From 1a065bfc78d66731b28a58ec80bfdd3657b32507 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 14 2007 17:29:28 +0000 Subject: - Allow cyrus to authenticate via sasl - Allow sshd to work in tunnel mode - Allow sshd to use -R - Allow ssh to read user homedirs - Add /var/lib/tftp to tftp.fc - Add labels for /dev/dmmdi and /dev/admmdi - Allow postmap to be run by unconfined_t - Allow dictd to write pid file - Allow bluetooth to connectto unix_stream_sockets --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 07c58fb..4cfb659 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -7957,12 +7957,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.0.8/policy/modules/services/dictd.fc --- nsaserefpolicy/policy/modules/services/dictd.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dictd.fc 2007-11-14 11:37:22.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/dictd.fc 2007-11-14 12:26:30.000000000 -0500 @@ -4,3 +4,4 @@ /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) -+/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_exec_t,s0) ++/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.0.8/policy/modules/services/dictd.te --- nsaserefpolicy/policy/modules/services/dictd.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/dictd.te 2007-11-14 11:32:53.000000000 -0500 
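Review bot: The new `dictd_var_run_t` label on `/var/run/dictd\.pid` only helps if dictd.te declares the type and lets the daemon create the file, and the dictd.te hunk is not in this chunk, so I cannot confirm that. At minimum that file needs `type dictd_var_run_t; files_pid_file(dictd_var_run_t)`, `manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)` and `files_pid_filetrans(dictd_t, dictd_var_run_t, file)`; without the filetrans the pid file written at startup lands in `var_run_t` and this fc entry only matters at relabel time. Since the previous entry labeled a daemon-writable file with the entrypoint type, existing installs also need `restorecon /var/run/dictd.pid` (or a fresh /var/run) to pick up the corrected label, which is worth a line in the changelog.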
@@ -9163,7 +9163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal +term_search_ptys(ktalkd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.0.8/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ldap.te 2007-11-08 13:37:16.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/ldap.te 2007-11-14 12:20:04.000000000 -0500 @@ -42,7 +42,6 @@ dontaudit slapd_t self:capability sys_tty_config; allow slapd_t self:process setsched; @@ -9734,7 +9734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mysql.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mysql.te 2007-11-14 12:17:52.000000000 -0500 @@ -25,6 +25,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) @@ -18235,7 +18235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-10 07:24:23.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-14 12:20:47.000000000 -0500 @@ -29,8 +29,9 @@ ') 
@@ -19221,7 +19221,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4609,11 +4741,29 @@ +@@ -4410,6 +4542,7 @@ + ') + + dontaudit $1 sysadm_home_dir_t:dir getattr; ++ userdom_dontaudit_search_all_users_home_content($1) + ') + + ######################################## +@@ -4574,6 +4707,7 @@ + allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; + read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) + read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) ++ userdom_read_unpriv_users_home_content_files($1) + ') + + ######################################## +@@ -4609,11 +4743,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -19252,7 +19268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4783,14 @@ +@@ -4633,6 +4785,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -19267,7 +19283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5481,7 @@ +@@ -5323,7 +5483,7 @@ attribute user_tmpfile; ') @@ -19276,7 +19292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5346,6 +5504,25 @@ +@@ -5346,6 +5506,25 @@ ######################################## ## @@ -19302,7 +19318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all unprivileged users files in /tmp ## ## -@@ -5529,6 +5706,24 @@ +@@ -5529,6 +5708,24 @@ ######################################## ## 
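Review bot: Adding `userdom_read_unpriv_users_home_content_files($1)` inside the interface whose body is `allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;` plus the two `read_*_pattern` lines widens every existing caller of that interface, not only sshd, to read all unprivileged users' home files; the interface header and name are outside this hunk, so I am inferring which one it is from the body. If the intent is only the changelog's "Allow ssh to read user homedirs", the least-privilege change is `userdom_read_unpriv_users_home_content_files(sshd_t)` in ssh.te and the shared interface left as it was. The `userdom_dontaudit_search_all_users_home_content($1)` added next to `dontaudit $1 sysadm_home_dir_t:dir getattr;` has the same caller-wide effect and will hide search denials on every user's home for every caller, which makes real mislabeling harder to spot. Whichever way this goes, the interface doc comments (outside the hunk) should say the interfaces now cover unprivileged users' home content as well as sysadm's.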
@@ -19327,7 +19343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5559,3 +5754,379 @@ +@@ -5559,3 +5756,379 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 0bfe0bf..bcabe07 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 53%{?dist} +Release: 54%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -70,7 +70,7 @@ SELinux Policy development package %{_usr}/share/selinux/devel/Makefile %{_usr}/share/selinux/devel/policygentool %{_usr}/share/selinux/devel/example.* -%{_usr}/share/selinux/devel/policy.* +%{_usr}/share/selinux/devel/*.xml %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp %post devel @@ -216,7 +216,7 @@ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/ install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/ install -m 644 $RPM_SOURCE_DIR/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ -install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ +install -m 644 doc/*xml %{buildroot}%{_usr}/share/selinux/devel/ echo "htmlview file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp 
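Review bot: The install line `install -m 644 doc/*xml %{buildroot}%{_usr}/share/selinux/devel/` uses a different glob from the `%files` entry `%{_usr}/share/selinux/devel/*.xml`: the first matches any name ending in `xml` (no dot), the second only `.xml` files, so a doc file matching the first but not the second would be installed yet unpackaged and fail the build. Use the same pattern in both places, `install -m 644 doc/*.xml %{buildroot}%{_usr}/share/selinux/devel/`. Both globs are also wider than the old `policy.*`, so anything later dropped into doc/ with that suffix silently joins the devel subpackage; if only the policy XML is wanted, naming it explicitly is safer, though I cannot see doc/ to confirm what else is there.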
@@ -380,6 +380,17 @@ exit 0 %endif %changelog +* Mon Nov 12 2007 Dan Walsh 3.0.8-54 +- Allow cyrus to authenticate via sasl +- Allow sshd to work in tunnel mode +- Allow sshd to use -R +- Allow ssh to read user homedirs +- Add /var/lib/tftp to tftp.fc +- Add labels for /dev/dmmdi and /dev/admmdi +- Allow postmap to be run by unconfined_t +- Allow dictd to write pid file +- Allow bluetooth to connectto unix_stream_sockets + * Mon Nov 12 2007 Dan Walsh 3.0.8-53 - Allow bugzilla policy to connect to postgresql and mysql on other machines