fixes

refpolicy/policy/modules/admin/su.if

@@ -53,7 +53,7 @@ template(`su_restricted_domain_template', `
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
 
-	domain_wide_inherit_fd($1_su_t)
+	domain_use_wide_inherit_fd($1_su_t)
 
 	files_read_etc_files($1_su_t)
 
@@ -177,11 +177,11 @@ template(`su_per_userdomain_template',`
 	term_use_all_user_ttys($1_su_t)
 	term_use_all_user_ptys($1_su_t)
 
-	auth_domtrans_user_chk_passwd($1_su_t,$1)
+	auth_domtrans_user_chk_passwd($1,$1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
 
-	domain_wide_inherit_fd($1_su_t)
+	domain_use_wide_inherit_fd($1_su_t)
 
 	files_read_etc_files($1_su_t)
 	files_search_var_lib($1_su_t)
@@ -218,7 +218,7 @@ template(`su_per_userdomain_template',`
 		fs_search_cifs($1_su_t)
 	')
 
-	optional_policy(`crond.te',`
+	optional_policy(`cron.te',`
 		cron_read_pipe($1_su_t)
 	')
 

refpolicy/policy/modules/kernel/devices.if

@@ -45,6 +45,7 @@ interface(`dev_node',`
 
 	fs_associate($1)
 	fs_associate_tmpfs($1)
+	files_associate_tmp($1)
 ')
 
 ########################################

refpolicy/policy/modules/kernel/selinux.if

@@ -68,6 +68,24 @@ interface(`selinux_dontaudit_search_fs',`
 	dontaudit $1 security_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	generic selinuxfs entries
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`selinux_dontaudit_read_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	dontaudit $1 security_t:dir search;
+	dontaudit $1 security_t:file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Allows the caller to get the mode of policy enforcement

refpolicy/policy/modules/kernel/terminal.if

@@ -80,6 +80,8 @@ interface(`term_tty',`
 	typeattribute $2 ttynode, serial_device;
 	type_change $1 tty_device_t:chr_file $2;
 
+	files_associate_tmp($1)
+
 	# Debian login is from shadow utils and does not allow resetting the perms.
 	# have to fix this!
 	ifdef(`distro_debian',`

refpolicy/policy/modules/services/mta.if

@@ -349,8 +349,9 @@ interface(`mta_read_config',`
 	')
 
 	files_search_etc($1)
-	allow spamd_t etc_mail_t:dir list_dir_perms;
+	allow $1 etc_mail_t:dir list_dir_perms;
-	allow spamd_t etc_mail_t:file r_file_perms;
+	allow $1 etc_mail_t:file r_file_perms;
+	allow $1 etc_mail_t:lnk_file { getattr read };
 ')
 
 ########################################

refpolicy/policy/modules/services/postfix.if

@@ -88,6 +88,10 @@ template(`postfix_domain_template',`
 		files_dontaudit_read_root_file(postfix_$1_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket(postfix_$1_t)
+	')
+
 	optional_policy(`udev.te',`
 		udev_read_db(postfix_$1_t)
 	')
@@ -102,6 +106,10 @@ template(`postfix_server_domain_template',`
 	allow postfix_$1_t self:udp_socket create_socket_perms;
 
 	domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+	allow postfix_master_t postfix_$1_t:fd use;
+	allow postfix_$1_t postfix_master_t:fd use;
+	allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms;
+	allow postfix_$1_t postfix_master_t:process sigchld;
 
 	corenet_tcp_sendrecv_all_if(postfix_$1_t)
 	corenet_udp_sendrecv_all_if(postfix_$1_t)
@@ -128,6 +136,10 @@ template(`postfix_user_domain_template',`
 	allow postfix_$1_t self:capability dac_override;
 
 	domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
+	allow user_mail_domain postfix_$1_t:fd use;
+	allow postfix_$1_t user_mail_domain:fd use;
+	allow postfix_$1_t user_mail_domain:fifo_file rw_file_perms;
+	allow postfix_$1_t user_mail_domain:process sigchld;
 
 	# this is replaced by run interfaces
 	role sysadm_r types postfix_$1_t;

refpolicy/policy/modules/services/postfix.te

@@ -109,6 +109,9 @@ allow postfix_master_t postfix_public_t:dir rw_dir_perms;
 allow postfix_master_t postfix_spool_t:dir create_dir_perms;
 allow postfix_master_t postfix_spool_t:file create_file_perms;
 
+allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
+allow postfix_master_t postfix_spool_bounce_t:file getattr;
+
 allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms;
 allow postfix_master_t postfix_spool_flush_t:file create_file_perms;
 allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
@@ -357,6 +360,8 @@ files_dontaudit_search_var(postfix_map_t)
 libs_use_ld_so(postfix_map_t)
 libs_use_shared_libs(postfix_map_t)
 
+logging_send_syslog_msg(postfix_map_t)
+
 miscfiles_read_localization(postfix_map_t)
 
 seutil_read_config(postfix_map_t)
@@ -464,10 +469,16 @@ allow postfix_postqueue_t postfix_public_t:dir search;
 allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
 
 domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+allow postfix_master_t postfix_postqueue_t:fd use;
+allow postfix_postqueue_t postfix_master_t:fd use;
+allow postfix_postqueue_t postfix_master_t:fifo_file rw_file_perms;
+allow postfix_postqueue_t postfix_master_t:process sigchld;
 
