trunk: 5 patches from dan

Changelog

@@ -1,3 +1,4 @@
+- Openct updates patch from Dan Walsh.
 - Merge restorecon into setfiles.
 - Patch to begin separating out hald helper programs from Dan Walsh.
 - Fixes for squid, dovecot, and snmp from Dan Walsh.

policy/modules/kernel/devices.fc

@@ -19,6 +19,7 @@
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
+/dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
@@ -81,6 +82,8 @@ ifdef(`distro_suse', `
 
 /dev/bus/usb/.*/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
 
+/dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
+
 /dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
 

policy/modules/kernel/devices.if

@@ -2429,6 +2429,80 @@ interface(`dev_rw_power_management',`
 	rw_chr_files_pattern($1,device_t,power_device_t)
 ')
 
+########################################
+## <summary>
+##	Getattr on smartcard devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_smartcard_dev',`
+	gen_require(`
+		type smartcard_device_t;
+	')
+
+	allow $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+## <summary>
+##	dontaudit getattr on smartcard devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_smartcard_dev',`
+	gen_require(`
+		type smartcard_device_t;
+	')
+
+	dontaudit $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+## <summary>
+##	Read and write smartcard devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_smartcard',`
+	gen_require(`
+		type device_t, smartcard_device_t;
+	')
+
+	rw_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete smartcard devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_smartcard',`
+	gen_require(`
+		type device_t, smartcard_device_t;
+	')
+
+	manage_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of sysfs directories.

policy/modules/kernel/devices.te

@@ -136,6 +136,12 @@ dev_node(random_device_t)
 type scanner_device_t;
 dev_node(scanner_device_t)
 
+#
+# Type for smartcards
+#
+type smartcard_device_t;
+dev_node(smartcard_device_t)
+
 #
 # Type for sound devices and mixers
 #

policy/modules/kernel/storage.if

@@ -184,6 +184,7 @@ interface(`storage_manage_fixed_disk',`
 	')
 
 	dev_list_all_dev_nodes($1)
+	allow $1 self:capability mknod;
 	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')

policy/modules/services/openct.fc

@@ -1,6 +1,7 @@
 #
 # /usr
 #
+/usr/sbin/ifdhandler		--	gen_context(system_u:object_r:openct_exec_t,s0)
 /usr/sbin/openct-control	--	gen_context(system_u:object_r:openct_exec_t,s0)
 
 #

policy/modules/services/openct.if

@@ -1 +1,95 @@
 ## <summary>Service for handling smart card readers.</summary>
+
+########################################
+## <summary>
+##	Send openct a null signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openct_signull',`
+	gen_require(`
+		type openct_t;
+	')
+
+	allow $1 openct_t:process signull;
+')
+
+########################################
+## <summary>
+##	Execute openct in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_exec',`
+	gen_require(`
+		type openct_t, openct_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1,openct_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run openct.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openct_domtrans',`
+	gen_require(`
+		type openct_t, openct_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1,openct_exec_t,openct_t)
+')
+
+########################################
+## <summary>
+##	Read openct PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openct_read_pid_files',`
+	gen_require(`
+		type openct_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1,openct_var_run_t,openct_var_run_t)
+')
+
+########################################
+## <summary>
+##	Connect to openct over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openct_stream_connect',`
+	gen_require(`
+		type openct_t, openct_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1,openct_var_run_t,openct_var_run_t,openct_t)
+')

policy/modules/services/openct.te

@@ -31,6 +31,8 @@ kernel_read_proc_symlinks(openct_t)
 dev_read_sysfs(openct_t)
 # openct asks for this
 dev_rw_usbfs(openct_t)
+dev_rw_smartcard(openct_t)
+dev_rw_generic_usb_dev(openct_t)
 
 domain_use_interactive_fds(openct_t)
 
@@ -50,6 +52,8 @@ miscfiles_read_localization(openct_t)
 userdom_dontaudit_use_unpriv_user_fds(openct_t)
 userdom_dontaudit_search_sysadm_home_dirs(openct_t)
 
+openct_exec(openct_t)
+
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(openct_t)
 	term_dontaudit_use_generic_ptys(openct_t)

policy/modules/services/pcscd.te

@@ -21,6 +21,7 @@ files_pid_file(pcscd_var_run_t)
 #
 
 allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:process signal;
 allow pcscd_t self:fifo_file { read write };
 allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
 allow pcscd_t self:unix_dgram_socket create_socket_perms;
@@ -61,6 +62,12 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(pcscd_t)
 ')
 
+optional_policy(`
+	openct_stream_connect(pcscd_t)
+	openct_read_pid_files(pcscd_t)
+	openct_signull(pcscd_t)
+')
+
 optional_policy(`
 	rpm_use_script_fds(pcscd_t)
 ')

policy/modules/system/libraries.fc

@@ -133,6 +133,8 @@ ifdef(`distro_gentoo',`
 /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib/transgaming_cedega/gddb_parser.so --	gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib/vlc/codec/libdmo_plugin.so	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/librealaudio_plugin.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -149,6 +151,7 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 

policy/modules/system/libraries.te

@@ -62,7 +62,8 @@ files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
 manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
 manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
-files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir })
+manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
+files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
 
 manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
 

policy/modules/system/raid.te

@@ -46,6 +46,7 @@ fs_dontaudit_list_tmpfs(mdadm_t)
 # RAID block device access
 storage_manage_fixed_disk(mdadm_t)
 storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_read_scsi_generic(mdadm_t)
 
 term_dontaudit_list_ptys(mdadm_t)