add courier, bug 1520
This commit is contained in:
parent
f82f22cf7c
commit
6f8cda9673
|
@ -0,0 +1,21 @@
|
|||
/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
|
||||
|
||||
/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
||||
|
||||
/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
|
||||
/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
|
||||
/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
|
||||
|
||||
/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
|
||||
/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
|
||||
/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
||||
/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
||||
/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
|
||||
/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
||||
/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
||||
/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
|
||||
/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
|
||||
|
||||
/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
|
||||
|
||||
/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
|
|
@ -0,0 +1,146 @@
|
|||
## <summary>Courier IMAP and POP3 email servers</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Template for creating courier server processes.
|
||||
## </summary>
|
||||
## <param name="prefix">
|
||||
## <summary>
|
||||
## Prefix name of the server process.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`courier_domain_template',`
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type courier_$1_t;
|
||||
type courier_$1_exec_t;
|
||||
init_daemon_domain(courier_$1_t,courier_$1_exec_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
allow courier_$1_t self:capability dac_override;
|
||||
dontaudit courier_$1_t self:capability sys_tty_config;
|
||||
allow courier_$1_t self:process { setpgid signal_perms };
|
||||
allow courier_$1_t self:fifo_file { read write getattr };
|
||||
allow courier_$1_t self:tcp_socket create_stream_socket_perms;
|
||||
allow courier_$1_t self:udp_socket create_socket_perms;
|
||||
|
||||
can_exec(courier_$1_t, courier_$1_exec_t)
|
||||
|
||||
allow courier_$1_t courier_etc_t:file r_file_perms;
|
||||
allow courier_$1_t courier_etc_t:dir r_dir_perms;
|
||||
|
||||
allow courier_$1_t courier_var_run_t:dir rw_dir_perms;
|
||||
allow courier_$1_t courier_var_run_t:file create_file_perms;
|
||||
allow courier_$1_t courier_var_run_t:lnk_file create_lnk_perms;
|
||||
allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
|
||||
files_search_pids(courier_$1_t)
|
||||
|
||||
kernel_read_system_state(courier_$1_t)
|
||||
kernel_read_kernel_sysctls(courier_$1_t)
|
||||
|
||||
corecmd_exec_bin(courier_$1_t)
|
||||
|
||||
corenet_tcp_sendrecv_generic_if(courier_$1_t)
|
||||
corenet_udp_sendrecv_generic_if(courier_$1_t)
|
||||
corenet_raw_sendrecv_generic_if(courier_$1_t)
|
||||
corenet_tcp_sendrecv_all_nodes(courier_$1_t)
|
||||
corenet_udp_sendrecv_all_nodes(courier_$1_t)
|
||||
corenet_raw_sendrecv_all_nodes(courier_$1_t)
|
||||
corenet_tcp_sendrecv_all_ports(courier_$1_t)
|
||||
corenet_udp_sendrecv_all_ports(courier_$1_t)
|
||||
corenet_non_ipsec_sendrecv(courier_$1_t)
|
||||
corenet_tcp_bind_all_nodes(courier_$1_t)
|
||||
corenet_udp_bind_all_nodes(courier_$1_t)
|
||||
|
||||
dev_read_sysfs(courier_$1_t)
|
||||
|
||||
domain_use_interactive_fds(courier_$1_t)
|
||||
|
||||
files_read_etc_files(courier_$1_t)
|
||||
files_read_etc_runtime_files(courier_$1_t)
|
||||
files_read_usr_files(courier_$1_t)
|
||||
|
||||
fs_getattr_xattr_fs(courier_$1_t)
|
||||
fs_search_auto_mountpoints(courier_$1_t)
|
||||
|
||||
term_dontaudit_use_console(courier_$1_t)
|
||||
|
||||
init_use_fds(courier_$1_t)
|
||||
init_use_script_ptys(courier_$1_t)
|
||||
|
||||
libs_use_ld_so(courier_$1_t)
|
||||
libs_use_shared_libs(courier_$1_t)
|
||||
|
||||
logging_send_syslog_msg(courier_$1_t)
|
||||
|
||||
sysnet_read_config(courier_$1_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(courier_$1_t)
|
||||
term_dontaudit_use_generic_ptys(courier_$1_t)
|
||||
files_dontaudit_read_root_files(courier_$1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(courier_$1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(courier_$1_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the courier authentication daemon with
|
||||
## a domain transition.
|
||||
## </summary>
|
||||
## <param name="prefix">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`courier_domtrans_authdaemon',`
|
||||
gen_require(`
|
||||
type courier_authdaemon_t, courier_authdaemon_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1, courier_authdaemon_exec_t, courier_authdaemon_t)
|
||||
allow courier_authdaemon_t $1:fd use;
|
||||
allow courier_authdaemon_t $1:fifo_file rw_file_perms;
|
||||
allow courier_authdaemon_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the courier POP3 and IMAP server with
