Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 21927 Details for
Bug 34674
qmail policy files
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
type enforcement
qmail.te (text/plain), 7.44 KB, created by
petre rodan (RETIRED)
on 2003-12-09 07:25:53 UTC
(
hide
)
Description:
type enforcement
Filename:
MIME Type:
Creator:
petre rodan (RETIRED)
Created:
2003-12-09 07:25:53 UTC
Size:
7.44 KB
patch
obsolete
>#DESC Qmail - Mail server ># ># Author: Russell Coker <russell@coker.com.au> ># X-Debian-Packages: qmail-src qmail ># Depends: inetd.te mta.te ># > > ># Type for files created during execution of qmail. >type qmail_var_run_t, file_type, sysadmfile, pidfile; > >type etc_qmail_t, file_type, sysadmfile; > >allow inetd_t smtp_port_t:tcp_socket name_bind; > >type qmail_exec_t, file_type, sysadmfile, exec_type; >type qmail_spool_t, file_type, sysadmfile; >type var_qmail_t, file_type, sysadmfile; > >define(`qmaild_sub_domain', ` >daemon_sub_domain($1, $2, `$3') >allow $2_t etc_qmail_t:dir { getattr search }; >allow $2_t etc_qmail_t:{ lnk_file file } { getattr read }; >allow $2_t var_spool_t:dir search; >allow $2_t console_device_t:chr_file rw_file_perms; >allow $2_t fs_t:filesystem getattr; >') > >################################# ># ># Rules for the qmail_$1_t domain. ># ># qmail_$1_exec_t is the type of the qmail_$1 executables. ># >define(`qmail_daemon_domain', ` >qmaild_sub_domain(qmail_start_t, qmail_$1, `$2') >allow qmail_$1_t qmail_start_t:fifo_file { read write }; >')dnl > > >daemon_base_domain(qmail_start) > >allow qmail_start_t self:capability { setgid setuid }; >allow qmail_start_t { bin_t sbin_t }:dir search; >allow qmail_start_t etc_qmail_t:dir search; >allow qmail_start_t etc_qmail_t:file { getattr read }; >can_exec(qmail_start_t, qmail_start_exec_t) >allow qmail_start_t qmail_start_t:fifo_file { getattr read write }; > >qmail_daemon_domain(lspawn, `, mta_delivery_agent') >allow qmail_lspawn_t self:fifo_file { read write }; >allow qmail_lspawn_t self:capability { setuid setgid }; >allow qmail_lspawn_t self:process { fork signal_perms }; >allow qmail_lspawn_t sbin_t:dir search; >can_exec(qmail_lspawn_t, qmail_exec_t) >allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; >allow qmail_lspawn_t qmail_spool_t:dir search; >allow qmail_lspawn_t qmail_spool_t:file { read getattr }; >allow qmail_lspawn_t etc_t:file { getattr read }; >allow qmail_lspawn_t tmp_t:dir getattr; >dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search }; > >qmail_daemon_domain(send) >rw_dir_create_file(qmail_send_t, qmail_spool_t) >allow qmail_send_t qmail_spool_t:fifo_file read; >allow qmail_send_t self:process { fork signal_perms }; >allow qmail_send_t self:fifo_file write; >domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t) >allow qmail_send_t sbin_t:dir search; > >qmail_daemon_domain(splogger) >allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; >allow qmail_splogger_t etc_t:lnk_file read; >dontaudit qmail_splogger_t initrc_t:fd use; >read_locale(qmail_splogger_t) > >qmail_daemon_domain(rspawn) >allow qmail_rspawn_t qmail_spool_t:dir search; >allow qmail_rspawn_t qmail_spool_t:file rw_file_perms; >allow qmail_rspawn_t self:process { fork signal_perms }; >allow qmail_rspawn_t self:fifo_file read; >allow qmail_rspawn_t { bin_t sbin_t }:dir search; > >qmaild_sub_domain(qmail_rspawn_t, qmail_remote) >allow qmail_rspawn_t qmail_remote_exec_t:file read; >can_network(qmail_remote_t) >allow qmail_remote_t qmail_spool_t:dir search; >allow qmail_remote_t qmail_spool_t:file rw_file_perms; >allow qmail_remote_t resolv_conf_t:file { getattr read }; >allow qmail_remote_t self:tcp_socket create_socket_perms; >allow qmail_remote_t self:udp_socket create_socket_perms; > >qmail_daemon_domain(clean) >allow qmail_clean_t qmail_spool_t:dir rw_dir_perms; >allow qmail_clean_t qmail_spool_t:file { unlink read getattr }; > ># privhome will do until we get a separate maildir type >qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent') >allow qmail_lspawn_t qmail_local_exec_t:file read; >allow qmail_local_t self:process { fork signal_perms }; >domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t) >allow qmail_local_t qmail_queue_exec_t:file read; >allow qmail_local_t qmail_spool_t:file { ioctl read }; >allow qmail_local_t self:fifo_file write; >allow qmail_local_t sbin_t:dir search; >allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; >allow qmail_local_t etc_t:file { getattr read }; > ># for piping mail to a command >can_exec(qmail_local_t, shell_exec_t) >allow qmail_local_t bin_t:dir search; >allow qmail_local_t bin_t:lnk_file read; >allow qmail_local_t devtty_t:chr_file rw_file_perms; >allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read }; > >ifdef(`tcpd.te', ` >qmaild_sub_domain(tcpd_t, qmail_tcp_env) ># bug >can_exec(tcpd_t, tcpd_exec_t) >', ` >qmaild_sub_domain(inetd_t, qmail_tcp_env) >') >allow qmail_tcp_env_t inetd_t:fd use; >allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr }; >allow qmail_tcp_env_t inetd_t:process sigchld; >allow qmail_tcp_env_t resolv_conf_t:file { read getattr }; >allow qmail_tcp_env_t sbin_t:dir search; >can_network(qmail_tcp_env_t) > >qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd) >allow qmail_tcp_env_t qmail_smtpd_exec_t:file read; >can_network(qmail_smtpd_t) >allow qmail_smtpd_t inetd_t:fd use; >allow qmail_smtpd_t inetd_t:tcp_socket { read write }; >allow qmail_smtpd_t inetd_t:process sigchld; >allow qmail_smtpd_t self:process { fork signal_perms }; >allow qmail_smtpd_t self:fifo_file write; >allow qmail_smtpd_t self:tcp_socket create_socket_perms; >allow qmail_smtpd_t sbin_t:dir search; >domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t) >allow qmail_smtpd_t qmail_queue_exec_t:file read; > >qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent') >allow qmail_inject_t self:process { fork signal_perms }; >allow qmail_inject_t self:fifo_file { write }; >allow qmail_inject_t sbin_t:dir search; >role sysadm_r types qmail_inject_t; >in_user_role(qmail_inject_t) > >qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent') >in_user_role(qmail_qread_t) >role sysadm_r types qmail_qread_t; >r_dir_file(qmail_qread_t, qmail_spool_t) >allow qmail_qread_t self:capability dac_override; >allow qmail_qread_t privfd:fd use; > >qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent') >role sysadm_r types qmail_queue_t; >in_user_role(qmail_queue_t) >allow qmail_inject_t qmail_queue_exec_t:file read; >rw_dir_create_file(qmail_queue_t, qmail_spool_t) >allow qmail_queue_t qmail_spool_t:fifo_file { read write }; >allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use; >allow qmail_queue_t qmail_lspawn_t:fifo_file write; >allow qmail_queue_t qmail_start_t:fifo_file { read write }; >allow qmail_queue_t privfd:fd use; >allow qmail_queue_t crond_t:fifo_file { read write }; >allow qmail_queue_t inetd_t:fd use; >allow qmail_queue_t inetd_t:tcp_socket { read write }; >allow qmail_queue_t sysadm_t:fd use; >allow qmail_queue_t sysadm_t:fifo_file write; > >allow user_crond_t etc_qmail_t:dir search; >allow user_crond_t etc_qmail_t:file read; > >qmaild_sub_domain(user_crond_t, qmail_serialmail) >in_user_role(qmail_serialmail_t) >can_network(qmail_serialmail_t) >can_exec(qmail_serialmail_t, qmail_serialmail_exec_t) >allow qmail_serialmail_t self:process { fork signal_perms }; >allow qmail_serialmail_t proc_t:file { getattr read }; >allow qmail_serialmail_t { resolv_conf_t etc_runtime_t }:file { getattr read }; >allow qmail_serialmail_t home_root_t:dir search; >allow qmail_serialmail_t user_home_dir_type:dir { search read getattr }; >rw_dir_create_file(qmail_serialmail_t, user_home_type) >allow qmail_serialmail_t self:fifo_file { read write }; >allow qmail_serialmail_t self:udp_socket create_socket_perms; >allow qmail_serialmail_t self:tcp_socket create_socket_perms; >allow qmail_serialmail_t privfd:fd use; >allow qmail_serialmail_t crond_t:fifo_file { read write ioctl }; >allow qmail_serialmail_t devtty_t:chr_file { read write }; > ># for tcpclient >can_exec(qmail_serialmail_t, bin_t) >allow qmail_serialmail_t bin_t:dir search; >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=21927">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 34674
:
21454
|
21455
| 21927 |
21928
