- Cleanup of aiccu policy

- initial mock policy
2010-06-11 15:39:46 +00:00 · 2010-06-11 15:39:46 +00:00 · f2403c5b4f
commit f2403c5b4f
parent f651bb6fdc
4 changed files with 553 additions and 74 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -968,6 +968,13 @@ miscfiles = base
 # 
 mls = base

+# Layer: services
+# Module: mock
+#
+# Policy for mock rpm builder
+# 
+mock = base
+
 # Layer: system
 # Module: modutils
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -968,6 +968,13 @@ miscfiles = base
 # 
 mls = base

+# Layer: services
+# Module: mock
+#
+# Policy for mock rpm builder
+# 
+mock = base
+
 # Layer: system
 # Module: modutils
 #
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -602,8 +602,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 +/usr/sbin/send_arp      --  gen_context(system_u:object_r:ping_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.3/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/admin/netutils.te	2010-06-08 11:32:10.000000000 -0400
-@@ -144,15 +144,27 @@
+++ serefpolicy-3.8.3/policy/modules/admin/netutils.te	2010-06-10 08:42:54.000000000 -0400
+@@ -52,6 +52,8 @@
+ 
+ kernel_search_proc(netutils_t)
+ kernel_read_all_sysctls(netutils_t)
+kernel_read_network_state(netutils_t)
+kernel_request_load_module(netutils_t)
+ 
+ corenet_all_recvfrom_unlabeled(netutils_t)
+ corenet_all_recvfrom_netlabel(netutils_t)
+@@ -144,15 +146,27 @@
 	init_dontaudit_use_fds(ping_t)
 
 	optional_policy(`
@ -631,9 +640,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 	pcmcia_use_cardmgr_fds(ping_t)
 ')
 
-@@ -213,3 +225,10 @@
+@@ -212,4 +226,12 @@
+ #rules needed for nmap
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
+dev_read_usbmon_dev(netutils_t)
 files_read_usr_files(traceroute_t)
 +
 +term_use_all_terms(traceroute_t)
@ -763,7 +774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
 /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.8.3/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/admin/rpm.if	2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/rpm.if	2010-06-09 17:43:12.000000000 -0400
@@ -13,11 +13,36 @@
 interface(`rpm_domtrans',`
 	gen_require(`
@ -883,7 +894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 ')
 
 ########################################
-@@ -556,3 +626,48 @@
+@@ -556,3 +626,66 @@
 
         files_pid_filetrans($1, rpm_var_run_t, file)
 ')
@ -932,6 +943,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +')
 +
 +
+########################################
+## <summary>
+##	Make rpm_exec_t an entry point for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+# 
+interface(`rpm_entry_type',`
+	gen_require(`
+		type rpm_exec_t;
+	')
+
+	domain_entry_file($1, rpm_exec_t)
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.8.3/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2010-05-25 16:28:22.000000000 -0400
 +++ serefpolicy-3.8.3/policy/modules/admin/rpm.te	2010-06-08 11:32:10.000000000 -0400
@ -1119,8 +1148,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 		java_domtrans_unconfined(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.3/policy/modules/admin/shorewall.te
 --- nsaserefpolicy/policy/modules/admin/shorewall.te	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/admin/shorewall.te	2010-06-08 11:32:10.000000000 -0400
-@@ -87,7 +87,11 @@
+++ serefpolicy-3.8.3/policy/modules/admin/shorewall.te	2010-06-11 10:56:42.000000000 -0400
+@@ -81,13 +81,18 @@
+ 
+ init_rw_utmp(shorewall_t)
+ 
+logging_read_generic_logs(shorewall_t)
+ logging_send_syslog_msg(shorewall_t)
+ 
+ miscfiles_read_localization(shorewall_t)
 
 sysnet_domtrans_ifconfig(shorewall_t)
 
