* [refpolicy] [PATCH] Make several calls to mta interfaces optional
@ 2016-12-15 21:06 Guido Trentalancia
  2016-12-16  0:31 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Guido Trentalancia @ 2016-12-15 21:06 UTC (permalink / raw)
  To: refpolicy

Wrap several calls to mta interfaces in optional_policy blocks.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/arpwatch.te  |    4 +++-
 policy/modules/contrib/cvs.te       |    6 ++++--
 policy/modules/contrib/fail2ban.te  |    6 ++++--
 policy/modules/contrib/mojomojo.te  |    4 +++-
 policy/modules/contrib/nagios.te    |    8 +++++---
 policy/modules/contrib/nut.te       |    4 +++-
 policy/modules/contrib/smokeping.te |    6 ++++--
 7 files changed, 26 insertions(+), 12 deletions(-)

diff -pru a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
--- a/policy/modules/contrib/arpwatch.te	2016-10-29 16:29:19.662325285 +0200
+++ b/policy/modules/contrib/arpwatch.te	2016-12-15 21:15:19.541555771 +0100
@@ -74,7 +74,9 @@ miscfiles_read_localization(arpwatch_t)
 userdom_dontaudit_search_user_home_dirs(arpwatch_t)
 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
 
-mta_send_mail(arpwatch_t)
+optional_policy(`
+	mta_send_mail(arpwatch_t)
+')
 
 optional_policy(`
 	seutil_sigchld_newrole(arpwatch_t)
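Review bot: With `mta_send_mail(arpwatch_t)` now inside `optional_policy`, a policy built without the mta module still compiles but leaves arpwatch_t with no mail rules, and nothing in the hunk tells a maintainer that its mail reports depend on that module. The same applies to the fail2ban_t, nagios_t and nut_upsmon_t hunks in this patch; these are alerting paths, where a notification that is quietly no longer permitted matters for detection. A one-line comment above each block, such as `# mail reports depend on the mta module being present`, would make the dependency visible. The `optional_policy(` block with seutil_sigchld_newrole that follows runs past the end of the hunk.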
diff -pru a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
--- a/policy/modules/contrib/cvs.te	2016-08-14 21:28:11.474519297 +0200
+++ b/policy/modules/contrib/cvs.te	2016-12-15 21:18:39.993733559 +0100
@@ -91,8 +91,6 @@ logging_send_audit_msgs(cvs_t)
 
 miscfiles_read_localization(cvs_t)
 
-mta_send_mail(cvs_t)
-
 userdom_dontaudit_search_user_home_dirs(cvs_t)
 
 # cjp: typeattribute doesnt work in conditionals yet
@@ -109,6 +107,10 @@ optional_policy(`
 	kerberos_dontaudit_write_config(cvs_t)
 ')
 
+optional_policy(`
+	mta_send_mail(cvs_t)
+')
+
 ########################################
 #
 # CVSWeb local policy
diff -pru a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
--- a/policy/modules/contrib/fail2ban.te	2016-08-14 21:28:11.486519481 +0200
+++ b/policy/modules/contrib/fail2ban.te	2016-12-15 21:20:06.429675340 +0100
@@ -99,8 +99,6 @@ miscfiles_read_localization(fail2ban_t)
 sysnet_manage_config(fail2ban_t)
 sysnet_etc_filetrans_config(fail2ban_t)
 
-mta_send_mail(fail2ban_t)
-
 optional_policy(`
 	apache_read_log(fail2ban_t)
 ')
@@ -118,6 +116,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mta_send_mail(fail2ban_t)
+')
+
+optional_policy(`
 	shorewall_domtrans(fail2ban_t)
 ')
 
diff -pru a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te
--- a/policy/modules/contrib/mojomojo.te	2016-08-14 21:28:11.520520004 +0200
+++ b/policy/modules/contrib/mojomojo.te	2016-12-15 21:14:25.131966201 +0100
@@ -22,4 +22,6 @@ files_search_var_lib(httpd_mojomojo_scri
 
 sysnet_dns_name_resolve(httpd_mojomojo_script_t)
 
-mta_send_mail(httpd_mojomojo_script_t)
+optional_policy(`
+	mta_send_mail(httpd_mojomojo_script_t)
+')
diff -pru a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
--- a/policy/modules/contrib/nagios.te	2016-08-14 21:28:11.525520081 +0200
+++ b/policy/modules/contrib/nagios.te	2016-12-15 21:25:16.399065452 +0100
@@ -158,9 +158,11 @@ miscfiles_read_localization(nagios_t)
 userdom_dontaudit_use_unpriv_user_fds(nagios_t)
 userdom_dontaudit_search_user_home_dirs(nagios_t)
 
-mta_send_mail(nagios_t)
-mta_signal_system_mail(nagios_t)
-mta_kill_system_mail(nagios_t)
+optional_policy(`
+	mta_send_mail(nagios_t)
+	mta_signal_system_mail(nagios_t)
+	mta_kill_system_mail(nagios_t)
+')
 
 optional_policy(`
 	netutils_kill_ping(nagios_t)
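Review bot: The new block gives nagios_t more than mail submission: going by their names, `mta_signal_system_mail` and `mta_kill_system_mail` let it signal and kill processes in the system mail domain, and the hunk has no comment recording why. Keeping all three calls in one `optional_policy` is consistent, since they come from the same module. The signal and kill grants still deserve a stated rationale for later least-privilege review, for example `# nagios terminates notification mailers it started (confirm)` above those two lines. The `optional_policy(` block with netutils_kill_ping that follows is cut off by the hunk.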
diff -pru a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
--- a/policy/modules/contrib/nut.te	2016-08-14 21:28:11.530520158 +0200
+++ b/policy/modules/contrib/nut.te	2016-12-15 21:26:09.709650446 +0100
@@ -116,7 +116,9 @@ term_write_all_terms(nut_upsmon_t)
 
 auth_use_nsswitch(nut_upsmon_t)
 
-mta_send_mail(nut_upsmon_t)
+optional_policy(`
+	mta_send_mail(nut_upsmon_t)
+')
 
 optional_policy(`
 	shutdown_domtrans(nut_upsmon_t)
diff -pru a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
--- a/policy/modules/contrib/smokeping.te	2016-08-14 21:28:11.572520803 +0200
+++ b/policy/modules/contrib/smokeping.te	2016-12-15 21:21:00.183261822 +0100
@@ -49,10 +49,12 @@ logging_send_syslog_msg(smokeping_t)
 
 miscfiles_read_localization(smokeping_t)
 
-mta_send_mail(smokeping_t)
-
 netutils_domtrans_ping(smokeping_t)
 
+optional_policy(`
+	mta_send_mail(smokeping_t)
+')
+
 #######################################
 #
 # Cgi local policy


* [refpolicy] [PATCH] Make several calls to mta interfaces optional
  2016-12-15 21:06 [refpolicy] [PATCH] Make several calls to mta interfaces optional Guido Trentalancia
@ 2016-12-16  0:31 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2016-12-16  0:31 UTC (permalink / raw)
  To: refpolicy

On 12/15/16 16:06, Guido Trentalancia via refpolicy wrote:
> Make several calls to mta interfaces optional policy.

Merged.



> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/arpwatch.te  |    4 +++-
>  policy/modules/contrib/cvs.te       |    6 ++++--
>  policy/modules/contrib/fail2ban.te  |    6 ++++--
>  policy/modules/contrib/mojomojo.te  |    4 +++-
>  policy/modules/contrib/nagios.te    |    8 +++++---
>  policy/modules/contrib/nut.te       |    4 +++-
>  policy/modules/contrib/smokeping.te |    6 ++++--
>  7 files changed, 26 insertions(+), 12 deletions(-)
>
> diff -pru a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
> --- a/policy/modules/contrib/arpwatch.te	2016-10-29 16:29:19.662325285 +0200
> +++ b/policy/modules/contrib/arpwatch.te	2016-12-15 21:15:19.541555771 +0100
> @@ -74,7 +74,9 @@ miscfiles_read_localization(arpwatch_t)
>  userdom_dontaudit_search_user_home_dirs(arpwatch_t)
>  userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
>
> -mta_send_mail(arpwatch_t)
> +optional_policy(`
> +	mta_send_mail(arpwatch_t)
> +')
>
>  optional_policy(`
>  	seutil_sigchld_newrole(arpwatch_t)
> diff -pru a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
> --- a/policy/modules/contrib/cvs.te	2016-08-14 21:28:11.474519297 +0200
> +++ b/policy/modules/contrib/cvs.te	2016-12-15 21:18:39.993733559 +0100
> @@ -91,8 +91,6 @@ logging_send_audit_msgs(cvs_t)
>
>  miscfiles_read_localization(cvs_t)
>
> -mta_send_mail(cvs_t)
> -
>  userdom_dontaudit_search_user_home_dirs(cvs_t)
>
>  # cjp: typeattribute doesnt work in conditionals yet
> @@ -109,6 +107,10 @@ optional_policy(`
>  	kerberos_dontaudit_write_config(cvs_t)
>  ')
>
> +optional_policy(`
> +	mta_send_mail(cvs_t)
> +')
> +
>  ########################################
>  #
>  # CVSWeb local policy
> diff -pru a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
> --- a/policy/modules/contrib/fail2ban.te	2016-08-14 21:28:11.486519481 +0200
> +++ b/policy/modules/contrib/fail2ban.te	2016-12-15 21:20:06.429675340 +0100
> @@ -99,8 +99,6 @@ miscfiles_read_localization(fail2ban_t)
>  sysnet_manage_config(fail2ban_t)
>  sysnet_etc_filetrans_config(fail2ban_t)
>
> -mta_send_mail(fail2ban_t)
> -
>  optional_policy(`
>  	apache_read_log(fail2ban_t)
>  ')
> @@ -118,6 +116,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	mta_send_mail(fail2ban_t)
> +')
> +
> +optional_policy(`
>  	shorewall_domtrans(fail2ban_t)
>  ')
>
> diff -pru a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te
> --- a/policy/modules/contrib/mojomojo.te	2016-08-14 21:28:11.520520004 +0200
> +++ b/policy/modules/contrib/mojomojo.te	2016-12-15 21:14:25.131966201 +0100
> @@ -22,4 +22,6 @@ files_search_var_lib(httpd_mojomojo_scri
>
>  sysnet_dns_name_resolve(httpd_mojomojo_script_t)
>
> -mta_send_mail(httpd_mojomojo_script_t)
> +optional_policy(`
> +	mta_send_mail(httpd_mojomojo_script_t)
> +')
> diff -pru a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
> --- a/policy/modules/contrib/nagios.te	2016-08-14 21:28:11.525520081 +0200
> +++ b/policy/modules/contrib/nagios.te	2016-12-15 21:25:16.399065452 +0100
> @@ -158,9 +158,11 @@ miscfiles_read_localization(nagios_t)
>  userdom_dontaudit_use_unpriv_user_fds(nagios_t)
>  userdom_dontaudit_search_user_home_dirs(nagios_t)
>
> -mta_send_mail(nagios_t)
> -mta_signal_system_mail(nagios_t)
> -mta_kill_system_mail(nagios_t)
> +optional_policy(`
> +	mta_send_mail(nagios_t)
> +	mta_signal_system_mail(nagios_t)
> +	mta_kill_system_mail(nagios_t)
> +')
>
>  optional_policy(`
>  	netutils_kill_ping(nagios_t)
> diff -pru a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
> --- a/policy/modules/contrib/nut.te	2016-08-14 21:28:11.530520158 +0200
> +++ b/policy/modules/contrib/nut.te	2016-12-15 21:26:09.709650446 +0100
> @@ -116,7 +116,9 @@ term_write_all_terms(nut_upsmon_t)
>
>  auth_use_nsswitch(nut_upsmon_t)
>
> -mta_send_mail(nut_upsmon_t)
> +optional_policy(`
> +	mta_send_mail(nut_upsmon_t)
> +')
>
>  optional_policy(`
>  	shutdown_domtrans(nut_upsmon_t)
> diff -pru a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
> --- a/policy/modules/contrib/smokeping.te	2016-08-14 21:28:11.572520803 +0200
> +++ b/policy/modules/contrib/smokeping.te	2016-12-15 21:21:00.183261822 +0100
> @@ -49,10 +49,12 @@ logging_send_syslog_msg(smokeping_t)
>
>  miscfiles_read_localization(smokeping_t)
>
> -mta_send_mail(smokeping_t)
> -
>  netutils_domtrans_ping(smokeping_t)
>
> +optional_policy(`
> +	mta_send_mail(smokeping_t)
> +')
> +
>  #######################################
>  #
>  # Cgi local policy



-- 
Chris PeBenito
