From df544cead422c61b3cdf680d1db31aca4721a74f Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Feb 22 2011 18:29:29 +0000
Subject: - Fix for cmirrord - Add mcsnetwrite attribute
---
diff --git a/policy-F13.patch b/policy-F13.patch
index f022009..5efc171 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -290,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs
--- nsaserefpolicy/policy/mcs 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/mcs 2011-01-19 18:02:35.000000000 +0000
++++ serefpolicy-3.7.19/policy/mcs 2011-02-22 18:00:53.341097838 +0000
@@ -86,10 +86,10 @@
(( h1 dom h2 ) and ( l2 eq h2 ));
@@ -332,7 +332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
( h1 dom h2 );
-@@ -126,9 +132,18 @@
+@@ -126,10 +132,22 @@
mlsconstrain db_tuple { relabelfrom select update delete use }
( h1 dom h2 );
@@ -341,17 +341,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
+ ( h1 dom h2 );
+
+mlsconstrain db_view { drop getattr setattr relabelfrom expand }
-+ ( h1 dom h2 );
-+
-+mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
( h1 dom h2 );
++mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
++ ( h1 dom h2 );
++
+mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+ ( h1 dom h2 );
+
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
++mlsconstrain packet { send recv }
++ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
++
+
') dnl end enable_mcs
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls
--- nsaserefpolicy/policy/mls 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/mls 2011-01-19 18:02:35.000000000 +0000
@@ -6711,8 +6715,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.19/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te 2010-08-05 08:55:36.000000000 +0000
-@@ -0,0 +1,299 @@
++++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te 2011-02-22 10:30:33.961204258 +0000
+@@ -0,0 +1,300 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -6844,6 +6848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+
+term_dontaudit_getattr_all_ptys(nsplugin_t)
+term_dontaudit_getattr_all_ttys(nsplugin_t)
++term_dontaudit_use_ptmx(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
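Review bot: The new `mlsconstrain packet { send recv }` applies one exemption, `t1 == mcsnetwrite`, to both permissions, so a domain carrying the attribute may also receive packets whose categories it does not dominate, while the interface added in the mcs.if hunk describes the attribute only as "writing to sockets at any level" and the kernel.te hunk grants it under that description. If the receive side is intended, the mcs.if summary should say so, e.g. `## Make specified domain MCS trusted for sending and receiving packets at any level.`; if it is not, the constraint should be split so that only `send` carries the `t1 == mcsnetwrite` clause and `recv` keeps the plain dominance test. Nothing on the page shows an earlier packet constraint in policy/mcs, so if this is the first one, every confined domain exchanging labelled packets across categories is affected, not only the domains given the attribute, and that deserves a sentence in the commit message. The db_procedure re-alignment earlier in the hunk appears to move only a blank line.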
@@ -12849,7 +12854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2011-01-18 17:00:20.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2011-02-22 18:11:18.509708746 +0000
@@ -46,15 +46,6 @@
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -12910,7 +12915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -270,19 +275,30 @@
+@@ -270,19 +275,31 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -12920,6 +12925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
mcs_process_set_categories(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
++mcs_socket_write_all_levels(kernel_t)
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
@@ -12941,7 +12947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -359,6 +375,10 @@
+@@ -359,6 +376,10 @@
unconfined_domain_noaudit(kernel_t)
')
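Review bot: `mcs_socket_write_all_levels(kernel_t)` is added with no comment recording which operation needed it, and kernel_t is the only domain on this page that receives the new attribute, so a later reader cannot tell whether exempting the kernel domain from the packet constraint was a design decision or a reaction to one denial. kernel_t already carries the file-level exemptions on the two lines above, which makes the socket exemption plausible, but the changelog entry ("Fix for cmirrord") does not mention it. I would add a one-line comment above the call, e.g. `# kernel_t must send packets to MCS-categorised domains; see <bug or AVC reference>`, so the exemption can be re-evaluated later.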
@@ -12954,8 +12960,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
# Unlabeled process local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.if serefpolicy-3.7.19/policy/modules/kernel/mcs.if
--- nsaserefpolicy/policy/modules/kernel/mcs.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/mcs.if 2010-09-23 10:59:03.000000000 +0000
-@@ -102,3 +102,29 @@
++++ serefpolicy-3.7.19/policy/modules/kernel/mcs.if 2011-02-22 18:10:51.518373164 +0000
+@@ -102,3 +102,49 @@
typeattribute $1 mcssetcats;
')
@@ -12985,14 +12991,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.if
+
+ typeattribute $1 mcsuntrustedproc;
+')
++
++######################################
++##
++## Make specified domain MCS trusted
++## for writing to sockets at any level.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`mcs_socket_write_all_levels',`
++ gen_require(`
++ attribute mcsnetwrite;
++ ')
++
++ typeattribute $1 mcsnetwrite;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-3.7.19/policy/modules/kernel/mcs.te
--- nsaserefpolicy/policy/modules/kernel/mcs.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/mcs.te 2010-09-23 10:58:14.000000000 +0000
-@@ -11,3 +11,4 @@
++++ serefpolicy-3.7.19/policy/modules/kernel/mcs.te 2011-02-22 18:10:17.478211093 +0000
+@@ -11,3 +11,5 @@
attribute mcssetcats;
attribute mcswriteall;
attribute mcsreadall;
+attribute mcsuntrustedproc;
++attribute mcsnetwrite;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.19/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/kernel/selinux.if 2011-02-07 16:33:28.029796002 +0000
@@ -13082,12 +13109,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.19/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc 2011-02-17 14:54:15.022796002 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc 2011-02-22 18:04:02.158449928 +0000
@@ -12,6 +12,7 @@
/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -20016,8 +20043,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.7.19/policy/modules/services/cmirrord.te
--- nsaserefpolicy/policy/modules/services/cmirrord.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2011-02-14 15:14:10.351796002 +0000
-@@ -0,0 +1,65 @@
++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2011-02-22 18:05:44.240937074 +0000
+@@ -0,0 +1,66 @@
+
+policy_module(cmirrord,1.0.0)
+
@@ -20064,6 +20091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
+
+domain_use_interactive_fds(cmirrord_t)
++domain_obj_id_change_exemption(cmirrord_t)
+
+files_read_etc_files(cmirrord_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 36264c0..963672b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 93%{?dist}
+Release: 94%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
%endif
%changelog
+* Tue Feb 22 2011 Miroslav Grepl 3.7.19-94
+- Fix for cmirrord
+- Add mcsnetwrite attribute
+
* Thu Feb 17 2011 Miroslav Grepl 3.7.19-93
- Allow all sandbox to read selinux poilcy config files
- Add allow_daemons_use_tcp_wrappers boolean
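Review bot: `domain_obj_id_change_exemption(cmirrord_t)` is, if I read the refpolicy interface correctly, a constraint exemption that lets the domain create or relabel objects under an identity or role other than its own, which is considerably broader than the single line suggests, and neither the hunk nor the changelog entry ("Fix for cmirrord") records which cmirrord operation required it. Add a comment above the call naming the operation or the denial it resolves, e.g. `# cmirrord creates/relabels objects with a different identity: <bug or AVC reference>`, so the exemption can be revisited rather than carried forward by default. The cmirrord_t policy block continues outside this hunk, so I cannot see whether a narrower permission was already tried.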