From f78292e7808cfe16f4b2dc1bfce34cd165df65a4 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 10 2014 10:17:24 +0000 Subject: - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Fix label on irclogs in the homedir - Allow kerberos_keytab_domain domains to manage keys until we get sssd fix - Allow postgresql to use ldap - Add missing syslog-conn port --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 5a37828..883486b 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -5596,7 +5596,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..3173c7b 100644 +index 4edc40d..28e68c5 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5852,7 +5852,7 @@ index 4edc40d..3173c7b 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -214,38 +266,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,51 +266,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) 
@@ -5905,7 +5905,12 @@ index 4edc40d..3173c7b 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +316,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) + network_port(svrloc, tcp,427,s0, udp,427,s0) + network_port(swat, tcp,901,s0) + network_port(sype_transport, tcp,9911,s0, udp,9911,s0) +-network_port(syslogd, udp,514,s0) ++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0) + network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -22845,7 +22850,7 @@ index 9d2f311..9e87525 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 346d011..3e23acb 100644 +index 346d011..e73a293 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -22937,15 +22942,19 @@ index 346d011..3e23acb 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t) +@@ -354,20 +361,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) -miscfiles_read_localization(postgresql_t) - +- seutil_libselinux_linked(postgresql_t) seutil_read_default_contexts(postgresql_t) -@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t) + ++sysnet_use_ldap(postgresql_t) ++ + userdom_dontaudit_use_unpriv_user_fds(postgresql_t) + userdom_dontaudit_search_user_home_dirs(postgresql_t) userdom_dontaudit_use_user_terminals(postgresql_t) optional_policy(` 
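Review bot: The new ports in `network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)` are added to the existing syslogd port type, so every domain already granted syslogd port access for UDP 514 silently gains TCP and UDP 601 as well. If that widening is intended, a comment on the line recording what 601 is would help later readers, e.g. `# 601/tcp,udp: syslog-conn (RFC 3195 reliable syslog)`; if only the TCP-capable daemons should reach it, a separate port type for syslog-conn would keep the grant narrower. The changelog calls this the "syslog-conn port" while the policy exposes it under the syslogd name, which is worth stating in the commit message.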
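Review bot: `sysnet_use_ldap(postgresql_t)` is added unconditionally, which grants the server LDAP network access on every installation whether or not pg_hba.conf uses the ldap authentication method. If the module already calls `auth_use_nsswitch(postgresql_t)` as upstream refpolicy does, the boolean-gated LDAP access that interface provides is now made permanent by this line, so a `tunable_policy` block in the style of the module's other optional access would let administrators keep the default footprint. If always-on access is the intent, a one-line comment such as `# direct LDAP bind for the pg_hba.conf ldap auth method` would document why it is not behind a boolean. The postgresql_t rules continue outside this hunk.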
@@ -22965,7 +22974,7 @@ index 346d011..3e23acb 100644 allow postgresql_t self:process execmem; ') -@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin +@@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; @@ -23022,7 +23031,7 @@ index 346d011..3e23acb 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -23031,7 +23040,7 @@ index 346d011..3e23acb 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 2d08b5b..d9019a5 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -11065,7 +11065,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index fdee107..9bb9ad1 100644 +index fdee107..1910951 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) 
@@ -11093,7 +11093,7 @@ index fdee107..9bb9ad1 100644 domain_setpriority_all_domains(cgclear_t) fs_manage_cgroup_dirs(cgclear_t) -@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; +@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; kernel_list_unlabeled(cgconfig_t) kernel_read_system_state(cgconfig_t) @@ -11118,7 +11118,11 @@ index fdee107..9bb9ad1 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -@@ -99,10 +102,11 @@ domain_setpriority_all_domains(cgred_t) ++allow cgred_t cgconfig_t:file read_file_perms; + allow cgred_t cgrules_etc_t:file read_file_perms; + + allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) @@ -24807,9 +24811,18 @@ index 266cb8f..b619351 100644 + procmail_domtrans(dspam_t) +') diff --git a/entropyd.te b/entropyd.te -index a0da189..d8bc9d5 100644 +index a0da189..dc22b89 100644 --- a/entropyd.te +++ b/entropyd.te +@@ -12,7 +12,7 @@ policy_module(entropyd, 1.7.2) + ## the entropy feeds. + ##
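Review bot: The added rule `allow cgred_t cgconfig_t:file read_file_perms;` names the cgconfig process domain, not the file type of /etc/cgconfig.conf; the file type shown in the cgroup.if context earlier in this patch is `cgconfig_etc_t` (`admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })`). As written the rule compiles, since cgconfig_t is a declared type, but it only permits reading files that carry the daemon's process label, and cgred presumably stays denied on the templates the commit message says it needs. It should read `allow cgred_t cgconfig_etc_t:file read_file_perms;`, matching the neighbouring `allow cgred_t cgrules_etc_t:file read_file_perms;`.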

+ ## +-gen_tunable(entropyd_use_audio, false) ++gen_tunable(entropyd_use_audio, true) + + type entropyd_t; + type entropyd_exec_t; @@ -45,9 +45,6 @@ dev_write_urand(entropyd_t) dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) @@ -32777,14 +32790,14 @@ index 0000000..0fd2678 + kerberos_use(ipa_otpd_t) +') diff --git a/irc.fc b/irc.fc -index 48e7739..c3285c2 100644 +index 48e7739..1bf0326 100644 --- a/irc.fc +++ b/irc.fc @@ -1,6 +1,6 @@ HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) -HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) -+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0) ++HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0) /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) @@ -36040,7 +36053,7 @@ index f9de9fc..11504e6 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 3465a9a..c37f70b 100644 +index 3465a9a..31ad037 100644 --- a/kerberos.te +++ b/kerberos.te @@ -1,4 +1,4 @@ @@ -36371,7 +36384,7 @@ index 3465a9a..c37f70b 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,28 +343,34 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -303,28 +343,37 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) @@ -36408,6 +36421,9 @@ index 3465a9a..c37f70b 100644 +# kerberos keytab domain local policy +# + ++#until we get sssd fix ++allow kerberos_keytab_domain kerberos_keytab_domain:key manage_key_perms; ++ +userdom_manage_all_users_keys(kerberos_keytab_domain) + +optional_policy(` @@ -53957,7 +53973,7 @@ index 0d3c270..709dda1 100644 + ') ') diff --git a/numad.te b/numad.te -index f5d145d..97e1148 100644 +index f5d145d..f050103 100644 --- a/numad.te +++ b/numad.te @@ -1,4 +1,4 @@ 
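Review bot: Flipping `gen_tunable(entropyd_use_audio, true)` turns the audio-device rules on for every host by default, including ones where the daemon is not configured to sample a sound card, which widens entropyd_t's device access without an opt-in. If the policy default is meant to track the daemon's own default configuration, saying so in the `<desc>` block above the tunable (noting that the boolean is enabled by default and how to disable it) would make the change discoverable to administrators. The entropyd_t rules the tunable governs are outside this hunk.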
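Review bot: The new pattern `HOME_DIR/irclog(/.*)?` matches only a home-directory entry named exactly irclog, because file-context regexes are anchored at both ends; the directory being relabelled is spelled irclogs in the removed line and in the commit subject, so that directory no longer matches and presumably falls back to the generic home-content label. If both spellings occur in practice, `HOME_DIR/irclogs?(/.*)?` covers them; otherwise restore `HOME_DIR/irclogs(/.*)?` with the new type. The type change from irc_log_home_t to irc_home_t is fine on its own, but existing files keep the old label until a relabel, which the changelog could mention.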
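Review bot: `allow kerberos_keytab_domain kerberos_keytab_domain:key manage_key_perms;` is an attribute-to-attribute rule, so every domain carrying kerberos_keytab_domain may read, write and link the keyrings of every other such domain, not just its own; if each domain only needs its own keys, the narrower form is `allow kerberos_keytab_domain self:key manage_key_perms;`. The `#until we get sssd fix` comment should name the tracker entry so the workaround can be found and removed later, e.g. `# TODO(<bug-id placeholder>): drop once the sssd fix lands`. The keytab-domain policy block continues outside this hunk.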
@@ -53966,7 +53982,7 @@ index f5d145d..97e1148 100644 ######################################## # -@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3) +@@ -8,37 +8,44 @@ policy_module(numad, 1.0.3) type numad_t; type numad_exec_t; init_daemon_domain(numad_t, numad_exec_t) @@ -54005,15 +54021,17 @@ index f5d145d..97e1148 100644 manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) files_pid_filetrans(numad_t, numad_var_run_t, file) -@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t) - dev_read_sysfs(numad_t) + kernel_read_system_state(numad_t) --files_read_etc_files(numad_t) +-dev_read_sysfs(numad_t) ++dev_rw_sysfs(numad_t) ++ +domain_use_interactive_fds(numad_t) +domain_read_all_domains_state(numad_t) +domain_setpriority_all_domains(numad_t) -+ + +-files_read_etc_files(numad_t) +fs_manage_cgroup_dirs(numad_t) +fs_rw_cgroup_files(numad_t) @@ -78024,7 +78042,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 1cedd70..b23c97a 100644 +index 1cedd70..d193f7a 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) @@ -78045,13 +78063,15 @@ index 1cedd70..b23c97a 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -52,21 +51,45 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -51,22 +50,47 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) + kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) - ++kernel_read_sysctl(rhsmcertd_t) ++ +corenet_tcp_connect_http_port(rhsmcertd_t) +corenet_tcp_connect_squid_port(rhsmcertd_t) -+ + corecmd_exec_bin(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index f70a229..b1e1c56 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
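Review bot: `dev_rw_sysfs(numad_t)` grants write access to every file labelled sysfs_t, whereas the stated need is the single khugepaged tunable scan_sleep_millisecs; sysfs carries many other writable kernel and device attributes, so this is a wide grant for one file. A dedicated type for that attribute (a genfscon for its path plus a targeted write rule) would keep numad's footprint close to what it uses; failing that, the line deserves a comment naming the file, e.g. `# writes /sys/kernel/mm/transparent_hugepage/khugepaged/scan_sleep_millisecs`. The numad_t rules continue past the end of this hunk.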
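Review bot: `kernel_read_sysctl(rhsmcertd_t)` grants read access to all of sysctl_t, i.e. the whole of /proc/sys, which is broader than the /proc/sysinfo file named in the commit subject, and the line does not say why this is the right interface; presumably the `/proc/sys` genfscon prefix also labels /proc/sysinfo as sysctl_t. A comment would save the next reader that deduction, e.g. `# lscpu reads /proc/sysinfo, which the /sys genfscon prefix labels sysctl_t`. The rhsmcertd_t rule block continues outside this hunk.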
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 132%{?dist} +Release: 133%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 10 2014 Miroslav Grepl 3.12.1-133 +- Allow numad to write scan_sleep_millisecs +- Turn on entropyd_use_audio boolean by default +- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. +- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo +- Fix label on irclogs in the homedir +- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix +- Allow postgresql to use ldap +- Add missing syslog-conn port + * Fri Mar 7 2014 Miroslav Grepl 3.12.1-132 - Modify xdm_write_home to allow create files/links in /root with xdm_home_ - Allow virt domains to read network state