[selinux-policy: 1325/3172] add qmail
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:59:59 UTC 2010
commit 65e131f0c7a70d59f21d14e7b3b171e23c0188e2
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Apr 5 15:32:38 2006 +0000
add qmail
refpolicy/Changelog | 1 +
refpolicy/policy/modules/kernel/corecommands.fc | 5 +
refpolicy/policy/modules/kernel/corecommands.te | 2 +-
refpolicy/policy/modules/services/mta.fc | 6 +-
refpolicy/policy/modules/services/mta.if | 10 +-
refpolicy/policy/modules/services/mta.te | 6 +-
refpolicy/policy/modules/services/qmail.fc | 47 ++++
refpolicy/policy/modules/services/qmail.if | 209 +++++++++++++++
refpolicy/policy/modules/services/qmail.te | 313 +++++++++++++++++++++++
refpolicy/policy/modules/services/ucspitcp.te | 4 +-
refpolicy/policy/modules/system/daemontools.fc | 4 +
refpolicy/policy/modules/system/daemontools.te | 6 +-
12 files changed, 601 insertions(+), 12 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index b4df0f5..5077bda 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -40,6 +40,7 @@
games
mozilla
mplayer
+ qmail (Petre Rodan)
rhgb
thunderbird
tor (Erich Schubert)
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index 3fbafa0..a2c59dd 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -164,6 +164,7 @@ ifdef(`distro_gentoo',`
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/.*-.*-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
')
ifdef(`distro_redhat', `
@@ -221,6 +222,10 @@ ifdef(`distro_suse', `
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
+/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
+
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
index 5b418df..d166d62 100644
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.3.6)
+policy_module(corecommands,1.3.7)
########################################
#
diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc
index 7a677d6..14ff65c 100644
--- a/refpolicy/policy/modules/services/mta.fc
+++ b/refpolicy/policy/modules/services/mta.fc
@@ -1,6 +1,6 @@
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
ifdef(`distro_redhat',`
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
@@ -14,8 +14,10 @@ ifdef(`distro_redhat',`
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
#ifdef(`postfix.te', `', `
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 3bac4bd..b0d0784 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -112,6 +112,10 @@ template(`mta_base_mail_template',`
')
optional_policy(`
+ qmail_domtrans_inject($1_mail_t)
+ ')
+
+ optional_policy(`
gen_require(`
type etc_mail_t, mail_spool_t, mqueue_spool_t;
')
@@ -138,12 +142,6 @@ template(`mta_base_mail_template',`
sendmail_create_log($1_mail_t)
')
- ifdef(`TODO',`
- ifdef(`qmail.te', `
- allow $1_mail_t qmail_etc_t:dir search;
- allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
- ')
- ') dnl end TODO
')
#######################################
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 534bddc..369e0e8 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.3.0)
+policy_module(mta,1.3.1)
########################################
#
@@ -162,6 +162,10 @@ optional_policy(`
')
optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
+')
+
+optional_policy(`
userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)
optional_policy(`
diff --git a/refpolicy/policy/modules/services/qmail.fc b/refpolicy/policy/modules/services/qmail.fc
new file mode 100644
index 0000000..0055e54
--- /dev/null
+++ b/refpolicy/policy/modules/services/qmail.fc
@@ -0,0 +1,47 @@
+
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+')
+
diff --git a/refpolicy/policy/modules/services/qmail.if b/refpolicy/policy/modules/services/qmail.if
new file mode 100644
index 0000000..a9ac709
--- /dev/null
+++ b/refpolicy/policy/modules/services/qmail.if
@@ -0,0 +1,209 @@
+## <summary>Qmail Mail Server</summary>
+
+#######################################
+## <summary>
+## The per user domain template for qmail
+## </summary>
+## <desc>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`qmail_per_userdomain_template',`
+ gen_require(`
+ attribute qmail_user_domains;
+ ')
+
+ role $3 types qmail_user_domains;
+
+ qmail_domtrans_inject($2)
+
+ allow qmail_user_domains $2:process sigchld;
+ allow qmail_user_domains $2:fifo_file { write getattr };
+ allow qmail_user_domains $2:fd use;
+
+')
+
+########################################
+## <summary>
+## Template for qmail parent/sub-domain pairs
+## </summary>
+## <param name="child_prefix">
+## <summary>
+## The prefix of the child domain
+## </summary>
+## </param>
+## <param name="parent_domain">
+## <summary>
+## The name of the parent domain.
+## </summary>
+## </param>
+#
+template(`qmail_child_domain_template',`
+ type $1_t;
+ domain_type($1_t)
+ type $1_exec_t;
+ domain_entry_file($1_t,$1_exec_t)
+ domain_auto_trans($2, $1_exec_t, $1_t)
+ role system_r types $1_t;
+
+ allow $1_t self:process signal_perms;
+
+ allow $1_t $2:fd use;
+ allow $1_t $2:fifo_file rw_file_perms;
+ allow $1_t $2:process sigchld;
+
+ allow $1_t qmail_etc_t:dir { getattr read search };
+ allow $1_t qmail_etc_t:file { getattr read };
+ allow $1_t qmail_etc_t:lnk_file { getattr read };
+
+ allow $1_t qmail_start_t:fd use;
+
+ kernel_list_proc($2)
+ kernel_read_proc_symlinks($2)
+
+ corecmd_search_bin($1_t)
+
+ files_search_var($1_t)
+
+ fs_getattr_xattr_fs($1_t)
+
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+
+ miscfiles_read_localization($1_t)
+')
+
+########################################
+## <summary>
+## Transition to qmail_inject_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`qmail_domtrans_inject',`
+ gen_require(`
+ type qmail_inject_t;
+ type qmail_inject_exec_t;
+ ')
+
+ domain_auto_trans($1, qmail_inject_exec_t, qmail_inject_t)
+ allow qmail_inject_t $1:fd use;
+ allow qmail_inject_t $1:fifo_file { read write };
+ allow qmail_inject_t $1:process sigchld;
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_sbin($1)
+ ',`
+ files_search_var($1)
+ corecmd_search_bin($1)
+ ')
+')
+
+########################################
+## <summary>
+## Transition to qmail_queue_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`qmail_domtrans_queue',`
+ gen_require(`
+ type qmail_queue_t;
+ type qmail_queue_exec_t;
+ ')
+
+ domain_auto_trans($1, qmail_queue_exec_t, qmail_queue_t)
+
+ allow qmail_queue_t $1:fd use;
+ allow qmail_queue_t $1:fifo_file { read write };
+ allow qmail_queue_t $1:process sigchld;
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ corecmd_search_sbin($1)
+ ',`
+ files_search_var($1)
+ corecmd_search_bin($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read qmail configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qmail_read_config',`
+ gen_require(`
+ type qmail_etc_t;
+ ')
+
+ allow $1 qmail_etc_t:dir { getattr read search };
+ allow $1 qmail_etc_t:file { getattr read };
+ allow $1 qmail_etc_t:lnk_file { getattr read };
+ files_search_var($1)
+
+ ifdef(`distro_debian',`
+ # handle /etc/qmail
+ files_search_etc($1)
+ ')
+')
+
+########################################
+## <summary>
+## Define the specified domain as a qmail-smtp service.
+## Needed by antivirus/antispam filters.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`qmail_smtpd_service_domain',`
+ gen_require(`
+ type qmail_smtpd_t;
+ ')
+
+ domain_auto_trans(qmail_smtpd_t, $2, $1)
+
+ allow $1 qmail_smtpd_t:fd use;
+ allow $1 qmail_smtpd_t:fifo_file { read write };
+ allow $1 qmail_smtpd_t:process sigchld;
+')
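Review bot: In `qmail_child_domain_template` the `kernel_list_proc($2)` and `kernel_read_proc_symlinks($2)` calls grant access to the parent domain ($2), not to the child being declared, and they are re-issued for every child of the same parent (qmail.te invokes the template five times with qmail_start_t), yet nothing says why spawning a child requires the parent to list /proc. If the parent inspects its children through /proc, move the two calls into each parent's own section of qmail.te, or at minimum precede them with a why-comment such as `# parent domains look up their children via /proc`. The template's doc block also never states what it grants; a sentence in the <desc> noting that it declares `$1_t`/`$1_exec_t`, sets up the automatic transition from `$2`, allows fd/fifo inheritance from the parent and from qmail_start_t, and grants read access to qmail_etc_t would let policy writers use it without reading the body.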
diff --git a/refpolicy/policy/modules/services/qmail.te b/refpolicy/policy/modules/services/qmail.te
new file mode 100644
index 0000000..5209a06
--- /dev/null
+++ b/refpolicy/policy/modules/services/qmail.te
@@ -0,0 +1,313 @@
+
+policy_module(qmail,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute qmail_user_domains;
+
+type qmail_alias_home_t;
+files_type(qmail_alias_home_t)
+
+qmail_child_domain_template(qmail_clean, qmail_start_t)
+
+type qmail_etc_t;
+files_type(qmail_etc_t)
+
+type qmail_exec_t;
+files_type(qmail_exec_t)
+
+type qmail_inject_t, qmail_user_domains;
+type qmail_inject_exec_t;
+domain_type(qmail_inject_t)
+domain_entry_file(qmail_inject_t,qmail_inject_exec_t)
+mta_mailserver_user_agent(qmail_inject_t)
+role system_r types qmail_inject_t;
+
+qmail_child_domain_template(qmail_local, qmail_lspawn_t)
+mta_mailserver_delivery(qmail_local_t)
+
+qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+mta_mailserver_delivery(qmail_lspawn_t)
+
+qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
+mta_mailserver_user_agent(qmail_queue_t)
+
+qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
+mta_mailserver_sender(qmail_remote_t)
+
+qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
+qmail_child_domain_template(qmail_send, qmail_start_t)
+
+qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
+qmail_child_domain_template(qmail_splogger, qmail_start_t)
+
+type qmail_spool_t;
+files_type(qmail_spool_t)
+
+type qmail_start_t;
+type qmail_start_exec_t;
+init_daemon_domain(qmail_start_t,qmail_start_exec_t)
+
+type qmail_tcp_env_t;
+type qmail_tcp_env_exec_t;
+domain_type(qmail_tcp_env_t)
+domain_entry_file(qmail_tcp_env_t,qmail_tcp_env_exec_t)
+
+########################################
+#
+# qmail-clean local policy
+# this component cleans up the queue directory
+#
+
+allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
+allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
+
+########################################
+#
+# qmail-inject local policy
+# this component preprocesses mail from stdin and invokes qmail-queue
+#
+
+allow qmail_inject_t self:fifo_file write;
+allow qmail_inject_t self:process signal_perms;
+
+allow qmail_inject_t qmail_queue_exec_t:file read;
+
+corecmd_search_bin(qmail_inject_t)
+corecmd_search_sbin(qmail_inject_t)
+
+files_search_var(qmail_inject_t)
+
+libs_use_ld_so(qmail_inject_t)
+libs_use_shared_libs(qmail_inject_t)
+
+qmail_read_config(qmail_inject_t)
+
+########################################
+#
+# qmail-local local policy
+# this component delivers a mail message
+#
+
+allow qmail_local_t self:fifo_file write;
+allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+
+allow qmail_local_t qmail_alias_home_t:dir create_dir_perms;
+allow qmail_local_t qmail_alias_home_t:file create_file_perms;
+
+allow qmail_local_t qmail_queue_exec_t:file read;
+
+allow qmail_local_t qmail_spool_t:file r_file_perms;
+
+kernel_read_system_state(qmail_local_t)
+
+corecmd_exec_shell(qmail_local_t)
+corecmd_search_sbin(qmail_local_t)
+
+files_read_etc_files(qmail_local_t)
+files_read_etc_runtime_files(qmail_local_t)
+
+mta_append_spool(qmail_local_t)
+
+qmail_domtrans_queue(qmail_local_t)
+
+########################################
+#
+# qmail-lspawn local policy
+# this component schedules local deliveries
+#
+
+allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:process signal_perms;
+allow qmail_lspawn_t self:fifo_file { read write };
+allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
+
+can_exec(qmail_lspawn_t, qmail_exec_t)
+
+allow qmail_lspawn_t qmail_local_exec_t:file read;
+
+allow qmail_lspawn_t qmail_spool_t:dir search;
+allow qmail_lspawn_t qmail_spool_t:file { read getattr };
+
+corecmd_search_sbin(qmail_lspawn_t)
+
+files_read_etc_files(qmail_lspawn_t)
+files_search_pids(qmail_lspawn_t)
+files_search_tmp(qmail_lspawn_t)
+
+########################################
+#
+# qmail-queue local policy
+# this component places a mail in a delivery queue, later to be processed by qmail-send
+#
+
+allow qmail_queue_t qmail_lspawn_t:fd use;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write;
+
+allow qmail_queue_t qmail_smtpd_t:fd use;
+allow qmail_queue_t qmail_smtpd_t:fifo_file read;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
+
+allow qmail_queue_t qmail_spool_t:dir create_dir_perms;
+allow qmail_queue_t qmail_spool_t:fifo_file { read write };
+allow qmail_queue_t qmail_spool_t:file create_file_perms;
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_queue_t)
+')
+
+########################################
+#
+# qmail-remote local policy
+# this component sends mail via SMTP
+#
+
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
+allow qmail_remote_t qmail_spool_t:dir search;
+allow qmail_remote_t qmail_spool_t:file rw_file_perms;
+
+corenet_non_ipsec_sendrecv(qmail_remote_t)
+corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
+corenet_tcp_sendrecv_generic_node(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
+corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+
+dev_read_rand(qmail_remote_t)
+dev_read_urand(qmail_remote_t)
+
+sysnet_read_config(qmail_remote_t)
+
+########################################
+#
+# qmail-rspawn local policy
+# this component scedules remote deliveries
+#
+
+allow qmail_rspawn_t self:process signal_perms;
+allow qmail_rspawn_t self:fifo_file read;
+
+allow qmail_rspawn_t qmail_remote_exec_t:file read;
+
+allow qmail_rspawn_t qmail_spool_t:dir search;
+allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
+
+corecmd_search_bin(qmail_rspawn_t)
+corecmd_search_sbin(qmail_rspawn_t)
+
+########################################
+#
+# qmail-send local policy
+# this component delivers mail messages from the queue
+#
+
+allow qmail_send_t self:process signal_perms;
+allow qmail_send_t self:fifo_file write;
+
+allow qmail_send_t qmail_spool_t:dir create_dir_perms;
+allow qmail_send_t qmail_spool_t:file create_file_perms;
+allow qmail_send_t qmail_spool_t:fifo_file read;
+
+qmail_domtrans_queue(qmail_send_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_send_t)
+')
+
+########################################
+#
+# qmail-smtpd local policy
+# this component receives mails via SMTP
+#
+
+allow qmail_smtpd_t self:process signal_perms;
+allow qmail_smtpd_t self:fifo_file write;
+allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+
+allow qmail_smtpd_t qmail_queue_exec_t:file read;
+
+dev_read_rand(qmail_smtpd_t)
+dev_read_urand(qmail_smtpd_t)
+
+qmail_domtrans_queue(qmail_smtpd_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_smtpd_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
+')
+
+########################################
+#
+# splogger local policy
+# this component creates entries in syslog
+#
+
+allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+
+files_read_etc_files(qmail_splogger_t)
+
+init_dontaudit_use_script_fds(qmail_splogger_t)
+
+miscfiles_read_localization(qmail_splogger_t)
+
+########################################
+#
+# qmail-start local policy
+# this component starts up the mail delivery component
+#
+
+allow qmail_start_t self:capability { setgid setuid };
+dontaudit qmail_start_t self:capability sys_tty_config;
+allow qmail_start_t self:fifo_file { getattr read write };
+allow qmail_start_t self:process signal_perms;
+
+can_exec(qmail_start_t, qmail_start_exec_t)
+
+corecmd_search_bin(qmail_start_t)
+corecmd_search_sbin(qmail_start_t)
+
+files_search_var(qmail_start_t)
+
+libs_use_ld_so(qmail_start_t)
+libs_use_shared_libs(qmail_start_t)
+
+qmail_read_config(qmail_start_t)
+
+optional_policy(`
+ daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
+ daemontools_ipc_domain(qmail_start_t)
+')
+
+########################################
+#
+# tcp-env local policy
+# this component sets up TCP-related environment variables
+#
+
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
+
+corecmd_search_sbin(qmail_tcp_env_t)
+
+sysnet_read_config(qmail_tcp_env_t)
+
+optional_policy(`
+ inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+')
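Review bot: The `qmail_splogger_t` section, whose header comment says the component creates syslog entries, grants only `self:unix_dgram_socket create_socket_perms`; reaching syslogd additionally needs access to the /dev/log socket file and `sendto` on syslogd's socket, which refpolicy packages as `logging_send_syslog_msg`, so as written splogger's messages will be denied unless something outside this diff grants it. Add `logging_send_syslog_msg(qmail_splogger_t)` to that section, with a one-line comment like `# splogger emits its log lines through /dev/log`. A smaller point in the same file: `qmail_local_t` receives `create_file_perms` on all of `qmail_alias_home_t`, which includes the `.qmail-*` instruction files it interprets and runs through a shell (`corecmd_exec_shell`); if only Maildir/mbox delivery under that directory is intended, a comment acknowledging that the write breadth is accepted (or a narrower type for the delivery subtree) would be worth adding.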
diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te
index 81ee26c..9d59602 100644
--- a/refpolicy/policy/modules/services/ucspitcp.te
+++ b/refpolicy/policy/modules/services/ucspitcp.te
@@ -1,5 +1,5 @@
-policy_module(ucspitcp,1.0.0)
+policy_module(ucspitcp,1.0.1)
########################################
#
@@ -56,6 +56,7 @@ allow ucspitcp_t self:capability { net_bind_service setgid setuid };
allow ucspitcp_t self:fifo_file { read write };
allow ucspitcp_t self:process { fork sigchld };
allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
+allow ucspitcp_t self:udp_socket create_socket_perms;
corecmd_search_bin(ucspitcp_t)
corecmd_search_sbin(ucspitcp_t)
@@ -68,6 +69,7 @@ corenet_tcp_sendrecv_all_ports(ucspitcp_t)
corenet_udp_sendrecv_all_ports(ucspitcp_t)
corenet_non_ipsec_sendrecv(ucspitcp_t)
corenet_tcp_bind_all_nodes(ucspitcp_t)
+corenet_udp_bind_all_nodes(ucspitcp_t)
corenet_tcp_bind_ftp_port(ucspitcp_t)
corenet_tcp_bind_ftp_data_port(ucspitcp_t)
corenet_tcp_bind_http_port(ucspitcp_t)
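Review bot: The new `corenet_udp_bind_all_nodes(ucspitcp_t)` together with the `self:udp_socket create_socket_perms` rule in the preceding hunk broaden a TCP service wrapper to UDP without stating what needs it; tcpserver's DNS lookups of client hostnames presumably account for it, but that is inferred from the program, not from anything in the diff. Prefix the rule with a why-comment such as `# udp socket/bind: tcpserver resolves client hostnames over DNS`, so a later reviewer can judge whether binding on all nodes is still required or could be narrowed once a more specific node interface is available.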
diff --git a/refpolicy/policy/modules/system/daemontools.fc b/refpolicy/policy/modules/system/daemontools.fc
index 7b7968b..b93222b 100644
--- a/refpolicy/policy/modules/system/daemontools.fc
+++ b/refpolicy/policy/modules/system/daemontools.fc
@@ -36,6 +36,10 @@
/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/qmail/supervise(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
+
/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0)
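Review bot: The added `/var/qmail/supervise(/.*)?` tree is labeled svc_svc_t throughout, while the `/var/service` entries directly below it label `env(/.*)?` as svc_conf_t and `log/main(/.*)?` as svc_log_t; a qmail service supervised from /var/qmail/supervise therefore gets its envdir and multilog output directory labeled svc_svc_t, which is inconsistent with the /var/service layout and likely leaves the logger unable to write its main/ directory. Add the two matching lines: `/var/qmail/supervise/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)` and `/var/qmail/supervise/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0)`.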
diff --git a/refpolicy/policy/modules/system/daemontools.te b/refpolicy/policy/modules/system/daemontools.te
index 0c61729..7f4a387 100644
--- a/refpolicy/policy/modules/system/daemontools.te
+++ b/refpolicy/policy/modules/system/daemontools.te
@@ -1,5 +1,5 @@
-policy_module(daemontools,1.0.0)
+policy_module(daemontools,1.0.1)
########################################
#
@@ -90,6 +90,10 @@ libs_use_shared_libs(svc_run_t)
daemontools_domtrans_multilog(svc_run_t)
daemontools_read_svc(svc_run_t)
+optional_policy(`
+ qmail_read_config(svc_run_t)
+')
+
########################################
#
# local policy for service monitoring programs