rpms/selinux-policy/F-7 policy-20070501.patch, 1.72, 1.73 selinux-policy.spec, 1.502, 1.503

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Nov 1 18:15:49 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22753

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Thu Nov 1 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-53
- Allow spamd to create nfs/cifs files


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -r1.72 -r1.73
--- policy-20070501.patch	31 Oct 2007 00:03:45 -0000	1.72
+++ policy-20070501.patch	1 Nov 2007 18:15:45 -0000	1.73
@@ -2181,7 +2181,16 @@
  /lib/udev/devices	-d		gen_context(system_u:object_r:device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.6.4/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/devices.if	2007-09-22 08:13:07.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/devices.if	2007-11-01 14:04:31.000000000 -0400
+@@ -65,7 +65,7 @@
+ 
+ 	relabelfrom_dirs_pattern($1,device_t,device_node)
+ 	relabelfrom_files_pattern($1,device_t,device_node)
+-	relabelfrom_lnk_files_pattern($1,device_t,device_node)
++	relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node })
+ 	relabelfrom_fifo_files_pattern($1,device_t,device_node)
+ 	relabelfrom_sock_files_pattern($1,device_t,device_node)
+ 	relabel_blk_files_pattern($1,device_t,{ device_t device_node })
 @@ -1306,6 +1306,44 @@
  
  ########################################
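Review bot: In the inner hunk added at `@@ -65,7 +65,7 @@` of devices.if, only the symlink rule is widened to `{ device_t device_node }`, while the dir, file, fifo and sock rules beside it still name `device_node` alone. If the goal is to let the caller relabel nodes that still carry the generic `device_t` label, the other classes presumably have the same gap. Either widen them the same way or add a comment such as `# symlinks under /dev may still carry the generic device_t label` explaining why only lnk_file needs it. The enclosing interface starts and ends outside the hunk, so its name and any chr_file rule are not visible here.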
@@ -6881,7 +6890,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.6.4/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.if	2007-09-13 13:07:23.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mta.if	2007-10-31 07:39:32.000000000 -0400
 @@ -226,6 +226,15 @@
  	tunable_policy(`use_samba_home_dirs',`
  		fs_manage_cifs_files($1_mail_t)
@@ -6898,7 +6907,7 @@
  	')
  
  	optional_policy(`
-@@ -316,6 +325,25 @@
+@@ -316,6 +325,42 @@
  
  ########################################
  ## <summary>
@@ -6918,13 +6927,30 @@
 +	typeattribute $1 mailclient_exec_type;
 +')
 +
++########################################
++## <summary>
++##	Make the specified type readable for a system_mail_t
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type to be used as a mail client.
++##	</summary>
++## </param>
++#
++interface(`mta_mailcontent',`
++	gen_require(`
++		attribute mailcontent_type;
++	')
++
++	typeattribute $1 mailcontent_type;
++')
 +
 +########################################
 +## <summary>
  ##	Modified mailserver interface for
  ##	sendmail daemon use.
  ## </summary>
-@@ -394,6 +422,7 @@
+@@ -394,6 +439,7 @@
  	allow $1 mail_spool_t:dir list_dir_perms;
  	create_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_files_pattern($1,mail_spool_t,mail_spool_t)
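Review bot: The doc block of the new `mta_mailcontent` interface describes its parameter as `Type to be used as a mail client.`, which looks copied from the mailclient interface above it. The argument is a file type that system_mail_t will be allowed to read, not a client domain. Suggest `##	Make files of the specified type readable by system_mail_t.` for the summary and `##	File type that system_mail_t is allowed to read.` for the param. The attribute is consumed later in this commit by `read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)` in mta.te, so every type passed to this interface becomes readable by the system mail domain. The doc should say that plainly so callers do not tag types that hold secrets.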
@@ -6932,7 +6958,7 @@
  	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  
-@@ -449,11 +478,12 @@
+@@ -449,11 +495,12 @@
  interface(`mta_send_mail',`
  	gen_require(`
  		attribute mta_user_agent;
@@ -6948,7 +6974,7 @@
  
  	allow $1 system_mail_t:fd use;
  	allow system_mail_t $1:fd use;
-@@ -847,6 +877,25 @@
+@@ -847,6 +894,25 @@
  	manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
  ')
  
@@ -6976,16 +7002,17 @@
  ##	Read sendmail binary.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.4/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.te	2007-10-22 11:09:41.000000000 -0400
-@@ -6,6 +6,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/mta.te	2007-10-31 07:38:22.000000000 -0400
+@@ -6,6 +6,8 @@
  # Declarations
  #
  
++attribute mailcontent_type;
 +attribute mailclient_exec_type;
  attribute mta_user_agent;
  attribute mailserver_delivery;
  attribute mailserver_domain;
-@@ -26,7 +27,8 @@
+@@ -26,7 +28,8 @@
  files_type(mail_spool_t)
  
  type sendmail_exec_t;
@@ -6995,7 +7022,12 @@
  
  mta_base_mail_template(system)
  role system_r types system_mail_t;
-@@ -52,9 +54,12 @@
+@@ -48,13 +51,17 @@
+ allow system_mail_t self:capability { dac_override };
+ 
+ read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
++read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
+ 
  kernel_read_system_state(system_mail_t)
  kernel_read_network_state(system_mail_t)
  
@@ -7008,7 +7040,7 @@
  init_use_script_ptys(system_mail_t)
  
  userdom_use_sysadm_terms(system_mail_t)
-@@ -89,14 +94,20 @@
+@@ -89,14 +96,20 @@
  ')
  
  optional_policy(`
@@ -7029,7 +7061,7 @@
  ')
  
  optional_policy(`
-@@ -109,6 +120,7 @@
+@@ -109,6 +122,7 @@
  
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
@@ -7037,7 +7069,7 @@
  	cron_dontaudit_write_pipes(system_mail_t)
  ')
  
-@@ -117,6 +129,10 @@
+@@ -117,6 +131,10 @@
  ')
  
  optional_policy(`
@@ -8363,7 +8395,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-2.6.4/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ppp.te	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ppp.te	2007-10-31 07:37:19.000000000 -0400
 @@ -155,7 +155,7 @@
  
  files_exec_etc_files(pppd_t)
@@ -8373,6 +8405,15 @@
  files_dontaudit_write_etc_files(pppd_t)
  
  # for scripts
+@@ -202,6 +202,8 @@
+ 
+ optional_policy(`
+ 	mta_send_mail(pppd_t)
++	mta_mailcontent(pppd_etc_t)
++	mta_mailcontent(pppd_etc_rw_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.6.4/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/procmail.te	2007-08-07 09:42:35.000000000 -0400
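Review bot: Tagging both `pppd_etc_t` and `pppd_etc_rw_t` with `mta_mailcontent` gives system_mail_t read access to every file of those two types, which may be wider than the changelog's "read ppp config files" implies if anything under those labels carries credentials. What `pppd_etc_rw_t` covers is not visible in this hunk, so check the file-context definitions before merging, and drop the second call if the mailer only needs one of the types. A one-line comment above the two calls naming the file the mailer actually opens, e.g. `# system_mail_t reads <file> when run from pppd scripts`, would record why the grant exists.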
@@ -8793,7 +8834,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-2.6.4/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.if	2007-10-30 19:57:49.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/rpc.if	2007-10-30 20:54:04.000000000 -0400
 @@ -89,8 +89,11 @@
  	# bind to arbitary unused ports
  	corenet_tcp_bind_generic_port($1_t)
@@ -10217,7 +10258,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.6.4/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/spamassassin.te	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/spamassassin.te	2007-11-01 13:43:45.000000000 -0400
 @@ -6,14 +6,12 @@
  # Declarations
  #
@@ -10251,9 +10292,12 @@
  
  ########################################
  #
-@@ -87,8 +85,9 @@
+@@ -85,10 +83,11 @@
+ 
+ # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
- read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
+-read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
++manage_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
  
 +manage_dirs_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
  manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
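Review bot: Replacing `read_files_pattern` with `manage_files_pattern` for spamd_var_lib_t gives spamd_t create, unlink and setattr on those files, which is more than the "write" the 2.6.4-52 changelog entry describes. If spamd only updates files that already exist there, `rw_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)` would be the narrower grant. If it does create files, the section comment should say so, e.g. `# spamd creates and updates files under its var/lib directory`. The `allow spamd_t spamd_var_lib_t:dir list_dir_perms;` line kept just above is probably redundant now, assuming the manage pattern carries its own directory permissions.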
@@ -10270,7 +10314,20 @@
  corenet_sendrecv_razor_client_packets(spamd_t)
  corenet_sendrecv_spamd_server_packets(spamd_t)
  # spamassassin 3.1 needs this for its
-@@ -192,6 +192,11 @@
+@@ -167,10 +167,12 @@
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_dirs(spamd_t)
+ 	fs_manage_nfs_files(spamd_t)
+ ')
+ 
+ tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_dirs(spamd_t)
+ 	fs_manage_cifs_files(spamd_t)
+ ')
+ 
+@@ -192,6 +194,11 @@
  ')
  
  optional_policy(`
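Review bot: The two added lines, `fs_manage_nfs_dirs(spamd_t)` and `fs_manage_cifs_dirs(spamd_t)`, grant directory management, but the 2.6.4-53 changelog entry reads "Allow spamd to create nfs/cifs files"; file management was already present in both tunable blocks. NFS and CIFS mounts normally carry one generic label for the whole filesystem, so with the boolean enabled this presumably lets spamd_t create and remove directories anywhere on such mounts, not only in home directories. Suggest correcting the changelog to say directories and adding a comment in each block such as `# spamd creates per-user directories when home dirs live on NFS` (wording to be confirmed by the author).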
@@ -13352,7 +13409,7 @@
  allow ifconfig_t self:udp_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/udev.te	2007-10-18 17:22:16.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/udev.te	2007-11-01 14:06:28.000000000 -0400
 @@ -18,11 +18,6 @@
  type udev_etc_t alias etc_udev_t;
  files_config_file(udev_etc_t)
@@ -13453,7 +13510,7 @@
  	hal_dgram_send(udev_t)
  ')
  
-@@ -194,5 +219,28 @@
+@@ -194,5 +219,32 @@
  ')
  
  optional_policy(`
@@ -13478,6 +13535,10 @@
 +')
 +
 +optional_policy(`
++	unconfined_domain(udev_t)
++')
++
++optional_policy(`
  	xserver_read_xdm_pid(udev_t)
  ')
 +
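Review bot: The added `unconfined_domain(udev_t)` removes SELinux confinement from the udev daemon, which makes the itemised udev_t rules elsewhere in udev.te largely moot, and neither changelog entry in this commit (2.6.4-52 or 2.6.4-53) mentions it. udev runs with high privilege and handles device events, so this is a meaningful loss of containment that should not arrive unannounced. If it works around specific AVC denials, prefer allowing just those accesses. Otherwise add a changelog line and a marker in the policy such as `# FIXME: udev_t runs unconfined until <bug reference> is resolved` so the grant can be found and reverted later.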
@@ -13597,7 +13658,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-10-19 16:20:02.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-11-01 13:55:00.000000000 -0400
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -13675,7 +13736,7 @@
  ')
  
  ########################################
-@@ -200,10 +215,22 @@
+@@ -200,8 +215,21 @@
  #
  
  ifdef(`targeted_policy',`
@@ -13685,19 +13746,18 @@
 +
  	allow unconfined_execmem_t self:process { execstack execmem };
  	unconfined_domain_noaudit(unconfined_execmem_t)
- 
- 	optional_policy(`
++	allow unconfined_execmem_t unconfined_t:process transition;
++
++	optional_policy(`
 +		avahi_dbus_chat(unconfined_execmem_t)
 +	')
 +
 +	optional_policy(`
 +		hal_dbus_chat(unconfined_execmem_t)
 +	')
-+
-+	optional_policy(`
- 		dbus_stub(unconfined_execmem_t)
  
- 		init_dbus_chat_script(unconfined_execmem_t)
+ 	optional_policy(`
+ 		dbus_stub(unconfined_execmem_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/userdomain.if	2007-10-09 17:05:07.000000000 -0400
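Review bot: The new rule `allow unconfined_execmem_t unconfined_t:process transition;` is undocumented: nothing in the hunk says which program needs to leave the execmem domain, and no matching `type_transition` or entrypoint rule is visible here. A bare process-transition allow is hard to audit later, so a comment above it would help, e.g. `# let programs started from unconfined_execmem_t return to unconfined_t`, along with a changelog entry since none of the listed entries covers it. The `ifdef(`targeted_policy', ...)` block that contains the rule starts and ends outside this hunk.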


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.502
retrieving revision 1.503
diff -u -r1.502 -r1.503
--- selinux-policy.spec	30 Oct 2007 21:02:59 -0000	1.502
+++ selinux-policy.spec	1 Nov 2007 18:15:45 -0000	1.503
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 51%{?dist}
+Release: 53%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,13 @@
 %endif
 
 %changelog
+* Thu Nov 1 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-53
+- Allow spamd to create nfs/cifs files
+
+* Wed Oct 31 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-52
+- Allow sendmail to read ppp config files
+- Allow spamd to write to spamd_var_lib_t
+
 * Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-51
 - Allow fd passing
 - dontaudit rpm_rw_pipes



