Small set of updates to contrib modules.
Sven Vermeulen (4):
Be able to display dovecot errors
Remove transition to ldconfig
Adding mta as mail server
Adding interfaces for handling cron log files
cron.if | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
dovecot.te | 1 +
mta.fc | 2 +
portage.if | 4 +--
4 files changed, 87 insertions(+), 3 deletions(-)
--
1.7.8.6
When the dovecot service is started, it might display the failures
(configuration file failures, or permission errors) but only when allowed to
write to the user terminals.
Signed-off-by: Sven Vermeulen <[email protected]>
---
dovecot.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/dovecot.te b/dovecot.te
index 2017ffc..1a55371 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -152,6 +152,7 @@ miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_use_user_terminals(dovecot_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(dovecot_t)
--
1.7.8.6
Up until now, we had ldconfig_t as the only domain that the portage compile
domains (like portage_sandbox_t) can transition towards. But this is not
necessary, and even lead to a few hickups (like sandbox requiring ptrace towards
the ldconfig domain).
Remove the domain transition, and just execute ldconfig when needed. Everything
remains within the sandbox domain.
Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.if | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/portage.if b/portage.if
index 1ae194e..67e8c12 100644
--- a/portage.if
+++ b/portage.if
@@ -177,9 +177,7 @@ interface(`portage_compile_domain',`
libs_exec_lib_files($1)
# some config scripts use ldd
libs_exec_ld_so($1)
- # this violates the idea of sandbox, but
- # regular sandbox allows it
- libs_domtrans_ldconfig($1)
+ libs_exec_ldconfig($1)
logging_send_syslog_msg($1)
--
1.7.8.6
Adding the locations of Exim to the mta.fc file.
Signed-off-by: Sven Vermeulen <[email protected]>
---
mta.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/mta.fc b/mta.fc
index dc894b4..6ba6c2b 100644
--- a/mta.fc
+++ b/mta.fc
@@ -19,6 +19,7 @@ HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/exim -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -28,6 +29,7 @@ HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/var/spool/exim(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
--
1.7.8.6
Adding interfaces for a named file transition, create, setattr and write
privileges on cron log files. Will be used for the system logger domain later.
Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.if | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 83 insertions(+), 0 deletions(-)
diff --git a/cron.if b/cron.if
index 2981f1f..e6259bd 100644
--- a/cron.if
+++ b/cron.if
@@ -409,6 +409,89 @@ interface(`cron_sigchld',`
########################################
## <summary>
+## Set the attributes of cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_setattr_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ allow $1 cron_log_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_create_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ allow $1 cron_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+## Write to cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_write_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ allow $1 cron_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read cron daemon unnamed pipes.
## </summary>
## <param name="domain">
--
1.7.8.6