From 57b1b4b08d7bf9fbb0a451cd6d2e8ee5d8c2e028 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Mon, 21 Nov 2011 12:28:14 +0100
Subject: [PATCH] Add sanlock_use_nfs and sanlock_use_samba booleans

---
 policy/modules/services/sanlock.te | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
index 0c1e385d..96adff59 100644
--- a/policy/modules/services/sanlock.te
+++ b/policy/modules/services/sanlock.te
@@ -5,6 +5,20 @@ policy_module(sanlock,1.0.0)
 # Declarations
 #
 
+##
+##
+## Allow confined virtual guests to manage nfs files
+##
+##
+gen_tunable(sanlock_use_nfs, false)
+
+##
+##
+## Allow confined virtual guests to manage cifs files
+##
+##
+gen_tunable(sanlock_use_samba, false)
+
 type sanlock_t;
 type sanlock_exec_t;
 init_daemon_domain(sanlock_t, sanlock_exec_t)
@@ -61,6 +75,20 @@ init_dontaudit_write_utmp(sanlock_t)
 
 miscfiles_read_localization(sanlock_t)
 
+tunable_policy(`sanlock_use_nfs',`
+ fs_manage_nfs_dirs(sanlock_t)
+ fs_manage_nfs_files(sanlock_t)
+ fs_manage_nfs_named_sockets(sanlock_t)
+ fs_read_nfs_symlinks(sanlock_t)
+')
+
+tunable_policy(`sanlock_use_samba',`
+ fs_manage_cifs_dirs(sanlock_t)
+ fs_manage_cifs_files(sanlock_t)
+ fs_manage_cifs_named_sockets(sanlock_t)
+ fs_read_cifs_symlinks(sanlock_t)
+')
+
 optional_policy(`
  wdmd_stream_connect(sanlock_t)
 ')
--
2.47.3
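Review bot: The descriptions on both new tunables say "Allow confined virtual guests to manage nfs files" and "... cifs files", but the rules these booleans gate are granted to `sanlock_t`, not to a guest domain. This is the text an administrator reads when deciding whether to enable the boolean, so it should name the domain that gains the access: `## Allow sanlock to manage nfs files` and `## Allow sanlock to manage cifs files`. The wording looks carried over from the virt booleans, though that is inferred and not visible in this patch.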
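Review bot: Both `tunable_policy` blocks give `sanlock_t` full manage access to directories, files and named sockets on the share, and nothing in the patch shows why a lease daemon needs to create or delete directories or sockets there. NFS and CIFS mounts normally carry one filesystem-wide type, so enabling either boolean opens every such mount on the host to `sanlock_t`, not just the lease storage. I would start from the narrower `fs_rw_nfs_files(sanlock_t)` and `fs_rw_cifs_files(sanlock_t)` and widen only for denials actually observed. If the broader access is kept, add a comment above each block naming the sanlock operation that needs manage on dirs and named sockets.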