diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 7125eb10..7eac43fd 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -13,6 +13,8 @@
- Fix errors uncovered by sediff.
- Added policies:
anaconda
+ apm
+ arpwatch
bluetooth
dmidecode
finger
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 8668d804..c53035a7 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -64,6 +64,11 @@ ifdef(`distro_redhat',`
fs_use_tmpfs_chr_dev(consoletype_t)
')
+optional_policy(`apm.te',`
+ apm_use_fd(consoletype_t)
+ apm_write_pipe(consoletype_t)
+')
+
optional_policy(`authlogin.te', `
auth_read_pam_pid(consoletype_t)
')
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 9594d28a..6a28a61a 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -13,7 +13,7 @@ domain_system_change_exempt(logrotate_t)
role system_r types logrotate_t;
type logrotate_exec_t;
-files_type(logrotate_exec_t)
+domain_entry_file(logrotate_t,logrotate_exec_t)
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 8659a3d4..e735de3c 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -53,10 +53,12 @@ template(`gpg_per_userdomain_template',`
type $1_gpg_helper_t;
domain_type($1_gpg_helper_t)
+ domain_entry_file($1_gpg_helper_t,gpg_helper_exec_t)
role $3 types $1_gpg_helper_t;
type $1_gpg_pinentry_t;
domain_type($1_gpg_pinentry_t)
+ domain_entry_file($1_gpg_pinentry_t,pinentry_exec_t)
role $3 types $1_gpg_pinentry_t;
########################################
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 79b253cf..e69e2b87 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2186,26 +2186,145 @@ interface(`fs_list_all',`
')
########################################
-#
-# fs_getattr_all_files(type)
+##
+## Get the attributes of all files with
+## a filesystem type.
+##
+##
+## Domain allowed access.
+##
#
interface(`fs_getattr_all_files',`
gen_require(`
attribute filesystem_type;
- class dir { search getattr };
- class file getattr;
- class lnk_file getattr;
- class fifo_file getattr;
- class sock_file getattr;
')
allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:file getattr;
+')
+
+########################################
+##
+## Get the attributes of all symbolic links with
+## a filesystem type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_getattr_all_symlinks',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:lnk_file getattr;
+')
+
+########################################
+##
+## Get the attributes of all named pipes with
+## a filesystem type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_getattr_all_pipes',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:fifo_file getattr;
+')
+
+########################################
+##
+## Get the attributes of all named sockets with
+## a filesystem type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_getattr_all_sockets',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:dir { search getattr };
allow $1 filesystem_type:sock_file getattr;
')
+########################################
+##
+## Do not audit attempts to get the attributes
+## of all files with a filesystem type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_dontaudit_getattr_all_files',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:file getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of all symbolic links with a filesystem type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_dontaudit_getattr_all_symlinks',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:lnk_file getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of all named pipes with a filesystem type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_dontaudit_getattr_all_pipes',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:fifo_file getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of all named sockets with a filesystem type.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_dontaudit_getattr_all_sockets',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:sock_file getattr;
+')
+
########################################
##
## Unconfined access to filesystems
diff --git a/refpolicy/policy/modules/services/apm.fc b/refpolicy/policy/modules/services/apm.fc
new file mode 100644
index 00000000..cbe282e2
--- /dev/null
+++ b/refpolicy/policy/modules/services/apm.fc
@@ -0,0 +1,23 @@
+
+#
+# /usr
+#
+/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/acpid -- gen_context(system_u:object_r:apmd_log_t,s0)
+
+/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/apm.if b/refpolicy/policy/modules/services/apm.if
new file mode 100644
index 00000000..ed346a9b
--- /dev/null
+++ b/refpolicy/policy/modules/services/apm.if
@@ -0,0 +1,88 @@
+## Advanced power management daemon
+
+########################################
+##
+## Execute APM in the apm domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apm_domtrans_client',`
+ gen_require(`
