[selinux-policy: 1906/3172] trunk: Exim updates on Debian from Devin Carrawy.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:49:45 UTC 2010


commit d57a094347949aee977db69dea63d7d9b5577153
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Mar 4 18:25:13 2008 +0000

    trunk: Exim updates on Debian from Devin Carrawy.

 Changelog                       |    1 +
 policy/modules/services/exim.fc |   12 ++++++++----
 policy/modules/services/exim.te |   11 +++++++++--
 3 files changed, 18 insertions(+), 6 deletions(-)
---
diff --git a/Changelog b/Changelog
index f4ed5d7..729781f 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Exim updates on Debian from Devin Carrawy.
 - Pam and samba updates from Stefan Schulze Frielinghaus.
 - Backup update on Debian from Vaclav Ovsik.
 - Cracklib update on Debian from Vaclav Ovsik.
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
index 8df1594..ad4e0a0 100644
--- a/policy/modules/services/exim.fc
+++ b/policy/modules/services/exim.fc
@@ -1,4 +1,8 @@
-/usr/sbin/exim		--	gen_context(system_u:object_r:exim_exec_t,s0)
-/var/log/exim(/.*)?		gen_context(system_u:object_r:exim_log_t,s0)
-/var/run/exim.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
-/var/spool/exim(/.*)?		gen_context(system_u:object_r:exim_spool_t,s0)
+/usr/sbin/exim[0-9]?		--	gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim[0-9]?(/.*)?		gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim[0-9]?\.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim[0-9]?(/.*)?		gen_context(system_u:object_r:exim_spool_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/exim[0-9]?(/.*)?	  	gen_context(system_u:object_r:exim_var_run_t,s0)
+')
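Review bot: The `[0-9]?` suffix on `/usr/sbin/exim[0-9]?` labels any binary in /usr/sbin named exim plus one digit as `exim_exec_t`, presumably the entry point type for the exim domain, and no comment says which names are intended. This most likely targets Debian's versioned naming (e.g. exim4), so a comment above the first entry such as `# Debian installs versioned names (exim4); [0-9]? covers them` would record that. The same applies to the log, pid and spool patterns in this hunk.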
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index cf4b4f9..d6360c0 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -1,5 +1,5 @@
 
-policy_module(exim,1.0.0)
+policy_module(exim,1.0.1)
 
 ########################################
 #
@@ -42,7 +42,7 @@ files_pid_file(exim_var_run_t)
 # exim local policy
 #
 
-allow exim_t self:capability { dac_override dac_read_search setuid setgid };
+allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket create_stream_socket_perms;
 allow exim_t self:tcp_socket create_stream_socket_perms;
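Review bot: The `fowner` and `chown` capabilities added to the `allow exim_t self:capability` line are granted on every distribution although the commit is described as a Debian update, and nothing in the hunk says which operation needs them. Together with the existing `dac_override`, they let the mail domain change ownership of, and bypass owner checks on, any file its type rules otherwise reach, so the grant deserves a recorded justification. I would add a comment above the line such as `# fowner chown: needed for <operation seen in the AVC denial>`, or guard the two additions with the same `distro_debian` ifdef that exim.fc uses if only the Debian packaging needs them. The local policy section continues outside the hunk.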
@@ -67,6 +67,8 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(exim_t)
 
+kernel_dontaudit_read_system_state(exim_t)
+
 corecmd_search_bin(exim_t)
 
 corenet_all_recvfrom_unlabeled(exim_t)
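Review bot: `kernel_dontaudit_read_system_state(exim_t)` suppresses the audit record rather than granting the access, so reads of system state under /proc by exim_t are now denied silently. That removes a signal an analyst could use to notice a misbehaving or compromised mail daemon probing the system, so the line should state which benign access it quiets. I would add a comment such as `# exim probes <file under /proc> at startup; denial is harmless noise`. During an investigation, dontaudit rules can be lifted temporarily with `semodule -DB`.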
@@ -77,8 +79,13 @@ corenet_tcp_bind_all_nodes(exim_t)
 corenet_tcp_bind_smtp_port(exim_t)
 corenet_tcp_bind_amavisd_send_port(exim_t)
 corenet_tcp_connect_auth_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_connect_ldap_port(exim_t)
 corenet_tcp_connect_inetd_child_port(exim_t)
 
+dev_read_rand(exim_t)
+dev_read_urand(exim_t)
+
 # Init script handling
 domain_use_interactive_fds(exim_t)
 
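Review bot: `corenet_tcp_connect_ldap_port(exim_t)` is granted unconditionally, although only installations that configure exim for LDAP lookups would need it; outbound SMTP, added on the line before, is core to a mail transfer agent and is a different case. Every other installation gains an outbound path from exim_t to directory servers that it never uses. Consider placing the LDAP line in a `tunable_policy` block that defaults to off (tunable name to be chosen, e.g. `<exim_ldap_tunable>`), or at least add a comment such as `# LDAP lookups for routing/authentication`. The network rules begin above the hunk.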

