patch from dan 1/16/06

refpolicy/man/man8/ftpd_selinux.8

@@ -16,9 +16,9 @@ If you want to setup a directory where you can upload files to you must label th
 .TP
 chcon -t public_content_rw_t /var/ftp/incoming
 .TP
-You must also turn on the boolean allow_ftp_anon_write.
+You must also turn on the boolean allow_ftpd_anon_write.
 .TP
-setsebool -P allow_ftp_anon_write=1
+setsebool -P allow_ftpd_anon_write=1
 .TP
 If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
 .TP

refpolicy/policy/modules/admin/kudzu.te

@@ -1,5 +1,5 @@
 
-policy_module(kudzu,1.0.1)
+policy_module(kudzu,1.0.2)
 
 ########################################
 #
@@ -63,6 +63,7 @@ fs_search_ramfs(kudzu_t)
 fs_write_ramfs_socket(kudzu_t)
 
 mls_file_read_up(kudzu_t)
+mls_file_write_down(kudzu_t)
 
 modutils_read_mods_deps(kudzu_t)
 modutils_read_module_conf(kudzu_t)

refpolicy/policy/modules/admin/readahead.te

@@ -1,5 +1,5 @@
 
-policy_module(readahead,1.0.1)
+policy_module(readahead,1.0.2)
 
 ########################################
 #
@@ -35,6 +35,7 @@ dev_getattr_generic_blk_file(readahead_t)
 dev_getattr_all_chr_files(readahead_t)
 dev_getattr_all_blk_files(readahead_t)
 dev_dontaudit_read_all_blk_files(readahead_t)
+dev_dontaudit_getattr_memory_dev(readahead_t)
 
 domain_use_wide_inherit_fd(readahead_t)
 
@@ -46,6 +47,7 @@ fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
 fs_getattr_all_pipes(readahead_t)
 fs_getattr_all_files(readahead_t)
+fs_search_ramfs(readahead_t)
 
 term_dontaudit_use_console(readahead_t)
 

refpolicy/policy/modules/apps/java.fc

@@ -2,3 +2,4 @@
 # /usr
 #
 /usr(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gij		--	gen_context(system_u:object_r:java_exec_t,s0)

refpolicy/policy/modules/kernel/devices.if

@@ -1133,6 +1133,22 @@ interface(`dev_delete_lvm_control',`
 	allow $1 lvm_control_t:chr_file unlink;
 ')
 
+########################################
+## <summary>
+##	dontaudit getattr raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_dontaudit_getattr_memory_dev',`
+	gen_require(`
+		type memory_device_t;
+	')
+
+	dontaudit $1 memory_device_t:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read raw memory devices (e.g. /dev/mem).

refpolicy/policy/modules/kernel/filesystem.if

@@ -952,6 +952,23 @@ interface(`fs_relabelfrom_dos_fs',`
 	allow $1 dosfs_t:filesystem relabelfrom;
 ')
 
+########################################
+## <summary>
+##	Read eventpollfs files
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_read_eventpollfs',`
+	gen_require(`
+		type eventpollfs_t;
+	')
+
+	allow $1 eventpollfs_t:dir search_dir_perms;
+	allow $1 eventpollfs_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mount an iso9660 filesystem, which
@@ -2280,6 +2297,25 @@ interface(`fs_use_tmpfs_chr_dev',`
 	allow $1 tmpfs_t:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	dontaudit Read and write character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+	gen_require(`
+		type tmpfs_t;
+		class dir r_dir_perms; 
+		class chr_file rw_file_perms;
+	')
+
+	dontaudit $1 tmpfs_t:dir r_dir_perms;
+	dontaudit $1 tmpfs_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Relabel character nodes on tmpfs filesystems.

refpolicy/policy/modules/kernel/mls.te

@@ -1,5 +1,5 @@
 
-policy_module(mls,1.1.2)
+policy_module(mls,1.1.3)
 
 ########################################
 #
@@ -55,6 +55,7 @@ attribute mlsrangetrans;
 # temporarily have to break encapsulation to work around this.
 #
 
