diff options
| author |   Dominick Grift <dominick.grift@gmail.com> | 2012-10-01 09:52:36 +0200 |
|---|---|---|
| committer |   Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-10-02 20:05:53 +0200 |
| commit | 96b4fba13ba34b1a70bbf39a8a374e34712d8bab (patch) | |
| tree | 7efae43b4e14be9e6f126e4a700648704e56f03a /policy | |
| parent | fcoemon XML clean up (diff) | |
| download | hardened-refpolicy-96b4fba13ba34b1a70bbf39a8a374e34712d8bab.tar.gz hardened-refpolicy-96b4fba13ba34b1a70bbf39a8a374e34712d8bab.tar.bz2 hardened-refpolicy-96b4fba13ba34b1a70bbf39a8a374e34712d8bab.zip | |
Changes to the fetchmail policy module
Ported from Fedora with changes
Added init script file type
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Diffstat (limited to 'policy')
| -rw-r--r-- | policy/modules/contrib/fetchmail.fc | 22 | ||||
| -rw-r--r-- | policy/modules/contrib/fetchmail.if | 20 | ||||
| -rw-r--r-- | policy/modules/contrib/fetchmail.te | 40 |
3 files changed, 43 insertions, 39 deletions
diff --git a/policy/modules/contrib/fetchmail.fc b/policy/modules/contrib/fetchmail.fc index 39928d5a..5e3e57cc 100644 --- a/policy/modules/contrib/fetchmail.fc +++ b/policy/modules/contrib/fetchmail.fc @@ -1,19 +1,13 @@ +HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0) -# -# /etc -# +/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) -/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) +/etc/rc\.d/init\.d/fetchmail -- gen_context(system_u:object_r:fetchmail_initrc_exec_t,s0) -# -# /usr -# +/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0) -/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0) +/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) -# -# /var -# -/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) -/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) -/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) +/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) + +/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if index 6537214c..6ed74904 100644 --- a/policy/modules/contrib/fetchmail.if +++ b/policy/modules/contrib/fetchmail.if @@ -1,28 +1,40 @@ -## <summary>Remote-mail retrieval and forwarding utility</summary> +## <summary>Remote-mail retrieval and forwarding utility.</summary> ######################################## ## <summary> -## All of the rules required to administrate -## an fetchmail environment +## All of the rules required to +## administrate an fetchmail environment. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> ## <rolecap/> # interface(`fetchmail_admin',` gen_require(` type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t; - type fetchmail_var_run_t; + type fetchmail_var_run_t, fetchmail_initrc_exec_t; ') + init_labeled_script_domtrans($1, fetchmail_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fetchmail_initrc_exec_t system_r; + allow $2 system_r; + + allow $1 fetchmail_t:process { ptrace signal_perms }; ps_process_pattern($1, fetchmail_t) files_list_etc($1) admin_pattern($1, fetchmail_etc_t) + files_search_var_lib($1) admin_pattern($1, fetchmail_uidl_cache_t) files_list_pids($1) diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te index ac6626eb..e4706e27 100644 --- a/policy/modules/contrib/fetchmail.te +++ b/policy/modules/contrib/fetchmail.te @@ -1,4 +1,4 @@ -policy_module(fetchmail, 1.12.0) +policy_module(fetchmail, 1.12.1) ######################################## # @@ -10,12 +10,18 @@ type fetchmail_exec_t; init_daemon_domain(fetchmail_t, fetchmail_exec_t) application_executable_file(fetchmail_exec_t) -type fetchmail_var_run_t; -files_pid_file(fetchmail_var_run_t) +type fetchmail_initrc_exec_t; +init_script_file(fetchmail_initrc_exec_t) type fetchmail_etc_t; files_config_file(fetchmail_etc_t) +type fetchmail_home_t; +userdom_user_home_content(fetchmail_home_t) + +type fetchmail_var_run_t; +files_pid_file(fetchmail_var_run_t) + type fetchmail_uidl_cache_t; files_type(fetchmail_uidl_cache_t) @@ -26,20 +32,18 @@ files_type(fetchmail_uidl_cache_t) dontaudit fetchmail_t self:capability sys_tty_config; allow fetchmail_t self:process { signal_perms setrlimit }; -allow fetchmail_t self:unix_dgram_socket create_socket_perms; -allow fetchmail_t self:unix_stream_socket create_stream_socket_perms; -allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms; -allow fetchmail_t self:tcp_socket create_socket_perms; -allow fetchmail_t self:udp_socket create_socket_perms; +allow fetchmail_t self:unix_stream_socket { accept listen }; allow fetchmail_t fetchmail_etc_t:file read_file_perms; +read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) + allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) -files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file }) +files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir) kernel_read_kernel_sysctls(fetchmail_t) kernel_list_proc(fetchmail_t) @@ -47,28 +51,22 @@ kernel_getattr_proc_files(fetchmail_t) kernel_read_proc_symlinks(fetchmail_t) kernel_dontaudit_read_system_state(fetchmail_t) -#looks like it uses system command - calls uname corecmd_exec_bin(fetchmail_t) corecmd_exec_shell(fetchmail_t) corenet_all_recvfrom_unlabeled(fetchmail_t) corenet_all_recvfrom_netlabel(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t) -corenet_udp_sendrecv_generic_if(fetchmail_t) corenet_tcp_sendrecv_generic_node(fetchmail_t) -corenet_udp_sendrecv_generic_node(fetchmail_t) -corenet_tcp_sendrecv_dns_port(fetchmail_t) -corenet_udp_sendrecv_dns_port(fetchmail_t) -corenet_tcp_sendrecv_pop_port(fetchmail_t) -corenet_tcp_sendrecv_smtp_port(fetchmail_t) -corenet_tcp_connect_all_ports(fetchmail_t) +corenet_tcp_sendrecv_all_ports(fetchmail_t) + corenet_sendrecv_all_client_packets(fetchmail_t) +corenet_tcp_connect_all_ports(fetchmail_t) dev_read_sysfs(fetchmail_t) dev_read_rand(fetchmail_t) dev_read_urand(fetchmail_t) -files_read_etc_files(fetchmail_t) files_read_etc_runtime_files(fetchmail_t) files_dontaudit_search_home(fetchmail_t) @@ -77,15 +75,15 @@ fs_search_auto_mountpoints(fetchmail_t) domain_use_interactive_fds(fetchmail_t) +auth_use_nsswitch(fetchmail_t) + logging_send_syslog_msg(fetchmail_t) miscfiles_read_localization(fetchmail_t) miscfiles_read_generic_certs(fetchmail_t) -sysnet_read_config(fetchmail_t) - userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) -userdom_dontaudit_search_user_home_dirs(fetchmail_t) +userdom_search_user_home_dirs(fetchmail_t) optional_policy(` procmail_domtrans(fetchmail_t) |