more updates

2005-09-15 21:03:45 +00:00 · 2005-09-15 21:03:45 +00:00 · 5493c2036b
commit 5493c2036b
parent 98a8ead4c5
40 changed files with 658 additions and 346 deletions
--- a/docs/macro_conversion_guide
+++ b/docs/macro_conversion_guide
@ -301,16 +301,7 @@ optional_policy(`kerberos.te',`
 #
 # can_ldap(): complete
 #
-optional_policy(`ldap.te',`
-	allow $1 self:tcp_socket create_socket_perms;
-	corenet_tcp_sendrecv_all_if($1)
-	corenet_raw_sendrecv_all_if($1)
-	corenet_tcp_sendrecv_all_nodes($1)
-	corenet_raw_sendrecv_all_nodes($1)
-	corenet_tcp_sendrecv_ldap_port($1)
-	corenet_tcp_bind_all_nodes($1)
-	sysnet_read_config($1)
-')
+sysnet_use_ldap($1)

 #
 # can_loadpol(): complete
@ -420,19 +411,15 @@ dontaudit $1 $2:process ptrace;
 allow $1 $2:process ptrace;
 allow $2 $1:process sigchld;

+#
+# can_portmap():
+#
+sysnet_use_portmap($1)
+
 #
 # can_resolve(): complete
 #
-tunable_policy(`use_dns',`
-	allow $1 self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if($1)
-	corenet_raw_sendrecv_all_if($1)
-	corenet_udp_sendrecv_all_nodes($1)
-	corenet_raw_sendrecv_all_nodes($1)
-	corenet_udp_sendrecv_dns_port($1)
-	corenet_udp_bind_all_nodes($1)
-	sysnet_read_config($1)
-')
+sysnet_dns_name_resolve($1)

 #
 # can_setbool(): complete
@ -790,7 +777,7 @@ optional_policy(`nscd.te',`
 #
 # legacy_domain(): complete
 #
-allow $1_t self:process execmem;
+allow $1_t self:process { execmem execstack };
 libs_legacy_use_shared_libs($1_t)
 libs_legacy_use_ld_so($1_t)

@ -826,6 +813,30 @@ create_dir_file($1, $2)
 can_exec($1, $2)
 allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };

+#
+# polyinstantiater():
+#
+ifdef(`support_polyinstantiation', `
+# Need to give access to /selinux/member
+selinux_compute_member($1)
+# Need sys_admin capability for mounting
+allow $1 self:capability sys_admin;
+# Need to give access to the directories to be polyinstantiated
+allow $1 polydir:dir { getattr mounton add_name create setattr write search };
+# Need to give access to the polyinstantiated subdirectories
+allow $1 polymember:dir {getattr search };
+# Need to give access to parent directories where original
+# is remounted for polyinstantiation aware programs (like gdm)
+allow $1 polyparent:dir { getattr mounton };
+# Need to give permission to create directories where applicable
+allow $1 polymember: dir { create setattr };
+allow $1 polydir: dir { write add_name };
+allow $1 self:process setfscreate;
+allow $1 polyparent:dir { write add_name };
+# Default type for mountpoints
+allow $1 poly_t:dir { create mounton };
+')
+
 #
 # pty_slave_label():
 #
--- a/strict/ChangeLog
+++ b/strict/ChangeLog
@ -1,3 +1,206 @@
+1.26 2005-09-06
+	* Updated version for release.
+
+1.25.4 2005-08-10
+	* Merged small patches from Russell Coker for the restorecon,
+	kudzu, lvm, radvd, and spamassasin policies.
+	* Added fs_use_trans rule for mqueue from Mark Gebhart to support
+	the work he has done on providing SELinux support for mqueue.
+	* Merged a patch from Dan Walsh. Removes the user_can_mount
+	tunable.  Adds disable_evolution_trans and disable_thunderbird_trans
+	booleans.  Adds the nscd_client_domain attribute to insmod_t.
+	Removes the user_ping boolean from targeted policy.  Adds
+	hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
+	Adds the isakmp_port for vpnc.  Creates the pptp daemon domain.
+	Allows getty to run sbin_t for pppd.  Allows initrc to write to
+	default_t for booting.  Allows Hotplug_t sys_rawio for prism54
+	card at boot.  Other minor fixes.
+
+1.25.3 2005-07-18
+	* Merged patch from Dan Walsh.  Adds auth_bool attribute to allow
+	domains to have read access to shadow_t.  Creates pppd_can_insmod
+	boolean to control the loading of modem kernel modules.  Allows
+	nfs to export noexattrfile types.  Allows unix_chpwd to access
+	cert files and random devices for encryption purposes.  Other
+	minor cleanups and fixes.
+
+1.25.2 2005-07-11
+	* Merged patch from Dan Walsh.  Added allow_ptrace boolean to
+	allow sysadm_t to ptrace and debug apps.  Gives auth_chkpwd the
+	audit_control and audit_write capabilities.  Stops targeted policy
+	from transitioning from unconfined_t to netutils.  Allows cupsd to
+	audit messages.  Gives prelink the execheap, execmem, and execstack
+	permissions by default.  Adds can_winbind boolean and functions to
+	better handle samba and winbind communications.  Eliminates
+	allow_execmod checks around texrel_shlib_t libraries.  Other minor
+	cleanups and fixes.
+	
+1.25.1 2005-07-05
+	* Moved role_tty_type_change, reach_sysadm, and priv_user macros
+	from user.te to user_macros.te as suggested by Steve.
+	* Modified admin_domain macro so autrace would work and removed
+	privuser attribute for dhcpc as suggested by Russell Coker.
+	* Merged rather large patch from Dan Walsh.  Moves
+	targeted/strict/mls policies closer together.  Adds local.te for
+	users to customize.  Includes minor fixes to auditd, cups,
+	cyrus_imapd, dhcpc, and dovecot.  Includes Russell Coker's patch
+	that defines all ports in network.te.  Ports are always defined
+	now, no ifdefs are used in network.te.  Also includes Ivan
+	Gyurdiev's user home directory policy patches.  These patches add
+	alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
+	iceauth, orbit, and thunderbird policy.  They create read_content,
+	write_trusted, and write_untrusted macros in content.te.  They
+	create network_home, write_network_home, read_network_home,
+	base_domain_ro_access, home_domain_access, home_domain, and
+	home_domain_ro macros in home_macros.te.  They also create
+	$3_read_content, $3_write_content, and write_untrusted booleans.
+	
+1.24 2005-06-20
+	* Updated version for release.
+
+1.23.18 2005-05-31
+	* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
+	* Removed devfsd policy as suggested by Russell Coker.
+	* Merged patch from Dan Walsh.  Includes beginnings of Ivan
+	Gyurdiev's Font Config policy.  Don't transition to fsadm_t from
+	unconfined_t (sysadm_t) in targeted policy.  Add support for
+	debugfs in modutil.  Allow automount to create and delete
+	directories in /root and /home dirs.  Move can_ypbind to
+	chkpwd_macro.te.  Allow useradd to create additional files and
+	types via the skell mechanism.  Other minor cleanups and fixes.
+
+1.23.17 2005-05-23
+	* Merged minor fixes by Petre Rodan to the daemontools, dante,
+	gpg, kerberos, and ucspi-tcp policies.
+	* Merged minor fixes by Russell Coker to the bluetooth, crond,
+	initrc, postfix, and udev  policies.  Modifies constraints so that
+	newaliases can be run.  Modifies types.fc so that objects in
+	lost+found directories will not be relabled.
+	* Modified fc rules for nvidia.
+	* Added Chad Sellers policy for polyinstantiation support, which
+	creates the polydir, polyparent, and polymember attributes.  Also
+	added the support_polyinstantiation tunable.
+	* Merged patch from Dan Walsh.  Includes mount_point attribute,
+	read_font macros and some other policy fixes from Ivan Gyurdiev.
+	Adds privkmsg and secadmfile attributes and ddcprobe policy.
+	Removes the use_syslogng boolean.  Many other minor fixes.
+
+1.23.16 2005-05-13
+	* Added rdisc policy from Russell Coker.
+	* Merged minor fix to named policy by Petre Rodan.
+	* Merged minor fixes to policy from Russell Coker for kudzu,
+	named, screen, setfiles, telnet, and xdm.
+	* Merged minor fix to Makefile from Russell Coker.
+
+1.23.15 2005-05-06
+	* Added tripwire and yam policy from David Hampton.
+	* Merged minor fixes to amavid and a clarification to the
+	httpdcontent attribute comments from David Hampton.
+	* Merged patch from Dan Walsh.  Includes fixes for restorecon,
+	games, and postfix from Russell Coker.  Adds support for debugfs.
+	Restores support for reiserfs.  Allows udev to work with tmpfs_t
+	before /dev is labled.  Removes transition from sysadm_t
+	(unconfined_t) to ifconfig_t for the targeted policy.  Other minor
+	cleanups and fixes.
+
+1.23.14 2005-04-29
+	* Added afs policy from Andrew Reisse.
+	* Merged patch from Lorenzo Hernández García-Hierro which defines
+	execstack and execheap permissions.  The patch excludes these
+	permissions from general_domain_access and updates the macros for
+	X, legacy binaries, users, and unconfined domains.
+	* Added nlmsg_relay permisison where netlink_audit_socket class is
+	used.  Added nlmsg_readpriv permission to auditd_t and auditctl_t.
+	* Merged some minor cleanups from Russell Coker and David Hampton.
+	* Merged patch from Dan Walsh.  Many changes made to allow
+	targeted policy to run closer to strict and now almost all of
+	non-userspace is protected via SELinux.  Kernel is now in
+	unconfined_domain for targeted and runs as root:system_r:kernel_t.
+	Added transitionbool to daemon_sub_domain, mainly to turn off
+	httpd_suexec transitioning.  Implemented web_client_domain
+	name_connect rules.  Added yp support for cups.  Now the real
+	hotplug, udev, initial_sid_contexts are used for the targeted
+	policy.  Other minor cleanups and fixes.  Auditd fixes by Paul
+	Moore.
+
+1.23.13 2005-04-22
+	* Merged more changes from Dan Walsh to initrc_t for removal of
+	unconfined_domain.
+	* Merged Dan Walsh's split of auditd policy into auditd_t for the
+	audit daemon and auditctl_t for the autoctl program.
+	* Added use of name_connect to uncond_can_ypbind macro by Dan
+	Walsh.
+	* Merged other cleanup and fixes by Dan Walsh.
+
+1.23.12 2005-04-20
+	* Merged Dan Walsh's Netlink changes to handle new auditing pam
+	modules.
+	* Merged Dan Walsh's patch removing the sysadmfile attribute from
+	policy files to separate sysadm_t from secadm_t.
+	* Added CVS and uucpd policy from Dan Walsh.
+	* Cleanup by Dan Walsh to handle turning off unlimitedRC.
+	* Merged Russell Coker's fixes to ntpd, postgrey, and named
+	policy.
+	* Cleanup of chkpwd_domain and added permissions to su_domain
+	macro due to pam changes to support audit.
+	* Added nlmsg_relay and nlmsg_readpriv permissions to the
+	netlink_audit_socket class.
+
+1.23.11 2005-04-14
+	* Merged Dan Walsh's separation of the security manager and system
+	administrator.
+	* Removed screensaver.te as suggested by Thomas Bleher
+	* Cleanup of typealiases that are no longer used by Thomas Bleher.
+	* Cleanup of fc files and additional rules for SuSE by Thomas
+	Bleher.
+	* Merged changes to auditd and named policy by Russell Coker.
+	* Merged MLS change from Darrel Goeddel to support the policy
+	hierarchy patch.
+
+1.23.10 2005-04-08
+	* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
+
+1.23.9 2005-04-07
+	* Merged diffs from Dan Walsh.  Includes Ivan Gyurdiev's cleanup
+	of x_client apps.
+	* Added dmidecode policy from Ivan Gyurdiev.
+
+1.23.8 2005-04-05
+	* Added netlink_kobject_uevent_socket class.
+	* Removed empty files pump.te and pump.fc.
+	* Added NetworkManager policy from Dan Walsh.
+	* Merged Dan Walsh's major restructuring of Apache's policy.
+
+1.23.7 2005-04-04
+	* Merged David Hampton's amavis and clamav cleanups.
+	* Added David Hampton's dcc, pyzor, and razor policy.
+	
+1.23.6 2005-04-01
+	* Merged cleanup of the Makefile and other stuff from Dan Walsh.
+	Dan's patch includes some desktop changes from Ivan Gyurdiev.
+	* Merged Thomas Bleher's patches which increase the usage of
+	lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
+	DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
+	possible. 
+	* Merged Greg Norris's cleanup of fetchmail.
+	
+1.23.5 2005-03-23
+	* Added name_connect support from Dan Walsh.
+	* Added httpd_unconfined_t from Dan Walsh.
+	* Merged cleanup of assert.te to allow unresticted full access
+	from Dan Walsh.
+	
+1.23.4 2005-03-21
+	* Merged diffs from Dan Walsh:  
+	* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan 
+	Gyurdiev.  
+	* Added syslogng support to syslog.te.
+	
+1.23.3 2005-03-15
+	* Added policy for nx_server from Thomas Bleher.
+	* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
+	publicfile from Petre Rodan.
+	
 1.23.2 2005-03-14
 	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan Gyurdiev's 
 	gift policy.
--- a/strict/Makefile
+++ b/strict/Makefile
@ -60,7 +60,7 @@ POLICYFILES += $(USER_FILES)
 POLICYFILES += constraints
 POLICYFILES += $(DEFCONTEXTFILES)
 CONTEXTFILES = $(DEFCONTEXTFILES)
-POLICY_DIRS = domains/program domains/misc
+POLICY_DIRS = domains domains/program domains/misc macros macros/program

