diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 44e782e..c57356a 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -356,6 +356,7 @@ interface(`mta_send_mail',` ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; + corecmd_read_bin_symlinks($1) domtrans_pattern($1, mta_exec_type, system_mail_t) allow mta_user_agent $1:fd use; @@ -400,6 +401,25 @@ interface(`mta_sendmail_domtrans',` ######################################## ## +## Send system mail client a signal +## +## +## +## Domain allowed access. +## +## +# +# +interface(`mta_signal_system_mail',` + gen_require(` + type system_mail_t; + ') + + allow $1 system_mail_t:process signal; +') + +######################################## +## ## Execute sendmail in the caller domain. ## ## @@ -765,6 +785,25 @@ interface(`mta_search_queue',` ####################################### ## +## List the mail queue. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_list_queue',` + gen_require(` + type mqueue_spool_t; + ') + + allow $1 mqueue_spool_t:dir list_dir_perms; + files_search_spool($1) +') + +####################################### +## ## Read the mail queue. ## ## diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 797d86b..29f117c 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta, 2.2.1) +policy_module(mta, 2.2.2) ######################################## # @@ -71,10 +71,14 @@ dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) +files_read_usr_files(system_mail_t) + fs_rw_anon_inodefs_files(system_mail_t) selinux_getattr_fs(system_mail_t) +term_dontaudit_use_unallocated_ttys(system_mail_t) + init_use_script_ptys(system_mail_t) userdom_use_user_terminals(system_mail_t) @@ -107,6 +111,7 @@ optional_policy(` optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) + cron_rw_system_job_stream_sockets(system_mail_t) ') optional_policy(`