authorDominick Grift <dominick.grift@gmail.com>2012-09-29 13:19:26 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-10-02 20:04:31 +0200
commit42314e38a4ebeca9d1fa617e33e26f2b8257bcff (patch)
tree1e37f1562640c389aef1a1dde86300aa0ddf9984 /policy/modules/contrib/exim.te
parentChanges to the evolution policy module (diff)
Changes to the exim policy module and relevant dependencies
Ported from Fedora with changes.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Diffstat (limited to 'policy/modules/contrib/exim.te')
-rw-r--r--policy/modules/contrib/exim.te94
1 files changed, 62 insertions, 32 deletions
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index f28f64b9..f50794dc 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.5.0)
+policy_module(exim, 1.5.1)
########################################
#
@@ -6,23 +6,26 @@ policy_module(exim, 1.5.0)
#
## <desc>
-## <p>
-## Allow exim to connect to databases (postgres, mysql)
-## </p>
+## <p>
+## Determine whether exim can connect to
+## databases.
+## </p>
## </desc>
gen_tunable(exim_can_connect_db, false)
## <desc>
-## <p>
-## Allow exim to read unprivileged user files.
-## </p>
+## <p>
+## Determine whether exim can read generic
+## user content files.
+## </p>
## </desc>
gen_tunable(exim_read_user_files, false)
## <desc>
-## <p>
-## Allow exim to create, read, write, and delete
-## unprivileged user files.
+## <p>
+## Determine whether exim can create,
+## read, write, and delete generic user
+## content files.
## </p>
## </desc>
gen_tunable(exim_manage_user_files, false)
@@ -35,6 +38,9 @@ mta_mailserver_user_agent(exim_t)
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)
+type exim_initrc_exec_t;
+init_script_file(exim_initrc_exec_t)
+
type exim_log_t;
logging_log_file(exim_log_t)
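Review bot: The new `exim_initrc_exec_t` type is declared but nothing in the visible hunks labels a file with it or exposes an `exim_initrc_domtrans`-style interface; both presumably live in exim.fc and exim.if, which the diffstat view here excludes, so the commit message should name them. A one-line comment above the declaration, `# label for the exim init script; file context lives in exim.fc`, would make the dependency obvious to the next reader.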
@@ -49,33 +55,34 @@ files_pid_file(exim_var_run_t)
########################################
#
-# exim local policy
+# Local policy
#
allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
-allow exim_t self:unix_stream_socket create_stream_socket_perms;
-allow exim_t self:tcp_socket create_stream_socket_perms;
-allow exim_t self:udp_socket create_socket_perms;
-
-can_exec(exim_t, exim_exec_t)
+allow exim_t self:unix_stream_socket { accept listen };
+allow exim_t self:tcp_socket { accept listen };
-manage_files_pattern(exim_t, exim_log_t, exim_log_t)
-logging_log_filetrans(exim_t, exim_log_t, { file dir })
+append_files_pattern(exim_t, exim_log_t, exim_log_t)
+create_files_pattern(exim_t, exim_log_t, exim_log_t)
+setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
+logging_log_filetrans(exim_t, exim_log_t, file)
manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
-files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file })
+files_spool_filetrans(exim_t, exim_spool_t, { dir file sock_file })
manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
-files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
+files_tmp_filetrans(exim_t, exim_tmp_t, { dir file })
manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
+files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
+
+can_exec(exim_t, exim_exec_t)
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
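Review bot: The rule `allow exim_t self:udp_socket create_socket_perms;` is removed with no replacement in this hunk, yet `corenet_udp_sendrecv_generic_node(exim_t)` still stands at the top of the next hunk; unless an mta_* interface called elsewhere in the file now grants udp_socket create_socket_perms, that node rule can no longer be exercised and should either go too or the socket rule should stay. The same question applies to the new `{ accept listen }` rules on unix_stream_socket and tcp_socket, which presuppose that create, bind and connect come from another interface — worth confirming in the message. The log rules are tightened from manage to append/create/setattr, which removes the ability to truncate or unlink exim_log_t files; a comment such as `# logs are append-only: no write or unlink, so exim cannot alter its own audit trail` above the append_files_pattern line would record that this is deliberate.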
@@ -91,24 +98,32 @@ corenet_tcp_sendrecv_generic_node(exim_t)
corenet_udp_sendrecv_generic_node(exim_t)
corenet_tcp_sendrecv_all_ports(exim_t)
corenet_tcp_bind_generic_node(exim_t)
+
+corenet_sendrecv_smtp_server_packets(exim_t)
corenet_tcp_bind_smtp_port(exim_t)
+
+corenet_sendrecv_amavisd_send_server_packets(exim_t)
corenet_tcp_bind_amavisd_send_port(exim_t)
+
+corenet_sendrecv_auth_client_packets(exim_t)
corenet_tcp_connect_auth_port(exim_t)
+
+corenet_sendrecv_smtp_client_packets(exim_t)
corenet_tcp_connect_smtp_port(exim_t)
-corenet_tcp_connect_ldap_port(exim_t)
+
+corenet_sendrecv_inetd_child_client_packets(exim_t)
corenet_tcp_connect_inetd_child_port(exim_t)
-# connect to spamassassin
+
+corenet_sendrecv_spamd_client_packets(exim_t)
corenet_tcp_connect_spamd_port(exim_t)
dev_read_rand(exim_t)
dev_read_urand(exim_t)
-# Init script handling
domain_use_interactive_fds(exim_t)
files_search_usr(exim_t)
files_search_var(exim_t)
-files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
files_getattr_all_mountpoints(exim_t)
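Review bot: `corenet_tcp_connect_ldap_port(exim_t)` is removed without a replacement visible in this hunk and without mention in the commit message, so an exim build using ldap lookups would now be denied that connection; if an ldap-specific optional_policy block outside these hunks takes over, say so in the message, otherwise the line (paired with `corenet_sendrecv_ldap_client_packets(exim_t)` to match the new pattern) should stay. The removal of `files_read_etc_files(exim_t)` looks intentional and presumably relies on that access now being granted to all domains by the base policy at this refpolicy version — worth stating as well, since on an older base it silently breaks configuration reads.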
@@ -130,10 +145,15 @@ mta_manage_spool(exim_t)
mta_mailserver_delivery(exim_t)
tunable_policy(`exim_can_connect_db',`
- corenet_tcp_connect_mysqld_port(exim_t)
- corenet_sendrecv_mysqld_client_packets(exim_t)
- corenet_tcp_connect_postgresql_port(exim_t)
- corenet_sendrecv_postgresql_client_packets(exim_t)
+ corenet_sendrecv_gds_db_client_packets(exim_t)
+ corenet_tcp_connect_gds_db_port(exim_t)
+ corenet_tcp_sendrecv_gds_db_port(exim_t)
+ corenet_sendrecv_mssql_client_packets(exim_t)
+ corenet_tcp_connect_mssql_port(exim_t)
+ corenet_tcp_sendrecv_mssql_port(exim_t)
+ corenet_sendrecv_oracledb_client_packets(exim_t)
+ corenet_tcp_connect_oracledb_port(exim_t)
+ corenet_tcp_sendrecv_oracledb_port(exim_t)
')
tunable_policy(`exim_read_user_files',`
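Review bot: The gds_db, mssql and oracledb ports enter the tunable with nothing recording which exim lookup type each serves; a short comment above the first corenet line, `# gds_db: ibase lookups, oracledb: oracle lookups`, would let the next reader judge whether mssql belongs here, since I cannot match it to a lookup exim ships. Note also that mysql and postgresql TCP access now depends on the optional_policy blocks further down, so on a system without those modules loaded enabling exim_can_connect_db grants only the three ports above — the tunable description should probably say that the boolean covers only databases whose policy module is present.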
@@ -162,6 +182,10 @@ optional_policy(`
')
optional_policy(`
+ dovecot_stream_connect(exim_t)
+')
+
+optional_policy(`
kerberos_keytab_template(exim, exim_t)
')
@@ -171,14 +195,23 @@ optional_policy(`
')
optional_policy(`
+ nagios_search_spool(exim_t)
+')
+
+optional_policy(`
tunable_policy(`exim_can_connect_db',`
+ mysql_rw_db_sockets(exim_t)
mysql_stream_connect(exim_t)
+ mysql_tcp_connect(exim_t)
')
')
optional_policy(`
+ postgresql_unpriv_client(exim_t)
+
tunable_policy(`exim_can_connect_db',`
postgresql_stream_connect(exim_t)
+ postgresql_tcp_connect(exim_t)
')
')
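Review bot: `postgresql_unpriv_client(exim_t)` sits outside the exim_can_connect_db tunable while the stream and tcp connect calls in the same optional_policy block are gated by it, so exim is marked as a postgresql client regardless of the boolean. That placement is presumably forced because the interface assigns an attribute, which cannot appear inside a conditional block; a comment above the call, `# unconditional: attribute assignment is not permitted inside tunable_policy`, would stop a later cleanup from moving it inside the tunable and breaking the policy build. The nagios_search_spool and mysql_rw_db_sockets additions look consistent with the rest of the block.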
@@ -191,9 +224,6 @@ optional_policy(`
')
optional_policy(`
- # https://bugzilla.redhat.com/show_bug.cgi?id=512710
- # uses sendmail for outgoing mail and exim
- # for incoming mail
sendmail_manage_tmp_files(exim_t)
')