[selinux-policy/f16] - Allow postfix to connect to spampd - Add spamd_port_t for 10026, 10027 ports - Add support for spa
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Aug 1 12:56:52 UTC 2012
commit 3563687d05206ea8165b07be437b518d19783785
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Aug 1 14:56:05 2012 +0200
- Allow postfix to connect to spampd
- Add spamd_port_t for 10026, 10027 ports
- Add support for spampd and treat it as spamd_t policy
- Allow hplip_t to send notification dbus messages to users
- Allow freshclam to update databases thru HTTP proxy
- Make deltacloudd_t as nsswitch_domain
- Fix cloudform labeling
policy-F16.patch | 134 +++++++++++++++++++++++++++++++--------------------
selinux-policy.spec | 11 ++++-
2 files changed, 91 insertions(+), 54 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 7bfc69d..5e5e3c5 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -14685,7 +14685,7 @@ index 4f3b542..f4e36ee 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..688d361 100644
+index 99b71cb..15c10d3 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -14919,7 +14919,8 @@ index 99b71cb..688d361 100644
+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
- network_port(spamd, tcp,783,s0)
+-network_port(spamd, tcp,783,s0)
++network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)
network_port(speech, tcp,8036,s0)
-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
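Review bot: Adding 10026 and 10027 to `spamd_port_t` on the new `network_port(spamd, ...)` line widens every existing rule written against that type, not only the spampd ones. The later postfix.te hunk that adds `corenet_tcp_bind_spamd_port(postfix_master_t)` therefore also lets postfix_master_t bind tcp/783, which is presumably not needed for spampd. A dedicated port type for the two proxy ports would keep the grant narrow. If sharing the type is deliberate, a trailing comment in the style of the squid line, e.g. `# 10026, 10027 for spampd`, would record why.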
@@ -30536,7 +30537,7 @@ index 1f11572..9eb2461 100644
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..c78e22d 100644
+index f758323..146313e 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,23 @@
@@ -30650,7 +30651,7 @@ index f758323..c78e22d 100644
')
########################################
-@@ -178,10 +208,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +208,17 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -30661,6 +30662,7 @@ index f758323..c78e22d 100644
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+kernel_read_kernel_sysctls(freshclam_t)
++kernel_read_network_state(freshclam_t)
+kernel_read_system_state(freshclam_t)
+
+corecmd_exec_shell(freshclam_t)
@@ -30669,15 +30671,16 @@ index f758323..c78e22d 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +225,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +226,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
++corenet_tcp_connect_squid_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +244,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +246,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
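Review bot: `corenet_tcp_connect_squid_port(freshclam_t)` is added unconditionally and without a comment, so freshclam_t may connect to the squid ports on every host, whether or not a proxy is configured. The spampd additions elsewhere in this commit carry a `# for spampd` comment; the same would help here, e.g. `# update databases through an HTTP proxy`. Proxies listening on ports outside `squid_port_t` are not covered by this rule, so it is worth confirming which port type the reported proxy used. The freshclam_t section continues outside the hunk.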
@@ -30700,7 +30703,7 @@ index f758323..c78e22d 100644
########################################
#
# clamscam local policy
-@@ -242,15 +281,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +283,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -30734,7 +30737,7 @@ index f758323..c78e22d 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +321,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +323,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -30878,10 +30881,10 @@ index 0000000..6451167
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..a861db8
+index 0000000..ad67313
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,238 @@
+@@ -0,0 +1,240 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -30992,6 +30995,8 @@ index 0000000..a861db8
+corenet_tcp_bind_generic_node(deltacloudd_t)
+corenet_tcp_bind_generic_port(deltacloudd_t)
+
++auth_use_nsswitch(deltacloudd_t)
++
+files_read_usr_files(deltacloudd_t)
+
+logging_send_syslog_msg(deltacloudd_t)
@@ -34060,7 +34065,7 @@ index 305ddf4..173cd16 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..5972414 100644
+index 0f28095..d9ca30f 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -34303,9 +34308,11 @@ index 0f28095..5972414 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +736,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -695,9 +735,12 @@ sysnet_read_config(hplip_t)
+ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
++userdom_dbus_send_all_users(hplip_t)
-lpd_read_config(hplip_t)
-lpd_manage_spool(hplip_t)
@@ -52345,7 +52352,7 @@ index 46bee12..76b68b5 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..6550576 100644
+index a32c4b3..fc74b0a 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -52470,7 +52477,16 @@ index a32c4b3..6550576 100644
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
+@@ -157,6 +174,8 @@ corenet_tcp_connect_all_ports(postfix_master_t)
+ corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+ corenet_sendrecv_smtp_server_packets(postfix_master_t)
+ corenet_sendrecv_all_client_packets(postfix_master_t)
++# for spampd
++corenet_tcp_bind_spamd_port(postfix_master_t)
+
+ # for a find command
+ selinux_dontaudit_search_fs(postfix_master_t)
+@@ -167,6 +186,10 @@ corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -52481,7 +52497,7 @@ index a32c4b3..6550576 100644
term_dontaudit_search_ptys(postfix_master_t)
-@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +243,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -52500,7 +52516,7 @@ index a32c4b3..6550576 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
+@@ -243,12 +270,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
@@ -52518,7 +52534,7 @@ index a32c4b3..6550576 100644
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,7 +294,6 @@ optional_policy(`
+@@ -264,7 +296,6 @@ optional_policy(`
# Postfix local local policy
#
@@ -52526,7 +52542,7 @@ index a32c4b3..6550576 100644
allow postfix_local_t self:process { setsched setrlimit };
# connect to master process
-@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +304,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -52535,7 +52551,7 @@ index a32c4b3..6550576 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -52554,7 +52570,7 @@ index a32c4b3..6550576 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -297,6 +333,10 @@ optional_policy(`
+@@ -297,6 +335,10 @@ optional_policy(`
')
optional_policy(`
@@ -52565,7 +52581,7 @@ index a32c4b3..6550576 100644
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
-@@ -304,9 +344,22 @@ optional_policy(`
+@@ -304,9 +346,22 @@ optional_policy(`
')
optional_policy(`
@@ -52588,7 +52604,7 @@ index a32c4b3..6550576 100644
########################################
#
# Postfix map local policy
-@@ -379,18 +432,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +434,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -52614,7 +52630,7 @@ index a32c4b3..6550576 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +460,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -52623,7 +52639,7 @@ index a32c4b3..6550576 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +481,7 @@ optional_policy(`
+@@ -420,6 +483,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -52631,7 +52647,7 @@ index a32c4b3..6550576 100644
')
optional_policy(`
-@@ -436,11 +498,18 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +500,18 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -52650,7 +52666,7 @@ index a32c4b3..6550576 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -52661,7 +52677,7 @@ index a32c4b3..6550576 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +590,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -52674,7 +52690,7 @@ index a32c4b3..6550576 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +614,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -52685,16 +52701,19 @@ index a32c4b3..6550576 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +635,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
++# for spampd
++corenet_tcp_connect_spamd_port(postfix_master_t)
++
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +642,14 @@ optional_policy(`
+@@ -565,6 +647,14 @@ optional_policy(`
')
optional_policy(`
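Review bot: The added `corenet_tcp_connect_spamd_port(postfix_master_t)` sits among the postfix_smtp_t rules but names postfix_master_t as the source domain. The hunk-header context earlier in this file shows `corenet_tcp_connect_all_ports(postfix_master_t)`, so this line appears to grant nothing new, while postfix_smtp_t gains no access to the spampd ports from this hunk. If the SMTP client is the process that hands mail to spampd, the line should read `corenet_tcp_connect_spamd_port(postfix_smtp_t)`. If postfix_master_t is really meant, the rule belongs with the other postfix_master_t network rules; the postfix_smtp_t section continues outside the hunk.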
@@ -52709,7 +52728,7 @@ index a32c4b3..6550576 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +666,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +671,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -52736,7 +52755,7 @@ index a32c4b3..6550576 100644
')
optional_policy(`
-@@ -599,6 +692,11 @@ optional_policy(`
+@@ -599,6 +697,11 @@ optional_policy(`
')
optional_policy(`
@@ -52748,7 +52767,7 @@ index a32c4b3..6550576 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +709,6 @@ optional_policy(`
+@@ -611,7 +714,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -52756,7 +52775,7 @@ index a32c4b3..6550576 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +727,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +732,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -58769,7 +58788,7 @@ index 82cb169..f9c229f 100644
+ samba_systemctl($1)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..fa11366 100644
+index e30bb63..901d365 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -59054,16 +59073,17 @@ index e30bb63..fa11366 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -783,7 +807,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +807,8 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t nmbd_var_run_t:file read_file_perms;
+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
++samba_stream_connect_nmbd(winbind_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +830,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +831,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
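Review bot: `samba_stream_connect_nmbd(winbind_t)` is a new access for winbind_t that neither the commit message nor the spec changelog entry mentions, so the reason for it cannot be audited later. A changelog line and a short comment above the rule, e.g. `# winbind talks to nmbd over its unix stream socket`, would cover that if this is the purpose. The call also uses the samba module's own interface from inside samba.te, where reference-policy style usually spells intra-module access out as a pattern so the socket types are visible. The interface definition is not on this page, so check which types it covers before rewriting it.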
@@ -59085,7 +59105,7 @@ index e30bb63..fa11366 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +858,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +859,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -59093,7 +59113,7 @@ index e30bb63..fa11366 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -850,10 +876,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +877,14 @@ domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
files_read_usr_symlinks(winbind_t)
@@ -59108,7 +59128,7 @@ index e30bb63..fa11366 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +893,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +894,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
@@ -59121,7 +59141,7 @@ index e30bb63..fa11366 100644
optional_policy(`
kerberos_use(winbind_t)
')
-@@ -904,7 +940,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +941,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -59130,7 +59150,7 @@ index e30bb63..fa11366 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,6 +958,18 @@ optional_policy(`
+@@ -922,6 +959,18 @@ optional_policy(`
#
optional_policy(`
@@ -59149,7 +59169,7 @@ index e30bb63..fa11366 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +980,12 @@ optional_policy(`
+@@ -932,9 +981,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -60476,15 +60496,16 @@ index 93fe7bf..4a15633 100644
allow $1 soundd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
-index 6b3abf9..a785741 100644
+index 6b3abf9..77d6c8e 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
-@@ -1,15 +1,28 @@
+@@ -1,15 +1,31 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+
+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
@@ -60495,6 +60516,7 @@ index 6b3abf9..a785741 100644
+/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
@@ -60508,6 +60530,7 @@ index 6b3abf9..a785741 100644
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
++/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
@@ -60724,7 +60747,7 @@ index c954f31..eb3c330 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..1c3a4bb 100644
+index ec1eb1e..b59c5c2 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
@@ -61030,7 +61053,7 @@ index ec1eb1e..1c3a4bb 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +414,17 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -61044,16 +61067,21 @@ index ec1eb1e..1c3a4bb 100644
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
+
++read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
++
+can_exec(spamd_t, spamd_exec_t)
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,22 +471,31 @@ files_read_var_lib_files(spamd_t)
+@@ -367,22 +473,34 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
+auth_use_nsswitch(spamd_t)
+
++libs_use_ld_so(spamd_t)
++libs_use_shared_libs(spamd_t)
++
logging_send_syslog_msg(spamd_t)
miscfiles_read_localization(spamd_t)
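Review bot: `read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)` gives the daemon read access to every file labelled spamc_home_t, which per the spamassassin.fc part of this patch includes `/root/\.spamassassin`, and the changelog does not list it. A comment stating what spamd or spampd reads there, e.g. `# read per-user spamassassin configuration`, would justify the grant if that is the purpose. The added `libs_use_ld_so(spamd_t)` and `libs_use_shared_libs(spamd_t)` look redundant if this policy already grants both to every domain through its domain declaration; confirm and drop them if so.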
@@ -61084,7 +61112,7 @@ index ec1eb1e..1c3a4bb 100644
fs_manage_cifs_files(spamd_t)
')
-@@ -399,7 +512,9 @@ optional_policy(`
+@@ -399,7 +517,9 @@ optional_policy(`
')
optional_policy(`
@@ -61094,7 +61122,7 @@ index ec1eb1e..1c3a4bb 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -408,25 +523,17 @@ optional_policy(`
+@@ -408,25 +528,17 @@ optional_policy(`
')
optional_policy(`
@@ -61122,7 +61150,7 @@ index ec1eb1e..1c3a4bb 100644
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +544,10 @@ optional_policy(`
+@@ -437,6 +549,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -61133,7 +61161,7 @@ index ec1eb1e..1c3a4bb 100644
')
optional_policy(`
-@@ -444,6 +555,7 @@ optional_policy(`
+@@ -444,6 +560,7 @@ optional_policy(`
')
optional_policy(`
@@ -61141,7 +61169,7 @@ index ec1eb1e..1c3a4bb 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')
-@@ -451,3 +563,51 @@ optional_policy(`
+@@ -451,3 +568,51 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 63e2ba6..e649847 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 90%{?dist}
+Release: 91%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Aug 1 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-91
+- Allow postfix to connect to spampd
+- Add spamd_port_t for 10026, 10027 ports
+- Add support for spampd and treat it as spamd_t policy
+- Allow hplip_t to send notification dbus messages to users
+- Allow freshclam to update databases thru HTTP proxy
+- Make deltacloudd_t as nsswitch_domain
+- Fix cloudform labeling
+
* Mon Jul 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-90
- Allow systemd-tmpfiles to delete boot flags
- Add support for lightdm