 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)

@ -70,19 +70,19 @@ FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/pro
 CONTEXTFILES += $(FCFILES)

 APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
 CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media

 ROOTFILES = $(addprefix $(APPDIR)/users/,root)

 all:  policy

-tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) 
-	@echo "Validating file_contexts ..."	
-	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+tmp/valid_fc: $(LOADPATH) $(FC) 
+	@echo "Validating file contexts files ..."	
+	$(SETFILES) -q -c $(LOADPATH) $(FC)
 	@touch tmp/valid_fc

-install: tmp/valid_fc $(USERPATH)/local.users
+install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users

 $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
 	@mkdir -p $(USERPATH)
@ -91,61 +91,64 @@ $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
 	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
 	@echo "# Please edit local.users to make local changes." >> tmp/system.users
 	@echo "#" >> tmp/system.users
-	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+	@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
 	install -m 644 tmp/system.users $@

 $(USERPATH)/local.users: local.users
 	@mkdir -p $(USERPATH)
-	install -C -b -m 644 $< $@
+	install -b -m 644 $< $@

 $(CONTEXTPATH)/files/media: appconfig/media
-	mkdir -p $(CONTEXTPATH)/files/
+	@mkdir -p $(CONTEXTPATH)/files/
 	install -m 644 $< $@

 $(APPDIR)/default_contexts: appconfig/default_contexts
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@

 $(APPDIR)/removable_context: appconfig/removable_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@

 $(APPDIR)/customizable_types: policy.conf
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
 	install -m 644 tmp/customizable_types $@ 

+$(APPDIR)/port_types: policy.conf
+	@mkdir -p $(APPDIR)
+	@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
+	install -m 644 tmp/port_types $@ 
+
 $(APPDIR)/default_type: appconfig/default_type
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@

 $(APPDIR)/userhelper_context: appconfig/userhelper_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@

 $(APPDIR)/initrc_context: appconfig/initrc_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@

 $(APPDIR)/failsafe_context: appconfig/failsafe_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@

 $(APPDIR)/dbus_contexts: appconfig/dbus_contexts
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@

 $(APPDIR)/users/root: appconfig/root_default_contexts
-	mkdir -p $(APPDIR)/users
+	@mkdir -p $(APPDIR)/users
 	install -m 644 $< $@

-$(LOADPATH):  policy.conf $(CHECKPOLICY)
-	mkdir -p $(POLICYPATH)
+$(LOADPATH): policy.conf $(CHECKPOLICY) 
+	@echo "Compiling policy ..."
+	@mkdir -p $(POLICYPATH)
 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
 ifneq ($(MLS),y)
-ifneq ($(VERS),18)
-	$(CHECKPOLICY) -c 18 -o $(POLICYPATH)/policy.18 policy.conf
-endif
 endif
 # Note: Can't use install, so not sure how to deal with mode, user, and group
 #	other than by default.
@ -154,46 +157,39 @@ policy: $(POLICYVER)

 $(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(MLS),y)
-ifneq ($(VERS),18)
-	$(CHECKPOLICY) -c 18 -o policy.18 policy.conf
-endif
-endif
-	@echo "Validating file_contexts ..."
+	@echo "Validating file contexts files ..."
 	$(SETFILES) -q -c $(POLICYVER) $(FC)

-reload tmp/load: $(FCPATH) $(LOADPATH)
-ifeq ($(VERS), $(KERNVERS))
+reload tmp/load: $(LOADPATH) 
+	@echo "Loading Policy ..."
 	$(LOADPOLICY) $(LOADPATH)
-else
-	$(LOADPOLICY) $(POLICYPATH)/policy.18
-endif
 	touch tmp/load

