From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 15 Dec 2016 19:31:14 -0500 Subject: [refpolicy] [PATCH] Make several calls to mta interfaces optional In-Reply-To: <1481835980.24835.4.camel@trentalancia.net> References: <1481835980.24835.4.camel@trentalancia.net> Message-ID: <6d4ec841-e11c-a8e6-5d1d-77c0ec092d62@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/15/16 16:06, Guido Trentalancia via refpolicy wrote: > Make several calls to mta interfaces optional policy. Merged. > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/arpwatch.te | 4 +++- > policy/modules/contrib/cvs.te | 6 ++++-- > policy/modules/contrib/fail2ban.te | 6 ++++-- > policy/modules/contrib/mojomojo.te | 4 +++- > policy/modules/contrib/nagios.te | 8 +++++--- > policy/modules/contrib/nut.te | 4 +++- > policy/modules/contrib/smokeping.te | 6 ++++-- > 7 files changed, 26 insertions(+), 12 deletions(-) > > diff -pru a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te > --- a/policy/modules/contrib/arpwatch.te 2016-10-29 16:29:19.662325285 +0200 > +++ b/policy/modules/contrib/arpwatch.te 2016-12-15 21:15:19.541555771 +0100 > @@ -74,7 +74,9 @@ miscfiles_read_localization(arpwatch_t) > userdom_dontaudit_search_user_home_dirs(arpwatch_t) > userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) > > -mta_send_mail(arpwatch_t) > +optional_policy(` > + mta_send_mail(arpwatch_t) > +') > > optional_policy(` > seutil_sigchld_newrole(arpwatch_t) > diff -pru a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te > --- a/policy/modules/contrib/cvs.te 2016-08-14 21:28:11.474519297 +0200 > +++ b/policy/modules/contrib/cvs.te 2016-12-15 21:18:39.993733559 +0100 > @@ -91,8 +91,6 @@ logging_send_audit_msgs(cvs_t) > > miscfiles_read_localization(cvs_t) > > -mta_send_mail(cvs_t) > - > userdom_dontaudit_search_user_home_dirs(cvs_t) > > # cjp: typeattribute doesnt work in conditionals yet 
> @@ -109,6 +107,10 @@ optional_policy(` > kerberos_dontaudit_write_config(cvs_t) > ') > > +optional_policy(` > + mta_send_mail(cvs_t) > +') > + > ######################################## > # > # CVSWeb local policy > diff -pru a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te > --- a/policy/modules/contrib/fail2ban.te 2016-08-14 21:28:11.486519481 +0200 > +++ b/policy/modules/contrib/fail2ban.te 2016-12-15 21:20:06.429675340 +0100 > @@ -99,8 +99,6 @@ miscfiles_read_localization(fail2ban_t) > sysnet_manage_config(fail2ban_t) > sysnet_etc_filetrans_config(fail2ban_t) > > -mta_send_mail(fail2ban_t) > - > optional_policy(` > apache_read_log(fail2ban_t) > ') > @@ -118,6 +116,10 @@ optional_policy(` > ') > > optional_policy(` > + mta_send_mail(fail2ban_t) > +') > + > +optional_policy(` > shorewall_domtrans(fail2ban_t) > ') > > diff -pru a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te > --- a/policy/modules/contrib/mojomojo.te 2016-08-14 21:28:11.520520004 +0200 > +++ b/policy/modules/contrib/mojomojo.te 2016-12-15 21:14:25.131966201 +0100 > @@ -22,4 +22,6 @@ files_search_var_lib(httpd_mojomojo_scri > > sysnet_dns_name_resolve(httpd_mojomojo_script_t) > > -mta_send_mail(httpd_mojomojo_script_t) > +optional_policy(` > + mta_send_mail(httpd_mojomojo_script_t) > +') > diff -pru a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te > --- a/policy/modules/contrib/nagios.te 2016-08-14 21:28:11.525520081 +0200 > +++ b/policy/modules/contrib/nagios.te 2016-12-15 21:25:16.399065452 +0100 
> @@ -158,9 +158,11 @@ miscfiles_read_localization(nagios_t) > userdom_dontaudit_use_unpriv_user_fds(nagios_t) > userdom_dontaudit_search_user_home_dirs(nagios_t) > > -mta_send_mail(nagios_t) > -mta_signal_system_mail(nagios_t) > -mta_kill_system_mail(nagios_t) > +optional_policy(` > + mta_send_mail(nagios_t) > + mta_signal_system_mail(nagios_t) > + mta_kill_system_mail(nagios_t) > +') > > optional_policy(` > netutils_kill_ping(nagios_t) > diff -pru a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te > --- a/policy/modules/contrib/nut.te 2016-08-14 21:28:11.530520158 +0200 > +++ b/policy/modules/contrib/nut.te 2016-12-15 21:26:09.709650446 +0100 > @@ -116,7 +116,9 @@ term_write_all_terms(nut_upsmon_t) > > auth_use_nsswitch(nut_upsmon_t) > > -mta_send_mail(nut_upsmon_t) > +optional_policy(` > + mta_send_mail(nut_upsmon_t) > +') > > optional_policy(` > shutdown_domtrans(nut_upsmon_t) > diff -pru a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te > --- a/policy/modules/contrib/smokeping.te 2016-08-14 21:28:11.572520803 +0200 > +++ b/policy/modules/contrib/smokeping.te 2016-12-15 21:21:00.183261822 +0100 > @@ -49,10 +49,12 @@ logging_send_syslog_msg(smokeping_t) > > miscfiles_read_localization(smokeping_t) > > -mta_send_mail(smokeping_t) > - > netutils_domtrans_ping(smokeping_t) > > +optional_policy(` > + mta_send_mail(smokeping_t) > +') > + > ####################################### > # > # Cgi local policy -- Chris PeBenito
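Review bot: The commit message ("Make several calls to mta interfaces optional policy.") states the change but not the reason for it, and that applies to all seven files. A sentence naming the build configuration that fails while these `mta_send_mail()` calls are unconditional would help, as would a statement of whether these seven files are the complete set of unconditional mta callers or only the ones hit so far.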
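Review bot: In the smokeping.te hunk, `netutils_domtrans_ping(smokeping_t)` stays an unconditional call directly above the new `optional_policy` block, while the context lines of the nagios.te hunk show `netutils_kill_ping(nagios_t)` already wrapped in `optional_policy`. Worth checking whether the smokeping call should get the same treatment in this patch, or saying in the commit message that only mta calls are in scope.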