- Allow rpcd_t to send signals to kernel threads

policy-20090105.patch

@@ -6015,7 +6015,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-05-08 11:48:52.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-05-11 08:03:38.000000000 -0400
+@@ -157,7 +157,7 @@
+ 		type kernel_t;
+ 	')
+ 
+-	allow kernel_t $1:process signal;
++	allow $1 kernel_t:process signal;
+ ')
+ 
+ ########################################
 @@ -1197,6 +1197,26 @@
  	')
  
@@ -20679,7 +20688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-05-04 12:28:35.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-05-11 09:09:05.000000000 -0400
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -20689,7 +20698,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  rpc_domain_template(gssd)
  
-@@ -74,21 +74,33 @@
+@@ -69,26 +69,37 @@
+ kernel_read_sysctl(rpcd_t)
+ kernel_rw_fs_sysctls(rpcd_t)
+ kernel_dontaudit_getattr_core_if(rpcd_t)
++kernel_signal(rpcd_t) 
+ 
+ corecmd_exec_bin(rpcd_t)
  
  files_manage_mounttab(rpcd_t)
  
@@ -20700,8 +20715,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  fs_rw_rpc_sockets(rpcd_t) 
  
 +storage_getattr_fixed_disk_dev(rpcd_t)
-+
-+kernel_signal(rpcd_t) 
 +
  selinux_dontaudit_read_fs(rpcd_t)
  
@@ -20723,7 +20736,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # NFSD local policy
-@@ -116,8 +128,9 @@
+@@ -116,8 +127,9 @@
  # for exportfs and rpc.mountd
  files_getattr_tmp_dirs(nfsd_t) 
  # cjp: this should really have its own type
@@ -20734,7 +20747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  fs_mount_nfsd_fs(nfsd_t) 
  fs_search_nfsd_fs(nfsd_t) 
  fs_getattr_all_fs(nfsd_t) 
-@@ -125,6 +138,7 @@
+@@ -125,6 +137,7 @@
  fs_rw_nfsd_fs(nfsd_t) 
  
  storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -20742,7 +20755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
-@@ -141,6 +155,7 @@
+@@ -141,6 +154,7 @@
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
  ')
@@ -20750,7 +20763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  tunable_policy(`nfs_export_all_ro',`
  	dev_getattr_all_blk_files(nfsd_t)
-@@ -175,6 +190,7 @@
+@@ -175,6 +189,7 @@
  
  corecmd_exec_bin(gssd_t)
  
@@ -20758,7 +20771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  fs_list_rpc(gssd_t) 
  fs_rw_rpc_sockets(gssd_t) 
  fs_read_rpc_files(gssd_t) 
-@@ -183,9 +199,12 @@
+@@ -183,9 +198,12 @@
  files_read_usr_symlinks(gssd_t) 
  
  auth_use_nsswitch(gssd_t)

selinux-policy.spec

@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 33%{?dist}
+Release: 34%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,9 @@ exit 0
 %endif
 
 %changelog
+* Mon May 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-34
+- Allow rpcd_t to send signals to kernel threads
+
 * Fri May 7 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-33
 - Fix upgrade for F10 to F11