From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 13 Oct 2008 11:10:03 -0400
Subject: [refpolicy] services_cyrus.patch
In-Reply-To: <48EFBBDF.1040204@redhat.com>
References: <48DA9C28.8000109@redhat.com> <1223575785.2165.138.camel@gorn.columbia.tresys.com> <48EFBBDF.1040204@redhat.com>
Message-ID: <1223910603.21012.11.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Fri, 2008-10-10 at 16:32 -0400, Daniel J Walsh wrote:
> > Add _admin support and kerberos_keytab.
Merged.
> > > > > > plain text > document > attachment > (services_cyrus.patch)
>
> --- nsaserefpolicy/policy/modules/services/cyrus.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -1,3 +1,4 @@
> +/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
>
> /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
>
> --- nsaserefpolicy/policy/modules/services/cyrus.if 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.if 2008-10-10 16:08:15.000000000 -0400
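Review bot: The new file context matches only a script named exactly `cyrus` under `/etc/rc\.d/init\.d/`; if the distribution ships it as `cyrus-imapd` (which I recall the Fedora cyrus-imapd package does), the script stays unlabeled and the `init_labeled_script_domtrans` / `role_transition` rules that the cyrus_admin interface in this same patch builds on it never fire. If so, a second entry `/etc/rc\.d/init\.d/cyrus-imapd -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)` covers it. The actual script name cannot be confirmed from the patch alone, so please check it against the package.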
> @@ -39,3 +39,47 @@
> files_search_var_lib($1)
> stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
> ')
> +
> +########################################
> +##
> +## All of the rules required to administrate
> +## an cyrus environment
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## The role to be allowed to manage the cyrus domain.
> +##
> +##
> +##
> +#
> +interface(`cyrus_admin',`
> + gen_require(`
> + type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
> + type cyrus_var_run_t;
> + type cyrus_initrc_exec_t;
> + ')
> +
> + allow $1 cyrus_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cyrus_t)
> +
> + init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 cyrus_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> + files_list_tmp($1)
> + admin_pattern($1, cyrus_tmp_t)
> +
> + files_list_var_lib($1)
> + admin_pattern($1, cyrus_var_lib_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, cyrus_var_run_t)
> +')
> +
> +
> --- nsaserefpolicy/policy/modules/services/cyrus.te 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.te 2008-10-10 16:08:15.000000000 -0400
> @@ -10,6 +10,9 @@
> type cyrus_exec_t;
> init_daemon_domain(cyrus_t, cyrus_exec_t)
>
> +type cyrus_initrc_exec_t;
> +init_script_file(cyrus_initrc_exec_t)
> +
> type cyrus_tmp_t;
> files_tmp_file(cyrus_tmp_t)
>
> @@ -120,7 +123,7 @@
> ')
>
> optional_policy(`
> - kerberos_use(cyrus_t)
> + kerberos_keytab_template(cyrus, cyrus_t)
> ')
>
> optional_policy(`
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
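Review bot: The `allow $1 cyrus_t:process { ptrace signal_perms };` line in cyrus_admin lets the admin domain attach to and read the memory of the running daemon, which after the cyrus.te change in this same patch may hold Kerberos keytab material; if the interface only needs to stop and restart the service, `allow $1 cyrus_t:process signal_perms;` is the narrower rule, and if ptrace is deliberate a `# ptrace allowed so admins can debug the running daemon` comment above it would make that explicit. The summary reads `## an cyrus environment`; `## a Cyrus IMAP environment` is the intended wording. The hunk also ends with two added blank lines after the closing `')`, one of which should go so the file does not end in a double blank line.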
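Review bot: `kerberos_keytab_template(cyrus, cyrus_t)` presumably declares a `cyrus`-prefixed keytab type, but nothing in this patch labels a file with it — the cyrus.fc hunk adds only the init script entry — so unless a file context for the service keytab already exists elsewhere (cyrus.fc or kerberos.fc) the new type stays unused and the daemon's keytab keeps whatever generic label it has today. Whether the template also carries the access the removed `kerberos_use(cyrus_t)` granted is not visible in this hunk; if it does not, cyrus_t loses its KDC and krb5.conf access with this one-line swap. A comment above the call, `# declares cyrus_keytab_t; the service keytab must be labeled with it in cyrus.fc`, would record that dependency for whoever maintains the file contexts.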