more merging from nsa cvs

refpolicy/policy/modules/admin/consoletype.te

@@ -9,9 +9,12 @@ policy_module(consoletype, 1.0)
 type consoletype_t; #, mlsfileread, mlsfilewrite
 type consoletype_exec_t;
 init_domain(consoletype_t,consoletype_exec_t)
-init_system_domain(consoletype_t,consoletype_exec_t)
 role system_r types consoletype_t;
 
+ifdef(`targeted_policy',`',`
+	init_system_domain(consoletype_t,consoletype_exec_t)
+')
+
 ########################################
 #
 # Local declarations
@@ -99,9 +102,11 @@ allow consoletype_t xdm_tmp_t:file rw_file_perms;
 ')
 
 # this goes to xdm module
+ifdef(`targeted_policy',`
 	optional_policy(`consoletype.te',`
 		consoletype_domtrans(xdm_t)
 	')
+')
 
 optional_policy(`lpd.te', `
 allow consoletype_t printconf_t:file r_file_perms;

refpolicy/policy/modules/admin/firstboot.te

@@ -10,6 +10,7 @@ type firstboot_t;
 type firstboot_exec_t;
 init_system_domain(firstboot_t,firstboot_exec_t)
 domain_obj_id_change_exempt(firstboot_t)
+domain_subj_id_change_exempt(firstboot_t)
 role system_r types firstboot_t;
 
 type firstboot_etc_t; #, usercanread;
@@ -103,8 +104,10 @@ userdom_manage_user_home_files(firstboot_t)
 userdom_manage_user_home_symlinks(firstboot_t)
 userdom_manage_user_home_pipes(firstboot_t)
 userdom_manage_user_home_sockets(firstboot_t)
-usermanage_domtrans_useradd(firstboot_t)
+
-usermanage_domtrans_groupadd(firstboot_t)
+ifdef(`targeted_policy',`
+	unconfined_domtrans(firstboot_t)
+')
 
 optional_policy(`kerberos.te',`
 	kerberos_rw_config(firstboot_t)
@@ -114,6 +117,11 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(firstboot_t)
 ')
 
+optional_policy(`usermanage.te',`
+	usermanage_domtrans_useradd(firstboot_t)
+	usermanage_domtrans_groupadd(firstboot_t)
+')
+
 ifdef(`TODO',`
 allow firstboot_t proc_t:file write;
 

refpolicy/policy/modules/admin/updfstab.te

@@ -116,4 +116,12 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(updfstab_t)
 ')
+ifdef(`dbusd.te',`
+allow initrc_t updfstab_t:dbus send_msg;
+allow updfstab_t initrc_t:dbus send_msg;
+')
+allow updfstab_t tmpfs_t:dir getattr;
+ifdef(`hald.te', `
+can_unix_connect(updfstab_t, hald_t)
+')
 ')

refpolicy/policy/modules/admin/usermanage.te

@@ -520,6 +520,7 @@ logging_send_syslog_msg(useradd_t)
 miscfiles_read_localization(useradd_t)
 
 seutil_read_config(useradd_t)
+seutil_read_file_contexts(useradd_t)
 
 userdom_use_unpriv_users_fd(useradd_t)
 

refpolicy/policy/modules/kernel/devices.if

@@ -395,12 +395,12 @@ interface(`dev_del_generic_symlinks',`
 interface(`dev_manage_generic_symlinks',`
 	gen_require(`
 		type device_t;
-		class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+		class dir rw_dir_perms;
-		class lnk_file { create read getattr setattr link unlink rename };
+		class lnk_file create_lnk_perms;
 	')
 
-	allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+	allow $1 device_t:dir rw_dir_perms;
-	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1 device_t:lnk_file create_lnk_perms;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/kernel.if

@@ -1492,7 +1492,7 @@ interface(`kernel_use_shared_libs_from',`
 	gen_require(`
 		type kernel_t;
 		class lnk_file r_file_perms;
-		class file rx_dir_perms;
+		class file rx_file_perms;
 	')
 
 	allow kernel_t $1:dir r_dir_perms;

refpolicy/policy/modules/kernel/kernel.te

@@ -25,7 +25,7 @@ attribute sysctl_type;
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 # 
-type kernel_t, can_load_kernmodule;
+type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
 role system_r types kernel_t;
 domain_base_type(kernel_t)
 sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
@@ -169,6 +169,9 @@ allow kernel_t sysctl_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:file r_file_perms;
 
+# cjp: this seems questionable
+allow kernel_t unlabeled_t:fifo_file rw_file_perms;
+
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
 corenet_raw_sendrecv_all_nodes(kernel_t)
@@ -176,20 +179,24 @@ corenet_raw_sendrecv_all_nodes(kernel_t)
 corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 
-selinux_load_policy(kernel_t)
+dev_read_sysfs(kernel_t)
-
+dev_search_usbfs(kernel_t)
-term_use_console(kernel_t)
 
