New policy for Pop-before-smtp daemon

David Hampton hampton at employees.org
Wed Mar 16 13:19:07 UTC 2005


Here's a new policy to support the pop-before-smtp daemon from
http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz .  I'd
appreciate any feedback on these files or tips on how to write better
policies.  Thanks.

David

P.S.  This policy is based on the selinux-policy-strict-sources-1.22.1-2
rpm on my FC3 system.
-------------- next part --------------
# popb4smtp
/usr/local/sbin/popb4smtp-watch		--	system_u:object_r:popb4smtp_watch_exec_t
/usr/local/sbin/popb4smtp-clean		--	system_u:object_r:popb4smtp_clean_exec_t
/var/db/popb4smtp(/.*)?				system_u:object_r:popb4smtp_db_t
/var/run/popb4smtp-watch.pid		--	system_u:object_r:popb4smtp_watch_var_run_t
/var/run/popb4smtp-clean.pid		--	system_u:object_r:popb4smtp_clean_var_run_t
-------------- next part --------------
#DESC popb4smtp - SMTP mail authentication based upon POP logs
#
# Author:  David Hampton <hampton at employees.org>
# Depends: mta.te
#
# This policy supports one of the two pop-before-smtp daemons
# referenced in the Exim v4 FAQ at http://www.exim.org.  This daemon
# can be found at
# http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz

# Database of clients that recently authenticated to POP: written by the
# two daemons below, read by the MTA for its auth checks
type popb4smtp_db_t, file_type, sysadmfile;

#
# popb4smtp_watch - Watch the pop log and update database
#
daemon_domain(popb4smtp_watch, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_watch_exec_t, popb4smtp_watch_t)

# Read the logs and write the database
r_dir_file(popb4smtp_watch_t, var_log_t)
create_dir_file(popb4smtp_watch_t, popb4smtp_db_t)

# Search /usr/local/sbin; read entropy from /dev/random and /dev/urandom
allow popb4smtp_watch_t sbin_t:dir search;
allow popb4smtp_watch_t {random_device_t urandom_device_t}:chr_file r_file_perms;

# logging: privlog (passed to daemon_domain above) covers talking to
# syslogd; this is the daemon's own socket for it
allow popb4smtp_watch_t self:unix_dgram_socket { connect create write };

# Allow access for the MTA exim to do auth checks
r_dir_file(mail_server_domain, popb4smtp_db_t)


#
# popb4smtp_clean - Periodically clean database
#
daemon_domain(popb4smtp_clean, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_clean_exec_t, popb4smtp_clean_t)

# Read and prune the database
create_dir_file(popb4smtp_clean_t, popb4smtp_db_t)

# Search /usr/local/sbin; read entropy from /dev/random and /dev/urandom
allow popb4smtp_clean_t sbin_t:dir search;
allow popb4smtp_clean_t {random_device_t urandom_device_t}:chr_file r_file_perms;

# logging: privlog covers talking to syslogd, as for popb4smtp_watch_t
allow popb4smtp_clean_t self:unix_dgram_socket { connect create write };
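An added example, not part of David's post or of the popb4smtp package: a small
Python matcher that applies the file_contexts entries above the way setfiles
does (each regex anchored at both ends, an optional object-class qualifier
such as `--`, last matching entry wins), so you can check what label a path
would receive before running setfiles. The embedded file_contexts text is a
copy of the entries in the post with spaces in place of tabs; the sample paths
are constructed.

```python
import re

# Constructed copy of the popb4smtp file_contexts lines from the post above,
# embedded (with spaces instead of tabs) so this script runs offline.
POPB4SMTP_FC = """\
# popb4smtp
/usr/local/sbin/popb4smtp-watch   --  system_u:object_r:popb4smtp_watch_exec_t
/usr/local/sbin/popb4smtp-clean   --  system_u:object_r:popb4smtp_clean_exec_t
/var/db/popb4smtp(/.*)?               system_u:object_r:popb4smtp_db_t
/var/run/popb4smtp-watch.pid      --  system_u:object_r:popb4smtp_watch_var_run_t
/var/run/popb4smtp-clean.pid      --  system_u:object_r:popb4smtp_clean_var_run_t
"""

# Optional middle field of a file_contexts entry: the object class the entry
# applies to.  An entry without one (the /var/db line) applies to every class.
QUALIFIERS = {
    "--": "regular file", "-d": "directory", "-l": "symlink",
    "-c": "char device", "-b": "block device", "-s": "socket", "-p": "fifo",
}


def parse_file_contexts(text):
    """Parse file_contexts text into (compiled regex, qualifier, context) tuples."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, qualifier, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in QUALIFIERS:
            regex, qualifier, context = fields
        else:
            raise ValueError(f"file_contexts line {lineno}: cannot parse {raw!r}")
        # setfiles anchors every regex at both ends, so a pattern must cover
        # the whole path; '(/.*)?' is what makes a directory entry cover its
        # contents as well.  Note that an unescaped '.' (as in '.pid') is a
        # single-character wildcard, exactly as setfiles treats it.
        specs.append((re.compile("^" + regex + "$"), qualifier, context))
    return specs


def match_context(specs, path, kind="--"):
    """Return the context the entries give `path`, or None if nothing matches.

    `kind` is the object class in file_contexts notation ('--' regular file,
    '-d' directory, ...).  Entries are searched from the last one back, so the
    last matching entry wins, which is the rule setfiles applies to
    overlapping entries.
    """
    if kind not in QUALIFIERS:
        raise ValueError(f"unknown object class {kind!r}")
    for regex, qualifier, context in reversed(specs):
        if qualifier is not None and qualifier != kind:
            continue
        if regex.match(path):
            return context
    return None


if __name__ == "__main__":
    specs = parse_file_contexts(POPB4SMTP_FC)
    for path, kind in [
        ("/usr/local/sbin/popb4smtp-watch", "--"),
        ("/usr/local/sbin/popb4smtp-watch", "-d"),   # '--' entry: no match
        ("/var/db/popb4smtp", "-d"),
        ("/var/db/popb4smtp/192.0.2.10", "--"),
        ("/var/db/popb4smtp-backup", "-d"),          # outside '(/.*)?': no match
        ("/var/run/popb4smtp-watch.pid", "--"),
        ("/var/run/popb4smtp-watchXpid", "--"),      # '.' is a wildcard
    ]:
        print(f"{path} ({QUALIFIERS[kind]}): {match_context(specs, path, kind)}")
```

Two things the run makes visible: the `--` qualifier means a directory named
like the pid file gets no label from these entries, and the unescaped `.` in
`popb4smtp-watch.pid` also matches names such as `popb4smtp-watchXpid`, so
`\.pid` would be the tighter spelling if that ever matters.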