From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Sun, 10 Sep 2017 16:55:23 +0200
Subject: [refpolicy] [PATCH 2/2] milter: update
In-Reply-To: <20170910145523.5213-1-cgzones@googlemail.com>
References: <20170910145523.5213-1-cgzones@googlemail.com>
Message-ID: <20170910145523.5213-2-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

- add initrc filecontext
- remove unnecessary permissions
---
 milter.fc | 2 ++
 milter.te | 16 ++++++----------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/milter.fc b/milter.fc
index 9310401..42fe5e9 100644
--- a/milter.fc
+++ b/milter.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/spamass-milter -- gen_context(system_u:object_r:spamass_milter_initrc_exec_t,s0)
+
 /usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
diff --git a/milter.te b/milter.te
index d0e9c1b..a908466 100644
--- a/milter.te
+++ b/milter.te
@@ -12,6 +12,9 @@ milter_template(greylist)
 milter_template(regex)
 milter_template(spamass)
 
+type spamass_milter_initrc_exec_t;
+init_script_file(spamass_milter_initrc_exec_t)
+
 type spamass_milter_state_t;
 files_type(spamass_milter_state_t)
 
@@ -23,8 +26,6 @@ files_type(spamass_milter_state_t)
 allow milter_domains self:fifo_file rw_fifo_file_perms;
 allow milter_domains self:tcp_socket { accept listen };
 
-kernel_dontaudit_read_system_state(milter_domains)
-
 corenet_all_recvfrom_unlabeled(milter_domains)
 corenet_all_recvfrom_netlabel(milter_domains)
 corenet_tcp_sendrecv_generic_if(milter_domains)
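Review bot: The new spamass_milter_initrc_exec_t type declared in the first milter.te hunk is not exposed through any interface: the diffstat lists only milter.fc and milter.te, so milter.if is untouched by this series (I cannot see milter.if from here, so an existing interface may already cover it). Without an admin interface that calls the usual init_labeled_script_domtrans pattern on this type, only the init domain can run the script in its labeled context, and administrators confined by this policy cannot start or stop spamass-milter through it. If that is the intent, a short comment such as `# initrc type for the SysV script; no admin interface yet` on the declaration would make it explicit; otherwise the interface belongs in the same change as the type.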
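Review bot: Dropping `kernel_dontaudit_read_system_state(milter_domains)` in the second milter.te hunk is not a permission removal but a change in audit behaviour: any of the three milter domains that still opens /proc system state will now log AVC denials instead of being silenced, while the enforcement outcome is unchanged. The same patch also removes the matching `kernel_read_system_state(spamass_milter_t)` allow in the spamass hunk, so spamass-milter is the domain most likely to start producing that audit noise. Unless the removal was checked against audit logs for greylist, regex and spamass alike, keep the dontaudit on milter_domains, and either way the commit message should say that audit behaviour changes rather than only "unnecessary permissions".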
@@ -44,7 +45,7 @@ logging_send_syslog_msg(milter_domains)
 #
 
 allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
-allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:process { getsched setsched };
 
 files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
 
@@ -93,20 +94,15 @@ mta_read_config(regex_milter_t)
 # spamass local policy
 #
 
-allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
 allow spamass_milter_t self:process sigkill;
+allow spamass_milter_t self:unix_stream_socket { accept listen };
 
-kernel_read_system_state(spamass_milter_t)
-kernel_read_vm_overcommit_sysctl(spamass_milter_t)
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
 
 corecmd_exec_shell(spamass_milter_t)
 
-dev_read_sysfs(spamass_milter_t)
-
 files_search_var_lib(spamass_milter_t)
 
-mta_send_mail(spamass_milter_t)
-
 optional_policy(`
	postfix_search_spool(spamass_milter_t)
 ')
--
2.14.1
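Review bot: Removing `mta_send_mail(spamass_milter_t)` in the spamass hunk is likely to break the daemon's alias-expansion mode (its `-x` option, which as far as I recall shells out to sendmail in verify mode), since that transition into the mail-sending domain is exactly what the interface grants; the `corecmd_exec_shell(spamass_milter_t)` rule kept in this hunk suggests that shell-out path is still expected to exist. Unless the removal was tested with that option enabled, keep the `mta_send_mail(spamass_milter_t)` line, or put it under an `optional_policy` / tunable with a comment naming the option it serves. The same caution applies to the dropped `kernel_read_system_state(spamass_milter_t)` and `kernel_read_vm_overcommit_sysctl(spamass_milter_t)`: the description calls them unnecessary but gives no audit evidence, so a one-line note of what was tested would help the next reviewer.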