From 4444c30265fc797f3ba7062f5ff17faa8d290ab4 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 22 2007 21:27:07 +0000 Subject: - Allow XServer to read /proc/self/cmdline - Fix unconfined cron jobs - Allow fetchmail to transition to procmail - Fixes for hald_mac - Allow system_mail to transition to exim - Allow tftpd to upload files - Allow xdm to manage unconfined_tmp - Allow udef to read alsa config - Fix xguest to be able to connect to sound port --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index d912b95..ea86836 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -254,3 +254,7 @@ allow_xguest_exec_content = false # Only allow browser to use the web # browser_confine_xguest=true + +# Allow postfix locat to write to mail spool +# +allow_postfix_local_write_mail_spool=true diff --git a/policy-20070703.patch b/policy-20070703.patch index fe5216b..be6022a 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -766,7 +766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc +/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if --- nsaserefpolicy/policy/modules/admin/alsa.if 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/alsa.if 2007-10-22 10:19:13.000000000 -0400 @@ -74,3 +74,39 @@ read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) 
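Review bot: The new boolean `allow_postfix_local_write_mail_spool` is switched on by default in booleans-targeted.conf, which widens what the postfix local-delivery domain may do on the mail spool for every targeted install, yet the commit subject does not list it and the comment above it misspells the domain. I would fix the comment to read `# Allow postfix local to write to mail spool` and add one line saying why the default is true rather than false, since a default-on boolean cannot be discovered from the changelog. The postfix.if/postfix.te hunks that implement the tunable appear further down in this patch with only timestamp changes visible here, so I cannot confirm which rules it gates.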
@@ -4358,7 +4358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy files_mountpoint(vxfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-19 11:00:20.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-22 10:49:20.000000000 -0400 @@ -352,6 +352,24 @@ ######################################## @@ -5128,7 +5128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-10-22 17:13:12.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -5249,7 +5249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -284,6 +335,7 @@ +@@ -284,19 +335,22 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -5257,7 +5257,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -330,6 +382,10 @@ +-corenet_tcp_sendrecv_all_if(httpd_t) + corenet_udp_sendrecv_all_if(httpd_t) +-corenet_tcp_sendrecv_all_nodes(httpd_t) + corenet_udp_sendrecv_all_nodes(httpd_t) +-corenet_tcp_sendrecv_all_ports(httpd_t) + corenet_udp_sendrecv_all_ports(httpd_t) ++ ++corenet_tcp_sendrecv_all_ports(httpd_t) ++corenet_tcp_sendrecv_all_if(httpd_t) + corenet_tcp_bind_all_nodes(httpd_t) + corenet_tcp_bind_http_port(httpd_t) + corenet_tcp_bind_http_cache_port(httpd_t) ++corenet_tcp_sendrecv_all_nodes(httpd_t) + corenet_sendrecv_http_server_packets(httpd_t) ++ + # Signal self for shutdown + corenet_tcp_connect_http_port(httpd_t) + +@@ -330,6 +384,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -5268,7 +5286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -348,7 +404,9 @@ +@@ -348,7 +406,9 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -5279,7 +5297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) -@@ -360,6 +418,7 @@ +@@ -360,6 +420,7 @@ # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) @@ -5287,7 +5305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -367,6 +426,16 @@ +@@ -367,6 +428,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') 
@@ -5304,7 +5322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -387,6 +456,17 @@ +@@ -387,6 +458,17 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -5322,7 +5340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -404,11 +484,21 @@ +@@ -404,11 +486,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -5344,7 +5362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -430,6 +520,12 @@ +@@ -430,6 +522,12 @@ ') optional_policy(` @@ -5357,7 +5375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac calamaris_read_www_files(httpd_t) ') -@@ -442,8 +538,15 @@ +@@ -442,8 +540,15 @@ ') optional_policy(` @@ -5374,7 +5392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -457,11 +560,11 @@ +@@ -457,11 +562,11 @@ optional_policy(` mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) @@ -5387,7 +5405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -481,6 +584,7 @@ +@@ -481,6 +586,7 @@ ') optional_policy(` @@ -5395,7 +5413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -512,10 +616,16 @@ +@@ -512,10 +618,16 @@ tunable_policy(`httpd_tty_comm',` # cjp: this is redundant: term_use_controlling_term(httpd_helper_t) 
@@ -5413,7 +5431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -553,6 +663,7 @@ +@@ -553,6 +665,7 @@ optional_policy(` mysql_stream_connect(httpd_php_t) @@ -5421,7 +5439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -567,7 +678,6 @@ +@@ -567,7 +680,6 @@ allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; @@ -5429,7 +5447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -581,6 +691,10 @@ +@@ -581,6 +693,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -5440,7 +5458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -606,6 +720,10 @@ +@@ -606,6 +722,10 @@ miscfiles_read_localization(httpd_suexec_t) @@ -5451,7 +5469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; allow httpd_suexec_t self:udp_socket create_socket_perms; -@@ -620,10 +738,13 @@ +@@ -620,10 +740,13 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) 
@@ -5466,7 +5484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -634,6 +755,12 @@ +@@ -634,6 +757,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -5479,7 +5497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -651,18 +778,6 @@ +@@ -651,18 +780,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -5498,7 +5516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -672,7 +787,8 @@ +@@ -672,7 +789,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -5508,7 +5526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -686,15 +802,66 @@ +@@ -686,15 +804,66 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -5576,7 +5594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -707,6 +874,20 @@ +@@ -707,6 +876,20 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -5597,7 +5615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -728,3 +909,20 @@ +@@ -728,3 +911,20 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -6035,7 +6053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.8/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cron.if 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/cron.if 2007-10-22 16:39:48.000000000 -0400 @@ -35,6 +35,7 @@ # template(`cron_per_role_template',` @@ -7225,7 +7243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-15 13:07:49.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-22 17:21:04.000000000 -0400 @@ -0,0 +1,157 @@ +## Exim service + @@ -7246,7 +7264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + ') + + corecmd_search_sbin($1) -+ domtrans_pattern($1, exim_t, exim_exec_t) ++ domtrans_pattern($1, exim_exec_t, exim_t) +') + +######################################## 
@@ -7386,8 +7404,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-17 15:46:40.000000000 -0400 -@@ -0,0 +1,229 @@ ++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-22 17:07:07.000000000 -0400 +@@ -0,0 +1,232 @@ +# $Id: exim.te 687 2007-09-09 00:19:41Z aqua $ +# Draft SELinux refpolicy module for the Exim MTA +# @@ -7402,6 +7420,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + +type exim_t; +type exim_exec_t; ++domain_type(exim_t) ++domain_entry_file(exim_t,exim_exec_t) +mta_mailserver(exim_t, exim_exec_t) +mta_mailserver_user_agent(exim_t) +application_executable_file(exim_exec_t) @@ -7501,13 +7521,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + +kernel_read_kernel_sysctls(exim_t) +kernel_dontaudit_read_system_state(exim_t) ++kernel_read_network_state(exim_t) + +miscfiles_read_localization(exim_t) +miscfiles_read_certs(exim_t) + +mta_read_aliases(exim_t) +mta_read_config(exim_t) -+mta_rw_spool(exim_t) ++mta_manage_spool(exim_t) +mta_mailserver_delivery(exim_t) + +# Init script handling 
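Review bot: `mta_rw_spool(exim_t)` is replaced by `mta_manage_spool(exim_t)`, which adds create, unlink and rename on the shared mail spool type on top of read/write, and `kernel_read_network_state(exim_t)` is added alongside; neither widening is explained in the hunk or the changelog, whose exim entry only covers the mta.te transition. I would put a one-line justification on each, e.g. `# exim creates and removes queue files under the spool, so rw alone is not enough` and `# exim reads kernel network state (presumably /proc/net) - confirm which code path needs it`, so a later reviewer can tell a required permission from an audit2allow leftover. The added `domain_type(exim_t)` and `domain_entry_file(exim_t,exim_exec_t)` appear to be the standard declarations the later domain transition into exim_t requires and need no comment. The exim.te file continues outside this hunk.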
@@ -7617,6 +7638,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + exim_manage_var_lib(exim_lib_update_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.0.8/policy/modules/services/fetchmail.te +--- nsaserefpolicy/policy/modules/services/fetchmail.te 2007-07-25 10:37:42.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/fetchmail.te 2007-10-22 11:52:47.000000000 -0400 +@@ -86,6 +86,10 @@ + userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t) + + optional_policy(` ++ procmail_domtrans(fetchmail_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(fetchmail_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.0.8/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/ftp.if 2007-10-03 11:10:24.000000000 -0400 @@ -7735,7 +7770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. /var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-19 15:06:33.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-22 10:00:45.000000000 -0400 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -7780,11 +7815,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. allow hald_acl_t self:fifo_file read_fifo_file_perms; domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) -@@ -341,9 +348,12 @@ +@@ -340,10 +347,14 @@ + manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_mac_t) ++dev_read_raw_memory(hald_mac_t) dev_write_raw_memory(hald_mac_t) -+dev_read_sysfs(hald_t) ++dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) @@ -8335,7 +8372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-18 09:24:04.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-22 11:09:36.000000000 -0400 @@ -6,6 +6,7 @@ # Declarations # @@ -8394,6 +8431,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. cron_dontaudit_write_pipes(system_mail_t) ') +@@ -81,6 +94,10 @@ + ') + + optional_policy(` ++ exim_domtrans(system_mail_t) ++') ++ ++optional_policy(` + logrotate_read_tmp_files(system_mail_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.0.8/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/mysql.fc 2007-10-03 11:10:24.000000000 -0400 
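Review bot: `dev_read_raw_memory(hald_mac_t)` is added next to the existing `dev_write_raw_memory(hald_mac_t)`, so this helper domain now holds both read and write on raw memory devices, which in practice is unrestricted access to physical memory and about the strongest privilege the policy can hand out. The hunk does not record which hald add-on needs it or why a narrower device interface would not do, so I would add `# hald_mac probes hardware through raw memory; both read and write are required - confirm against the add-on source` above the pair. The companion change from `dev_read_sysfs(hald_t)` to `dev_read_sysfs(hald_mac_t)` corrects the domain the previous patch mistakenly granted sysfs access to, and deserves its own changelog line rather than the generic 'Fixes for hald_mac'.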
@@ -9206,7 +9254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.8/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-10-22 17:07:13.000000000 -0400 @@ -41,6 +41,8 @@ allow postfix_$1_t self:unix_stream_socket connectto; @@ -9339,7 +9387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-10-12 09:13:21.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-10-22 11:19:20.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -11565,8 +11613,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2007-10-03 11:10:25.000000000 -0400 -@@ -26,6 +26,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2007-10-22 13:18:06.000000000 -0400 +@@ -16,6 +16,14 @@ + type tftpdir_t; + files_type(tftpdir_t) + ++## ++##

++## Allow tftp to modify public files ++## used for public file transfer services. ++##

++##
++gen_tunable(allow_tftp_anon_write,false) ++ + ######################################## + # + # Local policy +@@ -26,12 +34,17 @@ allow tftpd_t self:udp_socket create_socket_perms; allow tftpd_t self:unix_dgram_socket create_socket_perms; allow tftpd_t self:unix_stream_socket create_stream_socket_perms; @@ -11574,6 +11637,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp dontaudit tftpd_t self:capability sys_tty_config; allow tftpd_t tftpdir_t:dir { getattr read search }; + allow tftpd_t tftpdir_t:file { read getattr }; + allow tftpd_t tftpdir_t:lnk_file { getattr read }; + ++manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) ++manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) ++manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) ++ + manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t) + files_pid_filetrans(tftpd_t,tftpd_var_run_t,file) + +@@ -72,6 +85,10 @@ + miscfiles_read_localization(tftpd_t) + miscfiles_read_public_files(tftpd_t) + ++tunable_policy(`allow_tftp_anon_write',` ++ miscfiles_manage_public_files(tftpd_t) ++') ++ + sysnet_read_config(tftpd_t) + sysnet_use_ldap(tftpd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.0.8/policy/modules/services/ucspitcp.if --- nsaserefpolicy/policy/modules/services/ucspitcp.if 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/ucspitcp.if 2007-10-08 07:47:57.000000000 -0400 
@@ -11707,7 +11791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-19 16:57:07.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-22 10:05:16.000000000 -0400 @@ -126,6 +126,8 @@ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) @@ -11740,7 +11824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type $1_iceauth_t; domain_type($1_iceauth_t) -@@ -282,6 +286,7 @@ +@@ -282,11 +286,14 @@ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) allow $1_xserver_t $1_xauth_home_t:file { getattr read }; @@ -11748,7 +11832,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domtrans_pattern($2, xserver_exec_t, $1_xserver_t) allow $1_xserver_t $2:process signal; -@@ -353,12 +358,6 @@ + + allow $1_xserver_t $2:shm rw_shm_perms; ++ # Certain X Libraries want to read /proc/self/cmdline when started with startx ++ allow $1_xserver_t $2:file r_file_perms; + + manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) + manage_files_pattern($2,$1_fonts_t,$1_fonts_t) +@@ -316,6 +323,7 @@ + userdom_use_user_ttys($1,$1_xserver_t) + userdom_setattr_user_ttys($1,$1_xserver_t) + userdom_rw_user_tmpfs_files($1,$1_xserver_t) ++ userdom_rw_user_tmp_files($1,$1_xserver_t) + + xserver_use_user_fonts($1,$1_xserver_t) + xserver_rw_xdm_tmp_files($1_xauth_t) +@@ -353,12 +361,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) 
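Review bot: `allow $1_xserver_t $2:file r_file_perms;` in effect grants the X server domain read on every /proc/&lt;pid&gt; file carrying the user's domain label, not just cmdline, and the comment above it does not say why the target is `$2` rather than the server's own domain. If this is the familiar case of /proc/self inodes keeping the caller's label across the startx domain transition, the comment should say so, e.g. `# /proc/self entries opened across the startx transition still carry the $2 label, so self is not enough - confirm`, so nobody later 'tightens' it to self and breaks startx. The added `userdom_rw_user_tmp_files($1,$1_xserver_t)` in the following inner hunk is not mentioned in the changelog and would benefit from its own one-line reason. The template these lines belong to begins and ends outside the hunk.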
@@ -11761,7 +11860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -387,6 +386,14 @@ +@@ -387,6 +389,14 @@ ') optional_policy(` @@ -11776,7 +11875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -537,16 +544,14 @@ +@@ -537,16 +547,14 @@ gen_require(` type xdm_t, xdm_tmp_t; @@ -11798,7 +11897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +560,53 @@ +@@ -555,25 +563,53 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -11860,7 +11959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +659,24 @@ +@@ -626,6 +662,24 @@ ######################################## ## @@ -11885,7 +11984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +710,73 @@ +@@ -659,6 +713,73 @@ ######################################## ## @@ -11959,7 +12058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -927,6 +1045,7 @@ +@@ -927,6 +1048,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -11967,7 +12066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -987,6 +1106,37 @@ +@@ -987,6 +1109,37 @@ ######################################## ## 
@@ -12005,7 +12104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1286,7 @@ +@@ -1136,7 +1289,7 @@ type xdm_xserver_tmp_t; ') @@ -12014,7 +12113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1475,63 @@ +@@ -1325,3 +1478,63 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -12080,7 +12179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-19 14:06:25.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-22 10:06:42.000000000 -0400 @@ -16,6 +16,13 @@ ## @@ -15565,7 +15664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-18 17:22:34.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-22 10:19:23.000000000 -0400 @@ -132,6 +132,7 @@ init_read_utmp(udev_t) 
@@ -15574,20 +15673,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t libs_use_ld_so(udev_t) libs_use_shared_libs(udev_t) -@@ -184,6 +185,12 @@ +@@ -184,6 +185,13 @@ ') optional_policy(` + alsa_domtrans(udev_t) + alsa_search_lib(udev_t) + alsa_read_lib(udev_t) ++ alsa_read_rw_config(udev_t) +') + +optional_policy(` brctl_domtrans(udev_t) ') -@@ -220,6 +227,10 @@ +@@ -220,6 +228,10 @@ ') optional_policy(` @@ -15910,7 +16010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-19 17:16:21.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-22 16:43:10.000000000 -0400 @@ -5,36 +5,51 @@ # # Declarations @@ -15970,7 +16070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,37 +57,29 @@ +@@ -42,31 +57,29 @@ logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) 
@@ -15987,35 +16087,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` - ada_domtrans(unconfined_t) --') -- --optional_policy(` -- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -- apache_per_role_template(unconfined,unconfined_t,unconfined_r) -- # this is disallowed usage: -- unconfined_domain(httpd_unconfined_script_t) + ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -- bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) +- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) +- apache_per_role_template(unconfined,unconfined_t,unconfined_r) +- # this is disallowed usage: +- unconfined_domain(httpd_unconfined_script_t) + bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -- bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) +- bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -- cron_per_role_template(unconfined,unconfined_t,unconfined_r) -- # this is disallowed usage: -- unconfined_domain(unconfined_crond_t) +- bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -@@ -107,6 +114,10 @@ +@@ -107,6 +120,10 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -16026,7 +16120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -114,15 +125,15 @@ +@@ -114,15 +131,15 @@ ') optional_policy(` 
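Review bot: Dropping the three inner removals of `cron_per_role_template(unconfined,unconfined_t,unconfined_r)`, `# this is disallowed usage:` and `unconfined_domain(unconfined_crond_t)` reinstates the upstream lines, so cron jobs of unconfined users run in a fully unconfined domain again; that matches 'Fix unconfined cron jobs', but the upstream comment kept right above it still says the usage is disallowed. I would replace that comment with the reason the distribution accepts it, e.g. `# targeted policy: cron jobs of unconfined users are deliberately left unconfined`, so the next refpolicy merge does not silently drop it again. The reshuffle of the ada/bootloader/apache/bind optional blocks in the same hunk looks like a pure reorder and I found no permission change in it. This reading of a diff-of-a-diff is inferred from the outer and inner markers and should be confirmed by applying the patch.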
@@ -16045,7 +16139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -130,15 +141,10 @@ +@@ -130,15 +147,10 @@ ') optional_policy(` @@ -16063,7 +16157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -155,32 +161,23 @@ +@@ -155,32 +167,23 @@ optional_policy(` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -16100,7 +16194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +202,22 @@ +@@ -205,11 +208,22 @@ ') optional_policy(` @@ -16112,20 +16206,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) + unconfined_domain(unconfined_mozilla_t) + allow unconfined_mozilla_t self:process { execstack execmem }; -+') -+ -+optional_policy(` -+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ') optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) ++ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ++') ++ ++optional_policy(` + xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + xserver_xdm_rw_shm(unconfined_t) ') ######################################## -@@ -225,8 +233,21 @@ +@@ -225,8 +239,21 @@ init_dbus_chat_script(unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) 
@@ -16158,7 +16252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-19 16:52:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-22 17:00:16.000000000 -0400 @@ -29,8 +29,9 @@ ') @@ -17192,7 +17286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5559,3 +5724,380 @@ +@@ -5559,3 +5724,386 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -17399,6 +17493,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + alsa_read_rw_config($1_usertype) +') + ++# Broken Cover up bugzilla #345921 Should be removed when this is fixed ++corenet_tcp_connect_soundd_port($1_t) ++corenet_tcp_sendrecv_soundd_port($1_t) ++corenet_tcp_sendrecv_all_if($1_t) ++corenet_tcp_sendrecv_lo_node($1_t) ++ +authlogin_per_role_template($1, $1_t, $1_r) + +auth_search_pam_console_data($1_usertype) 
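Review bot: The sound-port workaround (`corenet_tcp_connect_soundd_port($1_t)` plus the three sendrecv rules) is placed in what appears to be the shared login-user template in userdomain.if, so every user domain built from it receives the permission, not only xguest, even though the changelog says 'Fix xguest to be able to connect to sound port'. I would either move these four lines into guest.te under xguest_t or wrap them in a tunable, and at minimum turn the note into a trackable comment: `# Workaround for bugzilla #345921 (sound port access); remove once fixed`. The template body starts and ends outside this hunk, so I cannot see whether `$1_t` here is limited by any enclosing optional_policy or tunable.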
@@ -17991,13 +18091,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-10-17 12:57:05.000000000 -0400 -@@ -0,0 +1,13 @@ ++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-10-22 16:08:51.000000000 -0400 +@@ -0,0 +1,14 @@ +policy_module(guest,1.0.0) +userdom_unpriv_login_user(guest) +userdom_unpriv_login_user(gadmin) +userdom_unpriv_xwindows_login_user(xguest) +mozilla_per_role_template(xguest, xguest_t, xguest_r) ++ +# Allow mounting of file systems +optional_policy(` + hal_dbus_chat(xguest_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 0172add..927d606 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 28%{?dist} +Release: 29%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -373,6 +373,17 @@ exit 0 %endif %changelog +* Mon Oct 22 2007 Dan Walsh 3.0.8-29 +- Allow XServer to read /proc/self/cmdline +- Fix unconfined cron jobs +- Allow fetchmail to transition to procmail +- Fixes for hald_mac +- Allow system_mail to transition to exim +- Allow tftpd to upload files +- Allow xdm to manage unconfined_tmp +- Allow udef to read alsa config +- Fix xguest to be able to connect to sound port + * Fri Oct 17 2007 Dan Walsh 3.0.8-28 - Fixes for hald_mac - Treat unconfined_home_dir_t as a home dir