From 41617c099b2a6063ac3cfad57f9db34d0fa8158b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 12 Mar 2008 12:35:06 +0000 Subject: [PATCH] - Change init_t to an unconfined_domain --- policy-20071130.patch | 68 +++++++++++++++++++++++++------------------ 1 file changed, 40 insertions(+), 28 deletions(-) diff --git a/policy-20071130.patch b/policy-20071130.patch index 3e044fca..150e48e9 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -3316,7 +3316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.3.1/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/gpg.if 2008-02-29 17:00:38.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/gpg.if 2008-03-12 08:31:43.000000000 -0400 @@ -38,6 +38,10 @@ gen_require(` type gpg_exec_t, gpg_helper_exec_t; @@ -3328,7 +3328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ######################################## -@@ -45,275 +49,59 @@ +@@ -45,275 +49,61 @@ # Declarations # @@ -3519,6 +3519,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s + dontaudit gpg_t $2:udp_socket rw_socket_perms; + dontaudit gpg_helper_t $2:tcp_socket rw_socket_perms; + dontaudit gpg_helper_t $2:udp_socket rw_socket_perms; ++ #Leaked File Descriptors ++ dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms; - # allow gpg to connect to the gpg agent - stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t) 
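Review bot: The new `#Leaked File Descriptors` comment in the gpg.if hunk is placed below the three existing `dontaudit gpg_t`/`dontaudit gpg_helper_t` tcp/udp lines, so it reads as describing only the added unix_stream_socket rule although all four lines suppress the same class of inherited-descriptor denials; moving the comment above the first dontaudit of the group would document the whole group. The added rule names gpg_helper_t only; if gpg_t can inherit the same unix stream sockets from $2, a matching `dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;` is probably wanted, otherwise those denials keep being audited while the tcp/udp ones are not. Since dontaudit removes the audit record without granting access, the descriptors stay unusable by the domain; it may help to say so in the comment so a later reader does not mistake the block for an allow. The enclosing interface body starts and ends outside the hunk.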
@@ -5076,8 +5078,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-10 14:36:14.000000000 -0400 -@@ -0,0 +1,344 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-12 08:30:42.000000000 -0400 +@@ -0,0 +1,347 @@ + +## policy for nsplugin + @@ -5239,10 +5241,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + can_exec($2, nsplugin_rw_t) + -+ allow nsplugin_t $2:udp_socket { read write }; -+ allow nsplugin_t $2:tcp_socket { read write }; ++ #Leaked File Descriptors ++ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:udp_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms; + allow nsplugin_t $2:unix_stream_socket connectto; + dontaudit nsplugin_t $2:process ptrace; ++ + allow nsplugin_t $1_tmpfs_t:file { read getattr }; + + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; @@ -26321,7 +26326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-11 18:57:27.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-12 08:33:31.000000000 -0400 @@ -10,6 +10,20 @@ # Declarations # 
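Review bot: The `#Leaked File Descriptors` comment above the three new dontaudit lines in the nsplugin.if hunk does not record that they replace the two `allow nsplugin_t $2:udp_socket { read write };`/`tcp_socket` rules, i.e. that nsplugin_t loses read/write on the user domain's inherited tcp/udp sockets and the resulting denials are merely no longer logged; a comment such as `# Inherited user sockets: deny use silently instead of allowing it` would make the tightening visible to the next reader. The adjacent `allow nsplugin_t $2:unix_stream_socket connectto;` now sits directly under `dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;`, which is correct but easy to misread; noting that connectto is deliberately granted while read/write on inherited streams is not would avoid a future "fix" that widens it. The enclosing interface body starts and ends outside the hunk.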
@@ -26414,7 +26419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -163,22 +194,25 @@ +@@ -163,14 +194,16 @@ fs_tmpfs_filetrans(init_t,initctl_t,fifo_file) ') @@ -26436,18 +26441,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` - nscd_socket_use(init_t) +@@ -181,13 +214,18 @@ + unconfined_domain(init_t) ') --optional_policy(` -- unconfined_domain(init_t) +ifndef(`distro_ubuntu',` + corecmd_shell_domtrans(init_t,initrc_t) + corecmd_shell_entry_type(initrc_t) - ') - ++') ++ ######################################## -@@ -187,7 +221,7 @@ + # + # Init script local policy # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -26456,7 +26461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; -@@ -201,10 +235,9 @@ +@@ -201,10 +239,9 @@ allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) @@ -26469,7 +26474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) -@@ -257,7 +290,7 @@ +@@ -257,7 +294,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) @@ -26478,7 +26483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -283,7 +316,6 @@ +@@ -283,7 +320,6 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) 
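Review bot: Dropping the `--optional_policy(`/`-- unconfined_domain(init_t)` deletions, so that the upstream `optional_policy(` unconfined_domain(init_t) ')` block stays in init.te, exempts init_t from type enforcement whenever the unconfined module is loaded, and nothing in the policy file records why the earlier removal was undone. The commit subject gives the intent, but a reader of init.te sees only the refpolicy block; a comment above it such as `# init_t is unconfined while the unconfined module is loaded; confinement of init returns when that module is not installed` would make the trade-off and the way back visible. The new inner hunk `@@ -181,13 +214,18 @@` begins before the outer context shown here, so the rest of init_t's local policy and the `ifndef(`distro_ubuntu',` block's surroundings are outside this hunk.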
@@ -26486,7 +26491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -496,6 +528,31 @@ +@@ -496,6 +532,31 @@ ') ') @@ -26518,7 +26523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -559,14 +616,6 @@ +@@ -559,14 +620,6 @@ ') optional_policy(` @@ -26533,7 +26538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ftp_read_config(initrc_t) ') -@@ -639,12 +688,6 @@ +@@ -639,12 +692,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -26546,7 +26551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -705,6 +748,9 @@ +@@ -705,6 +752,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -26556,7 +26561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -717,9 +763,11 @@ +@@ -717,9 +767,11 @@ squid_manage_logs(initrc_t) ') @@ -26571,7 +26576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -738,6 +786,11 @@ +@@ -738,6 +790,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -26583,7 +26588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` unconfined_domain(initrc_t) -@@ -752,6 +805,10 @@ +@@ -752,6 +809,10 @@ ') optional_policy(` @@ -26594,7 +26599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -774,3 +831,4 @@ +@@ -774,3 +835,4 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -27160,7 +27165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/lvm.fc 2008-03-11 18:59:24.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/lvm.fc 2008-03-12 07:01:13.000000000 -0400 @@ -55,6 +55,7 @@ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -27169,6 +27174,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) +@@ -97,3 +98,4 @@ + /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) + /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) + /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) ++/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-03-11 19:04:42.000000000 -0400 
@@ -29611,7 +29621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-09 08:38:37.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-12 08:26:37.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -31962,7 +31972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6074,368 @@ +@@ -5704,3 +6074,370 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -32331,6 +32341,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ') +') ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/userdomain.te 2008-02-26 08:29:22.000000000 -0500