[selinux-policy: 2049/3172] trunk: 10 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:01:56 UTC 2010


commit 5843d066b6311809840dac88a1297683988b368d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 11 16:38:34 2008 +0000

    trunk: 10 patches from dan.

 policy/modules/services/aide.if     |    4 +-
 policy/modules/services/aide.te     |    2 +-
 policy/modules/services/arpwatch.fc |    1 +
 policy/modules/services/arpwatch.if |   42 ++++++++++++++++++++++
 policy/modules/services/arpwatch.te |    5 ++-
 policy/modules/services/asterisk.fc |    1 +
 policy/modules/services/asterisk.if |   52 +++++++++++++++++++++++++++
 policy/modules/services/asterisk.te |    5 ++-
 policy/modules/services/bind.fc     |    2 +-
 policy/modules/services/bind.if     |   35 ++++++++++++++----
 policy/modules/services/bind.te     |    4 ++-
 policy/modules/services/inetd.fc    |    2 +
 policy/modules/services/inetd.te    |    4 ++-
 policy/modules/services/lpd.fc      |    3 ++
 policy/modules/services/lpd.te      |    2 +-
 policy/modules/services/postgrey.fc |    4 ++
 policy/modules/services/postgrey.if |   66 +++++++++++++++++++++++++++++++++--
 policy/modules/services/postgrey.te |   20 +++++++++-
 policy/modules/services/privoxy.fc  |    2 +
 policy/modules/services/privoxy.if  |   17 +++++++--
 policy/modules/services/privoxy.te  |    6 +++-
 policy/modules/services/qmail.te    |   10 +++++-
 policy/modules/services/roundup.fc  |    2 +
 policy/modules/services/roundup.if  |   38 ++++++++++++++++++++
 policy/modules/services/roundup.te  |    5 ++-
 25 files changed, 306 insertions(+), 28 deletions(-)
---
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index 5b8def1..592d5c4 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -64,8 +64,8 @@ interface(`aide_admin',`
 	ps_process_pattern($1, aide_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, aide_db_t, aide_db_t)
+	admin_pattern($1, aide_db_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, aide_log_t, aide_log_t)
+	admin_pattern($1, aide_log_t)
 ')
diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te
index aa3692c..155eb2b 100644
--- a/policy/modules/services/aide.te
+++ b/policy/modules/services/aide.te
@@ -1,5 +1,5 @@
 
-policy_module(aide, 1.4.1)
+policy_module(aide, 1.4.2)
 
 ########################################
 #
diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc
index 6318f23..a86a6c7 100644
--- a/policy/modules/services/arpwatch.fc
+++ b/policy/modules/services/arpwatch.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/arpwatch --	gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
 
 #
 # /usr
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
index 5757c34..92e2dc8 100644
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
@@ -90,3 +90,45 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
 
 	dontaudit $1 arpwatch_t:packet_socket { read write };
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an arpwatch environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the arpwatch domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`arpwatch_admin',`
+	gen_require(`
+		type arpwatch_t, arpwatch_tmp_t;
+		type arpwatch_data_t, arpwatch_var_run_t;
+		type arpwatch_initrc_exec_t;
+	')
+
+	allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, arpwatch_t)
+
+	init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 arpwatch_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, arpwatch_tmp_t)
+
+	files_list_var($1)
+	admin_pattern($1, arpwatch_data_t)
+
+	files_list_pids($1)
+	admin_pattern($1, arpwatch_var_run_t)
+')
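Review bot: The `getattr` in `allow $1 arpwatch_t:process { ptrace signal_perms getattr };` looks redundant, since `ps_process_pattern($1, arpwatch_t)` on the next line already covers process getattr in refpolicy (worth confirming against the pattern definition), and the sibling admin interfaces this commit adds for bind, postgrey and roundup omit it; either form works, but the set should be consistent across the commit. The summary line `##	All of the rules required to administrate ` carries trailing whitespace, and the same line appears in the asterisk.if, postgrey.if and roundup.if hunks. Suggest `allow $1 arpwatch_t:process { ptrace signal_perms };` and trimming the trailing space in all four files.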
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index 27bf9ad..0edf99b 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -1,5 +1,5 @@
 
-policy_module(arpwatch, 1.6.1)
+policy_module(arpwatch, 1.6.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(arpwatch_t, arpwatch_exec_t)
 type arpwatch_data_t;
 files_type(arpwatch_data_t)
 
+type arpwatch_initrc_exec_t;
+init_script_file(arpwatch_initrc_exec_t)
+
 type arpwatch_tmp_t;
 files_tmp_file(arpwatch_tmp_t)
 
diff --git a/policy/modules/services/asterisk.fc b/policy/modules/services/asterisk.fc
index fabece5..b4889d4 100644
--- a/policy/modules/services/asterisk.fc
+++ b/policy/modules/services/asterisk.fc
@@ -1,4 +1,5 @@
 /etc/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_etc_t,s0)
+/etc/rc\.d/init\.d/asterisk --	gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
 
 /usr/sbin/asterisk	--	gen_context(system_u:object_r:asterisk_exec_t,s0)
 
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
index 3ff41f2..85a7e27 100644
--- a/policy/modules/services/asterisk.if
+++ b/policy/modules/services/asterisk.if
@@ -1 +1,53 @@
 ## <summary>Asterisk IP telephony server</summary>
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an asterisk environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the asterisk domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`asterisk_admin',`
+	gen_require(`
+		type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+		type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
+		type asterisk_var_lib_t;
+		type asterisk_initrc_exec_t;
+	')
+
+	allow $1 asterisk_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, asterisk_t)
+
+	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 asterisk_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, asterisk_tmp_t)
+
+	files_list_etc($1)
+	admin_pattern($1, asterisk_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, asterisk_log_t)
+
+	files_list_spool($1)
+	admin_pattern($1, asterisk_spool_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, asterisk_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, asterisk_var_run_t)
+')
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 6f1f982..d40cae5 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,5 +1,5 @@
 
-policy_module(asterisk, 1.5.1)
+policy_module(asterisk, 1.5.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(asterisk_t, asterisk_exec_t)
 type asterisk_etc_t;
 files_config_file(asterisk_etc_t)
 
+type asterisk_initrc_exec_t;
+init_script_file(asterisk_initrc_exec_t)
+
 type asterisk_log_t;
 logging_log_file(asterisk_log_t)
 
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index 7347588..2464c6c 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -1,4 +1,4 @@
-/etc/rc.d/init.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 /etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
 
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index c28e4d9..728901d 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -261,19 +261,18 @@ interface(`bind_udp_chat_named',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal.
+##	The role to be allowed to manage the bind domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`bind_admin',`
 	gen_require(`
-		type named_t, ndc_t;
+		type named_t, named_tmp_t, named_log_t;
+		type named_conf_t, named_var_run_t;
+		type named_cache_t, named_zone_t;
+		type dnssec_t, ndc_t;
+		type named_initrc_exec_t;
 	')
 
 	allow $1 named_t:process { ptrace signal_perms };
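Review bot: Dropping the `terminal` parameter turns bind_admin from a three-argument into a two-argument interface, and this diff does not show its callers being updated; m4 silently discards surplus arguments, so a caller still passing a terminal type keeps building, but the change should be called out for downstream policy that references the old signature. The body of bind_admin continues past this hunk.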
@@ -282,5 +281,25 @@ interface(`bind_admin',`
 	allow $1 ndc_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ndc_t)
 
-	bind_run_ndc($1, $2, $3)
+	bind_run_ndc($1, $2)
+
+	domain_system_change_exemption($1)
+	role_transition $2 named_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, named_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, named_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, named_conf_t)
+
+	admin_pattern($1, named_cache_t)
+	admin_pattern($1, named_zone_t)
+	admin_pattern($1, dnssec_t)
+
+	files_list_pids($1)
+	admin_pattern($1, named_var_run_t)
 ')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 77dfd18..72f6279 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
 
-policy_module(bind, 1.8.1)
+policy_module(bind, 1.8.2)
 
 ########################################
 #
@@ -242,6 +242,8 @@ sysnet_dns_name_resolve(ndc_t)
 
 userdom_use_user_terminals(ndc_t)
 
+term_dontaudit_use_console(ndc_t)
+
 # for /etc/rndc.key
 ifdef(`distro_redhat',`
 	allow ndc_t named_conf_t:dir search;
diff --git a/policy/modules/services/inetd.fc b/policy/modules/services/inetd.fc
index b460519..a43de46 100644
--- a/policy/modules/services/inetd.fc
+++ b/policy/modules/services/inetd.fc
@@ -1,6 +1,8 @@
 
 /usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
 /usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
 /usr/sbin/inetd		--	gen_context(system_u:object_r:inetd_exec_t,s0)
 /usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
 /usr/sbin/xinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index faeadf0..441c7ab 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
 
-policy_module(inetd, 1.8.1)
+policy_module(inetd, 1.8.2)
 
 ########################################
 #
@@ -136,6 +136,7 @@ corecmd_read_bin_symlinks(inetd_t)
 domain_use_interactive_fds(inetd_t)
 
 files_read_etc_files(inetd_t)
+files_read_etc_runtime_files(inetd_t)
 
 logging_send_syslog_msg(inetd_t)
 
@@ -219,6 +220,7 @@ dev_read_urand(inetd_child_t)
 fs_getattr_xattr_fs(inetd_child_t)
 
 files_read_etc_files(inetd_child_t)
+files_read_etc_runtime_files(inetd_child_t)
 
 auth_use_nsswitch(inetd_child_t)
 
diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc
index fafcfb0..a6704a2 100644
--- a/policy/modules/services/lpd.fc
+++ b/policy/modules/services/lpd.fc
@@ -22,11 +22,14 @@
 /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
 /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
 
 #
 # /var
 #
 /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/cups-pdf(/.*)?	gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
 /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 0dd55e8..a37c4fe 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
 
-policy_module(lpd, 1.10.1)
+policy_module(lpd, 1.10.2)
 
 ########################################
 #
diff --git a/policy/modules/services/postgrey.fc b/policy/modules/services/postgrey.fc
index f04d5ba..6f82963 100644
--- a/policy/modules/services/postgrey.fc
+++ b/policy/modules/services/postgrey.fc
@@ -1,5 +1,7 @@
 
 /etc/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_etc_t,s0)
+/etc/rc\.d/init\.d/postgrey --	gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+
 
 /usr/sbin/postgrey	--	gen_context(system_u:object_r:postgrey_exec_t,s0)
 
@@ -7,3 +9,5 @@
 
 /var/run/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_run_t,s0)
 /var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
index 90f7a87..1600536 100644
--- a/policy/modules/services/postgrey.if
+++ b/policy/modules/services/postgrey.if
@@ -12,10 +12,70 @@
 #
 interface(`postgrey_stream_connect',`
         gen_require(`
-                type postgrey_var_run_t, postgrey_t;
+                type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
         ')
 
-	allow $1 postgrey_t:unix_stream_socket connectto;
-        allow $1 postgrey_var_run_t:sock_file write;
+	stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
+	stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
 	files_search_pids($1)
 ')
+
+########################################
+## <summary>
+##      Search the spool directory
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+#
+interface(`postgrey_search_spool',`
+        gen_require(`
+                type postgrey_spool_t;
+        ')
+
+	allow $1 postgrey_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an postgrey environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the postgrey domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgrey_admin',`
+	gen_require(`
+		type postgrey_t, postgrey_etc_t;
+		type postgrey_var_lib_t, postgrey_var_run_t;
+		type postgrey_initrc_exec_t;
+	')
+
+	allow $1 postgrey_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postgrey_t)
+
+	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 postgrey_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, postgrey_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, postgrey_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, postgrey_var_run_t)
+')
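Review bot: postgrey_admin neither requires nor administers the new `postgrey_spool_t`, even though this same commit adds that type and gives postgrey_t full management of it in postgrey.te, so the admin role cannot clean up /var/spool/postfix/postgrey; add `type postgrey_spool_t;` to the gen_require block and `files_list_spool($1)` / `admin_pattern($1, postgrey_spool_t)` next to the other pairs. In postgrey_stream_connect, the new `stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)` grants search only on the socket's own directory; since postgrey.fc places it under /var/spool/postfix, a caller presumably also needs search on /var/spool and the postfix spool directory, which the interface does not grant (it keeps only `files_search_pids($1)`) — confirm against the intended callers. The hunk also mixes space-indented gen_require blocks with tab-indented bodies, and the summary reads `an postgrey environment` where `a postgrey environment` is meant (the roundup.if hunk has the same `an roundup`).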
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index 7c40fed..f0d4951 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,5 +1,5 @@
 
-policy_module(postgrey, 1.5.1)
+policy_module(postgrey, 1.5.2)
 
 ########################################
 #
@@ -13,6 +13,12 @@ init_daemon_domain(postgrey_t, postgrey_exec_t)
 type postgrey_etc_t;
 files_config_file(postgrey_etc_t)
 
+type postgrey_initrc_exec_t;
+init_script_file(postgrey_initrc_exec_t)
+
+type postgrey_spool_t;
+files_type(postgrey_spool_t)
+
 type postgrey_var_lib_t;
 files_type(postgrey_var_lib_t)
 
@@ -24,15 +30,21 @@ files_pid_file(postgrey_var_run_t)
 # Local policy
 #
 
-allow postgrey_t self:capability { chown setgid setuid };
+allow postgrey_t self:capability { chown dac_override setgid setuid };
 dontaudit postgrey_t self:capability sys_tty_config;
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:fifo_file create_fifo_file_perms;
 
 allow postgrey_t postgrey_etc_t:dir list_dir_perms;
 read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
 read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
 
+manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
@@ -82,6 +94,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	postfix_read_config(postgrey_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(postgrey_t)
 ')
 
diff --git a/policy/modules/services/privoxy.fc b/policy/modules/services/privoxy.fc
index 79e1e13..7985e38 100644
--- a/policy/modules/services/privoxy.fc
+++ b/policy/modules/services/privoxy.fc
@@ -1,5 +1,7 @@
 
 /etc/privoxy/user\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+/etc/privoxy/default\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+/etc/rc\.d/init\.d/privoxy --	gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
 
 /usr/sbin/privoxy	--	gen_context(system_u:object_r:privoxy_exec_t,s0)
 
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
index af6312e..1da26dc 100644
--- a/policy/modules/services/privoxy.if
+++ b/policy/modules/services/privoxy.if
@@ -10,23 +10,34 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`privoxy_admin',`
 	gen_require(`
 		type privoxy_t, privoxy_log_t;
 		type privoxy_etc_rw_t, privoxy_var_run_t;
+		type privoxy_initrc_exec_t;
 	')
 
 	allow $1 privoxy_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, privoxy_t)
 
+	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 privoxy_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	logging_list_logs($1)
-	manage_files_pattern($1, privoxy_log_t, privoxy_log_t)
+	admin_pattern($1, privoxy_log_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, privoxy_etc_rw_t, privoxy_etc_rw_t)
+	admin_pattern($1, privoxy_etc_rw_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t)
+	admin_pattern($1, privoxy_var_run_t)
 ')
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 5c6323b..cb15d24 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
 
-policy_module(privoxy, 1.7.1)
+policy_module(privoxy, 1.7.2)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t, privoxy_exec_t)
 
+type privoxy_initrc_exec_t;
+init_script_file(privoxy_initrc_exec_t)
+
 type privoxy_etc_rw_t;
 files_type(privoxy_etc_rw_t)
 
@@ -50,6 +53,7 @@ corenet_tcp_bind_http_cache_port(privoxy_t)
 corenet_tcp_connect_http_port(privoxy_t)
 corenet_tcp_connect_http_cache_port(privoxy_t)
 corenet_tcp_connect_ftp_port(privoxy_t)
+corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
 corenet_tcp_connect_tor_port(privoxy_t)
 corenet_sendrecv_http_cache_client_packets(privoxy_t)
 corenet_sendrecv_http_cache_server_packets(privoxy_t)
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 1da1661..3fb1e48 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -1,5 +1,5 @@
 
-policy_module(qmail, 1.4.1)
+policy_module(qmail, 1.4.2)
 
 ########################################
 #
@@ -121,6 +121,10 @@ mta_append_spool(qmail_local_t)
 
 qmail_domtrans_queue(qmail_local_t)
 
+optional_policy(`
+	spamassassin_domtrans_client(qmail_local_t)
+')
+
 ########################################
 #
 # qmail-lspawn local policy
@@ -252,6 +256,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kerberos_keytab_template(qmail, qmail_smtpd_t)
+')
+
+optional_policy(`
 	ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
 ')
 
diff --git a/policy/modules/services/roundup.fc b/policy/modules/services/roundup.fc
index 0b5ac58..d61e6d3 100644
--- a/policy/modules/services/roundup.fc
+++ b/policy/modules/services/roundup.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/roundup	--	gen_context(system_u:object_r:roundup_initrc_exec_t,s0)
+
 #
 # /usr
 #
diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if
index f93997c..30c4b75 100644
--- a/policy/modules/services/roundup.if
+++ b/policy/modules/services/roundup.if
@@ -1 +1,39 @@
 ## <summary>Roundup Issue Tracking System policy</summary>
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an roundup environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the roundup domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`roundup_admin',`
+	gen_require(`
+		type roundup_t, roundup_var_lib_t, roundup_var_run_t;
+		type roundup_initrc_exec_t;
+	')
+
+	allow $1 roundup_t:process { ptrace signal_perms };
+	ps_process_pattern($1, roundup_t)
+
+	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 roundup_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var_lib($1)
+	admin_pattern($1, roundup_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, roundup_var_run_t)
+')
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index 1325aa7..174a5d3 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -1,5 +1,5 @@
 
-policy_module(roundup, 1.5.1)
+policy_module(roundup, 1.5.2)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type roundup_t;
 type roundup_exec_t;
 init_daemon_domain(roundup_t, roundup_exec_t)
 
+type roundup_initrc_exec_t;
+init_script_file(roundup_initrc_exec_t)
+
 type roundup_var_run_t;
 files_pid_file(roundup_var_run_t)
 

