Allow initrc_t to set attributes on sendmail pid file
authorDan Walsh <dwalsh@redhat.com>
Fri, 2 Dec 2011 19:07:37 +0000 (14:07 -0500)
committerDan Walsh <dwalsh@redhat.com>
Fri, 2 Dec 2011 19:07:37 +0000 (14:07 -0500)
policy/modules/services/sendmail.if
policy/modules/system/init.te

index e918b168456c7d7dfa86184150b260555d5425b9..ca74cd907cd81b421c793230e64117674ac8da8f 100644 (file)
@@ -310,6 +310,25 @@ interface(`sendmail_run_unconfined',`
        role $2 types unconfined_sendmail_t;
 ')
 
+########################################
+## <summary>
+##     Set the attributes of sendmail pid files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sendmail_setattr_pid_files',`
+       gen_require(`
+               type sendmail_var_run_t;
+       ')
+
+       allow $1 sendmail_var_run_t:file setattr_file_perms;
+       files_search_pids($1)
+')
+
 ########################################
 ## <summary>
 ##     All of the rules required to administrate
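Review bot: The `<summary>` of `sendmail_setattr_pid_files` says only "Set the attributes", which does not tell a policy reader that `setattr` covers mode, ownership and timestamp changes on `sendmail_var_run_t` files. Anyone granting this interface to another domain should be able to see that scope from the interface documentation, for example `## Set the attributes (mode, owner, timestamps) of sendmail pid files.`. The rule itself is limited to the `file` class and to `setattr_file_perms`, which is suitably narrow.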
index 4e87d4961d51c5a74f9306999cce9f2d9a967fd9..96f0ddfc7e1b1e4c6d9a7192af34500e1663d929 100644 (file)
@@ -1053,7 +1053,6 @@ optional_policy(`
        mta_read_config(initrc_t)
        mta_write_config(initrc_t)
        mta_dontaudit_read_spool_symlinks(initrc_t)
-')
 
 optional_policy(`
        ifdef(`distro_redhat',`
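Review bot: The removed `')` after `mta_dontaudit_read_spool_symlinks(initrc_t)` is not covered by the commit title, and it changes the block structure of init.te. Unless the original file had a surplus closer at this point, the block holding the `mta_*(initrc_t)` calls now stays open and the following `optional_policy(` with the `distro_redhat` ifdef nests inside it. In that case those initrc_t rules would only take effect when the enclosing block's requirements resolve, and the file's quote and parenthesis balance would shift. The opener of the enclosing block is outside the hunk, so this cannot be confirmed from here. It is worth checking that init.te still balances, and, if the removal is a deliberate fix, putting it in its own commit with a message that says so.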
@@ -1141,6 +1140,10 @@ optional_policy(`
        samba_read_winbind_pid(initrc_t)
 ')
 
+optional_policy(`
+       sendmail_setattr_pid_files(initrc_t)
+')
+
 optional_policy(`
        # shorewall-init script run /var/lib/shorewall/firewall
        shorewall_lib_domtrans(initrc_t)
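Review bot: The new `optional_policy` block has no comment saying which init script operation needs this access. initrc_t is shared by the init scripts that run in that domain, so the grant reaches further than the one sendmail script it presumably serves. A line such as `# sendmail init script changes attributes of its pid file` above the call would let a later audit tie the rule to its cause. If an AVC denial prompted the change, quoting it in the commit description would help reviewers confirm that `setattr` on `sendmail_var_run_t` is the minimum needed.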