patch from dan to remove rhgb and gph:fd use

refpolicy/policy/modules/admin/acct.te

@@ -99,8 +99,3 @@ optional_policy(`udev',`
 	udev_read_db(acct_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(acct_t)
-')
-')

refpolicy/policy/modules/admin/dmesg.te

@@ -70,9 +70,4 @@ ifdef(`targeted_policy',`
 		udev_read_db(dmesg_t)
 	')
 
-	ifdef(`TODO',`
-	optional_policy(`rhgb',`
-	rhgb_domain(dmesg_t)
-	')
-	') dnl endif TODO
 ')

refpolicy/policy/modules/admin/kudzu.te

@@ -152,9 +152,6 @@ optional_policy(`udev',`
 
 ifdef(`TODO',`
 allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`rhgb',`
-        rhgb_domain(kudzu_t)
-')
 optional_policy(`lpd',`
 	allow kudzu_t printconf_t:file { getattr read };
 ')

refpolicy/policy/modules/admin/quota.te

@@ -82,7 +82,4 @@ file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t
 allow quota_t file_t:file quotaon;
 
 allow quota_t proc_t:file getattr;
-optional_policy(`rhgb',`
-	rhgb_domain(quota_t)
-')
 ') dnl end TODO

refpolicy/policy/modules/admin/updfstab.te

@@ -98,7 +98,7 @@ optional_policy(`dbus',`
 	dbus_send_system_bus_msg(updfstab_t)
 ')
 
-optional_policy(`hald',`
+optional_policy(`hal',`
 	hal_stream_connect(updfstab_t)
 ')
 
@@ -121,9 +121,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(updfstab_t)
-')
 allow updfstab_t tmpfs_t:dir getattr;
 ')
 

refpolicy/policy/modules/admin/usermanage.if

@@ -180,6 +180,32 @@ interface(`usermanage_domtrans_admin_passwd',`
 	allow sysadm_passwd_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Execute passwd admin functions in the admin
+##	passwd domain, and allow the specified role
+##	the admin passwd domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the admin passwd domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the admin passwd domain to use.
+## </param>
+#
+interface(`usermanage_run_admin_passwd',`
+	gen_require(`
+		type sysadm_passwd_t;
+	')
+
+	usermanage_domtrans_admin_passwd($1)
+	role $2 types sysadm_passwd_t;
+	allow sysadm_passwd_t $3:chr_file rw_term_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute useradd in the useradd domain.

refpolicy/policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.0)
+policy_module(usermanage,1.0.1)
 
 ########################################
 #
@@ -136,10 +136,6 @@ optional_policy(`nis',`
 	nis_use_ypbind(chfn_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
-') dnl endif TODO
-
 ########################################
 #
 # Crack local policy
@@ -224,6 +220,7 @@ init_dontaudit_write_script_pid(groupadd_t)
 domain_use_wide_inherit_fd(groupadd_t)
 
 files_manage_etc_files(groupadd_t)
+files_relabel_etc_files(groupadd_t)
 
 libs_use_ld_so(groupadd_t)
 libs_use_shared_libs(groupadd_t)
@@ -237,6 +234,7 @@ logging_send_syslog_msg(groupadd_t)
 miscfiles_read_localization(groupadd_t)
 
 auth_manage_shadow(groupadd_t)
+auth_relabel_shadow(groupadd_t)
 auth_rw_lastlog(groupadd_t)
 auth_use_nsswitch(groupadd_t)
 
@@ -259,14 +257,6 @@ optional_policy(`rpm',`
 	rpm_rw_pipe(groupadd_t)
 ')
 
-ifdef(`TODO',`
-# Update /etc/shadow and /etc/passwd
-allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# Access terminals.
-ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
-') dnl end TODO
-
 ########################################
 #
 # Passwd local policy
@@ -310,6 +300,7 @@ term_use_all_user_ttys(passwd_t)
 term_use_all_user_ptys(passwd_t)
 
 auth_manage_shadow(passwd_t)
+auth_relabel_shadow(passwd_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(passwd_t)
@@ -320,6 +311,7 @@ files_read_etc_runtime_files(passwd_t)
 files_manage_etc_files(passwd_t)
 files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
+files_relabel_etc_files(passwd_t)
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
@@ -335,6 +327,9 @@ miscfiles_read_localization(passwd_t)
 seutil_dontaudit_search_config(passwd_t)
 
 userdom_use_unpriv_users_fd(passwd_t)
+# make sure that getcon succeeds
+userdom_getattr_all_userdomains(passwd_t)
+userdom_read_all_userdomains_state(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_all_users_home(passwd_t)
@@ -343,19 +338,6 @@ optional_policy(`nis',`
 	nis_use_ypbind(passwd_t)
 ')
 
