From 6234095bb97460cc5bd300f5cc9138f2b7224d22 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 29 2008 20:55:32 +0000 Subject: - Allow crontab to work for unconfined users - Allow courier_authdaemon_t to create sock_file in courier_spool directories --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 4e6fa77..a292abe 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -7396,7 +7396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-08-15 15:31:02.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-08-29 16:52:50.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.2.15) @@ -7424,7 +7424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) -+network_port(dogtag, tcp,9080,s0, tcp,9443,s0) ++network_port(dogtag, tcp,9443,s0) network_port(fingerd, tcp,79,s0) +network_port(flash, tcp,1935,s0, udp,1935,s0) network_port(ftp_data, tcp,20,s0) @@ -9076,7 +9076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-07-15 14:02:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-08-29 16:50:55.000000000 -0400 
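Review bot: TCP 9080 silently loses its `dogtag_port_t` label in the corenetwork.te.in hunk: the `network_port(dogtag, …)` declaration keeps only `tcp,9443,s0`, so any rule written against `dogtag_port_t` (e.g. via the corenet dogtag port interfaces) no longer covers 9080, and neither the commit subject nor the 3.3.1-87 changelog entry mentions this. If 9080 was dropped because it collides with another `network_port` declaration or because the service only listens on 9443, that reason belongs in the changelog, e.g. `- Drop tcp 9080 from dogtag_port_t (conflicts with …)`. Whether any domain elsewhere in policy-20071130.patch relied on 9080 being dogtag-labelled cannot be checked from this hunk.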
@@ -851,9 +851,8 @@ type proc_t, proc_afs_t; ') @@ -9104,6 +9104,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## +@@ -2508,3 +2509,33 @@ + + typeattribute $1 kern_unconfined; + ') ++ ++######################################## ++## ++## Relabel from unlabeled database objects. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_relabelfrom_unlabeled_database',` ++ gen_require(` ++ type unlabeled_t; ++ class db_database { setattr relabelfrom }; ++ class db_table { setattr relabelfrom }; ++ class db_procedure { setattr relabelfrom }; ++ class db_column { setattr relabelfrom }; ++ class db_tuple { update relabelfrom }; ++ class db_blob { setattr relabelfrom }; ++ ') ++ ++ allow $1 unlabeled_t:db_database { setattr relabelfrom }; ++ allow $1 unlabeled_t:db_table { setattr relabelfrom }; ++ allow $1 unlabeled_t:db_procedure { setattr relabelfrom }; ++ allow $1 unlabeled_t:db_column { setattr relabelfrom }; ++ allow $1 unlabeled_t:db_tuple { update relabelfrom }; ++ allow $1 unlabeled_t:db_blob { setattr relabelfrom }; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.3.1/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-06-12 23:38:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/kernel/kernel.te 2008-07-15 14:02:51.000000000 -0400 
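Review bot: The header of the new `kernel_relabelfrom_unlabeled_database` interface shows only bare `## ` lines around "Relabel from unlabeled database objects." and "Domain allowed access.", i.e. the `<summary>` and `<param name="domain">` markup refpolicy's doc tooling expects is absent as rendered here; if that is how the patch really reads (and not an artefact of this page), the header should be `## <summary>` / `## Relabel from unlabeled database objects.` / `## </summary>` with the parameter wrapped in `## <param name="domain">` … `## </param>`. Separately, relabeling in SELinux requires `relabelfrom` on the old type and `relabelto` on the new one, and this interface grants only the `unlabeled_t` side, so a caller also needs a `relabelto` grant on the destination db type — presumably supplied by the database module's own interfaces, which are not visible in this hunk. The `db_tuple` row asks for `update relabelfrom` while every other class asks for `setattr relabelfrom`; that is fine only if the access vectors shipped with this policy version define no `setattr` on `db_tuple`, which is worth confirming.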
@@ -32351,7 +32385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-08-29 16:21:41.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-08-29 16:47:43.000000000 -0400 @@ -213,12 +213,7 @@ ## # @@ -32553,7 +32587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + role system_r types $1; + + domtrans_pattern(audisp_t,$2,$1) -+ allow audisp_t $1:process { sigkill sigstop signull signal } ++ allow audisp_t $1:process { sigkill sigstop signull signal }; + allow audisp_t $2:file getattr; + allow $1 audisp_t:unix_stream_socket rw_socket_perms; +') diff --git a/selinux-policy.spec b/selinux-policy.spec index 17cc365..4c556e5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 85%{?dist} +Release: 87%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -386,6 +386,13 @@ exit 0 %endif %changelog +* Tue Aug 26 2008 Dan Walsh 3.3.1-87 +- Allow crontab to work for unconfined users +- Allow courier_authdaemon_t to create sock_file in courier_spool directories + +* Thu Aug 14 2008 Dan Walsh 3.3.1-86 +- Allow prewika to write log files + * Wed Aug 6 2008 Dan Walsh 3.3.1-85 - Allow clamscan to connect to the clamd_port over tcp