add daemontools, djbdns, publicfile, and ucspitcp from Petre Rodan.

2006-01-16 18:30:14 +00:00 · 2006-01-16 18:30:14 +00:00 · 44d5d93fb8
commit 44d5d93fb8
parent 6a57b68da7
24 changed files with 659 additions and 19 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -14,7 +14,9 @@
 	alsa
 	automount
 	cdrecord
+	daemontools (Petre Rodan)
 	ddcprobe
+	djbdns (Petre Rodan)
 	fetchmail
 	irc
 	java
@ -22,6 +24,7 @@
 	logwatch (Dan Walsh)
 	openct
 	prelink (Dan Walsh)
+	publicfile (Petre Rodan)
 	readahead
 	roundup
 	screen
@ -29,6 +32,7 @@
 	slrnpull
 	smartmon
 	sysstat
+	ucspitcp (Petre Rodan)
 	usbmodules
 	vbetool (Dan Walsh)

--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@ -1,5 +1,5 @@

-policy_module(apache,1.1.2)
+policy_module(apache,1.1.3)

 #
 # NOTES: 
@ -395,6 +395,10 @@ tunable_policy(`httpd_tty_comm',`
 	userdom_dontaudit_use_sysadm_terms(httpd_t)
 ')

+optional_policy(`daemontools',`
+	daemontools_service_domain(httpd_t, httpd_exec_t)
+')
+
 optional_policy(`kerberos',`
 	kerberos_use(httpd_t)
 ')
--- a/refpolicy/policy/modules/services/djbdns.fc
+++ b/refpolicy/policy/modules/services/djbdns.fc
@ -0,0 +1,9 @@
+
+/usr/bin/axfrdns		--	gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
+/usr/bin/dnscache	--	gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
+/usr/bin/tinydns		--	gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
+
+/var/axfrdns/root(/.*)?		gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
+/var/dnscache/root(/.*)?		gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
+/var/tinydns/root(/.*)?		gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
+
--- a/refpolicy/policy/modules/services/djbdns.if
+++ b/refpolicy/policy/modules/services/djbdns.if
@ -0,0 +1,53 @@
+## <summary>small and secure DNS daemon</summary>
+
+########################################
+## <summary>
+##      Create a set of derived types for djbdns 
+##	components that are directly supervised by daemontools.
+## </summary>
+## <param name="prefix">
+##      The prefix to be used for deriving type names.
+## </param>
+#
+template(`djbdns_daemontools_domain_template',`
+
+	type djbdns_$1_t;
+	type djbdns_$1_exec_t;
+	type djbdns_$1_conf_t;
+	files_config_file(djbdns_$1_conf_t)
+
+	domain_type(djbdns_$1_t)
+	domain_entry_file(djbdns_$1_t,djbdns_$1_exec_t)
+	role system_r types djbdns_$1_t;
+
+	daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
+	daemontools_read_svc(djbdns_$1_t)
+
+	allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+	allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+	allow djbdns_$1_t self:udp_socket create_socket_perms;
+	allow djbdns_$1_t port_t:udp_socket name_bind;
+
+	allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms;
+	allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms;
+
+	corenet_tcp_sendrecv_all_if(djbdns_$1_t)
+	corenet_udp_sendrecv_all_if(djbdns_$1_t)
+	corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
+	corenet_udp_sendrecv_all_nodes(djbdns_$1_t)
+	corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_non_ipsec_sendrecv(djbdns_$1_t)
+	corenet_tcp_bind_all_nodes(djbdns_$1_t)
+	corenet_udp_bind_all_nodes(djbdns_$1_t)
+
+	corenet_tcp_bind_dns_port(djbdns_$1_t)
+	corenet_udp_bind_dns_port(djbdns_$1_t)
+
+	files_search_var(djbdns_$1_t)
+
+	libs_use_ld_so(djbdns_$1_t)
+	libs_use_shared_libs(djbdns_$1_t)
+
+')
+
--- a/refpolicy/policy/modules/services/djbdns.te
+++ b/refpolicy/policy/modules/services/djbdns.te
@ -0,0 +1,47 @@
+
+policy_module(djbdns,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type djbdns_axfrdns_t;
+type djbdns_axfrdns_exec_t;
+type djbdns_axfrdns_conf_t;
+domain_type(djbdns_axfrdns_t)
+domain_entry_file(djbdns_axfrdns_t,djbdns_axfrdns_exec_t)
+role system_r types djbdns_axfrdns_t;
+files_config_file(djbdns_axfrdns_conf_t)
+
+djbdns_daemontools_domain_template(dnscache)
+
+djbdns_daemontools_domain_template(tinydns)
+
+########################################
+#
+# Local policy for axfrdns component
+#
+
+files_config_file(djbdns_axfrdns_conf_t)
+
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir r_dir_perms;
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file r_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_t:dir r_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_t:file r_file_perms;
+
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir r_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file r_file_perms;
+
+files_search_var(djbdns_axfrdns_t)
+
+libs_use_ld_so(djbdns_axfrdns_t)
+libs_use_shared_libs(djbdns_axfrdns_t)
+
+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@ -1,5 +1,5 @@

