[selinux-policy/f13/master] - Fixes for logwatch-mail policy - Fixes for boinc policy
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Aug 2 11:42:24 UTC 2010
commit ca935486ee0a7dfcd95eaf52ff0b90ccdcce5e8a
Author: mgrepl <mgrepl at avalanche.(none)>
Date: Mon Aug 2 13:41:53 2010 +0200
- Fixes for logwatch-mail policy
- Fixes for boinc policy
policy-F13.patch | 243 ++++++++++++++++++++++++++++++++++++++++++------------
1 files changed, 190 insertions(+), 53 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 7b1352e..7c7f67b 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -592,7 +592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.19/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-07-23 13:46:17.112389035 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-08-02 08:55:03.161641361 +0200
@@ -20,6 +20,9 @@
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
@@ -614,23 +614,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
-@@ -93,8 +100,15 @@
+@@ -93,8 +100,8 @@
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
+userdom_dontaudit_list_admin_dir(logwatch_t)
-mta_send_mail(logwatch_t)
+
+ ifdef(`distro_redhat',`
+ files_search_all(logwatch_t)
+@@ -146,3 +153,26 @@
+ samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
+ ')
++
++
+# bug 614698
+#mta_send_mail(logwatch_t)
+mta_base_mail_template(logwatch)
+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
+role system_r types logwatch_mail_t;
-+logging_read_all_logs(logwatch_mail_t)
++
++#######################################
++#
++# Local logwatch-mail policy
++#
++
++allow logwatch_mail_t self:capability { dac_read_search dac_override };
++
++
+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
-
- ifdef(`distro_redhat',`
- files_search_all(logwatch_t)
++
++logging_read_all_logs(logwatch_mail_t)
++
++
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.19/policy/modules/admin/mcelog.te
--- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/admin/mcelog.te 2010-05-28 09:41:59.952610471 +0200
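Review bot: `allow logwatch_mail_t self:capability { dac_read_search dac_override };` grants more than the reading implied by the `logging_read_all_logs(logwatch_mail_t)` and `manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)` rules around it: dac_override also bypasses DAC write and execute checks, while dac_read_search alone covers opening and searching files the mail domain's uid cannot read. Unless logwatch_mail_t is known to write into directories it does not own, dropping dac_override and re-checking the AVC log would keep the new domain closer to least privilege, and a comment naming the denial behind each capability (the hunk already cites `# bug 614698` for the template switch) would make the choice reviewable later. The run of four empty added lines that closes the logwatch_mail_t section before the mcelog.te header is stray whitespace in the generated patch and can be collapsed to one.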
@@ -4597,8 +4617,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-06-08 15:04:19.920622331 +0200
-@@ -0,0 +1,68 @@
++++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-07-28 15:15:45.207071864 +0200
+@@ -0,0 +1,69 @@
+policy_module(kdumpgui,1.0.0)
+
+########################################
@@ -4628,6 +4648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+corecmd_exec_shell(kdumpgui_t)
+consoletype_exec(kdumpgui_t)
+
++kernel_read_debugfs(kdumpgui_t)
+kernel_read_system_state(kdumpgui_t)
+kernel_read_network_state(kdumpgui_t)
+
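Review bot: `kernel_read_debugfs(kdumpgui_t)` is added without a comment saying which debugfs entry the kdump GUI reads; debugfs exposes a broad range of kernel internals, so the justification is worth recording next to the line, e.g. `# reads <debugfs entry — TODO name it> from debugfs`. Keeping the reason inline lets a later reviewer check whether a narrower interface would do once the need is understood.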
@@ -15577,14 +15598,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.19/policy/modules/services/boinc.fc
--- nsaserefpolicy/policy/modules/services/boinc.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-05-28 09:42:00.067610962 +0200
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-07-28 14:59:48.452071586 +0200
+@@ -0,0 +1,8 @@
+
-+/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
-+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
-+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.19/policy/modules/services/boinc.if
--- nsaserefpolicy/policy/modules/services/boinc.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-06-25 14:56:43.461388526 +0200
@@ -15742,8 +15765,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-07-09 10:05:19.736135219 +0200
-@@ -0,0 +1,100 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-07-28 14:59:48.453071939 +0200
+@@ -0,0 +1,148 @@
+
+policy_module(boinc,1.0.0)
+
@@ -15770,13 +15793,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
++type boinc_project_t;
++domain_type(boinc_project_t)
++role system_r types boinc_project_t;
++
++permissive boinc_project_t;
++
++type boinc_project_var_lib_t;
++files_type(boinc_project_var_lib_t)
++
+########################################
+#
+# boinc local policy
+#
+
+allow boinc_t self:capability { kill };
-+allow boinc_t self:process { execmem ptrace fork setsched signal signull sigkill sigstop };
++allow boinc_t self:process { setsched };
+
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
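Review bot: `permissive boinc_project_t;` ships the new domain in permissive mode with no comment, so denials against it are only logged and the confinement it is meant to give downloaded project code is not enforced. If this is the usual staging step for a new domain, say so and mark it for removal, e.g. `# TODO: permissive while collecting denials; remove once boinc_project_t policy is complete`; otherwise the declaration should land without the permissive line. Cutting boinc_t's own `self:process` set down to `{ setsched }` in the same hunk is consistent with moving execmem and ptrace to the project domain in the later hunk, but a one-line comment on that split would help too.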
@@ -15796,10 +15828,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } )
+
-+kernel_read_network_state(boinc_t)
++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++
+kernel_read_system_state(boinc_t)
-+kernel_read_kernel_sysctls(boinc_t)
-+kernel_search_vm_sysctl(boinc_t)
+
+corecmd_exec_bin(boinc_t)
+corecmd_exec_shell(boinc_t)
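Review bot: `manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)` lets the client create the project and slot directories, but no type transition from boinc_var_lib_t to boinc_project_var_lib_t is declared, so a `projects` or `slots` directory that boinc_t creates itself under `/var/lib/boinc` (labelled boinc_var_lib_t by the fc entry earlier in this commit) would inherit boinc_var_lib_t until something relabels it. Binaries downloaded into such a directory would then not match the `domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)` added in the next hunk and would run in boinc_t instead of the restricted domain. If the package or restorecon always creates these directories this is harmless, but it deserves a comment; a plain `filetrans_pattern` into boinc_project_var_lib_t would close the gap at the cost of labelling every other directory boinc_t creates there the same way, so the comment may be the better fix.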
@@ -15844,6 +15876,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+sysnet_dns_name_resolve(boinc_t)
+
+mta_send_mail(boinc_t)
++
++########################################
++#
++# boinc-projects local policy
++#
++
++domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++
++allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { execmem execstack };
++
++allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
++
++allow boinc_project_t boinc_project_var_lib_t:file execmod;
++
++allow boinc_project_t boinc_t:shm rw_shm_perms;
++allow boinc_project_t boinc_tmpfs_t:file { read write };
++
++rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
++
++kernel_read_system_state(boinc_project_t)
++kernel_read_kernel_sysctls(boinc_project_t)
++kernel_search_vm_sysctl(boinc_project_t)
++kernel_read_network_state(boinc_project_t)
++
++corenet_tcp_connect_boinc_port(boinc_project_t)
++
++dev_rw_xserver_misc(boinc_t)
++
++files_getattr_all_dirs(boinc_t)
++files_getattr_all_files(boinc_t)
++files_dontaudit_search_home(boinc_t)
++
++miscfiles_read_localization(boinc_project_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.7.19/policy/modules/services/bugzilla.fc
--- nsaserefpolicy/policy/modules/services/bugzilla.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.7.19/policy/modules/services/bugzilla.fc 2010-05-28 09:42:00.069610831 +0200
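Review bot: The last six added rules, `dev_rw_xserver_misc(boinc_t)` through `files_dontaudit_search_home(boinc_t)`, act on boinc_t but sit under the new `# boinc-projects local policy` header; they belong in the boinc local policy section in the previous hunk so the section comments stay truthful. On the project domain itself, boinc_project_var_lib_t is at once the entrypoint type, executable via `exec_files_pattern`, `execmod`-able and fully writable via `manage_files_pattern` by boinc_project_t, so the file type provides no integrity guarantee and the effective trust boundary is the domain transition plus whatever boinc_project_t is denied. A comment stating that the domain is intended for untrusted downloaded project code, and that `execmem execstack execmod` and self `ptrace` are deliberate concessions, would help the next reviewer. `files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })` also lets project code create boinc_project_var_lib_t entries directly in `/var/lib`, wider than the `/var/lib/boinc` subtree the fc entries describe, which is worth confirming.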
@@ -22508,8 +22579,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.19/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-07-27 14:17:07.890822686 +0200
-@@ -220,6 +220,25 @@
++++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-08-02 09:11:21.173641481 +0200
+@@ -144,6 +144,30 @@
+ ')
+ ')
+
++#######################################
++## <summary>
++## Type transition files created in calling dir
++## to the mail address aliases type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Directory to transition on.
++## </summary>
++## </param>
++#
++interface(`mta_filetrans_aliases',`
++ gen_require(`
++ type etc_aliases_t;
++ ')
++
++ filetrans_pattern($1, $2, etc_aliases_t, file)
++')
++
+ ########################################
+ ## <summary>
+ ## Role access for mta
+@@ -220,6 +244,25 @@
application_executable_file($1)
')
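Review bot: The new `mta_filetrans_aliases` interface documents both parameters as `<param name="domain">`; the second should carry its own name, e.g. `## <param name="dir_type">` above the existing `Directory to transition on.` summary, since two identically named params make the parameter list ambiguous. The summary would also read better as `Type transition files created in the calling directory to the mail aliases type.` As far as I recall refpolicy's `filetrans_pattern` supplies only the directory write permission and the `type_transition`, so callers still need create permission on etc_aliases_t files from another interface; a sentence saying so in the summary would save the next caller a denial.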
@@ -22535,7 +22637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
########################################
## <summary>
## Make the specified type by a system MTA.
-@@ -335,6 +354,7 @@
+@@ -335,6 +378,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
@@ -22543,7 +22645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
')
-@@ -356,11 +376,35 @@
+@@ -356,11 +400,35 @@
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
@@ -22579,7 +22681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -390,12 +434,15 @@
+@@ -390,12 +458,15 @@
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -22599,7 +22701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -454,7 +501,8 @@
+@@ -454,7 +525,8 @@
type etc_mail_t;
')
@@ -22609,7 +22711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -678,7 +726,7 @@
+@@ -678,7 +750,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
@@ -22618,7 +22720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -765,6 +813,25 @@
+@@ -765,6 +837,25 @@
#######################################
## <summary>
@@ -22646,7 +22748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-07-27 14:16:43.658073525 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-08-02 10:29:35.492641359 +0200
@@ -23,6 +23,7 @@
type mail_forward_t;
@@ -22717,7 +22819,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -126,6 +144,7 @@
+@@ -120,12 +138,13 @@
+ ')
+
+ optional_policy(`
+- exim_domtrans(system_mail_t)
+- exim_manage_log(system_mail_t)
++ exim_domtrans(user_mail_domain)
++ exim_manage_log(user_mail_domain)
+ ')
optional_policy(`
fail2ban_append_log(system_mail_t)
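Review bot: `exim_domtrans(user_mail_domain)` and `exim_manage_log(user_mail_domain)` widen rules that were scoped to system_mail_t to every domain carrying the user_mail_domain attribute, and the next hunk does the same for the postfix block (`postfix_exec_master`, `postfix_read_config`, `postfix_search_spool`, `files_getattr_tmp_dirs` and `postfix_config_filetrans(user_mail_domain, etc_aliases_t, ...)`). Managing the exim log and creating etc_aliases_t objects in the postfix config directory are system-mailer operations (the surviving comment still says `# postfix needs this for newaliases`), so handing them to all user mail domains is broader than the logwatch-mail fix this commit describes; if a single domain, presumably logwatch_mail_t, needs them, scoping to that domain or a narrower attribute would be tighter. At minimum a comment should name the caller that required the widening. The enclosing `optional_policy` blocks begin before the hunk.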
@@ -22736,6 +22846,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
nagios_read_tmp_files(system_mail_t)
')
+@@ -156,15 +179,15 @@
+ domain_use_interactive_fds(system_mail_t)
+
+ # postfix needs this for newaliases
+- files_getattr_tmp_dirs(system_mail_t)
++ files_getattr_tmp_dirs(user_mail_domain)
+
+- postfix_exec_master(system_mail_t)
+- postfix_read_config(system_mail_t)
+- postfix_search_spool(system_mail_t)
++ postfix_exec_master(user_mail_domain)
++ postfix_read_config(user_mail_domain)
++ postfix_search_spool(user_mail_domain)
+
+ ifdef(`distro_redhat',`
+ # compatability for old default main.cf
+- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
++ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+ ')
+ ')
+
@@ -185,6 +208,10 @@
')
@@ -22825,7 +22956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.7.19/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-07-14 11:31:58.190159729 +0200
++++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-08-02 09:03:40.662642033 +0200
@@ -43,6 +43,24 @@
files_search_etc($1)
')
@@ -22851,7 +22982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
#######################################
## <summary>
## Append to the munin log.
-@@ -102,6 +120,56 @@
+@@ -102,6 +120,58 @@
dontaudit $1 munin_var_lib_t:dir search_dir_perms;
')
@@ -22898,6 +23029,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+
+ read_lnk_files_pattern(munin_$1_plugin_t, munin_etc_t, munin_etc_t)
+
++ manage_files_pattern(munin_$1_plugin_t, munin_var_lib_t, munin_var_lib_t)
++
+ kernel_read_system_state(munin_$1_plugin_t)
+
+ corecmd_exec_bin(munin_$1_plugin_t)
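Review bot: `manage_files_pattern(munin_$1_plugin_t, munin_var_lib_t, munin_var_lib_t)` is added to the shared plugin template, so every generated plugin domain can create, overwrite and delete any file of the type the munin master also keeps its state in. If plugins only need to read or append their own state, a read or append interface, or a per-plugin state type, would contain a misbehaving plugin better; if full manage really is needed for all of them, a comment naming the plugin that required it would document the choice. The template definition begins and ends outside this hunk.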
@@ -22910,7 +23043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-07-21 09:12:00.666135102 +0200
++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-08-02 09:03:13.550641907 +0200
@@ -28,12 +28,26 @@
type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t)
@@ -22971,7 +23104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-@@ -164,3 +185,157 @@
+@@ -164,3 +185,160 @@
optional_policy(`
udev_read_db(munin_t)
')
@@ -22993,6 +23126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+
+files_read_etc_files(munin_disk_plugin_t)
+files_read_etc_runtime_files(munin_disk_plugin_t)
++files_read_usr_files(munin_disk_plugin_t)
+
+fs_getattr_all_fs(munin_disk_plugin_t)
+
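Review bot: `files_read_usr_files(munin_disk_plugin_t)` is added here and the same line is repeated for munin_mail_plugin_t and munin_services_plugin_t in the next two hunks; since all three domains come from the shared plugin template in munin.if, the call would be easier to maintain there if every plugin needs it, which cannot be confirmed from this patch. Left per-domain, a short comment on each saying which file under /usr the plugin reads would explain why these three and not the others.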
@@ -23025,6 +23159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+dev_read_urand(munin_mail_plugin_t)
+
+files_read_etc_files(munin_mail_plugin_t)
++files_read_usr_files(munin_mail_plugin_t)
+
+fs_getattr_all_fs(munin_mail_plugin_t)
+
@@ -23065,6 +23200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+fs_getattr_all_fs(munin_services_plugin_t)
+
+files_read_etc_files(munin_services_plugin_t)
++files_read_usr_files(munin_services_plugin_t)
+
+sysnet_read_config(munin_services_plugin_t)
+
@@ -26911,7 +27047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-07-21 09:58:36.071135157 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-08-02 09:16:41.169891320 +0200
@@ -6,6 +6,15 @@
# Declarations
#
@@ -27047,15 +27183,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
term_dontaudit_search_ptys(postfix_master_t)
-@@ -181,6 +205,7 @@
+@@ -181,6 +205,8 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
++mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
ifdef(`distro_redhat',`
# for newer main.cf that uses /etc/aliases
-@@ -193,6 +218,10 @@
+@@ -193,6 +219,10 @@
')
optional_policy(`
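Review bot: `mta_filetrans_aliases(postfix_master_t, postfix_etc_t)` installs a type transition into etc_aliases_t, but the rules visible here for postfix_master_t on that type are `mta_rw_aliases` and `mta_getattr_spool`; if nothing grants `create` on etc_aliases_t files (the `ifdef(`distro_redhat'` block just below may, and it is not visible in the hunk), the transition is never exercised and the newaliases case stays denied. Worth confirming against the AVC log for the bug this addresses and citing it in a comment, as the adjacent `# for newer main.cf that uses /etc/aliases` line does.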
@@ -27066,7 +27203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# for postalias
mailman_manage_data_files(postfix_master_t)
')
-@@ -202,6 +231,10 @@
+@@ -202,6 +232,10 @@
')
optional_policy(`
@@ -27077,7 +27214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
sendmail_signal(postfix_master_t)
')
-@@ -219,6 +252,7 @@
+@@ -219,6 +253,7 @@
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -27085,7 +27222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -240,11 +274,18 @@
+@@ -240,11 +275,18 @@
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
@@ -27104,7 +27241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix local local policy
-@@ -253,10 +294,6 @@
+@@ -253,10 +295,6 @@
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
@@ -27115,7 +27252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -270,18 +307,35 @@
+@@ -270,18 +308,35 @@
files_read_etc_files(postfix_local_t)
@@ -27151,7 +27288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -292,8 +346,7 @@
+@@ -292,8 +347,7 @@
#
# Postfix map local policy
#
@@ -27161,7 +27298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -340,14 +393,15 @@
+@@ -340,14 +394,15 @@
miscfiles_read_localization(postfix_map_t)
@@ -27181,7 +27318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix pickup local policy
-@@ -372,6 +426,7 @@
+@@ -372,6 +427,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -27189,7 +27326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -379,6 +434,12 @@
+@@ -379,6 +435,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -27202,7 +27339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -388,6 +449,16 @@
+@@ -388,6 +450,16 @@
')
optional_policy(`
@@ -27219,7 +27356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -415,6 +486,10 @@
+@@ -415,6 +487,10 @@
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
@@ -27230,7 +27367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-@@ -424,8 +499,11 @@
+@@ -424,8 +500,11 @@
')
optional_policy(`
@@ -27244,7 +27381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
#######################################
-@@ -451,6 +529,17 @@
+@@ -451,6 +530,17 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -27262,7 +27399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix qmgr local policy
-@@ -464,6 +553,7 @@
+@@ -464,6 +554,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -27270,7 +27407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -499,13 +589,14 @@
+@@ -499,13 +590,14 @@
#
# connect to master process
@@ -27286,7 +27423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +626,18 @@
+@@ -535,9 +627,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -27305,7 +27442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -559,20 +659,22 @@
+@@ -559,20 +660,22 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;