/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
#
# /usr
/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
ifdef(`distro_redhat', `
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
#
# /var
#
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
-/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
## <summary>Dovecot POP and IMAP mail server</summary>
+########################################
+## <summary>
+## Connect to dovecot auth unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_stream_connect_auth',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+')
+
+########################################
+## <summary>
+## Execute dovecot_deliver in the dovecot_deliver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
########################################
## <summary>
## Create, read, write, and delete the dovecot spool files.
dontaudit $1 dovecot_var_lib_t:file unlink;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dovecot environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the dovecot domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_admin',`
+ gen_require(`
+ type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t;
+ type dovecot_var_run_t;
+
+ type dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_initrc_exec_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dovecot_t)
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dovecot_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, dovecot_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
+')
-policy_module(dovecot, 1.10.2)
+policy_module(dovecot, 1.10.3)
########################################
#
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
type dovecot_cert_t;
files_type(dovecot_cert_t)
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
type dovecot_passwd_t;
files_type(dovecot_passwd_t)
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
can_exec(dovecot_t, dovecot_exec_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
+
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
init_getattr_utmp(dovecot_t)
mta_manage_spool(dovecot_t)
optional_policy(`
- kerberos_use(dovecot_t)
+ kerberos_keytab_template(dovecot, dovecot_t)
')
optional_policy(`
# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
allow dovecot_auth_t self:process signal_perms;
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
')
optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_search_spool(dovecot_auth_t)
+')
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_stream_connect_auth(dovecot_deliver_t)
+
+files_search_tmp(dovecot_deliver_t)
+
+fs_getattr_all_fs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
')
dontaudit kerneloops_t $1:dbus send_msg;
')
+########################################
+## <summary>
+## Allow domain to manage kerneloops tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kerneloops_manage_tmp_files',`
+ gen_require(`
+ type kerneloops_tmp_t;
+ ')
+
+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
+ files_search_tmp($1)
+')
+
########################################
## <summary>
## All of the rules required to administrate
interface(`kerneloops_admin',`
gen_require(`
type kerneloops_t, kerneloops_initrc_exec_t;
+ type kerneloops_tmp_t;
')
allow $1 kerneloops_t:process { ptrace signal_perms };
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
allow $2 system_r;
+
+ admin_pattern($1, kerneloops_tmp_t)
')
-policy_module(kerneloops, 1.2.2)
+policy_module(kerneloops, 1.2.3)
########################################
#
type kerneloops_initrc_exec_t;
init_script_file(kerneloops_initrc_exec_t)
+type kerneloops_tmp_t;
+files_tmp_file(kerneloops_tmp_t)
+
########################################
#
# kerneloops local policy
allow kerneloops_t self:capability sys_nice;
allow kerneloops_t self:process { setsched getsched signal };
allow kerneloops_t self:fifo_file rw_file_perms;
-allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
+files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
kernel_read_ring_buffer(kerneloops_t)
files_read_etc_files(kerneloops_t)
+auth_use_nsswitch(kerneloops_t)
+
logging_send_syslog_msg(kerneloops_t)
logging_read_generic_logs(kerneloops_t)
miscfiles_read_localization(kerneloops_t)
-sysnet_dns_name_resolve(kerneloops_t)
-
optional_policy(`
dbus_system_bus_client(kerneloops_t)
dbus_connect_system_bus(kerneloops_t)
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
allow $1 nscd_t:process signal;
')
+########################################
+## <summary>
+## Send NSCD the kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_kill',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send signulls to NSCD.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signull',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signull;
+')
+
########################################
## <summary>
## Execute NSCD in the nscd domain.
interface(`nscd_socket_use',`
gen_require(`
type nscd_t, nscd_var_run_t;
- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
')
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
dontaudit $1 nscd_var_run_t:file { getattr read };
nscd_domtrans($1)
role $2 types nscd_t;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nscd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the nscd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_initrc_exec_t;
+ ')
+
+ allow $1 nscd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nscd_t)
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nscd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, nscd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
+')
-policy_module(nscd, 1.8.2)
+policy_module(nscd, 1.8.3)
gen_require(`
class nscd all_nscd_perms;
type nscd_exec_t;
init_daemon_domain(nscd_t, nscd_exec_t)
+type nscd_initrc_exec_t;
+init_script_file(nscd_initrc_exec_t)
+
type nscd_log_t;
logging_log_file(nscd_log_t)
# Local policy
#
-allow nscd_t self:capability { kill setgid setuid audit_write };
+allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
-allow nscd_t self:process { getattr setsched signal_perms };
+allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow nscd_t self:tcp_socket create_socket_perms;
allow nscd_t self:udp_socket create_socket_perms;
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+corecmd_search_bin(nscd_t)
+can_exec(nscd_t, nscd_exec_t)
+
kernel_read_kernel_sysctls(nscd_t)
kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
corenet_udp_sendrecv_generic_node(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
corenet_tcp_connect_all_ports(nscd_t)
corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
# Needed to read files created by firstboot "/etc/hesiod.conf"
files_read_etc_runtime_files(nscd_t)
+logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
miscfiles_read_localization(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
+optional_policy(`
+ cron_read_system_job_tmp_files(nscd_t)
+')
+
+optional_policy(`
+ kerberos_use(nscd_t)
+')
+
optional_policy(`
udev_read_db(nscd_t)
')
projects / people / stevee / selinux-policy.git / commitdiff
