From 463574d91e5c9a51c89b278066ac4d057e9c9229 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jun 11 2013 14:12:10 +0000
Subject: - Allow wine to manage wine home content
- Make amanda work with socket activation
- Add labeling for /usr/sbin/iscsiadm
- Add support for /var/run/gssproxy.sock
- dnsmasq_t needs to read sysctl_net_t
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 35366d1..a1ab260 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -765,7 +765,7 @@ index 66e85ea..d02654d 100644
## user domains.
##
diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..629fe1b 100644
+index 4705ab6..b7e7ea5 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,52 +6,59 @@
@@ -854,7 +854,7 @@ index 4705ab6..629fe1b 100644
## Allow any files/directories to be exported read/write via NFS.
##
##
-@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false)
##
##
@@ -880,6 +880,12 @@ index 4705ab6..629fe1b 100644
-gen_tunable(user_tcp_server,false)
+gen_tunable(selinuxuser_tcp_server,false)
+
++##
++##
++## Allow the mount commands to mount any directory or file.
++##
++##
++gen_tunable(mount_anyfile, false)
diff --git a/policy/mcs b/policy/mcs
index 216b3d1..81bc8c4 100644
--- a/policy/mcs
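Review bot: The description added for `mount_anyfile` at the end of this hunk does not say what enabling the boolean exposes, and the commit message does not mention that the tunable is now declared in global_tunables. A boolean that lets the mount domain mount over arbitrary files deserves a line on scope, for example `## Allow the mount commands to mount on any directory or file, not only on types declared as mount points.` (wording to be confirmed against the tunable_policy block in mount.te, which is not visible here). The default of `false` is the right one to keep. The mount.te hunk later in this patch appears to drop the old declaration, but it is cut off here, so confirm that no second `gen_tunable(mount_anyfile, ...)` remains.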
@@ -29540,7 +29546,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..e06286c 100644
+index c04ac46..799d194 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -29664,15 +29670,19 @@ index c04ac46..e06286c 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,6 +211,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,37 +211,55 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
+kernel_read_crypto_sysctls(sulogin_t)
kernel_read_system_state(sulogin_t)
++dev_getattr_all_chr_files(sulogin_t)
++dev_getattr_all_blk_files(sulogin_t)
++
fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +220,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+ fs_rw_tmpfs_chr_files(sulogin_t)
+
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
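Review bot: `dev_getattr_all_chr_files(sulogin_t)` and `dev_getattr_all_blk_files(sulogin_t)` grant getattr on every character and block device node, with no comment saying which access sulogin actually needs. If the denials were only noise from sulogin walking /dev, the `dev_dontaudit_getattr_all_chr_files` / `dev_dontaudit_getattr_all_blk_files` forms would quiet the audit log without widening the domain. If the access is required, a comment such as `# sulogin stats device nodes while locating the console` (reason to be confirmed from the AVC) should precede the two lines. The same applies to `userdom_search_admin_dir(sulogin_t)` in the next hunk. The sulogin_t rule block starts and ends outside these hunks.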
@@ -29689,7 +29699,9 @@ index c04ac46..e06286c 100644
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-@@ -238,14 +238,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ userdom_use_unpriv_users_fds(sulogin_t)
+
++userdom_search_admin_dir(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -29716,7 +29728,7 @@ index c04ac46..e06286c 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +266,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -31339,7 +31351,7 @@ index fc28bc3..2960ed7 100644
+ files_var_filetrans($1, public_content_t, dir, "ftp")
+')
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index d6293de..1c5e447 100644
+index d6293de..8f8d80d 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2)
@@ -31350,14 +31362,15 @@ index d6293de..1c5e447 100644
attribute cert_type;
#
-@@ -49,9 +48,11 @@ files_type(man_cache_t)
+@@ -48,10 +47,10 @@ files_type(man_cache_t)
+ # Types for public content
#
type public_content_t; #, customizable;
- files_type(public_content_t)
+-files_type(public_content_t)
+files_mountpoint(public_content_t)
type public_content_rw_t; #, customizable;
- files_type(public_content_rw_t)
+-files_type(public_content_rw_t)
+files_mountpoint(public_content_rw_t)
#
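Review bot: Replacing `files_type(public_content_t)` and `files_type(public_content_rw_t)` outright relies on `files_mountpoint()` also declaring the type as a file type. That holds in the reference policy definition as far as I know, but the interface body is not visible here. A short comment above the two declarations, e.g. `# files_mountpoint() also marks the type as a file type`, would stop a later reader from re-adding the call. Because `public_content_rw_t` is a mount point, any domain permitted to mount on the mountpoint attribute can cover shared read/write content, so the reason for that choice is worth recording next to the declaration.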
@@ -32080,16 +32093,20 @@ index 4584457..e432df3 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..8288fd0 100644
+index 6a50270..fa545e7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
- ## Allow the mount command to mount any directory or file.
- ##
- ##
--gen_tunable(allow_mount_anyfile, false)
-+gen_tunable(mount_anyfile, false)
+@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1)
+ # Declarations
+ #
+-##