From 6dc592af521a21b1bff8b0fa590121b2015f259d Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Mon, 23 May 2016 16:08:14 -0700 Subject: [PATCH] sec-policy/selinux-virt: Allow setattr on devpts ptys and grant pipefs access Policy was blocking the modification of attributes on devpts ptys, making it impossible to enter a rkt container interactively. Fix that. In addition, pipefs access is being blocked which makes Docker unhappy. Fix that too. --- ...3-r10.ebuild => selinux-base-policy-2.20141203-r11.ebuild} | 0 ...20141203-r10.ebuild => selinux-base-2.20141203-r11.ebuild} | 0 ...03-r10.ebuild => selinux-unconfined-2.20141203-r11.ebuild} | 0 .../coreos-overlay/sec-policy/selinux-virt/files/virt.diff | 4 +++- ...20141203-r10.ebuild => selinux-virt-2.20141203-r11.ebuild} | 0 5 files changed, 3 insertions(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/{selinux-base-policy-2.20141203-r10.ebuild => selinux-base-policy-2.20141203-r11.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/{selinux-base-2.20141203-r10.ebuild => selinux-base-2.20141203-r11.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/{selinux-unconfined-2.20141203-r10.ebuild => selinux-unconfined-2.20141203-r11.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/{selinux-virt-2.20141203-r10.ebuild => selinux-virt-2.20141203-r11.ebuild} (100%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r10.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r11.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r10.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r11.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r10.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r11.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r10.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r11.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r10.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r11.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r10.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r11.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
index da447b87da..d11b4f9266 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
@@ -1,7 +1,7 @@ diff -u contrib.orig/virt.te contrib/virt.te --- modules/contrib.orig/virt.te 2016-02-20 13:18:44.670955920 -0800 +++ modules/contrib/virt.te 2016-02-20 13:22:24.186318856 -0800 -@@ -1299,3 +1299,30 @@ +@@ -1299,3 +1299,32 @@ virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) @@ -27,8 +27,10 @@ diff -u contrib.orig/virt.te contrib/virt.te +term_use_generic_ptys(svirt_lxc_net_t) +term_setattr_generic_ptys(svirt_lxc_net_t) +allow svirt_lxc_net_t tmpfs_t:chr_file { read write open }; ++allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { setattr }; +allow svirt_lxc_net_t self:capability sys_chroot; +allow svirt_lxc_net_t self:process getpgid; +allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton }; +allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans }; ++allow svirt_lxc_net_t kernel_t:fifo_file {read write open }; + diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r10.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r11.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r10.ebuild rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r11.ebuild
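Review bot: The added rule `allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { setattr };` in the second hunk grants setattr on character devices labelled with the container's own file type, not on devpts ptys as the commit message states; `term_setattr_generic_ptys(svirt_lxc_net_t)` two lines above already covers devpts_t, so this line presumably targets a pty node that carries the svirt_lxc_file_t label inside the container's /dev, and the denial it fixes should be recorded next to it, e.g. `# pty node inside the container is labelled svirt_lxc_file_t (rkt enter)`. The second added rule, `allow svirt_lxc_net_t kernel_t:fifo_file {read write open };`, is unscoped: every pipe created by a kernel_t process that reaches a container becomes readable and writable from inside it, so a comment naming the pipe Docker actually needs would keep the grant reviewable, and if the bundled refpolicy provides `kernel_rw_pipes()` that interface is preferable to a raw allow. The brace spacing `{read write open }` also differs from every other rule in the file; write `{ read write open }`.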