From caca2e7e6e5fee3025ccd78ba92ea2a58eb6e575 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <pebenito@ieee.org>
Date: Wed, 26 Apr 2017 18:03:02 -0400
Subject: [PATCH] some little misc things from Russell Coker.

This patch allows setfiles to use file handles inherited from apt (for dpkg postinst scripts), adds those rsync permissions that were rejected previously due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and allows system_cronjob_t some access it requires (including net_admin for when it runs utilities that set buffers).
---
 policy/modules/contrib | 2 +-
 policy/modules/system/fstools.te | 4 +++-
 policy/modules/system/mount.if | 18 ++++++++++++++++++
 policy/modules/system/mount.te | 2 +-
 policy/modules/system/selinuxutil.te | 6 +++++-
 5 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib b/policy/modules/contrib
index bbaade66e..f371df35b 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit bbaade66e2b6ebad9fad744008a5390eac7a74d8
+Subproject commit f371df35b44f6ed874ce3ff8a57cb19df7ff0663
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 2b14f0834..bd36955cc 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.20.5)
+policy_module(fstools, 1.20.6)
 
 ########################################
 #
@@ -152,6 +152,8 @@ logging_send_syslog_msg(fsadm_t)
 
 miscfiles_read_localization(fsadm_t)
 
+# for /run/mount/utab
+mount_getattr_runtime_files(fsadm_t)
 # losetup: bind mount_loopback_t files to loop devices
 mount_rw_loopback_files(fsadm_t)
 
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 370628006..25b0514c1 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
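Review bot: In the `@@ -152,6 +152,8 @@` hunk of fstools.te the new `mount_getattr_runtime_files(fsadm_t)` call sits directly above the existing `# losetup` comment with no separating blank line, so two unrelated comment/call pairs read as one group; add a blank line after `mount_getattr_runtime_files(fsadm_t)` to match the spacing of the surrounding calls. The comment `# for /run/mount/utab` names the path but not the access; `# stat /run/mount/utab` would say what is being granted. Whether fsadm_t already has search access to the directory holding utab is not visible in this hunk, and a file getattr alone is not enough to stat the file by path, so that is worth confirming before relying on this call.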
@@ -210,6 +210,24 @@ interface(`mount_rw_loopback_files',`
 	allow $1 mount_loopback_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Getattr on mount_var_run_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_getattr_runtime_files',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write mount runtime files.
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index f58a62bc4..1f16a6693 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.19.4)
+policy_module(mount, 1.19.5)
 
 ########################################
 #
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 97318a65c..7224e867a 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.7)
+policy_module(selinuxutil, 1.22.8)
 
 gen_require(`
 	bool secure_mode;
@@ -665,6 +665,10 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
+optional_policy(`
+	apt_use_fds(setfiles_t)
+')
+
 optional_policy(`
 	hotplug_use_fds(setfiles_t)
 ')
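Review bot: The summary of the new `mount_getattr_runtime_files` interface says `Getattr on mount_var_run_t files`, but the interface requires and allows `mount_runtime_t`, so the generated documentation names a type the rule does not use; the neighbouring interface in the same hunk is documented as `Read and write mount runtime files.`, and this one should follow suit with `Get the attributes of mount runtime files.`. The interface grants only `mount_runtime_t:file getattr` and no search on the `mount_runtime_t` directory, so a caller that reaches /run/mount/utab by path still needs directory search from elsewhere; whether the sibling interfaces add that themselves is outside the hunk, but it is worth stating in the summary or adding here if the interface is meant to be self-sufficient.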
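Review bot: The new `apt_use_fds(setfiles_t)` block in the `@@ -665,6 +665,10 @@` hunk of selinuxutil.te carries no comment, and the commit message is the only place that explains why setfiles needs descriptors inherited from apt; add `# dpkg postinst scripts run setfiles with fds inherited from apt` above `apt_use_fds(setfiles_t)` so the rule is understandable in place. `apt_use_fds` is not defined anywhere in this patch and is presumably supplied by the contrib submodule bumped at the top of the series, so the rule only builds against that submodule revision. The rsync and system_cronjob_t changes described in the commit message likewise do not appear in any hunk here and are presumably inside the same submodule bump, which reviewers of this patch cannot see.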