From cdc5b616164585a98f1b533f693010efaed3c642 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Nov 19 2009 11:10:15 +0000
Subject: - Allow mysqld_safe_t to read generic kernel sysctls - Dontaudit netutils sys_module capability - Fix nfs_selinux man page
---
diff --git a/policy-20090521.patch b/policy-20090521.patch
index 9d48106..15bc23c 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -1,3 +1,27 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.12/man/man8/nfs_selinux.8
+--- nsaserefpolicy/man/man8/nfs_selinux.8 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/man/man8/nfs_selinux.8 2009-11-19 10:29:57.000000000 +0100
+@@ -1,9 +1,9 @@
+ .TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
+ .SH "NAME"
+-nfs_selinux \- Security Enhanced Linux Policy for NFS
++nfs_selinux \- Security-Enhanced Linux Policy for NFS
+ .SH "DESCRIPTION"
+ 
+-Security Enhanced Linux secures the NFS server via flexible mandatory access
++Security-Enhanced Linux secures the NFS server via flexible mandatory access
+ control.
+ .SH BOOLEANS
+ SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
+@@ -11,7 +11,7 @@
+ .TP
+ setsebool -P nfs_export_all_ro 1
+ .TP
+-If you want to share files read/write you must set the nfs_export_all_rw boolean.
++If you want to share NFS partitions, and allow read and write access to those NFS partitions, turn the nfs_export_all_rw boolean on:
+ .TP
+ setsebool -P nfs_export_all_rw 1
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.12/man/man8/samba_selinux.8
 --- nsaserefpolicy/man/man8/samba_selinux.8 2009-04-07 21:54:45.000000000 +0200
 +++ serefpolicy-3.6.12/man/man8/samba_selinux.8 2009-08-19 18:01:06.000000000 +0200
@@ -75,6 +99,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_send_syslog_msg(certwatch_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te
+--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-11-19 12:04:46.000000000 +0100
+@@ -62,3 +62,6 @@
+ optional_policy(`
+ udev_read_db(dmesg_t)
+ ')
++
++#mcelog needs
++dev_read_raw_memory(dmesg_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.12/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-06-25 10:19:43.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/admin/kismet.te 2009-07-07 08:55:43.000000000 +0200
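Review bot: `dev_read_raw_memory(dmesg_t)` in the dmesg.te hunk gives every dmesg_t process read access to the raw memory devices (memory_device_t, i.e. /dev/mem and /dev/kmem) unconditionally, and this change is not mentioned in the commit message, which lists only the mysqld_safe, netutils and nfs man-page items. If the trigger is mcelog running in dmesg_t, the narrower fix is a dedicated mcelog domain, or at least wrapping the access in an `optional_policy`/tunable so plain dmesg invocations do not inherit it. The one-word comment should record the reason and the observed denial, e.g. `# mcelog (executed as dmesg_t) reads the raw memory devices -- TODO: note the AVC denial that motivated this`. The inner dmesg.te hunk ends at the end of the file, so nothing of the enclosing block is cut off.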
@@ -164,6 +198,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  seutil_sigchld_newrole(mrtg_t)
  ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.12/policy/modules/admin/netutils.te
+--- nsaserefpolicy/policy/modules/admin/netutils.te 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-11-19 10:07:23.000000000 +0100
+@@ -38,7 +38,7 @@
+ 
+ # Perform network administration operations and have raw access to the network.
+ allow netutils_t self:capability { net_admin net_raw setuid setgid };
+-dontaudit netutils_t self:capability sys_tty_config;
++dontaudit netutils_t self:capability { sys_module sys_tty_config };
+ allow netutils_t self:process { sigkill sigstop signull signal };
+ allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+ allow netutils_t self:packet_socket create_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-06-25 10:19:43.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-06-25 10:21:01.000000000 +0200
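Review bot: the new `dontaudit netutils_t self:capability { sys_module sys_tty_config };` silences the sys_module denial without saying what provokes it, so a later reader cannot tell whether the request is harmless noise or a tool genuinely trying to load a kernel module. Presumably it comes from the kernel's module autoload path (a socket or protocol family that is not yet loaded) rather than a real module load, which is exactly why dontaudit rather than allow is the right call here, but that reasoning belongs in the file next to the rule. Suggest adding `# netutils trip a sys_module check via kernel module autoload; the denial is harmless, so suppress the noise -- do not turn this into an allow` above the dontaudit line.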
@@ -3487,8 +3533,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/mysql.te 2009-11-05 17:55:55.000000000 +0100
-@@ -136,10 +136,14 @@
++++ serefpolicy-3.6.12/policy/modules/services/mysql.te 2009-11-19 10:03:36.000000000 +0100
+@@ -136,15 +136,20 @@
  allow mysqld_safe_t self:capability { dac_override fowner chown };
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
@@ -3504,6 +3550,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  mysql_read_config(mysqld_safe_t)
  mysql_search_pid_files(mysqld_safe_t)
  mysql_write_log(mysqld_safe_t)
+ 
+ kernel_read_system_state(mysqld_safe_t)
++kernel_read_kernel_sysctls(mysqld_safe_t)
+ 
+ dev_list_sysfs(mysqld_safe_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te 2009-06-25 10:19:44.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/services/nis.te 2009-06-26 15:48:39.000000000 +0200
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8746212..2598bd7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 89%{?dist}
+Release: 90%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
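Review bot: `kernel_read_kernel_sysctls(mysqld_safe_t)` in the second mysql.te hunk opens the whole of /proc/sys/kernel (sysctl_kernel_t) to the wrapper script, and neither the hunk nor the commit message records which sysctl mysqld_safe actually reads. The generic interface is the usual refpolicy choice, but the motivating denial should be written down so the access can be narrowed later if a more specific interface becomes available, e.g. `# mysqld_safe reads /proc/sys/kernel/<SYSCTL> -- TODO: name the sysctl from the AVC`. The first hunk on this line only refreshes the inner patch's timestamp and hunk counts, and the selinux-policy.spec hunk is the release bump; neither needs a change.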
@@ -442,6 +442,11 @@ exit 0
 %endif
 %changelog
+* Thu Nov 19 2009 Miroslav Grepl 3.6.12-90
+- Allow mysqld_safe_t to read generic kernel sysctls
+- Dontaudit netutils sys_module capability
+- Fix nfs_selinux man page
+
 * Mon Nov 16 2009 Miroslav Grepl 3.6.12-89
 - Fix libADM* libs labeling
 - More textrel_shlib_t file path fixes