diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index d6ec546..f8fad77 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1,5 +1,5 @@
##
-## Policy for kernel threads, proc filesystem,
+## Policy for kernel threads, proc filesystem,
## and unlabeled processes and objects.
##
##
@@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',`
type kernel_t;
')
- kernel_domtrans_to($1,$2)
+ kernel_domtrans_to($1, $2)
ifdef(`enable_mcs',`
range_transition kernel_t $2:process $3;
@@ -485,11 +485,30 @@ interface(`kernel_clear_ring_buffer',`
########################################
##
+## Allows caller to request the kernel to load a module
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kernel_request_load_module',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:system module_request;
+')
+
+########################################
+##
## Get information on all System V IPC objects.
##
##
##
-##
+## Domain allowed access.
##
##
#
@@ -941,6 +960,28 @@ interface(`kernel_dontaudit_getattr_core_if',`
########################################
##
+## Allows caller to read the core kernel interface.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_read_core_if',`
+ gen_require(`
+ type proc_t, proc_kcore_t;
+ attribute can_dump_kernel;
+ ')
+
+ read_files_pattern($1, proc_t, proc_kcore_t)
+ list_dirs_pattern($1, proc_t, proc_t)
+
+ typeattribute $1 can_dump_kernel;
+')
+
+########################################
+##
## Allow caller to read kernel messages
## using the /proc/kmsg interface.
##
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index faf39a5..42a4d05 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel, 1.11.0)
+policy_module(kernel, 1.11.1)
########################################
#
@@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0)
# assertion related attributes
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
+attribute can_dump_kernel;
neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
@@ -37,7 +38,7 @@ ifdef(`enable_mls',`
#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
-#
+#
type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
@@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge
# /proc kcore: inaccessible
type proc_kcore_t, proc_type;
-neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
+neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type;
@@ -248,7 +249,7 @@ corenet_send_all_packets(kernel_t)
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
-# Mount root file system. Used when loading a policy
+# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
fs_unmount_all_fs(kernel_t)
@@ -275,7 +276,7 @@ mcs_process_set_categories(kernel_t)
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
-mls_file_read_all_levels(kernel_t)
+mls_file_read_all_levels(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
@@ -309,7 +310,7 @@ optional_policy(`
allow kernel_t self:tcp_socket create_stream_socket_perms;
allow kernel_t self:udp_socket create_socket_perms;
- # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
corenet_udp_sendrecv_generic_if(kernel_t)
corenet_udp_sendrecv_generic_node(kernel_t)
@@ -326,7 +327,7 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
- rpc_udp_rw_nfs_sockets(kernel_t)
+ rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
@@ -355,7 +356,7 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(kernel_t)
+ unconfined_domain_noaudit(kernel_t)
')
########################################