pile of sediff fixes

refpolicy/policy/modules/admin/amanda.te

@@ -201,7 +201,7 @@ allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
 allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
 allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
 allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
-userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ file lnk_file sock_file fifo_file })
+userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
 
 allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
 allow amanda_recover_t amanda_tmp_t:file create_file_perms;

refpolicy/policy/modules/admin/anaconda.te

@@ -35,6 +35,10 @@ optional_policy(`dmesg.te',`
 	dmesg_domtrans(anaconda_t)
 ')
 
+optional_policy(`kudzu.te',`
+	kudzu_domtrans(anaconda_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_domtrans(anaconda_t)
 ')

refpolicy/policy/modules/admin/consoletype.te

@@ -41,6 +41,7 @@ kernel_dontaudit_read_system_state(consoletype_t)
 
 fs_getattr_all_fs(consoletype_t)
 fs_search_auto_mountpoints(consoletype_t)
+fs_write_nfs_files(consoletype_t)
 
 term_use_console(consoletype_t)
 term_use_unallocated_tty(consoletype_t)
@@ -48,6 +49,7 @@ term_use_unallocated_tty(consoletype_t)
 init_use_fd(consoletype_t)
 init_use_script_pty(consoletype_t)
 init_use_script_fd(consoletype_t)
+init_write_script_pipe(consoletype_t)
 
 domain_use_wide_inherit_fd(consoletype_t)
 
@@ -107,8 +109,6 @@ optional_policy(`userdomain.te',`
 ')
 
 ifdef(`TODO',`
-allow consoletype_t nfs_t:file write;
-
 optional_policy(`xdm.te', `
 allow consoletype_t xdm_tmp_t:file rw_file_perms;
 ')

refpolicy/policy/modules/admin/kudzu.te

@@ -155,9 +155,6 @@ allow kudzu_t modules_conf_t:file unlink;
 optional_policy(`rhgb.te',`
         rhgb_domain(kudzu_t)
 ')
-optional_policy(`anaconda.te', `
-	domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
-')
 optional_policy(`lpd.te',`
 	allow kudzu_t printconf_t:file { getattr read };
 ')

refpolicy/policy/modules/admin/su.if

@@ -56,7 +56,10 @@ template(`su_restricted_domain_template', `
 	domain_use_wide_inherit_fd($1_su_t)
 
 	files_read_etc_files($1_su_t)
+	files_search_var_lib($1_su_t)
 
+	init_dontaudit_use_fd($1_su_t)
+	init_dontaudit_use_script_pty($1_su_t)
 	# Write to utmp.
 	init_rw_script_pid($1_su_t)
 
@@ -73,7 +76,7 @@ template(`su_restricted_domain_template', `
 	# Only allow transitions to unprivileged user domains.
 	userdom_spec_domtrans_unpriv_users($1_su_t)
 
-	optional_policy(`crond.te',`
+	optional_policy(`cron.te',`
 		cron_read_pipe($1_su_t)
 	')
 

refpolicy/policy/modules/admin/usermanage.te

@@ -68,6 +68,7 @@ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exe
 allow chfn_t self:process { setrlimit setfscreate };
 allow chfn_t self:fd use;
 allow chfn_t self:fifo_file rw_file_perms;
+allow chfn_t self:sock_file r_file_perms;
 allow chfn_t self:shm create_shm_perms;
 allow chfn_t self:sem create_sem_perms;
 allow chfn_t self:msgq create_msgq_perms;
@@ -102,6 +103,8 @@ auth_dontaudit_read_shadow(chfn_t)
 # can exec /sbin/unix_chkpwd
 corecmd_search_bin(chfn_t)
 corecmd_search_sbin(chfn_t)
+# allow checking if a shell is executable
+corecmd_check_exec_shell(chfn_t)
 
 domain_use_wide_inherit_fd(chfn_t)
 
@@ -134,9 +137,6 @@ optional_policy(`nis.te',`
 
 ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
-
-# allow checking if a shell is executable
-allow chfn_t shell_exec_t:file execute;
 ') dnl endif TODO
 
 ########################################
@@ -310,9 +310,8 @@ term_use_all_user_ptys(passwd_t)
 
 auth_manage_shadow(passwd_t)
 
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write denials to utmp.
-init_dontaudit_rw_script_pid(passwd_t)
+# allow checking if a shell is executable
+corecmd_check_exec_shell(passwd_t)
 
 domain_use_wide_inherit_fd(passwd_t)
 
@@ -321,6 +320,10 @@ files_manage_etc_files(passwd_t)
 files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
 
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it.  Do not audit write denials to utmp.
+init_dontaudit_rw_script_pid(passwd_t)
+
 libs_use_ld_so(passwd_t)
 libs_use_shared_libs(passwd_t)
 
@@ -346,9 +349,6 @@ allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 # Inherit and use descriptors from login.
 ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
 
-# allow checking if a shell is executable
-allow passwd_t shell_exec_t:file execute;
-
 # make sure that getcon succeeds
 allow passwd_t userdomain:dir search;
 allow passwd_t userdomain:file read;
@@ -365,6 +365,7 @@ allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setr
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
 allow sysadm_passwd_t self:fifo_file rw_file_perms;
+allow sysadm_passwd_t self:sock_file r_file_perms;
 allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
 allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow sysadm_passwd_t self:unix_dgram_socket sendto;
@@ -403,6 +404,7 @@ term_use_all_user_ptys(sysadm_passwd_t)
 auth_manage_shadow(sysadm_passwd_t)
 
 # allow vipw to exec the editor
+corecmd_search_sbin(sysadm_passwd_t)
 corecmd_exec_bin(sysadm_passwd_t)
 corecmd_exec_shell(sysadm_passwd_t)
 files_read_usr_files(sysadm_passwd_t)

refpolicy/policy/modules/kernel/bootloader.if

@@ -164,6 +164,9 @@ interface(`bootloader_read_kernel_symbol_table',`
 
 	allow $1 boot_t:dir r_dir_perms;
 	allow $1 system_map_t:file r_file_perms;
+
+	# cjp: this should be dropped:
+	allow $1 boot_t:file { getattr read };
 ')
 
 ########################################

refpolicy/policy/modules/kernel/devices.if

@@ -790,6 +790,23 @@ interface(`dev_rw_apm_bios',`
 	allow $1 apm_bios_t:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read and write the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_cardmgr',`
+	gen_require(`
+		type cardmgr_dev_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 cardmgr_dev_t:chr_file { read write };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and
@@ -1356,7 +1373,9 @@ interface(`dev_getattr_mtrr',`
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 mtrr_device_t:chr_file getattr;
+
+	# proc entry is a file.  added for nmbd_t
+	allow $1 mtrr_device_t:{ file chr_file } getattr;
 ')
 
 ########################################
@@ -1965,6 +1984,23 @@ interface(`dev_getattr_usbfs_dir',`
 	allow $1 usbfs_t:dir getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of a directory in the usb filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_getattr_usbfs_dir',`
+	gen_require(`
+		type usbfs_t;
+	')
+
+	dontaudit $1 usbfs_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Search the directory containing USB hardware information.

refpolicy/policy/modules/kernel/filesystem.if

@@ -462,7 +462,7 @@ interface(`fs_getattr_cifs',`
 ##	Search directories on a CIFS or SMB filesystem.
 ## </summary>
 ## <param name="domain">
-##	The type of the domain reading the files.
+##	Domain allowed access.
 ## </param>
 #
 interface(`fs_search_cifs',`
@@ -480,7 +480,7 @@ interface(`fs_search_cifs',`
 ##	CIFS or SMB filesystem.
 ## </summary>
 ## <param name="domain">
-##	The type of the domain reading the files.
+##	Domain allowed access.
 ## </param>
 #
 interface(`fs_list_cifs',`
@@ -514,7 +514,7 @@ interface(`fs_dontaudit_list_cifs',`
 ##	Read files on a CIFS or SMB filesystem.
 ## </summary>
 ## <param name="domain">
-##	The type of the domain reading the files.
+##	Domain allowed access.
 ## </param>
 #
 interface(`fs_read_cifs_files',`
@@ -1085,7 +1085,7 @@ interface(`fs_getattr_nfs',`
 ##	Search directories on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
-##	The type of the domain reading the files.
+##	Domain allowed access.
 ## </param>
 #
 interface(`fs_search_nfs',`
@@ -1119,7 +1119,7 @@ interface(`fs_dontaudit_list_nfs',`
 ##	Read files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
-##	The type of the domain reading the files.
+##	Domain allowed access.
 ## </param>
 #
 interface(`fs_read_nfs_files',`
@@ -1150,6 +1150,23 @@ interface(`fs_dontaudit_read_nfs_files',`
 	dontaudit $1 nfs_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_write_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Execute files on a NFS filesystem.

