patch from Dan Tue, 20 Jun 2006 16:19:13 -0400

2006-06-21 18:25:06 +00:00 · 2006-06-21 18:25:06 +00:00 · 123a990b6f
commit 123a990b6f
parent 1b11a1fe65
35 changed files with 341 additions and 114 deletions
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@ -1,5 +1,5 @@
-policy_module(bootloader,1.2.3)
+policy_module(bootloader,1.2.4)
 ########################################
 #
@ -49,7 +49,7 @@ logging_log_file(var_log_ksyms_t)
 #
 allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
-allow bootloader_t self:process { sigkill sigstop signull signal };
+allow bootloader_t self:process { sigkill sigstop signull signal execmem };
 allow bootloader_t self:fifo_file rw_file_perms;
 allow bootloader_t bootloader_etc_t:file r_file_perms;
@ -111,6 +111,7 @@ files_dontaudit_search_pids(bootloader_t)
 # for blkid.tab
 files_manage_etc_runtime_files(bootloader_t)
 files_etc_filetrans_etc_runtime(bootloader_t,file)
 files_dontaudit_search_home(bootloader_t)
 init_getattr_initctl(bootloader_t)
 init_use_script_ptys(bootloader_t)
@ -127,6 +128,8 @@ logging_rw_generic_logs(bootloader_t)
 miscfiles_read_localization(bootloader_t)
 modutils_domtrans_insmod_uncond(bootloader_t)
 seutil_read_bin_policy(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
@ -179,6 +182,10 @@ optional_policy(`
 	fstools_exec(bootloader_t)
 ')
 optional_policy(`
 	kudzu_domtrans(bootloader_t)
 ')
 optional_policy(`
 	dev_rw_lvm_control(bootloader_t)
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@ -1,5 +1,5 @@
-policy_module(logwatch,1.1.1)
+policy_module(logwatch,1.1.2)
 #################################
 #
@ -23,7 +23,7 @@ files_tmp_file(logwatch_tmp_t)
 # Local policy
 #
-allow logwatch_t self:capability setgid;
+allow logwatch_t self:capability { dac_override dac_read_search setgid };
 allow logwatch_t self:fifo_file rw_file_perms;
 allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@ -1,5 +1,5 @@
-policy_module(netutils,1.1.3)
+policy_module(netutils,1.1.4)
 ########################################
 #
@ -54,6 +54,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t)
 corenet_udp_sendrecv_all_ports(netutils_t)
 corenet_tcp_connect_all_ports(netutils_t)
 corenet_sendrecv_all_client_packets(netutils_t)
 corenet_udp_bind_generic_node(netutils_t)
 fs_getattr_xattr_fs(netutils_t)
--- a/refpolicy/policy/modules/admin/prelink.fc
+++ b/refpolicy/policy/modules/admin/prelink.fc
@ -3,6 +3,5 @@
 /usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
 /var/lib/misc/prelink\..*	--	gen_context(system_u:object_r:prelink_cache_t,s0)
 /var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
 /var/log/prelink(/.*)?			gen_context(system_u:object_r:prelink_log_t,s0)
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@ -1,5 +1,5 @@
-policy_module(prelink,1.1.3)
+policy_module(prelink,1.1.4)
 ########################################
 #
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@ -351,6 +351,26 @@ interface(`files_dontaudit_list_non_security',`
 	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Mount a filesystem on all non-security
 ##	directories and files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_mounton_non_security',`
 	gen_require(`
 		attribute file_type, security_file_type;
 	')
 	allow $1 { file_type -security_file_type }:dir mounton;
 	allow $1 { file_type -security_file_type }:file mounton;
 ')
 ########################################
 ## <summary>
 ##	Allow attempts to modify any directory
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@ -1,5 +1,5 @@
-policy_module(files,1.2.11)
+policy_module(files,1.2.12)
 ########################################
 #
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.10)
+policy_module(filesystem,1.3.11)
 ########################################
 #
@ -69,6 +69,11 @@ fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
 allow ibmasmfs_t self:filesystem associate;
 genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
 type inotifyfs_t;
 fs_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
@ -31,13 +31,16 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
 /usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 /usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 ifdef(`distro_suse', `
 /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
 /usr/sbin/suexec			--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
@ -69,7 +72,7 @@ ifdef(`distro_debian', `
 /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
 /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-ifdef(`targeted_policy', `', `
+ifdef(`strict_policy',`
 /var/spool/cron/apache		-- 	gen_context(system_u:object_r:user_cron_spool_t,s0)
 ')
@ -77,4 +80,3 @@ ifdef(`targeted_policy', `', `
 /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/share/selinux-policy([^/]*)?/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@ -15,6 +15,7 @@ template(`apache_content_template',`
 	gen_require(`
 		attribute httpdcontent;
 		attribute httpd_exec_scripts;
 		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
 	')
 	# allow write access to public file transfer
@ -35,7 +36,7 @@ template(`apache_content_template',`
 	role system_r types httpd_$1_script_t;
 	# This type is used for executable scripts files
-	type httpd_$1_script_exec_t; # customizable;
+	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
 	corecmd_shell_entry_type(httpd_$1_script_t)
 	domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
@ -336,6 +337,58 @@ template(`apache_per_userdomain_template', `
 	')
 ')
