[selinux-policy: 1008/3172] patch from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:32:07 UTC 2010


commit 78510c55e89642b1b08f6ec55cad0445b80ccf14
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 29 21:51:24 2005 +0000

    patch from dan

 refpolicy/Makefile                            |    1 -
 refpolicy/policy/modules/admin/su.if          |    1 +
 refpolicy/policy/modules/admin/su.te          |    2 +-
 refpolicy/policy/modules/services/cups.te     |    2 +-
 refpolicy/policy/modules/services/dovecot.te  |    4 +++-
 refpolicy/policy/modules/services/privoxy.fc  |    2 ++
 refpolicy/policy/modules/services/privoxy.te  |    7 ++++++-
 refpolicy/policy/modules/services/procmail.te |    3 ++-
 refpolicy/policy/modules/services/sasl.te     |    4 +++-
 9 files changed, 19 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index ce14018..433d80f 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -53,7 +53,6 @@ DISTRO = redhat
 # run init scripts, instead of requring run_init.
 # This is a build option, as role transitions do
 # not work in conditional policy.
-# This option will be impled as y for redhat policies.
 DIRECT_INITRC=y
 
 # Build monolithic policy.  Putting n here
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index b310268..9fd6679 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -57,6 +57,7 @@ template(`su_restricted_domain_template', `
 	domain_use_wide_inherit_fd($1_su_t)
 
 	files_read_etc_files($1_su_t)
+	files_read_etc_runtime_files($1_su_t)
 	files_search_var_lib($1_su_t)
 
 	init_dontaudit_use_fd($1_su_t)
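Review bot: The added `files_read_etc_runtime_files($1_su_t)` line has no comment saying which runtime-generated file under /etc su needs to read, and the commit message does not say either. Because it sits in `su_restricted_domain_template`, every domain instantiated from the template gains the access. The same call is added without explanation for `dovecot_auth_t` in dovecot.te and `saslauthd_t` in sasl.te. I would put a one-line comment above each, such as `# needed to read <file named in the AVC denial>`, so the grant can be re-evaluated later. The template body starts and ends outside this hunk.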
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
index 56158eb..65aaf77 100644
--- a/refpolicy/policy/modules/admin/su.te
+++ b/refpolicy/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
 
-policy_module(su,1.0)
+policy_module(su,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 041da68..62862a3 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -632,7 +632,7 @@ ifdef(`targeted_policy', `
 	allow initrc_t cupsd_t:dbus send_msg;
 	allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
 	allow unconfined_t cupsd_config_t:dbus send_msg;
-	allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
+	allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file r_file_perms;
 	term_use_generic_pty(cupsd_config_t)
 ')
 
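Review bot: cups.te is the only .te file in this commit changed without a `policy_module` version bump; su.te, dovecot.te, privoxy.te, procmail.te and sasl.te all get one. The change from `read` to `r_file_perms` on `unconfined_t:fifo_file` also widens what `cupsd_t` and `cupsd_config_t` may do with pipes owned by the unconfined domain. The macro definition is not on this page, but it presumably adds getattr, ioctl and lock to read. A comment above the rule naming the denial that prompted it, e.g. `# cupsd inherits a pipe from the unconfined caller and stats it`, would make the wider grant reviewable.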
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 187d09b..718dc0f 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.0.1)
+policy_module(dovecot,1.0.2)
 
 ########################################
 #
@@ -159,8 +159,10 @@ kernel_read_system_state(dovecot_auth_t)
 dev_read_urand(dovecot_auth_t)
 
 auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
 
 files_read_etc_files(dovecot_auth_t)
+files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
 
 libs_use_ld_so(dovecot_auth_t)
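Review bot: `auth_use_nsswitch(dovecot_auth_t)` is likely a much wider grant than the single line suggests, and it is added without a comment. The interface body is not on this page, but in reference policy it typically bundles name-service lookups, including network access to remote directory backends. `dovecot_auth_t` handles credentials and already has `auth_domtrans_chk_passwd`, so it is worth recording which lookup backend made this necessary, e.g. `# auth process resolves users through nsswitch (<backend>)`. The same call is added for `saslauthd_t` in sasl.te and deserves the same comment.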
diff --git a/refpolicy/policy/modules/services/privoxy.fc b/refpolicy/policy/modules/services/privoxy.fc
index f8f42d3..79e1e13 100644
--- a/refpolicy/policy/modules/services/privoxy.fc
+++ b/refpolicy/policy/modules/services/privoxy.fc
@@ -1,4 +1,6 @@
 
+/etc/privoxy/user\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+
 /usr/sbin/privoxy	--	gen_context(system_u:object_r:privoxy_exec_t,s0)
 
 /var/log/privoxy(/.*)?		gen_context(system_u:object_r:privoxy_log_t,s0)
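Review bot: The new `/etc/privoxy/user\.action` entry labels exactly one regular file, so the `privoxy_etc_rw_t` label is only dependable while that file is written in place. privoxy.te in this commit grants file permissions on the type but nothing on the containing directory. A copy recreated or renamed into place by an administrator would therefore take the directory's default type until `restorecon` is run, and privoxy's write access would stop working with only an AVC denial to show for it. A short comment above the entry, for example `# single file only: relabel after replacing it`, would save a debugging session. The path is also separated from `--` by a space where the neighbouring entries use tabs.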
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index f112cb0..5b2780c 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
 
-policy_module(privoxy,1.0)
+policy_module(privoxy,1.0.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t,privoxy_exec_t)
 
+type privoxy_etc_rw_t;
+files_type(privoxy_etc_rw_t)
+
 type privoxy_log_t;
 logging_log_file(privoxy_log_t)
 
@@ -25,6 +28,8 @@ allow privoxy_t self:capability { setgid setuid };
 dontaudit privoxy_t self:capability sys_tty_config;
 allow privoxy_t self:tcp_socket create_stream_socket_perms;
 
+allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
+
 allow privoxy_t privoxy_log_t:file create_file_perms;
 allow privoxy_t privoxy_log_t:dir rw_dir_perms;
 logging_create_log(privoxy_t,privoxy_log_t)
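Review bot: `allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;` lets a network-facing proxy rewrite its own action rules, and nothing in the hunk says why write access is required. If the reason is Privoxy's built-in actions editor, say so in a comment such as `# user.action is modified by the daemon's actions editor`. Consider putting the write half behind a policy boolean, so sites that never edit rules through the daemon keep the file read-only to it. As written, a compromised `privoxy_t` process can persist changes to its filtering configuration across restarts.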
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index bc9e604..3862316 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
 
-policy_module(procmail,1.0.0)
+policy_module(procmail,1.0.1)
 
 ########################################
 #
@@ -38,6 +38,7 @@ corenet_tcp_sendrecv_all_ports(procmail_t)
 corenet_udp_sendrecv_all_ports(procmail_t)
 corenet_tcp_bind_all_nodes(procmail_t)
 corenet_udp_bind_all_nodes(procmail_t)
+corenet_tcp_connect_spamd_port(procmail_t)
 
 dev_read_urand(procmail_t)
 
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index 514a0a2..2baadce 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
 
-policy_module(sasl,1.0)
+policy_module(sasl,1.0.1)
 
 ########################################
 #
@@ -50,10 +50,12 @@ fs_search_auto_mountpoints(saslauthd_t)
 term_dontaudit_use_console(saslauthd_t)
 
 auth_domtrans_chk_passwd(saslauthd_t)
+auth_use_nsswitch(saslauthd_t)
 
 domain_use_wide_inherit_fd(saslauthd_t)
 
 files_read_etc_files(saslauthd_t)
+files_read_etc_runtime_files(saslauthd_t)
 files_search_var_lib(saslauthd_t)
 files_dontaudit_getattr_home_dir(saslauthd_t)
 

