From ff721805d24f76d2a9096d9b67d888265c357cab Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Oct 29 2007 20:05:37 +0000
Subject: - Allow unconfined to run crontab
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index 27ba9da..77755ed 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -4642,8 +4642,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
  neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-22 13:22:31.000000000 -0400
-@@ -39,6 +39,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-10-29 16:03:39.000000000 -0400
+@@ -31,6 +31,7 @@
+ /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
++/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t:s0)
+ /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -39,6 +40,7 @@
  ')
  /dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
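Review bot: The new `/dev/ps3d.*` entry separates the type from its level with a colon, `fixed_disk_device_t:s0`, while every neighbouring entry in the hunk passes the level as gen_context's second argument after a comma (`removable_device_t,s0`, `fixed_disk_device_t,mls_systemhigh`). With the colon the level becomes part of the first macro argument and the second argument is empty, so the expanded file_contexts line would presumably carry a malformed context and fail at build or relabel time; I have not expanded the macro here to confirm the exact output. The other fixed_disk_device_t entries in this hunk use `mls_systemhigh`, so the line is most likely meant to read `/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. If `s0` is deliberate for this device, `/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)` at least fixes the separator.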
@@ -4651,7 +4659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
  /dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
  /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -52,7 +53,7 @@
+@@ -52,7 +54,7 @@
  /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -7519,8 +7527,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-27 07:39:12.000000000 -0400
-@@ -0,0 +1,230 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-10-27 07:41:14.000000000 -0400
+@@ -0,0 +1,237 @@
 +
 +policy_module(exim, 1.0.0)
 +
@@ -7544,6 +7552,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +type exim_spool_t;
 +files_type(exim_spool_t)
 +
++type exim_tmp_t;
++files_tmp_file(exim_tmp_t)
++
 +type exim_var_run_t;
 +files_pid_file(exim_var_run_t)
 +
@@ -7653,6 +7664,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +allow exim_t exim_spool_t:sock_file create_file_perms;
 +files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
 +
++manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
++manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
++files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
++
 +## logging
 +logging_send_syslog_msg(exim_t)
 +
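Review bot: The exim_tmp_t rules added at the end of the last hunk (`manage_dirs_pattern` through `files_tmp_filetrans`) carry no section heading, although the block immediately after them announces itself with `## logging` and the new rules sit between the spool rules and that heading. Adding `## temporary files` above `manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)` keeps the new block readable in the same style as its neighbour. The rest of exim.te is outside these hunks, so I can only infer the heading convention from that one visible line.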
@@ -16290,7 +16305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-26 11:52:26.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-29 15:01:25.000000000 -0400
 @@ -5,36 +5,52 @@
  #
  # Declarations
@@ -16351,7 +16366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +58,36 @@
+@@ -42,37 +58,37 @@
  logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16394,10 +16409,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  # this is disallowed usage:
  unconfined_domain(unconfined_crond_t)
 + unconfined_domain(unconfined_crontab_t)
++ role system_r types unconfined_crontab_t;
  ')
  optional_policy(`
-@@ -107,6 +122,10 @@
+@@ -107,6 +123,10 @@
  optional_policy(`
  oddjob_dbus_chat(unconfined_t)
  ')
@@ -16408,7 +16424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  optional_policy(`
-@@ -114,15 +133,15 @@
+@@ -114,15 +134,15 @@
  ')
  optional_policy(`
@@ -16427,7 +16443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  optional_policy(`
-@@ -130,15 +149,10 @@
+@@ -130,15 +150,10 @@
  ')
  optional_policy(`
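Review bot: The added `role system_r types unconfined_crontab_t;` in the third hunk has no comment saying why a type from this module must be reachable from system_r; the only nearby comment, `# this is disallowed usage:`, explains the `unconfined_domain()` calls above it, not a role authorisation. Presumably crontab is being invoked by an unconfined process that is already running in system_r (the commit subject is "Allow unconfined to run crontab") and the transition into unconfined_crontab_t was failing the role check — confirm that and record it, e.g. `# crontab is also run from system_r; let that role enter the domain` above the new line, so the role widening is not mistaken for part of the "disallowed usage" remark. The enclosing optional_policy block begins before this hunk, so I cannot see what else it contains.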
@@ -16445,7 +16461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  optional_policy(`
-@@ -155,32 +169,23 @@
+@@ -155,32 +170,23 @@
  optional_policy(`
  postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -16482,7 +16498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  optional_policy(`
-@@ -205,11 +210,22 @@
+@@ -205,11 +211,22 @@
  ')
  optional_policy(`
@@ -16507,7 +16523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  ########################################
-@@ -225,8 +241,21 @@
+@@ -225,8 +242,21 @@
  init_dbus_chat_script(unconfined_execmem_t)
  unconfined_dbus_chat(unconfined_execmem_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 12bcf56..448636c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 38%{?dist}
+Release: 39%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,9 @@ exit 0
 %endif
 %changelog
+* Mon Oct 29 2007 Dan Walsh 3.0.8-39
+- Allow unconfined to run crontab
+
 * Sat Oct 27 2007 Dan Walsh 3.0.8-38
 - Allow ip to load sys_modules in order to bring up ip6 networks