From 8e4560394ae8c18e457a7275ca88bfb0a0f13eb8 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 10 2012 07:01:13 +0000 Subject: * Tue Jul 10 2012 Miroslav Grepl 3.10.0-138 - Add labeling for aeolus-configserver-thinwrapper - Allow thin domains to execute shell - Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files - Allow OpenMPI job to use kerberos - Make deltacloudd_t as nsswitch_domain - Allow xend_t to run lsscsi - Allow qemu-dm running as xend_t to create tun_socket - Allow jockey-backend to read pyconfig-64.h labeled as usr_t - Fix alsa_manage_home_files interface - Fix clamscan_can_scan_system boolean - Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11 --- diff --git a/policy-F16.patch b/policy-F16.patch index 14b0ff5..3a8069f 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -58467,14 +58467,14 @@ index d362d9c..230a2f6 100644 + +/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0) diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if -index 1392679..25e02df 100644 +index 1392679..64e685f 100644 --- a/policy/modules/admin/alsa.if +++ b/policy/modules/admin/alsa.if @@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',` userdom_search_user_home_dirs($1) allow $1 alsa_home_t:file manage_file_perms; -+ alsa_filetrans_home_content(unpriv_userdomain) ++ alsa_filetrans_home_content($1) ') ######################################## @@ -66479,10 +66479,10 @@ index 0000000..fb58f33 +') diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te new file mode 100644 -index 0000000..efa139b +index 0000000..56b4856 --- /dev/null +++ b/policy/modules/apps/jockey.te -@@ -0,0 +1,42 @@ +@@ -0,0 +1,43 @@ +policy_module(jockey, 1.0.0) + +######################################## 
@@ -66523,6 +66523,7 @@ index 0000000..efa139b +domain_use_interactive_fds(jockey_t) + +files_read_etc_files(jockey_t) ++files_read_usr_files(jockey_t) + +miscfiles_read_localization(jockey_t) diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc @@ -92585,7 +92586,7 @@ index 1f11572..87840b4 100644 + ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..ced0ce2 100644 +index f758323..1ae1cef 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,23 @@ @@ -92763,7 +92764,7 @@ index f758323..ced0ce2 100644 ######################################## # # clamscam local policy -@@ -242,15 +288,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,15 +288,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; @@ -92790,6 +92791,8 @@ index f758323..ced0ce2 100644 + +tunable_policy(`clamscan_can_scan_system',` + files_read_non_security_files(clamscan_t) ++ files_getattr_all_pipes(clamscan_t) ++ files_getattr_all_sockets(clamscan_t) +') + kernel_read_kernel_sysctls(clamscan_t) @@ -92797,7 +92800,7 @@ index f758323..ced0ce2 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +328,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +330,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -92938,10 +92941,10 @@ index 0000000..7f55959 +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..da2404c +index 0000000..e0716d7 --- /dev/null +++ b/policy/modules/services/cloudform.te -@@ -0,0 +1,195 @@ +@@ -0,0 +1,197 @@ +policy_module(cloudform, 1.0) +######################################## +# 
@@ -93047,6 +93050,8 @@ index 0000000..da2404c +corenet_tcp_bind_generic_node(deltacloudd_t) +corenet_tcp_bind_generic_port(deltacloudd_t) + ++auth_use_nsswitch(deltacloudd_t) ++ +files_read_usr_files(deltacloudd_t) + +logging_send_syslog_msg(deltacloudd_t) @@ -94536,10 +94541,10 @@ index 0000000..168f664 +') diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te new file mode 100644 -index 0000000..4eb7bd9 +index 0000000..97437dd --- /dev/null +++ b/policy/modules/services/condor.te -@@ -0,0 +1,231 @@ +@@ -0,0 +1,238 @@ +policy_module(condor, 1.0.0) + +######################################## @@ -94766,6 +94771,13 @@ index 0000000..4eb7bd9 +optional_policy(` + ssh_basic_client_template(condor_startd, condor_startd_t, system_r) + ssh_domtrans(condor_startd_t) ++ ++ manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t) ++ manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t) ++ ++ optional_policy(` ++ kerberos_use(condor_startd_ssh_t) ++ ') +') + +optional_policy(` @@ -97293,7 +97305,7 @@ index 0000000..284fbae + sysnet_domtrans_ifconfig(ctdbd_t) +') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc -index 1b492ed..d3e9822 100644 +index 1b492ed..7f49429 100644 --- a/policy/modules/services/cups.fc +++ b/policy/modules/services/cups.fc @@ -19,7 +19,10 @@ @@ -97327,7 +97339,7 @@ index 1b492ed..d3e9822 100644 /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) -@@ -64,10 +65,16 @@ +@@ -64,10 +65,18 @@ /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) @@ -97345,6 +97357,8 @@ index 1b492ed..d3e9822 100644 +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ ++/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
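Review bot: The new `manage_files_pattern`/`manage_dirs_pattern` rules for condor_startd_ssh_t and the nested `kerberos_use(condor_startd_ssh_t)` are added inside the ssh `optional_policy` block with no comment saying why an ssh client domain needs write access to condor_var_lib_t; the changelog attributes it to OpenMPI jobs. Suggest `# OpenMPI jobs run as condor_startd_ssh_t and write condor lib files` directly above the two manage rules so the next reader does not take the grant for a leftover. The enclosing optional_policy block closes inside the hunk, but condor.te continues outside it.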
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if index 305ddf4..d1b97fb 100644 --- a/policy/modules/services/cups.if @@ -109017,7 +109031,7 @@ index a4f32f5..628b63c 100644 ## in the caller domain. ## diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te -index 93c14ca..d3d5067 100644 +index 93c14ca..00cd4a4 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0) @@ -109080,7 +109094,7 @@ index 93c14ca..d3d5067 100644 # Write to /var/spool/lpd. manage_files_pattern(lpd_t, print_spool_t, print_spool_t) -@@ -277,19 +278,19 @@ miscfiles_read_localization(lpr_t) +@@ -277,19 +278,21 @@ miscfiles_read_localization(lpr_t) userdom_read_user_tmp_symlinks(lpr_t) # Write to the user domain tty. @@ -109088,6 +109102,8 @@ index 93c14ca..d3d5067 100644 +userdom_use_inherited_user_terminals(lpr_t) userdom_read_user_home_content_files(lpr_t) userdom_read_user_tmp_files(lpr_t) ++userdom_write_user_tmp_sockets(lpr_t) ++userdom_stream_connect(lpr_t) tunable_policy(`use_lpd_server',` # lpr can run in lightweight mode, without a local print spooler. @@ -109105,7 +109121,7 @@ index 93c14ca..d3d5067 100644 # Send SIGHUP to lpd. allow lpr_t lpd_t:process signal; -@@ -307,17 +308,7 @@ tunable_policy(`use_lpd_server',` +@@ -307,17 +310,7 @@ tunable_policy(`use_lpd_server',` read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) ') @@ -109124,7 +109140,7 @@ index 93c14ca..d3d5067 100644 optional_policy(` cups_read_config(lpr_t) -@@ -326,5 +317,13 @@ optional_policy(` +@@ -326,5 +319,13 @@ optional_policy(` ') optional_policy(` @@ -132025,12 +132041,13 @@ index 665bf7c..55c5868 100644 +') diff --git a/policy/modules/services/thin.fc b/policy/modules/services/thin.fc new file mode 100644 -index 0000000..62d2c77 +index 0000000..8954083 --- /dev/null 
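Review bot: The new entry `/opt/brother/Printers(.*/)?inf(/.*)?` drops the `/` that separates `Printers` from the optional subdirectory group, unlike the sibling `/usr/local/Printer/(.*/)?inf(/.*)?` two lines above in the same hunk; because `(.*/)?` is optional, the pattern also accepts a path where `Printers` is immediately followed by `inf`. If the intended tree is `/opt/brother/Printers/<model>/inf/`, the form `/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)` mirrors the sibling and is tighter. The practical difference is small, so this is a consistency point rather than a defect.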
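Review bot: `userdom_stream_connect(lpr_t)` and `userdom_write_user_tmp_sockets(lpr_t)` are added with no comment, and both appear broader than the single keyring pkcs11 socket the changelog names — they grant lpr_t unconditional access to user-domain unix stream sockets and user tmp sockets in general. A one-line why-comment above them keeps that scope visible: `# lpr connects to the user's gnome-keyring pkcs11 socket under /run/user/$USER`. The lpr_t section continues outside the hunk.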
+++ b/policy/modules/services/thin.fc -@@ -0,0 +1,10 @@ +@@ -0,0 +1,11 @@ +/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) -+/usr/bin/thinStarter -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0) ++ ++/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0) + +/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0) + @@ -132089,10 +132106,10 @@ index 0000000..6de86e5 +') diff --git a/policy/modules/services/thin.te b/policy/modules/services/thin.te new file mode 100644 -index 0000000..d1903e6 +index 0000000..1ed278e --- /dev/null +++ b/policy/modules/services/thin.te -@@ -0,0 +1,105 @@ +@@ -0,0 +1,106 @@ +policy_module(thin, 1.0) + +######################################## @@ -132136,6 +132153,7 @@ index 0000000..d1903e6 +kernel_read_system_state(thin_domain) + +corecmd_exec_bin(thin_domain) ++corecmd_exec_shell(thin_domain) + +dev_read_rand(thin_domain) +dev_read_urand(thin_domain) @@ -155540,7 +155558,7 @@ index 77d41b6..cc73c96 100644 files_search_pids($1) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te -index 4350ba0..74465c4 100644 +index 4350ba0..b1de3a5 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1) 
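Review bot: The hunk also removes the `/usr/bin/thinStarter` label, which the changelog entry ("Add labeling for aeolus-configserver-thinwrapper") does not mention. If `thinStarter` still ships alongside the new wrapper it would now fall back to the generic /usr/bin label and no longer transition via thin_aeolus_configserver_exec_t; if it was simply renamed, the removal is correct and deserves a word in the changelog. Whether the old binary still exists cannot be told from the hunk; confirm against the package.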
@@ -155599,7 +155617,22 @@ index 4350ba0..74465c4 100644 # internal communication is often done using fifo and unix sockets. allow xend_t self:fifo_file rw_fifo_file_perms; allow xend_t self:unix_stream_socket create_stream_socket_perms; -@@ -299,7 +303,6 @@ dev_rw_sysfs(xend_t) +@@ -219,6 +223,7 @@ allow xend_t self:unix_dgram_socket create_socket_perms; + allow xend_t self:netlink_route_socket r_netlink_socket_perms; + allow xend_t self:tcp_socket create_stream_socket_perms; + allow xend_t self:packet_socket create_socket_perms; ++allow xend_t self:tun_socket create_socket_perms; + + allow xend_t xen_image_t:dir list_dir_perms; + manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) +@@ -294,12 +299,13 @@ corenet_sendrecv_soundd_server_packets(xend_t) + corenet_rw_tun_tap_dev(xend_t) + + dev_read_urand(xend_t) ++# run lsscsi ++dev_getattr_all_chr_files(xend_t) + dev_filetrans_xen(xend_t) + dev_rw_sysfs(xend_t) dev_rw_xen(xend_t) domain_dontaudit_read_all_domains_state(xend_t) @@ -155607,7 +155640,7 @@ index 4350ba0..74465c4 100644 files_read_etc_files(xend_t) files_read_kernel_symbol_table(xend_t) -@@ -320,13 +323,9 @@ locallogin_dontaudit_use_fds(xend_t) +@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) @@ -155621,7 +155654,7 @@ index 4350ba0..74465c4 100644 sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) sysnet_domtrans_ifconfig(xend_t) -@@ -339,8 +338,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) +@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) @@ -155630,7 +155663,7 @@ index 4350ba0..74465c4 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +346,23 @@ optional_policy(` +@@ -349,6 +349,23 @@ optional_policy(` consoletype_exec(xend_t) ') 
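Review bot: `allow xend_t self:tun_socket create_socket_perms;` is added without the why-comment its sibling `dev_getattr_all_chr_files(xend_t)` gets (`# run lsscsi`), although the changelog attributes the tun_socket rule to qemu-dm running in xend_t. Suggest `# qemu-dm runs in xend_t and creates tun sockets` directly above the allow rule. `dev_getattr_all_chr_files` grants getattr on every character device for one tool; it is metadata-only, so acceptable, but worth stating in the comment that lsscsi is the only known consumer.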
@@ -155654,7 +155687,7 @@ index 4350ba0..74465c4 100644 ######################################## # # Xen console local policy -@@ -374,8 +388,6 @@ dev_rw_xen(xenconsoled_t) +@@ -374,8 +391,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) @@ -155663,7 +155696,7 @@ index 4350ba0..74465c4 100644 files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) -@@ -413,9 +425,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -155675,7 +155708,7 @@ index 4350ba0..74465c4 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,9 +455,11 @@ files_read_etc_files(xenstored_t) +@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -155687,7 +155720,7 @@ index 4350ba0..74465c4 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -457,96 +472,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +475,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -155784,7 +155817,7 @@ index 4350ba0..74465c4 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +487,4 @@ optional_policy(` +@@ -559,8 +490,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 5464d74..4fe8d59 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 137%{?dist} +Release: 138%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -479,6 +479,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jul 10 2012 Miroslav Grepl 3.10.0-138 +- Add labeling for aeolus-configserver-thinwrapper +- Allow thin domains to execute shell +- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files +- Allow OpenMPI job to use kerberos +- Make deltacloudd_t as nsswitch_domain +- Allow xend_t to run lsscsi +- Allow qemu-dm running as xend_t to create tun_socket +- Allow jockey-backend to read pyconfig-64.h labeled as usr_t +- Fix alsa_manage_home_files interface +- Fix clamscan_can_scan_system boolean +- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11 + * Tue Jul 3 2012 Miroslav Grepl 3.10.0-137 - Fixes for passenger running within openshift - Add labeling for all tomcat6 dirs