add apm and arpwatch. fix implementation error on fs_getattr_all_files,

splitting it up into correct interfaces.

refpolicy/Changelog

@@ -13,6 +13,8 @@
 - Fix errors uncovered by sediff.
 - Added policies:
 	anaconda
+	apm
+	arpwatch
 	bluetooth
 	dmidecode
 	finger

refpolicy/policy/modules/admin/consoletype.te

@@ -64,6 +64,11 @@ ifdef(`distro_redhat',`
 	fs_use_tmpfs_chr_dev(consoletype_t)
 ')
 
+optional_policy(`apm.te',`
+	apm_use_fd(consoletype_t)
+	apm_write_pipe(consoletype_t)
+')
+
 optional_policy(`authlogin.te', `
 	auth_read_pam_pid(consoletype_t)
 ')

refpolicy/policy/modules/admin/logrotate.te

@@ -13,7 +13,7 @@ domain_system_change_exempt(logrotate_t)
 role system_r types logrotate_t;
 
 type logrotate_exec_t;
-files_type(logrotate_exec_t)
+domain_entry_file(logrotate_t,logrotate_exec_t)
 
 type logrotate_lock_t;
 files_lock_file(logrotate_lock_t)

refpolicy/policy/modules/apps/gpg.if

@@ -53,10 +53,12 @@ template(`gpg_per_userdomain_template',`
 
 	type $1_gpg_helper_t;
 	domain_type($1_gpg_helper_t)
+	domain_entry_file($1_gpg_helper_t,gpg_helper_exec_t)
 	role $3 types $1_gpg_helper_t;
 
 	type $1_gpg_pinentry_t;
 	domain_type($1_gpg_pinentry_t)
+	domain_entry_file($1_gpg_pinentry_t,pinentry_exec_t)
 	role $3 types $1_gpg_pinentry_t;
 
 	########################################

refpolicy/policy/modules/kernel/filesystem.if

@@ -2186,26 +2186,145 @@ interface(`fs_list_all',`
 ')
 
 ########################################
-#
-# fs_getattr_all_files(type)
+## <summary>
+##	Get the attributes of all files with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
 interface(`fs_getattr_all_files',`
 	gen_require(`
 		attribute filesystem_type;
-		class dir { search getattr };
-		class file getattr;
-		class lnk_file getattr;
-		class fifo_file getattr;
-		class sock_file getattr;
 	')
 
 	allow $1 filesystem_type:dir { search getattr };
 	allow $1 filesystem_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all symbolic links with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_getattr_all_symlinks',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir { search getattr };
 	allow $1 filesystem_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named pipes with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_getattr_all_pipes',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir { search getattr };
 	allow $1 filesystem_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all named sockets with
+##	a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_getattr_all_sockets',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:dir { search getattr };
 	allow $1 filesystem_type:sock_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all files with a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_files',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all symbolic links with a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_symlinks',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named pipes with a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_pipes',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named sockets with a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_sockets',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:sock_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to filesystems

refpolicy/policy/modules/services/apm.fc

@@ -0,0 +1,23 @@
+
+#
+# /usr
+#
+/usr/bin/apm		--	gen_context(system_u:object_r:apm_exec_t,s0)
+
+/usr/sbin/acpid		--	gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/apmd		--	gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/powersaved	--	gen_context(system_u:object_r:apmd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/acpid		--	gen_context(system_u:object_r:apmd_log_t,s0)
+
+/var/run/\.?acpid\.socket -s	gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/apmd\.pid	--	gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersaved\.pid --	gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersave_socket -s	gen_context(system_u:object_r:apmd_var_run_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/acpi(/.*)?		gen_context(system_u:object_r:apmd_var_lib_t,s0)
+')

refpolicy/policy/modules/services/apm.if

@@ -0,0 +1,88 @@
+## <summary>Advanced power management daemon</summary>
+
+########################################
+## <summary>
+##	Execute APM in the apm domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apm_domtrans_client',`
+	gen_require(`
+		type apm_t, apm_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,apm_exec_t,apm_t)
+
+	allow $1 apm_t:fd use;
+	allow apm_t $1:fd use;
+	allow apm_t $1:fifo_file rw_file_perms;
+	allow apm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Use file descriptors for apmd.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`apm_use_fd',`
+	gen_require(`
+		type apmd_t;
+	')
+
+	allow $1 apmd_t:fd use; 
+')
+
+########################################
+## <summary>
+##	Write to apmd unnamed pipes.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`apm_write_pipe',`
+	gen_require(`
+		type apmd_t;
+	')
+
+	allow $1 apmd_t:fifo_file write; 
+')
+
+########################################
+## <summary>
+##	Read and write to an apm unix stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apm_rw_stream_socket',`
+	gen_require(`
+		type apmd_t;
+	')
+
+	allow $1 apmd_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Append to apm's log file.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apm_append_log',`
+	gen_require(`
+		type apmd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 apmd_log_t:file append;
+')

