From 93df8504c9fafc542adb300fe91c4540aa930393 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 12 Jun 2008 18:26:59 +0000 Subject: [PATCH] - Update to upstream --- policy-20080509.patch | 158 +++++++++++++++++++++++------------------- 1 file changed, 87 insertions(+), 71 deletions(-) diff --git a/policy-20080509.patch b/policy-20080509.patch index 4c95814d..e0bd3429 100644 --- a/policy-20080509.patch +++ b/policy-20080509.patch @@ -25914,7 +25914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.2/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 10:36:55.251920000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 12:10:32.884486000 -0400 @@ -16,7 +16,8 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -26204,7 +26204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -643,11 +623,81 @@ +@@ -643,13 +623,175 @@ xserver_read_xdm_tmp_files($2) @@ -26246,7 +26246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + attribute x_domain; + type $1_xserver_t; +# type $2_input_xevent_t; - ') ++ ') + +# typeattribute $2_input_xevent_t $1_input_xevent_type; + 
@@ -26266,10 +26266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # manage: xhost X11:ChangeHosts + # freeze: metacity X11:GrabKey + # force_cursor: metacity X11:GrabPointer -+ allow $3 $1_xserver_t:x_device { manage freeze force_cursor }; ++ allow $3 $1_xserver_t:x_device { read manage freeze force_cursor }; + allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell }; + -+ + # gnome-settings-daemon XKEYBOARD:SetControls + allow $3 $1_xserver_t:x_server { manage grab }; + @@ -26287,13 +26286,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + # setattr: metacity X11:InstallColormap + allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr }; - ') - - ####################################### -@@ -662,6 +712,99 @@ - ## is the prefix for user_t). - ## - ## ++') ++ ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). ++## ++## +## +## +## Client domain allowed access. @@ -26333,7 +26339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + type manage_xevent_t, output_xext_t, property_xevent_t; + type shmem_xext_t, xselection_t; + attribute xevent_type, xextension_type; -+ ') + ') + # can receive certain root window events + allow $2 self:x_cursor { destroy create use setattr }; + allow $2 self:x_drawable { write getattr read destroy create add_child }; 
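Review bot: The `read` permission added to `allow $3 $1_xserver_t:x_device { read manage freeze force_cursor };` in hunk `@@ -26266,10 +26266,9 @@` has no entry in the comment block directly above it, which maps every other x_device permission to the application and X request that needs it (`# manage: xhost X11:ChangeHosts`, `# freeze: metacity X11:GrabKey`, `# force_cursor: metacity X11:GrabPointer`). A matching line such as `# read: <application> <X request>` (filled in from the denial that motivated the grant) keeps that audit trail intact and makes the extra access easy to revisit later. The template this rule belongs to starts and ends outside the hunk.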
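Review bot: The documentation block added after `++')` in hunk `@@ -26287,13 +26286,20 @@` is the same text that hunk `@@ -26372,25 +26378,13 @@` removes from in front of `xserver_common_x_domain_template`, so the interface it now heads is described as providing "the minimal set required by a basic X client application" and as taking the X server domain prefix as its first parameter. The `template(` line of that interface is not in the hunk, and its visible body (`$2 ... x_synthetic_event`/`x_event` rules in the following hunks and `xserver_use(xdm,$1,$2)`) does not obviously match that summary, so the interface name, parameter order and purpose should be checked and the copied summary and parameter descriptions reworded where they differ.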
@@ -26341,7 +26347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $2 self:x_resource { write read }; + + allow $2 input_xevent_t:x_synthetic_event receive; -+ allow $2 client_xevent_t:x_synthetic_event receive; ++ allow $2 client_xevent_t:x_synthetic_event { send receive }; + allow $2 focus_xevent_t:x_event receive; + allow $2 info_xproperty_t:x_property read; + allow $2 manage_xevent_t:x_event receive; @@ -26372,25 +26378,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +# xserver_use($1,$1,$2) + xserver_use(xdm,$1,$2) -+') + ') + + -+ -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## - ## - ## - ## The prefix of the X client domain (e.g., user -@@ -676,7 +819,7 @@ + ####################################### + ## + ## Interface to provide X object permissions on a given X server to +@@ -676,7 +818,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` @@ -26399,7 +26393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -685,7 +828,6 @@ +@@ -685,7 +827,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; @@ -26407,7 +26401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -709,20 +851,22 @@ +@@ -709,20 +850,22 @@ # Declarations # 
@@ -26433,7 +26427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # Local Policy -@@ -740,7 +884,7 @@ +@@ -740,7 +883,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -26442,7 +26436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -749,7 +893,7 @@ +@@ -749,7 +892,7 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -26451,7 +26445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Protocol Extensions allow $3 std_xext_t:x_extension { query use }; -@@ -758,27 +902,17 @@ +@@ -758,27 +901,17 @@ # X Properties # can read and write client properties @@ -26484,20 +26478,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Input # can receive own events -@@ -805,6 +939,12 @@ +@@ -805,6 +938,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; + allow $3 input_xevent_t:x_event receive; + allow $3 input_xevent_t:x_synthetic_event send; + allow $3 $2_client_xevent_t:x_synthetic_event send; -+ allow $3 xproperty_t:x_property read; ++ allow $3 xproperty_t:x_property { read destroy }; + allow $3 xselection_t:x_selection setattr; + # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -813,13 +953,15 @@ +@@ -813,13 +952,15 @@ # Other X Objects # can create and use cursors 
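Review bot: `allow $3 xproperty_t:x_property { read destroy };` in hunk `@@ -26484,20 +26478,20 @@` now grants `destroy` on the default property type to every client domain built from `xserver_common_x_domain_template`, and unlike the neighbouring rules (`# can use the clipboard`, `# can receive own events`) it carries no comment saying which application and X request motivated it. Since `xproperty_t` is the catch-all label rather than a per-client type, as far as type enforcement is concerned any such client may delete any property carrying that label, whichever client created it, so the grant deserves either a narrower type or at least a comment such as `# <application>: X11:DeleteProperty on default-labelled properties` so it can be revisited. The template continues outside the hunk.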
@@ -26517,7 +26511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -879,17 +1021,17 @@ +@@ -879,17 +1020,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -26542,7 +26536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $3 xdm_t:fd use; -@@ -916,11 +1058,9 @@ +@@ -916,11 +1057,9 @@ # X object manager xserver_common_x_domain_template($1,$2,$3) @@ -26557,7 +26551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -952,26 +1092,43 @@ +@@ -952,26 +1091,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -26608,7 +26602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1005,6 +1162,73 @@ +@@ -1005,6 +1161,73 @@ ######################################## ## @@ -26682,7 +26676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1030,10 +1254,10 @@ +@@ -1030,10 +1253,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -26695,7 +26689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1219,6 +1443,25 @@ +@@ -1219,6 +1442,25 @@ ######################################## ## @@ -26721,7 +26715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -1273,6 +1516,7 @@ +@@ -1273,6 +1515,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) 
@@ -26729,7 +26723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1291,7 +1535,7 @@ +@@ -1291,7 +1534,7 @@ ') files_search_pids($1) @@ -26738,7 +26732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1314,6 +1558,24 @@ +@@ -1314,6 +1557,24 @@ ######################################## ## @@ -26763,7 +26757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -1324,15 +1586,47 @@ +@@ -1324,15 +1585,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -26812,7 +26806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1482,7 +1776,7 @@ +@@ -1482,7 +1775,7 @@ type xdm_xserver_tmp_t; ') @@ -26821,7 +26815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1674,6 +1968,65 @@ +@@ -1674,6 +1967,65 @@ ######################################## ## @@ -26887,7 +26881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1686,8 +2039,87 @@ +@@ -1686,8 +2038,87 @@ # interface(`xserver_unconfined',` gen_require(` 
@@ -30469,7 +30463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-05-19 10:26:42.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc 2008-06-12 10:36:55.473696000 -0400 ++++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc 2008-06-12 14:04:10.162698000 -0400 @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) @@ -30479,6 +30473,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) +@@ -46,3 +46,8 @@ + # /var/run + # + /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) ++ ++# ++# /var/lib ++# ++/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.4.2/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-05-29 15:55:43.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.if 2008-06-12 10:36:55.480688000 -0400 
@@ -30986,8 +30989,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.4.2/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-05-29 15:55:43.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.te 2008-06-12 10:36:55.485685000 -0400 -@@ -75,7 +75,6 @@ ++++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.te 2008-06-12 14:05:15.662484000 -0400 +@@ -23,6 +23,9 @@ + type selinux_config_t; + files_type(selinux_config_t) + ++type selinux_var_lib_t; ++files_type(selinux_var_lib_t) ++ + type checkpolicy_t, can_write_binary_policy; + type checkpolicy_exec_t; + application_domain(checkpolicy_t, checkpolicy_exec_t) +@@ -75,7 +78,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) @@ -30995,7 +31008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -92,6 +91,10 @@ +@@ -92,6 +94,10 @@ domain_interactive_fd(semanage_t) role system_r types semanage_t; @@ -31006,7 +31019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type semanage_store_t; files_type(semanage_store_t) -@@ -109,6 +112,11 @@ +@@ -109,6 +115,11 @@ init_system_domain(setfiles_t,setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) @@ -31018,7 +31031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Checkpolicy local policy -@@ -168,6 +176,7 @@ +@@ -168,6 +179,7 @@ files_read_etc_runtime_files(load_policy_t) fs_getattr_xattr_fs(load_policy_t) 
@@ -31026,7 +31039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu mls_file_read_all_levels(load_policy_t) -@@ -195,15 +204,6 @@ +@@ -195,15 +207,6 @@ ') ') @@ -31042,7 +31055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Newrole local policy -@@ -221,7 +221,7 @@ +@@ -221,7 +224,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -31051,7 +31064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t,default_context_t,default_context_t) read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) -@@ -277,6 +277,7 @@ +@@ -277,6 +280,7 @@ libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) @@ -31059,7 +31072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -@@ -347,6 +348,8 @@ +@@ -347,6 +351,8 @@ seutil_libselinux_linked(restorecond_t) @@ -31068,7 +31081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -365,7 +368,7 @@ +@@ -365,7 +371,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -31077,7 +31090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -396,7 +399,6 @@ +@@ -396,7 +402,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) 
@@ -31085,7 +31098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -435,64 +437,17 @@ +@@ -435,64 +440,22 @@ # semodule local policy # @@ -31104,9 +31117,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) -- ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; + -dev_read_urand(semanage_t) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) @@ -31121,7 +31138,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) -# for setsebool: -+seutil_semanage_policy(semanage_t) selinux_set_boolean(semanage_t) +can_exec(semanage_t, semanage_exec_t) @@ -31155,7 +31171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -501,12 +456,21 @@ +@@ -501,12 +464,21 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -31177,7 +31193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -514,121 +478,40 @@ +@@ -514,121 +486,40 @@ # Handle pp files created in homedir and /tmp sysadm_read_home_content_files(semanage_t) sysadm_read_tmp_files(semanage_t)
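Review bot: `manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)` and `manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)` in hunk `@@ -31104,9 +31117,13 @@` let semanage_t manage content already labelled `selinux_var_lib_t`, but nothing in this patch gives semanage_t a type transition when it creates `/var/lib/selinux` itself, so a directory created by semanage under `/var/lib` would presumably inherit the parent's label and not match the `/var/lib/selinux(/.*)?` file context added in the selinuxutil.fc hunk until a relabel. Unless the directory is shipped and labelled by the package, a `files_var_lib_filetrans(semanage_t, selinux_var_lib_t, dir)` next to these rules closes that gap; `files_search_var_lib(semanage_t)` is likewise not visible in this hunk, though it may be provided elsewhere in the module. The `selinux_var_lib_t` type itself is declared in the selinuxutil.te hunk `@@ -23,6 +23,9 @@`, and the semanage_t policy block continues outside this hunk.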