From 60c693e546734a89682bc968308518ea27b7f8b5 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 03 2008 13:39:47 +0000 Subject: - Fixes for nsplugin --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 368c3f6..c98a216 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -4122,8 +4122,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.6/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/apps/nsplugin.te 2008-02-01 22:19:57.000000000 -0500 -@@ -0,0 +1,135 @@ ++++ serefpolicy-3.2.6/policy/modules/apps/nsplugin.te 2008-02-03 08:32:51.000000000 -0500 +@@ -0,0 +1,136 @@ +policy_module(nsplugin,1.0.0) + +######################################## @@ -4156,7 +4156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +# nsplugin local policy +# +allow nsplugin_t self:fifo_file rw_file_perms; -+allow nsplugin_t self:process getsched; ++allow nsplugin_t self:process { ptrace getsched }; + +manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) +manage_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) @@ -4169,6 +4169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +corenet_all_recvfrom_unlabeled(nsplugin_t) +corenet_all_recvfrom_netlabel(nsplugin_t) +corenet_tcp_connect_flash_port(nsplugin_t) ++corenet_tcp_connect_http_port(nsplugin_t) +corenet_tcp_sendrecv_generic_if(nsplugin_t) +corenet_tcp_sendrecv_all_nodes(nsplugin_t) + 
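Review bot: `allow nsplugin_t self:process { ptrace getsched };` in the second hunk lets any nsplugin_t process ptrace every other process in the same domain, so one plugin instance can read and rewrite the memory of any sibling plugin running as that user, and nothing in the hunk records which plugin or wrapper needs it. If the requirement is real, put the reason above the rule (`# ptrace: required by <which plugin/wrapper — TODO confirm>`) and consider wrapping the ptrace permission in a `tunable_policy` block so it can be switched off on hosts that do not need it. The nsplugin.te module body continues outside these hunks.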
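Review bot: `corenet_tcp_connect_http_port(nsplugin_t)` in the third hunk widens the domain's outbound network access from the flash port to HTTP for every plugin that runs as nsplugin_t, unconditionally. A one-line comment naming the plugin that needs it (`# <plugin — TODO confirm> fetches content over plain HTTP`) would tell the next maintainer whether the grant can be narrowed later, since it is not tied to the nsplugin fix named in the subject.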
@@ -5559,7 +5560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.6/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.2.6/policy/modules/kernel/filesystem.if 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/kernel/filesystem.if 2008-02-02 17:18:44.000000000 -0500 @@ -310,6 +310,25 @@ ######################################## @@ -5621,6 +5622,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## +@@ -3039,6 +3077,25 @@ + + ######################################## + ## ++## Read and write block nodes on removable filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_removable_blk_files',` ++ gen_require(` ++ type removable_t; ++ ') ++ ++ allow $1 removable_t:dir list_dir_perms; ++ rw_blk_files_pattern($1,removable_t,removable_t) ++') ++ ++######################################## ++## + ## Relabel block nodes on tmpfs filesystems. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.6/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-12-19 05:32:07.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/kernel/filesystem.te 2008-02-01 16:01:42.000000000 -0500 
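Review bot: The new `fs_rw_removable_blk_files` interface grants read/write on every block node labeled removable_t, which is raw device access that bypasses whatever filesystem sits on that medium, but its summary says only "Read and write block nodes on removable filesystems." Spell the scope out so callers understand what they are asking for, e.g. `## Read and write raw block device nodes labeled removable_t (any removable disk, not a single device); bypasses filesystem permissions on that medium.` The interface body itself is complete within the hunk.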
@@ -23494,8 +23521,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.6/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/qemu.te 2008-02-02 10:40:41.000000000 -0500 -@@ -0,0 +1,56 @@ ++++ serefpolicy-3.2.6/policy/modules/system/qemu.te 2008-02-02 17:19:03.000000000 -0500 +@@ -0,0 +1,58 @@ +policy_module(qemu,1.0.0) + +######################################## @@ -23533,6 +23560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +corenet_rw_tun_tap_dev(qemu_t) + +virt_manage_image(qemu_t) ++virt_read_config(qemu_t) + +dev_rw_kvm(qemu_t) + @@ -23542,6 +23570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +files_search_all(qemu_t) + +fs_rw_anon_inodefs_files(qemu_t) ++fs_rw_removable_blk_files(qemu_t) + +term_use_ptmx(qemu_t) +term_getattr_pty_fs(qemu_t) @@ -27805,8 +27834,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.6/policy/modules/system/virt.fc --- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/virt.fc 2008-02-02 01:21:35.000000000 -0500 -@@ -0,0 +1,8 @@ ++++ serefpolicy-3.2.6/policy/modules/system/virt.fc 2008-02-02 17:13:58.000000000 -0500 +@@ -0,0 +1,13 @@ + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) + 
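Review bot: `fs_rw_removable_blk_files(qemu_t)` in the third hunk gives the qemu domain raw read/write on every block node labeled removable_t, not only whatever device a given guest was presumably configured with, so a guest that compromises its qemu process could rewrite any attached removable disk. If the intent is passthrough of a specific device, a dedicated type for that device or a `tunable_policy` gate (off by default) would keep the blast radius small; either way record the reason above the call (`# guest passthrough of removable media needs raw block access — TODO confirm`). `virt_read_config(qemu_t)` in the previous hunk similarly exposes the whole /etc/libvirt tree to every qemu instance, and a comment on why qemu itself, rather than libvirtd, reads it would help. The qemu.te module body continues outside these hunks.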
@@ -27815,10 +27844,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.f +/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ++ ++/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) ++/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.6/policy/modules/system/virt.if --- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/virt.if 2008-02-01 23:48:44.000000000 -0500 -@@ -0,0 +1,303 @@ ++++ serefpolicy-3.2.6/policy/modules/system/virt.if 2008-02-02 17:16:14.000000000 -0500 +@@ -0,0 +1,324 @@ + +## policy for virt + @@ -27881,6 +27915,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + +######################################## +## ++## Read virt config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_read_config',` ++ gen_require(` ++ type virt_etc_t; ++ type virt_etc_rw_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, virt_etc_t, virt_etc_t) ++ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++') ++ ++######################################## ++## +## Manage virt var_run files. +## +## 
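Review bot: `virt_read_config` in the second hunk reads both virt_etc_t and virt_etc_rw_t, but its summary says only "Read virt config files.", so a caller cannot tell it also receives the libvirtd-writable subdirectory tree that the virt.fc hunk above labels virt_etc_rw_t. Make the summary say so: `## Read virt config files, including the libvirtd-managed virt_etc_rw_t subdirectories under /etc/libvirt.` Note also that `read_files_pattern` grants only search on the directories, so a caller that enumerates /etc/libvirt would additionally need `allow $1 virt_etc_t:dir list_dir_perms;` — presumably not required for qemu, but confirm against the callers. Both hunks are complete within the diff.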
@@ -28124,8 +28179,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-02 10:41:16.000000000 -0500 -@@ -0,0 +1,123 @@ ++++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-02 17:10:42.000000000 -0500 +@@ -0,0 +1,135 @@ + +policy_module(virt,1.0.0) + @@ -28162,6 +28217,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +type virt_var_lib_t; +files_type(virt_var_lib_t) + ++type virt_etc_t; ++files_type(virt_etc_t) ++ ++type virt_etc_rw_t; ++files_type(virt_etc_rw_t) ++ +type virt_log_t; +logging_log_file(virt_log_t) + @@ -28194,6 +28255,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir } ) + ++read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) ++ ++manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) ++manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) ++files_trans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) ++ +corenet_all_recvfrom_unlabeled(virtd_t) +corenet_all_recvfrom_netlabel(virtd_t) +corenet_tcp_sendrecv_all_if(virtd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6b26882..3d46d9b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.6 -Release: 2%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
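Review bot: `files_trans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)` in the third virt.te hunk does not match the name of the refpolicy support macro, which is `filetrans_pattern`; if this tree defines no `files_trans_pattern`, m4 leaves the call unexpanded and the module fails to compile. Unless a local macro of that name exists, change it to `filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)`. The type hunk before it adds `virt_etc_t` and `virt_etc_rw_t` without explaining the split; a comment such as `# virt_etc_t: admin-owned config, read-only to virtd_t; virt_etc_rw_t: subdirectory contents that virtd_t creates and rewrites` above the declarations would save the next reader a trip through virt.fc. The virt.te module body continues outside these hunks.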
@@ -387,6 +387,12 @@ exit 0 %endif %changelog +* Sun Feb 3 2008 Dan Walsh 3.2.6-4 +- Fixes for nsplugin + +* Sat Feb 2 2008 Dan Walsh 3.2.6-3 +- More fixes for qemu + * Sat Feb 2 2008 Dan Walsh 3.2.6-2 - Additional ports for vnc and allow qemu and libvirt to search all directories