trunk: 10 patches from dan.

policy/modules/services/aide.if

@@ -64,8 +64,8 @@ interface(`aide_admin',`
 	ps_process_pattern($1, aide_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, aide_db_t, aide_db_t)
+	admin_pattern($1, aide_db_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, aide_log_t, aide_log_t)
+	admin_pattern($1, aide_log_t)
 ')

policy/modules/services/aide.te

@@ -1,5 +1,5 @@
 
-policy_module(aide, 1.4.1)
+policy_module(aide, 1.4.2)
 
 ########################################
 #

policy/modules/services/arpwatch.fc

@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/arpwatch --	gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
 
 #
 # /usr

policy/modules/services/arpwatch.if

@@ -90,3 +90,45 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
 
 	dontaudit $1 arpwatch_t:packet_socket { read write };
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an arpwatch environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the arpwatch domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`arpwatch_admin',`
+	gen_require(`
+		type arpwatch_t, arpwatch_tmp_t;
+		type arpwatch_data_t, arpwatch_var_run_t;
+		type arpwatch_initrc_exec_t;
+	')
+
+	allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, arpwatch_t)
+
+	init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 arpwatch_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, arpwatch_tmp_t)
+
+	files_list_var($1)
+	admin_pattern($1, arpwatch_data_t)
+
+	files_list_pids($1)
+	admin_pattern($1, arpwatch_var_run_t)
+')

policy/modules/services/arpwatch.te

@@ -1,5 +1,5 @@
 
-policy_module(arpwatch, 1.6.1)
+policy_module(arpwatch, 1.6.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(arpwatch_t, arpwatch_exec_t)
 type arpwatch_data_t;
 files_type(arpwatch_data_t)
 
+type arpwatch_initrc_exec_t;
+init_script_file(arpwatch_initrc_exec_t)
+
 type arpwatch_tmp_t;
 files_tmp_file(arpwatch_tmp_t)
 

policy/modules/services/asterisk.fc

@@ -1,4 +1,5 @@
 /etc/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_etc_t,s0)
+/etc/rc\.d/init\.d/asterisk --	gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
 
 /usr/sbin/asterisk	--	gen_context(system_u:object_r:asterisk_exec_t,s0)
 

policy/modules/services/asterisk.if

@@ -1 +1,53 @@
 ## <summary>Asterisk IP telephony server</summary>
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an asterisk environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the asterisk domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`asterisk_admin',`
+	gen_require(`
+		type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+		type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
+		type asterisk_var_lib_t;
+		type asterisk_initrc_exec_t;
+	')
+
+	allow $1 asterisk_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, asterisk_t)
+
+	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 asterisk_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, asterisk_tmp_t)
+
+	files_list_etc($1)
+	admin_pattern($1, asterisk_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, asterisk_log_t)
+
+	files_list_spool($1)
+	admin_pattern($1, asterisk_spool_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, asterisk_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, asterisk_var_run_t)
+')

policy/modules/services/asterisk.te

@@ -1,5 +1,5 @@
 
-policy_module(asterisk, 1.5.1)
+policy_module(asterisk, 1.5.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(asterisk_t, asterisk_exec_t)
 type asterisk_etc_t;
 files_config_file(asterisk_etc_t)
 
+type asterisk_initrc_exec_t;
+init_script_file(asterisk_initrc_exec_t)
+
 type asterisk_log_t;
 logging_log_file(asterisk_log_t)
 

policy/modules/services/bind.fc

@@ -1,4 +1,4 @@
-/etc/rc.d/init.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 /etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
 

policy/modules/services/bind.if

@@ -261,19 +261,18 @@ interface(`bind_udp_chat_named',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal.
+##	The role to be allowed to manage the bind domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`bind_admin',`
 	gen_require(`
-		type named_t, ndc_t;
+		type named_t, named_tmp_t, named_log_t;
+		type named_conf_t, named_var_run_t;
+		type named_cache_t, named_zone_t;
+		type dnssec_t, ndc_t;
+		type named_initrc_exec_t;
 	')
 
 	allow $1 named_t:process { ptrace signal_perms };
@@ -282,5 +281,25 @@ interface(`bind_admin',`
 	allow $1 ndc_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ndc_t)
 
