diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index ce14018a..433d80fe 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -53,7 +53,6 @@ DISTRO = redhat
 # run init scripts, instead of requring run_init.
 # This is a build option, as role transitions do
 # not work in conditional policy.
-# This option will be impled as y for redhat policies.
 DIRECT_INITRC=y
 # Build monolithic policy. Putting n here
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index b310268d..9fd66791 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -57,6 +57,7 @@ template(`su_restricted_domain_template', `
 domain_use_wide_inherit_fd($1_su_t)
 files_read_etc_files($1_su_t)
+files_read_etc_runtime_files($1_su_t)
 files_search_var_lib($1_su_t)
 init_dontaudit_use_fd($1_su_t)
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
index 56158ebc..65aaf77d 100644
--- a/refpolicy/policy/modules/admin/su.te
+++ b/refpolicy/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
-policy_module(su,1.0)
+policy_module(su,1.0.1)
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 041da68b..62862a33 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -632,7 +632,7 @@ ifdef(`targeted_policy', `
 allow initrc_t cupsd_t:dbus send_msg;
 allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
 allow unconfined_t cupsd_config_t:dbus send_msg;
-allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
+allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file r_file_perms;
 term_use_generic_pty(cupsd_config_t)
 ')
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 187d09b7..718dc0f3 100644
--- a/refpolicy/policy/modules/services/dovecot.te
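Review bot: The replaced line in the cups.te hunk widens the access on pipes inherited from unconfined_t from the single `read` permission to the `r_file_perms` macro, which in this tree also grants getattr, lock and ioctl on those fifo_files. If the denial being fixed was only a missing getattr, the narrower `allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file { getattr read };` keeps the targeted-policy exception minimal. A short comment on the rule naming the operation that needed more than `read` would make the widening easier to audit later. The enclosing `ifdef(`targeted_policy', `` block starts outside the hunk.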
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot,1.0.1)
+policy_module(dovecot,1.0.2)
 ########################################
 #
@@ -159,8 +159,10 @@ kernel_read_system_state(dovecot_auth_t)
 dev_read_urand(dovecot_auth_t)
 auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
 files_read_etc_files(dovecot_auth_t)
+files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
 libs_use_ld_so(dovecot_auth_t)
diff --git a/refpolicy/policy/modules/services/privoxy.fc b/refpolicy/policy/modules/services/privoxy.fc
index f8f42d32..79e1e132 100644
--- a/refpolicy/policy/modules/services/privoxy.fc
+++ b/refpolicy/policy/modules/services/privoxy.fc
@@ -1,4 +1,6 @@
+/etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+
 /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
 /var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index f112cb0f..5b2780c5 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
-policy_module(privoxy,1.0)
+policy_module(privoxy,1.0.1)
 ########################################
 #
@@ -10,6 +10,9 @@ type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t,privoxy_exec_t)
+type privoxy_etc_rw_t;
+files_type(privoxy_etc_rw_t)
+
 type privoxy_log_t;
 logging_log_file(privoxy_log_t)
@@ -25,6 +28,8 @@ allow privoxy_t self:capability { setgid setuid };
 dontaudit privoxy_t self:capability sys_tty_config;
 allow privoxy_t self:tcp_socket create_stream_socket_perms;
+allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
+
 allow privoxy_t privoxy_log_t:file create_file_perms;
 allow privoxy_t privoxy_log_t:dir rw_dir_perms;
 logging_create_log(privoxy_t,privoxy_log_t)
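Review bot: `auth_use_nsswitch(dovecot_auth_t)` in the second dovecot.te hunk is a broad interface: in refpolicy it typically expands to name-service lookups over the network (DNS resolution, plus LDAP/NIS/nscd access through optional policy) on top of local passwd and group reads, so the authentication helper gains outbound network access it did not have before. If dovecot_auth_t only needs local file-based lookups, the more specific file-read interfaces keep the domain tighter; if remote lookups are the intent, a comment such as `# user lookups may go through nsswitch backends (NIS/LDAP); needs network` above the call would record the decision. The same call is added to saslauthd_t in the sasl.te hunk, and the same question applies there.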
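Review bot: The `allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;` line in the third privoxy.te hunk lets the daemon rewrite one of its own configuration files under /etc, and neither the new type declaration nor the rule says why, which matters because a compromised privoxy_t can then persist changes to its own action rules. A comment above `type privoxy_etc_rw_t;` such as `# user.action is presumably written by privoxy's own action editor - TODO confirm` would tell the next reader this is intended and which code path needs it. `rw_file_perms` does not cover replacing the file (no create or rename in the directory is granted), so if privoxy writes a temporary file and renames it into place the new rule will still be denied; worth checking against the daemon's actual write pattern. Since the type labels a configuration file, declaring it with `files_config_file` instead of plain `files_type`, if this tree already provides that interface, would keep it consistent with other /etc file types.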
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index bc9e6048..38623165 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.0.0)
+policy_module(procmail,1.0.1)
 ########################################
 #
@@ -38,6 +38,7 @@ corenet_tcp_sendrecv_all_ports(procmail_t)
 corenet_udp_sendrecv_all_ports(procmail_t)
 corenet_tcp_bind_all_nodes(procmail_t)
 corenet_udp_bind_all_nodes(procmail_t)
+corenet_tcp_connect_spamd_port(procmail_t)
 dev_read_urand(procmail_t)
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index 514a0a2f..2baadce8 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl,1.0)
+policy_module(sasl,1.0.1)
 ########################################
 #
@@ -50,10 +50,12 @@ fs_search_auto_mountpoints(saslauthd_t)
 term_dontaudit_use_console(saslauthd_t)
 auth_domtrans_chk_passwd(saslauthd_t)
+auth_use_nsswitch(saslauthd_t)
 domain_use_wide_inherit_fd(saslauthd_t)
 files_read_etc_files(saslauthd_t)
+files_read_etc_runtime_files(saslauthd_t)
 files_search_var_lib(saslauthd_t)
 files_dontaudit_getattr_home_dir(saslauthd_t)
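Review bot: The added `corenet_tcp_connect_spamd_port(procmail_t)` in the second procmail.te hunk grants every procmail instance an outbound connection to the spamd port unconditionally, while only deployments that pipe mail through spamc from a procmailrc need it. A comment naming the consumer, e.g. `# spamc run from procmailrc connects to spamd`, would document the reason, and if this tree guards optional integrations with `optional_policy` or a tunable, wrapping the call the same way would keep the default procmail domain narrower. The surrounding `corenet_tcp_sendrecv_all_ports` rule does not by itself permit the connect, so this line is the one that opens the path and is the one to annotate.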