gentoo testing fixes.

policy/modules/admin/portage.if

@@ -173,6 +173,7 @@ interface(`portage_compile_domain',`
 	dev_read_urand($1)
 
 	domain_use_interactive_fds($1)
+	domain_dontaudit_read_all_domains_state($1)
 
 	files_exec_etc_files($1)
 	files_exec_usr_src_files($1)
@@ -222,8 +223,7 @@ interface(`portage_compile_domain',`
 #
 interface(`portage_fetch_domain',`
 
-	allow $1 self:capability dac_override;
-	dontaudit $1 self:capability { fowner fsetid };
+	allow $1 self:capability { dac_override fowner fsetid };
 	allow $1 self:process signal;
 	allow $1 self:unix_stream_socket create_socket_perms;
 	allow $1 self:tcp_socket create_stream_socket_perms;

policy/modules/admin/portage.te

@@ -1,5 +1,5 @@
 
-policy_module(portage,1.0.5)
+policy_module(portage,1.0.6)
 
 ########################################
 #
@@ -151,7 +151,7 @@ portage_main_domain(portage_t.merge)
 # if sesandbox is disabled, compiling is performed in this domain
 portage_compile_domain(portage_t.merge)
 
-allow portage_t.merge portage_t.fetch:process signal;
+allow portage_t.merge { portage_t.fetch portage_t.sandbox }:process signal;
 
 # transition for rsync and wget
 corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)

policy/modules/services/cron.fc

@@ -24,6 +24,12 @@
 /var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
 #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 /var/spool/cron/[^/]*		--	<<none>>
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+')
+
 ifdef(`distro_suse', `
 /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>

policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron,1.3.15)
+policy_module(cron,1.3.16)
 
 gen_require(`
 	class passwd rootok;
@@ -287,12 +287,13 @@ ifdef(`targeted_policy',`
 	files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
 
 	# write temporary files
-	allow system_crond_t system_crond_tmp_t:file create_file_perms;
+	allow system_crond_t system_crond_tmp_t:file manage_file_perms;
+	allow system_crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
 	files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
 
 	# write temporary files in crond tmp dir:
 	allow system_crond_t crond_tmp_t:dir rw_dir_perms;
-	type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
+	type_transition system_crond_t crond_tmp_t:{ file lnk_file } system_crond_tmp_t;
 
 	# Read from /var/spool/cron.
 	allow system_crond_t cron_spool_t:dir r_dir_perms;

policy/modules/system/logging.fc

@@ -26,10 +26,12 @@ ifdef(`distro_suse', `
 
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
-/var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
 
+ifndef(`distro_gentoo',`
+/var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+')
+
 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.13)
+policy_module(logging,1.3.14)
 
 ########################################
 #

policy/modules/system/modutils.te

@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.1.6)
+policy_module(modutils,1.1.7)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -278,6 +278,7 @@ userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
 ifdef(`distro_gentoo',`
 	files_search_pids(update_modules_t)
 	files_getattr_usr_src_files(update_modules_t)
+	files_list_isid_type_dirs(update_modules_t) # /var
 
 	optional_policy(`
 		consoletype_exec(update_modules_t)