From 45515556d404a513f11902a49476f100f2a39e85 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 12 Jun 2009 19:44:10 +0000
Subject: [PATCH] trunk: 10 patches from dan.
---
 policy/modules/services/dcc.fc | 3 +++
 policy/modules/services/dcc.te | 2 +-
 policy/modules/services/fail2ban.fc | 2 ++
 policy/modules/services/fail2ban.if | 21 ++++++++++++++++++++-
 policy/modules/services/fail2ban.te | 10 +++++++++-
 policy/modules/services/fetchmail.te | 3 ++-
 policy/modules/services/gpm.if | 2 +-
 policy/modules/services/gpm.te | 4 +++-
 policy/modules/services/rlogin.fc | 1 +
 policy/modules/services/rlogin.if | 27 +++++++++++++++++++++++++++
 policy/modules/services/rlogin.te | 7 ++++++-
 policy/modules/services/rshd.te | 6 +++++-
 policy/modules/services/rsync.te | 4 +++-
 policy/modules/services/tftp.if | 18 ++++++++++++++++++
 policy/modules/services/tftp.te | 2 +-
 policy/modules/services/ulogd.if | 19 +++++++++++++++++++
 policy/modules/services/ulogd.te | 2 +-
 policy/modules/services/zosremote.if | 2 +-
 policy/modules/services/zosremote.te | 2 +-
 19 files changed, 124 insertions(+), 13 deletions(-)
diff --git a/policy/modules/services/dcc.fc b/policy/modules/services/dcc.fc
index 45efbf11..ecda170a 100644
--- a/policy/modules/services/dcc.fc
+++ b/policy/modules/services/dcc.fc
@@ -13,6 +13,9 @@
 /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
 /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+
 /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
 /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
 /var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index 03c3dda5..437302f7 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
-policy_module(dcc, 1.7.2)
+policy_module(dcc, 1.7.3)
 ########################################
 #
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc
index c886ef55..0de2b83b 100644
--- a/policy/modules/services/fail2ban.fc
+++ b/policy/modules/services/fail2ban.fc
@@ -2,5 +2,7 @@
 /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+
+/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
 /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
 /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index d9fc7e1c..aa53435a 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -18,6 +18,25 @@ interface(`fail2ban_domtrans',`
 domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
 ')
+########################################
+##
+## Read fail2ban lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_read_lib_files',`
+ gen_require(`
+ type fail2ban_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 fail2ban_var_lib_t:file read_file_perms;
+')
+
 ########################################
 ##
 ## Allow the specified domain to read fail2ban's log files.
@@ -105,7 +124,7 @@ interface(`fail2ban_admin',`
 allow $1 fail2ban_t:process { ptrace signal_perms };
 ps_process_pattern($1, fail2ban_t)
- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 fail2ban_initrc_exec_t system_r;
 allow $2 system_r;
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index a9cde019..7be6eb0c 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
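Review bot: `fail2ban_read_lib_files` grants only `file read_file_perms` on `fail2ban_var_lib_t`, but the new fc entry `/var/lib/fail2ban(/.*)?` labels the directory itself with that type, so a caller gets no `search` on that directory and cannot actually reach the files. Replacing the allow with `read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)` grants the directory search together with the file read, and matches how `tftp_read_content` and the existing `ulogd_read_log` are written. The interface has no caller in this commit, so it is worth confirming the intended consumer and whether symlink reads are needed as well.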
@@ -1,5 +1,5 @@
-policy_module(fail2ban, 1.2.1)
+policy_module(fail2ban, 1.2.2)
 ########################################
 #
@@ -17,6 +17,9 @@ init_script_file(fail2ban_initrc_exec_t)
 type fail2ban_log_t;
 logging_log_file(fail2ban_log_t)
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
 # pid files
 type fail2ban_var_run_t;
 files_pid_file(fail2ban_var_run_t)
@@ -26,6 +29,7 @@ files_pid_file(fail2ban_var_run_t)
 # fail2ban local policy
 #
+allow fail2ban_t self:capability { sys_tty_config };
 allow fail2ban_t self:process signal;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -36,6 +40,10 @@ allow fail2ban_t fail2ban_log_t:dir setattr;
 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
+
 # pid file
 manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index af3947ac..734a58fb 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail, 1.8.1)
+policy_module(fetchmail, 1.8.2)
 ########################################
 #
@@ -9,6 +9,7 @@ policy_module(fetchmail, 1.8.1)
 type fetchmail_t;
 type fetchmail_exec_t;
 init_daemon_domain(fetchmail_t, fetchmail_exec_t)
+application_executable_file(fetchmail_exec_t)
 type fetchmail_var_run_t;
 files_pid_file(fetchmail_var_run_t)
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
index 2890beb3..1fecb115 100644
--- a/policy/modules/services/gpm.if
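Review bot: The new `allow fail2ban_t self:capability { sys_tty_config };` in the third fail2ban.te hunk carries no comment saying which fail2ban operation needs it, while every other group of rules in the visible context is introduced by a short header comment (`# pid files`, `# pid file`). If the capability request is only noise from a failing ioctl, a `dontaudit` is the conventional answer in this policy; if it is genuinely required, a one-line comment above the rule such as `# sys_tty_config: needed for <operation — TODO confirm>` keeps the grant reviewable. Please confirm which case applies before the version bump lands.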
+++ b/policy/modules/services/gpm.if
@@ -16,7 +16,7 @@ interface(`gpm_stream_connect',`
 type gpmctl_t, gpm_t;
 ')
- allow $1 gpmctl_t:sock_file { getattr write };
+ allow $1 gpmctl_t:sock_file rw_sock_file_perms;
 allow $1 gpm_t:unix_stream_socket connectto;
 ')
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index 786cd6d4..70ec2ab4 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -1,5 +1,5 @@
-policy_module(gpm, 1.6.0)
+policy_module(gpm, 1.6.1)
 ########################################
 #
@@ -54,6 +54,8 @@ dev_read_sysfs(gpm_t)
 dev_rw_input_dev(gpm_t)
 dev_rw_mouse(gpm_t)
+files_read_etc_files(gpm_t)
+
 fs_getattr_all_fs(gpm_t)
 fs_search_auto_mountpoints(gpm_t)
diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc
index b4478005..27853373 100644
--- a/policy/modules/services/rlogin.fc
+++ b/policy/modules/services/rlogin.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
 /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if
index d111a6f6..0e272a4d 100644
--- a/policy/modules/services/rlogin.if
+++ b/policy/modules/services/rlogin.if
@@ -18,3 +18,30 @@ interface(`rlogin_domtrans',`
 corecmd_search_bin($1)
 domtrans_pattern($1, rlogind_exec_t, rlogind_t)
 ')
+
+########################################
+##
+## read rlogin homedir content (.config)
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`rlogin_read_home_content',`
+ gen_require(`
+ type rlogind_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_files_pattern($1, rlogind_home_t, rlogind_home_t)
+ read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
+')
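Review bot: Widening `gpmctl_t:sock_file` from `{ getattr write }` to `rw_sock_file_perms` in `gpm_stream_connect` grants read and more on the socket node, which a `connect()` never needs; `write_sock_file_perms` is the narrower permission set this policy provides for exactly this case, so `allow $1 gpmctl_t:sock_file write_sock_file_perms;` fixes the denial while keeping the interface least-privilege. The commit does not say which missing permission motivated the change, so a short comment naming it would help the next reader. `gpm_stream_connect` opens above the hunk; only its body is visible here.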
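Review bot: The new `rlogin_read_home_content` is declared as a `template` and documented with two parameters (a user-domain prefix and a domain type), yet its body uses only `$1` as a domain and both callers added in this commit (`rlogin.te`, `rshd.te`) pass a single domain type such as `rlogind_t`. It should be an `interface` with one parameter documented as `Domain allowed access.`, the way `fail2ban_read_lib_files` and `tftp_read_content` are written in the same commit. The summary `read rlogin homedir content (.config)` also names a file the fc does not label; the only `rlogind_home_t` entry added is `HOME_DIR/\.rlogin`, so the summary should say `Read rlogin home directory content (.rlogin).`.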
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 2b87f325..8a70702f 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
-policy_module(rlogin, 1.8.3)
+policy_module(rlogin, 1.8.4)
 ########################################
 #
@@ -14,6 +14,9 @@ role system_r types rlogind_t;
 type rlogind_devpts_t; #, userpty_type;
 term_login_pty(rlogind_devpts_t)
+type rlogind_home_t;
+userdom_user_home_content(rlogind_home_t)
+
 type rlogind_tmp_t;
 files_tmp_file(rlogind_tmp_t)
@@ -90,6 +93,8 @@ userdom_read_user_home_content_files(rlogind_t)
 remotelogin_domtrans(rlogind_t)
 remotelogin_signal(rlogind_t)
+rlogin_read_home_content(rlogind_t)
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_list_nfs(rlogind_t)
 fs_read_nfs_files(rlogind_t)
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index f338d636..3ec9ba49 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -1,5 +1,5 @@
-policy_module(rshd, 1.6.1)
+policy_module(rshd, 1.6.2)
 ########################################
 #
@@ -83,6 +83,10 @@ optional_policy(`
 kerberos_manage_host_rcache(rshd_t)
 ')
+optional_policy(`
+ rlogin_read_home_content(rshd_t)
+')
+
 optional_policy(`
 tcpd_wrapped_domain(rshd_t, rshd_exec_t)
 ')
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index f9e9396a..d4cda957 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync, 1.8.3)
+policy_module(rsync, 1.8.4)
 ########################################
 #
@@ -119,6 +119,8 @@ optional_policy(`
 tunable_policy(`rsync_export_all_ro',`
 fs_read_noxattr_fs_files(rsync_t)
+ fs_read_nfs_files(rsync_t)
+ fs_read_cifs_files(rsync_t)
 auth_read_all_dirs_except_shadow(rsync_t)
 auth_read_all_files_except_shadow(rsync_t)
 auth_read_all_symlinks_except_shadow(rsync_t)
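Review bot: In the third rlogin.te hunk the module calls its own interface, `rlogin_read_home_content(rlogind_t)`; the usual refpolicy practice is to write a module's own rules directly in the .te and keep .if interfaces for other modules, so the search/list/read rules belong inline here. The hunk header shows `userdom_read_user_home_content_files(rlogind_t)` already in force, and the declarations hunk marks `rlogind_home_t` with `userdom_user_home_content()`, so this read access is probably already granted through the user-home-content attribute and the new call may be redundant — worth confirming against userdomain.if before keeping it. The block enclosing `remotelogin_domtrans(rlogind_t)` begins outside the hunk.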
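Review bot: The added `fs_read_nfs_files(rsync_t)` and `fs_read_cifs_files(rsync_t)` grant file reads but no directory listing, so an `rsync_export_all_ro` export that walks an NFS or CIFS tree would still be denied on the directories; the rlogin.te hunk in this same commit shows the expected pairing, `fs_list_nfs(rlogind_t)` next to `fs_read_nfs_files(rlogind_t)`. Before adding `fs_list_nfs(rsync_t)` and `fs_list_cifs(rsync_t)`, check whether the context line `fs_read_noxattr_fs_files(rsync_t)` directly above already covers both filesystems, since NFS and CIFS are noxattr filesystems; if it does, the two new lines add nothing. The `tunable_policy(`rsync_export_all_ro',`` block closes outside the hunk.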
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 9213db05..2cbde687 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -1,5 +1,23 @@
 ## Trivial file transfer protocol daemon
+########################################
+##
+## Read tftp content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tftp_read_content',`
+ gen_require(`
+ type tftpdir_t;
+ ')
+
+ read_files_pattern($1, tftpdir_t, tftpdir_t)
+')
+
 ########################################
 ##
 ## All of the rules required to administrate
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 56a81d9f..0de90436 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp, 1.10.2)
+policy_module(tftp, 1.10.3)
 ########################################
 #
diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
index 9fb81752..4a2118e0 100644
--- a/policy/modules/services/ulogd.if
+++ b/policy/modules/services/ulogd.if
@@ -60,6 +60,25 @@ interface(`ulogd_read_log',`
 read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
 ')
+#######################################
+##
+## Allow the specified domain to search ulogd's log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ulogd_search_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir search_dir_perms;
+')
+
 ########################################
 ##
 ## Allow the specified domain to append to ulogd's log files.
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
index f6c2d11b..bb0a6828 100644
--- a/policy/modules/services/ulogd.te
+++ b/policy/modules/services/ulogd.te
@@ -1,5 +1,5 @@
-policy_module(ulogd, 1.0.0)
+policy_module(ulogd, 1.0.1)
 ########################################
 #
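Review bot: `tftp_read_content` allows reading `tftpdir_t` files but grants no search on the parent directories leading to them, unlike `fail2ban_read_lib_files` (`files_search_var_lib($1)`) and `ulogd_search_log` (`logging_search_logs($1)`) added in this same commit, so a caller without path access of its own will still be denied before it reaches the files. Which parent-search interface is right depends on where `tftpdir_t` is labeled in tftp.fc, which is not part of this diff; that call should precede the `read_files_pattern` line. The summary `Read tftp content` also lacks the terminating period the sibling summaries use.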
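Review bot: The parameter summary for `ulogd_search_log` reads `Domain allowed to transition.`, text copied from a domain-transition interface; nothing here transitions, so it should read `Domain allowed access.` like the other interfaces added in this commit. The `#` separator above the summary also appears one character shorter than the 40-column rule the neighbouring interfaces use, which is worth normalising while the block is new.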
diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
index 3e49a8cc..84d4ddf1 100644
--- a/policy/modules/services/zosremote.if
+++ b/policy/modules/services/zosremote.if
@@ -12,7 +12,7 @@
 #
 interface(`zosremote_domtrans',`
 gen_require(`
- type zos_remote_t, type zos_remote_exec_t;
+ type zos_remote_t, zos_remote_exec_t;
 ')
 domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
index bdddee35..a93d6385 100644
--- a/policy/modules/services/zosremote.te
+++ b/policy/modules/services/zosremote.te
@@ -1,4 +1,4 @@
-policy_module(zosremote,1.0.0)
+policy_module(zosremote, 1.0.1)
 ########################################
 #