[selinux-policy: 1730/3172] - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes to handle usage from us

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:34:31 UTC 2010


commit 882186c9338fdeff10f10456aa41e6f1c6da4255
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed May 2 17:31:38 2007 +0000

    - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
      to handle usage from userhelper.

 Changelog                         |    2 ++
 policy/modules/kernel/kernel.if   |   18 ++++++++++++++++++
 policy/modules/kernel/kernel.te   |    2 +-
 policy/modules/system/modutils.te |    7 ++++++-
 4 files changed, 27 insertions(+), 2 deletions(-)
---
diff --git a/Changelog b/Changelog
index 731e22d..f6bcd1c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
+  to handle usage from userhelper.
 - Patch to allow amavis to read spamassassin libraries from Dan Walsh.
 - Patch to allow slocate to getattr other filesystems and directories on those
   filesystems from Dan Walsh.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 39fd13f..00c3cc0 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -554,6 +554,24 @@ interface(`kernel_read_debugfs',`
 
 ########################################
 ## <summary>
+##	Mount a kernel VM filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain mounting the filesystem.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_kvmfs',`
+	gen_require(`
+		type kvmfs_t;
+	')
+
+	allow $1 kvmfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Unmount the proc filesystem.
 ## </summary>
 ## <param name="domain">
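Review bot: The summary for `kernel_mount_kvmfs` reads "Mount a kernel VM filesystem", which does not tell a policy author which filesystem `kvmfs_t` labels. If this is the filesystem set up by the KVM module (presumably, given the name), say so, e.g. `##	Mount the KVM (kvmfs) filesystem.`. The interface grants only `filesystem mount` on `kvmfs_t`, so it is narrowly scoped, but no matching unmount interface is added here; it is worth confirming whether a domain that mounts it ever needs to unmount it when the module is removed. The doc block of the next interface continues outside the hunk.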
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 2cccc45..cd5f366 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.6.0)
+policy_module(kernel,1.6.1)
 
 ########################################
 #
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 49bb1b8..3cb7fe7 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.3.0)
+policy_module(modutils,1.3.1)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -58,6 +58,7 @@ kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
 kernel_write_proc_files(insmod_t)
 kernel_mount_debugfs(insmod_t)
+kernel_mount_kvmfs(insmod_t)
 kernel_read_debugfs(insmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(insmod_t)
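Review bot: `kernel_mount_kvmfs(insmod_t)` is added without a comment, although the neighbouring `/proc/sys/kernel/tainted` rule carries one, and a mount permission on the module-loading domain should have its reason recorded. A line such as `# the kvm module mounts kvmfs when it is loaded` above the call would do, if that is indeed the trigger (the commit message does not say). Without it, a later least-privilege audit of insmod_t cannot tell whether the grant is still needed.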
@@ -157,6 +158,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dontaudit_rw_pipes(insmod_t)
+')
+
+optional_policy(`
 	# cjp: why is this needed:
 	dev_rw_xserver_misc(insmod_t)
 
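Review bot: The new `unconfined_dontaudit_rw_pipes(insmod_t)` block suppresses denials rather than granting access, so any read or write attempt by insmod_t on an unconfined_t pipe disappears from the audit log, not only the userhelper case named in the commit message. Record the reason in the policy, e.g. `# pipe inherited from userhelper; access is denied and not needed` (wording to be confirmed against the actual AVC). Someone chasing a missing denial then knows to rebuild with dontaudit rules disabled (`semodule -DB`). The block just below already carries a "cjp: why is this needed" comment, which shows how such rules lose their rationale; its optional_policy continues outside the hunk.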