refpolicy/policy/modules/services/apm.te

@@ -0,0 +1,218 @@
+
+policy_module(apm,1.0)
+
+########################################
+#
+# Declarations
+#
+type apmd_t;
+type apmd_exec_t;
+init_daemon_domain(apmd_t,apmd_exec_t)
+
+type apm_t;
+domain_type(apm_t)
+role sysadm_r types apm_t;
+role system_r types apm_t;
+
+type apm_exec_t;
+domain_entry_file(apm_t,apm_exec_t)
+
+type apmd_log_t;
+logging_log_file(apmd_log_t)
+
+type apmd_var_run_t;
+files_pid_file(apmd_var_run_t)
+
+ifdef(`distro_redhat',`
+	type apmd_lock_t;
+	files_lock_file(apmd_lock_t)
+')
+
+ifdef(`distro_suse',`
+	type apmd_var_lib_t;
+	files_type(apmd_var_lib_t)
+')
+
+########################################
+#
+# apm client Local policy
+#
+
+allow apm_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(apm_t)
+
+dev_rw_apm_bios(apm_t)
+
+fs_getattr_xattr_fs(apm_t)
+
+term_use_all_terms(apm_t)
+
+domain_use_wide_inherit_fd(apm_t)
+
+libs_use_ld_so(apm_t)
+libs_use_shared_libs(apm_t)
+
+logging_send_syslog_msg(apm_t)
+
+########################################
+#
+# apm daemon Local policy
+#
+
+# mknod: controlling an orderly resume of PCMCIA requires creating device
+# nodes 254,{0,1,2} for some reason.
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
+allow apmd_t self:process { signal_perms getsession };
+allow apmd_t self:fifo_file rw_file_perms;
+allow apmd_t self:unix_dgram_socket create_socket_perms;
+allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow apmd_t apmd_log_t:file create_file_perms;
+logging_create_log(apmd_t,apmd_log_t)
+
+allow apmd_t apmd_var_run_t:dir rw_dir_perms;
+allow apmd_t apmd_var_run_t:file create_file_perms;
+allow apmd_t apmd_var_run_t:sock_file create_file_perms;
+files_create_pid(apmd_t, apmd_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctl(apmd_t)
+kernel_rw_all_sysctl(apmd_t)
+kernel_read_system_state(apmd_t)
+
+dev_read_realtime_clock(apmd_t)
+dev_read_urand(apmd_t)
+dev_rw_apm_bios(apmd_t)
+dev_rw_sysfs(apmd_t)
+dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive?
+dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive?
+
+fs_dontaudit_list_tmpfs(apmd_t)
+fs_getattr_all_fs(apmd_t)
+fs_search_auto_mountpoints(apmd_t)
+fs_dontaudit_getattr_all_files(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_symlinks(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_pipes(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_sockets(apmd_t); # Excessive?
+
+term_dontaudit_use_console(apmd_t)
+
+corecmd_exec_bin(apmd_t)
+corecmd_exec_sbin(apmd_t)
+corecmd_exec_ls(apmd_t)
+
+domain_exec_all_entry_files(apmd_t)
+domain_read_all_domains_state(apmd_t)
+domain_use_wide_inherit_fd(apmd_t)
+domain_dontaudit_getattr_all_sockets(apmd_t)
+domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
+domain_dontaudit_list_all_domains_proc(apmd_t) # Excessive?
+
+files_exec_etc_files(apmd_t)
+files_read_etc_runtime_files(apmd_t)
+files_dontaudit_getattr_all_files(apmd_t) # Excessive?
+files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+init_domtrans_script(apmd_t)
+init_use_fd(apmd_t)
+init_use_script_pty(apmd_t)
+init_rw_script_pid(apmd_t)
+init_write_initctl(apmd_t)
+
+libs_exec_ld_so(apmd_t)
+libs_use_ld_so(apmd_t)
+libs_exec_lib_files(apmd_t)
+libs_use_shared_libs(apmd_t)
+
+logging_send_syslog_msg(apmd_t)
+
+miscfiles_read_localization(apmd_t)
+
+modutils_domtrans_insmod(apmd_t)
+modutils_read_module_conf(apmd_t)
+
+seutil_dontaudit_search_config(apmd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(apmd_t)
+userdom_dontaudit_search_sysadm_home_dir(apmd_t)
+userdom_dontaudit_search_all_users_home(apmd_t) # Excessive?
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(apmd_t)
+	term_dontaudit_use_generic_pty(apmd_t)
+	files_dontaudit_read_root_file(apmd_t)
+')
+
+ifdef(`distro_redhat',`
+	allow apmd_t apmd_lock_t:file create_file_perms;
+	files_create_lock(apmd_t,apmd_lock_t)
+
+	can_exec(apmd_t, apmd_var_run_t)
+
+	# ifconfig_exec_t needs to be run in its own domain for Red Hat
+	optional_policy(`ifconfig.te',`
+		sysnet_domtrans_ifconfig(apmd_t)
+	')
+
+	optional_policy(`iptables.te',`
+		iptables_domtrans(apmd_t)
+	')
+
+	optional_policy(`netutils.te',`
+		netutils_domtrans(apmd_t)
+	')
+
+	',`
+
+	# for ifconfig which is run all the time
+	kernel_dontaudit_search_sysctl_dir(apmd_t)
+')
+
+ifdef(`distro_suse',`
+	allow apmd_t apmd_var_lib_t:file create_file_perms;
+	allow apmd_t apmd_var_lib_t:dir create_dir_perms;
+	files_create_var_lib(apmd_t,apmd_var_lib_t)
+')
+
+optional_policy(`clock.te',`
+	clock_domtrans(apmd_t)
+	clock_rw_adjtime(apmd_t)
+')
+
+optional_policy(`mta.te',`
+	mta_send_mail(apmd_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(apmd_t)
+')
+
+optional_policy(`pcmcia.te',`
+	pcmcia_domtrans_cardmgr(apmd_t)
+	pcmcia_domtrans_cardctl(apmd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(apmd_t)
+')
+
+optional_policy(`udev.te',`
+	udev_read_db(apmd_t)
+	udev_read_state(apmd_t) #necessary?
+')
+
+ifdef(`TODO',`
+allow apmd_t proc_t:file write;
+allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
+optional_policy(`cron.te',`
+	domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
+	allow apmd_t crond_t:fifo_file { getattr read write ioctl };
+')
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(apmd_t)
+')
+')

