From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 20:07:03 -0400
Subject: [refpolicy] [PATCH 1/3] postfix: Some table drivers (notably cdb) need to mmap() their databases
In-Reply-To: <20170911031829.4163-1-aranea@aixah.de>
References: <20170911031829.4163-1-aranea@aixah.de>
Message-ID: <14ff76a7-842d-aab5-b954-5aabc6aa717d@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> This change also grants exim (the other caller of the mta_read_aliases
> interface) to map the mail aliases, but that seems minor enough not to
> warrant the creation of a new interface.

While trivial, I'd prefer a separate interface, so any future users of the interface don't get an extra permission they might not need.

> --- > mta.if | 2 +- > postfix.te | 4 ++-- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/mta.if b/mta.if > index 2b99dd5..8565982 100644 > --- a/mta.if > +++ b/mta.if > @@ -586,7 +586,7 @@ interface(`mta_read_aliases',` > ') > > files_search_etc($1) > - allow $1 etc_aliases_t:file read_file_perms; > + allow $1 etc_aliases_t:file { read_file_perms map }; > ') > > ######################################## > diff --git a/postfix.te b/postfix.te > index 84e0b5e..eb4af6c 100644 > --- a/postfix.te > +++ b/postfix.te > @@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms; > allow postfix_domain self:unix_stream_socket { accept connectto listen }; > > allow postfix_domain postfix_etc_t:dir list_dir_perms; > -allow postfix_domain postfix_etc_t:file read_file_perms; > +allow postfix_domain postfix_etc_t:file { read_file_perms map }; > allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms; > > allow postfix_domain postfix_master_t:file read_file_perms; 
> @@ -489,7 +489,7 @@ allow postfix_map_t self:capability { dac_override setgid setuid }; > allow postfix_map_t self:tcp_socket { accept listen }; > > allow postfix_map_t postfix_etc_t:dir manage_dir_perms; > -allow postfix_map_t postfix_etc_t:file manage_file_perms; > +allow postfix_map_t postfix_etc_t:file { manage_file_perms map }; > allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms; > > manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) > -- Chris PeBenito
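Review bot: In the mta.if hunk, adding `map` inside `mta_read_aliases` widens the permission for every caller of that interface, not only postfix; since the commit message itself admits exim picks up the extra permission, the least-privilege fix is a separate interface that grants `allow $1 etc_aliases_t:file { read_file_perms map };` (and is called only from postfix.te), leaving `mta_read_aliases` as plain `read_file_perms`. That also lets a future caller that needs the mapping opt in explicitly rather than inheriting it silently.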
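Review bot: In the first postfix.te hunk (around line 115), `map` is granted to the whole `postfix_domain` attribute on `postfix_etc_t:file`, which is wider than the table-driver processes that actually mmap() their databases; a short comment naming why (cdb and similar drivers) would help future readers. Because the rule pairs `map` only with `read_file_perms`, a MAP_SHARED mapping with PROT_WRITE would still be denied for lack of `write`, so the added permission does not let these domains modify the configuration files, but it is worth stating that the intent is read-only mapping.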
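Review bot: In the second postfix.te hunk (around line 489), `map` is combined with `manage_file_perms`, which already includes `write`, so `postfix_map_t` can now create writable shared mappings of `postfix_etc_t` files; this is a different grant from the two read-only hunks above and should be called out in the commit message (postmap rewriting a cdb table is presumably the reason, but the message only mentions reading). If only read-only mapping is required for `postfix_map_t` as well, splitting it into `manage_file_perms` plus a read-oriented map rule would keep the write and map grants reviewable separately.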