From 488362e60aaee03ee5f9b0aa87e08806cd4eb1fe Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: May 06 2015 22:09:26 +0000 Subject: * Thu May 07 2015 Lukas Vrabec 3.12.1-201 - Allow named to manage files in dnssec_trigger_var_run_t directory --- diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index b11cf3b..4e35c46 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -9029,7 +9029,7 @@ index 866a1e2..43b445c 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..93ffa1d 100644 +index 076ffee..605a624 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9089,23 +9089,27 @@ index 076ffee..93ffa1d 100644 domain_use_interactive_fds(named_t) -@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +172,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` ++ cron_system_entry(named_t, named_exec_t) ++') ++ ++optional_policy(` + # needed by FreeIPA with DNS support + dirsrv_stream_connect(named_t) +') + +optional_policy(` -+ cron_system_entry(named_t, named_exec_t) ++ dnssec_trigger_manage_pid_files(named_t) +') + +optional_policy(` dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -183,6 +194,7 @@ optional_policy(` +@@ -183,6 +198,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) @@ -9113,7 +9117,7 @@ index 076ffee..93ffa1d 100644 ') optional_policy(` -@@ -209,7 +221,8 @@ optional_policy(` +@@ -209,7 +225,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -9123,7 +9127,7 @@ index 076ffee..93ffa1d 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +240,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; 
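Review bot: The new `optional_policy` block that calls `dnssec_trigger_manage_pid_files(named_t)` (bind.te, inner hunk `@@ -170,6 +172,19 @@`) has no comment saying why named needs it, unlike the `dirsrv_stream_connect(named_t)` block beside it, which is annotated `# needed by FreeIPA with DNS support`. Judging by the interface name and the changelog line, this gives a network-facing daemon manage access (presumably create, write and unlink) to files labelled `dnssec_trigger_var_run_t`; the interface definition is not visible in this patch, so the exact permission set should be confirmed. I would add a line such as `# named manages dnssec-trigger runtime files, see <BUG-ID placeholder>` above the call so the grant can be audited later. If the recorded denials only cover read access, a narrower interface would be preferable to the full manage set.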
@@ -9135,7 +9139,7 @@ index 076ffee..93ffa1d 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -236,6 +248,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -236,6 +252,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9145,7 +9149,7 @@ index 076ffee..93ffa1d 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -251,7 +266,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +270,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index c8bb6f0..c04ed2e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 200%{?dist} +Release: 201%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu May 07 2015 Lukas Vrabec 3.12.1-201 +- Allow named to manage files in dnssec_trigger_var_run_t directory + * Mon May 04 2015 Lukas Vrabec 3.12.1-200 - add interface networkmanager_sigchld - Fix labels on new location of resolv.conf