diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 0ceec0ae..f5cd8e67 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -3,7 +3,7 @@ - Add apache relay and db connect tunables. - Rename texrel_shlib_t to textrel_shlib_t. - Add swat to samba module. -- Miscellaneous fixes from Dan Walsh. +- Numerous miscellaneous fixes from Dan Walsh. - Added modules: automount ddcprobe @@ -12,6 +12,7 @@ lockdev logwatch (Dan Walsh) openct + prelink (Dan Walsh) readahead roundup screen diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te index ad505e52..b9516818 100644 --- a/refpolicy/policy/modules/admin/amanda.te +++ b/refpolicy/policy/modules/admin/amanda.te @@ -1,5 +1,5 @@ -policy_module(amanda,1.1.0) +policy_module(amanda,1.1.1) ####################################### # @@ -77,6 +77,10 @@ role system_r types amanda_recover_t; type amanda_recover_dir_t; files_type(amanda_recover_dir_t) +optional_policy(`prelink',` + prelink_object_file(amanda_usr_lib_t) +') + ######################################## # # Amanda local policy diff --git a/refpolicy/policy/modules/admin/prelink.fc b/refpolicy/policy/modules/admin/prelink.fc new file mode 100644 index 00000000..ee0cf317 --- /dev/null +++ b/refpolicy/policy/modules/admin/prelink.fc @@ -0,0 +1,6 @@ + +/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) + +/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) + +/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) diff --git a/refpolicy/policy/modules/admin/prelink.if b/refpolicy/policy/modules/admin/prelink.if new file mode 100644 index 00000000..e76434d4 --- /dev/null +++ b/refpolicy/policy/modules/admin/prelink.if 
@@ -0,0 +1,92 @@ +## Prelink ELF shared library mappings. + +######################################## +## +## Execute the prelink program in the prelink domain. +## +## +## Domain allowed access. +## +# +interface(`prelink_domtrans',` + gen_require(` + type prelink_t, prelink_exec_t; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1, prelink_exec_t, prelink_t) + + allow $1 prelink_t:fd use; + allow prelink_t $1:fd use; + allow prelink_t $1:fifo_file rw_file_perms; + allow prelink_t $1:process sigchld; +') + +######################################## +## +## Make the specified file type prelinkable. +## +## +## File type to be prelinked. +## +# +# cjp: added for misc non-entrypoint objects +interface(`prelink_object_file',` + gen_require(` + attribute prelink_object; + ') + + typeattribute $1 prelink_object; +') + +######################################## +## +## Read the prelink cache. +## +## +## Domain allowed access. +## +# +interface(`prelink_read_cache',` + gen_require(` + type prelink_cache_t; + ') + + files_search_etc($1) + allow $1 prelink_cache_t:file { getattr read }; +') + +######################################## +## +## Delete the prelink cache. +## +## +## Domain allowed access. +## +# +interface(`prelink_delete_cache',` + gen_require(` + type prelink_cache_t; + ') + + allow $1 prelink_cache_t:file unlink; +') + +######################################## +## +## Create, read, write, and delete +## prelink log files. +## +## +## Domain allowed access. +## +# +interface(`prelink_manage_log',` + gen_require(` + type prelink_log_t; + ') + + logging_search_logs($1) + allow $1 prelink_log_t:dir rw_dir_perms; + allow $1 prelink_log_t:file create_file_perms; +') diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te new file mode 100644 index 00000000..91c5f86d --- /dev/null +++ b/refpolicy/policy/modules/admin/prelink.te 
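Review bot: `prelink_delete_cache` grants only `prelink_cache_t:file unlink`, but unlinking `/etc/prelink.cache` also needs `search`, `write` and `remove_name` on the `etc_t` directory that holds it, which this interface does not provide — unlike `prelink_read_cache` just above, which at least calls `files_search_etc($1)`. As written the interface only works for callers that already hold `etc_t` directory write access from somewhere else, so either add `files_search_etc($1)` plus whatever etc_t directory-write interface this tree offers, or state in its summary that the caller must separately be allowed to write `etc_t` directories. Separately, `prelink_domtrans` hands the caller a transition into a domain that rewrites and relabels every executable and library on the system (see prelink.te in this commit); its summary should say so, e.g. `## Execute prelink in the prelink domain. prelink_t can modify and relabel all system executables and libraries; grant only to trusted maintenance domains.`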
@@ -0,0 +1,79 @@ + +policy_module(prelink,1.0.0) + +######################################## +# +# Declarations + +attribute prelink_object; + +type prelink_t; +type prelink_exec_t; +init_system_domain(prelink_t,prelink_exec_t) + +type prelink_cache_t; +files_type(prelink_cache_t) + +type prelink_log_t; +logging_log_file(prelink_log_t) + +######################################## +# +# Local policy +# + +allow prelink_t self:capability { chown dac_override fowner fsetid }; +allow prelink_t self:process { execheap execmem execstack }; +allow prelink_t self:fifo_file rw_file_perms; + +allow prelink_t prelink_cache_t:file manage_file_perms; +files_create_etc_config(prelink_t, prelink_cache_t, file) + +allow prelink_t prelink_log_t:dir { setattr rw_dir_perms }; +allow prelink_t prelink_log_t:file { create ra_file_perms }; +allow prelink_t prelink_log_t:lnk_file read; +logging_create_log(prelink_t, prelink_log_t) + +# prelink misc objects that are not system +# libraries or entrypoints +allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom }; + +kernel_read_system_state(prelink_t) +kernel_dontaudit_search_kernel_sysctl(prelink_t) +kernel_dontaudit_search_sysctl(prelink_t) + +corecmd_manage_bin_files(prelink_t) +corecmd_relabel_bin_files(prelink_t) +corecmd_mmap_bin_files(prelink_t) +corecmd_manage_sbin_files(prelink_t) +corecmd_relabel_sbin_files(prelink_t) +corecmd_mmap_sbin_files(prelink_t) + +dev_read_urand(prelink_t) + +domain_manage_all_entry_files(prelink_t) +domain_relabel_all_entry_files(prelink_t) +domain_mmap_all_entry_files(prelink_t) + +files_list_all(prelink_t) +files_getattr_all_files(prelink_t) +files_write_non_security_dir(prelink_t) +files_read_etc_runtime_files(prelink_t) + +fs_getattr_xattr_fs(prelink_t) + +libs_use_ld_so(prelink_t) +libs_manage_ld_so(prelink_t) +libs_relabel_ld_so(prelink_t) +libs_use_shared_libs(prelink_t) +libs_manage_shared_libs(prelink_t) +libs_relabel_shared_libs(prelink_t) +libs_use_lib(prelink_t) 
+libs_manage_lib_files(prelink_t) +libs_relabel_lib_files(prelink_t) + +miscfiles_read_localization(prelink_t) + +optional_policy(`cron',` + cron_system_entry(prelink_t, prelink_exec_t) +') diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if index 00336791..f6f09fec 100644 --- a/refpolicy/policy/modules/kernel/corecommands.if +++ b/refpolicy/policy/modules/kernel/corecommands.if @@ -188,6 +188,57 @@ interface(`corecmd_exec_bin',` ') +######################################## +## +## Create, read, write, and delete bin files. +## +## +## Domain allowed access. +## +# +interface(`corecmd_manage_bin_files',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir rw_dir_perms; + allow $1 bin_t:file manage_file_perms; +') + +######################################## +## +## Relabel to and from the bin type. +## +## +## Domain allowed access. +## +# +interface(`corecmd_relabel_bin_files',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir search_dir_perms; + allow $1 bin_t:file { relabelfrom relabelto }; +') + +######################################## +## +## Mmap a bin file as executable. +## +## +## Domain allowed access. +## +# +interface(`corecmd_mmap_bin_files',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir search_dir_perms; + allow $1 bin_t:file { getattr read execute }; +') + ######################################## ## ## Execute a file in a bin directory 
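Review bot: prelink_t accumulates write and relabel access over every entrypoint (`domain_manage_all_entry_files`, `domain_relabel_all_entry_files`), all bin/sbin files, ld.so and all shared libraries, on top of `dac_override`, `fsetid` and `files_write_non_security_dir`, so in practice the domain can replace or re-type any executable on the system; nothing in the module states that trust level. Add a header comment in the Declarations section, e.g. `# prelink_t rewrites and relabels every executable and library on the system; a domain that can reach it via prelink_domtrans can replace system code`, so that later callers of the domtrans interface are weighed against it. The `fsetid` capability also deserves a why-comment on its line — presumably it is there so setuid/setgid binaries keep their bits when rewritten in place, which should be confirmed against prelink's behaviour. The relabel pairs are unrestricted within the granted types, so e.g. a `bin_t` file can be relabeled to any entry point type; if prelink only ever restores a file's original label this is wider than needed, though the policy language has no way to express "same type only".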
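Review bot: The summary for `corecmd_manage_bin_files` ("Create, read, write, and delete bin files") understates what it hands out: `bin_t:file manage_file_perms` plus `bin_t:dir rw_dir_perms` is write access to system executables, i.e. the ability to plant code that every domain using `corecmd_exec_bin` will run. Recommend a warning in the summary, e.g. `## Create, read, write, and delete bin files. This allows replacing system executables; only trusted maintenance domains should get it.` The same note belongs on `corecmd_relabel_bin_files`, which lets the caller move files into and out of `bin_t`, and `corecmd_mmap_bin_files` grants no `bin_t:lnk_file` access, so a caller walking bin directories will presumably be denied on symlinks — confirm whether that is intended.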
@@ -389,7 +440,60 @@ interface(`corecmd_exec_sbin',` allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:lnk_file r_file_perms; can_exec($1,sbin_t) +') +######################################## +## +## Create, read, write, and delete sbin files. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`corecmd_manage_sbin_files',` + gen_require(` + type sbin_t; + ') + + allow $1 sbin_t:dir rw_dir_perms; + allow $1 sbin_t:file manage_file_perms; +') + +######################################## +## +## Relabel to and from the sbin type. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`corecmd_relabel_sbin_files',` + gen_require(` + type sbin_t; + ') + + allow $1 sbin_t:dir search_dir_perms; + allow $1 sbin_t:file { relabelfrom relabelto }; +') + +######################################## +## +## Mmap a sbin file as executable. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`corecmd_mmap_sbin_files',` + gen_require(` + type sbin_t; + ') + + allow $1 sbin_t:dir search_dir_perms; + allow $1 sbin_t:file { getattr read execute }; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te index ff88d10c..d157fec4 100644 --- a/refpolicy/policy/modules/kernel/corecommands.te +++ b/refpolicy/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.1.0) +policy_module(corecommands,1.1.1) ######################################## # diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if index 58d3c7de..d02815bc 100644 --- a/refpolicy/policy/modules/kernel/domain.if +++ b/refpolicy/policy/modules/kernel/domain.if 
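Review bot: `corecmd_manage_sbin_files` and `corecmd_mmap_sbin_files` grant no `sbin_t:lnk_file` access, whereas the `corecmd_exec_sbin` context right above gives `sbin_t:lnk_file r_file_perms`; a caller walking sbin directories (prelink's use case) will presumably hit symlinks and be denied on them — confirm whether that is intended. If symlinks should be followed, add `allow $1 sbin_t:lnk_file r_file_perms;` to the manage and mmap interfaces (the bin_t counterparts have the same omission). The manage summary should also mention the `sbin_t:dir rw_dir_perms` it grants, since directory write lets the caller add new entries under sbin rather than only modify existing ones.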
@@ -1019,6 +1019,59 @@ interface(`domain_exec_all_entry_files',` can_exec($1,entry_type) ') +######################################## +## +## Create, read, write, and delete all +## entrypoint files. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`domain_manage_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:file manage_file_perms; +') + +######################################## +## +## Relabel to and from all entry point +## file types. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`domain_relabel_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:file { relabelfrom relabelto }; +') + +######################################## +## +## Mmap all entry point files as executable. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`domain_mmap_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:file { getattr read execute }; +') + ######################################## ## ## Unconfined access to domains. diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te index 099269e1..6956584e 100644 --- a/refpolicy/policy/modules/kernel/domain.te +++ b/refpolicy/policy/modules/kernel/domain.te @@ -1,5 +1,5 @@ -policy_module(domain,1.0.0) +policy_module(domain,1.0.1) ######################################## # diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index f22676a1..32b7be43 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.1.1) +policy_module(apache,1.1.2) # # NOTES: 
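Review bot: `domain_relabel_all_entry_files` grants `entry_type:file { relabelfrom relabelto }` over every entrypoint type, which lets the caller relabel any file it can already relabelfrom into the entry point of any domain — the one operation the type-transition model depends on nobody being able to do. The summary ("Relabel to and from all entry point file types") should carry that warning, e.g. `## Relabel to and from all entry point file types. This lets the caller make any file an entry point for any domain; only trusted system maintenance domains (e.g. prelink) should get it.` The same trust note belongs on `domain_manage_all_entry_files`, which permits rewriting every domain's entrypoint binary. As a style point, the three interfaces omit the directory permissions their corecmd counterparts include; that is defensible since entry points have no single directory type, but a one-line comment saying the caller must obtain directory access elsewhere would save the next reader the question.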
@@ -122,6 +122,10 @@ ifdef(`targeted_policy',` typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; ') +optional_policy(`prelink',` + prelink_object_file(httpd_modules_t) +') + ######################################## # # Apache server local policy diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index e89f8c4c..90fcf06a 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.1.3) +policy_module(cron,1.1.4) gen_require(` class passwd rootok; @@ -397,6 +397,12 @@ ifdef(`targeted_policy',` nscd_use_socket(system_crond_t) ') + optional_policy(`prelink',` + prelink_read_cache(system_crond_t) + prelink_manage_log(system_crond_t) + prelink_delete_cache(system_crond_t) + ') + optional_policy(`samba',` samba_read_config(system_crond_t) samba_read_log(system_crond_t) diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te index b71ac92a..62086a6e 100644 --- a/refpolicy/policy/modules/services/xdm.te +++ b/refpolicy/policy/modules/services/xdm.te @@ -319,6 +319,10 @@ allow xdm_xserver_t var_lib_t:dir search; allow xdm_xserver_t xkb_var_lib_t:lnk_file read; can_exec(xdm_xserver_t, xkb_var_lib_t) +optional_policy(`prelink',` + prelink_object_file(xkb_var_lib_t) +') + # Insert video drivers. allow xdm_xserver_t self:capability mknod; allow xdm_xserver_t sysctl_modprobe_t:file { getattr read }; diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index 05f69046..8863b6a8 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if 
@@ -113,6 +113,44 @@ interface(`libs_exec_ld_so',` can_exec($1,ld_so_t) ') +######################################## +## +## Create, read, write, and delete the +## dynamic link/loader. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_manage_ld_so',` + gen_require(` + type lib_t, ld_so_t; + ') + + allow $1 lib_t:dir rw_dir_perms; + allow $1 ld_so_t:file manage_file_perms; +') + +######################################## +## +## Relabel to and from the type used for +## the dynamic link/loader. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_relabel_ld_so',` + gen_require(` + type lib_t, ld_so_t; + ') + + allow $1 lib_t:dir search_dir_perms; + allow $1 ld_so_t:file { relabelfrom relabelto }; +') + ######################################## ## ## Modify the dynamic link/loader's cached listing @@ -212,6 +250,25 @@ interface(`libs_use_lib',` allow $1 lib_t:file rx_file_perms; ') +######################################## +## +## Create, read, write, and delete generic +## files in library directories. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_manage_lib_files',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:dir search_dir_perms; + allow $1 lib_t:file manage_file_perms; +') + ######################################## ## ## Relabel files to the type used in library directories. 
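Review bot: `libs_manage_lib_files` promises "Create, read, write, and delete generic files in library directories" but grants only `lib_t:dir search_dir_perms` alongside `lib_t:file manage_file_perms`; creating or unlinking a `lib_t` file needs `add_name`, `remove_name` and `write` on the `lib_t` directory, which `search_dir_perms` does not include. `libs_manage_ld_so` in the first hunk of this file grants `lib_t:dir rw_dir_perms` for exactly that reason, so prelink happens to work only because it calls both; on its own the interface cannot do what its summary says. Change the dir line to `allow $1 lib_t:dir rw_dir_perms;`, or narrow the summary to read/write of existing files.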
@@ -226,9 +283,47 @@ interface(`libs_relabelto_lib_files',` class file relabelto; ') + allow $1 lib_t:dir search_dir_perms; allow $1 lib_t:file relabelto; ') +######################################## +## +## Relabel to and from the type used +## for generic lib files. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_relabel_lib_files',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:dir search_dir_perms; + allow $1 lib_t:file { relabelfrom relabelto }; +') + +######################################## +## +## Create, read, write, and delete shared libraries. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_manage_shared_libs',` + gen_require(` + type lib_t, shlib_t, textrel_shlib_t; + ') + + allow $1 lib_t:dir rw_dir_perms; + allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms; +') + ######################################## ## ## Load and execute functions from shared libraries. @@ -269,3 +364,21 @@ interface(`libs_legacy_use_shared_libs',` allow $1 { shlib_t textrel_shlib_t }:file execmod; ') +######################################## +## +## Relabel to and from the type used for +## shared libraries. +## +## +## Domain allowed access. +## +# +# cjp: added for prelink +interface(`libs_relabel_shared_libs',` + gen_require(` + type lib_t, shlib_t, textrel_shlib_t; + ') + + allow $1 lib_t:dir search_dir_perms; + allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto }; +') diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 86b3c8c2..e5b30203 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.1.3) +policy_module(libraries,1.1.4) ######################################## # diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index a2f47d10..81fd9bee 100644 
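Review bot: `libs_relabel_shared_libs` allows relabeling between `shlib_t` and `textrel_shlib_t` in both directions, and the `libs_legacy_use_shared_libs` context just above shows `textrel_shlib_t` is the type that receives `execmod`; a caller of this interface can therefore move any shared library into the type where text relocations and writable-then-executable mappings are tolerated, weakening the execmod restriction for every domain that loads that library. That is acceptable for prelink, which has to restore whichever label a library had, but the summary should state what is being conceded, e.g. `## Relabel to and from the shared library types. Note: this includes relabeling into textrel_shlib_t, which exempts a library from execmod checks.` `libs_legacy_use_shared_libs` begins outside the hunk; only its last lines are visible.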
--- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.1.4) +policy_module(unconfined,1.1.5) ######################################## # @@ -129,10 +129,6 @@ ifdef(`targeted_policy',` sendmail_domtrans(unconfined_t) ') - optional_policy(`su',` - su_per_userdomain_template(sysadm,unconfined_t,system_r) - ') - optional_policy(`sysnetwork',` sysnet_domtrans_dhcpc(unconfined_t) ')