From ce6bf7cc233822df5dff9f22f0cd23aa5a2da707 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Aug 28 2006 02:46:20 +0000
Subject: more testing fixes


---

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 44faeed..774450e 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -90,6 +90,7 @@ interface(`term_tty',`
 	typeattribute $2 ttynode, serial_device;
 	type_change $1 tty_device_t:chr_file $2;
 
+	fs_associate($1)
 	files_associate_tmp($1)
 
 	# Debian login is from shadow utils and does not allow resetting the perms.
@@ -715,6 +716,25 @@ interface(`term_setattr_unallocated_ttys',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to set the attributes
+##	of unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_setattr_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dontaudit $1 tty_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to ioctl
 ##	unallocated tty device nodes.
 ## </summary>
@@ -776,6 +796,25 @@ interface(`term_reset_tty_labels',`
 
 ########################################
 ## <summary>
+##	Append to unallocated ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_append_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr append };
+')
+
+########################################
+## <summary>
 ##	Write to unallocated ttys.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 497652a..c2f3639 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.1.4)
+policy_module(terminal,1.1.5)
 
 ########################################
 #
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1006dc4..1b0376d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -265,6 +265,7 @@ term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
 term_dontaudit_use_generic_ptys(system_chkpwd_t)
 
 userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
 
 ########################################
 #
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index d5c66e3..542db15 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -55,14 +55,14 @@ interface(`clock_run',`
 ')
 
 ########################################
-##     <summary>
-##             Execute hwclock in the caller domain.
-##     </summary>
-##     <param name="domain">
+## <summary>
+## 	Execute hwclock in the caller domain.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##             The type of the process performing this action.
+## 	The type of the process performing this action.
 ##	</summary>
-##     </param>
+## </param>
 #
 interface(`clock_exec',`
 	gen_require(`
@@ -73,14 +73,32 @@ interface(`clock_exec',`
 ')
 
 ########################################
-##     <summary>
-##             Allow executing domain to modify clock drift
-##     </summary>
-##     <param name="domain">
+## <summary>
+##	Do not audit attempts to write clock drift adjustments.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##             The type of the process performing this action.
+##	Domain to not audit.
 ##	</summary>
-##     </param>
+## </param>
+#
+interface(`clock_dontaudit_write_adjtime',`
+	gen_require(`
+		type adjtime_t;
+	')
+
+	dontaudit $1 adjtime_t:file write;
+')
+
+########################################
+## <summary>
+##	Read and write clock drift adjustments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`clock_rw_adjtime',`
 	gen_require(`
@@ -90,4 +108,3 @@ interface(`clock_rw_adjtime',`
 	allow $1 adjtime_t:file rw_file_perms;
 	files_list_etc($1)
 ')
-
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 03d9885..8b7cef3 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,5 +1,5 @@
 
-policy_module(clock,1.0.1)
+policy_module(clock,1.0.2)
 
 ########################################
 #
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ab9d4b3..2cb9b8c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -416,6 +416,9 @@ ifdef(`distro_gentoo',`
 	# mounting tmpfs on /dev
 	fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
 
+	# init scripts touch this
+	clock_dontaudit_write_adjtime(initrc_t)
+
 	optional_policy(`
 		arpwatch_manage_data_files(initrc_t)
 	')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0c1b3ed..195a1a1 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.9)
+policy_module(logging,1.3.10)
 
 ########################################
 #
@@ -349,6 +349,13 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
 
+ifdef(`distro_gentoo',`
+	# default gentoo syslog-ng config appends kernel
+	# and high priority messages to /dev/tty12
+	term_append_unallocated_ttys(syslogd_t)
+	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
+')
+
 ifdef(`distro_suse',`
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)