misc cleanup

refpolicy/policy/modules/kernel/kernel.te

@@ -278,18 +278,14 @@ optional_policy(`
 	# nfs kernel server needs kernel UDP access.  It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
-	allow kernel_t self:udp_socket { connect };
+	allow kernel_t self:udp_socket create_socket_perms;
-	allow kernel_t self:tcp_socket connected_socket_perms;
-	allow kernel_t self:udp_socket connected_socket_perms;
 
 	# nfs kernel server needs kernel UDP access.  It is less risky and painful
 	# to just give it everything.
 	corenet_udp_sendrecv_all_if(kernel_t)
 	corenet_udp_sendrecv_all_nodes(kernel_t)
-	corenet_tcp_bind_all_nodes(kernel_t)
-	corenet_udp_bind_all_nodes(kernel_t)
-	corenet_tcp_sendrecv_all_ports(kernel_t)
 	corenet_udp_sendrecv_all_ports(kernel_t)
+	corenet_udp_bind_all_nodes(kernel_t)
 
 	auth_dontaudit_getattr_shadow(kernel_t)
 

refpolicy/policy/modules/system/libraries.fc

@@ -41,6 +41,11 @@ ifdef(`distro_redhat',`
 /opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+ifdef(`distro_gentoo',`
+/opt/netscape/plugins/libflashplayer.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netscape/plugins/nppdf.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+
 #
 # /sbin
 #

refpolicy/policy/modules/system/userdomain.if

@@ -87,16 +87,15 @@ template(`base_user_template',`
 	allow $1_t self:process { ptrace setfscreate };
 	allow $1_t self:fd use;
 	allow $1_t self:fifo_file rw_file_perms;
-	allow $1_t self:unix_dgram_socket create_socket_perms;
+	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow $1_t self:unix_dgram_socket sendto;
-	allow $1_t self:unix_stream_socket connectto;
 	allow $1_t self:shm create_shm_perms;
 	allow $1_t self:sem create_sem_perms;
 	allow $1_t self:msgq create_msgq_perms;
 	allow $1_t self:msg { send receive };
 	dontaudit $1_t self:socket create;
-	allow $1_t self:udp_socket { sendto recvfrom };
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:udp_socket { create_socket_perms sendto recvfrom };
 
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
@@ -162,6 +161,7 @@ template(`base_user_template',`
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($1_t)
 
+	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_raw_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
@@ -170,7 +170,6 @@ template(`base_user_template',`
 	corenet_udp_sendrecv_all_nodes($1_t)
 	corenet_tcp_sendrecv_all_ports($1_t)
 	corenet_udp_sendrecv_all_ports($1_t)
-	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_bind_all_nodes($1_t)
 	corenet_udp_bind_all_nodes($1_t)
 	corenet_udp_bind_generic_port($1_t)