fee48647ac
67effb0483be01c6c63f6b0d8d595b082e4b8097d6689d9545afc3d3f3c5e77a59e50ccf8723317759c7dc1db54e9bf16d4f95198bf40792622c63bc20842cdc7cc4d792d448
405 lines
11 KiB
Plaintext
405 lines
11 KiB
Plaintext
policy_module(dcc, 1.9.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type cdcc_t;
|
|
type cdcc_exec_t;
|
|
application_domain(cdcc_t, cdcc_exec_t)
|
|
role system_r types cdcc_t;
|
|
|
|
type cdcc_tmp_t;
|
|
files_tmp_file(cdcc_tmp_t)
|
|
|
|
type dcc_client_t;
|
|
type dcc_client_exec_t;
|
|
application_domain(dcc_client_t, dcc_client_exec_t)
|
|
role system_r types dcc_client_t;
|
|
|
|
type dcc_client_map_t;
|
|
files_type(dcc_client_map_t)
|
|
|
|
type dcc_client_tmp_t;
|
|
files_tmp_file(dcc_client_tmp_t)
|
|
|
|
type dcc_dbclean_t;
|
|
type dcc_dbclean_exec_t;
|
|
application_domain(dcc_dbclean_t, dcc_dbclean_exec_t)
|
|
role system_r types dcc_dbclean_t;
|
|
|
|
type dcc_dbclean_tmp_t;
|
|
files_tmp_file(dcc_dbclean_tmp_t)
|
|
|
|
type dcc_var_t;
|
|
files_type(dcc_var_t)
|
|
|
|
type dcc_var_run_t;
|
|
files_type(dcc_var_run_t)
|
|
|
|
type dccd_t;
|
|
type dccd_exec_t;
|
|
init_daemon_domain(dccd_t, dccd_exec_t)
|
|
|
|
type dccd_tmp_t;
|
|
files_tmp_file(dccd_tmp_t)
|
|
|
|
type dccd_var_run_t;
|
|
files_pid_file(dccd_var_run_t)
|
|
|
|
type dccifd_t;
|
|
type dccifd_exec_t;
|
|
init_daemon_domain(dccifd_t, dccifd_exec_t)
|
|
|
|
type dccifd_tmp_t;
|
|
files_tmp_file(dccifd_tmp_t)
|
|
|
|
type dccifd_var_run_t;
|
|
files_pid_file(dccifd_var_run_t)
|
|
|
|
type dccm_t;
|
|
type dccm_exec_t;
|
|
init_daemon_domain(dccm_t, dccm_exec_t)
|
|
|
|
type dccm_tmp_t;
|
|
files_tmp_file(dccm_tmp_t)
|
|
|
|
type dccm_var_run_t;
|
|
files_pid_file(dccm_var_run_t)