+type auditd_exec_t;
 type crond_exec_t;
 type cupsd_exec_t;
 type getty_t;
@@ -87,4 +88,5 @@ range_transition unconfined_t initrc_exec_t s0;
 ifdef(`enable_mls',`
 # run init with maximum MLS range
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+range_transition initrc_t auditd_exec_t s15:c0.c255;
 ')

refpolicy/policy/modules/services/apache.te

@@ -1,5 +1,5 @@
 
-policy_module(apache,1.1.3)
+policy_module(apache,1.1.4)
 
 #
 # NOTES: 
@@ -690,6 +690,10 @@ optional_policy(`mysql',`
 
 unconfined_domain_template(httpd_unconfined_script_t)
 
+optional_policy(`cron',`
+	cron_system_entry(httpd_t, httpd_exec_t)
+')
+
 optional_policy(`nscd',`
 	nscd_use_socket(httpd_unconfined_script_t)
 ')

refpolicy/policy/modules/services/apm.te

@@ -1,5 +1,5 @@
 
-policy_module(apm,1.1.1)
+policy_module(apm,1.1.2)
 
 ########################################
 #
@@ -196,6 +196,7 @@ optional_policy(`clock',`
 ')
 
 optional_policy(`cron',`
+	cron_system_entry(apmd_t, apmd_exec_t)
 	cron_domtrans_anacron_system_job(apmd_t)
 ')
 

refpolicy/policy/modules/services/automount.te

@@ -1,5 +1,5 @@
 
-policy_module(automount,1.0.4)
+policy_module(automount,1.0.5)
 
 ########################################
 #
@@ -108,6 +108,7 @@ fs_search_auto_mountpoints(automount_t)
 fs_manage_auto_mountpoints(automount_t)
 
 term_dontaudit_use_console(automount_t)
+term_dontaudit_getattr_pty_dir(automount_t)
 
 init_use_fd(automount_t)
 init_use_script_pty(automount_t)

refpolicy/policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron,1.1.4)
+policy_module(cron,1.1.5)
 
 gen_require(`
 	class passwd rootok;
@@ -120,7 +120,7 @@ files_search_default(crond_t)
 
 init_use_fd(crond_t)
 init_use_script_pty(crond_t)
-init_read_script_pid(crond_t)
+init_rw_script_pid(crond_t)
 
 libs_use_ld_so(crond_t)
 libs_use_shared_libs(crond_t)

refpolicy/policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.1.1)
+policy_module(cups,1.1.2)
 
 ########################################
 #
@@ -201,8 +201,7 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`cron',`
-	cron_use_fd(cupsd_t)
-	cron_read_pipe(cupsd_t)
+	cron_system_entry(cupsd_t, cupsd_exec_t)
 ')
 
 optional_policy(`dbus',`
@@ -580,8 +579,7 @@ ifdef(`targeted_policy', `
 ')
 
 optional_policy(`cron',`
-	cron_use_system_job_fd(cupsd_config_t)
-	cron_read_pipe(cupsd_config_t)
+	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
 optional_policy(`dbus',`

refpolicy/policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.1.5)
+policy_module(hal,1.1.6)
 
 ########################################
 #
@@ -50,6 +50,8 @@ kernel_read_kernel_sysctl(hald_t)
 kernel_read_fs_sysctl(hald_t)
 kernel_write_proc_file(hald_t)
 
+bootloader_getattr_boot_dir(hald_t)
+
 corecmd_exec_bin(hald_t)
 corecmd_exec_sbin(hald_t)
 
@@ -82,8 +84,8 @@ domain_exec_all_entry_files(hald_t)
 files_exec_etc_files(hald_t)
 files_read_etc_files(hald_t)
 files_rw_etc_runtime_files(hald_t)
-files_search_mnt(hald_t)
 files_manage_mnt_dirs(hald_t)
+files_manage_mnt_files(hald_t)
 files_search_var_lib(hald_t)
 files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
@@ -145,6 +147,10 @@ optional_policy(`apm',`
 	apm_stream_connect(hald_t)
 ')
 
+optional_policy(`bind',`
+	bind_search_cache(hald_t)
+')
+
 optional_policy(`clock',`
 	clock_domtrans(hald_t)
 ')
@@ -158,6 +164,7 @@ optional_policy(`dbus',`
 	dbus_system_bus_client_template(hald,hald_t)
 	dbus_send_system_bus_msg(hald_t)
 	dbus_connect_system_bus(hald_t)
+	allow hald_t self:dbus send_msg;
 
 	init_dbus_chat_script(hald_t)
 

refpolicy/policy/modules/services/mta.te

@@ -1,5 +1,5 @@
 
-policy_module(mta,1.1.3)
+policy_module(mta,1.1.4)
 
