From 7c3dcb358480ae3d0104a266319f614a7f7d4942 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 16 2007 19:31:34 +0000 Subject: - Allow unconfined_t to transition to NetworkManager_t - Fix netlabel policy --- diff --git a/policy-20070501.patch b/policy-20070501.patch index ded66f2..b7a7ef4 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -1009,8 +1009,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. dev_dontaudit_rw_dri($1_mozilla_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.6.4/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2007-04-30 11:25:12.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/apps/slocate.te 2007-05-08 09:59:33.000000000 -0400 -@@ -43,7 +43,7 @@ ++++ serefpolicy-2.6.4/policy/modules/apps/slocate.te 2007-05-15 11:05:16.000000000 -0400 +@@ -39,11 +39,12 @@ + + files_list_all(locate_t) + files_getattr_all_files(locate_t) ++files_getattr_all_sockets(locate_t) + files_read_etc_runtime_files(locate_t) files_read_etc_files(locate_t) fs_getattr_all_fs(locate_t) @@ -1653,8 +1658,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-04-23 09:35:56.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-05-08 09:59:33.000000000 -0400 -@@ -54,17 +54,30 @@ ++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-05-16 09:21:57.000000000 -0400 +@@ -54,17 +54,29 @@ type capifs_t; fs_type(capifs_t) 
@@ -1676,7 +1681,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy #genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0) +type fusefs_t; -+fs_type(fusefs_t) +fs_noxattr_type(fusefs_t) +allow fusefs_t self:filesystem associate; +genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) @@ -1685,12 +1689,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -83,6 +96,12 @@ +@@ -83,6 +95,11 @@ fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) +type mvfs_t; -+fs_type(mvfs_t) +fs_noxattr_type(mvfs_t) +allow mvfs_t self:filesystem associate; +genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) @@ -1698,6 +1701,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type nfsd_fs_t; fs_type(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) +@@ -105,6 +122,11 @@ + genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) + files_mountpoint(rpc_pipefs_t) + ++type vxfs_t; ++fs_noxattr_type(vxfs_t) ++files_mountpoint(vxfs_t) ++genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) ++ + # + # tmpfs_t is the type for tmpfs filesystems + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.6.4/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-05-02 15:04:46.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/kernel/kernel.if 2007-05-08 09:59:33.000000000 -0400 
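Review bot: The new vxfs_t declaration in the third hunk on this line (`@@ -1698,6 +1701,18 @@`) has no `allow vxfs_t self:filesystem associate;`, while the fusefs_t and mvfs_t blocks in the first two hunks each keep that rule directly after their `fs_noxattr_type` call. If nothing at the attribute level grants associate to noxattr filesystem types, files that `genfscon vxfs /` labels vxfs_t cannot associate with the vxfs_t filesystem; adding `allow vxfs_t self:filesystem associate;` after `fs_noxattr_type(vxfs_t)` makes the three declarations consistent either way. Because `fs_noxattr_type` gives every object on the mount the single type vxfs_t, a comment such as `# no per-file labeling: all content on a vxfs mount shares the vxfs_t type` would record the access-control consequence for whoever later grants access to vxfs_t.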
@@ -2502,6 +2517,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto dev_read_urand(automount_t) domain_use_interactive_fds(automount_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.6.4/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2007-05-03 08:50:57.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/avahi.te 2007-05-15 11:02:52.000000000 -0400 +@@ -18,7 +18,7 @@ + # Local policy + # + +-allow avahi_t self:capability { dac_override setgid chown kill setuid sys_chroot }; ++allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot }; + dontaudit avahi_t self:capability sys_tty_config; + allow avahi_t self:process { setrlimit signal_perms setcap }; + allow avahi_t self:fifo_file { read write }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.6.4/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-04-23 09:36:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/bind.te 2007-05-08 09:59:33.000000000 -0400 @@ -2925,7 +2952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.6.4/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-03-26 10:39:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/dbus.if 2007-05-08 09:59:33.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/dbus.if 2007-05-14 15:57:48.000000000 -0400 @@ -49,6 +49,12 @@ ## # 
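Review bot: The `fowner` capability added to the avahi_t `self:capability` set in the avahi.te hunk has no comment naming the operation that needs it. CAP_FOWNER lets the daemon bypass owner checks for mode, timestamp and similar metadata changes on files it does not own, which goes beyond the `chown` and `dac_override` it already holds; if the trigger is a permission change on its own pid or socket file after privileges are dropped, a comment like `# fowner: chmod of pid/socket files after setuid — confirm against the denial` ties the grant to its cause. If the underlying access turns out to be a harmless probe, `dontaudit avahi_t self:capability fowner;` is the smaller change.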
@@ -2981,7 +3008,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus miscfiles_read_localization($1_dbusd_t) -@@ -273,6 +290,31 @@ +@@ -204,6 +221,7 @@ + # For connecting to the bus + files_search_pids($2) + stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) ++ dbus_read_config($2) + ') + + ####################################### +@@ -273,6 +291,31 @@ ######################################## ## @@ -3013,7 +3048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -286,6 +328,7 @@ +@@ -286,6 +329,7 @@ type dbusd_etc_t; ') @@ -3021,7 +3056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1 dbusd_etc_t:file read_file_perms; ') -@@ -346,3 +389,23 @@ +@@ -346,3 +390,23 @@ allow $1 system_dbusd_t:dbus *; ') @@ -3334,7 +3369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.6.4/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2007-02-19 11:32:53.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/services/hal.if 2007-05-08 09:59:33.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/hal.if 2007-05-14 15:45:53.000000000 -0400 @@ -208,3 +208,98 @@ files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; 
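Review bot: `dbus_read_config($2)` is added to the system-bus client template body without a comment, and every domain passed as `$2` inherits read access to dbusd_etc_t files from it, so the reason belongs next to the existing `# For connecting to the bus` comment, e.g. `# clients read the bus configuration while connecting`. The enclosing interface begins and ends outside the hunk. The other hunks on this line only renumber inner hunk headers and update a timestamp.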
@@ -3788,6 +3823,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. # apache should set close-on-exec apache_dontaudit_append_log(system_mail_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-2.6.4/policy/modules/services/networkmanager.if +--- nsaserefpolicy/policy/modules/services/networkmanager.if 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/services/networkmanager.if 2007-05-16 08:30:20.000000000 -0400 +@@ -78,3 +78,22 @@ + allow $1 NetworkManager_t:dbus send_msg; + allow NetworkManager_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## Transition to NetworkManager ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_domtrans',` ++ gen_require(` ++ type NetworkManager_t, NetworkManager_exec_t; ++ ') ++ corecmd_search_bin($1) ++ domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t) ++ ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.6.4/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2007-03-26 10:39:04.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/nis.if 2007-05-08 09:59:33.000000000 -0400 
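Review bot: The body of the new `networkmanager_domtrans` interface ends with a blank line before the closing `')`, which the neighbouring interface shown in the hunk context does not do; dropping it keeps the file's style. The summary line `## Transition to NetworkManager` could state what the caller obtains, e.g. `## Execute NetworkManager in the NetworkManager domain.`. Otherwise the interface follows the usual shape (`corecmd_search_bin($1)` followed by `domtrans_pattern`), so the caller is confined into NetworkManager_t rather than keeping its own domain.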
@@ -4708,8 +4769,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-2.6.4/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-02-23 16:50:01.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/services/samba.fc 2007-05-08 09:59:33.000000000 -0400 -@@ -27,6 +27,9 @@ ++++ serefpolicy-2.6.4/policy/modules/services/samba.fc 2007-05-16 08:24:46.000000000 -0400 +@@ -3,6 +3,7 @@ + # /etc + # + /etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) ++/etc/samba/passdb.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) + /etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) + /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) + /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) +@@ -27,6 +28,9 @@ /var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) 
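Review bot: The new `/etc/samba/passdb.tdb` entry leaves its dot unescaped, while the neighbouring `MACHINE\.SID` and `secrets\.tdb` entries escape theirs; file_contexts paths are regular expressions, so `.` matches any character and the entry is slightly wider than intended. Writing it as `/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)` matches the siblings exactly. Labeling the password database samba_secrets_t instead of letting it fall under the generic `/etc/samba(/.*)?` samba_etc_t rule is the right direction, since it keeps the credential store under the tighter type.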
@@ -5377,6 +5446,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.6.4/policy/modules/services/tftp.te +--- nsaserefpolicy/policy/modules/services/tftp.te 2007-04-23 09:36:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/tftp.te 2007-05-14 16:13:37.000000000 -0400 +@@ -69,6 +69,7 @@ + logging_send_syslog_msg(tftpd_t) + + miscfiles_read_localization(tftpd_t) ++miscfiles_read_public_files(tftpd_t) + + sysnet_read_config(tftpd_t) + sysnet_use_ldap(tftpd_t) +@@ -102,3 +103,4 @@ + optional_policy(` + udev_read_db(tftpd_t) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-2.6.4/policy/modules/services/w3c.fc --- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/w3c.fc 2007-05-08 09:59:33.000000000 -0400 
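Review bot: The second tftp.te hunk (`@@ -102,3 +103,4 @@`) only appends an empty line after the final `')`, a stray whitespace change that should be dropped from the patch. The `miscfiles_read_public_files(tftpd_t)` addition in the first hunk is unexplained; since tftpd serves files to unauthenticated clients, a comment such as `# export content labeled public_content_t over tftp (no client authentication)` makes the exposure explicit for anyone who later relabels files into that type.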
@@ -6905,6 +6990,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + term_use_generic_ptys(mount_ntfs_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-2.6.4/policy/modules/system/netlabel.te +--- nsaserefpolicy/policy/modules/system/netlabel.te 2006-11-16 17:15:24.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/system/netlabel.te 2007-05-15 21:07:39.000000000 -0400 +@@ -20,6 +20,10 @@ + allow netlabel_mgmt_t self:capability net_admin; + allow netlabel_mgmt_t self:netlink_socket create_socket_perms; + ++init_use_script_ptys(netlabel_mgmt_t) ++ ++files_read_etc_files(netlabel_mgmt_t) ++ + kernel_read_network_state(netlabel_mgmt_t) + + libs_use_ld_so(netlabel_mgmt_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.6.4/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-04-23 09:36:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/raid.te 2007-05-08 09:59:33.000000000 -0400 @@ -7321,7 +7420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-04-23 09:36:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-05-08 09:59:33.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-05-16 08:28:37.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # 
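Review bot: The two calls added to netlabel.te are placed ahead of `kernel_read_network_state(netlabel_mgmt_t)`, which breaks the grouping refpolicy .te files otherwise follow (kernel-layer interfaces such as kernel_ and files_ first, system-layer ones such as init_ and libs_ after). Keeping `kernel_read_network_state(netlabel_mgmt_t)` first and inserting `files_read_etc_files(netlabel_mgmt_t)` then `init_use_script_ptys(netlabel_mgmt_t)` between it and `libs_use_ld_so(netlabel_mgmt_t)` follows the convention. A short `# console output when run from an init script` on the init_use_script_ptys line would explain the pty grant, which is the commit's "fix netlabel policy" item but is otherwise undocumented. The other hunk on this line only updates a timestamp.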
@@ -7358,7 +7457,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) -@@ -153,6 +160,8 @@ +@@ -93,6 +100,7 @@ + + optional_policy(` + networkmanager_dbus_chat(unconfined_t) ++ networkmanager_domtrans(unconfined_t) + ') + + optional_policy(` +@@ -153,6 +161,8 @@ optional_policy(` rpm_domtrans(unconfined_t) @@ -7367,7 +7474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -192,6 +201,9 @@ +@@ -192,6 +202,9 @@ optional_policy(` xserver_domtrans_xdm_xserver(unconfined_t) ') @@ -7377,7 +7484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -200,10 +212,18 @@ +@@ -200,10 +213,18 @@ # ifdef(`targeted_policy',` diff --git a/selinux-policy.spec b/selinux-policy.spec index b1af9db..ad67dc3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -359,6 +359,10 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Wed May 16 2007 Dan Walsh 2.6.4-2 +- Allow unconfined_t to transition to NetworkManager_t +- Fix netlabel policy + * Mon May 14 2007 Dan Walsh 2.6.4-1 - Update to latest from upstream
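Review bot: The `networkmanager_domtrans(unconfined_t)` call makes NetworkManager run in NetworkManager_t when started from an unconfined shell instead of staying unconfined, which is the right direction, but nothing in the hunk says so; a comment like `# run NetworkManager confined even when started by hand from unconfined_t` next to it would record the intent. One consequence to confirm: a process started this way inherits the shell's terminal descriptors, so unless NetworkManager_t may use (or is dontaudited for) the invoking user's tty/pty, or the daemon closes them when it detaches, the transition will produce terminal denials that the previous unconfined execution did not. The remaining hunks on this line renumber inner hunk headers and bump the spec release and changelog only.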