authorDavid Sugar <dsugar@tresys.com>2017-08-30 16:07:07 +0000
committerLuis Ressel <aranea@aixah.de>2017-09-09 00:48:51 +0200
commita43e66289e81dcc53f4069387a15929f67db476f (patch)
tree8a639b0d2a93bf42e9732d22e32c1e4a9e108769
parentwm: consolidate networkmanger interface calls into single optional (diff)
cron: optional_policy for mta_* interfaces
Patch to allow turning off the mta module while still having the cron module available. This version consolidates all mta_* interface uses into a single optional block.
-rw-r--r--policy/modules/contrib/cron.te26
1 files changed, 17 insertions, 9 deletions
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 27467232a..a8818d565 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -43,7 +43,6 @@ application_executable_file(anacron_exec_t)
type cron_spool_t;
files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -74,14 +73,12 @@ init_script_file(crond_initrc_exec_t)
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
-mta_system_content(crond_tmp_t)
type crond_unit_t;
init_unit_file(crond_unit_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
-mta_system_content(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
@@ -98,7 +95,6 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
@@ -122,7 +118,23 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
-mta_system_content(user_cron_spool_t)
+
+type user_cron_spool_log_t;
+logging_log_file(user_cron_spool_log_t)
+ubac_constrained(user_cron_spool_log_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
+
+optional_policy(`
+ mta_system_content(cron_spool_t)
+ mta_system_content(crond_tmp_t)
+ mta_system_content(crond_var_run_t)
+ mta_system_content(system_cron_spool_t)
+ mta_system_content(user_cron_spool_t)
+ mta_system_content(user_cron_spool_log_t)
+')
ifdef(`distro_gentoo',`
# Logging for atd jobs
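Review bot: The added lines declare a new type `user_cron_spool_log_t` (with `logging_log_file` and `ubac_constrained`) and list it in the `optional_policy` block, yet the commit message describes only moving existing `mta_*` calls into one optional block, and no removed line in the visible hunks corresponds to this type. As far as I understand `mta_system_content`, it widens what the system mail domains may access, so this looks like a small policy expansion rather than a pure refactor; it should be named in the commit message or split into its own commit. If the type is already declared in a part of cron.te outside these hunks, the second `type` statement would also break the policy build, so that is worth checking. A short comment above the block, such as `# Let the system MTA handle cron content; skipped when the mta module is absent`, would record why these calls are optional. The enclosing `ifdef(`distro_gentoo', ...)` that follows continues outside this hunk.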
@@ -132,10 +144,6 @@ ifdef(`distro_gentoo',`
logging_syslog_managed_log_file(cron_log_t, "cron.log")
')
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-')
-
##############################
#
# Common crontab local policy