 # Mount root file system.  Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
 
+selinux_load_policy(kernel_t)
+
+term_use_console(kernel_t)
+
 corecmd_exec_shell(kernel_t)
 corecmd_list_sbin(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 corecmd_exec_bin(kernel_t)
 
 domain_signal_all_domains(kernel_t)
+domain_search_all_domains_state(kernel_t)
 
 files_list_root(kernel_t)
 files_list_etc(kernel_t)

refpolicy/policy/modules/services/cron.fc

@@ -10,8 +10,6 @@
 /usr/sbin/cron(d)?		--	context_template(system_u:object_r:crond_exec_t,s0)
 /usr/sbin/fcron			--	context_template(system_u:object_r:crond_exec_t,s0)
 
-/var/log/cron.*			--	context_template(system_u:object_r:crond_log_t,s0)
-
 /var/run/atd\.pid		--	context_template(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond?\.pid		--	context_template(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond\.reboot		--	context_template(system_u:object_r:crond_var_run_t,s0)

refpolicy/policy/modules/services/cron.if

@@ -188,8 +188,6 @@ template(`cron_per_userdomain_template',`
 	# crontab signals crond by updating the mtime on the spooldir
 	allow $1_crontab_t cron_spool_t:dir setattr;
 
-	allow $1_crontab_t crond_log_t:file ra_file_perms;
-
 	# for the checks used by crontab -u
 	selinux_dontaudit_search_fs($1_crontab_t)
 
@@ -384,24 +382,6 @@ interface(`cron_rw_pipe',`
 	allow $1 crond_t:file { read write };
 ')
 
-########################################
-## <summary>
-##	Read and write the cron daemon log files.
-## </summary>
-## <param name="domain">
-##	The type of the process to performing this action.
-## </param>
-#
-interface(`cron_rw_log',`
-	gen_require(`
-		type crond_log_t;
-		class file rw_file_perms;
-	')
-
-	logging_search_logs($1)
-	allow $1 crond_log_t:file rw_file_perms;
-')
-
 ########################################
 ## <summary>
 ##	Search the directory containing user cron tables.

refpolicy/policy/modules/services/cron.te

@@ -19,9 +19,6 @@ init_daemon_domain(crond_t,crond_exec_t)
 domain_wide_inherit_fd(crond_t)
 domain_cron_exemption_source(crond_t)
 
-type crond_log_t;
-logging_log_file(crond_log_t)
-
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
 
@@ -65,8 +62,6 @@ allow crond_t self:sem create_sem_perms;
 allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
 
-allow crond_t crond_log_t:file create_file_perms;
-
 allow crond_t crond_var_run_t:file create_file_perms;
 files_create_pid(crond_t,crond_var_run_t)
 
@@ -228,10 +223,6 @@ type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
 allow system_crond_t cron_spool_t:dir r_dir_perms;
 allow system_crond_t cron_spool_t:file r_file_perms;
 
-# Access crond log files
-allow system_crond_t crond_log_t:file create_file_perms;
-logging_create_log(system_crond_t,crond_log_t)
-
 kernel_read_kernel_sysctl(system_crond_t)
 kernel_read_system_state(system_crond_t)
 kernel_read_software_raid_state(system_crond_t)
@@ -372,7 +363,7 @@ allow system_crond_su_t crond_t:fifo_file ioctl;
 # Required for webalizer
 #
 ifdef(`apache.te', `
-allow system_crond_t httpd_log_t:file r_file_perms;
+allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms;
 ')
 
 ifdef(`mta.te', `

refpolicy/policy/modules/system/authlogin.te

@@ -342,9 +342,8 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(utempter_t)
 ')
 
+ifdef(`TODO',`
 optional_policy(`xdm.te',`
-	#allow utempter_t xdm_t:fd use;
+	can_pipe_xdm(utempter_t)
-	xdm_use_fd(utempter_t)
+')
-	#allow utempter_t xdm_t:fifo_file { write getattr };
-	xdm_write_pipe(utempter_t)
 ')

refpolicy/policy/modules/system/domain.if

@@ -423,13 +423,30 @@ interface(`domain_kill_all_domains',`
 	allow $1 domain:process sigkill;
 	allow $1 self:capability kill;
 ')
+########################################
+## <summary>
+##	Search the process state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_search_all_domains_state',`
+	gen_require(`
+		attribute domain;
+		class dir search;
+	')
+
+	kernel_search_proc($1)
+	allow $1 domain:dir search;
+')
 
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`domain_read_all_domains_state',`
@@ -441,6 +458,7 @@ interface(`domain_read_all_domains_state',`
 		class process { getattr ptrace };
 	')
 
+	kernel_search_proc($1)
 	allow $1 domain:dir r_dir_perms;
 	allow $1 domain:lnk_file r_file_perms;
 	allow $1 domain:file r_file_perms;
@@ -453,6 +471,38 @@ interface(`domain_read_all_domains_state',`
 	dontaudit $1 domain:process ptrace;
 ')
 
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_read_confined_domains_state',`
+	gen_require(`
+		attribute domain, unconfined_domain;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file r_file_perms;
+		class process { getattr ptrace };
+	')
+
+	kernel_search_proc($1)
+	allow $1 { domain -unconfined_domain }:dir r_dir_perms;
+	allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
+	allow $1 { domain -unconfined_domain }:file r_file_perms;
+	allow $1 { domain -unconfined_domain }:process getattr;
+
+	dontaudit $1 unconfined_domain:dir search;
+
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $1 { domain -unconfined_domain }:process ptrace;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read the process
@@ -767,6 +817,8 @@ interface(`domain_unconfined',`
 		class lnk_file r_file_perms;
 	')
 
