Here's a new policy to support the pop-before-smtp daemon from http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz . I'd appreciate any feedback on these files or tips on how to write better policies. Thanks.

David

P.S. This policy is based on the selinux-policy-strict-sources-1.22.1-2 rpm on my FC3 system.
# popb4smtp
/usr/local/sbin/popb4smtp-watch   --  system_u:object_r:popb4smtp_watch_exec_t
/usr/local/sbin/popb4smtp-clean   --  system_u:object_r:popb4smtp_clean_exec_t
/var/db/popb4smtp(/.*)?               system_u:object_r:popb4smtp_db_t
/var/run/popb4smtp-watch.pid      --  system_u:object_r:popb4smtp_watch_var_run_t
/var/run/popb4smtp-clean.pid      --  system_u:object_r:popb4smtp_clean_var_run_t
#DESC popb4smtp - SMTP mail authentication based upon POP logs
#
# Author: David Hampton <hampton@xxxxxxxxxxxxx>
# Depends: mta.te
#
# This policy supports one of the two pop-before-smtp daemons
# referenced in the Exim v4 FAQ at http://www.exim.org. This daemon
# can be found at
# http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz

type popb4smtp_db_t, file_type, sysadmfile;

#
# popb4smtp_watch - Watch the pop log and update database
#
daemon_domain(popb4smtp_watch, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_watch_exec_t, popb4smtp_watch_t)

# Read the logs and write the database
r_dir_file(popb4smtp_watch_t, var_log_t)
create_dir_file(popb4smtp_watch_t, popb4smtp_db_t)
allow popb4smtp_watch_t sbin_t:dir search;
allow popb4smtp_watch_t { random_device_t urandom_device_t }:chr_file r_file_perms;

# logging
allow popb4smtp_watch_t self:unix_dgram_socket { connect create write };

# Allow access for the MTA exim to do auth checks
r_dir_file(mail_server_domain, popb4smtp_db_t)

#
# popb4smtp_clean - Periodically clean database
#
daemon_domain(popb4smtp_clean, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_clean_exec_t, popb4smtp_clean_t)
create_dir_file(popb4smtp_clean_t, popb4smtp_db_t)
allow popb4smtp_clean_t sbin_t:dir search;
allow popb4smtp_clean_t { random_device_t urandom_device_t }:chr_file r_file_perms;

# logging
allow popb4smtp_clean_t self:unix_dgram_socket { connect create write };
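As a review aid for the policy above (an added script, not part of the posted policy or of the popb4smtp project), the following expands the file rules into a per-type access matrix so a reviewer can confirm that only the two daemons can modify popb4smtp_db_t while the MTA's mail_server_domain gets read access alone. The expansions of r_dir_file and create_dir_file to dir/file permission sets are an assumption based on the strict-policy macros of that era, and the POLICY string is a constructed excerpt of the rules shown above.

```python
import re
from collections import defaultdict
# Constructed excerpt of the posted popb4smtp.te: the rules that touch files.
POLICY = """
r_dir_file(popb4smtp_watch_t, var_log_t)
create_dir_file(popb4smtp_watch_t, popb4smtp_db_t)
allow popb4smtp_watch_t sbin_t:dir search;
allow popb4smtp_watch_t {random_device_t urandom_device_t}:chr_file r_file_perms;
allow popb4smtp_watch_t self:unix_dgram_socket { connect create write };
r_dir_file(mail_server_domain, popb4smtp_db_t)
create_dir_file(popb4smtp_clean_t, popb4smtp_db_t)
"""
# Assumed expansions of the two file macros (strict-policy convention of the
# time): macro name -> [(object class, permission-set name)].
MACROS = {"r_dir_file": [("dir", "r_dir_perms"), ("file", "r_file_perms")],
          "create_dir_file": [("dir", "create_dir_perms"), ("file", "create_file_perms")]}
WRITE_SETS = {"create_dir_perms", "create_file_perms"}
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+);")
MACRO_RE = re.compile(r"^(\w+)\((\w+),\s*(\w+)\)")

def _split(tok):  # '{a b}' -> ['a', 'b'], 'a' -> ['a']
    return tok.strip("{} ").split() if tok.startswith("{") else [tok]

def access_matrix(policy_text):
    """target type -> source domain -> {(object class, perms)} over the allow
    rules and the two file macros above; other macros are ignored."""
    matrix = defaultdict(lambda: defaultdict(set))
    for line in policy_text.splitlines():
        line = line.strip()
        m = ALLOW_RE.match(line)
        if m:
            src, tgts, cls, perms = m.groups()
            for t in _split(tgts):
                matrix[t][src].add((cls, " ".join(_split(perms))))
            continue
        m = MACRO_RE.match(line)
        if m and m.group(1) in MACROS:
            for cls, perms in MACROS[m.group(1)]:
                matrix[m.group(3)][m.group(2)].add((cls, perms))
    return matrix

def writers(matrix, target):
    """Domains holding a write-capable rule on `target`."""
    return sorted(src for src, rules in matrix.get(target, {}).items()
                  if any(p in WRITE_SETS or "write" in p.split() for _, p in rules))

def readers_only(matrix, target):
    """Domains that can reach `target` but hold no write-capable rule on it."""
    return sorted(set(matrix.get(target, {})) - set(writers(matrix, target)))
```

Running access_matrix(POLICY) and querying popb4smtp_db_t lists the two daemon domains as writers and mail_server_domain as read-only, which is the intended trust boundary between the MTA and the database.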