[selinux-policy/f12/master] - Fixes for nut policy

Miroslav Grepl mgrepl at fedoraproject.org
Wed Sep 1 13:25:23 UTC 2010


commit 8d7a021376cd846e21b1322f0568c0cf93704241
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Sep 1 15:25:15 2010 +0200

    - Fixes for nut policy

 policy-20100106.patch |  108 ++++++++++++++++++++++++++++++++++++++++++++----
 selinux-policy.spec   |    5 ++-
 2 files changed, 103 insertions(+), 10 deletions(-)
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index ba65e07..7b83d7e 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -3073,7 +3073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-01-18 18:24:22.665531100 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2010-04-16 09:19:46.149614555 +0200
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2010-09-01 14:34:55.989084677 +0200
 @@ -166,6 +166,7 @@
  /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
@@ -3103,7 +3103,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -299,6 +304,7 @@
+@@ -244,6 +249,7 @@
+ /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/turboprint/lib(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/wicd/daemon(/.*)?    gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
+ 
+@@ -299,6 +305,7 @@
  /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
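Review bot: The added corecommands.fc entry `/usr/share/wicd/daemon(/.*)?    gen_context(system_u:object_r:bin_t,s0)` separates the path from its context with spaces, while every neighbouring entry in the hunk aligns the `gen_context(...)` column with tabs; using a tab there keeps the file consistent with the lines around it. The entry labels the whole wicd daemon tree bin_t, so every domain that is granted `corecmd_exec_bin` can execute anything placed under it, which is worth a one-line comment if only specific scripts are meant to be run. This labelling change has nothing to do with the nut fix named in the commit message and the spec changelog, and the same holds for the qmail.te, uucp.if, authlogin.te and selinuxutil.if hunks further down; a changelog line per unrelated change would make the package history usable when one of them later has to be reverted.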
@@ -11711,8 +11719,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te
 --- nsaserefpolicy/policy/modules/services/nut.te	2010-01-18 18:24:22.836530501 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nut.te	2010-03-15 12:18:24.764614391 +0100
-@@ -96,9 +96,6 @@
++++ serefpolicy-3.6.32/policy/modules/services/nut.te	2010-09-01 14:31:37.938334024 +0200
+@@ -79,13 +79,15 @@
+ allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
+ allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow nut_upsmon_t self:tcp_socket create_socket_perms;
++allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+ 
+ read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+ 
+ # pid file
+ manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+ manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+-files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file })
++manage_sock_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file sock_file })
+ 
+ corenet_tcp_connect_ups_port(nut_upsmon_t)
+ #corenet_tcp_connect_generic_port(nut_upsmon_t)
+@@ -96,9 +98,6 @@
  kernel_read_kernel_sysctls(nut_upsmon_t)
  kernel_read_system_state(nut_upsmon_t)
  
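Review bot: The new `manage_sock_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)` and the widened `files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file sock_file })` sit under the existing `# pid file` comment, which no longer describes the block, and nothing records which socket upsmon now creates in its run directory. A comment such as `# pid file and upsmon's unix socket under /var/run` (with the actual socket name, which the hunk does not show) would capture the intent, and the same applies to the new `allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };` line, whose `connectto` presumably pairs with that socket but is left unexplained. The nested hunk headed `@@ -96,9 +98,6 @@` continues past the end of this outer hunk.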
@@ -11722,7 +11747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # Creates /etc/killpower
  files_manage_etc_runtime_files(nut_upsmon_t)
  files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
-@@ -118,6 +115,12 @@
+@@ -118,6 +117,12 @@
  init_rw_utmp(nut_upsmon_t)
  init_telinit(nut_upsmon_t)
  
@@ -11735,7 +11760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Local policy for upsdrvctl
-@@ -140,7 +143,6 @@
+@@ -140,7 +145,6 @@
  files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
  
  # /sbin/upsdrvctl executes other drivers
@@ -11743,7 +11768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corecmd_exec_bin(nut_upsdrvctl_t)
  corecmd_exec_sbin(nut_upsdrvctl_t)
  
-@@ -177,7 +179,6 @@
+@@ -177,7 +181,6 @@
      corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
      corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
      corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
@@ -13013,6 +13038,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  ## <summary>
  ##	Read qmail configuration files.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.6.32/policy/modules/services/qmail.te
+--- nsaserefpolicy/policy/modules/services/qmail.te	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/qmail.te	2010-09-01 14:27:05.270334208 +0200
+@@ -125,6 +125,10 @@
+ 	spamassassin_domtrans_client(qmail_local_t)
+ ')
+ 
++optional_policy(`
++	uucp_domtrans(qmail_local_t)
++')
++
+ ########################################
+ #
+ # qmail-lspawn local policy
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.6.32/policy/modules/services/qpidd.fc
 --- nsaserefpolicy/policy/modules/services/qpidd.fc	1970-01-01 01:00:00.000000000 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/qpidd.fc	2010-03-23 13:40:07.842390658 +0100
@@ -15236,6 +15275,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +auth_use_nsswitch(usbmuxd_t)
 +
 +logging_send_syslog_msg(usbmuxd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.6.32/policy/modules/services/uucp.if
+--- nsaserefpolicy/policy/modules/services/uucp.if	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/uucp.if	2010-09-01 14:27:51.808084472 +0200
+@@ -1,5 +1,24 @@
+ ## <summary>Unix to Unix Copy</summary>
+ 
++#######################################
++## <summary>
++## Execute the uucico program in the
++## uucpd_t domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`uucp_domtrans',`
++	gen_require(`
++		type uucpd_t, uucpd_exec_t;
++	')
++
++	domtrans_pattern($1, uucpd_exec_t, uucpd_t)
++')
++     
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to append
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.6.32/policy/modules/services/varnishd.if
 --- nsaserefpolicy/policy/modules/services/varnishd.if	2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/services/varnishd.if	2010-04-13 14:36:06.397612500 +0200
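Review bot: The new `uucp_domtrans` interface ends with a whitespace-only line (the `+     ` line between its closing `')` and the `####` separator), and its XML doc lines are written as `## Execute the uucico program in the` without the tab indent the neighbouring interface uses (`##	Allow the specified domain to append` just below); both should be cleaned up before this lands. The summary says the interface executes uucico, yet the rule is `domtrans_pattern($1, uucpd_exec_t, uucpd_t)`; if uucico carries the uucpd_exec_t label that is fine, otherwise the summary should name the program that does — uucp.fc is not in the hunk, so confirm. The only caller in this commit is qmail_local_t (qmail.te hunk above), which thereby gains a transition into the uucpd_t daemon domain from local mail delivery; naming that intended use in the summary would help later review.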
@@ -17585,6 +17652,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		kerberos_use($1)
  	')
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.32/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te	2010-01-18 18:24:22.929540026 +0100
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.te	2010-09-01 14:37:19.726085065 +0200
+@@ -84,7 +84,7 @@
+ 
+ allow chkpwd_t self:capability { dac_override setuid };
+ dontaudit chkpwd_t self:capability sys_tty_config;
+-allow chkpwd_t self:process getattr;
++allow chkpwd_t self:process { getattr signal };
+ 
+ allow chkpwd_t shadow_t:file read_file_perms;
+ files_list_etc(chkpwd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.6.32/policy/modules/system/daemontools.if
 --- nsaserefpolicy/policy/modules/system/daemontools.if	2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/system/daemontools.if	2010-02-11 14:55:16.780616974 +0100
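Review bot: The widened `allow chkpwd_t self:process { getattr signal };` carries no comment saying why the password-checking helper needs to signal its own process, and neither the commit message nor the changelog mentions chkpwd. Presumably this silences a denial observed in the field; recording it, e.g. `# unix_chkpwd signals itself (seen as an AVC denial; note the triggering case)`, makes it possible to drop the rule again if the helper stops doing so. The grant is self-only, so it does not widen what chkpwd_t can do to other domains.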
@@ -18889,8 +18968,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2010-01-18 18:24:22.965530078 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if	2010-03-01 16:18:46.909490203 +0100
-@@ -1142,6 +1142,27 @@
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if	2010-09-01 14:23:30.404335337 +0200
+@@ -525,6 +525,10 @@
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit setfiles_t $1:socket_class_set { read write };
++	')
+ ')
+ 
+ ########################################
+@@ -1142,6 +1146,27 @@
  	role $2 types setsebool_t;
  ')
  
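Review bot: The added `dontaudit setfiles_t $1:socket_class_set { read write };` silences denials on every socket class of every domain that calls this interface, with no comment saying which leaked descriptor it is hiding; the `hide_broken_symptoms` guard marks it as a workaround, but a reader cannot tell which caller prompted it. A comment above the ifdef, e.g. `# callers leak socket fds into setfiles; hide the read/write denials instead of granting access` (hedged on the actual leak, which the hunk does not show), would document both the reason and the fact that access is deliberately not granted. The interface containing this block starts before the hunk (only its tail from `files_search_usr($1)` is visible), and the nested `@@ -1142,6 +1146,27 @@` header below is a pure renumber.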
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1c49c5c..62acc0a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 121%{?dist}
+Release: 122%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Sep 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-122
+- Fixes for nut policy
+
 * Tue Aug 17 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-121
 - Fix label for mount.crypt
 - Allow dhcpc to read Network Manger lib files

