From c23eb5b1c4e17ce4420fcaec0870ed013881e6db Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 6 Mar 2007 16:18:59 +0000
Subject: [PATCH] Patch for gssd fixes from Dan Walsh

---
 Changelog | 1 +
 policy/modules/services/rpc.te | 30 ++++++++++++++++++++++++------
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/Changelog b/Changelog
index 482a5318..3dce5ff3 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch for gssd fixes from Dan Walsh.
 - Patch for lvm fixes from Dan Walsh.
 - Patch for ricci fixes from Dan Walsh.
 - Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index b487385e..d240811f 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc,1.4.1)
+policy_module(rpc,1.4.2)
 
 ########################################
 #
@@ -120,9 +120,9 @@ tunable_policy(`nfs_export_all_ro',`
 # GSSD local policy
 #
 
-allow gssd_t self:capability { dac_override dac_read_search setuid };
-allow gssd_t self:process getsched;
-allow gssd_t self:fifo_file { read write };
+allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:process { getsched setsched };
+allow gssd_t self:fifo_file rw_file_perms;
 
 manage_dirs_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
 manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
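Review bot: The three rewritten `allow gssd_t self:...` lines in the -120 hunk widen the domain's self-permissions (`sys_nice` on capability, `setsched` on process, `rw_file_perms` in place of `{ read write }` on fifo_file) and none of them carries a comment saying what gssd does that needs them. The diff does not show the triggering denial, so a one-line comment above the block, e.g. `# sys_nice/setsched: gssd changes its own scheduling policy`, would let the next maintainer tell a deliberate grant from a catch-all one. If only the daemon's own scheduling is involved, `setsched` on `self:process` is the narrower of the two and `sys_nice` may be droppable, but that should be confirmed against the audit log rather than assumed.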
@@ -130,17 +130,27 @@ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
+kernel_search_network_sysctl(gssd_t)
+
+corecmd_search_sbin(gssd_t)
+corecmd_exec_bin(gssd_t)
 
 fs_list_rpc(gssd_t)
 fs_read_rpc_sockets(gssd_t)
 fs_read_rpc_files(gssd_t)
 
 files_list_tmp(gssd_t)
-files_read_generic_tmp_files(gssd_t)
-files_read_generic_tmp_symlinks(gssd_t)
+files_read_usr_symlinks(gssd_t)
 
 miscfiles_read_certs(gssd_t)
 
+ifdef(`targeted_policy',`
+	files_read_generic_tmp_files(gssd_t)
+	files_read_generic_tmp_symlinks(gssd_t)
+	# Manage the users kerberos tgt file
+	files_manage_generic_tmp_files(gssd_t)
+')
+
 tunable_policy(`allow_gssd_read_tmp',`
 	userdom_list_unpriv_users_tmp(gssd_t)
 	userdom_read_unpriv_users_tmp_files(gssd_t)
@@ -151,3 +161,11 @@ optional_policy(`
 	kerberos_use(gssd_t)
 	kerberos_read_keytab(gssd_t)
 ')
+
+optional_policy(`
+	pcscd_read_pub_files(gssd_t)
+')
+
+optional_policy(`
+	xserver_rw_xdm_tmp_files(gssd_t)
+')
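Review bot: The `targeted_policy` block in the -130 hunk grants `files_manage_generic_tmp_files(gssd_t)` unconditionally, which, as the interface name says, gives gssd create/write/unlink rights on every generic tmp file rather than only the kerberos credential cache the comment names, and it sits outside the `allow_gssd_read_tmp` tunable that gates the neighbouring read access. If the goal is refreshing user ccaches, a dedicated credential-cache file type, or at least a tunable in the style of the existing `allow_gssd_read_tmp`, would keep the grant proportional; failing that the comment should state the reason, e.g. `# targeted: user ccaches are plain tmp files, so gssd must write them to renew tickets`. `corecmd_exec_bin(gssd_t)` is likewise added with no comment naming the helper gssd executes; recording it lets a later reviewer replace the blanket bin_t execute with a specific domain transition. The `tunable_policy` block at the end of the hunk continues outside it.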
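Review bot: The two new `optional_policy` blocks in the -151 hunk add `pcscd_read_pub_files(gssd_t)` and `xserver_rw_xdm_tmp_files(gssd_t)` without any comment, and the xdm one in particular is not self-explanatory for an NFS credential daemon. Each block would benefit from a one-line reason above the interface call, presumably along the lines of `# rw kerberos credential caches created under xdm sessions` for the xserver rule and `# smart-card backed kerberos credentials` for pcscd, but both reasons are inferred here and should be verified against the denials that motivated them before being written down. Read-write on xdm's tmp files is broader than reading a ccache; if only read is needed, the read-only variant of the interface would be the narrower choice.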