From bff907113d1978edab89dbf36db98b40070a57b7 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Nov 28 2006 15:57:22 +0000
Subject: fix dontaudit interface that was allowing instead of dontauditing; thanks to karl for pointing this out.


---

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e08e393..1fd7ed9 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -183,6 +183,24 @@ interface(`dev_relabel_generic_dev_dirs',`
 
 ########################################
 ## <summary>
+##	dontaudit getattr generic files in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:file getattr;
+')
+
+########################################
+## <summary>
 ##	Read and write generic files in /dev.
 ## </summary>
 ## <param name="domain">
@@ -3230,23 +3248,3 @@ interface(`dev_unconfined',`
 
 	typeattribute $1 devices_unconfined_type;
 ')
-
-########################################
-## <summary>
-##	dontaudit getattr generic files in /dev.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_generic_files',`
-	gen_require(`
-		type device_t;
-	')
-
-	allow $1 device_t:dir search;
-	dontaudit $1 device_t:file getattr;
-')
-
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index d669577..dc5668f 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.2.2)
+policy_module(devices,1.2.3)
 
 ########################################
 #
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 991d70d..a73376b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -636,8 +636,6 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 		attribute ptynode;
 	')
 
-	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
 	dontaudit $1 ptynode:chr_file getattr;
 ')
 
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index b4dbc4a..06cddf7 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.2.1)
+policy_module(terminal,1.2.2)
 
 ########################################
 #