From 59475c25246ce6072caf0f375f94a7bdbefa1ba4 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 27 Aug 2010 08:58:04 -0400
Subject: [PATCH] - Merge with upstream

---
 policy-F14.patch | 124 ++++++++++++++++++++++++++---------------------
 1 file changed, 69 insertions(+), 55 deletions(-)

diff --git a/policy-F14.patch b/policy-F14.patch
index 437c188c..5df91144 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -7091,7 +7091,7 @@ index 3b2da10..7eed11d 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index cac0c64..9223f7d 100644
+index cac0c64..d0aaa1c 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -461,6 +461,24 @@ interface(`dev_getattr_generic_chr_files',`
@@ -7287,7 +7287,32 @@ index cac0c64..9223f7d 100644
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3851,6 +3995,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3682,6 +3826,24 @@ interface(`dev_rw_sysfs',`
+ 
+ ########################################
+ ## <summary>
++##	Allow caller to modify hardware state information.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_manage_sysfs_dirs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	manage_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
+ ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
+ ## </summary>
+ ## <desc>
+@@ -3851,6 +4013,24 @@ interface(`dev_read_usbmon_dev',`
  
  ########################################
  ## <summary>
@@ -7312,7 +7337,7 @@ index cac0c64..9223f7d 100644
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4161,11 +4323,10 @@ interface(`dev_write_video_dev',`
+@@ -4161,11 +4341,10 @@ interface(`dev_write_video_dev',`
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -14184,7 +14209,7 @@ index 1cf6c4e..90c60df 100644
 -/var/lib/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_lib_t, s0)
 -/var/log/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_log_t, s0)
 diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 293e08d..a57fe37 100644
+index 293e08d..1bdfe84 100644
 --- a/policy/modules/services/cobbler.if
 +++ b/policy/modules/services/cobbler.if
 @@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
@@ -14260,7 +14285,7 @@ index 293e08d..a57fe37 100644
  	files_search_var_lib($1)
  ')
  
-@@ -137,12 +140,51 @@ interface(`cobbler_manage_lib_files',`
+@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
  		type cobbler_var_lib_t;
  	')
  
@@ -14272,24 +14297,6 @@ index 293e08d..a57fe37 100644
  
  ########################################
  ## <summary>
-+##	dontaudit read and write Cobbler log files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`cobbler_dontaudit_rw_log',`
-+	gen_require(`
-+		type cobbler_var_log_t;
-+	')
-+
-+	dontaudit $1 cobbler_var_log_t:file rw_inherited_files_perms;
-+')
-+
-+########################################
-+## <summary>
 +##	Do not audit attempts to read and write
 +##	Cobbler log files (leaked fd).
 +## </summary>
@@ -14312,7 +14319,7 @@ index 293e08d..a57fe37 100644
  ##	All of the rules required to administrate
  ##	an cobblerd environment
  ## </summary>
-@@ -162,6 +204,9 @@ interface(`cobblerd_admin',`
+@@ -162,6 +186,9 @@ interface(`cobblerd_admin',`
  	gen_require(`
  		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
  		type cobbler_etc_t, cobblerd_initrc_exec_t;
@@ -14322,7 +14329,7 @@ index 293e08d..a57fe37 100644
  	')
  
  	allow $1 cobblerd_t:process { ptrace signal_perms getattr };
-@@ -176,10 +221,18 @@ interface(`cobblerd_admin',`
+@@ -176,10 +203,18 @@ interface(`cobblerd_admin',`
  	logging_search_logs($1)
  	admin_pattern($1, cobbler_var_log_t)
  
@@ -28994,7 +29001,7 @@ index f6aafe7..7da8294 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index bd45076..cd266c0 100644
+index bd45076..a1b6d56 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -29108,7 +29115,7 @@ index bd45076..cd266c0 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,73 @@ tunable_policy(`init_upstart',`
+@@ -185,15 +216,80 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -29116,7 +29123,7 @@ index bd45076..cd266c0 100644
 +modutils_domtrans_insmod(init_t)
 +
 +tunable_policy(`init_systemd',`
-+	allow init_t self:unix_dgram_socket create_socket_perms;
++	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 +	allow init_t self:process { setsockcreate setfscreate };
 +	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +	allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -29135,6 +29142,7 @@ index bd45076..cd266c0 100644
 +	dev_read_generic_chr_files(init_t)
 +	dev_relabelfrom_generic_chr_files(init_t)
 +	dev_relabel_autofs_dev(init_t)
++	dev_manage_sysfs_dirs(init_t)
 +
 +	files_mounton_all_mountpoints(init_t)
 +	files_manage_all_pids_dirs(init_t)
@@ -29145,16 +29153,22 @@ index bd45076..cd266c0 100644
 +	fs_list_auto_mountpoints(init_t)
 +	fs_read_cgroup_files(init_t)
 +	fs_write_cgroup_files(init_t)
++	fs_search_cgroup_dirs(daemon)
 +
 +	selinux_compute_create_context(init_t)
 +	selinux_validate_context(init_t)
 +	selinux_unmount_fs(init_t)
 +
++	storage_getattr_removable_dev(init_t)
++
 +	init_read_script_state(init_t)
 +
 +	seutil_read_file_contexts(init_t)
 +
-+	storage_getattr_removable_dev(init_t)
++	optional_policy(`
++		plymouthd_stream_connect(init_t)
++		plymouthd_exec_plymouth(init_t)
++	')
 +')
 +
  optional_policy(`
@@ -29182,7 +29196,7 @@ index bd45076..cd266c0 100644
  	nscd_socket_use(init_t)
  ')
  
