fixes from gentoo strict testing:

- Allow semanage to read from /root on strict non-MLS for
  local policy modules.
- Gentoo init script fixes for udev.
- Allow udev to read kernel modules.inputmap.
- Dnsmasq fixes from testing.
- Allow kernel NFS server to getattr filesystems so df can work
  on clients.

Changelog

@@ -1,3 +1,10 @@
+- Allow semanage to read from /root on strict non-MLS for
+  local policy modules.
+- Gentoo init script fixes for udev.
+- Allow udev to read kernel modules.inputmap.
+- Dnsmasq fixes from testing.
+- Allow kernel NFS server to getattr filesystems so df can work
+  on clients.
 - Patch from Matt Anderson for a MLS constraint exemption on a
   file that can be written to from a subject whose range is
   within the object's range.

policy/modules/admin/logrotate.te

@@ -1,5 +1,5 @@
 
-policy_module(logrotate,1.3.0)
+policy_module(logrotate,1.3.1)
 
 ########################################
 #
@@ -118,6 +118,7 @@ seutil_dontaudit_read_config(logrotate_t)
 
 sysnet_read_config(logrotate_t)
 
+userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
 
 cron_system_entry(logrotate_t, logrotate_exec_t)

policy/modules/admin/portage.if

@@ -325,6 +325,8 @@ interface(`portage_main_domain',`
 
 	# run setfiles -r
 	seutil_domtrans_setfiles($1)
+	# run semodule
+	seutil_domtrans_semanage($1)
 
 	portage_domtrans_gcc_config($1)
 

policy/modules/admin/portage.te

@@ -1,5 +1,5 @@
 
-policy_module(portage,1.1.0)
+policy_module(portage,1.1.1)
 
 ########################################
 #

policy/modules/kernel/filesystem.if

@@ -629,6 +629,26 @@ interface(`fs_read_cifs_files',`
 	allow $1 cifs_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of filesystems that
+##	do not have extended attribute support.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_noxattr_fs',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read all noxattrfs directories.

policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.4.1)
+policy_module(filesystem,1.4.2)
 
 ########################################
 #

policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.4.0)
+policy_module(kernel,1.4.1)
 
 ########################################
 #
@@ -287,6 +287,8 @@ optional_policy(`
 	corenet_sendrecv_portmap_client_packets(kernel_t)
 	corenet_sendrecv_generic_server_packets(kernel_t)
 
+	fs_getattr_xattr_fs(kernel_t)
+
 	auth_dontaudit_getattr_shadow(kernel_t)
 
 	sysnet_read_config(kernel_t)
@@ -296,19 +298,21 @@ optional_policy(`
 	rpc_udp_rw_nfs_sockets(kernel_t) 
 
 	tunable_policy(`nfs_export_all_ro',`
-		fs_list_noxattr_fs(kernel_t) 
-		fs_read_noxattr_fs_files(kernel_t) 
-		fs_read_noxattr_fs_symlinks(kernel_t) 
+		fs_getattr_noxattr_fs(kernel_t)
+		fs_list_noxattr_fs(kernel_t)
+		fs_read_noxattr_fs_files(kernel_t)
+		fs_read_noxattr_fs_symlinks(kernel_t)
 
-		auth_read_all_dirs_except_shadow(kernel_t) 
-		auth_read_all_files_except_shadow(kernel_t) 
-		auth_read_all_symlinks_except_shadow(kernel_t) 
+		auth_read_all_dirs_except_shadow(kernel_t)
+		auth_read_all_files_except_shadow(kernel_t)
+		auth_read_all_symlinks_except_shadow(kernel_t)
 	')
 
 	tunable_policy(`nfs_export_all_rw',`
-		fs_list_noxattr_fs(kernel_t) 
-		fs_read_noxattr_fs_files(kernel_t) 
-		fs_read_noxattr_fs_symlinks(kernel_t) 
+		fs_getattr_noxattr_fs(kernel_t)
+		fs_list_noxattr_fs(kernel_t)
+		fs_read_noxattr_fs_files(kernel_t)
+		fs_read_noxattr_fs_symlinks(kernel_t)
 
 		auth_manage_all_files_except_shadow(kernel_t)
 	')

policy/modules/services/dnsmasq.te

@@ -1,5 +1,5 @@
 
-policy_module(dnsmasq,1.1.0)
+policy_module(dnsmasq,1.1.1)
 
 ########################################
 #
@@ -21,9 +21,11 @@ files_pid_file(dnsmasq_var_run_t)
 # Local policy
 #
 
-allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
+allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
 dontaudit dnsmasq_t self:capability sys_tty_config;
-allow dnsmasq_t self:process signal_perms;
+allow dnsmasq_t self:process { setcap signal_perms };
+allow dnsmasq_t self:fifo_file { read write };
+allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
 allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
 allow dnsmasq_t self:udp_socket create_socket_perms;
 allow dnsmasq_t self:packet_socket create_socket_perms;

policy/modules/system/hotplug.if

@@ -160,3 +160,21 @@ interface(`hotplug_read_config',`
 	allow $1 hotplug_etc_t:lnk_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Search the hotplug PIDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hotplug_search_pids',`
+	gen_require(`
+		type hotplug_var_run_t;
+	')
+
+	allow $1 hotplug_var_run_t:dir search_dir_perms;
+	files_search_pids($1)
+')

policy/modules/system/hotplug.te

@@ -1,5 +1,5 @@
 
-policy_module(hotplug,1.3.0)
+policy_module(hotplug,1.3.1)
 
 ########################################
 #

policy/modules/system/init.if

@@ -1072,6 +1072,26 @@ interface(`init_read_script_files',`
 	allow $1 initrc_exec_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of init script
+##	status files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_script_status_files',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	allow $1 initrc_state_t:dir search_dir_perms;
+	allow $1 initrc_state_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read init script

policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.4.2)
+policy_module(init,1.4.3)
 
 gen_require(`
 	class passwd rootok;

policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.3.3)
+policy_module(selinuxutil,1.3.4)
 
 ifdef(`strict_policy',`
 	gen_require(`
@@ -617,10 +617,13 @@ seutil_manage_default_contexts(semanage_t)
 
 userdom_search_sysadm_home_dirs(semanage_t)
 
-ifdef(`targeted_policy',`
+# cjp: need a more general way to handle this:
+ifdef(`enable_mls',`
+	# read secadm tmp files
+',`
 	# Handle pp files created in homedir and /tmp
-	files_read_generic_tmp_files(semanage_t)
-	userdom_read_generic_user_home_content_files(semanage_t)
+	userdom_read_sysadm_home_content_files(semanage_t)
+	userdom_read_sysadm_tmp_files(semanage_t)
 ')
 
 ########################################

policy/modules/system/udev.te

@@ -1,5 +1,5 @@
 
-policy_module(udev,1.4.0)
+policy_module(udev,1.4.1)
 
 ########################################
 #
@@ -136,6 +136,8 @@ logging_send_syslog_msg(udev_t)
 miscfiles_read_localization(udev_t)
 
 modutils_domtrans_insmod(udev_t)
+# read modules.inputmap:
+modutils_read_module_deps(udev_t)
 
 seutil_read_config(udev_t)
 seutil_read_default_contexts(udev_t)
@@ -148,6 +150,12 @@ sysnet_domtrans_dhcpc(udev_t)
 userdom_use_sysadm_ttys(udev_t)
 userdom_dontaudit_search_all_users_home_content(udev_t)
 
+ifdef(`distro_gentoo',`
+	# during boot, init scripts use /dev/.rcsysinit
+	# existance to determine if we are in early booting
+	init_getattr_script_status_files(udev_t)
+')
+
 ifdef(`distro_redhat',`
 	fs_manage_tmpfs_dirs(udev_t)
 	fs_manage_tmpfs_files(udev_t)
@@ -183,6 +191,8 @@ optional_policy(`
 
 optional_policy(`
 	hotplug_read_config(udev_t)
+	# usb.agent searches /var/run/usb
+	hotplug_search_pids(udev_t)
 ')
 
 optional_policy(`

policy/modules/system/userdomain.if

@@ -4486,13 +4486,41 @@ interface(`userdom_search_sysadm_home_content_dirs',`
 ## </param>
 #
 interface(`userdom_read_sysadm_home_content_files',`
-	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
-	')
+	ifdef(`strict_policy',`
+		gen_require(`
+			type sysadm_home_dir_t, sysadm_home_t;
+		')
 
-	files_search_home($1)
-	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
-	allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
+		files_search_home($1)
+		allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
+		allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
+	',`
+		userdom_read_generic_user_home_content_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read files in the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_sysadm_tmp_files',`
+	ifdef(`strict_policy',`
+		gen_require(`
+			type sysadm_tmp_t;
+		')
+
+		files_search_tmp($1)
+		allow $1 sysadm_tmp_t:dir list_dir_perms;
+		allow $1 sysadm_tmp_t:{ file lnk_file } r_file_perms;
+	',`
+		files_read_generic_tmp_files($1)
+	')
 ')
 
 ########################################

policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.0.1)
+policy_module(userdomain,2.0.2)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;