- Allow cronjobs to read exim_spool_t

2009-08-22 11:51:13 +00:00 · 2009-08-22 11:51:13 +00:00 · 8e64d7d393
commit 8e64d7d393
parent c5f5b5dbcb
2 changed files with 38 additions and 22 deletions
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -3539,16 +3539,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +miscfiles_read_localization(ptchown_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te	2009-08-21 18:56:07.000000000 -0400
+++ serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te	2009-08-22 07:48:07.000000000 -0400
-@@ -22,6 +22,7 @@
+@@ -22,6 +22,9 @@
 allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
 allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
 allow pulseaudio_t self:udp_socket create_socket_perms;
 +allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
 +can_exec(pulseaudio_t, pulseaudio_exec_t)
 kernel_read_kernel_sysctls(pulseaudio_t)
-@@ -47,6 +48,7 @@
+@@ -47,6 +50,7 @@
 fs_rw_anon_inodefs_files(pulseaudio_t)
 fs_getattr_tmpfs(pulseaudio_t)
@ -3556,15 +3558,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_use_all_user_ttys(pulseaudio_t)
 term_use_all_user_ptys(pulseaudio_t)
-@@ -81,12 +83,15 @@
+@@ -78,6 +82,15 @@
- ')
+ 	policykit_domtrans_auth(pulseaudio_t)
- 
+ 	policykit_read_lib(pulseaudio_t)
- optional_policy(`
+ 	policykit_read_reload(pulseaudio_t)
-+	rpm_dbus_chat(pulseaudio_t)
+	policykit_dbus_chat(pulseaudio_t)
 +')
 +
 +optional_policy(`
- 	udev_read_db(pulseaudio_t)
+	rtkit_daemon_system_domain(pulseaudio_t)
 +')
 +
 +optional_policy(`
 +	rpm_dbus_chat(pulseaudio_t)
 ')
 optional_policy(`
@@ -85,8 +98,7 @@
 ')
 optional_policy(`
@ -10536,7 +10546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.28/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.28/policy/modules/services/cron.te	2009-08-21 18:56:07.000000000 -0400
+++ serefpolicy-3.6.28/policy/modules/services/cron.te	2009-08-22 07:19:25.000000000 -0400
@@ -38,6 +38,10 @@
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
@ -10811,18 +10821,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# via redirection of standard out.
 	optional_policy(`
 		rpm_manage_log(system_cronjob_t)
-@@ -419,6 +490,10 @@
+@@ -419,6 +490,14 @@
 ')
 optional_policy(`
 +	dbus_system_bus_client(system_cronjob_t)
 +')
 +
 +optional_policy(`
 +	exim_read_spool_files(system_cronjob_t)
 +')
 +
 +optional_policy(`
 	ftp_read_log(system_cronjob_t)
 ')
-@@ -429,11 +504,20 @@
+@@ -429,11 +508,20 @@
 ')
 optional_policy(`
@ -10843,7 +10857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -445,9 +529,11 @@
+@@ -445,9 +533,11 @@
 ')	
 optional_policy(`
@ -10857,7 +10871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -461,8 +547,7 @@
+@@ -461,8 +551,7 @@
 ')
 optional_policy(`
@ -10867,7 +10881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -470,24 +555,17 @@
+@@ -470,24 +559,17 @@
 ')
 optional_policy(`
@ -10895,7 +10909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow cronjob_t self:process { signal_perms setsched };
 allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -571,6 +649,9 @@
+@@ -571,6 +653,9 @@
 userdom_manage_user_home_content_sockets(cronjob_t)
 #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
@ -10905,7 +10919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`fcron_crond', `
 	allow crond_t user_cron_spool_t:file manage_file_perms;
 ')
-@@ -590,13 +671,5 @@
+@@ -590,13 +675,5 @@
 #
 optional_policy(`
@ -15532,8 +15546,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/libexec/rtkit-daemon	--	gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.if
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.if	2009-08-21 18:56:07.000000000 -0400
+++ serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.if	2009-08-22 07:45:49.000000000 -0400
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,63 @@
 +
 +## <summary>policy for rtkit_daemon</summary>
 +
@ -15580,8 +15594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
-+##	Send and receive messages from
+##	Allow rtkit to control scheduling for your process
 +##	rtkit_daemon over dbus.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.28
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -475,6 +475,9 @@ exit 0
 %endif
 %changelog
 * Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-5
 - Allow cronjobs to read exim_spool_t
 * Fri Aug 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.28-4
 - Add ABRT policy