- Update to latest milter code from Paul Howarth

2009-04-24 13:16:13 +00:00 · 2009-04-24 13:16:13 +00:00 · 35ed99a81f
commit 35ed99a81f
parent db0dafaaeb
1 changed files with 87 additions and 56 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -779,7 +779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-04-23 17:21:40.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-04-24 09:02:26.000000000 -0400
@@ -24,7 +24,7 @@
 allow readahead_t self:capability { fowner dac_override dac_read_search };
@ -801,7 +801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 init_getattr_initctl(readahead_t)
 logging_send_syslog_msg(readahead_t)
-+logging_send_audit_msgs(readahead_t)
+logging_set_audit_parameters(readahead_t)
 logging_dontaudit_search_audit_config(readahead_t)
 miscfiles_read_localization(readahead_t)
@ -5035,6 +5035,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
 /dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-03-05 12:28:56.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-04-24 09:05:52.000000000 -0400
@@ -2268,6 +2268,25 @@
 ########################################
 ## <summary>
 +##	Delete the null device (/dev/null).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`dev_delete_null',`
 +	gen_require(`
 +		type device_t, null_device_t;
 +	')
 +
 +	allow $1 device_t:dir del_entry_dir_perms;
 +	allow $1 null_device_t:chr_file unlink;
 +')
 +
 +########################################
 +## <summary>
 ##	Read and write to the null device (/dev/null).
 ## </summary>
 ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2009-03-05 12:28:57.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.te	2009-04-23 09:44:57.000000000 -0400
@ -14835,7 +14864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.6.12/policy/modules/services/milter.te
 --- nsaserefpolicy/policy/modules/services/milter.te	2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.te	2009-04-24 07:22:01.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/milter.te	2009-04-24 08:31:02.000000000 -0400
@@ -14,6 +14,12 @@
 milter_template(regex)
 milter_template(spamass)
@ -14849,18 +14878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # milter-regex local policy
-@@ -21,6 +27,10 @@
+@@ -41,6 +47,10 @@
 #   http://www.benzedrine.cx/milter-regex.html
 #
 +# The milter runs from /var/lib/spamass-milter
 +files_search_var_lib(spamass_milter_t);
 +allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
 +
 # It removes any existing socket (not owned by root) whilst running as root
 # and then calls setgid() and setuid() to drop privileges
 allow regex_milter_t self:capability { setuid setgid dac_override };
@@ -41,6 +51,10 @@
 #   http://savannah.nongnu.org/projects/spamass-milt/
 #
@ -19956,7 +19974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.12/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2009-01-19 11:07:32.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/razor.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/razor.te	2009-04-24 08:32:37.000000000 -0400
@@ -6,6 +6,32 @@
 # Declarations
 #
@ -19990,12 +20008,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type razor_exec_t;
 corecmd_executable_file(razor_exec_t)
-@@ -122,3 +148,5 @@
+@@ -102,6 +128,8 @@
- optional_policy(`
+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
- 	nscd_socket_use(razor_t)
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
- ')
+ 
 +auth_use_nsswitch(razor_t)
 +
 logging_send_syslog_msg(razor_t)
 userdom_search_user_home_dirs(razor_t)
@@ -120,5 +148,7 @@
 ')
 optional_policy(`
 -	nscd_socket_use(razor_t)
 +	milter_manage_spamass_state(razor_t)
 +')
 +
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.12/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/ricci.te	2009-04-23 09:44:57.000000000 -0400
@ -21822,7 +21852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-04-24 07:23:40.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-04-24 08:31:39.000000000 -0400
@@ -20,6 +20,35 @@
 ## </desc>
 gen_tunable(spamd_enable_home_dirs, true)
@ -21935,7 +21965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_localization(spamc_t)
 # cjp: this should probably be removed:
-@@ -265,31 +324,35 @@
+@@ -265,13 +324,16 @@
 sysnet_read_config(spamc_t)
@ -21950,21 +21980,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	fs_manage_nfs_dirs(spamc_t)
 +	fs_manage_nfs_files(spamc_t)
 +	fs_manage_nfs_symlinks(spamc_t)
- ')
+')
- 
+
 -optional_policy(`
 -	# Allow connection to spamd socket above
 -	evolution_stream_connect(spamc_t)
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_manage_cifs_dirs(spamc_t)
 +	fs_manage_cifs_files(spamc_t)
 +	fs_manage_cifs_symlinks(spamc_t)
 ')
 optional_policy(`
@@ -280,16 +342,21 @@
 ')
 optional_policy(`
 -	nis_use_ypbind(spamc_t)
-+	# Allow connection to spamd socket above
+	milter_manage_spamass_state(spamc_t)
 +	evolution_stream_connect(spamc_t)
 ')
 optional_policy(`
@ -21983,7 +22013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -301,7 +364,7 @@