refpolicy/policy/modules/kernel/kernel.if

@@ -2,7 +2,7 @@
 ##	Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
 ## </summary>
 ## <required val="true">
-##	This policy has initial SIDs.
+##	This module has initial SIDs.
 ## </required>
 
 ########################################
@@ -27,9 +27,9 @@ interface(`kernel_userland_entry',`
 
 	domain_auto_trans(kernel_t, $2, $1)
 
-	allow $1 kernel_t:fd use;
 	allow kernel_t $1:fd use;
-	allow kernel_t $1:fifo_file rw_file_perms;
+	allow $1 kernel_t:fd use;
+	allow $1 kernel_t:fifo_file rw_file_perms;
 	allow $1 kernel_t:process sigchld;
 ')
 
@@ -492,6 +492,23 @@ interface(`kernel_list_proc',`
 	allow $1 proc_t:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to list the
+##	contents of directories in /proc.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`kernel_dontaudit_list_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	dontaudit $1 proc_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links in /proc.
@@ -1500,6 +1517,23 @@ interface(`kernel_dontaudit_getattr_unlabeled_file',`
 	dontaudit $1 unlabeled_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts by caller to
+##	read an unlabeled file.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`kernel_dontaudit_read_unlabeled_file',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to get attributes for

refpolicy/policy/modules/kernel/terminal.if

@@ -124,7 +124,7 @@ interface(`term_create_pty',`
 ##	ttys and all ptys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_use_all_terms',`
@@ -143,7 +143,7 @@ interface(`term_use_all_terms',`
 ##	Write to the console.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_write_console',`
@@ -160,7 +160,7 @@ interface(`term_write_console',`
 ##	Read from and write to the console.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_use_console',`
@@ -178,7 +178,7 @@ interface(`term_use_console',`
 ##	or write to the console.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_dontaudit_use_console',`
@@ -195,7 +195,7 @@ interface(`term_dontaudit_use_console',`
 ##	device node.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_setattr_console',`
@@ -230,7 +230,7 @@ interface(`term_dontaudit_getattr_pty_dir',`
 ##	Search the contents of the /dev/pts directory.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_search_ptys',`
@@ -248,7 +248,7 @@ interface(`term_search_ptys',`
 ##	list all ptys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_list_ptys',`
@@ -302,7 +302,7 @@ interface(`term_dontaudit_manage_pty_dir',`
 ##	ioctl of generic pty types.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 # cjp: added for ppp
@@ -323,7 +323,7 @@ interface(`term_ioctl_generic_pty',`
 ##	the targeted policy.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_use_generic_pty',`
@@ -361,7 +361,7 @@ interface(`term_dontaudit_use_generic_pty',`
 ##	terminal (/dev/tty).
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_use_controlling_term',`
@@ -413,7 +413,7 @@ interface(`term_dontaudit_use_ptmx',`
 ##	pty device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_getattr_all_user_ptys',`
@@ -435,7 +435,7 @@ interface(`term_getattr_all_user_ptys',`
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_dontaudit_getattr_all_user_ptys',`
@@ -455,7 +455,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 ##	pty device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_setattr_all_user_ptys',`
@@ -475,7 +475,7 @@ interface(`term_setattr_all_user_ptys',`
 ##	Relabel to all user ptys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_relabelto_all_user_ptys',`
@@ -492,7 +492,7 @@ interface(`term_relabelto_all_user_ptys',`
 ##	Read and write all user ptys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_use_all_user_ptys',`
@@ -529,7 +529,7 @@ interface(`term_dontaudit_use_all_user_ptys',`
 ##	user pty device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_relabel_all_user_ptys',`
@@ -550,7 +550,7 @@ interface(`term_relabel_all_user_ptys',`
 ##	tty device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_getattr_unallocated_ttys',`
@@ -569,7 +569,7 @@ interface(`term_getattr_unallocated_ttys',`
 ##	of all unallocated tty device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_dontaudit_getattr_unallocated_ttys',`
@@ -587,7 +587,7 @@ interface(`term_dontaudit_getattr_unallocated_ttys',`
 ##	tty device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_setattr_unallocated_ttys',`
@@ -606,7 +606,7 @@ interface(`term_setattr_unallocated_ttys',`
 ##	tty type.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_relabel_unallocated_ttys',`
@@ -625,7 +625,7 @@ interface(`term_relabel_unallocated_ttys',`
 ##	the unallocated tty type.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_reset_tty_labels',`
@@ -640,12 +640,29 @@ interface(`term_reset_tty_labels',`
 	allow $1 tty_device_t:chr_file relabelto;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of unallocated ttys.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`term_dontaudit_getattr_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dontaudit $1 tty_device_t:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Write to unallocated ttys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_write_unallocated_ttys',`
@@ -663,7 +680,7 @@ interface(`term_write_unallocated_ttys',`
 ##	Read and write unallocated ttys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_use_unallocated_tty',`
@@ -699,7 +716,7 @@ interface(`term_dontaudit_use_unallocated_tty',`
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_getattr_all_user_ttys',`
@@ -719,7 +736,7 @@ interface(`term_getattr_all_user_ttys',`
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_dontaudit_getattr_all_user_ttys',`
@@ -738,7 +755,7 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_setattr_all_user_ttys',`
@@ -757,7 +774,7 @@ interface(`term_setattr_all_user_ttys',`
 ##	user tty device nodes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_relabel_all_user_ttys',`
@@ -775,7 +792,7 @@ interface(`term_relabel_all_user_ttys',`
 ##	Write to all user ttys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_write_all_user_ttys',`
@@ -793,7 +810,7 @@ interface(`term_write_all_user_ttys',`
 ##	Read and write all user to all user ttys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_use_all_user_ttys',`
@@ -811,7 +828,7 @@ interface(`term_use_all_user_ttys',`
 ##	any user ttys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`term_dontaudit_use_all_user_ttys',`

refpolicy/policy/modules/services/apache.te

@@ -179,6 +179,8 @@ allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
 allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
 allow httpd_t httpd_squirrelmail_t:file create_file_perms;
 
+allow httpd_t httpd_suexec_exec_t:file { getattr read };
+
 allow httpd_t httpd_sys_content_t:dir r_dir_perms;
 allow httpd_t httpd_sys_content_t:file r_file_perms;
 
@@ -393,13 +395,6 @@ optional_policy(`mailman.te',`
 	mailman_read_archive(httpd_t)
 ')
 
-optional_policy(`mta.te',`
-	mta_stub()
-
-	# apache should set close-on-exec
-	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-')
-
 optional_policy(`mysql.te',`
 	mysql_stream_connect(httpd_t)
 	mysql_rw_db_socket(httpd_t)
@@ -409,6 +404,11 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(httpd_t)
 ')
 
+optional_policy(`postgresql.te',` 
+	# Allow httpd to work with postgresql
+	postgresql_unix_connect(httpd_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(httpd_t)
 ')
@@ -544,6 +544,7 @@ corecmd_exec_shell(httpd_suexec_t)
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
 files_dontaudit_search_pids(httpd_suexec_t)
+files_search_home(httpd_suexec_t)
 
 libs_use_ld_so(httpd_suexec_t)
 libs_use_shared_libs(httpd_suexec_t)
@@ -619,6 +620,13 @@ optional_policy(`mount.te',`
 	')
 ')
 
