From d770c53fe9169e467a10d02bd4dfdca1643e64ba Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 25 2007 15:03:25 +0000 Subject: - Allow login programs to set ioctl on /proc --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 6772415..0f5e2fa 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -3112,8 +3112,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-09-17 16:20:18.000000000 -0400 -@@ -1867,6 +1867,27 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-09-25 11:01:00.000000000 -0400 +@@ -352,6 +352,24 @@ + + ######################################## + ## ++## dontaudit search the kernel key ring. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_dontaudit_search_key',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ dontaudit $1 kernel_t:key search; ++') ++ ++######################################## ++## + ## Allow link to the kernel key ring. + ## + ## +@@ -1867,6 +1885,27 @@ ######################################## ## @@ -6440,7 +6465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-25 10:30:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-25 11:00:13.000000000 -0400 
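Review bot: The summary on the new `kernel_dontaudit_search_key` interface, `dontaudit search the kernel key ring.`, does not follow the refpolicy wording used for dontaudit interfaces (`Do not audit attempts to ...`), and it also reads oddly next to the sibling summary `Allow link to the kernel key ring.` in the same hunk; suggest `## Do not audit attempts to search the kernel key ring.`. The body itself is minimal and correct for what it claims: `gen_require` pulls in `kernel_t` and the single rule is `dontaudit $1 kernel_t:key search;`. Because a dontaudit hides real denials if a caller later does need the kernel keyring, the summary would be more useful if it said which domains are expected to probe the keyring and why the denial is harmless, if that is known. No caller of this interface appears in the visible hunks, so the domain it is intended for is outside this view.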
@@ -42,6 +42,10 @@ dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; @@ -6452,7 +6477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; -@@ -172,3 +176,26 @@ +@@ -172,3 +176,47 @@ allow $1 krb5kdc_conf_t:file read_file_perms; ') @@ -6479,6 +6504,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + seutil_read_file_contexts($1) + allow $1 krb5_host_rcache_t:file manage_file_perms; +') ++ ++######################################## ++## ++## Connect to krb524 service ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kerberos_524_connect',` ++ tunable_policy(`allow_kerberos',` ++ allow $1 self:udp_socket create_socket_perms; ++ corenet_non_ipsec_sendrecv($1) ++ corenet_udp_sendrecv_all_if($1) ++ corenet_udp_sendrecv_all_nodes($1) ++ corenet_udp_sendrecv_kerberos_master_port($1) ++ corenet_udp_bind_all_nodes($1) ++ ') ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.8/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/kerberos.te 2007-09-17 16:20:18.000000000 -0400 @@ -10456,7 +10502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-25 10:32:38.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-25 10:59:20.000000000 -0400 
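Review bot: `kerberos_524_connect` is summarized as `Connect to krb524 service`, but what it grants is broader than a connect and names no krb524-specific port: `self:udp_socket create_socket_perms`, UDP send/receive on all interfaces and all nodes, `corenet_udp_bind_all_nodes`, and send/receive on `kerberos_master_port`. If the krb524 port (4444/udp) is labeled `kerberos_master_port_t` in this policy's corenetwork, as I believe refpolicy does but cannot confirm from this hunk, the summary should say so, since a reader otherwise sees the master port granted for no stated reason; suggest `## Send and receive UDP traffic to the kerberos master port (which carries krb524) when allow_kerberos is enabled.`. The `corenet_udp_bind_all_nodes` line presumably covers the implicit bind of an unbound client socket on send; a short comment saying that would stop it looking like a server permission. The whole body sits under `tunable_policy(`allow_kerberos', ...)`, matching the gating of `kerberos_use` earlier in the file, so the boolean handling is consistent.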
@@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -13900,7 +13946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-21 19:20:56.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-25 10:59:50.000000000 -0400 @@ -29,8 +29,9 @@ ') @@ -14494,7 +14540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -954,21 +882,164 @@ +@@ -954,21 +882,165 @@ ## ## # @@ -14617,6 +14663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + kerberos_use($1_usertype) ++ kerberos_524_connect($1_usertype) + ') + + optional_policy(` @@ -14665,7 +14712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -977,23 +1048,51 @@ +@@ -977,23 +1049,51 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -14728,7 +14775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1029,15 +1128,7 @@ +@@ -1029,15 +1129,7 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) 
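Review bot: The new `kerberos_524_connect($1_usertype)` call gives every domain carrying the `$1_usertype` attribute UDP access to the kerberos master port (gated by `allow_kerberos` inside the interface), and nothing in the hunk says why user domains need krb524 rather than only the kerberos ports already granted by the adjacent `kerberos_use($1_usertype)`; a one-line comment such as `# krb524 (v5-to-v4 ticket conversion) for kerberized user programs` would make the intent recoverable, wording to be confirmed by the author. The enclosing template (the `@@ -954` hunk) starts and ends outside this view and most of this file's other hunks are only renumbered headers, so I cannot see the rest of the body. Separately, the commit subject and the spec changelog entry say `Allow login programs to set ioctl on /proc`, yet none of the visible hunks adds an ioctl rule on /proc; the visible changes are the kernel keyring dontaudit and the krb524 access, so either the changelog is incomplete or the ioctl change is in a part of the patch not shown here and should be mentioned alongside.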
@@ -14745,7 +14792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -1054,17 +1145,6 @@ +@@ -1054,17 +1146,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -14763,7 +14810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1182,8 @@ +@@ -1102,6 +1183,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -14772,7 +14819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1209,7 @@ +@@ -1127,7 +1210,7 @@ # $1_t local policy # @@ -14781,7 +14828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1221,11 @@ +@@ -1139,7 +1222,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -14794,7 +14841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1642,9 +1728,11 @@ +@@ -1642,9 +1729,11 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -14806,7 +14853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_type($2) ') -@@ -1894,10 +1982,46 @@ +@@ -1894,10 +1983,46 @@ template(`userdom_manage_user_home_content_dirs',` gen_require(` type $1_home_dir_t, $1_home_t; @@ -14854,7 +14901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3078,7 +3202,7 @@ +@@ -3078,7 +3203,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` 
@@ -14863,7 +14910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4615,6 +4739,24 @@ +@@ -4615,6 +4740,24 @@ files_list_home($1) allow $1 home_dir_type:dir search_dir_perms; ') @@ -14888,7 +14935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -4633,6 +4775,14 @@ +@@ -4633,6 +4776,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -14903,7 +14950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5473,7 @@ +@@ -5323,7 +5474,7 @@ attribute user_tmpfile; ') @@ -14912,7 +14959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5559,3 +5709,376 @@ +@@ -5559,3 +5710,376 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 08c16b7..76e82d3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -365,6 +365,9 @@ exit 0 %endif %changelog +* Tue Sep 24 2007 Dan Walsh 3.0.8-13 +- Allow login programs to set ioctl on /proc + * Mon Sep 24 2007 Dan Walsh 3.0.8-12 - Allow nsswitch apps to read samba_var_t