|
|
|
|
# NOTE: DCC has writeable files in /etc/dcc that should probably be in
|
|
# /var/lib/dcc. For now this policy supports both directories being
|
|
# writable.
|
|
|
|
# cjp: dccifd and dccm should be merged, as
|
|
# they have the same rules.
|
|
|
|
########################################
|
|
#
|
|
# dcc daemon controller local policy
|
|
#
|
|
|
|
allow cdcc_t self:capability { setuid setgid };
|
|
allow cdcc_t self:unix_dgram_socket create_socket_perms;
|
|
allow cdcc_t self:udp_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
|
|
manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
|
|
files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
|
|
|
|
allow cdcc_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
# Access files in /var/dcc. The map file can be updated
|
|
allow cdcc_t dcc_var_t:dir list_dir_perms;
|
|
read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
|
|
read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(cdcc_t)
|
|
corenet_all_recvfrom_netlabel(cdcc_t)
|
|
corenet_udp_sendrecv_generic_if(cdcc_t)
|
|
corenet_udp_sendrecv_generic_node(cdcc_t)
|
|
corenet_udp_sendrecv_all_ports(cdcc_t)
|
|
|
|
files_read_etc_files(cdcc_t)
|
|
files_read_etc_runtime_files(cdcc_t)
|
|
|
|
auth_use_nsswitch(cdcc_t)
|
|
|
|
logging_send_syslog_msg(cdcc_t)
|
|
|
|
miscfiles_read_localization(cdcc_t)
|
|
|
|
userdom_use_user_terminals(cdcc_t)
|
|
|
|
########################################
|
|
#
|
|
# dcc procmail interface local policy
|
|
#
|
|
|
|
allow dcc_client_t self:capability { setuid setgid };
|
|
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
|
|
allow dcc_client_t self:udp_socket create_socket_perms;
|
|
|
|
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
|
|
manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
|
|
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
|
|
|
|
# Access files in /var/dcc. The map file can be updated
|
|
allow dcc_client_t dcc_var_t:dir list_dir_perms;
|
|
manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
|
|
read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
|
|
|
|
kernel_read_system_state(dcc_client_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dcc_client_t)
|
|
corenet_all_recvfrom_netlabel(dcc_client_t)
|
|
corenet_udp_sendrecv_generic_if(dcc_client_t)
|
|
corenet_udp_sendrecv_generic_node(dcc_client_t)
|
|
corenet_udp_sendrecv_all_ports(dcc_client_t)
|
|
corenet_udp_bind_generic_node(dcc_client_t)
|
|
|
|
files_read_etc_files(dcc_client_t)
|
|
files_read_etc_runtime_files(dcc_client_t)
|
|
|
|
fs_getattr_all_fs(dcc_client_t)
|
|
|
|
auth_use_nsswitch(dcc_client_t)
|
|
|
|
logging_send_syslog_msg(dcc_client_t)
|
|
|
|
miscfiles_read_localization(dcc_client_t)
|
|
|
|
userdom_use_user_terminals(dcc_client_t)
|
|
|
|
optional_policy(`
|
|
amavis_read_spool_files(dcc_client_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
spamassassin_read_spamd_tmp_files(dcc_client_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Database cleanup tool local policy
|
|
#
|
|
|
|
allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
|
|
allow dcc_dbclean_t self:udp_socket create_socket_perms;
|
|
|
|
allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
|
|
manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
|
|
files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
|
|
|
|
manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
|
|
manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
|
|
manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
|
|
|
|
kernel_read_system_state(dcc_dbclean_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
|
|
corenet_all_recvfrom_netlabel(dcc_dbclean_t)
|
|
corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
|
|
corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
|
|
corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
|
|
|
|
files_read_etc_files(dcc_dbclean_t)
|
|
files_read_etc_runtime_files(dcc_dbclean_t)
|
|
|
|
auth_use_nsswitch(dcc_dbclean_t)
|
|
|
|
logging_send_syslog_msg(dcc_dbclean_t)
|
|
|
|
miscfiles_read_localization(dcc_dbclean_t)
|
|
|
|
userdom_use_user_terminals(dcc_dbclean_t)
|
|
|
|
########################################
|
|
#
|
|
# Server daemon local policy
|
|
#
|
|
|
|
allow dccd_t self:capability net_admin;
|
|
dontaudit dccd_t self:capability sys_tty_config;
|
|
allow dccd_t self:process signal_perms;
|
|
allow dccd_t self:unix_stream_socket create_socket_perms;
|
|
allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
|
|
allow dccd_t self:udp_socket create_socket_perms;
|
|
|
|
allow dccd_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
# Access files in /var/dcc. The map file can be updated
|
|
allow dccd_t dcc_var_t:dir list_dir_perms;
|
|
read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
|
|
read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
|
|
|
|
# Runs the dbclean program
|
|
domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
|
|
corecmd_search_bin(dccd_t)
