From: russell@coker.com.au (Russell Coker)
Date: Sat, 31 Dec 2016 21:16:47 +1100
Subject: [refpolicy] boinc patch for inclusion
Message-ID: <20161231101647.hqiobvyph4rh7ckv@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Below is my final boinc patch. It runs well on several systems.
diff -ru /home/rjc/src/pol-git/policy/modules/contrib/boinc.te ./policy/modules/contrib/boinc.te
--- /home/rjc/src/pol-git/policy/modules/contrib/boinc.te 2016-11-02 14:53:37.763215655 +1100
+++ ./policy/modules/contrib/boinc.te 2016-12-31 21:14:18.482560122 +1100
@@ -85,6 +85,7 @@
kernel_read_system_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
+kernel_read_crypto_sysctls(boinc_t)
corenet_all_recvfrom_unlabeled(boinc_t)
corenet_all_recvfrom_netlabel(boinc_t)
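Review bot: the added kernel_read_crypto_sysctls(boinc_t) line comes with no justification, and the message says only that the patch runs well on several systems. Please state in the commit message which denial prompted it (the AVC record showing what boinc_t reads), so a later reader can tell whether the read is required or could be dontaudited instead.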
@@ -143,6 +144,10 @@
miscfiles_read_fonts(boinc_t)
miscfiles_read_localization(boinc_t)
+xserver_list_xdm_tmp(boinc_t)
+corenet_tcp_connect_xserver_port(boinc_t)
+xserver_non_drawing_client(boinc_t)
+
tunable_policy(`boinc_execmem',`
allow boinc_t self:process { execstack execmem };
')
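Review bot: the three X-related calls are added to boinc_t unconditionally, outside any optional_policy block. As a result boinc.te now depends on the xserver module being present, and every boinc installation, headless ones included, gains TCP connect to the X server port. Wrap xserver_list_xdm_tmp(boinc_t) and xserver_non_drawing_client(boinc_t) in an optional_policy block, and consider putting the X access behind a tunable in the same way boinc_execmem gates execstack and execmem just below. corenet_tcp_connect_xserver_port(boinc_t) would also sit more naturally with the other corenet_ calls earlier in the file. The message does not say what boinc uses the X connection for; that belongs in the commit message.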
diff -ru /home/rjc/src/pol-git/policy/modules/services/xserver.if ./policy/modules/services/xserver.if
--- /home/rjc/src/pol-git/policy/modules/services/xserver.if 2016-12-31 21:09:24.677504879 +1100
+++ ./policy/modules/services/xserver.if 2016-12-31 21:14:18.486560245 +1100
@@ -1236,6 +1236,24 @@
########################################
##
+## list xdm_tmp_t directories
+##
+##
+##
+## Domain to allow
+##
+##
+#
+interface(`xserver_list_xdm_tmp',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir list_dir_perms;
+')
+
+########################################
+##
## Execute the X server in the X server domain.
##
##
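Review bot: xserver_list_xdm_tmp allows only list_dir_perms on xdm_tmp_t:dir and gives the caller no search access to the parent directory. If xdm_tmp_t directories sit under /tmp, add files_search_tmp($1) before the allow line so the interface is usable on its own. In the doc comment, write the summary as a sentence in the style of the neighbouring "Execute the X server in the X server domain." (for example "List xdm_tmp_t directories."), and use the usual "Domain allowed access." wording for the parameter instead of "Domain to allow".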