From 6605b9869d386dec08cb84d62ae7c827a114a0a6 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 18 2013 15:01:29 +0000 Subject: Make realmd+IPA working --- diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 636ef2c..932a185 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -7316,10 +7316,10 @@ index 0000000..98ab9ed +') diff --git a/authconfig.te b/authconfig.te new file mode 100644 -index 0000000..340b755 +index 0000000..d4eb297 --- /dev/null +++ b/authconfig.te -@@ -0,0 +1,32 @@ +@@ -0,0 +1,33 @@ +policy_module(authconfig, 1.0.0) + +######################################## @@ -7330,6 +7330,7 @@ index 0000000..340b755 +type authconfig_t; +type authconfig_exec_t; +application_domain(authconfig_t, authconfig_exec_t) ++role system_r types authconfig_t; + +type authconfig_var_lib_t; +files_type(authconfig_var_lib_t) @@ -11571,7 +11572,7 @@ index 973d208..2b650a7 100644 /var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) diff --git a/cobbler.if b/cobbler.if -index c223f81..b2efe4b 100644 +index c223f81..83d5104 100644 --- a/cobbler.if +++ b/cobbler.if @@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',` @@ -11611,6 +11612,14 @@ index c223f81..b2efe4b 100644 ') ######################################## +@@ -199,7 +222,4 @@ interface(`cobbler_admin',` + + logging_search_logs($1) + admin_pattern($1, cobbler_var_log_t) +- +- apache_search_sys_content($1) +- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) + ') diff --git a/cobbler.te b/cobbler.te index 2a71346..bf24fca 100644 --- a/cobbler.te @@ -20963,7 +20972,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..d16e5e8 100644 +index a7bfaf0..93e583c 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ 
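Review bot: The new `role system_r types authconfig_t;` line in authconfig.te sits directly under `application_domain(authconfig_t, authconfig_exec_t)` with nothing saying which system_r caller needs the role, so a later cleanup could drop it as redundant. The commit subject suggests realmd is that caller; a comment such as `# entered from system_r (realmd) — confirm caller` above the line would record that. The rest of authconfig.te is outside the hunk, so whether a run/domtrans interface elsewhere already supplies the role cannot be checked here.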
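Review bot: Removing `apache_search_sys_content($1)` and the `admin_pattern` over the `httpd_cobbler_content_*` types from `cobbler_admin` leaves that interface's `gen_require` block, which starts above this hunk, possibly still requiring those three types. If the types are no longer declared in cobbler.te — the likely reason for the removal, though the hunk does not show it — a stale require makes every caller of `cobbler_admin` fail to link, or silently disables the block when the call sits inside `optional_policy`; if they are still declared it is only dead text. The `gen_require` lines should be checked in the same change.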
@@ -21150,7 +21159,7 @@ index a7bfaf0..d16e5e8 100644 init_getattr_utmp(dovecot_t) -@@ -166,36 +160,29 @@ auth_use_nsswitch(dovecot_t) +@@ -166,44 +160,42 @@ auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) @@ -21163,12 +21172,6 @@ index a7bfaf0..d16e5e8 100644 - fs_manage_nfs_files(dovecot_t) - fs_manage_nfs_symlinks(dovecot_t) -') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(dovecot_t) -- fs_manage_cifs_files(dovecot_t) -- fs_manage_cifs_symlinks(dovecot_t) --') +userdom_home_manager(dovecot_t) +userdom_dontaudit_use_unpriv_user_fds(dovecot_t) +userdom_manage_user_home_content_dirs(dovecot_t) @@ -21178,12 +21181,20 @@ index a7bfaf0..d16e5e8 100644 +userdom_manage_user_home_content_sockets(dovecot_t) +userdom_filetrans_home_content(dovecot_t) +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(dovecot_t) +- fs_manage_cifs_files(dovecot_t) +- fs_manage_cifs_symlinks(dovecot_t) ++optional_policy(` ++ mta_manage_home_rw(dovecot_t) ++ mta_manage_spool(dovecot_t) + ') + optional_policy(` -- kerberos_keytab_template(dovecot, dovecot_t) + kerberos_keytab_template(dovecot, dovecot_t) - kerberos_manage_host_rcache(dovecot_t) - kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0") -+ mta_manage_home_rw(dovecot_t) -+ mta_manage_spool(dovecot_t) ++ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0") ') optional_policy(` 
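Review bot: The rewritten kerberos block keeps `kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")` but drops `kerberos_manage_host_rcache(dovecot_t)`, so dovecot is given a type transition into the host rcache type with no visible rule letting it create or write the resulting file. That is only correct if the two-argument `kerberos_tmp_filetrans_host_rcache` in this patch's own kerberos.if (not in view) also grants the manage permissions; the upstream line removed here takes three arguments, so the Fedora signature should be confirmed at the same time. Keeping `kerberos_keytab_template(dovecot, dovecot_t)` with the `dovecot` prefix, rather than the old `dovecot_t`, looks right.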
@@ -21191,24 +21202,22 @@ index a7bfaf0..d16e5e8 100644 - mta_manage_mail_home_rw_content(dovecot_t) - mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir") - mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") -+ kerberos_keytab_template(dovecot_t, dovecot_t) -+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0") ++ gnome_manage_data(dovecot_t) ') optional_policy(` - postgresql_stream_connect(dovecot_t) -+ gnome_manage_data(dovecot_t) ++ postfix_manage_private_sockets(dovecot_t) ++ postfix_search_spool(dovecot_t) ') optional_policy(` -@@ -204,6 +191,11 @@ optional_policy(` +- postfix_manage_private_sockets(dovecot_t) +- postfix_search_spool(dovecot_t) ++ postgresql_stream_connect(dovecot_t) ') optional_policy(` -+ postgresql_stream_connect(dovecot_t) -+') -+ -+optional_policy(` + # Handle sieve scripts sendmail_domtrans(dovecot_t) ') @@ -31523,17 +31532,16 @@ index 3465a9a..353c4ce 100644 sysnet_dns_name_resolve(kpropd_t) diff --git a/kerneloops.if b/kerneloops.if -index 714448f..656a998 100644 +index 714448f..fa0c994 100644 --- a/kerneloops.if +++ b/kerneloops.if -@@ -101,13 +101,17 @@ interface(`kerneloops_manage_tmp_files',` +@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',` # interface(`kerneloops_admin',` gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t; - type kerneloops_tmp_t; + type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; -+ type kerneloops_initrc_exec_t; ') - allow $1 kerneloops_t:process { ptrace signal_perms }; @@ -32005,7 +32013,7 @@ index e736c45..4b1e1e4 100644 /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/ksmtuned.if b/ksmtuned.if -index c530214..a3984cb 100644 +index c530214..eadf7e0 100644 --- a/ksmtuned.if +++ b/ksmtuned.if @@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',` 
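Review bot: `gnome_manage_data(dovecot_t)` hands a network-facing mail daemon manage access over users' GNOME data-home content, with no comment on which dovecot access pattern needs it; presumably mailbox storage below a user's data directory, but nothing in the hunk shows that. A short justification beside the call, e.g. `# mailboxes kept under users' data home — confirm`, or a narrower gnome interface if only lookup is required, would make the grant reviewable later. The other lines in this hunk only reorder the postfix and postgresql `optional_policy` blocks.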
@@ -32038,13 +32046,14 @@ index c530214..a3984cb 100644 ######################################## ## ## All of the rules required to -@@ -57,21 +80,25 @@ interface(`ksmtuned_initrc_domtrans',` +@@ -57,21 +80,26 @@ interface(`ksmtuned_initrc_domtrans',` # interface(`ksmtuned_admin',` gen_require(` - type ksmtuned_t, ksmtuned_var_run_t; - type ksmtuned_initrc_exec_t, ksmtuned_log_t; + type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t; ++ type ksmtuned_log_t; ') - ksmtuned_initrc_domtrans($1) @@ -74532,7 +74541,7 @@ index d14b6bf..da5d41d 100644 +/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) diff --git a/sendmail.if b/sendmail.if -index 88e753f..e25aecc 100644 +index 88e753f..133d993 100644 --- a/sendmail.if +++ b/sendmail.if @@ -1,4 +1,4 @@ 
@@ -74714,73 +74723,79 @@ index 88e753f..e25aecc 100644 ## ## ## -@@ -299,18 +281,13 @@ interface(`sendmail_domtrans_unconfined',` - ') +@@ -285,58 +267,27 @@ interface(`sendmail_manage_tmp_files',` - mta_sendmail_domtrans($1, unconfined_sendmail_t) + ######################################## + ## +-## Execute sendmail in the unconfined sendmail domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`sendmail_domtrans_unconfined',` +- gen_require(` +- type unconfined_sendmail_t; +- ') +- +- mta_sendmail_domtrans($1, unconfined_sendmail_t) - - allow unconfined_sendmail_t $1:fd use; - allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms; - allow unconfined_sendmail_t $1:process sigchld; - ') - - ######################################## - ## +-') +- +-######################################## +-## -## Execute sendmail in the unconfined -## sendmail domain, and allow the -## specified role the unconfined -## sendmail domain. -+## Execute sendmail in the unconfined sendmail domain, and -+## allow the specified role the unconfined sendmail domain, -+## and use the caller's terminal. ++## Set the attributes of sendmail pid files. ## ## ## -@@ -326,17 +303,36 @@ interface(`sendmail_domtrans_unconfined',` +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## # - interface(`sendmail_run_unconfined',` +-interface(`sendmail_run_unconfined',` ++interface(`sendmail_setattr_pid_files',` gen_require(` - attribute_role sendmail_unconfined_roles; -+ type unconfined_sendmail_t; ++ type sendmail_var_run_t; ') - sendmail_domtrans_unconfined($1) +- sendmail_domtrans_unconfined($1) - roleattribute $2 sendmail_unconfined_roles; -+ role $2 types unconfined_sendmail_t; ++ allow $1 sendmail_var_run_t:file setattr_file_perms; ++ files_search_pids($1) ') ######################################## ## -## All of the rules required to -## administrate an sendmail environment. 
-+## Set the attributes of sendmail pid files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sendmail_setattr_pid_files',` -+ gen_require(` -+ type sendmail_var_run_t; -+ ') -+ -+ allow $1 sendmail_var_run_t:file setattr_file_perms; -+ files_search_pids($1) -+') -+ -+######################################## -+## +## All of the rules required to administrate +## an sendmail environment ## ## ## -@@ -354,12 +350,20 @@ interface(`sendmail_admin',` +@@ -353,13 +304,17 @@ interface(`sendmail_run_unconfined',` + interface(`sendmail_admin',` gen_require(` type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; - type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; +- type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; ++ type sendmail_tmp_t, sendmail_var_run_t; + type mail_spool_t; ') @@ -74790,18 +74805,14 @@ index 88e753f..e25aecc 100644 + ps_process_pattern($1, sendmail_t) + tunable_policy(`deny_ptrace',`',` + allow $1 sendmail_t:process ptrace; -+ allow $1 unconfined_sendmail_t:process ptrace; + ') - init_labeled_script_domtrans($1, sendmail_initrc_exec_t) -+ allow $1 unconfined_sendmail_t:process signal_perms; -+ ps_process_pattern($1, unconfined_sendmail_t) -+ + sendmail_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 sendmail_initrc_exec_t system_r; -@@ -372,6 +376,6 @@ interface(`sendmail_admin',` +@@ -372,6 +327,6 @@ interface(`sendmail_admin',` files_list_pids($1) admin_pattern($1, sendmail_var_run_t) @@ -84899,7 +84910,7 @@ index c30da4c..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..a202ead 100644 +index 9dec06c..cd873d3 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ 
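Review bot: This hunk deletes the public interfaces `sendmail_domtrans_unconfined` and `sendmail_run_unconfined` from sendmail.if, and the following hunk `@@ -74790,18 +74805,14 @@` strips `unconfined_sendmail_t` out of `sendmail_admin`, yet neither the subject `Make realmd+IPA working` nor the changelog line mentions sendmail. Any module in the contrib patch that still calls either interface will fail at build time; presumably `unconfined_sendmail_t` itself is removed from sendmail.te in a part of the patch not shown here, which would explain the cleanup. A commit-message line naming that reason, or deprecated stubs left for external callers, would make the intent explicit. The new `sendmail_setattr_pid_files` interface itself is narrow and fine as written.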
@@ -86042,7 +86053,7 @@ index 9dec06c..a202ead 100644 - type virt_log_t; + type virtd_t, virtd_initrc_exec_t; + attribute virt_domain; -+ type virt_lxc_t; ++ type virtd_lxc_t; + type virtd_unit_file_t; ') @@ -86052,11 +86063,11 @@ index 9dec06c..a202ead 100644 + ps_process_pattern($1, virtd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 virtd_t:process ptrace; -+ allow $1 virt_lxc_t:process ptrace; ++ allow $1 virtd_lxc_t:process ptrace; + ') + -+ allow $1 virt_lxc_t:process signal_perms; -+ ps_process_pattern($1, virt_lxc_t) ++ allow $1 virtd_lxc_t:process signal_perms; ++ ps_process_pattern($1, virtd_lxc_t) + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index 2d64401..754b6aa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -528,6 +528,7 @@ SELinux Reference policy mls base module. %changelog * Thu Apr 18 2013 Miroslav Grepl 3.12.1-34 - Allow certmonger to dbus communicate with realmd +- Make realmd working * Thu Apr 18 2013 Miroslav Grepl 3.12.1-33 - Fix mozilla specification of homedir content