+	typeattribute $1 unconfined_domain;
+
 	# pass all constraints
 	typeattribute $1 can_change_process_identity;
 	typeattribute $1 can_change_process_role;

refpolicy/policy/modules/system/domain.te

@@ -12,6 +12,9 @@ attribute domain;
 # Transitions only allowed from domains to other domains
 neverallow domain ~domain:process { transition dyntransition };
 
+# Domains that are unconfined
+attribute unconfined_domain;
+
 # Domains that can set their current context
 # (perform dynamic transitions)
 attribute set_curr_context;

refpolicy/policy/modules/system/hotplug.te

@@ -123,11 +123,11 @@ ifdef(`distro_redhat', `
 
 ifdef(`targeted_policy', `
 	unconfined_domain_template(hotplug_t)
-')
 
 	optional_policy(`consoletype.te',`
 		consoletype_domtrans(hotplug_t)
 	')
+')
 
 optional_policy(`dbus.te',`
 	dbus_system_bus_client_template(hotplug,hotplug_t)

refpolicy/policy/modules/system/init.if

@@ -157,6 +157,23 @@ interface(`init_domtrans',`
 	allow init_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Execute the init program in the caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`init_exec',`
+	gen_require(`
+		type init_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,init_exec_t)
+')
+
 ########################################
 #
 # init_get_process_group(domain)

refpolicy/policy/modules/system/init.te

@@ -239,6 +239,7 @@ dev_write_snd_mixer_dev(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_read_lvm_control(initrc_t)
 dev_delete_lvm_control(initrc_t)
+dev_manage_generic_symlinks(initrc_t)
 # Wants to remove udev.tbl:
 dev_del_generic_symlinks(initrc_t)
 
@@ -317,6 +318,7 @@ logging_send_syslog_msg(initrc_t)
 logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
+logging_read_auditd_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 
@@ -386,6 +388,7 @@ ifdef(`distro_redhat',`
 ')
 
 ifdef(`targeted_policy',`
+	domain_subj_id_change_exempt(initrc_t)
 	unconfined_domain_template(initrc_t)
 	unconfined_shell_domtrans(initrc_t)
 ')

refpolicy/policy/modules/system/locallogin.if

@@ -18,7 +18,7 @@ interface(`locallogin_domtrans',`
 
 ########################################
 ## <summary>
-##	Allow processes to inherit local login file descriptors
+##	Allow processes to inherit local login file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
@@ -33,6 +33,23 @@ interface(`locallogin_use_fd',`
 	allow $1 local_login_t:fd use;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to inherit local login file descriptors.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`locallogin_dontaudit_use_fd',`
+	gen_require(`
+		type local_login_t;
+		class fd use;
+	')
+
+	dontaudit $1 local_login_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Send a null signal to local login processes.

refpolicy/policy/modules/system/logging.if

@@ -83,6 +83,24 @@ interface(`logging_send_syslog_msg',`
 	term_use_console($1)
 ')
 
+########################################
+## <summary>
+##	Read the auditd configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`logging_read_auditd_config',`
+	gen_require(`
+		type auditd_etc_t;
+		class file r_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 auditd_etc_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allows the domain to open a file in the

refpolicy/policy/modules/system/logging.te

@@ -8,7 +8,15 @@ policy_module(logging,1.0)
 
 attribute logfile;
 
-type auditd_log_t;
+type auditctl_t; #, privlog;
+type auditctl_exec_t;
+init_system_domain(auditctl_t,auditctl_exec_t)
+role system_r types auditctl_t;
+
+type auditd_etc_t; #, secure_file_type;
+files_type(auditd_etc_t)
+
+type auditd_log_t; # secure_file_type;
 files_type(auditd_log_t)
 
 type auditd_t;
@@ -49,13 +57,55 @@ files_type(var_log_t)
 # Auditd local policy
 #
 
+allow auditctl_t self:capability { audit_write audit_control };
+allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+
+libs_use_ld_so(auditctl_t)
+libs_use_shared_libs(auditctl_t)
+
+allow auditctl_t etc_t:file { getattr read };
+
+allow auditctl_t auditd_etc_t:file r_file_perms;
+
+kernel_read_kernel_sysctl(auditctl_t)
+
+domain_use_wide_inherit_fd(auditctl_t)
+
+init_use_script_pty(auditctl_t)
+init_dontaudit_use_fd(auditctl_t)
+
+locallogin_dontaudit_use_fd(auditctl_t)
+
+ifdef(`TODO',`
+role secadm_r types auditctl_t;
+role sysadm_r types auditctl_t;
+audit_manager_domain(secadm_t)
+
+ifdef(`targeted_policy', `', `
+ifdef(`separate_secadm', `', `
+audit_manager_domain(sysadm_t)
+allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+') 
+')
+') dnl end TODO
+
+########################################
+#
+# Auditd local policy
+#
+
 allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setsched };
-allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow auditd_t self:file { getattr read write };
+allow auditd_t self:unix_dgram_socket create_socket_perms;
+allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
 