+optional_policy(`mta.te',`
+	mta_stub(httpd_suexec_t)
+
+	# apache should set close-on-exec
+	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(httpd_suexec_t)
 ')

refpolicy/policy/modules/services/apm.if

@@ -86,3 +86,21 @@ interface(`apm_append_log',`
 	logging_search_logs($1)
 	allow $1 apmd_log_t:file append;
 ')
+
+########################################
+## <summary>
+##	Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`apm_stream_connect',`
+	gen_require(`
+		type apmd_t;
+	')
+
+	files_search_pids($1)
+	allow $1 apmd_var_run_t:sock_file write;
+	allow $1 apmd_t:unix_stream_socket connectto;
+')

refpolicy/policy/modules/services/arpwatch.if

@@ -49,6 +49,22 @@ interface(`arpwatch_rw_tmp_files',`
 	allow $1 arpwatch_tmp_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read and write arpwatch temporary files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`arpwatch_manage_tmp_files',`
+	gen_require(`
+		type arpwatch_tmp_t;
+	')
+
+	allow $1 arpwatch_tmp_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write

refpolicy/policy/modules/services/bind.te

@@ -148,7 +148,6 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(named_t)
 	term_dontaudit_use_generic_pty(named_t)
 	files_dontaudit_read_root_file(named_t)
-	#dontaudit ndc_t unlabeled_t:file { getattr read };	
 ')
 
 optional_policy(`dbus.te',`
@@ -247,7 +246,9 @@ ifdef(`distro_redhat',`
 	allow ndc_t named_conf_t:dir search;
 ')
 
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+	kernel_dontaudit_read_unlabeled_file(ndc_t)
+
 	term_use_unallocated_tty(ndc_t)
 	term_use_generic_pty(ndc_t)
 ')
@@ -270,6 +271,10 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(ndc_t)
 ')
 
+optional_policy(`bind.te',`
+	ppp_dontaudit_use_fd(ndc_t)
+')
+
 ###########################################################
 #
 # Partially converted rules.  THESE ARE ONLY TEMPORARY

refpolicy/policy/modules/services/bluetooth.te

@@ -206,6 +206,8 @@ logging_send_syslog_msg(bluetooth_helper_t)
 miscfiles_read_localization(bluetooth_helper_t) 
 miscfiles_read_fonts(bluetooth_helper_t)
 
+userdom_search_all_users_home(bluetooth_helper_t)
+
 optional_policy(`nscd.te',`
 	nscd_use_socket(bluetooth_helper_t)
 ')
@@ -213,20 +215,12 @@ optional_policy(`nscd.te',`
 ifdef(`TODO',`
 allow bluetooth_helper_t tmp_t:dir search;
 
-allow bluetooth_helper_t home_dir_type:dir search;
-
 ifdef(`xserver.te', `
 	allow bluetooth_helper_t xserver_log_t:dir search;
 	allow bluetooth_helper_t xserver_log_t:file { getattr read };
 ')
 
-ifdef(`targeted_policy', `
-	allow bluetooth_helper_t tmp_t:sock_file { read write };
-	allow bluetooth_helper_t tmpfs_t:file { read write };
-	allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
-	allow bluetooth_t unconfined_t:dbus send_msg;
-	allow unconfined_t bluetooth_t:dbus send_msg;
-', `
+ifdef(`targeted_policy', `', `
 	ifdef(`xdm.te', `
 		allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
 	')
@@ -237,6 +231,11 @@ ifdef(`targeted_policy', `
 ') dnl end TODO
 
 ifdef(`targeted_policy',`
+	allow bluetooth_helper_t tmp_t:sock_file { read write };
+	allow bluetooth_helper_t tmpfs_t:file { read write };
+	allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+	allow bluetooth_t unconfined_t:dbus send_msg;
+	allow unconfined_t bluetooth_t:dbus send_msg;
 	allow bluetooth_t unconfined_t:dbus send_msg;
 	allow unconfined_t bluetooth_t:dbus send_msg;
 ')

refpolicy/policy/modules/services/comsat.te

@@ -75,6 +75,8 @@ miscfiles_read_localization(comsat_t)
 
 sysnet_read_config(comsat_t)
 
+userdom_dontaudit_getattr_sysadm_tty(comsat_t)
+
 mta_getattr_spool(comsat_t)
 
 optional_policy(`kerberos.te',`
@@ -89,6 +91,4 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(comsat_t)
 ')
 
-ifdef(`TODO',`
-dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
-')
+

refpolicy/policy/modules/services/cron.if

@@ -375,10 +375,9 @@ interface(`cron_sigchld',`
 interface(`cron_read_pipe',`
 	gen_require(`
 		type crond_t;
-		class file r_file_perms;
 	')
 
-	allow $1 crond_t:file r_file_perms;
+	allow $1 crond_t:fifo_file r_file_perms;
 ')
 
 ########################################

refpolicy/policy/modules/services/cups.if

@@ -1,5 +1,26 @@
 ## <summary>Common UNIX printing system</summary>
 
+########################################
+## <summary>
+##	Execute cups_config in the cups_config domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`cups_domtrans_config',`
+	gen_require(`
+		type cupsd_config_t, cupsd_config_exec_t;
+	')
+
+	domain_auto_trans($1,cupsd_config_exec_t,cupsd_config_t)
+
+	allow $1 cupsd_config_t:fd use;
+	allow cupsd_config_t $1:fd use;
+	allow cupsd_config_t $1:fifo_file rw_file_perms;
+	allow cupsd_config_t $1:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	Read cups-writable configuration files.

refpolicy/policy/modules/services/cups.te

@@ -661,7 +661,6 @@ optional_policy(`hal.te', `
 	')
 
 	allow hald_t cupsd_config_t:process signal;
-	domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
 ')
 
 # killall causes the following

refpolicy/policy/modules/services/finger.te

@@ -136,3 +136,7 @@ optional_policy(`rhgb.te',`
 	rhgb_domain(fingerd_t)
 ')
 ')
+
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+dontaudit fingerd_t user_home_t:dir search;

refpolicy/policy/modules/services/ftp.if

@@ -1,5 +1,40 @@
 ## <summary>File transfer protocol service</summary>
 
+#######################################
+## <summary>
+##	The per user domain template for the ftp module.
+## </summary>
+## <desc>
+##	<p>
+##	This template allows ftpd to manage files in
+##	a user home directory, creating files with the
+##	correct type.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+#
+template(`ftp_per_userdomain_template',`
+	gen_require(`
+		type ftpd_t;
+	')
+
+	tunable_policy(`ftpd_is_daemon',`
+		userdom_manage_user_home_subdir_files($1,ftpd_t)
+		userdom_manage_user_home_subdir_symlinks($1,ftpd_t)
+		userdom_manage_user_home_subdir_sockets($1,ftpd_t)
+		userdom_manage_user_home_subdir_pipes($1,ftpd_t)
+		userdom_create_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+	')
+')
+
 ########################################
 ## <summary>
 ##      Use ftp by connecting over TCP.

refpolicy/policy/modules/services/ftp.te

@@ -97,6 +97,7 @@ auth_append_login_records(ftpd_t)
 auth_write_login_records(ftpd_t)
 
 corecmd_exec_bin(ftpd_t)
+corecmd_exec_sbin(ftpd_t)
 # Execute /bin/ls (can comment this out for proftpd)
 # also may need rules to allow tar etc...
 corecmd_exec_ls(ftpd_t)
@@ -130,6 +131,17 @@ ifdef(`targeted_policy',`
 
 	term_dontaudit_use_generic_pty(ftpd_t)
 	term_dontaudit_use_unallocated_tty(ftpd_t)
+
+	optional_policy(`ftp.te',`
+		tunable_policy(`ftpd_is_daemon',`
+			# cjp: fix this to use regular interfaces
+			userdom_manage_user_home_subdir_files(user,ftpd_t)
+			userdom_manage_user_home_subdir_symlinks(user,ftpd_t)
+			userdom_manage_user_home_subdir_sockets(user,ftpd_t)
+			userdom_manage_user_home_subdir_pipes(user,ftpd_t)
+			userdom_create_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+		')
+	')
 ')
 
 tunable_policy(`allow_ftpd_anon_write',`
@@ -213,13 +225,4 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(ftpd_t)
 ')
-
-# cjp: this was in base user macro, but we cannot
-# use typeattribute ftpd_t privhome; interface
-# since typeattribute doesnt work in conditionals
-ifdef(`ftpd.te' , `
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')
 ')

refpolicy/policy/modules/services/hal.if

@@ -20,3 +20,20 @@ interface(`hal_domtrans',`
 	allow hald_t $1:fifo_file rw_file_perms;
 	allow hald_t $1:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Send to hal over a unix domain
+##	datagram socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hal_dgram_sendto',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:unix_dgram_socket sendto;
+')

refpolicy/policy/modules/services/hal.te

@@ -125,6 +125,16 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(hald_t)
 ')
 