@ -4986,7 +5022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc
 /usr/libexec/qemu.* --	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.8.3/policy/modules/apps/qemu.if
 --- nsaserefpolicy/policy/modules/apps/qemu.if	2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/apps/qemu.if	2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/apps/qemu.if	2010-06-09 17:41:04.000000000 -0400
@@ -127,12 +127,14 @@
 template(`qemu_role',`
 	gen_require(`
@ -6678,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in	2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in	2010-06-11 11:15:13.000000000 -0400
@@ -25,6 +25,7 @@
 #
 type tun_tap_device_t;
@ -6774,8 +6810,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 network_port(pulseaudio, tcp,4713,s0)
-@@ -184,15 +202,17 @@
+@@ -182,17 +200,20 @@
+ network_port(sap, tcp,9875,s0, udp,9875,s0)
+ network_port(sieve, tcp,4190,s0)
 network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
+network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
@ -6793,7 +6832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 network_port(syslogd, udp,514,s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
-@@ -205,13 +225,13 @@
+@@ -205,13 +226,13 @@
 network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(virt_migration, tcp,49152-49216,s0)
@ -10880,19 +10919,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
 corenet_tcp_sendrecv_generic_if(afs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.8.3/policy/modules/services/aiccu.fc
 --- nsaserefpolicy/policy/modules/services/aiccu.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/services/aiccu.fc	2010-06-08 11:32:10.000000000 -0400
-@@ -0,0 +1,5 @@
-+
-+/usr/sbin/aiccu	--	gen_context(system_u:object_r:aiccu_exec_t,s0)
-+
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.fc	2010-06-11 11:16:28.000000000 -0400
+@@ -0,0 +1,6 @@
+/etc/aiccu.conf			--	gen_context(system_u:object_r:aiccu_etc_t,s0)
 +/etc/rc\.d/init\.d/aiccu	--	gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
-+/var/run/aiccu.pid		--	gen_context(system_u:object_r:aiccu_var_run_t,s0)
+
+/usr/sbin/aiccu			--	gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/var/run/aiccu\.pid		--	gen_context(system_u:object_r:aiccu_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.8.3/policy/modules/services/aiccu.if
 --- nsaserefpolicy/policy/modules/services/aiccu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/services/aiccu.if	2010-06-08 11:32:10.000000000 -0400
-@@ -0,0 +1,119 @@
-+
-+## <summary>policy for aiccu</summary>
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.if	2010-06-11 11:15:13.000000000 -0400
+@@ -0,0 +1,118 @@
+## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
 +
 +########################################
 +## <summary>
@ -10910,6 +10949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +	')
 +
 +	domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+	corecmd_search_bin($1)
 +')
 +
 +
@ -10919,7 +10959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The type of the process performing this action.
+##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
@ -10946,13 +10986,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +		type aiccu_var_run_t;
 +	')
 +
-+	files_search_pids($1)
 +	allow $1 aiccu_var_run_t:file read_file_perms;
+	files_search_pids($1)
 +')
 +
 +########################################
 +## <summary>
-+##	Manage aiccu var_run files.
+##	Manage aiccu PID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -10965,15 +11005,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +		type aiccu_var_run_t;
 +	')
 +
-+         manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
-+         manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
-+         manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+	manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+	manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+	manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+	files_search_pids($1)
 +')
 +
 +
 +########################################
 +## <summary>
-+##	All of the rules required to administrate
+##	All of the rules required to administrate 
 +##	an aiccu environment
 +## </summary>
 +## <param name="domain">
@ -10990,31 +11031,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +#
 +interface(`aiccu_admin',`
 +	gen_require(`
-+		type aiccu_t;
+		type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
+		type aiccu_var_run_t;
 +	')
 +
-+	allow $1 aiccu_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, aiccu_t, aiccu_t)
-+	        
+	allow $1 aiccu_t:process { ptrace signal_perms };
+	ps_process_pattern($1, aiccu_t)
 +
-+	gen_require(`
-+		type aiccu_initrc_exec_t;
-+	')
-+
-+	# Allow aiccu_t to restart the apache service
