patch from dan Wed, 26 Jul 2006 14:42:46 -0400

policy/global_booleans

@@ -4,6 +4,7 @@
 # file should be used.
 #
 
+ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Enabling secure mode disallows programs, such as
@@ -12,6 +13,7 @@
 ## </p>
 ## </desc>
 gen_bool(secure_mode,false)
+')
 
 ## <desc>
 ## <p>

policy/global_tunables

@@ -17,6 +17,14 @@
 #
 gen_tunable(allow_cvs_read_shadow,false)
 
+## <desc>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
+## </desc>
+#
+gen_tunable(allow_zebra_write_config,false)
+
 ## <desc>
 ## <p>
 ## Allow making the heap executable.
@@ -87,6 +95,13 @@ gen_tunable(allow_gssd_read_tmp,true)
 ## </desc>
 gen_tunable(allow_httpd_anon_write,false)
 
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
 ## <desc>
 ## <p>
 ## Allow java executable stack
@@ -132,12 +147,6 @@ gen_tunable(allow_saslauthd_read_shadow,false)
 ## </desc>
 gen_tunable(allow_smbd_anon_write,false)
 
-## <desc>
-## <p>
-## Allow sysadm to ptrace all processes
-## </p>
-## </desc>
-gen_tunable(allow_ptrace,false)
 
 ## <desc>
 ## <p>
@@ -288,13 +297,6 @@ gen_tunable(pppd_can_insmod,false)
 ## </desc>
 gen_tunable(read_default_t,false)
 
-## <desc>
-## <p>
-## Allow ssh to run from inetd instead of as a daemon.
-## </p>
-## </desc>
-gen_tunable(run_ssh_inetd,false)
-
 ## <desc>
 ## <p>
 ## Allow samba to export user home directories.
@@ -309,13 +311,6 @@ gen_tunable(samba_enable_home_dirs,false)
 ## </desc>
 gen_tunable(samba_share_nfs,false)
 
-## <desc>
-## <p>
-## Allow spamassassin to do DNS lookups
-## </p>
-## </desc>
-gen_tunable(spamassasin_can_network,false)
-
 ## <desc>
 ## <p>
 ## Allow squid to connect to all ports, not just
@@ -324,13 +319,6 @@ gen_tunable(spamassasin_can_network,false)
 ## </desc>
 gen_tunable(squid_connect_any,false)
 
-## <desc>
-## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
-## </p>
-## </desc>
-gen_tunable(ssh_sysadm_login,false)
-
 ## <desc>
 ## <p>
 ## Configure stunnel to be a standalone daemon or
@@ -353,6 +341,12 @@ gen_tunable(use_nfs_home_dirs,false)
 ## </desc>
 gen_tunable(use_samba_home_dirs,false)
 
+########################################
+#
+# Strict policy specific
+#
+
+ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Control users use of ping and traceroute
@@ -360,12 +354,6 @@ gen_tunable(use_samba_home_dirs,false)
 ## </desc>
 gen_tunable(user_ping,false)
 
-########################################
-#
-# Strict policy specific
-#
-
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allow gpg executable stack
@@ -380,6 +368,13 @@ gen_tunable(allow_gpg_execstack,false)
 ## </desc>
 gen_tunable(allow_mplayer_execstack,false)
 
+## <desc>
+## <p>
+## Allow sysadm to ptrace all processes
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
 ## <desc>
 ## <p>
 ## allow host key based authentication
@@ -480,6 +475,13 @@ gen_tunable(pppd_for_user,false)
 ## </desc>
 gen_tunable(read_untrusted_content,false)
 
+## <desc>
+## <p>
+## Allow ssh to run from inetd instead of as a daemon.
+## </p>
+## </desc>
+gen_tunable(run_ssh_inetd,false)
+
 ## <desc>
 ## <p>
 ## Allow user spamassassin clients to use the network.
@@ -487,6 +489,13 @@ gen_tunable(read_untrusted_content,false)
 ## </desc>
 gen_tunable(spamassassin_can_network,false)
 
+## <desc>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login,false)
+
 ## <desc>
 ## <p>
 ## Allow staff_r users to search the sysadm home 

policy/mcs

@@ -160,7 +160,7 @@ mlsconstrain process { transition dyntransition }
 	(( h1 dom h2 ) or ( t1 == mcssetcats ));
 
 mlsconstrain process { ptrace }
-	( h1 dom h2 );
+	(( h1 dom h2) or ( t1 == mcsptraceall ));
 
 mlsconstrain process { sigkill sigstop }
 	(( h1 dom h2 ) or ( t1 == mcskillall ));

policy/modules/admin/bootloader.te

@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.2.4)
+policy_module(bootloader,1.2.5)
 
 ########################################
 #
@@ -48,7 +48,7 @@ logging_log_file(var_log_ksyms_t)
 # bootloader local policy
 #
 
-allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
 allow bootloader_t self:process { sigkill sigstop signull signal execmem };
 allow bootloader_t self:fifo_file rw_file_perms;
 
@@ -67,6 +67,7 @@ files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file b
 files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
 
 kernel_getattr_core_if(bootloader_t)
+kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
 kernel_read_kernel_sysctls(bootloader_t)
@@ -86,7 +87,10 @@ dev_read_sysfs(bootloader_t)
 dev_read_raw_memory(bootloader_t)
 
 fs_getattr_xattr_fs(bootloader_t)
+fs_getattr_tmpfs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
+#Needed for ia64
+fs_manage_dos_files(bootloader_t)
 
 mls_file_read_up(bootloader_t)
 

policy/modules/admin/firstboot.te

@@ -1,5 +1,5 @@
 
-policy_module(firstboot,1.1.2)
+policy_module(firstboot,1.1.3)
 
 gen_require(`
 	class passwd rootok;
@@ -105,6 +105,10 @@ ifdef(`targeted_policy',`
 	unconfined_domtrans(firstboot_t)
 ')
 
+optional_policy(`
+	hal_dbus_send(firstboot_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(firstboot_t)
 ')

policy/modules/admin/netutils.te

@@ -1,5 +1,5 @@
 
-policy_module(netutils,1.1.4)
+policy_module(netutils,1.1.5)
 
 ########################################
 #
@@ -211,12 +211,12 @@ sysnet_read_config(traceroute_t)
 ifdef(`targeted_policy',`
 	term_use_unallocated_ttys(traceroute_t)
 	term_use_generic_ptys(traceroute_t)
-')
+',`
-
 	tunable_policy(`user_ping',`
 		term_use_all_user_ttys(traceroute_t)
 		term_use_all_user_ptys(traceroute_t)
 	')
+')
 
 optional_policy(`
 	nis_use_ypbind(traceroute_t)

policy/modules/admin/prelink.te

@@ -1,5 +1,5 @@
 
-policy_module(prelink,1.1.4)
+policy_module(prelink,1.1.5)
 
