From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 29 Aug 2017 19:02:43 -0400
Subject: [refpolicy] [PATCH 1/1] cron: optional_policy for mta_* interfaces
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4A1B8@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4A14D@Exchange10.columbia.tresys.com> <1B50C12ACFF4CB42B90D2581155DF50205B4A1B8@Exchange10.columbia.tresys.com>
Message-ID: <7a6724ba-761d-9907-a72e-26ad209aebc9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/29/2017 12:04 PM, David Sugar via refpolicy wrote:
>
> Patch to allow turning off of the mta module and still have cron module available.
> ---
> cron.te | 24 ++++++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/cron.te b/cron.te
> index 7807dac..5302630 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -43,7 +43,9 @@ application_executable_file(anacron_exec_t)
>
> type cron_spool_t;
> files_type(cron_spool_t)
> -mta_system_content(cron_spool_t)
> +optional_policy(`
> + mta_system_content(cron_spool_t)
> +')
>
> type cron_var_lib_t;
> files_type(cron_var_lib_t)
> @@ -74,14 +76,18 @@ init_script_file(crond_initrc_exec_t)
> type crond_tmp_t;
> files_tmp_file(crond_tmp_t)
> files_poly_parent(crond_tmp_t)
> -mta_system_content(crond_tmp_t)
> +optional_policy(`
> + mta_system_content(crond_tmp_t)
> +')
>
> type crond_unit_t;
> init_unit_file(crond_unit_t)
>
> type crond_var_run_t;
> files_pid_file(crond_var_run_t)
> -mta_system_content(crond_var_run_t)
> +optional_policy(`
> + mta_system_content(crond_var_run_t)
> +')
>
> type crontab_exec_t;
> application_executable_file(crontab_exec_t)
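Review bot: Every mta_system_content() call in this patch is wrapped in its own optional_policy() block — two in the hunks at -43 and -74 here, and the same pattern again in the hunks at -98 and -122 — although all seven guard the same optional module. One optional_policy(` block holding all seven calls reads more clearly and leaves a single place to update when another cron type needs mail-content access; the consolidated form is below. The added `+ mta_system_content(...)` lines also appear indented with a single space rather than the tab refpolicy uses inside optional_policy(), though that may be whitespace lost in the quoted mail rather than in the patch itself, so it is worth checking before the patch is applied.
```selinux
# … unchanged: type declarations …
optional_policy(`
	mta_system_content(cron_spool_t)
	mta_system_content(crond_tmp_t)
	mta_system_content(crond_var_run_t)
	mta_system_content(system_cron_spool_t)
	mta_system_content(user_cron_spool_t)
	mta_system_content(user_cron_spool_log_t)
')
```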
> @@ -98,7 +104,9 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
>
> type system_cron_spool_t, cron_spool_type;
> files_type(system_cron_spool_t)
> -mta_system_content(system_cron_spool_t)
> +optional_policy(`
> + mta_system_content(system_cron_spool_t)
> +')
>
> type system_cronjob_t alias system_crond_t;
> init_daemon_domain(system_cronjob_t, anacron_exec_t)
> @@ -122,12 +130,16 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
> typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
> files_type(user_cron_spool_t)
> ubac_constrained(user_cron_spool_t)
> -mta_system_content(user_cron_spool_t)
> +optional_policy(`
> + mta_system_content(user_cron_spool_t)
> +')
>
> type user_cron_spool_log_t;
> logging_log_file(user_cron_spool_log_t)
> ubac_constrained(user_cron_spool_log_t)
> -mta_system_content(user_cron_spool_log_t)
> +optional_policy(`
> + mta_system_content(user_cron_spool_log_t)
> +')
>
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)

These would need to be moved here, after this ifdef block.

--
Chris PeBenito