diff -ru serefpolicy-2.3.2.orig/policy/modules/kernel/kernel.if serefpolicy-2.3.2/policy/modules/kernel/kernel.if
--- serefpolicy-2.3.2.orig/policy/modules/kernel/kernel.if	2006-07-16 13:34:12.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/kernel/kernel.if	2006-07-16 19:48:19.000000000 +1000
@@ -1942,6 +1942,24 @@
 
 ########################################
 ## <summary>
+##	Allow caller to stat unlabeled processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_unlabeled_procs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:process getattr;
+')
+
+########################################
+## <summary>
 ##	Allow caller to relabel unlabeled files.
 ## </summary>
 ## <param name="domain">
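Review bot: The summary of `kernel_getattr_unlabeled_procs` says "stat unlabeled processes", but the rule grants `getattr` on the `process` class, which is attribute access to the process rather than a file stat. I would word it like the neighbouring interfaces, e.g. `##	Get the attributes of unlabeled processes.`, so someone auditing callers can see which permission is handed out. The hunk ends inside the following interface's header, which is unchanged.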
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/amavis.fc serefpolicy-2.3.2/policy/modules/services/amavis.fc
--- serefpolicy-2.3.2.orig/policy/modules/services/amavis.fc	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/amavis.fc	2006-07-16 19:48:19.000000000 +1000
@@ -7,6 +7,6 @@
 /var/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/lib/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
-/var/run/amavis(d)?(/.*)?		gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/run/amavis(d)?/.+			gen_context(system_u:object_r:amavis_var_run_t,s0)
 /var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
 /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
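Review bot: The new pattern `/var/run/amavis(d)?/.+` no longer matches the directory itself, so `/var/run/amavis` and `/var/run/amavisd` will take whatever the generic `/var/run` entry assigns. If the aim is only to let the `clamd.pid` entry in clamav.fc apply to a file in that directory, the directory can keep its type with an explicit entry such as `/var/run/amavis(d)?	-d	gen_context(system_u:object_r:amavis_var_run_t,s0)`. If the relabel of the directory is intended, a comment above the line saying so would help, because amavis_t then needs create access in a directory of a different type and that rule is not visible in this patch.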
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/amavis.te serefpolicy-2.3.2/policy/modules/services/amavis.te
--- serefpolicy-2.3.2.orig/policy/modules/services/amavis.te	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/amavis.te	2006-07-16 19:48:19.000000000 +1000
@@ -50,6 +50,7 @@
 allow amavis_t self:unix_stream_socket create_stream_socket_perms;
 allow amavis_t self:unix_dgram_socket create_socket_perms;
 allow amavis_t self:tcp_socket { listen accept };
+allow amavis_t proc_t:lnk_file read;
 
 # configuration files
 allow amavis_t amavis_etc_t:dir r_dir_perms;
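Review bot: `allow amavis_t proc_t:lnk_file read;` names a type owned by the kernel module directly in amavis.te, and no `gen_require` for `proc_t` is visible in this hunk. Modules in this policy otherwise reach foreign types through interfaces, so this should go through the kernel module, e.g. `kernel_read_proc_symlinks(amavis_t)` if this version provides it. A one-line comment saying which /proc symlink amavis reads (presumably `/proc/self`) would let a later reviewer judge whether the access is still needed.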
@@ -62,10 +63,11 @@
 allow amavis_t amavis_quarantine_t:dir create_dir_perms;
 
 # Spool Files
+files_search_spool(amavis_t)
 allow amavis_t amavis_spool_t:dir manage_dir_perms;
 allow amavis_t amavis_spool_t:file manage_file_perms;
 allow amavis_t amavis_spool_t:sock_file manage_file_perms;
-files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
+type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
 
 # tmp files
 allow amavis_t amavis_tmp_t:file create_file_perms;
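Review bot: The added `type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;` only selects a label and grants no access. Sockets created in the spool directory will now be `amavis_var_run_t`, but the only sock_file rule visible here is still the one on `amavis_spool_t`. Unless the rest of the file already has it, this needs `allow amavis_t amavis_var_run_t:sock_file manage_file_perms;` next to the transition, or the create will be denied. Removing `files_spool_filetrans` also means directories and files amavis creates directly under the spool root no longer transition to `amavis_spool_t`; please confirm that is intended and say so in a comment.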
@@ -76,8 +78,6 @@
 allow amavis_t amavis_var_lib_t:file create_file_perms;
 allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
 allow amavis_t amavis_var_lib_t:dir create_dir_perms;
-files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
 
 # log files
 allow amavis_t amavis_var_log_t:file create_file_perms;
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/clamav.fc serefpolicy-2.3.2/policy/modules/services/clamav.fc
--- serefpolicy-2.3.2.orig/policy/modules/services/clamav.fc	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/clamav.fc	2006-07-16 19:48:22.000000000 +1000
@@ -8,8 +8,10 @@
 /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
 /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav/clamd.ctl	-s	gen_context(system_u:object_r:clamd_sock_t,s0)
+/var/run/clamav/clamd.ctl	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/amavis(d)?/clamd.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
 /var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/spool/amavisd/clamd.sock	-s	gen_context(system_u:object_r:clamd_var_run_t)
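Review bot: The added `/var/spool/amavisd/clamd.sock` entry calls `gen_context` without the sensitivity argument that every other line in this file passes, which may produce an incomplete context on MLS builds. It should read `/var/spool/amavisd/clamd.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)`. The dots in the new `clamd.pid` and `clamd.sock` paths are also unescaped, so they match any character; amavis.fc writes `amavisd\.log`, and the same escaping would keep these patterns exact.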
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/clamav.if serefpolicy-2.3.2/policy/modules/services/clamav.if
--- serefpolicy-2.3.2.orig/policy/modules/services/clamav.if	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/clamav.if	2006-07-16 19:51:04.000000000 +1000
@@ -35,11 +35,11 @@
 #
 interface(`clamav_stream_connect',`
 	gen_require(`
-		type clamd_t, clamd_sock_t, clamd_var_run_t;
+		type clamd_t, clamd_var_run_t;
 	')
 
 	allow $1 clamd_var_run_t:dir search;
-	allow $1 clamd_sock_t:sock_file write;
+	allow $1 clamd_var_run_t:sock_file write;
 	allow $1 clamd_t:unix_stream_socket connectto;
 ')
 
@@ -102,3 +102,22 @@
 	allow clamscan_t $1:fifo_file rw_file_perms;
 	allow clamscan_t $1:process sigchld;
 ')
+
+########################################
+## <summary>
+##    Access /var/lib/clamav
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed to transition.
+##    </summary>
+## </param>
+#
+interface(`access_clam_home',`
+	gen_require(`
+		type clamd_var_lib_t;
+	')
+
+	allow $1 clamd_var_lib_t:dir search;
+')
+
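Review bot: The new interface `access_clam_home` does not carry the module prefix that the other interfaces in clamav.if use (`clamav_stream_connect`), and its parameter text "Domain allowed to transition." describes a domain transition although the body only grants `search` on `clamd_var_lib_t` directories. I would name it after what it grants, for example `clamav_search_lib`, change the parameter summary to `Domain allowed access.` and the summary to `Search clamav library directories.`. The call added in procmail.te would need the same rename.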
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/clamav.te serefpolicy-2.3.2/policy/modules/services/clamav.te
--- serefpolicy-2.3.2.orig/policy/modules/services/clamav.te	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/clamav.te	2006-07-16 19:48:22.000000000 +1000
@@ -15,10 +15,6 @@
 type clamd_etc_t;
 files_type(clamd_etc_t)
 
-# named socket type
-type clamd_sock_t;
-files_type(clamd_sock_t)
-
 # tmp files
 type clamd_tmp_t;
 files_tmp_file(clamd_tmp_t)
@@ -34,6 +30,7 @@
 # pid files
 type clamd_var_run_t;
 files_pid_file(clamd_var_run_t)
+typealias clamd_var_run_t alias clamd_sock_t;
 
 type clamscan_t;
 type clamscan_exec_t;
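Review bot: Turning `clamd_sock_t` into an alias of `clamd_var_run_t` means every rule written for pid files now also covers the control socket. A later hunk shows `freshclam_t` with `manage_file_perms` on `clamd_var_run_t:file`, and callers of `clamav_stream_connect` get `write` on any socket of that type. The same patch removes `allow clamd_t clamd_sock_t:sock_file manage_file_perms;` and `files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)`, and no replacement on `clamd_var_run_t` for the `sock_file` class is visible, so please confirm clamd_t can still create its socket and that it gets the intended label. A comment on the alias line, such as `# clamd_sock_t folded into the pid type; alias kept for existing references`, would record why the separate type was dropped.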
@@ -67,12 +64,6 @@
 allow clamd_t clamd_etc_t:file r_file_perms;
 allow clamd_t clamd_etc_t:lnk_file { getattr read };
 
-# socket file
-allow clamd_t clamd_sock_t:file manage_file_perms;
-allow clamd_t clamd_sock_t:sock_file manage_file_perms;
-allow clamd_t clamd_sock_t:dir rw_dir_perms;
-files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
-
 # tmp files
 allow clamd_t clamd_tmp_t:file create_file_perms;
 allow clamd_t clamd_tmp_t:dir create_dir_perms;
@@ -80,14 +71,10 @@
 
 # var/lib files for clamd
 allow clamd_t clamd_var_lib_t:file create_file_perms;
-allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
 allow clamd_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
 
 # log files
 allow clamd_t clamd_var_log_t:file create_file_perms;
-allow clamd_t clamd_var_log_t:sock_file create_file_perms;
 allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
 logging_log_filetrans(clamd_t,clamd_var_log_t,file)
 
@@ -161,10 +148,7 @@
 
 # var/lib files together with clamd
 allow freshclam_t clamd_var_lib_t:file create_file_perms;
-allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
 allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
 
 # pidfiles- var/run together with clamd
 allow freshclam_t clamd_var_run_t:file manage_file_perms;
@@ -174,7 +158,6 @@
 
 # log files (own logfiles only)
 allow freshclam_t freshclam_var_log_t:file create_file_perms;
-allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
 allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
 allow freshclam_t clamd_var_log_t:dir search;
 logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
@@ -234,7 +217,6 @@
 
 # var/lib files together with clamd
 allow clamscan_t clamd_var_lib_t:file r_file_perms;
-allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
 allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
 
 kernel_read_kernel_sysctls(clamscan_t)
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/mailman.te serefpolicy-2.3.2/policy/modules/services/mailman.te
--- serefpolicy-2.3.2.orig/policy/modules/services/mailman.te	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/mailman.te	2006-07-16 19:48:22.000000000 +1000
@@ -6,7 +6,6 @@
 # Declarations
 #
 
-mailman_domain_template(cgi)
 
 type mailman_data_t;
 files_type(mailman_data_t)
@@ -25,17 +24,28 @@
 
 mailman_domain_template(queue)
 
+mailman_domain_template(cgi)
+
 ########################################
 #
 # Mailman CGI local policy
 #
 
-# cjp: the template invocation for queue should be
+# cjp: the template invocation for queue and cgi should be
 # in the below optional policy; however, there are no
 # optionals for file contexts yet, so it is promoted
 # to global scope until such facilities exist.
 
 optional_policy(`
+	allow mailman_cgi_t self:netlink_route_socket r_netlink_socket_perms;
+
+	nscd_socket_use(mailman_cgi_t)
+
+	allow mailman_cgi_t urandom_device_t:chr_file { getattr read };
+
+# for python pre-compile foolishness
+	dontaudit mailman_cgi_t lib_t:dir write;
+
 	allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
 	allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
 	allow mailman_cgi_t mailman_archive_t:file create_file_perms;
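Review bot: The two added rules on `urandom_device_t` and `lib_t` reference types owned by other modules directly, with no `gen_require` visible in the hunk. The first should be `dev_read_urand(mailman_cgi_t)`, and the dontaudit should go through the libraries module's interface if this version has one. These rules, the netlink rule and `nscd_socket_use` are also placed inside an `optional_policy` block whose existing content is archive access, so they are dropped whenever that block's dependency is not met. If the CGI needs them unconditionally they belong outside it. The block continues past the end of the hunk, so its condition is not visible here.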
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/postfix.te serefpolicy-2.3.2/policy/modules/services/postfix.te
--- serefpolicy-2.3.2.orig/policy/modules/services/postfix.te	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/postfix.te	2006-07-16 19:48:22.000000000 +1000
@@ -593,3 +593,8 @@
 optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
+
+optional_policy(`
+	postgrey_socket_access(postfix_smtpd_t)
+')
+
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/postgrey.fc serefpolicy-2.3.2/policy/modules/services/postgrey.fc
--- serefpolicy-2.3.2.orig/policy/modules/services/postgrey.fc	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/postgrey.fc	2006-07-16 19:48:22.000000000 +1000
@@ -4,5 +4,6 @@
 /usr/sbin/postgrey	--	gen_context(system_u:object_r:postgrey_exec_t,s0)
 
 /var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/var/run/postgrey/socket -s	gen_context(system_u:object_r:postgrey_var_run_t,s0)
 
 /var/lib/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_lib_t,s0)
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/postgrey.if serefpolicy-2.3.2/policy/modules/services/postgrey.if
--- serefpolicy-2.3.2.orig/policy/modules/services/postgrey.if	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/postgrey.if	2006-07-16 19:48:22.000000000 +1000
@@ -1 +1,21 @@
 ## <summary>Postfix grey-listing server</summary>
+
+########################################
+## <summary>
+##      Write to postgrey socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to talk to postgrey
+##      </summary>
+## </param>
+#
+interface(`postgrey_socket_access',`
+        gen_require(`
+                type postgrey_var_run_t, postgrey_t;
+        ')
+
+        allow $1 postgrey_var_run_t:sock_file write;
+	allow $1 postgrey_t:unix_stream_socket connectto;
+')
+
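Review bot: `postgrey_socket_access` grants `write` on the socket file and `connectto`, but no search permission on the directories leading to it, whereas `clamav_stream_connect` in this same patch pairs those with a `dir search` rule. With the socket labelled at `/var/run/postgrey/socket`, a caller will likely also need `files_search_pids($1)` and search on the `postgrey` directory's type. The name would match the rest of the policy better as `postgrey_stream_connect`, and the body mixes space and tab indentation on the two `allow` lines.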
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/postgrey.te serefpolicy-2.3.2/policy/modules/services/postgrey.te
--- serefpolicy-2.3.2.orig/policy/modules/services/postgrey.te	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/postgrey.te	2006-07-16 19:48:22.000000000 +1000
@@ -18,6 +18,8 @@
 
 type postgrey_var_run_t;
 files_pid_file(postgrey_var_run_t)
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, sock_file)
+allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
 
 ########################################
 #
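Review bot: The added `files_pid_filetrans` and `allow` lines sit in the declarations block directly under the type declaration, while rules belong in the local policy section that starts just below the hunk. Moving them there keeps the declarations block limited to types and attributes. The file context added in postgrey.fc places the socket in `/var/run/postgrey/`, and no rule here lets postgrey_t add a name in that directory or gives the directory a type. Please confirm that is covered elsewhere in the file.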
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/procmail.te serefpolicy-2.3.2/policy/modules/services/procmail.te
--- serefpolicy-2.3.2.orig/policy/modules/services/procmail.te	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/procmail.te	2006-07-16 19:48:22.000000000 +1000
@@ -82,6 +82,10 @@
 ')
 
 optional_policy(`
+	access_clam_home(procmail_t)
+')
+
+optional_policy(`
 	logging_send_syslog_msg(procmail_t)
 ')
 
diff -ru serefpolicy-2.3.2.orig/policy/modules/services/samba.te serefpolicy-2.3.2/policy/modules/services/samba.te
--- serefpolicy-2.3.2.orig/policy/modules/services/samba.te	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/services/samba.te	2006-07-16 19:48:22.000000000 +1000
@@ -186,6 +186,7 @@
 allow smbd_t self:udp_socket create_socket_perms;
 allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow smbd_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow smbd_t samba_etc_t:dir rw_dir_perms;
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
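Review bot: The added rule gives smbd_t `rw_netlink_socket_perms` on its route socket, which includes `nlmsg_write`, the permission to send messages that change routing and interface state. The mailman change in this same patch uses `r_netlink_socket_perms` for what is presumably the same purpose, reading interface and route information. Unless smbd is known to modify routes, I would narrow this to `allow smbd_t self:netlink_route_socket r_netlink_socket_perms;` and add a comment naming the lookup that needs it.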
@@ -313,6 +314,7 @@
 
 optional_policy(`
 	cups_read_rw_config(smbd_t)
+	cups_stream_connect(smbd_t)
 ')
 
 optional_policy(`
diff -ru serefpolicy-2.3.2.orig/policy/modules/system/selinuxutil.te serefpolicy-2.3.2/policy/modules/system/selinuxutil.te
--- serefpolicy-2.3.2.orig/policy/modules/system/selinuxutil.te	2006-07-16 13:34:12.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/system/selinuxutil.te	2006-07-16 19:48:22.000000000 +1000
@@ -554,6 +554,7 @@
 
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
+domain_interactive_fd(semanage_t)
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
 
diff -ru serefpolicy-2.3.2.orig/policy/modules/system/unconfined.if serefpolicy-2.3.2/policy/modules/system/unconfined.if
--- serefpolicy-2.3.2.orig/policy/modules/system/unconfined.if	2006-07-09 19:51:24.000000000 +1000
+++ serefpolicy-2.3.2/policy/modules/system/unconfined.if	2006-07-16 19:48:22.000000000 +1000
@@ -86,6 +86,11 @@
 	optional_policy(`
 		storage_unconfined($1)
 	')
+
+	optional_policy(`
+		kernel_getattr_unlabeled_procs($1)
+		kernel_kill_unlabeled($1)
+	')
 ')
 
 ########################################
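Review bot: The two kernel interface calls are wrapped in `optional_policy`, although the kernel module is part of the base policy and the nearby `storage_unconfined` block is the kind of dependency that wrapper is meant for. Calling `kernel_getattr_unlabeled_procs($1)` and `kernel_kill_unlabeled($1)` directly would make it clear they always apply. `kernel_kill_unlabeled` is not added by this patch, so please confirm it is already defined in kernel.if. A short comment on why unconfined domains need to signal unlabeled processes (presumably processes left over from a policy reload) would help later audits of this template, whose start is outside the hunk.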
