From a9ef84b578895f7920013cdb3e55bc43e08108da Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 18 Jun 2010 14:07:53 -0400
Subject: [PATCH] Prelink patch from Dan Walsh.
Prelink has new directory under /var/lib dontaudit leaks from domains that transition cron job looks at all mount points.
---
 policy/modules/admin/prelink.fc | 1 +
 policy/modules/admin/prelink.if | 5 +++++
 policy/modules/admin/prelink.te | 6 ++++--
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/prelink.fc b/policy/modules/admin/prelink.fc
index cfb874af..ec0e76a4 100644
--- a/policy/modules/admin/prelink.fc
+++ b/policy/modules/admin/prelink.fc
@@ -8,3 +8,4 @@
 /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
 /var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 6c151d4a..89e8209b 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -17,6 +17,11 @@ interface(`prelink_domtrans',`
 corecmd_search_bin($1)
 domtrans_pattern($1, prelink_exec_t, prelink_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit prelink_t $1:socket_class_set { read write };
+ dontaudit prelink_t $1:fifo_file setattr;
+ ')
 ')
 ########################################
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index d44467f5..aa0dcc67 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -1,4 +1,4 @@
-policy_module(prelink, 1.9.0)
+policy_module(prelink, 1.9.1)
 ########################################
 # 
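Review bot: The new `ifdef(`hide_broken_symptoms'` block in prelink_domtrans suppresses, rather than grants, prelink_t's access to sockets and FIFOs it inherits from the calling domain $1, but nothing in the hunk says why those denials are expected, and the interface's summary and gen_require sit above the hunk, outside the visible text. I would add a comment directly above the ifdef: `# $1 may leak open sockets/FIFOs across the transition; under hide_broken_symptoms the resulting denials are silenced, not allowed`. It is also worth stating in the interface's description that in hide_broken_symptoms builds a genuine read or write by prelink_t on such a leaked socket will no longer produce an audit record, since that is the trade-off the dontaudit makes; callers that can close their descriptors before the transition presumably still should, but I cannot see the callers from here.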
@@ -123,7 +123,7 @@ optional_policy(`
 optional_policy(`
 allow prelink_cron_system_t self:capability setuid;
- allow prelink_cron_system_t self:process { setsched setfscreate };
+ allow prelink_cron_system_t self:process { setsched setfscreate signal };
 allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
 allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
@@ -144,7 +144,9 @@ optional_policy(`
 corecmd_exec_bin(prelink_cron_system_t)
 corecmd_exec_shell(prelink_cron_system_t)
+ files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
 files_read_etc_files(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
 init_exec(prelink_cron_system_t)
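Review bot: `files_dontaudit_search_all_mountpoints(prelink_cron_system_t)` in the second hunk hides the search denials the commit message attributes to the cron job looking at all mount points, but it does not permit the search, so if the job genuinely needs to traverse those mount points it will still fail, now without an audit record explaining why. If the traversal is required, `files_search_all_mountpoints(prelink_cron_system_t)` is the rule to use; if the probing is harmless noise, a comment such as `# cron job probes every mount point; the search denials are harmless, so only silence them` would record that decision for the next reader. `files_search_var_lib(prelink_cron_system_t)` only grants search of var_lib_t itself; access to the new prelink_var_lib_t directory labelled in prelink.fc is presumably granted elsewhere in this optional_policy block, which I cannot confirm from the hunk. The hunk's line counts suggest trailing context that is not visible here.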