|
|
|
|
# Updating dcc_db, flod, ...
|
|
manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t)
|
|
manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
|
|
manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
|
|
|
|
manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
|
|
manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
|
|
files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
|
|
|
|
manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
|
|
manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
|
|
files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
|
|
|
|
kernel_read_system_state(dccd_t)
|
|
kernel_read_kernel_sysctls(dccd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dccd_t)
|
|
corenet_all_recvfrom_netlabel(dccd_t)
|
|
corenet_udp_sendrecv_generic_if(dccd_t)
|
|
corenet_udp_sendrecv_generic_node(dccd_t)
|
|
corenet_udp_sendrecv_all_ports(dccd_t)
|
|
corenet_udp_bind_generic_node(dccd_t)
|
|
corenet_udp_bind_dcc_port(dccd_t)
|
|
corenet_sendrecv_dcc_server_packets(dccd_t)
|
|
|
|
dev_read_sysfs(dccd_t)
|
|
|
|
domain_use_interactive_fds(dccd_t)
|
|
|
|
files_read_etc_files(dccd_t)
|
|
files_read_etc_runtime_files(dccd_t)
|
|
|
|
fs_getattr_all_fs(dccd_t)
|
|
fs_search_auto_mountpoints(dccd_t)
|
|
|
|
auth_use_nsswitch(dccd_t)
|
|
|
|
logging_send_syslog_msg(dccd_t)
|
|
|
|
miscfiles_read_localization(dccd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
|
|
userdom_dontaudit_search_user_home_dirs(dccd_t)
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(dccd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(dccd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Spamassassin and general MTA persistent client local policy
|
|
#
|
|
|
|
dontaudit dccifd_t self:capability sys_tty_config;
|
|
allow dccifd_t self:process signal_perms;
|
|
allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow dccifd_t self:unix_dgram_socket create_socket_perms;
|
|
allow dccifd_t self:udp_socket create_socket_perms;
|
|
|
|
allow dccifd_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
# Updating dcc_db, flod, ...
|
|
manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
|
|
manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
|
|
manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
|
|
manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
|
|
manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
|
|
|
|
manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
|
|
manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
|
|
files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
|
|
manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
|
|
filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file })
|
|
files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
|
|
|
|
kernel_read_system_state(dccifd_t)
|
|
kernel_read_kernel_sysctls(dccifd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dccifd_t)
|
|
corenet_all_recvfrom_netlabel(dccifd_t)
|
|
corenet_udp_sendrecv_generic_if(dccifd_t)
|
|
corenet_udp_sendrecv_generic_node(dccifd_t)
|
|
corenet_udp_sendrecv_all_ports(dccifd_t)
|
|
|
|
dev_read_sysfs(dccifd_t)
|
|
|
|
domain_use_interactive_fds(dccifd_t)
|
|
|
|
files_read_etc_files(dccifd_t)
|
|
files_read_etc_runtime_files(dccifd_t)
|
|
|
|
fs_getattr_all_fs(dccifd_t)
|
|
fs_search_auto_mountpoints(dccifd_t)
|
|
|
|
auth_use_nsswitch(dccifd_t)
|
|
|
|
logging_send_syslog_msg(dccifd_t)
|
|
|
|
miscfiles_read_localization(dccifd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
|
|
userdom_dontaudit_search_user_home_dirs(dccifd_t)
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(dccifd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(dccifd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# sendmail milter client local policy
|
|
#
|
|
|
|
dontaudit dccm_t self:capability sys_tty_config;
|
|
allow dccm_t self:process signal_perms;
|
|
allow dccm_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow dccm_t self:unix_dgram_socket create_socket_perms;
|
|
allow dccm_t self:udp_socket create_socket_perms;
|
|
|
|
allow dccm_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t)
|
|
manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
|
|
manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
|
|
manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
|
|
manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
|
|
|
|
manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
|
|
manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
|
|
files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
|
|
manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
|
|
filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file })
|
|
files_pid_filetrans(dccm_t, dccm_var_run_t, file)
|
|
|
|
kernel_read_system_state(dccm_t)
|
|
kernel_read_kernel_sysctls(dccm_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(dccm_t)
|
|
corenet_all_recvfrom_netlabel(dccm_t)
|
|
corenet_udp_sendrecv_generic_if(dccm_t)
|
|
corenet_udp_sendrecv_generic_node(dccm_t)
|
|
corenet_udp_sendrecv_all_ports(dccm_t)
|
|
|
|
dev_read_sysfs(dccm_t)
|
|
|
|
domain_use_interactive_fds(dccm_t)
|
|
|
|
files_read_etc_files(dccm_t)
|
|
files_read_etc_runtime_files(dccm_t)
|
|
|
|
fs_getattr_all_fs(dccm_t)
|
|
fs_search_auto_mountpoints(dccm_t)
|
|
|
|
auth_use_nsswitch(dccm_t)
|
|
|
|
logging_send_syslog_msg(dccm_t)
|
|
|
|
miscfiles_read_localization(dccm_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
|
|
userdom_dontaudit_search_user_home_dirs(dccm_t)
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(dccm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(dccm_t)
|
|
')
|