 ########################################
 ## <summary>
 ##	Read httpd user scripts executables.
 ## </summary>
 ## <param name="domain_prefix">
 ##	<summary>
 ##	Prefix of the domain. Example, user would be
 ##	the prefix for the uder_t domain.
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 template(`apache_read_user_scripts',`
 	gen_require(`
 		type httpd_$1_script_exec_t;
 	')
 	allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
 	allow $2 httpd_$1_script_exec_t:file r_file_perms;
 	allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
 ')
 ########################################
 ## <summary>
 ##	Read user web content.
 ## </summary>
 ## <param name="domain_prefix">
 ##	<summary>
 ##	Prefix of the domain. Example, user would be
 ##	the prefix for the uder_t domain.
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 template(`apache_read_user_content',`
 	gen_require(`
 		type httpd_$1_content_t;
 	')
 	allow $2 httpd_$1_content_t:dir r_dir_perms;
 	allow $2 httpd_$1_content_t:file r_file_perms;
 	allow $2 httpd_$1_content_t:lnk_file { getattr read };
 ')
 ########################################
 ## <summary>
 ##	Transition to apache.
@ -464,12 +517,17 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 #
 interface(`apache_manage_all_content',`
 	gen_require(`
-		attribute httpdcontent;
+		attribute httpdcontent, httpd_script_exec_type;
 	')
 	allow $1 httpdcontent:dir manage_dir_perms;
 	allow $1 httpdcontent:file manage_file_perms;
 	allow $1 httpdcontent:lnk_file create_lnk_perms;
 	allow $1 httpd_script_exec_type:dir manage_dir_perms;
 	allow $1 httpd_script_exec_type:file manage_file_perms;
 	allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
 ')
 ########################################
@ -513,6 +571,28 @@ interface(`apache_read_config',`
 	allow $1 httpd_config_t:lnk_file { getattr read };
 ')
 ########################################
 ## <summary>
 ##	Allow the specified domain to manage
 ##	apache configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`apache_manage_config',`
 	gen_require(`
 		type httpd_config_t;
 	')
 	files_search_etc($1)
 	allow $1 httpd_config_t:dir manage_dir_perms;
 	allow $1 httpd_config_t:file manage_file_perms;
 	allow $1 httpd_config_t:lnk_file { getattr read };
 ')
 ########################################
 ## <summary>
 ##	Execute the Apache helper program with
@ -632,6 +712,28 @@ interface(`apache_dontaudit_append_log',`
 	dontaudit $1 httpd_log_t:file { getattr append };
 ')
 ########################################
 ## <summary>
 ##	Allow the specified domain to manage
 ##	to apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`apache_manage_log',`
 	gen_require(`
 		type httpd_log_t;
 	')
 	logging_search_logs($1)
 	allow $1 httpd_log_t:dir manage_dir_perms;
 	allow $1 httpd_log_t:file manage_file_perms;
 	allow $1 httpd_log_t:lnk_file { getattr read };
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to search Apache
@ -692,6 +794,28 @@ interface(`apache_exec_modules',`
 	can_exec($1,httpd_modules_t)
 ')
 ########################################
 ## <summary>
 ##	Execute a domain transition to run httpd_rotatelogs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`apache_domtrans_rotatelogs',`
 	gen_require(`
 		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
 	')
 	domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
 	allow httpd_rotatelogs_t $1:fd use;
 	allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
 	allow httpd_rotatelogs_t $1:process sigchld;
 ')
 ########################################
 ## <summary>
 ##	Allow the specified domain to manage
@ -903,55 +1027,3 @@ interface(`apache_search_sys_script_state',`
 	allow $1 httpd_sys_script_t:dir search;
 ')
