From 915a9f26ccf21f309251d36496d0fdd09b6e11d5 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 09 2007 14:51:25 +0000 Subject: - Dontaudit consoletype talking to unconfined_t --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 793145a..abe1b43 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -280,7 +280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors class key diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.8/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.8/policy/global_tunables 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/global_tunables 2007-10-08 11:41:21.000000000 -0400 @@ -133,3 +133,18 @@ ## gen_tunable(write_untrusted_content,false) @@ -2581,7 +2581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-09-12 10:34:49.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-08 11:30:10.000000000 -0400 @@ -20,6 +20,7 @@ /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) 
@@ -3462,8 +3462,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-03 11:10:24.000000000 -0400 -@@ -52,7 +52,7 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-08 11:31:31.000000000 -0400 +@@ -39,6 +39,7 @@ + ') + /dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0) ++/dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) + /dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) + /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) +@@ -52,7 +53,7 @@ /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -5849,7 +5857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-08 11:24:32.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-09 10:31:36.000000000 -0400 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; 
@@ -5911,7 +5919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -145,33 +144,43 @@ +@@ -145,33 +144,40 @@ # dovecot auth local policy # @@ -5947,9 +5955,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +auth_domtrans_upd_passwd(dovecot_auth_t) auth_use_nsswitch(dovecot_auth_t) -+optional_policy -+nis_authenticate(dovecot_auth_t) -+ files_read_etc_files(dovecot_auth_t) files_read_etc_runtime_files(dovecot_auth_t) files_search_pids(dovecot_auth_t) @@ -5957,7 +5962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -185,12 +194,46 @@ +@@ -185,12 +191,50 @@ seutil_dontaudit_search_config(dovecot_auth_t) @@ -5971,12 +5976,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove - logging_send_syslog_msg(dovecot_auth_t) + mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) - ') ++') ++ ++optional_policy(` ++ nis_authenticate(dovecot_auth_t) ++') + +optional_policy(` + postfix_create_pivate_sockets(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t) -+') + ') + +# for gssapi (kerberos) +userdom_list_unpriv_users_tmp(dovecot_auth_t) @@ -6533,7 +6542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. /var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-05 11:48:00.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-10-08 11:29:21.000000000 -0400 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -7510,7 +7519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-08 11:06:33.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-09 10:30:46.000000000 -0400 @@ -49,8 +49,8 @@ corenet_udp_bind_all_nodes($1) corenet_tcp_bind_generic_port($1) @@ -7522,11 +7531,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) -@@ -87,6 +87,25 @@ +@@ -87,6 +87,27 @@ ######################################## ## -+## Use the ypbind service to access NIS services. ++## Use the nis to authenticate passwords +## +## +## @@ -7538,6 +7547,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +interface(`nis_authenticate',` + tunable_policy(`allow_ypbind',` + nis_use_ypbind_uncond($1) ++ # Needs to bind to a port < 1024 ++ allow $1 self:capability net_bind_service; + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) + ') @@ -8670,7 +8681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-10-08 11:39:31.000000000 -0400 
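Review bot: The new `allow $1 self:capability net_bind_service;` inside the `allow_ypbind` tunable is granted to whichever domain calls nis_authenticate, and the authlogin.if hunk later in this commit (`@@ -196,22 +219,40 @@`) now calls `nis_authenticate($1)` from a shared login interface, so once the tunable is on the capability lands on every domain using that interface, plus dovecot_auth_t via the dovecot.te hunks; the interface description should state that. The reworded summary `## Use the nis to authenticate passwords` also reads awkwardly; I would write `## Use NIS to authenticate passwords.` and add a description line such as `## When allow_ypbind is enabled this also grants the caller net_bind_service and binding to all RPC ports.` Whether the "port < 1024" comment matches the actual RPC port range the corenet interfaces cover cannot be confirmed from this hunk.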
@@ -59,10 +59,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -8836,8 +8847,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-10-03 11:10:24.000000000 -0400 -@@ -17,6 +17,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-10-08 11:44:11.000000000 -0400 +@@ -8,6 +8,13 @@ + + ## + ##

++## Allow rsync export files read only ++##

++##
++gen_tunable(rsync_export_all_ro,false) ++ ++## ++##

+ ## Allow rsync to modify public files + ## used for public file transfer services. + ##

+@@ -17,6 +24,7 @@ type rsync_t; type rsync_exec_t; init_daemon_domain(rsync_t,rsync_exec_t) @@ -8845,6 +8870,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn role system_r types rsync_t; type rsync_data_t; +@@ -57,6 +65,8 @@ + manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) + files_pid_filetrans(rsync_t,rsync_var_run_t,file) + ++auth_use_nsswitch(rsync_t) ++ + kernel_read_kernel_sysctls(rsync_t) + kernel_read_system_state(rsync_t) + kernel_read_network_state(rsync_t) +@@ -89,8 +99,6 @@ + miscfiles_read_localization(rsync_t) + miscfiles_read_public_files(rsync_t) + +-sysnet_read_config(rsync_t) +- + tunable_policy(`allow_rsync_anon_write',` + miscfiles_manage_public_files(rsync_t) + ') +@@ -107,10 +115,8 @@ + inetd_service_domain(rsync_t,rsync_exec_t) + ') + +-optional_policy(` +- nis_use_ypbind(rsync_t) +-') +- +-optional_policy(` +- nscd_socket_use(rsync_t) ++tunable_policy(`rsync_export_all_ro',` ++ allow rsync_t self:capability dac_override; ++ fs_read_noxattr_fs_files(rsync_t) ++ auth_read_all_files_except_shadow(rsync_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.8/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/samba.fc 2007-10-03 11:10:24.000000000 -0400 @@ -10200,7 +10258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs. dev_read_sysfs(xfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-10-03 11:10:25.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-10-08 13:25:36.000000000 -0400 
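Review bot: The tunable description `## Allow rsync export files read only` undersells what `rsync_export_all_ro` enables: the `tunable_policy` block grants rsync_t `dac_override` together with `fs_read_noxattr_fs_files` and `auth_read_all_files_except_shadow`, which by name is read access to essentially every file on the host other than shadow, and that is what an administrator reading the boolean description should see. I would write `## Allow rsync to export all files read-only, including files rsync_t could not otherwise read (grants dac_override).` The same change drops `sysnet_read_config(rsync_t)` in favour of `auth_use_nsswitch(rsync_t)`; that is only safe if auth_use_nsswitch still provides the resolver config reads, and the authlogin.if hunk at `@@ -1318,14 +1403,9 @@` edits that interface without showing it in full, so it is worth confirming. The `auth_read_all_files_except_shadow` interface itself is presumably among the lines appended at the end of authlogin.if, which are not visible here.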
@@ -32,11 +32,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -10213,7 +10271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /opt # -@@ -92,13 +87,15 @@ +@@ -92,13 +87,16 @@ /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) @@ -10222,6 +10280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -10851,7 +10910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-08 11:03:54.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-09 10:32:37.000000000 -0400 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) 
@@ -10916,7 +10975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo selinux_get_fs_mount($1) selinux_validate_context($1) selinux_compute_access_vector($1) -@@ -196,22 +219,36 @@ +@@ -196,22 +219,40 @@ mls_fd_share_all_levels($1) auth_domtrans_chk_passwd($1) @@ -10945,6 +11004,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + userdom_set_rlimitnh($1) + + optional_policy(` ++ nis_authenticate($1) ++ ') ++ ++ optional_policy(` + unconfined_set_rlimitnh($1) + ') + @@ -10954,7 +11017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -309,9 +346,6 @@ +@@ -309,9 +350,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -10964,7 +11027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -329,6 +363,8 @@ +@@ -329,6 +367,8 @@ optional_policy(` kerberos_use($1) @@ -10973,7 +11036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -347,6 +383,37 @@ +@@ -347,6 +387,37 @@ ######################################## ## @@ -11011,7 +11074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -695,6 +762,24 @@ +@@ -695,6 +766,24 @@ ######################################## ## @@ -11036,7 +11099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Execute pam programs in the PAM domain. ## ## -@@ -1318,14 +1403,9 @@ +@@ -1318,14 +1407,9 @@ ## # interface(`auth_use_nsswitch',` @@ -11051,7 +11114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) miscfiles_read_certs($1) -@@ -1347,6 +1427,8 @@ +@@ -1347,6 +1431,8 @@ optional_policy(` samba_stream_connect_winbind($1) 
@@ -11060,7 +11123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1381,3 +1463,163 @@ +@@ -1381,3 +1467,163 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -13928,7 +13991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-08 10:26:34.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-09 10:33:22.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -14421,7 +14484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-05 14:11:08.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-09 10:33:10.000000000 -0400 @@ -29,8 +29,9 @@ ')