trunk: a pile of misc fixes, mainly sync xml docs with interface implementation.

policy/modules/admin/portage.if

@@ -92,6 +92,8 @@ interface(`portage_compile_domain',`
 
 	gen_require(`
 		class dbus send_msg;
+		type portage_devpts_t, portage_log_t, portage_tmp_t;
+		type portage_tmpfs_t;
 	')
 
 	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
@@ -219,6 +221,10 @@ interface(`portage_compile_domain',`
 ## </param>
 #
 interface(`portage_fetch_domain',`
+	gen_require(`
+		type portage_cache_t, portage_conf_t, portage_ebuild_t;
+		type portage_tmp_t, portage_fetch_tmp_t;
+	')
 
 	allow $1 self:capability { dac_override fowner fsetid };
 	allow $1 self:process signal;
@@ -290,6 +296,9 @@ interface(`portage_fetch_domain',`
 ## </param>
 #
 interface(`portage_main_domain',`
+	gen_require(`
+		type portage_log_t, portage_tmp_t;
+	')
 
 	# - setfscreate for merging to live fs
 	# - setexec to run portage fetch

policy/modules/apps/awstats.if

@@ -34,6 +34,7 @@ interface(`awstats_rw_pipes',`
 interface(`awstats_cgi_exec',`
 	gen_require(`
 		type httpd_awstats_script_exec_t;
+		type httpd_awstats_content_t;
 	')
 
 	allow $1 httpd_awstats_content_t:dir search_dir_perms;

policy/modules/apps/ethereal.if

@@ -192,11 +192,6 @@ template(`ethereal_per_role_template',`
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
 #
 template(`ethereal_admin_template',`
 	gen_require(`

policy/modules/apps/evolution.if

@@ -809,7 +809,12 @@ template(`evolution_per_role_template',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object">
+## <param name="file_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="class">
 ##	<summary>
 ##	The object class of the object being created.  If
 ##	no class is specified, dir will be used.
@@ -864,6 +869,12 @@ template(`evolution_stream_connect',`
 ##	Send and receive messages from
 ##	evolution over dbus.
 ## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -885,6 +896,12 @@ interface(`evolution_dbus_chat',`
 ##	Send and receive messages from
 ##	evolution_alarm over dbus.
 ## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.

policy/modules/apps/wireshark.if

@@ -192,11 +192,6 @@ template(`wireshark_per_role_template',`
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
 #
 template(`wireshark_admin_template',`
 	gen_require(`

policy/modules/kernel/corecommands.if

@@ -197,6 +197,25 @@ interface(`corecmd_getattr_bin_files',`
 	getattr_files_pattern($1,bin_t,bin_t)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of files in bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_dontaudit_getattr_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	dontaudit $1 bin_t:dir search_dir_perms;
+	dontaudit $1 bin_t:file getattr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read files in bin directories.
@@ -685,7 +704,7 @@ interface(`corecmd_mmap_sbin_files',`
 ## </param>
 #
 interface(`corecmd_sbin_domtrans',`
-	corecmd_bin_domtrans($1,$2,$3)
+	corecmd_bin_domtrans($1,$2)
 	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
 ')
 
@@ -726,7 +745,7 @@ interface(`corecmd_sbin_domtrans',`
 ## </param>
 #
 interface(`corecmd_sbin_spec_domtrans',`
-	corecmd_bin_spec_domtrans($1,$2,$3)
+	corecmd_bin_spec_domtrans($1,$2)
 	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
 ')
 

policy/modules/kernel/domain.if

@@ -1219,6 +1219,11 @@ interface(`domain_mmap_all_entry_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="target_domain">
+##	<summary>
+##      The type of the new process.
+##	</summary>
+## </param>
 #
 # cjp: added for userhelper
 interface(`domain_entry_file_spec_domtrans',`

policy/modules/kernel/files.if

@@ -4208,7 +4208,7 @@ interface(`files_getattr_generic_locks',`
 #
 interface(`files_manage_generic_locks',`
 	gen_require(`
-		type var_lock_t;
+		type var_t, var_lock_t;
 	')
 
 	allow $1 var_t:dir search_dir_perms;
@@ -4229,6 +4229,7 @@ interface(`files_manage_generic_locks',`
 interface(`files_delete_all_locks',`
 	gen_require(`
 		attribute lockfile;
+		type var_t;
 	')
 
