merge in some of dan's old policy changes

refpolicy/policy/global_booleans

@@ -8,3 +8,11 @@
 ## newrole, from transitioning to administrative
 ## user domains.
 gen_bool(secure_mode,false)
+
+## Disable transitions to insmod.
+gen_bool(secure_mode_insmod,false)
+
+## boolean to determine whether the system permits loading policy, setting
+## enforcing mode, and changing boolean values.  Set this to true and you
+## have to reboot to set it back
+gen_bool(secure_mode_policyload,false)

refpolicy/policy/modules/kernel/selinux.if

@@ -127,13 +127,17 @@ interface(`selinux_set_enforce_mode',`
 	gen_require(`
 		type security_t;
 		attribute can_setenforce;
+		bool secure_mode_policyload;
 	')
 
 	allow $1 security_t:dir { read search getattr };
 	allow $1 security_t:file { getattr read write };
-	allow $1 security_t:security setenforce;
-	auditallow $1 security_t:security setenforce;
 	typeattribute $1 can_setenforce;
+
+	if(!secure_mode_policyload) {
+		allow $1 security_t:security setenforce;
+		auditallow $1 security_t:security setenforce;
+	}
 ')
 
 ########################################
@@ -148,13 +152,17 @@ interface(`selinux_load_policy',`
 	gen_require(`
 		type security_t;
 		attribute can_load_policy;
+		bool secure_mode_policyload;
 	')
 
 	allow $1 security_t:dir { read search getattr };
 	allow $1 security_t:file { getattr read write };
-	allow $1 security_t:security load_policy;
-	auditallow $1 security_t:security load_policy;
 	typeattribute $1 can_load_policy;
+
+	if(!secure_mode_policyload) {
+		allow $1 security_t:security load_policy;
+		auditallow $1 security_t:security load_policy;
+	}
 ')
 
 ########################################
@@ -175,26 +183,20 @@ interface(`selinux_load_policy',`
 ## <param name="domain">
 ##	The process type allowed to set the Boolean.
 ## </param>
-## <param name="booltype" optional="true">
-##	The type of Booleans the caller is allowed to set.
-## </param>
 #
 interface(`selinux_set_boolean',`
 	gen_require(`
 		type security_t;
 	')
 
-	ifelse(`$2',`',`
-		allow $1 security_t:dir { getattr search read };
-		allow $1 security_t:file { getattr read write };
-	',`
-		allow $1 $2:dir { getattr search read };
-		allow $1 $2:file { getattr read write };
-	')
-
 	allow $1 security_t:dir search;
-	allow $1 security_t:security setbool;
+	allow $1 security_t:dir { getattr search read };
-	auditallow $1 security_t:security setbool;
+	allow $1 security_t:file { getattr read write };
+
+	if(!secure_mode_policyload) {
+		allow $1 security_t:security setbool;
+		auditallow $1 security_t:security setbool;
+	}
 ')
 
 ########################################
@@ -358,16 +360,19 @@ interface(`selinux_compute_user_contexts',`
 interface(`selinux_unconfined',`
 	gen_require(`
 		attribute can_load_policy, can_setenforce, can_setsecparam;
+		bool secure_mode_policyload;
 		type security_t;
 	')
 
-	# Access the security API.
-	allow $1 security_t:security *;
-	auditallow $1 security_t:security { load_policy setenforce setbool };
-
 	# use SELinuxfs
 	allow $1 security_t:dir { getattr search read };
 	allow $1 security_t:file { getattr read write };
 
 	typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
+
+	if(!secure_mode_policyload) {
+		# Access the security API.
+		allow $1 security_t:security *;
+		auditallow $1 security_t:security { load_policy setenforce setbool };
+	}
 ')

refpolicy/policy/modules/services/dbus.if

@@ -57,7 +57,7 @@ template(`dbus_per_userdomain_template',`
 	allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
 	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
-	# Receive notifications of policy reloads and enforcing status changes.
+	allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
 
 	# For connecting to the bus

refpolicy/policy/modules/services/dhcp.te

@@ -123,10 +123,6 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(dhcpd_t)
 ')
 