-allow auditd_t var_log_t:dir rw_dir_perms;
+allow auditd_t auditd_etc_t:file r_file_perms;
+
+allow auditd_t auditd_log_t:dir rw_dir_perms;
 allow auditd_t auditd_log_t:file create_file_perms;
+allow auditd_t var_log_t:dir search;
 
 allow auditd_t auditd_var_run_t:file create_file_perms;
 files_create_pid(auditd_t,auditd_var_run_t)
@@ -72,6 +122,8 @@ fs_search_auto_mountpoints(auditd_t)
 term_dontaudit_use_console(auditd_t)
 
 init_use_fd(auditd_t)
+init_exec(auditd_t)
+init_write_initctl(auditd_t)
 init_use_script_pty(auditd_t)
 
 domain_use_wide_inherit_fd(auditd_t)
@@ -92,9 +144,7 @@ userdom_dontaudit_search_sysadm_home_dir(auditd_t)
 userdom_use_sysadm_tty(auditd_t)
 
 ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_tty(auditd_t)
+	unconfined_domain_template(auditd_t)
-	term_dontaudit_use_generic_pty(auditd_t)
-	files_dontaudit_read_root_file(auditd_t)
 ')
 
 optional_policy(`selinuxutil.te',`
@@ -155,11 +205,12 @@ miscfiles_read_localization(klogd_t)
 # syslogd local policy
 #
 
+# sys_admin chown fsetid for syslog-ng
 # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
 dontaudit syslogd_t self:capability sys_tty_config;
 allow syslogd_t self:process signal_perms;
-
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -167,9 +218,18 @@ allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_file_perms;
 allow syslogd_t self:udp_socket { connected_socket_perms connect };
 
+# Create and bind to /dev/log or /var/run/log.
+allow syslogd_t devlog_t:sock_file create_file_perms;
+files_create_pid(syslogd_t,devlog_t,sock_file)
+# cjp: I belive these are not needed:
+allow syslogd_t devlog_t:unix_stream_socket name_bind;
+allow syslogd_t devlog_t:unix_dgram_socket name_bind;
+
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
 allow syslogd_t var_log_t:file create_file_perms;
+# Allow access for syslog-ng
+allow syslogd_t var_log_t:dir { create setattr };
 
 # manage temporary files
 allow syslogd_t syslogd_tmp_t:file create_file_perms;
@@ -178,13 +238,6 @@ files_create_tmp_files(syslogd_t,syslogd_tmp_t)
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_pid(syslogd_t,syslogd_var_run_t,file)
 
-# Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file create_file_perms;
-files_create_pid(syslogd_t,devlog_t,sock_file)
-# I belive these are not needed:
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
-
 # manage pid file
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_pid(syslogd_t,syslogd_var_run_t)
@@ -192,6 +245,10 @@ files_create_pid(syslogd_t,syslogd_var_run_t)
 kernel_read_kernel_sysctl(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 kernel_send_syslog_msg_from(devlog_t,syslogd_t)
+# Allow access to /proc/kmsg for syslog-ng
+kernel_read_messages(klogd_t)
+kernel_clear_ring_buffer(klogd_t)
+kernel_change_ring_buffer_level(klogd_t)
 
 dev_create_dev_node(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
@@ -213,7 +270,9 @@ corenet_raw_sendrecv_all_nodes(syslogd_t)
 corenet_udp_sendrecv_all_nodes(syslogd_t)
 corenet_udp_sendrecv_all_ports(syslogd_t)
 corenet_udp_bind_all_nodes(syslogd_t)
-corenet_udp_bind_syslogd_port(syslogd_t)
+corenet_tcp_bind_syslogd_port(syslogd_t)
+#cjp: why?
+corenet_tcp_connect_rsh_port(syslogd_t)
 
 fs_getattr_all_fs(syslogd_t)
 
@@ -223,6 +282,8 @@ init_use_script_pty(syslogd_t)
 domain_use_wide_inherit_fd(syslogd_t)
 
 files_read_etc_files(syslogd_t)
+# /initrd is not umounted before minilog starts
+files_dontaudit_search_isid_type_dir(syslogd_t)
 
 libs_use_ld_so(syslogd_t)
 libs_use_shared_libs(syslogd_t)
@@ -234,38 +295,18 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
 userdom_dontaudit_search_sysadm_home_dir(syslogd_t)
 
-#
-# /initrd is not umounted before minilog starts
-#
-files_dontaudit_search_isid_type_dir(syslogd_t)
-#allow syslogd_t tmpfs_t:dir search;
-#dontaudit syslogd_t unlabeled_t:file read;
-#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:capability net_admin;
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
-
 ifdef(`distro_suse',`
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	files_create_var_lib(syslogd_t,devlog_t,sock_file)
 ')
 