-load: tmp/load
+load: tmp/load $(FCPATH) 

 enableaudit: policy.conf 
 	grep -v dontaudit policy.conf > policy.audit
 	mv policy.audit policy.conf

 policy.conf: $(POLICYFILES) $(POLICY_DIRS)
-	mkdir -p tmp
+	@echo "Building policy.conf ..."
+	@mkdir -p tmp
 	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
-	mv $@.tmp $@
+	@mv $@.tmp $@

 install-src: 
 	rm -rf $(SRCPATH)/policy.old
 	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
-	mkdir -p $(SRCPATH)/policy
+	@mkdir -p $(SRCPATH)/policy
 	cp -R . $(SRCPATH)/policy

 tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
-	mkdir -p tmp
+	@mkdir -p tmp
 	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
 	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
 	mv $@.tmp $@

-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
+FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`

 checklabels: $(SETFILES)
 	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
@ -205,20 +201,20 @@ relabel:  $(FC) $(SETFILES)
 	$(SETFILES) $(FC) $(FILESYSTEMS)

 file_contexts/misc:
-	mkdir -p file_contexts/misc
+	@mkdir -p file_contexts/misc

-
-$(FCPATH): $(FC) $(USERPATH)/system.users 
+$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types $(APPDIR)/port_types
+	@echo "Installing file contexts files..."
 	@mkdir -p $(CONTEXTPATH)/files
-	install -m 644 $(FC) $(FCPATH)
 	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+	install -m 644 $(FC) $(FCPATH)
 	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)

 $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
-	@echo "Building file_contexts ..."
+	@echo "Building file contexts files..."
 	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
-	@grep -v -e HOME -e ROLE $@.tmp > $@
-	@grep -e HOME -e ROLE $@.tmp  > $(HOMEDIR_TEMPLATE)
+	@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
+	@grep -e HOME -e ROLE -e USER $@.tmp  > $(HOMEDIR_TEMPLATE)
 	@-rm $@.tmp

 # Create a tags-file for the policy:
@ -239,7 +235,7 @@ tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/
 	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
 
 clean:
-	rm -f policy.conf $(POLICYVER) policy.18
+	rm -f policy.conf $(POLICYVER)
 	rm -f tags
 	rm -f tmp/*
 	rm -f $(FC)
@ -324,8 +320,11 @@ mlsconvert:
 	done
 	@for file in $(USER_FILES); do \
 		echo "Converting $$file"; \
-		sed -e 's/;/ level s0 range s0 - s9 : c0 . c127;/' $$file > $$file.new && \
+		sed -e 's/;/ level s0 range s0 - s9:c0.c127;/' $$file > $$file.new && \
 		mv $$file.new $$file; \
 	done
-	@sed -e '/sid kernel/s/s0/s0 - s9 : c0 . c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+	@sed -e '/sid kernel/s/s0/s0 - s9:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+	@echo "Enabling MLS in the Makefile"
+	@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
+	@mv Makefile.new Makefile
 	@echo "Done"
--- a/strict/VERSION
+++ b/strict/VERSION
@ -1 +1 @@
-1.23.2-1
+1.26
--- a/strict/attrib.te
+++ b/strict/attrib.te
@ -110,6 +110,10 @@ attribute privlog;
 # and an allow rule to permit it
 attribute privmodule;

+# The privsysmod attribute identifies every domain that can have the
+# sys_module capability
+attribute privsysmod;
+
 # The privmem attribute identifies every domain that can 
 # access kernel memory devices.
 # This attribute is used in the TE assertions to verify
@ -117,6 +121,13 @@ attribute privmodule;
 # tagged with this attribute.
 attribute privmem;

+# The privkmsg attribute identifies every domain that can 
+# read kernel messages (/proc/kmsg)
+# This attribute is used in the TE assertions to verify
+# that such access is limited to domains that are explicitly
+# tagged with this attribute.
+attribute privkmsg;
+
 # The privfd attribute identifies every domain that should have
 # file handles inherited widely (IE sshd_t and getty_t).
 attribute privfd;
@ -251,6 +262,12 @@ attribute sysadmfile;
 # overall filesystem statistics.
 attribute fs_type;

+# The mount_point attribute identifies all types that can serve
+# as a mount point (for the mount binary). It is used in the mount 
+# policy to grant mounton permission, and in other domains to grant 
+# getattr permission over all the mount points.
+attribute mount_point;
+
 # The exec_type attribute identifies all types assigned
 # to entrypoint executables for domains.  This attribute is 
 # used in TE rules and assertions that should be applied to all 
@ -413,7 +430,11 @@ attribute nscd_client_domain;
 # For clients of nscd that can use shmem interface.
 attribute nscd_shmem_domain;

-# For labeling of content for httpd
+# For labeling of content for httpd.  This attribute is only used by
+# the httpd_unified domain, which says treat all httpdcontent the
+# same.  If you want content to be served in a "non-unified" system
+# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
+# your policy.
 attribute httpdcontent;

 # For labeling of domains whos transition can be disabled
--- a/strict/constraints
+++ b/strict/constraints
@ -61,6 +61,10 @@ ifdef(`crond.te', `
 ')
 ifdef(`userhelper.te', 
 	`or (t1 == userhelperdomain)')
+ifdef(`postfix.te', `
+ifdef(`direct_sysadm_daemon',
+	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
+')
 	 or (t1 == priv_system_role and r2 == system_r )
        );

--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@ -86,6 +86,8 @@ allow crond_t rpm_log_t: file create_file_perms;

 system_crond_entry(rpm_exec_t, rpm_t)
 allow system_crond_t rpm_log_t:file create_file_perms;
+#read ahead wants to read this
+allow initrc_t system_cron_spool_t:file { getattr read };
 ')
 ')

--- a/strict/domains/program/dhcpc.te
+++ b/strict/domains/program/dhcpc.te
@ -64,6 +64,9 @@ allow ping_t hotplug_t:fd use;
 ifdef(`cardmgr.te', `
 allow ping_t cardmgr_t:fd use;
 ') dnl end if cardmgr
+', `
+allow dhcpc_t self:capability setuid;
+allow dhcpc_t self:rawip_socket create_socket_perms;
 ') dnl end if ping

 ifdef(`dhcpd.te', `', `
@ -116,7 +119,7 @@ allow dhcpc_t self:packet_socket create_socket_perms;
 allow dhcpc_t var_lib_t:dir search;
 file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)

-allow dhcpc_t bin_t:dir search;
+allow dhcpc_t bin_t:dir { getattr search };
 allow dhcpc_t bin_t:lnk_file read;
 can_exec(dhcpc_t, { bin_t shell_exec_t })

--- a/strict/domains/program/hotplug.te
+++ b/strict/domains/program/hotplug.te
@ -65,7 +65,7 @@ allow hotplug_t usbfs_t:file { getattr read };
 allow hotplug_t etc_t:dir r_dir_perms;
 allow hotplug_t etc_t:{ file lnk_file } r_file_perms;

-allow hotplug_t kernel_t:process sigchld;
+allow hotplug_t kernel_t:process { sigchld setpgid };

 ifdef(`distro_redhat', `
 allow hotplug_t var_lock_t:dir search;
@ -128,9 +128,9 @@ dontaudit hotplug_t initctl_t:fifo_file { read write };
 # Read /usr/lib/gconv/.*
 allow hotplug_t lib_t:file { getattr read };

-allow hotplug_t self:capability { net_admin sys_tty_config mknod };
-allow hotplug_t sysfs_t:dir { getattr read search };
-allow hotplug_t sysfs_t:file { getattr read };
+allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+allow hotplug_t sysfs_t:dir { getattr read search write };
+allow hotplug_t sysfs_t:file rw_file_perms;
 allow hotplug_t sysfs_t:lnk_file { getattr read };
 allow hotplug_t udev_runtime_t:file rw_file_perms;
 ifdef(`lpd.te', `
@ -156,10 +156,7 @@ ifdef(`mta.te', `
 domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
 ')

-allow restorecon_t hotplug_t:fd use;
+allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
+allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;

-ifdef(`unlimitedUtils', `
-unconfined_domain(hotplug_t) 
-')
-
-allow kernel_t hotplug_etc_t:dir search;
+dontaudit hotplug_t selinux_config_t:dir search;
--- a/strict/domains/program/ipsec.te
+++ b/strict/domains/program/ipsec.te
@ -185,9 +185,8 @@ allow ipsec_t etc_t:file { read getattr };
 allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
 allow ipsec_t null_device_t:chr_file rw_file_perms;

