more fix

2005-11-09 15:51:22 +00:00 · 2005-11-09 15:51:22 +00:00 · d3f715d228
commit d3f715d228
parent 3e639ab08b
4 changed files with 19 additions and 7 deletions
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@ -188,6 +188,8 @@ optional_policy(`postfix.te',`
 	allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
 	files_create_etc_config(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })

+	domain_use_wide_inherit_fd(system_mail_t)
+
 	optional_policy(`crond.te',`
 		cron_crw_tcp_socket(system_mail_t)
 	')
@ -204,6 +206,10 @@ optional_policy(`sendmail.te',`
 	# sendmail -q 
 	allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
 	allow system_mail_t mqueue_spool_t:file create_file_perms;
+
+	# FIXME:
+	allow system_mail_t sendmail_log_t:file manage_file_perms;
+	logging_create_log(system_mail_t,sendmail_log_t)
 ')

 ifdef(`TODO',`
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@ -35,6 +35,10 @@ allow sendmail_t self:fifo_file rw_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;

+allow sendmail_t sendmail_log_t:file create_file_perms;
+allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
+logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
+
 kernel_read_kernel_sysctl(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
@ -102,10 +106,6 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_generic_pty(sendmail_t)
 	files_dontaudit_read_root_file(sendmail_t)
 ',`
-	allow sendmail_t sendmail_log_t:file create_file_perms;
-	allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-	logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
-
 	allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
 	allow sendmail_t sendmail_tmp_t:file create_file_perms;
 	files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@ -292,9 +292,9 @@ kernel_read_kernel_sysctl(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 kernel_send_syslog_msg_from(devlog_t,syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
-kernel_read_messages(klogd_t)
-kernel_clear_ring_buffer(klogd_t)
-kernel_change_ring_buffer_level(klogd_t)
+kernel_read_messages(syslogd_t)
+kernel_clear_ring_buffer(syslogd_t)
+kernel_change_ring_buffer_level(syslogd_t)

 dev_create_dev_node(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -32,6 +32,8 @@ ifdef(`targeted_policy',`
 	# macros and domains from the "strict" policy.
 	typealias unconfined_t alias { secadm_t sysadm_t };

+	files_create_boot_flag(unconfined_t)
+
 	init_domtrans_script(unconfined_t)

 	libs_domtrans_ldconfig(unconfined_t)
@ -104,6 +106,10 @@ ifdef(`targeted_policy',`
 		su_per_userdomain_template(sysadm,unconfined_t,system_r)
 	')

+	optional_policy(`usermanage.te',`
+		usermanage_domtrans_admin_passwd(unconfined_t)
+	')
+
 	optional_policy(`webalizer.te',`
 		webalizer_domtrans(unconfined_t)
 	')