From c8c51853bf44f0ba52f8539f5fcfcfc2838ff418 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Dec 22 2009 21:23:32 +0000
Subject: - Allow sendmail setpgid - Allow dovecot to read nfs homedirs
---
diff --git a/policy-F12.patch b/policy-F12.patch
index 2419eea..b0b998f 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -15973,7 +15973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-22 15:39:34.000000000 -0500
 @@ -56,7 +56,7 @@
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -16046,7 +16046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-@@ -260,3 +274,14 @@
+@@ -260,3 +274,18 @@
 optional_policy(`
 mta_manage_spool(dovecot_deliver_t)
 ')
@@ -16054,11 +16054,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +tunable_policy(`use_nfs_home_dirs',`
 + fs_manage_nfs_files(dovecot_deliver_t)
 + fs_manage_nfs_symlinks(dovecot_deliver_t)
++ fs_manage_nfs_files(dovecot_t)
++ fs_manage_nfs_symlinks(dovecot_t)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
 + fs_manage_cifs_files(dovecot_deliver_t)
 + fs_manage_cifs_symlinks(dovecot_deliver_t)
++ fs_manage_cifs_files(dovecot_t)
++ fs_manage_cifs_symlinks(dovecot_t)
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.32/policy/modules/services/exim.te
@@ -24184,7 +24188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2009-12-17 11:20:47.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2009-12-22 14:56:01.000000000 -0500
 @@ -20,13 +20,17 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
@@ -24201,7 +24205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
 -allow sendmail_t self:process signal;
 +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
-+allow sendmail_t self:process { setrlimit signal signull };
++allow sendmail_t self:process { setpgid setrlimit signal signull };
 allow sendmail_t self:fifo_file rw_fifo_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
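Review bot: The four added `fs_manage_nfs_files(dovecot_t)` / `fs_manage_nfs_symlinks(dovecot_t)` lines and their CIFS twins grant create/write/unlink access, while the subject line and the spec changelog describe the change as letting dovecot "read" NFS home directories; if a read denial is all that was observed, `fs_read_nfs_files(dovecot_t)` and `fs_read_cifs_files(dovecot_t)` would match the stated intent, and if dovecot_t really does write into maildirs under the home directory the changelog should say "manage". As I understand the refpolicy labeling, NFS and CIFS mounts carry a single type (nfs_t / cifs_t), so this grant is not limited to home directories but reaches every file on any such mount, and the context in the first hunk shows dovecot_t already holding `dac_override`, so DAC will not narrow it either. The grant is at least gated by the `use_nfs_home_dirs` / `use_samba_home_dirs` booleans, which I believe are off unless an administrator enables them. I would record the reason above the new lines, e.g. `# dovecot_t (imap/pop3) needs write access to maildirs under NFS/CIFS homes, not just read`, so the next person auditing the boolean knows why the server domain, not only dovecot_deliver_t, carries it.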
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 889d126..9bff916 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 62%{?dist}
+Release: 63%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,10 @@ exit 0
 %endif
 %changelog
+* Tue Dec 21 2009 Dan Walsh 3.6.32-63
+- Allow sendmail setpgid
+- Allow dovecot to read nfs homedirs
+
 * Tue Dec 21 2009 Dan Walsh 3.6.32-62
 - Add label for /var/ekpd
 - Allow portreserve to look at bin files