begin merging in upstream NSA CVS changes

refpolicy/policy/mls

@@ -22,6 +22,7 @@ sensitivity s9;
 #
 dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
 
+
 #
 # Define the categories
 #
@@ -207,7 +208,7 @@ level s9:c0.c127;
 # role_mls_op : == | != | eq | dom | domby | incomp
 #
 # names : name | { name_list }
-# name_list : name | name_list name#
+# name_list : name | name_list name
 #
 
 #
@@ -218,7 +219,7 @@ level s9:c0.c127;
 mlsconstrain { file lnk_file fifo_file } { create relabelto }
 	( l2 eq h2 );
 
-# new file labels must be dominated by the relabling subject clearance
+# new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
 	( h1 dom h2 );
 
@@ -258,10 +259,10 @@ mlsconstrain dir { add_name remove_name reparent rmdir }
 # these access vectors have no MLS restrictions
 # { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
 #
-# file { execute_no_trans entrypoint }
+# { file chr_file } { execute_no_trans entrypoint execmod }
 
 # the file upgrade/downgrade rule
-mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file }
+mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
 	((( l1 eq l2 ) or
 	  (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
 	  (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
@@ -285,11 +286,13 @@ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
 	  (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
 
 
+
+
 #
 # MLS policy for the filesystem class
 #
 
-# new filesystem labels must be dominated by the relabling subject clearance
+# new filesystem labels must be dominated by the relabeling subject clearance
 mlsconstrain filesystem relabelto
 	( h1 dom h2 );
 
@@ -309,50 +312,46 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
 # filesystem { transition associate }
 
 
+
+
 #
 # MLS policy for the socket classes
 #
 
-# new socket labels must be dominated by the relabling subject clearance
+# new socket labels must be dominated by the relabeling subject clearance
 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
 	( h1 dom h2 );
 
-# the socket "read" ops (note that the we check dominance of the low level)
+# the socket "read" ops (note the check is dominance of the low level)
 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
 
-mlsconstrain { tcp_socket unix_stream_socket } acceptfrom
-	(( l1 dom l2 ) or
-	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
-
 mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
 
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsnetwrite ));
-
-mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
 	((( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
 # these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
 #
 # { tcp_socket udp_socket rawip_socket } node_bind
 #
+# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+#
 # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
 #
 
 
+
+
 #
 # MLS policy for the ipc classes
 #
@@ -393,6 +392,8 @@ mlsconstrain msg send
 # { ipc sem msgq shm } associate
 
 
+
+
 #
 # MLS policy for the fd class
 #
@@ -401,29 +402,38 @@ mlsconstrain msg send
 # fd use
 
 
+
+
 #
-# MLS policy for the node class
+# MLS policy for the network object classes
 #
 
+# the netif/node "read" ops (implicit single level socket doing the read)
+#                           (note the check is dominance of the low level)
+mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
+	(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
+
+# the netif/node "write" ops (implicit single level socket doing the write)
+mlsconstrain { netif node } { tcp_send udp_send rawip_send }
+	(( l1 dom l2 ) and ( l1 domby h2 ));
+
 # these access vectors have no MLS restrictions
-# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
+# { netif node } { enforce_dest }
 
 
-#
-# MLS policy for the netif class
-#
-
-# these access vectors have no MLS restrictions
-# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
 
 
 #
 # MLS policy for the process class
 #
 
-# new process labels must be dominated by the relabling subject clearance and
-# sensitivity level changes require privilege
-mlsconstrain process { transition dyntransition }
+# new process labels must be dominated by the relabeling subject clearance
+# and sensitivity level changes require privilege
+mlsconstrain process transition
+	(( h1 dom h2 ) and
+	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
+	  (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
+mlsconstrain process dyntransition
 	(( h1 dom h2 ) and
 	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
 
@@ -440,7 +450,9 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
 	 ( t1 == mlsprocwrite ));
 
 # these access vectors have no MLS restrictions
-# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh}
+# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
+
+
 
 
 #
@@ -451,6 +463,8 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
 # security *
 
 
+
+
 #
 # MLS policy for the system class
 #
@@ -459,6 +473,8 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
 # system *
 
 
+
+
 #
 # MLS policy for the capability class
 #
@@ -468,6 +484,7 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
 
 
 
+
 #
 # MLS policy for the passwd class
 #
@@ -476,6 +493,8 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
 # passwd *
 
 
+
+
 #
 # MLS policy for the drawable class
 #
@@ -493,6 +512,8 @@ mlsconstrain drawable { create destroy draw copy }
 	 ( t1 == mlsxwinwrite ));
 
 
+
+
 #
 # MLS policy for the gc class
 #
@@ -510,6 +531,8 @@ mlsconstrain gc { create free setattr }
 	 ( t1 == mlsxwinwrite ));
 
 
+
+
 #
 # MLS policy for the window class
 #
@@ -530,6 +553,8 @@ mlsconstrain window { addchild create destroy chstack chproplist chprop setattr
 # window { map unmap }
 
 
+
+
 #
 # MLS policy for the font class
 #
@@ -550,6 +575,8 @@ mlsconstrain font free
 # font use
 
 
+
+
 #
 # MLS policy for the colormap class
 #
@@ -567,6 +594,8 @@ mlsconstrain colormap { create free install uninstall store setattr }
 	 ( t1 == mlsxwinwrite ));
 
 
+
+
 #
 # MLS policy for the property class
 #
@@ -583,6 +612,9 @@ mlsconstrain property { create free write }
 	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsxwinwrite ));
 
+
+
+
 #
 # MLS policy for the cursor class
 #
@@ -594,6 +626,8 @@ mlsconstrain cursor { create createglyph free assign setattr }
 	 ( t1 == mlsxwinwrite ));
 
 
+
+
 #
 # MLS policy for the xclient class
 #
@@ -605,6 +639,8 @@ mlsconstrain xclient kill
 	 ( t1 == mlsxwinwrite ));
 
 
+
+
 #
 # MLS policy for the xinput class
 #
@@ -641,6 +677,8 @@ mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver }
 	 ( t1 == mlsxwinwrite ));
 
 
+
+
 #
 # MLS policy for the xextension class
 #
@@ -666,6 +704,8 @@ mlsconstrain xextension use
 # pax { pageexec emutramp mprotect randmmap randexec segmexec }
 
 
+
+
 #
 # MLS policy for the dbus class
 #
@@ -674,6 +714,8 @@ mlsconstrain xextension use
 # dbus { acquire_svc send_msg }
 
 
+
+
 #
 # MLS policy for the nscd class
 #
@@ -682,6 +724,8 @@ mlsconstrain xextension use
 # nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
 
 
+
+
 #
 # MLS policy for the association class
 #
@@ -702,7 +746,7 @@ attribute mlsnetwrite;
 attribute mlsnetwritetoclr;
 attribute mlsnetupgrade;
 attribute mlsnetdowngrade;
-attribute mlsnetbindall;
+attribute mlsnetrecvall;
 
 attribute mlsipcread;
 attribute mlsipcreadtoclr;

refpolicy/policy/modules/admin/acct.te

@@ -11,7 +11,7 @@ type acct_exec_t;
 init_daemon_domain(acct_t,acct_exec_t)
 
 type acct_data_t;
-files_type(acct_data_t)
+logging_log_file(acct_data_t)
 
 ########################################
 #

refpolicy/policy/modules/admin/logrotate.te

@@ -84,8 +84,6 @@ files_read_all_pids(logrotate_t)
 files_manage_generic_spools(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 
-hostname_exec(logrotate_t)
-
 # cjp: why is this needed?
 init_domtrans_script(logrotate_t)
 
@@ -124,6 +122,10 @@ optional_policy(`consoletype.te',`
 
 ')
 
+optional_policy(`hostname.te',`
+	hostname_exec(logrotate_t)
+')
+
 optional_policy(`mysql.te',`
 	mysql_read_config(logrotate_t)
 	mysql_search_db_dir(logrotate_t)

refpolicy/policy/modules/admin/netutils.te

@@ -172,6 +172,7 @@ corenet_tcp_sendrecv_all_ports(traceroute_t)
 corenet_udp_sendrecv_all_ports(traceroute_t)
 corenet_udp_bind_all_nodes(traceroute_t)
 corenet_tcp_bind_all_nodes(traceroute_t)
+corenet_tcp_connect_all_ports(traceroute_t)
 
 fs_dontaudit_getattr_xattr_fs(traceroute_t)
 

refpolicy/policy/modules/admin/rpm.te

@@ -106,6 +106,7 @@ corenet_tcp_sendrecv_all_ports(rpm_t)
 corenet_udp_sendrecv_all_ports(rpm_t)
 corenet_tcp_bind_all_nodes(rpm_t)
 corenet_udp_bind_all_nodes(rpm_t)
+corenet_tcp_connect_all_ports(rpm_t)
 
 dev_list_sysfs(rpm_t)
 dev_list_usbfs(rpm_t)
@@ -304,6 +305,10 @@ seutil_domtrans_restorecon(rpm_script_t)
 
 userdom_use_all_user_fd(rpm_script_t)
 
+if (allow_execmem) {
+	allow rpm_script_t self:process execmem;
+}
+
 # this should be tunable_policy, but
 # typeattribute does not work in conditionals
 ifdef(`unlimitedRPM',`

refpolicy/policy/modules/kernel/corenetwork.if.in

@@ -716,6 +716,23 @@ interface(`corenet_udp_bind_all_ports',`
 	allow $1 port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Connect TCP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corenet_tcp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+		class tcp_socket name_connect;
+	')
+
+	allow $1 port_type:tcp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on generic reserved ports.

refpolicy/policy/modules/kernel/corenetwork.te.in

@@ -37,6 +37,7 @@ sid port context_template(system_u:object_r:port_t,s0)
 type reserved_port_t, port_type, reserved_port_type;
 
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+network_port(auth, tcp,113,s0)
 dnl network_port(biff) # no defined portcon in current strict
 network_port(dbskkd, tcp,1178,s0)
 network_port(dhcpc, udp,68,s0)
@@ -50,7 +51,7 @@ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0)
 network_port(http, tcp,80,s0, tcp,443,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 dnl network_port(i18n_input) # no defined portcon in current strict
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,113,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
+network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
 network_port(innd, tcp,119,s0)
 network_port(ipp, tcp,631,s0, udp,631,s0)
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)

refpolicy/policy/modules/services/inetd.te

@@ -68,8 +68,10 @@ corenet_tcp_sendrecv_all_ports(inetd_t)
 corenet_udp_sendrecv_all_ports(inetd_t)
 corenet_tcp_bind_all_nodes(inetd_t)
 corenet_udp_bind_all_nodes(inetd_t)
+corenet_tcp_connect_all_ports(inetd_t)
 
 # listen on service ports:
+corenet_tcp_bind_auth_port(inetd_t)
 #corenet_udp_bind_comsat_port(inetd_t)
 corenet_tcp_bind_dbskkd_port(inetd_t)
 corenet_udp_bind_dbskkd_port(inetd_t)

refpolicy/policy/modules/services/inn.te

@@ -74,6 +74,7 @@ corenet_udp_sendrecv_all_ports(innd_t)
 corenet_tcp_bind_all_nodes(innd_t)
 corenet_udp_bind_all_nodes(innd_t)
 corenet_tcp_bind_innd_port(innd_t)
+corenet_tcp_connect_all_ports(innd_t)
 
 dev_read_sysfs(innd_t)
 dev_read_urand(innd_t)

refpolicy/policy/modules/services/ldap.te

@@ -32,7 +32,7 @@ files_pid_file(slapd_var_run_t)
 
 # should not need kill
 # cjp: why net_raw?
-allow slapd_t self:capability { kill setgid setuid net_raw };
+allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
 dontaudit slapd_t self:capability sys_tty_config;
 allow slapd_t self:process setsched;
 allow slapd_t self:fifo_file { read write };
@@ -71,6 +71,7 @@ corenet_udp_sendrecv_all_ports(slapd_t)
 corenet_tcp_bind_all_nodes(slapd_t)
 corenet_udp_bind_all_nodes(slapd_t)
 corenet_tcp_bind_ldap_port(slapd_t)
+corenet_tcp_connect_all_ports(slapd_t)
 
 dev_read_urand(slapd_t)
 dev_read_sysfs(slapd_t)

refpolicy/policy/modules/services/nis.te

@@ -73,6 +73,7 @@ corenet_tcp_bind_generic_port(ypbind_t)
 corenet_udp_bind_generic_port(ypbind_t)
 corenet_tcp_bind_reserved_port(ypbind_t)
 corenet_udp_bind_reserved_port(ypbind_t)
+corenet_tcp_connect_all_ports(ypbind_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
 
@@ -113,6 +114,10 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(ypbind_t)
 ')
 
+optional_policy(`portmap.te',`
+	portmap_udp_sendto(ypbind_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(ypbind_t)
 ')
@@ -122,8 +127,6 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-can_udp_send(ypbind_t, portmap_t)
-
 optional_policy(`rhgb.te', `
 	rhgb_domain(ypbind_t)
 ')
@@ -199,6 +202,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(ypserv_t)
 ')
 
+optional_policy(`portmap.te',`
+	portmap_udp_sendto(ypserv_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(ypserv_t)
 ')
@@ -212,9 +219,6 @@ optional_policy(`rhgb.te', `
 rhgb_domain(ypserv_t)
 ')
 
-# Send to portmap and initrc.
-can_udp_send(ypserv_t, portmap_t)
-
 # Read and write /var/yp.
 ifdef(`rpcd.te', `
 allow rpcd_t ypserv_conf_t:file { getattr read };

refpolicy/policy/modules/services/sendmail.te

@@ -56,6 +56,7 @@ corenet_udp_sendrecv_all_ports(sendmail_t)
 corenet_tcp_bind_all_nodes(sendmail_t)
 corenet_udp_bind_all_nodes(sendmail_t)
 corenet_tcp_bind_smtp_port(sendmail_t)
+corenet_tcp_connect_all_ports(sendmail_t)
 
 dev_read_urand(sendmail_t)
 dev_read_sysfs(sendmail_t)

refpolicy/policy/modules/services/squid.te

@@ -28,7 +28,7 @@ files_pid_file(squid_var_run_t)
 # Local policy
 #
 
-allow squid_t self:capability { setgid setuid };
+allow squid_t self:capability { setgid setuid dac_override };
 dontaudit squid_t self:capability sys_tty_config;
 allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow squid_t self:unix_stream_socket create_stream_socket_perms;

refpolicy/policy/modules/system/clock.te

@@ -84,9 +84,4 @@ rhgb_domain(hwclock_t)
 ')
 
 optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
-
-optional_policy(`apmd.te', `
-domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
-')
-
 ') dnl end TODO

refpolicy/policy/modules/system/hotplug.te

@@ -107,8 +107,6 @@ modutils_read_mods_deps(hotplug_t)
 
 miscfiles_read_localization(hotplug_t)
 
-mount_domtrans(hotplug_t)
-
 sysnet_read_config(hotplug_t)
 
 userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
@@ -147,6 +145,10 @@ optional_policy(`iptables.te',`
 	iptables_domtrans(hotplug_t)
 ')
 
+optional_policy(`mount.te',`
+	mount_domtrans(hotplug_t)
+')
+
 optional_policy(`mta.te', `
 	mta_send_mail(hotplug_t)
 ')

refpolicy/policy/modules/system/init.te

@@ -145,6 +145,10 @@ ifdef(`distro_redhat',`
 	fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
 ')
 