 ########################################
 #
@@ -48,6 +48,7 @@ corecmd_manage_all_executables(prelink_t)
 corecmd_relabel_all_executables(prelink_t)
 corecmd_mmap_all_executables(prelink_t)
 corecmd_read_sbin_symlinks(prelink_t)
+corecmd_read_bin_symlinks(prelink_t)
 
 dev_read_urand(prelink_t)
 

policy/modules/admin/rpm.if

@@ -211,7 +211,7 @@ interface(`rpm_read_db',`
 
 	files_search_var_lib($1)
 	allow $1 rpm_var_lib_t:dir r_dir_perms;
-	allow $1 rpm_var_lib_t:file { getattr read };
+	allow $1 rpm_var_lib_t:file r_file_perms;
 	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
 ')
 
@@ -232,8 +232,8 @@ interface(`rpm_manage_db',`
 
 	files_search_var_lib($1)
 	allow $1 rpm_var_lib_t:dir rw_dir_perms;
-	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
+	allow $1 rpm_var_lib_t:file manage_file_perms;
-	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+	allow $1 rpm_var_lib_t:lnk_file create_lnk_perms;
 ')
 
 ########################################

policy/modules/admin/rpm.te

@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.3.9)
+policy_module(rpm,1.3.10)
 
 ########################################
 #

policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.3.7)
+policy_module(usermanage,1.3.8)
 
 ########################################
 #
@@ -260,6 +260,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nscd_exec(groupadd_t)
 	nscd_socket_use(groupadd_t)
 ')
 
@@ -534,6 +535,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nscd_exec(useradd_t)
 	nscd_socket_use(useradd_t)
 ')
 

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.12)
+policy_module(corenetwork,1.1.13)
 
 ########################################
 #
@@ -62,7 +62,7 @@ network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
-network_port(bgp, tcp,179,s0, udp,179,s0)
+network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
 network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
@@ -145,7 +145,7 @@ network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
-network_port(zebra, tcp,2601,s0)
+network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
 network_port(zope, tcp,8021,s0)
 
 # Defaults for reserved ports.  Earlier portcon entries take precedence;

policy/modules/kernel/devices.fc

@@ -19,7 +19,9 @@
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
+/dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
+/dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -54,6 +56,7 @@
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
+/dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)

policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.14)
+policy_module(devices,1.1.15)
 
 ########################################
 #

policy/modules/kernel/files.fc

@@ -11,6 +11,7 @@
 ifdef(`distro_redhat',`
 /\.autofsck		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /\.autorelabel		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/\.suspended		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /fastboot 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /forcefsck 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)

policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.12)
+policy_module(files,1.2.13)
 
 ########################################
 #

policy/modules/kernel/filesystem.if

@@ -1017,6 +1017,26 @@ interface(`fs_relabelfrom_dos_fs',`
 	allow $1 dosfs_t:filesystem relabelfrom;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_dos_files',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	allow $1 dosfs_t:dir rw_dir_perms;
+	allow $1 dosfs_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read eventpollfs files.

policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.3.12)
+policy_module(filesystem,1.3.13)
 
 ########################################
 #

policy/modules/kernel/mcs.if

@@ -6,7 +6,7 @@
 ########################################
 ## <summary>
 ##	This domain is allowed to sigkill and sigstop 
-##	all domains regardless of their MCS level.
+##	all domains regardless of their MCS category set.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -22,6 +22,26 @@ interface(`mcs_killall',`
 	typeattribute $1 mcskillall;
 ')
 
+########################################
+## <summary>
+##	This domain is allowed to ptrace
+##	all domains regardless of their MCS
+##	category set.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain target for user exemption.
+##	</summary>
+## </param>
+#
+interface(`mcs_ptrace_all',`
+	gen_require(`
+		attribute mcsptraceall;
+	')
+
+	typeattribute $1 mcsptraceall;
+')
+
 ########################################
 ## <summary>
 ##	Make specified domain MCS trusted

policy/modules/kernel/mcs.te

@@ -1,5 +1,5 @@
 
-policy_module(mcs,1.0.2)
+policy_module(mcs,1.0.3)
 
 ########################################
 #
@@ -7,6 +7,7 @@ policy_module(mcs,1.0.2)
 #
 
 attribute mcskillall;
+attribute mcsptraceall;
 attribute mcssetcats;
 
 ########################################

policy/modules/kernel/selinux.if

@@ -150,7 +150,11 @@ interface(`selinux_set_enforce_mode',`
 
 	if(!secure_mode_policyload) {
 		allow $1 security_t:security setenforce;
+
+		ifdef(`distro_rhel4',`
+			# needed for systems without audit support
 			auditallow $1 security_t:security setenforce;
+		')
 	}
 ')
 
@@ -177,7 +181,11 @@ interface(`selinux_load_policy',`
 
 	if(!secure_mode_policyload) {
 		allow $1 security_t:security load_policy;
+
+		ifdef(`distro_rhel4',`
+			# needed for systems without audit support
 			auditallow $1 security_t:security load_policy;
+		')
 	}
 ')
 

policy/modules/kernel/selinux.te

@@ -1,5 +1,5 @@
 
-policy_module(selinux,1.1.1)
+policy_module(selinux,1.1.2)
 
 ########################################
 #
@@ -40,10 +40,9 @@ allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setb
 
 if(!secure_mode_policyload) {
 	allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
-	auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
 
 	ifdef(`distro_rhel4',`
 		# needed for systems without audit support
-		auditallow selinux_unconfined_type security_t:security setbool;
+		auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
 	')
 }

policy/modules/kernel/storage.fc

@@ -23,6 +23,7 @@
 /dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)

policy/modules/kernel/storage.te

@@ -1,5 +1,5 @@
 
-policy_module(storage,1.0.1)
+policy_module(storage,1.0.2)
 
 ########################################
 #

policy/modules/services/automount.te

@@ -1,5 +1,5 @@
 
-policy_module(automount,1.2.7)
+policy_module(automount,1.2.8)
 
 ########################################
 #
@@ -36,10 +36,12 @@ allow automount_t self:unix_stream_socket create_socket_perms;
 allow automount_t self:unix_dgram_socket create_socket_perms;
 allow automount_t self:tcp_socket create_stream_socket_perms;
 allow automount_t self:udp_socket create_socket_perms;
+allow automount_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow automount_t automount_etc_t:file { getattr read };
 # because config files can be shell scripts
 can_exec(automount_t, automount_etc_t)
+can_exec(automount_t, automount_exec_t)
 
 allow automount_t automount_lock_t:file create_file_perms;
 files_lock_filetrans(automount_t,automount_lock_t,file)
@@ -168,6 +170,12 @@ optional_policy(`
 	fstools_domtrans(automount_t)
 ')
 
