From 778df9fa9421f420cfb53b7831338f9220713b09 Mon Sep 17 00:00:00 2001
From: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Date: Thu, 24 May 2018 18:37:08 -0400
Subject: [PATCH] Fix sepgsql regression tests on fedora28

The sepgsql-regtest policy module fails to install on F28 after
neverallow fixes to libsepol. Add missing interface calls to local
module until the proper fixes are pushed to the upstream policy repo.
---
 contrib/sepgsql/sepgsql-regtest.te | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te
index e5d65243e6..bd34512609 100644
--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -28,6 +28,7 @@ postgresql_schema_object(sepgsql_regtest_invisible_schema_t);
 #
 role sepgsql_regtest_superuser_r;
 userdom_base_user_template(sepgsql_regtest_superuser)
+domain_dyntrans_type(sepgsql_regtest_superuser_t)
 userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t)
 userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t)
 userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t)
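Review bot: The added `domain_dyntrans_type(sepgsql_regtest_superuser_t)` has no comment marking it as a stopgap, although the commit message says these calls are only needed until the upstream policy is fixed. As far as I know, this interface adds the type to the set of domains permitted to change their own security context. That privilege is worth flagging in the policy source even when it is limited to regression-test types. I would put `# Workaround for libsepol neverallow checks on F28; drop once upstream policy grants this` above the line, and repeat it at the `domain_type`/`domain_dyntrans_type` additions in the later hunks. The superuser block this line belongs to starts outside the hunk.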
@@ -47,6 +48,14 @@ optional_policy(`
 	allow sepgsql_regtest_superuser_t { self sepgsql_client_type } : process { dyntransition };
 ')
 
+optional_policy(`
+	gen_require(`
+		type sepgsql_regtest_dba_t;
+	')
+
+	domain_dyntrans_type(sepgsql_regtest_dba_t)
+')
+
 # Type transition rules
 allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
 type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
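Review bot: The new `optional_policy` block pulls in `sepgsql_regtest_dba_t` through `gen_require`, yet the context line right after it, `allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };`, uses the same type unconditionally. The optional wrapper therefore does not appear to guard anything. If the type is declared in this module (the declaration is outside the hunk), a plain top-level `domain_dyntrans_type(sepgsql_regtest_dba_t)` next to that declaration would be simpler and would match how the superuser type is handled in the first hunk. If the require is needed because the type comes from a template or another module, a one-line comment saying so would make that clear.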
@@ -99,6 +108,8 @@ userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
 userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
 userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
 optional_policy(`
+	domain_type(sepgsql_regtest_user_t)
+	domain_dyntrans_type(sepgsql_regtest_user_t)
 	postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
 	postgresql_stream_connect(sepgsql_regtest_user_t)
 ')
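Review bot: `domain_type(sepgsql_regtest_user_t)` and `domain_dyntrans_type(sepgsql_regtest_user_t)` are placed inside the `optional_policy` block that exists for the `postgresql_*` calls, so they are dropped together with it whenever that block's requirements are not met. This ties a basic domain attribute to the availability of the postgresql policy. It also differs from the superuser hunk, where `domain_dyntrans_type` is called at top level. I would move the two lines above `optional_policy(`, next to the `userdom_*` calls. The same applies to the foo/var/pool additions in the hunk at -143,12 and the nosuch additions in the hunk at -170,7.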
@@ -143,12 +154,18 @@ optional_policy(`
 	gen_require(`
 		role unconfined_r;
 	')
+	domain_type(sepgsql_regtest_foo_t)
+	domain_type(sepgsql_regtest_var_t)
+	domain_dyntrans_type(sepgsql_regtest_foo_t)
+	domain_dyntrans_type(sepgsql_regtest_var_t)
 	postgresql_role(unconfined_r, sepgsql_regtest_foo_t)
 	postgresql_role(unconfined_r, sepgsql_regtest_var_t)
 	postgresql_table_object(sepgsql_regtest_foo_table_t)
 	postgresql_table_object(sepgsql_regtest_var_table_t)
 ')
 optional_policy(`
+	domain_type(sepgsql_regtest_pool_t)
+	domain_dyntrans_type(sepgsql_regtest_pool_t)
 	postgresql_stream_connect(sepgsql_regtest_pool_t)
 	postgresql_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
 ')
@@ -170,7 +187,9 @@ allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } sepgsql_regtest_pool_t:pro
 role sepgsql_regtest_nosuch_r;
 userdom_base_user_template(sepgsql_regtest_nosuch)
 optional_policy(`
-    postgresql_role(sepgsql_regtest_nosuch_r, sepgsql_regtest_nosuch_t)
+	domain_type(sepgsql_regtest_nosuch_t)
+	domain_dyntrans_type(sepgsql_regtest_nosuch_t)
+	postgresql_role(sepgsql_regtest_nosuch_r, sepgsql_regtest_nosuch_t)
 ')
 
 #
-- 
2.17.0

