refpolicy: add rules for /var/cache symlink

/var/cache is a symlink in poky, so we need allow rules for files to read lnk_file while doing search/list/delete/rw.. in /var/cache/ directory. Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
2026-01-01 13:58:04 +00:00 · 2013-02-27 14:45:52 +08:00 · 2013-02-27 14:45:52 +08:00 · 10754edb75
commit 10754edb75
parent e558dba5db
2 changed files with 510 additions and 0 deletions
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-cache-symlink.patch
@ -0,0 +1,509 @@
+Subject: [PATCH] add rules for the symlink of /var/cache
+
+/var/cache is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /var/cache/ directory.
+
+Upstream-Status: Inappropriate [only for Poky] 
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/abrt.te      |    2 ++
+ policy/modules/contrib/afs.te       |    1 +
+ policy/modules/contrib/apache.if    |    5 +++++
+ policy/modules/contrib/apache.te    |    1 +
+ policy/modules/contrib/apt.if       |    2 ++
+ policy/modules/contrib/apt.te       |    1 +
+ policy/modules/contrib/bind.if      |    2 ++
+ policy/modules/contrib/bind.te      |    1 +
+ policy/modules/contrib/logwatch.if  |    2 ++
+ policy/modules/contrib/logwatch.te  |    1 +
+ policy/modules/contrib/podsleuth.te |    1 +
+ policy/modules/contrib/portage.te   |    1 +
+ policy/modules/contrib/rpm.if       |    4 ++++
+ policy/modules/contrib/rpm.te       |    1 +
+ policy/modules/contrib/squid.if     |    2 ++
+ policy/modules/contrib/squid.te     |    1 +
+ policy/modules/contrib/virt.if      |    2 ++
+ policy/modules/contrib/virt.te      |    2 ++
+ policy/modules/services/xserver.if  |    6 ++++++
+ policy/modules/system/authlogin.if  |   10 ++++++++++
+ policy/modules/system/miscfiles.if  |    8 ++++++++
+ 21 files changed, 56 insertions(+)
+
+diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
+index 30861ec..10c941a 100644
+--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
+@@ -73,6 +73,7 @@ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+ # abrt var/cache files
+ manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+allow abrt_t var_t:lnk_file read_lnk_file_perms;
+ manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+ files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+@@ -193,6 +194,7 @@ read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
+ 
+ files_search_spool(abrt_helper_t)
+ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+allow abrt_helper_t var_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
+index a496fde..a739e1d 100644
+--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
+@@ -78,6 +78,7 @@ allow afs_t self:unix_stream_socket create_stream_socket_perms;
+ 
+ manage_files_pattern(afs_t, afs_cache_t, afs_cache_t)
+ manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t)
+allow afs_t var_t:lnk_file read_lnk_file_perms;
+ files_var_filetrans(afs_t, afs_cache_t, { file dir })
+ 
+ kernel_rw_afs_state(afs_t)
+diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
+index 6480167..1b3c593 100644
+--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
+@@ -485,9 +485,11 @@ interface(`apache_manage_all_content',`
+ interface(`apache_setattr_cache_dirs',`
+ 	gen_require(`
+ 		type httpd_cache_t;
+		type var_t;
+ 	')
+ 
+ 	allow $1 httpd_cache_t:dir setattr;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -504,9 +506,11 @@ interface(`apache_setattr_cache_dirs',`
+ interface(`apache_list_cache',`
+ 	gen_require(`
+ 		type httpd_cache_t;
+		type var_t;
+ 	')
+ 
+ 	list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -777,6 +781,7 @@ interface(`apache_list_modules',`
+ interface(`apache_exec_modules',`
+ 	gen_require(`
+ 		type httpd_modules_t;
+		type var_t;
+ 	')
+ 
+ 	allow $1 httpd_modules_t:dir list_dir_perms;
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 0833afb..1115d37 100644
+--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
+@@ -291,6 +291,7 @@ allow httpd_t self:udp_socket create_socket_perms;
+ 
+ # Allow httpd_t to put files in /var/cache/httpd etc
+ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+allow httpd_t var_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+ 
+diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
+index e696b80..c6cc149 100644
