trunk: 11 patches from dan.

2007-10-29 18:35:32 +00:00 · 2007-10-29 18:35:32 +00:00 · 495df41602
parent bd973e3e68
commit 495df41602
22 changed files with 448 additions and 26 deletions
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@ -1,4 +1,8 @@

 /etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound\.state		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)

 /usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@ -1,5 +1,5 @@

-policy_module(alsa,1.2.0)
+policy_module(alsa,1.2.1)

 ########################################
 #
@ -19,7 +19,7 @@ files_type(alsa_etc_rw_t)
 # Local policy
 #

-allow alsa_t self:capability { setgid setuid ipc_owner };
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
 dontaudit alsa_t self:capability sys_admin;
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
@ -28,12 +28,16 @@ allow alsa_t self:unix_dgram_socket create_socket_perms;

 manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
+files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)

+kernel_read_system_state(alsa_t)
+
+dev_read_sound(alsa_t)
+dev_write_sound(alsa_t)
+
+files_search_home(alsa_t)
 files_read_etc_files(alsa_t)

-term_use_generic_ptys(alsa_t)
-term_dontaudit_use_unallocated_ttys(alsa_t)
-
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)

@ -43,7 +47,13 @@ miscfiles_read_localization(alsa_t)

 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
+userdom_search_generic_user_home_dirs(alsa_t)

 optional_policy(`
 	nscd_socket_use(alsa_t)
 ')
+
+optional_policy(`
+	hal_use_fds(alsa_t)
+	hal_write_log(alsa_t)
+')
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@ -36,6 +36,11 @@ ifdef(`distro_redhat',`
 /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)

+/etc/cron.daily/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.hourly/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.weekly/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.monthly/.*		--	gen_context(system_u:object_r:bin_t,s0)
+
 /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
@ -164,6 +169,7 @@ ifdef(`distro_gentoo',`

 /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Brother/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)?      gen_context(system_u:object_r:bin_t,s0)

 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)

@ -187,6 +193,10 @@ ifdef(`distro_gentoo', `
 ')

 ifdef(`distro_redhat', `
+/etc/gdm/XKeepsCrashing[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
+
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@ -1,5 +1,5 @@

-policy_module(corecommands,1.8.2)
+policy_module(corecommands,1.8.3)

 ########################################
 #
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@ -867,9 +867,11 @@ interface(`corenet_udp_sendrecv_generic_port',`
 interface(`corenet_tcp_bind_generic_port',`
 	gen_require(`
 		type port_t;
+		attribute port_type;
 	')

 	allow $1 port_t:tcp_socket name_bind;
+	dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
 ')

 ########################################
@ -903,9 +905,11 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
 interface(`corenet_udp_bind_generic_port',`
 	gen_require(`
 		type port_t;
+		attribute port_type;
 	')

 	allow $1 port_t:udp_socket name_bind;
+	dontaudit $1 { port_type -port_t }:udp_socket name_bind;
 ')

 ########################################
@ -1447,6 +1451,43 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
 	dontaudit $1 reserved_port_type:tcp_socket name_connect;
 ')

+########################################
+## <summary>
+##      Connect TCP sockets to rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to connect TCP sockets
+##	all rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:tcp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the TUN/TAP virtual network device.
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@

-policy_module(corenetwork,1.2.12)
+policy_module(corenetwork,1.2.13)

 ########################################
 #
@ -54,6 +54,11 @@ sid port gen_context(system_u:object_r:port_t,s0)
 #
 type reserved_port_t, port_type, reserved_port_type;

+#
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
 #
 # server_packet_t is the default type of IPv4 and IPv6 server packets.
 #
@ -67,7 +72,7 @@ network_port(afs_vl, udp,7003,s0)
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
-network_port(aol, tcp,5190,s0, udp,5190,s0)
+network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
@ -94,12 +99,13 @@ network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
 network_port(ipp, tcp,631,s0, udp,631,s0)
+network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(ircd, tcp,6667,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
@ -109,14 +115,15 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
-network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(monopd, tcp,1234,s0)
-network_port(mysqld, tcp,3306,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
+portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
@ -149,7 +156,7 @@ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
 network_port(spamd, tcp,783,s0)
 network_port(ssh, tcp,22,s0)
-network_port(soundd, tcp,8000,s0, tcp,9433,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
 network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
@ -163,16 +170,21 @@ network_port(transproxy, tcp,8081,s0)
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
+network_port(wccp, udp,2048,s0)
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
-network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
 network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
 network_port(zope, tcp,8021,s0)

 # Defaults for reserved ports.  Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.
-portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
+
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)

 ########################################
 #
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@ -98,6 +98,7 @@ ifdef(`distro_suse', `
 /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/uinput	-c	gen_context(system_u:object_r:event_device_t,s0)

