From 6f256d240d9eeda161bc2f798431a6ef901cce5d Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Thu, 7 Oct 2010 09:59:45 -0400
Subject: [PATCH] - Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr
---
 policy-F14.patch | 18 +++++-------------
 selinux-policy.spec | 6 +++++-
 2 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/policy-F14.patch b/policy-F14.patch
index b7c83722..7ac41af6 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -7236,7 +7236,7 @@ index 82842a0..369c3b5 100644
  dbus_system_bus_client($1_wm_t)
  dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..217bd0d 100644
+index 0eb1d97..46af2a4 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -9,8 +9,11 @@
@@ -7340,15 +7340,7 @@ index 0eb1d97..217bd0d 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -248,6 +273,7 @@ ifdef(`distro_gentoo',`
- /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
- 
-@@ -314,6 +340,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
  /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
@@ -7356,7 +7348,7 @@ index 0eb1d97..217bd0d 100644
  ')
  ifdef(`distro_suse', `
-@@ -340,3 +367,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +366,27 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -30960,7 +30952,7 @@ index 82cb169..9e72970 100644
 + admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..8e36be0 100644
+index e30bb63..6e627d6 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -30978,7 +30970,7 @@ index e30bb63..8e36be0 100644
  # smbd Local policy
  #
 -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search };
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c26a444f..de35d49b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.5
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,10 @@ exit 0
 %endif
 %changelog
+* Thu Oct 7 2010 Dan Walsh 3.9.5-12
+- Allow smbd to use sys_admin
+- Remove duplicate file context for tcfmgr
+
 * Wed Oct 6 2010 Dan Walsh 3.9.5-11
 - Fix fusefs handling
 - Do not allow sandbox to manage nsplugin_rw_t
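Review bot: `sys_admin` is added to `allow smbd_t self:capability { ... }` in the samba.te hunk (`@@ -30978,7 +30970,7 @@`) with no record of which smbd operation was denied without it, and the changelog entry "Allow smbd to use sys_admin" carries no bug reference either. Because `sys_admin` covers a very wide set of privileged kernel operations, it widens what a compromised smbd could do inside its domain, so the justification should sit next to the rule, e.g. `# sys_admin: required by smbd for <operation seen in the AVC denial>; see <bug reference>`. If the denial did not actually break smbd, a `dontaudit smbd_t self:capability sys_admin;` next to the existing `dontaudit smbd_t self:capability sys_tty_config;` would silence it without granting the capability. The smbd local policy block starts and ends outside the hunk, so whether other rules already constrain this cannot be judged from here.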