pile o fixes

refpolicy/policy/modules/admin/consoletype.te

@@ -26,6 +26,7 @@ allow consoletype_t self:capability sys_admin;
 allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow consoletype_t self:fd use;
 allow consoletype_t self:fifo_file rw_file_perms;
+allow consoletype_t self:sock_file r_file_perms;
 allow consoletype_t self:unix_dgram_socket create_socket_perms;
 allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
 allow consoletype_t self:unix_dgram_socket sendto;
@@ -88,6 +89,10 @@ optional_policy(`logrotate.te',`
 	logrotate_dontaudit_use_fd(consoletype_t)
 ')
 
+optional_policy(`lpd.te',`
+	lpd_read_config(consoletype_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(consoletype_t)
 ')

refpolicy/policy/modules/admin/dmidecode.te

@@ -29,3 +29,8 @@ files_list_usr(dmidecode_t)
 
 libs_use_ld_so(dmidecode_t)
 libs_use_shared_libs(dmidecode_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_pty(dmidecode_t)
+	term_use_unallocated_tty(dmidecode_t)
+')

refpolicy/policy/modules/admin/firstboot.te

@@ -79,7 +79,7 @@ files_manage_var_dirs(firstboot_t)
 files_manage_var_files(firstboot_t)
 files_manage_var_symlinks(firstboot_t)
 
-init_read_script(firstboot_t)
+init_domtrans_script(firstboot_t)
 init_rw_script_pid(firstboot_t)
 
 libs_use_ld_so(firstboot_t)

refpolicy/policy/modules/kernel/devices.if

@@ -2170,7 +2170,7 @@ interface(`dev_unconfined',`
 	')
 
 	allow $1 device_node:devfile_class_set *;
-	allow $1 mtrr_device_t:file *;
+	allow $1 mtrr_device_t:{ dir file } *;
 
 	allow $1 self:capability sys_rawio;
 	typeattribute $1 memory_raw_write, memory_raw_read;

refpolicy/policy/modules/kernel/terminal.te

@@ -27,6 +27,8 @@ dev_node(console_device_t)
 #
 type devpts_t;
 files_mountpoint(devpts_t)
+fs_associate_tmpfs(devpts_t)
+files_associate_tmp(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
 

refpolicy/policy/modules/services/bluetooth.te

@@ -60,7 +60,7 @@ allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
 allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
 allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
 allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
-type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
+type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
 
 domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
 allow bluetooth_t bluetooth_helper_t:fd use;

refpolicy/policy/modules/services/comsat.te

@@ -29,12 +29,14 @@ allow comsat_t self:fifo_file rw_file_perms;
 allow comsat_t self:{ lnk_file file } { getattr read };
 allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow comsat_t self:tcp_socket connected_stream_socket_perms;
+allow comsat_t self:udp_socket connected_socket_perms;
 
 allow comsat_t comsat_tmp_t:dir create_dir_perms;
 allow comsat_t comsat_tmp_t:file create_file_perms;
 files_create_tmp_files(comsat_t, comsat_tmp_t, { file dir })
 
 allow comsat_t comsat_var_run_t:file create_file_perms;
+allow comsat_t comsat_var_run_t:dir rw_dir_perms;
 files_create_pid(comsat_t,comsat_var_run_t)
 
 kernel_read_kernel_sysctl(comsat_t)

refpolicy/policy/modules/services/cups.te

@@ -105,7 +105,8 @@ logging_create_log(cupsd_t,cupsd_log_t,{ file dir })
 
 allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
 allow cupsd_t cupsd_tmp_t:file create_file_perms;
-files_create_tmp_files(cupsd_t, cupsd_tmp_t, { file dir })
+allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
+files_create_tmp_files(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 
 allow cupsd_t cupsd_var_run_t:file create_file_perms;
 allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
@@ -504,10 +505,12 @@ allow hplip_t devpts_t:chr_file { getattr ioctl };
 #
 
 allow cupsd_config_t self:capability { chown sys_tty_config };
+dontaudit cupsd_config_t self:capability sys_tty_config;
 allow cupsd_config_t self:process signal_perms;
 allow cupsd_config_t self:fifo_file rw_file_perms;
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_config_t self:tcp_socket create_socket_perms;
 
 allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
 allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
@@ -569,6 +572,8 @@ corecmd_exec_shell(cupsd_config_t)
 domain_use_wide_inherit_fd(cupsd_config_t)
 
 files_read_usr_files(cupsd_config_t)
+files_read_etc_files(cupsd_config_t)
+files_read_etc_runtime_files(cupsd_config_t)
 
 init_use_fd(cupsd_config_t)
 init_use_script_pty(cupsd_config_t)
@@ -687,6 +692,7 @@ ifdef(`targeted_policy', `
 allow cupsd_lpd_t self:process signal_perms;
 allow cupsd_lpd_t self:fifo_file rw_file_perms;
 allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
+allow cupsd_lpd_t self:udp_socket create_socket_perms;
 
