From 514305e2066ee9b256955e7f12343ee263c627d2 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 16 2012 14:53:03 +0000 Subject: * Wed Mar 13 2012 Miroslav Grepl 3.10.0-81 - boinc fixes - Allow vnstat to search through var_lib_t directories - Add jockey policy - Allow nscd to read kernel network state - Allow logrotate to read mysql home conten - Add own type for rdate port --- diff --git a/modules-targeted.conf b/modules-targeted.conf index bb47a0f..5e4bd24 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2486,3 +2486,10 @@ rabbitmq = module # cloudform daemons # cloudform = module + +# Layer: apps +# Module: jockey +# +# policy for jockey-backend +# +jockey_t = module diff --git a/policy-F16.patch b/policy-F16.patch index c63b62d..b091186 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1312,7 +1312,7 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..1c6d379 100644 +index 7090dae..24f535a 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t) @@ -1444,7 +1444,13 @@ index 7090dae..1c6d379 100644 icecast_signal(logrotate_t) ') -@@ -200,9 +223,12 @@ optional_policy(` +@@ -195,14 +218,18 @@ optional_policy(` + + optional_policy(` + mysql_read_config(logrotate_t) ++ mysql_read_home_content(logrotate_t) + mysql_search_db(logrotate_t) + mysql_stream_connect(logrotate_t) ') optional_policy(` @@ -1458,7 +1464,7 @@ index 7090dae..1c6d379 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +254,14 @@ optional_policy(` +@@ -228,3 +255,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -2013,10 +2019,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..0bd2028 +index 0000000..3527e56 
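Review bot: The new entry in modules-targeted.conf is keyed on the type name, `jockey_t = module`, while its own header comment says `# Module: jockey` and the jockey.te added later in this commit declares `policy_module(jockey, 1.0.0)`. The neighbouring entries visible in the hunk (`rabbitmq = module`, `cloudform = module`) are keyed on the module name, so this key most likely does not match the module and the build may not select it as intended. The line should read `jockey = module`.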
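Review bot: `mysql_read_home_content(logrotate_t)` is added to the mysql optional_policy block of logrotate.te without a comment saying which file logrotate needs. MySQL home content is usually where client option files with credentials live, so this widens what a root-run rotation job can read. A one-line why-comment above the call, for example `# postrotate script runs the mysql client, which reads its option file from the admin home`, would let a later reviewer check that the grant is still needed. The actual reason is not visible in the hunk, so the wording should be confirmed against the denial that prompted the change.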
--- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,349 @@ +@@ -0,0 +1,357 @@ +policy_module(permissivedomains,16) + +optional_policy(` @@ -2366,6 +2372,14 @@ index 0000000..0bd2028 + + permissive matahari_sysconfigd_t; +') ++ ++optional_policy(` ++ gen_require(` ++ type jockey_t; ++ ') ++ ++ permissive jockey_t; ++') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc 
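Review bot: The block appended to permissivedomains.te marks `jockey_t` permissive with no comment on why or for how long, so the jockey.te rules added in this commit are logged but not enforced. jockey.te declares the domain with `dbus_system_domain(jockey_t, jockey_exec_t)`, which means a system-bus service runs without SELinux enforcement until this block is removed. A comment above `permissive jockey_t;`, such as `# new in 3.10.0-81: permissive until AVCs are collected, then remove`, would make the exit condition explicit. The earlier permissive blocks of the file are outside the hunk, so their convention could not be checked.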
@@ -7994,6 +8008,200 @@ index 167950d..27d37b0 100644 + wine_domtrans(unconfined_java_t) + ') ') +diff --git a/policy/modules/apps/jockey.fc b/policy/modules/apps/jockey.fc +new file mode 100644 +index 0000000..274cdec +--- /dev/null ++++ b/policy/modules/apps/jockey.fc +@@ -0,0 +1,6 @@ ++/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0) ++ ++/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0) ++ ++/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0) ++/var/log/jockey\.log -- gen_context(system_u:object_r:jockey_var_log_t,s0) +diff --git a/policy/modules/apps/jockey.if b/policy/modules/apps/jockey.if +new file mode 100644 +index 0000000..b083ea3 +--- /dev/null ++++ b/policy/modules/apps/jockey.if +@@ -0,0 +1,133 @@ ++ ++## policy for jockey ++ ++######################################## ++## ++## Transition to jockey. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`jockey_domtrans',` ++ gen_require(` ++ type jockey_t, jockey_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, jockey_exec_t, jockey_t) ++') ++ ++######################################## ++## ++## Search jockey cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jockey_search_cache',` ++ gen_require(` ++ type jockey_cache_t; ++ ') ++ ++ allow $1 jockey_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read jockey cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jockey_read_cache_files',` ++ gen_require(` ++ type jockey_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, jockey_cache_t jockey_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## jockey cache files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`jockey_manage_cache_files',` ++ gen_require(` ++ type jockey_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, jockey_cache_t, jockey_cache_t) ++') ++ ++######################################## ++## ++## Manage jockey cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jockey_manage_cache_dirs',` ++ gen_require(` ++ type jockey_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an jockey environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`jockey_admin',` ++ gen_require(` ++ type jockey_t; ++ type jockey_cache_t; ++ ') ++ ++ allow $1 jockey_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, jockey_t) ++ ++ files_search_var($1) ++ admin_pattern($1, jockey_cache_t) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te +new file mode 100644 +index 0000000..a323883 +--- /dev/null ++++ b/policy/modules/apps/jockey.te +@@ -0,0 +1,37 @@ ++policy_module(jockey, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type jockey_t; ++type jockey_exec_t; ++dbus_system_domain(jockey_t, jockey_exec_t) ++ ++type jockey_cache_t; ++files_type(jockey_cache_t) ++ ++type jockey_var_log_t; ++logging_log_file(jockey_var_log_t) ++ ++######################################## ++# ++# jockey local policy ++# ++ ++ ++manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t) ++manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t) ++manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t) ++files_var_filetrans(jockey_t, jockey_cache_t, { dir file }) ++ ++manage_files_pattern(jockey_t, 
jockey_var_log_t, jockey_var_log_t) ++manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) ++logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir }) ++ ++domain_use_interactive_fds(jockey_t) ++ ++files_read_etc_files(jockey_t) ++ ++miscfiles_read_localization(jockey_t) diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc new file mode 100644 index 0000000..25e4b68 @@ -28138,10 +28346,10 @@ index 0000000..fa9b95a +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..41698a6 +index 0000000..b673632 --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,175 @@ +@@ -0,0 +1,192 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -28185,6 +28393,9 @@ index 0000000..41698a6 +allow boinc_domain self:fifo_file rw_fifo_file_perms; +allow boinc_domain self:sem create_sem_perms; + ++manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) ++manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) ++ +# needs read /proc/interrupts +kernel_read_system_state(boinc_domain) + 
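Review bot: In jockey.if, `jockey_read_cache_files` calls `read_files_pattern($1, jockey_cache_t jockey_cache_t)` with the comma between the directory type and the file type missing, so the macro receives two arguments instead of three and any caller of the interface will expand to a malformed rule. It should read `read_files_pattern($1, jockey_cache_t, jockey_cache_t)`, matching `jockey_manage_cache_files` just below it. Separately, `jockey_admin` documents a role parameter that the body never uses, and its `gen_require` lists only `jockey_t` and `jockey_cache_t`, so `jockey_var_log_t` is not covered by the admin interface. If log administration is intended, add `type jockey_var_log_t;` and `admin_pattern($1, jockey_var_log_t)`.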
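Review bot: `manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)` and the matching `manage_files_pattern` line in boinc.te grant create and delete rights on the client's state directory to every type carrying the `boinc_domain` attribute. A later hunk in this commit removes `list_dirs_pattern`/`rw_files_pattern` for `boinc_project_t` on the same type, which suggests the project domain is a member of the attribute, though its declaration is outside the hunk. If so, project code goes from read/write to full manage on files that `boinc_t` may execute via `exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)`. If only the client needs manage, keep these two lines on `boinc_t` and leave the narrower `rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)` in place.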
@@ -28231,13 +28442,17 @@ index 0000000..41698a6 +fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) + +exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir) ++# this should be created by default by boinc ++# we need this label for transition to boinc_project_t ++# other boinc lib files will end up with boinc_var_lib_t ++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots") ++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects") + +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) + ++kernel_search_vm_sysctl(boinc_t) ++ +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) + @@ -28275,10 +28490,13 @@ index 0000000..41698a6 +# boinc-projects local policy +# + ++allow boinc_project_t self:capability { setuid setgid }; ++ +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +allow boinc_t boinc_project_t:process sigkill; ++allow boinc_t boinc_project_t:process noatsecure; + -+allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop }; ++allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { execmem execstack }; + +allow boinc_project_t self:fifo_file rw_fifo_file_perms; 
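Review bot: `allow boinc_t boinc_project_t:process noatsecure;` in the boinc-projects section is added without a comment, and it turns off the AT_SECURE environment cleansing that the dynamic loader otherwise applies on the boinc_t to boinc_project_t transition. The same hunk adds `allow boinc_project_t self:capability { setuid setgid };` and `setcap getcap` to a domain that already has `execmem execstack`, so the project domain gains several privileges at once with no stated reason. Each of these lines should carry a why-comment naming the workload that needs it, e.g. `# <project name> wrapper changes uid before starting the science app`, and any that cannot be tied to an observed denial should be dropped.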
@@ -28286,22 +28504,21 @@ index 0000000..41698a6 + +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) -+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file }) ++manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) ++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file}) + +allow boinc_project_t boinc_project_var_lib_t:file entrypoint; +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir }) ++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects") ++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" ) + +allow boinc_project_t boinc_project_var_lib_t:file execmod; + +allow boinc_project_t boinc_t:shm rw_shm_perms; +allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms; + -+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) -+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) -+ +kernel_read_kernel_sysctls(boinc_project_t) +kernel_search_vm_sysctl(boinc_project_t) +kernel_read_network_state(boinc_project_t) @@ -28310,6 +28527,9 @@ index 0000000..41698a6 + +files_dontaudit_search_home(boinc_project_t) + ++# needed by java ++fs_read_hugetlbfs_files(boinc_project_t) ++ +optional_policy(` + gnome_read_gconf_config(boinc_project_t) +') @@ -28317,6 +28537,11 @@ index 0000000..41698a6 +optional_policy(` + java_exec(boinc_project_t) +') ++ ++# until solution for VirtualBox, java .. ++optional_policy(` ++ unconfined_domain(boinc_project_t) ++') 
diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc index 8c84063..c8bfb68 100644 --- a/policy/modules/services/bugzilla.fc @@ -48040,7 +48265,7 @@ index 85188dc..56dd1f0 100644 + nscd_systemctl($1) ') diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te -index 7936e09..812f966 100644 +index 7936e09..9384781 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -1,9 +1,16 @@ @@ -48080,7 +48305,7 @@ index 7936e09..812f966 100644 dontaudit nscd_t self:capability sys_tty_config; allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; -@@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat }; +@@ -47,13 +57,15 @@ allow nscd_t self:nscd { admin getstat }; allow nscd_t nscd_log_t:file manage_file_perms; logging_log_filetrans(nscd_t, nscd_log_t, file) @@ -48092,7 +48317,12 @@ index 7936e09..812f966 100644 corecmd_search_bin(nscd_t) can_exec(nscd_t, nscd_exec_t) -@@ -90,6 +101,7 @@ selinux_compute_create_context(nscd_t) + ++kernel_read_network_state(nscd_t) + kernel_read_kernel_sysctls(nscd_t) + kernel_list_proc(nscd_t) + kernel_read_proc_symlinks(nscd_t) +@@ -90,6 +102,7 @@ selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) domain_use_interactive_fds(nscd_t) @@ -48100,7 +48330,7 @@ index 7936e09..812f966 100644 files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) -@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t) +@@ -112,6 +125,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` @@ -48111,7 +48341,7 @@ index 7936e09..812f966 100644 cron_read_system_job_tmp_files(nscd_t) ') -@@ -127,3 +143,17 @@ optional_policy(` +@@ -127,3 +144,17 @@ optional_policy(` xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') 
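Review bot: `unconfined_domain(boinc_project_t)` in the new optional_policy block at the end of boinc.te makes every other rule written for `boinc_project_t` irrelevant whenever the unconfined module is present. That domain is the one entered through project-supplied files (`allow boinc_project_t boinc_project_var_lib_t:file entrypoint;` in the preceding hunk), so downloaded project code ends up running unconfined. The comment `# until solution for VirtualBox, java ..` gives no tracking reference or removal condition. Prefer adding the specific rules those workloads need next to the existing `java_exec(boinc_project_t)`; if the workaround has to ship, extend the comment to something like `# FIXME(<bug id>): temporary, remove once VirtualBox/java rules are written`.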
@@ -64429,10 +64659,10 @@ index 727fe95..21af852 100644 ## ## All of the rules required to administrate diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te -index 8121937..5a462fb 100644 +index 8121937..275409f 100644 --- a/policy/modules/services/vnstatd.te +++ b/policy/modules/services/vnstatd.te -@@ -28,9 +28,12 @@ allow vnstatd_t self:process signal; +@@ -28,9 +28,13 @@ allow vnstatd_t self:process signal; allow vnstatd_t self:fifo_file rw_fifo_file_perms; allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; @@ -64443,11 +64673,15 @@ index 8121937..5a462fb 100644 manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) ++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir) manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -@@ -64,7 +67,6 @@ allow vnstat_t self:unix_stream_socket create_stream_socket_perms; +@@ -62,9 +66,9 @@ allow vnstat_t self:process signal; + allow vnstat_t self:fifo_file rw_fifo_file_perms; + allow vnstat_t self:unix_stream_socket create_stream_socket_perms; ++files_search_var_lib(vnstat_t) manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) diff --git a/selinux-policy.spec b/selinux-policy.spec index a27d796..b9473eb 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 80%{?dist} +Release: 81%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -466,6 +466,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Mar 13 2012 Miroslav Grepl 3.10.0-81 +- boinc fixes +- Allow vnstat to search through var_lib_t directories +- Add jockey policy +- Allow nscd to read kernel network state +- Allow logrotate to read mysql home conten +- Add own type for rdate port + * Wed Mar 13 2012 Miroslav Grepl 3.10.0-80 - Add own type for rdate port - Allow sssd setrlimit