2020-02-12 03:13:24

by Russell Coker

Subject: trivial mail server patch

This patch against git refpolicy has a bunch of trivial patches related to
mail servers. I think it's ready for merging.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


Attachments:
mta.diff (9.80 kB)

2020-02-16 15:34:57

by Chris PeBenito

Subject: Re: trivial mail server patch

On 2/11/20 10:13 PM, Russell Coker wrote:
> This patch against git refpolicy has a bunch of trivial patches related to
> mail servers. I think it's ready for merging.

Please inline the patch and add a Signed-off-by.

> --- refpolicy-2.20200209.orig/policy/modules/services/mailman.fc
> +++ refpolicy-2.20200209/policy/modules/services/mailman.fc
> @@ -23,6 +23,7 @@
> /usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> /usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> /usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
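Review bot: the new /etc/mailman/postfix-to-mailman.py entry is appended after the /usr/lib/mailman lines, but .fc files are kept ordered by path, so it belongs with the existing /etc entries earlier in the file. Labeling a script under /etc as mailman_mail_exec_t also makes it an entry point into the mailman mail domain, so the commit message should confirm this is the path the distribution installs the transport script at rather than a local copy.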

Please move up with other /etc lines.



> --- refpolicy-2.20200209.orig/policy/modules/services/mta.if
> +++ refpolicy-2.20200209/policy/modules/services/mta.if
> @@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte
> userdom_search_user_home_dirs($1)
> manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
> manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> + allow $1 mail_home_rw_t:file map;
> manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> ')
>
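Review bot: `allow $1 mail_home_rw_t:file map;` is added inside a manage interface, so every existing caller of mta_manage_mail_home_rw_content() gains mmap access as a side effect; if only one program needs it, a narrower interface, or at least a note in the interface's <summary> that the content may be mapped, keeps the grant reviewable. Style-wise the raw allow sits between two *_pattern macros; placing it after manage_lnk_files_pattern() keeps the macro calls together.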
> @@ -867,6 +868,7 @@ interface(`mta_read_spool_files',`
>
> files_search_spool($1)
> read_files_pattern($1, mail_spool_t, mail_spool_t)
> + allow $1 mail_spool_t:file map;
> ')
>
> ########################################
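Review bot: mta_read_spool_files() only grants read, and map combined with read alone still limits callers to read-only mappings of the spool, so the rule is consistent with the interface; the <summary> is not updated to say the files may be mapped, though, and the commit message should name which caller needs it so the wider grant to every existing caller is deliberate rather than incidental.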
> @@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
> files_search_spool($1)
> manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
> manage_files_pattern($1, mail_spool_t, mail_spool_t)
> + allow $1 mail_spool_t:file map;
> manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
> ')
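Review bot: same concern as the two hunks above, with one difference: mta_manage_spool() already grants write, so adding map here allows writable shared mappings of spool files for every current caller, which is a broader change than the read-only case and should be justified per caller rather than granted blanket.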

So you're saying that in general these files are all mmaped?


> Index: refpolicy-2.20200209/policy/modules/services/spamassassin.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.if
> +++ refpolicy-2.20200209/policy/modules/services/spamassassin.if
> @@ -433,3 +433,22 @@ interface(`spamassassin_admin',`
> # sa-update
> spamassassin_run_update($1, $2)
> ')
> +
> +########################################
> +## <summary>
> +## Get SA service status
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`spamassassin_service_reload',`
> + gen_require(`
> + type spamassassin_unit_t;
> + ')
> +
> + allow $1 spamassassin_unit_t:service { status reload };
> +')
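Review bot: the interface is named spamassassin_service_reload but its <summary> says "Get SA service status" and the rule grants { status reload }; status only queries the unit while reload changes it, so these are two distinct privileges and should be two interfaces whose names and summaries match what they grant, e.g. spamassassin_status() for status and spamassassin_reload() for reload (both names assumed). The <rolecap/> tag is then appropriate on each, since both are typically handed to an admin role rather than a daemon.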

Need 2 interfaces

> Index: refpolicy-2.20200209/policy/modules/services/spamassassin.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.te
> +++ refpolicy-2.20200209/policy/modules/services/spamassassin.te
> @@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa
> gen_tunable(spamd_enable_home_dirs, false)
>
> type spamd_update_t;
> +typealias spamd_update_t alias { spamd_gpg_t };
> type spamd_update_exec_t;
> init_system_domain(spamd_update_t, spamd_update_exec_t)
>
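Review bot: `typealias spamd_update_t alias { spamd_gpg_t };` makes spamd_gpg_t a second name for spamd_update_t, so any rule elsewhere in the policy that referred to spamd_gpg_t now applies to the sa-update domain itself; the hunk should state why the separate gpg domain is being collapsed. The typealias is also placed between `type spamd_update_t;` and `type spamd_update_exec_t;`, splitting the domain's declaration from its init_system_domain() call; putting it after that line keeps the declaration block readable.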
> @@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
> type spamd_etc_t;
> files_config_file(spamd_etc_t)
>
> -type spamd_gpg_t;
> -domain_type(spamd_gpg_t)
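Review bot: dropping `type spamd_gpg_t;` and `domain_type(spamd_gpg_t)` together with the alias in the previous hunk removes the separate domain in which gpg ran on behalf of sa-update, so gpg verifying downloaded rule updates now runs with the full spamd_update_t permission set; that is a reduction in isolation and needs a justification in the commit message (for example that the transition was never reached) before merging. Any remaining transition or allow rules that named spamd_gpg_t should also be checked, since they will now silently resolve to spamd_update_t through the alias.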

Why are you dropping this?


--
Chris PeBenito