From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9C89E1381FE for ; Mon, 13 Aug 2012 19:28:39 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6B6C421C03D; Mon, 13 Aug 2012 19:28:07 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 2C23121C03D for ; Mon, 13 Aug 2012 19:28:07 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 566521B4023 for ; Mon, 13 Aug 2012 19:28:06 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 6BB77E5440 for ; Mon, 13 Aug 2012 19:28:04 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1344885553.b8e9b79b5b4a8586f0b7a2dc1b208c8e4227471e.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/postfix.fc policy/modules/contrib/postfix.if policy/modules/contrib/postfix.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: b8e9b79b5b4a8586f0b7a2dc1b208c8e4227471e X-VCS-Branch: master Date: Mon, 13 Aug 2012 19:28:04 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 94e80a82-d5ca-4a1a-a09e-f182328468c4 X-Archives-Hash: f3f99a0e747205e2b2a32538434d724c commit: b8e9b79b5b4a8586f0b7a2dc1b208c8e4227471e Author: Sven Vermeulen siphos be> AuthorDate: Sat Aug 11 13:46:48 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Mon Aug 13 19:19:13 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b8e9b79b Undo previous changes, not properly documented --- policy/modules/contrib/postfix.fc | 2 +- policy/modules/contrib/postfix.if | 60 ------------------------------------- policy/modules/contrib/postfix.te | 5 +-- 3 files changed, 2 insertions(+), 65 deletions(-) diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc index 2461792..7c97884 100644 --- a/policy/modules/contrib/postfix.fc +++ b/policy/modules/contrib/postfix.fc 
@@ -44,7 +44,7 @@ /var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) +/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if index 4c6d5f0..46bee12 100644 --- a/policy/modules/contrib/postfix.if +++ b/policy/modules/contrib/postfix.if @@ -57,7 +57,6 @@ template(`postfix_domain_template',` allow postfix_$1_t postfix_spool_t:dir list_dir_perms; allow postfix_$1_t postfix_var_run_t:file manage_file_perms; - allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms; files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file) kernel_read_system_state(postfix_$1_t) @@ -360,39 +359,6 @@ interface(`postfix_run_map',` ######################################## ## -## Execute postfix_$1 in the postfix_$1 domain, and -## allow the specified role the postfix_$1 domain. -## -## -## -## Postfix subdomain, like master, postqueue, map, ... -## -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`postfix_run',` - gen_require(` - type postfix_$1_t; - type postfix_$1_exec_t; - ') - - postfix_domtrans_$1($2) - role $3 types postfix_$1_t; -') - - -######################################## -## ## Execute the master postfix program in the ## postfix_master domain. ## 
@@ -429,32 +395,6 @@ interface(`postfix_exec_master',` can_exec($1, postfix_master_exec_t) ') -######################################## -## -## Execute the master postfix programs in the -## master domain. -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -# -interface(`postfix_run_master',` - gen_require(` - type postfix_master_exec_t; - type postfix_master_t; - ') - - role $1 types { postfix_master_exec_t postfix_master_t }; - postfix_domtrans_master($2) -') - ####################################### ## ## Connect to postfix master process using a unix domain stream socket. diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te index 1cc9b99..a1e0f60 100644 --- a/policy/modules/contrib/postfix.te +++ b/policy/modules/contrib/postfix.te @@ -93,7 +93,7 @@ mta_mailserver_delivery(postfix_virtual_t) # # chown is to set the correct ownership of queue dirs -allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config dac_read_search fowner fsetid }; +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; @@ -201,8 +201,6 @@ optional_policy(` optional_policy(` mysql_stream_connect(postfix_master_t) - mysql_stream_connect(postfix_cleanup_t) - mysql_stream_connect(postfix_local_t) ') optional_policy(` @@ -591,7 +589,6 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) mta_read_aliases(postfix_smtpd_t) -mta_read_config(postfix_smtpd_t) optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t)
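Review bot: in the postfix.fc hunk, changing `/var/spool/postfix/pid(/.*)?` to `/var/spool/postfix/pid/.*` narrows postfix_var_run_t to the contents of the pid directory, so the directory itself now falls through to the broader `/var/spool/postfix(/.*)?` entry and is labeled postfix_spool_t. That is consistent with dropping `rw_dir_perms` on postfix_var_run_t:dir in the postfix.if template, but the commit message should say so, because the two changes only make sense together and "not properly documented" does not tell a reader which labeling is intended. Sites that applied the previous revision will also need a restorecon of /var/spool/postfix/pid to pick up the directory's new context.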
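Review bot: in the postfix.if @@ -57 hunk, with `allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms;` removed the template still calls `files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)` on the next line and keeps manage_file_perms on postfix_var_run_t:file, so the subdomains can still create and manage their pid files; the write access they need on the containing directory must now come from the postfix_spool_t rules, and the visible context only grants `list_dir_perms` on postfix_spool_t:dir. A build plus a run in enforcing mode should confirm no new add_name/write denials on that directory for the postfix_$1_t domains before this is merged.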
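Review bot: removing `postfix_run` in the postfix.if @@ -360 hunk is correct on its own merits, not only because it was undocumented: the block was declared with `interface(` yet substituted `$1` into type names (`postfix_$1_t`, `postfix_domtrans_$1($2)`), which is template behaviour, and its gen_require pulled in `postfix_$1_exec_t` without using it. If a generic per-subdomain run entry point is wanted later, it should be a `template(` with the domain and role parameters documented, or explicit `postfix_run_<subdomain>` interfaces following the module's existing pattern.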
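Review bot: the dropped `postfix_run_master` in the postfix.if @@ -429 hunk was wrong on its own terms as well: `role $1 types { postfix_master_exec_t postfix_master_t };` lists the executable file type in a role statement, and it took the role as `$1` and the domain as `$2`, the reverse of the refpolicy convention of domain first and role second. Dropping it is fine, but any module that calls `postfix_run_master` will now fail to build, so the tree should be searched for callers and they should be adjusted in the same commit.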
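Review bot: in the postfix.te capability hunk, removing `dac_read_search fowner fsetid` from postfix_master_t returns the master to the set the preceding comment accounts for (chown for queue directory ownership), which is the right least-privilege default; `dac_read_search` in particular was redundant alongside the `dac_override` that remains. If the earlier addition was prompted by AVC denials, the commit message or a follow-up should record those denials so a future re-addition can be justified rather than reverted again.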
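Review bot: the mysql hunk keeps `mysql_stream_connect(postfix_master_t)` but removes it for postfix_cleanup_t and postfix_local_t; if those two were added because cleanup or local delivery performs map lookups against MySQL, the revert reintroduces connect denials for exactly those processes. A one-line comment inside the optional_policy block naming which postfix processes actually open the MySQL socket would document the decision whichever way it goes.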
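Review bot: removing `mta_read_config(postfix_smtpd_t)` in the last postfix.te hunk leaves smtpd with `mta_read_aliases` only in this region; confirm that smtpd's read access to postfix's own configuration is granted elsewhere (for example by the domain template) before treating the generic MTA config interface as unnecessary, since a denial here surfaces as smtpd failing to read its configuration at startup and is best caught by a test under enforcing mode.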