From 8ff0154e034e60c99fe64b78c18441d26c3e07b3 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 18 Sep 2008 20:46:41 +0000
Subject: [PATCH] - Fix labeling on new pm*log
- Allow ssh to bind to all nodes
---
policy-20080710.patch | 35 ++++++++++++++++++++---------------
1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/policy-20080710.patch b/policy-20080710.patch
index 7ec3bb3b..1b915e2a 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -23287,7 +23287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-08-14 13:08:27.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/rpc.te 2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/rpc.te 2008-09-18 16:45:56.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@@ -23321,7 +23321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`nfs_export_all_ro',`
-@@ -170,9 +173,13 @@
+@@ -170,9 +173,14 @@
files_read_usr_symlinks(gssd_t)
auth_use_nsswitch(gssd_t)
@@ -23329,13 +23329,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_certs(gssd_t)
-+userdom_dontaudit_search_users_home_dirs(rpcd_t)
-+sysadm_dontaudit_search_home_dirs(rpcd_t)
++userdom_dontaudit_search_users_home_dirs(gssd_t)
++sysadm_dontaudit_search_home_dirs(gssd_t)
++userdom_dontaudit_write_user_tmp_files(user, gssd_t)
+
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
-@@ -180,8 +187,7 @@
+@@ -180,8 +188,7 @@
')
optional_policy(` 
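Review bot: The added `userdom_dontaudit_write_user_tmp_files(user, gssd_t)` silences write denials on every user's tmp files without saying which denial it is meant to hide, and unlike the reads in the `tunable_policy(`allow_gssd_read_tmp',` block directly below it, it is not gated by that boolean. A dontaudit permanently removes that audit signal, so a one-line comment naming the source of the noise keeps the rule reviewable; presumably this is gssd touching user credential caches, but that is not visible from the hunk. Suggest `# gssd tries to write user tmp files (credential caches?); denial is expected noise, reads stay gated by allow_gssd_read_tmp` above the line, or, if the writes only happen when the boolean is on, moving the dontaudit inside that tunable_policy block. The rpcd_t to gssd_t correction on the two lines above needs nothing further.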
@@ -26609,7 +26610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.8/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-18 08:51:19.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-18 15:56:17.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -26709,7 +26710,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_t)
# needs to read krb tgt
-@@ -282,21 +289,10 @@
+@@ -279,24 +286,14 @@
+ # for port forwarding
+ tunable_policy(`user_tcp_server',`
+ corenet_tcp_bind_ssh_port($1_ssh_t)
++ corenet_tcp_bind_all_nodes($1_ssh_t)
')
optional_policy(`
@@ -26732,7 +26737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# $1_ssh_agent_t local policy
-@@ -383,10 +379,6 @@
+@@ -383,10 +380,6 @@
xserver_rw_xdm_pipes($1_ssh_agent_t)
')
@@ -26743,7 +26748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# $1_ssh_keysign_t local policy
-@@ -413,6 +405,25 @@
+@@ -413,6 +406,25 @@
')
')
@@ -26769,7 +26774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#######################################
##
## The template to define a ssh server.
-@@ -443,13 +454,14 @@
+@@ -443,13 +455,14 @@
type $1_var_run_t;
files_pid_file($1_var_run_t) 
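Review bot: `corenet_tcp_bind_all_nodes($1_ssh_t)` lets the per-user ssh domain bind sockets to every node address once `user_tcp_server` is on; the line above it only grants the ssh port, so this is presumably what makes a forwarding listener reachable on non-loopback interfaces, and the existing `# for port forwarding` comment does not say so. Because the boolean is the only thing gating the widening, the tunable's description in its definition (outside this hunk, not visible here) should state that enabling it also allows listeners on all local addresses. Suggest extending the comment to `# for port forwarding; with user_tcp_server on, forwarding listeners may bind any local address, not just loopback` so the scope change is visible at the rule itself. The enclosing per-user ssh template starts and ends outside the hunk.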
@@ -26785,7 +26790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
-@@ -479,6 +491,10 @@
+@@ -479,6 +492,10 @@
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
@@ -26796,7 +26801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_dontaudit_getattr_all_fs($1_t)
-@@ -506,9 +522,14 @@
+@@ -506,9 +523,14 @@
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t)
@@ -26811,7 +26816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`use_samba_home_dirs',`
-@@ -517,11 +538,7 @@
+@@ -517,11 +539,7 @@
optional_policy(`
kerberos_use($1_t)
@@ -26824,7 +26829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -710,3 +727,22 @@
+@@ -710,3 +728,22 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -26934,7 +26939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_sendrecv_all_if(stunnel_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.8/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/telnet.te 2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/telnet.te 2008-09-18 16:12:20.000000000 -0400
@@ -89,15 +89,19 @@
userdom_search_unpriv_users_home_dirs(telnetd_t)