From c4ea0499cb2084eff710a075a6ba2114216612b1 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 23 2012 15:48:49 +0000 Subject: Adopt pki-selinux -policy --- diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 4f753b3..854e721 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -4965,7 +4965,7 @@ index d80a16b..ef740ef 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 39799db..07d242d 100644 +index 39799db..6264256 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; @@ -4978,7 +4978,13 @@ index 39799db..07d242d 100644 ######################################## # # Local policy -@@ -61,9 +64,11 @@ kernel_read_fs_sysctls(automount_t) +@@ -56,14 +59,17 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) + files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file }) + + kernel_read_kernel_sysctls(automount_t) ++kernel_read_vm_sysctls(automount_t) + kernel_read_irq_sysctls(automount_t) + kernel_read_fs_sysctls(automount_t) kernel_read_proc_symlinks(automount_t) kernel_read_system_state(automount_t) kernel_read_network_state(automount_t) @@ -4990,7 +4996,7 @@ index 39799db..07d242d 100644 files_search_boot(automount_t) # Automount is slowly adding all mount functionality internally files_search_all(automount_t) -@@ -79,7 +84,6 @@ fs_search_all(automount_t) +@@ -79,7 +85,6 @@ fs_search_all(automount_t) corecmd_exec_bin(automount_t) corecmd_exec_shell(automount_t) @@ -4998,7 +5004,7 @@ index 39799db..07d242d 100644 corenet_all_recvfrom_netlabel(automount_t) corenet_tcp_sendrecv_generic_if(automount_t) corenet_udp_sendrecv_generic_if(automount_t) -@@ -113,7 +117,6 @@ files_dontaudit_write_var_dirs(automount_t) +@@ -113,7 +118,6 @@ files_dontaudit_write_var_dirs(automount_t) files_getattr_all_dirs(automount_t) files_list_mnt(automount_t) files_getattr_home_dir(automount_t) 
@@ -5006,7 +5012,7 @@ index 39799db..07d242d 100644 files_read_etc_runtime_files(automount_t) # for if the mount point is not labelled files_getattr_isid_type_dirs(automount_t) -@@ -140,13 +143,8 @@ auth_use_nsswitch(automount_t) +@@ -140,13 +144,8 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -5020,7 +5026,7 @@ index 39799db..07d242d 100644 userdom_dontaudit_use_unpriv_user_fds(automount_t) userdom_dontaudit_search_user_home_dirs(automount_t) -@@ -155,6 +153,13 @@ optional_policy(` +@@ -155,6 +154,13 @@ optional_policy(` ') optional_policy(` @@ -14221,7 +14227,7 @@ index 305ddf4..f3cd95f 100644 + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ') diff --git a/cups.te b/cups.te -index e5a8924..c5c823c 100644 +index e5a8924..cd3c7de 100644 --- a/cups.te +++ b/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -14545,7 +14551,18 @@ index e5a8924..c5c823c 100644 ') ######################################## -@@ -635,9 +658,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) +@@ -613,6 +636,10 @@ tunable_policy(`use_samba_home_dirs',` + + # Needed for USB Scanneer and xsane + allow hplip_t self:capability { dac_override dac_read_search net_raw }; ++#sched_setscheduler ++allow hplip_t self:capability sys_nice; ++allow hplip_t self:process setsched; ++ + dontaudit hplip_t self:capability sys_tty_config; + allow hplip_t self:fifo_file rw_fifo_file_perms; + allow hplip_t self:process signal_perms; +@@ -635,9 +662,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) 
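Review bot: The `sys_nice` grant to hplip_t in the cups.te hunk (`@@ -613,6 +636,10 @@`) is added as a separate `allow hplip_t self:capability sys_nice;` directly under the existing `allow hplip_t self:capability { dac_override dac_read_search net_raw };`, so the domain now carries two capability rules that must be kept in sync. Folding it into the existing set, `allow hplip_t self:capability { dac_override dac_read_search net_raw sys_nice };`, and moving `allow hplip_t self:process setsched;` next to the `self:process signal_perms` rule a few lines down keeps the per-class grouping the rest of the block uses. The bare `#sched_setscheduler` comment should say why both permissions are needed, e.g. `# sched_setscheduler() requires capability sys_nice and process setsched`. The enclosing hplip local-policy block continues outside this hunk.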
@@ -14562,7 +14579,7 @@ index e5a8924..c5c823c 100644 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -647,7 +677,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file) +@@ -647,7 +681,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file) kernel_read_system_state(hplip_t) kernel_read_kernel_sysctls(hplip_t) @@ -14573,7 +14590,7 @@ index e5a8924..c5c823c 100644 corenet_all_recvfrom_netlabel(hplip_t) corenet_tcp_sendrecv_generic_if(hplip_t) corenet_udp_sendrecv_generic_if(hplip_t) -@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t) +@@ -661,10 +697,10 @@ corenet_tcp_bind_generic_node(hplip_t) corenet_udp_bind_generic_node(hplip_t) corenet_tcp_bind_hplip_port(hplip_t) corenet_tcp_connect_hplip_port(hplip_t) @@ -14587,7 +14604,7 @@ index e5a8924..c5c823c 100644 dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -@@ -673,31 +705,34 @@ dev_read_rand(hplip_t) +@@ -673,31 +709,34 @@ dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) dev_rw_usbfs(hplip_t) @@ -14609,10 +14626,10 @@ index e5a8924..c5c823c 100644 +fs_getattr_all_fs(hplip_t) +fs_search_auto_mountpoints(hplip_t) +fs_rw_anon_inodefs_files(hplip_t) -+ -+term_use_ptmx(hplip_t) -miscfiles_read_localization(hplip_t) ++term_use_ptmx(hplip_t) ++ +auth_read_passwd(hplip_t) + +logging_send_syslog_msg(hplip_t) @@ -14633,7 +14650,7 @@ index e5a8924..c5c823c 100644 optional_policy(` dbus_system_bus_client(hplip_t) -@@ -743,7 +778,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -743,7 +782,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -14641,7 +14658,7 @@ index e5a8924..c5c823c 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -760,13 +794,10 @@ fs_search_auto_mountpoints(ptal_t) +@@ -760,13 +798,10 @@ fs_search_auto_mountpoints(ptal_t) domain_use_interactive_fds(ptal_t) 
@@ -30733,7 +30750,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/logwatch.te b/logwatch.te -index 75ce30f..9279c2d 100644 +index 75ce30f..12abef6 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0) @@ -30744,7 +30761,7 @@ index 75ce30f..9279c2d 100644 application_domain(logwatch_t, logwatch_exec_t) role system_r types logwatch_t; -@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t) +@@ -19,13 +20,19 @@ files_lock_file(logwatch_lock_t) type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) @@ -30757,6 +30774,15 @@ index 75ce30f..9279c2d 100644 ######################################## # # Local policy + # + +-allow logwatch_t self:capability { dac_override dac_read_search setgid }; +-allow logwatch_t self:process signal; ++allow logwatch_t self:capability { dac_override dac_read_search setgid sys_nice }; ++allow logwatch_t self:process { signal setsched }; + allow logwatch_t self:fifo_file rw_file_perms; + allow logwatch_t self:unix_stream_socket create_stream_socket_perms; + @@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) @@ -42606,7 +42632,7 @@ index ceafba6..47b690d 100644 + udev_read_db(pcscd_t) +') diff --git a/pegasus.te b/pegasus.te -index 3185114..4daaf7e 100644 +index 3185114..2a4e326 100644 --- a/pegasus.te +++ b/pegasus.te @@ -9,6 +9,9 @@ type pegasus_t; @@ -42699,10 +42725,14 @@ index 3185114..4daaf7e 100644 sysnet_read_config(pegasus_t) sysnet_domtrans_ifconfig(pegasus_t) -@@ -121,12 +130,31 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) +@@ -121,12 +130,39 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_user_home_dirs(pegasus_t) optional_policy(` ++ corosync_stream_connect(pegasus_t) ++') ++ ++optional_policy(` + hostname_exec(pegasus_t) +') + 
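Review bot: The rewritten `allow logwatch_t self:capability { ... sys_nice };` and `allow logwatch_t self:process { signal setsched };` lines in the logwatch.te hunk (`@@ -19,13 +20,19 @@`) widen logwatch_t's scheduling rights with no comment, whereas the equivalent hplip change in this same commit at least notes `#sched_setscheduler`. A one-line why-comment above the pair, e.g. `# sched_setscheduler(): needs capability sys_nice plus process setsched`, would keep the two changes consistent and tell the next maintainer which call drives the grant. Which logwatch component actually changes its scheduling policy is not visible here, so that should be confirmed and named in the comment if known. The "Local policy" block continues past the end of the hunk.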
@@ -42711,6 +42741,10 @@ index 3185114..4daaf7e 100644 +') + +optional_policy(` ++ ricci_stream_connect_modclusterd(pegasus_t) ++') ++ ++optional_policy(` rpm_exec(pegasus_t) ') @@ -42732,7 +42766,7 @@ index 3185114..4daaf7e 100644 ') optional_policy(` -@@ -136,3 +164,14 @@ optional_policy(` +@@ -136,3 +172,14 @@ optional_policy(` optional_policy(` unconfined_signull(pegasus_t) ') @@ -43905,10 +43939,10 @@ index 0000000..24087ed +/usr/lib/systemd/system/pki-tomcat.* -- gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..7104911 +index 0000000..83c13cf --- /dev/null +++ b/pki.if -@@ -0,0 +1,246 @@ +@@ -0,0 +1,248 @@ + +## policy for pki +######################################## @@ -43924,8 +43958,10 @@ index 0000000..7104911 +interface(`pki_rw_tomcat_cert',` + gen_require(` + type pki_tomcat_cert_t; ++ type pki_tomcat_etc_rw_t; + ') + ++ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms; + rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) +') + @@ -44157,10 +44193,10 @@ index 0000000..7104911 + diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..e15f399 +index 0000000..5e5f291 --- /dev/null +++ b/pki.te -@@ -0,0 +1,288 @@ +@@ -0,0 +1,289 @@ +policy_module(pki,10.0.11) + +######################################## @@ -44259,6 +44295,7 @@ index 0000000..e15f399 +read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t) +allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr; +allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr; ++systemd_search_unit_dirs(pki_tomcat_t) + +# allow java subsystems to talk to the ncipher hsm +allow pki_tomcat_t pki_common_dev_t:sock_file write;
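Review bot: `pki_rw_tomcat_cert` in the pki.if hunk (`@@ -43924,8 +43958,10 @@`) now also grants `$1` `dir search_dir_perms` on `pki_tomcat_etc_rw_t`, but the interface's `## <summary>` and `<param>` block sits above this hunk and still documents only the cert files, so callers cannot tell from the docs that the interface opens the etc directory as well. The summary should state that the caller may search pki_tomcat_etc_rw_t directories in order to reach the cert files. Refpolicy interfaces normally express this with the pattern macro rather than a raw rule: `search_dirs_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)`.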
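Review bot: The new `systemd_search_unit_dirs(pki_tomcat_t)` in the pki.te hunk (`@@ -44259,6 +44295,7 @@`) is appended directly to the raw `allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;` / `lnk_file setattr;` rules, and none of the four lines say why a service domain needs to alter attributes of its own unit files. A short comment above the group, e.g. `# pki_tomcat_t reaches and re-labels/sets attributes on its own unit files; unit dirs must be searchable`, would make the grant reviewable, and the interface call would normally sit with the other cross-module calls below the domain's own allow rules rather than inside them. Whether the rest of the file already has such a block is not visible in this hunk.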