-policy_module(ftp,1.1.1)
+policy_module(ftp,1.1.2)

 ########################################
 #
@ -193,6 +193,10 @@ optional_policy(`cron',`
 	')
 ')

+optional_policy(`daemontools',`
+	daemontools_service_domain(ftpd_t, ftpd_exec_t)
+')
+
 optional_policy(`inetd',`
 	#reh: typeattributes not allowed in conditionals yet.
 	#tunable_policy(`! ftpd_is_daemon',`
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@ -1,5 +1,5 @@

-policy_module(mysql,1.1.0)
+policy_module(mysql,1.1.1)

 ########################################
 #
@ -121,6 +121,10 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(mysqld_t)
 ')

+optional_policy(`daemontools',`
+	daemontools_service_domain(mysqld_t, mysqld_exec_t)
+')
+
 optional_policy(`mount',`
 	mount_send_nfs_client_request(mysqld_t)
 ')
@ -140,12 +144,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(mysqld_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`daemontools',`
-	domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
-	mysqld_signal(svc_start_t)
-
-	svc_ipc_domain(mysqld_t)
-')
-') dnl end TODO
--- a/refpolicy/policy/modules/services/publicfile.fc
+++ b/refpolicy/policy/modules/services/publicfile.fc
@ -0,0 +1,7 @@
+
+/usr/bin/ftpd		--	gen_context(system_u:object_r:publicfile_exec_t,s0)
+/usr/bin/httpd		--	gen_context(system_u:object_r:publicfile_exec_t,s0)
+
+# this is the place where online content located
+# set this to suit your needs
+#/var/www(/.*)?			gen_context(system_u:object_r:publicfile_content_t,s0)
--- a/refpolicy/policy/modules/services/publicfile.if
+++ b/refpolicy/policy/modules/services/publicfile.if
@ -0,0 +1 @@
+## <summary>publicfile supplies files to the public through HTTP and FTP</summary>
--- a/refpolicy/policy/modules/services/publicfile.te
+++ b/refpolicy/policy/modules/services/publicfile.te
@ -0,0 +1,39 @@
+
+policy_module(publicfile,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type publicfile_t;
+type publicfile_exec_t;
+init_system_domain(publicfile_t,publicfile_exec_t)
+role system_r types publicfile_t;
+
+type publicfile_content_t;
+files_type(publicfile_content_t)
+
+########################################
+#
+# Local policy
+#
+
+allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+allow publicfile_t publicfile_content_t:dir r_dir_perms;
+allow publicfile_t publicfile_content_t:file r_file_perms;
+
+files_search_var(publicfile_t)
+
+libs_use_ld_so(publicfile_t)
+libs_use_shared_libs(publicfile_t)
+
+optional_policy(`daemontools',`
+	daemontools_ipc_domain(publicfile_t)
+')
+
+optional_policy(`ucspitcp',`
+	ucspitcp_service_domain(publicfile_t, publicfile_exec_t)
+')
+
+#allow publicfile_t initrc_t:tcp_socket { read write };
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@ -1,5 +1,5 @@

-policy_module(rsync,1.1.0)
+policy_module(rsync,1.1.2)

 ########################################
 #
@ -87,6 +87,10 @@ tunable_policy(`allow_rsync_anon_write',`
 	miscfiles_manage_public_files(rsync_t)
 ')

+optional_policy(`daemontools',`
+	daemontools_service_domain(rsync_t, rsync_exec_t)
+')
+
 optional_policy(`kerberos',`
 	kerberos_use(rsync_t)
 ')
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@ -1,5 +1,5 @@

-policy_module(spamassassin,1.1.1)
+policy_module(spamassassin,1.1.2)