+ifdef(`targeted_policy',`
+	unconfined_domain_template(init_t)
+')
+
 optional_policy(`authlogin.te',`
 	auth_rw_login_records(init_t)
 ')

refpolicy/policy/modules/system/selinuxutil.if

@@ -31,7 +31,6 @@ interface(`seutil_domtrans_checkpol',`
 ##	Execute checkpolicy in the checkpolicy domain, and
 ##	allow the specified role the checkpolicy domain,
 ##	and use the caller's terminal.
-##	Has a SIGCHLD signal backchannel.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.

refpolicy/policy/modules/system/selinuxutil.te

@@ -94,6 +94,10 @@ role system_r types setfiles_t;
 type setfiles_exec_t;
 domain_entry_file(setfiles_t,setfiles_exec_t)
 
+ifdef(`distro_redhat',`
+	init_system_domain(setfiles_t,setfiles_exec_t)
+')
+
 ########################################
 #
 # Checkpolicy local policy
@@ -142,7 +146,8 @@ allow load_policy_t self:capability dac_override;
 # only allow read of policy config files
 allow load_policy_t policy_src_t:dir search;
 allow load_policy_t policy_config_t:dir r_dir_perms;
-allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
+allow load_policy_t policy_config_t:file r_file_perms;
+allow load_policy_t policy_config_t:lnk_file r_file_perms;
 
 allow load_policy_t selinux_config_t:dir r_dir_perms;
 allow load_policy_t selinux_config_t:file r_file_perms;

refpolicy/policy/modules/system/sysnetwork.te

@@ -99,6 +99,7 @@ corenet_udp_sendrecv_all_ports(dhcpc_t)
 corenet_tcp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_dhcpc_port(dhcpc_t)
+corenet_tcp_connect_all_ports(dhcpc_t)
 
 dev_read_sysfs(dhcpc_t)
 # for SSP:
@@ -216,7 +217,7 @@ rhgb_domain(dhcpc_t)
 #
 
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow ifconfig_t self:capability net_admin;
+allow ifconfig_t self:capability { net_admin sys_tty_config };
 dontaudit ifconfig_t self:capability sys_module;
 
 allow ifconfig_t self:fd use;
@@ -234,6 +235,7 @@ allow ifconfig_t self:msg { send receive };
 allow ifconfig_t self:udp_socket create_socket_perms;
 
 # for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 files_read_etc_files(ifconfig_t);
@@ -246,6 +248,8 @@ kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
 
 corenet_use_tun_tap_device(ifconfig_t)
 
+dev_read_sysfs(ifconfig_t)
+
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
 

refpolicy/policy/modules/system/udev.te

@@ -121,7 +121,6 @@ seutil_domtrans_restorecon(udev_t)
 sysnet_domtrans_ifconfig(udev_t)
 
 userdom_use_sysadm_tty(udev_t)
-userdom_dontaudit_search_staff_home_dir(udev_t)
 
 ifdef(`distro_redhat',`
 	fs_manage_tmpfs_symlinks(udev_t)

strict/attrib.te

@@ -30,7 +30,7 @@ attribute mlsnetwrite;
 attribute mlsnetwritetoclr;
 attribute mlsnetupgrade;
 attribute mlsnetdowngrade;
-attribute mlsnetbindall;
+attribute mlsnetrecvall;
 
 attribute mlsipcread;
 attribute mlsipcreadtoclr;

strict/domains/program/acct.te

@@ -21,7 +21,7 @@ file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
 # for SSP
 allow acct_t urandom_device_t:chr_file read;
 
-type acct_data_t, file_type, sysadmfile;
+type acct_data_t, file_type, logfile, sysadmfile;
 
 allow acct_t self:capability sys_pacct;
 

strict/domains/program/amanda.te

@@ -31,7 +31,7 @@
 # General declarations
 ######################
 
-type amanda_t, domain, privlog, auth, nscd_client_domain ;
+type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
 role system_r types amanda_t;
 
 # type for the amanda executables
@@ -128,10 +128,7 @@ allow amanda_t amanda_usr_lib_t:dir search;
 
 # access to device_t and similar
 allow amanda_t device_t:dir search;
-allow amanda_t null_device_t:chr_file { getattr read write };
 allow amanda_t devpts_t:dir getattr;
-allow amanda_t fixed_disk_device_t:blk_file getattr;
-allow amanda_t removable_device_t:blk_file getattr;
 allow amanda_t devtty_t:chr_file { read write };
 
 # access to boot_t
@@ -160,7 +157,7 @@ allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
 allow amanda_t bin_t:file { execute execute_no_trans };
 
 allow amanda_t self:capability { chown dac_override setuid };
-allow amanda_t self:process { fork sigchld };
+allow amanda_t self:process { fork sigchld setpgid signal };
 allow amanda_t self:unix_dgram_socket create;
 
 
@@ -170,6 +167,7 @@ allow amanda_t self:unix_dgram_socket create;
 
 can_network_server(amanda_t);
 can_ypbind(amanda_t);
+can_exec(amanda_t, sbin_t);
 	
 allow amanda_t self:fifo_file { getattr read write ioctl lock };
 allow amanda_t self:unix_stream_socket { connect create read write };
@@ -237,7 +235,7 @@ file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
 
 uses_shlib(amanda_recover_t)
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
-allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
 allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
 allow amanda_recover_t privfd:fd use;
 
@@ -251,6 +249,9 @@ can_ypbind(amanda_recover_t);
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
 
+allow amanda_t self:dir search;
+allow amanda_t self:file { getattr read };
+
 
 # amrecover file permissions
 ############################
@@ -298,10 +299,24 @@ allow amanda_recover_t tmp_t:dir search;
 #
 #  Rules to allow amanda to be run as a service in xinetd
 #
-type amanda_port_t, port_type;
 allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
 
 allow amanda_t file_type:dir {getattr read search };
-allow amanda_t file_type:file {getattr read };
+allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
+allow amanda_t device_type:{ blk_file chr_file } getattr;
+allow amanda_t fixed_disk_device_t:blk_file read;
+domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
+
+dontaudit amanda_t file_type:sock_file getattr;
 logdir_domain(amanda)
 
+dontaudit amanda_t autofs_t:dir { getattr read search };
+dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
+dontaudit amanda_t nfs_t:dir { getattr read };
+dontaudit amanda_t proc_t:dir read;
+dontaudit amanda_t proc_t:lnk_file read;
+dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
+dontaudit amanda_t security_t:dir { getattr read };
+dontaudit amanda_t sysfs_t:dir { getattr read };
+dontaudit amanda_t unlabeled_t:file getattr;
+dontaudit amanda_t usbfs_t:dir getattr;

strict/domains/program/anaconda.te

@@ -17,13 +17,17 @@ unconfined_domain(anaconda_t)
 role system_r types ldconfig_t;
 domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
 
+ifdef(`su.te', `
 role system_r types sysadm_su_t;
 domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
+')
 
 # Run other rc scripts in the anaconda_t domain.
 domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
 
+ifdef(`dmesg.te', `
 domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
+')
 
 ifdef(`distro_redhat', `
 file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
@@ -44,4 +48,6 @@ ifdef(`ssh-agent.te', `
 role system_r types sysadm_ssh_agent_t;
 domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
 ')
+ifdef(`passwd.te', `
 domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
+')

strict/domains/program/apache.te

@@ -26,10 +26,11 @@ r_dir_file(httpd_suexec_t, $1)
 can_exec(httpd_suexec_t, $1)
 ')
 
-type http_port_t, port_type, reserved_port_type;
-
 bool httpd_unified false;
 
+# Allow httpd to use built in scripting (usually php)
+bool httpd_builtin_scripting false;
+
 # Allow httpd cgi support
 bool httpd_enable_cgi false;
 
@@ -42,6 +43,9 @@ bool httpd_ssi_exec false;
 # Allow http daemon to communicate with the TTY
 bool httpd_tty_comm false;
 
+# Allow http daemon to tcp connect 
+bool httpd_can_network_connect false;
+
 #########################################################
 # Apache types
 #########################################################
@@ -50,15 +54,6 @@ bool httpd_tty_comm false;
 #
 type httpd_config_t, file_type, sysadmfile;
 
-append_logdir_domain(httpd)
-#can read /etc/httpd/logs
-allow httpd_t httpd_log_t:lnk_file read;
-
-# For /etc/init.d/apache2 reload
-can_tcp_connect(httpd_t, httpd_t)
-
-can_tcp_connect(web_client_domain, httpd_t)
-
 # httpd_modules_t is the type given to module files (libraries) 
 # that come with Apache /etc/httpd/modules and /usr/lib/apache
 #
@@ -71,7 +66,16 @@ type httpd_cache_t, file_type, sysadmfile;
 
 # httpd_exec_t is the type give to the httpd executable.
 #
-daemon_domain(httpd, `, privmail')
+daemon_domain(httpd, `, privmail, nscd_client_domain')
+
+append_logdir_domain(httpd)
+#can read /etc/httpd/logs
+allow httpd_t httpd_log_t:lnk_file read;
+
+# For /etc/init.d/apache2 reload
+can_tcp_connect(httpd_t, httpd_t)
+
+can_tcp_connect(web_client_domain, httpd_t)
 
 can_exec(httpd_t, httpd_exec_t)
 file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
@@ -82,53 +86,11 @@ allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read
 
 read_sysctl(httpd_t)
 
+allow httpd_t crypt_device_t:chr_file rw_file_perms;
+
 # for modules that want to access /etc/mtab and /proc/meminfo
 allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
 
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec)
-allow httpd_t httpd_suexec_exec_t:file read;
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir search;
-allow httpd_suexec_t httpd_log_t:file { append getattr };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-can_network(httpd_suexec_t)
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-')
-
 uses_shlib(httpd_t)
 allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
 allow httpd_t usr_t:lnk_file { getattr read };
@@ -144,12 +106,31 @@ allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
 can_exec(httpd_t, { bin_t sbin_t })
 allow httpd_t bin_t:lnk_file read;
 
-can_network(httpd_t)
-can_ypbind(httpd_t)
+########################################
+# Set up networking
+########################################
 
-###################
-# Allow httpd to search users diretories
-######################
+can_network_server(httpd_t)
+can_kerberos(httpd_t)
+can_resolve(httpd_t)
+can_ypbind(httpd_t)
+can_ldap(httpd_t)
+allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+
+if (httpd_can_network_connect) {
+can_network_client(httpd_t)
+allow httpd_t port_type:tcp_socket name_connect;
+}
+
+##########################################
+# Legacy: remove when it's fixed         #
+# Allow libphp5.so with text relocations #
+##########################################
+allow httpd_t texrel_shlib_t:file execmod;
+
+#########################################
+# Allow httpd to search users directories
+#########################################
 allow httpd_t home_root_t:dir { getattr search };
 dontaudit httpd_t sysadm_home_dir_t:dir getattr;
 
@@ -163,7 +144,6 @@ dontaudit httpd_t self:capability net_admin;
 # Allow the httpd_t to read the web servers config files
 ###################################################
 r_dir_file(httpd_t, httpd_config_t)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
 # allow logrotate to read the config files for restart
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, httpd_config_t)
@@ -173,11 +153,6 @@ allow logrotate_t httpd_t:process signull;
 r_dir_file(initrc_t, httpd_config_t)
 ##################################################
 
-########################################
-# Allow httpd_t to bind to the HTTP port
-########################################
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-
 ###############################
 # Allow httpd_t to put files in /var/cache/httpd etc
 ##############################
@@ -209,13 +184,14 @@ allow initrc_t httpd_modules_t:dir r_dir_perms;
 allow httpd_t etc_t:file { read getattr ioctl };
 allow httpd_t etc_t:lnk_file { getattr read };
 
+# setup the system domain for system CGI scripts
+apache_domain(sys)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
 # Run SSI execs in system CGI script domain.
 if (httpd_ssi_exec) {
 domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
 }
-r_dir_file(httpd_t, httpd_sys_script_ro_t)
-create_dir_file(httpd_t, httpd_sys_script_rw_t)
-ra_dir_file(httpd_t, httpd_sys_script_ra_t)
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
 ##################################################
@@ -242,7 +218,6 @@ allow httpd_php_t httpd_log_t:file ra_file_perms;
 # access to /tmp
 tmp_domain(httpd)
 tmp_domain(httpd_php)
-tmp_domain(httpd_suexec)
 
 # Creation of lock files for apache2
 lock_domain(httpd)
@@ -262,10 +237,11 @@ allow httpd_t bin_t:dir search;
 allow httpd_t sbin_t:dir search;
 allow httpd_t httpd_log_t:dir remove_name;
 
+read_fonts(httpd_t)
+
 allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 
 allow httpd_t autofs_t:dir { search getattr };
-allow httpd_suexec_t autofs_t:dir { search getattr };
 
 if (use_nfs_home_dirs && httpd_enable_homedirs) {
 httpd_home_dirs(nfs_t)
@@ -273,33 +249,24 @@ httpd_home_dirs(nfs_t)
 if (use_samba_home_dirs && httpd_enable_homedirs) {
 httpd_home_dirs(cifs_t)
 }
-r_dir_file(httpd_t, fonts_t)
 
 #
 # Allow users to mount additional directories as http_source
 #
 allow httpd_t mnt_t:dir r_dir_perms;
 
-########################################
-# When the admin starts the server, the server wants to acess
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here. 
-##################################################
-dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
-
-can_kerberos(httpd_t)
-
 ifdef(`targeted_policy', `
 typealias httpd_sys_content_t alias httpd_user_content_t;
 typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
 
 if (httpd_enable_homedirs) {
-allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
-allow httpd_t user_home_dir_t:dir { getattr search };
+allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
 }
 ') dnl targeted policy
 
+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+
 ifdef(`distro_redhat', `
 #
 # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
@@ -319,6 +286,104 @@ dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
 dontaudit httpd_t usr_t:dir write;
 ')
 
+application_domain(httpd_helper)
+role system_r types httpd_helper_t;
+domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+allow httpd_helper_t httpd_config_t:file { getattr read };
+allow httpd_helper_t httpd_log_t:file { append };
+
+########################################
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here. 
+##################################################
+
+if (httpd_tty_comm) {
+allow { httpd_t httpd_helper_t } devpts_t:dir { search };
+ifdef(`targeted_policy', `
+allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
+')
+allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+} else {
+dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
+}
+
+read_sysctl(httpd_sys_script_t)
+allow httpd_sys_script_t var_lib_t:dir search;
+dontaudit httpd_t selinux_config_t:dir search;
+r_dir_file(httpd_t, cert_t)
+
+#
+# unconfined domain for apache scripts.  Only to be used as a last resort
+#
+type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
+type httpd_unconfined_script_t, domain, nscd_client_domain;
+role system_r types httpd_unconfined_script_t;
+unconfined_domain(httpd_unconfined_script_t)
+
+# The following are types for SUEXEC,which runs user scripts as their
+# own user ID
+#
+daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
+allow httpd_t httpd_suexec_exec_t:file { getattr read };
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+
+allow httpd_suexec_t self:capability { setuid setgid };
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
+allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+allow httpd_suexec_t etc_t:file { getattr read };
+read_locale(httpd_suexec_t)
+read_sysctl(httpd_suexec_t)
+allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
+
+# for shell scripts
+allow httpd_suexec_t bin_t:dir search;
+allow httpd_suexec_t bin_t:lnk_file read;
+can_exec(httpd_suexec_t, { bin_t shell_exec_t })
+
+if (httpd_can_network_connect) {
+can_network(httpd_suexec_t)
+allow httpd_suexec_t port_type:tcp_socket name_connect;
+}
+
+can_ypbind(httpd_suexec_t)
+allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
+
+allow httpd_suexec_t autofs_t:dir { search getattr };
+tmp_domain(httpd_suexec)
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+')
+}
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
+}
+if (httpd_enable_cgi) {
+domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
+allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
+}
+
+#
+# Types for squirrelmail
+#
 type httpd_squirrelmail_t, file_type, sysadmfile;
 create_dir_file(httpd_t, httpd_squirrelmail_t)
 allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
@@ -329,26 +394,10 @@ create_dir_file(httpd_t, squirrelmail_spool_t)
 r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
 
 ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
 dontaudit system_mail_t httpd_log_t:file { append getattr };
 allow system_mail_t httpd_squirrelmail_t:file { append read };
 dontaudit system_mail_t httpd_t:tcp_socket { read write };
 ')
-
-application_domain(httpd_helper)
-role system_r types httpd_helper_t;
-domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-allow httpd_helper_t httpd_config_t:file { getattr read };
-allow httpd_helper_t httpd_log_t:file { append };
-
-if (httpd_tty_comm) {
-allow { httpd_t httpd_helper_t } devpts_t:dir { search };
-ifdef(`targeted_policy', `
-allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
-')
-allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
-}
-
-read_sysctl(httpd_sys_script_t)
-allow httpd_sys_script_t var_lib_t:dir search;
-dontaudit httpd_t selinux_config_t:dir search;
-r_dir_file(httpd_t, cert_t)

strict/domains/program/apmd.te

@@ -21,17 +21,19 @@ uses_shlib(apm_t)
 allow apm_t privfd:fd use;
 allow apm_t admin_tty_type:chr_file rw_file_perms;
 allow apm_t device_t:dir search;
-allow apm_t self:capability sys_admin;
+allow apm_t self:capability { dac_override sys_admin };
 allow apm_t proc_t:dir search;
-allow apm_t proc_t:file { read getattr };
+allow apm_t proc_t:file r_file_perms;
 allow apm_t fs_t:filesystem getattr;
 allow apm_t apm_bios_t:chr_file rw_file_perms;
 role sysadm_r types apm_t;
 role system_r types apm_t;
 
 allow apmd_t device_t:lnk_file read;
-allow apmd_t proc_t:file { getattr read };
-read_sysctl(apmd_t)
+allow apmd_t proc_t:file { getattr read write };
+can_sysctl(apmd_t)
+allow apmd_t sysfs_t:file write;
+
 allow apmd_t self:unix_dgram_socket create_socket_perms;
 allow apmd_t self:unix_stream_socket create_stream_socket_perms;
 allow apmd_t self:fifo_file rw_file_perms;
@@ -52,7 +54,7 @@ allow apmd_t self:file { getattr read ioctl };
 allow apmd_t self:process getsession;
 
 # Use capabilities.
-allow apmd_t self:capability { sys_admin sys_nice sys_time };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
 
 # controlling an orderly resume of PCMCIA requires creating device
 # nodes 254,{0,1,2} for some reason.
@@ -67,7 +69,10 @@ can_exec_any(apmd_t)
 # apmd calls hwclock.sh on suspend and resume
 allow apmd_t clock_device_t:chr_file r_file_perms;
 ifdef(`hwclock.te', `
+domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
 allow apmd_t adjtime_t:file rw_file_perms;
+allow hwclock_t apmd_log_t:file append;
+allow hwclock_t apmd_t:unix_stream_socket { read write };
 ')
 
 
@@ -84,7 +89,7 @@ dontaudit apmd_t domain:dir search;
 ifdef(`distro_redhat', `
 can_exec(apmd_t, apmd_var_run_t)
 # for /var/lock/subsys/network
-rw_dir_create_file(apmd_t, var_lock_t)
+lock_domain(apmd)
 
 # ifconfig_exec_t needs to be run in its own domain for Red Hat
 ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
@@ -108,6 +113,7 @@ allow apmd_t initrc_var_run_t:file { read write lock };
 #
 # Allow it to run killof5 and pidof
 #
+typeattribute apmd_t unrestricted;
 r_dir_file(apmd_t, domain)
 
 # Same for apm/acpid scripts

strict/domains/program/arpwatch.te

@@ -40,3 +40,9 @@ allow initrc_t arpwatch_data_t:dir { add_name write };
 allow initrc_t arpwatch_data_t:file create;
 ')dnl end distro_gentoo
 
+# why is mail delivered to a directory of type arpwatch_data_t?
+allow mta_delivery_agent arpwatch_data_t:dir search;
+allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
+ifdef(`hide_broken_symptoms', `
+dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
+')

strict/domains/program/automount.te

@@ -25,8 +25,8 @@ allow automount_t fs_type:dir getattr;
 
 allow automount_t { etc_t etc_runtime_t }:file { getattr read };
 allow automount_t proc_t:file { getattr read };
-allow automount_t self:process { setpgid setsched };
-allow automount_t self:capability sys_nice;
+allow automount_t self:process { getpgid setpgid setsched };
+allow automount_t self:capability { sys_nice dac_override };
 allow automount_t self:unix_stream_socket create_socket_perms;
 allow automount_t self:unix_dgram_socket create_socket_perms;
 
@@ -63,7 +63,13 @@ dontaudit automount_t var_t:dir write;
 allow userdomain autofs_t:dir r_dir_perms;
 allow kernel_t autofs_t:dir { getattr ioctl read search };
 
-allow automount_t home_root_t:dir getattr;
+allow automount_t { boot_t home_root_t }:dir getattr;
 allow automount_t mnt_t:dir { getattr search };
 
-allow initrc_t automount_etc_t:file { getattr read };
+can_exec(initrc_t, automount_etc_t)
+
+# Allow automount to create and delete directories in / and /home
+file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
+
+allow automount_t var_lib_t:dir search;
+allow automount_t var_lib_nfs_t:dir search;

strict/domains/program/bluetooth.te

@@ -17,7 +17,7 @@ tmp_domain(bluetooth)
 # Use capabilities.
 allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
 
-rw_dir_create_file(bluetooth_t, var_lock_t)
+lock_domain(bluetooth)
 
 # Use the network.
 can_network_server(bluetooth_t)
@@ -26,7 +26,8 @@ ifdef(`dbusd.te', `
 dbusd_client(system, bluetooth)
 allow bluetooth_t system_dbusd_t:dbus send_msg;
 ')
-allow bluetooth_t self:socket { create setopt ioctl bind listen };
+allow bluetooth_t self:socket create_stream_socket_perms;
+
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
 
@@ -39,4 +40,6 @@ type bluetooth_conf_t, file_type, sysadmfile;
 allow bluetooth_t bluetooth_conf_t:dir search;
 allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
 #/usr/sbin/hid2hci causes the following
-allow initrc_t usbfs_t:file { read };
+allow initrc_t usbfs_t:file { getattr read };
+allow bluetooth_t usbfs_t:dir r_dir_perms;
+allow bluetooth_t usbfs_t:file rw_file_perms; 

strict/domains/program/bootloader.te

@@ -13,7 +13,6 @@
 type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
 type bootloader_exec_t, file_type, sysadmfile, exec_type;
 etc_domain(bootloader)
-typealias bootloader_etc_t alias etc_bootloader_t;
 
 role sysadm_r types bootloader_t;
 role system_r types bootloader_t;

strict/domains/program/canna.te

@@ -29,6 +29,7 @@ allow canna_t canna_var_lib_t:dir create;
 rw_dir_create_file(canna_t, canna_var_lib_t)
 
 can_network_tcp(canna_t)
+allow canna_t port_type:tcp_socket name_connect;
 can_ypbind(canna_t)
 
 allow userdomain canna_var_run_t:dir search;
@@ -41,3 +42,5 @@ allow i18n_input_t canna_var_run_t:sock_file write;
 can_unix_connect(i18n_input_t, canna_t)
 ')
 
+dontaudit canna_t kernel_t:fd use;
+dontaudit canna_t root_t:file read;

strict/domains/program/checkpolicy.te

@@ -50,8 +50,6 @@ allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read
 uses_shlib(checkpolicy_t)
 allow checkpolicy_t self:capability dac_override;
 
-allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
-
 ##########################
 # Allow users to execute checkpolicy without a domain transition
 # so it can be used without privilege to write real binary policy file

strict/domains/program/cups.te

@@ -11,17 +11,15 @@
 # cupsd_t is the domain of cupsd.
 # cupsd_exec_t is the type of the cupsd executable.
 #
-type ipp_port_t, port_type, reserved_port_type;
 daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
 etcdir_domain(cupsd)
-typealias cupsd_etc_t alias etc_cupsd_t;
 type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
-typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
 
 can_network(cupsd_t)
+allow cupsd_t port_type:tcp_socket name_connect;
 logdir_domain(cupsd)
 
-tmp_domain(cupsd)
+tmp_domain(cupsd, `', { file dir fifo_file })
 
 allow cupsd_t devpts_t:dir search;
 
@@ -71,15 +69,22 @@ dontaudit cupsd_t etc_t:file write;
 can_exec(cupsd_t, cupsd_exec_t)
 allow cupsd_t cupsd_exec_t:dir search;
 allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t reserved_port_t:tcp_socket name_bind;
+dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
 
 allow cupsd_t self:unix_stream_socket create_socket_perms;
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_t self:fifo_file rw_file_perms;
 
 # Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
+allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
 dontaudit cupsd_t self:capability net_admin;
 
+#
+# /usr/lib/cups/backend/serial needs sys_admin
+# Need new context to run under???
+allow cupsd_t self:capability sys_admin;
+
 allow cupsd_t self:process setsched;
 
 # for /var/lib/defoma
@@ -109,7 +114,7 @@ allow cupsd_t bin_t:lnk_file read;
 can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
 
 # They will also invoke ghostscript, which needs to read fonts
-r_dir_file(cupsd_t, fonts_t)
+read_fonts(cupsd_t)
 
 # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
 allow cupsd_t lib_t:file { read getattr };
@@ -120,7 +125,9 @@ allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
 #
 # lots of errors generated requiring the following
 #
-allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
+
 #
 # Satisfy readahead
 #
@@ -140,18 +147,23 @@ dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 # PTAL
 daemon_domain(ptal)
 etcdir_domain(ptal)
-allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-allow ptal_t ptal_var_run_t:sock_file create_file_perms;
-allow ptal_t self:capability chown;
+
+file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
+allow ptal_t self:capability { chown sys_rawio };
 allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ptal_t self:unix_stream_socket { listen accept };
+can_network_server_tcp(ptal_t)
+allow ptal_t ptal_port_t:tcp_socket name_bind;
+allow userdomain ptal_t:unix_stream_socket connectto;
+allow userdomain ptal_var_run_t:sock_file write;
+allow userdomain ptal_var_run_t:dir search;
 allow ptal_t self:fifo_file rw_file_perms;
 allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file { ioctl read write };
+allow ptal_t printer_device_t:chr_file rw_file_perms;
 allow initrc_t printer_device_t:chr_file getattr;
 allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
 r_dir_file(ptal_t, usbdevfs_t)
-r_dir_file(ptal_t, usbfs_t)
+rw_dir_file(ptal_t, usbfs_t)
 allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket connectto;
 allow cupsd_t ptal_var_run_t:dir search;
@@ -160,19 +172,47 @@ dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 allow initrc_t ptal_var_run_t:dir rmdir;
 allow initrc_t ptal_var_run_t:fifo_file unlink;
 
+
+# HPLIP
+daemon_domain(hplip)
+etcdir_domain(hplip)
+allow hplip_t etc_t:file r_file_perms;
+allow hplip_t etc_runtime_t:file { read getattr };
+allow hplip_t printer_device_t:chr_file rw_file_perms;
+allow cupsd_t hplip_var_run_t:file { read getattr };
+allow hplip_t cupsd_etc_t:dir search;
+can_network(hplip_t)
+allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
+allow hplip_t hplip_port_t:tcp_socket name_bind;
+
+# Uses networking to talk to the daemons
+allow hplip_t self:unix_dgram_socket create_socket_perms;
+allow hplip_t self:unix_stream_socket create_socket_perms;
+
+# for python
+can_exec(hplip_t, bin_t)
+allow hplip_t { sbin_t bin_t }:dir search;
+allow hplip_t self:file { getattr read };
+allow hplip_t proc_t:file r_file_perms;
+allow hplip_t urandom_device_t:chr_file { getattr read };
+allow hplip_t usr_t:{ file lnk_file } r_file_perms;
+
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
 
 allow cupsd_t printconf_t:file { getattr read };
 
+ifdef(`dbusd.te', `
 dbusd_client(system, cupsd)
-
-ifdef(`hald.te', `
+allow cupsd_t system_dbusd_t:dbus send_msg;
+allow cupsd_t userdomain:dbus send_msg;
+')
 
 # CUPS configuration daemon
 daemon_domain(cupsd_config)
 
 allow cupsd_config_t devpts_t:dir search;
+allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
 
 ifdef(`distro_redhat', `
 ifdef(`rpm.te', `
@@ -196,8 +236,11 @@ allow cupsd_config_t self:capability chown;
 rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
 rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
 file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
 
 can_network_tcp(cupsd_config_t)
+can_ypbind(cupsd_config_t)
+allow cupsd_config_t port_type:tcp_socket name_connect;
 can_tcp_connect(cupsd_config_t, cupsd_t)
 allow cupsd_config_t self:fifo_file rw_file_perms;
 
@@ -206,15 +249,23 @@ ifdef(`dbusd.te', `
 dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus send_msg;
 allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow cupsd_t system_dbusd_t:dbus send_msg;
 allow userdomain cupsd_config_t:dbus send_msg;
-allow cupsd_config_t hald_t:dbus send_msg;
-allow hald_t cupsd_config_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
+')dnl end if dbusd.te
+
+ifdef(`hald.te', `
+
+ifdef(`dbusd.te', `
 allow cupsd_t hald_t:dbus send_msg;
+allow cupsd_config_t hald_t:dbus send_msg;
 allow hald_t cupsd_t:dbus send_msg;
 ')dnl end if dbusd.te
 
+allow hald_t cupsd_config_t:process signal;
+domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
+
+') dnl end if hald.te
+
+
 can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
 ifdef(`hostname.te', `
 can_exec(cupsd_t, hostname_exec_t)
@@ -235,23 +286,27 @@ allow cupsd_config_t printconf_t:file { getattr read };
 
 allow cupsd_config_t urandom_device_t:chr_file { getattr read };
 
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
 ifdef(`logrotate.te', `
 allow cupsd_config_t logrotate_t:fd use;
 ')dnl end if logrotate.te
 allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file read;
+allow cupsd_config_t crond_t:fifo_file r_file_perms;
 allow cupsd_t crond_t:fifo_file read;
+allow cupsd_t crond_t:fd use;
 