-@@ -202,6 +291,10 @@ optional_policy(`
+@@ -202,6 +298,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29193,7 +29207,7 @@ index bd45076..cd266c0 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -211,7 +304,7 @@ optional_policy(`
+@@ -211,7 +311,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29202,7 +29216,7 @@ index bd45076..cd266c0 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -240,6 +333,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -240,6 +340,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29210,7 +29224,7 @@ index bd45076..cd266c0 100644
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +351,22 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -257,11 +358,22 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -29233,7 +29247,7 @@ index bd45076..cd266c0 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -297,11 +402,13 @@ dev_manage_generic_files(initrc_t)
+@@ -297,11 +409,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -29247,7 +29261,7 @@ index bd45076..cd266c0 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -320,8 +427,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -320,8 +434,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -29259,7 +29273,7 @@ index bd45076..cd266c0 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -337,8 +446,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -337,8 +453,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -29273,7 +29287,7 @@ index bd45076..cd266c0 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -348,6 +461,8 @@ fs_mount_all_fs(initrc_t)
+@@ -348,6 +468,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -29282,7 +29296,7 @@ index bd45076..cd266c0 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -360,6 +475,7 @@ mls_process_read_up(initrc_t)
+@@ -360,6 +482,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -29290,7 +29304,7 @@ index bd45076..cd266c0 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,13 +507,14 @@ logging_read_audit_config(initrc_t)
+@@ -391,13 +514,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -29306,7 +29320,7 @@ index bd45076..cd266c0 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -470,7 +587,7 @@ ifdef(`distro_redhat',`
+@@ -470,7 +594,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -29315,7 +29329,7 @@ index bd45076..cd266c0 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -516,6 +633,19 @@ ifdef(`distro_redhat',`
+@@ -516,6 +640,19 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -29335,7 +29349,7 @@ index bd45076..cd266c0 100644
  	')
  
  	optional_policy(`
-@@ -523,10 +653,17 @@ ifdef(`distro_redhat',`
+@@ -523,10 +660,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -29353,7 +29367,7 @@ index bd45076..cd266c0 100644
  	')
  
  	optional_policy(`
-@@ -541,6 +678,35 @@ ifdef(`distro_suse',`
+@@ -541,6 +685,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -29389,7 +29403,7 @@ index bd45076..cd266c0 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -553,6 +719,8 @@ optional_policy(`
+@@ -553,6 +726,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -29398,7 +29412,7 @@ index bd45076..cd266c0 100644
  ')
  
  optional_policy(`
-@@ -569,6 +737,7 @@ optional_policy(`
+@@ -569,6 +744,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -29406,7 +29420,7 @@ index bd45076..cd266c0 100644
  ')
  
  optional_policy(`
-@@ -581,6 +750,11 @@ optional_policy(`
+@@ -581,6 +757,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29418,7 +29432,7 @@ index bd45076..cd266c0 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -597,6 +771,7 @@ optional_policy(`
+@@ -597,6 +778,7 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -29426,7 +29440,7 @@ index bd45076..cd266c0 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -698,7 +873,12 @@ optional_policy(`
+@@ -698,7 +880,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29439,7 +29453,7 @@ index bd45076..cd266c0 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -721,6 +901,10 @@ optional_policy(`
+@@ -721,6 +908,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29450,7 +29464,7 @@ index bd45076..cd266c0 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -742,6 +926,10 @@ optional_policy(`
+@@ -742,6 +933,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29461,7 +29475,7 @@ index bd45076..cd266c0 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -763,8 +951,6 @@ optional_policy(`
+@@ -763,8 +958,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -29470,7 +29484,7 @@ index bd45076..cd266c0 100644
  ')
  
  optional_policy(`
-@@ -773,14 +959,21 @@ optional_policy(`
+@@ -773,14 +966,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29492,7 +29506,7 @@ index bd45076..cd266c0 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -802,11 +995,19 @@ optional_policy(`
+@@ -802,11 +1002,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29513,7 +29527,7 @@ index bd45076..cd266c0 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -816,6 +1017,25 @@ optional_policy(`
+@@ -816,6 +1024,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29539,7 +29553,7 @@ index bd45076..cd266c0 100644
  ')
  
  optional_policy(`
-@@ -841,3 +1061,55 @@ optional_policy(`
+@@ -841,3 +1068,55 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')