[selinux-policy: 2671/3172] MTA patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:57:31 UTC 2010


commit e19b8d1c2e671a937d3d23a0166b147c3a2ad6d7
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed May 19 09:00:39 2010 -0400

    MTA patch from Dan Walsh.

 policy/modules/services/mta.if |   39 +++++++++++++++++++++++++++++++++++++++
 policy/modules/services/mta.te |    7 ++++++-
 2 files changed, 45 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 44e782e..c57356a 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -356,6 +356,7 @@ interface(`mta_send_mail',`
 	')
 
 	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+	corecmd_read_bin_symlinks($1)
 	domtrans_pattern($1, mta_exec_type, system_mail_t)
 
 	allow mta_user_agent $1:fd use;
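Review bot: `corecmd_read_bin_symlinks($1)` is added inside `mta_send_mail`, so every domain that calls this interface gains read access to bin symlinks, not only the domain that prompted the patch. The line above already allows reading `mta_exec_type` symlinks, so a short comment on why the generic one is also needed would help, for instance `# sendmail path may resolve through a bin_t symlink` if that is the reason. The interface starts before this hunk and continues after it.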
@@ -400,6 +401,25 @@ interface(`mta_sendmail_domtrans',`
 
 ########################################
 ## <summary>
+##	Send system mail client a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`mta_signal_system_mail',`
+	gen_require(`
+		type system_mail_t;
+	')
+
+	allow $1 system_mail_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute sendmail in the caller domain.
 ## </summary>
 ## <param name="domain">
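Review bot: The doc block of `mta_signal_system_mail` says only "a signal", while the rule `allow $1 system_mail_t:process signal;` grants the generic `signal` permission and not `sigkill`, `sigstop`, `signull` or `sigchld`. The summary should say so, e.g. `##	Send a generic signal to the system mail client.`. The header also ends with two bare `#` lines, where the `mta_list_queue` header added later in this patch uses one. No caller of the new interface is visible in this commit, so which domain needs to signal system_mail_t cannot be checked from here.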
@@ -765,6 +785,25 @@ interface(`mta_search_queue',`
 
 #######################################
 ## <summary>
+##	List the mail queue.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_list_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	allow $1 mqueue_spool_t:dir list_dir_perms;
+	files_search_spool($1)
+')
+
+#######################################
+## <summary>
 ##	Read the mail queue.
 ## </summary>
 ## <param name="domain">
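Review bot: The summary of `mta_list_queue` does not separate it from the "Read the mail queue" interface that follows. The rule grants `list_dir_perms` on `mqueue_spool_t` directories only, which exposes queue entry names but not file contents. A summary such as `##	List the contents of the mail queue directories.` would make that boundary clear to callers choosing between the two. The following interface's body is outside the hunk, so what it grants cannot be compared here.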
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 797d86b..29f117c 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta, 2.2.1)
+policy_module(mta, 2.2.2)
 
 ########################################
 #
@@ -71,10 +71,14 @@ dev_read_sysfs(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
+files_read_usr_files(system_mail_t)
+
 fs_rw_anon_inodefs_files(system_mail_t)
 
 selinux_getattr_fs(system_mail_t)
 
+term_dontaudit_use_unallocated_ttys(system_mail_t)
+
 init_use_script_ptys(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
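Review bot: `files_read_usr_files(system_mail_t)` and `term_dontaudit_use_unallocated_ttys(system_mail_t)` are added without a comment, and the commit message gives no reason for either. The first presumably opens read access to everything labelled usr_t, which is wide for a mail client; a line such as `# <which /usr files the mailer reads>` above it would let a later reviewer narrow it. The second suppresses audit records rather than granting access, so denied use of unallocated ttys by system_mail_t will no longer show up in the audit log. That is worth recording next to the rule, e.g. `# tty inherited from <caller>; denial is expected`.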
@@ -107,6 +111,7 @@ optional_policy(`
 optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
+	cron_rw_system_job_stream_sockets(system_mail_t)
 ')
 
 optional_policy(`
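Review bot: `cron_rw_system_job_stream_sockets(system_mail_t)` sits directly under `cron_dontaudit_write_pipes(system_mail_t)`, and the asymmetry is unexplained. The block now silences writes to cron pipes while allowing read/write on what the interface name indicates are system cron job stream sockets. If this is for descriptors the mailer inherits from a system cron job, say so in a comment, e.g. `# stream socket inherited from a system cron job`. The interface definition is not in this diff, so the exact permissions it grants should be checked in the cron module.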

