++
++policy_module(exim, 1.0.0)
+
+########################################
+#
@@ -5726,14 +5629,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+
+type exim_t;
+type exim_exec_t;
-+domain_type(exim_t)
-+init_daemon_domain(exim_t, exim_exec_t)
++mta_mailserver(exim_t, exim_exec_t)
++mta_mailserver_user_agent(exim_t)
++application_executable_file(exim_exec_t)
++mta_mailclient(exim_exec_t)
+
+type exim_script_exec_t;
+init_script_type(exim_script_exec_t)
+
-+type exim_tmp_t;
-+files_tmp_file(exim_tmp_t)
++type exim_spool_t;
++files_type(exim_spool_t)
+
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
@@ -5741,78 +5646,153 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+type exim_log_t;
+logging_log_file(exim_log_t)
+
-+type exim_spool_t;
-+files_type(exim_spool_t)
++########################################
++#
++# exim booleans
++#
++
++##
++##
++## Allow exim to connect to databases (postgres, mysql)
++##
++##
++gen_tunable(exim_can_connect_db, false)
++
++##
++##
++## Allow exim to read files in users homedirectories
++##
++##
++gen_tunable(exim_read_user_files, false)
++
++##
++##
++## Allow exim to manage files in users homedirectories
++##
++##
++gen_tunable(exim_manage_user_files, false)
+
+########################################
+#
+# exim local policy
+#
+
-+allow exim_t self:capability { dac_override dac_read_search setuid setgid };
-+
-+## internal communication is often done using fifo and unix sockets.
++allow exim_t self:capability { sys_resource dac_override dac_read_search setuid setgid fowner chown };
++allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:fifo_file rw_file_perms;
++allow exim_t self:tcp_socket create_stream_socket_perms;
++allow exim_t self:udp_socket create_socket_perms;
+allow exim_t self:unix_stream_socket create_stream_socket_perms;
+
-+allow exim_t exim_tmp_t:file manage_file_perms;
-+allow exim_t exim_tmp_t:dir create_dir_perms;
-+files_tmp_filetrans(exim_t,exim_tmp_t, { file dir })
++corenet_all_recvfrom_unlabeled(exim_t)
++corenet_all_recvfrom_netlabel(exim_t)
++corenet_udp_sendrecv_all_if(exim_t)
++corenet_udp_sendrecv_all_nodes(exim_t)
++corenet_tcp_sendrecv_all_if(exim_t)
++corenet_tcp_sendrecv_all_nodes(exim_t)
++corenet_tcp_bind_all_nodes(exim_t)
++corenet_tcp_bind_amavisd_send_port(exim_t)
++corenet_tcp_bind_smtp_port(exim_t)
++corenet_tcp_connect_smtp_port(exim_t)
++corenet_tcp_sendrecv_smtp_port(exim_t)
++corenet_sendrecv_smtp_server_packets(exim_t)
++corenet_sendrecv_all_client_packets(exim_t)
+
-+allow exim_t exim_var_run_t:file manage_file_perms;
-+allow exim_t exim_var_run_t:dir manage_dir_perms;
-+files_pid_filetrans(exim_t,exim_var_run_t, { file dir })
++# make identd connections
++corenet_tcp_connect_auth_port(exim_t)
++corenet_tcp_sendrecv_auth_port(exim_t)
+
-+allow exim_t exim_log_t:file manage_file_perms;
-+allow exim_t exim_log_t:dir { rw_dir_perms setattr };
-+logging_log_filetrans(exim_t,exim_log_t,{ file dir })
++# connect to spamassassin
++corenet_tcp_connect_spamd_port(exim_t)
++corenet_tcp_sendrecv_spamd_port(exim_t)
+
-+allow exim_t exim_spool_t:dir manage_dir_perms;
-+allow exim_t exim_spool_t:file manage_file_perms;
-+allow exim_t exim_spool_t:sock_file create_file_perms;
-+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
++libs_use_ld_so(exim_t)
++libs_read_lib_files(exim_t)
++libs_exec_lib_files(exim_t)
++libs_use_shared_libs(exim_t)
++libs_legacy_use_shared_libs(exim_t)
++
++# PID files
++manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
++files_pid_filetrans(exim_t, exim_var_run_t, file)
+
+auth_use_nsswitch(exim_t)
+
-+can_exec(exim_t,exim_exec_t)
++# Exim uses BerkeleyDB, which checks /var/tmp but doesn't actually use it
++files_dontaudit_getattr_tmp_dirs(exim_t)
++files_search_usr(exim_t)
++files_search_var(exim_t)
++files_read_etc_files(exim_t)
++
++fs_getattr_xattr_fs(exim_t)
++
++kernel_read_kernel_sysctls(exim_t)
++kernel_dontaudit_read_system_state(exim_t)
++
++miscfiles_read_localization(exim_t)
++miscfiles_read_certs(exim_t)
++
++mta_read_aliases(exim_t)
++mta_read_config(exim_t)
++mta_rw_spool(exim_t)
++mta_mailserver_delivery(exim_t)
+
+# Init script handling
+domain_use_interactive_fds(exim_t)
+
-+files_read_etc_files(exim_t)
++can_exec(exim_t,exim_exec_t)
+
-+sysnet_dns_name_resolve(exim_t)
-+corenet_all_recvfrom_unlabeled(exim_t)
++exim_create_spool(exim_t)
++exim_manage_spool(exim_t)
++allow exim_t exim_spool_t:sock_file create_file_perms;
++files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
+
-+allow exim_t self:tcp_socket create_stream_socket_perms;
-+corenet_tcp_sendrecv_all_if(exim_t)
-+corenet_tcp_sendrecv_all_nodes(exim_t)
-+corenet_tcp_sendrecv_all_ports(exim_t)
-+corenet_tcp_bind_all_nodes(exim_t)
-+corenet_tcp_bind_smtp_port(exim_t)
-+corenet_tcp_bind_amavisd_send_port(exim_t)
-+corenet_tcp_connect_auth_port(exim_t)
-+corenet_tcp_connect_inetd_child_port(exim_t)
++## logging
++logging_send_syslog_msg(exim_t)
++exim_manage_logs(exim_t)
++logging_log_filetrans(exim_t, exim_log_t, { file dir })
+
+corecmd_search_bin(exim_t)
+
-+libs_use_ld_so(exim_t)
-+libs_use_shared_libs(exim_t)
-+logging_send_syslog_msg(exim_t)
++# TLS sessions need entropy
++dev_read_urand(exim_t)
++dev_read_rand(exim_t)
+
-+miscfiles_read_localization(exim_t)
++tunable_policy(`exim_can_connect_db',`
++ corenet_tcp_connect_mysqld_port(exim_t)
++ corenet_sendrecv_mysqld_client_packets(exim_t)
++ corenet_tcp_connect_postgresql_port(exim_t)
++ corenet_sendrecv_postgresql_client_packets(exim_t)
++')
+
-+kernel_read_kernel_sysctls(exim_t)
++optional_policy(`
++ tunable_policy(`exim_can_connect_db',`
++ mysql_stream_connect(exim_t)
++ ')
++')
+
-+mta_mailclient(exim_exec_t)
-+mta_read_aliases(exim_t)
-+mta_rw_spool(exim_t)
++optional_policy(`
++ tunable_policy(`exim_can_connect_db',`
++ postgresql_stream_connect(exim_t)
++ ')
++')
++
++optional_policy(`
++ mailman_read_data_files(exim_t)
++ mailman_domtrans(exim_t)
++')
+
-+userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-+userdom_dontaudit_search_generic_user_home_dirs(exim_t)
++optional_policy(`
++ procmail_domtrans(exim_t)
++')
+
-+bool exim_read_user_files false;
-+bool exim_manage_user_files false;
++optional_policy(`
++ sasl_connect(exim_t)
++')
++
++optional_policy(`
++ cyrus_stream_connect(exim_t)
++')
+
+if (exim_read_user_files) {
+ userdom_read_unpriv_users_home_content_files(exim_t)
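Review bot: The rule `allow exim_t self:capability { sys_resource dac_override dac_read_search setuid setgid fowner chown };` adds sys_resource, fowner and chown with no comment recording which exim operation needs them; together with the dac_override already granted, fowner and chown let the daemon take over ownership of any file its other rules let it reach, so each one should be tied to a purpose. sys_resource presumably pairs with the setrlimit in the self:process rule just below, and fowner/chown presumably serve spool or log ownership, but that is inferred, so I would put `# sys_resource: setrlimit past the hard limit; fowner/chown: spool file ownership -- TODO confirm each against a denial` above the rule and drop whichever of the three no denial calls for. Separately, now that the booleans are declared with gen_tunable, the raw if block for exim_read_user_files at the end of this hunk (and the exim_manage_user_files one, which continues past it) would be consistent with the tunable_policy block used for exim_can_connect_db earlier in the same hunk if rewritten as tunable_policy blocks. The same inconsistency shows between `manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)` and the `exim_create_spool(exim_t)` / `exim_manage_logs(exim_t)` calls, which route the module's own rules through interfaces defined outside this hunk.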
@@ -5825,9 +5805,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+ userdom_write_unpriv_users_tmp_files(exim_t)
+}
+
++## receipt & validation
++
++optional_policy(`
++ clamav_domtrans_clamscan(exim_t)
++ clamav_stream_connect(exim_t)
++')
++
++optional_policy(`
++ spamassassin_exec(exim_t)
++ spamassassin_exec_client(exim_t)
++')
++
++# courier authdaemon; authdaemon doesn't have a type for its UNIX domain
++# socket, nor a public interface for it yet.
++ifdef(`TODO', `
++optional_policy(`
++ gen_require(`
++ type courier_var_run_t;
++ ')
++ files_search_pids(exim_t)
++ stream_connect_pattern(exim_t, courier_var_run_t, courier_var_run_t)
++')
++')
++
++# Debian uses a template based config generator which generates config
++# files under /var
++ifdef(`distro_debian',`
++ type exim_lib_t;
++ files_config_file(exim_lib_t)
++ exim_read_lib(exim_t)
++
++ type exim_lib_update_t;
++ type exim_lib_update_exec_t;
++ init_domain(exim_lib_update_t, exim_lib_update_exec_t)
++ domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)
++ mta_read_lib(exim_lib_update_t)
++ exim_manage_var_lib(exim_lib_update_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.4/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-10-04 10:58:50.000000000 -0400
@@ -88,6 +88,7 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
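Review bot: The distro_debian block at the end of the exim hunk creates a new init-launched domain, exim_lib_update_t, but grants it only `mta_read_lib(exim_lib_update_t)` and `exim_manage_var_lib(exim_lib_update_t)`; with no libs_use_*, files_read_etc_files or self rules visible, the updater looks unable to execute at all, so either those rules live in exim.if (outside this hunk) or the block is incomplete, and that is worth confirming before shipping. `domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)` directly after `init_domain(exim_lib_update_t, exim_lib_update_exec_t)` is presumably redundant, since init_domain normally makes that call itself. The ifdef(TODO) courier block is never expanded and the comment above it already explains why; keeping the disabled rules as dead m4 rather than as comment text only invites them to be enabled later without the missing courier type ever being added.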
@@ -5836,7 +5855,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
allow ftpd_t ftpd_etc_t:file read_file_perms;
-@@ -156,6 +157,7 @@
+@@ -105,9 +106,10 @@
+ manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
+ fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
++manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+ manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+ manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+-files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
++files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} )
+
+ # proftpd requires the client side to bind a socket so that
+ # it can stat the socket to perform access control decisions,
+@@ -122,6 +124,7 @@
+
+ kernel_read_kernel_sysctls(ftpd_t)
+ kernel_read_system_state(ftpd_t)
++kernel_search_network_state(ftpd_t)
+
+ dev_read_sysfs(ftpd_t)
+ dev_read_urand(ftpd_t)
+@@ -156,6 +159,7 @@
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
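Review bot: `files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} )` spaces its closing brace and parenthesis unlike every other set in this hunk (compare the fs_tmpfs_filetrans line above it); write it as `files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir })`. The added `kernel_search_network_state(ftpd_t)` gives no reason for the grant; the spec changelog only says "Fixes for proftp", so a comment such as `# proftpd searches /proc/net -- TODO confirm which entry` above it would keep the rule explainable when the policy is later tightened.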
@@ -5844,7 +5883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
-@@ -167,6 +169,8 @@
+@@ -167,6 +171,8 @@
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
@@ -5853,7 +5892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
logging_send_syslog_msg(ftpd_t)
miscfiles_read_localization(ftpd_t)
-@@ -223,10 +227,15 @@
+@@ -223,10 +229,15 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -5871,8 +5910,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.6.4/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-09-11 15:14:23.000000000 -0400
-@@ -2,15 +2,22 @@
++++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-10-05 09:47:34.000000000 -0400
+@@ -2,15 +2,25 @@
/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
@@ -5900,6 +5939,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
++
++/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
++/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.6.4/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/hal.if 2007-08-07 09:42:35.000000000 -0400
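Review bot: The two added lines `/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)` and `/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)` repeat the two context lines immediately above them, so the patched hal.fc carries each specification twice. Identical duplicates do not change labeling, but setfiles/restorecon report them as multiple specifications for the same path, and two copies invite divergence if one is edited later; drop the added blank line and the two repeats and keep only the existing pair.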
@@ -6004,7 +6046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.6.4/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-09-21 14:56:10.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-10-05 09:47:20.000000000 -0400
@@ -61,8 +61,6 @@
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
@@ -6610,7 +6652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## Read sendmail binary.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.4/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-09-13 13:02:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-10-06 08:53:21.000000000 -0400
@@ -6,6 +6,7 @@
# Declarations
#
@@ -6629,7 +6671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -52,6 +54,7 @@
+@@ -52,9 +54,12 @@
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
@@ -6637,7 +6679,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-@@ -91,12 +94,14 @@
++fs_rw_anon_inodefs_files(system_mail_t)
++
+ init_use_script_ptys(system_mail_t)
+
+ userdom_use_sysadm_terms(system_mail_t)
+@@ -91,12 +96,14 @@
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
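Review bot: `fs_rw_anon_inodefs_files(system_mail_t)` is added without a comment, and it is a broad read/write grant on anonymous-inode objects whose trigger is not visible in this hunk. A why-comment above it, e.g. `# NOTE(review): presumably eventfd/epoll use by the mail client -- confirm against the denial`, would let a later reviewer judge whether the access is required or a dontaudit would do.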
@@ -6652,7 +6699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -109,6 +114,7 @@
+@@ -109,6 +116,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -10031,6 +10078,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.
corecmd_list_bin(xfs_t)
dev_read_sysfs(xfs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.6.4/policy/modules/services/xserver.fc
+--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/xserver.fc 2007-10-02 11:51:15.000000000 -0400
+@@ -92,7 +92,7 @@
+ /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
+-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-08-07 09:42:35.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 40cc08e..17945c6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 46%{?dist}
+Release: 47%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
%endif
%changelog
+* Thu Oct 4 2007 Dan Walsh 2.6.4-47
+- Fixes for proftp
+
* Mon Oct 1 2007 Dan Walsh 2.6.4-46
- Allow smbcontrol to work on terminal windows