commit:     b3afcd57276f8844ab25af288948cca8c543abfa
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Feb  2 16:34:44 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:10 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3afcd57

dovecot, postfix: add missing accesses

postfix_pipe_t requires reading dovecot configuration and connecting to
dovecot stream sockets if configured to use dovecot for local mail
delivery.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dovecot.if | 22 ++++++++++++++++++++++
 policy/modules/services/postfix.te |  2 ++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/services/dovecot.if 
b/policy/modules/services/dovecot.if
index 1aa28f47..ec66a893 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
@@ -61,6 +61,28 @@ interface(`dovecot_domtrans_deliver',`
        domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
 ')
 
+########################################
+## <summary>
+##     Read dovecot configuration content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_read_config',`
+       gen_require(`
+               type dovecot_etc_t;
+       ')
+
+       files_search_etc($1)
+       allow $1 dovecot_etc_t:dir list_dir_perms;
+       allow $1 dovecot_etc_t:file read_file_perms;
+       allow $1 dovecot_etc_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Create, read, write, and delete
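Review bot: The new dovecot_read_config interface grants read on everything labelled dovecot_etc_t, and a dovecot configuration tree commonly holds authentication-backend settings that include credentials; if any of those files carry dovecot_etc_t rather than a separate type (refpolicy has a dovecot_passwd_t, but which paths it covers is not visible here), every caller of this interface also gets those secrets. It is worth confirming in dovecot.fc that credential files are excluded before handing this to postfix_pipe_t, and stating the scope in the summary, e.g. `##     Read dovecot configuration content (all of dovecot_etc_t).`. The body itself follows the usual read_config shape (search etc, list dir, read file and lnk_file), so no further change is needed there.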

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index 5e25fa75..05c0b4a5 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -596,6 +596,8 @@ corecmd_exec_bin(postfix_pipe_t)
 
 optional_policy(`
        dovecot_domtrans_deliver(postfix_pipe_t)
+       dovecot_read_config(postfix_pipe_t)
+       dovecot_stream_connect(postfix_pipe_t)
 ')
 
 optional_policy(`
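Review bot: `dovecot_stream_connect(postfix_pipe_t)` on the second added line calls an interface this commit does not define, so it must already exist in dovecot.if at this point in history (the diffstat shows only dovecot_read_config being added); worth a quick check that it resolves, since an undefined interface only fails at policy build time. Both accesses also apply whenever the dovecot module is loaded, not only when postfix is configured to hand local delivery to dovecot as the commit message describes. A short comment in the block, `# postfix may use dovecot for local mail delivery`, would record why postfix_pipe_t needs the socket connect, and a tunable could gate it if a tighter default is wanted.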
