[selinux-policy/f18] Add sandboxX calling as optional

Miroslav Grepl mgrepl at fedoraproject.org
Tue Sep 4 08:21:53 UTC 2012


commit 215b49cd8e67666655c2ae519da8a2a0426e2191
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Sep 4 10:21:44 2012 +0200

    Add sandboxX calling as optional

 policy_contrib-rawhide.patch |   67 +++++++++++++++++++++++-------------------
 1 files changed, 37 insertions(+), 30 deletions(-)
---
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 0d47838..330cc14 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -13442,7 +13442,7 @@ index 305ddf4..11d010a 100644
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/cups.te b/cups.te
-index e5a8924..4965460 100644
+index e5a8924..85f20ad 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -13755,11 +13755,8 @@ index e5a8924..4965460 100644
  
  dev_read_sysfs(hplip_t)
  dev_rw_printer(hplip_t)
-@@ -682,9 +707,11 @@ corecmd_exec_bin(hplip_t)
- 
- domain_use_interactive_fds(hplip_t)
- 
--files_read_etc_files(hplip_t)
+@@ -685,6 +710,9 @@ domain_use_interactive_fds(hplip_t)
+ files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
 +files_dontaudit_write_usr_dirs(hplip_t)
@@ -13768,7 +13765,7 @@ index e5a8924..4965460 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -695,9 +722,12 @@ sysnet_read_config(hplip_t)
+@@ -695,9 +723,12 @@ sysnet_read_config(hplip_t)
  userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
@@ -13783,7 +13780,7 @@ index e5a8924..4965460 100644
  
  optional_policy(`
  	dbus_system_bus_client(hplip_t)
-@@ -743,7 +773,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,7 +774,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -13791,7 +13788,7 @@ index e5a8924..4965460 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,7 +789,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -760,7 +790,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  domain_use_interactive_fds(ptal_t)
  
@@ -17399,7 +17396,7 @@ index e1d7dc5..df96c0d 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/dovecot.te b/dovecot.te
-index 2df7766..086a1a8 100644
+index 2df7766..dd26869 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -17430,19 +17427,20 @@ index 2df7766..086a1a8 100644
  
  type dovecot_tmp_t;
  files_tmp_file(dovecot_tmp_t)
-@@ -56,9 +59,9 @@ files_pid_file(dovecot_var_run_t)
+@@ -56,9 +59,10 @@ files_pid_file(dovecot_var_run_t)
  # dovecot local policy
  #
  
 -allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
 +allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
++allow dovecot self:capability2 block_suspend;
  dontaudit dovecot_t self:capability sys_tty_config;
 -allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
 +allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
  allow dovecot_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_t self:tcp_socket create_stream_socket_perms;
  allow dovecot_t self:unix_dgram_socket create_socket_perms;
-@@ -72,7 +75,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+@@ -72,7 +76,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
  read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
  read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
  
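Review bot: The rule added to the dovecot.te section, `allow dovecot self:capability2 block_suspend;`, names `dovecot` as its source, while every neighbouring rule uses the type `dovecot_t`. No type or attribute called `dovecot` is declared in the lines shown, so this presumably breaks the policy build or at least never grants the capability to the daemon's domain. It should read `allow dovecot_t self:capability2 block_suspend;`. Since this widens the domain's capability set, a one-line comment giving the reason (or the denial it answers) would let a later reviewer judge whether `dontaudit` would have been enough. The dovecot local policy section continues outside this hunk.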
@@ -17453,7 +17451,7 @@ index 2df7766..086a1a8 100644
  files_search_etc(dovecot_t)
  
  can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,15 +99,16 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,15 +100,16 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  
@@ -17472,7 +17470,7 @@ index 2df7766..086a1a8 100644
  corenet_all_recvfrom_netlabel(dovecot_t)
  corenet_tcp_sendrecv_generic_if(dovecot_t)
  corenet_tcp_sendrecv_generic_node(dovecot_t)
-@@ -110,6 +116,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+@@ -110,6 +117,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
  corenet_tcp_bind_generic_node(dovecot_t)
  corenet_tcp_bind_mail_port(dovecot_t)
  corenet_tcp_bind_pop_port(dovecot_t)
@@ -17480,7 +17478,7 @@ index 2df7766..086a1a8 100644
  corenet_tcp_bind_sieve_port(dovecot_t)
  corenet_tcp_connect_all_ports(dovecot_t)
  corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -128,13 +135,14 @@ corecmd_exec_bin(dovecot_t)
+@@ -128,13 +136,14 @@ corecmd_exec_bin(dovecot_t)
  
  domain_use_interactive_fds(dovecot_t)
  
@@ -17496,7 +17494,7 @@ index 2df7766..086a1a8 100644
  
  init_getattr_utmp(dovecot_t)
  
-@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t)
+@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t)
  miscfiles_read_generic_certs(dovecot_t)
  miscfiles_read_localization(dovecot_t)
  
@@ -17504,7 +17502,7 @@ index 2df7766..086a1a8 100644
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_manage_user_home_content_dirs(dovecot_t)
  userdom_manage_user_home_content_files(dovecot_t)
-@@ -153,6 +162,7 @@ userdom_manage_user_home_content_pipes(dovecot_t)
+@@ -153,6 +163,7 @@ userdom_manage_user_home_content_pipes(dovecot_t)
  userdom_manage_user_home_content_sockets(dovecot_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
  
@@ -17512,7 +17510,7 @@ index 2df7766..086a1a8 100644
  mta_manage_spool(dovecot_t)
  
  optional_policy(`
-@@ -160,10 +170,24 @@ optional_policy(`
+@@ -160,10 +171,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17537,7 +17535,7 @@ index 2df7766..086a1a8 100644
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
-@@ -180,8 +204,8 @@ optional_policy(`
+@@ -180,8 +205,8 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -17548,7 +17546,7 @@ index 2df7766..086a1a8 100644
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +214,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -17558,7 +17556,7 @@ index 2df7766..086a1a8 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,22 +228,25 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,22 +229,25 @@ dovecot_stream_connect_auth(dovecot_auth_t)
  kernel_read_all_sysctls(dovecot_auth_t)
  kernel_read_system_state(dovecot_auth_t)
  
@@ -17586,7 +17584,7 @@ index 2df7766..086a1a8 100644
  
  init_rw_utmp(dovecot_auth_t)
  
-@@ -224,6 +254,8 @@ miscfiles_read_localization(dovecot_auth_t)
+@@ -224,6 +255,8 @@ miscfiles_read_localization(dovecot_auth_t)
  
  seutil_dontaudit_search_config(dovecot_auth_t)
  
@@ -17595,7 +17593,7 @@ index 2df7766..086a1a8 100644
  optional_policy(`
  	kerberos_use(dovecot_auth_t)
  
-@@ -236,6 +268,8 @@ optional_policy(`
+@@ -236,6 +269,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -17604,7 +17602,7 @@ index 2df7766..086a1a8 100644
  ')
  
  optional_policy(`
-@@ -243,6 +277,8 @@ optional_policy(`
+@@ -243,6 +278,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17613,7 +17611,7 @@ index 2df7766..086a1a8 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +286,42 @@ optional_policy(`
+@@ -250,23 +287,42 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -17659,7 +17657,7 @@ index 2df7766..086a1a8 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -283,24 +338,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +339,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -30786,7 +30784,7 @@ index ee72cbe..bf5fc09 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 26101cb..01ef5a5 100644
+index 26101cb..f3861c3 100644
 --- a/milter.te
 +++ b/milter.te
 @@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
@@ -30870,6 +30868,15 @@ index 26101cb..01ef5a5 100644
  ########################################
  #
  # milter-regex local policy
+@@ -88,6 +136,8 @@ corecmd_exec_shell(spamass_milter_t)
+ corecmd_read_bin_symlinks(spamass_milter_t)
+ corecmd_search_bin(spamass_milter_t)
+ 
++auth_use_nsswitch(spamass_milter_t)
++
+ mta_send_mail(spamass_milter_t)
+ 
+ # The main job of the milter is to pipe spam through spamc and act on the result
 diff --git a/mock.fc b/mock.fc
 new file mode 100644
 index 0000000..8d0e473
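Review bot: `auth_use_nsswitch(spamass_milter_t)` is added to milter.te without a comment or bug reference saying which lookup the milter was denied. As far as I know, this interface covers all name-service backends the policy supports, not only reading the local passwd data, so it is a fairly wide grant for a domain that already executes a shell and sends mail. I would put a comment directly above the call, e.g. `# needed for <denied lookup>, see <bug reference>`, so it can be narrowed later if a smaller interface turns out to be enough. The spamass_milter_t section starts and ends outside this hunk.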
@@ -53099,7 +53106,7 @@ index 0000000..ad91dbe
 +')
 diff --git a/sandbox.te b/sandbox.te
 new file mode 100644
-index 0000000..8213fab
+index 0000000..ea26d67
 --- /dev/null
 +++ b/sandbox.te
 @@ -0,0 +1,63 @@
@@ -53138,6 +53145,7 @@ index 0000000..8213fab
 +	sandbox_exec_file(sandbox_domain)
 +	sandbox_manage_content(sandbox_domain)
 +	sandbox_dontaudit_mounton(sandbox_domain)
++	sandbox_manage_tmpfs_files(sandbox_domain)
 +')
 +
 +gen_require(`
@@ -53164,8 +53172,7 @@ index 0000000..8213fab
 +
 +mta_dontaudit_read_spool_symlinks(sandbox_domain)
 +
-+sandbox_manage_tmpfs_files(sandbox_domain)
-+sandbox_manage_content(sandbox_domain)
++
 diff --git a/sandboxX.fc b/sandboxX.fc
 new file mode 100644
 index 0000000..6caef63

