- Fix file context for MATLAB

- Fixes for xace

policy-20071130.patch

@@ -3964,8 +3964,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s
 +	
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.3.1/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2007-03-01 10:01:48.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/java.fc	2008-03-13 18:18:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/java.fc	2008-03-21 06:52:02.000000000 -0400
-@@ -11,6 +11,7 @@
+@@ -3,14 +3,15 @@
+ #
+ /opt/(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:java_exec_t,s0)
+ /opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
++/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/opt/matlab.*/bin.*/MATLAB.*      -- gen_context(system_u:object_r:java_exec_t,s0)
+ 
+ #
+ # /usr
  #
  /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -3973,16 +3983,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
  /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gappletviewer  --	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,11 @@
+@@ -20,5 +21,10 @@
  /usr/bin/grmic  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/grmiregistry  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/jv-convert  	--	gen_context(system_u:object_r:java_exec_t,s0)
 -/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
 -/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
 +/usr/bin/fastjar  	--	gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/local/matlab/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/matlab(/.*)?/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/matlab.*/bin.*/MATLAB.*      -- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 +/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 +
@@ -14704,7 +14713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/hal.fc	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/hal.fc	2008-03-21 18:49:34.000000000 -0400
 @@ -8,6 +8,7 @@
  /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
  /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@@ -14713,13 +14722,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  
  /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
  
-@@ -16,10 +17,11 @@
+@@ -16,10 +17,12 @@
  /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
  
  /var/log/pm-suspend\.log			gen_context(system_u:object_r:hald_log_t,s0)
 +/var/log/pm(/.*)?				gen_context(system_u:object_r:hald_log_t,s0)
  
 +/var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
++/var/run/hald(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
  /var/run/haldaemon\.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
 -/var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 -
@@ -14775,7 +14785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/hal.te	2008-03-20 09:19:51.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/hal.te	2008-03-21 18:50:19.000000000 -0400
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -14795,7 +14805,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  logging_log_filetrans(hald_t,hald_log_t,file)
  
  manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
-@@ -93,6 +96,7 @@
+@@ -82,8 +85,9 @@
+ manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+ manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+ 
++manage_dirs_pattern(hald_t,hald_var_run_t,hald_var_run_t)
+ manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
+-files_pid_filetrans(hald_t,hald_var_run_t,file)
++files_pid_filetrans(hald_t,hald_var_run_t,{ dir file })
+ 
+ kernel_read_system_state(hald_t)
+ kernel_read_network_state(hald_t)
+@@ -93,6 +97,7 @@
  kernel_rw_irq_sysctls(hald_t)
  kernel_rw_vm_sysctls(hald_t)
  kernel_write_proc_files(hald_t)
@@ -14803,7 +14824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  
  auth_read_pam_console_data(hald_t)
  
-@@ -155,6 +159,8 @@
+@@ -155,6 +160,8 @@
  selinux_compute_relabel_context(hald_t)
  selinux_compute_user_contexts(hald_t)
  
@@ -14812,7 +14833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  storage_raw_read_removable_device(hald_t)
  storage_raw_write_removable_device(hald_t)
  storage_raw_read_fixed_disk(hald_t)
-@@ -172,6 +178,8 @@
+@@ -172,6 +179,8 @@
  init_rw_utmp(hald_t)
  init_telinit(hald_t)
  
@@ -14821,7 +14842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  libs_use_ld_so(hald_t)
  libs_use_shared_libs(hald_t)
  libs_exec_ld_so(hald_t)
-@@ -244,6 +252,10 @@
+@@ -244,6 +253,10 @@
  ')
  
  optional_policy(`
@@ -14832,7 +14853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  	hotplug_read_config(hald_t)
  ')
  
-@@ -265,6 +277,11 @@
+@@ -265,6 +278,11 @@
  ')
  
  optional_policy(`
@@ -14844,7 +14865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  	rpc_search_nfs_state_data(hald_t)
  ')
  
-@@ -291,7 +308,8 @@
+@@ -291,7 +309,8 @@
  #
  
  allow hald_acl_t self:capability { dac_override fowner };
@@ -14854,7 +14875,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
  allow hald_t hald_acl_t:process signal;
-@@ -304,6 +322,7 @@
+@@ -301,9 +320,14 @@
+ manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
+ files_search_var_lib(hald_acl_t)
+ 
++manage_dirs_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t)
++manage_files_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t)
++files_pid_filetrans(hald_acl_t,hald_var_run_t,{ dir file })
++
  corecmd_exec_bin(hald_acl_t)
  
  dev_getattr_all_chr_files(hald_acl_t)
@@ -14862,7 +14890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  dev_getattr_generic_usb_dev(hald_acl_t)
  dev_getattr_video_dev(hald_acl_t)
  dev_setattr_video_dev(hald_acl_t)
-@@ -325,6 +344,11 @@
+@@ -325,6 +349,11 @@
  
  miscfiles_read_localization(hald_acl_t)
  