 # for identd
 # cjp: this should probably only be inetd_child rules?

refpolicy/policy/modules/services/cvs.te

@@ -41,6 +41,7 @@ allow cvs_t cvs_tmp_t:file create_file_perms;
 files_create_tmp_files(cvs_t, cvs_tmp_t, { file dir })
 
 allow cvs_t cvs_var_run_t:file create_file_perms;
+allow cvs_t cvs_var_run_t:dir rw_dir_perms;
 files_create_pid(cvs_t,cvs_var_run_t)
 
 kernel_read_kernel_sysctl(cvs_t)

refpolicy/policy/modules/services/cyrus.te

@@ -30,6 +30,7 @@ allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit ex
 allow cyrus_t self:process setrlimit;
 allow cyrus_t self:fd use;
 allow cyrus_t self:fifo_file rw_file_perms;
+allow cyrus_t self:sock_file r_file_perms;
 allow cyrus_t self:shm create_shm_perms;
 allow cyrus_t self:sem create_sem_perms;
 allow cyrus_t self:msgq create_msgq_perms;
@@ -90,6 +91,7 @@ files_read_etc_files(cyrus_t)
 files_read_etc_runtime_files(cyrus_t)
 
 init_use_fd(cyrus_t)
+init_use_script_pty(cyrus_t)
 
 libs_use_ld_so(cyrus_t)
 libs_use_shared_libs(cyrus_t)

refpolicy/policy/modules/services/dbskk.te

@@ -25,6 +25,7 @@ files_pid_file(dbskkd_var_run_t)
 allow dbskkd_t self:process signal_perms;
 allow dbskkd_t self:fifo_file rw_file_perms;
 allow dbskkd_t self:tcp_socket connected_stream_socket_perms;
+allow dbskkd_t self:udp_socket create_socket_perms;
 
 # for identd
 # cjp: this should probably only be inetd_child rules?

refpolicy/policy/modules/services/dbus.te

@@ -132,6 +132,10 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(system_dbusd_t)
 ')
 
+optional_policy(`sysnetwork.te',`
+	sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
 optional_policy(`udev.te', `
 	udev_read_db(system_dbusd_t)
 ')

refpolicy/policy/modules/services/dhcp.te

@@ -48,6 +48,7 @@ allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
 files_create_tmp_files(dhcpd_t, dhcpd_tmp_t, { file dir })
 
 allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
+allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
 files_create_pid(dhcpd_t,dhcpd_var_run_t)
 
 kernel_read_system_state(dhcpd_t)
@@ -122,6 +123,10 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(dhcpd_t)
 ')
 
+optional_policy(`netutils.te',`
+	netutils_domtrans(dhcpd_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(dhcpd_t)
 ')

refpolicy/policy/modules/services/dictd.te

@@ -8,7 +8,7 @@ policy_module(dictd,1.0)
 
 type dictd_t;
 type dictd_exec_t;
-init_daemon_domain(dictd_t,dictd_exec_t)
+init_system_domain(dictd_t,dictd_exec_t)
 
 type dictd_etc_t;
 files_config_file(dictd_etc_t)
@@ -25,6 +25,8 @@ allow dictd_t self:capability { setuid setgid };
 dontaudit dictd_t self:capability sys_tty_config;
 allow dictd_t self:process { signal_perms setpgid };
 allow dictd_t self:unix_stream_socket create_stream_socket_perms;
+allow dictd_t self:tcp_socket create_stream_socket_perms;
+allow dictd_t self:udp_socket create_socket_perms;
 
 allow dictd_t dictd_etc_t:file r_file_perms;
 files_search_etc(dictd_t)
@@ -74,6 +76,8 @@ logging_send_syslog_msg(dictd_t)
 
 miscfiles_read_localization(dictd_t)
 
+sysnet_read_config(dictd_t)
+
 userdom_dontaudit_use_unpriv_user_fd(dictd_t)
 
 ifdef(`targeted_policy',`
@@ -86,6 +90,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(dictd_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(dictd_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(dictd_t)
 ')

refpolicy/policy/modules/services/kerberos.te

@@ -159,8 +159,9 @@ optional_policy(`rhgb.te',`
 # Use capabilities. Surplus capabilities may be allowed.
 allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
 dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
 allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
+allow krb5kdc_t self:udp_socket create_socket_perms;
 
 allow krb5kdc_t krb5_conf_t:file r_file_perms;
 dontaudit krb5kdc_t krb5_conf_t:file write;
@@ -181,7 +182,8 @@ allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
 allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
 files_create_tmp_files(krb5kdc_t, krb5kdc_tmp_t, { file dir })
 
