New policy for Pop-before-smtp daemon

David Hampton hampton at
Wed Mar 16 13:19:07 UTC 2005

Here's a new policy to support the pop-before-smtp daemon from .  I'd
appreciate any feedback on these files or tips on how to write better
policies.  Thanks.


P.S.  This policy is based on the selinux-policy-strict-sources-1.22.1-2
rpm on my FC3 system.
-------------- next part --------------
# popb4smtp
/usr/local/sbin/popb4smtp-watch		--	system_u:object_r:popb4smtp_watch_exec_t
/usr/local/sbin/popb4smtp-clean		--	system_u:object_r:popb4smtp_clean_exec_t
/var/db/popb4smtp(/.*)?				system_u:object_r:popb4smtp_db_t
/var/run/		--	system_u:object_r:popb4smtp_watch_var_run_t
/var/run/		--	system_u:object_r:popb4smtp_clean_var_run_t
-------------- next part --------------
#DESC popb4smtp - SMTP mail authentication based upon POP logs
# Author:  David Hampton <hampton at>
# Depends: mta.te
# This policy supports one of the two pop-before-smtp daemons
# references in the Exim v4 FAQ at  This daemon
# can be found at

type popb4smtp_db_t, file_type, sysadmfile;

# popb4smtp_watch - Watch the pop log and update database
daemon_domain(popb4smtp_watch, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_watch_exec_t, popb4smtp_watch_t)

# Read the logs and write the database
r_dir_file(popb4smtp_watch_t, var_log_t)
create_dir_file(popb4smtp_watch_t, popb4smtp_db_t)

allow popb4smtp_watch_t sbin_t:dir search;
allow popb4smtp_watch_t {random_device_t urandom_device_t}:chr_file r_file_perms;

# logging
allow popb4smtp_watch_t self:unix_dgram_socket { connect create write };

# Allow access for the MTA exim to do auth checks
r_dir_file(mail_server_domain, popb4smtp_db_t)

# popb4smtp_clean - Periodically clean database
daemon_domain(popb4smtp_clean, `, privlog')
domain_auto_trans(initrc_t, popb4smtp_clean_exec_t, popb4smtp_clean_t)

create_dir_file(popb4smtp_clean_t, popb4smtp_db_t)

allow popb4smtp_clean_t sbin_t:dir search;
allow popb4smtp_clean_t {random_device_t urandom_device_t}:chr_file r_file_perms;

# logging
allow popb4smtp_clean_t self:unix_dgram_socket { connect create write };
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the fedora-selinux-list mailing list