commit: c12405c1bbcaeb1558c3f053671710738138e463 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Sat Feb 25 15:17:52 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 27 10:44:02 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12405c1 |
|
MTA fixes from Russell Coker. |
|
policy/modules/contrib/clamav.te | 11 +++++++++-- |
policy/modules/contrib/courier.if | 4 ++-- |
policy/modules/contrib/courier.te | 6 +++++- |
policy/modules/contrib/dkim.if | 18 ++++++++++++++++++ |
policy/modules/contrib/dkim.te | 14 +++++++++++--- |
policy/modules/contrib/dovecot.fc | 3 +++ |
policy/modules/contrib/dovecot.te | 13 ++++++++++--- |
policy/modules/contrib/milter.if | 18 ++++++++++++++++++ |
policy/modules/contrib/milter.te | 10 +++++++++- |
policy/modules/contrib/mta.fc | 1 + |
policy/modules/contrib/mta.te | 8 +++++++- |
policy/modules/contrib/perdition.fc | 2 +- |
policy/modules/contrib/perdition.te | 19 +++++++++++++++---- |
policy/modules/contrib/postfix.fc | 30 +++++++++++++++--------------- |
policy/modules/contrib/postfix.te | 26 +++++++++++++++++++++++++- |
policy/modules/contrib/postfixpolicyd.te | 18 +++++++++++++++--- |
policy/modules/contrib/postgrey.te | 7 +++++-- |
policy/modules/contrib/procmail.fc | 1 + |
policy/modules/contrib/procmail.te | 7 ++++++- |
policy/modules/contrib/spamassassin.fc | 1 + |
policy/modules/contrib/spamassassin.te | 3 ++- |
21 files changed, 179 insertions(+), 41 deletions(-) |
|
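diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index f2664e82..11e568a6 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.0)
+policy_module(clamav, 1.14.1)
 
 ## <desc>
 ## <p>
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
 # Clamd local policy
 #
 
-allow clamd_t self:capability { dac_override kill setgid setuid };
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
 allow clamd_t self:process signal;
 allow clamd_t self:fifo_file rw_fifo_file_perms;
@@ -107,6 +107,8 @@ kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
 kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
+kernel_read_vm_overcommit_sysctl(clamd_t)
 
 corecmd_exec_shell(clamd_t)
 
@@ -128,6 +130,7 @@ corenet_tcp_bind_clamd_port(clamd_t)
 
 dev_read_rand(clamd_t)
 dev_read_urand(clamd_t)
+dev_read_sysfs(clamd_t)
 
 domain_use_interactive_fds(clamd_t)
 
@@ -215,6 +218,10 @@ corenet_sendrecv_http_client_packets(freshclam_t)
 corenet_tcp_connect_http_port(freshclam_t)
 corenet_tcp_sendrecv_http_port(freshclam_t)
 
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
 corenet_sendrecv_squid_client_packets(freshclam_t)
 corenet_tcp_connect_squid_port(freshclam_t)
 corenet_tcp_sendrecv_squid_port(freshclam_t)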
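Review bot: The capability list on the new `allow clamd_t self:capability` line is no longer alphabetized (`dac_override` trails `setuid`), while the other capability lists in this commit keep the sorted order refpolicy expects; `allow clamd_t self:capability { chown dac_override fowner fsetid kill setgid setuid };` is the consistent form. The three added capabilities (chown, fowner, fsetid) and the new `dev_read_sysfs(clamd_t)` carry no explanation of what clamd does that needs them, whereas the dkim.te hunk in the same commit annotates its sysfs access with `# for cpu/online`. A one-line why-comment above each addition would let a later reviewer judge whether the grant is still needed.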
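diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
index 10f820fc..db4d192b 100644
--- a/policy/modules/contrib/courier.if
+++ b/policy/modules/contrib/courier.if
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',`
 #
 interface(`courier_stream_connect_authdaemon',`
 gen_require(`
-type courier_authdaemon_t, courier_spool_t;
+type courier_authdaemon_t, courier_var_run_t;
 ')
 
 files_search_spool($1)
-stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
 ')
 
 ########################################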
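Review bot: The interface still calls `files_search_spool($1)` although the socket it now connects through is typed `courier_var_run_t`; if that type is labeled under /run, as its name suggests, callers need `files_search_pids($1)` to reach the socket and the spool search no longer serves this interface. Suggest replacing the line with `files_search_pids($1)`, or adding it if the socket can legitimately live in either location. The summary block of courier_stream_connect_authdaemon starts outside the hunk and should be checked for a mention of the spool.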
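diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 176bd5c2..31ee1073 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.0)
+policy_module(courier, 1.16.1)
 
 ########################################
 #
@@ -101,6 +101,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe
 
 can_exec(courier_authdaemon_t, courier_exec_t)
 
+corecmd_exec_shell(courier_authdaemon_t)
+
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
 
 dev_read_urand(courier_authdaemon_t)
@@ -187,6 +189,8 @@ miscfiles_read_localization(courier_tcpd_t)
 
 kernel_read_kernel_sysctls(courier_sqwebmail_t)
 
+dev_read_urand(courier_sqwebmail_t)
+
 optional_policy(`
 cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
 ')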
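Review bot: `corecmd_exec_shell(courier_authdaemon_t)` lets the authentication daemon run a shell in its own domain, a broad grant for a process that handles credentials, and nothing says which helper it spawns. A why-comment above the line naming the script or pipeline it runs would document the need; if the helper is a fixed program, a `can_exec` on that program, or a domain transition, is the narrower alternative. The rest of the courier_authdaemon_t block lies outside the hunk.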
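diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 61e1f192..059e495a 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -2,6 +2,24 @@
 
 ########################################
 ## <summary>
+## Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+gen_require(`
+type dkim_milter_data_t, dkim_milter_t;
+')
+
+stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t, dkim_milter_t)
+')
+
+########################################
+## <summary>
 ## All of the rules required to
 ## administrate an dkim environment.
 ## </summary>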
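Review bot: The new `dkim_stream_connect` interface grants the socket connect but not the directory search a caller needs to reach it: the dkim.te hunk header in this commit shows `dkim_milter_data_t` declared via `init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")`, so a caller lacking search on /run cannot open the path. Add `files_search_pids($1)` before the `stream_connect_pattern` line, matching how `courier_stream_connect_authdaemon` pairs a search with its connect. The summary `## Allow a domain to talk to dkim via Unix domain socket` would read more precisely as `## Connect to the dkim milter over its Unix domain socket.`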
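diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 9ef8d760..5ffc618b 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.0)
+policy_module(dkim, 1.5.1)
 
 ########################################
 #
@@ -20,15 +20,23 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
 # Local policy
 #
 
-allow dkim_milter_t self:capability { setgid setuid };
-allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:process { signal signull };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
 
 kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_sysctls(dkim_milter_t)
+kernel_read_vm_overcommit_sysctl(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
 
 dev_read_urand(dkim_milter_t)
+# for cpu/online
+dev_read_sysfs(dkim_milter_t)
 
 files_search_spool(dkim_milter_t)
 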
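Review bot: The three new UDP rules (`corenet_udp_bind_generic_node`, `corenet_udp_bind_all_unreserved_ports`, `corenet_dontaudit_udp_bind_all_ports`) let the milter bind any unreserved UDP port, with no comment on why a DKIM signer/verifier does so. If this is for DNS lookups by a resolver library, `sysnet_dns_name_resolve(dkim_milter_t)` is the conventional interface and documents the intent by itself; otherwise a why-comment in the style of the `# for cpu/online` line a few rows below would do. The added `dac_override` capability likewise deserves a comment naming the file it is needed for, since it bypasses DAC on everything the domain can otherwise reach.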
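diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index a8119188..c2f5734e 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -15,10 +15,13 @@
 
 /etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
 
+/usr/lib/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)
 /usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params -- gen_context(system_u:object_r:dovecot_exec_t,s0)
 
 /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)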
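Review bot: The three new helper binaries (anvil, log, ssl-params) are labeled only under /usr/lib/dovecot, while the file also carries /usr/libexec/dovecot entries for the same helpers (auth and deliver appear in the context lines); on a libexec layout these three would keep the directory's default label. Add matching lines such as `/usr/libexec/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)` for log and ssl-params as well, unless the libexec layout is known not to ship them.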
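diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 1701e3f0..d18f9adc 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.0)
+policy_module(dovecot, 1.19.1)
 
 ########################################
 #
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain)
 # Local policy
 #
 
-allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
 allow dovecot_t self:tcp_socket { accept listen };
@@ -159,6 +159,8 @@ files_search_spool(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
 files_dontaudit_search_all_dirs(dovecot_t)
 files_search_all_mountpoints(dovecot_t)
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
 
 fs_getattr_all_fs(dovecot_t)
 fs_getattr_all_dirs(dovecot_t)
@@ -241,6 +243,8 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
 
 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -249,6 +253,9 @@ files_search_pids(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
 
+selinux_get_enforce_mode(dovecot_auth_t)
+selinux_get_fs_mount(dovecot_auth_t)
+
 auth_domtrans_chk_passwd(dovecot_auth_t)
 auth_use_nsswitch(dovecot_auth_t)
 
@@ -256,7 +263,7 @@ init_rw_utmp(dovecot_auth_t)
 
 logging_send_audit_msgs(dovecot_auth_t)
 
-seutil_dontaudit_search_config(dovecot_auth_t)
+seutil_search_default_contexts(dovecot_auth_t)
 
 sysnet_use_ldap(dovecot_auth_t)
 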
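Review bot: `allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;` is a raw allow where the neighbouring line uses the pattern macros (`manage_sock_files_pattern`); `manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)` is the consistent form and also grants the directory write permissions that creating a file there requires, which the existing `dir list_dir_perms` rule does not. `files_list_usr(dovecot_t)` looks redundant next to `files_read_usr_files(dovecot_t)` if the latter already grants list_dir_perms on usr_t, which is worth checking against the current files.if. The `selinux_get_enforce_mode`/`selinux_get_fs_mount` additions and the switch from `seutil_dontaudit_search_config` to `seutil_search_default_contexts` read like a PAM or libselinux requirement; a short comment naming it would record why an auth worker needs SELinux state.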
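diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if
index cba62db1..ffb58f9f 100644
--- a/policy/modules/contrib/milter.if
+++ b/policy/modules/contrib/milter.if
@@ -97,3 +97,21 @@ interface(`milter_manage_spamass_state',`
 manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 ')
+
+########################################
+## <summary>
+## Get the attributes of the spamassissin milter data dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_data_dir',`
+gen_require(`
+type spamass_milter_data_t;
+')
+
+allow $1 spamass_milter_data_t:dir getattr;
+')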
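Review bot: The summary of the new interface misspells the program name: `## Get the attributes of the spamassissin milter data dir.` should read `spamassassin`. The interface name `milter_getattr_data_dir` is generic while the type it touches is spamass-specific (`spamass_milter_data_t`); the existing `milter_manage_spamass_state` naming suggests `milter_getattr_spamass_data_dir` as the consistent choice, and since postfix.te is the only caller visible in this commit, renaming now is cheap.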
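diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 7c4b347d..8295ca64 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.0)
+policy_module(milter, 1.6.1)
 
 ########################################
 #
@@ -94,15 +94,23 @@ mta_read_config(regex_milter_t)
 #
 
 allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+allow spamass_milter_t self:process sigkill;
 
 kernel_read_system_state(spamass_milter_t)
+kernel_read_vm_overcommit_sysctl(spamass_milter_t)
 
 corecmd_exec_shell(spamass_milter_t)
 
+dev_read_sysfs(spamass_milter_t)
+
 files_search_var_lib(spamass_milter_t)
 
 mta_send_mail(spamass_milter_t)
 
 optional_policy(`
+postfix_search_spool(spamass_milter_t)
+')
+
+optional_policy(`
 spamassassin_domtrans_client(spamass_milter_t)
 ')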
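Review bot: The new `allow spamass_milter_t self:process sigkill;` is placed after the `spamass_milter_state_t:dir` rule, whereas the other local-policy blocks touched by this commit open with the domain's `self:` rules; moving it above the state-dir rule keeps the block in the usual order. The `kernel_read_vm_overcommit_sysctl` and `dev_read_sysfs` grants have no comment; the dkim.te hunk annotates the same sysfs access with `# for cpu/online`, which fits here too if the cause is the same.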
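diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index 24681349..dd9f799a 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 
 /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)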
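diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f7280b11..22308885 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.2)
+policy_module(mta, 2.8.3)
 
 ########################################
 #
@@ -199,6 +199,7 @@ selinux_getattr_fs(system_mail_t)
 term_dontaudit_use_unallocated_ttys(system_mail_t)
 
 init_use_script_ptys(system_mail_t)
+init_use_fds(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
 
@@ -233,6 +234,7 @@ optional_policy(`
 cron_read_system_job_tmp_files(system_mail_t)
 cron_dontaudit_write_pipes(system_mail_t)
 cron_rw_system_job_stream_sockets(system_mail_t)
+cron_rw_tmp_files(system_mail_t)
 ')
 
 optional_policy(`
@@ -294,6 +296,10 @@ optional_policy(`
 smartmon_read_tmp_files(system_mail_t)
 ')
 
+optional_policy(`
+unconfined_use_fds(system_mail_t)
+')
+
 ########################################
 #
 # MTA user agent local policy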
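Review bot: `cron_rw_tmp_files(system_mail_t)` widens the mailer from reading cron job temporary files (the existing `cron_read_system_job_tmp_files` line above it) to writing them, and no comment says which job's output it needs to modify. A why-comment above the line would document it; if the real need is read access to a different cron tmp type, the corresponding read-only interface is the narrower choice.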
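diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
index 156232f8..a7d2a8be 100644
--- a/policy/modules/contrib/perdition.fc
+++ b/policy/modules/contrib/perdition.fc
@@ -2,6 +2,6 @@
 
 /etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
 
-/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
+/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
 
 /run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)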
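Review bot: `/usr/sbin/perdition.*` matches any regular file whose name merely begins with `perdition`, not only the per-protocol variants the package installs (such as `perdition.imap4` and `perdition.pop3`). `/usr/sbin/perdition(\..*)? -- gen_context(system_u:object_r:perdition_exec_t,s0)` keeps the base binary and the dotted variants while excluding unrelated names sharing the prefix, and follows the `\.`-escaped style used for `/run/perdition\.pid` two lines below.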
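diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 15023cee..2975c2cc 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.0)
+policy_module(perdition, 1.10.1)
 
 ########################################
 #
@@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
 # Local policy
 #
 
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
 dontaudit perdition_t self:capability sys_tty_config;
 allow perdition_t self:process signal_perms;
 allow perdition_t self:tcp_socket { accept listen };
@@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file read_file_perms;
 allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+manage_dirs_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(perdition_t)
 kernel_list_proc(perdition_t)
@@ -45,12 +46,17 @@ corenet_tcp_sendrecv_generic_if(perdition_t)
 corenet_tcp_sendrecv_generic_node(perdition_t)
 corenet_tcp_sendrecv_all_ports(perdition_t)
 corenet_tcp_bind_generic_node(perdition_t)
-
+corenet_tcp_connect_pop_port(perdition_t)
 corenet_sendrecv_pop_server_packets(perdition_t)
 corenet_tcp_bind_pop_port(perdition_t)
 corenet_tcp_sendrecv_pop_port(perdition_t)
+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
 
 dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)
 
 domain_use_interactive_fds(perdition_t)
 
@@ -67,6 +73,11 @@ userdom_dontaudit_use_unpriv_user_fds(perdition_t)
 userdom_dontaudit_search_user_home_dirs(perdition_t)
 
 optional_policy(`
+mysql_tcp_connect(perdition_t)
+mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(perdition_t)
 ')
 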
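Review bot: The added `corenet_tcp_connect_pop_port` and `corenet_tcp_connect_sieve_port` make perdition a client of those ports, but only the server-side packet rules are present (`corenet_sendrecv_pop_server_packets`, `corenet_sendrecv_sieve_server_packets`); refpolicy pairs a connect with `corenet_sendrecv_pop_client_packets(perdition_t)` and `corenet_sendrecv_sieve_client_packets(perdition_t)` so the rules stay complete when packet labeling is in use. The blank line removed at the head of that hunk now runs the generic bind rule straight into the pop group, and the connect line sits before the group's sendrecv lines rather than after them; restoring the blank and grouping each connect with its port keeps the block readable. The new `chown dac_override fowner` capabilities are unexplained and a why-comment would help, since dac_override alone voids DAC for the proxy.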
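diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index b71d8442..707b5be0 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -1,24 +1,24 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
 
 /etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 
 # Remove catch-all so that .so files remain lib_t
-#/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+#/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 
 /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)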
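Review bot: With the `(sbin/)?` alternation the fourteen explicit entries cover only the daemons that have their own domain, while the catch-all `#/usr/lib/postfix/(sbin/)?.*` stays commented out because the bare /usr/lib/postfix directory holds shared objects; any other daemon under /usr/lib/postfix/sbin/ therefore keeps the directory's default label, unlike the libexec layout where `/usr/libexec/postfix/.*` labels everything as postfix_exec_t. Since a dedicated sbin/ directory contains no .so files, a separate `/usr/lib/postfix/sbin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)` line would restore parity with the libexec rule without reviving the problem the comment describes. Whether the remaining helpers are all under sbin/ on the targeted distribution should be confirmed before adding it.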
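diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 74cb3d7e..94ac8471 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.0)
+policy_module(postfix, 1.17.1)
 
 ########################################
 #
@@ -172,6 +172,7 @@ optional_policy(`
 #
 
 allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_master_t self:process getsched;
 
 allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
@@ -272,6 +273,7 @@ corenet_udp_sendrecv_generic_node(postfix_master_t)
 corenet_tcp_sendrecv_all_ports(postfix_master_t)
 corenet_udp_sendrecv_all_ports(postfix_master_t)
 corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
 
 corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
 corenet_tcp_bind_amavisd_send_port(postfix_master_t)
@@ -302,6 +304,8 @@ mcs_file_read_all(postfix_master_t)
 
 term_dontaudit_search_ptys(postfix_master_t)
 
+hostname_exec(postfix_master_t)
+
 miscfiles_read_man_pages(postfix_master_t)
 
 seutil_sigchld_newrole(postfix_master_t)
@@ -326,6 +330,11 @@ optional_policy(`
 
 optional_policy(`
 mailman_manage_data_files(postfix_master_t)
+mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+milter_getattr_data_dir(postfix_master_t)
 ')
 
 optional_policy(`
@@ -371,6 +380,7 @@ allow postfix_cleanup_t self:process setrlimit;
 
 allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
 allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
 
 allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -397,6 +407,10 @@ corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
 mta_read_aliases(postfix_cleanup_t)
 
 optional_policy(`
+dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
 mailman_read_data_files(postfix_cleanup_t)
 ')
 
@@ -432,6 +446,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
 optional_policy(`
 clamav_search_lib(postfix_local_t)
 clamav_exec_clamscan(postfix_local_t)
+clamav_stream_connect(postfix_smtpd_t)
 ')
 
 optional_policy(`
@@ -549,6 +564,7 @@ allow postfix_pipe_t self:process setrlimit;
 
 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
 
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
 write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
 
 rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -567,6 +583,7 @@ optional_policy(`
 
 optional_policy(`
 mailman_domtrans_queue(postfix_pipe_t)
+mailman_domtrans(postfix_pipe_t)
 ')
 
 optional_policy(`
@@ -596,6 +613,9 @@ manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool
 
 allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
 
+# for /var/spool/postfix/public/pickup
+stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
 mcs_file_read_all(postfix_postdrop_t)
 mcs_file_write_all(postfix_postdrop_t)
 
@@ -654,6 +674,10 @@ optional_policy(`
 ppp_sigchld(postfix_postqueue_t)
 ')
 
+optional_policy(`
+userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
 ########################################
 #
 # Qmgr local policy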
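Review bot: Several new rules land under the wrong subject's section: `allow postfix_master_t self:process getsched;` sits among the `postfix_server_domain` rules, `mailman_search_data(postfix_pipe_t)` is added inside the master section's mailman block, and `clamav_stream_connect(postfix_smtpd_t)` goes into the local-delivery section's clamav block (the `tunable_policy(`postfix_local_write_mail_spool'` hunk header shows that context). refpolicy groups rules by the domain being granted, so these belong in the postfix_master_t, postfix_pipe_t and postfix_smtpd_t local-policy blocks respectively; the pipe and smtpd blocks start outside these hunks. The `stream_connect_pattern(postfix_postdrop_t, postfix_public_t, ...)` addition carries a why-comment (`# for /var/spool/postfix/public/pickup`), and the new `allow postfix_cleanup_t postfix_smtpd_t:fd use;` and `write_sock_files_pattern(postfix_pipe_t, postfix_public_t, ...)` lines would benefit from the same treatment.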
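diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 621e1817..be84e714 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.0)
+policy_module(postfixpolicyd, 1.5.1)
 
 ########################################
 #
@@ -15,6 +15,9 @@ files_config_file(postfix_policyd_conf_t)
 type postfix_policyd_initrc_exec_t;
 init_script_file(postfix_policyd_initrc_exec_t)
 
+type postfix_policyd_tmp_t;
+files_type(postfix_policyd_tmp_t)
+
 type postfix_policyd_var_run_t;
 files_pid_file(postfix_policyd_var_run_t)
 
@@ -23,8 +26,8 @@ files_pid_file(postfix_policyd_var_run_t)
 # Local policy
 #
 
-allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
-allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid setuid };
+allow postfix_policyd_t self:process { setrlimit signal signull };
 allow postfix_policyd_t self:tcp_socket { accept listen };
 
 allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
@@ -34,6 +37,13 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
 files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 
+allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
+files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
+
+kernel_search_network_sysctl(postfix_policyd_t)
+
+corecmd_exec_bin(postfix_policyd_t)
+
 corenet_all_recvfrom_unlabeled(postfix_policyd_t)
 corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
 corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
@@ -47,6 +57,8 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
 corenet_tcp_bind_mysqld_port(postfix_policyd_t)
 corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
 
+dev_read_urand(postfix_policyd_t)
+
 files_read_etc_files(postfix_policyd_t)
 files_read_usr_files(postfix_policyd_t)
 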
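Review bot: The new temporary type is declared with `files_type(postfix_policyd_tmp_t)`, but a type that receives `files_tmp_filetrans` should be declared with `files_tmp_file(postfix_policyd_tmp_t)` so it carries the tmpfile attribute that the tmp-cleaning and tmp-access interfaces key on (compare the var_run type just below, declared with `files_pid_file`). The raw `allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;` would conventionally be `manage_files_pattern(postfix_policyd_t, postfix_policyd_tmp_t, postfix_policyd_tmp_t)` plus `manage_sock_files_pattern(...)`, and the rewritten capability set `{ chown sys_chroot sys_resource setgid setuid }` is no longer alphabetized. `corecmd_exec_bin` and `kernel_search_network_sysctl` are added without a comment saying what the daemon executes or reads.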
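diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index ab5a8d3a..4fe73487 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.0)
+policy_module(postgrey, 1.11.1)
 
 ########################################
 #
@@ -34,6 +34,8 @@ dontaudit postgrey_t self:capability sys_tty_config;
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:fifo_file create_fifo_file_perms;
 allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
+allow postgrey_t self:udp_socket { connect connected_socket_perms };
 
 allow postgrey_t postgrey_etc_t:dir list_dir_perms;
 allow postgrey_t postgrey_etc_t:file read_file_perms;
@@ -55,7 +57,8 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t)
 
-corecmd_search_bin(postgrey_t)
+corecmd_read_bin_files(postgrey_t)
+corecmd_exec_bin(postgrey_t)
 
 corenet_all_recvfrom_unlabeled(postgrey_t)
 corenet_all_recvfrom_netlabel(postgrey_t)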
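Review bot: `corecmd_read_bin_files(postgrey_t)` looks redundant once `corecmd_exec_bin(postgrey_t)` is granted on the next line, since exec access to bin_t in refpolicy includes reading the files; unless a read-without-exec case exists, the single `corecmd_exec_bin` line suffices. Replacing `corecmd_search_bin` with `corecmd_exec_bin` also turns a directory search into the ability to execute anything in bin_t, so a comment naming the helper postgrey runs would justify the width. The new `udp_socket { connect connected_socket_perms }` and `netlink_route_socket` rules are typical of a DNS client; if that is the cause, a `sysnet_dns_name_resolve` call may already cover part of them, which is worth checking in the rest of the block outside the hunk.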
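diff --git a/policy/modules/contrib/procmail.fc b/policy/modules/contrib/procmail.fc
index bdff6c93..dac08916 100644
--- a/policy/modules/contrib/procmail.fc
+++ b/policy/modules/contrib/procmail.fc
@@ -1,5 +1,6 @@
 HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
 
+/usr/bin/maildrop -- gen_context(system_u:object_r:procmail_exec_t,s0)
 /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
 
 /var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)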
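Review bot: Labeling `/usr/bin/maildrop` as procmail_exec_t runs Courier's maildrop MDA in the procmail_t domain, and the procmail.te hunk in this commit adds the `courier_read_config`/`courier_stream_connect_authdaemon` rules that this implies, yet neither file records that the sharing is deliberate. A comment above the new line, e.g. `# maildrop is confined in procmail_t; see the courier rules in procmail.te`, would keep the next maintainer from "fixing" the label, and the procmail.te additions should carry the mirror note. If maildrop later needs rules procmail does not, a dedicated domain would be the cleaner split, since every grant made for one MDA now applies to both.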
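diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index 8a842661..cdd23cc9 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.14.0)
+policy_module(procmail, 1.14.1)
 
 ########################################
 #
@@ -96,6 +96,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+courier_read_config(procmail_t)
+courier_stream_connect_authdaemon(procmail_t)
+')
+
+optional_policy(`
 cyrus_stream_connect(procmail_t)
 ')
 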
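diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index de27cda7..58dce766 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -23,6 +23,7 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
 /var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
 
 /run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)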
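Review bot: The new `/run/spamassassin\.pid` entry omits the `--` file-type field, so it applies to any object type at that path, whereas the single-file entries elsewhere in the file (`/var/log/mimedefang.* --`) restrict themselves to regular files. `/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)` is the consistent form and matches how perdition.fc labels `/run/perdition\.pid`.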
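diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 4a9153ce..2f770d2d 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.0)
+policy_module(spamassassin, 2.10.1)
 
 ########################################
 #
@@ -46,6 +46,7 @@ type spamc_exec_t;
 typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
 typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
 userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
 
 type spamc_tmp_t;
 typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };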
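Review bot: `role system_r types spamc_t;` lets a user application domain be entered from the system role, and nothing says which daemon needs that; the milter.te hunk in this commit keeps `spamassassin_domtrans_client(spamass_milter_t)`, which is presumably the caller. A why-comment such as `# spamass-milter runs spamc from system_r` next to the role line would record the dependency so the role authorization is not dropped later as an apparent leftover.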