From 14892547e5336e2ce28b3807a3ae040fe65c53dc Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 14 2008 20:25:46 +0000 Subject: - Allow udev to send audit messages --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 0ae1202..a94013a 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -5590,7 +5590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type lvm_control_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.7/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/kernel/domain.te 2008-02-13 16:57:15.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/kernel/domain.te 2008-02-14 15:03:13.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -5622,7 +5622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -148,3 +156,25 @@ +@@ -148,3 +156,26 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -5647,6 +5647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + +optional_policy(` + unconfined_dontaudit_rw_pipes(domain) ++ unconfined_sigchld(domain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.7/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 
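Review bot: The `unconfined_sigchld(domain)` line added inside the domain.te `optional_policy` block is not covered by the commit subject ("Allow udev to send audit messages"), and because `domain` is the attribute carried by every process domain it lets any domain deliver SIGCHLD to unconfined domains. The grant itself is low risk, but a rule applied to every domain should record what motivated it, otherwise the next maintainer cannot tell whether it can be narrowed to the one domain that needed it. A one-line comment above the block, such as `# <process that raised the sigchld denial> exits under an unconfined parent`, or a mention in the commit message would be enough; the polkit.te change later in this commit is likewise unmentioned in the subject. The renumbered inner header (`+@@ -148,3 +156,26 @@`) is consistent with the single inserted line.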
@@ -15371,8 +15372,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.7/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/polkit.te 2008-02-13 16:57:15.000000000 -0500 -@@ -0,0 +1,156 @@ ++++ serefpolicy-3.2.7/policy/modules/services/polkit.te 2008-02-14 09:29:19.000000000 -0500 +@@ -0,0 +1,157 @@ +policy_module(polkit_auth,1.0.0) + +######################################## @@ -15476,6 +15477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir }) + +userdom_append_unpriv_users_home_content_files(polkit_auth_t) ++userdom_dontaudit_read_unpriv_users_home_content_files(polkit_auth_t) + +optional_policy(` + dbus_system_bus_client_template(polkit_auth, polkit_auth_t) @@ -25667,7 +25669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet xen_append_log(ifconfig_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.2.7/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/udev.te 2008-02-13 16:57:16.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/udev.te 2008-02-14 14:30:05.000000000 -0500 @@ -83,6 +83,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) 
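Review bot: `userdom_dontaudit_read_unpriv_users_home_content_files(polkit_auth_t)` silences the audit record for polkit_auth_t reading unprivileged users' home content rather than granting or visibly denying it, and it sits directly under `userdom_append_unpriv_users_home_content_files(polkit_auth_t)`, so a reader cannot tell whether the read is a side effect of the append path or a separate access that ought to stay auditable. A dontaudit also removes the AVC denial that would otherwise expose a misbehaving polkit_auth_t touching home files, which is exactly the kind of event an administrator relies on the audit log to show. Please add a comment naming the triggering access, e.g. `# <path/operation that raised the denial>: read is not required, silence it`, or replace the dontaudit with an explicit allow if the read is genuinely needed. The inner header bump (`+@@ -0,0 +1,157 @@`) matches the one added line.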
@@ -25686,7 +25688,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t domain_read_all_domains_state(udev_t) domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these -@@ -189,6 +187,7 @@ +@@ -142,6 +140,7 @@ + + logging_search_logs(udev_t) + logging_send_syslog_msg(udev_t) ++logging_send_audit_msgs(udev_t) + + miscfiles_read_localization(udev_t) + +@@ -189,6 +188,7 @@ optional_policy(` alsa_domtrans(udev_t) @@ -25694,7 +25704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t alsa_read_rw_config(udev_t) ') -@@ -197,6 +196,10 @@ +@@ -197,6 +197,10 @@ ') optional_policy(` @@ -25732,7 +25742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.7/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/unconfined.if 2008-02-13 16:57:16.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/unconfined.if 2008-02-14 15:02:03.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -26319,7 +26329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/userdomain.if 2008-02-13 16:57:16.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/userdomain.if 2008-02-14 09:29:10.000000000 -0500 @@ -29,9 +29,14 @@ ')
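Review bot: `logging_send_audit_msgs(udev_t)` is added to udev.te without a comment, and in refpolicy that interface does more than its name suggests: as defined in logging.if it grants the `audit_write` capability plus socket-creation and `nlmsg_relay` access on the domain's own netlink_audit_socket, so udev_t can inject user-space records into the audit trail. That is what the commit subject asks for, but because it broadens the set of domains that can write the audit log a short why-comment above the line would help, e.g. `# udev emits audit records for <event that required it>; needs audit_write and netlink relay`. The two renumbered inner headers in this hunk (`+@@ -189,6 +188,7 @@` and, in the next hunk, `+@@ -197,6 +197,10 @@`) are consistent with the single inserted line.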