[selinux-policy: 1418/3172] patch from dan Tue, 02 May 2006 10:08:17 -0400, includes pyzor, bug 1541

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:07:57 UTC 2010


commit e993594365aa53b2ff734da4df1128c690917ee5
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed May 3 19:58:01 2006 +0000

    patch from dan Tue, 02 May 2006 10:08:17 -0400, includes pyzor, bug 1541

 refpolicy/Changelog                               |    1 +
 refpolicy/policy/modules/apps/cdrecord.if         |    2 +-
 refpolicy/policy/modules/apps/cdrecord.te         |    2 +-
 refpolicy/policy/modules/apps/evolution.if        |    2 +-
 refpolicy/policy/modules/apps/evolution.te        |    2 +-
 refpolicy/policy/modules/apps/mono.te             |    4 +-
 refpolicy/policy/modules/apps/mozilla.if          |    2 +-
 refpolicy/policy/modules/apps/mozilla.te          |    2 +-
 refpolicy/policy/modules/apps/thunderbird.if      |    2 +-
 refpolicy/policy/modules/apps/thunderbird.te      |    2 +-
 refpolicy/policy/modules/kernel/corenetwork.if.in |   74 +++++++++++++
 refpolicy/policy/modules/kernel/corenetwork.te.in |    3 +-
 refpolicy/policy/modules/kernel/corenetwork.te.m4 |    6 +-
 refpolicy/policy/modules/kernel/filesystem.if     |   32 +++++-
 refpolicy/policy/modules/kernel/filesystem.te     |    2 +-
 refpolicy/policy/modules/services/amavis.te       |    6 +-
 refpolicy/policy/modules/services/automount.te    |    3 +-
 refpolicy/policy/modules/services/cyrus.if        |   22 ++++
 refpolicy/policy/modules/services/cyrus.te        |    2 +-
 refpolicy/policy/modules/services/postfix.te      |   10 ++-
 refpolicy/policy/modules/services/procmail.te     |    8 +-
 refpolicy/policy/modules/services/pyzor.fc        |    9 ++
 refpolicy/policy/modules/services/pyzor.if        |   46 ++++++++
 refpolicy/policy/modules/services/pyzor.te        |  116 +++++++++++++++++++++
 refpolicy/policy/modules/services/rpc.te          |    7 +-
 refpolicy/policy/modules/services/spamassassin.te |   24 ++---
 refpolicy/policy/modules/system/authlogin.te      |    4 +-
 refpolicy/policy/modules/system/libraries.fc      |    7 +-
 refpolicy/policy/modules/system/libraries.te      |    2 +-
 refpolicy/policy/modules/system/lvm.te            |    5 +-
 refpolicy/policy/modules/system/mount.te          |    4 +-
 refpolicy/policy/modules/system/selinuxutil.te    |    6 +-
 refpolicy/policy/modules/system/sysnetwork.te     |    3 +-
 refpolicy/policy/modules/system/unconfined.if     |   21 ++++
 refpolicy/policy/modules/system/unconfined.te     |    2 +-
 refpolicy/policy/modules/system/xen.fc            |    1 +
 refpolicy/policy/modules/system/xen.if            |   47 ++++++++-
 refpolicy/policy/modules/system/xen.te            |   41 +++++++-
 38 files changed, 485 insertions(+), 49 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 1fdb984..e8ad926 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -71,6 +71,7 @@
 	perdition
 	postgrey
 	pxe
+	pyzor (Dan Walsh)
 	qmail (Petre Rodan)
 	resmgr
 	rhgb
diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if
index 34644d6..f756bc4 100644
--- a/refpolicy/policy/modules/apps/cdrecord.if
+++ b/refpolicy/policy/modules/apps/cdrecord.if
@@ -152,7 +152,7 @@ template(`cdrecord_per_userdomain_template', `
 		files_dontaudit_list_tmp($1_cdrecord_t)
 		files_dontaudit_list_home($1_cdrecord_t)
 		fs_dontaudit_list_removable($1_cdrecord_t)
-		fs_donaudit_read_removable_files($1_cdrecord_t)
+		fs_dontaudit_read_removable_files($1_cdrecord_t)
 		userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
 		userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
 		userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
diff --git a/refpolicy/policy/modules/apps/cdrecord.te b/refpolicy/policy/modules/apps/cdrecord.te
index 24ed72c..8785b3c 100644
--- a/refpolicy/policy/modules/apps/cdrecord.te
+++ b/refpolicy/policy/modules/apps/cdrecord.te
@@ -1,5 +1,5 @@
 
-policy_module(cdrecord,1.0.2)
+policy_module(cdrecord,1.0.3)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/apps/evolution.if b/refpolicy/policy/modules/apps/evolution.if
index 22b4231..7bc383e 100644
--- a/refpolicy/policy/modules/apps/evolution.if
+++ b/refpolicy/policy/modules/apps/evolution.if
@@ -303,7 +303,7 @@ template(`evolution_per_userdomain_template',`
 		files_dontaudit_list_tmp($1_evolution_t)
 		files_dontaudit_list_home($1_evolution_t)
 		fs_dontaudit_list_removable($1_evolution_t)
-		fs_donaudit_read_removable_files($1_evolution_t)
+		fs_dontaudit_read_removable_files($1_evolution_t)
 		userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
 		userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
 		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
diff --git a/refpolicy/policy/modules/apps/evolution.te b/refpolicy/policy/modules/apps/evolution.te
index 9aa32cf..1df5cfb 100644
--- a/refpolicy/policy/modules/apps/evolution.te
+++ b/refpolicy/policy/modules/apps/evolution.te
@@ -1,5 +1,5 @@
 
-policy_module(evolution,1.0.1)
+policy_module(evolution,1.0.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te
index c680ffc..a30fc76 100644
--- a/refpolicy/policy/modules/apps/mono.te
+++ b/refpolicy/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
 
-policy_module(mono,1.1.2)
+policy_module(mono,1.1.3)
 
 ########################################
 #
@@ -20,7 +20,7 @@ domain_entry_file(mono_t,mono_exec_t)
 ifdef(`targeted_policy',`
 	allow mono_t self:process { execheap execmem };
 	unconfined_domain_noaudit(mono_t)
-	role system_r types mono_t;
+	unconfined_dbus_chat(mono_t)
 
 	init_dbus_chat_script(mono_t)
 
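Review bot: Replacing `role system_r types mono_t;` with `unconfined_dbus_chat(mono_t)` drops the only role assignment visible in the targeted branch, and nothing else in the hunk (`domain_entry_file(mono_t,mono_exec_t)` in the header, `unconfined_domain_noaudit(mono_t)`) assigns a role. If no other statement in mono.te or in unconfined_domain_noaudit puts mono_t in system_r, the domain can no longer be entered from system_r processes; please confirm before landing. If the role is indeed provided elsewhere, a one-line comment saying where (`# system_r is granted via …`) would stop the next reader from asking the same question. The enclosing ifdef block continues outside the hunk.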
diff --git a/refpolicy/policy/modules/apps/mozilla.if b/refpolicy/policy/modules/apps/mozilla.if
index 3fc2844..74bfc53 100644
--- a/refpolicy/policy/modules/apps/mozilla.if
+++ b/refpolicy/policy/modules/apps/mozilla.if
@@ -249,7 +249,7 @@ template(`mozilla_per_userdomain_template',`
 		files_dontaudit_list_tmp($1_mozilla_t)
 		files_dontaudit_list_home($1_mozilla_t)
 		fs_dontaudit_list_removable($1_mozilla_t)
-		fs_donaudit_read_removable_files($1_mozilla_t)
+		fs_dontaudit_read_removable_files($1_mozilla_t)
 		userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
 		userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
 		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
diff --git a/refpolicy/policy/modules/apps/mozilla.te b/refpolicy/policy/modules/apps/mozilla.te
index 7d7e7ef..d5001e6 100644
--- a/refpolicy/policy/modules/apps/mozilla.te
+++ b/refpolicy/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
 
-policy_module(mozilla,1.0.1)
+policy_module(mozilla,1.0.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/apps/thunderbird.if b/refpolicy/policy/modules/apps/thunderbird.if
index 2d2080c..54cee7e 100644
--- a/refpolicy/policy/modules/apps/thunderbird.if
+++ b/refpolicy/policy/modules/apps/thunderbird.if
@@ -216,7 +216,7 @@ template(`thunderbird_per_userdomain_template',`
 		files_dontaudit_list_home($1_thunderbird_t)
 
 		fs_dontaudit_list_removable($1_thunderbird_t)
-		fs_donaudit_read_removable_files($1_thunderbird_t)
+		fs_dontaudit_read_removable_files($1_thunderbird_t)
 
 		userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t)
 		userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t)
diff --git a/refpolicy/policy/modules/apps/thunderbird.te b/refpolicy/policy/modules/apps/thunderbird.te
index 917a627..ccd3ff0 100644
--- a/refpolicy/policy/modules/apps/thunderbird.te
+++ b/refpolicy/policy/modules/apps/thunderbird.te
@@ -1,5 +1,5 @@
 
-policy_module(thunderbird,1.0.1)
+policy_module(thunderbird,1.0.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 1dd66cf..a458c00 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1244,6 +1244,80 @@ interface(`corenet_non_ipsec_sendrecv',`
 
 ########################################
 ## <summary>
+##	Bind TCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind TCP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind UDP sockets to all RPC ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:udp_socket name_bind;
+')
+
+########################################
+## <summary>
 ##	Unconfined access to network objects.
 ## </summary>
 ## <param name="domain">
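Review bot: The summaries of `corenet_tcp_bind_all_rpc_ports` and `corenet_udp_bind_all_rpc_ports` (and their dontaudit twins) say "all RPC ports", but the `rpc_port_type` attribute is attached by the corenetwork.te.m4 hunk to every declared port whose number is in the 600–1023 range, whatever service that port belongs to. A caller such as mount_t or automount_t therefore gets name_bind on every named reserved port in that range plus the `net_bind_service` capability, which is a wider grant than the name suggests and should be documented so callers can judge it. Suggested summary: `##	Bind TCP sockets to all reserved ports in the range bindresvport() searches (600-1023), regardless of which service they are declared for.`, with the same wording on the UDP and dontaudit variants. The same clarification belongs on the `attribute rpc_port_type;` declaration in the corenetwork.te.in hunk.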
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 2a1a061..6e26352 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.6)
+policy_module(corenetwork,1.1.7)
 
 ########################################
 #
@@ -10,6 +10,7 @@ attribute netif_type;
 attribute node_type;
 attribute port_type;
 attribute reserved_port_type;
+attribute rpc_port_type;
 
 attribute corenet_unconfined_type;
 
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.m4 b/refpolicy/policy/modules/kernel/corenetwork.te.m4
index 1cc4569..6665896 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.m4
@@ -46,7 +46,11 @@ ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inn
 ') dnl end determine reserved capability depend
 
 define(`declare_ports',`dnl
-ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
+ifelse(eval($3 < 1024),1,`
+typeattribute $1 reserved_port_type;
+#bindresvport in glibc starts searching for reserved ports at 600
+ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+',`dnl')
 portcon $2 $3 gen_context(system_u:object_r:$1,$4)
 ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
 ')
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 3312c1e..7777254 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -609,7 +609,7 @@ interface(`fs_read_noxattr_fs_files',`
 		attribute noxattrfs;
 	')
 
-	allow $1 noxattrfs:dir search;
+	allow $1 noxattrfs:dir search_dir_perms;
 	allow $1 noxattrfs:file r_file_perms;
 
 ')
@@ -629,7 +629,7 @@ interface(`fs_read_noxattr_fs_symlinks',`
 		attribute noxattrfs;
 	')
 
-	allow $1 noxattrfs:dir search;
+	allow $1 noxattrfs:dir search_dir_perms;
 	allow $1 noxattrfs:lnk_file r_file_perms;
 ')
 
@@ -1491,7 +1491,7 @@ interface(`fs_read_removable_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_donaudit_read_removable_files',`
+interface(`fs_dontaudit_read_removable_files',`
 	gen_require(`
 		type removable_t;
 	')
@@ -3204,3 +3204,29 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Relabel all objets from filesystems that
+##	do not support extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_noxattr_fs',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir { list_dir_perms relabelfrom };
+	allow $1 noxattrfs:file { getattr relabelfrom };
+	allow $1 noxattrfs:lnk_file { getattr relabelfrom };
+	allow $1 noxattrfs:fifo_file { getattr relabelfrom };
+	allow $1 noxattrfs:sock_file { getattr relabelfrom };
+	allow $1 noxattrfs:blk_file { getattr relabelfrom };
+	allow $1 noxattrfs:chr_file { getattr relabelfrom };
+')
+
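Review bot: The new summary of `fs_relabelfrom_noxattr_fs` misspells "objects" (`##	Relabel all objets from filesystems that` should read `##	Relabel all objects from filesystems that`). The hunk also appends an empty line after the closing `')`, so filesystem.if now ends with a trailing blank line where the rest of the file has none; dropping the final `+` line keeps the file's convention.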
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index f947f63..ce37304 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.3.6)
+policy_module(filesystem,1.3.7)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/amavis.te b/refpolicy/policy/modules/services/amavis.te
index c084736..6481205 100644
--- a/refpolicy/policy/modules/services/amavis.te
+++ b/refpolicy/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.0.0)
+policy_module(amavis,1.0.1)
 
 ########################################
 #
@@ -143,6 +143,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	pyzor_domtrans(amavis_t)
+')
+
+optional_policy(`
 	spamassassin_exec(amavis_t)
 	spamassassin_exec_client(amavis_t)
 ')
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index 62b2baf..65fc610 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
 
-policy_module(automount,1.2.2)
+policy_module(automount,1.2.3)
 
 ########################################
 #
@@ -86,6 +86,7 @@ corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
 # Automount execs showmount when you browse /net.  This is required until
 # Someone writes a showmount policy
 corenet_tcp_bind_reserved_port(automount_t)
+corenet_tcp_bind_all_rpc_ports(automount_t)
 
 dev_read_sysfs(automount_t)
 # for SSP
diff --git a/refpolicy/policy/modules/services/cyrus.if b/refpolicy/policy/modules/services/cyrus.if
index 49647a4..30d552e 100644
--- a/refpolicy/policy/modules/services/cyrus.if
+++ b/refpolicy/policy/modules/services/cyrus.if
@@ -20,3 +20,25 @@ interface(`cyrus_manage_data',`
 	allow $1 cyrus_var_lib_t:dir rw_dir_perms;
 	allow $1 cyrus_var_lib_t:file manage_file_perms;
 ')
+
+
+########################################
+## <summary>
+##	Connect to Cyrus using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cyrus_stream_connect',`
+	gen_require(`
+		type cyrus_t, cyrus_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 cyrus_var_lib_t:dir search;
+	allow $1 cyrus_var_lib_t:sock_file write;
+	allow $1 cyrus_t:unix_stream_socket connectto;
+')
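Review bot: `cyrus_stream_connect` grants `allow $1 cyrus_var_lib_t:dir search;` while this same commit converts exactly that pattern to `search_dir_perms` in filesystem.if (`fs_read_noxattr_fs_files`, `fs_read_noxattr_fs_symlinks`); for consistency the line should be `allow $1 cyrus_var_lib_t:dir search_dir_perms;`. Two blank lines are inserted before the `####` header where the surrounding interfaces are separated by one; one of them should go.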
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 08ff84e..bf2924b 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
 
-policy_module(cyrus,1.1.0)
+policy_module(cyrus,1.1.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index ec3a724..94db81e 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.2.3)
+policy_module(postfix,1.2.4)
 
 ########################################
 #
@@ -172,6 +172,10 @@ mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 
 optional_policy(`
+	cyrus_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
 #	for postalias
 	mailman_manage_data_files(postfix_master_t)
 ')
@@ -390,6 +394,7 @@ allow postfix_pickup_t postfix_private_t:sock_file write;
 allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
 allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
 
+postfix_list_spool(postfix_pickup_t)
 allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
 allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
@@ -430,6 +435,7 @@ allow postfix_postdrop_t self:udp_socket create_socket_perms;
 allow postfix_postdrop_t postfix_public_t:dir search;
 allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
 
+postfix_list_spool(postfix_postdrop_t)
 allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
 
@@ -538,6 +544,8 @@ allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_per
 
 allow postfix_showq_t postfix_spool_t:file r_file_perms;
 
+postfix_list_spool(postfix_showq_t)
+
 allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
 allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index e3a8433..faa439c 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
 
-policy_module(procmail,1.2.0)
+policy_module(procmail,1.2.1)
 
 ########################################
 #
@@ -94,14 +94,18 @@ optional_policy(`
 ')
 
 optional_policy(`
+	pyzor_domtrans(procmail_t)
+')
+
+optional_policy(`
 	mta_read_config(procmail_t)
+	sendmail_domtrans(procmail_t)
 	sendmail_rw_tcp_sockets(procmail_t)
 	sendmail_rw_unix_stream_sockets(procmail_t)
 ')
 
 optional_policy(`
 	corenet_udp_bind_generic_port(procmail_t)
-	corenet_tcp_connect_spamd_port(procmail_t)
 
 	files_getattr_tmp_dirs(procmail_t)
 
diff --git a/refpolicy/policy/modules/services/pyzor.fc b/refpolicy/policy/modules/services/pyzor.fc
new file mode 100644
index 0000000..0fdbe3a
--- /dev/null
+++ b/refpolicy/policy/modules/services/pyzor.fc
@@ -0,0 +1,9 @@
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+
+/etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
+
+/usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
+
+/var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
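Review bot: The `HOME_DIR/\.pyzor(/.*)?` entry labels with `ROLE_pyzor_home_t`, but pyzor.te in this commit declares only pyzor_t, pyzor_exec_t, pyzord_t, pyzord_exec_t, pyzor_etc_t, pyzord_log_t and pyzor_var_lib_t, and pyzor.if has no per-userdomain template that would create a `$1_pyzor_home_t`; unless that type is declared somewhere not in this patch, the file context references an unknown type. The `/var/log/pyzord.log` pattern leaves the dot unescaped, unlike `\.pyzor` two lines up, so it should be `/var/log/pyzord\.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)`. The `pyzor_etc_t, s0` entry carries a space after the comma that no other line in the file has; it is harmless to m4 but inconsistent.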
diff --git a/refpolicy/policy/modules/services/pyzor.if b/refpolicy/policy/modules/services/pyzor.if
new file mode 100644
index 0000000..9d38ba1
--- /dev/null
+++ b/refpolicy/policy/modules/services/pyzor.if
@@ -0,0 +1,46 @@
+## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
+
+########################################
+## <summary>
+##	Execute pyzor with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pyzor_domtrans',`
+	gen_require(`
+		type pyzor_exec_t, pyzor_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,pyzor_exec_t,pyzor_t)
+
+	allow $1 pyzor_t:fd use;
+	allow pyzor_t $1:fd use;
+	allow pyzor_t $1:fifo_file rw_file_perms;
+	allow pyzor_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute pyzor in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pyzor_exec',`
+	gen_require(`
+		type pyzor_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,pyzor_exec_t)
+')
diff --git a/refpolicy/policy/modules/services/pyzor.te b/refpolicy/policy/modules/services/pyzor.te
new file mode 100644
index 0000000..72f9ffa
--- /dev/null
+++ b/refpolicy/policy/modules/services/pyzor.te
@@ -0,0 +1,116 @@
+
+policy_module(pyzor,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pyzor_t;
+type pyzor_exec_t;
+domain_type(pyzor_t)
+domain_entry_file(pyzor_t,pyzor_exec_t)
+role system_r types pyzor_t;
+
+type pyzord_t;
+type pyzord_exec_t;
+domain_type(pyzord_t)
+init_daemon_domain(pyzord_t,pyzord_exec_t)
+
+type pyzor_etc_t;
+files_type(pyzor_etc_t)
+
+type pyzord_log_t;
+logging_log_file(pyzord_log_t)
+
+type pyzor_var_lib_t;
+files_type(pyzor_var_lib_t)
+
+########################################
+#
+# Pyzor local policy
+#
+
+allow pyzor_t pyzor_var_lib_t:dir r_dir_perms;
+allow pyzor_t pyzor_var_lib_t:file r_file_perms;
+files_search_var_lib(pyzor_t)
+
+files_read_etc_files(pyzor_t)
+
+auth_use_nsswitch(pyzor_t)
+
+libs_use_ld_so(pyzor_t)
+libs_use_shared_libs(pyzor_t)
+
+miscfiles_read_localization(pyzor_t)
+
+optional_policy(`
+	amavis_manage_lib_files(pyzor_t)
+')
+
+optional_policy(`
+	spamassassin_read_spamd_tmp_files(pyzor_t)
+')
+
+########################################
+#
+# Pyzord local policy
+#
+
+allow pyzord_t self:udp_socket create_socket_perms;
+
+allow pyzord_t pyzor_var_lib_t:file create_file_perms;
+allow pyzord_t pyzor_var_lib_t:dir { rw_dir_perms setattr };
+files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
+
+allow pyzord_t pyzor_etc_t:file create_file_perms;
+allow pyzord_t pyzor_etc_t:dir r_dir_perms;
+
+can_exec(pyzord_t,pyzor_exec_t)
+
+allow pyzord_t pyzord_log_t:file create_file_perms;
+allow pyzord_t pyzord_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
+
+kernel_read_kernel_sysctls(pyzord_t)
+kernel_read_system_state(pyzord_t)
+
+dev_read_urand(pyzord_t)
+
+corecmd_exec_bin(pyzord_t)
+
+corenet_raw_sendrecv_all_if(pyzord_t)
+corenet_udp_sendrecv_all_if(pyzord_t)
+corenet_udp_sendrecv_all_nodes(pyzord_t)
+corenet_raw_sendrecv_all_nodes(pyzord_t)
+corenet_udp_sendrecv_all_ports(pyzord_t)
+corenet_non_ipsec_sendrecv(pyzord_t)
+corenet_udp_bind_all_nodes(pyzord_t)
+corenet_udp_bind_pyzor_port(pyzord_t)
+
+files_read_etc_files(pyzord_t)
+
+term_dontaudit_use_generic_ptys(pyzord_t)
+
+auth_use_nsswitch(pyzord_t)
+
+libs_use_ld_so(pyzord_t)
+libs_use_shared_libs(pyzord_t)
+
+miscfiles_read_localization(pyzord_t)
+
+# only works until we define a different type for maildir
+userdom_priveleged_home_dir_manager(pyzord_t)
+# Do not audit attempts to access /root.
+userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
+userdom_dontaudit_search_staff_home_dirs(pyzord_t)
+
+mta_manage_spool(pyzord_t)
+
+optional_policy(`
+	logging_send_syslog_msg(pyzord_t)
+')
+
+optional_policy(`
+	nscd_socket_use(pyzord_t)
+')
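Review bot: pyzord_t, a daemon that binds a UDP port, is given `userdom_priveleged_home_dir_manager(pyzord_t)` and `mta_manage_spool(pyzord_t)`, i.e. write access to every user's home directory and the mail spool, while the only data it visibly needs is its own database under pyzor_var_lib_t; the comment already admits a maildir type is the real requirement, so at least a TODO naming that narrower target (`# TODO: replace with a maildir-specific interface once one exists`) should accompany the grant. `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` are granted without any `rawip_socket` permission on self, so they are either unneeded or incomplete. `corenet_udp_bind_pyzor_port(pyzord_t)` depends on a pyzor port being declared in corenetwork, but this commit's corenetwork.te.in hunk adds only the `rpc_port_type` attribute, so if that port type does not already exist the module will not build. pyzord_t also gets `create_file_perms` on pyzor_etc_t; if the daemon only reads its configuration, `r_file_perms` would do. The client domain pyzor_t receives no socket or corenet rules at all even though pyzor's client presumably talks to the server over the network; that looks incomplete rather than intentional.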
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 731fe26..1f55f3f 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.2)
+policy_module(rpc,1.2.3)
 
 ########################################
 #
@@ -52,6 +52,9 @@ kernel_read_sysctl(rpcd_t)
 corenet_udp_bind_generic_port(rpcd_t)
 corenet_udp_bind_reserved_port(rpcd_t)
 
+dev_read_urand(rpcd_t)
+dev_read_rand(rpcd_t)
+
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
 fs_read_rpc_symlinks(rpcd_t)
@@ -61,6 +64,8 @@ term_use_controlling_term(rpcd_t)
 # cjp: this should really have its own type
 files_manage_mounttab(rpcd_t)
 
+miscfiles_read_certs(rpcd_t)
+
 seutil_dontaudit_search_config(rpcd_t)
 
 portmap_udp_chat(rpcd_t) 
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index e8c4a39..7a79a7d 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.3.3)
+policy_module(spamassassin,1.3.4)
 
 ########################################
 #
@@ -139,11 +139,11 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-	cron_system_entry(spamd_t,spamd_exec_t)
+	amavis_manage_lib_files(spamd_t)
 ')
 
 optional_policy(`
-	amavis_manage_lib_files(spamd_t)
+	cron_system_entry(spamd_t,spamd_exec_t)
 ')
 
 optional_policy(`
@@ -155,6 +155,14 @@ optional_policy(`
 ')
 
 optional_policy(`
+	postgresql_stream_connect(spamd_t)
+')
+
+optional_policy(`
+	pyzor_domtrans(spamd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(spamd_t)
 ')
 
@@ -166,13 +174,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(spamd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`
-# for bayes tokens
-allow spamd_t var_lib_t:dir { getattr search };
-allow spamd_t amavisd_lib_t:dir rw_dir_perms;
-allow spamd_t amavisd_lib_t:file create_file_perms;
-allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 9a72969..ee05883 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.3.2)
+policy_module(authlogin,1.3.3)
 
 ########################################
 #
@@ -188,6 +188,8 @@ storage_getattr_scsi_generic_dev(pam_console_t)
 storage_setattr_scsi_generic_dev(pam_console_t)
 
 term_use_console(pam_console_t)
+term_use_all_user_ttys(pam_console_t)
+term_use_all_user_ptys(pam_console_t)
 term_setattr_console(pam_console_t)
 term_getattr_unallocated_ttys(pam_console_t)
 term_setattr_unallocated_ttys(pam_console_t)
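Review bot: `term_use_all_user_ttys(pam_console_t)` and `term_use_all_user_ptys(pam_console_t)` grant read/write on every user's terminal device, whereas the neighbouring rules (`term_setattr_console`, `term_getattr_unallocated_ttys`, `term_setattr_unallocated_ttys`) confine pam_console to attribute access, which is what changing device ownership at login needs. If pam_console only chowns/chmods user ttys and ptys, a setattr-level interface would keep to that pattern and avoid letting a PAM module read or inject into other users' sessions; if it genuinely reads or writes the devices, a one-line comment stating why (`# pam_console needs rw on user ttys because …`) should accompany the grant. pam_console_t's rules continue outside the hunk.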
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index e459ef7..55ef8f4 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -75,6 +75,7 @@ ifdef(`distro_gentoo',`
 
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ati-fglrx/.*\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -84,9 +85,9 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/(local/)?lib(64)?/wine/.*\.so  	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/NX/lib/libXcomp.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libjpeg.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -195,10 +196,12 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textre
 
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ') dnl end distro_redhat
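Review bot: In the rewritten libjvm line the `(local/)?` group is redundant because the following `(.*/)?` already matches a `local/` component, and the dot in `libjvm.so` is unescaped while the same line escapes the later `\.`; `/usr/(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` expresses the same intent. The two new acroread entries correctly keep `(local/)?` since `acroread` must follow it directly.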
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index ba068be..3617fc0 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.3.5)
+policy_module(libraries,1.3.6)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 1628962..18b8a36 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.3.1)
+policy_module(lvm,1.3.2)
 
 ########################################
 #
@@ -205,9 +205,10 @@ dev_create_generic_dirs(lvm_t)
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
 fs_read_tmpfs_symlinks(lvm_t)
-fs_donaudit_read_removable_files(lvm_t)
+fs_dontaudit_read_removable_files(lvm_t)
 
 storage_relabel_fixed_disk(lvm_t)
+storage_dontaudit_read_removable_device(lvm_t)
 # LVM creates block devices in /dev/mapper or /dev/<vg>
 # depending on its version
 # LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 8c9c181..779b2e6 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
 
-policy_module(mount,1.3.4)
+policy_module(mount,1.3.5)
 
 ########################################
 #
@@ -127,6 +127,8 @@ optional_policy(`
 	corenet_udp_bind_generic_port(mount_t)
 	corenet_tcp_bind_reserved_port(mount_t)
 	corenet_udp_bind_reserved_port(mount_t)
+	corenet_tcp_bind_all_rpc_ports(mount_t)
+	corenet_udp_bind_all_rpc_ports(mount_t)
 	corenet_tcp_connect_all_ports(mount_t)
 
 	fs_search_rpc(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index ae09a1c..57d13e8 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.4)
+policy_module(selinuxutil,1.2.5)
 
 gen_require(`
 	bool secure_mode;
@@ -393,6 +393,8 @@ logging_send_syslog_msg(restorecon_t)
 userdom_use_all_users_fds(restorecon_t)
 
 files_relabel_all_files(restorecon_t)
+fs_relabelfrom_noxattr_fs(restorecon_t)
+
 files_list_all(restorecon_t)
 # this is to satisfy the assertion:
 auth_relabelto_shadow(restorecon_t)
@@ -427,6 +429,7 @@ files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
 
 auth_relabel_all_files_except_shadow(restorecond_t )
 auth_read_all_files_except_shadow(restorecond_t)
+fs_relabelfrom_noxattr_fs(restorecond_t)
 
 kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
@@ -627,6 +630,7 @@ files_read_etc_runtime_files(setfiles_t)
 files_read_etc_files(setfiles_t)
 files_list_all(setfiles_t)
 files_relabel_all_files(setfiles_t)
+fs_relabelfrom_noxattr_fs(setfiles_t)
 
 logging_send_syslog_msg(setfiles_t)
 
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 65e8c5d..757d842 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.1.2)
+policy_module(sysnetwork,1.1.3)
 
 ########################################
 #
@@ -286,6 +286,7 @@ kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
 kernel_search_network_sysctl(ifconfig_t)
+kernel_rw_net_sysctls(ifconfig_t)
 
 corenet_rw_tun_tap_dev(ifconfig_t)
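Review bot: kernel_rw_net_sysctls(ifconfig_t) grants read and write on every sysctl under net, whereas the line above it only grants search, and nothing in the hunk says which sysctl ifconfig/ip actually writes. Write access to network sysctls covers forwarding, rp_filter and similar host-wide settings, so if the need is one per-interface knob a narrower interface (if kernel.if offers one) or at least a comment naming the sysctl keeps the grant auditable: `# ip(8) writes per-interface settings under /proc/sys/net/ipv6/conf -- confirm against the audit log` — hedged, since the denial is not visible here.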
 
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 236e7ff..ded1e2d 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -381,6 +381,27 @@ interface(`unconfined_dbus_send',`
 
 ########################################
 ## <summary>
+##	Send and receive messages from
+##	unconfined_t over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dbus_chat',`
+	gen_require(`
+		type unconfined_t;
+		class dbus send_msg;
+	')
+
+	allow $1 unconfined_t:dbus send_msg;
+	allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Add an alias type to the unconfined domain.
 ## </summary>
 ## <desc>
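Review bot: unconfined_dbus_chat's first allow, `allow $1 unconfined_t:dbus send_msg;`, is presumably the same rule that unconfined_dbus_send (declared immediately above this hunk, body not visible) already grants, so the new interface could call `unconfined_dbus_send($1)` and add only the reverse `allow unconfined_t $1:dbus send_msg;`, leaving one place to maintain the forward rule — hedged, since unconfined_dbus_send's body is outside this hunk. The summary could also say explicitly that the grant is bidirectional, e.g. `##	Send messages to and receive messages from unconfined_t over dbus.`, matching the wording style of the neighbouring interfaces.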
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 2f947d5..f522e14 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.7)
+policy_module(unconfined,1.3.8)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/xen.fc b/refpolicy/policy/modules/system/xen.fc
index 0f4f3d7..e7cf147 100644
--- a/refpolicy/policy/modules/system/xen.fc
+++ b/refpolicy/policy/modules/system/xen.fc
@@ -1,6 +1,7 @@
 /usr/sbin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
 /usr/sbin/xend		--	gen_context(system_u:object_r:xend_exec_t,s0)
 /usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
 
 /var/lib/xen(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xend(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/system/xen.if b/refpolicy/policy/modules/system/xen.if
index 89f2d22..7393a2a 100644
--- a/refpolicy/policy/modules/system/xen.if
+++ b/refpolicy/policy/modules/system/xen.if
@@ -48,11 +48,12 @@ interface(`xen_append_log',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write
-##	Xen unix domain stream sockets.
+##	Xen unix domain stream sockets.  These
+##	are leaked file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to don't audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -84,3 +85,45 @@ interface(`xen_stream_connect_xenstore',`
 	allow $1 xenstored_var_run_t:sock_file { getattr write };
 	allow $1 xenstored_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	Connect to xend over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xen_stream_connect',`
+	gen_require(`
+		type xend_t, xend_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xend_var_run_t:dir search;
+	allow $1 xend_var_run_t:sock_file { getattr write };
+	allow $1 xend_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run xm.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_domtrans_xm',`
+	gen_requires(`
+		type xm_t, xm_exec_t;
+	')
+
+	domain_auto_trans($1,xm_exec_t,xm_t)
+	allow xm_t $1:fd use;
+	allow xm_t:$1:fifo_file rw_file_perms;
+	allow xm_t $1:process sigchld;
+')
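Review bot: xen_domtrans_xm will not build as written: its require block uses `gen_requires(`, which is not a refpolicy macro (the one used elsewhere in this file is `gen_require(`), and the fifo rule has a stray colon between source and target, `allow xm_t:$1:fifo_file rw_file_perms;`, which the policy compiler rejects. The corrected lines are `gen_require(` and `allow xm_t $1:fifo_file rw_file_perms;`. The `<param>` documentation of this interface is also indented one level less than in xen_stream_connect just above it. Finally, the interface takes no role argument, so a caller outside system_r would additionally need a `role` statement for xm_t that nothing in this patch provides; that is worth stating in the interface's `<desc>`.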
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
index c25adeb..e4ca619 100644
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
 
-policy_module(xen,1.0.2)
+policy_module(xen,1.0.3)
 
 ########################################
 #
@@ -54,6 +54,11 @@ role system_r types xenconsoled_t;
 type xenconsoled_var_run_t;
 files_pid_file(xenconsoled_var_run_t)
 
+type xm_t;
+type xm_exec_t;
+domain_type(xm_t)
+init_daemon_domain(xm_t, xm_exec_t)
+
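Review bot: xm_t is declared with init_daemon_domain although /usr/sbin/xm is, by the rest of this patch, a management command launched by a caller via xen_domtrans_xm and given term_use_all_terms, not something init starts; init_daemon_domain presumably wires up an init/initrc transition and the system_r role, neither of which an admin-launched tool can use. Unless xend itself execs xm, `domain_type(xm_t)` plus `domain_entry_file(xm_t, xm_exec_t)` and a role declaration for the administrative role would match the stated use better — hedged, since the intended caller is not visible in this patch. The explicit `domain_type(xm_t)` on the preceding line is also presumably redundant if init_daemon_domain already declares the domain type.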
 ########################################
 #
 # xend local policy
@@ -224,3 +229,37 @@ libs_use_shared_libs(xenstored_t)
 miscfiles_read_localization(xenstored_t)
 
 xen_append_log(xenstored_t)
+
+########################################
+#
+# xm local policy
+#
+
+allow xm_t self:capability dac_override;
+# internal communication is often done using fifo and unix sockets.
+allow xm_t self:fifo_file { read write };
+allow xm_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(xm_t)
+kernel_read_kernel_sysctls(xm_t)
+kernel_read_xen_state(xm_t)
+kernel_write_xen_state(xm_t)
+
+corecmd_exec_bin(xm_t)
+corecmd_exec_sbin(xm_t)
+
+dev_read_urand(xm_t)
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(xm_t)
+
+term_use_all_terms(xm_t)
+
+libs_use_ld_so(xm_t)
+libs_use_shared_libs(xm_t)
+
+miscfiles_read_localization(xm_t)
+
+xen_append_log(xm_t)
+xen_stream_connect(xm_t)
+xen_stream_connect_xenstore(xm_t)
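Review bot: The xm local policy still carries the template comment `# Some common macros (you might be able to remove some)`, which suggests the rule set was not minimized, and its two broadest grants, `allow xm_t self:capability dac_override;` and `kernel_write_xen_state(xm_t)`, carry no justification. dac_override lets the domain bypass every DAC permission check, so if xm only needs xend's root-owned socket a narrower file rule is preferable; and if xm reaches the hypervisor solely through xend over the socket granted by xen_stream_connect, direct write access to xen state may be unnecessary — both hedged, since xm's actual accesses are not visible here. At minimum replace the template comment with one stating why each of those two lines is needed, e.g. `# dac_override: xm must open xend's root-owned control socket -- confirm with audit log`.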

