trunk: 4 patches from dan.

policy/modules/services/dnsmasq.fc

@@ -1,4 +1,7 @@
+/etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
 /usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)

policy/modules/services/dnsmasq.if

@@ -1 +1,97 @@
 ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
+
+########################################
+## <summary>
+##	Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_domtrans',`
+	gen_require(`
+		type dnsmasq_exec_t, dnsmasq_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+')
+
+########################################
+## <summary>
+##	Send dnsmasq a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_signal',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+	allow $1 dnsmasq_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send dnsmasq a kill signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_kill',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+	allow $1 dnsmasq_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an dnsmasq environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the dnsmasq domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dnsmasq_admin',`
+	gen_require(`
+		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+		type dnsmasq_initrc_exec_t;
+	')
+
+	allow $1 dnsmasq_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dnsmasq_t)
+
+	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 dnsmasq_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var_lib($1)
+	admin_pattern($1, dnsmasq_lease_t)
+
+	files_list_pids($1)
+	admin_pattern($1, dnsmasq_var_run_t)
+')

policy/modules/services/dnsmasq.te

@@ -1,5 +1,5 @@
 
-policy_module(dnsmasq, 1.6.1)
+policy_module(dnsmasq, 1.6.2)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type dnsmasq_t;
 type dnsmasq_exec_t;
 init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
 
+type dnsmasq_initrc_exec_t;
+init_script_file(dnsmasq_initrc_exec_t)
+
 type dnsmasq_lease_t;
 files_type(dnsmasq_lease_t)
 
@@ -23,7 +26,7 @@ files_pid_file(dnsmasq_var_run_t)
 
 allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
 dontaudit dnsmasq_t self:capability sys_tty_config;
-allow dnsmasq_t self:process { setcap signal_perms };
+allow dnsmasq_t self:process { getcap setcap signal_perms };
 allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
 allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
 allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
@@ -32,7 +35,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 
 # dhcp leases
-allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
 
 manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
@@ -55,8 +58,7 @@ corenet_udp_sendrecv_all_ports(dnsmasq_t)
 corenet_tcp_bind_all_nodes(dnsmasq_t)
 corenet_udp_bind_all_nodes(dnsmasq_t)
 corenet_tcp_bind_dns_port(dnsmasq_t)
-corenet_udp_bind_dns_port(dnsmasq_t)
+corenet_udp_bind_all_ports(dnsmasq_t)
-corenet_udp_bind_dhcpd_port(dnsmasq_t)
 corenet_sendrecv_dns_server_packets(dnsmasq_t)
 corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
 
@@ -91,3 +93,7 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(dnsmasq_t)
 ')
+
+optional_policy(`
+	virt_manage_lib_files(dnsmasq_t)
+')

policy/modules/services/mysql.fc

@@ -5,6 +5,7 @@
 #
 /etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
 /etc/mysql(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/rc\.d/init\.d/mysqld --	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
 
 #
 # /usr

policy/modules/services/mysql.if

@@ -52,10 +52,11 @@ interface(`mysql_tcp_connect',`
 #
 interface(`mysql_stream_connect',`
 	gen_require(`
-		type mysqld_t, mysqld_var_run_t;
+		type mysqld_t, mysqld_var_run_t, mysqld_db_t;
 	')
 
 	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
 ')
 
 ########################################
@@ -178,3 +179,46 @@ interface(`mysql_write_log',`
 	logging_search_logs($1)
 	allow $1 mysqld_log_t:file { write_file_perms setattr };
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an mysql environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the mysql domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_admin',`
+	gen_require(`
+		type mysqld_t, mysqld_var_run_t;
+		type mysqld_tmp_t, mysqld_db_t;
+		type mysqld_etc_t, mysqld_log_t;
+		type mysqld_initrc_exec_t;
+	')
+
+	allow $1 mysqld_t:process { ptrace signal_perms };
+	ps_process_pattern($1, mysqld_t)
+
+	init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 mysqld_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, mysqld_var_run_t)
+
+	admin_pattern($1, mysqld_db_t)
+
+	admin_pattern($1, mysqld_etc_t)
+
+	admin_pattern($1, mysqld_log_t)
+
+	admin_pattern($1, mysqld_tmp_t)
+')

policy/modules/services/mysql.te

@@ -1,5 +1,5 @@
 
-policy_module(mysql, 1.9.1)
+policy_module(mysql, 1.9.2)
 
 ########################################
 #
@@ -19,6 +19,9 @@ files_type(mysqld_db_t)
 type mysqld_etc_t alias etc_mysqld_t;
 files_config_file(mysqld_etc_t)
 
+type mysqld_initrc_exec_t;
+init_script_file(mysqld_initrc_exec_t)
+
 type mysqld_log_t;
 logging_log_file(mysqld_log_t)
 
