authorChris PeBenito <cpebenito@tresys.com>2009-07-21 10:10:17 -0400
committerChris PeBenito <cpebenito@tresys.com>2009-07-21 10:10:17 -0400
commit92f08c71307d1c70f51f847e730f2e5784bd07fb (patch)
tree4cce9a3a4c0aeaffb19f720e4688bd7b35273324 /policy/modules/services
parent1847443ea3508393988d31ee49fc50ed26fc39fe (diff)
Mailman patch from Dan.
Diffstat (limited to 'policy/modules/services')
-rw-r--r--policy/modules/services/mailman.fc1
-rw-r--r--policy/modules/services/mailman.if27
-rw-r--r--policy/modules/services/mailman.te35
3 files changed, 53 insertions, 10 deletions
diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
index 92afb445..3de6c18d 100644
--- a/policy/modules/services/mailman.fc
+++ b/policy/modules/services/mailman.fc
@@ -27,6 +27,7 @@ ifdef(`distro_redhat', `
/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
index 547ddebe..9ad4c4e5 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -31,6 +31,12 @@ template(`mailman_domain_template', `
allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
allow mailman_$1_t self:udp_socket create_socket_perms;
+ files_search_spool(mailman_$1_t)
+
+ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+
manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
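Review bot: The three `manage_*_pattern` rules on mailman_archive_t added here to `mailman_domain_template` are repeated verbatim for mailman_mail_t in the mailman.te hunk at line 63; if mailman_mail_t is instantiated through this template, the .te copies are redundant and one of the two sets should be dropped. The template version also hands full archive management (dirs, files, symlinks) to every domain derived from it, including the CGI domain; if the web front end only needs to read archives, a narrower per-domain grant in the .te is the least-privilege choice. Which domains are derived from the template is not visible in this hunk, so treat the duplication as something to confirm. The template body starts and ends outside the hunk.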
@@ -190,7 +196,9 @@ interface(`mailman_read_data_files',`
type mailman_data_t;
')
+ list_dirs_pattern($1, mailman_data_t, mailman_data_t)
read_files_pattern($1, mailman_data_t, mailman_data_t)
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
')
#######################################
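Review bot: `mailman_read_data_files` now also grants `list_dirs_pattern` and `read_lnk_files_pattern`, which overlaps the separate `mailman_read_data_symlinks` interface (hunk header at line 58) and is not reflected in the interface's `## <summary>`, which sits above the hunk; the summary should say that directory listing and symlink reading are included, and the symlinks interface's summary should note that it is now subsumed by this one. The same mismatch applies to `mailman_manage_data_files` in the next hunk (line 55), whose name and summary say files but which now manages directories too. Both interface headers are outside their hunks.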
@@ -209,6 +217,7 @@ interface(`mailman_manage_data_files',`
type mailman_data_t;
')
+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
manage_files_pattern($1, mailman_data_t, mailman_data_t)
')
@@ -250,6 +259,24 @@ interface(`mailman_read_data_symlinks',`
#######################################
## <summary>
+## Read mailman logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ read_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
## Append to mailman logs.
## </summary>
## <param name="domain">
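Review bot: `mailman_read_log` grants read on mailman_log_t files and search on mailman_log_t directories, but nothing in the interface lets the caller reach the directory that holds them; unless the caller already has that, the reads will still be denied. Adding `logging_search_logs($1)` before the `read_files_pattern` call would make the interface self-contained, assuming the logs live under the standard log tree as the type name suggests. The new interface is complete within the hunk.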
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index 052b569b..823078df 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
-policy_module(mailman, 1.6.4)
+policy_module(mailman, 1.6.5)
########################################
#
@@ -53,10 +53,8 @@ optional_policy(`
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
-
- optional_policy(`
- nscd_socket_use(mailman_cgi_t)
- ')
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
')
########################################
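Review bot: The `nscd_socket_use(mailman_cgi_t)` optional block is removed without replacement and the commit message gives no reason; if the CGI domain still resolves names or user lookups through nscd, those requests will now be denied. If the removal is intentional, a one-line comment such as `# nscd access dropped: cgi scripts do not use nscd` next to the apache calls would record that; otherwise `auth_use_nsswitch(mailman_cgi_t)` (if present in this tree) is the usual way to cover nscd and NSS access together. The enclosing `optional_policy` block starts outside the hunk.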
@@ -65,15 +63,26 @@ optional_policy(`
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+
+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+
+files_search_spool(mailman_mail_t)
+
+fs_rw_anon_inodefs_files(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
-ifdef(`TODO',`
optional_policy(`
- allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
- # do we really need this?
- allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+ cron_read_pipes(mailman_mail_t)
')
+
+optional_policy(`
+ postfix_search_spool(mailman_mail_t)
')
########################################
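Review bot: The new `allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };` grants two broad capabilities whose need is not evident from the rest of the hunk: `dac_override` lets the delivery domain bypass DAC permission checks on every file its type rules allow, and `sys_tty_config` has no obvious use for a mail delivery helper. Unless an audit log shows both being exercised, splitting the line into `allow mailman_mail_t self:capability { kill setuid setgid };` and `dontaudit mailman_mail_t self:capability { dac_override sys_tty_config };` keeps the domain quiet in enforcing mode without handing out the extra privilege; a genuine `dac_override` need usually points at ownership of spool or archive files that should be fixed instead. The removed `ifdef(`TODO'` qmail block is replaced by cron and postfix optional blocks, which reads fine. The `optional_policy` blocks at the end of the hunk are complete within it.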
@@ -103,8 +112,14 @@ seutil_dontaudit_search_config(mailman_queue_t)
# knows mailman well should test this out and send the changes
userdom_search_user_home_dirs(mailman_queue_t)
-su_exec(mailman_queue_t)
+optional_policy(`
+ apache_read_config(mailman_queue_t)
+')
optional_policy(`
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
')
+
+optional_policy(`
+ su_exec(mailman_queue_t)
+') \ No newline at end of file
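Review bot: The new end of mailman.te carries the `\ No newline at end of file` marker, so the closing `')` of the `su_exec` optional block is not newline-terminated; add a trailing newline so the file ends cleanly when m4 processes or concatenates it. Moving `su_exec(mailman_queue_t)` into `optional_policy` and the new `apache_read_config(mailman_queue_t)` block are otherwise consistent with the surrounding blocks. The comment ending at line 131 starts outside the hunk.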