[selinux-policy: 976/3172] stray procmail execs

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:29:21 UTC 2010


commit 1dad083d2cab9241c3769c10c5ae880783047215
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 15 20:27:49 2005 +0000

    stray procmail execs

 refpolicy/policy/modules/services/mta.if      |    4 ++--
 refpolicy/policy/modules/services/mta.te      |   10 +++++-----
 refpolicy/policy/modules/services/procmail.if |   18 ++++++++++++++++++
 3 files changed, 25 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index ce05c76..40a9180 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -145,11 +145,11 @@ template(`mta_per_userdomain_template',`
 		postfix_list_spool($1_mail_t)
 	')
 
-	ifdef(`TODO',`
 	optional_policy(`procmail.te',`
-		procmail_execute($1_mail_t)
+		procmail_exec($1_mail_t)
 	')
 
+	ifdef(`TODO',`
 	# Read user temporary files.
 	allow $1_mail_t $1_tmp_t:file r_file_perms;
 	dontaudit $1_mail_t $1_tmp_t:file append;
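Review bot: The `procmail_exec($1_mail_t)` call enabled in this hunk has no comment explaining why the user mail domain runs procmail without a transition, even though `procmail_domtrans` exists in procmail.if. With exec in the caller domain, procmail and anything a delivery recipe launches run with whatever `$1_mail_t` is allowed. That choice deserves a one-line rationale above the call, for example `# procmail stays in $1_mail_t (no transition to procmail_t); recipes run with the access of this domain`. The same applies to the `procmail_exec(system_mail_t)` block added in mta.te. The template body continues outside the hunk, so whether `$1_mail_t` is narrow enough for this cannot be judged from here.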
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 51a4b2a..6f0ffe3 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.0)
+policy_module(mta,1.0.1)
 
 ########################################
 #
@@ -207,6 +207,10 @@ optional_policy(`postfix.te',`
 	type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
 ')
 
+optional_policy(`procmail.te',`
+	procmail_exec(system_mail_t)
+')
+
 optional_policy(`sendmail.te',`
 	sendmail_stub(system_mail_t)
 
@@ -222,10 +226,6 @@ optional_policy(`sendmail.te',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`procmail.te',`
-	procmail_exec(system_mail_t)
-')
-
 optional_policy(`sendmail.te',`
 	allow system_mail_t { var_t var_spool_t }:dir getattr;
 	dontaudit system_mail_t userpty_type:chr_file { getattr read write };
diff --git a/refpolicy/policy/modules/services/procmail.if b/refpolicy/policy/modules/services/procmail.if
index 4d702db..7ef5d71 100644
--- a/refpolicy/policy/modules/services/procmail.if
+++ b/refpolicy/policy/modules/services/procmail.if
@@ -22,3 +22,21 @@ interface(`procmail_domtrans',`
 	allow procmail_t $1:fifo_file rw_file_perms;
 	allow procmail_t $1:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Execute procmail in the caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`procmail_exec',`
+	gen_require(`
+		type procmail_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,procmail_exec_t)
+')
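Review bot: The summary for `procmail_exec` does not say how it differs from `procmail_domtrans` directly above it, which is what a policy writer choosing between the two needs to know. I would extend the summary line to `##	Execute procmail in the caller domain, without a transition to procmail_t.` and add a short `<desc>` paragraph stating that procmail then runs with the permissions of the calling domain. The parameter text `Domain allowed access.` could also be made specific: `Domain allowed to execute procmail.`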