|
||||
## a domain transition.
|
||||
## </summary>
|
||||
## <param name="prefix">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`courier_domtrans_pop',`
|
||||
gen_require(`
|
||||
type courier_pop_t, courier_pop_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1, courier_pop_exec_t, courier_pop_t)
|
||||
allow courier_pop_t $1:fd use;
|
||||
allow courier_pop_t $1:fifo_file rw_file_perms;
|
||||
allow courier_pop_t $1:process sigchld;
|
||||
')
|
|
@ -0,0 +1,141 @@
|
|||
|
||||
policy_module(courier,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
courier_domain_template(authdaemon)
|
||||
|
||||
type courier_etc_t;
|
||||
files_type(courier_etc_t)
|
||||
|
||||
courier_domain_template(pcp)
|
||||
|
||||
courier_domain_template(pop)
|
||||
|
||||
courier_domain_template(tcpd)
|
||||
|
||||
type courier_var_lib_t;
|
||||
files_type(courier_var_lib_t)
|
||||
|
||||
type courier_var_run_t;
|
||||
files_pid_file(courier_var_run_t)
|
||||
|
||||
type courier_exec_t;
|
||||
files_type(courier_exec_t)
|
||||
|
||||
courier_domain_template(sqwebmail)
|
||||
typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Authdaemon local policy
|
||||
#
|
||||
|
||||
allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
|
||||
allow courier_authdaemon_t self:unix_stream_socket connectto;
|
||||
|
||||
can_exec(courier_authdaemon_t, courier_exec_t)
|
||||
|
||||
allow courier_authdaemon_t courier_tcpd_t:fd use;
|
||||
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
|
||||
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
|
||||
|
||||
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
|
||||
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
|
||||
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
|
||||
allow courier_authdaemon_t courier_tcpd_t:fd use;
|
||||
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
|
||||
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
|
||||
|
||||
corecmd_search_sbin(courier_authdaemon_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand(courier_authdaemon_t)
|
||||
|
||||
files_getattr_tmp_dirs(courier_authdaemon_t)
|
||||
|
||||
auth_domtrans_chk_passwd(courier_authdaemon_t)
|
||||
|
||||
libs_read_lib_files(courier_authdaemon_t)
|
||||
|
||||
miscfiles_read_localization(courier_authdaemon_t)
|
||||
|
||||
# should not be needed!
|
||||
userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t)
|
||||
|
||||
courier_domtrans_pop(courier_authdaemon_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Calendar (PCP) local policy
|
||||
#
|
||||
|
||||
allow courier_pcp_t self:capability { setuid setgid };
|
||||
|
||||
dev_read_rand(courier_pcp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# POP3/IMAP local policy
|
||||
#
|
||||
|
||||
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
|
||||
allow courier_pop_t courier_authdaemon_t:process sigchld;
|
||||
|
||||
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
|
||||
|
||||
# inherits file handle - should it?
|
||||
allow courier_pop_t courier_var_lib_t:file { read write };
|
||||
|
||||
miscfiles_read_localization(courier_pop_t)
|
||||
|
||||
courier_domtrans_authdaemon(courier_pop_t)
|
||||
|
||||
# do the actual work (read the Maildir)
|
||||
userdom_manage_unpriv_users_home_content_files(courier_pop_t)
|
||||
# cjp: the fact that this is different for pop vs imap means that
|
||||
# there should probably be a courier_pop_t and courier_imap_t
|
||||
# this should also probably be a separate type too instead of
|
||||
# the regular home dir
|
||||
userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# TCPd local policy
|
||||
#
|
||||
|
||||
allow courier_tcpd_t self:capability kill;
|
||||
|
||||
can_exec(courier_tcpd_t, courier_exec_t)
|
||||
|
||||
allow courier_tcpd_t courier_var_lib_t:dir rw_dir_perms;
|
||||
allow courier_tcpd_t courier_var_lib_t:file manage_file_perms;
|
||||
allow courier_tcpd_t courier_var_lib_t:lnk_file create_lnk_perms;
|
||||
files_search_var_lib(courier_tcpd_t)
|
||||
|
||||
corecmd_search_sbin(courier_tcpd_t)
|
||||
|
||||
corenet_tcp_bind_pop_port(courier_tcpd_t)
|
||||
|
||||
# for TLS
|
||||
dev_read_rand(courier_tcpd_t)
|
||||
dev_read_urand(courier_tcpd_t)
|
||||
|
||||
miscfiles_read_localization(courier_tcpd_t)
|
||||
|
||||
courier_domtrans_pop(courier_tcpd_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Webmail local policy
|
||||
#
|
||||
|
||||
kernel_read_kernel_sysctls(courier_sqwebmail_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(courier_sqwebmail_t,courier_sqwebmail_exec_t)
|
||||
')
|
|
@ -4350,6 +4350,49 @@ interface(`userdom_read_unpriv_users_home_content_files',`
|
|||
allow $1 user_home_type:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete directories in
|
||||
## unprivileged users home directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_manage_unpriv_users_home_content_dirs',`
|
||||
gen_require(`
|
||||
attribute user_home_dir_type, user_home_type;
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
allow $1 user_home_dir_type:dir search_dir_perms;
|
||||
allow $1 user_home_type:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files in
|
||||
## unprivileged users home directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_manage_unpriv_users_home_content_files',`
|
||||
gen_require(`
|
||||
attribute user_home_dir_type, user_home_type;
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
allow $1 user_home_dir_type:dir search_dir_perms;
|
||||
allow $1 user_home_type:dir rw_dir_perms;
|
||||
allow $1 user_home_type:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of user ptys.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(userdomain,1.3.9)
|
||||
policy_module(userdomain,1.3.10)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
|
|
Loading…
Reference in New Issue