many loadable module build fixes

refpolicy/policy/modules/admin/dmesg.if

@@ -10,6 +10,10 @@
 #
 interface(`dmesg_domtrans',`
 	ifdef(`targeted_policy',`
+		gen_require(`
+			type dmesg_exec_t;
+		')
+
 		# $0(): disabled in targeted policy as there
 		# is no dmesg domain.
 	',`

refpolicy/policy/modules/admin/dmesg.te

@@ -6,24 +6,26 @@ policy_module(dmesg, 1.0)
 # Declarations
 #
 
-ifdef(`targeted_policy',`
-	# for compatibility with strict:
-	corecmd_bin_alias(dmesg_exec_t)
-',`
+ifdef(`strict_policy',`
 	type dmesg_t;
 	type dmesg_exec_t;
 	init_system_domain(dmesg_t,dmesg_exec_t)
 	role system_r types dmesg_t;
 ')
 
+ifdef(`targeted_policy',`
+	# dmesg domain is disabled in the 
+	# targeted policy. for compatibility
+	# with strict:
+	corecmd_bin_alias(dmesg_exec_t)
+')
+
 ########################################
 #
 # Local policy
 #
 
-ifdef(`targeted_policy',`
-	# dmesg domain disabled in targeted policy
-',`
+ifdef(`strict_policy',`
 	allow dmesg_t self:capability sys_admin;
 	dontaudit dmesg_t self:capability sys_tty_config;
 

refpolicy/policy/modules/admin/updfstab.if

@@ -22,22 +22,3 @@ interface(`updfstab_domtrans',`
 	allow updfstab_t $1:fifo_file rw_file_perms;
 	allow updfstab_t $1:process sigchld;
 ')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	updfstab over dbus.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`updfstab_dbus_chat',`
-	gen_require(`
-		type updfstab_t;
-		class dbus send_msg;
-	')
-
-	allow $1 updfstab_t:dbus send_msg;
-	allow updfstab_t $1:dbus send_msg;
-')

refpolicy/policy/modules/admin/updfstab.te

@@ -1,5 +1,5 @@
 
-policy_module(updfstab,1.0.2)
+policy_module(updfstab,1.0.3)
 
 ########################################
 #
@@ -94,6 +94,8 @@ optional_policy(`authlogin',`
 ')
 
 optional_policy(`dbus',`
+	init_dbus_chat_script(updfstab_t)
+
 	dbus_system_bus_client_template(updfstab,updfstab_t)
 	dbus_send_system_bus_msg(updfstab_t)
 ')

refpolicy/policy/modules/kernel/files.if

@@ -2128,6 +2128,23 @@ interface(`files_read_generic_tmp_symlinks',`
 	allow $1 tmp_t:lnk_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read and write generic named sockets in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_rw_generic_tmp_sockets',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:dir search_dir_perms;
+	allow $1 tmp_t:sock_file { read write };
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of all tmp directories.

refpolicy/policy/modules/kernel/filesystem.if

@@ -1221,6 +1221,23 @@ interface(`fs_read_nfs_symlinks',`
 	allow $1 nfs_t:lnk_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_getattr_rpc_dirs',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir getattr;
+
+')
+
 ########################################
 ## <summary>
 ##	Read directories of RPC file system pipes.
@@ -1232,7 +1249,6 @@ interface(`fs_read_nfs_symlinks',`
 interface(`fs_read_rpc_dirs',`
 	gen_require(`
 		type rpc_pipefs_t;
-		class dir { getattr read search };
 	')
 
 	allow $1 rpc_pipefs_t:dir { getattr read search };

refpolicy/policy/modules/kernel/mls.te

@@ -1,5 +1,5 @@
 
-policy_module(mls,1.0)
+policy_module(mls,1.0.1)
 