-ifdef(`TODO',`
-# Update /etc/shadow and /etc/passwd
-allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# Inherit and use descriptors from login.
-ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
-
-# make sure that getcon succeeds
-allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file read;
-allow passwd_t userdomain:process getattr;
-') dnl endif TODO
-
 ########################################
 #
 # Password admin local policy
@@ -403,7 +385,10 @@ term_use_all_user_ttys(sysadm_passwd_t)
 term_use_all_user_ptys(sysadm_passwd_t)
 
 auth_manage_shadow(sysadm_passwd_t)
+auth_relabel_shadow(sysadm_passwd_t)
 
+# allow checking if a shell is executable
+corecmd_check_exec_shell(sysadm_passwd_t)
 # allow vipw to exec the editor
 corecmd_search_sbin(sysadm_passwd_t)
 corecmd_exec_bin(sysadm_passwd_t)
@@ -413,6 +398,7 @@ files_read_usr_files(sysadm_passwd_t)
 domain_use_wide_inherit_fd(sysadm_passwd_t)
 
 files_manage_etc_files(sysadm_passwd_t)
+files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
 files_dontaudit_search_pids(sysadm_passwd_t)
@@ -439,24 +425,6 @@ optional_policy(`nis',`
 	nis_use_ypbind(sysadm_passwd_t)
 ')
 
-ifdef(`TODO',`
-role sysadm_r types sysadm_passwd_t;
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-
-# Inherit and use descriptors from login.
-ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
-
-# allow checking if a shell is executable
-allow sysadm_passwd_t shell_exec_t:file execute;
-
-# Update /etc/shadow and /etc/passwd
-allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-ifdef(`targeted_policy', `
-role system_r types sysadm_passwd_t;
-')
-') dnl endif TODO
-
 ########################################
 #
 # Useradd local policy
@@ -494,6 +462,7 @@ term_use_all_user_ttys(useradd_t)
 term_use_all_user_ptys(useradd_t)
 
 auth_manage_shadow(useradd_t)
+auth_relabel_shadow(useradd_t)
 auth_rw_lastlog(useradd_t)
 auth_use_nsswitch(useradd_t)
 
@@ -506,6 +475,7 @@ domain_use_wide_inherit_fd(useradd_t)
 
 files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
+files_relabel_etc_files(useradd_t)
 
 init_use_fd(useradd_t)
 init_rw_script_pid(useradd_t)
@@ -542,14 +512,3 @@ optional_policy(`rpm',`
 	rpm_use_fd(useradd_t)
 	rpm_rw_pipe(useradd_t)
 ')
-
-ifdef(`TODO',`
-# Update /etc/shadow and /etc/passwd
-allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# Access terminals.
-ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;')
-
-# /var/mail is a link to /var/spool/mail
-allow useradd_t mail_spool_t:lnk_file read;
-') dnl end TODO

refpolicy/policy/modules/services/apache.te

@@ -418,10 +418,6 @@ optional_policy(`udev', `
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(httpd_t)
-')
-
 can_tcp_connect(web_client_domain, httpd_t)
 
 ') dnl end TODO

refpolicy/policy/modules/services/apm.te

@@ -230,7 +230,4 @@ optional_policy(`cron',`
 
 r_dir_file(apmd_t, hwdata_t)
 
-optional_policy(`rhgb',`
-	rhgb_domain(apmd_t)
-')
 ')

refpolicy/policy/modules/services/arpwatch.te

@@ -114,9 +114,3 @@ optional_policy(`udev',`
 	udev_read_db(arpwatch_t)
 ')
 
-ifdef(`TODO',`
-# TODO from daemon_domain
-optional_policy(`rhgb',`
-	rhgb_domain(arpwatch_t)
-')
-')

refpolicy/policy/modules/services/avahi.te

@@ -108,8 +108,3 @@ optional_policy(`udev',`
 	udev_read_db(avahi_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(avahi_t)
-')
-') dnl end TODO

refpolicy/policy/modules/services/bind.te

@@ -181,9 +181,6 @@ ifdef(`TODO',`
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
 can_tcp_connect(domain, named_t)
-optional_policy(`rhgb',`
-	rhgb_domain(named_t)
-')
 ')
 
