[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: New policy for Pop-before-smtp daemon



On Thursday 17 March 2005 00:19, David Hampton <hampton employees org> wrote:
> Here's a new policy to support the pop-before-smtp daemon from
> http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz .  I'd
> appreciate any feedback on these files or tips on how to write better
> policies.  Thanks.

All policy that you publish should use the proper locations of files as used 
in packaged software.  /usr/local is only for things that the administrator 
compiles themself and generally shouldn't appear in .fc files.

daemon_domain() has the domain_auto_trans() rule to allow running from 
initrc_t.

This daemon does not need two domains, just give it one, things will be a lot 
easier and no less secure.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
--- popb4smtp.te.old	2005-04-22 01:00:40.000000000 +1000
+++ popb4smtp.te	2005-04-22 01:03:34.000000000 +1000
@@ -14,7 +14,6 @@
 # popb4smtp_watch - Watch the pop log and update database
 #
 daemon_domain(popb4smtp_watch, `, privlog')
-domain_auto_trans(initrc_t, popb4smtp_watch_exec_t, popb4smtp_watch_t)
 
 # Read the logs and write the database
 r_dir_file(popb4smtp_watch_t, var_log_t)
@@ -24,7 +23,7 @@
 allow popb4smtp_watch_t {random_device_t urandom_device_t}:chr_file r_file_perms;
 
 # logging
-allow popb4smtp_watch_t self:unix_dgram_socket { connect create write };
+allow popb4smtp_watch_t self:unix_dgram_socket create_socket_perms;
 
 # Allow access for the MTA exim to do auth checks
 r_dir_file(mail_server_domain, popb4smtp_db_t)
@@ -34,7 +33,6 @@
 # popb4smtp_clean - Periodically clean database
 #
 daemon_domain(popb4smtp_clean, `, privlog')
-domain_auto_trans(initrc_t, popb4smtp_clean_exec_t, popb4smtp_clean_t)
 
 create_dir_file(popb4smtp_clean_t, popb4smtp_db_t)
 

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]