From 4d6782fd89f019ecb9bd7aec5d89979ea43d708c Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 10 2013 10:37:32 +0000 Subject: * Tue Sep 10 2013 Lukas Vrabec 3.10.1-103 - Allow virt_domain to read virt_var_run_t symlinks - Allow polipo to connect to tor port - Add additional fixes for abrt-upload-watch --- diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index b755ee5..fffec53 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -370,7 +370,7 @@ index 0b827c5..cce58bb 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/abrt.te b/abrt.te -index 30861ec..9551f2f 100644 +index 30861ec..6c5549d 100644 --- a/abrt.te +++ b/abrt.te @@ -5,13 +5,41 @@ policy_module(abrt, 1.2.0) @@ -454,7 +454,7 @@ index 30861ec..9551f2f 100644 application_domain(abrt_helper_t, abrt_helper_exec_t) role system_r types abrt_helper_t; -@@ -43,14 +82,40 @@ ifdef(`enable_mcs',` +@@ -43,14 +82,43 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -484,6 +484,9 @@ index 30861ec..9551f2f 100644 +abrt_basic_types_template(abrt_upload_watch) +init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) + ++type abrt_upload_watch_tmp_t; ++files_tmp_file(abrt_upload_watch_tmp_t) ++ ######################################## # # abrt local policy @@ -497,7 +500,7 @@ index 30861ec..9551f2f 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +124,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +127,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files 
@@ -505,7 +508,7 @@ index 30861ec..9551f2f 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -68,7 +134,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -68,7 +137,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) # abrt tmp files manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) @@ -515,7 +518,7 @@ index 30861ec..9551f2f 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -76,16 +144,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -76,16 +147,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) @@ -536,7 +539,7 @@ index 30861ec..9551f2f 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -93,7 +163,6 @@ corecmd_exec_shell(abrt_t) +@@ -93,7 +166,6 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -544,7 +547,7 @@ index 30861ec..9551f2f 100644 corenet_tcp_sendrecv_generic_if(abrt_t) corenet_tcp_sendrecv_generic_node(abrt_t) corenet_tcp_sendrecv_generic_port(abrt_t) -@@ -104,6 +173,8 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +176,8 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -553,7 +556,7 @@ index 30861ec..9551f2f 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +184,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +187,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) 
@@ -563,7 +566,7 @@ index 30861ec..9551f2f 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +193,9 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +196,9 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -573,7 +576,7 @@ index 30861ec..9551f2f 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +206,39 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +209,39 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -617,7 +620,7 @@ index 30861ec..9551f2f 100644 ') optional_policy(` -@@ -167,6 +259,7 @@ optional_policy(` +@@ -167,6 +262,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -625,7 +628,7 @@ index 30861ec..9551f2f 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,9 +271,36 @@ optional_policy(` +@@ -178,9 +274,36 @@ optional_policy(` ') optional_policy(` @@ -662,7 +665,7 @@ index 30861ec..9551f2f 100644 ######################################## # # abrt--helper local policy -@@ -196,13 +316,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -196,13 +319,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -680,7 +683,7 @@ index 30861ec..9551f2f 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -211,12 +334,11 @@ auth_use_nsswitch(abrt_helper_t) +@@ -211,12 +337,11 @@ auth_use_nsswitch(abrt_helper_t) logging_send_syslog_msg(abrt_helper_t) 
@@ -695,7 +698,7 @@ index 30861ec..9551f2f 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +346,170 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +349,188 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -847,13 +850,31 @@ index 30861ec..9551f2f 100644 +# abrt-upload-watch local policy +# + ++allow abrt_upload_watch_t self:capability dac_override; ++ ++manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir}) ++ ++read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) ++ ++manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t) ++ +corecmd_exec_bin(abrt_upload_watch_t) + ++dev_read_urand(abrt_upload_watch_t) ++ ++auth_read_passwd(abrt_upload_watch_t) ++ +tunable_policy(`abrt_upload_watch_anon_write',` + miscfiles_manage_public_files(abrt_upload_watch_t) +') + +optional_policy(` ++ dbus_system_bus_client(abrt_upload_watch_t) ++') ++ ++optional_policy(` + unconfined_domain(abrt_upload_watch_t) +') + @@ -50309,10 +50330,10 @@ index 0000000..d00f6ba +') diff --git a/polipo.te b/polipo.te new file mode 100644 -index 0000000..a0b37ad +index 0000000..a97313e --- /dev/null +++ b/polipo.te -@@ -0,0 +1,159 @@ +@@ -0,0 +1,160 @@ +policy_module(polipo, 1.0.0) + +######################################## 
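Review bot: In the abrt-upload-watch hunk, `++manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)` passes the tmp file type as the subject of the pattern, whereas every other rule added here uses the daemon domain `abrt_upload_watch_t`; a file type never runs as a process, so this rule grants the daemon nothing and the intended access to the abrt cache directories is missing. It looks like a typo for `manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)`. The new `allow abrt_upload_watch_t self:capability dac_override;` lets the domain bypass every discretionary permission check on files it can otherwise reach, so it is worth confirming that it is not just masking an ownership or mode problem on the files it needs and whether `dac_read_search` would be sufficient. For consistency with the abrt_t rules earlier in this patch, which write `{ file dir }`, the transition line would read `files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, { file dir })`.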
@@ -50409,6 +50430,7 @@ index 0000000..a0b37ad +corenet_tcp_bind_http_cache_port(polipo_daemon) +corenet_sendrecv_http_cache_server_packets(polipo_daemon) +corenet_tcp_connect_http_port(polipo_daemon) ++corenet_tcp_connect_tor_port(polipo_daemon) + +files_read_usr_files(polipo_daemon) + @@ -73842,7 +73864,7 @@ index 2124b6a..d60e3e4 100644 +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..b6aaf56 100644 +index 6f0736b..b6bde4c 100644 --- a/virt.if +++ b/virt.if @@ -13,67 +13,30 @@ @@ -74082,7 +74104,7 @@ index 6f0736b..b6aaf56 100644 ') ######################################## -@@ -233,6 +286,24 @@ interface(`virt_read_content',` +@@ -233,6 +286,43 @@ interface(`virt_read_content',` ######################################## ## @@ -74104,10 +74126,29 @@ index 6f0736b..b6aaf56 100644 + +######################################## +## ++## Read virt PID symlinks files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_read_pid_symlinks',` ++ gen_require(` ++ type virt_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) ++') ++ ++######################################## ++## ## Read virt PID files. ## ## -@@ -252,6 +323,28 @@ interface(`virt_read_pid_files',` +@@ -252,6 +342,28 @@ interface(`virt_read_pid_files',` ######################################## ## @@ -74136,7 +74177,7 @@ index 6f0736b..b6aaf56 100644 ## Manage virt pid files. ## ## -@@ -263,10 +356,47 @@ interface(`virt_read_pid_files',` +@@ -263,10 +375,47 @@ interface(`virt_read_pid_files',` interface(`virt_manage_pid_files',` gen_require(` type virt_var_run_t; 
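Review bot: The summary of the new `virt_read_pid_symlinks` interface, `## Read virt PID symlinks files.`, is ungrammatical; the neighbouring interface on this page is documented as `## Read virt PID files.`, so `## Read virt PID symlinks.` would match the existing style. It may also help callers to state in the description that `read_lnk_files_pattern` only grants reading the link itself, so whatever a link under virt_var_run_t points at still needs its own rule in the caller, e.g. `## The link targets are not covered; callers need access to the target type.`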
@@ -74184,7 +74225,7 @@ index 6f0736b..b6aaf56 100644 ') ######################################## -@@ -310,6 +440,24 @@ interface(`virt_read_lib_files',` +@@ -310,6 +459,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -74209,7 +74250,7 @@ index 6f0736b..b6aaf56 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -354,9 +502,9 @@ interface(`virt_read_log',` +@@ -354,9 +521,9 @@ interface(`virt_read_log',` ## virt log files. ## ## @@ -74221,7 +74262,7 @@ index 6f0736b..b6aaf56 100644 ## # interface(`virt_append_log',` -@@ -390,6 +538,25 @@ interface(`virt_manage_log',` +@@ -390,6 +557,25 @@ interface(`virt_manage_log',` ######################################## ## @@ -74247,7 +74288,7 @@ index 6f0736b..b6aaf56 100644 ## Allow domain to read virt image files ## ## -@@ -410,6 +577,7 @@ interface(`virt_read_images',` +@@ -410,6 +596,7 @@ interface(`virt_read_images',` read_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) read_blk_files_pattern($1, virt_image_type, virt_image_type) @@ -74255,7 +74296,7 @@ index 6f0736b..b6aaf56 100644 tunable_policy(`virt_use_nfs',` fs_list_nfs($1) -@@ -426,6 +594,42 @@ interface(`virt_read_images',` +@@ -426,6 +613,42 @@ interface(`virt_read_images',` ######################################## ## @@ -74298,7 +74339,7 @@ index 6f0736b..b6aaf56 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -435,15 +639,15 @@ interface(`virt_read_images',` +@@ -435,15 +658,15 @@ interface(`virt_read_images',` ## ## # @@ -74319,7 +74360,7 @@ index 6f0736b..b6aaf56 100644 ') ######################################## -@@ -468,20 +672,94 @@ interface(`virt_manage_images',` +@@ -468,20 +691,94 @@ interface(`virt_manage_images',` manage_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) rw_blk_files_pattern($1, virt_image_type, virt_image_type) 
@@ -74422,7 +74463,7 @@ index 6f0736b..b6aaf56 100644 ######################################## ## ## All of the rules required to administrate -@@ -502,10 +780,20 @@ interface(`virt_manage_images',` +@@ -502,10 +799,20 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; @@ -74444,7 +74485,7 @@ index 6f0736b..b6aaf56 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) -@@ -517,4 +805,342 @@ interface(`virt_admin',` +@@ -517,4 +824,342 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -74788,7 +74829,7 @@ index 6f0736b..b6aaf56 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 947bbc6..3ae3c76 100644 +index 947bbc6..2757963 100644 --- a/virt.te +++ b/virt.te @@ -4,57 +4,97 @@ policy_module(virt, 1.5.0) @@ -75407,7 +75448,7 @@ index 947bbc6..3ae3c76 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -402,70 +592,799 @@ optional_policy(` +@@ -402,70 +592,800 @@ optional_policy(` # # virtual domains common policy # @@ -75564,6 +75605,7 @@ index 947bbc6..3ae3c76 100644 virt_read_lib_files(virt_domain) virt_read_content(virt_domain) virt_stream_connect(virt_domain) ++ virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index 70d3b90..9cf9b06 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 102%{?dist} +Release: 103%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -521,6 +521,11 @@ SELinux Reference policy mls base module. %endif %Changelog +* Tue Sep 10 2013 Lukas Vrabec 3.10.1-103 +- Allow virt_domain to read virt_var_run_t symlinks +- Allow polipo to connect to tor port +- Add additional fixes for abrt-upload-watch + * Tue Sep 03 2013 Lukas Vrabec 3.10.1-102 - Fix syntax error in mock policy - Allow glusterd to create sock_file in /run