From 1c6bcafb00ada1fe728e30a9f0389ad865c07f53 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 01 2009 21:27:34 +0000 Subject: - Allow svirt to list sysfs_t directory --- diff --git a/policy-F12.patch b/policy-F12.patch index ebf58bc..c461fa0 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -2514,6 +2514,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +seutil_domtrans_setfiles_mac(livecd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.32/policy/modules/apps/loadkeys.te +--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/loadkeys.te 2009-10-01 14:51:17.000000000 -0400 +@@ -45,3 +45,7 @@ + optional_policy(` + nscd_dontaudit_search_pid(loadkeys_t) + ') ++ ++ifdef(`hide_broken_symptoms',` ++ dev_dontaudit_rw_lvm_control_dev(loadkeys_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2009-09-30 16:12:48.000000000 -0400 @@ -5114,7 +5125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-10-01 16:59:38.000000000 -0400 @@ -1692,6 +1692,78 @@ ######################################## 
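Review bot: The hide_broken_symptoms block added to loadkeys.te (`dev_dontaudit_rw_lvm_control_dev(loadkeys_t)`) silences read/write denials on the lvm control device without recording what produces them, so a later reader cannot tell whether the dontaudit is still needed or what it hides. A one-line comment above the ifdef, e.g. `# loadkeys_t gets rw denials on lvm_control_t (source unknown); hide them until the origin is found`, would keep that context with the rule. The interface it calls is introduced by this same patch in devices.if (the `@@ -5256,7 +5267,33 @@` hunk), so the two hunks must land together or the policy build will fail on the undefined interface. The loadkeys.te context printed here is collapsed onto one line in this copy, so the exact placement relative to the surrounding optional_policy block should be checked against the rendered file.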
@@ -5256,7 +5267,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read the lvm comtrol device. -@@ -2305,6 +2432,25 @@ +@@ -1818,6 +1945,25 @@ + + ######################################## + ## ++## Do not audit attempts to read and write lvm control device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_dontaudit_rw_lvm_control_dev',` ++ gen_require(` ++ type lvm_control_t; ++ ') ++ ++ dontaudit $1 lvm_control_t:chr_file rw_file_perms; ++') ++ ++ ++######################################## ++## + ## dontaudit getattr raw memory devices (e.g. /dev/mem). + ## + ## +@@ -2305,6 +2451,25 @@ ######################################## ## @@ -5282,7 +5319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## -@@ -3599,6 +3745,24 @@ +@@ -3599,6 +3764,24 @@ ######################################## ## @@ -12460,7 +12497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2009-10-01 14:28:11.000000000 -0400 @@ -41,6 +41,13 @@ ## @@ -12475,7 +12512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow ftp to read and write files in the user home directories ##
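Review bot: The new `dev_dontaudit_rw_lvm_control_dev` interface uses `rw_file_perms` on the `chr_file` class; the existing lvm control interface in devices.if uses the character-device permission set, so `dontaudit $1 lvm_control_t:chr_file rw_chr_file_perms;` keeps the new interface consistent with its sibling. The two sets are near-identical in this refpolicy version, but mixing them makes the device interfaces harder to audit if the sets ever diverge. The interface's doc block shows bare `##` lines where refpolicy normally carries the summary and param XML tags; that looks like the tags were stripped when this page was rendered rather than omitted in the patch, but it is worth confirming against the source.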

##
-@@ -78,6 +85,14 @@ +@@ -78,12 +85,20 @@ type xferlog_t; logging_log_file(xferlog_t) @@ -12490,6 +12527,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # ftpd local policy + # + +-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; ++allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource }; + dontaudit ftpd_t self:capability sys_tty_config; + allow ftpd_t self:process signal_perms; + allow ftpd_t self:process { getcap setcap setsched setrlimit }; @@ -92,6 +107,8 @@ allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; @@ -19809,7 +19853,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-01 16:59:54.000000000 -0400 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) @@ -19970,9 +20014,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_getattr_xattr_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +fs_list_inotifyfs(virtd_t) - -+modutils_manage_module_config(virtd_t) + ++modutils_manage_module_config(virtd_t) + +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) storage_raw_write_removable_device(virtd_t) 
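Review bot: The rewritten `allow ftpd_t self:capability { ... }` line in ftp.te adds `sys_admin`, a capability that confers far more than any single ftpd operation needs, and nothing in the hunk, the commit subject, or the 3.6.32-18 changelog entry records which operation triggered it. If it came from a single audited denial, the narrower fix is to identify the exact syscall and decide whether ftpd actually fails without it (in which case a dontaudit is the safer choice); if it is genuinely required, a comment on the line such as `# sys_admin: needed for <operation seen in AVC>, bug <id>` keeps the reason next to the grant. The same gap applies to the loadkeys dontaudit in this patch: neither change is mentioned in the spec changelog, which lists only the svirt sysfs change, so a reviewer reading the package history would not know this capability was widened.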
@@ -20015,6 +20059,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + kerberos_keytab_template(virtd, virtd_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(virtd_t) ') -#optional_policy(` @@ -20022,10 +20070,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# polkit_domtrans_resolve(virtd_t) -#') +optional_policy(` -+ lvm_domtrans(virtd_t) -+') -+ -+optional_policy(` + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) @@ -20042,7 +20086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -196,8 +301,160 @@ +@@ -196,8 +301,162 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -20108,6 +20152,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_rw_printer(svirt_t) +') + ++dev_list_sysfs(svirt_t) ++ +tunable_policy(`virt_manage_sysfs',` + dev_rw_sysfs(svirt_t) +') diff --git a/selinux-policy.spec b/selinux-policy.spec index 02b817c..29dd93d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 17%{?dist} +Release: 18%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Thu Oct 1 2009 Dan Walsh 3.6.32-18 +- Allow svirt to list sysfs_t directory + * Thu Oct 1 2009 Dan Walsh 3.6.32-17 - Allow vpnc request the kernel to load modules
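Review bot: `dev_list_sysfs(svirt_t)` is added unconditionally, just above the `virt_manage_sysfs` tunable block, so every svirt_t guest can now enumerate sysfs directories regardless of the tunable, and the policy does not say why a confined guest needs that view of host device topology. The commit subject makes the intent clear, but a short comment above the call, e.g. `# svirt_t needs to enumerate sysfs directories (trigger: <observed denial>)`, would let a later reviewer distinguish this baseline grant from the tunable-gated read/write access directly below it. The enclosing svirt_t policy block begins outside this hunk, so placement relative to other unconditional svirt_t rules should be checked in the full file.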