From b11ae243a25abefdcb3f78d05737e2122e718a3c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Aug 13 2007 11:38:10 +0000
Subject: - Allow NetworkManager to chown
---
diff --git a/policy-20070501.patch b/policy-20070501.patch
index 1c0e978..95bd7e7 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -4631,7 +4631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-08-13 07:17:55.000000000 -0400
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -4726,7 +4726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -190,12 +195,46 @@
+@@ -190,12 +195,54 @@
seutil_dontaudit_search_config(dovecot_auth_t)
@@ -4747,6 +4747,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+ postfix_search_spool(dovecot_auth_t)
+')
+
++# for gssapi (kerberos)
++userdom_list_unpriv_users_tmp(dovecot_auth_t)
++userdom_read_unpriv_users_tmp_files(dovecot_auth_t)
++userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t)
++
++ifdef(`targeted_policy',`
++ files_manage_generic_tmp_files(dovecot_auth_t)
++')
+
+########################################
+#
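Review bot: `files_manage_generic_tmp_files(dovecot_auth_t)` inside the targeted_policy block grants create, write and unlink on every generic tmp file, while the only justification in the hunk, `# for gssapi (kerberos)`, sits above the three userdom_* lines that merely list and read user tmp files; nothing says what dovecot-auth must write under /tmp in the targeted policy. If the need is a cache or socket that dovecot-auth creates itself, a dedicated tmp type with a file transition would confine the writes to dovecot's own files rather than to anything labelled as generic tmp; if manage really is required, a one-line comment naming the file, e.g. `# targeted: dovecot-auth writes <file - fill in> in /tmp`, would let the grant be checked later. The dovecot_auth_t rules continue outside the hunk.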
@@ -5649,7 +5657,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.6.4/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/networkmanager.te 2007-08-13 06:58:07.000000000 -0400
+@@ -20,7 +20,7 @@
+
+ # networkmanager will ptrace itself if gdb is installed
+ # and it receives a unexpected signal (rh bug #204161)
+-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { chown kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+ dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+ allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+ allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
@@ -41,6 +41,8 @@
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
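Review bot: `chown` is added to the NetworkManager_t self:capability set with no comment, whereas the neighbouring ptrace exception records its reason (rh bug #204161) and the commit message says only that NetworkManager is allowed to chown. CAP_CHOWN lets the domain change the owner or group of any file the file rules otherwise let it setattr, so the rule should record which file NetworkManager needs to chown, e.g. `# NetworkManager chowns <file - fill in> (rh bug <id - fill in>)` above the allow line, so a later review can judge whether a file-type rule is the better place for it. The rest of the NetworkManager_t policy is outside the hunk.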
@@ -9347,8 +9364,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
# vmware
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-08-11 07:02:45.000000000 -0400
-@@ -62,7 +62,8 @@
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-08-13 07:21:34.000000000 -0400
+@@ -55,14 +55,15 @@
+ # ldconfig local policy
+ #
+
+-allow ldconfig_t self:capability sys_chroot;
++allow ldconfig_t self:capability { dac_override sys_chroot };
+
+ allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+ files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -9358,7 +9383,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
-@@ -99,8 +100,9 @@
+@@ -72,6 +73,7 @@
+
+ domain_use_interactive_fds(ldconfig_t)
+
+files_search_home(ldconfig_t)
+ files_search_var_lib(ldconfig_t)
+ files_read_etc_files(ldconfig_t)
+ files_search_tmp(ldconfig_t)
+@@ -99,8 +101,9 @@
ifdef(`targeted_policy',`
allow ldconfig_t lib_t:file read_file_perms;
files_read_generic_tmp_symlinks(ldconfig_t)
@@ -9370,7 +9403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
')
optional_policy(`
-@@ -113,4 +115,6 @@
+@@ -113,4 +116,6 @@
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3fdf430..ba36d53 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
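Review bot: `dac_override` is added to the ldconfig_t capability set with no comment, and neither it nor `files_search_home(ldconfig_t)` in the following hunk (`@@ -9358,7 +9383,15 @@`) appears in the spec changelog, which records only the NetworkManager chown change. CAP_DAC_OVERRIDE bypasses the mode bits on every file the SELinux rules already allow ldconfig_t to touch, a broader grant than the sys_chroot it sits beside, so a comment naming the path or bug that needs it, e.g. `# dac_override needed for <path or bug - fill in>`, plus a changelog line for both additions, would let the grants be revisited. The ldconfig_t policy continues outside the hunk.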
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 35%{?dist}
+Release: 36%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
%endif
%changelog
+* Mon Aug 13 2007 Dan Walsh 2.6.4-36
+- Allow NetworkManager to chown
+
* Sat Aug 11 2007 Dan Walsh 2.6.4-35
- Allow ldconfig to talk to terminal