From 83715e6621b6012dd71599741604f93dc2130caf Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Wed, 26 Mar 2014 11:14:21 +0100
Subject: [PATCH] Fix ipa.if

---
 policy-rawhide-base.patch    | 45 ++++++++++++++++++++++++++++++++++--
 policy-rawhide-contrib.patch | 44 ++++++++++++++++++++++++-----------
 2 files changed, 74 insertions(+), 15 deletions(-)

diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a373432c..f15a12cf 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -16881,7 +16881,7 @@ index 54f1827..39faa3f 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 64c4cd0..69be610 100644
+index 64c4cd0..b9d9660 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -17010,7 +17010,7 @@ index 64c4cd0..69be610 100644
  ########################################
  ## <summary>
  ##	Allow the caller to directly read
-@@ -813,3 +897,411 @@ interface(`storage_unconfined',`
+@@ -813,3 +897,452 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -17355,6 +17355,47 @@ index 64c4cd0..69be610 100644
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
++	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")
 +	dev_filetrans($1, removable_device_t, blk_file, "sr0")
 +	dev_filetrans($1, removable_device_t, blk_file, "sr1")
 +	dev_filetrans($1, removable_device_t, blk_file, "sr2")
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 54cdf61e..c33f6676 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -28811,7 +28811,7 @@ index e39de43..6a6db28 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d61..d0bfef0 100644
+index ab09d61..8bcb6ba 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,52 +1,78 @@
@@ -29858,7 +29858,7 @@ index ab09d61..d0bfef0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -706,12 +820,931 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +820,948 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -30251,6 +30251,23 @@ index ab09d61..d0bfef0 100644
 +	read_files_pattern($1, config_home_t, config_home_t)
 +	read_lnk_files_pattern($1, config_home_t, config_home_t)
 +')
++#######################################
++## <summary>
++##  append gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_append_home_config',`
++    gen_require(`
++        type config_home_t;
++    ')
++
++    append_files_pattern($1, config_home_t, config_home_t)
++')
 +
 +#######################################
 +## <summary>
@@ -33328,10 +33345,10 @@ index 0000000..48d7322
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..4095bed
+index 0000000..d028154
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,57 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@@ -33389,7 +33406,6 @@ index 0000000..4095bed
 +    manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
 +')
 +
-+')
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
 index 0000000..b60bc5f
@@ -73656,10 +73672,10 @@ index 0000000..a073efd
 +')
 diff --git a/rasdaemon.te b/rasdaemon.te
 new file mode 100644
-index 0000000..7b1fa9e
+index 0000000..6731d5c
 --- /dev/null
 +++ b/rasdaemon.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,46 @@
 +policy_module(rasdaemon, 1.0.0)
 +
 +########################################
@@ -73691,16 +73707,17 @@ index 0000000..7b1fa9e
 +kernel_read_system_state(rasdaemon_t)
 +kernel_manage_debugfs(rasdaemon_t)
 +
-+auth_use_nsswitch(rasdaemon_t)
-+
 +dev_read_raw_memory(rasdaemon_t)
 +dev_read_sysfs(rasdaemon_t)
 +dev_read_urand(rasdaemon_t)
-+
-+logging_send_syslog_msg(rasdaemon_t)
++dev_rw_cpu_microcode(rasdaemon_t)
 +
 +modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
 +
++auth_use_nsswitch(rasdaemon_t)
++
++logging_send_syslog_msg(rasdaemon_t)
++
 +optional_policy(`
 +    dmidecode_exec(rasdaemon_t)
 +')
@@ -95084,10 +95101,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..bb3e477
+index 0000000..0e30ce2
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,156 @@
+@@ -0,0 +1,157 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -95217,6 +95234,7 @@ index 0000000..bb3e477
 +	# .config
 +	gnome_dontaudit_search_config(thumb_t)
 +	gnome_dontaudit_write_config_files(thumb_t)
++    gnome_append_home_config(thumb_t)
 +	gnome_append_generic_cache_files(thumb_t)
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_dontaudit_rw_generic_cache_files(thumb_t)