+optional_policy(`
+	kerberos_read_keytab(automount_t)
+	kerberos_read_config(automount_t)
+	kerberos_dontaudit_write_config(automount_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(automount_t)
 ')

policy/modules/services/avahi.te

@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.2.3)
+policy_module(avahi,1.2.4)
 
 ########################################
 #
@@ -78,6 +78,7 @@ logging_send_syslog_msg(avahi_t)
 miscfiles_read_localization(avahi_t)
 
 sysnet_read_config(avahi_t)
+sysnet_use_ldap(avahi_t)
 
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_sysadm_home_dirs(avahi_t)

policy/modules/services/bind.fc

@@ -28,6 +28,7 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones  --	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/named\.conf	   --	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)

policy/modules/services/bind.te

@@ -1,5 +1,5 @@
 
-policy_module(bind,1.1.6)
+policy_module(bind,1.1.7)
 
 ########################################
 #

policy/modules/services/bluetooth.if

@@ -1,5 +1,26 @@
 ## <summary>Bluetooth tools and system services.</summary>
 
+########################################
+## <summary>
+##	Execute bluetooth in the bluetooth domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_domtrans',`
+	gen_require(`
+		type bluetooth_t, bluetooth_exec_t;
+	')
+
+	domain_auto_trans($1,bluetooth_exec_t,bluetooth_t)
+	allow bluetooth_t $1:fd use;
+	allow bluetooth_t $1:fifo_file rw_file_perms;
+	allow bluetooth_t $1:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	Read bluetooth daemon configuration.

policy/modules/services/bluetooth.te

@@ -1,5 +1,5 @@
 
-policy_module(bluetooth,1.2.8)
+policy_module(bluetooth,1.2.9)
 
 ########################################
 #
@@ -173,6 +173,7 @@ allow bluetooth_helper_t self:fifo_file rw_file_perms;
 allow bluetooth_helper_t self:shm create_shm_perms;
 allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow bluetooth_helper_t bluetooth_t:socket { read write };
 
@@ -222,6 +223,8 @@ ifdef(`targeted_policy',`
 	userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
 
 	optional_policy(`
+	        corenet_tcp_connect_xserver_port(bluetooth_helper_t)
+
 		xserver_stream_connect_xdm(bluetooth_helper_t)
 		xserver_use_xdm_fds(bluetooth_helper_t)
 		xserver_rw_xdm_pipes(bluetooth_helper_t)

policy/modules/services/clamav.fc

@@ -7,9 +7,10 @@
 
 /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
+/var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav/clamd\.ctl	-s	gen_context(system_u:object_r:clamd_sock_t,s0)
 /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
 /var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)

policy/modules/services/clamav.if

@@ -35,11 +35,11 @@ interface(`clamav_domtrans',`
 #
 interface(`clamav_stream_connect',`
 	gen_require(`
-		type clamd_t, clamd_sock_t, clamd_var_run_t;
+		type clamd_t, clamd_var_run_t;
 	')
 
 	allow $1 clamd_var_run_t:dir search;
-	allow $1 clamd_sock_t:sock_file write;
+	allow $1 clamd_var_run_t:sock_file write;
 	allow $1 clamd_t:unix_stream_socket connectto;
 ')
 

policy/modules/services/clamav.te

@@ -1,5 +1,5 @@
 
-policy_module(clamav,1.0.4)
+policy_module(clamav,1.0.5)
 
 ########################################
 #
@@ -15,10 +15,6 @@ init_daemon_domain(clamd_t, clamd_exec_t)
 type clamd_etc_t;
 files_type(clamd_etc_t)
 
-# named socket type
-type clamd_sock_t;
-files_type(clamd_sock_t)
-
 # tmp files
 type clamd_tmp_t;
 files_tmp_file(clamd_tmp_t)
@@ -34,6 +30,7 @@ files_type(clamd_var_lib_t)
 # pid files
 type clamd_var_run_t;
 files_pid_file(clamd_var_run_t)
+typealias clamd_var_run_t alias clamd_sock_t;
 
 type clamscan_t;
 type clamscan_exec_t;
@@ -67,12 +64,6 @@ allow clamd_t clamd_etc_t:dir r_dir_perms;
 allow clamd_t clamd_etc_t:file r_file_perms;
 allow clamd_t clamd_etc_t:lnk_file { getattr read };
 
-# socket file
-allow clamd_t clamd_sock_t:file manage_file_perms;
-allow clamd_t clamd_sock_t:sock_file manage_file_perms;
-allow clamd_t clamd_sock_t:dir rw_dir_perms;
-files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
-
 # tmp files
 allow clamd_t clamd_tmp_t:file create_file_perms;
 allow clamd_t clamd_tmp_t:dir create_dir_perms;
@@ -80,14 +71,10 @@ files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir })
 
 # var/lib files for clamd
 allow clamd_t clamd_var_lib_t:file create_file_perms;
-allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
 allow clamd_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
 
 # log files
 allow clamd_t clamd_var_log_t:file create_file_perms;
-allow clamd_t clamd_var_log_t:sock_file create_file_perms;
 allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
 logging_log_filetrans(clamd_t,clamd_var_log_t,file)
 
@@ -161,10 +148,7 @@ allow freshclam_t clamd_etc_t:lnk_file { getattr read };
 
 # var/lib files together with clamd
 allow freshclam_t clamd_var_lib_t:file create_file_perms;
-allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
 allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
 
 # pidfiles- var/run together with clamd
 allow freshclam_t clamd_var_run_t:file manage_file_perms;
@@ -174,7 +158,6 @@ files_pid_filetrans(freshclam_t,clamd_var_run_t,file)
 
 # log files (own logfiles only)
 allow freshclam_t freshclam_var_log_t:file create_file_perms;
-allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
 allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
 allow freshclam_t clamd_var_log_t:dir search;
 logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
@@ -234,7 +217,6 @@ files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
 
 # var/lib files together with clamd
 allow clamscan_t clamd_var_lib_t:file r_file_perms;
-allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
 allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
 
 kernel_read_kernel_sysctls(clamscan_t)

policy/modules/services/cyrus.te

@@ -1,5 +1,5 @@
 
-policy_module(cyrus,1.1.3)
+policy_module(cyrus,1.1.4)
 
 ########################################
 #
@@ -41,6 +41,7 @@ allow cyrus_t self:unix_dgram_socket sendto;
 allow cyrus_t self:unix_stream_socket connectto;
 allow cyrus_t self:tcp_socket create_stream_socket_perms;
 allow cyrus_t self:udp_socket create_socket_perms;
+allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
 allow cyrus_t cyrus_tmp_t:file create_file_perms;
@@ -122,6 +123,10 @@ optional_policy(`
 	cron_system_entry(cyrus_t,cyrus_exec_t)
 ')
 
