From b84d6ec491555e8fe877e18f4cdf1f71c0e06d35 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Dec 18 2009 15:33:50 +0000
Subject: smartmon patch from Dan Walsh.
---
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 2b7ad83..fe31e1f 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -147,6 +147,24 @@ interface(`dev_add_entry_generic_dirs',`
 ########################################
 ##
+## Add entries to directories in /dev.
+##
+##
+##
+## Domain allowed to add entries.
+##
+##
+#
+interface(`dev_remove_entry_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir del_entry_dir_perms;
+')
+
+########################################
+##
 ## Create a directory in the device directory.
 ##
 ##
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 1b536ec..b3107fa 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices, 1.9.1)
+policy_module(devices, 1.9.2)
 ########################################
 #
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index a388e63..f37c658 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
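Review bot: The summary of the new dev_remove_entry_generic_dirs interface reads `## Add entries to directories in /dev.` and its parameter text `## Domain allowed to add entries.`, copied from dev_add_entry_generic_dirs, while the body grants `del_entry_dir_perms` on device_t. They should read `## Remove entries from directories in /dev.` and `## Domain allowed to remove entries.`. This interface is what lets a caller unlink nodes out of /dev, so a doc string describing it as an add permission would mislead anyone auditing which domains can remove device nodes.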
@@ -190,6 +190,44 @@ interface(`storage_raw_rw_fixed_disk',`
 ########################################
 ##
+## Allow the caller to create fixed disk device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`storage_create_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ dev_add_entry_generic_dirs($1)
+')
+
+########################################
+##
+## Allow the caller to create fixed disk device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`storage_delete_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms;
+ dev_remove_entry_generic_dirs($1)
+')
+
+########################################
+##
 ## Create, read, write, and delete fixed disk device nodes.
 ##
 ##
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index fc46c28..c926611 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
-policy_module(storage, 1.7.1)
+policy_module(storage, 1.7.2)
 ########################################
 #
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 44564d2..ebdc899 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,11 +1,19 @@
-policy_module(smartmon, 1.9.0)
+policy_module(smartmon, 1.9.1)
 ########################################
 #
 # Declarations
 #
+##
+##
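Review bot: storage_delete_fixed_disk_dev carries the summary `## Allow the caller to create fixed disk device nodes.`, duplicated from storage_create_fixed_disk_dev, although its body grants `delete_blk_file_perms` and `dev_remove_entry_generic_dirs($1)`; it should read `## Allow the caller to delete fixed disk device nodes.`. Both interfaces hand out the ability to add or unlink block nodes labeled fixed_disk_device_t, which is effectively a raw-disk path if a node is recreated with the wrong major/minor, so the two deserve distinct and accurate doc strings. It would also help callers to note in storage_create_fixed_disk_dev's summary that the domain itself must still hold the mknod capability to create a block device node, since this interface intentionally grants only the blk_file and dir permissions.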

+## Enable additional permissions needed to support
+## devices on 3ware controllers.
+##

+##
+gen_tunable(smartmon_3ware, false)
+
 type fsdaemon_t;
 type fsdaemon_exec_t;
 init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
@@ -19,14 +27,18 @@ files_pid_file(fsdaemon_var_run_t)
 type fsdaemon_tmp_t;
 files_tmp_file(fsdaemon_tmp_t)
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh)
+')
+
 ########################################
 #
 # Local policy
 #
-allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
 dontaudit fsdaemon_t self:capability sys_tty_config;
-allow fsdaemon_t self:process signal_perms;
+allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
 allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
@@ -66,6 +78,7 @@ fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
 mls_file_read_all_levels(fsdaemon_t)
+#mls_rangetrans_target(fsdaemon_t)
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
@@ -80,17 +93,27 @@ logging_send_syslog_msg(fsdaemon_t)
 miscfiles_read_localization(fsdaemon_t)
+seutil_sigchld_newrole(fsdaemon_t)
+
 sysnet_dns_name_resolve(fsdaemon_t)
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
 userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
-optional_policy(`
- mta_send_mail(fsdaemon_t)
+tunable_policy(`smartmon_3ware',`
+ allow fsdaemon_t self:process setfscreate;
+
+ storage_create_fixed_disk_dev(fsdaemon_t)
+ storage_delete_fixed_disk_dev(fsdaemon_t)
+ storage_dev_filetrans_fixed_disk(fsdaemon_t)
+
+ selinux_validate_context(fsdaemon_t)
+
+ seutil_read_file_contexts(fsdaemon_t)
 ')
 optional_policy(`
- seutil_sigchld_newrole(fsdaemon_t)
+ mta_send_mail(fsdaemon_t)
 ')
 optional_policy(`
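Review bot: The smartmon_3ware tunable description says only that it enables "additional permissions needed to support devices on 3ware controllers", which tells an administrator nothing about what is actually being granted. The tunable_policy block later in this file lets fsdaemon_t create and delete fixed-disk block device nodes in /dev and set its own file-creation context, so the description should say so, e.g. `## Allow smartd to create and delete fixed disk device nodes in /dev (needed for 3ware controllers).`. Defaulting the tunable to false is the right choice given that scope, and spelling out the privilege lets the admin make that trade-off knowingly.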
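Review bot: The added `+#mls_rangetrans_target(fsdaemon_t)` is a commented-out call with no explanation, sitting right after the MLS-only `init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh)` is introduced in an earlier hunk. Either drop the line or replace it with a comment stating why it is unnecessary; if init_ranged_daemon_domain already makes the domain a range transition target (which I cannot confirm from this diff), say `# range transition target is provided by init_ranged_daemon_domain`. Dead commented-out MLS rules are easy to mistake for a TODO during later audits.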
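Review bot: The smartmon_3ware block grants storage_create_fixed_disk_dev and storage_dev_filetrans_fixed_disk, but the domain's capability rule `allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };` contains no mknod, and the kernel requires CAP_MKNOD (mediated by SELinux as the mknod capability) before it will create a block or character device node. With the tunable on, smartd's mknod() of a 3ware device node would therefore still be denied at runtime; adding `allow fsdaemon_t self:capability mknod;` inside the tunable_policy block fixes that while keeping device-node creation off by default, which matters for a daemon that already holds sys_rawio. The setfscreate, selinux_validate_context and seutil_read_file_contexts additions suggest smartd labels the node itself; a one-line comment saying so would explain why storage_dev_filetrans_fixed_disk alone is not enough.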