From 2c7e71b7e93066e616a98a0f3f61b817c9ef982a Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 14 2014 13:59:34 +0000 Subject: * Mon Apr 14 2014 Lukas Vrabec 3.12.1-155 - Allow httpd to send signull to apache script domains and don't audit leaks - Allow rabbitmq_beam to connect to httpd port - Allow aiccu stream connect to pcscd - Allow dmesg to read hwdata and memory dev --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 80d8251..f0ed2b3 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -1644,7 +1644,7 @@ index d6cc2d9..0685b19 100644 + +/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te -index 72bc6d8..17357e5 100644 +index 72bc6d8..bb4a6f0 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -9,6 +9,10 @@ type dmesg_t; @@ -1658,7 +1658,7 @@ index 72bc6d8..17357e5 100644 ######################################## # # Local policy -@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config; +@@ -19,14 +23,18 @@ dontaudit dmesg_t self:capability sys_tty_config; allow dmesg_t self:process signal_perms; @@ -1673,15 +1673,17 @@ index 72bc6d8..17357e5 100644 dev_read_sysfs(dmesg_t) +dev_read_kmsg(dmesg_t) ++dev_read_raw_memory(dmesg_t) fs_search_auto_mountpoints(dmesg_t) -@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t) +@@ -44,10 +52,14 @@ init_use_script_ptys(dmesg_t) logging_send_syslog_msg(dmesg_t) logging_write_generic_logs(dmesg_t) -miscfiles_read_localization(dmesg_t) -- ++miscfiles_read_hwdata(dmesg_t) + userdom_dontaudit_use_unpriv_user_fds(dmesg_t) -userdom_use_user_terminals(dmesg_t) +userdom_use_inherited_user_terminals(dmesg_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 8370211..a0314fc 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch 
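Review bot: `dev_read_raw_memory(dmesg_t)` is a much broader grant than the changelog's "read memory dev" suggests: in refpolicy's devices module it opens `memory_device_t`, which covers /dev/mem, /dev/kmem and /dev/port, so the dmesg domain gains read access to physical memory and I/O ports. Nothing in the hunk says why a kernel-ring-buffer reader needs that, and `dev_read_kmsg(dmesg_t)` on the line just above already covers /dev/kmsg. If the rule only exists to quiet a denial, a dontaudit is the safer fix; if a real access is needed, name the caller above the line, e.g. `# <tool> labeled dmesg_exec_t opens /dev/mem for <reason> — confirm`. Whether dmesg_t also gets `sys_rawio`, which the kernel normally requires to open /dev/mem, is decided in the capability rules outside this hunk, so I cannot tell from here whether the grant is even effective.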
@@ -1592,7 +1592,7 @@ index 3b5dcb9..fbe187f 100644 domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te -index 72c33c2..6e4206c 100644 +index 72c33c2..a9039ce 100644 --- a/aiccu.te +++ b/aiccu.te @@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t) @@ -1603,7 +1603,7 @@ index 72c33c2..6e4206c 100644 corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) corenet_tcp_connect_sixxsconfig_port(aiccu_t) corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) -@@ -60,11 +59,10 @@ domain_use_interactive_fds(aiccu_t) +@@ -60,17 +59,20 @@ domain_use_interactive_fds(aiccu_t) dev_read_rand(aiccu_t) dev_read_urand(aiccu_t) @@ -1617,6 +1617,16 @@ index 72c33c2..6e4206c 100644 optional_policy(` modutils_domtrans_insmod(aiccu_t) + ') + + optional_policy(` ++ pcscd_stream_connect(aiccu_t) ++') ++ ++optional_policy(` + sysnet_dns_name_resolve(aiccu_t) + sysnet_domtrans_ifconfig(aiccu_t) + ') diff --git a/aide.fc b/aide.fc index df6e4d0..4b99c25 100644 --- a/aide.fc @@ -4954,7 +4964,7 @@ index 83e899c..64beed7 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..21d7195 100644 +index 1a82e29..15e3e0b 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,381 @@ @@ -7119,7 +7129,7 @@ index 1a82e29..21d7195 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1602,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1602,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
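Review bot: the new `pcscd_stream_connect(aiccu_t)` lets an IPv6 tunnel-broker client talk to the smart-card daemon's socket with no comment saying why; nothing aiccu does itself involves a card reader, so this looks like a crypto library's PKCS#11 module probing pcscd at startup — an inference, to be confirmed against the original AVC. If it is only probing, a dontaudit rule (or no rule, when the denial is harmless) keeps aiccu_t's reach narrower than an allow; if the connection is genuinely required, record the reason above the call, e.g. `# aiccu's TLS stack loads a PKCS#11 module that contacts pcscd`. Either way the optional_policy block should carry the justification so a later cleanup can tell the two cases apart.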
@@ -7180,7 +7190,7 @@ index 1a82e29..21d7195 100644 -allow httpd_gpg_t httpd_t:process sigchld; +allow httpd_t httpd_script_exec_type:file read_file_perms; +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; -+allow httpd_t httpd_script_type:process { signal sigkill sigstop }; ++allow httpd_t httpd_script_type:process { signal sigkill sigstop signull }; +allow httpd_t httpd_script_exec_type:dir list_dir_perms; -dev_read_rand(httpd_gpg_t) @@ -7195,6 +7205,7 @@ index 1a82e29..21d7195 100644 -miscfiles_read_localization(httpd_gpg_t) +dontaudit httpd_script_type httpd_t:tcp_socket { read write }; ++dontaudit httpd_script_type httpd_t:unix_stream_socket { read write }; -tunable_policy(`httpd_gpg_anon_write',` - miscfiles_manage_public_files(httpd_gpg_t) @@ -24524,6 +24535,19 @@ index a7bfaf0..38bfca8 100644 + # Handle sieve scripts sendmail_domtrans(dovecot_deliver_t) ') +diff --git a/drbd.fc b/drbd.fc +index 671a3fb..c781675 100644 +--- a/drbd.fc ++++ b/drbd.fc +@@ -3,7 +3,7 @@ + /sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) + /sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) + +-/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) ++/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) + + /usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) + /usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) diff --git a/drbd.if b/drbd.if index 9a21639..26c5986 100644 --- a/drbd.if @@ -73779,7 +73803,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..7c4b65b 100644 +index 3698b51..9fb98a1 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) 
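Review bot: `dontaudit httpd_script_type httpd_t:unix_stream_socket { read write }` silences a descriptor leak rather than fixing it: the only way a script domain holds an httpd_t unix_stream_socket is that httpd exec'd the script without closing or CLOEXEC-marking the fd, and the same applies to the tcp_socket rule directly above. Access stays denied, so there is no direct exposure, but the denial was the one signal that httpd hands its sockets — possibly the client connection — to CGI/PHP children, and hiding it removes that evidence from the audit log. I'd put `# leaked fds from httpd_t into script children; real fix is CLOEXEC in httpd, these only quiet the noise` above the pair and file the leak against the httpd package instead of leaving the dontaudit permanent.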
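Review bot: the corrected pattern `/usr/lib/ocf/resource\.d/linbit/drbd` is right — the old `resource.\d` demanded a digit after the dot and so could never match the real path — but the fix appears in neither the changelog nor the commit subject, and an already-installed file keeps whatever label it carried before (most likely the library default) until it is relabeled. Unless the package's %post restorecons that path, which this diff does not show, add a changelog line such as `- Fix file context for the drbd OCF resource agent (requires relabel)` so administrators know to run restorecon on /usr/lib/ocf after the update.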
@@ -73801,7 +73825,7 @@ index 3698b51..7c4b65b 100644 allow rabbitmq_beam_t self:process { setsched signal signull }; allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_beam_t self:tcp_socket { accept listen }; -@@ -38,56 +43,93 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +@@ -38,56 +43,94 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) @@ -73854,6 +73878,7 @@ index 3698b51..7c4b65b 100644 corenet_tcp_connect_epmd_port(rabbitmq_beam_t) +corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) ++corenet_tcp_connect_http_port(rabbitmq_beam_t) -dev_read_sysfs(rabbitmq_beam_t) +domain_read_all_domains_state(rabbitmq_beam_t) @@ -73905,7 +73930,7 @@ index 3698b51..7c4b65b 100644 corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) -@@ -99,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -93158,7 +93183,7 @@ index a240455..3dd6f00 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 8b537aa..fb39837 100644 +index 8b537aa..eb8bb88 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ @@ -93201,7 +93226,7 @@ index 8b537aa..fb39837 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +63,11 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +63,12 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) 
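Review bot: `corenet_tcp_connect_http_port(rabbitmq_beam_t)` lets the broker's Erlang VM initiate connections to every port mapped to http_port_t (80, 443 and the other web ports assigned to that type), and neither the hunk nor the changelog says which RabbitMQ feature needs it. Plugins such as management, federation or shovel would explain it, but that is a guess; a comment naming the feature belongs above the line, e.g. `# federation/management plugin talks HTTP to peers — confirm`, and if only some deployments use it, wrapping the call in a `tunable_policy` block keeps the default policy tighter. The new line is also placed after `corenet_tcp_sendrecv_epmd_port`, breaking the grouping of the surrounding `corenet_tcp_connect_*` calls; it should sit with the other connect rules.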
@@ -93218,10 +93243,11 @@ index 8b537aa..fb39837 100644 corenet_udp_bind_generic_port(sssd_t) corenet_dontaudit_udp_bind_all_ports(sssd_t) +corenet_tcp_connect_kerberos_password_port(sssd_t) ++corenet_tcp_connect_smbd_port(sssd_t) corecmd_exec_bin(sssd_t) -@@ -83,9 +78,7 @@ domain_read_all_domains_state(sssd_t) +@@ -83,9 +79,7 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -93231,7 +93257,7 @@ index 8b537aa..fb39837 100644 files_list_var_lib(sssd_t) fs_list_inotifyfs(sssd_t) -@@ -94,14 +87,15 @@ selinux_validate_context(sssd_t) +@@ -94,14 +88,15 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) # sssd wants to write /etc/selinux//logins/ for SELinux PAM module @@ -93249,7 +93275,7 @@ index 8b537aa..fb39837 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +106,34 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +107,34 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 5429522..d0d2a48 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 154%{?dist} +Release: 155%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,12 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Apr 14 2014 Lukas Vrabec 3.12.1-155 +- Allow httpd to send signull to apache script domains and don't audit leaks +- Allow rabbitmq_beam to connect to httpd port +- Allow aiccu stream connect to pcscd +- Allow dmesg to read hwdata and memory dev + * Sat Apr 12 2014 Lukas Vrabec 3.12.1-154 - Allow all freeipmi domains to read/write ipmi devices - Allow sblim_sfcbd to use also pegasus-https port
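Review bot: `corenet_tcp_connect_smbd_port(sssd_t)` is mentioned in neither the changelog nor the commit subject, so the grant — sssd initiating connections to the SMB/CIFS ports — arrives undocumented. It is plausible for the AD provider (GPO lookups fetch policy files from SYSVOL over SMB, though that is my inference, not something the hunk shows), and if so the rule should say it: `# AD provider reads SYSVOL (GPO) over SMB` above the line, plus a changelog entry such as `- Allow sssd to connect to smbd port`. Without that note a later cleanup has nothing to tell it whether the rule is still needed.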