From 12c61f36f46852ee72e57e44e0d78ce993b03d9f Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Oct 06 2008 17:27:49 +0000
Subject: trunk: 7 patches from dan, 1 from eamon.


---

diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 0becba1..74d3726 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -15,8 +15,17 @@ role system_r types certwatch_t;
 #
 # Local policy
 #
+allow certwatch_t self:capability sys_nice;
+allow certwatch_t self:process { setsched getsched };
+
+dev_read_urand(certwatch_t)
 
 files_read_etc_files(certwatch_t)
+files_read_usr_files(certwatch_t)
+files_read_usr_symlinks(certwatch_t)
+files_list_tmp(certwatch_t)
+
+fs_list_inotifyfs(certwatch_t)
 
 libs_use_ld_so(certwatch_t)
 libs_use_shared_libs(certwatch_t)
@@ -26,8 +35,15 @@ logging_send_syslog_msg(certwatch_t)
 miscfiles_read_certs(certwatch_t)
 miscfiles_read_localization(certwatch_t)
 
-apache_exec_modules(certwatch_t)
+optional_policy(`
+	apache_exec_modules(certwatch_t)
+')
 
 optional_policy(`
 	cron_system_entry(certwatch_t, certwatch_exec_t)
 ')
+
+optional_policy(`
+	pcscd_stream_connect(certwatch_t)
+	pcscd_read_pub_files(certwatch_t)
+')
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 92c9db8..f142503 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -1,5 +1,5 @@
 
-policy_module(kismet, 1.0.2)
+policy_module(kismet, 1.0.3)
 
 ########################################
 #
@@ -26,7 +26,10 @@ logging_log_file(kismet_log_t)
 #
 
 allow kismet_t self:capability { net_admin net_raw setuid setgid };
+allow kismet_t self:fifo_file rw_file_perms;
 allow kismet_t self:packet_socket create_socket_perms;
+allow kismet_t self:unix_dgram_socket create_socket_perms;
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
 allow kismet_t kismet_log_t:dir setattr;
@@ -40,6 +43,8 @@ allow kismet_t kismet_var_run_t:file manage_file_perms;
 allow kismet_t kismet_var_run_t:dir manage_dir_perms;
 files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
 
+kernel_search_debugfs(kismet_t)
+
 corecmd_exec_bin(kismet_t)
 
 auth_use_nsswitch(kismet_t)
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 2e9ce3a..a357ed0 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
 
-policy_module(logrotate, 1.9.2)
+policy_module(logrotate, 1.9.3)
 
 ########################################
 #
@@ -97,6 +97,7 @@ files_read_usr_files(logrotate_t)
 files_read_etc_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
 files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
 # Write to /var/spool/slrnpull - should be moved into its own type.
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
@@ -167,7 +168,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mailman_exec(logrotate_t)
+	mailman_domtrans(logrotate_t)
 	mailman_search_data(logrotate_t)
 	mailman_manage_log(logrotate_t)
 ')
@@ -189,6 +190,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# cjp: why?
-	squid_domtrans(logrotate_t)
+	squid_signal(logrotate_t)
 ')
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index b0058d0..7dd85b0 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
 
-policy_module(readahead, 1.6.1)
+policy_module(readahead, 1.6.2)
 
 ########################################
 #
@@ -22,7 +22,7 @@ files_pid_file(readahead_var_run_t)
 # Local policy
 #
 
-allow readahead_t self:capability { dac_override dac_read_search };
+allow readahead_t self:capability { fowner dac_override dac_read_search };
 dontaudit readahead_t self:capability sys_tty_config;
 allow readahead_t self:process signal_perms;
 
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index afe8f9a..05cfd4e 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -48,6 +48,7 @@ interface(`vpn_run',`
 	vpn_domtrans($1)
 	role $2 types vpnc_t;
 	allow vpnc_t $3:chr_file rw_term_perms;
+	sysnet_run_ifconfig(vpnc_t, $2, $3)
 ')
 
 ########################################
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index ae69c22..06d3ab2 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
 
-policy_module(vpn, 1.8.0)
+policy_module(vpn, 1.8.1)
 
 ########################################
 #
@@ -22,9 +22,10 @@ files_pid_file(vpnc_var_run_t)
 # Local policy
 #
 
-allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
 allow vpnc_t self:process getsched;
-allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:fifo_file rw_fifo_file_perms;
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
 allow vpnc_t self:tcp_socket create_stream_socket_perms;
 allow vpnc_t self:udp_socket create_socket_perms;
 allow vpnc_t self:rawip_socket create_socket_perms;
@@ -102,7 +103,6 @@ miscfiles_read_localization(vpnc_t)
 seutil_dontaudit_search_config(vpnc_t)
 seutil_use_newrole_fds(vpnc_t)
 
-sysnet_domtrans_ifconfig(vpnc_t)
 sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 3a63d3a..bba1939 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -27,6 +27,7 @@
 /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 75524d9..2b90409 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
 
-policy_module(storage, 1.6.1)
+policy_module(storage, 1.6.2)
 
 ########################################
 #
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 18fa881..4f8acef 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -77,6 +77,9 @@ template(`xserver_common_domain_template',`
 	files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
 
 	filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
+	ifdef(`enable_mls',`
+		range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh;
+	')
 
 	manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
 	manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
@@ -95,6 +98,9 @@ template(`xserver_common_domain_template',`
 
 	# Labeling rules for default windows and colormaps
 	type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
+	ifdef(`enable_mls',`
+		range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
+	')
 
 	kernel_read_system_state($1_xserver_t)
 	kernel_read_device_sysctls($1_xserver_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f71f5c6..e132600 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver, 2.1.1)
+policy_module(xserver, 2.1.2)
 
 ########################################
 #