* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151

- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions. - Remove /usr/lib/modules/[^/]+/modules\..+ labeling - Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t. - Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
2015-10-02 19:11:32 +02:00 · 2015-10-02 19:11:32 +02:00 · 0927e3f742
commit 0927e3f742
parent 61514837cc
2 changed files with 130 additions and 94 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -10876,7 +10876,7 @@ index b876c48..03f9342 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..7c3c35b 100644
+index f962f76..9cb7e98 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -12776,19 +12776,20 @@ index f962f76..7c3c35b 100644
 ')
 
 ########################################
-@@ -4012,6 +4834,11 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4834,12 @@ interface(`files_read_kernel_modules',`
 	allow $1 modules_object_t:dir list_dir_perms;
 	read_files_pattern($1, modules_object_t, modules_object_t)
 	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
-+  
-+    # allow to read module deps because of labeling changed to modules_dep_t
+
+    # FIXME:
+    # needed for already labeled module deps by modules_dep_t
 +    optional_policy(`
-+        modutils_read_module_deps($1)
+        modutils_read_module_deps_files($1)
 +    ')
 ')
 
 ########################################
-@@ -4217,6 +5044,175 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +5045,175 @@ interface(`files_read_world_readable_sockets',`
 	allow $1 readable_t:sock_file read_sock_file_perms;
 ')
 
@ -12964,7 +12965,7 @@ index f962f76..7c3c35b 100644
 ########################################
 ## <summary>
 ##	Allow the specified type to associate
-@@ -4239,6 +5235,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5236,26 @@ interface(`files_associate_tmp',`
 
 ########################################
 ## <summary>
@ -12991,7 +12992,7 @@ index f962f76..7c3c35b 100644
 ##	Get the	attributes of the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
-@@ -4252,17 +5268,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5269,37 @@ interface(`files_getattr_tmp_dirs',`
 		type tmp_t;
 	')
 
@ -13030,7 +13031,7 @@ index f962f76..7c3c35b 100644
 ##	</summary>
 ## </param>
 #
-@@ -4289,6 +5325,8 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5326,8 @@ interface(`files_search_tmp',`
 		type tmp_t;
 	')
 
@ -13039,7 +13040,7 @@ index f962f76..7c3c35b 100644
 	allow $1 tmp_t:dir search_dir_perms;
 ')
 
-@@ -4325,6 +5363,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5364,7 @@ interface(`files_list_tmp',`
 		type tmp_t;
 	')
 
@ -13047,7 +13048,7 @@ index f962f76..7c3c35b 100644
 	allow $1 tmp_t:dir list_dir_perms;
 ')
 
-@@ -4334,7 +5373,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5374,7 @@ interface(`files_list_tmp',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -13056,7 +13057,7 @@ index f962f76..7c3c35b 100644
 ##	</summary>
 ## </param>
 #
-@@ -4346,21 +5385,41 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,14 +5386,33 @@ interface(`files_dontaudit_list_tmp',`
 	dontaudit $1 tmp_t:dir list_dir_perms;
 ')
 
@ -13073,9 +13074,8 @@ index f962f76..7c3c35b 100644
 +##  <summary>
 +##  Domain not to audit.
 +##  </summary>
- ## </param>
- #
-interface(`files_delete_tmp_dir_entry',`
+## </param>
+#
 +interface(`files_rw_generic_tmp_dir',`
 +    gen_require(`
 +        type tmp_t;
@ -13093,10 +13093,10 @@ index f962f76..7c3c35b 100644
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
-+## </param>
-+#
-+interface(`files_delete_tmp_dir_entry',`
- 	gen_require(`
+ ## </param>
+ #
+ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5420,7 @@ interface(`files_delete_tmp_dir_entry',`
 		type tmp_t;
 	')
 
@ -13104,7 +13104,7 @@ index f962f76..7c3c35b 100644
 	allow $1 tmp_t:dir del_entry_dir_perms;
 ')
 
-@@ -4402,6 +5461,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5462,32 @@ interface(`files_manage_generic_tmp_dirs',`
 
 ########################################
 ## <summary>
@ -13137,7 +13137,7 @@ index f962f76..7c3c35b 100644
 ##	Manage temporary files and directories in /tmp.
 ## </summary>
 ## <param name="domain">
-@@ -4456,6 +5541,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5542,42 @@ interface(`files_rw_generic_tmp_sockets',`
 
 ########################################
 ## <summary>
@ -13180,7 +13180,7 @@ index f962f76..7c3c35b 100644
 ##	Set the attributes of all tmp directories.
 ## </summary>
 ## <param name="domain">
-@@ -4474,6 +5595,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5596,60 @@ interface(`files_setattr_all_tmp_dirs',`
 
