From b4ae7d845a18aba27885dc783c1cc94541b36470 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 20 Aug 2007 22:15:46 +0000
Subject: [PATCH] - Allow sshd to write to proc_t for afs login
---
policy-20070703.patch | 54 ++++++++++++++++++++++++++++++++++++++++---
selinux-policy.spec | 5 +++-
2 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/policy-20070703.patch b/policy-20070703.patch
index bf6f1ed4..961698f3 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -2388,6 +2388,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.5/policy/modules/kernel/corenetwork.if.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/kernel/corenetwork.if.in 2007-08-20 18:15:26.000000000 -0400 +@@ -1449,6 +1449,43 @@ + + ######################################## + ## ++## Connect TCP sockets to rpc ports. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`corenet_tcp_connect_all_rpc_ports',` ++ gen_require(` ++ attribute rpc_port_type; ++ ') ++ ++ allow $1 rpc_port_type:tcp_socket name_connect; ++') ++ ++######################################## ++## ++## Do not audit attempts to connect TCP sockets ++## all rpc ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` ++ gen_require(` ++ attribute rpc_port_type; ++ ') ++ ++ dontaudit $1 rpc_port_type:tcp_socket name_connect; ++') ++ ++######################################## ++## + ## Read and write the TUN/TAP virtual network device. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.5/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400 +++ serefpolicy-3.0.5/policy/modules/kernel/corenetwork.te.in 2007-08-07 09:39:49.000000000 -0400 
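Review bot: The summary of `corenet_dontaudit_tcp_connect_all_rpc_ports` reads "Do not audit attempts to connect TCP sockets all rpc ports", which drops the preposition and does not match the first interface's wording; I would use `## Do not audit attempts to connect TCP sockets to all rpc ports.` there and, for symmetry with the interface names, `## Connect TCP sockets to all rpc ports.` on `corenet_tcp_connect_all_rpc_ports`, since both cover every port carrying the rpc_port_type attribute. Both bodies `gen_require` `attribute rpc_port_type;`, which this hunk does not declare; the corenetwork.te.in diff that follows as trailing context is dated earlier (2007-08-07), so the attribute presumably already exists there, but that is worth confirming because a missing attribute fails the policy build rather than degrading softly. The `<summary>` and `<param name="domain">` XML wrappers that refpolicy interface comments normally carry are not visible in this excerpt; if they were only lost in rendering that is fine, but the interface doc generator depends on them. As the allow interface grants name_connect to the whole attribute, any caller added elsewhere in the patch should be checked for whether a single named port would have sufficed.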
@@ -5249,7 +5296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.5/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/dovecot.te 2007-08-14 08:15:55.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/dovecot.te 2007-08-20 17:56:52.000000000 -0400 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -5311,7 +5358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -145,33 +144,39 @@ +@@ -145,33 +144,40 @@ # dovecot auth local policy # @@ -5333,6 +5380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +files_read_var_symlinks(dovecot_t) allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms; ++dovecot_auth_stream_connect(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) @@ -5353,7 +5401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -185,12 +190,46 @@ +@@ -185,12 +191,46 @@ seutil_dontaudit_search_config(dovecot_auth_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 2ece3f05..add8ff4c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.5 -Release: 8%{?dist} +Release: 9%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
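Review bot: In the nested `@@ -5333,6 +5380,7 @@` hunk, `dovecot_auth_stream_connect(dovecot_auth_t)` passes the dovecot_auth domain to what is, judging by its name, the dovecot module's own interface, so dovecot_auth_t appears to be granted connectto on its own socket through an interface intended for other modules; refpolicy convention is for a module's .te to use native rules for its own domains, and if self-connection is really what the auth worker needs something like `allow dovecot_auth_t self:unix_stream_socket connectto;` would state that directly (confirm against the interface body in dovecot.if, which is outside this excerpt, since the interface may grant more than the socket permission). The added line also carries no comment saying which dovecot-auth process connects to which socket, and the commit subject mentions only sshd and afs, so a one-line comment such as `# dovecot-auth connects to its own auth socket` (with the actual reason) would help the next reader. The remaining hunks on this line only adjust nested hunk counts and a file timestamp, which is consistent with the single added line.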
@@ -360,6 +360,9 @@ exit 0 %endif %changelog +* Sat Aug 18 2007 Dan Walsh 3.0.5-9 +- Allow sshd to write to proc_t for afs login + * Sat Aug 18 2007 Dan Walsh 3.0.5-8 - Allow xserver access to urand