diff --git a/modules-minimum.conf b/modules-minimum.conf
index 1c7d9c8..732ccfa 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -787,6 +787,13 @@ nsplugin = module
 mplayer = module
 # Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+#
+gitosis = module
+
+# Layer: apps
 # Module: gpg
 #
 # Policy for Mozilla and related web browsers
diff --git a/modules-mls.conf b/modules-mls.conf
index e70ca60..2259af9 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -249,6 +249,13 @@ tmpreaper = module
 dmidecode = base
 # Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+#
+gitosis = module
+
+# Layer: apps
 # Module: gpg
 #
 # Policy for GNU Privacy Guard and related programs.
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 220193d..15e3675 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -477,6 +477,13 @@ games = module
 #
 getty = base
+# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+#
+gitosis = module
+
 # Layer: services
 # Module: gpsd
 #
diff --git a/policy-20080710.patch b/policy-20080710.patch
index 50f53e0..e386b6e 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -2053,6 +2053,159 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if
 + rw_files_pattern($1, games_data_t, games_data_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.5.13/policy/modules/apps/gitosis.fc
+--- nsaserefpolicy/policy/modules/apps/gitosis.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/apps/gitosis.fc 2009-03-20 09:26:47.000000000 +0100
+@@ -0,0 +1,4 @@
++
++/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
++
++/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.5.13/policy/modules/apps/gitosis.if
+--- nsaserefpolicy/policy/modules/apps/gitosis.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/apps/gitosis.if 2009-03-20 09:26:47.000000000 +0100
+@@ -0,0 +1,94 @@
++## gitosis interface
++
++#######################################
++##
++## Execute a domain transition to run gitosis.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gitosis_domtrans',`
++ gen_require(`
++ type gitosis_t, gitosis_exec_t;
++ ')
++
++ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
++')
++
++#######################################
++##
++## Execute gitosis-serve in the gitosis domain, and
++## allow the specified role the gitosis domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the gpsd domain.
++##
++##
++##
++##
++## The type of the role's terminal.
++##
++##
++#
++interface(`gitosis_run',`
++ gen_require(`
++ type gitosis_t;
++ ')
++
++ gitosis_domtrans($1)
++ role $2 types gitosis_t;
++ allow gitosis_t $3:chr_file rw_term_perms;
++')
++
++#######################################
++##
++## Allow the specified domain to read
++## gitosis lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gitosis_read_var_lib',`
++ gen_require(`
++ type gitosis_var_lib_t;
++
++ ')
++
++ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++')
++
++######################################
++##
++## Allow the specified domain to manage
++## gitosis lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gitosis_manage_var_lib',`
++ gen_require(`
++ type gitosis_var_lib_t;
++
++ ')
++
++ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.5.13/policy/modules/apps/gitosis.te
+--- nsaserefpolicy/policy/modules/apps/gitosis.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/apps/gitosis.te 2009-03-20 09:27:40.000000000 +0100
+@@ -0,0 +1,43 @@
++policy_module(gitosis,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gitosis_t;
++type gitosis_exec_t;
++application_domain(gitosis_t, gitosis_exec_t)
++role system_r types gitosis_t;
++
++type gitosis_var_lib_t;
++files_type(gitosis_var_lib_t)
++
++########################################
++#
++# gitosis local policy
++#
++
++allow gitosis_t self:fifo_file rw_fifo_file_perms;
++
++exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++
++corecmd_exec_bin(gitosis_t)
++corecmd_exec_shell(gitosis_t)
++
++kernel_read_system_state(gitosis_t)
++
++files_read_usr_files(gitosis_t)
++files_search_var_lib(gitosis_t)
++
++libs_use_ld_so(gitosis_t)
++libs_use_shared_libs(gitosis_t)
++
++miscfiles_read_localization(gitosis_t)
++
++optional_policy(`
++ ssh_rw_pipes(gitosis_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.13/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-10-17 14:49:14.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/apps/gnome.fc 2009-02-10 15:07:15.000000000 +0100
@@ -18972,7 +19125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.13/policy/modules/services/mysql.if
 --- nsaserefpolicy/policy/modules/services/mysql.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/mysql.if 2009-02-26 16:00:52.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/mysql.if 2009-03-20 09:38:48.000000000 +0100
 @@ -53,9 +53,11 @@
 interface(`mysql_stream_connect',`
 gen_require(`
@@ -18994,12 +19147,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
 ')
 ########################################
-@@ -120,6 +122,25 @@
+@@ -120,6 +122,44 @@
 allow $1 mysqld_db_t:dir rw_dir_perms;
 ')
 +#######################################
 +##
++## Append to the MySQL database directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mysql_append_db_files',`
++ gen_require(`
++ type mysqld_db_t;
++ ')
++
++ files_search_var_lib($1)
++ append_files_pattern($1, mysqld_db_t, mysqld_db_t)
++')
++
++#######################################
++##
 +## Read and write to the MySQL database directory.
 +##
 +##
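Review bot: In gitosis.te the new domain is given exec_files_pattern and manage_files_pattern on the same type, gitosis_var_lib_t, so gitosis_t can create a file under /var/lib/gitosis and then execute it; that is presumably needed for repository hook scripts, but it is the one place where this confinement does not separate writable data from executable content, and it deserves a comment such as `# hook scripts live under /var/lib/gitosis and run from the same type they are written with`. If the hook location is fixed, a dedicated exec type for it would keep the rest of gitosis_var_lib_t non-executable. Separately, the gitosis_run description in gitosis.if still says `The role to be allowed the gpsd domain.` (apparently carried over from the gpsd policy) and should read `The role to be allowed the gitosis domain.`, and the gen_require blocks of gitosis_read_var_lib and gitosis_manage_var_lib each carry a stray blank line before the closing `')`.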
@@ -19020,7 +19192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ######################################## ## ## Create, read, write, and delete MySQL database directories. -@@ -139,6 +160,25 @@ +@@ -139,6 +179,25 @@ allow $1 mysqld_db_t:dir manage_dir_perms; ') @@ -19046,7 +19218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ######################################## ## ## Read and write to the MySQL database -@@ -157,7 +197,26 @@ +@@ -157,7 +216,26 @@ files_search_var_lib($1) allow $1 mysqld_db_t:dir search; @@ -19074,12 +19246,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ') ######################################## -@@ -176,5 +235,49 @@ +@@ -176,5 +254,49 @@ ') logging_search_logs($1) - allow $1 mysqld_log_t:file { write append setattr ioctl }; -+ write_files_pattern($1,mysqld_log_t,mysqld_log_t) ++ allow $1 mysqld_log_t:file { write_file_perms setattr getattr }; +') + +######################################## @@ -19127,7 +19299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.13/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/mysql.te 2009-02-26 15:37:23.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/mysql.te 2009-03-20 09:39:54.000000000 +0100 @@ -10,6 +10,10 @@ type mysqld_exec_t; init_daemon_domain(mysqld_t, mysqld_exec_t) @@ -19173,7 +19345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq domain_use_interactive_fds(mysqld_t) -@@ -120,3 +129,40 @@ +@@ -120,3 +129,39 @@ optional_policy(` udev_read_db(mysqld_t) ') 
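Review bot: The rewritten log-writing line `allow $1 mysqld_log_t:file { write_file_perms setattr getattr };` names getattr twice in effect, because refpolicy's write_file_perms set already contains getattr (with write, append, lock and ioctl); `allow $1 mysqld_log_t:file { write_file_perms setattr };` grants the same access and reads more clearly. The interface this line belongs to (apparently mysql_write_log; its header is outside the hunk) would also benefit from a comment on which caller needs setattr on the log file, since the only caller visible in this patch is mysqld_safe_t in the mysql.te hunk below.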
@@ -19188,8 +19360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + -+append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -+ ++mysql_append_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) +mysql_write_log(mysqld_safe_t) @@ -28246,7 +28417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2009-03-20 09:28:24.000000000 +0100 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -28471,9 +28642,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) - corenet_sendrecv_ssh_server_packets($1_t) -+ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) ++ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) 
@@ -28516,7 +28687,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -710,3 +724,22 @@ +@@ -605,6 +619,25 @@ + allow $1 sshd_t:tcp_socket rw_stream_socket_perms; + ') + ++####################################### ++## ++## Allow attempts to read and write to ++## sshd unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_rw_pipes',` ++ gen_require(` ++ type sshd_t; ++ ') ++ ++ allow $1 sshd_t:fifo_file rw_fifo_file_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts to read and write +@@ -710,3 +743,22 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -28541,7 +28738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2009-03-20 09:28:31.000000000 +0100 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -28604,7 +28801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -99,6 +120,14 @@ +@@ -99,10 +120,22 @@ ') optional_policy(` @@ -28619,7 +28816,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -117,7 +146,11 @@ + optional_policy(` ++ gitosis_read_var_lib(sshd_t) ++') ++ ++optional_policy(` + inetd_tcp_service_domain(sshd_t, sshd_exec_t) + ') + +@@ -117,7 +150,11 @@ ') optional_policy(` 
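Review bot: The new `gitosis_read_var_lib(sshd_t)` block in ssh.te carries no comment on why sshd needs read access to gitosis_var_lib_t; presumably the gitosis account's home directory, and with it the authorized_keys file sshd consults, lives under /var/lib/gitosis, but nothing in the hunk says so. A one-line comment above the call, `# gitosis keeps the account's authorized_keys under /var/lib/gitosis`, would record the reason — confirm the path against the gitosis package before adding it. The grant itself is read and list only, via gitosis_read_var_lib, which is the narrow access one would want from sshd_t toward a repository tree.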
@@ -28632,7 +28837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. unconfined_shell_domtrans(sshd_t) ') -@@ -176,6 +209,8 @@ +@@ -176,6 +213,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) @@ -35544,7 +35749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2009-03-10 13:22:29.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2009-03-20 09:28:45.000000000 +0100 @@ -6,35 +6,78 @@ # Declarations # 
@@ -35713,54 +35918,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -123,79 +183,91 @@ +@@ -123,79 +183,95 @@ ') optional_policy(` - inn_domtrans(unconfined_t) -+ gpsd_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ++ gitosis_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ') optional_policy(` - java_domtrans(unconfined_t) -+ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ gpsd_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ') optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ++ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - mono_domtrans(unconfined_t) -+ livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ') optional_policy(` - mta_per_role_template(unconfined, unconfined_t, unconfined_r) -+ lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ livecd_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - oddjob_domtrans_mkhomedir(unconfined_t) -+ modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t 
unconfined_tty_device_t }) ') optional_policy(` - prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ mono_per_role_template(unconfined, unconfined_t, unconfined_r) -+ unconfined_domain(unconfined_mono_t) -+ role system_r types unconfined_mono_t; ++ modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+ prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ mono_per_role_template(unconfined, unconfined_t, unconfined_r) ++ unconfined_domain(unconfined_mono_t) ++ role system_r types unconfined_mono_t; ') optional_policy(` @@ -35768,17 +35973,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) -+ portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') - optional_policy(` - pyzor_per_role_template(unconfined) --') -+ qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r) ++ portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') --optional_policy(` + optional_policy(` - qmail_per_role_template(unconfined, unconfined_t, unconfined_r) ++ qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r) ++ + tunable_policy(`allow_unconfined_qemu_transition',` + qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ',` 
@@ -35828,7 +36035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -203,7 +275,7 @@ +@@ -203,7 +279,7 @@ ') optional_policy(` @@ -35837,7 +36044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -215,11 +287,12 @@ +@@ -215,11 +291,12 @@ ') optional_policy(` @@ -35852,7 +36059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -229,14 +302,61 @@ +@@ -229,14 +306,61 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d6624a4..79e72af 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 49%{?dist} +Release: 50%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -460,6 +460,10 @@ exit 0 %endif %changelog +* Fri Mar 20 2009 Miroslav Grepl 3.5.13-50 +- Add gitosis policy +- Allow mdadm to read/write mls override + * Fri Mar 13 2009 Miroslav Grepl 3.5.13-49 - Add gpsd policy - Fix razor policy