 +	aiccu_initrc_domtrans($1)
 +	domain_system_change_exemption($1)
 +	role_transition $2 aiccu_initrc_exec_t system_r;
 +	allow $2 system_r;
 +
-+	aiccu_manage_var_run($1)
+	admin_pattern($1, aiccu_etc_t)
+	files_search_etc($1)
 +
+	admin_pattern($1, aiccu_var_run_t)
+	files_search_pids($1)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.3/policy/modules/services/aiccu.te
 --- nsaserefpolicy/policy/modules/services/aiccu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/services/aiccu.te	2010-06-08 11:32:10.000000000 -0400
-@@ -0,0 +1,42 @@
-+policy_module(aiccu,1.0.0)
+++ serefpolicy-3.8.3/policy/modules/services/aiccu.te	2010-06-11 11:20:20.000000000 -0400
+@@ -0,0 +1,71 @@
+
+policy_module(aiccu, 1.0.0)
 +
 +########################################
 +#
@ -11028,6 +11068,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +type aiccu_initrc_exec_t;
 +init_script_file(aiccu_initrc_exec_t)
 +
+type aiccu_etc_t;
+files_config_file(aiccu_etc_t)
+
 +type aiccu_var_run_t;
 +files_pid_file(aiccu_var_run_t)
 +
@ -11036,26 +11079,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +# aiccu local policy
 +#
 +
-+allow aiccu_t self:capability { kill };
-+allow aiccu_t self:process { fork signal };
-+
-+# Init script handling
-+domain_use_interactive_fds(aiccu_t)
-+
-+# internal communication is often done using fifo and unix sockets.
+allow aiccu_t self:capability { kill net_admin };
+allow aiccu_t self:process signal;
 +allow aiccu_t self:fifo_file rw_file_perms;
+allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
+allow aiccu_t self:tcp_socket create_stream_socket_perms;
+allow aiccu_t self:tun_socket create_socket_perms;
+allow aiccu_t self:udp_socket create_stream_socket_perms;
 +allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
 +
-+files_read_etc_files(aiccu_t)
-+
-+corenet_rw_tun_tap_dev(aiccu_t)
-+
-+miscfiles_read_localization(aiccu_t)
+allow aiccu_t aiccu_etc_t:file read_file_perms;
 +
 +manage_dirs_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
 +manage_files_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
 +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
 +
+kernel_read_system_state(aiccu_t)
+
+corecmd_exec_shell(aiccu_t)
+
+corenet_all_recvfrom_netlabel(aiccu_t)
+corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_if(aiccu_t)
+corenet_tcp_sendrecv_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_port(aiccu_t)
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+corenet_rw_tun_tap_dev(aiccu_t)
+
+domain_use_interactive_fds(aiccu_t)
+
+dev_read_rand(aiccu_t)
+dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
+logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+modutils_domtrans_insmod(aiccu_t)
+
+sysnet_domtrans_ifconfig(aiccu_t)
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.8.3/policy/modules/services/aisexec.te
 --- nsaserefpolicy/policy/modules/services/aisexec.te	2010-05-25 16:28:22.000000000 -0400
 +++ serefpolicy-3.8.3/policy/modules/services/aisexec.te	2010-06-08 11:32:10.000000000 -0400
@ -12987,7 +13055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +/var/run/cmirrord\.pid		--	gen_context(system_u:object_r:cmirrord_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.3/policy/modules/services/cmirrord.if
 --- nsaserefpolicy/policy/modules/services/cmirrord.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/services/cmirrord.if	2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/cmirrord.if	2010-06-10 08:52:34.000000000 -0400
@@ -0,0 +1,118 @@
 +
 +## <summary>policy for cmirrord</summary>
@ -13060,14 +13128,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +interface(`cmirrord_rw_shm',`
 +        gen_require(`
 +                type cmirrord_t;
-+				type cmirrord_tmpfs_t;
+		type cmirrord_tmpfs_t;
 +        ')
 +
 +        allow $1 cmirrord_t:shm { rw_shm_perms destroy };
 +        allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
 +        rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-+		delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-+		read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+	delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+	read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
 +        fs_search_tmpfs($1)
 +')
 +
@ -13320,7 +13388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.3/policy/modules/services/corosync.te
 --- nsaserefpolicy/policy/modules/services/corosync.te	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/corosync.te	2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/corosync.te	2010-06-11 11:31:01.000000000 -0400
@@ -33,8 +33,8 @@
 # corosync local policy
 #
@ -13368,17 +13436,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 userdom_rw_user_tmpfs_files(corosync_t)
 
