From 676d12e95fe7584b19119ea4af7bdf56926d5a5f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 06 2007 16:46:45 +0000 Subject: - Allow sendmail to interact with winbind - Allow dovecot to write log files --- diff --git a/policy-20070703.patch b/policy-20070703.patch index eed5ac4..6f86997 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -4027,7 +4027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-30 20:49:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-06 10:14:30.000000000 -0500 @@ -6,6 +6,22 @@ # Declarations # @@ -5098,7 +5098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.0.8/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/amavis.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/amavis.te 2007-11-06 10:56:06.000000000 -0500 @@ -65,6 +65,7 @@ # Spool Files manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t) 
@@ -7556,8 +7556,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dovecot.fc 2007-10-29 23:59:29.000000000 -0400 -@@ -17,16 +17,19 @@ ++++ serefpolicy-3.0.8/policy/modules/services/dovecot.fc 2007-11-06 10:57:52.000000000 -0500 +@@ -17,19 +17,24 @@ ifdef(`distro_debian', ` /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) @@ -7577,6 +7577,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) ++/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) ++ + /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.8/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/dovecot.if 2007-10-29 23:59:29.000000000 -0400 @@ -7626,7 +7631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-11-06 10:58:42.000000000 -0500 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; 
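Review bot: The new file context `/var/log/dovecot\.log.*` (hunk `@@ -7577,6 +7577,11 @@`) labels only paths beginning with `dovecot.log`, so a relabel (restorecon) will leave any other log file dovecot is configured to write under /var/log — for example a separate info log, if `info_log_path` is set that way — with the generic log type, even though `logging_log_filetrans` in dovecot.te labels files dovecot_t creates at runtime. If a second log name is expected in this packaging, the pattern should be widened to cover it, or a second entry added; otherwise a comment such as `# only the default log_path is labelled here` next to the entry would save the next reader the check.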
@@ -7640,7 +7645,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove type dovecot_cert_t; files_type(dovecot_cert_t) -@@ -46,8 +52,6 @@ +@@ -27,6 +33,9 @@ + type dovecot_spool_t; + files_type(dovecot_spool_t) + ++type dovecot_var_log_t; ++logging_log_file(dovecot_var_log_t) ++ + # /var/lib/dovecot holds SSL parameters file + type dovecot_var_lib_t; + files_type(dovecot_var_lib_t) +@@ -46,8 +55,6 @@ allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -7649,7 +7664,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) allow dovecot_t dovecot_cert_t:dir list_dir_perms; -@@ -67,6 +71,8 @@ +@@ -59,6 +66,10 @@ + + can_exec(dovecot_t, dovecot_exec_t) + ++# log files ++manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) ++logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) ++ + manage_dirs_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t) + manage_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t) + manage_lnk_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t) +@@ -67,6 +78,8 @@ manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t) files_pid_filetrans(dovecot_t,dovecot_var_run_t,file) @@ -7658,7 +7684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -99,7 +105,7 @@ +@@ -99,7 +112,7 @@ files_dontaudit_list_default(dovecot_t) # Dovecot now has quota support and it uses getmntent() to find the mountpoints. files_read_etc_runtime_files(dovecot_t) 
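Review bot: `manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` (hunk `@@ -59,6 +66,10 @@`) grants the full manage set on the daemon's own log files, which includes unlink and rename, so the domain is able to remove or replace its own log history rather than only extend it. If dovecot only opens its log and appends to it (log rotation being done by logrotate), a narrower grant such as `create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` plus `append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` keeps the audit trail out of the daemon's reach; this needs confirming against how dovecot reopens its log on SIGUSR1. The dovecot_t local-policy block these rules belong to starts before the hunk, and the type declaration in `@@ -27,6 +33,9 @@` is fine as written.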
@@ -7667,7 +7693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove init_getattr_utmp(dovecot_t) -@@ -111,9 +117,6 @@ +@@ -111,9 +124,6 @@ miscfiles_read_certs(dovecot_t) miscfiles_read_localization(dovecot_t) @@ -7677,7 +7703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_dontaudit_search_sysadm_home_dirs(dovecot_t) userdom_priveleged_home_dir_manager(dovecot_t) -@@ -125,10 +128,6 @@ +@@ -125,10 +135,6 @@ ') optional_policy(` @@ -7688,7 +7714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -145,33 +144,40 @@ +@@ -145,33 +151,40 @@ # dovecot auth local policy # @@ -7731,7 +7757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -185,12 +191,50 @@ +@@ -185,12 +198,50 @@ seutil_dontaudit_search_config(dovecot_auth_t) @@ -7749,12 +7775,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + +optional_policy(` + nis_authenticate(dovecot_auth_t) -+') + ') + +optional_policy(` + postfix_create_pivate_sockets(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t) - ') ++') + +# for gssapi (kerberos) +userdom_list_unpriv_users_tmp(dovecot_auth_t) 
@@ -8849,8 +8875,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-31 07:35:43.000000000 -0400 -@@ -142,6 +142,12 @@ ++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-11-06 10:45:33.000000000 -0500 +@@ -87,6 +87,8 @@ + # It wants to check for nscd + files_dontaudit_search_pids($1_mail_t) + ++ auth_use_nsswitch($1_mail_t) ++ + libs_use_ld_so($1_mail_t) + libs_use_shared_libs($1_mail_t) + +@@ -94,17 +96,6 @@ + + miscfiles_read_localization($1_mail_t) + +- sysnet_read_config($1_mail_t) +- sysnet_dns_name_resolve($1_mail_t) +- +- optional_policy(` +- nis_use_ypbind($1_mail_t) +- ') +- +- optional_policy(` +- nscd_socket_use($1_mail_t) +- ') +- + optional_policy(` + postfix_domtrans_user_mail_handler($1_mail_t) + ') +@@ -142,6 +133,12 @@ sendmail_create_log($1_mail_t) ') @@ -8863,7 +8916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ####################################### -@@ -226,6 +232,15 @@ +@@ -226,6 +223,15 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files($1_mail_t) fs_manage_cifs_symlinks($1_mail_t) @@ -8879,7 +8932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -314,6 +329,24 @@ +@@ -314,6 +320,24 @@ ######################################## ## @@ -8904,7 +8957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Modified mailserver interface for ## sendmail daemon use. ## -@@ -392,6 +425,7 @@ +@@ -392,6 +416,7 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) 
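Review bot: Replacing `sysnet_read_config`, `sysnet_dns_name_resolve`, `nis_use_ypbind` and `nscd_socket_use` with a single `auth_use_nsswitch($1_mail_t)` (hunks `@@ -87,6 +87,8 @@` and `@@ -94,17 +96,6 @@`) is a widening, not a one-for-one swap: that interface is, as far as I recall of this refpolicy era, where the winbind and ldap socket access also comes from, which is the stated aim for sendmail but lands on every `$1_mail_t` derived domain that the template generates. Two things are worth confirming against auth.if in this tree: that `auth_use_nsswitch` really pulls in the read of sysnet config that the dropped `sysnet_read_config` line provided (nothing else in the hunk does), and that the extra winbind/ldap reach is acceptable for the non-sendmail callers. A one-line comment above the call, e.g. `# covers dns/ypbind/nscd and, when present, winbind and ldap`, would make the substitution self-explaining. The enclosing template starts before the hunk.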
@@ -8912,7 +8965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) -@@ -436,6 +470,24 @@ +@@ -436,6 +461,24 @@ ######################################## ## @@ -8937,7 +8990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Send mail from the system. ## ## -@@ -447,20 +499,18 @@ +@@ -447,20 +490,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; @@ -8964,7 +9017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -595,6 +645,25 @@ +@@ -595,6 +636,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 1b6912d..8ec7752 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 45%{?dist} +Release: 46%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -379,6 +379,10 @@ exit 0 %endif %changelog +* Tue Nov 6 2007 Dan Walsh 3.0.8-46 +- Allow sendmail to interact with winbind +- Allow dovecot to write log files + * Thu Nov 2 2007 Dan Walsh 3.0.8-45 - Allow system_mail_t to domtrans to exim_t