+optional_policy(`
+	ldap_stream_connect(cyrus_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(cyrus_t)
 ')

policy/modules/services/dovecot.fc

@@ -28,6 +28,8 @@ ifdef(`distro_redhat', `
 #
 /var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
 
+/var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
 /var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
 
 

policy/modules/services/dovecot.te

@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.2.4)
+policy_module(dovecot,1.2.5)
 
 ########################################
 #
@@ -9,6 +9,12 @@ type dovecot_t;
 type dovecot_exec_t;
 init_daemon_domain(dovecot_t,dovecot_exec_t)
 
+type dovecot_auth_t;
+type dovecot_auth_exec_t;
+domain_type(dovecot_auth_t)
+domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
+role system_r types dovecot_auth_t;
+
 type dovecot_cert_t;
 files_type(dovecot_cert_t)
 
@@ -21,15 +27,13 @@ files_type(dovecot_passwd_t)
 type dovecot_spool_t;
 files_type(dovecot_spool_t)
 
+# /var/lib/dovecot holds SSL parameters file
+type dovecot_var_lib_t;
+files_type(dovecot_var_lib_t) 
+
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
 
-type dovecot_auth_t;
-type dovecot_auth_exec_t;
-domain_type(dovecot_auth_t)
-domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
-role system_r types dovecot_auth_t;
-
 ########################################
 #
 # dovecot local policy
@@ -161,6 +165,11 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write io
 
 allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 
+# Allow dovecot to create and read SSL parameters file
+allow dovecot_t dovecot_var_lib_t:dir rw_dir_perms;
+allow dovecot_t dovecot_var_lib_t:file manage_file_perms;
+files_search_var_lib(dovecot_t)
+
 allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
 
 kernel_read_all_sysctls(dovecot_auth_t)

policy/modules/services/ftp.te

@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.2.6)
+policy_module(ftp,1.2.7)
 
 ########################################
 #
@@ -50,6 +50,7 @@ allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
 allow ftpd_t self:tcp_socket create_stream_socket_perms;
 allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow ftpd_t ftpd_etc_t:file r_file_perms;
 
@@ -205,6 +206,12 @@ tunable_policy(`ftpd_is_daemon',`
 	corenet_tcp_bind_ftp_port(ftpd_t)
 ')
 
+optional_policy(`
+	tunable_policy(`ftp_home_dir',`
+		apache_search_sys_content(ftpd_t)
+	')
+')
+
 optional_policy(`
 	corecmd_exec_shell(ftpd_t)
 

policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.10)
+policy_module(hal,1.3.11)
 
 ########################################
 #
@@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
 #
 
 # execute openvt which needs setuid
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { audit_write chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
@@ -152,6 +152,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_files(hald_t)
 ')
 
+optional_policy(`
+	bootloader_domtrans(hald_t)
+')
+
 optional_policy(`
 	# For /usr/libexec/hald-addon-acpi
 	# writes to /var/run/acpid.socket
@@ -162,6 +166,10 @@ optional_policy(`
 	bind_search_cache(hald_t)
 ')
 
+optional_policy(`
+	bluetooth_domtrans(hald_t)
+')
+
 optional_policy(`
 	clock_domtrans(hald_t)
 ')

policy/modules/services/inetd.te

@@ -1,5 +1,5 @@
 
-policy_module(inetd,1.1.4)
+policy_module(inetd,1.1.5)
 
 ########################################
 #
@@ -218,9 +218,11 @@ miscfiles_read_localization(inetd_child_t)
 
 sysnet_read_config(inetd_child_t)
 
+ifdef(`strict_policy',`
 	tunable_policy(`run_ssh_inetd',`
 		corenet_tcp_bind_ssh_port(inetd_t)
 	')
+')
 
 optional_policy(`
 	tunable_policy(`ftpd_is_daemon',`

policy/modules/services/ldap.fc

@@ -6,6 +6,7 @@
 /var/lib/ldap(/.*)?		gen_context(system_u:object_r:slapd_db_t,s0)
 /var/lib/ldap/replog(/.*)?	gen_context(system_u:object_r:slapd_replog_t,s0)
 
+/var/run/ldapi		-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
 /var/run/openldap(/.*)?		gen_context(system_u:object_r:slapd_var_run_t,s0)
 /var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
 /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)

policy/modules/services/ldap.if

@@ -57,3 +57,24 @@ interface(`ldap_use',`
 	allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
 	kernel_tcp_recvfrom($1)
 ')
+
+
+########################################
+## <summary>
+##	Connect to slapd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ldap_stream_connect',`
+	gen_require(`
+		type slapd_t, slapd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 slapd_var_run_t:sock_file write;
+	allow $1 slapd_t:unix_stream_socket connectto;
+')

policy/modules/services/ldap.te

@@ -1,5 +1,5 @@
 
-policy_module(ldap,1.2.3)
+policy_module(ldap,1.2.4)
 
 ########################################
 #

policy/modules/services/lpd.if

@@ -62,6 +62,7 @@ template(`lpd_per_userdomain_template',`
 	allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_lpr_t self:tcp_socket create_socket_perms;
 	allow $1_lpr_t self:udp_socket create_socket_perms;
+	allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
 	
 	# lpr can run in lightweight mode, without a local print spooler.
 	allow $1_lpr_t lpd_var_run_t:dir search;
@@ -109,7 +110,9 @@ template(`lpd_per_userdomain_template',`
 	allow lpd_t $1_print_spool_t:file link_file_perms;
 
 	kernel_tcp_recvfrom($1_lpr_t)
+	kernel_read_kernel_sysctls($1_lpr_t)
 
+	corenet_non_ipsec_sendrecv($1_lpr_t)
 	corenet_tcp_sendrecv_generic_if($1_lpr_t)
 	corenet_udp_sendrecv_generic_if($1_lpr_t)
 	corenet_tcp_sendrecv_all_nodes($1_lpr_t)
@@ -119,8 +122,8 @@ template(`lpd_per_userdomain_template',`
 	corenet_tcp_connect_all_ports($1_lpr_t)
 	corenet_sendrecv_all_client_packets($1_lpr_t)
 
-	# for /dev/null
+	dev_read_rand($1_lpr_t)
-	dev_list_all_dev_nodes($1_lpr_t)
+	dev_read_urand($1_lpr_t)
 
 	domain_use_interactive_fds($1_lpr_t)
 
@@ -149,6 +152,8 @@ template(`lpd_per_userdomain_template',`
 	userdom_read_user_tmp_symlinks($1,$1_lpr_t)
 	# Write to the user domain tty.
 	userdom_use_user_terminals($1,$1_lpr_t)
+	userdom_read_user_home_content_files($1,$1_lpr_t)
+	userdom_read_user_tmp_files($1,$1_lpr_t)
 
 	tunable_policy(`read_default_t',`
 		files_list_default($1_lpr_t)
@@ -158,8 +163,6 @@ template(`lpd_per_userdomain_template',`
 
 	tunable_policy(`read_untrusted_content',`
 		#list and read user specific untrusted content
-		files_list_home($1_lpr_t)
-		userdom_list_user_home_dirs($1,$1_lpr_t)
 		userdom_read_user_untrusted_content_files($1,$1_lpr_t)
 