-# Allow scripts to use /var/locl/subsys/ipsec
-allow ipsec_mgmt_t var_lock_t:dir rw_dir_perms;
-allow ipsec_mgmt_t var_lock_t:file create_file_perms;
+# Allow scripts to use /var/lock/subsys/ipsec
+lock_domain(ipsec_mgmt)

 # allow tncfg to create sockets
 allow ipsec_mgmt_t self:udp_socket { create ioctl };
--- a/strict/domains/program/klogd.te
+++ b/strict/domains/program/klogd.te
@ -43,3 +43,6 @@ allow klogd_t kernel_t:system { syslog_mod syslog_console };
 # Read /boot/System.map*
 allow klogd_t system_map_t:file r_file_perms;
 allow klogd_t boot_t:dir r_dir_perms;
+ifdef(`targeted_policy', `
+allow klogd_t unconfined_t:system syslog_mod;
+')
--- a/strict/domains/program/load_policy.te
+++ b/strict/domains/program/load_policy.te
@ -11,6 +11,7 @@

 type load_policy_t, domain;
 role sysadm_r types load_policy_t;
+role secadm_r types load_policy_t;
 role system_r types load_policy_t;

 type load_policy_exec_t, file_type, exec_type, sysadmfile;
@ -19,7 +20,7 @@ type load_policy_exec_t, file_type, exec_type, sysadmfile;
 # 
 # Rules

-domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)

 allow load_policy_t console_device_t:chr_file { read write };

--- a/strict/domains/program/login.te
+++ b/strict/domains/program/login.te
@ -13,7 +13,7 @@

 # $1 is the name of the domain (local or remote)
 define(`login_domain', `
-type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain;
+type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
 role system_r types $1_login_t;

 dontaudit $1_login_t shadow_t:file { getattr read };
@ -83,6 +83,9 @@ if (use_samba_home_dirs) {
 r_dir_file($1_login_t, cifs_t)
 }

+# Login can polyinstantiate
+polyinstantiater($1_login_t)
+
 # FIXME: what is this for?
 ifdef(`xdm.te', `
 allow xdm_t $1_login_t:process signull;
@ -166,9 +169,7 @@ dontaudit local_login_t mnt_t:dir r_dir_perms;


 # Create lock file.
-allow local_login_t var_lock_t:dir rw_dir_perms;
-allow local_login_t var_lock_t:file create_file_perms;
-
+lock_domain(local_login)

 # Read and write ttys.
 allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
--- a/strict/domains/program/logrotate.te
+++ b/strict/domains/program/logrotate.te
@ -46,7 +46,7 @@ allow logrotate_t etc_runtime_t:file r_file_perms;
 allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };

 # create lock files
-rw_dir_create_file(logrotate_t, var_lock_t)
+lock_domain(logrotate)

 # Create temporary files.
 tmp_domain(logrotate)
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@ -71,7 +71,7 @@ r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
 # Rules for the insmod_t domain.
 #

-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
--- a/strict/domains/program/mount.te
+++ b/strict/domains/program/mount.te
@ -11,7 +11,7 @@

 type mount_exec_t, file_type, sysadmfile, exec_type;

-mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
 mount_loopback_privs(sysadm, mount)
 role sysadm_r types mount_t;
 role system_r types mount_t;
@ -39,20 +39,16 @@ allow mount_t file_t:file { getattr read unlink };
 allow mount_t fs_type:filesystem mount_fs_perms;
 allow mount_t mount_point:dir mounton;
 allow mount_t nfs_t:dir search;
-# nfsv4 has a filesystem to mount for its userspace daemons
-allow mount_t var_lib_nfs_t:dir mounton;
-
-# On some RedHat systems, /boot is a mount point
-allow mount_t boot_t:dir mounton;
-allow mount_t device_t:dir mounton;
-# mount binfmt_misc on /proc/sys/fs/binfmt_misc
-allow mount_t sysctl_t:dir { mounton search };
+allow mount_t sysctl_t:dir search;

 allow mount_t root_t:filesystem unmount;

+can_portmap(mount_t)
+
 ifdef(`portmap.te', `
 # for nfs
 can_network(mount_t)
+allow mount_t port_type:tcp_socket name_connect;
 can_ypbind(mount_t)
 allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
 allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
@ -83,11 +79,7 @@ dontaudit mount_t kernel_t:fd use;
 allow mount_t userdomain:fd use;
 can_exec(mount_t, { sbin_t bin_t })
 allow mount_t device_t:dir r_dir_perms;
-ifdef(`distro_redhat', `
 allow mount_t tmpfs_t:chr_file { read write };
-allow mount_t tmpfs_t:dir mounton;
-')
-

 # tries to read /init
 dontaudit mount_t root_t:file { getattr read };
--- a/strict/domains/program/mta.te
+++ b/strict/domains/program/mta.te
@ -13,8 +13,6 @@
 ifdef(`sendmail.te', `', `
 type sendmail_exec_t, file_type, exec_type, sysadmfile;
 ')
-type smtp_port_t, port_type, reserved_port_type;
-

 # create a system_mail_t domain for daemons, init scripts, etc when they run
 # "mail user@domain"
@ -25,6 +23,7 @@ ifdef(`targeted_policy', `
 # targeted policy.  We could move these rules permanantly here.
 ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
 allow system_mail_t self:dir { search };
+allow system_mail_t self:lnk_file read;
 r_dir_file(system_mail_t, { proc_t proc_net_t })
 allow system_mail_t fs_t:filesystem getattr;
 allow system_mail_t { var_t var_spool_t }:dir getattr;
@ -59,15 +58,6 @@ allow { system_mail_t mta_user_agent } privmail:process sigchld;
 allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
 allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };

-ifdef(`arpwatch.te', `
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
-')dnl end if arpwatch.te
-
 allow mta_delivery_agent home_root_t:dir { getattr search };

 # for /var/spool/mail
@ -81,4 +71,4 @@ allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
 allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };

 allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t urandom_device_t:chr_file read;
+allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
--- a/strict/domains/program/mysqld.te
+++ b/strict/domains/program/mysqld.te
@ -10,15 +10,13 @@
 #
 # mysqld_exec_t is the type of the mysqld executable.
 #
-daemon_domain(mysqld)
+daemon_domain(mysqld, `, nscd_client_domain')

-type mysqld_port_t, port_type;
 allow mysqld_t mysqld_port_t:tcp_socket name_bind;

 allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;

 etcdir_domain(mysqld)
-typealias mysqld_etc_t alias etc_mysqld_t;
 type mysqld_db_t, file_type, sysadmfile;

 log_domain(mysqld)
@ -36,7 +34,7 @@ allow initrc_t mysqld_var_run_t:sock_file write;
 allow initrc_t mysqld_log_t:file { write append setattr ioctl };

 allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
-allow mysqld_t self:process getsched;
+allow mysqld_t self:process { setsched getsched };

 allow mysqld_t proc_t:file { getattr read };

@ -90,3 +88,4 @@ allow userdomain mysqld_var_run_t:sock_file write;
 }
 ')

+allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
--- a/strict/domains/program/named.te
+++ b/strict/domains/program/named.te
@ -10,11 +10,13 @@
 #
 # Rules for the named_t domain.
 #
-type rndc_port_t, port_type, reserved_port_type;

 daemon_domain(named, `, nscd_client_domain')
 tmp_domain(named)

+type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
+
 # For /var/run/ndc used in BIND 8
 file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)

@ -54,11 +56,13 @@ allow named_t etc_runtime_t:{ file lnk_file } { getattr read };

 #Named can use network
 can_network(named_t)
+allow named_t port_type:tcp_socket name_connect;
 can_ypbind(named_t)
 # allow UDP transfer to/from any program
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
 can_tcp_connect(domain, named_t)
+log_domain(named)

 # Bind to the named port.
 allow named_t dns_port_t:udp_socket name_bind;
@ -103,6 +107,7 @@ type ndc_exec_t, file_type,sysadmfile, exec_type;
 domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
 uses_shlib(ndc_t)
 can_network_client_tcp(ndc_t)
+allow ndc_t rndc_port_t:tcp_socket name_connect;
 can_ypbind(ndc_t)
 can_resolve(ndc_t)
 read_locale(ndc_t)
@ -113,6 +118,7 @@ ifdef(`distro_redhat', `
 allow { ndc_t initrc_t } named_conf_t:dir search;
 # Allow init script to cp localtime to named_conf_t
 allow initrc_t named_conf_t:file { setattr write };
+allow initrc_t named_conf_t:dir create_dir_perms;
 ')
 allow { ndc_t initrc_t } named_conf_t:file { getattr read };

--- a/strict/domains/program/newrole.te
+++ b/strict/domains/program/newrole.te
@ -17,3 +17,4 @@ newrole_domain(newrole)
 allow newrole_t var_run_t:dir r_dir_perms;
 allow newrole_t initrc_var_run_t:file rw_file_perms;

