srivasta@debian.org--etch/refpolicy--debian--0.0--versionfix-5 srivasta@debian.org--etch/refpolicy--debian--0.0--versionfix-8 File contexts in russell-20080929.diff In Russell's 2010-07-08 patch; the duplication was removed in the second version of that patch Fix dcc-client/dcc-common policy for Debian Many of the files in these packages are overlooked when labelling files, because refpolicy's dcc module stipulates paths not consistent with the Debian FHS layout. The files go unlabelled and dcc-client (at least) stops working. The two major problems I can see in policy/modules/services/dcc.fc are the references to /usr/libexec/dcc (daemons, placed in /usr/sbin by the Debian packages) and to /var/dcc (all sorts of things, placed under /var/lib/dcc). A side effect of the latter is that dccifd_t and probably other domains need search on var_lib_t, through which they must pass to get to /var/lib/dcc. /var/lib/dcc merged upstream shortly before r3001, removed from Debian package in 0.2.20100524-2 Index: policy/modules/services/dcc.fc =================================================================== --- policy/modules/services/dcc.fc.orig +++ policy/modules/services/dcc.fc 
@@ -5,16 +5,26 @@ /usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0) /usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0) +ifdef(`distro_redhat',` /usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) /usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) +') +ifdef(`distro_debian',` +/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) +/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) +/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) +/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) +') +ifdef(`distro_redhat',` /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - +', ` /var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) /var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) +') /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) Index: policy/modules/services/dcc.te =================================================================== --- policy/modules/services/dcc.te.orig +++ policy/modules/services/dcc.te @@ -91,6 +91,9 @@ allow cdcc_t dcc_client_map_t:file rw_file_perms; # Access files in /var/dcc. The map file can be updated +ifdef(`distro_debian',` +files_search_var_lib(cdcc_t) +') allow cdcc_t dcc_var_t:dir list_dir_perms; read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) 
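Review bot: The four daemon entries end up labelled only on `distro_redhat` (`/usr/libexec/dcc/*`) or `distro_debian` (`/usr/sbin/*`), so a build for any other distribution carries no `*_exec_t` label for `dbclean`, `dccd`, `dccifd` or `dccm`. Without that label the daemons would presumably start without transitioning into their confined domains. The second block is keyed differently: `/var/dcc` becomes Red Hat only and `/var/lib/dcc` moves into the else branch of the same `distro_redhat` test, so a Red Hat build loses the `/var/lib/dcc` labels it had as unconditional context lines before this patch. A file-context entry for a path that does not exist on a system is harmless, so I would keep the existing entries unconditional and add only the four `/usr/sbin/*` lines inside one `distro_debian` block.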
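Review bot: `files_search_var_lib(cdcc_t)` is granted only under `distro_debian`, but the dcc.fc change in this same patch labels `/var/lib/dcc` as `dcc_var_t` on every build that is not `distro_redhat`. On a third distribution the domain can therefore reach `dcc_var_t` only through a `var_lib_t` parent it is not allowed to search, unless a rule outside the visible context already covers it. The same mismatch is repeated in the hunks for `dcc_client_t`, `dcc_dbclean_t`, `dccd_t`, `dccifd_t` and `dccm_t`. Search on the parent directory is a narrow permission, so the call could be made unconditional, or at least guarded by the same condition the file contexts use.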
@@ -128,6 +131,9 @@ files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) # Access files in /var/dcc. The map file can be updated +ifdef(`distro_debian',` +files_search_var_lib(dcc_client_t) +') allow dcc_client_t dcc_var_t:dir list_dir_perms; manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) @@ -176,6 +182,9 @@ manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir }) +ifdef(`distro_debian',` +files_search_var_lib(dcc_dbclean_t) +') manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) @@ -214,6 +223,9 @@ allow dccd_t dcc_client_map_t:file rw_file_perms; # Access files in /var/dcc. The map file can be updated +ifdef(`distro_debian',` +files_search_var_lib(dccd_t) +') allow dccd_t dcc_var_t:dir list_dir_perms; read_files_pattern(dccd_t, dcc_var_t, dcc_var_t) read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) @@ -288,6 +300,9 @@ allow dccifd_t dcc_client_map_t:file rw_file_perms; # Updating dcc_db, flod, ... +ifdef(`distro_debian',` +files_search_var_lib(dccifd_t) +') manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t) manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) @@ -352,6 +367,9 @@ allow dccm_t dcc_client_map_t:file rw_file_perms; +ifdef(`distro_debian',` +files_search_var_lib(dccm_t) +') manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t) manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t) manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
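Review bot: The Debian block is inserted between the comment `# Access files in /var/dcc. The map file can be updated` and the `dcc_var_t` rules that comment describes, and the comment names a path that, per the patch description, Debian does not use. I would move the `ifdef` above the comment, or reword the comment to `# Access files in /var/dcc (/var/lib/dcc on Debian). The map file can be updated`. The same placement occurs in the `cdcc_t` and `dccd_t` hunks, and under `# Updating dcc_db, flod, ...` in the `dccifd_t` hunk. The `dcc_dbclean_t` and `dccm_t` hunks add the block with no comment at all, so a one-line `# /var/lib/dcc lives under var_lib_t on Debian` there would explain why the search permission is needed.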