trunk: 3 patches from dan.

This commit is contained in:
Chris PeBenito 2009-06-30 19:27:21 +00:00
parent 45b975db5b
commit bb88161284
8 changed files with 309 additions and 21 deletions

View File

@ -6,6 +6,7 @@
/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
#
# /usr
@ -17,19 +18,22 @@
ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
ifdef(`distro_redhat', `
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
#
# /var
#
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)

View File

@ -1,5 +1,42 @@
## <summary>Dovecot POP and IMAP mail server</summary>
########################################
## <summary>
## Connect to dovecot auth unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dovecot_stream_connect_auth',`
gen_require(`
type dovecot_auth_t, dovecot_var_run_t;
')
stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
')
########################################
## <summary>
## Execute dovecot_deliver in the dovecot_deliver domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dovecot_domtrans_deliver',`
gen_require(`
type dovecot_deliver_t, dovecot_deliver_exec_t;
')
domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
')
########################################
## <summary>
## Create, read, write, and delete the dovecot spool files.
@ -36,3 +73,58 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
dontaudit $1 dovecot_var_lib_t:file unlink;
')
########################################
## <summary>
## All of the rules required to administrate
## an dovecot environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the dovecot domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`dovecot_admin',`
gen_require(`
type dovecot_t, dovecot_etc_t, dovecot_log_t;
type dovecot_spool_t, dovecot_var_lib_t;
type dovecot_var_run_t;
type dovecot_cert_t, dovecot_passwd_t;
type dovecot_initrc_exec_t;
')
allow $1 dovecot_t:process { ptrace signal_perms };
ps_process_pattern($1, dovecot_t)
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dovecot_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, dovecot_etc_t)
logging_list_logs($1)
admin_pattern($1, dovecot_log_t)
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
files_list_pids($1)
admin_pattern($1, dovecot_var_run_t)
admin_pattern($1, dovecot_cert_t)
admin_pattern($1, dovecot_passwd_t)
')

View File

@ -1,5 +1,5 @@
policy_module(dovecot, 1.10.2)
policy_module(dovecot, 1.10.3)
########################################
#
@ -15,12 +15,24 @@ domain_type(dovecot_auth_t)
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
type dovecot_auth_tmp_t;
files_tmp_file(dovecot_auth_tmp_t)
type dovecot_cert_t;
files_type(dovecot_cert_t)
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
type dovecot_initrc_exec_t;
init_script_file(dovecot_initrc_exec_t)
type dovecot_passwd_t;
files_type(dovecot_passwd_t)
@ -31,6 +43,9 @@ files_type(dovecot_spool_t)
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
type dovecot_var_log_t;
logging_log_file(dovecot_var_log_t)
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
@ -58,6 +73,9 @@ files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@ -98,7 +116,7 @@ files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
files_getattr_all_mountpoints(dovecot_t)
files_search_all_mountpoints(dovecot_t)
init_getattr_utmp(dovecot_t)
@ -120,7 +138,7 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file
mta_manage_spool(dovecot_t)
optional_policy(`
kerberos_use(dovecot_t)
kerberos_keytab_template(dovecot, dovecot_t)
')
optional_policy(`
@ -140,25 +158,35 @@ optional_policy(`
# dovecot auth local policy
#
allow dovecot_auth_t self:capability { setgid setuid };
allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
allow dovecot_auth_t self:process signal_perms;
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
files_read_var_symlinks(dovecot_t)
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
logging_send_audit_msgs(dovecot_auth_t)
logging_send_syslog_msg(dovecot_auth_t)
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
@ -167,6 +195,7 @@ auth_use_nsswitch(dovecot_auth_t)
files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
@ -182,5 +211,52 @@ optional_policy(`
')
optional_policy(`
logging_send_syslog_msg(dovecot_auth_t)
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
')
optional_policy(`
nis_authenticate(dovecot_auth_t)
')
optional_policy(`
postfix_search_spool(dovecot_auth_t)
')
########################################
#
# dovecot deliver local policy
#
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)
files_read_etc_files(dovecot_deliver_t)
files_read_etc_runtime_files(dovecot_deliver_t)
auth_use_nsswitch(dovecot_deliver_t)
logging_send_syslog_msg(dovecot_deliver_t)
miscfiles_read_localization(dovecot_deliver_t)
dovecot_stream_connect_auth(dovecot_deliver_t)
files_search_tmp(dovecot_deliver_t)
fs_getattr_all_fs(dovecot_deliver_t)
userdom_manage_user_home_content_dirs(dovecot_deliver_t)
userdom_manage_user_home_content_files(dovecot_deliver_t)
userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
')

