2020-04-05 09:07:54

by Russell Coker

Subject: latest ver of trivial mail server patch

Yes, mmap is the standard way of accessing the mail spool.

Removed spamd_gpg_t because there's no point to it, the separation doesn't
provide an actual benefit.

Made the other requested changes.

Signed-off-by: Russell Coker <[email protected]>


Index: refpolicy-2.20200405/policy/modules/services/mailman.fc
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20200405/policy/modules/services/mailman.fc
@@ -1,6 +1,7 @@
/etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)

/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
+/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)

/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
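Review bot: The new file context on line 26 carries no comment saying which package ships `/etc/mailman/postfix-to-mailman.py`, so a later reader cannot tell whether the entry is distribution-specific or why a script under `/etc` is an entrypoint for mailman_mail_t rather than ordinary mailman_data_t content. A one-line comment above it would settle that, e.g. `# postfix transport script installed by the mailman package (TODO: confirm which distribution ships it here)`. The rest of the mailman.fc file is outside the hunk, so whether other `/etc/mailman` entries already have such comments cannot be checked from here.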
Index: refpolicy-2.20200405/policy/modules/services/mailman.if
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/mailman.if
+++ refpolicy-2.20200405/policy/modules/services/mailman.if
@@ -319,6 +319,7 @@ interface(`mailman_read_archive',`
files_search_var_lib($1)
allow $1 mailman_archive_t:dir list_dir_perms;
read_files_pattern($1, mailman_archive_t, mailman_archive_t)
+ allow $1 mailman_archive_t:file map;
read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
')
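Review bot: The raw `allow $1 mailman_archive_t:file map;` on line 38 sits between two pattern-macro calls that the rest of the interface uses; if this refpolicy version carries the mmap pattern macros, the read_files_pattern line and the new allow collapse into `mmap_read_files_pattern($1, mailman_archive_t, mailman_archive_t)`, and the manage interfaces would use the matching mmap manage pattern. The same applies to the three mta.if additions at lines 62, 70 and 78, so whatever form is chosen should be used in all four places. Because these are shared interfaces, the new permission reaches every existing caller of mailman_read_archive, mta_read_spool_files and mta_manage_spool, not only the spamc_t domain this series is about; that is consistent with the message's point that mmap is the normal way to read a spool, but it is worth stating in the commit message. Note also that `map` is checked when the mapping is created and a mapping that already exists is not revalidated on a later relabel the way a read() is, which is the reason the permission exists as a separate grant.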

Index: refpolicy-2.20200405/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20200405/policy/modules/services/mailman.te
@@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t)
files_search_locks(mailman_mail_t)

fs_rw_anon_inodefs_files(mailman_mail_t)
+fs_search_tmpfs(mailman_mail_t)

# this is far from ideal, but systemd reduces the importance of initrc_t
init_signal_script(mailman_mail_t)
Index: refpolicy-2.20200405/policy/modules/services/mta.if
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/mta.if
+++ refpolicy-2.20200405/policy/modules/services/mta.if
@@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte
userdom_search_user_home_dirs($1)
manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ allow $1 mail_home_rw_t:file map;
manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
')

@@ -867,6 +868,7 @@ interface(`mta_read_spool_files',`

files_search_spool($1)
read_files_pattern($1, mail_spool_t, mail_spool_t)
+ allow $1 mail_spool_t:file map;
')

########################################
@@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
files_search_spool($1)
manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ allow $1 mail_spool_t:file map;
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')

Index: refpolicy-2.20200405/policy/modules/services/spamassassin.if
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.if
+++ refpolicy-2.20200405/policy/modules/services/spamassassin.if
@@ -433,3 +433,41 @@ interface(`spamassassin_admin',`
# sa-update
spamassassin_run_update($1, $2)
')
+
+########################################
+## <summary>
+## reload SA service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_service_reload',`
+ gen_require(`
+ type spamassassin_unit_t;
+ ')
+
+ allow $1 spamassassin_unit_t:service reload;
+')
+
+########################################
+## <summary>
+## Get SA service status
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_service_status',`
+ gen_require(`
+ type spamassassin_unit_t;
+ ')
+
+ allow $1 spamassassin_unit_t:service status;
+')
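Review bot: The two new interface summaries at lines 93 and 112 are not phrased like the surrounding refpolicy doc blocks, which use a full sentence naming the service; `## Reload the spamassassin service.` and `## Get the status of the spamassassin service.` would match. Both interfaces are tagged `<rolecap/>`, which marks them as role capabilities in the generated documentation; if they are meant as helpers for other domains rather than for an admin role, the tag should be dropped. The reply in this thread says the interfaces were renamed on merge, so the names shown here are presumably not the ones that landed.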
Index: refpolicy-2.20200405/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.te
+++ refpolicy-2.20200405/policy/modules/services/spamassassin.te
@@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa
gen_tunable(spamd_enable_home_dirs, false)

type spamd_update_t;
+typealias spamd_update_t alias { spamd_gpg_t };
type spamd_update_exec_t;
init_system_domain(spamd_update_t, spamd_update_exec_t)

@@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
type spamd_etc_t;
files_config_file(spamd_etc_t)

-type spamd_gpg_t;
-domain_type(spamd_gpg_t)
-
type spamd_home_t;
userdom_user_home_content(spamd_home_t)

@@ -199,11 +197,13 @@ corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
corenet_tcp_sendrecv_generic_if(spamc_t)
corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_udp_bind_generic_node(spamc_t)

corenet_sendrecv_all_client_packets(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)

corecmd_exec_bin(spamc_t)
+corecmd_exec_shell(spamc_t)

dev_read_rand(spamc_t)
dev_read_urand(spamc_t)
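Review bot: `corecmd_exec_shell(spamc_t)` at line 160 and `corecmd_exec_shell(spamd_t)` at line 177 add a broad grant without recording what either domain runs through a shell, and `corenet_udp_bind_generic_node(spamc_t)` at line 154 is likewise unexplained for a client whose other rules only connect outward. A short why-comment on each rule, naming the helper or plugin that produced the denial, would let a later maintainer judge whether the rule can be dropped; e.g. `# TODO(review): document which helper spamc runs via the shell`. If the shell execution is only needed for one specific helper, a domain transition for that helper would be a smaller grant than a general exec_shell on the mail-scanning domain.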
@@ -256,6 +256,8 @@ optional_policy(`

optional_policy(`
mta_send_mail(spamc_t)
+ mta_getattr_spool(spamc_t)
+ mta_read_spool_files(spamc_t)
mta_read_config(spamc_t)
mta_read_queue(spamc_t)
sendmail_rw_pipes(spamc_t)
@@ -351,6 +353,7 @@ corenet_udp_bind_imaze_port(spamd_t)

corenet_dontaudit_udp_bind_all_ports(spamd_t)

+corecmd_exec_shell(spamd_t)
corecmd_exec_bin(spamd_t)

dev_read_sysfs(spamd_t)
@@ -358,6 +361,7 @@ dev_read_urand(spamd_t)

domain_use_interactive_fds(spamd_t)

+files_map_etc_files(spamd_t)
files_read_usr_files(spamd_t)
files_read_etc_runtime_files(spamd_t)

@@ -372,6 +376,7 @@ libs_use_shared_libs(spamd_t)

logging_send_syslog_msg(spamd_t)

+miscfiles_read_generic_certs(spamd_t)
miscfiles_read_localization(spamd_t)

sysnet_use_ldap(spamd_t)
@@ -487,6 +492,8 @@ manage_dirs_pattern(spamd_update_t, spam
manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)

+kernel_read_crypto_sysctls(spamd_update_t)
+kernel_search_fs_sysctls(spamd_update_t)
kernel_read_system_state(spamd_update_t)

corecmd_exec_bin(spamd_update_t)
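Review bot: The `# fips` comment that annotated `kernel_read_crypto_sysctls` in the removed spamd_gpg_t block (lines 232-233) is lost when the rule moves to spamd_update_t at line 201; keep it so the reason for reading the crypto sysctls stays visible, e.g. `# fips` above line 201 exactly as before. `kernel_search_fs_sysctls(spamd_update_t)` at line 202 is new and has no comment either; the commit does not say which sysctl lookup triggered it.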
@@ -512,6 +519,7 @@ fs_getattr_xattr_fs(spamd_update_t)
auth_use_nsswitch(spamd_update_t)
auth_dontaudit_read_shadow(spamd_update_t)

+miscfiles_read_generic_certs(spamd_update_t)
miscfiles_read_localization(spamd_update_t)

userdom_use_inherited_user_terminals(spamd_update_t)
@@ -523,35 +531,5 @@ optional_policy(`
')

optional_policy(`
- gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
- gpg_entry_type(spamd_gpg_t)
- role system_r types spamd_gpg_t;
-
- allow spamd_gpg_t self:capability { dac_override dac_read_search };
- allow spamd_gpg_t self:unix_stream_socket { connect create };
-
- allow spamd_gpg_t spamd_update_t:fd use;
- allow spamd_gpg_t spamd_update_t:process sigchld;
- allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
- allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
- allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
- allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
-
- # fips
- kernel_read_crypto_sysctls(spamd_gpg_t)
-
- domain_use_interactive_fds(spamd_gpg_t)
-
- files_read_etc_files(spamd_gpg_t)
- files_read_usr_files(spamd_gpg_t)
- files_search_var_lib(spamd_gpg_t)
- files_search_pids(spamd_gpg_t)
- files_search_tmp(spamd_gpg_t)
-
- init_use_fds(spamd_gpg_t)
- init_rw_inherited_stream_socket(spamd_gpg_t)
-
- miscfiles_read_localization(spamd_gpg_t)
-
- userdom_use_inherited_user_terminals(spamd_gpg_t)
+ gpg_exec(spamd_update_t)
')
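Review bot: Replacing the spamd_gpg_t domain with `gpg_exec(spamd_update_t)` at line 249 means gpg now runs with everything spamd_update_t holds (at least the manage rules on spamd_var_lib_t at lines 198-199 and nsswitch at line 207), whereas the removed block limited the gpg step to a handful of files and capabilities; the message justifies this, but nothing in the policy records it, and the `typealias` at line 136 silently maps any remaining reference to spamd_gpg_t onto spamd_update_t. A comment next to the call would preserve the reasoning, e.g. `# gpg runs directly in spamd_update_t; the former spamd_gpg_t domain (kept as an alias) gave no useful isolation`. The removed block also granted `dac_override dac_read_search` and unix_stream_socket `connect create` to the gpg domain; if spamd_update_t does not already have the equivalents, the sa-update signature check may now be denied, which a permissive-mode run of sa-update would show.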
Index: refpolicy-2.20200405/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20200405/policy/modules/services/clamav.te
@@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t)

logging_send_syslog_msg(clamd_t)

+miscfiles_read_generic_certs(clamd_t)
miscfiles_read_localization(clamd_t)

tunable_policy(`clamd_use_jit',`
@@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t)

logging_send_syslog_msg(freshclam_t)

+miscfiles_read_generic_certs(freshclam_t)
miscfiles_read_localization(freshclam_t)

tunable_policy(`clamd_use_jit',`
Index: refpolicy-2.20200405/policy/modules/services/dkim.te
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/dkim.te
+++ refpolicy-2.20200405/policy/modules/services/dkim.te
@@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_
files_read_usr_files(dkim_milter_t)
files_search_spool(dkim_milter_t)

+miscfiles_read_generic_certs(dkim_milter_t)
+
optional_policy(`
mta_read_config(dkim_milter_t)
')
Index: refpolicy-2.20200405/policy/modules/services/dovecot.te
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20200405/policy/modules/services/dovecot.te
@@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t)

fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
+fs_read_tmpfs_symlinks(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)

@@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)

+fs_search_tmpfs(dovecot_auth_t)
+fs_read_tmpfs_symlinks(dovecot_auth_t)
+
init_rw_utmp(dovecot_auth_t)
+init_rw_inherited_stream_socket(dovecot_auth_t)
+init_use_fds(dovecot_auth_t)

logging_send_audit_msgs(dovecot_auth_t)

Index: refpolicy-2.20200405/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20200405/policy/modules/services/postfix.te
@@ -336,6 +336,7 @@ optional_policy(`
')

optional_policy(`
+ mysql_read_config(postfix_master_t)
mysql_stream_connect(postfix_master_t)
')

@@ -427,6 +428,10 @@ optional_policy(`
')

optional_policy(`
+ mysql_read_config(postfix_cleanup_t)
+')
+
+optional_policy(`
dbus_send_system_bus(postfix_cleanup_t)
dbus_system_bus_client(postfix_cleanup_t)
init_dbus_chat(postfix_cleanup_t)
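Review bot: The new `optional_policy` block for mysql at lines 324-326 is placed ahead of the dbus block, but refpolicy keeps optional_policy blocks in alphabetical order by module, so it belongs after the dbus block (and after any other module between d and m in this section; the surrounding file is not visible here). The same ordering check applies to the smtpd block at lines 343-345, whose neighbours are only partly visible in that hunk.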
@@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_

optional_policy(`
apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
+ apache_use_fds(postfix_postdrop_t)
')

optional_policy(`
@@ -826,6 +832,10 @@ optional_policy(`
')

optional_policy(`
+ mysql_read_config(postfix_smtpd_t)
+')
+
+optional_policy(`
postgrey_stream_connect(postfix_smtpd_t)
')


2020-04-09 13:49:45

by Chris PeBenito

Subject: Re: latest ver of trivial mail server patch

On 4/5/20 5:04 AM, Russell Coker wrote:
> Yes mmap is the standard way of accessing the mail spool.
>
> Removed spamd_gpg_t because there's no point to it, the separation doesn't
> provide an actual benefit.
>
> Made the other requested changes.
>
> Signed-off-by: Russell Coker <[email protected]>
>
>
> Index: refpolicy-2.20200405/policy/modules/services/mailman.fc
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/mailman.fc
> +++ refpolicy-2.20200405/policy/modules/services/mailman.fc
> @@ -1,6 +1,7 @@
> /etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
>
> /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
> +/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>
> /usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> /usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> Index: refpolicy-2.20200405/policy/modules/services/mailman.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/mailman.if
> +++ refpolicy-2.20200405/policy/modules/services/mailman.if
> @@ -319,6 +319,7 @@ interface(`mailman_read_archive',`
> files_search_var_lib($1)
> allow $1 mailman_archive_t:dir list_dir_perms;
> read_files_pattern($1, mailman_archive_t, mailman_archive_t)
> + allow $1 mailman_archive_t:file map;
> read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
> ')
>
> Index: refpolicy-2.20200405/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20200405/policy/modules/services/mailman.te
> @@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t)
> files_search_locks(mailman_mail_t)
>
> fs_rw_anon_inodefs_files(mailman_mail_t)
> +fs_search_tmpfs(mailman_mail_t)
>
> # this is far from ideal, but systemd reduces the importance of initrc_t
> init_signal_script(mailman_mail_t)
> Index: refpolicy-2.20200405/policy/modules/services/mta.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/mta.if
> +++ refpolicy-2.20200405/policy/modules/services/mta.if
> @@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte
> userdom_search_user_home_dirs($1)
> manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
> manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> + allow $1 mail_home_rw_t:file map;
> manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> ')
>
> @@ -867,6 +868,7 @@ interface(`mta_read_spool_files',`
>
> files_search_spool($1)
> read_files_pattern($1, mail_spool_t, mail_spool_t)
> + allow $1 mail_spool_t:file map;
> ')
>
> ########################################
> @@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
> files_search_spool($1)
> manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
> manage_files_pattern($1, mail_spool_t, mail_spool_t)
> + allow $1 mail_spool_t:file map;
> manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
> ')
>
> Index: refpolicy-2.20200405/policy/modules/services/spamassassin.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.if
> +++ refpolicy-2.20200405/policy/modules/services/spamassassin.if
> @@ -433,3 +433,41 @@ interface(`spamassassin_admin',`
> # sa-update
> spamassassin_run_update($1, $2)
> ')
> +
> +########################################
> +## <summary>
> +## reload SA service
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`spamassassin_service_reload',`
> + gen_require(`
> + type spamassassin_unit_t;
> + ')
> +
> + allow $1 spamassassin_unit_t:service reload;
> +')
> +
> +########################################
> +## <summary>
> +## Get SA service status
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`spamassassin_service_status',`
> + gen_require(`
> + type spamassassin_unit_t;
> + ')
> +
> + allow $1 spamassassin_unit_t:service status;
> +')
> Index: refpolicy-2.20200405/policy/modules/services/spamassassin.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.te
> +++ refpolicy-2.20200405/policy/modules/services/spamassassin.te
> @@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa
> gen_tunable(spamd_enable_home_dirs, false)
>
> type spamd_update_t;
> +typealias spamd_update_t alias { spamd_gpg_t };
> type spamd_update_exec_t;
> init_system_domain(spamd_update_t, spamd_update_exec_t)
>
> @@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
> type spamd_etc_t;
> files_config_file(spamd_etc_t)
>
> -type spamd_gpg_t;
> -domain_type(spamd_gpg_t)
> -
> type spamd_home_t;
> userdom_user_home_content(spamd_home_t)
>
> @@ -199,11 +197,13 @@ corenet_all_recvfrom_unlabeled(spamc_t)
> corenet_all_recvfrom_netlabel(spamc_t)
> corenet_tcp_sendrecv_generic_if(spamc_t)
> corenet_tcp_sendrecv_generic_node(spamc_t)
> +corenet_udp_bind_generic_node(spamc_t)
>
> corenet_sendrecv_all_client_packets(spamc_t)
> corenet_tcp_connect_all_ports(spamc_t)
>
> corecmd_exec_bin(spamc_t)
> +corecmd_exec_shell(spamc_t)
>
> dev_read_rand(spamc_t)
> dev_read_urand(spamc_t)
> @@ -256,6 +256,8 @@ optional_policy(`
>
> optional_policy(`
> mta_send_mail(spamc_t)
> + mta_getattr_spool(spamc_t)
> + mta_read_spool_files(spamc_t)
> mta_read_config(spamc_t)
> mta_read_queue(spamc_t)
> sendmail_rw_pipes(spamc_t)
> @@ -351,6 +353,7 @@ corenet_udp_bind_imaze_port(spamd_t)
>
> corenet_dontaudit_udp_bind_all_ports(spamd_t)
>
> +corecmd_exec_shell(spamd_t)
> corecmd_exec_bin(spamd_t)
>
> dev_read_sysfs(spamd_t)
> @@ -358,6 +361,7 @@ dev_read_urand(spamd_t)
>
> domain_use_interactive_fds(spamd_t)
>
> +files_map_etc_files(spamd_t)
> files_read_usr_files(spamd_t)
> files_read_etc_runtime_files(spamd_t)
>
> @@ -372,6 +376,7 @@ libs_use_shared_libs(spamd_t)
>
> logging_send_syslog_msg(spamd_t)
>
> +miscfiles_read_generic_certs(spamd_t)
> miscfiles_read_localization(spamd_t)
>
> sysnet_use_ldap(spamd_t)
> @@ -487,6 +492,8 @@ manage_dirs_pattern(spamd_update_t, spam
> manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
> manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
>
> +kernel_read_crypto_sysctls(spamd_update_t)
> +kernel_search_fs_sysctls(spamd_update_t)
> kernel_read_system_state(spamd_update_t)
>
> corecmd_exec_bin(spamd_update_t)
> @@ -512,6 +519,7 @@ fs_getattr_xattr_fs(spamd_update_t)
> auth_use_nsswitch(spamd_update_t)
> auth_dontaudit_read_shadow(spamd_update_t)
>
> +miscfiles_read_generic_certs(spamd_update_t)
> miscfiles_read_localization(spamd_update_t)
>
> userdom_use_inherited_user_terminals(spamd_update_t)
> @@ -523,35 +531,5 @@ optional_policy(`
> ')
>
> optional_policy(`
> - gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
> - gpg_entry_type(spamd_gpg_t)
> - role system_r types spamd_gpg_t;
> -
> - allow spamd_gpg_t self:capability { dac_override dac_read_search };
> - allow spamd_gpg_t self:unix_stream_socket { connect create };
> -
> - allow spamd_gpg_t spamd_update_t:fd use;
> - allow spamd_gpg_t spamd_update_t:process sigchld;
> - allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
> - allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
> - allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
> - allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
> -
> - # fips
> - kernel_read_crypto_sysctls(spamd_gpg_t)
> -
> - domain_use_interactive_fds(spamd_gpg_t)
> -
> - files_read_etc_files(spamd_gpg_t)
> - files_read_usr_files(spamd_gpg_t)
> - files_search_var_lib(spamd_gpg_t)
> - files_search_pids(spamd_gpg_t)
> - files_search_tmp(spamd_gpg_t)
> -
> - init_use_fds(spamd_gpg_t)
> - init_rw_inherited_stream_socket(spamd_gpg_t)
> -
> - miscfiles_read_localization(spamd_gpg_t)
> -
> - userdom_use_inherited_user_terminals(spamd_gpg_t)
> + gpg_exec(spamd_update_t)
> ')
> Index: refpolicy-2.20200405/policy/modules/services/clamav.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/clamav.te
> +++ refpolicy-2.20200405/policy/modules/services/clamav.te
> @@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t)
>
> logging_send_syslog_msg(clamd_t)
>
> +miscfiles_read_generic_certs(clamd_t)
> miscfiles_read_localization(clamd_t)
>
> tunable_policy(`clamd_use_jit',`
> @@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t)
>
> logging_send_syslog_msg(freshclam_t)
>
> +miscfiles_read_generic_certs(freshclam_t)
> miscfiles_read_localization(freshclam_t)
>
> tunable_policy(`clamd_use_jit',`
> Index: refpolicy-2.20200405/policy/modules/services/dkim.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/dkim.te
> +++ refpolicy-2.20200405/policy/modules/services/dkim.te
> @@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_
> files_read_usr_files(dkim_milter_t)
> files_search_spool(dkim_milter_t)
>
> +miscfiles_read_generic_certs(dkim_milter_t)
> +
> optional_policy(`
> mta_read_config(dkim_milter_t)
> ')
> Index: refpolicy-2.20200405/policy/modules/services/dovecot.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/dovecot.te
> +++ refpolicy-2.20200405/policy/modules/services/dovecot.te
> @@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t)
>
> fs_getattr_all_fs(dovecot_t)
> fs_getattr_all_dirs(dovecot_t)
> +fs_read_tmpfs_symlinks(dovecot_t)
> fs_search_auto_mountpoints(dovecot_t)
> fs_list_inotifyfs(dovecot_t)
>
> @@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t)
> auth_domtrans_chk_passwd(dovecot_auth_t)
> auth_use_nsswitch(dovecot_auth_t)
>
> +fs_search_tmpfs(dovecot_auth_t)
> +fs_read_tmpfs_symlinks(dovecot_auth_t)
> +
> init_rw_utmp(dovecot_auth_t)
> +init_rw_inherited_stream_socket(dovecot_auth_t)
> +init_use_fds(dovecot_auth_t)
>
> logging_send_audit_msgs(dovecot_auth_t)
>
> Index: refpolicy-2.20200405/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20200405/policy/modules/services/postfix.te
> @@ -336,6 +336,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mysql_read_config(postfix_master_t)
> mysql_stream_connect(postfix_master_t)
> ')
>
> @@ -427,6 +428,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mysql_read_config(postfix_cleanup_t)
> +')
> +
> +optional_policy(`
> dbus_send_system_bus(postfix_cleanup_t)
> dbus_system_bus_client(postfix_cleanup_t)
> init_dbus_chat(postfix_cleanup_t)
> @@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_
>
> optional_policy(`
> apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
> + apache_use_fds(postfix_postdrop_t)
> ')
>
> optional_policy(`
> @@ -826,6 +832,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mysql_read_config(postfix_smtpd_t)
> +')
> +
> +optional_policy(`
> postgrey_stream_connect(postfix_smtpd_t)
> ')
>

Merged, though I renamed a couple of interfaces and made a trivial syntax change.

--
Chris PeBenito