2017-09-10 14:48:13

by Christian Göttsche

Subject: [refpolicy] [PATCH 1/2] dkim: align filecontexts

---
dkim.fc | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/dkim.fc b/dkim.fc
index 832c158..3a68a26 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -1,21 +1,21 @@
-/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)

/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)

-/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)

-/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)

-/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)

-/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)

-/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)

-/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)

-/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
--
2.14.1


2017-09-10 14:48:14

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/2] dkim: update

- add filecontexts
- define key as security file
- search access to the postfix spool, so the milter can set up its socket under /var/spool/postfix/opendkim
---
dkim.fc | 4 ++++
dkim.te | 16 +++++++++++++---
2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/dkim.fc b/dkim.fc
index 3a68a26..621180a 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -5,6 +5,8 @@
/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)

+/usr/lib/systemd/system/opendkim\.service -- gen_context(system_u:object_r:dkim_milter_unit_t,s0)
+
/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)

@@ -12,6 +14,8 @@

/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)

+/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/dkim.te b/dkim.te
index 5451389..c853c1c 100644
--- a/dkim.te
+++ b/dkim.te
@@ -11,7 +11,10 @@ type dkim_milter_initrc_exec_t;
init_script_file(dkim_milter_initrc_exec_t)

type dkim_milter_private_key_t;
-files_type(dkim_milter_private_key_t)
+files_security_file(dkim_milter_private_key_t)
+
+type dkim_milter_unit_t;
+init_unit_file(dkim_milter_unit_t)

init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
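Review bot: The switch from `files_type` to `files_security_file` on dkim_milter_private_key_t is a deliberate tightening that deserves a comment, since as far as I recall it keeps the signing keys out of the generic "read non-security files" interfaces; suggest `# DKIM signing keys: security file, so generic non-security file reads cannot reach them` above the type declaration. Both `/etc/opendkim/keys` and `/var/db/dkim` carry this type in dkim.fc, so everything under /var/db/dkim becomes a security file as well — worth confirming that is intended rather than only the key files. The type declarations continue outside the hunk.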

@@ -27,7 +30,6 @@ allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)

kernel_read_kernel_sysctls(dkim_milter_t)
-kernel_read_vm_sysctls(dkim_milter_t)
kernel_read_vm_overcommit_sysctl(dkim_milter_t)

corenet_udp_bind_generic_node(dkim_milter_t)
@@ -38,6 +40,14 @@ dev_read_urand(dkim_milter_t)
# for cpu/online
dev_read_sysfs(dkim_milter_t)

+files_read_usr_files(dkim_milter_t)
files_search_spool(dkim_milter_t)

-mta_read_config(dkim_milter_t)
+optional_policy(`
+ mta_read_config(dkim_milter_t)
+')
+
+optional_policy(`
+ # set up unix socket
+ postfix_search_spool(dkim_milter_t)
+')
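Review bot: `postfix_search_spool(dkim_milter_t)` grants only directory search on the postfix spool, which is less than the `# set up unix socket` comment suggests: it does not let the daemon create `/var/spool/postfix/opendkim` at runtime, and nothing in this patch lets the postfix domain connect to the resulting socket. The new file context gives that directory dkim_milter_data_t only if it already exists and is relabelled; a directory created by the daemon inside the spool would inherit the spool's label unless a file transition rule into dkim_milter_data_t is added, and I cannot see from here whether the postfix module offers such an interface. Suggest changing the comment to `# search the postfix spool; the milter socket dir must be pre-created and labelled dkim_milter_data_t` (or adding the transition) and adding a follow-up on the postfix side for connecting to the socket. `files_read_usr_files` is added without saying what under /usr is read; a short `# for ...` comment would help the next reader.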
--
2.14.1

2017-09-11 23:04:28

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] dkim: align filecontexts

On 09/10/2017 10:48 AM, Christian Göttsche via refpolicy wrote:
> ---
> dkim.fc | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/dkim.fc b/dkim.fc
> index 832c158..3a68a26 100644
> --- a/dkim.fc
> +++ b/dkim.fc
> @@ -1,21 +1,21 @@
> -/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
> +/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
>
> /etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
>
> -/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> -/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> +/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> +/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
>
> -/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> -/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> +/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
>
> -/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
> +/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
>
> -/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
>
> -/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> -/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> -/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
>
> -/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
>
> -/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)

Merged.

--
Chris PeBenito

2017-09-11 23:04:36

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] dkim: update

On 09/10/2017 10:48 AM, Christian Göttsche via refpolicy wrote:
> - add filecontexts
> - define key as security file
> - access to private postfix socket
> ---
> dkim.fc | 4 ++++
> dkim.te | 16 +++++++++++++---
> 2 files changed, 17 insertions(+), 3 deletions(-)
>
> diff --git a/dkim.fc b/dkim.fc
> index 3a68a26..621180a 100644
> --- a/dkim.fc
> +++ b/dkim.fc
> @@ -5,6 +5,8 @@
> /usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> /usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
>
> +/usr/lib/systemd/system/opendkim\.service -- gen_context(system_u:object_r:dkim_milter_unit_t,s0)
> +
> /usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> /usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
>
> @@ -12,6 +14,8 @@
>
> /var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
>
> +/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +
> /run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> /run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> /run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
> diff --git a/dkim.te b/dkim.te
> index 5451389..c853c1c 100644
> --- a/dkim.te
> +++ b/dkim.te
> @@ -11,7 +11,10 @@ type dkim_milter_initrc_exec_t;
> init_script_file(dkim_milter_initrc_exec_t)
>
> type dkim_milter_private_key_t;
> -files_type(dkim_milter_private_key_t)
> +files_security_file(dkim_milter_private_key_t)
> +
> +type dkim_milter_unit_t;
> +init_unit_file(dkim_milter_unit_t)
>
> init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
>
> @@ -27,7 +30,6 @@ allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
> read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
>
> kernel_read_kernel_sysctls(dkim_milter_t)
> -kernel_read_vm_sysctls(dkim_milter_t)
> kernel_read_vm_overcommit_sysctl(dkim_milter_t)
>
> corenet_udp_bind_generic_node(dkim_milter_t)
> @@ -38,6 +40,14 @@ dev_read_urand(dkim_milter_t)
> # for cpu/online
> dev_read_sysfs(dkim_milter_t)
>
> +files_read_usr_files(dkim_milter_t)
> files_search_spool(dkim_milter_t)
>
> -mta_read_config(dkim_milter_t)
> +optional_policy(`
> + mta_read_config(dkim_milter_t)
> +')
> +
> +optional_policy(`
> + # set up unix socket
> + postfix_search_spool(dkim_milter_t)
> +')

Merged.

--
Chris PeBenito