add dcc, bug 1522

refpolicy/Changelog

@@ -46,6 +46,7 @@
 	clamav (Erich Schubert)
 	courier
 	dante
+	dcc
 	ddclient
 	dpkg (Erich Schubert)
 	dnsmasq

refpolicy/policy/modules/services/amavis.te

@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.0.1)
+policy_module(amavis,1.0.2)
 
 ########################################
 #
@@ -138,6 +138,11 @@ optional_policy(`
 	clamav_stream_connect(amavis_t)
 ')
 
+optional_policy(`
+	dcc_domtrans_client(amavis_t)
+	dcc_stream_connect_dccifd(amavis_t)
+')
+
 optional_policy(`
 	ldap_use(amavis_t)
 ')

refpolicy/policy/modules/services/dcc.fc

@@ -0,0 +1,18 @@
+/etc/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
+/etc/dcc/dccifd			-s	gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/etc/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/usr/bin/cdcc			--	gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccproc		--	gen_context(system_u:object_r:dcc_client_exec_t,s0)
+
+/usr/libexec/dcc/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/libexec/dcc/dccd		--	gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/libexec/dcc/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/libexec/dcc/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)
+
+/var/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
+/var/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+
+/var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
+/var/run/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/run/dcc/dccifd		-s	gen_context(system_u:object_r:dccifd_var_run_t,s0)

refpolicy/policy/modules/services/dcc.if

@@ -0,0 +1,181 @@
+## <summary>Distributed checksum clearinghouse spam filtering</summary>
+
+########################################
+## <summary>
+##	Execute cdcc in the cdcc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_domtrans_cdcc',`
+	gen_require(`
+		type cdcc_t, cdcc_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,cdcc_exec_t,cdcc_t)
+	allow cdcc_t $1:fd use;
+	allow cdcc_t $1:fifo_file rw_file_perms;
+	allow cdcc_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute cdcc in the cdcc domain, and
+##	allow the specified role the cdcc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the cdcc domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the cdcc domain to use.
+##	</summary>
+## </param>
+#
+interface(`dcc_run_cdcc',`
+	gen_require(`
+		type cdcc_t;
+	')
+
+	dcc_domtrans_cdcc($1)
+	role $2 types cdcc_t;
+	allow cdcc_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute dcc_client in the dcc_client domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_domtrans_client',`
+	gen_require(`
+		type dcc_client_t, dcc_client_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,dcc_client_exec_t,dcc_client_t)
+	allow dcc_client_t $1:fd use;
+	allow dcc_client_t $1:fifo_file rw_file_perms;
+	allow dcc_client_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute dcc_client in the dcc_client domain, and
+##	allow the specified role the dcc_client domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the dcc_client domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the dcc_client domain to use.
+##	</summary>
+## </param>
+#
+interface(`dcc_run_client',`
+	gen_require(`
+		type dcc_client_t;
+	')
+
+	dcc_domtrans_client($1)
+	role $2 types dcc_client_t;
+	allow dcc_client_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute dbclean in the dcc_dbclean domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_domtrans_dbclean',`
+	gen_require(`
+		type dcc_dbclean_t, dcc_dbclean_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,dcc_dbclean_exec_t,dcc_dbclean_t)
+	allow dcc_dbclean_t $1:fd use;
+	allow dcc_dbclean_t $1:fifo_file rw_file_perms;
+	allow dcc_dbclean_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute dbclean in the dcc_dbclean domain, and
+##	allow the specified role the dcc_dbclean domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the dcc_dbclean domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the dcc_dbclean domain to use.
+##	</summary>
+## </param>
+#
+interface(`dcc_run_dbclean',`
+	gen_require(`
+		type dcc_dbclean_t;
+	')
+
+	dcc_domtrans_dbclean($1)
+	role $2 types dcc_dbclean_t;
+	allow dcc_dbclean_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Connect to dccifd over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_stream_connect_dccifd',`
+	gen_require(`
+		type dcc_var_t, dccifd_var_run_t, dccifd_t;
+	')
+
+	files_search_var($1)
+	allow $1 dcc_var_t:dir search;
+	allow $1 dccifd_var_run_t:sock_file { getattr write };
+	allow $1 dccifd_t:unix_stream_socket connectto;
+')

