fix bad rules in samba, bug 1623

refpolicy/policy/modules/kernel/filesystem.if

@@ -2410,6 +2410,25 @@ interface(`fs_getattr_tmpfs_dirs',`
 	allow $1 tmpfs_t:dir getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of tmpfs directories.

refpolicy/policy/modules/services/samba.te

@@ -245,6 +245,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
 
 dev_read_sysfs(smbd_t)
 dev_read_urand(smbd_t)
+dev_getattr_mtrr_dev(smbd_t)
 dev_dontaudit_getattr_usbfs_dirs(smbd_t)
 
 fs_getattr_all_fs(smbd_t)
@@ -286,6 +287,12 @@ userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
 userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fds(smbd_t)
 
+ifdef(`hide_broken_symptoms', `
+	files_dontaudit_getattr_default_dirs(smbd_t)
+	files_dontaudit_getattr_boot_dirs(smbd_t)
+	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+')
+
 ifdef(`targeted_policy', `
 	files_dontaudit_read_root_files(smbd_t)
 	term_dontaudit_use_generic_ptys(smbd_t)
@@ -326,19 +333,6 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
 
-ifdef(`hide_broken_symptoms', `
-gen_require(`
-	type boot_t, default_t, tmpfs_t;
-')
-dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
-dontaudit smbd_t devpts_t:dir getattr;
-')
-
-gen_require(`
-	type mtrr_device_t;
-')
-allow smbd_t mtrr_device_t:file getattr;
-
 ########################################
 #
 # nmbd Local policy