 ########################################
 #
@ -136,6 +136,10 @@ optional_policy(`cron',`
 	cron_system_entry(spamd_t,spamd_exec_t)
 ')

+optional_policy(`daemontools',`
+	daemontools_service_domain(spamd_t,spamd_exec_t)
+')
+
 optional_policy(`nis',`
 	nis_use_ypbind(spamd_t)
 ')
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@ -1,5 +1,5 @@

-policy_module(ssh,1.1.1)
+policy_module(ssh,1.1.2)

 ########################################
 #
@ -113,6 +113,10 @@ ifdef(`targeted_policy',`',`
 		userdom_signal_unpriv_users(sshd_t)
 	')

+	optional_policy(`daemontools',`
+		daemontools_service_domain(sshd_t, sshd_exec_t)
+	')
+
 	optional_policy(`rpm',`
 		rpm_use_script_fd(sshd_t)
 	')
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@ -103,6 +103,10 @@ ifdef(`distro_gentoo', `
        	files_dontaudit_read_root_file(stunnel_t)
 	')

+	optional_policy(`daemontools',`
+		daemontools_service_domain(stunnel_t, stunnel_exec_t)
+	')
+
 	optional_policy(`mount',`
        	mount_send_nfs_client_request(stunnel_t)
 	')
--- a/refpolicy/policy/modules/services/ucspitcp.fc
+++ b/refpolicy/policy/modules/services/ucspitcp.fc
@ -0,0 +1,3 @@
+
+/usr/bin/rblsmtpd	--	gen_context(system_u:object_r:rblsmtpd_exec_t,s0)
+/usr/bin/tcpserver	--	gen_context(system_u:object_r:ucspitcp_exec_t,s0)
--- a/refpolicy/policy/modules/services/ucspitcp.if
+++ b/refpolicy/policy/modules/services/ucspitcp.if
@ -0,0 +1,36 @@
+## <summary>ucspitcp policy</summary>
+## <desc>
+##      <p>
+##              Policy for DJB's ucspi-tcpd
+##      </p>
+## </desc>
+
+########################################
+## <summary>
+##      Define a specified domain as a ucspitcp service.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+## <param name="entrypoint">
+##      The type associated with the process program.
+## </param>
+#
+interface(`ucspitcp_service_domain', `
+	gen_require(`
+		type ucspitcp_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	role system_r types $1;
+
+	domain_auto_trans(ucspitcp_t, $2, $1)
+
+	allow $1 ucspitcp_t:fd use;
+	allow $1 ucspitcp_t:process sigchld;
+	allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+')
+
--- a/refpolicy/policy/modules/services/ucspitcp.te
+++ b/refpolicy/policy/modules/services/ucspitcp.te
@ -0,0 +1,90 @@
+
+policy_module(ucspitcp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rblsmtpd_t;
+type rblsmtpd_exec_t;
+init_system_domain(rblsmtpd_t,rblsmtpd_exec_t)
+role system_r types rblsmtpd_t;
+
+type ucspitcp_t;
+type ucspitcp_exec_t;
+init_system_domain(ucspitcp_t,ucspitcp_exec_t)
+role system_r types ucspitcp_t;
+
+########################################
+#
+# Local policy for rblsmtpd
+#
+
+ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
+
+allow rblsmtpd_t self:process { fork sigchld };
+
+corecmd_search_bin(rblsmtpd_t)
+
+corenet_tcp_sendrecv_all_if(rblsmtpd_t)
+corenet_udp_sendrecv_all_if(rblsmtpd_t)
+corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
+corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
+corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
+corenet_udp_sendrecv_all_ports(rblsmtpd_t)
+corenet_non_ipsec_sendrecv(rblsmtpd_t)
+corenet_tcp_bind_all_nodes(rblsmtpd_t)
+corenet_udp_bind_generic_port(rblsmtpd_t)
+
+files_read_etc_files(rblsmtpd_t)
+files_search_var(rblsmtpd_t)
+
+libs_use_ld_so(rblsmtpd_t)
+libs_use_shared_libs(rblsmtpd_t)
+
+optional_policy(`daemontools',`
+	daemontools_ipc_domain(rblsmtpd_t)
+')
+
+########################################
+#
+# Local policy for tcpserver
+#
+
+allow ucspitcp_t self:capability { net_bind_service setgid setuid };
+allow ucspitcp_t self:fifo_file { read write };
+allow ucspitcp_t self:process { fork sigchld };
+allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
+
+corecmd_search_bin(ucspitcp_t)
+corecmd_search_sbin(ucspitcp_t)
+
+corenet_tcp_sendrecv_all_if(ucspitcp_t)
+corenet_udp_sendrecv_all_if(ucspitcp_t)
+corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
+corenet_udp_sendrecv_all_nodes(ucspitcp_t)
+corenet_tcp_sendrecv_all_ports(ucspitcp_t)
+corenet_udp_sendrecv_all_ports(ucspitcp_t)
+corenet_non_ipsec_sendrecv(ucspitcp_t)
+corenet_tcp_bind_all_nodes(ucspitcp_t)
+corenet_tcp_bind_ftp_port(ucspitcp_t)
+corenet_tcp_bind_ftp_data_port(ucspitcp_t)
+corenet_tcp_bind_http_port(ucspitcp_t)
+corenet_tcp_bind_smtp_port(ucspitcp_t)
+corenet_tcp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_dns_port(ucspitcp_t)
+corenet_udp_bind_generic_port(ucspitcp_t)
+
