Smaller set of updates on contrib modules, slight change in
cron_create_log_files to use create_files_pattern to support cron_log_t marked
directories as well.
Sven Vermeulen (4):
Be able to display dovecot errors
Remove transition to ldconfig
Adding mta as mail server
Adding interfaces for handling cron log files
cron.if | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
dovecot.te | 1 +
mta.fc | 2 +
portage.if | 4 +--
4 files changed, 87 insertions(+), 3 deletions(-)
--
1.7.8.6
When the dovecot service is started, it might display the failures
(configuration file failures, or permission errors) but only when allowed to
write to the user terminals.
Signed-off-by: Sven Vermeulen <[email protected]>
---
dovecot.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/dovecot.te b/dovecot.te
index 2017ffc..1a55371 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -152,6 +152,7 @@ miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_use_user_terminals(dovecot_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(dovecot_t)
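Review bot: The added `userdom_use_user_terminals(dovecot_t)` is unconditional and gives a network-facing daemon read as well as write access to user ttys and ptys for as long as it runs, while the commit message only asks for start-up errors to be displayed. The line directly above it dontaudits use of unprivileged user fds, so the pair deserves a comment saying why one access is silenced and the other allowed, e.g. `# report configuration and permission errors on the terminal dovecot is started from`. Whether a narrower grant would be enough for the start-up case cannot be judged from this hunk alone.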
--
1.7.8.6
Up until now, we had ldconfig_t as the only domain that the portage compile
domains (like portage_sandbox_t) can transition towards. But this is not
necessary, and even led to a few hiccups (like sandbox requiring ptrace towards
the ldconfig domain).
Remove the domain transition, and just execute ldconfig when needed. Everything
remains within the sandbox domain.
Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.if | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/portage.if b/portage.if
index 1ae194e..67e8c12 100644
--- a/portage.if
+++ b/portage.if
@@ -177,9 +177,7 @@ interface(`portage_compile_domain',`
libs_exec_lib_files($1)
# some config scripts use ldd
libs_exec_ld_so($1)
- # this violates the idea of sandbox, but
- # regular sandbox allows it
- libs_domtrans_ldconfig($1)
+ libs_exec_ldconfig($1)
logging_send_syslog_msg($1)
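Review bot: The new `libs_exec_ldconfig($1)` line has lost the explanatory comment that the removed lines carried, so the reason for the switch now lives only in the commit message. A short comment such as `# run ldconfig in the calling domain; no transition to ldconfig_t, so the build stays confined` would keep that intent next to the rule. Since ldconfig now runs with the permissions of `$1`, anything it needs beyond execution (presumably updating the linker cache) has to be allowed to the compile domain itself or it will be denied. The rest of `portage_compile_domain` lies outside the hunk, so that cannot be confirmed here.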
--
1.7.8.6
Adding the locations of Exim to the mta.fc file.
Signed-off-by: Sven Vermeulen <[email protected]>
---
mta.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/mta.fc b/mta.fc
index dc894b4..6ba6c2b 100644
--- a/mta.fc
+++ b/mta.fc
@@ -19,6 +19,7 @@ HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/exim -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -28,6 +29,7 @@ HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/var/spool/exim(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
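Review bot: `/var/spool/exim(/.*)?` is labeled `mail_spool_t` in the second hunk, but Exim's spool directory holds its message queue and working files rather than user mailboxes. Domains allowed to handle the mail spool would then also reach messages still in transit, whereas the neighbouring queue paths (`/var/spool/(client)?mqueue`, `/var/spool/mqueue\.in`) use `mqueue_spool_t`. If the entry stays in mta.fc, `gen_context(system_u:object_r:mqueue_spool_t,s0)` looks like the closer fit. Which domains hold access to either type is not visible from this hunk.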
--
1.7.8.6
Adding interfaces for a named file transition, create, setattr and write
privileges on cron log files. Will be used for the system logger domain later.
Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.if | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 83 insertions(+), 0 deletions(-)
diff --git a/cron.if b/cron.if
index 2981f1f..a1ecb7f 100644
--- a/cron.if
+++ b/cron.if
@@ -409,6 +409,89 @@ interface(`cron_sigchld',`
########################################
## <summary>
+## Set the attributes of cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_setattr_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ allow $1 cron_log_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_create_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ create_files_pattern($1, cron_log_t, cron_log_t)
+')
+
+########################################
+## <summary>
+## Write to cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_write_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ allow $1 cron_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read cron daemon unnamed pipes.
## </summary>
## <param name="domain">
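Review bot: `cron_write_log_files` grants `write_file_perms` on `cron_log_t:file`, which lets the caller overwrite existing log content and not only add to it. The commit message says these interfaces are meant for the system logger; if that domain only appends, `allow $1 cron_log_t:file append_file_perms;` (with a matching interface name and summary) would keep it from rewriting earlier entries, which matters for log integrity. Separately, `cron_create_log_files` uses `create_files_pattern`, which also grants directory permissions on `cron_log_t` directories, so its summary could say so, e.g. `## Create cron log files in cron log directories.`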
--
1.7.8.6
On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote:
> When the dovecot service is started, it might display the failures
> (configuration file failures, or permission errors) but only when allowed to
> write to the user terminals.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> dovecot.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/dovecot.te b/dovecot.te
> index 2017ffc..1a55371 100644
> --- a/dovecot.te
> +++ b/dovecot.te
> @@ -152,6 +152,7 @@ miscfiles_read_generic_certs(dovecot_t)
> miscfiles_read_localization(dovecot_t)
>
> userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
> +userdom_use_user_terminals(dovecot_t)
>
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(dovecot_t)
applied, thanks
On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote:
> Up until now, we had ldconfig_t as the only domain that the portage compile
> domains (like portage_sandbox_t) can transition towards. But this is not
> necessary, and even lead to a few hickups (like sandbox requiring ptrace towards
> the ldconfig domain).
>
> Remove the domain transition, and just execute ldconfig when needed. Everything
> remains within the sandbox domain.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> portage.if | 4 +---
> 1 files changed, 1 insertions(+), 3 deletions(-)
>
> diff --git a/portage.if b/portage.if
> index 1ae194e..67e8c12 100644
> --- a/portage.if
> +++ b/portage.if
> @@ -177,9 +177,7 @@ interface(`portage_compile_domain',`
> libs_exec_lib_files($1)
> # some config scripts use ldd
> libs_exec_ld_so($1)
> - # this violates the idea of sandbox, but
> - # regular sandbox allows it
> - libs_domtrans_ldconfig($1)
> + libs_exec_ldconfig($1)
>
> logging_send_syslog_msg($1)
>
applied, thanks
On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote:
> Adding the locations of Exim to the mta.fc file.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> mta.fc | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/mta.fc b/mta.fc
> index dc894b4..6ba6c2b 100644
> --- a/mta.fc
> +++ b/mta.fc
> @@ -19,6 +19,7 @@ HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
> /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
> /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>
> +/usr/sbin/exim -- gen_context(system_u:object_r:sendmail_exec_t,s0)
> /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
> /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
> /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
> @@ -28,6 +29,7 @@ HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
>
> /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>
> +/var/spool/exim(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
> /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
> /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
> /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
We have an exim module
On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote:
> Adding interfaces for a named file transition, create, setattr and write
> privileges on cron log files. Will be used for the system logger domain later.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> cron.if | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 files changed, 83 insertions(+), 0 deletions(-)
>
> diff --git a/cron.if b/cron.if
> index 2981f1f..a1ecb7f 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -409,6 +409,89 @@ interface(`cron_sigchld',`
>
> ########################################
> ## <summary>
> +## Set the attributes of cron log files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cron_setattr_log_files',`
> + gen_require(`
> + type cron_log_t;
> + ')
> +
> + allow $1 cron_log_t:file setattr_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create cron log files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cron_create_log_files',`
> + gen_require(`
> + type cron_log_t;
> + ')
> +
> + create_files_pattern($1, cron_log_t, cron_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Write to cron log files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cron_write_log_files',`
> + gen_require(`
> + type cron_log_t;
> + ')
> +
> + allow $1 cron_log_t:file write_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create specified objects in generic
> +## log directories with the cron log file type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`cron_generic_log_filetrans_log',`
> + gen_require(`
> + type cron_log_t;
> + ')
> +
> + logging_log_filetrans($1, cron_log_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Read cron daemon unnamed pipes.
> ## </summary>
> ## <param name="domain">
applied thanks