* [refpolicy] [PATCH 1/1] cron: optional_policy for mta_* interfaces
[not found] <1B50C12ACFF4CB42B90D2581155DF50205B4A14D@Exchange10.columbia.tresys.com>
@ 2017-08-29 16:04 ` David Sugar
2017-08-29 23:02 ` Chris PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: David Sugar @ 2017-08-29 16:04 UTC (permalink / raw)
To: refpolicy
Patch to allow turning off of the mta module and still have cron module available.
---
cron.te | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/cron.te b/cron.te
index 7807dac..5302630 100644
--- a/cron.te
+++ b/cron.te
@@ -43,7 +43,9 @@ application_executable_file(anacron_exec_t)
type cron_spool_t;
files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
+optional_policy(`
+ mta_system_content(cron_spool_t)
+')
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -74,14 +76,18 @@ init_script_file(crond_initrc_exec_t)
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
-mta_system_content(crond_tmp_t)
+optional_policy(`
+ mta_system_content(crond_tmp_t)
+')
type crond_unit_t;
init_unit_file(crond_unit_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
-mta_system_content(crond_var_run_t)
+optional_policy(`
+ mta_system_content(crond_var_run_t)
+')
type crontab_exec_t;
application_executable_file(crontab_exec_t)
@@ -98,7 +104,9 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
+optional_policy(`
+ mta_system_content(system_cron_spool_t)
+')
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
@@ -122,12 +130,16 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
-mta_system_content(user_cron_spool_t)
+optional_policy(`
+ mta_system_content(user_cron_spool_t)
+')
type user_cron_spool_log_t;
logging_log_file(user_cron_spool_log_t)
ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
+optional_policy(`
+ mta_system_content(user_cron_spool_log_t)
+')
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
--
2.13.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [refpolicy] [PATCH 1/1] cron: optional_policy for mta_* interfaces
2017-08-29 16:04 ` [refpolicy] [PATCH 1/1] cron: optional_policy for mta_* interfaces David Sugar
@ 2017-08-29 23:02 ` Chris PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2017-08-29 23:02 UTC (permalink / raw)
To: refpolicy
On 08/29/2017 12:04 PM, David Sugar via refpolicy wrote:
>
> Patch to allow turning off of the mta module and still have cron module available.
> ---
> cron.te | 24 ++++++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/cron.te b/cron.te
> index 7807dac..5302630 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -43,7 +43,9 @@ application_executable_file(anacron_exec_t)
>
> type cron_spool_t;
> files_type(cron_spool_t)
> -mta_system_content(cron_spool_t)
> +optional_policy(`
> + mta_system_content(cron_spool_t)
> +')
>
> type cron_var_lib_t;
> files_type(cron_var_lib_t)
> @@ -74,14 +76,18 @@ init_script_file(crond_initrc_exec_t)
> type crond_tmp_t;
> files_tmp_file(crond_tmp_t)
> files_poly_parent(crond_tmp_t)
> -mta_system_content(crond_tmp_t)
> +optional_policy(`
> + mta_system_content(crond_tmp_t)
> +')
>
> type crond_unit_t;
> init_unit_file(crond_unit_t)
>
> type crond_var_run_t;
> files_pid_file(crond_var_run_t)
> -mta_system_content(crond_var_run_t)
> +optional_policy(`
> + mta_system_content(crond_var_run_t)
> +')
>
> type crontab_exec_t;
> application_executable_file(crontab_exec_t)
> @@ -98,7 +104,9 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
>
> type system_cron_spool_t, cron_spool_type;
> files_type(system_cron_spool_t)
> -mta_system_content(system_cron_spool_t)
> +optional_policy(`
> + mta_system_content(system_cron_spool_t)
> +')
>
> type system_cronjob_t alias system_crond_t;
> init_daemon_domain(system_cronjob_t, anacron_exec_t)
> @@ -122,12 +130,16 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
> typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
> files_type(user_cron_spool_t)
> ubac_constrained(user_cron_spool_t)
> -mta_system_content(user_cron_spool_t)
> +optional_policy(`
> + mta_system_content(user_cron_spool_t)
> +')
>
> type user_cron_spool_log_t;
> logging_log_file(user_cron_spool_log_t)
> ubac_constrained(user_cron_spool_log_t)
> -mta_system_content(user_cron_spool_log_t)
> +optional_policy(`
> + mta_system_content(user_cron_spool_log_t)
> +')
>
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
These would need to be moved here, after this ifdef block.
--
Chris PeBenito
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-08-29 23:02 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <1B50C12ACFF4CB42B90D2581155DF50205B4A14D@Exchange10.columbia.tresys.com>
2017-08-29 16:04 ` [refpolicy] [PATCH 1/1] cron: optional_policy for mta_* interfaces David Sugar
2017-08-29 23:02 ` Chris PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.