 optional_policy(`
-@@ -91,6 +97,10 @@
+@@ -91,12 +97,12 @@
 ')
 
 optional_policy(`
+-	# to communication with RHCS
+-	rhcs_rw_dlm_controld_semaphores(corosync_t)
+-
+-	rhcs_rw_fenced_semaphores(corosync_t)
 +	cmirrord_rw_shm(corosync_t)
 +')
-+
-+optional_policy(`
- 	# to communication with RHCS
- 	rhcs_rw_dlm_controld_semaphores(corosync_t)
 
+-	rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
+	# to communication with RHCS
+	rhcs_rw_cluster_shm(corosync_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.3/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2009-09-16 09:09:20.000000000 -0400
 +++ serefpolicy-3.8.3/policy/modules/services/cron.fc	2010-06-08 11:32:10.000000000 -0400
@ -15791,6 +15866,301 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
 ##	Manage spamassassin milter state
 ## </summary>
 ## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.fc serefpolicy-3.8.3/policy/modules/services/mock.fc
+--- nsaserefpolicy/policy/modules/services/mock.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/mock.fc	2010-06-09 17:38:11.000000000 -0400
+@@ -0,0 +1,6 @@
+
+/usr/sbin/mock		--	gen_context(system_u:object_r:mock_exec_t,s0)
+
+/var/lib/mock(/.*)?		gen_context(system_u:object_r:mock_var_lib_t,s0)
+
+/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.if serefpolicy-3.8.3/policy/modules/services/mock.if
+--- nsaserefpolicy/policy/modules/services/mock.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/mock.if	2010-06-09 17:38:11.000000000 -0400
+@@ -0,0 +1,183 @@
+
+## <summary>policy for mock</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run mock.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mock_domtrans',`
+	gen_require(`
+		type mock_t, mock_exec_t;
+	')
+
+	domtrans_pattern($1, mock_exec_t, mock_t)
+')
+
+
+########################################
+## <summary>
+##	Search mock lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_search_lib',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	allow $1 mock_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read mock lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_read_lib_files',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	mock lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_manage_lib_files',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage mock lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_manage_lib_dirs',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	Execute mock in the mock domain, and
+##	allow the specified role the mock domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the mock domain.
+##	</summary>
+## </param>
+#
+interface(`mock_run',`
+	gen_require(`
+		type mock_t;
+	')
+
+	mock_domtrans($1)
+	role $2 types mock_t;
+')
+
+########################################
+## <summary>
+##	Role access for mock
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`mock_role',`
+	gen_require(`
+              type mock_t;
+	')
+
+	role $1 types mock_t;
+
+	mock_domtrans($2)
+
+	ps_process_pattern($2, mock_t)
+	allow $2 mock_t:process signal;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an mock environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_admin',`
+	gen_require(`
+		type mock_t;
+                type mock_var_lib_t;
+	')
+
+	allow $1 mock_t:process { ptrace signal_perms };
+	ps_process_pattern($1, mock_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, mock_var_lib_t)
+
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.3/policy/modules/services/mock.te
+--- nsaserefpolicy/policy/modules/services/mock.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/mock.te	2010-06-09 17:44:30.000000000 -0400
+@@ -0,0 +1,94 @@
+policy_module(mock,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mock_t;
+type mock_exec_t;
+application_domain(mock_t, mock_exec_t)
+domain_role_change_exemption(mock_t)
+domain_system_change_exemption(mock_t)
+role system_r types mock_t;
+
+permissive mock_t;
+
+type mock_cache_t;
+files_type(mock_cache_t)
+
+type mock_tmp_t;
+files_tmp_file(mock_tmp_t)
+
+type mock_var_lib_t;
+files_type(mock_var_lib_t)
+
+########################################
+#
+# mock local policy
+#
+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
+
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } )
+can_exec(mock_t, mock_tmp_t)
+
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } )
+can_exec(mock_t, mock_var_lib_t)
+allow mock_t mock_var_lib_t:dir mounton;
+
+kernel_list_proc(mock_t)
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_kernel_sysctls(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
+
+corenet_tcp_connect_http_port(mock_t)
+
+dev_read_urand(mock_t)
+
+domain_poly(mock_t)
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_files(mock_t)
+files_read_usr_files(mock_t)
+
+fs_getattr_all_fs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
+
+libs_domtrans_ldconfig(mock_t)
+
+logging_send_audit_msgs(mock_t)
+logging_send_syslog_msg(mock_t)
+
+miscfiles_read_localization(mock_t)
+
+mount_domtrans(mock_t)
+
+optional_policy(`
+	rpm_exec(mock_t)
+	rpm_manage_db(mock_t)
+	rpm_entry_type(mock_t)
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.8.3/policy/modules/services/modemmanager.te
 --- nsaserefpolicy/policy/modules/services/modemmanager.te	2010-05-25 16:28:22.000000000 -0400
 +++ serefpolicy-3.8.3/policy/modules/services/modemmanager.te	2010-06-08 11:32:10.000000000 -0400
@ -19103,10 +19473,89 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 	mysql_domtrans_mysql_safe(rgmanager_t)
 	mysql_stream_connect(rgmanager_t)
 ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.3/policy/modules/services/rhcs.if
+--- nsaserefpolicy/policy/modules/services/rhcs.if	2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/rhcs.if	2010-06-11 11:30:32.000000000 -0400
+@@ -14,6 +14,7 @@
+ template(`rhcs_domain_template',`
+ 	gen_require(`
+ 		attribute cluster_domain;
+		attribute cluster_tmpfs;
+ 	')
+ 
+ 	##############################
+@@ -25,7 +26,7 @@
+ 	type $1_exec_t;
+ 	init_daemon_domain($1_t, $1_exec_t)
+ 
+-	type $1_tmpfs_t;
+	type $1_tmpfs_t, cluster_tmpfs;
+ 	files_tmpfs_file($1_tmpfs_t)
+ 
+ 	type $1_var_log_t;
+@@ -335,6 +336,28 @@
+ 	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ ')
+ 
+########################################
+## <summary>
+##	Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_shm',`
+	gen_require(`
+		attribute cluster_domain;
+		attribute cluster_tmpfs;
+	')
+
+	allow $1 cluster_domain:shm { rw_shm_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
+')
+
+ ######################################
+ ## <summary>
+ ##	Execute a domain transition to run qdiskd.
+@@ -353,3 +376,21 @@
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+ ')
+
+########################################
+## <summary>
+##	Allow domain to read qdiskd tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_read_qdiskd_tmpfs_files',`
+	gen_require(`
+		type qdiskd_tmpfs_t;
+	')
+
+	allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.8.3/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/rhcs.te	2010-06-08 11:32:10.000000000 -0400
-@@ -56,17 +56,13 @@
+++ serefpolicy-3.8.3/policy/modules/services/rhcs.te	2010-06-11 11:31:16.000000000 -0400
+@@ -14,6 +14,7 @@
+ gen_tunable(fenced_can_network_connect, false)
+ 
+ attribute cluster_domain;
+attribute cluster_tmpfs;
+ 
+ rhcs_domain_template(dlm_controld)
+ 
+@@ -56,17 +57,13 @@
 