-optional_policy(`netutils.te',`
-	netutils_domtrans(dhcpd_t)
-')
-
 optional_policy(`nis.te',`
 	nis_use_ypbind(dhcpd_t)
 ')

refpolicy/policy/modules/services/pegasus.fc

@@ -1,5 +1,6 @@
 
 /etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
+/etc/Pegasus/pegasus_current.conf	gen_context(system_u:object_r:pegasus_data_t,s0)
 
 /usr/sbin/cimserver		--	gen_context(system_u:object_r:pegasus_exec_t,s0)
 /usr/sbin/init_repository	-- 	gen_context(system_u:object_r:pegasus_exec_t,s0)
@@ -9,9 +10,3 @@
 /var/run/tog-pegasus(/.*)?              gen_context(system_u:object_r:pegasus_var_run_t,s0)
 
 /usr/share/Pegasus/mof(/.*)?/.*\.mof    gen_context(system_u:object_r:pegasus_mof_t,s0)
-
-ifdef(`TODO',`
-/usr/sbin/cimauth		-- 	gen_context(system_u:object_r:pegasus_conf_exec_t,s0)
-/usr/sbin/cimconfig		-- 	gen_context(system_u:object_r:pegasus_conf_exec_t,s0)
-/usr/sbin/cimuser		-- 	gen_context(system_u:object_r:pegasus_conf_exec_t,s0)
-')

refpolicy/policy/modules/services/ppp.te

@@ -197,8 +197,8 @@ ifdef(`targeted_policy', `
 ')
 
 optional_policy(`modutils.te',`
-	tunable_policy(`pppd_can_insmod',`
+	tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
-		modutils_domtrans_insmod(pppd_t)
+		modutils_domtrans_insmod_uncond(pppd_t)
 	')
 ')
 

refpolicy/policy/modules/system/fstools.te

@@ -77,6 +77,8 @@ fs_remount_xattr_fs(fsadm_t)
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dir(fsadm_t)
 
+mls_file_write_down(fsadm_t)
+
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)

refpolicy/policy/modules/system/init.te

@@ -123,6 +123,8 @@ kernel_sigchld_from_unlabeled(init_t)
 
 dev_read_sysfs(init_t)
 
+mls_process_write_down(init_t)
+
 selinux_set_boolean(init_t)
 
 term_use_all_terms(init_t)

refpolicy/policy/modules/system/libraries.fc

@@ -60,7 +60,6 @@ ifdef(`distro_redhat',`
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* --	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr/lib(64)?/Pegasus/providers/.*\.so.*	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 
 /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:texrel_shlib_t,s0)

refpolicy/policy/modules/system/modutils.if

@@ -58,13 +58,15 @@ interface(`modutils_rename_module_conf',`
 
 ########################################
 ## <summary>
-##	Execute insmod in the insmod domain.
+##	Unconditionally execute insmod in the insmod domain.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`modutils_domtrans_insmod',`
+# cjp: this is added for pppd, due to nested
+# conditionals not working.
+interface(`modutils_domtrans_insmod_uncond',`
 	gen_require(`
 		type insmod_t, insmod_exec_t;
 	')
@@ -78,6 +80,24 @@ interface(`modutils_domtrans_insmod',`
 	allow insmod_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Execute insmod in the insmod domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`modutils_domtrans_insmod',`
+	gen_require(`
+		bool secure_mode_insmod;
+	')
+
+	if (!secure_mode_insmod) {
+		modutils_domtrans_insmod_uncond($1)
+	}
+')
+
 ########################################
 ## <summary>
 ##	Execute insmod in the insmod domain, and

refpolicy/policy/modules/system/sysnetwork.te

@@ -344,14 +344,18 @@ ifdef(`targeted_policy',`
 	term_use_unallocated_tty(ifconfig_t)
 ')
 
-optional_policy(`ppp.te',`
+optional_policy(`netutils.te',`
-	ppp_use_fd(ifconfig_t)
+	netutils_domtrans(dhcpc_t)
 ')
 
 optional_policy(`nis.te',`
 	nis_use_ypbind(ifconfig_t)
 ')
 