 ########################################

refpolicy/policy/modules/services/bluetooth.te

@@ -158,12 +158,6 @@ optional_policy(`udev',`
 	udev_read_db(bluetooth_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(bluetooth_t)
-')
-') dnl end TOOD
-
 ########################################
 #
 # Bluetooth helper local policy

refpolicy/policy/modules/services/canna.te

@@ -107,10 +107,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(canna_t)
-')
-
 optional_policy(`canna',`
 	canna_stream_connect(i18n_input_t)
 ')

refpolicy/policy/modules/services/cpucontrol.te

@@ -73,12 +73,6 @@ optional_policy(`udev',`
 	udev_read_db(cpucontrol_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cpucontrol_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # CPU frequency scaling daemons
@@ -132,9 +126,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(cpuspeed_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cpuspeed_t)
-')
-') dnl end TODO

refpolicy/policy/modules/services/cron.te

@@ -200,10 +200,6 @@ ifdef(`TODO',`
 # NB The constraints file has some entries for crond_t, this makes it
 # different from all other domains...
 
-optional_policy(`rhgb',`
-rhgb_domain(crond_t)
-')
-
 # crond tries to search /root.  Not sure why.
 allow crond_t sysadm_home_dir_t:dir r_dir_perms;
 

refpolicy/policy/modules/services/cups.te

@@ -226,9 +226,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cupsd_t)
-')
 allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
 allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
 allow cupsd_t kernel_t:tcp_socket recvfrom;
@@ -377,13 +374,6 @@ optional_policy(`udev',`
 	udev_read_db(ptal_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ptal_t)
-')
-') dnl end TODO
-
-
 allow userdomain ptal_t:unix_stream_socket connectto;
 allow userdomain ptal_var_run_t:sock_file write;
 allow userdomain ptal_var_run_t:dir search;
@@ -491,12 +481,6 @@ optional_policy(`udev',`
 	udev_read_db(hplip_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(hplip_t)
-')
-') dnl end TODO
-
 allow hplip_t devpts_t:dir search;
 allow hplip_t devpts_t:chr_file { getattr ioctl };
 
@@ -627,12 +611,6 @@ optional_policy(`udev',`
 	udev_read_db(cupsd_config_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cupsd_config_t)
-')
-') dnl end TODO
-
 allow cupsd_config_t devpts_t:dir search;
 allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
 

refpolicy/policy/modules/services/cyrus.te

@@ -140,9 +140,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(cyrus_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cyrus_t)
-')
-')

refpolicy/policy/modules/services/dbus.te

@@ -139,9 +139,3 @@ optional_policy(`sysnetwork',`
 optional_policy(`udev',`
 	udev_read_db(system_dbusd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(system_dbusd_t)
-')
-')

refpolicy/policy/modules/services/dhcp.te

@@ -138,9 +138,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(dhcpd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(dhcpd_t)
-')
-') dnl end TODO

refpolicy/policy/modules/services/dictd.te

@@ -101,9 +101,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(dictd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(dictd_t)
-')
-') dnl end TODO

refpolicy/policy/modules/services/distcc.te

@@ -107,9 +107,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(distccd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(distccd_t)
-')
-') dnl end TODO

refpolicy/policy/modules/services/dovecot.te

@@ -185,9 +185,3 @@ optional_policy(`nis',`
 optional_policy(`nscd',`
 	nscd_use_socket(dovecot_auth_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(dovecot_t)
-')
-')

refpolicy/policy/modules/services/finger.te

@@ -131,12 +131,6 @@ optional_policy(`udev',`
 	udev_read_db(fingerd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(fingerd_t)
-')
-')
-
 # stop it accessing sub-directories, prevents checking a Maildir for new mail,
 # have to change this when we create a type for Maildir
 dontaudit fingerd_t user_home_t:dir search;

refpolicy/policy/modules/services/ftp.te

@@ -220,9 +220,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev', `
 	udev_read_db(ftpd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ftpd_t)
-')
-')

refpolicy/policy/modules/services/gpm.te

@@ -95,7 +95,4 @@ ifdef(`TODO',`
 # Access the mouse.
 # cjp: why write?
 allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
-optional_policy(`rhgb',`
-	rhgb_domain(gpm_t)
-')
 ')

