From d6823d337b8e74ce074d19efe9008b49743af17e Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Feb 11 2016 13:22:13 +0000 Subject: * Thu Feb 11 2016 Lukas Vrabec 3.13.1-171 - Allow setroubleshoot_fixit_t to use temporary files --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 62c4b1a..1868e25 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b31e8a4..c6d4153 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -97165,10 +97165,10 @@ index 3a9a70b..903109c 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index ce67935..24c746f 100644 +index ce67935..4985c02 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te -@@ -7,68 +7,95 @@ policy_module(setroubleshoot, 1.12.1) +@@ -7,68 +7,111 @@ policy_module(setroubleshoot, 1.12.1) type setroubleshootd_t alias setroubleshoot_t; type setroubleshootd_exec_t; @@ -97198,6 +97198,12 @@ index ce67935..24c746f 100644 +type setroubleshoot_tmpfs_t; +files_tmpfs_file(setroubleshoot_tmpfs_t) + ++type setroubleshoot_fixit_tmp_t; ++files_tmp_file(setroubleshoot_fixit_tmp_t) ++ ++type setroubleshoot_fixit_tmpfs_t; ++files_tmpfs_file(setroubleshoot_fixit_tmpfs_t) ++ ######################################## # -# Local policy @@ -97219,8 +97225,7 @@ index ce67935..24c746f 100644 +allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; + - --allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms; ++ +manage_files_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t) +manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t) +files_tmp_filetrans(setroubleshootd_t, setroubleshoot_tmp_t, { file dir }) 
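Review bot: The `@@ -97198` hunk declares both `setroubleshoot_fixit_tmp_t` and `setroubleshoot_fixit_tmpfs_t`, yet the changelog entry only says "temporary files" and cites no denial or bug number, so nothing on the page shows that tmpfs access was ever observed for the fixit domain. Giving the fixit domain its own types instead of sharing `setroubleshoot_tmp_t` is the right separation. I would still add a one-line comment above each declaration, for example `# private /tmp files created by the fixit helper`, and hold back the tmpfs type until an AVC actually calls for it. The surrounding declarations section starts and ends outside this hunk.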
@@ -97231,6 +97236,17 @@ index ce67935..24c746f 100644 +fs_tmpfs_filetrans(setroubleshootd_t, setroubleshoot_tmpfs_t, { file dir }) +allow setroubleshootd_t setroubleshoot_tmpfs_t:file mmap_file_perms; + ++manage_files_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, setroubleshoot_fixit_tmp_t) ++manage_dirs_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, setroubleshoot_fixit_tmp_t) ++files_tmp_filetrans(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, { file dir }) ++allow setroubleshoot_fixit_t setroubleshoot_fixit_tmp_t:file mmap_file_perms; + +-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms; ++manage_files_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, setroubleshoot_fixit_tmpfs_t) ++manage_dirs_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, setroubleshoot_fixit_tmpfs_t) ++fs_tmpfs_filetrans(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, { file dir }) ++allow setroubleshoot_fixit_t setroubleshoot_fixit_tmpfs_t:file mmap_file_perms; ++ +# database files +allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) @@ -97280,7 +97296,7 @@ index ce67935..24c746f 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -76,10 +103,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) +@@ -76,10 +119,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t) dev_getattr_mtrr_dev(setroubleshootd_t) @@ -97292,7 +97308,7 @@ index ce67935..24c746f 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -109,27 +135,24 @@ init_read_utmp(setroubleshootd_t) +@@ -109,27 +151,24 @@ init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) 
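Review bot: In the `@@ -97231` hunk, `allow setroubleshoot_fixit_t setroubleshoot_fixit_tmp_t:file mmap_file_perms;` and its tmpfs twin sit beside `manage_files_pattern` on the same types, so the fixit domain can write files under /tmp and tmpfs and then map them for execution. That holds if `mmap_file_perms` includes `execute`, as it does in refpolicy of this period; confirm against the tree's obj_perm_sets. Since setroubleshoot_fixit_t is presumably the helper that applies fixes with elevated rights, I would drop both mmap lines unless a logged denial requires them, and if one does, record it next to the rule as `# needed for mmap of fixit temp files, see rhbz#<BUG_ID>` (placeholder id). The new rules also land between the setroubleshootd_t tmpfs rules and `# database files`, which is the daemon's section. The file appears to have a separate fixit section, where `files_list_tmp(setroubleshoot_fixit_t)` lives, and that would be the natural home for them.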
@@ -97325,7 +97341,7 @@ index ce67935..24c746f 100644 ') optional_policy(` -@@ -137,10 +160,18 @@ optional_policy(` +@@ -137,10 +176,18 @@ optional_policy(` ') optional_policy(` @@ -97344,7 +97360,7 @@ index ce67935..24c746f 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -150,26 +181,36 @@ optional_policy(` +@@ -150,26 +197,36 @@ optional_policy(` ######################################## # @@ -97383,7 +97399,7 @@ index ce67935..24c746f 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -177,23 +218,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -177,23 +234,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 7574896..8fcf613 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 170%{?dist} +Release: 171%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -664,6 +664,9 @@ exit 0 %endif %changelog +* Thu Feb 11 2016 Lukas Vrabec 3.13.1-171 +- Allow setroubleshoot_fixit_t to use temporary files + * Wed Feb 10 2016 Lukas Vrabec 3.13.1-170 - Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334 - Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426