From 3a4daf804de2611ad4736f4fd33b078800d4f353 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 19 2009 17:19:31 +0000 Subject: - Allow mdadm to read/write mls override --- diff --git a/policy-20080710.patch b/policy-20080710.patch index d59e9d1..50f53e0 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch 
@@ -6351,26 +6351,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalize files_read_etc_runtime_files(webalizer_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2008-10-17 14:49:14.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2009-03-06 09:53:41.000000000 +0100 -@@ -1,4 +1,15 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2009-03-16 15:53:56.000000000 +0100 +@@ -1,4 +1,21 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) -+ + +-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+ -+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+ +/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) ++/usr/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) -+/usr/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) - --/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) --/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) ++ ++/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++ 
++/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.13/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-10-17 14:49:14.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/apps/wine.if 2009-02-10 15:07:15.000000000 +0100 @@ -8779,7 +8785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy Binary files nsaserefpolicy/policy/modules/kernel/.filesystem.if.swp and serefpolicy-3.5.13/policy/modules/kernel/.filesystem.if.swp differ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 14:49:14.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2009-03-18 09:34:45.000000000 +0100 @@ -21,7 +21,7 @@ # Use xattrs for the following filesystem types. 
@@ -8810,7 +8816,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type vxfs_t; fs_noxattr_type(vxfs_t) -@@ -241,6 +248,8 @@ +@@ -199,6 +206,11 @@ + genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0) + genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) + genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) ++# Labeling dosfs_t since these are removable file systems with the i ++# same security properties as dosfs_t ++genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) ++genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0) ++ + + type fusefs_t; + fs_noxattr_type(fusefs_t) +@@ -236,11 +248,11 @@ + genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0) + genfscon afs / gen_context(system_u:object_r:nfs_t,s0) + genfscon coda / gen_context(system_u:object_r:nfs_t,s0) +-genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) +-genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) @@ -18135,20 +18158,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.5.13/policy/modules/services/milter.fc --- nsaserefpolicy/policy/modules/services/milter.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.5.13/policy/modules/services/milter.fc 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/milter.fc 2009-03-17 16:49:14.000000000 +0100 
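Review bot: The new comment above the hfs/hfsplus genfscon lines ends in a stray token — `++# Labeling dosfs_t since these are removable file systems with the i` — which reads like a typo at the line break before `same security properties as dosfs_t`; change it to `# Labeling dosfs_t since these are removable file systems with the`. Moving these filesystems from nfs_t to dosfs_t also changes which interfaces reach HFS media (the fs_*_dos_* family instead of fs_*_nfs_*), and nothing in the hunk records that, so a second comment line stating the intended effect on callers would help whoever later wonders why an nfs_t-based rule stopped matching. The hunk itself is complete; the surrounding filesystem.te content is outside it.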
@@ -0,0 +1,8 @@ + +/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) +/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) -+ ++/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) +/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) + +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.5.13/policy/modules/services/milter.if --- nsaserefpolicy/policy/modules/services/milter.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.5.13/policy/modules/services/milter.if 2009-02-18 14:29:13.000000000 +0100 -@@ -0,0 +1,84 @@ ++++ serefpolicy-3.5.13/policy/modules/services/milter.if 2009-03-17 16:49:58.000000000 +0100 +@@ -0,0 +1,104 @@ +## Milter mail filters + +######################################## 
@@ -18233,10 +18256,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt + getattr_sock_files_pattern($1, milter_data_type, milter_data_type) +') + ++######################################## ++## ++## Manage spamassassin milter state ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`spamass_milter_manage_state',` ++ gen_require(` ++ type spamass_milter_state_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ++ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ++ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.5.13/policy/modules/services/milter.te --- nsaserefpolicy/policy/modules/services/milter.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.5.13/policy/modules/services/milter.te 2009-02-10 15:07:15.000000000 +0100 -@@ -0,0 +1,55 @@ ++++ serefpolicy-3.5.13/policy/modules/services/milter.te 2009-03-17 16:48:44.000000000 +0100 +@@ -0,0 +1,69 @@ + +policy_module(milter, 1.0.0) + @@ -18253,6 +18296,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt +milter_template(regex) +milter_template(spamass) + ++# Type for the spamass-milter home directory, under which spamassassin will ++# store system-wide preferences, bayes databases etc. if not configured to ++# use per-user configuration ++type spamass_milter_state_t; ++files_type(spamass_milter_state_t); ++ +######################################## +# +# milter-regex local policy 
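Review bot: The new interface is named `spamass_milter_manage_state`, but refpolicy interfaces carry the name of the module that declares them, and this one lives in milter.if, so the convention would be `milter_manage_spamass_state` (the caller added in spamassassin.te, hunk @@ -27974, would change to match). The summary and parameter lines of its header comment show no XML markup in this rendering; if the `<summary>`/`<param>` tags were really dropped rather than stripped by the page, the interface will be missing from the generated documentation — worth confirming against the patch file. Since this interface is the only place that hands create/delete rights on the milter state directory to another domain, a one-line comment naming the intended caller (spamd) would also help the next reader.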
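Review bot: `files_type(spamass_milter_state_t);` ends an interface call with a semicolon, which refpolicy style omits — m4 does not consume the `;`, so it lands in the expanded policy as a stray statement terminator that checkmodule may reject; write `files_type(spamass_milter_state_t)`. The same trailing `;` is on `files_search_var_lib(spamass_milter_t);` in the two hunks that follow (@@ -18260 and @@ -18280). The `allow ... :dir search_dir_perms;` lines there are native policy statements and correctly keep theirs.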
@@ -18260,6 +18309,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt +# http://www.benzedrine.cx/milter-regex.html +# + ++# The milter runs from /var/lib/spamass-milter ++files_search_var_lib(spamass_milter_t); ++allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; ++ +# It removes any existing socket (not owned by root) whilst running as root +# and then calls setgid() and setuid() to drop privileges +allow regex_milter_t self:capability { setuid setgid dac_override }; @@ -18280,6 +18333,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt +# http://savannah.nongnu.org/projects/spamass-milt/ +# + ++# The milter runs from /var/lib/spamass-milter ++files_search_var_lib(spamass_milter_t); ++allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; ++ +kernel_read_system_state(spamass_milter_t) + +# When used with -b or -B options, the milter invokes sendmail to send mail @@ -27790,7 +27847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2009-02-18 14:29:57.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2009-03-17 16:50:53.000000000 +0100 @@ -21,16 +21,24 @@ gen_tunable(spamd_enable_home_dirs, true) @@ -27974,8 +28031,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -213,3 +263,131 @@ +@@ -211,5 +261,137 @@ + ') + optional_policy(` ++ spamass_milter_manage_state(spamd_t) ++') ++ ++optional_policy(` udev_read_db(spamd_t) ') + 
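Review bot: The three added lines (`# The milter runs from /var/lib/spamass-milter`, `files_search_var_lib(spamass_milter_t);`, `allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;`) sit under the `milter-regex local policy` header but grant access to spamass_milter_t, and the identical block is added again in the next hunk (@@ -18280) under the spamass-milter section, where it belongs. Drop the copy here; the duplicate allow rule is harmless to the compiled policy, but it misleads anyone auditing what regex_milter_t is permitted. The comment says the milter runs from that directory while the rule only grants `search` on it — if the daemon also reads files there, nothing in this hunk covers that (spamd gets the manage rights separately through the new interface).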
@@ -32615,7 +32678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-03-05 13:40:41.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-03-18 14:31:14.000000000 +0100 @@ -60,12 +60,15 @@ # # /opt @@ -32714,7 +32777,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -233,7 +251,7 @@ +@@ -208,6 +226,9 @@ + /usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++# Canon ++/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + # Fedora Extras packages: ladspa, imlib2, ocaml + /usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -233,7 +254,7 @@ /usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame 
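Review bot: The new entry `/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)` omits the `--` file-type field that every neighbouring textrel_shlib_t entry carries, so it also matches directories and symlinks of that name; use `/usr/lib/libcncpmslld328\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. It is also written without the `lib(64)?` alternation the surrounding entries use — fine if the Canon driver is 32-bit only, but a word in the `# Canon` comment would record that. textrel_shlib_t is the type that allows text relocations (execmod) on the mapped library, so the pattern should be no wider than the driver actually needs.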
@@ -32723,7 +32796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,13 +264,16 @@ +@@ -246,13 +267,16 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -32742,7 +32815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +288,9 @@ +@@ -267,6 +291,9 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -32752,7 +32825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +315,8 @@ +@@ -291,6 +318,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -32761,7 +32834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -307,6 +333,33 @@ +@@ -307,6 +336,33 @@ /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') @@ -33718,7 +33791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.13/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/raid.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/raid.te 2009-03-19 18:14:44.000000000 +0100 @@ -39,6 +39,7 @@ dev_dontaudit_getattr_generic_files(mdadm_t) dev_dontaudit_getattr_generic_chr_files(mdadm_t) @@ -33727,6 +33800,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) +@@ -48,6 +49,9 @@ + storage_dev_filetrans_fixed_disk(mdadm_t) + storage_read_scsi_generic(mdadm_t) + ++mls_file_read_all_levels(mdadm_t) ++mls_file_write_all_levels(mdadm_t) ++ + term_dontaudit_list_ptys(mdadm_t) + + # Helper program access diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.5.13/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-10-17 14:49:13.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.fc 2009-02-10 15:07:15.000000000 +0100 
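Review bot: `mls_file_read_all_levels(mdadm_t)` and `mls_file_write_all_levels(mdadm_t)` make mdadm_t an MLS-trusted subject that bypasses level dominance on every file it can otherwise reach, and neither the hunk nor the commit title says why. Add a justification next to the calls, e.g. `# RAID member devices may carry any MLS level; mdadm must assemble them regardless` — presumably that is the reason, but confirm it against the denial that prompted the change. If mdadm only needs objects up to its own clearance, the narrower `mls_file_read_to_clearance` form would be preferable to the all-levels override. The rest of the mdadm_t policy is outside this hunk.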
@@ -38814,7 +38897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.13/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2009-03-19 18:00:28.000000000 +0100 @@ -20,6 +20,7 @@ /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) @@ -38825,7 +38908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.13/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/xen.if 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/xen.if 2009-03-19 18:01:20.000000000 +0100 @@ -155,7 +155,7 @@ stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t) ') @@ -38851,7 +38934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ') ######################################## -@@ -191,3 +194,24 @@ +@@ -191,3 +194,25 @@ domtrans_pattern($1,xm_exec_t,xm_t) ') 
@@ -38876,9 +38959,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1, xen_image_t, xen_image_t) +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/xen.te 2009-03-19 18:04:54.000000000 +0100 @@ -6,6 +6,13 @@ # Declarations #