+optional_policy(`apm.te',`
+	# For /usr/libexec/hald-addon-acpi
+	# writes to /var/run/acpid.socket
+	apm_stream_connect(hald_t)
+')
+
+optional_policy(`cups.te',`
+	cups_domtrans_config(hald_t)
+')
+
 optional_policy(`dbus.te',`
 	allow hald_t self:dbus send_msg;
 	dbus_system_bus_client_template(hald,hald_t)
@@ -181,12 +191,6 @@ allow hald_t device_t:dir create_dir_perms;
 optional_policy(`hald.te',`
 allow udev_t hald_t:unix_dgram_socket sendto;
 ')
-
-# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
-ifdef(`apmd.te', `
-allow hald_t apmd_var_run_t:sock_file write;
-allow hald_t apmd_t:unix_stream_socket connectto;
-')
 ') dnl end TODO
 
 ifdef(`targeted_policy', `

refpolicy/policy/modules/services/inn.te

@@ -86,6 +86,8 @@ term_dontaudit_use_console(innd_t)
 
 corecmd_exec_bin(innd_t)
 corecmd_exec_shell(innd_t)
+corecmd_search_sbin(innd_t)
+corecmd_read_sbin_symlink(innd_t)
 
 domain_use_wide_inherit_fd(innd_t)
 

refpolicy/policy/modules/services/mailman.te

@@ -51,6 +51,9 @@ optional_policy(`apache.te',`
 	apache_sigchld(mailman_cgi_t)
 	apache_use_fd(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
+
+	# FIXME:
+	allow mailman_cgi_t httpd_sys_script_t:dir search;
 ')
 
 ########################################

refpolicy/policy/modules/services/mta.te

@@ -191,6 +191,9 @@ optional_policy(`postfix.te',`
 	optional_policy(`crond.te',`
 		cron_crw_tcp_socket(system_mail_t)
 	')
+
+	allow mta_user_agent sysadm_t:fifo_file { read write };
+	type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
 ')
 
 optional_policy(`sendmail.te',`
@@ -230,10 +233,13 @@ optional_policy(`qmail.te',`
 	allow system_mail_t qmail_etc_t:dir search;
 	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
 ')
+') dnl end TODO
+
+allow mta_user_agent system_crond_tmp_t:file { read getattr };
 
 optional_policy(`arpwatch.te',`
 	# why is mail delivered to a directory of type arpwatch_data_t?
-	arpwatch_search_data_dir(mta_delivery_agent)
+	arpwatch_search_data(mailserver_delivery)
 	arpwatch_manage_tmp_files(system_mail_t)
 	arpwatch_manage_tmp_files(mta_user_agent)
 	ifdef(`hide_broken_symptoms', `
@@ -241,5 +247,3 @@ optional_policy(`arpwatch.te',`
 		arpwatch_dontaudit_rw_packet_socket(mta_user_agent)
 	')
 ')
-
-') dnl end TODO

refpolicy/policy/modules/services/nis.if

@@ -204,3 +204,54 @@ interface(`nis_tcp_connect_ypbind',`
 	allow ypbind_t $1:tcp_socket { acceptfrom recvfrom };
 	allow $1 kernel_t:tcp_socket recvfrom;
 ')
+
+########################################
+## <summary>
+##	Read ypbind pid files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nis_read_ypbind_pid',`
+	gen_require(`
+		type ypbind_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ypbind_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete ypbind pid files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nis_delete_ypbind_pid',`
+	gen_require(`
+		type ypbind_t;
+	')
+
+	# TODO: add delete pid from dir call to files
+	allow $1 ypbind_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Read ypserv configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nis_read_ypserv_config',`
+	gen_require(`
+		type ypserv_t;
+	')
+
+	files_search_etc($1)
+	allow $1 ypserv_t:file { getattr read };
+')

refpolicy/policy/modules/services/nscd.te

@@ -90,6 +90,7 @@ selinux_compute_user_contexts(nscd_t)
 domain_use_wide_inherit_fd(nscd_t)
 
 files_read_etc_files(nscd_t)
+files_read_generic_tmp_symlinks(nscd_t)
 
 init_use_fd(nscd_t)
 init_use_script_pty(nscd_t)
@@ -126,6 +127,7 @@ optional_policy(`nis.te',`
 
 optional_policy(`samba.te',`
 	samba_connect_winbind(nscd_t)
+	samba_search_var(nscd_t)
 ')
 
 optional_policy(`udev.te', `
@@ -133,13 +135,7 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-optional_policy(`winbind.te', `
-	allow nscd_t samba_var_t:dir search;
-')
 optional_policy(`rhgb.te',`
 	rhgb_domain(nscd_t)
 ')
-
-allow nscd_t tmp_t:dir { search getattr };
-allow nscd_t tmp_t:lnk_file read;
 ') dnl end TODO

refpolicy/policy/modules/services/ntp.te

@@ -112,6 +112,7 @@ miscfiles_read_localization(ntpd_t)
 sysnet_read_config(ntpd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(ntpd_t)
+userdom_list_sysadm_home_dir(ntpd_t)
 userdom_dontaudit_list_sysadm_home_dir(ntpd_t)
 
 ifdef(`targeted_policy', `
@@ -145,6 +146,12 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(ntpd_t)
 ')
 
+optional_policy(`samba.te',`
+	# cjp: the connect was previously missing
+	# so it might be ok to drop this
+	samba_connect_winbind(ntpd_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(ntpd_t)
 ')
@@ -162,9 +169,4 @@ allow sysadm_t ntpd_t:udp_socket recvfrom;
 
 allow sysadm_t ntpd_t:udp_socket sendto;
 allow ntpd_t sysadm_t:udp_socket recvfrom;
-
-ifdef(`winbind.te', `
-allow ntpd_t winbind_var_run_t:dir r_dir_perms;
-allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
-')
 ') dnl end TODO

refpolicy/policy/modules/services/portmap.te

@@ -200,6 +200,11 @@ sysnet_read_config(portmap_helper_t)
 
 userdom_dontaudit_use_all_user_fd(portmap_helper_t)
 
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(portmap_helper_t)
+	term_dontaudit_use_generic_pty(portmap_helper_t)
+')
+
 optional_policy(`mount.te',`
 	mount_send_nfs_client_request(portmap_helper_t)
 ')

refpolicy/policy/modules/services/postfix.te

@@ -93,6 +93,8 @@ allow postfix_master_t self:fifo_file rw_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
 
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+
 can_exec(postfix_master_t,postfix_exec_t)
 
 allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
@@ -333,6 +335,7 @@ allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
 files_create_tmp_files(postfix_map_t, postfix_map_tmp_t, { file dir })
 
 kernel_read_kernel_sysctl(postfix_map_t)
+kernel_dontaudit_list_proc(postfix_map_t)
 
 corenet_tcp_sendrecv_all_if(postfix_map_t)
 corenet_udp_sendrecv_all_if(postfix_map_t)
@@ -463,6 +466,11 @@ optional_policy(`crond.te',`
 	cron_rw_system_job_pipe(postfix_postdrop_t)
 ')
 
