add amanda

refpolicy/Changelog

@@ -2,6 +2,7 @@
   build phase instead of during the generation phase.  
 - DISTRO=redhat now implies DIRECT_INITRC=y.
 - Added policies:
+	amanda
 	canna
 	cyrus
 	dovecot

refpolicy/policy/modules/kernel/kernel.if

@@ -1393,6 +1393,23 @@ interface(`kernel_rw_unlabeled_dir',`
 	allow $1 unlabeled_t:dir rw_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts by caller to get the
+##	attributes of an unlabeled file.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_file',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to get attributes for
@@ -1408,7 +1425,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
 		class blk_file getattr;
 	')
 
-	allow $1 unlabeled_t:blk_file getattr;
+	dontaudit $1 unlabeled_t:blk_file getattr;
 ')
 
 ########################################

refpolicy/policy/modules/services/bind.te

@@ -1,5 +1,5 @@
 
-policy_module(bind,1.0)
+policy_module(bind,0.9)
 
 ########################################
 #

refpolicy/policy/modules/services/inetd.te

@@ -71,6 +71,8 @@ corenet_udp_bind_all_nodes(inetd_t)
 corenet_tcp_connect_all_ports(inetd_t)
 
 # listen on service ports:
+corenet_tcp_bind_amanda_port(inetd_t)
+corenet_udp_bind_amanda_port(inetd_t)
 corenet_tcp_bind_auth_port(inetd_t)
 #corenet_udp_bind_comsat_port(inetd_t)
 corenet_tcp_bind_dbskkd_port(inetd_t)
@@ -123,6 +125,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(inetd_t)
 ')
 
+optional_policy(`amanda.te',`
+	amanda_search_lib(inetd_t)
+')
+
 optional_policy(`mount.te',`
 	mount_send_nfs_client_request(inetd_t)
 ')

refpolicy/policy/modules/services/networkmanager.te

@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.0)
+policy_module(networkmanager,0.9)
 
 ########################################
 #

refpolicy/policy/modules/system/files.if

@@ -616,6 +616,40 @@ interface(`files_dontaudit_getattr_non_security_sockets',`
 	dontaudit $1 { file_type -security_file_type }:sock_file getattr;
 ')
 
+########################################
+## <summary>
+##	Read all block nodes with file types.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_all_blk_nodes',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:blk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read all character nodes with file types.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_all_chr_nodes',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir search;
+	allow $1 file_type:chr_file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Relabel all files on the filesystem, except

refpolicy/policy/modules/system/userdomain.if

@@ -1801,6 +1801,87 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
 	dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Create objects in sysadm home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="object_class" optional="true">
+##	The class of the object to be created.
+##	If not specified, file is used.
+## </param>
+#
+interface(`userdom_create_sysadm_home',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type user_home_dir_t, user_home_t;
+		')
+
+		allow $1 user_home_dir_t:dir rw_dir_perms;
+		ifelse(`$2',`',`
+			ifelse(`$3',`',`
+				type_transition $1 user_home_dir_t:file user_home_t;
+			',`
+				type_transition $1 user_home_dir_t:$3 user_home_t;
+			')
+		',`
+			ifelse(`$3',`',`
+				type_transition $1 user_home_dir_t:file $2;
+			',`
+				type_transition $1 user_home_dir_t:$3 $2;
+			')
+		')
+	',`
+		gen_require(`
+			type sysadm_home_dir_t, sysadm_home_t;
+		')
+
+		allow $1 sysadm_home_dir_t:dir rw_dir_perms;
+
+		ifelse(`$2',`',`
+			ifelse(`$3',`',`
+				type_transition $1 sysadm_home_dir_t:file sysadm_home_t;
+			',`
+				type_transition $1 sysadm_home_dir_t:$3 sysadm_home_t;
+			')
+		',`
+			ifelse(`$3',`',`
+				type_transition $1 sysadm_home_dir_t:file $2;
+			',`
+				type_transition $1 sysadm_home_dir_t:$3 $2;
+			')
+		')
+	')
+')
+
+########################################
+## <summary>
+##	Search the sysadm users home sub directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_search_sysadm_home_subdirs',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type user_home_dir_t, user_home_t;
+		')
+
+		allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+
+	',`
+		gen_require(`
+			type sysadm_home_dir_t, sysadm_home_t;
+		')
+
+		allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Read files in the sysadm users home directory.

refpolicy/policy/modules/system/userdomain.te

@@ -121,6 +121,10 @@ ifdef(`targeted_policy',`
 		domain_ptrace_all_domains(sysadm_t)
 	')
 
+	optional_policy(`amanda.te',`
+		amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`apache.te',`
 		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
 		#apache_run_all_scripts(sysadm_t,sysadm_r)