From 03527520dec0ea8d02b91a6eca30b6c785beec5d Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sep 01 2010 13:47:50 +0000
Subject: firstboot is leaking a netlink_route socket into iptables.

We need to dontaudit tmpfs_t/devpts_t files can be stored on device_t file system unconfined_mono_t can pass file descriptors to chrome_sandbox, so need transition from all unoconfined users types Hald can connect to user processes over streams xdm_t now changes the brightness level on the system mdadm needs to manage hugetlbfs filesystems

---

diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 2c438d9..fd55ce2 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -103,6 +103,10 @@ optional_policy(`
 ')
 optional_policy(`
+ iptables_domtrans(firstboot_t)
+')
+
+optional_policy(`
 nis_use_ypbind(firstboot_t)
 ')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 7eed11d..18f3f4c 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -159,6 +159,8 @@ ifdef(`distro_suse', `
 /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/hugepages(/.*)? <>
+/dev/mqueue(/.*)? <>
 /dev/pts(/.*)? <>
 /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 30bc860..3f4cf3d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -185,6 +185,7 @@ fs_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)
 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 646bbcf..a5deade 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
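Review bot: The added `iptables_domtrans(firstboot_t)` confines the iptables run to iptables_t, but nothing in this hunk deals with the leaked netlink_route socket named in the subject; if firstboot still holds that socket open across the exec, iptables_t inherits it and the denial moves from firstboot_t to iptables_t rather than going away, so either close the descriptor before exec or add a dontaudit for the inherited descriptor alongside this transition. A one-line comment above the new block would also record the intent, e.g. `# firstboot configures the firewall; run iptables in its own domain`. The enclosing optional_policy blocks extend beyond the hunk.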
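Review bot: The label field of the two added entries shows as `<>`, which is not a valid file-context specification; the neighbouring `/dev/pts(/.*)?` entry shows the same, so this is most likely a rendering artifact of `<<none>>`, but the committed file should be checked for the literal `<<none>>`. With `<<none>>` these paths are skipped during relabeling, so the directories keep whatever label the mounted hugetlbfs and mqueue filesystems give them; presumably that is the intent, given the hugetlbfs rule added in the fstools.te hunk of this commit.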
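Review bot: The commit message says the tmpfs_t/devpts_t-on-device_t case should be dontaudited, but `dev_associate(tmpfs_t)` here (and `dev_associate(devpts_t)` in the terminal.te hunk) is, as its name and the sibling `fs_associate_tmpfs` usage suggest, an allow of filesystem associate rather than a dontaudit. If the goal is only to silence denials, an allow grants more than described; if the allow is intended because tmpfs and devpts really are mounted under /dev, the message should say so and the rule deserves a comment such as `# tmpfs and devpts can be mounted under /dev, so their files live on a device_t filesystem`.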
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+dev_associate(devpts_t)
 #
 # devtty_t is the type of /dev/tty.
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 821d0dd..177e89c 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -226,7 +226,7 @@ optional_policy(`
 ')
 optional_policy(`
- chrome_role(unconfined_r, unconfined_t)
+ chrome_role(unconfined_r, unconfined_usertype)
 ')
 optional_policy(`
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 188cd75..e72b063 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -225,6 +225,7 @@ sysnet_signal_dhcpc(hald_t)
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
+userdom_stream_connect(hald_t)
 netutils_domtrans(hald_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 60da940..4b4ddc3 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -545,7 +545,7 @@ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
 dev_rwx_zero(xdm_t)
 dev_read_rand(xdm_t)
-dev_read_sysfs(xdm_t)
+dev_rw_sysfs(xdm_t)
 dev_getattr_framebuffer_dev(xdm_t)
 dev_setattr_framebuffer_dev(xdm_t)
 dev_getattr_mouse_dev(xdm_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index f7828f1..e8dd9c8 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -120,6 +120,7 @@ fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
 fs_manage_nfs_files(fsadm_t)
 fs_manage_cifs_files(fsadm_t)
+fs_rw_hugetlbfs_files(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
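Review bot: Widening the second argument of `chrome_role` from unconfined_t to the unconfined_usertype attribute gives the chrome transition and descriptor passing to every type carrying that attribute, not just the unconfined_mono_t case the description cites; the attribute's membership is not visible in this hunk, so it is worth confirming nothing unexpected is in it. A comment above the call would record the reason, e.g. `# unconfined_mono_t and the other unconfined user types pass fds to chrome_sandbox`. The optional_policy block is complete within the hunk.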
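Review bot: `userdom_stream_connect(hald_t)` is placed directly between two userdom dontaudit rules, which obscures that it is an allow (as its name suggests, unix stream connects from hald_t to user domains' sockets) rather than another dontaudit; moving it next to the other hald allow rules, or separating it with a blank line and a comment, would make the grant visible on review. Suggested comment: `# hald connects to user processes over unix stream sockets`. The rule is unconditional, so if only one helper needs it, gating it in an optional_policy or tunable block would keep the grant narrower.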
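Review bot: Replacing `dev_read_sysfs(xdm_t)` with `dev_rw_sysfs(xdm_t)` grants xdm_t write access to all of sysfs, not just the brightness node the description mentions; sysfs carries many writable kernel tunables, so this is a considerably broader grant than the use case needs. If sysfs is labeled as a single type in this policy and no narrower interface exists, keep the rule but record why it is broad, e.g. `# xdm sets the display brightness via sysfs; sysfs is labeled as a whole, so rw covers all of it`. The surrounding dev_* rules continue outside the hunk.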
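Review bot: The description attributes this change to mdadm managing hugetlbfs filesystems, but `fs_rw_hugetlbfs_files(fsadm_t)` grants fsadm_t read/write on hugetlbfs files — not manage (create/delete), and not on an mdadm-specific domain. If mdadm runs in fsadm_t in this policy the type is right and only the verb in the message overstates the grant; if mdadm has its own domain, the rule is on the wrong type. Either way a comment would help, e.g. `# for mdadm`, matching the `# for tune2fs` style already used below.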