misc cleanup

refpolicy/policy/modules/kernel/kernel.te

@@ -278,18 +278,14 @@ optional_policy(`
 	# nfs kernel server needs kernel UDP access.  It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
-	allow kernel_t self:udp_socket { connect };
+	allow kernel_t self:udp_socket create_socket_perms;
-	allow kernel_t self:tcp_socket connected_socket_perms;
-	allow kernel_t self:udp_socket connected_socket_perms;
 
 	# nfs kernel server needs kernel UDP access.  It is less risky and painful
 	# to just give it everything.
 	corenet_udp_sendrecv_all_if(kernel_t)
 	corenet_udp_sendrecv_all_nodes(kernel_t)
-	corenet_tcp_bind_all_nodes(kernel_t)
-	corenet_udp_bind_all_nodes(kernel_t)
-	corenet_tcp_sendrecv_all_ports(kernel_t)
 	corenet_udp_sendrecv_all_ports(kernel_t)
+	corenet_udp_bind_all_nodes(kernel_t)
 
 	auth_dontaudit_getattr_shadow(kernel_t)
 

refpolicy/policy/modules/system/libraries.fc

@@ -32,15 +32,20 @@ ifdef(`distro_redhat',`
 #
 # /opt
 #
-/opt/(.*/)?lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib64(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib64/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib64/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib64/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib64/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
 /opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+ifdef(`distro_gentoo',`
+/opt/netscape/plugins/libflashplayer.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netscape/plugins/nppdf.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+
 #
 # /sbin
 #
@@ -49,18 +54,18 @@ ifdef(`distro_redhat',`
 #
 # /usr
 #
-/usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(.*/)?java/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?java/.*\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/(.*/)?java/.*\.jsa			--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr/(.*/)?lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib64(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib64/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib64/.*\.so			--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib64/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib64/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
 
@@ -84,7 +89,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(local/)?lib(64)?/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?lib(64)?/wine/.*\.so  	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 
@@ -107,7 +112,7 @@ ifdef(`distro_redhat',`
 
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
 # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/gstreamer-.*/libgstmms\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -190,7 +195,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textre
 /usr/lib(64)?/libdivxencore.so.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # vmware 
-/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/HConfig.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@@ -226,4 +231,4 @@ ifdef(`distro_suse',`
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
 /var/spool/postfix/lib(64)?/lib.*\.so.*	--	gen_context(system_u:object_r:shlib_t,s0)
 /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+/var/spool/postfix/lib(64)?/devfsd/.*\.so.* --	gen_context(system_u:object_r:shlib_t,s0)

refpolicy/policy/modules/system/userdomain.if

@@ -87,16 +87,15 @@ template(`base_user_template',`
 	allow $1_t self:process { ptrace setfscreate };
 	allow $1_t self:fd use;
 	allow $1_t self:fifo_file rw_file_perms;
-	allow $1_t self:unix_dgram_socket create_socket_perms;
+	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow $1_t self:unix_dgram_socket sendto;
-	allow $1_t self:unix_stream_socket connectto;
 	allow $1_t self:shm create_shm_perms;
 	allow $1_t self:sem create_sem_perms;
 	allow $1_t self:msgq create_msgq_perms;
 	allow $1_t self:msg { send receive };
 	dontaudit $1_t self:socket create;
-	allow $1_t self:udp_socket { sendto recvfrom };
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:udp_socket { create_socket_perms sendto recvfrom };
 
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
@@ -162,6 +161,7 @@ template(`base_user_template',`
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($1_t)
 
+	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_raw_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
@@ -170,7 +170,6 @@ template(`base_user_template',`
 	corenet_udp_sendrecv_all_nodes($1_t)
 	corenet_tcp_sendrecv_all_ports($1_t)
 	corenet_udp_sendrecv_all_ports($1_t)
-	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_bind_all_nodes($1_t)
 	corenet_udp_bind_all_nodes($1_t)
 	corenet_udp_bind_generic_port($1_t)