+optional_policy(`ppp.te',`
+	ppp_use_fd(ifconfig_t)
+')
+
 ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
 optional_policy(`rhgb.te', `

targeted/ChangeLog

@@ -1,3 +1,26 @@
+1.27.2 2005-10-20
+	* Merged patch from Chad Hanson.  Modified MLS constraints.
+	Provided comments for the MLS attributes.
+	* Merged two patches from Thomas Bleher which made some minor
+	fixes and cleanups.
+	* Merged patches from Russell Coker. Added comments to some of the
+	MLS attributes.  Added the secure_mode_insmod boolean to determine
+	whether the system permits loading policy, setting enforcing mode,
+	and changing boolean values. Made minor fixes for the cdrecord_domain
+	macro, application_domain, newrole_domain, and daemon_base_domain
+	macros.  Added rules to allow the mail server to access the user
+	home directories in the targeted policy and allows the postfix
+	showq program to do DNS lookups.  Minor fixes for the MCS
+	policy.  Made other minor fixes and cleanups.
+	* Merged patch from Dan Walsh.  Added opencd, pegasus, readahead,
+	and roundup policies.  Created can_access_pty macro to handle pty
+	output.  Created nsswithch_domain macro for domains using
+	nsswitch.  Added mcs transition rules.  Removed mqueue and added
+	capifs genfscon entries.  Added dhcpd and pegasus ports.  Added
+	domain transitions from login domains to pam_console and alsa
+	domains.  Added rules to allow the httpd and squid domains to
+	relay more protocols.  For the targeted policy, removed sysadm_r
+	role from unconfined_t.  Made other fixes and cleanups.
 1.27.1 2005-09-15
 	* Merged small patches from Russell Coker for the apostrophe,
 	dhcpc, fsadm, and setfiles policy.

targeted/Makefile

@@ -27,7 +27,7 @@ CHECKPOLICY = $(BINDIR)/checkpolicy
 GENHOMEDIRCON = $(SBINDIR)/genhomedircon
 SETFILES = $(SBINDIR)/setfiles
 VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
-PREVERS := 19
+PREVERS := 20
 KERNVERS := $(shell cat /selinux/policyvers)
 MLSENABLED := $(shell cat /selinux/mls)
 POLICYVER := policy.$(VERS)
@@ -178,11 +178,7 @@ endif
 
 reload tmp/load: $(LOADPATH) 
 	@echo "Loading Policy ..."
-ifeq ($(VERS), $(KERNVERS))
+	$(LOADPOLICY)
-	$(LOADPOLICY) $(LOADPATH)
-else
-	$(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
-endif
 	touch tmp/load
 
 load: tmp/load $(FCPATH) 

targeted/VERSION

@@ -1 +1 @@
-1.27.1
+1.27.2

targeted/domains/program/dhcpc.te

@@ -164,5 +164,5 @@ allow unconfined_t dhcpc_t:dbus send_msg;
 allow dhcpc_t unconfined_t:dbus send_msg;
 ')
 ')
-ifdef(`netutils.te', `domain_auto_trans(dhcpd_t, netutils_exec_t, netutils_t)')
+ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)')
 allow dhcpc_t locale_t:file write;

targeted/domains/program/fsadm.te

@@ -12,7 +12,7 @@
 # administration.
 # fsadm_exec_t is the type of the corresponding programs.
 #
-type fsadm_t, domain, privlog, fs_domain, mlsfileread;
+type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
 role system_r types fsadm_t;
 role sysadm_r types fsadm_t;
 

targeted/domains/program/init.te

@@ -14,7 +14,7 @@
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
 role system_r types init_t;
 uses_shlib(init_t);
 type init_exec_t, file_type, sysadmfile, exec_type;

targeted/domains/program/load_policy.te

@@ -8,6 +8,10 @@
 # load_policy_t is the domain type for load_policy 
 # load_policy_exec_t is the file type for the executable
 
+# boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values.  Set this to true and you
+# have to reboot to set it back
+bool secure_mode_policyload false;
 
 type load_policy_t, domain;
 role sysadm_r types load_policy_t;

targeted/domains/program/modutil.te

@@ -77,11 +77,15 @@ type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
+type insmod_exec_t, file_type, exec_type, sysadmfile;
+
+bool secure_mode_insmod false;
+
+can_ypbind(insmod_t)
 
 ifdef(`unlimitedUtils', `
 unconfined_domain(insmod_t) 
 ')
-can_ypbind(insmod_t)
 uses_shlib(insmod_t)
 read_locale(insmod_t)
 
@@ -128,7 +132,7 @@ allow insmod_t self:udp_socket create_socket_perms;
 allow insmod_t self:unix_dgram_socket create_socket_perms;
 allow insmod_t self:unix_stream_socket create_stream_socket_perms;
 allow insmod_t self:rawip_socket create_socket_perms;
-allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
+allow insmod_t self:capability { dac_override kill net_raw sys_tty_config };
 allow insmod_t domain:process signal;
 allow insmod_t self:process { fork signal_perms };
 allow insmod_t device_t:dir search;
@@ -161,8 +165,11 @@ allow insmod_t sysctl_hotplug_t:file { getattr read };
 allow insmod_t device_t:dir read;
 allow insmod_t devpts_t:dir { getattr search };
 
-type insmod_exec_t, file_type, exec_type, sysadmfile;
+if (!secure_mode_insmod) {
 domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
+allow insmod_t self:capability sys_module;
+}dnl end if !secure_mode_insmod
+
 can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
 allow insmod_t devtty_t:chr_file rw_file_perms;
 allow insmod_t privmodule:process sigchld;

targeted/domains/program/ping.te

@@ -37,7 +37,6 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t)
 uses_shlib(ping_t)
 can_network_client(ping_t)
 can_resolve(ping_t)
-allow ping_t dns_port_t:tcp_socket name_connect;
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;

targeted/domains/program/postfix.te

@@ -193,10 +193,10 @@ allow postfix_smtpd_t self:file { getattr read };
 
 # for prng_exch
 allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+
 allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
 
 postfix_server_domain(local, `, mta_delivery_agent')
-
 ifdef(`procmail.te', `
 domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
 # for a bug in the postfix local program

targeted/domains/program/spamd.te

@@ -9,20 +9,19 @@ daemon_domain(spamd)
 
 tmp_domain(spamd)
 
-allow spamd_t spamd_port_t:tcp_socket name_bind;
-
 general_domain_access(spamd_t)
 uses_shlib(spamd_t)
-can_ypbind(spamd_t)
 read_sysctl(spamd_t)
 
 # Various Perl bits
 allow spamd_t lib_t:file rx_file_perms;
 dontaudit spamd_t shadow_t:file { getattr read };
 dontaudit spamd_t initrc_var_run_t:file { read write lock };
-dontaudit spamd_t sysadm_home_dir_t:dir getattr;
+dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };
 
 can_network_server(spamd_t)
+allow spamd_t spamd_port_t:tcp_socket name_bind;
+can_ypbind(spamd_t)
 allow spamd_t self:capability net_bind_service;
 
 allow spamd_t proc_t:file { getattr read };

targeted/file_contexts/program/pegasus.fc

@@ -1,11 +1,9 @@
 # File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
 /usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t:s0
-/usr/sbin/cimconfig		-- 	system_u:object_r:pegasus_conf_exec_t:s0
-/usr/sbin/cimuser		-- 	system_u:object_r:pegasus_conf_exec_t:s0
-/usr/sbin/cimauth		-- 	system_u:object_r:pegasus_conf_exec_t:s0
 /usr/sbin/init_repository	-- 	system_u:object_r:pegasus_exec_t:s0
-/usr/lib(64)?/Pegasus/providers/.*\.so.*	system_u:object_r:shlib_t:s0
 /etc/Pegasus(/.*)?			system_u:object_r:pegasus_conf_t:s0
 /var/lib/Pegasus(/.*)?	                system_u:object_r:pegasus_data_t:s0
 /var/run/tog-pegasus(/.*)?              system_u:object_r:pegasus_var_run_t:s0
 /usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t:s0
+/etc/Pegasus/pegasus_current.conf	system_u:object_r:pegasus_data_t:s0
+

