[selinux-policy: 1736/3172] Fixes for squid, dovecot, and snmp from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:35:01 UTC 2010


commit b129e2001c1b50414836bb1e7aff3d03aa5df85f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon May 7 13:45:17 2007 +0000

    Fixes for squid, dovecot, and snmp from Dan Walsh.

 Changelog                               |    1 +
 policy/modules/kernel/corenetwork.te.in |    3 ++-
 policy/modules/services/dovecot.te      |    7 ++++++-
 policy/modules/services/snmp.te         |   10 +++++++++-
 policy/modules/services/squid.if        |   21 ++++++++++++++++++++-
 policy/modules/services/squid.te        |    6 +++++-
 6 files changed, 43 insertions(+), 5 deletions(-)
---
diff --git a/Changelog b/Changelog
index 943f7f0..2290890 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Fixes for squid, dovecot, and snmp from Dan Walsh.
 - Miscellaneous consolekit fixes from Dan Walsh.
 - Patch to have avahi use the nsswitch interface rather than individual
   permissions from Dan Walsh.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index c2c1672..f5852ef 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.2.7)
+policy_module(corenetwork,1.2.8)
 
 ########################################
 #
@@ -141,6 +141,7 @@ network_port(ssh, tcp,22,s0)
 network_port(soundd, tcp,8000,s0, tcp,9433,s0)
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
+network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
 network_port(swat, tcp,901,s0)
 network_port(syslogd, udp,514,s0)
 network_port(telnetd, tcp,23,s0)
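Review bot: The new `network_port(squid, ...)` entry declares TCP as well as UDP for both 3401 and 4827, and its trailing comment does not say which number is which. As far as I recall, Squid's `snmp_port` (3401) and `htcp_port` (4827) listeners are UDP-only, so the two `tcp,...` tuples here — and the matching `corenet_tcp_bind_squid_port(squid_t)` added in squid.te — would let squid_t bind TCP ports that nothing listens on; worth confirming against the denial that prompted the change. If UDP alone is sufficient, `network_port(squid, udp,3401,s0, udp,4827,s0) # squid snmp_port (3401) and htcp_port (4827)` keeps the label minimal; if TCP really is needed, at least expand the comment to name the ports so the next reader does not have to look them up.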
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index c8c5977..c81a948 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.5.0)
+policy_module(dovecot,1.5.1)
 
 ########################################
 #
@@ -46,6 +46,7 @@ allow dovecot_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
 
 domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 
@@ -137,6 +138,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	squid_dontaudit_search_cache(dovecot_t)
+')
+
+optional_policy(`
 	udev_read_db(dovecot_t)
 ')
 
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 89f5d2a..8cc09c5 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
 
-policy_module(snmp,1.4.0)
+policy_module(snmp,1.4.1)
 
 ########################################
 #
@@ -134,6 +134,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mta_read_config(snmpd_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(snmpd_t)
 ')
 
@@ -150,5 +154,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	squid_read_config(snmpd_t)
+')
+
+optional_policy(`
 	udev_read_db(snmpd_t)
 ')
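Review bot: `squid_read_config(snmpd_t)` grants snmpd read access to everything labelled squid_conf_t, and squid.conf can hold more than the SNMP port number — for example `cache_peer ... login=` credentials and the `acl ... snmp_community` strings — so this rule exposes squid's configured secrets to the snmpd domain. The commit does not record why snmpd needs the file; if the access was added to silence a denial from a probe rather than a genuine read, a dontaudit rule would be the least-privilege fix, and if the read is genuine a short comment above the call stating what snmpd extracts from it would help the next reviewer judge the grant. The same missing-rationale point applies to the `mta_read_config(snmpd_t)` block added earlier in this file.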
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index 4769c23..959f98d 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -21,6 +21,25 @@ interface(`squid_domtrans',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search squid cache dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_search_cache',`
+	gen_require(`
+		type squid_cache_t;
+	')
+
+	dontaudit $1 squid_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read squid configuration file.
 ## </summary>
 ## <param name="domain">
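Review bot: The new `squid_dontaudit_search_cache` interface is tagged `## <rolecap/>`, but it neither takes a role argument nor grants a capability a user role would exercise — it only suppresses an audit record for the given domain. In refpolicy that marker is, as far as I know, reserved for interfaces exposed as user role capabilities, so the tag looks copied from a template and should be dropped to keep the generated interface documentation accurate. The summary could also make the intent explicit, e.g. `##	Do not audit attempts to search squid cache dirs (noise suppression only; grants nothing).`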
@@ -36,7 +55,7 @@ interface(`squid_read_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 squid_conf_t:file read_file_perms;
+	read_files_pattern($1, squid_conf_t, squid_conf_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index d6f2a70..356f465 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
 
-policy_module(squid,1.3.0)
+policy_module(squid,1.3.1)
 
 ########################################
 #
@@ -89,6 +89,8 @@ corenet_udp_bind_http_cache_port(squid_t)
 corenet_tcp_bind_ftp_port(squid_t)
 corenet_tcp_bind_gopher_port(squid_t)
 corenet_udp_bind_gopher_port(squid_t)
+corenet_tcp_bind_squid_port(squid_t)
+corenet_udp_bind_squid_port(squid_t)
 corenet_tcp_connect_ftp_port(squid_t)
 corenet_tcp_connect_gopher_port(squid_t)
 corenet_tcp_connect_http_port(squid_t)
@@ -98,6 +100,8 @@ corenet_sendrecv_ftp_client_packets(squid_t)
 corenet_sendrecv_gopher_client_packets(squid_t)
 corenet_sendrecv_http_cache_server_packets(squid_t)
 corenet_sendrecv_http_cache_client_packets(squid_t)
+corenet_sendrecv_squid_client_packets(squid_t)
+corenet_sendrecv_squid_server_packets(squid_t)
 
 dev_read_sysfs(squid_t)
 dev_read_urand(squid_t)

