From b4e933120a9475517d94ca2af502b1ffaf2d5a1d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@fedoraproject.org>
Date: Apr 24 2008 21:08:32 +0000
Subject: - Don't run crontab from unconfined_t


---

diff --git a/policy-20071130.patch b/policy-20071130.patch
index 959c394..47d05fd 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -31339,7 +31339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-21 11:02:50.559558000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-24 16:57:46.339086000 -0400
 @@ -6,35 +6,67 @@
  # Declarations
  #
@@ -31412,7 +31412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  
  libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,23 +74,36 @@
+@@ -42,37 +74,44 @@
  logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -31439,38 +31439,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +	tunable_policy(`allow_unconfined_nsplugin_transition', `
 +		nsplugin_use(unconfined, unconfined_t)
 +	')
-+')
-+
-+optional_policy(`
-+	ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
- 	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 -	apache_per_role_template(unconfined, unconfined_t, unconfined_r)
 -	# this is disallowed usage:
 -	unconfined_domain(httpd_unconfined_script_t)
++	ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
-@@ -69,11 +114,11 @@
- 	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
--optional_policy(`
+ optional_policy(`
+-	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
+ 
+ optional_policy(`
 -	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
 -	# this is disallowed usage:
 -	unconfined_domain(unconfined_crond_t)
--')
-+#optional_policy(`
-+#	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
-+#	unconfined_domain(unconfined_crontab_t)
-+#	role system_r types unconfined_crontab_t;
-+#')
++	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
  
  optional_policy(`
- 	init_dbus_chat_script(unconfined_t)
-@@ -101,12 +146,24 @@
+@@ -101,12 +140,24 @@
  	')
  
  	optional_policy(`
@@ -31495,7 +31492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  optional_policy(`
-@@ -118,11 +175,7 @@
+@@ -118,11 +169,7 @@
  ')
  
  optional_policy(`
@@ -31508,7 +31505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  optional_policy(`
-@@ -134,82 +187,92 @@
+@@ -134,82 +181,97 @@
  ')
  
  optional_policy(`
@@ -31550,6 +31547,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
 +	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
++	# this is disallowed usage:
++	unconfined_domain(unconfined_crond_t)
++	unconfined_domain(unconfined_crontab_t)
++	role system_r types unconfined_crontab_t;
++	rpm_transition_script(unconfined_crond_t)
  ')
  
 -
@@ -31626,7 +31628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  ########################################
-@@ -219,14 +282,35 @@
+@@ -219,14 +281,35 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6231f1c..ed2863c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 40%{?dist}
+Release: 41%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -385,7 +385,7 @@ exit 0
 %endif
 
 %changelog
-* Thu Apr 24 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-40 
+* Thu Apr 24 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-41
 - Don't run crontab from unconfined_t
 
 * Wed Apr 23 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-39