From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 19:04:36 -0400
Subject: [refpolicy] [PATCH 2/2] dkim: update
In-Reply-To: <20170910144814.4477-2-cgzones@googlemail.com>
References: <20170910144814.4477-1-cgzones@googlemail.com> <20170910144814.4477-2-cgzones@googlemail.com>
Message-ID: <76599065-059d-1676-84a6-f87edd71b2ce@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/10/2017 10:48 AM, Christian Göttsche via refpolicy wrote:
> - add filecontexts > - define key as security file > - access to private postfix socket > --- > dkim.fc | 4 ++++ > dkim.te | 16 +++++++++++++--- > 2 files changed, 17 insertions(+), 3 deletions(-) > > diff --git a/dkim.fc b/dkim.fc > index 3a68a26..621180a 100644 > --- a/dkim.fc > +++ b/dkim.fc > @@ -5,6 +5,8 @@ > /usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) > /usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) > > +/usr/lib/systemd/system/opendkim\.service -- gen_context(system_u:object_r:dkim_milter_unit_t,s0) > + > /usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) > /usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) > > @@ -12,6 +14,8 @@ > > /var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) > > +/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) > + > /run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) > /run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) > /run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) > diff --git a/dkim.te b/dkim.te > index 5451389..c853c1c 100644 > --- a/dkim.te > +++ b/dkim.te 
> @@ -11,7 +11,10 @@ type dkim_milter_initrc_exec_t; > init_script_file(dkim_milter_initrc_exec_t) > > type dkim_milter_private_key_t; > -files_type(dkim_milter_private_key_t) > +files_security_file(dkim_milter_private_key_t) > + > +type dkim_milter_unit_t; > +init_unit_file(dkim_milter_unit_t) > > init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim") > > @@ -27,7 +30,6 @@ allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; > read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) > > kernel_read_kernel_sysctls(dkim_milter_t) > -kernel_read_vm_sysctls(dkim_milter_t) > kernel_read_vm_overcommit_sysctl(dkim_milter_t) > > corenet_udp_bind_generic_node(dkim_milter_t) > @@ -38,6 +40,14 @@ dev_read_urand(dkim_milter_t) > # for cpu/online > dev_read_sysfs(dkim_milter_t) > > +files_read_usr_files(dkim_milter_t) > files_search_spool(dkim_milter_t) > > -mta_read_config(dkim_milter_t) > +optional_policy(` > + mta_read_config(dkim_milter_t) > +') > + > +optional_policy(` > + # set up unix socket > + postfix_search_spool(dkim_milter_t) > +')

Merged.

-- 
Chris PeBenito
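Review bot: in the first dkim.fc hunk (@@ -5,6 +5,8 @@) the new unit-file entry covers only `/usr/lib/systemd/system/opendkim\.service`, while the executable entries right above it label both `dkim-filter` and `opendkim`. If a `dkim-filter.service` unit is ever installed it would keep the generic label under /usr/lib instead of `dkim_milter_unit_t`; either add a matching `dkim-filter\.service` pattern or state in the commit message that only opendkim ships a systemd unit.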
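Review bot: the second dkim.fc hunk (@@ -12,6 +14,8 @@) labels `/var/spool/postfix/opendkim(/.*)?` as `dkim_milter_data_t`, but the only matching rule on the .te side is `postfix_search_spool(dkim_milter_t)` under the comment `# set up unix socket`. A file-context entry only applies at relabel time; if the milter creates that directory or its socket at runtime inside the postfix spool, the new objects inherit the spool's type unless a type transition is declared, and search alone does not allow creating them. Please say whether the package pre-creates and labels the directory, and if not add the create and filetrans rules next to the search permission.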
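Review bot: the dkim.te hunk at @@ -27,7 +30,6 @@ drops `kernel_read_vm_sysctls(dkim_milter_t)` and keeps only `kernel_read_vm_overcommit_sysctl(dkim_milter_t)`, which narrows the milter's sysctl read access to the overcommit value. That is a sound least-privilege tightening, but the commit message lists only the file contexts, the key type and the postfix socket; add a line such as `- narrow vm sysctl access to the overcommit sysctl` so the change is visible in the log.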
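Review bot: `files_read_usr_files(dkim_milter_t)` in the last dkim.te hunk (@@ -38,6 +40,14 @@) is another addition the commit message does not mention, and nothing in the patch says which files under /usr the milter reads (the unit file added in dkim.fc gets `dkim_milter_unit_t`, so it is not that). Give the trigger in a comment above the call, the way the existing `# for cpu/online` line documents `dev_read_sysfs(dkim_milter_t)`, and list it in the commit message alongside the postfix spool access.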