diff --git a/policy-F16.patch b/policy-F16.patch index 25b10b5..2b57579 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -22925,7 +22925,7 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te new file mode 100644 -index 0000000..2cc4c43 +index 0000000..e45e8b0 --- /dev/null +++ b/policy/modules/roles/sysadm_secadm.te @@ -0,0 +1,23 @@ @@ -22938,7 +22938,7 @@ index 0000000..2cc4c43 + +gen_require(` + type sysadm_t; -+ ole sysadm_r; ++ role sysadm_r; +') + +userdom_security_admin_template(sysadm_t, sysadm_r) @@ -46849,7 +46849,7 @@ index 256166a..71e7a36 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..7ae15f4 100644 +index 343cee3..ff6a8c7 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -46863,7 +46863,7 @@ index 343cee3..7ae15f4 100644 gen_require(` attribute user_mail_domain; type sendmail_exec_t; -@@ -56,92 +56,11 @@ template(`mta_base_mail_template',` +@@ -56,92 +56,15 @@ template(`mta_base_mail_template',` type $1_mail_tmp_t; files_tmp_file($1_mail_tmp_t) @@ -46903,7 +46903,7 @@ index 343cee3..7ae15f4 100644 + files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) auth_use_nsswitch($1_mail_t) -- + - init_dontaudit_rw_utmp($1_mail_t) - - logging_send_syslog_msg($1_mail_t) @@ -46916,9 +46916,9 @@ index 343cee3..7ae15f4 100644 - exim_manage_spool_files($1_mail_t) - ') - -- optional_policy(` -- postfix_domtrans_user_mail_handler($1_mail_t) -- ') + optional_policy(` + postfix_domtrans_user_mail_handler($1_mail_t) + ') - - optional_policy(` - procmail_exec($1_mail_t) 
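Review bot: The retained `optional_policy(` postfix_domtrans_user_mail_handler($1_mail_t) ')` block in `mta_base_mail_template` now pairs with the companion hunk at `@@ -47747,7 +47747,6 @@`, which drops `postfix_domtrans_user_mail_handler(user_mail_domain)` from the attribute-wide block in mta.te, and nothing in either file records that the two are deliberately split. Every other rule visible in this template hunk is being removed in favour of the attribute, so a later cleanup that consolidates onto `user_mail_domain` could easily move this transition back without noticing. If every `user_mail_domain` member is created through this template the effective grant is unchanged; if not, the new scoping is the narrower one, which is the safer default for a domain transition and worth preserving on purpose. A one-line comment above the retained block, `# keep per-domain: the user_mail_domain rules in mta.te intentionally omit this transition`, would make the intent durable. The template body continues past the hunk.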
@@ -46959,7 +46959,7 @@ index 343cee3..7ae15f4 100644 ') ######################################## -@@ -158,6 +77,7 @@ template(`mta_base_mail_template',` +@@ -158,6 +81,7 @@ template(`mta_base_mail_template',` ## User domain for the role ## ## @@ -46967,7 +46967,7 @@ index 343cee3..7ae15f4 100644 # interface(`mta_role',` gen_require(` -@@ -169,11 +89,19 @@ interface(`mta_role',` +@@ -169,11 +93,19 @@ interface(`mta_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, sendmail_exec_t, user_mail_t) @@ -46988,7 +46988,7 @@ index 343cee3..7ae15f4 100644 ') ######################################## -@@ -220,6 +148,25 @@ interface(`mta_agent_executable',` +@@ -220,6 +152,25 @@ interface(`mta_agent_executable',` application_executable_file($1) ') @@ -47014,7 +47014,7 @@ index 343cee3..7ae15f4 100644 ######################################## ## ## Make the specified type by a system MTA. -@@ -306,10 +253,11 @@ interface(`mta_mailserver_sender',` +@@ -306,10 +257,11 @@ interface(`mta_mailserver_sender',` interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; @@ -47027,7 +47027,7 @@ index 343cee3..7ae15f4 100644 ') ####################################### -@@ -330,12 +278,6 @@ interface(`mta_mailserver_user_agent',` +@@ -330,12 +282,6 @@ interface(`mta_mailserver_user_agent',` ') typeattribute $1 mta_user_agent; @@ -47040,7 +47040,7 @@ index 343cee3..7ae15f4 100644 ') ######################################## -@@ -350,9 +292,8 @@ interface(`mta_mailserver_user_agent',` +@@ -350,9 +296,8 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` gen_require(` @@ -47051,7 +47051,7 @@ index 343cee3..7ae15f4 100644 ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -@@ -391,12 +332,19 @@ interface(`mta_send_mail',` +@@ -391,12 +336,19 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` 
@@ -47073,7 +47073,7 @@ index 343cee3..7ae15f4 100644 ') ######################################## -@@ -409,7 +357,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +361,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -47081,7 +47081,7 @@ index 343cee3..7ae15f4 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +367,24 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +371,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -47106,7 +47106,7 @@ index 343cee3..7ae15f4 100644 ## Execute sendmail in the caller domain. ## ## -@@ -438,6 +403,26 @@ interface(`mta_sendmail_exec',` +@@ -438,6 +407,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -47133,7 +47133,7 @@ index 343cee3..7ae15f4 100644 ## Read mail server configuration. ## ## -@@ -474,7 +459,8 @@ interface(`mta_write_config',` +@@ -474,7 +463,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -47143,7 +47143,7 @@ index 343cee3..7ae15f4 100644 ') ######################################## -@@ -494,6 +480,7 @@ interface(`mta_read_aliases',` +@@ -494,6 +484,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -47151,7 +47151,7 @@ index 343cee3..7ae15f4 100644 ') ######################################## -@@ -532,7 +519,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -532,7 +523,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -47160,7 +47160,7 @@ index 343cee3..7ae15f4 100644 ') ######################################## -@@ -552,7 +539,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +543,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) 
@@ -47169,7 +47169,7 @@ index 343cee3..7ae15f4 100644 ') ####################################### -@@ -646,8 +633,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +637,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -47180,7 +47180,7 @@ index 343cee3..7ae15f4 100644 ') ####################################### -@@ -677,7 +664,26 @@ interface(`mta_spool_filetrans',` +@@ -677,7 +668,26 @@ interface(`mta_spool_filetrans',` ') files_search_spool($1) @@ -47208,7 +47208,7 @@ index 343cee3..7ae15f4 100644 ') ######################################## -@@ -697,8 +703,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +707,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -47219,7 +47219,7 @@ index 343cee3..7ae15f4 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +844,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +848,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -47228,7 +47228,7 @@ index 343cee3..7ae15f4 100644 ') ######################################## -@@ -864,6 +870,36 @@ interface(`mta_manage_queue',` +@@ -864,6 +874,36 @@ interface(`mta_manage_queue',` ####################################### ## @@ -47265,7 +47265,7 @@ index 343cee3..7ae15f4 100644 ## Read sendmail binary. ## ## -@@ -899,3 +935,114 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +939,114 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -47381,7 +47381,7 @@ index 343cee3..7ae15f4 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..ab8c4e4 100644 +index 64268e4..8fd5f8a 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) 
@@ -47658,7 +47658,7 @@ index 64268e4..ab8c4e4 100644 # Read user temporary files. # postfix seems to need write access if the file handle is opened read/write userdom_rw_user_tmp_files(user_mail_t) -@@ -292,3 +303,115 @@ optional_policy(` +@@ -292,3 +303,114 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -47747,7 +47747,6 @@ index 64268e4..ab8c4e4 100644 + postfix_exec_master(user_mail_domain) + postfix_read_config(user_mail_domain) + postfix_search_spool(user_mail_domain) -+ postfix_domtrans_user_mail_handler(user_mail_domain) + postfix_rw_master_pipes(user_mail_domain) + + ifdef(`distro_redhat',`