From 370d04ed3cc7d486daf346e63120a225933a007b Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Wed, 25 Aug 2010 09:45:26 -0400 Subject: [PATCH] - Allow seunshare to fowner --- policy-F14.patch | 105 ++++++++++++++++++++++++++++---------------- selinux-policy.spec | 5 ++- 2 files changed, 70 insertions(+), 40 deletions(-) diff --git a/policy-F14.patch b/policy-F14.patch index 7b7cb6ed..4a1f485a 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -6211,8 +6211,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-08-23 08:34:27.000000000 -0400 -@@ -0,0 +1,333 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-08-25 09:14:51.000000000 -0400 +@@ -0,0 +1,334 @@ + +## policy for sandbox + @@ -6250,6 +6250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + allow $1 sandbox_x_domain:process { signal_perms transition }; + dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; + allow sandbox_x_domain $1:process { sigchld signull }; ++ dontaudit sandbox_domain $1:process signal; + role $2 types sandbox_x_domain; + role $2 types sandbox_xserver_t; + allow $1 sandbox_xserver_t:process signal_perms; 
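Review bot: The new `dontaudit sandbox_domain $1:process signal;` line names the `sandbox_domain` attribute while every adjacent rule in this interface is written against `sandbox_x_domain`, so the scope of the silenced denial is wider than the rules around it suggest. If that is intended (the X sandbox domains presumably also carry `sandbox_domain`), a short comment such as `# all sandbox domains, not only the X ones, may signal the caller` would make the asymmetry deliberate; if not, `sandbox_x_domain` would match the rest of the block. The interface's `gen_require` block sits outside this hunk, so confirm `attribute sandbox_domain` is listed there. The enclosing interface starts before the hunk.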
@@ -7007,7 +7008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-11 08:01:44.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-25 09:09:14.000000000 -0400 @@ -5,40 +5,45 @@ # Declarations # @@ -7022,7 +7023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar # # seunshare local policy # -+allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice }; ++allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setsched }; -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; @@ -7283,8 +7284,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te --- nsaserefpolicy/policy/modules/apps/telepathy.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-19 05:59:57.000000000 -0400 -@@ -0,0 +1,311 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-25 09:41:04.000000000 -0400 +@@ -0,0 +1,313 @@ + +policy_module(telepathy, 1.0.0) + 
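Review bot: `fowner` is added to the `seunshare_domain self:capability` set with no comment recording which seunshare operation needs it, and the surrounding set (`setuid dac_override setpcap sys_admin`) already bypasses most discretionary checks, so the grant deserves a justification in the policy itself, not only in the commit subject. Because `seunshare_domain` appears to be an attribute rather than a single type, every domain that carries it receives the capability. Suggest a preceding line like `# fowner: seunshare changes mode/attributes of files it does not own (confirm exact call from the AVC)`. The enclosing seunshare.te body continues outside the hunk.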
@@ -7335,9 +7336,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath + +manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) ++manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file}) -+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file}) ++userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file}) ++userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) + +corenet_sendrecv_http_client_packets(telepathy_msn_t) +corenet_sendrecv_msnp_client_packets(telepathy_msn_t) @@ -10143,7 +10146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.8.8/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-08-19 06:52:30.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-08-24 23:01:42.000000000 -0400 @@ -8,25 +8,60 @@ role staff_r; @@ -10158,10 +10161,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t # Local policy # -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) ++kernel_read_ring_buffer(staff_usertype) ++kernel_getattr_core_if(staff_usertype) ++kernel_getattr_message_if(staff_usertype) ++kernel_read_software_raid_state(staff_usertype) + +auth_domtrans_pam_console(staff_t) + 
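Review bot: `sock_file` is added to `userdom_user_tmp_filetrans` and `manage_sock_files_pattern` is granted on `telepathy_msn_tmp_t`, but the `files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})` line directly above is left unchanged, so a socket created in the generic /tmp directory would not be relabeled to `telepathy_msn_tmp_t`. If telepathy-msn only ever creates its socket under the user tmp location this is harmless; otherwise the first filetrans needs `{ dir file sock_file }` as well. The `userdom_dontaudit_setattr_user_tmp` call relies on the interface rename later in this commit, so the two hunks cannot be applied independently.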
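Review bot: Moving the four `kernel_*` rules from `staff_t` to `staff_usertype` extends read access to the kernel ring buffer, the core and message interfaces and software-RAID state to every domain carrying that attribute, not just the staff login shell; the ring buffer in particular can expose kernel addresses and hardware details, which is why refpolicy normally grants it per domain. If a single derived domain triggered the denial, granting it to that type would be narrower than the attribute. Either way a one-line comment, for example `# staff_usertype: derived staff domains also need dmesg/raid state (see AVC)`, would record why the attribute was chosen. The staff.te body continues outside the hunk.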
@@ -21138,7 +21141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.8.8/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nut.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/nut.te 2010-08-25 09:16:11.000000000 -0400 @@ -41,7 +41,7 @@ manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) @@ -21148,7 +21151,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. kernel_read_kernel_sysctls(nut_upsd_t) -@@ -103,6 +103,10 @@ +@@ -65,6 +65,7 @@ + allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; + allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; + allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; + allow nut_upsmon_t self:tcp_socket create_socket_perms; + + read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) +@@ -103,6 +104,10 @@ mta_send_mail(nut_upsmon_t) 
@@ -22382,8 +22393,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.8.8/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/postfix.if 2010-07-30 14:06:53.000000000 -0400 -@@ -376,6 +376,25 @@ ++++ serefpolicy-3.8.8/policy/modules/services/postfix.if 2010-08-25 09:35:31.000000000 -0400 +@@ -77,6 +77,7 @@ + + files_read_etc_files(postfix_$1_t) + files_read_etc_runtime_files(postfix_$1_t) ++ files_read_usr_files(postfix_$1_t) + files_read_usr_symlinks(postfix_$1_t) + files_search_spool(postfix_$1_t) + files_getattr_tmp_dirs(postfix_$1_t) +@@ -376,6 +377,25 @@ domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') @@ -22409,7 +22428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Execute the master postfix program in the -@@ -529,6 +548,25 @@ +@@ -529,6 +549,25 @@ ######################################## ## @@ -22435,7 +22454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Search postfix mail spool directories. ## ## -@@ -539,10 +577,10 @@ +@@ -539,10 +578,10 @@ # interface(`postfix_search_spool',` gen_require(` @@ -22448,7 +22467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -558,10 +596,10 @@ +@@ -558,10 +597,10 @@ # interface(`postfix_list_spool',` gen_require(` @@ -22461,7 +22480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -577,11 +615,11 @@ +@@ -577,11 +616,11 @@ # interface(`postfix_read_spool_files',` gen_require(` 
@@ -22475,7 +22494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -596,11 +634,11 @@ +@@ -596,11 +635,11 @@ # interface(`postfix_manage_spool_files',` gen_require(` @@ -22489,7 +22508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -621,3 +659,101 @@ +@@ -621,3 +660,101 @@ typeattribute $1 postfix_user_domtrans; ') @@ -22593,7 +22612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-08-23 14:01:01.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-08-25 09:35:15.000000000 -0400 @@ -5,6 +5,15 @@ # Declarations # @@ -30372,7 +30391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.8/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-08-25 07:50:48.000000000 -0400 @@ -105,7 +105,11 @@ role system_r types $1; 
@@ -35089,7 +35108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.8/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-07-30 14:45:35.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-08-25 07:51:06.000000000 -0400 @@ -5,6 +5,13 @@ # Declarations # @@ -35150,7 +35169,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -155,6 +173,10 @@ +@@ -130,6 +148,7 @@ + term_dontaudit_use_generic_ptys(dhcpc_t) + + init_rw_utmp(dhcpc_t) ++init_stream_connect(dhcpc_t) + + logging_send_syslog_msg(dhcpc_t) + +@@ -155,6 +174,10 @@ ') optional_policy(` @@ -35161,7 +35188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -171,6 +193,8 @@ +@@ -171,6 +194,8 @@ optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -35170,7 +35197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -192,6 +216,13 @@ +@@ -192,6 +217,13 @@ ') optional_policy(` @@ -35184,7 +35211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet nis_read_ypbind_pid(dhcpc_t) ') -@@ -213,6 +244,7 @@ +@@ -213,6 +245,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -35192,7 +35219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -276,8 +308,11 @@ +@@ -276,8 +309,11 @@ domain_use_interactive_fds(ifconfig_t) 
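Review bot: `init_stream_connect(dhcpc_t)` lets the DHCP client, a daemon that parses untrusted network input, connect to init's unix stream sockets, which on systems where that socket is init's control channel is a noteworthy privilege path that the hunk does not explain. If the need comes from a hook script (for instance a dhclient-script action that restarts a service), running that helper in its own domain or using a narrower interface would keep `dhcpc_t` itself from holding the access. At minimum record the trigger next to the line, e.g. `# init_stream_connect: needed by <hook/operation — confirm from AVC>`. The sysnetwork.te dhcpc block continues outside this hunk.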
@@ -35204,7 +35231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -305,6 +340,8 @@ +@@ -305,6 +341,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -35213,7 +35240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -314,6 +351,10 @@ +@@ -314,6 +352,10 @@ ') ') @@ -35224,7 +35251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ifdef(`hide_broken_symptoms',` optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) -@@ -327,6 +368,8 @@ +@@ -327,6 +369,8 @@ optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) @@ -35233,7 +35260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -334,6 +377,10 @@ +@@ -334,6 +378,10 @@ ') optional_policy(` @@ -35244,7 +35271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet nis_use_ypbind(ifconfig_t) ') -@@ -355,3 +402,9 @@ +@@ -355,3 +403,9 @@ xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -36150,7 +36177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-19 07:42:28.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-25 09:41:50.000000000 -0400 @@ -30,8 +30,9 @@ ') 
@@ -38391,7 +38418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## -+## Dontaudit search user temporary directories. ++## Dontaudit attempt to set attributes on user temporary directories. +## +## +## @@ -38399,12 +38426,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_dontaduit_search_user_tmp',` ++interface(`userdom_dontaudit_setattr_user_tmp',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:dir search_dir_perms; ++ dontaudit $1 user_tmp_t:dir setattr; +') + +######################################## diff --git a/selinux-policy.spec b/selinux-policy.spec index e4dedb87..cfdf87e2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.8.8 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Tue Aug 24 2010 Dan Walsh 3.8.8-21 +- Allow seunshare to fowner + * Tue Aug 24 2010 Dan Walsh 3.8.8-20 - Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t
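Review bot: The interface `userdom_dontaduit_search_user_tmp` (misspelled name, `search_dir_perms`) is replaced in place by `userdom_dontaudit_setattr_user_tmp` (`setattr`) instead of being kept alongside the new one, so any module still calling the old name fails to build and the search dontaudit is silently dropped. If nothing references the old interface the rename is fine, but that should be confirmed across the rest of policy-F14.patch; the telepathy hunk earlier in this commit is the only visible caller of the new name. The summary text and the rule now agree, which is good; the `<param>` block between them is outside what this hunk shows.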