fix up mtrr interfaces. missing the file class on a few interfaces, and read and write cannot be split.

policy/modules/kernel/devices.if

@@ -1684,7 +1684,8 @@ interface(`dev_rw_mouse',`
 
 ########################################
 ## <summary>
-##	Get the attributes of the mtrr device.
+##	Get the attributes of the memory type range
+##	registers (MTRR) device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1698,15 +1699,27 @@ interface(`dev_getattr_mtrr_dev',`
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-
-	# proc entry is a file.  added for nmbd_t
 	allow $1 mtrr_device_t:{ file chr_file } getattr;
 ')
 
 ########################################
 ## <summary>
-##	Read the mtrr device.
+##	Read the memory type range
+##	registers (MTRR).  (Deprecated)
 ## </summary>
+## <desc>
+##	<p>
+##	Read the memory type range
+##	registers (MTRR).  This interface has
+##	been deprecated, dev_rw_mtrr() should be
+##	used instead.
+##	</p>
+##	<p>
+##	The MTRR device ioctls can be used for
+##	reading and writing; thus, read access to the
+##	device cannot be separated from write access.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -1714,18 +1727,28 @@ interface(`dev_getattr_mtrr_dev',`
 ## </param>
 #
 interface(`dev_read_mtrr',`
-	gen_require(`
+	refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
-		type device_t, mtrr_device_t;
+	dev_rw_mtrr($1)
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mtrr_device_t:chr_file r_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Write the mtrr device.
+##	Write the memory type range
+##	registers (MTRR).  (Deprecated)
 ## </summary>
+## <desc>
+##	<p>
+##	Write the memory type range
+##	registers (MTRR).  This interface has
+##	been deprecated, dev_rw_mtrr() should be
+##	used instead.
+##	</p>
+##	<p>
+##	The MTRR device ioctls can be used for
+##	reading and writing; thus, write access to the
+##	device cannot be separated from read access.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -1733,17 +1756,13 @@ interface(`dev_read_mtrr',`
 ## </param>
 #
 interface(`dev_write_mtrr',`
-	gen_require(`
+	refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
-		type device_t, mtrr_device_t;
+	dev_rw_mtrr($1)
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mtrr_device_t:chr_file { getattr write ioctl };
 ')
 
 ########################################
 ## <summary>
-##	Read and write the mtrr device.
+##	Read and write the memory type range registers (MTRR).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1752,8 +1771,12 @@ interface(`dev_write_mtrr',`
 ## </param>
 #
 interface(`dev_rw_mtrr',`
-	dev_read_mtrr($1)
+	gen_require(`
-	dev_write_mtrr($1)
+		type device_t, mtrr_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mtrr_device_t:{ file chr_file } rw_file_perms;
 ')
 
 ########################################

policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.15)
+policy_module(devices,1.1.16)
 
 ########################################
 #

policy/modules/system/modutils.te

@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.1.2)
+policy_module(modutils,1.1.3)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -70,7 +70,7 @@ files_write_kernel_modules(insmod_t)
 
 dev_search_sysfs(insmod_t)
 dev_search_usbfs(insmod_t)
-dev_write_mtrr(insmod_t)
+dev_rw_mtrr(insmod_t)
 dev_read_urand(insmod_t)
 dev_rw_agp(insmod_t)
 dev_read_sound(insmod_t)