- Allow sendmail to create etc_aliases_t

This commit is contained in:
Daniel J Walsh 2007-09-06 02:24:18 +00:00
parent bea5486254
commit 601f0f04ee
2 changed files with 41 additions and 32 deletions

View File

@ -3164,7 +3164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.7/policy/modules/services/apache.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.7/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-08-22 07:14:07.000000000 -0400 --- nsaserefpolicy/policy/modules/services/apache.if 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/apache.if 2007-09-05 07:16:31.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/services/apache.if 2007-09-05 22:22:33.000000000 -0400
@@ -18,10 +18,6 @@ @@ -18,10 +18,6 @@
attribute httpd_script_exec_type; attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t; type httpd_t, httpd_suexec_t, httpd_log_t;
@ -3409,7 +3409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1013,46 +1047,143 @@ @@ -1013,46 +1047,141 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -3554,8 +3554,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ # Allow $1 to restart the apache service + # Allow $1 to restart the apache service
+ apache_script_domtrans($1) + apache_script_domtrans($1)
+ domain_system_change_exemption($1) + domain_system_change_exemption($1)
+ domain_role_change_exemption($1)
+ domain_obj_id_change_exemption($1)
+ role_transition $2 httpd_script_exec_t system_r; + role_transition $2 httpd_script_exec_t system_r;
+ allow $2 system_r; + allow $2 system_r;
+ +
@ -6184,8 +6182,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.7/policy/modules/services/mysql.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.7/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-05-29 14:10:57.000000000 -0400 --- nsaserefpolicy/policy/modules/services/mysql.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/mysql.if 2007-09-04 16:56:14.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/services/mysql.if 2007-09-05 22:11:26.000000000 -0400
@@ -157,3 +157,80 @@ @@ -157,3 +157,79 @@
logging_search_logs($1) logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl }; allow $1 mysqld_log_t:file { write append setattr ioctl };
') ')
@ -6241,13 +6239,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
+ type mysqld_script_exec_t; + type mysqld_script_exec_t;
+ ') + ')
+ +
+ allow $1 mysqld_t:process { ptrace signal_perms }; + allow $1 mysqld_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, mysqld_t, mysqld_t)
+ +
+ # Allow $1 to restart the apache service + # Allow $1 to restart the apache service
+ mysql_script_domtrans($1) + mysql_script_domtrans($1)
+ domain_role_change_exemption($1)
+ domain_system_change_exemption($1) + domain_system_change_exemption($1)
+ domain_obj_id_change_exemption($1)
+ role_transition $2 mysqld_script_exec_t system_r; + role_transition $2 mysqld_script_exec_t system_r;
+ allow $2 system_r; + allow $2 system_r;
+ +
@ -7324,8 +7321,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.7/policy/modules/services/postgresql.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.7/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-05-29 14:10:57.000000000 -0400 --- nsaserefpolicy/policy/modules/services/postgresql.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/postgresql.if 2007-09-05 15:13:11.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/services/postgresql.if 2007-09-05 22:13:10.000000000 -0400
@@ -113,3 +113,78 @@ @@ -113,3 +113,77 @@
# Some versions of postgresql put the sock file in /tmp # Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write; allow $1 postgresql_tmp_t:sock_file write;
') ')
@ -7379,13 +7376,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ type postgresql_log_t; + type postgresql_log_t;
+ ') + ')
+ +
+ allow $1 postgresql_t:process { ptrace signal_perms }; + allow $1 postgresql_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, postgresql_t, postgresql_t)
+ +
+ # Allow $1 to restart the apache service + # Allow $1 to restart the apache service
+ postgresql_script_domtrans($1) + postgresql_script_domtrans($1)
+ domain_system_change_exemption($1) + domain_system_change_exemption($1)
+ domain_role_change_exemption($1)
+ domain_obj_id_change_exemption($1)
+ role_transition $2 postgresql_script_exec_t system_r; + role_transition $2 postgresql_script_exec_t system_r;
+ allow $2 system_r; + allow $2 system_r;
+ +
@ -10347,7 +10343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.7/policy/modules/system/init.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.7/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-08-22 07:14:12.000000000 -0400 --- nsaserefpolicy/policy/modules/system/init.te 2007-08-22 07:14:12.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/init.te 2007-09-04 12:01:50.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/system/init.te 2007-09-05 22:21:18.000000000 -0400
@@ -10,6 +10,20 @@ @@ -10,6 +10,20 @@
# Declarations # Declarations
# #
@ -10418,7 +10414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