 # Alternatives asks for this
 allow cupsd_config_t initrc_exec_t:file getattr;
-') dnl end if hald.te
 ifdef(`targeted_policy', `
 can_unix_connect(cupsd_t, initrc_t)
 allow cupsd_t initrc_t:dbus send_msg;
 allow initrc_t cupsd_t:dbus send_msg;
+allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
+allow unconfined_t cupsd_config_t:dbus send_msg;
+allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
 ')
-
-ifdef(`targeted_policy', `
-allow cupsd_t unconfined_t:dbus send_msg;
-')
+typealias printer_port_t alias cupsd_lpd_port_t;
+inetd_child_domain(cupsd_lpd)
+allow inetd_t printer_port_t:tcp_socket name_bind;
+r_dir_file(cupsd_lpd_t, cupsd_etc_t)
+r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
+allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;

strict/domains/program/cyrus.te

@@ -15,9 +15,8 @@ type cyrus_var_lib_t, file_type, sysadmfile;
 allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
 allow cyrus_t self:process setrlimit;
 
-allow initrc_su_t cyrus_var_lib_t:dir search;
-
 can_network(cyrus_t)
+allow cyrus_t port_type:tcp_socket name_connect;
 can_ypbind(cyrus_t)
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
@@ -27,14 +26,11 @@ allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
 read_locale(cyrus_t)
 read_sysctl(cyrus_t)
 tmp_domain(cyrus)
-ifdef(`use_pop', `
-allow cyrus_t pop_port_t:tcp_socket name_bind;
-')
+allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
 allow cyrus_t proc_t:dir search;
 allow cyrus_t proc_t:file { getattr read };
 allow cyrus_t sysadm_devpts_t:chr_file { read write };
 
-allow cyrus_t staff_t:fd use;
 allow cyrus_t var_lib_t:dir search;
 
 allow cyrus_t etc_runtime_t:file { read getattr };
@@ -42,6 +38,7 @@ ifdef(`crond.te', `
 system_crond_entry(cyrus_exec_t, cyrus_t)
 allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
-allow system_crond_su_t cyrus_var_lib_t:dir search;
 ')
-allow cyrus_t mail_port_t:tcp_socket name_bind;
+create_dir_file(cyrus_t, mail_spool_t)
+allow cyrus_t var_spool_t:dir search;
+

strict/domains/program/dhcpc.te

@@ -15,14 +15,13 @@
 # dhcpc_exec_t is the type of the dhcpcd executable.
 # The dhcpc_t can be used for other DHCPC related files as well.
 #
-type dhcpc_port_t, port_type, reserved_port_type;
-
 daemon_domain(dhcpc)
 
 # for SSP
 allow dhcpc_t urandom_device_t:chr_file read;
 
 can_network(dhcpc_t)
+allow dhcpc_t port_type:tcp_socket name_connect;
 can_ypbind(dhcpc_t)
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
@@ -38,6 +37,7 @@ domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
 ')
 ifdef(`nscd.te', `
 domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
+allow dhcpc_t nscd_var_run_t:file { getattr read };
 ')
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
@@ -69,7 +69,6 @@ allow ping_t cardmgr_t:fd use;
 ifdef(`dhcpd.te', `', `
 type dhcp_state_t, file_type, sysadmfile;
 type dhcp_etc_t, file_type, sysadmfile, usercanread; 
-typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
 ')
 type dhcpc_state_t, file_type, sysadmfile;
 

strict/domains/program/dictd.te

@@ -10,11 +10,10 @@
 #
 # dictd_exec_t is the type of the dictd executable.
 #
-type dict_port_t, port_type;
 daemon_base_domain(dictd)
-type var_lib_dictd_t, file_type, sysadmfile;
+type dictd_var_lib_t, file_type, sysadmfile;
+typealias dictd_var_lib_t alias var_lib_dictd_t;
 etc_domain(dictd)
-typealias dictd_etc_t alias etc_dictd_t;
 
 # for checking for nscd
 dontaudit dictd_t var_run_t:dir search;
@@ -25,8 +24,8 @@ allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
 read_locale(dictd_t)
 
 allow dictd_t { var_t var_lib_t }:dir search;
-allow dictd_t var_lib_dictd_t:dir r_dir_perms;
-allow dictd_t var_lib_dictd_t:file r_file_perms;
+allow dictd_t dictd_var_lib_t:dir r_dir_perms;
+allow dictd_t dictd_var_lib_t:file r_file_perms;
 
 allow dictd_t self:capability { setuid setgid };
 

strict/domains/program/dovecot.te

@@ -3,17 +3,24 @@
 # Author:  Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: dovecot-imapd, dovecot-pop3d
 
+#
+# Main dovecot daemon
+#
 daemon_domain(dovecot, `, privhome')
+etc_domain(dovecot);
 
 allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
 
 can_exec(dovecot_t, dovecot_exec_t)
 
 type dovecot_cert_t, file_type, sysadmfile;
+type dovecot_passwd_t, file_type, sysadmfile;
+type dovecot_spool_t, file_type, sysadmfile;
 
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 allow dovecot_t self:process setrlimit;
 can_network_tcp(dovecot_t)
+allow dovecot_t port_type:tcp_socket name_connect;
 can_ypbind(dovecot_t)
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
@@ -25,9 +32,10 @@ allow dovecot_t bin_t:dir { getattr search };
 can_exec(dovecot_t, bin_t)
 
 allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file read;
+allow dovecot_t urandom_device_t:chr_file { getattr read };
 allow dovecot_t cert_t:dir search;
-allow dovecot_t dovecot_cert_t:file { getattr read };
+r_dir_file(dovecot_t, dovecot_cert_t)
+r_dir_file(dovecot_t, cert_t)
 
 allow dovecot_t { self proc_t }:file { getattr read };
 allow dovecot_t self:fifo_file rw_file_perms;
@@ -36,11 +44,21 @@ can_kerberos(dovecot_t)
 
 allow dovecot_t tmp_t:dir search;
 rw_dir_file(dovecot_t, mail_spool_t)
+create_dir_file(dovecot_t, dovecot_spool_t)
+create_dir_file(mta_delivery_agent, dovecot_spool_t)
 allow dovecot_t mail_spool_t:lnk_file read;
 allow dovecot_t var_spool_t:dir { search };
 
+#
+# Dovecot auth daemon
+#
 daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
+can_ldap(dovecot_auth_t)
+can_ypbind(dovecot_auth_t)
+can_kerberos(dovecot_auth_t)
+can_resolve(dovecot_auth_t)
 allow dovecot_auth_t self:process { fork signal_perms };
+allow dovecot_auth_t self:capability { setgid setuid };
 allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -50,6 +68,6 @@ allow dovecot_auth_t etc_t:file { getattr read };
 allow dovecot_auth_t { self proc_t }:file { getattr read };
 read_locale(dovecot_auth_t)
 read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t sysctl_t:dir search;
+allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 dontaudit dovecot_auth_t selinux_config_t:dir search;
 

strict/domains/program/fetchmail.te

@@ -2,6 +2,7 @@
 #
 # Author: Greg Norris <haphazard@kc.rr.com>
 # X-Debian-Packages: fetchmail
+# Depends: mta.te
 #
 # Note: This policy is only required when running fetchmail in daemon mode.
 
@@ -17,7 +18,10 @@ type fetchmail_uidl_cache_t, file_type, sysadmfile;
 allow fetchmail_t self:process setrlimit;
 
 # network-related goodies
-can_network(fetchmail_t)
+can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
+can_network_udp(fetchmail_t, dns_port_t)
+allow fetchmail_t port_type:tcp_socket name_connect;
+
 allow fetchmail_t self:unix_dgram_socket create_socket_perms;
 allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
 

strict/domains/program/fingerd.te

@@ -12,9 +12,7 @@
 #
 daemon_domain(fingerd)
 
-type fingerd_port_t, port_type, reserved_port_type;
 etcdir_domain(fingerd)
-typealias fingerd_etc_t alias etc_fingerd_t;
 
 allow fingerd_t etc_t:lnk_file read;
 allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };

strict/domains/program/ftpd.te

@@ -9,13 +9,11 @@
 #
 # Rules for the ftpd_t domain 
 #
-type ftp_port_t, port_type, reserved_port_type;
-type ftp_data_port_t, port_type, reserved_port_type;
-daemon_domain(ftpd, `, auth_chkpwd')
+daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
 etc_domain(ftpd)
-typealias ftpd_etc_t alias etc_ftpd_t;
 
 can_network(ftpd_t)
+allow ftpd_t port_type:tcp_socket name_connect;
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -41,10 +39,13 @@ can_exec(ftpd_t, logrotate_exec_t)
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
 allow ftpd_t port_t:tcp_socket name_bind;
 
+# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
+type ftpd_lock_t, file_type, sysadmfile, lockfile;
+
 # Allow ftpd to run directly without inetd.
 bool ftpd_is_daemon false;
 if (ftpd_is_daemon) {
-rw_dir_create_file(ftpd_t, var_lock_t)
+file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
 allow ftpd_t ftp_port_t:tcp_socket name_bind;
 can_tcp_connect(userdomain, ftpd_t)
 # Allows it to check exec privs on daemon
@@ -99,6 +100,8 @@ bool ftp_home_dir false;
 if (ftp_home_dir) {
 # allow access to /home
 allow ftpd_t home_root_t:dir { getattr search };
+allow ftpd_t home_dir_type:dir r_dir_perms;
+create_dir_file(ftpd_t, home_type)
 }
 if (use_nfs_home_dirs && ftp_home_dir) {
 	r_dir_file(ftpd_t, nfs_t)
@@ -110,7 +113,6 @@ dontaudit ftpd_t selinux_config_t:dir search;
 #
 # Type for access to anon ftp
 #
-type ftpd_anon_t, file_type, sysadmfile, customizable;
 r_dir_file(ftpd_t,ftpd_anon_t)
 type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
 create_dir_file(ftpd_t,ftpd_anon_rw_t)

strict/domains/program/games.te

@@ -13,5 +13,8 @@ daemon_domain(games,,nosysadm)
 rw_dir_create_file(games_t, games_data_t)
 r_dir_file(initrc_t, games_data_t)
 
+# Run in user_t
+bool disable_games_trans false;
+
 # Everything else is in the x_client_domain macro in
 # macros/program/x_client_macros.te.

strict/domains/program/getty.te

@@ -11,7 +11,6 @@
 init_service_domain(getty, `, privfd')
 
 etcdir_domain(getty)
-typealias getty_etc_t alias etc_getty_t;
 
 allow getty_t console_device_t:chr_file setattr;
 

strict/domains/program/hald.te

@@ -29,7 +29,6 @@ allow hald_t { self proc_t }:file { getattr read };
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t usr_t:file { getattr read };
-
 allow hald_t bin_t:file getattr;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };

strict/domains/program/hotplug.te

@@ -29,7 +29,7 @@ allow hotplug_t sysctl_net_t:file { getattr read };
 
 # get info from /proc
 r_dir_file(hotplug_t, proc_t)
-allow hotplug_t self:file { getattr read };
+allow hotplug_t self:file { getattr read ioctl };
 
 allow hotplug_t devtty_t:chr_file rw_file_perms;
 
@@ -83,7 +83,9 @@ allow hotplug_t self:process { getsession getattr };
 allow hotplug_t self:file getattr;
 
 domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
+ifdef(`mount.te', `
 domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
+')
 domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
 ifdef(`updfstab.te', `
 domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)

strict/domains/program/howl.te

@@ -3,7 +3,7 @@
 # Author:  Russell Coker <rcoker@redhat.com>
 #
 
-daemon_domain(howl)
+daemon_domain(howl, `, privsysmod')
 r_dir_file(howl_t, proc_net_t)
 can_network_server(howl_t)
 can_ypbind(howl_t)
@@ -12,7 +12,6 @@ allow howl_t self:capability { kill net_admin sys_module };
 
 allow howl_t self:fifo_file rw_file_perms;
 
-type howl_port_t, port_type;
 allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
 
 allow howl_t self:unix_dgram_socket create_socket_perms;

strict/domains/program/hwclock.te

@@ -19,9 +19,6 @@ daemon_base_domain(hwclock)
 role sysadm_r types hwclock_t;
 domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
 type adjtime_t, file_type, sysadmfile;
-ifdef(`apmd.te', `
-domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
-')
 
 allow hwclock_t fs_t:filesystem getattr;
 

strict/domains/program/i18n_input.te

@@ -2,17 +2,16 @@
 # Security Policy for IIIMF htt server
 # Date: 2004, 12th April (Monday)
 
-# Types for server port
-type i18n_input_port_t, port_type;
-
 # Establish i18n_input as a daemon
 daemon_domain(i18n_input)
 
 can_exec(i18n_input_t, i18n_input_exec_t)
 can_network(i18n_input_t)
+allow i18n_input_t port_type:tcp_socket name_connect;
 can_ypbind(i18n_input_t)
 
 can_tcp_connect(userdomain, i18n_input_t)
+can_unix_connect(i18n_input_t, initrc_t)
 
 allow i18n_input_t self:fifo_file rw_file_perms;
 allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
@@ -21,9 +20,14 @@ allow i18n_input_t self:capability { kill setgid setuid };
 allow i18n_input_t self:process { setsched setpgid };
 
 allow i18n_input_t { bin_t sbin_t }:dir search;
+can_exec(i18n_input_t, bin_t)
 
 allow i18n_input_t etc_t:file r_file_perms;
 allow i18n_input_t self:unix_dgram_socket create_socket_perms;
 allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
 allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
 allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
+allow i18n_input_t usr_t:file { getattr read };
+allow i18n_input_t home_root_t:dir search;
+allow i18n_input_t etc_runtime_t:file { getattr read };
+allow i18n_input_t proc_t:file { getattr read };

strict/domains/program/ifconfig.te

@@ -21,9 +21,12 @@ uses_shlib(ifconfig_t)
 general_domain_access(ifconfig_t)
 
 domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
+')
 
 # for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 allow ifconfig_t etc_t:file { getattr read };
@@ -33,6 +36,7 @@ allow ifconfig_t self:socket create_socket_perms;
 # Use capabilities.
 allow ifconfig_t self:capability net_admin;
 dontaudit ifconfig_t self:capability sys_module;
+allow ifconfig_t self:capability sys_tty_config;
 
 # Inherit and use descriptors from init.
 allow ifconfig_t { kernel_t init_t }:fd use;
@@ -66,3 +70,4 @@ allow ifconfig_t lib_t:file { getattr read };
 rhgb_domain(ifconfig_t)
 allow ifconfig_t userdomain:fd use;
 dontaudit ifconfig_t root_t:file read;
+r_dir_file(ifconfig_t, sysfs_t)

strict/domains/program/inetd.te

@@ -10,16 +10,11 @@
 # Rules for the inetd_t domain and
 # the inetd_child_t domain.
 #
-type biff_port_t, port_type, reserved_port_type;
-
-#################################
-#
-# Rules for the inetd_t domain.
-#
 
 daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
+allow inetd_t port_type:tcp_socket name_connect;
 allow inetd_t self:unix_dgram_socket create_socket_perms;
 allow inetd_t self:unix_stream_socket create_socket_perms;
 allow inetd_t self:fifo_file rw_file_perms;
@@ -50,6 +45,7 @@ allow inetd_t talk_port_t:tcp_socket name_bind;
 allow inetd_t ntalk_port_t:tcp_socket name_bind;
 ')
 