-ifdef(`klogd.te', `', `
-	# Allow access to /proc/kmsg for syslog-ng
-	kernel_read_messages(syslogd_t)
-	kernel_clear_ring_buffer(syslogd_t)
-	kernel_change_ring_buffer_level(syslogd_t)
-')
-
 ifdef(`targeted_policy',`
+	allow syslogd_t var_run_t:fifo_file { ioctl read write };
 	term_dontaudit_use_unallocated_tty(syslogd_t)
 	term_dontaudit_use_generic_pty(syslogd_t)
 	files_dontaudit_read_root_file(syslogd_t)
 ')
 
-optional_policy(`cron.te',`
-	cron_rw_log(syslogd_t)
-')
-
 optional_policy(`inn.te',`
 	inn_manage_log(syslogd_t)
 ')
@@ -283,16 +324,19 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-
 optional_policy(`rhgb.te', `
 	rhgb_domain(syslogd_t)
 ')
 
+allow syslogd_t tmpfs_t:dir search;
+dontaudit syslogd_t unlabeled_t:file { getattr read };
+dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
+
 # log to the xconsole
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
 
 #
 # Special case to handle crashes
 #
-allow syslogd_t { device_t file_t }:sock_file unlink;
+allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
 ') dnl end TODO

refpolicy/policy/modules/system/pcmcia.te

@@ -72,7 +72,7 @@ corecmd_exec_sbin(cardmgr_t)
 domain_use_wide_inherit_fd(cardmgr_t)
 domain_exec_all_entry_files(cardmgr_t)
 # Read /proc/PID directories for all domains (for fuser).
-domain_read_all_domains_state(cardmgr_t)
+domain_read_confined_domains_state(cardmgr_t)
 # cjp: these look excessive:
 domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
 domain_dontaudit_getattr_all_sockets(cardmgr_t)

strict/domains/misc/kernel.te

@@ -11,7 +11,7 @@
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 # 
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite ifdef(`nfs_export_all_rw',`,etc_writer') ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
 role system_r types kernel_t;
 general_domain_access(kernel_t)
 general_proc_read_access(kernel_t)
@@ -22,8 +22,8 @@ can_exec(kernel_t, shell_exec_t)
 # Use capabilities.
 allow kernel_t self:capability *;
 
-allow kernel_t sysfs_t:dir search;
+r_dir_file(kernel_t, sysfs_t)
-allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
+allow kernel_t { usbfs_t usbdevfs_t }:dir search;
 
 # Run init in the init_t domain.
 domain_auto_trans(kernel_t, init_exec_t, init_t)
@@ -36,6 +36,7 @@ allow kernel_t fs_type:filesystem mount_fs_perms;
 
 # Send signal to any process.
 allow kernel_t domain:process signal;
+allow kernel_t domain:dir search;
 
 # Access the console.
 allow kernel_t device_t:dir search;
@@ -50,6 +51,7 @@ can_exec(kernel_t, chroot_exec_t)
 allow kernel_t self:capability sys_chroot;
 
 allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
+allow kernel_t unlabeled_t:fifo_file rw_file_perms;
 allow kernel_t file_t:dir rw_dir_perms;
 allow kernel_t file_t:blk_file create_file_perms;
 allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };

strict/domains/program/auditd.te

@@ -2,11 +2,66 @@
 #
 # Authors: Colin Walters <walters@verbum.org>
 #
+# Some fixes by Paul Moore <paul.moore@hp.com>
+# 
+define(`audit_manager_domain', `
+allow $1 auditd_etc_t:file rw_file_perms;
+create_dir_file($1, auditd_log_t)
+domain_auto_trans($1, auditctl_exec_t, auditctl_t)
+')
 
 daemon_domain(auditd)
-allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
+
-allow auditd_t self:capability { audit_write audit_control };
+allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
 allow auditd_t self:unix_dgram_socket create_socket_perms;
+allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
+allow auditd_t self:process setsched;
+allow auditd_t self:file { getattr read write };
 allow auditd_t etc_t:file { getattr read };
-log_domain(auditd)
+
+# Do not use logdir_domain since this is a security file
+type auditd_log_t, file_type, secure_file_type;
+allow auditd_t var_log_t:dir search;
+rw_dir_create_file(auditd_t, auditd_log_t)
+
+can_exec(auditd_t, init_exec_t)
+allow auditd_t initctl_t:fifo_file write;
+
+ifdef(`targeted_policy', `
+dontaudit auditd_t unconfined_t:fifo_file read;
+')
+
+type auditctl_t, domain, privlog;
+type auditctl_exec_t, file_type, exec_type, sysadmfile;
+uses_shlib(auditctl_t)
+allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditctl_t self:capability { audit_write audit_control };
+allow auditctl_t etc_t:file { getattr read };
+allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+
+type auditd_etc_t, file_type, secure_file_type;
+allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
+allow initrc_t auditd_etc_t:file r_file_perms;
+
+role secadm_r types auditctl_t;
+role sysadm_r types auditctl_t;
+audit_manager_domain(secadm_t)
+
+ifdef(`targeted_policy', `', `
+ifdef(`separate_secadm', `', `
+audit_manager_domain(sysadm_t)
+') 
+')
+
+role system_r types auditctl_t;
+domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
+
+dontaudit auditctl_t local_login_t:fd use;
+allow auditctl_t proc_t:dir search;
+allow auditctl_t sysctl_kernel_t:dir search;
+allow auditctl_t sysctl_kernel_t:file { getattr read };
+dontaudit auditctl_t init_t:fd use; 
+allow auditctl_t initrc_devpts_t:chr_file { read write };
+allow auditctl_t privfd:fd use;
+
+

strict/domains/program/cardmgr.te

@@ -61,7 +61,9 @@ allow ifconfig_t cardmgr_t:fd use;
 allow cardmgr_t proc_t:file { getattr read ioctl };
 
