Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy

policy/modules/admin/shorewall.if

@@ -185,18 +185,18 @@ interface(`shorewall_admin',`
 	role_transition $2 shorewall_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, shorewall_etc_t)
 
-	files_search_locks($1)
+	files_list_locks($1)
 	admin_pattern($1, shorewall_lock_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, shorewall_var_lib_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, shorewall_log_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, shorewall_tmp_t)
 ')

policy/modules/apps/gnome.if

@@ -320,7 +320,7 @@ interface(`gnome_admin_home_gconf_filetrans',`
 ##	</summary>
 ## </param>
 #
-template(`gnome_read_gconf_config',`
+interface(`gnome_read_gconf_config',`
 	gen_require(`
 		type gconf_etc_t;
 	')
@@ -498,7 +498,7 @@ interface(`gnome_stream_connect',`
 ##	</summary>
 ## </param>
 #
-template(`gnome_list_home_config',`
+interface(`gnome_list_home_config',`
 	gen_require(`
 		type config_home_t;
 	')
@@ -535,7 +535,7 @@ template(`gnome_setattr_home_config',`
 ##	</summary>
 ## </param>
 #
-template(`gnome_read_home_config',`
+interface(`gnome_read_home_config',`
 	gen_require(`
 		type config_home_t;
 	')

policy/modules/kernel/files.if

@@ -5286,6 +5286,24 @@ interface(`files_manage_mounttab',`
 	manage_files_pattern($1, var_lib_t, var_lib_t)
 ')
 
+########################################
+## <summary>
+##	List generic lock directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_locks',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	list_dirs_pattern($1, var_t, var_lock_t)
+')
+
 ########################################
 ## <summary>
 ##	Search the locks directory (/var/lock).

policy/modules/services/abrt.if

@@ -326,18 +326,18 @@ interface(`abrt_admin',`
 	role_transition $2 abrt_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, abrt_etc_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, abrt_var_log_t)
 
-	files_search_var($1)
+	files_list_var($1)
 	admin_pattern($1, abrt_var_cache_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, abrt_var_run_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, abrt_tmp_t)
 ')

policy/modules/services/abrt.te

@@ -214,7 +214,7 @@ optional_policy(`
 
 ########################################
 #
-# abrt--helper local policy
+# abrt-helper local policy
 #
 
 allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -252,16 +252,16 @@ ifdef(`hide_broken_symptoms', `
 	domain_dontaudit_leaks(abrt_helper_t)
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
-	optional_policy(`
-		rpm_dontaudit_leaks(abrt_helper_t)
-	')
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
 	dev_dontaudit_read_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
-')
 
+	optional_policy(`
+		rpm_dontaudit_leaks(abrt_helper_t)
+	')
+')
 
 ifdef(`hide_broken_symptoms',`
 	gen_require(`

policy/modules/services/afs.te

@@ -82,10 +82,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
 
 kernel_rw_afs_state(afs_t)
 
-ifdef(`hide_broken_symptoms', `
-	kernel_rw_unlabeled_files(afs_t)
-')
-
 corenet_all_recvfrom_unlabeled(afs_t)
 corenet_all_recvfrom_netlabel(afs_t)
 corenet_tcp_sendrecv_generic_if(afs_t)
@@ -111,6 +107,10 @@ miscfiles_read_localization(afs_t)
 
 sysnet_dns_name_resolve(afs_t)
 
+ifdef(`hide_broken_symptoms',`
+	kernel_rw_unlabeled_files(afs_t)
+')
+
 ########################################
 #
 # AFS bossserver local policy

policy/modules/services/aiccu.if

@@ -19,7 +19,6 @@ interface(`aiccu_domtrans',`
 	corecmd_search_bin($1)
 ')
 
-
 ########################################
 ## <summary>
 ##	Execute aiccu server in the aiccu domain.
@@ -78,7 +77,6 @@ interface(`aiccu_manage_var_run',`
 	files_search_pids($1)
 ')
 
-
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
@@ -111,8 +109,8 @@ interface(`aiccu_admin',`
 	allow $2 system_r;
 
 	admin_pattern($1, aiccu_etc_t)
-	files_search_etc($1)
+	files_list_etc($1)
 
 	admin_pattern($1, aiccu_var_run_t)
-	files_search_pids($1)
+	files_list_pids($1)
 ')

policy/modules/services/aide.if

@@ -33,6 +33,7 @@ interface(`aide_domtrans',`
 ##	The role to allow the AIDE domain.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`aide_run',`
 	gen_require(`

policy/modules/services/ajaxterm.if

@@ -1,4 +1,3 @@
-
 ## <summary>policy for ajaxterm</summary>
 
 ########################################
@@ -19,14 +18,13 @@ interface(`ajaxterm_domtrans',`
 	domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Execute ajaxterm server in the ajaxterm domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
@@ -57,8 +55,7 @@ interface(`ajaxterm_initrc_domtrans',`
 #
 interface(`ajaxterm_admin',`
 	gen_require(`
-		type ajaxterm_t;
+		type ajaxterm_t, ajaxterm_initrc_exec_t;
-		type ajaxterm_initrc_exec_t;
 	')
 
 	allow $1 ajaxterm_t:process { ptrace signal_perms };
@@ -68,5 +65,4 @@ interface(`ajaxterm_admin',`
 	domain_system_change_exemption($1)
 	role_transition $2 ajaxterm_initrc_exec_t system_r;
 	allow $2 system_r;
-
 ')

policy/modules/services/ajaxterm.te

@@ -30,7 +30,7 @@ allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
 allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
 allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
 
-allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
 term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
 
 manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)

policy/modules/services/amavis.if

@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
 		type amavis_var_run_t;
 	')
 
-	allow $1 amavis_var_run_t:file setattr;
+	allow $1 amavis_var_run_t:file setattr_file_perms;
 	files_search_pids($1)
 ')
 

policy/modules/services/amavis.te

@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
 
 # tmp files
 manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
-allow amavis_t amavis_tmp_t:dir setattr;
+allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
 files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
 
 # var/lib files for amavis
@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
 files_search_var_lib(amavis_t)
 
 # log files
-allow amavis_t amavis_var_log_t:dir setattr;
+allow amavis_t amavis_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })

policy/modules/services/apache.if

@@ -13,8 +13,7 @@
 #
 template(`apache_content_template',`
 	gen_require(`
-		attribute httpd_exec_scripts;
+		attribute httpd_exec_scripts, httpd_script_exec_type;
-		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
 		type httpd_sys_content_t;
 	')
@@ -50,8 +49,6 @@ template(`apache_content_template',`
 
 	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
 
-	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
 	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 
@@ -132,6 +129,8 @@ template(`apache_content_template',`
 	tunable_policy(`httpd_enable_cgi',`
 		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
 
+		domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
 		# privileged users run the script:
 		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
 
@@ -152,6 +151,8 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t httpd_t:fd use;
 		allow httpd_$1_script_t httpd_t:process sigchld;
 
+		dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
+
 		kernel_read_system_state(httpd_$1_script_t)
 
 		dev_read_urand(httpd_$1_script_t)
@@ -180,8 +181,6 @@ template(`apache_content_template',`
 	optional_policy(`
 		nscd_socket_use(httpd_$1_script_t)
 	')
-
-	dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
 ')
 
 ########################################
@@ -202,16 +201,15 @@ template(`apache_content_template',`
 interface(`apache_role',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_user_content_t, httpd_user_htaccess_t;
+		type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
-		type httpd_user_script_t, httpd_user_script_exec_t;
+		type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
-		type httpd_user_ra_content_t, httpd_user_rw_content_t;
 	')
 
 	role $1 types httpd_user_script_t;
 
 	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
 
-	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
 
 	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
 	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
@@ -501,7 +499,7 @@ interface(`apache_setattr_cache_dirs',`
 		type httpd_cache_t;
 	')
 
-	allow $1 httpd_cache_t:dir setattr;
+	allow $1 httpd_cache_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -732,7 +730,7 @@ interface(`apache_dontaudit_append_log',`
 		type httpd_log_t;
 	')
 
-	dontaudit $1 httpd_log_t:file { getattr append };
+	dontaudit $1 httpd_log_t:file append_file_perms;
 ')
 
