|
@@ -1,22 +1,22 @@
|
1
|
|
-policy_module(postsrsd, 1.0.0)
|
2
|
|
-
|
3
|
|
-gen_require(`
|
4
|
|
- type http_cache_port_t;
|
5
|
|
-')
|
|
1
|
+policy_module(postsrsd, 1.1.0)
|
6
|
2
|
|
7
|
3
|
type postsrsd_t;
|
8
|
4
|
type postsrsd_exec_t;
|
|
5
|
+type postsrsd_var_lib_t;
|
|
6
|
+type postsrsd_secret_t;
|
|
7
|
+
|
9
|
8
|
init_daemon_domain(postsrsd_t, postsrsd_exec_t)
|
10
|
9
|
|
11
|
|
-type postsrsd_secret_t;
|
12
|
10
|
files_type(postsrsd_secret_t)
|
|
11
|
+files_type(postsrsd_var_lib_t)
|
13
|
12
|
|
14
|
13
|
miscfiles_read_localization(postsrsd_t)
|
15
|
14
|
auth_use_nsswitch(postsrsd_t)
|
16
|
15
|
logging_send_syslog_msg(postsrsd_t)
|
17
|
|
-allow postsrsd_t self:capability { setuid sys_chroot };
|
|
16
|
+allow postsrsd_t self:capability { setuid sys_chroot dac_override dac_read_search };
|
18
|
17
|
# 10001 and 10002 are labelled http_cache_port_t for whatever reason,
|
19
|
18
|
# no point arguing with that...
|
20
|
19
|
corenet_tcp_bind_http_cache_port(postsrsd_t)
|
21
|
20
|
allow postsrsd_t self:tcp_socket server_stream_socket_perms;
|
22
|
|
-allow postsrsd_t postsrsd_secret_t:file read_file_perms;
|
|
21
|
+read_files_pattern(postsrsd_t, postsrsd_secret_t, postsrsd_secret_t)
|
|
22
|
+manage_files_pattern(postsrsd_t, postsrsd_var_lib_t, postsrsd_var_lib_t)
|