diff --git a/Changelog b/Changelog
index 1b2e5a46..dc7b54a7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Filesystem updates from Dan Walsh.
- Large samba update from Dan Walsh.
- Drop snmpd_etc_t.
- Confine sendmail and logrotate on targeted.
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index d422ed89..108106a5 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -189,6 +189,7 @@ ifdef(`distro_gentoo', `
ifdef(`distro_redhat', `
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -248,6 +249,7 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index cb69796e..3de09696 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -929,6 +929,24 @@ interface(`corecmd_exec_all_executables',`
read_lnk_files_pattern($1,bin_t,exec_type)
')
+########################################
+##
+## Do not audit attempts to execute all executables.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corecmd_dontaudit_exec_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ ')
+
+ dontaudit $1 exec_type:file { execute execute_no_trans };
+')
+
########################################
##
## Create, read, write, and all executable files.
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index bf373cd8..4fa3ded3 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.6.0)
+policy_module(corecommands,1.6.1)
########################################
#
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index d5aca091..0aa22666 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -45,7 +45,6 @@ ifdef(`distro_suse',`
/etc -d gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -54,6 +53,7 @@ ifdef(`distro_suse',`
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 386e7ef3..cd51464b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -992,7 +992,7 @@ interface(`files_dontaudit_search_all_dirs',`
attribute file_type;
')
- dontaudit $1 file_type:dir search;
+ dontaudit $1 file_type:dir search_dir_perms;
')
########################################
@@ -1320,7 +1320,7 @@ interface(`files_dontaudit_search_boot',`
type boot_t;
')
- dontaudit $1 boot_t:dir search;
+ dontaudit $1 boot_t:dir search_dir_perms;
')
########################################
@@ -3308,6 +3308,24 @@ interface(`files_list_usr',`
allow $1 usr_t:dir list_dir_perms;
')
+########################################
+##
+## Add and remove entries from /usr directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir rw_dir_perms;
+')
+
########################################
##
## Get the attributes of files in /usr.
@@ -3366,6 +3384,24 @@ interface(`files_exec_usr_files',`
read_lnk_files_pattern($1,usr_t,usr_t)
')
+########################################
+##
+## Create, read, write, and delete files in the /usr directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ manage_files_pattern($1, usr_t, usr_t)
+')
+
########################################
##
## Relabel a file to the type used in /usr.
@@ -3637,7 +3673,7 @@ interface(`files_dontaudit_search_var',`
type var_t;
')
- dontaudit $1 var_t:dir search;
+ dontaudit $1 var_t:dir search_dir_perms;
')
########################################
@@ -3993,7 +4029,7 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
- dontaudit $1 var_lock_t:dir search;
+ dontaudit $1 var_lock_t:dir search_dir_perms;
')
########################################
@@ -4181,7 +4217,7 @@ interface(`files_dontaudit_search_pids',`
type var_run_t;
')
- dontaudit $1 var_run_t:dir search;
+ dontaudit $1 var_run_t:dir search_dir_perms;
')
########################################
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 0339a5d7..81473765 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.5.1)
+policy_module(files,1.5.2)
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 172ce142..dc1bd814 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1094,6 +1094,24 @@ interface(`fs_relabelfrom_dos_fs',`
allow $1 dosfs_t:filesystem relabelfrom;
')
+########################################
+##
+## Search dosfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_search_dos',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir search_dir_perms;
+')
+
########################################
##
## Read files on a DOS filesystem.
@@ -1154,6 +1172,24 @@ interface(`fs_read_eventpollfs',`
refpolicywarn(`$0($*) has been deprecated.')
')
+########################################
+##
+## Mount a FUSE filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem mount;
+')
+
########################################
##
## Search inotifyfs filesystem.
@@ -1268,6 +1304,26 @@ interface(`fs_getattr_iso9660_fs',`
allow $1 iso9660_t:filesystem getattr;
')
+########################################
+##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_iso9660_files',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
+')
+
########################################
##
## Read files on an iso9660 filesystem, which
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index ca7bf0da..f6a7c5b5 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.6.0)
+policy_module(filesystem,1.6.1)
########################################
#
@@ -54,17 +54,29 @@ genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
type capifs_t;
fs_type(capifs_t)
+files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
+type cpusetfs_t;
+fs_type(cpusetfs_t)
+allow cpusetfs_t self:filesystem associate;
+genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
+type fusefs_t;
+fs_noxattr_type(fusefs_t)
+allow fusefs_t self:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
@@ -83,6 +95,11 @@ type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
+type mvfs_t;
+fs_noxattr_type(mvfs_t)
+allow mvfs_t self:filesystem associate;
+genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
type nfsd_fs_t;
fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
@@ -105,6 +122,16 @@ fs_type(rpc_pipefs_t)
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)
+type spufs_t;
+fs_type(spufs_t)
+genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+files_mountpoint(spufs_t)
+
+type vxfs_t;
+fs_noxattr_type(vxfs_t)
+files_mountpoint(vxfs_t)
+genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+
#
# tmpfs_t is the type for tmpfs filesystems
#
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index a7d7e7ee..ed24ad2c 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -30,6 +30,43 @@ interface(`selinux_get_fs_mount',`
kernel_read_system_state($1)
')
+########################################
+##
+## Get the attributes of the selinuxfs filesystem
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`selinux_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get the
+## attributes of the selinuxfs filesystem
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`selinux_dontaudit_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:filesystem getattr;
+')
+
########################################
##
## Do not audit attempts to get the
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index c1972e8d..a0561f0a 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,5 +1,5 @@
-policy_module(selinux,1.3.0)
+policy_module(selinux,1.3.1)
########################################
#