From d05104fd80f0b93149adab8d804a2dd1c50fc0c7 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mar 29 2008 18:36:30 +0000
Subject: - Allow stunnel apps to r/w the stunnel socket
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index b970d57..5181bdc 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -9896,7 +9896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-10-22 19:21:36.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2008-01-17 15:03:07.000000000 +0100
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2008-03-29 12:22:55.000000000 +0100
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -10022,7 +10022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  files_read_usr_symlinks(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
  files_read_var_lib_files(dovecot_t)
-@@ -185,12 +198,54 @@
+@@ -185,12 +198,57 @@
  seutil_dontaudit_search_config(dovecot_auth_t)
@@ -10045,7 +10045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +optional_policy(`
 + postfix_manage_pivate_sockets(dovecot_auth_t)
 + postfix_search_spool(dovecot_auth_t)
- ')
++')
 +
 +# for gssapi (kerberos)
 +userdom_list_unpriv_users_tmp(dovecot_auth_t)
@@ -10064,11 +10064,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +kernel_read_all_sysctls(dovecot_deliver_t)
 +kernel_read_system_state(dovecot_deliver_t)
 +
-+dovecot_auth_stream_connect(dovecot_deliver_t)
-+
 +files_read_etc_files(dovecot_deliver_t)
 +files_read_etc_runtime_files(dovecot_deliver_t)
 +
++auth_use_nsswitch(dovecot_deliver_t)
++
 +libs_use_ld_so(dovecot_deliver_t)
 +libs_use_shared_libs(dovecot_deliver_t)
 +
@@ -10076,10 +10076,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +
 +miscfiles_read_localization(dovecot_deliver_t)
 +
++dovecot_auth_stream_connect(dovecot_deliver_t)
++
++userdom_priveleged_home_dir_manager(dovecot_deliver_t)
++
 +optional_policy(`
 + mta_manage_spool(dovecot_deliver_t)
-+')
-+
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc
 --- nsaserefpolicy/policy/modules/services/exim.fc 1970-01-01 01:00:00.000000000 +0100
 +++ serefpolicy-3.0.8/policy/modules/services/exim.fc 2008-01-17 15:03:07.000000000 +0100
@@ -16959,8 +16962,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.0.8/policy/modules/services/stunnel.if
 --- nsaserefpolicy/policy/modules/services/stunnel.if 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/stunnel.if 2008-03-18 19:30:06.000000000 +0100
-@@ -1 +1,24 @@
++++ serefpolicy-3.0.8/policy/modules/services/stunnel.if 2008-03-29 17:44:46.000000000 +0100
+@@ -1 +1,25 @@
  ## SSL Tunneling Proxy
 +
 +########################################
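Review bot: `userdom_priveleged_home_dir_manager(dovecot_deliver_t)` in the second hunk gives the delivery agent management rights over user home directory content, a far broader grant than the single socket permission the commit subject and the 3.0.8-97 changelog entry describe, and neither of them mentions the dovecot_deliver_t changes at all. A comment stating the reason directly above the call, e.g. `# <why deliver must write into home directories>`, plus a changelog line for the dovecot additions (`auth_use_nsswitch`, the moved `dovecot_auth_stream_connect`, the home directory grant) would make the change reviewable, and if home-directory delivery is not needed by every deployment the rule is a candidate for a tunable rather than an unconditional allow. The same hunk also turns the inner patch's trailing `+')` into a context line ` ')`, which only applies if upstream dovecot.te has that line at the anchor, so it is worth confirming the inner patch still applies without fuzz.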
@@ -16984,6 +16987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun
 + ')
 +
 + domtrans_pattern(stunnel_t,$2,$1)
++ allow $1 stunnel_t:tcp_socket rw_socket_perms;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.0.8/policy/modules/services/stunnel.te
 --- nsaserefpolicy/policy/modules/services/stunnel.te 2007-10-22 19:21:36.000000000 +0200
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 033b910..2254320 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 96%{?dist}
+Release: 97%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@ exit 0
 %endif
 %changelog
+* Fri Mar 28 2008 Dan Walsh 3.0.8-97
+- Allow stunnel apps to r/w the stunnel socket
+
 * Fri Mar 28 2008 Dan Walsh 3.0.8-96
 - Allow munin-node to bind to socket
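Review bot: `rw_socket_perms` in the added allow line is wider than the read/write the commit subject describes: in refpolicy's permission sets it also covers setattr, append, bind, connect, setopt and shutdown, so the spawned domain `$1` can reconfigure or shut down the stunnel_t socket it inherits, not only exchange data on it. If passing data is all the spawned service needs, a narrower explicit set such as `allow $1 stunnel_t:tcp_socket { read write getattr ioctl };` matches the stated intent; if the wider set is deliberate, a comment above the line saying why would save the next reader the question. The interface this rule belongs to starts before the hunk, so its summary and parameter documentation are not visible here and presumably still describe only the domain transition; they should mention the socket access as well.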