From 0eaa2c908c751f7c7400acd94aab459d05085433 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Dec 20 2010 18:32:50 +0000
Subject: - Fixes for certmonger - Backport passenger policy - Allow run_init to read console_device - Add label for /var/lib/dkim-milter - Fixes for munin policy
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 4f68a1a..f302c42 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -669,6 +669,13 @@ hal = module
 hddtemp = module
 # Layer: services
+# Module: passenger
+#
+# Passenger
+#
+passenger = module
+
+# Layer: services
 # Module: policykit
 #
 # Hardware abstraction layer
diff --git a/policy-F13.patch b/policy-F13.patch
index 26760ce..6d6cfe8 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1017,8 +1017,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil +/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.7.19/policy/modules/admin/netutils.if --- nsaserefpolicy/policy/modules/admin/netutils.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/netutils.if 2010-06-15 18:40:03.058768889 +0200 -@@ -299,3 +299,4 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/netutils.if 2010-12-15 14:42:55.632042421 +0100 +@@ -41,6 +41,7 @@ + ') + + netutils_domtrans($1) ++ allow $1 netutils_t:process { signal sigkill }; + role $2 types netutils_t; + ') + +@@ -158,6 +159,7 @@ + + netutils_domtrans_ping($1) + role $2 types ping_t; ++ allow $1 ping_t:process { signal sigkill }; + ') + + ######################################## +@@ -187,6 +189,7 @@ + + if ( user_ping ) { + netutils_domtrans_ping($1) ++ allow $1 ping_t:process { signal sigkill }; + } + ') + +@@ -250,6 +253,7 @@ + + netutils_domtrans_traceroute($1) + role $2 types traceroute_t; ++ allow $1 traceroute_t:process { signal sigkill }; + ') + + ######################################## +@@ -279,6 +283,7 @@ + + if( user_ping ) { + netutils_domtrans_traceroute($1) ++ allow $1 traceroute_t:process { signal sigkill }; + } + ') + +@@ -299,3 +304,4 @@ can_exec($1, traceroute_exec_t) ') @@ -6915,8 +6955,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.19/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-05-28 09:42:00.001611798 +0200 -@@ -50,6 +50,8 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-12-20 15:25:40.428041440 +0100 +@@ -50,9 +50,12 @@ # # qemu local policy # 
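Review bot: The five `allow $1 …_t:process { signal sigkill };` lines added to the netutils.if run interfaces (the one around inner line 41 calling `netutils_domtrans($1)`, the ping and traceroute ones, and both `_cond` variants) make every caller of a run interface able to kill netutils/ping/traceroute processes, and the staff.te hunks later in this commit still call `netutils_kill_ping(staff_t)` next to `netutils_run_ping(staff_t, staff_r)`, so the same grant is now expressed twice. If the intent is that any domain allowed to run these tools may also kill them, state that in each interface's `##` description and call the existing signal/kill interface from inside the run interface instead of open-coding the allow, then drop the duplicate call in staff.te. Placement is also inconsistent: in the first interface the allow precedes `role $2 types netutils_t;`, in the other four it follows the role line. The qemu.te hunk `@@ -50,9 +50,12 @@` that shares this physical line continues on the next one.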
@@ -6925,7 +6965,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te userdom_search_user_home_content(qemu_t) userdom_read_user_tmpfs_files(qemu_t) -@@ -100,6 +102,10 @@ ++userdom_stream_connect(qemu_t) + + tunable_policy(`qemu_full_network',` + allow qemu_t self:udp_socket create_socket_perms; +@@ -100,6 +103,10 @@ xen_rw_image_files(qemu_t) ') @@ -6936,7 +6980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te ######################################## # # Unconfined qemu local policy -@@ -109,7 +115,10 @@ +@@ -109,7 +116,10 @@ type unconfined_qemu_t; typealias unconfined_qemu_t alias qemu_unconfined_t; application_type(unconfined_qemu_t) @@ -12365,8 +12409,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.19/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-07-21 16:02:00.296133754 +0200 -@@ -9,25 +9,56 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-12-15 14:43:54.408042196 +0100 +@@ -9,25 +9,58 @@ role staff_r; userdom_unpriv_user_template(staff) @@ -12392,7 +12436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +seutil_read_module_store(staff_t) +seutil_run_newrole(staff_t, staff_r) +netutils_run_ping(staff_t, staff_r) ++netutils_run_traceroute(staff_t, staff_r) +netutils_signal_ping(staff_t) ++netutils_kill_ping(staff_t) + optional_policy(` apache_role(staff_r, staff_t) @@ -12423,7 +12469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t bluetooth_role(staff_r, staff_t) ') -@@ -99,12 +130,18 @@ +@@ -99,12 +132,18 @@ oident_manage_user_content(staff_t) oident_relabel_user_content(staff_t) ') 
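Review bot: `userdom_stream_connect(qemu_t)` is added to the confined qemu domain with no comment; if this is the refpolicy interface that allows connectto on every user domain's unix stream sockets, it is a broad grant for a guest-facing process and a later reviewer cannot tell which socket it was meant for. Add a why-comment above it naming the consumer (`# qemu_t needs to reach <socket> — TODO confirm` with the real socket filled in), or narrow it to the specific domain that owns the socket. The qemu local-policy block this sits in begins on the previous physical line.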
@@ -12442,7 +12488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t pyzor_role(staff_r, staff_t) ') -@@ -119,22 +156,27 @@ +@@ -119,22 +158,27 @@ optional_policy(` screen_role_template(staff, staff_r, staff_t) ') @@ -12470,7 +12516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t optional_policy(` sudo_role_template(staff, staff_r, staff_t) -@@ -145,6 +187,11 @@ +@@ -145,6 +189,11 @@ userdom_dontaudit_use_user_terminals(staff_t) ') @@ -12482,7 +12528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t optional_policy(` thunderbird_role(staff_r, staff_t) ') -@@ -169,6 +216,77 @@ +@@ -169,6 +218,77 @@ wireshark_role(staff_r, staff_t) ') @@ -14104,7 +14150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.19/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/roles/unprivuser.te 2010-05-28 09:42:00.049610676 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/unprivuser.te 2010-12-15 14:45:10.473042920 +0100 @@ -13,10 +13,13 @@ userdom_unpriv_user_template(user) @@ -14119,13 +14165,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu optional_policy(` auth_role(user_r, user_t) ') -@@ -109,11 +112,25 @@ +@@ -109,11 +112,30 @@ optional_policy(` rssh_role(user_r, user_t) ') +') + +optional_policy(` ++ netutils_run_ping_cond(user_t, user_r) ++ netutils_run_traceroute_cond(user_t, user_r) ++') ++ ++optional_policy(` + rpm_dontaudit_dbus_chat(user_t) +') + 
@@ -14145,7 +14196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu optional_policy(` spamassassin_role(user_r, user_t) ') -@@ -154,6 +171,12 @@ +@@ -154,6 +176,12 @@ wireshark_role(user_r, user_t) ') @@ -17978,7 +18029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-12-01 11:34:55.678040906 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-12-15 15:05:16.296042554 +0100 @@ -0,0 +1,92 @@ +policy_module(certmonger,1.0.0) + @@ -18005,7 +18056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +# certmonger local policy +# + -+allow certmonger_t self:capability { kill sys_nice }; ++allow certmonger_t self:capability { dac_override dac_read_search kill sys_nice }; +dontaudit certmonger_t self:capability sys_tty_config; + +allow certmonger_t self:process { fork getsched setsched sigkill }; @@ -22546,7 +22597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-12-01 11:51:00.058042190 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-12-15 15:26:48.255042227 +0100 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) 
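Review bot: `dac_override` added to certmonger_t's self:capability set (`{ dac_override dac_read_search kill sys_nice }`) lets the daemon bypass every DAC permission check, which is the usual overreach when the real trigger was a denial on a root-owned key store; `dac_read_search` alone covers reading and searching such files, and if a write was denied, fixing the ownership of the target file is preferable to the capability. If dac_override is genuinely required, leave a comment above the allow naming which files need it so the next reviewer can re-evaluate rather than inherit it. The certmonger.te block this hunk edits is the "certmonger local policy" section whose remainder is outside this hunk.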
@@ -22581,7 +22632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove # -allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; -+allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; ++allow dovecot_t self:capability { dac_override dac_read_search fsetid chown kill net_bind_service setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; -allow dovecot_t self:process { setrlimit signal_perms getcap setcap }; +allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; @@ -25107,15 +25158,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.7.19/policy/modules/services/milter.fc --- nsaserefpolicy/policy/modules/services/milter.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/milter.fc 2010-09-09 10:52:57.640084901 +0200 -@@ -1,3 +1,6 @@ ++++ serefpolicy-3.7.19/policy/modules/services/milter.fc 2010-12-20 15:10:54.057041234 +0100 +@@ -1,10 +1,15 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) -@@ -5,6 +8,7 @@ + ++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) 
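Review bot: The new milter.fc entry `/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)` refers to a type that no milter.te hunk in this commit declares; unless the patched milter.te already has `type dkim_milter_data_t;` with `files_type(dkim_milter_data_t)` and manage rules for the domain behind `dkim_milter_exec_t`, the file context is invalid and the module build or setfiles will reject it. The `dkim_milter_private_key_t` entry above it is pre-existing context, so it is not evidence that the data type exists. The dovecot hunk on this line adds `fsetid` to dovecot_t's capabilities without a comment; a one-line note on which operation needed it would help, since the capability set is already the widest part of that domain.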
@@ -25593,8 +25645,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te --- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-11-11 20:18:12.828425369 +0100 -@@ -0,0 +1,122 @@ ++++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-12-16 10:26:52.090042381 +0100 +@@ -0,0 +1,123 @@ + +policy_module(mpd,1.0.0) + @@ -25677,6 +25729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +corenet_tcp_bind_mpd_port(mpd_t) +corenet_tcp_bind_soundd_port(mpd_t) + ++dev_read_sound(mpd_t) +dev_read_sysfs(mpd_t) + +files_read_usr_files(mpd_t) @@ -26163,8 +26216,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.19/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-05-28 09:42:00.127610888 +0200 -@@ -6,6 +6,64 @@ ++++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-12-15 13:43:16.366042386 +0100 +@@ -6,6 +6,65 @@ /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) 
@@ -26213,6 +26266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) +/usr/share/munin/plugins/load -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) +/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) +/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) +/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) @@ -26328,7 +26382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-10-01 15:27:17.303600577 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-12-20 16:38:45.976041956 +0100 @@ -28,12 +28,26 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -26397,7 +26451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -164,3 +186,161 @@ +@@ -164,3 +186,164 @@ optional_policy(` udev_read_db(munin_t) ') 
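Review bot: The added `/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)` uses a type name that matches none of its neighbours, which all use `munin_system_plugin_exec_t`, and the munin.te hunks later in this commit only name `munin_system_plugin_t`; unless `system_munin_plugin_exec_t` is declared somewhere, this entry fails at policy build or setfiles time. The pattern is also a regex, not a shell glob: `munin_*` matches `munin` followed by zero or more underscores, so it will not match the plugin names it is meant to cover. The line should read `/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)`.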
@@ -26478,6 +26532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +# local policy for service plugins +# + ++allow munin_services_plugin_t self:sem create_sem_perms; +allow munin_services_plugin_t self:tcp_socket create_stream_socket_perms; +allow munin_services_plugin_t self:udp_socket create_socket_perms; +allow munin_services_plugin_t self:netlink_route_socket r_netlink_socket_perms; @@ -26498,6 +26553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +sysnet_read_config(munin_services_plugin_t) + +optional_policy(` ++ cups_read_config(munin_services_plugin_t) + cups_stream_connect(munin_services_plugin_t) +') + @@ -26556,6 +26612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +sysnet_exec_ifconfig(munin_system_plugin_t) + +term_getattr_unallocated_ttys(munin_system_plugin_t) ++term_getattr_all_ttys(munin_system_plugin_t) +term_getattr_all_ptys(munin_system_plugin_t) + +auth_use_nsswitch(munin_system_plugin_t) @@ -26896,7 +26953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.19/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-12-03 10:08:04.831042328 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-12-15 15:55:10.404042137 +0100 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -26969,7 +27026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ######################################## # # Nagios local policy -@@ -60,6 +100,9 @@ +@@ -60,8 +100,12 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) 
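Review bot: `term_getattr_all_ttys(munin_system_plugin_t)` is inserted directly under the existing `term_getattr_unallocated_ttys(munin_system_plugin_t)`; if, as in refpolicy, the all-ttys interface covers every ttynode including the unallocated tty type, the older line is now redundant and one of the two should go, with a comment saying which plugin's statistics need tty getattr. The `allow munin_services_plugin_t self:sem create_sem_perms;` and `cups_read_config(munin_services_plugin_t)` additions in the other hunks on this line are equally uncommented; a short note naming the plugin that triggered each would keep these domains from accumulating unexplained rules.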
@@ -26978,8 +27035,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) ++kernel_read_software_raid_state(nagios_t) -@@ -76,6 +119,9 @@ + corecmd_exec_bin(nagios_t) + corecmd_exec_shell(nagios_t) +@@ -76,6 +120,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) @@ -26989,7 +27049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) -@@ -86,13 +132,12 @@ +@@ -86,13 +133,12 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -27005,7 +27065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -103,12 +148,13 @@ +@@ -103,12 +149,13 @@ userdom_dontaudit_search_user_home_dirs(nagios_t) mta_send_mail(nagios_t) @@ -27022,7 +27082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi optional_policy(` seutil_sigchld_newrole(nagios_t) -@@ -118,61 +164,63 @@ +@@ -118,61 +165,63 @@ udev_read_db(nagios_t) ') @@ -27118,7 +27178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,11 +231,15 @@ +@@ -183,11 +232,15 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) @@ -27134,7 +27194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi logging_send_syslog_msg(nrpe_t) miscfiles_read_localization(nrpe_t) -@@ -199,6 +251,11 @@ +@@ -199,6 +252,11 @@ ') optional_policy(` @@ -27146,7 +27206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi seutil_sigchld_newrole(nrpe_t) ') -@@ -209,3 +266,148 @@ +@@ -209,3 +267,148 @@ optional_policy(` udev_read_db(nrpe_t) ') 
@@ -28803,6 +28863,157 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads + files_search_etc($1) admin_pattern($1, pads_config_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.fc serefpolicy-3.7.19/policy/modules/services/passenger.fc +--- nsaserefpolicy/policy/modules/services/passenger.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/passenger.fc 2010-12-20 17:53:36.719051943 +0100 +@@ -0,0 +1,6 @@ ++ ++/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) ++ ++/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.if serefpolicy-3.7.19/policy/modules/services/passenger.if +--- nsaserefpolicy/policy/modules/services/passenger.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/passenger.if 2010-12-20 17:53:36.719051943 +0100 +@@ -0,0 +1,67 @@ ++## Passenger policy ++ ++###################################### ++## ++## Execute passenger in the passenger domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`passenger_domtrans',` ++ gen_require(` ++ type passenger_t, passenger_exec_t; ++ ') ++ ++ allow $1 self:capability { fowner fsetid }; ++ ++ allow $1 passenger_t:process signal; ++ ++ domtrans_pattern($1, passenger_exec_t, passenger_t) ++ allow $1 passenger_t:unix_stream_socket { read write shutdown }; ++ allow passenger_t $1:unix_stream_socket { read write }; ++') ++ ++###################################### ++## ++## Manage passenger var_run content. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`passenger_manage_pid_content',` ++ gen_require(` ++ type passenger_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++') ++ ++######################################## ++## ++## Read passenger lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`passenger_read_lib_files',` ++ gen_require(` ++ type passenger_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.te serefpolicy-3.7.19/policy/modules/services/passenger.te +--- nsaserefpolicy/policy/modules/services/passenger.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/passenger.te 2010-12-20 17:55:05.720041285 +0100 +@@ -0,0 +1,66 @@ ++policy_module(passanger, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type passenger_t; ++type passenger_exec_t; ++domain_type(passenger_t) ++domain_entry_file(passenger_t, passenger_exec_t) ++role system_r types passenger_t; ++ ++type passenger_tmp_t; ++files_tmp_file(passenger_tmp_t) ++ ++type passenger_var_lib_t; ++files_type(passenger_var_lib_t) ++ ++type passenger_var_run_t; ++files_pid_file(passenger_var_run_t) ++ ++permissive passenger_t; ++ ++######################################## ++# ++# passanger local policy ++# ++ ++allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid }; ++allow passenger_t self:process signal; ++allow passenger_t self:fifo_file rw_fifo_file_perms; ++allow passenger_t self:unix_stream_socket { 
create_stream_socket_perms connectto }; ++ ++files_search_var_lib(passenger_t) ++manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) ++manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) ++ ++manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) ++manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) ++manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) ++manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) ++files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) ++ ++kernel_read_system_state(passenger_t) ++kernel_read_kernel_sysctls(passenger_t) ++ ++corenet_tcp_connect_http_port(passenger_t) ++ ++corecmd_exec_bin(passenger_t) ++corecmd_exec_shell(passenger_t) ++ ++dev_read_urand(passenger_t) ++ ++files_read_etc_files(passenger_t) ++ ++auth_use_nsswitch(passenger_t) ++ ++miscfiles_read_localization(passenger_t) ++ ++userdom_dontaudit_use_user_terminals(passenger_t) ++ ++optional_policy(` ++ apache_append_log(passenger_t) ++ apache_read_sys_content(passenger_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.19/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2010-08-17 15:11:28.402085340 +0200 
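Review bot: `policy_module(passanger, 1.0.0)` misspells the module name: modules-targeted.conf in this commit registers `passenger = module` and the files are passenger.fc/.if/.te, so the built module will not carry the name the configuration expects; it should be `policy_module(passenger, 1.0.0)` (the `# passanger local policy` header has the same typo). In passenger.if, `passenger_domtrans` adds `allow $1 self:capability { fowner fsetid };` and `allow passenger_t $1:unix_stream_socket { read write };` on the calling domain — a domtrans interface silently granting its caller capabilities is a side effect no caller expects, so move the capability allow into the caller's own .te or a separately named interface and describe the socket exchange in the `##` block. `permissive passenger_t;` means none of the allows below it are enforced; if that is an intentional bring-up state, say so in a comment so it is not shipped as-is, and when it is removed the `{ dac_override fsetid fowner chown setuid setgid }` self capability set deserves a second look since it combines DAC bypass with uid/gid changes. This hunk starts on the earlier physical line holding `@@ -28803,6 +28863,157 @@` and its trailing pcscd.te lines are context.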
@@ -35254,8 +35465,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor domain_use_interactive_fds(snort_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.19/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.fc 2010-07-21 09:52:32.681135100 +0200 -@@ -1,15 +1,27 @@ ++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.fc 2010-12-20 16:58:16.259041911 +0100 +@@ -1,15 +1,28 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -35271,6 +35482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) 
@@ -42131,16 +42343,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.19/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-12-01 16:12:34.019051437 +0100 -@@ -10,6 +10,7 @@ ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-12-20 14:52:26.229042213 +0100 +@@ -9,7 +9,9 @@ + # /etc # /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ++/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) +/etc/timezone -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) ifdef(`distro_redhat',` -@@ -75,13 +76,11 @@ +@@ -75,13 +77,11 @@ /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -43365,7 +43579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-10-26 10:36:50.480651251 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-12-20 16:32:51.450041217 +0100 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) 
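Review bot: `/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)` labels the whole Apache NSS database directory as cert_t, the type readable by every domain that uses the miscfiles certificate-read interfaces; if that directory also holds the key database, private key material becomes readable far beyond certmonger and httpd. A dedicated type with read access only for the domains that need it would be tighter; if cert_t is deliberate because certmonger's rules only know cert_t, a comment on the line stating that trade-off would keep it from being copied elsewhere.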
@@ -43515,7 +43729,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -383,7 +392,6 @@ +@@ -375,6 +384,8 @@ + + mls_rangetrans_source(run_init_t) + ++term_use_console(run_init_t) ++ + selinux_validate_context(run_init_t) + selinux_compute_access_vector(run_init_t) + selinux_compute_create_context(run_init_t) +@@ -383,7 +394,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -43523,7 +43746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -406,6 +414,10 @@ +@@ -406,6 +416,10 @@ ') ') @@ -43534,7 +43757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -421,61 +433,22 @@ +@@ -421,61 +435,22 @@ # semodule local policy # @@ -43548,16 +43771,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) -- --kernel_read_system_state(semanage_t) --kernel_read_kernel_sysctls(semanage_t) +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; --corecmd_exec_bin(semanage_t) +-kernel_read_system_state(semanage_t) +-kernel_read_kernel_sysctls(semanage_t) +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +-corecmd_exec_bin(semanage_t) +- -dev_read_urand(semanage_t) - -domain_use_interactive_fds(semanage_t) 
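Review bot: The changelog entry says run_init should read console_device, but `term_use_console(run_init_t)` grants read and write on the console (rw_chr_file_perms in refpolicy), so the rule is wider than the stated need; if reading is all that is required, a comment noting that the closest available interface was used, or a narrower rule, would keep the grant from being widened silently. The semanage_t hunks on this line and the next only reorder existing lines and need no change.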
@@ -43581,11 +43804,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) -- --locallogin_use_fds(semanage_t) +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) +-locallogin_use_fds(semanage_t) +- -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) @@ -43604,7 +43827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -484,12 +457,24 @@ +@@ -484,12 +459,24 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -43629,7 +43852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,112 +484,54 @@ +@@ -499,112 +486,54 @@ userdom_read_user_tmp_files(semanage_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b5178dd..2522639 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 76%{?dist} +Release: 77%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,13 @@ exit 0 %endif %changelog +* Mon Dec 20 2010 Miroslav Grepl 3.7.19-77 +- Fixes for certmonger +- Backport passenger policy +- Allow run_init to read console_device +- Add label for /var/lib/dkim-milter +- Fixes for munin policy + * Thu Dec 9 2010 Miroslav Grepl 3.7.19-76 - Fixes for clamscan