add radius and amanda, which I forgot to ci

refpolicy/policy/modules/admin/amanda.fc

@@ -0,0 +1,72 @@
+
+/etc/amanda(/.*)?			gen_context(system_u:object_r:amanda_config_t,s0)
+/etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
+/etc/dumpdates				gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+
+/root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
+/tmp/amanda(/.*)?			gen_context(system_u:object_r:amanda_tmp_t,s0)
+
+/usr/lib(64)?/amanda		-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib(64)?/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amcat\.awk	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amcleanupdisk --	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amlogroll	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.awk --	gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.g	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.gp	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amtrmidx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amtrmlog	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/calcsize	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-chio	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-chs	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-manual	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-mtx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-multi	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-rth	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-scsi	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-zd-mtx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/driver	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/dumper	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/killpgrp	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/patch-system --	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/planner	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/rundump	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/runtar	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/selfcheck	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/sendbackup	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/sendsize	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/taper	--	gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/versionsuffix --	gen_context(system_u:object_r:amanda_exec_t,s0)
+
+/usr/sbin/amadmin		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcheck		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcheckdb		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcleanup		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amdump		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amflush		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amgetconf		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amlabel		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amoverview		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amplot		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrecover		--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+/usr/sbin/amreport		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrestore		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrmtape		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amstatus		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amtape		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amtoc			--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amverify		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
+
+/var/lib/amanda			-d	gen_context(system_u:object_r:amanda_var_lib_t,s0)
+/var/lib/amanda/\.amandahosts	--	gen_context(system_u:object_r:amanda_config_t,s0)
+/var/lib/amanda/\.bashrc	--	gen_context(system_u:object_r:amanda_shellconfig_t,s0)
+/var/lib/amanda/\.profile	--	gen_context(system_u:object_r:amanda_shellconfig_t,s0)
+/var/lib/amanda/disklist	--	gen_context(system_u:object_r:amanda_data_t,s0)
+/var/lib/amanda/gnutar-lists(/.*)?	gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
+/var/lib/amanda/index			gen_context(system_u:object_r:amanda_data_t,s0)
+
+/var/log/amanda(/.*)?			gen_context(system_u:object_r:amanda_log_t,s0)

refpolicy/policy/modules/admin/amanda.if

@@ -0,0 +1,64 @@
+## <summary>Automated backup program.</summary>
+
+########################################
+## <summary>
+##	Execute amrecover in the amanda_recover domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`amanda_domtrans_recover',`
+	gen_require(`
+		type amanda_recover_t, amanda_recover_exec_t;
+	')
+
+	domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
+
+	allow $1 amanda_recover_t:fd use;
+	allow amanda_recover_t $1:fd use;
+	allow amanda_recover_t $1:fifo_file rw_file_perms;
+	allow amanda_recover_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute amrecover in the amanda_recover domain, and
+##	allow the specified role the amanda_recover domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the amanda_recover domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the amanda_recover domain to use.
+## </param>
+#
+interface(`amanda_run_recover',`
+	gen_require(`
+		type amanda_recover_t;
+	')
+
+	amanda_domtrans_recover($1)
+	role $2 types amanda_recover_t;
+	allow amanda_recover_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Search amanda library directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`amanda_search_lib',`
+	gen_require(`
+		type amanda_usr_lib_t;
+	')
+
+	allow $1 amanda_usr_lib_t:dir search;
+	files_search_usr($1)
+')

