diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 7d78871ac..1752cddcb 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -33,6 +33,9 @@ domain_type(system_mail_t)
 domain_entry_file(system_mail_t,sendmail_exec_t)
 role system_r types system_mail_t;
 
+type system_mail_tmp_t;
+files_tmp_file(system_mail_tmp_t)
+
 # cjp: need to resolve this, but require{}
 # does not work in the else part of the optional
 #ifdef(`targeted_policy',`',`
@@ -57,6 +60,10 @@ allow system_mail_t etc_mail_t:file r_file_perms;
 can_exec(system_mail_t, sendmail_exec_t)
 allow system_mail_t sendmail_exec_t:lnk_file r_file_perms;
 
+allow system_mail_t system_mail_tmp_t:dir create_dir_perms;
+allow system_mail_t system_mail_tmp_t:file create_file_perms;
+files_create_tmp_files(system_mail_t, system_mail_tmp_t, { file dir })
+
 kernel_read_kernel_sysctl(system_mail_t)
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 4b4f98d7b..f8eac9df1 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -31,6 +31,9 @@ files_type(sshd_key_t)
 ifdef(`targeted_policy',`
 unconfined_alias_domain(sshd_t)
 init_system_domain(sshd_t,sshd_exec_t)
+
+ type sshd_var_run_t;
+ files_type(sshd_var_run_t)
 ',`
 # Type for the ssh-agent executable.
 type ssh_agent_exec_t;
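Review bot: The second mta.te hunk grants `create_dir_perms` on `system_mail_tmp_t:dir` and lists `dir` in the `files_create_tmp_files` class set, but nothing visible shows that system_mail_t needs to create directories under the temporary directory. If the denials behind this change were only for regular files, drop the dir rule and narrow the transition to `files_create_tmp_files(system_mail_t, system_mail_tmp_t, file)`, so the domain keeps the smallest write surface in a world-writable location. A one-line comment above the block, such as `# private temp files for the system mailer, kept out of generic tmp_t`, would also record why the type declared in the first hunk exists.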
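Review bot: In the ssh.te hunk, `sshd_var_run_t` is declared with the generic `files_type()` and no rule in the visible lines references it, so the reason for the declaration is not recorded. Presumably it exists so that the file-context entries for sshd's pid file still resolve when sshd_t is an unconfined alias; once that is confirmed, add a comment such as `# declared for ssh.fc labeling only; sshd_t is unconfined in targeted policy`. If this tree's files interface provides `files_pid_file()`, using it instead of `files_type()` would place the type under the pid-file attribute, so interfaces that cover all pid files also cover it. The else branch of the `ifdef` continues past the end of the hunk.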