 		#list and read user specific temporary untrusted content
@@ -186,6 +189,7 @@ template(`lpd_per_userdomain_template',`
 		cups_tcp_connect($1_lpr_t)
 		cups_read_config($2)
 		cups_tcp_connect($2)
+		cups_stream_connect($1_lpr_t)
 	')
 
 	optional_policy(`
@@ -199,14 +203,6 @@ template(`lpd_per_userdomain_template',`
 	optional_policy(`
 		nis_use_ypbind($1_lpr_t)
 	')
-
-	ifdef(`TODO',`
-	optional_policy(`
-		allow $1_lpr_t xdm_t:fd use;
-		allow $1_lpr_t xdm_var_run_t:dir search;
-		allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
-	')
-	') dnl end TODO
 ')
 
 #######################################

policy/modules/services/lpd.te

@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.2.4)
+policy_module(lpd,1.2.5)
 
 ########################################
 #

policy/modules/services/mailman.te

@@ -1,5 +1,5 @@
 
-policy_module(mailman,1.1.5)
+policy_module(mailman,1.1.6)
 
 ########################################
 #
@@ -30,12 +30,16 @@ mailman_domain_template(queue)
 # Mailman CGI local policy
 #
 
-# cjp: the template invocation for queue should be
+# cjp: the template invocation for cgi should be
 # in the below optional policy; however, there are no
 # optionals for file contexts yet, so it is promoted
 # to global scope until such facilities exist.
 
 optional_policy(`
+	allow mailman_cgi_t self:netlink_route_socket r_netlink_socket_perms;
+
+	dev_read_urand(mailman_cgi_t)
+
 	allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
 	allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
 	allow mailman_cgi_t mailman_archive_t:file create_file_perms;
@@ -52,6 +56,10 @@ optional_policy(`
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
 	apache_search_sys_script_state(mailman_cgi_t)
+
+	optional_policy(`
+		nscd_socket_use(mailman_cgi_t)
+	')
 ')
 
 ########################################

policy/modules/services/nis.te

@@ -1,5 +1,5 @@
 
-policy_module(nis,1.1.5)
+policy_module(nis,1.1.6)
 
 ########################################
 #
@@ -86,6 +86,7 @@ corenet_udp_bind_generic_port(ypbind_t)
 corenet_tcp_bind_reserved_port(ypbind_t)
 corenet_udp_bind_reserved_port(ypbind_t)
 corenet_tcp_bind_all_rpc_ports(ypbind_t)
+corenet_udp_bind_all_rpc_ports(ypbind_t)
 corenet_tcp_connect_all_ports(ypbind_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)

policy/modules/services/nscd.if

@@ -42,6 +42,25 @@ interface(`nscd_domtrans',`
 	allow nscd_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to execute nscd
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_exec',`
+	gen_require(`
+		type nscd_exec_t;
+	')
+
+	can_exec($1,nscd_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Use NSCD services by connecting using

policy/modules/services/nscd.te

@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.2.6)
+policy_module(nscd,1.2.7)
 
 gen_require(`
 	class nscd all_nscd_perms;

policy/modules/services/openvpn.te

@@ -1,5 +1,5 @@
 
-policy_module(openvpn,1.0.2)
+policy_module(openvpn,1.0.3)
 
 ########################################
 #
@@ -33,6 +33,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow openvpn_t self:udp_socket create_socket_perms;
 allow openvpn_t self:tcp_socket create_socket_perms;
+allow openvpn_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow openvpn_t openvpn_etc_t:dir r_dir_perms;
 allow openvpn_t openvpn_etc_t:file r_file_perms;
@@ -67,12 +68,15 @@ corenet_udp_bind_openvpn_port(openvpn_t)
 corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_rw_tun_tap_dev(openvpn_t)
 
+dev_search_sysfs(openvpn_t)
 dev_read_rand(openvpn_t)
 dev_read_urand(openvpn_t)
 
 files_read_etc_files(openvpn_t)
 files_read_etc_runtime_files(openvpn_t)
 
+init_use_fds(openvpn_t)
+
 libs_use_ld_so(openvpn_t)
 libs_use_shared_libs(openvpn_t)
 
@@ -80,10 +84,12 @@ logging_send_syslog_msg(openvpn_t)
 
 miscfiles_read_localization(openvpn_t)
 
+sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
 
 ifdef(`targeted_policy',`
-	term_dontaudit_use_generic_ptys(openvpn_t)
+	# Need to interact with terminals if config option "auth-user-pass" is used
+	term_use_generic_ptys(openvpn_t)
 ')
 
 optional_policy(`

policy/modules/services/postfix.te

@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.2.9)
+policy_module(postfix,1.2.10)
 
 ########################################
 #
@@ -160,7 +160,7 @@ files_read_usr_files(postfix_master_t)
 
 init_use_script_ptys(postfix_master_t)
 
-miscfiles_dontaudit_search_man_pages(postfix_master_t)
+miscfiles_read_man_pages(postfix_master_t)
 
 seutil_sigchld_newrole(postfix_master_t)
 # postfix does a "find" on startup for some reason - keep it quiet
@@ -590,6 +590,10 @@ allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
 files_read_usr_files(postfix_smtpd_t)
 mta_read_aliases(postfix_smtpd_t)
 
+optional_policy(`
+	postgrey_stream_connect(postfix_smtpd_t)
+')
+
 optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')

policy/modules/services/postgrey.fc

@@ -3,6 +3,7 @@
 
 /usr/sbin/postgrey	--	gen_context(system_u:object_r:postgrey_exec_t,s0)
 
-/var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
-
 /var/lib/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_lib_t,s0)
+
+/var/run/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)

policy/modules/services/postgrey.if

@@ -1 +1,21 @@
 ## <summary>Postfix grey-listing server</summary>
+
+########################################
+## <summary>
+##      Write to postgrey socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to talk to postgrey
+##      </summary>
+## </param>
+#
+interface(`postgrey_stream_connect',`
+        gen_require(`
+                type postgrey_var_run_t, postgrey_t;
+        ')
+
+	allow $1 postgrey_t:unix_stream_socket connectto;
+        allow $1 postgrey_var_run_t:sock_file write;
+	files_search_pids($1)
+')

policy/modules/services/postgrey.te

@@ -1,5 +1,5 @@
 
-policy_module(postgrey,1.0.1)
+policy_module(postgrey,1.0.2)
 
