diff --git a/Changelog b/Changelog
index c04f3bbd..b9f3917e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
- Patch for setroubleshoot for validating file contexts from Dan Walsh.
- Patch for gssd fixes from Dan Walsh.
- Patch for lvm fixes from Dan Walsh.
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 870f6cf6..77d54373 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.4.0)
+policy_module(procmail,1.4.1)
########################################
#
@@ -12,19 +12,25 @@ domain_type(procmail_t)
domain_entry_file(procmail_t,procmail_exec_t)
role system_r types procmail_t;
+type procmail_tmp_t;
+files_tmp_file(procmail_tmp_t)
+
########################################
#
# Local policy
#
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-allow procmail_t self:process { setsched signal };
+allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
allow procmail_t self:unix_stream_socket create_socket_perms;
allow procmail_t self:unix_dgram_socket create_socket_perms;
allow procmail_t self:tcp_socket create_stream_socket_perms;
allow procmail_t self:udp_socket create_socket_perms;
+allow procmail_t procmail_tmp_t:file manage_file_perms;
+files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
@@ -50,6 +56,7 @@ auth_use_nsswitch(procmail_t)
corecmd_exec_bin(procmail_t)
corecmd_exec_shell(procmail_t)
corecmd_dontaudit_search_sbin(procmail_t)
+corecmd_exec_ls(procmail_t)
files_read_etc_files(procmail_t)
files_read_etc_runtime_files(procmail_t)
@@ -115,8 +122,7 @@ optional_policy(`
optional_policy(`
corenet_udp_bind_generic_port(procmail_t)
- files_getattr_tmp_dirs(procmail_t)
-
spamassassin_exec(procmail_t)
spamassassin_exec_client(procmail_t)
+ spamassassin_read_lib_files(procmail_t)
')
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index 0b98efe8..5ee2ba4a 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -64,6 +64,10 @@ interface(`pyzor_exec',`
##
#
template(`pyzor_per_role_template',`
+ gen_require(`
+ type pyzord_t;
+ ')
+
type $1_pyzor_home_t;
userdom_user_home_content($1,$1_pyzor_home_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index f89dd6f8..bbf655d5 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
-policy_module(pyzor,1.1.1)
+policy_module(pyzor,1.1.2)
########################################
#
@@ -23,6 +23,9 @@ files_type(pyzor_etc_t)
type pyzord_log_t;
logging_log_file(pyzord_log_t)
+type pyzor_tmp_t;
+files_tmp_file(pyzor_tmp_t)
+
type pyzor_var_lib_t;
files_type(pyzor_var_lib_t)
@@ -37,6 +40,10 @@ allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
files_search_var_lib(pyzor_t)
+manage_files_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
+manage_dirs_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
+files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
+
kernel_read_kernel_sysctls(pyzor_t)
kernel_read_system_state(pyzor_t)
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 3da71077..471cf9fc 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -6,6 +6,8 @@
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
ifdef(`strict_policy',`
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 6723760a..304224e5 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -460,6 +460,45 @@ template(`spamassassin_domtrans_user_local_client',`
domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t)
')
+########################################
+##
+## read spamd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`spamassassin_read_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## spamd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`spamassassin_manage_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+')
+
########################################
##
## Read temporary spamd file.
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index b1643ce5..7d0717e1 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.5.1)
+policy_module(spamassassin,1.5.2)
########################################
#
@@ -20,6 +20,10 @@ files_type(spamd_spool_t)
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)
+# var/lib files
+type spamd_var_lib_t;
+files_type(spamd_var_lib_t)
+
type spamd_var_run_t;
files_pid_file(spamd_var_run_t)
@@ -61,6 +65,10 @@ manage_dirs_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
manage_files_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+# var/lib files for spamd
+allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
+
manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
files_pid_filetrans(spamd_t,spamd_var_run_t,file)