[selinux-policy: 1835/3172] trunk: add exim from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:43:45 UTC 2010 

commit 6bf8bf4f5c40b9d4b07a8767736c2ab9989119a3
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Oct 24 15:07:40 2007 +0000

    trunk: add exim from dan.

 Changelog                       |    2 +
 policy/modules/services/exim.fc |    4 +
 policy/modules/services/exim.if |  156 +++++++++++++++++++++++++++++++++++++++
 policy/modules/services/exim.te |  113 ++++++++++++++++++++++++++++
 4 files changed, 275 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index f1d19ab..05343f2 100644
--- a/Changelog
+++ b/Changelog
@@ -8,6 +8,8 @@
   strict policy if the unconfined module is not present.  If it is, it will
   behave like the targeted policy.  Added an unconfined role to have a mix
   of confined and unconfined users.
+- Added modules:
+	exim (Dan Walsh)
 
 * Fri Sep 28 2007 Chris PeBenito <selinux at tresys.com> - 20070928
 - Add support for setting the unknown permissions handling.
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
new file mode 100644
index 0000000..8df1594
--- /dev/null
+++ b/policy/modules/services/exim.fc
@@ -0,0 +1,4 @@
+/usr/sbin/exim		--	gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim(/.*)?		gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim(/.*)?		gen_context(system_u:object_r:exim_spool_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
new file mode 100644
index 0000000..dcec818
--- /dev/null
+++ b/policy/modules/services/exim.if
@@ -0,0 +1,156 @@
+## <summary>Exim mail transfer agent</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run exim.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`exim_domtrans',`
+	gen_require(`
+		type exim_t, exim_exec_t;
+	')
+
+	domtrans_pattern($1, exim_exec_t, exim_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read, 
+##	exim tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`exim_dontaudit_read_tmp_files',`
+	gen_require(`
+		type exim_tmp_t;
+	')
+
+	dontaudit $1 exim_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to read, exim tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`exim_read_tmp_files',`
+	gen_require(`
+		type exim_tmp_t;
+	')
+
+	allow $1 exim_tmp_t:file read_file_perms;
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Read exim PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_read_pid_files',`
+	gen_require(`
+		type exim_var_run_t;
+	')
+
+	allow $1 exim_var_run_t:file read_file_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read exim's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_read_log',`
+	gen_require(`
+		type exim_log_t;
+	')
+
+	read_files_pattern($1, exim_log_t, exim_log_t)
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	exim log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`exim_append_log',`
+	gen_require(`
+		type exim_log_t;
+	')
+
+	append_files_pattern($1, exim_log_t, exim_log_t)
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Read exim spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_read_spool_files',`
+	gen_require(`
+		type exim_spool_t;
+	')
+
+	allow $1 exim_spool_t:file read_file_perms;
+	allow $1 exim_spool_t:dir list_dir_perms;
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	exim spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_manage_spool_files',`
+	gen_require(`
+		type exim_spool_t;
+	')
+
+	manage_files_pattern($1, exim_spool_t, exim_spool_t)
+	files_search_spool($1)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
new file mode 100644
index 0000000..cf4b4f9
--- /dev/null
+++ b/policy/modules/services/exim.te
@@ -0,0 +1,113 @@
+
+policy_module(exim,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow exim to read unprivileged user files.
+## </p>
+## </desc>
+gen_tunable(exim_read_user_files,false)
+
+## <desc>
+## <p>
+## Allow exim to create, read, write, and delete
+## unprivileged user files.
+## </p>
+## </desc>
+gen_tunable(exim_manage_user_files,false)
+
+type exim_t;
+type exim_exec_t;
+init_daemon_domain(exim_t, exim_exec_t)
+
+type exim_log_t;
+logging_log_file(exim_log_t)
+
+type exim_spool_t;
+files_type(exim_spool_t)
+
+type exim_tmp_t;
+files_tmp_file(exim_tmp_t)
+
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
+
+########################################
+#
+# exim local policy
+#
+
+allow exim_t self:capability { dac_override dac_read_search setuid setgid };
+allow exim_t self:fifo_file rw_fifo_file_perms;
+allow exim_t self:unix_stream_socket create_stream_socket_perms;
+allow exim_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(exim_t,exim_exec_t)
+
+manage_files_pattern(exim_t, exim_log_t, exim_log_t)
+logging_log_filetrans(exim_t, exim_log_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(exim_t)
+
+corecmd_search_bin(exim_t)
+
+corenet_all_recvfrom_unlabeled(exim_t)
+corenet_tcp_sendrecv_all_if(exim_t)
+corenet_tcp_sendrecv_all_nodes(exim_t)
+corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_bind_all_nodes(exim_t)
+corenet_tcp_bind_smtp_port(exim_t)
+corenet_tcp_bind_amavisd_send_port(exim_t)
+corenet_tcp_connect_auth_port(exim_t)
+corenet_tcp_connect_inetd_child_port(exim_t)
+
+# Init script handling
+domain_use_interactive_fds(exim_t)
+
+files_read_etc_files(exim_t)
+
+auth_use_nsswitch(exim_t)
+
+libs_use_ld_so(exim_t)
+libs_use_shared_libs(exim_t)
+
+logging_send_syslog_msg(exim_t)
+
+miscfiles_read_localization(exim_t)
+
+sysnet_dns_name_resolve(exim_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(exim_t)
+userdom_dontaudit_search_generic_user_home_dirs(exim_t)
+
+mta_read_aliases(exim_t)
+mta_rw_spool(exim_t)
+
+tunable_policy(`exim_read_user_files',`
+	userdom_read_unpriv_users_home_content_files(exim_t)
+	userdom_read_unpriv_users_tmp_files(exim_t)
+')
+
+tunable_policy(`exim_manage_user_files',`
+	userdom_manage_unpriv_users_home_content_dirs(exim_t)
+	userdom_read_unpriv_users_tmp_files(exim_t)
+	userdom_write_unpriv_users_tmp_files(exim_t)
+')

More information about the scm-commits mailing list