From aa7c463e5d5399773d659c3d68902433a644b2b5 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 13 Oct 2008 13:36:50 +0000 Subject: [PATCH] trunk: a pile of misc fixes. --- policy/modules/services/automount.if | 8 ++------ policy/modules/services/bind.if | 10 ++++++++++ policy/modules/services/mta.if | 20 ++++++++++++++++++++ policy/modules/services/mta.te | 2 +- policy/modules/services/ntp.if | 2 +- policy/modules/services/oident.if | 12 ++++++------ policy/modules/services/oident.te | 2 +- policy/modules/services/postfix.te | 22 ++++++---------------- policy/modules/services/sasl.if | 5 +++++ policy/modules/services/virt.if | 4 ++-- policy/modules/system/init.te | 4 ---- policy/modules/system/pcmcia.te | 5 +++-- 12 files changed, 57 insertions(+), 39 deletions(-) diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if index d4c517de..89bccaac 100644 --- a/policy/modules/services/automount.if +++ b/policy/modules/services/automount.if @@ -30,12 +30,8 @@ interface(`automount_domtrans',` ## # interface(`automount_exec_config',` - gen_require(` - type automount_etc_t; - ') - - corecmd_search_bin($1) - can_exec($1, automount_etc_t) + refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.') + files_exec_etc_files($1) ') ######################################## diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if index 52f2d2cc..0c671980 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if @@ -265,6 +265,16 @@ interface(`bind_udp_chat_named',` ## Domain allowed access. ## ## +## +## +## Role allowed access. +## +## +## +## +## The type of the terminal. +## +## ## # interface(`bind_admin',` diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index a47a55d7..f5c6a87a 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if 
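Review bot: The deprecation shim widens the grant: `files_exec_etc_files($1)` gives any remaining caller execute on every etc_t file, whereas the removed body allowed only `can_exec($1, automount_etc_t)`. If that widening is deliberate (presumably automount_etc_t is being dropped), say so in the shim with a line such as `# replacement is broader: exec of all etc_t files, not just the automount config`, and update the interface's summary block above the hunk to state that the interface is deprecated. The only in-tree caller visible in this commit, `automount_exec_config(initrc_t)` in init.te, is removed in the same patch, so the shim matters only for out-of-tree policy.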
@@ -584,6 +584,26 @@ interface(`mta_read_aliases',` allow $1 etc_aliases_t:file read_file_perms; ') +######################################## +## +## Create, read, write, and delete mail address aliases. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_manage_aliases',` + gen_require(` + type etc_aliases_t; + ') + + files_search_etc($1) + manage_files_pattern($1, etc_aliases_t, etc_aliases_t) + manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) +') + ######################################## ## ## Type transition files created in /etc diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index a0f10f8f..2c29ac0c 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta, 1.10.1) +policy_module(mta, 1.10.2) ######################################## # diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if index 87dbda38..d47ebff4 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -74,7 +74,7 @@ interface(`ntp_domtrans_ntpdate',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; - type ntpd_key_t, ntpd_var_lib_t, ntpd_var_run_t; + type ntpd_key_t, ntpd_var_run_t; type ntpd_initrc_exec_t; ') diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if index 7cff0d82..c9beafe5 100644 --- a/policy/modules/services/oident.if +++ b/policy/modules/services/oident.if @@ -39,7 +39,7 @@ ## ## # -template(`oidentd_per_role_template', ` +template(`oident_per_role_template', ` ######################################## # 
@@ -51,17 +51,17 @@ template(`oidentd_per_role_template', ` ') type $1_oidentd_home_t, oidentd_user_content_type; - userdom_user_home_content($1, oidentd_$1_content_t) + userdom_user_home_content($1, $1_oidentd_home_t) - typeattribute oidentd_$1_content_t oidentd_user_content_type; + typeattribute $1_oidentd_home_t oidentd_user_content_type; ######################################## # # Oident daemon shared policy # - allow $2 oidentd_$1_content_t:file manage_file_perms; - allow $2 oidentd_$1_content_t:file relabel_file_perms; + allow $2 $1_oidentd_home_t:file manage_file_perms; + allow $2 $1_oidentd_home_t:file relabel_file_perms; ') ######################################## @@ -75,7 +75,7 @@ template(`oidentd_per_role_template', ` ## ## # -interface(`oidentd_read_all_user_content', ` +interface(`oident_read_all_user_content', ` gen_require(` attribute oidentd_user_content_type; ') diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te index 2b8070c1..e0898bec 100644 --- a/policy/modules/services/oident.te +++ b/policy/modules/services/oident.te @@ -56,7 +56,7 @@ miscfiles_read_localization(oidentd_t) sysnet_read_config(oidentd_t) -oidentd_read_all_user_content(oidentd_t) +oident_read_all_user_content(oidentd_t) optional_policy(` nis_use_ypbind(oidentd_t) diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 8c11bf2d..3f2cb82c 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -182,6 +182,12 @@ seutil_dontaudit_search_config(postfix_master_t) mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +ifdef(`distro_redhat',` + # for newer main.cf that uses /etc/aliases + mta_manage_aliases(postfix_master_t) + mta_etc_filetrans_aliases(postfix_master_t) +') + optional_policy(` cyrus_stream_connect(postfix_master_t) ') 
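Review bot: The new line `typeattribute $1_oidentd_home_t oidentd_user_content_type;` is redundant: the context line `type $1_oidentd_home_t, oidentd_user_content_type;` two lines above already attaches the attribute in the declaration, so this statement can be dropped rather than corrected. The rest of the fix, pointing `userdom_user_home_content` and the two `allow $2` rules at the declared `$1_oidentd_home_t` instead of the never-declared `oidentd_$1_content_t`, is right. The template's head is outside this hunk (it is renamed to `oident_per_role_template` in the preceding hunk).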
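Review bot: The new `ifdef(`distro_redhat'` block is narrower than the rules it replaces in the @@ -199 hunk: `mta_manage_aliases` (defined in the mta.if hunk) covers etc_aliases_t file and lnk_file objects, but the removed block also granted `etc_aliases_t:dir manage_dir_perms` and `filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file })`, so alias files postfix_master_t creates inside postfix_etc_t directories will now default to the directory's label instead of etc_aliases_t. If those grants were dead weight the change is fine, but nothing in the hunk or the commit message says so; either keep the transition, e.g. `filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { file lnk_file })`, or add a comment in the block explaining why it was dropped. The unconditional `mta_rw_aliases(postfix_master_t)` just above is subsumed by the manage call on Red Hat builds, which is harmless but worth a comment.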
@@ -199,22 +205,6 @@ optional_policy(` sendmail_signal(postfix_master_t) ') -########################################################### -# -# Partially converted rules. THESE ARE ONLY TEMPORARY -# - -ifdef(`distro_redhat',` - # for newer main.cf that uses /etc/aliases - allow postfix_master_t etc_aliases_t:dir manage_dir_perms; - allow postfix_master_t etc_aliases_t:file manage_file_perms; - allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms; - mta_etc_filetrans_aliases(postfix_master_t) - filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file }) -') - -# end partially converted rules - ######################################## # # Postfix bounce local policy diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if index 5a70491a..f1aea88a 100644 --- a/policy/modules/services/sasl.if +++ b/policy/modules/services/sasl.if @@ -29,6 +29,11 @@ interface(`sasl_connect',` ## Domain allowed access. ## ## +## +## +## Role allowed access. +## +## ## # interface(`sasl_admin',` diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index efc0fb6f..d4542a80 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -68,7 +68,7 @@ interface(`virt_read_pid_files',` ## ## # -interface(`virt_manage_pids_files',` +interface(`virt_manage_pid_files',` gen_require(` type virt_var_run_t; ') @@ -167,7 +167,7 @@ interface(`virt_read_log',` # interface(`virt_append_log',` gen_require(` - type var_log_t, virt_log_t; + type virt_log_t; ') logging_search_logs($1) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 3e03dac8..ab73da54 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -535,10 +535,6 @@ optional_policy(` apache_list_modules(initrc_t) ') -optional_policy(` - automount_exec_config(initrc_t) -') - optional_policy(` bind_read_config(initrc_t) 
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 6de3bb85..d5b93910 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -136,5 +136,6 @@ optional_policy(`
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
-allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;
-type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
+files_pid_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+files_tmp_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+filetrans_pattern(cardmgr_t, cardmgr_var_run_t, cardmgr_dev_t, { chr_file blk_file })
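Review bot: The comment kept above the new rules, `# Create device files in /tmp.`, now describes only `files_tmp_filetrans`; the other two calls transition device nodes created in pid directories (presumably /var/run, matching the removed var_run_t) and in cardmgr_var_run_t. Suggest `# Create device files in /var/run, cardmgr_var_run_t dirs, and /tmp.` so a reader does not assume /tmp is the only location, and either answer or remove the `cjp:` question, since this rewrite keeps all three locations. The rewrite itself looks equivalent to the removed allow/type_transition pair, assuming the two files_*_filetrans interfaces grant the directory rw permissions the old `rw_dir_perms` rule did.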