From 1507cc2a79e7331d270b4fc531c03bd1f115f2bf Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Sep 24 2010 10:27:59 +0000
Subject: Internal interaction goes before external interface calls.
---
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 019f357..1befa13 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -252,11 +252,6 @@ allow spamc_t self:unix_dgram_socket sendto;
 allow spamc_t self:unix_stream_socket connectto;
 allow spamc_t self:tcp_socket create_stream_socket_perms;
 allow spamc_t self:udp_socket create_socket_perms;
-corenet_all_recvfrom_unlabeled(spamc_t)
-corenet_all_recvfrom_netlabel(spamc_t)
-corenet_tcp_sendrecv_generic_if(spamc_t)
-corenet_tcp_sendrecv_generic_node(spamc_t)
-corenet_tcp_connect_spamd_port(spamc_t)
 can_exec(spamc_t, spamc_exec_t)
@@ -272,6 +267,9 @@ manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
 userdom_append_user_home_content_files(spamc_t)
+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
 # Allow connecting to a local spamd
 allow spamc_t spamd_t:unix_stream_socket connectto;
 allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
@@ -290,6 +288,11 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
 corenet_udp_sendrecv_all_ports(spamc_t)
 corenet_tcp_connect_all_ports(spamc_t)
 corenet_sendrecv_all_client_packets(spamc_t)
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_tcp_connect_spamd_port(spamc_t)
 fs_search_auto_mountpoints(spamc_t)
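Review bot: The two `spamd_var_lib_t` rules added in the `-272,6 +267,9` hunk previously sat under the `# cjp: this may be removable:` comment (see the last hunk), and in their new position nothing records why the client domain needs to list and read the daemon's var_lib content or that the access was once questioned. Whether that comment was meant to cover them is not clear from the visible lines; if it was, carry it along, otherwise add a rationale above `list_dirs_pattern(...)`, for example `# spamc reads spamd state labelled spamd_var_lib_t; review whether still needed`. The rule that follows already carries `# Allow connecting to a local spamd`, so an annotated grant here would match the surrounding style.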
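Review bot: In the `-290,6 +288,11` hunk, `corenet_tcp_connect_spamd_port(spamc_t)` now follows `corenet_tcp_connect_all_ports(spamc_t)` in the same block, and the all-ports grant appears to subsume it, so the spamd-specific line records intent but restricts nothing. For least privilege the narrower rule is the one worth keeping; if the all-ports access has to stay, say so next to it, e.g. `# all_ports is broader than spamd needs; spamd_port kept to record the intended target`. As a style point, the moved `recvfrom_unlabeled`/`recvfrom_netlabel` and `generic_if`/`generic_node` calls are appended after the per-port calls, where they would read more naturally ahead of them. The start of this corenet block lies outside the hunk, so the full ordering could not be checked.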
@@ -309,8 +312,6 @@ files_dontaudit_search_var(spamc_t)
 # cjp: this may be removable:
 files_list_home(spamc_t)
 files_list_var_lib(spamc_t)
-list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 fs_search_auto_mountpoints(spamc_t)