[freeipa/f16] Update SELinux policy to allow ipa_kpasswd to connect ldap and read /dev/urandom. (#759679)

rcritten rcritten at fedoraproject.org
Mon Dec 5 16:51:15 UTC 2011


commit ac1bbfdbb6bdeb46496ec16ba9434079746a4d9d
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Mon Dec 5 11:50:50 2011 -0500

    Update SELinux policy to allow ipa_kpasswd to connect ldap and
    read /dev/urandom. (#759679)

 freeipa-2.1.3-kpasswd-selinux.patch |   34 ++++++++++++++++++++++++++++++++++
 freeipa.spec                        |    8 +++++++-
 2 files changed, 41 insertions(+), 1 deletions(-)
---
diff --git a/freeipa-2.1.3-kpasswd-selinux.patch b/freeipa-2.1.3-kpasswd-selinux.patch
new file mode 100644
index 0000000..4dd6233
--- /dev/null
+++ b/freeipa-2.1.3-kpasswd-selinux.patch
@@ -0,0 +1,34 @@
+From 6e81b847eecd2e91523119e041f892716aa16e9c Mon Sep 17 00:00:00 2001
+From: Evgeny Sinelnikov <sin at altlinux.ru>
+Date: Sat, 3 Dec 2011 09:44:38 +0400
+Subject: [PATCH] ipa_kpasswd: Update selinux policies for ldap and urandom
+
+Fixes: https://fedorahosted.org/freeipa/ticket/2160
+---
+ selinux/ipa_kpasswd/ipa_kpasswd.te |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.te b/selinux/ipa_kpasswd/ipa_kpasswd.te
+index 292be7b..eefb70b 100644
+--- a/selinux/ipa_kpasswd/ipa_kpasswd.te
++++ b/selinux/ipa_kpasswd/ipa_kpasswd.te
+@@ -64,6 +64,7 @@ corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
+ corenet_udp_bind_all_nodes(ipa_kpasswd_t)
+ corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
+ corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
++corenet_tcp_connect_ldap_port(ipa_kpasswd_t)
+ require {
+ 	type krb5kdc_conf_t; 
+ };
+@@ -78,3 +79,8 @@ optional_policy(`
+     corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t)
+ ')
+ 
++require {
++    type urandom_device_t;
++}
++
++allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };
+-- 
+1.7.7.3
+
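Review bot: The urandom access added at `+allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };` is written as a raw `require`/`allow` pair, while the rest of the embedded ipa_kpasswd.te change (and the surrounding `corenet_*` lines) uses refpolicy interfaces; the equivalent interface call `dev_read_urand(ipa_kpasswd_t)` grants the read_chr_file_perms set (open, read, getattr plus lock/ioctl) without hand-declaring `urandom_device_t`, and tracks the base policy if that type or permission set ever changes. The new `require { type urandom_device_t; }` block also closes with a bare `}` whereas the existing block above it (`type krb5kdc_conf_t;`) closes with `};`; I am not certain the trailing semicolon is mandatory for the policy compiler, but matching the file's existing form avoids a surprise at module build time. Note that this hunk is a patch embedded in a new file, so the enclosing ipa_kpasswd.te sections start and end outside what is visible here.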
diff --git a/freeipa.spec b/freeipa.spec
index 779f121..1127b50 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 
 Name:           freeipa
 Version:        2.1.3
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -24,6 +24,7 @@ Source0:        freeipa-%{version}.tar.gz
 Source1:        freeipa-systemd-upgrade
 Patch0:         freeipa-2.1.3-systemd.patch.gz
 Patch1:         freeipa-2.1.3-wait_for_socket.patch.gz
+Patch2:         freeipa-2.1.3-kpasswd-selinux.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
@@ -219,6 +220,7 @@ package.
 %setup -n freeipa-%{version} -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 cp %{SOURCE1} init/systemd/
 
 %build
@@ -541,6 +543,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Mon Dec  5 2011 Rob Crittenden <rcritten at redhat.com> - 2.1.3-8
+- Update SELinux policy to allow ipa_kpasswd to connect ldap and
+  read /dev/urandom. (#759679)
+
 * Wed Nov 30 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.3-7
 - Fix typo in install of freeipa-systemd-upgrade script
 