 # Read /proc/PID directories for all domains (for fuser).
-can_ps(cardmgr_t, domain)
+can_ps(cardmgr_t, domain -unrestricted)
+dontaudit cardmgr_t unrestricted:dir search;
+
 allow cardmgr_t device_type:{ chr_file blk_file } getattr;
 allow cardmgr_t ttyfile:chr_file getattr;
 dontaudit cardmgr_t ptyfile:chr_file getattr;

strict/domains/program/checkpolicy.te

@@ -12,6 +12,7 @@
 type checkpolicy_t, domain;
 role sysadm_r types checkpolicy_t;
 role system_r types checkpolicy_t;
+role secadm_r types checkpolicy_t;
 
 type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
 
@@ -19,7 +20,7 @@ type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
 # 
 # Rules
 
-domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
+domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
 
 # able to create and modify binary policy files
 allow checkpolicy_t policy_config_t:dir rw_dir_perms;

strict/domains/program/consoletype.te

@@ -19,28 +19,28 @@ role system_r types consoletype_t;
 uses_shlib(consoletype_t)
 general_domain_access(consoletype_t)
 
+ifdef(`targeted_policy', `', `
 domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
 
-allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
-allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
-
 ifdef(`xdm.te', `
 domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
 allow consoletype_t xdm_tmp_t:file { read write };
 ')
 
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-allow consoletype_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`hotplug.te', `
 domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
 ')
+')
+
+allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
+
+allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
 
 # Use capabilities.
 allow consoletype_t self:capability sys_admin;
 
 allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
 allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t tty_device_t:chr_file read;
 allow consoletype_t nfs_t:file write;
 allow consoletype_t sysadm_t:fifo_file rw_file_perms;
 

strict/domains/program/crond.te

@@ -43,8 +43,6 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 
 read_locale(crond_t)
 
-log_domain(crond)
-
 # Use capabilities.
 allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
 dontaudit crond_t self:capability sys_resource;
@@ -101,9 +99,6 @@ can_setexec(crond_t)
 # Still need to study anacron.
 domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
 
-# Access log files
-file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
-
 # Inherit and use descriptors from init for anacron.
 allow system_crond_t init_t:fd use;
 
@@ -205,11 +200,11 @@ domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
 r_dir_file(system_crond_t, file_context_t)
 can_getsecurity(system_crond_t)
 }
-allow system_crond_t removable_t:filesystem { getattr };
+dontaudit system_crond_t removable_t:filesystem getattr;
 #
 # Required for webalizer
 #
 ifdef(`apache.te', `
-allow system_crond_t httpd_log_t:file { getattr read };
+allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
 ')
-dontaudit crond_t self:capability { sys_tty_config };
+dontaudit crond_t self:capability sys_tty_config;

strict/domains/program/firstboot.te

@@ -10,7 +10,7 @@
 #
 # firstboot_exec_t is the type of the firstboot executable.
 #
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
 type firstboot_rw_t, file_type, sysadmfile;
 role system_r types firstboot_t;
 
@@ -29,8 +29,10 @@ domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
 file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
 
 can_exec_any(firstboot_t)
+ifdef(`useradd.te',`
 domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
 domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
+')
 allow firstboot_t etc_runtime_t:file { getattr read };
 
 r_dir_file(firstboot_t, etc_t)
@@ -107,8 +109,10 @@ read_sysctl(firstboot_t)
 
 allow firstboot_t var_run_t:dir getattr;
 allow firstboot_t var_t:dir getattr;
+ifdef(`hostname.te', `
 allow hostname_t devtty_t:chr_file { read write };
 allow hostname_t firstboot_t:fd use;
+')
 ifdef(`iptables.te', `
 allow iptables_t devtty_t:chr_file { read write };
 allow iptables_t firstboot_t:fd use;
@@ -128,4 +132,7 @@ file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
 # The big hammer
 #
 unconfined_domain(firstboot_t) 
+ifdef(`targeted_policy', `
+allow firstboot_t unconfined_t:process transition;
+')
 

strict/domains/program/getty.te

@@ -42,6 +42,7 @@ allow getty_t wtmp_t:file rw_file_perms;
 # Chown, chmod, read and write ttys.
 allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
 allow getty_t ttyfile:chr_file { setattr rw_file_perms };
+dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms; 
 
 # for error condition handling
 allow getty_t fs_t:filesystem getattr;

strict/domains/program/initrc.te

@@ -120,7 +120,10 @@ allow initrc_t domain:process { getattr getsession };
 
