On 2/11/20 10:13 PM, Russell Coker wrote:
This patch against git refpolicy has a bunch of trivial patches related to
mail servers. I think it's ready for merging.
Please inline patch and add signed-off-by
--- refpolicy-2.20200209.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20200209/policy/modules/services/mailman.fc
@@ -23,6 +23,7 @@
/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
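Review bot: The `.` in the added `postfix-to-mailman.py` entry is unescaped, and file-context paths are regular expressions, so it matches any character in that position. Writing it as `/etc/mailman/postfix-to-mailman\.py` keeps the match to the one intended script. That matters here because the label assigned is `mailman_mail_exec_t`, the same type as the mailman wrapper executables in the context lines. A one-line comment saying why an executable lives under /etc (presumably a distribution packaging choice, to be confirmed) would also help the next reader.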
Please move up with other /etc lines.
--- refpolicy-2.20200209.orig/policy/modules/services/mta.if
+++ refpolicy-2.20200209/policy/modules/services/mta.if
@@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte
userdom_search_user_home_dirs($1)
manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ allow $1 mail_home_rw_t:file map;
manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
')
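Review bot: The added `allow $1 mail_home_rw_t:file map;` gives every existing caller of mta_manage_mail_home_rw_content an extra permission, but nothing in the visible change documents it. The interface's `## <summary>` block lies outside this hunk and should be updated to say that map access is granted, so that callers auditing what they receive are not misled. The same applies to the `mail_spool_t:file map` lines added in the mta_read_spool_files and mta_manage_spool hunks below. On style, a bare allow rule between the pattern macros reads unevenly; if this tree's support macros include an mmap-aware variant (for example `mmap_read_files_pattern`, to be confirmed against file_patterns.spt), using it in place of the pattern-plus-allow pair would keep each interface uniform.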
@@ -867,6 +868,7 @@ interface(`mta_read_spool_files',`
files_search_spool($1)
read_files_pattern($1, mail_spool_t, mail_spool_t)
+ allow $1 mail_spool_t:file map;
')
########################################
@@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
files_search_spool($1)
manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ allow $1 mail_spool_t:file map;
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
So you're saying that in general these files are all mmaped?
Index: refpolicy-2.20200209/policy/modules/services/spamassassin.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.if
+++ refpolicy-2.20200209/policy/modules/services/spamassassin.if
@@ -433,3 +433,22 @@ interface(`spamassassin_admin',`
# sa-update
spamassassin_run_update($1, $2)
')
+
+########################################
+## <summary>
+## Get SA service status
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_service_reload',`
+ gen_require(`
+ type spamassassin_unit_t;
+ ')
+
+ allow $1 spamassassin_unit_t:service { status reload };
+')
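Review bot: The summary for the new interface says `Get SA service status`, but the rule grants `{ status reload }` and the interface is named spamassassin_service_reload, so the generated documentation understates what a caller receives. The summary should name both permissions, e.g. `## Get the status of and reload the SpamAssassin service.` The `## <rolecap/>` tag also looks carried over from spamassassin_admin; confirm it is intended for an interface that takes only a domain parameter.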
Need 2 interfaces
Index: refpolicy-2.20200209/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.te
+++ refpolicy-2.20200209/policy/modules/services/spamassassin.te
@@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa
gen_tunable(spamd_enable_home_dirs, false)
type spamd_update_t;
+typealias spamd_update_t alias { spamd_gpg_t };
type spamd_update_exec_t;
init_system_domain(spamd_update_t, spamd_update_exec_t)
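Review bot: With `typealias spamd_update_t alias { spamd_gpg_t };`, any rule elsewhere in the policy that still names spamd_gpg_t now applies to spamd_update_t, so the update domain ends up with the union of both rule sets. Those rules are not visible in this hunk, so they should be checked to confirm that nothing broader than sa-update needs is carried over. A comment above the alias would record the intent, e.g. `# spamd_gpg_t merged into spamd_update_t; alias kept for compatibility`. On style, a single alias is normally written without braces: `typealias spamd_update_t alias spamd_gpg_t;`.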
@@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
type spamd_etc_t;
files_config_file(spamd_etc_t)
-type spamd_gpg_t;
-domain_type(spamd_gpg_t)
Why are you dropping this?
--
Chris PeBenito