From 16e596af823737d7132989d82f250480a2fa53d1 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: May 20 2008 21:20:59 +0000
Subject: - More fixes for spamassassin
---
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 880f710..a806e2a 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -23099,8 +23099,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.3.1/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/sendmail.if 2008-05-08 11:06:32.000000000 -0400
-@@ -149,3 +149,85 @@
++++ serefpolicy-3.3.1/policy/modules/services/sendmail.if 2008-05-20 16:49:39.433100000 -0400
+@@ -149,3 +149,104 @@
logging_log_filetrans($1,sendmail_log_t,file)
')
@@ -23186,6 +23186,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ role $2 types unconfined_sendmail_t;
+ allow unconfined_sendmail_t $3:chr_file rw_file_perms;
+')
++
++########################################
++##
++## Allow attempts to read and write to
++## sendmail unnamed pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`sendmail_rw_pipes',`
++ gen_require(`
++ type sendmail_t;
++ ')
++
++ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.3.1/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-02-26 08:23:10.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-05-08 11:06:32.000000000 -0400
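Review bot: The parameter description of the new `sendmail_rw_pipes` interface reads `## Domain to not audit.`, but the body is `allow $1 sendmail_t:fifo_file rw_fifo_file_perms;`, an allow rule rather than a dontaudit, so the documentation contradicts what the interface grants; change it to `## Domain allowed access.`. The summary text ("Allow attempts to read and write to sendmail unnamed pipes") does match the rule, so only the parameter line is wrong. The surrounding summary/param markup appears to have been stripped in this rendering, so only the visible comment text could be checked.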
@@ -23912,7 +23931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.3.1/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.fc 2008-05-08 11:06:32.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.fc 2008-05-20 16:49:22.009675000 -0400
@@ -1,4 +1,4 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0)
@@ -23930,7 +23949,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
+ /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
- /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/run/spamass-milter.* gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
@@ -24508,7 +24528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-02-26 08:23:10.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-05-20 15:17:39.975695000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-05-20 17:09:45.819685000 -0400
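Review bot: The replacement file-context line `/var/run/spamass-milter.*` is an open-ended prefix match, so besides `/var/run/spamass-milter` and everything below it, it also labels any other `/var/run` entry whose name merely begins with `spamass-milter`. If the intent is to cover the milter's socket and pid files that sit next to its directory, a pattern that keeps the name boundary, such as `/var/run/spamass-milter(\.[^/]*)?(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)`, says that without the unbounded tail; the exact file names the milter creates are not visible here, so confirm against the package before tightening. A short comment on why the previous `(/.*)?` form was insufficient would also help the next reader of this .fc file.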
@@ -21,8 +21,10 @@ gen_tunable(spamd_enable_home_dirs,true)
@@ -24638,7 +24658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
optional_policy(`
-@@ -212,3 +260,206 @@
+@@ -212,3 +260,214 @@
optional_policy(`
udev_read_db(spamd_t)
')
@@ -24673,9 +24693,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+files_tmp_filetrans(spamassassin_t, user_spamassassin_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(spamassassin_t)
++kernel_read_system_state(spamassassin_t)
+
+dev_read_urand(spamassassin_t)
+
++files_list_var_lib(spamassassin_t)
++read_files_pattern(spamassassin_t,spamd_var_lib_t,spamd_var_lib_t)
++
+fs_search_auto_mountpoints(spamassassin_t)
+
+# this should probably be removed
@@ -24693,6 +24717,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+files_read_usr_files(spamassassin_t)
+files_dontaudit_search_var(spamassassin_t)
+
++auth_use_nsswitch(spamassassin_t)
++
+libs_use_ld_so(spamassassin_t)
+libs_use_shared_libs(spamassassin_t)
+
@@ -24707,6 +24733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+
+userdom_use_unpriv_users_fds(spamassassin_t)
+userdom_search_user_home_dirs(user,spamassassin_t)
++userdom_list_user_files(user, spamassassin_t)
+# cjp: this really should just be the
+# terminal specific to the role
+userdom_use_unpriv_users_ptys(spamassassin_t)
@@ -24755,6 +24782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+optional_policy(`
+ mta_read_config(spamassassin_t)
+ sendmail_stub(spamassassin_t)
++ sendmail_rw_pipes(spamassassin_t)
+')
+
+##############################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5dcb867..78a370e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
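Review bot: `read_files_pattern(spamassassin_t,spamd_var_lib_t,spamd_var_lib_t)` omits the spaces after the commas that `files_tmp_filetrans(spamassassin_t, user_spamassassin_tmp_t, { file dir })` in the same hunk and `userdom_list_user_files(user, spamassassin_t)` in the later hunk use; write it as `read_files_pattern(spamassassin_t, spamd_var_lib_t, spamd_var_lib_t)` for consistency. The new read access to spamd's `/var/lib` data from the user-invoked `spamassassin_t` domain also carries no comment saying what it is for (presumably shared spamd state the client consults — confirm), so a one-line `#` comment above the `files_list_var_lib`/`read_files_pattern` pair would help. The `spamassassin_t` rule block this hunk sits in starts before the hunk.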
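Review bot: `auth_use_nsswitch(spamassassin_t)` is a broad interface; in refpolicy of this era it typically brings in name-service client access, which depending on the host's nsswitch setup can include network-backed lookups rather than only local passwd/group reads, and it is added between the `files_*` and `libs_*` calls with no explanation. Record what prompted it in a comment, e.g. `# user/host lookups by the user-run spamassassin client`, adjusted to the actual denial, so a later audit can judge whether a narrower interface would suffice. The enclosing `spamassassin_t` rule block begins before this hunk.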
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 54%{?dist}
+Release: 55%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,9 @@ exit 0
%endif
%changelog
+* Tue May 20 2008 Dan Walsh 3.3.1-55
+- More fixes for spamassassin
+
* Tue May 20 2008 Dan Walsh 3.3.1-54
- Allow spamassassin_t to be run by system_r