diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
index 98aa2f82..41b40272 100644
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.2.3)
+policy_module(bootloader,1.2.4)
########################################
#
@@ -49,7 +49,7 @@ logging_log_file(var_log_ksyms_t)
#
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
-allow bootloader_t self:process { sigkill sigstop signull signal };
+allow bootloader_t self:process { sigkill sigstop signull signal execmem };
allow bootloader_t self:fifo_file rw_file_perms;
allow bootloader_t bootloader_etc_t:file r_file_perms;
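Review bot: The `execmem` added to `bootloader_t self:process` on L14 lets the bootloader domain map anonymous memory that is both writable and executable, which removes the W^X guarantee SELinux otherwise enforces for it, and nothing in the hunk says which tool triggers the denial. A capability this broad should carry a why-comment naming the binary and the reason, e.g. `# execmem: required by <bootloader tool> — confirm before keeping`, so a later maintainer can drop it once the tool is fixed. If only one distribution's build needs it, an `ifdef(`distro_…',` guard or a tunable would keep the relaxation off other systems.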
@@ -111,6 +111,7 @@ files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t,file)
+files_dontaudit_search_home(bootloader_t)
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
@@ -127,6 +128,8 @@ logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
+modutils_domtrans_insmod_uncond(bootloader_t)
+
seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
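Review bot: `modutils_domtrans_insmod_uncond(bootloader_t)` on L26 picks the unconditional transition, whereas the rest of this patch uses the plain `modutils_domtrans_insmod` (networkmanager.te, L744); the `_uncond` variant presumably bypasses whatever boolean gates the conditional one, so the bootloader can always load modules. Document why the unconditional form is needed here, e.g. `# unconditional: bootloader must be able to run insmod regardless of the insmod boolean — confirm`, or switch to the gated interface if the bootloader does not actually run during a phase where the boolean cannot apply.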
@@ -179,6 +182,10 @@ optional_policy(`
fstools_exec(bootloader_t)
')
+optional_policy(`
+ kudzu_domtrans(bootloader_t)
+')
+
optional_policy(`
dev_rw_lvm_control(bootloader_t)
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index 28ea0a20..d879781e 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch,1.1.1)
+policy_module(logwatch,1.1.2)
#################################
#
@@ -23,7 +23,7 @@ files_tmp_file(logwatch_tmp_t)
# Local policy
#
-allow logwatch_t self:capability setgid;
+allow logwatch_t self:capability { dac_override dac_read_search setgid };
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
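Review bot: `dac_override` on L53 is broader than a log reader needs: `dac_read_search` already bypasses DAC read and search checks, while `dac_override` additionally bypasses DAC write and execute checks on every file logwatch touches. If the motivating denial is only reading root-owned logs, `allow logwatch_t self:capability { dac_read_search setgid };` is sufficient; keep `dac_override` only if logwatch demonstrably writes into directories it does not own, and say so in a comment.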
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 2cc4c9f6..d5766aa0 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils,1.1.3)
+policy_module(netutils,1.1.4)
########################################
#
@@ -54,6 +54,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
+corenet_udp_bind_generic_node(netutils_t)
fs_getattr_xattr_fs(netutils_t)
diff --git a/refpolicy/policy/modules/admin/prelink.fc b/refpolicy/policy/modules/admin/prelink.fc
index 729f75a1..7d2b81b2 100644
--- a/refpolicy/policy/modules/admin/prelink.fc
+++ b/refpolicy/policy/modules/admin/prelink.fc
@@ -3,6 +3,5 @@
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
-/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0)
-
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
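Review bot: Dropping the `/var/lib/misc/prelink\..*` entry on L77 leaves no visible file context for `prelink_cache_t`, and the prelink.te hunk in this patch only bumps the version, so unless the cache is labeled by an entry outside this hunk the type becomes orphaned and `prelink.cache` inherits the parent directory's type, where `prelink_t` may have no write access. Either keep the line, or add the replacement context in the same commit, e.g. `/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)` if that is where the cache now lives — confirm against the prelink.te rules.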
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index 3f18fca5..506215ac 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink,1.1.3)
+policy_module(prelink,1.1.4)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index dd761163..4ee35d78 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -351,6 +351,26 @@ interface(`files_dontaudit_list_non_security',`
dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
')
+########################################
+##
+## Mount a filesystem on all non-security
+## directories and files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mounton_non_security',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ allow $1 { file_type -security_file_type }:dir mounton;
+ allow $1 { file_type -security_file_type }:file mounton;
+')
+
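Review bot: `files_mounton_non_security` on L108-L115 grants `mounton` over every `file_type` except `security_file_type`, for files as well as directories, which lets the caller shadow arbitrary paths (home content, /etc, /usr) with a mount of its choosing; the only caller in this patch, mount.te L923, correctly keeps it inside the `allow_mount_anyfile` tunable. The interface summary should state that scope so no one calls it unconditionally, e.g. `## Covers every non-security file and directory; only call this from inside a tunable.` Whether `file:mounton` (bind-mounting over individual files) is actually needed by the tunable's use case is worth confirming; if not, the file rule on L114 could be dropped.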
########################################
##
## Allow attempts to modify any directory
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index ccf74ba4..e3f7b8f7 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.11)
+policy_module(files,1.2.12)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 867de410..ebcabc41 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.10)
+policy_module(filesystem,1.3.11)
########################################
#
@@ -69,6 +69,11 @@ fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
+type ibmasmfs_t;
+fs_type(ibmasmfs_t)
+allow ibmasmfs_t self:filesystem associate;
+genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
+
type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
index 82e51537..f6277c55 100644
--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
@@ -7,7 +7,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0)
/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0)
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
@@ -29,19 +29,22 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+
ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -65,11 +68,11 @@ ifdef(`distro_debian', `
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-ifdef(`targeted_policy', `', `
+ifdef(`strict_policy',`
/var/spool/cron/apache -- gen_context(system_u:object_r:user_cron_spool_t,s0)
')
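Review bot: Rewriting `ifdef(`targeted_policy', `', `` as `ifdef(`strict_policy',`` on L191-L192 changes the condition from "every policy type except targeted" to "strict only", so any other policy type the build supports would silently lose the `user_cron_spool_t` context for `/var/spool/cron/apache`. If strict is the only non-targeted type this tree builds, the two are equivalent and a short comment saying so would avoid the question; otherwise keep the negated `targeted_policy` form.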
@@ -77,4 +80,3 @@ ifdef(`targeted_policy', `', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 69a605f4..98cbfb08 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -15,6 +15,7 @@ template(`apache_content_template',`
gen_require(`
attribute httpdcontent;
attribute httpd_exec_scripts;
+ attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
# allow write access to public file transfer
@@ -35,7 +36,7 @@ template(`apache_content_template',`
role system_r types httpd_$1_script_t;
# This type is used for executable scripts files
- type httpd_$1_script_exec_t; # customizable;
+ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
@@ -336,6 +337,58 @@ template(`apache_per_userdomain_template', `
')
')
+########################################
+##
+## Read httpd user scripts executables.
+##
+##
+##
+## Prefix of the domain. Example, user would be
+## the prefix for the uder_t domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`apache_read_user_scripts',`
+ gen_require(`
+ type httpd_$1_script_exec_t;
+ ')
+
+ allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
+ allow $2 httpd_$1_script_exec_t:file r_file_perms;
+ allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
+')
+
+########################################
+##
+## Read user web content.
+##
+##
+##
+## Prefix of the domain. Example, user would be
+## the prefix for the uder_t domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`apache_read_user_content',`
+ gen_require(`
+ type httpd_$1_content_t;
+ ')
+
+ allow $2 httpd_$1_content_t:dir r_dir_perms;
+ allow $2 httpd_$1_content_t:file r_file_perms;
+ allow $2 httpd_$1_content_t:lnk_file { getattr read };
+')
+
########################################
##
## Transition to apache.
@@ -464,12 +517,17 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
#
interface(`apache_manage_all_content',`
gen_require(`
- attribute httpdcontent;
+ attribute httpdcontent, httpd_script_exec_type;
')
allow $1 httpdcontent:dir manage_dir_perms;
allow $1 httpdcontent:file manage_file_perms;
allow $1 httpdcontent:lnk_file create_lnk_perms;
+
+ allow $1 httpd_script_exec_type:dir manage_dir_perms;
+ allow $1 httpd_script_exec_type:file manage_file_perms;
+ allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
+
')
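Review bot: The new rules on L288-L290 extend `apache_manage_all_content` from content types to every `httpd_script_exec_type`, which means any domain granted this interface can now create and modify the executables that `httpd_*_script_t` domains run — effectively the ability to plant CGI code — and the interface summary (outside this hunk) says nothing about it. Add a line to the summary such as `## Also grants full write access to all web script executable types; callers can install CGI code.` and review each existing caller to confirm that is intended. The trailing blank line before `')` on L291 is inconsistent with the other interfaces in the file.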
########################################
@@ -513,6 +571,28 @@ interface(`apache_read_config',`
allow $1 httpd_config_t:lnk_file { getattr read };
')
+########################################
+##
+## Allow the specified domain to manage
+## apache configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 httpd_config_t:dir manage_dir_perms;
+ allow $1 httpd_config_t:file manage_file_perms;
+ allow $1 httpd_config_t:lnk_file { getattr read };
+')
+
########################################
##
## Execute the Apache helper program with
@@ -632,6 +712,28 @@ interface(`apache_dontaudit_append_log',`
dontaudit $1 httpd_log_t:file { getattr append };
')
+########################################
+##
+## Allow the specified domain to manage
+## to apache log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir manage_dir_perms;
+ allow $1 httpd_log_t:file manage_file_perms;
+ allow $1 httpd_log_t:lnk_file { getattr read };
+')
+
########################################
##
## Do not audit attempts to search Apache
@@ -692,6 +794,28 @@ interface(`apache_exec_modules',`
can_exec($1,httpd_modules_t)
')
+########################################
+##
+## Execute a domain transition to run httpd_rotatelogs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_domtrans_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ ')
+
+ domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
+
+ allow httpd_rotatelogs_t $1:fd use;
+ allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
+ allow httpd_rotatelogs_t $1:process sigchld;
+')
+
########################################
##
## Allow the specified domain to manage
@@ -903,55 +1027,3 @@ interface(`apache_search_sys_script_state',`
allow $1 httpd_sys_script_t:dir search;
')
-
-########################################
-##
-## Read httpd user scripts executables.
-##
-##
-##
-## Prefix of the domain. Example, user would be
-## the prefix for the uder_t domain.
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`apache_read_user_scripts',`
- gen_require(`
- type httpd_$1_script_exec_t;
- ')
-
- allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
- allow $2 httpd_$1_script_exec_t:file r_file_perms;
- allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
-')
-
-########################################
-##
-## Read user web content.
-##
-##
-##
-## Prefix of the domain. Example, user would be
-## the prefix for the uder_t domain.
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`apache_read_user_content',`
- gen_require(`
- type httpd_$1_content_t;
- ')
-
- allow $2 httpd_$1_content_t:dir r_dir_perms;
- allow $2 httpd_$1_content_t:file r_file_perms;
- allow $2 httpd_$1_content_t:lnk_file { getattr read };
-')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index fb1c90ff..6951300a 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.13)
+policy_module(apache,1.3.14)
#
# NOTES:
@@ -25,6 +25,8 @@ attribute httpdcontent;
# domains that can exec all users scripts
attribute httpd_exec_scripts;
+attribute httpd_script_exec_type;
+
# user script domains
attribute httpd_script_domains;
@@ -68,6 +70,10 @@ role system_r types httpd_php_t;
type httpd_php_tmp_t;
files_tmp_file(httpd_php_tmp_t)
+type httpd_rotatelogs_t;
+type httpd_rotatelogs_exec_t;
+init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
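Review bot: `init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)` on L454 sets rotatelogs up as an init-started daemon, but nothing in this patch adds an init script for it; rotatelogs is reached through `apache_domtrans_rotatelogs` (L491) as a helper spawned by another domain. If init never launches it, `domain_type`/`domain_entry_file` plus `role system_r types httpd_rotatelogs_t;` would give the same transition without also allowing init and initrc to run it directly — confirm how it is started before choosing.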
@@ -109,14 +115,6 @@ files_pid_file(httpd_var_run_t)
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
-# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
-# This is a bug but it still exists in FC2
-# cjp: probably can remove this
-ifdef(`distro_redhat',`
- typealias httpd_log_t alias httpd_runtime_t;
- dontaudit httpd_t httpd_runtime_t:file ioctl;
-')
-
ifdef(`targeted_policy',`
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
@@ -293,6 +291,15 @@ tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
+ifdef(`TODO', `
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`allow_httpd_mod_auth_pam',`
+ auth_domtrans_chk_passwd(httpd_t)
+')
+')
+
tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -655,6 +662,9 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append };
')
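Review bot: `apache_domtrans_rotatelogs(httpd_sys_script_t)` on L491 lets every system CGI script run rotatelogs, and the rotatelogs domain has `manage_file_perms` on `httpd_log_t` (L507), so a compromised script gains create/unlink on the web server's log files even though scripts themselves only get `{ getattr append }` on L494. The comment on L490 already asks about a boolean; I would put the transition under a `tunable_policy` with a default of off, or move it to `httpd_t` if the real consumer is Apache's piped-log feature rather than scripts — confirm which process actually execs rotatelogs.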
@@ -688,3 +698,26 @@ optional_policy(`
optional_policy(`
nscd_socket_use(httpd_unconfined_script_t)
')
+
+########################################
+#
+# httpd_rotatelogs local policy
+#
+
+allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
+allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
+
+kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
+
+files_read_etc_files(httpd_rotatelogs_t)
+
+libs_use_ld_so(httpd_rotatelogs_t)
+libs_use_shared_libs(httpd_rotatelogs_t)
+
+miscfiles_read_localization(httpd_rotatelogs_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
+')
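Review bot: The rotatelogs local policy on L506-L521 grants access to `httpd_log_t` but nothing to traverse the directories above it, so an invocation with an absolute log path such as `/var/log/httpd/access_log` would be denied search on `/var` and `/var/log`; add `logging_search_logs(httpd_rotatelogs_t)` next to the log rules (the same helper `apache_manage_log` uses on L341). If rotatelogs is only ever given a relative path from a caller already inside the log directory the rule is harmless, but it costs nothing and avoids a denial that is hard to diagnose from a pipe.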
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index 9d364af8..67020c07 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.2.6)
+policy_module(automount,1.2.7)
########################################
#
@@ -28,7 +28,7 @@ files_mountpoint(automount_tmp_t)
# Local policy
#
-allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
+allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_file_perms;
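Review bot: `sys_admin` on L536 is the single most powerful capability in the kernel, and the hunk gives no reason for it; the later hunk (L546-L553) shows the motivation is that automount now performs mounts itself, and mount(2)/umount(2) require CAP_SYS_ADMIN. Record that so the grant is not mistaken for a catch-all, e.g. `# sys_admin: required by mount(2)/umount(2) now that automount mounts directly`, and keep it in mind that no finer capability exists for this — the mitigation is that the mount targets are still confined by the mounton/mount rules below.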
@@ -64,8 +64,17 @@ kernel_read_proc_symlinks(automount_t)
kernel_read_system_state(automount_t)
kernel_read_network_state(automount_t)
kernel_list_proc(automount_t)
+kernel_dontaudit_search_xen_state(automount_t)
files_search_boot(automount_t)
+# Automount is slowly adding all mount functionality internally
+files_search_all(automount_t)
+files_mounton_all_mountpoints(automount_t)
+files_mount_all_file_type_fs(automount_t)
+files_unmount_all_file_type_fs(automount_t)
+
+fs_mount_all_fs(automount_t)
+fs_unmount_all_fs(automount_t)
corecmd_exec_sbin(automount_t)
corecmd_exec_bin(automount_t)
diff --git a/refpolicy/policy/modules/services/clamav.if b/refpolicy/policy/modules/services/clamav.if
index dfb0dd08..3263dbb1 100644
--- a/refpolicy/policy/modules/services/clamav.if
+++ b/refpolicy/policy/modules/services/clamav.if
@@ -62,6 +62,25 @@ interface(`clamav_read_config',`
allow $1 clamd_etc_t:file r_file_perms;
')
+########################################
+##
+## Search clamav libraries directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_search_lib',`
+ gen_require(`
+ type clamd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 clamd_var_lib_t:dir search_dir_perms;
+')
+
########################################
##
## Execute a domain transition to run clamscan.
@@ -83,4 +102,3 @@ interface(`clamav_domtrans_clamscan',`
allow clamscan_t $1:fifo_file rw_file_perms;
allow clamscan_t $1:process sigchld;
')
-
diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te
index 76a543a1..14f06d6b 100644
--- a/refpolicy/policy/modules/services/clamav.te
+++ b/refpolicy/policy/modules/services/clamav.te
@@ -1,5 +1,5 @@
-policy_module(clamav,1.0.3)
+policy_module(clamav,1.0.4)
########################################
#
diff --git a/refpolicy/policy/modules/services/cups.fc b/refpolicy/policy/modules/services/cups.fc
index c744fe98..44831b19 100644
--- a/refpolicy/policy/modules/services/cups.fc
+++ b/refpolicy/policy/modules/services/cups.fc
@@ -21,6 +21,7 @@
/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index 5fa55b1a..5f3a5cb6 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -40,7 +40,7 @@ interface(`cups_stream_connect',`
files_search_pids($1)
allow $1 cupsd_var_run_t:dir search;
- allow $1 cupsd_var_run_t:sock_file write;
+ allow $1 cupsd_var_run_t:sock_file { getattr write };
allow $1 cupsd_t:unix_stream_socket connectto;
')
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 0c24a94e..48ed8105 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.3.9)
+policy_module(cups,1.3.10)
########################################
#
@@ -313,6 +313,7 @@ allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
+allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
@@ -342,6 +343,9 @@ allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
+allow cupsd_config_t cupsd_tmp_t:file create_file_perms;
+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
+
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
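Review bot: The `files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })` on L640 names `dir` as a transition class, but the only access granted on L639 is `cupsd_tmp_t:file create_file_perms`, so a directory created in /tmp would get the `cupsd_tmp_t` label and then fail on the missing dir permission. Either add `allow cupsd_config_t cupsd_tmp_t:dir create_dir_perms;` alongside L639, or drop `dir` from the filetrans if cupsd_config only creates files.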
kernel_read_system_state(cupsd_config_t)
@@ -357,6 +361,7 @@ corenet_sendrecv_all_client_packets(cupsd_config_t)
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
+dev_read_rand(cupsd_config_t)
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
@@ -397,6 +402,8 @@ userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
lpd_read_config(cupsd_config_t)
+cups_stream_connect(cupsd_config_t)
+
ifdef(`distro_redhat',`
init_getattr_script_files(cupsd_config_t)
@@ -430,6 +437,7 @@ optional_policy(`
optional_policy(`
hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
')
optional_policy(`
@@ -593,6 +601,7 @@ corenet_receive_hplip_server_packets(hplip_t)
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
dev_read_urand(hplip_t)
+dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
fs_getattr_all_fs(hplip_t)
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index 7bc69b2f..97e78308 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -101,10 +101,27 @@ interface(`hal_dbus_chat',`
allow hald_t $1:dbus send_msg;
')
+########################################
+##
+## Read hald tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_read_tmp_files',`
+ gen_require(`
+ type hald_tmp_t;
+ ')
+
+ allow $1 hald_tmp_t:file r_file_perms;
+')
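Review bot: `hal_read_tmp_files` on L686-L692 allows reading `hald_tmp_t` files but does not grant the caller a path to them: the comparable `clamav_search_lib` in this same patch (L578) calls `files_search_var_lib($1)` first, and here `files_search_tmp($1)` is missing, as is `allow $1 hald_tmp_t:dir search_dir_perms;` in case hald creates its tmp files inside a subdirectory. Add `files_search_tmp($1)` before the allow rule and, if hald uses a directory, the dir search rule too — confirm against hal.te. A blank line is also needed between L692 and the next `####` header on L693 to match the file's layout.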
########################################
##
-## Read hald state files.
+## Read hald PID files.
##
##
##
@@ -124,7 +141,7 @@ interface(`hal_read_pid_files',`
########################################
##
-## Read/Write hald state files.
+## Read/Write hald PID files.
##
##
##
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 74c9809b..47786ad8 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.9)
+policy_module(hal,1.3.10)
########################################
#
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 71aa8983..fc62d0b7 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -194,9 +194,3 @@ optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent)
')
')
-
-ifdef(`TODO',`
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file create_file_perms;
-')
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index c5228b63..c6eda322 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.4)
+policy_module(networkmanager,1.3.5)
########################################
#
@@ -92,6 +92,7 @@ libs_use_shared_libs(NetworkManager_t)
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
+miscfiles_read_certs(NetworkManager_t)
modutils_domtrans_insmod(NetworkManager_t)
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index af22a7ee..a679b2fe 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp,1.1.2)
+policy_module(ntp,1.1.3)
########################################
#
@@ -62,6 +62,7 @@ files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
+kernel_read_network_state(ntpd_t)
corenet_non_ipsec_sendrecv(ntpd_t)
corenet_tcp_sendrecv_all_if(ntpd_t)
diff --git a/refpolicy/policy/modules/services/openvpn.te b/refpolicy/policy/modules/services/openvpn.te
index 8967f0c5..8277b366 100644
--- a/refpolicy/policy/modules/services/openvpn.te
+++ b/refpolicy/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn,1.0.1)
+policy_module(openvpn,1.0.2)
########################################
#
@@ -44,6 +44,7 @@ logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
allow openvpn_t openvpn_var_run_t:file create_file_perms;
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
+kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)
@@ -81,6 +82,10 @@ miscfiles_read_localization(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
+ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_ptys(openvpn_t)
+')
+
optional_policy(`
daemontools_service_domain(openvpn_t,openvpn_exec_t)
')
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index 1618a945..b6c9bb14 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -403,6 +403,29 @@ interface(`postfix_exec_master',`
can_exec($1,postfix_master_exec_t)
')
+########################################
+##
+## Execute the master postfix program in the
+## postfix_master domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postfix_domtrans_smtp',`
+ gen_require(`
+ type postfix_smtp_t, postfix_smtp_exec_t;
+ ')
+
+ domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
+
+ allow postfix_smtp_t $1:fd use;
+ allow postfix_smtp_t $1:fifo_file rw_file_perms;
+ allow postfix_smtp_t $1:process sigchld;
+')
+
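Review bot: The summary on L794-L795 for `postfix_domtrans_smtp` still reads "Execute the master postfix program in the postfix_master domain", a copy of the `postfix_exec_master` block above it, while the body transitions to `postfix_smtp_t` via `postfix_smtp_exec_t`. Change it to `## Execute the postfix smtp client in the postfix_smtp domain.` so generated interface documentation does not mislead callers about which domain they end up in.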
########################################
##
## Search postfix mail spool directories.
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 612ba911..d2f75154 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.2.7)
+policy_module(postfix,1.2.8)
########################################
#
@@ -456,10 +456,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`
- cron_use_fds(postfix_postdrop_t)
- cron_rw_pipes(postfix_postdrop_t)
- cron_use_system_job_fds(postfix_postdrop_t)
- cron_rw_system_job_pipes(postfix_postdrop_t)
+ cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
optional_policy(`
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 5ba43fd3..4f48f9b7 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
-policy_module(ppp,1.2.3)
+policy_module(ppp,1.2.4)
########################################
#
@@ -59,8 +59,8 @@ files_pid_file(pptp_var_run_t)
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
dontaudit pppd_t self:capability sys_tty_config;
+allow pppd_t self:process signal;
allow pppd_t self:fifo_file rw_file_perms;
-allow pppd_t self:file { read getattr };
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index 15f8deac..29eefaea 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.2.3)
+policy_module(procmail,1.2.4)
########################################
#
@@ -78,6 +78,7 @@ ifdef(`targeted_policy', `
optional_policy(`
clamav_domtrans_clamscan(procmail_t)
+ clamav_search_lib(procmail_t)
')
optional_policy(`
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index baeccb08..a6bdb4e1 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -1290,6 +1290,8 @@ interface(`auth_use_nsswitch',`
allow $1 var_auth_t:file create_file_perms;
files_list_var_lib($1)
+ miscfiles_read_certs($1)
+
sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 3cc57bdd..6a21bb70 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.5)
+policy_module(authlogin,1.3.6)
########################################
#
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index ec49bbf1..91263809 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -121,7 +121,7 @@ ifdef(`distro_gentoo',`
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/drivers/fglx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_redhat',`
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 2251bf62..03ce1fa0 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.3.8)
+policy_module(libraries,1.3.9)
########################################
#
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 9caa6f82..d2573747 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.3.6)
+policy_module(mount,1.3.7)
########################################
#
@@ -111,6 +111,7 @@ ifdef(`targeted_policy',`
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
+ files_mounton_non_security(mount_t)
')
')
diff --git a/refpolicy/policy/modules/system/unconfined.fc b/refpolicy/policy/modules/system/unconfined.fc
index a505b37d..08643f95 100644
--- a/refpolicy/policy/modules/system/unconfined.fc
+++ b/refpolicy/policy/modules/system/unconfined.fc
@@ -7,4 +7,6 @@
ifdef(`targeted_policy',`
/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/local/RealPlay/realplay.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index d8509df5..acd16f26 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.10)
+policy_module(unconfined,1.3.11)
########################################
#
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
index 8d15a080..4f80cc0e 100644
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.0.6)
+policy_module(xen,1.0.7)
########################################
#
@@ -68,7 +68,7 @@ init_daemon_domain(xm_t, xm_exec_t)
# xend local policy
#
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
allow xend_t self:process { signal sigkill };
# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_file_perms;
@@ -168,6 +168,8 @@ sysnet_read_dhcpc_pid(xend_t)
xen_stream_connect_xenstore(xend_t)
+netutils_domtrans(xend_t)
+
optional_policy(`
consoletype_domtrans(xend_t)
')
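Review bot: `netutils_domtrans(xend_t)` on L965 is a cross-module call but is placed outside `optional_policy`, while the adjacent `consoletype_domtrans(xend_t)` is wrapped; netutils lives in admin/netutils.te and may not be present in a build, which would make the xen module fail to link. Wrap it the same way: `optional_policy(`` / `	netutils_domtrans(xend_t)` / `')`. The `net_raw` capability added on L959 presumably supports the same ping/arping use; a comment tying the two together would help.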
@@ -255,7 +257,8 @@ xen_append_log(xenstored_t)
# xm local policy
#
-allow xm_t self:capability { dac_override ipc_lock };
+allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+
# internal communication is often done using fifo and unix sockets.
allow xm_t self:fifo_file { read write };
allow xm_t self:unix_stream_socket create_stream_socket_perms;
@@ -265,6 +268,9 @@ allow xm_t xend_var_lib_t:fifo_file create_file_perms;
allow xm_t xend_var_lib_t:file create_file_perms;
files_search_var_lib(xm_t)
+allow xm_t xen_image_t:dir rw_dir_perms;
+allow xm_t xen_image_t:file r_file_perms;
+
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
kernel_read_xen_state(xm_t)
@@ -284,6 +290,7 @@ files_read_etc_files(xm_t)
term_use_all_terms(xm_t)
init_rw_script_stream_sockets(xm_t)
+init_use_fds(xm_t)
libs_use_ld_so(xm_t)
libs_use_shared_libs(xm_t)