From 0d738c28cfeaa587ffe64db504f51a9279c27925 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Nov 04 2016 11:22:28 +0000
Subject: Allow abrt_dump_oops_t to drop capabilities. bz(1391040)


---

diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c402de5..7f21e55 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..a308065 100644
+index eb50f07..3a70d84 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -1071,7 +1071,7 @@ index eb50f07..a308065 100644
 -allow abrt_dump_oops_t self:capability dac_override;
 +allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid };
 +allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };
-+allow abrt_dump_oops_t self:process setfscreate;
++allow abrt_dump_oops_t self:process {setfscreate setcap};
  allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
 -allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
 +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
@@ -39922,14 +39922,14 @@ index ca020fa..d546e07 100644
 +	kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
 +')
 diff --git a/isns.te b/isns.te
-index bc11034..20a7f39 100644
+index bc11034..3cda6e9 100644
 --- a/isns.te
 +++ b/isns.te
 @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
  allow isnsd_t self:capability kill;
  allow isnsd_t self:process signal;
  allow isnsd_t self:fifo_file rw_fifo_file_perms;
-+allow isnsd_t self:tcp_socket { listen };
++allow isnsd_t self:tcp_socket { listen accept };
  allow isnsd_t self:udp_socket { accept listen };
  allow isnsd_t self:unix_stream_socket { accept listen };