+allow inetd_t auth_port_t:tcp_socket name_bind;
 # Communicate with the portmapper.
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 

strict/domains/program/init.te

@@ -131,10 +131,8 @@ can_exec(init_t,etc_t)
 
 allow init_t lib_t:file { getattr read };
 
-ifdef(`rhgb.te', `
 allow init_t devtty_t:chr_file { read write };
 allow init_t ramfs_t:dir search;
-')
 r_dir_file(init_t, sysfs_t)
 
 r_dir_file(init_t, selinux_config_t)
@@ -142,6 +140,6 @@ r_dir_file(init_t, selinux_config_t)
 # file descriptors inherited from the rootfs.
 dontaudit init_t root_t:{ file chr_file } { read write }; 
 ifdef(`targeted_policy', `
-typeattribute init_t unrestricted;
+unconfined_domain(init_t)
 ')
 

strict/domains/program/innd.te

@@ -7,7 +7,6 @@
 
 # Types for the server port and news spool.
 #
-type innd_port_t, port_type, reserved_port_type;
 type news_spool_t, file_type, sysadmfile;
 
 
@@ -29,6 +28,7 @@ can_exec(innd_t, hostname_exec_t)
 allow innd_t var_spool_t:dir { getattr search };
 
 can_network(innd_t)
+allow innd_t port_type:tcp_socket name_connect;
 can_ypbind(innd_t)
 
 can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )

strict/domains/program/kudzu.te

@@ -20,7 +20,7 @@ allow kudzu_t memory_device_t:chr_file { read write execute };
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read };
+allow kudzu_t modules_conf_t:file { getattr read unlink };
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
 allow kudzu_t mouse_device_t:chr_file { read write };
@@ -38,7 +38,7 @@ allow kudzu_t usbdevfs_t:dir search;
 allow kudzu_t usbdevfs_t:file { getattr read };
 allow kudzu_t usbfs_t:dir search;
 allow kudzu_t usbfs_t:file { getattr read };
-allow kudzu_t var_t:dir search;
+var_run_domain(kudzu)
 allow kudzu_t kernel_t:system syslog_console;
 allow kudzu_t self:udp_socket { create ioctl };
 allow kudzu_t var_lock_t:dir search;
@@ -94,9 +94,19 @@ dontaudit kudzu_t file_t:dir search;
 ifdef(`lpd.te', `
 allow kudzu_t printconf_t:file { getattr read };
 ')
+ifdef(`cups.te', `
 allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+')
 dontaudit kudzu_t src_t:dir search;
 ifdef(`xserver.te', `
 allow kudzu_t xserver_exec_t:file getattr;
 ')
 
+ifdef(`userhelper.te', `
+role system_r types sysadm_userhelper_t;
+domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+allow kudzu_t initrc_t:unix_stream_socket connectto;
+allow kudzu_t net_conf_t:file { getattr read };
+

strict/domains/program/ldconfig.te

@@ -39,7 +39,7 @@ dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
 allow ldconfig_t { var_t var_lib_t }:dir search;
-allow ldconfig_t proc_t:file read;
+allow ldconfig_t proc_t:file { getattr read };
 ifdef(`hide_broken_symptoms', `
 ifdef(`unconfined.te',`
 dontaudit ldconfig_t unconfined_t:tcp_socket { read write };

strict/domains/program/load_policy.te

@@ -37,8 +37,8 @@ can_setbool(load_policy_t)
 
 # only allow read of policy config files
 allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir r_dir_perms;
-allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
+r_dir_file(load_policy_t, policy_config_t)
+r_dir_file(load_policy_t, selinux_config_t)
 
 # directory search permissions for path to binary policy files
 allow load_policy_t root_t:dir search;
@@ -56,6 +56,4 @@ allow load_policy_t { userdomain privfd initrc_t }:fd use;
 
 allow load_policy_t fs_t:filesystem getattr;
 
-allow load_policy_t sysadm_tmp_t:file { getattr write } ;
 read_locale(load_policy_t)
-r_dir_file(load_policy_t, selinux_config_t)

strict/domains/program/login.te

@@ -37,8 +37,7 @@ allow $1_login_t { var_t var_spool_t }:dir search;
 allow $1_login_t var_t:lnk_file read;
 
 # Read /etc.
-allow $1_login_t etc_t:dir r_dir_perms;
-allow $1_login_t etc_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_login_t, etc_t)
 allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
 
 read_locale($1_login_t)
@@ -109,7 +108,7 @@ allow $1_login_t wtmp_t:file rw_file_perms;
 allow $1_login_t lastlog_t:file rw_file_perms;
 
 # Write to /var/log/btmp
-allow $1_login_t faillog_t:file { append read write };
+allow $1_login_t faillog_t:file { lock append read write };
 
 # Search for mail spool file.
 allow $1_login_t mail_spool_t:dir r_dir_perms;

strict/domains/program/logrotate.te

@@ -128,7 +128,7 @@ read_locale(logrotate_t)
 
 allow logrotate_t fs_t:filesystem getattr;
 can_exec(logrotate_t, shell_exec_t)
-can_exec(logrotate_t, hostname_exec_t)
+ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
 can_exec(logrotate_t,logfile)
 allow logrotate_t net_conf_t:file { getattr read };
 

strict/domains/program/lpd.te

@@ -15,12 +15,11 @@
 # printer_t is the type of the Unix domain socket created
 # by lpd.
 #
-type printer_port_t, port_type, reserved_port_type;
 daemon_domain(lpd)
 
 allow lpd_t lpd_var_run_t:sock_file create_file_perms;
 
-r_dir_file(lpd_t, fonts_t)
+read_fonts(lpd_t)
 
 type printer_t, file_type, sysadmfile, dev_fs;
 
@@ -37,6 +36,7 @@ type checkpc_t, domain, privlog;
 role system_r types checkpc_t;
 uses_shlib(checkpc_t)
 can_network_client(checkpc_t)
+allow checkpc_t port_type:tcp_socket name_connect;
 can_ypbind(checkpc_t)
 log_domain(checkpc)
 type checkpc_exec_t, file_type, sysadmfile, exec_type;

strict/domains/program/mailman.te

@@ -30,6 +30,7 @@ file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
+allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
 can_ypbind(mailman_$1_t)
 allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;

strict/domains/program/modutil.te

@@ -30,7 +30,9 @@ type depmod_exec_t, file_type, exec_type, sysadmfile;
 domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
 allow depmod_t { bin_t sbin_t }:dir search;
 can_exec(depmod_t, depmod_exec_t)
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
+')
 
 # Inherit and use descriptors from init and login programs.
 allow depmod_t { init_t privfd }:fd use;
@@ -94,7 +96,7 @@ allow insmod_t self:lnk_file read;
 allow insmod_t usr_t:file { getattr read };
 
 allow insmod_t privfd:fd use;
-allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write };
+allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
 
 allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
@@ -149,7 +151,7 @@ allow insmod_t proc_t:lnk_file read;
 allow insmod_t mtrr_device_t:file write;
 
 # Read /proc/sys/kernel/hotplug.
-allow insmod_t sysctl_hotplug_t:file read;
+allow insmod_t sysctl_hotplug_t:file { getattr read };
 
 allow insmod_t device_t:dir read;
 allow insmod_t devpts_t:dir { getattr search };
@@ -228,5 +230,3 @@ file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
 
 tmp_domain(update_modules)
 ')dnl end IS_INITRD
-
-

strict/domains/program/mount.te

@@ -37,19 +37,7 @@ allow mount_t file_t:file { getattr read unlink };
 
 # Mount, remount and unmount file systems.
 allow mount_t fs_type:filesystem mount_fs_perms;
-allow mount_t default_t:dir mounton;
-allow mount_t file_t:dir mounton;
-allow mount_t usr_t:dir mounton;
-allow mount_t var_t:dir mounton;
-allow mount_t proc_t:dir mounton;
-allow mount_t root_t:dir mounton;
-allow mount_t home_root_t:dir mounton;
-allow mount_t tmp_t:dir mounton;
-allow mount_t mnt_t:dir mounton;
-allow mount_t devpts_t:dir mounton;
-allow mount_t usbdevfs_t:dir mounton;
-allow mount_t sysfs_t:dir mounton;
-allow mount_t nfs_t:dir mounton;
+allow mount_t mount_point:dir mounton;
 allow mount_t nfs_t:dir search;
 # nfsv4 has a filesystem to mount for its userspace daemons
 allow mount_t var_lib_nfs_t:dir mounton;

strict/domains/program/mozilla.te

@@ -8,11 +8,8 @@
 type mozilla_exec_t, file_type, sysadmfile, exec_type;
 type mozilla_conf_t, file_type, sysadmfile;
 
-# Allow mozilla to read files in the user home directory
-bool mozilla_readhome false;
-
-# Allow mozilla to write files in the user home directory
-bool mozilla_writehome false;
+# Run in user_t
+bool disable_mozilla_trans false;
 
 # Everything else is in the mozilla_domain macro in
 # macros/program/mozilla_macros.te.

strict/domains/program/mrtg.te

@@ -26,12 +26,14 @@ dontaudit mrtg_t usr_t:file ioctl;
 logdir_domain(mrtg)
 etcdir_domain(mrtg)
 typealias mrtg_etc_t alias etc_mrtg_t;
-type var_lib_mrtg_t, file_type, sysadmfile;
+type mrtg_var_lib_t, file_type, sysadmfile;
+typealias mrtg_var_lib_t alias var_lib_mrtg_t;
 type mrtg_lock_t, file_type, sysadmfile, lockfile;
 r_dir_file(mrtg_t, lib_t)
 
 # Use the network.
 can_network_client(mrtg_t)
+allow mrtg_t port_type:tcp_socket name_connect;
 can_ypbind(mrtg_t)
 
 allow mrtg_t self:fifo_file { getattr read write ioctl };
@@ -58,7 +60,7 @@ allow mrtg_t { proc_t proc_net_t }:file { read getattr };
 dontaudit mrtg_t proc_t:file ioctl;
 
 allow mrtg_t { var_lock_t var_lib_t }:dir search;
-rw_dir_create_file(mrtg_t, var_lib_mrtg_t)
+rw_dir_create_file(mrtg_t, mrtg_var_lib_t)
 rw_dir_create_file(mrtg_t, mrtg_lock_t)
 ifdef(`distro_redhat', `
 file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
@@ -79,7 +81,7 @@ read_sysctl(mrtg_t)
 
 # for uptime
 allow mrtg_t var_run_t:dir search;
-allow mrtg_t initrc_var_run_t:file read;
+allow mrtg_t initrc_var_run_t:file { getattr read };
 dontaudit mrtg_t initrc_var_run_t:file { write lock };
 allow mrtg_t etc_runtime_t:file { getattr read };
 
@@ -94,5 +96,5 @@ dontaudit mrtg_t quota_db_t:file getattr;
 dontaudit mrtg_t root_t:lnk_file getattr;
 
 allow mrtg_t self:capability { setgid setuid };
-can_exec(mrtg_t, hostname_exec_t)
+ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)')
 allow mrtg_t var_spool_t:dir search;

strict/domains/program/pppd.te

@@ -32,14 +32,15 @@ allow pppd_t sysfs_t:dir search;
 log_domain(pppd)
 
 # Use the network.
-can_network_server(pppd_t)
+can_network(pppd_t)
 can_ypbind(pppd_t)
 
-# Use capabilities.
-allow pppd_t self:capability { net_admin setuid setgid fsetid };
+allow pppd_t fingerd_port_t:tcp_socket name_connect;
 
-allow pppd_t var_lock_t:dir rw_dir_perms;
-allow pppd_t var_lock_t:file create_file_perms;
+
+# Use capabilities.
+allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+lock_domain(pppd)
 
 # Access secret files
 allow pppd_t pppd_secret_t:file r_file_perms;
@@ -47,15 +48,17 @@ allow pppd_t pppd_secret_t:file r_file_perms;
 ifdef(`postfix.te', `
 allow pppd_t postfix_etc_t:dir search;
 allow pppd_t postfix_etc_t:file r_file_perms;
-allow pppd_t postfix_master_exec_t:file read;
+allow pppd_t postfix_master_exec_t:file { getattr read };
 allow postfix_postqueue_t pppd_t:fd use;
 allow postfix_postqueue_t pppd_t:process sigchld;
 ')
 
 # allow running ip-up and ip-down scripts and running chat.
 can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
+can_exec(pppd_t, pppd_etc_rw_t)
+can_exec(pppd_t, hostname_exec_t)
 allow pppd_t { bin_t sbin_t }:dir search;
-allow pppd_t bin_t:lnk_file read;
+allow pppd_t { sbin_t bin_t }:lnk_file read;
 
 # Access /dev/ppp.
 allow pppd_t ppp_device_t:chr_file rw_file_perms;
@@ -66,6 +69,8 @@ allow pppd_t self:unix_stream_socket create_socket_perms;
 
 allow pppd_t proc_t:dir search;
 allow pppd_t proc_t:{ file lnk_file } r_file_perms;
+allow pppd_t proc_net_t:dir { read search };
+allow pppd_t proc_net_t:file r_file_perms;
 
 allow pppd_t etc_runtime_t:file r_file_perms;
 
@@ -92,8 +97,43 @@ allow unpriv_userdomain pppd_t:process signal;
 # for pppoe
 can_create_pty(pppd)
 allow pppd_t self:file { read getattr };
-allow pppd_t self:capability { fowner net_raw };
+
 allow pppd_t self:packet_socket create_socket_perms;
 
 file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
 tmp_domain(pppd)
+allow pppd_t sysctl_net_t:dir search;
+allow pppd_t sysctl_net_t:file r_file_perms;
+allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
+allow pppd_t initrc_var_run_t:file r_file_perms;
+dontaudit pppd_t initrc_var_run_t:file { lock write };
+
+# pppd needs to load kernel modules for certain modems
+bool pppd_can_insmod false;
+if (pppd_can_insmod) {
+ifdef(`modutil.te', `
+domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
+')
+}
+domain_auto_trans(pppd_t, named_exec_t, named_t)
+
+daemon_domain(pptp)
+can_network_client_tcp(pptp_t)
+allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
+can_exec(pptp_t, hostname_exec_t)
+domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+allow pptp_t devpts_t:chr_file ioctl;
+r_dir_file(pptp_t, pppd_etc_rw_t)
+r_dir_file(pptp_t, pppd_etc_t)
+allow pptp_t devpts_t:dir search;
+allow pppd_t devpts_t:chr_file ioctl;
+allow pppd_t pptp_t:process signal;
+allow pptp_t self:capability net_raw;
+allow pptp_t self:fifo_file { read write };
+allow pptp_t ptmx_t:chr_file rw_file_perms;
+log_domain(pptp)
+allow pptp_t pppd_log_t:file append;

strict/domains/program/prelink.te

@@ -9,15 +9,10 @@
 #
 # prelink_exec_t is the type of the prelink executable.
 #
-daemon_base_domain(prelink, `, admin')
+daemon_base_domain(prelink, `, admin, privowner')
 