 ########################################
 #
@@ -58,6 +58,7 @@ type login_exec_t;
 type init_t;
 type init_exec_t;
 type initrc_t;
+type initrc_exec_t;
 type sshd_exec_t;
 type su_exec_t;
 type udev_exec_t;

refpolicy/policy/modules/services/bind.if

@@ -21,6 +21,22 @@ interface(`bind_domtrans_ndc',`
 	allow ndc_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Send generic signals to BIND.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`bind_signal',`
+	gen_require(`
+		type named_t;
+	')
+
+	allow $1 named_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Execute ndc in the ndc domain, and
@@ -135,6 +151,27 @@ interface(`bind_manage_config_dir',`
 	allow $1 named_conf_t:dir create_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	BIND cache files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`bind_manage_cache',`
+	gen_require(`
+		type named_cache_t, named_zone_t;
+	')
+
+	files_search_var($1)
+	allow $1 named_zone_t:dir search_dir_perms;
+	allow $1 named_cache_t:dir rw_dir_perms;
+	allow $1 named_cache_t:file create_file_perms;
+	allow $1 named_cache_t:lnk_file create_lnk_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to set the attributes

refpolicy/policy/modules/services/bind.te

@@ -1,5 +1,5 @@
 
-policy_module(bind,0.9)
+policy_module(bind,1.0.0)
 
 ########################################
 #
@@ -150,15 +150,37 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(named_t)
 ')
 
-optional_policy(`dbus',`
-	gen_require(`
-		class dbus send_msg;
-	')
+tunable_policy(`named_write_master_zones',`
+	allow named_t named_zone_t:dir create_dir_perms;
+	allow named_t named_zone_t:file create_file_perms;
+	allow named_t named_zone_t:lnk_file create_lnk_perms;
+')
+
+optional_policy(`dbus',`
+	init_dbus_chat_script(named_t)
+
+	sysnet_dbus_chat_dhcpc(named_t)
 
-	allow named_t self:dbus send_msg;
 	dbus_system_bus_client_template(named,named_t)
 	dbus_connect_system_bus(named_t)
 	dbus_send_system_bus_msg(named_t)
+
+	optional_policy(`networkmanager',`
+		networkmanager_dbus_chat(named_t)
+	')
+')
+
+optional_policy(`mount',`
+	mount_send_nfs_client_request(named_t)
+')
+
+optional_policy(`networkmanager',`
+	# this seems like fds that arent being
+	# closed.  these should probably be
+	# dontaudits instead.
+	networkmanager_rw_udp_socket(named_t)
+	networkmanager_rw_packet_socket(named_t)
+	networkmanager_rw_routing_socket(named_t)
 ')
 
 optional_policy(`nis',`
@@ -250,16 +272,6 @@ ifdef(`targeted_policy',`
 	term_use_generic_pty(ndc_t)
 ')
 
-tunable_policy(`named_write_master_zones',`
-	allow named_t named_zone_t:dir create_dir_perms;
-	allow named_t named_zone_t:file create_file_perms;
-	allow named_t named_zone_t:lnk_file create_lnk_perms;
-')
-
-optional_policy(`mount',`
-	mount_send_nfs_client_request(named_t)
-')
-
 optional_policy(`nis',`
 	nis_use_ypbind(ndc_t)
 ')
@@ -268,46 +280,6 @@ optional_policy(`nscd',`
 	nscd_use_socket(ndc_t)
 ')
 
-optional_policy(`bind',`
+optional_policy(`ppp',`
 	ppp_dontaudit_use_fd(ndc_t)
 ')
-
-###########################################################
-#
-# Partially converted rules.  THESE ARE ONLY TEMPORARY
-#
-
-allow named_t initrc_t:dbus send_msg;
-allow initrc_t named_t:dbus send_msg;
-allow named_t dhcpc_t:dbus send_msg;
-allow dhcpc_t named_t:dbus send_msg;
-
-# cjp: this whole block was originally in networkmanager
-optional_policy(`networkmanager',`
-	gen_require(`
-		type NetworkManager_t;
-	')
-
-#	optional_policy(`dbus',`
-		gen_require(`
-			class dbus send_msg;
-		')
-
-		allow NetworkManager_t named_t:dbus send_msg;
-		allow named_t NetworkManager_t:dbus send_msg;
-#	')
-
-	bind_domtrans(NetworkManager_t)
-
-	allow NetworkManager_t named_zone_t:dir search;
-
-	allow NetworkManager_t named_cache_t:dir rw_dir_perms;
-	allow NetworkManager_t named_cache_t:file create_file_perms;
-	allow NetworkManager_t named_cache_t:lnk_file create_lnk_perms;
-
-	allow named_t NetworkManager_t:udp_socket { read write };
-	allow named_t NetworkManager_t:netlink_route_socket { read write };
-
-	allow NetworkManager_t named_t:process signal;
-	allow named_t NetworkManager_t:packet_socket { read write };
-')

