From Debian package 0.2.20091013-1 Manoj dd26539482dc77a20e05b741463a5e6cf6cf7f5e Fix issues related /dev/{urandom,console} Allow: load_policy_t, audisp_t, auditd_t, restorecond_t, portmap_t, hwclock_t, auditctl_t, hostname_t, portmap_helper_t, ndc_t, mount_t, dmidecode_t, getty_t, and setfiles_t to read /dev/urandom (The above should be taken care of by global_ssp) Allow: portmap_helper_t, insmod_t, ifconfig_t, setfiles_t and portmap_t to read /dev/console Allow udev_t to access anon_inodefs_t These changes take care of most of the problems encountered in recent reference policy packages in Debian.
Signed-off-by: Russell Coker
Signed-off-by: Manoj Srivastava
Index: policy/modules/services/bind.te
===================================================================
--- policy/modules/services/bind.te.orig
+++ policy/modules/services/bind.te
@@ -199,6 +199,7 @@
 allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
 allow ndc_t self:tcp_socket create_socket_perms;
 allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+dev_read_urand(ndc_t)
 allow ndc_t dnssec_t:file read_file_perms;
 allow ndc_t dnssec_t:lnk_file { getattr read };
Index: policy/modules/services/portmap.te
===================================================================
--- policy/modules/services/portmap.te.orig
+++ policy/modules/services/portmap.te
@@ -32,6 +32,8 @@
 allow portmap_t self:unix_stream_socket create_stream_socket_perms;
 allow portmap_t self:tcp_socket create_stream_socket_perms;
 allow portmap_t self:udp_socket create_socket_perms;
+dev_read_urand(portmap_t)
+term_read_console(portmap_t)
 manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
 manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
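Review bot: `dev_read_urand(ndc_t)` is added with no comment saying why rndc needs /dev/urandom, and the commit message itself states that these reads are meant to be covered by the `global_ssp` tunable, so the line reads as redundant and is an easy casualty of a later cleanup. Add a why-comment above it, e.g. `# presumably ssp canary seeding at startup; kept unconditional because global_ssp is not relied on — confirm`, or, if the Debian build does enable global_ssp, drop the per-domain rule rather than carrying both. Placing the call between the `ndc_t self:*` rules and the `dnssec_t` rules also departs from the usual refpolicy layout, where interface calls follow the raw allow rules grouped by module prefix; moving it next to ndc_t's other `dev_*` calls (outside this hunk) would keep the file consistent.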
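Review bot: `term_read_console(portmap_t)` grants a network daemon read access to /dev/console, and nothing in the hunk shows whether portmap actually opens the console or merely inherits it as stdin from init; if it is the latter, which is the common source of a console read denial at boot, the denial is fd noise and `term_dontaudit_use_console(portmap_t)` (or closing the fd in the init script) is usually preferred over a grant. Please record the triggering AVC in a comment above the call, e.g. `# read on inherited console fd from init — TODO confirm; dontaudit if no real read`. The same question applies to the portmap_helper_t, insmod_t, ifconfig_t and setfiles_t additions elsewhere in this patch. The two new interface calls also sit between the `self:` allows and the `manage_*_pattern` lines rather than with portmap_t's other `dev_*`/`term_*` calls, which are outside this hunk.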
@@ -112,6 +114,8 @@
 allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
 files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
+dev_read_urand(portmap_helper_t)
+term_read_console(portmap_helper_t)
 corenet_all_recvfrom_unlabeled(portmap_helper_t)
 corenet_all_recvfrom_netlabel(portmap_helper_t)
Index: policy/modules/system/clock.te
===================================================================
--- policy/modules/system/clock.te.orig
+++ policy/modules/system/clock.te
@@ -24,6 +24,7 @@
 dontaudit hwclock_t self:capability sys_tty_config;
 allow hwclock_t self:process signal_perms;
 allow hwclock_t self:fifo_file rw_fifo_file_perms;
+dev_read_urand(hwclock_t)
 # Allow hwclock to store & retrieve correction factors.
 allow hwclock_t adjtime_t:file { rw_file_perms setattr };
Index: policy/modules/system/getty.te
===================================================================
--- policy/modules/system/getty.te.orig
+++ policy/modules/system/getty.te
@@ -37,6 +37,7 @@
 dontaudit getty_t self:capability sys_tty_config;
 allow getty_t self:process { getpgid setpgid getsession signal_perms };
 allow getty_t self:fifo_file rw_fifo_file_perms;
+dev_read_urand(getty_t)
 read_files_pattern(getty_t, getty_etc_t, getty_etc_t)
 read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t)
Index: policy/modules/system/hostname.te
===================================================================
--- policy/modules/system/hostname.te.orig
+++ policy/modules/system/hostname.te
@@ -25,6 +25,7 @@
 kernel_read_proc_symlinks(hostname_t)
 dev_read_sysfs(hostname_t)
+dev_read_urand(hostname_t)
 # Early devtmpfs, before udev relabel
 dev_dontaudit_rw_generic_chr_files(hostname_t)
Index: policy/modules/system/logging.te
===================================================================
--- policy/modules/system/logging.te.orig
+++ policy/modules/system/logging.te
@@ -105,6 +105,7 @@
 allow auditctl_t self:capability { fsetid dac_read_search dac_override };
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+dev_read_urand(auditctl_t)
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
@@ -144,6 +145,7 @@
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:fifo_file rw_fifo_file_perms;
 allow auditd_t self:tcp_socket create_stream_socket_perms;
+dev_read_urand(auditd_t)
 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
@@ -236,6 +238,7 @@
 allow audisp_t self:fifo_file rw_fifo_file_perms;
 allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 allow audisp_t self:unix_dgram_socket create_socket_perms;
+dev_read_urand(audisp_t)
 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
Index: policy/modules/system/modutils.te
===================================================================
--- policy/modules/system/modutils.te.orig
+++ policy/modules/system/modutils.te
@@ -113,6 +113,7 @@
 allow insmod_t self:udp_socket create_socket_perms;
 allow insmod_t self:rawip_socket create_socket_perms;
+term_read_console(insmod_t)
 # Read module config and dependency information
 list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
Index: policy/modules/system/mount.te
===================================================================
--- policy/modules/system/mount.te.orig
+++ policy/modules/system/mount.te
@@ -40,6 +40,7 @@
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+dev_read_urand(mount_t)
 allow mount_t mount_loopback_t:file read_file_perms;
 allow mount_t mount_tmp_t:file manage_file_perms;
Index: policy/modules/system/selinuxutil.te
===================================================================
--- policy/modules/system/selinuxutil.te.orig
+++ policy/modules/system/selinuxutil.te
@@ -107,6 +107,8 @@
 type setfiles_exec_t alias restorecon_exec_t;
 init_system_domain(setfiles_t, setfiles_exec_t)
 domain_obj_id_change_exemption(setfiles_t)
+term_read_console(setfiles_t)
+dev_read_urand(setfiles_t)
 ########################################
 #
@@ -159,6 +161,7 @@
 read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
 domain_use_interactive_fds(load_policy_t)
+dev_read_urand(load_policy_t)
 # for mcs.conf
 files_read_etc_files(load_policy_t)
@@ -308,6 +311,7 @@
 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 allow restorecond_t self:fifo_file rw_fifo_file_perms;
+dev_read_urand(restorecond_t)
 allow restorecond_t restorecond_var_run_t:file manage_file_perms;
 files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
Index: policy/modules/system/sysnetwork.te
===================================================================
--- policy/modules/system/sysnetwork.te.orig
+++ policy/modules/system/sysnetwork.te
@@ -254,6 +254,7 @@
 allow ifconfig_t self:sem create_sem_perms;
 allow ifconfig_t self:msgq create_msgq_perms;
 allow ifconfig_t self:msg { send receive };
+term_read_console(ifconfig_t)
 # Create UDP sockets, necessary when called from dhcpc
 allow ifconfig_t self:udp_socket create_socket_perms;
 # for /sbin/ip
Index: policy/modules/system/udev.te
===================================================================
--- policy/modules/system/udev.te.orig
+++ policy/modules/system/udev.te
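Review bot: `term_read_console(setfiles_t)` and `dev_read_urand(setfiles_t)` are inserted directly after `domain_obj_id_change_exemption(setfiles_t)`, which is still the declarations block — the `########…` and lone `#` context lines that follow in the hunk are the start of the next section header. Refpolicy keeps access rules out of the declarations and in the per-domain local policy section, so these two lines belong in the setfiles local policy section (outside this hunk), alongside setfiles_t's other `dev_*`/`term_*` calls. As for the other domains in this patch, a short comment such as `# ssp canary seeding — see global_ssp; confirm` would say why the urandom read is needed. Whether setfiles genuinely reads the console or only inherits it from init is not visible here; if it is the latter, `term_dontaudit_use_console(setfiles_t)` would be the quieter fix.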
@@ -54,6 +54,7 @@
 allow udev_t self:unix_stream_socket connectto;
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
+fs_read_anon_inodefs_files(udev_t)
 can_exec(udev_t, udev_exec_t)
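Review bot: `fs_read_anon_inodefs_files(udev_t)` grants read only, while the commit message just says udev needs to "access" anon_inodefs_t without naming the object; anonymous inodes back inotify and signalfd descriptors (read) as well as eventfd ones (read and write), so if the denial that prompted this was on write, the read-only interface leaves a second denial behind. Please cite the denied permission in a comment above the call, e.g. `# inotify/signalfd descriptors — TODO confirm AVC; fs_rw_anon_inodefs_files if write is also denied`. The udev_t local policy continues outside this hunk.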