+role secadm_r types newrole_t;
--- a/strict/domains/program/nscd.te
+++ b/strict/domains/program/nscd.te
@ -73,3 +73,6 @@ allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+log_domain(nscd)
+r_dir_file(nscd_t, cert_t)
+allow nscd_t tun_tap_device_t:chr_file { read write };
--- a/strict/domains/program/ntpd.te
+++ b/strict/domains/program/ntpd.te
@ -43,6 +43,7 @@ can_network(ntpd_t)
 allow ntpd_t ntp_port_t:tcp_socket name_connect;
 can_ypbind(ntpd_t)
 allow ntpd_t ntp_port_t:udp_socket name_bind;
+allow sysadm_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
--- a/strict/domains/program/pam.te
+++ b/strict/domains/program/pam.te
@ -37,4 +37,9 @@ dontaudit pam_t self:capability sys_tty_config;

 allow initrc_t pam_var_run_t:dir rw_dir_perms;
 allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file { read write };
+dontaudit pam_t initrc_var_run_t:file rw_file_perms;
+
+# Supress xdm denial
+ifdef(`xdm.te', `
+dontaudit pam_t xdm_t:fd use;
+') dnl ifdef
--- a/strict/domains/program/ping.te
+++ b/strict/domains/program/ping.te
@ -17,6 +17,7 @@ role system_r types ping_t;
 in_user_role(ping_t)
 type ping_exec_t, file_type, sysadmfile, exec_type;

+ifdef(`targeted_policy', `', `
 bool user_ping false;

 if (user_ping) {
@ -25,6 +26,7 @@ if (user_ping) {
 	allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
 	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
 }
+')

 # Transition into this domain when you run this program.
 domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
@ -32,6 +34,7 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t)

 uses_shlib(ping_t)
 can_network_client(ping_t)
+can_resolve(ping_t)
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
--- a/strict/domains/program/udev.te
+++ b/strict/domains/program/udev.te
@ -28,18 +28,19 @@ can_exec_any(udev_t)
 type udev_tdb_t, file_type, sysadmfile, dev_fs;
 typealias udev_tdb_t alias udev_tbl_t;
 file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio };
 allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
 allow udev_t self:netlink_kobject_uevent_socket { create bind read }; 
+allow udev_t device_t:file { unlink rw_file_perms };
 allow udev_t device_t:sock_file create_file_perms;
 allow udev_t device_t:lnk_file create_lnk_perms;
 allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
 ifdef(`distro_redhat', `
-allow udev_t tmpfs_t:dir rw_dir_perms;
-allow udev_t tmpfs_t:sock_file create_file_perms;
+allow udev_t tmpfs_t:dir create_dir_perms;
+allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
 allow udev_t tmpfs_t:lnk_file create_lnk_perms;
 allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
 allow udev_t tmpfs_t:dir search;
@ -53,7 +54,7 @@ allow udev_t { sbin_t bin_t }:lnk_file read;
 allow udev_t bin_t:lnk_file read;
 can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
 can_exec(udev_t, udev_exec_t)
-r_dir_file(udev_t, sysfs_t)
+rw_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };

 # to read the file_contexts file
@ -138,3 +139,8 @@ file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
 ')
 r_dir_file(udev_t, domain)
 allow udev_t modules_dep_t:file r_file_perms;
+
+ifdef(`unlimitedUtils', `
+unconfined_domain(udev_t) 
+')
+dontaudit hostname_t udev_t:fd use;
--- a/strict/domains/user.te
+++ b/strict/domains/user.te
@ -10,10 +10,15 @@ bool user_dmesg false;
 # Support NFS home directories
 bool use_nfs_home_dirs false;

-# Allow execution of anonymous mappings, e.g. executable stack.
+# Allow making anonymous memory executable, e.g. 
+# for runtime-code generation or executable stack.
 bool allow_execmem false;

-# Support Share libraries with Text Relocation
+# Allow making the stack executable via mprotect.
+# Also requires allow_execmem.
+bool allow_execstack false;
+
+# Allow making a modified private file mapping executable (text relocation).
 bool allow_execmod false;

 # Support SAMBA home directories
@ -126,7 +131,16 @@ dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr
 role_tty_type_change(sysadm, user)
 role_tty_type_change(staff, sysadm)
 role_tty_type_change(sysadm, staff)
+role_tty_type_change(sysadm, secadm)
+role_tty_type_change(staff, secadm)

 # "ps aux" and "ls -l /dev/pts" make too much noise without this
 dontaudit unpriv_userdomain ptyfile:chr_file getattr;

+# to allow w to display everyone...
+bool user_ttyfile_stat false;
+
+if (user_ttyfile_stat) {
+allow userdomain ttyfile:chr_file getattr;
+}
+
--- a/strict/fs_use
+++ b/strict/fs_use
@ -8,6 +8,7 @@ fs_use_xattr ext2 system_u:object_r:fs_t;
 fs_use_xattr ext3 system_u:object_r:fs_t;
 fs_use_xattr xfs system_u:object_r:fs_t;
 fs_use_xattr jfs system_u:object_r:fs_t;
+fs_use_xattr reiserfs system_u:object_r:fs_t;

 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
@ -25,6 +26,7 @@ fs_use_task sockfs system_u:object_r:fs_t;
 fs_use_trans devpts system_u:object_r:devpts_t;
 fs_use_trans tmpfs system_u:object_r:tmpfs_t;
 fs_use_trans shm system_u:object_r:tmpfs_t;
+fs_use_trans mqueue system_u:object_r:tmpfs_t;

 # The separate genfs_contexts configuration can be used for filesystem 
 # types that cannot support persistent label mappings or use
--- a/strict/genfs_contexts
+++ b/strict/genfs_contexts
@ -91,8 +91,10 @@ genfscon nfs /				system_u:object_r:nfs_t
 genfscon nfs4 /				system_u:object_r:nfs_t
 genfscon afs /				system_u:object_r:nfs_t

-# reiserfs - until xattr security support works properly
-genfscon reiserfs /			system_u:object_r:nfs_t
+genfscon debugfs /			system_u:object_r:debugfs_t
+genfscon inotifyfs /			system_u:object_r:inotifyfs_t
+genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t
+genfscon mqueue /			system_u:object_r:mqueue_t

 # needs more work
 genfscon eventpollfs / system_u:object_r:eventpollfs_t
--- a/strict/macros/base_user_macros.te
+++ b/strict/macros/base_user_macros.te
@ -35,7 +35,8 @@ r_dir_file($1_t, usercanread)
 general_domain_access($1_t)

 if (allow_execmem) {
-# Allow loading DSOs that require executable stack.
+# Allow making anonymous memory executable, e.g. 
+# for runtime-code generation or executable stack.
 allow $1_t self:process execmem;
 }

@ -131,10 +132,6 @@ ifdef(`cardmgr.te', `
 allow $1_t cardmgr_var_run_t:file { getattr read };
 ')

-# Read and write /var/catman.
-allow $1_t catman_t:dir rw_dir_perms;
-allow $1_t catman_t:file create_file_perms;
-
 # Modify mail spool file.
 allow $1_t mail_spool_t:dir r_dir_perms;
 allow $1_t mail_spool_t:file rw_file_perms;
@ -176,19 +173,38 @@ ifdef(`crontab.te', `crontab_domain($1)')
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`tvtime.te', `tvtime_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
+ifdef(`thunderbird.te', `thunderbird_domain($1)')
 ifdef(`samba.te', `samba_domain($1)')
-ifdef(`games.te', `games_domain($1)')
 ifdef(`gpg.te', `gpg_domain($1)')
 ifdef(`xauth.te', `xauth_domain($1)')
+ifdef(`iceauth.te', `iceauth_domain($1)')
 ifdef(`startx.te', `xserver_domain($1)')
 ifdef(`lpr.te', `lpr_domain($1)')
 ifdef(`ssh.te', `ssh_domain($1)')
 ifdef(`irc.te', `irc_domain($1)')
 ifdef(`using_spamassassin', `spamassassin_domain($1)')
+ifdef(`pyzor.te', `pyzor_domain($1)')
+ifdef(`razor.te', `razor_domain($1)')
 ifdef(`uml.te', `uml_domain($1)')
 ifdef(`cdrecord.te', `cdrecord_domain($1)')
 ifdef(`mplayer.te', `mplayer_domains($1)')
+
+fontconfig_domain($1)
+
+# GNOME
+ifdef(`gnome.te', `
+gnome_domain($1)
+ifdef(`games.te', `games_domain($1)')
 ifdef(`gift.te', `gift_domains($1)')
+ifdef(`evolution.te', `evolution_domains($1)')
+ifdef(`ethereal.te', `ethereal_domain($1)')
+')
+
+# ICE communication channel
+ice_domain($1, $1)
+
+# ORBit communication channel (independent of GNOME)
+orbit_domain($1, $1)

