From 9ea85eaa8b6a52df1e7c13d6e2d20f4b8444f7f1 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: May 20 2010 12:36:38 +0000 Subject: Sendmail patch from Dan Walsh. --- diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if index 306a2b1..e4f4051 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if @@ -253,6 +253,24 @@ interface(`sendmail_manage_tmp_files',` ######################################## ## +## Execute sendmail in the unconfined sendmail domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_domtrans_unconfined',` + gen_require(` + type unconfined_sendmail_t; + ') + + mta_sendmail_domtrans($1, unconfined_sendmail_t) +') + +######################################## +## ## Execute sendmail in the unconfined sendmail domain, and ## allow the specified role the unconfined sendmail domain, ## and use the caller's terminal. diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index c1d2297..43edd99 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -1,5 +1,5 @@ -policy_module(sendmail, 1.10.1) +policy_module(sendmail, 1.10.2) ######################################## # @@ -30,7 +30,7 @@ role system_r types unconfined_sendmail_t; # allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; -allow sendmail_t self:process { setrlimit signal signull }; +allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; @@ -72,6 +72,7 @@ fs_search_auto_mountpoints(sendmail_t) fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) +term_dontaudit_use_generic_ptys(sendmail_t) # for piping mail to a command corecmd_exec_shell(sendmail_t) @@ -133,6 +134,7 @@ optional_policy(` optional_policy(` fail2ban_read_lib_files(sendmail_t) + fail2ban_rw_stream_sockets(sendmail_t) ') optional_policy(`