+optional_policy(`ppp.te',`
+	ppp_use_fd(postfix_postqueue_t)
+	ppp_sigchld(postfix_postqueue_t)
+')
+
 #######################################
 #
 # Postfix postqueue local policy

refpolicy/policy/modules/services/postgresql.te

@@ -212,12 +212,4 @@ ifdef(`distro_gentoo', `
 	postgresql_search_db_dir(initrc_su_t)
 	dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
 ')
-
-# Goes to apache.te:
-# Allow httpd to work with postgresql
-optional_policy(`postgresql.te', ` 
-	# Original policy had apache connecting to postgresql_tmp_t:sock_file
-	# instead of what is assumed to be correct: postgresql_var_run_t. -Don
-	postgresql_unix_connect(httpd_t)
-')
 ')

refpolicy/policy/modules/services/ppp.if

@@ -16,6 +16,23 @@ interface(`ppp_use_fd',`
 	allow $1 pppd_t:fd use;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to inherit
+##	and use PPP file discriptors.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`ppp_dontaudit_use_fd',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	dontaudit $1 pppd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Allow domain to send sigchld to parent of PPP domain type.
@@ -35,7 +52,7 @@ interface(`ppp_sigchld',`
 
 ########################################
 ## <summary>
-##	Allow domain to send a signal to PPP domain type.
+##	Send a generic signal to PPP.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
@@ -49,6 +66,22 @@ interface(`ppp_signal',`
 	allow $1 pppd_t:process signal;
 ')
 
+########################################
+## <summary>
+##	Send a SIGCHLD signal to PPP.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`ppp_sigchld',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	allow $1 pppd_t:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	 Execute domain in the ppp domain.

refpolicy/policy/modules/services/ppp.te

@@ -107,9 +107,8 @@ allow pppd_t pppd_secret_t:file r_file_perms;
 # Automatically label newly created files under /etc/ppp with this type
 type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
 
-kernel_list_proc(pppd_t)
 kernel_read_kernel_sysctl(pppd_t)
-kernel_read_proc_symlinks(pppd_t)
+kernel_read_system_state(pppd_t)
 kernel_read_net_sysctl(pppd_t)
 kernel_read_network_state(pppd_t)
 kernel_load_module(pppd_t)
@@ -318,23 +317,22 @@ optional_policy(`udev.te',`
 ')
 
 ifdef(`TODO',`
-ifdef(`postfix.te', `
-	allow pppd_t postfix_etc_t:dir search;
-	allow pppd_t postfix_etc_t:file r_file_perms;
-	allow pppd_t postfix_master_exec_t:file { getattr read };
-
-	ppp_use_fd(postfix_postqueue_t)
-	ppp_signal_daemon(postfix_postqueue_t)
-')
 optional_policy(`rhgb.te',`
 	rhgb_domain(pppd_t)
 ')
 optional_policy(`rhgb.te',`
         rhgb_domain(pptp_t)
 ')
-ifdef(`named.te', `
-	dontaudit ndc_t pppd_t:fd use;
+')
+
+ifdef(`postfix.te', `
+	allow pppd_t postfix_etc_t:dir search;
+	allow pppd_t postfix_etc_t:file r_file_perms;
+	allow pppd_t postfix_master_exec_t:file { getattr read };
 ')
 
 domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
-')
+allow pppd_t initrc_t:fd use;
+allow initrc_t pppd_t:fd use;
+allow initrc_t pppd_t:fifo_file rw_file_perms;
+allow initrc_t pppd_t:process sigchld;

refpolicy/policy/modules/services/radius.te

@@ -76,6 +76,7 @@ auth_read_shadow(radiusd_t)
 
 corecmd_exec_bin(radiusd_t)
 corecmd_exec_shell(radiusd_t)
+corecmd_search_sbin(radiusd_t)
 
 domain_use_wide_inherit_fd(radiusd_t)
 

refpolicy/policy/modules/services/rlogin.te

@@ -87,6 +87,7 @@ seutil_dontaudit_search_config(rlogind_t)
 
 sysnet_read_config(rlogind_t)
 
+userdom_setattr_unpriv_user_pty(rlogind_t)
 # cjp: this is egregious
 userdom_read_all_user_files(rlogind_t)
 

refpolicy/policy/modules/services/rpc.te

@@ -62,13 +62,17 @@ files_manage_mounttab(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
 
-# FIXME
-dontaudit userdomain exports_t:file getattr;
-
 ifdef(`distro_redhat',`
 	allow rpcd_t self:capability { chown dac_override setgid setuid };
 ')
 
+optional_policy(`nis.te',`
+	nis_read_ypserv_config(rpcd_t)
+')
+
+# FIXME
+dontaudit userdomain exports_t:file getattr;
+
 ########################################
 #
 # NFSD local policy
@@ -132,9 +136,9 @@ fs_read_rpc_dirs(gssd_t)
 fs_read_rpc_sockets(gssd_t) 
 fs_read_rpc_files(gssd_t) 
 
-files_read_tmp(gssd_t) 
-files_read_tmp_files(gssd_t) 
-files_read_tmp_symlinks(gssd_t) 
+files_list_tmp(gssd_t) 
+files_read_generic_tmp_files(gssd_t) 
+files_read_generic_tmp_symlinks(gssd_t) 
 
 tunable_policy(`allow_gssd_read_tmp',`
 	userdom_list_unpriv_user_tmp(gssd_t) 

refpolicy/policy/modules/services/rshd.te

@@ -74,8 +74,8 @@ tunable_policy(`use_nfs_home_dirs',`
 ')
 
 tunable_policy(`use_samba_home_dirs',`
-	fs_read_nfs_files(rshd_t)
-	fs_read_nfs_symlinks(rshd_t)
+	fs_read_cifs_files(rshd_t)
+	fs_read_cifs_symlinks(rshd_t)
 ')
 
 optional_policy(`kerberos.te',`

refpolicy/policy/modules/services/samba.if

@@ -195,6 +195,24 @@ interface(`samba_read_secrets',`
 	allow $1 samba_secrets_t:file { read getattr lock };
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to search
+##	samba /var directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_search_var',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	files_search_var($1)
+	allow $1 samba_var_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to write to smbmount tcp sockets.

refpolicy/policy/modules/services/samba.te

@@ -233,6 +233,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
 
 dev_read_sysfs(smbd_t)
 dev_read_urand(smbd_t)
+dev_dontaudit_getattr_usbfs_dir(smbd_t)
 
 fs_getattr_all_fs(smbd_t)
 fs_get_xattr_fs_quotas(smbd_t)

refpolicy/policy/modules/services/snmp.te

@@ -146,6 +146,15 @@ ifdef(`TODO',`
 can_udp_send(sysadm_t, snmpd_t)
 can_udp_send(snmpd_t, sysadm_t)
 
+optional_policy(`cupsd.te', `
+	allow snmpd_t cupsd_rw_etc_t:file { getattr read };
+')
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(snmpd_t)
+')
+') dnl end TODO
+
 ifdef(`distro_redhat', `
 	optional_policy(`rpm.te', `
 		dontaudit snmpd_t rpm_var_lib_t:dir write;
@@ -153,20 +162,9 @@ ifdef(`distro_redhat', `
 	')
 ')
 
-dontaudit snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t rpc_pipefs_t:dir getattr;
-
 optional_policy(`amanda.te', `
 	dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
 ')
 
-optional_policy(`cupsd.te', `
-	allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
-
+allow snmpd_t rpc_pipefs_t:dir getattr;
 allow snmpd_t var_lib_nfs_t:dir search;
-
-optional_policy(`rhgb.te',`
-	rhgb_domain(snmpd_t)
-')
-') dnl end TODO

refpolicy/policy/modules/services/spamassassin.te

@@ -37,6 +37,7 @@ dontaudit spamd_t self:capability sys_tty_config;
 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamd_t self:fd use;
 allow spamd_t self:fifo_file rw_file_perms;
+allow spamd_t self:sock_file r_file_perms;
 allow spamd_t self:shm create_shm_perms;
 allow spamd_t self:sem create_sem_perms;
 allow spamd_t self:msgq create_msgq_perms;

refpolicy/policy/modules/system/authlogin.te

@@ -262,16 +262,22 @@ ifdef(`xdm.te', `
 
 allow system_chkpwd_t self:capability setuid;
 allow system_chkpwd_t self:process getattr;
+allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 allow system_chkpwd_t shadow_t:file { getattr read };
 