 ########################################
 ## <summary>
 ##	Read httpd user scripts executables.
 ## </summary>
 ## <param name="domain_prefix">
 ##	<summary>
 ##	Prefix of the domain. Example, user would be
 ##	the prefix for the uder_t domain.
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`apache_read_user_scripts',`
 	gen_require(`
 		type httpd_$1_script_exec_t;
 	')
 	allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
 	allow $2 httpd_$1_script_exec_t:file r_file_perms;
 	allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
 ')
 ########################################
 ## <summary>
 ##	Read user web content.
 ## </summary>
 ## <param name="domain_prefix">
 ##	<summary>
 ##	Prefix of the domain. Example, user would be
 ##	the prefix for the uder_t domain.
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`apache_read_user_content',`
 	gen_require(`
 		type httpd_$1_content_t;
 	')
 	allow $2 httpd_$1_content_t:dir r_dir_perms;
 	allow $2 httpd_$1_content_t:file r_file_perms;
 	allow $2 httpd_$1_content_t:lnk_file { getattr read };
 ')
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@ -1,5 +1,5 @@
-policy_module(apache,1.3.13)
+policy_module(apache,1.3.14)
 #
 # NOTES: 
@ -25,6 +25,8 @@ attribute httpdcontent;
 # domains that can exec all users scripts
 attribute httpd_exec_scripts;
 attribute httpd_script_exec_type;
 # user script domains
 attribute httpd_script_domains;
@ -68,6 +70,10 @@ role system_r types httpd_php_t;
 type httpd_php_tmp_t;
 files_tmp_file(httpd_php_tmp_t)
 type httpd_rotatelogs_t;
 type httpd_rotatelogs_exec_t;
 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
 type httpd_squirrelmail_t;
 files_type(httpd_squirrelmail_t)
@ -109,14 +115,6 @@ files_pid_file(httpd_var_run_t)
 type squirrelmail_spool_t;
 files_tmp_file(squirrelmail_spool_t)
 # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
 # This is a bug but it still exists in FC2
 # cjp: probably can remove this
 ifdef(`distro_redhat',`
 	typealias httpd_log_t alias httpd_runtime_t;
 	dontaudit httpd_t httpd_runtime_t:file ioctl;
 ')
 ifdef(`targeted_policy',`
 	typealias httpd_sys_content_t alias httpd_user_content_t;
 	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
@ -293,6 +291,15 @@ tunable_policy(`allow_httpd_anon_write',`
 	miscfiles_manage_public_files(httpd_t)
 ') 
 ifdef(`TODO', `
 #
 # We need optionals to be able to be within booleans to make this work
 #
 tunable_policy(`allow_httpd_mod_auth_pam',`
 	auth_domtrans_chk_passwd(httpd_t)
 ')
 ')
 tunable_policy(`httpd_can_network_connect',`
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
@ -655,6 +662,9 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
 files_search_var_lib(httpd_sys_script_t)
 files_search_spool(httpd_sys_script_t)
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file { getattr append };
 ')
@ -688,3 +698,26 @@ optional_policy(`
 optional_policy(`
 	nscd_socket_use(httpd_unconfined_script_t)
 ')
 ########################################
 #
 # httpd_rotatelogs local policy
 #
 allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
 allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
 kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
 files_read_etc_files(httpd_rotatelogs_t)
 libs_use_ld_so(httpd_rotatelogs_t)
 libs_use_shared_libs(httpd_rotatelogs_t)
 miscfiles_read_localization(httpd_rotatelogs_t)
 ifdef(`targeted_policy',`
 	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
 ')
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@ -1,5 +1,5 @@
-policy_module(automount,1.2.6)
+policy_module(automount,1.2.7)
 ########################################
 #
@ -28,7 +28,7 @@ files_mountpoint(automount_tmp_t)
 # Local policy
 #
-allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
+allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
 dontaudit automount_t self:capability sys_tty_config;
 allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
 allow automount_t self:fifo_file rw_file_perms;
@ -64,8 +64,17 @@ kernel_read_proc_symlinks(automount_t)
 kernel_read_system_state(automount_t)
