[selinux-policy: 1019/3172] clean up

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:33:03 UTC 2010


commit fc0e8ce91a5fc9ab1a58064a58dae10e734219f6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Dec 5 20:18:20 2005 +0000

    clean up

 refpolicy/policy/modules/services/mta.if     |    4 ++
 refpolicy/policy/modules/services/mta.te     |    2 +-
 refpolicy/policy/modules/services/postfix.if |   52 +++++++++++++++++++++-----
 refpolicy/policy/modules/services/postfix.te |    7 +++-
 4 files changed, 53 insertions(+), 12 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 8abdaba..29ef578 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -103,6 +103,10 @@ template(`mta_base_mail_template',`
 		nscd_use_socket($1_mail_t)
 	')
 
+	optional_policy(`postfix',`
+		postfix_domtrans_user_mail_handler($1_mail_t)
+	')
+
 	optional_policy(`procmail',`
 		procmail_exec($1_mail_t)
 	')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index cc1cdb6..b9ff82f 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.0.2)
+policy_module(mta,1.0.3)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index f773241..d4afb66 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -132,22 +132,37 @@ template(`postfix_server_domain_template',`
 ')
 
 template(`postfix_user_domain_template',`
+	gen_require(`
+		attribute postfix_user_domains, postfix_user_domtrans;
+	')
+
 	postfix_domain_template($1)
 
+	typeattribute postfix_$1_t postfix_user_domains;
+
 	allow postfix_$1_t self:capability dac_override;
 
-	domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
-	allow user_mail_domain postfix_$1_t:fd use;
-	allow postfix_$1_t user_mail_domain:fd use;
-	allow postfix_$1_t user_mail_domain:fifo_file rw_file_perms;
-	allow postfix_$1_t user_mail_domain:process sigchld;
+	domain_auto_trans(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
+	allow postfix_user_domtrans postfix_$1_t:fd use;
+	allow postfix_$1_t postfix_user_domtrans:fd use;
+	allow postfix_$1_t postfix_user_domtrans:fifo_file rw_file_perms;
+	allow postfix_$1_t postfix_user_domtrans:process sigchld;
 
-	# this is replaced by run interfaces
-	role sysadm_r types postfix_$1_t;
-	allow postfix_$1_t userdomain:process sigchld;
-	allow postfix_$1_t userdomain:fifo_file { write getattr };
-	allow postfix_$1_t { userdomain privfd }:fd use;
+	domain_use_wide_inherit_fd(postfix_$1_t)
+')
 
+template(`postfix_per_userdomain_template',`
+	gen_require(`
+		attribute postfix_user_domains;
+	')
+
+	# cjp: perhaps this should actually be $3
+	# instead of just sysadm_r?
+	#role sysadm_r types postfix_user_domains;
+
+	allow postfix_user_domains $2:process sigchld;
+	allow postfix_user_domains $2:fifo_file { write getattr };
+	allow postfix_user_domains $2:fd use;
 ')
 
 template(`postfix_public_domain_template',`
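Review bot: In postfix_per_userdomain_template the only role rule is left commented out (`#role sysadm_r types postfix_user_domains;`), while the old `role sysadm_r types postfix_$1_t;` is removed from postfix_user_domain_template, so nothing visible in this hunk authorizes a role for the postfix user domain types. Unless a role rule exists elsewhere in the policy, the transition set up by `domain_auto_trans(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)` would produce a context whose type is not permitted for the caller's role, and the exec would likely be refused. Resolving the cjp question with a per-role rule such as `role $3 types postfix_user_domains;` would scope the authorization to the calling role instead of hard-coding sysadm_r, provided the template's callers pass the role as the third argument. Both templates also lack the `## <summary>` / `## <param>` header that the new interface in this file carries, so the meaning of $1, $2 and $3 is undocumented.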
@@ -360,3 +375,20 @@ interface(`postfix_list_spool',`
 	allow $1 postfix_spool_t:dir list_dir_perms;
 	files_search_spool($1)
 ')
+
+########################################
+## <summary>
+##	Execute postfix user mail programs
+##	in their respective domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postfix_domtrans_user_mail_handler',`
+	gen_require(`
+		attribute postfix_user_domtrans;
+	')
+
+	typeattribute $1 postfix_user_domtrans;
+')
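Review bot: The header for postfix_domtrans_user_mail_handler describes a domain transition, but the body only does `typeattribute $1 postfix_user_domtrans;`, so the caller receives every rule written against that attribute. In this commit that means the auto transition into each postfix_$1_t plus the fd, fifo_file and sigchld rules in postfix_user_domain_template. That is broader than a single-target domtrans and will widen without any change at the call site if more rules are later attached to the attribute, which matters for the mta.if hunk that applies it to every $1_mail_t. I would say so in the summary, for example `##	Adds the domain to the postfix_user_domtrans attribute; it gains all access granted to that attribute.`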
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 963bce3..6cbbec1 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,11 +1,16 @@
 
-policy_module(postfix,1.0.2)
+policy_module(postfix,1.0.3)
 
 ########################################
 #
 # Declarations
 #
 
+attribute postfix_user_domains;
+# domains that transition to the
+# postfix user domains
+attribute postfix_user_domtrans;
+
 postfix_public_domain_template(bounce)
 
 type postfix_spool_bounce_t;
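Review bot: The comment between the two new attribute declarations reads top to bottom as if it belonged to `postfix_user_domains`, yet it describes `postfix_user_domtrans`, and `postfix_user_domains` has no comment of its own. A line above the first declaration such as `# all postfix user domains (set in postfix_user_domain_template)` would make both attributes' purpose clear to anyone auditing which rules they carry.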

