misc interfaces

This patch has some small interface changes as well as the policy patches to
use the new interfaces.

policy/modules/admin/bootloader.te

@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
 mls_file_write_all_levels(bootloader_t)
 
 term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 
 corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
 files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloader_t)
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
 
+fs_list_hugetlbfs(bootloader_t)
 fs_mount_fusefs(bootloader_t)
 fs_mount_xattr_fs(bootloader_t)
 fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
 
 	# for apt-cache
 	apt_read_db(bootloader_t)
-	apt_read_cache(bootloader_t)
+	apt_manage_cache(bootloader_t)
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
@@ -203,6 +206,10 @@ optional_policy(`
 	fstools_exec(bootloader_t)
 ')
 
+optional_policy(`
+	gpm_getattr_gpmctl(bootloader_t)
+')
+
 optional_policy(`
 	hal_dontaudit_append_lib_files(bootloader_t)
 	hal_write_log(bootloader_t)
@@ -229,6 +236,10 @@ optional_policy(`
 	nscd_use(bootloader_t)
 ')
 
+optional_policy(`
+	raid_read_mdadm_pid(bootloader_t)
+')
+
 optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')

policy/modules/admin/dpkg.if

@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
 
 	allow $1 dpkg_script_tmp_t:file map;
 ')
+
+########################################
+## <summary>
+##	read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+	gen_require(`
+		type dpkg_script_tmp_t;
+	')
+
+	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')

policy/modules/services/gpm.if

@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 	')
 
 	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+	dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
 ')
 
 ########################################

policy/modules/system/authlogin.if

@@ -821,6 +821,25 @@ interface(`auth_append_lastlog',`
 	allow $1 lastlog_t:file { append_file_perms lock };
 ')
 
+#######################################
+## <summary>
+##	relabel the last logins log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
 #######################################
 ## <summary>
 ##	Read and write to the last logins log.
@@ -840,6 +859,25 @@ interface(`auth_rw_lastlog',`
 	allow $1 lastlog_t:file { rw_file_perms lock setattr };
 ')
 
+########################################
+## <summary>
+##     Manage the last logins log.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	allow $1 lastlog_t:file manage_file_perms;
+	logging_rw_generic_log_dirs($1)
+')
+
 ########################################
 ## <summary>
 ##	Execute pam programs in the pam domain.

policy/modules/system/modutils.te

@@ -136,6 +136,7 @@ optional_policy(`
 	# for postinst of a new kernel package
 	dpkg_manage_script_tmp_files(kmod_t)
 	dpkg_map_script_tmp_files(kmod_t)
+	dpkg_read_script_tmp_links(kmod_t)
 ')
 
 optional_policy(`

policy/modules/system/raid.if

@@ -46,6 +46,26 @@ interface(`raid_run_mdadm',`
 	roleattribute $1 mdadm_roles;
 ')
 
+########################################
+## <summary>
+##	read mdadm pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+	gen_require(`
+		type mdadm_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 mdadm_var_run_t:dir list_dir_perms;
+	allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete

policy/modules/system/sysnetwork.if

@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
 	optional_policy(`
 		nscd_use($1)
 	')
+	optional_policy(`
+	# for /etc/resolv.conf symlink
+		networkmanager_read_pid_files($1)
+	')
 
 	ifdef(`init_systemd',`
 		optional_policy(`

policy/modules/system/systemd.te

@@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfiles_t)
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
+fs_getattr_tmpfs(systemd_tmpfiles_t)
+fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
 
+auth_append_lastlog(systemd_tmpfiles_t)
 auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_lastlog(systemd_tmpfiles_t)
 auth_manage_login_records(systemd_tmpfiles_t)
 auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_lastlog(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)