From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 29 Aug 2017 19:02:43 -0400
Subject: [refpolicy] [PATCH 1/1] cron: optional_policy for mta_*
 interfaces
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4A1B8@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4A14D@Exchange10.columbia.tresys.com>
	<1B50C12ACFF4CB42B90D2581155DF50205B4A1B8@Exchange10.columbia.tresys.com>
Message-ID: <7a6724ba-761d-9907-a72e-26ad209aebc9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/29/2017 12:04 PM, David Sugar via refpolicy wrote:
> 
> Patch to allow turning off of the mta module and still have cron module available.
> ---
>   cron.te | 24 ++++++++++++++++++------
>   1 file changed, 18 insertions(+), 6 deletions(-)
> 
> diff --git a/cron.te b/cron.te
> index 7807dac..5302630 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -43,7 +43,9 @@ application_executable_file(anacron_exec_t)
> 
>   type cron_spool_t;
>   files_type(cron_spool_t)
> -mta_system_content(cron_spool_t)
> +optional_policy(`
> +       mta_system_content(cron_spool_t)
> +')
> 
>   type cron_var_lib_t;
>   files_type(cron_var_lib_t)
> @@ -74,14 +76,18 @@ init_script_file(crond_initrc_exec_t)
>   type crond_tmp_t;
>   files_tmp_file(crond_tmp_t)
>   files_poly_parent(crond_tmp_t)
> -mta_system_content(crond_tmp_t)
> +optional_policy(`
> +       mta_system_content(crond_tmp_t)
> +')
> 
>   type crond_unit_t;
>   init_unit_file(crond_unit_t)
> 
>   type crond_var_run_t;
>   files_pid_file(crond_var_run_t)
> -mta_system_content(crond_var_run_t)
> +optional_policy(`
> +       mta_system_content(crond_var_run_t)
> +')
> 
>   type crontab_exec_t;
>   application_executable_file(crontab_exec_t)
> @@ -98,7 +104,9 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
> 
>   type system_cron_spool_t, cron_spool_type;
>   files_type(system_cron_spool_t)
> -mta_system_content(system_cron_spool_t)
> +optional_policy(`
> +       mta_system_content(system_cron_spool_t)
> +')
> 
>   type system_cronjob_t alias system_crond_t;
>   init_daemon_domain(system_cronjob_t, anacron_exec_t)
> @@ -122,12 +130,16 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
>   typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
>   files_type(user_cron_spool_t)
>   ubac_constrained(user_cron_spool_t)
> -mta_system_content(user_cron_spool_t)
> +optional_policy(`
> +       mta_system_content(user_cron_spool_t)
> +')
> 
>   type user_cron_spool_log_t;
>   logging_log_file(user_cron_spool_log_t)
>   ubac_constrained(user_cron_spool_log_t)
> -mta_system_content(user_cron_spool_log_t)
> +optional_policy(`
> +       mta_system_content(user_cron_spool_log_t)
> +')
> 
>   ifdef(`enable_mcs',`
>          init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)

These would need to be moved here, after this ifdef block.

-- 
Chris PeBenito