* [refpolicy] [PATCH 1/1] cron: optional_policy for mta_* interfaces
       [not found] <1B50C12ACFF4CB42B90D2581155DF50205B4A14D@Exchange10.columbia.tresys.com>
@ 2017-08-29 16:04 ` David Sugar
  2017-08-29 23:02   ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: David Sugar @ 2017-08-29 16:04 UTC (permalink / raw)
  To: refpolicy


Patch to allow the mta module to be turned off while the cron module remains available.
---
 cron.te | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/cron.te b/cron.te
index 7807dac..5302630 100644
--- a/cron.te
+++ b/cron.te
@@ -43,7 +43,9 @@ application_executable_file(anacron_exec_t)

 type cron_spool_t;
 files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
+optional_policy(`
+       mta_system_content(cron_spool_t)
+')

 type cron_var_lib_t;
 files_type(cron_var_lib_t)
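Review bot: The same three-line `optional_policy` wrapper is written six times, once here for `cron_spool_t` and again in the later hunks for `crond_tmp_t`, `crond_var_run_t`, `system_cron_spool_t`, `user_cron_spool_t` and `user_cron_spool_log_t`. All six calls depend on the same mta module, so a single `optional_policy` block listing the six `mta_system_content(...)` calls would enable or drop them together and leave one place to audit. A short comment on that block would help the next reader, for example `# mta is optional: skip the mta_system_content associations when the module is absent`.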
@@ -74,14 +76,18 @@ init_script_file(crond_initrc_exec_t)
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
 files_poly_parent(crond_tmp_t)
-mta_system_content(crond_tmp_t)
+optional_policy(`
+       mta_system_content(crond_tmp_t)
+')

 type crond_unit_t;
 init_unit_file(crond_unit_t)

 type crond_var_run_t;
 files_pid_file(crond_var_run_t)
-mta_system_content(crond_var_run_t)
+optional_policy(`
+       mta_system_content(crond_var_run_t)
+')

 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
@@ -98,7 +104,9 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };

 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
+optional_policy(`
+       mta_system_content(system_cron_spool_t)
+')

 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
@@ -122,12 +130,16 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
 typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 files_type(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
-mta_system_content(user_cron_spool_t)
+optional_policy(`
+       mta_system_content(user_cron_spool_t)
+')

 type user_cron_spool_log_t;
 logging_log_file(user_cron_spool_log_t)
 ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
+optional_policy(`
+       mta_system_content(user_cron_spool_log_t)
+')

 ifdef(`enable_mcs',`
        init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
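Review bot: The subject promises optional handling for the `mta_*` interfaces, but the visible hunks wrap only `mta_system_content`. If cron.te or cron.if still call any other mta interface outside an `optional_policy` block (not visible here), the policy will presumably still fail to build once the mta module is removed. Building once with mta disabled would confirm this, and the commit message could state that the build was tested that way. The ifdef enable_mcs block at the end of this hunk continues outside it.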
--
2.13.5


* [refpolicy] [PATCH 1/1] cron: optional_policy for mta_* interfaces
  2017-08-29 16:04 ` [refpolicy] [PATCH 1/1] cron: optional_policy for mta_* interfaces David Sugar
@ 2017-08-29 23:02   ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2017-08-29 23:02 UTC (permalink / raw)
  To: refpolicy

On 08/29/2017 12:04 PM, David Sugar via refpolicy wrote:
> 
> Patch to allow turning off of the mta module and still have cron module available.
> ---
>   cron.te | 24 ++++++++++++++++++------
>   1 file changed, 18 insertions(+), 6 deletions(-)
> 
> diff --git a/cron.te b/cron.te
> index 7807dac..5302630 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -43,7 +43,9 @@ application_executable_file(anacron_exec_t)
> 
>   type cron_spool_t;
>   files_type(cron_spool_t)
> -mta_system_content(cron_spool_t)
> +optional_policy(`
> +       mta_system_content(cron_spool_t)
> +')
> 
>   type cron_var_lib_t;
>   files_type(cron_var_lib_t)
> @@ -74,14 +76,18 @@ init_script_file(crond_initrc_exec_t)
>   type crond_tmp_t;
>   files_tmp_file(crond_tmp_t)
>   files_poly_parent(crond_tmp_t)
> -mta_system_content(crond_tmp_t)
> +optional_policy(`
> +       mta_system_content(crond_tmp_t)
> +')
> 
>   type crond_unit_t;
>   init_unit_file(crond_unit_t)
> 
>   type crond_var_run_t;
>   files_pid_file(crond_var_run_t)
> -mta_system_content(crond_var_run_t)
> +optional_policy(`
> +       mta_system_content(crond_var_run_t)
> +')
> 
>   type crontab_exec_t;
>   application_executable_file(crontab_exec_t)
> @@ -98,7 +104,9 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
> 
>   type system_cron_spool_t, cron_spool_type;
>   files_type(system_cron_spool_t)
> -mta_system_content(system_cron_spool_t)
> +optional_policy(`
> +       mta_system_content(system_cron_spool_t)
> +')
> 
>   type system_cronjob_t alias system_crond_t;
>   init_daemon_domain(system_cronjob_t, anacron_exec_t)
> @@ -122,12 +130,16 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
>   typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
>   files_type(user_cron_spool_t)
>   ubac_constrained(user_cron_spool_t)
> -mta_system_content(user_cron_spool_t)
> +optional_policy(`
> +       mta_system_content(user_cron_spool_t)
> +')
> 
>   type user_cron_spool_log_t;
>   logging_log_file(user_cron_spool_log_t)
>   ubac_constrained(user_cron_spool_log_t)
> -mta_system_content(user_cron_spool_log_t)
> +optional_policy(`
> +       mta_system_content(user_cron_spool_log_t)
> +')
> 
>   ifdef(`enable_mcs',`
>          init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)

These would need to be moved here, after this ifdef block.

-- 
Chris PeBenito

