From 59bedc1886cc73520a8df62a7c9ccd21f457a998 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mar 07 2007 21:33:22 +0000
Subject: procmail uses /tmp files
Wants to send signull to itself
Can exec ls
Read spamassinn_lib_dirs
New directory for spamassin /var/lib/
pyzor uses tmp files
---
diff --git a/Changelog b/Changelog
index c04f3bb..b9f3917 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
 - Patch for setroubleshoot for validating file contexts from Dan Walsh.
 - Patch for gssd fixes from Dan Walsh.
 - Patch for lvm fixes from Dan Walsh.
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 870f6cf..77d5437 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.4.0)
+policy_module(procmail,1.4.1)
 
 ########################################
 #
@@ -12,19 +12,25 @@ domain_type(procmail_t)
 domain_entry_file(procmail_t,procmail_exec_t)
 role system_r types procmail_t;
 
+type procmail_tmp_t;
+files_tmp_file(procmail_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
 allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-allow procmail_t self:process { setsched signal };
+allow procmail_t self:process { setsched signal signull };
 allow procmail_t self:fifo_file rw_fifo_file_perms;
 allow procmail_t self:unix_stream_socket create_socket_perms;
 allow procmail_t self:unix_dgram_socket create_socket_perms;
 allow procmail_t self:tcp_socket create_stream_socket_perms;
 allow procmail_t self:udp_socket create_socket_perms;
 
+allow procmail_t procmail_tmp_t:file manage_file_perms;
+files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+
 kernel_read_system_state(procmail_t)
 kernel_read_kernel_sysctls(procmail_t)
 
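Review bot: The new tmp rule `allow procmail_t procmail_tmp_t:file manage_file_perms;` is written as a raw allow, while the pyzor.te and spamassassin.te hunks in this same patch express the equivalent grant through the `manage_files_pattern` wrapper; `manage_files_pattern(procmail_t,procmail_tmp_t,procmail_tmp_t)` would keep the three modules consistent and reads the same way as the `files_tmp_filetrans(...)` call that follows it. Note that the wrapper also grants `rw_dir_perms` on procmail_tmp_t directories, which is moot as long as the transition covers only `file`, so the change is stylistic rather than a widening. The added `signull` is scoped to `self:process`, so it only reaches processes already in the procmail_t domain.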
@@ -50,6 +56,7 @@ auth_use_nsswitch(procmail_t)
 corecmd_exec_bin(procmail_t)
 corecmd_exec_shell(procmail_t)
 corecmd_dontaudit_search_sbin(procmail_t)
+corecmd_exec_ls(procmail_t)
 
 files_read_etc_files(procmail_t)
 files_read_etc_runtime_files(procmail_t)
@@ -115,8 +122,7 @@ optional_policy(`
 optional_policy(`
  corenet_udp_bind_generic_port(procmail_t)
 
- files_getattr_tmp_dirs(procmail_t)
- spamassassin_exec(procmail_t)
  spamassassin_exec_client(procmail_t)
+ spamassassin_read_lib_files(procmail_t)
 ')
 
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index 0b98efe..5ee2ba4 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -64,6 +64,10 @@ interface(`pyzor_exec',`
 ##
 #
 template(`pyzor_per_role_template',`
+ gen_require(`
+ type pyzord_t;
+ ')
+
  type $1_pyzor_home_t;
  userdom_user_home_content($1,$1_pyzor_home_t)
 
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index f89dd6f..bbf655d 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
-policy_module(pyzor,1.1.1)
+policy_module(pyzor,1.1.2)
 
 ########################################
 #
@@ -23,6 +23,9 @@ files_type(pyzor_etc_t)
 type pyzord_log_t;
 logging_log_file(pyzord_log_t)
 
+type pyzor_tmp_t;
+files_tmp_file(pyzor_tmp_t)
+
 type pyzor_var_lib_t;
 files_type(pyzor_var_lib_t)
 
@@ -37,6 +40,10 @@ allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
 read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
 files_search_var_lib(pyzor_t)
 
+manage_files_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
+manage_dirs_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
+files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
+
 kernel_read_kernel_sysctls(pyzor_t)
 kernel_read_system_state(pyzor_t)
 
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 3da7107..471cf9f 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
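Review bot: The removal of `spamassassin_exec(procmail_t)` in the optional_policy block is not mentioned in the commit message or the Changelog entry, which only describe the new lib-file read access; if procmail still executes the program that interface covers, that path is now denied, so either the rule should stay or the message should state that the removal is intended. The drop of `files_getattr_tmp_dirs(procmail_t)` does look covered by the `files_tmp_filetrans` added earlier in procmail.te, since that call already gives the domain access to the tmp directory. The optional_policy block opens and closes inside this hunk, so the change is self-contained.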
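Review bot: The new `gen_require` block pulls in `pyzord_t`, but nothing visible in this hunk references that type; the template continues past the hunk, so if the use is further down this is fine, otherwise the require block is dead and should be dropped. A short comment above it would save the next reader the search, e.g. `# pyzord_t is referenced by the per-role rules below` (adjust to wherever it is actually used).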
@@ -6,6 +6,8 @@
 /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
 
+/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
 /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
 
 ifdef(`strict_policy',`
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 6723760..304224e 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -462,6 +462,45 @@ template(`spamassassin_domtrans_user_local_client',`
 
 ########################################
 ##
+## read spamd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`spamassassin_read_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## spamd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`spamassassin_manage_lib_files',`
+ gen_require(`
+ type spamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+')
+
+########################################
+##
 ## Read temporary spamd file.
 ##
 ##
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index b1643ce..7d0717e 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.5.1)
+policy_module(spamassassin,1.5.2)
 
 ########################################
 #
@@ -20,6 +20,10 @@ files_type(spamd_spool_t)
 type spamd_tmp_t;
 files_tmp_file(spamd_tmp_t)
 
+# var/lib files
+type spamd_var_lib_t;
+files_type(spamd_var_lib_t)
+
 type spamd_var_run_t;
 files_pid_file(spamd_var_run_t)
 
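Review bot: `spamassassin_read_lib_files` grants only `search` on `spamd_var_lib_t` through `read_files_pattern`, whereas spamd_t itself is given an explicit `list_dir_perms` on the same type in spamassassin.te; if a caller has to enumerate /var/lib/spamassassin (the commit message speaks of lib dirs), the interface also needs `allow $1 spamd_var_lib_t:dir list_dir_perms;`. `spamassassin_manage_lib_files` has no caller anywhere in this patch, so it is added on speculation; acceptable for an interface file, but a line in the commit message saying who it is for would help reviewers judge the write access it hands out. The summary `read spamd lib files.` should be capitalised like the neighbouring `Read temporary spamd file.`, and the `<summary>`/`<param>` XML tags the refpolicy doc tooling expects are not visible in this rendering — presumably stripped by the page, but worth confirming in the committed file.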
@@ -61,6 +65,10 @@ manage_dirs_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
 manage_files_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
 files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
 
+# var/lib files for spamd
+allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
+
 manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
 files_pid_filetrans(spamd_t,spamd_var_run_t,file)