sympa, mta, exim: Revise interfaces.

Revise interfaces added as part of sympa work.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Chris PeBenito 2022-10-10 10:09:18 -04:00
parent be2ba4e473
commit 3fd5341bff
6 changed files with 14 additions and 33 deletions


@ -253,7 +253,6 @@ optional_policy(`
optional_policy(`
# each of these should probably be for mailserver_delivery or mailserver_domain
sympa_append_var_files(exim_t)
sympa_append_inherited_var_files(exim_t)
sympa_read_var_files(exim_t)
sympa_use_fd(exim_t)
')


@ -815,13 +815,13 @@ interface(`mta_read_spool_symlinks',`
## </summary>
## </param>
#
interface(`mta_rw_delivery_fifos',`
interface(`mta_rw_inherited_delivery_pipes',`
gen_require(`
attribute mailserver_delivery;
')
allow $1 mailserver_delivery:fd use;
allow $1 mailserver_delivery:fifo_file { getattr read write };
allow $1 mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
')
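Review bot: The `<summary>` of the renamed `mta_rw_inherited_delivery_pipes` sits above this hunk and is not shown, yet the interface now bundles `allow $1 mailserver_delivery:fd use;` alongside the fifo access, so the summary should say so, e.g. `## Read and write inherited mail server delivery pipes, including use of the inherited file descriptors.`. The switch from `{ getattr read write }` to `rw_inherited_fifo_file_perms` presumably widens the grant (by analogy with the inherited file sets on this page, likely lock and ioctl); if that is intended, a short comment such as `# inherited pipes: no open, but lock/ioctl as for the other *_inherited_* sets` next to the allow rule would make it explicit for the next reviewer. The interface's documentation block begins outside the hunk.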


@ -298,8 +298,8 @@ optional_policy(`
')
optional_policy(`
sympa_append_var_files(system_mail_t)
sympa_dontaudit_tcp_rw(system_mail_t)
sympa_append_inherited_var_files(system_mail_t)
symba_dontaudit_rw_inherited_tcp_sockets(system_mail_t)
')
optional_policy(`
@ -393,7 +393,7 @@ optional_policy(`
')
optional_policy(`
sympa_dontaudit_tcp_rw(mailserver_delivery)
symba_dontaudit_rw_inherited_tcp_sockets(mailserver_delivery)
sympa_domtrans(mailserver_delivery)
')
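Review bot: The renamed call `symba_dontaudit_rw_inherited_tcp_sockets` in both hunks here carries a typo in its prefix; every other sympa interface on this page uses `sympa_`, and the definition in the sympa interface file (the `@ -125,7 +106,7 @@` hunk, which declares `interface(`symba_dontaudit_rw_inherited_tcp_sockets',`) has the same misspelling. Since callers and definition agree, the policy still builds, so this will only surface when someone greps for `sympa_*` interfaces or reads the generated documentation. The name should be `sympa_dontaudit_rw_inherited_tcp_sockets` in all three places: the two calls here and the definition in the sympa interface file.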


@ -1,5 +1,4 @@
## <summary>Sympa mailing list manager</summary>
##
## <desc>
## Sympa is a popular mailing list manager.
## https://www.sympa.org/
@ -15,12 +14,13 @@
## </summary>
## </param>
#
interface(`sympa_append_var_files',`
interface(`sympa_append_inherited_var_files',`
gen_require(`
type sympa_var_t;
type sympa_t, sympa_var_t;
')
allow $1 sympa_var_t:file { append getattr };
allow $1 sympa_t:fd use;
allow $1 sympa_var_t:file append_inherited_file_perms;
')
########################################
@ -57,8 +57,7 @@ interface(`sympa_manage_var_files',`
type sympa_var_t;
')
allow $1 sympa_var_t:dir rw_dir_perms;
allow $1 sympa_var_t:file manage_file_perms;
manage_files_pattern($1, sympa_var_t, sympa_var_t)
')
########################################
@ -97,24 +96,6 @@ interface(`sympa_domtrans',`
domain_auto_transition_pattern($1, sympa_exec_t, sympa_t)
')
########################################
## <summary>
## Use file handles inherited from sympa
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sympa_use_fd',`
gen_require(`
type sympa_t;
')
allow $1 sympa_t:fd use;
')
########################################
## <summary>
## Dontaudit access to inherited sympa tcp sockets
@ -125,7 +106,7 @@ interface(`sympa_use_fd',`
## </summary>
## </param>
#
interface(`sympa_dontaudit_tcp_rw',`
interface(`symba_dontaudit_rw_inherited_tcp_sockets',`
gen_require(`
type sympa_t;
')
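Review bot: The renamed `sympa_append_inherited_var_files` now also grants `allow $1 sympa_t:fd use;`, the permission the removed `sympa_use_fd` interface carried, but its `<summary>` lies above the hunk and is not shown; it should state the bundled fd use, e.g. `## Append inherited sympa var files and use the file descriptors inherited from sympa.`, so callers that only wanted append do not pick up fd use unknowingly. Switching to `append_inherited_file_perms` (defined on this page as `{ getattr append lock ioctl }`, with no `open`) means callers can only reach the file through an already-open descriptor, which presumably is the point of the rename; a one-line note in the summary would confirm that for callers such as the exim block that also call `sympa_read_var_files`. The last hunk of this section ends at the `gen_require` closing `')`, so the body of the renamed dontaudit interface lies outside the hunk.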


@ -78,7 +78,7 @@ optional_policy(`
optional_policy(`
mta_read_config(sympa_t)
mta_send_mail(sympa_t)
mta_rw_delivery_fifos(sympa_t)
mta_rw_inherited_delivery_pipes(sympa_t)
')
optional_policy(`


@ -155,6 +155,7 @@ define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
define(`append_inherited_file_perms',`{ getattr append lock ioctl }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')