 # is_selinux_enabled
 kernel_read_system_state(system_chkpwd_t)
 
+dev_read_rand(system_chkpwd_t)
+dev_read_urand(system_chkpwd_t)
+
 fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
 
 term_dontaudit_use_unallocated_tty(system_chkpwd_t)
 
+corecmd_search_sbin(system_chkpwd_t)
+
 domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
 
 files_read_etc_files(system_chkpwd_t)

refpolicy/policy/modules/system/clock.te

@@ -61,7 +61,7 @@ logging_send_syslog_msg(hwclock_t)
 
 miscfiles_read_localization(hwclock_t)
 
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(hwclock_t)
 	term_dontaudit_use_generic_pty(hwclock_t)
 	files_dontaudit_read_root_file(hwclock_t)

refpolicy/policy/modules/system/corecommands.if

@@ -54,7 +54,7 @@ interface(`corecmd_list_bin',`
 ##	Get the attributes of files in bin directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`corecmd_getattr_bin_file',`
@@ -71,7 +71,7 @@ interface(`corecmd_getattr_bin_file',`
 ##	Read files in bin directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`corecmd_read_bin_file',`
@@ -90,7 +90,7 @@ interface(`corecmd_read_bin_file',`
 ##	Read symbolic links in bin directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`corecmd_read_bin_symlink',`
@@ -109,7 +109,7 @@ interface(`corecmd_read_bin_symlink',`
 ##	Read pipes in bin directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`corecmd_read_bin_pipe',`
@@ -128,7 +128,7 @@ interface(`corecmd_read_bin_pipe',`
 ##	Read named sockets in bin directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`corecmd_read_bin_socket',`
@@ -183,7 +183,7 @@ interface(`corecmd_exec_bin',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 ## <param name="target_domain">
 ##	The type of the new process.
@@ -259,7 +259,7 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
 ##	Read files in sbin directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`corecmd_read_sbin_file',`
@@ -278,7 +278,7 @@ interface(`corecmd_read_sbin_file',`
 ##	Read symbolic links in sbin directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`corecmd_read_sbin_symlink',`
@@ -297,7 +297,7 @@ interface(`corecmd_read_sbin_symlink',`
 ##	Read named pipes in sbin directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`corecmd_read_sbin_pipe',`
@@ -316,7 +316,7 @@ interface(`corecmd_read_sbin_pipe',`
 ##	Read named sockets in sbin directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`corecmd_read_sbin_socket',`
@@ -371,7 +371,7 @@ interface(`corecmd_exec_sbin',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 ## <param name="target_domain">
 ##	The type of the new process.
@@ -390,6 +390,24 @@ interface(`corecmd_sbin_domtrans',`
 	domain_auto_trans($1,sbin_t,$2)
 ')
 
+########################################
+## <summary>
+##	Check if a shell is executable (DAC-wise).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`corecmd_check_exec_shell',`
+	gen_require(`
+		type bin_t, shell_exec_t;
+	')
+
+	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:lnk_file r_file_perms;
+	allow $1 shell_exec_t:file execute;
+')
+
 ########################################
 #
 # corecmd_exec_shell(domain)
@@ -441,7 +459,7 @@ interface(`corecmd_exec_ls',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 ## <param name="target_domain">
 ##	The type of the shell process.
@@ -475,7 +493,7 @@ interface(`corecmd_shell_spec_domtrans',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 ## <param name="target_domain">
 ##	The type of the shell process.

refpolicy/policy/modules/system/files.if

@@ -2067,13 +2067,12 @@ interface(`files_search_tmp',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`files_read_tmp',`
+interface(`files_list_tmp',`
 	gen_require(`
 		type tmp_t;
-		class dir r_dir_perms;
 	')
 
-	allow $1 tmp_t:dir r_dir_perms;
+	allow $1 tmp_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -2084,12 +2083,12 @@ interface(`files_read_tmp',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`files_read_tmp_files',`
+interface(`files_read_generic_tmp_files',`
 	gen_require(`
 		type tmp_t;
-		class file r_file_perms;
 	')
 
+	allow $1 tmp_t:dir search_dir_perms;
 	allow $1 tmp_t:file r_file_perms;
 ')
 
@@ -2101,12 +2100,12 @@ interface(`files_read_tmp_files',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`files_read_tmp_symlinks',`
+interface(`files_read_generic_tmp_symlinks',`
 	gen_require(`
 		type tmp_t;
-		class lnk_file r_file_perms;
 	')
 
+	allow $1 tmp_t:dir search_dir_perms;
 	allow $1 tmp_t:lnk_file r_file_perms;
 ')
 
@@ -2339,7 +2338,7 @@ interface(`files_dontaudit_search_src',`
 		type src_t;
 	')
 
-	allow $1 src_t:dir search;
+	dontaudit $1 src_t:dir search;
 ')
 
 ########################################

refpolicy/policy/modules/system/fstools.te

@@ -28,6 +28,7 @@ allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_
 allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_file_perms;
+allow fsadm_t self:sock_file r_file_perms;
 allow fsadm_t self:unix_dgram_socket create_socket_perms;
 allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
 allow fsadm_t self:unix_dgram_socket sendto;
@@ -133,6 +134,11 @@ seutil_read_config(fsadm_t)
 
 userdom_use_unpriv_users_fd(fsadm_t)
 
+ifdef(`targeted_policy',`
+	term_use_unallocated_tty(fsadm_t)
+	term_use_generic_pty(fsadm_t)
+')
+
 tunable_policy(`read_default_t',`
 	files_list_default(fsadm_t)
 	files_read_default_files(fsadm_t)
@@ -151,7 +157,8 @@ optional_policy(`nis.te',`
 ')
 
 ifdef(`TODO',`
-allow fsadm_t tmpfs_t:file { read write };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 ') dnl end TODO
+
+allow fsadm_t tmpfs_t:file { read write };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;

refpolicy/policy/modules/system/getty.te

@@ -113,5 +113,5 @@ optional_policy(`ppp.te',`
 ')
 
 optional_policy(`udev.te',`
-	udev_read_db(system_dbusd_t)
+	udev_read_db(getty_t)
 ')

refpolicy/policy/modules/system/hotplug.te

@@ -14,7 +14,7 @@ init_daemon_domain(hotplug_t,hotplug_exec_t)
 type hotplug_etc_t;
 files_config_file(hotplug_etc_t)
 kernel_search_from(hotplug_etc_t)
-domain_entry_file(hotplug_t,hotplug_etc_t)
+init_daemon_domain(hotplug_t,hotplug_etc_t)
 
 type hotplug_var_run_t;
 files_pid_file(hotplug_var_run_t)
@@ -150,6 +150,10 @@ optional_policy(`fstools.te',`
 	fstools_domtrans(hotplug_t)
 ')
 
+optional_policy(`hal.te',`
+	hal_dgram_sendto(hotplug_t)
+')
+
 optional_policy(`hostname.te',`
 	hostname_exec(hotplug_t)
 ')
@@ -207,7 +211,4 @@ rhgb_domain(hotplug_t)
 
 dontaudit hotplug_t { init_t kernel_t }:file read;
 