@@ -496,6 +511,39 @@ @@ -496,6 +511,43 @@
') ')
optional_policy(` optional_policy(`
@ -10449,8 +10445,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ +
+ tunable_policy(`allow_daemons_use_tty',` + tunable_policy(`allow_daemons_use_tty',`
+ unconfined_use_terminals(daemon) + unconfined_use_terminals(daemon)
+ term_use_all_user_ttys(daemon)
+ term_use_all_user_ptys(daemon)
+ ', ` + ', `
+ unconfined_dontaudit_use_terminals(daemon) + unconfined_dontaudit_use_terminals(daemon)
+ term_dontaudit_use_all_user_ttys(daemon)
+ term_dontaudit_use_all_user_ptys(daemon)
+ ') + ')
+') +')
+ +
@ -10458,7 +10458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
') ')
@@ -631,12 +679,6 @@ @@ -631,12 +683,6 @@
mta_read_config(initrc_t) mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t)
') ')
@ -10471,7 +10471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(` optional_policy(`
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@@ -702,6 +744,9 @@ @@ -702,6 +748,9 @@
# why is this needed: # why is this needed:
rpm_manage_db(initrc_t) rpm_manage_db(initrc_t)
@ -10720,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.7/policy/modules/system/logging.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.7/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400 --- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/logging.if 2007-09-04 17:01:26.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/system/logging.if 2007-09-05 22:22:05.000000000 -0400
@@ -33,8 +33,13 @@ @@ -33,8 +33,13 @@
## </param> ## </param>
# #
@ -11014,12 +11014,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ type auditd_var_run_t; + type auditd_var_run_t;
+ ') + ')
+ +
+ allow $1 auditd_t:process { ptrace signal_perms }; + allow $1 auditd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, auditd_t, auditd_t)
+
+ # Allow $1 to restart the apache service + # Allow $1 to restart the apache service
+ audit_script_domtrans($1) + audit_script_domtrans($1)
+ domain_role_change_exemption($1)
+ domain_system_change_exemption($1) + domain_system_change_exemption($1)
+ domain_obj_id_change_exemption($1)
+ role_transition $2 audit_script_exec_t system_r; + role_transition $2 audit_script_exec_t system_r;
+ allow $2 system_r; + allow $2 system_r;
+ +
@ -11068,14 +11068,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ type var_log_t; + type var_log_t;
+ ') + ')
+ +
+ allow $1 syslogd_t:process { ptrace signal_perms }; + allow $1 syslogd_t:process { ptrace signal_perms getattr };
+ allow $1 klogd_t:process { ptrace signal_perms }; + allow $1 klogd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, syslogd_t, syslogd_t)
+ read_files_pattern($1, klogd_t, klogd_t)
+ +
+ # Allow $1 to restart the apache service + # Allow $1 to restart the apache service
+ syslog_script_domtrans($1) + syslog_script_domtrans($1)
+ domain_role_change_exemption($1)
+ domain_system_change_exemption($1) + domain_system_change_exemption($1)
+ domain_obj_id_change_exemption($1)
+ role_transition $2 syslog_script_exec_t system_r; + role_transition $2 syslog_script_exec_t system_r;
+ allow $2 system_r; + allow $2 system_r;
+ +
@ -12585,7 +12585,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-04 16:56:00.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-05 22:07:53.000000000 -0400
@@ -45,7 +45,7 @@
type $1_tty_device_t;
term_user_tty($1_t,$1_tty_device_t)
- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
+ allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -62,6 +62,10 @@ @@ -62,6 +62,10 @@
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@ -14025,7 +14034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
+## <summary>Policy for webadm user</summary> +## <summary>Policy for webadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.7/policy/modules/users/webadm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.7/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.7/policy/modules/users/webadm.te 2007-08-31 15:27:24.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/users/webadm.te 2007-09-05 21:49:04.000000000 -0400
@@ -0,0 +1,42 @@ @@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0) +policy_module(webadm,1.0.0)
+ +

View File

@ -194,8 +194,8 @@ make clean
%if %{BUILD_TARGETED} %if %{BUILD_TARGETED}
# Build targeted policy # Build targeted policy
# Commented out because only targeted ref policy currently builds # Commented out because only targeted ref policy currently builds
%setupCmds targeted mcs n y %setupCmds targeted mcs y y
%installCmds targeted mcs n y %installCmds targeted mcs y y
%endif %endif
%if %{BUILD_MLS} %if %{BUILD_MLS}
@ -207,8 +207,8 @@ make clean
%if %{BUILD_OLPC} %if %{BUILD_OLPC}
# Build targeted policy # Build targeted policy
# Commented out because only targeted ref policy currently builds # Commented out because only targeted ref policy currently builds
%setupCmds olpc mcs n y %setupCmds olpc mcs y y
%installCmds olpc mcs n y %installCmds olpc mcs y y
%endif %endif
make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs