Fix cert calls in telepath, boinc, kerberos

Add sys_admin to xend to allow it to start
Add oident calls to staff_t

policy/modules/apps/telepathy.te

@@ -78,7 +78,7 @@ libs_exec_ldconfig(telepathy_msn_t)
 
 logging_send_syslog_msg(telepathy_msn_t)
 
-miscfiles_read_certs(telepathy_msn_t)
+miscfiles_read_all_certs(telepathy_msn_t)
 
 sysnet_read_config(telepathy_msn_t)
 
@@ -129,7 +129,7 @@ dev_read_urand(telepathy_gabble_t)
 files_read_config_files(telepathy_gabble_t)
 files_read_usr_files(telepathy_gabble_t)
 
-miscfiles_read_certs(telepathy_gabble_t)
+miscfiles_read_all_certs(telepathy_gabble_t)
 
 sysnet_read_config(telepathy_gabble_t)
 

policy/modules/roles/staff.te

@@ -76,6 +76,11 @@ optional_policy(`
 	kerneloops_manage_tmp_files(staff_t)
 ')
 
+optional_policy(`
+	oident_manage_user_content(staff_t)
+	oident_relabel_user_content(staff_t)
+')
+
 optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
@@ -186,10 +191,6 @@ ifndef(`distro_redhat',`
 		mta_role(staff_r, staff_t)
 	')
 
-	optional_policy(`
-		oident_manage_user_content(staff_t)
-		oident_relabel_user_content(staff_t)
-	')
 	optional_policy(`
 		pyzor_role(staff_r, staff_t)
 	')

policy/modules/services/boinc.te

@@ -99,7 +99,7 @@ fs_getattr_all_fs(boinc_t)
 term_dontaudit_getattr_ptmx(boinc_t)
 
 miscfiles_read_localization(boinc_t)
-miscfiles_read_certs(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
 
 logging_send_syslog_msg(boinc_t)
 

policy/modules/services/kerberos.te

@@ -152,7 +152,7 @@ selinux_validate_context(kadmind_t)
 
 logging_send_syslog_msg(kadmind_t)
 
-miscfiles_read_certs(kadmind_t)
+miscfiles_read_generic_certs(kadmind_t)
 miscfiles_read_localization(kadmind_t)
 
 seutil_read_file_contexts(kadmind_t)
@@ -252,7 +252,7 @@ selinux_validate_context(krb5kdc_t)
 
 logging_send_syslog_msg(krb5kdc_t)
 
-miscfiles_read_certs(krb5kdc_t)
+miscfiles_read_geniric_certs(krb5kdc_t)
 miscfiles_read_localization(krb5kdc_t)
 
 seutil_read_file_contexts(krb5kdc_t)

policy/modules/system/xen.te

@@ -110,7 +110,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
 # xend local policy
 #
 
-allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
+allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw };
 dontaudit xend_t self:capability { sys_ptrace };
 allow xend_t self:process { signal sigkill };
 dontaudit xend_t self:process ptrace;
@@ -225,6 +225,7 @@ logging_send_syslog_msg(xend_t)
 lvm_domtrans(xend_t)
 
 miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)
 
 mount_domtrans(xend_t)
 
@@ -242,6 +243,8 @@ xen_stream_connect_xenstore(xend_t)
 
 netutils_domtrans(xend_t)
 
+virt_read_config(xend_t)
+
 optional_policy(`
 	brctl_domtrans(xend_t)
 ')