1 |
commit: 227ac578689c940b436cff32d99ff2a3ba075a50 |
2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
3 |
AuthorDate: Sat Nov 17 20:58:53 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Wed Nov 21 21:01:05 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=227ac578 |
7 |
|
8 |
Reintroduce postfix_var_run_t for pid directory and fowner capability |
9 |
|
10 |
In August 21, a few changes were made to the postfix module that were reverted |
11 |
somewhere in the last few months. Reintroducing these changes: |
12 |
|
13 |
- Add in the fowner capability for the master domain, needed for running |
14 |
chown on the queue's. |
15 |
- Mark the pid directory as a pid directory |
16 |
|
17 |
See http://oss.tresys.com/pipermail/refpolicy/2012-August/005475.html for more |
18 |
information. |
19 |
|
20 |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
21 |
|
22 |
--- |
23 |
policy/modules/contrib/postfix.fc | 2 +- |
24 |
policy/modules/contrib/postfix.te | 4 ++-- |
25 |
2 files changed, 3 insertions(+), 3 deletions(-) |
26 |
|
27 |
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc |
28 |
index 7d0b138..76e1469 100644 |
29 |
--- a/policy/modules/contrib/postfix.fc |
30 |
+++ b/policy/modules/contrib/postfix.fc |
31 |
@@ -50,7 +50,7 @@ |
32 |
/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) |
33 |
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) |
34 |
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) |
35 |
-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) |
36 |
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) |
37 |
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) |
38 |
/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) |
39 |
/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) |
40 |
|
41 |
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te |
42 |
index 23cf5cd..14f739d 100644 |
43 |
--- a/policy/modules/contrib/postfix.te |
44 |
+++ b/policy/modules/contrib/postfix.te |
45 |
@@ -123,7 +123,7 @@ allow postfix_domain postfix_master_t:process sigchld; |
46 |
|
47 |
allow postfix_domain postfix_spool_t:dir list_dir_perms; |
48 |
|
49 |
-allow postfix_domain postfix_var_run_t:file manage_file_perms; |
50 |
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) |
51 |
files_pid_filetrans(postfix_domain, postfix_var_run_t, file) |
52 |
|
53 |
kernel_read_system_state(postfix_domain) |
54 |
@@ -198,7 +198,7 @@ domain_use_interactive_fds(postfix_user_domains) |
55 |
# Master local policy |
56 |
# |
57 |
|
58 |
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; |
59 |
+allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid net_bind_service sys_tty_config }; |
60 |
allow postfix_master_t self:capability2 block_suspend; |
61 |
allow postfix_master_t self:process setrlimit; |
62 |
allow postfix_master_t self:tcp_socket create_stream_socket_perms; |