+ type apm_t, apm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1,apm_exec_t,apm_t)
+
+ allow $1 apm_t:fd use;
+ allow apm_t $1:fd use;
+ allow apm_t $1:fifo_file rw_file_perms;
+ allow apm_t $1:process sigchld;
+')
+
+########################################
+##
+## Use file descriptors for apmd.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`apm_use_fd',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:fd use;
+')
+
+########################################
+##
+## Write to apmd unnamed pipes.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`apm_write_pipe',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:fifo_file write;
+')
+
+########################################
+##
+## Read and write to an apm unix stream socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apm_rw_stream_socket',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ allow $1 apmd_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Append to apm's log file.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apm_append_log',`
+ gen_require(`
+ type apmd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 apmd_log_t:file append;
+')
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
new file mode 100644
index 00000000..b9f32626
--- /dev/null
+++ b/refpolicy/policy/modules/services/apm.te
@@ -0,0 +1,218 @@
+
+policy_module(apm,1.0)
+
+########################################
+#
+# Declarations
+#
+type apmd_t;
+type apmd_exec_t;
+init_daemon_domain(apmd_t,apmd_exec_t)
+
+type apm_t;
+domain_type(apm_t)
+role sysadm_r types apm_t;
+role system_r types apm_t;
+
+type apm_exec_t;
+domain_entry_file(apm_t,apm_exec_t)
+
+type apmd_log_t;
+logging_log_file(apmd_log_t)
+
+type apmd_var_run_t;
+files_pid_file(apmd_var_run_t)
+
+ifdef(`distro_redhat',`
+ type apmd_lock_t;
+ files_lock_file(apmd_lock_t)
+')
+
+ifdef(`distro_suse',`
+ type apmd_var_lib_t;
+ files_type(apmd_var_lib_t)
+')
+
+########################################
+#
+# apm client Local policy
+#
+
+allow apm_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(apm_t)
+
+dev_rw_apm_bios(apm_t)
+
+fs_getattr_xattr_fs(apm_t)
+
+term_use_all_terms(apm_t)
+
+domain_use_wide_inherit_fd(apm_t)
+
+libs_use_ld_so(apm_t)
+libs_use_shared_libs(apm_t)
+
+logging_send_syslog_msg(apm_t)
+
+########################################
+#
+# apm daemon Local policy
+#
+
+# mknod: controlling an orderly resume of PCMCIA requires creating device
+# nodes 254,{0,1,2} for some reason.
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
+allow apmd_t self:process { signal_perms getsession };
+allow apmd_t self:fifo_file rw_file_perms;
+allow apmd_t self:unix_dgram_socket create_socket_perms;
+allow apmd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow apmd_t apmd_log_t:file create_file_perms;
+logging_create_log(apmd_t,apmd_log_t)
+
+allow apmd_t apmd_var_run_t:dir rw_dir_perms;
+allow apmd_t apmd_var_run_t:file create_file_perms;
+allow apmd_t apmd_var_run_t:sock_file create_file_perms;
+files_create_pid(apmd_t, apmd_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctl(apmd_t)
+kernel_rw_all_sysctl(apmd_t)
+kernel_read_system_state(apmd_t)
+
+dev_read_realtime_clock(apmd_t)
+dev_read_urand(apmd_t)
+dev_rw_apm_bios(apmd_t)
+dev_rw_sysfs(apmd_t)
+dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive?
+dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive?
+
+fs_dontaudit_list_tmpfs(apmd_t)
+fs_getattr_all_fs(apmd_t)
+fs_search_auto_mountpoints(apmd_t)
+fs_dontaudit_getattr_all_files(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_symlinks(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_pipes(apmd_t); # Excessive?
+fs_dontaudit_getattr_all_sockets(apmd_t); # Excessive?
+
+term_dontaudit_use_console(apmd_t)
+
+corecmd_exec_bin(apmd_t)
+corecmd_exec_sbin(apmd_t)
+corecmd_exec_ls(apmd_t)
+
+domain_exec_all_entry_files(apmd_t)
+domain_read_all_domains_state(apmd_t)
+domain_use_wide_inherit_fd(apmd_t)
+domain_dontaudit_getattr_all_sockets(apmd_t)
+domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
+domain_dontaudit_list_all_domains_proc(apmd_t) # Excessive?
+
+files_exec_etc_files(apmd_t)
+files_read_etc_runtime_files(apmd_t)
+files_dontaudit_getattr_all_files(apmd_t) # Excessive?
+files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+
+init_domtrans_script(apmd_t)
+init_use_fd(apmd_t)
+init_use_script_pty(apmd_t)
+init_rw_script_pid(apmd_t)
+init_write_initctl(apmd_t)
+
+libs_exec_ld_so(apmd_t)
+libs_use_ld_so(apmd_t)
+libs_exec_lib_files(apmd_t)
+libs_use_shared_libs(apmd_t)
+
+logging_send_syslog_msg(apmd_t)
+
+miscfiles_read_localization(apmd_t)
+
+modutils_domtrans_insmod(apmd_t)
+modutils_read_module_conf(apmd_t)
+
+seutil_dontaudit_search_config(apmd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(apmd_t)
+userdom_dontaudit_search_sysadm_home_dir(apmd_t)
+userdom_dontaudit_search_all_users_home(apmd_t) # Excessive?
