From c2dae98501c8259e1b6f6c59de6326d9d3678d40 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 14 Sep 2010 10:02:43 -0400
Subject: [PATCH] Allow a couple of sandbox issues. Remove postgresl managing of etc_files, until I find out why it is needed. Dontaudit leaks from rpm to mount
---
 policy/modules/apps/sandbox.te | 7 +++++++
 policy/modules/services/postgresql.te | 3 +--
 policy/modules/system/mount.te | 1 +
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
index 942bb309..2251b023 100644
--- a/policy/modules/apps/sandbox.te
+++ b/policy/modules/apps/sandbox.te
@@ -262,6 +262,13 @@ optional_policy(`
 	hal_dbus_chat(sandbox_x_client_t)
 ')
 
+
+allow sandbox_web_t self:process setsched;
+
+optional_policy(`
+	nsplugin_read_rw_files(sandbox_web_t)
+')
+
 ########################################
 #
 # sandbox_web_client_t local policy
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index a5b65085..0ed16715 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -251,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
 domain_use_interactive_fds(postgresql_t)
 files_dontaudit_search_home(postgresql_t)
 
-files_manage_etc_files(postgresql_t)
-files_search_etc(postgresql_t)
+files_read_etc_files(postgresql_t)
 files_read_etc_runtime_files(postgresql_t)
 files_read_usr_files(postgresql_t)
 
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 1f8fee94..0fcd4e7f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -283,6 +283,7 @@ optional_policy(`
 # for kernel package installation
 optional_policy(`
 	rpm_rw_pipes(mount_t)
+	rpm_dontaudit_leaks(mount_t)
 ')
 
 optional_policy(`
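Review bot: `nsplugin_read_rw_files(sandbox_web_t)` grants the sandboxed web session read access to the user's nsplugin_rw_t files, which in refpolicy's nsplugin file contexts are (if I recall correctly) per-user plugin state directories such as ~/.adobe and ~/.macromedia — exactly the kind of home-directory data a web sandbox exists to keep away from untrusted content, and the commit message gives no reason beyond "allow a couple of sandbox issues". If the access is genuinely needed it should be gated behind a boolean or at least documented with the triggering denial, and if it is only noise from a plugin probing its config it should be a dontaudit rather than an allow; I would add `# sandbox_web_t: read plugin state for <reason>; see AVC <ref>` above the optional_policy block. The new rules also sit under what appears to be the sandbox_x_client_t section (the visible `hal_dbus_chat(sandbox_x_client_t)` context) rather than a sandbox_web_t section, and the added leading blank line leaves two consecutive blank lines. The enclosing section header is outside the hunk.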
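Review bot: Replacing the manage access with `files_read_etc_files(postgresql_t)` is the right direction, but nothing in the hunk records that the write access was removed provisionally (the commit message says "until I find out why it is needed"), so the next person who sees a write denial on etc_t is likely to re-add the broad rule. I would leave a comment above the line, e.g. `# postgresql_t must not write etc_t; if a denial for writing under /etc appears, fix the file's label rather than re-adding files_manage_etc_files`. Dropping `files_search_etc` alongside it looks safe because the read interface should already grant the directory search it needs — worth confirming against files.if in this tree.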
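Review bot: `rpm_dontaudit_leaks(mount_t)` silences denials that exist because rpm leaks descriptors into mount during kernel package installation, and unlike the `rpm_rw_pipes` line above it a dontaudit hides the symptom rather than fixing the leak; if the interface also covers rpm's tmp or var_lib files (I believe it does in refpolicy, but check rpm.if), those attempts disappear from the audit log too. That is an acceptable stopgap, but it should carry a comment pointing at the rpm bug so the rule is dropped once rpm marks its descriptors close-on-exec, e.g. `# rpm leaks fds into mount during kernel %post; dontaudit until rpm closes them (bug ref)`. The optional_policy block is fully visible; the rest of mount_t's policy is outside the hunk.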