commit: c12405c1bbcaeb1558c3f053671710738138e463
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 15:17:52 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12405c1
MTA fixes from Russell Coker.
policy/modules/contrib/clamav.te | 11 +++++++++--
policy/modules/contrib/courier.if | 4 ++--
policy/modules/contrib/courier.te | 6 +++++-
policy/modules/contrib/dkim.if | 18 ++++++++++++++++++
policy/modules/contrib/dkim.te | 14 +++++++++++---
policy/modules/contrib/dovecot.fc | 3 +++
policy/modules/contrib/dovecot.te | 13 ++++++++++---
policy/modules/contrib/milter.if | 18 ++++++++++++++++++
policy/modules/contrib/milter.te | 10 +++++++++-
policy/modules/contrib/mta.fc | 1 +
policy/modules/contrib/mta.te | 8 +++++++-
policy/modules/contrib/perdition.fc | 2 +-
policy/modules/contrib/perdition.te | 19 +++++++++++++++----
policy/modules/contrib/postfix.fc | 30 +++++++++++++++---------------
policy/modules/contrib/postfix.te | 26 +++++++++++++++++++++++++-
policy/modules/contrib/postfixpolicyd.te | 18 +++++++++++++++---
policy/modules/contrib/postgrey.te | 7 +++++--
policy/modules/contrib/procmail.fc | 1 +
policy/modules/contrib/procmail.te | 7 ++++++-
policy/modules/contrib/spamassassin.fc | 1 +
policy/modules/contrib/spamassassin.te | 3 ++-
21 files changed, 179 insertions(+), 41 deletions(-)
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index f2664e82..11e568a6 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.0)
+policy_module(clamav, 1.14.1)
## <desc>
## <p>
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#
-allow clamd_t self:capability { dac_override kill setgid setuid };
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid
dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
allow clamd_t self:fifo_file rw_fifo_file_perms;
@@ -107,6 +107,8 @@ kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
+kernel_read_vm_overcommit_sysctl(clamd_t)
corecmd_exec_shell(clamd_t)
@@ -128,6 +130,7 @@ corenet_tcp_bind_clamd_port(clamd_t)
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
+dev_read_sysfs(clamd_t)
domain_use_interactive_fds(clamd_t)
@@ -215,6 +218,10 @@ corenet_sendrecv_http_client_packets(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
corenet_tcp_sendrecv_http_port(freshclam_t)
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
corenet_sendrecv_squid_client_packets(freshclam_t)
corenet_tcp_connect_squid_port(freshclam_t)
corenet_tcp_sendrecv_squid_port(freshclam_t)
diff --git a/policy/modules/contrib/courier.if
b/policy/modules/contrib/courier.if
index 10f820fc..db4d192b 100644
--- a/policy/modules/contrib/courier.if
+++ b/policy/modules/contrib/courier.if
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',`
#
interface(`courier_stream_connect_authdaemon',`
gen_require(`
- type courier_authdaemon_t, courier_spool_t;
+ type courier_authdaemon_t, courier_var_run_t;
')
files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t,
courier_authdaemon_t)
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t,
courier_authdaemon_t)
')
########################################
diff --git a/policy/modules/contrib/courier.te
b/policy/modules/contrib/courier.te
index 176bd5c2..31ee1073 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.0)
+policy_module(courier, 1.16.1)
########################################
#
@@ -101,6 +101,8 @@ allow courier_authdaemon_t
courier_tcpd_t:unix_stream_socket rw_stream_socket_pe
can_exec(courier_authdaemon_t, courier_exec_t)
+corecmd_exec_shell(courier_authdaemon_t)
+
domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
dev_read_urand(courier_authdaemon_t)
@@ -187,6 +189,8 @@ miscfiles_read_localization(courier_tcpd_t)
kernel_read_kernel_sysctls(courier_sqwebmail_t)
+dev_read_urand(courier_sqwebmail_t)
+
optional_policy(`
cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
')
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 61e1f192..059e495a 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_milter_data_t, dkim_milter_t;
+ ')
+
+ stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t,
dkim_milter_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dkim environment.
