authorAnthony G. Basile <blueness@gentoo.org>2011-04-16 13:08:55 +0000
committerAnthony G. Basile <blueness@gentoo.org>2011-04-16 13:08:55 +0000
commit448282b8016377f24f4608428ea9c4a3fef73168 (patch)
tree5b22c67d9910098c0feb1011823f87c0f3c3297b /sec-policy/selinux-courier
parentAdded new patchbundles for rev bumps to base policy 2.20101213 (diff)
Updates to policies
Package-Manager: portage-2.1.9.42/cvs/Linux x86_64
Diffstat (limited to 'sec-policy/selinux-courier')
-rw-r--r--sec-policy/selinux-courier/ChangeLog12
-rw-r--r--sec-policy/selinux-courier/Manifest16
-rw-r--r--sec-policy/selinux-courier/files/fix-services-courier-r2.patch84
-rw-r--r--sec-policy/selinux-courier/files/fix-services-courier-r3.patch95
-rw-r--r--sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild17
-rw-r--r--sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild17
6 files changed, 239 insertions, 2 deletions
diff --git a/sec-policy/selinux-courier/ChangeLog b/sec-policy/selinux-courier/ChangeLog
index 346a772ecae0..4e8e99da9159 100644
--- a/sec-policy/selinux-courier/ChangeLog
+++ b/sec-policy/selinux-courier/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sec-policy/selinux-courier
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-courier/ChangeLog,v 1.1 2011/03/07 02:32:30 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-courier/ChangeLog,v 1.2 2011/04/16 13:08:55 blueness Exp $
+
+*selinux-courier-2.20101213-r3 (16 Apr 2011)
+*selinux-courier-2.20101213-r2 (16 Apr 2011)
+
+ 16 Apr 2011; Anthony G. Basile <blueness@gentoo.org>
+ +files/fix-services-courier-r2.patch,
+ +selinux-courier-2.20101213-r2.ebuild,
+ +files/fix-services-courier-r3.patch,
+ +selinux-courier-2.20101213-r3.ebuild:
+ Updates to policies
07 Mar 2011; Anthony G. Basile <blueness@gentoo.org>
+files/fix-services-courier-r1.patch,
diff --git a/sec-policy/selinux-courier/Manifest b/sec-policy/selinux-courier/Manifest
index ae8fd950bfef..3ae27a25bae0 100644
--- a/sec-policy/selinux-courier/Manifest
+++ b/sec-policy/selinux-courier/Manifest
@@ -1,5 +1,19 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
AUX fix-services-courier-r1.patch 2628 RMD160 87c22453d19e9fb068a20b8103b51605b6e2fb81 SHA1 8be3fcdfe8f3314583a94f074ced2e59908f831b SHA256 111546e079912c38d805820e8bb073e4b29f99114c8049f41433c74f18a9968d
+AUX fix-services-courier-r2.patch 4010 RMD160 d4f8344b4af792f76f08ce3db5673d3c57fc4757 SHA1 ec1f1a6cb3a9c22d5f753408f9f48ec44bdccfad SHA256 1bf3a6529c6ab5658a88469208075743f686681d4397ea70f9273c3b83c622e6
+AUX fix-services-courier-r3.patch 4266 RMD160 b5ca8bc30d8275fb24c66b9ff2905d8b35bcf09f SHA1 c7e3f7034f0d8c6808c93f26af50fe4e77cb2293 SHA256 052ddca696f40aa31f5c7fc8ade1a095efdf3a4f27eac51dc84b25a9a0740b86
DIST refpolicy-2.20101213.tar.bz2 559450 RMD160 4858f792f4db5b179de6fb8419a626c29d59bdd3 SHA1 0e881e99b8950a358eadc44633551ca10f12eaee SHA256 b691ee8f6066cc19bb0d4384fe3be277d97d22e9d4ac2db0c252065e8c3535de
EBUILD selinux-courier-2.20101213-r1.ebuild 560 RMD160 0f2a9d7dceb8c842b1b7b6b2f7468712656d9387 SHA1 af6a18a2c3a806f64439ba23165449e72e44283c SHA256 d3078edf83af9f43a167c2b9b5e3b6f4214cc87dd81df1cd3299f9724fb91188
-MISC ChangeLog 5521 RMD160 8274e1d5a3b66a156ae0e648c4fcf0877d1d63f5 SHA1 dfdff414e16d338672d5d9e79e5c1fc8be2584a6 SHA256 d5dc0dbb3e3157875a1bd78e62d8d6841fd30dbe05bc22207afe4f848c755424
+EBUILD selinux-courier-2.20101213-r2.ebuild 560 RMD160 32e0f23d6daaa0b49083bee712b0354e5b886a3a SHA1 e4fce45cc84c29838b6932da719a96a1d5a03445 SHA256 5771950903b076d8b1ada971ad17771f13edf864cb622c0602cccfcdf8f59960
+EBUILD selinux-courier-2.20101213-r3.ebuild 560 RMD160 66a2e4302453909fd2f8e5df409975f54690cecc SHA1 4f3aa2537f83a09276b6e68772e8be958adadf2f SHA256 57664464a28c764141986e7606a13dbef51ad5521455ddf89c664599654c3557
+MISC ChangeLog 5852 RMD160 948a88def8f80e8b2ebc7f441f79e6ef7bb6e281 SHA1 83334b353267373a2221614970da7717d4b68e2f SHA256 8ca764cb277697d36ea8aed63ae73b9170e8bd8de8e0d7db4f8f7c2a489e649f
MISC metadata.xml 231 RMD160 2edd1a1bd6245c475242111369bb31d63a0d6776 SHA1 3ce7a2229304d133fab727eedbf0474f6841b02b SHA256 24e517a12858d48c4c1885b602b0dd991eb2beadd3fc693e6b00ad89a93f46b7
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.17 (GNU/Linux)
+
+iEYEAREIAAYFAk2plPMACgkQl5yvQNBFVTU44wCghWiaZPP4tUEF7oWYFlpwYWEr
+yNUAnRmj/rYRk6YQksaO2LfOZLOzT1vL
+=EkpN
+-----END PGP SIGNATURE-----
diff --git a/sec-policy/selinux-courier/files/fix-services-courier-r2.patch b/sec-policy/selinux-courier/files/fix-services-courier-r2.patch
new file mode 100644
index 000000000000..b43e90b005c1
--- /dev/null
+++ b/sec-policy/selinux-courier/files/fix-services-courier-r2.patch
@@ -0,0 +1,84 @@
+--- services/courier.te 2010-12-13 15:11:02.000000000 +0100
++++ services/courier.te 2011-03-13 15:02:29.525999999 +0100
+@@ -37,7 +37,7 @@
+ #
+
+ allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+-allow courier_authdaemon_t self:unix_stream_socket connectto;
++allow courier_authdaemon_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+ can_exec(courier_authdaemon_t, courier_exec_t)
+
+@@ -52,7 +52,11 @@
+ allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+
++read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
++
++manage_dirs_pattern(courier_authdaemon_t, courier_var_run_t, courier_var_run_t)
+ manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
++manage_sock_files_pattern(courier_authdaemon_t, courier_var_run_t, courier_var_run_t)
+ files_search_spool(courier_authdaemon_t)
+
+ corecmd_search_bin(courier_authdaemon_t)
+@@ -95,8 +99,12 @@
+ # inherits file handle - should it?
+ allow courier_pop_t courier_var_lib_t:file { read write };
+
++search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
++read_lnk_files_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
++
+ miscfiles_read_localization(courier_pop_t)
+
++courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+ courier_domtrans_authdaemon(courier_pop_t)
+
+ # do the actual work (read the Maildir)
+@@ -133,6 +141,8 @@
+ miscfiles_read_localization(courier_tcpd_t)
+
+ courier_domtrans_pop(courier_tcpd_t)
++courier_authdaemon_stream_connect(courier_tcpd_t)
++courier_domtrans_authdaemon(courier_tcpd_t)
+
+ ########################################
+ #
+@@ -144,3 +154,7 @@
+ optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+ ')
++
++optional_policy(`
++ mysql_stream_connect(courier_authdaemon_t)
++')
+--- services/courier.fc 2010-08-03 15:11:05.000000000 +0200
++++ services/courier.fc 2011-03-13 14:55:55.737999999 +0100
+@@ -5,20 +5,24 @@
+ /usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+-
+-/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
++ifdef(`distro_gentoo',`
++/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
++')
++/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+ /usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+ /usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+
+-/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
++/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+
+-/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
++/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+
+ /var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+ /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
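Review bot: In the courier.fc part, the added `/usr/sbin/imaplogin` entry is labelled `courier_authdaemon_exec_t`, while the existing `/usr/lib(64)?/courier/courier/imaplogin` entry directly above it keeps `courier_pop_exec_t`. If the matching domain transition applies, the login binary would run in `courier_authdaemon_t`, which holds `setuid`/`setgid` capability and gains `mysql_stream_connect` in this same patch, rather than in the narrower pop domain. If the difference is not deliberate, the line should read `/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)`; if it is deliberate, a comment above the entry should say why the Gentoo path needs the authdaemon type. The same entry is repeated in fix-services-courier-r3.patch.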
diff --git a/sec-policy/selinux-courier/files/fix-services-courier-r3.patch b/sec-policy/selinux-courier/files/fix-services-courier-r3.patch
new file mode 100644
index 000000000000..7d240d0300e2
--- /dev/null
+++ b/sec-policy/selinux-courier/files/fix-services-courier-r3.patch
@@ -0,0 +1,95 @@
+--- services/courier.te 2010-12-13 15:11:02.000000000 +0100
++++ services/courier.te 2011-04-13 17:54:52.968000043 +0200
+@@ -37,7 +37,7 @@
+ #
+
+ allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+-allow courier_authdaemon_t self:unix_stream_socket connectto;
++allow courier_authdaemon_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+ can_exec(courier_authdaemon_t, courier_exec_t)
+
+@@ -52,7 +52,11 @@
+ allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+
++read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
++
++create_dirs_pattern(courier_authdaemon_t, courier_var_run_t, courier_var_run_t)
+ manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
++manage_sock_files_pattern(courier_authdaemon_t, courier_var_run_t, courier_var_run_t)
+ files_search_spool(courier_authdaemon_t)
+
+ corecmd_search_bin(courier_authdaemon_t)
+@@ -73,6 +77,10 @@
+
+ courier_domtrans_pop(courier_authdaemon_t)
+
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit courier_authdaemon_t self:capability dac_read_search;
++)
++
+ ########################################
+ #
+ # Calendar (PCP) local policy
+@@ -95,8 +103,12 @@
+ # inherits file handle - should it?
+ allow courier_pop_t courier_var_lib_t:file { read write };
+
++search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
++read_lnk_files_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
++
+ miscfiles_read_localization(courier_pop_t)
+
++courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+ courier_domtrans_authdaemon(courier_pop_t)
+
+ # do the actual work (read the Maildir)
+@@ -133,6 +145,8 @@
+ miscfiles_read_localization(courier_tcpd_t)
+
+ courier_domtrans_pop(courier_tcpd_t)
++courier_authdaemon_stream_connect(courier_tcpd_t)
++courier_domtrans_authdaemon(courier_tcpd_t)
+
+ ########################################
+ #
+@@ -144,3 +158,7 @@
+ optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+ ')
++
++optional_policy(`
++ mysql_stream_connect(courier_authdaemon_t)
++')
+--- services/courier.fc 2010-08-03 15:11:05.000000000 +0200
++++ services/courier.fc 2011-03-13 14:55:55.737999999 +0100
+@@ -5,20 +5,24 @@
+ /usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+-
+-/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
++ifdef(`distro_gentoo',`
++/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
++')
++/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+ /usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+ /usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+
+-/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
++/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+
+-/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
++/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+
+ /var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+ /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
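Review bot: The `tunable_policy` block added to courier.te in this patch closes with a bare `)`, so the m4 quote opened by the backtick after `gentoo_try_dontaudit',` is never terminated; both `optional_policy` blocks in the same patch close with `')`. The closing line should be `')`, otherwise the rest of courier.te is likely swallowed into the quoted argument and the module will probably fail to build. The `gentoo_try_dontaudit` tunable is not declared in the visible lines, so it is presumably provided by the base policy; confirm that the version required by the ebuild's RDEPEND defines it. Because the rule hides `dac_read_search` denials from the audit log, a short comment such as `# authdaemon probes files it cannot read; denial is harmless` (wording to be confirmed by the author) would help later reviewers.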
diff --git a/sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild b/sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild
new file mode 100644
index 000000000000..da6513aa2bcd
--- /dev/null
+++ b/sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild
@@ -0,0 +1,17 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild,v 1.1 2011/04/16 13:08:55 blueness Exp $
+
+MODS="courier"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for courier-imap"
+
+KEYWORDS="~amd64 ~x86"
+RDEPEND="!<=sec-policy/selinux-courier-imap-2.20101213
+ >=sys-apps/policycoreutils-1.30.30
+ >=sec-policy/selinux-base-policy-${PV}"
+
+POLICY_PATCH="${FILESDIR}/fix-services-courier-r2.patch"
diff --git a/sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild b/sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild
new file mode 100644
index 000000000000..f126025f1db5
--- /dev/null
+++ b/sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild
@@ -0,0 +1,17 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild,v 1.1 2011/04/16 13:08:55 blueness Exp $
+
+MODS="courier"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for courier-imap"
+
+KEYWORDS="~amd64 ~x86"
+RDEPEND="!<=sec-policy/selinux-courier-imap-2.20101213
+ >=sys-apps/policycoreutils-1.30.30
+ >=sec-policy/selinux-base-policy-${PV}"
+
+POLICY_PATCH="${FILESDIR}/fix-services-courier-r3.patch"