-optional_policy(`hald.te', `
-	allow hotplug_t hald_t:unix_dgram_socket sendto;
-')
 ') dnl end TODO

refpolicy/policy/modules/system/init.if

@@ -346,7 +346,7 @@ interface(`init_dontaudit_use_fd',`
 ##	Send UDP network traffic to init.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`init_udp_sendto',`
@@ -392,7 +392,7 @@ interface(`init_domtrans_script',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 ## <param name="role">
 ##	The role to be performing this action.
@@ -413,6 +413,22 @@ interface(`init_run_daemon',`
 	dontaudit direct_init $3:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Write an init script unnamed pipe.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`init_write_script_pipe',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:fifo_file write;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to
@@ -484,7 +500,7 @@ interface(`init_exec_script',`
 ##	Read the process state (/proc/pid) of the init scripts.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`init_read_script_process_state',`
@@ -552,7 +568,7 @@ interface(`init_get_script_process_group',`
 ##	Send SIGCHLD signals to init scripts.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`init_sigchld_script',`
@@ -568,7 +584,7 @@ interface(`init_sigchld_script',`
 ##	Read and write init script unnamed pipes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`init_rw_script_pipe',`
@@ -585,7 +601,7 @@ interface(`init_rw_script_pipe',`
 ##	Send UDP network traffic to init scripts.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`init_udp_sendto_script',`
@@ -629,7 +645,7 @@ interface(`init_unix_connect_script',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`init_use_script_pty',`
@@ -663,7 +679,7 @@ interface(`init_dontaudit_use_script_pty',`
 ##	Read init scripts.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`init_read_script_file',`
@@ -681,7 +697,7 @@ interface(`init_read_script_file',`
 ##	Read and write init script temporary data.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`init_rw_script_tmp_files',`

refpolicy/policy/modules/system/init.te

@@ -366,6 +366,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 
 modutils_read_module_conf(initrc_t)
+modutils_domtrans_insmod(initrc_t)
 
 seutil_read_config(initrc_t)
 
@@ -480,7 +481,6 @@ optional_policy(`bind.te',`
 		# Allow init script to cp localtime to named_conf_t
 		bind_write_config(initrc_t)
 	')
-
 ')
 
 optional_policy(`bluetooth.te',`
@@ -488,7 +488,7 @@ optional_policy(`bluetooth.te',`
 ')
 
 optional_policy(`cpucontrol.te',`
-	cpucontrol_stub()
+	cpucontrol_stub(initrc_t)
 	dev_getattr_cpu(initrc_t)
 ')
 

refpolicy/policy/modules/system/libraries.te

@@ -95,9 +95,7 @@ ifdef(`targeted_policy',`
 	unconfined_domain_template(ldconfig_t) 
 ')
 
-ifdef(`TODO',`
 optional_policy(`apache.te',`
 	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
 	dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
-') dnl end TODO

refpolicy/policy/modules/system/locallogin.te

@@ -41,6 +41,7 @@ allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrli
 allow local_login_t self:process { setrlimit setexec };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_file_perms;
+allow local_login_t self:sock_file r_file_perms;
 allow local_login_t self:unix_dgram_socket create_socket_perms;
 allow local_login_t self:unix_stream_socket create_stream_socket_perms;
 allow local_login_t self:unix_dgram_socket sendto;

refpolicy/policy/modules/system/logging.te

@@ -229,6 +229,8 @@ logging_send_syslog_msg(klogd_t)
 
 miscfiles_read_localization(klogd_t)
 
+userdom_dontaudit_search_sysadm_home_dir(klogd_t)
+
 optional_policy(`udev.te', `
 	udev_read_db(klogd_t)
 ')
@@ -238,6 +240,10 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(klogd_t)
 ')
 
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(klogd_t)
+')
+
 ########################################
 #
 # syslogd local policy

refpolicy/policy/modules/system/modutils.if

@@ -36,7 +36,7 @@ interface(`modutils_read_module_conf',`
 	files_search_etc($1)
 	bootloader_search_boot($1)
 
-	allow $1 modules_conf_t:file r_file_perms;
+	allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
 ')
 
 ########################################

refpolicy/policy/modules/system/modutils.te

@@ -16,7 +16,6 @@ files_type(modules_dep_t)
 
 type insmod_t;
 type insmod_exec_t;
-kernel_userland_entry(insmod_t,insmod_exec_t)
 init_system_domain(insmod_t,insmod_exec_t)
 mls_file_write_down(insmod_t)
 role system_r types insmod_t;
@@ -110,6 +109,10 @@ logging_search_logs(insmod_t)
 
 miscfiles_read_localization(insmod_t)
 
+if( ! secure_mode_insmod ) {
+	kernel_userland_entry(insmod_t,insmod_exec_t)
+}
+
 ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_rw_cardmgr(insmod_t)
 ')

refpolicy/policy/modules/system/pcmcia.if

@@ -1,5 +1,19 @@
 ## <summary>PCMCIA card management services</summary>
 
+########################################
+## <summary>
+##	PCMCIA stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	N/A
+## </param>
+#
+interface(`pcmcia_stub',`
+	gen_require(`
+		type cardmgr_t;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Execute cardmgr in the cardmgr domain.
@@ -99,6 +113,7 @@ interface(`pcmcia_read_pid',`
 	files_search_pids($1)
 	allow $1 cardmgr_var_run_t:dir r_dir_perms;
 	allow $1 cardmgr_var_run_t:file r_file_perms;
+	allow $1 cardmgr_var_run_t:lnk_file { getattr read };
 ')
 
 ########################################

refpolicy/policy/modules/system/selinuxutil.te

@@ -202,6 +202,7 @@ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
 allow newrole_t self:fifo_file rw_file_perms;
+allow newrole_t self:sock_file r_file_perms;
 allow newrole_t self:shm create_shm_perms;
 allow newrole_t self:sem create_sem_perms;
 allow newrole_t self:msgq create_msgq_perms;
@@ -242,6 +243,9 @@ term_relabel_all_user_ptys(newrole_t)
 
 auth_domtrans_chk_passwd(newrole_t)
 
+corecmd_list_bin(newrole_t)
+corecmd_read_bin_symlink(newrole_t)
+
 domain_use_wide_inherit_fd(newrole_t)
 # for when the user types "exec newrole" at the command line:
 domain_sigchld_wide_inherit_fd(newrole_t)
@@ -251,6 +255,7 @@ init_rw_script_pid(newrole_t)
 
 files_read_etc_files(newrole_t)
 files_read_var_files(newrole_t)
+files_read_var_symlink(newrole_t)
 
 libs_use_ld_so(newrole_t)
 libs_use_shared_libs(newrole_t)
@@ -377,6 +382,8 @@ domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
 ')
 ') dnl endif TODO
 
+allow restorecon_t kernel_t:unix_dgram_socket { read write };
+
 #################################
 #
 # Run_init local policy

refpolicy/policy/modules/system/sysnetwork.te

@@ -206,6 +206,9 @@ optional_policy(`netutils.te',`
 optional_policy(`nis.te',`
 	nis_use_ypbind(dhcpc_t)
 	nis_signal_ypbind(dhcpc_t)
+	nis_read_ypbind_pid(dhcpc_t)
+	nis_delete_ypbind_pid(dhcpc_t)
+
 	# dhclient sometimes starts ypbind
 	init_exec_script(dhcpc_t)
 	nis_domtrans_ypbind(dhcpc_t)
@@ -222,6 +225,11 @@ optional_policy(`ntp.te',`
 	ntp_domtrans(dhcpc_t)
 ')
 
+optional_policy(`pcmcia.te',`
+	pcmcia_stub(dhcpc_t)
+	dev_rw_cardmgr(dhcpc_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(dhcpc_t)
 	seutil_dontaudit_search_config(dhcpc_t)
@@ -236,27 +244,6 @@ optional_policy(`userdomain.te',`
 ')
 
 ifdef(`TODO',`
-ifdef(`cardmgr.te',`
-allow dhcpc_t cardmgr_dev_t:chr_file { read write };
-')
-
-ifdef(`ypbind.te',`
-allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
-')
-
-ifdef(`dbusd.te', `
-dbusd_client(system, dhcpc)
-domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t dhcpc_t:dbus send_msg;
-allow dhcpc_t unconfined_t:dbus send_msg;
-')dnl end ifdef unconfined.te
-')
-
 optional_policy(`rhgb.te',`
 rhgb_domain(dhcpc_t)
 ')