 ########################################
@@ -895,7 +893,6 @@ interface(`apache_manage_sys_content',`
 	')
 
 	files_search_var($1)
-	apache_search_sys_content($1)
 	manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 	manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -985,8 +982,7 @@ interface(`apache_delete_sys_content_rw',`
 interface(`apache_domtrans_sys_script',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_sys_script_t;
+		type httpd_sys_script_t, httpd_sys_content_t;
-		type httpd_sys_content_t;
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
@@ -1049,9 +1045,10 @@ interface(`apache_domtrans_all_scripts',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access..
+##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_run_all_scripts',`
 	gen_require(`
@@ -1226,7 +1223,7 @@ interface(`apache_read_tmp_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##  Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -1317,17 +1314,14 @@ interface(`apache_cgi_domain',`
 #
 interface(`apache_admin',`
 	gen_require(`
-		attribute httpdcontent;
+		attribute httpdcontent, httpd_script_exec_type;
-		attribute httpd_script_exec_type;
-
 		type httpd_t, httpd_config_t, httpd_log_t;
-		type httpd_modules_t, httpd_lock_t;
+		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
-		type httpd_var_run_t, httpd_php_tmp_t;
+		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
 		type httpd_suexec_tmp_t, httpd_tmp_t;
-		type httpd_initrc_exec_t, httpd_bool_t;
 	')
 
-	allow $1 httpd_t:process { getattr ptrace signal_perms };
+	allow $1 httpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, httpd_t)
 
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
@@ -1338,10 +1332,10 @@ interface(`apache_admin',`
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, httpd_config_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, httpd_log_t)
 
 	admin_pattern($1, httpd_modules_t)
@@ -1352,16 +1346,12 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
 
-	kernel_search_proc($1)
-	allow $1 httpd_t:dir list_dir_perms;
-	ps_process_pattern($1, httpd_t)
-	read_lnk_files_pattern($1, httpd_t, httpd_t)
-
 	admin_pattern($1, httpdcontent)
 	admin_pattern($1, httpd_script_exec_type)
 
 	seutil_domtrans_setfiles($1)
 
+	files_list_tmp($1)
 	admin_pattern($1, httpd_tmp_t)
 	admin_pattern($1, httpd_php_tmp_t)
 	admin_pattern($1, httpd_suexec_tmp_t)
@@ -1380,7 +1370,7 @@ ifdef(`TODO',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #

policy/modules/services/apache.te

@@ -36,6 +36,13 @@ gen_tunable(allow_httpd_anon_write, false)
 ## </desc>
 gen_tunable(allow_httpd_mod_auth_pam, false)
 
+## <desc>
+##	<p>
+##	Allow Apache to use mod_auth_pam
+##	</p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+
 ## <desc>
 ##	<p>
 ##	Allow httpd scripts and modules execmem/execstack
@@ -279,6 +286,13 @@ typeattribute httpd_sys_content_t httpdcontent; # customizable
 typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
 typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
 
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
 
@@ -320,6 +334,9 @@ files_type(httpd_var_lib_t)
 type httpd_var_run_t;
 files_pid_file(httpd_var_run_t)
 
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
 # File Type of squirrelmail attachments
 type squirrelmail_spool_t;
 files_tmp_file(squirrelmail_spool_t)
@@ -506,12 +523,6 @@ tunable_policy(`allow_httpd_mod_auth_pam',`
 	logging_send_audit_msgs(httpd_t)
 ')
 
-## <desc>
-## <p>
-## Allow Apache to use mod_auth_pam
-## </p>
-## </desc>
-gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
 optional_policy(`
 	tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
 		samba_domtrans_winbind_helper(httpd_t)
@@ -522,6 +533,11 @@ tunable_policy(`httpd_can_network_connect',`
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_mssql_port(httpd_t)
+	corenet_sendrecv_mssql_client_packets(httpd_t)
+')
+
 tunable_policy(`httpd_can_network_memcache',`
 	corenet_tcp_connect_memcache_port(httpd_t)
 ')
@@ -541,6 +557,12 @@ tunable_policy(`httpd_can_network_relay',`
 	corenet_sendrecv_squid_client_packets(httpd_t)
 ')
 
+tunable_policy(`httpd_execmem',`
+	allow httpd_t self:process { execmem execstack };
+	allow httpd_sys_script_t self:process { execmem execstack };
+	allow httpd_suexec_t self:process { execmem execstack };
+')
+
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
 	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
@@ -575,10 +597,6 @@ tunable_policy(`httpd_enable_ftp_server',`
 	corenet_tcp_bind_ftp_port(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_user_home_content_files(httpd_t)
-')
-
 tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
 	can_exec(httpd_t, httpd_tmp_t)
 ')
@@ -732,12 +750,6 @@ optional_policy(`
 	rpc_search_nfs_state_data(httpd_t)
 ')
 
-tunable_policy(`httpd_execmem',`
-	allow httpd_t self:process { execmem execstack };
-	allow httpd_sys_script_t self:process { execmem execstack };
-	allow httpd_suexec_t self:process { execmem execstack };
-') 
-
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
@@ -745,7 +757,6 @@ optional_policy(`
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		postgresql_tcp_connect(httpd_t)
-		postgresql_tcp_connect(httpd_sys_script_t)
 	')
 ')
 
@@ -830,28 +841,27 @@ libs_exec_lib_files(httpd_php_t)
 userdom_use_unpriv_users_fds(httpd_php_t)
 
 tunable_policy(`httpd_can_network_connect_db',`
-	corenet_tcp_connect_mysqld_port(httpd_t)
+	corenet_tcp_connect_mssql_port(httpd_php_t)
-	corenet_sendrecv_mysqld_client_packets(httpd_t)
+	corenet_sendrecv_mssql_client_packets(httpd_php_t)
-	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
-	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_mysqld_port(httpd_suexec_t)
-	corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
-
-	corenet_tcp_connect_mssql_port(httpd_t)
-	corenet_sendrecv_mssql_client_packets(httpd_t)
-	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
-	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_mssql_port(httpd_suexec_t)
-	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 ')
 
 optional_policy(`
 	mysql_stream_connect(httpd_php_t)
+	mysql_rw_db_sockets(httpd_php_t)
 	mysql_read_config(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_php_t)
+	')
 ')
 
 optional_policy(`
 	postgresql_stream_connect(httpd_php_t)
+	postgresql_unpriv_client(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_php_t)
+	')
 ')
 
 ########################################
@@ -877,6 +887,10 @@ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
 can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
 
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
@@ -917,11 +931,13 @@ tunable_policy(`httpd_can_network_connect',`
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
 
-read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+tunable_policy(`httpd_can_network_connect_db',`
-read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	corenet_tcp_connect_mssql_port(httpd_suexec_t)
-read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+')
 
 domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_sys_script_t httpdcontent:file entrypoint;
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
@@ -930,9 +946,6 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 ')
-tunable_policy(`httpd_enable_cgi',`
-	domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
-')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_suexec_t)
@@ -961,6 +974,19 @@ optional_policy(`
 	mysql_stream_connect(httpd_suexec_t)
 	mysql_rw_db_sockets(httpd_suexec_t)
 	mysql_read_config(httpd_suexec_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_suexec_t)
+	')
+')
+
+optional_policy(`
+	postgresql_stream_connect(httpd_suexec_t)
+	postgresql_unpriv_client(httpd_suexec_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_suexec_t)
+	')
 ')
 
 ########################################
@@ -1007,6 +1033,11 @@ optional_policy(`
 	')
 ')
 
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+')
+
 fs_cifs_entry_type(httpd_sys_script_t)
 fs_read_iso9660_files(httpd_sys_script_t)
 fs_nfs_entry_type(httpd_sys_script_t)
@@ -1042,7 +1073,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_user_home_content_files(httpd_sys_script_t)
+	userdom_search_user_home_dirs(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -1050,6 +1081,10 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
+tunable_policy(`httpd_read_user_content',`
+	userdom_read_user_home_content_files(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_use_cifs',`
 	fs_manage_cifs_dirs(httpd_sys_script_t)
 	fs_manage_cifs_files(httpd_sys_script_t)
@@ -1073,10 +1108,19 @@ optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
 	mysql_read_config(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 optional_policy(`
 	postgresql_stream_connect(httpd_sys_script_t)
+	postgresql_unpriv_client(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 ########################################
@@ -1136,19 +1180,7 @@ tunable_policy(`httpd_enable_homedirs',`
 ')
 
 tunable_policy(`httpd_read_user_content',`
-	userdom_read_user_home_content_files(httpd_user_script_t)
-	userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
 	userdom_read_user_home_content_files(httpd_t)
+	userdom_read_user_home_content_files(httpd_suexec_t)
+	userdom_read_user_home_content_files(httpd_user_script_t)
 ')
-
-# Removal of fastcgi, will cause problems without the following
-typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
-typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
-typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
-typealias httpd_sys_ra_content_t   alias httpd_fastcgi_script_ra_t;
-typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
-typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
-

policy/modules/services/apcupsd.if

@@ -140,10 +140,8 @@ interface(`apcupsd_cgi_script_domtrans',`
 #
 interface(`apcupsd_admin',`
 	gen_require(`
-		type apcupsd_t, apcupsd_tmp_t;
+		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
-		type apcupsd_log_t, apcupsd_lock_t;
+		type apcupsd_lock_t, apcupsd_var_run_t, apcupsd_initrc_exec_t;
-		type apcupsd_var_run_t;
-		type apcupsd_initrc_exec_t;
 	')
 
 	allow $1 apcupsd_t:process { ptrace signal_perms };

policy/modules/services/apm.if

@@ -52,7 +52,7 @@ interface(`apm_write_pipes',`
 		type apmd_t;
 	')
 
