- allow dovecot to search mountpoints

This commit is contained in:
Daniel J Walsh 2007-08-15 00:55:49 +00:00
parent 0354c22269
commit 7f6883ca6e
2 changed files with 378 additions and 96 deletions


@ -2616,7 +2616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.5/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/kernel/files.if 2007-08-09 14:25:41.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/kernel/files.if 2007-08-14 08:15:36.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@ -2667,7 +2667,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -3323,6 +3339,24 @@
@@ -885,6 +901,8 @@
attribute file_type;
')
+ # Have to be able to read badly labeled files like file_context and ld.so.cache
+ files_read_all_files($1)
allow $1 { file_type $2 }:dir list_dir_perms;
relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 })
relabel_files_pattern($1,{ file_type $2 },{ file_type $2 })
@@ -1106,6 +1124,24 @@
########################################
## <summary>
+## search all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## List the contents of the root directory.
## </summary>
## <param name="domain">
@@ -3323,6 +3359,24 @@
########################################
## <summary>
@ -2692,7 +2726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
@@ -3381,7 +3415,7 @@
@@ -3381,7 +3435,7 @@
########################################
## <summary>
@ -2701,7 +2735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## </summary>
## <param name="domain">
## <summary>
@@ -3389,17 +3423,17 @@
@@ -3389,17 +3443,17 @@
## </summary>
## </param>
#
@ -2722,7 +2756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## </summary>
## <param name="domain">
## <summary>
@@ -3407,12 +3441,12 @@
@@ -3407,12 +3461,12 @@
## </summary>
## </param>
#
@ -2737,7 +2771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -4043,7 +4077,7 @@
@@ -4043,7 +4097,7 @@
type var_t, var_lock_t;
')
@ -2746,7 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -4560,6 +4594,8 @@
@@ -4560,6 +4614,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@ -2755,7 +2789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
@@ -4582,6 +4618,11 @@
@@ -4582,6 +4638,11 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@ -2767,7 +2801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -4619,3 +4660,28 @@
@@ -4619,3 +4680,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@ -3467,7 +3501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.5/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/apache.te 2007-08-07 10:24:54.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/apache.te 2007-08-14 10:30:04.000000000 -0400
@@ -30,6 +30,13 @@
## <desc>
@ -4156,8 +4190,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.5/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/clamav.te 2007-08-07 09:39:49.000000000 -0400
@@ -74,17 +74,19 @@
+++ serefpolicy-3.0.5/policy/modules/services/clamav.te 2007-08-13 19:29:14.000000000 -0400
@@ -74,17 +74,20 @@
manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
# log files
@ -4177,10 +4211,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
+kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
@@ -208,9 +210,12 @@
@@ -208,9 +211,12 @@
files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
# var/lib files together with clamd
@ -4194,7 +4229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
kernel_read_kernel_sysctls(clamscan_t)
files_read_etc_files(clamscan_t)
@@ -228,3 +233,7 @@
@@ -228,3 +234,7 @@
optional_policy(`
apache_read_sys_content(clamscan_t)
')
@ -5143,7 +5178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.5/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/dovecot.te 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/dovecot.te 2007-08-14 08:15:55.000000000 -0400
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@ -5175,6 +5210,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
@@ -99,7 +105,7 @@
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
init_getattr_utmp(dovecot_t)
@@ -111,9 +117,6 @@
miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
@ -5238,7 +5282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
@@ -185,12 +190,41 @@
@@ -185,12 +190,46 @@
seutil_dontaudit_search_config(dovecot_auth_t)
@ -5259,6 +5303,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+ postfix_search_spool(dovecot_auth_t)
+')
+
+# for gssapi (kerberos)
+userdom_list_unpriv_users_tmp(dovecot_auth_t)
+userdom_read_unpriv_users_tmp_files(dovecot_auth_t)
+userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t)
+
+########################################
+#
@ -5283,6 +5331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.5/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ftp.te 2007-08-07 09:39:49.000000000 -0400
@ -5704,8 +5753,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.5/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/mailman.te 2007-08-07 09:39:49.000000000 -0400
@@ -96,6 +96,7 @@
+++ serefpolicy-3.0.5/policy/modules/services/mailman.te 2007-08-13 19:39:48.000000000 -0400
@@ -55,6 +55,7 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
optional_policy(`
nscd_socket_use(mailman_cgi_t)
@@ -96,6 +97,7 @@
kernel_read_proc_symlinks(mailman_queue_t)
auth_domtrans_chk_passwd(mailman_queue_t)
@ -6003,7 +6060,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.5/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-10 15:24:52.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-13 06:44:14.000000000 -0400
@@ -20,7 +20,7 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
@@ -41,6 +41,8 @@
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
@ -6169,8 +6235,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.0.5/policy/modules/services/ntp.fc
--- nsaserefpolicy/policy/modules/services/ntp.fc 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ntp.fc 2007-08-07 09:39:49.000000000 -0400
@@ -17,3 +17,7 @@
+++ serefpolicy-3.0.5/policy/modules/services/ntp.fc 2007-08-11 23:28:27.000000000 -0400
@@ -17,3 +17,8 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
@ -6178,16 +6244,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.0.5/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ntp.if 2007-08-10 15:57:31.000000000 -0400
@@ -53,3 +53,41 @@
+++ serefpolicy-3.0.5/policy/modules/services/ntp.if 2007-08-11 07:50:33.000000000 -0400
@@ -53,3 +53,59 @@
corecmd_search_bin($1)
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ntp_script_domtrans',`
+ gen_require(`
+ type ntpd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,ntpd_script_exec_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## ntp pid file
+## </summary>
@ -6225,18 +6310,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.5/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ntp.te 2007-08-07 09:39:49.000000000 -0400
@@ -25,6 +25,9 @@
+++ serefpolicy-3.0.5/policy/modules/services/ntp.te 2007-08-11 07:40:43.000000000 -0400
@@ -25,6 +25,12 @@
type ntpdate_exec_t;
init_system_domain(ntpd_t,ntpdate_exec_t)
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
+type ntpd_script_exec_t;
+init_script_type(ntpd_script_exec_t)
+
########################################
#
# Local policy
@@ -36,6 +39,7 @@
@@ -36,6 +42,7 @@
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
@ -6244,7 +6332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
@@ -49,6 +53,8 @@
@@ -49,6 +56,8 @@
manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
@ -6253,7 +6341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
# for some reason it creates a file in /tmp
manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
@@ -82,6 +88,8 @@
@@ -82,6 +91,8 @@
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
@ -6262,7 +6350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
auth_use_nsswitch(ntpd_t)
@@ -107,6 +115,8 @@
@@ -107,6 +118,8 @@
sysnet_read_config(ntpd_t)
@ -6271,7 +6359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
@@ -126,9 +136,14 @@
@@ -126,9 +139,14 @@
')
optional_policy(`
@ -6653,7 +6741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.5/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/postfix.te 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/postfix.te 2007-08-13 19:37:24.000000000 -0400
@@ -83,6 +83,12 @@
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
@ -6697,7 +6785,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
###########################################################
#
# Partially converted rules. THESE ARE ONLY TEMPORARY
@@ -377,7 +396,7 @@
@@ -263,6 +282,8 @@
files_read_etc_files(postfix_local_t)
+logging_dontaudit_search_logs(postfix_local_t)
+
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
@@ -377,7 +398,7 @@
# Postfix pipe local policy
#
@ -6706,7 +6803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
@@ -386,6 +405,10 @@
@@ -386,6 +407,10 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
@ -6717,7 +6814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
procmail_domtrans(postfix_pipe_t)
')
@@ -426,6 +449,11 @@
@@ -426,6 +451,11 @@
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@ -6729,7 +6826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
ppp_use_fds(postfix_postqueue_t)
ppp_sigchld(postfix_postqueue_t)
@@ -505,8 +533,6 @@
@@ -505,8 +535,6 @@
# Postfix smtp delivery local policy
#
@ -6738,7 +6835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# connect to master process
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
@@ -514,6 +540,8 @@
@@ -514,6 +542,8 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@ -6747,7 +6844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
@@ -538,9 +566,45 @@
@@ -538,9 +568,45 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
@ -7024,7 +7121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_search_auto_mountpoints($1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.5/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/rpc.te 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/rpc.te 2007-08-13 07:08:48.000000000 -0400
@@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@ -7083,18 +7180,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
@@ -158,6 +171,11 @@
miscfiles_read_certs(gssd_t)
+ifdef(`targeted_policy',`
+ # Manage the users kerberos tgt file
+ files_manage_generic_tmp_files(gssd_t)
+')
+
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.5/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/rshd.te 2007-08-07 09:39:49.000000000 -0400
@ -7923,7 +8008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.5/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ssh.te 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ssh.te 2007-08-14 20:40:43.000000000 -0400
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@ -7933,7 +8018,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# ssh client executable.
type ssh_exec_t;
@@ -100,6 +100,11 @@
@@ -73,6 +73,8 @@
manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+fs_search_auto_mountpoints(sshd_t)
+
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
@@ -100,6 +102,11 @@
userdom_use_unpriv_users_ptys(sshd_t)
')
@ -7945,7 +8039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
@@ -119,7 +124,12 @@
@@ -119,7 +126,12 @@
')
optional_policy(`
@ -9189,8 +9283,139 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.5/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/init.if 2007-08-07 09:39:49.000000000 -0400
@@ -1250,7 +1250,7 @@
+++ serefpolicy-3.0.5/policy/modules/system/init.if 2007-08-11 23:38:19.000000000 -0400
@@ -538,18 +538,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute initscript;
')
files_list_etc($1)
- spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
+ spec_domtrans_pattern($1,initscript,initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 initscript:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 initscript:process s0 - mls_systemhigh;
')
')
@@ -565,18 +566,46 @@
#
interface(`init_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute initscript;
')
files_list_etc($1)
- domtrans_pattern($1,initrc_exec_t,initrc_t)
+ domtrans_pattern($1,initscript,initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 initscript:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 initscript:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Execute init a specific script with an automatic domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_script_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ files_list_etc($1)
+ domtrans_pattern($1,$2,initrc_t)
+
+ ifdef(`enable_mcs',`
+ range_transition $1 $2:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 $2:process s0 - mls_systemhigh;
')
')
@@ -607,11 +636,11 @@
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_list_etc($1)
- domain_auto_trans($1,initrc_exec_t,$2)
+ domain_auto_trans($1,initscript,$2)
')
########################################
@@ -682,11 +711,11 @@
#
interface(`init_getattr_script_files',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_list_etc($1)
- allow $1 initrc_exec_t:file getattr;
+ allow $1 initscript:file getattr;
')
########################################
@@ -701,11 +730,11 @@
#
interface(`init_exec_script_files',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_list_etc($1)
- can_exec($1,initrc_exec_t)
+ can_exec($1,initscript)
')
########################################
@@ -1028,11 +1057,11 @@
#
interface(`init_read_script_files',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_search_etc($1)
- allow $1 initrc_exec_t:file read_file_perms;
+ allow $1 initscript:file read_file_perms;
')
########################################
@@ -1250,7 +1279,7 @@
type initrc_var_run_t;
')
@ -9199,7 +9424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
@@ -1271,3 +1271,42 @@
@@ -1271,3 +1300,64 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
@ -9242,9 +9467,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
+ allow $1 init_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Make the specified type usable for initscripts
+## in a filesystem.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+#
+interface(`init_script_type',`
+ gen_require(`
+ type initrc_t;
+ attribute initscript;
+ ')
+
+ typeattribute $1 initscript;
+ domain_entry_file(initrc_t,$1)
+
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.5/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/init.te 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/init.te 2007-08-11 07:48:04.000000000 -0400
@@ -10,6 +10,20 @@
# Declarations
#
@ -9266,7 +9513,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
@@ -73,7 +87,7 @@
@@ -19,6 +33,8 @@
# Mark process types as daemons
attribute daemon;
+attribute initscript;
+
#
# init_t is the domain of the init process.
#
@@ -45,7 +61,7 @@
mls_trusted_object(initctl_t)
type initrc_t;
-type initrc_exec_t;
+type initrc_exec_t, initscript;
domain_type(initrc_t)
domain_entry_file(initrc_t,initrc_exec_t)
role system_r types initrc_t;
@@ -73,7 +89,7 @@
#
# Use capabilities. old rule:
@ -9275,7 +9540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -189,7 +203,7 @@
@@ -189,7 +205,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -9284,7 +9549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
@@ -204,8 +218,7 @@
@@ -204,10 +220,9 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
@ -9292,9 +9557,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
-init_exec(initrc_t)
+init_telinit(initrc_t)
can_exec(initrc_t,initrc_exec_t)
-can_exec(initrc_t,initrc_exec_t)
+can_exec(initrc_t,initscript)
@@ -501,6 +514,39 @@
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
@@ -501,6 +516,39 @@
')
optional_policy(`
@ -9334,7 +9602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
')
@@ -636,12 +682,6 @@
@@ -636,12 +684,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@ -9347,7 +9615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ifdef(`distro_redhat',`
@@ -707,6 +747,9 @@
@@ -707,6 +749,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@ -9474,17 +9742,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ld_so_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.5/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/libraries.te 2007-08-11 06:57:43.000000000 -0400
@@ -46,7 +46,7 @@
+++ serefpolicy-3.0.5/policy/modules/system/libraries.te 2007-08-13 07:20:30.000000000 -0400
@@ -44,9 +44,9 @@
# ldconfig local policy
#
allow ldconfig_t self:capability sys_chroot;
-allow ldconfig_t self:capability sys_chroot;
+allow ldconfig_t self:capability { dac_override sys_chroot };
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -96,4 +96,11 @@
@@ -62,6 +62,7 @@
domain_use_interactive_fds(ldconfig_t)
+files_search_home(ldconfig_t)
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_search_tmp(ldconfig_t)
@@ -96,4 +97,11 @@
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
@ -9584,7 +9863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.5/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/logging.if 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/logging.if 2007-08-13 19:36:18.000000000 -0400
@@ -33,8 +33,13 @@
## </param>
#
@ -10693,7 +10972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.5/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/sysnetwork.te 2007-08-10 16:21:05.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/sysnetwork.te 2007-08-11 07:46:16.000000000 -0400
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
@ -10714,7 +10993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
@@ -205,7 +209,13 @@
@@ -205,7 +209,12 @@
optional_policy(`
# dhclient sometimes starts ntpd
init_exec_script_files(dhcpc_t)
@ -10723,12 +11002,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+optional_policy(`
ntp_domtrans(dhcpc_t)
+ ntp_domtrans_ntpdate(dhcpc_t)
+ ntp_manage_pid(dhcpc_t)
+ ntp_signal(dhcpc_t)
+ ntp_script_domtrans(dhcpc_t)
')
optional_policy(`
@@ -216,6 +226,7 @@
@@ -216,6 +225,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@ -10736,7 +11014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
@@ -280,6 +291,8 @@
@@ -280,6 +290,8 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@ -10849,7 +11127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.5/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/unconfined.if 2007-08-10 15:24:16.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/unconfined.if 2007-08-14 10:30:29.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@ -10901,7 +11179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
')
@@ -601,3 +604,131 @@
@@ -601,3 +604,132 @@
allow $1 unconfined_tmp_t:file { getattr write append };
')
@ -11000,6 +11278,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+########################################
+## <summary>
+## allow attempts to use unconfined ttys and ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_use_terminals',`
+ gen_require(`
+ attribute unconfined_terminal;
+ ')
+
+ allow $1 unconfined_terminal:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use unconfined ttys and ptys.
+## </summary>
+## <param name="domain">
@ -11016,23 +11312,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+ dontaudit $1 unconfined_terminal:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## allow attempts to use unconfined ttys and ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_use_terminals',`
+ gen_require(`
+ attribute unconfined_terminal;
+ ')
+
+ allow $1 unconfined_terminal:chr_file rw_term_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.5/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/unconfined.te 2007-08-07 09:39:49.000000000 -0400
@ -11230,7 +11509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+corecmd_exec_all_executables(unconfined_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-10 13:44:41.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-14 08:45:22.000000000 -0400
@@ -62,6 +62,10 @@
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
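Review bot: The files.if hunk `@@ -885,6 +901,8 @@` adds `files_read_all_files($1)` to what appears to be a relabeling interface (its header is outside the hunk; the visible body calls `relabel_dirs_pattern` and `relabel_files_pattern` on `{ file_type $2 }`), so every caller of that interface now also gains read access to every `file_type` file, far more than the `file_context` and `ld.so.cache` files the new comment names; granting read on the two specific types involved (this same patch introduces `ld_so_cache_t` labeling) would keep the interface's scope to relabeling. The same least-privilege question applies to the capability widenings elsewhere in this section (`chown` for `NetworkManager_t`, `dac_override` for `ldconfig_t`); each should carry a comment naming the denial it resolves so the grant can be revisited later. Separately, the new `init_script_domtrans_spec` in init.if uses `$2` but documents only `domain`; add `## <param name="script_type"><summary>Type of the init script being executed.</summary></param>` and reword the summary to `## Execute a specific init script with an automatic domain transition.`. The relocated `unconfined_use_terminals` is an `allow` interface, yet its parameter summary still reads `Domain to not audit.`, copied from the dontaudit variant; `Domain allowed access.` matches the convention used by the other interfaces in this patch.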


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.5
Release: 6%{?dist}
Release: 7%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -360,6 +360,9 @@ exit 0
%endif
%changelog
* Tue Aug 14 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-7
- allow dovecot to search mountpoints
* Sat Aug 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-6
- Fix Makefile for building policy modules