refpolicy/policy/modules/services/hal.te

@@ -183,10 +183,6 @@ optional_policy(`updfstab',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(hald_t)
-')
-
 allow hald_t device_t:dir create_dir_perms;
 
 optional_policy(`hald',`

refpolicy/policy/modules/services/howl.te

@@ -92,9 +92,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(howl_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(howl_t)
-')
-')

refpolicy/policy/modules/services/inetd.te

@@ -155,12 +155,6 @@ ifdef(`targeted_policy',`
 	')
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(inetd_t)
-')
-') dnl TODO
-
 ########################################
 #
 # inetd child local_policy

refpolicy/policy/modules/services/inn.te

@@ -144,10 +144,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(innd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(innd_t)
-')
-allow innd_t sysadm_t:unix_dgram_socket sendto;
-')

refpolicy/policy/modules/services/kerberos.te

@@ -148,12 +148,6 @@ optional_policy(`udev',`
 	udev_read_db(kadmind_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(kadmind_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # Krb5kdc local policy
@@ -254,10 +248,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(krb5kdc_t)
-')
-
 # Allow user programs to talk to KDC
 allow krb5kdc_t userdomain:udp_socket recvfrom;
 allow userdomain krb5kdc_t:udp_socket recvfrom;

refpolicy/policy/modules/services/ldap.te

@@ -148,9 +148,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(slapd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(slapd_t)
-')
-') dnl end TODO

refpolicy/policy/modules/services/lpd.te

@@ -233,10 +233,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(lpd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(lpd_t)
-')
-') dnl end TODO
-

refpolicy/policy/modules/services/mysql.te

@@ -141,9 +141,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(mysqld_t)
-')
 optional_policy(`daemontools',`
 	domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
 	mysqld_signal(svc_start_t)

refpolicy/policy/modules/services/networkmanager.te

@@ -143,12 +143,6 @@ optional_policy(`vpn',`
 	vpn_domtrans(NetworkManager_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(NetworkManager_t)
-')
-') dnl end TODO
-
 ###########################################################
 #
 # Partially converted rules.  THESE ARE ONLY TEMPORARY

refpolicy/policy/modules/services/nis.te

@@ -130,12 +130,6 @@ optional_policy(`udev',`
 	udev_read_db(ypbind_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ypbind_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # ypserv local policy
@@ -228,10 +222,6 @@ optional_policy(`udev', `
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb', `
-rhgb_domain(ypserv_t)
-')
-
 # Read and write /var/yp.
 ifdef(`rpcd.te', `
 allow rpcd_t ypserv_conf_t:file { getattr read };

refpolicy/policy/modules/services/nscd.te

@@ -133,9 +133,3 @@ optional_policy(`samba',`
 optional_policy(`udev',`
 	udev_read_db(nscd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(nscd_t)
-')
-') dnl end TODO

refpolicy/policy/modules/services/ntp.te

@@ -161,9 +161,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ntpd_t)
-')
 allow ntpd_t sysadm_t:udp_socket sendto;
 allow sysadm_t ntpd_t:udp_socket recvfrom;
 

refpolicy/policy/modules/services/pegasus.te

@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.0.1)
+policy_module(pegasus,1.0.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(pegasus_t,pegasus_exec_t)
 type pegasus_data_t;
 files_type(pegasus_data_t)
 
+type pegasus_tmp_t;
+files_tmp_file(pegasus_tmp_t)
+
 type pegasus_conf_t;
 files_type(pegasus_conf_t)
 
@@ -29,30 +32,37 @@ files_pid_file(pegasus_var_run_t)
 
 allow pegasus_t self:capability { dac_override net_bind_service audit_write }; 
 dontaudit pegasus_t self:capability sys_tty_config;
+allow pegasus_t self:process signal;
 allow pegasus_t self:fifo_file rw_file_perms;
 allow pegasus_t self:unix_dgram_socket create_socket_perms;
 allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
 allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow pegasus_t self:tcp_socket create_stream_socket_perms;
 
-allow pegasus_t pegasus_conf_t:dir r_dir_perms;
+allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
 allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
 allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
 
 allow pegasus_t pegasus_data_t:dir rw_dir_perms;
 allow pegasus_t pegasus_data_t:file create_file_perms;
 allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms;
+type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;
 
 allow pegasus_t pegasus_mof_t:dir r_dir_perms;
 allow pegasus_t pegasus_mof_t:file r_file_perms;
 allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
 
+allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
+allow pegasus_t pegasus_tmp_t:file create_file_perms;
+files_create_tmp_files(pegasus_t, pegasus_tmp_t, { file dir })
+
 allow pegasus_t pegasus_var_run_t:file create_file_perms;
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
 allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
 files_create_pid(pegasus_t,pegasus_var_run_t)
 
 kernel_read_kernel_sysctl(pegasus_t)
+kernel_read_fs_sysctl(pegasus_t)
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
 
@@ -76,7 +86,7 @@ fs_search_auto_mountpoints(pegasus_t)
 term_dontaudit_use_console(pegasus_t)
 
 auth_use_nsswitch(pegasus_t)
-auth_read_shadow(pegasus_t)
+auth_domtrans_chk_passwd(pegasus_t)
 
 domain_use_wide_inherit_fd(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
@@ -122,16 +132,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(pegasus_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(pegasus_t)
-')
-') dnl end TODO
-
-# bad rules
-type pegasus_conf_exec_t, entry_type;
-files_type(pegasus_conf_exec_t)
-allow pegasus_conf_exec_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_conf_exec_t pegasus_conf_t:file create_file_perms;
-allow pegasus_conf_exec_t pegasus_conf_t:lnk_file create_lnk_perms;

refpolicy/policy/modules/services/portmap.te

@@ -133,10 +133,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(portmap_t)
-')
-
 ifdef(`rpcd.te',`can_udp_send(portmap_t, rpcd_t)')
 allow portmap_t rpcd_t:udp_socket sendto;
 allow rpcd_t portmap_t:udp_socket recvfrom;

refpolicy/policy/modules/services/postgresql.te

@@ -185,9 +185,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(postgresql_t)
-')
 ifdef(`targeted_policy', `', `
 bool allow_user_postgresql_connect false;
 

refpolicy/policy/modules/services/ppp.te

@@ -316,15 +316,6 @@ optional_policy(`udev',`
         udev_read_db(pptp_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(pppd_t)
-')
-optional_policy(`rhgb',`
-        rhgb_domain(pptp_t)
-')
-')
-
 ifdef(`postfix.te', `
 	allow pppd_t postfix_etc_t:dir search;
 	allow pppd_t postfix_etc_t:file r_file_perms;

refpolicy/policy/modules/services/privoxy.te

@@ -95,9 +95,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(privoxy_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(privoxy_t)
-')
-')

refpolicy/policy/modules/services/radius.te

@@ -130,9 +130,3 @@ optional_policy(`snmp',`
 optional_policy(`udev',`
 	udev_read_db(radiusd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(radiusd_t)
-')
-') dnl end TODO

refpolicy/policy/modules/services/radvd.te

@@ -94,9 +94,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(radvd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(radvd_t)
-')
-')

refpolicy/policy/modules/services/rpc.if

@@ -113,12 +113,6 @@ template(`rpc_domain_template', `
 	optional_policy(`udev',`
 		udev_read_db($1_t)
 	')
-
-	ifdef(`TODO',`
-		optional_policy(`rhgb',`
-			rhgb_domain($1_t)
-		')
-	')
 ')
 
 ########################################

refpolicy/policy/modules/services/samba.te

@@ -308,12 +308,6 @@ optional_policy(`udev', `
 	udev_read_db(smbd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(smbd_t)
-')
-') dnl end TODO
-
 ifdef(`hide_broken_symptoms', `
 gen_require(`
 	type boot_t, default_t, tmpfs_t;
@@ -428,12 +422,6 @@ optional_policy(`udev',`
 	udev_read_db(nmbd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(nmbd_t)
-')
-')
-
 ########################################
 #
 # smbmount Local policy
@@ -640,12 +628,6 @@ optional_policy(`udev',`
 	udev_read_db(winbind_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(winbind_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # Winbind helper local policy

refpolicy/policy/modules/services/sasl.te

@@ -99,10 +99,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(saslauthd_t)
 ')
-
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(saslauthd_t)
-')
-')

refpolicy/policy/modules/services/sendmail.te

@@ -136,10 +136,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(sendmail_t)
-')
-
 allow sendmail_t etc_mail_t:dir rw_dir_perms;
 allow sendmail_t etc_mail_t:file create_file_perms;
 # for the start script to run make -C /etc/mail