@@ -34,6 +37,7 @@ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bin
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;
@@ -79,6 +83,7 @@ dev_read_sysfs(mysqld_t)
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
+fs_rw_hugetlbfs_files(mysqld_t)
 
 domain_use_interactive_fds(mysqld_t)
 

policy/modules/services/procmail.fc

@@ -1,2 +1,5 @@
 
 /usr/bin/procmail	--	gen_context(system_u:object_r:procmail_exec_t,s0)
+
+/var/log/procmail\.log.* --	gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)?		gen_context(system_u:object_r:procmail_log_t,s0) 

policy/modules/services/procmail.if

@@ -39,3 +39,41 @@ interface(`procmail_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, procmail_exec_t)
 ')
+
+########################################
+## <summary>
+##	Read procmail tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_read_tmp_files',`
+	gen_require(`
+		type procmail_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 procmail_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read/write procmail tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_rw_tmp_files',`
+	gen_require(`
+		type procmail_tmp_t;
+	')
+
+	files_search_tmp($1)
+	rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+')

policy/modules/services/procmail.te

@@ -1,5 +1,5 @@
 
-policy_module(procmail, 1.9.1)
+policy_module(procmail, 1.9.2)
 
 ########################################
 #
@@ -11,6 +11,9 @@ type procmail_exec_t;
 application_domain(procmail_t, procmail_exec_t)
 role system_r types procmail_t;
 
+type procmail_log_t;
+logging_log_file(procmail_log_t) 
+
 type procmail_tmp_t;
 files_tmp_file(procmail_tmp_t)
 
@@ -29,6 +32,13 @@ allow procmail_t self:udp_socket create_socket_perms;
 
 can_exec(procmail_t,procmail_exec_t)
 
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
+allow procmail_t procmail_log_t:dir setattr;
+create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+
 allow procmail_t procmail_tmp_t:file manage_file_perms;
 files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
 
@@ -58,6 +68,7 @@ auth_use_nsswitch(procmail_t)
 
 corecmd_exec_bin(procmail_t)
 corecmd_exec_shell(procmail_t)
+corecmd_read_bin_symlinks(procmail_t)
 
 files_read_etc_files(procmail_t)
 files_read_etc_runtime_files(procmail_t)
@@ -118,11 +129,13 @@ optional_policy(`
 
 optional_policy(`
 	pyzor_domtrans(procmail_t)
+	pyzor_signal(procmail_t)
 ')
 
 optional_policy(`
 	mta_read_config(procmail_t)
 	sendmail_domtrans(procmail_t)
+	sendmail_signal(procmail_t)
 	sendmail_rw_tcp_sockets(procmail_t)
 	sendmail_rw_unix_stream_sockets(procmail_t)
 ')
@@ -131,7 +144,7 @@ optional_policy(`
 	corenet_udp_bind_generic_port(procmail_t)
 	corenet_dontaudit_udp_bind_all_ports(procmail_t)
 
-	spamassassin_exec(procmail_t)
+	spamassassin_domtrans_local_client(procmail_t)
-	spamassassin_exec_client(procmail_t)
+	spamassassin_domtrans_client(procmail_t)
 	spamassassin_read_lib_files(procmail_t)
 ')

policy/modules/services/rshd.te

@@ -1,5 +1,5 @@
 
-policy_module(rshd, 1.5.1)
+policy_module(rshd, 1.5.2)
 
 ########################################
 #
@@ -16,7 +16,7 @@ role system_r types rshd_t;
 #
 # Local policy
 #
-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
 allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
 allow rshd_t self:fifo_file rw_fifo_file_perms;
 allow rshd_t self:tcp_socket create_stream_socket_perms;
@@ -33,6 +33,9 @@ corenet_tcp_sendrecv_all_ports(rshd_t)
 corenet_udp_sendrecv_all_ports(rshd_t)
 corenet_tcp_bind_all_nodes(rshd_t)
 corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
 corenet_sendrecv_rsh_server_packets(rshd_t)
 
 dev_read_urand(rshd_t)
@@ -44,17 +47,19 @@ selinux_compute_create_context(rshd_t)
 selinux_compute_relabel_context(rshd_t)
 selinux_compute_user_contexts(rshd_t)
 
-auth_domtrans_chk_passwd(rshd_t)
-
 corecmd_read_bin_symlinks(rshd_t)
 
 files_list_home(rshd_t)
 files_read_etc_files(rshd_t)
 files_search_tmp(rshd_t)
 
-auth_use_nsswitch(rshd_t)
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
+
+init_rw_utmp(rshd_t)
 
 logging_send_syslog_msg(rshd_t)
+logging_search_logs(rshd_t)
 
 miscfiles_read_localization(rshd_t)
 
@@ -74,7 +79,8 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-	kerberos_use(rshd_t)
+	kerberos_keytab_template(rshd, rshd_t)
+	kerberos_manage_host_rcache(rshd_t)
 ')
 
 optional_policy(`
@@ -83,4 +89,5 @@ optional_policy(`
 
 optional_policy(`
 	unconfined_shell_domtrans(rshd_t)
+	unconfined_signal(rshd_t)
 ')