From ce3d03d0f2f6c47b2322aae6a3aba2cc56f82f17 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jun 18 2009 17:11:19 +0000
Subject: - Allow ftp to create xferlog_t files in an xferlog_t directory
---
diff --git a/policy-20090521.patch b/policy-20090521.patch
index 7953c44..2cebcd0 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -1,3 +1,43 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
+--- nsaserefpolicy/policy/mcs 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/mcs 2009-06-18 13:09:45.000000000 -0400
+@@ -66,7 +66,7 @@
+ #
+ # Note that getattr on files is always permitted.
+ #
+-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
++mlsconstrain { file chr_file blk_file sock_file lnk_file fifo_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
+ 
+ mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
+@@ -111,22 +111,22 @@
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+ 
+ # Access control for any database objects based on MCS rules.
+-mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
++mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
+ ( h1 dom h2 );
+ 
+-mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
++mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
+ ( h1 dom h2 );
+ 
+-mlsconstrain db_column { drop setattr relabelfrom select update insert use }
++mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
+ ( h1 dom h2 );
+ 
+ mlsconstrain db_tuple { relabelfrom select update delete use }
+ ( h1 dom h2 );
+ 
+-mlsconstrain db_procedure { execute install }
++mlsconstrain db_procedure { drop getattr setattr execute install }
+ ( h1 dom h2 );
+ 
+-mlsconstrain db_blob { drop setattr relabelfrom read write }
++mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
+ ( h1 dom h2 );
+ 
+ ') dnl end enable_mcs
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-06-15 08:33:15.000000000 -0400
@@ -564,6 +604,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## Execute automount in the caller domain.
 ##
 ##
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te 2009-06-16 09:05:29.000000000 -0400
+@@ -64,6 +64,7 @@
+ allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow bluetooth_t self:tcp_socket create_stream_socket_perms;
+ allow bluetooth_t self:udp_socket create_socket_perms;
++allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-06-01 06:47:53.000000000 -0400
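Review bot: The widened MCS write constraint in the first hunk (`mlsconstrain { file chr_file blk_file sock_file lnk_file fifo_file } { write setattr ... relabelfrom }` replacing the `file`-only form, plus getattr/lock/import/export added to the db_* constraints) is undocumented: neither the commit message nor the spec changelog mention it, both describing only the ftp xferlog_t change. Because the constraint is `(( h1 dom h2 ) or ( t1 == mlsfilewrite ))`, writes to device, socket, fifo and symlink objects by a subject whose categories do not dominate the object's now fail for those classes as well, which is a behaviour change worth a changelog line such as `- Extend MCS file write constraint to chr/blk/sock/lnk/fifo files and add getattr to db object constraints`. The bluetooth, fprintd, pcscd, ipsec and iscsi hunks further down carry the same omission.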
@@ -703,7 +754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_rw_sysfs(devicekit_power_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-06-04 13:23:04.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-06-17 09:18:27.000000000 -0400
 @@ -22,12 +22,15 @@
 corecmd_search_bin(fprintd_t)
@@ -720,6 +771,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_use_nsswitch(fprintd_t)
 miscfiles_read_localization(fprintd_t)
+@@ -40,9 +43,10 @@
+ ')
+ 
+ optional_policy(`
+- polkit_read_reload(fprintd_t)
+- polkit_read_lib(fprintd_t)
++ polkit_dbus_chat(fprintd_t)
+ polkit_domtrans_auth(fprintd_t)
++ polkit_read_lib(fprintd_t)
++ polkit_read_reload(fprintd_t)
+ ')
+ 
+ permissive fprintd_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-06-16 08:25:50.000000000 -0400
+@@ -129,8 +129,7 @@
+ allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+ 
+ # Create and modify /var/log/xferlog.
+-allow ftpd_t xferlog_t:dir search_dir_perms;
+-allow ftpd_t xferlog_t:file manage_file_perms;
++manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+ logging_log_filetrans(ftpd_t, xferlog_t, file)
+ 
+ kernel_read_kernel_sysctls(ftpd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-05-27 07:02:29.000000000 -0400
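Review bot: The comment above the new `manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)` still reads `# Create and modify /var/log/xferlog.`, but the pattern also grants directory write permissions on xferlog_t directories, which is the point of the commit and goes beyond the `search_dir_perms` the removed line allowed. Update it to `# Create and modify /var/log/xferlog, and files inside xferlog_t directories.` so the directory-write grant is visible where the rule lives. In the fprintd hunk above, `polkit_dbus_chat(fprintd_t)` is added while `permissive fprintd_t;` stays in context, so any denial the new D-Bus access still triggers will only appear in the audit log, not as an enforcement failure, until that line is dropped.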
@@ -796,6 +873,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
+--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 15:54:45.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-16 09:51:56.000000000 -0400
+@@ -28,6 +28,7 @@
+ allow pcscd_t self:tcp_socket create_stream_socket_perms;
+ 
+ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
++manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+@@ -46,6 +47,8 @@
+ files_read_etc_files(pcscd_t)
+ files_read_etc_runtime_files(pcscd_t)
+ 
++kernel_read_system_state(pcscd_t)
++
+ term_use_unallocated_ttys(pcscd_t)
+ term_dontaudit_getattr_pty_dirs(pcscd_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc
 --- nsaserefpolicy/policy/modules/services/polkit.fc 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/polkit.fc 2009-06-15 11:00:10.000000000 -0400
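Review bot: `manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)` is added, but the `files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })` three lines below it is not extended, so a fifo that pcscd creates directly in the pid directory would take the parent directory's type rather than pcscd_var_run_t and the new rule would not cover it. If the fifo is created inside a pcscd_var_run_t directory it inherits that label and this is fine; otherwise add the class, `files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file fifo_file dir })`. The second hunk's `kernel_read_system_state(pcscd_t)` would also benefit from a one-line comment naming what pcscd reads, since nothing nearby explains it.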
@@ -1101,7 +1198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-06-12 11:35:19.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-06-15 16:11:42.000000000 -0400
 @@ -1,5 +1,5 @@
 -policy_module(ipsec, 1.9.0)
@@ -1151,13 +1248,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
-@@ -157,13 +155,13 @@
- # ipsec_mgmt Local policy
+@@ -158,12 +156,12 @@
 #
--allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-+allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search ptrace };
- allow ipsec_mgmt_t self:process { signal setrlimit };
+ allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
+-allow ipsec_mgmt_t self:process { signal setrlimit };
++allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
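Review bot: `allow ipsec_mgmt_t self:process { signal setrlimit ptrace };` puts ptrace in the process class, which is where that permission belongs (the earlier revision had it in the capability set), but the line carries no rationale and a self-ptrace grant is the kind of rule later readers will question. Add a comment above it naming the tool or audit denial that required it, e.g. `# TODO(review): record which ipsec_mgmt helper ptraces its own processes`. The ipsec_mgmt local-policy block continues past the end of this hunk.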
@@ -1224,6 +1320,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te
+--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-06-16 09:44:36.000000000 -0400
+@@ -69,6 +69,7 @@
+ dev_rw_sysfs(iscsid_t)
+ 
+ domain_use_interactive_fds(iscsid_t)
++domain_read_all_domains_state(iscsid_t)
+ 
+ files_read_etc_files(iscsid_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-12 09:03:04.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2ec4a08..62d1859 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 52%{?dist}
+Release: 53%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
 %endif
 %changelog
+* Tue Jun 15 2009 Dan Walsh 3.6.12-53
+- Allow ftp to create xferlog_t files in an xferlog_t directory
+
 * Mon Jun 15 2009 Dan Walsh 3.6.12-52
 - Allow kpropd to create krb5_lock_t files in krb5_conf_t directory
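Review bot: `domain_read_all_domains_state(iscsid_t)` grants read access to the process state of every domain on the system, which is much wider than the neighbouring `domain_use_interactive_fds(iscsid_t)` and is not explained by any comment. If iscsid only needs kernel or own-process information, `kernel_read_system_state(iscsid_t)` (the interface this commit uses for pcscd) may be sufficient; I cannot tell from the hunk which /proc entries triggered it. Either way, a comment naming the motivating denial, e.g. `# TODO(review): record which /proc entries iscsid reads before keeping the all-domains grant`, would let the next maintainer narrow it.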