refpolicy/policy/modules/admin/amanda.te

@@ -0,0 +1,247 @@
+
+policy_module(amanda,1.0)
+
+#######################################
+#
+# Declarations
+#
+
+type amanda_t;
+type amanda_inetd_exec_t;
+inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+role system_r types amanda_t;
+
+type amanda_exec_t;
+domain_entry_file(amanda_t,amanda_exec_t)
+
+type amanda_log_t;
+logging_log_file(amanda_log_t)
+
+# type for amanda configurations files
+type amanda_config_t;
+files_type(amanda_config_t)
+
+# type for files in /usr/lib/amanda
+type amanda_usr_lib_t;
+files_type(amanda_usr_lib_t)
+
+# type for all files in /var/lib/amanda
+type amanda_var_lib_t;
+files_type(amanda_var_lib_t)
+
+# type for all files in /var/lib/amanda/gnutar-lists/
+type amanda_gnutarlists_t;
+files_type(amanda_gnutarlists_t)
+
+# type for user startable files
+type amanda_user_exec_t;
+files_type(amanda_user_exec_t)
+
+# type for same awk and other scripts
+type amanda_script_exec_t;
+files_type(amanda_script_exec_t)
+
+# type for the shell configuration files 
+type amanda_shellconfig_t;
+files_type(amanda_shellconfig_t)
+
+type amanda_tmp_t;
+files_tmp_file(amanda_tmp_t)
+
+# type for /etc/amandates
+type amanda_amandates_t;
+files_type(amanda_amandates_t)
+
+# type for /etc/dumpdates
+type amanda_dumpdates_t;
+files_type(amanda_dumpdates_t)
+
+# type for amanda data
+type amanda_data_t;
+files_type(amanda_data_t)
+
+# type for amrecover
+type amanda_recover_t;
+type amanda_recover_exec_t;
+domain_type(amanda_recover_t)
+domain_entry_file(amanda_recover_t,amanda_recover_exec_t)
+role system_r types amanda_recover_t;
+
+# type for recover files ( restored data )
+type amanda_recover_dir_t;
+files_type(amanda_recover_dir_t)
+
+########################################
+#
+# Amanda local policy
+#
+
+allow amanda_t self:capability { chown dac_override setuid };
+allow amanda_t self:process { setpgid signal };
+allow amanda_t self:fifo_file { getattr read write ioctl lock };
+allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
+allow amanda_t self:tcp_socket create_stream_socket_perms;
+allow amanda_t self:udp_socket create_socket_perms;
+
+# access to amanda_amandates_t
+allow amanda_t amanda_amandates_t:file { getattr lock read write };
+
+# configuration files -> read only
+allow amanda_t amanda_config_t:file { getattr read };
+
+# access to amandas data structure
+allow amanda_t amanda_data_t:dir { read search write };
+allow amanda_t amanda_data_t:file { read write };
+
+# access to amanda_dumpdates_t
+allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
+
+can_exec(amanda_t,amanda_exec_t)
+
+# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
+allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
+allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
+allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
+
+allow amanda_t amanda_log_t:file create_file_perms;
+allow amanda_t amanda_log_t:dir rw_dir_perms;
+logging_create_log(amanda_t,amanda_log_t,{ file dir })
+
+allow amanda_t amanda_tmp_t:dir create_dir_perms;
+allow amanda_t amanda_tmp_t:file create_file_perms;
+files_create_tmp_files(amanda_t, amanda_tmp_t, { file dir })
+
+kernel_read_system_state(amanda_t)
+kernel_read_kernel_sysctl(amanda_t)
+kernel_dontaudit_getattr_unlabeled_file(amanda_t)
+
+corenet_tcp_sendrecv_all_if(amanda_t)
+corenet_udp_sendrecv_all_if(amanda_t)
+corenet_raw_sendrecv_all_if(amanda_t)
+corenet_tcp_sendrecv_all_nodes(amanda_t)
+corenet_udp_sendrecv_all_nodes(amanda_t)
+corenet_raw_sendrecv_all_nodes(amanda_t)
+corenet_tcp_bind_all_nodes(amanda_t)
+corenet_udp_bind_all_nodes(amanda_t)
+corenet_tcp_sendrecv_all_ports(amanda_t)
