From 60a9ef60f0d2902c591e581086f75703aaffd8ca Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Aug 10 2007 20:04:48 +0000
Subject: - Fix dhcpc startup of service
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index 670e3cd..12ce500 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -468,7 +468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.5/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/admin/consoletype.te 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/admin/consoletype.te 2007-08-10 15:47:06.000000000 -0400
 @@ -8,9 +8,11 @@
 type consoletype_t;
@@ -504,6 +504,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
 logrotate_dontaudit_use_fds(consoletype_t)
 ')
+@@ -114,3 +120,7 @@
+ xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
+ xen_dontaudit_use_fds(consoletype_t)
+ ')
++
++optional_policy(`
++ unconfined_use_terminals(consoletype_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.5/policy/modules/admin/kudzu.te
 --- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/admin/kudzu.te 2007-08-07 09:39:49.000000000 -0400
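Review bot: The consoletype_t block added in this hunk uses the allow form `unconfined_use_terminals(consoletype_t)`, whereas the netutils_t and insmod_t hunks in the same patch handle the same inherited-terminal problem with `unconfined_dontaudit_use_terminals`; system_dbusd_t (dbus.te hunk) and NetworkManager_t (networkmanager.te hunk) also get the allow form. The allow presumably grants these domains read/write on the unconfined user's tty and pty devices for as long as the process runs, which for long-lived daemons such as the system bus and NetworkManager is wider than what is needed merely to keep the inherited descriptor from producing denials; the dontaudit form is the narrower choice unless the domain really has to write to that terminal. If the allow is deliberate in each case, a comment above the block, e.g. `# started from an unconfined admin shell and writes to its terminal`, would record why the wider rule was chosen.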
@@ -656,8 +664,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.5/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/admin/netutils.te 2007-08-07 09:39:49.000000000 -0400
-@@ -113,6 +113,7 @@
++++ serefpolicy-3.0.5/policy/modules/admin/netutils.te 2007-08-10 15:49:00.000000000 -0400
+@@ -94,9 +94,14 @@
+ ')
+
+ optional_policy(`
++ unconfined_dontaudit_use_terminals(netutils_t)
++')
++
++optional_policy(`
+ xen_append_log(netutils_t)
+ ')
+
++
+ ########################################
+ #
+ # Ping local policy
+@@ -113,6 +118,7 @@
 corenet_tcp_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_nodes(ping_t)
@@ -3145,7 +3168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.5/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/apache.if 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/apache.if 2007-08-10 15:52:40.000000000 -0400
 @@ -18,10 +18,6 @@
 attribute httpd_script_exec_type;
 type httpd_t, httpd_suexec_t, httpd_log_t;
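Review bot: The lone `++` line added between `+ ')` and the `+ ########` banner in the netutils.te hunk leaves two consecutive blank lines before the `# Ping local policy` header, because the context line `+` just above it is already a blank line; drop the added `++` so the module keeps single blank-line separation. The `unconfined_dontaudit_use_terminals(netutils_t)` block itself sits in its own optional_policy ahead of the xen block, consistent with the surrounding layout.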
@@ -4997,7 +5020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.5/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/dbus.te 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/dbus.te 2007-08-10 15:24:38.000000000 -0400
 @@ -23,6 +23,9 @@
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
@@ -5017,6 +5040,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
 files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
+@@ -116,9 +121,18 @@
+ ')
+
+ optional_policy(`
++ rhgb_use_ptys(system_dbusd_t)
++')
++
++optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(system_dbusd_t)
+ ')
++
++optional_policy(`
++ unconfined_use_terminals(system_dbusd_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.5/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te 2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/dhcp.te 2007-08-07 09:39:49.000000000 -0400
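Review bot: The final `++` line of the dbus.te hunk appends an empty line after the closing `')` of the new unconfined block, and since the inner hunk `-116,9 +121,18` has no trailing context it looks like that `')` was the last line of the file, so dbus.te now ends with a trailing blank line; drop that last `++` line. The rest of the hunk follows the existing layout, with `rhgb_use_ptys(system_dbusd_t)` in its own optional_policy block ahead of the sysnet one.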
@@ -5961,7 +6003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.5/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-10 11:35:13.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-10 15:24:52.000000000 -0400
 @@ -41,6 +41,8 @@
 kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_load_module(NetworkManager_t)
@@ -5983,14 +6025,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 ppp_domtrans(NetworkManager_t)
 ppp_read_pid_files(NetworkManager_t)
 ppp_signal(NetworkManager_t)
-@@ -166,6 +173,7 @@
+@@ -166,8 +173,10 @@
 ')
 optional_policy(`
+ unconfined_rw_pipes(NetworkManager_t)
 # Read gnome-keyring
 unconfined_read_home_content_files(NetworkManager_t)
++ unconfined_use_terminals(NetworkManager_t)
 ')
+
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.5/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc 2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/nis.fc 2007-08-07 09:39:49.000000000 -0400
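Review bot: `unconfined_use_terminals(NetworkManager_t)` is inserted directly after the `# Read gnome-keyring` comment and the `unconfined_read_home_content_files(NetworkManager_t)` rule it describes, so the comment now reads as if it covered both rules. Either move the new rule up next to `unconfined_rw_pipes(NetworkManager_t)`, above the comment, or give it its own one-line comment such as `# inherited terminal when started from an unconfined shell`.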
@@ -6133,6 +6178,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.0.5/policy/modules/services/ntp.if
+--- nsaserefpolicy/policy/modules/services/ntp.if 2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/ntp.if 2007-08-10 15:57:31.000000000 -0400
+@@ -53,3 +53,41 @@
+ corecmd_search_bin($1)
+ domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
+ ')
++
++########################################
++##
++## Allow the specified domain to manage
++## ntp pid file
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntp_manage_pid',`
++ gen_require(`
++ type ntpd_var_run_t;
++ ')
++ manage_files_pattern($1,ntpd_var_run_t,ntpd_var_run_t)
++ files_pid_filetrans($1,ntpd_var_run_t,file)
++')
++
++########################################
++##
++## Send generic signals to the ntp domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntp_signal',`
++ gen_require(`
++ type ntpd_t;
++ ')
++
++ allow $1 ntpd_t:process signal;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.5/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/ntp.te 2007-08-07 09:39:49.000000000 -0400
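Review bot: `ntp_manage_pid` grants `manage_files_pattern($1,ntpd_var_run_t,ntpd_var_run_t)` and `files_pid_filetrans($1,ntpd_var_run_t,file)` but never calls `files_search_pids($1)`, so a caller with no other search access to the pid directory is still denied on the path lookup; add `files_search_pids($1)` before the manage pattern, as comparable pid-file interfaces in refpolicy do. Minor style: `ntp_signal` separates its gen_require block from the allow rule with a blank line while `ntp_manage_pid` does not. The `##` documentation lines of both interfaces show no `<summary>` or `<param name="domain">` tags in this rendering; if that is the real file content rather than tags stripped by the page, the descriptions will not be picked up by the interface documentation tooling.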
@@ -7373,6 +7463,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ allow $1 sendmail_t:process signal;
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.5/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/sendmail.te 2007-08-10 13:14:09.000000000 -0400
+@@ -130,6 +130,10 @@
+ ')
+
+ optional_policy(`
++ rhgb_use_ptys(sendmail_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(sendmail_t)
+ ')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.0.5/policy/modules/services/setroubleshoot.if
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/setroubleshoot.if 2007-08-07 09:39:49.000000000 -0400
@@ -9912,7 +10016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.5/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-10 14:08:13.000000000 -0400
 @@ -42,7 +42,7 @@
 # insmod local policy
 #
@@ -9975,7 +10079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 hotplug_search_config(insmod_t)
 ')
-@@ -149,6 +163,7 @@
+@@ -149,10 +163,12 @@
 optional_policy(`
 rpm_rw_pipes(insmod_t)
@@ -9983,7 +10087,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 ')
 optional_policy(`
-@@ -179,6 +194,7 @@
+ unconfined_dontaudit_rw_pipes(insmod_t)
++ unconfined_dontaudit_use_terminals(insmod_t)
+ ')
+
+ optional_policy(`
+@@ -179,6 +195,7 @@
 files_read_kernel_symbol_table(depmod_t)
 files_read_kernel_modules(depmod_t)
@@ -9991,7 +10100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 fs_getattr_xattr_fs(depmod_t)
-@@ -205,9 +221,12 @@
+@@ -205,9 +222,12 @@
 userdom_read_staff_home_content_files(depmod_t)
 userdom_read_sysadm_home_content_files(depmod_t)
@@ -10738,7 +10847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.5/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/unconfined.if 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/unconfined.if 2007-08-10 15:24:16.000000000 -0400
 @@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@@ -11119,7 +11228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-10 11:57:57.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-10 13:44:41.000000000 -0400
 @@ -62,6 +62,10 @@
 allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -11679,14 +11788,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 domain_interactive_fd($1_t)
 typeattribute $1_devpts_t user_ptynode;
-@@ -985,15 +1051,53 @@
+@@ -985,15 +1051,51 @@
 typeattribute $1_tmp_t user_tmpfile;
 typeattribute $1_tty_device_t user_ttynode;
- userdom_poly_home_template($1)
- userdom_poly_tmp_template($1)
-+ auth_exec_pam($1_t)
-+
+ optional_policy(`
+ loadkeys_run($1_t,$1_r,$1_tty_device_t)
+ ')
@@ -11737,7 +11844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 # port access is audited even if dac would not have allowed it, so dontaudit it here
 corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1024,20 +1128,12 @@
+@@ -1024,20 +1126,12 @@
 kernel_dontaudit_read_ring_buffer($1_t)
 ')
@@ -11764,7 +11871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 optional_policy(`
-@@ -1054,17 +1150,6 @@
+@@ -1054,17 +1148,6 @@
 setroubleshoot_stream_connect($1_t)
 ')
@@ -11782,7 +11889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 #######################################
-@@ -1102,6 +1187,8 @@
+@@ -1102,6 +1185,8 @@
 class passwd { passwd chfn chsh rootok crontab };
 ')
@@ -11791,7 +11898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##############################
 #
 # Declarations
-@@ -1127,7 +1214,7 @@
+@@ -1127,7 +1212,7 @@
 # $1_t local policy
 #
@@ -11800,7 +11907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 allow $1_t self:process { setexec setfscreate };
 # Set password information for other users.
-@@ -1139,7 +1226,11 @@
+@@ -1139,7 +1224,11 @@
 # Manipulate other users crontab.
 allow $1_t self:passwd crontab;
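Review bot: The first hunk here drops `auth_exec_pam($1_t)` (the removed `-+` lines) from the user domain template in userdomain.if, which takes that permission away from every user domain generated from the template, yet neither the commit subject nor the new changelog entry mentions it. A changelog line, or a short comment in the patch explaining why the earlier addition was reverted, would keep the change from being lost the next time the patch is regenerated. The template this belongs to begins and ends outside the hunk.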
@@ -11813,7 +11920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 kernel_read_software_raid_state($1_t)
 kernel_getattr_core_if($1_t)
-@@ -1902,6 +1993,41 @@
+@@ -1902,6 +1991,41 @@
 ########################################
 ##
@@ -11855,7 +11962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Do not audit attempts to set the
 ## attributes of user home files.
 ##
-@@ -3078,7 +3204,7 @@
+@@ -3078,7 +3202,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 gen_require(`
@@ -11864,7 +11971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5449,7 @@
+@@ -5323,7 +5447,7 @@
 attribute user_tmpfile;
 ')
@@ -11873,7 +11980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5559,3 +5685,280 @@
+@@ -5559,3 +5683,280 @@
 interface(`userdom_unconfined',`
 refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3641446..5eaf326 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,9 @@ exit 0
 %endif
 %changelog
+* Fri Aug 10 2007 Dan Walsh 3.0.5-5
+- Fix dhcpc startup of service
+
 * Fri Aug 10 2007 Dan Walsh 3.0.5-4
 - Fix dbus chat to not happen for xguest and guest users