turnserver: update policy for the new version in Debian stretch

policy/modules/turnserver.fc

@@ -9,3 +9,5 @@
 /var/log/turn.*	--	gen_context(system_u:object_r:turnserver_var_log_t,s0)
 /var/run/turnserver(/.*)?	--	gen_context(system_u:object_r:turnserver_var_run_t,s0)
 
+/var/lib/turn(/.*)?		gen_context(system_u:object_r:turnserver_var_t,s0)
+

policy/modules/turnserver.te

@@ -1,4 +1,4 @@
-policy_module(turnserver, 0.1.8)
+policy_module(turnserver, 0.1.9)
 
 ########################################
 #
@@ -23,6 +23,8 @@ files_pid_file(turnserver_var_run_t)
 type turnserver_var_log_t;
 logging_log_file(turnserver_var_log_t)
 
+type turnserver_var_t;
+files_type(turnserver_var_t)
 
 type turnserver_tmp_t;
 files_tmp_file(turnserver_tmp_t)
@@ -34,10 +36,14 @@ files_tmp_file(turnserver_tmp_t)
 
 allow turnserver_t self:tcp_socket { bind create setopt listen };
 allow turnserver_t self:udp_socket { getopt create setopt bind };
-allow turnserver_t self:capability { setuid setgid dac_override };
+allow turnserver_t self:capability { setuid setgid };
 allow turnserver_t self:process signal;
 allow turnserver_t self:tcp_socket accept;
+allow turnserver_t self:rawip_socket { bind create listen setopt };
 
+manage_dirs_pattern(turnserver_t, turnserver_var_t, turnserver_var_t)
+manage_files_pattern(turnserver_t, turnserver_var_t, turnserver_var_t)
+type_transition turnserver_t turnserver_var_t:file turnserver_var_t;
 
 read_files_pattern(turnserver_t, turnserver_etc_t, turnserver_etc_t)
 
@@ -58,7 +64,18 @@ corenet_udp_bind_all_unreserved_ports(turnserver_t)
 
 corenet_tcp_bind_generic_node(turnserver_t)
 corenet_udp_bind_generic_node(turnserver_t)
+corenet_raw_bind_generic_node(turnserver_t)
 
 miscfiles_read_localization(turnserver_t)
 dev_read_urand(turnserver_t)
 auth_use_nsswitch(turnserver_t)
+
+kernel_request_load_module(turnserver_t)
+
+optional_policy(`
+	gen_require(`
+		type port_t;
+	')
+	allow turnserver_t port_t:rawip_socket name_bind;
+')
+