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(apmd_t)
+ term_dontaudit_use_generic_pty(apmd_t)
+ files_dontaudit_read_root_file(apmd_t)
+')
+
+ifdef(`distro_redhat',`
+ allow apmd_t apmd_lock_t:file create_file_perms;
+ files_create_lock(apmd_t,apmd_lock_t)
+
+ can_exec(apmd_t, apmd_var_run_t)
+
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`ifconfig.te',`
+ sysnet_domtrans_ifconfig(apmd_t)
+ ')
+
+ optional_policy(`iptables.te',`
+ iptables_domtrans(apmd_t)
+ ')
+
+ optional_policy(`netutils.te',`
+ netutils_domtrans(apmd_t)
+ ')
+
+ ',`
+
+ # for ifconfig which is run all the time
+ kernel_dontaudit_search_sysctl_dir(apmd_t)
+')
+
+ifdef(`distro_suse',`
+ allow apmd_t apmd_var_lib_t:file create_file_perms;
+ allow apmd_t apmd_var_lib_t:dir create_dir_perms;
+ files_create_var_lib(apmd_t,apmd_var_lib_t)
+')
+
+optional_policy(`clock.te',`
+ clock_domtrans(apmd_t)
+ clock_rw_adjtime(apmd_t)
+')
+
+optional_policy(`mta.te',`
+ mta_send_mail(apmd_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(apmd_t)
+')
+
+optional_policy(`pcmcia.te',`
+ pcmcia_domtrans_cardmgr(apmd_t)
+ pcmcia_domtrans_cardctl(apmd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(apmd_t)
+')
+
+optional_policy(`udev.te',`
+ udev_read_db(apmd_t)
+ udev_read_state(apmd_t) #necessary?
+')
+
+ifdef(`TODO',`
+allow apmd_t proc_t:file write;
+allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
+optional_policy(`cron.te',`
+ domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
+ allow apmd_t crond_t:fifo_file { getattr read write ioctl };
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(apmd_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/arpwatch.fc b/refpolicy/policy/modules/services/arpwatch.fc
new file mode 100644
index 00000000..6318f23f
--- /dev/null
+++ b/refpolicy/policy/modules/services/arpwatch.fc
@@ -0,0 +1,11 @@
+
+#
+# /usr
+#
+/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+#
+# /var
+#
+/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/refpolicy/policy/modules/services/arpwatch.if b/refpolicy/policy/modules/services/arpwatch.if
new file mode 100644
index 00000000..dc5b0707
--- /dev/null
+++ b/refpolicy/policy/modules/services/arpwatch.if
@@ -0,0 +1,68 @@
+## Ethernet activity monitor.
+
+########################################
+##
+## Search arpwatch's data file directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`arpwatch_search_data',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ allow $1 arpwatch_data_t:dir search;
+')
+
+########################################
+##
+## Create arpwatch data files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`arpwatch_manage_data_files',`
+ gen_require(`
+ type arpwatch_data_t;
+ ')
+
+ allow $1 arpwatch_data_t:dir rw_dir_perms;
+ allow $1 arpwatch_data_t:file create_file_perms;
+')
+
+########################################
+##
+## Read and write arpwatch temporary files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`arpwatch_rw_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ allow $1 arpwatch_tmp_t:file rw_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## arpwatch packet sockets.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`arpwatch_dontaudit_rw_packet_socket',`
+ gen_require(`
+ type arpwatch_t;
+ class packet_socket { read write };
+ ')
+
+ dontaudit $1 arpwatch_t:packet_socket { read write };
+')
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te
new file mode 100644
index 00000000..0566c05b
--- /dev/null
+++ b/refpolicy/policy/modules/services/arpwatch.te
@@ -0,0 +1,122 @@
+
