From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 1195B138010 for ; Tue, 2 Oct 2012 18:23:39 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 2C21D21C00E; Tue, 2 Oct 2012 18:11:18 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id DE65A21C011 for ; Tue, 2 Oct 2012 18:11:12 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 36B0F33D383 for ; Tue, 2 Oct 2012 18:11:03 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 863E5E5451 for ; Tue, 2 Oct 2012 18:11:00 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201153.96b4fba13ba34b1a70bbf39a8a374e34712d8bab.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/fetchmail.fc policy/modules/contrib/fetchmail.if policy/modules/contrib/fetchmail.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 96b4fba13ba34b1a70bbf39a8a374e34712d8bab X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:00 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 926806e9-633b-44d8-8102-c90b9fe695ef X-Archives-Hash: 0e32ca8bf56a1776a802479cb09b8601 commit: 96b4fba13ba34b1a70bbf39a8a374e34712d8bab Author: Dominick Grift gmail com> AuthorDate: Mon Oct 1 07:52:36 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:05:53 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=96b4fba1 Changes to the fetchmail policy module Ported from Fedora with changes Added init script file type Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/fetchmail.fc | 22 +++++++------------ policy/modules/contrib/fetchmail.if | 20 ++++++++++++++--- policy/modules/contrib/fetchmail.te | 40 ++++++++++++++++------------------ 3 files changed, 43 insertions(+), 39 deletions(-)
diff --git a/policy/modules/contrib/fetchmail.fc b/policy/modules/contrib/fetchmail.fc
index 39928d5..5e3e57c 100644
--- a/policy/modules/contrib/fetchmail.fc
+++ b/policy/modules/contrib/fetchmail.fc
@@ -1,19 +1,13 @@
+HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
-#
-# /etc
-#
+/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
-/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
+/etc/rc\.d/init\.d/fetchmail -- gen_context(system_u:object_r:fetchmail_initrc_exec_t,s0)
-#
-# /usr
-#
+/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0)
-/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0)
+/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
-#
-# /var
-#
-/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
-/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
-/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+
+/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
index 6537214..6ed7490 100644
--- a/policy/modules/contrib/fetchmail.if
+++ b/policy/modules/contrib/fetchmail.if
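Review bot: `/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)` labels only the regular files below /var/run/fetchmail, so on a relabel the directory itself falls back to the generic /var/run label and the `files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)` rule in fetchmail.te is the only thing that ever gives it the private type; the usual refpolicy form `/var/run/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_var_run_t,s0)` covers the directory and its contents together. `/etc/rc\.d/init\.d/fetchmail` is the path that came with the Fedora port; if this tree installs the init script elsewhere, `fetchmail_initrc_exec_t` would never be applied and the `init_labeled_script_domtrans` added to `fetchmail_admin` would have nothing to match, so the local init-script path should be confirmed and added if it differs.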
@@ -1,28 +1,40 @@
-## Remote-mail retrieval and forwarding utility
+## Remote-mail retrieval and forwarding utility.
 ########################################
 ##
-## All of the rules required to administrate
-## an fetchmail environment
+## All of the rules required to
+## administrate an fetchmail environment.
 ##
 ##
 ##
 ## Domain allowed access.
 ##
 ##
+##
+##
+## Role allowed access.
+##
+##
 ##
 #
 interface(`fetchmail_admin',`
 gen_require(`
 type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
- type fetchmail_var_run_t;
+ type fetchmail_var_run_t, fetchmail_initrc_exec_t;
 ')
+ init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fetchmail_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 fetchmail_t:process { ptrace signal_perms };
 ps_process_pattern($1, fetchmail_t)
 files_list_etc($1)
 admin_pattern($1, fetchmail_etc_t)
+ files_search_var_lib($1)
 admin_pattern($1, fetchmail_uidl_cache_t)
 files_list_pids($1)
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index ac6626e..e4706e2 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.12.0)
+policy_module(fetchmail, 1.12.1)
 ########################################
 #
@@ -10,12 +10,18 @@ type fetchmail_exec_t;
 init_daemon_domain(fetchmail_t, fetchmail_exec_t)
 application_executable_file(fetchmail_exec_t)
-type fetchmail_var_run_t;
-files_pid_file(fetchmail_var_run_t)
+type fetchmail_initrc_exec_t;
+init_script_file(fetchmail_initrc_exec_t)
 type fetchmail_etc_t;
 files_config_file(fetchmail_etc_t)
+type fetchmail_home_t;
+userdom_user_home_content(fetchmail_home_t)
+
+type fetchmail_var_run_t;
+files_pid_file(fetchmail_var_run_t)
+
 type fetchmail_uidl_cache_t;
 files_type(fetchmail_uidl_cache_t)
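Review bot: `files_search_var_lib($1)` gives the admin domain a path to the `/var/lib/fetchmail` cache, but fetchmail.fc also labels `/var/mail/\.fetchmail-UIDL-cache` as `fetchmail_uidl_cache_t`, and nothing in this hunk lets `$1` search the mail spool directory to reach that file. If `fetchmail_admin` is meant to manage that copy of the UIDL cache as well, a spool search call from the mta module belongs next to `files_search_var_lib($1)`, paired with the existing `admin_pattern($1, fetchmail_uidl_cache_t)`. The added `allow $1 fetchmail_t:process { ptrace signal_perms };` follows the refpolicy admin-interface convention, but ptrace lets the admin domain read the running daemon's memory, which presumably holds whatever secrets it loaded from `fetchmail_etc_t` and `fetchmail_home_t`, so assignment of this interface to roles should be deliberate. The body of fetchmail_admin continues past the end of the hunk.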
@@ -26,20 +32,18 @@ files_type(fetchmail_uidl_cache_t)
 dontaudit fetchmail_t self:capability sys_tty_config;
 allow fetchmail_t self:process { signal_perms setrlimit };
-allow fetchmail_t self:unix_dgram_socket create_socket_perms;
-allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
-allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
-allow fetchmail_t self:tcp_socket create_socket_perms;
-allow fetchmail_t self:udp_socket create_socket_perms;
+allow fetchmail_t self:unix_stream_socket { accept listen };
 allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
 manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
 manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
 kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
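Review bot: Dropping the `self:tcp_socket`, `self:udp_socket` and `self:netlink_route_socket` rules leaves this hunk with no explicit socket-creation permission for fetchmail_t at all; the only self rule left is `allow fetchmail_t self:unix_stream_socket { accept listen };`, so the domain presumably relies on `auth_use_nsswitch(fetchmail_t)`, added in a later hunk, to pull those permissions in through the name-resolution interfaces. That coupling is invisible here and will surprise whoever next trims the nsswitch call, so a comment at the remaining self rule would record it: `# tcp/udp/netlink_route socket creation is granted via auth_use_nsswitch()`. The narrowing of `files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)` is consistent with fetchmail.fc, which only labels entries below /var/run/fetchmail/ and no pid file directly under /var/run.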
@@ -47,28 +51,22 @@ kernel_getattr_proc_files(fetchmail_t)
 kernel_read_proc_symlinks(fetchmail_t)
 kernel_dontaudit_read_system_state(fetchmail_t)
-#looks like it uses system command - calls uname
 corecmd_exec_bin(fetchmail_t)
 corecmd_exec_shell(fetchmail_t)
 corenet_all_recvfrom_unlabeled(fetchmail_t)
 corenet_all_recvfrom_netlabel(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
-corenet_udp_sendrecv_generic_if(fetchmail_t)
 corenet_tcp_sendrecv_generic_node(fetchmail_t)
-corenet_udp_sendrecv_generic_node(fetchmail_t)
-corenet_tcp_sendrecv_dns_port(fetchmail_t)
-corenet_udp_sendrecv_dns_port(fetchmail_t)
-corenet_tcp_sendrecv_pop_port(fetchmail_t)
-corenet_tcp_sendrecv_smtp_port(fetchmail_t)
-corenet_tcp_connect_all_ports(fetchmail_t)
+corenet_tcp_sendrecv_all_ports(fetchmail_t)
+
 corenet_sendrecv_all_client_packets(fetchmail_t)
+corenet_tcp_connect_all_ports(fetchmail_t)
 dev_read_sysfs(fetchmail_t)
 dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
-files_read_etc_files(fetchmail_t)
 files_read_etc_runtime_files(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
@@ -77,15 +75,15 @@ fs_search_auto_mountpoints(fetchmail_t)
 domain_use_interactive_fds(fetchmail_t)
+auth_use_nsswitch(fetchmail_t)
+
 logging_send_syslog_msg(fetchmail_t)
 miscfiles_read_localization(fetchmail_t)
 miscfiles_read_generic_certs(fetchmail_t)
-sysnet_read_config(fetchmail_t)
-
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+userdom_search_user_home_dirs(fetchmail_t)
 optional_policy(`
 procmail_domtrans(fetchmail_t)
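Review bot: In the first hunk, replacing the dns/pop/smtp-specific `corenet_tcp_sendrecv_*_port` calls with `corenet_tcp_sendrecv_all_ports(fetchmail_t)` widens fetchmail_t's labeled-port reach well beyond the mail and name-service ports it needs; combined with `corenet_tcp_connect_all_ports(fetchmail_t)`, which was already present and is only moved, the domain can now exchange traffic with any TCP port. If that is the intended trade-off (mail servers on non-standard ports are common), a one-line comment above the call such as `# mail servers are commonly run on arbitrary ports, hence no port-specific rules` would record the decision; otherwise keeping explicit port rules is the tighter choice. The removed udp `corenet_udp_sendrecv_*` rules appear to be replaced by what `auth_use_nsswitch(fetchmail_t)` provides in the second hunk, which is worth confirming against that interface. The second hunk (`@@ -77,15 +75,15 @@`) runs past the end of the visible text and is not reviewed here.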