From dbed6bf2d4912750524faff0a7ee1e385879c2dd Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 06 2011 16:05:26 +0000 Subject: - Add label for /lib/upstart/init - Allow colord to getattr on /proc/scsi/scsi - Dontaudit sys_module for ifconfig and irqbalance --- diff --git a/policy-F15.patch b/policy-F15.patch index 1b291a4..33a544e 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -6799,10 +6799,10 @@ index 0000000..4f9cb05 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..6cc919e +index 0000000..3ce0256 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,323 @@ +@@ -0,0 +1,327 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -6982,6 +6982,10 @@ index 0000000..6cc919e +') + +optional_policy(` ++ devicekit_dontaudit_dbus_chat_power(nsplugin_t) ++') ++ ++optional_policy(` + dbus_session_bus_client(nsplugin_t) + dbus_connect_session_bus(nsplugin_t) + dbus_system_bus_client(nsplugin_t) @@ -21858,10 +21862,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..52ad073 +index 0000000..7aa11b6 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,109 @@ +@@ -0,0 +1,110 @@ +policy_module(colord,1.0.0) + +######################################## @@ -21908,6 +21912,7 @@ index 0000000..52ad073 +manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) + ++kernel_getattr_proc_files(colord_t) +kernel_read_device_sysctls(colord_t) + +corenet_udp_bind_generic_node(colord_t) @@ -24052,7 +24057,7 @@ index 418a5a0..28d9e41 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) 
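Review bot: `kernel_getattr_proc_files(colord_t)` in the colord.te hunk is broader than the commit message's "getattr on /proc/scsi/scsi": that refpolicy interface grants getattr on every file of type proc_t, and nothing in the hunk ties it to the SCSI node. getattr on proc_t is low risk, but a later reader cannot tell which access motivated the line, so it should carry the trigger, e.g. `# colord stats /proc/scsi/scsi (proc_t) — TODO confirm the code path and that getattr alone is enough`. I am not aware of a narrower proc type for that node in this policy, so the interface is probably the right tool; only the documentation is missing.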
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..30954ba 100644 +index f706b99..9ed1b7c 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -24095,12 +24100,33 @@ index f706b99..30954ba 100644 ## Send signal devicekit power ## ## -@@ -118,6 +139,44 @@ interface(`devicekit_dbus_chat_power',` +@@ -118,6 +139,65 @@ interface(`devicekit_dbus_chat_power',` allow devicekit_power_t $1:dbus send_msg; ') +####################################### +## ++## Send and receive messages from ++## devicekit power over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_dontaudit_dbus_chat_power',` ++ gen_require(` ++ type devicekit_power_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 devicekit_power_t:dbus send_msg; ++ dontaudit devicekit_power_t $1:dbus send_msg; ++') ++ ++####################################### ++## +## Do not audit attempts to write the devicekit +## log files. +## @@ -24140,7 +24166,7 @@ index f706b99..30954ba 100644 ######################################## ## ## Read devicekit PID files. -@@ -139,22 +198,52 @@ interface(`devicekit_read_pid_files',` +@@ -139,22 +219,52 @@ interface(`devicekit_read_pid_files',` ######################################## ## @@ -24200,7 +24226,7 @@ index f706b99..30954ba 100644 ## ## ## -@@ -165,21 +254,21 @@ interface(`devicekit_admin',` +@@ -165,21 +275,21 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') 
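Review bot: The new `devicekit_dontaudit_dbus_chat_power` interface in the devicekit.if hunk keeps the summary of the interface it was copied from, `## Send and receive messages from devicekit power over dbus.`, although its body only emits `dontaudit` rules, so a generated interface listing will describe a suppression as a grant. Reword it in the style of the neighbouring "Do not audit attempts to write the devicekit log files" header: `## Do not audit attempts to send and receive messages from devicekit power over dbus.`. It would also help callers to state that both directions are silenced (`$1` to `devicekit_power_t` and `devicekit_power_t` back to `$1`), since the nsplugin hunk earlier in this patch relies on exactly that.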
@@ -28118,6 +28144,22 @@ index 9fab1dc..dc7dd01 100644 mta_send_mail(innd_t) +diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te +index 9aeeaf9..e0ed328 100644 +--- a/policy/modules/services/irqbalance.te ++++ b/policy/modules/services/irqbalance.te +@@ -47,6 +47,11 @@ miscfiles_read_localization(irqbalance_t) + userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) + userdom_dontaudit_search_user_home_dirs(irqbalance_t) + ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit irqbalance_t self:capability sys_module; ++') ++ + optional_policy(` + seutil_sigchld_newrole(irqbalance_t) + ') diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc index 4c9acec..deef4c7 100644 --- a/policy/modules/services/jabber.fc @@ -48601,10 +48643,10 @@ index 882c6a2..d0ff4ec 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 354ce93..f97fbb7 100644 +index 354ce93..b8b14b9 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc -@@ -33,6 +33,19 @@ ifdef(`distro_gentoo', ` +@@ -33,9 +33,24 @@ ifdef(`distro_gentoo', ` # # /sbin # @@ -48624,7 +48666,12 @@ index 354ce93..f97fbb7 100644 /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) # because nowadays, /sbin/init is often a symlink to /sbin/upstart /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) -@@ -55,6 +68,9 @@ ifdef(`distro_gentoo', ` ++# for Fedora ++/lib/upstart/init -- gen_context(system_u:object_r:init_exec_t,s0) + + ifdef(`distro_gentoo', ` + /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) +@@ -55,6 +70,9 @@ ifdef(`distro_gentoo', ` /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) 
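Review bot: The comment `# caused by some bogus kernel code` above the new `dontaudit irqbalance_t self:capability sys_module;` does not say which kernel path checks CAP_SYS_MODULE, so nobody can tell when the workaround can be retired; the same comment and rule are added for ifconfig_t in the sysnetwork.te hunk further down. Name the trigger and the retirement condition, e.g. `# kernel checks CAP_SYS_MODULE when it considers autoloading a driver; irqbalance never loads modules — drop once the kernel stops asking`. The autoload cause is my inference from the two affected domains, so confirm it against the audit records before wording the comment. Keeping the rule under hide_broken_symptoms is the right call, since an actual sys_module grant would be far wider than either daemon needs.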
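Review bot: The new `/lib/upstart/init -- gen_context(system_u:object_r:init_exec_t,s0)` entry in the init.fc hunk is explained only by `# for Fedora`, while the neighbouring `/sbin/upstart` entry says why it is labelled (symlink target of /sbin/init); since init_exec_t is the entry point that transitions into init_t, the reason for labelling a new path should be stated. Something like `# Fedora ships the upstart binary here; /sbin/init is a symlink to it` (confirm against the package file list). The rest of the file wraps distribution-specific paths in ifdef(`distro_gentoo',` and ifdef(`distro_suse',` blocks, so if this patched tree is ever built for another distribution an ifdef(`distro_redhat',` block would match that convention; on a Fedora-only patch it is optional.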
@@ -48634,7 +48681,7 @@ index 354ce93..f97fbb7 100644 # # /var -@@ -76,3 +92,4 @@ ifdef(`distro_suse', ` +@@ -76,3 +94,4 @@ ifdef(`distro_suse', ` /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -54203,7 +54250,7 @@ index ff80d0a..7f1a21c 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index df32316..a228139 100644 +index df32316..37f1cfa 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1) @@ -54400,7 +54447,7 @@ index df32316..a228139 100644 userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -314,6 +363,10 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +363,15 @@ ifdef(`distro_ubuntu',` ') ') @@ -54409,9 +54456,14 @@ index df32316..a228139 100644 +') + ifdef(`hide_broken_symptoms',` ++ ++ # caused by some bogus kernel code ++ dontaudit ifconfig_t self:capability sys_module; ++ optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) -@@ -325,12 +378,31 @@ ifdef(`hide_broken_symptoms',` + ') +@@ -325,12 +382,31 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -54443,7 +54495,7 @@ index df32316..a228139 100644 ') optional_policy(` -@@ -355,3 +427,9 @@ optional_policy(` +@@ -355,3 +431,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 1e408e7..a22ada4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 22%{?dist} +Release: 23%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -471,6 +471,11 @@ exit 0 %endif %changelog +* Fri May 6 2011 Miroslav Grepl 3.9.16-23 +- Add label for /lib/upstart/init +- Allow colord to getattr on /proc/scsi/scsi +- Dontaudit sys_module for ifconfig and irqbalance + * Thu May 5 2011 Miroslav Grepl 3.9.16-22 - Make telepathy working with confined users - Allow colord signal