Re: trivial mail server patch

On 2/11/20 10:13 PM, Russell Coker wrote:
This patch against git refpolicy has a bunch of trivial patches related to
mail servers.  I think it's ready for merging.

Please inline patch and add signed-off-by

--- refpolicy-2.20200209.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20200209/policy/modules/services/mailman.fc
@@ -23,6 +23,7 @@
 /usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/etc/mailman/postfix-to-mailman.py	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
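
Review bot: the "." in "postfix-to-mailman.py" on the added line is not escaped. File context paths are regular expressions, so an unescaped dot matches any character; write it as "postfix-to-mailman\.py" so the entry matches only the intended file name.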

Please move up with other /etc lines.



--- refpolicy-2.20200209.orig/policy/modules/services/mta.if
+++ refpolicy-2.20200209/policy/modules/services/mta.if
@@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte
 	userdom_search_user_home_dirs($1)
 	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
 	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	allow $1 mail_home_rw_t:file map;
 	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 ')
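
Review bot: the added "allow $1 mail_home_rw_t:file map;" in mta_manage_mail_home_rw_content gives map to every domain that already calls this interface, whether or not it memory-maps these files. The patch description does not say which mail program hit the denial; name it in the commit message, and if only some callers need map, put the rule in a separate interface so the rest keep the narrower permission set.
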
@@ -867,6 +868,7 @@ interface(`mta_read_spool_files',` files_search_spool($1)
 	read_files_pattern($1, mail_spool_t, mail_spool_t)
+	allow $1 mail_spool_t:file map;
 ')
########################################
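
Review bot: mta_read_spool_files is a read interface, yet the added "allow $1 mail_spool_t:file map;" grants its callers more than read_files_pattern does. Update the interface summary to say it also allows mapping, or leave this interface as it is and add a separate one for the domains that mmap spool files.
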
@@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
 	files_search_spool($1)
 	manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
 	manage_files_pattern($1, mail_spool_t, mail_spool_t)
+	allow $1 mail_spool_t:file map;
 	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
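
Review bot: in mta_manage_spool the raw allow rule is inserted between manage_files_pattern and manage_lnk_files_pattern, and this is the third copy of the same one-line map rule in mta.if. Keep the pattern macros together and put the allow after them, with a short comment saying why map is needed, so the three additions can be found and reviewed as a group.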

So you're saying that in general these files are all mmaped?


Index: refpolicy-2.20200209/policy/modules/services/spamassassin.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.if
+++ refpolicy-2.20200209/policy/modules/services/spamassassin.if
@@ -433,3 +433,22 @@ interface(`spamassassin_admin',`
 	# sa-update
 	spamassassin_run_update($1, $2)
 ')
+
+########################################
+## <summary>
+##	Get SA service status
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_service_reload',`
+	gen_require(`
+		type spamassassin_unit_t;
+	')
+
+	allow $1 spamassassin_unit_t:service { status reload };
+')
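
Review bot: the summary "Get SA service status" does not match what spamassassin_service_reload allows, since the rule grants both status and reload on spamassassin_unit_t. A caller that reads only the summary would not expect to be able to reload the unit; make the summary describe both permissions, or keep this interface to reload and document status separately.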

Need 2 interfaces

Index: refpolicy-2.20200209/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.te
+++ refpolicy-2.20200209/policy/modules/services/spamassassin.te
@@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa
 gen_tunable(spamd_enable_home_dirs, false)
type spamd_update_t;
+typealias spamd_update_t alias { spamd_gpg_t };
 type spamd_update_exec_t;
 init_system_domain(spamd_update_t, spamd_update_exec_t)
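
Review bot: the typealias makes spamd_gpg_t another name for spamd_update_t, which is set up with init_system_domain two lines below, so the gpg helper no longer runs in a domain of its own. Neither the patch nor its description explains why that separation is no longer wanted; add the reason to the commit message.
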
@@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
 type spamd_etc_t;
 files_config_file(spamd_etc_t)
-type spamd_gpg_t;
-domain_type(spamd_gpg_t)
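
Review bot: this hunk removes only the "type spamd_gpg_t;" declaration and its domain_type() call; no rule that refers to spamd_gpg_t is changed anywhere in the patch. With the alias added in the previous hunk, any such rules left in spamassassin.te would now apply to spamd_update_t, so check for them and remove or rewrite them in the same patch.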

Why are you dropping this?


--
Chris PeBenito