refpolicy/policy/modules/services/dcc.te

@@ -0,0 +1,471 @@
+
+policy_module(dcc,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cdcc_t;
+type cdcc_exec_t;
+domain_type(cdcc_t)
+domain_entry_file(cdcc_t,cdcc_exec_t)
+role system_r types cdcc_t;
+
+type cdcc_tmp_t;
+files_tmp_file(cdcc_tmp_t)
+
+type dcc_client_t;
+type dcc_client_exec_t;
+domain_type(dcc_client_t)
+domain_entry_file(dcc_client_t,dcc_client_exec_t)
+role system_r types dcc_client_t;
+
+type dcc_client_map_t;
+files_type(dcc_client_map_t)
+
+type dcc_client_tmp_t;
+files_tmp_file(dcc_client_tmp_t)
+
+type dcc_dbclean_t;
+type dcc_dbclean_exec_t;
+domain_type(dcc_dbclean_t)
+domain_entry_file(dcc_dbclean_t,dcc_dbclean_exec_t)
+role system_r types dcc_dbclean_t;
+
+type dcc_dbclean_tmp_t;
+files_tmp_file(dcc_dbclean_tmp_t)
+
+type dcc_var_t;
+files_type(dcc_var_t)
+
+type dcc_var_run_t;
+files_type(dcc_var_run_t)
+
+type dccd_t;
+type dccd_exec_t;
+init_daemon_domain(dccd_t,dccd_exec_t)
+
+type dccd_tmp_t;
+files_tmp_file(dccd_tmp_t)
+
+type dccd_var_run_t;
+files_pid_file(dccd_var_run_t)
+
+type dccifd_t;
+type dccifd_exec_t;
+init_daemon_domain(dccifd_t,dccifd_exec_t)
+
+type dccifd_tmp_t;
+files_tmp_file(dccifd_tmp_t)
+
+type dccifd_var_run_t;
+files_pid_file(dccifd_var_run_t)
+
+type dccm_t;
+type dccm_exec_t;
+init_daemon_domain(dccm_t,dccm_exec_t)
+
+type dccm_tmp_t;
+files_tmp_file(dccm_tmp_t)
+
+type dccm_var_run_t;
+files_pid_file(dccm_var_run_t)
+
+# NOTE: DCC has writeable files in /etc/dcc that should probably be in
+# /var/lib/dcc.  For now this policy supports both directories being
+# writable.
+
+# cjp: dccifd and dccm should be merged, as
+# they have the same rules.
+
+########################################
+#
+# dcc daemon controller local policy
+#
+
+allow cdcc_t self:capability setuid;
+allow cdcc_t self:unix_dgram_socket create_socket_perms;
+allow cdcc_t self:udp_socket create_socket_perms;
+
+allow cdcc_t cdcc_tmp_t:dir manage_dir_perms;
+allow cdcc_t cdcc_tmp_t:file create_file_perms;
+files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
+
+allow cdcc_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow cdcc_t dcc_var_t:dir r_dir_perms;
+allow cdcc_t dcc_var_t:file r_file_perms;
+allow cdcc_t dcc_var_t:lnk_file { getattr read };
+
+corenet_non_ipsec_sendrecv(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_all_nodes(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
+files_read_etc_files(cdcc_t)
+files_read_etc_runtime_files(cdcc_t)
+
+libs_use_ld_so(cdcc_t)
+libs_use_shared_libs(cdcc_t)
+
+logging_send_syslog_msg(cdcc_t)
+
+miscfiles_read_localization(cdcc_t)
+
+sysnet_read_config(cdcc_t)
+sysnet_dns_name_resolve(cdcc_t)
+
+optional_policy(`
+	nscd_socket_use(cdcc_t)
+')
+
+########################################
+#
+# dcc procmail interface local policy
+#
+
+allow dcc_client_t self:capability setuid;
+allow dcc_client_t self:unix_dgram_socket create_socket_perms;
+allow dcc_client_t self:udp_socket create_socket_perms;
+
+allow dcc_client_t dcc_client_map_t:file rw_file_perms;
+
+allow dcc_client_t dcc_client_tmp_t:dir manage_dir_perms;
+allow dcc_client_t dcc_client_tmp_t:file create_file_perms;
+files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
+
+# Access files in /var/dcc. The map file can be updated
+allow dcc_client_t dcc_var_t:dir r_dir_perms;
+allow dcc_client_t dcc_var_t:file r_file_perms;
+allow dcc_client_t dcc_var_t:lnk_file { getattr read };
+
+corenet_non_ipsec_sendrecv(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_all_nodes(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+
+files_read_etc_files(dcc_client_t)
+files_read_etc_runtime_files(dcc_client_t)
+
+libs_use_ld_so(dcc_client_t)
+libs_use_shared_libs(dcc_client_t)
+
+logging_send_syslog_msg(dcc_client_t)
+
+miscfiles_read_localization(dcc_client_t)
+
+sysnet_read_config(dcc_client_t)
+sysnet_dns_name_resolve(dcc_client_t)
+
+optional_policy(`
+	nscd_socket_use(dcc_client_t)
+')
+
+########################################
+#