## </summary>
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 9ef8d760..5ffc618b 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.0)
+policy_module(dkim, 1.5.1)
########################################
#
@@ -20,15 +20,23 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
# Local policy
#
-allow dkim_milter_t self:capability { setgid setuid };
-allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:process { signal signull };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t,
dkim_milter_private_key_t)
kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_sysctls(dkim_milter_t)
+kernel_read_vm_overcommit_sysctl(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
dev_read_urand(dkim_milter_t)
+# for cpu/online
+dev_read_sysfs(dkim_milter_t)
files_search_spool(dkim_milter_t)
diff --git a/policy/modules/contrib/dovecot.fc
b/policy/modules/contrib/dovecot.fc
index a8119188..c2f5734e 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -15,10 +15,13 @@
/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/lib/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/lib/dovecot/auth --
gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/deliver --
gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/lib/dovecot/dovecot-auth --
gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/dovecot-lda --
gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params --
gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/libexec/dovecot/auth --
gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver --
gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
diff --git a/policy/modules/contrib/dovecot.te
b/policy/modules/contrib/dovecot.te
index 1701e3f0..d18f9adc 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.0)
+policy_module(dovecot, 1.19.1)
########################################
#
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain)
# Local policy
#
-allow dovecot_t self:capability { chown dac_override dac_read_search fsetid
kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid
kill setgid setuid sys_chroot sys_resource };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:tcp_socket { accept listen };
@@ -159,6 +159,8 @@ files_search_spool(dovecot_t)
files_dontaudit_list_default(dovecot_t)
files_dontaudit_search_all_dirs(dovecot_t)
files_search_all_mountpoints(dovecot_t)
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
@@ -241,6 +243,8 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t,
dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto
rw_stream_socket_perms };
@@ -249,6 +253,9 @@ files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
+selinux_get_enforce_mode(dovecot_auth_t)
+selinux_get_fs_mount(dovecot_auth_t)
+
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)
@@ -256,7 +263,7 @@ init_rw_utmp(dovecot_auth_t)
logging_send_audit_msgs(dovecot_auth_t)
-seutil_dontaudit_search_config(dovecot_auth_t)
+seutil_search_default_contexts(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if
index cba62db1..ffb58f9f 100644
--- a/policy/modules/contrib/milter.if
+++ b/policy/modules/contrib/milter.if
@@ -97,3 +97,21 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t,
spamass_milter_state_t)
')
+
+########################################
+## <summary>
+## Get the attributes of the spamassissin milter data dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_data_dir',`
+ gen_require(`
+ type spamass_milter_data_t;
+ ')
+
+ allow $1 spamass_milter_data_t:dir getattr;
+')
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 7c4b347d..8295ca64 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.0)
+policy_module(milter, 1.6.1)
########################################
#
@@ -94,15 +94,23 @@ mta_read_config(regex_milter_t)
#
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+allow spamass_milter_t self:process sigkill;
kernel_read_system_state(spamass_milter_t)
+kernel_read_vm_overcommit_sysctl(spamass_milter_t)
corecmd_exec_shell(spamass_milter_t)
+dev_read_sysfs(spamass_milter_t)
+
files_search_var_lib(spamass_milter_t)
mta_send_mail(spamass_milter_t)
optional_policy(`
+ postfix_search_spool(spamass_milter_t)
+')
+
+optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index 24681349..dd9f799a 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]* --
gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f7280b11..22308885 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.2)
+policy_module(mta, 2.8.3)
########################################
#
@@ -199,6 +199,7 @@ selinux_getattr_fs(system_mail_t)
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
+init_use_fds(system_mail_t)
userdom_use_user_terminals(system_mail_t)
@@ -233,6 +234,7 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_tmp_files(system_mail_t)
')
optional_policy(`
@@ -294,6 +296,10 @@ optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
+optional_policy(`
+ unconfined_use_fds(system_mail_t)
+')
+
########################################
#
# MTA user agent local policy
diff --git a/policy/modules/contrib/perdition.fc
b/policy/modules/contrib/perdition.fc
index 156232f8..a7d2a8be 100644
--- a/policy/modules/contrib/perdition.fc
+++ b/policy/modules/contrib/perdition.fc
@@ -2,6 +2,6 @@
/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
-/usr/sbin/perdition --
