From 60f04fcb7adadd7969eaec59eff008d9ca7ee8ec Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jun 07 2010 15:08:35 +0000
Subject: Kernel patch from Dan Walsh. Add ability to dontaudit requiests to load kernel modules. If you disable ipv6 every confined app that does ip, tries to get the kernel to load the module. Better handling of unlabeled files by the kernel interfaces
---
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 0352a19..814da80 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -534,6 +534,24 @@ interface(`kernel_request_load_module',`
 ########################################
 ##
+## Do not audit requests to the kernel to load a module.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_request_load_module',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:system module_request;
+')
+
+########################################
+##
 ## Get information on all System V IPC objects.
 ##
 ##
@@ -2046,6 +2064,23 @@ interface(`kernel_mount_unlabeled',`
 allow $1 unlabeled_t:filesystem mount;
 ')
+########################################
+##
+## Unmount a kernel unlabeled filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_unmount_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:filesystem unmount;
+')
 ########################################
 ##
@@ -2195,6 +2230,24 @@ interface(`kernel_rw_unlabeled_dirs',`
 ########################################
 ##
+## Read and write unlabeled files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_rw_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:file rw_file_perms;
+')
+
+########################################
+##
 ## Do not audit attempts by caller to get the
 ## attributes of an unlabeled file.
 ##
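Review bot: The summary on the new `kernel_dontaudit_request_load_module` interface says "load a module", but `dontaudit $1 kernel_t:system module_request` silences every kernel module autoload request the domain triggers, not a particular module, and the suppressed denials are the audit-log evidence that a confined domain is asking for kernel functionality it was not granted (the ipv6 case in the commit message is one benign cause among others). I would make the summary state the scope: `##	Do not audit requests by the domain to have the kernel autoload any module (system module_request). This hides all such requests from the audit log, so use it only where kernel_request_load_module is deliberately withheld.` The body itself follows the pattern of the other dontaudit interfaces in this file.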
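Review bot: In the `kernel_unmount_unlabeled` hunk the closing `+')` is immediately followed by the context separator `########################################`, whereas the other two new interfaces in this commit end with an added blank `+` line before the next separator; unless the rendering dropped a blank line here, the new interface breaks the file's one-blank-line-between-interfaces layout. I would add the empty line after `+')` so the block matches `kernel_dontaudit_request_load_module` and `kernel_rw_unlabeled_files`. The interface itself is a straightforward counterpart to `kernel_mount_unlabeled` shown in the hunk context.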
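Review bot: The summary of `kernel_rw_unlabeled_files` ("Read and write unlabeled files") understates what `allow $1 unlabeled_t:file rw_file_perms` hands out: in refpolicy `unlabeled_t` is the fallback type for objects without a valid label, so the caller gets read and write on file content of unknown provenance rather than on a specific class of files. I would say so in the summary so callers reach for it consciously: `##	Read and write unlabeled files. unlabeled_t is the fallback type for files without a valid label, so this grants access to content of unknown origin; relabeling the files is preferable where possible.` The body mirrors the `kernel_rw_unlabeled_dirs` interface named in the hunk header, which is the right precedent.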
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 78fb6b2..b0b4617 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel, 1.12.0)
+policy_module(kernel, 1.12.1)
 ########################################
 #