From 7b4c696d8125af2cd0b8e0909e13282b31e73b57 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 08 2009 19:31:17 +0000 Subject: - Fixes for xguest --- diff --git a/policy-20090521.patch b/policy-20090521.patch index e96b8b8..e995afb 100644 --- a/policy-20090521.patch +++ b/policy-20090521.patch @@ -1,12 +1,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs --- nsaserefpolicy/policy/mcs 2009-06-25 10:19:43.000000000 +0200 -+++ serefpolicy-3.6.12/policy/mcs 2009-06-25 10:21:01.000000000 +0200 ++++ serefpolicy-3.6.12/policy/mcs 2009-07-08 21:09:33.000000000 +0200 @@ -66,7 +66,7 @@ # # Note that getattr on files is always permitted. # -mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } -+mlsconstrain { file chr_file blk_file sock_file lnk_file fifo_file } { write setattr append unlink link rename ioctl lock execute relabelfrom } ++mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom } (( h1 dom h2 ) or ( t1 == mlsfilewrite )); mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } 
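Review bot: The replacement `mlsconstrain` line in the policy/mcs hunk narrows the constrained class set from `{ file chr_file blk_file sock_file lnk_file fifo_file }` to `{ file chr_file blk_file lnk_file }`, so write/setattr/append/unlink and the other listed permissions on sock_file and fifo_file objects are no longer subject to the `h1 dom h2` check or the `mlsfilewrite` exemption, and nothing in the hunk says why. The commit subject and the spec changelog only mention xguest, so a comment on the line such as `# sock_file and fifo_file deliberately left out of the write constraint: <reason — TODO>` plus a changelog bullet would let a later reader tell an intentional relaxation from an accidental one. If the exclusion fixes a specific breakage, naming it in that comment is enough.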
@@ -628,8 +628,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-06-25 10:19:43.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if 2009-06-26 15:48:23.000000000 +0200 -@@ -64,6 +64,7 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if 2009-07-08 21:12:05.000000000 +0200 +@@ -45,6 +45,18 @@ + relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ ++ mozilla_dbus_chat($2) ++ ++ userdom_manage_tmp_role($1, mozilla_t) ++ ++ optional_policy(` ++ nsplugin_role($1, mozilla_t) ++ ') ++ ++ optional_policy(` ++ pulseaudio_role($1, mozilla_t) ++ ') + ') + + ######################################## +@@ -64,6 +76,7 @@ allow $1 mozilla_home_t:dir list_dir_perms; allow $1 mozilla_home_t:file read_file_perms; 
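Review bot: The block added at inner hunk `@@ -45,6 +45,18 @@` grants role `$1` / domain `$2` several new things — `mozilla_dbus_chat($2)`, `userdom_manage_tmp_role($1, mozilla_t)` and, under `optional_policy`, `nsplugin_role` and `pulseaudio_role` — but the interface's `## <summary>` documentation sits above the hunk and is not updated. The enclosing interface starts outside the hunk; its summary should say that the role now also gets D-Bus chat with the browser domain, management of its tmp content, and nsplugin/pulseaudio role access when those modules are present. A one-line comment above `userdom_manage_tmp_role($1, mozilla_t)`, e.g. `# replaces the userdom_manage_user_tmp_* rules formerly in mozilla.te`, would also tie it to the removal made elsewhere in this commit.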
@@ -637,17 +656,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') +@@ -82,7 +95,8 @@ + type mozilla_home_t; + ') + +- write_files_pattern($1, mozilla_home_t, mozilla_home_t) ++ allow $1 mozilla_home_t:dir list_dir_perms; ++ allow $1 mozilla_home_t:file write_file_perms; + userdom_search_user_home_dirs($1) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-06-25 10:19:43.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te 2009-06-25 10:21:01.000000000 +0200 -@@ -145,6 +145,7 @@ - userdom_manage_user_tmp_dirs(mozilla_t) - userdom_manage_user_tmp_files(mozilla_t) - userdom_manage_user_tmp_sockets(mozilla_t) ++++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te 2009-07-08 21:12:10.000000000 +0200 +@@ -59,6 +59,7 @@ + manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) + manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) + userdom_search_user_home_dirs(mozilla_t) ++userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir) + + # Mozpluggerrc + allow mozilla_t mozilla_conf_t:file read_file_perms; +@@ -97,6 +98,7 @@ + corenet_tcp_connect_ftp_port(mozilla_t) + corenet_tcp_connect_ipp_port(mozilla_t) + corenet_tcp_connect_generic_port(mozilla_t) ++corenet_tcp_connect_soundd_port(mozilla_t) + corenet_sendrecv_http_client_packets(mozilla_t) + corenet_sendrecv_http_cache_client_packets(mozilla_t) + corenet_sendrecv_ftp_client_packets(mozilla_t) +@@ -114,6 +116,8 @@ + dev_dontaudit_rw_dri(mozilla_t) + dev_getattr_sysfs_dirs(mozilla_t) + ++domain_dontaudit_read_all_domains_state(mozilla_t) ++ + files_read_etc_runtime_files(mozilla_t) + files_read_usr_files(mozilla_t) + files_read_etc_files(mozilla_t) +@@ -139,12 +143,7 @@ + # Browse the web, connect to printer + 
sysnet_dns_name_resolve(mozilla_t) + +-userdom_manage_user_home_content_dirs(mozilla_t) +-userdom_manage_user_home_content_files(mozilla_t) +-userdom_manage_user_home_content_symlinks(mozilla_t) +-userdom_manage_user_tmp_dirs(mozilla_t) +-userdom_manage_user_tmp_files(mozilla_t) +-userdom_manage_user_tmp_sockets(mozilla_t) +userdom_use_user_ptys(mozilla_t) xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) +@@ -241,6 +240,9 @@ + optional_policy(` + dbus_system_bus_client(mozilla_t) + dbus_session_bus_client(mozilla_t) ++ optional_policy(` ++ networkmanager_dbus_chat(mozilla_t) ++ ') + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-07-07 08:51:57.000000000 +0200 
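Review bot: `userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)` at inner hunk `@@ -59,6 +59,7 @@` is a class-wide transition with no name qualifier: if I read the interface correctly, every directory mozilla_t creates directly in the user's home directory will be labelled mozilla_home_t, not only the browser profile directory, which together with the removal of the six `userdom_manage_user_home_content_*`/`userdom_manage_user_tmp_*` lines at `@@ -139,12 +143,7 @@` changes what the browser can reach in `$HOME`. A comment stating the intended scope, e.g. `# directories the browser creates in the user home dir default to mozilla_home_t`, would make that trade-off explicit for the next reviewer. Separately, `domain_dontaudit_read_all_domains_state(mozilla_t)` at `@@ -114,6 +116,8 @@` silences a broad class of denials; a short note on which access triggers them (`# dontaudit: <what reads other domains' /proc state — TODO>`) keeps the suppression reviewable.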
@@ -1785,6 +1855,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` setroubleshoot_dontaudit_stream_connect(user_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.12/policy/modules/roles/xguest.te +--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-06-25 10:19:44.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/roles/xguest.te 2009-07-08 21:12:15.000000000 +0200 +@@ -36,11 +36,17 @@ + # Local policy + # + ++# Dontaudit fusermount ++dontaudit xguest_t self:capability sys_admin; ++ + # Allow mounting of file systems + optional_policy(` + tunable_policy(`xguest_mount_media',` + kernel_read_fs_sysctls(xguest_t) + ++ # allow fusermount ++ allow xguest_t self:capability sys_admin; ++ + files_dontaudit_getattr_boot_dirs(xguest_t) + files_search_mnt(xguest_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-06-25 10:21:01.000000000 +0200 
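Review bot: The `allow xguest_t self:capability sys_admin;` added inside the `xguest_mount_media` tunable (inner hunk `@@ -36,11 +36,17 @@`) grants the guest domain the whole of CAP_SYS_ADMIN, which covers far more than the mount(2) call fusermount needs, and the comment `# allow fusermount` does not say so; something like `# fusermount needs CAP_SYS_ADMIN for mount(2); this grants the full capability to xguest_t while xguest_mount_media is on` would record the scope. If this policy already has a dedicated mount domain that fusermount could transition into, that would be the narrower fix and is worth considering instead. The unconditional `dontaudit xguest_t self:capability sys_admin;` added above the tunable only hides the denial while the boolean is off, so a note that it is the complement of the conditional allow would help a reader. The `tunable_policy` block continues past the end of the hunk.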
@@ -2527,6 +2618,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +auth_use_nsswitch(nslcd_t) + +logging_send_syslog_msg(nslcd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.12/policy/modules/services/openvpn.te +--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-04-07 21:54:45.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/openvpn.te 2009-07-08 21:10:15.000000000 +0200 +@@ -86,6 +86,7 @@ + corenet_udp_bind_openvpn_port(openvpn_t) + corenet_tcp_connect_openvpn_port(openvpn_t) + corenet_tcp_connect_http_port(openvpn_t) ++corenet_tcp_connect_http_cache_port(openvpn_t) + corenet_rw_tun_tap_dev(openvpn_t) + corenet_sendrecv_openvpn_server_packets(openvpn_t) + corenet_sendrecv_openvpn_client_packets(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 21:54:45.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-25 10:21:01.000000000 +0200 @@ -2609,7 +2711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/postgresql.te 2009-06-29 16:24:29.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/postgresql.te 2009-07-08 21:12:21.000000000 +0200 @@ -202,6 +202,7 @@ corenet_tcp_bind_generic_node(postgresql_t) corenet_tcp_bind_postgresql_port(postgresql_t) 
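Review bot: `corenet_tcp_connect_http_cache_port(openvpn_t)` in the new openvpn.te hunk is added unconditionally and without a comment; the surrounding `corenet_tcp_connect_http_port(openvpn_t)` already covers proxies on the http port, so presumably this is for `--http-proxy` configurations that use a cache/proxy port. A why-comment, `# --http-proxy may point at a proxy listening on an http_cache port`, would record that, and if only some deployments proxy, a boolean would keep the default daemon profile tighter. This is the only hunk touching openvpn and the changelog does not mention it. The pcscd and postgresql hunks that follow on this line are timestamp-only.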
@@ -2618,6 +2720,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_postgresql_server_packets(postgresql_t) corenet_sendrecv_auth_client_packets(postgresql_t) +@@ -237,6 +238,7 @@ + init_read_utmp(postgresql_t) + + logging_send_syslog_msg(postgresql_t) ++logging_send_audit_msgs(postgresql_t) + + miscfiles_read_localization(postgresql_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/ppp.if 2009-06-25 10:21:01.000000000 +0200 @@ -2725,7 +2835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_symlinks_except_shadow(rsync_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-06-25 10:21:01.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-07-08 21:12:27.000000000 +0200 @@ -148,6 +148,7 @@ optional_policy(` 
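Review bot: `logging_send_audit_msgs(postgresql_t)` at inner hunk `@@ -237,6 +238,7 @@` lets the database daemon write to the kernel audit log (in refpolicy that interface is what grants the audit netlink socket and CAP_AUDIT_WRITE — confirm in logging.if), and nothing in the hunk says why a database server needs it. Presumably this is for SE-PostgreSQL's own access-control auditing; a comment such as `# SE-PostgreSQL reports its access decisions through the audit subsystem` would record that, and if the feature is optional in this build the line belongs under the same conditional that enables it.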
@@ -2734,6 +2844,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_domtrans_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) +@@ -186,6 +187,6 @@ + + optional_policy(` + mta_etc_filetrans_aliases(unconfined_sendmail_t) +- unconfined_domain(unconfined_sendmail_t) ++ unconfined_domain_noaudit(unconfined_sendmail_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te 2009-06-25 10:21:01.000000000 +0200 @@ -3221,7 +3339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-06-25 10:21:01.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-07-08 21:12:32.000000000 +0200 @@ -370,8 +370,9 @@ manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) 
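Review bot: The switch from `unconfined_domain(unconfined_sendmail_t)` to `unconfined_domain_noaudit(unconfined_sendmail_t)` at inner hunk `@@ -186,6 +187,6 @@` changes what is recorded for an already-unconfined mail domain, but the hunk carries no comment and the commit subject and changelog only mention xguest. A note on the line, `# noaudit variant: <which denials were being logged and why they are noise — TODO>`, would let the next reader tell a deliberate noise reduction from a lost signal; unconfined domains are exactly where audit records matter most for detection, so the reason deserves to be written down. I read `unconfined_domain` as `unconfined_domain_noaudit` plus additional auditing — confirm against unconfined.if before relying on that. The xserver.te hunk that follows on this line is timestamp-only.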
@@ -3249,7 +3367,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_tmp_sockets(xdm_t) userdom_manage_tmpfs_role(system_r, xdm_t) -@@ -839,7 +842,6 @@ +@@ -652,6 +655,7 @@ + + optional_policy(` + pulseaudio_exec(xdm_t) ++ pulseaudio_dbus_chat(xdm_t) + ') + + # On crash gdm execs gdb to dump stack +@@ -839,7 +843,6 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -3257,7 +3383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_rw_tmpfs_files(xserver_t) mls_xwin_read_to_clearance(xserver_t) -@@ -931,6 +933,10 @@ +@@ -931,6 +934,10 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 4ce99b9..dcc9877 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 64%{?dist} +Release: 65%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Wed Jul 8 2009 Miroslav Grepl 3.6.12-65 +- Fixes for xguest + * Tue Jul 7 2009 Miroslav Grepl 3.6.12-64 - Fixes for kpropd - Fix up kismet policy
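Review bot: `pulseaudio_dbus_chat(xdm_t)` at inner hunk `@@ -652,6 +655,7 @@` opens a D-Bus message channel between the display-manager domain and the pulseaudio domain, with no comment on what it is for. A why-comment beside the existing `pulseaudio_exec(xdm_t)`, e.g. `# the display manager starts its own pulseaudio for login sounds and talks to it over D-Bus`, would document the purpose; if that is the only use, confirm that `pulseaudio_exec` alone (which the block already had) is not sufficient before keeping the extra permission. The rest of this hunk only renumbers the `@@ -839` header, and the spec-file hunks are a release bump and changelog entry.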