+--- a/policy/modules/contrib/apt.if
+++ b/policy/modules/contrib/apt.if
+@@ -152,10 +152,12 @@ interface(`apt_use_ptys',`
+ interface(`apt_read_cache',`
+ 	gen_require(`
+ 		type apt_var_cache_t;
+		type var_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 apt_var_cache_t:dir list_dir_perms;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 	dontaudit $1 apt_var_cache_t:dir write;
+ 	allow $1 apt_var_cache_t:file read_file_perms;
+ ')
+diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
+index 8555315..8bfd892 100644
+--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
+@@ -78,6 +78,7 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+ # Access /var/cache/apt files
+ manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+ files_var_filetrans(apt_t, apt_var_cache_t, dir)
+allow apt_t var_t:lnk_file read_lnk_file_perms;
+ 
+ # Access /var/lib/apt files
+ manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
+diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
+index 44a1e3d..9b93562 100644
+--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
+@@ -221,12 +221,14 @@ interface(`bind_manage_config_dirs',`
+ interface(`bind_search_cache',`
+ 	gen_require(`
+ 		type named_conf_t, named_cache_t, named_zone_t;
+		type var_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 named_conf_t:dir search_dir_perms;
+ 	allow $1 named_zone_t:dir search_dir_perms;
+ 	allow $1 named_cache_t:dir search_dir_perms;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
+index 0968cb4..15c605c 100644
+--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
+@@ -79,6 +79,7 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+ # write cache for secondary zones
+ manage_files_pattern(named_t, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+allow named_t var_t:lnk_file read_lnk_file_perms;
+ 
+ can_exec(named_t, named_exec_t)
+ 
+diff --git a/policy/modules/contrib/logwatch.if b/policy/modules/contrib/logwatch.if
+index d878e75..1484c1e 100644
+--- a/policy/modules/contrib/logwatch.if
+++ b/policy/modules/contrib/logwatch.if
+@@ -32,7 +32,9 @@ interface(`logwatch_read_tmp_files',`
+ interface(`logwatch_search_cache_dir',`
+ 	gen_require(`
+ 		type logwatch_cache_t;
+		type var_t;
+ 	')
+ 
+ 	allow $1 logwatch_cache_t:dir search_dir_perms;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ ')
+diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
+index 75ce30f..31bff65 100644
+--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
+@@ -30,6 +30,7 @@ allow logwatch_t self:fifo_file rw_file_perms;
+ allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+ 
+ manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+allow logwatch_t var_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
+ 
+ allow logwatch_t logwatch_lock_t:file manage_file_perms;
+diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te
+index 4cffb07..32ab27e 100644
+--- a/policy/modules/contrib/podsleuth.te
+++ b/policy/modules/contrib/podsleuth.te
+@@ -33,6 +33,7 @@ allow podsleuth_t self:tcp_socket create_stream_socket_perms;
+ allow podsleuth_t self:udp_socket create_socket_perms;
+ 
+ manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+allow podsleuth_t var_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+ files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+ 
+diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
+index 630f16f..f4e43be 100644
+--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
+@@ -339,5 +339,6 @@ portage_compile_domain(portage_sandbox_t)
+ ifdef(`hide_broken_symptoms',`
+ 	# leaked descriptors
+ 	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
+	allow portage_sandbox_t var_t:lnk_file read_lnk_file_perms;
+ 	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+ ')
+diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
+index 951d8f6..f4c6825 100644
+--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
+@@ -408,10 +408,12 @@ interface(`rpm_read_script_tmp_files',`
+ interface(`rpm_read_cache',`
+ 	gen_require(`
+ 		type rpm_var_cache_t;
+		type var_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 rpm_var_cache_t:dir list_dir_perms;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ 	read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ ')
