From ca935486ee0a7dfcd95eaf52ff0b90ccdcce5e8a Mon Sep 17 00:00:00 2001 From: mgrepl Date: Aug 02 2010 11:41:53 +0000 Subject: - Fixes for logwatch-mail policy - Fixes for boinc policy --- diff --git a/policy-F13.patch b/policy-F13.patch index 7b1352e..7c7f67b 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -592,7 +592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc +/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.19/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-07-23 13:46:17.112389035 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-08-02 08:55:03.161641361 +0200 @@ -20,6 +20,9 @@ type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) 
@@ -614,23 +614,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -93,8 +100,15 @@ +@@ -93,8 +100,8 @@ sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) +userdom_dontaudit_list_admin_dir(logwatch_t) -mta_send_mail(logwatch_t) + + ifdef(`distro_redhat',` + files_search_all(logwatch_t) +@@ -146,3 +153,26 @@ + samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) + ') ++ ++ +# bug 614698 +#mta_send_mail(logwatch_t) +mta_base_mail_template(logwatch) +mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) +role system_r types logwatch_mail_t; -+logging_read_all_logs(logwatch_mail_t) ++ ++####################################### ++# ++# Local logwatch-mail policy ++# ++ ++allow logwatch_mail_t self:capability { dac_read_search dac_override }; ++ ++ +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) - - ifdef(`distro_redhat',` - files_search_all(logwatch_t) ++ ++logging_read_all_logs(logwatch_mail_t) ++ ++ ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.19/policy/modules/admin/mcelog.te --- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/mcelog.te 2010-05-28 09:41:59.952610471 +0200 
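Review bot: `allow logwatch_mail_t self:capability { dac_read_search dac_override };` in the new "Local logwatch-mail policy" section is broader than reading logs calls for: dac_override also waives DAC write and execute checks on any file the domain's type rules reach, whereas dac_read_search only waives read and search. If the AVC that prompted this showed only reads of root-owned log files, `allow logwatch_mail_t self:capability dac_read_search;` is enough; if dac_override really is required, a comment naming the file that needs it would keep the next reviewer from trimming it. The same section gives logwatch_mail_t `logging_read_all_logs` and manage access on logwatch_tmp_t, so a short note on why the mail-sending step (rather than logwatch_t, which presumably builds the report) needs the logs would also help; logwatch_t's own rules start outside this hunk.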
@@ -4597,8 +4617,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-06-08 15:04:19.920622331 +0200 -@@ -0,0 +1,68 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-07-28 15:15:45.207071864 +0200 +@@ -0,0 +1,69 @@ +policy_module(kdumpgui,1.0.0) + +######################################## @@ -4628,6 +4648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui +corecmd_exec_shell(kdumpgui_t) +consoletype_exec(kdumpgui_t) + ++kernel_read_debugfs(kdumpgui_t) +kernel_read_system_state(kdumpgui_t) +kernel_read_network_state(kdumpgui_t) + 
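Review bot: `kernel_read_debugfs(kdumpgui_t)` is added without any comment on what kdumpgui reads under /sys/kernel/debug, and debugfs exposes kernel-internal state that a GUI tool rarely needs. A one-line comment naming the debugfs file it opens (I cannot tell from the hunk which one) would let a later reviewer decide whether a narrower rule, or a dontaudit if the read is only speculative, would do. The rest of kdumpgui_t's rules lie outside this hunk.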
@@ -15577,14 +15598,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.19/policy/modules/services/boinc.fc --- nsaserefpolicy/policy/modules/services/boinc.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-05-28 09:42:00.067610962 +0200 -@@ -0,0 +1,6 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-07-28 14:59:48.452071586 +0200 +@@ -0,0 +1,8 @@ + -+/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) + -+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) ++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) + -+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) ++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) ++/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) ++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.19/policy/modules/services/boinc.if --- nsaserefpolicy/policy/modules/services/boinc.if 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-06-25 14:56:43.461388526 +0200 
@@ -15742,8 +15765,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-07-09 10:05:19.736135219 +0200 -@@ -0,0 +1,100 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-07-28 14:59:48.453071939 +0200 +@@ -0,0 +1,148 @@ + +policy_module(boinc,1.0.0) + @@ -15770,13 +15793,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +type boinc_var_lib_t; +files_type(boinc_var_lib_t) + ++type boinc_project_t; ++domain_type(boinc_project_t) ++role system_r types boinc_project_t; ++ ++permissive boinc_project_t; ++ ++type boinc_project_var_lib_t; ++files_type(boinc_project_var_lib_t) ++ +######################################## +# +# boinc local policy +# + +allow boinc_t self:capability { kill }; -+allow boinc_t self:process { execmem ptrace fork setsched signal signull sigkill sigstop }; ++allow boinc_t self:process { setsched }; + +allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; @@ -15796,10 +15828,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } ) + -+kernel_read_network_state(boinc_t) ++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++ +kernel_read_system_state(boinc_t) -+kernel_read_kernel_sysctls(boinc_t) -+kernel_search_vm_sysctl(boinc_t) + +corecmd_exec_bin(boinc_t) +corecmd_exec_shell(boinc_t) 
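Review bot: `permissive boinc_project_t;` ships a domain that exists precisely to run downloaded project binaries with enforcement switched off, and nothing in the hunk records that this is meant to be temporary. Add `# TODO: drop once boinc project applications run cleanly in enforcing mode` (or the tracking bug number) next to it, since a permissive domain logs denials but blocks nothing, which makes every allow rule written for boinc_project_t in this patch advisory until the line is removed. Separately, the domain is declared with `domain_type` while its entrypoint is granted as a raw `entrypoint` rule elsewhere in the file; `domain_entry_file(boinc_project_t, boinc_project_var_lib_t)` is the refpolicy idiom and adds the accompanying read/execute permissions consistently.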
@@ -15844,6 +15876,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +sysnet_dns_name_resolve(boinc_t) + +mta_send_mail(boinc_t) ++ ++######################################## ++# ++# boinc-projects local policy ++# ++ ++domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) ++ ++allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop }; ++allow boinc_project_t self:process { execmem execstack }; ++ ++allow boinc_project_t boinc_project_var_lib_t:file entrypoint; ++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir }) ++ ++allow boinc_project_t boinc_project_var_lib_t:file execmod; ++ ++allow boinc_project_t boinc_t:shm rw_shm_perms; ++allow boinc_project_t boinc_tmpfs_t:file { read write }; ++ ++rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) ++ ++kernel_read_system_state(boinc_project_t) ++kernel_read_kernel_sysctls(boinc_project_t) ++kernel_search_vm_sysctl(boinc_project_t) ++kernel_read_network_state(boinc_project_t) ++ ++corenet_tcp_connect_boinc_port(boinc_project_t) ++ ++dev_rw_xserver_misc(boinc_t) ++ ++files_getattr_all_dirs(boinc_t) ++files_getattr_all_files(boinc_t) ++files_dontaudit_search_home(boinc_t) ++ ++miscfiles_read_localization(boinc_project_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.7.19/policy/modules/services/bugzilla.fc --- nsaserefpolicy/policy/modules/services/bugzilla.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/services/bugzilla.fc 2010-05-28 09:42:00.069610831 +0200 
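Review bot: `rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)` lets code in the untrusted-project domain write every file under /var/lib/boinc that is not in projects/ or slots/, which per boinc.fc is the client's own state area; unless denials show the science applications actually writing there, `read_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)` keeps them from altering whatever the client keeps there. `files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })` looks unnecessary for the same reason: it grants add-entry access on /var/lib itself, while the project and slot directories are already labelled by the boinc.fc entries. The execmem/execstack/execmod rules are presumably what the third-party project binaries need, but a comment naming the application that triggered them would stop someone removing them later. Finally, the `dev_rw_xserver_misc(boinc_t)`, `files_getattr_all_*(boinc_t)` and `files_dontaudit_search_home(boinc_t)` lines belong in the "boinc local policy" section above, not under the boinc-projects heading.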
@@ -22508,8 +22579,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.19/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-07-27 14:17:07.890822686 +0200 -@@ -220,6 +220,25 @@ ++++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-08-02 09:11:21.173641481 +0200 +@@ -144,6 +144,30 @@ + ') + ') + ++####################################### ++## ++## Type transition files created in calling dir ++## to the mail address aliases type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Directory to transition on. ++## ++## ++# ++interface(`mta_filetrans_aliases',` ++ gen_require(` ++ type etc_aliases_t; ++ ') ++ ++ filetrans_pattern($1, $2, etc_aliases_t, file) ++') ++ + ######################################## + ## + ## Role access for mta +@@ -220,6 +244,25 @@ application_executable_file($1) ') @@ -22535,7 +22637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## ## ## Make the specified type by a system MTA. -@@ -335,6 +354,7 @@ +@@ -335,6 +378,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) @@ -22543,7 +22645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ') -@@ -356,11 +376,35 @@ +@@ -356,11 +400,35 @@ ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; @@ -22579,7 +22681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -390,12 +434,15 @@ +@@ -390,12 +458,15 @@ # interface(`mta_sendmail_domtrans',` gen_require(` 
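Review bot: The documentation header of the new `mta_filetrans_aliases` interface shows empty `##` lines where refpolicy's `<summary>`, `<param name="domain">` and `<param name="dir">` tags would be; if that is how the source reads, rather than the XML having been stripped on render, the interface will be missing from the generated interface documentation. The interface transitions every `file` a domain creates in the given directory type to etc_aliases_t, so the summary should say so plainly, e.g. `Create files in the given directory type as the mail aliases type (etc_aliases_t).`, so that callers do not pass a directory type in which unrelated files are also created.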
@@ -22599,7 +22701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -454,7 +501,8 @@ +@@ -454,7 +525,8 @@ type etc_mail_t; ') @@ -22609,7 +22711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -678,7 +726,7 @@ +@@ -678,7 +750,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -22618,7 +22720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -765,6 +813,25 @@ +@@ -765,6 +837,25 @@ ####################################### ## @@ -22646,7 +22748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-07-27 14:16:43.658073525 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-08-02 10:29:35.492641359 +0200 @@ -23,6 +23,7 @@ type mail_forward_t; @@ -22717,7 +22819,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -126,6 +144,7 @@ +@@ -120,12 +138,13 @@ + ') + + optional_policy(` +- exim_domtrans(system_mail_t) +- exim_manage_log(system_mail_t) ++ exim_domtrans(user_mail_domain) ++ exim_manage_log(user_mail_domain) + ') optional_policy(` fail2ban_append_log(system_mail_t) 
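Review bot: Changing `exim_manage_log(system_mail_t)` to `exim_manage_log(user_mail_domain)` extends create/write/unlink access on exim's log files from the system mail domain to every domain carrying the user_mail_domain attribute, which in upstream refpolicy includes the per-user mail domains produced by mta_base_mail_template (and, with this patch, logwatch_mail_t); if that still holds here, an unprivileged user's sendmail client domain could truncate or remove MTA logs, subject only to DAC. The same widening applies to `exim_domtrans(user_mail_domain)`, though a domain transition is the lesser concern. Unless a denial from a user mail domain motivated it, keep `exim_manage_log(system_mail_t)` and widen only the domtrans, or grant the user domains an append-only interface if exim.if offers one.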
@@ -22736,6 +22846,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. nagios_read_tmp_files(system_mail_t) ') +@@ -156,15 +179,15 @@ + domain_use_interactive_fds(system_mail_t) + + # postfix needs this for newaliases +- files_getattr_tmp_dirs(system_mail_t) ++ files_getattr_tmp_dirs(user_mail_domain) + +- postfix_exec_master(system_mail_t) +- postfix_read_config(system_mail_t) +- postfix_search_spool(system_mail_t) ++ postfix_exec_master(user_mail_domain) ++ postfix_read_config(user_mail_domain) ++ postfix_search_spool(user_mail_domain) + + ifdef(`distro_redhat',` + # compatability for old default main.cf +- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) ++ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) + ') + ') + @@ -185,6 +208,10 @@ ') @@ -22825,7 +22956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.7.19/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-07-14 11:31:58.190159729 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-08-02 09:03:40.662642033 +0200 @@ -43,6 +43,24 @@ files_search_etc($1) ') @@ -22851,7 +22982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ####################################### ## ## Append to the munin log. -@@ -102,6 +120,56 @@ +@@ -102,6 +120,58 @@ dontaudit $1 munin_var_lib_t:dir search_dir_perms; ') 
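Review bot: `postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })` and the three `postfix_*(user_mail_domain)` lines above it widen what used to be system_mail_t-only access to every domain with the user_mail_domain attribute, and because filetrans_pattern grants rw_dir_perms on the parent type, every user mail domain gains a DAC-permitting path to create entries in postfix_etc_t directories. The existing comment `# postfix needs this for newaliases` explains the system_mail_t case only; if the change is meant to cover one specific new member of user_mail_domain, name it in the comment (e.g. `# newaliases may also run from <domain>`) and consider granting just that domain rather than the whole attribute. The class list `{ dir file lnk_file sock_file fifo_file }` is also wider than an aliases database needs; `file` alone would match what the new mta_filetrans_aliases interface does.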
@@ -22898,6 +23029,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + + read_lnk_files_pattern(munin_$1_plugin_t, munin_etc_t, munin_etc_t) + ++ manage_files_pattern(munin_$1_plugin_t, munin_var_lib_t, munin_var_lib_t) ++ + kernel_read_system_state(munin_$1_plugin_t) + + corecmd_exec_bin(munin_$1_plugin_t) @@ -22910,7 +23043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-07-21 09:12:00.666135102 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-08-02 09:03:13.550641907 +0200 @@ -28,12 +28,26 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -22971,7 +23104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -164,3 +185,157 @@ +@@ -164,3 +185,160 @@ optional_policy(` udev_read_db(munin_t) ') @@ -22993,6 +23126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + +files_read_etc_files(munin_disk_plugin_t) +files_read_etc_runtime_files(munin_disk_plugin_t) ++files_read_usr_files(munin_disk_plugin_t) + +fs_getattr_all_fs(munin_disk_plugin_t) + @@ -23025,6 +23159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +dev_read_urand(munin_mail_plugin_t) + +files_read_etc_files(munin_mail_plugin_t) ++files_read_usr_files(munin_mail_plugin_t) + +fs_getattr_all_fs(munin_mail_plugin_t) + 
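Review bot: `manage_files_pattern(munin_$1_plugin_t, munin_var_lib_t, munin_var_lib_t)` inside the plugin template gives every plugin domain built from it (disk, mail, services and so on, per the rest of this patch) create/write/unlink on all of munin_var_lib_t, which, if munin.fc labels all of /var/lib/munin with that type, includes the master's collected data as well as the plugins' own state. A compromised or buggy plugin could then corrupt or delete the master's data; if plugins only need their own state directory, label it with a separate type (for example a plugin-state type under /var/lib/munin/plugin-state) and grant manage on that instead, or at least use `rw_files_pattern` if the files already exist. A comment naming the plugin that needed this (`# <plugin> keeps its state under munin_var_lib_t`) would help either way. The template's beginning and end are outside this hunk.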
@@ -23065,6 +23200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +fs_getattr_all_fs(munin_services_plugin_t) + +files_read_etc_files(munin_services_plugin_t) ++files_read_usr_files(munin_services_plugin_t) + +sysnet_read_config(munin_services_plugin_t) + @@ -26911,7 +27047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-07-21 09:58:36.071135157 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-08-02 09:16:41.169891320 +0200 @@ -6,6 +6,15 @@ # Declarations # @@ -27047,15 +27183,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post term_dontaudit_search_ptys(postfix_master_t) -@@ -181,6 +205,7 @@ +@@ -181,6 +205,8 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +mta_getattr_spool(postfix_master_t) ++mta_filetrans_aliases(postfix_master_t, postfix_etc_t) ifdef(`distro_redhat',` # for newer main.cf that uses /etc/aliases -@@ -193,6 +218,10 @@ +@@ -193,6 +219,10 @@ ') optional_policy(` @@ -27066,7 +27203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for postalias mailman_manage_data_files(postfix_master_t) ') -@@ -202,6 +231,10 @@ +@@ -202,6 +232,10 @@ ') optional_policy(` @@ -27077,7 +27214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post sendmail_signal(postfix_master_t) ') -@@ -219,6 +252,7 @@ +@@ -219,6 +253,7 @@ manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) 
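Review bot: `mta_filetrans_aliases(postfix_master_t, postfix_etc_t)` makes every regular file postfix_master_t creates directly in a postfix_etc_t directory come out as etc_aliases_t, not just the rebuilt aliases database, because filetrans_pattern is per object class rather than per file name in this policy version. That is probably acceptable if postalias/newaliases is the only thing writing under /etc/postfix from this domain, but it should be recorded next to the rule, e.g. `# postalias writes aliases.db into /etc/postfix; any file master creates there becomes etc_aliases_t`. The context line `# for newer main.cf that uses /etc/aliases` suggests a distro_redhat filetrans on the same types already follows; if so the new rule may be redundant, and a different target type for the same source, directory type and class would not compile.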
@@ -27085,7 +27222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -240,11 +274,18 @@ +@@ -240,11 +275,18 @@ manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) @@ -27104,7 +27241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix local local policy -@@ -253,10 +294,6 @@ +@@ -253,10 +295,6 @@ allow postfix_local_t self:fifo_file rw_fifo_file_perms; allow postfix_local_t self:process { setsched setrlimit }; @@ -27115,7 +27252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -270,18 +307,35 @@ +@@ -270,18 +308,35 @@ files_read_etc_files(postfix_local_t) @@ -27151,7 +27288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -292,8 +346,7 @@ +@@ -292,8 +347,7 @@ # # Postfix map local policy # @@ -27161,7 +27298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -340,14 +393,15 @@ +@@ -340,14 +394,15 @@ miscfiles_read_localization(postfix_map_t) 
@@ -27181,7 +27318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -372,6 +426,7 @@ +@@ -372,6 +427,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -27189,7 +27326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -379,6 +434,12 @@ +@@ -379,6 +435,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -27202,7 +27339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -388,6 +449,16 @@ +@@ -388,6 +450,16 @@ ') optional_policy(` @@ -27219,7 +27356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -415,6 +486,10 @@ +@@ -415,6 +487,10 @@ mta_rw_user_mail_stream_sockets(postfix_postdrop_t) optional_policy(` @@ -27230,7 +27367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') -@@ -424,8 +499,11 @@ +@@ -424,8 +500,11 @@ ') optional_policy(` @@ -27244,7 +27381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ####################################### -@@ -451,6 +529,17 @@ +@@ -451,6 +530,17 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -27262,7 +27399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -464,6 +553,7 @@ +@@ -464,6 +554,7 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) 
@@ -27270,7 +27407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -@@ -499,13 +589,14 @@ +@@ -499,13 +590,14 @@ # # connect to master process @@ -27286,7 +27423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) -@@ -535,9 +626,18 @@ +@@ -535,9 +627,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -27305,7 +27442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mailman_read_data_files(postfix_smtpd_t) ') -@@ -559,20 +659,22 @@ +@@ -559,20 +660,22 @@ allow postfix_virtual_t postfix_spool_t:file rw_file_perms;