 ########################################
 #
@@ -38,6 +38,7 @@ allow postgrey_t postgrey_var_lib_t:dir rw_dir_perms;
 files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
 
 allow postgrey_t postgrey_var_run_t:file create_file_perms;
+allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
 allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
 

policy/modules/services/procmail.te

@@ -1,5 +1,5 @@
 
-policy_module(procmail,1.2.4)
+policy_module(procmail,1.2.5)
 
 ########################################
 #
@@ -35,6 +35,7 @@ corenet_tcp_sendrecv_all_nodes(procmail_t)
 corenet_udp_sendrecv_all_nodes(procmail_t)
 corenet_tcp_sendrecv_all_ports(procmail_t)
 corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_udp_bind_all_nodes(procmail_t)
 corenet_tcp_connect_spamd_port(procmail_t)
 corenet_sendrecv_spamd_client_packets(procmail_t)
 

policy/modules/services/radius.fc

@@ -3,6 +3,7 @@
 /etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
 
 /etc/raddb(/.*)?                gen_context(system_u:object_r:radiusd_etc_t,s0)
+/etc/raddb/db.daily     --      gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
 
 /usr/sbin/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
 /usr/sbin/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)

policy/modules/services/radius.te

@@ -1,5 +1,5 @@
 
-policy_module(radius,1.1.1)
+policy_module(radius,1.1.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(radiusd_t,radiusd_exec_t)
 type radiusd_etc_t;
 files_config_file(radiusd_etc_t)
 
+type radiusd_etc_rw_t;
+files_type(radiusd_etc_rw_t)
+
 type radiusd_log_t;
 logging_log_file(radiusd_log_t)
 
@@ -39,6 +42,11 @@ allow radiusd_t radiusd_etc_t:dir r_dir_perms;
 allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
 files_search_etc(radiusd_t)
 
+allow radiusd_t radiusd_etc_rw_t:dir create_dir_perms;
+allow radiusd_t radiusd_etc_rw_t:file create_file_perms;
+allow radiusd_t radiusd_etc_rw_t:lnk_file create_lnk_perms;
+type_transition radiusd_t radiusd_etc_t:{ dir file lnk_file } radiusd_etc_rw_t;
+
 allow radiusd_t radiusd_log_t:file create_file_perms;
 allow radiusd_t radiusd_log_t:dir create_dir_perms;
 logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })

policy/modules/services/remotelogin.te

@@ -1,5 +1,5 @@
 
-policy_module(remotelogin,1.2.0)
+policy_module(remotelogin,1.2.1)
 
 ########################################
 #
@@ -37,6 +37,7 @@ allow remote_login_t self:shm create_shm_perms;
 allow remote_login_t self:sem create_sem_perms;
 allow remote_login_t self:msgq create_msgq_perms;
 allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
 
 allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
 allow remote_login_t remote_login_tmp_t:file create_file_perms;

policy/modules/services/samba.te

@@ -1,5 +1,5 @@
 
-policy_module(samba,1.2.8)
+policy_module(samba,1.2.9)
 
 #################################
 #
@@ -186,11 +186,12 @@ allow smbd_t self:tcp_socket create_stream_socket_perms;
 allow smbd_t self:udp_socket create_socket_perms;
 allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow smbd_t samba_etc_t:dir rw_dir_perms;
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
 
-allow smbd_t samba_log_t:dir ra_dir_perms;
+allow smbd_t samba_log_t:dir { ra_dir_perms setattr };
 dontaudit smbd_t samba_log_t:dir remove_name;
 allow smbd_t samba_log_t:file { create ra_file_perms };
 
@@ -313,6 +314,7 @@ tunable_policy(`samba_share_nfs',`
 
 optional_policy(`
 	cups_read_rw_config(smbd_t)
+	cups_stream_connect(smbd_t)
 ')
 
 optional_policy(`
@@ -365,7 +367,7 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
 allow nmbd_t samba_etc_t:dir { search getattr };
 allow nmbd_t samba_etc_t:file { getattr read };
 
-allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t samba_log_t:dir { ra_dir_perms setattr };
 allow nmbd_t samba_log_t:file { create ra_file_perms };
 
 allow nmbd_t samba_var_t:dir rw_dir_perms;

policy/modules/services/squid.te

@@ -1,5 +1,5 @@
 
-policy_module(squid,1.1.3)
+policy_module(squid,1.1.4)
 
 ########################################
 #
@@ -80,8 +80,10 @@ corenet_udp_sendrecv_all_ports(squid_t)
 corenet_tcp_bind_all_nodes(squid_t)
 corenet_udp_bind_all_nodes(squid_t)
 corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
 corenet_tcp_bind_ftp_port(squid_t)
 corenet_tcp_bind_gopher_port(squid_t)
+corenet_udp_bind_gopher_port(squid_t)
 corenet_tcp_connect_ftp_port(squid_t)
 corenet_tcp_connect_gopher_port(squid_t)
 corenet_tcp_connect_http_port(squid_t)
@@ -176,9 +178,6 @@ optional_policy(`
 ')
 
 ifdef(`TODO',`
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
 #squid requires the following when run in diskd mode, the recommended setting
 allow squid_t tmpfs_t:file { read write };
 ') dnl end TODO

policy/modules/services/ssh.if

@@ -71,6 +71,7 @@ template(`ssh_basic_client_template',`
 	allow $1_ssh_t self:msgq create_msgq_perms;
 	allow $1_ssh_t self:msg { send receive };
 	allow $1_ssh_t self:tcp_socket create_socket_perms;
+	allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
 
 	# for rsync
 	allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;

policy/modules/services/ssh.te

@@ -1,5 +1,5 @@
 
-policy_module(ssh,1.3.6)
+policy_module(ssh,1.3.7)
 
 ########################################
 #

policy/modules/services/tftp.te

@@ -1,5 +1,5 @@
 
-policy_module(tftp,1.1.1)
+policy_module(tftp,1.1.2)
 
 ########################################
 #
@@ -78,6 +78,7 @@ logging_send_syslog_msg(tftpd_t)
 miscfiles_read_localization(tftpd_t)
 
 sysnet_read_config(tftpd_t)
+sysnet_use_ldap(tftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
 userdom_dontaudit_use_sysadm_ttys(tftpd_t)

policy/modules/services/xfs.te

@@ -1,5 +1,5 @@
 
-policy_module(xfs,1.0.3)
+policy_module(xfs,1.0.4)
 
