From 0037b6084b18634bfc68930c8c247d87bd2ffb91 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 21 Mar 2011 10:22:10 -0400
Subject: [PATCH] Amavis patch for connecting to nslcd from Miroslav Grepl.

* needs to talk to nslcd
* needs sigkill
* executes shell
---
 Changelog | 1 +
 policy/modules/services/amavis.if | 2 +-
 policy/modules/services/amavis.te | 13 +++++++++----
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/Changelog b/Changelog
index 40825f1db..573e348ba 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Amavis patch for connecting to nslcd from Miroslav Grepl.
 - Shorewall patch from Miroslav Grepl.
 - Cpufreqselector dbus patch from Guido Trentalancia.
 - Cron pam_namespace and pam_loginuid support from Harry Ciao.
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index ceb214243..e31d92a45 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
 		type amavis_var_run_t;
 	')
-	allow $1 amavis_var_run_t:file setattr;
+	allow $1 amavis_var_run_t:file setattr_file_perms;
 	files_search_pids($1)
 ')
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index c3a1903a3..deca9d3e8 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.11.0)
+policy_module(amavis, 1.11.1)
 ########################################
 #
@@ -47,7 +47,7 @@ files_type(amavis_spool_t)
 allow amavis_t self:capability { kill chown dac_override setgid setuid };
 dontaudit amavis_t self:capability sys_tty_config;
-allow amavis_t self:process { signal sigchld signull };
+allow amavis_t self:process { signal sigchld sigkill signull };
 allow amavis_t self:fifo_file rw_fifo_file_perms;
 allow amavis_t self:unix_stream_socket create_stream_socket_perms;
 allow amavis_t self:unix_dgram_socket create_socket_perms;
@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
 # tmp files
 manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
-allow amavis_t amavis_tmp_t:dir setattr;
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
 files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
 # var/lib files for amavis
@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
 files_search_var_lib(amavis_t)
 # log files
-allow amavis_t amavis_var_log_t:dir setattr;
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
@@ -105,6 +105,7 @@ kernel_dontaudit_read_system_state(amavis_t)
 # find perl
 corecmd_exec_bin(amavis_t)
+corecmd_exec_shell(amavis_t)
 corenet_all_recvfrom_unlabeled(amavis_t)
 corenet_all_recvfrom_netlabel(amavis_t)
@@ -169,6 +170,10 @@ optional_policy(`
 	dcc_stream_connect_dccifd(amavis_t)
 ')
+optional_policy(`
+	nslcd_stream_connect(amavis_t)
+')
+
 optional_policy(`
 	postfix_read_config(amavis_t)
 ')
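Review bot: The added `corecmd_exec_shell(amavis_t)` carries no comment saying which amavisd code path needs a shell, whereas the neighbouring `corecmd_exec_bin(amavis_t)` is annotated `# find perl`, and the commit message says only "executes shell". Letting a network-facing mail scanner execute a shell inside its own domain is a wider grant than anything else in this hunk, so the motivating denial or program behaviour belongs next to the line, e.g. `# amavisd spawns a shell (commit: "executes shell"); TODO record the actual caller`. If the shell is only used to launch external decoders or scanners, a transition into a dedicated domain would confine that better than shell exec in amavis_t; worth checking against the audit log before treating this rule as final.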