-	allow $1 apmd_t:fifo_file write; 
+	allow $1 apmd_t:fifo_file write_fifo_file_perms; 
 ')
 
 ########################################
@@ -89,7 +89,7 @@ interface(`apm_append_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 apmd_log_t:file append;
+	allow $1 apmd_log_t:file append_file_perms;
 ')
 
 ########################################
@@ -108,6 +108,5 @@ interface(`apm_stream_connect',`
 	')
 
 	files_search_pids($1)
-	allow $1 apmd_var_run_t:sock_file write;
+	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
-	allow $1 apmd_t:unix_stream_socket connectto;
 ')

policy/modules/services/apm.te

@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
 #
 # Declarations
 #
+
 type apmd_t;
 type apmd_exec_t;
 init_daemon_domain(apmd_t, apmd_exec_t)

policy/modules/services/automount.if

@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`automount_signal',`
 	gen_require(`
 		type automount_t;
@@ -124,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
 		type automount_tmp_t;
 	')
 
-	dontaudit $1 automount_tmp_t:dir getattr;
+	dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
 ')
 
 ########################################

policy/modules/services/avahi.if

@@ -151,8 +151,7 @@ interface(`avahi_dontaudit_search_pid',`
 #
 interface(`avahi_admin',`
 	gen_require(`
-		type avahi_t, avahi_var_run_t;
+		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
-		type avahi_initrc_exec_t;
 	')
 
 	allow $1 avahi_t:process { ptrace signal_perms };

policy/modules/services/avahi.te

@@ -40,7 +40,7 @@ files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
 manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
-allow avahi_t avahi_var_run_t:dir setattr;
+allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
 files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
 
 kernel_read_system_state(avahi_t)

policy/modules/services/bind.if

@@ -186,7 +186,7 @@ interface(`bind_write_config',`
 	')
 
 	write_files_pattern($1, named_conf_t, named_conf_t)
-	allow $1 named_conf_t:file setattr;
+	allow $1 named_conf_t:file setattr_file_perms;
 ')
 
 ########################################
@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
 		type named_var_run_t;
 	')
 
-	allow $1 named_var_run_t:dir setattr;
+	allow $1 named_var_run_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
 		type named_zone_t;
 	')
 
-	allow $1 named_zone_t:dir setattr;
+	allow $1 named_zone_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -380,10 +380,9 @@ interface(`bind_udp_chat_named',`
 interface(`bind_admin',`
 	gen_require(`
 		type named_t, named_tmp_t, named_log_t;
-		type named_conf_t, named_var_run_t;
+		type named_conf_t, named_var_run_t, named_cache_t;
-		type named_cache_t, named_zone_t;
+		type named_zone_t, named_initrc_exec_t;
 		type dnssec_t, ndc_t, named_keytab_t;
-		type named_initrc_exec_t;
 	')
 
 	allow $1 named_t:process { ptrace signal_perms };

policy/modules/services/bind.te

@@ -202,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
 allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow ndc_t dnssec_t:file read_file_perms;
-allow ndc_t dnssec_t:lnk_file { getattr read };
+allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
 
 stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
 
 allow ndc_t named_conf_t:file read_file_perms;
-allow ndc_t named_conf_t:lnk_file { getattr read };
+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
 
 allow ndc_t named_zone_t:dir search_dir_perms;
 
@@ -245,7 +245,7 @@ term_dontaudit_use_console(ndc_t)
 
 # for /etc/rndc.key
 ifdef(`distro_redhat',`
-	allow ndc_t named_conf_t:dir search;
+	allow ndc_t named_conf_t:dir search_dir_perms;
 ')
 
 optional_policy(`

policy/modules/services/bitlbee.te

@@ -26,7 +26,7 @@ files_type(bitlbee_var_t)
 #
 # Local policy
 #
-#
+
 allow bitlbee_t self:capability { setgid setuid };
 
 allow bitlbee_t self:udp_socket create_socket_perms;

policy/modules/services/bluetooth.if

@@ -14,6 +14,7 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bluetooth_role',`
 	gen_require(`
@@ -27,7 +28,7 @@ interface(`bluetooth_role',`
 
 	# allow ps to show cdrecord and allow the user to kill it
 	ps_process_pattern($2, bluetooth_helper_t)
-	allow $2 bluetooth_helper_t:process signal;
+	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
 
 	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
 	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',`
 		type bluetooth_conf_t;
 	')
 
-	allow $1 bluetooth_conf_t:file { getattr read ioctl };
+	allow $1 bluetooth_conf_t:file read_file_perms;
 ')
 
 ########################################
@@ -178,7 +179,7 @@ interface(`bluetooth_run_helper',`
 
 ########################################
 ## <summary>
-##	Read bluetooth helper state files.
+##	Do not audit attempts to read bluetooth helper state files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -191,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 		type bluetooth_helper_t;
 	')
 
-	dontaudit $1 bluetooth_helper_t:dir search;
+	dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
-	dontaudit $1 bluetooth_helper_t:file { read getattr };
+	dontaudit $1 bluetooth_helper_t:file read_file_perms;
 ')
 
 ########################################
@@ -215,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 interface(`bluetooth_admin',`
 	gen_require(`
 		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
-		type bluetooth_var_lib_t, bluetooth_var_run_t;
+		type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
 		type bluetooth_conf_t, bluetooth_conf_rw_t;
-		type bluetooth_initrc_exec_t;
 	')
 
 	allow $1 bluetooth_t:process { ptrace signal_perms };

policy/modules/services/bluetooth.te

@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
 #
 # Declarations
 #
+
 type bluetooth_t;
 type bluetooth_exec_t;
 init_daemon_domain(bluetooth_t, bluetooth_exec_t)

policy/modules/services/boinc.if

@@ -1,4 +1,3 @@
-
 ## <summary>policy for boinc</summary>
 
 ########################################
@@ -110,6 +109,7 @@ interface(`boinc_manage_var_lib',`
 		type boinc_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
 	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
 	manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
@@ -134,8 +134,7 @@ interface(`boinc_manage_var_lib',`
 #
 interface(`boinc_admin',`
 	gen_require(`
-		type boinc_t, boinc_initrc_exec_t;
+		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
-		type boinc_var_lib_t;
 	')
 
 	allow $1 boinc_t:process { ptrace signal_perms };

policy/modules/services/boinc.te

@@ -27,6 +27,9 @@ role system_r types boinc_project_t;
 
 permissive boinc_project_t;
 
+type boinc_project_tmp_t;
+files_tmp_file(boinc_project_tmp_t)
+
 type boinc_project_var_lib_t;
 files_type(boinc_project_var_lib_t)
 
@@ -54,7 +57,7 @@ fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file)
 exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
 manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
 manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
 
 manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
@@ -120,6 +123,10 @@ allow boinc_project_t self:process { execmem execstack };
 
 allow boinc_project_t self:fifo_file rw_fifo_file_perms;
 
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
+
 allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
 exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
@@ -129,7 +136,7 @@ files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
 allow boinc_project_t boinc_project_var_lib_t:file execmod;
 
 allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
 
 list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
@@ -144,10 +151,16 @@ corecmd_exec_shell(boinc_project_t)
 
 corenet_tcp_connect_boinc_port(boinc_project_t)
 
+dev_read_rand(boinc_project_t)
 dev_read_urand(boinc_project_t)
+dev_read_sysfs(boinc_project_t)
 dev_rw_xserver_misc(boinc_project_t)
 
 files_read_etc_files(boinc_project_t)
 
+miscfiles_read_fonts(boinc_project_t)
 miscfiles_read_localization(boinc_project_t)
 
+optional_policy(`
+	java_exec(boinc_project_t)
+')

policy/modules/services/bugzilla.if

@@ -57,10 +57,9 @@ interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
 #
 interface(`bugzilla_admin',`
 	gen_require(`
-		type httpd_bugzilla_script_t;
+		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
-		type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+		type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t;
-		type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
+		type httpd_bugzilla_htaccess_t;
-		type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
 	')
 