refpolicy/policy/modules/services/bluetooth.if

@@ -21,6 +21,25 @@ interface(`bluetooth_domtrans_helper',`
 	allow bluetooth_helper_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Send and receive messages from
+##	bluetooth over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`bluetooth_dbus_chat',`
+	gen_require(`
+		type bluetooth_t;
+		class dbus send_msg;
+	')
+
+	allow $1 bluetooth_t:dbus send_msg;
+	allow bluetooth_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Execute bluetooth_helper in the bluetooth_helper domain, and

refpolicy/policy/modules/services/bluetooth.te

@@ -1,5 +1,5 @@
 
-policy_module(bluetooth,1.0)
+policy_module(bluetooth,1.0.1)
 
 ########################################
 #
@@ -214,22 +214,15 @@ ifdef(`xserver.te', `
 	allow bluetooth_helper_t xserver_log_t:file { getattr read };
 ')
 
-ifdef(`targeted_policy', `', `
-	ifdef(`xdm.te', `
+ifdef(`strict_policy',`
+	ifdef(`xdm.te',`
 		allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
 	')
-
-	allow bluetooth_t unpriv_userdomain:dbus send_msg;
-	allow unpriv_userdomain bluetooth_t:dbus send_msg;
 ')
 ') dnl end TODO
 
 ifdef(`targeted_policy',`
-	allow bluetooth_helper_t tmp_t:sock_file { read write };
+	files_rw_generic_tmp_sockets(bluetooth_helper_t)
 	allow bluetooth_helper_t tmpfs_t:file { read write };
 	allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
-	allow bluetooth_t unconfined_t:dbus send_msg;
-	allow unconfined_t bluetooth_t:dbus send_msg;
-	allow bluetooth_t unconfined_t:dbus send_msg;
-	allow unconfined_t bluetooth_t:dbus send_msg;
 ')

refpolicy/policy/modules/services/cups.if

@@ -21,6 +21,25 @@ interface(`cups_domtrans',`
 	allow cupsd_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Send and receive messages from
+##	cups over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_dbus_chat',`
+	gen_require(`
+		type cupsd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 cupsd_t:dbus send_msg;
+	allow cupsd_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Execute cups_config in the cups_config domain.

refpolicy/policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.0.1)
+policy_module(cups,1.0.2)
 
 ########################################
 #
@@ -627,13 +627,23 @@ allow cupsd_config_t printconf_t:file { getattr read };
 allow cupsd_config_t initrc_exec_t:file getattr;
 
 ifdef(`targeted_policy', `
-	allow cupsd_t initrc_t:unix_stream_socket connectto;
-	allow cupsd_t initrc_t:dbus send_msg;
-	allow initrc_t cupsd_t:dbus send_msg;
-	allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
-	allow unconfined_t cupsd_config_t:dbus send_msg;
-	allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file r_file_perms;
+	init_unix_connect_script(cupsd_t)
+
+	unconfined_read_pipe(cupsd_t)
+
+	optional_policy(`dbus',`
+		init_dbus_chat_script(cupsd_t)
+
+		unconfined_dbus_send(cupsd_t)
+
+		dbus_stub(cupsd_t)
+	')
+')
+
+ifdef(`targeted_policy',`
 	term_use_generic_pty(cupsd_config_t)
+
+	unconfined_read_pipe(cupsd_config_t)
 ')
 
 ########################################

refpolicy/policy/modules/services/networkmanager.if

@@ -1,5 +1,57 @@
 ## <summary>Manager for dynamically switching between networks.</summary>
 
+########################################
+## <summary>
+##	Read and write NetworkManager UDP sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_udp_socket',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Read and write NetworkManager packet sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_packet_socket',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+##	Read and write NetworkManager netlink
+##	routing sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for named.
+interface(`networkmanager_rw_routing_socket',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:netlink_route_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from

refpolicy/policy/modules/services/networkmanager.te

@@ -117,6 +117,12 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(NetworkManager_t)
 ')
 
