From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Sun, 10 Sep 2017 16:48:14 +0200
Subject: [refpolicy] [PATCH 2/2] dkim: update
In-Reply-To: <20170910144814.4477-1-cgzones@googlemail.com>
References: <20170910144814.4477-1-cgzones@googlemail.com>
Message-ID: <20170910144814.4477-2-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

- add filecontexts
- define key as security file
- access to private postfix socket
---
 dkim.fc | 4 ++++
 dkim.te | 16 +++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/dkim.fc b/dkim.fc
index 3a68a26..621180a 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -5,6 +5,8 @@
 /usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 /usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/lib/systemd/system/opendkim\.service -- gen_context(system_u:object_r:dkim_milter_unit_t,s0)
+
 /usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 /usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
@@ -12,6 +14,8 @@
 /var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+
 /run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/dkim.te b/dkim.te
index 5451389..c853c1c 100644
--- a/dkim.te
+++ b/dkim.te
@@ -11,7 +11,10 @@ type dkim_milter_initrc_exec_t;
 init_script_file(dkim_milter_initrc_exec_t)
 type dkim_milter_private_key_t;
-files_type(dkim_milter_private_key_t)
+files_security_file(dkim_milter_private_key_t)
+
+type dkim_milter_unit_t;
+init_unit_file(dkim_milter_unit_t)
 init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
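Review bot: `/var/spool/postfix/opendkim(/.*)?` is given dkim_milter_data_t, but the only matching rule on the policy side is the `postfix_search_spool(dkim_milter_t)` added in the last dkim.te hunk; nothing in this patch grants postfix's own domains write access to dkim_milter_data_t:sock_file or connectto on dkim_milter_t, so unless an existing interface outside this patch already does, the socket will be labeled correctly yet unreachable from the MTA. Search on postfix_spool_t also does not let dkim_milter_t create that directory, so it has to pre-exist and be relabeled (restorecon) before the milter starts; stating that in the commit description would save the next reader a denial hunt. The dkim.te hunk comment `# set up unix socket` applies the same way and would be better phrased as `# traverse postfix spool to reach the opendkim socket dir`.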
@@ -27,7 +30,6 @@ allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
 kernel_read_kernel_sysctls(dkim_milter_t)
-kernel_read_vm_sysctls(dkim_milter_t)
 kernel_read_vm_overcommit_sysctl(dkim_milter_t)
 corenet_udp_bind_generic_node(dkim_milter_t)
@@ -38,6 +40,14 @@ dev_read_urand(dkim_milter_t)
 # for cpu/online
 dev_read_sysfs(dkim_milter_t)
+files_read_usr_files(dkim_milter_t)
 files_search_spool(dkim_milter_t)
-mta_read_config(dkim_milter_t)
+optional_policy(`
+	mta_read_config(dkim_milter_t)
+')
+
+optional_policy(`
+	# set up unix socket
+	postfix_search_spool(dkim_milter_t)
+')
-- 
2.14.1
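Review bot: The removal of `kernel_read_vm_sysctls(dkim_milter_t)` is not covered by any of the three bullets in the commit description, so the tightening is invisible in history; presumably the narrower `kernel_read_vm_overcommit_sysctl()` kept on the next line is all the daemon reads, and a bullet such as `- drop kernel_read_vm_sysctls, only the overcommit sysctl is needed` would record that. The surrounding local-policy block starts and ends outside the hunk.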
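Review bot: `files_read_usr_files(dkim_milter_t)` is added without the why-comment that the neighbouring `# for cpu/online` gives dev_read_sysfs; since it is a broad read grant over /usr, a one-line comment naming what the milter reads there (e.g. `# read <what> under /usr -- TODO name it`) would keep the justification next to the rule and make future least-privilege reviews easier. Wrapping `mta_read_config()` in `optional_policy()` looks right and matches the new postfix block below it. From the old-side line counts this hunk appears to reach the end of dkim.te, so no further optional_policy blocks are visible to compare against.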