 	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
@@ -69,9 +68,9 @@ interface(`bugzilla_admin',`
 	files_list_tmp($1)
 	admin_pattern($1, httpd_bugzilla_tmp_t)
 
-	files_search_var_lib(httpd_bugzilla_script_t)
+	files_list_var_lib(httpd_bugzilla_script_t)
 
-	apache_search_sys_content($1)
+	apache_list_sys_content($1)
 	admin_pattern($1, httpd_bugzilla_script_exec_t)
 	admin_pattern($1, httpd_bugzilla_script_t)
 	admin_pattern($1, httpd_bugzilla_content_t)

policy/modules/services/bugzilla.te

@@ -53,4 +53,3 @@ optional_policy(`
 optional_policy(`
 	postgresql_stream_connect(httpd_bugzilla_script_t)
 ')
-

policy/modules/services/cachefilesd.if

@@ -14,7 +14,6 @@
 #
 # Define the policy interface for the CacheFiles userspace management daemon.
 #
-
 ## <summary>policy for cachefilesd</summary>
 
 ########################################
@@ -32,10 +31,5 @@ interface(`cachefilesd_domtrans',`
 		type cachefilesd_t, cachefilesd_exec_t;
 	')
 
-	domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
+	domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
-
-	allow $1 cachefilesd_t:fd use;
-	allow cachefilesd_t $1:fd use;
-	allow cachefilesd_t $1:fifo_file rw_file_perms;
-	allow cachefilesd_t $1:process sigchld;
 ')

policy/modules/services/cachefilesd.te

@@ -42,7 +42,6 @@ dev_node(cachefiles_dev_t)
 #
 type cachefilesd_t;
 type cachefilesd_exec_t;
-domain_type(cachefilesd_t)
 init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
 
 #
@@ -80,21 +79,10 @@ rpm_use_script_fds(cachefilesd_t)
 #
 allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
 
-# Basic access
-files_read_etc_files(cachefilesd_t)
-libs_use_ld_so(cachefilesd_t)
-libs_use_shared_libs(cachefilesd_t)
-miscfiles_read_localization(cachefilesd_t)
-logging_send_syslog_msg(cachefilesd_t)
-init_dontaudit_use_script_ptys(cachefilesd_t)
-term_dontaudit_use_generic_ptys(cachefilesd_t)
-term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-
 # Allow manipulation of pid file
 allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
 manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
 manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
-files_pid_file(cachefilesd_var_run_t)
 files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
 files_create_as_is_all_files(cachefilesd_t)
 
@@ -102,12 +90,20 @@ files_create_as_is_all_files(cachefilesd_t)
 allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
 
 # Allow access to cache superstructure
-allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
+allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
-allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
 
 # Permit statfs on the backing filesystem
 fs_getattr_xattr_fs(cachefilesd_t)
 
+# Basic access
+files_read_etc_files(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
 ###############################################################################
 #
 # When cachefilesd invokes the kernel module to begin caching, it has to tell
@@ -136,7 +132,6 @@ allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
 # cache.
 #
 allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
-allow cachefiles_kernel_t initrc_t:process sigchld;
 
 manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
 manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
@@ -144,3 +139,5 @@ manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
 fs_getattr_xattr_fs(cachefiles_kernel_t)
 
 dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)

policy/modules/services/canna.te

@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
 allow canna_t self:tcp_socket create_stream_socket_perms;
 
 manage_files_pattern(canna_t, canna_log_t, canna_log_t)
-allow canna_t canna_log_t:dir setattr;
+allow canna_t canna_log_t:dir setattr_dir_perms;
 logging_log_filetrans(canna_t, canna_log_t, { file dir })
 
 manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)

policy/modules/services/ccs.te

@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
 
-allow ccs_t ccs_var_log_t:dir setattr;
+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })

policy/modules/services/certmaster.if

@@ -108,7 +108,7 @@ interface(`certmaster_manage_log',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	The role to be allowed to manage the syslog domain.
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',`
 interface(`certmaster_admin',`
 	gen_require(`
 		type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
-		type certmaster_etc_rw_t, certmaster_var_log_t;
+		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
-		type certmaster_initrc_exec_t;
 	')
 
 	allow $1 certmaster_t:process { ptrace signal_perms };

policy/modules/services/certmonger.if

@@ -166,9 +166,9 @@ interface(`certmonger_admin',`
 	role_transition $2 certmonger_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, certmonger_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, certmonger_var_run_t)
 ')

policy/modules/services/cgroup.if

@@ -182,10 +182,10 @@ interface(`cgroup_admin',`
 
 	admin_pattern($1, cgconfig_etc_t)
 	admin_pattern($1, cgrules_etc_t)
-	files_search_etc($1)
+	files_list_etc($1)
 
 	admin_pattern($1, cgred_var_run_t)
-	files_search_pids($1)
+	files_list_pids($1)
 
 	cgroup_initrc_domtrans_cgconfig($1)
 	domain_system_change_exemption($1)

policy/modules/services/chronyd.if

@@ -25,7 +25,7 @@ interface(`chronyd_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
@@ -151,10 +151,9 @@ interface(`chronyd_append_keys',`
 #
 interface(`chronyd_admin',`
 	gen_require(`
-		type chronyd_t, chronyd_var_log_t;
+		type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
-		type chronyd_var_run_t, chronyd_var_lib_t;
+		type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
-		type chronyd_tmpfs_t;
+		type chronyd_keys_t;
-		type chronyd_initrc_exec_t, chronyd_keys_t;
 	')
 
 	allow $1 chronyd_t:process { ptrace signal_perms };
@@ -165,16 +164,16 @@ interface(`chronyd_admin',`
 	role_transition $2 chronyd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, chronyd_keys_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, chronyd_var_log_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, chronyd_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, chronyd_var_run_t)
 
 	admin_pattern($1, chronyd_tmpfs_t)

policy/modules/services/clamav.if

@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
 		type clamd_t, clamd_var_run_t;
 	')
 
+	files_search_pids($1)
 	stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
 ')
 
@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
 interface(`clamav_admin',`
 	gen_require(`
 		type clamd_t, clamd_etc_t, clamd_tmp_t;
-		type clamd_var_log_t, clamd_var_lib_t;
+		type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
-		type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+		type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
-		type clamd_initrc_exec_t;
 		type freshclam_t, freshclam_var_log_t;
 	')
 

policy/modules/services/clamav.te

@@ -182,7 +182,7 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
 
 # log files (own logfiles only)
 manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
-allow freshclam_t freshclam_var_log_t:dir setattr;
+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
 read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
 
@@ -220,16 +220,16 @@ clamav_stream_connect(freshclam_t)
 
 userdom_stream_connect(freshclam_t)
 
-optional_policy(`
-	cron_system_entry(freshclam_t, freshclam_exec_t)
-')
-
 tunable_policy(`clamd_use_jit',`
 	allow freshclam_t self:process execmem;
 ',`
 	dontaudit freshclam_t self:process execmem;
 ')
 
+optional_policy(`
+	cron_system_entry(freshclam_t, freshclam_exec_t)
+')
+
 ########################################
 #
 # clamscam local policy

policy/modules/services/clogd.te

@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t)
 
 allow clogd_t self:capability { net_admin mknod };
 allow clogd_t self:process signal;
-
 allow clogd_t self:sem create_sem_perms;
 allow clogd_t self:shm create_shm_perms;
 allow clogd_t self:netlink_socket create_socket_perms;
@@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file })
 # pid files
 manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
 manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
-files_pid_filetrans(clogd_t, clogd_var_run_t, { file })
+files_pid_filetrans(clogd_t, clogd_var_run_t, file)
 
 dev_read_lvm_control(clogd_t)
 dev_manage_generic_blk_files(clogd_t)

policy/modules/services/cmirrord.if

@@ -1,4 +1,3 @@
-
 ## <summary>policy for cmirrord</summary>
 
 ########################################
@@ -68,8 +67,7 @@ interface(`cmirrord_read_pid_files',`
 #
 interface(`cmirrord_rw_shm',`
 	gen_require(`
-                type cmirrord_t;
+		type cmirrord_t, cmirrord_tmpfs_t;
-		type cmirrord_tmpfs_t;
 	')
 
 	allow $1 cmirrord_t:shm { rw_shm_perms destroy };
@@ -99,9 +97,7 @@ interface(`cmirrord_rw_shm',`
 #
 interface(`cmirrord_admin',`
 	gen_require(`
-		type cmirrord_t;
+		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
-		type cmirrord_initrc_exec_t;
-                type cmirrord_var_run_t;
 	')
 
 	allow $1 cmirrord_t:process { ptrace signal_perms };
@@ -112,7 +108,6 @@ interface(`cmirrord_admin',`
 	role_transition $2 cmirrord_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, cmirrord_var_run_t)
-
 ')

