- Lots of fixes for initrc and other unconfined domains

2009-09-08 14:30:36 +00:00 · 2009-09-08 14:30:36 +00:00 · 123ae9957d
commit 123ae9957d
parent 72bc25da0e
2 changed files with 154 additions and 73 deletions
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -989,7 +989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 locallogin_dontaudit_use_fds(tzdata_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.30/policy/modules/admin/usermanage.if
 --- nsaserefpolicy/policy/modules/admin/usermanage.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.if	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.if	2009-09-08 07:14:39.000000000 -0400
@@ -274,6 +274,11 @@
 	usermanage_domtrans_useradd($1)
 	role $2 types useradd_t;
@ -1004,7 +1004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.30/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.te	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.te	2009-09-08 07:19:05.000000000 -0400
@@ -209,6 +209,7 @@
 files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
@ -1046,7 +1046,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
-@@ -468,15 +468,12 @@
+@@ -465,18 +465,16 @@
+ selinux_compute_relabel_context(useradd_t)
+ selinux_compute_user_contexts(useradd_t)
+ 
+term_use_console(useradd_t)
 term_use_all_user_ttys(useradd_t)
 term_use_all_user_ptys(useradd_t)
 
@ -1065,19 +1069,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 init_use_fds(useradd_t)
 init_rw_utmp(useradd_t)
-@@ -494,10 +491,7 @@
+@@ -494,10 +492,8 @@
 
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
 -userdom_manage_user_home_content_dirs(useradd_t)
 -userdom_manage_user_home_content_files(useradd_t)
-userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 +userdom_manage_home_role(system_r, useradd_t)
 
 mta_manage_spool(useradd_t)
 
-@@ -521,6 +515,12 @@
+@@ -521,6 +517,12 @@
 ')
 
 optional_policy(`
@ -1398,7 +1402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.30/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/apps/gnome.if	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/apps/gnome.if	2009-09-08 07:07:37.000000000 -0400
@@ -89,5 +89,175 @@
 
 	allow $1 gnome_home_t:dir manage_dir_perms;
@ -4395,12 +4399,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.30/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/apps/wine.te	2009-09-02 09:37:57.000000000 -0400
-@@ -9,20 +9,36 @@
+++ serefpolicy-3.6.30/policy/modules/apps/wine.te	2009-09-08 07:24:41.000000000 -0400
+@@ -9,20 +9,46 @@
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
 +role system_r types wine_t;
+
+type wine_tmp_t;
+files_tmp_file(wine_tmp_t)
+ubac_constrained(wine_tmp_t)
 
 ########################################
 #
@ -4414,6 +4422,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	unconfined_domain_noaudit(wine_t)
 +allow wine_t self:fifo_file manage_fifo_file_perms;
 +
+can_exec(wine_t, wine_exec_t)
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir })
+
 +domain_mmap_low_type(wine_t)
 +tunable_policy(`mmap_low_allowed',`
 +	domain_mmap_low(wine_t)
@ -4428,7 +4442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
 +
 +optional_policy(`
-+	unconfined_domain(wine_t)
+	unconfined_domain_noaudit(wine_t)
 +')
 +
 +optional_policy(`
@ -4513,7 +4527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.30/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.if	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.if	2009-09-07 07:16:21.000000000 -0400
@@ -893,6 +893,7 @@
 
 	read_lnk_files_pattern($1, bin_t, bin_t)
@ -4522,6 +4536,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
+@@ -973,6 +974,7 @@
+ 		type bin_t;
+ 	')
+ 
+	manage_dirs_pattern($1, bin_t, exec_type)
+ 	manage_files_pattern($1, bin_t, exec_type)
+ 	manage_lnk_files_pattern($1, bin_t, bin_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in	2009-08-31 13:40:47.000000000 -0400
@ -5246,7 +5268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.30/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/kernel/files.if	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/kernel/files.if	2009-09-07 06:40:00.000000000 -0400
@@ -110,6 +110,11 @@
 ## </param>
 #
@ -5683,7 +5705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.30/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if	2009-09-04 11:37:45.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if	2009-09-08 07:44:43.000000000 -0400
@@ -1537,6 +1537,24 @@
 