refpolicy/policy/modules/services/arpwatch.fc

@@ -0,0 +1,11 @@
+
+#
+# /usr
+#
+/usr/sbin/arpwatch	--	gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+#
+# /var
+#
+/var/arpwatch(/.*)?		gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/lib/arpwatch(/.*)?		gen_context(system_u:object_r:arpwatch_data_t,s0)

refpolicy/policy/modules/services/arpwatch.if

@@ -0,0 +1,68 @@
+## <summary>Ethernet activity monitor.</summary>
+
+########################################
+## <summary>
+##	Search arpwatch's data file directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`arpwatch_search_data',`
+	gen_require(`
+		type arpwatch_data_t;
+	')
+
+	allow $1 arpwatch_data_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create arpwatch data files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`arpwatch_manage_data_files',`
+	gen_require(`
+		type arpwatch_data_t;
+	')
+
+	allow $1 arpwatch_data_t:dir rw_dir_perms;
+	allow $1 arpwatch_data_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write arpwatch temporary files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`arpwatch_rw_tmp_files',`
+	gen_require(`
+		type arpwatch_tmp_t;
+	')
+
+	allow $1 arpwatch_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	arpwatch packet sockets.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`arpwatch_dontaudit_rw_packet_socket',`
+	gen_require(`
+		type arpwatch_t;
+		class packet_socket { read write };
+	')
+
+	dontaudit $1 arpwatch_t:packet_socket { read write };
+')

