From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1352921601.682d8946d13ce9bb5e5ec4faef96077c9f08c359.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/postfix.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 682d8946d13ce9bb5e5ec4faef96077c9f08c359
X-VCS-Branch: master
Date: Wed, 14 Nov 2012 19:35:05 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: a657f971-eb4b-446f-b4cd-f67fff5cd6b2
X-Archives-Hash: 46c07a53793d8f78041a3cc8364ca3cd

commit: 682d8946d13ce9bb5e5ec4faef96077c9f08c359
Author: Sven Vermeulen siphos be>
AuthorDate: Wed Nov 14 19:33:21 2012 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Wed Nov 14 19:33:21 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=682d8946

Grant postfix admins execute (no trans) rights on showq

When postfix is down, postfix admins can still view the queue through the local process in a fallback mode (local file access instead of through daemons). This requires the admin execute rights on the postqueue command, which triggers the showq command.

See also https://bugs.gentoo.org/show_bug.cgi?id=428686

--- policy/modules/contrib/postfix.if | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if index 69cf332..98ef6c8 100644 --- a/policy/modules/contrib/postfix.if +++ b/policy/modules/contrib/postfix.if 
@@ -740,4 +740,12 @@ interface(`postfix_admin',` admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t }) postfix_run_map($1, $2) + + ifdef(`distro_gentoo',` + gen_require(` + type postfix_showq_exec_t; + ') + + can_exec($1, postfix_showq_exec_t) + ') ')
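
Review bot: The new `ifdef(`distro_gentoo', ...)` block at the end of `postfix_admin` carries no comment explaining why an admin domain needs `can_exec($1, postfix_showq_exec_t)`; a one-line comment above the `ifdef` naming the fallback queue view and bug 428686 would keep the Gentoo-specific rule understandable without the commit log. Since `can_exec` runs showq in the caller's own domain with no transition, `$1` also has to hold whatever file access showq needs in fallback mode. The visible context only shows `admin_pattern` over `postfix_server_tmp_content` and `postfix_map_tmp_t`, so please confirm that the earlier part of the interface already covers the queue files; otherwise showq will execute and then be denied on the reads. The commit message also says the admin needs execute rights on the postqueue command, while the hunk grants execute only on `postfix_showq_exec_t`; if postqueue execution is granted elsewhere, saying so in the comment would close that gap for the reader.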