devicekit, mount, xserver, and selinuxutil from Russell Coker

Allow devicekit_power_t to chat to xdm via dbus and log via syslog.

Allow mount_t to do more with it's runtime files and stat more filesystem
types.

Allow xauth to send sigchld to xdm.

Allow semanage to search policy_src_t dirs and read /dev/urandom.

policy/modules/contrib

@@ -1 +1 @@
-Subproject commit 2b8cc38af0ccc125a8004ec09d5f052c3cce4a9f
+Subproject commit 8f3a5492d213d8ffecb0233ce1ff924485bb72d2

policy/modules/services/xserver.te

@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.7)
+policy_module(xserver, 3.13.8)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
@@ -275,6 +275,7 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 allow xdm_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
 
+allow xauth_t xdm_t:process sigchld;
 allow xauth_t xdm_t:fd use;
 allow xauth_t xdm_t:fifo_file { getattr read };
 allow xauth_t xdm_t:unix_stream_socket { read write };
@@ -643,6 +644,7 @@ allow xserver_t input_xevent_t:x_event send;
 
 allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
 dontaudit xserver_t self:capability chown;
+allow xserver_t self:capability2 wake_alarm;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;

policy/modules/system/mount.te

@@ -1,4 +1,4 @@
-policy_module(mount, 1.19.2)
+policy_module(mount, 1.19.3)
 
 ########################################
 #
@@ -53,8 +53,8 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
-create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
-create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+manage_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
 rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
 files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
 
@@ -101,7 +101,10 @@ files_dontaudit_write_all_mountpoints(mount_t)
 files_dontaudit_setattr_all_mountpoints(mount_t)
 
 fs_getattr_xattr_fs(mount_t)
+fs_getattr_tmpfs(mount_t)
+fs_getattr_rpc_pipefs(mount_t)
 fs_getattr_cifs(mount_t)
+fs_getattr_nfs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)

policy/modules/system/selinuxutil.te

@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.6)
+policy_module(selinuxutil, 1.22.7)
 
 gen_require(`
 	bool secure_mode;
@@ -476,6 +476,8 @@ allow semanage_t self:fifo_file rw_fifo_file_perms;
 
 allow semanage_t policy_config_t:file rw_file_perms;
 
+allow semanage_t policy_src_t:dir search;
+
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
 
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
@@ -572,6 +574,7 @@ kernel_dontaudit_list_all_proc(setfiles_t)
 kernel_dontaudit_list_all_sysctls(setfiles_t)
 kernel_getattr_debugfs(setfiles_t)
 
+dev_read_urand(setfiles_t)
 dev_relabel_all_dev_nodes(setfiles_t)
 # to handle when /dev/console needs to be relabeled
 dev_rw_generic_chr_files(setfiles_t)