+@@ -429,10 +431,12 @@ interface(`rpm_read_cache',`
+ interface(`rpm_manage_cache',`
+ 	gen_require(`
+ 		type rpm_var_cache_t;
+		type var_t;
+ 	')
+ 
+ 	files_search_var_lib($1)
+ 	manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 	manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ 	manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ ')
+diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
+index 60149a5..f3f0640 100644
+--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
+@@ -98,6 +98,7 @@ fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+ can_exec(rpm_t, rpm_tmpfs_t)
+ 
+ manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+allow rpm_t var_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+ 
+diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
+index d2496bd..28f8e2e 100644
+--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
+@@ -88,9 +88,11 @@ interface(`squid_rw_stream_sockets',`
+ interface(`squid_dontaudit_search_cache',`
+ 	gen_require(`
+ 		type squid_cache_t;
+		type var_t;
+ 	')
+ 
+ 	dontaudit $1 squid_cache_t:dir search_dir_perms;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
+index c38de7a..01e1222 100644
+--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
+@@ -67,6 +67,7 @@ allow squid_t self:udp_socket create_socket_perms;
+ 
+ # Grant permissions to create, access, and delete cache files.
+ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+allow squid_t var_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+ 
+diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
+index 6f0736b..2fcd979 100644
+--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
+@@ -438,10 +438,12 @@ interface(`virt_read_images',`
+ interface(`virt_manage_svirt_cache',`
+ 	gen_require(`
+ 		type svirt_cache_t;
+		type var_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 	manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+ 	manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+ ')
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 947bbc6..659abcc 100644
+--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
+@@ -108,6 +108,7 @@ ifdef(`enable_mls',`
+ allow svirt_t self:udp_socket create_socket_perms;
+ 
+ manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+allow svirt_t var_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+ files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
+ 
+@@ -186,6 +187,7 @@ allow virtd_t self:tun_socket create_socket_perms;
+ allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+allow virtd_t var_t:lnk_file read_lnk_file_perms;
+ manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+ 
+ manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
+index 130ced9..ffef982 100644
+--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
+@@ -22,6 +22,7 @@ interface(`xserver_restricted_role',`
+ 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ 		type iceauth_t, iceauth_exec_t, iceauth_home_t;
+ 		type xauth_t, xauth_exec_t, xauth_home_t;
+		type var_t;
+ 	')
+ 
+ 	role $1 types { xserver_t xauth_t iceauth_t };
+@@ -41,6 +42,7 @@ interface(`xserver_restricted_role',`
+ 	allow $2 user_fonts_config_t:file read_file_perms;
+ 
+ 	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+	allow $2 var_t:lnk_file read_lnk_file_perms;
+ 	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ 
+ 	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -134,6 +136,7 @@ interface(`xserver_role',`
+ 	gen_require(`
+ 		type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
+ 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+		type var_t;
+ 	')
+ 
+ 	xserver_restricted_role($1, $2)
+@@ -154,6 +157,7 @@ interface(`xserver_role',`
+ 	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+ 
+ 	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+	allow $2 var_t:lnk_file read_lnk_file_perms;
+ 	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ 	relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ 	relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+@@ -512,6 +516,7 @@ template(`xserver_user_x_domain_template',`
+ interface(`xserver_use_user_fonts',`
+ 	gen_require(`
+ 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+		type var_t;
