* [refpolicy] [PATCH 0/4] Smaller contrib updates
@ 2012-10-29 18:49 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-29 18:49 UTC (permalink / raw)
  To: refpolicy

Small set of updates to contrib modules.

Sven Vermeulen (4):
  Be able to display dovecot errors
  Remove transition to ldconfig
  Adding mta as mail server
  Adding interfaces for handling cron log files

 cron.if    |   83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 dovecot.te |    1 +
 mta.fc     |    2 +
 portage.if |    4 +--
 4 files changed, 87 insertions(+), 3 deletions(-)

-- 
1.7.8.6


* [refpolicy] [PATCH 1/4] Be able to display dovecot errors
@ 2012-10-29 18:49 ` Sven Vermeulen
From: Sven Vermeulen @ 2012-10-29 18:49 UTC (permalink / raw)
  To: refpolicy

When the dovecot service is started, it might display the failures
(configuration file failures, or permission errors) but only when allowed to
write to the user terminals.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dovecot.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/dovecot.te b/dovecot.te
index 2017ffc..1a55371 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -152,6 +152,7 @@ miscfiles_read_generic_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_use_user_terminals(dovecot_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(dovecot_t)
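Review bot: the added userdom_use_user_terminals(dovecot_t) grants the daemon read and write access to every user tty and pty, not only the terminal it was started from, while the commit message only asks for writing error messages at start-up. Check whether a narrower rule (terminal file descriptors inherited from the starting shell, as the existing userdom_dontaudit_use_unpriv_user_fds line already hints at) is enough, and add a short comment above the line stating that it exists for start-up diagnostics so the broad grant is not later mistaken for a functional requirement.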
-- 
1.7.8.6


* [refpolicy] [PATCH 2/4] Remove transition to ldconfig
@ 2012-10-29 18:49 ` Sven Vermeulen
From: Sven Vermeulen @ 2012-10-29 18:49 UTC (permalink / raw)
  To: refpolicy

Up until now, we had ldconfig_t as the only domain that the portage compile
domains (like portage_sandbox_t) can transition towards. But this is not
necessary, and even led to a few hiccups (like sandbox requiring ptrace towards
the ldconfig domain).

Remove the domain transition, and just execute ldconfig when needed. Everything
remains within the sandbox domain.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.if |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/portage.if b/portage.if
index 1ae194e..67e8c12 100644
--- a/portage.if
+++ b/portage.if
@@ -177,9 +177,7 @@ interface(`portage_compile_domain',`
 	libs_exec_lib_files($1)
 	# some config scripts use ldd
 	libs_exec_ld_so($1)
-	# this violates the idea of sandbox, but
-	# regular sandbox allows it
-	libs_domtrans_ldconfig($1)
+	libs_exec_ldconfig($1)
 
 	logging_send_syslog_msg($1)
 
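Review bot: replacing libs_domtrans_ldconfig($1) with libs_exec_ldconfig($1) means ldconfig now runs with the compile domain's own permissions, so anything ldconfig needs that was previously granted to ldconfig_t (rewriting /etc/ld.so.cache, touching library symlinks) must now be allowed to $1 or the ldconfig call will fail inside the sandbox; please confirm those rules are present or add them in this hunk. The removed comment ("this violates the idea of sandbox, but regular sandbox allows it") also carried the rationale for the old behaviour; a replacement comment such as "# ldconfig runs in the compile domain; no transition, see commit message" would keep the reasoning next to the rule.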
-- 
1.7.8.6


* [refpolicy] [PATCH 3/4] Adding mta as mail server
@ 2012-10-29 18:49 ` Sven Vermeulen
From: Sven Vermeulen @ 2012-10-29 18:49 UTC (permalink / raw)
  To: refpolicy

Adding the locations of Exim to the mta.fc file.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mta.fc |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/mta.fc b/mta.fc
index dc894b4..6ba6c2b 100644
--- a/mta.fc
+++ b/mta.fc
@@ -19,6 +19,7 @@ HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 /usr/lib/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
+/usr/sbin/exim	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
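Review bot: labelling /usr/sbin/exim as sendmail_exec_t puts the Exim binary under the generic MTA policy; if the exim module is also built it labels the same binary with its own exec type, and two file-context specs for one path leave the effective domain dependent on spec ordering. State in the commit message which module is expected to own the binary, or guard this line so it only applies when the dedicated module is not in use. Also consider whether the pattern should cover a versioned binary name (Debian-style exim4) the way the sendmail lines above use optional suffixes.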
@@ -28,6 +29,7 @@ HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 
 /var/qmail/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
+/var/spool/exim(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/imap(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/(client)?mqueue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
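Review bot: /var/spool/exim is the MTA's queue spool (message input and msglog data), which is functionally closer to the /var/spool/mqueue entries labelled mqueue_spool_t two lines below than to the mailbox spool type mail_spool_t used for /var/spool/imap; please justify the choice in the commit message or switch the label so that queue handling in the mta policy applies to Exim's queue as well.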
-- 
1.7.8.6


* [refpolicy] [PATCH 4/4] Adding interfaces for handling cron log files
@ 2012-10-29 18:49 ` Sven Vermeulen
From: Sven Vermeulen @ 2012-10-29 18:49 UTC (permalink / raw)
  To: refpolicy

Adding interfaces for a named file transition, create, setattr and write
privileges on cron log files. Will be used for the system logger domain later.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 cron.if |   83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 83 insertions(+), 0 deletions(-)

diff --git a/cron.if b/cron.if
index 2981f1f..e6259bd 100644
--- a/cron.if
+++ b/cron.if
@@ -409,6 +409,89 @@ interface(`cron_sigchld',`
 
 ########################################
 ## <summary>
+##	Set the attributes of cron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_setattr_log_files',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	allow $1 cron_log_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+##	Create cron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_create_log_files',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	allow $1 cron_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to cron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_write_log_files',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	allow $1 cron_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	logging_log_filetrans($1, cron_log_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Read cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
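Review bot: cron_create_log_files and cron_write_log_files only grant file-class permissions on cron_log_t; a caller that uses them without cron_generic_log_filetrans_log (whose logging_log_filetrans call is what provides the directory permissions on the generic log directory) will still be denied add_name/search on the directory, so the summaries should say that the caller also needs a search or rw interface on the log directory. For a system logger that only appends to an existing log, an append-only interface (append_file_perms) would be a tighter fit than write_file_perms; consider adding cron_append_log_files alongside or instead of cron_write_log_files. Finally, the new interfaces are unused in this series; a note in the commit message naming the follow-up patch that introduces the caller would help reviewers confirm they do not stay dead.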
-- 
1.7.8.6
