[selinux-policy: 965/3172] more broken symptoms

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:28:24 UTC 2010


commit 15c235f75c197feebd761f71cfd75f770443d7a5
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Nov 11 22:21:32 2005 +0000

    more broken symptoms

 refpolicy/policy/modules/admin/rpm.te     |   12 ++++++------
 refpolicy/policy/modules/services/cron.te |    4 ++--
 refpolicy/policy/modules/services/mta.te  |    9 +++++++++
 refpolicy/policy/modules/system/init.if   |   15 ++++++++++-----
 4 files changed, 27 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index e2aa635..7d00dad 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -322,14 +322,14 @@ seutil_domtrans_restorecon(rpm_script_t)
 
 userdom_use_all_user_fd(rpm_script_t)
 
-ifdef(`distro_redhat',`
-	optional_policy(`mta.te',`
-		mta_send_mail(rpm_script_t)
-	')
-')
-
 ifdef(`targeted_policy',`
 	unconfined_domain_template(rpm_script_t)
+',`
+	ifdef(`distro_redhat',`
+		optional_policy(`mta.te',`
+			mta_send_mail(rpm_script_t)
+		')
+	')
 ')
 
 tunable_policy(`allow_execmem',`
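Review bot: The `mta_send_mail(rpm_script_t)` call now sits in the else branch of `targeted_policy`, with no comment saying why it is skipped when `unconfined_domain_template(rpm_script_t)` applies. Presumably the intent is to keep mail sent from rpm scriptlets out of the confined mail domain under the targeted policy. That changes which domain the mailer runs in, so it should be stated in the policy source. A one-line comment above the inner `ifdef` would do, for example `# strict only: under targeted policy rpm_script_t is unconfined and mail is not transitioned`, with the wording adjusted to the actual reason.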
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 9ea0e72..f23fbd0 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -130,8 +130,6 @@ miscfiles_read_localization(crond_t)
 
 userdom_use_unpriv_users_fd(crond_t)
 
-mta_send_mail(crond_t)
-
 ifdef(`distro_redhat', `
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 	# via redirection of standard out.
@@ -164,6 +162,8 @@ ifdef(`targeted_policy',`
 	allow crond_t crond_tmp_t:dir create_dir_perms;
 	allow crond_t crond_tmp_t:file create_file_perms;
 	files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
+
+	mta_send_mail(crond_t)
 ')
 
 tunable_policy(`fcron_crond', `
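Review bot: `mta_send_mail(crond_t)` is added here as a bare call, while the rpm.te hunk in this same commit wraps `mta_send_mail(rpm_script_t)` in an `optional_policy` block keyed on `mta.te`. If the mta module is left out of a build, the unguarded call would presumably fail to resolve, so using the same `optional_policy` wrapper here would keep the two modules consistent. The opening of the enclosing `ifdef` is outside the hunk, so it is not visible which branch of `targeted_policy` receives the call. A short comment such as `# cron mails job output` next to it would help a reader place it.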
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 0a46adb..51a4b2a 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -105,6 +105,15 @@ sysnet_dns_name_resolve(system_mail_t)
 
 userdom_use_sysadm_terms(system_mail_t)
 
+ifdef(`hide_broken_symptoms',`
+	# Red Hat systems seem to have a stray
+	# fds open from the initrd
+	ifdef(`distro_redhat',`
+		kernel_dontaudit_use_fd(system_mail_t)
+		storage_dontaudit_read_fixed_disk(system_mail_t)
+	')
+')
+
 ifdef(`targeted_policy',`
 	typealias system_mail_t alias sysadm_mail_t;
 
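Review bot: The added comment explains `kernel_dontaudit_use_fd(system_mail_t)` but not `storage_dontaudit_read_fixed_disk(system_mail_t)`, and "a stray fds" should read "stray fds". These are dontaudit rules, so the access stays denied but no AVC record is written. While `hide_broken_symptoms` and `distro_redhat` are both defined, a read attempt by the mail domain on a fixed-disk device would leave no audit trail. I would spell that out in the block, for example `# dontaudit only: access is still denied; the denial for the fd inherited from the initrd is just not logged`, and note that the rules should go once the initrd fd leak is fixed.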
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 6b38b03..93d6de5 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -32,11 +32,16 @@ interface(`init_domain',`
 	allow $1 init_t:fifo_file rw_file_perms;
 	allow $1 init_t:process sigchld;
 
-	# Red Hat systems seem to have a stray
-	# fd open from the initrd
-	optional_policy(`distro_redhat',`
-		kernel_dontaudit_use_fd($1)
-		files_dontaudit_read_root_file($1)
+	# Red Hat systems seem to have stray
+	# fds open from the initrd
+	ifdef(`hide_broken_symptoms',`
+		# Red Hat systems seem to have a stray
+		# fds open from the initrd
+		ifdef(`distro_redhat',`
+			kernel_dontaudit_use_fd($1)
+			storage_dontaudit_read_fixed_disk($1)
+			files_dontaudit_read_root_file($1)
+		')
 	')
 ')
 
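Review bot: The "Red Hat systems seem to have stray fds" comment now appears twice, once above `ifdef(hide_broken_symptoms)` and again inside it, where it reads "a stray fds"; one copy directly above the `distro_redhat` block is enough. More important, these rules are in the `init_domain` interface and are written against `$1`, so the newly added `storage_dontaudit_read_fixed_disk($1)` suppresses fixed-disk read denials for every domain the interface is applied to, not for one daemon. That is a broad loss of audit signal for a cosmetic fix. The comment should state the scope explicitly, for example `# applies to every init_domain() caller: silences denials only, access remains denied`. The interface body starts outside the hunk.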