 	allow $1 var_t:dir search_dir_perms;
@@ -4659,6 +4660,17 @@ interface(`files_manage_generic_spool',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="file">
+##	<summary>
+##	Type to which the created node will be transitioned.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object class(es) (single or set including {}) for which this
+##	the transition will occur.
+##	</summary>
+## </param>
 #
 interface(`files_spool_filetrans',`
 	gen_require(`

policy/modules/kernel/filesystem.if

@@ -776,6 +776,25 @@ interface(`fs_read_noxattr_fs_symlinks',`
 	read_lnk_files_pattern($1,noxattrfs,noxattrfs)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
@@ -833,6 +852,44 @@ interface(`fs_read_cifs_symlinks',`
 	read_lnk_files_pattern($1,cifs_t,cifs_t)
 ')
 
+########################################
+## <summary>
+##	Read named pipes
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cifs_named_pipes',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	read_fifo_files_pattern($1,cifs_t,cifs_t)
+')
+
+########################################
+## <summary>
+##	Read named pipes
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cifs_named_sockets',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	read_sock_files_pattern($1,cifs_t,cifs_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute files on a CIFS or SMB
@@ -1647,6 +1704,43 @@ interface(`fs_read_nfs_symlinks',`
 	read_lnk_files_pattern($1,nfs_t,nfs_t)
 ')
 
+#########################################
+## <summary>
+##	Read named sockets on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_nfs_named_sockets',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	read_sock_files_pattern($1,nfs_t,nfs_t)
+')
+
+#########################################
+## <summary>
+##  Read named pipes on a NFS network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_nfs_named_pipes',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	read_fifo_files_pattern($1,nfs_t,nfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Read directories of RPC file system pipes.
@@ -2611,7 +2705,7 @@ interface(`fs_getattr_rpc_pipefs',`
 #
 interface(`fs_rw_rpc_named_pipes',`
 	gen_require(`
-		type nfs_t;
+		type rpc_pipefs_t;
 	')
 
 	allow $1 rpc_pipefs_t:fifo_file { read write };

policy/modules/kernel/terminal.if

@@ -625,6 +625,7 @@ interface(`term_dontaudit_use_ptmx',`
 interface(`term_getattr_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
+		type devpts_t;
 	')
 
 	dev_list_all_dev_nodes($1)
@@ -667,6 +668,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 interface(`term_setattr_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
+		type devpts_t;
 	')
 
 	dev_list_all_dev_nodes($1)

policy/modules/services/fetchmail.if

@@ -10,16 +10,6 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the fetchmail domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`fetchmail_admin',`

policy/modules/services/mta.if

@@ -293,6 +293,11 @@ template(`mta_admin_template',`
 ##	Type to be used as a mail server domain.
 ##	</summary>
 ## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
 #
 interface(`mta_mailserver',`
 	gen_require(`

policy/modules/services/ppp.if

@@ -102,6 +102,16 @@ interface(`ppp_domtrans',`
 ##	 Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the ppp domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ppp domain to use.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`ppp_run_cond',`
@@ -126,6 +136,16 @@ interface(`ppp_run_cond',`
 ##	 Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the ppp domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ppp domain to use.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`ppp_run',`
@@ -280,23 +300,13 @@ interface(`ppp_pid_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the ppp domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ppp_admin',`
 	gen_require(`
 		type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
-		type pppd_etc_t, pppd_script_t, pppd_secret_t;
-		type pppd_etc_rw_t, pppd_var_lib_t, pppd_var_run_t;
+		type pppd_etc_t, pppd_secret_t;
+		type pppd_etc_rw_t, pppd_var_run_t;
 
 		type pptp_t, pptp_log_t, pptp_var_run_t;
 	')
@@ -319,9 +329,6 @@ interface(`ppp_admin',`
 
 	manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
 
-	files_list_var_lib($1)
-	manage_files_pattern($1, pppd_var_lib_t, pppd_var_lib_t)
-
 	files_list_pids($1)
 	manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
 

policy/modules/services/privoxy.if

@@ -10,16 +10,6 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the privoxy domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`privoxy_admin',`

policy/modules/services/radius.if

@@ -24,38 +24,28 @@ interface(`radius_use',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the radius domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`radius_admin',`
 	gen_require(`
-		type radius_t, radius_etc_t, radius_log_t;
-		type radius_etc_rw_t, radius_var_lib_t, radius_var_run_t;
+		type radiusd_t, radiusd_etc_t, radiusd_log_t;
+		type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
 	')
 
