From 5f6c30f8bd3b15c9845ffb24d2e7035e1ca2fe2d Mon Sep 17 00:00:00 2001
From: Chris PeBenito <pebenito@gentoo.org>
Date: Mon, 27 Jul 2009 15:11:22 -0400
Subject: [PATCH 1/2] wm policy from dan

---
 Changelog                 |  1 +
 policy/modules/apps/wm.fc |  3 ++
 policy/modules/apps/wm.if | 98 +++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/wm.te | 10 ++++
 4 files changed, 112 insertions(+)
 create mode 100644 policy/modules/apps/wm.fc
 create mode 100644 policy/modules/apps/wm.if
 create mode 100644 policy/modules/apps/wm.te

diff --git a/Changelog b/Changelog
index a48f9c93..85b677dc 100644
--- a/Changelog
+++ b/Changelog
@@ -37,6 +37,7 @@
 	ulogd (Dan Walsh)
 	varnishd (Dan Walsh)
 	webadm (Dan Walsh)
+	wm (Dan Walsh)
 	xguest (Dan Walsh)
 	zosremote (Dan Walsh)
 
diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc
new file mode 100644
index 00000000..be30d554
--- /dev/null
+++ b/policy/modules/apps/wm.fc
@@ -0,0 +1,3 @@
+/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox	--	gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity	--	gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
new file mode 100644
index 00000000..313f247e
--- /dev/null
+++ b/policy/modules/apps/wm.if
@@ -0,0 +1,98 @@
+## <summary>X Window Managers</summary>
+
+#######################################
+## <summary>
+##	The role template for the wm module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for window manager applications.
+##	</p>
+## </desc>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`wm_role_template',`
+	gen_require(`
+		type wm_exec_t;
+	')
+
+	type $1_wm_t;
+	domain_type($1_wm_t)
+	domain_entry_file($1_wm_t, wm_exec_t)
+	role $2 types $1_wm_t;
+
+	allow $1_wm_t self:fifo_file rw_fifo_file_perms;
+	allow $1_wm_t self:process getsched;
+	allow $1_wm_t self:shm create_shm_perms;
+
+	allow $1_wm_t $3:unix_stream_socket connectto;
+
+	domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+	kernel_read_system_state($1_wm_t)
+
+	corecmd_bin_domtrans($1_wm_t, $3)
+	corecmd_shell_domtrans($1_wm_t, $3)
+
+	dev_read_urand($1_wm_t)
+
+	files_read_etc_files($1_wm_t)
+	files_read_usr_files($1_wm_t)
+
+	mls_file_read_all_levels($1_wm_t)
+	mls_file_write_all_levels($1_wm_t)
+	mls_xwin_read_all_levels($1_wm_t)
+	mls_xwin_write_all_levels($1_wm_t)
+	mls_fd_use_all_levels($1_wm_t)
+
+	auth_use_nsswitch($1_wm_t)
+
+	miscfiles_read_fonts($1_wm_t)
+	miscfiles_read_localization($1_wm_t)
+
+	userdom_manage_home_role($2, $1_wm_t)
+	userdom_manage_tmpfs_role($2, $1_wm_t)
+	userdom_manage_tmp_role($2, $1_wm_t)
+
+	optional_policy(`
+		dbus_system_bus_client($1_wm_t)
+	')
+
+	optional_policy(`
+		xserver_role($2, $1_wm_t)
+	')
+')
+
+########################################
+## <summary>
+##	Execute the wm program in the wm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wm_exec',`
+	gen_require(`
+		type wm_exec_t;
+	')
+
+	can_exec($1, wm_exec_t)
+')
diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
new file mode 100644
index 00000000..d19d2ec7
--- /dev/null
+++ b/policy/modules/apps/wm.te
@@ -0,0 +1,10 @@
+
+policy_module(wm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wm_exec_t;
+corecmd_executable_file(wm_exec_t)

From ebf3ec9063e5dae87af376cae497820a2b808ad5 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <pebenito@gentoo.org>
Date: Mon, 27 Jul 2009 16:04:10 -0400
Subject: [PATCH 2/2] snort patch from dan.

---
 policy/modules/services/snort.if |  2 +-
 policy/modules/services/snort.te | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
index 170da367..c117e8b5 100644
--- a/policy/modules/services/snort.if
+++ b/policy/modules/services/snort.if
@@ -38,7 +38,7 @@ interface(`snort_domtrans',`
 interface(`snort_admin',`
 	gen_require(`
 		type snort_t, snort_var_run_t, snort_log_t;
-		type snort_initrc_exec_t;
+		type snort_etc_t, snort_initrc_exec_t;
 	')
 
 	allow $1 snort_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index ab038091..5b13b97c 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
 
-policy_module(snort, 1.7.1)
+policy_module(snort, 1.7.2)
 
 ########################################
 #
@@ -56,6 +56,7 @@ manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
 files_pid_filetrans(snort_t, snort_var_run_t, file)
 
 kernel_read_kernel_sysctls(snort_t)
+kernel_read_sysctl(snort_t)
 kernel_list_proc(snort_t)
 kernel_read_proc_symlinks(snort_t)
 kernel_dontaudit_read_system_state(snort_t)
@@ -70,6 +71,7 @@ corenet_udp_sendrecv_generic_node(snort_t)
 corenet_raw_sendrecv_generic_node(snort_t)
 corenet_tcp_sendrecv_all_ports(snort_t)
 corenet_udp_sendrecv_all_ports(snort_t)
+corenet_tcp_connect_prelude_port(snort_t)
 
 dev_read_sysfs(snort_t)
 dev_read_rand(snort_t)
@@ -90,10 +92,16 @@ logging_send_syslog_msg(snort_t)
 miscfiles_read_localization(snort_t)
 
 sysnet_read_config(snort_t)
+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
+sysnet_dns_name_resolve(snort_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snort_t)
 userdom_dontaudit_search_user_home_dirs(snort_t)
 
+optional_policy(`
+	prelude_manage_spool(snort_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(snort_t)
 ')