From 6913d892a3d0ac5edf147b6ea6867917966d0b3c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Feb 23 2010 19:12:28 +0000
Subject: - Additional policy for rgmanager

---

diff --git a/policy-F13.patch b/policy-F13.patch
index 974dac2..2c83682 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -158,50 +158,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console role system_r types consoletype_t; ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.10/policy/modules/admin/dmesg.te ---- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/dmesg.te 2010-02-22 09:09:07.000000000 -0500 -@@ -9,6 +9,7 @@ - type dmesg_t; - type dmesg_exec_t; - init_system_domain(dmesg_t, dmesg_exec_t) -+cron_system_entry(dmesg_t, dmesg_exec_t) - - ######################################## - # -@@ -20,12 +21,16 @@ - - allow dmesg_t self:process signal_perms; - -+kernel_read_system_state(dmesg_t) - kernel_read_kernel_sysctls(dmesg_t) - kernel_read_ring_buffer(dmesg_t) - kernel_clear_ring_buffer(dmesg_t) - kernel_change_ring_buffer_level(dmesg_t) - kernel_list_proc(dmesg_t) - kernel_read_proc_symlinks(dmesg_t) -+dev_read_kmsg(dmesg_t) -+ -+mls_process_read_all_levels(dmesg_t) - - dev_read_sysfs(dmesg_t) - -@@ -35,7 +40,7 @@ - - domain_use_interactive_fds(dmesg_t) - --files_list_etc(dmesg_t) -+files_read_etc_files(dmesg_t) - # for when /usr is not mounted: - files_dontaudit_search_isid_type_dirs(dmesg_t) - -@@ -57,3 +62,6 @@ - optional_policy(` - udev_read_db(dmesg_t) - ') -+ -+#mcelog needs -+dev_read_raw_memory(dmesg_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.10/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.10/policy/modules/admin/firstboot.te 2010-02-22 09:09:07.000000000 -0500 
@@ -503,140 +459,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil + term_use_all_ttys(traceroute_t) + term_use_all_ptys(traceroute_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.if serefpolicy-3.7.10/policy/modules/admin/portage.if ---- nsaserefpolicy/policy/modules/admin/portage.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/portage.if 2010-02-22 09:09:07.000000000 -0500 -@@ -114,8 +114,6 @@ - manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t) - files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file }) -- # SELinux-enabled programs running in the sandbox -- allow $1 portage_tmp_t:file relabel_file_perms; - - manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) -@@ -154,8 +152,6 @@ - - domain_use_interactive_fds($1) - domain_dontaudit_read_all_domains_state($1) -- # SELinux-aware installs doing relabels in the sandbox -- domain_obj_id_change_exemption($1) - - files_exec_etc_files($1) - files_exec_usr_src_files($1) -@@ -166,7 +162,6 @@ - fs_read_noxattr_fs_symlinks($1) - fs_search_auto_mountpoints($1) - -- selinux_validate_context($1) - # needed for merging dbus: - selinux_compute_access_vector($1) - -@@ -185,9 +180,6 @@ - - userdom_use_user_terminals($1) - -- # SELinux-enabled programs running in the sandbox -- seutil_libselinux_linked($1) -- - ifdef(`TODO',` - # some gui ebuilds want to interact with X server, like xawtv - optional_policy(` -@@ -243,41 +235,3 @@ - portage_domtrans_gcc_config($1) - role $2 types gcc_config_t; - ') -- --######################################## --## --## Do not audit attempts to search the --## portage temporary directories. --## --## --## --## Domain allowed access. 
--## --## --# --interface(`portage_dontaudit_search_tmp',` -- gen_require(` -- type portage_tmp_t; -- ') -- -- dontaudit $1 portage_tmp_t:dir search_dir_perms; --') -- --######################################## --## --## Do not audit attempts to read and write --## the portage temporary files. --## --## --## --## Domain allowed access. --## --## --# --interface(`portage_dontaudit_rw_tmp_files',` -- gen_require(` -- type portage_tmp_t; -- ') -- -- dontaudit $1 portage_tmp_t:file rw_file_perms; --') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.10/policy/modules/admin/portage.te ---- nsaserefpolicy/policy/modules/admin/portage.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/portage.te 2010-02-22 09:09:07.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(portage, 1.9.1) -+policy_module(portage, 1.9.0) - - ######################################## - # -@@ -82,11 +82,8 @@ - corecmd_exec_bin(gcc_config_t) - corecmd_manage_bin_files(gcc_config_t) - --domain_use_interactive_fds(gcc_config_t) -- - files_manage_etc_files(gcc_config_t) - files_rw_etc_runtime_files(gcc_config_t) --files_read_usr_files(gcc_config_t) - files_search_var_lib(gcc_config_t) - files_search_pids(gcc_config_t) - # complains loudly about not being able to list -@@ -122,11 +119,7 @@ - # - setfscreate for merging to live fs - # - setexec to run portage fetch - allow portage_t self:process { setfscreate setexec }; --# - kill for mysql merging, at least --allow portage_t self:capability { sys_nice kill }; -- --# user post-sync scripts --can_exec(portage_t, portage_conf_t) -+allow portage_t self:capability sys_nice; - - allow portage_t portage_log_t:file manage_file_perms; - logging_log_filetrans(portage_t, portage_log_t, file) -@@ -203,7 +196,7 @@ - # - for rsync and distfile fetching - # - --allow portage_fetch_t self:capability { dac_override fowner fsetid }; -+allow portage_fetch_t self:capability { dac_override 
fowner fsetid sys_nice }; - allow portage_fetch_t self:process signal; - allow portage_fetch_t self:unix_stream_socket create_socket_perms; - allow portage_fetch_t self:tcp_socket create_stream_socket_perms; -@@ -221,8 +214,6 @@ - # portage makes home dir the portage tmp dir, so - # wget looks for .wgetrc there - dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms; --# rsync server timestamp check --allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms }; - - kernel_read_system_state(portage_fetch_t) - kernel_read_kernel_sysctls(portage_fetch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.10/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400 +++ serefpolicy-3.7.10/policy/modules/admin/prelink.fc 2010-02-22 09:09:07.000000000 -0500 @@ -1826,13 +1648,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.10/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-02-18 14:06:31.000000000 -0500 +++ serefpolicy-3.7.10/policy/modules/admin/usermanage.te 2010-02-22 09:09:07.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(usermanage, 1.14.1) -+policy_module(usermanage, 1.14.0) - - ######################################## - # @@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) 
@@ -4321,13 +4136,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500 +++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te 2010-02-22 09:09:07.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(pulseaudio, 1.1.1) -+policy_module(pulseaudio, 1.1.0) - - ######################################## - # @@ -11,6 +11,15 @@ application_domain(pulseaudio_t, pulseaudio_exec_t) role system_r types pulseaudio_t; diff --git a/selinux-policy.spec b/selinux-policy.spec index 9eeea5e..a866498 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.10 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,9 @@ exit 0 %endif %changelog +* Tue Feb 22 2010 Dan Walsh 3.7.10-3 +- Additional policy for rgmanager + * Mon Feb 22 2010 Dan Walsh 3.7.10-2 - Allow sshd to setattr on pseudo terms