[selinux-policy: 2190/3172] pull in part of fedora mta changes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:14:31 UTC 2010


commit 363e8fb98aaf02f4401720b6040857cd98074ea3
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jul 29 10:59:09 2009 -0400

    pull in part of fedora mta changes

 policy/modules/services/mta.fc |   10 +++++-----
 policy/modules/services/mta.if |   36 +++++++++++++++++++++++++++++++++---
 policy/modules/services/mta.te |   37 ++++++++++++++++++++++++++++++-------
 3 files changed, 68 insertions(+), 15 deletions(-)
---
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 16ec200..5193fc3 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,4 +1,4 @@
-/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
@@ -9,11 +9,15 @@ ifdef(`distro_redhat',`
 /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
 ')
 
+/usr/bin/esmtp    		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
 /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp 		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
 
@@ -22,7 +26,3 @@ ifdef(`distro_redhat',`
 /var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
-
-#ifdef(`postfix.te', `', `
-#/var/spool/postfix(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
-#')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 6641292..9b9dd2d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -94,6 +94,12 @@ template(`mta_base_mail_template',`
 	miscfiles_read_localization($1_mail_t)
 
 	optional_policy(`
+		exim_read_log($1_mail_t)
+		exim_append_log($1_mail_t)
+		exim_manage_spool_files($1_mail_t)
+	')
+
+	optional_policy(`
 		postfix_domtrans_user_mail_handler($1_mail_t)
 	')
 
@@ -130,6 +136,9 @@ template(`mta_base_mail_template',`
 		sendmail_create_log($1_mail_t)
 	')
 
+	optional_policy(`
+		uucp_manage_spool($1_mail_t)
+	')
 ')
 
 ########################################
@@ -307,6 +316,7 @@ interface(`mta_mailserver_delivery',`
 
 	optional_policy(`
 		dovecot_manage_spool($1)
+		dovecot_domtrans_deliver($1)
 	')
 
 	optional_policy(`
@@ -446,6 +456,25 @@ interface(`mta_read_config',`
 
 ########################################
 ## <summary>
+##	write mail server configuration.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_write_config',`
+	gen_require(`
+		type etc_mail_t;
+	')
+
+	write_files_pattern($1, etc_mail_t, etc_mail_t)
+')
+
+########################################
+## <summary>
 ##	Read mail address aliases.
 ## </summary>
 ## <param name="domain">
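Review bot: `mta_write_config` grants write on `etc_mail_t` files but nothing to reach them: there is no `files_search_etc($1)` ahead of the `write_files_pattern` call, so a caller that does not already hold search on `etc_t` is denied before it ever touches the configuration. If `mta_read_config`, whose body ends just above this hunk, pairs its pattern with `files_search_etc($1)` as the read interfaces in this file typically do, this interface should mirror it: insert `files_search_etc($1)` before `write_files_pattern($1, etc_mail_t, etc_mail_t)`. The summary `write mail server configuration.` should also be capitalized (`Write mail server configuration.`) to match the `Read mail address aliases.` summary it sits beside.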
@@ -591,8 +620,8 @@ interface(`mta_getattr_spool',`
 
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir list_dir_perms;
-	allow $1 mail_spool_t:lnk_file read;
-	allow $1 mail_spool_t:file getattr;
+	getattr_files_pattern($1, mail_spool_t, mail_spool_t)
+	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
 ########################################
@@ -612,7 +641,7 @@ interface(`mta_dontaudit_getattr_spool_files',`
 	')
 
 	files_dontaudit_search_spool($1)
-	dontaudit $1 mail_spool_t:dir search;
+	dontaudit $1 mail_spool_t:dir search_dir_perms;
 	dontaudit $1 mail_spool_t:lnk_file read;
 	dontaudit $1 mail_spool_t:file getattr;
 ')
@@ -806,6 +835,7 @@ interface(`mta_manage_queue',`
 	')
 
 	files_search_spool($1)
+	manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
 	manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
 ')
 
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 5c33cd6..992fd4a 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta, 2.1.2)
+policy_module(mta, 2.1.3)
 
 ########################################
 #
@@ -47,20 +47,27 @@ ubac_constrained(user_mail_tmp_t)
 #
 
 # newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
+allow system_mail_t self:capability { dac_override fowner };
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
 
 read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
 
 allow system_mail_t mta_exec_type:file entrypoint;
 
-allow system_mail_t mailcontent_type:file read_file_perms;
+can_exec(system_mail_t, mta_exec_type)
 
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
 
+dev_read_sysfs(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
 init_use_script_ptys(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
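Review bot: The comment `# newalias required this, not sure if it is needed in 'if' file` now sits above a rule that also grants `fowner`, but it only explains `dac_override`, so the reason the mail domain needs to bypass file-ownership checks is undocumented; add a line such as `# fowner: <which MTA/operation needs it — TODO confirm>` or fold the reason into the existing comment. The new `dev_read_sysfs`, `fs_rw_anon_inodefs_files` and `selinux_getattr_fs` calls likewise arrive without a note on which MTA prompted them. `can_exec(system_mail_t, mta_exec_type)` lets `system_mail_t` run every `mta_exec_type` binary without a domain transition; that is presumably intended for the esmtp/ssmtp-style wrappers labelled in mta.fc, but since the same attribute carries the sendmail and postfix entrypoints, a one-line comment stating that intent would save the next reader from guessing.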
@@ -86,15 +93,35 @@ optional_policy(`
 ')
 
 optional_policy(`
+	clamav_stream_connect(system_mail_t)
+	clamav_append_log(system_mail_t)
+')
+
+optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
 ')
 
 optional_policy(`
+	courier_manage_spool_dirs(system_mail_t)
+	courier_manage_spool_files(system_mail_t)
+	courier_rw_spool_pipes(system_mail_t)
+')
+
+optional_policy(`
 	cvs_read_data(system_mail_t)
 ')
 
 optional_policy(`
+	exim_domtrans(system_mail_t)
+	exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
+	fail2ban_append_log(system_mail_t)
+')
+
+optional_policy(`
 	logrotate_read_tmp_files(system_mail_t)
 ')
 
@@ -132,10 +159,6 @@ optional_policy(`
 		# compatability for old default main.cf
 		postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
 	')
-
-	optional_policy(`
-		cron_rw_tcp_sockets(system_mail_t)
-	')
 ')
 
 optional_policy(`

