From e05169a7865453d6bb118748794d3ab85a250a7f Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 13 2010 15:34:10 +0000 Subject: - Allow dovecot-deliver to create tmp files - Allow tor to send signals to itself - Handle /var/db/sudo - Remove allow_corosync_rw_tmpfs boolean --- diff --git a/policy-F13.patch b/policy-F13.patch index ee29a30..486475b 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -2510,10 +2510,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +optional_policy(` + xserver_dontaudit_write_log(shutdown_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.fc serefpolicy-3.7.19/policy/modules/admin/sudo.fc +--- nsaserefpolicy/policy/modules/admin/sudo.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/sudo.fc 2010-09-13 15:54:07.362085420 +0200 +@@ -1,2 +1,4 @@ + + /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) ++ ++/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.19/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-05-28 09:41:59.964611081 +0200 -@@ -73,12 +73,16 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-09-13 15:56:30.021085395 +0200 +@@ -32,6 +32,7 @@ + + gen_require(` + type sudo_exec_t; ++ type sudo_db_t; + attribute sudodomain; + ') + +@@ -47,6 +48,9 @@ + ubac_constrained($1_sudo_t) + role $2 types $1_sudo_t; + ++ manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t) ++ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t) ++ + ############################## + # + # Local Policy +@@ -73,12 +77,16 @@ # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) 
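Review bot: The two `manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` / `manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` calls in the sudo.if hunk `@@ -47,6 +48,9 @@` are inserted above the `# Local Policy` divider, in the declaration part of the template, while every other access rule for `$1_sudo_t` sits below it; they belong after `domtrans_pattern($3, sudo_exec_t, $1_sudo_t)` with the rest of the local policy. Neither the new `sudo_db_t` type in sudo.te nor the `/var/db/sudo(/.*)?` entry in sudo.fc says what the directory holds, so a one-line comment above the type, e.g. `# per-user sudo state under /var/db/sudo (presumably the timestamp/credential cache -- confirm)`, would let the next reader judge whether full manage access for every `$1_sudo_t` domain is the right scope. The enclosing `sudo_role_template` starts outside the hunk.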
@@ -2531,7 +2557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) -@@ -134,7 +138,11 @@ +@@ -134,7 +142,11 @@ userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) # for some PAM modules and for cwd @@ -2544,6 +2570,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.7.19/policy/modules/admin/sudo.te +--- nsaserefpolicy/policy/modules/admin/sudo.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/sudo.te 2010-09-13 15:54:35.371085087 +0200 +@@ -8,3 +8,6 @@ + + type sudo_exec_t; + application_executable_file(sudo_exec_t) ++ ++type sudo_db_t; ++files_type(sudo_db_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.19/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/su.if 2010-05-28 09:41:59.965611225 +0200 @@ -3000,8 +3036,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.19/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-05-28 09:41:59.970610618 +0200 -@@ -0,0 +1,86 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-09-13 14:43:33.016085201 +0200 +@@ -0,0 +1,88 @@ +policy_module(chrome,1.0.0) + +######################################## 
@@ -3064,6 +3100,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) + ++sysnet_dontaudit_read_config(chrome_sandbox_t) ++ +optional_policy(` + execmem_exec(chrome_sandbox_t) +') @@ -18649,8 +18687,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-02 12:55:05.057085167 +0200 -@@ -0,0 +1,145 @@ ++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-13 16:14:36.850085069 +0200 +@@ -0,0 +1,143 @@ + +policy_module(corosync,1.0.0) + @@ -18659,13 +18697,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +# Declarations +# + -+## -+##
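Review bot: `sysnet_dontaudit_read_config(chrome_sandbox_t)` in the chrome.te hunk hides the denial instead of deciding whether the sandbox should read the net_conf_t files, so if anything inside the sandbox actually depends on that read the failure will no longer appear in the audit log. A comment recording the observed access and why it is safe to ignore, e.g. `# sandbox probes network config at startup; not needed for operation, silence the noise`, would make the choice between dontaudit and `sysnet_read_config` reviewable later.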

-+## Allow corosync to read and write generic tmpfs files. -+##

-+##
-+gen_tunable(allow_corosync_rw_tmpfs, false) -+ +type corosync_t; +type corosync_exec_t; +init_daemon_domain(corosync_t, corosync_exec_t) @@ -18762,11 +18793,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +userdom_delete_user_tmpfs_files(corosync_t) +userdom_rw_user_tmpfs_files(corosync_t) + -+tunable_policy(`allow_corosync_rw_tmpfs',` -+ fs_rw_tmpfs_files(corosync_t) -+ fs_delete_tmpfs_files(corosync_t) ++optional_policy(` ++ gen_require(` ++ attribute unconfined_services; ++ ') ++ ++ fs_manage_tmpfs_files(corosync_t) ++ init_manage_script_status_files(corosync_t) +') + ++ +optional_policy(` + ccs_read_config(corosync_t) +') @@ -20720,7 +20756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-09 10:57:08.707085315 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-13 12:37:55.230085213 +0200 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) @@ -20740,7 +20776,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove type dovecot_deliver_t; type dovecot_deliver_exec_t; -@@ -54,15 +57,16 @@ +@@ -27,6 +30,9 @@ + domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) + role system_r types dovecot_deliver_t; + ++type dovecot_deliver_tmp_t; ++files_tmp_file(dovecot_deliver_tmp_t) ++ + type dovecot_etc_t; + files_config_file(dovecot_etc_t) + +@@ -54,15 +60,16 @@ # dovecot local policy # 
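Review bot: The replacement for the `allow_corosync_rw_tmpfs` tunable in the corosync.te hunk `@@ -18762,11 +18793,16 @@` `gen_require`s `attribute unconfined_services` but never uses it, so its only effect is to make the `optional_policy` block apply whenever the module declaring that attribute is loaded; that gating is invisible to a reader and should be stated, e.g. `# the unconfined_services require only gates this block on the unconfined module being present`. The access itself widens from `fs_rw_tmpfs_files` + `fs_delete_tmpfs_files` behind a boolean that defaulted to `false` to an unconditional `fs_manage_tmpfs_files` plus `init_manage_script_status_files`, and the changelog only says the boolean was removed, so the reason corosync needs manage on all tmpfs files and on init status files belongs in a comment above the block. The `++` after `+')` also leaves two consecutive blank lines before the `ccs_read_config` block.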
@@ -20759,7 +20805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_t dovecot_cert_t:dir list_dir_perms; read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -@@ -73,14 +77,26 @@ +@@ -73,14 +80,26 @@ can_exec(dovecot_t, dovecot_exec_t) @@ -20787,7 +20833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) -@@ -93,6 +109,7 @@ +@@ -93,6 +112,7 @@ corenet_tcp_sendrecv_generic_node(dovecot_t) corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) @@ -20795,7 +20841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove corenet_tcp_bind_pop_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) -@@ -103,6 +120,7 @@ +@@ -103,6 +123,7 @@ dev_read_urand(dovecot_t) fs_getattr_all_fs(dovecot_t) @@ -20803,7 +20849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) -@@ -142,6 +160,16 @@ +@@ -142,6 +163,16 @@ ') optional_policy(` @@ -20820,7 +20866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -172,11 +200,6 @@ +@@ -172,11 +203,6 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) 
@@ -20832,7 +20878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect_auth(dovecot_auth_t) -@@ -197,11 +220,13 @@ +@@ -197,11 +223,13 @@ files_search_pids(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) @@ -20847,7 +20893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_auth_t) seutil_dontaudit_search_config(dovecot_auth_t) -@@ -225,6 +250,7 @@ +@@ -225,6 +253,7 @@ ') optional_policy(` @@ -20855,7 +20901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,18 +260,30 @@ +@@ -234,18 +263,34 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; @@ -20865,6 +20911,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; ++manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) ++manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) ++files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) ++ +append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) + +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; @@ -20886,7 +20936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -263,15 +301,24 @@ +@@ -263,15 +308,24 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` 
@@ -21070,7 +21120,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.19/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-05-28 09:42:00.108611036 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-09-13 13:10:28.599085102 +0200 +@@ -18,9 +18,9 @@ + # Local policy + # + +-allow fprintd_t self:capability sys_ptrace; ++allow fprintd_t self:capability { sys_nice sys_ptrace }; + allow fprintd_t self:fifo_file rw_fifo_file_perms; +-allow fprintd_t self:process { getsched signal }; ++allow fprintd_t self:process { getsched setsched signal }; + + manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) + manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) @@ -55,4 +55,6 @@ policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) 
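Review bot: The fprintd.te hunk raises `self:capability` from `sys_ptrace` to `{ sys_nice sys_ptrace }` and `self:process` from `{ getsched signal }` to `{ getsched setsched signal }` without a comment or changelog line saying which operation needed it; `sys_nice` covers more than nice values (real-time scheduling policies and CPU affinity as well), so the triggering access should be recorded above the rule, e.g. `# setsched/sys_nice: fprintd changes its own scheduler settings -- <AVC or bug reference>`. The fprintd and chrome changes are also missing from the four-item changelog entry in selinux-policy.spec.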
@@ -33843,16 +33905,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd +iscsi_manage_semaphores(tgtd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.19/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/tor.te 2010-08-18 13:49:47.647335258 +0200 -@@ -45,6 +45,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/tor.te 2010-09-13 12:47:18.717085060 +0200 +@@ -43,8 +43,11 @@ + # + allow tor_t self:capability { setgid setuid sys_tty_config }; ++allow tor_t self:process signal; ++ allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; +allow tor_t self:unix_dgram_socket create_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; allow tor_t self:tcp_socket create_stream_socket_perms; -@@ -82,6 +83,7 @@ +@@ -82,6 +85,7 @@ corenet_tcp_sendrecv_all_ports(tor_t) corenet_tcp_sendrecv_all_reserved_ports(tor_t) corenet_tcp_bind_generic_node(tor_t) @@ -33860,7 +33926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. corenet_tcp_bind_tor_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) # TOR will need to connect to various ports -@@ -101,6 +103,8 @@ +@@ -101,6 +105,8 @@ auth_use_nsswitch(tor_t) @@ -36856,7 +36922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-09-09 13:09:09.505085410 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-09-13 16:15:23.146085276 +0200 
@@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -37089,7 +37155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1712,3 +1808,56 @@ +@@ -1712,3 +1808,74 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -37146,6 +37212,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + init_dontaudit_use_script_fds($1) +') + ++####################################### ++## ++## Manage init script ++## status files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_manage_script_status_files',` ++ gen_require(` ++ type initrc_state_t; ++ ') ++ ++ manage_files_pattern($1, initrc_state_t, initrc_state_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-09-09 10:54:48.345085410 +0200 diff --git a/selinux-policy.spec b/selinux-policy.spec index 02d5772..85a22b4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 56%{?dist} +Release: 57%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Mon Sep 13 2010 Miroslav Grepl 3.7.19-57 +- Allow dovecot-deliver to create tmp files +- Allow tor to send signals to itself +- Handle /var/db/sudo +- Remove allow_corosync_rw_tmpfs boolean + * Thu Sep 9 2010 Miroslav Grepl 3.7.19-56 - Add unconfined_mmap_zero_ignore boolean
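Review bot: The new `init_manage_script_status_files` interface in the init.if hunk `@@ -37146,6 +37212,24 @@` uses `manage_files_pattern($1, initrc_state_t, initrc_state_t)`, which also grants `rw_dir_perms` on `initrc_state_t` directories, so a caller can create and unlink status files rather than only modify them; the summary `Manage init script status files` should say so, and the description should note that the caller still needs search access to the parent directory. Its first consumer in this commit is `corosync_t`, a confined daemon being handed write access over init's own state files, which deserves a sentence in the interface doc explaining what those files are and why a daemon would need to manage them.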