- Allow cron to run unconfined apps
This commit is contained in:
Daniel J Walsh
parent
91c2fa9d31
commit
194f6c15a0
@ -1565,3 +1565,10 @@ munin = module
|
||||
#
|
||||
bitlbee = module
|
||||
|
||||
# Layer: services
|
||||
# Module: soundserver
|
||||
#
|
||||
# sound server for network audio server programs, nasd, yiff, etc</summary>
|
||||
#
|
||||
soundserver = module
|
||||
|
||||
|
||||
@ -109,6 +109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.4/M
|
||||
endef
|
||||
|
||||
# create-base-per-role-tmpl modulenames,outputfile
|
||||
Binary files nsaserefpolicy/man/ru/man8/samba_selinux.8.gz and serefpolicy-3.2.4/man/ru/man8/samba_selinux.8.gz differ
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.4/policy/flask/access_vectors
|
||||
--- nsaserefpolicy/policy/flask/access_vectors 2007-08-11 06:22:29.000000000 -0400
|
||||
+++ serefpolicy-3.2.4/policy/flask/access_vectors 2007-12-13 17:37:33.000000000 -0500
|
||||
@ -703,7 +704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.4/policy/modules/admin/kudzu.te
|
||||
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-10-12 08:56:09.000000000 -0400
|
||||
+++ serefpolicy-3.2.4/policy/modules/admin/kudzu.te 2007-12-13 17:37:33.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/admin/kudzu.te 2007-12-18 10:07:53.000000000 -0500
|
||||
@@ -21,8 +21,8 @@
|
||||
# Local policy
|
||||
#
|
||||
@ -732,19 +733,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
|
||||
# kudzu will telinit to make init re-read
|
||||
# the inittab after configuring serial consoles
|
||||
init_telinit(kudzu_t)
|
||||
@@ -140,30 +143,3 @@
|
||||
optional_policy(`
|
||||
udev_read_db(kudzu_t)
|
||||
@@ -142,28 +145,6 @@
|
||||
')
|
||||
-
|
||||
-optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
- # cjp: this was originally in the else block
|
||||
- # of ifdef userhelper.te, but it seems to
|
||||
- # make more sense here. also, require
|
||||
- # blocks curently do not work in the
|
||||
- # else block of optionals
|
||||
- unconfined_domain(kudzu_t)
|
||||
-')
|
||||
+ unconfined_domtrans(kudzu_t)
|
||||
unconfined_domain(kudzu_t)
|
||||
')
|
||||
-
|
||||
-ifdef(`TODO',`
|
||||
-allow kudzu_t modules_conf_t:file unlink;
|
||||
@ -3405,6 +3405,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
|
||||
+optional_policy(`
|
||||
+ xserver_xdm_rw_shm(wine_t)
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.4/policy/modules/kernel/corecommands.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/kernel/corecommands.fc 2007-12-18 11:39:23.000000000 -0500
|
||||
@@ -127,6 +127,8 @@
|
||||
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
@@ -147,7 +149,7 @@
|
||||
/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
-/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -186,6 +188,8 @@
|
||||
/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
+/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.4/policy/modules/kernel/corecommands.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/kernel/corecommands.if 2007-12-13 17:37:34.000000000 -0500
|
||||
@ -3418,8 +3448,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
|
||||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in
|
||||
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in 2007-12-13 17:37:34.000000000 -0500
|
||||
@@ -133,6 +133,7 @@
|
||||
+++ serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in 2007-12-18 14:43:53.000000000 -0500
|
||||
@@ -122,6 +122,7 @@
|
||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||
network_port(monopd, tcp,1234,s0)
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
+network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
@@ -133,6 +134,7 @@
|
||||
network_port(pegasus_http, tcp,5988,s0)
|
||||
network_port(pegasus_https, tcp,5989,s0)
|
||||
network_port(postfix_policyd, tcp,10031,s0)
|
||||
@ -3448,7 +3486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.4/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
|
||||
+++ serefpolicy-3.2.4/policy/modules/kernel/devices.if 2007-12-13 17:37:34.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/kernel/devices.if 2007-12-18 10:39:31.000000000 -0500
|
||||
@@ -65,7 +65,7 @@
|
||||
|
||||
relabelfrom_dirs_pattern($1,device_t,device_node)
|
||||
@ -3484,7 +3522,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
## Delete a directory in the device directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -667,6 +686,7 @@
|
||||
@@ -649,6 +668,7 @@
|
||||
')
|
||||
|
||||
getattr_blk_files_pattern($1,device_t,device_node)
|
||||
+
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -667,6 +687,7 @@
|
||||
')
|
||||
|
||||
dontaudit $1 device_node:blk_file getattr;
|
||||
@ -3492,7 +3538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -704,6 +724,7 @@
|
||||
@@ -704,6 +725,7 @@
|
||||
')
|
||||
|
||||
dontaudit $1 device_node:chr_file getattr;
|
||||
