2017-02-21 08:33:17

by Russell Coker

Subject: [refpolicy] [PATCH] mailman


Description: Mailman patches
Author: Russell Coker <[email protected]>
Last-Update: 2017-02-21

Index: refpolicy-2.20170221/policy/modules/contrib/mailman.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.te
+++ refpolicy-2.20170221/policy/modules/contrib/mailman.te
@@ -91,11 +91,31 @@ miscfiles_read_localization(mailman_doma
# CGI local policy
#

-dev_read_urand(mailman_cgi_t)
+allow mailman_cgi_t self:unix_dgram_socket { create connect };

-term_use_controlling_term(mailman_cgi_t)
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
+
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms;

+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
+allow mailman_cgi_t mailman_archive_t:file read_file_perms;
+
+kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_system_state(mailman_cgi_t)
+
+corecmd_exec_bin(mailman_cgi_t)
+dev_read_urand(mailman_cgi_t)
+files_search_locks(mailman_cgi_t)
libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+logging_search_logs(mailman_cgi_t)
+miscfiles_read_localization(mailman_cgi_t)
+term_use_controlling_term(mailman_cgi_t)

optional_policy(`
apache_sigchld(mailman_cgi_t)
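Review bot: The CGI domain, the one component reachable from the web server, is given `allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;`, which is broader than the `rw_dir_perms` the mail and queue domains get on the same type in the later hunks and more than a lock-file writer normally needs; `allow mailman_cgi_t mailman_lock_t:dir rw_dir_perms;` would match unless the CGI really creates or removes lock directories. `corecmd_exec_bin(mailman_cgi_t)` and `manage_file_perms` on `mailman_data_t` also widen what a compromised CGI process can do, and neither the rules nor the description say which operation needs them; a one-line comment per grant naming the triggering action would keep them auditable. `allow mailman_cgi_t self:unix_dgram_socket { create connect };` looks like the syslog socket access that refpolicy normally grants through the logging module's interface rather than a raw rule; worth checking before merging the raw form. The `optional_policy` block that opens on the hunk's second-to-last line continues outside the hunk.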
@@ -118,21 +138,55 @@ optional_policy(`
allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
allow mailman_mail_t self:process { signal signull };

+allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_data_t:file manage_file_perms;
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_mail_t mailman_log_t:dir search;
+allow mailman_mail_t mailman_log_t:file read_file_perms;
+
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_mail_t mailman_archive_t:file manage_file_perms;
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
+
+allow mailman_mail_t self:process setsched;
+
+domain_auto_transition_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
+allow mailman_mail_t mailman_queue_exec_t:file ioctl;
+
+can_exec(mailman_mail_t, mailman_mail_exec_t)
+
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })

-corenet_sendrecv_innd_client_packets(mailman_mail_t)
-corenet_tcp_connect_innd_port(mailman_mail_t)
-corenet_tcp_sendrecv_innd_port(mailman_mail_t)
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_lock_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_mail_t)

+corenet_tcp_connect_smtp_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
+corenet_sendrecv_innd_client_packets(mailman_mail_t)
+corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_connect_spamd_port(mailman_mail_t)
+corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)

dev_read_urand(mailman_mail_t)
+corecmd_exec_bin(mailman_mail_t)

+files_search_locks(mailman_mail_t)
fs_rw_anon_inodefs_files(mailman_mail_t)
+inherit_mailserver_fd(mailman_mail_t)
+# this is far from ideal, but systemd reduces the importance of initrc_t
+init_signal_script(mailman_mail_t)
+init_signull_script(mailman_mail_t)
+# for python .path file
+libs_read_lib_files(mailman_mail_t)
+
+logging_search_logs(mailman_mail_t)
+miscfiles_read_localization(mailman_mail_t)

mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
mta_dontaudit_rw_queue(mailman_mail_t)
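Review bot: `allow mailman_mail_t mailman_log_t:dir search;` uses a bare permission where the equivalent rules for the CGI and queue domains use the `*_dir_perms` sets; `allow mailman_mail_t mailman_log_t:dir search_dir_perms;` matches refpolicy style and also covers the getattr/open a lookup usually needs. The new `allow mailman_mail_t self:process setsched;` duplicates the `self:process` rule already in the hunk's context; fold it into `allow mailman_mail_t self:process { setsched signal signull };`. `allow mailman_mail_t mailman_queue_exec_t:file ioctl;` beside the domain transition is an unusual grant on an entrypoint file and reads like a pasted audit2allow result; if it only silences a denial, a `dontaudit` with a comment naming the caller is the safer form, otherwise a comment saying what issues the ioctl.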
@@ -159,16 +213,33 @@ allow mailman_queue_t self:capability {
allow mailman_queue_t self:process { setsched signal_perms };
allow mailman_queue_t self:fifo_file rw_fifo_file_perms;

+allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_queue_t mailman_log_t:dir list_dir_perms;
+allow mailman_queue_t mailman_log_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_queue_t mailman_archive_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_lock_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+corecmd_read_bin_files(mailman_queue_t)
+corecmd_read_bin_symlinks(mailman_queue_t)
corenet_sendrecv_innd_client_packets(mailman_queue_t)
corenet_tcp_connect_innd_port(mailman_queue_t)
corenet_tcp_sendrecv_innd_port(mailman_queue_t)

-auth_domtrans_chk_passwd(mailman_queue_t)
-
files_dontaudit_search_pids(mailman_queue_t)
-
+files_search_locks(mailman_queue_t)
+miscfiles_read_localization(mailman_queue_t)
+read_write_crond_tmp(mailman_queue_t)
seutil_dontaudit_search_config(mailman_queue_t)
-
userdom_search_user_home_dirs(mailman_queue_t)

optional_policy(`
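Review bot: `allow mailman_queue_t mailman_log_t:file manage_file_perms;` lets the queue runners unlink and rename their own log files, which weakens the audit trail if a qrunner is compromised; the CGI domain in the first hunk gets only `{ append_file_perms read_file_perms }` on the same type and the mail domain only `read_file_perms`. Unless qrunner rotates logs itself, the append/read set plus `create` keeps existing log content append-only and is enough for writing new logs. `corecmd_read_bin_files` and `corecmd_read_bin_symlinks` without a matching exec interface presumably cover the cron scripts reading interpreter sources; a comment saying so would stop a later reader from widening it to exec. The `optional_policy(` on the hunk's last context line opens a block that continues outside the hunk.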
Index: refpolicy-2.20170221/policy/modules/contrib/mta.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/mta.if
+++ refpolicy-2.20170221/policy/modules/contrib/mta.if
@@ -286,6 +286,24 @@ interface(`mta_home_filetrans_mail_home_

########################################
## <summary>
+## Inherit FDs from mailserver_domain domains
+## </summary>
+## <param name="type">
+## <summary>
+## Type for a list server or delivery agent that inherits fds
+## </summary>
+## </param>
+#
+interface(`inherit_mailserver_fd',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ allow $1 mailserver_domain:fd use;
+')
+
+########################################
+## <summary>
## Make the specified type by a system MTA.
## </summary>
## <param name="type">
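Review bot: The new interface documents its argument as `<param name="type">` with the summary "Type for a list server or delivery agent that inherits fds", but the rule `allow $1 mailserver_domain:fd use;` makes `$1` the subject, i.e. a domain; the cron.if hunk in this same patch uses the refpolicy form `<param name="domain">` with `## Domain allowed access.`, and this one should match it. The summary would also be clearer as `## Use file descriptors inherited from mailserver_domain domains`, since the rule grants `fd use` and nothing about inheritance itself. The trailing context lines belong to the following interface, whose body is outside the hunk.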
Index: refpolicy-2.20170221/policy/modules/contrib/mailman.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.fc
+++ refpolicy-2.20170221/policy/modules/contrib/mailman.fc
@@ -2,11 +2,11 @@

/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)

-/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)

/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
/var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0)
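Review bot: Dropping the `.*` from `/usr/lib/mailman.*/...` and `/var/lib/mailman.*/archives` changes which paths receive the exec and archive labels, and the description ("Mailman patches") does not say whether the wildcard was matching unrelated directories or versioned install paths are simply no longer expected; the second hunk of this file makes the same change for the cgi-bin, mail and scripts paths. The `/etc/mailman.*`, `/var/lib/mailman.*`, `/var/lock/mailman.*` and `/var/spool/mailman.*` entries keep the wildcard, so a suffixed tree (a constructed `/var/lib/mailman-X/archives`, say) would now be labelled `mailman_data_t` instead of `mailman_archive_t`; if that is intended it deserves a sentence in the description, if not those entries should change together with these.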
@@ -17,13 +17,13 @@

/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)

-/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)

-/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)

-/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170220/policy/modules/contrib/cron.if
@@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',`
files_search_spool($1)
manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
')
+
+########################################
+## <summary>
+## Access temporary files crond creates for script output
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`read_write_crond_tmp',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ allow $1 crond_tmp_t:file rw_file_perms;
+')
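Review bot: This hunk appears to be generated against a different tree from the rest of the patch: its Index line names refpolicy-2.20170220 while every other file names 2.20170221, and the header `@@ -910,3 +824,21 @@` places an additions-only hunk 86 lines earlier on the new side than the old, which can only happen if the two sides differ elsewhere in the file. It may not apply to the same base as the mailman.te changes that call `read_write_crond_tmp`. The rule itself grants only `crond_tmp_t:file rw_file_perms`; if the file reaches the caller as a descriptor inherited from the cron daemon, the caller presumably also needs `fd use` on that daemon, which the interface neither grants nor mentions — a sentence in the summary stating that assumption would help.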


2017-02-24 01:51:13

by Chris PeBenito

Subject: [refpolicy] [PATCH] mailman

On 02/21/17 03:33, Russell Coker via refpolicy wrote:
>
> Description: Mailman patches
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-02-21
>
> Index: refpolicy-2.20170221/policy/modules/contrib/mailman.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.te
> +++ refpolicy-2.20170221/policy/modules/contrib/mailman.te
> @@ -91,11 +91,31 @@ miscfiles_read_localization(mailman_doma
> # CGI local policy
> #
>
> -dev_read_urand(mailman_cgi_t)
> +allow mailman_cgi_t self:unix_dgram_socket { create connect };
>
> -term_use_controlling_term(mailman_cgi_t)
> +allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
> +allow mailman_cgi_t mailman_data_t:file manage_file_perms;
> +allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
> +
> +allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
> +allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
> +
> +allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
> +allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
>
> +allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
> +allow mailman_cgi_t mailman_archive_t:file read_file_perms;
> +
> +kernel_read_crypto_sysctls(mailman_cgi_t)
> +kernel_read_system_state(mailman_cgi_t)
> +
> +corecmd_exec_bin(mailman_cgi_t)
> +dev_read_urand(mailman_cgi_t)
> +files_search_locks(mailman_cgi_t)
> libs_dontaudit_write_lib_dirs(mailman_cgi_t)
> +logging_search_logs(mailman_cgi_t)
> +miscfiles_read_localization(mailman_cgi_t)
> +term_use_controlling_term(mailman_cgi_t)
>
> optional_policy(`
> apache_sigchld(mailman_cgi_t)
> @@ -118,21 +138,55 @@ optional_policy(`
> allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
> allow mailman_mail_t self:process { signal signull };
>
> +allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
> +allow mailman_mail_t mailman_data_t:file manage_file_perms;
> +allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
> +
> +allow mailman_mail_t mailman_log_t:dir search;
> +allow mailman_mail_t mailman_log_t:file read_file_perms;
> +
> +allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
> +allow mailman_mail_t mailman_archive_t:file manage_file_perms;
> +allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
> +
> +allow mailman_mail_t self:process setsched;
> +
> +domain_auto_transition_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
> +allow mailman_mail_t mailman_queue_exec_t:file ioctl;
> +
> +can_exec(mailman_mail_t, mailman_mail_exec_t)
> +
> manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
> manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
> files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
>
> -corenet_sendrecv_innd_client_packets(mailman_mail_t)
> -corenet_tcp_connect_innd_port(mailman_mail_t)
> -corenet_tcp_sendrecv_innd_port(mailman_mail_t)
> +allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
> +allow mailman_mail_t mailman_lock_t:file manage_file_perms;
> +
> +kernel_read_system_state(mailman_mail_t)
>
> +corenet_tcp_connect_smtp_port(mailman_mail_t)
> corenet_sendrecv_spamd_client_packets(mailman_mail_t)
> +corenet_sendrecv_innd_client_packets(mailman_mail_t)
> +corenet_tcp_connect_innd_port(mailman_mail_t)
> corenet_tcp_connect_spamd_port(mailman_mail_t)
> +corenet_tcp_sendrecv_innd_port(mailman_mail_t)
> corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
>
> dev_read_urand(mailman_mail_t)
> +corecmd_exec_bin(mailman_mail_t)
>
> +files_search_locks(mailman_mail_t)
> fs_rw_anon_inodefs_files(mailman_mail_t)
> +inherit_mailserver_fd(mailman_mail_t)
> +# this is far from ideal, but systemd reduces the importance of initrc_t
> +init_signal_script(mailman_mail_t)
> +init_signull_script(mailman_mail_t)
> +# for python .path file
> +libs_read_lib_files(mailman_mail_t)
> +
> +logging_search_logs(mailman_mail_t)
> +miscfiles_read_localization(mailman_mail_t)
>
> mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
> mta_dontaudit_rw_queue(mailman_mail_t)
> @@ -159,16 +213,33 @@ allow mailman_queue_t self:capability {
> allow mailman_queue_t self:process { setsched signal_perms };
> allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
>
> +allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
> +allow mailman_queue_t mailman_data_t:file manage_file_perms;
> +allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
> +
> +allow mailman_queue_t mailman_log_t:dir list_dir_perms;
> +allow mailman_queue_t mailman_log_t:file manage_file_perms;
> +
> +allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
> +allow mailman_queue_t mailman_archive_t:file manage_file_perms;
> +
> +allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
> +allow mailman_queue_t mailman_lock_t:file manage_file_perms;
> +
> +kernel_read_system_state(mailman_queue_t)
> +
> +auth_domtrans_chk_passwd(mailman_queue_t)
> +corecmd_read_bin_files(mailman_queue_t)
> +corecmd_read_bin_symlinks(mailman_queue_t)
> corenet_sendrecv_innd_client_packets(mailman_queue_t)
> corenet_tcp_connect_innd_port(mailman_queue_t)
> corenet_tcp_sendrecv_innd_port(mailman_queue_t)
>
> -auth_domtrans_chk_passwd(mailman_queue_t)
> -
> files_dontaudit_search_pids(mailman_queue_t)
> -
> +files_search_locks(mailman_queue_t)
> +miscfiles_read_localization(mailman_queue_t)
> +read_write_crond_tmp(mailman_queue_t)
> seutil_dontaudit_search_config(mailman_queue_t)
> -
> userdom_search_user_home_dirs(mailman_queue_t)
>
> optional_policy(`
> Index: refpolicy-2.20170221/policy/modules/contrib/mta.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/mta.if
> +++ refpolicy-2.20170221/policy/modules/contrib/mta.if
> @@ -286,6 +286,24 @@ interface(`mta_home_filetrans_mail_home_
>
> ########################################
> ## <summary>
> +## Inherit FDs from mailserver_domain domains
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type for a list server or delivery agent that inherits fds
> +## </summary>
> +## </param>
> +#
> +interface(`inherit_mailserver_fd',`
> + gen_require(`
> + attribute mailserver_domain;
> + ')
> +
> + allow $1 mailserver_domain:fd use;
> +')
> +
> +########################################
> +## <summary>
> ## Make the specified type by a system MTA.
> ## </summary>
> ## <param name="type">
> Index: refpolicy-2.20170221/policy/modules/contrib/mailman.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/mailman.fc
> @@ -2,11 +2,11 @@
>
> /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
>
> -/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> +/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> /var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
> -/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
> +/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
>
> /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
> /var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0)
> @@ -17,13 +17,13 @@
>
> /var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
>
> -/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> -/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> -/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> -/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> +/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> +/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>
> -/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>
> -/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170220/policy/modules/contrib/cron.if
> @@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',`
> files_search_spool($1)
> manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
> ')
> +
> +########################################
> +## <summary>
> +## Access temporary files crond creates for script output
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`read_write_crond_tmp',`
> + gen_require(`
> + type crond_tmp_t;
> + ')
> +
> + allow $1 crond_tmp_t:file rw_file_perms;
> +')

Merged, though I renamed some interfaces and moved lines around.

--
Chris PeBenito