From 0554a10b8028ec5ccee56a2def2013cf623a8b3a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jan 30 2009 16:49:11 +0000
Subject: - Add back transition from xguest to mozilla
---
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 9863be1..ecdf395 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -57,13 +57,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.3/config/appconfig-mcs/seusers
 --- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.3/config/appconfig-mcs/seusers 2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/config/appconfig-mcs/seusers 2009-01-30 10:44:12.000000000 -0500
 @@ -1,3 +1,3 @@
 system_u:system_u:s0-mcs_systemhigh
 -root:root:s0-mcs_systemhigh
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
-+__default__:unconfined_u:s0
++__default__:unconfined_u:s0-mcs_systemhigh
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.3/config/appconfig-mcs/staff_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
 +++ serefpolicy-3.6.3/config/appconfig-mcs/staff_u_default_contexts 2009-01-19 13:10:02.000000000 -0500
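Review bot: The `__default__` line in config/appconfig-mcs/seusers now ends in `s0-mcs_systemhigh`, so every login without its own seusers entry is mapped to unconfined_u with the full MCS category range instead of `s0`. Neither the commit subject nor the 3.6.3-12 changelog entry mentions this, and it deserves its own changelog line, for example `- Map __default__ to unconfined_u:s0-mcs_systemhigh`, so the wider default clearance can be traced later. If a deployment relies on category separation between ordinary logins, that separation now depends on explicit per-user seusers entries; whether any exist is not visible here.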
@@ -359,6 +359,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +gen_tunable(allow_console_login,false)
 +
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.3/policy/mcs
+--- nsaserefpolicy/policy/mcs 2008-08-07 11:15:13.000000000 -0400
++++ serefpolicy-3.6.3/policy/mcs 2009-01-30 10:40:41.000000000 -0500
+@@ -67,7 +67,7 @@
+ # Note that getattr on files is always permitted.
+ #
+ mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+- ( h1 dom h2 );
++ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
+
+ mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
+ (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
+@@ -75,7 +75,7 @@
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+ mlsconstrain file { create relabelto }
+- (( h1 dom h2 ) and ( l2 eq h2 ));
++ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
+
+ # At this time we do not restrict "ps" type operations via MCS. This
+ # will probably change in future.
+@@ -84,10 +84,10 @@
+
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+- ( h1 dom h2 );
++ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
+
+ mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+- (( h1 dom h2 ) and ( l2 eq h2 ));
++ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
+
+ mlsconstrain process { transition dyntransition }
+ (( h1 dom h2 ) or ( t1 == mcssetcats ));
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.3/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-01-05 15:39:44.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/admin/anaconda.te 2009-01-19 13:10:02.000000000 -0500
@@ -6646,8 +6680,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.3/policy/modules/roles/guest.te
 --- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/roles/guest.te 2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,36 @@
++++ serefpolicy-3.6.3/policy/modules/roles/guest.te 2009-01-30 11:41:43.000000000 -0500
+@@ -0,0 +1,26 @@
 +
 +policy_module(guest, 1.0.0)
 +
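Review bot: The `( t1 == mlsfilewrite )` exemption added to the four file and file-like constraints in policy/mcs reuses an MLS attribute to bypass MCS checks, so any domain that carries mlsfilewrite for MLS reasons would also skip the MCS write, create and relabel checks; which domains carry it is not visible in this patch. On the two `create relabelto` constraints the exemption also skips the `( l2 eq h2 )` requirement, so the existing comment that new objects "are single-level" no longer holds for exempt domains. A dedicated MCS attribute in the style of the `mcssetcats` used by the process constraint at the end of the hunk would keep the two models separate. If the reuse is intended, the comments above each constraint should say so, e.g. `# Domains with the mlsfilewrite attribute are exempt from this constraint.`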
@@ -6673,16 +6707,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + mono_role_template(guest, guest_r, guest_t)
 +')
 +
-+
-+optional_policy(`
-+ gen_require(`
-+ type xguest_t;
-+ role xguest_r;
-+ ')
-+
-+ mozilla_role(xguest, xguest_t, xguest_r)
-+')
-+
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.6.3/policy/modules/roles/logadm.fc
 --- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500
@@ -7776,7 +7800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.3/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/roles/xguest.te 2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/roles/xguest.te 2009-01-30 10:50:34.000000000 -0500
 @@ -0,0 +1,87 @@
 +
 +policy_module(xguest, 1.0.0)
@@ -7816,9 +7840,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# Local policy
 +#
 +
-+#optional_policy(`
-+# mozilla_role(xguest_r, xguest_t)
-+#')
++optional_policy(`
++ mozilla_role(xguest_r, xguest_t)
++')
 +
 +optional_policy(`
 + java_role_template(xguest, xguest_r, xguest_t)
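Review bot: The call re-enabled in xguest.te (the `-7816,9` hunk) is `mozilla_role(xguest_r, xguest_t)`, while the block removed from guest.te in the same commit used `mozilla_role(xguest, xguest_t, xguest_r)`, a different argument count and order. The `mozilla_role` definition is not part of this patch excerpt, so the two-argument form should be checked against the interface as it exists in this tree. A one-line comment above the block, such as `# Transition from xguest_t to the mozilla domain (re-added in 3.6.3-12)`, would record why the previously commented-out block is active again.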
@@ -27846,8 +27870,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-01-19 13:10:02.000000000 -0500 -@@ -6,35 +6,76 @@ ++++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-01-30 10:55:24.000000000 -0500 +@@ -6,35 +6,77 @@ # Declarations # @@ -27925,13 +27949,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_killall(unconfined_t) mcs_ptrace_all(unconfined_t) ++mls_file_write_all_levels(unconfined_t) init_run_daemon(unconfined_t, unconfined_r) +init_domtrans_script(unconfined_t) libs_run_ldconfig(unconfined_t, unconfined_r) -@@ -42,26 +83,39 @@ +@@ -42,26 +84,39 @@ logging_run_auditctl(unconfined_t, unconfined_r) mount_run_unconfined(unconfined_t, unconfined_r) @@ -27973,7 +27998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -102,12 +156,24 @@ +@@ -102,12 +157,24 @@ ') optional_policy(` @@ -27998,7 +28023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -119,31 +185,33 @@ +@@ -119,31 +186,33 @@ ') optional_policy(` @@ -28039,7 +28064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,36 +223,38 @@ +@@ -155,36 +224,38 @@ ') optional_policy(` @@ -28090,7 +28115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -192,7 +262,7 @@ +@@ -192,7 +263,7 @@ ') optional_policy(` 
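Review bot: `mls_file_write_all_levels(unconfined_t)`, added in the `-27925,13` hunk of unconfined.te, is an MLS interface called in what appears to be the MCS policy. Assuming it assigns the mlsfilewrite attribute, it combines with the policy/mcs change in this commit to exempt unconfined_t from the MCS file write, create and relabel constraints. An unconfined_t process started with a reduced category set would then still be able to modify files outside its categories, while the dir constraint visible in policy/mcs exempts only `mlsfileread`, so reads and writes are no longer treated alike. A comment next to the call, e.g. `# Exempts unconfined_t from the MCS write constraints through mlsfilewrite (see policy/mcs)`, would make that dependency explicit. The surrounding block of unconfined.te continues outside the hunk.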
@@ -28099,7 +28124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -204,11 +274,12 @@ +@@ -204,11 +275,12 @@ ') optional_policy(` @@ -28114,7 +28139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -218,14 +289,60 @@ +@@ -218,14 +290,60 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d74c636..4cd961e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.3 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -444,6 +444,9 @@ exit 0 %endif %changelog +* Fri Jan 30 2009 Dan Walsh 3.6.3-12 +- Add back transition from xguest to mozilla + * Fri Jan 30 2009 Dan Walsh 3.6.3-11 - Add virt_content_ro_t and labeling for isos directory