From ee42ebdca4fe54172a74cf564f743e88d66701b0 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 11 2010 16:14:29 +0000 Subject: - Allow avahi-autoipd to chat with NetworkManager over dbus - Allow tgtd to read files on anon_inodefs file systems - Add label for /var/lib/mpd directory --- diff --git a/policy-20100106.patch b/policy-20100106.patch index dab1f84..9ca23f3 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -2014,11 +2014,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_generic_ptys(ptchown_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc 2010-03-04 16:47:02.038534128 +0100 -@@ -1 +1,8 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc 2010-05-11 15:15:30.272625684 +0200 +@@ -1 +1,9 @@ +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) + ++/var/lib/mpd(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) +/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) + +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) 
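Review bot: The new `/var/lib/mpd(/.*)?` entry labels another daemon's state directory with pulseaudio_var_lib_t, so every domain that can manage pulseaudio_var_lib_t also gains that access to mpd's database and state. If sharing pulseaudio's type is deliberate, a comment on the line recording the reason (for example `# mpd state intentionally shares pulseaudio_var_lib_t: <reason>`) would stop the next reader from treating it as a mislabel; otherwise a dedicated type is the least-privilege choice. The commit message and changelog only say that a label was added, not why this particular type was chosen.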
@@ -6242,7 +6243,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-03-01 15:49:14.043490674 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-05-11 17:59:31.278624767 +0200 @@ -16,6 +16,7 @@ attribute httpd_exec_scripts; attribute httpd_script_exec_type; @@ -6296,7 +6297,53 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Allow the specified domain to manage -@@ -1167,6 +1192,29 @@ +@@ -1112,6 +1137,45 @@ + allow $1 httpd_sys_script_t:dir search_dir_perms; + ') + ++####################################### ++## ++## Allow the specified domain to read ++## apache tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_read_tmp_files',` ++ gen_require(` ++ type httpd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ++') ++ ++####################################### ++## ++## Dontaudit attempts to write ++## apache tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_dontaudit_write_tmp_files',` ++ gen_require(` ++ type httpd_tmp_t; ++ ') ++ ++ dontaudit $1 httpd_tmp_t:file write; ++') ++ + ######################################## + ## + ## Execute CGI in the specified domain. +@@ -1167,6 +1231,29 @@ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; ') 
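Review bot: The parameter description of the new `apache_dontaudit_write_tmp_files` interface reads "Domain allowed access." although the interface grants nothing and only suppresses audit messages; the refpolicy convention for dontaudit interfaces is `## Domain to not audit.`, which also keeps the generated interface documentation honest about what the rule does. `apache_read_tmp_files` is added in the same hunk but nothing visible in this commit calls it (mta.te only uses the dontaudit variant), so if it is speculative it may be worth holding back until a caller exists. Both doc blocks appear to have lost their summary/param markup in this rendering, so confirm the markup is intact in the actual file.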
@@ -6577,6 +6624,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.32/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-18 18:24:22.744530603 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/avahi.te 2010-05-11 15:12:00.780625139 +0200 +@@ -104,6 +104,10 @@ + ') + + optional_policy(` ++ networkmanager_dbus_chat(avahi_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(avahi_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2010-01-18 18:24:22.745530450 +0100 +++ serefpolicy-3.6.32/policy/modules/services/bind.if 2010-03-01 15:52:05.256741085 +0100 @@ -10250,8 +10311,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-04-13 14:33:39.218868826 +0200 -@@ -132,6 +132,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-05-11 15:20:17.046875252 +0200 +@@ -94,6 +94,7 @@ + apache_dontaudit_rw_tcp_sockets(system_mail_t) + apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) ++ apache_dontaudit_write_tmp_files(system_mail_t) + ') + + optional_policy(` +@@ -132,6 +133,7 @@ optional_policy(` fail2ban_append_log(system_mail_t) 
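Review bot: The new `networkmanager_dbus_chat(avahi_t)` call carries no comment on why avahi_t must exchange D-Bus messages with NetworkManager; the commit message attributes the need to avahi-autoipd, which does not appear in this hunk as a separate domain, so a line such as `# avahi-autoipd runs in avahi_t and talks to NetworkManager over the system bus` (confirm the domain mapping) would record the intent next to the rule. If `networkmanager_dbus_chat` follows the usual `_dbus_chat` pattern it allows send_msg in both directions, so NetworkManager also gains the ability to message avahi_t; worth confirming that bidirectional scope is intended. The rest of avahi.te lies outside the hunk.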
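Review bot: The added `apache_dontaudit_write_tmp_files(system_mail_t)` hides the write denial on httpd_tmp_t rather than resolving it, and nothing records what triggers it; if the descriptor is inherited from a CGI script that invokes sendmail, a comment such as `# sendmail invoked by CGI scripts inherits httpd_tmp_t fds; silence the write denial` (confirm the trigger) keeps the reason with the rule. Keeping the trigger documented also lets a later cleanup check whether the dontaudit is still needed instead of silencing denials indefinitely. The `optional_policy(` block containing the call opens outside the hunk.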
@@ -10259,7 +10328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -148,6 +149,10 @@ +@@ -148,6 +150,10 @@ ') optional_policy(` @@ -10420,7 +10489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-04-13 14:38:35.134852697 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-05-11 15:18:42.193873511 +0200 @@ -28,6 +28,20 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -10450,7 +10519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_read_queue(munin_t) ') -@@ -166,3 +181,147 @@ +@@ -166,3 +181,149 @@ optional_policy(` udev_read_db(munin_t) ') @@ -10586,6 +10655,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +corecmd_exec_shell(munin_system_plugin_t) + ++files_read_etc_files(munin_system_plugin_t) ++ +fs_getattr_all_fs(munin_system_plugin_t) + +dev_read_sysfs(munin_system_plugin_t) 
@@ -14307,10 +14378,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_proc_symlinks(tftpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.6.32/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2010-01-18 18:24:22.905534669 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/tgtd.te 2010-01-26 14:33:27.943463104 +0100 -@@ -63,6 +63,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/tgtd.te 2010-05-11 15:13:48.864626103 +0200 +@@ -62,7 +62,10 @@ + files_read_etc_files(tgtd_t) ++fs_read_anon_inodefs_files(tgtd_t) ++ storage_getattr_fixed_disk_dev(tgtd_t) +storage_manage_fixed_disk(tgtd_t) @@ -17793,8 +17867,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-01-18 18:24:22.954530704 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2010-03-01 09:54:58.045489944 +0100 -@@ -71,10 +71,15 @@ ++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2010-05-11 16:38:38.894623751 +0200 +@@ -71,10 +71,17 @@ /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) 
@@ -17806,7 +17880,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) + -+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) ++/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) ++/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) ++/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) ifdef(`distro_debian',` diff --git a/selinux-policy.spec b/selinux-policy.spec index 53a4307..aff9ccf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 114%{?dist} +Release: 115%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Tue May 11 2010 Miroslav Grepl 3.6.32-115 +- Allow avahi-autoipd to chat with NetworkManager over dbus +- Allow tgtd to read files on anon_inodefs file systems +- Add label for /var/lib/mpd directory + * Wed May 5 2010 Miroslav Grepl 3.6.32-114 - Allow denyhosts sys_tty_config capability - Fixes for chrony policy
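Review bot: The two new cobbler entries (`/var/www/cobbler/ks_mirror` and `/var/www/cobbler/links`) are labeled public_content_rw_t, a writable shared type, so any domain permitted to write public content can alter the installation trees and kickstart files that cobbler serves to network-booting hosts. If these directories are only read by the web server and populated by cobbler's own tooling, the read-only public_content_t (or a cobbler-specific type) is the tighter label; either way a comment on why read-write is required would help. These labels, like the apache interface and munin changes in this patch, are absent from the 3.6.32-115 changelog entry, so the commit record under-describes what changed.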