author | Kenton Groombridge <me@concord.sh> | 2021-02-02 11:34:44 -0500 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2021-02-06 13:15:10 -0800 |
commit | b3afcd57276f8844ab25af288948cca8c543abfa (patch) | |
tree | a850fa62263cc781ae94241c42d4ed66af5837b5 | |
parent | Update Changelog and VERSION for release 2.20210203. (diff) | |
dovecot, postfix: add missing accesses
postfix_pipe_t requires reading dovecot configuration and connecting to
dovecot stream sockets if configured to use dovecot for local mail
delivery.
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/services/dovecot.if | 22 |
-rw-r--r-- | policy/modules/services/postfix.te | 2 |
2 files changed, 24 insertions, 0 deletions
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if index 1aa28f47..ec66a893 100644 --- a/policy/modules/services/dovecot.if +++ b/policy/modules/services/dovecot.if @@ -63,6 +63,28 @@ interface(`dovecot_domtrans_deliver',` ######################################## ## <summary> +## Read dovecot configuration content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dovecot_read_config',` + gen_require(` + type dovecot_etc_t; + ') + + files_search_etc($1) + allow $1 dovecot_etc_t:dir list_dir_perms; + allow $1 dovecot_etc_t:file read_file_perms; + allow $1 dovecot_etc_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> ## Create, read, write, and delete ## dovecot spool files. ## </summary> diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 5e25fa75..05c0b4a5 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -596,6 +596,8 @@ corecmd_exec_bin(postfix_pipe_t) optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) + dovecot_read_config(postfix_pipe_t) + dovecot_stream_connect(postfix_pipe_t) ') optional_policy(` |
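Review bot: in the dovecot.if hunk, `allow $1 dovecot_etc_t:file read_file_perms;` grants read on every file labelled dovecot_etc_t, so before exposing this as a general interface please confirm that no credential-bearing files (password or key material kept next to the configuration) carry that type; if any do, they should get their own type so that callers of `dovecot_read_config` cannot read them. Separately, the `## <rolecap/>` tag in the interface header looks carried over from a template: the only caller added in this patch is the service domain postfix_pipe_t, so drop the tag unless the interface is meant to be granted to user roles.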
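Review bot: in the postfix.te hunk, the two new calls sit in the same `optional_policy` block as `dovecot_domtrans_deliver(postfix_pipe_t)`, so they apply whenever the dovecot module is built, while the commit message says the access is only needed "if configured to use dovecot for local mail delivery". Since the existing domtrans call already moves the delivery program into dovecot's own domain, please add to the commit message the denials that show which step still runs as postfix_pipe_t and needs to read the configuration and connect to the stream socket. `dovecot_stream_connect` is not defined in this patch, so also confirm that the existing interface is limited to the socket the delivery path uses and does not open every dovecot runtime socket to postfix_pipe_t.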