@ -3500,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2787,6 +2808,97 @@
|
||||
@@ -2787,6 +2809,97 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -4924,6 +4970,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.2.4/policy/modules/services/bitlbee.te
|
||||
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2007-09-17 15:56:47.000000000 -0400
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/bitlbee.te 2007-12-18 09:56:33.000000000 -0500
|
||||
@@ -54,6 +54,9 @@
|
||||
corenet_tcp_connect_msnp_port(bitlbee_t)
|
||||
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
|
||||
|
||||
+dev_read_rand(bitlbee_t)
|
||||
+dev_read_urand(bitlbee_t)
|
||||
+
|
||||
files_read_etc_files(bitlbee_t)
|
||||
files_search_pids(bitlbee_t)
|
||||
# grant read-only access to the user help files
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.4/policy/modules/services/bluetooth.fc
|
||||
--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-11-16 17:15:20.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/bluetooth.fc 2007-12-13 17:37:34.000000000 -0500
|
||||
@ -6118,7 +6177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.4/policy/modules/services/dovecot.te
|
||||
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/dovecot.te 2007-12-13 17:37:34.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/dovecot.te 2007-12-18 11:01:04.000000000 -0500
|
||||
@@ -15,6 +15,12 @@
|
||||
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
||||
role system_r types dovecot_auth_t;
|
||||
@ -6218,7 +6277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ postfix_manage_pivate_sockets(dovecot_auth_t)
|
||||
+ postfix_manage_private_sockets(dovecot_auth_t)
|
||||
+ postfix_search_spool(dovecot_auth_t)
|
||||
')
|
||||
+
|
||||
@ -6465,6 +6524,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
|
||||
+ exim_manage_var_lib(exim_lib_update_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.4/policy/modules/services/fail2ban.fc
|
||||
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/fail2ban.fc 2007-12-18 11:18:22.000000000 -0500
|
||||
@@ -1,3 +1,4 @@
|
||||
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
||||
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
||||
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
|
||||
/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.4/policy/modules/services/ftp.if
|
||||
--- nsaserefpolicy/policy/modules/services/ftp.if 2007-10-12 08:56:07.000000000 -0400
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/ftp.if 2007-12-13 17:37:34.000000000 -0500
|
||||
@ -6931,6 +6998,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.4/policy/modules/services/mailman.if
|
||||
--- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/mailman.if 2007-12-18 11:04:17.000000000 -0500
|
||||
@@ -211,6 +211,7 @@
|
||||
type mailman_data_t;
|
||||
')
|
||||
|
||||
+ manage_dirs_pattern($1,mailman_data_t,mailman_data_t)
|
||||
manage_files_pattern($1,mailman_data_t,mailman_data_t)
|
||||
')
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.4/policy/modules/services/mailman.te
|
||||
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/mailman.te 2007-12-13 17:37:34.000000000 -0500
|
||||
@ -7274,6 +7352,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
|
||||
smartmon_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.4/policy/modules/services/munin.fc
|
||||
--- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/munin.fc 2007-12-18 14:51:15.000000000 -0500
|
||||
@@ -8,4 +8,5 @@
|
||||
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
||||
/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
|
||||
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
|
||||
-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
||||
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:http_munin_content_t,s0)
|
||||
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:http_munin_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.4/policy/modules/services/munin.te
|
||||
--- nsaserefpolicy/policy/modules/services/munin.te 2007-11-15 13:40:14.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/munin.te 2007-12-18 14:50:13.000000000 -0500
|
||||
@@ -37,6 +37,9 @@
|
||||
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow munin_t self:tcp_socket create_stream_socket_perms;
|
||||
allow munin_t self:udp_socket create_socket_perms;
|
||||
+allow munin_t self:fifo_file create_fifo_file_perms;
|
||||
+
|
||||
+can_exec(munin_t, munin_exec_t)
|
||||
|
||||
allow munin_t munin_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
|
||||
@@ -73,6 +76,7 @@
|
||||
corenet_udp_sendrecv_all_nodes(munin_t)
|
||||
corenet_tcp_sendrecv_all_ports(munin_t)
|
||||
corenet_udp_sendrecv_all_ports(munin_t)
|
||||
+corenet_tcp_connect_munin_port(munin_t)
|
||||
|
||||
dev_read_sysfs(munin_t)
|
||||
dev_read_urand(munin_t)
|
||||
@@ -118,3 +122,9 @@
|
||||
