From 366396d8557c53577bfa53cbc4b9a1ffd783bbbd Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sep 10 2010 17:18:49 +0000
Subject: Fix cert calls in telepath, boinc, kerberos Add sys_admin to xend to allow it to start Add oident calls to staff_t
---
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 4aea465..779a54b 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -78,7 +78,7 @@ libs_exec_ldconfig(telepathy_msn_t)
 logging_send_syslog_msg(telepathy_msn_t)
-miscfiles_read_certs(telepathy_msn_t)
+miscfiles_read_all_certs(telepathy_msn_t)
 sysnet_read_config(telepathy_msn_t)
@@ -129,7 +129,7 @@ dev_read_urand(telepathy_gabble_t)
 files_read_config_files(telepathy_gabble_t)
 files_read_usr_files(telepathy_gabble_t)
-miscfiles_read_certs(telepathy_gabble_t)
+miscfiles_read_all_certs(telepathy_gabble_t)
 sysnet_read_config(telepathy_gabble_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index fabc1a0..06b7974 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -77,6 +77,11 @@ optional_policy(`
 ')
 optional_policy(`
+ oident_manage_user_content(staff_t)
+ oident_relabel_user_content(staff_t)
+')
+
+optional_policy(`
 postgresql_role(staff_r, staff_t)
 ')
@@ -187,10 +192,6 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- oident_manage_user_content(staff_t)
- oident_relabel_user_content(staff_t)
- ')
- optional_policy(`
 pyzor_role(staff_r, staff_t)
 ')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
index 62a48ac..aaf0ba3 100644
--- a/policy/modules/services/boinc.te
+++ b/policy/modules/services/boinc.te
@@ -99,7 +99,7 @@ fs_getattr_all_fs(boinc_t)
 term_dontaudit_getattr_ptmx(boinc_t)
 miscfiles_read_localization(boinc_t)
-miscfiles_read_certs(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
 logging_send_syslog_msg(boinc_t)
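Review bot: `miscfiles_read_all_certs(telepathy_msn_t)` looks like a wider grant than a rename of the old call, and the `telepathy_gabble_t` hunk at -129 has the same issue. The boinc and kerberos hunks in this commit move to `miscfiles_read_generic_certs`, so only the two telepathy domains get the `all` variant. Going by the interface names, that would let these chat connection managers, which handle network input, read service-specific certificate types as well as the generic store. Unless an AVC denial shows a non-generic type is needed, I would use `miscfiles_read_generic_certs(telepathy_msn_t)` and `miscfiles_read_generic_certs(telepathy_gabble_t)`; otherwise add a comment above each call naming the type that required the broader interface.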
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 6deff48..ca4bea5 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -152,7 +152,7 @@ selinux_validate_context(kadmind_t)
 logging_send_syslog_msg(kadmind_t)
-miscfiles_read_certs(kadmind_t)
+miscfiles_read_generic_certs(kadmind_t)
 miscfiles_read_localization(kadmind_t)
 seutil_read_file_contexts(kadmind_t)
@@ -252,7 +252,7 @@ selinux_validate_context(krb5kdc_t)
 logging_send_syslog_msg(krb5kdc_t)
-miscfiles_read_certs(krb5kdc_t)
+miscfiles_read_geniric_certs(krb5kdc_t)
 miscfiles_read_localization(krb5kdc_t)
 seutil_read_file_contexts(krb5kdc_t)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index ff472d0..600d43f 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -110,7 +110,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
 # xend local policy
 #
-allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
+allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw };
 dontaudit xend_t self:capability { sys_ptrace };
 allow xend_t self:process { signal sigkill };
 dontaudit xend_t self:process ptrace;
@@ -225,6 +225,7 @@ logging_send_syslog_msg(xend_t)
 lvm_domtrans(xend_t)
 miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)
 mount_domtrans(xend_t)
@@ -242,6 +243,8 @@ xen_stream_connect_xenstore(xend_t)
 netutils_domtrans(xend_t)
+virt_read_config(xend_t)
+
 optional_policy(`
 brctl_domtrans(xend_t)
 ')
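Review bot: The added line in the krb5kdc_t hunk (-252) misspells the interface name: `miscfiles_read_geniric_certs(krb5kdc_t)` should be `miscfiles_read_generic_certs(krb5kdc_t)`, as in the kadmind_t hunk just above it. Nothing in this commit defines an interface with the misspelled name, so the policy build will most likely fail on this line, or the call will not expand to any rule. Either way the KDC domain loses the certificate read access that the removed `miscfiles_read_certs` call provided, which would show up as denials wherever the KDC reads certificates.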
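Review bot: `sys_admin` is added to the `xend_t` capability set in the -110 hunk without any comment saying which operation needs it, and it is by far the broadest capability in that list. The commit message says only that it allows xend to start. Please record the motivating denial above the rule, for example `# sys_admin: needed for <operation from the AVC denial> during xend startup`, so a later reviewer can judge whether a narrower permission would do. The xend local policy section continues outside the hunk.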
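Review bot: `virt_read_config(xend_t)` in the -242 hunk is called at top level, while the `brctl_domtrans(xend_t)` call directly below it sits inside an `optional_policy` block. If the virt module can be left out of a build (not visible from this hunk), the unconditional call makes xen.te depend on it; wrapping the call in its own `optional_policy` block, as is done for brctl, avoids that. The commit message mentions neither this grant nor `miscfiles_read_hwdata(xend_t)` from the previous hunk, so a line for each in the description would help anyone auditing what xend_t can read.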