Description: Misc patches needed to make an MTA work
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2012-06-16

Index: refpolicy-2.20110726/policy/modules/services/courier.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/courier.te	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/services/courier.te	2012-06-21 17:28:41.717296140 +1000
@@ -64,6 +64,7 @@
 files_search_spool(courier_authdaemon_t)
 
 corecmd_search_bin(courier_authdaemon_t)
+corecmd_exec_shell(courier_authdaemon_t)
 
 # for SSP
 dev_read_urand(courier_authdaemon_t)
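Review bot: `corecmd_exec_shell(courier_authdaemon_t)` on line 13 is added with no comment saying which part of authdaemon needs a shell, while the rule just below it carries `# for SSP`. Executing a shell is one of the broadest grants a daemon domain can get, so the reason belongs next to it, e.g. `# authdaemond runs shell-script helpers -- TODO: name the script`. If the shell is only needed by a helper that authdaemon execs, a domain transition for that helper would keep shell execution out of courier_authdaemon_t itself.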
Index: refpolicy-2.20110726/policy/modules/services/dovecot.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/dovecot.te	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/services/dovecot.te	2012-06-21 17:28:41.717296140 +1000
@@ -58,7 +58,7 @@
 # dovecot local policy
 #
 
-allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot sys_resource };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
 allow dovecot_t self:fifo_file rw_fifo_file_perms;
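Review bot: `sys_resource` is appended to dovecot_t's capability set on line 26 without a comment, so a reader cannot tell whether it is needed to raise a resource limit past its hard value (dovecot_t already has `setrlimit` on line 28) or for something else. A one-line comment above the allow would document the grant, e.g. `# sys_resource: raise hard rlimits for login/service processes -- TODO confirm`.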
@@ -98,9 +98,11 @@
 manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 
 manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
+allow dovecot_t dovecot_var_run_t:fifo_file manage_file_perms;
 
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
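Review bot: The fifo rule on line 39 is a raw `allow` using the `manage_file_perms` set on a `fifo_file`, while every surrounding rule uses an object-class pattern; the consistent form is `manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)`, which also applies the fifo-specific permission set. Separately, the widened `files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })` on line 38 lists only dir and file, so if dovecot creates that fifo directly under /var/run it will get the generic pid type rather than dovecot_var_run_t; if that is the case, `fifo_file` needs to be in the class list too.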
@@ -221,6 +223,8 @@
 files_search_pids(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_usr_symlinks(dovecot_auth_t)
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
 files_read_var_lib_files(dovecot_auth_t)
 files_search_tmp(dovecot_auth_t)
 files_read_var_lib_files(dovecot_t)
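Review bot: The two dovecot_t rules added on lines 47–48 are placed inside the dovecot_auth_t block, away from the dovecot_t local policy changed earlier in this patch, which makes the per-domain grants harder to audit; they belong with the other `files_*(dovecot_t)` calls. The same applies to `mysql_read_config(dovecot_t)` in the next hunk, which is added inside dovecot_auth_t's mysql optional_policy block. Also, refpolicy's `files_read_usr_files` normally already grants list_dir_perms on usr_t, so `files_list_usr(dovecot_t)` is likely redundant; worth checking against files.if in this tree before keeping both.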
@@ -245,6 +249,7 @@
 	mysql_stream_connect(dovecot_auth_t)
 	mysql_tcp_connect(dovecot_auth_t)
 	mysql_read_config(dovecot_auth_t)
+	mysql_read_config(dovecot_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20110726/policy/modules/kernel/files.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/files.fc	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/files.fc	2012-06-21 17:28:41.721296133 +1000
@@ -261,5 +261,5 @@
 /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
 
 ifdef(`distro_debian',`
-/var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/motd.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
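Review bot: `/var/run/motd.*` on line 69 is broader than a single dynamic-motd file: in file_contexts `.` matches any character including `/`, so the regex also labels regular files under any `/var/run/motd*/` subtree and any `/var/run/motdXYZ` as initrc_var_run_t. `/var/run/motd[^/]*` keeps the match to one directory entry, which is the usual refpolicy idiom for "this file plus its suffixed variants".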
Index: refpolicy-2.20110726/policy/modules/services/postfix.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/postfix.fc	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/services/postfix.fc	2012-06-21 17:28:41.721296133 +1000
@@ -10,6 +10,7 @@
 /usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
 /usr/libexec/postfix/showq --	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
 /usr/libexec/postfix/smtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/lmtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/libexec/postfix/scache --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -22,6 +23,7 @@
 /usr/lib(64)?/postfix/master	-- gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/lib(64)?/postfix/pickup	-- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
 /usr/lib(64)?/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib(64)?/postfix/showq --	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
 /usr/lib(64)?/postfix/smtp	-- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/lib(64)?/postfix/lmtp	-- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/lib(64)?/postfix/scache	-- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
Index: refpolicy-2.20110726/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/postfix.te	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/services/postfix.te	2012-06-21 17:28:41.721296133 +1000
@@ -503,6 +503,11 @@
 # wants to write to /var/spool/postfix/public/showq
 stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
 
+allow postfix_postqueue_t self:capability { setuid setgid };
+allow postfix_postqueue_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_postqueue_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_postqueue_t postfix_spool_t:file read_file_perms;
+
 # write to /var/spool/postfix/public/qmgr
 write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
 
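Review bot: The capability grant on line 99 gives `postfix_postqueue_t` `setuid setgid` with no comment, and elsewhere in this patch that domain becomes reachable from ordinary user roles, so the reason should be recorded, e.g. `# postqueue is setgid; drops back to the caller's ids -- TODO confirm`; if the denials come only from a privilege check that does not make anything fail, a `dontaudit` would be the narrower choice. Lines 100–102 are raw allows where the neighbouring rules use patterns: `list_dirs_pattern(postfix_postqueue_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` and `read_files_pattern(postfix_postqueue_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` would be consistent and also grant the dir search that reading those files needs. `postfix_spool_t:file read_file_perms` on line 102 has no matching dir access in this hunk; confirm it is granted earlier in the file.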
Index: refpolicy-2.20110726/policy/modules/services/courier.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/courier.if	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/services/courier.if	2012-06-21 17:28:41.721296133 +1000
@@ -120,6 +120,7 @@
 	')
 	allow $1 courier_authdaemon_t:unix_stream_socket connectto;
 	allow $1 courier_etc_t:dir search;
+	allow $1 courier_var_run_t:dir { getattr search };
 	allow $1 courier_var_run_t:sock_file write;
 ')
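Review bot: The `getattr search` on courier_var_run_t:dir added on line 115, together with the existing `sock_file write` and `unix_stream_socket connectto` lines, is what `stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)` expands to; using the pattern would replace the three raw allows and keep the interface in refpolicy style. If a raw allow is kept, `search_dir_perms` is the named set for this rather than a hand-written permission list. The enclosing interface starts before this hunk.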
 
Index: refpolicy-2.20110726/policy/modules/services/postfix.if
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/postfix.if	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/services/postfix.if	2012-06-21 17:31:46.064986229 +1000
@@ -142,6 +142,31 @@
 
 ########################################
 ## <summary>
+##	Allows a user role to contain domains for Postfix utilities
+##	that are ran by users.
+## </summary>
+## <param name="role">
+##	<summary>
+##	User role that can run Postfix commands
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain that can run Postfix commands
+##	</summary>
+## </param>
+#
+interface(`postfix_user_role',`
+	gen_require(`
+		type postfix_postqueue_t;
+	')
+
+	role $1 types postfix_postqueue_t;
+	allow postfix_postqueue_t $2:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Creates a process domain for programs
 ##	that are ran by users.
 ## </summary>
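Review bot: `postfix_user_role` (lines 141–148) only places postfix_postqueue_t in the role and allows sigchld back to the user domain; nothing in the interface lets $2 enter postfix_postqueue_t, so unless the domain transition is granted elsewhere the role gains a domain it cannot reach. Refpolicy `*_role` interfaces normally also call the domtrans interface and give the user domain ps/signal access to the child domain, e.g. `postfix_domtrans_postqueue($2)` and `ps_process_pattern($2, postfix_postqueue_t)`, if those exist in this tree. The summary on lines 127–128 should read `run by users` rather than `ran by users` (the phrase is copied from the existing interface below).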
@@ -190,6 +215,24 @@
 ')
 
 ########################################
+## <summary>
+##	Access postfix master fifos
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_rw_master_fifo',`
+	gen_require(`
+		type postfix_master_t;
+	')
+	allow $1 postfix_master_t:fifo_file rw_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Create files with the specified type in
 ##	the postfix configuration directories.
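Review bot: `postfix_rw_master_fifo` applies `rw_file_perms`, the regular-file set, to a `fifo_file` object on line 173; refpolicy has the class-specific set `rw_fifo_file_perms` (this patch itself relies on it in dovecot.te), so the line should read `allow $1 postfix_master_t:fifo_file rw_fifo_file_perms;`. The `<rolecap/>` tag marks the interface as a capability grantable to user roles, but the only caller in this patch is lda_t, so the tag looks out of place and should be dropped unless user roles are meant to get it. The summary could also say which fifos these are (pipes created by the master daemon, presumably) so callers know what they are granting.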
Index: refpolicy-2.20110726/policy/modules/services/lda.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/services/lda.te	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/services/lda.te	2012-06-21 17:28:41.725296132 +1000
@@ -138,6 +138,7 @@
 	postfix_read_spool_files(lda_t)
 	postfix_read_local_state(lda_t)
 	postfix_read_master_state(lda_t)
+	postfix_rw_master_fifo(lda_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20110726/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/mount.te	2012-06-21 17:28:41.633296281 +1000
+++ refpolicy-2.20110726/policy/modules/system/mount.te	2012-06-21 17:28:41.725296132 +1000
@@ -79,7 +79,7 @@
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 # Early devtmpfs, before udev relabel
-dev_dontaudit_rw_generic_chr_files(mount_t)
+dev_rw_generic_chr_files(mount_t)
 
 domain_use_interactive_fds(mount_t)
 
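Review bot: Line 201 turns `dev_dontaudit_rw_generic_chr_files(mount_t)` into a real grant, so mount_t may now read and write every character device node that still carries the generic device type, not just early devtmpfs nodes; the comment above it was written for the dontaudit and no longer explains the rule. Either record why the access is needed, e.g. `# Early devtmpfs, before udev relabel: mount must open still-unlabelled nodes`, or, if only a specific node is opened, grant that node's type instead of the generic device class.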
@@ -116,6 +116,7 @@
 mls_file_write_all_levels(mount_t)
 
 selinux_get_enforce_mode(mount_t)
+selinux_getattr_fs(mount_t)
 
 storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
Index: refpolicy-2.20110726/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/kernel/corecommands.fc	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/kernel/corecommands.fc	2012-06-21 17:28:41.725296132 +1000
@@ -138,6 +138,9 @@
 /lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 /lib64/udev/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
 
+ifdef(`distro_debian',`
+/lib/bridge-utils/.*		--	gen_context(system_u:object_r:bin_t,s0)
+')
 ifdef(`distro_gentoo',`
 /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
 /lib64/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
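Review bot: The new Debian entry on line 222 uses `/lib/bridge-utils/.*`, while the neighbouring single-directory entry on line 219 is written with `[^/]*`; `.*` also labels regular files in any subdirectory as bin_t, which may be intended but differs from the adjacent style. A blank line between the closing `')` on line 223 and the following `ifdef(`distro_gentoo'` block would match the spacing used around the other blocks in this section.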
Index: refpolicy-2.20110726/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/udev.te	2012-06-21 17:28:41.629296288 +1000
+++ refpolicy-2.20110726/policy/modules/system/udev.te	2012-06-21 17:28:41.725296132 +1000
@@ -40,6 +40,7 @@
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
 dontaudit udev_t self:capability sys_tty_config;
+kernel_load_module(udev_t)
 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
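Review bot: `kernel_load_module(udev_t)` on line 235 is an interface call dropped between two `allow udev_t self:...` lines; it belongs with the other `kernel_*` calls so the self-permission block stays readable. It also gives udev_t the module-loading capability directly, whereas refpolicy's udev policy normally reaches module loading by transitioning to the insmod domain (`modutils_domtrans_insmod`); if that transition is present in this file, the direct grant widens udev_t beyond what the transition already covers, so a comment naming the in-process module load that triggers the denial should accompany it.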
Index: refpolicy-2.20110726/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/roles/staff.te	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/roles/staff.te	2012-06-21 17:30:57.893067372 +1000
@@ -128,6 +128,10 @@
 	')
 
 	optional_policy(`
+		postfix_user_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		pyzor_role(staff_r, staff_t)
 	')
 
Index: refpolicy-2.20110726/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/roles/sysadm.te	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/roles/sysadm.te	2012-06-21 17:31:08.069050158 +1000
@@ -221,6 +221,10 @@
 ')
 
 optional_policy(`
+	postfix_user_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	munin_stream_connect(sysadm_t)
 ')
 
Index: refpolicy-2.20110726/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/roles/unprivuser.te	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/roles/unprivuser.te	2012-06-21 17:31:14.873038777 +1000
@@ -106,6 +106,10 @@
 	')
 
 	optional_policy(`
+		postfix_user_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		postgresql_role(user_r, user_t)
 	')
 
Index: refpolicy-2.20110726/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.te	2012-06-21 17:24:41.233203653 +1000
+++ refpolicy-2.20110726/policy/modules/system/unconfined.te	2012-06-21 17:31:22.409025879 +1000
@@ -157,6 +157,10 @@
 ')
 
 optional_policy(`
+	postfix_user_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
 	oddjob_domtrans_mkhomedir(unconfined_t)
 ')
 