 ########################################
@ -6142,7 +6164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.30/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/kernel/terminal.if	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/kernel/terminal.if	2009-09-08 07:17:17.000000000 -0400
@@ -173,7 +173,7 @@
 
 	dev_list_all_dev_nodes($1)
@ -8028,14 +8050,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.30/policy/modules/services/abrt.fc
 --- nsaserefpolicy/policy/modules/services/abrt.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.30/policy/modules/services/abrt.fc	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/abrt.fc	2009-09-07 13:12:20.000000000 -0400
@@ -0,0 +1,13 @@
 +
 +/etc/rc\.d/init\.d/abrt	        --      gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +
 +/etc/abrt(/.*)?                         gen_context(system_u:object_r:abrt_etc_t,s0)
 +
-+/usr/sbin/abrt                  --      gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrtd                  --      gen_context(system_u:object_r:abrt_exec_t,s0)
 +
 +/var/cache/abrt(/.*)?                   gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +
@ -11273,7 +11295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	allow $1 devicekit_t:process { ptrace signal_perms getattr };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.30/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/devicekit.te	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/devicekit.te	2009-09-07 07:18:47.000000000 -0400
@@ -36,12 +36,15 @@
 manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
 manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@ -11295,7 +11317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 
 -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
 +allow devicekit_disk_t self:process signal_perms;
 +
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
@ -11495,8 +11517,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # dovecot deliver local policy
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.30/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/exim.te	2009-08-31 13:40:47.000000000 -0400
-@@ -191,6 +191,10 @@
+++ serefpolicy-3.6.30/policy/modules/services/exim.te	2009-09-07 06:39:57.000000000 -0400
+@@ -111,6 +111,7 @@
+ files_search_var(exim_t)
+ files_read_etc_files(exim_t)
+ files_read_etc_runtime_files(exim_t)
+files_getattr_all_mountpoints(exim_t)
+ 
+ fs_getattr_xattr_fs(exim_t)
+ fs_list_inotifyfs(exim_t)
+@@ -191,6 +192,10 @@
 ')
 
 optional_policy(`
@ -11945,7 +11975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.30/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/hal.te	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/hal.te	2009-09-07 07:18:31.000000000 -0400
@@ -55,6 +55,9 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -12184,6 +12214,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +permissive hddtemp_t;
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.30/policy/modules/services/inetd.te
+--- nsaserefpolicy/policy/modules/services/inetd.te	2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/inetd.te	2009-09-08 06:38:44.000000000 -0400
+@@ -138,6 +138,8 @@
+ files_read_etc_files(inetd_t)
+ files_read_etc_runtime_files(inetd_t)
+ 
+auth_use_nsswitch(inetd_t)
+
+ logging_send_syslog_msg(inetd_t)
+ 
+ miscfiles_read_localization(inetd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.30/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.6.30/policy/modules/services/kerberos.te	2009-08-31 13:40:47.000000000 -0400
@ -18321,7 +18363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.30/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/virt.te	2009-08-31 13:57:44.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/virt.te	2009-09-08 10:19:57.000000000 -0400
@@ -20,6 +20,28 @@
 ## </desc>
 gen_tunable(virt_use_samba, false)
@ -18367,7 +18409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type virt_log_t;
 logging_log_file(virt_log_t)
 
-@@ -48,18 +75,38 @@
+@@ -48,27 +75,58 @@
 type virtd_initrc_exec_t;
 init_script_file(virtd_initrc_exec_t)
 
@ -18408,7 +18450,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 
-@@ -69,6 +116,14 @@
+manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+
+ manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 
 manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@ -18423,7 +18470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -87,6 +142,7 @@
+@@ -87,6 +145,7 @@
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
 kernel_load_module(virtd_t)
@ -18431,7 +18478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
-@@ -97,30 +153,52 @@
+@@ -97,30 +156,52 @@
 corenet_tcp_sendrecv_generic_node(virtd_t)
 corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_generic_node(virtd_t)
@ -18487,7 +18534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_use_ptmx(virtd_t)
 
 auth_use_nsswitch(virtd_t)
-@@ -130,7 +208,14 @@
+@@ -130,7 +211,14 @@
 
 logging_send_syslog_msg(virtd_t)
 
