diff --git a/Changelog b/Changelog
index f32025a..0290b04 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Openct updates patch from Dan Walsh.
- Merge restorecon into setfiles.
- Patch to begin separating out hald helper programs from Dan Walsh.
- Fixes for squid, dovecot, and snmp from Dan Walsh.
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index e0ef469..2fc074c 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -19,6 +19,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
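Review bot: The new `/dev/fw.*` entry reuses usb_device_t for nodes that, by name, look like the kernel's FireWire character devices rather than USB ones, so every domain that already holds generic USB device access (dev_rw_generic_usb_dev and friends) silently gains read/write on a second, DMA-capable bus with no policy change on their side. If that sharing is intentional it deserves a comment next to the line, e.g. `# FireWire nodes; share usb_device_t until a dedicated firewire type exists`, and if it is not, a separate type would keep the two buses separately grantable. Note also that file_contexts patterns are anchored at both ends, so `/dev/fw.*` matches any node whose name merely starts with fw, not just `fw` followed by a digit; `/dev/fw[0-9]*` would be the tighter match if only the numbered nodes are meant.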
@@ -81,6 +82,8 @@ ifdef(`distro_suse', `
/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+
/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 27973bb..cd19f57 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2431,6 +2431,80 @@ interface(`dev_rw_power_management',`
########################################
##
+## Getattr on smartcard devices
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_smartcard_dev',`
+ gen_require(`
+ type smartcard_device_t;
+ ')
+
+ allow $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+##
+## dontaudit getattr on smartcard devices
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_dontaudit_getattr_smartcard_dev',`
+ gen_require(`
+ type smartcard_device_t;
+ ')
+
+ dontaudit $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+##
+## Read and write smartcard devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_smartcard',`
+ gen_require(`
+ type device_t, smartcard_device_t;
+ ')
+
+ rw_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
+########################################
+##
+## Create, read, write, and delete smartcard devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_manage_smartcard',`
+ gen_require(`
+ type device_t, smartcard_device_t;
+ ')
+
+ manage_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
+########################################
+##
## Get the attributes of sysfs directories.
##
##
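Review bot: `dev_getattr_smartcard_dev` grants only `smartcard_device_t:chr_file getattr` and nothing on the /dev directory, so a caller that does not already search device_t by other means will still be denied at the directory lookup before the getattr is ever checked; the other getattr helpers in this file appear to use the pattern macro for exactly that reason. I would write the body as `getattr_chr_files_pattern($1, device_t, smartcard_device_t)` and extend the require to `type device_t, smartcard_device_t;`, matching what `dev_rw_smartcard` and `dev_manage_smartcard` below already do. Separately, the four new interfaces mix two naming schemes (`*_smartcard_dev` for getattr/dontaudit, bare `*_smartcard` for rw/manage); picking one before callers land would avoid a rename later. The stray blank line before `')` in the first two interfaces is cosmetic but differs from the rest of the file.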
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index f7c7bc4..553a92b 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -137,6 +137,12 @@ type scanner_device_t;
dev_node(scanner_device_t)
#
+# Type for smartcards
+#
+type smartcard_device_t;
+dev_node(smartcard_device_t)
+
+#
# Type for sound devices and mixers
#
type sound_device_t;
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index bc7c840..8781fe6 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -184,6 +184,7 @@ interface(`storage_manage_fixed_disk',`
')
dev_list_all_dev_nodes($1)
+ allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
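Review bot: Adding `allow $1 self:capability mknod;` inside storage_manage_fixed_disk hands CAP_MKNOD to every existing caller of this interface, not just the domain that prompted the change, and the interface's summary (which starts outside this hunk) says nothing about capabilities, so reviewers of other modules will not expect it. CAP_MKNOD lets a domain create device nodes of arbitrary major/minor anywhere it can create files, which is a much broader grant than "manage fixed disk device nodes" and is usually given per-domain in the .te file of the one that needs it (raid.te is also touched in this patch, so `allow mdadm_t self:capability mknod;` could live there). If the capability really is inseparable from managing the nodes, the interface documentation should at least say so, e.g. `## Also grants the mknod capability needed to create the nodes.`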
diff --git a/policy/modules/services/openct.fc b/policy/modules/services/openct.fc
index 8aaadc5..58c8816 100644
--- a/policy/modules/services/openct.fc
+++ b/policy/modules/services/openct.fc
@@ -1,7 +1,8 @@
#
# /usr
#
-/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
#
# /var
diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
index 6df1a48..b947cfd 100644
--- a/policy/modules/services/openct.if
+++ b/policy/modules/services/openct.if
@@ -1 +1,95 @@
## Service for handling smart card readers.
+
+########################################
+##
+## Send openct a null signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openct_signull',`
+ gen_require(`
+ type openct_t;
+ ')
+
+ allow $1 openct_t:process signull;
+')
+
+########################################
+##
+## Execute openct in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openct_exec',`
+ gen_require(`
+ type openct_t, openct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1,openct_exec_t)
+')
+
+########################################
+##
+## Execute a domain transition to run openct.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openct_domtrans',`
+ gen_require(`
+ type openct_t, openct_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,openct_exec_t,openct_t)
+')
+
+########################################
+##
+## Read openct PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openct_read_pid_files',`
+ gen_require(`
+ type openct_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1,openct_var_run_t,openct_var_run_t)
+')
+
+########################################
+##
+## Connect to openct over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openct_stream_connect',`
+ gen_require(`
+ type openct_t, openct_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1,openct_var_run_t,openct_var_run_t,openct_t)
+')
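Review bot: `openct_exec` lists `openct_t` in its gen_require but never references it; only `openct_exec_t` is used by `can_exec`, so the require should read `type openct_exec_t;` to avoid an unnecessary dependency on the domain type for callers that only need to run the binary. The summary could also note the effect of the openct.fc change in this same patch: since `ifdhandler` is now labelled openct_exec_t too, this interface allows executing both `openct-control` and `ifdhandler` without a transition, which is worth spelling out as `## Execute openct binaries (openct-control, ifdhandler) in the caller domain.` The remaining interfaces look consistent with the stream_connect/read_files patterns used elsewhere in refpolicy.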
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 2bb27db..2e3e602 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -31,6 +31,8 @@ kernel_read_proc_symlinks(openct_t)
dev_read_sysfs(openct_t)
# openct asks for this
dev_rw_usbfs(openct_t)
+dev_rw_smartcard(openct_t)
+dev_rw_generic_usb_dev(openct_t)
domain_use_interactive_fds(openct_t)
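Review bot: The two new lines give openct_t read/write on every usb_device_t and smartcard_device_t node, and because this same patch also labels `/dev/fw.*` as usb_device_t, openct_t now reaches those FireWire nodes as well, which is probably wider than "talk to a USB smart-card reader" intends. The preceding `dev_rw_usbfs` call carries a why-comment (`# openct asks for this`), but the additions do not; a line such as `# ifdhandler drives readers over usbfs, raw USB nodes and the cmx smartcard nodes` would record the justification while the reason is still known. If only the `/dev/cmx*` readers are needed, `dev_rw_smartcard` alone may suffice and the generic USB grant could be dropped; I cannot tell from the hunk which one the daemon actually requires.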
@@ -50,6 +52,8 @@ miscfiles_read_localization(openct_t)
userdom_dontaudit_use_unpriv_user_fds(openct_t)
userdom_dontaudit_search_sysadm_home_dirs(openct_t)
+openct_exec(openct_t)
+
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(openct_t)
term_dontaudit_use_generic_ptys(openct_t)
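Review bot: `openct_exec(openct_t)` is a self-execute with no transition and no comment explaining why the daemon needs to run its own entrypoint type; the openct.fc hunk in this patch suggests the reason (openct-control presumably spawns `ifdhandler`, which now carries openct_exec_t), and that should be stated next to the call so the next maintainer does not remove it as redundant, e.g. `# openct-control runs ifdhandler, which is also labelled openct_exec_t`. This is an inference from the labelling change rather than something the hunk itself shows, so the comment should be confirmed against the daemon's behaviour before landing.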
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 9d04d41..681aa61 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -21,6 +21,7 @@ files_pid_file(pcscd_var_run_t)
#
allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:process signal;
allow pcscd_t self:fifo_file { read write };
allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
allow pcscd_t self:unix_dgram_socket create_socket_perms;
@@ -62,5 +63,11 @@ ifdef(`targeted_policy',`
')
optional_policy(`
+ openct_stream_connect(pcscd_t)
+ openct_read_pid_files(pcscd_t)
+ openct_signull(pcscd_t)
+')
+
+optional_policy(`
rpm_use_script_fds(pcscd_t)
')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 6c5a096..db4b55c 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -133,6 +133,8 @@ ifdef(`distro_gentoo',`
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/transgaming_cedega/gddb_parser.so -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -149,6 +151,7 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 3a6d102..f849f0f 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -62,7 +62,8 @@ files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
-files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir })
+manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
+files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 3ded450..59a7d69 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -46,6 +46,7 @@ fs_dontaudit_list_tmpfs(mdadm_t)
# RAID block device access
storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_read_scsi_generic(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)