mirror of
https://github.com/SELinuxProject/refpolicy
synced 2025-01-11 01:29:25 +00:00
fix up most of mta attribute insanity
This commit is contained in:
parent
451c1e3d59
commit
246839f3d2
@ -82,3 +82,21 @@ interface(`logrotate_dontaudit_use_fd',`
|
||||
|
||||
dontaudit $1 logrotate_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read a logrotate temporary files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`logrotate_read_tmp_files',`
|
||||
gen_require(`
|
||||
type logrotate_tmp_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
allow $1 logrotate_tmp_t:file r_file_perms;
|
||||
')
|
||||
|
@ -553,6 +553,25 @@ interface(`kernel_dontaudit_getattr_message_if',`
|
||||
dontaudit $1 proc_kmsg_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the network
|
||||
## state directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The process type reading the state.
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`kernel_dontaudit_search_network_state',`
|
||||
gen_require(`
|
||||
type proc_net_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 proc_net_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow caller to read the network state information.
|
||||
|
@ -314,6 +314,23 @@ interface(`cron_system_entry',`
|
||||
allow $1 crond_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to the cron daemon.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_sigchld',`
|
||||
gen_require(`
|
||||
type crond_t;
|
||||
class process sigchld;
|
||||
')
|
||||
|
||||
allow $1 crond_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read a cron daemon unnamed pipe
|
||||
@ -331,7 +348,6 @@ interface(`cron_read_pipe',`
|
||||
allow $1 crond_t:file r_file_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the cron daemon log files.
|
||||
@ -367,3 +383,21 @@ interface(`cron_search_spool',`
|
||||
files_search_spool($1)
|
||||
allow $1 cron_spool_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read temporary files from the system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_read_system_job_tmp_files',`
|
||||
gen_require(`
|
||||
type system_crond_tmp_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
allow $1 system_crond_tmp_t:file r_file_perms;
|
||||
')
|
||||
|
@ -28,7 +28,7 @@
|
||||
## </param>
|
||||
#
|
||||
template(`mta_per_userdomain_template',`
|
||||
type $1_mail_t; # , user_mail_domain
|
||||
type $1_mail_t;
|
||||
domain_type($1_mail_t)
|
||||
role $3 types $1_mail_t;
|
||||
|
||||
@ -59,6 +59,11 @@ template(`mta_per_userdomain_template',`
|
||||
allow $1_mail_t $2:fifo_file rw_file_perms;
|
||||
allow $1_mail_t $2:process sigchld;
|
||||
|
||||
# For when the user wants to send mail via port 25 localhost
|
||||
kernel_tcp_recvfrom($2)
|
||||
allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
|
||||
allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
|
||||
|
||||
kernel_read_kernel_sysctl($1_mail_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_mail_t)
|
||||
@ -78,6 +83,8 @@ template(`mta_per_userdomain_template',`
|
||||
|
||||
files_read_etc_files($1_mail_t)
|
||||
files_search_spool($1_mail_t)
|
||||
# It wants to check for nscd
|
||||
files_dontaudit_search_pids($1_mail_t)
|
||||
|
||||
logging_send_syslog_msg($1_mail_t)
|
||||
|
||||
@ -86,6 +93,8 @@ template(`mta_per_userdomain_template',`
|
||||
sysnet_read_config($1_mail_t)
|
||||
|
||||
userdom_use_user_terminals($1,$1_mail_t)
|
||||
# Write to the user domain tty. cjp: why?
|
||||
userdom_use_user_terminals($1,mta_user_agent)
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow $1_mail_t self:udp_socket create_socket_perms;
|
||||
@ -113,14 +122,6 @@ template(`mta_per_userdomain_template',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow $1_mail_t device_t:dir search;
|
||||
|
||||
# It wants to check for nscd
|
||||
dontaudit $1_mail_t var_run_t:dir search;
|
||||
|
||||
# For when the user wants to send mail via port 25 localhost
|
||||
can_tcp_connect($1_t, mail_server_domain)
|
||||
|
||||
# Read user temporary files.
|
||||
allow $1_mail_t $1_tmp_t:file r_file_perms;
|
||||
dontaudit $1_mail_t $1_tmp_t:file append;
|
||||
@ -129,26 +130,21 @@ template(`mta_per_userdomain_template',`
|
||||
allow $1_mail_t $1_tmp_t:file write;
|
||||
')
|
||||
|
||||
# cjp: why?
|
||||
allow mta_user_agent $1_tmp_t:file r_file_perms;