refpolicy/policy/modules/services/arpwatch.te

@@ -0,0 +1,122 @@
+
+policy_module(arpwatch,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type arpwatch_t;
+type arpwatch_exec_t;
+init_daemon_domain(arpwatch_t,arpwatch_exec_t)
+
+type arpwatch_data_t;
+files_type(arpwatch_data_t)
+
+type arpwatch_tmp_t;
+files_tmp_file(arpwatch_tmp_t)
+
+type arpwatch_var_run_t;
+files_pid_file(arpwatch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
+dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:process signal_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
+allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:packet_socket create_socket_perms;
+
+allow arpwatch_t arpwatch_data_t:dir create_dir_perms;
+allow arpwatch_t arpwatch_data_t:file create_file_perms;
+allow arpwatch_t arpwatch_data_t:lnk_file create_lnk_perms;
+
+allow arpwatch_t arpwatch_tmp_t:dir create_dir_perms;
+allow arpwatch_t arpwatch_tmp_t:file create_file_perms;
+files_create_tmp_files(arpwatch_t, arpwatch_tmp_t, { file dir })
+
+allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
+allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
+files_create_pid(arpwatch_t,arpwatch_var_run_t)
+
+kernel_read_kernel_sysctl(arpwatch_t)
+kernel_list_proc(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
+
+corenet_tcp_sendrecv_all_if(arpwatch_t)
+corenet_udp_sendrecv_all_if(arpwatch_t)
+corenet_raw_sendrecv_all_if(arpwatch_t)
+corenet_tcp_sendrecv_all_nodes(arpwatch_t)
+corenet_udp_sendrecv_all_nodes(arpwatch_t)
+corenet_raw_sendrecv_all_nodes(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+corenet_tcp_bind_all_nodes(arpwatch_t)
+corenet_udp_bind_all_nodes(arpwatch_t)
+
+dev_read_sysfs(arpwatch_t)
+
+fs_getattr_all_fs(arpwatch_t)
+fs_search_auto_mountpoints(arpwatch_t)
+
+term_dontaudit_use_console(arpwatch_t)
+
+corecmd_read_sbin_symlink(arpwatch_t)
+
+domain_use_wide_inherit_fd(arpwatch_t)
+
+files_read_etc_files(arpwatch_t)
+files_read_usr_files(arpwatch_t)
+files_search_var_lib(arpwatch_t)
+
+init_use_fd(arpwatch_t)
+init_use_script_pty(arpwatch_t)
+
+libs_use_ld_so(arpwatch_t)
+libs_use_shared_libs(arpwatch_t)
+
+logging_send_syslog_msg(arpwatch_t)
+
+miscfiles_read_localization(arpwatch_t)
+
+sysnet_read_config(arpwatch_t)
+
+userdom_dontaudit_use_unpriv_user_fd(arpwatch_t)
+userdom_dontaudit_search_sysadm_home_dir(arpwatch_t)
+
+mta_send_mail(arpwatch_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(arpwatch_t)
+	term_dontaudit_use_generic_pty(arpwatch_t)
+	files_dontaudit_read_root_file(arpwatch_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(arpwatch_t)
+')
+
+optional_policy(`qmail.te',`
+	corecmd_search_bin(arpwatch_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(arpwatch_t)
+')
+
+optional_policy(`udev.te',`
+	udev_read_db(arpwatch_t)
+')
+
+ifdef(`TODO',`
+# TODO from daemon_domain
+optional_policy(`rhgb.te',`
+	rhgb_domain(arpwatch_t)
+')
+')

refpolicy/policy/modules/services/cron.te

@@ -258,6 +258,9 @@ dev_read_urand(system_crond_t)
 
 fs_getattr_all_fs(system_crond_t)
 fs_getattr_all_files(system_crond_t)
+fs_getattr_all_symlinks(system_crond_t)
+fs_getattr_all_pipes(system_crond_t)
+fs_getattr_all_sockets(system_crond_t)
 
 corecmd_exec_bin(system_crond_t)
 corecmd_exec_sbin(system_crond_t)

refpolicy/policy/modules/services/mta.te

@@ -175,4 +175,16 @@ optional_policy(`qmail.te',`
 	allow system_mail_t qmail_etc_t:dir search;
 	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
 ')
+
+optional_policy(`arpwatch.te',`
+	# why is mail delivered to a directory of type arpwatch_data_t?
+	arpwatch_search_data_dir(mta_delivery_agent)
+	arpwatch_manage_tmp_files(system_mail_t)
+	arpwatch_manage_tmp_files(mta_user_agent)
+	ifdef(`hide_broken_symptoms', `
+		arpwatch_dontaudit_rw_packet_socket(system_mail_t)
+		arpwatch_dontaudit_rw_packet_socket(mta_user_agent)
+	')
+')
+
 ') dnl end TODO

refpolicy/policy/modules/services/ssh.if

@@ -39,11 +39,18 @@ template(`ssh_per_userdomain_template',`
 
 	type $1_ssh_t;
 	domain_type($1_ssh_t)
+	domain_entry_file($1_ssh_t,ssh_exec_t)
 
 	type $1_ssh_agent_t;
 	domain_type($1_ssh_agent_t)
+	domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
 	role $3 types $1_ssh_agent_t;
 
