diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index aa52f45b..a2c146b9 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -557,6 +557,218 @@ interface(`fs_register_binary_executable_type',`
rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
')
+########################################
+##
+## Mount a cgroup filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mount_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem mount;
+')
+
+########################################
+##
+## Remount a cgroup filesystem This allows
+## some mount options to be changed.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_remount_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem remount;
+')
+
+########################################
+##
+## Unmount a cgroup file system.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_unmount_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem unmount;
+')
+
+########################################
+##
+## Get the attributes of a cgroup filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_getattr_cgroup',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:filesystem getattr;
+')
+
+########################################
+##
+## list dirs on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_list_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Manage dirs on cgroup file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_manage_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Set attributes of files on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_setattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ setattr_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Read files on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ read_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Write files on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_write_cgroup_files', `
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Read and write files on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ rw_files_pattern($1, cgroup_t, cgroup_t)
+')
+
########################################
##
## Mount a CIFS or SMB network filesystem.
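Review bot: `fs_getattr_cgroup` requires and grants access to the wrong type: its `gen_require` pulls in `cifs_t` and the rule is `allow $1 cifs_t:filesystem getattr;`, so a caller asking for cgroup access is instead given getattr on CIFS/SMB filesystems and gets nothing on `cgroup_t`. Both lines should read `type cgroup_t;` and `allow $1 cgroup_t:filesystem getattr;`, matching the other `fs_*_cgroup*` interfaces in this hunk. Separately, `fs_dontaudit_list_cifs_dirs` is inserted in the middle of the cgroup block although it operates on `cifs_t`; moving it next to the existing CIFS interfaces (the section starting right after this hunk) would keep the file grouped by filesystem. The summary of `fs_remount_cgroup` is also missing a sentence break: `## Remount a cgroup filesystem. This allows`.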
@@ -929,7 +1141,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
- dontaudit $1 cifs_t:file { read write };
+ dontaudit $1 cifs_t:file rw_file_perms;
')
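Review bot: Switching `fs_dontaudit_rw_cifs_files` from `{ read write }` to `rw_file_perms` widens the set of denials that are suppressed, since in refpolicy that macro also covers open, getattr, ioctl, lock and append; if that is intended it is fine, but it is worth stating in the commit message because it reduces what shows up in the audit log for CIFS files. If the narrower behaviour was deliberate, keeping `dontaudit $1 cifs_t:file { read write };` preserves the old visibility.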
########################################
@@ -1480,6 +1692,25 @@ interface(`fs_search_fusefs',`
allow $1 fusefs_t:dir search_dir_perms;
')
+########################################
+##
+## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_list_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ dontaudit $1 fusefs_t:dir list_dir_perms;
+')
+
########################################
##
## Create, read, write, and delete directories
@@ -1670,6 +1901,54 @@ interface(`fs_list_inotifyfs',`
allow $1 inotifyfs_t:dir list_dir_perms;
')
+########################################
+##
+## Dontaudit List inotifyfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_list_inotifyfs',`
+ gen_require(`
+ type inotifyfs_t;
+ ')
+
+ dontaudit $1 inotifyfs_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Create an object in a hugetlbfs filesystem, with a private
+## type using a type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`fs_hugetlbfs_filetrans',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $2 hugetlbfs_t:filesystem associate;
+ filetrans_pattern($1, hugetlbfs_t, $2, $3)
+')
+
########################################
##
## Mount an iso9660 filesystem, which
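Review bot: The parameter description of `fs_dontaudit_list_inotifyfs` says `## Domain allowed access.` although the interface only emits a `dontaudit` rule and grants nothing; the convention used elsewhere in this file (see `fs_dontaudit_list_fusefs` in the previous hunk) is `## Domain to not audit.`. The same mismatch is in `fs_dontaudit_read_nfs_symlinks` in the next hunk. The summary line would also read better in the file's style as `## Do not audit attempts to list an inotifyfs filesystem.`.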
@@ -2092,6 +2371,24 @@ interface(`fs_read_nfs_symlinks',`
read_lnk_files_pattern($1, nfs_t, nfs_t)
')
+########################################
+##
+## Dontaudit read symbolic links on a NFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_read_nfs_symlinks',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:lnk_file read_lnk_file_perms;
+')
+
#########################################
##
## Read named sockets on a NFS filesystem.
@@ -3479,6 +3776,24 @@ interface(`fs_manage_auto_mountpoints',`
allow $1 autofs_t:dir manage_dir_perms;
')
+########################################
+##
+## Read generic tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ read_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
########################################
##
## Read and write generic tmpfs files.
@@ -3723,6 +4038,24 @@ interface(`fs_mount_xenfs',`
allow $1 xenfs_t:filesystem mount;
')
+########################################
+##
+## Search the XENFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_search_xenfs',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+ allow $1 xenfs_t:dir search_dir_perms;
+')
+
########################################
##
## Create, read, write, and delete directories
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 12272e55..5a49deae 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem, 1.12.1)
+policy_module(filesystem, 1.12.2)
########################################
#
@@ -29,6 +29,7 @@ fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
@@ -183,6 +184,7 @@ genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
#
# Filesystems without extended attribute support
#
+
type autofs_t;
fs_noxattr_type(autofs_t)
files_mountpoint(autofs_t)
@@ -205,6 +207,7 @@ genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
#
type dosfs_t;
fs_noxattr_type(dosfs_t)
+files_mountpoint(dosfs_t)
allow dosfs_t fs_t:filesystem associate;
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
@@ -216,6 +219,7 @@ genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
type fusefs_t;
fs_noxattr_type(fusefs_t)
+files_mountpoint(fusefs_t)
allow fusefs_t self:filesystem associate;
allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
@@ -228,6 +232,7 @@ genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
#
type iso9660_t;
fs_noxattr_type(iso9660_t)
+files_mountpoint(iso9660_t)
genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
@@ -237,7 +242,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
-files_type(removable_t)
+files_mountpoint(removable_t)
#
# nfs_t is the default type for NFS file systems