|
||||
|
||||
# Write to the user domain tty.
|
||||
allow mta_user_agent $1_tty_device_t:chr_file rw_file_perms;
|
||||
allow mta_user_agent devpts_t:dir r_dir_perms;
|
||||
allow mta_user_agent $1_devpts_t:chr_file rw_file_perms;
|
||||
|
||||
# Inherit and use descriptors from gnome-pty-helper.
|
||||
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
|
||||
|
||||
# Create dead.letter in user home directories.
|
||||
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
|
||||
|
||||
# if you do not want to allow dead.letter then use the following instead
|
||||
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
||||
#allow $1_mail_t $1_home_t:file r_file_perms;
|
||||
|
||||
# for reading .forward - maybe we need a new type for it?
|
||||
# also for delivering mail to maildir
|
||||
file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
|
||||
file_type_auto_trans(mailserver_delivery, $1_home_dir_t, $1_home_t)
|
||||
|
||||
ifdef(`qmail.te', `
|
||||
allow $1_mail_t qmail_etc_t:dir search;
|
||||
@ -167,6 +163,9 @@ interface(`mta_mailserver',`
|
||||
attribute mailserver_domain;
|
||||
')
|
||||
|
||||
# For when the user wants to send mail via port 25 localhost
|
||||
kernel_tcp_recvfrom($1)
|
||||
|
||||
init_daemon_domain($1,$2)
|
||||
typeattribute $1 mailserver_domain;
|
||||
')
|
||||
@ -202,10 +201,65 @@ interface(`mta_sendmail_mailserver',`
|
||||
type sendmail_exec_t;
|
||||
')
|
||||
|
||||
# For when the user wants to send mail via port 25 localhost
|
||||
kernel_tcp_recvfrom($1)
|
||||
|
||||
init_system_domain($1,sendmail_exec_t)
|
||||
typeattribute $1 mailserver_domain;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Make a type a mailserver type used
|
||||
## for sending mail.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Mail server domain type used for sending mail.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_mailserver_sender',`
|
||||
gen_require(`
|
||||
attribute mailserver_sender;
|
||||
')
|
||||
|
||||
typeattribute $1 mailserver_sender;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Make a type a mailserver type used
|
||||
## for delivering mail to local users.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Mail server domain type used for delivering mail.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_mailserver_delivery',`
|
||||
gen_require(`
|
||||
attribute mailserver_delivery;
|
||||
')
|
||||
|
||||
typeattribute $1 mailserver_delivery;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Make a type a mailserver type used
|
||||
## for sending mail on behalf of local
|
||||
## users to the local mail spool.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Mail server domain type used for sending local mail.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_mailserver_user_agent',`
|
||||
gen_require(`
|
||||
attribute mailserver_user_agent;
|
||||
')
|
||||
|
||||
typeattribute $1 mailserver_user_agent;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# mta_send_mail(domain)
|
||||
@ -332,6 +386,28 @@ interface(`mta_rw_spool',`
|
||||
allow $1 mail_spool_t:file { rw_file_perms setattr };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create, read, and write the mail spool.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_append_spool',`
|
||||
gen_require(`
|
||||
type mail_spool_t;
|
||||
class dir ra_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 mail_spool_t:dir ra_dir_perms;
|
||||
allow $1 mail_spool_t:lnk_file { getattr read };
|
||||
allow $1 mail_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# mta_manage_spool(domain)
|
||||
|
@ -6,14 +6,17 @@ policy_module(mta,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute mta_user_agent;
|
||||
attribute mailserver_delivery;
|
||||
attribute mailserver_domain;
|
||||
attribute mailserver_sender;
|
||||
|
||||
type etc_aliases_t;
|
||||
files_type(etc_aliases_t)
|
||||
|
||||
type etc_mail_t;
|
||||
files_type(etc_mail_t)
|
||||
|
||||
attribute mailserver_domain;
|
||||
|
||||
type mqueue_spool_t;
|
||||
files_type(mqueue_spool_t)
|
||||
|
||||
@ -23,7 +26,7 @@ files_type(mail_spool_t)
|
||||
type sendmail_exec_t;
|
||||
files_type(sendmail_exec_t)
|
||||
|
||||
type system_mail_t; #, user_mail_domain
|
||||
type system_mail_t;
|
||||
domain_type(system_mail_t)
|
||||
role system_r types system_mail_t;
|
||||
|
||||
@ -66,12 +69,14 @@ fs_getattr_xattr_fs(system_mail_t)
|
||||
|
||||
init_use_script_pty(system_mail_t)
|