+optional_policy(`bind',`
+	bind_domtrans(NetworkManager_t)
+	bind_manage_cache(NetworkManager_t)
+	bind_signal(NetworkManager_t)
+')
+
 optional_policy(`bluetooth',`
 	bluetooth_dontaudit_read_helper_files(NetworkManager_t)
 ')

refpolicy/policy/modules/services/rpc.if

@@ -272,3 +272,20 @@ interface(`rpc_udp_sendto_nfs',`
 	allow nfsd_t $1:udp_socket sendto;
 	allow $1 nfsd_t:udp_socket recvfrom;
 ')
+
+########################################
+## <summary>
+##	Search NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`rpc_search_nfs_state_data',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 var_lib_nfs_t:dir search;
+')

refpolicy/policy/modules/services/snmp.te

@@ -1,5 +1,5 @@
 
-policy_module(snmp,1.0.1)
+policy_module(snmp,1.0.2)
 
 ########################################
 #
@@ -56,6 +56,10 @@ kernel_read_system_state(snmpd_t)
 kernel_read_network_state(snmpd_t)
 kernel_tcp_recvfrom(snmpd_t)
 
+corecmd_exec_bin(snmpd_t)
+corecmd_exec_sbin(snmpd_t)
+corecmd_exec_shell(snmpd_t)
+
 corenet_tcp_sendrecv_all_if(snmpd_t)
 corenet_udp_sendrecv_all_if(snmpd_t)
 corenet_raw_sendrecv_all_if(snmpd_t)
@@ -74,18 +78,6 @@ dev_read_sysfs(snmpd_t)
 dev_read_urand(snmpd_t)
 dev_read_rand(snmpd_t)
 
-fs_getattr_all_fs(snmpd_t)
-fs_search_auto_mountpoints(snmpd_t)
-
-storage_dontaudit_read_fixed_disk(snmpd_t)
-storage_dontaudit_read_removable_device(snmpd_t)
-
-term_dontaudit_use_console(snmpd_t)
-
-corecmd_exec_bin(snmpd_t)
-corecmd_exec_sbin(snmpd_t)
-corecmd_exec_shell(snmpd_t)
-
 domain_use_wide_inherit_fd(snmpd_t)
 domain_signull_all_domains(snmpd_t)
 domain_read_all_domains_state(snmpd_t)
@@ -95,6 +87,15 @@ files_read_usr_files(snmpd_t)
 files_read_etc_runtime_files(snmpd_t)
 files_search_home(snmpd_t)
 
+fs_getattr_all_fs(snmpd_t)
+fs_getattr_rpc_dirs(snmpd_t)
+fs_search_auto_mountpoints(snmpd_t)
+
+storage_dontaudit_read_fixed_disk(snmpd_t)
+storage_dontaudit_read_removable_device(snmpd_t)
+
+term_dontaudit_use_console(snmpd_t)
+
 init_read_script_pid(snmpd_t)
 init_use_fd(snmpd_t)
 init_use_script_pty(snmpd_t)
@@ -131,6 +132,10 @@ optional_policy(`amanda',`
 	amanda_dontaudit_read_dumpdates(snmpd_t)
 ')
 
+optional_policy(`cups',`
+	cups_read_rw_config(snmpd_t)
+')
+
 optional_policy(`nis',`
 	nis_use_ypbind(snmpd_t)
 ')
@@ -139,6 +144,10 @@ optional_policy(`nscd',`
 	nscd_use_socket(snmpd_t)
 ')
 
+optional_policy(`rpc',`
+	rpc_search_nfs_state_data(snmpd_t)
+')
+
 optional_policy(`selinuxutil',`
 	seutil_sigchld_newrole(snmpd_t)
 ')
@@ -150,11 +159,4 @@ optional_policy(`udev',`
 ifdef(`TODO',`
 can_udp_send(sysadm_t, snmpd_t)
 can_udp_send(snmpd_t, sysadm_t)
-
-optional_policy(`cupsd',`
-	allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
 ') dnl end TODO
-
-allow snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t var_lib_nfs_t:dir search;

refpolicy/policy/modules/system/authlogin.if

@@ -138,7 +138,7 @@ template(`authlogin_per_userdomain_template',`
 template(`auth_domtrans_user_chk_passwd',`
 	ifdef(`targeted_policy',`
 		gen_require(`
-			type chkpwd_exec_t;
+			type system_chkpwd_t, chkpwd_exec_t;
 		')
 
 		domain_auto_trans($2,chkpwd_exec_t,system_chkpwd_t)

refpolicy/policy/modules/system/init.if

@@ -469,7 +469,6 @@ interface(`init_unix_connect_script',`
 interface(`init_dontaudit_unix_connect_script',`
 	gen_require(`
 		type initrc_t;
-		class unix_stream_socket connectto;
 	')
 
 	dontaudit $1 initrc_t:unix_stream_socket connectto;
@@ -691,6 +690,25 @@ interface(`init_unix_connect_script',`
 	allow $1 initrc_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+##	Send and receive messages from
+##	init scripts over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`init_dbus_chat_script',`
+	gen_require(`
+		type initrc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 initrc_t:dbus send_msg;
+	allow initrc_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the init script pty.

