diff options
Diffstat (limited to 'policy/modules/services/sasl.te')
-rw-r--r-- | policy/modules/services/sasl.te | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te new file mode 100644 index 000000000..231d6b2b6 --- /dev/null +++ b/policy/modules/services/sasl.te @@ -0,0 +1,117 @@ +policy_module(sasl, 1.19.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Determine whether sasl can +## read shadow files. +## </p> +## </desc> +gen_tunable(allow_saslauthd_read_shadow, false) + +type saslauthd_t; +type saslauthd_exec_t; +init_daemon_domain(saslauthd_t, saslauthd_exec_t) + +type saslauthd_initrc_exec_t; +init_script_file(saslauthd_initrc_exec_t) + +type saslauthd_keytab_t; +files_type(saslauthd_keytab_t) + +type saslauthd_var_run_t; +files_pid_file(saslauthd_var_run_t) + +######################################## +# +# Local policy +# + +allow saslauthd_t self:capability { setgid setuid sys_nice }; +dontaudit saslauthd_t self:capability sys_tty_config; +allow saslauthd_t self:process { setsched signal_perms }; +allow saslauthd_t self:fifo_file rw_fifo_file_perms; +allow saslauthd_t self:unix_stream_socket { accept listen }; + +allow saslauthd_t saslauthd_keytab_t:file read_file_perms; + +manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) +manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) +manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) +files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir }) + +kernel_read_kernel_sysctls(saslauthd_t) +kernel_read_system_state(saslauthd_t) +kernel_rw_afs_state(saslauthd_t) + +corenet_all_recvfrom_unlabeled(saslauthd_t) +corenet_all_recvfrom_netlabel(saslauthd_t) +corenet_tcp_sendrecv_generic_if(saslauthd_t) +corenet_tcp_sendrecv_generic_node(saslauthd_t) + +corenet_sendrecv_pop_client_packets(saslauthd_t) +corenet_tcp_connect_pop_port(saslauthd_t) +corenet_tcp_sendrecv_pop_port(saslauthd_t) + +corenet_sendrecv_zarafa_client_packets(saslauthd_t) +corenet_tcp_connect_zarafa_port(saslauthd_t) +corenet_tcp_sendrecv_zarafa_port(saslauthd_t) + +corecmd_exec_bin(saslauthd_t) + +dev_read_urand(saslauthd_t) + +domain_use_interactive_fds(saslauthd_t) + +files_dontaudit_read_etc_runtime_files(saslauthd_t) +files_dontaudit_getattr_home_dir(saslauthd_t) +files_dontaudit_getattr_tmp_dirs(saslauthd_t) + +fs_getattr_all_fs(saslauthd_t) +fs_search_auto_mountpoints(saslauthd_t) + +selinux_compute_access_vector(saslauthd_t) + +auth_use_pam(saslauthd_t) + +init_dontaudit_stream_connect_script(saslauthd_t) + +logging_send_syslog_msg(saslauthd_t) + +miscfiles_read_localization(saslauthd_t) +miscfiles_read_generic_certs(saslauthd_t) + +seutil_dontaudit_read_config(saslauthd_t) + +userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) +userdom_dontaudit_search_user_home_dirs(saslauthd_t) + +auth_can_read_shadow_passwords(saslauthd_t) +tunable_policy(`allow_saslauthd_read_shadow',` + allow saslauthd_t self:capability dac_override; + auth_tunable_read_shadow(saslauthd_t) +') + +optional_policy(` + kerberos_read_keytab(saslauthd_t) + kerberos_manage_host_rcache(saslauthd_t) + kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0") + kerberos_use(saslauthd_t) +') + +optional_policy(` + mysql_stream_connect(saslauthd_t) + mysql_tcp_connect(saslauthd_t) +') + +optional_policy(` + seutil_sigchld_newrole(saslauthd_t) +') + +optional_policy(` + udev_read_db(saslauthd_t) +') |