+@@ -301,7 +368,7 @@
 # setuids to the user running spamc.  Comment this if you are not
 # using this ability.
@ -21992,7 +22022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit spamd_t self:capability sys_tty_config;
 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamd_t self:fd use;
-@@ -317,10 +380,13 @@
+@@ -317,10 +384,13 @@
 allow spamd_t self:unix_stream_socket connectto;
 allow spamd_t self:tcp_socket create_stream_socket_perms;
 allow spamd_t self:udp_socket create_socket_perms;
@ -22007,7 +22037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
 manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +395,11 @@
+@@ -329,10 +399,11 @@
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@ -22020,7 +22050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
 kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +449,27 @@
+@@ -382,22 +453,27 @@
 init_dontaudit_rw_utmp(spamd_t)
@ -22052,7 +22082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	fs_manage_cifs_files(spamd_t)
 ')
-@@ -415,6 +487,7 @@
+@@ -415,6 +491,7 @@
 optional_policy(`
 	dcc_domtrans_client(spamd_t)
@ -22060,7 +22090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	dcc_stream_connect_dccifd(spamd_t)
 ')
-@@ -424,10 +497,6 @@
+@@ -424,10 +501,6 @@
 ')
 optional_policy(`
@ -22071,7 +22101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	postfix_read_config(spamd_t)
 ')
-@@ -442,6 +511,10 @@
+@@ -442,6 +515,10 @@
 optional_policy(`
 	razor_domtrans(spamd_t)
@ -22082,7 +22112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -454,5 +527,9 @@
+@@ -454,5 +531,9 @@
 ')
 optional_policy(`
@ -25882,7 +25912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-24 08:59:22.000000000 -0400
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart,false)
@ -26020,7 +26050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -270,16 +308,19 @@
+@@ -270,16 +308,20 @@
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
@ -26032,6 +26062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -dev_read_lvm_control(initrc_t)
 +dev_rw_lvm_control(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 +dev_delete_null(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
 # Wants to remove udev.tbl:
@ -26041,7 +26072,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -328,7 +369,7 @@
+@@ -328,7 +370,7 @@
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -26050,7 +26081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -343,14 +384,14 @@
+@@ -343,14 +385,14 @@
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -26067,7 +26098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_exec_etc_files(initrc_t)
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
-@@ -366,7 +407,9 @@
+@@ -366,7 +408,9 @@
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
@ -26077,7 +26108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(initrc_t)
 logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
-@@ -451,7 +494,7 @@
+@@ -451,7 +495,7 @@
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -26086,7 +26117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_dontaudit_read_root_files(initrc_t)
 	selinux_set_enforce_mode(initrc_t)
-@@ -465,6 +508,7 @@
+@@ -465,6 +509,7 @@
 	storage_raw_read_fixed_disk(initrc_t)
 	storage_raw_write_fixed_disk(initrc_t)
@ -26094,7 +26125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
 	# wants to read /.fonts directory
-@@ -498,6 +542,7 @@
+@@ -498,6 +543,7 @@
 	optional_policy(`
 		#for /etc/rc.d/init.d/nfs to create /etc/exports
 		rpc_write_exports(initrc_t)
@ -26102,7 +26133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	optional_policy(`
-@@ -516,6 +561,33 @@
+@@ -516,6 +562,33 @@
 	')
 ')
@ -26136,7 +26167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +642,10 @@
+@@ -570,6 +643,10 @@
 	dbus_read_config(initrc_t)
 	optional_policy(`
@ -26147,7 +26178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		networkmanager_dbus_chat(initrc_t)
 	')
 ')
-@@ -591,6 +667,10 @@
+@@ -591,6 +668,10 @@
 ')
 optional_policy(`
@ -26158,7 +26189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	dev_read_usbfs(initrc_t)
 	# init scripts run /etc/hotplug/usb.rc
-@@ -647,6 +727,11 @@
+@@ -647,6 +728,11 @@
 ')
 optional_policy(`
@ -26170,7 +26201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	mailman_list_data(initrc_t)
 	mailman_read_data_symlinks(initrc_t)
 ')
-@@ -655,12 +740,6 @@
+@@ -655,12 +741,6 @@
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
@ -26183,7 +26214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	ifdef(`distro_redhat',`
-@@ -719,8 +798,6 @@
+@@ -719,8 +799,6 @@
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -26192,7 +26223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -733,10 +810,12 @@
+@@ -733,10 +811,12 @@
 	squid_manage_logs(initrc_t)
 ')
@ -26205,7 +26236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +833,11 @@
+@@ -754,6 +834,11 @@
 	uml_setattr_util_sockets(initrc_t)
 ')
@ -26217,7 +26248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	unconfined_domain(initrc_t)
-@@ -765,6 +849,13 @@
+@@ -765,6 +850,13 @@
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -26231,7 +26262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -790,3 +881,35 @@
+@@ -790,3 +882,35 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -26811,7 +26842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.12/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/logging.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/logging.if	2009-04-24 09:01:14.000000000 -0400
@@ -623,7 +623,7 @@
 	')