+# Database cleanup tool local policy
+#
+
+allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
+allow dcc_dbclean_t self:udp_socket create_socket_perms;
+
+allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
+
+allow dcc_dbclean_t dcc_dbclean_tmp_t:dir manage_dir_perms;
+allow dcc_dbclean_t dcc_dbclean_tmp_t:file create_file_perms;
+files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
+
+allow dcc_dbclean_t dcc_var_t:dir manage_dir_perms;
+allow dcc_dbclean_t dcc_var_t:file manage_file_perms;
+allow dcc_dbclean_t dcc_var_t:lnk_file create_lnk_perms;
+
+kernel_read_system_state(dcc_dbclean_t)
+
+corenet_non_ipsec_sendrecv(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
+files_read_etc_files(dcc_dbclean_t)
+files_read_etc_runtime_files(dcc_dbclean_t)
+
+libs_use_ld_so(dcc_dbclean_t)
+libs_use_shared_libs(dcc_dbclean_t)
+
+logging_send_syslog_msg(dcc_dbclean_t)
+
+miscfiles_read_localization(dcc_dbclean_t)
+
+sysnet_read_config(dcc_dbclean_t)
+sysnet_dns_name_resolve(dcc_dbclean_t)
+
+optional_policy(`
+	nscd_socket_use(dcc_dbclean_t)
+')
+
+########################################
+#
+# Server daemon local policy
+#
+
+allow dccd_t self:capability net_admin;
+dontaudit dccd_t self:capability sys_tty_config;
+allow dccd_t self:process signal_perms;
+allow dccd_t self:unix_stream_socket create_socket_perms;
+allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow dccd_t self:udp_socket create_socket_perms;
+
+allow dccd_t dcc_client_map_t:file rw_file_perms;
+
+# Access files in /var/dcc. The map file can be updated
+allow dccd_t dcc_var_t:dir r_dir_perms;
+allow dccd_t dcc_var_t:file r_file_perms;
+allow dccd_t dcc_var_t:lnk_file { getattr read };
+
+# Runs the dbclean program
+domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+corecmd_search_bin(dccd_t)
+allow dcc_dbclean_t dccd_t:fd use;
+allow dcc_dbclean_t dccd_t:fifo_file rw_file_perms;
+allow dcc_dbclean_t dccd_t:process sigchld;
+
+# Updating dcc_db, flod, ...
+allow dccd_t dcc_var_t:dir manage_dir_perms;
+allow dccd_t dcc_var_t:file manage_file_perms;
+allow dccd_t dcc_var_t:lnk_file create_lnk_perms;
+
+allow dccd_t dccd_tmp_t:dir manage_dir_perms;
+allow dccd_t dccd_tmp_t:file create_file_perms;
+files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
+
+allow dccd_t dccd_var_run_t:file create_file_perms;
+allow dccd_t dccd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dccd_t,dccd_var_run_t,file)
+
+kernel_read_system_state(dccd_t)
+kernel_read_kernel_sysctls(dccd_t)
+
+corenet_non_ipsec_sendrecv(dccd_t)
+corenet_udp_sendrecv_generic_if(dccd_t)
+corenet_udp_sendrecv_all_nodes(dccd_t)
+corenet_udp_sendrecv_all_ports(dccd_t)
+corenet_udp_bind_all_nodes(dccd_t)
+corenet_udp_bind_dcc_port(dccd_t)
+
+dev_read_sysfs(dccd_t)
+
+domain_use_interactive_fds(dccd_t)
+
+files_read_etc_files(dccd_t)
+files_read_etc_runtime_files(dccd_t)
+
+fs_getattr_all_fs(dccd_t)
+fs_search_auto_mountpoints(dccd_t)
+
+term_dontaudit_use_console(dccd_t)
+
+init_use_fds(dccd_t)
+init_use_script_ptys(dccd_t)
+
+libs_use_ld_so(dccd_t)
+libs_use_shared_libs(dccd_t)
+
+logging_send_syslog_msg(dccd_t)
+
+miscfiles_read_localization(dccd_t)
+
+sysnet_read_config(dccd_t)
+sysnet_dns_name_resolve(dccd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccd_t)
+userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dccd_t)
+	term_dontaudit_use_generic_ptys(dccd_t)
+	files_dontaudit_read_root_files(dccd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dccd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dccd_t)
+')
+
+optional_policy(`
+	udev_read_db(dccd_t)
+')
+
+########################################
+#
+# Spamassassin and general MTA persistent client local policy
+#
+
+dontaudit dccifd_t self:capability sys_tty_config;
+allow dccifd_t self:process signal_perms;
+allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
+allow dccifd_t self:unix_dgram_socket create_socket_perms;
+allow dccifd_t self:udp_socket create_socket_perms;
+
+allow dccifd_t dcc_client_map_t:file rw_file_perms;
+
