authorAnthony G. Basile <blueness@gentoo.org>2011-04-16 13:40:20 +0000
committerAnthony G. Basile <blueness@gentoo.org>2011-04-16 13:40:20 +0000
commitf0e403c8f9bbbf76212cad9c7e5c11b40f2723a8 (patch)
tree728dfb61441be814172c3050823ebe2cf71b0e00 /sec-policy/selinux-postfix
parentHide cosmetic denials (diff)
Allow postfix admin through sysadm (-r2) and postfix_smtpd_t to mysql (-r3)
(Portage version: 2.1.9.42/cvs/Linux x86_64)
Diffstat (limited to 'sec-policy/selinux-postfix')
-rw-r--r--sec-policy/selinux-postfix/ChangeLog13
-rw-r--r--sec-policy/selinux-postfix/files/fix-services-postfix-r2.patch76
-rw-r--r--sec-policy/selinux-postfix/files/fix-services-postfix-r3.patch77
-rw-r--r--sec-policy/selinux-postfix/selinux-postfix-2.20101213-r2.ebuild14
-rw-r--r--sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild14
5 files changed, 193 insertions, 1 deletions
diff --git a/sec-policy/selinux-postfix/ChangeLog b/sec-policy/selinux-postfix/ChangeLog
index 277e26ef25c0..c52bcd393f98 100644
--- a/sec-policy/selinux-postfix/ChangeLog
+++ b/sec-policy/selinux-postfix/ChangeLog
@@ -1,6 +1,17 @@
# ChangeLog for sec-policy/selinux-postfix
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-postfix/ChangeLog,v 1.32 2011/03/07 02:50:05 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-postfix/ChangeLog,v 1.33 2011/04/16 13:40:20 blueness Exp $
+
+*selinux-postfix-2.20101213-r3 (16 Apr 2011)
+*selinux-postfix-2.20101213-r2 (16 Apr 2011)
+
+ 16 Apr 2011; Anthony G. Basile <blueness@gentoo.org>
+ +files/fix-services-postfix-r2.patch,
+ +selinux-postfix-2.20101213-r2.ebuild,
+ +files/fix-services-postfix-r3.patch,
+ +selinux-postfix-2.20101213-r3.ebuild:
+ Allow postfix admin through sysadm (-r2) and postfix_smtpd_t to mysql
+ (-r3)
*selinux-postfix-2.20101213-r1 (07 Mar 2011)
diff --git a/sec-policy/selinux-postfix/files/fix-services-postfix-r2.patch b/sec-policy/selinux-postfix/files/fix-services-postfix-r2.patch
new file mode 100644
index 000000000000..df3af68576c0
--- /dev/null
+++ b/sec-policy/selinux-postfix/files/fix-services-postfix-r2.patch
@@ -0,0 +1,76 @@
+--- services/postfix.te 2010-08-03 15:11:07.000000000 +0200
++++ services/postfix.te 2011-03-13 16:04:36.436999999 +0100
+@@ -93,7 +93,7 @@
+ #
+
+ # chown is to set the correct ownership of queue dirs
+-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
++allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config dac_read_search };
+ allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+ allow postfix_master_t self:udp_socket create_socket_perms;
+@@ -201,6 +201,9 @@
+
+ optional_policy(`
+ mysql_stream_connect(postfix_master_t)
++ mysql_stream_connect(postfix_cleanup_t)
++ mysql_stream_connect(postfix_local_t)
++ mysql_stream_connect(postfix_virtual_t)
+ ')
+
+ optional_policy(`
+@@ -589,6 +592,7 @@
+ # for OpenSSL certificates
+ files_read_usr_files(postfix_smtpd_t)
+ mta_read_aliases(postfix_smtpd_t)
++mta_read_config(postfix_smtpd_t)
+
+ optional_policy(`
+ dovecot_stream_connect_auth(postfix_smtpd_t)
+--- services/postfix.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/postfix.fc 2011-03-13 15:54:11.765000000 +0100
+@@ -16,20 +16,21 @@
+ /usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+ /usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+ ', `
+-/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+-/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
++/usr/lib(64)?/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
++/usr/lib(64)?/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
++/usr/lib(64)?/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
++/usr/lib(64)?/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
++/usr/lib(64)?/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
++/usr/lib(64)?/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
++/usr/lib(64)?/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
++/usr/lib(64)?/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib(64)?/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib(64)?/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib(64)?/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
++/usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
++/usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
++/usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
++/usr/lib(64)?/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ ')
+ /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+@@ -48,7 +49,7 @@
+
+ /var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
++/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
+ /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+ /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+ /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
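Review bot: The `dac_read_search` capability added to the `allow postfix_master_t self:capability { ... }` line carries no justification, while the line directly above it documents why `chown` is there; a capability that bypasses DAC read and search checks for the master daemon deserves the same treatment, e.g. extending that comment to `# chown is to set the correct ownership of queue dirs; dac_read_search for [reason taken from the AVC denial — TODO]`. The identical un-commented grant is repeated in fix-services-postfix-r3.patch. Separately, the commit message attributes "postfix admin through sysadm" to -r2, but nothing in this patch touches an admin interface or a sysadm domain, so either the message or the patch contents appears to be off and it is worth confirming that the intended hunk was not dropped.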
diff --git a/sec-policy/selinux-postfix/files/fix-services-postfix-r3.patch b/sec-policy/selinux-postfix/files/fix-services-postfix-r3.patch
new file mode 100644
index 000000000000..f748e9ad44a0
--- /dev/null
+++ b/sec-policy/selinux-postfix/files/fix-services-postfix-r3.patch
@@ -0,0 +1,77 @@
+--- services/postfix.te 2010-08-03 15:11:07.000000000 +0200
++++ services/postfix.te 2011-03-19 18:19:42.287000040 +0100
+@@ -93,7 +93,7 @@
+ #
+
+ # chown is to set the correct ownership of queue dirs
+-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
++allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config dac_read_search };
+ allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+ allow postfix_master_t self:udp_socket create_socket_perms;
+@@ -201,6 +201,10 @@
+
+ optional_policy(`
+ mysql_stream_connect(postfix_master_t)
++ mysql_stream_connect(postfix_cleanup_t)
++ mysql_stream_connect(postfix_local_t)
++ mysql_stream_connect(postfix_virtual_t)
++ mysql_stream_connect(postfix_smtpd_t)
+ ')
+
+ optional_policy(`
+@@ -589,6 +593,7 @@
+ # for OpenSSL certificates
+ files_read_usr_files(postfix_smtpd_t)
+ mta_read_aliases(postfix_smtpd_t)
++mta_read_config(postfix_smtpd_t)
+
+ optional_policy(`
+ dovecot_stream_connect_auth(postfix_smtpd_t)
+--- services/postfix.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/postfix.fc 2011-03-13 15:54:11.765000000 +0100
+@@ -16,20 +16,21 @@
+ /usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+ /usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+ ', `
+-/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+-/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
++/usr/lib(64)?/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
++/usr/lib(64)?/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
++/usr/lib(64)?/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
++/usr/lib(64)?/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
++/usr/lib(64)?/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
++/usr/lib(64)?/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
++/usr/lib(64)?/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
++/usr/lib(64)?/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib(64)?/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib(64)?/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/lib(64)?/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
++/usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
++/usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
++/usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
++/usr/lib(64)?/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ ')
+ /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+@@ -48,7 +49,7 @@
+
+ /var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
++/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
+ /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+ /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+ /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
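Review bot: `mysql_stream_connect(postfix_smtpd_t)` is the only line that distinguishes this patch from fix-services-postfix-r2.patch, and it hands the network-facing smtpd domain a direct socket to mysqld without recording which lookup table needs it; a comment such as `# smtpd queries mysql-backed maps directly (lookups not routed via proxymap) — confirm` would capture that trade-off. Because smtpd is the domain that talks to untrusted SMTP clients, keeping database access out of it where the deployment can route those lookups through proxymap(8) is the least-privilege option, so noting why that is not sufficient here helps later reviewers. Carrying the other 76 lines verbatim from the r2 patch also means every future fix has to be applied twice; stacking r3 on top of r2, or deriving one from the other, would avoid drift between them.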
diff --git a/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r2.ebuild b/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r2.ebuild
new file mode 100644
index 000000000000..73a41ba23359
--- /dev/null
+++ b/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r2.ebuild
@@ -0,0 +1,14 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r2.ebuild,v 1.1 2011/04/16 13:40:20 blueness Exp $
+
+MODS="postfix"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for postfix"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-postfix-r2.patch"
diff --git a/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild b/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild
new file mode 100644
index 000000000000..2791677b3687
--- /dev/null
+++ b/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild
@@ -0,0 +1,14 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-postfix/selinux-postfix-2.20101213-r3.ebuild,v 1.1 2011/04/16 13:40:20 blueness Exp $
+
+MODS="postfix"
+IUSE=""
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for postfix"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-postfix-r3.patch"