From 68bbf78c18055feac61ab75fe8a5e462bcfa3dfc Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 21 2011 09:07:46 +0000 Subject: - Add label for /usr/share/shorewall/getparams --- diff --git a/policy-F14.patch b/policy-F14.patch index e56fa4d..b9ed5a3 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -8386,7 +8386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se dbus_session_bus_client($1_wm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2011-03-18 15:10:04.615630000 +0000 ++++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2011-03-21 08:55:19.913630000 +0000 @@ -9,8 +9,11 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) 
@@ -8512,7 +8512,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,6 +340,7 @@ +@@ -243,6 +269,7 @@ + /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -314,6 +341,7 @@ /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) @@ -8520,7 +8528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') ifdef(`distro_suse', ` -@@ -340,3 +367,28 @@ +@@ -340,3 +368,28 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -26080,7 +26088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.9.7/policy/modules/services/milter.te --- nsaserefpolicy/policy/modules/services/milter.te 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/milter.te 2011-03-15 14:58:42.887107001 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/milter.te 2011-03-21 09:00:27.137630000 +0000 
@@ -9,6 +9,13 @@ attribute milter_domains; attribute milter_data_type; @@ -26125,7 +26133,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt # # It removes any existing socket (not owned by root) whilst running as root, -@@ -38,6 +61,12 @@ +@@ -32,12 +55,19 @@ + # drop privileges + allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; + allow greylist_milter_t self:process { setsched getsched }; ++allow greylist_milter_t self:tcp_socket create_stream_socket_perms; + + # It creates a pid file /var/run/milter-greylist.pid + files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) kernel_read_kernel_sysctls(greylist_milter_t) @@ -26138,7 +26153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt # Allow the milter to read a GeoIP database in /usr/share files_read_usr_files(greylist_milter_t) # The milter runs from /var/lib/milter-greylist and maintains files there -@@ -52,8 +81,8 @@ +@@ -52,8 +82,8 @@ ######################################## # # milter-regex local policy @@ -26149,7 +26164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt # # It removes any existing socket (not owned by root) whilst running as root -@@ -72,8 +101,8 @@ +@@ -72,8 +102,8 @@ ######################################## # # spamass-milter local policy diff --git a/selinux-policy.spec b/selinux-policy.spec index 53ab0bd..fadbe28 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 36%{?dist} +Release: 37%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,9 @@ exit 0 %endif %changelog +* Mon Mar 21 2011 Miroslav Grepl 3.9.7-37 +- Add label for /usr/share/shorewall/getparams + * Sun Mar 20 2011 Miroslav Grepl 3.9.7-36 - xdm needs to read KDE config files
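Review bot: The added rule `allow greylist_milter_t self:tcp_socket create_stream_socket_perms;` (inner hunk `@@ -32,12 +55,19 @@` of milter.te) sits directly under the existing `# drop privileges` comment with no comment of its own, and neither the commit subject nor the 3.9.7-37 changelog entry mentions it. Because `create_stream_socket_perms` includes `listen` and `accept` on top of the plain socket permissions, the rule needs a comment saying which milter-greylist function uses TCP and whether it acts as a server, for example `# PLACEHOLDER: name the feature that needs TCP and why it listens`. If the milter only makes outbound connections, `create_socket_perms` would presumably be the narrower grant. The greylist_milter_t policy block continues outside this hunk, so any matching corenet port rules are not visible here and should be checked for equally tight scoping. The changelog should also list this permission next to the shorewall label, so the added network access for a mail filter domain is auditable.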