refpolicy/policy/modules/system/userdomain.if

@@ -992,7 +992,7 @@ template(`admin_user_template',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_search_user_home',`
@@ -1024,7 +1024,7 @@ template(`userdom_search_user_home',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_home_subdirs',`
@@ -1055,7 +1055,7 @@ template(`userdom_manage_user_home_subdirs',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_read_user_home_files',`
@@ -1087,7 +1087,7 @@ template(`userdom_read_user_home_files',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_exec_user_home_files',`
@@ -1121,7 +1121,7 @@ template(`userdom_exec_user_home_files',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_home_subdir_files',`
@@ -1155,7 +1155,7 @@ template(`userdom_manage_user_home_subdir_files',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_home_subdir_symlinks',`
@@ -1189,7 +1189,7 @@ template(`userdom_manage_user_home_subdir_symlinks',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_home_subdir_pipes',`
@@ -1223,7 +1223,7 @@ template(`userdom_manage_user_home_subdir_pipes',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_home_subdir_sockets',`
@@ -1256,7 +1256,7 @@ template(`userdom_manage_user_home_subdir_sockets',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 ## <param name="object_class" optional="true">
 ##	The class of the object to be created.  If not
@@ -1299,7 +1299,7 @@ template(`userdom_create_user_home',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_tmp_dirs',`
@@ -1331,7 +1331,7 @@ template(`userdom_manage_user_tmp_dirs',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_tmp_files',`
@@ -1364,7 +1364,7 @@ template(`userdom_manage_user_tmp_files',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_tmp_symlinks',`
@@ -1397,7 +1397,7 @@ template(`userdom_manage_user_tmp_symlinks',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_tmp_pipes',`
@@ -1430,7 +1430,7 @@ template(`userdom_manage_user_tmp_pipes',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_manage_user_tmp_sockets',`
@@ -1461,7 +1461,7 @@ template(`userdom_manage_user_tmp_sockets',`
 ##	is the prefix for user_t).
 ## </param>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 template(`userdom_use_user_terminals',`
@@ -1486,7 +1486,7 @@ template(`userdom_use_user_terminals',`
 ##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_spec_domtrans_all_users',`
@@ -1504,7 +1504,7 @@ interface(`userdom_spec_domtrans_all_users',`
 ##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_spec_domtrans_unpriv_users',`
@@ -1520,7 +1520,7 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 ##	Execute a shell in the sysadm domain.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_shell_domtrans_sysadm',`
@@ -1580,7 +1580,7 @@ interface(`userdom_dontaudit_search_staff_home_dir',`
 ##	Read files in the staff users home directory.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_read_staff_home_files',`
@@ -1598,7 +1598,7 @@ interface(`userdom_read_staff_home_files',`
 ##	Send a SIGCHLD signal to sysadm users.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_sigchld_sysadm',`
@@ -1613,12 +1613,33 @@ interface(`userdom_sigchld_sysadm',`
 	')
 ')
 
+########################################
+## <summary>
+##	Do not audit attepts to get the attributes
+##	of sysadm ttys.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_dontaudit_getattr_sysadm_tty',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_getattr_unallocated_ttys($1)
+	',`
+		gen_require(`
+			type sysadm_tty_device_t;
+		')
+
+		dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Read and write sysadm ttys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_use_sysadm_tty',`
@@ -1660,7 +1681,7 @@ interface(`userdom_dontaudit_use_sysadm_tty',`
 ##	Read and write sysadm ptys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_use_sysadm_pty',`
@@ -1702,7 +1723,7 @@ interface(`userdom_dontaudit_use_sysadm_pty',`
 ##	Read and write sysadm ttys and ptys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_use_sysadm_terms',`
@@ -1735,7 +1756,7 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 ##	Inherit and use sysadm file descriptors
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_use_sysadm_fd',`
@@ -1756,7 +1777,7 @@ interface(`userdom_use_sysadm_fd',`
 ##	Read and write sysadm user unnamed pipes.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_rw_sysadm_pipe',`
@@ -1840,6 +1861,22 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
 	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	List the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_list_sysadm_home_dir',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to list the sysadm
@@ -1854,7 +1891,7 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
 		type sysadm_home_dir_t;
 	')
 
-	dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
+	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -1913,7 +1950,7 @@ interface(`userdom_search_sysadm_home_subdirs',`
 ##	Read files in the sysadm users home directory.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_read_sysadm_home_files',`
@@ -1931,7 +1968,7 @@ interface(`userdom_read_sysadm_home_files',`
 ##	Search all users home directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_search_all_users_home',`
@@ -1964,7 +2001,7 @@ interface(`userdom_dontaudit_search_all_users_home',`
 ##	Read all files in all users home directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_read_all_user_files',`
@@ -1983,7 +2020,7 @@ interface(`userdom_read_all_user_files',`
 ##	in all users home directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_manage_all_user_dirs',`
@@ -2001,7 +2038,7 @@ interface(`userdom_manage_all_user_dirs',`
 ##	in all users home directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_manage_all_user_files',`
@@ -2020,7 +2057,7 @@ interface(`userdom_manage_all_user_files',`
 ##	in all users home directories.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_manage_all_user_symlinks',`
@@ -2048,7 +2085,7 @@ interface(`userdom_manage_all_user_symlinks',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_priveleged_home_dir_manager',`
@@ -2065,7 +2102,7 @@ interface(`userdom_priveleged_home_dir_manager',`
 ##	Send general signals to unprivileged user domains.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_signal_unpriv_users',`
@@ -2081,7 +2118,7 @@ interface(`userdom_signal_unpriv_users',`
 ##	Inherit the file descriptors from unprivileged user domains.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_use_unpriv_users_fd',`
@@ -2098,7 +2135,7 @@ interface(`userdom_use_unpriv_users_fd',`
 ##	file descriptors from all user domains.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_dontaudit_use_unpriv_user_fd',`
@@ -2326,6 +2363,22 @@ interface(`userdom_read_unpriv_user_home_files',`
 	allow $1 user_home_type:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Set the attributes of user ptys.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_setattr_unpriv_user_pty',`
+	gen_require(`
+		attribute user_ptynode;
+	')
+
+	allow $1 user_ptynode:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read all unprivileged users temporary directories.
@@ -2335,11 +2388,15 @@ interface(`userdom_read_unpriv_user_home_files',`
 ## </param>
 #
 interface(`userdom_list_unpriv_user_tmp',`
-	gen_require(`
-		attribute user_tmpfile;
-	')
+	ifdef(`targeted_policy',`
+		files_list_tmp($1)
+	',`
+		gen_require(`
+			attribute user_tmpfile;
+		')
 
-	allow $1 user_tmpfile:dir list_dir_perms;
+		allow $1 user_tmpfile:dir list_dir_perms;
+	')
 ')
 
 ########################################
@@ -2351,11 +2408,15 @@ interface(`userdom_list_unpriv_user_tmp',`
 ## </param>
 #
 interface(`userdom_read_unpriv_user_tmp_files',`
-	gen_require(`
-		attribute user_tmpfile;
-	')
+	ifdef(`targeted_policy',`
+		files_read_generic_tmp_files($1)
+	',`
+		gen_require(`
+			attribute user_tmpfile;
+		')
 
-	allow $1 user_tmpfile:file { read getattr };
+		allow $1 user_tmpfile:file { read getattr };
+	')
 ')
 
 ########################################
@@ -2367,11 +2428,15 @@ interface(`userdom_read_unpriv_user_tmp_files',`
 ## </param>
 #
 interface(`userdom_read_unpriv_user_tmp_symlinks',`
-	gen_require(`
-		attribute user_tmpfile;
-	')
+	ifdef(`targeted_policy',`
+		files_read_generic_tmp_symlinks($1)
+	',`
+		gen_require(`
+			attribute user_tmpfile;
+		')
 
-	allow $1 user_tmpfile:lnk_file { getattr read };
+		allow $1 user_tmpfile:lnk_file { getattr read };
+	')
 ')
 
 ########################################
@@ -2379,7 +2444,7 @@ interface(`userdom_read_unpriv_user_tmp_symlinks',`
 ##	Write all unprivileged users files in /tmp
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_write_unpriv_user_tmp',`
@@ -2396,7 +2461,7 @@ interface(`userdom_write_unpriv_user_tmp',`
 ##	user ttys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_dontaudit_use_unpriv_user_tty',`
@@ -2412,7 +2477,7 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
 ##	Inherit the file descriptors from all user domains
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_use_all_user_fd',`
@@ -2445,7 +2510,7 @@ interface(`userdom_dontaudit_use_all_user_fd',`
 ##	Send general signals to all user domains.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`userdom_signal_all_users',`