On Thursday 17 March 2005 00:19, David Hampton <hampton@xxxxxxxxxxxxx> wrote:
> Here's a new policy to support the pop-before-smtp daemon from
> http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz . I'd
> appreciate any feedback on these files or tips on how to write better
> policies. Thanks.

All policy that you publish should use the proper locations of files as used in packaged software. /usr/local is only for things that the administrator compiles themselves and generally shouldn't appear in .fc files.

daemon_domain() has the domain_auto_trans() rule to allow running from initrc_t. This daemon does not need two domains, just give it one, things will be a lot easier and no less secure.

-- 
http://www.coker.com.au/selinux/    My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/   Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/     Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/   My home page
--- popb4smtp.te.old 2005-04-22 01:00:40.000000000 +1000 +++ popb4smtp.te 2005-04-22 01:03:34.000000000 +1000 @@ -14,7 +14,6 @@ # popb4smtp_watch - Watch the pop log and update database # daemon_domain(popb4smtp_watch, `, privlog') -domain_auto_trans(initrc_t, popb4smtp_watch_exec_t, popb4smtp_watch_t) # Read the logs and write the database r_dir_file(popb4smtp_watch_t, var_log_t) @@ -24,7 +23,7 @@ allow popb4smtp_watch_t {random_device_t urandom_device_t}:chr_file r_file_perms; # logging -allow popb4smtp_watch_t self:unix_dgram_socket { connect create write }; +allow popb4smtp_watch_t self:unix_dgram_socket create_socket_perms; # Allow access for the MTA exim to do auth checks r_dir_file(mail_server_domain, popb4smtp_db_t) @@ -34,7 +33,6 @@ # popb4smtp_clean - Periodically clean database # daemon_domain(popb4smtp_clean, `, privlog') -domain_auto_trans(initrc_t, popb4smtp_clean_exec_t, popb4smtp_clean_t) create_dir_file(popb4smtp_clean_t, popb4smtp_db_t)
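Review bot: dropping `domain_auto_trans(initrc_t, popb4smtp_watch_exec_t, popb4smtp_watch_t)` in the first hunk (@@ -14,7 +14,6 @@) is only correct because the daemon_domain() macro in this policy tree already emits that transition, as the reply states; without it the watcher would keep running in initrc_t. A one-line comment above `daemon_domain(popb4smtp_watch, `, privlog')` saying that the initrc_t transition comes from the macro would stop the duplicate rule from being re-added later.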
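Review bot: `create_socket_perms` in the second hunk (@@ -24,7 +23,7 @@) widens the permission set well past the `{ connect create write }` it replaces, since that macro also grants read, ioctl, getattr, setattr, append, bind, getopt, setopt and shutdown. Because the object is `self:unix_dgram_socket` the exposure is small and this is the usual idiom for a domain's own syslog socket, but the `# logging` comment should say the wider set is deliberate; note also that this rule only covers the domain's own socket and that delivery to syslogd is what the privlog attribute passed to daemon_domain() on the earlier line is for.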
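Review bot: the third hunk (@@ -34,7 +33,6 @@) removes the duplicate transition for popb4smtp_clean_t but leaves the second domain in place, while the reply argues that a single domain is enough and no less secure. If the split is kept, the `# popb4smtp_clean - Periodically clean database` comment block should state what isolating popb4smtp_clean_t (which only needs `create_dir_file(popb4smtp_clean_t, popb4smtp_db_t)`) from popb4smtp_watch_t actually buys; otherwise fold both programs into one domain with one exec type.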
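The single-domain layout the reply recommends, written out as an added illustration in the same pre-reference-policy macro style the patch uses. This is not David Hampton's policy or part of the thread: the merged names popb4smtp_t and popb4smtp_exec_t, the `type popb4smtp_db_t` declaration and the `sysadmfile` attribute are assumptions; the macros and the other types (var_log_t, random_device_t, urandom_device_t, mail_server_domain, privlog) are the ones visible in the posted diff.

```m4
#
# popb4smtp - one domain for both the log watcher and the database cleaner
# (added illustration; popb4smtp_t, popb4smtp_exec_t and the db type
#  declaration are assumed, not taken from the posted policy)
#
# daemon_domain() declares popb4smtp_t and popb4smtp_exec_t and already
# contains the domain_auto_trans() from initrc_t, so no separate
# transition rule is written here.
daemon_domain(popb4smtp, `, privlog')

# Database files shared by the watcher and the cleaner (assumed declaration).
type popb4smtp_db_t, file_type, sysadmfile;

# Read the pop log and maintain the database; the cleaner needs the same
# create/unlink access on popb4smtp_db_t, so one rule set covers both.
r_dir_file(popb4smtp_t, var_log_t)
create_dir_file(popb4smtp_t, popb4smtp_db_t)

# Random device access, carried over from the posted policy.
allow popb4smtp_t { random_device_t urandom_device_t }:chr_file r_file_perms;

# Logging: the domain's own syslog socket; delivery to syslogd comes from
# the privlog attribute passed to daemon_domain() above.
allow popb4smtp_t self:unix_dgram_socket create_socket_perms;

# Allow the MTA (exim) to read the database for its auth checks.
r_dir_file(mail_server_domain, popb4smtp_db_t)
```

With one domain, the .fc file labels both executables popb4smtp_exec_t at their packaged paths (under /usr/sbin or /usr/bin rather than /usr/local, per the reply), and the cleaner no longer needs its own exec type or transition.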
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list