From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 04 Mar 2010 09:28:11 -0500
Subject: [refpolicy] [ amavis patch 1/1] Various amavis fixes.
In-Reply-To: <20100224120039.GA4752@localhost.localdomain>
References: <20100224120039.GA4752@localhost.localdomain>
Message-ID: <1267712891.11679.10.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-02-24 at 13:00 +0100, Dominick Grift wrote:
> Create amavis_initrc_domtrans.
> Call amavis_initrc_domtrans from amavis_admin.
> Remove obsolete require.
> Allow domains to search bin to enable run amavis executable.

Merged. Fixed copy/paste error in amavis_initrc_domtrans(). Put amavis_initrc_exec_t back into the amavis_admin() interface, since it's still explicitly used in the interface.

> Signed-off-by: Dominick Grift
> --- > :100644 100644 db18f31... 22523cd... M policy/modules/services/amavis.if > policy/modules/services/amavis.if | 22 ++++++++++++++++++++-- > 1 files changed, 20 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if > index db18f31..22523cd 100644 > --- a/policy/modules/services/amavis.if > +++ b/policy/modules/services/amavis.if > @@ -18,11 +18,30 @@ interface(`amavis_domtrans',` > type amavis_t, amavis_exec_t; > ') > > + corecmd_search_bin($1) > domtrans_pattern($1, amavis_exec_t, amavis_t) > ') > > ######################################## > ## > +## Execute amavis server in the amavis domain. > +## > +## > +## > +## The type of the process performing this action. > +## > +## > +# > +interface(`amavis_initrc_domtrans',` > + gen_require(` > + type afs_initrc_exec_t; > + ') > + > + init_labeled_script_domtrans($1, amavis_initrc_exec_t) > +') > + > +######################################## > +## > ## Read amavis spool files. > ## > ## 
> @@ -209,13 +228,12 @@ interface(`amavis_admin',` > type amavis_t, amavis_tmp_t, amavis_var_log_t; > type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t; > type amavis_etc_t, amavis_quarantine_t; > - type amavis_initrc_exec_t; > ') > > allow $1 amavis_t:process { ptrace signal_perms }; > ps_process_pattern($1, amavis_t) > > - init_labeled_script_domtrans($1, amavis_initrc_exec_t) > + amavis_initrc_domtrans($1) > domain_system_change_exemption($1) > role_transition $2 amavis_initrc_exec_t system_r; > allow $2 system_r;

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
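
Review bot: In the first hunk (@@ -18,11 +18,30 @@), the gen_require block of the new amavis_initrc_domtrans interface declares `type afs_initrc_exec_t;`, but the body passes amavis_initrc_exec_t to init_labeled_script_domtrans, so the type the interface actually uses is never required. This looks like a copy/paste slip and should read `type amavis_initrc_exec_t;`. The summary text "Execute amavis server in the amavis domain." also does not match what the interface does; it should describe running the amavis init script through init_labeled_script_domtrans so it is not confused with amavis_domtrans.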
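
Review bot: In the second hunk (@@ -209,13 +228,12 @@), removing `type amavis_initrc_exec_t;` from the gen_require of amavis_admin leaves the unchanged line `role_transition $2 amavis_initrc_exec_t system_r;` referencing a type the interface no longer requires. Keep the require line for as long as the role_transition names the type directly; replacing the init_labeled_script_domtrans call with amavis_initrc_domtrans($1) does not remove that dependency.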