The attached patches tighten the fetchmail policy somewhat by restricting its network access to specific ports (DNS, POP and SMTP). They also slightly narrow access to etc_t and fetchmail_etc_t files: r_file_perms is replaced by an explicit { read getattr ioctl }, which just drops "lock", since fetchmail does not need it. Please apply.
--- fetchmail.te.orig 2005-03-23 17:23:49.000000000 -0600
+++ fetchmail.te 2005-03-27 21:34:29.000000000 -0600
@@ -2,6 +2,7 @@
#
# Author: Greg Norris <haphazard@xxxxxxxxx>
# X-Debian-Packages: fetchmail
+# Depends: mta.te
#
# Note: This policy is only required when running fetchmail in daemon mode.
@@ -17,12 +18,13 @@
allow fetchmail_t self:process setrlimit;
# network-related goodies
-can_network(fetchmail_t)
+can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
+can_network_udp(fetchmail_t, dns_port_t)
allow fetchmail_t self:unix_dgram_socket create_socket_perms;
allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
# file access
-allow fetchmail_t etc_t:file r_file_perms;
-allow fetchmail_t fetchmail_etc_t:file r_file_perms;
+allow fetchmail_t etc_t:file { read getattr ioctl };
+allow fetchmail_t fetchmail_etc_t:file { read getattr ioctl };
allow fetchmail_t mail_spool_t:dir search;
file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
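Review bot: The TCP set in `can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })` grants POP and SMTP only, so a fetchmail daemon polling IMAP (or mailboxes on the dedicated TLS ports, if those are not already folded into pop_port_t) would be denied the connect under this policy. If that narrowing is deliberate, say so where the `# network-related goodies` comment is, e.g. `# Outbound TCP is limited to DNS, POP and SMTP; a fetchmail polling IMAP needs the IMAP port type added here.`; otherwise add the IMAP port type to the set. The narrowing of etc_t/fetchmail_etc_t to `{ read getattr ioctl }` matches the stated intent of dropping lock, though the explicit set no longer tracks r_file_perms if that macro is changed later.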
--- network.te.orig 2005-03-25 17:28:18.000000000 -0600
+++ network.te 2005-03-25 17:29:36.000000000 -0600
@@ -35,6 +35,7 @@
 ifdef(`perdition.te', `define(`use_pop')')
 ifdef(`dovecot.te', `define(`use_pop')')
 ifdef(`uwimapd.te', `define(`use_pop')')
+ifdef(`fetchmail.te', `define(`use_pop')')
 ifdef(`use_pop', `
 type pop_port_t, port_type, reserved_port_type;
 ')
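Review bot: Adding `ifdef(`fetchmail.te', `define(`use_pop')')` makes pop_port_t available whenever fetchmail.te is installed, but the fetchmail.te patch also references smtp_port_t, and nothing in this hunk shows how that type is conditionally defined. If smtp_port_t is guarded by a similar ifdef chain keyed on MTA policies, a system with fetchmail.te but no MTA policy would fail to build with an undefined type, which is presumably what the new `# Depends: mta.te` header is meant to cover. Either extend the guard that defines smtp_port_t with a matching fetchmail.te line, or state explicitly in the submission that an MTA policy is a hard requirement rather than a comment-level note.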