From 1f5c71f5cf52653bbf50c6ef3cd1ff4ebaaae49c Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jan 06 2010 16:14:55 +0000
Subject: - Allow snmbd to send itself signal - Allow virt_domain to read /dev/random - Allow apcupsd to send itself signull - Allow swat to transition to nmbd - Add textrel_shlib_t label for /usr/local/lib/codecs/
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
new file mode 100644
index 0000000..87e0eaf
--- /dev/null
+++ b/policy-20100106.patch
@@ -0,0 +1,144 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
+--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-06 15:16:37.000000000 +0100
+@@ -16,6 +16,7 @@
+ attribute httpd_exec_scripts;
+ attribute httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
++ type httpd_sys_content_t;
+ ')
+ #This type is for webpages
+ type httpd_$1_content_t;
+@@ -123,6 +124,8 @@
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
++
++ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
+ ')
+
+ tunable_policy(`httpd_enable_cgi',`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
+--- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-06 13:06:31.000000000 +0100
+@@ -31,7 +31,7 @@
+ #
+
+ allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+-allow apcupsd_t self:process signal;
++allow apcupsd_t self:process { signal signull };
+ allow apcupsd_t self:fifo_file rw_file_perms;
+ allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
+ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
+--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-06 15:41:16.000000000 +0100
+@@ -443,6 +443,7 @@
+
+ optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
++ spamassassin_kill_client(postfix_pipe_t)
+ ')
+
+ optional_policy(`
+@@ -573,6 +574,8 @@
+ # Postfix smtp delivery local policy
+ #
+
++allow postfix_smtp_t self:capability { sys_chroot };
++
+ # connect to master process
+ stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
+--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-06 13:55:09.000000000 +0100
+@@ -286,6 +286,8 @@
+
+ allow smbd_t winbind_t:process { signal signull };
+
++allow smbd_t swat_t:process signal;
++
+ kernel_getattr_core_if(smbd_t)
+ kernel_getattr_message_if(smbd_t)
+ kernel_read_network_state(smbd_t)
+@@ -485,6 +487,8 @@
+
+ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+
++allow nmbd_t swat_t:process signal;
++
+ allow nmbd_t smbcontrol_t:process signal;
+
+ allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+@@ -661,6 +665,7 @@
+ allow swat_t self:udp_socket create_socket_perms;
+ allow swat_t self:unix_stream_socket connectto;
+
++samba_domtrans_nmbd(swat_t)
+ allow swat_t nmbd_t:process { signal signull };
+
+ allow swat_t nmbd_exec_t:file mmap_file_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
+--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-06 15:41:37.000000000 +0100
+@@ -27,7 +27,7 @@
+ #
+ allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+ dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+-allow snmpd_t self:process { signal_perms getsched setsched };
++allow snmpd_t self:process { signal signal_perms getsched setsched };
+ allow snmpd_t self:fifo_file rw_fifo_file_perms;
+ allow snmpd_t self:unix_dgram_socket create_socket_perms;
+ allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
+--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-06 15:40:10.000000000 +0100
+@@ -267,6 +267,24 @@
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+ ')
+
++######################################
++##
++## Send kill signal to spamassassin client
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_kill_client',`
++ gen_require(`
++ type spamc_t;
++ ')
++
++ allow $1 spamc_t:process sigkill;
++')
++
+ ########################################
+ ##
+ ## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
+--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-06 16:09:14.000000000 +0100
+@@ -430,6 +430,8 @@
+ corenet_tcp_connect_virt_migration_port(virt_domain)
+
+ dev_read_sound(virt_domain)
++dev_read_rand(virt_domain)
++dev_read_urand(virt_domain)
+ dev_write_sound(virt_domain)
+ dev_rw_ksm(virt_domain)
+ dev_rw_kvm(virt_domain)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-06 15:08:52.000000000 +0100
+@@ -245,6 +245,7 @@
+ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+ /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3ba05ca..77ed37a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,11 +20,12 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 66%{?dist} +Release: 67%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz -patch: policy-F12.patch +patch1: policy-F12.patch +patch2: policy-20100106.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel
@@ -193,7 +194,8 @@ Based off of reference policy: Checked out revision 2.20090730 %prep %setup -n serefpolicy-%{version} -q -%patch -p1 +%patch1 -p1 +%patch2 -p1 %install tar zxvf $RPM_SOURCE_DIR/config.tgz
@@ -449,6 +451,13 @@ exit 0 %endif %changelog +* Wed Jan 6 2010 Miroslav Grepl 3.6.32-67 +- Allow snmbd to send itself signal +- Allow virt_domain to read /dev/random +- Allow apcupsd to send itself signull +- Allow swat to transition to nmbd +- Add textrel_shlib_t label for /usr/local/lib/codecs/ + * Mon Jan 4 2010 Dan Walsh 3.6.32-66 - Allow lircd to use tcp_socket and connect/bind to port 8675
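Review bot: The new libraries.fc pattern `/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)*` puts every shared object under that tree into textrel_shlib_t, which exempts it from the execmod check, while the neighbouring system entry only matches `drv[1-9c]\.so`; a pattern limited to the codec libraries that actually need text relocations, or at least a comment above it such as `# <codec package> ships libraries with text relocations`, would keep the exemption from silently covering anything placed in /usr/local/lib/codecs/ later. In snmp.te the changed rule `allow snmpd_t self:process { signal signal_perms getsched setsched };` is equivalent to the old one, because the refpolicy signal_perms set already contains signal, so the "send itself signal" item in the subject (spelled snmbd there and in the changelog) is a no-op and whatever denial prompted it is presumably on a different permission. In apache.if the added `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` sits in the content template outside the tunable_policy blocks, so every httpd_*_script_t instantiated from the template gets it unconditionally and the template now hard-requires httpd_sys_content_t; a one-line comment stating which scripts need to traverse sys content would document that choice.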