_t;
+files_type(dovecot_spool_t)
+
+type dovecot_var_run_t;
+files_pid_file(dovecot_var_run_t)
+
+type dovecot_auth_t;
+type dovecot_auth_exec_t;
+domain_type(dovecot_auth_t)
+domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
+role system_r types dovecot_auth_t;
+
+########################################
+#
+# dovecot local policy
+#
+allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+dontaudit dovecot_t self:capability sys_tty_config;
+allow dovecot_t self:process { setrlimit signal_perms };
+allow dovecot_t self:fifo_file rw_file_perms;
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+allow dovecot_t dovecot_auth_t:fd use;
+allow dovecot_auth_t dovecot_t:process sigchld;
+allow dovecot_auth_t dovecot_t:fd use;
+allow dovecot_auth_t dovecot_t:fifo_file { ioctl read write getattr lock append };
+
+allow dovecot_t dovecot_cert_t:dir { getattr read search };
+allow dovecot_t dovecot_cert_t:file { read getattr ioctl lock };
+allow dovecot_t dovecot_cert_t:lnk_file { getattr read };
+
+allow dovecot_t dovecot_etc_t:file { getattr read };
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
+
+allow dovecot_t dovecot_spool_t:dir create_dir_perms;
+allow dovecot_t dovecot_spool_t:file create_file_perms;
+allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
+
+allow dovecot_t dovecot_var_run_t:file create_file_perms;
+allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
+allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
+files_create_pid(dovecot_t,dovecot_var_run_t)
+
+kernel_read_kernel_sysctl(dovecot_t)
+kernel_read_system_state(dovecot_t)
+
+corenet_tcp_sendrecv_all_if(dovecot_t)
+corenet_raw_sendrecv_all_if(dovecot_t)
+corenet_tcp_sendrecv_all_nodes(dovecot_t)
+corenet_raw_sendrecv_all_nodes(dovecot_t)
+corenet_tcp_sendrecv_all_ports(dovecot_t)
+corenet_tcp_bind_all_nodes(dovecot_t)
+
+dev_read_sysfs(dovecot_t)
+dev_read_urand(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+
+term_dontaudit_use_console(dovecot_t)
+
+corecmd_exec_bin(dovecot_t)
+
+domain_use_wide_inherit_fd(dovecot_t)
+
+files_read_etc_files(dovecot_t)
+files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
+
+init_use_fd(dovecot_t)
+init_use_script_pty(dovecot_t)
+init_getattr_script_pids(dovecot_t)
+
+libs_use_ld_so(dovecot_t)
+libs_use_shared_libs(dovecot_t)
+
+logging_send_syslog_msg(dovecot_t)
+
+miscfiles_read_certs(dovecot_t)
+miscfiles_read_localization(dovecot_t)
+
+sysnet_read_config(dovecot_t)
+sysnet_use_ldap(dovecot_auth_t)
+
+userdom_dontaudit_use_unpriv_user_fd(dovecot_t)
+userdom_dontaudit_search_sysadm_home_dir(dovecot_t)
+
+mta_append_spool(dovecot_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(dovecot_t)
+ term_dontaudit_use_generic_pty(dovecot_t)
+ files_dontaudit_read_root_file(dovecot_t)
+')
+
+optional_policy(`kerberos.te',`
+ kerberos_use(dovecot_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(dovecot_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(dovecot_t)
+')
+
+optional_policy(`udev.te',`
+ udev_read_db(dovecot_t)
+')
+
+########################################
+#
+# dovecot auth local policy
+#
+allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:process signal_perms;
+allow dovecot_auth_t self:fifo_file rw_file_perms;
+allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+
+allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+
+kernel_read_all_sysctl(dovecot_auth_t)
+kernel_read_system_state(dovecot_auth_t)
+
+dev_read_urand(dovecot_auth_t)
+
+auth_domtrans_chk_passwd(dovecot_auth_t)
+
+files_read_etc_files(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+
+libs_use_ld_so(dovecot_auth_t)
+libs_use_shared_libs(dovecot_auth_t)
+
+miscfiles_read_localization(dovecot_auth_t)
+
+seutil_dontaudit_search_config(dovecot_auth_t)
+
+sysnet_dns_name_resolve(dovecot_auth_t)
+
+optional_policy(`kerberos.te',`
+ kerberos_use(dovecot_auth_t)
+')
+
+optional_policy(`logging.te',`
+ logging_send_syslog_msg(dovecot_auth_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(dovecot_auth_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(dovecot_auth_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(dovecot_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 4ac148d..fffbc96 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -252,6 +252,10 @@ interface(`mta_mailserver_delivery',`
typeattribute $1 mailserver_delivery;
+ optional_policy(`dovecot.te',`
+ dovecot_manage_spool($1)
+ ')
+
optional_policy(`mailman.te',`
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib($1)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index ff4289a..5dc7695 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -77,6 +77,7 @@ template(`authlogin_per_userdomain_template',`
logging_send_syslog_msg($1_chkpwd_t)
+ miscfiles_read_certs($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
seutil_read_config($1_chkpwd_t)
@@ -108,7 +109,6 @@ template(`authlogin_per_userdomain_template',`
ifdef(`TODO',`
can_winbind($1)
- r_dir_file($1, cert_t)
')
')
@@ -229,6 +229,8 @@ interface(`auth_domtrans_chk_passwd',`
dev_read_rand($1)
dev_read_urand($1)
+ miscfiles_read_certs($1)
+
sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
@@ -242,7 +244,6 @@ interface(`auth_domtrans_chk_passwd',`
ifdef(`TODO',`
can_winbind($1)
- r_dir_file($1, cert_t)
dontaudit $1 shadow_t:file { getattr read };
')
')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index a75d182..29fe566 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -667,6 +667,23 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
+## Get the attributes of init script process id files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`init_getattr_script_pids',`
+ gen_require(`
+ type initrc_var_run_t;
+ class file getattr;
+ ')
+
+ allow $1 initrc_var_run_t:file getattr;
+')
+
+########################################
+## <summary>
## List the contents of an init script
## process id directory.
## </summary>