authorSven Vermeulen <sven.vermeulen@siphos.be>2011-08-14 10:00:53 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2011-08-14 10:00:53 +0200
commitafe2981af00a815e3978d0b732d1cbdcc6251718 (patch)
tree56cf7495699c835f42fa1db8629f83b9ccb21668
parentThe tcpd definition depends on interfaces offered by inetd (diff)
Fix build failure with puppet module due to typeattribute constraint
-rw-r--r--sec-policy/selinux-puppet/ChangeLog5
-rw-r--r--sec-policy/selinux-puppet/Manifest6
-rw-r--r--sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch90
-rw-r--r--sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild2
4 files changed, 99 insertions, 4 deletions
diff --git a/sec-policy/selinux-puppet/ChangeLog b/sec-policy/selinux-puppet/ChangeLog
index f20f80fa..1611f65e 100644
--- a/sec-policy/selinux-puppet/ChangeLog
+++ b/sec-policy/selinux-puppet/ChangeLog
@@ -2,6 +2,11 @@
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/ChangeLog,v 1.3 2011/07/25 23:14:24 blueness Exp $
+ 14 Aug 2011; <swift@gentoo.org> +files/fix-services-puppet-r1.patch,
+ selinux-puppet-2.20110726-r1.ebuild:
+ Duplicate code so we do not hit seutil_relabelto_bin_policy which causes a
+ build failure
+
*selinux-puppet-2.20101213-r3 (25 Jul 2011)
*selinux-puppet-2.20101213-r2 (25 Jul 2011)
*selinux-puppet-2.20101213-r1 (25 Jul 2011)
diff --git a/sec-policy/selinux-puppet/Manifest b/sec-policy/selinux-puppet/Manifest
index 2aa07b36..490a2e42 100644
--- a/sec-policy/selinux-puppet/Manifest
+++ b/sec-policy/selinux-puppet/Manifest
@@ -1,5 +1,5 @@
-DIST patchbundle-selinux-base-policy-2.20110726-r1.tar.bz2 18052 RMD160 cff13706b370498cf7193d968b3bff47a718ed84 SHA1 68dbdf8366068f80b85333ecc8bbc578567218c5 SHA256 ebfb12f861447c8865e28ff5ee06ff0d89f870db3b9745c2b18558772a783023
+AUX fix-services-puppet-r1.patch 3973 RMD160 57a846facd16cb038854f0e33547d947d83c74a7 SHA1 8a91bbeb90f520a165159a71e179d26903fda347 SHA256 8aaf2cd43c38397a31bc46de77b1f91f6d4623a404dfdce9df4f10d11110408e
DIST refpolicy-2.20110726.tar.bz2 588033 RMD160 9803effffe1dbb28d52bee03432e052f4fdc8d3f SHA1 cc27b06c3f541d8f2c57c52804ab6893afcd9db2 SHA256 8159b7535aa0f805510e4e3504b1317d7083b227f0ef3df51c6f002ed70ecedb
-EBUILD selinux-puppet-2.20110726-r1.ebuild 266 RMD160 5e4739969b332c008ae3231d44ef728387d8758a SHA1 893e90adb4f39b1092860b6fe698170c6297324f SHA256 90ed9e2ad80090f2b878cbc7775cd0f52e56c545cdc1dc40fec1a17db95124c5
-MISC ChangeLog 1031 RMD160 1f254caaaba07cf970f285a78aee80bad979e57d SHA1 14b62185792e01b16c5898d4f36459b9051e5485 SHA256 5e3f7dc5e99db8b8a3e73755e398d2851f76ad19aab38b1e933a468db733f45d
+EBUILD selinux-puppet-2.20110726-r1.ebuild 298 RMD160 0179cbf76c5b3da1c3f451533e7a1df59a63d2af SHA1 d93ba35ab5a3d9820beee7c11859b3d780adec3d SHA256 4b09be1e282b63c6d51143899b4f258f73b23e5f1b339aeb7338cb218697a537
+MISC ChangeLog 1235 RMD160 e0d4aae9ba86449e1f30749905db613ac96040e7 SHA1 85bbdd679a840eda1cf93acd835fa26364d1bbaa SHA256 f6501f59e4e8facc9d65859925e299f0e9565e421ae3e704c928aba8255f8ade
MISC metadata.xml 230 RMD160 5d5194ac8c13d1c054b3df43791bb3f5544aec02 SHA1 8653f0a6bb377d4a07ff59d75e1f2694b9867c4b SHA256 29b1c0521994399dc36bdc4fac4b4b7d1169b537602be0486896018c744d96cf
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
new file mode 100644
index 00000000..1ee8cd56
--- /dev/null
+++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
@@ -0,0 +1,90 @@
+--- refpolicy-20110726/policy/modules/services/puppet.te 2011-07-26 14:10:40.000000000 +0200
++++ services/puppet.te 2011-08-14 09:59:37.005000094 +0200
+@@ -50,7 +50,7 @@
+ # Puppet personal policy
+ #
+
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config chown };
+ allow puppet_t self:process { signal signull getsched setsched };
+ allow puppet_t self:fifo_file rw_fifo_file_perms;
+ allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+@@ -77,7 +77,8 @@
+ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+ kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
++kernel_read_network_state(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
+
+@@ -130,9 +131,40 @@
+
+ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
++sysnet_use_ldap(puppet_t)
++
++usermanage_domtrans_passwd(puppet_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit puppet_t self:capability dac_read_search;
++ userdom_dontaudit_use_user_terminals(puppet_t)
++')
+
+ tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_auth_files(puppet_t)
++
++ # We should use files_relabel_all_files here, but it calls
++ # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
++ # which is not allowed within a tunable_policy.
++ # So, we duplicate the content of files_relabel_all_files except for
++ # the policy configuration stuff and hope users do that through Portage.
++
++ gen_require(`
++ attribute file_type;
++ attribute security_file_type;
++ type policy_config_t;
++ ')
++
++ allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
++ relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ # this is only relabelfrom since there should be no
++ # device nodes with file types.
++ relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ ')
+
+ optional_policy(`
+@@ -144,6 +176,15 @@
+ ')
+
+ optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
++ gentoo_init_rc_exec(puppet_t)
++ portage_run(puppet_t, system_r)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+--- refpolicy-20110726/policy/modules/services/puppet.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.fc 2011-07-27 18:25:00.571005854 +0200
+@@ -3,7 +3,9 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
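Review bot: The comment introducing the duplicated relabel block says the copy leaves out only "the policy configuration stuff", but every rule below it subtracts the whole `security_file_type` attribute in addition to `policy_config_t`, which withholds relabel rights from everything refpolicy marks as a security file, not just the binary policy. If that broader exclusion is intended, the comment should say so, e.g. `# Deliberately excludes all of security_file_type (SELinux config, shadow, ...), not only policy_config_t, since relabelto on those is guarded by neverallow assertions`; if it is not, a later reader will "correct" the code to match the comment and silently widen what the `puppet_manage_all_files` boolean grants. Since `policy_config_t` is presumably itself a `security_file_type` in refpolicy, the separate `-policy_config_t` term looks redundant and could be dropped or marked as intentional belt-and-braces. It would also help to note that this block must be re-synced with the `files_relabel_all_files` interface in refpolicy whenever the base policy is bumped, because the copy diverges from upstream otherwise.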
diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild b/sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild
index cb1152b4..d5284346 100644
--- a/sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild
+++ b/sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild
@@ -5,7 +5,7 @@ EAPI="4"
IUSE=""
MODS="puppet"
-BASEPOL="2.20110726-r1"
+POLICY_PATCH="${FILESDIR}/fix-services-puppet-r1.patch"
inherit selinux-policy-2