From 1afb4243639c15f922009256a881da22be5929b8 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 27 Jun 2007 18:11:43 +0000 Subject: [PATCH] - Allow avahi to access inotify - Remove a lot of bogus security_t:filesystem avcs --- policy-20070525.patch | 66 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 54 insertions(+), 12 deletions(-) diff --git a/policy-20070525.patch b/policy-20070525.patch index 205f655f..213e104e 100644 --- a/policy-20070525.patch +++ b/policy-20070525.patch @@ -129,7 +129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere .TP diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.1/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2007-06-19 16:23:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/flask/access_vectors 2007-06-22 14:07:33.000000000 -0400 ++++ serefpolicy-3.0.1/policy/flask/access_vectors 2007-06-26 16:20:20.000000000 -0400 @@ -598,6 +598,8 @@ shmempwd shmemgrp @@ -2350,7 +2350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-06-27 10:04:58.000000000 -0400 @@ -1096,6 +1096,24 @@ ######################################## 
@@ -2660,7 +2660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te attribute privrangetrans; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.1/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/selinux.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/kernel/selinux.if 2007-06-27 10:07:44.000000000 -0400 @@ -51,6 +51,44 @@ ######################################## @@ -2706,6 +2706,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu ## Search selinuxfs. ## ## +@@ -101,6 +139,7 @@ + type security_t; + ') + ++ selinux_dontaudit_getattr_fs($1) + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file { getattr read }; + ') +@@ -122,6 +161,7 @@ + type security_t; + ') + ++ selinux_get_fs_mount($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file { getattr read }; + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.1/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2007-06-15 14:54:30.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/kernel/storage.if 2007-06-19 17:06:27.000000000 -0400 @@ -3467,7 +3483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.1/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/apcupsd.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/services/apcupsd.te 2007-06-27 08:33:56.000000000 -0400 @@ -16,6 +16,9 @@ type apcupsd_log_t; logging_log_file(apcupsd_log_t) 
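Review bot: The `## <desc>` blocks of selinux_dontaudit_read_fs and selinux_read_fs sit above the inner hunks at 139 and 161 and are not touched, even though the added `selinux_dontaudit_getattr_fs($1)` and `selinux_get_fs_mount($1)` calls presumably extend both interfaces to `security_t:filesystem getattr` for every existing caller; the definitions of those two interfaces are added by the earlier `@@ -51,6 +51,44 @@` hunk and are not visible here, so I cannot confirm exactly what they grant. Callers of selinux_read_fs receive the wider permission implicitly, so the description should say so, e.g. `## Read the selinuxfs and get the attributes of its filesystem.` and for the other `## Do not audit attempts to read selinuxfs or getattr its filesystem.`. The inner offsets are consistent with that earlier insertion (139 = 101 + 38 and 161 = 122 + 38 + 1), so the nested patch should still apply cleanly. Both enclosing interface bodies begin outside this hunk.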
@@ -3603,6 +3619,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto dev_read_urand(automount_t) domain_use_interactive_fds(automount_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.1/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2007-06-15 14:54:33.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/services/avahi.te 2007-06-27 10:05:15.000000000 -0400 +@@ -56,6 +56,7 @@ + + fs_getattr_all_fs(avahi_t) + fs_search_auto_mountpoints(avahi_t) ++fs_list_inotifyfs(avahi_t) + + domain_use_interactive_fds(avahi_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.0.1/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/services/bind.fc 2007-06-19 17:06:27.000000000 -0400 @@ -6337,8 +6364,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_search_auto_mountpoints($1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.1/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rpc.te 2007-06-20 06:34:45.000000000 -0400 -@@ -79,6 +79,7 @@ ++++ serefpolicy-3.0.1/policy/modules/services/rpc.te 2007-06-27 10:08:39.000000000 -0400 +@@ -76,9 +76,11 @@ + miscfiles_read_certs(rpcd_t) + + seutil_dontaudit_search_config(rpcd_t) ++selinux_dontaudit_read_fs(rpcd_t) optional_policy(` nis_read_ypserv_config(rpcd_t) @@ -6346,7 +6377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') ######################################## -@@ -91,6 +92,9 @@ +@@ -91,6 +93,9 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; 
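Review bot: The new `fs_list_inotifyfs(avahi_t)` line carries no comment saying which avahi behaviour needs inotify, so a later reader cannot tell whether the directory-listing permission on inotifyfs is still required once avahi changes; refpolicy normally annotates such one-off grants. A short comment above it such as `# avahi-daemon presumably watches its service definitions with inotify; confirm the watch target` would record the reason while marking it as unverified. The rest of the avahi_t rules are outside this hunk.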
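Review bot: `selinux_dontaudit_read_fs(rpcd_t)` is appended directly under `seutil_dontaudit_search_config(rpcd_t)` with no separating blank line, although refpolicy .te files group interface calls by module, with kernel-layer `selinux_*` calls placed alongside the other kernel-layer calls rather than inside the system-layer `seutil_*` group; the remaining rpcd_t rules are outside this hunk, so the right group cannot be pointed at from here. With the change this same commit makes to selinux_dontaudit_read_fs, this line now also hides the selinuxfs filesystem getattr in addition to the dir search and file read, so a comment recording why those denials are safe to silence, e.g. `# selinuxfs probing at library init; rpcd does not need it -- confirm`, would help the next reviewer. The rebased inner header `@@ -76,9 +76,11 @@` matches the three added context lines plus the one new rule relative to the old `@@ -79,6 +79,7 @@`, so the nested hunk should apply.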
@@ -6356,7 +6387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) -@@ -123,6 +127,7 @@ +@@ -123,6 +128,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) @@ -6364,7 +6395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` -@@ -158,6 +163,11 @@ +@@ -158,6 +164,11 @@ miscfiles_read_certs(gssd_t) @@ -7740,7 +7771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.0.1/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/fstools.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/system/fstools.if 2007-06-27 08:13:43.000000000 -0400 @@ -124,3 +124,22 @@ allow $1 swapfile_t:file getattr; @@ -9262,7 +9293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.1/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/udev.te 2007-06-22 11:39:51.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/system/udev.te 2007-06-27 08:08:02.000000000 -0400 @@ -68,8 +68,9 @@ allow udev_t udev_tbl_t:file manage_file_perms; dev_filetrans(udev_t,udev_tbl_t,file) 
@@ -9314,7 +9345,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t userdom_dontaudit_search_all_users_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -188,5 +202,24 @@ +@@ -178,6 +192,10 @@ + ') + + optional_policy(` ++ fstools_domtrans(udev_t) ++') ++ ++optional_policy(` + hal_dgram_send(udev_t) + ') + +@@ -188,5 +206,24 @@ ') optional_policy(`
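Review bot: The new `fstools_domtrans(udev_t)` block lets device-event handling transition into the fsadm_t domain, which in refpolicy is the domain of the filesystem and block-device management tools, yet nothing in the hunk says which udev helper needs it or why a narrower fstools interface would not suffice. A comment inside the block, e.g. `# <udev helper> must run as fsadm_t -- name it and confirm no narrower interface fits`, would let a later reviewer judge whether the transition can be tightened; the fstools.if change in this same commit is not visible here, so I cannot tell whether it is related. Placing the block before the hal optional_policy keeps the alphabetical order. The enclosing udev_t rules and the rebased tail `@@ -188,5 +206,24 @@` continue outside this hunk.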