[patch] refpolicy: exim policy fixes

Here are a handful of localized fixes to the Exim policy, based on SVN head
refpolicy and Debian Sid:

.fc:

- Debian uses a version-numbered naming scheme for exim binaries and
  directories; tolerate a trailing digit, e.g. "/var/lib/exim4".
- var_run_t labels a PID file if it's there, but not a directory.

.te:

- add missing fowner/chown perms by exim_t on itself
- grant readonly access to var_lib_t, to read runtime-generated conf
- grant read on /dev/{u,}random; Exim may use either depending on the context
  and how it was built
- dontaudit on reads to /proc/stat (read but not used, probably indirectly via
  a libc call)
- grant missing TCP send/recv to the SMTP & identd ports; grant missing SMTP
  connect (identd was already there)
- grant connect/sendrecv to LDAP, where the local mail accounts are often
  defined

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
Index: exim.te
===================================================================
--- exim.te	(revision 2617)
+++ exim.te	(working copy)
@@ -42,7 +42,7 @@
 # exim local policy
 #
 
-allow exim_t self:capability { dac_override dac_read_search setuid setgid };
+allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket create_stream_socket_perms;
 allow exim_t self:tcp_socket create_stream_socket_perms;
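Review bot: the `chown` and `fowner` capabilities added to the `allow exim_t self:capability` line are wider than the cover letter's "on itself" wording suggests; a capability grant is not scoped to exim_t's own objects, so `chown` lets exim_t change ownership of any file it can otherwise write. Please record in the commit message which operation produced the denial (which spool, log or PID file is being chowned) so the grant can be justified and, if possible, narrowed later, and add a one-line comment above the rule saying why Exim needs it.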
@@ -65,18 +65,30 @@
 manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
 files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
 
+files_read_var_lib_files(exim_t)
+
+dev_read_rand(exim_t)
+dev_read_urand(exim_t)
+
 kernel_read_kernel_sysctls(exim_t)
 
+kernel_dontaudit_read_system_state(exim_t)
+
 corecmd_search_bin(exim_t)
 
 corenet_all_recvfrom_unlabeled(exim_t)
 corenet_tcp_sendrecv_all_if(exim_t)
 corenet_tcp_sendrecv_all_nodes(exim_t)
 corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_sendrecv_smtp_port(exim_t)
+corenet_tcp_sendrecv_auth_port(exim_t)
+corenet_tcp_sendrecv_ldap_port(exim_t)
 corenet_tcp_bind_all_nodes(exim_t)
 corenet_tcp_bind_smtp_port(exim_t)
 corenet_tcp_bind_amavisd_send_port(exim_t)
 corenet_tcp_connect_auth_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_connect_ldap_port(exim_t)
 corenet_tcp_connect_inetd_child_port(exim_t)
 
 # Init script handling
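Review bot: the three added `corenet_tcp_sendrecv_smtp_port`, `corenet_tcp_sendrecv_auth_port` and `corenet_tcp_sendrecv_ldap_port` calls are redundant, because the unchanged `corenet_tcp_sendrecv_all_ports(exim_t)` two lines above already covers every port; either drop the three additions or, if the intent is to replace the blanket grant with per-port ones, remove `corenet_tcp_sendrecv_all_ports(exim_t)` instead. `files_read_var_lib_files(exim_t)` also grants read on every `var_lib_t` file system-wide rather than the Exim-generated configuration the cover letter describes; a dedicated type for Exim's own `/var/lib` directory (an `exim_var_lib_t`, hypothetical name, with a matching `.fc` entry) would keep the grant to that directory. The `corenet_tcp_connect_ldap_port(exim_t)` rule is only needed by sites with LDAP-backed accounts, so consider wrapping it in a tunable rather than granting it unconditionally.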
Index: exim.fc
===================================================================
--- exim.fc	(revision 2617)
+++ exim.fc	(working copy)
@@ -1,4 +1,5 @@
-/usr/sbin/exim		--	gen_context(system_u:object_r:exim_exec_t,s0)
-/var/log/exim(/.*)?		gen_context(system_u:object_r:exim_log_t,s0)
-/var/run/exim.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
-/var/spool/exim(/.*)?		gen_context(system_u:object_r:exim_spool_t,s0)
+/usr/sbin/exim[0-9]?		--	gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim[0-9]?(/.*)?		gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim[0-9]?\.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/run/exim[0-9]?(/.*)?	  	gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim[0-9]?(/.*)?		gen_context(system_u:object_r:exim_spool_t,s0)
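Review bot: the new `/var/run/exim[0-9]?(/.*)?` entry separates its path from `gen_context(...)` with a mix of tabs and spaces, while every other line in the file uses tabs only; align it with tabs to match the rest of the `.fc` file. The two `/var/run` patterns do not overlap (`/var/run/exim4.pid` cannot match `exim[0-9]?(/.*)?` because the optional group requires a leading slash), so the file-only `--` entry for the PID file remains unambiguous.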
