From d57a094347949aee977db69dea63d7d9b5577153 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 4 Mar 2008 18:25:13 +0000
Subject: [PATCH] trunk: Exim updates on Debian from Devin Carrawy.
---
 Changelog | 1 +
 policy/modules/services/exim.fc | 12 ++++++++----
 policy/modules/services/exim.te | 11 +++++++++--
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/Changelog b/Changelog
index f4ed5d77b..729781faf 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Exim updates on Debian from Devin Carrawy.
 - Pam and samba updates from Stefan Schulze Frielinghaus.
 - Backup update on Debian from Vaclav Ovsik.
 - Cracklib update on Debian from Vaclav Ovsik.
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
index 8df159470..ad4e0a0af 100644
--- a/policy/modules/services/exim.fc
+++ b/policy/modules/services/exim.fc
@@ -1,4 +1,8 @@
-/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0)
-/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
-/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
-/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index cf4b4f9ac..d6360c023 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -1,5 +1,5 @@
-policy_module(exim,1.0.0)
+policy_module(exim,1.0.1)
 ########################################
 #
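Review bot: The `ifdef(`distro_debian',...)` block added to exim.fc labels an entire `/var/run/exim[0-9]?` directory tree as exim_var_run_t, but nothing records why the Debian layout differs from the single pid file pattern just above it. A one-line comment such as `# Debian's exim4 keeps its runtime files in a /var/run/exim4 directory` (presumably the reason; confirm against the package) would spare the next reader a lookup. Because the pattern carries no object-class qualifier, every object exim creates beneath that directory inherits the pid-file type, which is fine if intended but worth stating on the same line.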
@@ -42,7 +42,7 @@ files_pid_file(exim_var_run_t)
 # exim local policy
 #
-allow exim_t self:capability { dac_override dac_read_search setuid setgid };
+allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket create_stream_socket_perms;
 allow exim_t self:tcp_socket create_stream_socket_perms;
@@ -67,6 +67,8 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
 kernel_read_kernel_sysctls(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
+
 corecmd_search_bin(exim_t)
 corenet_all_recvfrom_unlabeled(exim_t)
@@ -77,8 +79,13 @@ corenet_tcp_bind_all_nodes(exim_t)
 corenet_tcp_bind_smtp_port(exim_t)
 corenet_tcp_bind_amavisd_send_port(exim_t)
 corenet_tcp_connect_auth_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_connect_ldap_port(exim_t)
 corenet_tcp_connect_inetd_child_port(exim_t)
+dev_read_rand(exim_t)
+dev_read_urand(exim_t)
+
 # Init script handling
 domain_use_interactive_fds(exim_t)
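Review bot: The capability line in the first exim.te hunk grows to include `chown` and `fowner` with no comment recording what triggered them, and both are broad grants (chown lets the domain reassign ownership of any file it can already write, fowner bypasses owner-based permission checks). Suggest a comment above the allow such as `# chown/fowner: exim sets ownership and mode on the files it delivers`, with the wording checked against the denials that motivated the change, since that reason is only presumed here. If the denials show only one of the two in use, granting just that one keeps the domain tighter.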
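Review bot: `corenet_tcp_connect_ldap_port(exim_t)` in the last hunk grants outbound LDAP to every exim deployment, although exim only contacts an LDAP server when the site configuration uses LDAP lookups; a short comment, or a tunable so that installations without LDAP do not carry the permission, would make the intent explicit. The smtp connect is inherent to an MTA and needs no such note. `dev_read_rand` next to `dev_read_urand` is harmless, but a word on which device exim actually opens would help, since blocking reads from /dev/random are a well-known cause of daemon stalls.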