+corenet_udp_sendrecv_all_ports(amanda_t)
+
+dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_blk_files(amanda_t)
+
+fs_getattr_xattr_fs(amanda_t)
+fs_list_all(amanda_t)
+
+storage_raw_read_fixed_disk(amanda_t)
+
+files_read_etc_files(amanda_t)
+files_read_etc_runtime_files(amanda_t)
+files_list_all_dirs(amanda_t)
+files_read_all_files(amanda_t)
+files_read_all_symlinks(amanda_t)
+files_read_all_blk_nodes(amanda_t)
+files_read_all_chr_nodes(amanda_t)
+files_getattr_all_pipes(amanda_t)
+files_getattr_all_sockets(amanda_t)
+
+corecmd_exec_shell(amanda_t)
+corecmd_exec_sbin(amanda_t)
+corecmd_exec_bin(amanda_t)
+
+libs_use_ld_so(amanda_t)
+libs_use_shared_libs(amanda_t)
+
+sysnet_read_config(amanda_t)
+
+optional_policy(`authlogin.te',`
+	auth_read_shadow(amanda_t)
+')
+
+optional_policy(`logging.te',`
+	logging_send_syslog_msg(amanda_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(amanda_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(amanda_t)
+')
+
+########################################
+#
+# Amanda recover local policy
+
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:fifo_file { getattr ioctl read write };
+allow amanda_recover_t self:unix_stream_socket { connect create read write };
+allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
+allow amanda_recover_t self:udp_socket create_socket_perms;
+
+allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
+allow amanda_recover_t amanda_log_t:file manage_file_perms;
+allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
+
+# access to amanda_recover_dir_t
+allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
+allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
+allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
+allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
+allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
+userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ file lnk_file sock_file fifo_file })
+
+allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
+allow amanda_recover_t amanda_tmp_t:file create_file_perms;
+allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
+allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
+allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
+files_create_tmp_files(amanda_recover_t,amanda_tmp_t,{ file lnk_file sock_file fifo_file })
+
+kernel_read_system_state(amanda_recover_t)
+kernel_read_kernel_sysctl(amanda_recover_t)
+
+corenet_tcp_sendrecv_all_if(amanda_recover_t)
+corenet_udp_sendrecv_all_if(amanda_recover_t)
+corenet_raw_sendrecv_all_if(amanda_recover_t)
+corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
+corenet_udp_sendrecv_all_nodes(amanda_recover_t)
+corenet_raw_sendrecv_all_nodes(amanda_recover_t)
+corenet_tcp_sendrecv_all_ports(amanda_recover_t)
+corenet_udp_sendrecv_all_ports(amanda_recover_t)
+corenet_tcp_bind_all_nodes(amanda_recover_t)
+corenet_udp_bind_all_nodes(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
+
+corecmd_exec_shell(amanda_recover_t)
+corecmd_exec_bin(amanda_recover_t)
+
+domain_use_wide_inherit_fd(amanda_recover_t)
+
+files_read_etc_files(amanda_recover_t)
+files_read_etc_runtime_files(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
+files_search_pids(amanda_recover_t)
+
+fstools_domtrans(amanda_t)
+
+libs_use_ld_so(amanda_recover_t)
+libs_use_shared_libs(amanda_recover_t)
+
+logging_search_logs(amanda_recover_t)
+
+miscfiles_read_localization(amanda_recover_t)
+
+sysnet_read_config(amanda_recover_t)
+
+userdom_search_sysadm_home_subdirs(amanda_recover_t)
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(amanda_recover_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(amanda_recover_t)
+')

