modutils patch for update-modules

update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set SOFTLEVEL environment var.  This is never used by update-modules.

Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>

policy/modules/kernel/files.if

@@ -4658,6 +4658,26 @@ interface(`files_search_var_lib',`
 	search_dirs_pattern($1, var_t, var_lib_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search the
+##	contents of /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_lib',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	dontaudit $1 var_lib_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	List the contents of the /var/lib directory.

policy/modules/system/modutils.te

@@ -303,6 +303,8 @@ ifdef(`distro_gentoo',`
 	files_search_pids(update_modules_t)
 	files_getattr_usr_src_files(update_modules_t)
 	files_list_isid_type_dirs(update_modules_t) # /var
+	files_dontaudit_search_var_lib(update_modules_t)
+	init_dontaudit_read_script_status_files(update_modules_t)
 
 	optional_policy(`
 		consoletype_exec(update_modules_t)