From: Dan Walsh Date: Fri, 2 Dec 2011 19:07:37 +0000 (-0500) Subject: Allow initrc_t to set attributes on sendmail pid file X-Git-Tag: 000~48 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6edcf286e8f8a0957dac148f6715c140bd983a4e;p=people%2Fstevee%2Fselinux-policy.git Allow initrc_t to set attributes on sendmail pid file
---
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index e918b168..ca74cd90 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -310,6 +310,25 @@ interface(`sendmail_run_unconfined',`
 role $2 types unconfined_sendmail_t;
 ')
+########################################
+##
+## Set the attributes of sendmail pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sendmail_setattr_pid_files',`
+ gen_require(`
+ type sendmail_var_run_t;
+ ')
+
+ allow $1 sendmail_var_run_t:file setattr_file_perms;
+ files_search_pids($1)
+')
+
 ########################################
 ##
 ## All of the rules required to administrate
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4e87d496..96f0ddfc 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1053,7 +1053,6 @@ optional_policy(`
 mta_read_config(initrc_t)
 mta_write_config(initrc_t)
 mta_dontaudit_read_spool_symlinks(initrc_t)
-')
 optional_policy(`
 ifdef(`distro_redhat',`
@@ -1141,6 +1140,10 @@ optional_policy(`
 samba_read_winbind_pid(initrc_t)
 ')
+optional_policy(`
+ sendmail_setattr_pid_files(initrc_t)
+')
+
 optional_policy(`
 # shorewall-init script run /var/lib/shorewall/firewall
 shorewall_lib_domtrans(initrc_t)
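Review bot: The init.te hunk at -1053 deletes the `')` that closes the optional_policy block holding the mta_* calls, and nothing visible in this commit adds a matching close or removes a matching open. As shown, the m4 quoting after that point is off by one: the following `optional_policy(` blocks would open inside the mta block, which presumably either breaks the policy build or makes later initrc_t rules depend on the mta module being present. The rest of init.te is outside the hunk, so this needs checking against the full file. The deletion looks unrelated to the commit subject; I would restore `')` after `mta_dontaudit_read_spool_symlinks(initrc_t)`.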
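Review bot: The new `optional_policy` block added at +1140 in init.te grants initrc_t setattr on the sendmail pid file without recording which init script operation needs it, whereas the neighbouring shorewall block carries a comment explaining its rule. A one-line comment above `sendmail_setattr_pid_files(initrc_t)` would let a later least-privilege audit decide whether the grant is still required, for example `# <init script / operation that changes attributes of the sendmail pid file>`, filled in with the actual trigger or the denial it resolves.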