refpolicy/policy/modules/services/snmp.te

@@ -149,10 +149,6 @@ can_udp_send(snmpd_t, sysadm_t)
 optional_policy(`cupsd',`
 	allow snmpd_t cupsd_rw_etc_t:file { getattr read };
 ')
-
-optional_policy(`rhgb',`
-	rhgb_domain(snmpd_t)
-')
 ') dnl end TODO
 
 ifdef(`distro_redhat', `

refpolicy/policy/modules/services/spamassassin.te

@@ -146,10 +146,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(spamd_t)
-')
-
 optional_policy(`amavis', `
 # for bayes tokens
 allow spamd_t var_lib_t:dir { getattr search };

refpolicy/policy/modules/services/squid.te

@@ -177,9 +177,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(squid_t)
-')
 ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')

refpolicy/policy/modules/services/ssh.te

@@ -255,10 +255,4 @@ ifdef(`targeted_policy',`',`
 	optional_policy(`udev',`
 		udev_read_db(ssh_keygen_t)
 	')
-
-	ifdef(`TODO',`
-	optional_policy(`rhgb',`
-		rhgb_domain(ssh_keygen_t)
-	')
-	')
 ')

refpolicy/policy/modules/services/stunnel.te

@@ -113,13 +113,7 @@ ifdef(`distro_gentoo', `
 	optional_policy(`udev',`
         	udev_read_db(stunnel_t)
 	')
-
+',`
-	ifdef(`TODO',`
-	optional_policy(`rhgb',`
-        	rhgb_domain(stunnel_t)
-	')
-	') dnl end TODO
-', `
 	allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
 	dev_read_urand(stunnel_t)

refpolicy/policy/modules/services/tftp.te

@@ -104,9 +104,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev', `
         udev_read_db(tftpd_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-        rhgb_domain(tftpd_t)
-')
-')

refpolicy/policy/modules/services/zebra.te

@@ -131,9 +131,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(zebra_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(zebra_t)
-')
-') dnl end TODO

refpolicy/policy/modules/system/authlogin.if

@@ -368,14 +368,18 @@ interface(`auth_manage_shadow',`
 ')
 
 #######################################
-#
+## <summary>
-# auth_relabelto_shadow(domain)
+##	Relabel to the shadow
+##	password file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
 interface(`auth_relabelto_shadow',`
 	gen_require(`
 		attribute can_relabelto_shadow_passwords;
 		type shadow_t;
-		class file relabelto;
 	')
 
 	files_search_etc($1)
@@ -383,6 +387,26 @@ interface(`auth_relabelto_shadow',`
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
+#######################################
+## <summary>
+##	Relabel from and to the shadow
+##	password file type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_relabel_shadow',`
+	gen_require(`
+		attribute can_relabelto_shadow_passwords;
+		type shadow_t;
+	')
+
+	files_search_etc($1)
+	allow $1 shadow_t:file { relabelfrom relabelto };
+	typeattribute $1 can_relabelto_shadow_passwords;
+')
+
 #######################################
 ## <summary>
 ##	Append to the login failure log.

refpolicy/policy/modules/system/authlogin.te

@@ -253,10 +253,6 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(pam_console_t)
-')
-
 ifdef(`xdm.te', `
 	allow pam_console_t xdm_var_run_t:file { getattr read };
 ')

refpolicy/policy/modules/system/clock.te

@@ -87,11 +87,3 @@ optional_policy(`udev',`
 optional_policy(`userdomain',`
 	userdom_dontaudit_use_unpriv_user_fd(hwclock_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(hwclock_t)
-')
-
-optional_policy(`gnome-pty-helper', `allow hwclock_t sysadm_gph_t:fd use;')
-') dnl end TODO

refpolicy/policy/modules/system/files.if

@@ -894,9 +894,11 @@ interface(`files_mounton_all_mountpoints',`
 	gen_require(`
 		attribute mountpoint;
 		class dir { getattr search mounton };
+		class file { getattr mounton };
 	')
 
 	allow $1 mountpoint:dir { getattr search mounton };
+	allow $1 mountpoint:file { getattr mounton };
 ')
 
 ########################################
@@ -1333,6 +1335,23 @@ interface(`files_exec_etc_files',`
 
 ')
 
