From 831b840796094a751995512cb85bde43fd0e3c1b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 11 2009 08:52:45 +0000 Subject: - Allow polkit_auth_t to getattr of all persistent filesystems --- diff --git a/policy-20090521.patch b/policy-20090521.patch index 46e4212..46fe801 100644 --- a/policy-20090521.patch +++ b/policy-20090521.patch 
@@ -2157,10 +2157,79 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(system_cronjob_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc +--- nsaserefpolicy/policy/modules/services/cups.fc 2009-06-25 10:19:44.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/cups.fc 2009-08-11 09:45:17.000000000 +0200 +@@ -53,6 +53,8 @@ + /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + ++/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) ++ + /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) + /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-08-04 13:01:36.000000000 +0200 -@@ -733,6 +733,8 @@ ++++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-08-11 09:44:51.000000000 +0200 +@@ -59,12 +59,13 @@ + init_daemon_domain(hplip_t, hplip_exec_t) + # For CUPS to run as a backend + cups_backend(hplip_t, hplip_exec_t) +-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) +-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) + + type hplip_etc_t; + files_config_file(hplip_etc_t) + ++type hplip_var_lib_t; ++files_type(hplip_var_lib_t) ++ + type hplip_var_run_t; + files_pid_file(hplip_var_run_t) + +@@ -163,6 +164,9 @@ + files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) + + allow cupsd_t hplip_t:process {signal sigkill }; ++ ++read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) ++ + allow cupsd_t hplip_var_run_t:file read_file_perms; + + 
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) +@@ -376,6 +380,10 @@ + manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) + files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) + ++domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) ++ ++read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) ++ + kernel_read_system_state(cupsd_config_t) + kernel_read_all_sysctls(cupsd_config_t) + +@@ -574,9 +582,8 @@ + read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) + files_search_etc(hplip_t) + +-fs_rw_anon_inodefs_files(hplip_t) +- +-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) ++manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) ++manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) + + manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) + files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) +@@ -615,6 +622,7 @@ + + fs_getattr_all_fs(hplip_t) + fs_search_auto_mountpoints(hplip_t) ++fs_rw_anon_inodefs_files(hplip_t) + + # for python + corecmd_exec_bin(hplip_t) +@@ -733,6 +741,8 @@ files_read_etc_files(cups_pdf_t) files_read_usr_files(cups_pdf_t) @@ -2169,7 +2238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) auth_use_nsswitch(cups_pdf_t) -@@ -746,6 +748,7 @@ +@@ -746,6 +756,7 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) 
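Review bot: The new `hplip_var_lib_t` rules for hplip_t cover files and symlinks only — the `@@ -574,9 +582,8 @@` hunk adds `manage_files_pattern` and `manage_lnk_files_pattern` but no `manage_dirs_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)`, so hplip_t cannot create or remove subdirectories under `/var/lib/hp`, and no `files_var_lib_filetrans(hplip_t, hplip_var_lib_t, { dir file })`, so if hplip_t is otherwise able to create `/var/lib/hp` (or anything directly in `/var/lib`) the object would keep the parent directory's label and fall outside the new rules. The tmp rules right below in the same hunk use `files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )` for exactly this reason, and `files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)` earlier in the hunk does the same for pid files. Existing content under `/var/lib/hp` also keeps its old label until a relabel picks up the new cups.fc entry, and the spec changelog for this release does not mention the new type, so packagers have no hint that a restorecon is needed. Suggest adding `manage_dirs_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)` and `files_var_lib_filetrans(hplip_t, hplip_var_lib_t, { dir file })` next to the two new lines, if the var_lib filetrans interface is available in this tree, and a changelog line for the cups.te/cups.fc change.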
@@ -3092,7 +3161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.12/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/polkit.te 2009-07-28 14:10:06.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/polkit.te 2009-08-07 12:21:31.000000000 +0200 @@ -72,6 +72,7 @@ manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) @@ -3101,6 +3170,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(polkit_t) optional_policy(` +@@ -99,6 +100,8 @@ + + domain_use_interactive_fds(polkit_auth_t) + ++fs_getattr_all_fs(polkit_auth_t) ++ + files_read_etc_files(polkit_auth_t) + files_read_usr_files(polkit_auth_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-07-31 13:05:32.000000000 +0200 
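Review bot: The commit subject and changelog say getattr of all *persistent* filesystems, but the interface added for polkit_auth_t, `fs_getattr_all_fs`, is the broad one — in refpolicy it allows `filesystem getattr` on every type carrying the `filesystem_type` attribute, pseudo filesystems included — so either the description is narrower than the change or a narrower interface was intended; please reconcile the two. Filesystem getattr (statfs-style metadata) is read-only and low risk, but the new line carries no note of which access triggered it, and a bare `fs_*_all_*` grant is the kind of rule that gets copied into other domains later without justification. Suggest a why-comment above the line, e.g. `# polkit auth helper statfs()s mounted filesystems; see <AVC/bug ref>`, with the actual denial filled in. The polkit_auth_t rule block continues outside the hunk.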
@@ -4755,6 +4833,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.12/policy/modules/system/mount.te +--- nsaserefpolicy/policy/modules/system/mount.te 2009-06-25 10:19:44.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/system/mount.te 2009-08-11 10:04:04.000000000 +0200 +@@ -72,6 +72,7 @@ + dev_list_all_dev_nodes(mount_t) + dev_read_usbfs(mount_t) + dev_read_rand(mount_t) ++dev_read_sysfs(mount_t) + dev_rw_lvm_control(mount_t) + dev_dontaudit_getattr_all_chr_files(mount_t) + dev_dontaudit_getattr_memory_dev(mount_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-07-17 09:43:41.000000000 +0200 diff --git a/selinux-policy.spec b/selinux-policy.spec index 684a452..5f1f4bd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 74%{?dist} +Release: 75%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Tue Aug 11 2009 Miroslav Grepl 3.6.12-75 +- Allow polkit_auth_t to getattr of all persistent filesystems + * Wed Aug 5 2009 Miroslav Grepl 3.6.12-74 - Allow svirt images to create sock_file in svirt_var_run_t
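Review bot: The new `dev_read_sysfs(mount_t)` line has no comment explaining what mount needs from /sys, and neither the commit subject nor the 3.6.12-75 changelog entry mentions this mount.te change, so the grant is undocumented in both places a maintainer would look. mount_t is already a highly privileged domain and read access to sysfs is a modest addition on top of it, but an unexplained rule in a domain like this is the first thing a policy audit flags and the easiest to widen silently later. Suggest a hedged why-comment above the line until the motivating denial is recorded, e.g. `# presumably mount needs device info from /sys -- confirm against the AVC / bug ref`, plus a changelog line for the mount.te change. The mount_t dev_* rule block continues outside the hunk.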