View File

@ -61,6 +61,25 @@ interface(`kerneloops_dontaudit_dbus_chat',`
dontaudit kerneloops_t $1:dbus send_msg;
')
########################################
## <summary>
## Allow domain to manage kerneloops tmp files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kerneloops_manage_tmp_files',`
gen_require(`
type kerneloops_tmp_t;
')
manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
files_search_tmp($1)
')
########################################
## <summary>
## All of the rules required to administrate
@ -81,6 +100,7 @@ interface(`kerneloops_dontaudit_dbus_chat',`
interface(`kerneloops_admin',`
gen_require(`
type kerneloops_t, kerneloops_initrc_exec_t;
type kerneloops_tmp_t;
')
allow $1 kerneloops_t:process { ptrace signal_perms };
@ -90,4 +110,6 @@ interface(`kerneloops_admin',`
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, kerneloops_tmp_t)
')

View File

@ -1,5 +1,5 @@
policy_module(kerneloops, 1.2.2)
policy_module(kerneloops, 1.2.3)
########################################
#
@ -13,6 +13,9 @@ init_daemon_domain(kerneloops_t, kerneloops_exec_t)
type kerneloops_initrc_exec_t;
init_script_file(kerneloops_initrc_exec_t)
type kerneloops_tmp_t;
files_tmp_file(kerneloops_tmp_t)
########################################
#
# kerneloops local policy
@ -21,7 +24,9 @@ init_script_file(kerneloops_initrc_exec_t)
allow kerneloops_t self:capability sys_nice;
allow kerneloops_t self:process { setsched getsched signal };
allow kerneloops_t self:fifo_file rw_file_perms;
allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
kernel_read_ring_buffer(kerneloops_t)
@ -38,13 +43,13 @@ corenet_tcp_connect_http_port(kerneloops_t)
files_read_etc_files(kerneloops_t)
auth_use_nsswitch(kerneloops_t)
logging_send_syslog_msg(kerneloops_t)
logging_read_generic_logs(kerneloops_t)
miscfiles_read_localization(kerneloops_t)
sysnet_dns_name_resolve(kerneloops_t)
optional_policy(`
dbus_system_bus_client(kerneloops_t)
dbus_connect_system_bus(kerneloops_t)

View File

@ -1,3 +1,4 @@
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)

View File

@ -18,6 +18,42 @@ interface(`nscd_signal',`
allow $1 nscd_t:process signal;
')
########################################
## <summary>
## Send NSCD the kill signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nscd_kill',`
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process sigkill;
')
########################################
## <summary>
## Send signulls to NSCD.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nscd_signull',`
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process signull;
')
########################################
## <summary>
## Execute NSCD in the nscd domain.
@ -70,15 +106,14 @@ interface(`nscd_exec',`
interface(`nscd_socket_use',`
gen_require(`
type nscd_t, nscd_var_run_t;
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
')
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
dontaudit $1 nscd_var_run_t:file { getattr read };
@ -198,3 +233,41 @@ interface(`nscd_run',`
nscd_domtrans($1)
role $2 types nscd_t;
')
########################################
## <summary>
## All of the rules required to administrate
## an nscd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the nscd domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`nscd_admin',`
gen_require(`
type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
')
allow $1 nscd_t:process { ptrace signal_perms };
ps_process_pattern($1, nscd_t)
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 nscd_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, nscd_log_t)
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
')

View File

@ -1,5 +1,5 @@
policy_module(nscd, 1.8.2)
policy_module(nscd, 1.8.3)
gen_require(`
class nscd all_nscd_perms;
@ -20,6 +20,9 @@ type nscd_t;
type nscd_exec_t;
init_daemon_domain(nscd_t, nscd_exec_t)
type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)
type nscd_log_t;
logging_log_file(nscd_log_t)
@ -28,14 +31,13 @@ logging_log_file(nscd_log_t)
# Local policy
#
allow nscd_t self:capability { kill setgid setuid audit_write };
allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr setsched signal_perms };
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow nscd_t self:tcp_socket create_socket_perms;
allow nscd_t self:udp_socket create_socket_perms;
@ -50,6 +52,9 @@ manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
kernel_read_kernel_sysctls(nscd_t)
kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
@ -73,6 +78,7 @@ corenet_tcp_sendrecv_generic_node(nscd_t)
corenet_udp_sendrecv_generic_node(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
corenet_udp_sendrecv_all_ports(nscd_t)
corenet_udp_bind_generic_node(nscd_t)
corenet_tcp_connect_all_ports(nscd_t)
corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
@ -90,6 +96,7 @@ files_read_generic_tmp_symlinks(nscd_t)
# Needed to read files created by firstboot "/etc/hesiod.conf"
files_read_etc_runtime_files(nscd_t)
logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
miscfiles_read_localization(nscd_t)
@ -104,6 +111,14 @@ userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`
cron_read_system_job_tmp_files(nscd_t)
')
optional_policy(`
kerberos_use(nscd_t)
')
optional_policy(`
udev_read_db(nscd_t)
')