From adea587572af105d1fbec32be5ca8c0a5caa20d2 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 20 Jul 2009 11:34:46 -0400
Subject: [PATCH] 4 patches from dan.
---
 policy/modules/admin/kismet.te | 34 ++++++++++++++++++++++++-------
 policy/modules/admin/logrotate.te | 6 +++++-
 policy/modules/admin/logwatch.te | 7 ++++++-
 policy/modules/admin/prelink.fc | 2 ++
 policy/modules/admin/prelink.if | 20 ++++++++++++++++++
 policy/modules/admin/prelink.te | 23 ++++++++++++++++-----
 6 files changed, 78 insertions(+), 14 deletions(-)
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 4d81aae43..c346f74aa 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -1,5 +1,5 @@
-policy_module(kismet, 1.2.0)
+policy_module(kismet, 1.2.1)
 ########################################
 # 
@@ -11,30 +11,39 @@ type kismet_exec_t;
 application_domain(kismet_t, kismet_exec_t)
 role system_r types kismet_t;
-type kismet_var_run_t;
-files_pid_file(kismet_var_run_t)
+type kismet_log_t;
+logging_log_file(kismet_log_t)
+
+type kismet_tmp_t;
+files_tmp_file(kismet_tmp_t)
 type kismet_var_lib_t;
 files_type(kismet_var_lib_t)
-type kismet_log_t;
-logging_log_file(kismet_log_t)
+type kismet_var_run_t;
+files_pid_file(kismet_var_run_t)
 ########################################
 #
 # kismet local policy
 #
-allow kismet_t self:capability { net_admin net_raw setuid setgid };
+allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:process signal_perms;
 allow kismet_t self:fifo_file rw_file_perms;
 allow kismet_t self:packet_socket create_socket_perms;
-allow kismet_t self:unix_dgram_socket create_socket_perms;
+allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
 allow kismet_t self:unix_stream_socket create_stream_socket_perms;
+allow kismet_t self:tcp_socket create_stream_socket_perms;
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
 allow kismet_t kismet_log_t:dir setattr;
 logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
+manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
+
 allow kismet_t kismet_var_lib_t:file manage_file_perms;
 allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
 files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
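Review bot: The rewritten rule `allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };` adds dac_override and kill without saying which operation needs them, and nothing else in the hunk explains either: the only signal rule is `allow kismet_t self:process signal_perms;`, which does not require CAP_KILL, and the log, tmp and var_lib files kismet creates through the filetrans rules here are its own, so DAC override should not be needed to reach them. If the two capabilities came from AVC denials on files owned by another user, correcting ownership (or a dontaudit) is the narrower response. A one-line comment above the rule, such as `# dac_override, kill: needed for <fill in the operation>`, would let the grant be re-evaluated later.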
@@ -47,9 +56,20 @@ kernel_search_debugfs(kismet_t)
 corecmd_exec_bin(kismet_t)
+corenet_all_recvfrom_unlabeled(kismet_t)
+corenet_all_recvfrom_netlabel(kismet_t)
+corenet_tcp_sendrecv_generic_if(kismet_t)
+corenet_tcp_sendrecv_generic_node(kismet_t)
+corenet_tcp_sendrecv_all_ports(kismet_t)
+corenet_tcp_bind_generic_node(kismet_t)
+corenet_tcp_bind_kismet_port(kismet_t)
+corenet_tcp_connect_kismet_port(kismet_t)
+corenet_tcp_connect_pulseaudio_port(kismet_t)
+
 auth_use_nsswitch(kismet_t)
 files_read_etc_files(kismet_t)
+files_read_usr_files(kismet_t)
 miscfiles_read_localization(kismet_t)
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 402cb7f2e..0a7f8d4f5 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
-policy_module(logrotate, 1.11.0)
+policy_module(logrotate, 1.11.1)
 ########################################
 #
@@ -189,3 +189,7 @@ optional_policy(`
 optional_policy(`
 squid_domtrans(logrotate_t)
 ')
+
+optional_policy(`
+ varnishd_manage_log(logrotate_t)
+')
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index ade2bb02c..945673201 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch, 1.9.1)
+policy_module(logwatch, 1.9.2)
 #################################
 #
@@ -96,6 +96,11 @@ userdom_dontaudit_search_user_home_dirs(logwatch_t)
 mta_send_mail(logwatch_t)
+ifdef(`distro_redhat',`
+ files_search_all(logwatch_t)
+ files_getattr_all_file_type_fs(logwatch_t)
+')
+
 optional_policy(`
 apache_read_log(logwatch_t)
 ')
diff --git a/policy/modules/admin/prelink.fc b/policy/modules/admin/prelink.fc
index 7d2b81b21..0c1055d70 100644
--- a/policy/modules/admin/prelink.fc
+++ b/policy/modules/admin/prelink.fc
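Review bot: `corenet_tcp_bind_kismet_port(kismet_t)` together with `corenet_tcp_connect_kismet_port(kismet_t)` puts the kismet client and server in one domain, and `corenet_tcp_connect_pulseaudio_port(kismet_t)` gives a system_r daemon a path to a user's sound server; neither is explained anywhere in the hunk. A short comment above the corenet block, e.g. `# client connects to the local server; pulseaudio for audible alerts` (my reading of the purpose — confirm), would record the reason. If the pulseaudio connection is only used by the client side, consider gating it with a tunable_policy block so a server-only install is not granted it. kismet.te continues past this hunk, so later optional_policy blocks may already cover part of this.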
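Review bot: `files_search_all(logwatch_t)` and `files_getattr_all_file_type_fs(logwatch_t)` inside the new `ifdef(`distro_redhat',`` block grant directory search across every file_type directory and getattr on every file-type filesystem, far wider than the per-service log reads the rest of logwatch's policy is built from, and the hunk gives no hint what the Red Hat logwatch does that needs it. If it is a specific directory walk (a disk-usage or file-listing report, say — a guess), a comment above the ifdef such as `# RHEL logwatch runs the <fill in> report, which walks all directories` would let the grant be narrowed later. If that report's output is not actually wanted, a dontaudit of the search denials is the safer fallback.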
@@ -5,3 +5,5 @@
 /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
 /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 38d22ad6e..7abf956bb 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -120,3 +120,23 @@ interface(`prelink_manage_log',`
 logging_search_logs($1)
 manage_files_pattern($1, prelink_log_t, prelink_log_t)
 ')
+
+########################################
+##
+## Create, read, write, and delete
+## prelink var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelink_manage_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index 31f3e14a5..9113295c5 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink, 1.6.0)
+policy_module(prelink, 1.6.1)
 ########################################
 #
@@ -21,12 +21,15 @@ logging_log_file(prelink_log_t)
 type prelink_tmp_t;
 files_tmp_file(prelink_tmp_t)
+type prelink_var_lib_t;
+files_tmp_file(prelink_var_lib_t)
+
 ########################################
 #
 # Local policy
 #
-allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
 allow prelink_t self:process { execheap execmem execstack signal };
 allow prelink_t self:fifo_file rw_fifo_file_perms;
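Review bot: `files_tmp_file(prelink_var_lib_t)` declares the new /var/lib/misc state type with the tmp-file attribute, which reads like a copy of the prelink_tmp_t declaration two lines above; kismet_var_lib_t in the same commit is declared with `files_type(kismet_var_lib_t)`, and the prelink.fc hunk places this type under /var/lib/misc. With the tmpfile attribute, every domain granted access to all tmp files (tmp cleaners and the tmp-reaping interfaces) can also remove or relabel prelink's persistent cache, which is not what a var_lib type should allow. The fix is the one-line change `files_type(prelink_var_lib_t)`. The added `sys_resource` capability on the next rule is likewise uncommented; a note on which limit prelink raises would help.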
@@ -40,17 +43,20 @@ append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
 read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
 logging_log_filetrans(prelink_t, prelink_log_t, file)
-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
 files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
 fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
+manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+files_search_var_lib(prelink_t)
+
 # prelink misc objects that are not system
 # libraries or entrypoints
 allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
 kernel_read_system_state(prelink_t)
-kernel_dontaudit_search_kernel_sysctl(prelink_t)
-kernel_dontaudit_search_sysctl(prelink_t)
+kernel_read_kernel_sysctls(prelink_t)
 corecmd_manage_all_executables(prelink_t)
 corecmd_relabel_all_executables(prelink_t)
@@ -65,6 +71,9 @@ files_write_non_security_dirs(prelink_t)
 files_read_etc_files(prelink_t)
 files_read_etc_runtime_files(prelink_t)
 files_dontaudit_read_all_symlinks(prelink_t)
+files_manage_usr_files(prelink_t)
+files_manage_var_files(prelink_t)
+files_relabelfrom_usr_files(prelink_t)
 fs_getattr_xattr_fs(prelink_t)
@@ -88,3 +97,7 @@ optional_policy(`
 optional_policy(`
 cron_system_entry(prelink_t, prelink_exec_t)
 ')
+
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
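Review bot: Adding `execmod` in `allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };` permits mapping a writable tmp file executable with text relocations, and replacing the two `kernel_dontaudit_search_*sysctl` lines with `kernel_read_kernel_sysctls(prelink_t)` turns a silenced lookup into a read of all kernel sysctls; neither change says why. If prelink verifies a relinked copy by running it out of tmp and reads one particular sysctl to decide about address randomisation (my guess — confirm), a comment on each rule naming that would justify the widening, e.g. `# prelink executes the relinked copy from tmp to verify it` and `# reads <sysctl name — fill in>`. If only the audit noise was the problem, the two dontaudit rules were the narrower fix.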
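Review bot: `files_manage_usr_files(prelink_t)` and `files_manage_var_files(prelink_t)` grant create, write and delete on every generic usr_t and var_t file, and `files_relabelfrom_usr_files(prelink_t)` next to the existing `corecmd_relabel_all_executables(prelink_t)` in the hunk above lets prelink_t relabel any generic file under /usr into an executable type. The domain already manages all executables through corecmd, so the extra breadth is presumably for libraries or binaries mislabeled as plain usr_t/var_t; if so, fixing the file contexts is preferable to a standing grant. At minimum a comment above the three rules should state what they are for.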
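Review bot: `unconfined_domain(prelink_t)` inside the new `optional_policy` block makes every rule in this file moot whenever the unconfined module is loaded, which appears to be the configuration the distro_redhat ifdefs elsewhere in this patch target; a domain that rewrites every executable and library on the system, already holding execmem/execheap/execstack, then runs with no mandatory access control at all. The preceding hunks add the specific grants prelink needs, so the unconfined attribute looks like a fallback rather than a requirement. If it must stay, gate it behind a tunable_policy block and add a comment stating what still fails under the confined rules; otherwise drop the block and rely on the targeted grants.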