2010-02-24 12:00:42

by domg472

Subject: [refpolicy] [ amavis patch 1/1] Various amavis fixes.

Create amavis_initrc_domtrans.
Call amavis_initrc_domtrans from amavis_admin.
Remove obsolete require.
Allow domains to search bin to enable run amavis executable.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 db18f31... 22523cd... M policy/modules/services/amavis.if
policy/modules/services/amavis.if | 22 ++++++++++++++++++++--
1 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index db18f31..22523cd 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -18,11 +18,30 @@ interface(`amavis_domtrans',`
type amavis_t, amavis_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, amavis_exec_t, amavis_t)
')

########################################
## <summary>
+## Execute amavis server in the amavis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`amavis_initrc_domtrans',`
+ gen_require(`
+ type afs_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+')
+
+########################################
+## <summary>
## Read amavis spool files.
## </summary>
## <param name="domain">
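Review bot: In the new amavis_initrc_domtrans interface, the gen_require block declares `type afs_initrc_exec_t;` while the body passes amavis_initrc_exec_t to init_labeled_script_domtrans, so the type the interface actually uses is never required and an unrelated afs type is. This looks like a copy/paste leftover; the require line should read `type amavis_initrc_exec_t;`.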
@@ -209,13 +228,12 @@ interface(`amavis_admin',`
type amavis_t, amavis_tmp_t, amavis_var_log_t;
type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
type amavis_etc_t, amavis_quarantine_t;
- type amavis_initrc_exec_t;
')

allow $1 amavis_t:process { ptrace signal_perms };
ps_process_pattern($1, amavis_t)

- init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+ amavis_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
allow $2 system_r;
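Review bot: Removing `type amavis_initrc_exec_t;` from the amavis_admin gen_require is premature, because `role_transition $2 amavis_initrc_exec_t system_r;` further down in the same interface still names that type directly. The call to amavis_initrc_domtrans($1) only replaces the domain transition line; keep the type in the require block for as long as the role_transition rule stays here.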
--
1.6.6.1


2010-03-04 14:28:11

by cpebenito

Subject: [refpolicy] [ amavis patch 1/1] Various amavis fixes.

On Wed, 2010-02-24 at 13:00 +0100, Dominick Grift wrote:
> Create amavis_initrc_domtrans.
> Call amavis_initrc_domtrans from amavis_admin.
> Remove obsolete require.
> Allow domains to search bin to enable run amavis executable.

Merged. Fixed copy/paste error in amavis_initrc_domtrans(). Put
amavis_initrc_exec_t back into the amavis_admin() interface, since it's
still explicitly used in the interface.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 db18f31... 22523cd... M policy/modules/services/amavis.if
> policy/modules/services/amavis.if | 22 ++++++++++++++++++++--
> 1 files changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
> index db18f31..22523cd 100644
> --- a/policy/modules/services/amavis.if
> +++ b/policy/modules/services/amavis.if
> @@ -18,11 +18,30 @@ interface(`amavis_domtrans',`
> type amavis_t, amavis_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, amavis_exec_t, amavis_t)
> ')
>
> ########################################
> ## <summary>
> +## Execute amavis server in the amavis domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`amavis_initrc_domtrans',`
> + gen_require(`
> + type afs_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, amavis_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## Read amavis spool files.
> ## </summary>
> ## <param name="domain">
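Review bot: The summary added for amavis_initrc_domtrans, "Execute amavis server in the amavis domain.", does not mention the init script, although the body is an init_labeled_script_domtrans call on amavis_initrc_exec_t, and it reads as if it documented a direct transition into the amavis domain. Reword the summary so the generated interface documentation says this interface is about running the amavis init script.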
> @@ -209,13 +228,12 @@ interface(`amavis_admin',`
> type amavis_t, amavis_tmp_t, amavis_var_log_t;
> type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
> type amavis_etc_t, amavis_quarantine_t;
> - type amavis_initrc_exec_t;
> ')
>
> allow $1 amavis_t:process { ptrace signal_perms };
> ps_process_pattern($1, amavis_t)
>
> - init_labeled_script_domtrans($1, amavis_initrc_exec_t)
> + amavis_initrc_domtrans($1)
> domain_system_change_exemption($1)
> role_transition $2 amavis_initrc_exec_t system_r;
> allow $2 system_r;

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150