policy/modules/services/cmirrord.te

@@ -26,9 +26,7 @@ files_pid_file(cmirrord_var_run_t)
 allow cmirrord_t self:capability { net_admin kill };
 dontaudit cmirrord_t self:capability sys_tty_config;
 allow cmirrord_t self:process signal;
-
 allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-
 allow cmirrord_t self:sem create_sem_perms;
 allow cmirrord_t self:shm create_shm_perms;
 allow cmirrord_t self:netlink_socket create_socket_perms;
@@ -40,7 +38,7 @@ fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
 
 manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
 manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
-files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
 
 domain_use_interactive_fds(cmirrord_t)
 

policy/modules/services/cobbler.if

@@ -153,7 +153,7 @@ interface(`cobbler_manage_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -185,25 +185,23 @@ interface(`cobbler_dontaudit_rw_log',`
 interface(`cobblerd_admin',`
 	gen_require(`
 		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-		type cobbler_etc_t, cobblerd_initrc_exec_t;
+		type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-		type httpd_cobbler_content_t;
+		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
-		type httpd_cobbler_content_ra_t;
-		type httpd_cobbler_content_rw_t;
 	')
 
 	allow $1 cobblerd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, cobblerd_t)
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, cobbler_etc_t)
 
 	files_list_var_lib($1)
 	admin_pattern($1, cobbler_var_lib_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, cobbler_var_log_t)
 
-	apache_search_sys_content($1)
+	apache_list_sys_content($1)
 	admin_pattern($1, httpd_cobbler_content_t)
 	admin_pattern($1, httpd_cobbler_content_ra_t)
 	admin_pattern($1, httpd_cobbler_content_rw_t)

policy/modules/services/corosync.if

@@ -24,7 +24,7 @@ interface(`corosync_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##      Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #

policy/modules/services/corosync.te

@@ -92,10 +92,6 @@ userdom_delete_user_tmpfs_files(corosync_t)
 userdom_rw_user_tmpfs_files(corosync_t)
 
 optional_policy(`
-	gen_require(`
-		attribute unconfined_services;
-	')	
-
 	fs_manage_tmpfs_files(corosync_t)
 	init_manage_script_status_files(corosync_t)
 ')

policy/modules/services/courier.if

@@ -138,6 +138,7 @@ interface(`courier_read_config',`
 		type courier_etc_t;
 	')
 
+	files_search_etc($1)
 	read_files_pattern($1, courier_etc_t, courier_etc_t)
 ')
 
@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
 		type courier_spool_t;
 	')
 
+	files_search_spool($1)
 	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
 		type courier_spool_t;
 	')
 
+	files_search_spool($1)
 	manage_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
 		type courier_spool_t;
 	')
 
+	files_search_spool($1)
 	read_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 

policy/modules/services/courier.te

@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 
 # inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
 
 miscfiles_read_localization(courier_pop_t)
 

policy/modules/services/cron.if

@@ -52,7 +52,7 @@ template(`cron_common_crontab_template',`
 	files_list_spool($1_t)
 
 	# crontab signals crond by updating the mtime on the spooldir
-	allow $1_t cron_spool_t:dir setattr;
+	allow $1_t cron_spool_t:dir setattr_dir_perms;
 
 	kernel_read_system_state($1_t)
 
@@ -113,12 +113,12 @@ template(`cron_common_crontab_template',`
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_role',`
 	gen_require(`
 		type cronjob_t, crontab_t, crontab_exec_t;
-		type user_cron_spool_t;
+		type user_cron_spool_t, crond_t;
-		type crond_t;
 	')
 
 	role $1 types { cronjob_t crontab_t };
@@ -138,7 +138,7 @@ interface(`cron_role',`
 
 	# crontab shows up in user ps
 	ps_process_pattern($2, crontab_t)
-	allow $2 crontab_t:process signal;
+	allow $2 crontab_t:process { ptrace signal_perms };
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(crontab_t, $2)
@@ -152,7 +152,6 @@ interface(`cron_role',`
 		')
 
 		dbus_stub(cronjob_t)
-
 		allow cronjob_t $2:dbus send_msg;
 	')
 ')
@@ -171,6 +170,7 @@ interface(`cron_role',`
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
@@ -181,6 +181,7 @@ interface(`cron_unconfined_role',`
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
+	allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
 
 	optional_policy(`
 		gen_require(`
@@ -188,7 +189,6 @@ interface(`cron_unconfined_role',`
 		')
 
 		dbus_stub(unconfined_cronjob_t)
-
 		allow unconfined_cronjob_t $2:dbus send_msg;
 	')
 ')
@@ -207,6 +207,7 @@ interface(`cron_unconfined_role',`
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_admin_role',`
 	gen_require(`
@@ -227,7 +228,7 @@ interface(`cron_admin_role',`
 
 	# crontab shows up in user ps
 	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
+	allow $2 admin_crontab_t:process { ptrace signal_perms };
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(admin_crontab_t, $2)
@@ -241,7 +242,6 @@ interface(`cron_admin_role',`
 		')
 
 		dbus_stub(admin_cronjob_t)
-
 		allow cronjob_t $2:dbus send_msg;
 	')
 ')
@@ -311,7 +311,7 @@ interface(`cron_exec',`
 
 ########################################
 ## <summary>
-##	Execute crond server in the nscd domain.
+##	Execute crond server in the crond domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -524,6 +524,7 @@ interface(`cron_manage_pid_files',`
 		type crond_var_run_t;
 	')
 
+	files_search_pids($1)
 	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
 ')
 
@@ -579,7 +580,7 @@ interface(`cron_write_system_job_pipes',`
 		type system_cronjob_t;
 	')
 
-	allow $1 system_cronjob_t:file write;
+	allow $1 system_cronjob_t:fifo_file write;
 ')
 
 ########################################
@@ -695,7 +696,7 @@ interface(`cron_read_system_job_lib_files',`
 		type system_cronjob_var_lib_t;
 	')
 
-
+	files_search_var_lib($1)
 	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 ')
 
@@ -714,6 +715,6 @@ interface(`cron_manage_system_job_lib_files',`
 		type system_cronjob_var_lib_t;
 	')
 
-
+	files_search_var_lib($1)
 	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 ')

policy/modules/services/cron.te

@@ -99,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
 type system_cronjob_tmp_t alias system_crond_tmp_t;
 files_tmp_file(system_cronjob_tmp_t)
 
-ifdef(`enable_mcs',`
-	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-')
-
 type unconfined_cronjob_t;
 domain_type(unconfined_cronjob_t)
 domain_cron_exemption_target(unconfined_cronjob_t)
@@ -122,13 +118,17 @@ typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
 type system_cronjob_var_run_t;
 files_pid_file(system_cronjob_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Admin crontab local policy
 #
 
 # Allow our crontab domain to unlink a user cron spool file.
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
 
 # Manipulate other users crontab.
 selinux_get_fs_mount(admin_crontab_t)
@@ -263,6 +263,10 @@ tunable_policy(`allow_polyinstantiation',`
 	files_polyinstantiate_all(crond_t)
 ')
 
+tunable_policy(`fcron_crond',`
+	allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
 optional_policy(`
 	apache_search_sys_content(crond_t)
 ')
@@ -287,10 +291,6 @@ optional_policy(`
 	mono_domtrans(crond_t)
 ')
 
-tunable_policy(`fcron_crond', `
-	allow crond_t system_cron_spool_t:file manage_file_perms;
-')
-
 optional_policy(`
 	amanda_search_var_lib(crond_t)
 ')
@@ -351,7 +351,7 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
 # This is to handle /var/lib/misc directory.  Used currently
 # by prelink var/lib files for cron 
-allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
 allow system_cronjob_t cron_var_run_t:file manage_file_perms;

policy/modules/services/cups.if

@@ -316,12 +316,10 @@ interface(`cups_stream_connect_ptal',`
 interface(`cups_admin',`
 	gen_require(`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-		type cupsd_etc_t, cupsd_log_t;
+		type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
-		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+		type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
-		type cupsd_var_run_t, ptal_etc_t;
+		type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
-		type ptal_var_run_t, hplip_var_run_t;
+		type ptal_var_run_t;
-		type cupsd_initrc_exec_t;
-		type hplip_etc_t;
 	')
 
 	allow $1 cupsd_t:process { ptrace signal_perms };

policy/modules/services/cups.te

@@ -149,7 +149,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 
-allow cupsd_t cupsd_var_run_t:dir setattr;
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-allow cupsd_t ptal_var_run_t : sock_file setattr;
+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 
 kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
@@ -609,10 +609,6 @@ userdom_dontaudit_search_admin_dir(cups_pdf_t)
 
 lpd_manage_spool(cups_pdf_t)
 
