commit: d1ae8f61ff2f9b933afff01404579acb96deedf7
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Sep 12 09:18:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d1ae8f61
milter: update
- add initrc filecontext
- drop generic dontaudit macro
- sort some permissions
policy/modules/contrib/milter.fc | 2 ++
policy/modules/contrib/milter.te | 15 ++++++++++-----
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/milter.fc b/policy/modules/contrib/milter.fc
index 93104017..42fe5e94 100644
--- a/policy/modules/contrib/milter.fc
+++ b/policy/modules/contrib/milter.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/spamass-milter --
gen_context(system_u:object_r:spamass_milter_initrc_exec_t,s0)
+
/usr/bin/milter-greylist --
gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/bin/sqlgrey --
gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/bin/milter-regex --
gen_context(system_u:object_r:regex_milter_exec_t,s0)
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index d0e9c1b0..a299b8e1 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -12,6 +12,9 @@ milter_template(greylist)
milter_template(regex)
milter_template(spamass)
+type spamass_milter_initrc_exec_t;
+init_script_file(spamass_milter_initrc_exec_t)
+
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
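Review bot: The new `spamass_milter_initrc_exec_t` is declared and marked with `init_script_file()`, but the diffstat at the top lists only milter.fc and milter.te, so no interface in milter.if exposes it; unless one already exists there (not visible here), only init itself can transition into the script and an administrative domain has no way to start or stop spamass-milter under the new label. The usual companion is an admin interface, e.g. a `spamass_milter_admin()` that calls `init_labeled_script_domtrans($1, spamass_milter_initrc_exec_t)` together with `role_transition $2 spamass_milter_initrc_exec_t system_r;`, or an extension of whichever milter admin interface the file already provides. A one-line comment above the declaration such as `# init script for spamass-milter; see milter_template() for the daemon types` would also help readers, since this is the only milter in the file that gets a separate initrc type.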
@@ -23,8 +26,6 @@ files_type(spamass_milter_state_t)
allow milter_domains self:fifo_file rw_fifo_file_perms;
allow milter_domains self:tcp_socket { accept listen };
-kernel_dontaudit_read_system_state(milter_domains)
-
corenet_all_recvfrom_unlabeled(milter_domains)
corenet_all_recvfrom_netlabel(milter_domains)
corenet_tcp_sendrecv_generic_if(milter_domains)
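Review bot: Removing `kernel_dontaudit_read_system_state(milter_domains)` affects every domain carrying the `milter_domains` attribute, while the only domain visibly granted `kernel_read_system_state` in this commit is spamass_milter_t (in the later hunk). If greylist_milter_t or regex_milter_t read /proc at all, they will now produce AVC denials that were previously silenced; that is acceptable only if those domains already carry the allow elsewhere in the file, which is not shown in this diff. Worth confirming with the audit log after deployment, and if the denials are expected and harmless, re-adding the dontaudit per domain (`kernel_dontaudit_read_system_state(greylist_milter_t)` and the regex equivalent) rather than on the attribute. The commit message could also say why the attribute-wide dontaudit was considered unnecessary.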
@@ -44,7 +45,7 @@ logging_send_syslog_msg(milter_domains)
#
allow greylist_milter_t self:capability { chown dac_override setgid setuid
sys_nice };
-allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:process { getsched setsched };
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
@@ -93,8 +94,10 @@ mta_read_config(regex_milter_t)
# spamass local policy
#
-allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
allow spamass_milter_t self:process sigkill;
+allow spamass_milter_t self:unix_stream_socket { accept listen };
+
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
kernel_read_system_state(spamass_milter_t)
kernel_read_vm_overcommit_sysctl(spamass_milter_t)
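Review bot: The added `allow spamass_milter_t self:unix_stream_socket { accept listen };` lets the daemon listen on a unix socket, but nothing in this hunk, and nothing in the diffstat, adds sock_file permissions or a `sock_file` filetrans for the socket's filesystem path. If spamass-milter's listening socket is a named socket under /run or /var/run rather than an abstract one, the domain also needs `manage_sock_files_pattern` on its data type plus a `files_pid_filetrans(spamass_milter_t, <data type>, sock_file)`; `milter_template(spamass)` may already provide this (greylist only gets an explicit `file` filetrans at the line above, which suggests the template handles the socket case), so this is a point to confirm in milter.if rather than a certain gap. A brief comment on the new line, e.g. `# milter socket used by the MTA`, would record why a mail filter needs to accept connections on a unix socket.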
@@ -105,7 +108,9 @@ dev_read_sysfs(spamass_milter_t)
files_search_var_lib(spamass_milter_t)
-mta_send_mail(spamass_milter_t)
+optional_policy(`
+ mta_send_mail(spamass_milter_t)
+')
optional_policy(`
postfix_search_spool(spamass_milter_t)