 ########################################
 #
@@ -46,6 +46,8 @@ corecmd_list_bin(xfs_t)
 corecmd_list_sbin(xfs_t)
 
 dev_read_sysfs(xfs_t)
+dev_read_urand(xfs_t)
+dev_read_rand(xfs_t)
 
 fs_getattr_all_fs(xfs_t)
 fs_search_auto_mountpoints(xfs_t)

policy/modules/services/xserver.if

@@ -317,7 +317,6 @@ template(`xserver_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-	allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
 	allow $1_t xdm_xserver_t:unix_stream_socket connectto;
 
 	ifdef(`xdm.te', `
@@ -1126,6 +1125,7 @@ interface(`xserver_stream_connect_xdm_xserver',`
 	')
 
 	files_search_tmp($1)
+	allow $1 xdm_xserver_tmp_t:dir search_dir_perms;
 	allow $1 xdm_xserver_tmp_t:sock_file write;
 	allow $1 xdm_xserver_t:unix_stream_socket connectto;
 ')

policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.1.10)
+policy_module(xserver,1.1.11)
 
 ########################################
 #
@@ -88,6 +88,7 @@ allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:tcp_socket create_stream_socket_perms;
 allow xdm_t self:udp_socket create_socket_perms;
+allow xdm_t self:key write;
 
 # Supress permission check on .ICE-unix
 dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
@@ -331,7 +332,7 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-	consoletype_domtrans(xdm_t)
+	consoletype_exec(xdm_t)
 ')
 
 optional_policy(`

policy/modules/services/zebra.te

@@ -1,5 +1,5 @@
 
-policy_module(zebra,1.2.2)
+policy_module(zebra,1.2.3)
 
 ########################################
 #
@@ -72,8 +72,10 @@ corenet_tcp_sendrecv_all_ports(zebra_t)
 corenet_udp_sendrecv_all_ports(zebra_t)
 corenet_tcp_bind_all_nodes(zebra_t)
 corenet_udp_bind_all_nodes(zebra_t)
+corenet_tcp_bind_bgp_port(zebra_t)
 corenet_tcp_bind_zebra_port(zebra_t)
 corenet_udp_bind_router_port(zebra_t)
+corenet_tcp_connect_bgp_port(zebra_t)
 corenet_sendrecv_zebra_server_packets(zebra_t)
 corenet_sendrecv_router_server_packets(zebra_t)
 
@@ -116,6 +118,11 @@ ifdef(`targeted_policy', `
 	unconfined_sigchld(zebra_t)
 ')
 
+tunable_policy(`allow_zebra_write_config',`
+	allow zebra_t zebra_conf_t:dir write;
+	allow zebra_t zebra_conf_t:file write;
+')
+
 optional_policy(`
 	ldap_use(zebra_t)
 ')

policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.3.8)
+policy_module(authlogin,1.3.9)
 
 ########################################
 #
@@ -193,6 +193,7 @@ term_use_all_user_ptys(pam_console_t)
 term_setattr_console(pam_console_t)
 term_getattr_unallocated_ttys(pam_console_t)
 term_setattr_unallocated_ttys(pam_console_t)
+term_use_unallocated_ttys(pam_console_t)
 
 auth_use_nsswitch(pam_console_t)
 

policy/modules/system/fstools.fc

@@ -1,3 +1,4 @@
+/sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/dosfsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)

policy/modules/system/fstools.te

@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.3.2)
+policy_module(fstools,1.3.3)
 
 ########################################
 #

policy/modules/system/getty.fc

@@ -9,3 +9,4 @@
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 
 /var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/voice	--	gen_context(system_u:object_r:getty_var_run_t,s0)

policy/modules/system/getty.te

@@ -1,5 +1,5 @@
 
-policy_module(getty,1.1.2)
+policy_module(getty,1.1.3)
 
 ########################################
 #
@@ -37,7 +37,7 @@ files_pid_file(getty_var_run_t)
 #
 
 # Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
 dontaudit getty_t self:capability sys_tty_config;
 allow getty_t self:process { getpgid getsession signal_perms };
 
@@ -90,6 +90,7 @@ corecmd_search_sbin(getty_t)
 files_rw_generic_pids(getty_t)
 files_read_etc_runtime_files(getty_t)
 files_read_etc_files(getty_t)
+files_search_spool(getty_t)
 
 init_rw_utmp(getty_t)
 init_use_script_ptys(getty_t)

policy/modules/system/hotplug.te

@@ -1,5 +1,5 @@
 
-policy_module(hotplug,1.2.1)
+policy_module(hotplug,1.2.2)
 
 ########################################
 #
@@ -136,7 +136,7 @@ ifdef(`targeted_policy', `
 	term_dontaudit_use_generic_ptys(hotplug_t)
 
 	optional_policy(`
-		consoletype_domtrans(hotplug_t)
+		consoletype_exec(hotplug_t)
 	')
 ')
 

policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.17)
+policy_module(init,1.3.18)
 
 gen_require(`
 	class passwd rootok;
@@ -286,6 +286,9 @@ fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
 
+# initrc_t needs to do a pidof which requires ptrace
+mcs_ptrace_all(initrc_t)
+
 selinux_get_enforce_mode(initrc_t)
 
 storage_getattr_fixed_disk_dev(initrc_t)

policy/modules/system/libraries.fc

@@ -198,7 +198,7 @@ ifdef(`distro_redhat',`
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib(64)?.*/libmpg123\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)

policy/modules/system/libraries.te

@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.3.9)
+policy_module(libraries,1.3.10)
 
 ########################################
 #

policy/modules/system/locallogin.te

@@ -1,5 +1,5 @@
 
-policy_module(locallogin,1.2.3)
+policy_module(locallogin,1.2.4)
 
 ########################################
 #
@@ -51,6 +51,7 @@ allow local_login_t self:shm create_shm_perms;
 allow local_login_t self:sem create_sem_perms;
 allow local_login_t self:msgq create_msgq_perms;
 allow local_login_t self:msg { send receive };
+allow local_login_t self:key write;
 
 allow local_login_t local_login_lock_t:file create_file_perms;
 files_lock_filetrans(local_login_t,local_login_lock_t,file)

policy/modules/system/logging.if

@@ -165,7 +165,8 @@ interface(`logging_manage_audit_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 auditd_etc_t:file create_file_perms;
+	allow $1 auditd_etc_t:dir rw_dir_perms;
+	allow $1 auditd_etc_t:file manage_file_perms;
 ')
 
 ########################################
@@ -287,6 +288,7 @@ interface(`logging_read_audit_config',`
 	')
 
 	files_search_etc($1)
+	allow $1 auditd_etc_t:dir r_dir_perms;
 	allow $1 auditd_etc_t:file r_file_perms;
 ')
 
@@ -308,7 +310,7 @@ interface(`logging_search_logs',`
 	')
 
 	files_search_var($1)
-	allow $1 var_log_t:dir search;
+	allow $1 var_log_t:dir search_dir_perms;
 ')
 
 #######################################
@@ -326,7 +328,7 @@ interface(`logging_dontaudit_search_logs',`
 		type var_log_t;
 	')
 
-	dontaudit $1 var_log_t:dir search;
+	dontaudit $1 var_log_t:dir search_dir_perms;
 ')
 
 #######################################

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.7)
+policy_module(logging,1.3.8)
 