@ -18502,7 +18549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -168,22 +253,35 @@
+@@ -168,22 +256,35 @@
 	dnsmasq_domtrans(virtd_t)
 	dnsmasq_signal(virtd_t)
 	dnsmasq_kill(virtd_t)
@ -18525,16 +18572,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	lvm_domtrans(virtd_t)
 +')
- 
- optional_policy(`
-	qemu_domtrans(virtd_t)
+
+optional_policy(`
 +        policykit_dbus_chat(virtd_t)
 +	policykit_domtrans_auth(virtd_t)
 +	policykit_domtrans_resolve(virtd_t)
 +	policykit_read_lib(virtd_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	qemu_domtrans(virtd_t)
 +	qemu_spec_domtrans(virtd_t, svirt_t)
 	qemu_read_state(virtd_t)
 	qemu_signal(virtd_t)
@ -18543,7 +18590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -196,8 +294,159 @@
+@@ -196,8 +297,159 @@
 
 	xen_stream_connect(virtd_t)
 	xen_stream_connect_xenstore(virtd_t)
@ -21415,7 +21462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.30/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/system/init.te	2009-08-31 13:40:47.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/system/init.te	2009-09-08 07:47:24.000000000 -0400
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart, false)
@ -21587,7 +21634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +fs_unmount_all_fs(initrc_t)
 +fs_remount_all_fs(initrc_t)
 +fs_getattr_all_fs(initrc_t)
-+fs_search_nfsd_fs(initrc_t)
+fs_search_all(initrc_t)
 +fs_getattr_nfsd_files(initrc_t)
 +
 +# initrc_t needs to do a pidof which requires ptrace
@ -21649,9 +21696,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_exec_etc_files(initrc_t)
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
-@@ -325,47 +415,13 @@
+@@ -324,48 +414,16 @@
+ files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
 
 -fs_register_binary_executable_type(initrc_t)
 -# rhgb-console writes to ramfs
@ -21699,7 +21749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(initrc_t)
 logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
-@@ -374,13 +430,14 @@
+@@ -374,19 +432,22 @@
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -21715,7 +21765,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the 
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -422,8 +479,6 @@
+ # started from init should be placed in their own domain.
+ userdom_use_user_terminals(initrc_t)
+ 
+usermanage_domtrans_passwd(initrc_t)
+
+ ifdef(`distro_debian',`
+ 	dev_setattr_generic_dirs(initrc_t)
+ 
+@@ -422,8 +483,6 @@
 	# init scripts touch this
 	clock_dontaudit_write_adjtime(initrc_t)
 
@ -21724,7 +21782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# for integrated run_init to read run_init_type.
 	# happens during boot (/sbin/rc execs init scripts)
 	seutil_read_default_contexts(initrc_t)
-@@ -450,11 +505,9 @@
+@@ -450,11 +509,9 @@
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -21737,7 +21795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# These seem to be from the initrd
 	# during device initialization:
 	dev_create_generic_dirs(initrc_t)
-@@ -464,6 +517,7 @@
+@@ -464,6 +521,7 @@
 	storage_raw_read_fixed_disk(initrc_t)
 	storage_raw_write_fixed_disk(initrc_t)
 
@ -21745,11 +21803,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
 	# wants to read /.fonts directory
-@@ -492,11 +546,13 @@
+@@ -492,11 +550,17 @@
 	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
 +		bind_setattr_zone_dirs(initrc_t)
+	')
+
+	optional_policy(`
+		gnome_manage_gconf_config(initrc_t)
 	')
 
 	optional_policy(`
@ -21759,7 +21821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	optional_policy(`
-@@ -515,6 +571,33 @@
+@@ -515,6 +579,33 @@
 	')
 ')
 
@ -21793,7 +21855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -567,10 +650,19 @@
+@@ -567,10 +658,19 @@
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -21813,7 +21875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -590,6 +682,10 @@
+@@ -590,6 +690,10 @@
 ')
 
 optional_policy(`
@ -21824,7 +21886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	dev_read_usbfs(initrc_t)
 
 	# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +742,20 @@
+@@ -646,20 +750,20 @@
 ')
 
 optional_policy(`
@ -21851,7 +21913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 optional_policy(`
 	ifdef(`distro_redhat',`
-@@ -668,6 +764,7 @@
+@@ -668,6 +772,7 @@
 
 	mysql_stream_connect(initrc_t)
 	mysql_write_log(initrc_t)
@ -21859,7 +21921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -696,7 +793,6 @@
+@@ -696,7 +801,6 @@
 ')
 
 optional_policy(`
@ -21867,7 +21929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -718,8 +814,6 @@
+@@ -718,8 +822,6 @@
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -21876,7 +21938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -732,13 +826,16 @@
+@@ -732,13 +834,16 @@
 	squid_manage_logs(initrc_t)
 ')
 
