From b24e39b3348b3d22c24b9695b0816ec063bfd379 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 16 2009 11:58:40 +0000 Subject: - Allow xdm to unlink xauth_home_t --- diff --git a/policy-20090521.patch b/policy-20090521.patch index 1ff9d4c..05d5715 100644 --- a/policy-20090521.patch +++ b/policy-20090521.patch @@ -3018,6 +3018,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te +--- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-06-25 10:19:44.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te 2009-10-16 13:32:38.000000000 +0200 +@@ -79,6 +79,7 @@ + auth_use_nsswitch(fail2ban_t) + + logging_read_all_logs(fail2ban_t) ++logging_send_syslog_msg(fail2ban_t) + + miscfiles_read_localization(fail2ban_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te 2009-06-29 16:22:53.000000000 +0200 
@@ -3409,14 +3420,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kerberos_use(kpropd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-07-30 17:14:36.000000000 +0200 -@@ -45,6 +45,10 @@ ++++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-10-16 13:42:13.000000000 +0200 +@@ -45,6 +45,13 @@ dev_filetrans(lircd_t, lircd_sock_t, sock_file ) dev_read_generic_usb_dev(lircd_t) +dev_filetrans_lirc(lircd_t) +dev_rw_input_dev(lircd_t) +dev_rw_lirc(lircd_t) ++dev_rw_mouse(lircd_t) ++ ++dev_read_generic_usb_dev(lircd_t) + logging_send_syslog_msg(lircd_t) 
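Review bot: The new `++dev_read_generic_usb_dev(lircd_t)` line duplicates the `dev_read_generic_usb_dev(lircd_t)` call that is already present as context two lines earlier in lircd.te, so it adds no permission and should be dropped from the addition (the inner header `@@ -45,6 +45,13 @@` then shrinks by one line). The other new grant, `dev_rw_mouse(lircd_t)`, gives the daemon write as well as read access to mouse device nodes; nothing in the hunk shows that write is needed, so that is worth confirming and recording with a short comment on the real reason, e.g. `# lircd reads remote-control receivers exposed as input/mouse devices` adjusted to what was observed. The lircd_t block of lircd.te continues beyond the hunk.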
@@ -3432,6 +3446,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, mailman_data_t, mailman_data_t) read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if +--- nsaserefpolicy/policy/modules/services/milter.if 2009-06-25 10:19:44.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/milter.if 2009-10-16 13:35:27.000000000 +0200 +@@ -35,6 +35,8 @@ + # Create other data files and directories in the data directory + manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) + ++ files_read_etc_files($1_milter_t) ++ + miscfiles_read_localization($1_milter_t) + + logging_send_syslog_msg($1_milter_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-06-25 10:21:01.000000000 +0200 
@@ -5183,8 +5209,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-09-30 09:25:12.000000000 +0200 -@@ -370,8 +370,9 @@ ++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-10-09 09:30:55.000000000 +0200 +@@ -339,6 +339,8 @@ + allow xdm_t self:appletalk_socket create_socket_perms; + allow xdm_t self:key { search link write }; + ++allow xdm_t xauth_home_t:file manage_file_perms; ++ + allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; + manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) + manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -370,8 +372,9 @@ manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) @@ -5195,7 +5230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_noxattr_fs_files(xdm_t) manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) -@@ -530,6 +531,7 @@ +@@ -530,6 +533,7 @@ miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) miscfiles_manage_localization(xdm_t) @@ -5203,7 +5238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -538,6 +540,7 @@ +@@ -538,6 +542,7 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
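Review bot: `allow xdm_t xauth_home_t:file manage_file_perms;` in the inner `@@ -339,6 +339,8 @@` hunk grants far more than the unlink that the subject and changelog describe — manage_file_perms also covers create, write, append, rename and setattr on users' xauth_home_t files, which hold the X session authentication cookie. If removing a stale cookie file is the whole need, `allow xdm_t xauth_home_t:file delete_file_perms;` is the least-privilege form; if xdm must also write the cookie, the subject, changelog and a comment on the rule should say so, because write access to that secret by the display manager is the kind of grant an auditor will look for a justification of. A one-line comment above the rule, e.g. `# xdm unlinks a user's stale ~/.Xauthority (xauth_home_t)` adjusted to the actual reason, would do. The surrounding xdm_t block of xserver.te continues outside the hunk; the `@@ -5195` and `@@ -5203` hunks on this line, and the xserver hunks on the following line, only renumber inner hunk headers and raise nothing further.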
@@ -5211,7 +5246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_tmp_sockets(xdm_t) userdom_manage_tmpfs_role(system_r, xdm_t) -@@ -651,7 +654,12 @@ +@@ -651,7 +656,12 @@ ') optional_policy(` @@ -5224,7 +5259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # On crash gdm execs gdb to dump stack -@@ -839,7 +847,6 @@ +@@ -839,7 +849,6 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -5232,7 +5267,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_rw_tmpfs_files(xserver_t) mls_xwin_read_to_clearance(xserver_t) -@@ -931,6 +938,10 @@ +@@ -931,6 +940,10 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index fdc2b78..eb0fed4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 85%{?dist} +Release: 86%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -442,6 +442,9 @@ exit 0 %endif %changelog +* Fri Oct 16 2009 Miroslav Grepl 3.6.12-86 +- Allow xdm to unlink xauth_home_t + * Wed Sep 30 2009 Miroslav Grepl 3.6.12-85 - dovecot needs setcap/getcap - Fix up sssd policy @@ -449,7 +452,6 @@ exit 0 * Tue Sep 22 2009 Miroslav Grepl 3.6.12-84 - Allow sshd to create .ssh directory and content - * Wed Sep 16 2009 Miroslav Grepl 3.6.12-83 - Add wordpress/wp-content/uploads label - Add /var/lib/libvirt/qemu label