trunk: 5 patches from dan.

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 810ae5f4355c7a138f25951dce17159d8338f2a3..4250bbd2acb82f2263135ae6613f5047bc7c7f7f 100644 (file)
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
 
-policy_module(alsa, 1.7.0)
+policy_module(alsa, 1.7.1)
 
 ########################################
 #
@@ -43,6 +43,7 @@ kernel_read_system_state(alsa_t)
 
 dev_read_sound(alsa_t)
 dev_write_sound(alsa_t)
+dev_read_sysfs(alsa_t)
 
 corecmd_exec_bin(alsa_t)
 

diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index d8bf97fff818a7badd98ad879c29c2298605460b..955532d63b8894891986d2b003bcc1558bb5ffbf 100644 (file)
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -1,5 +1,5 @@
 
-policy_module(consoletype, 1.7.0)
+policy_module(consoletype, 1.7.1)
 
 ########################################
 #
@@ -18,7 +18,7 @@ role system_r types consoletype_t;
 # Local declarations
 #
 
-allow consoletype_t self:capability sys_admin;
+allow consoletype_t self:capability { sys_admin sys_tty_config };
 allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow consoletype_t self:fd use;
 allow consoletype_t self:fifo_file rw_fifo_file_perms;
@@ -38,6 +38,7 @@ kernel_dontaudit_read_system_state(consoletype_t)
 fs_getattr_all_fs(consoletype_t)
 fs_search_auto_mountpoints(consoletype_t)
 fs_write_nfs_files(consoletype_t)
+fs_list_inotifyfs(consoletype_t)
 
 mls_file_read_all_levels(consoletype_t)
 mls_file_write_all_levels(consoletype_t)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 5d3068b5d2a9718f982ee63f11385ad603819976..1c753faeded31861e2fc06684ddb16c80fe7ec7a 100644 (file)
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
 
-policy_module(netutils, 1.8.2)
+policy_module(netutils, 1.8.3)
 
 ########################################
 #
@@ -128,6 +128,8 @@ domain_use_interactive_fds(ping_t)
 files_read_etc_files(ping_t)
 files_dontaudit_search_var(ping_t)
 
+kernel_read_system_state(ping_t)
+
 auth_use_nsswitch(ping_t)
 
 logging_send_syslog_msg(ping_t)
@@ -145,6 +147,10 @@ tunable_policy(`user_ping',`
        term_use_all_user_ptys(ping_t)
 ')
 
+optional_policy(`
+       munin_append_log(ping_t)
+')
+
 optional_policy(`
        pcmcia_use_cardmgr_fds(ping_t)
 ')

diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if
index 001e1488c44fd43a85f8d226b2b7133abe4bb3e2..2dc9f53f7a2f57071c68f8140265e566dc93642c 100644 (file)
--- a/policy/modules/admin/vbetool.if
+++ b/policy/modules/admin/vbetool.if
@@ -18,3 +18,28 @@ interface(`vbetool_domtrans',`
        corecmd_search_bin($1)
        domtrans_pattern($1, vbetool_exec_t, vbetool_t)
 ')
+
+########################################
+## <summary>
+##     Execute vbetool in the vbetool domain, and
+##     allow the specified role the vbetool domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the vbetool domain.
+##     </summary>
+## </param>
+#
+interface(`vbetool_run',`
+       gen_require(`
+               type vbetool_t;
+       ')
+
+       vbetool_domtrans($1)
+       role $2 types vbetool_t;
+')

diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index a6d316e345f4b8ea31511a4adfe240e59e6a64e0..34e0a33eedaf55ba19c0d7127f026d5b013b4c93 100644 (file)
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -1,5 +1,5 @@
 
-policy_module(vbetool, 1.3.0)
+policy_module(vbetool, 1.3.1)
 
 ########################################
 #
@@ -23,6 +23,8 @@ dev_read_raw_memory(vbetool_t)
 dev_rwx_zero(vbetool_t)
 dev_read_sysfs(vbetool_t)
 
+domain_mmap_low(vbetool_t)
+
 term_use_unallocated_ttys(vbetool_t)
 
 miscfiles_read_localization(vbetool_t)

diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index 8779a187d9a2b31e9141c1807c0f5449d2d11970..b5272fb119bf6fac287b386769fe0c02022a156e 100644 (file)
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -45,6 +45,24 @@ interface(`vpn_run',`
        sysnet_run_ifconfig(vpnc_t, $2)
 ')
 
+########################################
+## <summary>
+##     Send VPN clients the kill signal.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`vpn_kill',`
+       gen_require(`
+               type vpnc_t;
+       ')
+
+       allow $1 vpnc_t:process sigkill;
+')
+
 ########################################
 ## <summary>
 ##     Send generic signals to VPN clients.
@@ -63,6 +81,24 @@ interface(`vpn_signal',`
        allow $1 vpnc_t:process signal;
 ')
 
+########################################
+## <summary>
+##     Send signull to VPN clients.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`vpn_signull',`
+       gen_require(`
+               type vpnc_t;
+       ')
+
+       allow $1 vpnc_t:process signull;
+')
+
 ########################################
 ## <summary>
 ##     Send and receive messages from

diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index d3029b375f5badaa55564390574478de302b1edf..4fa636bc24d16addc81b18f9cc749e98775f2fd8 100644 (file)
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
 
-policy_module(vpn, 1.10.2)
+policy_module(vpn, 1.10.3)
 
 ########################################
 #

diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 19848bb2660ab29710a05c0b0bcde55342c9dbdd..903e39b0ffd286ac05cf9828dce209c6a858eefd 100644 (file)
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -43,6 +43,26 @@ interface(`munin_read_config',`
        files_search_etc($1)
 ')
 
+#######################################
+## <summary>
+##     Append to the munin log.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_append_log',`
+       gen_require(`
+               type munin_log_t;
+       ')
+
+       allow $1 munin_log_t:file append_file_perms;
+       logging_search_logs($1)
+')
+
 #######################################
 ## <summary>
 ##     Search munin library directories.

diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 2a0971dc3d0d07f0b93f86e56c39c01dfb6aef3f..f0aab7579a732e356573d9d9cefb9089a3d29e5d 100644 (file)
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
 
-policy_module(munin, 1.6.1)
+policy_module(munin, 1.6.2)
 
 ########################################
 #