@ -21893,7 +21955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -747,6 +844,7 @@
+@@ -747,6 +852,7 @@
 
 optional_policy(`
 	udev_rw_db(initrc_t)
@ -21901,7 +21963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -754,6 +852,15 @@
+@@ -754,6 +860,15 @@
 ')
 
 optional_policy(`
@ -21917,7 +21979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_domain(initrc_t)
 
 	ifdef(`distro_redhat',`
-@@ -764,6 +871,13 @@
+@@ -764,6 +879,13 @@
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -21931,7 +21993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -789,3 +903,31 @@
+@@ -789,3 +911,31 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -23636,6 +23698,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.30/policy/modules/system/mount.if
+--- nsaserefpolicy/policy/modules/system/mount.if	2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/system/mount.if	2009-09-08 06:58:15.000000000 -0400
+@@ -84,9 +84,11 @@
+ interface(`mount_signal',`
+ 	gen_require(`
+ 		type mount_t;
+		type unconfined_mount_t;
+ 	')
+ 
+ 	allow $1 mount_t:process signal;
+	allow $1 unconfined_mount_t:process signal;
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.30/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.6.30/policy/modules/system/mount.te	2009-08-31 13:40:47.000000000 -0400
@ -26011,7 +26088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.30/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/system/userdomain.if	2009-09-01 07:40:59.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/system/userdomain.if	2009-09-07 06:34:54.000000000 -0400
@@ -30,8 +30,9 @@
 	')
 
@ -27140,15 +27217,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow MAKEDEV to work
 	dev_create_all_blk_files($1_t)
 	dev_create_all_chr_files($1_t)
-@@ -1124,6 +1247,7 @@
+@@ -1124,6 +1247,8 @@
 	files_exec_usr_src_files($1_t)
 
 	fs_getattr_all_fs($1_t)
+	fs_getattr_all_files($1_t)
 +	fs_list_all($1_t)
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
 
-@@ -1152,20 +1276,6 @@
+@@ -1152,20 +1277,6 @@
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
@ -27169,7 +27247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1211,6 +1321,7 @@
+@@ -1211,6 +1322,7 @@
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
@ -27177,7 +27255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1276,11 +1387,15 @@
+@@ -1276,11 +1388,15 @@
 interface(`userdom_user_home_content',`
 	gen_require(`
 		type user_home_t;
@ -27193,7 +27271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1391,12 +1506,13 @@
+@@ -1391,12 +1507,13 @@
 	')
 
 	allow $1 user_home_dir_t:dir search_dir_perms;
@ -27208,7 +27286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1429,6 +1545,14 @@
+@@ -1429,6 +1546,14 @@
 
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -27223,7 +27301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1444,9 +1568,11 @@
+@@ -1444,9 +1569,11 @@
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -27235,7 +27313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1503,6 +1629,25 @@
+@@ -1503,6 +1630,25 @@
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 
@ -27261,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1577,6 +1722,8 @@
+@@ -1577,6 +1723,8 @@
 	')
 
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -27270,7 +27348,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1670,6 +1817,7 @@
+@@ -1670,6 +1818,7 @@
 		type user_home_dir_t, user_home_t;
 	')
 
@ -27278,7 +27356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 	files_search_home($1)
 ')
-@@ -1797,19 +1945,32 @@
+@@ -1797,19 +1946,32 @@
 #
 interface(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -27318,7 +27396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1844,6 +2005,7 @@
+@@ -1844,6 +2006,7 @@
 interface(`userdom_manage_user_home_content_files',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
@ -27326,7 +27404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2553,7 @@
+@@ -2391,27 +2554,7 @@
 
 ########################################
 ## <summary>
@ -27355,7 +27433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2765,11 +2907,32 @@
+@@ -2765,11 +2908,32 @@
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -27390,7 +27468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -2897,7 +3060,25 @@
+@@ -2897,7 +3061,25 @@
 		type user_tmp_t;
 	')
 
@ -27417,7 +27495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -2934,6 +3115,7 @@
+@@ -2934,6 +3116,7 @@
 	')
 
 	read_files_pattern($1, userdomain, userdomain)
@ -27425,7 +27503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
 
-@@ -3064,3 +3246,559 @@
+@@ -3064,3 +3247,559 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.30
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -443,6 +443,9 @@ exit 0
 %endif

 %changelog
+* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-5
+- Lots of fixes for initrc and other unconfined domains
+
 * Fri Sep 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-4
 - Allow xserver to use  netlink_kobject_uevent_socket