From f749aef4103645d1642e8fa90adf59adf0126105 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Aug 20 2007 22:22:36 +0000
Subject: - Allow rpcd to write to sysctl_fs_t
---
diff --git a/policy-20070501.patch b/policy-20070501.patch
index 9508709..9b36df5 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -2795,7 +2795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.6.4/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.fc 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.fc 2007-08-20 15:01:13.000000000 -0400
 @@ -1,10 +1,5 @@
 # temporary hack till genhomedircon is fixed
 -ifdef(`targeted_policy',`
@@ -2826,7 +2826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
 +#viewvc file context
 +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
-+
++/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if 2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-13 19:33:33.000000000 -0400
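Review bot: The new file context `/var/www/html/[^/]*/cgi-bin(/.*)?` → httpd_sys_script_exec_t only matches a cgi-bin directory exactly one level below /var/www/html; a deeper tree such as `/var/www/html/a/b/cgi-bin` is not matched and presumably keeps the plain content label, so the depth limit should be deliberate and recorded, e.g. `# per-vhost cgi-bin, one directory level below the docroot only` above the line. Since this marks content under the default docroot as executable by httpd, it widens what anyone who can write into such a directory can get executed; a note naming the vhost layout it targets would let a later reader judge that trade-off. Loading the policy does not relabel existing trees, so the new label only takes effect after `restorecon -R /var/www/html`, which neither the hunk nor the changelog mentions.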
@@ -3080,7 +3080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-14 06:47:44.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-20 15:05:12.000000000 -0400
 @@ -1,5 +1,5 @@
 -policy_module(apache,1.6.0)
@@ -3285,16 +3285,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -606,6 +672,8 @@
+@@ -606,6 +672,10 @@
 manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
++can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
++
 +auth_use_nsswitch(httpd_suexec_t)
 +
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -668,6 +736,12 @@
+@@ -668,6 +738,12 @@
 fs_exec_nfs_files(httpd_suexec_t)
 ')
@@ -3307,7 +3309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 fs_read_cifs_files(httpd_suexec_t)
 fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -685,18 +759,6 @@
+@@ -685,18 +761,6 @@
 dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@@ -3326,7 +3328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache system script local policy
-@@ -706,7 +768,8 @@
+@@ -706,7 +770,8 @@
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
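Review bot: `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` grants execute_no_trans, i.e. it lets suexec run httpd_sys_script_exec_t files while remaining in httpd_suexec_t instead of moving to the confined httpd_sys_script_t domain. If apache.te already has a domtrans_pattern for that transition (not visible in this hunk), a matching type_transition still fires on exec and this rule only covers the case where no transition applies — which is precisely the case where the CGI then runs with suexec's own permissions rather than the script domain's, so the rule deserves a one-line justification such as `# suexec may run CGI in its own domain where no sys_script transition applies`. If that fallback is meant to be optional, it belongs inside the corresponding tunable_policy block rather than unconditionally next to the tmp-file rules. The httpd_suexec_t policy continues outside the hunk on both sides.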
@@ -3336,7 +3338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,21 +783,64 @@
+@@ -720,21 +785,64 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -3406,7 +3408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 fs_read_cifs_files(httpd_sys_script_t)
 fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -754,14 +860,8 @@
+@@ -754,14 +862,8 @@
 # Apache unconfined script local policy
 #
@@ -3422,7 +3424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -784,7 +884,26 @@
+@@ -784,7 +886,26 @@
 miscfiles_read_localization(httpd_rotatelogs_t)
@@ -3724,7 +3726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.6.4/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/bind.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/bind.te 2007-08-20 15:53:18.000000000 -0400
 @@ -119,6 +119,10 @@
 corenet_sendrecv_rndc_server_packets(named_t)
 corenet_sendrecv_rndc_client_packets(named_t)
@@ -3736,7 +3738,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
-@@ -236,6 +240,7 @@
+@@ -159,6 +163,8 @@
+ manage_lnk_files_pattern(named_t,named_zone_t,named_zone_t)
+ ')
+
++auth_use_nsswitch(named_t)
++
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+@@ -180,6 +186,10 @@
+ ')
+
+ optional_policy(`
++ kerberos_use(named_t)
++')
++
++optional_policy(`
+ # this seems like fds that arent being
+ # closed. these should probably be
+ # dontaudits instead.
+@@ -236,6 +246,7 @@
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
@@ -7060,7 +7082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-08-20 14:56:56.000000000 -0400
 @@ -59,10 +59,14 @@
 manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -7071,7 +7093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 kernel_search_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)
-+kernel_read_fs_sysctls(rpcd_t)
++kernel_rw_fs_sysctls(rpcd_t)
 +kernel_getattr_core_if(nfsd_t)
 fs_list_rpc(rpcd_t)
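Review bot: The new `optional_policy(` kerberos_use(named_t) ')` block in bind.te says nothing about what named needs Kerberos for; if the purpose is GSS-TSIG signed dynamic updates, named also has to read its keytab, and nothing in this hunk grants that, so confirm against kerberos.if whether `kerberos_use` covers more than the client config and KDC traffic and add the keytab interface alongside if this tree has one. Suggest `# GSS-TSIG dynamic updates: krb5 client config` above the call so the grant is traceable. The same hunk adds `auth_use_nsswitch(named_t)` unconditionally; if that interface already pulls in kerberos access via its own optional_policy in this tree, the separate block is redundant — worth checking before carrying both. The named_t policy continues outside the hunk on both sides.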
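Review bot: Replacing `kernel_read_fs_sysctls(rpcd_t)` with `kernel_rw_fs_sysctls(rpcd_t)` gives every daemon running in rpcd_t write access to the whole sysctl_fs_t tree under /proc/sys/fs (file-max and suid_dumpable among others), while the daemon that needs it is presumably rpc.statd writing its NSM state under /proc/sys/fs/nfs/; the hunk and the changelog do not say which denial prompted the widening. Record it next to the rule, e.g. `# rpc.statd writes /proc/sys/fs/nfs/nsm_local_state` adjusted to the actual AVC, so a later reader can tell whether a narrower type would do once one exists. The rpcd_t block continues outside the hunk on both sides.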
@@ -9438,7 +9460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 # vmware
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-08-13 07:21:34.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-08-20 17:13:12.000000000 -0400
 @@ -55,14 +55,15 @@
 # ldconfig local policy
 #
@@ -9465,7 +9487,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 files_search_var_lib(ldconfig_t)
 files_read_etc_files(ldconfig_t)
 files_search_tmp(ldconfig_t)
-@@ -99,8 +101,9 @@
+@@ -81,6 +83,8 @@
+
+ init_use_script_ptys(ldconfig_t)
+
++corecmd_search_bin(ldconfig_t)
++
+ libs_use_ld_so(ldconfig_t)
+ libs_use_shared_libs(ldconfig_t)
+
+@@ -99,8 +103,9 @@
 ifdef(`targeted_policy',`
 allow ldconfig_t lib_t:file read_file_perms;
 files_read_generic_tmp_symlinks(ldconfig_t)
@@ -9477,7 +9508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 ')
 optional_policy(`
-@@ -113,4 +116,6 @@
+@@ -113,4 +118,6 @@
 # and executes ldconfig on it. If you dont allow this kernel installs
 # blow up.
 rpm_manage_script_tmp_files(ldconfig_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7c2b53f..c640403 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 38%{?dist}
+Release: 39%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
 %endif
 %changelog
+* Mon Aug 20 2007 Dan Walsh 2.6.4-39
+- Allow rpcd to write to sysctl_fs_t
+
 * Tue Aug 13 2007 Dan Walsh 2.6.4-38
 - Fix nagios_cgi problems
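Review bot: `corecmd_search_bin(ldconfig_t)` is added to libraries.te without a word on which path ldconfig is walking under a bin_t directory, and the changelog entry for this release does not mention it either, so it reads as a stray grant picked up from an audit log. A why-comment filled in from the denial, e.g. `# search on bin_t: ldconfig walks <path> (see AVC)`, would keep the next person from silently carrying it forward. The ldconfig_t block continues outside the hunk on both sides.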