From eee257cc9014ff278e71c7f9cc08d6c355d31dfb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Nov 15 2007 15:39:43 +0000
Subject: - Allow spamd to manage razor files
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index 4cfb659..c81b3c9 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1708,7 +1708,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.8/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2007-11-15 10:23:21.000000000 -0500
+@@ -40,7 +40,7 @@
+ allow netutils_t self:capability { net_admin net_raw setuid setgid };
+ dontaudit netutils_t self:capability sys_tty_config;
+ allow netutils_t self:process { sigkill sigstop signull signal };
+-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
++allow netutils_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow netutils_t self:packet_socket create_socket_perms;
+ allow netutils_t self:udp_socket create_socket_perms;
+ allow netutils_t self:tcp_socket create_stream_socket_perms;
 @@ -94,9 +94,22 @@
 ')
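Review bot: The new rule `allow netutils_t self:netlink_route_socket rw_netlink_socket_perms;` widens the old explicit set `{ bind create getattr nlmsg_read nlmsg_write read write }`: in refpolicy `rw_netlink_socket_perms` expands to `create_socket_perms` plus `nlmsg_read nlmsg_write`, which additionally covers ioctl, setattr, append, connect, getopt, setopt and shutdown (the macro body is not on this page, so confirm against the tree's obj_perm_sets.spt). netutils_t already holds net_admin, so this is not an escalation, but the commit message mentions only razor and gives no denial that motivated the broadening. If one specific permission was missing, adding just that one keeps the rule at the minimum the tools need; otherwise a one-line comment such as `# rw_netlink_socket_perms: route queries and updates by ip/ifconfig` would record why the wider set is intended.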
@@ -1732,7 +1741,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 ########################################
 #
 # Ping local policy
-@@ -113,6 +126,7 @@
+@@ -107,12 +120,14 @@
+ allow ping_t self:tcp_socket create_socket_perms;
+ allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+ allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
++allow ping_t self:netlink_route_socket r_netlink_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(ping_t)
+ corenet_all_recvfrom_netlabel(ping_t)
 corenet_tcp_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_nodes(ping_t)
@@ -1740,6 +1756,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 corenet_tcp_sendrecv_all_nodes(ping_t)
 corenet_tcp_sendrecv_all_ports(ping_t)
+@@ -166,7 +181,7 @@
+ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+ allow traceroute_t self:rawip_socket create_socket_perms;
+ allow traceroute_t self:packet_socket create_socket_perms;
+-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
++allow traceroute_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow traceroute_t self:udp_socket create_socket_perms;
+
+ kernel_read_system_state(traceroute_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.if serefpolicy-3.0.8/policy/modules/admin/portage.if
 --- nsaserefpolicy/policy/modules/admin/portage.if 2007-10-22 13:21:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/portage.if 2007-10-29 23:59:29.000000000 -0400
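Review bot: The traceroute hunk replaces `{ bind create getattr nlmsg_read read write }` with `rw_netlink_socket_perms`, which in refpolicy includes `nlmsg_write`; the old rule deliberately lacked it, so traceroute_t moves from querying routes to being able to send route-modifying netlink messages. The ping hunk directly above meets the same need with the read-only set, and the consistent least-privilege choice here is `allow traceroute_t self:netlink_route_socket r_netlink_socket_perms;`. If a real nlmsg_write denial was observed it should be recorded in the commit message, since traceroute_t also holds net_admin (visible in the hunk) and that combination is what actually lets routes be changed.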
@@ -2380,7 +2405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-11-14 15:02:28.000000000 -0500 @@ -22,7 +22,7 @@ # Local policy # @@ -2409,7 +2434,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te corenet_tcp_connect_all_ports(vpnc_t) corenet_sendrecv_all_client_packets(vpnc_t) corenet_sendrecv_isakmp_server_packets(vpnc_t) -@@ -96,7 +98,7 @@ +@@ -90,13 +92,14 @@ + locallogin_use_fds(vpnc_t) + + logging_send_syslog_msg(vpnc_t) ++logging_dontaudit_search_logs(vpnc_t) + + miscfiles_read_localization(vpnc_t) + seutil_dontaudit_search_config(vpnc_t) seutil_use_newrole_fds(vpnc_t) @@ -11253,6 +11285,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi corecmd_exec_bin(radiusd_t) corecmd_exec_shell(radiusd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.0.8/policy/modules/services/razor.if +--- nsaserefpolicy/policy/modules/services/razor.if 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/razor.if 2007-11-14 14:07:58.000000000 -0500 +@@ -218,3 +218,41 @@ + + domtrans_pattern($1, razor_exec_t, razor_t) + ') ++ ++######################################## ++## ++## Create, read, write, and delete razor files ++## in a user home subdirectory. ++## ++## ++##

++## Create, read, write, and delete razor files ++## in a user home subdirectory. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`razor_manage_user_home_files',` ++ gen_require(` ++ type $1_home_dir_t, $1_razor_home_t; ++ ') ++ ++ files_search_home($2) ++ allow $2 $1_home_dir_t:dir search_dir_perms; ++ manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.0.8/policy/modules/services/remotelogin.if --- nsaserefpolicy/policy/modules/services/remotelogin.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/remotelogin.if 2007-10-29 23:59:29.000000000 -0400 
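Review bot: `razor_manage_user_home_files` grants search on `$1_home_dir_t` with a raw `allow` after pulling the type in through `gen_require`, reaching across the module boundary into userdomain; refpolicy convention is to go through the owning module's interface, e.g. `userdom_search_user_home_dirs($1,$2)` (assuming this tree provides it, as 3.0.x refpolicy does), so a type change in userdomain cannot silently break razor. The body also covers only files: `manage_files_pattern` gives `$2` rw_dir_perms on `$1_razor_home_t` but no create/delete of the directory itself, so a caller that has to create `~/.razor` will be denied — either add `manage_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t)` or state in the summary that the directory must already exist and be labelled. The template's doc block is the whole of the visible change and matches the body as written, so only the summary wording would need to follow whichever option is chosen.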
@@ -12709,9 +12786,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 seutil_sigchld_newrole(soundd_t)
 ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if
+--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-11-14 14:47:36.000000000 -0500
+@@ -286,6 +286,12 @@
+ userdom_manage_user_home_content_symlinks($1,spamd_t)
+ ')
+
++ optional_policy(`
++ tunable_policy(`spamd_enable_home_dirs',`
++ razor_manage_user_home_files($1,spamd_t)
++ ')
++ ')
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_spamassassin_t)
+ fs_manage_nfs_files($1_spamassassin_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-11-01 13:43:05.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-11-14 14:09:01.000000000 -0500
 @@ -81,7 +81,7 @@
 # var/lib files for spamd
@@ -14158,7 +14251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
 ##
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-11-15 10:15:01.000000000 -0500
 @@ -14,6 +14,7 @@
 /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
 /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
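Review bot: The new `razor_manage_user_home_files($1,spamd_t)` grants only `spamd_t`, yet the same template also confines the per-user client as `$1_spamassassin_t` (it receives the NFS home permissions two lines below), so if `$1_spamassassin_t` runs razor checks too it will still be denied on `$1_razor_home_t` — confirm the intended scope now rather than after the next denial. Because this template is instantiated once per role prefix, spamd_t ends up with full manage rights on every user's razor state once `spamd_enable_home_dirs` is on; the tunable's description (defined outside this hunk) should say that razor files are included. Wrapping `tunable_policy` inside `optional_policy` is the nesting refpolicy requires when the callee lives in another optional module, so the structure itself needs no change.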
@@ -14167,15 +14260,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ifdef(`distro_suse', `
 /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
-@@ -40,3 +41,5 @@
+@@ -40,3 +41,6 @@
 /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
 /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
++/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
 +
 +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-10 09:11:11.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-15 10:20:36.000000000 -0500
 @@ -26,7 +26,8 @@
 type $1_chkpwd_t, can_read_shadow_passwords;
 application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -15737,7 +15831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-11-14 15:02:16.000000000 -0500
 @@ -33,8 +33,27 @@
 ##
 #
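Review bot: `/var/run/pam_ssh(/.*)?` is labelled `var_auth_t`, the generic authentication runtime type shared with other PAM state, so every domain that already has read/write on var_auth_t (through the auth_*_var_auth interfaces in refpolicy, not shown here) now reaches pam_ssh's per-user state as well. If that directory holds agent sockets or environment files that give access to a user's unlocked SSH keys, a dedicated type — mirroring how `/var/cache/coolkey` got its own `auth_cache_t` in the line just below — would keep that reach narrow; at minimum, list which domains gain access via var_auth_t before shipping. Omitting the file-type column matches the neighbouring `/var/run/sudo(/.*)?` entry and is fine as long as the directory and its contents are meant to share one label.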
@@ -18235,7 +18329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-14 12:20:47.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-14 14:05:33.000000000 -0500
 @@ -29,8 +29,9 @@
 ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bcabe07..f46037c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 54%{?dist}
+Release: 55%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -380,6 +380,9 @@ exit 0
 %endif
 %changelog
+* Wed Nov 14 2007 Dan Walsh 3.0.8-55
+- Allow spamd to manage razor files
+
 * Mon Nov 12 2007 Dan Walsh 3.0.8-54
 - Allow cyrus to authenticate via sasl
 - Allow sshd to work in tunnel mode