diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 3d8048c0..5ef15eb3 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -99,8 +99,3 @@ optional_policy(`udev',`
udev_read_db(acct_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(acct_t)
-')
-')
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 1d83fe3d..a46294b5 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -70,9 +70,4 @@ ifdef(`targeted_policy',`
udev_read_db(dmesg_t)
')
- ifdef(`TODO',`
- optional_policy(`rhgb',`
- rhgb_domain(dmesg_t)
- ')
- ') dnl endif TODO
')
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index a7a6a82d..0091b4aa 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -152,9 +152,6 @@ optional_policy(`udev',`
ifdef(`TODO',`
allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`rhgb',`
- rhgb_domain(kudzu_t)
-')
optional_policy(`lpd',`
allow kudzu_t printconf_t:file { getattr read };
')
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index efced031..296d8c20 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -82,7 +82,4 @@ file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t
allow quota_t file_t:file quotaon;
allow quota_t proc_t:file getattr;
-optional_policy(`rhgb',`
- rhgb_domain(quota_t)
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 17331c12..bf83e257 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -98,7 +98,7 @@ optional_policy(`dbus',`
dbus_send_system_bus_msg(updfstab_t)
')
-optional_policy(`hald',`
+optional_policy(`hal',`
hal_stream_connect(updfstab_t)
')
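Review bot: The module name in `optional_policy(`hal',` now matches the `hal_stream_connect` call it wraps, but the same misnamed `optional_policy(`hald',` still appears as a context line in this commit's hal.te hunk, inside that file's ifdef(`TODO') block. It is inert while TODO is undefined, so it only needs fixing when that block is converted, but it is worth a follow-up so the two files do not disagree about the module name.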
@@ -121,9 +121,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(updfstab_t)
-')
allow updfstab_t tmpfs_t:dir getattr;
')
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 14fb0c13..77d92bc5 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -180,6 +180,32 @@ interface(`usermanage_domtrans_admin_passwd',`
allow sysadm_passwd_t $1:process sigchld;
')
+########################################
+##
+## Execute passwd admin functions in the admin
+## passwd domain, and allow the specified role
+## the admin passwd domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the admin passwd domain.
+##
+##
+## The type of the terminal allow the admin passwd domain to use.
+##
+#
+interface(`usermanage_run_admin_passwd',`
+ gen_require(`
+ type sysadm_passwd_t;
+ ')
+
+ usermanage_domtrans_admin_passwd($1)
+ role $2 types sysadm_passwd_t;
+ allow sysadm_passwd_t $3:chr_file rw_term_perms;
+')
+
########################################
##
## Execute useradd in the useradd domain.
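Review bot: The third parameter description `The type of the terminal allow the admin passwd domain to use.` is ungrammatical; suggest `The type of the terminal the admin passwd domain is allowed to use.`. As shown here the header block carries no summary or per-parameter markup for refpolicy's interface documentation generator, so the three descriptions cannot be attributed to $1, $2 and $3; if that is the real file content rather than an extraction artefact, the markup should be added to match the other interfaces in this file. The body itself is consistent with `usermanage_domtrans_admin_passwd` above it: it adds the role assignment for sysadm_passwd_t and rw_term_perms on the caller's terminal type.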
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 84f7a86b..87514ddc 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.0)
+policy_module(usermanage,1.0.1)
########################################
#
@@ -136,10 +136,6 @@ optional_policy(`nis',`
nis_use_ypbind(chfn_t)
')
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
-') dnl endif TODO
-
########################################
#
# Crack local policy
@@ -224,6 +220,7 @@ init_dontaudit_write_script_pid(groupadd_t)
domain_use_wide_inherit_fd(groupadd_t)
files_manage_etc_files(groupadd_t)
+files_relabel_etc_files(groupadd_t)
libs_use_ld_so(groupadd_t)
libs_use_shared_libs(groupadd_t)
@@ -237,6 +234,7 @@ logging_send_syslog_msg(groupadd_t)
miscfiles_read_localization(groupadd_t)
auth_manage_shadow(groupadd_t)
+auth_relabel_shadow(groupadd_t)
auth_rw_lastlog(groupadd_t)
auth_use_nsswitch(groupadd_t)
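Review bot: With `files_relabel_etc_files(groupadd_t)` from the previous hunk and `auth_relabel_shadow(groupadd_t)` here, groupadd_t holds relabelfrom and relabelto on both etc_t and shadow_t files (assuming those interfaces grant both permissions, as their names suggest), so it can relabel a shadow_t file to etc_t as well as the reverse; this is the rule the removed TODO block spelled out as `allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };`, the difference being that it is now active. Writing the shadow file through a temporary in /etc plausibly needs relabelto shadow_t, but the shadow_t-to-etc_t direction widens what a compromised tool could do to the label on /etc/shadow, so a short comment recording why both directions are required, e.g. `# shadow is rewritten via a temp file in /etc, so the new file is relabeled etc_t -> shadow_t`, would let a later audit narrow it safely. The same interface pair is added for passwd_t, sysadm_passwd_t and useradd_t in the later hunks of this file.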
@@ -259,14 +257,6 @@ optional_policy(`rpm',`
rpm_rw_pipe(groupadd_t)
')
-ifdef(`TODO',`
-# Update /etc/shadow and /etc/passwd
-allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# Access terminals.
-ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
-') dnl end TODO
-
########################################
#
# Passwd local policy
@@ -310,6 +300,7 @@ term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
auth_manage_shadow(passwd_t)
+auth_relabel_shadow(passwd_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
@@ -320,6 +311,7 @@ files_read_etc_runtime_files(passwd_t)
files_manage_etc_files(passwd_t)
files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
+files_relabel_etc_files(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
@@ -335,6 +327,9 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
userdom_use_unpriv_users_fd(passwd_t)
+# make sure that getcon succeeds
+userdom_getattr_all_userdomains(passwd_t)
+userdom_read_all_userdomains_state(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_all_users_home(passwd_t)
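Review bot: The comment `# make sure that getcon succeeds` is carried over from the removed TODO block but does not justify the breadth of `userdom_read_all_userdomains_state(passwd_t)`: as far as I can tell getcon() reads the calling process's own /proc/self/attr entry, which is labelled with the caller's domain, so a read of every user domain's process state looks wider than the stated purpose. If a specific operation in passwd needs to inspect the invoking user's process, name it in the comment; otherwise consider whether `userdom_getattr_all_userdomains(passwd_t)` alone covers the observed denials.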
@@ -343,19 +338,6 @@ optional_policy(`nis',`
nis_use_ypbind(passwd_t)
')
-ifdef(`TODO',`
-# Update /etc/shadow and /etc/passwd
-allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# Inherit and use descriptors from login.
-ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
-
-# make sure that getcon succeeds
-allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file read;
-allow passwd_t userdomain:process getattr;
-') dnl endif TODO
-
########################################
#
# Password admin local policy
@@ -403,7 +385,10 @@ term_use_all_user_ttys(sysadm_passwd_t)
term_use_all_user_ptys(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
+auth_relabel_shadow(sysadm_passwd_t)
+# allow checking if a shell is executable
+corecmd_check_exec_shell(sysadm_passwd_t)
# allow vipw to exec the editor
corecmd_search_sbin(sysadm_passwd_t)
corecmd_exec_bin(sysadm_passwd_t)
@@ -413,6 +398,7 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_wide_inherit_fd(sysadm_passwd_t)
files_manage_etc_files(sysadm_passwd_t)
+files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
files_dontaudit_search_pids(sysadm_passwd_t)
@@ -439,24 +425,6 @@ optional_policy(`nis',`
nis_use_ypbind(sysadm_passwd_t)
')
-ifdef(`TODO',`
-role sysadm_r types sysadm_passwd_t;
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-
-# Inherit and use descriptors from login.
-ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
-
-# allow checking if a shell is executable
-allow sysadm_passwd_t shell_exec_t:file execute;
-
-# Update /etc/shadow and /etc/passwd
-allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-ifdef(`targeted_policy', `
-role system_r types sysadm_passwd_t;
-')
-') dnl endif TODO
-
########################################
#
# Useradd local policy
@@ -494,6 +462,7 @@ term_use_all_user_ttys(useradd_t)
term_use_all_user_ptys(useradd_t)
auth_manage_shadow(useradd_t)
+auth_relabel_shadow(useradd_t)
auth_rw_lastlog(useradd_t)
auth_use_nsswitch(useradd_t)
@@ -506,6 +475,7 @@ domain_use_wide_inherit_fd(useradd_t)
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
+files_relabel_etc_files(useradd_t)
init_use_fd(useradd_t)
init_rw_script_pid(useradd_t)
@@ -542,14 +512,3 @@ optional_policy(`rpm',`
rpm_use_fd(useradd_t)
rpm_rw_pipe(useradd_t)
')
-
-ifdef(`TODO',`
-# Update /etc/shadow and /etc/passwd
-allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# Access terminals.
-ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;')
-
-# /var/mail is a link to /var/spool/mail
-allow useradd_t mail_spool_t:lnk_file read;
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 7edc7a3c..d5584967 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -418,10 +418,6 @@ optional_policy(`udev', `
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(httpd_t)
-')
-
can_tcp_connect(web_client_domain, httpd_t)
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index cb041f4f..59e8d3f3 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -230,7 +230,4 @@ optional_policy(`cron',`
r_dir_file(apmd_t, hwdata_t)
-optional_policy(`rhgb',`
- rhgb_domain(apmd_t)
-')
')
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te
index 49a3b385..74e4d5c7 100644
--- a/refpolicy/policy/modules/services/arpwatch.te
+++ b/refpolicy/policy/modules/services/arpwatch.te
@@ -114,9 +114,3 @@ optional_policy(`udev',`
udev_read_db(arpwatch_t)
')
-ifdef(`TODO',`
-# TODO from daemon_domain
-optional_policy(`rhgb',`
- rhgb_domain(arpwatch_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index ca5e5346..c26bedee 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -108,8 +108,3 @@ optional_policy(`udev',`
udev_read_db(avahi_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(avahi_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index e41fed14..f5e2d154 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -181,9 +181,6 @@ ifdef(`TODO',`
can_udp_send(domain, named_t)
can_udp_send(named_t, domain)
can_tcp_connect(domain, named_t)
-optional_policy(`rhgb',`
- rhgb_domain(named_t)
-')
')
########################################
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 3bed3e61..b17758d2 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -158,12 +158,6 @@ optional_policy(`udev',`
udev_read_db(bluetooth_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(bluetooth_t)
-')
-') dnl end TOOD
-
########################################
#
# Bluetooth helper local policy
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index 105671cf..afbab294 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -107,10 +107,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(canna_t)
-')
-
optional_policy(`canna',`
canna_stream_connect(i18n_input_t)
')
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index 2a067e0c..02aa8963 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -73,12 +73,6 @@ optional_policy(`udev',`
udev_read_db(cpucontrol_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(cpucontrol_t)
-')
-') dnl end TODO
-
########################################
#
# CPU frequency scaling daemons
@@ -132,9 +126,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(cpuspeed_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(cpuspeed_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 250af7c0..7f106b97 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -200,10 +200,6 @@ ifdef(`TODO',`
# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...
-optional_policy(`rhgb',`
-rhgb_domain(crond_t)
-')
-
# crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index b84ecd60..b1a3cf3f 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -226,9 +226,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(cupsd_t)
-')
allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
allow cupsd_t kernel_t:tcp_socket recvfrom;
@@ -377,13 +374,6 @@ optional_policy(`udev',`
udev_read_db(ptal_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(ptal_t)
-')
-') dnl end TODO
-
-
allow userdomain ptal_t:unix_stream_socket connectto;
allow userdomain ptal_var_run_t:sock_file write;
allow userdomain ptal_var_run_t:dir search;
@@ -491,12 +481,6 @@ optional_policy(`udev',`
udev_read_db(hplip_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(hplip_t)
-')
-') dnl end TODO
-
allow hplip_t devpts_t:dir search;
allow hplip_t devpts_t:chr_file { getattr ioctl };
@@ -627,12 +611,6 @@ optional_policy(`udev',`
udev_read_db(cupsd_config_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(cupsd_config_t)
-')
-') dnl end TODO
-
allow cupsd_config_t devpts_t:dir search;
allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 0a40f256..fa3c8975 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -140,9 +140,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(cyrus_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(cyrus_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 71bbbd88..e54be526 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -139,9 +139,3 @@ optional_policy(`sysnetwork',`
optional_policy(`udev',`
udev_read_db(system_dbusd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(system_dbusd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index c13ddbf0..0ad9809c 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -138,9 +138,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(dhcpd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(dhcpd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index 60b402b5..c13cf87e 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -101,9 +101,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(dictd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(dictd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index 5728da1b..c84cd3ad 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -107,9 +107,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(distccd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(distccd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 2315bcac..6955ca3c 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -185,9 +185,3 @@ optional_policy(`nis',`
optional_policy(`nscd',`
nscd_use_socket(dovecot_auth_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(dovecot_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index a82e455b..6af68c3f 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -131,12 +131,6 @@ optional_policy(`udev',`
udev_read_db(fingerd_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(fingerd_t)
-')
-')
-
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
dontaudit fingerd_t user_home_t:dir search;
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 8b44ff06..1490fb1b 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -220,9 +220,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev', `
udev_read_db(ftpd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(ftpd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 296f97f2..4ff3699f 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -95,7 +95,4 @@ ifdef(`TODO',`
# Access the mouse.
# cjp: why write?
allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
-optional_policy(`rhgb',`
- rhgb_domain(gpm_t)
-')
')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 1a4d53ed..4234aced 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -183,10 +183,6 @@ optional_policy(`updfstab',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(hald_t)
-')
-
allow hald_t device_t:dir create_dir_perms;
optional_policy(`hald',`
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index 1a858eaf..5673c90c 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -92,9 +92,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(howl_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(howl_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 00e089ec..37de5439 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -155,12 +155,6 @@ ifdef(`targeted_policy',`
')
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(inetd_t)
-')
-') dnl TODO
-
########################################
#
# inetd child local_policy
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index ba6218ee..cc15668d 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -144,10 +144,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(innd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(innd_t)
-')
-allow innd_t sysadm_t:unix_dgram_socket sendto;
-')
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 33e41a76..852efe57 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -148,12 +148,6 @@ optional_policy(`udev',`
udev_read_db(kadmind_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(kadmind_t)
-')
-') dnl end TODO
-
########################################
#
# Krb5kdc local policy
@@ -254,10 +248,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(krb5kdc_t)
-')
-
# Allow user programs to talk to KDC
allow krb5kdc_t userdomain:udp_socket recvfrom;
allow userdomain krb5kdc_t:udp_socket recvfrom;
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 0f535fff..973a7d3e 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -148,9 +148,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(slapd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(slapd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index 9c1943b2..976f7541 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -233,10 +233,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(lpd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(lpd_t)
-')
-') dnl end TODO
-
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 39a289ab..6a23c8dd 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -141,9 +141,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(mysqld_t)
-')
optional_policy(`daemontools',`
domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
mysqld_signal(svc_start_t)
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index b225a400..d70bbea6 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -143,12 +143,6 @@ optional_policy(`vpn',`
vpn_domtrans(NetworkManager_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(NetworkManager_t)
-')
-') dnl end TODO
-
###########################################################
#
# Partially converted rules. THESE ARE ONLY TEMPORARY
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 9228e0f7..282ab382 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -130,12 +130,6 @@ optional_policy(`udev',`
udev_read_db(ypbind_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(ypbind_t)
-')
-') dnl end TODO
-
########################################
#
# ypserv local policy
@@ -228,10 +222,6 @@ optional_policy(`udev', `
')
ifdef(`TODO',`
-optional_policy(`rhgb', `
-rhgb_domain(ypserv_t)
-')
-
# Read and write /var/yp.
ifdef(`rpcd.te', `
allow rpcd_t ypserv_conf_t:file { getattr read };
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 437c54c3..ff3eedfa 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -133,9 +133,3 @@ optional_policy(`samba',`
optional_policy(`udev',`
udev_read_db(nscd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(nscd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 71dfd7fe..2752ca55 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -161,9 +161,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(ntpd_t)
-')
allow ntpd_t sysadm_t:udp_socket sendto;
allow sysadm_t ntpd_t:udp_socket recvfrom;
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index bd8a790d..d55ed993 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
-policy_module(pegasus,1.0.1)
+policy_module(pegasus,1.0.2)
########################################
#
@@ -13,6 +13,9 @@ init_daemon_domain(pegasus_t,pegasus_exec_t)
type pegasus_data_t;
files_type(pegasus_data_t)
+type pegasus_tmp_t;
+files_tmp_file(pegasus_tmp_t)
+
type pegasus_conf_t;
files_type(pegasus_conf_t)
@@ -29,30 +32,37 @@ files_pid_file(pegasus_var_run_t)
allow pegasus_t self:capability { dac_override net_bind_service audit_write };
dontaudit pegasus_t self:capability sys_tty_config;
+allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_file_perms;
allow pegasus_t self:unix_dgram_socket create_socket_perms;
allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow pegasus_t self:tcp_socket create_stream_socket_perms;
-allow pegasus_t pegasus_conf_t:dir r_dir_perms;
+allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
allow pegasus_t pegasus_data_t:dir rw_dir_perms;
allow pegasus_t pegasus_data_t:file create_file_perms;
allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms;
+type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;
allow pegasus_t pegasus_mof_t:dir r_dir_perms;
allow pegasus_t pegasus_mof_t:file r_file_perms;
allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
+allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
+allow pegasus_t pegasus_tmp_t:file create_file_perms;
+files_create_tmp_files(pegasus_t, pegasus_tmp_t, { file dir })
+
allow pegasus_t pegasus_var_run_t:file create_file_perms;
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
files_create_pid(pegasus_t,pegasus_var_run_t)
kernel_read_kernel_sysctl(pegasus_t)
+kernel_read_fs_sysctl(pegasus_t)
kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
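Review bot: The new `type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;` combined with `rw_dir_perms` on pegasus_conf_t:dir and the pre-existing `link unlink` on pegasus_conf_t:file lets pegasus_t unlink a configuration file and create a same-named replacement that it fully controls as pegasus_data_t, so the read-only split between pegasus_conf_t and pegasus_data_t no longer protects configuration integrity against a compromised daemon. If regenerating a repository under the config directory is the intended use, a comment above the type_transition saying so, e.g. `# pegasus rewrites its repository under the config directory; new files are data, not config`, would stop the next reviewer from tightening it; if not, either the `file` class should be dropped from the transition or the unlink permission reconsidered. The final hunk of this file also removes `type pegasus_conf_exec_t`; any pegasus.fc entry still labelling with that type would break the module build, which cannot be checked from this diff.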
@@ -76,7 +86,7 @@ fs_search_auto_mountpoints(pegasus_t)
term_dontaudit_use_console(pegasus_t)
auth_use_nsswitch(pegasus_t)
-auth_read_shadow(pegasus_t)
+auth_domtrans_chk_passwd(pegasus_t)
domain_use_wide_inherit_fd(pegasus_t)
domain_read_all_domains_state(pegasus_t)
@@ -122,16 +132,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(pegasus_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(pegasus_t)
-')
-') dnl end TODO
-
-# bad rules
-type pegasus_conf_exec_t, entry_type;
-files_type(pegasus_conf_exec_t)
-allow pegasus_conf_exec_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_conf_exec_t pegasus_conf_t:file create_file_perms;
-allow pegasus_conf_exec_t pegasus_conf_t:lnk_file create_lnk_perms;
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index a10db69e..b3c0188f 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -133,10 +133,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(portmap_t)
-')
-
ifdef(`rpcd.te',`can_udp_send(portmap_t, rpcd_t)')
allow portmap_t rpcd_t:udp_socket sendto;
allow rpcd_t portmap_t:udp_socket recvfrom;
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index b4e17cb2..fad6075c 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -185,9 +185,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(postgresql_t)
-')
ifdef(`targeted_policy', `', `
bool allow_user_postgresql_connect false;
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 01d68085..3f55df5f 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -316,15 +316,6 @@ optional_policy(`udev',`
udev_read_db(pptp_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(pppd_t)
-')
-optional_policy(`rhgb',`
- rhgb_domain(pptp_t)
-')
-')
-
ifdef(`postfix.te', `
allow pppd_t postfix_etc_t:dir search;
allow pppd_t postfix_etc_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index cad3ab7c..f112cb0f 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -95,9 +95,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(privoxy_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(privoxy_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 0d808ded..cb797906 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -130,9 +130,3 @@ optional_policy(`snmp',`
optional_policy(`udev',`
udev_read_db(radiusd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(radiusd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index 05926427..b5b07b2e 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -94,9 +94,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(radvd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(radvd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 4d92875c..705944db 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -113,12 +113,6 @@ template(`rpc_domain_template', `
optional_policy(`udev',`
udev_read_db($1_t)
')
-
- ifdef(`TODO',`
- optional_policy(`rhgb',`
- rhgb_domain($1_t)
- ')
- ')
')
########################################
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 193a788a..f4536be7 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -308,12 +308,6 @@ optional_policy(`udev', `
udev_read_db(smbd_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(smbd_t)
-')
-') dnl end TODO
-
ifdef(`hide_broken_symptoms', `
gen_require(`
type boot_t, default_t, tmpfs_t;
@@ -428,12 +422,6 @@ optional_policy(`udev',`
udev_read_db(nmbd_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(nmbd_t)
-')
-')
-
########################################
#
# smbmount Local policy
@@ -640,12 +628,6 @@ optional_policy(`udev',`
udev_read_db(winbind_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(winbind_t)
-')
-') dnl end TODO
-
########################################
#
# Winbind helper local policy
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index ed6dac64..514a0a2f 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -99,10 +99,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(saslauthd_t)
')
-
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(saslauthd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 1b19f5b3..593d14fd 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -136,10 +136,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(sendmail_t)
-')
-
allow sendmail_t etc_mail_t:dir rw_dir_perms;
allow sendmail_t etc_mail_t:file create_file_perms;
# for the start script to run make -C /etc/mail
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 3635a35c..6b194b32 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -149,10 +149,6 @@ can_udp_send(snmpd_t, sysadm_t)
optional_policy(`cupsd',`
allow snmpd_t cupsd_rw_etc_t:file { getattr read };
')
-
-optional_policy(`rhgb',`
- rhgb_domain(snmpd_t)
-')
') dnl end TODO
ifdef(`distro_redhat', `
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index d246dda2..6ea49194 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -146,10 +146,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(spamd_t)
-')
-
optional_policy(`amavis', `
# for bayes tokens
allow spamd_t var_lib_t:dir { getattr search };
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index f449403b..f4cc464f 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -177,9 +177,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(squid_t)
-')
ifdef(`apache.te',`
can_tcp_connect(squid_t, httpd_t)
')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index c9d3bfab..d7b84d79 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -255,10 +255,4 @@ ifdef(`targeted_policy',`',`
optional_policy(`udev',`
udev_read_db(ssh_keygen_t)
')
-
- ifdef(`TODO',`
- optional_policy(`rhgb',`
- rhgb_domain(ssh_keygen_t)
- ')
- ')
')
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index d6c71682..f274d294 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -113,13 +113,7 @@ ifdef(`distro_gentoo', `
optional_policy(`udev',`
udev_read_db(stunnel_t)
')
-
- ifdef(`TODO',`
- optional_policy(`rhgb',`
- rhgb_domain(stunnel_t)
- ')
- ') dnl end TODO
-', `
+',`
allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
dev_read_urand(stunnel_t)
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 77e87162..af3268fd 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -104,9 +104,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev', `
udev_read_db(tftpd_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(tftpd_t)
-')
-')
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 42a145ab..7a5b4bed 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -131,9 +131,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(zebra_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(zebra_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 4fcad8db..ed33f9f2 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -368,14 +368,18 @@ interface(`auth_manage_shadow',`
')
#######################################
-#
-# auth_relabelto_shadow(domain)
+##
+## Relabel to the shadow
+## password file type.
+##
+##
+## Domain allowed access.
+##
#
interface(`auth_relabelto_shadow',`
gen_require(`
attribute can_relabelto_shadow_passwords;
type shadow_t;
- class file relabelto;
')
files_search_etc($1)
@@ -383,6 +387,26 @@ interface(`auth_relabelto_shadow',`
typeattribute $1 can_relabelto_shadow_passwords;
')
+#######################################
+##
+## Relabel from and to the shadow
+## password file type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`auth_relabel_shadow',`
+ gen_require(`
+ attribute can_relabelto_shadow_passwords;
+ type shadow_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 shadow_t:file { relabelfrom relabelto };
+ typeattribute $1 can_relabelto_shadow_passwords;
+')
+
#######################################
##
## Append to the login failure log.
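Review bot: `auth_relabel_shadow` grants `relabelfrom` on `shadow_t` as well as `relabelto`, so a caller can strip the `shadow_t` label from the password file entirely, yet the only constraint hook attached is the attribute `can_relabelto_shadow_passwords`, whose name suggests it governs only the to-direction. Whether a neverallow for `relabelfrom shadow_t` exists elsewhere is not visible in this hunk; if none does, the from-direction is the less constrained half of this interface. The summary should state that difference so callers are not surprised, e.g. `## Note: relabelfrom lets the caller move /etc/shadow out of shadow_t; grant only to domains trusted to restore labels.` The sibling `auth_relabelto_shadow` just above keeps the narrower grant, so the comment should also say when this wider one is appropriate.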
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 20996690..eea835ae 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -253,10 +253,6 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(pam_console_t)
-')
-
ifdef(`xdm.te', `
allow pam_console_t xdm_var_run_t:file { getattr read };
')
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 9c1a4bc2..f56f1619 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -87,11 +87,3 @@ optional_policy(`udev',`
optional_policy(`userdomain',`
userdom_dontaudit_use_unpriv_user_fd(hwclock_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(hwclock_t)
-')
-
-optional_policy(`gnome-pty-helper', `allow hwclock_t sysadm_gph_t:fd use;')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 9a9a8201..c43fa98c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -894,9 +894,11 @@ interface(`files_mounton_all_mountpoints',`
gen_require(`
attribute mountpoint;
class dir { getattr search mounton };
+ class file { getattr mounton };
')
allow $1 mountpoint:dir { getattr search mounton };
+ allow $1 mountpoint:file { getattr mounton };
')
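Review bot: Adding `mountpoint:file { getattr mounton }` widens `files_mounton_all_mountpoints` from directories to regular files (bind mounts over files), but nothing in the hunk records why that is needed, and the interface summary, which sits outside this hunk, presumably still speaks of directories only. A short why-comment on the new allow line would help, e.g. `# mountpoint also labels regular files that are bind-mounted over`, and the summary should be checked to mention files as well as directories. The `interface(` line itself is outside the hunk.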
########################################
@@ -1333,6 +1335,23 @@ interface(`files_exec_etc_files',`
')
+#######################################
+##
+## Relabel from and to generic files in /etc.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_relabel_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ allow $1 etc_t:file { relabelfrom relabelto };
+')
+
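Review bot: `files_relabel_etc_files` grants `relabelto etc_t` together with `relabelfrom etc_t`, so beyond retyping generic /etc files the caller can also turn any file it holds `relabelfrom` on into `etc_t`, which then becomes readable by every domain that may read generic etc files; the summary should carry that caveat, e.g. `## Callers can also assign etc_t to other files they may relabelfrom; grant only to relabeling tools.` It also uses `list_dir_perms` directly on `etc_t` while the new `auth_relabel_shadow` in authlogin.if reaches /etc via `files_search_etc($1)`; if the extra list permission is intentional (a relabel tool walking /etc), a one-line comment saying so would keep the two interfaces from looking inconsistent.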
########################################
#
# files_create_boot_flag(domain)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index c0d61995..19287631 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -203,12 +203,3 @@ optional_policy(`udev',`
optional_policy(`updfstab',`
updfstab_domtrans(hotplug_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(hotplug_t)
-')
-
-dontaudit hotplug_t { init_t kernel_t }:file read;
-
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 89b7b65d..cc6d402b 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -141,12 +141,6 @@ optional_policy(`udev',`
udev_read_db(ipsec_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(ipsec_t)
-')
-')
-
########################################
#
# ipsec_mgmt Local policy
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 85e6ef59..c1ea3db3 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -102,13 +102,3 @@ optional_policy(`selinuxutil',`
optional_policy(`udev',`
udev_read_db(iptables_t)
')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(iptables_t)
-')
-
-optional_policy(`gnome-pty-helper',`
- allow iptables_t sysadm_gph_t:fd use;
-')
-') dnl ifdef TODO
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index e30e46c7..309379c2 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -175,12 +175,6 @@ optional_policy(`udev',`
udev_read_db(auditd_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(auditd_t)
-')
-') dnl endif TODO
-
########################################
#
# klogd local policy
@@ -380,12 +374,7 @@ optional_policy(`udev',`
')
ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(syslogd_t)
-')
-
allow syslogd_t tmpfs_t:dir search;
-dontaudit syslogd_t unlabeled_t:file { getattr read };
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
# log to the xconsole
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 3fe62a3b..6fadbbcb 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -117,12 +117,6 @@ optional_policy(`udev',`
udev_read_db(clvmd_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(clvmd_t)
-')
-') dnl end TODO
-
########################################
#
# LVM Local policy
@@ -270,11 +264,5 @@ ifdef(`TODO',`
allow lvm_t var_t:dir { search getattr };
allow lvm_t ramfs_t:filesystem unmount;
-optional_policy(`gnome-pty-helper',`
- allow lvm_t sysadm_gph_t:fd use;
-')
-optional_policy(`rhgb',`
-rhgb_domain(lvm_t)
-')
dontaudit lvm_t xconsole_device_t:fifo_file getattr;
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 391eaab0..82ae9be6 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -141,13 +141,4 @@ ifdef(`TODO',`
# for when /etc/mtab loses its type
allow mount_t file_t:file unlink;
-
-ifdef(`gnome-pty-helper.te', `
-allow mount_t sysadm_gph_t:fd use;
-')
-
-optional_policy(`rhgb',`
-rhgb_domain(mount_t)
-')
-
') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index a415bd8c..2a63867b 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -147,12 +147,6 @@ optional_policy(`udev',`
udev_read_db(cardmgr_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
- rhgb_domain(cardmgr_t)
-')
-') dnl end TODO
-
# Create device files in /tmp.
# cjp: why is this created all over the place?
allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index 96a96d44..1611c40a 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -88,7 +88,4 @@ ifdef(`TODO',`
dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
allow mdadm_t var_t:dir getattr;
-optional_policy(`rhgb',`
- rhgb_domain(mdadm_t)
-')
') dnl TODO
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 59e2632f..8347a597 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -244,12 +244,6 @@ optional_policy(`userdomain',`
userdom_use_all_user_fd(dhcpc_t)
')
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(dhcpc_t)
-')
-') dnl endif TODO
-
########################################
#
# Ifconfig local policy
@@ -343,10 +337,3 @@ optional_policy(`nis',`
optional_policy(`ppp',`
ppp_use_fd(ifconfig_t)
')
-
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-optional_policy(`rhgb',`
-rhgb_domain(ifconfig_t)
-')
-') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7b553393..b6530703 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2476,6 +2476,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
')
')
+########################################
+##
+## Read the process state of all user domains.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_read_all_userdomains_state',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:dir search_dir_perms;
+ allow $1 userdomain:file r_file_perms;
+ kernel_search_proc($1)
+')
+
+########################################
+##
+## Get the attributes of all user domains.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_getattr_all_userdomains',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process getattr;
+')
+
########################################
##
## Inherit the file descriptors from all user domains
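Review bot: `userdom_read_all_userdomains_state` grants `r_file_perms` on `userdomain:file`, which for the procfs entries labeled with a user's process domain presumably covers files such as environ, cmdline and maps, not only status, so a domain given this interface can read other users' process environments. The summary should say that explicitly rather than "process state", e.g. `## Read the /proc/<pid> state of all user domains; this includes environment and command line, so grant only to trusted monitoring domains.` The companion `userdom_getattr_all_userdomains` is much narrower (`process getattr`) and its summary is fine as written.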
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index d7927f39..c7950a83 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.0.1)
+policy_module(userdomain,1.0.2)
########################################
#
@@ -295,6 +295,7 @@ ifdef(`targeted_policy',`
')
optional_policy(`usermanage',`
+ usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
')