six trivial patches from dan for iptables, netutils, ipsec, devices, filesystem and cpuspeed

policy/modules/admin/netutils.te

@@ -1,5 +1,5 @@
 
-policy_module(netutils,1.3.1)
+policy_module(netutils,1.3.2)
 
 ########################################
 #
@@ -65,6 +65,8 @@ corenet_tcp_connect_all_ports(netutils_t)
 corenet_sendrecv_all_client_packets(netutils_t)
 corenet_udp_bind_generic_node(netutils_t)
 
+dev_read_sysfs(netutils_t)
+
 fs_getattr_xattr_fs(netutils_t)
 
 domain_use_interactive_fds(netutils_t)

policy/modules/kernel/devices.if

@@ -2501,6 +2501,25 @@ interface(`dev_list_sysfs',`
 	list_dirs_pattern($1,sysfs_t,sysfs_t)
 ')
 
+########################################
+## <summary>
+##	Write in a sysfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+# cjp: added for cpuspeed
+interface(`dev_write_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to read hardware state information.

policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.3.1)
+policy_module(devices,1.3.2)
 
 ########################################
 #

policy/modules/kernel/filesystem.if

@@ -1094,6 +1094,24 @@ interface(`fs_relabelfrom_dos_fs',`
 	allow $1 dosfs_t:filesystem relabelfrom;
 ')
 
+########################################
+## <summary>
+##	Read files on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_dos_files',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	read_files_pattern($1,dosfs_t,dosfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files

policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.5.1)
+policy_module(filesystem,1.5.2)
 
 ########################################
 #

policy/modules/kernel/storage.fc

@@ -42,7 +42,8 @@ ifdef(`distro_redhat', `
 /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/ub[a-z]		-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
+/dev/tw[a-z][^/]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
 /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 

policy/modules/kernel/storage.te

@@ -1,5 +1,5 @@
 
-policy_module(storage,1.2.0)
+policy_module(storage,1.2.1)
 
 ########################################
 #

policy/modules/services/cpucontrol.te

@@ -1,5 +1,5 @@
 
-policy_module(cpucontrol,1.1.0)
+policy_module(cpucontrol,1.1.1)
 
 ########################################
 #
@@ -91,6 +91,7 @@ files_pid_filetrans(cpuspeed_t,cpuspeed_var_run_t,file)
 kernel_read_system_state(cpuspeed_t)
 kernel_read_kernel_sysctls(cpuspeed_t)
 
+dev_write_sysfs_dirs(cpuspeed_t)
 dev_rw_sysfs(cpuspeed_t)
 
 domain_use_interactive_fds(cpuspeed_t)

policy/modules/system/ipsec.if

@@ -111,3 +111,70 @@ interface(`ipsec_manage_pid',`
 	files_search_pids($1)
 	manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
 ')
+
+########################################
+## <summary>
+##	Execute racoon in the racoon domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_domtrans_racoon',`
+	gen_require(`
+		type racoon_t, racoon_exec_t;
+	')
+
+	domtrans_pattern($1,racoon_exec_t,racoon_t)
+')
+
+########################################
+## <summary>
+##	Execute setkey in the setkey domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_domtrans_setkey',`
+	gen_require(`
+		type setkey_t, setkey_exec_t;
+	')
+
+	domtrans_pattern($1,setkey_exec_t,setkey_t)
+')
+
+########################################
+## <summary>
+##	Execute setkey and allow the specified role the domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the racoon and setkey domains.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the racoon and setkey domains to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_run_setkey',`
+	gen_require(`
+		type setkey_t;
+	')
+
+	ipsec_domtrans_setkey($1)
+	role $2 types setkey_t;
+	allow setkey_t $3:chr_file rw_term_perms;
+')

policy/modules/system/ipsec.te

@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.2.1)
+policy_module(ipsec,1.2.2)
 
 ########################################
 #

policy/modules/system/iptables.te

@@ -1,5 +1,5 @@
 
-policy_module(iptables,1.2.1)
+policy_module(iptables,1.2.2)
 
 ########################################
 #
@@ -77,9 +77,10 @@ sysnet_dns_name_resolve(iptables_t)
 userdom_use_all_users_fds(iptables_t)
 
 ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(iptables_t)
-	term_dontaudit_use_generic_ptys(iptables_t)
+	term_use_unallocated_ttys(iptables_t)
+	term_use_generic_ptys(iptables_t)
 	files_dontaudit_read_root_files(iptables_t)
+ 	unconfined_rw_pipes(iptables_t)
 ')
 
 optional_policy(`

policy/modules/system/userdomain.if

@@ -1337,6 +1337,10 @@ template(`userdom_security_admin_template',`
 		dmesg_exec($1)
 	')
 
+	optional_policy(`	
+		ipsec_run_setkey($1,$2,$3)
+	')
+
 	optional_policy(`
 		netlabel_run_mgmt($1,$2, $3)
 	')

policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.1.3)
+policy_module(userdomain,2.1.4)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;