+policy_module(arpwatch,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type arpwatch_t;
+type arpwatch_exec_t;
+init_daemon_domain(arpwatch_t,arpwatch_exec_t)
+
+type arpwatch_data_t;
+files_type(arpwatch_data_t)
+
+type arpwatch_tmp_t;
+files_tmp_file(arpwatch_tmp_t)
+
+type arpwatch_var_run_t;
+files_pid_file(arpwatch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
+dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:process signal_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
+allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:packet_socket create_socket_perms;
+
+allow arpwatch_t arpwatch_data_t:dir create_dir_perms;
+allow arpwatch_t arpwatch_data_t:file create_file_perms;
+allow arpwatch_t arpwatch_data_t:lnk_file create_lnk_perms;
+
+allow arpwatch_t arpwatch_tmp_t:dir create_dir_perms;
+allow arpwatch_t arpwatch_tmp_t:file create_file_perms;
+files_create_tmp_files(arpwatch_t, arpwatch_tmp_t, { file dir })
+
+allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
+allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
+files_create_pid(arpwatch_t,arpwatch_var_run_t)
+
+kernel_read_kernel_sysctl(arpwatch_t)
+kernel_list_proc(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
+
+corenet_tcp_sendrecv_all_if(arpwatch_t)
+corenet_udp_sendrecv_all_if(arpwatch_t)
+corenet_raw_sendrecv_all_if(arpwatch_t)
+corenet_tcp_sendrecv_all_nodes(arpwatch_t)
+corenet_udp_sendrecv_all_nodes(arpwatch_t)
+corenet_raw_sendrecv_all_nodes(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+corenet_tcp_bind_all_nodes(arpwatch_t)
+corenet_udp_bind_all_nodes(arpwatch_t)
+
+dev_read_sysfs(arpwatch_t)
+
+fs_getattr_all_fs(arpwatch_t)
+fs_search_auto_mountpoints(arpwatch_t)
+
+term_dontaudit_use_console(arpwatch_t)
+
+corecmd_read_sbin_symlink(arpwatch_t)
+
+domain_use_wide_inherit_fd(arpwatch_t)
+
+files_read_etc_files(arpwatch_t)
+files_read_usr_files(arpwatch_t)
+files_search_var_lib(arpwatch_t)
+
+init_use_fd(arpwatch_t)
+init_use_script_pty(arpwatch_t)
+
+libs_use_ld_so(arpwatch_t)
+libs_use_shared_libs(arpwatch_t)
+
+logging_send_syslog_msg(arpwatch_t)
+
+miscfiles_read_localization(arpwatch_t)
+
+sysnet_read_config(arpwatch_t)
+
+userdom_dontaudit_use_unpriv_user_fd(arpwatch_t)
+userdom_dontaudit_search_sysadm_home_dir(arpwatch_t)
+
+mta_send_mail(arpwatch_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(arpwatch_t)
+ term_dontaudit_use_generic_pty(arpwatch_t)
+ files_dontaudit_read_root_file(arpwatch_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(arpwatch_t)
+')
+
+optional_policy(`qmail.te',`
+ corecmd_search_bin(arpwatch_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(arpwatch_t)
+')
+
+optional_policy(`udev.te',`
+ udev_read_db(arpwatch_t)
+')
+
+ifdef(`TODO',`
+# TODO from daemon_domain
+optional_policy(`rhgb.te',`
+ rhgb_domain(arpwatch_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 8596714d..3dc798a6 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -258,6 +258,9 @@ dev_read_urand(system_crond_t)
fs_getattr_all_fs(system_crond_t)
fs_getattr_all_files(system_crond_t)
+fs_getattr_all_symlinks(system_crond_t)
+fs_getattr_all_pipes(system_crond_t)
+fs_getattr_all_sockets(system_crond_t)
corecmd_exec_bin(system_crond_t)
corecmd_exec_sbin(system_crond_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 8f99cc4d..be8777ae 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -175,4 +175,16 @@ optional_policy(`qmail.te',`
allow system_mail_t qmail_etc_t:dir search;
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
')
+
+optional_policy(`arpwatch.te',`
+ # why is mail delivered to a directory of type arpwatch_data_t?
