From 78510c55e89642b1b08f6ec55cad0445b80ccf14 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Tue, 29 Nov 2005 21:51:24 +0000
Subject: [PATCH] patch from dan

---
 refpolicy/Makefile                            | 1 -
 refpolicy/policy/modules/admin/su.if          | 1 +
 refpolicy/policy/modules/admin/su.te          | 2 +-
 refpolicy/policy/modules/services/cups.te     | 2 +-
 refpolicy/policy/modules/services/dovecot.te  | 4 +++-
 refpolicy/policy/modules/services/privoxy.fc  | 2 ++
 refpolicy/policy/modules/services/privoxy.te  | 7 ++++++-
 refpolicy/policy/modules/services/procmail.te | 3 ++-
 refpolicy/policy/modules/services/sasl.te     | 4 +++-
 9 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index ce14018a..433d80fe 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -53,7 +53,6 @@ DISTRO = redhat
 # run init scripts, instead of requring run_init.
 # This is a build option, as role transitions do
 # not work in conditional policy.
-# This option will be impled as y for redhat policies.
 DIRECT_INITRC=y
 
 # Build monolithic policy.  Putting n here
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index b310268d..9fd66791 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -57,6 +57,7 @@ template(`su_restricted_domain_template', `
 	domain_use_wide_inherit_fd($1_su_t)
 
 	files_read_etc_files($1_su_t)
+	files_read_etc_runtime_files($1_su_t)
 	files_search_var_lib($1_su_t)
 
 	init_dontaudit_use_fd($1_su_t)
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
index 56158ebc..65aaf77d 100644
--- a/refpolicy/policy/modules/admin/su.te
+++ b/refpolicy/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
 
-policy_module(su,1.0)
+policy_module(su,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 041da68b..62862a33 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -632,7 +632,7 @@ ifdef(`targeted_policy', `
 	allow initrc_t cupsd_t:dbus send_msg;
 	allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
 	allow unconfined_t cupsd_config_t:dbus send_msg;
-	allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
+	allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file r_file_perms;
 	term_use_generic_pty(cupsd_config_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 187d09b7..718dc0f3 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.0.1)
+policy_module(dovecot,1.0.2)
 
 ########################################
 #
@@ -159,8 +159,10 @@ kernel_read_system_state(dovecot_auth_t)
 dev_read_urand(dovecot_auth_t)
 
 auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_use_nsswitch(dovecot_auth_t)
 
 files_read_etc_files(dovecot_auth_t)
+files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
 
 libs_use_ld_so(dovecot_auth_t)
diff --git a/refpolicy/policy/modules/services/privoxy.fc b/refpolicy/policy/modules/services/privoxy.fc
index f8f42d32..79e1e132 100644
--- a/refpolicy/policy/modules/services/privoxy.fc
+++ b/refpolicy/policy/modules/services/privoxy.fc
@@ -1,4 +1,6 @@
 
+/etc/privoxy/user\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+
 /usr/sbin/privoxy	--	gen_context(system_u:object_r:privoxy_exec_t,s0)
 
 /var/log/privoxy(/.*)?		gen_context(system_u:object_r:privoxy_log_t,s0)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index f112cb0f..5b2780c5 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
 
-policy_module(privoxy,1.0)
+policy_module(privoxy,1.0.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t,privoxy_exec_t)
 
+type privoxy_etc_rw_t;
+files_type(privoxy_etc_rw_t)
+
 type privoxy_log_t;
 logging_log_file(privoxy_log_t)
 
@@ -25,6 +28,8 @@ allow privoxy_t self:capability { setgid setuid };
 dontaudit privoxy_t self:capability sys_tty_config;
 allow privoxy_t self:tcp_socket create_stream_socket_perms;
 
+allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
+
 allow privoxy_t privoxy_log_t:file create_file_perms;
 allow privoxy_t privoxy_log_t:dir rw_dir_perms;
 logging_create_log(privoxy_t,privoxy_log_t)
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index bc9e6048..38623165 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
 
-policy_module(procmail,1.0.0)
+policy_module(procmail,1.0.1)
 
 ########################################
 #
@@ -38,6 +38,7 @@ corenet_tcp_sendrecv_all_ports(procmail_t)
 corenet_udp_sendrecv_all_ports(procmail_t)
 corenet_tcp_bind_all_nodes(procmail_t)
 corenet_udp_bind_all_nodes(procmail_t)
+corenet_tcp_connect_spamd_port(procmail_t)
 
 dev_read_urand(procmail_t)
 
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index 514a0a2f..2baadce8 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
 
-policy_module(sasl,1.0)
+policy_module(sasl,1.0.1)
 
 ########################################
 #
@@ -50,10 +50,12 @@ fs_search_auto_mountpoints(saslauthd_t)
 term_dontaudit_use_console(saslauthd_t)
 
 auth_domtrans_chk_passwd(saslauthd_t)
+auth_use_nsswitch(saslauthd_t)
 
 domain_use_wide_inherit_fd(saslauthd_t)
 
 files_read_etc_files(saslauthd_t)
+files_read_etc_runtime_files(saslauthd_t)
 files_search_var_lib(saslauthd_t)
 files_dontaudit_getattr_home_dir(saslauthd_t)