-# to write the mailq output, it really should not need read access!
+domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-term_use_all_user_ptys(postfix_showq_t)
+allow postfix_postqueue_t postfix_showq_t:fd use;
-term_use_all_user_ttys(postfix_showq_t)
+allow postfix_showq_t postfix_postqueue_t:fd use;
+allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms;
+allow postfix_showq_t postfix_postqueue_t:process sigchld;
 
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fd(postfix_postqueue_t)
@@ -508,9 +519,12 @@ allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
 allow postfix_showq_t self:capability { setuid setgid };
 allow postfix_showq_t self:tcp_socket create_socket_perms;
 
-domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
 # the following auto_trans is usually in postfix server domain
 domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+allow postfix_master_t postfix_showq_t:fd use;
+allow postfix_showq_t postfix_master_t:fd use;
+allow postfix_showq_t postfix_master_t:fifo_file rw_file_perms;
+allow postfix_showq_t postfix_master_t:process sigchld;
 
 allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
 
@@ -520,6 +534,7 @@ allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
 allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
 
+# to write the mailq output, it really should not need read access!
 term_use_all_user_ptys(postfix_showq_t)
 term_use_all_user_ttys(postfix_showq_t)
 

refpolicy/policy/modules/services/samba.if

@@ -304,3 +304,22 @@ interface(`samba_read_winbind_pid',`
 	files_search_pids($1)
 	allow $1 winbind_var_run_t:file r_file_perms;
 ')
+
+########################################
+## <summary>
+##	Connect to winbind.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_connect_winbind',`
+	gen_require(`
+		type winbind_t, winbind_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 winbind_var_run_t:dir search_dir_perms;
+	allow $1 winbind_var_run_t:file { getattr read write };
+	allow $1 winbind_t:unix_stream_socket connectto;
+')

refpolicy/policy/modules/system/authlogin.if

@@ -103,12 +103,12 @@ template(`authlogin_per_userdomain_template',`
 		nscd_use_socket($1_chkpwd_t)
 	')
 
-	optional_policy(`selinuxutil.te',`
+	optional_policy(`samba.te',`
-		seutil_use_newrole_fd($1_chkpwd_t)
+		samba_connect_winbind($1_chkpwd_t)
 	')
 
-	ifdef(`TODO',`
+	optional_policy(`selinuxutil.te',`
-	can_winbind($1)
+		seutil_use_newrole_fd($1_chkpwd_t)
 	')
 ')
 
@@ -141,13 +141,13 @@ template(`auth_domtrans_user_chk_passwd',`
 			type chkpwd_exec_t;
 		')
 
-		corecmd_search_bin($1)
+		corecmd_search_bin($2)
-		domain_auto_trans($1,chkpwd_exec_t,$2_chkpwd_t)
+		domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
 
-		allow $1 $2_chkpwd_t:fd use;
+		allow $2 $1_chkpwd_t:fd use;
-		allow $2_chkpwd_t $1:fd use;
+		allow $1_chkpwd_t $2:fd use;
-		allow $2_chkpwd_t $1:fifo_file rw_file_perms;
+		allow $1_chkpwd_t $2:fifo_file rw_file_perms;
-		allow $2_chkpwd_t $1:process sigchld;
+		allow $1_chkpwd_t $2:process sigchld;
 	')
 ')
 
@@ -241,9 +241,8 @@ interface(`auth_domtrans_chk_passwd',`
 		nis_use_ypbind($1)
 	')
 
-	ifdef(`TODO',`
+	optional_policy(`samba.te',`
-	can_winbind($1)
+		samba_connect_winbind($1)
-	dontaudit $1 shadow_t:file { getattr read };
 	')
 ')
 
@@ -919,8 +918,8 @@ interface(`auth_use_nsswitch',`
 		nis_use_ypbind($1)
 	')
 
-	ifdef(`TODO',`
+	optional_policy(`samba.te',`
-	can_winbind($1)
+		samba_connect_winbind($1)
 	')
 ')
 

refpolicy/policy/modules/system/domain.if

@@ -93,7 +93,7 @@ interface(`domain_type',`
 	')
 
 	optional_policy(`selinux.te',`
-		selinux_dontaudit_search_fs($1)
+		selinux_dontaudit_read_fs($1)
 	')
 
 	optional_policy(`selinuxutil.te',`

refpolicy/policy/modules/system/selinuxutil.if

@@ -499,13 +499,12 @@ interface(`seutil_dontaudit_read_config',`
 interface(`seutil_read_config',`
 	gen_require(`
 		type selinux_config_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')
 
 	files_search_etc($1)
 	allow $1 selinux_config_t:dir r_dir_perms;
 	allow $1 selinux_config_t:file r_file_perms;
+	allow $1 selinux_config_t:lnk_file { getattr read };
 ')
 
 ########################################
@@ -534,14 +533,13 @@ interface(`seutil_search_default_contexts',`
 interface(`seutil_read_default_contexts',`
 	gen_require(`
 		type selinux_config_t, default_context_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')
 
 	files_search_etc($1)
 	allow $1 selinux_config_t:dir search;
 	allow $1 default_context_t:dir r_dir_perms;
 	allow $1 default_context_t:file r_file_perms;
+	allow $1 default_context_t:lnk_file { getattr read };
 ')
 
 ########################################