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.0.2)
+policy_module(init,1.0.3)
 
 gen_require(`
 	class passwd rootok;
@@ -61,7 +61,11 @@ gen_require(`
 domain_type(initrc_t)
 role system_r types initrc_t;
 
-type initrc_exec_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type initrc_exec_t;
+')
 domain_entry_file(initrc_t,initrc_exec_t)
 
 type initrc_devpts_t;
@@ -506,10 +510,6 @@ optional_policy(`dbus',`
 	optional_policy(`networkmanager',`
 		networkmanager_dbus_chat(initrc_t)
 	')
-
-	optional_policy(`updfstab',`
-		updfstab_dbus_chat(initrc_t)
-	')
 ')
 
 optional_policy(`ftp',`

refpolicy/policy/modules/system/sysnetwork.if

@@ -127,6 +127,25 @@ interface(`sysnet_signal_dhcpc',`
 	allow $1 dhcpc_t:process signal;
 ')
 
+########################################
+## <summary>
+##	Send and receive messages from
+##	dhcpc over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_dbus_chat_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 dhcpc_t:dbus send_msg;
+	allow dhcpc_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Read and write dhcp configuration files.

refpolicy/policy/modules/system/sysnetwork.te

@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.0.1)
+policy_module(sysnetwork,1.0.2)
 
 ########################################
 #
@@ -161,21 +161,12 @@ optional_policy(`consoletype',`
 ')
 
 optional_policy(`dbus',`
-	gen_require(`
-		class dbus send_msg;
-	')
-
-	allow dhcpc_t self:dbus send_msg;
+	init_dbus_chat_script(dhcpc_t)
 
 	dbus_system_bus_client_template(dhcpc,dhcpc_t)
 	dbus_connect_system_bus(dhcpc_t)
 	dbus_send_system_bus_msg(dhcpc_t)
 
-	domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-
-	allow initrc_t dhcpc_t:dbus send_msg;
-	allow dhcpc_t initrc_t:dbus send_msg;
-
 	optional_policy(`networkmanager',`
 		networkmanager_dbus_chat(dhcpc_t)
 	')

refpolicy/policy/modules/system/unconfined.if

@@ -201,6 +201,22 @@ interface(`unconfined_signal',`
 	allow $1 unconfined_t:process signal;
 ')
 
+########################################
+## <summary>
+##	Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`unconfined_read_pipe',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fifo_file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read unconfined domain unnamed pipes.
@@ -262,6 +278,23 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
 	dontaudit $1 unconfined_t:tcp_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Send messages to the unconfined domain over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`unconfined_dbus_send',`
+	gen_require(`
+		type unconfined_t;
+		class dbus send_msg;
+	')
+
+	allow $1 unconfined_t:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Add an alias type to the unconfined domain.

refpolicy/policy/modules/system/unconfined.te

@@ -64,6 +64,14 @@ ifdef(`targeted_policy',`
 			avahi_dbus_chat(unconfined_t)
 		')
 
+		optional_policy(`bluetooth',`
+			bluetooth_dbus_chat(unconfined_t)
+		')
+
+		optional_policy(`cups',`
+			cups_dbus_chat_config(unconfined_t)
+		')
+
 		optional_policy(`hal',`
 			hal_dbus_chat(unconfined_t)
 		')

refpolicy/policy/modules/system/userdomain.if

@@ -611,6 +611,14 @@ template(`unpriv_user_template', `
 		corenet_tcp_bind_generic_port($1_t)
 	')
 
+	optional_policy(`dbus',`
+		dbus_stub($1_t)
+
+		optional_policy(`bluetooth',`
+			bluetooth_dbus_chat($1_t)
+		')
+	')
+
 	optional_policy(`kerberos',`
 		kerberos_use($1_t)
 	')

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,9 @@
 
-policy_module(userdomain,1.0.5)
+policy_module(userdomain,1.0.6)
+
+gen_require(`
+	role sysadm_r, staff_r, user_r;
+')
 
 ########################################
 #