2018-01-01 11:22:29

by Christian Göttsche

Subject: [refpolicy] [PATCH 1/2] dkim: align file contexts

---
dkim.fc | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/dkim.fc b/dkim.fc
index 621180ab..08b65263 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -1,25 +1,25 @@
-/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)

/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)

-/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)

/usr/lib/systemd/system/opendkim\.service -- gen_context(system_u:object_r:dkim_milter_unit_t,s0)

-/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)

-/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)

-/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)

-/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)

-/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)

-/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)

-/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
--
2.15.1


2018-01-01 11:22:30

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/2] dkim: update

---
dkim.te | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dkim.te b/dkim.te
index 4ddefbf8..29880efb 100644
--- a/dkim.te
+++ b/dkim.te
@@ -23,23 +23,24 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
# Local policy
#

-allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };
allow dkim_milter_t self:process { signal signull };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;

read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)

+# /proc/sys/kernel/ngroups_max
kernel_read_kernel_sysctls(dkim_milter_t)
kernel_read_vm_overcommit_sysctl(dkim_milter_t)

corenet_udp_bind_generic_node(dkim_milter_t)
corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
-corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)

dev_read_urand(dkim_milter_t)
# for cpu/online
dev_read_sysfs(dkim_milter_t)

+files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, { dir file })
files_read_usr_files(dkim_milter_t)
files_search_spool(dkim_milter_t)

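Review bot: The capability line now grants both dac_read_search and dac_override, which is more DAC bypass than reading root-owned key material should need. On current kernels read and search access is checked against dac_read_search before falling back to dac_override, so the denial that motivated this change was most likely satisfiable by the new capability alone, and the line could become `allow dkim_milter_t self:capability { dac_read_search setgid setuid };` unless the daemon is known to write or chmod files it does not own, which this hunk does not show. Separately, the new `files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, { dir file })` carries no name filter, so anything the domain creates directly under /run is labeled dkim_milter_data_t; the `init_daemon_pid_file(..., "opendkim")` context line and the names in dkim.fc suggest the expected entries are known, so one call per name, e.g. `files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, file, "dkim-milter.pid")`, would keep the transition tight. A one-line comment above the capability line naming the file that triggered the denial would also make the permission easier to re-audit later.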
--
2.15.1

2018-01-03 21:48:31

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] dkim: align file contexts

On 01/01/2018 06:22 AM, Christian Göttsche via refpolicy wrote:
> ---
> dkim.fc | 26 +++++++++++++-------------
> 1 file changed, 13 insertions(+), 13 deletions(-)
>
> diff --git a/dkim.fc b/dkim.fc
> index 621180ab..08b65263 100644
> --- a/dkim.fc
> +++ b/dkim.fc
> @@ -1,25 +1,25 @@
> -/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
> +/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
>
> /etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
>
> -/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> -/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> +/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> +/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
>
> /usr/lib/systemd/system/opendkim\.service -- gen_context(system_u:object_r:dkim_milter_unit_t,s0)
>
> -/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> -/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
> +/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
>
> -/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
> +/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
>
> -/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
>
> -/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
>
> -/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> -/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> -/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
>
> -/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
>
> -/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
> +/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)

Merged.

--
Chris PeBenito

2018-01-03 21:48:39

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] dkim: update

On 01/01/2018 06:22 AM, Christian Göttsche via refpolicy wrote:
> ---
> dkim.te | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/dkim.te b/dkim.te
> index 4ddefbf8..29880efb 100644
> --- a/dkim.te
> +++ b/dkim.te
> @@ -23,23 +23,24 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
> # Local policy
> #
>
> -allow dkim_milter_t self:capability { dac_override setgid setuid };
> +allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };
> allow dkim_milter_t self:process { signal signull };
> allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
>
> read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
>
> +# /proc/sys/kernel/ngroups_max
> kernel_read_kernel_sysctls(dkim_milter_t)
> kernel_read_vm_overcommit_sysctl(dkim_milter_t)
>
> corenet_udp_bind_generic_node(dkim_milter_t)
> corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
> -corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
>
> dev_read_urand(dkim_milter_t)
> # for cpu/online
> dev_read_sysfs(dkim_milter_t)
>
> +files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, { dir file })
> files_read_usr_files(dkim_milter_t)
> files_search_spool(dkim_milter_t)

Merged.

--
Chris PeBenito