trunk: 6 patches from dan.

policy/modules/apps/ada.if

@@ -22,3 +22,38 @@ interface(`ada_domtrans',`
 		refpolicywarn(`$0($1) has no effect in strict policy.')
 	')
 ')
+
+########################################
+## <summary>
+##	Execute ada in the ada domain, and
+##	allow the specified role the ada domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the ada domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ada domain to use.
+##	</summary>
+## </param>
+#
+interface(`ada_run',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type ada_t;
+		')
+
+		ada_domtrans($1)
+		role $2 types ada_t;
+		allow ada_t $3:chr_file rw_term_perms;
+	',`
+		refpolicywarn(`$0($1) has no effect in strict policy.')
+	')
+')

policy/modules/apps/ada.te

@@ -1,5 +1,5 @@
 
-policy_module(ada,1.0.1)
+policy_module(ada,1.0.2)
 
 ########################################
 #

policy/modules/apps/wine.if

@@ -18,3 +18,34 @@ interface(`wine_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, wine_exec_t, wine_t)
 ')
+
+########################################
+## <summary>
+##	Execute wine in the wine domain, and
+##	allow the specified role the wine domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the wine domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the wine domain to use.
+##	</summary>
+## </param>
+#
+interface(`wine_run',`
+	gen_require(`
+		type wine_t;
+	')
+
+	wine_domtrans($1)
+	role $2 types wine_t;
+	allow wine_t $3:chr_file rw_term_perms;
+')

policy/modules/apps/wine.te

@@ -1,5 +1,5 @@
 
-policy_module(wine,1.3.1)
+policy_module(wine,1.3.2)
 
 ########################################
 #

policy/modules/services/audioentropy.te

@@ -1,5 +1,5 @@
 
-policy_module(audio_entropy,1.1.0)
+policy_module(audio_entropy,1.1.1)
 
 ########################################
 #
@@ -18,7 +18,7 @@ files_pid_file(entropyd_var_run_t)
 # Local policy
 #
 
-allow entropyd_t self:capability { ipc_lock sys_admin };
+allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
 dontaudit entropyd_t self:capability sys_tty_config;
 allow entropyd_t self:process signal_perms;
 
@@ -32,6 +32,8 @@ kernel_read_proc_symlinks(entropyd_t)
 dev_read_sysfs(entropyd_t)
 dev_read_urand(entropyd_t)
 dev_write_urand(entropyd_t)
+dev_read_rand(entropyd_t)
+dev_write_rand(entropyd_t)
 dev_read_sound(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)

policy/modules/services/automount.te

@@ -1,5 +1,5 @@
 
-policy_module(automount,1.6.0)
+policy_module(automount,1.6.1)
 
 ########################################
 #
@@ -99,6 +99,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
 
 dev_read_sysfs(automount_t)
 # for SSP
+dev_read_rand(automount_t)
 dev_read_urand(automount_t)
 
 domain_use_interactive_fds(automount_t)
@@ -152,10 +153,6 @@ ifdef(`targeted_policy', `
 	term_dontaudit_use_generic_ptys(automount_t)
 ')
 
-optional_policy(`
-	corecmd_exec_bin(automount_t)
-')
-
 optional_policy(`
 	bind_search_cache(automount_t)
 ')

policy/modules/services/dbus.fc

@@ -3,6 +3,9 @@
 # Sorting does not work correctly if I combine these next two roles
 /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
 /bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+
+/var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+
 /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 
 ifdef(`distro_redhat',`

policy/modules/services/dbus.if

@@ -49,6 +49,10 @@ interface(`dbus_stub',`
 ## </param>
 #
 template(`dbus_per_role_template',`
+	gen_require(`
+		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
+		class dbus { send_msg acquire_svc };
+	')
 
 	##############################
 	#
@@ -70,6 +74,7 @@ template(`dbus_per_role_template',`
 	#
 
 	allow $1_dbusd_t self:process { getattr sigkill signal };
+	dontaudit $1_dbusd_t self:process ptrace;
 	allow $1_dbusd_t self:file { getattr read write };
 	allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
 	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
@@ -98,6 +103,13 @@ template(`dbus_per_role_template',`
 	domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
 	allow $2 $1_dbusd_t:process { sigkill signal };
 
+	# cjp: this seems very broken
+	corecmd_bin_domtrans($1_dbusd_t, $2)
+	allow $1_dbusd_t $2:process sigkill;
+	allow $2 $1_dbusd_t:fd use;
+	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+	allow $2 $1_dbusd_t:process sigchld;
+
 	kernel_read_system_state($1_dbusd_t)
 	kernel_read_kernel_sysctls($1_dbusd_t)
 
@@ -149,6 +161,12 @@ template(`dbus_per_role_template',`
 
 	sysnet_read_config($1_dbusd_t)
 
+	userdom_read_user_home_content_files($1, $1_dbusd_t)
+
+	ifdef(`hide_broken_symptoms', `
+		dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
+	')
+
 	tunable_policy(`read_default_t',`
 		files_list_default($1_dbusd_t)
 		files_read_default_files($1_dbusd_t)
@@ -191,7 +209,7 @@ template(`dbus_per_role_template',`
 template(`dbus_system_bus_client_template',`
 	gen_require(`
 		type system_dbusd_t, system_dbusd_t;
-		type system_dbusd_var_run_t;
+		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
 		class dbus send_msg;
 	')
 
@@ -201,9 +219,12 @@ template(`dbus_system_bus_client_template',`
 	# SE-DBus specific permissions
 	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
 
+	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
 	# For connecting to the bus
 	files_search_pids($2)
 	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
+	dbus_read_config($2)
 ')
 
 #######################################
@@ -285,6 +306,7 @@ interface(`dbus_read_config',`
 		type dbusd_etc_t;
 	')
 
+	allow $1 dbusd_etc_t:dir list_dir_perms;
 	allow $1 dbusd_etc_t:file read_file_perms;
 ')
 

policy/modules/services/dbus.te

@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.6.0)
+policy_module(dbus,1.6.1)
 
 gen_require(`
 	class dbus { send_msg acquire_svc };
@@ -20,6 +20,9 @@ init_system_domain(system_dbusd_t,system_dbusd_exec_t)
 type system_dbusd_tmp_t;
 files_tmp_file(system_dbusd_tmp_t)
 
+type system_dbusd_var_lib_t;
+files_pid_file(system_dbusd_var_lib_t)
+
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
 
@@ -48,6 +51,8 @@ manage_dirs_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t)
 manage_files_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t)
 files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 
+read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
 manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
 files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)

policy/modules/services/lpd.if

@@ -394,3 +394,22 @@ template(`lpd_domtrans_user_lpr',`
 
 	domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to execute lpr
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lpd_exec_lpr',`
+	gen_require(`
+		type lpr_exec_t;
+	')
+
+	can_exec($1, lpr_exec_t)
+')

policy/modules/services/lpd.te

@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.6.1)
+policy_module(lpd,1.6.2)
 
 ########################################
 #