-if (allow_execmem) {
-allow prelink_t self:process execmem;
-}
-if (allow_execmod) {
+allow prelink_t self:process { execheap execmem execstack };
 allow prelink_t texrel_shlib_t:file execmod;
-}
-
 allow prelink_t fs_t:filesystem getattr;
 
 ifdef(`crond.te', `
@@ -36,7 +31,7 @@ allow prelink_t etc_prelink_t:file { getattr read };
 allow prelink_t file_type:dir rw_dir_perms;
 allow prelink_t file_type:lnk_file r_file_perms;
 allow prelink_t file_type:file getattr;
-allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `var_lib_xkb_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
+allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
 allow prelink_t ld_so_t:file execute_no_trans;
 
 allow prelink_t self:capability { chown dac_override fowner fsetid };

strict/domains/program/procmail.te

@@ -20,6 +20,7 @@ uses_shlib(procmail_t)
 allow procmail_t device_t:dir search;
 can_network_server(procmail_t)
 can_ypbind(procmail_t)
+can_winbind(procmail_t)
 
 allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
 
@@ -57,6 +58,9 @@ allow procmail_t { self proc_t }:lnk_file read;
 
 # for spamassasin
 allow procmail_t usr_t:file { getattr ioctl read };
+ifdef(`spamassassin.te', `
+can_exec(procmail_t, spamassassin_exec_t)
+')
 
 # Search /var/run.
 allow procmail_t var_run_t:dir { getattr search };

strict/domains/program/radius.te

@@ -10,12 +10,9 @@
 #
 # radiusd_exec_t is the type of the radiusd executable.
 #
-type radius_port_t, port_type;
-type radacct_port_t, port_type;
 daemon_domain(radiusd, `, auth')
 
 etcdir_domain(radiusd)
-typealias radiusd_etc_t alias etc_radiusd_t;
 
 system_crond_entry(radiusd_exec_t, radiusd_t)
 

strict/domains/program/radvd.te

@@ -15,14 +15,15 @@ allow radvd_t etc_t:file { getattr read };
 
 allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
 
-allow radvd_t self:capability net_raw;
+allow radvd_t self:capability { setgid setuid net_raw };
 allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
 allow radvd_t self:unix_stream_socket create_socket_perms;
 
 can_network_server(radvd_t)
+can_ypbind(radvd_t)
 
-allow radvd_t proc_t:dir r_dir_perms;
-allow radvd_t proc_t:file { getattr read };
+allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
+allow radvd_t { proc_t proc_net_t }:file { getattr read };
 allow radvd_t etc_t:lnk_file read;
 
 allow radvd_t sysctl_net_t:file r_file_perms;

strict/domains/program/rhgb.te

@@ -40,13 +40,13 @@ allow rhgb_t self:capability { sys_admin sys_tty_config };
 dontaudit rhgb_t var_run_t:dir search;
 
 can_network_client(rhgb_t)
+allow rhgb_t port_type:tcp_socket name_connect;
 can_ypbind(rhgb_t)
 
-# for fonts
 allow rhgb_t usr_t:{ file lnk_file } { getattr read };
 
 # for running setxkbmap
-r_dir_file(rhgb_t, var_lib_xkb_t)
+r_dir_file(rhgb_t, xkb_var_lib_t)
 
 # for localization
 allow rhgb_t lib_t:file { getattr read };
@@ -67,8 +67,7 @@ can_unix_connect(initrc_t, rhgb_t)
 tmpfs_domain(rhgb)
 allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
 
-allow rhgb_t fonts_t:dir { getattr read search };
-allow rhgb_t fonts_t:file { getattr read };
+read_fonts(rhgb_t)
 
 # for nscd
 dontaudit rhgb_t var_t:dir search;

strict/domains/program/rpcd.te

@@ -11,8 +11,13 @@
 # Rules for the rpcd_t and nfsd_t domain.
 #
 define(`rpc_domain', `
+ifdef(`targeted_policy', `
+daemon_base_domain($1, `, transitionbool')
+', `
 daemon_base_domain($1)
+')
 can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
 can_ypbind($1_t)
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
@@ -88,7 +93,8 @@ type nfsd_ro_t, file_type, sysadmfile, usercanread;
 bool nfs_export_all_rw false;
 
 if(nfs_export_all_rw) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t, noexattrfile)
 create_dir_file(kernel_t,{ file_type -shadow_t })
 }
 
@@ -97,8 +103,8 @@ dontaudit kernel_t shadow_t:file getattr;
 bool nfs_export_all_ro false;
 
 if(nfs_export_all_ro) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ file_type -shadow_t })
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
 }
 
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
@@ -113,7 +119,7 @@ can_udp_send(nfsd_t, kernel_t)
 allow nfsd_t var_run_t:dir search;
 
 allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_t:filesystem getattr;
+allow nfsd_t fs_type:filesystem getattr;
 
 can_udp_send(nfsd_t, portmap_t)
 can_udp_send(portmap_t, nfsd_t)
@@ -131,7 +137,9 @@ allow rpcd_t proc_net_t:dir search;
 
 rpc_domain(gssd)
 can_kerberos(gssd_t)
+ifdef(`kerberos.te', `
 allow gssd_t krb5_keytab_t:file r_file_perms;
+')
 allow gssd_t urandom_device_t:chr_file { getattr read };
 r_dir_file(gssd_t, tmp_t)
 tmp_domain(gssd)
@@ -139,3 +147,7 @@ allow gssd_t self:fifo_file { read write };
 r_dir_file(gssd_t, proc_net_t)
 allow gssd_t rpc_pipefs_t:dir r_dir_perms;
 allow gssd_t rpc_pipefs_t:sock_file { read write };
+allow gssd_t rpc_pipefs_t:file r_file_perms;
+allow gssd_t self:capability setuid;
+allow nfsd_t devtty_t:chr_file rw_file_perms;
+allow rpcd_t devtty_t:chr_file rw_file_perms;

strict/domains/program/rpm.te

@@ -7,8 +7,8 @@
 #
 # rpm_t is the domain for rpm and related utilities in /usr/lib/rpm
 # rpm_exec_t is the type of the rpm executables.
-# var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
-# var_lib_rpm_t is the type for rpm files in /var/lib
+# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
+# rpm_var_lib_t is the type for rpm files in /var/lib
 #
 type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
 role system_r types rpm_t;
@@ -252,4 +252,7 @@ unconfined_domain(rpm_t)
 typeattribute rpm_script_t auth_write;
 unconfined_domain(rpm_script_t)
 ')
+if (allow_execmem) {
+allow rpm_script_t self:process execmem;
+}
 

strict/domains/program/rshd.te

@@ -9,7 +9,6 @@
 #
 # Rules for the rshd_t domain.
 #
-type rsh_port_t, port_type, reserved_port_type;
 daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
 
 ifdef(`tcpd.te', `

strict/domains/program/saslauthd.te

@@ -3,7 +3,7 @@
 # Author: Colin Walters <walters@verbum.org>
 #
 
-daemon_domain(saslauthd, `, auth_chkpwd')
+daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
 
 allow saslauthd_t self:fifo_file { read write };
 allow saslauthd_t self:unix_dgram_socket create_socket_perms;
@@ -15,9 +15,17 @@ allow saslauthd_t etc_t:file r_file_perms;
 allow saslauthd_t net_conf_t:file r_file_perms;
 
 allow saslauthd_t self:file r_file_perms;
-allow saslauthd_t proc_t:file read;
+allow saslauthd_t proc_t:file { getattr read };
 
 allow saslauthd_t urandom_device_t:chr_file { getattr read }; 
 
 # Needs investigation
 dontaudit saslauthd_t home_root_t:dir getattr;
+can_network_client_tcp(saslauthd_t)
+allow saslauthd_t pop_port_t:tcp_socket name_connect;
+
+bool allow_saslauthd_read_shadow false;
+
+if (allow_saslauthd_read_shadow) {
+allow saslauthd_t shadow_t:file r_file_perms;
+}

strict/domains/program/sendmail.te

@@ -26,6 +26,7 @@ allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown
 
 # Use the network.
 can_network(sendmail_t)
+allow sendmail_t port_type:tcp_socket name_connect;
 can_ypbind(sendmail_t)
 
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;

strict/domains/program/setfiles.te

@@ -18,6 +18,9 @@ type setfiles_exec_t, file_type, sysadmfile, exec_type;
 role system_r types setfiles_t;
 role sysadm_r types setfiles_t;
 
+ifdef(`distro_redhat', `
+domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
+')
 allow setfiles_t initrc_devpts_t:chr_file { read write ioctl };
 allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
 
@@ -52,8 +55,8 @@ allow setfiles_t fs_type:dir r_dir_perms;
 
 read_locale(setfiles_t)
 
-allow setfiles_t etc_runtime_t:file read;
-allow setfiles_t etc_t:file read;
+allow setfiles_t etc_runtime_t:file { getattr read };
+allow setfiles_t etc_t:file { getattr read };
 allow setfiles_t proc_t:file { getattr read };
 dontaudit setfiles_t proc_t:lnk_file { getattr read };
 

strict/domains/program/slapd.te

@@ -12,11 +12,9 @@
 #
 daemon_domain(slapd)
 
-type ldap_port_t, port_type, reserved_port_type;
 allow slapd_t ldap_port_t:tcp_socket name_bind;
 
 etc_domain(slapd)
-typealias slapd_etc_t alias etc_slapd_t;
 type slapd_db_t, file_type, sysadmfile;
 type slapd_replog_t, file_type, sysadmfile;
 
@@ -24,6 +22,7 @@ tmp_domain(slapd)
 
 # Use the network.
 can_network(slapd_t)
+allow slapd_t port_type:tcp_socket name_connect;
 can_ypbind(slapd_t)
 allow slapd_t self:fifo_file { read write };
 allow slapd_t self:unix_stream_socket create_socket_perms;
@@ -32,7 +31,7 @@ allow slapd_t self:unix_dgram_socket create_socket_perms;
 can_tcp_connect(domain, slapd_t)
 
 # Use capabilities  should not need kill...
-allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
+allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
 allow slapd_t self:process setsched;
 
 allow slapd_t proc_t:file r_file_perms;
@@ -50,7 +49,7 @@ allow slapd_t etc_t:{ file lnk_file } { getattr read };
 allow slapd_t etc_runtime_t:file { getattr read };
 
 # for startup script
-allow initrc_t slapd_etc_t:file read;
+allow initrc_t slapd_etc_t:file { getattr read };
 
 allow slapd_t etc_t:dir r_dir_perms;
 

strict/domains/program/slocate.te

@@ -2,7 +2,6 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
-# Depends: inetd.te
 
 #################################
 #
@@ -36,11 +35,11 @@ allow locate_t unlabeled_t:dir read;
 
 logdir_domain(locate)
 etcdir_domain(locate)
-typealias locate_etc_t alias etc_locate_t;
 
-type var_lib_locate_t, file_type, sysadmfile;
+type locate_var_lib_t, file_type, sysadmfile;
+typealias locate_var_lib_t alias var_lib_locate_t;
 
-create_dir_file(locate_t, var_lib_locate_t)
+create_dir_file(locate_t, locate_var_lib_t)
 dontaudit locate_t sysadmfile:file getattr;
 
 allow locate_t proc_t:file { getattr read };

strict/domains/program/spamd.te

@@ -9,7 +9,6 @@ daemon_domain(spamd)
 
 tmp_domain(spamd)
 
-type spamd_port_t, port_type, reserved_port_type;
 allow spamd_t spamd_port_t:tcp_socket name_bind;
 
 general_domain_access(spamd_t)

strict/domains/program/squid.te

@@ -28,7 +28,7 @@ allow squid_t usr_t:file { getattr read };
 # type for /var/cache/squid
 type squid_cache_t, file_type, sysadmfile;
 
-allow squid_t self:capability { setgid setuid net_bind_service };
+allow squid_t self:capability { setgid setuid net_bind_service dac_override };
 allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
 allow squid_t etc_t:lnk_file read;
 allow squid_t self:unix_stream_socket create_socket_perms;

strict/domains/program/ssh.te

@@ -19,8 +19,6 @@ bool run_ssh_inetd false;
 type sshd_exec_t, file_type, exec_type, sysadmfile;
 type sshd_key_t, file_type, sysadmfile;
 
-type ssh_port_t, port_type, reserved_port_type;
-
 define(`sshd_program_domain', `
 # privowner is for changing the identity on the terminal device
 # privfd is for passing the terminal file handle to the user process

strict/domains/program/stunnel.te

@@ -3,11 +3,11 @@
 # Author:   petre rodan <kaiowas@gentoo.org>
 #
 ifdef(`distro_gentoo', `
-type stunnel_port_t, port_type;
 
 daemon_domain(stunnel)
 
 can_network(stunnel_t)
+allow stunnel_t port_type:tcp_socket name_connect;
 
 allow stunnel_t self:capability { setgid setuid sys_chroot };
 allow stunnel_t self:fifo_file { read write };

strict/domains/program/sysstat.te

@@ -42,7 +42,6 @@ allow sysstat_t self:fifo_file rw_file_perms;
 
 # Type for files created during execution of sysstatd.
 logdir_domain(sysstat)
-typealias sysstat_log_t alias var_log_sysstat_t;
 allow sysstat_t var_t:dir search;
 
 allow sysstat_t etc_t:dir r_dir_perms;

strict/domains/program/tftpd.te

@@ -13,8 +13,6 @@
 #
 daemon_domain(tftpd)
 
-type tftp_port_t, port_type, reserved_port_type;
-
 # tftpdir_t is the type of files in the /tftpboot directories.
 type tftpdir_t, file_type, sysadmfile;
 r_dir_file(tftpd_t, tftpdir_t)

strict/domains/program/traceroute.te

@@ -19,6 +19,7 @@ role system_r types traceroute_t;
 in_user_role(traceroute_t)
 uses_shlib(traceroute_t)
 can_network_client(traceroute_t)
+allow traceroute_t port_type:tcp_socket name_connect;
 can_ypbind(traceroute_t)
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;

strict/domains/program/udev.te

@@ -19,7 +19,6 @@ allow udev_t self:process execmem;
 }
 
 etc_domain(udev)
-typealias udev_etc_t alias etc_udev_t;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
 can_exec_any(udev_t)
 
@@ -75,7 +74,6 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 allow udev_t initrc_var_run_t:file r_file_perms;
 dontaudit udev_t initrc_var_run_t:file write;
 
