From d4151fe22971c1a546fd1bb01128187ee973e1ab Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 25 2010 17:00:28 +0000 Subject: - Allow xenstored to manage files on on a XENFS filesystem - Allow cupsd to setattr on a fonts cache directory - Allot smolt-client to send system log messages --- diff --git a/policy-20100106.patch b/policy-20100106.patch index 8e27314..45d9598 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -1,3 +1,15 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te +--- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-01-18 18:24:22.573543214 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2010-01-25 11:03:49.548441857 +0100 +@@ -48,6 +48,8 @@ + files_read_etc_files(smoltclient_t) + files_read_usr_files(smoltclient_t) + ++logging_send_syslog_msg(smoltclient_t) ++ + miscfiles_read_localization(smoltclient_t) + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100 
@@ -383,6 +395,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_bus_client(sandbox_net_client_t) dbus_read_config(sandbox_net_client_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.6.32/policy/modules/apps/vmware.if +--- nsaserefpolicy/policy/modules/apps/vmware.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/apps/vmware.if 2010-01-25 17:40:10.448685801 +0100 +@@ -30,6 +30,24 @@ + allow $2 vmware_t:process signal; + ') + ++####################################### ++## ++## Execute vmware host executables ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vmware_exec_host',` ++ gen_require(` ++ type vmware_host_exec_t; ++ ') ++ ++ can_exec($1, vmware_host_exec_t) ++') ++ + ######################################## + ## + ## Read VMWare system configuration files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-18 18:24:22.657540000 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-01-18 18:27:02.744541291 +0100 
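Review bot: The summary of the new `vmware_exec_host` interface in vmware.if does not say which domain the executables run in. Its body is `can_exec($1, vmware_host_exec_t)`, which grants execution without a domain transition, so the code runs with the caller's permissions. I would word the summary line as `## Execute vmware host executables in the caller domain.` so that anyone adding a caller later sees that no confinement boundary is crossed.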
@@ -658,8 +698,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-18 18:27:02.758531199 +0100 -@@ -555,6 +555,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-25 17:36:13.178435741 +0100 +@@ -265,6 +265,7 @@ + # invoking ghostscript needs to read fonts + miscfiles_read_fonts(cupsd_t) + miscfiles_setattr_fonts_dirs(cupsd_t) ++miscfiles_setattr_fonts_cache_dirs(cupsd_t) + + seutil_read_config(cupsd_t) + sysnet_exec_ifconfig(cupsd_t) +@@ -555,6 +556,7 @@ logging_send_syslog_msg(cupsd_lpd_t) miscfiles_read_localization(cupsd_lpd_t) @@ -1944,7 +1992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-18 18:27:02.788530824 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-25 17:40:43.288687056 +0100 @@ -181,6 +181,7 @@ auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) 
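Review bot: The added `miscfiles_setattr_fonts_cache_dirs(cupsd_t)` in the cups.te hunk sits under the comment `# invoking ghostscript needs to read fonts`, which explains a read, not an attribute change on the fonts cache directory. That directory is presumably shared with other domains, so the reason for letting cupsd_t change its attributes should be recorded next to the rule, for example `# setattr on the fonts cache directory, needed for <AVC / bug reference>`. If the denial came from a helper that cupsd runs rather than from cupsd itself, the rule may be wider than needed, which cannot be judged from this hunk.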
@@ -1953,6 +2001,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +@@ -260,6 +261,10 @@ + samba_read_config(mount_t) + ') + ++optional_policy(` ++ vmware_exec_host(mount_t) ++') ++ + ######################################## + # + # Unconfined mount local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100 +++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-18 18:27:02.789530951 +0100 @@ -2015,7 +2074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-18 18:27:02.796530655 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-25 17:55:42.768687784 +0100 @@ -248,6 +248,7 @@ # @@ -2043,6 +2102,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Xen store local policy +@@ -329,6 +335,7 @@ + + files_read_usr_files(xenstored_t) + ++fs_manage_xenfs_files(xenstored_t) + fs_search_xenfs(xenstored_t) + + storage_raw_read_fixed_disk(xenstored_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100 +++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-18 18:27:02.798533004 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index 53d21e4..ab55bbc 100644 
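Review bot: The new `optional_policy` block calling `vmware_exec_host(mount_t)` in mount.te is not mentioned in the commit subject or in the spec changelog entry. The interface is built on `can_exec` rather than a transition, so it lets mount_t run vmware host executables inside its own domain. mount_t is already broad in the visible context (`auth_read_all_files_except_shadow(mount_t)`), so anything labelled vmware_host_exec_t would run with that access. It is worth confirming that a transition into a dedicated vmware domain is not workable here. At minimum, add a changelog line and a comment such as `# <mount helper> is labelled vmware_host_exec_t and is run by mount (see <bug reference>)`.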
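Review bot: `fs_manage_xenfs_files(xenstored_t)` in the xen.te hunk grants the full manage set on xenfs files, which by refpolicy convention covers create, rename and unlink as well as read and write. If the denial being fixed was only for reading or writing an existing xenfs node, a read/write-level interface would keep xenstored_t narrower. The domain already holds `storage_raw_read_fixed_disk(xenstored_t)` in the visible context, so added write-side permissions deserve a recorded reason. A comment naming the access, e.g. `# xenstored opens <xenfs node> read-write (see <bug reference>)`, would be enough.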
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 76%{?dist} +Release: 77%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -456,6 +456,11 @@ exit 0 %endif %changelog +* Mon Jan 25 2010 Miroslav Grepl 3.6.32-77 +- Allow xenstored to manage files on on a XENFS filesystem +- Allow cupsd to setattr on a fonts cache directory +- Allot smolt-client to send system log messages + * Fri Jan 22 2010 Miroslav Grepl 3.6.32-76 - Add labeling for gitweb - Allow plymouth to read and write the /dev/ptmx