@@ -14874,7 +14902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  ########################################
  #
  # Local hald mac policy
-@@ -338,10 +362,14 @@
+@@ -338,10 +367,14 @@
  manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
  files_search_var_lib(hald_mac_t)
  
@@ -14889,7 +14917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  libs_use_ld_so(hald_mac_t)
  libs_use_shared_libs(hald_mac_t)
  
-@@ -391,3 +419,7 @@
+@@ -391,3 +424,7 @@
  libs_use_shared_libs(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
@@ -23952,7 +23980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-14 11:14:49.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-20 16:09:38.000000000 -0400
 @@ -12,9 +12,15 @@
  ##	</summary>
  ## </param>
@@ -24081,13 +24109,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  		allow $1_xserver_t self:process { execmem execheap execstack };
  	')
  
-+	tunable_policy(`xserver_object_manager',`
++	selinux_validate_context($1_xserver_t)
-+		selinux_validate_context($1_xserver_t)
++	selinux_compute_access_vector($1_xserver_t)
-+		selinux_compute_access_vector($1_xserver_t)
++	selinux_compute_create_context($1_xserver_t)
-+		selinux_compute_create_context($1_xserver_t)
++	seutil_read_default_contexts($1_xserver_t)
-+		seutil_read_default_contexts($1_xserver_t)
++	allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
-+		allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
 +
++	tunable_policy(`xserver_object_manager',`
 +		allow $1_xserver_t input_xevent_t:x_event send;
 +		allow $1_xserver_t x_rootwindow_t:x_drawable send;
 +		allow $1_xserver_t xdm_t:x_event send;
@@ -25321,7 +25349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-03-18 15:08:05.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-03-21 18:46:59.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -25567,7 +25595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_getattr_power_mgmt_dev(xdm_t)
  dev_setattr_power_mgmt_dev(xdm_t)
  
-@@ -226,6 +344,7 @@
+@@ -226,9 +344,11 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -25575,7 +25603,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  fs_getattr_all_fs(xdm_t)
  fs_search_auto_mountpoints(xdm_t)
-@@ -237,6 +356,7 @@
++fs_rw_anon_inodefs_files(xdm_t)
+ 
+ storage_dontaudit_read_fixed_disk(xdm_t)
+ storage_dontaudit_write_fixed_disk(xdm_t)
+@@ -237,6 +357,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25583,7 +25615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -245,6 +365,7 @@
+@@ -245,6 +366,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -25591,7 +25623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -256,12 +377,11 @@
+@@ -256,12 +378,11 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -25605,7 +25637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -270,8 +390,13 @@
+@@ -270,8 +391,13 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -25619,7 +25651,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -304,7 +429,11 @@
+@@ -301,10 +427,15 @@
+ 
+ optional_policy(`
+ 	alsa_domtrans(xdm_t)
++	alsa_read_rw_config(xdm_t)
  ')
  
  optional_policy(`
@@ -25632,7 +25668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -312,6 +441,23 @@
+@@ -312,6 +443,23 @@
  ')
  
  optional_policy(`
@@ -25656,7 +25692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +468,10 @@
+@@ -322,6 +470,10 @@
  ')
  
  optional_policy(`
@@ -25667,7 +25703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -335,6 +485,11 @@
+@@ -335,6 +487,11 @@
  ')
  
  optional_policy(`
@@ -25679,7 +25715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -343,8 +498,8 @@
+@@ -343,8 +500,8 @@
  ')
  
  optional_policy(`
@@ -25689,7 +25725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +535,7 @@
+@@ -380,7 +537,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -25698,7 +25734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +547,15 @@
+@@ -392,6 +549,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -25714,7 +25750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,9 +568,17 @@
+@@ -404,9 +570,17 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -25732,7 +25768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +592,22 @@
+@@ -420,6 +594,22 @@
  ')
  
  optional_policy(`
@@ -25755,7 +25791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +617,139 @@
+@@ -429,47 +619,139 @@
  ')
  
  optional_policy(`

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,10 @@ exit 0
 %endif
 
 %changelog
+* Fri Mar 18 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-23
+- Fix file context for MATLAB
+- Fixes for xace
+
 * Tue Mar 18 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-22
 - Allow stunnel to transition to inetd children domains
 - Make unconfined_dbusd_t an unconfined domain