 # Instantiate a derived domain for user cron jobs.
 ifdef(`crond.te', `crond_domain($1)')
@ -213,7 +229,9 @@ dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;

 # Use the network.
 can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
 can_ypbind($1_t)
+can_winbind($1_t)

 ifdef(`pamconsole.te', `
 allow $1_t pam_var_console_t:dir search;
@ -321,13 +339,12 @@ allow $1_t mnt_t:dir { getattr search };

 # Get attributes of file systems.
 allow $1_t fs_type:filesystem getattr;
-allow $1_t removable_t:filesystem getattr;

 # Read and write /dev/tty and /dev/null.
 allow $1_t devtty_t:chr_file rw_file_perms;
 allow $1_t null_device_t:chr_file rw_file_perms;
 allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
+allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
 #
 # Added to allow reading of cdrom
 #
@ -347,8 +364,11 @@ dontaudit $1_t wtmp_t:file write;
 # Read the devpts root directory.
 allow $1_t devpts_t:dir r_dir_perms;

-allow $1_t src_t:dir r_dir_perms;
-allow $1_t src_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_t, src_t)
+
+# Allow user to read default_t files
+# This is different from reading default_t content, 
+# because it also includes sockets, fifos, and links

 if (read_default_t) {
 allow $1_t default_t:dir r_dir_perms;
@ -368,8 +388,6 @@ dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
 dontaudit $1_t self:socket create;
 dontaudit $1_t sysctl_net_t:dir search;

-dontaudit $1_t default_context_t:dir search;
-
 ifdef(`rpcd.te', `
 create_dir_file($1_t, nfsd_rw_t)
 ')
--- a/strict/macros/core_macros.te
+++ b/strict/macros/core_macros.te
@ -662,9 +662,9 @@ allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
 #
 define(`general_domain_access',`
 # Access other processes in the same domain.
-# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, and execmem.  
+# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
 # These must be granted separately if desired.
-allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem};
+allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};

 # Access /proc/PID files for processes in the same domain.
 allow $1 self:dir r_dir_perms;
--- a/strict/macros/global_macros.te
+++ b/strict/macros/global_macros.te
@ -60,7 +60,7 @@ allow $1 self:file { getattr read write };
 # read_sysctl(domain)
 #
 # Permissions for reading sysctl variables.
-# If the second parameter is 'full', allow
+# If the second parameter is full, allow
 # reading of any sysctl variables, else only
 # sysctl_kernel_t.
 #
@ -106,6 +106,7 @@ allow $1 ld_so_t:file rx_file_perms;
 allow $1 ld_so_t:lnk_file r_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
+allow $1 texrel_shlib_t:file execmod;
 allow $1 ld_so_cache_t:file r_file_perms;
 allow $1 device_t:dir search;
 allow $1 null_device_t:chr_file rw_file_perms;
@ -156,7 +157,6 @@ allow $1 lib_t:file r_file_perms;
 r_dir_file($1, locale_t)
 ')

-
 ###################################
 #
 # access_terminal(domain, typeprefix)
@ -253,7 +253,7 @@ allow $1_t self:process { signal_perms fork };
 uses_shlib($1_t)

 allow $1_t { self proc_t }:dir r_dir_perms;
-allow $1_t { self proc_t }:lnk_file read;
+allow $1_t { self proc_t }:lnk_file { getattr read };

 allow $1_t device_t:dir r_dir_perms;
 ifdef(`udev.te', `
@ -293,6 +293,8 @@ domain_auto_trans(init_t, $1_exec_t, $1_t)
 # Define a daemon domain with a base set of type declarations
 # and permissions that are common to most daemons.
 # attribs is the list of attributes which must start with "," if it is not empty
+# nosysadm may be given as an optional third parameter, to specify that the
+# sysadmin should not transition to the domain when directly calling the executable
 #
 # Author:  Russell Coker <russell@coker.com.au>
 #
@ -353,6 +355,14 @@ file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
 allow $1_t var_t:dir search;
 allow $1_t $1_var_run_t:dir rw_dir_perms;
 ')
+
+#######################
+# daemon_domain(domain_prefix, attribs)
+#
+# see daemon_base_domain for calling details
+# daemon_domain defines some additional privileges needed by many domains,
+# like pid files and locale support
+
 define(`daemon_domain', `
 ifdef(`targeted_policy', `
 daemon_base_domain($1, `$2, transitionbool', $3)
@ -396,8 +406,19 @@ type $2_exec_t, file_type, sysadmfile, exec_type;

 role system_r types $2_t;

+ifelse(index(`$3',`transitionbool'), -1, `
+
 domain_auto_trans($1, $2_exec_t, $2_t)

+', `
+
+bool $2_disable_trans false;
+
+if (! $2_disable_trans) {
+domain_auto_trans($1, $2_exec_t, $2_t)
+}
+
+');
 # Inherit and use descriptors from parent.
 allow $2_t $1:fd use;
 allow $2_t $1:process sigchld;
@ -422,16 +443,23 @@ ifelse($3, `',
 `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
 ')

+# grant access to /tmp. Do not perform an automatic transition.
+define(`tmp_domain_notrans', `
+type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
+')
+
 define(`tmpfs_domain', `
+ifdef(`$1_tmpfs_t_defined',`', `
+define(`$1_tmpfs_t_defined')
 type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
 # Use this type when creating tmpfs/shm objects.
 file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
 allow $1_tmpfs_t tmpfs_t:filesystem associate;
 ')
+')

 define(`var_lib_domain', `
 type $1_var_lib_t, file_type, sysadmfile;
-typealias $1_var_lib_t alias var_lib_$1_t;
 file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
 allow $1_t $1_var_lib_t:dir rw_dir_perms;
 ')
@ -474,105 +502,6 @@ type $1_lock_t, file_type, sysadmfile, lockfile;
 file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
 ')

-####################################################################
-# home_domain_ro_access(source, user, app) 
-# 
-# Gives source access to the read-only home
-# domain of app for the given user type
-#
-
-define(`home_domain_ro_access', `
-
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-
-r_dir_file($1, $2_$3_ro_home_t)
-
-') dnl home_domain_ro_access
-
-####################################################################
-# home_domain_access(source, user, app)
-#
-# Gives source full access to the home
-# domain of app for the given user type
-#
-
-define(`home_domain_access', `
-
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-
-file_type_auto_trans($1, $2_home_dir_t, $2_$3_home_t)
-
-') dnl home_domain_access
-
-####################################################################
-# home_domain (prefix, app)
-#
-# Creates a domain in the prefix home where an application can
-# store its settings. It's accessible by the prefix domain.
-#
-
-define(`home_domain', `
-
-# Declare home domain
-# FIXME: the second alias is problematic because
-# home_domain and home_domain_ro cannot be used in parallel
-# Remove the second alias when compatibility is no longer an issue
-
-type $1_$2_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_home_t alias $1_$2_rw_t;
-typealias $1_$2_home_t alias $1_home_$2_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_home_t)
-allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_access($1_$2_t, $1, $2)
-')
-
-####################################################################
-# home_domain_ro (user, app)
-#
-# Creates a read-only domain in the user home where an application can
-# store its settings. It's fully accessible by the user, but
-# it's read-only for the application.
-#
-
-define(`home_domain_ro', `
-
-# Declare home domain
-# FIXME: the second alias is problematic because
-# home_domain and home_domain_ro cannot be used in parallel
-# Remove the second alias when compatibility is no longer an issue
-
-type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_ro_home_t alias $1_$2_ro_t;
-typealias $1_$2_ro_home_t alias $1_home_$2_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_ro_home_t)
-allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_ro_access($1_$2_t, $1, $2)
-')
-
 #######################
 # application_domain(domain_prefix)
 #
@ -589,12 +518,6 @@ domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
 uses_shlib($1_t)
 ')

-define(`user_application_domain', `
-application_domain($1, `$2')
-in_user_role($1_t)
-domain_auto_trans(userdomain, $1_exec_t, $1_t)
-')
-
 define(`system_domain', `
 type $1_t, domain, privlog $2;
 type $1_exec_t, file_type, sysadmfile, exec_type;
@ -603,23 +526,25 @@ uses_shlib($1_t)
 allow $1_t etc_t:dir r_dir_perms;
 ')

-# Do not flood message log, if the user does a browse
-define(`file_browse_domain', `
+# Dontaudit macros to prevent flooding the log

