From 277da5b355fdc222eea4d4b6b3b190a4d29896b1 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Feb 04 2010 18:23:37 +0000
Subject: - Fixes for cluster policy
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index c6611ad..288694e 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -802,6 +802,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_mmap_low_type(wine_t)
tunable_policy(`mmap_low_allowed',`
domain_mmap_low(wine_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-02-04 18:36:15.524100702 +0100
+@@ -219,7 +219,7 @@
+ /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/cluster/ocf-shellfunc -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in 2010-02-02 15:20:43.717067439 +0100
@@ -846,8 +858,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(dns, udp,53,s0, tcp,53,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-02 15:44:16.896067937 +0100
-@@ -83,6 +83,7 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-04 16:53:06.664653707 +0100
+@@ -19,6 +19,7 @@
+ /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
+ /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
+ /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -83,6 +84,7 @@
/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
@@ -855,7 +875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
-@@ -103,6 +104,7 @@
+@@ -103,6 +105,7 @@
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
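Review bot: The new file context `/dev/misc/dlm.*` only matches dlm nodes under /dev/misc, whereas nearby entries that can live in either place use the `(misc/)?` form (compare `/dev/(misc/)?psaux` in the next hunk). I cannot confirm from here whether udev ever creates `dlm-control` directly under /dev, but if it does, that node would stay `device_t` and none of the `dev_rw_dlm_control` rules added in this patch would apply to it; `/dev/(misc/)?dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)` covers both spellings at no cost. Note also that `dlm.*` labels every dlm node, not just `dlm-control`, which is wider than the devices.te comment for the type suggests.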
@@ -863,7 +883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
-@@ -162,6 +164,8 @@
+@@ -162,6 +165,8 @@
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
@@ -874,8 +894,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-27 17:35:46.879614965 +0100
-@@ -3551,6 +3551,24 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-04 18:30:05.373350781 +0100
+@@ -1398,6 +1398,42 @@
+ rw_chr_files_pattern($1, device_t, crypt_device_t)
+ ')
+
++#######################################
++##
++## Set the attributes of the dlm control devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_dlm_control',`
++ gen_require(`
++ type device_t, kvm_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
++')
++
++#######################################
++##
++## Read and write the the dlm control device
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_dlm_control',`
++ gen_require(`
++ type device_t, dlm_control_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, dlm_control_device_t)
++')
++
+ ########################################
+ ##
+ ## getattr the dri devices.
+@@ -3551,6 +3587,24 @@
rw_chr_files_pattern($1, device_t, usb_device_t)
')
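Review bot: `dev_setattr_dlm_control` requires the wrong type: its `gen_require` reads `type device_t, kvm_device_t;` while the body uses `dlm_control_device_t`, so the interface declares a dependency it does not have and omits the one it does (it presumably still builds only because devices.if and devices.te are compiled into the same module). It should be `type device_t, dlm_control_device_t;`, matching `dev_rw_dlm_control` directly below it. While here, the summary of `dev_rw_dlm_control` reads `Read and write the the dlm control device`; drop the doubled `the`, and make the two summaries agree on whether they cover one device or the `dlm control devices`.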
@@ -900,7 +963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Mount a usbfs filesystem.
-@@ -3833,6 +3851,24 @@
+@@ -3833,6 +3887,24 @@
write_chr_files_pattern($1, device_t, v4l_device_t)
')
@@ -927,8 +990,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write VMWare devices.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-27 17:34:18.787624215 +0100
-@@ -228,11 +228,23 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-02-04 16:53:11.965403508 +0100
+@@ -59,6 +59,12 @@
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+
++#
++# dlm_misc_device_t is the type of /dev/misc/dlm-control
++#
++type dlm_control_device_t;
++dev_node(dlm_control_device_t)
++
+ type dri_device_t;
+ dev_node(dri_device_t)
+
+@@ -228,11 +234,23 @@
genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
#
@@ -1062,7 +1138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-02-03 15:45:55.176148406 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-02-04 16:36:56.307403800 +0100
@@ -96,6 +96,7 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
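Review bot: The comment introducing the new type in devices.te names `dlm_misc_device_t`, but the type declared two lines below is `dlm_control_device_t`; the stale name will send the next reader grepping for a type that does not exist. Suggest `# dlm_control_device_t is the type of the dlm devices under /dev/misc (dlm-control etc.)`, which also reflects that the file context added in this patch labels `/dev/misc/dlm.*` rather than only dlm-control.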
@@ -1071,7 +1147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_memory_dev(abrt_t)
-@@ -176,6 +177,13 @@
+@@ -176,6 +177,16 @@
sssd_stream_connect(abrt_t)
')
@@ -1079,13 +1155,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ gen_require(`
+ attribute domain;
+ ')
++
++ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
++ allow abrt_t domain:process setrlimit;
+')
+
permissive abrt_t;
########################################
-@@ -200,10 +208,13 @@
+@@ -200,10 +211,13 @@
files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)
@@ -1333,6 +1412,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ gpsd_rw_shm(chronyd_t)
+')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te
+--- nsaserefpolicy/policy/modules/services/corosync.te 2010-01-18 18:24:22.764539991 +0100
++++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-02-04 15:37:12.010078276 +0100
+@@ -73,6 +73,8 @@
+
+ kernel_read_system_state(corosync_t)
+
++domain_read_all_domains_state(corosync_t)
++
+ corenet_udp_bind_netsupport_port(corosync_t)
+
+ corecmd_exec_bin(corosync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-03 21:39:39.157822554 +0100
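Review bot: `allow abrt_t domain:process setrlimit;` combined with the new `allow abrt_t self:capability sys_resource;` lets abrt change the resource limits of every process on the system, and it sits next to the existing `allow abrt_t domain:file write;`, which already covers the /proc files of every domain — these are blanket grants on the `domain` attribute rather than on the crashing process abrt is handling. They are inert while `permissive abrt_t;` stands, but they become live the moment that line is dropped, so I would narrow them to the domains abrt actually needs (the hunk does not show which) or, if they only exist to silence noise, turn them into `dontaudit` rules. The block these rules sit in begins outside the hunk (the `gen_require` is its first visible line), so the condition that guards it is not visible here.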
@@ -2235,9 +2326,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te
+--- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-01-18 18:24:22.871540122 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-04 18:32:00.142100552 +0100
+@@ -22,6 +22,9 @@
+ type rgmanager_tmp_t;
+ files_tmp_file(rgmanager_tmp_t)
+
++type rgmanager_tmpfs_t;
++files_tmpfs_file(rgmanager_tmpfs_t)
++
+ # log files
+ type rgmanager_var_log_t;
+ logging_log_file(rgmanager_var_log_t)
+@@ -51,6 +54,10 @@
+ manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+ files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+
++manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
++manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
++fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
++
+ # log files
+ manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t)
+ logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file })
+@@ -61,6 +68,7 @@
+ files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file })
+
+ aisexec_stream_connect(rgmanager_t)
++corosync_stream_connect(rgmanager_t)
+ groupd_stream_connect(rgmanager_t)
+
+ corecmd_exec_bin(rgmanager_t)
+@@ -74,7 +82,8 @@
+ fs_getattr_xattr_fs(rgmanager_t)
+
+ # need to write to /dev/misc/dlm-control
+-dev_manage_generic_chr_files(rgmanager_t)
++dev_rw_dlm_control(rgmanager_t)
++dev_setattr_dlm_control(rgmanager_t)
+ dev_search_sysfs(rgmanager_t)
+
+ domain_read_all_domains_state(rgmanager_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-01-18 18:24:22.872542275 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-01 16:27:13.351081209 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-04 14:38:28.643078705 +0100
@@ -1,19 +1,19 @@
-/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -2246,7 +2379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
-+/usr//sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
@@ -2262,6 +2395,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te
+--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-04 18:42:27.090100886 +0100
+@@ -128,10 +128,12 @@
+ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+ aisexec_stream_connect(dlm_controld_t)
+ ccs_stream_connect(dlm_controld_t)
++corosync_stream_connect(dlm_controld_t)
+ groupd_stream_connect(dlm_controld_t)
+
+ kernel_read_system_state(dlm_controld_t)
+
++dev_rw_dlm_control(dlm_controld_t)
+ dev_rw_sysfs(dlm_controld_t)
+
+ fs_manage_configfs_files(dlm_controld_t)
+@@ -258,14 +260,16 @@
+
+ aisexec_stream_connect(gfs_controld_t)
+ ccs_stream_connect(gfs_controld_t)
++corosync_stream_connect(gfs_controld_t)
+ groupd_stream_connect(gfs_controld_t)
+
+ kernel_read_system_state(gfs_controld_t)
+
+ storage_getattr_removable_dev(gfs_controld_t)
+
+-dev_manage_generic_chr_files(gfs_controld_t)
+-#dev_read_sysfs(gfs_controld_t)
++dev_rw_dlm_control(gfs_controld_t)
++dev_setattr_dlm_control(gfs_controld_t)
++
+ dev_rw_sysfs(gfs_controld_t)
+
+ init_rw_script_tmp_files(gfs_controld_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-01 20:42:31.450160322 +0100
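Review bot: `dlm_controld_t` receives `dev_rw_dlm_control` but not `dev_setattr_dlm_control`, while `gfs_controld_t` in the second hunk and `rgmanager_t` elsewhere in this patch get both; if the asymmetry is intentional it deserves a one-line comment, and if not, dlm_controld will hit a setattr denial the first time it changes the node's mode or owner. Conversely, gfs_controld's previous rule was the much wider `dev_manage_generic_chr_files`, so it is worth checking the audit log that it really needs setattr rather than inheriting it from the old blanket grant. A comment such as `# dlm_controld only opens the node; gfs_controld also adjusts its attributes` — or dropping the extra setattr — would settle it either way.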
@@ -2380,6 +2548,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te
+--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-01-18 18:24:22.896530172 +0100
++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2010-02-04 18:16:54.117060833 +0100
+@@ -147,6 +147,8 @@
+
+ kernel_read_kernel_sysctls(spamassassin_t)
+
++corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
++
+ dev_read_urand(spamassassin_t)
+
+ fs_search_auto_mountpoints(spamassassin_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-18 18:27:02.774530790 +0100
@@ -3236,7 +3416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-03 22:20:55.858821762 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-04 17:25:21.696810756 +0100
@@ -40,6 +40,7 @@
attribute init_script_domain_type;
attribute init_script_file_type;
@@ -3264,6 +3444,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
+@@ -885,6 +891,9 @@
+ # Allow SELinux aware applications to request rpm_script_t execution
+ rpm_transition_script(initrc_t)
+
++ optional_policy(`
++ rtkit_daemon_system_domain(initrc_t)
++ ')
+
+ optional_policy(`
+ gen_require(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-01-18 18:24:22.939530053 +0100
+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-01-27 17:43:20.027613211 +0100
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4368629..4ef7924 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 82%{?dist}
+Release: 83%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -454,6 +454,9 @@ exit 0
%endif
%changelog
+* Wed Feb 4 2010 Miroslav Grepl 3.6.32-83
+- Fixes for cluster policy
+
* Wed Feb 3 2010 Miroslav Grepl 3.6.32-82
- Add label for /root/.Xdefaults
- Allow xauth to read symbolic links on a NFS filesystem
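Review bot: `rtkit_daemon_system_domain(initrc_t)` targets `initrc_t`, the domain every init script and every daemon without its own domain runs in, so whatever the interface grants (presumably rtkit adjusting the scheduling of the named domain; its body is not visible here) now applies to all of them rather than to the one service that triggered it. If a specific daemon prompted this, giving it its own domain and calling the interface on that type is the tighter fix; otherwise a comment like `# rtkit adjusts scheduling of services still running as initrc_t` would record why the broad grant was chosen. The block of init.te this lands in starts and ends outside the hunk.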