+ arpwatch_search_data_dir(mta_delivery_agent)
+ arpwatch_manage_tmp_files(system_mail_t)
+ arpwatch_manage_tmp_files(mta_user_agent)
+ ifdef(`hide_broken_symptoms', `
+ arpwatch_dontaudit_rw_packet_socket(system_mail_t)
+ arpwatch_dontaudit_rw_packet_socket(mta_user_agent)
+ ')
+')
+
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 09c19c69..3f1eb12d 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -39,11 +39,18 @@ template(`ssh_per_userdomain_template',`
type $1_ssh_t;
domain_type($1_ssh_t)
+ domain_entry_file($1_ssh_t,ssh_exec_t)
type $1_ssh_agent_t;
domain_type($1_ssh_agent_t)
+ domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
role $3 types $1_ssh_agent_t;
+ type $1_ssh_keysign_t; #, nscd_client_domain;
+ domain_type($1_ssh_keysign_t)
+ domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
+ role $3 types $1_ssh_keysign_t;
+
##############################
#
# $1_ssh_t local policy
@@ -222,9 +229,6 @@ template(`ssh_per_userdomain_template',`
files_search_mnt($1_ssh_t)
r_dir_file($1_ssh_t, removable_t)
- type $1_ssh_keysign_t, domain, nscd_client_domain;
- role $1_r types $1_ssh_keysign_t;
-
if (allow_ssh_keysign) {
domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
@@ -360,6 +364,15 @@ template(`ssh_per_userdomain_template',`
allow $1_ssh_t $1_tmp_t:sock_file write;
allow $1_ssh_t $2:unix_stream_socket connectto;
') dnl endif TODO
+
+ ##############################
+ #
+ # $1_ssh_keysign_t local policy
+ #
+
+ optional_policy(`nscd.te',`
+ nscd_use_socket($1_ssh_keysign_t)
+ ')
')
#######################################
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 90c51bac..05334331 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -67,6 +67,11 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(hwclock_t)
')
+optional_policy(`apm.te',`
+ apm_append_log(hwclock_t)
+ apm_rw_stream_socket(hwclock_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(hwclock_t)
')
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 3f7bfc28..be9077f4 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -802,6 +802,23 @@ interface(`domain_dontaudit_rw_all_udp_sockets',`
dontaudit $1 domain:udp_socket { read write };
')
+########################################
+##
+## Do not audit attempts to get attribues of
+## all domains IPSEC key management sockets.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`domain_dontaudit_getattr_all_key_sockets',`
+ gen_require(`
+ attribute domain;
+ class key_socket { read write };
+ ')
+
+ dontaudit $1 domain:key_socket getattr;
+')
########################################
##
## Do not audit attempts to read or write
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 8f1ce3d9..da36dfa4 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -362,6 +362,10 @@ ifdef(`distro_debian', `
')
ifdef(`distro_gentoo',`
+ optional_policy(`arpwatch.te',`
+ arpwatch_manage_data_files(initrc_t)
+ ')
+
optional_policy(`dhcp.te',`
dhcpd_setattr_state_files(initrc_t)
')
@@ -433,6 +437,10 @@ optional_policy(`bluetooth.te',`
dev_read_usbfs(initrc_t)
')
+optional_policy(`apm.te',`
+ dev_rw_apm_bios(initrc_t)
+')
+
optional_policy(`cpucontrol.te',`
cpucontrol_stub()
dev_getattr_cpu(initrc_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 0a8770e6..ced726e3 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -119,6 +119,10 @@ optional_policy(`portmap.te', `
')
')
+optional_policy(`apm.te',`
+ apm_use_fd(mount_t)
+')
+
# for kernel package installation
optional_policy(`rpm.te', `
rpm_rw_pipe(mount_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 25aef616..9e919ff2 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -148,12 +148,6 @@ ifdef(`TODO',`
# cjp: why is this created all over the place?
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
-# this goes to apm
-optional_policy(`pcmcia.te',`
- pcmcia_domtrans_cardmgr(apmd_t)
- pcmcia_domtrans_cardctl(apmd_t)
-')
-
optional_policy(`rhgb.te',`
rhgb_domain(cardmgr_t)
')
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 340f5287..b15f3a27 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -24,6 +24,24 @@ interface(`udev_domtrans',`
allow udev_t $1:process sigchld;
')
+########################################
+##
+## Allow process to read udev process state.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`udev_read_state',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 udev_t:file r_file_perms;
+ allow $1 udev_t:lnk_file r_file_perms;
+')
+
########################################
##
## Do not audit attempts to inherit a
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index d2fb3f94..2e42d4f6 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -120,6 +120,11 @@ ifdef(`targeted_policy',`
domain_ptrace_all_domains(sysadm_t)
')
+ optional_policy(`apm.te',`
+ # cjp: why is this not apm_run_client
+ apm_domtrans_client(sysadm_t)
+ ')
+
optional_policy(`bootloader.te',`
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
')