On Tue, Mar 04, 2008 at 01:16:20PM -0500, Christopher J. PeBenito wrote: > On Wed, 2008-02-20 at 02:00 -0800, Devin Carraway wrote: > > Here are a handful of localized fixes to the Exim policy, based on SVN > > head refpolicy and Debian Sid: > > Merged with two exceptions. These look good. Tested successfully from svn trunk. > > - grant readonly access to var_lib_t, to read runtime-generated conf > > This seems questionable. It sounds like there should be a specific type > for this. Agreed; I had a discrete type and entrypoints for the runtime config generators in my original exim policy submission a few months ago, but that wans't among the bits that got merged. I can resubmit that portion as a discrete patch. I'm still trying to determine, though, whether the runtime config is necessary outside of Debian/Ubuntu. > > corenet_tcp_sendrecv_all_if(exim_t) > > corenet_tcp_sendrecv_all_nodes(exim_t) > > corenet_tcp_sendrecv_all_ports(exim_t) > > +corenet_tcp_sendrecv_smtp_port(exim_t) > > +corenet_tcp_sendrecv_auth_port(exim_t) > > +corenet_tcp_sendrecv_ldap_port(exim_t) > > This is redundant since it can already sendrecv all ports. Hm, okay. My own testing had suggested all_ports was actually acting like all-nonpriveleged-ports, but now that I recheck I can't verify the behavior, and current svn trunk can make & use outbound SMTP just fine. Thanks. -- Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
Attachment:
signature.asc
Description: Digital signature
