From 2b5aecffdbb49a5cf7630885c614ca3ce77cb4cf Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Nov 18 2010 19:32:05 +0000 Subject: - Fixes for dirsrv-admin policy --- diff --git a/policy-F13.patch b/policy-F13.patch index b777f7c..ed834d1 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -15916,7 +15916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-11-11 16:12:33.885398972 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-11-18 16:15:14.895397629 +0100 @@ -19,11 +19,13 @@ # Declarations # @@ -16236,14 +16236,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) + mta_signal(httpd_t) - ') - ++') ++ +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) -+') -+ + ') + +tunable_policy(`httpd_setrlimit',` + allow httpd_t self:process setrlimit; + allow httpd_t self:capability sys_resource; 
@@ -16276,16 +16276,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -528,7 +669,7 @@ +@@ -528,7 +669,18 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') - optional_policy(` +optional_policy(` ++ dirsrv_manage_config(httpd_t) ++ dirsrv_manage_log(httpd_t) ++ dirsrv_manage_var_run(httpd_t) ++ dirsrv_read_share(httpd_t) ++ dirsrv_signal(httpd_t) ++ dirsrv_signull(httpd_t) ++ dirsrvadmin_manage_config(httpd_t) ++ dirsrvadmin_manage_tmp(httpd_t) ++') ++ ++optional_policy(` dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +678,12 @@ +@@ -537,8 +689,12 @@ ') optional_policy(` @@ -16299,7 +16310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -556,7 +701,13 @@ +@@ -556,7 +712,13 @@ ') optional_policy(` @@ -16313,7 +16324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +718,7 @@ +@@ -567,6 +729,7 @@ optional_policy(` nagios_read_config(httpd_t) @@ -16321,7 +16332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,12 +729,23 @@ +@@ -577,12 +740,23 @@ ') optional_policy(` @@ -16345,7 +16356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -591,6 +754,11 @@ +@@ -591,6 +765,11 @@ ') optional_policy(` @@ -16357,7 +16368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -618,6 +786,10 @@ +@@ -618,6 +797,10 @@ userdom_use_user_terminals(httpd_helper_t) 
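Review bot: The new optional_policy block added to apache.te (inner hunk `@@ -528,7 +669,18 @@`) hands every httpd_t process unconditional manage access to the directory server's configuration, logs and pid files (dirsrv_manage_config/log/var_run) plus the admin server's config and tmp, which is a wide grant for a domain that also serves untrusted web content; a compromised web application running in httpd_t could then rewrite the LDAP server's configuration. The block also mixes dirsrv_* and dirsrvadmin_* interfaces in one optional_policy, and if dirsrv and dirsrv-admin are separate modules, as the changelog line "Add dirsrv and dirsrv-admin policy" suggests, the whole block is silently dropped whenever either module is absent. Insert `')`, a blank line and `optional_policy(`` after `dirsrv_signull(httpd_t)` so each module gets its own block, and consider wrapping the manage rules in a tunable_policy boolean (declared with gen_tunable and a <desc> in the declarations section, outside this hunk) so the access is opt-in for hosts that actually run the admin server inside httpd_t. A one-line why-comment such as `# 389 admin server runs under httpd_t and edits the directory server config` would record the intent. The surrounding apache.te policy body runs outside the hunk on both sides.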
@@ -16368,7 +16379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -699,17 +871,18 @@ +@@ -699,17 +882,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -16390,7 +16401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +913,21 @@ +@@ -740,10 +924,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -16413,7 +16424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +953,12 @@ +@@ -769,6 +964,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -16426,7 +16437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -792,9 +982,13 @@ +@@ -792,9 +993,13 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -16440,7 +16451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +997,28 @@ +@@ -803,6 +1008,28 @@ mta_send_mail(httpd_sys_script_t) ') @@ -16469,7 +16480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1046,16 @@ +@@ -830,6 +1057,16 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') 
@@ -16486,7 +16497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1068,7 @@ +@@ -842,6 +1079,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -16494,7 +16505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1118,33 @@ +@@ -891,11 +1129,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -19815,7 +19826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.19/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-08-24 15:32:42.307335306 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-11-18 15:47:35.785397612 +0100 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -20029,15 +20040,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -387,6 +451,7 @@ +@@ -387,6 +451,9 @@ # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) +files_create_boot_flag(system_cronjob_t) ++ ++mls_file_read_to_clearance(system_cronjob_t) init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -411,6 +476,8 @@ +@@ -411,6 +478,8 @@ ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files 
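Review bot: The added `mls_file_read_to_clearance(system_cronjob_t)` in cron.te (inner hunk `@@ -387,6 +451,9 @@`) is an MLS change unrelated to the dirsrv-admin fix this commit advertises, and the spec changelog entry for 3.7.19-73 does not mention it, so it is invisible to anyone auditing what this release changed. Judging by the interface name it lets system cron jobs read files labeled at any level up to the job's clearance on MLS hosts, which is a privilege widening that deserves its own changelog line and a why-comment in the policy, e.g. `# MLS: system cron jobs read files up to their clearance`. The rest of the system_cronjob_t policy that this rule joins lies outside the hunk.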
@@ -20046,7 +20059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -435,6 +502,8 @@ +@@ -435,6 +504,8 @@ apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -20055,7 +20068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -442,6 +511,14 @@ +@@ -442,6 +513,14 @@ ') optional_policy(` @@ -20070,7 +20083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ftp_read_log(system_cronjob_t) ') -@@ -452,15 +529,24 @@ +@@ -452,15 +531,24 @@ ') optional_policy(` @@ -20095,7 +20108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -476,7 +562,7 @@ +@@ -476,7 +564,7 @@ prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -20104,7 +20117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -491,6 +577,7 @@ +@@ -491,6 +579,7 @@ optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -20112,7 +20125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -498,6 +585,9 @@ +@@ -498,6 +587,9 @@ ') optional_policy(` @@ -20122,7 +20135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -591,6 +681,7 @@ +@@ -591,6 +683,7 @@ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 446580a..d4da75d 100644 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 72%{?dist}
+Release: 73%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Nov 18 2010 Miroslav Grepl 3.7.19-73
+- Fixes for dirsrv-admin policy
+
 * Mon Nov 15 2010 Miroslav Grepl 3.7.19-72
 - Allow mysqld-safe to send system log messages
 - Add dirsrv and dirsrv-admin policy