2018-01-03 23:40:06

by Christian Göttsche

Subject: [refpolicy] [PATCH] spamassassin: fix missing perms

version 2:

* fix non existent interface kernel_search_crypto_sysctls
* add spamd-gpg permissions on update
---
spamassassin.te | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/spamassassin.te b/spamassassin.te
index 9bc81030..7d34829d 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -549,10 +549,13 @@ optional_policy(`
allow spamd_gpg_t spamd_update_t:fd use;
allow spamd_gpg_t spamd_update_t:process sigchld;
allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
- allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
- allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
+ allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
+ allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;

+ # fips
+ kernel_read_crypto_sysctls(spamd_gpg_t)
+
domain_use_interactive_fds(spamd_gpg_t)

files_read_etc_files(spamd_gpg_t)
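Review bot: The two replaced allow rules on spamd_var_lib_t widen spamd_gpg_t from search_dir_perms to rw_dir_perms on the directory and from rw_file_perms to manage_file_perms on files, but the changelog only says "add spamd-gpg permissions on update". Please name the operation (or the denial) that needs files created or removed there, so the grant can be checked against least privilege. If the intent is the usual "manage files in this directory" pair, the two rules can be written as `manage_files_pattern(spamd_gpg_t, spamd_var_lib_t, spamd_var_lib_t)`. The `# fips` comment above kernel_read_crypto_sysctls would also be clearer if it said what is read and why.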
@@ -562,6 +565,7 @@ optional_policy(`
files_search_tmp(spamd_gpg_t)

init_use_fds(spamd_gpg_t)
+ init_rw_inherited_stream_socket(spamd_gpg_t)

miscfiles_read_localization(spamd_gpg_t)

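Review bot: The added `init_rw_inherited_stream_socket(spamd_gpg_t)` call has no comment saying why spamd_gpg_t needs read/write on a stream socket inherited from init, unlike the `# fips` note on the other new interface call. Please add a one-line reason next to it. Since the v2 changelog already records one call to a non-existent interface, also confirm that this exact name is defined in the init module before resubmitting.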
--
2.15.1


2018-01-04 21:43:06

by Chris PeBenito

Subject: [refpolicy] [PATCH] spamassassin: fix missing perms

On 01/03/2018 06:40 PM, Christian Göttsche via refpolicy wrote:
> version 2:
>
> * fix non existent interface kernel_search_crypto_sysctls
> * add spamd-gpg permissions on update
> ---
> spamassassin.te | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/spamassassin.te b/spamassassin.te
> index 9bc81030..7d34829d 100644
> --- a/spamassassin.te
> +++ b/spamassassin.te
> @@ -549,10 +549,13 @@ optional_policy(`
> allow spamd_gpg_t spamd_update_t:fd use;
> allow spamd_gpg_t spamd_update_t:process sigchld;
> allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
> - allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
> - allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
> + allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
> + allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
> allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
>
> + # fips
> + kernel_read_crypto_sysctls(spamd_gpg_t)
> +
> domain_use_interactive_fds(spamd_gpg_t)
>
> files_read_etc_files(spamd_gpg_t)
> @@ -562,6 +565,7 @@ optional_policy(`
> files_search_tmp(spamd_gpg_t)
>
> init_use_fds(spamd_gpg_t)
> + init_rw_inherited_stream_socket(spamd_gpg_t)

Sorry, I missed this on the previous patch, but this interface doesn't
exist either.

--
Chris PeBenito

2018-01-05 21:21:11

by Chris PeBenito

Subject: [refpolicy] [PATCH] spamassassin: fix missing perms

On 01/03/2018 06:40 PM, Christian Göttsche via refpolicy wrote:
> version 2:
>
> * fix non existent interface kernel_search_crypto_sysctls
> * add spamd-gpg permissions on update
> ---
> spamassassin.te | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/spamassassin.te b/spamassassin.te
> index 9bc81030..7d34829d 100644
> --- a/spamassassin.te
> +++ b/spamassassin.te
> @@ -549,10 +549,13 @@ optional_policy(`
> allow spamd_gpg_t spamd_update_t:fd use;
> allow spamd_gpg_t spamd_update_t:process sigchld;
> allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
> - allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
> - allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
> + allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
> + allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
> allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
>
> + # fips
> + kernel_read_crypto_sysctls(spamd_gpg_t)
> +
> domain_use_interactive_fds(spamd_gpg_t)
>
> files_read_etc_files(spamd_gpg_t)
> @@ -562,6 +565,7 @@ optional_policy(`
> files_search_tmp(spamd_gpg_t)
>
> init_use_fds(spamd_gpg_t)
> + init_rw_inherited_stream_socket(spamd_gpg_t)
>
> miscfiles_read_localization(spamd_gpg_t)

Merged.

--
Chris PeBenito