From e2f53dfaecff342b4c5641dcec536c8c04cae87c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 23 2009 13:02:27 +0000 Subject: - Cleanups from dgrift --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 35c7ddb..c26afeb 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -2019,7 +2019,7 @@ cgroup = module # Layer: services # Module: denyhosts # -# script to help thwart ssh server attacks +# script to help thwart ssh server attacks # denyhosts = module diff --git a/modules-targeted.conf b/modules-targeted.conf index 35c7ddb..c26afeb 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2019,7 +2019,7 @@ cgroup = module # Layer: services # Module: denyhosts # -# script to help thwart ssh server attacks +# script to help thwart ssh server attacks # denyhosts = module diff --git a/policy-F13.patch b/policy-F13.patch index ae68730..2f48355 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -6274,7 +6274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.5/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2009-12-23 07:50:49.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations 
@@ -6969,7 +6969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-22 10:30:40.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-23 07:46:46.000000000 -0500
@@ -906,7 +906,7 @@
type cifs_t;
')
@@ -7014,33 +7014,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#########################################
##
## Read named sockets on a NFS filesystem.
-@@ -4181,3 +4200,216 @@
+@@ -4181,3 +4200,175 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
+
+########################################
+##
-+## Search dirs on cgroup
-+## file systems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_search_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+
-+ ')
-+
-+ allow $1 cgroup_t:dir search;
-+')
-+
-+########################################
-+##
+## list dirs on cgroup
+## file systems.
+##
@@ -7080,25 +7060,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
+########################################
+##
-+## create dirs on cgroup
-+## file systems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_create_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ create_dirs_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+##
+## Manage dirs on cgroup file systems.
+##
+##
@@ -7207,7 +7168,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + ') + + setattr_files_pattern($1, cgroup_t, cgroup_t) -+ fs_search_cgroup_dirs($1) +') + +######################################## @@ -7228,7 +7188,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + ') + + write_files_pattern($1, cgroup_t, cgroup_t) -+ fs_search_cgroup_dirs($1) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.5/policy/modules/kernel/filesystem.te @@ -9716,7 +9675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.5/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-22 08:42:16.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-23 07:13:38.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -9764,7 +9723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,18 +90,34 @@ +@@ -75,18 +90,35 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -9795,11 +9754,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt fs_getattr_all_fs(abrt_t) fs_getattr_all_dirs(abrt_t) +fs_read_fusefs_files(abrt_t) ++fs_read_nfs_files(abrt_t) +fs_search_all(abrt_t) sysnet_read_config(abrt_t) -@@ -96,22 +127,92 @@ +@@ -96,22 +128,92 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) 
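Review bot: `fs_read_nfs_files(abrt_t)` in the -9795 hunk grants abrt_t read access to every nfs_t file with no tunable guard, and the neighbouring `fs_read_fusefs_files(abrt_t)` has the same shape. If the motivation is crash data living under NFS- or FUSE-mounted home directories, the refpolicy convention is to wrap the grant as `tunable_policy(`use_nfs_home_dirs', ` fs_read_nfs_files(abrt_t) ')` and likewise `use_fusefs_home_dirs` for the fusefs line, so an administrator can keep the access off by default. If abrt genuinely needs unconditional access to network filesystems, a one-line comment above the pair stating why would save the next reviewer the same question. The abrt_t rule block continues on both sides of this hunk.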
@@ -14634,8 +14594,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.5/policy/modules/services/denyhosts.if --- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if 2009-12-22 17:05:58.000000000 -0500 -@@ -0,0 +1,91 @@ ++++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if 2009-12-23 07:48:54.000000000 -0500 +@@ -0,0 +1,90 @@ +## Deny Hosts. +## +##

@@ -14666,7 +14626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny + +######################################## +##

-+## Execute ksmtuned server in the ksmtuned domain. ++## Execute denyhost server in the denyhost domain. +## +## +## @@ -14708,8 +14668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny + allow $1 denyhosts_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, denyhosts_t, denyhosts_t) + -+ files_list_pids($1) -+ admin_pattern($1, denyhosts_var_run_t) ++ admin_pattern($1, denyhosts_var_lib_t) + + logging_search_logs($1) + admin_pattern($1, denyhosts_var_log_t) @@ -14729,8 +14688,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.5/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te 2009-12-22 10:34:58.000000000 -0500 -@@ -0,0 +1,71 @@ ++++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te 2009-12-23 07:47:53.000000000 -0500 +@@ -0,0 +1,72 @@ + +policy_module(denyhosts, 1.0.0) + @@ -14798,6 +14757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +miscfiles_read_localization(denyhosts_t) + +sysnet_manage_config(denyhosts_t) ++sysnet_etc_filetrans_config(denyhosts_t) + +optional_policy(` + cron_system_entry(denyhosts_t, denyhosts_exec_t) @@ -16182,13 +16142,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc --- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc 2009-12-23 07:41:58.000000000 -0500 
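Review bot: The corrected summary in the -14666 hunk reads `Execute denyhost server in the denyhost domain.` while the module, its types and its interfaces all spell the name `denyhosts` (denyhosts_t, denyhosts_exec_t), so the fix trades one mismatch for another. The line should read `## Execute denyhosts server in the denyhosts domain.` to match the identifiers the interface actually uses. The interface this summary documents begins after the end of the hunk.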
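Review bot: In the -14708 hunk `admin_pattern($1, denyhosts_var_lib_t)` replaces the pid-file pair but inherits no search rule: the removed pair carried `files_list_pids($1)` and the log pair two lines below still carries `logging_search_logs($1)`, whereas nothing here lets the admin domain traverse /var/lib to reach the directory it may now manage. Adding `files_search_var_lib($1)` on the line before the new admin_pattern keeps the admin interface self-contained, as the other pairs are. Whether denyhosts_var_run_t still exists in denyhosts.te is not visible on this page; if it does, dropping its admin_pattern leaves the pid file outside the admin role's reach.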
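Review bot: `sysnet_etc_filetrans_config(denyhosts_t)` in the -14798 hunk, combined with the existing `sysnet_manage_config(denyhosts_t)` on the line above, lets denyhosts_t create new net_conf_t files anywhere under /etc, a type shared with the resolver and hosts configuration, so the grant reaches well beyond the one file denyhosts maintains. A comment naming that file and why a type transition (rather than in-place rewriting) is needed would document the scope, e.g. `# denyhosts recreates /etc/hosts.deny (net_conf_t); filetrans needed for the new file` — presumably hosts.deny, confirm against the denyhosts source. The denyhosts_t rule block continues beyond the hunk on both sides.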
@@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + +/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) + -+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) ++/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.5/policy/modules/services/ksmtuned.if --- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.if 2009-12-21 13:07:09.000000000 -0500 @@ -28985,7 +28945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. +permissive kdump_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-22 08:51:29.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-23 07:33:05.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -29201,7 +29161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -307,10 +316,111 @@ +@@ -307,10 +316,114 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) 
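Review bot: The relabel from ntpd_var_run_t to ksmtuned_var_run_t in the -16182 hunk fixes an obvious copy-paste, but the pattern `/var/run/ksmtune\.pid` still drops the trailing `d` of the daemon name; if the init script actually writes /var/run/ksmtuned.pid this entry never matches and the pid file is left as plain var_run_t, which the new ksmtuned_t rules presumably would not cover. Confirm the pid path against the ksmtuned script before this ships. If ksmtune.pid is indeed what the script writes, a one-line comment such as `# ksmtuned writes its pid file as ksmtune.pid (no trailing d)` would stop the next reader from "fixing" it.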
@@ -29313,6 +29273,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index 2df6be7..44e3f94 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.5 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Wed Dec 23 2009 Dan Walsh 3.7.5-4 +- Cleanups from dgrift + * Tue Dec 22 2009 Dan Walsh 3.7.5-3 - Add back xserver_manage_home_fonts
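Review bot: Both new entries in the -29313 hunk label third-party libraries textrel_shlib_t, which permits execmod (text relocations in writable-then-executable mappings) for every domain that maps them and so waives the W^X guarantee the default lib_t carries; that is the intended exception mechanism, but the commit records no reason for either file. A short comment above the pair, `# non-PIC third-party libraries that need text relocations (execmod)`, keeps the exception list auditable. The python entry is appended after the chromium-browser line rather than next to any other `/usr/lib(64)?/python.*` patterns the file may already hold — the surrounding order is not visible here, so check it against the rest of libraries.fc.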