 /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)

--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -161,6 +161,7 @@ interface(`dev_create_generic_dirs',`
 		type device_t;
 	')

+	allow $1 device_t:dir list_dir_perms;
 	create_dirs_pattern($1,device_t,device_t)
 ')

@ -1303,6 +1304,44 @@ interface(`dev_manage_dri_dev',`
 	filetrans_pattern($1,device_t,dri_device_t,chr_file)
 ')

+########################################
+## <summary>
+##	Get the attributes of the event devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_input_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 event_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the event devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_input_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 event_device_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read input event devices (/dev/input).
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@

-policy_module(devices,1.6.0)
+policy_module(devices,1.6.1)

 ########################################
 #
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@ -45,6 +45,12 @@ interface(`domain_type',`
 	# start with basic domain
 	domain_base_type($1)

+	ifdef(`distro_redhat',`
+		optional_policy(`
+			unconfined_use_fds($1)
+		')
+	')
+
 	# send init a sigchld and signull
 	optional_policy(`
 		init_sigchld($1)
@ -59,6 +65,7 @@ interface(`domain_type',`
 	')

 	optional_policy(`
+		selinux_dontaudit_getattr_fs($1)
 		selinux_dontaudit_read_fs($1)
 	')

@ -1270,3 +1277,21 @@ interface(`domain_mmap_low',`

 	typeattribute $1 mmap_low_domain_type;
 ')
+
+########################################
+## <summary>
+##	Allow specified type to associate ipsec packets from any domain
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type of subject to be allowed this.
+##	</summary>
+## </param>
+#
+interface(`domain_ipsec_labels',`
+	gen_require(`
+		attribute domain;
+ 	')
+ 
+	allow $1 domain:association { sendto recvfrom };
+')
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@ -1,5 +1,5 @@

-policy_module(domain,1.4.1)
+policy_module(domain,1.4.2)

 ########################################
 #
@ -80,6 +80,11 @@ allow domain self:dir list_dir_perms;
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
 allow domain self:file rw_file_perms;
 kernel_read_proc_symlinks(domain)
+# Every domain gets the key ring, so we should default
+# to no one allowed to look at it; afs kernel support creates
+# a keyring
+kernel_dontaudit_search_key(domain)
+kernel_dontaudit_link_key(domain)

 # create child processes in the domain
 allow domain self:process { fork sigchld };
@ -104,6 +109,12 @@ optional_policy(`
 	setrans_translate_context(domain)
 ')

+# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
+optional_policy(`
+	xserver_dontaudit_use_xdm_fds(domain)
+	xserver_dontaudit_rw_xdm_pipes(domain)
+')
+
 ########################################
 #
 # Unconfined access to this module
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@ -209,7 +209,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>

-/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+/usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)

 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -1104,6 +1104,24 @@ interface(`files_getattr_all_mountpoints',`
 	allow $1 mountpoint:dir getattr;
 ')

+########################################
+## <summary>
+##	Search all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	List the contents of the root directory.
@ -1123,6 +1141,25 @@ interface(`files_list_root',`
 	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
 ')

+########################################
+## <summary>
+##	Do not audit attempts to write
+##	files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_root_dir',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:dir rw_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create an object in the root directory, with a private
@ -3105,6 +3142,24 @@ interface(`files_read_generic_tmp_files',`
 	read_files_pattern($1,tmp_t,tmp_t)
 ')

+########################################
+## <summary>
+##	Manage temporary directories in /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_tmp_dirs',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	manage_dirs_pattern($1,tmp_t,tmp_t)
+')
+
 ########################################
 ## <summary>
 ##	Manage temporary files and directories in /tmp.
@ -3196,6 +3251,44 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
 	dontaudit $1 tmpfile:file getattr;
 ')

+########################################
+## <summary>
+##	Allow attempts to get the attributes
+##	of all tmp files. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_tmp_files',`
+	gen_require(`
+		attribute tmpfile;
+	')
+
+	allow $1 tmpfile:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all tmp sock_file. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmp_sockets',`
+	gen_require(`
+		attribute tmpfile;
+	')
+
+	dontaudit $1 tmpfile:sock_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read all tmp files.
@ -3321,6 +3414,24 @@ interface(`files_rw_usr_dirs',`
 	allow $1 usr_t:dir rw_dir_perms;
 ')

+########################################
+## <summary>
+##	dontaudit Add and remove entries from /usr directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	dontaudit $1 usr_t:dir rw_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of files in /usr.
@ -3415,6 +3526,24 @@ interface(`files_relabelto_usr_files',`
 	relabelto_files_pattern($1,usr_t,usr_t)
 ')

