From a2478654b9e5b974a951e6a19530ac9a7a31cb8b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 20 2009 15:08:48 +0000 Subject: - Allow sshd getsched capability --- diff --git a/policy-20090521.patch b/policy-20090521.patch index 0a6dc14..ad33537 100644 --- a/policy-20090521.patch +++ b/policy-20090521.patch @@ -1818,7 +1818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-06-25 10:21:01.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-07-20 14:33:12.000000000 +0200 @@ -52,6 +52,8 @@ init_system_domain(unconfined_execmem_t, execmem_exec_t) role unconfined_r types unconfined_execmem_t; @@ -1828,7 +1828,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type unconfined_notrans_t; type unconfined_notrans_exec_t; -@@ -253,6 +255,10 @@ +@@ -95,7 +97,6 @@ + seutil_run_semanage(unconfined_t, unconfined_r) + + unconfined_domain_noaudit(unconfined_t) +-domain_mmap_low(unconfined_t) + + userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) + +@@ -253,6 +254,10 @@ ') optional_policy(` @@ -1839,7 +1847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol qemu_role_notrans(unconfined_r, unconfined_t) qemu_unconfined_role(unconfined_r) -@@ -277,7 +283,7 @@ +@@ -277,7 +282,7 @@ ') optional_policy(` 
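Review bot: The removal of `domain_mmap_low(unconfined_t)` in the `@@ -95,7 +97,6 @@` hunk of unconfineduser.te is not recorded anywhere: the commit subject and the new %changelog entry mention only the sshd getsched change. Dropping that call takes the low-address mapping permission away from unconfined_t, which is a deliberate hardening against kernel NULL-pointer dereference bugs and can break programs that map page zero, so anyone bisecting a regression or auditing the policy needs to find it. I would add a second changelog line such as `- Remove domain_mmap_low from unconfined_t`. The hunk does not show whether software that legitimately needs low mappings gets its own domain or boolean, so that should be confirmed against the rest of unconfineduser.te.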
@@ -3286,7 +3294,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-07-13 11:36:29.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-07-20 14:31:17.000000000 +0200 +@@ -187,7 +187,7 @@ + + allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; + allow $1_t self:fifo_file rw_fifo_file_perms; +- allow $1_t self:process { signal setsched setrlimit setexec }; ++ allow $1_t self:process { signal getsched setsched setrlimit setexec }; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + # ssh agent connections: @@ -685,3 +685,24 @@ can_exec($1, ssh_agent_exec_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index a895cb1..f97e87e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 68%{?dist} +Release: 69%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Mon Jul 20 2009 Miroslav Grepl 3.6.12-69 +- Allow sshd getsched capability + * Fri Jul 17 2009 Miroslav Grepl 3.6.12-68 - Fixes for hald_dccm
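Review bot: The new `getsched` in the `@@ -187,7 +187,7 @@` hunk of ssh.if is granted on `$1_t`, so it applies to every domain that instantiates this template and not only to sshd, as the changelog states. The template body starts and ends outside the hunk, so its callers are not visible here. The exposure is small because the target is `self`, but the wording "getsched capability" is misleading: `getsched` is a `process` class permission, and the `self:capability` line just above it is unchanged. I would word the changelog entry as `- Allow sshd getsched process permission` so that anyone auditing capability grants is not sent to the wrong rule.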