commit: 3f0e0524d443adce4e2c4ce3d460e2d35dc12ec5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Jan 2 17:21:24 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:21:24 2015 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f0e0524
Merge with upstream done, remove gentoo specifics
---
policy/modules/contrib/courier.fc | 5 -----
policy/modules/contrib/courier.if | 38 --------------------------------------
policy/modules/contrib/courier.te | 19 +------------------
3 files changed, 1 insertion(+), 61 deletions(-)
diff --git a/policy/modules/contrib/courier.fc
b/policy/modules/contrib/courier.fc
index c0f288b..2f017a0 100644
--- a/policy/modules/contrib/courier.fc
+++ b/policy/modules/contrib/courier.fc
@@ -30,8 +30,3 @@
/var/spool/authdaemon(/.*)?
gen_context(system_u:object_r:courier_spool_t,s0)
/var/spool/courier(/.*)?
gen_context(system_u:object_r:courier_spool_t,s0)
-
-ifdef(`distro_gentoo',`
-# Default location for authdaemon socket, should be /var/run imo but meh
-/var/lib/courier/authdaemon(/.*)?
gen_context(system_u:object_r:courier_var_run_t,s0)
-')
diff --git a/policy/modules/contrib/courier.if
b/policy/modules/contrib/courier.if
index 0705659..10f820f 100644
--- a/policy/modules/contrib/courier.if
+++ b/policy/modules/contrib/courier.if
@@ -188,41 +188,3 @@ interface(`courier_rw_spool_pipes',`
files_search_var($1)
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
-
-########################################
-## <summary>
-## Allow read/write operations on an inherited stream socket
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`courier_authdaemon_rw_inherited_stream_sockets',`
- gen_require(`
- type courier_authdaemon_t;
- ')
- allow $1 courier_authdaemon_t:unix_stream_socket { read write };
-')
-
-
-########################################
-## <summary>
-## Connect to Authdaemon using a unix domain stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`courier_authdaemon_stream_connect',`
- gen_require(`
- type courier_authdaemon_t, courier_var_run_t;
- ')
-
- stream_connect_pattern($1, courier_var_run_t, courier_var_run_t,
courier_authdaemon_t)
-')
diff --git a/policy/modules/contrib/courier.te
b/policy/modules/contrib/courier.te
index 2171e04..dd23992 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -194,23 +194,6 @@ optional_policy(`
ifdef(`distro_gentoo',`
########################################
#
- # Courier imap/pop daemon policy
- #
-
- # Switch after succesfull authentication (bug 534030)
- allow courier_pop_t self:capability { setuid setgid };
-
- # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after
authentication and to start user session (bug 534030)
- corecmd_exec_shell(courier_pop_t)
-
- # Locate authdaemon socket and communicate with authdaemon (bug 534030)
- stream_connect_pattern(courier_pop_t, courier_var_lib_t,
courier_var_run_t, courier_authdaemon_t)
-
- # Manage maildir of users (bug 534030)
- mta_manage_mail_home_rw_content(courier_pop_t)
-
- ########################################
- #
# Courier tcpd daemon policy
#
@@ -223,6 +206,6 @@ ifdef(`distro_gentoo',`
#
# Grant authdaemon getattr rights on security_t so that it can check if
SELinux is enabled (needed through pam support) (bug 534030)
- # selinux_getattr_fs(courier_authdaemon_t)
+ # Handled through pam use
auth_use_pam(courier_authdaemon_t)
')