refpolicy/policy/modules/services/radius.fc

@@ -0,0 +1,19 @@
+
+/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/etc/raddb(/.*)?                gen_context(system_u:object_r:radiusd_etc_t,s0)
+
+/usr/sbin/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/sbin/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radacct(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius(/.*)?		gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius\.log.*	--	gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radutmp	--	gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radwtmp.*	--	gen_context(system_u:object_r:radiusd_log_t,s0)
+
+/var/run/radiusd(/.*)?		gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/var/run/radiusd\.pid	--	gen_context(system_u:object_r:radiusd_var_run_t,s0)

refpolicy/policy/modules/services/radius.if

@@ -0,0 +1,21 @@
+## <summary>RADIUS authentication and accounting server.</summary>
+
+########################################
+## <summary>
+##	Use radius over a UDP connection.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`radius_use',`
+	gen_require(`
+		type radius_t;
+	')
+
+	allow $1 radiusd_t:udp_socket sendto;
+	allow radiusd_t $1:udp_socket recvfrom;
+
+	allow radiusd_t $1:udp_socket sendto;
+	allow $1 radiusd_t:udp_socket recvfrom;
+')

refpolicy/policy/modules/services/radius.te

@@ -0,0 +1,137 @@
+
+policy_module(radius,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type radiusd_t;
+type radiusd_exec_t;
+init_daemon_domain(radiusd_t,radiusd_exec_t)
+
+type radiusd_etc_t; #, usercanread;
+files_type(radiusd_etc_t)
+
+type radiusd_log_t;
+logging_log_file(radiusd_log_t)
+
+type radiusd_var_run_t;
+files_pid_file(radiusd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# fsetid is for gzip which needs it when run from scripts
+# gzip also needs chown access to preserve GID for radwtmp files
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+dontaudit radiusd_t self:capability sys_tty_config;
+allow radiusd_t self:process setsched;
+allow radiusd_t self:fifo_file rw_file_perms;
+allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+allow radiusd_t self:tcp_socket create_stream_socket_perms;
+allow radiusd_t self:udp_socket create_socket_perms;
+
+allow radiusd_t radiusd_etc_t:file r_file_perms;
+allow radiusd_t radiusd_etc_t:dir r_dir_perms;
+allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
+files_search_etc(radiusd_t)
+
+allow radiusd_t radiusd_log_t:file create_file_perms;
+allow radiusd_t radiusd_log_t:dir { create rw_dir_perms };
+logging_create_log(radiusd_t,radiusd_log_t,{ file dir })
+
+allow radiusd_t radiusd_var_run_t:file create_file_perms;
+allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
+files_create_pid(radiusd_t,radiusd_var_run_t)
+
+kernel_read_kernel_sysctl(radiusd_t)
+kernel_read_system_state(radiusd_t)
+
+corenet_tcp_sendrecv_all_if(radiusd_t)
+corenet_udp_sendrecv_all_if(radiusd_t)
+corenet_raw_sendrecv_all_if(radiusd_t)
+corenet_tcp_sendrecv_all_nodes(radiusd_t)
+corenet_udp_sendrecv_all_nodes(radiusd_t)
+corenet_raw_sendrecv_all_nodes(radiusd_t)
+corenet_tcp_bind_all_nodes(radiusd_t)
+corenet_udp_bind_all_nodes(radiusd_t)
+corenet_tcp_sendrecv_all_ports(radiusd_t)
+corenet_udp_sendrecv_all_ports(radiusd_t)
+corenet_udp_bind_radacct_port(radiusd_t)
+corenet_udp_bind_radius_port(radiusd_t)
+# for RADIUS proxy port
+corenet_udp_bind_generic_port(radiusd_t)
+
+dev_read_sysfs(radiusd_t)
+
+fs_getattr_all_fs(radiusd_t)
+fs_search_auto_mountpoints(radiusd_t)
+
+term_dontaudit_use_console(radiusd_t)
+
+auth_read_shadow(radiusd_t)
+
+corecmd_exec_bin(radiusd_t)
+corecmd_exec_shell(radiusd_t)
+
+domain_use_wide_inherit_fd(radiusd_t)
+
+files_read_usr_files(radiusd_t)
+files_read_etc_files(radiusd_t)
+files_read_etc_runtime_files(radiusd_t)
+
+init_use_fd(radiusd_t)
+init_use_script_pty(radiusd_t)
+
+libs_use_ld_so(radiusd_t)
+libs_use_shared_libs(radiusd_t)
+libs_exec_lib_files(radiusd_t)
+
+logging_send_syslog_msg(radiusd_t)
+
+miscfiles_read_localization(radiusd_t)
+
+sysnet_read_config(radiusd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(radiusd_t)
+userdom_dontaudit_search_sysadm_home_dir(radiusd_t)
+userdom_dontaudit_getattr_sysadm_home_dir(radiusd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(radiusd_t)
+	term_dontaudit_use_generic_pty(radiusd_t)
+	files_dontaudit_read_root_file(radiusd_t)
+')
+
+optional_policy(`cron.te',`
+	cron_system_entry(radiusd_t,radiusd_exec_t)
+')
+
+optional_policy(`logrotate.te', `
+	logrotate_exec(radiusd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(radiusd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(radiusd_t)
+')
+
+optional_policy(`snmp.te',`
+	snmp_use(radiusd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(radiusd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(radiusd_t)
+')
+') dnl end TODO

refpolicy/policy/modules/services/snmp.if

@@ -1 +1,19 @@
 ## <summary>Simple network management protocol services</summary>
+
+########################################
+## <summary>
+##	Use snmp over a TCP connection.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`snmp_use',`
+	gen_require(`
+		type snmpd_t;
+	')
+
+	allow $1 snmpd_t:tcp_socket { connectto recvfrom };
+	allow snmpd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')

refpolicy/policy/modules/services/snmp.te

@@ -52,6 +52,7 @@ kernel_read_net_sysctl(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
 kernel_read_system_state(snmpd_t)
 kernel_read_network_state(snmpd_t)
+kernel_tcp_recvfrom(snmpd_t)
 
 corenet_tcp_sendrecv_all_if(snmpd_t)
 corenet_raw_sendrecv_all_if(snmpd_t)

refpolicy/policy/modules/system/userdomain.if

@@ -1740,7 +1740,7 @@ interface(`userdom_rw_sysadm_pipe',`
 ##	home directory.
 ## </summary>
 ## <param name="domain">
-##	Domain to not audit.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_getattr_sysadm_home_dir',`
@@ -1751,6 +1751,24 @@ interface(`userdom_getattr_sysadm_home_dir',`
 	allow $1 sysadm_home_dir_t:dir getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the sysadm users
+##	home directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_getattr_sysadm_home_dir',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Search the sysadm users home directory.

refpolicy/policy/modules/system/userdomain.te

@@ -235,6 +235,10 @@ ifdef(`targeted_policy',`
 		quota_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`radius.te',`
+		radius_use(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`rpm.te',`
 		rpm_run(sysadm_t,sysadm_r,admin_terminal)
 	')