 ########################################
 ## <summary>
@ -13241,7 +13241,7 @@ index f962f76..7c3c35b 100644
 ##	List all tmp directories.
 ## </summary>
 ## <param name="domain">
-@@ -4519,7 +5694,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5695,7 @@ interface(`files_relabel_all_tmp_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -13250,7 +13250,7 @@ index f962f76..7c3c35b 100644
 ##	</summary>
 ## </param>
 #
-@@ -4579,7 +5754,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5755,7 @@ interface(`files_relabel_all_tmp_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -13259,7 +13259,7 @@ index f962f76..7c3c35b 100644
 ##	</summary>
 ## </param>
 #
-@@ -4611,6 +5786,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5787,44 @@ interface(`files_read_all_tmp_files',`
 
 ########################################
 ## <summary>
@ -13304,7 +13304,7 @@ index f962f76..7c3c35b 100644
 ##	Create an object in the tmp directories, with a private
 ##	type using a type transition.
 ## </summary>
-@@ -4664,6 +5877,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5878,16 @@ interface(`files_purge_tmp',`
 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
 	delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -13321,7 +13321,7 @@ index f962f76..7c3c35b 100644
 ')
 
 ########################################
-@@ -5112,6 +6335,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6336,24 @@ interface(`files_create_kernel_symbol_table',`
 
 ########################################
 ## <summary>
@ -13346,7 +13346,7 @@ index f962f76..7c3c35b 100644
 ##	Read system.map in the /boot directory.
 ## </summary>
 ## <param name="domain">
-@@ -5241,6 +6482,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6483,24 @@ interface(`files_list_var',`
 
 ########################################
 ## <summary>
@ -13371,7 +13371,7 @@ index f962f76..7c3c35b 100644
 ##	Create, read, write, and delete directories
 ##	in the /var directory.
 ## </summary>
-@@ -5328,7 +6587,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6588,7 @@ interface(`files_dontaudit_rw_var_files',`
 		type var_t;
 	')
 
@ -13380,7 +13380,7 @@ index f962f76..7c3c35b 100644
 ')
 
 ########################################
-@@ -5527,6 +6786,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6787,25 @@ interface(`files_rw_var_lib_dirs',`
 
 ########################################
 ## <summary>
@ -13406,7 +13406,7 @@ index f962f76..7c3c35b 100644
 ##	Create objects in the /var/lib directory
 ## </summary>
 ## <param name="domain">
-@@ -5596,6 +6874,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6875,25 @@ interface(`files_read_var_lib_symlinks',`
 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
 ')
 
@ -13432,7 +13432,7 @@ index f962f76..7c3c35b 100644
 # cjp: the next two interfaces really need to be fixed
 # in some way.  They really neeed their own types.
 
-@@ -5641,7 +6938,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6939,7 @@ interface(`files_manage_mounttab',`
 
 ########################################
 ## <summary>
@ -13441,7 +13441,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5649,12 +6946,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6947,13 @@ interface(`files_manage_mounttab',`
 ##	</summary>
 ## </param>
 #
@ -13457,7 +13457,7 @@ index f962f76..7c3c35b 100644
 ')
 
 ########################################
-@@ -5672,6 +6970,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6971,7 @@ interface(`files_search_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -13465,7 +13465,7 @@ index f962f76..7c3c35b 100644
 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 	search_dirs_pattern($1, var_t, var_lock_t)
 ')
-@@ -5698,7 +6997,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6998,26 @@ interface(`files_dontaudit_search_locks',`
 
 ########################################
 ## <summary>
@ -13493,7 +13493,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5706,13 +7024,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +7025,12 @@ interface(`files_dontaudit_search_locks',`
 ##	</summary>
 ## </param>
 #
@ -13510,7 +13510,7 @@ index f962f76..7c3c35b 100644
 ')
 
 ########################################
-@@ -5731,7 +7048,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7049,7 @@ interface(`files_rw_lock_dirs',`
 		type var_t, var_lock_t;
 	')
 
@ -13519,7 +13519,7 @@ index f962f76..7c3c35b 100644
 	rw_dirs_pattern($1, var_t, var_lock_t)
 ')
 
-@@ -5764,7 +7081,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7082,6 @@ interface(`files_create_lock_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -13527,7 +13527,7 @@ index f962f76..7c3c35b 100644
 #
 interface(`files_relabel_all_lock_dirs',`
 	gen_require(`
-@@ -5779,7 +7095,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7096,7 @@ interface(`files_relabel_all_lock_dirs',`
 
 ########################################
 ## <summary>
@ -13536,7 +13536,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5787,13 +7103,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7104,33 @@ interface(`files_relabel_all_lock_dirs',`
 ##	</summary>
 ## </param>
 #
@ -13571,7 +13571,7 @@ index f962f76..7c3c35b 100644
 	allow $1 var_lock_t:dir list_dir_perms;
 	getattr_files_pattern($1, var_lock_t, var_lock_t)
 ')
-@@ -5809,13 +7145,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7146,12 @@ interface(`files_getattr_generic_locks',`
 ## </param>
 #
 interface(`files_delete_generic_locks',`
@ -13589,7 +13589,7 @@ index f962f76..7c3c35b 100644
 ')
 