 ########################################
 #
@@ -140,7 +140,7 @@ term_dontaudit_use_console(auditd_t)
 # Probably want a transition, and a new auditd_helper app
 corecmd_exec_sbin(auditd_t)
 corecmd_exec_bin(auditd_t)
-
+corecmd_exec_shell(auditd_t)
 
 domain_use_interactive_fds(auditd_t)
 

policy/modules/system/lvm.te

@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.3.4)
+policy_module(lvm,1.3.5)
 
 ########################################
 #
@@ -125,7 +125,7 @@ optional_policy(`
 
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
 # rawio needed for dmraid
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
@@ -200,6 +200,7 @@ dev_create_generic_dirs(lvm_t)
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
+fs_list_tmpfs(lvm_t)
 fs_read_tmpfs_symlinks(lvm_t)
 fs_dontaudit_read_removable_files(lvm_t)
 

policy/modules/system/selinuxutil.te

@@ -1,9 +1,11 @@
 
-policy_module(selinuxutil,1.2.9)
+policy_module(selinuxutil,1.2.10)
 
+ifdef(`strict_policy',`
 	gen_require(`
 		bool secure_mode;
 	')
+')
 
 ########################################
 #
@@ -104,6 +106,7 @@ domain_system_change_exemption(run_init_t)
 
 type semanage_t;
 domain_type(semanage_t)
+domain_interactive_fd(semanage_t)
 
 type semanage_exec_t;
 domain_entry_file(semanage_t, semanage_exec_t)
@@ -423,18 +426,17 @@ optional_policy(`
 
 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 allow restorecond_t self:fifo_file rw_file_perms;
+allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow restorecond_t restorecond_var_run_t:file create_file_perms;
 files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
 
-auth_relabel_all_files_except_shadow(restorecond_t )
-auth_read_all_files_except_shadow(restorecond_t)
-fs_relabelfrom_noxattr_fs(restorecond_t)
-
 kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
 kernel_read_system_state(restorecond_t)
 
+fs_relabelfrom_noxattr_fs(restorecond_t)
+fs_dontaudit_list_nfs(restorecond_t)
 fs_getattr_xattr_fs(restorecond_t)
 fs_list_inotifyfs(restorecond_t)
 
@@ -447,7 +449,11 @@ selinux_compute_user_contexts(restorecond_t)
 
 term_dontaudit_use_generic_ptys(restorecond_t)
 
+auth_relabel_all_files_except_shadow(restorecond_t )
+auth_read_all_files_except_shadow(restorecond_t)
+
 init_use_fds(restorecond_t)
+init_dontaudit_use_script_ptys(restorecond_t)
 
 libs_use_ld_so(restorecond_t)
 libs_use_shared_libs(restorecond_t)
@@ -456,6 +462,12 @@ logging_send_syslog_msg(restorecond_t)
 
 miscfiles_read_localization(restorecond_t)
 
+optional_policy(`
+	# restorecond watches for users logging in, 
+	# so it getspwnam when a user logs in to find his homedir
+	nis_use_ypbind(restorecond_t)
+')
+
 #################################
 #
 # Run_init local policy
@@ -538,6 +550,7 @@ allow semanage_t self:capability { dac_override audit_write };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow semanage_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow semanage_t policy_config_t:file { read write };
 
@@ -567,10 +580,15 @@ selinux_set_boolean(semanage_t)
 
 term_use_all_terms(semanage_t)
 
+# Running genhomedircon requires this for finding all users
+auth_use_nsswitch(semanage_t)
+
 libs_use_ld_so(semanage_t)
 libs_use_shared_libs(semanage_t)
 libs_use_lib_files(semanage_t)
 
+locallogin_use_fds(semanage_t)
+
 logging_send_syslog_msg(semanage_t)
 
 miscfiles_read_localization(semanage_t)

policy/modules/system/setrans.te

@@ -1,5 +1,5 @@
 
-policy_module(setrans,1.0.1)
+policy_module(setrans,1.0.2)
 
 ########################################
 #
@@ -68,3 +68,7 @@ logging_send_syslog_msg(setrans_t)
 miscfiles_read_localization(setrans_t)
 
 seutil_read_config(setrans_t)
+
+optional_policy(`
+	rpm_use_script_fds(setrans_t)
+')

policy/modules/system/sysnetwork.te

@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.1.8)
+policy_module(sysnetwork,1.1.9)
 
 ########################################
 #
@@ -277,6 +277,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
 # for /sbin/ip
 allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
+allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
 allow ifconfig_t self:tcp_socket { create ioctl };
 files_read_etc_files(ifconfig_t);
 

policy/modules/system/udev.te

@@ -1,5 +1,5 @@
 
-policy_module(udev,1.3.3)
+policy_module(udev,1.3.4)
 
 ########################################
 #
@@ -39,9 +39,9 @@ files_pid_file(udev_var_run_t)
 # Local policy
 #
 
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
 dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_file_perms;

policy/modules/system/unconfined.fc

@@ -9,4 +9,5 @@ ifdef(`targeted_policy',`
 /usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/local/RealPlay/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/mplayer	 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/xine		 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 ')

policy/modules/system/unconfined.if

@@ -52,9 +52,10 @@ interface(`unconfined_domain_noaudit',`
 		allow $1 self:process execmem;
 	')
 
-	tunable_policy(`allow_execmem && allow_execstack',`
+	tunable_policy(`allow_execstack',`
-		# Allow making the stack executable via mprotect.
+		# Allow making the stack executable via mprotect;
-		allow $1 self:process execstack;
+		# execstack implies execmem;
+		allow $1 self:process { execstack execmem };
 #		auditallow $1 self:process execstack;
 	')
 

policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.12)
+policy_module(unconfined,1.3.13)
 
 ########################################
 #
@@ -55,10 +55,6 @@ ifdef(`targeted_policy',`
 		ada_domtrans(unconfined_t)
 	')
 
-	optional_policy(`
-		amanda_domtrans_recover(unconfined_t)
-	')
-
 	optional_policy(`
 		apache_domtrans_helper(unconfined_t)
 	')
@@ -71,6 +67,10 @@ ifdef(`targeted_policy',`
 		bluetooth_domtrans_helper(unconfined_t)
 	')
 
+	optional_policy(`
+		bootloader_domtrans(unconfined_t)
+	')
+
 	optional_policy(`
 		init_dbus_chat_script(unconfined_t)
 

policy/modules/system/xen.te

@@ -1,5 +1,5 @@
 
-policy_module(xen,1.0.7)
+policy_module(xen,1.0.8)
 
 ########################################
 #
@@ -171,7 +171,7 @@ xen_stream_connect_xenstore(xend_t)
 netutils_domtrans(xend_t)
 
 optional_policy(`
-	consoletype_domtrans(xend_t)
+	consoletype_exec(xend_t)
 ')
 
 ########################################