From 32363900ec25abc12afc23ca03d703e30dbbd07b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 27 2008 13:06:14 +0000 Subject: - Change userdom_read_all_users_state to include reading symbolic links in /proc --- diff --git a/policy-20081111.patch b/policy-20081111.patch index edaeeb4..b34f77f 100644 --- a/policy-20081111.patch +++ b/policy-20081111.patch @@ -13504,7 +13504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-18 11:36:14.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-27 07:23:35.000000000 -0500 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -13595,7 +13595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) -@@ -105,7 +126,30 @@ +@@ -105,7 +126,31 @@ ') optional_policy(` @@ -13616,6 +13616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + postfix_list_spool(munin_t) ++ postfix_getattr_spool_files(munin_t) +') + +optional_policy(` @@ -13627,7 +13628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -115,3 +159,10 @@ +@@ -115,3 +160,10 @@ optional_policy(` udev_read_db(munin_t) ') 
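Review bot: The added `postfix_getattr_spool_files(munin_t)` call in the munin.te `optional_policy` block is a new access grant for munin_t, and neither the commit subject nor the new %changelog entry records it. Both describe a `userdom_read_all_users_state` change, and none of the hunks visible here touch that interface. Someone auditing what munin_t can reach on the mail spool would not find this grant in the package history. I would add a changelog line such as `- Allow munin to getattr postfix spool files`, and a comment next to the call such as `# stat postfix queue files only; this interface grants no read access`.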
@@ -16679,7 +16680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.1/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-12-18 11:31:37.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-12-27 07:23:23.000000000 -0500 @@ -174,9 +174,8 @@ type postfix_etc_t; ') @@ -16740,28 +16741,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_spool($1) ') -@@ -437,10 +455,10 @@ +@@ -437,11 +455,30 @@ # interface(`postfix_list_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; ++ ') ++ ++ allow $1 postfix_spool_type:dir list_dir_perms; ++ files_search_spool($1) ++') ++ ++######################################## ++## ++## Getattr postfix mail spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_getattr_spool_files',` ++ gen_require(` ++ attribute postfix_spool_type; ') - allow $1 postfix_spool_t:dir list_dir_perms; -+ allow $1 postfix_spool_type:dir list_dir_perms; files_search_spool($1) ++ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) ') -@@ -456,11 +474,30 @@ + ######################################## +@@ -456,11 +493,30 @@ # interface(`postfix_read_spool_files',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; -+ ') -+ -+ files_search_spool($1) + ') + + files_search_spool($1) +- read_files_pattern($1, postfix_spool_t, postfix_spool_t) + read_files_pattern($1, postfix_spool_type, postfix_spool_type) +') + 
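Review bot: The new `postfix_getattr_spool_files` interface is keyed on the `postfix_spool_type` attribute, not on a single type, and its summary ("Getattr postfix mail spool files.") does not say so. Every caller can therefore stat files under each spool type that carries the attribute, including types assigned to it later. Using `getattr_files_pattern` keeps the grant narrower than `postfix_read_spool_files`, since it exposes file metadata and not message contents. The breadth still deserves a line in the doc block, for example `## Getattr files of all postfix spool types (postfix_spool_type attribute).`. It would also help to confirm from the AVC denials that getattr is all munin_t needs, so the call is not later swapped for the read interface.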
@@ -16778,15 +16800,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`postfix_manage_spool_files',` + gen_require(` + attribute postfix_spool_type; - ') - - files_search_spool($1) -- read_files_pattern($1, postfix_spool_t, postfix_spool_t) ++ ') ++ ++ files_search_spool($1) + manage_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## -@@ -481,3 +518,23 @@ +@@ -481,3 +537,23 @@ typeattribute $1 postfix_user_domtrans; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index edfe7f9..999b5ab 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.1 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Sat Dec 27 2008 Dan Walsh 3.6.1-14 +- Change userdom_read_all_users_state to include reading symbolic links in /proc + * Mon Dec 22 2008 Dan Walsh 3.6.1-13 - Fix dbus reading /proc information