From c32d79e2c35d5328a8782d38b7587e050c960536 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 04 2009 18:20:29 +0000 Subject: - Fix /sbin/ip6tables-save context - Allod udev to transition to mount - Fix loading of mls policy file --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 519d45e..6041370 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -655,7 +655,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_lo_if(mrtg_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.12/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-05-04 11:25:11.000000000 -0400 +@@ -50,7 +50,7 @@ + files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) + + kernel_search_proc(netutils_t) +-kernel_read_sysctl(netutils_t) ++kernel_read_all_sysctls(netutils_t) + + corenet_all_recvfrom_unlabeled(netutils_t) + corenet_all_recvfrom_netlabel(netutils_t) @@ -152,6 +152,10 @@ ') @@ -4489,8 +4498,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/screen.if 2009-05-02 07:49:38.000000000 -0400 -@@ -165,3 +165,23 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/screen.if 2009-05-04 11:30:29.000000000 -0400 +@@ -165,3 +165,24 @@ nscd_socket_use($1_screen_t) ') ') 
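Review bot: The nested `+-kernel_read_sysctl(netutils_t)` / `++kernel_read_all_sysctls(netutils_t)` change in the first hunk (`@@ -655,7 +655,16 @@`) widens netutils_t from the generic sysctl_t directory to read access on every sysctl type (kernel, net, fs, vm, ...), and neither the hunk nor the commit subject records which netutils binary or /proc/sys entry needed it. If the need is a networking sysctl, the narrower `kernel_read_net_sysctls(netutils_t)` would cover it without exposing the remaining sysctl types to the whole domain. Either way a one-line comment above the call, e.g. `# TODO: name the tool and /proc/sys entry that requires this`, would preserve the rationale for later audits.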
@@ -4513,6 +4522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_dirs_pattern($1,screen_var_run_t,screen_var_run_t) + manage_files_pattern($1,screen_var_run_t,screen_var_run_t) + manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t) ++ manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te --- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500 @@ -5948,7 +5958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-04 11:25:35.000000000 -0400 @@ -1197,6 +1197,26 @@ ') @@ -20507,7 +20517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-04 12:28:35.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -20517,7 +20527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domain_template(gssd) -@@ -74,21 +74,31 @@ +@@ -74,21 +74,33 @@ files_manage_mounttab(rpcd_t) 
@@ -20527,6 +20537,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_rpc_symlinks(rpcd_t) fs_rw_rpc_sockets(rpcd_t) ++storage_getattr_fixed_disk_dev(rpcd_t) ++ +kernel_signal(rpcd_t) + selinux_dontaudit_read_fs(rpcd_t) @@ -20549,7 +20561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # NFSD local policy -@@ -116,8 +126,9 @@ +@@ -116,8 +128,9 @@ # for exportfs and rpc.mountd files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type @@ -20560,7 +20572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) -@@ -125,6 +136,7 @@ +@@ -125,6 +138,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) @@ -20568,7 +20580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) -@@ -141,6 +153,7 @@ +@@ -141,6 +155,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -20576,7 +20588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -175,6 +188,7 @@ +@@ -175,6 +190,7 @@ corecmd_exec_bin(gssd_t) @@ -20584,7 +20596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) -@@ -183,9 +197,12 @@ +@@ -183,9 +199,12 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) 
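Review bot: `++storage_getattr_fixed_disk_dev(rpcd_t)` in the hunk `@@ -20527,6 +20537,8 @@` grants getattr on fixed-disk block devices to rpcd_t without a comment saying which rpc daemon stats them or why. The context shown a few hunks later handles the same class of access for the sibling nfsd_t domain with `storage_dontaudit_read_fixed_disk(nfsd_t)`; if rpcd presumably only probes the device and does not act on the result, a dontaudit would silence the denial without widening the domain, so the choice deserves a line such as `# rpc.<daemon> stats fixed disks for <reason> (TODO: confirm)` above the call. The enclosing rpcd_t rule block starts before this hunk.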
@@ -29601,7 +29613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(ifconfig_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-05-04 14:15:06.000000000 -0400 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -29638,7 +29650,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -242,6 +250,10 @@ +@@ -228,6 +236,10 @@ + ') + + optional_policy(` ++ mount_domtrans(udev_t) ++') ++ ++optional_policy(` + openct_read_pid_files(udev_t) + openct_domtrans(udev_t) + ') +@@ -242,6 +254,10 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index e47bb1b..3615a6c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -165,11 +165,6 @@ if [ -s /etc/selinux/config ]; then \ fi \ fi -%define loadminpolicy() \ -( cd /usr/share/selinux/%1; \ -semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2 -s %1; \ -); \ - %define loadpolicy() \ ( cd /usr/share/selinux/%1; \ semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1; \ 
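Review bot: The new `++ mount_domtrans(udev_t)` block in the hunk `@@ -29638,7 +29650,18 @@` lets the udev daemon execute mount and transition into mount_t unconditionally, and neither the hunk nor the changelog entry records which udev rule or helper invokes mount. Because mount_t is a relatively privileged domain and udev handles events for every hot-plugged device, the rationale matters for later audits; a comment inside the optional_policy block, e.g. `# udev rules run mount for <device class> (TODO: name the rule)`, would capture it. If only a specific device class needs this, it is worth noting whether a tunable gate was considered.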
@@ -351,12 +346,12 @@ echo $packages } if [ $1 -eq 1 ]; then - packages="unconfined.pp.bz2 unconfineduser.pp.bz2" + packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2" %loadpolicy targeted $packages restorecon -R /root /var/log /var/run 2> /dev/null else semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null - packages=`get_unconfined $(semodule -l)` + packages="%{expand:%%moduleList targeted} `get_unconfined $(semodule -l)`" %loadpolicy targeted $packages %relabel targeted fi @@ -402,7 +397,8 @@ SELinux Reference policy minimum base module. %post minimum if [ $1 -eq 1 ]; then -%loadminpolicy minimum +packages="unconfined.pp.bz2 unconfineduser.pp.bz2" +%loadpolicy minimum $packages semanage -S minimum -i - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 root @@ -435,7 +431,8 @@ SELinux Reference policy olpc base module. %saveFileContext olpc %post olpc -%loadpolicy olpc "" +packages="%{expand:%%moduleList olpc} unconfined.pp.bz2 unconfineduser.pp.bz2" +%loadpolicy olpc $packages if [ $1 -ne 1 ]; then %relabel olpc @@ -466,7 +463,8 @@ SELinux Reference policy mls base module. %post mls semodule -n -s mls -r mailscanner 2>/dev/null -%loadpolicy mls "" +packages="%{expand:%%moduleList mls}" +%loadpolicy mls $packages if [ $1 != 1 ]; then %relabel mls @@ -482,6 +480,8 @@ exit 0 %changelog * Fri May 1 2009 Dan Walsh 3.6.12-27 - Fix /sbin/ip6tables-save context +- Allod udev to transition to mount +- Fix loading of mls policy file * Thu Apr 30 2009 Dan Walsh 3.6.12-26 - Add shorewall policy
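Review bot: The new `packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2"` lines in the hunk `@@ -351,12 +346,12 @@` hand the module list to `%loadpolicy` as `%2`, but the unchanged `%loadpolicy` definition kept as context in the earlier `@@ -165,11 +165,6 @@` hunk already inserts `%{expand:%%moduleList %1}` before `%2` on the same `semodule -b base.pp.bz2 -i ...` command line, so every module is listed twice. The same pattern appears in the olpc (`@@ -435,7 +431,8 @@`) and mls (`@@ -466,7 +463,8 @@`) hunks. Whether semodule tolerates a module repeated within one transaction is not shown here; if the goal was only to drop the empty `""` argument that `%loadpolicy mls ""` used to pass to `semodule -i`, then `packages=""` followed by the unquoted `$packages` achieves that without the duplication, and the targeted branch could keep its original `packages="unconfined.pp.bz2 unconfineduser.pp.bz2"`.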
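Review bot: `+%loadpolicy minimum $packages` in the hunk `@@ -402,7 +397,8 @@` replaces the removed `%loadminpolicy`, whose `semodule` line installed only `unconfined.pp.bz2 unconfineduser.pp.bz2` on top of base, with a macro that also inserts `%{expand:%%moduleList minimum}` (its definition is visible as context in `@@ -165,11 +165,6 @@`). If that macro expands to a non-empty list for minimum, the minimum variant now loads those modules on first install, which the changelog entries do not mention. If that is intended, a line such as `# minimum now also loads %%moduleList minimum (TODO: confirm)` would record it; if not, an explicit `semodule -b base.pp.bz2 -i $packages -s minimum` preserves the previous behaviour.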