From b42a1eddf9c65fcf53bd640ce60cd83f44c6f887 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 03 2008 15:07:40 +0000 Subject: - Allow domains to search other domains keys, coverup kernel bug --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 5c399c1..43a1192 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -6691,7 +6691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.9/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/kernel/devices.if 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/kernel/devices.if 2008-10-01 16:12:47.000000000 -0400 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) 
@@ -8448,6 +8448,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.9/policy/modules/kernel/terminal.if +--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-07 11:15:01.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/kernel/terminal.if 2008-10-02 09:16:08.000000000 -0400 +@@ -250,9 +250,11 @@ + interface(`term_dontaudit_use_console',` + gen_require(` + type console_device_t; ++ type tty_device_t; + ') + + dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.9/policy/modules/roles/guest.fc --- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.9/policy/modules/roles/guest.fc 2008-09-25 08:33:18.000000000 -0400 
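Review bot: The added `dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;` turns term_dontaudit_use_console into an interface that also silences denials on every tty device, so callers such as ndc_t (bind.te hunk) and ifconfig_t (sysnetwork.te hunk) that genuinely need a tty will no longer surface an AVC to diagnose. If this tree still has the refpolicy interface `term_dontaudit_use_generic_ttys`, the callers should use it alongside the unchanged console interface instead of widening this one. Failing that, record the widening in the interface summary above the hunk, e.g. `## Do not audit attempts to read from or write to the console or to tty devices.` The interface's documentation block lies outside the hunk.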
@@ -12154,6 +12169,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, named_var_run_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.9/policy/modules/services/bind.te +--- nsaserefpolicy/policy/modules/services/bind.te 2008-09-24 09:07:28.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/bind.te 2008-10-02 09:17:54.000000000 -0400 +@@ -249,6 +249,8 @@ + sysnet_read_config(ndc_t) + sysnet_dns_name_resolve(ndc_t) + ++term_dontaudit_use_console(ndc_t) ++ + # for /etc/rndc.key + ifdef(`distro_redhat',` + allow ndc_t named_conf_t:dir search; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.5.9/policy/modules/services/bitlbee.fc --- nsaserefpolicy/policy/modules/services/bitlbee.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.9/policy/modules/services/bitlbee.fc 2008-09-25 08:33:18.000000000 -0400 @@ -21324,7 +21351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.9/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/prelude.te 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/prelude.te 2008-10-02 09:12:58.000000000 -0400 @@ -13,18 +13,50 @@ type prelude_spool_t; files_type(prelude_spool_t) @@ -21418,7 +21445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) -@@ -117,15 +161,129 @@ +@@ -117,15 +161,134 @@ # Init script handling domain_use_interactive_fds(prelude_audisp_t) 
@@ -21445,6 +21472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; +allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; + ++allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; +read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) + +prelude_manage_spool(prelude_correlator_t) @@ -21464,6 +21492,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_usr_files(prelude_correlator_t) +files_search_spool(prelude_correlator_t) + ++kernel_read_sysctl(prelude_correlator_t) ++ +libs_use_ld_so(prelude_correlator_t) +libs_use_shared_libs(prelude_correlator_t) + @@ -21504,7 +21534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) +files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) + -+corecmd_search_bin(prelude_lml_t) ++corecmd_exec_bin(prelude_lml_t) + +corenet_tcp_sendrecv_generic_if(prelude_lml_t) +corenet_tcp_sendrecv_all_nodes(prelude_lml_t) @@ -21526,6 +21556,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +fs_list_inotifyfs(prelude_lml_t) + ++kernel_read_sysctl(prelude_lml_t) ++ +auth_use_nsswitch(prelude_lml_t) + +libs_use_ld_so(prelude_lml_t) @@ -21548,7 +21580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # prewikka_cgi Declarations -@@ -134,6 +292,17 @@ +@@ -134,6 +297,17 @@ optional_policy(` apache_content_template(prewikka) files_read_etc_files(httpd_prewikka_script_t) 
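Review bot: The new raw rule `allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;` sits directly above a `read_files_pattern(...)` call, so the two access grants to the same type are written in two different styles. If the pattern macro is available in this tree, `list_dirs_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)` would express the same grant consistently with the surrounding lines.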
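Review bot: Replacing `corecmd_search_bin(prelude_lml_t)` with `corecmd_exec_bin(prelude_lml_t)` lets prelude_lml_t execute any bin_t program in its own domain, a noticeable widening for a log-monitoring daemon that neither the hunk nor the commit message explains. If a specific helper is required, name it in a comment so the grant can later be narrowed, e.g. `# prelude-lml executes <HELPER-PROGRAM-PLACEHOLDER> from bin_t`; otherwise a dedicated exec type with a domain transition would keep the daemon at least privilege.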
@@ -28122,6 +28154,109 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(zebra_t) kernel_rw_net_sysctls(zebra_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.5.9/policy/modules/services/zosremote.fc +--- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.9/policy/modules/services/zosremote.fc 2008-10-02 09:31:06.000000000 -0400 +@@ -0,0 +1,2 @@ ++ ++/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.5.9/policy/modules/services/zosremote.if +--- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.9/policy/modules/services/zosremote.if 2008-10-02 09:36:13.000000000 -0400 +@@ -0,0 +1,52 @@ ++## policy for z/OS Remote-services Audit dispatcher plugin ++ ++######################################## ++## ++## Execute a domain transition to run audispd-zos-remote. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`zos_remote_domtrans',` ++ gen_require(` ++ type zos_remote_t; ++ type zos_remote_exec_t; ++ ') ++ ++ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t); ++') ++ ++######################################## ++## ++## Allow specified type and role to transition and ++## run in the zos_remote_t domain. Allow specified type ++## to use zos_remote_t terminal. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the zos_remote domain. ++## ++## ++## ++## ++## The type of the role's terminal. 
++## ++## ++# ++interface(`zos_remote_run',` ++ gen_require(` ++ type zos_remote_t; ++ ') ++ ++ zos_remote_domtrans($1) ++ role $2 types zos_remote_t; ++ dontaudit zos_remote_t $3:chr_file rw_term_perms; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.5.9/policy/modules/services/zosremote.te +--- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.9/policy/modules/services/zosremote.te 2008-10-02 09:57:33.000000000 -0400 +@@ -0,0 +1,37 @@ ++policy_module(zosremote,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type zos_remote_t; ++type zos_remote_exec_t; ++logging_dispater_domain(zos_remote_t, zos_remote_exec_t) ++ ++## use below for RHEL5 series: ++init_system_domain(zos_remote_t, zos_remote_exec_t) ++ ++role system_r types zos_remote_t; ++ ++ ++######################################## ++# ++# zos_remote local policy ++# ++ ++allow zos_remote_t self:fifo_file rw_file_perms; ++allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow zos_remote_t self:process signal; ++ ++files_read_etc_files(zos_remote_t) ++ ++auth_use_nsswitch(zos_remote_t); ++ ++libs_use_ld_so(zos_remote_t) ++libs_use_shared_libs(zos_remote_t) ++ ++miscfiles_read_localization(zos_remote_t) ++ ++logging_send_syslog_msg(zos_remote_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.9/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.5.9/policy/modules/system/application.te 2008-09-25 08:33:18.000000000 -0400 
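Review bot: `logging_dispater_domain(zos_remote_t, zos_remote_exec_t)` in the new zosremote.te looks misspelled — the refpolicy interface is `logging_dispatcher_domain` — and unless logging.if in this tree defines the interface under that spelling, the module will not build. The trailing semicolon in `auth_use_nsswitch(zos_remote_t);` differs from every other interface call in the file and leaves a stray `;` in the expanded policy; write it as `auth_use_nsswitch(zos_remote_t)`. The `## use below for RHEL5 series:` comment reads like a conditional, yet `init_system_domain` is applied unconditionally, and `##` is the documentation marker; replace it with a plain comment that states the intent, e.g. `# init_system_domain also applied here for RHEL5 builds: <REASON-PLACEHOLDER>`. The following `role system_r types zos_remote_t;` may be redundant if init_system_domain in this tree already assigns system_r.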
@@ -28800,7 +28935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.9/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/init.te 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/system/init.te 2008-10-02 09:08:34.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -28990,7 +29125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol squid_manage_logs(initrc_t) ') -+ifndef(`targeted_policy',` ++ifdef(`enabled_mls',` optional_policy(` # allow init scripts to su su_restricted_domain_template(initrc,initrc_t,system_r) @@ -30962,7 +31097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.9/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-10-01 08:16:34.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-10-02 09:17:09.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -31102,12 +31237,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_rw_tun_tap_dev(ifconfig_t) -@@ -279,8 +291,12 @@ +@@ -279,8 +291,13 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) +selinux_dontaudit_getattr_fs(ifconfig_t) + ++term_dontaudit_use_console(ifconfig_t) term_dontaudit_use_all_user_ttys(ifconfig_t) term_dontaudit_use_all_user_ptys(ifconfig_t) +term_dontaudit_use_ptmx(ifconfig_t) 
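Review bot: Changing `ifndef(`targeted_policy',`` to `ifdef(`enabled_mls',`` in init.te narrows the su_restricted_domain_template(initrc,initrc_t,system_r) block from every non-targeted build to MLS builds only, a semantic change that neither the commit subject nor the spec changelog mentions. A comment above the condition should record why, e.g. `# initrc may run su only on MLS builds: <REASON-PLACEHOLDER>`. The ifdef block continues past the end of the hunk.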
@@ -31115,7 +31251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(ifconfig_t) -@@ -336,6 +352,14 @@ +@@ -336,6 +353,14 @@ ') optional_policy(` @@ -31972,7 +32108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.9/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if 2008-09-29 10:56:25.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/system/userdomain.if 2008-10-01 16:13:30.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -32543,7 +32679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # GNOME checks for usb and other devices: - dev_rw_usbfs($1_t) + dev_rw_usbfs($1_usertype) -+ dev_read_generic_usb_dev($1_usertype) ++ dev_rw_generic_usb_dev($1_usertype) - xserver_user_client_template($1,$1_t,$1_tmpfs_t) - xserver_xsession_entry_type($1_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6c6dbda..f87d684 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.9 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -390,6 +390,9 @@ exit 0 %endif %changelog +* Wed Oct 1 2008 Dan Walsh 3.5.9-5 +- Allow domains to search other domains keys, coverup kernel bug + * Wed Oct 1 2008 Dan Walsh 3.5.9-4 - Fix labeling for oracle
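Review bot: `dev_rw_generic_usb_dev($1_usertype)` in the userdomain.if hunk grants every domain built from the user template write access to generic USB device nodes, where the replaced `dev_read_generic_usb_dev($1_usertype)` was read-only, and the hunk gives no reason for the widening. The comment above it, `# GNOME checks for usb and other devices:`, justifies reading rather than writing, so either extend it to name what writes, e.g. `# <PROGRAM-PLACEHOLDER> also writes to USB device nodes`, or gate the write grant behind a gen_tunable so confined users do not receive it by default. The enclosing template body lies outside the hunk.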