+# Updating dcc_db, flod, ...
+allow dccifd_t dcc_var_t:dir manage_dir_perms;
+allow dccifd_t dcc_var_t:{ file sock_file fifo_file } manage_file_perms;
+allow dccifd_t dcc_var_t:lnk_file create_lnk_perms;
+
+allow dccifd_t dccifd_tmp_t:dir manage_dir_perms;
+allow dccifd_t dccifd_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
+
+allow dccifd_t dccifd_var_run_t:file manage_file_perms;
+allow dccifd_t dccifd_var_run_t:sock_file manage_file_perms;
+allow dccifd_t dcc_var_t:dir rw_dir_perms;
+type_transition dccifd_t dcc_var_t:{ file sock_file } dccifd_var_run_t;
+
+allow dccifd_t dccifd_var_run_t:file manage_file_perms;
+allow dccifd_t dccifd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)
+
+kernel_read_system_state(dccifd_t)
+kernel_read_kernel_sysctls(dccifd_t)
+
+corenet_non_ipsec_sendrecv(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_all_nodes(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+corenet_udp_bind_all_nodes(dccifd_t)
+
+dev_read_sysfs(dccifd_t)
+
+domain_use_interactive_fds(dccifd_t)
+
+files_read_etc_files(dccifd_t)
+files_read_etc_runtime_files(dccifd_t)
+
+fs_getattr_all_fs(dccifd_t)
+fs_search_auto_mountpoints(dccifd_t)
+
+term_dontaudit_use_console(dccifd_t)
+
+init_use_fds(dccifd_t)
+init_use_script_ptys(dccifd_t)
+
+libs_use_ld_so(dccifd_t)
+libs_use_shared_libs(dccifd_t)
+
+logging_send_syslog_msg(dccifd_t)
+
+miscfiles_read_localization(dccifd_t)
+
+sysnet_read_config(dccifd_t)
+sysnet_dns_name_resolve(dccifd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
+userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dccifd_t)
+	term_dontaudit_use_generic_ptys(dccifd_t)
+	files_dontaudit_read_root_files(dccifd_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dccifd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dccifd_t)
+')
+
+optional_policy(`
+	udev_read_db(dccifd_t)
+')
+
+########################################
+#
+# sendmail milter client local policy
+#
+
+dontaudit dccm_t self:capability sys_tty_config;
+allow dccm_t self:process signal_perms;
+allow dccm_t self:unix_stream_socket create_stream_socket_perms;
+allow dccm_t self:unix_dgram_socket create_socket_perms;
+allow dccm_t self:udp_socket create_socket_perms;
+
+allow dccm_t dcc_client_map_t:file rw_file_perms;
+
+allow dccm_t dcc_var_t:dir manage_dir_perms;
+allow dccm_t dcc_var_t:{ file sock_file fifo_file } create_file_perms;
+allow dccm_t dcc_var_t:lnk_file create_lnk_perms;
+
+allow dccm_t dccm_tmp_t:dir manage_dir_perms;
+allow dccm_t dccm_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
+
+allow dccm_t dccm_var_run_t:file manage_file_perms;
+allow dccm_t dccm_var_run_t:sock_file manage_file_perms;
+allow dccm_t dcc_var_run_t:dir rw_dir_perms;
+type_transition dccm_t dcc_var_run_t:{ file sock_file } dccm_var_run_t;
+
+allow dccm_t dccm_var_run_t:file manage_file_perms;
+allow dccm_t dccm_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dccm_t,dccm_var_run_t,file)
+
+kernel_read_system_state(dccm_t)
+kernel_read_kernel_sysctls(dccm_t)
+
+corenet_non_ipsec_sendrecv(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_all_nodes(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
+dev_read_sysfs(dccm_t)
+
+domain_use_interactive_fds(dccm_t)
+
+files_read_etc_files(dccm_t)
+files_read_etc_runtime_files(dccm_t)
+
+fs_getattr_all_fs(dccm_t)
+fs_search_auto_mountpoints(dccm_t)
+
+term_dontaudit_use_console(dccm_t)
+
+init_use_fds(dccm_t)
+init_use_script_ptys(dccm_t)
+
+libs_use_ld_so(dccm_t)
+libs_use_shared_libs(dccm_t)
+
+logging_send_syslog_msg(dccm_t)
+
+miscfiles_read_localization(dccm_t)
+
+sysnet_read_config(dccm_t)
+sysnet_dns_name_resolve(dccm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dccm_t)
+userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(dccm_t)
+	term_dontaudit_use_generic_ptys(dccm_t)
+	files_dontaudit_read_root_files(dccm_t)
+')
+
+optional_policy(`
+	nscd_socket_use(dccm_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(dccm_t)
+')
+
+optional_policy(`
+	udev_read_db(dccm_t)
+')

