From d9d64ed29e682e2b5b849e9e8db23d0c5cb1377e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sep 30 2009 21:20:46 +0000
Subject: - Fix minimum policy installs
- Allow udev and rpcbind to request the kernel to load modules
---
diff --git a/policy-F12.patch b/policy-F12.patch
index 48dd327..a92a951 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -16782,6 +16782,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## All of the rules required to administrate
 ## an rpcbind environment
 ##
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.32/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/rpcbind.te 2009-09-30 17:16:58.000000000 -0400
+@@ -42,6 +42,7 @@
+ 
+ kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
++kernel_request_load_module(rpcbind_t)
+ 
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
+ corenet_all_recvfrom_netlabel(rpcbind_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-30 16:12:48.000000000 -0400
@@ -25801,7 +25812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/udev.te 2009-09-30 17:17:54.000000000 -0400
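Review bot: The new `+kernel_request_load_module(rpcbind_t)` line in the embedded rpcbind.te hunk grants `kernel_t:system module_request`, letting rpcbind_t trigger the kernel's module autoloader, but no comment records which denial or module alias motivated it, so a later reviewer cannot tell whether the grant is still needed or can be narrowed. The risk worth documenting is that a compromised daemon holding module_request can cause the kernel to load modules that would otherwise stay unloaded, widening kernel attack surface; add a line above it such as `# module autoload requests (module_request); needed for <TODO: module/alias seen in the AVC denial>`. The same comment belongs on `+kernel_request_load_module(udev_t)` in the udev.te hunk at `@@ -25818,7 +25829,11 @@`, though udev already transitions to insmod via `modutils_domtrans_insmod(udev_t)` in the following hunk, so the marginal privilege there is small. The changelog's "Fix minimum policy installs" item matches no hunk in this commit as far as it is visible here; if that fix landed separately, the entry is misleading.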
 @@ -50,6 +50,7 @@
 allow udev_t self:unix_stream_socket connectto;
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -25810,7 +25821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
-@@ -66,6 +67,7 @@
+@@ -66,9 +67,11 @@
 manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
@@ -25818,7 +25829,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 kernel_read_system_state(udev_t)
-@@ -111,6 +113,7 @@
++kernel_request_load_module(udev_t)
+ kernel_getattr_core_if(udev_t)
+ kernel_use_fds(udev_t)
+ kernel_read_device_sysctls(udev_t)
+@@ -111,6 +114,7 @@
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
@@ -25826,7 +25841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 mcs_ptrace_all(udev_t)
-@@ -140,6 +143,7 @@
+@@ -140,6 +144,7 @@
 logging_send_audit_msgs(udev_t)
 miscfiles_read_localization(udev_t)
@@ -25834,7 +25849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 modutils_domtrans_insmod(udev_t)
 # read modules.inputmap:
-@@ -194,6 +198,10 @@
+@@ -194,6 +199,10 @@
 ')
 optional_policy(`
@@ -25845,7 +25860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 brctl_domtrans(udev_t)
 ')
-@@ -202,14 +210,27 @@
+@@ -202,14 +211,27 @@
 ')
 optional_policy(`
@@ -25873,7 +25888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 lvm_domtrans(udev_t)
 ')
-@@ -219,6 +240,7 @@
+@@ -219,6 +241,7 @@
 optional_policy(`
 hal_dgram_send(udev_t)
@@ -25881,7 +25896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -228,6 +250,10 @@
+@@ -228,6 +251,10 @@
 ')
 optional_policy(`
@@ -25892,7 +25907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 openct_read_pid_files(udev_t)
 openct_domtrans(udev_t)
 ')
-@@ -242,6 +268,18 @@
+@@ -242,6 +269,18 @@
 ')
 optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a9f9e00..34d611e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -448,6 +448,10 @@ exit 0
 %endif
 %changelog
+* Wed Sep 30 2009 Dan Walsh 3.6.32-16
+- Fix minimum policy installs
+- Allow udev and rpcbind to request the kernel to load modules
+
 * Wed Sep 30 2009 Dan Walsh 3.6.32-15
 - Add plymouth policy
 - Allow local_login to sys_admin