 # Mount and unmount file systems.
 allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t { file_t default_t }:dir { read search getattr mounton };
+allow initrc_t file_t:dir { read search getattr mounton };
+
+# during boot up initrc needs to do the following
+allow initrc_t default_t:dir { read search getattr mounton };
 
 # Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
 file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
@@ -153,9 +156,6 @@ allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
 # Kill all processes.
 allow initrc_t domain:process signal_perms;
 
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
 # Write to /dev/urandom.
 allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
 
@@ -229,9 +229,13 @@ allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
 allow initrc_t { home_root_t home_type }:dir r_dir_perms;
 allow initrc_t home_type:file r_file_perms;
 
+# Read and unlink /var/run/*.pid files.
+allow initrc_t pidfile:file { getattr read unlink };
+
 # for system start scripts
 allow initrc_t pidfile:dir rw_dir_perms;
 allow initrc_t pidfile:sock_file unlink;
+
 rw_dir_create_file(initrc_t, var_lib_t)
 
 # allow start scripts to clean /tmp
@@ -252,7 +256,9 @@ type run_init_t, domain;
 domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+typeattribute initrc_t privuser;
 domain_trans(initrc_t, shell_exec_t, unconfined_t)
+allow initrc_t unconfined_t:system syslog_mod;
 ', `
 run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
 ')
@@ -309,3 +315,4 @@ ifdef(`distro_gentoo', `
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')
 allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
+allow initrc_t device_t:lnk_file create_file_perms;

strict/domains/program/samba.te

@@ -9,14 +9,13 @@
 # Declarations for Samba
 #
 
-daemon_domain(smbd, `, auth_chkpwd')
+daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
 daemon_domain(nmbd)
 type samba_etc_t, file_type, sysadmfile, usercanread;
 type samba_log_t, file_type, sysadmfile, logfile;
 type samba_var_t, file_type, sysadmfile;
 type samba_share_t, file_type, sysadmfile, customizable;
 type samba_secrets_t, file_type, sysadmfile;
-typealias samba_var_t alias samba_spool_t;
 
 # for /var/run/samba/messages.tdb
 allow smbd_t nmbd_var_run_t:file rw_file_perms;
@@ -41,14 +40,17 @@ allow system_crond_t samba_log_t:file { read getattr lock };
 general_domain_access(smbd_t)
 general_proc_read_access(smbd_t)
 
-type smbd_port_t, port_type, reserved_port_type;
 allow smbd_t smbd_port_t:tcp_socket name_bind;
 
 # Use capabilities.
 allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
 
 # Use the network.
-can_network_server(smbd_t)
+can_network(smbd_t)
+can_ldap(smbd_t)
+can_kerberos(smbd_t)
+can_winbind(smbd_t)
+allow smbd_t ipp_port_t:tcp_socket name_connect;
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
 
@@ -62,13 +64,16 @@ allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
 
 # Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
 allow smbd_t var_lib_t:dir search;
-allow smbd_t samba_var_t:dir create_dir_perms;
+create_dir_file(smbd_t, samba_var_t)
-allow smbd_t samba_var_t:file create_file_perms;
+
+# Needed for shared printers
+allow smbd_t var_spool_t:dir search;
 
 # Permissions to write log files.
 allow smbd_t samba_log_t:file { create ra_file_perms };
 allow smbd_t var_log_t:dir search;
 allow smbd_t samba_log_t:dir ra_dir_perms;
+dontaudit smbd_t samba_log_t:dir remove_name;
 
 allow smbd_t usr_t:file { getattr read };
 
@@ -88,7 +93,6 @@ can_exec(logrotate_t, samba_log_t)
 general_domain_access(nmbd_t)
 general_proc_read_access(nmbd_t)
 
-type nmbd_port_t, port_type, reserved_port_type;
 allow nmbd_t nmbd_port_t:udp_socket name_bind;
 
 # Use capabilities.
@@ -111,6 +115,7 @@ allow nmbd_t usr_t:file { getattr read };
 allow nmbd_t samba_log_t:file { create ra_file_perms };
 allow nmbd_t var_log_t:dir search;
 allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t etc_t:file { getattr read };
 ifdef(`cups.te', `
 allow smbd_t cupsd_rw_etc_t:file { getattr read };
 ')
@@ -136,6 +141,7 @@ allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_over
 # Access samba config
 allow smbmount_t samba_etc_t:file r_file_perms;
 allow smbmount_t samba_etc_t:dir r_dir_perms;
+allow initrc_t samba_etc_t:file rw_file_perms;
 
 # Write samba log
 allow smbmount_t samba_log_t:file create_file_perms;
@@ -153,6 +159,7 @@ allow smbmount_t etc_t:file r_file_perms;
 
