From 70e8a1d0b4369ae883a14e582c47f495ea73ea37 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 14 2007 00:16:44 +0000 Subject: - Allow clamd to read kernel system state --- diff --git a/policy-20070501.patch b/policy-20070501.patch index 95bd7e7..a908086 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -2795,7 +2795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-13 19:33:33.000000000 -0400 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -3711,8 +3711,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam /var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.6.4/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/clamav.te 2007-08-07 09:42:35.000000000 -0400 -@@ -74,17 +74,19 @@ ++++ serefpolicy-2.6.4/policy/modules/services/clamav.te 2007-08-13 19:28:50.000000000 -0400 +@@ -74,17 +74,20 @@ manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t) # log files 
@@ -3732,10 +3732,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) +kernel_read_kernel_sysctls(clamd_t) ++kernel_read_system_state(clamd_t) corenet_non_ipsec_sendrecv(clamd_t) corenet_tcp_sendrecv_all_if(clamd_t) -@@ -126,6 +128,7 @@ +@@ -126,6 +129,7 @@ amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file) @@ -3743,7 +3744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ') ######################################## -@@ -213,6 +216,9 @@ +@@ -213,6 +217,9 @@ read_files_pattern(clamscan_t,clamd_var_lib_t,clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; @@ -3753,7 +3754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam kernel_read_kernel_sysctls(clamscan_t) files_read_etc_files(clamscan_t) -@@ -228,5 +234,13 @@ +@@ -228,5 +235,13 @@ clamav_stream_connect(clamscan_t) optional_policy(` @@ -5335,8 +5336,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-2.6.4/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/mailman.te 2007-08-07 09:42:35.000000000 -0400 -@@ -96,6 +96,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/mailman.te 2007-08-13 19:33:45.000000000 -0400 +@@ -55,6 +55,7 @@ + apache_use_fds(mailman_cgi_t) + apache_dontaudit_append_log(mailman_cgi_t) + apache_search_sys_script_state(mailman_cgi_t) ++ apache_read_config(mailman_cgi_t) + + optional_policy(` + nscd_socket_use(mailman_cgi_t) +@@ -96,6 +97,7 @@ kernel_read_proc_symlinks(mailman_queue_t) auth_domtrans_chk_passwd(mailman_queue_t) 
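Review bot: `kernel_read_system_state(clamd_t)` is added two lines below the existing `kernel_dontaudit_list_proc(clamd_t)`, and in refpolicy of this vintage kernel_read_system_state already grants list on proc_t directories as part of reading /proc, so as far as I can tell the dontaudit is now dead and should go in the same change: `-kernel_dontaudit_list_proc(clamd_t)`. Neither the hunk nor the commit message says which /proc file clamd opens; a why-comment on the new line such as `# clamd reads /proc system state at startup (record the denied path here)` would let a later maintainer judge whether read access to all of proc_t, rather than just directory listing, is really needed. The commit's other clamav hunk gives clamscan_t only kernel_read_kernel_sysctls; if the read comes from libclamav rather than the daemon, clamscan_t presumably hits the same denial, which is worth checking before this ships. The clamd_t rule block this hunk sits in starts before the hunk.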
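Review bot: `apache_read_config(mailman_cgi_t)` is added inside the apache optional block with no comment saying what the CGI wrapper actually reads, and httpd_config_t covers the whole httpd configuration tree, which on some installs also holds AuthUserFile/htpasswd files; mailman_cgi_t is a web-facing domain, so I would confirm the original denial was for a genuine configuration file rather than grant the full type blindly. A why-comment on the new line, e.g. `# mailman CGI reads the httpd configuration (note which file triggered the AVC)`, would record that for the next reviewer. The optional_policy block this line belongs to starts and ends outside the hunk.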
@@ -6424,7 +6433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-08-13 19:36:56.000000000 -0400 @@ -84,6 +84,12 @@ type postfix_var_run_t; files_pid_file(postfix_var_run_t) @@ -6475,7 +6484,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ########################################################### # # Partially converted rules. THESE ARE ONLY TEMPORARY -@@ -386,7 +406,7 @@ +@@ -268,6 +288,8 @@ + + files_read_etc_files(postfix_local_t) + ++logging_dontaudit_search_logs(postfix_local_t) ++ + mta_read_aliases(postfix_local_t) + mta_delete_spool(postfix_local_t) + # For reading spamassasin +@@ -386,7 +408,7 @@ # Postfix pipe local policy # @@ -6484,7 +6502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -395,6 +415,10 @@ +@@ -395,6 +417,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -6495,7 +6513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -441,6 +465,10 @@ +@@ -441,6 +467,10 @@ ') optional_policy(` @@ -6506,7 +6524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) ') -@@ -519,8 +547,6 @@ +@@ -519,8 +549,6 @@ # Postfix smtp delivery local policy # 
@@ -6515,7 +6533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -@@ -528,6 +554,8 @@ +@@ -528,6 +556,8 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -6524,7 +6542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') -@@ -536,6 +564,7 @@ +@@ -536,6 +566,7 @@ # # Postfix smtpd local policy # @@ -6532,7 +6550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; # connect to master process -@@ -552,9 +581,45 @@ +@@ -552,9 +583,45 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index ba36d53..0ee47d1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 36%{?dist} +Release: 37%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -361,6 +361,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Mon Aug 13 2007 Dan Walsh 2.6.4-37 +- Allow clamd to read kernel system state + * Mon Aug 13 2007 Dan Walsh 2.6.4-36 - Allow NetworkManager to chown