-optional_policy(`
-	gnome_read_config(cups_pdf_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_search_auto_mountpoints(cups_pdf_t)
 	fs_manage_nfs_dirs(cups_pdf_t)
@@ -624,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_files(cups_pdf_t)
 ')
 
+optional_policy(`
+	gnome_read_config(cups_pdf_t)
+')
+
 ########################################
 #
 # HPLIP local policy

policy/modules/services/cvs.if

@@ -58,9 +58,8 @@ interface(`cvs_exec',`
 #
 interface(`cvs_admin',`
 	gen_require(`
-		type cvs_t, cvs_tmp_t;
+		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
 		type cvs_data_t, cvs_var_run_t;
-		type cvs_initrc_exec_t;
 	')
 
 	allow $1 cvs_t:process { ptrace signal_perms };

policy/modules/services/cvs.te

@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
 # Local policy
 #
 
+allow cvs_t self:capability { setuid setgid };
 allow cvs_t self:process signal_perms;
 allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cvs_t self:capability { setuid setgid };
 
 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)

policy/modules/services/dbus.if

@@ -41,9 +41,7 @@ interface(`dbus_stub',`
 template(`dbus_role_template',`
 	gen_require(`
 		class dbus { send_msg acquire_svc };
-
+		attribute dbusd_unconfined, session_bus_type;
-		attribute dbusd_unconfined;
-		attribute session_bus_type;
 		type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
 		type $1_t;
 	')
@@ -90,14 +88,15 @@ template(`dbus_role_template',`
 	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
 
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-	allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+	ps_process_pattern($3, $1_dbusd_t)
+	allow $3 $1_dbusd_t:process { ptrace signal_perms };
 
 	# cjp: this seems very broken
 	corecmd_bin_domtrans($1_dbusd_t, $1_t)
 	allow $1_dbusd_t $3:process sigkill;
 	allow $3 $1_dbusd_t:fd use;
 	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-	allow $3 $1_dbusd_t:process sigchld;
 
 	kernel_read_system_state($1_dbusd_t)
 	kernel_read_kernel_sysctls($1_dbusd_t)
@@ -520,6 +519,6 @@ interface(`dbus_delete_pid_files',`
 		type system_dbusd_var_run_t;
 	')
 
+	files_search_pids($1)
 	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 ')
-

policy/modules/services/dcc.if

@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
 		type dcc_var_t, dccifd_var_run_t, dccifd_t;
 	')
 
-	files_search_var($1)
+	files_search_pids($1)
 	stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
 ')

policy/modules/services/ddclient.if

@@ -64,8 +64,8 @@ interface(`ddclient_run',`
 interface(`ddclient_admin',`
 	gen_require(`
 		type ddclient_t, ddclient_etc_t, ddclient_log_t;
-		type ddclient_var_t, ddclient_var_lib_t;
+		type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
-		type ddclient_var_run_t, ddclient_initrc_exec_t;
+		type ddclient_var_run_t;
 	')
 
 	allow $1 ddclient_t:process { ptrace signal_perms };

policy/modules/services/denyhosts.if

@@ -59,6 +59,7 @@ interface(`denyhosts_initrc_domtrans', `
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`denyhosts_admin',`
 	gen_require(`
@@ -74,12 +75,12 @@ interface(`denyhosts_admin', `
 	role_transition $2 denyhosts_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, denyhosts_var_lib_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, denyhosts_var_log_t)
 
-	files_search_locks($1)
+	files_list_locks($1)
 	admin_pattern($1, denyhosts_var_lock_t)
 ')

policy/modules/services/devicekit.if

@@ -147,16 +147,6 @@ interface(`devicekit_read_pid_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the devicekit domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`devicekit_admin',`
@@ -175,11 +165,11 @@ interface(`devicekit_admin',`
 	ps_process_pattern($1, devicekit_power_t)
 
 	admin_pattern($1, devicekit_tmp_t)
-	files_search_tmp($1)
+	files_list_tmp($1)
 
 	admin_pattern($1, devicekit_var_lib_t)
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 
 	admin_pattern($1, devicekit_var_run_t)
-	files_search_pids($1)
+	files_list_pids($1)
 ')

policy/modules/services/devicekit.te

@@ -309,4 +309,3 @@ optional_policy(`
 optional_policy(`
 	vbetool_domtrans(devicekit_power_t)
 ')
-

policy/modules/services/dhcp.if

@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
 	')
 
 	sysnet_search_dhcp_state($1)
-	allow $1 dhcpd_state_t:file setattr;
+	allow $1 dhcpd_state_t:file setattr_file_perms;
 ')
 
 ########################################

policy/modules/services/djbdns.te

@@ -23,11 +23,6 @@ djbdns_daemontools_domain_template(tinydns)
 # Local policy for axfrdns component
 #
 
-files_config_file(djbdns_axfrdns_conf_t)
-
-daemontools_ipc_domain(djbdns_axfrdns_t)
-daemontools_read_svc(djbdns_axfrdns_t)
-
 allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
 
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
@@ -41,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
 
 files_search_var(djbdns_axfrdns_t)
 
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
 ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
 
 ########################################

policy/modules/services/dnsmasq.if

@@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_delete_pid_files',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 
@@ -169,6 +169,7 @@ interface(`dnsmasq_read_pid_files',`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 

policy/modules/services/dovecot.if

@@ -9,13 +9,13 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`dovecot_stream_connect_auth',`
 	gen_require(`
 		type dovecot_auth_t, dovecot_var_run_t;
 	')
 
+	files_search_pids($1)
 	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
 ')
 
@@ -52,6 +52,7 @@ interface(`dovecot_manage_spool',`
 		type dovecot_spool_t;
 	')
 
+	files_search_spool($1)
 	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
@@ -94,13 +95,9 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 interface(`dovecot_admin',`
 	gen_require(`
 		type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
-		type dovecot_spool_t, dovecot_var_lib_t;
+		type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
-		type dovecot_var_run_t, dovecot_tmp_t;
+		type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
-		type dovecot_var_log_t;
+		type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
-
-		type dovecot_cert_t, dovecot_passwd_t;
-		type dovecot_initrc_exec_t;
-		type dovecot_keytab_t;
 	')
 
 	allow $1 dovecot_t:process { ptrace signal_perms };

policy/modules/services/exim.if

@@ -24,7 +24,7 @@ interface(`exim_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
@@ -243,15 +243,15 @@ interface(`exim_admin', `
 	role_transition $2 exim_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, exim_log_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, exim_tmp_t)
 
-	files_search_spool($1)
+	files_list_spool($1)
 	admin_pattern($1, exim_spool_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, exim_var_run_t)
 ')

policy/modules/services/fail2ban.if

@@ -175,8 +175,8 @@ interface(`fail2ban_dontaudit_leaks',`
 #
 interface(`fail2ban_admin',`
 	gen_require(`
-		type fail2ban_t, fail2ban_log_t;
+		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
-		type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+		type fail2ban_var_run_t;
 	')
 
 	allow $1 fail2ban_t:process { ptrace signal_perms };

policy/modules/services/fail2ban.te

@@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
 allow fail2ban_t self:tcp_socket create_stream_socket_perms;
 
 # log files
-allow fail2ban_t fail2ban_log_t:dir setattr;
+allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
 

policy/modules/services/fprintd.if

@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
 	allow $1 fprintd_t:dbus send_msg;
 	allow fprintd_t $1:dbus send_msg;
 ')
-

policy/modules/services/ftp.if

@@ -51,25 +51,6 @@ interface(`ftp_read_config',`
 	allow $1 ftpd_etc_t:file read_file_perms;
 ')
 
-########################################
-## <summary>
-##	Execute FTP daemon entry point programs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ftp_check_exec',`
-	gen_require(`
-		type ftpd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	allow $1 ftpd_exec_t:file { getattr execute };
-')
-
 ########################################
 ## <summary>
 ##	Read FTP transfer logs
@@ -171,9 +152,8 @@ interface(`ftp_dyntrans_sftpd',`
 interface(`ftp_admin',`
 	gen_require(`
 		type ftpd_t, ftpdctl_t, ftpd_tmp_t;
-		type ftpd_etc_t, ftpd_lock_t;
+		type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
 		type ftpd_var_run_t, xferlog_t;
-		type ftpd_initrc_exec_t;
 	')
 
 	allow $1 ftpd_t:process { ptrace signal_perms };

policy/modules/services/ftp.te

@@ -187,7 +187,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
 # it can stat the socket to perform access control decisions,
 # since getsockopt with SO_PEERCRED is not available on all
 # proftpd-supported OSs
-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 
 # Create and modify /var/log/xferlog.
 manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
@@ -349,8 +349,8 @@ optional_policy(`
 ')
 
 tunable_policy(`ftpd_connect_db',`
-	corenet_tcp_connect_mysqld_port(ftpd_t)
+	mysql_tcp_connect(ftpd_t)
-	corenet_tcp_connect_postgresql_port(ftpd_t)
+	postgresql_tcp_connect(ftpd_t)
 ')
 
 optional_policy(`
@@ -385,10 +385,11 @@ optional_policy(`
 
 # Allow ftpdctl to talk to ftpd over a socket connection
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+files_search_pids(ftpdctl_t)
 
