updates from dan

refpolicy/policy/modules.conf

@@ -189,7 +189,7 @@ logrotate = off
 #
 # Virtual Private Networking client
 # 
-vpn = base
+vpn = off
 
 # Layer: admin
 # Module: consoletype

refpolicy/policy/modules/admin/rpm.te

@@ -6,12 +6,7 @@ policy_module(rpm,1.0.1)
 # Declarations
 #
 
-ifdef(`targeted_policy',`
+type rpm_t;
-	unconfined_alias_domain(rpm_t)
-',`
-	type rpm_t;
-')
-
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
 domain_obj_id_change_exempt(rpm_t)
@@ -143,6 +138,8 @@ auth_dontaudit_read_shadow(rpm_t)
 
 corecmd_exec_bin(rpm_t)
 corecmd_exec_sbin(rpm_t)
+# transition to rpm script:
+corecmd_shell_domtrans(rpm_t,rpm_script_t)
 
 domain_exec_all_entry_files(rpm_t)
 domain_read_all_domains_state(rpm_t)
@@ -178,11 +175,6 @@ ifdef(`targeted_policy',`
 	# unconfined in the targeted policy
 	allow rpm_t rpm_log_t:file create_file_perms;
 	logging_create_log(rpm_t,rpm_log_t)
-
-	# cjp: if rpm_t and xdm_t are aliases of
-	# unconfined_t, this will break xdm logins
-	# by making users log in to rpm_script_t.
-	corecmd_shell_domtrans(rpm_t,rpm_script_t)
 ')
 
 optional_policy(`cron.te',`

refpolicy/policy/modules/services/pegasus.te

@@ -35,9 +35,9 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
 allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow pegasus_t self:tcp_socket create_stream_socket_perms;
 
-allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+allow pegasus_t pegasus_conf_t:dir r_dir_perms;
-allow pegasus_t pegasus_conf_t:file create_file_perms;
+allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
-allow pegasus_t pegasus_conf_t:lnk_file create_lnk_perms;
+allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
 
 allow pegasus_t pegasus_data_t:dir rw_dir_perms;
 allow pegasus_t pegasus_data_t:file create_file_perms;

refpolicy/policy/modules/system/corecommands.fc

@@ -6,6 +6,7 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ls				--	gen_context(system_u:object_r:ls_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -97,8 +98,8 @@ ifdef(`distro_gentoo',`
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 # these two lines are separate because of a
 # sorting issue with the java module
-/usr/lib/jvm/java(.*)?/jre/bin -d	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java.*/jre/bin -d		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/jvm/java(.*)?/jre/bin/.*	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java.*/jre/bin/.*		gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -120,7 +121,7 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/thunderbird(.*)?/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 
 /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)