From f1bc73d0ef3c84dc88514c335cadb9d7ebd16673 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Tue, 4 Oct 2011 10:50:39 -0400 Subject: [PATCH] Allow logrotate setuid and setgid since logrotate is supposed to do it Fixes for thumb policy by grift Add new nfsd ports Added fix to allow confined apps to execmod on chrome Add labeling for additional vdsm directories Allow Exim and Dovecot SASL Add label for /var/run/nmbd Add fixes to make virsh and xen working together Colord executes ls /var/spool/cron is now labeled as user_cron_spool_t --- execmem.patch | 379 ++++++++++++++++++++++++++++++++++++++++++ modules-mls.conf | 14 -- modules-targeted.conf | 14 -- policy-F16.patch | 16 +- selinux-policy.spec | 26 ++- thumb.patch | 2 +- 6 files changed, 417 insertions(+), 34 deletions(-) create mode 100644 execmem.patch diff --git a/execmem.patch b/execmem.patch new file mode 100644 index 00000000..82343be9 --- /dev/null +++ b/execmem.patch 
@@ -0,0 +1,379 @@ +diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te +index 8d3c1d8..a7b1b65 100644 +--- a/policy/modules/admin/rpm.te ++++ b/policy/modules/admin/rpm.te +@@ -416,14 +416,6 @@ optional_policy(` + unconfined_domain_noaudit(rpm_script_t) + unconfined_domtrans(rpm_script_t) + unconfined_execmem_domtrans(rpm_script_t) +- +- optional_policy(` +- java_domtrans_unconfined(rpm_script_t) +- ') +- +- optional_policy(` +- mono_domtrans(rpm_script_t) +- ') + ') + + optional_policy(` +diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc +index 6f3570a..70c661e 100644 +--- a/policy/modules/apps/execmem.fc ++++ b/policy/modules/apps/execmem.fc +@@ -46,3 +46,48 @@ ifdef(`distro_gentoo',` + /opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0) + /usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++# ++# /opt ++# ++/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/ibm/java.*/(bin|javaws)(/.*)? 
-- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++# ++# /usr ++# ++/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/fastjar -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/frysk -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/gappletviewer -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/gij -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/gjarsigner -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/gkeytool -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/grmic -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/grmiregistry -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/jv-convert -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/jvm/java(.*/)bin(/.*)? 
-- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++ifdef(`distro_redhat',` ++/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0) ++') ++/usr/bin/mono.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if +index e23f640..a78bec0 100644 +--- a/policy/modules/apps/execmem.if ++++ b/policy/modules/apps/execmem.if +@@ -129,4 +129,3 @@ interface(`execmem_execmod',` + + allow $1 execmem_exec_t:file execmod; + ') +- +diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te +index a7d37e2..fd8450f 100644 +--- a/policy/modules/apps/execmem.te ++++ b/policy/modules/apps/execmem.te +@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0) + # + # Declarations + # ++attribute execmem_type; + +-type execmem_exec_t alias unconfined_execmem_exec_t; ++type execmem_exec_t; ++typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t }; + application_executable_file(execmem_exec_t) + ++allow execmem_type self:process { execmem execstack }; ++files_execmod_tmp(execmem_type) ++execmem_execmod(execmem_type) ++ ++optional_policy(` ++ gnome_read_usr_config(execmem_type) ++') ++ ++optional_policy(` ++ mozilla_execmod_user_home_files(execmem_type) ++') ++ ++optional_policy(` ++ nsplugin_rw_shm(execmem_type) ++ nsplugin_rw_semaphores(execmem_type) ++') +diff --git a/policy/modules/apps/mozilla.te 
b/policy/modules/apps/mozilla.te +index d1b1280..f93103b 100644 +--- a/policy/modules/apps/mozilla.te ++++ b/policy/modules/apps/mozilla.te +@@ -273,10 +273,6 @@ optional_policy(` + ') + + optional_policy(` +- java_domtrans(mozilla_t) +-') +- +-optional_policy(` + lpd_domtrans_lpr(mozilla_t) + ') + +@@ -456,7 +452,7 @@ optional_policy(` + ') + + optional_policy(` +- java_exec(mozilla_plugin_t) ++ execmem_exec(mozilla_plugin_t) + ') + + optional_policy(` +diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te +index ccc15ab..9d0e298 100644 +--- a/policy/modules/apps/podsleuth.te ++++ b/policy/modules/apps/podsleuth.te +@@ -85,5 +85,5 @@ optional_policy(` + ') + + optional_policy(` +- mono_exec(podsleuth_t) ++ execmem_exec(podsleuth_t) + ') +diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te +index bfabe3f..fbbce55 100644 +--- a/policy/modules/roles/staff.te ++++ b/policy/modules/roles/staff.te +@@ -268,10 +268,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- java_role(staff_r, staff_t) +- ') +- +- optional_policy(` + lockdev_role(staff_r, staff_t) + ') + +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 7cd6d4f..e120bbc 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -524,10 +524,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- java_role(sysadm_r, sysadm_t) +- ') +- +- optional_policy(` + lockdev_role(sysadm_r, sysadm_t) + ') + +diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te +index fcc8949..6f1425f 100644 +--- a/policy/modules/roles/unconfineduser.te ++++ b/policy/modules/roles/unconfineduser.te +@@ -337,10 +337,6 @@ optional_policy(` + ') + + optional_policy(` +- java_run_unconfined(unconfined_t, unconfined_r) +-') +- +-optional_policy(` + kerberos_filetrans_named_content(unconfined_t) + ') + +@@ -361,13 +357,6 @@ optional_policy(` + ') + + optional_policy(` +- 
mono_role_template(unconfined, unconfined_r, unconfined_t) +- unconfined_domain_noaudit(unconfined_mono_t) +- role system_r types unconfined_mono_t; +-') +- +- +-optional_policy(` + mozilla_role_plugin(unconfined_r) + + tunable_policy(`unconfined_mozilla_plugin_transition', ` +diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te +index e5a8559..68013b7 100644 +--- a/policy/modules/roles/unprivuser.te ++++ b/policy/modules/roles/unprivuser.te +@@ -148,10 +148,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- java_role(user_r, user_t) +- ') +- +- optional_policy(` + lockdev_role(user_r, user_t) + ') + +diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te +index 1cd57fd..a1db79d 100644 +--- a/policy/modules/roles/xguest.te ++++ b/policy/modules/roles/xguest.te +@@ -107,14 +107,6 @@ optional_policy(` + ') + + optional_policy(` +- java_role_template(xguest, xguest_r, xguest_t) +-') +- +-optional_policy(` +- mono_role_template(xguest, xguest_r, xguest_t) +-') +- +-optional_policy(` + mozilla_run_plugin(xguest_usertype, xguest_r) + ') + +diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te +index 1442451..add9ada 100644 +--- a/policy/modules/services/boinc.te ++++ b/policy/modules/services/boinc.te +@@ -168,5 +168,5 @@ miscfiles_read_fonts(boinc_project_t) + miscfiles_read_localization(boinc_project_t) + + optional_policy(` +- java_exec(boinc_project_t) ++ execmem_exec(boinc_project_t) + ') +diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te +index 86ea0ba..a2c41fd 100644 +--- a/policy/modules/services/cron.te ++++ b/policy/modules/services/cron.te +@@ -299,10 +299,6 @@ optional_policy(` + ') + + optional_policy(` +- mono_domtrans(crond_t) +-') +- +-optional_policy(` + amanda_search_var_lib(crond_t) + ') + +@@ -553,10 +549,6 @@ optional_policy(` + ') + + optional_policy(` +- mono_domtrans(system_cronjob_t) +-') +- +-optional_policy(` + 
mrtg_append_create_logs(system_cronjob_t) + ') + +@@ -709,11 +701,6 @@ tunable_policy(`fcron_crond',` + allow crond_t user_cron_spool_t:file manage_file_perms; + ') + +-# need a per-role version of this: +-#optional_policy(` +-# mono_domtrans(cronjob_t) +-#') +- + optional_policy(` + nis_use_ypbind(cronjob_t) + ') +diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if +index 1e40c00..ae34382 100644 +--- a/policy/modules/services/hadoop.if ++++ b/policy/modules/services/hadoop.if +@@ -127,7 +127,7 @@ template(`hadoop_domain_template',` + + hadoop_exec_config(hadoop_$1_t) + +- java_exec(hadoop_$1_t) ++ execmem_exec(hadoop_$1_t) + + kerberos_use(hadoop_$1_t) + +diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te +index 3889dc9..32dc803 100644 +--- a/policy/modules/services/hadoop.te ++++ b/policy/modules/services/hadoop.te +@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t) + + userdom_use_inherited_user_terminals(hadoop_t) + +-java_exec(hadoop_t) ++execmem_exec(hadoop_t) + + kerberos_use(hadoop_t) + +@@ -342,7 +342,7 @@ sysnet_read_config(zookeeper_t) + userdom_use_inherited_user_terminals(zookeeper_t) + userdom_dontaudit_search_user_home_dirs(zookeeper_t) + +-java_exec(zookeeper_t) ++execmem_exec(zookeeper_t) + + ######################################## + # +@@ -427,4 +427,4 @@ miscfiles_read_localization(zookeeper_server_t) + + sysnet_read_config(zookeeper_server_t) + +-java_exec(zookeeper_server_t) ++execmem_exec(zookeeper_server_t) +diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te +index 60e0e2d..d14f2d6 100644 +--- a/policy/modules/services/xserver.te ++++ b/policy/modules/services/xserver.te +@@ -1247,10 +1247,6 @@ optional_policy(` + ') + + optional_policy(` +- mono_rw_shm(xserver_t) +-') +- +-optional_policy(` + rhgb_rw_shm(xserver_t) + rhgb_rw_tmpfs_files(xserver_t) + ') +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 
53f3bfe..20dd3a0 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -1190,10 +1190,6 @@ optional_policy(` + unconfined_dontaudit_rw_pipes(daemon) + ') + +- optional_policy(` +- mono_domtrans(initrc_t) +- ') +- + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t) + +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index e7a65ae..a001ce9 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template', ` + ') + + optional_policy(` +- java_role_template($1, $1_r, $1_t) +- ') +- +- optional_policy(` +- mono_role_template($1, $1_r, $1_t) +- ') +- +- optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) + ') diff --git a/modules-mls.conf b/modules-mls.conf index 9706ffb9..28ac6681 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -733,13 +733,6 @@ i18n_input = off # jabber = module -# Layer: apps -# Module: java -# -# java executable -# -java = module - # Layer: admin # Module: kdump # @@ -925,13 +918,6 @@ modutils = module # mojomojo = module -# Layer: apps -# Module: mono -# -# mono executable -# -mono = module - # Layer: system # Module: mount # diff --git a/modules-targeted.conf b/modules-targeted.conf index 35bbfa61..6930073c 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -843,13 +843,6 @@ i18n_input = off # jabber = module -# Layer: apps -# Module: java -# -# java executable -# -java = module - # Layer: apps # Module: execmem # @@ -1071,13 +1064,6 @@ mojomojo = module # modutils = module -# Layer: apps -# Module: mono -# -# mono executable -# -mono = module - # Layer: system # Module: mount # diff --git a/policy-F16.patch b/policy-F16.patch index 922b4d28..29e1ca45 100644 --- a/policy-F16.patch +++ b/policy-F16.patch 
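Review bot: The new execmem.fc entry `/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:execmem_exec_t,s0)` uses `.*`, which crosses `/` and also takes in every javac/javadoc/javap-style tool, while the sibling /opt entry in the same hunk uses `java[^/]*`; execmem_exec_t is presumably the entry-point label for execmem_type domains (execmem.if is only partly in this hunk), which this hunk grants `allow execmem_type self:process { execmem execstack }` plus execmod, so the /usr pattern should be as tight as the /opt one: `/usr/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)`. The same `.*` form is used on `/usr/bin/mono.*` and the MATLAB lines, and `/usr/lib/jvm/java(.*/)bin(/.*)?` labels every regular file under a JVM bin tree, each of which widens the set of files a confined domain may run with execmem; confirm each is intended rather than carried over from the old java.fc/mono.fc. execmem.te also declares `attribute execmem_type;` and attaches privilege rules to it without a comment on how domains join it (no typeattribute appears in this hunk, so presumably execmem.if does it); a one-line comment such as `# execmem_type: domains granted execmem/execstack and execmod; populated via the execmem.if templates` would help the next reader. The policy modules are patched as a nested patch, so every enclosing block lies outside this hunk.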
@@ -66791,7 +66791,7 @@ index 808ba93..ed84884 100644 ######################################## diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index e5836d3..c76046b 100644 +index e5836d3..eae9427 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; @@ -66834,7 +66834,17 @@ index e5836d3..c76046b 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -131,6 +139,10 @@ optional_policy(` +@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',` + ') + ') + ++ dev_dontaudit_rw_lvm_control(ldconfig_t) ++ term_dontaudit_use_unallocated_ttys(ldconfig_t) ++ + optional_policy(` + unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) + ') +@@ -131,6 +142,10 @@ optional_policy(` ') optional_policy(` @@ -66845,7 +66855,7 @@ index e5836d3..c76046b 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +153,3 @@ optional_policy(` +@@ -141,6 +156,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b772eb90..e2bc2461 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 34.6%{?dist} +Release: 36%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -214,7 +214,7 @@ fi; if [ -e /etc/selinux/%2/.rebuild ]; then \ rm /etc/selinux/%2/.rebuild; \ if [ %1 -ne 1 ]; then \ - /usr/sbin/semodule -n -s %2 -r moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \ + /usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \ fi \ /usr/sbin/semodule -B -s %2; \ else \ 
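Review bot: The two new lines `dev_dontaudit_rw_lvm_control(ldconfig_t)` and `term_dontaudit_use_unallocated_ttys(ldconfig_t)` sit, judging by the `ifdef(`hide_broken_symptoms',` context in the hunk header, in the block that hides leaked descriptors, and carry no comment saying what leaks them; the 3.10.0-35 changelog line "Stop complaining about leaked file descriptors during install" is the only explanation on the page. A dontaudit silences the AVC record rather than closing the leak, so a comment above them such as `# fds leaked into ldconfig during package install; dontaudit until the leaking caller is fixed` keeps the rule revisitable. The enclosing ifdef block of libraries.te starts and ends outside this hunk.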
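Review bot: The upgrade branch now runs `/usr/sbin/semodule -n -s %2 -r java mono moilscanner ...` with stderr discarded, and nothing in the spec records that removing those two modules is safe only because the merged execmem module's `typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t }` keeps existing java_exec_t/mono_exec_t labels valid after `semodule -B`; a comment on the line above, `# java and mono were merged into execmem (3.10.0-34.7); its typealias keeps their file types valid`, would preserve that dependency. Whether a single `semodule -r` with a list still removes the others when one listed module is already absent is not visible here, and with `2>/dev/null` any such failure is silent, as it already was for the existing names.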
@@ -240,6 +240,7 @@ Based off of reference policy: Checked out revision 2.20091117 %patch -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %install mkdir selinux_config @@ -471,6 +472,27 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Oct 3 2011 Miroslav Grepl 3.10.0-36 +- Allow logrotate setuid and setgid since logrotate is supposed to do it +- Fixes for thumb policy by grift +- Add new nfsd ports +- Added fix to allow confined apps to execmod on chrome +- Add labeling for additional vdsm directories +- Allow Exim and Dovecot SASL +- Add label for /var/run/nmbd +- Add fixes to make virsh and xen working together +- Colord executes ls +- /var/spool/cron is now labeled as user_cron_spool_t + +* Mon Oct 3 2011 Dan Walsh 3.10.0-35 +- Stop complaining about leaked file descriptors during install + +* Fri Sep 29 2011 Dan Walsh 3.10.0-34.7 +- Remove java and mono module and merge into execmem + +* Fri Sep 29 2011 Dan Walsh 3.10.0-34.6 +- Fixes for thumb policy and passwd_file_t + * Fri Sep 29 2011 Dan Walsh 3.10.0-34.4 - Fixes caused by the labeling of /etc/passwd - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide diff --git a/thumb.patch b/thumb.patch index df9d9dae..97ff4097 100644 --- a/thumb.patch +++ b/thumb.patch @@ -6,7 +6,7 @@ index 1105ff5..620e17b 100644 rtkit_scheduled(unconfined_usertype) ') -+ # Might remove later if this proves to be problematic, but would like to gather AVC's ++ # Might remove later if this proves to be problematic, but would like to gather AVCs + optional_policy(` + thumb_role(unconfined_r, unconfined_usertype) + ')
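Review bot: `%patch3 -p1` is added to %prep, but this diff adds no matching `Patch3: execmem.patch` declaration — the spec's 26 diffstat lines are fully accounted for by the four hunks shown — so unless the spec already declares Patch3 (the Source/Patch declarations are outside the shown context), rpmbuild stops at %prep with an undefined patch number. If Patch3 is already declared for another file, the new execmem.patch added by this commit is not wired to the build at all; either way the declaration and the `%patch3` line belong in the same change.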