 # ftpdctl creates a socket so that the daemon can perform
 # access control decisions (see comments in ftpd_t rules above)
-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
 
 # Allow ftpdctl to read config files
@@ -400,6 +401,7 @@ userdom_use_user_terminals(ftpdctl_t)
 #
 # sftpd local policy
 #
+
 files_read_etc_files(sftpd_t)
 
 # allow read access to /home by default

policy/modules/services/gatekeeper.te

@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
 allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
 allow gatekeeper_t self:udp_socket create_socket_perms;
 
-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
 allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
 files_search_etc(gatekeeper_t)
 

policy/modules/services/git.fc

@@ -1,4 +1,5 @@
 HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitaliases	--	gen_context(system_u:object_r:git_session_content_t,s0)
 HOME_DIR/\.gitconfig	--	gen_context(system_u:object_r:git_session_content_t,s0)
 
 /srv/git(/.*)?			gen_context(system_u:object_r:git_system_content_t,s0)

policy/modules/services/git.if

@@ -25,8 +25,7 @@
 #
 interface(`git_session_role',`
 	gen_require(`
-		type git_session_t, gitd_exec_t;
+		type git_session_t, gitd_exec_t, git_session_content_t;
-		type git_session_content_t;
 	')
 
 	########################################
@@ -59,10 +58,8 @@ interface(`git_session_role',`
 ## </param>
 #
 template(`git_content_template',`
-
 	gen_require(`
-		attribute git_system_content;
+		attribute git_system_content, git_content;
-		attribute git_content;
 	')
 
 	########################################
@@ -86,7 +83,6 @@ template(`git_content_template',`
 ## </param>
 #
 template(`git_role_template',`
-
 	gen_require(`
 		class context contains;
 		role system_r;
@@ -522,4 +518,3 @@ interface(`git_relabel_session_content',`
 	relabel_files_pattern($1, git_session_content_t, git_session_content_t)
 	userdom_search_user_home_dirs($1)
 ')
-

policy/modules/services/git.te

@@ -31,6 +31,7 @@ attribute git_system_content;
 attribute git_content;
 
 type gitd_exec_t;
+application_executable_file(gitd_exec_t)
 
 ########################################
 #
@@ -189,4 +190,3 @@ optional_policy(`
 
 git_role_template(git_shell)
 gen_user(git_shell_u, user, git_shell_r, s0, s0)
-

policy/modules/services/gnomeclock.if

@@ -71,7 +71,7 @@ interface(`gnomeclock_dbus_chat',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #

policy/modules/services/gpm.if

@@ -16,8 +16,8 @@ interface(`gpm_stream_connect',`
 		type gpmctl_t, gpm_t;
 	')
 
-	allow $1 gpmctl_t:sock_file rw_sock_file_perms;
+	dev_list_all_dev_nodes($1)
-	allow $1 gpm_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
 ')
 
 ########################################
@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file getattr;
+	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 		type gpmctl_t;
 	')
 
-	dontaudit $1 gpmctl_t:sock_file getattr;
+	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file setattr;
+	allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
 ')

policy/modules/services/hal.if

@@ -18,24 +18,6 @@ interface(`hal_domtrans',`
 	domtrans_pattern($1, hald_exec_t, hald_t)
 ')
 
-########################################
-## <summary>
-##	Get the attributes of a hal process.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`hal_getattr',`
-	gen_require(`
-		type hald_t;
-	')
-
-	allow $1 hald_t:process getattr;
-')
-
 ########################################
 ## <summary>
 ##	Read hal system state
@@ -464,9 +446,7 @@ interface(`hal_manage_pid_files',`
 #
 interface(`hal_dontaudit_leaks',`
 	gen_require(`
-		type hald_log_t;
+		type hald_log_t, hald_t, hald_var_run_t;
-		type hald_t;
-		type hald_var_run_t;
 	')
 
 	dontaudit $1 hald_t:fd use;

policy/modules/services/hddtemp.if

@@ -69,5 +69,5 @@ interface(`hddtemp_admin',`
 	allow $2 system_r;
 
 	admin_pattern($1, hddtemp_etc_t)
-	files_search_etc($1)
+	files_list_etc($1)
 ')

policy/modules/services/hddtemp.te

@@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t)
 logging_send_syslog_msg(hddtemp_t)
 
 miscfiles_read_localization(hddtemp_t)
-

policy/modules/services/icecast.if

@@ -183,7 +183,5 @@ interface(`icecast_admin',`
 	allow $2 system_r;
 
 	icecast_manage_pid_files($1)
-
 	icecast_manage_log($1)
-
 ')

policy/modules/services/ifplugd.if

@@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',`
 #
 interface(`ifplugd_admin',`
 	gen_require(`
-		type ifplugd_t, ifplugd_etc_t;
+		type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
-		type ifplugd_var_run_t, ifplugd_initrc_exec_t;
+		type ifplugd_initrc_exec_t;
 	')
 
 	allow $1 ifplugd_t:process { ptrace signal_perms };

policy/modules/services/inetd.if

@@ -55,7 +55,6 @@ interface(`inetd_core_service_domain',`
 ## </param>
 #
 interface(`inetd_tcp_service_domain',`
-
 	gen_require(`
 		type inetd_t;
 	')

policy/modules/services/inn.if

@@ -93,6 +93,7 @@ interface(`inn_read_config',`
 		type innd_etc_t;
 	')
 
+	files_search_etc($1)
 	allow $1 innd_etc_t:dir list_dir_perms;
 	allow $1 innd_etc_t:file read_file_perms;
 	allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
@@ -113,6 +114,7 @@ interface(`inn_read_news_lib',`
 		type innd_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	allow $1 innd_var_lib_t:dir list_dir_perms;
 	allow $1 innd_var_lib_t:file read_file_perms;
 	allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
 		type news_spool_t;
 	')
 
+	files_search_spool($1)
 	allow $1 news_spool_t:dir list_dir_perms;
 	allow $1 news_spool_t:file read_file_perms;
 	allow $1 news_spool_t:lnk_file read_lnk_file_perms;
@@ -195,8 +198,8 @@ interface(`inn_domtrans',`
 interface(`inn_admin',`
 	gen_require(`
 		type innd_t, innd_etc_t, innd_log_t;
-		type news_spool_t, innd_var_lib_t;
+		type news_spool_t, innd_var_lib_t, innd_var_run_t;
-		type innd_var_run_t, innd_initrc_exec_t;
+		type innd_initrc_exec_t;
 	')
 
 	allow $1 innd_t:process { ptrace signal_perms };

policy/modules/services/inn.te

@@ -4,6 +4,7 @@ policy_module(inn, 1.9.0)
 #
 # Declarations
 #
+
 type innd_t;
 type innd_exec_t;
 init_daemon_domain(innd_t, innd_exec_t)
@@ -30,6 +31,7 @@ files_mountpoint(news_spool_t)
 #
 # Local policy
 #
+
 allow innd_t self:capability { dac_override kill setgid setuid };
 dontaudit innd_t self:capability sys_tty_config;
 allow innd_t self:process { setsched signal_perms };
@@ -46,7 +48,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
 can_exec(innd_t, innd_exec_t)
 
 manage_files_pattern(innd_t, innd_log_t, innd_log_t)
-allow innd_t innd_log_t:dir setattr;
+allow innd_t innd_log_t:dir setattr_dir_perms;
 logging_log_filetrans(innd_t, innd_log_t, file)
 
 manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)

policy/modules/services/jabber.if

@@ -113,8 +113,7 @@ interface(`jabberd_manage_lib_files',`
 interface(`jabber_admin',`
 	gen_require(`
 		type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
-		type jabberd_var_run_t, jabberd_initrc_exec_t;
+		type jabberd_var_run_t, jabberd_initrc_exec_t, jabberd_router_t;
-		type jabberd_router_t;
 	')
 
 	allow $1 jabberd_t:process { ptrace signal_perms };

policy/modules/services/jabber.te

@@ -1,4 +1,3 @@
-
 policy_module(jabber, 1.8.0)
 
