[selinux-policy/f17] Fix spamd policy

Miroslav Grepl mgrepl at fedoraproject.org
Fri Jun 22 15:25:32 UTC 2012


commit a66fe883a08924b812a253b1f30ee2a9e392fbc1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Jun 22 17:25:05 2012 +0200

    Fix spamd policy

 policy-F16.patch |  107 +++++++++++++++++++++++++++++++-----------------------
 1 files changed, 62 insertions(+), 45 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 978c58c..9d2e9a7 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -120048,7 +120048,7 @@ index ad15fde..12202e1 100644
  	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
-index db843e2..4389e81 100644
+index db843e2..92203d0 100644
 --- a/policy/modules/services/postgrey.te
 +++ b/policy/modules/services/postgrey.te
 @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@@ -120060,6 +120060,15 @@ index db843e2..4389e81 100644
  
  type postgrey_var_lib_t;
  files_type(postgrey_var_lib_t)
+@@ -80,6 +80,8 @@ files_getattr_tmp_dirs(postgrey_t)
+ fs_getattr_all_fs(postgrey_t)
+ fs_search_auto_mountpoints(postgrey_t)
+ 
++auth_read_passwd(postgrey_t)
++
+ logging_send_syslog_msg(postgrey_t)
+ 
+ miscfiles_read_localization(postgrey_t)
 diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
 index 2d82c6d..ff2c96a 100644
 --- a/policy/modules/services/ppp.fc
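Review bot: The added `auth_read_passwd(postgrey_t)` in the new postgrey.te hunk grants access to a domain that the commit title ("Fix spamd policy") does not cover, and nothing records which denial it answers. A new read permission on account data is worth a line of justification, so that a later least-privilege audit can tell whether it is still needed. I would put a why-comment above the call, for example `# postgrey resolves its run-as user/group by name (presumably; confirm against the AVC)`, and mention postgrey in the commit message or split it into its own commit. It is also worth confirming from the logged denial that reading the passwd file is the only access required, so that no broader interface replaces this one later.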
@@ -129057,10 +129066,10 @@ index c954f31..82fc7f6 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..171aea4 100644
+index ec1eb1e..1ee5862 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
-@@ -6,56 +6,123 @@ policy_module(spamassassin, 2.4.0)
+@@ -6,56 +6,41 @@ policy_module(spamassassin, 2.4.0)
  #
  
  ## <desc>
@@ -129113,6 +129122,36 @@ index ec1eb1e..171aea4 100644
 -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
 -files_tmp_file(spamc_tmp_t)
 -ubac_constrained(spamc_tmp_t)
++
++type spamd_update_t;
++type spamd_update_exec_t;
++application_domain(spamd_update_t, spamd_update_exec_t)
++cron_system_entry(spamd_update_t, spamd_update_exec_t)
++role system_r types spamd_update_t;
+ 
+ type spamd_t;
+ type spamd_exec_t;
+ init_daemon_domain(spamd_t, spamd_exec_t)
+ 
++type spamd_compiled_t;
++files_type(spamd_compiled_t)
++
++type spamd_initrc_exec_t;
++init_script_file(spamd_initrc_exec_t)
++
++type spamd_log_t;
++logging_log_file(spamd_log_t)
++
+ type spamd_spool_t;
+-files_type(spamd_spool_t)
++files_spool_file(spamd_spool_t)
+ 
+ type spamd_tmp_t;
+ files_tmp_file(spamd_tmp_t)
+@@ -67,6 +52,89 @@ files_type(spamd_var_lib_t)
+ type spamd_var_run_t;
+ files_pid_file(spamd_var_run_t)
+ 
 +ifdef(`distro_redhat',`
 +	# spamassassin client executable
 +	type spamc_t;
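Review bot: Nothing in the patch or the commit message explains why the `spamd_update_t` … `spamd_spool_t` declarations now sit ahead of the `ifdef(`distro_redhat',` block, which has moved into a new `@@ -67,6 +52,89 @@` hunk after `files_pid_file(spamd_var_run_t)`. Presumably the block depends on those types being declared first, but that is not visible in this hunk. A short comment above the `ifdef`, such as `# keep below the spamd_* type declarations`, would stop the order being reverted on the next rebase. Because the inner hunk headers (`+6,41`, `+52,89` and the shifted offsets in the later hunks) are carried in the patch text, it is also worth confirming that policy-F16.patch still applies cleanly before building.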
@@ -129196,32 +129235,10 @@ index ec1eb1e..171aea4 100644
 +	ubac_constrained(spamc_tmp_t)
 +')
 +
-+type spamd_update_t;
-+type spamd_update_exec_t;
-+application_domain(spamd_update_t, spamd_update_exec_t)
-+cron_system_entry(spamd_update_t, spamd_update_exec_t)
-+role system_r types spamd_update_t;
- 
- type spamd_t;
- type spamd_exec_t;
- init_daemon_domain(spamd_t, spamd_exec_t)
- 
-+type spamd_compiled_t;
-+files_type(spamd_compiled_t)
-+
-+type spamd_initrc_exec_t;
-+init_script_file(spamd_initrc_exec_t)
-+
-+type spamd_log_t;
-+logging_log_file(spamd_log_t)
-+
- type spamd_spool_t;
--files_type(spamd_spool_t)
-+files_spool_file(spamd_spool_t)
- 
- type spamd_tmp_t;
- files_tmp_file(spamd_tmp_t)
-@@ -102,12 +169,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ ##############################
+ #
+ # Standalone program local policy
+@@ -102,12 +170,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
  manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
  manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
  userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
@@ -129236,7 +129253,7 @@ index ec1eb1e..171aea4 100644
  
  # this should probably be removed
  corecmd_list_bin(spamassassin_t)
-@@ -148,6 +217,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -148,6 +218,9 @@ tunable_policy(`spamassassin_can_network',`
  	corenet_udp_sendrecv_all_ports(spamassassin_t)
  	corenet_tcp_connect_all_ports(spamassassin_t)
  	corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -129246,7 +129263,7 @@ index ec1eb1e..171aea4 100644
  
  	sysnet_read_config(spamassassin_t)
  ')
-@@ -158,18 +230,6 @@ tunable_policy(`spamd_enable_home_dirs',`
+@@ -158,18 +231,6 @@ tunable_policy(`spamd_enable_home_dirs',`
  	userdom_manage_user_home_content_symlinks(spamd_t)
  ')
  
@@ -129265,7 +129282,7 @@ index ec1eb1e..171aea4 100644
  optional_policy(`
  	# Write pid file and socket in ~/.evolution/cache/tmp
  	evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
-@@ -184,6 +244,8 @@ optional_policy(`
+@@ -184,6 +245,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -129274,7 +129291,7 @@ index ec1eb1e..171aea4 100644
  ')
  
  ########################################
-@@ -206,15 +268,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +269,32 @@ allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
  
@@ -129307,7 +129324,7 @@ index ec1eb1e..171aea4 100644
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +305,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +306,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
  corenet_udp_sendrecv_all_ports(spamc_t)
  corenet_tcp_connect_all_ports(spamc_t)
  corenet_sendrecv_all_client_packets(spamc_t)
@@ -129315,7 +129332,7 @@ index ec1eb1e..171aea4 100644
  
  fs_search_auto_mountpoints(spamc_t)
  
-@@ -244,9 +324,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +325,14 @@ files_read_usr_files(spamc_t)
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
@@ -129330,7 +129347,7 @@ index ec1eb1e..171aea4 100644
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -254,27 +339,35 @@ seutil_read_config(spamc_t)
+@@ -254,27 +340,35 @@ seutil_read_config(spamc_t)
  
  sysnet_read_config(spamc_t)
  
@@ -129372,7 +129389,7 @@ index ec1eb1e..171aea4 100644
  ')
  
  ########################################
-@@ -286,7 +379,7 @@ optional_policy(`
+@@ -286,7 +380,7 @@ optional_policy(`
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -129381,7 +129398,7 @@ index ec1eb1e..171aea4 100644
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -302,10 +395,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +396,17 @@ allow spamd_t self:unix_dgram_socket sendto;
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -129400,7 +129417,7 @@ index ec1eb1e..171aea4 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +415,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -129418,7 +129435,7 @@ index ec1eb1e..171aea4 100644
  
  kernel_read_all_sysctls(spamd_t)
  kernel_read_system_state(spamd_t)
-@@ -367,23 +471,23 @@ files_read_var_lib_files(spamd_t)
+@@ -367,23 +472,23 @@ files_read_var_lib_files(spamd_t)
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -129450,7 +129467,7 @@ index ec1eb1e..171aea4 100644
  ')
  
  optional_policy(`
-@@ -399,7 +503,9 @@ optional_policy(`
+@@ -399,7 +504,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129460,7 +129477,7 @@ index ec1eb1e..171aea4 100644
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -408,25 +514,17 @@ optional_policy(`
+@@ -408,25 +515,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129488,7 +129505,7 @@ index ec1eb1e..171aea4 100644
  	postgresql_stream_connect(spamd_t)
  ')
  
-@@ -437,6 +535,10 @@ optional_policy(`
+@@ -437,6 +536,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -129499,7 +129516,7 @@ index ec1eb1e..171aea4 100644
  ')
  
  optional_policy(`
-@@ -444,6 +546,7 @@ optional_policy(`
+@@ -444,6 +547,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129507,7 +129524,7 @@ index ec1eb1e..171aea4 100644
  	sendmail_stub(spamd_t)
  	mta_read_config(spamd_t)
  ')
-@@ -451,3 +554,51 @@ optional_policy(`
+@@ -451,3 +555,51 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')