+files_search_var(ucspitcp_t)
+files_read_etc_files(ucspitcp_t)
+
+libs_use_ld_so(ucspitcp_t)
+libs_use_shared_libs(ucspitcp_t)
+
+sysnet_read_config(ucspitcp_t)
+
+optional_policy(`daemontools',`
+	daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
+	daemontools_read_svc(ucspitcp_t)
+')
--- a/refpolicy/policy/modules/system/daemontools.fc
+++ b/refpolicy/policy/modules/system/daemontools.fc
@ -0,0 +1,48 @@
+#
+# /service
+#
+
+/service(/.*)?			gen_context(system_u:object_r:svc_svc_t,s0)
+
+#
+# /usr
+#
+
+/usr/bin/envdir		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/envuidgid	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/fghack		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/multilog	--	gen_context(system_u:object_r:svc_multilog_exec_t,s0)
+/usr/bin/pgrphack	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setlock		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/setuidgid	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/softlimit	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/usr/bin/svc		--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svok		--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscan		--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/svscanboot	--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+/usr/bin/supervise	--	gen_context(system_u:object_r:svc_start_exec_t,s0)
+
+#
+# /var
+#
+
+/var/axfrdns(/.*)?		gen_context(system_u:object_r:svc_svc_t,s0)
+/var/axfrdns/run		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/log/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/axfrdns/env(/.*)?		gen_context(system_u:object_r:svc_conf_t,s0)
+
+/var/dnscache(/.*)?		gen_context(system_u:object_r:svc_svc_t,s0)
+/var/dnscache/env(/.*)?		gen_context(system_u:object_r:svc_conf_t,s0)
+/var/dnscache/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/dnscache/log/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/service/.*			gen_context(system_u:object_r:svc_svc_t,s0)
+/var/service/.*/env(/.*)?	gen_context(system_u:object_r:svc_conf_t,s0)
+/var/service/.*/log/main(/.*)?	gen_context(system_u:object_r:svc_log_t,s0)
+/var/service/.*/log/run		gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/service/.*/run.*		gen_context(system_u:object_r:svc_run_exec_t,s0)
+
+/var/tinydns(/.*)?		gen_context(system_u:object_r:svc_svc_t,s0)
+/var/tinydns/run		--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/log/run	--	gen_context(system_u:object_r:svc_run_exec_t,s0)
+/var/tinydns/env(/.*)?		gen_context(system_u:object_r:svc_conf_t,s0)
--- a/refpolicy/policy/modules/system/daemontools.if
+++ b/refpolicy/policy/modules/system/daemontools.if
@ -0,0 +1,147 @@
+## <summary>Collection of tools for managing UNIX services</summary>
+## <desc>
+##	<p>
+##		Policy for DJB's daemontools
+##	</p>
+## </desc>
+
+########################################
+## <summary>
+##	An ipc channel between the supervised domain and svc_start_t
+## </summary>
+## <param name="domain">
+##	Domain allowed access to svc_start_t.
+## </param>
+#
+interface(`daemontools_ipc_domain',`
+	gen_require(`
+		type svc_start_t;
+	')
+
+	allow $1 svc_start_t:process sigchld;
+	allow $1 svc_start_t:fd use;
+	allow $1 svc_start_t:fifo_file { read write getattr };
+	allow svc_start_t $1:process signal;
+')
+
+########################################
+## <summary>
+##      Define a specified domain as a supervised service.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+## <param name="entrypoint">
+##      The type associated with the process program.
+## </param>
+#
+interface(`daemontools_service_domain',`
+	gen_require(`
+		type svc_run_t;
+	')
+
+	domain_auto_trans(svc_run_t, $2, $1)
+	daemontools_ipc_domain($1)
+
+	allow svc_run_t $1:process signal;
+	allow $1 svc_run_t:fd use;
+')
+
+########################################
+## <summary>
+##      Execute in the svc_start_t domain.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`daemontools_domtrans_start',`
+	gen_require(`
+		type svc_start_t, svc_start_exec_t;
+	')
+
+	domain_auto_trans($1, svc_start_exec_t, svc_start_t)
+
+	allow $1 svc_start_t:fd use;
+	allow svc_start_t $1:fd use;
+	allow svc_start_t $1:fifo_file rw_file_perms;
+	allow svc_start_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Execute in the svc_run_t domain.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`daemontools_domtrans_run',`
+	gen_require(`
+		type svc_run_t, svc_run_exec_t;
+	')
+
+	domain_auto_trans($1, svc_run_exec_t, svc_run_t)