-allow krb5kdc_t krb5kdc_var_run_t:file { getattr create read write append setattr unlink };
+allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
+allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
 files_create_pid(krb5kdc_t,krb5kdc_var_run_t)
 
 kernel_read_system_state(krb5kdc_t)

refpolicy/policy/modules/services/lpd.te

@@ -79,6 +79,7 @@ dev_append_printer(checkpc_t)
 # This is less desirable, but checkpc demands /bin/bash and /bin/chown:
 corecmd_exec_shell(checkpc_t)
 corecmd_exec_bin(checkpc_t)
+corecmd_search_sbin(checkpc_t)
 
 domain_use_wide_inherit_fd(checkpc_t)
 
@@ -94,6 +95,11 @@ libs_use_shared_libs(checkpc_t)
 
 sysnet_read_config(checkpc_t)
 
+ifdef(`targeted_policy',`
+	term_use_generic_pty(checkpc_t)
+	term_use_unallocated_tty(checkpc_t)
+')
+
 optional_policy(`cron.te',`
 	cron_system_entry(checkpc_t,checkpc_exec_t)
 ')

refpolicy/policy/modules/system/getty.te

@@ -38,10 +38,12 @@ files_pid_file(getty_var_run_t)
 
 # Use capabilities.
 allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
+dontaudit getty_t self:capability sys_tty_config;
 allow getty_t self:process { getpgid getsession signal_perms };
 
 allow getty_t getty_etc_t:dir r_dir_perms;
 allow getty_t getty_etc_t:file r_file_perms;
+allow getty_t getty_etc_t:lnk_file { getattr read };
 files_create_etc_config(getty_t,getty_etc_t,{ file dir })
 
 allow getty_t getty_lock_t:file create_file_perms;
@@ -58,8 +60,12 @@ allow getty_t getty_var_run_t:file create_file_perms;
 allow getty_t getty_var_run_t:dir rw_dir_perms;
 files_create_pid(getty_t,getty_var_run_t)
 
+kernel_list_proc(getty_t)
+kernel_read_proc_symlinks(getty_t)
+
 dev_read_sysfs(getty_t)
 
+fs_search_auto_mountpoints(getty_t)
 # for error condition handling
 fs_getattr_xattr_fs(getty_t)
 
@@ -69,6 +75,7 @@ term_use_unallocated_tty(getty_t)
 term_setattr_all_user_ttys(getty_t)
 term_setattr_unallocated_ttys(getty_t)
 term_setattr_console(getty_t)
+term_dontaudit_use_console(getty_t)
 
 auth_rw_login_records(getty_t)
 
@@ -81,6 +88,7 @@ files_read_etc_files(getty_t)
 
 init_rw_script_pid(getty_t)
 init_use_script_pty(getty_t)
+init_dontaudit_use_script_pty(getty_t)
 
 libs_use_ld_so(getty_t)
 libs_use_shared_libs(getty_t)
@@ -91,6 +99,11 @@ logging_send_syslog_msg(getty_t)
 
 miscfiles_read_localization(getty_t)
 
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(getty_t)
+	term_dontaudit_use_generic_pty(getty_t)
+')
+
 optional_policy(`nscd.te',`
 	nscd_use_socket(getty_t)
 ')
@@ -98,3 +111,7 @@ optional_policy(`nscd.te',`
 optional_policy(`ppp.te',`
 	ppp_domtrans(getty_t)
 ')
+
+optional_policy(`udev.te',`
+	udev_read_db(system_dbusd_t)
+')

refpolicy/policy/modules/system/logging.if

@@ -20,6 +20,27 @@ interface(`logging_log_file',`
 	typeattribute $1 logfile;
 ')
 
+########################################
+## <summary>
+##	Execute auditctl in the auditctl domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`logging_domtrans_auditctl',`
+	gen_require(`
+		type auditctl_t, auditctl_exec_t;
+	')
+
+	domain_auto_trans($1,auditctl_exec_t,auditctl_t)
+
+	allow $1 auditctl_t:fd use;
+	allow auditctl_t $1:fd use;
+	allow auditctl_t $1:fifo_file rw_file_perms;
+	allow auditctl_t $1:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	Execute syslogd in the syslog domain.

refpolicy/policy/modules/system/logging.te

@@ -80,6 +80,11 @@ locallogin_dontaudit_use_fd(auditctl_t)
 
 logging_send_syslog_msg(auditctl_t)
 
