Merge pull request #417 from stephensmalley/stable6-oxt734

STABLE-6: refpolicy: fix OTA-related denials

recipes-security/refpolicy/refpolicy-mcs-2.20141203/policy/modules/services/updatemgr.te

@@ -82,3 +82,5 @@ allow updatemgr_t updatemgr_sync_client_storage_t:file manage_file_perms;
 allow updatemgr_t updatemgr_tmp_t:file manage_file_perms;
 allow updatemgr_t self:capability { dac_override chown fowner fsetid };
 
+kernel_request_load_module(updatemgr_t)
+

recipes-security/refpolicy/refpolicy-mcs-2.20141203/policy/modules/system/xc-installer.fc

@@ -18,5 +18,5 @@
 #
 #############################################################################
 
-/storage/update/upgrade		--	gen_context(system_u:object_r:xc_installer_t,s0)
+/storage/update/upgrade		--	gen_context(system_u:object_r:xc_installer_storage_t,s0)
 /usr/share/xenclient/post-upgrade.sh	--	gen_context(system_u:object_r:xc_installer_exec_t,s0)

recipes-security/refpolicy/refpolicy-mcs-2.20141203/policy/modules/system/xc-installer.if

@@ -48,6 +48,7 @@ interface(`xc_installer_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, updatemgr_storage_t, xc_installer_t)
 	domtrans_pattern($1, xc_installer_exec_t, xc_installer_t)
+	allow $1 xc_installer_t:process { noatsecure siginh rlimitinh };
 ')
 ########################################
 ## <summary>
@@ -61,10 +62,11 @@ interface(`xc_installer_domtrans',`
 #
 interface(`xc_installer_delete',`
 	gen_require(`
-		type xc_installer_t;
+		type xc_installer_storage_t;
 	')
 
-	allow $1 xc_installer_t:file delete_file_perms;
+	allow $1 xc_installer_storage_t:dir manage_dir_perms;
+	allow $1 xc_installer_storage_t:file delete_file_perms;
 ')
 ########################################
 ## <summary>