gen_context(system_u:object_r:perdition_exec_t,s0)
+/usr/sbin/perdition.* --
gen_context(system_u:object_r:perdition_exec_t,s0)
/run/perdition\.pid --
gen_context(system_u:object_r:perdition_var_run_t,s0)
diff --git a/policy/modules/contrib/perdition.te
b/policy/modules/contrib/perdition.te
index 15023cee..2975c2cc 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.0)
+policy_module(perdition, 1.10.1)
########################################
#
@@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
# Local policy
#
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
dontaudit perdition_t self:capability sys_tty_config;
allow perdition_t self:process signal_perms;
allow perdition_t self:tcp_socket { accept listen };
@@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file read_file_perms;
allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+manage_dirs_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
kernel_read_kernel_sysctls(perdition_t)
kernel_list_proc(perdition_t)
@@ -45,12 +46,17 @@ corenet_tcp_sendrecv_generic_if(perdition_t)
corenet_tcp_sendrecv_generic_node(perdition_t)
corenet_tcp_sendrecv_all_ports(perdition_t)
corenet_tcp_bind_generic_node(perdition_t)
-
+corenet_tcp_connect_pop_port(perdition_t)
corenet_sendrecv_pop_server_packets(perdition_t)
corenet_tcp_bind_pop_port(perdition_t)
corenet_tcp_sendrecv_pop_port(perdition_t)
+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)
domain_use_interactive_fds(perdition_t)
@@ -67,6 +73,11 @@ userdom_dontaudit_use_unpriv_user_fds(perdition_t)
userdom_dontaudit_search_user_home_dirs(perdition_t)
optional_policy(`
+ mysql_tcp_connect(perdition_t)
+ mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(perdition_t)
')
diff --git a/policy/modules/contrib/postfix.fc
b/policy/modules/contrib/postfix.fc
index b71d8442..707b5be0 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -1,24 +1,24 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix(/.*)?
gen_context(system_u:object_r:postfix_etc_t,s0)
/etc/postfix/postfix-script.* --
gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/etc/rc\.d/init\.d/postfix --
gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
# Remove catch-all so that .so files remain lib_t
-#/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup --
gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local --
gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master --
gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup --
gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr --
gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq --
gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp --
gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp --
gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache --
gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd --
gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce --
gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe --
gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual --
gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+#/usr/lib/postfix/(sbin/)?.* --
gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup --
gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local --
gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master --
gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup --
gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr --
gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq --
gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp --
gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp --
gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache --
gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd --
gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce --
gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe --
gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual --
gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
/usr/libexec/postfix/.* --
gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup --
gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
diff --git a/policy/modules/contrib/postfix.te
b/policy/modules/contrib/postfix.te
index 74cb3d7e..94ac8471 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.0)
+policy_module(postfix, 1.17.1)
########################################
#
@@ -172,6 +172,7 @@ optional_policy(`
#
allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_master_t self:process getsched;
allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto
rw_stream_socket_perms };
@@ -272,6 +273,7 @@ corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
@@ -302,6 +304,8 @@ mcs_file_read_all(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
+hostname_exec(postfix_master_t)
+
miscfiles_read_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
@@ -326,6 +330,11 @@ optional_policy(`
optional_policy(`
mailman_manage_data_files(postfix_master_t)
+ mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+ milter_getattr_data_dir(postfix_master_t)
')
optional_policy(`
@@ -371,6 +380,7 @@ allow postfix_cleanup_t self:process setrlimit;
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -397,6 +407,10 @@ corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
mta_read_aliases(postfix_cleanup_t)
optional_policy(`
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')
