From 639a5885e71eb1f88c16ed7c0dc103e3b8dcb95e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 12 2008 20:14:56 +0000 Subject: - dontaudit semanage config_tty - Allow samba to share fusefs - Allow bluetooth to read hwdate --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 85a449d..faf6e45 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -8384,7 +8384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.8/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2008-06-12 23:37:59.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2008-08-12 16:11:25.000000000 -0400 @@ -37,14 +37,14 @@ # Bluetooth services local policy # @@ -8402,7 +8402,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue allow bluetooth_t self:tcp_socket create_stream_socket_perms; allow bluetooth_t self:udp_socket create_socket_perms; -@@ -110,6 +110,8 @@ +@@ -92,6 +92,7 @@ + dev_rw_usbfs(bluetooth_t) + dev_rw_generic_usb_dev(bluetooth_t) + dev_read_urand(bluetooth_t) ++dev_rw_input_dev(bluetooth_t) + + fs_getattr_all_fs(bluetooth_t) + fs_search_auto_mountpoints(bluetooth_t) +@@ -110,6 +111,8 @@ files_read_etc_runtime_files(bluetooth_t) files_read_usr_files(bluetooth_t) 
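Review bot: `dev_rw_input_dev(bluetooth_t)` in the newly added inner hunk (`+@@ -92,6 +92,7 @@`) grants bluetoothd read and write on input device nodes generally, as far as the interface name indicates, and neither the commit message nor the line says which denial motivated it. If the need is a single node (a virtual HID bridge would presumably only need the uinput device — confirm against the AVC), a narrower rule or at least a comment naming the device would keep the grant reviewable, e.g. `# bluetoothd creates virtual HID input devices — TODO cite the denial that required dev_rw_input_dev`. Because this is a change to the nested policy patch, the inner hunk headers were renumbered (`-@@ -110,6 +110,8 @@` → `+@@ -110,6 +111,8 @@`) and the surrounding bluetooth.te context is only partly visible here.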
@@ -8411,12 +8419,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue libs_use_ld_so(bluetooth_t) libs_use_shared_libs(bluetooth_t) -@@ -118,20 +120,20 @@ +@@ -117,21 +120,22 @@ + miscfiles_read_localization(bluetooth_t) miscfiles_read_fonts(bluetooth_t) - --sysnet_read_config(bluetooth_t) - +-sysnet_read_config(bluetooth_t) ++miscfiles_read_hwdata(bluetooth_t) + userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_sysadm_ptys(bluetooth_t) userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t) @@ -12835,7 +12845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-07-02 15:53:02.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-08-11 15:45:47.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.7.1) @@ -12958,10 +12968,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -162,19 +178,20 @@ +@@ -162,19 +178,21 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) ++ ppp_signull(NetworkManager_t) + ppp_read_config(NetworkManager_t) ') 
@@ -14374,8 +14385,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. # Fix pptp sockets diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.0.8/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2008-06-12 23:37:58.000000000 -0400 -@@ -159,6 +159,25 @@ ++++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2008-08-11 15:46:05.000000000 -0400 +@@ -76,6 +76,24 @@ + + ######################################## + ## ++## Send a generic signull to PPP. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ppp_signull',` ++ gen_require(` ++ type pppd_t; ++ ') ++ ++ allow $1 pppd_t:process signull; ++') ++ ++######################################## ++## + ## Execute domain in the ppp domain. + ## + ## +@@ -159,6 +177,25 @@ ######################################## ## @@ -14403,7 +14439,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.0.8/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ppp.te 2008-06-12 23:37:58.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ppp.te 2008-08-11 16:47:54.000000000 -0400 +@@ -71,7 +71,7 @@ + # PPPD Local policy + # + +-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override }; ++allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override }; + dontaudit pppd_t self:capability sys_tty_config; + allow pppd_t self:process signal; + allow pppd_t self:fifo_file rw_fifo_file_perms; @@ -116,7 +116,7 @@ kernel_read_kernel_sysctls(pppd_t) 
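Review bot: The header comment of the new `ppp_signull` interface in ppp.if, as rendered here, shows only bare `##` lines around `Send a generic signull to PPP.` and `Domain allowed access.`, with no `<summary>` or `<param name="domain">` markup; if those tags were dropped by extraction ignore this, otherwise the refpolicy interface documentation generator expects them as in the neighbouring `ppp_domtrans` block. The body (`gen_require` of `pppd_t`, `allow $1 pppd_t:process signull;`) is the minimal grant for a null-signal liveness check and follows the file's existing interface style. It is consumed by `ppp_signull(NetworkManager_t)` in the networkmanager.te hunk, whose enclosing `optional_policy` block starts and ends outside that hunk.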
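Review bot: `allow pppd_t self:capability { kill net_admin ... }` in ppp.te adds CAP_KILL to pppd, which permits signalling processes owned by other UIDs, while the `signull` exchange this commit adds (`ppp_signull`, `ppp_signull(NetworkManager_t)`) is an SELinux `process` permission and does not require that capability. If CAP_KILL was added for a separate AVC denial, a why-comment on the line naming the process pppd needs to signal would keep the widened grant auditable, e.g. `# CAP_KILL: pppd must signal <target process> — TODO cite denial`; if the attempt is benign, a `dontaudit` on that capability is the narrower option. The hunk shows only the three trailing context lines of this allow block, so any related `signal` rules beyond `allow pppd_t self:process signal;` are outside view.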
@@ -17645,6 +17690,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') + + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.0.8/policy/modules/services/stunnel.fc +--- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-06-12 23:37:57.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/stunnel.fc 2008-08-07 12:46:30.000000000 -0400 +@@ -2,5 +2,6 @@ + /etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) + + /usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) ++/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) + + /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.0.8/policy/modules/services/stunnel.if --- nsaserefpolicy/policy/modules/services/stunnel.if 2008-06-12 23:37:57.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/stunnel.if 2008-06-12 23:37:59.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 993a66a..77ecfe8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -381,9 +381,10 @@ exit 0 %endif %changelog -* Tue Aug 5 2008 Dan Walsh 3.0.8-113 +* Tue Aug 12 2008 Dan Walsh 3.0.8-113 - dontaudit semanage config_tty - Allow samba to share fusefs +- Allow bluetooth to read hwdate * Thu Jul 24 2008 Dan Walsh 3.0.8-112 - Change dhclient to be able to red networkmanager_var_run