From 9b622fb10670bce2733f46119ff9c00dc02b65b1 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jan 29 2010 11:11:23 +0000
Subject: - Fix rpm_dontaudit_leaks - Fix typo in rgmanager.if - Fixes for nis policy
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index ae6f2bf..d388b63 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -1,3 +1,39 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
+--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-01-18 18:24:22.567540216 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-01-29 10:12:23.130864561 +0100
+@@ -189,22 +189,22 @@
+ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
+ ')
+ 
+- dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
+- dontaudit $1 rpm_t:tcp_socket rw_socket_perms;
+- dontaudit $1 rpm_t:unix_dgram_socket rw_socket_perms;
++ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit $1 rpm_t:tcp_socket { read write };
++ dontaudit $1 rpm_t:unix_dgram_socket { read write };
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+ 
+ dontaudit $1 rpm_script_t:fd use;
+- dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
+ 
+- dontaudit $1 rpm_var_run_t:file write_file_perms;
++ dontaudit $1 rpm_var_run_t:file write;
+ 
+- dontaudit $1 rpm_tmp_t:file rw_file_perms;
++ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+- dontaudit $1 rpm_tmpfs_t:file write_file_perms;
+- dontaudit $1 rpm_script_tmp_t:file write_file_perms;
+- dontaudit $1 rpm_var_lib_t:file { read write };
+- dontaudit $1 rpm_var_cache_t:file { read write };
++ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te
 --- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-01-18 18:24:22.573543214 +0100
 +++ 
serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2010-01-25 11:03:49.548441857 +0100 
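Review bot: `dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;` and `dontaudit $1 rpm_t:shm rw_shm_perms;` are the only lines left at their full permission sets while every other line in this hunk was narrowed to an inherited-descriptor subset; as far as I recall rw_dir_perms includes add_name/remove_name (confirm in policy/support/obj_perm_sets.spt), so the interface would still hide a caller's genuine attempts to create or unlink entries under rpm's tmpfs directories — the very kind of denial the move to rw_inherited_* perms is meant to stop masking. Narrowing it to something like `dontaudit $1 rpm_tmpfs_t:dir { getattr search read write };` keeps leaked-descriptor noise quiet while leaving directory modification auditable. The interface's summary and gen_require open before this hunk.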
@@ -596,6 +632,60 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type v4l_device_t;
 dev_node(v4l_device_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2010-01-18 18:24:22.691530426 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-01-29 10:02:38.893864113 +0100
+@@ -5537,3 +5537,23 @@
+ 
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
+ ')
++ 
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_leaks',`
++ gen_require(`
++ attribute file_type;
++ ')
++ 
++ dontaudit $1 file_type:file rw_inherited_file_perms;
++ dontaudit $1 file_type:lnk_file { read };
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-01-29 10:02:57.270864470 +0100
+@@ -4409,3 +4409,23 @@
+ write_files_pattern($1, cgroup_t, cgroup_t)
+ ')
+ 
++ 
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked filesystems files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_leaks',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++ 
++ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
++ dontaudit $1 filesystem_type:lnk_file { read };
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100
 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-18 18:27:02.752530994 +0100
@@ -802,6 +892,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
 +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-01-29 09:59:49.239614360 +0100
+@@ -323,6 +323,10 @@
+ udev_read_db(crond_t)
+ ')
+ 
++optional_policy(`
++ mta_system_content(cron_var_run_t)
++')
++ 
+ ########################################
+ #
+ # System cron process domain
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-25 17:36:13.178435741 +0100
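Review bot: `dontaudit $1 file_type:file rw_inherited_file_perms;` in the new `files_dontaudit_leaks` covers every file type, security types included, whereas the interface directly above it in the same hunk deliberately limits itself to `non_security_file_type`; with the broad attribute, a descriptor to something like a shadow file leaked into a caller (xauth_t and hostname_t receive this interface later in the patch) never raises an AVC, and the leak loses its only detection signal. Unless a caller genuinely needs the security types covered, require `attribute non_security_file_type;` and write `dontaudit $1 non_security_file_type:file rw_inherited_file_perms;`, and state in the summary that this suppresses inherited-descriptor noise rather than granting anything. `fs_dontaudit_leaks` over `filesystem_type` has the same breadth and deserves the same caveat in its summary.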
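Review bot: The new `mta_system_content(cron_var_run_t)` block carries no comment recording which program hit the denial, and judging by the interface name it attaches cron's whole /var/run type to the MTA system-content attribute rather than granting one access, so the MTA domains presumably gain read/write on crond's pid file as well (inferred from the type name — confirm in cron.fc and mta.if). A one-line why-comment inside the optional_policy block, e.g. `# crond hands job output to the MTA through a file under /var/run/cron — confirm`, would let the next reader decide whether a read-only mta_ interface is enough. The crond_t section this sits in continues outside the hunk.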
@@ -1145,7 +1249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`allow_kerberos',`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc
 --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-01-26 14:30:08.546712216 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-01-29 10:17:34.113864636 +0100
 @@ -2,6 +2,8 @@
 /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
 /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
@@ -1155,6 +1259,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
 ifdef(`distro_debian',`
+@@ -10,8 +12,12 @@
+ 
+ /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+ /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++ 
++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:slapd_log_t,s0)
+ 
+ /var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+ /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+ /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+ /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te
+--- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-01-29 10:41:13.184864510 +0100
+@@ -28,6 +28,9 @@
+ type slapd_replog_t;
+ files_type(slapd_replog_t)
+ 
++type slapd_log_t;
++logging_log_file(slapd_log_t)
++ 
+ type slapd_tmp_t;
+ files_tmp_file(slapd_tmp_t)
+ 
+@@ -68,6 +71,10 @@
+ manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+ manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+ 
++manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
++logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
++ 
+ manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+ manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+ files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100
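Review bot: `/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)` leaves the dot unescaped, so it matches any socket whose name merely starts with `slapd`, and it is inconsistent with the sibling entries right above it that escape it (`slapd\.args`, `slapd\.pid`); `/var/run/slapd\..* -s gen_context(system_u:object_r:slapd_var_run_t,s0)` says what is meant and keeps the file's convention. The dirsrv entries give 389-ds data and logs the slapd types, which only helps if ns-slapd actually runs as slapd_t through an exec entry not in this hunk — worth confirming, since otherwise an unconfined or differently confined daemon ends up writing slapd_db_t. The ldap.te additions (slapd_log_t plus logging_log_filetrans) mirror the tmp handling that follows them; the change is absent from the changelog entry, though.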
@@ -1312,6 +1453,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ######################################
 #
 # local policy for system check plugins
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc
+--- nsaserefpolicy/policy/modules/services/nis.fc 2010-01-18 18:24:22.826540614 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2010-01-29 09:57:02.171614102 +0100
+@@ -14,3 +14,8 @@
+ /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+ 
+ /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
++ 
++/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
++/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
++/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
++/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.32/policy/modules/services/nis.te
+--- nsaserefpolicy/policy/modules/services/nis.te 2010-01-18 18:24:22.828542614 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nis.te 2010-01-29 09:57:06.796318812 +0100
+@@ -47,6 +47,9 @@
+ type ypxfr_exec_t;
+ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+ 
++type ypxfr_var_run_t;
++files_pid_file(ypxfr_var_run_t)
++ 
+ type nis_initrc_exec_t;
+ init_script_file(nis_initrc_exec_t)
+ 
+@@ -312,6 +315,9 @@
+ 
+ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+ 
++manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
++files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
++ 
+ corenet_all_recvfrom_unlabeled(ypxfr_t)
+ corenet_all_recvfrom_netlabel(ypxfr_t)
+ corenet_tcp_sendrecv_generic_if(ypxfr_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if 
serefpolicy-3.6.32/policy/modules/services/nx.if
 --- nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100
@@ -1415,6 +1591,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_use_interactive_fds(plymouth_t)
 files_read_etc_files(plymouth_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
+--- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-01-29 10:12:36.454864455 +0100
+@@ -89,6 +89,10 @@
+ ')
+ ')
+ 
++optional_policy(`
++ gnome_read_config(policykit_t)
++')
++ 
+ ########################################
+ #
+ # polkit_auth local policy
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
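Review bot: `/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)` and the three entries after it leave the dot unescaped, so each matches any regular file whose name merely begins with the daemon name; the ldap.fc hunk in this same patch escapes literal dots (`slapd\.pid`), so `/var/run/ypxfrd\..* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)` (and likewise for ypbind, ypserv and yppass) is the consistent form. Only `ypxfr_var_run_t` is declared here; the entries for ypbind_var_run_t, ypserv_var_run_t and yppasswdd_var_run_t rely on types presumably already present in nis.te — confirm, since an undeclared type in a .fc file fails at policy load. Note also that the ypxfrd entry labels the rpc.ypxfrd pid file with the ypxfr client's type, which is only right if rpc.ypxfrd runs in ypxfr_t; the `files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)` on the .te side makes the same assumption.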
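Review bot: `gnome_read_config(policykit_t)` lets the system polkit daemon read users' GNOME configuration in their home directories (that is what gnome_read_config grants as far as I recall — confirm in gnome.if), which is a root-level daemon reaching into user-owned content; if this only silences an AVC rather than enabling a feature, a dontaudit is the usual refpolicy answer, and if it is needed the block should say why, e.g. `# polkitd reads the user's GNOME settings to locate the auth agent — confirm`. The change is also missing from the changelog entry for this release.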
@@ -1456,6 +1646,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_rw_anon_inodefs_files(prelude_lml_t)
 auth_use_nsswitch(prelude_lml_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if
+--- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-01-18 18:24:22.870539995 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-01-29 10:16:32.195864190 +0100
+@@ -16,7 +16,7 @@
+ ')
+ 
+ corecmd_search_bin($1)
+- domrans_pattern($1,rgmanager_exec_t,rgmanager_t)
++ domtrans_pattern($1,rgmanager_exec_t,rgmanager_t)
+ 
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-18 18:27:02.770531119 +0100
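Review bot: The corrected line keeps the non-standard spacing `domtrans_pattern($1,rgmanager_exec_t,rgmanager_t)`; refpolicy style is `domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)`. The fix itself matters: the misspelled macro would have been passed through by m4 unexpanded and, presumably, rejected by checkpolicy in any module calling this interface — the fact that it survived suggests nothing calls it yet, so the first caller is where a transition into rgmanager_t goes live and is worth a grep before relying on it. The interface's header and gen_require are outside the hunk.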
@@ -2022,17 +2224,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-26 14:27:29.964713815 +0100
-@@ -301,6 +301,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-29 10:03:15.438864683 +0100
+@@ -301,6 +301,9 @@
 manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
 files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 +allow xauth_t xserver_t:unix_stream_socket connectto;
 +
++domain_dontaudit_leaks(xauth_t)
 domain_use_interactive_fds(xauth_t)
 dev_rw_xserver_misc(xauth_t)
-@@ -506,6 +508,7 @@
+@@ -309,7 +312,10 @@
+ files_read_usr_files(xauth_t)
+ files_search_pids(xauth_t)
+ files_dontaudit_getattr_all_dirs(xauth_t)
++files_dontaudit_leaks(xauth_t)
++files_var_lib_filetrans(xauth_t, xauth_home_t, file)
+ 
++fs_dontaudit_leaks(xauth_t)
+ fs_getattr_all_fs(xauth_t)
+ fs_search_auto_mountpoints(xauth_t)
+ 
+@@ -506,6 +512,7 @@
 dev_dontaudit_rw_misc(xdm_t)
 dev_getattr_video_dev(xdm_t)
 dev_setattr_video_dev(xdm_t)
@@ -2040,7 +2254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
 dev_read_sound(xdm_t)
-@@ -668,6 +671,7 @@
+@@ -668,6 +675,7 @@
 optional_policy(`
 gnome_read_gconf_config(xdm_t)
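Review bot: `files_var_lib_filetrans(xauth_t, xauth_home_t, file)` labels any file xauth_t creates directly in a var_lib_t directory as xauth_home_t — regardless of name, since this policy version has no named transitions — putting a home-content type under /var/lib with no comment saying which display-manager setup writes its authority file there. Add a why-comment on that line (e.g. `# the display manager runs xauth with its cookie file directly under /var/lib — confirm which DM and path`) and check that xauth_t is also granted add_name/write on var_lib_t, which nothing in this hunk does. The three `*_dontaudit_leaks(xauth_t)` calls silence read/write AVCs on descriptors of every file type, so a sensitive descriptor leaked into xauth will no longer be logged; that trade-off, and the xauth change as a whole, is absent from the changelog entry.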
@@ -2059,6 +2273,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.32/policy/modules/system/hostname.te
+--- nsaserefpolicy/policy/modules/system/hostname.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/system/hostname.te 2010-01-29 10:03:19.733864870 +0100
+@@ -27,15 +27,18 @@
+ 
+ dev_read_sysfs(hostname_t)
+ 
++domain_dontaudit_leaks(hostname_t)
+ domain_use_interactive_fds(hostname_t)
+ 
+ files_read_etc_files(hostname_t)
++files_dontaudit_leaks(hostname_t)
+ files_dontaudit_search_var(hostname_t)
+ # for when /usr is not mounted:
+ files_dontaudit_search_isid_type_dirs(hostname_t)
+ 
+ fs_getattr_xattr_fs(hostname_t)
+ fs_search_auto_mountpoints(hostname_t)
++fs_dontaudit_leaks(hostname_t)
+ fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
+ 
+ term_dontaudit_use_console(hostname_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b07deaf..d072d79 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 78%{?dist}
+Release: 79%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
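Review bot: `domain_dontaudit_leaks`, `files_dontaudit_leaks` and `fs_dontaudit_leaks` on hostname_t silence read/write denials on every inherited descriptor, from any domain and of every file type; `hostname` is run by init scripts and daemons, exactly where descriptor leaks originate, so after this change those leaks stop appearing in the audit log while remaining unfixed in the callers. If the aim is noise reduction, keep the calls but say so next to them, e.g. `# fds leaked by initrc/daemons invoking hostname; the real fix belongs in the caller`, so the suppression is not read as a grant and the underlying leak is not forgotten. The hostname_t section begins before this hunk; the spec release bump in the same span needs nothing.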
@@ -456,6 +456,11 @@ exit 0
 %endif
 %changelog
+* Fri Jan 29 2010 Miroslav Grepl 3.6.32-79
+- Fix rpm_dontaudit_leaks
+- Fix typo in rgmanager.if
+- Fixes for nis policy
+ 
 * Wed Jan 27 2010 Miroslav Grepl 3.6.32-78
 - Allow to openvpn to read utmp
 - Allow xdm to read the video4linux devices