From 5a8c36f3904c36d1a3ca1b03a4b0fc97315fec97 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 16 May 2019 08:57:36 -0400
Subject: [PATCH] logrotate: Make MTA optional.
Signed-off-by: Chris PeBenito
---
 policy/modules/admin/logrotate.te | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 698371bdd..d649509b0 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,8 +29,6 @@ files_type(logrotate_var_lib_t)
 type logrotate_unit_t;
 init_unit_file(logrotate_unit_t)
-mta_base_mail_template(logrotate)
-role system_r types logrotate_mail_t;
 ########################################
 #
@@ -131,8 +129,6 @@ userdom_use_user_terminals(logrotate_t)
 userdom_list_user_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
-
 ifdef(`distro_debian',`
 allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
 can_exec(logrotate_t, logrotate_exec_t)
@@ -279,10 +275,18 @@ optional_policy(`
 # Mail local policy
 #
-allow logrotate_mail_t logrotate_t:fd use;
-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
-allow logrotate_mail_t logrotate_t:process sigchld;
+optional_policy(`
+ mta_base_mail_template(logrotate)
+ role system_r types logrotate_mail_t;
-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+ allow logrotate_mail_t logrotate_t:fd use;
+ allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
+ allow logrotate_mail_t logrotate_t:process sigchld;
+
+ manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+
+ mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+
+ logging_read_all_logs(logrotate_mail_t)
+')
-logging_read_all_logs(logrotate_mail_t)
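Review bot: In the last hunk, `logging_read_all_logs(logrotate_mail_t)` is moved into the new optional block without any comment on why the mail helper needs read access to every log type. The neighbouring rules already give it the inherited fd, the fifo and `logrotate_tmp_t`, so it is worth confirming whether the broad grant is still required. If it is, a line above it such as `# logrotate "mail" directive: the MTA helper reads the log file it is asked to send` would record the intent. Because `logrotate_mail_t` is now declared inside `optional_policy`, it presumably no longer exists when the mta module is absent; a short comment at the top of the block saying that any other reference to the type must itself be optional would help the next maintainer.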