procmail uses /tmp files

Wants to send signull to itself Can exec ls Read spamassinn_lib_dirs New directory for spamassin /var/lib/ pyzor uses tmp files
2007-03-07 21:33:22 +00:00 · 2007-03-07 21:33:22 +00:00 · 59bedc1886
parent 7aefc69117
commit 59bedc1886
7 changed files with 73 additions and 6 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
 - Patch for setroubleshoot for validating file contexts from Dan Walsh.
 - Patch for gssd fixes from Dan Walsh.
 - Patch for lvm fixes from Dan Walsh.
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@ -1,5 +1,5 @@

-policy_module(procmail,1.4.0)
+policy_module(procmail,1.4.1)

 ########################################
 #
@ -12,19 +12,25 @@ domain_type(procmail_t)
 domain_entry_file(procmail_t,procmail_exec_t)
 role system_r types procmail_t;

+type procmail_tmp_t;
+files_tmp_file(procmail_tmp_t)
+
 ########################################
 #
 # Local policy
 #

 allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-allow procmail_t self:process { setsched signal };
+allow procmail_t self:process { setsched signal signull };
 allow procmail_t self:fifo_file rw_fifo_file_perms;
 allow procmail_t self:unix_stream_socket create_socket_perms;
 allow procmail_t self:unix_dgram_socket create_socket_perms;
 allow procmail_t self:tcp_socket create_stream_socket_perms;
 allow procmail_t self:udp_socket create_socket_perms;

+allow procmail_t procmail_tmp_t:file manage_file_perms;
+files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+
 kernel_read_system_state(procmail_t)
 kernel_read_kernel_sysctls(procmail_t)

@ -50,6 +56,7 @@ auth_use_nsswitch(procmail_t)
 corecmd_exec_bin(procmail_t)
 corecmd_exec_shell(procmail_t)
 corecmd_dontaudit_search_sbin(procmail_t)
+corecmd_exec_ls(procmail_t)

 files_read_etc_files(procmail_t)
 files_read_etc_runtime_files(procmail_t)
@ -115,8 +122,7 @@ optional_policy(`
 optional_policy(`
 	corenet_udp_bind_generic_port(procmail_t)

-	files_getattr_tmp_dirs(procmail_t)
-
 	spamassassin_exec(procmail_t)
 	spamassassin_exec_client(procmail_t)
+	spamassassin_read_lib_files(procmail_t)
 ')
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@ -64,6 +64,10 @@ interface(`pyzor_exec',`
 ## </param>
 #
 template(`pyzor_per_role_template',`
+	gen_require(`
+		type pyzord_t;
+	')
+
 	type $1_pyzor_home_t;
 	userdom_user_home_content($1,$1_pyzor_home_t)

--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@ -1,5 +1,5 @@

-policy_module(pyzor,1.1.1)
+policy_module(pyzor,1.1.2)

 ########################################
 #
@ -23,6 +23,9 @@ files_type(pyzor_etc_t)
 type pyzord_log_t;
 logging_log_file(pyzord_log_t)

+type pyzor_tmp_t;
+files_tmp_file(pyzor_tmp_t)
+
 type pyzor_var_lib_t;
 files_type(pyzor_var_lib_t)

@ -37,6 +40,10 @@ allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
 read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
 files_search_var_lib(pyzor_t)

+manage_files_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
+manage_dirs_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
+files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
+
 kernel_read_kernel_sysctls(pyzor_t)  
 kernel_read_system_state(pyzor_t)

--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@ -6,6 +6,8 @@

 /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)

+/var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)

 ifdef(`strict_policy',`
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@ -460,6 +460,45 @@ template(`spamassassin_domtrans_user_local_client',`
 	domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t)
 ')

+########################################
+## <summary>
+##	read spamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`spamassassin_read_lib_files',`
+	gen_require(`
+		type spamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	spamd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`spamassassin_manage_lib_files',`
+	gen_require(`
+		type spamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##      Read temporary spamd file.
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@ -1,5 +1,5 @@

-policy_module(spamassassin,1.5.1)
+policy_module(spamassassin,1.5.2)

 ########################################
 #
@ -20,6 +20,10 @@ files_type(spamd_spool_t)
 type spamd_tmp_t;
 files_tmp_file(spamd_tmp_t)

+# var/lib files
+type spamd_var_lib_t;
+files_type(spamd_var_lib_t)
+
 type spamd_var_run_t;
 files_pid_file(spamd_var_run_t)

@ -61,6 +65,10 @@ manage_dirs_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
 manage_files_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
 files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })

+# var/lib files for spamd
+allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
+
 manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
 files_pid_filetrans(spamd_t,spamd_var_run_t,file)