From b36142421bfcdea7286b4735d54e000accbe9f06 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 25 2008 16:20:06 +0000 Subject: - Allow postfix_smtpd to getattr on directories and file systems --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 50e9ce4..328e226 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -8358,16 +8358,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-11-24 10:49:49.000000000 -0500 -@@ -21,7 +21,6 @@ ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-11-25 09:48:18.000000000 -0500 +@@ -21,7 +21,7 @@ # Use xattrs for the following filesystem types. # Requires that a security xattr handler exist for the filesystem. -fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); -@@ -76,6 +75,11 @@ +@@ -76,6 +76,11 @@ allow cpusetfs_t self:filesystem associate; genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) @@ -8379,7 +8380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type eventpollfs_t; fs_type(eventpollfs_t) # change to task SID 20060628 -@@ -141,6 +145,8 @@ +@@ -141,6 +146,8 @@ fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) 
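Review bot: The new `fs_use_xattr btrfs` line changes how btrfs volumes that already exist are labeled: files written before this policy is loaded carry no security.selinux xattr, so after the update they will, as far as I recall of the xattr fallback, show up with the filesystem's default label until the volume is relabeled. That deserves an upgrade note telling admins to run `restorecon -R` on btrfs mount points, since the spec changelog in this commit only mentions the postfix change. The rule is also only correct on kernels whose btrfs exposes the security xattr handler; the list comment says so in general, but btrfs was new enough at the time that a one-line `# btrfs: requires a kernel with security xattr support` next to the entry would help the next reader.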
@@ -8388,7 +8389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type vxfs_t; fs_noxattr_type(vxfs_t) -@@ -241,6 +247,7 @@ +@@ -241,6 +248,7 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) @@ -16980,7 +16981,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_type(mailscanner_spool_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.13/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-11-25 08:45:03.000000000 -0500 +@@ -1,4 +1,4 @@ +-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) + /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) @@ -22,7 +22,3 @@ /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) @@ -16991,7 +16998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.13/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/mta.if 2008-11-25 10:14:27.000000000 -0500 @@ -133,6 +133,15 @@ sendmail_create_log($1_mail_t) ') 
@@ -17042,6 +17049,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') +@@ -786,7 +803,7 @@ + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; + allow $1 mail_spool_t:file setattr; +- rw_files_pattern($1, mail_spool_t, mail_spool_t) ++ manage_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + @@ -893,6 +910,25 @@ ######################################## @@ -20786,7 +20802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-11-25 08:33:46.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -21042,7 +21058,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -543,6 +622,10 @@ +@@ -540,9 +619,18 @@ + + # for OpenSSL certificates + files_read_usr_files(postfix_smtpd_t) ++ ++# postfix checks the size of all mounted file systems ++fs_getattr_all_dirs(postfix_smtpd_t) ++fs_getattr_all_fs(postfix_smtpd_t) ++ mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -21053,7 +21077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -569,7 +652,7 @@ +@@ -569,7 +657,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process 
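Review bot: The `rw_files_pattern` → `manage_files_pattern` switch on mail_spool_t widens what every caller of this interface receives: it now includes create, unlink and rename on the mailbox files in /var/spool/mail, while the interface's name and doc block (above the hunk, outside SOURCE, presumably `mta_rw_spool`) still describe read/write access. Judging by the `mta_rw_spool($1_usertype)` call in the userdomain.if hunk, the caller is every user domain, so as far as SELinux is concerned a user domain could now remove or replace another user's spool file, with only DAC left to stop it. If one consumer needs the extra permission, a separate `mta_manage_spool` interface keeps the rw one honest; otherwise the summary of this interface should be updated to say it manages spool files. The enclosing interface definition begins before the hunk.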
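Review bot: `fs_getattr_all_fs(postfix_smtpd_t)` and `fs_getattr_all_dirs(postfix_smtpd_t)` are broader than the comment above them justifies: a statfs() on the queue directory needs `filesystem getattr` only on the type of the filesystem holding /var/spool/postfix, which on a normal install is fs_t and is covered by the narrower `fs_getattr_xattr_fs(postfix_smtpd_t)`. `fs_getattr_all_dirs` additionally grants getattr on directories of every fs_type (proc, sysfs, tmpfs and so on), which statfs does not require as far as I can tell; unless the AVC that prompted this showed a non-xattr filesystem or a directory denial, I would keep only the narrower rule. The comment also overstates what the daemon does — as far as I know smtpd checks free space of its own queue directory, not of every mount — so I would reword it to `# smtpd checks free space on the queue file system (statfs)`.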
@@ -24031,7 +24055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.13/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sendmail.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/sendmail.te 2008-11-25 10:39:57.000000000 -0500 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -24121,22 +24145,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` clamav_search_lib(sendmail_t) + clamav_stream_connect(sendmail_t) - ') - - optional_policy(` -- postfix_exec_master(sendmail_t) -+ cyrus_stream_connect(sendmail_t) +') + +optional_policy(` -+ kerberos_keytab_template(sendmail, sendmail_t) ++ cyrus_stream_connect(sendmail_t) +') + +optional_policy(` -+ munin_dontaudit_search_lib(sendmail_t) ++ kerberos_keytab_template(sendmail, sendmail_t) +') + +optional_policy(` ++ munin_dontaudit_search_lib(sendmail_t) + ') + + optional_policy(` +- postfix_exec_master(sendmail_t) + postfix_domtrans_postdrop(sendmail_t) + postfix_domtrans_master(sendmail_t) postfix_read_config(sendmail_t) @@ -24149,7 +24173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -126,24 +157,25 @@ +@@ -126,24 +157,29 @@ ') optional_policy(` @@ -24161,6 +24185,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ uucp_domtrans_uux(sendmail_t) ++') ++ ++optional_policy(` udev_read_db(sendmail_t) ') 
@@ -27826,7 +27854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-25 11:13:22.000000000 -0500 @@ -8,6 +8,14 @@ ## @@ -28325,7 +28353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` # Need to further investigate these permissions and # perhaps define derived types. -@@ -544,3 +746,70 @@ +@@ -544,3 +746,73 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO @@ -28347,6 +28375,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow xauth_t xauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans($1, xauth_t, xauth_home_t, file) + ++manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) ++manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) ++ +manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) +manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) +files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) 
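Review bot: `manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)` lets the xauth domain create, delete and rename directories under the display manager's run directory, which is more than xauth should need: as far as I know it writes only the authority database plus its `-c`/`-l` lock files, so `manage_files_pattern` covers that and the directory rule could drop to `search_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)`. If user domains also transition into xauth_t, as the `xauth_home_t` home-directory rules in the context suggest, the current rule lets a user process remove xdm's own run-time state where DAC permits it. If an AVC showed xauth creating a directory there, a comment above the new rules naming the path (`# xdm runs xauth to create its per-display auth database under /var/run`) would justify the breadth. The xauth_t rules continue past the end of the hunk.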
@@ -29522,8 +29553,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.5.13/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc 2008-11-24 10:49:49.000000000 -0500 -@@ -26,6 +26,7 @@ ++++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc 2008-11-25 09:56:24.000000000 -0500 +@@ -16,6 +16,8 @@ + /usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) + ++/usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) +@@ -26,6 +28,7 @@ /usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) @@ -32717,7 +32757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-25 10:39:06.000000000 -0500 @@ -28,10 +28,14 @@ class context contains; ') 
@@ -33338,7 +33378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # User domain Local policy -@@ -699,188 +668,199 @@ +@@ -699,188 +668,200 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -33562,6 +33602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) + mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` @@ -33618,7 +33659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -902,9 +882,7 @@ +@@ -902,9 +883,7 @@ ## # template(`userdom_login_user_template', ` @@ -33629,7 +33670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_base_user_template($1) -@@ -930,74 +908,77 @@ +@@ -930,74 +909,77 @@ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit; @@ -33740,7 +33781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1031,9 +1012,6 @@ +@@ -1031,9 +1013,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -33750,7 +33791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1042,12 +1020,32 @@ +@@ -1042,12 +1021,32 @@ # # privileged home directory writers 
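Review bot: `mta_manage_queue($1_usertype)` gives every domain carrying the `$1_usertype` attribute manage rights on the MTA queue spool — presumably mqueue_spool_t, i.e. create, unlink and rename on mqueue/clientmqueue files — on top of the read/write that `mta_rw_spool($1_usertype)` just above already grants. The definition of `mta_manage_queue` is in the mta.if hunk that is cut off at +910, so this is hedged, but granting a whole user template queue-management rights leaves only DAC between a user shell and the mail queue. If this was added for one program (a `sendmail -q` run, or a client that submits directly), a narrower interface or a boolean gating the call would be safer, and at minimum a comment naming the use case belongs above it, e.g. `# needed for <program> to flush the client queue`. The enclosing template begins before the hunk.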
@@ -33789,7 +33830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1079,7 +1077,9 @@ +@@ -1079,7 +1078,9 @@ userdom_restricted_user_template($1) @@ -33799,7 +33840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -1087,14 +1087,16 @@ +@@ -1087,14 +1088,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -33821,7 +33862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1102,28 +1104,19 @@ +@@ -1102,28 +1105,19 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -33854,7 +33895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1134,8 +1127,7 @@ +@@ -1134,8 +1128,7 @@ ## ## ##

@@ -33864,7 +33905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -1157,8 +1149,8 @@ +@@ -1157,8 +1150,8 @@ # Declarations # @@ -33874,7 +33915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -1167,11 +1159,10 @@ +@@ -1167,11 +1160,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -33887,7 +33928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1180,41 @@ +@@ -1189,36 +1181,41 @@ ') ') @@ -33942,7 +33983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1263,8 +1259,7 @@ +@@ -1263,8 +1260,7 @@ # # Inherit rules for ordinary users. @@ -33952,7 +33993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_t privhome; domain_obj_id_change_exemption($1_t) -@@ -1295,8 +1290,6 @@ +@@ -1295,8 +1291,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -33961,7 +34002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1311,6 @@ +@@ -1318,8 +1312,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -33970,7 +34011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1365,6 @@ +@@ -1374,13 +1366,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -33984,7 +34025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1416,7 @@ +@@ -1432,6 +1417,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -33992,7 +34033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1446,6 @@ +@@ -1461,10 +1447,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -34003,7 +34044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1465,14 @@ +@@ -1484,6 +1466,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -34018,7 +34059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1730,15 @@ +@@ -1741,11 +1731,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -34037,7 +34078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1834,11 @@ +@@ -1841,11 +1835,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -34051,7 +34092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1868,11 @@ +@@ -1875,11 +1869,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -34065,7 +34106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1916,12 @@ +@@ -1923,12 +1917,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` 
@@ -34081,7 +34122,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1951,11 @@ +@@ -1958,10 +1952,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -34095,7 +34136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1987,47 @@ +@@ -1993,11 +1988,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -34145,7 +34186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2059,10 @@ +@@ -2029,10 +2060,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -34158,7 +34199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2092,11 @@ +@@ -2062,11 +2093,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -34172,7 +34213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2126,11 @@ +@@ -2096,11 +2127,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -34187,7 +34228,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2160,14 @@ +@@ -2130,10 +2161,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -34204,7 +34245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2197,11 @@ +@@ -2163,11 +2198,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` 
@@ -34218,7 +34259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2231,11 @@ +@@ -2197,11 +2232,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -34232,7 +34273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2265,10 @@ +@@ -2231,10 +2266,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -34245,7 +34286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2300,12 @@ +@@ -2266,12 +2301,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -34261,7 +34302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2337,10 @@ +@@ -2303,10 +2338,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -34274,7 +34315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2372,12 @@ +@@ -2338,12 +2373,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -34290,7 +34331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2409,12 @@ +@@ -2375,12 +2410,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -34306,7 +34347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2446,12 @@ +@@ -2412,12 +2447,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` 
@@ -34322,7 +34363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2496,11 @@ +@@ -2462,11 +2497,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -34336,7 +34377,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2545,11 @@ +@@ -2511,11 +2546,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -34350,7 +34391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2589,11 @@ +@@ -2555,11 +2590,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -34364,7 +34405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2623,11 @@ +@@ -2589,11 +2624,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -34378,7 +34419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2657,11 @@ +@@ -2623,11 +2658,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -34392,7 +34433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2693,10 @@ +@@ -2659,10 +2694,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -34405,7 +34446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2728,10 @@ +@@ -2694,10 +2729,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` 
@@ -34418,7 +34459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2761,12 @@ +@@ -2727,12 +2762,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -34434,7 +34475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2798,10 @@ +@@ -2764,10 +2799,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -34447,7 +34488,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2833,10 @@ +@@ -2799,10 +2834,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -34460,7 +34501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2866,12 @@ +@@ -2832,12 +2867,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -34476,7 +34517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2903,10 @@ +@@ -2869,10 +2904,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -34489,7 +34530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2938,12 @@ +@@ -2904,12 +2939,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -34505,7 +34546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2975,11 @@ +@@ -2941,11 +2976,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` 
@@ -34519,7 +34560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3011,11 @@ +@@ -2977,11 +3012,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -34533,7 +34574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3047,11 @@ +@@ -3013,11 +3048,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -34547,7 +34588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3083,11 @@ +@@ -3049,11 +3084,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -34561,7 +34602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3119,11 @@ +@@ -3085,11 +3120,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -34575,7 +34616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3168,10 @@ +@@ -3134,10 +3169,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -34588,7 +34629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3212,19 @@ +@@ -3178,19 +3213,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -34612,7 +34653,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -3211,13 +3245,13 @@ +@@ -3211,13 +3246,13 @@ # template(`userdom_rw_user_tmpfs_files',` gen_require(` @@ -34630,7 +34671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4616,11 +4650,11 @@ +@@ -4616,11 +4651,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -34644,7 +34685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4674,14 @@ +@@ -4640,6 +4675,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -34659,7 +34700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4719,8 @@ +@@ -4677,6 +4720,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -34668,7 +34709,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4765,25 @@ +@@ -4721,6 +4766,25 @@ ######################################## ##

@@ -34694,7 +34735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5009,7 @@ +@@ -4946,7 +5010,7 @@ ######################################## ## @@ -34703,7 +34744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,7 +5381,7 @@ +@@ -5318,7 +5382,7 @@ ######################################## ## @@ -34712,7 +34753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5326,18 +5389,17 @@ +@@ -5326,18 +5390,17 @@ ## ## # @@ -34735,7 +34776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5345,17 +5407,17 @@ +@@ -5345,17 +5408,17 @@ ## ## # @@ -34757,7 +34798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5363,18 +5425,18 @@ +@@ -5363,18 +5426,18 @@ ## ## # @@ -34781,7 +34822,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5382,9 +5444,46 @@ +@@ -5382,9 +5445,46 @@ ## ## # @@ -34830,7 +34871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 userdomain:process getattr; -@@ -5447,6 +5546,24 @@ +@@ -5447,6 +5547,24 @@ ######################################## ## @@ -34855,7 +34896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a SIGCHLD signal to all user domains. ## ## -@@ -5483,6 +5600,42 @@ +@@ -5483,6 +5601,42 @@ ######################################## ## @@ -34898,7 +34939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5666,546 @@ +@@ -5513,3 +5667,546 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
diff --git a/selinux-policy.spec b/selinux-policy.spec index 29a315b..d635568 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -457,6 +457,9 @@ exit 0 %endif %changelog +* Tue Nov 25 2008 Dan Walsh 3.5.13-25 +- Allow postfix_smtpd to getattr on directories and file systems + * Mon Nov 24 2008 Dan Walsh 3.5.13-24 - Fix certwatch creating cache