From cbee30b868f274b9ddd271f8bb7c25cd4346a64b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 16 2013 13:13:46 +0000 Subject: More fixes for freeipa-selinux --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 85db2a1..6debbcb 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -28454,29 +28454,33 @@ index dd3be8d..8cda2bb 100644 + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..93aad6f 100644 +index 662e79b..ef9370d 100644 --- a/policy/modules/system/ipsec.fc 
+++ b/policy/modules/system/ipsec.fc -@@ -1,13 +1,17 @@ +@@ -1,14 +1,19 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +-/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) + -+/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) - /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/etc/(strongswan)?/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/(strongswan)?/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +-/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + - /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/(strongswan)?/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,10 +30,12 @@ + +@@ -26,12 +31,15 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) 
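Review bot: The three new `/etc/(strongswan)?/...` entries in the inner ipsec.fc hunk no longer match the plain paths: with the optional group empty the regex still demands a slash after `/etc/`, so `/etc/ipsec.secrets`, `/etc/ipsec.conf` and `/etc/ipsec.d` would have to be spelled `/etc//...`, and this same hunk removes the literal entries that used to cover them. For ipsec.secrets and ipsec.d that means key material loses ipsec_key_file_t and presumably falls back to the generic /etc label, readable by every domain allowed to read plain /etc files. Move the slash inside the group: `/etc/(strongswan/)?ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)`, `/etc/(strongswan/)?ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)` and `/etc/(strongswan/)?ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)`. Worth confirming with a relabel of a system that has both layouts, since the broad `/etc/strongswan(/.*)?` conf_file_t entry added just above would otherwise silently take over the strongswan keys too.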
@@ -28488,8 +28492,11 @@ index 662e79b..93aad6f 100644 +/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) ++/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) + + /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) -@@ -39,3 +45,5 @@ +@@ -39,3 +47,5 @@ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index a3352be..de0843d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -8988,7 +8988,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..1a30d34 100644 +index 7c92aa1..f177ca5 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,13 @@ @@ -9083,7 +9083,7 @@ index 7c92aa1..1a30d34 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -54,74 +91,47 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -54,74 +91,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -9116,6 +9116,7 @@ index 7c92aa1..1a30d34 100644 +# needs read /proc/interrupts kernel_read_system_state(boinc_t) ++kernel_read_network_state(boinc_t) kernel_search_vm_sysctl(boinc_t) -corenet_all_recvfrom_unlabeled(boinc_t) @@ -9179,7 +9180,7 @@ index 7c92aa1..1a30d34 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +140,65 @@ init_read_utmp(boinc_t) +@@ -130,55 +141,65 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -25004,10 +25005,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..eaf0f2a +index 0000000..6ceb963 
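Review bot: In the boinc.te inner hunk the new `kernel_read_network_state(boinc_t)` sits directly under `# needs read /proc/interrupts`, a comment that justifies only `kernel_read_system_state(boinc_t)`; a reader now takes it as covering both grants. Give the new rule its own one-line reason naming the /proc/net file or the denial it resolves, e.g. `# needs read /proc/net/<file seen in the AVC denial>` with the actual path filled in, so the grant can be re-checked rather than carried forward as unexplained access. The enclosing boinc_t rule block starts and ends outside the hunk.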
--- /dev/null +++ b/glusterd.te -@@ -0,0 +1,158 @@ +@@ -0,0 +1,160 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -25136,6 +25137,8 @@ index 0000000..eaf0f2a + +fs_getattr_all_fs(glusterd_t) + ++storage_rw_fuse(glusterd_t) ++ +auth_use_nsswitch(glusterd_t) + +fs_getattr_all_fs(glusterd_t) @@ -35974,15 +35977,16 @@ index e08c55d..9e634bd 100644 + +') diff --git a/mandb.fc b/mandb.fc -index 2de0f64..50f34fd 100644 +index 2de0f64..3c24286 100644 --- a/mandb.fc +++ b/mandb.fc -@@ -1 +1,9 @@ +@@ -1 +1,10 @@ /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) ++/opt/local/share/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) + +/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) + @@ -53976,10 +53980,10 @@ index 0000000..726d992 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..051f952 +index 0000000..b975b85 --- /dev/null +++ b/pki.if -@@ -0,0 +1,293 @@ +@@ -0,0 +1,294 @@ + +## policy for pki + @@ -54020,6 +54024,7 @@ index 0000000..051f952 + ') + + read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) ++ read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) +') + +######################################## @@ -54275,10 +54280,10 @@ index 0000000..051f952 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..10eaddc +index 0000000..17f5d18 --- /dev/null +++ b/pki.te -@@ -0,0 +1,283 @@ +@@ -0,0 +1,284 @@ +policy_module(pki,10.0.11) + +######################################## 
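Review bot: The glusterd.te inner hunk now shows `fs_getattr_all_fs(glusterd_t)` twice, two lines before and two lines after the added `storage_rw_fuse(glusterd_t)`; one copy is redundant and the duplicate suggests the rules were pasted rather than merged. Drop the second `fs_getattr_all_fs(glusterd_t)`, and give the fuse grant a short reason, e.g. `# mounts client volumes through /dev/fuse` if that is the access that was denied — the motivation is not visible here. The surrounding glusterd_t block extends past both ends of the hunk.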
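Review bot: In the mandb.fc inner hunk `/opt/local/share/man(/.*)?` receives mandb_cache_t, the same type as `/var/cache/man`, so the whole manual tree under it — the pages themselves, not only index files — becomes writable by mandb_t and carries a different label from the rest of the manpath. If the intent is only to let mandb write its index database there, a pattern limited to that file (the database name depends on the man-db backend; verify it against the denial) keeps the writable label off the pages, e.g. `/opt/local/share/man(/.*)?/<index file> -- gen_context(system_u:object_r:mandb_cache_t,s0)`. If the full tree really is meant as cache, say so in a comment on the new line so the next reader does not narrow it.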
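Review bot: The added `read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)` only permits reading links that themselves carry pki_tomcat_cert_t; if links under the certificate directory point at files of another type (a system certificate store, for instance), callers of this interface still need read access on that target type, which this change does not add — whether such links exist is not visible here. The interface's description block and its `gen_require` lie outside the hunk; the summary there should state that symbolic links are now covered as well as regular files, so callers know exactly what the interface grants.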
@@ -54367,6 +54372,7 @@ index 0000000..10eaddc + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) ++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)