From eab2cc89b49f18eb6bc2b571f24737c843eec8ca Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 22 Jun 2010 09:58:14 -0400
Subject: [PATCH] Slocate patch from Dan Walsh.

Locate attempts to look at network sate and does getattr on all blk/chr and noxattr symlinks.
---
 policy/modules/apps/slocate.te      |  6 ++++-
 policy/modules/kernel/filesystem.if | 38 +++++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.te |  2 +-
 3 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
index fc443ec5a..e9134f015 100644
--- a/policy/modules/apps/slocate.te
+++ b/policy/modules/apps/slocate.te
@@ -1,4 +1,4 @@
-policy_module(slocate, 1.9.0)
+policy_module(slocate, 1.9.1)
 
 #################################
 #
@@ -29,6 +29,7 @@ manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
 manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
 
 kernel_read_system_state(locate_t)
+kernel_dontaudit_search_network_state(locate_t)
 kernel_dontaudit_search_sysctl(locate_t)
 
 corecmd_exec_bin(locate_t)
@@ -47,8 +48,11 @@ fs_getattr_all_fs(locate_t)
 fs_getattr_all_files(locate_t)
 fs_getattr_all_pipes(locate_t)
 fs_getattr_all_symlinks(locate_t)
+fs_getattr_all_blk_files(locate_t)
+fs_getattr_all_chr_files(locate_t)
 fs_list_all(locate_t)
 fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
 
 # getpwnam
 auth_use_nsswitch(locate_t)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 85b3bb428..0df5803c7 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
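Review bot: The new `kernel_dontaudit_search_network_state(locate_t)` line carries no comment explaining why a file indexer touches /proc/net, and the commit message only says that locate "attempts to look at network state". A dontaudit hides the denial without granting anything, which is the right call if the access is merely incidental to walking /proc; if so, a comment such as `# updatedb descends into /proc/net unless pruned; silence, do not allow` would stop the next maintainer from upgrading it to an allow. Whether /proc is excluded in the deployment's updatedb configuration is not visible here, so confirm the wording against it. The locate_t rule block continues before and after this hunk.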
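Review bot: The third hunk widens locate_t's stat access to block and character device nodes and to symlink targets on noxattr filesystems, but leaves sock_file out, so an indexing run over a noxattr or genfs mount that holds a socket will still log a getattr denial. filesystem.if already provides `fs_dontaudit_getattr_all_sockets`, so adding `fs_dontaudit_getattr_all_sockets(locate_t)` beside the new lines (or an allow variant, if one exists) would make the set consistent with the surrounding `fs_getattr_all_*` calls. `fs_read_noxattr_fs_symlinks(locate_t)` grants read of link targets rather than only getattr, which is broader than the neighbouring rules and, judging by the interface name, covers filesystems whose labels come from the mount rather than from xattrs; a comment such as `# updatedb needs readlink on noxattr filesystems (nfs, vfat)` would record why the wider permission is needed. The locate_t rule block continues outside the hunk.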
@@ -4572,6 +4572,44 @@ interface(`fs_dontaudit_getattr_all_sockets',`
 	dontaudit $1 filesystem_type:sock_file getattr;
 ')
 
+########################################
+##
+##	Get the attributes of all block device nodes with
+##	a filesystem type.
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_all_blk_files',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	getattr_blk_files_pattern($1, filesystem_type, filesystem_type)
+')
+
+########################################
+##
+##	Get the attributes of all character device nodes with
+##	a filesystem type.
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_all_chr_files',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	getattr_chr_files_pattern($1, filesystem_type, filesystem_type)
+')
+
 ########################################
 ##
 ##	Unconfined access to filesystems
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 5637b17e7..fb63c3add 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.13.0)
+policy_module(filesystem, 1.13.1)
 
 ########################################
 #
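Review bot: The summaries for the new `fs_getattr_all_blk_files` and `fs_getattr_all_chr_files` interfaces describe only the getattr on device nodes, but if `getattr_blk_files_pattern` and `getattr_chr_files_pattern` follow the other `*_pattern` support macros they also allow `search` on every `filesystem_type` directory, which is a wider grant than the names suggest. State it in each summary, e.g. `##	Get the attributes of all block device nodes labeled with a filesystem type; also allows search on directories of those types.` The interfaces are otherwise consistent with the existing `fs_getattr_all_files` / `fs_getattr_all_symlinks` family and are scoped to `filesystem_type`, so they do not reach nodes under /dev carrying device types. The documentation markup around the summaries does not survive in this rendering, so the exact doc text is inferred and should be checked in the file itself.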