From eadb0167754b3e1e3018b474317aaf5c777dd4eb Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 26 2007 13:38:05 +0000 Subject: - Allow unconfined_t to run crontab -e as root --- diff --git a/policy-20070703.patch b/policy-20070703.patch index ff8d232..9ee4566 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -6142,7 +6142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.8/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cron.if 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/cron.if 2007-10-26 09:03:07.000000000 -0400 @@ -35,6 +35,7 @@ # template(`cron_per_role_template',` @@ -6227,15 +6227,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ############################## # -@@ -195,6 +175,7 @@ +@@ -192,9 +172,13 @@ + # dac_override is to create the file in the directory under /tmp + allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override }; + allow $1_crontab_t self:process signal_perms; ++ allow $1_crontab_t self:fifo_file rw_fifo_file_perms; # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, $1_crontab_t) + allow $2 $1_crontab_t:fd use; ++ ++ auth_domtrans_upd_passwd_chk($1_crontab_t) # crontab shows up in user ps ps_process_pattern($2,$1_crontab_t) -@@ -205,9 +186,6 @@ +@@ -205,9 +189,6 @@ # Allow crond to read those crontabs in cron spool. allow crond_t $1_cron_spool_t:file manage_file_perms; 
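Review bot: The new `auth_domtrans_upd_passwd_chk($1_crontab_t)` and `allow $1_crontab_t self:fifo_file rw_fifo_file_perms;` lines sit inside `cron_per_role_template`, so every role's derived crontab domain gains them, not only the `unconfined_crontab_t` that the commit message targets. Neither rule carries a why-comment, while the neighbouring `dac_override` line does; I would add `# crontab's PAM account check may exec the password-update helper -- confirm` above the domtrans, or move the call into the unconfined caller if that is the only user that needs it. The enclosing template starts before this hunk and continues past it.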
@@ -6245,7 +6251,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # create files in /var/spool/cron manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t) filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file) -@@ -243,10 +221,12 @@ +@@ -236,6 +217,7 @@ + libs_use_shared_libs($1_crontab_t) + + logging_send_syslog_msg($1_crontab_t) ++ logging_send_audit_msgs($1_crontab_t) + + miscfiles_read_localization($1_crontab_t) + +@@ -243,10 +225,12 @@ userdom_manage_user_tmp_dirs($1,$1_crontab_t) userdom_manage_user_tmp_files($1,$1_crontab_t) @@ -6258,7 +6272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -438,6 +418,25 @@ +@@ -438,6 +422,25 @@ ######################################## ## @@ -6286,7 +6300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cron.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/cron.te 2007-10-26 08:41:15.000000000 -0400 @@ -50,6 +50,7 @@ type crond_tmp_t; @@ -7340,7 +7354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-22 17:22:21.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-26 09:02:10.000000000 -0400 @@ -0,0 +1,157 @@ +## Exim service + 
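Review bot: `logging_send_audit_msgs($1_crontab_t)` hands every per-role crontab domain the ability to write audit records (in refpolicy this is the audit_write capability plus the audit netlink socket), and the hunk says nothing about why a crontab editor needs that. If it is for PAM's audit reporting when crontab authenticates its caller, say so above the line: `# crontab's PAM stack writes USER_* audit records -- confirm`; if it was only added to silence a denial, a dontaudit would be the smaller change. The enclosing `cron_per_role_template` begins before this hunk and continues after it.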
@@ -7423,7 +7437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + +######################################## +## -+## Manage exim logs ++## append exim logs +## +## +## @@ -7431,13 +7445,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +## +## +# -+interface(`exim_manage_logs',` ++interface(`exim_append_log',` + gen_require(` + type exim_log_t; + ') + + files_search_var($1) -+ manage_files_pattern($1, exim_log_t, exim_log_t) ++ append_files_pattern($1, exim_log_t, exim_log_t) +') + +######################################## @@ -7501,12 +7515,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-22 17:07:28.000000000 -0400 -@@ -0,0 +1,232 @@ -+# $Id: exim.te 687 2007-09-09 00:19:41Z aqua $ -+# Draft SELinux refpolicy module for the Exim MTA -+# -+# Devin Carraway ++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-26 09:02:43.000000000 -0400 +@@ -0,0 +1,229 @@ + +policy_module(exim, 1.0.0) + @@ -7640,7 +7650,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + +## logging +logging_send_syslog_msg(exim_t) -+exim_manage_logs(exim_t) ++ ++manage_files_pattern(exim_t, exim_log_t, exim_log_t) +logging_log_filetrans(exim_t, exim_log_t, { file dir }) + +corecmd_search_bin(exim_t) 
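Review bot: `exim_append_log` reaches the log files only through `files_search_var($1)`, yet exim.te's `logging_log_filetrans(exim_t, exim_log_t, { file dir })` shows the exim_log_t objects are created under the var_log_t directory, so a caller such as system_mail_t will still be denied search on /var/log unless it has that permission from elsewhere. Add `logging_search_logs($1)` after the `files_search_var($1)` line, as comparable refpolicy append-log interfaces do. The renamed summary `## append exim logs` should also be capitalised like the file's other summaries (`## Append exim logs`). Tightening manage to append for external callers is the right least-privilege move.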
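Review bot: The rewritten exim.te header drops the `# Draft SELinux refpolicy module for the Exim MTA` line and the `# Devin Carraway` attribution along with the `$Id` keyword, and the spec changelog entry (`Allow unconfined_t to run crontab -e as root`) does not mention the exim work at all. Removing the `$Id` line is fine, but keep the module's origin as a comment, e.g. `# Based on the Exim module by Devin Carraway`, and add a changelog line if the module is now considered non-draft.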
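Review bot: `manage_files_pattern(exim_t, exim_log_t, exim_log_t)` grants only `rw_dir_perms` on exim_log_t directories, but the following `logging_log_filetrans(exim_t, exim_log_t, { file dir })` expects exim to create exim_log_t directories under /var/log, which needs dir `create` and will be denied. Either add `manage_dirs_pattern(exim_t, exim_log_t, exim_log_t)` next to the files rule or drop `dir` from the filetrans if exim only ever creates files there. Replacing the module's own `exim_manage_logs(exim_t)` call with the raw pattern is the correct refpolicy convention.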
@@ -8484,7 +8495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-26 09:07:59.000000000 -0400 @@ -6,6 +6,7 @@ # Declarations # @@ -8547,7 +8558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -+ exim_domtrans(system_mail_t) ++ exim_append_log(system_mail_t) +') + +optional_policy(` @@ -9912,6 +9923,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # postgresql Local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.0.8/policy/modules/services/ppp.fc +--- nsaserefpolicy/policy/modules/services/ppp.fc 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ppp.fc 2007-10-26 08:55:32.000000000 -0400 +@@ -25,7 +25,7 @@ + # + # /var + # +-/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0) ++/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) + /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) + /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) + # Fix pptp sockets diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.0.8/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2007-10-22 13:22:31.000000000 -0400 
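Review bot: Swapping `exim_domtrans(system_mail_t)` for `exim_append_log(system_mail_t)` removes the transition into exim_t, so when system_mail_t invokes the exim binary it will now keep running in the generic mail domain, and the new append rule looks like it exists to cover exactly that. If exim is meant to run confined, keep the domtrans (exim_t already has its own log rules in exim.te) rather than widen system_mail_t; if the binary is deliberately reached through a sendmail alias that stays in system_mail_t, record that above the call, e.g. `# exim invoked via the sendmail link stays in system_mail_t and appends to exim's logs`. This hunk sits inside an `optional_policy` block whose other lines are outside the visible hunk.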
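Review bot: The new `/var/run/(i)?ppp.*pid[^/]*` entry has no comment saying which file name it exists for, and since `.` in a file-context regex also matches `/`, the `.*` already spans into subdirectories that the later `/var/run/ppp(/.*)?` entry covers. Both entries label pppd_var_run_t, so the overlap is harmless, but a narrower and self-explaining form would be `/var/run/(i)?ppp[^/]*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)` with a one-line comment above naming the pid-file variant that prompted the change.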
@@ -16252,7 +16275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-25 15:22:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-26 08:42:39.000000000 -0400 @@ -5,36 +5,52 @@ # # Declarations @@ -16313,7 +16336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,31 +58,29 @@ +@@ -42,37 +58,36 @@ logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -16352,7 +16375,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -107,6 +121,10 @@ + cron_per_role_template(unconfined,unconfined_t,unconfined_r) + # this is disallowed usage: + unconfined_domain(unconfined_crond_t) ++ unconfined_domain(unconfined_crontab_t) + ') + + optional_policy(` +@@ -107,6 +122,10 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -16363,7 +16393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -114,15 +132,15 @@ +@@ -114,15 +133,15 @@ ') optional_policy(` @@ -16382,7 +16412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -130,15 +148,10 @@ +@@ -130,15 +149,10 @@ ') optional_policy(` 
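Review bot: `unconfined_domain(unconfined_crontab_t)` makes the whole derived crontab domain unconfined instead of adding the specific permission that `crontab -e` as root was denied, which throws away the confinement `cron_per_role_template` builds for it (the `dac_override`/`setuid` capability set and spool-file labelling in cron.if). The existing `# this is disallowed usage:` comment now covers two lines but explains neither; at minimum extend it with the reason, e.g. `# unconfined_crontab_t: crontab -e as root needs the unconfined permission set -- confirm which denial this fixes`. If the blocker was a single denial, prefer the narrow rule in cron.if over unconfining the domain. The enclosing `optional_policy` block starts before this hunk.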
@@ -16400,7 +16430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -155,32 +168,23 @@ +@@ -155,32 +169,23 @@ optional_policy(` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -16437,7 +16467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +209,22 @@ +@@ -205,11 +210,22 @@ ') optional_policy(` @@ -16462,7 +16492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -225,8 +240,21 @@ +@@ -225,8 +241,21 @@ init_dbus_chat_script(unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 7f4e420..f94a624 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 35%{?dist} +Release: 36%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -373,6 +373,9 @@ exit 0 %endif %changelog +* Fri Oct 26 2007 Dan Walsh 3.0.8-36 +- Allow unconfined_t to run crontab -e as root + * Thu Oct 25 2007 Dan Walsh 3.0.8-35 - Add ecryptfs definition