refpolicy/policy/modules/services/spamassassin.te

@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.3.4)
+policy_module(spamassassin,1.3.5)
 
 ########################################
 #
@@ -150,6 +150,11 @@ optional_policy(`
 	daemontools_service_domain(spamd_t,spamd_exec_t)
 ')
 
+optional_policy(`
+	dcc_domtrans_client(spamd_t)
+	dcc_stream_connect_dccifd(spamd_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(spamd_t)
 ')

refpolicy/policy/modules/system/init.fc

@@ -1,4 +1,3 @@
-
 #
 # /etc
 #
@@ -26,7 +25,7 @@ ifdef(`targeted_policy', `', `
 
 
 ifdef(`distro_gentoo', `
-/sbin/rc			--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /sbin/runscript		--      gen_context(system_u:object_r:initrc_exec_t,s0)
 /sbin/runscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /sbin/runsvcscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -36,6 +35,9 @@ ifdef(`distro_gentoo', `
 #
 # /usr
 #
+/usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.10)
+policy_module(init,1.3.11)
 
 gen_require(`
 	class passwd rootok;

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.22)
+policy_module(userdomain,1.3.23)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -243,6 +243,12 @@ ifdef(`targeted_policy',`
 		')
 	')
 
+	optional_policy(`
+		dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
+		dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
+		dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`
 		ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
 	')