2017-09-12 09:18:57

by Christian Göttsche

Subject: [refpolicy] [PATCH] milter: update

- add initrc filecontext
- drop generic dontaudit macro
- sort some permissions
---
milter.fc | 2 ++
milter.te | 15 ++++++++++-----
2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/milter.fc b/milter.fc
index 9310401..42fe5e9 100644
--- a/milter.fc
+++ b/milter.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/spamass-milter -- gen_context(system_u:object_r:spamass_milter_initrc_exec_t,s0)
+
/usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
diff --git a/milter.te b/milter.te
index d0e9c1b..a299b8e 100644
--- a/milter.te
+++ b/milter.te
@@ -12,6 +12,9 @@ milter_template(greylist)
milter_template(regex)
milter_template(spamass)

+type spamass_milter_initrc_exec_t;
+init_script_file(spamass_milter_initrc_exec_t)
+
type spamass_milter_state_t;
files_type(spamass_milter_state_t)

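Review bot: The new `type spamass_milter_initrc_exec_t;` / `init_script_file(spamass_milter_initrc_exec_t)` pair is declared here and labelled in the milter.fc hunk, but nothing in the patch exposes the type through an interface, so only init itself can transition on the script under that label. Refpolicy's usual companion is an admin interface in milter.if built on `init_labeled_script_domtrans($1, spamass_milter_initrc_exec_t)` together with `domain_system_change_exemption($1)` and a `role_transition $2 spamass_milter_initrc_exec_t system_r;`, which lets an admin role start and stop the service with the intended transition instead of hitting denials on the script. milter.if is not on this page, so this may already exist; if it does not, it is worth a follow-up so the new label is actually usable by administrators.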
@@ -23,8 +26,6 @@ files_type(spamass_milter_state_t)
allow milter_domains self:fifo_file rw_fifo_file_perms;
allow milter_domains self:tcp_socket { accept listen };

-kernel_dontaudit_read_system_state(milter_domains)
-
corenet_all_recvfrom_unlabeled(milter_domains)
corenet_all_recvfrom_netlabel(milter_domains)
corenet_tcp_sendrecv_generic_if(milter_domains)
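Review bot: Removing `kernel_dontaudit_read_system_state(milter_domains)` drops the suppression for every domain carrying the attribute, but only spamass_milter_t visibly gains a replacement (`kernel_read_system_state(spamass_milter_t)` appears as context in the @@ -93 hunk); greylist_milter_t and regex_milter_t are not touched by this patch. If either of those daemons probes /proc at startup, the change will surface as new AVC denials in the audit log rather than a functional failure, which is easy to mistake for a regression elsewhere. Either confirm that those two domains already have a read or dontaudit rule outside the hunk, or keep a per-domain `kernel_dontaudit_read_system_state()` for them until the actual accesses are known.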
@@ -44,7 +45,7 @@ logging_send_syslog_msg(milter_domains)
#

allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
-allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:process { getsched setsched };

files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)

@@ -93,8 +94,10 @@ mta_read_config(regex_milter_t)
# spamass local policy
#

-allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
allow spamass_milter_t self:process sigkill;
+allow spamass_milter_t self:unix_stream_socket { accept listen };
+
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;

kernel_read_system_state(spamass_milter_t)
kernel_read_vm_overcommit_sysctl(spamass_milter_t)
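Review bot: `allow spamass_milter_t self:unix_stream_socket { accept listen };` covers accepting connections, but nothing in the patch grants creating or unlinking the socket file, and the only rule on `spamass_milter_state_t` is `search_dir_perms`. If the listening socket lives under the state directory, the domain also needs something like `manage_sock_files_pattern(spamass_milter_t, spamass_milter_state_t, spamass_milter_state_t)` (or the equivalent on the pid/run type), otherwise the bind is denied before listen/accept ever matter; the socket create/bind permissions on self are presumably already granted outside the hunk, so this is a request to confirm the full lifecycle rather than a definite gap. Moving the `spamass_milter_state_t:dir` rule below the self rules matches refpolicy ordering and is fine.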
@@ -105,7 +108,9 @@ dev_read_sysfs(spamass_milter_t)

files_search_var_lib(spamass_milter_t)

-mta_send_mail(spamass_milter_t)
+optional_policy(`
+ mta_send_mail(spamass_milter_t)
+')

optional_policy(`
postfix_search_spool(spamass_milter_t)
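Review bot: Wrapping `mta_send_mail(spamass_milter_t)` in `optional_policy` only achieves its purpose if the module's other mta calls are treated the same way; the @@ -93 hunk header shows `mta_read_config(regex_milter_t)` just above the spamass section, and if that call is still unconditional the module will still fail to build without mta, making this hunk ineffective on its own. Please check that line (outside the hunk) and wrap it too for consistency. Separately, the added `+ mta_send_mail(spamass_milter_t)` line appears indented with a single space where refpolicy uses a tab inside `optional_policy` blocks; this may be an artefact of the mail archive, but it is worth verifying before merge.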
--
2.14.1


2017-09-12 23:37:38

by Chris PeBenito

Subject: [refpolicy] [PATCH] milter: update

On 09/12/2017 05:18 AM, Christian Göttsche via refpolicy wrote:
> - add initrc filecontext
> - drop generic dontaudit macro
> - sort some permissions
> ---
> milter.fc | 2 ++
> milter.te | 15 ++++++++++-----
> 2 files changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/milter.fc b/milter.fc
> index 9310401..42fe5e9 100644
> --- a/milter.fc
> +++ b/milter.fc
> @@ -1,3 +1,5 @@
> +/etc/rc\.d/init\.d/spamass-milter -- gen_context(system_u:object_r:spamass_milter_initrc_exec_t,s0)
> +
> /usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> /usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> /usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
> diff --git a/milter.te b/milter.te
> index d0e9c1b..a299b8e 100644
> --- a/milter.te
> +++ b/milter.te
> @@ -12,6 +12,9 @@ milter_template(greylist)
> milter_template(regex)
> milter_template(spamass)
>
> +type spamass_milter_initrc_exec_t;
> +init_script_file(spamass_milter_initrc_exec_t)
> +
> type spamass_milter_state_t;
> files_type(spamass_milter_state_t)
>
> @@ -23,8 +26,6 @@ files_type(spamass_milter_state_t)
> allow milter_domains self:fifo_file rw_fifo_file_perms;
> allow milter_domains self:tcp_socket { accept listen };
>
> -kernel_dontaudit_read_system_state(milter_domains)
> -
> corenet_all_recvfrom_unlabeled(milter_domains)
> corenet_all_recvfrom_netlabel(milter_domains)
> corenet_tcp_sendrecv_generic_if(milter_domains)
> @@ -44,7 +45,7 @@ logging_send_syslog_msg(milter_domains)
> #
>
> allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
> -allow greylist_milter_t self:process { setsched getsched };
> +allow greylist_milter_t self:process { getsched setsched };
>
> files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
>
> @@ -93,8 +94,10 @@ mta_read_config(regex_milter_t)
> # spamass local policy
> #
>
> -allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
> allow spamass_milter_t self:process sigkill;
> +allow spamass_milter_t self:unix_stream_socket { accept listen };
> +
> +allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
>
> kernel_read_system_state(spamass_milter_t)
> kernel_read_vm_overcommit_sysctl(spamass_milter_t)
> @@ -105,7 +108,9 @@ dev_read_sysfs(spamass_milter_t)
>
> files_search_var_lib(spamass_milter_t)
>
> -mta_send_mail(spamass_milter_t)
> +optional_policy(`
> + mta_send_mail(spamass_milter_t)
> +')
>
> optional_policy(`
> postfix_search_spool(spamass_milter_t)

Merged.

--
Chris PeBenito