From 3fa48fc98998228f9e81a47ea1c9dc77ba6cb3eb Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 01 2009 13:45:08 +0000 Subject: - Allow vpnc request the kernel to load modules --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 36a02ad..f691dbb 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -900,6 +900,13 @@ mount = base # mozilla = module +# Layer: admin +# Module: ntop +# +# Policy for ntop +# +ntop = module + # Layer: services # Module: nslcd # diff --git a/modules-targeted.conf b/modules-targeted.conf index 36a02ad..f691dbb 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -900,6 +900,13 @@ mount = base # mozilla = module +# Layer: admin +# Module: ntop +# +# Policy for ntop +# +ntop = module + # Layer: services # Module: nslcd # diff --git a/policy-F12.patch b/policy-F12.patch index a92a951..ebf58bc 100644 --- a/policy-F12.patch +++ b/policy-F12.patch 
@@ -285,6 +285,222 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(netutils_t) userdom_use_all_users_fds(netutils_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.fc serefpolicy-3.6.32/policy/modules/admin/ntop.fc +--- nsaserefpolicy/policy/modules/admin/ntop.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/ntop.fc 2009-10-01 08:24:35.000000000 -0400 +@@ -0,0 +1,5 @@ ++/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0) ++ ++/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0) ++ ++/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.if serefpolicy-3.6.32/policy/modules/admin/ntop.if +--- nsaserefpolicy/policy/modules/admin/ntop.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/ntop.if 2009-10-01 08:24:35.000000000 -0400 +@@ -0,0 +1,158 @@ ++ ++## policy for ntop ++ ++######################################## ++## ++## Execute a domain transition to run ntop. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ntop_domtrans',` ++ gen_require(` ++ type ntop_t, ntop_exec_t; ++ ') ++ ++ domtrans_pattern($1,ntop_exec_t,ntop_t) ++') ++ ++ ++######################################## ++## ++## Execute ntop server in the ntop domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ntop_initrc_domtrans',` ++ gen_require(` ++ type ntop_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1,ntop_initrc_exec_t) ++') ++ ++######################################## ++## ++## Search ntop lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`ntop_search_lib',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ allow $1 ntop_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read ntop lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_read_lib_files',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## ntop lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_manage_lib_files',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t) ++') ++ ++######################################## ++## ++## Manage ntop var_lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_manage_var_lib',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1,ntop_var_lib_t,ntop_var_lib_t) ++ manage_files_pattern($1,ntop_var_lib_t,ntop_var_lib_t) ++ manage_lnk_files_pattern($1,ntop_var_lib_t,ntop_var_lib_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ntop environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`ntop_admin',` ++ gen_require(` ++ type ntop_t; ++ ') ++ ++ allow $1 ntop_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, ntop_t, ntop_t) ++ ++ ++ gen_require(` ++ type ntop_initrc_exec_t; ++ ') ++ ++ # Allow ntop_t to restart the apache service ++ ntop_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 ntop_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ ntop_manage_var_lib($1) ++ ++') +Binary files nsaserefpolicy/policy/modules/admin/ntop.pp and serefpolicy-3.6.32/policy/modules/admin/ntop.pp differ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.te serefpolicy-3.6.32/policy/modules/admin/ntop.te +--- nsaserefpolicy/policy/modules/admin/ntop.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/ntop.te 2009-10-01 08:24:35.000000000 -0400 +@@ -0,0 +1,40 @@ ++policy_module(ntop,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ntop_t; ++type ntop_exec_t; ++init_daemon_domain(ntop_t, ntop_exec_t) ++ ++permissive ntop_t; ++ ++type ntop_initrc_exec_t; ++init_script_file(ntop_initrc_exec_t) ++ ++type ntop_var_lib_t; ++files_type(ntop_var_lib_t) ++ ++######################################## ++# ++# ntop local policy ++# ++allow ntop_t self:capability { setgid setuid }; ++allow ntop_t self:fifo_file manage_file_perms; ++allow ntop_t self:unix_stream_socket create_stream_socket_perms; ++ ++# Init script handling ++domain_use_interactive_fds(ntop_t) ++ ++files_read_etc_files(ntop_t) ++ ++manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) ++manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) ++files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } ) ++ ++auth_use_nsswitch(ntop_t) ++ ++miscfiles_read_localization(ntop_t) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te 
serefpolicy-3.6.32/policy/modules/admin/portage.te --- nsaserefpolicy/policy/modules/admin/portage.te 2009-08-18 18:39:50.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/admin/portage.te 2009-09-30 16:12:48.000000000 -0400 @@ -1340,6 +1556,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_exec_pid(vbetool_t) + xserver_write_pid(vbetool_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.6.32/policy/modules/admin/vpn.te +--- nsaserefpolicy/policy/modules/admin/vpn.te 2009-08-31 13:30:04.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/admin/vpn.te 2009-10-01 09:40:37.000000000 -0400 +@@ -46,6 +46,7 @@ + kernel_read_system_state(vpnc_t) + kernel_read_network_state(vpnc_t) + kernel_read_all_sysctls(vpnc_t) ++kernel_request_load_module(vpnc_t) + kernel_rw_net_sysctls(vpnc_t) + + corenet_all_recvfrom_unlabeled(vpnc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.32/policy/modules/apps/calamaris.te --- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/calamaris.te 2009-09-30 16:12:48.000000000 -0400 @@ -8711,7 +8938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-10-01 08:26:33.000000000 -0400 
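Review bot: The comment `# Allow ntop_t to restart the apache service` inside the new `ntop_admin` interface in ntop.if is a copy-paste leftover: the rules under it give the caller ($1) the ntop init-script transition, not ntop_t and not apache, so it should read `# Allow the admin domain ($1) to run the ntop init script`. The summary of `ntop_initrc_domtrans` ("Execute ntop server in the ntop domain") has the same problem, since `init_labeled_script_domtrans` presumably enters the init-script domain rather than ntop_t. `ntop_manage_var_lib` is also the only lib interface that omits `files_search_var_lib($1)` (compare `ntop_search_lib`, `ntop_read_lib_files` and `ntop_manage_lib_files`), and it duplicates `ntop_manage_lib_files` almost entirely. Separately, ntop.te declares `permissive ntop_t;` while the visible rules contain nothing for packet capture (no raw-socket or net_admin rules), so the daemon works only because the domain is permissive; a comment such as `# permissive until the capture rules are collected from audit logs` would record that the flag is temporary and what has to land before it is dropped.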
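Review bot: The new `kernel_request_load_module(vpnc_t)` line in vpn.te carries no comment saying which module vpnc asks the kernel to autoload, and because this permission lets the domain hand any module alias to the kernel's module loader, a later reviewer cannot tell from the rule whether the grant is still needed. A one-line rationale above it, e.g. `# vpnc needs the kernel to autoload its tunnel driver (seen in audit logs)` — naming whatever module actually produced the denial, presumably the tun device — would keep that justification next to the rule. The rest of the vpnc_t rules are outside the hunk.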
@@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -8737,12 +8964,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -@@ -32,12 +34,17 @@ +@@ -32,12 +34,18 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') +/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -8755,7 +8983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,6 +54,7 @@ +@@ -47,6 +55,7 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) 
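Review bot: The new `/usr/share/ntop/html(/.*)?` entry in apache.fc labels ntop's own HTML tree `httpd_sys_content_t`, but the ntop.te added in the same commit grants ntop_t no access to that type, so if ntop's built-in web server serves that directory itself the daemon will only be able to read it while `permissive ntop_t` stays in place. Either add the matching read rule in ntop.te (an `apache_read_sys_content(ntop_t)` call or equivalent, if the interface exists in this tree) or put a comment on the fc line recording that the tree is meant to be served by httpd only. The surrounding apache.fc hunks in this file only renumber inner hunk headers.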
@@ -8763,7 +8991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,8 +58,10 @@ +@@ -50,8 +59,10 @@ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -8774,7 +9002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +74,34 @@ +@@ -64,11 +75,30 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -8806,10 +9034,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+ -+ -+ -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-09-30 16:12:48.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 34d611e..02b817c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 16%{?dist} +Release: 17%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -366,7 +366,8 @@ SELinux Reference policy minimum base module. %saveFileContext minimum %post minimum -%loadpolicy minimum +packages="unconfined.pp.bz2 unconfineduser.pp.bz2" +%loadpolicy minimum $packages if [ $1 -eq 1 ]; then semanage -S minimum -i - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ @@ -448,6 +449,9 @@ exit 0 %endif %changelog +* Thu Oct 1 2009 Dan Walsh 3.6.32-17 +- Allow vpnc request the kernel to load modules + * Wed Sep 30 2009 Dan Walsh 3.6.32-16 - Fix minimum policy installs - Allow udev and rpcbind to request the kernel to load modules
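Review bot: The `%post minimum` change that now loads `unconfined.pp.bz2 unconfineduser.pp.bz2` through `%loadpolicy minimum $packages` is not mentioned in the 3.6.32-17 changelog entry added in the last hunk, which only names the vpnc change, so the changelog should get a line such as `- Load unconfined and unconfineduser modules on minimum policy install`. Since the minimum policy exists to keep the loaded module set small, an inline comment stating why these two modules are required at install time (presumably so the `login -m -s unconfined_u` mapping below resolves) would help the next maintainer judge the change. The `%loadpolicy` macro definition is outside the hunk, so whether `$packages` is passed through as separate arguments cannot be confirmed here.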