From 8becee1975fd6376afbe5b4b759e34e05d789be3 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Oct 27 2011 15:26:43 +0000 Subject: - Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_overide to communicate with users TTY's - Allow svirt_lxc domains to send kill signals within their container --- diff --git a/policy-F16.patch b/policy-F16.patch index ffb6ad5..5356641 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -20736,7 +20736,7 @@ index be4de58..7e8b6ec 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..2c588ca 100644 +index 2be17d2..b172ab4 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0) @@ -20795,7 +20795,7 @@ index 2be17d2..2c588ca 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,19 +70,113 @@ optional_policy(` +@@ -27,19 +70,107 @@ optional_policy(` ') optional_policy(` @@ -20883,12 +20883,6 @@ index 2be17d2..2c588ca 100644 ') optional_policy(` -+ qemu_run(staff_t, staff_r) -+ virt_manage_tmpfs_files(staff_t) -+ virt_filetrans_home_content(staff_t) -+') -+ -+optional_policy(` + rtkit_scheduled(staff_t) +') + @@ -20911,7 +20905,7 @@ index 2be17d2..2c588ca 100644 ') optional_policy(` -@@ -48,10 +185,48 @@ optional_policy(` +@@ -48,10 +179,48 @@ optional_policy(` ') optional_policy(` @@ -20960,7 +20954,7 @@ index 2be17d2..2c588ca 100644 xserver_role(staff_r, staff_t) ') -@@ -89,18 +264,10 @@ ifndef(`distro_redhat',` +@@ -89,18 +258,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20979,7 +20973,7 @@ index 2be17d2..2c588ca 100644 java_role(staff_r, staff_t) ') -@@ -121,10 +288,6 @@ ifndef(`distro_redhat',` +@@ -121,10 +282,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -20990,7 +20984,7 @@ index 2be17d2..2c588ca 100644 pyzor_role(staff_r, staff_t) ') -@@ -137,10 +300,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +294,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21001,7 +20995,7 @@ index 2be17d2..2c588ca 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +331,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +325,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -61079,7 +61073,7 @@ index 7c5d8d8..d711fd5 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..148ce98 100644 +index 3eca020..d2d599b 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) @@ -61528,10 +61522,15 @@ index 3eca020..148ce98 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -365,6 +519,12 @@ optional_policy(` - qemu_signal(virtd_t) - qemu_kill(virtd_t) - qemu_setsched(virtd_t) +@@ -360,11 +514,12 @@ optional_policy(` + ') + + optional_policy(` +- qemu_domtrans(virtd_t) +- qemu_read_state(virtd_t) +- qemu_signal(virtd_t) +- qemu_kill(virtd_t) +- qemu_setsched(virtd_t) + qemu_entry_type(virt_domain) + qemu_exec(virt_domain) +') @@ -61541,7 +61540,7 @@ index 3eca020..148ce98 100644 ') optional_policy(` -@@ -394,20 +554,36 @@ optional_policy(` +@@ -394,20 +549,36 @@ optional_policy(` # virtual domains common policy # @@ -61581,7 +61580,7 @@ index 3eca020..148ce98 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +594,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) 
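Review bot: The new inner hunk `@@ -360,11 +514,12 @@` in virt.te deletes all five `qemu_*(virtd_t)` calls (domtrans, read_state, signal, kill, setsched) with no comment saying what replaces them. The subject line only says qemu_t is beginning to be removed, so the type presumably still exists. If any path outside this hunk can still start a process in qemu_t, virtd_t would lose the ability to signal or reschedule it after this update; confirm no remaining transition into qemu_t before shipping. The two calls left in the block, `qemu_entry_type(virt_domain)` and `qemu_exec(virt_domain)`, apply to the whole virt_domain attribute rather than to virtd_t. A one-line comment above them would record the intent, for example `# qemu_t is being retired; qemu binaries are entered from virt_domain instead`.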
@@ -61594,7 +61593,7 @@ index 3eca020..148ce98 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +606,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +601,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -61607,7 +61606,7 @@ index 3eca020..148ce98 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +619,360 @@ files_search_all(virt_domain) +@@ -440,25 +614,359 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -61772,8 +61771,6 @@ index 3eca020..148ce98 100644 + +allow virtd_lxc_t virt_image_type:dir mounton; + -+allow virtd_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; -+ +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { signal signull sigkill }; + @@ -61846,11 +61843,12 @@ index 3eca020..148ce98 100644 +# +# virt_lxc_domain local policy +# -+allow svirt_lxc_domain self:capability { setuid setgid dac_override }; ++allow svirt_lxc_domain self:capability { kill setuid setgid dac_override }; +dontaudit svirt_lxc_domain self:capability sys_ptrace; + +allow virtd_t svirt_lxc_domain:process { signal_perms }; +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; ++ +allow svirt_lxc_domain virtd_lxc_t:fd use; +allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms; +dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write }; @@ -73473,7 +73471,7 @@ index 0000000..79c358c + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a84b8e7 +index 0000000..84e0e66 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,371 @@ 
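Review bot: Adding `kill` to `allow svirt_lxc_domain self:capability { kill setuid setgid dac_override };` does not by itself limit signals to the container, although the changelog describes it as sending signals "within their container". The capability only lifts the UID ownership check. Which processes can actually be signalled is decided by the `process` class rules and category separation for svirt_lxc_domain, and none of those are visible in this hunk, so they should be checked alongside this change. A comment on the line would make the dependency explicit, for example `# kill: signal container processes running under other UIDs; targets remain limited by process:signal rules`. Separately, the section header reads `virt_lxc_domain local policy` while every rule uses `svirt_lxc_domain`. The section continues outside the hunk.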
@@ -73624,7 +73622,7 @@ index 0000000..a84b8e7 +# Local policy +# + -+allow systemd_passwd_agent_t self:capability { chown sys_tty_config }; ++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override }; +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + diff --git a/selinux-policy.spec b/selinux-policy.spec index 5c069fc..ecbc3d7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 50%{?dist} +Release: 51%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Oct 27 2011 Miroslav Grepl 3.10.0-51 +- Begin removing qemu_t domain, we really no longer need this domain. +- systemd_passwd needs dac_overide to communicate with users TTY's +- Allow svirt_lxc domains to send kill signals within their container + * Wed Oct 25 2011 Miroslav Grepl 3.10.0-50 - Allow policykit to talk to the systemd via dbus - Move chrome_sandbox_nacl_t to permissive domains
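Review bot: `dac_override` on `allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };` is much broader than the stated need, which the changelog gives as talking to users' TTYs. It removes the DAC permission check for every object the domain's type rules already reach, so the effective limit becomes the file and chr_file rules for systemd_passwd_agent_t. Those rules sit outside this hunk and should be reviewed to confirm that write access is confined to the TTY device types. Record the reason next to the rule so a later audit does not have to go back to the changelog, for example `# dac_override: the agent writes password prompts to TTYs owned by other users`.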