+########################################
+## <summary>
+##	Relabel a file from the type used in /usr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelfrom_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	relabelfrom_files_pattern($1,usr_t,usr_t)
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links in /usr.
@ -4582,6 +4711,15 @@ interface(`files_polyinstantiate_all',`
 	# Default type for mountpoints
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)
+
+	ifdef(`distro_redhat',`
+		# namespace.init
+		files_search_home($1)
+		corecmd_exec_bin($1)
+		seutil_domtrans_setfiles($1)
+		fs_mount_tmpfs($1)
+		fs_unmount_tmpfs($1)
+	')
 ')

 ########################################
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@ -1,5 +1,5 @@

-policy_module(files,1.7.2)
+policy_module(files,1.7.3)

 ########################################
 #
@ -188,6 +188,7 @@ allow file_type self:filesystem associate;
 fs_associate(file_type)
 fs_associate_noxattr(file_type)
 fs_associate_tmpfs(file_type)
+fs_associate_ramfs(file_type)

 ########################################
 #
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@ -1,5 +1,5 @@

-policy_module(filesystem,1.8.1)
+policy_module(filesystem,1.8.2)

 ########################################
 #
@ -21,6 +21,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)

 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
@ -28,6 +29,7 @@ fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);

 # Use the allocating task SID to label inodes in the following filesystem
@ -110,6 +112,7 @@ genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)

 type ramfs_t;
 fs_type(ramfs_t)
+files_mountpoint(ramfs_t)
 genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)

 type romfs_t;
@ -127,6 +130,11 @@ fs_type(spufs_t)
 genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
 files_mountpoint(spufs_t)

+type squash_t;
+fs_type(squash_t)
+genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+files_mountpoint(squash_t)
+
 type vxfs_t;
 fs_noxattr_type(vxfs_t)
 files_mountpoint(vxfs_t)
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -350,6 +350,24 @@ interface(`kernel_search_key',`
 	allow $1 kernel_t:key search;
 ')

+########################################
+## <summary>
+##	dontaudit search the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:key search;
+')
+
 ########################################
 ## <summary>
 ##	Allow link to the kernel key ring.
@ -368,6 +386,24 @@ interface(`kernel_link_key',`
 	allow $1 kernel_t:key link;
 ')

+########################################
+## <summary>
+##	dontaudit link to the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_link_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:key link;
+')
+
 ########################################
 ## <summary>
 ##	Allows caller to read the ring buffer.
@ -1865,6 +1901,27 @@ interface(`kernel_list_unlabeled',`
 	allow $1 unlabeled_t:dir list_dir_perms;
 ')

+########################################
+## <summary>
+##	Read the process state (/proc/pid) of all unlabeled_t.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_unlabeled_state',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir list_dir_perms;
+	read_files_pattern($1,unlabeled_t,unlabeled_t)
+	read_lnk_files_pattern($1,unlabeled_t,unlabeled_t)
+')
+
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to list unlabeled directories.
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@

-policy_module(kernel,1.8.1)
+policy_module(kernel,1.8.2)

 ########################################
 #
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@ -8,6 +8,7 @@
 /dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
 /dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@ -52,7 +53,7 @@ ifdef(`distro_redhat', `

 /dev/cciss/[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

-/dev/fuse		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
 /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)

 /dev/i2o/hd[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@ -267,6 +267,63 @@ interface(`storage_swapon_fixed_disk',`
 	allow $1 fixed_disk_device_t:blk_file { getattr swapon };
 ')

+########################################
+## <summary>
+##	Allow the caller to get the attributes
+##	of device nodes of fuse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_fuse_dev',`
+	gen_require(`
+		type fuse_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fuse_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	read or write fuse device interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_rw_fuse',`
+	gen_require(`
+		type fuse_device_t;
+	')
+
+	allow $1 fuse_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	fuse device interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_rw_fuse',`
+	gen_require(`
+		type fuse_device_t;
+	')
+
+	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to get the attributes of
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@ -1,5 +1,5 @@

-policy_module(storage,1.4.0)
+policy_module(storage,1.4.1)

 ########################################
 #
@ -22,6 +22,12 @@ dev_node(fixed_disk_device_t)
 neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
 neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };

+#
+# fuse_device_t is the type of /dev/fuse
+#
+type fuse_device_t;
+dev_node(fuse_device_t)
+
 #
 # scsi_generic_device_t is the type of /dev/sg*
 # it gives access to ALL SCSI devices (both fixed and removable)
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@ -8,6 +8,7 @@
 /dev/dcbri[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/hvsi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/i2c[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ircomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@ -1,5 +1,5 @@

-policy_module(terminal,1.6.1)
+policy_module(terminal,1.6.2)

 ########################################
 #