115 lines
3 KiB
Text
115 lines
3 KiB
Text
policy_module(sasl, 1.15.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow sasl to read shadow
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(saslauthd_read_shadow, false)
|
|
|
|
type saslauthd_t;
|
|
type saslauthd_exec_t;
|
|
init_daemon_domain(saslauthd_t, saslauthd_exec_t)
|
|
|
|
type saslauthd_initrc_exec_t;
|
|
init_script_file(saslauthd_initrc_exec_t)
|
|
|
|
type saslauthd_keytab_t;
|
|
files_type(saslauthd_keytab_t)
|
|
|
|
type saslauthd_var_run_t;
|
|
files_pid_file(saslauthd_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow saslauthd_t self:capability { setgid setuid sys_nice };
|
|
dontaudit saslauthd_t self:capability sys_tty_config;
|
|
allow saslauthd_t self:process { setsched signal_perms };
|
|
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
|
|
allow saslauthd_t self:unix_dgram_socket create_socket_perms;
|
|
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow saslauthd_t self:tcp_socket create_socket_perms;
|
|
|
|
allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
|
|
|
|
manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
|
|
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
|
|
manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
|
|
files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir })
|
|
allow saslauthd_t saslauthd_var_run_t:file map;
|
|
|
|
kernel_read_kernel_sysctls(saslauthd_t)
|
|
kernel_read_system_state(saslauthd_t)
|
|
kernel_rw_afs_state(saslauthd_t)
|
|
|
|
#577519
|
|
corecmd_exec_bin(saslauthd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(saslauthd_t)
|
|
corenet_tcp_sendrecv_generic_if(saslauthd_t)
|
|
corenet_tcp_sendrecv_generic_node(saslauthd_t)
|
|
corenet_tcp_sendrecv_all_ports(saslauthd_t)
|
|
corenet_tcp_connect_ldap_port(saslauthd_t)
|
|
corenet_tcp_connect_pop_port(saslauthd_t)
|
|
corenet_tcp_connect_zarafa_port(saslauthd_t)
|
|
corenet_sendrecv_pop_client_packets(saslauthd_t)
|
|
|
|
dev_read_urand(saslauthd_t)
|
|
|
|
fs_getattr_all_fs(saslauthd_t)
|
|
fs_search_auto_mountpoints(saslauthd_t)
|
|
|
|
selinux_compute_access_vector(saslauthd_t)
|
|
|
|
auth_use_pam(saslauthd_t)
|
|
|
|
domain_use_interactive_fds(saslauthd_t)
|
|
|
|
files_dontaudit_read_etc_runtime_files(saslauthd_t)
|
|
files_search_var_lib(saslauthd_t)
|
|
files_dontaudit_getattr_home_dir(saslauthd_t)
|
|
files_dontaudit_getattr_tmp_dirs(saslauthd_t)
|
|
|
|
init_dontaudit_stream_connect_script(saslauthd_t)
|
|
|
|
logging_send_syslog_msg(saslauthd_t)
|
|
|
|
miscfiles_read_generic_certs(saslauthd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
|
|
userdom_dontaudit_search_user_home_dirs(saslauthd_t)
|
|
|
|
# cjp: typeattribute doesnt work in conditionals
|
|
auth_can_read_shadow_passwords(saslauthd_t)
|
|
tunable_policy(`saslauthd_read_shadow',`
|
|
allow saslauthd_t self:capability { dac_read_search };
|
|
auth_tunable_read_shadow(saslauthd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_read_keytab(saslauthd_t)
|
|
kerberos_manage_host_rcache(saslauthd_t)
|
|
kerberos_tmp_filetrans_host_rcache(saslauthd_t)
|
|
kerberos_use(saslauthd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_search_db(saslauthd_t)
|
|
mysql_stream_connect(saslauthd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(saslauthd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(saslauthd_t)
|
|
')
|