From 448282b8016377f24f4608428ea9c4a3fef73168 Mon Sep 17 00:00:00 2001 From: "Anthony G. Basile" Date: Sat, 16 Apr 2011 13:08:55 +0000 Subject: Updates to policies Package-Manager: portage-2.1.9.42/cvs/Linux x86_64 --- sec-policy/selinux-courier/ChangeLog | 12 ++- sec-policy/selinux-courier/Manifest | 16 +++- .../files/fix-services-courier-r2.patch | 84 +++++++++++++++++++ .../files/fix-services-courier-r3.patch | 95 ++++++++++++++++++++++ .../selinux-courier-2.20101213-r2.ebuild | 17 ++++ .../selinux-courier-2.20101213-r3.ebuild | 17 ++++ 6 files changed, 239 insertions(+), 2 deletions(-) create mode 100644 sec-policy/selinux-courier/files/fix-services-courier-r2.patch create mode 100644 sec-policy/selinux-courier/files/fix-services-courier-r3.patch create mode 100644 sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild create mode 100644 sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild (limited to 'sec-policy/selinux-courier') diff --git a/sec-policy/selinux-courier/ChangeLog b/sec-policy/selinux-courier/ChangeLog index 346a772ecae0..4e8e99da9159 100644 --- a/sec-policy/selinux-courier/ChangeLog +++ b/sec-policy/selinux-courier/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for sec-policy/selinux-courier # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-courier/ChangeLog,v 1.1 2011/03/07 02:32:30 blueness Exp $ +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-courier/ChangeLog,v 1.2 2011/04/16 13:08:55 blueness Exp $ + +*selinux-courier-2.20101213-r3 (16 Apr 2011) +*selinux-courier-2.20101213-r2 (16 Apr 2011) + + 16 Apr 2011; Anthony G. Basile + +files/fix-services-courier-r2.patch, + +selinux-courier-2.20101213-r2.ebuild, + +files/fix-services-courier-r3.patch, + +selinux-courier-2.20101213-r3.ebuild: + Updates to policies 07 Mar 2011; Anthony G. Basile +files/fix-services-courier-r1.patch, 
diff --git a/sec-policy/selinux-courier/Manifest b/sec-policy/selinux-courier/Manifest
index ae8fd950bfef..3ae27a25bae0 100644
--- a/sec-policy/selinux-courier/Manifest
+++ b/sec-policy/selinux-courier/Manifest
@@ -1,5 +1,19 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
 AUX fix-services-courier-r1.patch 2628 RMD160 87c22453d19e9fb068a20b8103b51605b6e2fb81 SHA1 8be3fcdfe8f3314583a94f074ced2e59908f831b SHA256 111546e079912c38d805820e8bb073e4b29f99114c8049f41433c74f18a9968d
+AUX fix-services-courier-r2.patch 4010 RMD160 d4f8344b4af792f76f08ce3db5673d3c57fc4757 SHA1 ec1f1a6cb3a9c22d5f753408f9f48ec44bdccfad SHA256 1bf3a6529c6ab5658a88469208075743f686681d4397ea70f9273c3b83c622e6
+AUX fix-services-courier-r3.patch 4266 RMD160 b5ca8bc30d8275fb24c66b9ff2905d8b35bcf09f SHA1 c7e3f7034f0d8c6808c93f26af50fe4e77cb2293 SHA256 052ddca696f40aa31f5c7fc8ade1a095efdf3a4f27eac51dc84b25a9a0740b86
 DIST refpolicy-2.20101213.tar.bz2 559450 RMD160 4858f792f4db5b179de6fb8419a626c29d59bdd3 SHA1 0e881e99b8950a358eadc44633551ca10f12eaee SHA256 b691ee8f6066cc19bb0d4384fe3be277d97d22e9d4ac2db0c252065e8c3535de
 EBUILD selinux-courier-2.20101213-r1.ebuild 560 RMD160 0f2a9d7dceb8c842b1b7b6b2f7468712656d9387 SHA1 af6a18a2c3a806f64439ba23165449e72e44283c SHA256 d3078edf83af9f43a167c2b9b5e3b6f4214cc87dd81df1cd3299f9724fb91188
-MISC ChangeLog 5521 RMD160 8274e1d5a3b66a156ae0e648c4fcf0877d1d63f5 SHA1 dfdff414e16d338672d5d9e79e5c1fc8be2584a6 SHA256 d5dc0dbb3e3157875a1bd78e62d8d6841fd30dbe05bc22207afe4f848c755424
+EBUILD selinux-courier-2.20101213-r2.ebuild 560 RMD160 32e0f23d6daaa0b49083bee712b0354e5b886a3a SHA1 e4fce45cc84c29838b6932da719a96a1d5a03445 SHA256 5771950903b076d8b1ada971ad17771f13edf864cb622c0602cccfcdf8f59960
+EBUILD selinux-courier-2.20101213-r3.ebuild 560 RMD160 66a2e4302453909fd2f8e5df409975f54690cecc SHA1 4f3aa2537f83a09276b6e68772e8be958adadf2f SHA256 57664464a28c764141986e7606a13dbef51ad5521455ddf89c664599654c3557
+MISC ChangeLog 5852 RMD160 948a88def8f80e8b2ebc7f441f79e6ef7bb6e281 SHA1 83334b353267373a2221614970da7717d4b68e2f SHA256 8ca764cb277697d36ea8aed63ae73b9170e8bd8de8e0d7db4f8f7c2a489e649f
 MISC metadata.xml 231 RMD160 2edd1a1bd6245c475242111369bb31d63a0d6776 SHA1 3ce7a2229304d133fab727eedbf0474f6841b02b SHA256 24e517a12858d48c4c1885b602b0dd991eb2beadd3fc693e6b00ad89a93f46b7
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.17 (GNU/Linux)
+
+iEYEAREIAAYFAk2plPMACgkQl5yvQNBFVTU44wCghWiaZPP4tUEF7oWYFlpwYWEr
+yNUAnRmj/rYRk6YQksaO2LfOZLOzT1vL
+=EkpN
+-----END PGP SIGNATURE-----
diff --git a/sec-policy/selinux-courier/files/fix-services-courier-r2.patch b/sec-policy/selinux-courier/files/fix-services-courier-r2.patch
new file mode 100644
index 000000000000..b43e90b005c1
--- /dev/null
+++ b/sec-policy/selinux-courier/files/fix-services-courier-r2.patch
@@ -0,0 +1,84 @@
+--- services/courier.te 2010-12-13 15:11:02.000000000 +0100
++++ services/courier.te 2011-03-13 15:02:29.525999999 +0100
+@@ -37,7 +37,7 @@
+ #
+ 
+ allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+-allow courier_authdaemon_t self:unix_stream_socket connectto;
++allow courier_authdaemon_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ 
+ can_exec(courier_authdaemon_t, courier_exec_t)
+ 
+@@ -52,7 +52,11 @@
+ allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+ 
++read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
++
++manage_dirs_pattern(courier_authdaemon_t, courier_var_run_t, courier_var_run_t)
+ manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
++manage_sock_files_pattern(courier_authdaemon_t, courier_var_run_t, courier_var_run_t)
+ files_search_spool(courier_authdaemon_t)
+ 
+ corecmd_search_bin(courier_authdaemon_t)
+@@ -95,8 +99,12 @@
+ # inherits file handle - should it?
+ allow courier_pop_t courier_var_lib_t:file { read write };
+ 
++search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
++read_lnk_files_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
++
+ miscfiles_read_localization(courier_pop_t)
+ 
++courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+ courier_domtrans_authdaemon(courier_pop_t)
+ 
+ # do the actual work (read the Maildir)
+@@ -133,6 +141,8 @@
+ miscfiles_read_localization(courier_tcpd_t)
+ 
+ courier_domtrans_pop(courier_tcpd_t)
++courier_authdaemon_stream_connect(courier_tcpd_t)
++courier_domtrans_authdaemon(courier_tcpd_t)
+ 
+ ########################################
+ #
+@@ -144,3 +154,7 @@
+ optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+ ')
++
++optional_policy(`
++ mysql_stream_connect(courier_authdaemon_t)
++')
+--- services/courier.fc 2010-08-03 15:11:05.000000000 +0200
++++ services/courier.fc 2011-03-13 14:55:55.737999999 +0100
+@@ -5,20 +5,24 @@
+ /usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+-
+-/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
++ifdef(`distro_gentoo',`
++/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
++')
++/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+ /usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+ /usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+ 
+-/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
++/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+ 
+-/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
++/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+ 
+ /var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+ /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
diff --git a/sec-policy/selinux-courier/files/fix-services-courier-r3.patch b/sec-policy/selinux-courier/files/fix-services-courier-r3.patch
new file mode 100644
index 000000000000..7d240d0300e2
--- /dev/null
+++ b/sec-policy/selinux-courier/files/fix-services-courier-r3.patch
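Review bot: In the courier.fc half of this patch `/usr/sbin/imaplogin` is labelled `courier_authdaemon_exec_t`, while the same program at `/usr/lib(64)?/courier/courier/imaplogin` keeps `courier_pop_exec_t`, so on a Gentoo layout the network-facing IMAP login handler would be entered via the new `courier_domtrans_authdaemon(courier_tcpd_t)` into courier_authdaemon_t — the domain that holds `setuid setgid sys_tty_config`, manages sockets under courier_var_run_t and, with the new optional block, may connect to the MySQL socket — instead of the narrower courier_pop_t used for every other login/POP binary. That may be deliberate to make the tcpd → imaplogin exec work, but the two paths should agree; unless the authdaemon domain is genuinely required I would change the line to `/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)` and add a comment above the Gentoo-specific entries stating which domain imaplogin is meant to run in. Separately, `manage_dirs_pattern(courier_authdaemon_t, courier_var_run_t, courier_var_run_t)` also grants write/rename/rmdir on the run directory; if authdaemon only needs to create it, `create_dirs_pattern` is the tighter grant. Finally, `search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)` names the kernel-layer type var_lib_t directly, which refpolicy convention normally expresses through an interface such as `files_search_var_lib(courier_pop_t)`.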
@@ -0,0 +1,95 @@
+--- services/courier.te 2010-12-13 15:11:02.000000000 +0100
++++ services/courier.te 2011-04-13 17:54:52.968000043 +0200
+@@ -37,7 +37,7 @@
+ #
+ 
+ allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+-allow courier_authdaemon_t self:unix_stream_socket connectto;
++allow courier_authdaemon_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ 
+ can_exec(courier_authdaemon_t, courier_exec_t)
+ 
+@@ -52,7 +52,11 @@
+ allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
+ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+ 
++read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
++
++create_dirs_pattern(courier_authdaemon_t, courier_var_run_t, courier_var_run_t)
+ manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
++manage_sock_files_pattern(courier_authdaemon_t, courier_var_run_t, courier_var_run_t)
+ files_search_spool(courier_authdaemon_t)
+ 
+ corecmd_search_bin(courier_authdaemon_t)
+@@ -73,6 +77,10 @@
+ 
+ courier_domtrans_pop(courier_authdaemon_t)
+ 
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit courier_authdaemon_t self:capability dac_read_search;
++)
++
+ ########################################
+ #
+ # Calendar (PCP) local policy
+@@ -95,8 +103,12 @@
+ # inherits file handle - should it?
+ allow courier_pop_t courier_var_lib_t:file { read write };
+ 
++search_dirs_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
++read_lnk_files_pattern(courier_pop_t, var_lib_t, courier_var_lib_t)
++
+ miscfiles_read_localization(courier_pop_t)
+ 
++courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+ courier_domtrans_authdaemon(courier_pop_t)
+ 
+ # do the actual work (read the Maildir)
+@@ -133,6 +145,8 @@
+ miscfiles_read_localization(courier_tcpd_t)
+ 
+ courier_domtrans_pop(courier_tcpd_t)
++courier_authdaemon_stream_connect(courier_tcpd_t)
++courier_domtrans_authdaemon(courier_tcpd_t)
+ 
+ ########################################
+ #
+@@ -144,3 +158,7 @@
+ optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+ ')
++
++optional_policy(`
++ mysql_stream_connect(courier_authdaemon_t)
++')
+--- services/courier.fc 2010-08-03 15:11:05.000000000 +0200
++++ services/courier.fc 2011-03-13 14:55:55.737999999 +0100
+@@ -5,20 +5,24 @@
+ /usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+-
+-/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
++ifdef(`distro_gentoo',`
++/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
++')
++/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+ /usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+ /usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+ 
+-/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
++/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+ 
+-/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
++/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+ 
+ /var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+ /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
diff --git a/sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild b/sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild
new file mode 100644
index 000000000000..da6513aa2bcd
--- /dev/null
+++ b/sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild
@@ -0,0 +1,17 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-courier/selinux-courier-2.20101213-r2.ebuild,v 1.1 2011/04/16 13:08:55 blueness Exp $
+
+MODS="courier"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for courier-imap"
+
+KEYWORDS="~amd64 ~x86"
+RDEPEND="!<=sec-policy/selinux-courier-imap-2.20101213
+ >=sys-apps/policycoreutils-1.30.30
+ >=sec-policy/selinux-base-policy-${PV}"
+
+POLICY_PATCH="${FILESDIR}/fix-services-courier-r2.patch"
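Review bot: The `tunable_policy(`gentoo_try_dontaudit',` block added in the `@@ -73,6 +77,10 @@` hunk closes with a bare `)`, whereas the two `optional_policy` blocks in the same patch close with `')`; as shown, the m4 quote opened by the backtick on the tunable_policy line is never closed, so the remainder of courier.te is liable to be swallowed into that argument or to fail the policy build. If the page reproduces the patch faithfully, that line should read `++')`. The tunable is not declared in this hunk, so it presumably comes from the Gentoo base policy; a one-line comment above the block naming where it is defined would save the next reader a search. The dontaudit only silences the `dac_read_search` denial rather than granting it, so a comment recording why authdaemon trips it would help decide later whether the rule is still needed. This patch also carries the same `/usr/sbin/imaplogin -- courier_authdaemon_exec_t` labelling as r2, which disagrees with the `courier_pop_exec_t` used for `/usr/lib(64)?/courier/courier/imaplogin` a line above it.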
diff --git a/sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild b/sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild
new file mode 100644
index 000000000000..f126025f1db5
--- /dev/null
+++ b/sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild
@@ -0,0 +1,17 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-courier/selinux-courier-2.20101213-r3.ebuild,v 1.1 2011/04/16 13:08:55 blueness Exp $
+
+MODS="courier"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for courier-imap"
+
+KEYWORDS="~amd64 ~x86"
+RDEPEND="!<=sec-policy/selinux-courier-imap-2.20101213
+ >=sys-apps/policycoreutils-1.30.30
+ >=sec-policy/selinux-base-policy-${PV}"
+
+POLICY_PATCH="${FILESDIR}/fix-services-courier-r3.patch"
-- 
cgit v1.2.3-65-gdbad