targeted/macros/base_user_macros.te

@@ -173,6 +173,7 @@ ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
 ifdef(`chkpwd.te', `chkpwd_domain($1)')
 ifdef(`fingerd.te', `fingerd_macro($1)')
 ifdef(`mta.te', `mail_domain($1)')
+ifdef(`exim.te', `exim_user_domain($1)')
 ifdef(`crontab.te', `crontab_domain($1)')
 
 ifdef(`screen.te', `screen_domain($1)')

targeted/macros/core_macros.te

@@ -306,8 +306,10 @@ allow $1 self:file { getattr read };
 # Access selinuxfs.
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
 allow $1 security_t:security setenforce;
 auditallow $1 security_t:security setenforce;
+}dnl end if !secure_mode_policyload
 ')
 
 ##################################
@@ -326,8 +328,10 @@ allow $1 self:file { getattr read };
 # Access selinuxfs.
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
 allow $1 security_t:security setbool;
 auditallow $1 security_t:security setbool;
+}dnl end if !secure_mode_policyload
 ')
 
 ##################################
@@ -367,8 +371,10 @@ allow $1 self:file { getattr read };
 # Access selinuxfs.
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
 allow $1 security_t:security load_policy;
 auditallow $1 security_t:security load_policy;
+}dnl end if !secure_mode_policyload
 ')
 
 #################################

targeted/macros/global_macros.te

@@ -324,13 +324,14 @@ can_exec(sysadm_t, $1_exec_t)
 } else {
 ') dnl transitionbool
 domain_auto_trans(initrc_t, $1_exec_t, $1_t)
+
 allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
 ifdef(`direct_sysadm_daemon', `
 ifelse(`$3', `nosysadm', `', `
 domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
 allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
-')dnl end direct_sysadm_daemon
 ')dnl end nosysadm
+')dnl end direct_sysadm_daemon
 ifelse(index(`$2', `transitionbool'), -1, `', `
 }
 ') dnl end transitionbool
@@ -703,8 +704,10 @@ allow $1 domain:{ sem msgq shm } *;
 allow $1 domain:msg  { send receive };
 
 # Access the security API.
+if (!secure_mode_policyload) {
 allow $1 security_t:security *;
 auditallow $1 security_t:security { load_policy setenforce setbool };
+}dnl end if !secure_mode_policyload
 
 # Perform certain system operations that lacked individual capabilities.
 allow $1 kernel_t:system *;
@@ -758,4 +761,6 @@ r_dir_file($1, cert_t)
 allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
 allow $1 self:capability { audit_write audit_control };
 dontaudit $1 shadow_t:file { getattr read };
+allow $1 sbin_t:dir search;
+allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 ')

targeted/macros/program/cdrecord_macros.te

@@ -45,5 +45,9 @@ can_access_pty($1_cdrecord_t, $1)
 allow $1_cdrecord_t $1_home_t:dir search;
 allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
 allow $1_cdrecord_t $1_home_t:file r_file_perms;
+if (use_nfs_home_dirs) {
+allow $1_cdrecord_t mnt_t:dir search;
+r_dir_file($1_cdrecord_t, nfs_t)
+}
 ')
 

targeted/macros/program/chkpwd_macros.te

@@ -27,15 +27,10 @@ authentication_domain($1_chkpwd_t)
 
 ifelse($1, system, `
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-allow auth_chkpwd sbin_t:dir search;
-allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
 dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
 authentication_domain(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
-allow $1_t sbin_t:dir search;
-allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 # Write to the user domain tty.
 access_terminal($1_chkpwd_t, $1)

targeted/macros/program/dbusd_macros.te

@@ -40,7 +40,8 @@ allow $1_dbusd_t proc_t:file read;
 
 can_getsecurity($1_dbusd_t)
 r_dir_file($1_dbusd_t, default_context_t)
-allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;
+allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
 
 ifdef(`pamconsole.te', `
 r_dir_file($1_dbusd_t, pam_var_console_t)

targeted/macros/program/ypbind_macros.te

@@ -1,4 +1,3 @@
-
 define(`uncond_can_ypbind', `
 can_network($1)
 r_dir_file($1,var_yp_t)