+
+	allow $1 svc_run_t:fd use;
+	allow svc_run_t $1:fd use;
+	allow svc_run_t $1:fifo_file rw_file_perms;
+	allow svc_run_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Execute in the svc_multilog_t domain.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`daemontools_domtrans_multilog',`
+	gen_require(`
+		type svc_multilog_t, svc_multilog_exec_t;
+	')
+
+	domain_auto_trans($1, svc_multilog_exec_t, svc_multilog_t)
+
+	allow $1 svc_multilog_t:fd use;
+	allow svc_multilog_t $1:fd use;
+	allow svc_multilog_t $1:fifo_file rw_file_perms;
+	allow svc_multilog_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Allow a domain to read svc_svc_t files.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`daemontools_read_svc',`
+	gen_require(`
+		type svc_svc_t;
+	')
+
+	allow $1 svc_svc_t:dir r_dir_perms;
+	allow $1 svc_svc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##      Allow a domain to create svc_svc_t files.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`daemontools_manage_svc',`
+	gen_require(`
+		type svc_svc_t;
+	')
+
+	allow $1 svc_svc_t:dir create_dir_perms;
+	allow $1 svc_svc_t:fifo_file create_file_perms;
+	allow $1 svc_svc_t:file create_file_perms;
+	allow $1 svc_svc_t:lnk_file { read create };
+')
--- a/refpolicy/policy/modules/system/daemontools.te
+++ b/refpolicy/policy/modules/system/daemontools.te
@ -0,0 +1,120 @@
+
+policy_module(daemontools,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type svc_conf_t;
+files_type(svc_conf_t)
+
+type svc_log_t;
+files_type(svc_log_t)
+
+type svc_multilog_t;
+type svc_multilog_exec_t;
+domain_type(svc_multilog_t)
+domain_entry_file(svc_multilog_t,svc_multilog_exec_t)
+role system_r types svc_multilog_t;
+
+type svc_run_t;
+type svc_run_exec_t;
+domain_type(svc_run_t)
+domain_entry_file(svc_run_t,svc_run_exec_t)
+role system_r types svc_run_t;
+
+type svc_start_t;
+type svc_start_exec_t;
+init_domain(svc_start_t,svc_start_exec_t)
+init_system_domain(svc_start_t,svc_start_exec_t)
+role system_r types svc_start_t;
+
+type svc_svc_t;
+files_type(svc_svc_t)
+
+########################################
+#
+# multilog local policy
+#
+
+# multilog creates /service/*/log/status
+allow svc_multilog_t svc_svc_t:dir rw_dir_perms;
+allow svc_multilog_t svc_svc_t:file create_file_perms;
+
+init_use_fd(svc_multilog_t)
+
+libs_use_ld_so(svc_multilog_t)
+libs_use_shared_libs(svc_multilog_t)
+
+# writes to /var/log/*/*
+logging_manage_generic_logs(svc_multilog_t)
+
+daemontools_ipc_domain(svc_multilog_t)
+
+########################################
+#
+# local policy for binaries that impose 
+# a given environment to supervised daemons
+# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
+#
+
+allow svc_run_t self:capability { setgid setuid chown fsetid };
+allow svc_run_t self:process setrlimit;
+allow svc_run_t self:fifo_file rw_file_perms;
+allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+
+allow svc_run_t svc_conf_t:dir r_dir_perms;
+allow svc_run_t svc_conf_t:file r_file_perms;
+
+can_exec(svc_run_t svc_run_exec_t)
+
+kernel_read_system_state(svc_run_t)
+
+corecmd_exec_bin(svc_run_t)
+corecmd_exec_sbin(svc_run_t)
+corecmd_exec_shell(svc_run_t)
+corecmd_exec_ls(svc_run_t)
+
+files_read_etc_files(svc_run_t)
+files_read_etc_runtime_files(svc_run_t)
+files_search_pids(svc_run_t)
+files_search_var_lib(svc_run_t)
+
+init_use_script_fd(svc_run_t)
+init_use_fd(svc_run_t)
+
+libs_use_ld_so(svc_run_t)
+libs_use_shared_libs(svc_run_t)
+
+daemontools_domtrans_multilog(svc_run_t)
+daemontools_read_svc(svc_run_t)
+
+########################################
+#
+# local policy for service monitoring programs
+# ie svc, svscan, supervise ...
+#
+
+allow svc_start_t svc_run_t:process signal;
+
+allow svc_start_t self:fifo_file rw_file_perms;
+allow svc_start_t self:capability kill;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+can_exec(svc_start_t svc_start_exec_t)
+
+corecmd_read_sbin_symlink(svc_start_t)
+corecmd_exec_bin(svc_start_t)
+corecmd_exec_shell(svc_start_t)
+
+files_read_etc_files(svc_start_t)
+files_read_etc_runtime_files(svc_start_t)
+files_search_var(svc_start_t)
+files_search_pids(svc_start_t)
+
+libs_use_ld_so(svc_start_t)
+libs_use_shared_libs(svc_start_t)
+
+daemontools_domtrans_run(svc_start_t)
+daemontools_manage_svc(svc_start_t)
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@ -25,9 +25,11 @@ ifdef(`targeted_policy', `', `
 /sbin/init		--	gen_context(system_u:object_r:init_exec_t,s0)

