
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Mon, 27 Feb 2017 11:40:36
Message-Id: 1488192242.c12405c1bbcaeb1558c3f053671710738138e463.perfinion@gentoo
1 commit: c12405c1bbcaeb1558c3f053671710738138e463
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Sat Feb 25 15:17:52 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 27 10:44:02 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12405c1
7
8 MTA fixes from Russell Coker.
9
10 policy/modules/contrib/clamav.te | 11 +++++++++--
11 policy/modules/contrib/courier.if | 4 ++--
12 policy/modules/contrib/courier.te | 6 +++++-
13 policy/modules/contrib/dkim.if | 18 ++++++++++++++++++
14 policy/modules/contrib/dkim.te | 14 +++++++++++---
15 policy/modules/contrib/dovecot.fc | 3 +++
16 policy/modules/contrib/dovecot.te | 13 ++++++++++---
17 policy/modules/contrib/milter.if | 18 ++++++++++++++++++
18 policy/modules/contrib/milter.te | 10 +++++++++-
19 policy/modules/contrib/mta.fc | 1 +
20 policy/modules/contrib/mta.te | 8 +++++++-
21 policy/modules/contrib/perdition.fc | 2 +-
22 policy/modules/contrib/perdition.te | 19 +++++++++++++++----
23 policy/modules/contrib/postfix.fc | 30 +++++++++++++++---------------
24 policy/modules/contrib/postfix.te | 26 +++++++++++++++++++++++++-
25 policy/modules/contrib/postfixpolicyd.te | 18 +++++++++++++++---
26 policy/modules/contrib/postgrey.te | 7 +++++--
27 policy/modules/contrib/procmail.fc | 1 +
28 policy/modules/contrib/procmail.te | 7 ++++++-
29 policy/modules/contrib/spamassassin.fc | 1 +
30 policy/modules/contrib/spamassassin.te | 3 ++-
31 21 files changed, 179 insertions(+), 41 deletions(-)
32
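diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index f2664e82..11e568a6 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.0)
+policy_module(clamav, 1.14.1)
 
 ## <desc>
 ## <p>
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
 # Clamd local policy
 #
 
-allow clamd_t self:capability { dac_override kill setgid setuid };
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
 allow clamd_t self:process signal;
 allow clamd_t self:fifo_file rw_fifo_file_perms;
@@ -107,6 +107,8 @@ kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
 kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
+kernel_read_vm_overcommit_sysctl(clamd_t)
 
 corecmd_exec_shell(clamd_t)
 
@@ -128,6 +130,7 @@ corenet_tcp_bind_clamd_port(clamd_t)
 
 dev_read_rand(clamd_t)
 dev_read_urand(clamd_t)
+dev_read_sysfs(clamd_t)
 
 domain_use_interactive_fds(clamd_t)
 
@@ -215,6 +218,10 @@ corenet_sendrecv_http_client_packets(freshclam_t)
 corenet_tcp_connect_http_port(freshclam_t)
 corenet_tcp_sendrecv_http_port(freshclam_t)
 
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
 corenet_sendrecv_squid_client_packets(freshclam_t)
 corenet_tcp_connect_squid_port(freshclam_t)
 corenet_tcp_sendrecv_squid_port(freshclam_t)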
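Review bot: The widened capability set on the clamd_t line in the `@@ -73,7` hunk adds chown, fowner and fsetid without a comment saying which clamd operation needs them, and it breaks the alphabetical ordering that the other capability lines in this commit (dovecot_t, perdition_t) keep. All three let the daemon change ownership and set-id bits on files it does not own, so a one-line justification belongs next to the rule. Suggest `# chown/fowner/fsetid: <reason, to be confirmed>` above `allow clamd_t self:capability { chown dac_override fowner fsetid kill setgid setuid };`.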
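diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
index 10f820fc..db4d192b 100644
--- a/policy/modules/contrib/courier.if
+++ b/policy/modules/contrib/courier.if
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',`
 #
 interface(`courier_stream_connect_authdaemon',`
 gen_require(`
- type courier_authdaemon_t, courier_spool_t;
+ type courier_authdaemon_t, courier_var_run_t;
 ')
 
 files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
 ')
 
 ########################################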
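Review bot: `courier_stream_connect_authdaemon` still calls `files_search_spool($1)` although the socket it connects to has moved from courier_spool_t to courier_var_run_t; unless the socket is still reached through the spool tree, a caller that cannot already search the pid directory will be denied before it gets to the socket. The hunk should add `files_search_pids($1)` next to the existing search rule (replacing it if the spool search is no longer needed). The interface summary above the hunk is outside my view; if it still names the spool directory it needs the same update.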
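diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 176bd5c2..31ee1073 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.0)
+policy_module(courier, 1.16.1)
 
 ########################################
 #
@@ -101,6 +101,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe
 
 can_exec(courier_authdaemon_t, courier_exec_t)
 
+corecmd_exec_shell(courier_authdaemon_t)
+
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
 
 dev_read_urand(courier_authdaemon_t)
@@ -187,6 +189,8 @@ miscfiles_read_localization(courier_tcpd_t)
 
 kernel_read_kernel_sysctls(courier_sqwebmail_t)
 
+dev_read_urand(courier_sqwebmail_t)
+
 optional_policy(`
 cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
 ')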
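Review bot: `corecmd_exec_shell(courier_authdaemon_t)` in the `@@ -101,6` hunk lets the authentication daemon run a shell, which is a noticeably wider grant than the `can_exec(courier_authdaemon_t, courier_exec_t)` it sits next to, and nothing records what authdaemon executes through the shell. A why-comment such as `# <authdaemon helper or authmodule that spawns a shell, to be confirmed>` above the rule would let the next reviewer judge whether a narrower domain transition is possible.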
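diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 61e1f192..059e495a 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -2,6 +2,24 @@
 
 ########################################
 ## <summary>
+## Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_milter_data_t, dkim_milter_t;
+ ')
+
+ stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t, dkim_milter_t)
+')
+
+########################################
+## <summary>
 ## All of the rules required to
 ## administrate an dkim environment.
 ## </summary>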
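Review bot: The new `dkim_stream_connect` interface connects to a socket under dkim_milter_data_t but grants no search on the directory that holds it; dkim.te in this same commit registers that type with `init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")`, so the socket lives under the pid directory and a caller that cannot already search /run will be denied before reaching it. Adding `files_search_pids($1)` before the `stream_connect_pattern` call, the way `courier_stream_connect_authdaemon` carries its own search rule, makes the interface self-contained. The summary would also read better in the usual refpolicy phrasing, `## Connect to dkim using a unix domain stream socket.`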
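diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 9ef8d760..5ffc618b 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.0)
+policy_module(dkim, 1.5.1)
 
 ########################################
 #
@@ -20,15 +20,23 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
 # Local policy
 #
 
-allow dkim_milter_t self:capability { setgid setuid };
-allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:process { signal signull };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
 
 kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_sysctls(dkim_milter_t)
+kernel_read_vm_overcommit_sysctl(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
 
 dev_read_urand(dkim_milter_t)
+# for cpu/online
+dev_read_sysfs(dkim_milter_t)
 
 files_search_spool(dkim_milter_t)
 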
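Review bot: The three corenet_udp_* rules added in the `@@ -20,15` hunk let dkim_milter_t bind UDP on any unreserved port and silence audits for binding every other port, with no comment on what opendkim does with UDP, while the sysfs rule two lines later does get a `# for cpu/online` comment. If the binds come from the resolver picking source ports for DKIM record lookups, a comment such as `# DNS lookups of DKIM records bind random UDP source ports` (to be confirmed) would explain both the bind and the dontaudit; if not, `corenet_dontaudit_udp_bind_all_ports` hides exactly the denials that would show which port is actually needed. The added `dac_override` capability is likewise unexplained.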
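diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index a8119188..c2f5734e 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -15,10 +15,13 @@
 
 /etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
 
+/usr/lib/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)
 /usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params -- gen_context(system_u:object_r:dovecot_exec_t,s0)
 
 /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)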
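Review bot: The three new `/usr/lib/dovecot/` entries (anvil, log, ssl-params) have no `/usr/libexec/dovecot/` counterparts, while the existing auth and deliver entries are maintained in both trees in the lines right below the hunk. Unless the libexec layout is known not to ship these helpers, matching entries such as `/usr/libexec/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)` (and the same for log and ssl-params) keep the two trees consistent.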
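diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 1701e3f0..d18f9adc 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.0)
+policy_module(dovecot, 1.19.1)
 
 ########################################
 #
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain)
 # Local policy
 #
 
-allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
 allow dovecot_t self:tcp_socket { accept listen };
@@ -159,6 +159,8 @@ files_search_spool(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
 files_dontaudit_search_all_dirs(dovecot_t)
 files_search_all_mountpoints(dovecot_t)
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
 
 fs_getattr_all_fs(dovecot_t)
 fs_getattr_all_dirs(dovecot_t)
@@ -241,6 +243,8 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
 
 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -249,6 +253,9 @@ files_search_pids(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
 
+selinux_get_enforce_mode(dovecot_auth_t)
+selinux_get_fs_mount(dovecot_auth_t)
+
 auth_domtrans_chk_passwd(dovecot_auth_t)
 auth_use_nsswitch(dovecot_auth_t)
 
@@ -256,7 +263,7 @@ init_rw_utmp(dovecot_auth_t)
 
 logging_send_audit_msgs(dovecot_auth_t)
 
-seutil_dontaudit_search_config(dovecot_auth_t)
+seutil_search_default_contexts(dovecot_auth_t)
 
 sysnet_use_ldap(dovecot_auth_t)
 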
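Review bot: The two new dovecot_var_run_t rules in the `@@ -241,6` hunk are written as raw `allow` statements although the neighbouring sock_file rule uses the `manage_sock_files_pattern` form, and `manage_file_perms` for the auth helper on every regular file in the pid directory is a broad grant with no comment on which files dovecot-auth creates or deletes there. Rewriting them as `manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)` and `write_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)` keeps the block in the file's own style. The `sys_resource` capability added to dovecot_t in the `@@ -92,7` hunk is also unexplained; the `setrlimit` process permission on the line below it suggests the reason, which is worth writing down.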
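diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if
index cba62db1..ffb58f9f 100644
--- a/policy/modules/contrib/milter.if
+++ b/policy/modules/contrib/milter.if
@@ -97,3 +97,21 @@ interface(`milter_manage_spamass_state',`
 manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 ')
+
+########################################
+## <summary>
+## Get the attributes of the spamassissin milter data dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_data_dir',`
+ gen_require(`
+ type spamass_milter_data_t;
+ ')
+
+ allow $1 spamass_milter_data_t:dir getattr;
+')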
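Review bot: The summary of the new `milter_getattr_data_dir` interface misspells the program name: `## Get the attributes of the spamassissin milter data dir.` should read `## Get the attributes of the spamassassin milter data dir.` This text ends up in the generated interface documentation, so the typo is user-visible. The interface name is also generic (`milter_getattr_data_dir`) while the type it exposes is specific to the spamass milter; naming it `milter_getattr_spamass_data_dir`, in line with `milter_manage_spamass_state` above it, would avoid a clash if other milters gain data directories.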
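diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 7c4b347d..8295ca64 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.0)
+policy_module(milter, 1.6.1)
 
 ########################################
 #
@@ -94,15 +94,23 @@ mta_read_config(regex_milter_t)
 #
 
 allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+allow spamass_milter_t self:process sigkill;
 
 kernel_read_system_state(spamass_milter_t)
+kernel_read_vm_overcommit_sysctl(spamass_milter_t)
 
 corecmd_exec_shell(spamass_milter_t)
 
+dev_read_sysfs(spamass_milter_t)
+
 files_search_var_lib(spamass_milter_t)
 
 mta_send_mail(spamass_milter_t)
 
 optional_policy(`
+ postfix_search_spool(spamass_milter_t)
+')
+
+optional_policy(`
 spamassassin_domtrans_client(spamass_milter_t)
 ')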
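Review bot: `dev_read_sysfs(spamass_milter_t)` in the `@@ -94,15` hunk is added without a why-comment, while the identical rule in dkim.te in this commit carries `# for cpu/online`; clamav.te gets the same bare rule. If the reason is the same, copying that comment to both places records it; if it differs, a comment is needed even more. The `self:process sigkill` rule is likewise unexplained and, placed directly under the spamass_milter_state_t dir rule, reads as if it belonged to that file-access group rather than to the self rules.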
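diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index 24681349..dd9f799a 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 
 /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)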
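Review bot: `HOME_DIR/DovecotMail(/.*)?` adds a mailbox directory name to the generic mta file contexts next to the standard `Maildir` and `.maildir` entries, and nothing in the hunk says which software creates a directory of that name; as far as I can tell it is not a stock default, so it may be a site-local layout. A comment naming its origin (or keeping the entry in a local file-context file) would stop it from looking like a stray.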
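diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f7280b11..22308885 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.2)
+policy_module(mta, 2.8.3)
 
 ########################################
 #
@@ -199,6 +199,7 @@ selinux_getattr_fs(system_mail_t)
 term_dontaudit_use_unallocated_ttys(system_mail_t)
 
 init_use_script_ptys(system_mail_t)
+init_use_fds(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
 
@@ -233,6 +234,7 @@ optional_policy(`
 cron_read_system_job_tmp_files(system_mail_t)
 cron_dontaudit_write_pipes(system_mail_t)
 cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_tmp_files(system_mail_t)
 ')
 
 optional_policy(`
@@ -294,6 +296,10 @@ optional_policy(`
 smartmon_read_tmp_files(system_mail_t)
 ')
 
+optional_policy(`
+ unconfined_use_fds(system_mail_t)
+')
+
 ########################################
 #
 # MTA user agent local policy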
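Review bot: `cron_rw_tmp_files(system_mail_t)` in the `@@ -233,6` hunk widens the cron-tmp access from the read-only `cron_read_system_job_tmp_files` two lines above it to read-write on cron tmp files, and the hunk does not say which cron job hands the MTA a writable temporary file. A short comment such as `# <cron job that passes a writable tmp file to the MTA, to be confirmed>` above the rule would justify the wider grant; the same applies to the new `unconfined_use_fds(system_mail_t)` block in the `@@ -294,6` hunk.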
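diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
index 156232f8..a7d2a8be 100644
--- a/policy/modules/contrib/perdition.fc
+++ b/policy/modules/contrib/perdition.fc
@@ -2,6 +2,6 @@
 
 /etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
 
-/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
+/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
 
 /run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)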
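diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 15023cee..2975c2cc 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.0)
+policy_module(perdition, 1.10.1)
 
 ########################################
 #
@@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
 # Local policy
 #
 
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
 dontaudit perdition_t self:capability sys_tty_config;
 allow perdition_t self:process signal_perms;
 allow perdition_t self:tcp_socket { accept listen };
@@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file read_file_perms;
 allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+manage_dirs_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(perdition_t)
 kernel_list_proc(perdition_t)
@@ -45,12 +46,17 @@ corenet_tcp_sendrecv_generic_if(perdition_t)
 corenet_tcp_sendrecv_generic_node(perdition_t)
 corenet_tcp_sendrecv_all_ports(perdition_t)
 corenet_tcp_bind_generic_node(perdition_t)
-
+corenet_tcp_connect_pop_port(perdition_t)
 corenet_sendrecv_pop_server_packets(perdition_t)
 corenet_tcp_bind_pop_port(perdition_t)
 corenet_tcp_sendrecv_pop_port(perdition_t)
+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
 
 dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)
 
 domain_use_interactive_fds(perdition_t)
 
@@ -67,6 +73,11 @@ userdom_dontaudit_use_unpriv_user_fds(perdition_t)
 userdom_dontaudit_search_user_home_dirs(perdition_t)
 
 optional_policy(`
+ mysql_tcp_connect(perdition_t)
+ mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(perdition_t)
 ')
 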
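Review bot: The `@@ -45,12` hunk adds `corenet_tcp_connect_pop_port` and `corenet_tcp_connect_sieve_port` so the proxy can reach its backend servers, but only the `*_server_packets` rules are granted; where packet labeling is in use the outbound connections also need `corenet_sendrecv_pop_client_packets(perdition_t)` and `corenet_sendrecv_sieve_client_packets(perdition_t)`, following the connect/client-packets pairing used for freshclam in clamav.te in this commit. The capability line in the `@@ -23,7` hunk also gains chown, dac_override and fowner with no comment on what the proxy does with them.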
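diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index b71d8442..707b5be0 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -1,24 +1,24 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
 
 /etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 
 # Remove catch-all so that .so files remain lib_t
-#/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+#/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 
 /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)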
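diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 74cb3d7e..94ac8471 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.0)
+policy_module(postfix, 1.17.1)
 
 ########################################
 #
@@ -172,6 +172,7 @@ optional_policy(`
 #
 
 allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_master_t self:process getsched;
 
 allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
@@ -272,6 +273,7 @@ corenet_udp_sendrecv_generic_node(postfix_master_t)
 corenet_tcp_sendrecv_all_ports(postfix_master_t)
 corenet_udp_sendrecv_all_ports(postfix_master_t)
 corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
 
 corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
 corenet_tcp_bind_amavisd_send_port(postfix_master_t)
@@ -302,6 +304,8 @@ mcs_file_read_all(postfix_master_t)
 
 term_dontaudit_search_ptys(postfix_master_t)
 
+hostname_exec(postfix_master_t)
+
 miscfiles_read_man_pages(postfix_master_t)
 
 seutil_sigchld_newrole(postfix_master_t)
@@ -326,6 +330,11 @@ optional_policy(`
 
 optional_policy(`
 mailman_manage_data_files(postfix_master_t)
+ mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+ milter_getattr_data_dir(postfix_master_t)
 ')
 
 optional_policy(`
@@ -371,6 +380,7 @@ allow postfix_cleanup_t self:process setrlimit;
 
 allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
 allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
 
 allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -397,6 +407,10 @@ corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
 mta_read_aliases(postfix_cleanup_t)
 
 optional_policy(`
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
 mailman_read_data_files(postfix_cleanup_t)
 ')
 
@@ -432,6 +446,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
 optional_policy(`
 clamav_search_lib(postfix_local_t)
 clamav_exec_clamscan(postfix_local_t)
+ clamav_stream_connect(postfix_smtpd_t)
 ')
 
 optional_policy(`
@@ -549,6 +564,7 @@ allow postfix_pipe_t self:process setrlimit;
 
 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
 
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
 write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
 
 rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -567,6 +583,7 @@ optional_policy(`
 
 optional_policy(`
 mailman_domtrans_queue(postfix_pipe_t)
+ mailman_domtrans(postfix_pipe_t)
 ')
 
 optional_policy(`
@@ -596,6 +613,9 @@ manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool
 
 allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
 
+# for /var/spool/postfix/public/pickup
+stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
 mcs_file_read_all(postfix_postdrop_t)
 mcs_file_write_all(postfix_postdrop_t)
 
@@ -654,6 +674,10 @@ optional_policy(`
 ppp_sigchld(postfix_postqueue_t)
 ')
 
+optional_policy(`
+ userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
 ########################################
 #
 # Qmgr local policy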
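Review bot: Two rules are placed in another domain's section: `mailman_search_data(postfix_pipe_t)` in the `@@ -326,6` hunk sits inside the postfix_master_t mailman block, and `clamav_stream_connect(postfix_smtpd_t)` in the `@@ -432,6` hunk sits inside the postfix_local_t clamav block. refpolicy keeps each domain's rules in its own local-policy section, so these should move to the existing postfix_pipe_t mailman block (the one in the `@@ -567,6` hunk) and to a clamav block in the postfix_smtpd_t section; as written they are easy to miss when auditing what smtpd and pipe may do. The new `allow postfix_cleanup_t postfix_smtpd_t:fd use;` and `allow postfix_master_t self:process getsched;` rules would also benefit from a why-comment, as the postdrop rule in the `@@ -596,6` hunk already has.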
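diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 621e1817..be84e714 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.0)
+policy_module(postfixpolicyd, 1.5.1)
 
 ########################################
 #
@@ -15,6 +15,9 @@ files_config_file(postfix_policyd_conf_t)
 type postfix_policyd_initrc_exec_t;
 init_script_file(postfix_policyd_initrc_exec_t)
 
+type postfix_policyd_tmp_t;
+files_type(postfix_policyd_tmp_t)
+
 type postfix_policyd_var_run_t;
 files_pid_file(postfix_policyd_var_run_t)
 
@@ -23,8 +26,8 @@ files_pid_file(postfix_policyd_var_run_t)
 # Local policy
 #
 
-allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
-allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid setuid };
+allow postfix_policyd_t self:process { setrlimit signal signull };
 allow postfix_policyd_t self:tcp_socket { accept listen };
 
 allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
@@ -34,6 +37,13 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
 files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 
+allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
+files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
+
+kernel_search_network_sysctl(postfix_policyd_t)
+
+corecmd_exec_bin(postfix_policyd_t)
+
 corenet_all_recvfrom_unlabeled(postfix_policyd_t)
 corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
 corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
@@ -47,6 +57,8 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
 corenet_tcp_bind_mysqld_port(postfix_policyd_t)
 corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
 
+dev_read_urand(postfix_policyd_t)
+
 files_read_etc_files(postfix_policyd_t)
 files_read_usr_files(postfix_policyd_t)
 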
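Review bot: The new `postfix_policyd_tmp_t` is declared with `files_type(postfix_policyd_tmp_t)` but is used as a /tmp type through `files_tmp_filetrans` later in the same file; the refpolicy declaration for that is `files_tmp_file(postfix_policyd_tmp_t)`, which also gives the type the tmpfile attribute that the generic tmp interfaces operate on, so tmp cleanup will otherwise skip these files. The raw rule `allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;` applies a file permission set to sock_file; splitting it into `manage_files_pattern(postfix_policyd_t, postfix_policyd_tmp_t, postfix_policyd_tmp_t)` and `manage_sock_files_pattern(postfix_policyd_t, postfix_policyd_tmp_t, postfix_policyd_tmp_t)` follows the file's own conventions. `corecmd_exec_bin` and the added `chown` capability carry no comment on what the daemon executes or changes ownership of, and the capability list is no longer sorted.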
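diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index ab5a8d3a..4fe73487 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.0)
+policy_module(postgrey, 1.11.1)
 
 ########################################
 #
@@ -34,6 +34,8 @@ dontaudit postgrey_t self:capability sys_tty_config;
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:fifo_file create_fifo_file_perms;
 allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
+allow postgrey_t self:udp_socket { connect connected_socket_perms };
 
 allow postgrey_t postgrey_etc_t:dir list_dir_perms;
 allow postgrey_t postgrey_etc_t:file read_file_perms;
@@ -55,7 +57,8 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t)
 
-corecmd_search_bin(postgrey_t)
+corecmd_read_bin_files(postgrey_t)
+corecmd_exec_bin(postgrey_t)
 
 corenet_all_recvfrom_unlabeled(postgrey_t)
 corenet_all_recvfrom_netlabel(postgrey_t)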
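Review bot: The `netlink_route_socket` and `udp_socket { connect ... }` rules added in the `@@ -34,6` hunk are the socket access a name resolver typically needs; if that is what postgrey is doing, the refpolicy way is `sysnet_dns_name_resolve(postgrey_t)`, which also covers the DNS port and resolver configuration, rather than raw self socket rules, though the hunk alone does not show whether UDP is used for DNS or something else. In the `@@ -55,7` hunk, `corecmd_read_bin_files(postgrey_t)` is redundant once `corecmd_exec_bin(postgrey_t)` is present, since the exec interface already grants read on the binaries, so the read rule can be dropped; a comment on what postgrey executes would also help.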
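diff --git a/policy/modules/contrib/procmail.fc b/policy/modules/contrib/procmail.fc
index bdff6c93..dac08916 100644
--- a/policy/modules/contrib/procmail.fc
+++ b/policy/modules/contrib/procmail.fc
@@ -1,5 +1,6 @@
 HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
 
+/usr/bin/maildrop -- gen_context(system_u:object_r:procmail_exec_t,s0)
 /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
 
 /var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)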
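Review bot: `/usr/bin/maildrop` is given procmail_exec_t, so Courier's maildrop will run in procmail_t; reusing another program's domain is a deliberate choice that deserves a comment on the entry, for example `# maildrop is confined in the procmail domain`, so it is not mistaken for a mislabel later. The courier rules added to procmail_t in procmail.te in this commit are consistent with that intent, but the .fc line itself gives no hint of it.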
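diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index 8a842661..cdd23cc9 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.14.0)
+policy_module(procmail, 1.14.1)
 
 ########################################
 #
@@ -96,6 +96,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+ courier_read_config(procmail_t)
+ courier_stream_connect_authdaemon(procmail_t)
+')
+
+optional_policy(`
 cyrus_stream_connect(procmail_t)
 ')
 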
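diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index de27cda7..58dce766 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -23,6 +23,7 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
 /var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
 
 /run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)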
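Review bot: The new `/run/spamassassin\.pid gen_context(...)` entry omits the `--` regular-file qualifier that the other single-file entry in this hunk carries (`/var/log/mimedefang.* --`); without it the pattern also labels a directory, socket or symlink of that name. It should read `/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)`.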
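diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 4a9153ce..2f770d2d 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.0)
+policy_module(spamassassin, 2.10.1)
 
 ########################################
 #
@@ -46,6 +46,7 @@ type spamc_exec_t;
 typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
 typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
 userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
 
 type spamc_tmp_t;
 typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };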
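Review bot: `role system_r types spamc_t;` lets a user application domain run under the system role, presumably so daemons such as the spamass milter (which gains `spamassassin_domtrans_client` context in milter.te in this commit) can invoke spamc; the line itself gives no hint of that, and it sits right after `userdom_user_application_domain`, which otherwise marks spamc_t as a user-role program. A comment on the rule, e.g. `# spamc is also invoked by system daemons (milters, MDAs)` — to be confirmed — would record why the role is widened.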