New policy for Pop-before-smtp daemon
David Hampton
hampton at employees.org
Wed Mar 16 13:19:07 UTC 2005
Here's a new policy to support the pop-before-smtp daemon from
http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz . I'd
appreciate any feedback on these files or tips on how to write better
policies. Thanks.
David
P.S. This policy is based on the selinux-policy-strict-sources-1.22.1-2
rpm on my FC3 system.
-------------- next part --------------
# popb4smtp
/usr/local/sbin/popb4smtp-watch -- system_u:object_r:popb4smtp_watch_exec_t
/usr/local/sbin/popb4smtp-clean -- system_u:object_r:popb4smtp_clean_exec_t
/var/db/popb4smtp(/.*)? system_u:object_r:popb4smtp_db_t
/var/run/popb4smtp-watch.pid -- system_u:object_r:popb4smtp_watch_var_run_t
/var/run/popb4smtp-clean.pid -- system_u:object_r:popb4smtp_clean_var_run_t
-------------- next part --------------
#DESC popb4smtp - SMTP mail authentication based upon POP logs
#
# Author: David Hampton <hampton at employees.org>
# Depends: mta.te
#
# This policy supports one of the two pop-before-smtp daemons
# references in the Exim v4 FAQ at http://www.exim.org. This daemon
# can be found at
# http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz
type popb4smtp_db_t, file_type, sysadmfile;
#
# popb4smtp_watch - Watch the pop log and update database
#
daemon_domain(popb4smtp_watch, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_watch_exec_t, popb4smtp_watch_t)
# Read the logs and write the database
r_dir_file(popb4smtp_watch_t, var_log_t)
create_dir_file(popb4smtp_watch_t, popb4smtp_db_t)
allow popb4smtp_watch_t sbin_t:dir search;
allow popb4smtp_watch_t {random_device_t urandom_device_t}:chr_file r_file_perms;
# logging
allow popb4smtp_watch_t self:unix_dgram_socket { connect create write };
# Allow access for the MTA exim to do auth checks
r_dir_file(mail_server_domain, popb4smtp_db_t)
#
# popb4smtp_clean - Periodically clean database
#
daemon_domain(popb4smtp_clean, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_clean_exec_t, popb4smtp_clean_t)
create_dir_file(popb4smtp_clean_t, popb4smtp_db_t)
allow popb4smtp_clean_t sbin_t:dir search;
allow popb4smtp_clean_t {random_device_t urandom_device_t}:chr_file r_file_perms;
# logging
allow popb4smtp_clean_t self:unix_dgram_socket { connect create write };
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050316/9da563d2/attachment.sig>
More information about the fedora-selinux-list
mailing list