From 50dacaca0955638b8615c9767bb4af021c10e792 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Nov 12 2010 14:56:06 +0000 Subject: - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap - init executes mcelog, initrc_t needs to manage faillog. - fix xserver_ralabel_xdm_tmp_dirs - Allow dovecot_deliver_t to list dovecot_etc_t - Run acroread as execmem_t --- diff --git a/policy-F15.patch b/policy-F15.patch index 746fd47..2ddc254 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -371,6 +371,35 @@ index 66e486e..bfda8e9 100644 gnome_manage_config(firstboot_t) ') +diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if +index 4198ff5..df3f4d6 100644 +--- a/policy/modules/admin/kdump.if ++++ b/policy/modules/admin/kdump.if +@@ -56,6 +56,24 @@ interface(`kdump_read_config',` + allow $1 kdump_etc_t:file read_file_perms; + ') + ++##################################### ++## ++## Dontaudit read kdump configuration file. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kdump_dontaudit_read_config',` ++ gen_require(` ++ type kdump_etc_t; ++ ') ++ ++ dontaudit $1 kdump_etc_t:file read_inherited_file_perms; ++') ++ + #################################### + ## + ## Manage kdump configuration file. diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 7390b15..a46b249 100644 --- a/policy/modules/admin/logrotate.te @@ -35262,7 +35291,7 @@ index a4fbe31..a717e2d 100644 logging_list_logs($1) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index b775aaf..1e40c2a 100644 +index b775aaf..7718dbb 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0) 
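Review bot: `kdump_dontaudit_read_config` hides the symptom of the leak named in the commit message rather than the leak itself: `dontaudit $1 kdump_etc_t:file read_inherited_file_perms;` stops the AVC noise, but the descriptor to the kdump configuration file is still inherited by ifconfig_t, and the same applies where the sysnetwork.te hunk calls `kdump_dontaudit_read_config(ifconfig_t)`. The durable fix belongs in kdump (close the file, or open it close-on-exec, before running ifconfig), with the dontaudit kept as a stop-gap so a future leak of a different file remains visible. I would record that intent in the interface header, e.g. `## Covers a descriptor leaked by kdump to ifconfig; fix kdump rather than widening this.` As rendered, the new doc block also carries none of the summary/param XML elements around its text; if that is not an extraction artifact, add them so the interface documentation is generated.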
@@ -35281,7 +35310,7 @@ index b775aaf..1e40c2a 100644 dev_read_urand(uucpd_t) -@@ -113,13 +113,17 @@ optional_policy(` +@@ -113,13 +113,19 @@ optional_policy(` kerberos_use(uucpd_t) ') @@ -35297,6 +35326,8 @@ index b775aaf..1e40c2a 100644 allow uux_t self:capability { setuid setgid }; -allow uux_t self:fifo_file write_file_perms; +allow uux_t self:fifo_file write_fifo_file_perms; ++ ++domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) uucp_append_log(uux_t) uucp_manage_spool(uux_t) @@ -39445,7 +39476,7 @@ index 1c4b1e7..ffa4134 100644 /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..5ad363e 100644 +index bea0ade..f459bae 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -39615,7 +39646,7 @@ index bea0ade..5ad363e 100644 + type faillog_t; + ') + -+ allow $1 faillog_t:file relable_file_perms; ++ allow $1 faillog_t:file relabel_file_perms; +') + +######################################## @@ -41697,7 +41728,7 @@ index 1d1c399..3ab3a47 100644 + tgtd_manage_semaphores(iscsid_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 9df8c4d..7a942fc 100644 +index 9df8c4d..8d1d7fa 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -44,6 +44,7 @@ ifdef(`distro_redhat',` 
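Review bot: `domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)` lets every caller of uux reach the uucpd daemon domain, and nothing in the hunk says why uux must execute uucpd rather than talk to it; a one-line comment above the rule giving the reason (which uucp operation performs the exec) would keep the transition from looking accidental. If uux_t can be entered from a role other than system_r, the transition also needs that role to be allowed for uucpd_t, since the role check is separate from the type transition; that declaration is outside this hunk, so please verify it. The uux_t local policy section continues beyond the hunk on both sides.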
@@ -41743,7 +41774,16 @@ index 9df8c4d..7a942fc 100644 /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +209,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t + /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
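Review bot: Dropping the `/usr/lib/maxima/[^/]+/binary-gcl/maxima` and `/usr/lib64/maxima/[^/]+/binary-gcl/maxima` textrel_shlib_t entries leaves that binary with whatever label the generic /usr/lib rules give it; if binary-gcl still carries text relocations, execmod is denied again after the next relabel, and nothing else in this patch adds a replacement context. If the lines moved to another module or maxima no longer ships that file, say so in the changelog bullet, which currently only says the definitions were removed. The nested hunk headers that follow (`+@@ -208,6 +207,7 @@`, `+@@ -247,6 +247,7 @@`, `+@@ -302,13 +303,8 @@`, `+@@ -319,14 +315,150 @@`) were renumbered by hand to absorb the two deleted lines; the arithmetic is consistent, but regenerating policy-F15.patch instead of editing it in place avoids a one-off error making the whole patch fail to apply.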
@@ -41751,7 +41791,7 @@ index 9df8c4d..7a942fc 100644 /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -247,6 +249,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -41759,7 +41799,7 @@ index 9df8c4d..7a942fc 100644 /usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -@@ -302,13 +305,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -302,13 +303,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -41775,7 +41815,7 @@ index 9df8c4d..7a942fc 100644 ') dnl end distro_redhat # -@@ -319,14 +317,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -42721,7 +42761,7 @@ index 9c0faab..def8d5a 100644 ## loading modules. ## 
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 74a4466..3120e0e 100644 +index 74a4466..7243733 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,6 +18,7 @@ type insmod_t; @@ -42732,7 +42772,17 @@ index 74a4466..3120e0e 100644 role system_r types insmod_t; # module loading config -@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t) +@@ -36,6 +37,9 @@ role system_r types update_modules_t; + type update_modules_tmp_t; + files_tmp_file(update_modules_tmp_t) + ++type insmod_tmpfs_t; ++files_tmpfs_file(insmod_tmpfs_t) ++ + ######################################## + # + # depmod local policy +@@ -55,12 +59,15 @@ corecmd_search_bin(depmod_t) domain_use_interactive_fds(depmod_t) @@ -42748,7 +42798,7 @@ index 74a4466..3120e0e 100644 fs_getattr_xattr_fs(depmod_t) -@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t) +@@ -74,6 +81,7 @@ userdom_use_user_terminals(depmod_t) # Read System.map from home directories. files_list_home(depmod_t) userdom_read_user_home_content_files(depmod_t) @@ -42756,7 +42806,7 @@ index 74a4466..3120e0e 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -104,7 +109,7 @@ optional_policy(` +@@ -104,11 +112,12 @@ optional_policy(` # insmod local policy # 
@@ -42765,7 +42815,22 @@ index 74a4466..3120e0e 100644 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -125,6 +130,7 @@ kernel_write_proc_files(insmod_t) + allow insmod_t self:rawip_socket create_socket_perms; ++allow insmod_t self:shm create_shm_perms; + + # Read module config and dependency information + list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) +@@ -118,6 +127,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) + + can_exec(insmod_t, insmod_exec_t) + ++manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t) ++fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file) ++ + kernel_load_module(insmod_t) + kernel_read_system_state(insmod_t) + kernel_read_network_state(insmod_t) +@@ -125,6 +137,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -42773,7 +42838,7 @@ index 74a4466..3120e0e 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +148,7 @@ dev_rw_agp(insmod_t) +@@ -142,6 +155,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -42781,7 +42846,7 @@ index 74a4466..3120e0e 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -160,11 +167,15 @@ files_write_kernel_modules(insmod_t) +@@ -160,11 +174,15 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -42797,7 +42862,7 @@ index 74a4466..3120e0e 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -173,8 +184,7 @@ miscfiles_read_localization(insmod_t) +@@ -173,8 +191,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) 
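Review bot: `allow insmod_t self:shm create_shm_perms;` has no matching changelog bullet and no comment, while the surrounding rules each carry a reason (`# Read module config and dependency information`, `# Rules for /proc/sys/kernel/tainted`); add one naming the tool in the insmod path that needs SysV shared memory, or drop the rule if it was only seen in a stray denial. The two tmpfs rules use a private type, which is narrower than the changelog's "create tmpfs_t files" and is the right choice, but they omit the space after each comma that the neighbouring calls use (compare `list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)`); write them `manage_files_pattern(insmod_t, insmod_tmpfs_t, insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t, insmod_tmpfs_t, file)`. The insmod local policy section starts in the previous hunk and continues past this one.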
@@ -42807,7 +42872,7 @@ index 74a4466..3120e0e 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -186,8 +196,11 @@ optional_policy(` +@@ -186,8 +203,11 @@ optional_policy(` ') optional_policy(` @@ -42821,7 +42886,7 @@ index 74a4466..3120e0e 100644 ') optional_policy(` -@@ -235,6 +248,10 @@ optional_policy(` +@@ -235,6 +255,10 @@ optional_policy(` ') optional_policy(` @@ -44543,7 +44608,7 @@ index 8e71fb7..350d003 100644 + role_transition $1 dhcpc_exec_t system_r; ') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index dfbe736..5740b79 100644 +index dfbe736..e70feca 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0) @@ -44701,10 +44766,14 @@ index dfbe736..5740b79 100644 ') optional_policy(` -@@ -334,6 +379,10 @@ optional_policy(` +@@ -334,6 +379,14 @@ optional_policy(` ') optional_policy(` ++ kdump_dontaudit_read_config(ifconfig_t) ++') ++ ++optional_policy(` + netutils_domtrans(dhcpc_t) +') + @@ -44712,7 +44781,7 @@ index dfbe736..5740b79 100644 nis_use_ypbind(ifconfig_t) ') -@@ -355,3 +404,9 @@ optional_policy(` +@@ -355,3 +408,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 484f01a..e5b78cd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.8 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -471,6 +471,18 @@ exit 0
 %endif
 %changelog
+* Thu Nov 11 2010 Dan Walsh 3.9.8-5
+- kdump leaks kdump_etc_t to ifconfig, add dontaudit
+- uux needs to transition to uucpd_t
+- More init fixes relabels man,faillog
+- Remove maxima defs in libraries.fc
+- insmod needs to be able to create tmpfs_t files
+- ping needs setcap
+- init executes mcelog, initrc_t needs to manage faillog.
+- fix xserver_ralabel_xdm_tmp_dirs
+- Allow dovecot_deliver_t to list dovecot_etc_t
+- Run acroread as execmem_t
+
 * Wed Nov 10 2010 Dan Walsh 3.9.8-4
 - Fix init to be able to relabel wtmp, tmp files