From a4f1f54302d2064917a1f6901ad2471455ab3645 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 3 Dec 2010 17:07:37 +0000 Subject: [PATCH] - Fix gnome_manage_data interface - Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy --- policy-F15.patch | 116 ++++++++++++++++++++++++++++++++++---------- selinux-policy.spec | 7 ++- 2 files changed, 96 insertions(+), 27 deletions(-) diff --git a/policy-F15.patch b/policy-F15.patch index d7161521..744ca4a2 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -2520,7 +2520,7 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..dd4bd1e 100644 +index f5afe78..df99449 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -37,8 +37,7 @@ interface(`gnome_role',` @@ -2533,7 +2533,7 @@ index f5afe78..dd4bd1e 100644 ## ## ## -@@ -46,25 +45,300 @@ interface(`gnome_role',` +@@ -46,25 +45,302 @@ interface(`gnome_role',` ## ## # @@ -2797,8 +2797,10 @@ index f5afe78..dd4bd1e 100644 +interface(`gnome_manage_data',` + gen_require(` + type data_home_t; ++ type gconf_home_t; + ') + ++ allow $1 gconf_home_t:dir search_dir_perms; + manage_files_pattern($1, data_home_t, data_home_t) +') + @@ -2840,7 +2842,7 @@ index f5afe78..dd4bd1e 100644 gen_require(` type gconf_etc_t; ') -@@ -76,7 +350,27 @@ template(`gnome_read_gconf_config',` +@@ -76,7 +352,27 @@ template(`gnome_read_gconf_config',` ####################################### ## @@ -2869,7 +2871,7 @@ index f5afe78..dd4bd1e 100644 ## ## ## -@@ -84,37 +378,40 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +380,40 @@ template(`gnome_read_gconf_config',` ## ## # @@ -2921,7 +2923,7 @@ index f5afe78..dd4bd1e 100644 ## ## ## -@@ -122,12 +419,13 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,12 +421,13 @@ interface(`gnome_stream_connect_gconf',` ## ## # 
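Review bot: The new `allow $1 gconf_home_t:dir search_dir_perms;` in gnome_manage_data carries no comment saying why a manager of data_home_t needs to search gconf_home_t, and the interface's `##` summary block sits outside the hunk, so a reader of the interface meets an unexplained second type. Presumably data_home_t directories live below a gconf_home_t directory (TODO confirm against gnome.fc); if so, say it in place: `# data_home_t is reached through a gconf_home_t directory`. Refpolicy interfaces usually express this with `search_dirs_pattern($1, gconf_home_t, gconf_home_t)` rather than a raw allow, and a caller that does not already search the home directory would still need `userdom_search_user_home_dirs($1)` — whether gnome_manage_data is meant to be self-contained is not visible here.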
@@ -2938,7 +2940,7 @@ index f5afe78..dd4bd1e 100644 ') ######################################## -@@ -151,40 +449,173 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +451,173 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -26200,7 +26202,7 @@ index 0a0d63c..d02b476 100644 mysql_manage_db_files(mysqld_safe_t) diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if -index 8581040..f54b3b8 100644 +index 8581040..cfcdf10 100644 --- a/policy/modules/services/nagios.if +++ b/policy/modules/services/nagios.if @@ -12,10 +12,8 @@ @@ -26215,7 +26217,7 @@ index 8581040..f54b3b8 100644 ') type nagios_$1_plugin_t; -@@ -26,6 +24,7 @@ template(`nagios_plugin_template',` +@@ -26,9 +24,11 @@ template(`nagios_plugin_template',` allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) @@ -26223,7 +26225,11 @@ index 8581040..f54b3b8 100644 # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) -@@ -36,6 +35,8 @@ template(`nagios_plugin_template',` ++ allow nagios_t nagios_$1_plugin_exec_t:file ioctl; + + allow nagios_t nagios_$1_plugin_t:process signal_perms; + +@@ -36,6 +36,8 @@ template(`nagios_plugin_template',` dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; @@ -26232,7 +26238,7 @@ index 8581040..f54b3b8 100644 miscfiles_read_localization(nagios_$1_plugin_t) ') -@@ -49,7 +50,6 @@ template(`nagios_plugin_template',` +@@ -49,7 +51,6 @@ template(`nagios_plugin_template',` ## Domain to not audit. ## ## @@ -26240,7 +26246,7 @@ index 8581040..f54b3b8 100644 # interface(`nagios_dontaudit_rw_pipes',` gen_require(` -@@ -159,6 +159,26 @@ interface(`nagios_read_tmp_files',` +@@ -159,6 +160,26 @@ interface(`nagios_read_tmp_files',` ######################################## ## 
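Review bot: The new `allow nagios_t nagios_$1_plugin_exec_t:file ioctl;` in nagios_plugin_template is the only rule in that stretch without a justification, while the neighbouring domtrans rule is annotated `# needed by command.cfg`. A reviewer cannot tell from the hunk which operation issues an ioctl on the plugin binary; record it, e.g. `# nagios ioctl()s the plugin executable when launching checks from command.cfg — TODO cite the denial`. The template body continues outside the hunk on both sides.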
@@ -26267,7 +26273,7 @@ index 8581040..f54b3b8 100644 ## Execute the nagios NRPE with ## a domain transition. ## -@@ -195,11 +215,9 @@ interface(`nagios_domtrans_nrpe',` +@@ -195,11 +216,9 @@ interface(`nagios_domtrans_nrpe',` # interface(`nagios_admin',` gen_require(` @@ -26283,7 +26289,7 @@ index 8581040..f54b3b8 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index da5b33d..433417a 100644 +index da5b33d..3ce90f7 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) @@ -26354,15 +26360,17 @@ index da5b33d..433417a 100644 ') ###################################### -@@ -310,6 +310,7 @@ optional_policy(` +@@ -310,6 +310,9 @@ optional_policy(` # needed by ioctl() allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; ++kernel_read_software_raid_state(nagios_checkdisk_plugin_t) ++ +files_getattr_all_dirs(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,7 +324,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -323,7 +326,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; @@ -26370,7 +26378,7 @@ index da5b33d..433417a 100644 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; -@@ -340,6 +340,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -340,6 +342,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -32529,7 +32537,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') 
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index 8e1ab72..288e6cc 100644 +index 8e1ab72..e6821be 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -32607,15 +32615,17 @@ index 8e1ab72..288e6cc 100644 ######################################## # # NFSD local policy -@@ -120,6 +133,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +@@ -120,6 +133,9 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) +kernel_setsched(nfsd_t) ++ ++corecmd_exec_shell(nfsd_t) corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -148,6 +162,8 @@ storage_raw_read_removable_device(nfsd_t) +@@ -148,6 +164,8 @@ storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) @@ -32624,7 +32634,7 @@ index 8e1ab72..288e6cc 100644 # Write access to public_content_t and public_content_rw_t tunable_policy(`allow_nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) -@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',` allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; allow gssd_t self:process { getsched setsched }; @@ -32633,7 +32643,7 @@ index 8e1ab72..288e6cc 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -218,6 +234,8 @@ tunable_policy(`allow_gssd_read_tmp',` +@@ -218,6 +236,8 @@ tunable_policy(`allow_gssd_read_tmp',` userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) @@ -37748,7 +37758,7 @@ index 6f1e3c7..ecfe665 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + 
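Review bot: `corecmd_exec_shell(nfsd_t)` is a broad grant — it lets the nfsd_t domain run a shell in its own domain — yet neither the commit message nor the spec changelog mentions it, and the rule carries no comment naming the script that needs it. If the daemon really execs a helper script, record it: `# nfsd_t runs a helper shell script (TODO: path and denial that motivated this)`; if that script runs only in some setups, wrapping the call in an `optional_policy` or a tunable would keep the default policy narrower. The hunk's context shows `kernel_setsched(nfsd_t)` as already present in the inner patch, so the shell grant and its blank line are the only new lines here.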
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..4b06508 100644 +index da2601a..6b12229 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -38328,7 +38338,7 @@ index da2601a..4b06508 100644 ') ######################################## -@@ -1243,10 +1395,355 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1395,393 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -38395,6 +38405,44 @@ index da2601a..4b06508 100644 + ') +') + ++####################################### ++## ++## Allow search the xdm_spool files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_search_spool',` ++ gen_require(` ++ type xdm_spool_t; ++ ') ++ ++ files_search_spool($1) ++ search_dirs_pattern($1, xdm_spool_t, xdm_spool_t) ++') ++ ++###################################### ++## ++## Allow read the xdm_spool files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_read_spool',` ++ gen_require(` ++ type xdm_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, xdm_spool_t, xdm_spool_t) ++') ++ +######################################## +## +## Manage the xdm_spool files @@ -42694,10 +42742,26 @@ index 663a47b..ad0b864 100644 + allow $1 iscsid_t:sem create_sem_perms; +') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te -index 1d1c399..3ab3a47 100644 +index 1d1c399..67d0dec 100644 --- a/policy/modules/system/iscsi.te 
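Review bot: The two new interfaces xserver_xdm_search_spool and xserver_xdm_read_spool do not follow the file's own header conventions: their separator rows are 39 and 38 `#` wide where the surrounding interfaces use 40, and the summaries `Allow search the xdm_spool files` / `Allow read the xdm_spool files` are ungrammatical, the first one also naming files while the body grants directory search. Suggest `## Search the xdm spool directories.` and `## Read the xdm spool files.`, matching the imperative one-line summaries used elsewhere in xserver.if. I believe `read_files_pattern` also grants search on the directory type, which would make xserver_xdm_read_spool a superset of xserver_xdm_search_spool; that is fine, but worth a word in its summary.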
+++ b/policy/modules/system/iscsi.te -@@ -76,6 +76,8 @@ corenet_tcp_connect_isns_port(iscsid_t) +@@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t) + # + + allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; ++dontaudit iscsid_t self:capability { sys_ptrace }; + allow iscsid_t self:process { setrlimit setsched signal }; + allow iscsid_t self:fifo_file rw_fifo_file_perms; + allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -64,6 +65,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) + + kernel_read_network_state(iscsid_t) + kernel_read_system_state(iscsid_t) ++kernel_setsched(iscsid_t) + + corenet_all_recvfrom_unlabeled(iscsid_t) + corenet_all_recvfrom_netlabel(iscsid_t) +@@ -76,6 +78,8 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) @@ -42706,7 +42770,7 @@ index 1d1c399..3ab3a47 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) -@@ -91,5 +93,5 @@ logging_send_syslog_msg(iscsid_t) +@@ -91,5 +95,5 @@ logging_send_syslog_msg(iscsid_t) miscfiles_read_localization(iscsid_t) optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index b4fc3ecc..43b339bf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.10 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,11 @@ exit 0 %endif %changelog +* Fri Dec 3 2010 Miroslav Grepl 3.9.9-6 +- Fix gnome_manage_data interface +- Dontaudit sys_ptrace capability for iscsid +- Fixes for nagios plugin policy + * Thu Dec 1 2010 Miroslav Grepl 3.9.9-5 - Fix cron to run ranged when started by init - Fix devicekit to use log files
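Review bot: The new `dontaudit iscsid_t self:capability { sys_ptrace };` and `kernel_setsched(iscsid_t)` come without comments, and only the first is mentioned in the commit message and changelog; the setsched grant is a silent addition. The sys_ptrace dontaudit most likely pairs with the `domain_dontaudit_read_all_domains_state(iscsid_t)` visible later in the hunk's context, since reading other domains' /proc entries is what triggers that capability check; say so in place: `# sys_ptrace is checked when iscsid reads other domains' /proc state; see domain_dontaudit_read_all_domains_state below`. Refpolicy writes a single permission without braces: `dontaudit iscsid_t self:capability sys_ptrace;`.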