From 1b77809f5e8569a2bd41097c107dea4fc48289e1 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 2 Jul 2007 01:49:51 +0000 Subject: [PATCH] - fix squid - Fix rpm running as uid --- policy-20070525.patch | 130 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 106 insertions(+), 24 deletions(-) diff --git a/policy-20070525.patch b/policy-20070525.patch index 5f5467b8..bfa5dfa6 100644 --- a/policy-20070525.patch +++ b/policy-20070525.patch @@ -1792,7 +1792,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.1/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/vmware.te 2007-06-21 13:41:35.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/apps/vmware.te 2007-07-01 21:06:08.000000000 -0400 +@@ -29,7 +29,7 @@ + + allow vmware_host_t self:capability { setuid net_raw }; + dontaudit vmware_host_t self:capability sys_tty_config; +-allow vmware_host_t self:process signal_perms; ++allow vmware_host_t self:process { execstack execmem signal_perms }; + allow vmware_host_t self:fifo_file rw_fifo_file_perms; + allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; + allow vmware_host_t self:rawip_socket create_socket_perms; @@ -55,6 +55,8 @@ corenet_tcp_sendrecv_all_ports(vmware_host_t) corenet_udp_sendrecv_all_ports(vmware_host_t) 
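Review bot: `allow vmware_host_t self:process { execstack execmem signal_perms };` gives the VMware host daemon both an executable stack and writable-and-executable memory, which switches off the W^X hardening SELinux otherwise enforces for this domain, and nothing in the hunk records which binary or AVC denial motivated it. Add a comment above the line naming the trigger, e.g. `# vmware-vmx/vmnet need execmem (and execstack?) -- cite the denial`, and drop `execstack` if only `execmem` is actually reported, since execstack is the rarer and more dangerous of the two. Refpolicy sometimes wraps grants like this in a `tunable_policy` so hardened sites can keep W^X; if that fits here it is worth considering. The vmware_host_t rule block continues outside this hunk.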
@@ -2350,7 +2359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-06-27 10:04:58.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-07-01 21:12:31.000000000 -0400 @@ -1096,6 +1096,24 @@ ######################################## @@ -3602,7 +3611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi fs_getattr_all_fs(entropyd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.1/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/automount.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/services/automount.te 2007-07-01 21:23:33.000000000 -0400 @@ -69,6 +69,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) @@ -3619,6 +3628,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto dev_read_urand(automount_t) domain_use_interactive_fds(automount_t) +@@ -146,10 +148,6 @@ + userdom_dontaudit_search_sysadm_home_dirs(automount_t) + + optional_policy(` +- corecmd_exec_bin(automount_t) +-') +- +-optional_policy(` + bind_search_cache(automount_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.1/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2007-06-15 14:54:33.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/services/avahi.te 2007-06-27 10:05:15.000000000 -0400 
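Review bot: The inner hunk `@@ -146,10 +148,6 @@` deletes the `optional_policy(\` corecmd_exec_bin(automount_t) ')` block, but this hunk does not show the permission being granted anywhere else; the earlier inner hunk `@@ -69,6 +69,7 @@` adds one line whose text is not visible here. If that line is an unconditional `corecmd_exec_bin(automount_t)` (corecmd is core policy, so the optional_policy wrapper was never needed) this is a clean-up; if not, automount presumably loses the ability to run executable maps, which is a behaviour change the commit message should call out. Please confirm, and put a one-line reason next to wherever the grant now lives, e.g. `# program/executable maps run helpers from bin_t`. The automount_t block starts and ends outside this hunk.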
@@ -4214,7 +4234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/cups.te 2007-06-21 05:59:32.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/services/cups.te 2007-07-01 21:17:10.000000000 -0400 @@ -81,12 +81,11 @@ # /usr/lib/cups/backend/serial needs sys_admin(?!) allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; @@ -4229,7 +4249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -149,9 +148,11 @@ +@@ -149,14 +148,16 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -4241,6 +4261,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_rw_printer(cupsd_t) dev_read_urand(cupsd_t) + dev_read_sysfs(cupsd_t) +-dev_read_usbfs(cupsd_t) ++dev_rw_usbfs(cupsd_t) + dev_getattr_printer_dev(cupsd_t) + + domain_read_all_domains_state(cupsd_t) @@ -175,6 +176,7 @@ term_search_ptys(cupsd_t) 
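Review bot: `dev_rw_usbfs(cupsd_t)` widens cupsd from read to read/write on the whole usbfs tree, i.e. the endpoints of every USB device present, not just printers, and the hunk gives no reason. If the need is the usb backend driving printers through libusb on usbfs, say so in a comment, `# usb backend talks to printers via libusb on usbfs`, and check whether `dev_rw_printer(cupsd_t)` (already in this block) plus `dev_rw_generic_usb_dev` would suffice before granting rw on the shared pseudo-filesystem. cupsd_t already carries a wide capability set (`sys_admin dac_override ... fowner` in the earlier hunk on this line), so each added device access compounds the impact of a compromised backend. The cupsd_t rule block continues outside this hunk.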
@@ -4333,9 +4359,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') +@@ -558,7 +591,7 @@ + dev_read_urand(hplip_t) + dev_read_rand(hplip_t) + dev_rw_generic_usb_dev(hplip_t) +-dev_read_usbfs(hplip_t) ++dev_rw_usbfs(hplip_t) + + fs_getattr_all_fs(hplip_t) + fs_search_auto_mountpoints(hplip_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.1/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/cvs.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/services/cvs.te 2007-07-01 21:36:29.000000000 -0400 @@ -16,6 +16,7 @@ type cvs_t; type cvs_exec_t; @@ -4352,6 +4387,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) +@@ -80,6 +82,7 @@ + libs_use_shared_libs(cvs_t) + + logging_send_syslog_msg(cvs_t) ++logging_send_audit_msg(cvs_t) + + miscfiles_read_localization(cvs_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-06-15 14:54:33.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/services/dbus.if 2007-06-19 17:06:27.000000000 -0400 @@ -5438,7 +5481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_tcp_connect_portmap_port($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.1/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/nis.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/services/nis.te 2007-06-28 07:25:31.000000000 -0400 
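Review bot: `dev_rw_usbfs(hplip_t)` replaces a read-only grant with read/write on usbfs with no comment, and the line directly above already gives `dev_rw_generic_usb_dev(hplip_t)`, so hplip now has writable USB access through both /dev/bus/usb and the usbfs pseudo-filesystem. If libusb on this distribution still opens /proc/bus/usb, a one-line comment such as `# hp backend/hpiod drive printers via libusb on usbfs` records that, and the pair of grants can be revisited once usbfs is gone. The hplip_t block starts outside this hunk.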
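Review bot: `logging_send_audit_msg(cvs_t)` gives a network-facing pserver daemon the audit_write capability and a netlink audit socket with no comment explaining the trigger. If this is PAM authentication in pserver mode (pam_unix emitting login audit records), record that — `# pserver auth via PAM emits audit records` — and check whether the auth interface the domain already uses (not visible in this hunk) pulls this in, in which case the explicit grant is redundant. The cvs_t block continues outside this hunk.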
@@ -112,6 +112,14 @@ userdom_dontaudit_use_unpriv_user_fds(ypbind_t) userdom_dontaudit_search_sysadm_home_dirs(ypbind_t) @@ -5454,7 +5497,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. optional_policy(` seutil_sigchld_newrole(ypbind_t) ') -@@ -154,8 +162,8 @@ +@@ -125,6 +133,7 @@ + # yppasswdd local policy + # + ++allow yppasswdd_t self:capability dac_override; + dontaudit yppasswdd_t self:capability sys_tty_config; + allow yppasswdd_t self:fifo_file rw_fifo_file_perms; + allow yppasswdd_t self:process { setfscreate signal_perms }; +@@ -154,8 +163,8 @@ corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_all_nodes(yppasswdd_t) corenet_udp_bind_all_nodes(yppasswdd_t) @@ -5465,7 +5516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) corenet_sendrecv_generic_server_packets(yppasswdd_t) -@@ -244,6 +252,8 @@ +@@ -244,6 +253,8 @@ corenet_udp_bind_all_nodes(ypserv_t) corenet_tcp_bind_reserved_port(ypserv_t) corenet_udp_bind_reserved_port(ypserv_t) @@ -5474,7 +5525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) corenet_sendrecv_generic_server_packets(ypserv_t) -@@ -311,6 +321,8 @@ +@@ -311,6 +322,8 @@ corenet_udp_bind_all_nodes(ypxfr_t) corenet_tcp_bind_reserved_port(ypxfr_t) corenet_udp_bind_reserved_port(ypxfr_t) 
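Review bot: `allow yppasswdd_t self:capability dac_override;` is a blanket override of discretionary access checks for a daemon that listens on the network and rewrites /etc/passwd and /etc/shadow, and the hunk gives no reason. If the trigger is reading a mode-0000 /etc/shadow (the Fedora default), `dac_read_search` is the narrower capability and should be tried first; if writes through a passwd helper need the full override, say which path. Either way add a comment above the line, e.g. `# dac_override: /etc/shadow is mode 0000 on Fedora`, so the next audit does not have to rediscover it. The yppasswdd_t local policy block continues outside this hunk.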
@@ -6818,12 +6869,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.1/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/squid.te 2007-06-19 17:06:27.000000000 -0400 -@@ -179,3 +179,12 @@ - #squid requires the following when run in diskd mode, the recommended setting - allow squid_t tmpfs_t:file { read write }; - ') dnl end TODO -+ ++++ serefpolicy-3.0.1/policy/modules/services/squid.te 2007-07-01 21:13:36.000000000 -0400 +@@ -108,6 +108,8 @@ + + fs_getattr_all_fs(squid_t) + fs_search_auto_mountpoints(squid_t) ++#squid requires the following when run in diskd mode, the recommended setting ++fs_rw_tmpfs_files(squid_t) + + selinux_dontaudit_getattr_dir(squid_t) + +@@ -175,7 +177,11 @@ + udev_read_db(squid_t) + ') + +-ifdef(`TODO',` +-#squid requires the following when run in diskd mode, the recommended setting +-allow squid_t tmpfs_t:file { read write }; +-') dnl end TODO +optional_policy(` + apache_content_template(squid) + corenet_tcp_connect_http_cache_port(httpd_squid_script_t) @@ -8920,7 +8983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.1/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/mount.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/system/mount.te 2007-07-01 20:53:16.000000000 -0400 @@ -8,6 +8,13 @@ ## 
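Review bot: `fs_rw_tmpfs_files(squid_t)` carries over the old TODO rule's breadth — read/write on every tmpfs_t file, including other processes' /dev/shm objects — rather than only the shared-memory segments diskd creates, and the comment explains the diskd need but not why the grant stays this wide. If squid creates the segments itself, a private type with a tmpfs filetrans would confine it to its own objects; if the broad grant is deliberate, extend the comment to `# diskd uses SysV shared memory, which lives on the kernel-internal tmpfs; no private type yet`. The new `optional_policy(\`` block introducing httpd_squid_script_t ends outside this hunk, so its closing and any further rules for the cachemgr CGI are not reviewable here; since cachemgr.cgi is a web-exposed management interface, what else that domain may reach deserves a line of comment too.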
@@ -8971,7 +9034,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; allow mount_t self:netlink_route_socket r_netlink_socket_perms; -@@ -128,10 +138,15 @@ +@@ -52,6 +62,8 @@ + kernel_read_system_state(mount_t) + kernel_read_kernel_sysctls(mount_t) + kernel_dontaudit_getattr_core_if(mount_t) ++kernel_search_debugfs(mount_t) ++kernel_read_unlabeled_state(mount_t) + + dev_getattr_all_blk_files(mount_t) + dev_list_all_dev_nodes(mount_t) +@@ -102,6 +114,8 @@ + init_use_fds(mount_t) + init_use_script_ptys(mount_t) + init_dontaudit_getattr_initctl(mount_t) ++init_stream_connect_script(mount_t) ++init_rw_script_stream_sockets(mount_t) + + libs_use_ld_so(mount_t) + libs_use_shared_libs(mount_t) +@@ -128,10 +142,15 @@ ') ') @@ -8988,7 +9069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -201,4 +216,53 @@ +@@ -201,4 +220,53 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -9362,7 +9443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.1/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/udev.te 2007-06-27 08:08:02.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/system/udev.te 2007-06-28 07:26:24.000000000 -0400 @@ -68,8 +68,9 @@ allow udev_t udev_tbl_t:file manage_file_perms; dev_filetrans(udev_t,udev_tbl_t,file) @@ -9374,7 +9455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t kernel_read_system_state(udev_t) kernel_getattr_core_if(udev_t) -@@ -83,16 +84,22 @@ +@@ -83,16 +84,23 @@ kernel_dgram_send(udev_t) kernel_signal(udev_t) 
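Review bot: The four new mount_t grants — `kernel_search_debugfs`, `kernel_read_unlabeled_state`, `init_stream_connect_script`, `init_rw_script_stream_sockets` — carry no comments, and the two init ones are unusual: mount_t already has `init_use_fds(mount_t)` a few lines up, so connecting to and reading/writing initscript-owned unix stream sockets goes beyond an inherited descriptor and is more than a mount helper normally needs. If a specific denial drove it (mount spawned by an initscript with a socket on its stdio, presumably), say which, and consider a `dontaudit` if the access is incidental rather than functional. `kernel_read_unlabeled_state` likewise deserves a note on which unlabeled object mount touches. One comment per grant would do, e.g. `# mount -t debugfs` and `# initscript socket on stdio; see bug ...`. The mount_t block continues outside this hunk.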
@@ -9389,6 +9470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) +dev_search_usbfs_dirs(udev_t) ++dev_relabel_all_dev_nodes(udev_t) domain_read_all_domains_state(udev_t) domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these @@ -9397,7 +9479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t files_read_etc_runtime_files(udev_t) files_read_etc_files(udev_t) files_exec_etc_files(udev_t) -@@ -142,9 +149,16 @@ +@@ -142,9 +150,16 @@ seutil_read_file_contexts(udev_t) seutil_domtrans_setfiles(udev_t) @@ -9414,7 +9496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t userdom_dontaudit_search_all_users_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -178,6 +192,10 @@ +@@ -178,6 +193,10 @@ ') optional_policy(` @@ -9425,7 +9507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t hal_dgram_send(udev_t) ') -@@ -188,5 +206,24 @@ +@@ -188,5 +207,24 @@ ') optional_policy(`
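Review bot: `dev_relabel_all_dev_nodes(udev_t)` gives udev relabelfrom/relabelto over every device-node type with no comment, and the same block still has `seutil_domtrans_setfiles(udev_t)`, so udev now has two routes to label /dev entries. If udev has moved to labeling nodes itself via libselinux (the usual reason for this interface), note that — `# udev labels the nodes it creates via matchpathcon` — and check whether the setfiles transition is still exercised; keeping both widens the domain for no benefit. Relabel rights on all device nodes mean a compromised udev could move, say, a disk node under a less restrictive type, so the grant should be documented even if it is required. The udev_t block continues outside this hunk.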