From 1094d02fe9ade88d8eabdecdd0b21994e25a6979 Mon Sep 17 00:00:00 2001
From: Miroslav
Date: Dec 07 2011 17:40:29 +0000
Subject: - Fixes for xguest package
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 05c483c..34541cc 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -584,7 +584,7 @@ index 0bfc958..af95b7a 100644
  optional_policy(`
  cron_system_entry(backup_t, backup_exec_t)
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..39f1adf 100644
+index 7a6f06f..3cf6457 100644
 --- a/policy/modules/admin/bootloader.fc
 +++ b/policy/modules/admin/bootloader.fc
 @@ -1,9 +1,11 @@
@@ -600,7 +600,7 @@ index 7a6f06f..39f1adf 100644
 -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sur/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
 index 63eb96b..d7a6063 100644
@@ -4322,7 +4322,7 @@ index 81fb26f..66cf96c 100644
  ##
  ##
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..6bcfc8c 100644
+index 441cf22..a2987d7 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4522,17 +4522,23 @@ index 441cf22..6bcfc8c 100644 files_search_var_lib(useradd_t) files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) -@@ -460,6 +477,7 @@ fs_search_auto_mountpoints(useradd_t) +@@ -460,17 +477,15 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) +mls_process_read_to_clearance(useradd_t) - # Allow access to context for shadow file - selinux_get_fs_mount(useradd_t) -@@ -469,8 +487,8 @@ selinux_compute_create_context(useradd_t) - selinux_compute_relabel_context(useradd_t) - selinux_compute_user_contexts(useradd_t) +-# Allow access to context for shadow file +-selinux_get_fs_mount(useradd_t) +-selinux_validate_context(useradd_t) +-selinux_compute_access_vector(useradd_t) +-selinux_compute_create_context(useradd_t) +-selinux_compute_relabel_context(useradd_t) +-selinux_compute_user_contexts(useradd_t) ++seutil_semanage_policy(useradd_t) ++seutil_manage_file_contexts(useradd_t) ++seutil_manage_config(useradd_t) ++seutil_manage_default_contexts(useradd_t) -term_use_all_ttys(useradd_t) -term_use_all_ptys(useradd_t) @@ -4541,7 +4547,7 @@ index 441cf22..6bcfc8c 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -478,6 +496,7 @@ auth_rw_faillog(useradd_t) +@@ -478,6 +493,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -4549,7 +4555,7 @@ index 441cf22..6bcfc8c 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -495,24 +514,19 @@ seutil_read_file_contexts(useradd_t) +@@ -495,24 +511,19 @@ seutil_read_file_contexts(useradd_t) seutil_read_default_contexts(useradd_t) seutil_domtrans_semanage(useradd_t) seutil_domtrans_setfiles(useradd_t) @@ -22966,10 +22972,10 @@ index 0000000..bac0dc0 + 
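Review bot: The replacement lines in the new inner hunk (`++seutil_semanage_policy(useradd_t)`, `++seutil_manage_file_contexts(useradd_t)`, `++seutil_manage_config(useradd_t)`, `++seutil_manage_default_contexts(useradd_t)`) move useradd_t from computing and validating contexts to writing the policy store, the file-context files and the SELinux config, which is a far wider grant than the `selinux_*` calls they replace and the commit does not say why. The context kept in the `@@ -495,24 +511,19 @@` hunk further down still shows `seutil_domtrans_semanage(useradd_t)`, so if the purpose is the user-mapping update that useradd hands to semanage, the domain transition may already cover it and the direct manage rights could be dropped; worth checking against the actual denials before keeping them. The dropped `# Allow access to context for shadow file` comment is not carried over, so a one-line comment above the new seutil_ lines explaining why useradd_t needs policy-store write access, e.g. `# useradd/userdel update the SELinux user mapping directly, not only via the semanage transition`, would make the grant auditable. The useradd_t rule block of usermanage.te starts and ends outside this hunk.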
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..90af157 +index 0000000..692ef0d --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,379 @@ +@@ -0,0 +1,383 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -23323,6 +23329,10 @@ index 0000000..90af157 +') + +optional_policy(` ++ usermanage_run_useradd(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + vbetool_run(unconfined_t, unconfined_r) +') + @@ -46681,7 +46691,7 @@ index e9c0982..ac7e846 100644 + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..8fcabd8 100644 +index 0a0d63c..2f51d5a 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) @@ -46740,7 +46750,7 @@ index 0a0d63c..8fcabd8 100644 ') tunable_policy(`mysql_connect_any',` -@@ -154,7 +158,7 @@ optional_policy(` +@@ -154,10 +158,11 @@ optional_policy(` # allow mysqld_safe_t self:capability { chown dac_override fowner kill }; @@ -46749,7 +46759,11 @@ index 0a0d63c..8fcabd8 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -170,26 +174,33 @@ kernel_read_system_state(mysqld_safe_t) ++delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) + + domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) + +@@ -170,26 +175,33 @@ kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) @@ -70011,10 +70025,10 @@ index 1a3d970..0995a02 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 354ce93..32b31b4 100644 +index 354ce93..4738083 100644 --- a/policy/modules/system/init.fc 
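Review bot: The added `++delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)` in the mysql.te hunk sits between the fifo/lnk rules and the `domtrans_pattern` into mysqld_t with no explanation, so the reason the wrapper domain rather than mysqld_t needs to unlink sockets in the database directory is not recorded. Presumably this is mysqld_safe removing a stale socket from the data directory before it starts mysqld, but that is an inference from the placement; a one-line comment above it such as `# mysqld_safe cleans up a stale socket in the db dir before starting mysqld` would let a later reviewer tell an intended grant from a denial-chasing one. The inner hunk header in the preceding outer hunk was widened to `-154,10 +158,11` accordingly; the rest of the mysqld_safe_t block continues outside this hunk.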
+++ b/policy/modules/system/init.fc -@@ -33,9 +33,23 @@ ifdef(`distro_gentoo', ` +@@ -33,6 +33,18 @@ ifdef(`distro_gentoo', ` # # /sbin # @@ -70033,12 +70047,7 @@ index 354ce93..32b31b4 100644 /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) # because nowadays, /sbin/init is often a symlink to /sbin/upstart /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) -+# for Fedora -+/lib/upstart/init -- gen_context(system_u:object_r:init_exec_t,s0) - - ifdef(`distro_gentoo', ` - /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) -@@ -50,11 +64,23 @@ ifdef(`distro_gentoo', ` +@@ -50,11 +62,23 @@ ifdef(`distro_gentoo', ` # /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -70062,7 +70071,7 @@ index 354ce93..32b31b4 100644 # # /var -@@ -76,3 +102,4 @@ ifdef(`distro_suse', ` +@@ -76,3 +100,4 @@ ifdef(`distro_suse', ` /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 245cbf7..aea6f29 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 65%{?dist} +Release: 66%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Dec 7 2011 Miroslav Grepl 3.10.0-66 +- Fixes for xguest package + * Tue Dec 6 2011 Miroslav Grepl 3.10.0-65 - Fixes related to /bin, /sbin - Allow abrt to getattr on blk files