From 4a1f8e60249eec82295d22743818779dd3073a2c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 24 2009 08:43:56 +0000 Subject: - Dontaudit dhcpc to access sys_ptrace --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 90b6f67..f30df6b 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -20047,7 +20047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.13/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/mysql.te 2009-03-23 10:41:48.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/mysql.te 2009-06-24 09:54:02.000000000 +0200 @@ -10,6 +10,10 @@ type mysqld_exec_t; init_daemon_domain(mysqld_t, mysqld_exec_t) @@ -20093,7 +20093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq domain_use_interactive_fds(mysqld_t) -@@ -120,3 +129,42 @@ +@@ -120,3 +129,45 @@ optional_policy(` udev_read_db(mysqld_t) ') @@ -20107,11 +20107,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq + +allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; ++ ++allow mysqld_safe_t mysqld_var_run_t:sock_file unlink; + +allow mysqld_safe_t mysqld_log_t:file manage_file_perms; +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) + +mysql_append_db_files(mysqld_safe_t) ++mysql_manage_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) +mysql_write_log(mysqld_safe_t) 
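Review bot: The new `+mysql_manage_db_files(mysqld_safe_t)` makes the `mysql_append_db_files(mysqld_safe_t)` call on the line above it redundant (manage_file_perms already covers append, if this interface follows the reference-policy pattern), and it widens a wrapper-script domain from append-only to create/write/unlink on database files; neither that nor the new `mysqld_var_run_t:sock_file unlink` rule is mentioned in the commit subject or the changelog entry, which cite only the dhcpc sys_ptrace change. A one-line comment above the manage rule naming the denial that motivated it, e.g. `# mysqld_safe needs manage (not just append) on db files: <denial/reason from the AVC>`, would let a later audit tell a deliberate widening from a copy-paste, and the append call could then be dropped or kept with a note saying why both are listed. The sock_file unlink rule is narrowly scoped and looks fine as written. The mysqld_safe_t policy block begins before this hunk.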
@@ -36006,7 +36009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-03-12 15:06:51.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-06-24 09:52:07.000000000 +0200 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -36022,8 +36025,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # DHCP client local policy # -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config }; +-dontaudit dhcpc_t self:capability sys_tty_config; +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config }; - dontaudit dhcpc_t self:capability sys_tty_config; ++dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process signal_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index e6438a5..3e01c6f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 64%{?dist} +Release: 65%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -462,6 +462,9 @@ exit 0 %endif %changelog +* Wed Jun 24 2009 Miroslav Grepl 3.5.13-65 +- Dontaudit dhcpc to access sys_ptrace + * Thu Jun 11 2009 Miroslav Grepl 3.5.13-64 - Allow rpcd to send signals to automount
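Review bot: The new `+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };` silences sys_ptrace checks for the DHCP client without recording what triggers them, so a later reader cannot distinguish a harmless probe from a real failure that is now hidden from the audit log. The neighbouring line already uses the pattern `# for access("/etc/bashrc", X_OK) on Red Hat`, and the same treatment fits here, e.g. `# sys_ptrace: <triggering access from the AVC>; dontaudit, not allow` directly above the new line, with the same reason echoed in the changelog entry that currently only repeats the subject. Dontaudit rather than allow is the right choice for a capability this strong, provided the client has been confirmed to work without it. Unrelated to this commit but visible in the hunk, the allow line two lines up already grants sys_tty_config, so dontauditing it is a no-op carried over from upstream that could be trimmed while the line is being touched.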