The process and capability IPC goes on top of local policy.

The process and capability IPC goes on top of local policy.
This commit is contained in:
Dominick Grift 2010-09-23 14:06:19 +02:00
parent 8725d6334d
commit 1b39decc10
3 changed files with 9 additions and 9 deletions

View File

@ -107,10 +107,10 @@ mta_mailserver_delivery(postfix_virtual_t)
# chown is to set the correct ownership of queue dirs # chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms;
allow postfix_master_t self:process setrlimit;
allow postfix_master_t postfix_etc_t:dir rw_dir_perms; allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms; allow postfix_master_t postfix_etc_t:file rw_file_perms;
@ -284,8 +284,8 @@ optional_policy(`
# Postfix local local policy # Postfix local local policy
# #
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit }; allow postfix_local_t self:process { setsched setrlimit };
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
# connect to master process # connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
@ -424,8 +424,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
# Postfix pipe local policy # Postfix pipe local policy
# #
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
allow postfix_pipe_t self:process setrlimit; allow postfix_pipe_t self:process setrlimit;
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
@ -656,8 +656,8 @@ optional_policy(`
# Postfix virtual local policy # Postfix virtual local policy
# #
allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t postfix_spool_t:file rw_file_perms; allow postfix_virtual_t postfix_spool_t:file rw_file_perms;

View File

@ -23,9 +23,9 @@ files_pid_file(postfix_policyd_var_run_t)
# Local Policy # Local Policy
# #
allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
allow postfix_policyd_t self:process setrlimit; allow postfix_policyd_t self:process setrlimit;
allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
allow postfix_policyd_t self:unix_dgram_socket { connect create write}; allow postfix_policyd_t self:unix_dgram_socket { connect create write};
allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms; allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;

View File

@ -72,8 +72,8 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
# this component preprocesses mail from stdin and invokes qmail-queue # this component preprocesses mail from stdin and invokes qmail-queue
# #
allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t self:process signal_perms; allow qmail_inject_t self:process signal_perms;
allow qmail_inject_t self:fifo_file write_fifo_file_perms;
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
@ -91,8 +91,8 @@ qmail_read_config(qmail_inject_t)
# this component delivers a mail message # this component delivers a mail message
# #
allow qmail_local_t self:fifo_file write_file_perms;
allow qmail_local_t self:process signal_perms; allow qmail_local_t self:process signal_perms;
allow qmail_local_t self:fifo_file write_file_perms;
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
@ -160,9 +160,9 @@ files_search_tmp(qmail_lspawn_t)
allow qmail_queue_t qmail_lspawn_t:fd use; allow qmail_queue_t qmail_lspawn_t:fd use;
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
allow qmail_queue_t qmail_smtpd_t:process sigchld;
allow qmail_queue_t qmail_smtpd_t:fd use; allow qmail_queue_t qmail_smtpd_t:fd use;
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
allow qmail_queue_t qmail_smtpd_t:process sigchld;
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@ -288,8 +288,8 @@ miscfiles_read_localization(qmail_splogger_t)
allow qmail_start_t self:capability { setgid setuid }; allow qmail_start_t self:capability { setgid setuid };
dontaudit qmail_start_t self:capability sys_tty_config; dontaudit qmail_start_t self:capability sys_tty_config;
allow qmail_start_t self:fifo_file rw_fifo_file_perms;
allow qmail_start_t self:process signal_perms; allow qmail_start_t self:process signal_perms;
allow qmail_start_t self:fifo_file rw_fifo_file_perms;
can_exec(qmail_start_t, qmail_start_exec_t) can_exec(qmail_start_t, qmail_start_exec_t)