Fedora 8 odds and sods

Paul Howarth paul at city-fan.org
Wed Jan 16 16:46:07 UTC 2008


Today I've done a bit of a clean-up of the local policy modules I've had 
in use over the last couple of Fedora releases, removing bits that are 
no longer needed and consolidating the remaining ones into a single 
"localmisc" module. The result of this is:

policy_module(localmisc, 0.1.34)

require {
         attribute mailserver_delivery;
         type depmod_t;
         type httpd_t;
         type load_policy_t;
         type procmail_t;
         type procmail_tmp_t;
         type pptp_t;
         type restorecon_t;
         type sendmail_t;
         type setfiles_t;
         type soundd_port_t;
         type squid_t;
         type useradd_t;
         type var_t;
};

# ========================================
# Things that probably need to go upstream
# ========================================

# Milter sockets, why did this work before?
#allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
init_stream_connect_script(mailserver_delivery)
init_rw_script_stream_sockets(mailserver_delivery)

# Allow misc command output to be sent to a pipe, needed for rpm scriptlets
# Probably not needed since Fedora 8
#unconfined_rw_pipes(depmod_t)
#unconfined_rw_pipes(load_policy_t)
#unconfined_rw_pipes(setfiles_t)
#unconfined_rw_pipes(useradd_t)

# Allow pptp to manage its own processes
allow pptp_t self:process signal;

# Allow sendmail to read procmail tempfiles for forwarding
# (would need a new interface in procmail.if to do this properly)
allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };

# Not sure what this is, needed when network is congested
allow sendmail_t self:process signull;

# ==============
# Local oddities
# ==============

# Allow restorecon to restore file contexts via the /var/www -> /srv/www
# symlink
allow restorecon_t var_t:lnk_file read;

# Allow httpd to read /var/www -> /srv/www symlink
allow httpd_t var_t:lnk_file { getattr read };

# Allow squid to connect to websites on port 8000 (defined in policy as
# soundd_port_t)
allow squid_t soundd_port_t:tcp_socket name_connect;



Not a lot left there, so I thought I'd post them here in their entirety 
for discussion and hopefully inclusion (at least in part) in a future 
policy update.

Paul.
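Editor's note: the module above has the usual residue of this kind of consolidation; its require block still declares types (depmod_t, load_policy_t, setfiles_t, useradd_t) whose only uses are commented-out rules, and two comments were wrapped by the mail client onto bare lines that checkmodule would reject. The following Python linter is an added example, not Paul's code and not part of the SELinux toolchain. It parses a .te fragment limited to the statement forms that appear in the post (policy_module header, require block, allow rules, interface calls) and reports names used without being required, names required but unused, and lines that are not recognisable statements. The sample module it runs on is constructed, a trimmed copy of the posted one with the same two defects.

```python
"""Lint a small SELinux .te fragment.

Checks the require { } block against the rules that actually use each
name, and flags lines that are not a statement we recognise (for example
a comment that a mail client wrapped onto a bare line).

Added example modelled on the localmisc module in the post; it is not a
replacement for checkmodule/semodule, only the bookkeeping that goes with
consolidating local modules. Only the statement forms seen in the post
are recognised (no dontaudit, type_transition, booleans, etc.).
"""
import re

# Constructed sample: a trimmed version of the posted module with a type
# (depmod_t) used only by a commented-out rule and a comment wrapped onto
# a bare line ("symlink"), both of which the linter should report.
SAMPLE_TE = """\
policy_module(localmisc, 0.1.34)

require {
        attribute mailserver_delivery;
        type depmod_t;
        type httpd_t;
        type sendmail_t;
        type procmail_tmp_t;
        type squid_t;
        type soundd_port_t;
        type var_t;
};

init_stream_connect_script(mailserver_delivery)
#unconfined_rw_pipes(depmod_t)
allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };
allow sendmail_t self:process signull;
# Allow httpd to read /var/www -> /srv/www
symlink
allow httpd_t var_t:lnk_file { getattr read };
allow squid_t soundd_port_t:tcp_socket name_connect;
"""

REQUIRE_RE = re.compile(r"require\s*\{(.*?)\};", re.S)
DECL_RE = re.compile(r"\b(?:type|attribute)\s+(\w+)\s*;")
# allow SRC TGT:CLASS PERM;   or   allow SRC TGT:CLASS { p1 p2 ... };
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*\w+\s+(?:\w+|\{[^}]*\})\s*;$")
# interface_name(arg1, arg2, ...)
CALL_RE = re.compile(r"^(\w+)\(([^)]*)\)$")
HEADER_RE = re.compile(r"^policy_module\(\w+\s*,\s*[\d.]+\)$")


def required_names(te_text):
    """Names declared in the require { } block, in order of appearance."""
    m = REQUIRE_RE.search(te_text)
    return DECL_RE.findall(m.group(1)) if m else []


def lint_te(te_text):
    """Return (used_undeclared, declared_unused, bad_lines).

    used_undeclared: names used by an active allow rule or interface call
                     but missing from require { } (checkmodule rejects this).
    declared_unused: names in require { } that no active statement uses,
                     typically left behind when a rule was commented out.
    bad_lines:       (lineno, text) of non-blank, non-comment lines outside
                     the require block that match no known statement form.
    """
    declared = set(required_names(te_text))
    used = set()
    bad = []
    in_require = False
    for lineno, raw in enumerate(te_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment
        if in_require:
            if line.startswith("}"):
                in_require = False        # end of require { ... };
            continue
        if line.startswith("require") and line.endswith("{"):
            in_require = True
            continue
        if HEADER_RE.match(line):
            continue
        m = ALLOW_RE.match(line)
        if m:
            used.update(n for n in m.group(1, 2) if n != "self")
            continue
        m = CALL_RE.match(line)
        if m:
            used.update(a.strip() for a in m.group(2).split(",") if a.strip())
            continue
        bad.append((lineno, line))
    return sorted(used - declared), sorted(declared - used), bad


if __name__ == "__main__":
    undeclared, unused, bad = lint_te(SAMPLE_TE)
    print("used but not required:", undeclared)
    print("required but unused:  ", unused)
    for lineno, text in bad:
        print(f"line {lineno}: not a statement: {text!r}")
```

On the constructed sample this reports nothing used without a require entry, depmod_t as required but unused, and line 19 ("symlink") as an unparseable line. Running it over the posted module before building with the refpolicy devel Makefile (make -f /usr/share/selinux/devel/Makefile localmisc.pp, then semodule -i localmisc.pp) catches the two wrapped comments and the four stale require entries before checkmodule does, and keeps the require block honest about what the module still needs.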




More information about the fedora-selinux-list mailing list