more testing fixes

policy/modules/kernel/terminal.if

@@ -90,6 +90,7 @@ interface(`term_tty',`
 	typeattribute $2 ttynode, serial_device;
 	type_change $1 tty_device_t:chr_file $2;
 
+	fs_associate($1)
 	files_associate_tmp($1)
 
 	# Debian login is from shadow utils and does not allow resetting the perms.
@@ -713,6 +714,25 @@ interface(`term_setattr_unallocated_ttys',`
 	allow $1 tty_device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_setattr_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dontaudit $1 tty_device_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to ioctl
@@ -774,6 +794,25 @@ interface(`term_reset_tty_labels',`
 	allow $1 tty_device_t:chr_file relabelto;
 ')
 
+########################################
+## <summary>
+##	Append to unallocated ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_append_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr append };
+')
+
 ########################################
 ## <summary>
 ##	Write to unallocated ttys.

policy/modules/kernel/terminal.te

@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.1.4)
+policy_module(terminal,1.1.5)
 
 ########################################
 #

policy/modules/system/authlogin.te

@@ -265,6 +265,7 @@ term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
 term_dontaudit_use_generic_ptys(system_chkpwd_t)
 
 userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
 
 ########################################
 #

policy/modules/system/clock.if

@@ -74,11 +74,29 @@ interface(`clock_exec',`
 
 ########################################
 ## <summary>
-##             Allow executing domain to modify clock drift
+##	Do not audit attempts to write clock drift adjustments.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##             The type of the process performing this action.
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`clock_dontaudit_write_adjtime',`
+	gen_require(`
+		type adjtime_t;
+	')
+
+	dontaudit $1 adjtime_t:file write;
+')
+
+########################################
+## <summary>
+##	Read and write clock drift adjustments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -90,4 +108,3 @@ interface(`clock_rw_adjtime',`
 	allow $1 adjtime_t:file rw_file_perms;
 	files_list_etc($1)
 ')
-

policy/modules/system/clock.te

@@ -1,5 +1,5 @@
 
-policy_module(clock,1.0.1)
+policy_module(clock,1.0.2)
 
 ########################################
 #

policy/modules/system/init.te

@@ -416,6 +416,9 @@ ifdef(`distro_gentoo',`
 	# mounting tmpfs on /dev
 	fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
 
+	# init scripts touch this
+	clock_dontaudit_write_adjtime(initrc_t)
+
 	optional_policy(`
 		arpwatch_manage_data_files(initrc_t)
 	')

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.9)
+policy_module(logging,1.3.10)
 
 ########################################
 #
@@ -349,6 +349,13 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
 
+ifdef(`distro_gentoo',`
+	# default gentoo syslog-ng config appends kernel
+	# and high priority messages to /dev/tty12
+	term_append_unallocated_ttys(syslogd_t)
+	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
+')
+
 ifdef(`distro_suse',`
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)