From b2f6b0698fdc473abbb08b56ca9e51b0e6d8d1b8 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 28 Jan 2010 15:44:39 +0000 Subject: [PATCH] - Fix rpm_dontaudit_leaks --- policy-F13.patch | 34 ++++++++++++++++++++++++++++------ selinux-policy.spec | 5 ++++- 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/policy-F13.patch b/policy-F13.patch index 255c5a4c..732e5cfd 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -19260,7 +19260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.8/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nis.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nis.fc 2010-01-28 10:40:55.000000000 -0500 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) 
@@ -19270,6 +19270,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) +@@ -11,3 +14,8 @@ + /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) + + /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) ++ ++/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0) ++/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) ++/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) ++/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.8/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/services/nis.if 2010-01-18 15:18:03.000000000 -0500 @@ -19416,7 +19425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.8/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nis.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nis.te 2010-01-28 10:38:39.000000000 -0500 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) 
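Review bot: The four new `/var/run/...` entries are appended after `/var/yp(/.*)?`, but refpolicy keeps .fc files sorted by path, so they belong between the `/usr/sbin/ypserv` line and the `/var/yp` entry rather than at the end of the file. All four are restricted to regular files with `--`; if any of these daemons also creates a socket or a directory under /var/run it would be left unlabeled by restorecon, which is worth confirming against what ypbind, ypserv, rpc.yppasswdd and rpc.ypxfrd actually write there. `ypxfr_var_run_t` is declared only by the nis.te hunk of this same commit, so this .fc change cannot be applied on its own.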
@@ -19427,17 +19436,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. type ypbind_tmp_t; files_tmp_file(ypbind_tmp_t) -@@ -44,6 +47,9 @@ +@@ -44,6 +47,12 @@ type ypxfr_exec_t; init_daemon_domain(ypxfr_t, ypxfr_exec_t) ++type ypxfr_var_run_t; ++files_pid_file(ypxfr_var_run_t) ++ +type nis_initrc_exec_t; +init_script_file(nis_initrc_exec_t) + ######################################## # # ypbind local policy -@@ -65,9 +71,8 @@ +@@ -65,9 +74,8 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) @@ -19448,7 +19460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_all_recvfrom_unlabeled(ypbind_t) corenet_all_recvfrom_netlabel(ypbind_t) -@@ -250,6 +255,8 @@ +@@ -250,6 +258,8 @@ corenet_udp_sendrecv_all_ports(ypserv_t) corenet_tcp_bind_generic_node(ypserv_t) corenet_udp_bind_generic_node(ypserv_t) @@ -19457,7 +19469,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_tcp_bind_all_rpc_ports(ypserv_t) corenet_udp_bind_all_rpc_ports(ypserv_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) -@@ -315,6 +322,8 @@ +@@ -305,6 +315,9 @@ + + allow ypxfr_t ypserv_conf_t:file read_file_perms; + ++manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) ++files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) ++ + corenet_all_recvfrom_unlabeled(ypxfr_t) + corenet_all_recvfrom_netlabel(ypxfr_t) + corenet_tcp_sendrecv_generic_if(ypxfr_t) +@@ -315,6 +328,8 @@ corenet_udp_sendrecv_all_ports(ypxfr_t) corenet_tcp_bind_generic_node(ypxfr_t) corenet_udp_bind_generic_node(ypxfr_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index cfd4a3e0..947f49ec 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.8 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
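Review bot: The two new rules for ypxfr_t (`manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)` and `files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)`) carry no comment, and a one-liner such as `# pid file for rpc.ypxfrd` above them would tell the next reader why the transition is limited to `file` and why the matching nis.fc entry is file-only; the enclosing ypxfr local-policy block starts before this hunk. Granting the full manage set on a pid-file type is the usual refpolicy idiom, so that part looks fine as long as rpc.ypxfrd writes only a plain pid file under /var/run, which the diff cannot show. Separately, neither the commit title nor the new spec changelog entry (`Fix rpm_dontaudit_leaks`) mentions these NIS policy additions, so the change is effectively undocumented in the package history. That entry is also dated `Thu Jan 27 2010` while the preceding entry records Jan 27 2010 as a Wednesday and the commit itself is dated Thu 28 Jan; rpmbuild normally warns about such a mismatched %changelog date.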
@@ -459,6 +459,9 @@ exit 0 %endif %changelog +* Thu Jan 27 2010 Dan Walsh 3.7.8-5 +- Fix rpm_dontaudit_leaks + * Wed Jan 27 2010 Dan Walsh 3.7.8-4 - Add getsched to hald_t - Add file context for Fedora/Redhat Directory Server