From 40d8f60dd73eb22c229a69f7291505d30814d708 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 28 2009 20:09:21 +0000 Subject: - Allow nsplugin to unix_read unix_write sem for unconfined_java --- diff --git a/modules-targeted.conf b/modules-targeted.conf index abdf2ef..9f3c5bf 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -493,6 +493,13 @@ finger = module # firstboot = base +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + # Layer: system # Module: fstools # diff --git a/policy-20090105.patch b/policy-20090105.patch index e7d3ec5..368a7bc 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -788,7 +788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-27 11:01:26.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-28 15:47:35.000000000 -0400 @@ -11,8 +11,8 @@ init_daemon_domain(readahead_t, readahead_exec_t) application_domain(readahead_t, readahead_exec_t) @@ -800,7 +800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type readahead_var_run_t; files_pid_file(readahead_var_run_t) -@@ -24,9 +24,11 @@ +@@ -24,14 +24,17 @@ allow readahead_t self:capability { fowner dac_override dac_read_search }; dontaudit readahead_t self:capability sys_tty_config; 
@@ -814,7 +814,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) files_pid_filetrans(readahead_t, readahead_var_run_t, file) -@@ -46,6 +48,7 @@ + + kernel_read_kernel_sysctls(readahead_t) ++kernel_read_net_sysctls(readahead_t) + kernel_read_system_state(readahead_t) + kernel_dontaudit_getattr_core_if(readahead_t) + +@@ -46,6 +49,7 @@ storage_raw_read_fixed_disk(readahead_t) domain_use_interactive_fds(readahead_t) @@ -822,7 +828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_getattr_all_sockets(readahead_t) files_list_non_security(readahead_t) -@@ -58,6 +61,7 @@ +@@ -58,6 +62,7 @@ fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) @@ -830,7 +836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) -@@ -72,6 +76,7 @@ +@@ -72,6 +77,7 @@ init_getattr_initctl(readahead_t) logging_send_syslog_msg(readahead_t) @@ -2336,7 +2342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.12/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/java.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/java.if 2009-04-28 12:20:13.000000000 -0400 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; 
@@ -2345,7 +2351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -68,3 +69,129 @@ +@@ -68,3 +69,130 @@ domtrans_pattern($1, java_exec_t, unconfined_java_t) corecmd_search_bin($1) ') @@ -2400,6 +2406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + java_domtrans_unconfined($1) + role $2 types unconfined_java_t; + role $2 types java_t; ++ nsplugin_role_notrans($2, unconfined_java_t) +') + +######################################## @@ -2477,7 +2484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.12/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/java.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/java.te 2009-04-28 12:19:47.000000000 -0400 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; @@ -2519,18 +2526,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nis_use_ypbind(java_t) ') -@@ -147,4 +151,11 @@ +@@ -147,4 +151,12 @@ unconfined_domain_noaudit(unconfined_java_t) unconfined_dbus_chat(unconfined_java_t) + optional_policy(` + hal_dbus_chat(unconfined_java_t) -+ ') + ') + + optional_policy(` + rpm_domtrans(unconfined_java_t) + ') - ') ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.12/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/livecd.fc 2009-04-23 09:44:57.000000000 -0400 
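Review bot: The new `nsplugin_role_notrans($2, unconfined_java_t)` call makes this java.if interface depend unconditionally on the nsplugin module, so, as far as can be told from the hunk, any module calling the interface will fail to build or link on a system where nsplugin is absent; if that is a supported configuration, the call belongs inside an `optional_policy(` ... ')` block within the interface. The permission set the commit title names (unix_read/unix_write on sem) is granted inside the body of nsplugin_role_notrans, which this patch does not touch, so what unconfined_java_t actually receives depends on that interface's current definition and should be confirmed against it. The enclosing interface starts outside the hunk.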
@@ -5090,7 +5098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-03-05 12:28:56.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-04-24 09:05:52.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-04-28 15:25:49.000000000 -0400 @@ -2268,6 +2268,25 @@ ######################################## @@ -5117,6 +5125,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## +@@ -3217,6 +3236,7 @@ + # + interface(`dev_rw_generic_usb_dev',` + gen_require(` ++ type device_t; + type usb_device_t; + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-03-05 12:28:57.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-04-23 09:44:57.000000000 -0400 @@ -7428,8 +7444,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-27 15:35:55.000000000 -0400 -@@ -0,0 +1,393 @@ ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-28 12:10:25.000000000 -0400 +@@ -0,0 +1,397 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
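Review bot: The added `type device_t;` require in `dev_rw_generic_usb_dev` comes with no new rule in the hunk, so it presumably backs the interface's existing body, which in refpolicy is `rw_chr_files_pattern($1, device_t, usb_device_t)` with device_t as the directory type; that body lies outside the hunk and should be checked to confirm the require is what was missing. Refpolicy convention lists the types of one require on a single line, `type device_t, usb_device_t;`, rather than adding a second `type` line.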
@@ -7546,7 +7562,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ nsplugin_role_notrans(unconfined_r, unconfined_t) ++ gen_require(` ++ attribute unconfined_usertype; ++ ') ++ ++ nsplugin_role_notrans(unconfined_r, unconfined_usertype) + tunable_policy(`allow_unconfined_nsplugin_transition',` + nsplugin_domtrans(unconfined_execmem_t) + nsplugin_domtrans_config(unconfined_execmem_t) 
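Review bot: Replacing `unconfined_t` with the attribute in `nsplugin_role_notrans(unconfined_r, unconfined_usertype)` widens the grant from one domain to every domain carrying `unconfined_usertype`, and nothing in the hunk says which domains those are or why all of them need it; a one-line comment such as `# applies to every domain in unconfined_usertype, not only unconfined_t` on that call would make the widening deliberate for later readers. The added `gen_require(` attribute unconfined_usertype; ')` is only needed if the attribute is declared by another module; if it is declared in this file's own declarations section (outside the hunk), the require is redundant and can be dropped. The optional_policy block continues past the end of the hunk.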
@@ -13377,6 +13397,78 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # pid file manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc +--- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-04-28 15:26:41.000000000 -0400 +@@ -0,0 +1,2 @@ ++ ++/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if +--- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-04-28 15:26:38.000000000 -0400 +@@ -0,0 +1,22 @@ ++ ++## policy for fprintd ++ ++######################################## ++## ++## Execute a domain transition to run fprintd. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`fprintd_domtrans',` ++ gen_require(` ++ type fprintd_t; ++ type fprintd_exec_t; ++ ') ++ ++ domtrans_pattern($1,fprintd_exec_t,fprintd_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te +--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-28 16:07:25.000000000 -0400 +@@ -0,0 +1,36 @@ ++policy_module(fprintd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type fprintd_t; ++type fprintd_exec_t; ++dbus_system_domain(fprintd_t, fprintd_exec_t) ++ ++allow fprintd_t self:fifo_file rw_fifo_file_perms; ++allow fprintd_t self:process { getsched signal }; ++ ++corecmd_search_bin(fprintd_t) ++ ++dev_rw_generic_usb_dev(fprintd_t) ++dev_read_sysfs(fprintd_t) ++ ++files_read_etc_files(fprintd_t) ++files_read_usr_files(fprintd_t) ++ ++auth_use_nsswitch(fprintd_t) ++ ++miscfiles_read_localization(fprintd_t) ++ ++userdom_use_user_ptys(fprintd_t) ++userdom_read_all_users_state(fprintd_t) ++ ++optional_policy(` ++ polkit_read_reload(fprintd_t) ++ polkit_read_lib(fprintd_t) ++') ++ ++permissive fprintd_t; ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-04-23 09:44:57.000000000 -0400 
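Review bot: `permissive fprintd_t;` at the end of fprintd.te means none of the rules above it are enforced for the new domain: denials are only logged, so fprintd runs effectively unconfined until that line is removed, and the access granted meanwhile (`dev_rw_generic_usb_dev`, `userdom_read_all_users_state`, `auth_use_nsswitch`) is not being validated by enforcement. A comment on the line recording that it is a bring-up measure, such as `# permissive while the policy is being developed; remove once AVC denials stop`, would keep it from surviving by accident. fprintd.if provides only `fprintd_domtrans`; since fprintd_t is declared with `dbus_system_domain`, confined callers that reach it over the system bus will presumably need an `fprintd_dbus_chat` interface, which is not provided here. Minor style: `policy_module(fprintd,1.0.0)` and `domtrans_pattern($1,fprintd_exec_t,fprintd_t)` omit the space after commas that the rest of the patch uses (`domtrans_pattern($1, java_exec_t, unconfined_java_t)`). The changelog entry in selinux-policy.spec records only the nsplugin change and does not mention the new fprintd module.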
@@ -17341,7 +17433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/polkit.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/polkit.if 2009-04-28 16:05:38.000000000 -0400 @@ -0,0 +1,241 @@ + +## policy for polkit_auth @@ -19377,7 +19469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_search_db(httpd_prewikka_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/privoxy.te 2009-04-28 11:40:52.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/privoxy.te 2009-04-28 11:45:58.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -19393,7 +19485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type privoxy_t; # web_client_domain type privoxy_exec_t; init_daemon_domain(privoxy_t, privoxy_exec_t) -@@ -72,21 +80,19 @@ +@@ -72,21 +80,18 @@ logging_send_syslog_msg(privoxy_t) @@ -19416,7 +19508,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - nscd_socket_use(privoxy_t) +tunable_policy(`privoxy_connect_any',` + corenet_tcp_connect_all_ports(privoxy_t) -+ corenet_tcp_bind_all_ports(privoxy_t) + corenet_sendrecv_all_packets(privoxy_t) ') 
@@ -22284,7 +22375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/squid.te 2009-04-28 11:39:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/squid.te 2009-04-28 11:44:05.000000000 -0400 @@ -118,6 +118,9 @@ fs_getattr_all_fs(squid_t) @@ -22994,8 +23085,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-23 09:44:57.000000000 -0400 -@@ -0,0 +1,70 @@ ++++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-28 15:43:36.000000000 -0400 +@@ -0,0 +1,72 @@ +policy_module(sssd,1.0.0) + +######################################## @@ -23022,7 +23113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# sssd local policy +# -+allow sssd_t self:capability sys_nice; ++allow sssd_t self:capability { sys_nice setuid }; +allow sssd_t self:process { setsched signal getsched }; +allow sssd_t tmp_t:dir { read getattr open }; + @@ -23053,6 +23144,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_etc_files(sssd_t) +files_read_usr_files(sssd_t) + ++fs_list_inotifyfs(sssd_t) ++ +auth_use_nsswitch(sssd_t) +auth_domtrans_chk_passwd(sssd_t) +auth_domtrans_upd_passwd(sssd_t) 
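Review bot: The capability set grows to `allow sssd_t self:capability { sys_nice setuid };` with no comment on what sssd needs CAP_SETUID for; since setuid lets the daemon assume any uid, a why-comment on that line is warranted, e.g. `# setuid: <reason> — confirm against the sssd code path that produced the denial`. Dropping to a service uid after start-up would be the usual justification, but the hunk does not show it, so it should be stated rather than assumed. The added `fs_list_inotifyfs(sssd_t)` in the next hunk is fine on its own and needs no note.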
@@ -29744,7 +29837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-27 08:32:47.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-28 16:06:27.000000000 -0400 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 7a4cc9a..21ccbb0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 23%{?dist} +Release: 24%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -480,6 +480,9 @@ exit 0 %endif %changelog +* Tue Apr 28 2009 Dan Walsh 3.6.12-24 +- Allow nsplugin to unix_read unix_write sem for unconfined_java + * Tue Apr 28 2009 Dan Walsh 3.6.12-23 - Fix uml files to be owned by users