[selinux-policy: 2671/3172] MTA patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:57:31 UTC 2010
commit e19b8d1c2e671a937d3d23a0166b147c3a2ad6d7
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed May 19 09:00:39 2010 -0400
MTA patch from Dan Walsh.
policy/modules/services/mta.if | 39 +++++++++++++++++++++++++++++++++++++++
policy/modules/services/mta.te | 7 ++++++-
2 files changed, 45 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 44e782e..c57356a 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -356,6 +356,7 @@ interface(`mta_send_mail',`
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ corecmd_read_bin_symlinks($1)
domtrans_pattern($1, mta_exec_type, system_mail_t)
allow mta_user_agent $1:fd use;
@@ -400,6 +401,25 @@ interface(`mta_sendmail_domtrans',`
########################################
## <summary>
+## Send system mail client a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`mta_signal_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process signal;
+')
+
+########################################
+## <summary>
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
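Review bot: The doc header of the new `mta_signal_system_mail` interface ends with two `#` lines where `mta_list_queue` later in this file uses one, and its summary lacks the closing period the neighbouring summaries carry; I would drop the extra `#` and write `## Send generic signals to the system mail client.`. The rule grants only the `signal` permission on `system_mail_t:process`, which in the process class does not cover SIGKILL, SIGSTOP, SIGCHLD or the null signal, so "a signal" overstates what a caller receives. No caller of the interface is visible in this commit, so which domain is meant to signal the mail client cannot be checked from here.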
@@ -765,6 +785,25 @@ interface(`mta_search_queue',`
#######################################
## <summary>
+## List the mail queue.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_list_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ allow $1 mqueue_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
+#######################################
+## <summary>
## Read the mail queue.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 797d86b..29f117c 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta, 2.2.1)
+policy_module(mta, 2.2.2)
########################################
#
@@ -71,10 +71,14 @@ dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
+files_read_usr_files(system_mail_t)
+
fs_rw_anon_inodefs_files(system_mail_t)
selinux_getattr_fs(system_mail_t)
+term_dontaudit_use_unallocated_ttys(system_mail_t)
+
init_use_script_ptys(system_mail_t)
userdom_use_user_terminals(system_mail_t)
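Review bot: `term_dontaudit_use_unallocated_ttys(system_mail_t)` silences the audit records for `system_mail_t` touching unallocated ttys, so those denials no longer show up in the audit log, and the line carries no comment saying why the access is benign. A short rationale above it, for example `# descriptors inherited from the invoking process; the denial is harmless` (wording for the author to confirm), would let someone triaging mail-related AVCs know the gap is deliberate. `files_read_usr_files(system_mail_t)` is added without a reason as well; judging by its name it covers generic files under /usr rather than a mail-specific type, so a comment naming what the mail client reads there would help a later reviewer decide whether a narrower rule fits.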
@@ -107,6 +111,7 @@ optional_policy(`
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
+ cron_rw_system_job_stream_sockets(system_mail_t)
')
optional_policy(`
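Review bot: `cron_rw_system_job_stream_sockets(system_mail_t)` allows read and write on the system cron job's stream sockets, while the line directly above only dontaudits writes to cron's pipes, and nothing in the block explains why the socket case is allowed rather than silenced. If the access is limited to a descriptor inherited when cron hands job output to the mailer, which the interface name suggests but the hunk does not show, a comment such as `# cron passes job output to the mailer over an inherited stream socket` would record that intent.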