-# Regular files/directories that are not security sensitive
+define(`dontaudit_getattr', `
 dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
-dontaudit $1 file_type - secure_file_type:dir { read search };
+dontaudit $1 unlabeled_t:dir_file_class_set getattr;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
+')dnl end dontaudit_getattr 

-# /dev
-dontaudit $1 dev_fs:dir_file_class_set getattr;
-dontaudit $1 dev_fs:dir { read search };
-
-# /proc
-dontaudit $1 sysctl_t:dir_file_class_set getattr;
-dontaudit $1 proc_fs:dir { read search };
-
-')dnl end file_browse_domain
+define(`dontaudit_search_dir', `
+dontaudit $1 file_type - secure_file_type:dir search;
+dontaudit $1 unlabeled_t:dir search;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
+')dnl end dontaudit_search_dir

+define(`dontaudit_read_dir', `
+dontaudit $1 file_type - secure_file_type:dir read;
+dontaudit $1 unlabeled_t:dir read;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
+')dnl end dontaudit_read_dir

 # Define legacy_domain  for legacy binaries (java)
 # "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
@ -629,12 +554,46 @@ dontaudit $1 proc_fs:dir { read search };
 # shlib_t and ld_so_t unlike non-legacy binaries.

 define(`legacy_domain', `
-allow $1_t self:process { execmem };
+allow $1_t self:process { execmem execstack };
 allow $1_t { texrel_shlib_t shlib_t }:file execmod;
 allow $1_t ld_so_t:file execmod;
 allow $1_t ld_so_cache_t:file execute;
 ')

+
+# Allow domain to perform polyinstantiation functions
+# polyinstantiater(domain)
+
+define(`polyinstantiater', `
+
+ifdef(`support_polyinstantiation', `
+# Need to give access to /selinux/member
+allow $1 security_t:security compute_member;
+
+# Need to give access to the directories to be polyinstantiated
+allow $1 polydir:dir { getattr mounton add_name create setattr write search };
+
+# Need to give access to the polyinstantiated subdirectories
+allow $1 polymember:dir {getattr search };
+
+# Need to give access to parent directories where original
+# is remounted for polyinstantiation aware programs (like gdm)
+allow $1 polyparent:dir { getattr mounton };
+
+# Need to give permission to create directories where applicable
+allow $1 polymember: dir { create setattr };
+allow $1 polydir: dir { write add_name };
+allow $1 self:process setfscreate;
+allow $1 polyparent:dir { write add_name };
+# Default type for mountpoints
+allow $1 poly_t:dir { create mounton };
+
+# Need sys_admin capability for mounting
+allow $1 self:capability sys_admin;
+')dnl end else support_polyinstantiation
+
+')dnl end polyinstantiater
+
 # 
 # Define a domain that can do anything, so that it is
 # effectively unconfined by the SELinux policy.  This
@ -679,6 +638,7 @@ can_sysctl($1)
 allow $1 node_type:node *;
 allow $1 netif_type:netif *;
 allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
+allow $1 port_type:tcp_socket name_connect;

 # Bind to any network address.
 allow $1 port_type:{ tcp_socket udp_socket } name_bind;
@ -698,13 +658,24 @@ allow $1 domain:process ~{ transition dyntransition execmem };
 allow $1 self:process transition;

 if (allow_execmem) {
-# Allow loading DSOs that require executable stack.
+# Allow making anonymous memory executable, e.g. 
+# for runtime-code generation or executable stack.
 allow $1 self:process execmem;
 }

+if (allow_execmem && allow_execstack) {
+# Allow making the stack executable via mprotect.
+allow $1 self:process execstack;
+}
+
 if (allow_execmod) {
 # Allow text relocations on system shared libraries, e.g. libGL.
+ifdef(`targeted_policy', `
+allow $1 file_type:file execmod;
+', `
 allow $1 texrel_shlib_t:file execmod;
+allow $1 home_type:file execmod;
+')
 }

 # Create/access any System V IPC objects.
@ -737,3 +708,22 @@ allow $1 nscd_t:nscd *;
 ')

 ')dnl end unconfined_domain
+
+
+define(`access_removable_media', `
+
+can_exec($1, { removable_t noexattrfile } )
+if (user_rw_noexattrfile) {
+create_dir_file($1, noexattrfile)
+create_dir_file($1, removable_t)
+# Write floppies 
+allow $1 removable_device_t:blk_file rw_file_perms;
+allow $1 usbtty_device_t:chr_file write;
+} else {
+r_dir_file($1, noexattrfile)
+r_dir_file($1, removable_t)
+allow $1 removable_device_t:blk_file r_file_perms;
+}
+allow $1 removable_t:filesystem getattr;
+
+')
--- a/strict/macros/network_macros.te
+++ b/strict/macros/network_macros.te
@ -155,14 +155,23 @@ allow $1 mount_t:udp_socket rw_socket_perms;
 ')dnl end can_network definition

 define(`can_resolve',`
-ifdef(`use_dns',`
 can_network_udp($1, `dns_port_t')
 ')
+
+define(`can_portmap',`
+can_network_client($1, `portmap_port_t')
+allow $1 portmap_port_t:tcp_socket name_connect;
 ')

 define(`can_ldap',`
-ifdef(`slapd.te',`
 can_network_client_tcp($1, `ldap_port_t')
-')
+allow $1 ldap_port_t:tcp_socket name_connect;
 ')

+define(`can_winbind',`
+ifdef(`winbind.te', `
+allow $1 winbind_var_run_t:dir { getattr search };
+allow $1 winbind_t:unix_stream_socket connectto;
+allow $1 winbind_var_run_t:sock_file { getattr read write };
+')
+')
--- a/strict/macros/program/games_domain.te
+++ b/strict/macros/program/games_domain.te
@ -10,49 +10,80 @@
 #
 #
 define(`games_domain', `
-x_client_domain($1, `games', `, transitionbool')

+type $1_games_t, domain, nscd_client_domain;
+
+# Type transition
+if (! disable_games_trans) {
+domain_auto_trans($1_t, games_exec_t, $1_games_t)
+}
+can_exec($1_games_t, games_exec_t)
+role $1_r types $1_games_t;
+
+can_create_pty($1_games)
+
+# X access, GNOME, /tmp files
+x_client_domain($1_games, $1)
+tmp_domain($1_games, `', { dir notdevfile_class_set })
+gnome_application($1_games, $1)
+gnome_file_dialog($1_games, $1)
+
+# Games seem to need this
+if (allow_execmem) {
+allow $1_games_t self:process execmem;
+}
+
+allow $1_games_t texrel_shlib_t:file execmod;
 allow $1_games_t var_t:dir { search getattr };
 rw_dir_create_file($1_games_t, games_data_t)
 allow $1_games_t sound_device_t:chr_file rw_file_perms;
-r_dir_file($1_games_t, usr_t)
 can_udp_send($1_games_t, $1_games_t)
 can_tcp_connect($1_games_t, $1_games_t)

 # Access /home/user/.gnome2
-create_dir_file($1_games_t, $1_home_t)
-allow $1_games_t $1_home_dir_t:dir search;
-allow $1_games_t $1_home_t:dir { read getattr };
+# FIXME: Change to use per app types
+create_dir_file($1_games_t, $1_gnome_settings_t)

+# FIXME: why is this necessary - ORBit?
+# ORBit works differently now
 create_dir_file($1_games_t, $1_tmp_t)
 allow $1_games_t $1_tmp_t:sock_file create_file_perms;
+can_unix_connect($1_t, $1_games_t)
+can_unix_connect($1_games_t, $1_t)

-dontaudit $1_games_t sysctl_t:dir search;
-
-tmp_domain($1_games)
-allow $1_games_t urandom_device_t:chr_file { getattr ioctl read };
 ifdef(`xdm.te', `
 allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
 allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
 allow $1_games_t xdm_var_lib_t:file { getattr read };
 ')dnl end if xdm.te

-can_unix_connect($1_t, $1_games_t)
-can_unix_connect($1_games_t, $1_t)
-
 allow $1_games_t var_lib_t:dir search;
 r_dir_file($1_games_t, man_t)
-allow $1_games_t proc_t:file { read getattr };
+allow $1_games_t { proc_t self }:dir search;
+allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
 ifdef(`mozilla.te', ` 
 dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
 ')
 allow $1_games_t event_device_t:chr_file getattr;
 allow $1_games_t mouse_device_t:chr_file getattr;
-allow $1_games_t self:file { getattr read };