-	bind_run_ndc($1, $2, $3)
+	bind_run_ndc($1, $2)
+
+	domain_system_change_exemption($1)
+	role_transition $2 named_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, named_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, named_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, named_conf_t)
+
+	admin_pattern($1, named_cache_t)
+	admin_pattern($1, named_zone_t)
+	admin_pattern($1, dnssec_t)
+
+	files_list_pids($1)
+	admin_pattern($1, named_var_run_t)
 ')

policy/modules/services/bind.te

@@ -1,5 +1,5 @@
 
-policy_module(bind, 1.8.1)
+policy_module(bind, 1.8.2)
 
 ########################################
 #
@@ -242,6 +242,8 @@ sysnet_dns_name_resolve(ndc_t)
 
 userdom_use_user_terminals(ndc_t)
 
+term_dontaudit_use_console(ndc_t)
+
 # for /etc/rndc.key
 ifdef(`distro_redhat',`
 	allow ndc_t named_conf_t:dir search;

policy/modules/services/inetd.fc

@@ -1,6 +1,8 @@
 
 /usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
 /usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
 /usr/sbin/inetd		--	gen_context(system_u:object_r:inetd_exec_t,s0)
 /usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
 /usr/sbin/xinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)

policy/modules/services/inetd.te

@@ -1,5 +1,5 @@
 
-policy_module(inetd, 1.8.1)
+policy_module(inetd, 1.8.2)
 
 ########################################
 #
@@ -136,6 +136,7 @@ corecmd_read_bin_symlinks(inetd_t)
 domain_use_interactive_fds(inetd_t)
 
 files_read_etc_files(inetd_t)
+files_read_etc_runtime_files(inetd_t)
 
 logging_send_syslog_msg(inetd_t)
 
@@ -219,6 +220,7 @@ dev_read_urand(inetd_child_t)
 fs_getattr_xattr_fs(inetd_child_t)
 
 files_read_etc_files(inetd_child_t)
+files_read_etc_runtime_files(inetd_child_t)
 
 auth_use_nsswitch(inetd_child_t)
 

policy/modules/services/lpd.fc

@@ -22,11 +22,14 @@
 /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
 /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
 
 #
 # /var
 #
 /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/cups-pdf(/.*)?	gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
 /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)

policy/modules/services/lpd.te

@@ -1,5 +1,5 @@
 
-policy_module(lpd, 1.10.1)
+policy_module(lpd, 1.10.2)
 
 ########################################
 #

policy/modules/services/postgrey.fc

@@ -1,5 +1,7 @@
 
 /etc/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_etc_t,s0)
+/etc/rc\.d/init\.d/postgrey --	gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+
 
 /usr/sbin/postgrey	--	gen_context(system_u:object_r:postgrey_exec_t,s0)
 
@@ -7,3 +9,5 @@
 
 /var/run/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_run_t,s0)
 /var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)

policy/modules/services/postgrey.if

@@ -12,10 +12,70 @@
 #
 interface(`postgrey_stream_connect',`
         gen_require(`
-                type postgrey_var_run_t, postgrey_t;
+                type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
         ')
 
-	allow $1 postgrey_t:unix_stream_socket connectto;
-        allow $1 postgrey_var_run_t:sock_file write;
+	stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
+	stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
 	files_search_pids($1)
 ')
+
+########################################
+## <summary>
+##      Search the spool directory
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+#
+interface(`postgrey_search_spool',`
+        gen_require(`
+                type postgrey_spool_t;
+        ')
+
+	allow $1 postgrey_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an postgrey environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the postgrey domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgrey_admin',`
+	gen_require(`
+		type postgrey_t, postgrey_etc_t;
+		type postgrey_var_lib_t, postgrey_var_run_t;
+		type postgrey_initrc_exec_t;
+	')
+
+	allow $1 postgrey_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postgrey_t)
+
+	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 postgrey_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, postgrey_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, postgrey_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, postgrey_var_run_t)
+')

policy/modules/services/postgrey.te

@@ -1,5 +1,5 @@
 
-policy_module(postgrey, 1.5.1)
+policy_module(postgrey, 1.5.2)
 
 ########################################
 #
@@ -13,6 +13,12 @@ init_daemon_domain(postgrey_t, postgrey_exec_t)
 type postgrey_etc_t;
 files_config_file(postgrey_etc_t)
 
+type postgrey_initrc_exec_t;
+init_script_file(postgrey_initrc_exec_t)
+
+type postgrey_spool_t;
+files_type(postgrey_spool_t)
+
 type postgrey_var_lib_t;
 files_type(postgrey_var_lib_t)
 
