rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

mailman patch from dan.

Browse Source
This commit is contained in:
Chris PeBenito 2009-07-21 10:10:17 -04:00
parent 1847443ea3
commit 92f08c7130
3 changed files with 53 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/services/mailman.fc
View File

@ -27,6 +27,7 @@ ifdef(`distro_redhat', `
/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) /usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) /usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)

27
policy/modules/services/mailman.if
View File

@ -31,6 +31,12 @@ template(`mailman_domain_template', `
allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
allow mailman_$1_t self:udp_socket create_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms;
files_search_spool(mailman_$1_t)
manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
@ -190,7 +196,9 @@ interface(`mailman_read_data_files',`
type mailman_data_t; type mailman_data_t;
') ')
list_dirs_pattern($1, mailman_data_t, mailman_data_t)
read_files_pattern($1, mailman_data_t, mailman_data_t) read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
') ')
####################################### #######################################
@ -209,6 +217,7 @@ interface(`mailman_manage_data_files',`
type mailman_data_t; type mailman_data_t;
') ')
manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
manage_files_pattern($1, mailman_data_t, mailman_data_t) manage_files_pattern($1, mailman_data_t, mailman_data_t)
') ')
@ -248,6 +257,24 @@ interface(`mailman_read_data_symlinks',`
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
') ')
#######################################
## <summary>
## Read mailman logs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mailman_read_log',`
gen_require(`
type mailman_log_t;
')
read_files_pattern($1, mailman_log_t, mailman_log_t)
')
####################################### #######################################
## <summary> ## <summary>
## Append to mailman logs. ## Append to mailman logs.

35
policy/modules/services/mailman.te
View File

@ -1,5 +1,5 @@
policy_module(mailman, 1.6.4) policy_module(mailman, 1.6.5)
######################################## ########################################
# #
@ -53,10 +53,8 @@ optional_policy(`
apache_use_fds(mailman_cgi_t) apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t) apache_search_sys_script_state(mailman_cgi_t)
apache_read_config(mailman_cgi_t)
optional_policy(` apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
nscd_socket_use(mailman_cgi_t)
')
') ')
######################################## ########################################
@ -65,15 +63,26 @@ optional_policy(`
# #
allow mailman_mail_t self:unix_dgram_socket create_socket_perms; allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
allow mailman_mail_t self:process { signal signull };
allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
files_search_spool(mailman_mail_t)
fs_rw_anon_inodefs_files(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
mta_dontaudit_rw_queue(mailman_mail_t)
ifdef(`TODO',`
optional_policy(` optional_policy(`
allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; cron_read_pipes(mailman_mail_t)
# do we really need this?
allow mailman_mail_t qmail_lspawn_t:fifo_file write;
') ')
optional_policy(`
postfix_search_spool(mailman_mail_t)
') ')
######################################## ########################################
@ -103,8 +112,14 @@ seutil_dontaudit_search_config(mailman_queue_t)
# knows mailman well should test this out and send the changes # knows mailman well should test this out and send the changes
userdom_search_user_home_dirs(mailman_queue_t) userdom_search_user_home_dirs(mailman_queue_t)
su_exec(mailman_queue_t) optional_policy(`
apache_read_config(mailman_queue_t)
')
optional_policy(` optional_policy(`
cron_system_entry(mailman_queue_t, mailman_queue_exec_t) cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
') ')
optional_policy(`
su_exec(mailman_queue_t)
')