* [refpolicy] [PATCH v2 0/4] Smaller contrib updates
@ 2012-10-29 18:53 Sven Vermeulen
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 1/4] Be able to display dovecot errors Sven Vermeulen
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Sven Vermeulen @ 2012-10-29 18:53 UTC (permalink / raw)
  To: refpolicy

Smaller set of updates on contrib modules, slight change in
cron_create_log_files to use create_files_pattern to support cron_log_t marked
directories as well.

Sven Vermeulen (4):
  Be able to display dovecot errors
  Remove transition to ldconfig
  Adding mta as mail server
  Adding interfaces for handling cron log files

 cron.if    |   83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 dovecot.te |    1 +
 mta.fc     |    2 +
 portage.if |    4 +--
 4 files changed, 87 insertions(+), 3 deletions(-)

-- 
1.7.8.6


* [refpolicy] [PATCH v2 1/4] Be able to display dovecot errors
  2012-10-29 18:53 [refpolicy] [PATCH v2 0/4] Smaller contrib updates Sven Vermeulen
@ 2012-10-29 18:53 ` Sven Vermeulen
  2012-10-29 19:11   ` Dominick Grift
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 2/4] Remove transition to ldconfig Sven Vermeulen
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 9+ messages in thread
From: Sven Vermeulen @ 2012-10-29 18:53 UTC (permalink / raw)
  To: refpolicy

When the dovecot service is started, it might display the failures
(configuration file failures, or permission errors) but only when allowed to
write to the user terminals.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dovecot.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/dovecot.te b/dovecot.te
index 2017ffc..1a55371 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -152,6 +152,7 @@ miscfiles_read_generic_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_use_user_terminals(dovecot_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(dovecot_t)
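Review bot: The added `userdom_use_user_terminals(dovecot_t)` has no comment, and it gives the long-running dovecot_t domain use of user terminals for its whole lifetime, while the commit message only needs start-up failures to be written to the terminal. Please add a one-line comment above it stating that it is there for start-up error output, and consider whether a narrower, write-only terminal grant would do, so that the daemon is not also allowed to read from user terminals.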
-- 
1.7.8.6


* [refpolicy] [PATCH v2 2/4] Remove transition to ldconfig
  2012-10-29 18:53 [refpolicy] [PATCH v2 0/4] Smaller contrib updates Sven Vermeulen
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 1/4] Be able to display dovecot errors Sven Vermeulen
@ 2012-10-29 18:53 ` Sven Vermeulen
  2012-10-29 19:11   ` Dominick Grift
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 3/4] Adding mta as mail server Sven Vermeulen
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 4/4] Adding interfaces for handling cron log files Sven Vermeulen
  3 siblings, 1 reply; 9+ messages in thread
From: Sven Vermeulen @ 2012-10-29 18:53 UTC (permalink / raw)
  To: refpolicy

Up until now, we had ldconfig_t as the only domain that the portage compile
domains (like portage_sandbox_t) can transition towards. But this is not
necessary, and even led to a few hiccups (like sandbox requiring ptrace towards
the ldconfig domain).

Remove the domain transition, and just execute ldconfig when needed. Everything
remains within the sandbox domain.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.if |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/portage.if b/portage.if
index 1ae194e..67e8c12 100644
--- a/portage.if
+++ b/portage.if
@@ -177,9 +177,7 @@ interface(`portage_compile_domain',`
 	libs_exec_lib_files($1)
 	# some config scripts use ldd
 	libs_exec_ld_so($1)
-	# this violates the idea of sandbox, but
-	# regular sandbox allows it
-	libs_domtrans_ldconfig($1)
+	libs_exec_ldconfig($1)
 
 	logging_send_syslog_msg($1)
 
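Review bot: The replacement `libs_exec_ldconfig($1)` drops the only comment at this spot, so nothing in `portage_compile_domain` now records why ldconfig is executed without a transition. Because ldconfig will run in the caller's own domain, every domain passed as `$1` needs whatever access ldconfig itself requires, or its failures have to be acceptable; please add a short comment saying that staying inside the sandbox domain is intended, and confirm the compile domains were tested with this change.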
-- 
1.7.8.6


* [refpolicy] [PATCH v2 3/4] Adding mta as mail server
  2012-10-29 18:53 [refpolicy] [PATCH v2 0/4] Smaller contrib updates Sven Vermeulen
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 1/4] Be able to display dovecot errors Sven Vermeulen
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 2/4] Remove transition to ldconfig Sven Vermeulen
@ 2012-10-29 18:53 ` Sven Vermeulen
  2012-10-29 19:12   ` Dominick Grift
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 4/4] Adding interfaces for handling cron log files Sven Vermeulen
  3 siblings, 1 reply; 9+ messages in thread
From: Sven Vermeulen @ 2012-10-29 18:53 UTC (permalink / raw)
  To: refpolicy

Adding the locations of Exim to the mta.fc file.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mta.fc |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/mta.fc b/mta.fc
index dc894b4..6ba6c2b 100644
--- a/mta.fc
+++ b/mta.fc
@@ -19,6 +19,7 @@ HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 /usr/lib/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
+/usr/sbin/exim	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
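Review bot: The new `/usr/sbin/exim` entry labels the Exim binary `sendmail_exec_t` from mta.fc, while the reply in this thread points out that a dedicated exim module exists. If that module carries its own file context for the same path, the two specifications compete for the label, so either drop this line or state in the commit message why the generic sendmail label belongs in mta.fc.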
@@ -28,6 +29,7 @@ HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 
 /var/qmail/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
+/var/spool/exim(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/imap(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/(client)?mqueue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
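Review bot: `/var/spool/exim(/.*)?` is given the generic `mail_spool_t`, whereas the mqueue entries directly below it use a dedicated `mqueue_spool_t`. With the generic type, every domain that is allowed access to `mail_spool_t` also reaches Exim's queue; a dedicated spool type, or leaving this path to the exim module mentioned in the reply, would keep that access narrower.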
-- 
1.7.8.6


* [refpolicy] [PATCH v2 4/4] Adding interfaces for handling cron log files
  2012-10-29 18:53 [refpolicy] [PATCH v2 0/4] Smaller contrib updates Sven Vermeulen
                   ` (2 preceding siblings ...)
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 3/4] Adding mta as mail server Sven Vermeulen
@ 2012-10-29 18:53 ` Sven Vermeulen
  2012-10-29 19:12   ` Dominick Grift
  3 siblings, 1 reply; 9+ messages in thread
From: Sven Vermeulen @ 2012-10-29 18:53 UTC (permalink / raw)
  To: refpolicy

Adding interfaces for a named file transition, create, setattr and write
privileges on cron log files. Will be used for the system logger domain later.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 cron.if |   83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 83 insertions(+), 0 deletions(-)

diff --git a/cron.if b/cron.if
index 2981f1f..a1ecb7f 100644
--- a/cron.if
+++ b/cron.if
@@ -409,6 +409,89 @@ interface(`cron_sigchld',`
 
 ########################################
 ## <summary>
+##	Set the attributes of cron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_setattr_log_files',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	allow $1 cron_log_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+##	Create cron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_create_log_files',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	create_files_pattern($1, cron_log_t, cron_log_t)
+')
+
+########################################
+## <summary>
+##	Write to cron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_write_log_files',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	allow $1 cron_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	logging_log_filetrans($1, cron_log_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Read cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
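Review bot: In `cron_write_log_files`, `allow $1 cron_log_t:file write_file_perms;` lets the caller rewrite existing cron log content rather than only add to it; if the intended user (the system logger named in the commit message) only appends, an append-only interface would be the tighter grant. Two documentation gaps in the same hunk: the summary of `cron_create_log_files` says only "Create cron log files" although `create_files_pattern($1, cron_log_t, cron_log_t)` also covers directories typed `cron_log_t` (the point of the v2 change in the cover letter), and `cron_generic_log_filetrans_log` only calls `logging_log_filetrans`, so its description should say which of the other interfaces a caller pairs it with to actually create the file.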
-- 
1.7.8.6


* [refpolicy] [PATCH v2 1/4] Be able to display dovecot errors
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 1/4] Be able to display dovecot errors Sven Vermeulen
@ 2012-10-29 19:11   ` Dominick Grift
  0 siblings, 0 replies; 9+ messages in thread
From: Dominick Grift @ 2012-10-29 19:11 UTC (permalink / raw)
  To: refpolicy



On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote:
> When the dovecot service is started, it might display the failures
> (configuration file failures, or permission errors) but only when allowed to
> write to the user terminals.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  dovecot.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/dovecot.te b/dovecot.te
> index 2017ffc..1a55371 100644
> --- a/dovecot.te
> +++ b/dovecot.te
> @@ -152,6 +152,7 @@ miscfiles_read_generic_certs(dovecot_t)
>  miscfiles_read_localization(dovecot_t)
>  
>  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
> +userdom_use_user_terminals(dovecot_t)
>  
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_dirs(dovecot_t)

applied, thanks


* [refpolicy] [PATCH v2 2/4] Remove transition to ldconfig
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 2/4] Remove transition to ldconfig Sven Vermeulen
@ 2012-10-29 19:11   ` Dominick Grift
  0 siblings, 0 replies; 9+ messages in thread
From: Dominick Grift @ 2012-10-29 19:11 UTC (permalink / raw)
  To: refpolicy



On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote:
> Up until now, we had ldconfig_t as the only domain that the portage compile
> domains (like portage_sandbox_t) can transition towards. But this is not
> necessary, and even led to a few hiccups (like sandbox requiring ptrace towards
> the ldconfig domain).
> 
> Remove the domain transition, and just execute ldconfig when needed. Everything
> remains within the sandbox domain.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.if |    4 +---
>  1 files changed, 1 insertions(+), 3 deletions(-)
> 
> diff --git a/portage.if b/portage.if
> index 1ae194e..67e8c12 100644
> --- a/portage.if
> +++ b/portage.if
> @@ -177,9 +177,7 @@ interface(`portage_compile_domain',`
>  	libs_exec_lib_files($1)
>  	# some config scripts use ldd
>  	libs_exec_ld_so($1)
> -	# this violates the idea of sandbox, but
> -	# regular sandbox allows it
> -	libs_domtrans_ldconfig($1)
> +	libs_exec_ldconfig($1)
>  
>  	logging_send_syslog_msg($1)
>  
applied, thanks


* [refpolicy] [PATCH v2 3/4] Adding mta as mail server
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 3/4] Adding mta as mail server Sven Vermeulen
@ 2012-10-29 19:12   ` Dominick Grift
  0 siblings, 0 replies; 9+ messages in thread
From: Dominick Grift @ 2012-10-29 19:12 UTC (permalink / raw)
  To: refpolicy



On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote:
> Adding the locations of Exim to the mta.fc file.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  mta.fc |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/mta.fc b/mta.fc
> index dc894b4..6ba6c2b 100644
> --- a/mta.fc
> +++ b/mta.fc
> @@ -19,6 +19,7 @@ HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
>  /usr/lib/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
>  /usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
>  
> +/usr/sbin/exim	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
>  /usr/sbin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
>  /usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
>  /usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
> @@ -28,6 +29,7 @@ HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
>  
>  /var/qmail/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
>  
> +/var/spool/exim(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
>  /var/spool/imap(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
>  /var/spool/(client)?mqueue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
>  /var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)

We have an exim module


* [refpolicy] [PATCH v2 4/4] Adding interfaces for handling cron log files
  2012-10-29 18:53 ` [refpolicy] [PATCH v2 4/4] Adding interfaces for handling cron log files Sven Vermeulen
@ 2012-10-29 19:12   ` Dominick Grift
  0 siblings, 0 replies; 9+ messages in thread
From: Dominick Grift @ 2012-10-29 19:12 UTC (permalink / raw)
  To: refpolicy



On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote:
> Adding interfaces for a named file transition, create, setattr and write
> privileges on cron log files. Will be used for the system logger domain later.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  cron.if |   83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 files changed, 83 insertions(+), 0 deletions(-)
> 
> diff --git a/cron.if b/cron.if
> index 2981f1f..a1ecb7f 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -409,6 +409,89 @@ interface(`cron_sigchld',`
>  
>  ########################################
>  ## <summary>
> +##	Set the attributes of cron log files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`cron_setattr_log_files',`
> +	gen_require(`
> +		type cron_log_t;
> +	')
> +
> +	allow $1 cron_log_t:file setattr_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create cron log files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`cron_create_log_files',`
> +	gen_require(`
> +		type cron_log_t;
> +	')
> +
> +	create_files_pattern($1, cron_log_t, cron_log_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Write to cron log files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`cron_write_log_files',`
> +	gen_require(`
> +		type cron_log_t;
> +	')
> +
> +	allow $1 cron_log_t:file write_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create specified objects in generic
> +##	log directories with the cron log file type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`cron_generic_log_filetrans_log',`
> +	gen_require(`
> +		type cron_log_t;
> +	')
> +
> +	logging_log_filetrans($1, cron_log_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
>  ##	Read cron daemon unnamed pipes.
>  ## </summary>
>  ## <param name="domain">

applied thanks

