From cd66769910e5d1a7fe4744966e76aa45886572ed Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 14 Dec 2005 15:27:14 +0000 Subject: [PATCH] another patch from dan --- refpolicy/policy/modules/admin/rpm.if | 22 +++++++++++++ refpolicy/policy/modules/admin/rpm.te | 31 ++----------------- refpolicy/policy/modules/services/hal.te | 6 +--- refpolicy/policy/modules/services/nis.if | 4 +-- refpolicy/policy/modules/system/libraries.fc | 1 + refpolicy/policy/modules/system/unconfined.te | 3 +- 6 files changed, 30 insertions(+), 37 deletions(-) diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index 12f93fad..d6306450 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -26,6 +26,28 @@ interface(`rpm_domtrans',` allow rpm_t $1:process sigchld; ') +######################################## +## +## Execute rpm_script programs in the rpm_script domain. +## +## +## Domain allowed access. +## +# +interface(`rpm_script_domtrans',` + gen_require(` + type rpm_exec_t; + ') + + # transition to rpm script: + corecmd_shell_domtrans($1,rpm_script_t) + + allow $1 rpm_script_t:fd use; + allow rpm_script_t $1:fd use; + allow rpm_script_t $1:fifo_file rw_file_perms; + allow rpm_script_t $1:process sigchld; +') + ######################################## ## ## Execute RPM programs in the RPM domain. diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 847e2c78..27194c3f 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.1.0) +policy_module(rpm,1.1.1) ######################################## # @@ -47,12 +47,6 @@ files_tmp_file(rpm_script_tmp_t) type rpm_script_tmpfs_t; files_tmpfs_file(rpm_script_tmpfs_t) -type rpmbuild_t; -domain_type(rpmbuild_t) - -type rpmbuild_exec_t; -domain_entry_file(rpmbuild_t,rpmbuild_exec_t) - ######################################## # # rpm Local policy 
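Review bot: In the new `rpm_script_domtrans` interface in rpm.if, the `gen_require` block declares `type rpm_exec_t;`, but every rule in the body refers to `rpm_script_t` and `rpm_exec_t` is never used. A caller outside the rpm module (the unconfined.te hunk of this patch adds one) therefore gets no declaration for the type the interface actually uses, so the requirement should read `type rpm_script_t;`. The comment above the `corecmd_shell_domtrans` call could also state the trigger, presumably shell execution by the caller, for example `# a shell executed by $1 runs in rpm_script_t`, so that callers can see what they are granting.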
@@ -140,7 +134,7 @@ auth_dontaudit_read_shadow(rpm_t) corecmd_exec_bin(rpm_t) corecmd_exec_sbin(rpm_t) # transition to rpm script: -corecmd_shell_domtrans(rpm_t,rpm_script_t) +rpm_script_domtrans(rpm_t) domain_exec_all_entry_files(rpm_t) domain_read_all_domains_state(rpm_t) @@ -362,27 +356,6 @@ ifdef(`TODO',` optional_policy(`lpd',` can_exec(rpm_script_t,printconf_t) ') -') dnl end TODO - -######################################## -# -# rpm-build Local policy -# - -# cjp: this looks like dead policy. nothing -# can transition to this domain, nor can it -# really do anything useful. - -selinux_get_fs_mount(rpmbuild_t) -selinux_validate_context(rpmbuild_t) -selinux_compute_access_vector(rpmbuild_t) -selinux_compute_create_context(rpmbuild_t) -selinux_compute_relabel_context(rpmbuild_t) -selinux_compute_user_contexts(rpmbuild_t) - -seutil_read_src_pol(rpmbuild_t) - -ifdef(`TODO',` optional_policy(`cups',` allow cupsd_t rpm_var_lib_t:dir r_dir_perms; diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 455e384c..78365a06 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.1.2) +policy_module(hal,1.1.3) ######################################## # @@ -182,10 +182,6 @@ optional_policy(`nscd',` nscd_use_socket(hald_t) ') -optional_policy(`ntp',` - ntp_domtrans(hald_t) -') - optional_policy(`pcmcia',` pcmcia_manage_pid(hald_t) pcmcia_manage_runtime_chr(hald_t) diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if index 9193fbe7..297c4b77 100644 --- a/refpolicy/policy/modules/services/nis.if +++ b/refpolicy/policy/modules/services/nis.if 
@@ -217,11 +217,11 @@ interface(`nis_tcp_connect_ypbind',` # interface(`nis_read_ypbind_pid',` gen_require(` - type ypbind_t; + type ypbind_var_run_t; ') files_search_pids($1) - allow $1 ypbind_t:file r_file_perms; + allow $1 ypbind_var_run_t:file r_file_perms; ') ######################################## diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index 82fb18a3..e7f1ef07 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -113,6 +113,7 @@ ifdef(`distro_redhat',` /usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr(/.*)?/pcsc/drivers(/.*)?/libcm(2020|4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index c4c2a89c..37b933de 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.1.1) +policy_module(unconfined,1.1.2) ######################################## # @@ -118,6 +118,7 @@ ifdef(`targeted_policy',` optional_policy(`rpm',` rpm_domtrans(unconfined_t) + rpm_script_domtrans(unconfined_t) ') optional_policy(`samba',`
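Review bot: The added libraries.fc entry is rooted at `/usr(/.*)?` rather than at `/usr/lib(64)?` like the entries around it, so any file under /usr whose path contains `pcsc/drivers` and matches the libcm name is labelled `textrel_shlib_t`. That label presumably relaxes the text-relocation restriction for whatever loads the library, so it should cover as few paths as possible. If the drivers only ship under the library directories, `/usr/lib(64)?/pcsc/drivers(/.*)?/libcm(2020|4000|SCR24x)\.so(\.[^/]*)*` would be enough. Otherwise a comment naming the package and install path that needs the wider match would help the next reviewer.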
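Review bot: `rpm_script_domtrans(unconfined_t)` in unconfined.te inherits whatever trigger `corecmd_shell_domtrans` defines, because the interface added in rpm.if is built only on that macro, so the transition into `rpm_script_t` appears to key on shell execution rather than on anything rpm-specific. If that reading is right, shells started by `unconfined_t` would change domain, which is wider than the interface summary ("Execute rpm_script programs in the rpm_script domain") suggests. Please confirm this is intended and record it next to the call, for example `# unconfined_t shells enter rpm_script_t (needed for <reason>)`. The enclosing targeted_policy ifdef starts outside the hunk.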