+	type $1_ssh_keysign_t; #, nscd_client_domain;
+	domain_type($1_ssh_keysign_t)
+	domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
+	role $3 types $1_ssh_keysign_t;
+
 	##############################
 	#
 	# $1_ssh_t local policy
@@ -222,9 +229,6 @@ template(`ssh_per_userdomain_template',`
 	files_search_mnt($1_ssh_t)
 	r_dir_file($1_ssh_t, removable_t) 
 
-	type $1_ssh_keysign_t, domain, nscd_client_domain;
-	role $1_r types $1_ssh_keysign_t;
-
 	if (allow_ssh_keysign) {
 	domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
 	allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
@@ -360,6 +364,15 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_t $1_tmp_t:sock_file write;
 	allow $1_ssh_t $2:unix_stream_socket connectto;
 	') dnl endif TODO
+
+	##############################
+	#
+	# $1_ssh_keysign_t local policy
+	#
+
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_ssh_keysign_t)
+	')
 ')
 
 #######################################

refpolicy/policy/modules/system/clock.te

@@ -67,6 +67,11 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(hwclock_t)
 ')
 
+optional_policy(`apm.te',`
+	apm_append_log(hwclock_t)
+	apm_rw_stream_socket(hwclock_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(hwclock_t)
 ')

refpolicy/policy/modules/system/domain.if

@@ -802,6 +802,23 @@ interface(`domain_dontaudit_rw_all_udp_sockets',`
 	dontaudit $1 domain:udp_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get attribues of
+##	all domains IPSEC key management sockets.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_key_sockets',`
+	gen_require(`
+		attribute domain;
+		class key_socket { read write };
+	')
+
+	dontaudit $1 domain:key_socket getattr;
+')
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or write

refpolicy/policy/modules/system/init.te

@@ -362,6 +362,10 @@ ifdef(`distro_debian', `
 ')
 
 ifdef(`distro_gentoo',`
+	optional_policy(`arpwatch.te',`
+		arpwatch_manage_data_files(initrc_t)
+	')
+
 	optional_policy(`dhcp.te',`
 		dhcpd_setattr_state_files(initrc_t)
 	')
@@ -433,6 +437,10 @@ optional_policy(`bluetooth.te',`
 	dev_read_usbfs(initrc_t)
 ')
 
+optional_policy(`apm.te',`
+	dev_rw_apm_bios(initrc_t)
+')
+
 optional_policy(`cpucontrol.te',`
 	cpucontrol_stub()
 	dev_getattr_cpu(initrc_t)

refpolicy/policy/modules/system/mount.te

@@ -119,6 +119,10 @@ optional_policy(`portmap.te', `
 	')
 ')
 
+optional_policy(`apm.te',`
+	apm_use_fd(mount_t)
+')
+
 # for kernel package installation
 optional_policy(`rpm.te', `
 	rpm_rw_pipe(mount_t)

refpolicy/policy/modules/system/pcmcia.te

@@ -148,12 +148,6 @@ ifdef(`TODO',`
 # cjp: why is this created all over the place?
 file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
 
-# this goes to apm
-optional_policy(`pcmcia.te',`
-	pcmcia_domtrans_cardmgr(apmd_t)
-	pcmcia_domtrans_cardctl(apmd_t)
-')
-
 optional_policy(`rhgb.te',`
 	rhgb_domain(cardmgr_t)
 ')

refpolicy/policy/modules/system/udev.if

@@ -24,6 +24,24 @@ interface(`udev_domtrans',`
 	allow udev_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Allow process to read udev process state.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`udev_read_state',`
+	gen_require(`
+		type udev_t;
+	')
+
+	kernel_search_proc($1)
+	allow $1 udev_t:file r_file_perms;
+	allow $1 udev_t:lnk_file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to inherit a

refpolicy/policy/modules/system/userdomain.te

@@ -120,6 +120,11 @@ ifdef(`targeted_policy',`
 		domain_ptrace_all_domains(sysadm_t)
 	')
 
+	optional_policy(`apm.te',`
+		# cjp: why is this not apm_run_client
+		apm_domtrans_client(sysadm_t)
+	')
+
 	optional_policy(`bootloader.te',`
 		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
 	')