optional_policy(`
|
||||
udev_read_db(munin_t)
|
||||
')
|
||||
+
|
||||
+#============= http munin policy ==============
|
||||
+apache_content_template(munin)
|
||||
+
|
||||
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
||||
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.4/policy/modules/services/mysql.fc
|
||||
--- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/mysql.fc 2007-12-13 17:37:34.000000000 -0500
|
||||
@ -8222,7 +8341,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.4/policy/modules/services/postfix.if
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/postfix.if 2007-12-13 17:37:34.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/postfix.if 2007-12-18 11:00:59.000000000 -0500
|
||||
@@ -416,7 +416,7 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`postfix_create_pivate_sockets',`
|
||||
+interface(`postfix_create_private_sockets',`
|
||||
gen_require(`
|
||||
type postfix_private_t;
|
||||
')
|
||||
@@ -427,6 +427,26 @@
|
||||
|
||||
########################################
|
||||
@ -8235,7 +8363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`postfix_manage_pivate_sockets',`
|
||||
+interface(`postfix_manage_private_sockets',`
|
||||
+ gen_require(`
|
||||
+ type postfix_private_t;
|
||||
+ ')
|
||||
@ -8252,7 +8380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
## </summary>
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.4/policy/modules/services/postfix.te
|
||||
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/postfix.te 2007-12-13 17:37:34.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/services/postfix.te 2007-12-18 10:58:24.000000000 -0500
|
||||
@@ -6,6 +6,14 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -8303,7 +8431,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
|
||||
optional_policy(`
|
||||
cyrus_stream_connect(postfix_master_t)
|
||||
@@ -273,6 +288,8 @@
|
||||
@@ -248,6 +263,10 @@
|
||||
|
||||
corecmd_exec_bin(postfix_cleanup_t)
|
||||
|
||||
+optional_policy(`
|
||||
+ mailman_read_data_files(postfix_cleanup_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Postfix local local policy
|
||||
@@ -273,6 +292,8 @@
|
||||
|
||||
files_read_etc_files(postfix_local_t)
|
||||
|
||||
@ -8312,7 +8451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
mta_read_aliases(postfix_local_t)
|
||||
mta_delete_spool(postfix_local_t)
|
||||
# For reading spamassasin
|
||||
@@ -285,6 +302,7 @@
|
||||
@@ -285,6 +306,7 @@
|
||||
optional_policy(`
|
||||
# for postalias
|
||||
mailman_manage_data_files(postfix_local_t)
|
||||
@ -8320,7 +8459,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -346,8 +364,6 @@
|
||||
@@ -295,8 +317,7 @@
|
||||
#
|
||||
# Postfix map local policy
|
||||
#
|
||||
-
|
||||
-allow postfix_map_t self:capability setgid;
|
||||
+allow postfix_map_t self:capability { dac_override setgid setuid };
|
||||
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -346,8 +367,6 @@
|
||||
|
||||
miscfiles_read_localization(postfix_map_t)
|
||||
|
||||
@ -8329,7 +8478,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(postfix_map_t)
|
||||
files_read_default_files(postfix_map_t)
|
||||
@@ -392,6 +408,10 @@
|
||||
@@ -360,6 +379,11 @@
|
||||
locallogin_dontaudit_use_fds(postfix_map_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+# for postalias
|
||||
+ mailman_manage_data_files(postfix_map_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Postfix pickup local policy
|
||||
@@ -392,6 +416,10 @@
|
||||
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -8340,7 +8501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
procmail_domtrans(postfix_pipe_t)
|
||||
')
|
||||
|
||||
@@ -400,6 +420,10 @@
|
||||
@@ -400,6 +428,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -8351,7 +8512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
uucp_domtrans_uux(postfix_pipe_t)
|
||||
')
|
||||
|
||||
@@ -532,9 +556,6 @@
|
||||
@@ -532,9 +564,6 @@
|
||||
# connect to master process
|
||||
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
|
||||
|
||||
@ -8361,7 +8522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
|
||||
# for prng_exch
|
||||
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
|
||||
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
|
||||
@@ -557,6 +578,10 @@
|
||||
@@ -557,6 +586,10 @@
|
||||
sasl_connect(postfix_smtpd_t)
|
||||
')
|
||||
|
||||
@ -13821,7 +13982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.4/policy/modules/system/unconfined.te
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/system/unconfined.te 2007-12-17 17:05:56.000000000 -0500
|
||||
+++ serefpolicy-3.2.4/policy/modules/system/unconfined.te 2007-12-18 13:42:58.000000000 -0500
|
||||
@@ -9,32 +9,48 @@
|
||||
# usage in this module of types created by these
|
||||
# calls is not correct, however we dont currently
|
||||
|
||||
Loading…
Reference in New Issue
Block a user