Attached is a new policy for the dkim-filter application. Chris, is the policy OK/ready for merge?
# dkim-filter file contexts (dkimfilter.fc).

# Daemon binary: entry point for the dkimfilter_t domain.
/usr/sbin/dkim-filter	--	gen_context(system_u:object_r:dkimfilter_exec_t,s0)

# DKIM signing keys. A dedicated type, so access to the key material can be
# limited to the daemon domain (and kept read-only there).
/var/db/dkim(/.*)?	gen_context(system_u:object_r:dkimfilter_private_key_t,s0)

# Runtime directory: pid file and the milter unix socket.
/var/run/dkim-filter(/.*)?	gen_context(system_u:object_r:dkimfilter_var_run_t,s0)
########################################
## <summary>
##	Connect to dkim-filter over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dkimfilter_stream_connect',`
	gen_require(`
		type dkimfilter_t, dkimfilter_var_run_t;
	')

	# The caller must be able to traverse /var/run to reach the socket directory.
	files_search_pids($1)

	# stream_connect_pattern grants only what a client needs: search on the
	# dkimfilter_var_run_t directory, write on the sock_file and connectto on
	# dkimfilter_t. No read/write access to the daemon's other runtime files.
	stream_connect_pattern($1, dkimfilter_var_run_t, dkimfilter_var_run_t, dkimfilter_t)
')
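policy_module(dkimfilter, 1.0.0)

########################################
#
# Declarations
#

# Daemon domain and the executable that transitions into it.
type dkimfilter_t;
type dkimfilter_exec_t;
init_daemon_domain(dkimfilter_t, dkimfilter_exec_t)

# Runtime directory (/var/run/dkim-filter): pid file and the milter socket.
type dkimfilter_var_run_t;
files_pid_file(dkimfilter_var_run_t)

# DKIM signing keys (/var/db/dkim). Kept as a dedicated type so that no other
# domain is granted access by default, and so the daemon's own access can be
# limited to read-only below.
type dkimfilter_private_key_t;
files_type(dkimfilter_private_key_t)

########################################
#
# Local policy
#

# setuid/setgid: presumably used to switch to an unprivileged user/group after
# start-up — confirm against the daemon's configuration.
allow dkimfilter_t self:capability { setgid setuid };

# Signing keys are read-only for the daemon: a compromised dkimfilter_t cannot
# create, overwrite or remove key material.
read_files_pattern(dkimfilter_t, dkimfilter_private_key_t, dkimfilter_private_key_t)

# Pid file and listening socket under the runtime directory.
manage_files_pattern(dkimfilter_t, dkimfilter_var_run_t, dkimfilter_var_run_t)
manage_sock_files_pattern(dkimfilter_t, dkimfilter_var_run_t, dkimfilter_var_run_t)
# Objects the daemon creates directly under /var/run (the runtime directory
# itself, the pid file, the socket) are labeled dkimfilter_var_run_t instead
# of inheriting the generic pid type, which the rules above do not cover.
files_pid_filetrans(dkimfilter_t, dkimfilter_var_run_t, { dir file sock_file })

# Randomness source (used for signing/nonces).
dev_read_urand(dkimfilter_t)

files_read_etc_files(dkimfilter_t)

kernel_read_kernel_sysctls(dkimfilter_t)

libs_read_lib_files(dkimfilter_t)

logging_send_syslog_msg(dkimfilter_t)

miscfiles_read_localization(dkimfilter_t)

# DNS lookups (DKIM public keys and policy records are published in DNS).
sysnet_dns_name_resolve(dkimfilter_t)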
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index f3f0d44..c102ecb 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -130,6 +130,10 @@ optional_policy(`
 	udev_read_db(sendmail_t)
 ')
 
+optional_policy(`
+	dkimfilter_stream_connect(sendmail_t)
+')
+
 ifdef(`TODO',`
 	allow sendmail_t etc_mail_t:dir rw_dir_perms;
 	allow sendmail_t etc_mail_t:file manage_file_perms;
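Review bot: The new `optional_policy(\` dkimfilter_stream_connect(sendmail_t) ')` block is placed after the udev block, whereas refpolicy keeps optional_policy blocks in alphabetical order by module, so it belongs earlier in sendmail.te, before the udev block. Privilege-wise the grant looks appropriately narrow: sendmail_t gains only search on the pid directory, write on the milter socket file and connectto on dkimfilter_t, with no access to the daemon's other runtime files or its keys. If dkim-filter is deployed with an inet milter socket instead of the unix socket, this rule does not cover that path and a separate port rule would be needed; that depends on the configuration rather than on this hunk. The `ifdef(\`TODO'` block that follows is opened here but closes outside the hunk.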