Another set of updates for the contrib module.
Sven Vermeulen (7):
Moving sandbox code to sandbox section
Allow sandbox to log violations
Fix typo in clockspeed comment
Support openvpn status file
Asterisk voicemail messages are generated from tmp
Make rtkit calls optional
Gentoo installs dovecot certs in /etc/ssl/dovecot
asterisk.te | 1 +
clockspeed.if | 2 +-
dovecot.fc | 2 ++
openvpn.fc | 1 +
openvpn.if | 4 ++--
openvpn.te | 6 ++++++
portage.te | 14 +++++++++-----
pulseaudio.te | 6 ++++--
8 files changed, 26 insertions(+), 10 deletions(-)
--
1.7.8.6
Some portage_sandbox_t code is sitting in the main portage_t section. Moving
this to its own sandbox location.
Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.te | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/portage.te b/portage.te
index 7d2fc08..074828c 100644
--- a/portage.te
+++ b/portage.te
@@ -176,11 +176,6 @@ dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
# transition to sandbox for compiling
domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
-allow portage_sandbox_t portage_t:fd use;
-allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
-allow portage_sandbox_t portage_t:process sigchld;
-allow portage_sandbox_t self:process ptrace;
-dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
# run scripts out of the build directory
can_exec(portage_t, portage_tmp_t)
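Review bot: once the five portage_sandbox_t rules are removed here, the two transition lines left under "# transition to sandbox for compiling" (domain_trans() and corecmd_shell_spec_domtrans()) give no hint of where the fd, fifo_file and sigchld rules for the target domain now live. A one-line comment pointing at the sandbox section would let a reader audit the transition without searching the file.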
@@ -338,6 +333,12 @@ optional_policy(`
# - SELinux-enforced sandbox
#
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
portage_compile_domain(portage_sandbox_t)
auth_use_nsswitch(portage_sandbox_t)
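Review bot: in the added block the two self rules (self:process ptrace and the dontaudit on self:netlink_route_socket) come after the three rules that target portage_t; since the lines are being moved anyway, put the self rules first. The ptrace allow also carries no comment saying why the sandbox needs to trace its own processes, which is worth recording next to the rule.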
--
1.7.8.6
When the sandbox (running in portage_sandbox_t) detects a violation, it will try
to log this into /var/log/sandbox. However, the portage_sandbox_t domain
currently is not allowed to do anything with these logs. As a result, the
violations are not logged.
Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well
as clean them up (sandbox will remove older violation logs if the process id
of the current violation would result in an existing log file to be
overwritten).
Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.te | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/portage.te b/portage.te
index 074828c..ebb3139 100644
--- a/portage.te
+++ b/portage.te
@@ -339,6 +339,9 @@ allow portage_sandbox_t portage_t:process sigchld;
allow portage_sandbox_t self:process ptrace;
dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+allow portage_sandbox_t portage_log_t:file manage_file_perms;
+logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
+
portage_compile_domain(portage_sandbox_t)
auth_use_nsswitch(portage_sandbox_t)
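Review bot: manage_file_perms on the added allow line is wider than what the commit message asks for, which is creating violation logs and removing older ones. A set built from create_file_perms, append_file_perms, delete_file_perms and setattr_file_perms would cover that without general write access to portage_log_t files. The logging_log_filetrans() line also has no object name, so every file the sandbox creates in the log directory picks up portage_log_t; a comment stating that this is intended would help.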
--
1.7.8.6
Signed-off-by: Sven Vermeulen <[email protected]>
---
clockspeed.if | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/clockspeed.if b/clockspeed.if
index b6a51d7..2cb7bf7 100644
--- a/clockspeed.if
+++ b/clockspeed.if
@@ -3,7 +3,7 @@
########################################
## <summary>
## Execute clockspeed utilities in
-$$ the clockspeed_cli domain.
+## the clockspeed_cli domain.
## </summary>
## <param name="domain">
## <summary>
--
1.7.8.6
OpenVPN uses a status file that it constantly writes to (rather than append, as
used for the other log files). As this is less of a log file and more of a state
file, create a separate type and allow openvpn_t manage rights on it.
Signed-off-by: Sven Vermeulen <[email protected]>
---
openvpn.fc | 1 +
openvpn.if | 4 ++--
openvpn.te | 6 ++++++
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/openvpn.fc b/openvpn.fc
index 9f86d3d..db5adfe 100644
--- a/openvpn.fc
+++ b/openvpn.fc
@@ -5,6 +5,7 @@
/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+/var/log/openvpn-status\.log -- gen_context(system_u:object_r:openvpn_status_t,s0)
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
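Review bot: the added /var/log/openvpn-status\.log entry is also matched by the /var/log/openvpn.* line directly below it, so the resulting label depends on the more specific entry winning. Worth confirming with "matchpathcon /var/log/openvpn-status.log" against the built policy that the path resolves to openvpn_status_t. The path is also fixed here, so a status file configured at another location would not get this type.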
diff --git a/openvpn.if b/openvpn.if
index c11f537..03f4e60 100644
--- a/openvpn.if
+++ b/openvpn.if
@@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
#
interface(`openvpn_admin',`
gen_require(`
- type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
+ type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
')
@@ -158,7 +158,7 @@ interface(`openvpn_admin',`
admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
logging_list_logs($1)
- admin_pattern($1, openvpn_var_log_t)
+ admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
files_list_pids($1)
admin_pattern($1, openvpn_var_run_t)
diff --git a/openvpn.te b/openvpn.te
index 58607b0..9643979 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t)
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
+type openvpn_status_t;
+logging_log_file(openvpn_status_t)
+
type openvpn_var_log_t;
logging_log_file(openvpn_var_log_t)
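Review bot: logging_log_file(openvpn_status_t) declares the new type as a log file, while the commit message argues that it is a state file rather than a log. If the log-file declaration is kept because the file lives under /var/log, say so in a comment above the type line; otherwise every interface that operates on all log files will treat the status file as one.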
@@ -53,6 +56,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
allow openvpn_t openvpn_etc_t:file read_file_perms;
allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
+allow openvpn_t openvpn_status_t:file manage_file_perms;
+logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
+
manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
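Review bot: the name passed to logging_log_filetrans(), "openvpn-status.log", has to stay identical to the basename in the new openvpn.fc entry, or a file created by openvpn_t and the same file after a relabel end up with different types. A comment on the filetrans line tying it to the .fc entry would prevent the two from drifting apart.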
--
1.7.8.6
When asterisk creates a voicemail message to send to the end user, the message
recording is a temporary file (labeled asterisk_tmp_t) which is then picked up
by the system mailer. Hence, we need to mark asterisk_tmp_t as
mta_system_content().
Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/asterisk.te b/asterisk.te
index 084b4a9..ac8543a 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -164,6 +164,7 @@ optional_policy(`
optional_policy(`
mta_send_mail(asterisk_t)
+ mta_system_content(asterisk_tmp_t)
')
optional_policy(`
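Review bot: mta_system_content(asterisk_tmp_t) opens every asterisk_tmp_t file to the system mailer, not only the voicemail recordings the commit message describes. If asterisk writes other temporary data under the same type, a dedicated type for the recordings would keep the grant narrow; at minimum, add a comment on the new line saying why the mailer needs access.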
--
1.7.8.6
The rtkit module is not a mandatory component for pulseaudio, so should be
within an optional_policy() clause.
Signed-off-by: Sven Vermeulen <[email protected]>
---
pulseaudio.te | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/pulseaudio.te b/pulseaudio.te
index 99e371b..b42f0f7 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -224,8 +224,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
pulseaudio_signull(pulseaudio_client)
-rtkit_scheduled(pulseaudio_client)
-
# TODO: ~/.cache
userdom_manage_user_home_content_files(pulseaudio_client)
@@ -249,3 +247,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
pulseaudio_dbus_chat(pulseaudio_client)
')
+
+optional_policy(`
+ rtkit_scheduled(pulseaudio_client)
+')
--
1.7.8.6
Signed-off-by: Sven Vermeulen <[email protected]>
---
dovecot.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/dovecot.fc b/dovecot.fc
index 499f1fc..c880070 100644
--- a/dovecot.fc
+++ b/dovecot.fc
@@ -13,6 +13,8 @@
/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+
/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
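Review bot: the added /etc/ssl/dovecot(/.*)? entry sits between the /usr/share/ssl and /usr/lib/dovecot lines, which breaks the path ordering visible in the hunk, and nothing marks it as a distribution-specific location. Move it ahead of the /usr entries and add a comment naming the layout it covers. The entry has no file-type field, so the directory and everything below it get dovecot_cert_t; confirm that is intended for all content there.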
--
1.7.8.6
On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> Some portage_sandbox_t code is sitting in the main portage_t section. Moving
> this to its own sandbox location.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> portage.te | 11 ++++++-----
> 1 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/portage.te b/portage.te
> index 7d2fc08..074828c 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -176,11 +176,6 @@ dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
> # transition to sandbox for compiling
> domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
> corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
> -allow portage_sandbox_t portage_t:fd use;
> -allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
> -allow portage_sandbox_t portage_t:process sigchld;
> -allow portage_sandbox_t self:process ptrace;
> -dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>
> # run scripts out of the build directory
> can_exec(portage_t, portage_tmp_t)
> @@ -338,6 +333,12 @@ optional_policy(`
> # - SELinux-enforced sandbox
> #
>
> +allow portage_sandbox_t portage_t:fd use;
> +allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
> +allow portage_sandbox_t portage_t:process sigchld;
> +allow portage_sandbox_t self:process ptrace;
> +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
> +
> portage_compile_domain(portage_sandbox_t)
>
> auth_use_nsswitch(portage_sandbox_t)
I guess I could merge this, but this could be better.
Instead of domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
you could use: spec_domtrans_pattern(portage_t, portage_exec_t,
portage_sandbox_t)
That allows you to be able to remove:
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
Since that is included in the spec_domtrans_pattern().
It also allows you to remove the explicit setexec, since that is also
included in this pattern.
If you do that, then the ordering of rules is also cleaned up,
since self rules should be on top.
On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> When the sandbox (running in portage_sandbox_t) detects a violation, it will try
> to log this into /var/log/sandbox. However, the portage_sandbox_t domain
> currently is not allowed to do anything with these logs. As a result, the
> violations are not logged.
>
> Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well
> as clean them up (sandbox will remove older violation logs if the process id
> of the current violation would result in an existing log file to be
> overwritten).
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> portage.te | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/portage.te b/portage.te
> index 074828c..ebb3139 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -339,6 +339,9 @@ allow portage_sandbox_t portage_t:process sigchld;
> allow portage_sandbox_t self:process ptrace;
> dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>
> +allow portage_sandbox_t portage_log_t:file manage_file_perms;
> +logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
> +
Would be nice if we would be able to tighten this up just a little bit.
Would this work:
allow portage_sandbox_t portage_log_t:file { create_file_perms
delete_file_perms setattr_file_perms append_file_perms };
That would leave out the write permission. Not very useful since sandbox
can still delete the whole file but still
If it is undesired or if that will not work, then I will merge this as is.
> portage_compile_domain(portage_sandbox_t)
>
> auth_use_nsswitch(portage_sandbox_t)
On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> clockspeed.if | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/clockspeed.if b/clockspeed.if
> index b6a51d7..2cb7bf7 100644
> --- a/clockspeed.if
> +++ b/clockspeed.if
> @@ -3,7 +3,7 @@
> ########################################
> ## <summary>
> ## Execute clockspeed utilities in
> -$$ the clockspeed_cli domain.
> +## the clockspeed_cli domain.
> ## </summary>
> ## <param name="domain">
> ## <summary>
Merged, thanks
On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> OpenVPN uses a status file that it constantly writes to (rather than append, as
> used for the other log files). As this is less of a log file and more of a state
> file, create a separate type and allow openvpn_t manage rights on it.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> openvpn.fc | 1 +
> openvpn.if | 4 ++--
> openvpn.te | 6 ++++++
> 3 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/openvpn.fc b/openvpn.fc
> index 9f86d3d..db5adfe 100644
> --- a/openvpn.fc
> +++ b/openvpn.fc
> @@ -5,6 +5,7 @@
>
> /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
>
> +/var/log/openvpn-status\.log -- gen_context(system_u:object_r:openvpn_status_t,s0)
> /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
>
> /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
> diff --git a/openvpn.if b/openvpn.if
> index c11f537..03f4e60 100644
> --- a/openvpn.if
> +++ b/openvpn.if
> @@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
> #
> interface(`openvpn_admin',`
> gen_require(`
> - type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
> + type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
> type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
> ')
>
> @@ -158,7 +158,7 @@ interface(`openvpn_admin',`
> admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
>
> logging_list_logs($1)
> - admin_pattern($1, openvpn_var_log_t)
> + admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
>
> files_list_pids($1)
> admin_pattern($1, openvpn_var_run_t)
> diff --git a/openvpn.te b/openvpn.te
> index 58607b0..9643979 100644
> --- a/openvpn.te
> +++ b/openvpn.te
> @@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t)
> type openvpn_initrc_exec_t;
> init_script_file(openvpn_initrc_exec_t)
>
> +type openvpn_status_t;
> +logging_log_file(openvpn_status_t)
> +
> type openvpn_var_log_t;
> logging_log_file(openvpn_var_log_t)
>
> @@ -53,6 +56,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
> allow openvpn_t openvpn_etc_t:file read_file_perms;
> allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
>
> +allow openvpn_t openvpn_status_t:file manage_file_perms;
> +logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
> +
> manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
> filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
>
Not sure if this is worth it and where other modules store this file, but
I merged it with some minor clean up, thanks
On Tue, 2012-11-27 at 14:35 +0100, grift wrote:
> On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> > OpenVPN uses a status file that it constantly writes to (rather than append, as
> > used for the other log files). As this is less of a log file and more of a state
> > file, create a separate type and allow openvpn_t manage rights on it.
> >
> > Signed-off-by: Sven Vermeulen <[email protected]>
> > ---
> > openvpn.fc | 1 +
> > openvpn.if | 4 ++--
> > openvpn.te | 6 ++++++
> > 3 files changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/openvpn.fc b/openvpn.fc
> > index 9f86d3d..db5adfe 100644
> > --- a/openvpn.fc
> > +++ b/openvpn.fc
> > @@ -5,6 +5,7 @@
> >
> > /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
> >
> > +/var/log/openvpn-status\.log -- gen_context(system_u:object_r:openvpn_status_t,s0)
> > /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
> >
> > /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
> > diff --git a/openvpn.if b/openvpn.if
> > index c11f537..03f4e60 100644
> > --- a/openvpn.if
> > +++ b/openvpn.if
> > @@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
> > #
> > interface(`openvpn_admin',`
> > gen_require(`
> > - type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
> > + type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
> > type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
> > ')
> >
> > @@ -158,7 +158,7 @@ interface(`openvpn_admin',`
> > admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
> >
> > logging_list_logs($1)
> > - admin_pattern($1, openvpn_var_log_t)
> > + admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
> >
> > files_list_pids($1)
> > admin_pattern($1, openvpn_var_run_t)
> > diff --git a/openvpn.te b/openvpn.te
> > index 58607b0..9643979 100644
> > --- a/openvpn.te
> > +++ b/openvpn.te
> > @@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t)
> > type openvpn_initrc_exec_t;
> > init_script_file(openvpn_initrc_exec_t)
> >
> > +type openvpn_status_t;
> > +logging_log_file(openvpn_status_t)
> > +
> > type openvpn_var_log_t;
> > logging_log_file(openvpn_var_log_t)
> >
> > @@ -53,6 +56,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
> > allow openvpn_t openvpn_etc_t:file read_file_perms;
> > allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
> >
> > +allow openvpn_t openvpn_status_t:file manage_file_perms;
> > +logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
> > +
> > manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
> > filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
> >
>
> Not sure if this is worth it and where other modules store this file, but
> I merged it with some minor clean up, thanks
>
I meant "other distributions"
On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> When asterisk creates a voicemail message to send to the end user, the message
> recording is a temporary file (labeled asterisk_tmp_t) which is then picked up
> by the system mailer. Hence, we need to mark asterisk_tmp_t as
> mta_system_content().
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> asterisk.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/asterisk.te b/asterisk.te
> index 084b4a9..ac8543a 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -164,6 +164,7 @@ optional_policy(`
>
> optional_policy(`
> mta_send_mail(asterisk_t)
> + mta_system_content(asterisk_tmp_t)
> ')
>
> optional_policy(`
Merged, thanks
On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> The rtkit module is not a mandatory component for pulseaudio, so should be
> within an optional_policy() clause.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> pulseaudio.te | 6 ++++--
> 1 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 99e371b..b42f0f7 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -224,8 +224,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
> pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
> pulseaudio_signull(pulseaudio_client)
>
> -rtkit_scheduled(pulseaudio_client)
> -
> # TODO: ~/.cache
> userdom_manage_user_home_content_files(pulseaudio_client)
>
> @@ -249,3 +247,7 @@ tunable_policy(`use_samba_home_dirs',`
> optional_policy(`
> pulseaudio_dbus_chat(pulseaudio_client)
> ')
> +
> +optional_policy(`
> + rtkit_scheduled(pulseaudio_client)
> +')
Is it not mandatory? Merged, Thanks
On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> dovecot.fc | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/dovecot.fc b/dovecot.fc
> index 499f1fc..c880070 100644
> --- a/dovecot.fc
> +++ b/dovecot.fc
> @@ -13,6 +13,8 @@
> /usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
> /usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
>
> +/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
> +
> /usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
> /usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
> /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
Merged, thanks
On Tue, Nov 27, 2012 at 1:59 PM, grift <[email protected]> wrote:
> > +allow portage_sandbox_t portage_log_t:file manage_file_perms;
> > +logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
> > +
>
> Would be nice if we would be able to tighten this up just a little bit.
>
> Would this work:
> allow portage_sandbox_t portage_log_t:file { create_file_perms
> delete_file_perms setattr_file_perms append_file_perms };
>
> That would leave out the write permission. Not very useful since sandbox
> can still delete the whole file but still
>
That works as well apparently (auditallow'ed the write and didn't see it in
the logs). I'll try with those privileges here in our repository and send
it up again later with those changes.
Wkr,
Sven Vermeulen