
Merge branch 'master' of git.cyber-everything.de:Hoshpak/gentoo-selinux-policies

Helmut Pozimski hace 3 años
padre
commit
40d4c7c2ea
Se han modificado 7 ficheros con 49 adiciones y 20 borrados
  1. 4 1
      atop.te
  2. 13 1
      dovecot_additional.te
  3. 0 7
      gcc_config_additional.te
  4. 10 1
      phpfpm_additional.te
  5. 3 1
      postfix_additional.te
  6. 3 0
      spamassassin.te
  7. 16 9
      sysadm_additional.te

+ 4 - 1
atop.te

@@ -1,4 +1,4 @@
-policy_module(atop, 0.1.23)
+policy_module(atop, 0.1.24)
 
 ########################################
 #
@@ -38,6 +38,9 @@ files_pid_file(atopacct_var_run_t)
 type atop_var_cache_t;
 files_type(atop_var_cache_t)
 
+type atop_unit_t;
+init_unit_file(atop_unit_t)
+
 ########################################
 #
 # Local policy
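Review bot: `type atop_unit_t;` followed by `init_unit_file(atop_unit_t)` declares a unit-file type, but nothing in this commit labels a file with it — only .te files change — so unless a file-context entry for the atop service unit already exists or lands separately, the new init_startstop_service call in sysadm_additional.te grants access to a type no file carries. A one-line comment above the declaration, `# systemd unit file type; must match the unit's file-context entry`, would make that dependency visible to the next maintainer. The same applies to phpfpm_unit_t in phpfpm_additional.te and spamd_unit_t in spamassassin.te.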

+ 13 - 1
dovecot_additional.te

@@ -1,16 +1,28 @@
-policy_module(dovecot_additional, 0.0.5)
+policy_module(dovecot_additional, 0.0.7)
 
 require {
   type dovecot_deliver_exec_t;
   type dovecot_deliver_t;
   type dovecot_t;
   type mail_spool_t;
+  type postfix_master_t;
   type sendmail_exec_t;
 }
 
 optional_policy(`
 	mta_sendmail_domtrans(dovecot_deliver_t)
 ')
+
+allow dovecot_deliver_t self:process setrlimit;
+
 mta_manage_spool(dovecot_deliver_t)
+mta_sendmail_exec(dovecot_deliver_t)
 allow dovecot_t mail_spool_t:file map;
 allow dovecot_deliver_t mail_spool_t:file map;
+
+allow dovecot_deliver_t postfix_master_t:unix_stream_socket connectto;
+
+postfix_domtrans_postdrop(dovecot_deliver_t)
+postfix_search_spool(dovecot_deliver_t)
+postfix_read_config(dovecot_deliver_t)
+
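Review bot: The three `postfix_*` interface calls and the raw `allow dovecot_deliver_t postfix_master_t:unix_stream_socket connectto;` sit outside `optional_policy`, while the existing mta_sendmail_domtrans call in the same file is wrapped; if the postfix module is optional in this policy, as it is in reference policy, dovecot_additional will fail to build on a host where postfix is not loaded. Moving the postfix rules into an `optional_policy(` block with a `gen_require(` for `type postfix_master_t;` inside it, instead of the new line in the top-level require block, keeps the module loadable either way. If the postfix module provides an interface for connecting to the master socket, prefer it to the raw allow so the rule follows whatever type upstream uses for that socket. The final `+` line also adds a trailing blank line at end of file.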

+ 0 - 7
gcc_config_additional.te

@@ -1,7 +0,0 @@
-policy_module(gcc_config_additional, 0.0.1)
-
-require {
-  type gcc_config_t;
-}
-
-files_read_var_files(gcc_config_t)

+ 10 - 1
phpfpm_additional.te

@@ -1,4 +1,4 @@
-policy_module(phpfpm_additional, 0.0.5)
+policy_module(phpfpm_additional, 0.0.6)
 
 require {
   type phpfpm_t;
@@ -12,6 +12,9 @@ require {
 type phpfpm_initrc_exec_t;
 init_script_file(phpfpm_initrc_exec_t)
 
+type phpfpm_unit_t;
+init_unit_file(phpfpm_unit_t)
+
 allow phpfpm_t self:process sigkill;
 
 allow phpfpm_t phpfpm_tmp_t:lnk_file { create unlink };
@@ -34,3 +37,9 @@ allow phpfpm_t etc_t:file map;
 allow phpfpm_t httpd_sys_content_t:file map;
 allow phpfpm_t phpfpm_tmp_t:file map;
 allow phpfpm_t usr_t:file map;
+
+mta_sendmail_exec(phpfpm_t)
+mta_send_mail(phpfpm_t)
+mta_signal_system_mail(phpfpm_t)
+
+logging_send_syslog_msg(phpfpm_t)
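Review bot: `mta_sendmail_exec(phpfpm_t)` on the line before `mta_send_mail(phpfpm_t)` lets PHP-FPM run the sendmail binary without a domain transition; if this policy follows reference policy, where mta_send_mail already provides the transition into the mail domain, the two grants overlap and the no-transition path runs mail submission under phpfpm_t's own permissions rather than the narrower mail domain. If the transition is the intended path, drop the `mta_sendmail_exec(phpfpm_t)` line; if a no-transition exec is genuinely required, a comment naming which caller needs it would justify the wider grant. The new `mta_sendmail_exec(dovecot_deliver_t)` in dovecot_additional.te, placed next to the existing mta_sendmail_domtrans, raises the same question.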

+ 3 - 1
postfix_additional.te

@@ -1,11 +1,13 @@
-policy_module(postfix_additional, 0.0.2)
+policy_module(postfix_additional, 0.0.3)
 
 require {
   type postfix_master_t;
   type porticron_t;
   type postfix_postdrop_t;
+  type dovecot_deliver_t;
 }
 
 allow postfix_postdrop_t porticron_t:unix_stream_socket { getattr read write };
+allow postfix_postdrop_t dovecot_deliver_t:unix_stream_socket { getattr read write };
 
 corenet_tcp_bind_all_unreserved_ports(postfix_master_t)
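Review bot: `allow postfix_postdrop_t dovecot_deliver_t:unix_stream_socket { getattr read write };` grants postdrop read and write on a socket owned by dovecot-deliver; taken together with the new connectto rule in dovecot_additional.te this looks like a descriptor inherited across the postdrop transition rather than something postdrop needs, in which case a `dontaudit` on the same permissions, or closing the socket in dovecot before the exec, would be the tighter choice. It mirrors the porticron_t rule directly above it, so if both exist for the same reason a single comment above the pair, `# sockets inherited across the postdrop domain transition`, would record why the access is granted. The require block also pulls in `type dovecot_deliver_t;` from a module that may be optional; an `optional_policy` wrapper around the rule and its require would keep this module loadable without dovecot.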

+ 3 - 0
spamassassin.te

@@ -88,6 +88,9 @@ files_type(spamd_var_lib_t)
 type spamd_var_run_t;
 files_pid_file(spamd_var_run_t)
 
+type spamd_unit_t;
+init_unit_file(spamd_unit_t)
+
 ########################################
 #
 # Standalone local policy

+ 16 - 9
sysadm_additional.te

@@ -1,16 +1,23 @@
-policy_module(sysadm_additional, 0.0.4)
+policy_module(sysadm_additional, 0.0.11)
 
 require {
   type sysadm_t;
   type atop_initrc_exec_t;
-  type spamd_initrc_exec_t;
-  type auditd_initrc_exec_t;
+  type atop_t;
+  type atop_unit_t;
+  type phpfpm_t;
   type phpfpm_initrc_exec_t;
-  type syslogd_initrc_exec_t;
+  type phpfpm_unit_t;
+  type spamd_t;
+  type spamd_initrc_exec_t;
+  type spamd_unit_t;
+  type unconfined_t;
+  role sysadm_r;
 }
 
-init_labeled_script_domtrans(sysadm_t, atop_initrc_exec_t)
-init_labeled_script_domtrans(sysadm_t, spamd_initrc_exec_t)
-init_labeled_script_domtrans(sysadm_t, auditd_initrc_exec_t)
-init_labeled_script_domtrans(sysadm_t, phpfpm_initrc_exec_t)
-init_labeled_script_domtrans(sysadm_t, syslogd_initrc_exec_t)
+init_startstop_service(sysadm_t, sysadm_r, atop_t, atop_initrc_exec_t, atop_unit_t)
+init_startstop_service(sysadm_t, sysadm_r, spamd_t, spamd_initrc_exec_t, spamd_unit_t)
+init_startstop_service(sysadm_t, sysadm_r, phpfpm_t, phpfpm_initrc_exec_t, phpfpm_unit_t)
+logging_admin_syslog(sysadm_t, sysadm_r)
+logging_admin_audit(sysadm_t, sysadm_r)
+allow sysadm_t unconfined_t:fd use;
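Review bot: `allow sysadm_t unconfined_t:fd use;` on the last line is a raw rule with no comment saying which descriptor sysadm_t inherits from unconfined_t, and `type unconfined_t;` is added to the top-level require block even though the unconfined module is normally optional; wrapping the rule and its require in `optional_policy` and adding a comment naming the inheriting path, for example `# descriptors inherited when unconfined_t changes role to sysadm`, would make the grant both loadable without unconfined and reviewable. Replacing the `init_labeled_script_domtrans` lines for syslogd and auditd with `logging_admin_syslog` and `logging_admin_audit` also widens sysadm_t from starting those services to the logging module's full administrative interface, which in reference policy appears to cover the log data as well as the scripts; if that is intended, a short comment stating it would make the scope change deliberate rather than incidental.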