 init_rw_script_tmp_files(dlm_controld_t)
 
@ -19125,7 +19574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 
 allow fenced_t self:tcp_socket create_stream_socket_perms;
 allow fenced_t self:udp_socket create_socket_perms;
-@@ -83,7 +79,10 @@
+@@ -83,7 +80,10 @@
 
 stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 
@ -19136,7 +19585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 
 corenet_tcp_connect_http_port(fenced_t)
 
-@@ -107,7 +106,6 @@
+@@ -107,7 +107,6 @@
 
 optional_policy(`
 	ccs_read_config(fenced_t)
@ -19144,7 +19593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 ')
 
 optional_policy(`
-@@ -140,10 +138,6 @@
+@@ -140,10 +139,6 @@
 init_rw_script_tmp_files(gfs_controld_t)
 
 optional_policy(`
@ -19155,7 +19604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
 ')
-@@ -169,7 +163,7 @@
+@@ -169,7 +164,7 @@
 # qdiskd local policy
 #
 
@ -19164,7 +19613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 
 allow qdiskd_t self:tcp_socket create_stream_socket_perms;
 allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -208,10 +202,6 @@
+@@ -208,10 +203,6 @@
 auth_use_nsswitch(qdiskd_t)
 
 optional_policy(`
@ -19175,7 +19624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 	netutils_domtrans_ping(qdiskd_t)
 ')
 
-@@ -237,5 +227,9 @@
+@@ -237,5 +228,9 @@
 miscfiles_read_localization(cluster_domain)
 
 optional_policy(`
@ -21127,6 +21576,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
 #######################################
 ## <summary>
 ##	Read varnish logs.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.3/policy/modules/services/vhostmd.if
+--- nsaserefpolicy/policy/modules/services/vhostmd.if	2010-03-29 15:04:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/vhostmd.if	2010-06-10 08:52:54.000000000 -0400
+@@ -42,7 +42,7 @@
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
+##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.3/policy/modules/services/vhostmd.te
 --- nsaserefpolicy/policy/modules/services/vhostmd.te	2010-03-29 15:04:22.000000000 -0400
 +++ serefpolicy-3.8.3/policy/modules/services/vhostmd.te	2010-06-08 11:32:10.000000000 -0400
@ -23631,7 +24092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
 # /var
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/init.if	2010-06-09 16:31:07.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/init.if	2010-06-09 17:42:17.000000000 -0400
@@ -193,8 +193,10 @@
 	gen_require(`
 		attribute direct_run_init, direct_init, direct_init_entry;
@ -28117,7 +28578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/userdomain.if	2010-06-08 11:56:33.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/userdomain.if	2010-06-10 09:12:21.000000000 -0400
@@ -30,8 +30,9 @@
 	')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -469,6 +469,10 @@ exit 0
 %endif

 %changelog
+* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-3
+- Cleanup of aiccu policy
+- initial mock policy
+
 * Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2
 - Lots of random fixes