authorChris PeBenito <cpebenito@tresys.com>2006-08-18 18:20:22 +0000
committerChris PeBenito <cpebenito@tresys.com>2006-08-18 18:20:22 +0000
commite9b9e452143e3f1ea8203527846de074a4759c0c (patch)
treef5ce8351bb08689ea36172b5eef200635af6966c /policy/modules
parent4bc6e32e2889aed59e9c5d17c25093ddcc83f54f (diff)
testing fixes
Diffstat (limited to 'policy/modules')
-rw-r--r--policy/modules/kernel/corecommands.fc2
-rw-r--r--policy/modules/kernel/corecommands.te2
-rw-r--r--policy/modules/kernel/devices.fc7
-rw-r--r--policy/modules/kernel/devices.te2
-rw-r--r--policy/modules/kernel/terminal.fc10
-rw-r--r--policy/modules/kernel/terminal.te2
-rw-r--r--policy/modules/system/init.te7
-rw-r--r--policy/modules/system/libraries.fc12
-rw-r--r--policy/modules/system/libraries.te2
-rw-r--r--policy/modules/system/logging.te8
-rw-r--r--policy/modules/system/modutils.fc7
-rw-r--r--policy/modules/system/modutils.te4
12 files changed, 51 insertions, 14 deletions
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 8745c6f3..bcf84b38 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -103,6 +103,8 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
ifdef(`distro_gentoo',`
+/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
+/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
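Review bot: The new `/opt/RealPlayer/realplay(\.bin)?` entry carries no file-type specifier, unlike the vmware line directly below it, which uses `--`, so a directory or symlink of that name would also be labelled bin_t. If only the regular executable is meant, write `/opt/RealPlayer/realplay(\.bin)? -- gen_context(system_u:object_r:bin_t,s0)`. The `postint(/.*)?` entry presumably has to cover a directory tree and can stay unqualified, though the name looks like it may be a typo for `postinst` and is worth checking against the installed package. The same missing `--` appears on the `.api` and `.so` entries added in libraries.fc, where the neighbouring netscape plugin lines do use it.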
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 854ca0ea..5805cd07 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.3.11)
+policy_module(corecommands,1.3.12)
########################################
#
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index e1e67f60..f8735a47 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -12,7 +12,6 @@
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
-/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
@@ -99,6 +98,12 @@ ifdef(`distro_suse', `
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+ifdef(`distro_gentoo',`
+# used by init scripts to initally populate udev /dev
+/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+')
+
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
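Review bot: The comment on the new Gentoo block misspells "initially"; it should read `# used by init scripts to initially populate udev /dev`, and the same comment line is repeated in the terminal.fc hunk that adds /lib/udev/devices/console. Only null and zero receive device types here, so any other static node kept under /lib/udev/devices would presumably fall back to the generic library label. A short comment stating that the list is deliberately limited to the nodes the init scripts need would make that intent auditable.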
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 9d209458..c7aee136 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.16)
+policy_module(devices,1.1.17)
########################################
#
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index df0d76c0..22ef3916 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -1,10 +1,11 @@
/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0)
+/dev/[pt]ty[a-ep-z][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0)
/dev/adb.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/capi.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0)
-/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
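Review bot: The rewritten bracket expression `[a-ep-z]` relies on range semantics, which POSIX regular expressions define only for the C locale, whereas the enumerated form it replaces matched the same letters under any collation. Whether the labelling tools can run with a non-C LC_COLLATE is not visible from this hunk. If they can, a comment such as `# character ranges assume C-locale collation` above the entry would record the assumption.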
@@ -17,7 +18,7 @@
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
+/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -29,4 +30,7 @@
ifdef(`distro_gentoo',`
/dev/tts/[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+# used by init scripts to initally populate udev /dev
+/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 9fa8156c..216751b5 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.1.2)
+policy_module(terminal,1.1.3)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d798bd06..95809549 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.19)
+policy_module(init,1.3.20)
gen_require(`
class passwd rootok;
@@ -397,6 +397,11 @@ ifdef(`distro_debian',`
')
ifdef(`distro_gentoo',`
+ # needed until baselayout is fixed to have the
+ # restorecon on /dev to again be immediately after
+ # mounting tmpfs on /dev
+ fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+
optional_policy(`
arpwatch_manage_data_files(initrc_t)
')
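Review bot: The added `fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)` is described as a temporary workaround, but the comment gives a later maintainer no way to tell when it can be removed. Judging by the interface name, the transition applies to regular files initrc_t creates on any tmpfs mount, not only /dev, so unrelated files would presumably also be typed initrc_state_t while it is in place. I would extend the comment with a removal marker, e.g. `# TODO: drop once baselayout runs restorecon on /dev right after mounting tmpfs (bug: <tracker-id>)`. The distro_gentoo block continues past the end of this hunk.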
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 054f2bb1..ec811c6d 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -64,8 +64,20 @@ ifdef(`distro_gentoo',`
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
+# despite the extensions, they're actually libs
+/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api gen_context(system_u:object_r:shlib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.api gen_context(system_u:object_r:shlib_t,s0)
+
/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/codecs/.*\.so gen_context(system_u:object_r:shlib_t,s0)
+/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/common/.*\.so gen_context(system_u:object_r:shlib_t,s0)
+/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/lib/.*\.so gen_context(system_u:object_r:shlib_t,s0)
+/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/RealPlayer/mozilla/.*\.so gen_context(system_u:object_r:shlib_t,s0)
')
#
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index a1dd7d39..01236031 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.3.10)
+policy_module(libraries,1.3.11)
########################################
#
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index f209df68..0c1b3ed0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.8)
+policy_module(logging,1.3.9)
########################################
#
@@ -255,11 +255,13 @@ optional_policy(`
# syslogd local policy
#
-# sys_admin chown fsetid for syslog-ng
+# chown fsetid for syslog-ng
+# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
-allow syslogd_t self:process signal_perms;
+# setpgid for metalog
+allow syslogd_t self:process { signal_perms setpgid };
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
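Review bot: `setpgid` is added to syslogd_t only "for metalog", and the reworded comment ties `sys_admin` to the integrated klog of syslog-ng and metalog, yet both remain granted to every daemon that runs as syslogd_t. Since `sys_admin` is among the broadest capabilities, it is worth considering whether these two grants can sit behind an optional or distro-specific block, as the Gentoo-only rules elsewhere in this commit do. Whether that is feasible depends on how those daemons are labelled, which this hunk does not show. The syslogd local policy section starts and ends outside the hunk.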
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index aa219c13..688afeb8 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -2,6 +2,12 @@
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
+ifdef(`distro_gentoo',`
+# gentoo init scripts still manage this file
+# even if devfs is off
+/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)
+')
+
/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
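Review bot: The new pattern `/etc/modprobe.devfs.*` leaves the first dot unescaped, so it matches any character in that position, whereas the two entries above it escape theirs (`/etc/modules\.conf.*`, `/etc/modprobe\.conf.*`). Write `/etc/modprobe\.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0)` so that only the intended file names receive modules_conf_t.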
@@ -12,5 +18,6 @@
/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
+/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f50a4028..3884ddef 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils,1.1.3)
+policy_module(modutils,1.1.4)
gen_require(`
bool secure_mode_insmod;
@@ -68,7 +68,7 @@ files_read_kernel_modules(insmod_t)
# for locking: (cjp: ????)
files_write_kernel_modules(insmod_t)
-dev_search_sysfs(insmod_t)
+dev_read_sysfs(insmod_t)
dev_search_usbfs(insmod_t)
dev_rw_mtrr(insmod_t)
dev_read_urand(insmod_t)
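Review bot: Replacing `dev_search_sysfs(insmod_t)` with `dev_read_sysfs(insmod_t)` widens what insmod_t may do on sysfs, but the line carries no comment saying what needs the extra access, while the neighbouring `files_write_kernel_modules` line at least records its reason. A one-line why-comment above it, for example `# <tool> reads <sysfs path> while loading modules`, filled in from the test failure that prompted the change, would let a later audit decide whether the access is still required. The insmod_t rule list continues beyond this hunk.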