clean up patch from Serge Fri, 10 Feb 2006 18:01:06 -0600

This commit is contained in:
Chris PeBenito 2006-02-14 20:39:45 +00:00
parent b0d2243c21
commit 807a7778d1
3 changed files with 84 additions and 13 deletions

View File

@ -224,6 +224,12 @@ template(`mta_per_userdomain_template',`
userdom_manage_user_home_subdir_pipes($1,mailserver_delivery) userdom_manage_user_home_subdir_pipes($1,mailserver_delivery)
userdom_manage_user_home_subdir_sockets($1,mailserver_delivery) userdom_manage_user_home_subdir_sockets($1,mailserver_delivery)
userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
# Read user temporary files.
userdom_read_user_tmp_files($1,$1_mail_t)
userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
# cjp: this should probably be read all user tmp
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files($1,mta_user_agent)
tunable_policy(`use_samba_home_dirs',` tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t) fs_manage_cifs_files($1_mail_t)
@ -232,21 +238,17 @@ template(`mta_per_userdomain_template',`
optional_policy(`postfix',` optional_policy(`postfix',`
allow $1_mail_t self:capability dac_override; allow $1_mail_t self:capability dac_override;
# Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files($1,$1_mail_t)
postfix_read_config($1_mail_t) postfix_read_config($1_mail_t)
postfix_list_spool($1_mail_t) postfix_list_spool($1_mail_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
# Read user temporary files.
allow $1_mail_t $1_tmp_t:file r_file_perms;
dontaudit $1_mail_t $1_tmp_t:file append;
ifdef(`postfix.te',`
# postfix seems to need write access if the file handle is opened read/write
allow $1_mail_t $1_tmp_t:file write;
')
allow mta_user_agent $1_tmp_t:file r_file_perms;
# if you do not want to allow dead.letter then use the following instead # if you do not want to allow dead.letter then use the following instead
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms; #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
#allow $1_mail_t $1_home_t:file r_file_perms; #allow $1_mail_t $1_home_t:file r_file_perms;

View File

@ -157,11 +157,10 @@ template(`postfix_user_domain_template',`
template(`postfix_per_userdomain_template',` template(`postfix_per_userdomain_template',`
gen_require(` gen_require(`
attribute postfix_user_domains; attribute postfix_user_domains;
type postfix_postdrop_t;
') ')
# cjp: perhaps this should actually be $3 role $3 types postfix_postdrop_t;
# instead of just sysadm_r?
#role sysadm_r types postfix_user_domains;
allow postfix_user_domains $2:process sigchld; allow postfix_user_domains $2:process sigchld;
allow postfix_user_domains $2:fifo_file { write getattr }; allow postfix_user_domains $2:fifo_file { write getattr };

View File

@ -1915,6 +1915,76 @@ template(`userdom_dontaudit_read_user_tmp_files',`
dontaudit $2 $1_tmp_t:file r_file_perms; dontaudit $2 $1_tmp_t:file r_file_perms;
') ')
########################################
## <summary>
## Do not audit attempts to append users
## temporary files.
## </summary>
## <desc>
## <p>
## Do not audit attempts to append users
## temporary files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
type $1_tmp_t;
')
dontaudit $2 $1_tmp_t:file append;
')
########################################
## <summary>
## Read and write user temporary files.
## </summary>
## <desc>
## <p>
## Read and write user temporary files.
## </p>
## <p>
## This is a templated interface, and should only
## be called from a per-userdomain template.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
type $1_tmp_t;
')
files_search_tmp($2)
allow $2 $1_tmp_t:dir r_dir_perms;
allow $2 $1_tmp_t:file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read user ## Read user