From f4edf6a50b0e692de388a3a91693c4e420c8b204 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 09 2008 21:04:52 +0000 Subject: - Allow semanage to send signals to itself --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 4bd4290..af3ef1f 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -4964,8 +4964,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.13/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2008-11-24 10:49:49.000000000 -0500 -@@ -11,24 +11,55 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2008-12-09 14:43:48.000000000 -0500 +@@ -11,24 +11,61 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; @@ -5004,6 +5004,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_read_dos_files(podsleuth_t) +fs_search_dos(podsleuth_t) + ++fs_mount_nfs_fs(podsleuth_t) ++fs_unmount_nfs_fs(podsleuth_t) ++fs_getattr_nfs_fs(podsleuth_t) ++fs_read_nfs_files(podsleuth_t) ++fs_search_nfs(podsleuth_t) ++ +allow podsleuth_t podsleuth_tmp_t:dir mounton; +manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) +files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) 
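Review bot: The five new `fs_*_nfs_*` rules give podsleuth_t unconditional NFS mount, unmount, getattr and read access, a noticeably broader grant than the DOS/vfat rules directly above them, and neither the commit title nor the spec %changelog mentions it. If this was prompted by iPod mounts landing under NFS-served home directories, the refpolicy convention is to wrap such access in `tunable_policy(`use_nfs_home_dirs',` … `')` so it stays off unless the administrator opts in; if the mount/unmount pair is needed regardless, a one-line comment above the block recording the observed need (the `allow podsleuth_t podsleuth_tmp_t:dir mounton;` rule below suggests the device is mounted under the domain's tmp dir — confirm) would help later audits. Adding a %changelog line for this alongside the semanage entry would keep the release notes complete. The earlier hunk on this line only updates a timestamp and hunk header.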
@@ -15579,7 +15585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-12-09 13:32:10.000000000 -0500 @@ -10,6 +10,9 @@ type dnsmasq_exec_t; init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) @@ -15618,7 +15624,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_dns_server_packets(dnsmasq_t) corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) -@@ -71,6 +73,8 @@ +@@ -67,10 +69,13 @@ + + # allow access to dnsmasq.conf + files_read_etc_files(dnsmasq_t) ++files_read_etc_runtime_files(dnsmasq_t) + fs_getattr_all_fs(dnsmasq_t) fs_search_auto_mountpoints(dnsmasq_t) @@ -15627,7 +15638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(dnsmasq_t) libs_use_shared_libs(dnsmasq_t) -@@ -78,14 +82,12 @@ +@@ -78,14 +83,12 @@ miscfiles_read_localization(dnsmasq_t) @@ -15643,7 +15654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -95,3 +97,7 @@ +@@ -95,3 +98,7 @@ optional_policy(` udev_read_db(dnsmasq_t) ') 
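Review bot: The comment `# allow access to dnsmasq.conf` now heads a block that also grants `files_read_etc_runtime_files(dnsmasq_t)`, which covers runtime-generated files under /etc rather than the configuration file, so the comment no longer describes the whole block. Suggest `# allow access to dnsmasq.conf and runtime-generated /etc files` in its place, or a separate one-line comment naming the file whose denial motivated the new rule. The other dnsmasq.te hunks on this line only renumber inner hunk headers.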
@@ -20756,7 +20767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.13/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-12-09 13:51:00.000000000 -0500 @@ -0,0 +1,55 @@ +policy_module(portreserve,1.0.0) + @@ -20795,7 +20806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) +files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file }) + -+corenet_sendrecv_unlabeled_packets(portreserve_t) ++corenet_all_recvfrom_unlabeled(portreserve_t) +corenet_all_recvfrom_netlabel(portreserve_t) +corenet_tcp_bind_all_ports(portreserve_t) +corenet_tcp_bind_all_ports(portreserve_t) @@ -24852,7 +24863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.13/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.if 2008-12-09 13:35:43.000000000 -0500 @@ -37,7 +37,8 @@ gen_require(` 
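Review bot: `corenet_tcp_bind_all_ports(portreserve_t)` appears twice in the lines immediately after the changed call; one copy is redundant and should be dropped while this hunk is being touched. The replacement `corenet_all_recvfrom_unlabeled(portreserve_t)` pairs naturally with the existing `corenet_all_recvfrom_netlabel(portreserve_t)` below it. Binding every TCP port is presumably inherent to what portreserve does, but a short comment such as `# portreserve holds ports open until the owning service claims them` would make that intent explicit for anyone auditing the all-ports grant. The spamassassin.if hunk on this line only changes a timestamp.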
@@ -25383,7 +25394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-12-03 09:33:51.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-12-09 14:59:03.000000000 -0500 @@ -21,16 +21,24 @@ gen_tunable(spamd_enable_home_dirs, true) @@ -25442,12 +25453,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -69,10 +89,13 @@ +@@ -69,10 +89,14 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; -allow spamd_t self:netlink_route_socket r_netlink_socket_perms; + ++ +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) +logging_log_filetrans(spamd_t, spamd_log_t, file) @@ -25457,7 +25469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -81,10 +104,11 @@ +@@ -81,12 +105,21 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; 
@@ -25469,8 +25481,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) ++spamassassin_domtrans_spamc(spamd_t) ++manage_dirs_pattern(spamd_t, spamc_home_t, spamc_home_t) ++manage_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++manage_lnk_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++manage_fifo_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++manage_sock_files_pattern(spamd_t, spamc_home_t, spamc_home_t) ++userdom_user_home_dir_filetrans(user, spamd_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) ++ kernel_read_all_sysctls(spamd_t) -@@ -134,6 +158,8 @@ + kernel_read_system_state(spamd_t) + +@@ -134,6 +167,8 @@ init_dontaudit_rw_utmp(spamd_t) @@ -25479,7 +25501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(spamd_t) libs_use_shared_libs(spamd_t) -@@ -141,20 +167,40 @@ +@@ -141,20 +176,33 @@ miscfiles_read_localization(spamd_t) @@ -25492,13 +25514,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - sysadm_dontaudit_search_home_dirs(spamd_t) -+manage_dirs_pattern(spamd_t, spamc_home_t, spamc_home_t) -+manage_files_pattern(spamd_t, spamc_home_t, spamc_home_t) -+manage_lnk_files_pattern(spamd_t, spamc_home_t, spamc_home_t) -+manage_fifo_files_pattern(spamd_t, spamc_home_t, spamc_home_t) -+manage_sock_files_pattern(spamd_t, spamc_home_t, spamc_home_t) -+userdom_user_home_dir_filetrans(user, spamd_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) -+ +optional_policy(` + # Write pid file and socket in ~/.evolution/cache/tmp + evolution_home_filetrans(user, spamd_t, spamd_tmp_t, { file sock_file }) 
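Review bot: The relocated block gives spamd_t full manage rights over `spamc_home_t` in every user's home directory plus a `userdom_user_home_dir_filetrans`, yet it sits outside any tunable even though this file declares `gen_tunable(spamd_enable_home_dirs, true)` (visible in the spamassassin.te context on the previous line); consider wrapping the six home-directory lines in `tunable_policy(`spamd_enable_home_dirs',` … `')` so the administrator's opt-out actually covers them — these lines are moved rather than new, so the gap may be pre-existing. The genuinely new `spamassassin_domtrans_spamc(spamd_t)` has the daemon domain transition into the client domain with no explanation of why spamd itself executes spamc; a one-line `# spamd execs spamc for <REASON — confirm>` comment above it would record that. The remaining hunks on this line only renumber inner hunk headers.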
@@ -25525,7 +25540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -172,6 +218,7 @@ +@@ -172,6 +220,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -25533,7 +25548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') -@@ -181,10 +228,6 @@ +@@ -181,10 +230,6 @@ ') optional_policy(` @@ -25544,7 +25559,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -199,6 +242,10 @@ +@@ -199,6 +244,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -25555,7 +25570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -213,3 +260,125 @@ +@@ -213,3 +262,127 @@ optional_policy(` udev_read_db(spamd_t) ') @@ -25637,16 +25652,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# terminal specific to the role +userdom_use_unpriv_users_ptys(spamc_t) + ++allow spamc_t self:tcp_socket create_stream_socket_perms; ++allow spamc_t self:udp_socket create_socket_perms; ++ ++corenet_all_recvfrom_unlabeled(spamc_t) ++corenet_all_recvfrom_netlabel(spamc_t) ++corenet_tcp_sendrecv_generic_if(spamc_t) ++corenet_tcp_sendrecv_all_nodes(spamc_t) ++corenet_tcp_connect_spamd_port(spamc_t) ++ +# set tunable if you have spamc do DNS lookups +tunable_policy(`spamassassin_can_network',` -+ allow spamc_t self:tcp_socket create_stream_socket_perms; -+ allow spamc_t self:udp_socket create_socket_perms; -+ -+ corenet_all_recvfrom_unlabeled(spamc_t) -+ corenet_all_recvfrom_netlabel(spamc_t) -+ corenet_tcp_sendrecv_generic_if(spamc_t) + corenet_udp_sendrecv_generic_if(spamc_t) -+ corenet_tcp_sendrecv_all_nodes(spamc_t) + corenet_udp_sendrecv_all_nodes(spamc_t) + corenet_tcp_sendrecv_all_ports(spamc_t) + corenet_udp_sendrecv_all_ports(spamc_t) 
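Review bot: Moving the TCP socket permissions and `corenet_tcp_connect_spamd_port(spamc_t)` out of the `spamassassin_can_network` tunable makes the spamc-to-spamd connection unconditional while `corenet_tcp_sendrecv_all_ports(spamc_t)` stays gated, so with the boolean off the client may name_connect to the spamd port yet hold no tcp send/recv permission on it, which can still surface as denials where the per-port send_msg/recv_msg checks are enforced; pairing the connect with `corenet_tcp_sendrecv_spamd_port(spamc_t)` in the unconditional block would close that gap — please confirm against the corenetwork interfaces in this tree. The comment `# set tunable if you have spamc do DNS lookups` now accurately describes only the remaining UDP/all-ports block, but a comment above the new unconditional lines, e.g. `# spamc always needs to reach spamd over TCP; DNS lookups are gated below`, would record why that part was lifted out. `corenet_tcp_sendrecv_all_nodes(spamc_t)` also became unconditional, which is consistent with the connect rule.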
@@ -29995,7 +30012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-04 08:07:48.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-09 10:22:43.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -30012,7 +30029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` # despite the extensions, they are actually libs /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) -@@ -75,16 +78,18 @@ +@@ -75,18 +78,20 @@ /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -30035,8 +30052,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) + /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -115,9 +120,17 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -31046,7 +31066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.13/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.if 2008-12-09 09:02:26.000000000 -0500 @@ -555,6 +555,59 @@ ######################################## 
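Review bot: The new file-context pattern `/opt/cx.*/lib/wine/.+\.so` uses an unanchored `.*` that crosses directory boundaries, so it labels any `.so` under any `/opt/cx…/…/lib/wine/` path as textrel_shlib_t, a type that permits text relocations and is therefore worth keeping as narrow as possible. If the intent is to cover /opt/cxoffice and similarly named install directories, `/opt/cx[^/]*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` restricts the wildcard to a single path component while still matching the old entry. The two `/opt/ibm/java.*` lines appear only as newly included upstream context, not as part of this change. The selinuxutil.if hunk on this line only changes a timestamp.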
@@ -31217,7 +31237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Full management of the semanage ## module store. ## -@@ -1165,3 +1270,260 @@ +@@ -1165,3 +1270,261 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -31296,6 +31316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + allow $1 self:capability { dac_override audit_write sys_resource }; + dontaudit $1 self:capability sys_tty_config; ++ allow $1 self:process signal; + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 self:unix_dgram_socket create_socket_perms; + logging_send_audit_msgs($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index a19ba79..447fadc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 33%{?dist} +Release: 34%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -459,6 +459,9 @@ exit 0 %endif %changelog +* Tue Dec 9 2008 Dan Walsh 3.5.13-34 +- Allow semanage to send signals to itself + * Fri Dec 5 2008 Dan Walsh 3.5.13-33 - Allow nsplugin to manage sock files and fifo_files in nsplugin_home_t
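Review bot: `allow $1 self:process signal;` is added inside an interface body, so every caller of this interface gains the permission, not only the semanage domain the commit title and %changelog entry refer to; if the interface has other callers, the changelog understates the scope of the change. The interface definition starts outside the hunk, so its header comment is not visible here, but a one-line note above the new rule such as `# callers signal their own process (observed for semanage)` would document why it exists. Self-signal is a narrow grant, so the rule itself looks fine; the remaining hunks on this line are a hunk-header renumber and the release/changelog bump.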