-# kpat spews errors
-dontaudit $1_games_t bin_t:dir getattr;
+allow $1_games_t self:file { getattr read };
+allow $1_games_t self:sem create_sem_perms;
+
+allow $1_games_t { bin_t sbin_t }:dir { getattr search };
+can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
+allow $1_games_t bin_t:lnk_file read;
+
 dontaudit $1_games_t var_run_t:dir search;
+dontaudit $1_games_t initrc_var_run_t:file { read write };
+dontaudit $1_games_t var_log_t:dir search;
+
+can_network($1_games_t)
+allow $1_games_t port_t:tcp_socket name_bind;
+allow $1_games_t port_t:tcp_socket name_connect;
+
+# Suppress .icons denial until properly implemented
+dontaudit $1_games_t $1_home_t:dir read;

 ')dnl end macro definition

--- a/strict/macros/program/gift_macros.te
+++ b/strict/macros/program/gift_macros.te
@ -12,49 +12,34 @@

 define(`gift_domain', `

-# Connect to X
-x_client_domain($1, gift, `')	
-
-# Transition
+# Type transition
+type $1_gift_t, domain, nscd_client_domain;
 domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
-can_exec($1_gift_t, gift_exec_t)
 role $1_r types $1_gift_t;

-# Self permissions
-allow $1_gift_t self:process getsched;
-
-# Home files
+# X access, Home files, GNOME, /tmp
+x_client_domain($1_gift, $1)
+gnome_application($1_gift, $1)
 home_domain($1, gift)
+file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)

-# Fonts, icons
-r_dir_file($1_gift_t, usr_t)
-r_dir_file($1_gift_t, fonts_t)
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_gift_t)
+allow $1_t $1_gift_t:process signal_perms;

 # Launch gift daemon
-allow $1_gift_t self:process fork;
+allow $1_gift_t bin_t:dir search;
 domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)

 # Connect to gift daemon
-can_network($1_gift_t)
+can_network_client_tcp($1_gift_t, giftd_port_t)
+allow $1_gift_t giftd_port_t:tcp_socket name_connect;

 # Read /proc/meminfo
 allow $1_gift_t proc_t:dir search;
 allow $1_gift_t proc_t:file { getattr read };

-# Tmp/ORBit
-tmp_domain($1_gift)
-file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
-can_unix_connect($1_t, $1_gift_t)
-can_unix_connect($1_gift_t, $1_t)
-allow $1_t $1_gift_tmp_t:sock_file write;
-allow $1_gift_t $1_tmp_t:file { getattr read write lock };
-allow $1_gift_t $1_tmp_t:sock_file { read write };
-dontaudit $1_gift_t $1_tmp_t:dir setattr;
-
-# Access random device
-allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl };
-
-# giftui looks in .icons, .themes, .fonts-cache.
+# giftui looks in .icons, .themes.
 dontaudit $1_gift_t $1_home_t:dir { getattr read search };
 dontaudit $1_gift_t $1_home_t:file { getattr read };

@ -79,26 +64,34 @@ allow $1_giftd_t self:unix_stream_socket create_socket_perms;
 read_sysctl($1_giftd_t)
 read_locale($1_giftd_t)
 uses_shlib($1_giftd_t)
+access_terminal($1_giftd_t, $1)
+
+# Read /proc/meminfo
+allow $1_giftd_t proc_t:dir search;
+allow $1_giftd_t proc_t:file { getattr read };
+
+# Read /etc/mtab
+allow $1_giftd_t etc_runtime_t:file { getattr read };

 # Access home domain
 home_domain_access($1_giftd_t, $1, gift)
-	
-# Allow networking
-allow $1_giftd_t port_t:tcp_socket name_bind;
-allow $1_giftd_t port_t:udp_socket name_bind;
-can_network_server($1_giftd_t)
-can_network_client($1_giftd_t)
+file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)

-# FIXME: ???
-dontaudit $1_giftd_t self:udp_socket listen;
+# Serve content on various p2p networks. Ports can be random.
+can_network_server($1_giftd_t)
+allow $1_giftd_t self:udp_socket listen;
+allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
+
+# Connect to various p2p networks. Ports can be random.
+can_network_client($1_giftd_t)
+allow $1_giftd_t port_type:tcp_socket name_connect;

 # Plugins
 r_dir_file($1_giftd_t, usr_t)

 # Connect to xdm
 ifdef(`xdm.te', `
-allow $1_giftd_t xdm_t:fd use;
-allow $1_giftd_t xdm_t:fifo_file write;
+can_pipe_xdm($1_giftd_t)
 ') 

 ') dnl giftd_domain
--- a/strict/macros/program/userhelper_macros.te
+++ b/strict/macros/program/userhelper_macros.te
@ -76,8 +76,7 @@ allow $1_userhelper_t devpts_t:dir r_dir_perms;
 allow $1_userhelper_t etc_t:file r_file_perms;

 # Read /var.
-allow $1_userhelper_t var_t:dir r_dir_perms;
-allow $1_userhelper_t var_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_userhelper_t, var_t)

 # Read /dev directories and any symbolic links.
 allow $1_userhelper_t device_t:dir r_dir_perms;
@ -97,7 +96,7 @@ can_getsecurity($1_userhelper_t)
 allow $1_userhelper_t fs_t:filesystem getattr;

 # for some PAM modules and for cwd
-dontaudit $1_userhelper_t { home_root_t home_type }:dir search;
+allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;

 allow $1_userhelper_t proc_t:dir search;
 allow $1_userhelper_t proc_t:file { getattr read };
@ -120,8 +119,7 @@ role system_r types $1_userhelper_t;
 r_dir_file($1_userhelper_t, nfs_t)

 ifdef(`xdm.te', `
-allow $1_userhelper_t xdm_t:fd use;
-allow $1_userhelper_t xdm_t:fifo_file rw_file_perms;
+can_pipe_xdm($1_userhelper_t)
 allow $1_userhelper_t xdm_var_run_t:dir search;
 ')

--- a/strict/macros/program/ypbind_macros.te
+++ b/strict/macros/program/ypbind_macros.te
@ -1,10 +1,12 @@

 define(`uncond_can_ypbind', `
-dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
 can_network($1)
 r_dir_file($1,var_yp_t)
 allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
 dontaudit $1 self:capability net_bind_service;
+dontaudit $1 reserved_port_type:tcp_socket name_connect;
+dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
 ')

 define(`can_ypbind', `
--- a/strict/tunables/distro.tun
+++ b/strict/tunables/distro.tun
@ -5,7 +5,7 @@
 # appropriate ifdefs.


-define(`distro_redhat')
+dnl define(`distro_redhat')

 dnl define(`distro_suse')

--- a/strict/tunables/tunable.tun
+++ b/strict/tunables/tunable.tun
@ -1,27 +1,27 @@
-# Allow users to execute the mount command
-define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-#define(`unlimitedRPM')
+dnl define(`unlimitedRPM')

 # Allow privileged utilities like hotplug and insmod to run unconfined.
-#define(`unlimitedUtils')
+dnl define(`unlimitedUtils')

 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-#define(`unlimitedRC')
+dnl define(`unlimitedRC')

 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')

+# Do not allow sysadm_t to be in the security manager domain
+dnl define(`separate_secadm')
+
 # Do not audit things that we know to be broken but which
 # are not security risks
-define(`hide_broken_symptoms')
+dnl define(`hide_broken_symptoms')

 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-define(`user_canbe_sysadm')
+dnl define(`user_canbe_sysadm')

 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
@ -29,3 +29,6 @@ dnl define(`unlimitedInetd')

 # for ndc_t to be used for restart shell scripts
 dnl define(`ndc_shell_script')
+
+# Enable Polyinstantiation support
+dnl define(`support_polyinstatiation')
--- a/strict/types/nfs.te
+++ b/strict/types/nfs.te
@ -13,7 +13,7 @@
 # The nfs_*_t types are used for specific NFS
 # servers in net_contexts or net_contexts.mls.
 #
-type nfs_t, fs_type;
+type nfs_t, mount_point, fs_type;

 #
 # Allow NFS files to be associated with an NFS file system.
--- a/strict/types/procfs.te
+++ b/strict/types/procfs.te
@ -14,7 +14,7 @@
 # proc_mdstat_t is the type of /proc/mdstat.
 # proc_net_t is the type of /proc/net.
 #
-type proc_t, fs_type, proc_fs;
+type proc_t, fs_type, mount_point, proc_fs;
 type proc_kmsg_t, proc_fs;
 type proc_kcore_t, proc_fs;
 type proc_mdstat_t, proc_fs;
@ -35,7 +35,7 @@ type proc_net_t, proc_fs;
 # These types are applied to both the entries in
 # /proc/sys and the corresponding sysctl parameters.
 #
-type sysctl_t, sysctl_type;
+type sysctl_t, mount_point, sysctl_type;
 type sysctl_fs_t, sysctl_type;
 type sysctl_kernel_t, sysctl_type;
 type sysctl_modprobe_t, sysctl_type;
 @ -1 +1 @@
 .23.2-1
 .26