author | Chris PeBenito <cpebenito@tresys.com> | 2009-07-29 08:59:26 -0400 |
committer | Chris PeBenito <cpebenito@tresys.com> | 2009-07-29 08:59:26 -0400 |
commit | 33322290f2ba64f3fde34dc23cce9986805e8263 (patch) | |
tree | f63c3fa187be4daab3d896fe4ab92f6c2c455793 | |
parent | 8f3bddfbfdedf84838c0232a7f30b510ca673fa3 (diff) |
automount patch from dan.
-rw-r--r-- | policy/modules/services/automount.if | 19 | ||||
-rw-r--r-- | policy/modules/services/automount.te | 7 | ||||
-rw-r--r-- | policy/modules/system/mount.if | 18 | ||||
-rw-r--r-- | policy/modules/system/mount.te | 2 |
4 files changed, 43 insertions, 3 deletions
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index 89bccaac..4ff1bdf8 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -21,6 +21,25 @@ interface(`automount_domtrans',`
 ########################################
 ## <summary>
+## Send automount a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
 ## Execute automount in the caller domain.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index c17c4db4..c76382b1 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount, 1.11.1)
+policy_module(automount, 1.11.2)
 ########################################
 #
@@ -71,6 +71,7 @@ files_search_all(automount_t)
 files_mounton_all_mountpoints(automount_t)
 files_mount_all_file_type_fs(automount_t)
 files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
 fs_mount_all_fs(automount_t)
 fs_unmount_all_fs(automount_t)
@@ -100,6 +101,7 @@ corenet_udp_bind_reserved_port(automount_t)
 corenet_udp_bind_all_rpc_ports(automount_t)
 dev_read_sysfs(automount_t)
+dev_rw_autofs(automount_t)
 # for SSP
 dev_read_rand(automount_t)
 dev_read_urand(automount_t)
@@ -142,6 +144,7 @@ miscfiles_read_certs(automount_t)
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)
+mount_signal(automount_t)
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
 userdom_dontaudit_search_user_home_dirs(automount_t)
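Review bot: The header of the new `automount_signal` interface carries two consecutive bare `#` lines between `+## </param>` and `+interface(`automount_signal',``, while the sibling `mount_signal` interface this same commit adds to mount.if uses a single `#`; the duplicate line should be dropped. The two new interfaces also document the same `domain` parameter with different wording (`The type of the process performing this action.` here, `Domain allowed access.` in mount.if) and only the mount.if summary ends with a period. Aligning both on the mount.if form, `## Send a generic signal to automount.` and `## Domain allowed access.`, keeps the generated interface documentation consistent.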
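Review bot: The added `files_manage_non_security_dirs(automount_t)` in the `@@ -71,6 +71,7 @@` hunk of automount.te grants automount create, delete and rename rights on directories of every non-security file type, a far wider footprint than the mount-point-scoped permissions on the three context lines above it, and the hunk records no reason for it. A short comment naming the directories automount actually has to manage would let a later reviewer narrow the rule; if the need is only to create mount points under automount-managed paths, a mount-point-specific interface would be the least-privilege choice. Suggested comment above the call: `# TODO(review): document which directories automount creates or removes; narrow this if a mountpoint-scoped interface suffices`.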
@@ -155,7 +158,7 @@ optional_policy(`
 ')
 optional_policy(`
- kerberos_read_keytab(automount_t)
+ kerberos_keytab_template(automount, automount_t)
 kerberos_read_config(automount_t)
 kerberos_dontaudit_write_config(automount_t)
 ')
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index bb547ea9..d7e78ad6 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -73,6 +73,24 @@ interface(`mount_exec',`
 ########################################
 ## <summary>
+## Send a generic signal to mount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_signal',`
+ gen_require(`
+ type mount_t;
+ ')
+
+ allow $1 mount_t:process signal;
+')
+
+########################################
+## <summary>
 ## Use file descriptors for mount.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 8d7d9fc0..db30a480 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount, 1.10.0)
+policy_module(mount, 1.10.1)
 ########################################
 #
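Review bot: Replacing `kerberos_read_keytab(automount_t)` with `kerberos_keytab_template(automount, automount_t)` changes which keytab automount may read rather than only adding to it: as I read the template, it declares a per-module keytab type (presumably `automount_keytab_t`) and grants automount read access to that type, while the removed line was what granted access to the generic keytab type. The diffstat lists no automount.fc change, so nothing in this commit labels a keytab file with the new type; unless such a file context exists outside the commit, automount's keytab reads start being denied after this update. Either add the file context entry and reference it in a comment here, or keep `kerberos_read_keytab(automount_t)` next to the template call until one exists. The enclosing `optional_policy` block is shown in full by the hunk.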