trunk: 3 patches from dan

Changelog

@@ -1,3 +1,4 @@
+- Filesystem updates from Dan Walsh.
 - Large samba update from Dan Walsh.
 - Drop snmpd_etc_t.
 - Confine sendmail and logrotate on targeted.

policy/modules/kernel/corecommands.fc

@@ -189,6 +189,7 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_redhat', `
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -248,6 +249,7 @@ ifdef(`distro_suse', `
 /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/yp/.+		--	gen_context(system_u:object_r:bin_t,s0)
 
 /var/qmail/bin                  -d      gen_context(system_u:object_r:bin_t,s0)
 /var/qmail/bin(/.*)?                    gen_context(system_u:object_r:bin_t,s0)

policy/modules/kernel/corecommands.if

@@ -929,6 +929,24 @@ interface(`corecmd_exec_all_executables',`
 	read_lnk_files_pattern($1,bin_t,exec_type)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to execute all executables.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_dontaudit_exec_all_executables',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+	dontaudit $1 exec_type:file { execute execute_no_trans };
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and all executable files.

policy/modules/kernel/corecommands.te

@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.6.0)
+policy_module(corecommands,1.6.1)
 
 ########################################
 #

policy/modules/kernel/files.fc

@@ -45,7 +45,6 @@ ifdef(`distro_suse',`
 /etc			-d	gen_context(system_u:object_r:etc_t,s0)
 /etc/.*				gen_context(system_u:object_r:etc_t,s0)
 /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/asound\.state	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -54,6 +53,7 @@ ifdef(`distro_suse',`
 /etc/issue\.net		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
 /etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)

policy/modules/kernel/files.if

@@ -992,7 +992,7 @@ interface(`files_dontaudit_search_all_dirs',`
 		attribute file_type;
 	')
 
-	dontaudit $1 file_type:dir search;
+	dontaudit $1 file_type:dir search_dir_perms;
 ')
 
 ########################################
@@ -1320,7 +1320,7 @@ interface(`files_dontaudit_search_boot',`
 		type boot_t;
 	')
 
-	dontaudit $1 boot_t:dir search;
+	dontaudit $1 boot_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -3308,6 +3308,24 @@ interface(`files_list_usr',`
 	allow $1 usr_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Add and remove entries from /usr directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir rw_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of files in /usr.
@@ -3366,6 +3384,24 @@ interface(`files_exec_usr_files',`
 	read_lnk_files_pattern($1,usr_t,usr_t)
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete files in the /usr directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	manage_files_pattern($1, usr_t, usr_t)
+')
+
 ########################################
 ## <summary>
 ##	Relabel a file to the type used in /usr.
@@ -3637,7 +3673,7 @@ interface(`files_dontaudit_search_var',`
 		type var_t;
 	')
 
-	dontaudit $1 var_t:dir search;
+	dontaudit $1 var_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -3993,7 +4029,7 @@ interface(`files_dontaudit_search_locks',`
 		type var_lock_t;
 	')
 
-	dontaudit $1 var_lock_t:dir search;
+	dontaudit $1 var_lock_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -4181,7 +4217,7 @@ interface(`files_dontaudit_search_pids',`
 		type var_run_t;
 	')
 
-	dontaudit $1 var_run_t:dir search;
+	dontaudit $1 var_run_t:dir search_dir_perms;
 ')
 
 ########################################

policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.5.1)
+policy_module(files,1.5.2)
 
 ########################################
 #

policy/modules/kernel/filesystem.if

@@ -1094,6 +1094,24 @@ interface(`fs_relabelfrom_dos_fs',`
 	allow $1 dosfs_t:filesystem relabelfrom;
 ')
 
+########################################
+## <summary>
+##	Search dosfs filesystem. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_dos',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read files on a DOS filesystem.
@@ -1154,6 +1172,24 @@ interface(`fs_read_eventpollfs',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+########################################
+## <summary>
+##      Mount a FUSE filesystem.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_mount_fusefs',`
+        gen_require(`
+                type fusefs_t;
+        ')
+
+        allow $1 fusefs_t:filesystem mount;
+')
+
 ########################################
 ## <summary>
 ##	Search inotifyfs filesystem. 
@@ -1268,6 +1304,26 @@ interface(`fs_getattr_iso9660_fs',`
 	allow $1 iso9660_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Read files on an iso9660 filesystem, which
+##	is usually used on CDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_iso9660_files',`
+	gen_require(`
+		type iso9660_t;
+	')
+
+	allow $1 iso9660_t:dir list_dir_perms;
+	allow $1 iso9660_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read files on an iso9660 filesystem, which

policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.6.0)
+policy_module(filesystem,1.6.1)
 
 ########################################
 #
@@ -54,17 +54,29 @@ genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
 
 type capifs_t;
 fs_type(capifs_t)
+files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 
 type configfs_t;
 fs_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
 
+type cpusetfs_t;
+fs_type(cpusetfs_t)
+allow cpusetfs_t self:filesystem associate;
+genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+
 type eventpollfs_t;
 fs_type(eventpollfs_t)
 # change to task SID 20060628
 #genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
 
+type fusefs_t;
+fs_noxattr_type(fusefs_t)
+allow fusefs_t self:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+
 type futexfs_t;
 fs_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
@@ -83,6 +95,11 @@ type inotifyfs_t;
 fs_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
 
+type mvfs_t;
+fs_noxattr_type(mvfs_t)
+allow mvfs_t self:filesystem associate;
+genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
@@ -105,6 +122,16 @@ fs_type(rpc_pipefs_t)
 genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
 files_mountpoint(rpc_pipefs_t)
 
+type spufs_t;
+fs_type(spufs_t)
+genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+files_mountpoint(spufs_t)
+
+type vxfs_t;
+fs_noxattr_type(vxfs_t)
+files_mountpoint(vxfs_t)
+genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+
 #
 # tmpfs_t is the type for tmpfs filesystems
 #

policy/modules/kernel/selinux.if

@@ -30,6 +30,43 @@ interface(`selinux_get_fs_mount',`
 	kernel_read_system_state($1)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of the selinuxfs filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_getattr_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the selinuxfs filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`selinux_dontaudit_getattr_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	dontaudit $1 security_t:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the

policy/modules/kernel/selinux.te

@@ -1,5 +1,5 @@
 
-policy_module(selinux,1.3.0)
+policy_module(selinux,1.3.1)
 
 ########################################
 #