From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 15 Dec 2016 19:31:14 -0500
Subject: [refpolicy] [PATCH] Make several calls to mta interfaces
	optional
In-Reply-To: <1481835980.24835.4.camel@trentalancia.net>
References: <1481835980.24835.4.camel@trentalancia.net>
Message-ID: <6d4ec841-e11c-a8e6-5d1d-77c0ec092d62@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/15/16 16:06, Guido Trentalancia via refpolicy wrote:
> Make several calls to mta interfaces optional policy.

Merged.



> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/arpwatch.te  |    4 +++-
>  policy/modules/contrib/cvs.te       |    6 ++++--
>  policy/modules/contrib/fail2ban.te  |    6 ++++--
>  policy/modules/contrib/mojomojo.te  |    4 +++-
>  policy/modules/contrib/nagios.te    |    8 +++++---
>  policy/modules/contrib/nut.te       |    4 +++-
>  policy/modules/contrib/smokeping.te |    6 ++++--
>  7 files changed, 26 insertions(+), 12 deletions(-)
>
> diff -pru a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
> --- a/policy/modules/contrib/arpwatch.te	2016-10-29 16:29:19.662325285 +0200
> +++ b/policy/modules/contrib/arpwatch.te	2016-12-15 21:15:19.541555771 +0100
> @@ -74,7 +74,9 @@ miscfiles_read_localization(arpwatch_t)
>  userdom_dontaudit_search_user_home_dirs(arpwatch_t)
>  userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
>
> -mta_send_mail(arpwatch_t)
> +optional_policy(`
> +	mta_send_mail(arpwatch_t)
> +')
>
>  optional_policy(`
>  	seutil_sigchld_newrole(arpwatch_t)
> diff -pru a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
> --- a/policy/modules/contrib/cvs.te	2016-08-14 21:28:11.474519297 +0200
> +++ b/policy/modules/contrib/cvs.te	2016-12-15 21:18:39.993733559 +0100
> @@ -91,8 +91,6 @@ logging_send_audit_msgs(cvs_t)
>
>  miscfiles_read_localization(cvs_t)
>
> -mta_send_mail(cvs_t)
> -
>  userdom_dontaudit_search_user_home_dirs(cvs_t)
>
>  # cjp: typeattribute doesnt work in conditionals yet
> @@ -109,6 +107,10 @@ optional_policy(`
>  	kerberos_dontaudit_write_config(cvs_t)
>  ')
>
> +optional_policy(`
> +	mta_send_mail(cvs_t)
> +')
> +
>  ########################################
>  #
>  # CVSWeb local policy
> diff -pru a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
> --- a/policy/modules/contrib/fail2ban.te	2016-08-14 21:28:11.486519481 +0200
> +++ b/policy/modules/contrib/fail2ban.te	2016-12-15 21:20:06.429675340 +0100
> @@ -99,8 +99,6 @@ miscfiles_read_localization(fail2ban_t)
>  sysnet_manage_config(fail2ban_t)
>  sysnet_etc_filetrans_config(fail2ban_t)
>
> -mta_send_mail(fail2ban_t)
> -
>  optional_policy(`
>  	apache_read_log(fail2ban_t)
>  ')
> @@ -118,6 +116,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	mta_send_mail(fail2ban_t)
> +')
> +
> +optional_policy(`
>  	shorewall_domtrans(fail2ban_t)
>  ')
>
> diff -pru a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te
> --- a/policy/modules/contrib/mojomojo.te	2016-08-14 21:28:11.520520004 +0200
> +++ b/policy/modules/contrib/mojomojo.te	2016-12-15 21:14:25.131966201 +0100
> @@ -22,4 +22,6 @@ files_search_var_lib(httpd_mojomojo_scri
>
>  sysnet_dns_name_resolve(httpd_mojomojo_script_t)
>
> -mta_send_mail(httpd_mojomojo_script_t)
> +optional_policy(`
> +	mta_send_mail(httpd_mojomojo_script_t)
> +')
> diff -pru a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
> --- a/policy/modules/contrib/nagios.te	2016-08-14 21:28:11.525520081 +0200
> +++ b/policy/modules/contrib/nagios.te	2016-12-15 21:25:16.399065452 +0100
> @@ -158,9 +158,11 @@ miscfiles_read_localization(nagios_t)
>  userdom_dontaudit_use_unpriv_user_fds(nagios_t)
>  userdom_dontaudit_search_user_home_dirs(nagios_t)
>
> -mta_send_mail(nagios_t)
> -mta_signal_system_mail(nagios_t)
> -mta_kill_system_mail(nagios_t)
> +optional_policy(`
> +	mta_send_mail(nagios_t)
> +	mta_signal_system_mail(nagios_t)
> +	mta_kill_system_mail(nagios_t)
> +')
>
>  optional_policy(`
>  	netutils_kill_ping(nagios_t)
> diff -pru a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
> --- a/policy/modules/contrib/nut.te	2016-08-14 21:28:11.530520158 +0200
> +++ b/policy/modules/contrib/nut.te	2016-12-15 21:26:09.709650446 +0100
> @@ -116,7 +116,9 @@ term_write_all_terms(nut_upsmon_t)
>
>  auth_use_nsswitch(nut_upsmon_t)
>
> -mta_send_mail(nut_upsmon_t)
> +optional_policy(`
> +	mta_send_mail(nut_upsmon_t)
> +')
>
>  optional_policy(`
>  	shutdown_domtrans(nut_upsmon_t)
> diff -pru a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
> --- a/policy/modules/contrib/smokeping.te	2016-08-14 21:28:11.572520803 +0200
> +++ b/policy/modules/contrib/smokeping.te	2016-12-15 21:21:00.183261822 +0100
> @@ -49,10 +49,12 @@ logging_send_syslog_msg(smokeping_t)
>
>  miscfiles_read_localization(smokeping_t)
>
> -mta_send_mail(smokeping_t)
> -
>  netutils_domtrans_ping(smokeping_t)
>
> +optional_policy(`
> +	mta_send_mail(smokeping_t)
> +')
> +
>  #######################################
>  #
>  # Cgi local policy



-- 
Chris PeBenito