* [gentoo-commits] proj/hardened-dev:master commit in: sec-policy/selinux-postfix/files/, sec-policy/selinux-postfix/
@ 2011-03-19 17:21 Sven Vermeulen
From: Sven Vermeulen @ 2011-03-19 17:21 UTC (permalink / raw
  To: gentoo-commits

commit:     3806840ba477cd474cf8d6ce0c6d2e5fc58a1892
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Mar 19 17:21:33 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Mar 19 17:21:33 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=3806840b

Allow postfix_smtpd_t domain to connect to mysql, needed for virtual mailhosting

---
 sec-policy/selinux-postfix/ChangeLog               |    6 ++
 .../files/fix-services-postfix-r3.patch            |   77 ++++++++++++++++++++
 .../selinux-postfix-2.20101213-r3.ebuild           |   14 ++++
 3 files changed, 97 insertions(+), 0 deletions(-)

diff --git a/sec-policy/selinux-postfix/ChangeLog b/sec-policy/selinux-postfix/ChangeLog
index a394f4c..80659ac 100644
--- a/sec-policy/selinux-postfix/ChangeLog
+++ b/sec-policy/selinux-postfix/ChangeLog
@@ -2,6 +2,12 @@
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
 # $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-postfix/ChangeLog,v 1.32 2011/03/07 02:50:05 blueness Exp $
 
+*selinux-postfix-2.20101213-r3 (19 Mar 2011)
+
+  19 Mar 2011; <swift@gentoo.org> +files/fix-services-postfix-r3.patch,
+  +selinux-postfix-2.20101213-r3.ebuild:
+  Allow postfix_smtpd_t to access mysql (virtual mailhosting)
+
 *selinux-postfix-2.20101213-r2 (14 Mar 2011)
 
   14 Mar 2011; <swift@gentoo.org> +files/fix-services-postfix-r2.patch,

diff --git a/sec-policy/selinux-postfix/files/fix-services-postfix-r3.patch b/sec-policy/selinux-postfix/files/fix-services-postfix-r3.patch
new file mode 100644
index 0000000..f748e9a
--- /dev/null
+++ b/sec-policy/selinux-postfix/files/fix-services-postfix-r3.patch
@@ -0,0 +1,77 @@
+--- services/postfix.te	2010-08-03 15:11:07.000000000 +0200
++++ services/postfix.te	2011-03-19 18:19:42.287000040 +0100
+@@ -93,7 +93,7 @@
+ #
+ 
+ # chown is to set the correct ownership of queue dirs
+-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
++allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config dac_read_search };
+ allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+ allow postfix_master_t self:udp_socket create_socket_perms;
+@@ -201,6 +201,10 @@
+ 
+ optional_policy(`
+ 	mysql_stream_connect(postfix_master_t)
++	mysql_stream_connect(postfix_cleanup_t)
++	mysql_stream_connect(postfix_local_t)
++	mysql_stream_connect(postfix_virtual_t)
++	mysql_stream_connect(postfix_smtpd_t)
+ ')
+ 
+ optional_policy(`
+@@ -589,6 +593,7 @@
+ # for OpenSSL certificates
+ files_read_usr_files(postfix_smtpd_t)
+ mta_read_aliases(postfix_smtpd_t)
++mta_read_config(postfix_smtpd_t)
+ 
+ optional_policy(`
+ 	dovecot_stream_connect_auth(postfix_smtpd_t)
+--- services/postfix.fc	2010-08-03 15:11:07.000000000 +0200
++++ services/postfix.fc	2011-03-13 15:54:11.765000000 +0100
+@@ -16,20 +16,21 @@
+ /usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+ /usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+ ', `
+-/usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+-/usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
+-/usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/lib/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+-/usr/lib/postfix/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+-/usr/lib/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+-/usr/lib/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+-/usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+-/usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-/usr/lib/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
++/usr/lib(64)?/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
++/usr/lib(64)?/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
++/usr/lib(64)?/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
++/usr/lib(64)?/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
++/usr/lib(64)?/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
++/usr/lib(64)?/postfix/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
++/usr/lib(64)?/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
++/usr/lib(64)?/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib(64)?/postfix/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib(64)?/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib(64)?/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
++/usr/lib(64)?/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
++/usr/lib(64)?/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
++/usr/lib(64)?/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
++/usr/lib(64)?/postfix/postfix-script.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+ ')
+ /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
+@@ -48,7 +49,7 @@
+ 
+ /var/spool/postfix(/.*)?		gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+-/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
++/var/spool/postfix/pid(/.*)?	gen_context(system_u:object_r:postfix_var_run_t,s0)
+ /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+ /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+ /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
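Review bot: The `dac_read_search` capability added to `postfix_master_t` in the `allow postfix_master_t self:capability { ... }` line is a DAC-bypass grant that the commit message (smtpd connecting to mysql) does not cover, and unlike `chown` on the line just above it carries no comment saying which path the master daemon needs to traverse. With that capability the master domain can read any file and search any directory regardless of mode bits, so it widens the policy well beyond what the mysql socket connect needs; presumably it was prompted by an AVC denial while master walks queue or chroot directories owned by another uid, but the patch does not record that. I would either drop it until the denial is captured, or annotate it the way `chown` is, e.g. `# dac_read_search: master must traverse queue/chroot dirs owned by other uids (TODO cite AVC)`. Likewise `mysql_stream_connect` is now granted unconditionally to cleanup, local, virtual and smtpd inside the optional block while the commit message names only smtpd; a one-line comment above the block, `# mysql lookup tables (virtual mailhosting) are consulted by these domains`, would make the scope of the grant reviewable. The .fc timestamps (2011-03-13) predate the .te ones, which suggests the lib64/pid/postfix-script relabels are carried over from the r2 patch rather than part of this change — worth stating in the ChangeLog if so.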

diff --git a/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild b/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild
new file mode 100644
index 0000000..04c476f
--- /dev/null
+++ b/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild
@@ -0,0 +1,14 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r1.ebuild,v 1.1 2011/03/07 02:50:05 blueness Exp $
+
+MODS="postfix"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for postfix"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-postfix-r3.patch"