 # Networking
 can_network(smbmount_t)
+allow smbmount_t port_type:tcp_socket name_connect;
 can_ypbind(smbmount_t)
 allow smbmount_t self:unix_dgram_socket create_socket_perms;
 allow smbmount_t self:unix_stream_socket create_socket_perms;
@@ -180,3 +187,28 @@ access_terminal(smbmount_t, sysadm)
 allow smbmount_t userdomain:fd use;
 allow smbmount_t local_login_t:fd use;
 ')
+# Derive from app. domain. Transition from mount.
+application_domain(samba_net, `, nscd_client_domain')
+file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
+read_locale(samba_net_t) 
+allow samba_net_t samba_etc_t:file r_file_perms;
+r_dir_file(samba_net_t, samba_var_t)
+can_network_udp(samba_net_t)
+access_terminal(samba_net_t, sysadm)
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+rw_dir_create_file(samba_net_t, samba_var_t)
+allow samba_net_t etc_t:file { getattr read };
+can_network_client(samba_net_t)
+allow samba_net_t smbd_port_t:tcp_socket name_connect;
+can_ldap(samba_net_t)
+can_kerberos(samba_net_t)
+allow samba_net_t urandom_device_t:chr_file r_file_perms;
+allow samba_net_t proc_t:dir search;
+allow samba_net_t proc_t:lnk_file read;
+allow samba_net_t self:dir search;
+allow samba_net_t self:file read;
+allow samba_net_t self:process signal;
+tmp_domain(samba_net)
+dontaudit samba_net_t sysadm_home_dir_t:dir search;
+allow samba_net_t privfd:fd use;

strict/domains/program/syslogd.te

@@ -64,8 +64,6 @@ can_unix_connect(privlog,syslogd_t)
 allow privlog devlog_t:lnk_file read;
 
 ifdef(`crond.te', `
-# Write to the cron log.
-allow syslogd_t crond_log_t:file rw_file_perms;
 # for daemon re-start
 allow system_crond_t syslogd_t:lnk_file read;
 ')
@@ -79,16 +77,10 @@ allow syslogd_t initrc_var_run_t:file { read lock };
 dontaudit syslogd_t initrc_var_run_t:file write;
 allow syslogd_t ttyfile:chr_file { getattr write };
 
-ifdef(`klogd.te', `', `
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-')
 #
 # Special case to handle crashes
 #
-allow syslogd_t { device_t file_t }:sock_file unlink;
+allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
 
 # Allow syslog to a terminal
 allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
@@ -100,6 +92,18 @@ allow syslogd_t syslogd_port_t:udp_socket name_bind;
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
-dontaudit syslogd_t unlabeled_t:file read;
+dontaudit syslogd_t unlabeled_t:file { getattr read };
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`targeted_policy', `
+allow syslogd_t var_run_t:fifo_file { ioctl read write };
+')
+
+# Allow access to /proc/kmsg for syslog-ng
+allow syslogd_t proc_t:dir search;
+allow syslogd_t proc_kmsg_t:file { getattr read };
+allow syslogd_t kernel_t:system { syslog_mod syslog_console };
+allow syslogd_t self:capability { sys_admin chown fsetid };
+allow syslogd_t var_log_t:dir { create setattr };
+allow syslogd_t syslogd_port_t:tcp_socket name_bind;
+allow syslogd_t rsh_port_t:tcp_socket name_connect;

strict/domains/program/updfstab.te

@@ -31,6 +31,8 @@ read_locale(updfstab_t)
 ifdef(`dbusd.te', `
 dbusd_client(system, updfstab)
 allow updfstab_t system_dbusd_t:dbus { send_msg };
+allow initrc_t updfstab_t:dbus send_msg;
+allow updfstab_t initrc_t:dbus send_msg;
 ')
 
 # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
@@ -72,3 +74,8 @@ can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
 dontaudit updfstab_t home_root_t:dir { getattr search };
 dontaudit updfstab_t { home_dir_type home_type }:dir search;
 allow updfstab_t fs_t:filesystem { getattr };
+allow updfstab_t tmpfs_t:dir getattr;
+ifdef(`hald.te', `
+can_unix_connect(updfstab_t, hald_t)
+')
+

strict/domains/program/useradd.te

@@ -98,3 +98,7 @@ allow groupadd_t self:capability { setuid sys_resource };
 allow groupadd_t self:process setrlimit;
 allow groupadd_t initrc_var_run_t:file r_file_perms;
 dontaudit groupadd_t initrc_var_run_t:file write;
+
+allow useradd_t default_context_t:dir search;
+allow useradd_t file_context_t:dir search;
+allow useradd_t file_context_t:file { getattr read };

strict/domains/program/utempter.te

@@ -38,10 +38,7 @@ allow utempter_t user_tmpfile:file { getattr write append };
 
 # Inherit and use descriptors from login.
 allow utempter_t privfd:fd use;
-ifdef(`xdm.te', `
+ifdef(`xdm.te', `can_pipe_xdm(utempter_t)')
-allow utempter_t xdm_t:fd use;
-allow utempter_t xdm_t:fifo_file { write getattr };
-')
 
 allow utempter_t self:unix_stream_socket create_stream_socket_perms;
 

strict/file_contexts/program/samba.fc

@@ -1,6 +1,7 @@
 # samba scripts
 /usr/sbin/smbd		--	system_u:object_r:smbd_exec_t
 /usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t
+/usr/bin/net		--	system_u:object_r:samba_net_exec_t
 /etc/samba(/.*)?		system_u:object_r:samba_etc_t
 /var/log/samba(/.*)?		system_u:object_r:samba_log_t
 /var/cache/samba(/.*)?		system_u:object_r:samba_var_t