From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id BB5D1138200 for ; Thu, 27 Sep 2012 18:07:35 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 24F9421C0B7; Thu, 27 Sep 2012 18:05:18 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id D399121C0B7 for ; Thu, 27 Sep 2012 18:05:17 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id CC43A33D742 for ; Thu, 27 Sep 2012 18:05:16 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id B5638E5455 for ; Thu, 27 Sep 2012 18:05:14 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1348768514.e6dd59dd7be416a1fbc538f9776c5e5179132526.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/cyrus.fc policy/modules/contrib/cyrus.if policy/modules/contrib/cyrus.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: e6dd59dd7be416a1fbc538f9776c5e5179132526 X-VCS-Branch: master Date: Thu, 27 Sep 2012 18:05:14 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: d40babb9-df40-4eaf-b88a-d65185757fcd X-Archives-Hash: 3f42479c7477a8ef2187217c5e3da357 commit: e6dd59dd7be416a1fbc538f9776c5e5179132526 Author: Dominick Grift gmail com> AuthorDate: Wed Sep 26 11:00:47 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Thu Sep 27 17:55:14 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e6dd59dd Changes to the cyrus policy module Ported from Fedora with changes Make file context catch cyrus-imapd for init script Add file context for cyrus pid file and socket in /var/run Module clean up Signed-off-by: Dominick Grift gmail.com> Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/contrib/cyrus.fc | 11 +++++--- policy/modules/contrib/cyrus.if | 15 ++++++----- policy/modules/contrib/cyrus.te | 47 ++++++++++++++++---------------------- 3 files changed, 35 insertions(+), 38 deletions(-) diff --git a/policy/modules/contrib/cyrus.fc b/policy/modules/contrib/cyrus.fc index 8f99a5a..ca70600 100644 --- a/policy/modules/contrib/cyrus.fc +++ b/policy/modules/contrib/cyrus.fc 
@@ -1,7 +1,10 @@ -/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) +/etc/rc\.d/init\.d/cyrus.* -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) -/usr/lib/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0) +/usr/lib/cyrus/master -- gen_context(system_u:object_r:cyrus_exec_t,s0) /usr/lib/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) -/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) -/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) +/var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) + +/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) + +/var/run/cyrus.* gen_context(system_u:object_r:cyrus_var_run_t,s0) diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if index e4e86d0..6508280 100644 --- a/policy/modules/contrib/cyrus.if +++ b/policy/modules/contrib/cyrus.if @@ -1,9 +1,9 @@ -## Cyrus is an IMAP service intended to be run on sealed servers +## Cyrus is an IMAP service intended to be run on sealed servers. ######################################## ## -## Allow caller to create, read, write, -## and delete cyrus data files. +## Create, read, write, and delete +## cyrus data files. ## ## ## @@ -22,7 +22,8 @@ interface(`cyrus_manage_data',` ######################################## ## -## Connect to Cyrus using a unix domain stream socket. +## Connect to Cyrus using a unix +## domain stream socket. ## ## ## @@ -41,8 +42,8 @@ interface(`cyrus_stream_connect',` ######################################## ## -## All of the rules required to administrate -## an cyrus environment +## All of the rules required to +## administrate an cyrus environment. ## ## ## @@ -51,7 +52,7 @@ interface(`cyrus_stream_connect',` ## ## ## -## The role to be allowed to manage the cyrus domain. +## Role allowed access. ## ## ## 
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te index 097fdcc..93ddb95 100644 --- a/policy/modules/contrib/cyrus.te +++ b/policy/modules/contrib/cyrus.te @@ -1,4 +1,4 @@ -policy_module(cyrus, 1.12.0) +policy_module(cyrus, 1.12.1) ######################################## # @@ -37,22 +37,18 @@ allow cyrus_t self:shm create_shm_perms; allow cyrus_t self:sem create_sem_perms; allow cyrus_t self:msgq create_msgq_perms; allow cyrus_t self:msg { send receive }; -allow cyrus_t self:unix_dgram_socket create_socket_perms; -allow cyrus_t self:unix_stream_socket create_stream_socket_perms; allow cyrus_t self:unix_dgram_socket sendto; -allow cyrus_t self:unix_stream_socket connectto; -allow cyrus_t self:tcp_socket create_stream_socket_perms; -allow cyrus_t self:udp_socket create_socket_perms; +allow cyrus_t self:unix_stream_socket { accept connectto listen }; +allow cyrus_t self:tcp_socket { accept listen }; manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) -files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir }) +files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file }) manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -files_pid_filetrans(cyrus_t, cyrus_var_run_t, file) manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) 
@@ -65,37 +61,40 @@ kernel_read_all_sysctls(cyrus_t) corenet_all_recvfrom_unlabeled(cyrus_t) corenet_all_recvfrom_netlabel(cyrus_t) corenet_tcp_sendrecv_generic_if(cyrus_t) -corenet_udp_sendrecv_generic_if(cyrus_t) corenet_tcp_sendrecv_generic_node(cyrus_t) -corenet_udp_sendrecv_generic_node(cyrus_t) corenet_tcp_sendrecv_all_ports(cyrus_t) -corenet_udp_sendrecv_all_ports(cyrus_t) corenet_tcp_bind_generic_node(cyrus_t) + +corenet_sendrecv_mail_server_packets(cyrus_t) corenet_tcp_bind_mail_port(cyrus_t) + +corenet_sendrecv_lmtp_server_packets(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) + +corenet_sendrecv_pop_server_packets(cyrus_t) corenet_tcp_bind_pop_port(cyrus_t) + +corenet_sendrecv_sieve_server_packets(cyrus_t) corenet_tcp_bind_sieve_port(cyrus_t) -corenet_tcp_connect_all_ports(cyrus_t) -corenet_sendrecv_mail_server_packets(cyrus_t) -corenet_sendrecv_pop_server_packets(cyrus_t) -corenet_sendrecv_lmtp_server_packets(cyrus_t) + corenet_sendrecv_all_client_packets(cyrus_t) +corenet_tcp_connect_all_ports(cyrus_t) + +corecmd_exec_bin(cyrus_t) dev_read_rand(cyrus_t) dev_read_urand(cyrus_t) dev_read_sysfs(cyrus_t) -fs_getattr_all_fs(cyrus_t) -fs_search_auto_mountpoints(cyrus_t) - -corecmd_exec_bin(cyrus_t) - domain_use_interactive_fds(cyrus_t) files_list_var_lib(cyrus_t) -files_read_etc_files(cyrus_t) files_read_etc_runtime_files(cyrus_t) files_read_usr_files(cyrus_t) +files_dontaudit_write_usr_dirs(cyrus_t) + +fs_getattr_all_fs(cyrus_t) +fs_search_auto_mountpoints(cyrus_t) auth_use_nsswitch(cyrus_t) @@ -106,8 +105,6 @@ logging_send_syslog_msg(cyrus_t) miscfiles_read_localization(cyrus_t) miscfiles_read_generic_certs(cyrus_t) -sysnet_read_config(cyrus_t) - userdom_use_unpriv_users_fds(cyrus_t) userdom_dontaudit_search_user_home_dirs(cyrus_t) @@ -123,10 +120,6 @@ optional_policy(` ') optional_policy(` - ldap_stream_connect(cyrus_t) -') - -optional_policy(` sasl_connect(cyrus_t) ')
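Review bot: in the cyrus.fc hunk, the new `/var/run/cyrus.*` entry has no file-type field and its `.*` also matches `/`, so it labels every object under /var/run whose name starts with `cyrus`, directories and everything beneath them included, while the same commit drops `files_pid_filetrans(cyrus_t, cyrus_var_run_t, file)` from cyrus.te. A pid file or socket that the running daemon creates directly in /var/run will then inherit the parent directory's type instead of cyrus_var_run_t and only receive this label on a relabel; either keep the filetrans rule or state in the commit message that the pid file and socket are created inside an already-labelled directory. The widened `/etc/rc\.d/init\.d/cyrus.*` likewise matches any init script beginning with `cyrus`, not just `cyrus-imapd`; if only those two names are intended, `cyrus(-imapd)?` is tighter.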
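Review bot: the reflowed description in the cyrus.if hunk at `@@ -41,8 +42,8 @@` still reads "administrate an cyrus environment"; since the hunk already rewraps that sentence, fix the article while touching it: `## administrate a cyrus environment.`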
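Review bot: the cyrus.te hunk at `@@ -37,22 +37,18 @@` removes create_socket_perms / create_stream_socket_perms on self:unix_dgram_socket, self:unix_stream_socket, self:tcp_socket and self:udp_socket but keeps `sendto` and adds `{ accept connectto listen }` and `{ accept listen }`, which leaves cyrus_t with listen/accept/connect permissions and no visible permission to create or bind those sockets. That is only correct if other interfaces supply them: auth_use_nsswitch(cyrus_t), which stays in the module, is the usual source of tcp/udp socket create permissions and logging_send_syslog_msg(cyrus_t) of the dgram socket, but nothing visible here grants create or bind on self:unix_stream_socket, which the daemon needs for the unix-domain socket that cyrus_stream_connect() lets clients reach. Please confirm with `sesearch -A -s cyrus_t -c unix_stream_socket` on the built policy (or a permissive run) before merging, and mention the reliance on auth_use_nsswitch in the commit message rather than just "Module clean up".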
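Review bot: in the hunk at `@@ -65,37 +61,40 @@`, `files_dontaudit_write_usr_dirs(cyrus_t)` is added with no comment saying which write to /usr it silences; dontaudit rules hide denials from the audit log, so either name the trigger in a comment above the line or leave the denial visible until it is understood. In the same hunk `files_read_etc_files(cyrus_t)` is dropped although cyrus still reads its configuration under /etc, so this too depends on auth_use_nsswitch(cyrus_t) supplying generic etc reads (as it does in refpolicy for nsswitch.conf) and deserves a line in the commit message. Since the module is being cleaned up anyway, `corenet_tcp_connect_all_ports(cyrus_t)`, which is only moved here, merits a second look: connecting to every TCP port is far broader than a mail server needs, and sasl_connect() and auth_use_nsswitch() already cover the backends visible in this module.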
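Review bot: the removal of `sysnet_read_config(cyrus_t)` in the hunk at `@@ -106,8 +105,6 @@` and of the optional `ldap_stream_connect(cyrus_t)` in the last hunk are only safe because auth_use_nsswitch(cyrus_t) remains and, in refpolicy, pulls in sysnet_dns_name_resolve() and sysnet_use_ldap(), which provide the network config reads and the LDAP socket connect respectively. Nothing in the commit message records this, so the next reader is likely to re-add both; add a sentence saying they are now provided through auth_use_nsswitch, and verify on the built module with `sesearch -A -s cyrus_t -t net_conf_t -c file` and `sesearch -A -s cyrus_t -c unix_stream_socket -p connectto`.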