[icecream] selinux: allow the scheduler to read state via netlink route sockets

Michal Schmidt michich at fedoraproject.org
Thu Nov 27 17:18:52 UTC 2014


commit 577fbad8a6af636527f7d278b729702a65dfdb3d
Author: Michal Schmidt <mschmidt at redhat.com>
Date:   Thu Nov 27 18:04:50 2014 +0100

    selinux: allow the scheduler to read state via netlink route sockets
    
    The scheduler uses getifaddrs() to determine where to send broadcasts
    to. This needs read netlink socket access.
    
    Fixes: rhbz#1162321

 icecream.spec |    6 +++++-
 icecream.te   |    1 +
 2 files changed, 6 insertions(+), 1 deletions(-)
---
diff --git a/icecream.spec b/icecream.spec
index c96adf8..cff70bb 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -4,7 +4,7 @@
 
 Name:		icecream
 Version:	1.0.1
-Release:	8.20140822git%{?dist}
+Release:	9.20140822git%{?dist}
 Summary:	Distributed compiler
 
 Group:		Development/Tools
@@ -255,6 +255,10 @@ exit 0
 %{_libdir}/pkgconfig/icecc.pc
 
 %changelog
+* Thu Nov 27 2014 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-9.20140822git
+- selinux: allow the scheduler to read state via netlink route sockets
+- Fixes: rhbz#1162321
+
 * Fri Sep 05 2014 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-8.20140822git
 - Update to current upstream git.
 - Drops bundled minilzo, use system lzo library. (#1131794, CVE-2014-4607)
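Review bot: The new changelog entry puts the bug reference on its own item as "Fixes: rhbz#1162321", while the entry directly below cites its bugs in parentheses at the end of the item, "(#1131794, CVE-2014-4607)". Consider folding the reference into the first item in that same form so the changelog stays consistent and is easier to search.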
diff --git a/icecream.te b/icecream.te
index e6e5487..97ba564 100644
--- a/icecream.te
+++ b/icecream.te
@@ -187,6 +187,7 @@ fs_getattr_all_fs(iceccd_untrusted_t)
 
 allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
 allow icecc_scheduler_t self:udp_socket create_socket_perms;
+allow icecc_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
 
 corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
 corenet_all_recvfrom_netlabel(icecc_scheduler_t)
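Review bot: The added allow rule for netlink_route_socket carries no comment in icecream.te, so the reason for the grant lives only in the commit message. Suggest a one-line comment above it stating that the scheduler calls getifaddrs() to find its broadcast addresses (rhbz#1162321), so a later policy audit can tell why the domain holds netlink access. Using r_netlink_socket_perms and limiting the rule to icecc_scheduler_t self keeps the grant read-only and narrow, which matches the stated need.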

