diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index e2aa6350..7d00dad2 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -322,14 +322,14 @@ seutil_domtrans_restorecon(rpm_script_t)
 userdom_use_all_user_fd(rpm_script_t)
-ifdef(`distro_redhat',`
- optional_policy(`mta.te',`
- mta_send_mail(rpm_script_t)
- ')
-')
-
 ifdef(`targeted_policy',`
 unconfined_domain_template(rpm_script_t)
+',`
+ ifdef(`distro_redhat',`
+ optional_policy(`mta.te',`
+ mta_send_mail(rpm_script_t)
+ ')
+ ')
 ')
 tunable_policy(`allow_execmem',`
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 9ea0e725..f23fbd0e 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -130,8 +130,6 @@ miscfiles_read_localization(crond_t)
 userdom_use_unpriv_users_fd(crond_t)
-mta_send_mail(crond_t)
-
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 # via redirection of standard out.
@@ -164,6 +162,8 @@ ifdef(`targeted_policy',`
 allow crond_t crond_tmp_t:dir create_dir_perms;
 allow crond_t crond_tmp_t:file create_file_perms;
 files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
+
+ mta_send_mail(crond_t)
 ')
 tunable_policy(`fcron_crond', `
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 0a46adb6..51a4b2ac 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -105,6 +105,15 @@ sysnet_dns_name_resolve(system_mail_t)
 userdom_use_sysadm_terms(system_mail_t)
+ifdef(`hide_broken_symptoms',`
+ # Red Hat systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_redhat',`
+ kernel_dontaudit_use_fd(system_mail_t)
+ storage_dontaudit_read_fixed_disk(system_mail_t)
+ ')
+')
+
 ifdef(`targeted_policy',`
 typealias system_mail_t alias sysadm_mail_t;
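Review bot: In the rpm.te hunk the `mta_send_mail(rpm_script_t)` call now sits only in the else arm of the targeted_policy ifdef, and nothing on the new side says why. The second cron.te hunk makes the same move for `mta_send_mail(crond_t)`; its enclosing ifdef opens outside the hunk, so the arm it lands in cannot be confirmed from here. Presumably the unconfined template makes the explicit call redundant under the targeted policy, but it is worth confirming that the mail helper still ends up in `system_mail_t` there rather than running with the caller's unconfined rights. I would add a comment above each moved call, for example `# strict policy only: under targeted_policy this domain is unconfined, so no explicit mail transition is declared`.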
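Review bot: The comment added in the mta.te hunk does not say that `kernel_dontaudit_use_fd(system_mail_t)` and `storage_dontaudit_read_fixed_disk(system_mail_t)` only suppress audit records and grant nothing. That matters for anyone reading the logs, because with `hide_broken_symptoms` defined a mail domain that touches a fixed disk device for any other reason is denied without leaving an AVC message. I would reword the comment to `# Red Hat systems seem to have stray fds open from the initrd; dontaudit only, denials are hidden from the audit log` (the current text reads "a stray fds"). The init.if hunk adds the same rules inside `init_domain`, so they apply to every domain passed as `$1` and the same caveat holds there with wider reach.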
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 6b38b034..93d6de5c 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -32,11 +32,16 @@ interface(`init_domain',`
 allow $1 init_t:fifo_file rw_file_perms;
 allow $1 init_t:process sigchld;
- # Red Hat systems seem to have a stray
- # fd open from the initrd
- optional_policy(`distro_redhat',`
- kernel_dontaudit_use_fd($1)
- files_dontaudit_read_root_file($1)
+ # Red Hat systems seem to have stray
+ # fds open from the initrd
+ ifdef(`hide_broken_symptoms',`
+ # Red Hat systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_redhat',`
+ kernel_dontaudit_use_fd($1)
+ storage_dontaudit_read_fixed_disk($1)
+ files_dontaudit_read_root_file($1)
+ ')
 ')
 ')
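Review bot: The stray-descriptor comment is now present twice in `init_domain`, once above the hide_broken_symptoms ifdef and again inside it, and the inner copy reads "a stray fds". One copy is enough; I would keep the outer one and replace the inner pair with a line that says what the rules do, such as `# dontaudit only: hides denials on descriptors inherited from the initrd`. Because this is an interface, the three dontaudit rules are applied to every domain passed as `$1`, so the comment is the only place a reader learns that these denials are silenced on purpose. The interface body starts before the hunk.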