diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 44faeed..774450e 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -90,6 +90,7 @@ interface(`term_tty',`
typeattribute $2 ttynode, serial_device;
type_change $1 tty_device_t:chr_file $2;
+ fs_associate($1)
files_associate_tmp($1)
# Debian login is from shadow utils and does not allow resetting the perms.
@@ -715,6 +716,25 @@ interface(`term_setattr_unallocated_ttys',`
########################################
##
+## Do not audit attempts to set the attributes
+## of unallocated tty device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_dontaudit_setattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file setattr;
+')
+
+########################################
+##
## Do not audit attempts to ioctl
## unallocated tty device nodes.
##
@@ -776,6 +796,25 @@ interface(`term_reset_tty_labels',`
########################################
##
+## Append to unallocated ttys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_append_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file { getattr append };
+')
+
+########################################
+##
## Write to unallocated ttys.
##
##
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 497652a..c2f3639 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.1.4)
+policy_module(terminal,1.1.5)
########################################
#
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1006dc4..1b0376d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -265,6 +265,7 @@ term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
term_dontaudit_use_generic_ptys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
########################################
#
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index d5c66e3..542db15 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -55,14 +55,14 @@ interface(`clock_run',`
')
########################################
-##
-## Execute hwclock in the caller domain.
-##
-##
+##
+## Execute hwclock in the caller domain.
+##
+##
##
-## The type of the process performing this action.
+## The type of the process performing this action.
##
-##
+##
#
interface(`clock_exec',`
gen_require(`
@@ -73,14 +73,32 @@ interface(`clock_exec',`
')
########################################
-##
-## Allow executing domain to modify clock drift
-##
-##
+##
+## Do not audit attempts to write clock drift adjustments.
+##
+##
##
-## The type of the process performing this action.
+## Domain to not audit.
##
-##
+##
+#
+interface(`clock_dontaudit_write_adjtime',`
+ gen_require(`
+ type adjtime_t;
+ ')
+
+ dontaudit $1 adjtime_t:file write;
+')
+
+########################################
+##
+## Read and write clock drift adjustments.
+##
+##
+##
+## Domain allowed access.
+##
+##
#
interface(`clock_rw_adjtime',`
gen_require(`
@@ -90,4 +108,3 @@ interface(`clock_rw_adjtime',`
allow $1 adjtime_t:file rw_file_perms;
files_list_etc($1)
')
-
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 03d9885..8b7cef3 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,5 +1,5 @@
-policy_module(clock,1.0.1)
+policy_module(clock,1.0.2)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ab9d4b3..2cb9b8c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -416,6 +416,9 @@ ifdef(`distro_gentoo',`
# mounting tmpfs on /dev
fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+ # init scripts touch this
+ clock_dontaudit_write_adjtime(initrc_t)
+
optional_policy(`
arpwatch_manage_data_files(initrc_t)
')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0c1b3ed..195a1a1 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.9)
+policy_module(logging,1.3.10)
########################################
#
@@ -349,6 +349,13 @@ miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
+ifdef(`distro_gentoo',`
+ # default gentoo syslog-ng config appends kernel
+ # and high priority messages to /dev/tty12
+ term_append_unallocated_ttys(syslogd_t)
+ term_dontaudit_setattr_unallocated_ttys(syslogd_t)
+')
+
ifdef(`distro_suse',`
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)