more broken symptoms

2005-11-11 22:21:32 +00:00 · 2005-11-11 22:21:32 +00:00 · 15c235f75c
commit 15c235f75c
parent af86646bfe
4 changed files with 27 additions and 13 deletions
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@ -322,14 +322,14 @@ seutil_domtrans_restorecon(rpm_script_t)

 userdom_use_all_user_fd(rpm_script_t)

-ifdef(`distro_redhat',`
+ifdef(`targeted_policy',`
+	unconfined_domain_template(rpm_script_t)
+',`
+	ifdef(`distro_redhat',`
 		optional_policy(`mta.te',`
 			mta_send_mail(rpm_script_t)
 		')
-')
-
-ifdef(`targeted_policy',`
-	unconfined_domain_template(rpm_script_t)
+	')
 ')

 tunable_policy(`allow_execmem',`
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -130,8 +130,6 @@ miscfiles_read_localization(crond_t)

 userdom_use_unpriv_users_fd(crond_t)

-mta_send_mail(crond_t)
-
 ifdef(`distro_redhat', `
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 	# via redirection of standard out.
@ -164,6 +162,8 @@ ifdef(`targeted_policy',`
 	allow crond_t crond_tmp_t:dir create_dir_perms;
 	allow crond_t crond_tmp_t:file create_file_perms;
 	files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
+
+	mta_send_mail(crond_t)
 ')

 tunable_policy(`fcron_crond', `
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@ -105,6 +105,15 @@ sysnet_dns_name_resolve(system_mail_t)

 userdom_use_sysadm_terms(system_mail_t)

+ifdef(`hide_broken_symptoms',`
+	# Red Hat systems seem to have a stray
+	# fds open from the initrd
+	ifdef(`distro_redhat',`
+		kernel_dontaudit_use_fd(system_mail_t)
+		storage_dontaudit_read_fixed_disk(system_mail_t)
+	')
+')
+
 ifdef(`targeted_policy',`
 	typealias system_mail_t alias sysadm_mail_t;

--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -32,12 +32,17 @@ interface(`init_domain',`
 	allow $1 init_t:fifo_file rw_file_perms;
 	allow $1 init_t:process sigchld;

+	# Red Hat systems seem to have stray
+	# fds open from the initrd
+	ifdef(`hide_broken_symptoms',`
 		# Red Hat systems seem to have a stray
-	# fd open from the initrd
-	optional_policy(`distro_redhat',`
+		# fds open from the initrd
+		ifdef(`distro_redhat',`
 			kernel_dontaudit_use_fd($1)
+			storage_dontaudit_read_fixed_disk($1)
 			files_dontaudit_read_root_file($1)
 		')
+	')
 ')

 ########################################