trunk: 9 patches from dan.

policy/modules/services/lpd.fc

@@ -27,5 +27,6 @@
 #
 # /var
 #
+/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
 /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)

policy/modules/services/lpd.if

@@ -301,6 +301,25 @@ interface(`lpd_list_spool',`
 	allow $1 print_spool_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Read the printer spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lpd_read_spool',`
+	gen_require(`
+		type print_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,print_spool_t,print_spool_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete printer spool files.

policy/modules/services/lpd.te

@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.7.1)
+policy_module(lpd,1.7.2)
 
 ########################################
 #

policy/modules/services/ppp.if

@@ -157,6 +157,25 @@ interface(`ppp_exec',`
 	can_exec($1, pppd_exec_t)
 ')
 
+########################################
+## <summary>
+##	Read ppp configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_read_config',`
+	gen_require(`
+		type pppd_etc_t;
+	')
+
+	read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+	files_search_etc($1)
+')
+
 ########################################
 ## <summary>
 ##	Read PPP-writable configuration files.

policy/modules/services/ppp.te

@@ -1,5 +1,5 @@
 
-policy_module(ppp,1.5.1)
+policy_module(ppp,1.5.2)
 
 ########################################
 #

policy/modules/services/procmail.te

@@ -1,5 +1,5 @@
 
-policy_module(procmail,1.7.0)
+policy_module(procmail,1.7.1)
 
 ########################################
 #
@@ -52,6 +52,7 @@ dev_read_urand(procmail_t)
 
 fs_getattr_xattr_fs(procmail_t)
 fs_search_auto_mountpoints(procmail_t)
+fs_rw_anon_inodefs_files(procmail_t)
 
 auth_use_nsswitch(procmail_t)
 
@@ -67,6 +68,8 @@ files_read_usr_files(procmail_t)
 libs_use_ld_so(procmail_t)
 libs_use_shared_libs(procmail_t)
 
+logging_send_syslog_msg(procmail_t)
+
 miscfiles_read_localization(procmail_t)
 
 # only works until we define a different type for maildir
@@ -99,11 +102,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	logging_send_syslog_msg(procmail_t)
+	munin_dontaudit_search_lib(procmail_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(procmail_t)
 ')
 
 optional_policy(`

policy/modules/services/radius.fc

@@ -8,6 +8,8 @@
 /usr/sbin/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
 /usr/sbin/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
 
+/var/lib/radiousd(/.*)?		gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+
 /var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
 /var/log/radacct(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
 /var/log/radius(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)

policy/modules/services/radius.te

@@ -1,5 +1,5 @@
 
-policy_module(radius,1.5.2)
+policy_module(radius,1.5.3)
 
 ########################################
 #
@@ -19,6 +19,9 @@ files_type(radiusd_etc_rw_t)
 type radiusd_log_t;
 logging_log_file(radiusd_log_t)
 
+type radiusd_var_lib_t;
+files_type(radiusd_var_lib_t)
+
 type radiusd_var_run_t;
 files_pid_file(radiusd_var_run_t)
 
@@ -52,6 +55,8 @@ manage_dirs_pattern(radiusd_t,radiusd_log_t,radiusd_log_t)
 manage_files_pattern(radiusd_t,radiusd_log_t,radiusd_log_t)
 logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
 
+manage_files_pattern(radiusd_t,radiusd_var_lib_t,radiusd_var_lib_t)
+
 manage_files_pattern(radiusd_t,radiusd_var_run_t,radiusd_var_run_t)
 files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
 
@@ -73,6 +78,7 @@ corenet_sendrecv_radius_server_packets(radiusd_t)
 corenet_sendrecv_radacct_server_packets(radiusd_t)
 # for RADIUS proxy port
 corenet_udp_bind_generic_port(radiusd_t)
+corenet_dontaudit_udp_bind_all_ports(radiusd_t)
 corenet_sendrecv_generic_server_packets(radiusd_t)
 
 dev_read_sysfs(radiusd_t)

policy/modules/services/rhgb.te

@@ -1,5 +1,5 @@
 
-policy_module(rhgb,1.5.1)
+policy_module(rhgb,1.5.2)
 
 ########################################
 #
@@ -59,6 +59,7 @@ corenet_tcp_connect_all_ports(rhgb_t)
 corenet_sendrecv_all_client_packets(rhgb_t)
 
 dev_read_sysfs(rhgb_t)
+dev_read_urand(rhgb_t)
 
 domain_use_interactive_fds(rhgb_t)
 
@@ -68,6 +69,7 @@ files_read_etc_runtime_files(rhgb_t)
 files_search_tmp(rhgb_t)
 files_read_usr_files(rhgb_t)
 files_mounton_mnt(rhgb_t)
+files_dontaudit_rw_root_dir(rhgb_t)
 files_dontaudit_read_default_files(rhgb_t)
 files_dontaudit_search_pids(rhgb_t)
 # for nscd
@@ -100,6 +102,7 @@ logging_send_syslog_msg(rhgb_t)
 
 miscfiles_read_localization(rhgb_t)
 miscfiles_read_fonts(rhgb_t)
+miscfiles_dontaudit_write_fonts(rhgb_t)
 
 seutil_search_default_contexts(rhgb_t)
 seutil_read_config(rhgb_t)
@@ -118,6 +121,7 @@ xserver_read_xkb_libs(rhgb_t)
 xserver_domtrans_xdm_xserver(rhgb_t)
 xserver_signal_xdm_xserver(rhgb_t)
 xserver_read_xdm_tmp_files(rhgb_t)
+xserver_stream_connect_xdm_xserver(rhgb_t)
 
 optional_policy(`
 	consoletype_exec(rhgb_t)

policy/modules/services/ricci.te

@@ -1,5 +1,5 @@
 
-policy_module(ricci,1.2.2)
+policy_module(ricci,1.2.3)
 
