* [refpolicy] [PATCH 0/7] Updates on contrib
@ 2012-11-22 19:21 Sven Vermeulen
  2012-11-22 19:21 ` [refpolicy] [PATCH 1/7] Moving sandbox code to sandbox section Sven Vermeulen
                   ` (6 more replies)
  0 siblings, 7 replies; 17+ messages in thread
From: Sven Vermeulen @ 2012-11-22 19:21 UTC (permalink / raw)
  To: refpolicy

Another set of updates for the contrib module. 

Sven Vermeulen (7):
  Moving sandbox code to sandbox section
  Allow sandbox to log violations
  Fix typo in clockspeed comment
  Support openvpn status file
  Asterisk voicemail messages are generated from tmp
  Make rtkit calls optional
  Gentoo installs dovecot certs in /etc/ssl/dovecot

 asterisk.te   |    1 +
 clockspeed.if |    2 +-
 dovecot.fc    |    2 ++
 openvpn.fc    |    1 +
 openvpn.if    |    4 ++--
 openvpn.te    |    6 ++++++
 portage.te    |   14 +++++++++-----
 pulseaudio.te |    6 ++++--
 8 files changed, 26 insertions(+), 10 deletions(-)

-- 
1.7.8.6

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 1/7] Moving sandbox code to sandbox section
  2012-11-22 19:21 [refpolicy] [PATCH 0/7] Updates on contrib Sven Vermeulen
@ 2012-11-22 19:21 ` Sven Vermeulen
  2012-11-27 12:53   ` grift
  2012-11-22 19:21 ` [refpolicy] [PATCH 2/7] Allow sandbox to log violations Sven Vermeulen
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 17+ messages in thread
From: Sven Vermeulen @ 2012-11-22 19:21 UTC (permalink / raw)
  To: refpolicy

Some portage_sandbox_t code is sitting in the main portage_t section. Moving
this to its own sandbox location.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.te |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/portage.te b/portage.te
index 7d2fc08..074828c 100644
--- a/portage.te
+++ b/portage.te
@@ -176,11 +176,6 @@ dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
 # transition to sandbox for compiling
 domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
 corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
-allow portage_sandbox_t portage_t:fd use;
-allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
-allow portage_sandbox_t portage_t:process sigchld;
-allow portage_sandbox_t self:process ptrace;
-dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
 
 # run scripts out of the build directory
 can_exec(portage_t, portage_tmp_t)
@@ -338,6 +333,12 @@ optional_policy(`
 # - SELinux-enforced sandbox
 #
 
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
 portage_compile_domain(portage_sandbox_t)
 
 auth_use_nsswitch(portage_sandbox_t)
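
Review bot: in the added block, the two self rules (the "self:process ptrace" allow and the "self:netlink_route_socket" dontaudit) sit after the three rules that target portage_t; listing the self rules first would keep the sandbox section in self-then-other order. Since these lines are being moved anyway, a one-line comment on why the sandbox domain needs ptrace on itself would let a later reader judge whether the grant can be dropped.
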
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 2/7] Allow sandbox to log violations
  2012-11-22 19:21 [refpolicy] [PATCH 0/7] Updates on contrib Sven Vermeulen
  2012-11-22 19:21 ` [refpolicy] [PATCH 1/7] Moving sandbox code to sandbox section Sven Vermeulen
@ 2012-11-22 19:21 ` Sven Vermeulen
  2012-11-27 12:59   ` grift
  2012-11-22 19:21 ` [refpolicy] [PATCH 3/7] Fix typo in clockspeed comment Sven Vermeulen
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 17+ messages in thread
From: Sven Vermeulen @ 2012-11-22 19:21 UTC (permalink / raw)
  To: refpolicy

When the sandbox (running in portage_sandbox_t) detects a violation, it will try
to log this into /var/log/sandbox. However, the portage_sandbox_t domain
currently is not allowed to do anything with these logs. As a result, the
violations are not logged.

Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well
as clean them up (sandbox will remove older violation logs if the process id
of the current violation would result in an existing log file being
overwritten).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/portage.te b/portage.te
index 074828c..ebb3139 100644
--- a/portage.te
+++ b/portage.te
@@ -339,6 +339,9 @@ allow portage_sandbox_t portage_t:process sigchld;
 allow portage_sandbox_t self:process ptrace;
 dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
 
+allow portage_sandbox_t portage_log_t:file manage_file_perms;
+logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
+
 portage_compile_domain(portage_sandbox_t)
 
 auth_use_nsswitch(portage_sandbox_t)
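
Review bot: manage_file_perms on the added "allow portage_sandbox_t portage_log_t:file" line grants more than the commit message asks for, which is creating violation logs and removing stale ones; the set also covers read, write and rename. A narrower set built from the create, append and delete permission macros would match the stated need. The logging_log_filetrans(portage_sandbox_t, portage_log_t, file) call also carries no file name, so any regular file this domain creates directly in the log directory is labelled portage_log_t.
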
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 3/7] Fix typo in clockspeed comment
  2012-11-22 19:21 [refpolicy] [PATCH 0/7] Updates on contrib Sven Vermeulen
  2012-11-22 19:21 ` [refpolicy] [PATCH 1/7] Moving sandbox code to sandbox section Sven Vermeulen
  2012-11-22 19:21 ` [refpolicy] [PATCH 2/7] Allow sandbox to log violations Sven Vermeulen
@ 2012-11-22 19:21 ` Sven Vermeulen
  2012-11-27 13:33   ` grift
  2012-11-22 19:21 ` [refpolicy] [PATCH 4/7] Support openvpn status file Sven Vermeulen
                   ` (3 subsequent siblings)
  6 siblings, 1 reply; 17+ messages in thread
From: Sven Vermeulen @ 2012-11-22 19:21 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 clockspeed.if |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/clockspeed.if b/clockspeed.if
index b6a51d7..2cb7bf7 100644
--- a/clockspeed.if
+++ b/clockspeed.if
@@ -3,7 +3,7 @@
 ########################################
 ## <summary>
 ##	Execute clockspeed utilities in
-$$	the clockspeed_cli domain.
+##	the clockspeed_cli domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 4/7] Support openvpn status file
  2012-11-22 19:21 [refpolicy] [PATCH 0/7] Updates on contrib Sven Vermeulen
                   ` (2 preceding siblings ...)
  2012-11-22 19:21 ` [refpolicy] [PATCH 3/7] Fix typo in clockspeed comment Sven Vermeulen
@ 2012-11-22 19:21 ` Sven Vermeulen
  2012-11-27 13:35   ` grift
  2012-11-22 19:21 ` [refpolicy] [PATCH 5/7] Asterisk voicemail messages are generated from tmp Sven Vermeulen
                   ` (2 subsequent siblings)
  6 siblings, 1 reply; 17+ messages in thread
From: Sven Vermeulen @ 2012-11-22 19:21 UTC (permalink / raw)
  To: refpolicy

OpenVPN uses a status file that it constantly writes to (rather than append, as
used for the other log files). As this is less of a log file and more of a state
file, create a separate type and allow openvpn_t manage rights on it.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 openvpn.fc |    1 +
 openvpn.if |    4 ++--
 openvpn.te |    6 ++++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/openvpn.fc b/openvpn.fc
index 9f86d3d..db5adfe 100644
--- a/openvpn.fc
+++ b/openvpn.fc
@@ -5,6 +5,7 @@
 
 /usr/sbin/openvpn	--	gen_context(system_u:object_r:openvpn_exec_t,s0)
 
+/var/log/openvpn-status\.log	--	gen_context(system_u:object_r:openvpn_status_t,s0)
 /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
 
 /var/run/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_var_run_t,s0)
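
Review bot: the new /var/log/openvpn-status\.log entry is also matched by the existing /var/log/openvpn.* line directly below it, so the label depends on the more specific entry winning; worth confirming with matchpathcon or restorecon -n on a test file. The entry also fixes one name for a file whose location is set in the OpenVPN configuration, so a short comment saying which layout this covers would help.
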
diff --git a/openvpn.if b/openvpn.if
index c11f537..03f4e60 100644
--- a/openvpn.if
+++ b/openvpn.if
@@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
 #
 interface(`openvpn_admin',`
 	gen_require(`
-		type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
+		type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
 		type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
 	')
 
@@ -158,7 +158,7 @@ interface(`openvpn_admin',`
 	admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
 
 	logging_list_logs($1)
-	admin_pattern($1, openvpn_var_log_t)
+	admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
 
 	files_list_pids($1)
 	admin_pattern($1, openvpn_var_run_t)
diff --git a/openvpn.te b/openvpn.te
index 58607b0..9643979 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t)
 type openvpn_initrc_exec_t;
 init_script_file(openvpn_initrc_exec_t)
 
+type openvpn_status_t;
+logging_log_file(openvpn_status_t)
+
 type openvpn_var_log_t;
 logging_log_file(openvpn_var_log_t)
 
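
Review bot: logging_log_file(openvpn_status_t) declares the new type as a log file, while the commit message argues the file is a state file rather than a log. Declared this way, it gets the same treatment as openvpn_var_log_t from domains that handle all log files; if that is intended because the file lives under /var/log, a comment above the declaration should say so.
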
@@ -53,6 +56,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
 allow openvpn_t openvpn_etc_t:file read_file_perms;
 allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
 
+allow openvpn_t openvpn_status_t:file manage_file_perms;
+logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
+
 manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
 filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
 
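
Review bot: the two added lines land between the openvpn_etc_t allow rules and the openvpn_etc_rw_t patterns, splitting the configuration-file rules; placing them after that group would keep related rules together. The named transition only fires for a file called exactly "openvpn-status.log", the same name as in the openvpn.fc entry, so the two strings have to be kept in sync.
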
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 5/7] Asterisk voicemail messages are generated from tmp
  2012-11-22 19:21 [refpolicy] [PATCH 0/7] Updates on contrib Sven Vermeulen
                   ` (3 preceding siblings ...)
  2012-11-22 19:21 ` [refpolicy] [PATCH 4/7] Support openvpn status file Sven Vermeulen
@ 2012-11-22 19:21 ` Sven Vermeulen
  2012-11-27 13:37   ` grift
  2012-11-22 19:21 ` [refpolicy] [PATCH 6/7] Make rtkit calls optional Sven Vermeulen
  2012-11-22 19:21 ` [refpolicy] [PATCH 7/7] Gentoo installs dovecot certs in /etc/ssl/dovecot Sven Vermeulen
  6 siblings, 1 reply; 17+ messages in thread
From: Sven Vermeulen @ 2012-11-22 19:21 UTC (permalink / raw)
  To: refpolicy

When asterisk creates a voicemail message to send to the end user, the message
recording is a temporary file (labeled asterisk_tmp_t) which is then picked up
by the system mailer. Hence, we need to mark asterisk_tmp_t as
mta_system_content().

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 asterisk.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/asterisk.te b/asterisk.te
index 084b4a9..ac8543a 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -164,6 +164,7 @@ optional_policy(`
 
 optional_policy(`
 	mta_send_mail(asterisk_t)
+	mta_system_content(asterisk_tmp_t)
 ')
 
 optional_policy(`
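
Review bot: mta_system_content(asterisk_tmp_t) applies to the whole asterisk_tmp_t type, so every temporary file asterisk creates becomes readable by the system mailer, not only the voicemail recordings the commit message describes. If asterisk keeps other data under that type, a dedicated type for the outgoing recordings would be tighter; otherwise a comment next to the call stating the voicemail reason would document the grant.
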
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 6/7] Make rtkit calls optional
  2012-11-22 19:21 [refpolicy] [PATCH 0/7] Updates on contrib Sven Vermeulen
                   ` (4 preceding siblings ...)
  2012-11-22 19:21 ` [refpolicy] [PATCH 5/7] Asterisk voicemail messages are generated from tmp Sven Vermeulen
@ 2012-11-22 19:21 ` Sven Vermeulen
  2012-11-27 13:39   ` grift
  2012-11-22 19:21 ` [refpolicy] [PATCH 7/7] Gentoo installs dovecot certs in /etc/ssl/dovecot Sven Vermeulen
  6 siblings, 1 reply; 17+ messages in thread
From: Sven Vermeulen @ 2012-11-22 19:21 UTC (permalink / raw)
  To: refpolicy

The rtkit module is not a mandatory component for pulseaudio, so should be
within an optional_policy() clause.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 pulseaudio.te |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/pulseaudio.te b/pulseaudio.te
index 99e371b..b42f0f7 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -224,8 +224,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
 pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
 pulseaudio_signull(pulseaudio_client)
 
-rtkit_scheduled(pulseaudio_client)
-
 # TODO: ~/.cache
 userdom_manage_user_home_content_files(pulseaudio_client)
 
@@ -249,3 +247,7 @@ tunable_policy(`use_samba_home_dirs',`
 optional_policy(`
 	pulseaudio_dbus_chat(pulseaudio_client)
 ')
+
+optional_policy(`
+	rtkit_scheduled(pulseaudio_client)
+')
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 7/7] Gentoo installs dovecot certs in /etc/ssl/dovecot
  2012-11-22 19:21 [refpolicy] [PATCH 0/7] Updates on contrib Sven Vermeulen
                   ` (5 preceding siblings ...)
  2012-11-22 19:21 ` [refpolicy] [PATCH 6/7] Make rtkit calls optional Sven Vermeulen
@ 2012-11-22 19:21 ` Sven Vermeulen
  2012-11-27 13:40   ` grift
  6 siblings, 1 reply; 17+ messages in thread
From: Sven Vermeulen @ 2012-11-22 19:21 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dovecot.fc |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/dovecot.fc b/dovecot.fc
index 499f1fc..c880070 100644
--- a/dovecot.fc
+++ b/dovecot.fc
@@ -13,6 +13,8 @@
 /usr/share/ssl/certs/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
 /usr/share/ssl/private/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
 
+/etc/ssl/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_cert_t,s0)
+
 /usr/lib/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 /usr/lib/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
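
Review bot: the added /etc/ssl/dovecot(/.*)? entry has no file-type field, unlike the "--" entries for the two .pem paths above it, so the directory and everything beneath it get dovecot_cert_t. The subject says this is the Gentoo location, yet the entry is not wrapped in a distro_gentoo ifdef and the commit has no body; either the wrapper or a comment naming the distribution would make the origin clear.
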
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 1/7] Moving sandbox code to sandbox section
  2012-11-22 19:21 ` [refpolicy] [PATCH 1/7] Moving sandbox code to sandbox section Sven Vermeulen
@ 2012-11-27 12:53   ` grift
  0 siblings, 0 replies; 17+ messages in thread
From: grift @ 2012-11-27 12:53 UTC (permalink / raw)
  To: refpolicy

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> Some portage_sandbox_t code is sitting in the main portage_t section. Moving
> this to its own sandbox location.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.te |   11 ++++++-----
>  1 files changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/portage.te b/portage.te
> index 7d2fc08..074828c 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -176,11 +176,6 @@ dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
>  # transition to sandbox for compiling
>  domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
>  corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
> -allow portage_sandbox_t portage_t:fd use;
> -allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
> -allow portage_sandbox_t portage_t:process sigchld;
> -allow portage_sandbox_t self:process ptrace;
> -dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>  
>  # run scripts out of the build directory
>  can_exec(portage_t, portage_tmp_t)
> @@ -338,6 +333,12 @@ optional_policy(`
>  # - SELinux-enforced sandbox
>  #
>  
> +allow portage_sandbox_t portage_t:fd use;
> +allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
> +allow portage_sandbox_t portage_t:process sigchld;
> +allow portage_sandbox_t self:process ptrace;
> +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
> +
>  portage_compile_domain(portage_sandbox_t)
>  
>  auth_use_nsswitch(portage_sandbox_t)

I guess I could merge this, but this could be better

instead of domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
you could use: spec_domtrans_pattern(portage_t, portage_exec_t,
portage_sandbox_t)

That allows you to be able to remove:

+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;

Since that is included in the spec_domtrans_pattern()

It also allows you to remove the explicit setexec since that is also
included in this pattern.

If you do that then the ordering of rules is also cleaned up
since self rules should be on top.

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 2/7] Allow sandbox to log violations
  2012-11-22 19:21 ` [refpolicy] [PATCH 2/7] Allow sandbox to log violations Sven Vermeulen
@ 2012-11-27 12:59   ` grift
  2012-11-27 20:05     ` Sven Vermeulen
  0 siblings, 1 reply; 17+ messages in thread
From: grift @ 2012-11-27 12:59 UTC (permalink / raw)
  To: refpolicy

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> When the sandbox (running in portage_sandbox_t) detects a violation, it will try
> to log this into /var/log/sandbox. However, the portage_sandbox_t domain
> currently is not allowed to do anything with these logs. As a result, the
> violations are not logged.
> 
> Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well
> as clean them up (sandbox will remove older violation logs if the process id
> of the current violation would result in an existing log file being
> overwritten).
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.te |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/portage.te b/portage.te
> index 074828c..ebb3139 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -339,6 +339,9 @@ allow portage_sandbox_t portage_t:process sigchld;
>  allow portage_sandbox_t self:process ptrace;
>  dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>  
> +allow portage_sandbox_t portage_log_t:file manage_file_perms;
> +logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
> +

Would be nice if we would be able to tighten this up just a little bit.

Would this work:
allow portage_sandbox_t portage_log_t:file { create_file_perms
delete_file_perms setattr_file_perms append_file_perms };

That would leave out the write permission. Not very useful since sandbox
can still delete the whole file but still

If it is undesired or if that will not work then I will merge this as is.

>  portage_compile_domain(portage_sandbox_t)
>  
>  auth_use_nsswitch(portage_sandbox_t)

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 3/7] Fix typo in clockspeed comment
  2012-11-22 19:21 ` [refpolicy] [PATCH 3/7] Fix typo in clockspeed comment Sven Vermeulen
@ 2012-11-27 13:33   ` grift
  0 siblings, 0 replies; 17+ messages in thread
From: grift @ 2012-11-27 13:33 UTC (permalink / raw)
  To: refpolicy

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  clockspeed.if |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/clockspeed.if b/clockspeed.if
> index b6a51d7..2cb7bf7 100644
> --- a/clockspeed.if
> +++ b/clockspeed.if
> @@ -3,7 +3,7 @@
>  ########################################
>  ## <summary>
>  ##	Execute clockspeed utilities in
> -$$	the clockspeed_cli domain.
> +##	the clockspeed_cli domain.
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>

Merged, thanks

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 4/7] Support openvpn status file
  2012-11-22 19:21 ` [refpolicy] [PATCH 4/7] Support openvpn status file Sven Vermeulen
@ 2012-11-27 13:35   ` grift
  2012-11-27 13:36     ` grift
  0 siblings, 1 reply; 17+ messages in thread
From: grift @ 2012-11-27 13:35 UTC (permalink / raw)
  To: refpolicy

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> OpenVPN uses a status file that it constantly writes to (rather than append, as
> used for the other log files). As this is less of a log file and more of a state
> file, create a separate type and allow openvpn_t manage rights on it.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  openvpn.fc |    1 +
>  openvpn.if |    4 ++--
>  openvpn.te |    6 ++++++
>  3 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/openvpn.fc b/openvpn.fc
> index 9f86d3d..db5adfe 100644
> --- a/openvpn.fc
> +++ b/openvpn.fc
> @@ -5,6 +5,7 @@
>  
>  /usr/sbin/openvpn	--	gen_context(system_u:object_r:openvpn_exec_t,s0)
>  
> +/var/log/openvpn-status\.log	--	gen_context(system_u:object_r:openvpn_status_t,s0)
>  /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
>  
>  /var/run/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_var_run_t,s0)
> diff --git a/openvpn.if b/openvpn.if
> index c11f537..03f4e60 100644
> --- a/openvpn.if
> +++ b/openvpn.if
> @@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
>  #
>  interface(`openvpn_admin',`
>  	gen_require(`
> -		type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
> +		type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
>  		type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
>  	')
>  
> @@ -158,7 +158,7 @@ interface(`openvpn_admin',`
>  	admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
>  
>  	logging_list_logs($1)
> -	admin_pattern($1, openvpn_var_log_t)
> +	admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
>  
>  	files_list_pids($1)
>  	admin_pattern($1, openvpn_var_run_t)
> diff --git a/openvpn.te b/openvpn.te
> index 58607b0..9643979 100644
> --- a/openvpn.te
> +++ b/openvpn.te
> @@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t)
>  type openvpn_initrc_exec_t;
>  init_script_file(openvpn_initrc_exec_t)
>  
> +type openvpn_status_t;
> +logging_log_file(openvpn_status_t)
> +
>  type openvpn_var_log_t;
>  logging_log_file(openvpn_var_log_t)
>  
> @@ -53,6 +56,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
>  allow openvpn_t openvpn_etc_t:file read_file_perms;
>  allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
>  
> +allow openvpn_t openvpn_status_t:file manage_file_perms;
> +logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
> +
>  manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
>  filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
>  

Not sure if this is worth it and where other modules store this file but
I merged it with some minor clean up, thanks

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 4/7] Support openvpn status file
  2012-11-27 13:35   ` grift
@ 2012-11-27 13:36     ` grift
  0 siblings, 0 replies; 17+ messages in thread
From: grift @ 2012-11-27 13:36 UTC (permalink / raw)
  To: refpolicy

On Tue, 2012-11-27 at 14:35 +0100, grift wrote:
> On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> > OpenVPN uses a status file that it constantly writes to (rather than append, as
> > used for the other log files). As this is less of a log file and more of a state
> > file, create a separate type and allow openvpn_t manage rights on it.
> > 
> > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> > ---
> >  openvpn.fc |    1 +
> >  openvpn.if |    4 ++--
> >  openvpn.te |    6 ++++++
> >  3 files changed, 9 insertions(+), 2 deletions(-)
> > 
> > diff --git a/openvpn.fc b/openvpn.fc
> > index 9f86d3d..db5adfe 100644
> > --- a/openvpn.fc
> > +++ b/openvpn.fc
> > @@ -5,6 +5,7 @@
> >  
> >  /usr/sbin/openvpn	--	gen_context(system_u:object_r:openvpn_exec_t,s0)
> >  
> > +/var/log/openvpn-status\.log	--	gen_context(system_u:object_r:openvpn_status_t,s0)
> >  /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
> >  
> >  /var/run/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_var_run_t,s0)
> > diff --git a/openvpn.if b/openvpn.if
> > index c11f537..03f4e60 100644
> > --- a/openvpn.if
> > +++ b/openvpn.if
> > @@ -142,7 +142,7 @@ interface(`openvpn_read_config',`
> >  #
> >  interface(`openvpn_admin',`
> >  	gen_require(`
> > -		type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
> > +		type openvpn_t, openvpn_etc_t, openvpn_var_log_t, openvpn_status_t;
> >  		type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
> >  	')
> >  
> > @@ -158,7 +158,7 @@ interface(`openvpn_admin',`
> >  	admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
> >  
> >  	logging_list_logs($1)
> > -	admin_pattern($1, openvpn_var_log_t)
> > +	admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
> >  
> >  	files_list_pids($1)
> >  	admin_pattern($1, openvpn_var_run_t)
> > diff --git a/openvpn.te b/openvpn.te
> > index 58607b0..9643979 100644
> > --- a/openvpn.te
> > +++ b/openvpn.te
> > @@ -29,6 +29,9 @@ files_config_file(openvpn_etc_rw_t)
> >  type openvpn_initrc_exec_t;
> >  init_script_file(openvpn_initrc_exec_t)
> >  
> > +type openvpn_status_t;
> > +logging_log_file(openvpn_status_t)
> > +
> >  type openvpn_var_log_t;
> >  logging_log_file(openvpn_var_log_t)
> >  
> > @@ -53,6 +56,9 @@ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
> >  allow openvpn_t openvpn_etc_t:file read_file_perms;
> >  allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
> >  
> > +allow openvpn_t openvpn_status_t:file manage_file_perms;
> > +logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
> > +
> >  manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
> >  filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
> >  
> 
> Not sure if this is worth it and where other modules store this file but
> I merged it with some minor clean up, thanks
> 

I meant "other distributions" 

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 5/7] Asterisk voicemail messages are generated from tmp
  2012-11-22 19:21 ` [refpolicy] [PATCH 5/7] Asterisk voicemail messages are generated from tmp Sven Vermeulen
@ 2012-11-27 13:37   ` grift
  0 siblings, 0 replies; 17+ messages in thread
From: grift @ 2012-11-27 13:37 UTC (permalink / raw)
  To: refpolicy

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> When asterisk creates a voicemail message to send to the end user, the message
> recording is a temporary file (labeled asterisk_tmp_t) which is then picked up
> by the system mailer. Hence, we need to mark asterisk_tmp_t as
> mta_system_content().
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  asterisk.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/asterisk.te b/asterisk.te
> index 084b4a9..ac8543a 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -164,6 +164,7 @@ optional_policy(`
>  
>  optional_policy(`
>  	mta_send_mail(asterisk_t)
> +	mta_system_content(asterisk_tmp_t)
>  ')
>  
>  optional_policy(`

Merged, thanks

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 6/7] Make rtkit calls optional
  2012-11-22 19:21 ` [refpolicy] [PATCH 6/7] Make rtkit calls optional Sven Vermeulen
@ 2012-11-27 13:39   ` grift
  0 siblings, 0 replies; 17+ messages in thread
From: grift @ 2012-11-27 13:39 UTC (permalink / raw)
  To: refpolicy

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> The rtkit module is not a mandatory component for pulseaudio, so should be
> within an optional_policy() clause.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  pulseaudio.te |    6 ++++--
>  1 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 99e371b..b42f0f7 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -224,8 +224,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
>  pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
>  pulseaudio_signull(pulseaudio_client)
>  
> -rtkit_scheduled(pulseaudio_client)
> -
>  # TODO: ~/.cache
>  userdom_manage_user_home_content_files(pulseaudio_client)
>  
> @@ -249,3 +247,7 @@ tunable_policy(`use_samba_home_dirs',`
>  optional_policy(`
>  	pulseaudio_dbus_chat(pulseaudio_client)
>  ')
> +
> +optional_policy(`
> +	rtkit_scheduled(pulseaudio_client)
> +')

Is it not mandatory? Merged, Thanks

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 7/7] Gentoo installs dovecot certs in /etc/ssl/dovecot
  2012-11-22 19:21 ` [refpolicy] [PATCH 7/7] Gentoo installs dovecot certs in /etc/ssl/dovecot Sven Vermeulen
@ 2012-11-27 13:40   ` grift
  0 siblings, 0 replies; 17+ messages in thread
From: grift @ 2012-11-27 13:40 UTC (permalink / raw)
  To: refpolicy

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  dovecot.fc |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/dovecot.fc b/dovecot.fc
> index 499f1fc..c880070 100644
> --- a/dovecot.fc
> +++ b/dovecot.fc
> @@ -13,6 +13,8 @@
>  /usr/share/ssl/certs/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
>  /usr/share/ssl/private/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
>  
> +/etc/ssl/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_cert_t,s0)
> +
>  /usr/lib/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
>  /usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>  /usr/lib/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)

Merged, thanks

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [refpolicy] [PATCH 2/7] Allow sandbox to log violations
  2012-11-27 12:59   ` grift
@ 2012-11-27 20:05     ` Sven Vermeulen
  0 siblings, 0 replies; 17+ messages in thread
From: Sven Vermeulen @ 2012-11-27 20:05 UTC (permalink / raw)
  To: refpolicy

On Tue, Nov 27, 2012 at 1:59 PM, grift <dominick.grift@gmail.com> wrote:

> > +allow portage_sandbox_t portage_log_t:file manage_file_perms;
> > +logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
> > +
>
> Would be nice if we would be able to tighten this up just a little bit.
>
> Would this work:
> allow portage_sandbox_t portage_log_t:file { create_file_perms
> delete_file_perms setattr_file_perms append_file_perms };
>
> That would leave out the write permission. Not very useful since sandbox
> can still delete the whole file but still
>

That works as well apparently (auditallow'ed the write and didn't see it in
the logs). I'll try with those privileges here in our repository and send
it up again later with those changes.

Wkr,
  Sven Vermeulen

^ permalink raw reply	[flat|nested] 17+ messages in thread