 kernel_read_network_state(automount_t)
 kernel_list_proc(automount_t)
 kernel_dontaudit_search_xen_state(automount_t)
 files_search_boot(automount_t)
 # Automount is slowly adding all mount functionality internally
 files_search_all(automount_t)
 files_mounton_all_mountpoints(automount_t)
 files_mount_all_file_type_fs(automount_t)
 files_unmount_all_file_type_fs(automount_t)
 fs_mount_all_fs(automount_t)
 fs_unmount_all_fs(automount_t)
 corecmd_exec_sbin(automount_t)
 corecmd_exec_bin(automount_t)
--- a/refpolicy/policy/modules/services/clamav.if
+++ b/refpolicy/policy/modules/services/clamav.if
@ -62,6 +62,25 @@ interface(`clamav_read_config',`
 	allow $1 clamd_etc_t:file r_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Search clamav libraries directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`clamav_search_lib',`
 	gen_require(`
 		type clamd_var_lib_t;
 	')
 	files_search_var_lib($1)
 	allow $1 clamd_var_lib_t:dir search_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Execute a domain transition to run clamscan.
@ -83,4 +102,3 @@ interface(`clamav_domtrans_clamscan',`
 	allow clamscan_t $1:fifo_file rw_file_perms;
 	allow clamscan_t $1:process sigchld;
 ')
--- a/refpolicy/policy/modules/services/clamav.te
+++ b/refpolicy/policy/modules/services/clamav.te
@ -1,5 +1,5 @@
-policy_module(clamav,1.0.3)
+policy_module(clamav,1.0.4)
 ########################################
 #
--- a/refpolicy/policy/modules/services/cups.fc
+++ b/refpolicy/policy/modules/services/cups.fc
@ -21,6 +21,7 @@
 /usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
 /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
 /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
 /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@ -40,7 +40,7 @@ interface(`cups_stream_connect',`
 	files_search_pids($1)
 	allow $1 cupsd_var_run_t:dir search;
-	allow $1 cupsd_var_run_t:sock_file write;
+	allow $1 cupsd_var_run_t:sock_file { getattr write };
 	allow $1 cupsd_t:unix_stream_socket connectto;
 ')
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@ -1,5 +1,5 @@
-policy_module(cups,1.3.9)
+policy_module(cups,1.3.10)
 ########################################
 #
@ -313,6 +313,7 @@ allow cupsd_config_t self:fifo_file rw_file_perms;
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
 allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
 allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
 allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
@ -342,6 +343,9 @@ allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
 allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
 files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
 allow cupsd_config_t cupsd_tmp_t:file create_file_perms;
 files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
 allow cupsd_config_t cupsd_var_run_t:file { getattr read };
 kernel_read_system_state(cupsd_config_t)
@ -357,6 +361,7 @@ corenet_sendrecv_all_client_packets(cupsd_config_t)
 dev_read_sysfs(cupsd_config_t)
 dev_read_urand(cupsd_config_t)
 dev_read_rand(cupsd_config_t)
 fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
@ -397,6 +402,8 @@ userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
 lpd_read_config(cupsd_config_t)
 cups_stream_connect(cupsd_config_t)
 ifdef(`distro_redhat',`
 	init_getattr_script_files(cupsd_config_t)
@ -430,6 +437,7 @@ optional_policy(`
 optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
 ')
 optional_policy(`
@ -593,6 +601,7 @@ corenet_receive_hplip_server_packets(hplip_t)
 dev_read_sysfs(hplip_t)
 dev_rw_printer(hplip_t)
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
 fs_getattr_all_fs(hplip_t)
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@ -101,10 +101,27 @@ interface(`hal_dbus_chat',`
 	allow hald_t $1:dbus send_msg;
 ')
 ########################################
 ## <summary>
 ##	Read hald tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`hal_read_tmp_files',`
 	gen_require(`
 		type hald_tmp_t;
 	')
 	allow $1 hald_tmp_t:file r_file_perms;
 ')
 ########################################
 ## <summary>
-##	Read hald state files.