-domain_auto_trans(initrc_t, udev_exec_t, udev_t)
 domain_auto_trans(kernel_t, udev_exec_t, udev_t)
 domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
 ifdef(`hide_broken_symptoms', `
@@ -86,7 +84,6 @@ allow udev_t etc_runtime_t:file { getattr read };
 ifdef(`xdm.te', `
 allow udev_t xdm_var_run_t:file { getattr read };
 ')
-dontaudit udev_t staff_home_dir_t:dir search;
 
 ifdef(`hotplug.te', `
 r_dir_file(udev_t, hotplug_etc_t)

strict/domains/program/unused/NetworkManager.te

@@ -0,0 +1,108 @@
+#DESC NetworkManager - 
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon. 
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+ifdef(`named.te', `
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow named_t NetworkManager_t:netlink_route_socket { read write };
+allow NetworkManager_t named_t:process signal;
+allow named_t NetworkManager_t:packet_socket { read write };
+')
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t self:dbus send_msg;
+ifdef(`hald.te', `
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t initrc_t:dbus send_msg;
+allow initrc_t NetworkManager_t:dbus send_msg;
+ifdef(`targeted_policy', `
+allow NetworkManager_t unconfined_t:dbus send_msg;
+allow unconfined_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t userdomain:dbus send_msg;
+allow userdomain NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+r_dir_file(NetworkManager_t, proc_net_t)
+
+allow NetworkManager_t { domain -unrestricted }:dir search;
+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+dontaudit NetworkManager_t unrestricted:dir search;
+dontaudit NetworkManager_t unrestricted:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
+allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+
+domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
+domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
+ifdef(`vpnc.te', `
+domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
+')
+
+ifdef(`dhcpc.te', `
+allow NetworkManager_t dhcp_state_t:dir search;
+allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
+')
+allow NetworkManager_t var_lib_t:dir search;
+dontaudit NetworkManager_t user_tty_type:chr_file { read write };

strict/domains/program/unused/afs.te

@@ -0,0 +1,166 @@
+#
+# Policy for AFS server
+#
+
+type afs_files_t, file_type;
+type afs_config_t, file_type, sysadmfile;
+type afs_logfile_t, file_type, logfile;
+type afs_dbdir_t, file_type;
+
+allow afs_files_t afs_files_t:filesystem associate;
+# df should show sizes
+allow sysadm_t afs_files_t:filesystem getattr;
+
+#
+# Macros for defining AFS server domains
+#
+
+define(`afs_server_domain',`
+type afs_$1server_t, domain $2;
+type afs_$1server_exec_t, file_type, sysadmfile;
+
+role system_r types afs_$1server_t;
+
+allow afs_$1server_t afs_config_t:file r_file_perms;
+allow afs_$1server_t afs_config_t:dir r_dir_perms;
+allow afs_$1server_t afs_logfile_t:file create_file_perms;
+allow afs_$1server_t afs_logfile_t:dir create_dir_perms;
+allow afs_$1server_t afs_$1_port_t:udp_socket name_bind;
+uses_shlib(afs_$1server_t)
+can_network(afs_$1server_t)
+read_locale(afs_$1server_t)
+
+dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms;
+dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms;
+dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms;
+')
+
+define(`afs_under_bos',`
+domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t)
+allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms;
+allow afs_$1server_t net_conf_t:file r_file_perms;
+allow afs_bosserver_t afs_$1server_t:process signal_perms;
+')
+
+define(`afs_server_db',`
+type afs_$1_db_t, file_type;
+
+allow afs_$1server_t afs_$1_db_t:file create_file_perms;
+file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file);
+')
+
+
+#
+# bosserver
+#
+
+afs_server_domain(`bos')
+base_file_read_access(afs_bosserver_t)
+
+domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t)
+
+allow afs_bosserver_t self:process { fork setsched signal_perms };
+allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms };
+allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
+allow afs_bosserver_t afs_config_t:file create_file_perms;
+allow afs_bosserver_t afs_config_t:dir create_dir_perms;
+
+allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms;
+allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
+allow afs_bosserver_t device_t:dir r_dir_perms;
+
+# allow sysadm to use bos
+allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto };
+
+#
+# fileserver, volserver, and salvager
+#
+
+afs_server_domain(`fs',`,privlog')
+afs_under_bos(`fs')
+
+base_file_read_access(afs_fsserver_t)
+file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t)
+
+allow afs_fsserver_t self:process { fork sigchld setsched signal_perms };
+allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:fifo_file { rw_file_perms };
+can_exec(afs_fsserver_t, afs_fsserver_exec_t)
+allow afs_fsserver_t afs_files_t:file create_file_perms;
+allow afs_fsserver_t afs_files_t:dir create_dir_perms;
+allow afs_fsserver_t afs_config_t:file create_file_perms;
+allow afs_fsserver_t afs_config_t:dir create_dir_perms;
+
+allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind;
+allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr;
+
+allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
+allow afs_fsserver_t device_t:dir r_dir_perms;
+allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms;
+allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms;
+
+allow afs_fsserver_t proc_t:dir r_dir_perms;
+allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms;
+allow afs_fsserver_t { self proc_t } : dir r_dir_perms;
+
+# fs communicates with other servers
+allow afs_fsserver_t self:unix_dgram_socket create_socket_perms;
+allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom };
+allow afs_fsserver_t self:udp_socket { sendto recvfrom };
+allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom };
+allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto };
+
+dontaudit afs_fsserver_t self:capability fsetid;
+dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms;
+dontaudit afs_fsserver_t initrc_t:fd use;
+dontaudit afs_fsserver_t mnt_t:dir search;
+
+
+#
+# kaserver
+#
+
+afs_server_domain(`ka')
+afs_under_bos(`ka')
+afs_server_db(`ka')
+
+base_file_read_access(afs_kaserver_t)
+
+allow afs_kaserver_t kerberos_port_t:udp_socket name_bind;
+allow afs_kaserver_t self:capability { net_bind_service };
+allow afs_kaserver_t afs_config_t:file create_file_perms;
+allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
+
+# allow sysadm to use kas
+allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto };
+
+
+#
+# ptserver
+#
+
+afs_server_domain(`pt')
+afs_under_bos(`pt')
+afs_server_db(`pt')
+
+# allow users to use pts
+allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom };
+allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto };
+allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom };
+
+
+#
+# vlserver
+#
+
+afs_server_domain(`vl')
+afs_under_bos(`vl')
+afs_server_db(`vl')
+
+allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto };
+allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom };

strict/domains/program/unused/alsa.te

@@ -0,0 +1,17 @@
+#DESC       ainit - configuration tool for ALSA
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+#
+type alsa_t, domain, privlog, daemon;
+type alsa_exec_t, file_type, sysadmfile, exec_type;
+uses_shlib(alsa_t)
+allow alsa_t self:sem  create_sem_perms;
+allow alsa_t self:shm  create_shm_perms;
+allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
+rw_dir_create_file(alsa_t,alsa_etc_rw_t)
+allow alsa_t self:capability { setgid setuid ipc_owner };
+allow alsa_t devpts_t:chr_file { read write };
+allow alsa_t etc_t:file { getattr read };
+domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)

strict/domains/program/unused/amavis.te

@@ -12,10 +12,13 @@
 type amavisd_etc_t, file_type, sysadmfile;
 type amavisd_lib_t, file_type, sysadmfile;
 
-type amavis_port_t, port_type;
+# Virus and spam found and quarantined.
+type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
+
 daemon_domain(amavisd)
 tmp_domain(amavisd)
 
+allow initrc_t amavisd_etc_t:file { getattr read };
 allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };
 allow initrc_t amavisd_lib_t:file unlink;
 allow initrc_t amavisd_var_run_t:dir setattr;
@@ -26,11 +29,17 @@ allow amavisd_t usr_t:{ file lnk_file } { getattr read };
 dontaudit amavisd_t usr_t:file ioctl;
 
 # networking
-can_network(amavisd_t)
+can_network_server_tcp(amavisd_t, amavisd_recv_port_t)
+allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind;
+allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect;
+# The next line doesn't work right so drop the port specification.
+#can_network_client_tcp(amavisd_t, amavisd_send_port_t)
+can_network_client_tcp(amavisd_t)
+allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;
+can_resolve(amavisd_t);
 can_ypbind(amavisd_t);
 can_tcp_connect(mail_server_sender, amavisd_t);
 can_tcp_connect(amavisd_t, mail_server_domain)
-allow amavisd_t amavis_port_t:tcp_socket name_bind;
 
 ifdef(`scannerdaemon.te', `
 can_tcp_connect(amavisd_t, scannerdaemon_t);
@@ -49,6 +58,25 @@ allow clamd_t amavisd_lib_t:dir r_dir_perms;
 allow clamd_t amavisd_lib_t:file r_file_perms;
 ')
 
+# DCC
+ifdef(`dcc.te', `
+allow dcc_client_t amavisd_lib_t:file r_file_perms;
+')
+
+# Pyzor
+ifdef(`pyzor.te',`
+domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t)
+#allow pyzor_t amavisd_data_t:dir search;
+# Pyzor creates a temp file adjacent to the working file.
+create_dir_file(pyzor_t, amavisd_lib_t);
+')
+
+# SpamAssassin is executed from within amavisd, but needs to read its
+# config
+ifdef(`spamd.te', `
+r_dir_file(amavisd_t, etc_mail_t)
+')
+
 # Can create unix sockets
 allow amavisd_t self:unix_stream_socket create_stream_socket_perms;
 allow amavisd_t self:unix_dgram_socket create_socket_perms;
@@ -64,6 +92,9 @@ log_domain(amavisd)
 # Access amavisd var/lib files.
 create_dir_file(amavisd_t, amavisd_lib_t)
 
+# Access amavisd quarantined files.
+create_dir_file(amavisd_t, amavisd_quarantine_t)
+
 # Run helper programs.
 can_exec_any(amavisd_t,bin_t)
 allow amavisd_t bin_t:dir { getattr search };
@@ -83,3 +114,4 @@ allow amavisd_t etc_runtime_t:file { getattr read };
 dontaudit amavisd_t sysadm_home_dir_t:dir search;
 dontaudit amavisd_t shadow_t:file { getattr read };
 dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
+

strict/domains/program/unused/asterisk.te

@@ -4,8 +4,6 @@
 #
 # X-Debian-Packages: asterisk
 
-type asterisk_port_t, port_type;
-
 daemon_domain(asterisk)
 allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
 allow initrc_t asterisk_var_run_t:fifo_file unlink;

strict/domains/program/unused/authbind.te

@@ -16,7 +16,6 @@ type authbind_exec_t, file_type, sysadmfile, exec_type;
 role system_r types authbind_t;
 
 etcdir_domain(authbind)
-typealias authbind_etc_t alias etc_authbind_t;
 
 can_exec(authbind_t, authbind_etc_t)
 allow authbind_t etc_t:dir r_dir_perms;

strict/domains/program/unused/backup.te

@@ -27,6 +27,7 @@ rw_dir_create_file(system_crond_t, backup_store_t)
 allow backup_t urandom_device_t:chr_file read;
 
 can_network_client(backup_t)
+allow backup_t port_type:tcp_socket name_connect;
 can_ypbind(backup_t)
 uses_shlib(backup_t)
 

strict/domains/program/unused/bonobo.te

@@ -0,0 +1,9 @@
+# DESC - Bonobo Activation Server 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for executable
+type bonobo_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/bonobo_macros.te

strict/domains/program/unused/ciped.te

@@ -5,11 +5,11 @@ daemon_base_domain(ciped)
 # for SSP
 allow ciped_t urandom_device_t:chr_file read;
 
-type cipe_port_t, port_type;
+# cipe uses the afs3-bos port (udp 7007)
+allow ciped_t afs_bos_port_t:udp_socket name_bind;
 
 can_network_udp(ciped_t)
 can_ypbind(ciped_t)
-allow ciped_t cipe_port_t:udp_socket name_bind;
 
 allow ciped_t devpts_t:dir search;
 allow ciped_t devtty_t:chr_file { read write };

strict/domains/program/unused/clamav.te

@@ -15,13 +15,22 @@ type clamav_var_lib_t, file_type, sysadmfile;
 # clamscan_t is the domain of the clamscan virus scanner
 type clamscan_exec_t, file_type, sysadmfile, exec_type;
 
-daemon_base_domain(freshclam)
+##########
+##########
+
+#
+# Freshclam
+#
+
+daemon_base_domain(freshclam, `, web_client_domain')
 read_locale(freshclam_t)
 
 # not sure why it needs this
 read_sysctl(freshclam_t)
 
-can_network_server(freshclam_t)
+can_network_client_tcp(freshclam_t, http_port_t);
+allow freshclam_t http_port_t:tcp_socket name_connect;
+can_resolve(freshclam_t)
 can_ypbind(freshclam_t)
 
 # Access virus signatures
@@ -56,24 +65,59 @@ allow freshclam_t self:fifo_file rw_file_perms;
 logdir_domain(freshclam)
 allow initrc_t freshclam_log_t:file append;
 
+# Pid files for freshclam
+allow initrc_t clamd_var_run_t:file { create setattr };
+
 system_crond_entry(freshclam_exec_t, freshclam_t)
 domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
 
 domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
 role sysadm_r types freshclam_t;
 
+create_dir_file(freshclam_t, clamd_var_run_t)
+
+##########
+##########
+
+#
+# Clamscan
+#
+
 # macros/program/clamav_macros.te.
 user_clamscan_domain(sysadm)
 
+##########
+##########
+
+#
+# Clamd
+#
+
+type clamd_sock_t, file_type, sysadmfile;
+
 # clamd executable
 daemon_domain(clamd)
 
 tmp_domain(clamd)
+
+# The dir containing the clamd log files is labelled freshclam_t
 logdir_domain(clamd)
+allow clamd_t freshclam_log_t:dir search;
 
-file_type_auto_trans(clamd_t, var_run_t, clamd_var_run_t, sock_file)
+allow clamd_t self:capability { kill setgid setuid dac_override };
 
-allow clamd_t self:capability { kill setgid setuid };
+# Give the clamd local communications socket a unique type
+ifdef(`distro_debian', `
+file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file)
+')
+ifdef(`distro_redhat', `
+file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file)
+')
+
+# Clamd can be configured to listen on a TCP port.
+can_network_server_tcp(clamd_t, clamd_port_t)
+allow clamd_t clamd_port_t:tcp_socket name_bind;
+can_resolve(clamd_t);
 
 allow clamd_t var_lib_t:dir search;
 r_dir_file(clamd_t, clamav_var_lib_t)
@@ -86,3 +130,18 @@ allow clamd_t self:fifo_file rw_file_perms;
 
 allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
 dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;
+
+
+##########
+##########
+
+#
+# Interaction with external programs
+#
+
+ifdef(`amavis.te',`
+allow amavisd_t clamd_var_run_t:dir search;
+allow amavisd_t clamd_t:unix_stream_socket connectto;
+allow amavisd_t clamd_sock_t:sock_file write;
+')
+

strict/domains/program/unused/clockspeed.te

@@ -0,0 +1,25 @@
+#DESC clockspeed - Simple network time protocol client
+#
+# Author Petre Rodan <kaiowas@gentoo.org>
+#
+
+daemon_base_domain(clockspeed)
+var_lib_domain(clockspeed)
+can_network(clockspeed_t)
+allow clockspeed_t port_type:tcp_socket name_connect;
+read_locale(clockspeed_t)
+
+allow clockspeed_t self:capability { sys_time net_bind_service };
+allow clockspeed_t self:unix_dgram_socket create_socket_perms;
+allow clockspeed_t self:unix_stream_socket create_socket_perms;
+allow clockspeed_t clockspeed_port_t:udp_socket name_bind;
+allow clockspeed_t domain:packet_socket recvfrom;
+
+allow clockspeed_t var_t:dir search;
+allow clockspeed_t clockspeed_var_lib_t:file create_file_perms;
+allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms;
+
+# sysadm can play with clockspeed
+role sysadm_r types clockspeed_t;
+domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
+

strict/domains/program/unused/courier.te

@@ -9,7 +9,6 @@ type courier_var_run_t, file_type, sysadmfile, pidfile;
 type courier_var_lib_t, file_type, sysadmfile;
 
 type courier_etc_t, file_type, sysadmfile;
-typealias courier_etc_t alias etc_courier_t;
 
