diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 38c0c70..f5387ab 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -2,6 +2,7 @@ build phase instead of during the generation phase. - DISTRO=redhat now implies DIRECT_INITRC=y. - Added policies: + cyrus dovecot distcc diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 4457dc0..10d17a8 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -143,6 +143,10 @@ tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file create_file_perms; ') +optional_policy(`cyrus.te',` + cyrus_manage_data(system_crond_t) +') + optional_policy(`inn.te',` inn_manage_log(system_crond_t) inn_manage_pid(system_crond_t) diff --git a/refpolicy/policy/modules/services/cyrus.fc b/refpolicy/policy/modules/services/cyrus.fc new file mode 100644 index 0000000..86a9d7e --- /dev/null +++ b/refpolicy/policy/modules/services/cyrus.fc @@ -0,0 +1,4 @@ + +/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) + +/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) diff --git a/refpolicy/policy/modules/services/cyrus.if b/refpolicy/policy/modules/services/cyrus.if new file mode 100644 index 0000000..ec53160 --- /dev/null +++ b/refpolicy/policy/modules/services/cyrus.if @@ -0,0 +1,20 @@ +## Cyrus is an IMAP service intended to be run on sealed servers + +######################################## +## +## Allow caller to create, read, write, +## and delete cyrus data files. +## +## +## Domain allowed access. +## +# +interface(`cyrus_manage_data',` + gen_require(` + type cyrus_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 cyrus_var_lib_t:dir rw_dir_perms; + allow $1 cyrus_var_lib_t:file manage_file_perms; +') diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te new file mode 100644 index 0000000..2a84c78 
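Review bot: The summary of `cyrus_manage_data` in cyrus.if says the caller may create, read, write and delete cyrus data files, but the directory rule grants only `rw_dir_perms` on `cyrus_var_lib_t:dir`, so a caller still cannot create or remove subdirectories under `/var/lib/imap`; either change it to `allow $1 cyrus_var_lib_t:dir manage_dir_perms;` if the cron jobs need that, or narrow the summary to `Allow caller to create, read, write, and delete cyrus data files (directory entries only, no subdirectory creation).` The interface's `##` header appears to have lost its `<summary>` and `<param name="domain">` markup in this rendering; if the file itself lacks them the policy documentation generator will not pick the interface up. Since the cron.te hunk hands this interface to `system_crond_t`, every system cron job gains read/write over the Cyrus mailbox databases, which is consistent with how cron.te treats inn just below it but is worth stating in the interface description.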
--- /dev/null
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -0,0 +1,146 @@
+
+policy_module(cyrus,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyrus_t;
+type cyrus_exec_t;
+init_daemon_domain(cyrus_t,cyrus_exec_t)
+
+type cyrus_tmp_t;
+files_tmp_file(cyrus_tmp_t)
+
+type cyrus_var_lib_t;
+files_type(cyrus_var_lib_t)
+
+type cyrus_var_run_t;
+files_pid_file(cyrus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit cyrus_t self:capability sys_tty_config;
+allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow cyrus_t self:process setrlimit;
+allow cyrus_t self:fd use;
+allow cyrus_t self:fifo_file rw_file_perms;
+allow cyrus_t self:shm create_shm_perms;
+allow cyrus_t self:sem create_sem_perms;
+allow cyrus_t self:msgq create_msgq_perms;
+allow cyrus_t self:msg { send receive };
+allow cyrus_t self:unix_dgram_socket create_socket_perms;
+allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
+allow cyrus_t self:unix_dgram_socket sendto;
+allow cyrus_t self:unix_stream_socket connectto;
+allow cyrus_t self:tcp_socket create_stream_socket_perms;
+allow cyrus_t self:udp_socket create_socket_perms;
+
+allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
+allow cyrus_t cyrus_tmp_t:file create_file_perms;
+files_create_tmp_files(cyrus_t, cyrus_tmp_t, { file dir })
+
+allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
+allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
+
+allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
+allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
+allow cyrus_t cyrus_var_run_t:file create_file_perms;
+files_create_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })
+
+kernel_read_kernel_sysctl(cyrus_t)
+kernel_read_system_state(cyrus_t)
+kernel_read_all_sysctl(cyrus_t)
+
+corenet_tcp_sendrecv_all_if(cyrus_t)
+corenet_udp_sendrecv_all_if(cyrus_t)
+corenet_raw_sendrecv_all_if(cyrus_t)
+corenet_tcp_sendrecv_all_nodes(cyrus_t)
+corenet_udp_sendrecv_all_nodes(cyrus_t)
+corenet_raw_sendrecv_all_nodes(cyrus_t)
+corenet_tcp_sendrecv_all_ports(cyrus_t)
+corenet_udp_sendrecv_all_ports(cyrus_t)
+corenet_tcp_bind_all_nodes(cyrus_t)
+corenet_udp_bind_all_nodes(cyrus_t)
+corenet_tcp_bind_mail_port(cyrus_t)
+corenet_tcp_bind_pop_port(cyrus_t)
+corenet_tcp_connect_all_ports(cyrus_t)
+
+dev_read_rand(cyrus_t)
+dev_read_urand(cyrus_t)
+dev_read_sysfs(cyrus_t)
+
+fs_getattr_all_fs(cyrus_t)
+fs_search_auto_mountpoints(cyrus_t)
+
+term_dontaudit_use_console(cyrus_t)
+
+corecmd_exec_bin(cyrus_t)
+
+domain_use_wide_inherit_fd(cyrus_t)
+
+files_list_var_lib(cyrus_t)
+files_read_etc_files(cyrus_t)
+files_read_etc_runtime_files(cyrus_t)
+files_create_pid(cyrus_t,cyrus_var_run_t)
+
+init_use_fd(cyrus_t)
+
+libs_use_ld_so(cyrus_t)
+libs_use_shared_libs(cyrus_t)
+libs_exec_lib_files(cyrus_t)
+
+logging_send_syslog_msg(cyrus_t)
+
+miscfiles_read_localization(cyrus_t)
+miscfiles_read_certs(cyrus_t)
+
+sysnet_read_config(cyrus_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cyrus_t)
+userdom_dontaudit_search_sysadm_home_dir(cyrus_t)
+userdom_use_unpriv_users_fd(cyrus_t)
+userdom_use_sysadm_pty(cyrus_t)
+
+mta_manage_spool(cyrus_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(cyrus_t)
+ term_dontaudit_use_generic_pty(cyrus_t)
+ files_dontaudit_read_root_file(cyrus_t)
+')
+
+optional_policy(`cron.te',`
+ cron_system_entry(cyrus_t,cyrus_exec_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(cyrus_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(cyrus_t)
+')
+
+optional_policy(`sasl.te',`
+ sasl_connect(cyrus_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(cyrus_t)
+')
+
+optional_policy(`udev.te',`
+ udev_read_db(cyrus_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(cyrus_t)
+')
+')
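Review bot: `allow cyrus_t self:process setrlimit;` in the Local policy section of cyrus.te re-grants a permission that the complement rule just above it, `~{ ... setrlimit ... }`, deliberately excludes, so the exclusion is dead and the intent is unreadable; either drop `setrlimit` from the `~{}` list or drop the explicit allow, whichever matches what cyrus-master actually needs. Several other rules are redundant with one another and should be collapsed: `files_create_pid(cyrus_t,cyrus_var_run_t)` is called a second time after the earlier `files_create_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })`, `kernel_read_all_sysctl(cyrus_t)` subsumes `kernel_read_kernel_sysctl(cyrus_t)`, and `userdom_use_unpriv_users_fd(cyrus_t)` makes `userdom_dontaudit_use_unpriv_user_fd(cyrus_t)` a no-op. `corenet_tcp_connect_all_ports(cyrus_t)` lets the IMAP daemon initiate TCP connections to any port, which is broader than a sealed mail server should need given that SASL is reached over a unix socket via `sasl_connect`; once the daemon's real outbound connections are known, replace it with the specific `corenet_tcp_connect_*_port` interfaces and add a comment naming them. The trailing `ifdef(`TODO',...)` block is disabled code and is better replaced by a one-line `# TODO: rhgb_domain(cyrus_t) once rhgb.if provides it` comment.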
diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc index 59c4189..494c989 100644 --- a/refpolicy/policy/modules/services/mta.fc +++ b/refpolicy/policy/modules/services/mta.fc @@ -10,8 +10,8 @@ ifdef(`sendmail.te',`',` /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) - /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) ifdef(`postfix.te', `', ` diff --git a/refpolicy/policy/modules/services/sasl.if b/refpolicy/policy/modules/services/sasl.if index 3cba13b..d085472 100644 --- a/refpolicy/policy/modules/services/sasl.if +++ b/refpolicy/policy/modules/services/sasl.if @@ -1 +1,20 @@ ## SASL authentication server + +######################################## +## +## Connect to SASL. +## +## +## Domain allowed access. +## +# +interface(`sasl_connect',` + gen_require(` + type saslauthd_t, saslauthd_var_run_t; + ') + + files_search_pids($1) + allow $1 saslauthd_var_run_t:dir search; + allow $1 saslauthd_var_run_t:sock_file { read write }; + allow $1 saslauthd_t:unix_stream_socket connectto; +') diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc index 6f1686d..1c00508 100644 --- a/refpolicy/policy/modules/system/corecommands.fc +++ b/refpolicy/policy/modules/system/corecommands.fc @@ -74,6 +74,7 @@ ifdef(`distro_suse', ` /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
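Review bot: `/var/spool/imap(/.*)?` in mta.fc is labelled with the generic `mail_spool_t`, so the Cyrus mailstore becomes readable and writable by every domain that already has mail spool access (and `mta_manage_spool(cyrus_t)` in cyrus.te relies on exactly that), whereas `/var/lib/imap` received its own `cyrus_var_lib_t` type in cyrus.fc. A dedicated type (a constructed name such as `cyrus_spool_t`) with a matching `cyrus_manage_spool`-style interface would let MTA delivery domains be granted only the access Cyrus delivery actually needs; at minimum a comment next to the entry should record that the IMAP spool is deliberately shared with the MTA types. The hunk header shows `ifdef(`sendmail.te',`',`` as the nearest enclosing line, so this entry may only be active in that branch; I cannot see enough of mta.fc to confirm, but if Cyrus is expected to run alongside sendmail the entry may need to sit outside that conditional.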