[selinux-policy/f17] Fix spamd policy
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jun 22 15:25:32 UTC 2012
commit a66fe883a08924b812a253b1f30ee2a9e392fbc1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jun 22 17:25:05 2012 +0200
Fix spamd policy
policy-F16.patch | 107 +++++++++++++++++++++++++++++++-----------------------
1 files changed, 62 insertions(+), 45 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 978c58c..9d2e9a7 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -120048,7 +120048,7 @@ index ad15fde..12202e1 100644
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
-index db843e2..4389e81 100644
+index db843e2..92203d0 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@@ -120060,6 +120060,15 @@ index db843e2..4389e81 100644
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
+@@ -80,6 +80,8 @@ files_getattr_tmp_dirs(postgrey_t)
+ fs_getattr_all_fs(postgrey_t)
+ fs_search_auto_mountpoints(postgrey_t)
+
++auth_read_passwd(postgrey_t)
++
+ logging_send_syslog_msg(postgrey_t)
+
+ miscfiles_read_localization(postgrey_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 2d82c6d..ff2c96a 100644
--- a/policy/modules/services/ppp.fc
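Review bot: The added `auth_read_passwd(postgrey_t)` in the postgrey.te part of this hunk has no comment saying which denial it answers, and the commit subject mentions only spamd. Going by its name, the interface gives the postgrey domain read access to the passwd file, so the justification should sit next to the rule where the next policy audit will find it. I would put a one-line comment above the call, for example `# needed for user/group name lookups at startup`, with the wording adjusted to what the AVC actually showed, since the reason is not visible here. The surrounding postgrey.te rules continue outside the hunk.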
@@ -129057,10 +129066,10 @@ index c954f31..82fc7f6 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..171aea4 100644
+index ec1eb1e..1ee5862 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
-@@ -6,56 +6,123 @@ policy_module(spamassassin, 2.4.0)
+@@ -6,56 +6,41 @@ policy_module(spamassassin, 2.4.0)
#
## <desc>
@@ -129113,6 +129122,36 @@ index ec1eb1e..171aea4 100644
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-files_tmp_file(spamc_tmp_t)
-ubac_constrained(spamc_tmp_t)
++
++type spamd_update_t;
++type spamd_update_exec_t;
++application_domain(spamd_update_t, spamd_update_exec_t)
++cron_system_entry(spamd_update_t, spamd_update_exec_t)
++role system_r types spamd_update_t;
+
+ type spamd_t;
+ type spamd_exec_t;
+ init_daemon_domain(spamd_t, spamd_exec_t)
+
++type spamd_compiled_t;
++files_type(spamd_compiled_t)
++
++type spamd_initrc_exec_t;
++init_script_file(spamd_initrc_exec_t)
++
++type spamd_log_t;
++logging_log_file(spamd_log_t)
++
+ type spamd_spool_t;
+-files_type(spamd_spool_t)
++files_spool_file(spamd_spool_t)
+
+ type spamd_tmp_t;
+ files_tmp_file(spamd_tmp_t)
+@@ -67,6 +52,89 @@ files_type(spamd_var_lib_t)
+ type spamd_var_run_t;
+ files_pid_file(spamd_var_run_t)
+
+ifdef(`distro_redhat',`
+ # spamassassin client executable
+ type spamc_t;
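Review bot: The declarations this hunk places ahead of the distro_redhat ifdef block (`spamd_update_t` through `spamd_log_t`, including `cron_system_entry(spamd_update_t, spamd_update_exec_t)` and `role system_r types spamd_update_t;`) carry no comment saying that their position matters. The same lines are dropped from below the block in the hunk that follows, so this is a reorder, and presumably the fix depends on it, but nothing on the new side records that. A short comment above `type spamd_update_t;`, such as `# declared before the distro_redhat block; keep this order`, would stop a later rebase of the patch from moving them back. The ifdef block itself continues outside this hunk, so I could not confirm which of these types it refers to.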
@@ -129196,32 +129235,10 @@ index ec1eb1e..171aea4 100644
+ ubac_constrained(spamc_tmp_t)
+')
+
-+type spamd_update_t;
-+type spamd_update_exec_t;
-+application_domain(spamd_update_t, spamd_update_exec_t)
-+cron_system_entry(spamd_update_t, spamd_update_exec_t)
-+role system_r types spamd_update_t;
-
- type spamd_t;
- type spamd_exec_t;
- init_daemon_domain(spamd_t, spamd_exec_t)
-
-+type spamd_compiled_t;
-+files_type(spamd_compiled_t)
-+
-+type spamd_initrc_exec_t;
-+init_script_file(spamd_initrc_exec_t)
-+
-+type spamd_log_t;
-+logging_log_file(spamd_log_t)
-+
- type spamd_spool_t;
--files_type(spamd_spool_t)
-+files_spool_file(spamd_spool_t)
-
- type spamd_tmp_t;
- files_tmp_file(spamd_tmp_t)
-@@ -102,12 +169,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ ##############################
+ #
+ # Standalone program local policy
+@@ -102,12 +170,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
@@ -129236,7 +129253,7 @@ index ec1eb1e..171aea4 100644
# this should probably be removed
corecmd_list_bin(spamassassin_t)
-@@ -148,6 +217,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -148,6 +218,9 @@ tunable_policy(`spamassassin_can_network',`
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -129246,7 +129263,7 @@ index ec1eb1e..171aea4 100644
sysnet_read_config(spamassassin_t)
')
-@@ -158,18 +230,6 @@ tunable_policy(`spamd_enable_home_dirs',`
+@@ -158,18 +231,6 @@ tunable_policy(`spamd_enable_home_dirs',`
userdom_manage_user_home_content_symlinks(spamd_t)
')
@@ -129265,7 +129282,7 @@ index ec1eb1e..171aea4 100644
optional_policy(`
# Write pid file and socket in ~/.evolution/cache/tmp
evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
-@@ -184,6 +244,8 @@ optional_policy(`
+@@ -184,6 +245,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -129274,7 +129291,7 @@ index ec1eb1e..171aea4 100644
')
########################################
-@@ -206,15 +268,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +269,32 @@ allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -129307,7 +129324,7 @@ index ec1eb1e..171aea4 100644
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +305,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +306,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
@@ -129315,7 +129332,7 @@ index ec1eb1e..171aea4 100644
fs_search_auto_mountpoints(spamc_t)
-@@ -244,9 +324,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +325,14 @@ files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -129330,7 +129347,7 @@ index ec1eb1e..171aea4 100644
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -254,27 +339,35 @@ seutil_read_config(spamc_t)
+@@ -254,27 +340,35 @@ seutil_read_config(spamc_t)
sysnet_read_config(spamc_t)
@@ -129372,7 +129389,7 @@ index ec1eb1e..171aea4 100644
')
########################################
-@@ -286,7 +379,7 @@ optional_policy(`
+@@ -286,7 +380,7 @@ optional_policy(`
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -129381,7 +129398,7 @@ index ec1eb1e..171aea4 100644
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -302,10 +395,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +396,17 @@ allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -129400,7 +129417,7 @@ index ec1eb1e..171aea4 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +415,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -129418,7 +129435,7 @@ index ec1eb1e..171aea4 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,23 +471,23 @@ files_read_var_lib_files(spamd_t)
+@@ -367,23 +472,23 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
@@ -129450,7 +129467,7 @@ index ec1eb1e..171aea4 100644
')
optional_policy(`
-@@ -399,7 +503,9 @@ optional_policy(`
+@@ -399,7 +504,9 @@ optional_policy(`
')
optional_policy(`
@@ -129460,7 +129477,7 @@ index ec1eb1e..171aea4 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -408,25 +514,17 @@ optional_policy(`
+@@ -408,25 +515,17 @@ optional_policy(`
')
optional_policy(`
@@ -129488,7 +129505,7 @@ index ec1eb1e..171aea4 100644
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +535,10 @@ optional_policy(`
+@@ -437,6 +536,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -129499,7 +129516,7 @@ index ec1eb1e..171aea4 100644
')
optional_policy(`
-@@ -444,6 +546,7 @@ optional_policy(`
+@@ -444,6 +547,7 @@ optional_policy(`
')
optional_policy(`
@@ -129507,7 +129524,7 @@ index ec1eb1e..171aea4 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')
-@@ -451,3 +554,51 @@ optional_policy(`
+@@ -451,3 +555,51 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')