some little misc things from Russell Coker.

This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).

policy/modules/contrib

@@ -1 +1 @@
-Subproject commit bbaade66e2b6ebad9fad744008a5390eac7a74d8
+Subproject commit f371df35b44f6ed874ce3ff8a57cb19df7ff0663

policy/modules/system/fstools.te

@@ -1,4 +1,4 @@
-policy_module(fstools, 1.20.5)
+policy_module(fstools, 1.20.6)
 
 ########################################
 #
@@ -152,6 +152,8 @@ logging_send_syslog_msg(fsadm_t)
 
 miscfiles_read_localization(fsadm_t)
 
+# for /run/mount/utab
+mount_getattr_runtime_files(fsadm_t)
 # losetup: bind mount_loopback_t files to loop devices
 mount_rw_loopback_files(fsadm_t)
 

policy/modules/system/mount.if

@@ -210,6 +210,24 @@ interface(`mount_rw_loopback_files',`
 	allow $1 mount_loopback_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##     Getattr on mount_var_run_t files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_getattr_runtime_files',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write mount runtime files.

policy/modules/system/mount.te

@@ -1,4 +1,4 @@
-policy_module(mount, 1.19.4)
+policy_module(mount, 1.19.5)
 
 ########################################
 #

policy/modules/system/selinuxutil.te

@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.7)
+policy_module(selinuxutil, 1.22.8)
 
 gen_require(`
 	bool secure_mode;
@@ -665,6 +665,10 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
+optional_policy(`
+	apt_use_fds(setfiles_t)
+')
+
 optional_policy(`
 	hotplug_use_fds(setfiles_t)
 ')