From b71ea0d4a1eaa06eb14af2e1ae973ab4c4c57405 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jun 30 2010 12:54:13 +0000
Subject: - Fix label for /var/lib/git - Fix labels for conflicted files - Fix cgroup_admin interface
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 0b6c7f7..98652ae 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -7743,7 +7743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-06-16 18:40:09.826109969 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-06-30 14:38:26.006616726 +0200
 @@ -49,7 +49,8 @@
 /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
 /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -7777,7 +7777,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 # /usr
 #
-@@ -217,10 +227,15 @@
+@@ -189,7 +199,8 @@
+ /usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/debug/usr/libexec(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+@@ -217,10 +228,15 @@
 /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -7793,7 +7803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +255,7 @@
+@@ -240,6 +256,7 @@
 /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7801,7 +7811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -297,6 +313,7 @@
+@@ -297,6 +314,7 @@
 /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -7809,7 +7819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +348,21 @@
+@@ -331,3 +349,21 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
 ')
@@ -15868,8 +15878,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.19/policy/modules/services/cgroup.if
 --- nsaserefpolicy/policy/modules/services/cgroup.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-06-28 18:45:48.968401671 +0200
-@@ -0,0 +1,242 @@
++++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-06-30 14:34:47.947618029 +0200
+@@ -0,0 +1,244 @@
 +## libcg is a library that abstracts the control group file system in Linux.
 +##
 +##

@@ -16087,6 +16097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 + type cgred_t, cgconfigparser_t, cgred_var_run_t;
 + type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
 + type cgroup_t, cgroupfs_t;
++ type cgrules_etc_t;
 + ')
 +
 + allow $1 cgconfigparser_t:process { ptrace signal_perms getattr };
@@ -16100,6 +16111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 +
 + files_search_etc($1)
 + admin_pattern($1, cgconfig_etc_t)
++ admin_pattern($1, cgrules_etc_t)
 +
 + files_list_var($1)
 + admin_pattern($1, cgred_var_run_t)
@@ -19818,7 +19830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.19/policy/modules/services/git.fc
 --- nsaserefpolicy/policy/modules/services/git.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/git.fc 2010-05-28 09:42:00.112610839 +0200
++++ serefpolicy-3.7.19/policy/modules/services/git.fc 2010-06-30 13:03:56.351618002 +0200
 @@ -1,3 +1,12 @@
 +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0)
 +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0)
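Review bot: The added `type cgrules_etc_t;` in the `gen_require` block of the first cgroup.if hunk (`@@ -16087,6 +16097,7 @@`) makes every caller of this interface depend on that type being declared, and neither its declaration nor a file-context entry that assigns it is visible in this commit. I would confirm both exist in the cgroup module before merging, since a required type that is not declared fails the policy build for every module that calls the interface. The second hunk's `admin_pattern($1, cgrules_etc_t)` gives the calling domain full management of whatever carries that label, so the interface's `##` header, which lies outside both hunks, should name it, for example `## Allow the specified domain to administrate cgconfig and cgred, including files labeled cgconfig_etc_t and cgrules_etc_t.` The interface body (presumably the cgroup_admin named in the commit subject) starts and ends outside these hunks.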
@@ -19828,7 +19840,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
 +
 /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
- /var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
++/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
 /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
 +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
 +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a3d8785..1a5f2d5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 32%{?dist}
+Release: 33%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
 %endif
 %changelog
+* Wed Jun 30 2010 Miroslav Grepl 3.7.19-33
+- Fix label for /var/lib/git
+- Fix labels for conflicted files
+- Fix cgroup_admin interface
+
 * Mon Jun 28 2010 Miroslav Grepl 3.7.19-32
 - Allow sectool to connect to users over unix stream socket
 - Add label for /var/spool/abrt-upload
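Review bot: Relabeling `/var/lib/git(/.*)?` from `httpd_git_content_t` to `git_system_content_t` in the git.fc hunk (`@@ -19828,7 +19840,8 @@`) changes which domains can read system repositories, and the allow rules that have to accompany the new label are not part of this commit. If the cgit and gitweb entry points labeled `httpd_git_script_exec_t` on the neighbouring lines are meant to serve repositories from /var/lib/git, their script domain needs read access to `git_system_content_t`; I would confirm that rule exists in git.te or the apache module, otherwise the relabel shows up as AVC denials. A one-line comment above the entry, such as `# system-wide repositories served by git-daemon; web front ends need explicit read access`, would record why the path no longer carries the httpd type. Separately, the context line `/var/www/git/gitweb.cgi` has an unescaped `.` and no `--` file-type field, unlike `/var/www/cgi-bin/cgit --`; `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)` would limit the executable label to that regular file.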