From c2b04d1ea2e6ac10c056f89f8dfc9107f211bab8 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 18 Apr 2017 21:17:36 -0400
Subject: [PATCH] kmod, lvm, brctl patches from Russell Coker

Patches for modutils, at least one of which is needed to generate an initramfs on Debian. Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts etc. Patch for brctl to allow it to create sysfs files.
---
policy/modules/contrib | 2 +-
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/devices.te | 2 +-
policy/modules/system/iptables.if | 18 ++++++++++++++++++
policy/modules/system/iptables.te | 2 +-
policy/modules/system/lvm.te | 6 +++++-
policy/modules/system/modutils.te | 11 ++++++++++-
7 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib b/policy/modules/contrib
index 89c5442a0..2b8cc38af 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit 89c5442a083107b0092f408ba1c9b6f0a40a49b4
+Subproject commit 2b8cc38af0ccc125a8004ec09d5f052c3cce4a9f
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 7da17d8a5..c833171f4 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4277,6 +4277,24 @@ interface(`dev_rw_sysfs',`
 list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
 
+########################################
+##
+## Add a sysfs file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_create_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ create_files_pattern($1, sysfs_t, sysfs_t)
+')
+
 ########################################
 ##
 ## Relabel hardware state directories.
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 277a6a19a..680acd9ef 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.6)
+policy_module(devices, 1.20.7)
 
 ########################################
 #
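Review bot: The documentation of the new `dev_create_sysfs_files` interface in devices.if does not say that sysfs_t labels the entire sysfs tree, so `create_files_pattern($1, sysfs_t, sysfs_t)` lets the caller create files anywhere under /sys, not only the bridge attributes the commit message mentions; the pattern itself is consistent with `dev_rw_sysfs` just above it, but the summary should state the scope, e.g. `Create files in sysfs (all of sysfs_t, the whole /sys tree).`. The summary/param lines of the new XML comment appear here as bare `##` lines; if that is not extraction loss, the `<summary>`/`<param>` tags used by the other interfaces in devices.if are missing and the generated interface documentation will be incomplete. The brctl domain that calls this interface is presumably in the contrib submodule whose pointer this patch bumps, so the caller cannot be checked from this diff.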
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 00c49c61e..6321f8c4b 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -165,6 +165,24 @@ interface(`iptables_manage_config',`
 manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
 
+###################################
+##
+## dontaudit reading iptables_var_run_t
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`iptables_dontaudit_read_pids',`
+ gen_require(`
+ type iptables_var_run_t;
+ ')
+
+ dontaudit $1 iptables_var_run_t:file read;
+')
+
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 2c8037bea..e91f94e97 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.18.3)
+policy_module(iptables, 1.18.4)
 
 ########################################
 #
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 7ba62cb54..e6fbd379f 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.8)
+policy_module(lvm, 1.19.9)
 
 ########################################
 #
@@ -341,6 +341,10 @@ optional_policy(`
 ccs_stream_connect(lvm_t)
 ')
 
+optional_policy(`
+ dpkg_script_rw_pipes(lvm_t)
+')
+
 optional_policy(`
 gpm_dontaudit_getattr_gpmctl(lvm_t)
 ')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 701fe510f..1261c603d 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,4 +1,4 @@
-policy_module(modutils, 1.17.3)
+policy_module(modutils, 1.17.4)
 
 ########################################
 #
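Review bot: The new rule `dontaudit $1 iptables_var_run_t:file read;` in iptables.if is unlikely to silence the denials it is meant for, because with open permission checking enabled (as refpolicy does) a read-only open() is checked for `open` and `getattr` as well as `read`, and only `read` is covered here; the file's other dontaudit interfaces use the permission set for this, `dontaudit $1 iptables_var_run_t:file read_file_perms;`. The separator line above the interface is `###################################`, shorter than the 40-character rule used by the neighbouring interfaces in this file. The summary `dontaudit reading iptables_var_run_t` would follow the file's convention better as `Do not audit attempts to read iptables runtime (pid) files.`. The only caller added by this patch is `iptables_dontaudit_read_pids(kmod_t)` in modutils.te, which inherits the same gap.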
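Review bot: `dpkg_script_rw_pipes(lvm_t)` in the second lvm.te hunk calls an interface that is not defined anywhere in this patch, and the same holds for `dpkg_manage_script_tmp_files(kmod_t)` in the modutils.te hunk. The only contrib change here is the submodule pointer moving to 2b8cc38af, so the build presumably relies on that revision providing both interfaces; this is worth confirming, since `optional_policy` only drops the block when the dpkg module is absent and an undefined interface name will not be masked when the module is present. A short why-comment above the block, e.g. `# rw fifos of dpkg postinst scripts`, would carry the commit message's rationale into the policy file.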
@@ -89,6 +89,7 @@ files_read_etc_runtime_files(kmod_t)
 files_read_etc_files(kmod_t)
 files_read_usr_files(kmod_t)
 files_exec_etc_files(kmod_t)
+files_search_tmp(kmod_t)
 # for nscd:
 files_dontaudit_search_pids(kmod_t)
 # to manage modules.dep
@@ -126,6 +127,10 @@ optional_policy(`
 alsa_domtrans(kmod_t)
 ')
 
+optional_policy(`
+ dpkg_manage_script_tmp_files(kmod_t)
+')
+
 optional_policy(`
 firstboot_dontaudit_rw_pipes(kmod_t)
 firstboot_dontaudit_rw_stream_sockets(kmod_t)
@@ -139,6 +144,10 @@ optional_policy(`
 hotplug_search_config(kmod_t)
 ')
 
+optional_policy(`
+ iptables_dontaudit_read_pids(kmod_t)
+')
+
 optional_policy(`
 mount_domtrans(kmod_t)
 ')
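Review bot: `files_search_tmp(kmod_t)` in the first modutils.te hunk is added unconditionally and without a comment, in a run where the neighbouring lines explain their reason (`# for nscd:`, `# to manage modules.dep`); the commit message ties it to dpkg script temp files during initramfs generation on Debian, so a comment such as `# for dpkg script tmp files (initramfs generation on Debian):` above it would keep that convention. If the search access is only needed together with `dpkg_manage_script_tmp_files(kmod_t)` from the second hunk, it could instead sit inside that optional_policy block so the grant disappears along with the dpkg module. The enclosing rule run starts before the first hunk.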