From f86ed5a43756311b1e26db41d426e83186634d09 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 24 Jun 2008 11:14:04 +0000
Subject: [PATCH] - Allow confined users to use postgres - Allow system_mail_t to exec other mail clients - Label mogrel_rails as an apache server
---
 policy-20080509.patch | 160 ++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec | 7 +-
 2 files changed, 137 insertions(+), 30 deletions(-)
diff --git a/policy-20080509.patch b/policy-20080509.patch
index a1a58dab..e127f0c7 100644
--- a/policy-20080509.patch
+++ b/policy-20080509.patch
@@ -642,7 +642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.4.2/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te 2008-06-12 23:37:53.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te 2008-06-24 06:26:50.000000000 -0400
 @@ -78,6 +78,7 @@
  dev_read_urand(mrtg_t)
@@ -651,6 +651,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te files_read_usr_files(mrtg_t) files_search_var(mrtg_t) +@@ -101,6 +102,8 @@ + init_read_utmp(mrtg_t) + init_dontaudit_write_utmp(mrtg_t) + ++auth_use_nsswitch(mrtg_t) ++ + libs_read_lib_files(mrtg_t) + libs_use_ld_so(mrtg_t) + libs_use_shared_libs(mrtg_t) +@@ -111,12 +114,10 @@ + + selinux_dontaudit_getattr_dir(mrtg_t) + +-# Use the network. +-sysnet_read_config(mrtg_t) +- + userdom_dontaudit_use_unpriv_user_fds(mrtg_t) + + sysadm_use_terms(mrtg_t) ++sysadm_dontaudit_read_home_content_files(mrtg_t) + + ifdef(`enable_mls',` + corenet_udp_sendrecv_lo_if(mrtg_t) +@@ -140,14 +141,6 @@ + ') + + optional_policy(` +- nis_use_ypbind(mrtg_t) +-') +- +-optional_policy(` +- nscd_dontaudit_search_pid(mrtg_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(mrtg_t) + ') + +@@ -162,10 +155,3 @@ + optional_policy(` + udev_read_db(mrtg_t) + ') +- +-ifdef(`TODO',` +- # should not need this! +- dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr }; +- dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; +- dontaudit mrtg_t root_t:lnk_file getattr; +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:25:08.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/admin/netutils.te 2008-06-12 23:37:53.000000000 -0400 
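Review bot: The removal of `sysnet_read_config(mrtg_t)` (together with its `# Use the network.` comment) is only safe if the newly added `auth_use_nsswitch(mrtg_t)` itself grants the resolver-configuration reads; that interface's body is not visible here, so confirm it covers the network config type before dropping the explicit call, otherwise mrtg silently loses access to resolv.conf and name lookups fail with an AVC. The parallel removal of `nis_use_ypbind` and `nscd_dontaudit_search_pid` reads as the same consolidation behind auth_use_nsswitch and looks fine. Dropping the `ifdef(`TODO'...)` block changes nothing at build time since it was never compiled, but note that its dontaudit covered staff_home_dir_t too while the new `sysadm_dontaudit_read_home_content_files(mrtg_t)` covers only sysadm home content.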
@@ -7923,8 +7972,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.4.2/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/roles/staff.te 2008-06-12 23:37:52.000000000 -0400 -@@ -8,18 +8,30 @@ ++++ serefpolicy-3.4.2/policy/modules/roles/staff.te 2008-06-24 07:05:16.000000000 -0400 +@@ -8,18 +8,34 @@ role staff_r; @@ -7952,11 +8001,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t + logadm_role_change_template(staff) +') + ++optional_policy(` ++ postgresql_userdom_template(staff,staff_t,staff_r) ++') ++ +optional_policy(` secadm_role_change_template(staff) ') -@@ -28,3 +40,14 @@ +@@ -28,3 +44,14 @@ sysadm_dontaudit_use_terms(staff_t) ') @@ -7973,7 +8026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.4.2/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if 2008-06-14 07:13:35.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if 2008-06-24 06:22:32.000000000 -0400 @@ -334,10 +334,10 @@ # interface(`sysadm_getattr_home_dirs',` 
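Review bot: `postgresql_userdom_template(staff,staff_t,staff_r)` is applied unconditionally whenever the postgresql module is loaded, and the same call is made for `user_t`/`user_r` in the unprivuser.te hunk further down this patch. The template body is not visible here; if it does not gate database access behind a tunable on its own, consider a boolean so that administrators can keep confined roles off the database socket by default and opt in, which is the usual shape for optional services granted to confined users. The surrounding staff policy continues outside the hunk.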
@@ -8135,7 +8188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.4.2/policy/modules/roles/unprivuser.if --- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if 2008-06-12 23:37:52.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if 2008-06-24 05:57:35.000000000 -0400 @@ -62,6 +62,26 @@ files_home_filetrans($1,user_home_dir_t,dir) ') @@ -8805,8 +8858,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.4.2/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te 2008-06-12 23:37:52.000000000 -0400 -@@ -13,3 +13,19 @@ ++++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te 2008-06-24 07:05:40.000000000 -0400 +@@ -13,3 +13,23 @@ userdom_unpriv_user_template(user) @@ -8819,6 +8872,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu +') + +optional_policy(` ++ postgresql_userdom_template(user,user_t,user_r) ++') ++ ++optional_policy(` + rpm_dontaudit_dbus_chat(user_t) +') + @@ -9322,14 +9379,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav # amavis local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.4.2/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/apache.fc 2008-06-12 23:37:52.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/apache.fc 2008-06-24 07:09:51.000000000 -0400 
@@ -1,4 +1,4 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -@@ -16,7 +16,6 @@ +@@ -16,13 +16,13 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -9337,7 +9394,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -33,6 +32,7 @@ + /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) + ++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +@@ -33,6 +33,7 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
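Review bot: `/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)` is inserted between the `/usr/lib(64)?/httpd` and `/usr/sbin/apache(2)?` entries, which breaks the path ordering the rest of the file follows; `/usr/bin` belongs above the `/usr/lib/apache-ssl` entries. Labeling the Rails server httpd_exec_t means that, once it is started through whatever transition apache.te defines for that type (presumably init), it runs with the whole httpd_t policy including its content types, network rules and booleans rather than a domain of its own; a one-line comment would make that intent explicit, e.g. `# mongrel (Rails) application server is run under the apache policy`. The commit subject and the spec changelog spell it "mogrel_rails" while the path added here is mongrel_rails.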
@@ -9345,7 +9409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -48,11 +48,14 @@ +@@ -48,11 +49,14 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -9360,7 +9424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -66,10 +69,21 @@ +@@ -66,10 +70,21 @@ /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -16036,8 +16100,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami +/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.4.2/policy/modules/services/gamin.if --- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.4.2/policy/modules/services/gamin.if 2008-06-12 23:37:52.000000000 -0400 -@@ -0,0 +1,39 @@ ++++ serefpolicy-3.4.2/policy/modules/services/gamin.if 2008-06-24 06:34:46.000000000 -0400 +@@ -0,0 +1,57 @@ + +## policy for gamin + 
@@ -16062,6 +16126,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami + +######################################## +## ++## Execute gamin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gamin_exec',` ++ gen_require(` ++ type gamin_exec_t; ++ ') ++ ++ can_exec($1,gamin_exec_t) ++') ++ ++######################################## ++## +## Connect to gamin over an unix stream socket. +## +## @@ -17707,7 +17789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:25:05.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-12 23:37:52.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/mta.te 2008-06-24 05:41:16.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # @@ -17725,13 +17807,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -37,30 +40,50 @@ +@@ -37,30 +40,52 @@ # # newalias required this, not sure if it is needed in 'if' file -allow system_mail_t self:capability { dac_override }; +allow system_mail_t self:capability { dac_override fowner }; +allow system_mail_t self:fifo_file rw_fifo_file_perms; ++ ++can_exec(system_mail_t, mailclient_exec_type) read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) @@ -17777,7 +17861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,7 +96,10 @@ +@@ -73,7 +98,10 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) 
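Review bot: The parameter documentation of the new `gamin_exec` interface reads `Domain allowed to transition.`, but the body is `can_exec($1,gamin_exec_t)`, which only grants the caller execute access in its own domain and performs no domain transition; the line should read `## Domain allowed access.` so that callers such as the `gamin_exec(prelude_lml_t)` added later in this patch do not expect a transition to a gamin domain. The summary line `## Execute gamin.` could likewise say "in the caller's domain".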
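Review bot: `can_exec(system_mail_t, mailclient_exec_type)` lets every binary carrying the mailclient_exec_type attribute execute inside system_mail_t, i.e. with the `dac_override fowner` capabilities granted two lines above and with the fifo access added alongside, and nothing records why an in-place exec rather than a domain transition is wanted. If the reason is that sendmail-style wrappers re-exec the configured client (inferred, not visible here), say so above the line, e.g. `# mail wrappers re-exec the real client; stays in system_mail_t, no transition`. The mta.te section continues outside the hunk.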
@@ -17788,7 +17872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -81,6 +107,11 @@ +@@ -81,6 +109,11 @@ ') optional_policy(` @@ -17800,7 +17884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +167,38 @@ +@@ -136,11 +169,38 @@ ') optional_policy(` @@ -17840,7 +17924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +212,4 @@ +@@ -154,3 +214,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') @@ -21027,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.4.2/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/prelude.if 2008-06-23 08:18:26.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/prelude.if 2008-06-24 06:33:22.000000000 -0400 @@ -42,7 +42,7 @@ ## ## @@ -21037,7 +21121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel ## ## # -@@ -56,6 +56,80 @@ +@@ -56,6 +56,81 @@ ######################################## ## @@ -21074,6 +21158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + ') + + files_search_spool($1) ++ list_dirs_pattern($1, prelude_spool_t, prelude_spool_t) + rw_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + 
@@ -21118,7 +21203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel ## All of the rules required to administrate ## an prelude environment ## -@@ -64,6 +138,16 @@ +@@ -64,6 +139,16 @@ ## Domain allowed access. ## ## @@ -21135,7 +21220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel ## # interface(`prelude_admin',` -@@ -71,6 +155,11 @@ +@@ -71,6 +156,11 @@ type prelude_t, prelude_spool_t; type prelude_var_run_t, prelude_var_lib_t; type prelude_audisp_t, prelude_audisp_var_run_t; @@ -21147,7 +21232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel ') allow $1 prelude_t:process { ptrace signal_perms }; -@@ -79,11 +168,23 @@ +@@ -79,11 +169,23 @@ allow $1 prelude_audisp_t:process { ptrace signal_perms }; ps_process_pattern($1, prelude_audisp_t) @@ -21179,7 +21264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-06-12 23:25:06.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-23 08:09:53.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/prelude.te 2008-06-24 06:34:11.000000000 -0400 @@ -19,12 +19,31 @@ type prelude_var_lib_t; files_type(prelude_var_lib_t) @@ -21238,7 +21323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) -@@ -126,6 +150,76 @@ +@@ -126,6 +150,80 @@ miscfiles_read_localization(prelude_audisp_t) 
@@ -21309,13 +21394,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +miscfiles_read_localization(prelude_lml_t) + +optional_policy(` ++ gamin_exec(prelude_lml_t) ++') ++ ++optional_policy(` + apache_read_log(prelude_lml_t) +') + ######################################## # # prewikka_cgi Declarations -@@ -135,6 +229,10 @@ +@@ -135,6 +233,10 @@ apache_content_template(prewikka) files_read_etc_files(httpd_prewikka_script_t) @@ -28016,6 +28105,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr kernel_read_kernel_sysctls(zebra_t) kernel_rw_net_sysctls(zebra_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.4.2/policy/modules/system/application.te +--- nsaserefpolicy/policy/modules/system/application.te 2008-06-12 23:25:07.000000000 -0400 ++++ serefpolicy-3.4.2/policy/modules/system/application.te 2008-06-24 05:58:09.000000000 -0400 +@@ -7,6 +7,9 @@ + # Executables to be run by user + attribute application_exec_type; + ++unprivuser_append_home_content_files(application_domain_type) ++unprivuser_write_tmp_files(application_domain_type) ++ + optional_policy(` + ssh_sigchld(application_domain_type) + ssh_rw_stream_sockets(application_domain_type) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.4.2/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-06-12 23:25:07.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/authlogin.fc 2008-06-12 23:37:52.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index b917f173..01dc3bf6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.4.2 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
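Review bot: In the new application.te hunk, `unprivuser_append_home_content_files(application_domain_type)` and `unprivuser_write_tmp_files(application_domain_type)` grant every domain carrying the application attribute append access to unprivileged users' home content and write access to their tmp files, unconditionally and for every role that can reach those domains, so a compromise of any confined application can now alter user files it previously could not. The adjacent `ssh_sigchld`/`ssh_rw_stream_sockets` calls are wrapped in `optional_policy(`…')` while these two are not, so either the unprivuser module must be guaranteed to be in base or the calls should get the same wrapper. A comment naming the denial being fixed would also help, e.g. `# TODO: document why every application domain needs append on user home content and write on user tmp files`.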
@@ -375,6 +375,11 @@ exit 0
 %endif
 %changelog
+* Tue Jun 24 2008 Dan Walsh 3.4.2-7
+- Allow confined users to use postgres
+- Allow system_mail_t to exec other mail clients
+- Label mogrel_rails as an apache server
+
 * Mon Jun 23 2008 Dan Walsh 3.4.2-6
 - Apply unconfined_execmem_exec_t to haskell programs