From ec5d81e1ca2be8323ef55b7ed95dade892ee5e24 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 21 Mar 2011 11:23:26 -0400
Subject: [PATCH] Aisexec patch from Miroslav Grepl.

* openais needs ipc_owner and read/write user SysV sempaphores/shared memory
---
 policy/modules/services/aisexec.te  |  7 ++++--
 policy/modules/system/userdomain.if | 37 +++++++++++++++++++++++++++++
 policy/modules/system/userdomain.te |  2 +-
 3 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index 97c9cae68..7a86bf6c5 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.0.0)
+policy_module(aisexec, 1.0.1)
 
 ########################################
 #
@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
 # aisexec local policy
 #
 
-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
 allow aisexec_t self:process { setrlimit setsched signal };
 allow aisexec_t self:fifo_file rw_fifo_file_perms;
 allow aisexec_t self:sem create_sem_perms;
@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t)
 
 miscfiles_read_localization(aisexec_t)
 
+userdom_rw_unpriv_user_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
 optional_policy(`
 	ccs_stream_connect(aisexec_t)
 ')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d066c6a43..e14540bab 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
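Review bot: The `ipc_owner` capability added to the `self:capability` line in the @@ -32,7 hunk lets aisexec_t bypass the kernel's owner/permission (DAC) checks on any SysV IPC object it can reach, which is much wider than the SELinux-side access the same commit grants through `userdom_rw_unpriv_user_semaphores` and `userdom_rw_unpriv_user_shared_mem` in the @@ -81,6 hunk. The commit message says openais needs it but not why, and the .te line carries no justification, so a later maintainer cannot tell whether the capability or only the sem/shm rules were required, nor that the rw-level userdom rules are what keep its reach bounded. I would add a comment above the capability line, `# ipc_owner: openais touches SysV sem/shm created by unprivileged users under other uids` (wording to be confirmed against the actual denial), and note in it that widening the two userdom calls from rw to manage would also widen what ipc_owner can reach. The aisexec_t policy block continues outside both hunks.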
@@ -2736,6 +2736,24 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
+#######################################
+##
+##	Read and write unpriviledged user SysV sempaphores.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`userdom_rw_unpriv_user_semaphores',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
 ########################################
 ##
 ##	Manage unpriviledged user SysV sempaphores.
@@ -2754,6 +2772,25 @@ interface(`userdom_manage_unpriv_user_semaphores',`
 	allow $1 unpriv_userdomain:sem create_sem_perms;
 ')
 
+#######################################
+##
+##	Read and write unpriviledged user SysV shared
+##	memory segments.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`userdom_rw_unpriv_user_shared_mem',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:shm rw_shm_perms;
+')
+
 ########################################
 ##
 ##	Manage unpriviledged user SysV shared
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index df29ca1fc..6f99b7c2f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.5.0)
+policy_module(userdomain, 4.5.1)
 
 ########################################
 #
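Review bot: The summary of the new `userdom_rw_unpriv_user_semaphores` interface in the @@ -2736,6 hunk does not say how it differs from the adjacent `userdom_manage_unpriv_user_semaphores`, which the context shows granting `create_sem_perms`; the same applies to `userdom_rw_unpriv_user_shared_mem` in the @@ -2754,6 hunk versus the manage shared-memory interface that follows it. Assuming `rw_sem_perms`/`rw_shm_perms` are the read/write subsets without create or destroy, as their names suggest, I would extend each summary with `##	Does not allow creating or destroying the objects;` and `##	use the corresponding manage interface for that.` so callers choose the narrower interface deliberately. The banner `+#######################################` above each new interface also appears to be one `#` shorter than the existing `########################################` banners in the context lines, and the summaries carry over the file's existing `unpriviledged`/`sempaphores` spellings; both are cosmetic but cheap to fix while the blocks are new.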