-	allow $1 radius_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, radius_t)
+	allow $1 radiusd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, radiusd_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, radius_etc_t, radius_etc_t)
+	manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, radius_log_t, radius_log_t)
+	manage_files_pattern($1, radiusd_log_t, radiusd_log_t)
 
-	manage_files_pattern($1, radius_etc_rw_t, radius_etc_rw_t)
+	manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, radius_var_lib_t, radius_var_lib_t)
+	manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, radius_var_run_t, radius_var_run_t)
+	manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t)
 ')

policy/modules/services/radvd.if

@@ -10,16 +10,6 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the radvd domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`radvd_admin',`

policy/modules/services/rwho.if

@@ -126,16 +126,6 @@ interface(`rwho_manage_spool_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the rwho domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`rwho_admin',`

policy/modules/services/sasl.if

@@ -29,16 +29,6 @@ interface(`sasl_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the sasl domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`sasl_admin',`

policy/modules/services/smartmon.if

@@ -28,16 +28,6 @@ interface(`smartmon_read_tmp_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the smartmon domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`smartmon_admin',`

policy/modules/services/snmp.if

@@ -95,33 +95,23 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the snmp domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`snmp_admin',`
 	gen_require(`
-		type snmp_t, snmp_log_t;
-		type snmp_var_lib_t, snmp_var_run_t;
+		type snmpd_t, snmpd_log_t;
+		type snmpd_var_lib_t, snmpd_var_run_t;
 	')
 
-	allow $1 snmp_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, snmp_t)
+	allow $1 snmpd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, snmpd_t)
 	        
 	logging_list_logs($1)
-	manage_files_pattern($1, snmp_log_t, snmp_log_t)
+	manage_files_pattern($1, snmpd_log_t, snmpd_log_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, snmp_var_lib_t, snmp_var_lib_t)
+	manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, snmp_var_run_t, snmp_var_run_t)
+	manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t)
 ')

policy/modules/services/tftp.if

@@ -10,31 +10,21 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the tftp domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tftp_admin',`
 	gen_require(`
-		type tftp_t, tftpdir_t;
-		type tftp_rw_t, tftp_var_run_t;
+		type tftpd_t, tftpdir_t;
+		type tftpdir_rw_t, tftpd_var_run_t;
 	')
 
-	allow $1 tftp_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, tftp_t)
+	allow $1 tftpd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, tftpd_t)
 	        
-	manage_files_pattern($1, tftp_rw_t, tftp_rw_t)
+	manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 
 	manage_files_pattern($1, tftpdir_t, tftpdir_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, tftp_var_run_t, tftp_var_run_t)
+	manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t)
 ')

policy/modules/services/tor.if

@@ -28,21 +28,11 @@ interface(`tor_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the tor domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tor_admin',`
 	gen_require(`
-		type tor_t, tor_log_t, tor_etc_t;
+		type tor_t, tor_var_log_t, tor_etc_t;
 		type tor_var_lib_t, tor_var_run_t;
 	')
 
@@ -50,7 +40,7 @@ interface(`tor_admin',`
 	ps_process_pattern($1, tor_t)
 	        
 	logging_list_logs($1)
-	manage_files_pattern($1, tor_log_t, tor_log_t)
+	manage_files_pattern($1, tor_var_log_t, tor_var_log_t)
 
 	files_list_etc($1)
 	manage_files_pattern($1, tor_etc_t, tor_etc_t)

policy/modules/services/uucp.if

@@ -71,41 +71,31 @@ interface(`uucp_domtrans_uux',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the uucp domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`uucp_admin',`
 	gen_require(`
-		type uucp_t, uucp_tmp_t, uucp_log_t;
-		type uucp_spool_t, uucp_ro_t, uucp_rw_t;
-		type uucp_var_run_t;
+		type uucpd_t, uucpd_tmp_t, uucpd_log_t;
+		type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
+		type uucpd_var_run_t;
 	')
 
