From 16e7e921e543e401c3e5b853cbbfa111eb72e4f7 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Dec 10 2010 14:01:37 +0000
Subject: - Allow boinc-project to read mtab - Fixes for clamscan
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 8413778..1b557d6 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -7416,7 +7416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
 dbus_session_bus_client($1_wm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2010-11-05 14:02:26.511650387 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2010-12-09 12:33:23.341041447 +0100
 @@ -9,8 +9,11 @@
 /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -7532,7 +7532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 ')
 ifdef(`distro_suse', `
-@@ -340,3 +367,25 @@
+@@ -340,3 +367,28 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
 ')
@@ -7558,6 +7558,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +
 +/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/usr/local/Brother/(.*/)?inf/brprintconf.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/(.*/)?inf/setup.* -- gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.9.7/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-10-12 22:42:50.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.if 2010-11-05 14:02:26.513653539 +0100
@@ -15657,8 +15660,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.9.7/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/boinc.te 2010-11-05 14:02:26.599900184 +0100
-@@ -0,0 +1,167 @@
++++ serefpolicy-3.9.7/policy/modules/services/boinc.te 2010-12-09 12:28:05.201308230 +0100
+@@ -0,0 +1,169 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -15779,7 +15782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 +allow boinc_t boinc_project_t:process sigkill;
 +
-+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
 +allow boinc_project_t self:process { execmem execstack };
 +
 +allow boinc_project_t self:fifo_file rw_fifo_file_perms;
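Review bot: The two new Brother entries in corecommands.fc are open-ended prefix patterns — `setup.*` and `brprintconf.*` match any regular file under a matching `inf/` directory whose name merely starts with those strings, so an installer log or backup such as `setup.log.bak` (constructed example) would also be labelled `bin_t` and become executable wherever bin_t is. If the vendor files have fixed names, anchor the patterns to them; at minimum add a comment naming what is being matched, e.g. `# Brother printer driver helper scripts under inf/ (setup, brprintconf_<model>)` with the placeholder replaced by the confirmed names. Limiting the match to regular files with `--` is the right call and should stay.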
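Review bot: `setpgid` is slipped into a self:process rule in boinc.te that also carries `ptrace` on self and sits directly above `execmem execstack`, and neither the hunk nor the commit message records which project application needed it. Since the line is being rewritten anyway, a short comment such as `# project apps create their own process group; ptrace/execmem come from <app> (audit log)` would let a later reviewer separate the routine session permissions from the debugging and memory ones, which are the ones worth re-checking when this module is next touched.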
@@ -15819,6 +15822,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +dev_rw_xserver_misc(boinc_project_t)
 +
 +files_read_etc_files(boinc_project_t)
++files_read_etc_runtime_files(boinc_project_t)
++files_read_usr_files(boinc_project_t)
 +
 +miscfiles_read_fonts(boinc_project_t)
 +miscfiles_read_localization(boinc_project_t)
@@ -16494,7 +16499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 domain_system_change_exemption($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.9.7/policy/modules/services/cgroup.te
 --- nsaserefpolicy/policy/modules/services/cgroup.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/cgroup.te 2010-12-01 11:28:48.699041492 +0100
++++ serefpolicy-3.9.7/policy/modules/services/cgroup.te 2010-12-07 14:57:18.915041300 +0100
 @@ -16,14 +16,17 @@
 type cgred_initrc_exec_t;
 init_script_file(cgred_initrc_exec_t)
@@ -16533,7 +16538,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 allow cgconfig_t cgconfig_etc_t:file read_file_perms;
-@@ -79,6 +82,9 @@
+@@ -67,6 +70,7 @@
+ fs_manage_cgroup_files(cgconfig_t)
+ fs_mount_cgroup(cgconfig_t)
+ fs_mounton_cgroup(cgconfig_t)
++fs_unmount_cgroup(cgconfig_t)
+
+ ########################################
+ #
+@@ -79,6 +83,9 @@
 allow cgred_t cgrules_etc_t:file read_file_perms;
@@ -16746,7 +16759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.9.7/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/clamav.te 2010-11-05 14:02:26.611899958 +0100
++++ serefpolicy-3.9.7/policy/modules/services/clamav.te 2010-12-09 12:45:31.253041229 +0100
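Review bot: `files_read_usr_files(boinc_project_t)` grants read access to everything under /usr, which is considerably wider than the mtab read that the commit message and the spec changelog describe (the mtab part is presumably the `files_read_etc_runtime_files` line). If a specific path under /usr produced the denial, record it on the line, e.g. `# project apps read shared data under /usr (AVC on <path>)`, and give it its own changelog bullet; otherwise consider an interface scoped to just that content.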
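Review bot: `fs_unmount_cgroup(cgconfig_t)` in cgroup.te is mentioned neither in the commit message nor in the spec changelog, and unmounting cgroup hierarchies is a more disruptive permission than the mount/mounton calls it is added next to. A one-line comment giving the trigger, e.g. `# cgconfig tears down the hierarchies it mounted when the service stops` if that is indeed the case, plus a changelog bullet, would keep the widening traceable.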
 @@ -1,9 +1,9 @@
 policy_module(clamav, 1.8.1)
@@ -16851,7 +16864,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 ########################################
 #
 # clamscam local policy
-@@ -251,6 +266,7 @@
+@@ -248,9 +263,11 @@
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+ corenet_tcp_sendrecv_all_ports(clamscan_t)
+ corenet_tcp_sendrecv_clamd_port(clamscan_t)
++corenet_tcp_bind_generic_node(clamscan_t)
 corenet_tcp_connect_clamd_port(clamscan_t)
 kernel_read_kernel_sysctls(clamscan_t)
@@ -16859,6 +16876,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 files_read_etc_files(clamscan_t)
 files_read_etc_runtime_files(clamscan_t)
+@@ -265,6 +282,9 @@
+ clamav_stream_connect(clamscan_t)
+
+ mta_send_mail(clamscan_t)
++mta_read_queue(clamscan_t)
++
++sysnet_read_config(clamscan_t)
+
+ optional_policy(`
+ amavis_read_spool_files(clamscan_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.9.7/policy/modules/services/clogd.if
 --- nsaserefpolicy/policy/modules/services/clogd.if 2010-10-12 22:42:47.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/services/clogd.if 2010-11-05 14:02:26.612900102 +0100
@@ -42739,7 +42766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.9.7/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/lvm.fc 2010-11-05 14:02:26.936899930 +0100
++++ serefpolicy-3.9.7/policy/modules/system/lvm.fc 2010-12-07 13:48:49.058043850 +0100
 @@ -28,10 +28,12 @@
 #
 /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
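Review bot: `corenet_tcp_bind_generic_node(clamscan_t)` is added with no port-bind interface beside it, while the surrounding lines treat clamscan as a client (`corenet_tcp_connect_clamd_port`), so it is unclear whether the scanner is meant to listen or only to bind a local address before connecting. If it is the latter, a comment such as `# clamscan binds its socket to a local node before connecting to clamd` would explain the rule; if clamscan is expected to listen on a port, a matching `corenet_tcp_bind_*_port` line is missing and the node bind alone will not be enough.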
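Review bot: `mta_read_queue(clamscan_t)` exposes the MTA spool, which holds complete message bodies, to a command-line scanner, and `sysnet_read_config(clamscan_t)` adds resolver and network configuration reads; both are plausible for scanning queued mail, yet the spec changelog only says "Fixes for clamscan". A comment on each line (`# scan messages waiting in the mail queue`, and for the second the reason clamscan needs resolver configuration) and a more specific changelog bullet would record why the scanner was given spool access.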
@@ -42753,6 +42780,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
 /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -99,3 +101,4 @@
+ /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+ /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+ /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.9.7/policy/modules/system/lvm.if
 --- nsaserefpolicy/policy/modules/system/lvm.if 2010-10-12 22:42:50.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/system/lvm.if 2010-11-05 14:02:26.936899930 +0100
@@ -46233,7 +46265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.debug(/.*)? <>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.9.7/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2010-11-05 14:02:26.963900049 +0100
++++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2010-12-09 12:46:35.007042321 +0100
 @@ -30,8 +30,9 @@
 ')
@@ -47809,7 +47841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 kernel_search_proc($1)
 ')
-@@ -3135,3 +3481,854 @@
+@@ -3135,3 +3481,855 @@
 allow $1 userdomain:dbus send_msg;
 ')
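Review bot: The new lvm.fc entry labels `/var/run/clvmd\.pid` as `clvmd_var_run_t`, but this commit carries no lvm.te hunk declaring that type and lvm.if is untouched (its timestamp line is unchanged), so unless the type is already declared elsewhere in policy-F14.patch the file context will be rejected at policy build or load time as an unknown type. Either add the declaration, `type clvmd_var_run_t;` followed by `files_pid_file(clvmd_var_run_t)` in lvm.te, or use the existing `lvm_var_run_t` as the neighbouring `/var/run/dmevent.*` entry does. Whichever is chosen, the choice is worth a changelog bullet since the commit message does not mention lvm at all.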
@@ -48381,6 +48413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 + ')
 +
 + userdom_search_user_home_dirs($1)
++ userdom_search_user_home_content($1)
 + allow $1 home_cert_t:dir list_dir_perms;
 + read_files_pattern($1, home_cert_t, home_cert_t)
 + read_lnk_files_pattern($1, home_cert_t, home_cert_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 51bffb3..1c9cd90 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
 %endif
 %changelog
+* Fri Dec 10 2010 Miroslav Grepl 3.9.7-16
+- Allow boinc-project to read mtab
+- Fixes for clamscan
+
 * Mon Dec 6 2010 Miroslav Grepl 3.9.7-15
 - Allow mount fowner capability
 - Fix the label for wicd log
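Review bot: `userdom_search_user_home_content($1)` grants search on every user home content type, which is wider than the `userdom_search_user_home_dirs($1)` just above it and more than is needed to reach a `home_cert_t` directory that sits directly under the home directory. If the certificate directory can legitimately live deeper in the home tree, say so on the line, e.g. `# .cert may be nested below other user home content, so search on the full tree is needed`; otherwise the narrower call already present is sufficient and the new line can be dropped. The enclosing interface starts and ends outside the hunk, so its name and `<summary>` block are not visible here; that summary should mention the extra traversal if the line stays.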