[selinux-policy: 965/3172] more broken symptoms
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:28:24 UTC 2010
commit 15c235f75c197feebd761f71cfd75f770443d7a5
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Nov 11 22:21:32 2005 +0000
more broken symptoms
refpolicy/policy/modules/admin/rpm.te | 12 ++++++------
refpolicy/policy/modules/services/cron.te | 4 ++--
refpolicy/policy/modules/services/mta.te | 9 +++++++++
refpolicy/policy/modules/system/init.if | 15 ++++++++++-----
4 files changed, 27 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index e2aa635..7d00dad 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -322,14 +322,14 @@ seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t)
-ifdef(`distro_redhat',`
- optional_policy(`mta.te',`
- mta_send_mail(rpm_script_t)
- ')
-')
-
ifdef(`targeted_policy',`
unconfined_domain_template(rpm_script_t)
+',`
+ ifdef(`distro_redhat',`
+ optional_policy(`mta.te',`
+ mta_send_mail(rpm_script_t)
+ ')
+ ')
')
tunable_policy(`allow_execmem',`
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 9ea0e72..f23fbd0 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -130,8 +130,6 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fd(crond_t)
-mta_send_mail(crond_t)
-
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
@@ -164,6 +162,8 @@ ifdef(`targeted_policy',`
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
+
+ mta_send_mail(crond_t)
')
tunable_policy(`fcron_crond', `
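Review bot: The relocated mta_send_mail(crond_t) call is still bare, while the rpm.te hunk of this same commit wraps the identical interface call in an optional_policy block keyed on mta.te. If cron.te is expected to build when the mta module is absent, the call here should be guarded the same way, with the optional_policy wrapper used in rpm.te placed around this one line. The enclosing ifdef opens above the hunk, so which branch of targeted_policy the call now sits in cannot be confirmed from these lines. A short comment such as `# mail delivery is only needed when crond_t is confined` would make the intent of the move clear, if that is indeed the reason.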
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 0a46adb..51a4b2a 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -105,6 +105,15 @@ sysnet_dns_name_resolve(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)
+ifdef(`hide_broken_symptoms',`
+ # Red Hat systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_redhat',`
+ kernel_dontaudit_use_fd(system_mail_t)
+ storage_dontaudit_read_fixed_disk(system_mail_t)
+ ')
+')
+
ifdef(`targeted_policy',`
typealias system_mail_t alias sysadm_mail_t;
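Review bot: storage_dontaudit_read_fixed_disk(system_mail_t) silences more than the stray inherited descriptor that the comment describes. Judging by the interface name, any denied read of a fixed-disk device by system_mail_t stops being logged, and a mail helper touching raw disks is a signal an investigator would want to see. The comment should state that the block only suppresses audit records and grants nothing, and that builds used for incident triage should leave hide_broken_symptoms undefined, for example `# dontaudit only: hides denials for fds leaked from the initrd; build without hide_broken_symptoms when auditing`. The existing comment also reads "a stray fds". The same pair of rules is added to init_domain in init.if.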
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 6b38b03..93d6de5 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -32,11 +32,16 @@ interface(`init_domain',`
allow $1 init_t:fifo_file rw_file_perms;
allow $1 init_t:process sigchld;
- # Red Hat systems seem to have a stray
- # fd open from the initrd
- optional_policy(`distro_redhat',`
- kernel_dontaudit_use_fd($1)
- files_dontaudit_read_root_file($1)
+ # Red Hat systems seem to have stray
+ # fds open from the initrd
+ ifdef(`hide_broken_symptoms',`
+ # Red Hat systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_redhat',`
+ kernel_dontaudit_use_fd($1)
+ storage_dontaudit_read_fixed_disk($1)
+ files_dontaudit_read_root_file($1)
+ ')
')
')
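Review bot: The comment about stray initrd descriptors now appears twice in init_domain, once above the hide_broken_symptoms ifdef and again inside it, and the inner copy reads "a stray fds". One copy is enough, e.g. `# Red Hat systems seem to have stray fds open from the initrd`, placed inside the ifdef next to the rules it explains. Because init_domain is an interface applied to $1, the three dontaudit rules take effect for every domain that calls it, and the comment should state that scope so a reader knows how widely denials are being hidden. The interface body starts above the hunk.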