add patch from dan

refpolicy/Changelog

@@ -1,3 +1,4 @@
+- Fixes from Dan Walsh for ldap and authlogin.
 - Fix corenetwork gen_context()'s to expand during the policy
   build phase instead of during the generation phase.  
 - DISTRO=redhat now implies DIRECT_INITRC=y.

refpolicy/policy/modules/services/ldap.te

@@ -1,5 +1,5 @@
 
-policy_module(ldap,1.0)
+policy_module(ldap,1.0.1)
 
 ########################################
 #
@@ -10,12 +10,18 @@ type slapd_t;
 type slapd_exec_t;
 init_daemon_domain(slapd_t,slapd_exec_t)
 
+type slapd_cert_t;
+files_type(slapd_cert_t)
+
 type slapd_db_t;
 files_type(slapd_db_t)
 
 type slapd_etc_t;
 files_config_file(slapd_etc_t)
 
+type slapd_lock_t;
+files_lock_file(slapd_lock_t)
+
 type slapd_replog_t;
 files_type(slapd_replog_t)
 
@@ -41,6 +47,10 @@ allow slapd_t self:udp_socket create_socket_perms;
 #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
 allow slapd_t self:tcp_socket create_stream_socket_perms;
 
+allow slapd_t slapd_cert_t:dir r_dir_perms;
+allow slapd_t slapd_cert_t:file r_file_perms;
+allow slapd_t slapd_cert_t:lnk_file { getattr read };
+
 # Allow access to the slapd databases
 allow slapd_t slapd_db_t:dir create_dir_perms;
 allow slapd_t slapd_db_t:file create_file_perms;
@@ -48,6 +58,9 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
 
 allow slapd_t slapd_etc_t:file { getattr read };
 
+allow slapd_t slapd_lock_t:file create_file_perms;
+files_create_lock(slapd_t,slapd_lock_t)
+
 # Allow access to write the replication log (should tighten this)
 allow slapd_t slapd_replog_t:dir create_dir_perms;
 allow slapd_t slapd_replog_t:file create_file_perms;

refpolicy/policy/modules/system/authlogin.fc

@@ -23,6 +23,8 @@ ifdef(`distro_suse', `
 
 /var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
 
+/var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
+
 /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
 /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
 /var/log/faillog	--	gen_context(system_u:object_r:faillog_t,s0)

refpolicy/policy/modules/system/authlogin.if

@@ -920,6 +920,12 @@ interface(`auth_manage_login_records',`
 ## </param>
 #
 interface(`auth_use_nsswitch',`
+	gen_require(`
+		type var_auth_t;
+	')
+
+	allow $1 var_auth_t:dir r_dir_perms;
+	allow $1 var_auth_t:file create_file_perms;
 
 	sysnet_dns_name_resolve($1)
 	sysnet_use_ldap($1)

refpolicy/policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.0)
+policy_module(authlogin,1.0.1)
 
 ########################################
 #
@@ -64,6 +64,13 @@ domain_type(utempter_t)
 type utempter_exec_t;
 domain_entry_file(utempter_t,utempter_exec_t)
 
+#
+# var_auth_t is the type of /var/lib/auth, usually
+# used for auth data in pam_able
+#
+type var_auth_t;
+files_type(var_auth_t)
+
 type wtmp_t;
 logging_log_file(wtmp_t)
 

refpolicy/policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.0)
+policy_module(logging,1.0.1)
 
 ########################################
 #
@@ -108,6 +108,7 @@ allow auditd_t self:process { signal_perms setsched };
 allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditd_t self:fifo_file rw_file_perms;
 
 allow auditd_t auditd_etc_t:file r_file_perms;