 ifdef(`distro_gentoo', `
-/sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/rc			--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /sbin/runscript		--      gen_context(system_u:object_r:initrc_exec_t,s0)
 /sbin/runscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/runsvcscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/svcinit		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 ')

 #
@ -41,6 +43,7 @@ ifdef(`distro_gentoo', `
 #
 ifdef(`distro_gentoo', `
 /var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/var/run/svscan\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')

 /var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -1,5 +1,5 @@

-policy_module(init,1.1.3)
+policy_module(init,1.1.4)

 gen_require(`
 	class passwd rootok;
@ -386,7 +386,7 @@ userdom_read_all_user_files(initrc_t)
 # started from init should be placed in their own domain.
 userdom_use_sysadm_terms(initrc_t)

-ifdef(`distro_debian', `
+ifdef(`distro_debian',`
 	dev_setattr_dev_dir(initrc_t)

 	fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir)
@ -512,6 +512,10 @@ optional_policy(`cups',`
 	cups_read_log(initrc_t)
 ')

+optional_policy(`daemontools',`
+	daemontools_manage_svc(initrc_t)
+')
+
 optional_policy(`dbus',`
 	dbus_connect_system_bus(initrc_t)
 	dbus_send_system_bus_msg(initrc_t)
--- a/refpolicy/policy/modules/system/logging.fc
+++ b/refpolicy/policy/modules/system/logging.fc
@ -19,6 +19,9 @@ ifdef(`distro_suse', `
 /var/lib/stunnel/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
 ')

+/var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+/var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
 /var/log			-d	gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
 /var/log/audit.log	--	gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
@ -29,3 +32,6 @@ ifdef(`distro_suse', `
 /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
+/var/tinydns/log/main(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
+
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@ -1,5 +1,5 @@

-policy_module(selinuxutil,1.0.1)
+policy_module(selinuxutil,1.0.2)

 gen_require(`
 	bool secure_mode;
@ -449,6 +449,10 @@ ifdef(`targeted_policy',`',`
 	miscfiles_read_localization(run_init_t)

 	logging_send_syslog_msg(run_init_t)
+
+	optional_policy(`daemontools',`
+		daemontools_domtrans_start(run_init_t)
+	')
 ') dnl end ifdef targeted policy

 ifdef(`TODO',`
				`@ -0,0 +1 @@`
				`## <summary>publicfile supplies files to the public through HTTP and FTP</summary>`