[selinux-policy: 1204/3172] clean up patch from Serge Fri, 10 Feb 2006 18:01:06 -0600
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:49:01 UTC 2010
commit 807a7778d15e8b2365801cb3eb0a52a33cb296bf
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Feb 14 20:39:45 2006 +0000
clean up patch from Serge Fri, 10 Feb 2006 18:01:06 -0600
refpolicy/policy/modules/services/mta.if | 22 ++++----
refpolicy/policy/modules/services/postfix.if | 5 +-
refpolicy/policy/modules/system/userdomain.if | 70 +++++++++++++++++++++++++
3 files changed, 84 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 67198fe..157647e 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -224,6 +224,12 @@ template(`mta_per_userdomain_template',`
userdom_manage_user_home_subdir_pipes($1,mailserver_delivery)
userdom_manage_user_home_subdir_sockets($1,mailserver_delivery)
userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
+ # Read user temporary files.
+ userdom_read_user_tmp_files($1,$1_mail_t)
+ userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
+ # cjp: this should probably be read all user tmp
+ # files in an appropriate place for mta_user_agent
+ userdom_read_user_tmp_files($1,mta_user_agent)
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t)
@@ -232,21 +238,17 @@ template(`mta_per_userdomain_template',`
optional_policy(`postfix',`
allow $1_mail_t self:capability dac_override;
- postfix_read_config($1_mail_t)
- postfix_list_spool($1_mail_t)
- ')
- ifdef(`TODO',`
- # Read user temporary files.
- allow $1_mail_t $1_tmp_t:file r_file_perms;
- dontaudit $1_mail_t $1_tmp_t:file append;
- ifdef(`postfix.te',`
+ # Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
- allow $1_mail_t $1_tmp_t:file write;
+ userdom_rw_user_tmp_files($1,$1_mail_t)
+
+ postfix_read_config($1_mail_t)
+ postfix_list_spool($1_mail_t)
')
- allow mta_user_agent $1_tmp_t:file r_file_perms;
+ ifdef(`TODO',`
# if you do not want to allow dead.letter then use the following instead
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
#allow $1_mail_t $1_home_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index dab0922..446282e 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -157,11 +157,10 @@ template(`postfix_user_domain_template',`
template(`postfix_per_userdomain_template',`
gen_require(`
attribute postfix_user_domains;
+ type postfix_postdrop_t;
')
- # cjp: perhaps this should actually be $3
- # instead of just sysadm_r?
- #role sysadm_r types postfix_user_domains;
+ role $3 types postfix_postdrop_t;
allow postfix_user_domains $2:process sigchld;
allow postfix_user_domains $2:fifo_file { write getattr };
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index d0e73f3..82c0117 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1917,6 +1917,76 @@ template(`userdom_dontaudit_read_user_tmp_files',`
########################################
## <summary>
+## Do not audit attempts to append users
+## temporary files.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to append users
+## temporary files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+template(`userdom_dontaudit_append_user_tmp_files',`
+ gen_require(`
+ type $1_tmp_t;
+ ')
+
+ dontaudit $2 $1_tmp_t:file append;
+')
+
+########################################
+## <summary>
+## Read and write user temporary files.
+## </summary>
+## <desc>
+## <p>
+## Read and write user temporary files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_rw_user_tmp_files',`
+ gen_require(`
+ type $1_tmp_t;
+ ')
+
+ files_search_tmp($2)
+ allow $2 $1_tmp_t:dir r_dir_perms;
+ allow $2 $1_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
## Read user
## temporary symbolic links.
## </summary>
More information about the scm-commits
mailing list