From b942ea937daedb6e4a9b0423089a597bc1a2bca7 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Jan 03 2012 11:32:10 +0000 Subject: - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to read meminfo - Allow rpc.svcgssd to read supported_krb5_enctype - Allow zarafa domains to read /dev/random and /dev/urandom - Allow snmpd to read dev_snmp6 - Allow procmail to talk with cyrus - Add fixes for check_disk and check_nagios plugins --- diff --git a/policy-F16.patch b/policy-F16.patch index 78ffd0d..84f4266 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1304,7 +1304,7 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..c1ccc06 100644 +index 7090dae..071d66e 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t) @@ -1351,12 +1351,13 @@ index 7090dae..c1ccc06 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +120,15 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +120,16 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) -userdom_use_user_terminals(logrotate_t) +systemd_exec_systemctl(logrotate_t) ++init_stream_connect(logrotate_t) + +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) @@ -1374,7 +1375,7 @@ index 7090dae..c1ccc06 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +140,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +141,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -1383,7 +1384,7 @@ index 7090dae..c1ccc06 100644 ') optional_policy(` -@@ -154,6 +156,10 @@ optional_policy(` +@@ -154,6 +157,10 @@ optional_policy(` ') optional_policy(` 
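Review bot: `init_stream_connect(logrotate_t)` is added with no comment, and it is a wide grant: a stream connect to init's socket lets the systemctl that logrotate_t may now exec (the `systemd_exec_systemctl` line just above) issue manager commands, so anything executed from postrotate scripts under /etc/logrotate.d inherits that reach. The changelog records the reason but the policy file does not; I would put `# postrotate scripts run systemctl, which talks to systemd over its private socket` above the rule so a later cleanup neither drops it nor widens it further. If the scripts only need to signal or reload a unit, it is worth checking whether a narrower interface exists in this tree before settling on a full stream connect. The logrotate_t policy continues outside the hunk.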
@@ -1394,7 +1395,7 @@ index 7090dae..c1ccc06 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +168,20 @@ optional_policy(` +@@ -162,10 +169,20 @@ optional_policy(` ') optional_policy(` @@ -1415,7 +1416,7 @@ index 7090dae..c1ccc06 100644 cups_domtrans(logrotate_t) ') -@@ -200,9 +216,12 @@ optional_policy(` +@@ -200,9 +217,12 @@ optional_policy(` ') optional_policy(` @@ -1429,7 +1430,7 @@ index 7090dae..c1ccc06 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +247,14 @@ optional_policy(` +@@ -228,3 +248,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -4091,7 +4092,7 @@ index d5aaf0e..6b16aef 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..90cf622 100644 +index 6a5004b..70d684a 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -4102,7 +4103,16 @@ index 6a5004b..90cf622 100644 application_domain(tmpreaper_t, tmpreaper_exec_t) role system_r types tmpreaper_t; -@@ -25,11 +26,16 @@ fs_getattr_xattr_fs(tmpreaper_t) +@@ -18,6 +19,8 @@ role system_r types tmpreaper_t; + allow tmpreaper_t self:process { fork sigchld }; + allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; + ++kernel_read_system_state(tmpreaper_t) ++ + dev_read_urand(tmpreaper_t) + + fs_getattr_xattr_fs(tmpreaper_t) +@@ -25,11 +28,16 @@ fs_getattr_xattr_fs(tmpreaper_t) files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) @@ -4119,7 +4129,7 @@ index 6a5004b..90cf622 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -38,13 +44,17 @@ logging_send_syslog_msg(tmpreaper_t) +@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) 
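Review bot: `kernel_read_system_state(tmpreaper_t)` is wider than the meminfo read the changelog describes: as I recall refpolicy's interface grants read on everything labelled proc_t, not on one file, and there is no finer-grained interface for /proc/meminfo. That is acceptable, but the rule should carry its reason so it is not mistaken for a leftover, e.g. `# tmpwatch reads /proc/meminfo` on the line above it. The tmpreaper_t policy continues outside the hunk.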
@@ -4141,7 +4151,7 @@ index 6a5004b..90cf622 100644 ') optional_policy(` -@@ -52,7 +62,9 @@ optional_policy(` +@@ -52,7 +64,9 @@ optional_policy(` ') optional_policy(` @@ -4151,7 +4161,7 @@ index 6a5004b..90cf622 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +78,13 @@ optional_policy(` +@@ -66,9 +80,13 @@ optional_policy(` ') optional_policy(` @@ -18705,7 +18715,7 @@ index 22821ff..20251b0 100644 ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 97fcdac..630ff53 100644 +index 97fcdac..fdb4b09 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -19172,7 +19182,32 @@ index 97fcdac..630ff53 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3958,6 +4217,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3258,6 +3517,24 @@ interface(`fs_getattr_nfsd_files',` + getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + ++####################################### ++## ++## read files on an nfsd filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_nfsd_files',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ ++ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++') ++ + ######################################## + ## + ## Read and write NFS server files. +@@ -3958,6 +4235,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -19215,7 +19250,7 @@ index 97fcdac..630ff53 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4175,6 +4470,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4175,6 +4488,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## 
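Review bot: The summary of the new `fs_read_nfsd_files` interface is phrased differently from its neighbours: `read files on an nfsd filesystem` is lowercase and unpunctuated, while the adjacent interfaces use `Read and write NFS server files.`; I would write `## Read files on an nfsd filesystem.`. The banner above it also appears one `#` shorter than the surrounding 40-column banners, worth a check. Note that `read_files_pattern` covers the whole nfsd_fs_t type (presumably all of /proc/fs/nfsd), so a caller that needs a single file, like the gssd use elsewhere in this patch, gets the entire directory; fine for a proc-backed filesystem, but the summary could say so.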
@@ -19240,7 +19275,7 @@ index 97fcdac..630ff53 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4251,6 +4564,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4251,6 +4582,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -19266,7 +19301,7 @@ index 97fcdac..630ff53 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4457,6 +4789,8 @@ interface(`fs_mount_all_fs',` +@@ -4457,6 +4807,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -19275,7 +19310,7 @@ index 97fcdac..630ff53 100644 ') ######################################## -@@ -4503,7 +4837,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4855,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -19284,7 +19319,7 @@ index 97fcdac..630ff53 100644 ## Example attributes: ##

##
    -@@ -4866,3 +5200,24 @@ interface(`fs_unconfined',` +@@ -4866,3 +5218,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -45980,7 +46015,7 @@ index 8581040..2367841 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..1147e19 100644 +index bf64a4c..9ad9024 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -25,7 +25,10 @@ type nagios_var_run_t; @@ -46127,14 +46162,24 @@ index bf64a4c..1147e19 100644 ') optional_policy(` -@@ -363,7 +376,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -363,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) --kernel_read_system_state(nagios_system_plugin_t) ++read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) ++ + kernel_read_system_state(nagios_system_plugin_t) kernel_read_kernel_sysctls(nagios_system_plugin_t) - corecmd_exec_bin(nagios_system_plugin_t) +@@ -376,6 +391,8 @@ domain_read_all_domains_state(nagios_system_plugin_t) + + files_read_etc_files(nagios_system_plugin_t) + ++fs_getattr_all_fs(nagios_system_plugin_t) ++ + # needed by check_users plugin + optional_policy(` + init_read_utmp(nagios_system_plugin_t) diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc index 74da57f..b94bb3b 100644 --- a/policy/modules/services/nessus.fc @@ -51873,7 +51918,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te -index 29b9295..6451f82 100644 +index 29b9295..d45c661 100644 --- a/policy/modules/services/procmail.te 
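Review bot: The two new rules for nagios_system_plugin_t, `read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)` and `fs_getattr_all_fs(nagios_system_plugin_t)`, lack the per-plugin comment the file already uses for `# needed by check_users plugin` a few lines below, so it is not recorded which plugin needs which rule. The changelog ties them to check_nagios and check_disk; I would add `# check_nagios reads the nagios log` above the read pattern and `# check_disk needs statfs on every filesystem` above fs_getattr_all_fs. As I read refpolicy, fs_getattr_all_fs is getattr on the filesystem class for all filesystem types rather than on files, which is the right scope for a disk-space check. The nagios_system_plugin_t policy continues outside the hunk.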
+++ b/policy/modules/services/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; @@ -51927,7 +51972,19 @@ index 29b9295..6451f82 100644 mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -125,6 +138,11 @@ optional_policy(` +@@ -107,6 +120,11 @@ tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(procmail_t) + fs_manage_cifs_files(procmail_t) + fs_manage_cifs_symlinks(procmail_t) ++ ++optional_policy(` ++ clamav_domtrans_clamscan(procmail_t) ++ clamav_search_lib(procmail_t) ++ cyrus_stream_connect(procmail_t) + ') + + optional_policy(` +@@ -125,6 +143,11 @@ optional_policy(` postfix_read_spool_files(procmail_t) postfix_read_local_state(procmail_t) postfix_read_master_state(procmail_t) @@ -56059,7 +56116,7 @@ index cda37bb..617e83f 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..372f918 100644 +index b1468ed..4f18830 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -56210,7 +56267,7 @@ index b1468ed..372f918 100644 fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) -+fs_search_nfsd_fs(gssd_t) ++fs_read_nfsd_files(gssd_t) fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) @@ -58422,7 +58479,7 @@ index 275f9fb..2a0e198 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..e666122 100644 +index 3d8d1b3..8cd0c85 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) 
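Review bot: The new `optional_policy(` block in procmail.te is opened inside the `tunable_policy(`use_samba_home_dirs',`` block: the inner hunk inserts the five lines after `fs_manage_cifs_symlinks(procmail_t)` and before the `')` that used to close the tunable, so that `')` now closes the optional_policy and the tunable_policy quote is left open, which either fails at build time or silently wraps the rest of the file in the samba boolean. Even once moved, clamav and cyrus should not share one optional_policy, because the whole block is dropped when either module is absent and `cyrus_stream_connect(procmail_t)` would vanish on a host without clamav. If procmail.te already carries a clamav optional_policy further down, as upstream refpolicy does, the two clamav lines are duplicates and only the cyrus rule is new. The enclosing tunable_policy block starts before the hunk.
```m4
tunable_policy(`use_samba_home_dirs',`
	# … unchanged: fs_manage_cifs_* rules …
')

optional_policy(`
	clamav_domtrans_clamscan(procmail_t)
	clamav_search_lib(procmail_t)
')

optional_policy(`
	cyrus_stream_connect(procmail_t)
')
```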
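Review bot: `fs_read_nfsd_files(gssd_t)` replaces `fs_search_nfsd_fs(gssd_t)` without saying which file is wanted; the changelog names `supported_krb5_enctype` for rpc.svcgssd, and I believe the kernel file is `/proc/fs/nfsd/supported_krb5_enctypes`, so I would add `# rpc.svcgssd reads /proc/fs/nfsd/supported_krb5_enctypes` above the rule. Dropping the search interface is safe only if `read_files_pattern` still expands to `search_dir_perms` on the directory, which I believe it does in refpolicy; worth confirming in this tree. The rule targets gssd_t, so it presumably relies on rpc.svcgssd and rpc.gssd sharing that domain. The gssd_t policy continues outside the hunk.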
@@ -58449,7 +58506,7 @@ index 3d8d1b3..e666122 100644 allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; -@@ -41,18 +43,18 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) +@@ -41,18 +43,19 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) @@ -58465,14 +58522,15 @@ index 3d8d1b3..e666122 100644 kernel_read_kernel_sysctls(snmpd_t) kernel_read_fs_sysctls(snmpd_t) kernel_read_net_sysctls(snmpd_t) - kernel_read_proc_symlinks(snmpd_t) +-kernel_read_proc_symlinks(snmpd_t) -kernel_read_system_state(snmpd_t) --kernel_read_network_state(snmpd_t) + kernel_read_network_state(snmpd_t) ++kernel_read_proc_symlinks(snmpd_t) +kernel_read_all_proc(snmpd_t) corecmd_exec_bin(snmpd_t) corecmd_exec_shell(snmpd_t) -@@ -94,15 +96,19 @@ files_search_home(snmpd_t) +@@ -94,15 +97,19 @@ files_search_home(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) fs_search_auto_mountpoints(snmpd_t) @@ -58493,7 +58551,7 @@ index 3d8d1b3..e666122 100644 logging_send_syslog_msg(snmpd_t) -@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t) +@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -66497,7 +66555,7 @@ index 21ae664..3e448dd 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te -index 9fb4747..6e2c42a 100644 +index 9fb4747..92c156b 100644 --- a/policy/modules/services/zarafa.te +++ b/policy/modules/services/zarafa.te @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t) 
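Review bot: `kernel_read_all_proc(snmpd_t)` is a broad grant for a network-facing daemon and, if it is defined over the proc_type attribute as I recall, it already subsumes the `kernel_read_network_state(snmpd_t)` and `kernel_read_proc_symlinks(snmpd_t)` lines kept next to it. The changelog motivates this hunk with dev_snmp6, which I believe is /proc/net/dev_snmp6 and therefore already covered by kernel_read_network_state alone; unless snmpd needs other /proc files, the narrower rule suffices and kernel_read_all_proc could be dropped, or a comment should record what else it is for, e.g. `# snmpd walks /proc for interface and system statistics`. The snmpd_t policy continues outside the hunk.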
@@ -66511,16 +66569,7 @@ index 9fb4747..6e2c42a 100644 zarafa_domain_template(monitor) zarafa_domain_template(server) -@@ -41,6 +45,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t - manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) - files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) - -+dev_read_rand(zarafa_deliver_t) -+ - ######################################## - # - # zarafa_gateway local policy -@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) +@@ -57,6 +61,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) corenet_tcp_bind_generic_node(zarafa_gateway_t) corenet_tcp_bind_pop_port(zarafa_gateway_t) @@ -66541,7 +66590,7 @@ index 9fb4747..6e2c42a 100644 ####################################### # # zarafa-ical local policy -@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t) +@@ -107,7 +125,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t) files_read_usr_files(zarafa_server_t) @@ -66549,22 +66598,16 @@ index 9fb4747..6e2c42a 100644 logging_send_audit_msgs(zarafa_server_t) sysnet_dns_name_resolve(zarafa_server_t) -@@ -136,6 +155,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) - corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) - corenet_tcp_connect_smtp_port(zarafa_spooler_t) +@@ -138,6 +155,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t) -+dev_read_rand(zarafa_spooler_t) -+ -+######################################## -+# + ######################################## + # +# zarafa_gateway local policy +# + +allow zarafa_gateway_t self:capability { chown kill }; +allow zarafa_gateway_t self:process setrlimit; + -+dev_read_rand(zarafa_gateway_t) -+ +corenet_tcp_bind_pop_port(zarafa_gateway_t) + +####################################### 
@@ -66583,10 +66626,19 @@ index 9fb4747..6e2c42a 100644 + +allow zarafa_monitor_t self:capability chown; + - ######################################## - # ++######################################## ++# # zarafa domains local policy -@@ -156,6 +205,6 @@ kernel_read_system_state(zarafa_domain) + # + +@@ -152,10 +195,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var + + read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) + ++dev_read_rand(zarafa_domain) ++dev_read_urand(zarafa_domain) ++ + kernel_read_system_state(zarafa_domain) files_read_etc_files(zarafa_domain) diff --git a/selinux-policy.spec b/selinux-policy.spec index 58ec662..a727853 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 69%{?dist} +Release: 70%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jan 3 2012 Miroslav Grepl 3.10.0-70 +- Allow systemctl running as logrotate_t to connect to private systemd socket +- Allow tmpwatch to read meminfo +- Allow rpc.svcgssd to read supported_krb5_enctype +- Allow zarafa domains to read /dev/random and /dev/urandom +- Allow snmpd to read dev_snmp6 +- Allow procmail to talk with cyrus +- Add fixes for check_disk and check_nagios plugins + * Sun Dec 25 2011 Miroslav Grepl 3.10.0-69 - Fix bug in the boinc policy
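Review bot: `dev_read_rand(zarafa_domain)` grants the blocking /dev/random to every zarafa domain alongside `dev_read_urand(zarafa_domain)`, which is wider than the per-domain rand rules this patch removes for deliver, spooler and gateway, so a comment should say which daemons actually open /dev/random, e.g. `# zarafa daemons seed their RNG from /dev/random and /dev/urandom`. The two dev_ calls also sit above `kernel_read_system_state(zarafa_domain)`, whereas refpolicy convention orders kernel_ calls before dev_ calls; I would move them below it. The zarafa_domain section continues outside the hunk.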