rpms/selinux-policy/F-8 policy-20070703.patch, 1.121, 1.122 selinux-policy.spec, 1.567, 1.568

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Nov 6 16:46:50 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12409

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Tue Nov 6 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-46
- Allow sendmail to interact with winbind
- Allow dovecot to write log files


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- policy-20070703.patch	5 Nov 2007 20:47:14 -0000	1.121
+++ policy-20070703.patch	6 Nov 2007 16:46:45 -0000	1.122
@@ -4027,7 +4027,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te	2007-10-30 20:49:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te	2007-11-06 10:14:30.000000000 -0500
 @@ -6,6 +6,22 @@
  # Declarations
  #
@@ -5098,7 +5098,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.0.8/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/amavis.te	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/amavis.te	2007-11-06 10:56:06.000000000 -0500
 @@ -65,6 +65,7 @@
  # Spool Files
  manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
@@ -7556,8 +7556,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dovecot.fc	2007-10-29 23:59:29.000000000 -0400
-@@ -17,16 +17,19 @@
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.fc	2007-11-06 10:57:52.000000000 -0500
+@@ -17,19 +17,24 @@
  
  ifdef(`distro_debian', `
  /usr/lib/dovecot/dovecot-auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
@@ -7577,6 +7577,11 @@
  
  /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
  
++/var/log/dovecot\.log.*			gen_context(system_u:object_r:dovecot_var_log_t,s0)
++
+ /var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
+ 
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.8/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/dovecot.if	2007-10-29 23:59:29.000000000 -0400
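Review bot: The new `/var/log/dovecot\.log.*` entry in dovecot.fc has no file-class field, so the `dovecot_var_log_t` context applies to any object whose path matches. The dovecot.te changes in this commit only give `dovecot_t` access to regular files of that type. Restricting the entry to regular files keeps labeling and rules aligned: `/var/log/dovecot\.log.*	--	gen_context(system_u:object_r:dovecot_var_log_t,s0)`. The trailing `.*` also matches any suffix after `dovecot.log`; this is presumably meant for rotated logs, and a one-line comment saying so would make the intent explicit.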
@@ -7626,7 +7631,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te	2007-11-06 10:58:42.000000000 -0500
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -7640,7 +7645,17 @@
  type dovecot_cert_t;
  files_type(dovecot_cert_t)
  
-@@ -46,8 +52,6 @@
+@@ -27,6 +33,9 @@
+ type dovecot_spool_t;
+ files_type(dovecot_spool_t)
+ 
++type dovecot_var_log_t;
++logging_log_file(dovecot_var_log_t)
++
+ # /var/lib/dovecot holds SSL parameters file
+ type dovecot_var_lib_t;
+ files_type(dovecot_var_lib_t) 
+@@ -46,8 +55,6 @@
  allow dovecot_t self:tcp_socket create_stream_socket_perms;
  allow dovecot_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -7649,7 +7664,18 @@
  domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
  
  allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-@@ -67,6 +71,8 @@
+@@ -59,6 +66,10 @@
+ 
+ can_exec(dovecot_t, dovecot_exec_t)
+ 
++# log files
++manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
++logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
++
+ manage_dirs_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t)
+ manage_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t)
+ manage_lnk_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t)
+@@ -67,6 +78,8 @@
  manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t)
  files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
  
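Review bot: `manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` gives the daemon more than a log writer needs. The manage permission set includes unlink, rename and plain write, so a compromised `dovecot_t` could delete or rewrite its own log. If dovecot only appends and leaves rotation to logrotate (not visible in this hunk, so to be confirmed), `append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` together with `create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` next to the existing `logging_log_filetrans` line would be tighter. The `# log files` comment could also state which operations are actually required.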
@@ -7658,7 +7684,7 @@
  kernel_read_kernel_sysctls(dovecot_t)
  kernel_read_system_state(dovecot_t)
  
-@@ -99,7 +105,7 @@
+@@ -99,7 +112,7 @@
  files_dontaudit_list_default(dovecot_t)
  # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
  files_read_etc_runtime_files(dovecot_t)
@@ -7667,7 +7693,7 @@
  
  init_getattr_utmp(dovecot_t)
  
-@@ -111,9 +117,6 @@
+@@ -111,9 +124,6 @@
  miscfiles_read_certs(dovecot_t)
  miscfiles_read_localization(dovecot_t)
  
@@ -7677,7 +7703,7 @@
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
  userdom_priveleged_home_dir_manager(dovecot_t)
-@@ -125,10 +128,6 @@
+@@ -125,10 +135,6 @@
  ')
  
  optional_policy(`
@@ -7688,7 +7714,7 @@
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
-@@ -145,33 +144,40 @@
+@@ -145,33 +151,40 @@
  # dovecot auth local policy
  #
  
@@ -7731,7 +7757,7 @@
  files_read_usr_symlinks(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
  files_read_var_lib_files(dovecot_t)
-@@ -185,12 +191,50 @@
+@@ -185,12 +198,50 @@
  
  seutil_dontaudit_search_config(dovecot_auth_t)
  
@@ -7749,12 +7775,12 @@
 +
 +optional_policy(`
 +	nis_authenticate(dovecot_auth_t)
-+')
+ ')
 +
 +optional_policy(`
 +	postfix_create_pivate_sockets(dovecot_auth_t)
 +	postfix_search_spool(dovecot_auth_t)
- ')
++')
 +
 +# for gssapi (kerberos)
 +userdom_list_unpriv_users_tmp(dovecot_auth_t) 
@@ -8849,8 +8875,35 @@
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.if	2007-10-31 07:35:43.000000000 -0400
-@@ -142,6 +142,12 @@
++++ serefpolicy-3.0.8/policy/modules/services/mta.if	2007-11-06 10:45:33.000000000 -0500
+@@ -87,6 +87,8 @@
+ 	# It wants to check for nscd
+ 	files_dontaudit_search_pids($1_mail_t)
+ 
++	auth_use_nsswitch($1_mail_t)
++
+ 	libs_use_ld_so($1_mail_t)
+ 	libs_use_shared_libs($1_mail_t)
+ 
+@@ -94,17 +96,6 @@
+ 
+ 	miscfiles_read_localization($1_mail_t)
+ 
+-	sysnet_read_config($1_mail_t)
+-	sysnet_dns_name_resolve($1_mail_t)
+-
+-	optional_policy(`
+-		nis_use_ypbind($1_mail_t)
+-	')
+-
+-	optional_policy(`
+-		nscd_socket_use($1_mail_t)
+-	')
+-
+ 	optional_policy(`
+ 		postfix_domtrans_user_mail_handler($1_mail_t)
+ 	')
+@@ -142,6 +133,12 @@
  		sendmail_create_log($1_mail_t)
  	')
  
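Review bot: `auth_use_nsswitch($1_mail_t)` is added inside a template body whose start lies above this hunk, so it applies to every `$1_mail_t` domain the template instantiates. The log message mentions only sendmail and winbind. The interface is defined outside this view, but it likely grants more than the four rules removed here (`sysnet_read_config`, `sysnet_dns_name_resolve`, `nis_use_ypbind`, `nscd_socket_use`), so it is worth confirming that the broader name-service access is wanted for per-user mail domains too. A comment above the call would record the intent, e.g. `# name service lookups (incl. winbind); replaces the separate sysnet/nis/nscd rules`.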
@@ -8863,7 +8916,7 @@
  ')
  
  #######################################
-@@ -226,6 +232,15 @@
+@@ -226,6 +223,15 @@
  	tunable_policy(`use_samba_home_dirs',`
  		fs_manage_cifs_files($1_mail_t)
  		fs_manage_cifs_symlinks($1_mail_t)
@@ -8879,7 +8932,7 @@
  	')
  
  	optional_policy(`
-@@ -314,6 +329,24 @@
+@@ -314,6 +320,24 @@
  
  ########################################
  ## <summary>
@@ -8904,7 +8957,7 @@
  ##	Modified mailserver interface for
  ##	sendmail daemon use.
  ## </summary>
-@@ -392,6 +425,7 @@
+@@ -392,6 +416,7 @@
  	allow $1 mail_spool_t:dir list_dir_perms;
  	create_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_files_pattern($1,mail_spool_t,mail_spool_t)
@@ -8912,7 +8965,7 @@
  	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  
-@@ -436,6 +470,24 @@
+@@ -436,6 +461,24 @@
  
  ########################################
  ## <summary>
@@ -8937,7 +8990,7 @@
  ##	Send mail from the system.
  ## </summary>
  ## <param name="domain">
-@@ -447,20 +499,18 @@
+@@ -447,20 +490,18 @@
  interface(`mta_send_mail',`
  	gen_require(`
  		attribute mta_user_agent;
@@ -8964,7 +9017,7 @@
  ')
  
  ########################################
-@@ -595,6 +645,25 @@
+@@ -595,6 +636,25 @@
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file { rw_file_perms setattr };
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.567
retrieving revision 1.568
diff -u -r1.567 -r1.568
--- selinux-policy.spec	5 Nov 2007 20:47:14 -0000	1.567
+++ selinux-policy.spec	6 Nov 2007 16:46:45 -0000	1.568
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 45%{?dist}
+Release: 46%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -379,6 +379,10 @@
 %endif
 
 %changelog
+* Tue Nov 6 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-46
+- Allow sendmail to interact with winbind
+- Allow dovecot to write log files
+
 * Thu Nov 2 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-45
 - Allow system_mail_t to domtrans to exim_t
 



