From 673eaaeafbab6dc03d0e599f794e4f90a5571fb2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 20 Dec 2007 21:26:31 +0000 Subject: [PATCH] - Run rpm in system_r --- policy-20071130.patch | 150 ++++++++++++++++++++++++++++++------------ selinux-policy.spec | 8 ++- 2 files changed, 116 insertions(+), 42 deletions(-) diff --git a/policy-20071130.patch b/policy-20071130.patch index 8dc90d82..33a064cb 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -206,7 +206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.5/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/admin/alsa.te 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/admin/alsa.te 2007-12-20 08:55:02.000000000 -0500 @@ -8,12 +8,15 @@ type alsa_t; @@ -224,7 +224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te ######################################## # # Local policy -@@ -30,11 +33,18 @@ +@@ -30,14 +33,23 @@ manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t) files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) @@ -243,7 +243,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te files_search_home(alsa_t) files_read_etc_files(alsa_t) -@@ -48,10 +58,7 @@ ++auth_use_nsswitch(alsa_t) ++ + libs_use_ld_so(alsa_t) + libs_use_shared_libs(alsa_t) + +@@ -48,10 +60,7 @@ userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_generic_user_home_dirs(alsa_t) 
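Review bot: The new `++auth_use_nsswitch(alsa_t)` in the alsa.te hunk (`@@ -243,7 +243,12 @@`) widens the alsa_t domain with no comment saying which denial it resolves, so a later reader cannot judge whether the grant is still needed. As I read refpolicy's authlogin module, that interface hands out more than reading the local passwd/group files (name-service client access as well), so the widening deserves a one-line justification above the call, e.g. `# alsa resolves user/group names through NSS (denial: <AVC-SUMMARY placeholder>)`. The alsa_t policy block this is inserted into continues outside the hunk.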
@@ -920,7 +925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2007-12-20 08:55:42.000000000 -0500 @@ -152,6 +152,24 @@ ######################################## @@ -1002,7 +1007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -289,3 +346,111 @@ +@@ -289,3 +346,137 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1114,6 +1119,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t) +') + ++######################################## ++## ++## Transition to system_r when execute an init script ++## ++## ++##

++## Execute rpm script in a specified role ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##
++## ++## ++## Role to transition from. ++## ++## ++interface(`rpm_role_transition',` ++ gen_require(` ++ type rpm_t; ++ ') ++ ++ role_transition $1 rpm_t system_r; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.5/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/admin/rpm.te 2007-12-19 05:38:08.000000000 -0500 @@ -3699,7 +3730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.5/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2007-12-20 16:15:45.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## @@ -5138,7 +5169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/cron.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/cron.if 2007-12-20 14:02:12.000000000 -0500 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` 
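Review bot: `role_transition $1 rpm_t system_r;` in the new rpm_role_transition interface names the rpm domain type, but role_transition's second operand is the type of the file being executed, so as written the rule only fires for an executable labelled rpm_t, which no file carries; the commit's stated effect (rpm running in system_r) would then not happen and rpm would keep running in the caller's role. The init interface this is modelled on transitions on the init script's executable type, so the require should be `type rpm_exec_t;` and the rule `role_transition $1 rpm_exec_t system_r;`, with callers still needing `allow $1 system_r;` (unconfined.te already carries that). The XML summary ("Transition to system_r when execute an init script") and the paragraph about domains not owned by this module are copied from init_script_role_transition and describe the wrong interface; suggest `## Transition to system_r when executing rpm.` and dropping the copied paragraph. The rpm.if hunk starts in an earlier line of this patch and the rpm.te hunk that follows is only a timestamp change.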
@@ -5388,6 +5419,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## Read, and write cron daemon TCP sockets. ## ## +@@ -583,3 +495,23 @@ + + dontaudit $1 system_crond_tmp_t:file append; + ') ++ ++ ++######################################## ++## ++## Read temporary files from the system cron jobs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_read_system_job_lib_files',` ++ gen_require(` ++ type system_crond_var_lib_t; ++ ') ++ ++ ++ read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.5/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/cron.te 2007-12-19 05:38:09.000000000 -0500 @@ -6698,7 +6753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.5/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/hal.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/hal.te 2007-12-20 14:02:58.000000000 -0500 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
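Review bot: The summary of the new `cron_read_system_job_lib_files` interface says "Read temporary files from the system cron jobs.", but the body grants read on system_crond_var_lib_t, which the cron.fc hunk earlier in this patch applies to `/var/lib/misc(/.*)?`, not to temporary files; suggest `## Read the system cron jobs' /var/lib files (system_crond_var_lib_t).` so callers such as the hal.te change know what they are being given. The interface also carries two stray blank `++` lines after the preceding `')` and a doubled blank line before `read_files_pattern`, which the neighbouring interfaces in this file do not have.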
@@ -6782,11 +6837,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) -@@ -391,3 +412,4 @@ +@@ -391,3 +412,7 @@ libs_use_shared_libs(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) + ++# This is caused by a bug in hald and PolicyKit. ++# Should be removed when this is fixed ++cron_read_system_job_lib_files(hald_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.5/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/inetd.te 2007-12-19 05:38:09.000000000 -0500 @@ -11742,7 +11800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.5/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/fstools.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/fstools.te 2007-12-20 16:16:24.000000000 -0500 @@ -109,8 +109,7 @@ term_use_console(fsadm_t) @@ -11753,7 +11811,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool #RedHat bug #201164 corecmd_exec_shell(fsadm_t) -@@ -183,4 +182,5 @@ +@@ -132,6 +131,8 @@ + # Access to /initrd devices + files_rw_isid_type_dirs(fsadm_t) + files_rw_isid_type_blk_files(fsadm_t) ++files_read_isid_type_files(fsadm_t) ++ + # Recreate /mnt/cdrom. + files_manage_mnt_dirs(fsadm_t) + # for tune2fs +@@ -183,4 +184,5 @@ optional_policy(` xen_append_log(fsadm_t) 
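Review bot: The workaround comment `# This is caused by a bug in hald and PolicyKit.` / `# Should be removed when this is fixed` above the new `cron_read_system_job_lib_files(hald_t)` does not identify the bug, so nobody can later tell when "fixed" has happened and the extra read access to system_crond_var_lib_t (/var/lib/misc per the cron.fc hunk in this patch) will outlive its reason. Suggest `# Workaround: hald/PolicyKit read /var/lib/misc (system_crond_var_lib_t); see bug <TRACKER-ID placeholder>.` followed by `# Remove once that bug is fixed.` with the real tracker number filled in. The hald_t policy block this is appended to continues outside the hunk.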
@@ -11811,7 +11878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.5/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/system/init.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/init.if 2007-12-20 08:48:00.000000000 -0500 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') @@ -14034,8 +14101,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2007-12-19 16:35:02.000000000 -0500 -@@ -9,32 +9,48 @@ ++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2007-12-20 09:13:54.000000000 -0500 +@@ -9,32 +9,49 @@ # usage in this module of types created by these # calls is not correct, however we dont currently # have another method to add access to these types @@ -14054,6 +14121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +allow system_r unconfined_r; +allow unconfined_r system_r; +init_script_role_transition(unconfined_r) ++rpm_role_transition(unconfined_r) type unconfined_execmem_t; type unconfined_execmem_exec_t; 
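Review bot: `++rpm_role_transition(unconfined_r)` in the unconfined.te hunk (`@@ -14054,6 +14121,7 @@`) is added at file scope next to `init_script_role_transition(unconfined_r)`, whereas the other module-specific calls in this file sit inside optional_policy blocks (several are visible in the following hunks). If rpm is built as an optional module, the interface's gen_require of the rpm type makes the unconfined module fail to link whenever rpm is absent; wrapping this one call in its own optional_policy(...) block keeps unconfined loadable on its own. The role allows the transition depends on (`allow unconfined_r system_r;`) are already present as context, so nothing else is needed. The block being edited continues outside the hunk after `type unconfined_execmem_exec_t;`.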
@@ -14088,7 +14156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,7 +58,10 @@ +@@ -42,7 +59,10 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -14099,7 +14167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -51,13 +70,13 @@ +@@ -51,13 +71,13 @@ userdom_priveleged_home_dir_manager(unconfined_t) optional_policy(` @@ -14115,7 +14183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf unconfined_domain(httpd_unconfined_script_t) ') -@@ -69,11 +88,11 @@ +@@ -69,11 +89,11 @@ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') @@ -14132,7 +14200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` init_dbus_chat_script(unconfined_t) -@@ -107,6 +126,10 @@ +@@ -107,6 +127,10 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -14143,7 +14211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +141,7 @@ +@@ -118,11 +142,7 @@ ') optional_policy(` @@ -14156,7 +14224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,14 +153,6 @@ +@@ -134,14 +154,6 @@ ') optional_policy(` @@ -14171,7 +14239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,33 +165,20 @@ +@@ -154,33 +166,20 @@ ') optional_policy(` 
@@ -14209,7 +14277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +203,30 @@ +@@ -205,11 +204,30 @@ ') optional_policy(` @@ -14242,34 +14310,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +236,36 @@ +@@ -219,14 +237,32 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) +allow unconfined_execmem_t unconfined_t:process transition; optional_policy(` -+ init_dbus_chat_script(unconfined_execmem_t) -+ - dbus_stub(unconfined_execmem_t) - -- init_dbus_chat_script(unconfined_execmem_t) -+ dbus_connect_system_bus(unconfined_execmem_t) -+ unconfined_dbus_connect(unconfined_execmem_t) +- dbus_stub(unconfined_execmem_t) +- + init_dbus_chat_script(unconfined_execmem_t) ++ dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) ++ unconfined_dbus_connect(unconfined_execmem_t) ++') - optional_policy(` -+ avahi_dbus_chat(unconfined_execmem_t) -+ ') +- optional_policy(` +- hal_dbus_chat(unconfined_execmem_t) +- ') ++optional_policy(` ++ avahi_dbus_chat(unconfined_execmem_t) ++') + -+ optional_policy(` - hal_dbus_chat(unconfined_execmem_t) - ') ++optional_policy(` ++ hal_dbus_chat(unconfined_execmem_t) ++') + -+ optional_policy(` -+ xserver_xdm_rw_shm(unconfined_execmem_t) -+ -+ ') ++optional_policy(` ++ xserver_xdm_rw_shm(unconfined_execmem_t) ') + +######################################## 
@@ -14295,7 +14363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2007-12-19 16:35:24.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2007-12-20 14:54:51.000000000 -0500 @@ -29,8 +29,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b4e77617..c478a96d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -73,6 +73,9 @@ SELinux Policy development package %{_usr}/share/selinux/devel/policy.* %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp +%check devel +/usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null + %post devel [ -x /usr/bin/sepolgen-ifgen ] && /usr/bin/sepolgen-ifgen exit 0 @@ -383,6 +386,9 @@ exit 0 %endif %changelog +* Thu Dec 20 2007 Dan Walsh 3.2.5-3 +- Run rpm in system_r + * Wed Dec 19 2007 Dan Walsh 3.2.5-2 - Zero out customizable types
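Review bot: `%check devel` in the selinux-policy.spec hunk (`@@ -73,6 +73,9 @@`) carries a subpackage argument, but unlike `%post devel` the %check section is a build stage of the whole spec, not a per-subpackage script; as far as I know rpmbuild takes no arguments on %check and simply ignores the token, so the line should read `%check` to avoid suggesting a scoping that does not exist. The check itself is a good build-time guard, since it runs sepolgen-ifgen over the installed include directory and fails the build if an interface file does not parse, which is worth saying in a comment such as `# fail the build if the devel interface files do not parse`. Note that, unlike the `[ -x /usr/bin/sepolgen-ifgen ]` test in %post devel, this call is unguarded and presumably relies on the tool being a declared build requirement; that declaration is outside this hunk, so confirm it is present.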