 # allow start scripts to read the config
 allow initrc_t courier_etc_t:file r_file_perms;
@@ -93,7 +92,7 @@ allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
 allow courier_tcpd_t sbin_t:dir search;
 allow courier_tcpd_t var_lib_t:dir search;
 # for TLS
-allow courier_tcpd_t urandom_device_t:chr_file read;
+allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
 read_locale(courier_tcpd_t)
 can_exec(courier_tcpd_t, courier_exec_t)
 allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;

strict/domains/program/unused/cvs.te

@@ -0,0 +1,26 @@
+#DESC cvs - Concurrent Versions System
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the cvs_t domain.
+#
+# cvs_exec_t is the type of the cvs executable.
+#
+
+inetd_child_domain(cvs, tcp)
+typeattribute cvs_t privmail;
+typeattribute cvs_t auth_chkpwd;
+
+type cvs_data_t, file_type, sysadmfile;
+create_dir_file(cvs_t, cvs_data_t)
+can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
+allow cvs_t etc_runtime_t:file { getattr read };
+allow system_mail_t cvs_data_t:file { getattr read };
+dontaudit cvs_t devtty_t:chr_file { read write };
+allow cvs_t default_t:dir search;
+allow cvs_t default_t:lnk_file read;
+

strict/domains/program/unused/daemontools.te

@@ -0,0 +1,203 @@
+#DESC Daemontools - Tools for managing UNIX services
+#
+# Author:  Petre Rodan <kaiowas@gentoo.org>
+# with the help of Chris PeBenito, Russell Coker and Tad Glines
+# 
+
+#
+# selinux policy for daemontools
+# http://cr.yp.to/daemontools.html
+#
+# thanks for D. J. Bernstein and the NSA team for the great software
+# they provide
+#
+
+##############################################################
+# type definitions
+
+type svc_conf_t, file_type, sysadmfile;
+type svc_log_t, file_type, sysadmfile;
+type svc_svc_t, file_type, sysadmfile;
+
+
+##############################################################
+# Macros
+define(`svc_filedir_domain', `
+create_dir_file($1, svc_svc_t)
+file_type_auto_trans($1, svc_svc_t, svc_svc_t);
+')
+
+##############################################################
+# the domains
+daemon_base_domain(svc_script)
+svc_filedir_domain(svc_script_t)
+
+# part started by initrc_t
+daemon_base_domain(svc_start)
+domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
+svc_filedir_domain(svc_start_t)
+
+# also get here from svc_script_t
+domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
+
+# the domain for /service/*/run and /service/*/log/run
+daemon_sub_domain(svc_start_t, svc_run)
+r_dir_file(svc_run_t, svc_conf_t)
+
+# the logger
+daemon_sub_domain(svc_run_t, svc_multilog)
+file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
+
+######
+# rules for all those domains
+
+# sysadm can tweak svc_run_exec_t files
+allow sysadm_t svc_run_exec_t:file create_file_perms;
+
+# run_init can control svc_script_t and svc_start_t domains
+domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
+domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
+allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
+svc_filedir_domain(initrc_t)
+
+# svc_start_t
+allow svc_start_t self:fifo_file rw_file_perms;
+allow svc_start_t self:capability kill;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
+allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
+allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
+allow svc_start_t { var_t var_run_t }:dir search;
+can_exec(svc_start_t, bin_t)
+can_exec(svc_start_t, shell_exec_t)
+allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
+allow svc_start_t svc_run_t:process signal;
+dontaudit svc_start_t proc_t:file r_file_perms;
+dontaudit svc_start_t devtty_t:chr_file { read write };
+
+# svc script
+allow svc_script_t self:capability sys_admin;
+allow svc_script_t self:fifo_file { getattr read write };
+allow svc_script_t self:file r_file_perms;
+allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
+allow svc_script_t bin_t:lnk_file r_file_perms;
+can_exec(svc_script_t, bin_t)
+can_exec(svc_script_t, shell_exec_t)
+allow svc_script_t proc_t:file r_file_perms;
+allow svc_script_t shell_exec_t:file rx_file_perms;
+allow svc_script_t devtty_t:chr_file rw_file_perms;
+allow svc_script_t etc_runtime_t:file r_file_perms;
+allow svc_script_t svc_run_exec_t:file r_file_perms;
+allow svc_script_t svc_script_exec_t:file execute_no_trans;
+allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
+allow svc_script_t sysctl_kernel_t:file r_file_perms;
+
+# svc_run_t
+allow svc_run_t self:capability { setgid setuid chown fsetid };
+allow svc_run_t self:fifo_file rw_file_perms;
+allow svc_run_t self:file r_file_perms;
+allow svc_run_t self:process { fork setrlimit };
+allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+allow svc_run_t svc_svc_t:dir r_dir_perms;
+allow svc_run_t svc_svc_t:file r_file_perms;
+allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
+allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
+allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
+allow svc_run_t { var_t var_run_t }:dir search;
+can_exec(svc_run_t, etc_t)
+can_exec(svc_run_t, lib_t)
+can_exec(svc_run_t, bin_t)
+can_exec(svc_run_t, sbin_t)
+can_exec(svc_run_t, ls_exec_t)
+can_exec(svc_run_t, shell_exec_t)
+allow svc_run_t devtty_t:chr_file rw_file_perms;
+allow svc_run_t etc_runtime_t:file r_file_perms;
+allow svc_run_t exec_type:{ file lnk_file } getattr;
+allow svc_run_t init_t:fd use;
+allow svc_run_t initrc_t:fd use;
+allow svc_run_t proc_t:file r_file_perms;
+allow svc_run_t sysctl_t:dir search;
+allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
+allow svc_run_t sysctl_kernel_t:file r_file_perms;
+allow svc_run_t var_lib_t:dir r_dir_perms;
+
+# multilog creates /service/*/log/status
+allow svc_multilog_t svc_svc_t:dir { read search };
+allow svc_multilog_t svc_svc_t:file { append write };
+# writes to /var/log/*/*
+allow svc_multilog_t var_t:dir search;
+allow svc_multilog_t var_log_t:dir create_dir_perms;
+allow svc_multilog_t var_log_t:file create_file_perms;
+# misc
+allow svc_multilog_t init_t:fd use;
+allow svc_start_t svc_multilog_t:process signal;
+svc_ipc_domain(svc_multilog_t)
+
+################################################################
+# scripts that can be started by daemontools
+# keep it sorted please.
+
+ifdef(`apache.te', `
+domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
+svc_ipc_domain(httpd_t)
+dontaudit httpd_t svc_svc_t:dir { search };
+')
+
+ifdef(`clamav.te', `
+domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
+svc_ipc_domain(clamd_t)
+')
+
+ifdef(`clockspeed.te', `
+domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
+svc_ipc_domain(clockspeed_t)
+r_dir_file(svc_run_t, clockspeed_var_lib_t)
+allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
+')
+
+ifdef(`dante.te', `
+domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
+svc_ipc_domain(dante_t)
+')
+
+ifdef(`publicfile.te', `
+svc_ipc_domain(publicfile_t)
+')
+
+ifdef(`qmail.te', `
+allow svc_run_t qmail_start_exec_t:file rx_file_perms;
+domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
+r_dir_file(svc_run_t, qmail_etc_t)
+svc_ipc_domain(qmail_send_t)
+svc_ipc_domain(qmail_start_t)
+svc_ipc_domain(qmail_queue_t)
+svc_ipc_domain(qmail_smtpd_t)
+')
+
+ifdef(`rsyncd.te', `
+domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
+svc_ipc_domain(rsyncd_t)
+')
+
+ifdef(`spamd.te', `
+domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
+svc_ipc_domain(spamd_t)
+')
+
+ifdef(`ssh.te', `
+domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
+svc_ipc_domain(sshd_t)
+')
+
+ifdef(`stunnel.te', `
+domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
+svc_ipc_domain(stunnel_t)
+')
+
+ifdef(`ucspi-tcp.te', `
+domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
+allow svc_run_t utcpserver_t:process { signal };
+svc_ipc_domain(utcpserver_t)
+')
+

strict/domains/program/unused/dante.te

@@ -4,17 +4,20 @@
 #
 
 type dante_conf_t, file_type, sysadmfile;
-type socks_port_t, port_type;
 
 daemon_domain(dante)
 can_network_server(dante_t)
 
 allow dante_t self:fifo_file { read write };
-allow dante_t self:capability { setuid };
+allow dante_t self:capability { setuid setgid };
 allow dante_t self:unix_dgram_socket { connect create write };
 allow dante_t self:unix_stream_socket { connect create read setopt write };
+allow dante_t self:tcp_socket connect;
 
 allow dante_t socks_port_t:tcp_socket name_bind;
 
 allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
 r_dir_file(dante_t, dante_conf_t)
+
+allow dante_t initrc_var_run_t:file { getattr write };
+

strict/domains/program/unused/dcc.te

@@ -0,0 +1,252 @@
+#
+# DCC - Distributed Checksum Clearinghouse
+# Author:  David Hampton <hampton@employees.org>
+#
+#
+# NOTE: DCC has writeable files in /etc/dcc that should probably be in
+# /var/lib/dcc.  For now this policy supports both directories being
+# writable.
+
+# Files common to all dcc programs
+type dcc_client_map_t, file_type, sysadmfile;
+type dcc_var_t, file_type, sysadmfile;
+type dcc_var_run_t, file_type, sysadmfile;
+
+
+##########
+##########
+
+#
+# common to all dcc variants
+#
+define(`dcc_common',`
+# Access files in /var/dcc. The map file can be updated
+r_dir_file($1_t, dcc_var_t)
+allow $1_t dcc_client_map_t:file rw_file_perms;
+
+# Read mtab, nsswitch and locale
+allow $1_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale($1_t)
+
+#Networking
+can_resolve($1_t)
+ifelse($2, `server', `
+can_network_udp($1_t)
+', `
+can_network_udp($1_t, `dcc_port_t')
+')
+allow $1_t self:unix_dgram_socket create_socket_perms;
+
+# Create private temp files
+tmp_domain($1)
+
+# Triggered by a call to gethostid(2) in dcc client libs
+allow $1_t self:unix_stream_socket { connect create };
+
+allow $1_t sysadm_su_t:process { sigchld };
+allow $1_t dcc_script_t:fd use;
+
+dontaudit $1_t kernel_t:fd use;
+dontaudit $1_t root_t:file read;
+')
+
+allow initrc_t dcc_var_run_t:dir rw_dir_perms;
+
+
+##########
+##########
+
+#
+# dccd - Server daemon that can be accessed over the net
+#
+daemon_domain(dccd, `, privlog, nscd_client_domain')
+dcc_common(dccd, server);
+
+# Runs the dbclean program
+allow dccd_t bin_t:dir search;
+domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+
+# The daemon needs to listen on the dcc ports
+allow dccd_t dcc_port_t:udp_socket name_bind;
+
+# Updating dcc_db, flod, ...
+create_dir_file(dccd_t, dcc_var_t);
+
+allow dccd_t self:capability net_admin;
+allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+
+# Reading /proc/meminfo
+allow dccd_t proc_t:file { getattr read };
+
+
+#
+# cdcc - control dcc daemon
+#
+application_domain(cdcc, `, nscd_client_domain')
+role system_r types cdcc_t;
+dcc_common(cdcc)
+
+# suid program
+allow cdcc_t self:capability setuid;
+
+# Running from the command line
+allow cdcc_t sshd_t:fd use;
+allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;
+
+
+
+##########
+##########
+
+#
+# DCC Clients
+#
+
+#
+# dccifd  - Spamassassin and general MTA persistent client
+#
+daemon_domain(dccifd, `, privlog, nscd_client_domain')
+dcc_common(dccifd);
+file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file)
+
+# Allow the domain to communicate with other processes
+allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Updating dcc_db, flod, ...
+create_dir_notdevfile(dccifd_t, dcc_var_t);
+
+# Updating map, ...
+allow dccifd_t dcc_client_map_t:file rw_file_perms;
+
+# dccifd communications socket
+type dccifd_sock_t, file_type, sysadmfile;
+file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)
+
+# Reading /proc/meminfo
+allow dccifd_t proc_t:file { getattr read };
+
+
+#
+# dccm  - sendmail milter client
+#
+daemon_domain(dccm, `, privlog, nscd_client_domain')
+dcc_common(dccm);
+file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file)
+
+# Allow the domain to communicate with other processes
+allow dccm_t self:unix_stream_socket create_stream_socket_perms;
+
+# Updating map, ...
+create_dir_notdevfile(dccm_t, dcc_var_t);
+allow dccm_t dcc_client_map_t:file rw_file_perms;
+
+# dccm communications socket
+type dccm_sock_t, file_type, sysadmfile;
+file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file)
+
+
+#
+# dccproc - dcc procmail interface
+#
+application_domain(dcc_client, `, privlog, nscd_client_domain')
+role system_r types dcc_client_t;
+dcc_common(dcc_client)
+
+# suid program
+allow dcc_client_t self:capability setuid;
+
+# Running from the command line
+allow dcc_client_t sshd_t:fd use;
+allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;
+
+
+##########
+##########
+
+#
+# DCC Utilities
+#
+
+#
+# dbclean - database cleanup tool
+#
+application_domain(dcc_dbclean, `, nscd_client_domain')
+role system_r types dcc_dbclean_t;
+dcc_common(dcc_dbclean)
+
+# Updating various files.
+create_dir_file(dcc_dbclean_t, dcc_var_t);
+
+# wants to look at /proc/meminfo
+allow dcc_dbclean_t proc_t:dir search;
+allow dcc_dbclean_t proc_t:file { getattr read };
+
+# Running from the command line
+allow dcc_dbclean_t sshd_t:fd use;
+allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;
+
+##########
+##########
+
+#
+# DCC Startup scripts
+#
+# These are shell sccripts that start/stop/restart the various dcc
+# programs.
+#
+init_service_domain(dcc_script, `, nscd_client_domain')
+general_domain_access(dcc_script_t)
+general_proc_read_access(dcc_script_t)
+can_exec_any(dcc_script_t)
+dcc_common(dcc_script)
+
+# Allow calling the script from an init script (initrt_t) or from
+# rc.local (staff_t)
+domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t)
+
+# Start up the daemon process.  These scripts run 'su' to change to
+# the dcc user (even though the default dcc user is root).
+allow dcc_script_t self:capability setuid;
+su_restricted_domain(dcc_script, system)
+role system_r types dcc_script_su_t;
+domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
+domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
+domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)
+
+# Stop the daemon process
+allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };
+
+# Access various DCC files
+allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search };
+allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };
+
+allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
+allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
+allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
+allow dcc_script_t devtty_t:chr_file { read write };
+allow dcc_script_su_t sysadm_home_dir_t:dir search;
+allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
+allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };
+
+dontaudit dcc_script_su_t kernel_t:fd use;
+dontaudit dcc_script_su_t root_t:file read;
+dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search };
+
+allow sysadm_t dcc_script_t:fd use;
+
+##########
+##########
+
+#
+# External spam checkers need to run and/or talk to DCC
+#
+define(`access_dcc',`
+domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t);
+allow $1_t dcc_var_t:dir search;
+allow $1_t dccifd_sock_t:sock_file { getattr write };
+allow $1_t dccifd_t:unix_stream_socket connectto;
+allow $1_t dcc_script_t:unix_stream_socket connectto;
+')
+
+ifdef(`amavis.te',`access_dcc(amavisd)')
+ifdef(`spamd.te',`access_dcc(spamd)')