- Allow setroubelshoot exec* privs to prevent crash from bad libraries

- add cpufreqselector

modules-minimum.conf

@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: apps
+# Module: cpufreqselector 
+#
+# cpufreqselector executable
+# 
+cpufreqselector = module
+
 # Layer: modules
 # Module: awstats
 #

modules-mls.conf

@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: apps
+# Module: cpufreqselector 
+#
+# cpufreqselector executable
+# 
+cpufreqselector = module
+
 # Layer: modules
 # Module: awstats
 #

modules-targeted.conf

@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: apps
+# Module: cpufreqselector 
+#
+# cpufreqselector executable
+# 
+cpufreqselector = module
+
 # Layer: modules
 # Module: awstats
 #

policy-20090105.patch

@@ -1593,8 +1593,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te
 --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te	2009-04-02 10:05:45.000000000 -0400
-@@ -0,0 +1,47 @@
++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te	2009-04-03 10:09:12.000000000 -0400
+@@ -0,0 +1,44 @@
 +policy_module(cpufreqselector,1.0.0)
 +
 +########################################
@@ -1624,9 +1624,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +fs_list_inotifyfs(cpufreqselector_t)
 +
-+libs_use_ld_so(cpufreqselector_t)
-+libs_use_shared_libs(cpufreqselector_t)
-+
 +userdom_read_all_users_state(cpufreqselector_t)
 +
 +nscd_dontaudit_search_pid(cpufreqselector_t)
@@ -10987,8 +10984,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.10/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/devicekit.te	2009-03-30 10:09:41.000000000 -0400
-@@ -0,0 +1,210 @@
++++ serefpolicy-3.6.10/policy/modules/services/devicekit.te	2009-04-03 08:12:27.000000000 -0400
+@@ -0,0 +1,211 @@
 +policy_module(devicekit,1.0.0)
 +
 +########################################
@@ -11150,6 +11147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +dev_read_sysfs(devicekit_disk_t)
 +dev_read_urand(devicekit_disk_t)
 +dev_getattr_usbfs_dirs(devicekit_disk_t)
++dev_manage_generic_files(devicekit_disk_t)
 +
 +kernel_read_software_raid_state(devicekit_disk_t)
 +
@@ -19761,7 +19759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te	2009-04-03 10:25:52.000000000 -0400
 @@ -11,6 +11,9 @@
  domain_type(setroubleshootd_t)
  init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -19772,7 +19770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type setroubleshoot_var_lib_t;
  files_type(setroubleshoot_var_lib_t)
  
-@@ -27,8 +30,8 @@
+@@ -27,8 +30,10 @@
  # setroubleshootd local policy
  #
  
@@ -19780,10 +19778,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -allow setroubleshootd_t self:process { signull signal getattr getsched };
 +allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
 +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
++# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
++allow setroubleshootd_t self:process { execmem execstack };
  allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
  allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
  allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -52,7 +55,10 @@
+@@ -52,7 +57,10 @@
  
  kernel_read_kernel_sysctls(setroubleshootd_t)
  kernel_read_system_state(setroubleshootd_t)
@@ -19794,7 +19794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +74,24 @@
+@@ -68,16 +76,24 @@
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
@@ -19820,7 +19820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
-@@ -94,22 +108,24 @@
+@@ -94,22 +110,24 @@
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
@@ -27011,7 +27011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if	2009-04-01 14:58:39.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/unconfined.if	2009-04-03 10:28:13.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -27130,7 +27130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		type unconfined_t;
 +	')
 +
-+	dontaudit $1 unconfined_t:unix_stream_socket rw_file_perms;
++	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
 +')
 +
 +########################################
@@ -27668,7 +27668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-04-01 14:59:58.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-04-03 10:26:58.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -29532,7 +29532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		attribute userdomain;
 +	')
 +
-+	dontaudit $1 userdomain:unix_stream_socket rw_file_perms;
++	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te

selinux-policy.spec

@@ -15,12 +15,12 @@
 %endif
 %define POLICYVER 23
 %define libsepolver 2.0.20-1
-%define POLICYCOREUTILSVER 2.0.61-7
+%define POLICYCOREUTILSVER 2.0.62-7
 %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.10
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,10 @@ exit 0
 %endif
 
 %changelog
+* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-7
+- Allow setroubelshoot exec* privs to prevent crash from bad libraries
+- add cpufreqselector
+
 * Thu Apr 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-6
 - Dontaudit listing of /root directory for cron system jobs