Add kernel patch from Dan Walsh

policy/modules/kernel/kernel.if

@@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',`
 		type kernel_t;
 	')
 
-	kernel_domtrans_to($1,$2)
+	kernel_domtrans_to($1, $2)
 
 	ifdef(`enable_mcs',`
 		range_transition kernel_t $2:process $3;
@@ -483,13 +483,32 @@ interface(`kernel_clear_ring_buffer',`
 	allow $1 kernel_t:system syslog_mod;
 ')
 
+########################################
+## <summary>
+##	Allows caller to request the kernel to load a module
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_request_load_module',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:system module_request;
+')
+
 ########################################
 ## <summary>
 ##	Get information on all System V IPC objects.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -939,6 +958,28 @@ interface(`kernel_dontaudit_getattr_core_if',`
 	dontaudit $1 proc_kcore_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Allows caller to read the core kernel interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_core_if',`
+	gen_require(`
+		type proc_t, proc_kcore_t;
+		attribute can_dump_kernel;
+	')
+
+	read_files_pattern($1, proc_t, proc_kcore_t)
+	list_dirs_pattern($1, proc_t, proc_t)
+
+	typeattribute $1 can_dump_kernel;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to read kernel messages

policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel, 1.11.0)
+policy_module(kernel, 1.11.1)
 
 ########################################
 #
@@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0)
 # assertion related attributes
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
+attribute can_dump_kernel;
 
 neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
 
@@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge
 
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;
-neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
+neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 
 type proc_mdstat_t, proc_type;
@@ -248,7 +249,7 @@ corenet_send_all_packets(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
 
-# Mount root file system.  Used when loading a policy
+# Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
 fs_unmount_all_fs(kernel_t)
@@ -309,7 +310,7 @@ optional_policy(`
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
 	allow kernel_t self:udp_socket create_socket_perms;
 
-	# nfs kernel server needs kernel UDP access.  It is less risky and painful
+	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	corenet_udp_sendrecv_generic_if(kernel_t)
 	corenet_udp_sendrecv_generic_node(kernel_t)
@@ -355,7 +356,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domain(kernel_t)
+	unconfined_domain_noaudit(kernel_t)
 ')
 
 ########################################