From 882186c9338fdeff10f10456aa41e6f1c6da4255 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 2 May 2007 17:31:38 +0000
Subject: [PATCH] - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes to handle usage from userhelper.
---
 Changelog | 2 ++
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/system/modutils.te | 7 ++++++-
 4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/Changelog b/Changelog
index 731e22de..f6bcd1c2 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
+ to handle usage from userhelper.
 - Patch to allow amavis to read spamassassin libraries from Dan Walsh.
 - Patch to allow slocate to getattr other filesystems and directories on those filesystems from Dan Walsh.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 39fd13f2..00c3cc01 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -552,6 +552,24 @@ interface(`kernel_read_debugfs',`
 list_dirs_pattern($1,debugfs_t,debugfs_t)
 ')
+########################################
+##
+## Mount a kernel VM filesystem.
+##
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
+#
+interface(`kernel_mount_kvmfs',`
+ gen_require(`
+ type kvmfs_t;
+ ')
+
+ allow $1 kvmfs_t:filesystem mount;
+')
+
 ########################################
 ##
 ## Unmount the proc filesystem.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 2cccc459..cd5f3663 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.6.0)
+policy_module(kernel,1.6.1)
 ########################################
 #
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 49bb1b87..3cb7fe76 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils,1.3.0)
+policy_module(modutils,1.3.1)
 gen_require(`
 bool secure_mode_insmod;
@@ -58,6 +58,7 @@ kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
 kernel_write_proc_files(insmod_t)
 kernel_mount_debugfs(insmod_t)
+kernel_mount_kvmfs(insmod_t)
 kernel_read_debugfs(insmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(insmod_t)
@@ -156,6 +157,10 @@ optional_policy(`
 rpm_rw_pipes(insmod_t)
 ')
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(insmod_t)
+')
+
 optional_policy(`
 # cjp: why is this needed:
 dev_rw_xserver_misc(insmod_t)
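Review bot: The added `kernel_mount_kvmfs(insmod_t)` line in the second modutils.te hunk has no comment saying why a module loader needs filesystem mount permission, unlike the `# Rules for /proc/sys/kernel/tainted` line two lines below it. Presumably the kvm module mounts kvmfs from its init routine, which runs in the context of the loading process, as with the `kernel_mount_debugfs(insmod_t)` line above it. If that is confirmed, a comment such as `# kvm mounts kvmfs from module init, which runs as insmod_t` would let a later reviewer judge whether the grant is still needed. The rule is unconditional, so insmod_t also holds the permission on systems that never load kvm.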
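Review bot: The new `unconfined_dontaudit_rw_pipes(insmod_t)` block in the third modutils.te hunk does not record that it exists for the userhelper case named in the commit message, and the block right after it already shows the cost of that with `# cjp: why is this needed:`. A dontaudit rule keeps the access denied but removes the AVC record, so any other read or write by insmod_t on an unconfined_t pipe also stops appearing in the audit log. I would add `# insmod run via userhelper inherits unconfined_t pipes; the denial is expected` inside the block, after confirming that userhelper is the only source of these denials. The optional_policy block that follows continues past the end of the hunk.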