@@ -432,6 +446,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
optional_policy(`
clamav_search_lib(postfix_local_t)
clamav_exec_clamscan(postfix_local_t)
+ clamav_stream_connect(postfix_smtpd_t)
')
optional_policy(`
@@ -549,6 +564,7 @@ allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -567,6 +583,7 @@ optional_policy(`
optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
+ mailman_domtrans(postfix_pipe_t)
')
optional_policy(`
@@ -596,6 +613,9 @@ manage_files_pattern(postfix_postdrop_t,
postfix_spool_maildrop_t, postfix_spool
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+# for /var/spool/postfix/public/pickup
+stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t,
postfix_master_t)
+
mcs_file_read_all(postfix_postdrop_t)
mcs_file_write_all(postfix_postdrop_t)
@@ -654,6 +674,10 @@ optional_policy(`
ppp_sigchld(postfix_postqueue_t)
')
+optional_policy(`
+ userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
########################################
#
# Qmgr local policy
diff --git a/policy/modules/contrib/postfixpolicyd.te
b/policy/modules/contrib/postfixpolicyd.te
index 621e1817..be84e714 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.0)
+policy_module(postfixpolicyd, 1.5.1)
########################################
#
@@ -15,6 +15,9 @@ files_config_file(postfix_policyd_conf_t)
type postfix_policyd_initrc_exec_t;
init_script_file(postfix_policyd_initrc_exec_t)
+type postfix_policyd_tmp_t;
+files_type(postfix_policyd_tmp_t)
+
type postfix_policyd_var_run_t;
files_pid_file(postfix_policyd_var_run_t)
@@ -23,8 +26,8 @@ files_pid_file(postfix_policyd_var_run_t)
# Local policy
#
-allow postfix_policyd_t self:capability { setgid setuid sys_chroot
sys_resource };
-allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid
setuid };
+allow postfix_policyd_t self:process { setrlimit signal signull };
allow postfix_policyd_t self:tcp_socket { accept listen };
allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
@@ -34,6 +37,13 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file
read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t,
postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file }
manage_file_perms;
+files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file
})
+
+kernel_search_network_sysctl(postfix_policyd_t)
+
+corecmd_exec_bin(postfix_policyd_t)
+
corenet_all_recvfrom_unlabeled(postfix_policyd_t)
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
@@ -47,6 +57,8 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
corenet_tcp_bind_mysqld_port(postfix_policyd_t)
corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
+dev_read_urand(postfix_policyd_t)
+
files_read_etc_files(postfix_policyd_t)
files_read_usr_files(postfix_policyd_t)
diff --git a/policy/modules/contrib/postgrey.te
b/policy/modules/contrib/postgrey.te
index ab5a8d3a..4fe73487 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.0)
+policy_module(postgrey, 1.11.1)
########################################
#
@@ -34,6 +34,8 @@ dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
+allow postgrey_t self:udp_socket { connect connected_socket_perms };
allow postgrey_t postgrey_etc_t:dir list_dir_perms;
allow postgrey_t postgrey_etc_t:file read_file_perms;
@@ -55,7 +57,8 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir
file sock_file })
kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t)
-corecmd_search_bin(postgrey_t)
+corecmd_read_bin_files(postgrey_t)
+corecmd_exec_bin(postgrey_t)
corenet_all_recvfrom_unlabeled(postgrey_t)
corenet_all_recvfrom_netlabel(postgrey_t)
diff --git a/policy/modules/contrib/procmail.fc
b/policy/modules/contrib/procmail.fc
index bdff6c93..dac08916 100644
--- a/policy/modules/contrib/procmail.fc
+++ b/policy/modules/contrib/procmail.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.procmailrc --
gen_context(system_u:object_r:procmail_home_t,s0)
+/usr/bin/maildrop --
gen_context(system_u:object_r:procmail_exec_t,s0)
/usr/bin/procmail --
gen_context(system_u:object_r:procmail_exec_t,s0)
/var/log/procmail\.log.* --
gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/policy/modules/contrib/procmail.te
b/policy/modules/contrib/procmail.te
index 8a842661..cdd23cc9 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.14.0)
+policy_module(procmail, 1.14.1)
########################################
#
@@ -96,6 +96,11 @@ optional_policy(`
')
optional_policy(`
+ courier_read_config(procmail_t)
+ courier_stream_connect_authdaemon(procmail_t)
+')
+
+optional_policy(`
cyrus_stream_connect(procmail_t)
')
diff --git a/policy/modules/contrib/spamassassin.fc
b/policy/modules/contrib/spamassassin.fc
index de27cda7..58dce766 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -23,6 +23,7 @@ HOME_DIR/\.spamd(/.*)?
gen_context(system_u:object_r:spamd_home_t,s0)
/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
/run/spamassassin(/.*)?
gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --git a/policy/modules/contrib/spamassassin.te
b/policy/modules/contrib/spamassassin.te
index 4a9153ce..2f770d2d 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.0)
+policy_module(spamassassin, 2.10.1)
########################################
#
@@ -46,6 +46,7 @@ type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t
sysadm_spamc_tmp_t };
