commit: 045e19bda47a4abb2725672b0da50dafaaf85739
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 19:12:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 12:56:05 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=045e19bd
update exim module
policy/modules/contrib/exim.fc | 14 +++++++-------
policy/modules/contrib/exim.if | 8 ++++----
policy/modules/contrib/exim.te | 25 +++++++++++++------------
3 files changed, 24 insertions(+), 23 deletions(-)
diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
index 9e04a0d..842cb34 100644
--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -1,13 +1,13 @@
/etc/rc\.d/init\.d/exim[0-9]? --
gen_context(system_u:object_r:exim_initrc_exec_t,s0)
-/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
-/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+/run/exim[0-9]?(/.*)?
gen_context(system_u:object_r:exim_pid_t,s0)
+/run/exim[0-9]?\.pid --
gen_context(system_u:object_r:exim_pid_t,s0)
-/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
+/usr/sbin/exim[0-9]? --
gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/sbin/exim_tidydb --
gen_context(system_u:object_r:exim_exec_t,s0)
-/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/lib/exim[0-9]?(/.*)?
gen_context(system_u:object_r:exim_var_lib_t,s0)
-/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
-/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/log/exim[0-9]?(/.*)?
gen_context(system_u:object_r:exim_log_t,s0)
-/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+/var/spool/exim[0-9]?(/.*)?
gen_context(system_u:object_r:exim_spool_t,s0)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 51655bb..c75f5fa 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -96,10 +96,10 @@ interface(`exim_read_tmp_files',`
#
interface(`exim_read_pid_files',`
gen_require(`
- type exim_var_run_t;
+ type exim_pid_t;
')
- allow $1 exim_var_run_t:file read_file_perms;
+ allow $1 exim_pid_t:file read_file_perms;
files_search_pids($1)
')
@@ -281,7 +281,7 @@ interface(`exim_manage_var_lib_files',`
interface(`exim_admin',`
gen_require(`
type exim_t, exim_spool_t, exim_log_t;
- type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+ type exim_pid_t, exim_initrc_exec_t, exim_tmp_t;
type exim_keytab_t;
')
@@ -300,7 +300,7 @@ interface(`exim_admin',`
admin_pattern($1, exim_log_t)
files_search_pids($1)
- admin_pattern($1, exim_var_run_t)
+ admin_pattern($1, exim_pid_t)
files_search_tmp($1)
admin_pattern($1, exim_tmp_t)
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index b8de337..5f2810f 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -54,17 +54,18 @@ files_type(exim_var_lib_t)
type exim_log_t;
logging_log_file(exim_log_t)
+type exim_pid_t;
+typealias exim_pid_t alias exim_var_run_t;
+files_pid_file(exim_pid_t)
+
type exim_spool_t;
files_type(exim_spool_t)
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
-type exim_var_run_t;
-files_pid_file(exim_var_run_t)
-
ifdef(`distro_debian',`
- init_daemon_pid_file(exim_var_run_t, dir, "exim4")
+ init_daemon_pid_file(exim_pid_t, dir, "exim4")
')
########################################
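Review bot: The new `typealias exim_pid_t alias exim_var_run_t;` carries no comment saying why the old name is retained, so a later cleanup cannot tell whether out-of-tree policy still references it. Documenting it inline, e.g. `# exim_var_run_t kept as a compatibility alias for policy written against the old type name`, lets the alias be retired deliberately later rather than by accident. The ifdef(`distro_debian') block below it is unchanged apart from the rename.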
@@ -72,21 +73,25 @@ ifdef(`distro_debian',`
# Local policy
#
-allow exim_t self:capability { chown dac_override dac_read_search fowner
setuid setgid sys_resource };
+allow exim_t self:capability { chown dac_override fowner setuid setgid
sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
allow exim_t self:tcp_socket { accept listen };
-allow exim_t exim_keytab_t:file read_file_perms;
+can_exec(exim_t, exim_exec_t)
-manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+allow exim_t exim_keytab_t:file read_file_perms;
append_files_pattern(exim_t, exim_log_t, exim_log_t)
create_files_pattern(exim_t, exim_log_t, exim_log_t)
setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
logging_log_filetrans(exim_t, exim_log_t, file)
+manage_dirs_pattern(exim_t, exim_pid_t, exim_pid_t)
+manage_files_pattern(exim_t, exim_pid_t, exim_pid_t)
+files_pid_filetrans(exim_t, exim_pid_t, { dir file })
+
manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
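Review bot: Dropping `dac_read_search` from the `allow exim_t self:capability { … }` line while keeping `dac_override` is likely to produce audit noise rather than a real restriction, and the commit message does not mention the capability change. For directory search the kernel consults dac_read_search before falling back to dac_override, so the access still succeeds but each attempt may be logged as a denial. If the intent is least privilege without spurious denials, pair the change with `dontaudit exim_t self:capability dac_read_search;`; if exim no longer needs either, dac_override should be removed as well. The rest of the hunk only moves `can_exec(exim_t, exim_exec_t)` and the exim_pid_t patterns into the file's conventional order.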
@@ -96,11 +101,7 @@ manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
files_tmp_filetrans(exim_t, exim_tmp_t, { dir file })
-manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
-
-can_exec(exim_t, exim_exec_t)
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)