 ########################################

policy/modules/services/kerberos.if

@@ -69,8 +69,7 @@ interface(`kerberos_domtrans_kpropd',`
 #
 interface(`kerberos_use',`
 	gen_require(`
-		type krb5_conf_t, krb5kdc_conf_t;
+		type krb5_conf_t, krb5kdc_conf_t, krb5_host_rcache_t;
-		type krb5_host_rcache_t;
 	')
 
 	files_search_etc($1)
@@ -103,7 +102,7 @@ interface(`kerberos_use',`
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
 
-		allow $1 krb5_host_rcache_t:file getattr;
+		allow $1 krb5_host_rcache_t:file getattr_file_perms;
 	')
 
 	optional_policy(`
@@ -338,9 +337,8 @@ interface(`kerberos_admin',`
 		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
 		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
 		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
-		type krb5kdc_principal_t, krb5kdc_tmp_t;
+		type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
 		type krb5kdc_var_run_t, krb5_host_rcache_t;
-		type kpropd_t;
 	')
 
 	allow $1 kadmind_t:process { ptrace signal_perms };

policy/modules/services/kerberos.te

@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
 dontaudit kadmind_t krb5_conf_t:file write;
 
 read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
+dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
 
-allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
 
 allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
 filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
@@ -197,7 +197,7 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
 read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
 dontaudit krb5kdc_t krb5kdc_conf_t:file write;
 
-allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
 
 allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)

policy/modules/services/kerneloops.if

@@ -12,8 +12,7 @@
 #
 interface(`kerneloops_domtrans',`
 	gen_require(`
-		type kerneloops_t;
+		type kerneloops_t, kerneloops_exec_t;
-		type kerneloops_exec_t;
 	')
 
 	domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
@@ -99,8 +98,7 @@ interface(`kerneloops_manage_tmp_files',`
 #
 interface(`kerneloops_admin',`
 	gen_require(`
-		type kerneloops_t, kerneloops_initrc_exec_t;
+		type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
-		type kerneloops_tmp_t;
 	')
 
 	allow $1 kerneloops_t:process { ptrace signal_perms };
@@ -111,5 +109,6 @@ interface(`kerneloops_admin',`
 	role_transition $2 kerneloops_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_tmp($1)
 	admin_pattern($1, kerneloops_tmp_t)
 ')

policy/modules/services/ksmtuned.if

@@ -55,8 +55,7 @@ interface(`ksmtuned_initrc_domtrans',`
 #
 interface(`ksmtuned_admin',`
 	gen_require(`
-		type ksmtuned_t, ksmtuned_var_run_t;
+		type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
-		type ksmtuned_initrc_exec_t;
 	')
 
 	allow $1 ksmtuned_t:process { ptrace signal_perms };
@@ -70,5 +69,4 @@ interface(`ksmtuned_admin',`
 	domain_system_change_exemption($1)
 	role_transition $2 ksmtuned_initrc_exec_t system_r;
 	allow $2 system_r;
-
 ')

policy/modules/services/ksmtuned.te

@@ -49,4 +49,3 @@ mls_file_read_to_clearance(ksmtuned_t)
 term_use_all_terms(ksmtuned_t)
 
 miscfiles_read_localization(ksmtuned_t)
-

policy/modules/services/ldap.if

@@ -16,7 +16,6 @@ interface(`ldap_domtrans',`
 	')
 
 	domtrans_pattern($1, slapd_exec_t, slapd_t)
-
 ')
 
 #######################################
@@ -37,7 +36,6 @@ interface(`ldap_initrc_domtrans',`
 	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Read the contents of the OpenLDAP
@@ -189,6 +187,7 @@ interface(`ldap_admin',`
 
 	admin_pattern($1, slapd_lock_t)
 
+	files_list_var_lib($1)
 	admin_pattern($1, slapd_replog_t)
 
 	files_list_tmp($1)

policy/modules/services/likewise.if

@@ -63,7 +63,7 @@ template(`likewise_domain_template',`
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 
-	allow $1_t likewise_var_lib_t:dir setattr;
+	allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
 
 	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 	files_pid_filetrans($1_t, $1_var_run_t, file)

policy/modules/services/likewise.te

@@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
 # Likewise DC location service local policy
 #
 
-allow netlogond_t self:capability {dac_override};
+allow netlogond_t self:capability dac_override;
 
 manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
 

policy/modules/services/lircd.if

@@ -16,7 +16,6 @@ interface(`lircd_domtrans',`
 	')
 
 	domain_auto_trans($1, lircd_exec_t, lircd_t)
-
 ')
 
 ######################################
@@ -76,8 +75,8 @@ interface(`lircd_read_config',`
 #
 interface(`lircd_admin',`
 	gen_require(`
-		type lircd_t, lircd_var_run_t;
+		type lircd_t, lircd_var_run_t, lircd_etc_t;
-		type lircd_initrc_exec_t, lircd_etc_t;
+		type lircd_initrc_exec_t;
 	')
 
 	allow $1 lircd_t:process { ptrace signal_perms };
@@ -88,9 +87,9 @@ interface(`lircd_admin',`
 	role_transition $2 lircd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, lircd_etc_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, lircd_var_run_t)
 ')

policy/modules/services/lpd.if

@@ -14,6 +14,7 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`lpd_role',`
 	gen_require(`
@@ -27,7 +28,7 @@ interface(`lpd_role',`
 	dontaudit lpr_t $2:unix_stream_socket { read write };
 
 	ps_process_pattern($2, lpr_t)
-	allow $2 lpr_t:process signull;
+	allow $2 lpr_t:process { ptrace signal_perms };
 
 	optional_policy(`
 		cups_read_config($2)
@@ -186,7 +187,7 @@ interface(`lpd_read_config',`
 ##	</summary>
 ## </param>
 #
-template(`lpd_domtrans_lpr',`
+interface(`lpd_domtrans_lpr',`
 	gen_require(`
 		type lpr_t, lpr_exec_t;
 	')

policy/modules/services/lpd.te

@@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
 delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
 files_search_spool(checkpc_t)
 
-allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:file getattr_file_perms;
 allow checkpc_t printconf_t:dir list_dir_perms;
 
 kernel_read_system_state(checkpc_t)
@@ -284,13 +284,13 @@ userdom_read_user_tmp_files(lpr_t)
 
 tunable_policy(`use_lpd_server',`
 	# lpr can run in lightweight mode, without a local print spooler.
-	allow lpr_t lpd_var_run_t:dir search;
+	allow lpr_t lpd_var_run_t:dir search_dir_perms;
-	allow lpr_t lpd_var_run_t:sock_file write;
+	allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
 	files_read_var_files(lpr_t)
 
 	# Connect to lpd via a Unix domain socket.
-	allow lpr_t printer_t:sock_file rw_sock_file_perms;
+	allow lpr_t printer_t:sock_file read_sock_file_perms;
-	allow lpr_t lpd_t:unix_stream_socket connectto;
+	stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
 	# Send SIGHUP to lpd.
 	allow lpr_t lpd_t:process signal;
 

policy/modules/services/mailman.te

@@ -61,9 +61,9 @@ optional_policy(`
 # Mailman mail local policy
 #
 
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-allow mailman_mail_t self:process { signal signull };
 allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 
 manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
 manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)

policy/modules/services/memcached.if

@@ -12,8 +12,7 @@
 #
 interface(`memcached_domtrans',`
 	gen_require(`
-		type memcached_t;
+		type memcached_t, memcached_exec_t;
-		type memcached_exec_t;
 	')
 
 	domtrans_pattern($1, memcached_exec_t, memcached_t)
@@ -57,9 +56,7 @@ interface(`memcached_read_pid_files',`
 #
 interface(`memcached_admin',`
 	gen_require(`
-		type memcached_t;
+		type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
-		type memcached_initrc_exec_t;
-		type memcached_var_run_t;
 	')
 
 	allow $1 memcached_t:process { ptrace signal_perms };
@@ -70,6 +67,6 @@ interface(`memcached_admin',`
 	role_transition $2 memcached_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, memcached_var_run_t)
 ')

policy/modules/services/milter.if

@@ -59,7 +59,7 @@ interface(`milter_stream_connect_all',`
 		attribute milter_data_type, milter_domains;
 	')
 
-	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	files_search_pids($1)
 	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
 ')
 
@@ -78,7 +78,6 @@ interface(`milter_getattr_all_sockets',`
 		attribute milter_data_type;
 	')
 
-	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
 	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
 ')
 

policy/modules/services/milter.te

@@ -33,7 +33,6 @@ files_type(spamass_milter_state_t)
 #
 
 allow dkim_milter_t self:capability { kill setgid setuid };
-
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)