 ########################################
-@@ -5834,9 +7169,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7170,7 @@ interface(`files_manage_generic_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -13600,7 +13600,7 @@ index f962f76..7c3c35b 100644
 	manage_files_pattern($1, var_lock_t, var_lock_t)
 ')
 
-@@ -5878,8 +7211,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7212,7 @@ interface(`files_read_all_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -13610,7 +13610,7 @@ index f962f76..7c3c35b 100644
 	allow $1 lockfile:dir list_dir_perms;
 	read_files_pattern($1, lockfile, lockfile)
 	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7233,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7234,7 @@ interface(`files_manage_all_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -13620,7 +13620,7 @@ index f962f76..7c3c35b 100644
 	manage_dirs_pattern($1, lockfile, lockfile)
 	manage_files_pattern($1, lockfile, lockfile)
 	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7270,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7271,7 @@ interface(`files_lock_filetrans',`
 		type var_t, var_lock_t;
 	')
 
@ -13630,7 +13630,7 @@ index f962f76..7c3c35b 100644
 	filetrans_pattern($1, var_lock_t, $2, $3, $4)
 ')
 
-@@ -5979,7 +7309,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7310,7 @@ interface(`files_setattr_pid_dirs',`
 		type var_run_t;
 	')
 
@ -13639,7 +13639,7 @@ index f962f76..7c3c35b 100644
 	allow $1 var_run_t:dir setattr;
 ')
 
-@@ -5999,10 +7329,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7330,48 @@ interface(`files_search_pids',`
 		type var_t, var_run_t;
 	')
 
@ -13688,7 +13688,7 @@ index f962f76..7c3c35b 100644
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-@@ -6025,6 +7393,43 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7394,43 @@ interface(`files_dontaudit_search_pids',`
 
 ########################################
 ## <summary>
@ -13732,7 +13732,7 @@ index f962f76..7c3c35b 100644
 ##	List the contents of the runtime process
 ##	ID directories (/var/run).
 ## </summary>
-@@ -6039,7 +7444,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7445,7 @@ interface(`files_list_pids',`
 		type var_t, var_run_t;
 	')
 
@ -13741,7 +13741,7 @@ index f962f76..7c3c35b 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 ')
 
-@@ -6058,7 +7463,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7464,7 @@ interface(`files_read_generic_pids',`
 		type var_t, var_run_t;
 	')
 
@ -13750,7 +13750,7 @@ index f962f76..7c3c35b 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	read_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6078,7 +7483,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7484,7 @@ interface(`files_write_generic_pid_pipes',`
 		type var_run_t;
 	')
 
@ -13759,7 +13759,7 @@ index f962f76..7c3c35b 100644
 	allow $1 var_run_t:fifo_file write;
 ')
 
-@@ -6140,7 +7545,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7546,6 @@ interface(`files_pid_filetrans',`
 	')
 
 	allow $1 var_t:dir search_dir_perms;
@ -13767,7 +13767,7 @@ index f962f76..7c3c35b 100644
 	filetrans_pattern($1, var_run_t, $2, $3, $4)
 ')
 
-@@ -6169,6 +7573,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7574,24 @@ interface(`files_pid_filetrans_lock_dir',`
 
 ########################################
 ## <summary>
@ -13792,7 +13792,7 @@ index f962f76..7c3c35b 100644
 ##	Read and write generic process ID files.
 ## </summary>
 ## <param name="domain">
-@@ -6182,7 +7604,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7605,7 @@ interface(`files_rw_generic_pids',`
 		type var_t, var_run_t;
 	')
 