+ 	')
+ 
+ 	# Read per user fonts
+@@ -520,6 +525,7 @@ interface(`xserver_use_user_fonts',`
+ 
+ 	# Manipulate the global font cache
+ 	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 	manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+ 
+ 	# Read per user font config
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index f416ce9..00a209d 100644
+--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
+@@ -95,6 +95,7 @@ interface(`auth_use_pam',`
+ interface(`auth_login_pgm_domain',`
+ 	gen_require(`
+ 		type var_auth_t, auth_cache_t;
+		type var_t;
+ 	')
+ 
+ 	domain_type($1)
+@@ -116,6 +117,7 @@ interface(`auth_login_pgm_domain',`
+ 	manage_files_pattern($1, var_auth_t, var_auth_t)
+ 
+ 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 	manage_files_pattern($1, auth_cache_t, auth_cache_t)
+ 	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+ 	files_var_filetrans($1, auth_cache_t, dir)
+@@ -279,9 +281,11 @@ interface(`auth_ranged_domtrans_login_program',`
+ interface(`auth_search_cache',`
+ 	gen_require(`
+ 		type auth_cache_t;
+		type var_t;
+ 	')
+ 
+ 	allow $1 auth_cache_t:dir search_dir_perms;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -333,9 +337,11 @@ interface(`auth_rw_cache',`
+ interface(`auth_manage_cache',`
+ 	gen_require(`
+ 		type auth_cache_t;
+		type var_t;
+ 	')
+ 
+ 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 	manage_files_pattern($1, auth_cache_t, auth_cache_t)
+ ')
+ 
+@@ -352,9 +358,11 @@ interface(`auth_manage_cache',`
+ interface(`auth_var_filetrans_cache',`
+ 	gen_require(`
+ 		type auth_cache_t;
+		type var_t;
+ 	')
+ 
+ 	files_var_filetrans($1, auth_cache_t, { file dir } )
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -371,9 +379,11 @@ interface(`auth_domtrans_chk_passwd',`
+ 	gen_require(`
+ 		type chkpwd_t, chkpwd_exec_t, shadow_t;
+ 		type auth_cache_t;
+		type var_t;
+ 	')
+ 
+ 	allow $1 auth_cache_t:dir search_dir_perms;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
+diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
+index 926ba65..e2eaee6 100644
+--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
+@@ -183,6 +183,7 @@ interface(`miscfiles_manage_cert_files',`
+ interface(`miscfiles_read_fonts',`
+ 	gen_require(`
+ 		type fonts_t, fonts_cache_t;
+		type var_t;
+ 	')
+ 
+ 	# cjp: fonts can be in either of these dirs
+@@ -194,6 +195,7 @@ interface(`miscfiles_read_fonts',`
+ 	read_lnk_files_pattern($1, fonts_t, fonts_t)
+ 
+ 	allow $1 fonts_cache_t:dir list_dir_perms;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ 	read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ ')
+@@ -295,9 +297,11 @@ interface(`miscfiles_manage_fonts',`
+ interface(`miscfiles_setattr_fonts_cache_dirs',`
+ 	gen_require(`
+ 		type fonts_cache_t;
+		type var_t;
+ 	')
+ 
+ 	allow $1 fonts_cache_t:dir setattr;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -314,9 +318,11 @@ interface(`miscfiles_setattr_fonts_cache_dirs',`
+ interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
+ 	gen_require(`
+ 		type fonts_cache_t;
+		type var_t;
+ 	')
+ 
+ 	dontaudit $1 fonts_cache_t:dir setattr;
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -333,11 +339,13 @@ interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
+ interface(`miscfiles_manage_fonts_cache',`
+ 	gen_require(`
+ 		type fonts_cache_t;
+		type var_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 
+ 	manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
+	allow $1 var_t:lnk_file read_lnk_file_perms;
+ 	manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ 	manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ ')
+-- 
+1.7.9.5
+
--- a/recipes-security/refpolicy/refpolicy_2.20120725.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@ -19,6 +19,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
 # Specific policy for Poky
 SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
            file://poky-policy-add-rules-for-var-log-symlink.patch \
+            file://poky-policy-add-rules-for-var-cache-symlink.patch \
            file://poky-policy-add-rules-for-tmp-symlink.patch \
            file://poky-policy-add-rules-for-bsdpty_device_t.patch \
            file://poky-policy-don-t-audit-tty_device_t.patch \