From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 13 Oct 2008 11:10:03 -0400
Subject: [refpolicy] services_cyrus.patch
In-Reply-To: <48EFBBDF.1040204@redhat.com>
References: <48DA9C28.8000109@redhat.com>
<1223575785.2165.138.camel@gorn.columbia.tresys.com>
<48EFBBDF.1040204@redhat.com>
Message-ID: <1223910603.21012.11.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Fri, 2008-10-10 at 16:32 -0400, Daniel J Walsh wrote:
>
> Add _admin support and kerberos_keytab.
Merged.
>
>
>
>
>
> plain text
> document
> attachment
> (services_cyrus.patch)
>
> --- nsaserefpolicy/policy/modules/services/cyrus.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.fc 2008-10-10 16:08:15.000000000 -0400
> @@ -1,3 +1,4 @@
> +/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
>
> /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
>
> --- nsaserefpolicy/policy/modules/services/cyrus.if 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.if 2008-10-10 16:08:15.000000000 -0400
> @@ -39,3 +39,47 @@
> files_search_var_lib($1)
> stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
> ')
> +
> +########################################
> +##
> +## All of the rules required to administrate
> +## an cyrus environment
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## The role to be allowed to manage the cyrus domain.
> +##
> +##
> +##
> +#
> +interface(`cyrus_admin',`
> + gen_require(`
> + type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
> + type cyrus_var_run_t;
> + type cyrus_initrc_exec_t;
> + ')
> +
> + allow $1 cyrus_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cyrus_t)
> +
> + init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 cyrus_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> + files_list_tmp($1)
> + admin_pattern($1, cyrus_tmp_t)
> +
> + files_list_var_lib($1)
> + admin_pattern($1, cyrus_var_lib_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, cyrus_var_run_t)
> +')
> +
> +
> --- nsaserefpolicy/policy/modules/services/cyrus.te 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.12/policy/modules/services/cyrus.te 2008-10-10 16:08:15.000000000 -0400
> @@ -10,6 +10,9 @@
> type cyrus_exec_t;
> init_daemon_domain(cyrus_t, cyrus_exec_t)
>
> +type cyrus_initrc_exec_t;
> +init_script_file(cyrus_initrc_exec_t)
> +
> type cyrus_tmp_t;
> files_tmp_file(cyrus_tmp_t)
>
> @@ -120,7 +123,7 @@
> ')
>
> optional_policy(`
> - kerberos_use(cyrus_t)
> + kerberos_keytab_template(cyrus, cyrus_t)
> ')
>
> optional_policy(`
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150