From 88bc7af316b4442772c375d60e295046801b47be Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 10 May 2006 18:42:22 +0000
Subject: [PATCH] fix sendmail_exec_t encapsulation breakage
---
 refpolicy/policy/modules/services/mta.if | 38 ++++++++++++++++++-
 refpolicy/policy/modules/services/sendmail.if | 6 +--
 2 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 70f6fdfc..46037c02 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -474,6 +474,41 @@ interface(`mta_send_mail',`
 allow mta_user_agent $1:fifo_file { read write };
 ')
+########################################
+##
+## Execute send mail in a specified domain.
+##
+##
+##

+## Execute send mail in a specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+##
+##
+## Domain to transition from.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+#
+interface(`mta_sendmail_domtrans',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_read_sbin_symlinks($1)
+ domain_auto_trans($1,sendmail_exec_t,$2)
+')
+
 ########################################
 ##
 ## Execute sendmail in the caller domain.
@@ -484,12 +519,13 @@ interface(`mta_send_mail',`
 ##
 ##
 #
-interface(`mta_exec',`
+interface(`mta_sendmail_exec',`
 gen_require(`
 type sendmail_exec_t;
 ')
 can_exec($1, sendmail_exec_t)
+ errprint(`bah $1'__endline__)
 ')
 ########################################
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index 6af71b95..28a0ca6f 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -28,12 +28,10 @@ interface(`sendmail_stub',`
 #
 interface(`sendmail_domtrans',`
 gen_require(`
- type sendmail_exec_t, sendmail_t;
+ type sendmail_t;
 ')
- files_search_usr($1)
- corecmd_search_sbin($1)
- domain_auto_trans($1,sendmail_exec_t,sendmail_t)
+ mta_sendmail_domtrans($1,sendmail_t)
 allow $1 sendmail_t:fd use;
 allow sendmail_t $1:fd use;
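Review bot: In the new `mta_sendmail_domtrans` (mta.if, first hunk) the sbin access is `corecmd_read_sbin_symlinks($1)`, whereas the body it replaces in `sendmail_domtrans` (sendmail.if hunk) granted `corecmd_search_sbin($1)`, so the refactor changes the permission set of every existing caller rather than only moving code. If the symlink interface does not also grant search on the sbin directory, callers lose an access they had; if it grants more, they gain a symlink read that was not reviewed as such. Either keep `corecmd_search_sbin($1)` next to it or state in the commit message that the switch is intentional. The summary text also says "send mail" where the neighbouring interface says "sendmail".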
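Review bot: The added line ``errprint(`bah $1'__endline__)`` in `mta_sendmail_exec` (mta.if, second hunk) looks like leftover debugging; it appears to print "bah" plus the caller domain at build time on every expansion and contributes nothing to the policy, so it should be dropped before this lands. The same hunk renames `mta_exec` to `mta_sendmail_exec` while the diffstat lists only mta.if and sendmail.if, so any module still calling `mta_exec` would no longer get the `can_exec` rule expanded. If such callers exist, update them in this commit or keep `mta_exec` as a thin wrapper that calls `mta_sendmail_exec($1)`. The interface's documentation header starts above the hunk.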