+ifdef(`targeted_policy',`
+	term_use_generic_pty(auditctl_t)
+	term_use_unallocated_tty(auditctl_t)
+')
+
 ifdef(`TODO',`
 role secadm_r types auditctl_t;
 role sysadm_r types auditctl_t;
@@ -156,6 +161,12 @@ userdom_dontaudit_search_sysadm_home_dir(auditd_t)
 # cjp: this is questionable
 userdom_use_sysadm_tty(auditd_t)
 
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_pty(auditd_t)
+	term_dontaudit_use_unallocated_tty(auditd_t)
+	unconfined_dontaudit_read_pipe(auditd_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(auditd_t)
 ')

refpolicy/policy/modules/system/miscfiles.if

@@ -37,6 +37,7 @@ interface(`miscfiles_read_fonts',`
 	# cjp: fonts can be in either of the above dirs
 	allow $1 fonts_t:dir r_dir_perms;
 	allow $1 fonts_t:file r_file_perms;
+	allow $1 fonts_t:lnk_file { getattr read };
 ')
 
 ########################################

refpolicy/policy/modules/system/pcmcia.te

@@ -42,6 +42,7 @@ dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
 
 # Create stab file
 allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
+allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms;
 files_create_var_lib(cardmgr_t,cardmgr_var_lib_t)
 
 allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
@@ -69,6 +70,7 @@ term_dontaudit_getattr_all_user_ptys(cardmgr_t)
 
 corecmd_exec_bin(cardmgr_t)
 corecmd_exec_sbin(cardmgr_t)
+corecmd_exec_ls(cardmgr_t)
 
 domain_use_wide_inherit_fd(cardmgr_t)
 domain_exec_all_entry_files(cardmgr_t)

refpolicy/policy/modules/system/selinuxutil.te

@@ -141,6 +141,11 @@ libs_use_shared_libs(checkpolicy_t)
 
 userdom_use_all_user_fd(checkpolicy_t)
 
+ifdef(`targeted_policy',`
+	term_use_generic_pty(checkpolicy_t)
+	term_use_unallocated_tty(checkpolicy_t)
+')
+
 ########################################
 #
 # Load_policy local policy

refpolicy/policy/modules/system/sysnetwork.te

@@ -63,6 +63,7 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
 
 # create pid file
 allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
+allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms;
 files_create_pid(dhcpc_t,dhcpc_var_run_t)
 
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
@@ -196,6 +197,7 @@ optional_policy(`hotplug.te',`
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`netutils.te',`
 	netutils_domtrans_ping(dhcpc_t)
+	netutils_domtrans(dhcpc_t)
 ',`
 	allow dhcpc_t self:capability setuid;
 	allow dhcpc_t self:rawip_socket create_socket_perms;
@@ -214,7 +216,7 @@ optional_policy(`nscd.te',`
 	nscd_read_pid(dhcpc_t)
 ')
 
-optional_policy(`ntpd.te',`
+optional_policy(`ntp.te',`
 	# dhclient sometimes starts ntpd
 	init_exec_script(dhcpc_t)
 	ntp_domtrans(dhcpc_t)
@@ -319,6 +321,8 @@ logging_send_syslog_msg(ifconfig_t)
 
 miscfiles_read_localization(ifconfig_t)
 
+modutils_domtrans_insmod(ifconfig_t)
+
 seutil_use_runinit_fd(ifconfig_t)
 
 userdom_use_all_user_fd(ifconfig_t)
@@ -333,6 +337,11 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
+ifdef(`targeted_policy',`
+	term_use_generic_pty(ifconfig_t)
+	term_use_unallocated_tty(ifconfig_t)
+')
+
 optional_policy(`ppp.te',`
 	ppp_use_fd(ifconfig_t)
 ')

refpolicy/policy/modules/system/unconfined.if

@@ -185,6 +185,22 @@ interface(`unconfined_sigchld',`
 	allow $1 unconfined_t:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`unconfined_dontaudit_read_pipe',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:fifo_file read;
+')
+
 ########################################
 ## <summary>
 ##	Read and write unconfined domain unnamed pipes.

refpolicy/policy/modules/system/unconfined.te

@@ -36,6 +36,14 @@ ifdef(`targeted_policy',`
 	userdom_unconfined(unconfined_t)
 	userdom_priveleged_home_dir_manager(unconfined_t)
 
+	optional_policy(`logging.te',`
+		logging_domtrans_auditctl(unconfined_t)
+	')
+
+	optional_policy(`lpd.te',`
+		lpd_domtrans_checkpc(unconfined_t)
+	')
+
 	optional_policy(`modutils.te',`
 		modutils_domtrans_depmod(unconfined_t)
 		modutils_domtrans_insmod(unconfined_t)