Fixes for squid, dovecot, and snmp from Dan Walsh.

Changelog

@@ -1,3 +1,4 @@
+- Fixes for squid, dovecot, and snmp from Dan Walsh.
 - Miscellaneous consolekit fixes from Dan Walsh.
 - Patch to have avahi use the nsswitch interface rather than individual
   permissions from Dan Walsh.

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.2.7)
+policy_module(corenetwork,1.2.8)
 
 ########################################
 #
@@ -141,6 +141,7 @@ network_port(ssh, tcp,22,s0)
 network_port(soundd, tcp,8000,s0, tcp,9433,s0)
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
+network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
 network_port(swat, tcp,901,s0)
 network_port(syslogd, udp,514,s0)
 network_port(telnetd, tcp,23,s0)

policy/modules/services/dovecot.te

@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.5.0)
+policy_module(dovecot,1.5.1)
 
 ########################################
 #
@@ -46,6 +46,7 @@ allow dovecot_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
 
 domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 
@@ -136,6 +137,10 @@ optional_policy(`
 	seutil_sigchld_newrole(dovecot_t)
 ')
 
+optional_policy(`
+	squid_dontaudit_search_cache(dovecot_t)
+')
+
 optional_policy(`
 	udev_read_db(dovecot_t)
 ')

policy/modules/services/snmp.te

@@ -1,5 +1,5 @@
 
-policy_module(snmp,1.4.0)
+policy_module(snmp,1.4.1)
 
 ########################################
 #
@@ -133,6 +133,10 @@ optional_policy(`
 	cups_read_rw_config(snmpd_t)
 ')
 
+optional_policy(`
+	mta_read_config(snmpd_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(snmpd_t)
 ')
@@ -149,6 +153,10 @@ optional_policy(`
 	seutil_sigchld_newrole(snmpd_t)
 ')
 
+optional_policy(`
+	squid_read_config(snmpd_t)
+')
+
 optional_policy(`
 	udev_read_db(snmpd_t)
 ')

policy/modules/services/squid.if

@@ -19,6 +19,25 @@ interface(`squid_domtrans',`
 	domtrans_pattern($1,squid_exec_t,squid_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search squid cache dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_search_cache',`
+	gen_require(`
+		type squid_cache_t;
+	')
+
+	dontaudit $1 squid_cache_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read squid configuration file.
@@ -36,7 +55,7 @@ interface(`squid_read_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 squid_conf_t:file read_file_perms;
+	read_files_pattern($1, squid_conf_t, squid_conf_t)
 ')
 
 ########################################

policy/modules/services/squid.te

@@ -1,5 +1,5 @@
 
-policy_module(squid,1.3.0)
+policy_module(squid,1.3.1)
 
 ########################################
 #
@@ -89,6 +89,8 @@ corenet_udp_bind_http_cache_port(squid_t)
 corenet_tcp_bind_ftp_port(squid_t)
 corenet_tcp_bind_gopher_port(squid_t)
 corenet_udp_bind_gopher_port(squid_t)
+corenet_tcp_bind_squid_port(squid_t)
+corenet_udp_bind_squid_port(squid_t)
 corenet_tcp_connect_ftp_port(squid_t)
 corenet_tcp_connect_gopher_port(squid_t)
 corenet_tcp_connect_http_port(squid_t)
@@ -98,6 +100,8 @@ corenet_sendrecv_ftp_client_packets(squid_t)
 corenet_sendrecv_gopher_client_packets(squid_t)
 corenet_sendrecv_http_cache_server_packets(squid_t)
 corenet_sendrecv_http_cache_client_packets(squid_t)
+corenet_sendrecv_squid_client_packets(squid_t)
+corenet_sendrecv_squid_server_packets(squid_t)
 
 dev_read_sysfs(squid_t)
 dev_read_urand(squid_t)