Changes to the cyrus policy module

Ported from Fedora with changes

Make file context catch cyrus-imapd for init script
Add file context for cyrus pid file and socket in /var/run
Module clean up

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

1 files changed, 20 insertions, 27 deletions

diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index 097fdcc3..93ddb955 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.12.0)
+policy_module(cyrus, 1.12.1)
 
 ########################################
 #
@@ -37,22 +37,18 @@ allow cyrus_t self:shm create_shm_perms;
 allow cyrus_t self:sem create_sem_perms;
 allow cyrus_t self:msgq create_msgq_perms;
 allow cyrus_t self:msg { send receive };
-allow cyrus_t self:unix_dgram_socket create_socket_perms;
-allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
 allow cyrus_t self:unix_dgram_socket sendto;
-allow cyrus_t self:unix_stream_socket connectto;
-allow cyrus_t self:tcp_socket create_stream_socket_perms;
-allow cyrus_t self:udp_socket create_socket_perms;
+allow cyrus_t self:unix_stream_socket { accept connectto listen };
+allow cyrus_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
 manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
-files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
+files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })
 
 manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
 manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
 manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
 manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
-files_pid_filetrans(cyrus_t, cyrus_var_run_t, file)
 
 manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
 manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
@@ -65,37 +61,40 @@ kernel_read_all_sysctls(cyrus_t)
 corenet_all_recvfrom_unlabeled(cyrus_t)
 corenet_all_recvfrom_netlabel(cyrus_t)
 corenet_tcp_sendrecv_generic_if(cyrus_t)
-corenet_udp_sendrecv_generic_if(cyrus_t)
 corenet_tcp_sendrecv_generic_node(cyrus_t)
-corenet_udp_sendrecv_generic_node(cyrus_t)
 corenet_tcp_sendrecv_all_ports(cyrus_t)
-corenet_udp_sendrecv_all_ports(cyrus_t)
 corenet_tcp_bind_generic_node(cyrus_t)
+
+corenet_sendrecv_mail_server_packets(cyrus_t)
 corenet_tcp_bind_mail_port(cyrus_t)
+
+corenet_sendrecv_lmtp_server_packets(cyrus_t)
 corenet_tcp_bind_lmtp_port(cyrus_t)
+
+corenet_sendrecv_pop_server_packets(cyrus_t)
 corenet_tcp_bind_pop_port(cyrus_t)
+
+corenet_sendrecv_sieve_server_packets(cyrus_t)
 corenet_tcp_bind_sieve_port(cyrus_t)
-corenet_tcp_connect_all_ports(cyrus_t)
-corenet_sendrecv_mail_server_packets(cyrus_t)
-corenet_sendrecv_pop_server_packets(cyrus_t)
-corenet_sendrecv_lmtp_server_packets(cyrus_t)
+
 corenet_sendrecv_all_client_packets(cyrus_t)
+corenet_tcp_connect_all_ports(cyrus_t)
+
+corecmd_exec_bin(cyrus_t)
 
 dev_read_rand(cyrus_t)
 dev_read_urand(cyrus_t)
 dev_read_sysfs(cyrus_t)
 
-fs_getattr_all_fs(cyrus_t)
-fs_search_auto_mountpoints(cyrus_t)
-
-corecmd_exec_bin(cyrus_t)
-
 domain_use_interactive_fds(cyrus_t)
 
 files_list_var_lib(cyrus_t)
-files_read_etc_files(cyrus_t)
 files_read_etc_runtime_files(cyrus_t)
 files_read_usr_files(cyrus_t)
+files_dontaudit_write_usr_dirs(cyrus_t)
+
+fs_getattr_all_fs(cyrus_t)
+fs_search_auto_mountpoints(cyrus_t)
 
 auth_use_nsswitch(cyrus_t)
 
@@ -106,8 +105,6 @@ logging_send_syslog_msg(cyrus_t)
 miscfiles_read_localization(cyrus_t)
 miscfiles_read_generic_certs(cyrus_t)
 
-sysnet_read_config(cyrus_t)
-
 userdom_use_unpriv_users_fds(cyrus_t)
 userdom_dontaudit_search_user_home_dirs(cyrus_t)
 
@@ -123,10 +120,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	ldap_stream_connect(cyrus_t)
-')
-
-optional_policy(`
 	sasl_connect(cyrus_t)
 ')