[selinux-policy: 2162/3172] mailman patch from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:12:07 UTC 2010


commit 92f08c71307d1c70f51f847e730f2e5784bd07fb
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 21 10:10:17 2009 -0400

    mailman patch from dan.

 policy/modules/services/mailman.fc |    1 +
 policy/modules/services/mailman.if |   27 +++++++++++++++++++++++++++
 policy/modules/services/mailman.te |   35 +++++++++++++++++++++++++----------
 3 files changed, 53 insertions(+), 10 deletions(-)
---
diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
index 92afb44..3de6c18 100644
--- a/policy/modules/services/mailman.fc
+++ b/policy/modules/services/mailman.fc
@@ -27,6 +27,7 @@ ifdef(`distro_redhat', `
 
 /usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
 /usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/scripts/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
 /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
index 547ddeb..9ad4c4e 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -31,6 +31,12 @@ template(`mailman_domain_template', `
 	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
 	allow mailman_$1_t self:udp_socket create_socket_perms;
 
+	files_search_spool(mailman_$1_t)
+
+	manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+	manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+	manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+
 	manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
 	manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
 	manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
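Review bot: The three manage_*_pattern rules on mailman_archive_t at L40-L42 are placed in mailman_domain_template, so every domain stamped from it gets write access to the archives; by its naming that presumably includes mailman_cgi_t, the domain reached from the web server, which is a broader grant than the commit message explains. If only the mail and queue domains need to write archives, keep the template to read access (`read_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)`) and grant manage in the per-domain rules in mailman.te. The same three rules plus files_search_spool are also added for mailman_mail_t in mailman.te, where they become redundant if that domain is instantiated through this template. A one-line comment above the block stating why all mailman domains manage archives would help the next reader. The template body continues outside the hunk.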
@@ -190,7 +196,9 @@ interface(`mailman_read_data_files',`
 		type mailman_data_t;
 	')
 
+	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	read_files_pattern($1, mailman_data_t, mailman_data_t)
+	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
 
 #######################################
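Review bot: With list_dirs_pattern and read_lnk_files_pattern added at L51 and L53, mailman_read_data_files now presumably subsumes what mailman_read_data_symlinks (header in the last hunk of this file) grants, so callers that invoke both get duplicate rules. The interface summary lies outside the hunk and likely still reads as file access only; update it to say the interface also lists mailman data directories and reads symlinks, and consider a note in mailman_read_data_symlinks pointing readers to this interface.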
@@ -209,6 +217,7 @@ interface(`mailman_manage_data_files',`
 		type mailman_data_t;
 	')
 
+	manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	manage_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
 
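Review bot: mailman_manage_data_files gains manage_dirs_pattern at L61 but no link-file rule, while the read interface in this same commit gains read_lnk_files_pattern and mailman_domain_template manages links in mailman_data_t; for symmetry add `manage_lnk_files_pattern($1, mailman_data_t, mailman_data_t)` after L62. The interface summary is outside the hunk and should now mention directories as well as files.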
@@ -250,6 +259,24 @@ interface(`mailman_read_data_symlinks',`
 
 #######################################
 ## <summary>
+##	Read mailman logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_log',`
+	gen_require(`
+		type mailman_log_t;
+	')
+
+	read_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
 ##	Append to mailman logs.
 ## </summary>
 ## <param name="domain">
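Review bot: The new mailman_read_log interface at L77-L83 grants read on mailman_log_t files but nothing lets the caller traverse to the log directory, whereas the other read interfaces in this file pair file access with directory access (L51 in this commit); add `list_dirs_pattern($1, mailman_log_t, mailman_log_t)` and, per the usual refpolicy pattern for log readers, `logging_search_logs($1)`. The name is singular while the summary says "Read mailman logs." and the neighbouring interfaces are named in the plural (mailman_read_data_files); either form works, but pick one consistently.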
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index 052b569..823078d 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
 
-policy_module(mailman, 1.6.4)
+policy_module(mailman, 1.6.5)
 
 ########################################
 #
@@ -53,10 +53,8 @@ optional_policy(`
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
 	apache_search_sys_script_state(mailman_cgi_t)
-
-	optional_policy(`
-		nscd_socket_use(mailman_cgi_t)
-	')
+	apache_read_config(mailman_cgi_t)
+	apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
 ')
 
 ########################################
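Review bot: Removing the nested optional_policy with nscd_socket_use(mailman_cgi_t) at L106-L108 takes away the CGI domain's use of the nscd socket for name lookups, and the commit message does not say why; unless that access was moved elsewhere (not visible here), it should stay or the removal should be called out in the message. apache_dontaudit_rw_stream_sockets at L110 silences a denial rather than granting anything, so a short comment such as `# inherited apache stream sockets; dontaudit rather than allow` would keep a later reader from mistaking it for a missing rule. The optional_policy block opens before the hunk.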
@@ -65,15 +63,26 @@ optional_policy(`
 #
 
 allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+
+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+
+files_search_spool(mailman_mail_t)
+
+fs_rw_anon_inodefs_files(mailman_mail_t)
 
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
 
-ifdef(`TODO',`
 optional_policy(`
-	allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
-	# do we really need this?
-	allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+	cron_read_pipes(mailman_mail_t)
 ')
+
+optional_policy(`
+	postfix_search_spool(mailman_mail_t)
 ')
 
 ########################################
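Review bot: The capability set at L119 grants dac_override, setuid, setgid and sys_tty_config to the mail delivery domain with no comment on why each is needed; dac_override in particular bypasses file permission checks entirely and usually points at an ownership mismatch (spool or archive files not owned by the user mailman runs as) that labeling or ownership would fix more narrowly, and sys_tty_config is unusual for a delivery agent. Please check each capability against the denial that motivated it, add a one-line comment per capability above the allow, and drop any that cannot be confirmed. The manage_*_pattern rules on mailman_archive_t at L121-L123 and files_search_spool at L125 duplicate what this commit adds to mailman_domain_template in mailman.if, assuming mailman_mail_t is instantiated from that template; keep one copy.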
@@ -103,8 +112,14 @@ seutil_dontaudit_search_config(mailman_queue_t)
 # knows mailman well should test this out and send the changes
 userdom_search_user_home_dirs(mailman_queue_t)
 
-su_exec(mailman_queue_t)
+optional_policy(`
+	apache_read_config(mailman_queue_t)
+')
 
 optional_policy(`
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
 ')
+
+optional_policy(`
+	su_exec(mailman_queue_t)
+')
\ No newline at end of file
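Review bot: The file now ends without a trailing newline (marker at L161) although the previous revision ended cleanly; add a newline after the final `')`. Wrapping su_exec in optional_policy at L158-L160 is correct since the su module is optional, and the two new blocks follow the one-module-per-optional_policy convention used elsewhere in the file.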

