From f72bd44737d115063e79113645c869e15f21880a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 14 2009 18:53:40 +0000 Subject: - Fixes for kpropd --- diff --git a/policy-20090105.patch b/policy-20090105.patch index f9f32c5..f6664c8 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1887,7 +1887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.12/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/gnome.if 2009-05-14 10:31:02.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/gnome.if 2009-05-14 11:05:16.000000000 -0400 @@ -89,5 +89,175 @@ allow $1 gnome_home_t:dir manage_dir_perms; @@ -10664,7 +10664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-05-14 13:42:00.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) 
@@ -13790,8 +13790,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-05-12 15:30:13.000000000 -0400 -@@ -0,0 +1,48 @@ ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-05-14 13:42:21.000000000 -0400 +@@ -0,0 +1,49 @@ +policy_module(fprintd,1.0.0) + +######################################## @@ -13806,6 +13806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type fprintd_var_lib_t; +files_type(fprintd_var_lib_t) + ++allow fprintd_t self:capability sys_ptrace; +allow fprintd_t self:fifo_file rw_fifo_file_perms; +allow fprintd_t self:process { getsched signal }; + @@ -14919,7 +14920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.12/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc 2009-05-14 08:39:20.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc 2009-05-14 13:29:16.000000000 -0400 @@ -6,13 +6,14 @@ /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) 
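Review bot: The added `allow fprintd_t self:capability sys_ptrace;` in the fprintd.te section (hunk `@@ -13806,6 +13806,7 @@`) grants the fingerprint daemon a capability that lets it inspect or trace processes it does not own. Nothing in the hunk or the changelog says what triggered it. If the denial comes from fprintd or a library merely looking up a caller under /proc (an assumption to verify against the AVC record), `dontaudit fprintd_t self:capability sys_ptrace;` would silence it without granting the capability. If the allow has to stay, put a comment such as `# sys_ptrace: <operation seen in the AVC>` above the rule so it can be re-checked later.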
@@ -14936,6 +14937,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +@@ -21,7 +22,7 @@ + /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) + /var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) + /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +-/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) + + /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) + /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te +--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-05-14 13:28:31.000000000 -0400 +@@ -33,6 +33,7 @@ + type kpropd_t; + type kpropd_exec_t; + init_daemon_domain(kpropd_t, kpropd_exec_t) ++domain_obj_id_change_exemption(kpropd_t) + + type krb5_conf_t; + files_type(krb5_conf_t) +@@ -281,6 +282,7 @@ + + allow kpropd_t krb5_keytab_t:file read_file_perms; + ++manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) + manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) + + corecmd_exec_bin(kpropd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if --- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 +++ 
serefpolicy-3.6.12/policy/modules/services/kerneloops.if 2009-05-12 15:30:13.000000000 -0400 @@ -23298,7 +23327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-05-14 14:05:37.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -23474,7 +23503,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,6 +455,24 @@ +@@ -345,6 +346,7 @@ + allow ssh_t $3:unix_stream_socket connectto; + + # user can manage the keys and config ++ userdom_search_user_home_dirs($1_t) + manage_files_pattern($3, home_ssh_t, home_ssh_t) + manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t) + manage_sock_files_pattern($3, home_ssh_t, home_ssh_t) +@@ -454,6 +456,24 @@ ######################################## ## @@ -23499,7 +23536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read a ssh server unnamed pipe. ## ## -@@ -469,6 +488,23 @@ +@@ -469,6 +489,23 @@ allow $1 sshd_t:fifo_file { getattr read }; ') @@ -23523,7 +23560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## -@@ -611,3 +647,42 @@ +@@ -611,3 +648,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
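Review bot: `domain_obj_id_change_exemption(kpropd_t)` in the kerberos.te part of hunk `@@ -14936,6 +14937,34 @@` exempts kpropd from the constraint that prevents a domain from changing the SELinux user identity in object contexts. That is a broader grant than the lock-file access added next to it, and it has no comment. Please add a line such as `# kpropd replaces the principal database and its .ok files; <AVC summary>` above it, and confirm the exemption is still needed once `manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)` is in place. Separately, `/var/kerberos/krb5kdc/principal.*` and the new `/var/kerberos/krb5kdc/principal.*\.ok` now match the same paths, so the krb5kdc_lock_t label depends on file-context ordering. A `matchpathcon` check on a path such as `principal.example.ok` (constructed name) would confirm the intended entry wins.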
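Review bot: The new `userdom_search_user_home_dirs($1_t)` in the ssh.if section (hunk `@@ -23474,7 +23503,15 @@`) builds the domain name from the prefix argument, while the rules directly around it take the user domain from `$3` (`allow ssh_t $3:unix_stream_socket connectto;`, `manage_files_pattern($3, home_ssh_t, home_ssh_t)`). If a caller passes a domain that is not named `<prefix>_t`, the search permission would land on a different or undeclared type than the one that gets key management. `userdom_search_user_home_dirs($3)` would keep the block consistent. The template's signature is outside the hunk, so confirm there that `$3` is the domain argument.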
@@ -24533,7 +24570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-14 13:40:26.000000000 -0400 @@ -8,19 +8,31 @@ ## @@ -24700,7 +24737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_getattr_pty_fs(virtd_t) term_use_ptmx(virtd_t) -@@ -129,6 +192,13 @@ +@@ -129,7 +192,15 @@ logging_send_syslog_msg(virtd_t) @@ -24710,11 +24747,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +userdom_dontaudit_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) -+userdom_search_user_home_content(virtd_t) ++userdom_list_user_home_content(virtd_t) userdom_read_all_users_state(virtd_t) ++userdom_read_user_home_content_files(virtd_t) tunable_policy(`virt_use_nfs',` -@@ -167,22 +237,34 @@ + fs_manage_nfs_dirs(virtd_t) +@@ -167,22 +238,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -24737,15 +24776,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + lvm_domtrans(virtd_t) +') -+ -+optional_policy(` + + optional_policy(` +- qemu_domtrans(virtd_t) + polkit_domtrans_auth(virtd_t) + polkit_domtrans_resolve(virtd_t) + polkit_read_lib(virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) 
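Review bot: In the virt.te section (hunk `@@ -24710,11 +24747,13 @@`), replacing `userdom_search_user_home_content(virtd_t)` with `userdom_list_user_home_content(virtd_t)` and adding `userdom_read_user_home_content_files(virtd_t)` lets libvirtd list and read files under users' home directories unconditionally. The context just below already gates NFS access behind the `virt_use_nfs` tunable. The same pattern, or a dedicated label for images kept in home directories, would avoid exposing every user's files to the daemon by default. At minimum add a comment naming the use case, for example `# read disk images/ISOs stored in user home directories` if that is indeed the reason (an assumption, since the hunk does not say).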
@@ -24754,7 +24793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -195,8 +277,88 @@ +@@ -195,8 +278,89 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -24763,11 +24802,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + udev_domtrans(virtd_t) -+') -+ -+#optional_policy(` -+# unconfined_domain(virtd_t) -+#') + ') + + optional_policy(` + unconfined_domain(virtd_t) + ') + +manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) @@ -24838,12 +24877,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + xen_rw_image_files(svirt_t) - ') - - optional_policy(` -- unconfined_domain(virtd_t) ++') ++ ++optional_policy(` + xen_rw_image_files(svirt_t) - ') ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.12/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/w3c.te 2009-05-12 15:30:13.000000000 -0400 @@ -30862,7 +30901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-14 13:40:08.000000000 -0400 @@ -30,8 +30,9 @@ ') 
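Review bot: `unconfined_domain(virtd_t)` appears to be active again after hunk `@@ -24763,11 +24802,11 @@` of the virt.te section. The previous revision of the patch added only a commented-out copy and deleted the upstream call at the end of the file, whereas the new revision leaves the upstream optional block containing `unconfined_domain(virtd_t)` as unchanged context. If I read the nested markers correctly, virtd_t is unconfined whenever the unconfined module is installed, which makes the fine-grained virtd_t rules in this file moot. The "Fixes for kpropd" changelog entry does not mention it. If this is a deliberate temporary workaround, record it in the changelog and in a comment above the block, such as `# FIXME: virtd_t left unconfined until <issue>`; otherwise keep the block disabled.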
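Review bot: The tail of the virt.te section (hunk `@@ -24838,12 +24877,12 @@`) now ends with two identical optional_policy blocks, each containing only `xen_rw_image_files(svirt_t)`. The duplicate does not change the compiled policy, but it looks like a leftover from moving the `unconfined_domain(virtd_t)` block. Dropping the second copy would make the intent of the svirt_t rules easier to read.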
@@ -32245,40 +32284,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2814,12 +3012,12 @@ - type user_tmp_t; +@@ -2682,16 +2880,17 @@ + # + interface(`userdom_search_user_home_content',` + gen_require(` +- type user_home_dir_t, user_home_t; ++ type user_home_dir_t; ++ attribute user_home_type; ') -- allow $1 user_tmp_t:file write_file_perms; -+ write_files_pattern($1, user_tmp_t, user_tmp_t) + files_list_home($1) +- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; ') ######################################## ## --## Do not audit attempts to use user ttys. -+## Delete all users files in /tmp +-## Send general signals to unprivileged user domains. ++## List users home directories. ## ## ## -@@ -2827,17 +3025,35 @@ +@@ -2699,12 +2898,32 @@ ## ## # --interface(`userdom_dontaudit_use_user_ttys',` -+interface(`userdom_delete_user_tmp_files',` +-interface(`userdom_signal_unpriv_users',` ++interface(`userdom_list_user_home_content',` gen_require(` -- type user_tty_device_t; -+ type user_tmp_t; +- attribute unpriv_userdomain; ++ type user_home_dir_t; ++ attribute user_home_type; ') -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ allow $1 user_tmp_t:file delete_file_perms; - ') - - ######################################## - ## --## Read the process state of all user domains. -+## Do not audit attempts to use user ttys. +- allow $1 unpriv_userdomain:process signal; ++ files_list_home($1) ++ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Send general signals to unprivileged user domains. +## +## +## 
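Review bot: In the userdomain.if section, `userdom_search_user_home_content` is widened in place from the type `user_home_t` to the attribute `user_home_type` (`allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;`). Every existing caller of that interface therefore gains search on all directory types carrying the attribute, not only the domain this commit is fixing. It is search-only access, but a comment in the interface summary should state that it now covers all home content types, so callers are reviewed with that in mind. The new `userdom_list_user_home_content` is summarised as "List users home directories." although its rule also covers `user_home_type` directories. A summary like `## List user home directories and all user home content directories.` would match what it grants.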
@@ -32286,21 +32332,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_signal_unpriv_users',` + gen_require(` -+ type user_tty_device_t; ++ attribute unpriv_userdomain; + ') + -+ dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ allow $1 unpriv_userdomain:process signal; + ') + + ######################################## +@@ -2814,7 +3033,25 @@ + type user_tmp_t; + ') + +- allow $1 user_tmp_t:file write_file_perms; ++ write_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## -+## Read the process state of all user domains. - ## - ## - ## -@@ -2851,6 +3067,7 @@ ++## Delete all users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file delete_file_perms; + ') + + ######################################## +@@ -2851,6 +3088,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -32308,7 +32376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3198,481 @@ +@@ -2981,3 +3219,481 @@ allow $1 userdomain:dbus send_msg; ') @@ -33208,7 +33276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-05-14 08:26:03.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-05-14 14:07:29.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # 
@@ -33433,7 +33501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_runtime_files(xm_t) files_read_usr_files(xm_t) -@@ -339,15 +390,64 @@ +@@ -339,15 +390,67 @@ storage_raw_read_fixed_disk(xm_t) @@ -33464,6 +33532,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# SSH component local policy +# +ssh_basic_client_template(xm,xm_t,system_r) ++kernel_read_xen_state(xm_ssh_t) ++kernel_write_xen_state(xm_ssh_t) ++ + +#Should have a boolean wrapping these +fs_list_auto_mountpoints(xend_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 41bc6b8..ebe4ecc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 36%{?dist} +Release: 37%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -473,6 +473,9 @@ exit 0 %endif %changelog +* Thu May 14 2009 Dan Walsh 3.6.12-37 +- Fixes for kpropd + * Tue May 12 2009 Dan Walsh 3.6.12-36 - Allow brctl to r/w tun_tap_device_t
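Review bot: `kernel_write_xen_state(xm_ssh_t)`, added in the xen.te section (hunk `@@ -33464,6 +33532,9 @@`), gives the ssh client domain created by `ssh_basic_client_template(xm,xm_t,system_r)` write access to Xen state. That domain handles traffic from remote hosts. If the denials are caused by descriptors that xm_t already had open and the ssh child merely inherited (an assumption to check in the AVC records), a dontaudit rule for that access would be tighter than an allow. If the access is really required, add a comment above the two lines, such as `# xm migration over ssh: <operation seen in the AVC>`, to document why.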