From b49d85c83df8ebcdd0f919e94e040fe881595add Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 18 Apr 2017 20:38:13 -0400
Subject: [PATCH] misc daemons from Russell Coker.
Put in libx32 subs entries that refer to directories with fc entries. Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for dpkg-reconfigure. Some dontaudit rules for mta processes spawned by mon for notification. Lots of tiny changes that are obvious.
---
 config/file_contexts.subs_dist | 3 ++-
 policy/modules/admin/dmesg.te | 3 ++-
 policy/modules/admin/netutils.te | 4 +++-
 policy/modules/contrib | 2 +-
 policy/modules/system/fstools.te | 6 +++++-
 policy/modules/system/udev.if | 18 ++++++++++++++++++
 policy/modules/system/udev.te | 2 +-
 7 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index d54324edb..ed4a562ff 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -12,13 +12,14 @@
 /lib /usr/lib
 /lib32 /usr/lib
 /lib64 /usr/lib
-/libx32 /usr/libx32
+/libx32 /usr/lib
 /sbin /usr/sbin
 /etc/init.d /etc/rc.d/init.d
 /lib/systemd /usr/lib/systemd
 /run/lock /var/lock
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib
+/usr/libx32 /usr/lib
 /usr/local/lib32 /usr/lib
 /usr/local/lib64 /usr/lib
 /usr/local/lib /usr/lib
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 6bcdb7344..9c5503620 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,4 +1,4 @@
-policy_module(dmesg, 1.5.1)
+policy_module(dmesg, 1.5.2)
 ########################################
 #
@@ -29,6 +29,7 @@ kernel_read_proc_symlinks(dmesg_t)
 kernel_dontaudit_search_unlabeled(dmesg_t)
 dev_read_sysfs(dmesg_t)
+dev_read_kmsg(dmesg_t)
 fs_search_auto_mountpoints(dmesg_t)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 67d0f5b05..b84d0da21 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
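Review bot: The new `/libx32 /usr/lib` and `/usr/libx32 /usr/lib` substitutions only work because both point straight at `/usr/lib`, and nothing in the file says so. As far as I can tell libselinux applies a single substitution and never chains through a second entry, which is presumably why the removed `/libx32 /usr/libx32` line never yielded a label: `/usr/libx32` has no file_contexts entries of its own, as the commit message notes. Assuming `#` comment lines are accepted here as in other libselinux config files, a line such as `# substitutions are not chained: every target must itself have fc entries` above the block would stop the indirect form from being reintroduced. It is also worth being aware that with this mapping in place an x32-specific label under /usr/libx32 can no longer be expressed, since the prefix is rewritten before the fc lookup.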
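Review bot: `dev_read_kmsg(dmesg_t)` carries no comment saying why the domain now needs /dev/kmsg in addition to whatever ring-buffer access it already has; the rest of dmesg_t's rules are outside the hunk. Presumably this is for util-linux dmesg, which reads /dev/kmsg when it is present and falls back to syslog(2) otherwise, and a line such as `# util-linux dmesg reads /dev/kmsg in preference to syslog(2)` above the rule would record that. For the reader assessing exposure: this grants read on the device node only, and as far as I know the kernel's own dmesg_restrict/CAP_SYSLOG check on /dev/kmsg is applied independently of this rule.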
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.16.1)
+policy_module(netutils, 1.16.2)
 ########################################
 #
@@ -125,6 +125,8 @@ corenet_tcp_sendrecv_generic_node(ping_t)
 corenet_raw_bind_generic_node(ping_t)
 corenet_tcp_sendrecv_all_ports(ping_t)
+dev_read_urand(ping_t)
+
 fs_dontaudit_getattr_xattr_fs(ping_t)
 domain_use_interactive_fds(ping_t)
diff --git a/policy/modules/contrib b/policy/modules/contrib
index cc8217920..89c5442a0 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit cc8217920149792e4a1ef7cc60af22e3b2bc6117
+Subproject commit 89c5442a083107b0092f408ba1c9b6f0a40a49b4
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index a56bfc052..b4104ee81 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.20.2)
+policy_module(fstools, 1.20.3)
 ########################################
 #
@@ -208,6 +208,10 @@ optional_policy(`
 optional_policy(`
 udev_read_db(fsadm_t)
+
+ # Xen causes losetup to run with a presumably accidentally inherited
+ # file handle for /run/xen-hotplug/block
+ udev_dontaudit_rw_pid_files(fsadm_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 8a7892929..9d5473e06 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -338,6 +338,24 @@ interface(`udev_read_pid_files',`
 read_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
+########################################
+##
+## dontaudit attempts to read/write udev pidfiles
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_dontaudit_rw_pid_files',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ dontaudit $1 udev_var_run_t:file { read write };
+')
+
 ########################################
 ##
 ## Create, read, write, and delete
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 2ea10f3d5..4b2e1d75a 100644
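Review bot: The comment above the new `udev_dontaudit_rw_pid_files(fsadm_t)` call describes the symptom but not why silencing the access, rather than allowing it, is safe, nor that it silences more than the one case it names. The denial is presumably the kernel's execve-time revalidation of inherited descriptors: a descriptor the new domain may not use is replaced with /dev/null and the denial logged, so losetup never actually touches /run/xen-hotplug/block and nothing is lost by dontaudit. Because the interface covers every udev_var_run_t file, a genuine read/write attempt by fsadm_t on something under /run/udev would also disappear from the audit log. I would reword the comment to say both, e.g. `# losetup run from the xen block hotplug script inherits an fd on /run/xen-hotplug/block;` / `# the fd is revoked at exec, so only silence the check (this also hides real rw on /run/udev/*)`. The optional_policy block is fully visible, but the rest of fsadm_t's rules are not.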
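Review bot: The summary of the new `udev_dontaudit_rw_pid_files` interface does not say what it is for, and `{ read write }` with no getattr, ioctl or directory search only makes sense for a descriptor that was already open when the caller was exec'd; a domain that opened a file under /run/udev itself would, unless it already has search on udev_var_run_t from elsewhere, still be audited on the directory lookup. Saying so in the summary keeps the interface from being reached for as a general "quiet the udev denials" knob. I would write it as `dontaudit read/write of udev runtime files (udev_var_run_t), for descriptors leaked across exec into the domain`. The name mirrors the sibling `udev_read_pid_files`, so it is consistent even though udev_var_run_t covers /run/udev more broadly than pid files.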
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.8)
+policy_module(udev, 1.21.9)
 ########################################
 #