clean up patch from Serge Fri, 10 Feb 2006 18:01:06 -0600
This commit is contained in:
parent
b0d2243c21
commit
807a7778d1
@ -224,6 +224,12 @@ template(`mta_per_userdomain_template',`
|
|||||||
userdom_manage_user_home_subdir_pipes($1,mailserver_delivery)
|
userdom_manage_user_home_subdir_pipes($1,mailserver_delivery)
|
||||||
userdom_manage_user_home_subdir_sockets($1,mailserver_delivery)
|
userdom_manage_user_home_subdir_sockets($1,mailserver_delivery)
|
||||||
userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
|
userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
|
||||||
|
# Read user temporary files.
|
||||||
|
userdom_read_user_tmp_files($1,$1_mail_t)
|
||||||
|
userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
|
||||||
|
# cjp: this should probably be read all user tmp
|
||||||
|
# files in an appropriate place for mta_user_agent
|
||||||
|
userdom_read_user_tmp_files($1,mta_user_agent)
|
||||||
|
|
||||||
tunable_policy(`use_samba_home_dirs',`
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
fs_manage_cifs_files($1_mail_t)
|
fs_manage_cifs_files($1_mail_t)
|
||||||
@ -232,21 +238,17 @@ template(`mta_per_userdomain_template',`
|
|||||||
|
|
||||||
optional_policy(`postfix',`
|
optional_policy(`postfix',`
|
||||||
allow $1_mail_t self:capability dac_override;
|
allow $1_mail_t self:capability dac_override;
|
||||||
|
|
||||||
|
# Read user temporary files.
|
||||||
|
# postfix seems to need write access if the file handle is opened read/write
|
||||||
|
userdom_rw_user_tmp_files($1,$1_mail_t)
|
||||||
|
|
||||||
postfix_read_config($1_mail_t)
|
postfix_read_config($1_mail_t)
|
||||||
postfix_list_spool($1_mail_t)
|
postfix_list_spool($1_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Read user temporary files.
|
|
||||||
allow $1_mail_t $1_tmp_t:file r_file_perms;
|
|
||||||
dontaudit $1_mail_t $1_tmp_t:file append;
|
|
||||||
ifdef(`postfix.te',`
|
|
||||||
# postfix seems to need write access if the file handle is opened read/write
|
|
||||||
allow $1_mail_t $1_tmp_t:file write;
|
|
||||||
')
|
|
||||||
|
|
||||||
allow mta_user_agent $1_tmp_t:file r_file_perms;
|
|
||||||
|
|
||||||
# if you do not want to allow dead.letter then use the following instead
|
# if you do not want to allow dead.letter then use the following instead
|
||||||
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
||||||
#allow $1_mail_t $1_home_t:file r_file_perms;
|
#allow $1_mail_t $1_home_t:file r_file_perms;
|
||||||
|
@ -157,11 +157,10 @@ template(`postfix_user_domain_template',`
|
|||||||
template(`postfix_per_userdomain_template',`
|
template(`postfix_per_userdomain_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute postfix_user_domains;
|
attribute postfix_user_domains;
|
||||||
|
type postfix_postdrop_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
# cjp: perhaps this should actually be $3
|
role $3 types postfix_postdrop_t;
|
||||||
# instead of just sysadm_r?
|
|
||||||
#role sysadm_r types postfix_user_domains;
|
|
||||||
|
|
||||||
allow postfix_user_domains $2:process sigchld;
|
allow postfix_user_domains $2:process sigchld;
|
||||||
allow postfix_user_domains $2:fifo_file { write getattr };
|
allow postfix_user_domains $2:fifo_file { write getattr };
|
||||||
|
@ -1915,6 +1915,76 @@ template(`userdom_dontaudit_read_user_tmp_files',`
|
|||||||
dontaudit $2 $1_tmp_t:file r_file_perms;
|
dontaudit $2 $1_tmp_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to append users
|
||||||
|
## temporary files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Do not audit attempts to append users
|
||||||
|
## temporary files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## <summary>
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_dontaudit_append_user_tmp_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $2 $1_tmp_t:file append;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write user temporary files.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Read and write user temporary files.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is a templated interface, and should only
|
||||||
|
## be called from a per-userdomain template.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="userdomain_prefix">
|
||||||
|
## <summary>
|
||||||
|
## The prefix of the user domain (e.g., user
|
||||||
|
## is the prefix for user_t).
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
template(`userdom_rw_user_tmp_files',`
|
||||||
|
gen_require(`
|
||||||
|
type $1_tmp_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_tmp($2)
|
||||||
|
allow $2 $1_tmp_t:dir r_dir_perms;
|
||||||
|
allow $2 $1_tmp_t:file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read user
|
## Read user
|
||||||
|
Loading…
Reference in New Issue
Block a user