rpms/selinux-policy/devel policy-20070703.patch, 1.35, 1.36 selinux-policy.spec, 1.498, 1.499

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Aug 20 21:43:38 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22254

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Sat Aug 18 2007 Dan Walsh <dwalsh at redhat.com> 3.0.5-9
- Allow sshd to write to proc_t for afs login


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- policy-20070703.patch	18 Aug 2007 11:54:11 -0000	1.35
+++ policy-20070703.patch	20 Aug 2007 21:43:05 -0000	1.36
@@ -514,7 +514,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.5/policy/modules/admin/kudzu.te
 --- nsaserefpolicy/policy/modules/admin/kudzu.te	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/admin/kudzu.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/admin/kudzu.te	2007-08-20 16:43:35.000000000 -0400
 @@ -21,8 +21,8 @@
  # Local policy
  #
@@ -535,22 +535,30 @@
  # kudzu will telinit to make init re-read
  # the inittab after configuring serial consoles
  init_telinit(kudzu_t)
-@@ -141,15 +143,6 @@
-         udev_read_db(kudzu_t)
+@@ -134,20 +136,15 @@
  ')
  
--optional_policy(`
+ optional_policy(`
+-        seutil_sigchld_newrole(kudzu_t)
++	rhgb_use_ptys(kudzu_t)
+ ')
+ 
+ optional_policy(`
+-        udev_read_db(kudzu_t)
++        seutil_sigchld_newrole(kudzu_t)
+ ')
+ 
+ optional_policy(`
 -	# cjp: this was originally in the else block
 -	# of ifdef userhelper.te, but it seems to
 -	# make more sense here.  also, require
 -	# blocks curently do not work in the
 -	# else block of optionals
 -	unconfined_domain(kudzu_t)
--')
--
++        udev_read_db(kudzu_t)
+ ')
+ 
  ifdef(`TODO',`
- allow kudzu_t modules_conf_t:file unlink;
- optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.5/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2007-07-25 10:37:43.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/admin/logrotate.te	2007-08-07 09:39:49.000000000 -0400
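Review bot: `rhgb_use_ptys(kudzu_t)` is indented with a tab while the two lines being moved in the same hunk, `seutil_sigchld_newrole(kudzu_t)` and `udev_read_db(kudzu_t)`, keep their eight-space indent, so the three optional_policy blocks end up with mixed indentation. Reference policy bodies use a single tab; re-indent the moved lines to match the new one while they are being touched. The reorder itself is behaviour-neutral, since each optional_policy block stands on its own.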
@@ -664,11 +672,15 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.5/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/admin/netutils.te	2007-08-10 15:49:00.000000000 -0400
-@@ -94,9 +94,14 @@
++++ serefpolicy-3.0.5/policy/modules/admin/netutils.te	2007-08-20 16:43:54.000000000 -0400
+@@ -94,9 +94,18 @@
  ')
  
  optional_policy(`
++	rhgb_use_ptys(netutils_t)
++')
++
++optional_policy(`
 +	unconfined_dontaudit_use_terminals(netutils_t)
 +')
 +
@@ -680,7 +692,7 @@
  ########################################
  #
  # Ping local policy
-@@ -113,6 +118,7 @@
+@@ -113,6 +122,7 @@
  corenet_tcp_sendrecv_all_if(ping_t)
  corenet_raw_sendrecv_all_if(ping_t)
  corenet_raw_sendrecv_all_nodes(ping_t)
@@ -2948,7 +2960,7 @@
  # filesystem SID to label inodes in the following filesystem types,
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.5/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/kernel/kernel.if	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/kernel/kernel.if	2007-08-20 15:13:02.000000000 -0400
 @@ -108,6 +108,24 @@
  
  ########################################
@@ -3176,7 +3188,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.5/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/apache.fc	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/apache.fc	2007-08-20 15:01:49.000000000 -0400
 @@ -16,7 +16,6 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -3199,7 +3211,7 @@
 +/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
 +#viewvc file context
 +/var/spool/viewvc(/.*)?  		gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
-+
++/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.5/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-07-03 07:06:27.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/apache.if	2007-08-10 15:52:40.000000000 -0400
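Review bot: The new `/var/www/html/[^/]*/cgi-bin(/.*)?` entry marks any `cgi-bin` directory one level below the DocumentRoot as httpd_sys_script_exec_t without a comment, while the neighbouring bugzilla and viewvc entries explain themselves. Because the directory itself takes this label, any file later created inside it by a domain allowed to write there inherits the executable-script type, so the intent is worth recording as `# per-site cgi-bin directories directly below the DocumentRoot`. The entry also replaces the blank line that ended the previous revision, so keep a trailing newline to avoid the next addition fusing with this one.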
@@ -3501,7 +3513,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.5/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/apache.te	2007-08-14 10:30:04.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/apache.te	2007-08-20 15:04:52.000000000 -0400
 @@ -30,6 +30,13 @@
  
  ## <desc>
@@ -3740,16 +3752,18 @@
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
  
-@@ -581,6 +673,8 @@
+@@ -581,6 +673,10 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
 +auth_use_nsswitch(httpd_suexec_t)
 +
++can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
++
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -606,6 +700,10 @@
+@@ -606,6 +702,10 @@
  
  miscfiles_read_localization(httpd_suexec_t)
  
@@ -3760,7 +3774,7 @@
  tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -620,10 +718,13 @@
+@@ -620,10 +720,13 @@
  	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
  	corenet_tcp_connect_all_ports(httpd_suexec_t)
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
@@ -3775,7 +3789,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
  ')
-@@ -634,6 +735,12 @@
+@@ -634,6 +737,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -3788,7 +3802,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +758,6 @@
+@@ -651,18 +760,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -3807,7 +3821,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -672,7 +767,8 @@
+@@ -672,7 +769,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -3817,7 +3831,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +782,66 @@
+@@ -686,15 +784,66 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -3885,7 +3899,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -711,6 +858,19 @@
+@@ -711,6 +860,19 @@
  
  ########################################
  #
@@ -3905,7 +3919,7 @@
  # httpd_rotatelogs local policy
  #
  
-@@ -728,3 +888,27 @@
+@@ -728,3 +890,27 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -4155,8 +4169,25 @@
 +/var/named/chroot/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.5/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/bind.te	2007-08-07 09:39:49.000000000 -0400
-@@ -119,6 +119,11 @@
++++ serefpolicy-3.0.5/policy/modules/services/bind.te	2007-08-20 15:21:40.000000000 -0400
+@@ -66,7 +66,6 @@
+ allow named_t self:unix_dgram_socket create_socket_perms;
+ allow named_t self:tcp_socket create_stream_socket_perms;
+ allow named_t self:udp_socket create_socket_perms;
+-allow named_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ allow named_t dnssec_t:file { getattr read };
+ 
+@@ -92,6 +91,8 @@
+ manage_sock_files_pattern(named_t,named_var_run_t,named_var_run_t)
+ files_pid_filetrans(named_t,named_var_run_t,{ file sock_file })
+ 
++auth_use_nsswitch(named_t)
++
+ # read zone files
+ allow named_t named_zone_t:dir list_dir_perms;
+ read_files_pattern(named_t,named_zone_t,named_zone_t)
+@@ -119,6 +120,11 @@
  corenet_sendrecv_dns_client_packets(named_t)
  corenet_sendrecv_rndc_server_packets(named_t)
  corenet_sendrecv_rndc_client_packets(named_t)
@@ -4168,7 +4199,33 @@
  
  dev_read_sysfs(named_t)
  dev_read_rand(named_t)
-@@ -232,6 +237,7 @@
+@@ -175,6 +181,10 @@
+ ')
+ 
+ optional_policy(`
++	kerberos_use(named_t)
++')
++
++optional_policy(`
+ 	# this seems like fds that arent being
+ 	# closed.  these should probably be
+ 	# dontaudits instead.
+@@ -184,14 +194,6 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(named_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(named_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(named_t)
+ ')
+ 
+@@ -232,6 +234,7 @@
  corenet_tcp_sendrecv_all_nodes(ndc_t)
  corenet_tcp_sendrecv_all_ports(ndc_t)
  corenet_tcp_connect_rndc_port(ndc_t)
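Review bot: `kerberos_use(named_t)` is added with no comment, and nothing in the hunk says which named feature needs Kerberos credentials; presumably GSS-TSIG signed dynamic updates, which should be confirmed and recorded as `# GSS-TSIG: named needs the keytab and KDC access`. Dropping the nis_use_ypbind and nscd_socket_use blocks is consistent with the `auth_use_nsswitch(named_t)` added earlier in this file, since that interface covers both. It is not a pure refactor, though: auth_use_nsswitch is broader than the two blocks it replaces, so the net effect for this network-facing daemon is a widening and the changelog should say so.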
@@ -4308,6 +4365,20 @@
  
  libs_read_lib_files(courier_authdaemon_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpucontrol.te serefpolicy-3.0.5/policy/modules/services/cpucontrol.te
+--- nsaserefpolicy/policy/modules/services/cpucontrol.te	2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/cpucontrol.te	2007-08-20 16:43:03.000000000 -0400
+@@ -63,6 +63,10 @@
+ ')
+ 
+ optional_policy(`
++	rhgb_use_ptys(cpucontrol_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(cpucontrol_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.0.5/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/cron.fc	2007-08-07 09:39:49.000000000 -0400
@@ -7129,7 +7200,7 @@
  	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.5/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/rpc.te	2007-08-13 07:08:48.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/rpc.te	2007-08-20 14:56:34.000000000 -0400
 @@ -59,10 +59,14 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -7140,7 +7211,7 @@
  kernel_search_network_state(rpcd_t) 
  # for rpc.rquotad
  kernel_read_sysctl(rpcd_t)  
-+kernel_read_fs_sysctls(rpcd_t)  
++kernel_rw_fs_sysctls(rpcd_t)  
 +kernel_getattr_core_if(nfsd_t)
  
  fs_list_rpc(rpcd_t)
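Review bot: `kernel_rw_fs_sysctls(rpcd_t)` upgrades read to write on every sysctl under fs.* for the whole rpcd_t domain, which hosts several rpc daemons, and the nearby `# for rpc.rquotad` comment only justifies the read. fs.* also covers knobs unrelated to NFS, such as file-max, suid_dumpable and the binfmt_misc tree, so if the write is only needed for the fs.nfs.* port and grace settings, a dedicated type for that subtree with a narrow interface would be the least-privilege fix. At minimum name the daemon and the sysctl in a comment above the line, and drop the trailing whitespace on `kernel_rw_fs_sysctls(rpcd_t)  `.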
@@ -7190,16 +7261,35 @@
  kernel_search_network_sysctl(gssd_t)	
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.5/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/rshd.te	2007-08-07 09:39:49.000000000 -0400
-@@ -45,6 +45,7 @@
++++ serefpolicy-3.0.5/policy/modules/services/rshd.te	2007-08-20 16:32:42.000000000 -0400
+@@ -11,6 +11,7 @@
+ domain_subj_id_change_exemption(rshd_t)
+ domain_role_change_exemption(rshd_t)
+ role system_r types rshd_t;
++domain_interactive_fd(rshd_t)
+ 
+ ########################################
+ #
+@@ -33,6 +34,8 @@
+ corenet_udp_sendrecv_all_ports(rshd_t)
+ corenet_tcp_bind_all_nodes(rshd_t)
+ corenet_tcp_bind_rsh_port(rshd_t)
++corenet_tcp_bind_all_rpc_ports(rshd_t)
++corenet_tcp_connect_all_rpc_ports(rshd_t)
+ corenet_sendrecv_rsh_server_packets(rshd_t)
+ 
+ dev_read_urand(rshd_t)
+@@ -44,7 +47,9 @@
+ selinux_compute_relabel_context(rshd_t)
  selinux_compute_user_contexts(rshd_t)
  
++auth_use_nsswitch(rshd_t)
  auth_domtrans_chk_passwd(rshd_t)
 +auth_domtrans_upd_passwd_chk(rshd_t)
  
  corecmd_read_bin_symlinks(rshd_t)
  
-@@ -85,6 +86,5 @@
+@@ -85,6 +90,5 @@
  ')
  
  optional_policy(`
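Review bot: `corenet_tcp_bind_all_rpc_ports(rshd_t)` and `corenet_tcp_connect_all_rpc_ports(rshd_t)` open the whole generic rpc port range (the reserved ports above 512 in this policy, as far as I recall) for both bind and outbound connect, with no comment explaining why. This is presumably the rsh stderr side channel, where rshd binds a reserved port with rresvport() and connects back to the reserved port the client named, but a reader cannot tell that from the rule, and the connect half turns rshd into an outbound client to any host; record it as `# rsh stderr channel: rresvport() bind plus connect-back to the client's reserved port`. `domain_interactive_fd(rshd_t)` is likewise uncommented; `auth_use_nsswitch(rshd_t)` needs no note since it is the standard replacement for per-service NIS/nscd rules.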
@@ -7383,7 +7473,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.5/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/samba.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/samba.te	2007-08-20 17:37:27.000000000 -0400
 @@ -190,6 +190,8 @@
  
  miscfiles_read_localization(samba_net_t) 
@@ -7443,7 +7533,40 @@
  
  optional_policy(`
  	nis_use_ypbind(smbmount_t)
-@@ -622,17 +635,20 @@
+@@ -570,15 +583,18 @@
+ # SWAT Local policy
+ #
+ 
+-allow swat_t self:capability { setuid setgid };
+-allow swat_t self:process signal_perms;
++allow swat_t self:capability { setuid setgid sys_resource net_bind_service };
++allow swat_t self:process { setrlimit signal_perms };
+ allow swat_t self:fifo_file rw_file_perms;
+ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+ allow swat_t self:tcp_socket create_stream_socket_perms;
+ allow swat_t self:udp_socket create_socket_perms;
+ allow swat_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+-allow swat_t nmbd_exec_t:file { execute read };
++can_exec(swat_t, nmbd_exec_t)
++allow swat_t nmbd_port_t:udp_socket name_bind;
++allow swat_t nmbd_t:process { signal signull };
++allow swat_t nmbd_var_run_t:file { lock read unlink };
+ 
+ rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
+ 
+@@ -597,7 +613,9 @@
+ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
+ files_pid_filetrans(swat_t,swat_var_run_t,file)
+ 
+-allow swat_t winbind_exec_t:file execute;
++can_exec(swat_t, winbind_exec_t)
++allow swat_t winbind_var_run_t:dir { write add_name remove_name };
++allow swat_t winbind_var_run_t:sock_file { create unlink };
+ 
+ kernel_read_kernel_sysctls(swat_t)
+ kernel_read_system_state(swat_t)
+@@ -622,17 +640,20 @@
  
  dev_read_urand(swat_t)
  
@@ -7464,7 +7587,32 @@
  logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
-@@ -672,7 +688,6 @@
+@@ -660,6 +681,24 @@
+ 	nscd_socket_use(swat_t)
+ ')
+ 
++	
++init_read_utmp(swat_t)
++init_dontaudit_write_utmp(swat_t)
++
++manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
++create_files_pattern(swat_t,samba_log_t,samba_log_t)
++
++manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)
++
++manage_files_pattern(swat_t,samba_var_t,samba_var_t)
++files_list_var_lib(swat_t)
++
++allow swat_t self:unix_stream_socket connectto;
++allow swat_t smbd_exec_t:file { execute_no_trans read };
++allow swat_t smbd_port_t:tcp_socket name_bind;
++allow swat_t smbd_t:process signal;
++allow swat_t smbd_var_run_t:file { lock unlink };
++
+ ########################################
+ #
+ # Winbind local policy
+@@ -672,7 +711,6 @@
  allow winbind_t self:fifo_file { read write };
  allow winbind_t self:unix_dgram_socket create_socket_perms;
  allow winbind_t self:unix_stream_socket create_stream_socket_perms;
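Review bot: The added `++	` line is a tab-only line directly after the closing `')`, and the swat_t rules that follow it sit after the optional_policy blocks and just before the Winbind section header, so they read as belonging to neither section; move this run up with the other swat rules and delete the whitespace line. `manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)` gives the web UI create, write and unlink on the samba_secrets_t file, presumably secrets.tdb where machine-account and LDAP credentials live; that is what SWAT's password pages do, but it deserves a one-line comment saying so. `init_dontaudit_write_utmp(swat_t)` hides a write attempt rather than explaining it, and a short note on which code path triggers it would help the next reader.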
@@ -7472,7 +7620,7 @@
  allow winbind_t self:tcp_socket create_stream_socket_perms;
  allow winbind_t self:udp_socket create_socket_perms;
  
-@@ -709,6 +724,8 @@
+@@ -709,6 +747,8 @@
  manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
  files_pid_filetrans(winbind_t,winbind_var_run_t,file)
  
@@ -7481,7 +7629,7 @@
  kernel_read_kernel_sysctls(winbind_t)
  kernel_list_proc(winbind_t)
  kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +750,9 @@
+@@ -733,7 +773,9 @@
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
  
@@ -7491,7 +7639,7 @@
  
  domain_use_interactive_fds(winbind_t)
  
-@@ -746,9 +765,6 @@
+@@ -746,9 +788,6 @@
  
  miscfiles_read_localization(winbind_t)
  
@@ -7501,7 +7649,7 @@
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
  userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +774,6 @@
+@@ -758,10 +797,6 @@
  ')
  
  optional_policy(`
@@ -7512,7 +7660,7 @@
  	seutil_sigchld_newrole(winbind_t)
  ')
  
-@@ -804,6 +816,7 @@
+@@ -804,6 +839,7 @@
  optional_policy(`
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
@@ -7662,8 +7810,8 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.0.5/policy/modules/services/soundserver.fc
 --- nsaserefpolicy/policy/modules/services/soundserver.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/soundserver.fc	2007-08-07 09:39:49.000000000 -0400
-@@ -1,10 +1,22 @@
++++ serefpolicy-3.0.5/policy/modules/services/soundserver.fc	2007-08-20 16:56:47.000000000 -0400
+@@ -1,10 +1,16 @@
 -/etc/nas(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
 -/etc/yiff(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
 -
@@ -7673,6 +7821,8 @@
  /usr/sbin/yiff		--	gen_context(system_u:object_r:soundd_exec_t,s0)
 -
  /var/run/yiff-[0-9]+\.pid --	gen_context(system_u:object_r:soundd_var_run_t,s0)
++/var/run/nasd(/.*)?  	gen_context(system_u:object_r:soundd_var_run_t,s0)
++
  /var/state/yiff(/.*)?		gen_context(system_u:object_r:soundd_state_t,s0)
 +
 +
@@ -7684,17 +7834,9 @@
 +#
 +
 +/usr/bin/nasd		--	gen_context(system_u:object_r:soundd_exec_t,s0)
-+
-+
-+# 
-+# /tmp
-+#
-+/tmp/\.sockets		-d	gen_context(system_u:object_r:soundd_tmp_t,s0)
-+/tmp/\.sockets/.*	-s	<<none>>
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.0.5/policy/modules/services/soundserver.if
 --- nsaserefpolicy/policy/modules/services/soundserver.if	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/soundserver.if	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/soundserver.if	2007-08-20 17:00:30.000000000 -0400
 @@ -13,3 +13,64 @@
  interface(`soundserver_tcp_connect',`
  	refpolicywarn(`$0($*) has been deprecated.')
@@ -7726,7 +7868,7 @@
 +########################################
 +## <summary>
 +##	Do not audit attempts to read, 
-+##	soundserver tmp files
++##	soundserver socket files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -7734,17 +7876,17 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`soundserver_dontaudit_read_tmp_files',`
++interface(`soundserver_dontaudit_read_socket_files',`
 +	gen_require(`
-+		type soundd_tmp_t;
++		type soundd_socket_t;
 +	')
 +
-+	dontaudit $1 soundd_tmp_t:file r_file_perms;
++	dontaudit $1 soundd_socket_t:sock_file r_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow domain to read, soundserver tmp files
++##	Allow domain to read, soundserver socket files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
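Review bot: `soundserver_dontaudit_read_socket_files` requires and targets `soundd_socket_t`, but none of the soundserver.te hunks in this patch declare such a type; they manage sock files under soundd_var_run_t and soundd_tmpfs_t only. Any module that calls this interface would then fail to link on the missing type. Unless soundd_socket_t is declared somewhere outside the visible hunks, the require and the rule should both name the type the sockets actually carry: `type soundd_var_run_t;` and `dontaudit $1 soundd_var_run_t:sock_file r_file_perms;`.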
@@ -7752,17 +7894,17 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`soundserver_read_tmp_files',`
++interface(`soundserver_read_socket_files',`
 +	gen_require(`
-+		type soundd_tmp_t;
++		type soundd_socket_t;
 +	')
 +
-+	dontaudit $1 soundd_tmp_t:file r_file_perms;
++	allow $1 soundd_var_run_t:sock_file r_file_perms;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.5/policy/modules/services/soundserver.te
 --- nsaserefpolicy/policy/modules/services/soundserver.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/soundserver.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/soundserver.te	2007-08-20 16:59:45.000000000 -0400
 @@ -1,5 +1,5 @@
  
 -policy_module(soundserver,1.3.0)
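Review bot: `soundserver_read_socket_files` requires `type soundd_socket_t;` while its only rule is on `soundd_var_run_t`, so the require neither covers the type actually used nor names one the visible .te declares; change it to `type soundd_var_run_t;`. The rule itself matches the `manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)` added to soundserver.te, so the type is right. Note also that a client wanting to connect to the daemon's socket needs `write` on the sock_file, which r_file_perms does not include, so callers of a "read socket files" interface may still be denied; check what the callers actually need before settling on the permission set.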
@@ -7780,7 +7922,7 @@
  type soundd_state_t;
  files_type(soundd_state_t)
  
-@@ -28,20 +25,34 @@
+@@ -28,20 +25,28 @@
  
  ########################################
  #
@@ -7795,12 +7937,6 @@
  allow soundd_t self:udp_socket create_socket_perms;
 +
 +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
-+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir sock_file })
-+
-+
-+# Remove /tmp/.sockets/audio$n
-+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
 +
 +allow soundd_t self:capability { dac_override };
 +
@@ -7820,6 +7956,18 @@
  manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
  manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
  
+@@ -55,8 +60,10 @@
+ manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
+ fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ 
++manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
+ manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
+-files_pid_filetrans(soundd_t,soundd_var_run_t,file)
++manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
++files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir sock_file })
+ 
+ kernel_read_kernel_sysctls(soundd_t)
+ kernel_list_proc(soundd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.5/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2007-06-11 16:05:30.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/spamassassin.fc	2007-08-07 09:39:49.000000000 -0400
@@ -8016,7 +8164,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.5/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/ssh.te	2007-08-14 20:40:43.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/ssh.te	2007-08-20 15:13:39.000000000 -0400
 @@ -24,7 +24,7 @@
  
  # Type for the ssh-agent executable.
@@ -8026,7 +8174,7 @@
  
  # ssh client executable.
  type ssh_exec_t;
-@@ -73,6 +73,8 @@
+@@ -73,8 +73,12 @@
  manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
  files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
  
@@ -8034,8 +8182,12 @@
 +
  kernel_search_key(sshd_t)
  kernel_link_key(sshd_t)
++# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
++kernel_write_proc_files(sshd_t)
  
-@@ -100,6 +102,11 @@
+ # for X forwarding
+ corenet_tcp_bind_xserver_port(sshd_t)
+@@ -100,6 +104,11 @@
  	userdom_use_unpriv_users_ptys(sshd_t)
  ')
  
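Review bot: `kernel_write_proc_files(sshd_t)` grants write on every proc_t file, not just the AFS control node the linked bug is about; proc_t is the fallback label for anything under /proc without a more specific genfscon, so this reaches well beyond the afs_ioctl node that pam_afs_session presumably writes. A tighter fix is a dedicated type for the AFS proc path, e.g. `genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)`, with a small interface granting only that, or at least gating this line behind an optional_policy/boolean for AFS hosts. The comment should also say what is written (`# pam_afs_session issues the AFS ioctl through /proc/fs/openafs/afs_ioctl`, if that is confirmed) rather than only citing the bug number. The `# for X forwarding` context shows the sshd rules continue outside this hunk.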
@@ -8047,7 +8199,7 @@
  optional_policy(`
  	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
-@@ -119,7 +126,12 @@
+@@ -119,7 +128,12 @@
  ')
  
  optional_policy(`
@@ -8103,15 +8255,18 @@
 +miscfiles_read_certs(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.5/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/xserver.fc	2007-08-07 09:39:49.000000000 -0400
-@@ -92,6 +92,7 @@
++++ serefpolicy-3.0.5/policy/modules/services/xserver.fc	2007-08-20 16:46:34.000000000 -0400
+@@ -92,8 +92,10 @@
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
  
 +/var/run/gdm_socket	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
  
+ ifdef(`distro_suse',`
+ /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.5/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/xserver.if	2007-08-18 06:25:18.000000000 -0400
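Review bot: `/var/run/xauth(/.*)?` is labeled with the generic xdm_var_run_t, the same type as the gdm pid file and control socket, with no comment saying what lives there. If, as the name suggests, it holds X authority cookie files for display-manager sessions, every domain allowed to read xdm_var_run_t gains access to those cookies, which a dedicated type would avoid. Confirm what writes the directory and add `# X authority files created by the display manager`, or a more accurate description, above the entry.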
@@ -8409,7 +8564,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.5/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/xserver.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/xserver.te	2007-08-20 16:48:25.000000000 -0400
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -8495,6 +8650,15 @@
  
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
+@@ -385,7 +400,7 @@
+ allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+ dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+ 
+-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
++read_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
+ 
+ # Label pid and temporary files with derived types.
+ manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
 @@ -425,6 +440,10 @@
  ')
  
@@ -8607,7 +8771,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.5/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/authlogin.if	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/authlogin.if	2007-08-20 15:21:45.000000000 -0400
 @@ -26,7 +26,8 @@
  	type $1_chkpwd_t, can_read_shadow_passwords;
  	application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -9759,7 +9923,7 @@
 +/var/cache/ldconfig(/.*)?			    	gen_context(system_u:object_r:ld_so_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.5/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/libraries.te	2007-08-13 07:20:30.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/libraries.te	2007-08-20 17:12:36.000000000 -0400
 @@ -44,9 +44,9 @@
  # ldconfig local policy
  #
@@ -9772,15 +9936,19 @@
  files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
  
  manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
-@@ -62,6 +62,7 @@
+@@ -60,8 +60,11 @@
+ 
+ fs_getattr_xattr_fs(ldconfig_t)
  
++corecmd_search_bin(ldconfig_t)
++
  domain_use_interactive_fds(ldconfig_t)
  
 +files_search_home(ldconfig_t)
  files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_search_tmp(ldconfig_t)
-@@ -96,4 +97,11 @@
+@@ -96,4 +99,11 @@
  	# and executes ldconfig on it.  If you dont allow this kernel installs 
  	# blow up.
  	rpm_manage_script_tmp_files(ldconfig_t)
@@ -10819,7 +10987,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.5/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.te	2007-08-15 06:15:41.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.te	2007-08-20 16:44:46.000000000 -0400
 @@ -76,7 +76,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -10828,18 +10996,19 @@
  
  type restorecond_var_run_t;
  files_pid_file(restorecond_var_run_t)
-@@ -94,6 +93,10 @@
+@@ -94,6 +93,11 @@
  application_domain(semanage_t,semanage_exec_t)
  role system_r types semanage_t;
  
 +type setsebool_exec_t;
 +init_system_domain(semanage_t, setsebool_exec_t)
 +domain_interactive_fd(semanage_t)
++init_use_fds(semanage_t)
 +
  type semanage_store_t;
  files_type(semanage_store_t)
  
-@@ -173,6 +176,7 @@
+@@ -173,6 +177,7 @@
  fs_getattr_xattr_fs(load_policy_t)
  
  mls_file_read_up(load_policy_t)
@@ -10847,7 +11016,7 @@
  
  selinux_get_fs_mount(load_policy_t)
  selinux_load_policy(load_policy_t)
-@@ -195,7 +199,7 @@
+@@ -195,7 +200,7 @@
  	# cjp: cover up stray file descriptors.
  	dontaudit load_policy_t selinux_config_t:file write;
  	optional_policy(`
@@ -10856,7 +11025,7 @@
  	')
  ')
  
-@@ -216,7 +220,7 @@
+@@ -216,7 +221,7 @@
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -10865,7 +11034,7 @@
  
  read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
  read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-@@ -254,7 +258,9 @@
+@@ -254,7 +259,9 @@
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
  auth_domtrans_chk_passwd(newrole_t)
@@ -10875,7 +11044,7 @@
  
  corecmd_list_bin(newrole_t)
  corecmd_read_bin_symlinks(newrole_t)
-@@ -274,6 +280,7 @@
+@@ -274,6 +281,7 @@
  libs_use_ld_so(newrole_t)
  libs_use_shared_libs(newrole_t)
  
@@ -10883,7 +11052,7 @@
  logging_send_syslog_msg(newrole_t)
  
  miscfiles_read_localization(newrole_t)
-@@ -362,7 +369,7 @@
+@@ -362,7 +370,7 @@
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -10892,7 +11061,7 @@
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -376,6 +383,7 @@
+@@ -376,6 +384,7 @@
  term_dontaudit_list_ptys(run_init_t)
  
  auth_domtrans_chk_passwd(run_init_t)
@@ -10900,7 +11069,7 @@
  auth_dontaudit_read_shadow(run_init_t)
  
  corecmd_exec_bin(run_init_t)
-@@ -432,7 +440,7 @@
+@@ -432,7 +441,7 @@
  allow semanage_t self:capability { dac_override audit_write };
  allow semanage_t self:unix_stream_socket create_stream_socket_perms;
  allow semanage_t self:unix_dgram_socket create_socket_perms;
@@ -10909,7 +11078,7 @@
  
  allow semanage_t policy_config_t:file { read write };
  
-@@ -443,7 +451,10 @@
+@@ -443,7 +452,10 @@
  kernel_read_system_state(semanage_t)
  kernel_read_kernel_sysctls(semanage_t)
  
@@ -10920,7 +11089,7 @@
  
  dev_read_urand(semanage_t)
  
-@@ -467,6 +478,8 @@
+@@ -467,6 +479,8 @@
  
  # Running genhomedircon requires this for finding all users
  auth_use_nsswitch(semanage_t)
@@ -10929,7 +11098,7 @@
  
  libs_use_ld_so(semanage_t)
  libs_use_shared_libs(semanage_t)
-@@ -490,6 +503,17 @@
+@@ -490,6 +504,17 @@
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
@@ -10947,7 +11116,7 @@
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -517,6 +541,8 @@
+@@ -517,6 +542,8 @@
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
  
@@ -10956,7 +11125,7 @@
  kernel_read_system_state(setfiles_t)
  kernel_relabelfrom_unlabeled_dirs(setfiles_t)
  kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -533,6 +559,7 @@
+@@ -533,6 +560,7 @@
  
  fs_getattr_xattr_fs(setfiles_t)
  fs_list_all(setfiles_t)
@@ -10964,7 +11133,7 @@
  fs_search_auto_mountpoints(setfiles_t)
  fs_relabelfrom_noxattr_fs(setfiles_t)
  
-@@ -588,6 +615,10 @@
+@@ -588,6 +616,10 @@
  
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
@@ -11331,7 +11500,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.5/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/unconfined.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/unconfined.te	2007-08-20 16:24:34.000000000 -0400
 @@ -5,28 +5,36 @@
  #
  # Declarations
@@ -11430,20 +11599,21 @@
  ')
  
  optional_policy(`
-@@ -118,11 +120,7 @@
+@@ -118,11 +120,11 @@
  ')
  
  optional_policy(`
 -	inn_domtrans(unconfined_t)
--')
--
--optional_policy(`
++	iptables_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
+ 
+ optional_policy(`
 -	java_domtrans(unconfined_t)
 +	java_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
-@@ -134,11 +132,7 @@
+@@ -134,11 +136,7 @@
  ')
  
  optional_policy(`
@@ -11456,7 +11626,7 @@
  ')
  
  optional_policy(`
-@@ -155,22 +149,12 @@
+@@ -155,22 +153,12 @@
  
  optional_policy(`
  	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -11481,7 +11651,7 @@
  ')
  
  optional_policy(`
-@@ -180,10 +164,6 @@
+@@ -180,10 +168,6 @@
  ')
  
  optional_policy(`
@@ -11492,7 +11662,7 @@
  	sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  	sysnet_dbus_chat_dhcpc(unconfined_t)
  ')
-@@ -205,11 +185,12 @@
+@@ -205,11 +189,12 @@
  ')
  
  optional_policy(`
@@ -11506,7 +11676,7 @@
  ')
  
  ########################################
-@@ -227,6 +208,17 @@
+@@ -227,6 +212,17 @@
  	unconfined_dbus_chat(unconfined_execmem_t)
  
  	optional_policy(`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.498
retrieving revision 1.499
diff -u -r1.498 -r1.499
--- selinux-policy.spec	18 Aug 2007 11:54:11 -0000	1.498
+++ selinux-policy.spec	20 Aug 2007 21:43:05 -0000	1.499
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.5
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,9 @@
 %endif
 
 %changelog
+* Sat Aug 18 2007 Dan Walsh <dwalsh at redhat.com> 3.0.5-9
+- Allow sshd to write to proc_t for afs login
+
 * Sat Aug 18 2007 Dan Walsh <dwalsh at redhat.com> 3.0.5-8
 - Allow xserver access to urand
 



