From 505e217a8aac5798e5913ab7d9db12464c0a9c4a Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Fri, 13 Jan 2017 15:25:35 -0800
Subject: [PATCH] sec-policy/selinux-*: Two small updates

Ensure that containers can append to fifos so stderr works under Docker, and quieten wake_alarm AVCs.
---
 ...03-r13.ebuild => selinux-base-policy-2.20141203-r14.ebuild} | 0
 .../sec-policy/selinux-base/files/kernel_mcs.diff | 3 ++-
 ....20141203-r13.ebuild => selinux-base-2.20141203-r14.ebuild} | 0
 ...203-r13.ebuild => selinux-unconfined-2.20141203-r14.ebuild} | 0
 .../coreos-overlay/sec-policy/selinux-virt/files/virt.diff | 2 +-
 ....20141203-r13.ebuild => selinux-virt-2.20141203-r14.ebuild} | 0
 6 files changed, 3 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/{selinux-base-policy-2.20141203-r13.ebuild => selinux-base-policy-2.20141203-r14.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/{selinux-base-2.20141203-r13.ebuild => selinux-base-2.20141203-r14.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/{selinux-unconfined-2.20141203-r13.ebuild => selinux-unconfined-2.20141203-r14.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/{selinux-virt-2.20141203-r13.ebuild => selinux-virt-2.20141203-r14.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r13.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r14.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r13.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r14.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff
index 2e5c395a75..8f9cfd7e01 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff
@@ -1,7 +1,7 @@
 diff -ur refpolicy.orig/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
 --- refpolicy.orig/policy/modules/kernel/kernel.te 2015-06-24 14:05:01.160318849 -0700
 +++ refpolicy/policy/modules/kernel/kernel.te 2015-06-24 14:06:23.468516424 -0700
-@@ -442,3 +442,8 @@
+@@ -442,3 +442,9 @@
 #dev_manage_all_dev_nodes(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
 ')
@@ -10,3 +10,4 @@ diff -ur refpolicy.orig/policy/modules/kernel/kernel.te refpolicy/policy/modules
 +mcs_file_write_all(kernel_t)
 +mcs_process_set_categories(kernel_t)
 +mcs_ptrace_all(kernel_t)
++allow kernel_t self:capability2 wake_alarm;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r13.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r14.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r13.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r14.ebuild
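Review bot: `++allow kernel_t self:capability2 wake_alarm;` in the second hunk of kernel_mcs.diff grants the capability, although the commit message describes the goal as quietening the AVCs; if the denial is only log noise and nothing actually depends on the wake alarm being set, `dontaudit kernel_t self:capability2 wake_alarm;` silences the audit record without extending what kernel_t is allowed to do. If the access is genuinely needed, a short comment above the rule recording which code path arms the alarm would keep the next reader from re-asking, e.g. `# kernel_t needs CAP_WAKE_ALARM for <code path — to be confirmed>`. The inner hunk header bump from `+442,8` to `+442,9` matches the added line, so that part is consistent.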
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r13.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r14.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r13.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r14.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
index c5ed6c4128..bc321aba61 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
@@ -32,5 +32,5 @@ diff -u contrib.orig/virt.te contrib/virt.te
 +allow svirt_lxc_net_t self:process getpgid;
 +allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
 +allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
-+allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open };
++allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
 +
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r13.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r14.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r13.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r14.ebuild
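Review bot: The corrected rule `++allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };` in virt.diff still spells out the permission set by hand, which is how `append` went missing in the first place; refpolicy's `rw_fifo_file_perms` set names read/write use of a fifo in one token, so `allow svirt_lxc_net_t kernel_t:fifo_file rw_fifo_file_perms;` would be the conventional form and would not need revisiting the next time a caller uses a slightly different syscall. That set also carries `lock`, a small widening the author should confirm is acceptable before switching. A one-line comment saying where a container process meets a kernel_t-labelled fifo (the commit message points at Docker's stderr) would also help, since the rule gives no hint of that on its own.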