From 25d81d265525f8ce80946ca48c76c59196511ade Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Mon, 29 Mar 2010 14:30:52 -0400
Subject: [PATCH] Tor patch from Dan Walsh.

---
 policy/modules/services/tor.fc |  3 +++
 policy/modules/services/tor.te | 15 ++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
index 4e786ae6e..e2e06b286 100644
--- a/policy/modules/services/tor.fc
+++ b/policy/modules/services/tor.fc
@@ -5,5 +5,8 @@
 /usr/sbin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
 
 /var/lib/tor(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
+/var/lib/tor-data(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
+
 /var/log/tor(/.*)?		gen_context(system_u:object_r:tor_var_log_t,s0)
+
 /var/run/tor(/.*)?		gen_context(system_u:object_r:tor_var_run_t,s0)
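Review bot: The new `/var/lib/tor-data(/.*)?` entry has no comment saying which packaging or configuration uses that directory, so a later reader cannot tell whether this second tree still needs `tor_var_lib_t`. A file-context entry also only takes effect on relabel, so a `tor-data` tree that already exists presumably keeps its old label until it is relabelled. I would add a line above the entry such as `# alternate Tor data directory; relabel existing trees (restorecon -R) after loading this policy`.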
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index a5415aa47..0dbc80b35 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -1,11 +1,19 @@
 
-policy_module(tor, 1.6.0)
+policy_module(tor, 1.6.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow tor daemon to bind
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(tor_bind_all_unreserved_ports, false)
+
 type tor_t;
 type tor_exec_t;
 init_daemon_domain(tor_t, tor_exec_t)
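Review bot: The `<desc>` block for `tor_bind_all_unreserved_ports` states what the boolean permits but not what it costs, which is what an administrator needs to know before switching it on. With the tunable on, `tor_t` is no longer limited to the ports labelled for Tor and can presumably listen on unreserved ports that carry another service's port type. I would extend the description with something like `## Disabled by default. Enable only when Tor is configured to listen on` / `## a port that is not labelled for Tor; it lets the daemon bind any unreserved TCP port.` The version bump in the same hunk needs no comment.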
@@ -89,11 +97,16 @@ domain_use_interactive_fds(tor_t)
 
 files_read_etc_files(tor_t)
 files_read_etc_runtime_files(tor_t)
+files_read_usr_files(tor_t)
 
 auth_use_nsswitch(tor_t)
 
 miscfiles_read_localization(tor_t)
 
+tunable_policy(`tor_bind_all_unreserved_ports', `
+	corenet_tcp_bind_all_unreserved_ports(tor_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(tor_t)
 ')
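Review bot: The `files_read_usr_files(tor_t)` line added after `files_read_etc_runtime_files(tor_t)` is unconditional, and neither the commit message nor the policy says which files under /usr the daemon needs. For a network-facing domain, each broad read grant should carry its reason so it can be narrowed or dropped later. A comment such as `# tor reads <data files under /usr> at startup - TODO confirm which` would do. The `tunable_policy` block below it is correctly gated and grants only the TCP bind, which matches the boolean's description. If the denial that motivated the read grant is known, citing it in the commit message would help whoever audits this module next.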