From 3563687d05206ea8165b07be437b518d19783785 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 01 2012 12:56:05 +0000 Subject: - Allow postfix to connect to spampd - Add spamd_port_t for 10026, 10027 ports - Add support for spampd and treat it as spamd_t policy - Allow hplip_t to send notification dbus messages to users - Allow freshclam to update databases thru HTTP proxy - Make deltacloudd_t as nsswitch_domain - Fix cloudform labeling --- diff --git a/policy-F16.patch b/policy-F16.patch index 7bfc69d..5e5e3c5 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -14685,7 +14685,7 @@ index 4f3b542..f4e36ee 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..688d361 100644 +index 99b71cb..15c10d3 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -14919,7 +14919,8 @@ index 99b71cb..688d361 100644 +network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) - network_port(spamd, tcp,783,s0) +-network_port(spamd, tcp,783,s0) ++network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0) network_port(speech, tcp,8036,s0) -network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp +network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp @@ -30536,7 +30537,7 @@ index 1f11572..9eb2461 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..c78e22d 100644 +index f758323..146313e 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,23 @@ 
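Review bot: Adding 10026 and 10027 to `network_port(spamd, ...)` in corenetwork.te.in widens spamd_port_t instead of giving the spampd relay ports their own type, so every existing rule written against spamd_port_t now covers all three ports. One consequence is visible in this commit: `corenet_tcp_bind_spamd_port(postfix_master_t)` in postfix.te also lets the Postfix master bind 783, and any domain already allowed to bind spamd_port_t gains 10026 and 10027. If only the relay ports are meant, a separate declaration such as `network_port(spampd, tcp,10026,s0, tcp,10027,s0)` with its own bind and connect rules would keep the grant narrower. At minimum, a comment on the line should say why the ports share one type.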
@@ -30650,7 +30651,7 @@ index f758323..c78e22d 100644 ') ######################################## -@@ -178,10 +208,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +208,17 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -30661,6 +30662,7 @@ index f758323..c78e22d 100644 logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) +kernel_read_kernel_sysctls(freshclam_t) ++kernel_read_network_state(freshclam_t) +kernel_read_system_state(freshclam_t) + +corecmd_exec_shell(freshclam_t) @@ -30669,15 +30671,16 @@ index f758323..c78e22d 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +225,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +226,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) +corenet_tcp_connect_clamd_port(freshclam_t) ++corenet_tcp_connect_squid_port(freshclam_t) corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +244,18 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +246,18 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -30700,7 +30703,7 @@ index f758323..c78e22d 100644 ######################################## # # clamscam local policy -@@ -242,15 +281,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,15 +283,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; 
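Review bot: The two rules added for freshclam_t, `kernel_read_network_state(freshclam_t)` and `corenet_tcp_connect_squid_port(freshclam_t)`, carry no comment tying them to the proxy use case named in the commit message. A line such as `# database updates through an HTTP proxy` above the connect rule would tell the next reader why a virus-definition updater may reach the proxy port. The rule covers only ports typed as squid, so a proxy listening on a port with a different label would presumably still be denied; it is worth confirming whether that is intended. The freshclam section continues outside the hunk, so an existing grant for other proxy ports cannot be ruled out from here.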
@@ -30734,7 +30737,7 @@ index f758323..c78e22d 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +321,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +323,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -30878,10 +30881,10 @@ index 0000000..6451167 +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..a861db8 +index 0000000..ad67313 --- /dev/null +++ b/policy/modules/services/cloudform.te -@@ -0,0 +1,238 @@ +@@ -0,0 +1,240 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -30992,6 +30995,8 @@ index 0000000..a861db8 +corenet_tcp_bind_generic_node(deltacloudd_t) +corenet_tcp_bind_generic_port(deltacloudd_t) + ++auth_use_nsswitch(deltacloudd_t) ++ +files_read_usr_files(deltacloudd_t) + +logging_send_syslog_msg(deltacloudd_t) @@ -34060,7 +34065,7 @@ index 305ddf4..173cd16 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..5972414 100644 +index 0f28095..d9ca30f 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -34303,9 +34308,11 @@ index 0f28095..5972414 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +736,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -695,9 +735,12 @@ sysnet_read_config(hplip_t) + userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) ++userdom_dbus_send_all_users(hplip_t) -lpd_read_config(hplip_t) -lpd_manage_spool(hplip_t) @@ -52345,7 +52352,7 @@ index 46bee12..76b68b5 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') 
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..6550576 100644 +index a32c4b3..fc74b0a 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -52470,7 +52477,16 @@ index a32c4b3..6550576 100644 corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t) +@@ -157,6 +174,8 @@ corenet_tcp_connect_all_ports(postfix_master_t) + corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) + corenet_sendrecv_smtp_server_packets(postfix_master_t) + corenet_sendrecv_all_client_packets(postfix_master_t) ++# for spampd ++corenet_tcp_bind_spamd_port(postfix_master_t) + + # for a find command + selinux_dontaudit_search_fs(postfix_master_t) +@@ -167,6 +186,10 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -52481,7 +52497,7 @@ index a32c4b3..6550576 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,13 +243,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; 
@@ -52500,7 +52516,7 @@ index a32c4b3..6550576 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, +@@ -243,12 +270,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) @@ -52518,7 +52534,7 @@ index a32c4b3..6550576 100644 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; corecmd_exec_bin(postfix_cleanup_t) -@@ -264,7 +294,6 @@ optional_policy(` +@@ -264,7 +296,6 @@ optional_policy(` # Postfix local local policy # @@ -52526,7 +52542,7 @@ index a32c4b3..6550576 100644 allow postfix_local_t self:process { setsched setrlimit }; # connect to master process -@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +304,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -52535,7 +52551,7 @@ index a32c4b3..6550576 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -52554,7 +52570,7 @@ index a32c4b3..6550576 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +333,10 @@ optional_policy(` +@@ -297,6 +335,10 @@ optional_policy(` ') optional_policy(` 
@@ -52565,7 +52581,7 @@ index a32c4b3..6550576 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +344,22 @@ optional_policy(` +@@ -304,9 +346,22 @@ optional_policy(` ') optional_policy(` @@ -52588,7 +52604,7 @@ index a32c4b3..6550576 100644 ######################################## # # Postfix map local policy -@@ -379,18 +432,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +434,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -52614,7 +52630,7 @@ index a32c4b3..6550576 100644 allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +460,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -52623,7 +52639,7 @@ index a32c4b3..6550576 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +481,7 @@ optional_policy(` +@@ -420,6 +483,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -52631,7 +52647,7 @@ index a32c4b3..6550576 100644 ') optional_policy(` -@@ -436,11 +498,18 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +500,18 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -52650,7 +52666,7 @@ index a32c4b3..6550576 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -52661,7 +52677,7 @@ index a32c4b3..6550576 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +590,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -52674,7 +52690,7 @@ index a32c4b3..6550576 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +614,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -52685,16 +52701,19 @@ index a32c4b3..6550576 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +635,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; +rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + ++# for spampd ++corenet_tcp_connect_spamd_port(postfix_master_t) ++ files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +642,14 @@ optional_policy(` +@@ -565,6 +647,14 @@ optional_policy(` ') optional_policy(` 
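Review bot: The `# for spampd` rule added in the postfix_smtp_t section (new-side line 635 onwards of postfix.te) names postfix_master_t as the source domain, which looks like a copy-paste slip from the bind rule added earlier in this file. The surrounding rules all grant to postfix_smtp_t, and the context of the earlier hunk shows `corenet_tcp_connect_all_ports(postfix_master_t)`, so the new line appears redundant for the master and leaves the SMTP client without the connect permission the commit message describes. If the client is the intended subject, the line should read `corenet_tcp_connect_spamd_port(postfix_smtp_t)`. The postfix_smtp_t section starts and ends outside the hunk, so an existing broader connect rule for that domain cannot be ruled out from here.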
@@ -52709,7 +52728,7 @@ index a32c4b3..6550576 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +666,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +671,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -52736,7 +52755,7 @@ index a32c4b3..6550576 100644 ') optional_policy(` -@@ -599,6 +692,11 @@ optional_policy(` +@@ -599,6 +697,11 @@ optional_policy(` ') optional_policy(` @@ -52748,7 +52767,7 @@ index a32c4b3..6550576 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +709,6 @@ optional_policy(` +@@ -611,7 +714,6 @@ optional_policy(` # Postfix virtual local policy # @@ -52756,7 +52775,7 @@ index a32c4b3..6550576 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +727,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +732,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -58769,7 +58788,7 @@ index 82cb169..f9c229f 100644 + samba_systemctl($1) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..fa11366 100644 +index e30bb63..901d365 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) 
@@ -59054,16 +59073,17 @@ index e30bb63..fa11366 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -783,7 +807,7 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -783,7 +807,8 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; -allow winbind_t nmbd_var_run_t:file read_file_perms; +read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) ++samba_stream_connect_nmbd(winbind_t) allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,15 +830,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +831,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -59085,7 +59105,7 @@ index e30bb63..fa11366 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +858,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +859,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -59093,7 +59113,7 @@ index e30bb63..fa11366 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -850,10 +876,14 @@ domain_use_interactive_fds(winbind_t) +@@ -850,10 +877,14 @@ domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) files_read_usr_symlinks(winbind_t) 
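Review bot: The new `samba_stream_connect_nmbd(winbind_t)` in samba.te calls one of the samba module's own interfaces from inside the module, whereas the neighbouring rules use the pattern macros directly, for example `read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)` on the line above. Writing it as `stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)` would match the rest of the section and keep the granted object types visible at the point of use. This assumes the interface expands to that pattern; its definition in samba.if is not shown in this hunk.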
@@ -59108,7 +59128,7 @@ index e30bb63..fa11366 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -863,6 +893,12 @@ userdom_manage_user_home_content_pipes(winbind_t) +@@ -863,6 +894,12 @@ userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) @@ -59121,7 +59141,7 @@ index e30bb63..fa11366 100644 optional_policy(` kerberos_use(winbind_t) ') -@@ -904,7 +940,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +941,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -59130,7 +59150,7 @@ index e30bb63..fa11366 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +958,18 @@ optional_policy(` +@@ -922,6 +959,18 @@ optional_policy(` # optional_policy(` @@ -59149,7 +59169,7 @@ index e30bb63..fa11366 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +980,12 @@ optional_policy(` +@@ -932,9 +981,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -60476,15 +60496,16 @@ index 93fe7bf..4a15633 100644 allow $1 soundd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc -index 6b3abf9..a785741 100644 +index 6b3abf9..77d6c8e 100644 --- a/policy/modules/services/spamassassin.fc 
+++ b/policy/modules/services/spamassassin.fc -@@ -1,15 +1,28 @@ +@@ -1,15 +1,31 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) + +/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) @@ -60495,6 +60516,7 @@ index 6b3abf9..a785741 100644 +/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0) /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) @@ -60508,6 +60530,7 @@ index 6b3abf9..a785741 100644 /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if @@ -60724,7 +60747,7 @@ index c954f31..eb3c330 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..1c3a4bb 100644 +index ec1eb1e..b59c5c2 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0) 
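Review bot: Labelling `/usr/sbin/spampd` as spamd_exec_t, with its init script and spool under the existing spamd types, means the SMTP proxy runs with the complete spamd_t rule set rather than only what a proxy needs. The commit message states this is deliberate, but nothing in spamassassin.fc records it. A comment such as `# spampd shares the spamd_t domain` above the three new entries would make the shared confinement explicit. Since spampd accepts mail over the network, it is worth tracking whether a dedicated domain with a narrower rule set is warranted later.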
@@ -61030,7 +61053,7 @@ index ec1eb1e..1c3a4bb 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -314,11 +414,17 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -61044,16 +61067,21 @@ index ec1eb1e..1c3a4bb 100644 +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) + ++read_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++ +can_exec(spamd_t, spamd_exec_t) kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -367,22 +471,31 @@ files_read_var_lib_files(spamd_t) +@@ -367,22 +473,34 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) +auth_use_nsswitch(spamd_t) + ++libs_use_ld_so(spamd_t) ++libs_use_shared_libs(spamd_t) ++ logging_send_syslog_msg(spamd_t) miscfiles_read_localization(spamd_t) @@ -61084,7 +61112,7 @@ index ec1eb1e..1c3a4bb 100644 fs_manage_cifs_files(spamd_t) ') -@@ -399,7 +512,9 @@ optional_policy(` +@@ -399,7 +517,9 @@ optional_policy(` ') optional_policy(` @@ -61094,7 +61122,7 @@ index ec1eb1e..1c3a4bb 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -408,25 +523,17 @@ optional_policy(` +@@ -408,25 +528,17 @@ optional_policy(` ') optional_policy(` @@ -61122,7 +61150,7 @@ index ec1eb1e..1c3a4bb 100644 postgresql_stream_connect(spamd_t) ') -@@ -437,6 +544,10 @@ optional_policy(` +@@ -437,6 +549,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -61133,7 +61161,7 @@ index ec1eb1e..1c3a4bb 100644 ') optional_policy(` -@@ -444,6 +555,7 @@ optional_policy(` +@@ -444,6 +560,7 @@ optional_policy(` ') optional_policy(` 
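Review bot: `read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)` gives the daemon read access to files under users' `.spamassassin` directories (labelled spamc_home_t in spamassassin.fc) with no comment saying which program needs it. A one-line comment such as `# per-user preferences read by spamd/spampd` would document the grant. The added `libs_use_ld_so(spamd_t)` and `libs_use_shared_libs(spamd_t)` are probably already provided to every domain by the base policy; if so they can be dropped, otherwise a comment should say why spamd_t lacked them.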
@@ -61141,7 +61169,7 @@ index ec1eb1e..1c3a4bb 100644 sendmail_stub(spamd_t) mta_read_config(spamd_t) ') -@@ -451,3 +563,51 @@ optional_policy(` +@@ -451,3 +568,51 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 63e2ba6..e649847 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 90%{?dist} +Release: 91%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Aug 1 2012 Miroslav Grepl 3.10.0-91 +- Allow postfix to connect to spampd +- Add spamd_port_t for 10026, 10027 ports +- Add support for spampd and treat it as spamd_t policy +- Allow hplip_t to send notification dbus messages to users +- Allow freshclam to update databases thru HTTP proxy +- Make deltacloudd_t as nsswitch_domain +- Fix cloudform labeling + * Mon Jul 2 2012 Miroslav Grepl 3.10.0-90 - Allow systemd-tmpfiles to delete boot flags - Add support for lightdm