+#######################################
+## <summary>
+##	Relabel from and to generic files in /etc.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_relabel_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir list_dir_perms;
+	allow $1 etc_t:file { relabelfrom relabelto };
+')
+
 ########################################
 #
 # files_create_boot_flag(domain)

refpolicy/policy/modules/system/hotplug.te

@@ -203,12 +203,3 @@ optional_policy(`udev',`
 optional_policy(`updfstab',`
 	updfstab_domtrans(hotplug_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(hotplug_t)
-')
-
-dontaudit hotplug_t { init_t kernel_t }:file read;
-
-') dnl end TODO

refpolicy/policy/modules/system/ipsec.te

@@ -141,12 +141,6 @@ optional_policy(`udev',`
 	udev_read_db(ipsec_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(ipsec_t)
-')
-')
-
 ########################################
 #
 # ipsec_mgmt Local policy

refpolicy/policy/modules/system/iptables.te

@@ -102,13 +102,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(iptables_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(iptables_t)
-')
-
-optional_policy(`gnome-pty-helper',`
-	allow iptables_t sysadm_gph_t:fd use;
-')
-') dnl ifdef TODO

refpolicy/policy/modules/system/logging.te

@@ -175,12 +175,6 @@ optional_policy(`udev',`
 	udev_read_db(auditd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(auditd_t)
-')
-') dnl endif TODO
-
 ########################################
 #
 # klogd local policy
@@ -380,12 +374,7 @@ optional_policy(`udev',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(syslogd_t)
-')
-
 allow syslogd_t tmpfs_t:dir search;
-dontaudit syslogd_t unlabeled_t:file { getattr read };
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 
 # log to the xconsole

refpolicy/policy/modules/system/lvm.te

@@ -117,12 +117,6 @@ optional_policy(`udev',`
 	udev_read_db(clvmd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(clvmd_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # LVM Local policy
@@ -270,11 +264,5 @@ ifdef(`TODO',`
 allow lvm_t var_t:dir { search getattr };
 allow lvm_t ramfs_t:filesystem unmount;
 
-optional_policy(`gnome-pty-helper',`
-	allow lvm_t sysadm_gph_t:fd use;
-')
-optional_policy(`rhgb',`
-rhgb_domain(lvm_t)
-')
 dontaudit lvm_t xconsole_device_t:fifo_file getattr;
 ') dnl end TODO

refpolicy/policy/modules/system/mount.te

@@ -141,13 +141,4 @@ ifdef(`TODO',`
 
 # for when /etc/mtab loses its type
 allow mount_t file_t:file unlink;
-
-ifdef(`gnome-pty-helper.te', `
-allow mount_t sysadm_gph_t:fd use;
-')
-
-optional_policy(`rhgb',`
-rhgb_domain(mount_t)
-')
-
 ') dnl endif TODO

refpolicy/policy/modules/system/pcmcia.te

@@ -147,12 +147,6 @@ optional_policy(`udev',`
 	udev_read_db(cardmgr_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-	rhgb_domain(cardmgr_t)
-')
-') dnl end TODO
-
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
 allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;

refpolicy/policy/modules/system/raid.te

@@ -88,7 +88,4 @@ ifdef(`TODO',`
 dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
 
 allow mdadm_t var_t:dir getattr;
-optional_policy(`rhgb',`
-	rhgb_domain(mdadm_t)
-')
 ') dnl TODO

refpolicy/policy/modules/system/sysnetwork.te

@@ -244,12 +244,6 @@ optional_policy(`userdomain',`
 	userdom_use_all_user_fd(dhcpc_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`rhgb',`
-rhgb_domain(dhcpc_t)
-')
-') dnl endif TODO
-
 ########################################
 #
 # Ifconfig local policy
@@ -343,10 +337,3 @@ optional_policy(`nis',`
 optional_policy(`ppp',`
 	ppp_use_fd(ifconfig_t)
 ')
-
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-optional_policy(`rhgb',`
-rhgb_domain(ifconfig_t)
-')
-') dnl endif TODO

refpolicy/policy/modules/system/userdomain.if

@@ -2476,6 +2476,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
 	')
 ')
 
+########################################
+## <summary>
+##	Read the process state of all user domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_read_all_userdomains_state',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:dir search_dir_perms;
+	allow $1 userdomain:file r_file_perms;
+	kernel_search_proc($1)
+')
+
+########################################
+## <summary>
+##	Get the attributes of all user domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_getattr_all_userdomains',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:process getattr;
+')
+
 ########################################
 ## <summary>
 ##	Inherit the file descriptors from all user domains

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.0.1)
+policy_module(userdomain,1.0.2)
 
 ########################################
 #
@@ -295,6 +295,7 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`usermanage',`
+		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
 	')