* [refpolicy] services_razor.patch
From: Daniel J Walsh @ 2009-11-12 21:54 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_razor.patch

Consolidated with spam


* [refpolicy] services_razor.patch
From: Christopher J. PeBenito @ 2010-01-07 14:01 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-11-12 at 16:54 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_razor.patch
> 
> Consolidated with spam

I need more information on this consolidation.


-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_razor.patch
From: Daniel J Walsh @ 2010-01-07 15:22 UTC (permalink / raw)
  To: refpolicy

On 01/07/2010 09:01 AM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 16:54 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_razor.patch
>>
>> Consolidated with spam
> 
> I need more information on this consolidation.
> 
> 

I believe we went way overboard on Least Priv when it came to handling spam.  I think that spamassassin, razor, pyzor should all be consolidated into one spam handling policy: spamd_t for services, spamc_t for client apps.

Trying to get all of the different spam handlers to work together created a huge spaghetti of shared access, with little if any additional security.

typealias spamc_t alias pyzor_t;
typealias spamc_t alias razor_t;
typealias spamc_t alias spamassassin_t;

+	typealias spamd_t alias pyzord_t;

My overall patch has something like this in it.
grep -r "typealias.*spam" policy-F13.patch 
+	typealias spamc_t alias pyzor_t;
+	typealias spamc_exec_t alias pyzor_exec_t;
+	typealias spamd_t alias pyzord_t;
+	typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+	typealias spamd_exec_t alias pyzord_exec_t;
+	typealias spamc_tmp_t alias pyzor_tmp_t;
+	typealias spamd_log_t alias pyzor_log_t;
+	typealias spamd_log_t alias pyzord_log_t;
+	typealias spamd_var_lib_t alias pyzor_var_lib_t;
+	typealias spamd_etc_t alias pyzor_etc_t;
+	typealias spamc_home_t alias pyzor_home_t;
+	typealias spamc_home_t alias user_pyzor_home_t;
+	typealias spamc_t alias razor_t;
+	typealias spamc_exec_t alias razor_exec_t;
+	typealias spamd_log_t alias razor_log_t;
+	typealias spamd_var_lib_t alias razor_var_lib_t;
+	typealias spamd_etc_t alias razor_etc_t;
+	typealias spamc_home_t alias razor_home_t;
+	typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+	typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+	typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+	typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+typealias spamc_exec_t  alias spamassassin_exec_t;
+typealias spamc_t alias spamassassin_t;
+typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
+typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
+typealias spamc_tmp_t alias spamassassin_tmp_t;
+typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
 typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
 typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
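
Review bot: The added line "typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };" near the end of the listing is identical to the unchanged context line that closes it, so if both come from the same file those two aliases end up declared twice; drop the added copy or confirm the lines belong to different files, which the grep output does not show. Also, the added lines make spamassassin_t an alias of spamc_t while the context line "typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };" still declares the per-role aliases on spamassassin_t; declaring them on spamc_t directly would avoid an alias of an alias and match how the razor and pyzor names are handled.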

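An added example, not part of the original message or of refpolicy: a small Python check over typealias lines like the grep output above, reporting where each old name ends up, which aliases are declared more than once, and which are declared on a name that is itself an alias. The sample input is constructed from the shape of those lines, and following an alias of an alias through to the final type is this script's own assumption, not verified checkpolicy behaviour.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the shape of the grep output above.
SAMPLE = """\
+	typealias spamc_t alias pyzor_t;
+	typealias spamc_t alias razor_t;
+typealias spamc_t alias spamassassin_t;
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
 typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t };
 typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
"""

# Accept added ('+') and context (' ') diff lines; removed ('-') lines are skipped.
STMT = re.compile(r"^[+ ]?\s*typealias\s+(\w+)\s+alias\s+(\{[^}]*\}|\w+)\s*;")

def parse_typealias(text):
    """Yield (primary, alias) pairs from typealias statements, diff prefix allowed."""
    for line in text.splitlines():
        m = STMT.match(line)
        if m:
            for alias in m.group(2).strip("{}").split():
                yield m.group(1), alias

def audit(text):
    """Return (resolved alias map, duplicate aliases, aliases declared on an alias)."""
    target, seen = {}, defaultdict(int)
    for primary, alias in parse_typealias(text):
        seen[alias] += 1
        target[alias] = primary
    duplicates = sorted(a for a, n in seen.items() if n > 1)
    chained = sorted(a for a, p in target.items() if p in target)

    def resolve(name):
        hops = set()
        while name in target and name not in hops:  # guard against alias loops
            hops.add(name)
            name = target[name]
        return name

    return {a: resolve(a) for a in target}, duplicates, chained

if __name__ == "__main__":
    resolved, duplicates, chained = audit(SAMPLE)
    for alias, primary in sorted(resolved.items()):
        print(f"{alias:28} -> {primary}")
    print("declared more than once:", duplicates)
    print("declared on an alias:   ", chained)
```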