||||
|
||||
files_read_etc_runtime_files(system_mail_t)
|
||||
files_read_etc_files(system_mail_t)
|
||||
files_read_etc_runtime_files(system_mail_t)
|
||||
files_search_spool(system_mail_t)
|
||||
# It wants to check for nscd
|
||||
files_dontaudit_search_pids(system_mail_t)
|
||||
|
||||
corecmd_exec_bin(system_mail_t)
|
||||
corecmd_search_sbin(system_mail_t)
|
||||
|
||||
libs_use_ld_so(system_mail_t)
|
||||
libs_use_shared_libs(system_mail_t)
|
||||
@ -82,74 +87,9 @@ miscfiles_read_localization(system_mail_t)
|
||||
|
||||
sysnet_read_config(system_mail_t)
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow system_mail_t self:udp_socket create_socket_perms;
|
||||
corenet_udp_sendrecv_all_if(system_mail_t)
|
||||
corenet_udp_sendrecv_all_nodes(system_mail_t)
|
||||
corenet_udp_bind_all_nodes(system_mail_t)
|
||||
corenet_udp_sendrecv_dns_port(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_exec(system_mail_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
optional_policy(`sendmail.te',`
|
||||
allow system_mail_t etc_mail_t:dir { getattr search };
|
||||
|
||||
kernel_read_system_state(system_mail_t)
|
||||
|
||||
fs_getattr_xattr_fs(system_mail_t)
|
||||
|
||||
files_read_etc_runtime_files(system_mail_t)
|
||||
|
||||
dontaudit system_mail_t proc_net_t:dir search;
|
||||
|
||||
allow system_mail_t var_t:dir getattr;
|
||||
allow system_mail_t var_spool_t:dir getattr;
|
||||
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
|
||||
|
||||
# sendmail -q
|
||||
allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
|
||||
allow system_mail_t mqueue_spool_t:file create_file_perms;
|
||||
|
||||
optional_policy(`crond.te', `
|
||||
dontaudit system_mail_t system_crond_tmp_t:file append;
|
||||
')
|
||||
')
|
||||
|
||||
allow system_mail_t device_t:dir search;
|
||||
allow system_mail_t { var_t var_spool_t }:dir search;
|
||||
allow system_mail_t sbin_t:dir search;
|
||||
|
||||
# Transition from a system domain to the derived domain.
|
||||
domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
|
||||
allow privmail sendmail_exec_t:lnk_file { getattr read };
|
||||
|
||||
optional_policy(`crond.te',`
|
||||
# Read cron temporary files.
|
||||
allow system_mail_t system_crond_tmp_t:file r_file_perms;
|
||||
allow mta_user_agent system_crond_tmp_t:file r_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`qmail.te', `
|
||||
allow system_mail_t qmail_etc_t:dir search;
|
||||
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
||||
userdom_use_sysadm_terms(system_mail_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow system_mail_t etc_mail_t:file r_file_perms;
|
||||
|
||||
allow system_mail_t mail_spool_t:dir create_dir_perms;
|
||||
@ -174,63 +114,76 @@ ifdef(`targeted_policy', `
|
||||
libs_exec_ld_so(system_mail_t)
|
||||
libs_exec_lib_files(system_mail_t)
|
||||
')
|
||||
',`
|
||||
optional_policy(`sendmail.te', `
|
||||
# sendmail has an ugly design, the one process parses input from the user and
|
||||
# then does system things with it.
|
||||
domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow system_mail_t self:udp_socket create_socket_perms;
|
||||
corenet_udp_sendrecv_all_if(system_mail_t)
|
||||
corenet_udp_sendrecv_all_nodes(system_mail_t)
|
||||
corenet_udp_bind_all_nodes(system_mail_t)
|
||||
corenet_udp_sendrecv_dns_port(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_read_system_job_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`logrotate.te',`
|
||||
logrotate_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`procmail.te',`
|
||||
procmail_exec(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`sendmail.te',`
|
||||
allow system_mail_t etc_mail_t:dir { getattr search };
|
||||
|
||||
# sendmail -q
|
||||
allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
|
||||
allow system_mail_t mqueue_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`sendmail.te',`
|
||||
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
||||
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
|
||||
|
||||
optional_policy(`crond.te', `
|
||||
dontaudit system_mail_t system_crond_tmp_t:file append;
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow system_mail_t { var_t var_spool_t }:dir getattr;
|
||||
',`
|
||||
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
||||
allow sysadm_mail_t user_home_dir_type:dir search;
|
||||
r_dir_file(sysadm_mail_t, user_home_type)
|
||||
')
|
||||
|
||||
