From 8ad4d5288803114552c6b56c4b58d8548275bbe0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 15 2008 18:55:37 +0000 Subject: - Allow daemons to write to cron fifo_files --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 33de0d0..843f7fb 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1556,3 +1556,10 @@ munin = module # An IRC to other chat networks gateway # bitlbee = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module diff --git a/policy-20070703.patch b/policy-20070703.patch index 92b19e6..861116e 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -15607,7 +15607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-01-13 08:42:50.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-01-15 13:51:25.000000000 -0500 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -15636,16 +15636,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dontaudit $2 shadow_t:file { getattr read }; # Transition from the user domain to this domain. -@@ -120,6 +119,8 @@ +@@ -120,6 +119,7 @@ # Write to the user domain tty. userdom_use_user_terminals($1,$1_chkpwd_t) + userdom_dontaudit_write_user_home_content_files($1, pam_t) -+ ') ######################################## -@@ -169,6 +170,10 @@ +@@ -169,6 +169,10 @@ ## # interface(`auth_login_pgm_domain',` 
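Review bot: The `nx = module` entry added at the end of modules-targeted.conf enables a new policy module in the targeted policy, but neither the commit subject nor the 3.0.8-77 changelog entry mentions it. Enabling a module changes which rules are loaded on every system that takes this update, so it should have its own changelog line, for example `- Enable nx policy module`. The hunks visible here do not add the nx module's policy sources. Presumably they arrived in an earlier revision of policy-20070703.patch, which is worth confirming before the build.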
@@ -15656,7 +15655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_type($1) domain_subj_id_change_exemption($1) -@@ -176,11 +181,34 @@ +@@ -176,11 +180,34 @@ domain_obj_id_change_exemption($1) role system_r types $1; @@ -15691,7 +15690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo selinux_get_fs_mount($1) selinux_validate_context($1) selinux_compute_access_vector($1) -@@ -196,20 +224,48 @@ +@@ -196,20 +223,48 @@ mls_fd_share_all_levels($1) auth_domtrans_chk_passwd($1) @@ -15741,7 +15740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -309,9 +365,6 @@ +@@ -309,9 +364,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -15751,7 +15750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -329,6 +382,8 @@ +@@ -329,6 +381,8 @@ optional_policy(` kerberos_use($1) @@ -15760,7 +15759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -347,6 +402,37 @@ +@@ -347,6 +401,37 @@ ######################################## ## @@ -15798,7 +15797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -695,6 +781,24 @@ +@@ -695,6 +780,24 @@ ######################################## ## @@ -15823,7 +15822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Execute pam programs in the PAM domain. ## ## -@@ -1318,16 +1422,14 @@ +@@ -1318,16 +1421,14 @@ ## # interface(`auth_use_nsswitch',` 
@@ -15843,7 +15842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo miscfiles_read_certs($1) sysnet_dns_name_resolve($1) -@@ -1347,6 +1449,8 @@ +@@ -1347,6 +1448,8 @@ optional_policy(` samba_stream_connect_winbind($1) @@ -15852,7 +15851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1381,3 +1485,181 @@ +@@ -1381,3 +1484,181 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -16036,7 +16035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-01-13 08:42:16.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-01-15 13:51:53.000000000 -0500 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -16087,13 +16086,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo term_use_all_user_ttys(pam_t) term_use_all_user_ptys(pam_t) -@@ -111,19 +129,14 @@ +@@ -111,19 +129,15 @@ logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fds(pam_t) +userdom_write_unpriv_users_tmp_files(pam_t) +userdom_dontaudit_read_unpriv_users_home_content_files(pam_t) +userdom_unlink_unpriv_users_tmp_files(pam_t) ++userdom_append_unpriv_users_home_content_files(pam_t) optional_policy(` locallogin_use_fds(pam_t) @@ -16110,7 +16110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM console local policy -@@ -149,6 +162,8 @@ +@@ -149,6 +163,8 @@ dev_setattr_apm_bios_dev(pam_console_t) dev_getattr_dri_dev(pam_console_t) dev_setattr_dri_dev(pam_console_t) 
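Review bot: In the authlogin.te hunk whose inner header becomes `@@ -111,19 +129,15 @@`, the added `userdom_append_unpriv_users_home_content_files(pam_t)` carries no comment and is not covered by the commit subject or the changelog. Going by the interface name, it gives pam_t append access to home content files of every unprivileged user, and it sits directly below `userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)`, so the intent is not obvious to a reader. I would add a why-comment above it, such as `# <PAM module> appends to <file> in the user's home directory`, with the real names filled in. I would also add a changelog line for it. The interface definition is not in the visible hunks, so whether it is limited to append on regular files should be checked in userdomain.if.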
@@ -16119,7 +16119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_framebuffer_dev(pam_console_t) dev_setattr_framebuffer_dev(pam_console_t) dev_getattr_generic_usb_dev(pam_console_t) -@@ -159,6 +174,8 @@ +@@ -159,6 +175,8 @@ dev_setattr_mouse_dev(pam_console_t) dev_getattr_power_mgmt_dev(pam_console_t) dev_setattr_power_mgmt_dev(pam_console_t) @@ -16128,7 +16128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t) -@@ -200,6 +217,7 @@ +@@ -200,6 +218,7 @@ fs_list_auto_mountpoints(pam_console_t) fs_list_noxattr_fs(pam_console_t) @@ -16136,7 +16136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo init_use_fds(pam_console_t) init_use_script_ptys(pam_console_t) -@@ -236,7 +254,7 @@ +@@ -236,7 +255,7 @@ optional_policy(` xserver_read_xdm_pid(pam_console_t) @@ -16145,7 +16145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -256,6 +274,7 @@ +@@ -256,6 +275,7 @@ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) @@ -16153,7 +16153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # -@@ -302,3 +321,28 @@ +@@ -302,3 +322,28 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') 
@@ -16635,7 +16635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/init.te 2008-01-08 13:53:49.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/init.te 2008-01-15 09:56:24.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -16764,7 +16764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +# Cron jobs used to start and stop services +optional_policy(` -+ cron_read_pipes(daemon) ++ cron_rw_pipes(daemon) +') + +optional_policy(` @@ -17033,7 +17033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-01-14 12:58:26.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-01-15 08:23:50.000000000 -0500 @@ -65,11 +65,15 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
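Review bot: In the init.te hunk, `cron_rw_pipes(daemon)` widens the grant from read to read/write for every domain carrying the `daemon` attribute, while the comment above it still says only `# Cron jobs used to start and stop services`. A grant keyed on an attribute applies to all current and future daemon domains, so the comment should say why write access is needed, for example `# Daemons started from cron jobs inherit crond's pipes and write their output to them`. If the AVC denials behind this change come from inherited descriptors that the daemons do not actually need, a dontaudit rule would be the narrower fix, and that should be confirmed against the denials. The rest of the init.te rules lie outside this hunk.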
@@ -19747,7 +19747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-15 08:07:59.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-15 13:51:31.000000000 -0500 @@ -29,8 +29,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index c3cbc43..c0e1bc4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 76%{?dist} +Release: 77%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -381,6 +381,9 @@ exit 0 %endif %changelog +* Tue Jan 15 2008 Dan Walsh 3.0.8-77 +- Allow daemons to write to cron fifo_files + * Mon Jan 14 2008 Dan Walsh 3.0.8-76 - Fix filecontext for networkmanagerlog files - Allow mount to read samba config