 ########################################
 #
@@ -260,7 +260,7 @@ optional_policy(`
 # ricci_modclusterd local policy
 #
 
-allow ricci_modclusterd_t self:capability sys_nice;
+allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
 allow ricci_modclusterd_t self:process { signal sigkill setsched };
 allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
 allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
@@ -468,9 +468,6 @@ libs_use_shared_libs(ricci_modstorage_t)
 
 logging_send_syslog_msg(ricci_modstorage_t)
 
-lvm_domtrans(ricci_modstorage_t)
-lvm_manage_config(ricci_modstorage_t)
-
 miscfiles_read_localization(ricci_modstorage_t)
 
 modutils_read_module_deps(ricci_modstorage_t)
@@ -482,6 +479,7 @@ optional_policy(`
 
 optional_policy(`
 	lvm_domtrans(ricci_modstorage_t)
+	lvm_manage_config(ricci_modstorage_t)
 ')
 
 optional_policy(`

policy/modules/services/rsync.te

@@ -1,11 +1,18 @@
 
-policy_module(rsync,1.5.1)
+policy_module(rsync,1.5.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow rsync export files read only
+## </p>
+## </desc>
+gen_tunable(rsync_export_all_ro,false)
+
 ## <desc>
 ## <p>
 ## Allow rsync to modify public files
@@ -58,6 +65,8 @@ files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
 manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
 files_pid_filetrans(rsync_t,rsync_var_run_t,file)
 
+auth_use_nsswitch(rsync_t)
+
 kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
@@ -90,8 +99,6 @@ logging_dontaudit_search_logs(rsync_t)
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
 
-sysnet_read_config(rsync_t)
-
 tunable_policy(`allow_rsync_anon_write',`
 	miscfiles_manage_public_files(rsync_t)
 ')
@@ -108,10 +115,8 @@ optional_policy(`
 	inetd_service_domain(rsync_t,rsync_exec_t)
 ')
 
-optional_policy(`
+tunable_policy(`rsync_export_all_ro',`
-	nis_use_ypbind(rsync_t)
+	allow rsync_t self:capability dac_override;
-')
+	fs_read_noxattr_fs_files(rsync_t) 
-
+	auth_read_all_files_except_shadow(rsync_t)
-optional_policy(`
-	nscd_socket_use(rsync_t)
 ')

policy/modules/services/tftp.te

@@ -1,11 +1,19 @@
 
-policy_module(tftp,1.5.2)
+policy_module(tftp,1.5.3)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow tftp to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(tftp_anon_write,false)
+
 type tftpd_t;
 type tftpd_exec_t;
 init_daemon_domain(tftpd_t,tftpd_exec_t)
@@ -16,6 +24,9 @@ files_pid_file(tftpd_var_run_t)
 type tftpdir_t;
 files_type(tftpdir_t)
 
+type tftpdir_rw_t;
+files_type(tftpdir_rw_t)
+
 ########################################
 #
 # Local policy
@@ -33,6 +44,10 @@ allow tftpd_t tftpdir_t:dir { getattr read search };
 allow tftpd_t tftpdir_t:file { read getattr };
 allow tftpd_t tftpdir_t:lnk_file { getattr read };
 
+manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+
 manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
 files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
 
@@ -80,6 +95,10 @@ userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
 userdom_dontaudit_use_sysadm_ttys(tftpd_t)
 userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
 
+tunable_policy(`tftp_anon_write',`
+	miscfiles_manage_public_files(tftpd_t)
+') 
+
 optional_policy(`
 	inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
 ')

policy/modules/system/miscfiles.if

@@ -46,6 +46,26 @@ interface(`miscfiles_read_fonts',`
 	read_lnk_files_pattern($1,fonts_t,fonts_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to write fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_write_fonts',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	dontaudit $1 fonts_t:dir write;
+	dontaudit $1 fonts_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete fonts.
@@ -253,6 +273,8 @@ interface(`miscfiles_delete_man_pages',`
 	files_search_usr($1)
 
 	allow $1 man_t:dir setattr;
+	# RH bug #309351
+	allow $1 man_t:dir list_dir_perms;
 	delete_dirs_pattern($1,man_t,man_t)
 	delete_files_pattern($1,man_t,man_t)
 	delete_lnk_files_pattern($1,man_t,man_t)

policy/modules/system/miscfiles.te

@@ -1,5 +1,5 @@
 
-policy_module(miscfiles,1.4.0)
+policy_module(miscfiles,1.4.1)
 
 ########################################
 #