Fixes for f14

policy/modules/apps/firewallgui.if

@@ -21,3 +21,21 @@ interface(`firewallgui_dbus_chat',`
 	allow $1 firewallgui_t:dbus send_msg;
 	allow firewallgui_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Read and write firewallgui unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`firewallgui_dontaudit_rw_pipes',`
+	gen_require(`
+		type firewallgui_t;
+	')
+
+	dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
+')

policy/modules/kernel/corecommands.fc

@@ -10,6 +10,7 @@
 /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/mountpoint			--	gen_context(system_u:object_r:bin_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/yash			--  gen_context(system_u:object_r:shell_exec_t,s0)

policy/modules/kernel/files.if

@@ -1442,6 +1442,24 @@ interface(`files_dontaudit_search_all_mountpoints',`
 	dontaudit $1 mountpoint:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit listing of all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_list_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	dontaudit $1 mountpoint:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Write all mount points.
@@ -3840,6 +3858,24 @@ interface(`files_relabelto_system_conf_files',`
     relabelto_files_pattern($1, system_conf_t, system_conf_t)
 ')
 
+######################################
+## <summary>
+##  Relabel manageable system configuration files in /etc.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_relabelfrom_system_conf_files',`
+    gen_require(`
+        type usr_t;
+    ')
+
+    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
 ###################################
 ## <summary>
 ##  Create files in /etc with the type used for

policy/modules/services/boinc.te

@@ -144,6 +144,7 @@ corecmd_exec_shell(boinc_project_t)
 
 corenet_tcp_connect_boinc_port(boinc_project_t)
 
+dev_read_urand(boinc_project_t)
 dev_rw_xserver_misc(boinc_project_t)
 
 files_read_etc_files(boinc_project_t)

policy/modules/services/radius.te

@@ -130,6 +130,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	samba_domtrans_winbind_helper(radiusd_t)
 	samba_read_var_files(radiusd_t)
 ')
 

policy/modules/services/samba.te

@@ -341,6 +341,7 @@ files_read_usr_files(smbd_t)
 files_search_spool(smbd_t)
 # smbd seems to getattr all mountpoints
 files_dontaudit_getattr_all_dirs(smbd_t)
+files_dontaudit_list_all_mountpoints(smbd_t)
 # Allow samba to list mnt_t for potential mounted dirs
 files_list_mnt(smbd_t)
 

policy/modules/services/virt.if

@@ -450,6 +450,24 @@ interface(`virt_read_images',`
 	')
 ')
 
+########################################
+## <summary>
+##	Allow domain to read virt blk image files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_read_blk_images',`
+	gen_require(`
+		attribute virt_image_type;
+	')
+
+	read_blk_files_pattern($1, virt_image_type, virt_image_type)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete

policy/modules/services/virt.te

@@ -288,6 +288,8 @@ files_read_etc_runtime_files(virtd_t)
 files_search_all(virtd_t)
 files_read_kernel_modules(virtd_t)
 files_read_usr_src_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
 
 # Manages /etc/sysconfig/system-config-firewall
 files_manage_system_conf_files(virtd_t)

policy/modules/system/fstools.te

@@ -189,6 +189,10 @@ optional_policy(`
 	rhgb_stub(fsadm_t)
 ')
 
+optional_policy(`
+	virt_read_blk_images(fsadm_t)
+')
+
 optional_policy(`
 	xen_append_log(fsadm_t)
 	xen_rw_image_files(fsadm_t)

policy/modules/system/modutils.te

@@ -203,6 +203,10 @@ optional_policy(`
 	firstboot_dontaudit_rw_stream_sockets(insmod_t)
 ')
 
+optional_policy(`
+	firewallgui_dontaudit_rw_pipes(insmod_t)
+')
+
 optional_policy(`
 	hal_write_log(insmod_t)
 ')