+##	Read hald PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -124,7 +141,7 @@ interface(`hal_read_pid_files',`
 ########################################
 ## <summary>
-##	Read/Write hald state files.
+##	Read/Write hald PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@ -1,5 +1,5 @@
-policy_module(hal,1.3.9)
+policy_module(hal,1.3.10)
 ########################################
 #
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@ -194,9 +194,3 @@ optional_policy(`
 		cron_read_system_job_tmp_files(mta_user_agent)
 	')
 ')
 ifdef(`TODO',`
 # for the start script to run make -C /etc/mail
 allow initrc_t etc_mail_t:dir rw_dir_perms;
 allow initrc_t etc_mail_t:file create_file_perms;
 ')
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.4)
+policy_module(networkmanager,1.3.5)
 ########################################
 #
@ -92,6 +92,7 @@ libs_use_shared_libs(NetworkManager_t)
 logging_send_syslog_msg(NetworkManager_t)
 miscfiles_read_localization(NetworkManager_t)
 miscfiles_read_certs(NetworkManager_t)
 modutils_domtrans_insmod(NetworkManager_t)
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@ -1,5 +1,5 @@
-policy_module(ntp,1.1.2)
+policy_module(ntp,1.1.3)
 ########################################
 #
@ -62,6 +62,7 @@ files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
 corenet_non_ipsec_sendrecv(ntpd_t)
 corenet_tcp_sendrecv_all_if(ntpd_t)
--- a/refpolicy/policy/modules/services/openvpn.te
+++ b/refpolicy/policy/modules/services/openvpn.te
@ -1,5 +1,5 @@
-policy_module(openvpn,1.0.1)
+policy_module(openvpn,1.0.2)
 ########################################
 #
@ -44,6 +44,7 @@ logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
 allow openvpn_t openvpn_var_run_t:file create_file_perms;
 files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
 kernel_read_kernel_sysctls(openvpn_t)
 kernel_read_net_sysctls(openvpn_t)
 kernel_read_network_state(openvpn_t)
 kernel_read_system_state(openvpn_t)
@ -81,6 +82,10 @@ miscfiles_read_localization(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
 ifdef(`targeted_policy',`
 	term_dontaudit_use_generic_ptys(openvpn_t)
 ')
 optional_policy(`
 	daemontools_service_domain(openvpn_t,openvpn_exec_t)
 ')
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@ -403,6 +403,29 @@ interface(`postfix_exec_master',`
 	can_exec($1,postfix_master_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Execute the master postfix program in the
 ##	postfix_master domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`postfix_domtrans_smtp',`
 	gen_require(`
 		type postfix_smtp_t, postfix_smtp_exec_t;
 	')
 	domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
 	allow postfix_smtp_t $1:fd use;
 	allow postfix_smtp_t $1:fifo_file rw_file_perms;
 	allow postfix_smtp_t $1:process sigchld;
 ')