-	allow $1 uucp_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, uucp_t)
+	allow $1 uucpd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, uucpd_t)
 	        
 	files_list_tmp($1)
-	manage_files_pattern($1, uucp_tmp_t, uucp_tmp_t)
+	manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, uucp_log_t, uucp_log_t)
+	manage_files_pattern($1, uucpd_log_t, uucpd_log_t)
 
 	files_list_spool($1)
-	manage_files_pattern($1, uucp_spool_t, uucp_spool_t)
+	manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
 
-	manage_files_pattern($1, uucp_rw_t, uucp_rw_t)
+	manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t)
 
-	manage_files_pattern($1, uucp_ro_t, uucp_ro_t)
+	manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, uucp_var_run_t, uucp_var_run_t)
+	manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t)
 ')

policy/modules/services/zabbix.if

@@ -87,16 +87,6 @@ interface(`zabbix_read_pid_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the zabbix domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`zabbix_admin',`

policy/modules/services/zebra.if

@@ -32,16 +32,6 @@ interface(`zebra_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the zebra domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`zebra_admin',`

policy/modules/system/logging.if

@@ -690,16 +690,6 @@ interface(`logging_manage_generic_logs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the audit domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`logging_admin_audit',`
@@ -731,16 +721,6 @@ interface(`logging_admin_audit',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the syslog domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`logging_admin_syslog',`
@@ -788,19 +768,9 @@ interface(`logging_admin_syslog',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the syslog domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`logging_admin',`
-	logging_admin_audit($1, $2, $3)
-	logging_admin_syslog($1, $2, $3)
+	logging_admin_audit($1)
+	logging_admin_syslog($1)
 ')

policy/modules/system/miscfiles.if

@@ -382,6 +382,7 @@ interface(`miscfiles_read_tetex_data',`
 interface(`miscfiles_exec_tetex_data',`
 	gen_require(`
 		type fonts_t;
+		type tetex_data_t;
 	')
 
 	files_search_var($1)

policy/modules/system/modutils.if

@@ -200,7 +200,7 @@ interface(`modutils_domtrans_depmod',`
 #
 interface(`modutils_run_depmod',`
 	gen_require(`
-		type depmod_t;
+		type depmod_t, insmod_t;
 	')
 
 	modutils_domtrans_depmod($1)

policy/modules/system/selinuxutil.if

@@ -817,7 +817,7 @@ interface(`seutil_read_file_contexts',`
 #
 interface(`seutil_rw_file_contexts',`
 	gen_require(`
-		type selinux_config_t, file_context_t;
+		type selinux_config_t, file_context_t, default_context_t;
 	')
 
 	files_search_etc($1)
@@ -838,7 +838,7 @@ interface(`seutil_rw_file_contexts',`
 #
 interface(`seutil_manage_file_contexts',`
 	gen_require(`
-		type selinux_config_t, file_context_t;
+		type selinux_config_t, file_context_t, default_context_t;
 	')
 
 	files_search_etc($1)

policy/modules/system/userdomain.if

@@ -191,7 +191,7 @@ template(`userdom_ro_home_template',`
 		fs_read_nfs_named_sockets($1_t)
 		fs_read_nfs_named_pipes($1_t)
 	',`
-		fs_dontaudit_read_nfs_dirs($1_t)
+		fs_dontaudit_list_nfs($1_t)
 		fs_dontaudit_read_nfs_files($1_t)
 	')
 
@@ -1111,10 +1111,6 @@ template(`userdom_restricted_xwindows_user_template',`
 		java_per_role_template($1, $1_t, $1_r)
 	')
 
-	optional_policy(`
-		mono_per_role_template($1, $1_t, $1_r)
-	')
-
 	optional_policy(`
 		setroubleshoot_dontaudit_stream_connect($1_t)
 	')
@@ -4130,8 +4126,8 @@ interface(`userdom_sysadm_sbin_spec_domtrans_to',`
 ## </param>
 #
 interface(`userdom_sysadm_entry_spec_domtrans_to',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_entry_spec_domtrans_to() instead.')
-	sysadm_entry_spec_domtrans_to($1)
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_entry_spec_domtrans() instead.')
+	sysadm_entry_spec_domtrans($1)
 ')
 
 ########################################
@@ -4850,7 +4846,7 @@ interface(`userdom_search_generic_user_home_dirs',`
 #
 interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
 	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_home_dir_filetrans_home_content() instead.')
-	unprivuser_home_dir_filetrans_home_content($1)
+	unprivuser_home_dir_filetrans_home_content($1, $2)
 ')
 
 ########################################