| 1 |
commit: 227ac578689c940b436cff32d99ff2a3ba075a50 |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Sat Nov 17 20:58:53 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Wed Nov 21 21:01:05 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=227ac578 |
| 7 |
|
| 8 |
Reintroduce postfix_var_run_t for pid directory and fowner capability |
| 9 |
|
| 10 |
In August 21, a few changes were made to the postfix module that were reverted |
| 11 |
somewhere in the last few months. Reintroducing these changes: |
| 12 |
|
| 13 |
- Add in the fowner capability for the master domain, needed for running |
| 14 |
chown on the queue's. |
| 15 |
- Mark the pid directory as a pid directory |
| 16 |
|
| 17 |
See http://oss.tresys.com/pipermail/refpolicy/2012-August/005475.html for more |
| 18 |
information. |
| 19 |
|
| 20 |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
| 21 |
|
| 22 |
--- |
| 23 |
policy/modules/contrib/postfix.fc | 2 +- |
| 24 |
policy/modules/contrib/postfix.te | 4 ++-- |
| 25 |
2 files changed, 3 insertions(+), 3 deletions(-) |
| 26 |
|
| 27 |
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc |
| 28 |
index 7d0b138..76e1469 100644 |
| 29 |
--- a/policy/modules/contrib/postfix.fc |
| 30 |
+++ b/policy/modules/contrib/postfix.fc |
| 31 |
@@ -50,7 +50,7 @@ |
| 32 |
/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) |
| 33 |
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) |
| 34 |
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) |
| 35 |
-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) |
| 36 |
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) |
| 37 |
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) |
| 38 |
/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) |
| 39 |
/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) |
| 40 |
|
| 41 |
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te |
| 42 |
index 23cf5cd..14f739d 100644 |
| 43 |
--- a/policy/modules/contrib/postfix.te |
| 44 |
+++ b/policy/modules/contrib/postfix.te |
| 45 |
@@ -123,7 +123,7 @@ allow postfix_domain postfix_master_t:process sigchld; |
| 46 |
|
| 47 |
allow postfix_domain postfix_spool_t:dir list_dir_perms; |
| 48 |
|
| 49 |
-allow postfix_domain postfix_var_run_t:file manage_file_perms; |
| 50 |
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) |
| 51 |
files_pid_filetrans(postfix_domain, postfix_var_run_t, file) |
| 52 |
|
| 53 |
kernel_read_system_state(postfix_domain) |
| 54 |
@@ -198,7 +198,7 @@ domain_use_interactive_fds(postfix_user_domains) |
| 55 |
# Master local policy |
| 56 |
# |
| 57 |
|
| 58 |
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; |
| 59 |
+allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid net_bind_service sys_tty_config }; |
| 60 |
allow postfix_master_t self:capability2 block_suspend; |
| 61 |
allow postfix_master_t self:process setrlimit; |
| 62 |
allow postfix_master_t self:tcp_socket create_stream_socket_perms; |
Archives