From e0ed765c0e809ef2e8410948abb6cfe98cab17e9 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 11 Aug 2008 14:03:36 +0000
Subject: [PATCH] trunk: 3 patches from the fedora policy, cherry picked by David Hardeman.
---
 policy/modules/kernel/corenetwork.te.in | 3 ++-
 policy/modules/services/qmail.te | 17 +++++++++++++++--
 policy/modules/system/ipsec.if | 19 +++++++++++++++++++
 policy/modules/system/ipsec.te | 8 ++++----
 policy/modules/system/iscsi.fc | 4 ++--
 policy/modules/system/iscsi.te | 5 +++--
 policy/modules/system/sysnetwork.te | 6 +++++-
 7 files changed, 50 insertions(+), 12 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 8ccf4672..137d2a58 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.16)
+policy_module(corenetwork, 1.2.17)
 ########################################
 #
@@ -109,6 +109,7 @@ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(ircd, tcp,6667,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0)
 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
 network_port(jabber_interserver, tcp,5269,s0)
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 5d4e608b..57cc7efb 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -1,5 +1,5 @@
-policy_module(qmail, 1.3.0)
+policy_module(qmail, 1.3.1)
 ########################################
 #
@@ -14,7 +14,7 @@ files_type(qmail_alias_home_t)
 qmail_child_domain_template(qmail_clean, qmail_start_t)
 type qmail_etc_t;
-files_type(qmail_etc_t)
+files_config_file(qmail_etc_t)
 type qmail_exec_t;
 files_type(qmail_exec_t)
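Review bot: `files_config_file(qmail_etc_t)` replacing `files_type(qmail_etc_t)` in the qmail.te `@@ -14,7` hunk is a visibility change, not a cosmetic one: if it behaves like the other refpolicy `files_*_file` declarations it also attaches the generic config-file attribute, so any domain granted the broad config-file read or manage interfaces gains access to qmail's control files, where previously only callers of `qmail_read_config()` had it. The commit message does not mention that widening; confirm the qmail control directory holds nothing that should stay limited to the qmail domains. A short comment above the line would record the decision, e.g. `# config-file attribute: readable by generic config readers, not only qmail_read_config() callers`.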
@@ -85,6 +85,8 @@ files_search_var(qmail_inject_t)
 libs_use_ld_so(qmail_inject_t)
 libs_use_shared_libs(qmail_inject_t)
+miscfiles_read_localization(qmail_inject_t)
+
 qmail_read_config(qmail_inject_t)
 ########################################
@@ -100,17 +102,24 @@ allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
 manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
 manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+can_exec(qmail_local_t, qmail_local_exec_t)
+
 allow qmail_local_t qmail_queue_exec_t:file read;
 allow qmail_local_t qmail_spool_t:file read_file_perms;
 kernel_read_system_state(qmail_local_t)
+corecmd_exec_bin(qmail_local_t)
 corecmd_exec_shell(qmail_local_t)
 files_read_etc_files(qmail_local_t)
 files_read_etc_runtime_files(qmail_local_t)
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog_msg(qmail_local_t)
+
 mta_append_spool(qmail_local_t)
 qmail_domtrans_queue(qmail_local_t)
@@ -155,6 +164,10 @@ manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog_msg(qmail_queue_t)
+
 optional_policy(`
 	daemontools_ipc_domain(qmail_queue_t)
 ')
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index b84df8eb..e082a558 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
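Review bot: `corecmd_exec_bin(qmail_local_t)` in the `@@ -100,17` hunk lets the local-delivery domain run any bin_t program in its own domain, on top of the `corecmd_exec_shell` it already had, and the `@@ -155,6` hunk grants the same `corecmd_exec_bin` to qmail_queue_t; neither line says which program needs it. If this is for external delivery programs (presumably the ones a user's delivery instructions name — confirm), they run with everything qmail_local_t holds in this hunk (alias home management, spool append, nsswitch, syslog), so a domain transition for those helpers, or at least a comment naming the expected programs, is preferable to an open in-domain exec. Suggested comment above each of the two lines: `# runs external delivery programs in-domain, no transition — [program names]`. The qmail_local_t policy block begins before this hunk.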
@@ -131,6 +131,25 @@ interface(`ipsec_setcontext_default_spd',`
 allow $1 ipsec_spd_t:association setcontext;
 ')
+########################################
+##
+##	write the ipsec_var_run_t files.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`ipsec_write_pid',`
+	gen_require(`
+		type ipsec_var_run_t;
+	')
+
+	files_search_pids($1)
+	write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+')
+
 ########################################
 ##
 ##	Create, read, write, and delete the IPSEC pid files.
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 990b691c..f2c3843a 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec, 1.7.0)
+policy_module(ipsec, 1.7.1)
 ########################################
 #
@@ -69,9 +69,9 @@ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
 read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
-allow ipsec_t ipsec_var_run_t:file manage_file_perms;
-allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
-files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
+manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
index a5aaa684..405dbe23 100644
--- a/policy/modules/system/iscsi.fc
+++ b/policy/modules/system/iscsi.fc
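Review bot: The summary of the new `ipsec_write_pid` interface reads `write the ipsec_var_run_t files.` while the neighbouring interface in the same hunk documents itself as `Create, read, write, and delete the IPSEC pid files.`; the interface summary is what policy authors see when choosing an interface, so it should describe the files rather than name the type and follow the sibling's capitalisation, e.g. `Write the IPSEC pid files.`. The body is appropriately narrow — by its name `write_files_pattern` grants write on existing ipsec_var_run_t files without create or unlink — and that is worth stating in the summary too, so a caller that must create the pid file knows to use the manage interface instead.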
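Review bot: In the ipsec.te `@@ -69,9` hunk, swapping the three `allow ipsec_t ipsec_var_run_t:...` rules for `manage_files_pattern` and `manage_sock_files_pattern` is not a pure restyle: if the pattern macros follow the usual refpolicy definitions they also grant ipsec_t read/write directory permissions on ipsec_var_run_t-labelled directories, which the removed per-class rules never did. That is harmless as long as no directory carries ipsec_var_run_t (the filetrans on the next line only covers `file` and `sock_file`), but the commit message presents the change as a cherry-pick, so either note the widening there or keep the explicit `:file` and `:sock_file` rules if directory access is not wanted. The ipsec_var_run_t declaration and its fc entries lie outside this hunk.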
@@ -1,5 +1,5 @@
 /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/var/lib/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_var_lib_t,s0)
-/var/lock/iscsi(/.*)? -- gen_context(system_u:object_r:iscsi_lock_t,s0)
+/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
 /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index 8b661e8d..4a27e616 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -1,5 +1,5 @@
-policy_module(iscsid,1.4.0)
+policy_module(iscsid, 1.4.1)
 ########################################
 #
@@ -29,7 +29,7 @@ files_pid_file(iscsi_var_run_t)
 #
 allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-allow iscsid_t self:process { setrlimit setsched };
+allow iscsid_t self:process { setrlimit setsched signal };
 allow iscsid_t self:fifo_file { read write };
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow iscsid_t self:unix_dgram_socket create_socket_perms;
@@ -63,6 +63,7 @@ corenet_tcp_sendrecv_all_nodes(iscsid_t)
 corenet_tcp_sendrecv_all_ports(iscsid_t)
 corenet_tcp_connect_http_port(iscsid_t)
 corenet_tcp_connect_iscsi_port(iscsid_t)
+corenet_tcp_connect_isns_port(iscsid_t)
 dev_rw_sysfs(iscsid_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 0c890679..30e139b8 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork, 1.7.0)
+policy_module(sysnetwork, 1.7.1)
 ########################################
 #
@@ -319,6 +319,10 @@ ifdef(`hide_broken_symptoms',`
 ')
 ')
+optional_policy(`
+	ipsec_write_pid(ifconfig_t)
+')
+
 optional_policy(`
 	netutils_domtrans(dhcpc_t)
 ')
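Review bot: Dropping the `--` file-class qualifier from the `/var/lib/iscsi(/.*)?` and `/var/lock/iscsi(/.*)?` entries means the directories themselves, and any non-regular-file entries beneath them, now receive iscsi_var_lib_t and iscsi_lock_t instead of inheriting the parent directory's label. The iscsi.te hunks in this same patch add no directory rules for either type, so confirm that iscsid_t already holds dir permissions on iscsi_var_lib_t and iscsi_lock_t somewhere outside this diff; otherwise the relabel turns the previously permitted directory access into denials at the next boot or restorecon. Installed systems will also need those trees relabelled before the new entries take effect.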
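Review bot: `ipsec_write_pid(ifconfig_t)` in the sysnetwork.te `@@ -319,6` hunk grants the interface-configuration domain write access to IPSEC's runtime files with nothing in the hunk saying which caller needs it; since ifconfig_t is the domain of the generic interface tools, the grant applies to every invocation of them, not only to whatever IPSEC setup path motivated the cherry-pick. Add a one-line comment inside the new block naming the script or program that writes the file, e.g. `# [caller] writes the IPSEC pid file`, so a later reviewer can tell whether the access is still needed, or place the access in the domain that actually performs the IPSEC setup if one exists. The ifdef block whose closing lines open this hunk starts before it.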