
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sat, 25 Feb 2017 14:52:08
Message-Id: 1488034254.232701f0d9090cd34c22f350a7dfbda7c58a0ea0.perfinion@gentoo
1 commit: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Fri Feb 24 01:58:41 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 25 14:50:54 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=232701f0
7
8 mailman: Fixes from Russell Coker.
9
10 policy/modules/contrib/cron.if | 18 +++++++
11 policy/modules/contrib/cron.te | 2 +-
12 policy/modules/contrib/mailman.fc | 24 ++++-----
13 policy/modules/contrib/mailman.te | 100 +++++++++++++++++++++++++++++++++++---
14 policy/modules/contrib/mta.if | 18 +++++++
15 policy/modules/contrib/mta.te | 2 +-
16 6 files changed, 143 insertions(+), 21 deletions(-)
17
18 diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
19 index 6737f53c..5739d4f0 100644
20 --- a/policy/modules/contrib/cron.if
21 +++ b/policy/modules/contrib/cron.if
22 @@ -705,6 +705,24 @@ interface(`cron_manage_system_spool',`
23
24 ########################################
25 ## <summary>
26 +## Read and write crond temporary files.
27 +## </summary>
28 +## <param name="domain">
29 +## <summary>
30 +## Domain allowed access.
31 +## </summary>
32 +## </param>
33 +#
34 +interface(`cron_rw_tmp_files',`
35 + gen_require(`
36 + type crond_tmp_t;
37 + ')
38 +
39 + allow $1 crond_tmp_t:file rw_file_perms;
40 +')
41 +
42 +########################################
43 +## <summary>
44 ## Read system cron job lib files.
45 ## </summary>
46 ## <param name="domain">
47
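Review bot: `cron_rw_tmp_files` grants `rw_file_perms` on `crond_tmp_t:file` but nothing on the directory that holds those files, so a caller that opens them by path rather than through an inherited descriptor is still denied on the directory search; comparable `*_tmp_files` interfaces in refpolicy pair the file rule with `files_search_tmp($1)`. Unless the interface is meant only for descriptors inherited from crond, add `files_search_tmp($1)` before the allow rule; if it is only for inherited descriptors, the summary should say so. The summary could also state that this is crond's own temporary files rather than system job output, to avoid confusion with the existing system-job tmp interfaces.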
48 diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
49 index 3513e1f2..b51524a4 100644
50 --- a/policy/modules/contrib/cron.te
51 +++ b/policy/modules/contrib/cron.te
52 @@ -1,4 +1,4 @@
53 -policy_module(cron, 2.11.1)
54 +policy_module(cron, 2.11.2)
55
56 gen_require(`
57 class passwd rootok;
58
59 diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
60 index 1a226daf..d5734fc9 100644
61 --- a/policy/modules/contrib/mailman.fc
62 +++ b/policy/modules/contrib/mailman.fc
63 @@ -2,11 +2,11 @@
64
65 /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
66
67 -/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
68 -/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
69 -/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
70 +/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
71 +/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
72 +/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
73 /var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
74 -/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
75 +/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
76
77 /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
78 /var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0)
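Review bot: The narrowed `/var/lib/mailman/archives(/.*)?` entry now sits next to `/var/lib/mailman.*`, `/var/lock/mailman.*` and `/var/spool/mailman.*`, which keep the open-ended `.*` suffix and therefore still match any sibling directory whose name merely starts with `mailman`. Labelling of the archive tree still comes out right because the entry with the longer literal prefix takes precedence, but the file is now inconsistent about whether such alternate directory names are supported. If the intent is to drop them, the remaining `mailman.*` entries should get the same treatment in a follow-up, and the commit message should name the layout being targeted.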
79 @@ -17,16 +17,16 @@
80
81 /var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
82
83 -/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
84 -/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
85 -/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
86 -/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
87 -/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
88 -/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
89 +/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
90 +/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
91 +/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
92 +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
93 +/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
94 +/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
95
96 -/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
97 +/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
98
99 -/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
100 +/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
101
102 ifdef(`distro_gentoo',`
103 # Bug 536666
104
105 diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
106 index 7421ce3a..3de43d20 100644
107 --- a/policy/modules/contrib/mailman.te
108 +++ b/policy/modules/contrib/mailman.te
109 @@ -1,4 +1,4 @@
110 -policy_module(mailman, 1.12.0)
111 +policy_module(mailman, 1.12.1)
112
113 ########################################
114 #
115 @@ -91,12 +91,39 @@ miscfiles_read_localization(mailman_domain)
116 # CGI local policy
117 #
118
119 +allow mailman_cgi_t self:unix_dgram_socket { create connect };
120 +
121 +allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
122 +allow mailman_cgi_t mailman_archive_t:file read_file_perms;
123 +
124 +allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
125 +allow mailman_cgi_t mailman_data_t:file manage_file_perms;
126 +allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
127 +
128 +allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
129 +allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
130 +
131 +allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
132 +allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
133 +
134 +kernel_read_crypto_sysctls(mailman_cgi_t)
135 +kernel_read_system_state(mailman_cgi_t)
136 +
137 +corecmd_exec_bin(mailman_cgi_t)
138 +
139 dev_read_urand(mailman_cgi_t)
140
141 +files_search_locks(mailman_cgi_t)
142 +
143 term_use_controlling_term(mailman_cgi_t)
144
145 libs_dontaudit_write_lib_dirs(mailman_cgi_t)
146
147 +logging_search_logs(mailman_cgi_t)
148 +
149 +miscfiles_read_localization(mailman_cgi_t)
150 +
151 +
152 optional_policy(`
153 apache_sigchld(mailman_cgi_t)
154 apache_use_fds(mailman_cgi_t)
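Review bot: `miscfiles_read_localization(mailman_cgi_t)` duplicates the `miscfiles_read_localization(mailman_domain)` call visible in the hunk header, assuming mailman_cgi_t carries the mailman_domain attribute as the template in this file presumably assigns; the same duplicate is added for mailman_mail_t and mailman_queue_t in the two later hunks. The paired dir/file allow rules bypass the refpolicy patterns — `manage_files_pattern(mailman_cgi_t, mailman_data_t, mailman_data_t)` and `read_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t)` would express the same access in house style and keep the directory search implicit. `allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;` is broader than the `rw_dir_perms` the mail and queue domains receive on the same type; the web-facing CGI domain is the one that should get the least, so this looks inverted unless the CGI really creates or removes lock directories. The double blank line before `optional_policy(` is a stray.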
155 @@ -116,24 +143,61 @@ optional_policy(`
156 #
157
158 allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
159 -allow mailman_mail_t self:process { signal signull };
160 +allow mailman_mail_t self:process { signal signull setsched };
161 +
162 +allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
163 +allow mailman_mail_t mailman_archive_t:file manage_file_perms;
164 +allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
165 +
166 +allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
167 +allow mailman_mail_t mailman_data_t:file manage_file_perms;
168 +allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
169 +
170 +allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
171 +allow mailman_mail_t mailman_lock_t:file manage_file_perms;
172 +
173 +allow mailman_mail_t mailman_log_t:dir search;
174 +allow mailman_mail_t mailman_log_t:file read_file_perms;
175 +
176 +domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
177 +allow mailman_mail_t mailman_queue_exec_t:file ioctl;
178 +
179 +can_exec(mailman_mail_t, mailman_mail_exec_t)
180
181 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
182 manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
183 files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
184
185 -corenet_sendrecv_innd_client_packets(mailman_mail_t)
186 -corenet_tcp_connect_innd_port(mailman_mail_t)
187 -corenet_tcp_sendrecv_innd_port(mailman_mail_t)
188 +kernel_read_system_state(mailman_mail_t)
189
190 +corenet_tcp_connect_smtp_port(mailman_mail_t)
191 corenet_sendrecv_spamd_client_packets(mailman_mail_t)
192 +corenet_sendrecv_innd_client_packets(mailman_mail_t)
193 +corenet_tcp_connect_innd_port(mailman_mail_t)
194 corenet_tcp_connect_spamd_port(mailman_mail_t)
195 +corenet_tcp_sendrecv_innd_port(mailman_mail_t)
196 corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
197
198 dev_read_urand(mailman_mail_t)
199
200 +corecmd_exec_bin(mailman_mail_t)
201 +
202 +files_search_locks(mailman_mail_t)
203 +
204 fs_rw_anon_inodefs_files(mailman_mail_t)
205
206 +# this is far from ideal, but systemd reduces the importance of initrc_t
207 +init_signal_script(mailman_mail_t)
208 +init_signull_script(mailman_mail_t)
209 +
210 +# for python .path file
211 +libs_read_lib_files(mailman_mail_t)
212 +
213 +logging_search_logs(mailman_mail_t)
214 +
215 +miscfiles_read_localization(mailman_mail_t)
216 +
217 +mta_use_mailserver_fds(mailman_mail_t)
218 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
219 mta_dontaudit_rw_queue(mailman_mail_t)
220
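Review bot: `init_signal_script(mailman_mail_t)` lets the delivery domain, which receives inbound messages handed over by the MTA, send arbitrary signals to init scripts, and the `# this is far from ideal` comment does not say which process it needs to reach or on what event; extend the comment to name the target process and the signal so the grant can be narrowed, or replaced with signull alone, once that is known. The new `corenet_tcp_connect_smtp_port(mailman_mail_t)` stands alone while the innd and spamd ports in the same block also carry a `corenet_sendrecv_*_client_packets` rule; add `corenet_sendrecv_smtp_client_packets(mailman_mail_t)` for consistency. `allow mailman_mail_t mailman_queue_exec_t:file ioctl;` after the `domtrans_pattern` deserves a one-line why comment, since the pattern already grants the permissions needed to execute the file and the extra ioctl is not obvious from the code.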
221 @@ -159,18 +223,40 @@ allow mailman_queue_t self:capability { setgid setuid };
222 allow mailman_queue_t self:process { setsched signal_perms };
223 allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
224
225 +allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
226 +allow mailman_queue_t mailman_archive_t:file manage_file_perms;
227 +
228 +allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
229 +allow mailman_queue_t mailman_data_t:file manage_file_perms;
230 +allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
231 +
232 +allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
233 +allow mailman_queue_t mailman_lock_t:file manage_file_perms;
234 +
235 +allow mailman_queue_t mailman_log_t:dir list_dir_perms;
236 +allow mailman_queue_t mailman_log_t:file manage_file_perms;
237 +
238 +kernel_read_system_state(mailman_queue_t)
239 +
240 +auth_domtrans_chk_passwd(mailman_queue_t)
241 +
242 +corecmd_read_bin_files(mailman_queue_t)
243 +corecmd_read_bin_symlinks(mailman_queue_t)
244 corenet_sendrecv_innd_client_packets(mailman_queue_t)
245 corenet_tcp_connect_innd_port(mailman_queue_t)
246 corenet_tcp_sendrecv_innd_port(mailman_queue_t)
247
248 -auth_domtrans_chk_passwd(mailman_queue_t)
249 -
250 files_dontaudit_search_pids(mailman_queue_t)
251 +files_search_locks(mailman_queue_t)
252 +
253 +miscfiles_read_localization(mailman_queue_t)
254
255 seutil_dontaudit_search_config(mailman_queue_t)
256
257 userdom_search_user_home_dirs(mailman_queue_t)
258
259 +cron_rw_tmp_files(mailman_queue_t)
260 +
261 optional_policy(`
262 apache_read_config(mailman_queue_t)
263 ')
264
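Review bot: `cron_rw_tmp_files(mailman_queue_t)` is called unconditionally, but cron is a contrib module (its interface file is patched in this same commit) and the `apache_read_config` call two lines below is wrapped in `optional_policy(`…')`; a build that excludes the cron module will fail to expand the macro. Wrap it the same way: `optional_policy(`` / `	cron_rw_tmp_files(mailman_queue_t)` / `')`. Separately, `allow mailman_queue_t mailman_log_t:file manage_file_perms;` lets the queue runner, which processes untrusted mail, unlink and rename its own logs, while the directory only gets `list_dir_perms`, which lacks the `add_name`/`remove_name` those operations need; either the file rule should shrink to `append_file_perms` plus `create` (the CGI domain gets only append and read on the same type) or, if the runners really rotate their logs, the dir rule should become `rw_dir_perms` with a comment saying why.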
265 diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
266 index a5034276..7e268b80 100644
267 --- a/policy/modules/contrib/mta.if
268 +++ b/policy/modules/contrib/mta.if
269 @@ -338,6 +338,24 @@ interface(`mta_sendmail_mailserver',`
270 typeattribute $1 mailserver_domain;
271 ')
272
273 +########################################
274 +## <summary>
275 +## Inherit FDs from mailserver_domain domains
276 +## </summary>
277 +## <param name="type">
278 +## <summary>
279 +## Type for a list server or delivery agent that inherits fds
280 +## </summary>
281 +## </param>
282 +#
283 +interface(`mta_use_mailserver_fds',`
284 + gen_require(`
285 + attribute mailserver_domain;
286 + ')
287 +
288 + allow $1 mailserver_domain:fd use;
289 +')
290 +
291 #######################################
292 ## <summary>
293 ## Make a type a mailserver type used
294
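Review bot: The XML documentation for `mta_use_mailserver_fds` names its parameter `type`, whereas the interface this commit adds to cron.if, like the rest of refpolicy's domain-taking interfaces, uses `<param name="domain">` with the summary `Domain allowed access.`; the generated interface documentation is keyed on this name, so keep it `domain`. The summaries also lack the closing period used elsewhere: `Inherit and use mailserver file descriptors.` would match house style. No code change is needed.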
295 diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
296 index 9a3ee20e..f7280b11 100644
297 --- a/policy/modules/contrib/mta.te
298 +++ b/policy/modules/contrib/mta.te
299 @@ -1,4 +1,4 @@
300 -policy_module(mta, 2.8.1)
301 +policy_module(mta, 2.8.2)
302
303 ########################################
304 #