From 794d0d5f5f718917d58197778775cd1bf98b9aab Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Sat, 29 Feb 2020 11:34:59 +0300
Subject: [PATCH] sec-policy/selinux-knot: move to upstreamed policy

---
 sec-policy/selinux-knot/Manifest | 9 +-
 sec-policy/selinux-knot/files/knot.fc | 11 --
 sec-policy/selinux-knot/files/knot.if | 108 --------------
 sec-policy/selinux-knot/files/knot.te | 141 ------------------
 ...uild => selinux-knot-2.20190609-r1.ebuild} | 5 +-
 5 files changed, 5 insertions(+), 269 deletions(-)
 delete mode 100644 sec-policy/selinux-knot/files/knot.fc
 delete mode 100644 sec-policy/selinux-knot/files/knot.if
 delete mode 100644 sec-policy/selinux-knot/files/knot.te
 rename sec-policy/selinux-knot/{selinux-knot-2.20190201-r1.ebuild => selinux-knot-2.20190609-r1.ebuild} (71%)

diff --git a/sec-policy/selinux-knot/Manifest b/sec-policy/selinux-knot/Manifest
index 8a753a8..7bb96f8 100644
--- a/sec-policy/selinux-knot/Manifest
+++ b/sec-policy/selinux-knot/Manifest
@@ -1,6 +1,3 @@
-AUX knot.fc 422 BLAKE2B 9d7602908e81ab7b72f44bd302dbd83197928a92f0eab99b7f3545bb0da1af954d02a79020e0c3a4e06867ff0d8639fbb69b8a1f1975a7fec95a59c66968db1b SHA512 dcc584755579878e700bdaec34f076626fa81e1c420d9e21bcc45daffad535c36f8d85eb746b092530e257be114111b585d8160016d22de888dd5732cac57d70
-AUX knot.if 2312 BLAKE2B 9c6bd464e233491cd0d61579e2e3a25a87106c66f27f817e245dc9075ff303736aec1d86905adfee29be6b7c5d9702d167f0fd65c090ecd131eef99cd464b225 SHA512 4d3a321c47d94f3adfc30374eafc0c543aa4276a6728fe51636641994d895487f26c2f99e08042f3ba837b1a25d999e8cb5f86933ae16f26ad2f15ce9b43ef47
-AUX knot.te 3549 BLAKE2B 08392f8f8e2e0f104d1abd75dc1961a441f6c71a67ef74e5e64e2410b5b6b41207f9ab43193fd7c7a1a93786087d09ce03ca190c74dc56d58f38c62aac66aee0 SHA512 8a4ec1e751688fe9390f5fbde740317321141bcfa3380a587d452e48461932be6367ef6670a6f0960e53021d7522bcf34a6d0551a6a87d1e27203c145ec33bda
-DIST patchbundle-selinux-base-policy-2.20190201-r1.tar.bz2 426390 BLAKE2B 33e05e03e1e087f0bf460930f074108af5fa05688f7681ba3545530d21174be7d29e9035a7bc37e9acdbe3468680891f9865ad83188eb0f8fb9b9012252d6a1e SHA512 f2855a340f4ae7ba6c4cf0ec9445de7ca20f9fc0f11783992340ca2f073bbbf2d4999190f46f3910213dd1555e9578b3609284af6a7712b401053216c004ff7e
-DIST refpolicy-2.20190201.tar.bz2 552750 BLAKE2B d3cbdf5c5f8480cd36173d8cfbd2f55a6ad4a9f2176883dcc19eece6059114ca8700d07f8bd318d0430da253bb9e4e6a6e03f7a7db8a7964c95b00452aaab040 SHA512 c6568b679ad1a7c5c566b55291e86ce3784ee609c0091e5d465d41055724d950180780c7eedb3413351101b9182db51c7bce1816db1a9a17b3257861363efc6e
-EBUILD selinux-knot-2.20190201-r1.ebuild 377 BLAKE2B 3e0e81a404c1810ddeedad0ab2af2d6db2270f85492ea39d60992cf0b0015f500b8e70dda185af2341684115adcb580e79fba76665fbe80ba0d1db3305103082 SHA512 18f8f1a16161f4f648cbd346b467bc4bb3c810d156e6ffbdc34d12d7686f08c0911484e8c5304045ae2aef49c71d9586b574f041c1fe337fbacf1d405579c5f4
+DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
+DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
+EBUILD selinux-knot-2.20190609-r1.ebuild 339 BLAKE2B 83730ffefca1589be5f7b3ed114c79ff07805ecec2148a1c74f1340860f7c1a70c6eb885b1030472d6e9a5d737c16e1c2412ade6c92e8f28d3545bedef71443d SHA512 041b9cc10e52f1862e9c4aaefe4488e3bdf817071befe3e04bc30feb8d37dd0f58093c27907a8d4928a59dd3f2a2945378d5d44f9a8f685357e34f888020238d
diff --git a/sec-policy/selinux-knot/files/knot.fc b/sec-policy/selinux-knot/files/knot.fc
deleted file mode 100644
index bbf8a35..0000000
--- a/sec-policy/selinux-knot/files/knot.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/rc\.d/init\.d/knot -- gen_context(system_u:object_r:knot_initrc_exec_t,s0)
-
-/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0)
-
-/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0)
-
-/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0)
-
-/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0)
-
-/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0)
diff --git a/sec-policy/selinux-knot/files/knot.if b/sec-policy/selinux-knot/files/knot.if
deleted file mode 100644
index 93285a9..0000000
--- a/sec-policy/selinux-knot/files/knot.if
+++ /dev/null
@@ -1,108 +0,0 @@
-## high-performance authoritative-only DNS server.
-
-########################################
-##
-## Execute knotc in the knotc domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`knot_domtrans_client',`
- gen_require(`
- type knotc_t, knotc_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, knotc_exec_t, knotc_t)
-')
-
-########################################
-##
-## Execute knotc in the knotc domain, and
-## allow the specified role the knotc domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`knot_run_client',`
- gen_require(`
- attribute_role knot_roles;
- ')
-
- knot_domtrans_client($1)
- roleattribute $2 knot_roles;
-')
-
-########################################
-##
-## Read knot config files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`knot_read_config_file',`
- gen_require(`
- type knot_conf_t;
- ')
-
- read_files_pattern($1, knot_conf_t, knot_conf_t)
- files_search_etc($1)
-')
-
-########################################
-##
-## All of the rules required to
-## administrate an knot environment.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`knot_admin',`
- gen_require(`
- type knotc_t, knotd_t, knot_conf_t, knot_initrc_exec_t;
- type knot_runtime_t, knot_tmp_t, knot_var_lib_t;
- ')
-
- allow $1 knotc_t:process signal_perms;
- allow $1 knotd_t:process { ptrace signal_perms };
- ps_process_pattern($1, knotc_t)
- ps_process_pattern($1, knotd_t)
-
- init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t)
-
- files_search_etc($1)
- admin_pattern($1, knot_conf_t)
-
- files_search_pids($1)
- admin_pattern($1, knot_runtime_t)
-
- files_search_tmp($1)
- admin_pattern($1, knot_tmp_t)
-
- files_search_var_lib($1)
- admin_pattern($1, knot_var_lib_t)
-')
diff --git a/sec-policy/selinux-knot/files/knot.te b/sec-policy/selinux-knot/files/knot.te
deleted file mode 100644
index b203f4c..0000000
--- a/sec-policy/selinux-knot/files/knot.te
+++ /dev/null
@@ -1,141 +0,0 @@
-policy_module(knot, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role knot_roles;
-
-type knotd_t;
-type knotd_exec_t;
-init_daemon_domain(knotd_t, knotd_exec_t)
-
-type knotc_t;
-type knotc_exec_t;
-application_domain(knotc_t, knotc_exec_t)
-init_daemon_domain(knotc_t, knotc_exec_t)
-role knot_roles types knotc_t;
-
-type knot_conf_t;
-files_config_file(knot_conf_t)
-
-type knot_initrc_exec_t;
-init_script_file(knot_initrc_exec_t)
-
-type knot_runtime_t;
-files_pid_file(knot_runtime_t)
-
-type knot_var_lib_t;
-files_type(knot_var_lib_t)
-
-type knot_tmp_t;
-files_tmp_file(knot_tmp_t)
-
-########################################
-#
-# knotd local policy
-#
-allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };
-allow knotd_t self:process { signal_perms getcap getsched setsched };
-allow knotd_t self:tcp_socket create_stream_socket_perms;
-allow knotd_t self:udp_socket create_socket_perms;
-allow knotd_t self:unix_stream_socket create_stream_socket_perms;
-
-corenet_tcp_bind_generic_node(knotd_t)
-corenet_udp_bind_generic_node(knotd_t)
-
-corenet_sendrecv_dns_server_packets(knotd_t)
-corenet_tcp_bind_dns_port(knotd_t)
-corenet_udp_bind_dns_port(knotd_t)
-# Slave replication
-corenet_tcp_connect_dns_port(knotd_t)
-
-kernel_read_kernel_sysctls(knotd_t)
-
-allow knotd_t knot_conf_t:file map;
-knot_read_config_file(knotd_t)
-
-manage_dirs_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
-manage_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
-manage_lnk_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
-manage_sock_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
-files_search_pids(knotd_t) ### Check it
-files_pid_filetrans(knotd_t, knot_runtime_t, dir)
-
-allow knotd_t knot_tmp_t:file map;
-allow knotd_t knot_tmp_t:file manage_file_perms;
-allow knotd_t knot_tmp_t:dir manage_dir_perms;
-files_tmp_filetrans(knotd_t, knot_tmp_t, { file dir })
-
-allow knotd_t knot_var_lib_t:file map;
-manage_dirs_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
-manage_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
-manage_lnk_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
-files_search_var_lib(knotd_t)
-files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir)
-
-files_map_etc_files(knotd_t)
-
-fs_getattr_xattr_fs(knotd_t)
-
-fs_getattr_tmpfs(knotd_t)
-
-auth_use_nsswitch(knotd_t)
-
-logging_send_syslog_msg(knotd_t)
-
-miscfiles_read_localization(knotd_t)
-
-########################################
-#
-# knotc local policy
-#
-allow knotc_t self:capability { dac_override dac_read_search };
-allow knotc_t self:process signal;
-
-stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t)
-
-allow knotc_t knot_conf_t:file map;
-knot_read_config_file(knotc_t)
-
-allow knotc_t knot_tmp_t:file map;
-allow knotc_t knot_tmp_t:file manage_file_perms;
-allow knotc_t knot_tmp_t:dir manage_dir_perms;
-files_tmp_filetrans(knotc_t, knot_tmp_t, { file dir })
-
-allow knotc_t knot_var_lib_t:file map;
-manage_dirs_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
-manage_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
-manage_lnk_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
-files_search_var_lib(knotc_t)
-
-files_read_etc_files(knotc_t)
-
-fs_getattr_tmpfs(knotc_t)
-
-domain_use_interactive_fds(knotc_t)
-
-miscfiles_read_localization(knotc_t)
-
-userdom_use_user_ptys(knotc_t)
-
-
-
-optional_policy(`
- gen_require(`
- type initrc_t;
- ')
-
- knot_read_config_file(initrc_t)
-')
-
-optional_policy(`
- gen_require(`
- role sysadm_r;
- type sysadm_t;
- ')
-
- knot_admin(sysadm_t, sysadm_r)
- knot_run_client(sysadm_t, sysadm_r)
-')
diff --git a/sec-policy/selinux-knot/selinux-knot-2.20190201-r1.ebuild b/sec-policy/selinux-knot/selinux-knot-2.20190609-r1.ebuild
similarity index 71%
rename from sec-policy/selinux-knot/selinux-knot-2.20190201-r1.ebuild
rename to sec-policy/selinux-knot/selinux-knot-2.20190609-r1.ebuild
index 9469ad7..9377e50 100644
--- a/sec-policy/selinux-knot/selinux-knot-2.20190201-r1.ebuild
+++ b/sec-policy/selinux-knot/selinux-knot-2.20190609-r1.ebuild
@@ -5,16 +5,15 @@ EAPI="5" IUSE="" MODS="knot" -POLICY_FILES="knot.te knot.fc knot.if" inherit selinux-policy-2 DESCRIPTION="SELinux policy for knot" -RDEPEND="sec-policy/selinux-base-policy" +DEPEND="sec-policy/selinux-base-policy" if [[ $PV == 9999* ]] ; then KEYWORDS="" else - KEYWORDS="amd64 x86" + KEYWORDS="~amd64 ~x86" fi
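Review bot: The added `DEPEND="sec-policy/selinux-base-policy"` is assigned after `inherit selinux-policy-2`, so under EAPI 5 it replaces whatever DEPEND the eclass set instead of extending it; the main-tree selinux-policy-2 eclass declares `>=sec-policy/selinux-base-policy-${PV}` together with checkpolicy and m4 in DEPEND, so if this overlay uses that eclass the line drops the build tools and the version bound on the base policy, and with the old `RDEPEND` line removed nothing in the ebuild itself declares the base policy as a runtime dependency of the installed module. The main-tree selinux-* ebuilds carry no DEPEND/RDEPEND line at all and rely on the eclass, so the cleanest fix is to delete the new line. If this overlay's eclass really does not set dependencies, append rather than assign, `DEPEND+=" sec-policy/selinux-base-policy"`, and keep an `RDEPEND` so the loaded module still pulls in the base policy it was built against.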