From 1b39decc1050a94b55c8c2afec690ae9e8a3dadf Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Sep 23 2010 12:59:22 +0000 Subject: The process and capability IPC goes on top of local policy. The process and capability IPC goes on top of local policy. --- diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 300f1ff..17ee8e2 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -107,10 +107,10 @@ mta_mailserver_delivery(postfix_virtual_t) # chown is to set the correct ownership of queue dirs allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +allow postfix_master_t self:process setrlimit; allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; -allow postfix_master_t self:process setrlimit; allow postfix_master_t postfix_etc_t:dir rw_dir_perms; allow postfix_master_t postfix_etc_t:file rw_file_perms; @@ -284,8 +284,8 @@ optional_policy(` # Postfix local local policy # -allow postfix_local_t self:fifo_file rw_fifo_file_perms; allow postfix_local_t self:process { setsched setrlimit }; +allow postfix_local_t self:fifo_file rw_fifo_file_perms; # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) @@ -424,8 +424,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m # Postfix pipe local policy # -allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; allow postfix_pipe_t self:process setrlimit; +allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) @@ -656,8 +656,8 @@ optional_policy(` # Postfix virtual local policy # -allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; allow postfix_virtual_t self:process { setsched setrlimit }; +allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te index 7257526..fbd2728 100644 --- a/policy/modules/services/postfixpolicyd.te +++ b/policy/modules/services/postfixpolicyd.te @@ -23,9 +23,9 @@ files_pid_file(postfix_policyd_var_run_t) # Local Policy # -allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; allow postfix_policyd_t self:process setrlimit; +allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; allow postfix_policyd_t self:unix_dgram_socket { connect create write}; allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms; diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te index 1b01d75..7653c35 100644 --- a/policy/modules/services/qmail.te +++ b/policy/modules/services/qmail.te @@ -72,8 +72,8 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) # this component preprocesses mail from stdin and invokes qmail-queue # -allow qmail_inject_t self:fifo_file write_fifo_file_perms; allow qmail_inject_t self:process signal_perms; +allow qmail_inject_t self:fifo_file write_fifo_file_perms; allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; @@ -91,8 +91,8 @@ qmail_read_config(qmail_inject_t) # this component delivers a mail message # -allow qmail_local_t self:fifo_file write_file_perms; allow qmail_local_t self:process signal_perms; +allow qmail_local_t self:fifo_file write_file_perms; allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) @@ -160,9 +160,9 @@ files_search_tmp(qmail_lspawn_t) allow qmail_queue_t qmail_lspawn_t:fd use; allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; +allow qmail_queue_t qmail_smtpd_t:process sigchld; allow qmail_queue_t qmail_smtpd_t:fd use; allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; -allow qmail_queue_t qmail_smtpd_t:process sigchld; manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) @@ -288,8 +288,8 @@ miscfiles_read_localization(qmail_splogger_t) allow qmail_start_t self:capability { setgid setuid }; dontaudit qmail_start_t self:capability sys_tty_config; -allow qmail_start_t self:fifo_file rw_fifo_file_perms; allow qmail_start_t self:process signal_perms; +allow qmail_start_t self:fifo_file rw_fifo_file_perms; can_exec(qmail_start_t, qmail_start_exec_t)