@@ -24,15 +30,21 @@ files_pid_file(postgrey_var_run_t)
 # Local policy
 #
 
-allow postgrey_t self:capability { chown setgid setuid };
+allow postgrey_t self:capability { chown dac_override setgid setuid };
 dontaudit postgrey_t self:capability sys_tty_config;
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:fifo_file create_fifo_file_perms;
 
 allow postgrey_t postgrey_etc_t:dir list_dir_perms;
 read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
 read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
 
+manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
@@ -81,6 +93,10 @@ optional_policy(`
 	nis_use_ypbind(postgrey_t)
 ')
 
+optional_policy(`
+	postfix_read_config(postgrey_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(postgrey_t)
 ')

policy/modules/services/privoxy.fc

@@ -1,5 +1,7 @@
 
 /etc/privoxy/user\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+/etc/privoxy/default\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+/etc/rc\.d/init\.d/privoxy --	gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
 
 /usr/sbin/privoxy	--	gen_context(system_u:object_r:privoxy_exec_t,s0)
 

policy/modules/services/privoxy.if

@@ -10,23 +10,34 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`privoxy_admin',`
 	gen_require(`
 		type privoxy_t, privoxy_log_t;
 		type privoxy_etc_rw_t, privoxy_var_run_t;
+		type privoxy_initrc_exec_t;
 	')
 
 	allow $1 privoxy_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, privoxy_t)
 
+	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 privoxy_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	logging_list_logs($1)
-	manage_files_pattern($1, privoxy_log_t, privoxy_log_t)
+	admin_pattern($1, privoxy_log_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, privoxy_etc_rw_t, privoxy_etc_rw_t)
+	admin_pattern($1, privoxy_etc_rw_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t)
+	admin_pattern($1, privoxy_var_run_t)
 ')

policy/modules/services/privoxy.te

@@ -1,5 +1,5 @@
 
-policy_module(privoxy, 1.7.1)
+policy_module(privoxy, 1.7.2)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t, privoxy_exec_t)
 
+type privoxy_initrc_exec_t;
+init_script_file(privoxy_initrc_exec_t)
+
 type privoxy_etc_rw_t;
 files_type(privoxy_etc_rw_t)
 
@@ -50,6 +53,7 @@ corenet_tcp_bind_http_cache_port(privoxy_t)
 corenet_tcp_connect_http_port(privoxy_t)
 corenet_tcp_connect_http_cache_port(privoxy_t)
 corenet_tcp_connect_ftp_port(privoxy_t)
+corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
 corenet_tcp_connect_tor_port(privoxy_t)
 corenet_sendrecv_http_cache_client_packets(privoxy_t)
 corenet_sendrecv_http_cache_server_packets(privoxy_t)

policy/modules/services/qmail.te

@@ -1,5 +1,5 @@
 
-policy_module(qmail, 1.4.1)
+policy_module(qmail, 1.4.2)
 
 ########################################
 #
@@ -121,6 +121,10 @@ mta_append_spool(qmail_local_t)
 
 qmail_domtrans_queue(qmail_local_t)
 
+optional_policy(`
+	spamassassin_domtrans_client(qmail_local_t)
+')
+
 ########################################
 #
 # qmail-lspawn local policy
@@ -251,6 +255,10 @@ optional_policy(`
 	daemontools_ipc_domain(qmail_smtpd_t)
 ')
 
+optional_policy(`
+	kerberos_keytab_template(qmail, qmail_smtpd_t)
+')
+
 optional_policy(`
 	ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
 ')

policy/modules/services/roundup.fc

@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/roundup	--	gen_context(system_u:object_r:roundup_initrc_exec_t,s0)
+
 #
 # /usr
 #

policy/modules/services/roundup.if

@@ -1 +1,39 @@
 ## <summary>Roundup Issue Tracking System policy</summary>
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an roundup environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the roundup domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`roundup_admin',`
+	gen_require(`
+		type roundup_t, roundup_var_lib_t, roundup_var_run_t;
+		type roundup_initrc_exec_t;
+	')
+
+	allow $1 roundup_t:process { ptrace signal_perms };
+	ps_process_pattern($1, roundup_t)
+
+	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 roundup_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var_lib($1)
+	admin_pattern($1, roundup_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, roundup_var_run_t)
+')

policy/modules/services/roundup.te

@@ -1,5 +1,5 @@
 
-policy_module(roundup, 1.5.1)
+policy_module(roundup, 1.5.2)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type roundup_t;
 type roundup_exec_t;
 init_daemon_domain(roundup_t, roundup_exec_t)
 
+type roundup_initrc_exec_t;
+init_script_file(roundup_initrc_exec_t)
+
 type roundup_var_run_t;
 files_pid_file(roundup_var_run_t)