@ -13801,7 +13801,7 @@ index f962f76..7c3c35b 100644
 	list_dirs_pattern($1, var_t, var_run_t)
 	rw_files_pattern($1, var_run_t, var_run_t)
 ')
-@@ -6249,55 +7671,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7672,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
@ -13864,7 +13864,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6305,42 +7715,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7716,35 @@ interface(`files_delete_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -13914,7 +13914,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6348,18 +7751,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7752,18 @@ interface(`files_manage_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -13938,7 +13938,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6367,37 +7770,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7771,40 @@ interface(`files_mounton_all_poly_members',`
 ##	</summary>
 ## </param>
 #
@ -13990,7 +13990,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6405,18 +7811,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7812,17 @@ interface(`files_dontaudit_search_spool',`
 ##	</summary>
 ## </param>
 #
@ -14013,7 +14013,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6424,18 +7829,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7830,18 @@ interface(`files_list_spool',`
 ##	</summary>
 ## </param>
 #
@ -14037,7 +14037,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6443,19 +7848,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7849,18 @@ interface(`files_manage_generic_spool_dirs',`
 ##	</summary>
 ## </param>
 #
@ -14062,7 +14062,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6463,109 +7867,62 @@ interface(`files_read_generic_spool',`
+@@ -6463,109 +7868,62 @@ interface(`files_read_generic_spool',`
 ##	</summary>
 ## </param>
 #
@ -14193,7 +14193,7 @@ index f962f76..7c3c35b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6573,10 +7930,944 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7931,944 @@ interface(`files_polyinstantiate_all',`
 ##	</summary>
 ## </param>
 #
@ -39078,10 +39078,19 @@ index 1361961..be6b7fc 100644
 #
 # Base type for the tests directory.
 diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 9933677..0b9c20a 100644
+index 9933677..7875b79 100644
 --- a/policy/modules/system/modutils.fc
 +++ b/policy/modules/system/modutils.fc
-@@ -23,3 +23,17 @@ ifdef(`distro_gentoo',`
+@@ -10,8 +10,6 @@ ifdef(`distro_gentoo',`
+ /etc/modprobe.devfs.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
+ ')
+ 
+-/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+-
+ /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+ 
+ /sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
+@@ -23,3 +21,15 @@ ifdef(`distro_gentoo',`
 /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 
 /usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
@ -39094,16 +39103,14 @@ index 9933677..0b9c20a 100644
 +/usr/sbin/rmmod.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
 +/usr/sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 +
-+/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
-+
 +/usr/lib/modules/modprobe\.conf -- 	gen_context(system_u:object_r:modules_conf_t,s0)
 +
 +/var/run/tmpfiles.d/kmod.conf --	gen_context(system_u:object_r:insmod_var_run_t,s0)
 diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..f32a37c 100644
+index 7449974..b792900 100644
 --- a/policy/modules/system/modutils.if
 +++ b/policy/modules/system/modutils.if
-@@ -12,7 +12,7 @@
+@@ -12,11 +12,28 @@
 #
 interface(`modutils_getattr_module_deps',`
 	gen_require(`
@ -39112,7 +39119,34 @@ index 7449974..f32a37c 100644
 	')
 
 	getattr_files_pattern($1, modules_object_t, modules_dep_t)
-@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',`
+ ')
+########################################
+## <summary>
+##	Read the dependencies of kernel modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_read_module_deps_files',`
+	gen_require(`
+		type modules_dep_t;
+	')
+
+	allow $1 modules_dep_t:file read_file_perms;
+')
+ 
+ ########################################
+ ## <summary>
+@@ -34,11 +51,50 @@ interface(`modutils_read_module_deps',`
+ 	')
+ 
+ 	files_list_kernel_modules($1)
+    files_read_kernel_modules($1)
+ 	allow $1 modules_dep_t:file read_file_perms;
+ ')
 
 ########################################
 ## <summary>
@ -39157,7 +39191,7 @@ index 7449974..f32a37c 100644
 ##	Read the configuration options used when
 ##	loading modules.
 ## </summary>
-@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',`
+@@ -163,6 +219,24 @@ interface(`modutils_domtrans_insmod',`
 
 ########################################
 ## <summary>
@ -39182,7 +39216,7 @@ index 7449974..f32a37c 100644
 ##	Execute insmod in the insmod domain, and
 ##	allow the specified role the insmod domain,
 ##	and use the caller's terminal.  Has a sigchld
-@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',`
+@@ -208,6 +282,24 @@ interface(`modutils_exec_insmod',`
 	can_exec($1, insmod_exec_t)
 ')
 
@ -39207,7 +39241,7 @@ index 7449974..f32a37c 100644
 ########################################
 ## <summary>
 ##	Execute depmod in the depmod domain.
-@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -308,11 +400,18 @@ interface(`modutils_domtrans_update_mods',`
 #
 interface(`modutils_run_update_mods',`
 	gen_require(`
@ -39228,7 +39262,7 @@ index 7449974..f32a37c 100644
 ')
 
 ########################################
-@@ -333,3 +414,43 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +432,39 @@ interface(`modutils_exec_update_mods',`
 	corecmd_search_bin($1)
 	can_exec($1, update_modules_exec_t)
 ')
@ -39252,25 +39286,21 @@ index 7449974..f32a37c 100644
 +	files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
 +	files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
 +
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
-+	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
-+')
-+
-+
-+
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
+	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
 index 7a363b8..3f02a36 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 150%{?dist}
+Release: 151%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -656,6 +656,12 @@ exit 0
 %endif

 %changelog
+* Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-151
+- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
+- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
+- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
+- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
+
 * Fri Oct 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-150
 - Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
 - Clean up pkcs11proxyd policy.