From 11ac4bcde1ef1b7bc923024bb6756de34a288c40 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 02 2008 15:42:44 +0000 Subject: - Additional ports for vnc and allow qemu and libvirt to search all directories --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 122ebd8..368c3f6 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -3058,7 +3058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.6/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/apps/mono.if 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/apps/mono.if 2008-02-02 10:25:13.000000000 -0500 @@ -18,3 +18,105 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) @@ -3154,7 +3154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + + userdom_unpriv_usertype($1, $1_mono_t) + -+ allow $1_mono_t self:process { execheap execmem }; ++ allow $1_mono_t self:process { ptrace signal getsched execheap execmem }; + allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($2, mono_exec_t, $1_mono_t) @@ -3167,13 +3167,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.6/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/apps/mono.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/apps/mono.te 2008-02-02 10:38:18.000000000 -0500 
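Review bot: The `ptrace` added in `allow $1_mono_t self:process { ptrace signal getsched execheap execmem };` is not covered by the commit subject or the %changelog entry, which only mention the vnc ports and the qemu/libvirt directory search changes, and the hunk carries no comment saying which denial motivated it. `self:process ptrace` lets any process in the `$1_mono_t` domain trace and read the memory of any other process in that same domain, not only itself, which matters for a domain that already holds `execmem`/`execheap`. The same permission is added for `mono_t` in the mono.te hunk (`@@ -3167`) that follows. A comment on the line such as `# mono runtime traces processes in its own domain; see denial in <bug-id placeholder>` (or a `dontaudit` rule if the access is only probed, not required) would record the decision. The enclosing template body in mono.if starts and ends outside this hunk.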
@@ -15,7 +15,7 @@ # Local policy # -allow mono_t self:process { execheap execmem }; -+allow mono_t self:process { signal getsched execheap execmem }; ++allow mono_t self:process { ptrace signal getsched execheap execmem }; userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) @@ -4818,7 +4818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in 2008-02-02 10:38:16.000000000 -0500 @@ -82,6 +82,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) 
@@ -4861,6 +4861,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) +@@ -171,6 +176,8 @@ + type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon + network_port(uucpd, tcp,540,s0) + network_port(vnc, tcp,5900,s0) ++# Reserve 50 ports for vnc/virt machines ++portcon tcp 5901-5950 gen_context(system_u:object_r:vnc_port_t, s0) + network_port(wccp, udp,2048,s0) + network_port(xdmcp, udp,177,s0, tcp,177,s0) + network_port(xen, tcp,8002,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in.cyphesis --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in.cyphesis 2008-02-01 16:01:42.000000000 -0500 @@ -23485,7 +23494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.6/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/qemu.te 2008-02-02 01:25:31.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/qemu.te 2008-02-02 10:40:41.000000000 -0500 @@ -0,0 +1,56 @@ +policy_module(qemu,1.0.0) + @@ -23530,7 +23539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +files_read_etc_files(qemu_t) +files_read_usr_files(qemu_t) +files_read_var_files(qemu_t) -+files_search_var_lib(qemu_t) ++files_search_all(qemu_t) + +fs_rw_anon_inodefs_files(qemu_t) + 
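Review bot: The new range is declared with a hand-written `portcon tcp 5901-5950 gen_context(system_u:object_r:vnc_port_t, s0)` directly after `network_port(vnc, tcp,5900,s0)`, so the vnc port type's port assignments are now split between the macro and a raw statement. The neighbouring entries show the macro accepts several protocol/port/level triples (`network_port(cluster, tcp,5149,s0, udp,5149,s0, ...)`); if this version's network_port also accepts a range in the port field, `network_port(vnc, tcp,5900,s0, tcp,5901-5950,s0)` would keep the definition in one place — I have not verified that it does. The comment `# Reserve 50 ports for vnc/virt machines` is welcome; it would help to add that every domain granted `corenet_tcp_bind_vnc_port` (virtd_t in this same diff) may now bind any of the 51 ports, not just 5900.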
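Review bot: Replacing `files_search_var_lib(qemu_t)` with `files_search_all(qemu_t)` grants the emulator domain search on every directory type in the policy instead of only the /var/lib tree, and the hunk carries no comment saying which path access needed it. Search on a directory does not by itself allow reading the files in it, but it removes the directory-labeling barrier for a domain that executes guest workloads, so the protection of every file now rests on the file types alone and the domain can probe for the existence of paths anywhere. The same widening is applied to `virtd_t` in the virt.te hunk (`@@ -28204`) later in this diff. A comment such as `# disk images may live under any user-chosen path -- needs search on all dirs; see <bug-id placeholder>` would record the trade-off, and if image files in arbitrary locations are indeed the motivation, a dedicated file type for images with its own search/read interface would be a narrower alternative. The enclosing qemu.te module body starts and ends outside this hunk.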
@@ -28115,7 +28124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-01 17:30:47.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-02 10:41:16.000000000 -0500 @@ -0,0 +1,123 @@ + +policy_module(virt,1.0.0) @@ -28192,7 +28201,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +corenet_tcp_sendrecv_all_ports(virtd_t) +corenet_tcp_bind_all_nodes(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t) -+ +corenet_rw_tun_tap_dev(virtd_t) + +kernel_read_system_state(virtd_t) @@ -28204,6 +28212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t + +files_read_etc_files(virtd_t) +files_read_etc_runtime_files(virtd_t) ++files_search_all(virtd_t) + +libs_use_ld_so(virtd_t) +libs_use_shared_libs(virtd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index bddfabb..6b26882 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.6 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,9 @@ exit 0 %endif %changelog +* Sat Feb 2 2008 Dan Walsh 3.2.6-2 +- Additional ports for vnc and allow qemu and libvirt to search all directories + * Fri Feb 1 2008 Dan Walsh 3.2.6-1 - Update to upstream - Add libvirt policy