diff --git a/Changelog b/Changelog
index d363eac..af9981f 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,10 @@
+- Allow semanage to read from /root on strict non-MLS for
+ local policy modules.
+- Gentoo init script fixes for udev.
+- Allow udev to read kernel modules.inputmap.
+- Dnsmasq fixes from testing.
+- Allow kernel NFS server to getattr filesystems so df can work
+ on clients.
- Patch from Matt Anderson for a MLS constraint exemption on a
file that can be written to from a subject whose range is
within the object's range.
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 6e039bd..fdd4403 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
-policy_module(logrotate,1.3.0)
+policy_module(logrotate,1.3.1)
########################################
#
@@ -118,6 +118,7 @@ seutil_dontaudit_read_config(logrotate_t)
sysnet_read_config(logrotate_t)
+userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
cron_system_entry(logrotate_t, logrotate_exec_t)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index b1ef366..e343df2 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -325,6 +325,8 @@ interface(`portage_main_domain',`
# run setfiles -r
seutil_domtrans_setfiles($1)
+ # run semodule
+ seutil_domtrans_semanage($1)
portage_domtrans_gcc_config($1)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 7369335..1523fad 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
-policy_module(portage,1.1.0)
+policy_module(portage,1.1.1)
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index ae8939f..443433a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,26 @@ interface(`fs_read_cifs_files',`
########################################
##
+## Get the attributes of filesystems that
+## do not have extended attribute support.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_getattr_noxattr_fs',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:filesystem getattr;
+')
+
+########################################
+##
## Read all noxattrfs directories.
##
##
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index eac86c5..52efe48 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.4.1)
+policy_module(filesystem,1.4.2)
########################################
#
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7f7a56e..e79caeb 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.4.0)
+policy_module(kernel,1.4.1)
########################################
#
@@ -287,6 +287,8 @@ optional_policy(`
corenet_sendrecv_portmap_client_packets(kernel_t)
corenet_sendrecv_generic_server_packets(kernel_t)
+ fs_getattr_xattr_fs(kernel_t)
+
auth_dontaudit_getattr_shadow(kernel_t)
sysnet_read_config(kernel_t)
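Review bot: The added `fs_getattr_xattr_fs(kernel_t)` at the top of this hunk carries no comment saying why the kernel domain now needs filesystem getattr, and the enclosing optional_policy block it sits in begins outside the hunk, so a reader of kernel.te cannot tell which service motivates it (the Changelog says the kernel NFS server, so df works on clients). A one-line comment such as `# NFS server: getattr exported filesystems so df works on clients` above the call would tie the rule to its purpose. The tunable-gated `fs_getattr_noxattr_fs(kernel_t)` additions in the next hunk would benefit from the same note.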
@@ -296,19 +298,21 @@ optional_policy(`
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
- fs_list_noxattr_fs(kernel_t)
- fs_read_noxattr_fs_files(kernel_t)
- fs_read_noxattr_fs_symlinks(kernel_t)
-
- auth_read_all_dirs_except_shadow(kernel_t)
- auth_read_all_files_except_shadow(kernel_t)
- auth_read_all_symlinks_except_shadow(kernel_t)
+ fs_getattr_noxattr_fs(kernel_t)
+ fs_list_noxattr_fs(kernel_t)
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+ auth_read_all_dirs_except_shadow(kernel_t)
+ auth_read_all_files_except_shadow(kernel_t)
+ auth_read_all_symlinks_except_shadow(kernel_t)
')
tunable_policy(`nfs_export_all_rw',`
- fs_list_noxattr_fs(kernel_t)
- fs_read_noxattr_fs_files(kernel_t)
- fs_read_noxattr_fs_symlinks(kernel_t)
+ fs_getattr_noxattr_fs(kernel_t)
+ fs_list_noxattr_fs(kernel_t)
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
auth_manage_all_files_except_shadow(kernel_t)
')
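Review bot: Most of this hunk is a re-indentation of the two tunable_policy bodies (L107–L121 and L124–L130) rather than a functional change; the only new access is the two `fs_getattr_noxattr_fs(kernel_t)` lines, which is easy to miss in the whitespace churn when auditing what the kernel domain gains. Keeping the indentation fix in a separate commit, or at least stating in the commit message that the bodies were reindented, would keep the reviewable delta to the added rules. The enclosing optional_policy block starts before this hunk.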
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 4dc9cc9..0575a51 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,5 +1,5 @@
-policy_module(dnsmasq,1.1.0)
+policy_module(dnsmasq,1.1.1)
########################################
#
@@ -21,9 +21,11 @@ files_pid_file(dnsmasq_var_run_t)
# Local policy
#
-allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
+allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
-allow dnsmasq_t self:process signal_perms;
+allow dnsmasq_t self:process { setcap signal_perms };
+allow dnsmasq_t self:fifo_file { read write };
+allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms;
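Review bot: The `net_admin` capability added on the first changed line is a broad privilege (routing, interface and firewall configuration) and neither the hunk nor the Changelog entry ("Dnsmasq fixes from testing") records which dnsmasq operation needs it. dnsmasq is known to keep a reduced capability set when it drops root, and the `setcap` process permission added two lines below is consistent with that; if the only observed denial came from that capability-set call rather than from a real privileged operation, `dontaudit dnsmasq_t self:capability net_admin;` may be enough to silence it without granting it — this should be checked against the AVC messages from testing. Either way a comment naming the triggering operation, e.g. `# net_admin: retained by dnsmasq in its capability set when dropping privileges`, would let the next reviewer judge whether the allow is still warranted. The `netlink_route_socket` line limiting itself to `nlmsg_read` is appropriately narrow.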
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
index 9a92dd8..9c8ea78 100644
--- a/policy/modules/system/hotplug.if
+++ b/policy/modules/system/hotplug.if
@@ -160,3 +160,21 @@ interface(`hotplug_read_config',`
allow $1 hotplug_etc_t:lnk_file r_file_perms;
')
+########################################
+##
+## Search the hotplug PIDs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hotplug_search_pids',`
+ gen_require(`
+ type hotplug_var_run_t;
+ ')
+
+ allow $1 hotplug_var_run_t:dir search_dir_perms;
+ files_search_pids($1)
+')
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 696b7b2..8207e2f 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
-policy_module(hotplug,1.3.0)
+policy_module(hotplug,1.3.1)
########################################
#
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index bfb4eaa..c6d853f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1074,6 +1074,26 @@ interface(`init_read_script_files',`
########################################
##
+## Get the attributes of init script
+## status files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ allow $1 initrc_state_t:dir search_dir_perms;
+ allow $1 initrc_state_t:file getattr;
+')
+
+########################################
+##
## Do not audit attempts to read init script
## status files.
##
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 989ffce..2b4ebea 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.4.2)
+policy_module(init,1.4.3)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 23dcfc8..9cae237 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.3.3)
+policy_module(selinuxutil,1.3.4)
ifdef(`strict_policy',`
gen_require(`
@@ -617,10 +617,13 @@ seutil_manage_default_contexts(semanage_t)
userdom_search_sysadm_home_dirs(semanage_t)
-ifdef(`targeted_policy',`
+# cjp: need a more general way to handle this:
+ifdef(`enable_mls',`
+ # read secadm tmp files
+',`
# Handle pp files created in homedir and /tmp
- files_read_generic_tmp_files(semanage_t)
- userdom_read_generic_user_home_content_files(semanage_t)
+ userdom_read_sysadm_home_content_files(semanage_t)
+ userdom_read_sysadm_tmp_files(semanage_t)
')
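Review bot: The `enable_mls` branch of the new ifdef at L241–L243 holds only the comment `# read secadm tmp files` and no rules, so MLS builds get no access here at all while non-MLS builds get the two sysadm read interfaces; a reader cannot tell whether that is a deliberate omission or unfinished work. If the MLS rules are still to be written, mark it explicitly, e.g. `# TODO: MLS builds need secadm tmp/home read rules for pp files here`, and if the empty branch is intentional say so in the comment instead. The `# cjp:` line above it reads as a personal note and would be clearer as a plain action item describing what the more general mechanism should replace.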
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index ac9d336..87555e6 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.4.0)
+policy_module(udev,1.4.1)
########################################
#
@@ -136,6 +136,8 @@ logging_send_syslog_msg(udev_t)
miscfiles_read_localization(udev_t)
modutils_domtrans_insmod(udev_t)
+# read modules.inputmap:
+modutils_read_module_deps(udev_t)
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
@@ -148,6 +150,12 @@ sysnet_domtrans_dhcpc(udev_t)
userdom_use_sysadm_ttys(udev_t)
userdom_dontaudit_search_all_users_home_content(udev_t)
+ifdef(`distro_gentoo',`
+ # during boot, init scripts use /dev/.rcsysinit
+ # existance to determine if we are in early booting
+ init_getattr_script_status_files(udev_t)
+')
+
ifdef(`distro_redhat',`
fs_manage_tmpfs_dirs(udev_t)
fs_manage_tmpfs_files(udev_t)
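Review bot: The comment on the second added line misspells "existence" (`existance`); it should read `# existence to determine if we are in early booting`. The comment also names /dev/.rcsysinit while the rule grants getattr on initrc_state_t files via `init_getattr_script_status_files(udev_t)`; if that path carries the initrc_state_t label on Gentoo, stating it (`# /dev/.rcsysinit is labeled initrc_state_t`) would connect the rule to the path for readers who do not know the file contexts — please confirm the label before adding that.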
@@ -183,6 +191,8 @@ optional_policy(`
optional_policy(`
hotplug_read_config(udev_t)
+ # usb.agent searches /var/run/usb
+ hotplug_search_pids(udev_t)
')
optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 70120a1..0532edc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4486,13 +4486,41 @@ interface(`userdom_search_sysadm_home_content_dirs',`
##
#
interface(`userdom_read_sysadm_home_content_files',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
+ ifdef(`strict_policy',`
+ gen_require(`
+ type sysadm_home_dir_t, sysadm_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
+ allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
+ ',`
+ userdom_read_generic_user_home_content_files($1)
')
+')
- files_search_home($1)
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
- allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
+########################################
+##
+## Read files in the sysadm users home directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_read_sysadm_tmp_files',`
+ ifdef(`strict_policy',`
+ gen_require(`
+ type sysadm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 sysadm_tmp_t:dir list_dir_perms;
+ allow $1 sysadm_tmp_t:{ file lnk_file } r_file_perms;
+ ',`
+ files_read_generic_tmp_files($1)
+ ')
')
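Review bot: The summary for the new `userdom_read_sysadm_tmp_files` interface at L313 reads `## Read files in the sysadm users home directory.`, which is copied from the home-content interface above it and describes the wrong type; since the body grants access to sysadm_tmp_t under `files_search_tmp($1)`, it should read `## Read sysadm user temporary files.`. The rewritten `userdom_read_sysadm_home_content_files` starts inside the hunk but its doc header is outside it. Both interfaces now fall back to the generic user-home and generic tmp interfaces when strict_policy is not defined, presumably because the sysadm types do not exist on targeted builds; a short comment on each `',\`` branch saying so, e.g. `# targeted: no sysadm types, use generic user content`, would record that the wider read scope on targeted is intended rather than accidental.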
########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 5520823..7999ffe 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.0.1)
+policy_module(userdomain,2.0.2)
gen_require(`
role sysadm_r, staff_r, user_r;