From 731008ad85faea6e0acd4d648fd5ce75a70fe162 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 8 Jun 2009 17:18:26 +0000
Subject: [PATCH] trunk: 2 patches from dan.
---
 policy/modules/kernel/devices.fc | 3 +++
 policy/modules/kernel/devices.if | 2 +-
 policy/modules/kernel/devices.te | 8 +++++++-
 policy/modules/kernel/filesystem.if | 20 ++++++++++++++++++++
 policy/modules/kernel/filesystem.te | 8 +++++---
 5 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 5fef2cd2..94b4bc4f 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -16,6 +16,7 @@
 /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -91,6 +92,7 @@
 /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
 /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
 /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
@@ -113,6 +115,7 @@ ifdef(`distro_suse', `
 /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
 /dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c3dbd7de..7ddb8e24 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3217,7 +3217,7 @@ interface(`dev_read_generic_usb_dev',`
 #
 interface(`dev_rw_generic_usb_dev',`
 gen_require(`
- type usb_device_t;
+ type device_t, usb_device_t;
 ')
 rw_chr_files_pattern($1, device_t, usb_device_t)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 893c4a8d..874d0f6e 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices, 1.7.1)
+policy_module(devices, 1.7.2)
 ########################################
 #
@@ -187,6 +187,12 @@ files_mountpoint(sysfs_t)
 fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+#
+# Type for /dev/tpm
+#
+type tpm_device_t;
+dev_node(tpm_device_t)
+
 #
 # urandom_device_t is the type of /dev/urandom
 #
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index d29ca4ea..b9b367ad 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -757,6 +757,24 @@ interface(`fs_read_noxattr_fs_files',`
 read_files_pattern($1, noxattrfs, noxattrfs)
 ')
+########################################
+##
+## Dont audit attempts to write to noxattrfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_write_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ dontaudit $1 noxattrfs:file write;
+')
+
 ########################################
 ##
 ## Create, read, write, and delete all noxattrfs files.
@@ -2154,6 +2172,7 @@ interface(`fs_rw_removable_blk_files',`
 type removable_t;
 ')
+ allow $1 removable_t:dir list_dir_perms;
 rw_blk_files_pattern($1, removable_t, removable_t)
 ')
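Review bot: `type tpm_device_t;` / `dev_node(tpm_device_t)` in devices.te introduce a dedicated type for /dev/tpm, but the commit adds no interface in devices.if that grants access to it, so once devices.fc relabels `/dev/tpm[0-9]*` away from the generic device label no domain can be given the node without another policy change. Any domain that currently reaches /dev/tpm through generic device permissions will be denied after a relabel, which is a silent breakage rather than a tightening. Add the accessor interfaces in the same change (a read and a read/write variant built like `dev_rw_generic_usb_dev` above, each with `type device_t, tpm_device_t;` in its gen_require) and extend the type comment to `# Type for /dev/tpm; intended for the TPM daemon, no accessor interface yet` so the gap is visible to the next reader.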
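Review bot: The summary line of the new interface, `## Dont audit attempts to write to noxattrfs files.`, should read `## Don't audit attempts to write to noxattrfs files.`. The body itself is minimal and correct: one `dontaudit $1 noxattrfs:file write;` with the attribute brought in through gen_require, and nothing is allowed.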
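Review bot: The added `allow $1 removable_t:dir list_dir_perms;` widens fs_rw_removable_blk_files beyond block-file read/write: rw_blk_files_pattern already covers directory search on removable_t, and listing those directories is a distinct permission that every existing caller of this interface now receives whether or not it needs it. If one caller needs to enumerate removable mounts, a separate list grant in that caller keeps the change least-privilege; if the allow stays here, the interface's summary (outside the hunk) must say that directory listing is included. The interface body begins outside the hunk.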
@@ -3624,6 +3643,7 @@ interface(`fs_getattr_all_fs',`
 ')
 allow $1 filesystem_type:filesystem getattr;
+ files_getattr_all_file_type_fs($1)
 ')
 ########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index ba6e23ff..c8fed3d0 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem, 1.11.3)
+policy_module(filesystem, 1.11.4)
 ########################################
 #
@@ -202,6 +202,8 @@ type dosfs_t;
 fs_noxattr_type(dosfs_t)
 allow dosfs_t fs_t:filesystem associate;
 genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
@@ -244,12 +246,12 @@ genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
 genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
-genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
 genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
 genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
 ########################################
 #
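Review bot: `files_getattr_all_file_type_fs($1)` extends fs_getattr_all_fs past filesystem_type to whatever the files module covers under that name (judging by the name, filesystems labeled with file_type rather than filesystem_type), and nothing in the hunk says why a files-layer interface is needed here. Add a one-line comment above the call, `# filesystems labeled with a file_type are not filesystem_type; cover them too`, and update the interface summary (outside the hunk) so callers know the grant is wider than the name suggests. The interface body starts outside the hunk.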
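Review bot: `genfscon xenfs / ...nfs_t` and `genfscon gadgetfs / ...nfs_t` label two local kernel control filesystems with the remote-filesystem type, so every domain that already holds nfs_t permissions through the fs_*_nfs_* interfaces gains the same access to the Xen control nodes and the USB gadget configuration files. A dedicated type for each, declared with fs_type and its own genfscon the way sysfs_t is handled in devices.te (e.g. `xenfs_t`), keeps those grants scoped to the domains that actually manage Xen or gadget devices. The hfs/hfsplus move from nfs_t to dosfs_t in the earlier hunk is likewise a silent access change for existing callers — domains with nfs_t access lose hfs mounts, domains with dosfs_t access gain them — and the commit message ("2 patches from dan") should say so.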