# for a mail server process that does things in response to a user command
|
||||
allow mta_user_agent userdomain:process sigchld;
|
||||
allow mta_user_agent { userdomain privfd }:fd use;
|
||||
ifdef(`crond.te', `
|
||||
allow mta_user_agent crond_t:process sigchld;
|
||||
')
|
||||
allow mta_user_agent sysadm_t:fifo_file { read write };
|
||||
allow system_mail_t privmail:fd use;
|
||||
allow system_mail_t privmail:process sigchld;
|
||||
allow system_mail_t privmail:fifo_file { read write };
|
||||
|
||||
allow { system_mail_t mta_user_agent } privmail:fd use;
|
||||
allow { system_mail_t mta_user_agent } privmail:process sigchld;
|
||||
allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
|
||||
allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
|
||||
optional_policy(`arpwatch.te',`
|
||||
allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
|
||||
|
||||
ifdef(`arpwatch.te', `
|
||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||
allow mta_delivery_agent arpwatch_data_t:dir search;
|
||||
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
|
||||
')
|
||||
')dnl end if arpwatch.te
|
||||
|
||||
allow mta_delivery_agent home_root_t:dir { getattr search };
|
||||
|
||||
# for /var/spool/mail
|
||||
ra_dir_create_file(mta_delivery_agent, mail_spool_t)
|
||||
|
||||
# for piping mail to a command
|
||||
can_exec(mta_delivery_agent, shell_exec_t)
|
||||
allow mta_delivery_agent bin_t:dir search;
|
||||
allow mta_delivery_agent bin_t:lnk_file read;
|
||||
allow mta_delivery_agent { etc_runtime_t proc_t }:file r_file_perms;
|
||||
|
||||
# Transition from a system domain to the derived domain.
|
||||
domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
|
||||
allow privmail sendmail_exec_t:lnk_file r_file_perms;
|
||||
|
||||
ifdef(`crond.te', `
|
||||
# Read cron temporary files.
|
||||
allow system_mail_t system_crond_tmp_t:file r_file_perms;
|
||||
allow mta_user_agent system_crond_tmp_t:file r_file_perms;
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit system_mail_t arpwatch_t:packet_socket { read write };
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`logrotate.te', `
|
||||
allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
|
||||
optional_policy(`qmail.te',`
|
||||
allow system_mail_t qmail_etc_t:dir search;
|
||||
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
|
||||
')
|
||||
|
||||
') dnl end TODO
|
||||
|
@ -6,8 +6,10 @@ policy_module(sendmail,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm)
|
||||
type sendmail_t;
|
||||
mta_sendmail_mailserver(sendmail_t)
|
||||
mta_mailserver_delivery(sendmail_t)
|
||||
mta_mailserver_sender(sendmail_t)
|
||||
|
||||
type sendmail_log_t;
|
||||
logging_log_file(sendmail_log_t)
|
||||
@ -40,8 +42,8 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta
|
||||
files_create_pid(sendmail_t,sendmail_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(sendmail_t)
|
||||
kernel_list_proc(sendmail_t)
|
||||
kernel_read_proc_symlinks(sendmail_t)
|
||||
# for piping mail to a command
|
||||
kernel_read_system_state(sendmail_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(sendmail_t)
|
||||
corenet_raw_sendrecv_all_if(sendmail_t)
|
||||
@ -63,10 +65,15 @@ fs_search_auto_mountpoints(sendmail_t)
|
||||
|
||||
term_dontaudit_use_console(sendmail_t)
|
||||
|
||||
# for piping mail to a command
|
||||
corecmd_exec_shell(sendmail_t)
|
||||
|
||||
domain_use_wide_inherit_fd(sendmail_t)
|
||||
|
||||
files_read_etc_files(sendmail_t)
|
||||
files_search_spool(sendmail_t)
|
||||
# for piping mail to a command
|
||||
files_read_etc_runtime_files(sendmail_t)
|
||||
|
||||
init_use_fd(sendmail_t)
|
||||
init_use_script_pty(sendmail_t)
|
||||
@ -121,6 +128,11 @@ optional_policy(`rhgb.te', `
|
||||
rhgb_domain(sendmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`arpwatch.te',`
|
||||
# why is mail delivered to a directory of type arpwatch_data_t?
|
||||
allow mta_delivery_agent arpwatch_data_t:dir search;
|
||||
')
|
||||
|
||||
#
|
||||
# Need this transition to create /etc/aliases.db
|
||||
#
|
||||
|
@ -1860,6 +1860,23 @@ interface(`userdom_signal_all_users',`
|
||||
allow $1 userdomain:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_sigcld_all_users',`
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
class process sigchld;
|
||||
')
|
||||
|
||||
allow $1 userdomain:process sigghld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to user domains.
|
||||
|
Loading…
Reference in New Issue
Block a user