 ########################################
 ## <summary>
 ##	Search postfix mail spool directories.
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@ -1,5 +1,5 @@
-policy_module(postfix,1.2.7)
+policy_module(postfix,1.2.8)
 ########################################
 #
@ -456,10 +456,7 @@ ifdef(`targeted_policy', `
 ')
 optional_policy(`
-	cron_use_fds(postfix_postdrop_t)
+	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 	cron_rw_pipes(postfix_postdrop_t)
 	cron_use_system_job_fds(postfix_postdrop_t)
 	cron_rw_system_job_pipes(postfix_postdrop_t)
 ')
 optional_policy(`
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@ -1,5 +1,5 @@
-policy_module(ppp,1.2.3)
+policy_module(ppp,1.2.4)
 ########################################
 #
@ -59,8 +59,8 @@ files_pid_file(pptp_var_run_t)
 allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
 dontaudit pppd_t self:capability sys_tty_config;
 allow pppd_t self:process signal;
 allow pppd_t self:fifo_file rw_file_perms;
 allow pppd_t self:file { read getattr };
 allow pppd_t self:socket create_socket_perms;
 allow pppd_t self:unix_dgram_socket create_socket_perms;
 allow pppd_t self:unix_stream_socket create_socket_perms;
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@ -1,5 +1,5 @@
-policy_module(procmail,1.2.3)
+policy_module(procmail,1.2.4)
 ########################################
 #
@ -78,6 +78,7 @@ ifdef(`targeted_policy', `
 optional_policy(`
 	clamav_domtrans_clamscan(procmail_t)
 	clamav_search_lib(procmail_t)
 ')
 optional_policy(`
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -1290,6 +1290,8 @@ interface(`auth_use_nsswitch',`
 	allow $1 var_auth_t:file create_file_perms;
 	files_list_var_lib($1)
 	miscfiles_read_certs($1)
 	sysnet_dns_name_resolve($1)
 	sysnet_use_ldap($1)
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.5)
+policy_module(authlogin,1.3.6)
 ########################################
 #
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@ -121,7 +121,7 @@ ifdef(`distro_gentoo',`
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/drivers/fglx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ifdef(`distro_redhat',`
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@ -1,5 +1,5 @@
-policy_module(libraries,1.3.8)
+policy_module(libraries,1.3.9)
 ########################################
 #
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@ -1,5 +1,5 @@
-policy_module(mount,1.3.6)
+policy_module(mount,1.3.7)
 ########################################
 #
@ -111,6 +111,7 @@ ifdef(`targeted_policy',`
 	tunable_policy(`allow_mount_anyfile',`
 		auth_read_all_dirs_except_shadow(mount_t)
 		auth_read_all_files_except_shadow(mount_t)
 		files_mounton_non_security(mount_t)
 	')
 ')
--- a/refpolicy/policy/modules/system/unconfined.fc
+++ b/refpolicy/policy/modules/system/unconfined.fc
@ -7,4 +7,6 @@
 ifdef(`targeted_policy',`
 /usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/local/RealPlay/realplay.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/mplayer	 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 ')
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.10)
+policy_module(unconfined,1.3.11)
 ########################################
 #
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@ -1,5 +1,5 @@
-policy_module(xen,1.0.6)
+policy_module(xen,1.0.7)
 ########################################
 #
@ -68,7 +68,7 @@ init_daemon_domain(xm_t, xm_exec_t)
 # xend local policy
 #
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
 allow xend_t self:process { signal sigkill };
 # internal communication is often done using fifo and unix sockets.
 allow xend_t self:fifo_file rw_file_perms;
@ -168,6 +168,8 @@ sysnet_read_dhcpc_pid(xend_t)
 xen_stream_connect_xenstore(xend_t)
 netutils_domtrans(xend_t)
 optional_policy(`
 	consoletype_domtrans(xend_t)
 ')
@ -255,7 +257,8 @@ xen_append_log(xenstored_t)
 # xm local policy
 #
-allow xm_t self:capability { dac_override ipc_lock };
+allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
 # internal communication is often done using fifo and unix sockets.
 allow xm_t self:fifo_file { read write };
 allow xm_t self:unix_stream_socket create_stream_socket_perms;
@ -265,6 +268,9 @@ allow xm_t xend_var_lib_t:fifo_file create_file_perms;
 allow xm_t xend_var_lib_t:file create_file_perms;
 files_search_var_lib(xm_t)
 allow xm_t xen_image_t:dir rw_dir_perms;
 allow xm_t xen_image_t:file r_file_perms;
 kernel_read_system_state(xm_t)
 kernel_read_kernel_sysctls(xm_t)
 kernel_read_xen_state(xm_t)
@ -284,6 +290,7 @@ files_read_etc_files(xm_t)
 term_use_all_terms(xm_t)
 init_rw_script_stream_sockets(xm_t)
 init_use_fds(xm_t)
 libs_use_ld_so(xm_t)
 libs_use_shared_libs(xm_t)