From a80e7ac6a3d3313a34ddef19f49a28841e6f4de1 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 23 2008 15:14:53 +0000 Subject: - Fix transition to nsplugin --- diff --git a/policy-20080710.patch b/policy-20080710.patch index d3c60f5..34cabdb 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -564,7 +564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(kismet_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.8/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-09-03 10:17:00.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/admin/logrotate.te 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/admin/logrotate.te 2008-09-23 08:33:35.000000000 -0400 @@ -97,6 +97,7 @@ files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) @@ -573,6 +573,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Write to /var/spool/slrnpull - should be moved into its own type. files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) +@@ -167,7 +168,7 @@ + ') + + optional_policy(` +- mailman_exec(logrotate_t) ++ mailman_domtrans(logrotate_t) + mailman_search_data(logrotate_t) + mailman_manage_log(logrotate_t) + ') @@ -189,6 +190,5 @@ ') @@ -615,7 +624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.8/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/admin/mrtg.te 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/admin/mrtg.te 2008-09-23 10:04:14.000000000 -0400 @@ -78,6 +78,7 @@ dev_read_urand(mrtg_t) 
@@ -624,7 +633,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_usr_files(mrtg_t) files_search_var(mrtg_t) -@@ -101,6 +102,8 @@ +@@ -92,6 +93,7 @@ + + fs_search_auto_mountpoints(mrtg_t) + fs_getattr_xattr_fs(mrtg_t) ++fs_list_inotifyfs(mrtg_t) + + term_dontaudit_use_console(mrtg_t) + +@@ -101,6 +103,8 @@ init_read_utmp(mrtg_t) init_dontaudit_write_utmp(mrtg_t) @@ -633,7 +650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_read_lib_files(mrtg_t) libs_use_ld_so(mrtg_t) libs_use_shared_libs(mrtg_t) -@@ -111,12 +114,10 @@ +@@ -111,12 +115,10 @@ selinux_dontaudit_getattr_dir(mrtg_t) @@ -647,7 +664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` corenet_udp_sendrecv_lo_if(mrtg_t) -@@ -140,14 +141,6 @@ +@@ -140,14 +142,6 @@ ') optional_policy(` @@ -662,7 +679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(mrtg_t) ') -@@ -162,10 +155,3 @@ +@@ -162,10 +156,3 @@ optional_policy(` udev_read_db(mrtg_t) ') @@ -5119,7 +5136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.8/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/apps/podsleuth.te 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/apps/podsleuth.te 2008-09-22 16:03:15.000000000 -0400 @@ -11,24 +11,55 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; 
@@ -5136,7 +5153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # - -allow podsleuth_t self:process { signal getsched execheap execmem }; -+allow podsleuth_t self:capability sys_admin; ++allow podsleuth_t self:capability { sys_admin sys_rawio }; +allow podsleuth_t self:process { ptrace signal getsched execheap execmem }; allow podsleuth_t self:fifo_file rw_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; @@ -18214,7 +18231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.8/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/mailman.if 2008-09-19 10:41:48.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/services/mailman.if 2008-09-23 08:33:22.000000000 -0400 @@ -31,6 +31,12 @@ allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms; @@ -21197,7 +21214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/postfix.te 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/services/postfix.te 2008-09-23 09:58:09.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # 
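Review bot: The changed line `allow podsleuth_t self:capability { sys_admin sys_rawio };` grants CAP_SYS_RAWIO to podsleuth_t, and the same hunk adds `ptrace` to its `self:process` rule, without a comment recording which operation or denial requires them; the commit subject ("Fix transition to nsplugin") does not cover this hunk either. CAP_SYS_RAWIO allows raw block-device access, which can sidestep most of the file-level confinement the rest of this domain's rules provide, so the rule deserves a justification next to it, e.g. `# podsleuth needs sys_rawio for <operation taken from the AVC that motivated this — fill in>`. If the change is only meant to silence a denial that podsleuth tolerates, a `dontaudit` rule would be the narrower fix.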
@@ -21311,7 +21328,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for postalias mailman_manage_data_files(postfix_master_t) ') -@@ -255,6 +275,10 @@ +@@ -196,6 +216,10 @@ + ') + + optional_policy(` ++ postgrey_search_spool(postfix_master_t) ++') ++ ++optional_policy(` + sendmail_signal(postfix_master_t) + ') + +@@ -255,6 +279,10 @@ corecmd_exec_bin(postfix_cleanup_t) @@ -21322,7 +21350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix local local policy -@@ -280,18 +304,25 @@ +@@ -280,18 +308,25 @@ files_read_etc_files(postfix_local_t) @@ -21348,7 +21376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -302,8 +333,7 @@ +@@ -302,8 +337,7 @@ # # Postfix map local policy # @@ -21358,7 +21386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -353,8 +383,6 @@ +@@ -353,8 +387,6 @@ miscfiles_read_localization(postfix_map_t) @@ -21367,7 +21395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -367,6 +395,11 @@ +@@ -367,6 +399,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -21379,7 +21407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix pickup local policy -@@ -391,6 +424,7 @@ +@@ -391,6 +428,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; 
@@ -21387,7 +21415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -398,6 +432,12 @@ +@@ -398,6 +436,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -21400,7 +21428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -407,6 +447,14 @@ +@@ -407,6 +451,14 @@ ') optional_policy(` @@ -21415,7 +21443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -443,8 +491,11 @@ +@@ -443,8 +495,11 @@ ') optional_policy(` @@ -21429,7 +21457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -470,6 +521,15 @@ +@@ -470,6 +525,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -21445,7 +21473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -553,6 +613,10 @@ +@@ -553,6 +617,10 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -21456,7 +21484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -579,7 +643,7 @@ +@@ -579,7 +647,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process 
@@ -21710,8 +21738,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.8/policy/modules/services/postgrey.if --- nsaserefpolicy/policy/modules/services/postgrey.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/postgrey.if 2008-09-19 10:23:31.000000000 -0400 -@@ -12,10 +12,80 @@ ++++ serefpolicy-3.5.8/policy/modules/services/postgrey.if 2008-09-23 09:13:18.000000000 -0400 +@@ -12,10 +12,98 @@ # interface(`postgrey_stream_connect',` gen_require(` @@ -21728,6 +21756,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Search the spool directory ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`postgrey_search_spool',` ++ gen_require(` ++ type postgrey_spool_t; ++ ') ++ ++ allow $1 postgrey_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## +## Execute postgrey server in the postgrey domain. +## +## @@ -21796,7 +21842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.8/policy/modules/services/postgrey.te --- nsaserefpolicy/policy/modules/services/postgrey.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/postgrey.te 2008-09-17 08:49:08.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/services/postgrey.te 2008-09-23 09:17:06.000000000 -0400 @@ -13,26 +13,38 @@ type postgrey_etc_t; files_config_file(postgrey_etc_t) 
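Review bot: The new `postgrey_search_spool` interface describes itself only as `Search the spool directory`, which does not say whose spool; the neighbouring interface in the same hunk names the service (`Execute postgrey server in the postgrey domain.`). Suggest `## Search the postgrey spool directory.` so a reader of the generated interface documentation knows which type is granted. The rule itself, `allow $1 postgrey_spool_t:dir search_dir_perms;`, is the minimal permission for the `postgrey_search_spool(postfix_master_t)` caller added earlier in this patch.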
@@ -30951,7 +30997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-09-03 10:17:00.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/system/logging.te 2008-09-17 08:49:09.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/system/logging.te 2008-09-23 08:51:04.000000000 -0400 @@ -72,6 +72,12 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) @@ -30992,7 +31038,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app corecmd_exec_bin(auditd_t) -@@ -241,6 +257,7 @@ +@@ -230,6 +246,8 @@ + + miscfiles_read_localization(audisp_t) + ++sysnet_dns_name_resolve(audisp_t) ++ + ######################################## + # + # Audit remote logger local policy +@@ -241,6 +259,7 @@ corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_all_if(audisp_remote_t) corenet_tcp_sendrecv_all_nodes(audisp_remote_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index c14f3cc..5710f44 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -130,6 +130,7 @@ echo -n > %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ %dir %{_sysconfdir}/selinux/%1/contexts/users \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u 
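Review bot: `sysnet_dns_name_resolve(audisp_t)` is added to the audit dispatcher domain itself with no comment saying which consumer needs name resolution; the remote-logging plugin has its own domain, audisp_remote_t, whose corenet rules appear as context in the following hunk, so the patch does not show why the dispatcher rather than the plugin needs DNS. If audispd itself (or a plugin that runs inside it) resolves host names, record that above the rule, e.g. `# audispd resolves host names for <plugin/config option — fill in>`; otherwise the rule could be narrowed to audisp_remote_t. I cannot tell from the patch which of the two applies.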
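Review bot: The added `%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \` line goes into the per-policy-type file list macro, so every policy type packaged through that macro now requires that file; the matching removal from `%files targeted` is in the next hunk. Unless the build produces contexts/users/xguest_u for each policy type (the patch does not show that), rpmbuild fails for the types that lack it. If only some types ship an xguest user, keep the entry specific to those types.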
@@ -317,7 +318,6 @@ exit 0 %files targeted %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u -%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/xguest_u %fileList targeted %endif