 ########################################
 #
@@ -53,6 +53,8 @@ kernel_read_network_state(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
+fs_read_eventpollfs(system_mail_t)
+
 init_use_script_pty(system_mail_t)
 
 userdom_use_sysadm_terms(system_mail_t)

refpolicy/policy/modules/services/sendmail.te

@@ -1,5 +1,5 @@
 
-policy_module(sendmail,1.1.1)
+policy_module(sendmail,1.1.2)
 
 ########################################
 #
@@ -31,6 +31,7 @@ allow sendmail_t self:fifo_file rw_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
 allow sendmail_t self:tcp_socket create_stream_socket_perms;
+allow sendmail_t self:udp_socket create_socket_perms;
 
 allow sendmail_t sendmail_log_t:file create_file_perms;
 allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
@@ -92,6 +93,7 @@ sysnet_read_config(sendmail_t)
 userdom_dontaudit_use_unpriv_user_fd(sendmail_t)
 userdom_dontaudit_search_sysadm_home_dir(sendmail_t)
 
+mta_read_config(sendmail_t)
 mta_filetrans_etc_aliases(sendmail_t)
 # Write to /etc/aliases and /etc/mail.
 mta_rw_aliases(sendmail_t)

refpolicy/policy/modules/system/authlogin.if

@@ -918,6 +918,19 @@ interface(`auth_dontaudit_exec_utempter',`
 	dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
 ')
 
+#######################################
+#
+# auth_setattr_login_records(domain)
+#
+interface(`auth_setattr_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	allow $1 wtmp_t:file setattr;
+	logging_search_logs($1)
+')
+
 #######################################
 #
 # auth_read_login_records(domain)

refpolicy/policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.1.1)
+policy_module(authlogin,1.1.2)
 
 ########################################
 #
@@ -129,14 +129,6 @@ optional_policy(`nscd',`
 	nscd_use_socket(pam_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
-# Supress xdm denial
-ifdef(`xdm.te', `
-dontaudit pam_t xdm_t:fd use;
-') dnl ifdef
-') dnl endif TODO
-
 ########################################
 #
 # PAM console local policy
@@ -229,6 +221,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(pam_console_t)
 ')
 
+optional_policy(`alsa',`
+	alsa_domtrans(pam_console_t)
+')
+
 optional_policy(`gpm',`
 	gpm_getattr_gpmctl(pam_console_t)
 	gpm_setattr_gpmctl(pam_console_t)

refpolicy/policy/modules/system/hostname.te

@@ -29,6 +29,7 @@ dev_read_sysfs(hostname_t)
 
 fs_getattr_xattr_fs(hostname_t)
 fs_search_auto_mountpoints(hostname_t)
+fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
 
 term_dontaudit_use_console(hostname_t)
 term_use_all_user_ttys(hostname_t)
@@ -55,35 +56,6 @@ miscfiles_read_localization(hostname_t)
 sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
-userdom_use_all_user_fd(hostname_t)
 
-ifdef(`distro_redhat', `
-	fs_use_tmpfs_chr_dev(hostname_t)
-')
 
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_tty(hostname_t)
-	term_dontaudit_use_generic_pty(hostname_t)
-	files_dontaudit_read_root_file(hostname_t)
-')
 
-optional_policy(`firstboot',`
-	firstboot_use_fd(hostname_t)
-')
-
-optional_policy(`hotplug',`
-	hotplug_dontaudit_use_fd(hostname_t)
-')
-
-optional_policy(`nscd',`
-	nscd_use_socket(hostname_t)
-')
-
-optional_policy(`selinuxutil',`
-	seutil_sigchld_newrole(hostname_t)
-')
-
-optional_policy(`udev',`
-	udev_dontaudit_use_fd(hostname_t)
-	udev_read_db(hostname_t)
-')

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.1.4)
+policy_module(init,1.1.5)
 
 gen_require(`
 	class passwd rootok;
@@ -298,6 +298,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
+auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
 auth_delete_pam_pid(initrc_t)

refpolicy/policy/modules/system/libraries.fc

@@ -158,7 +158,7 @@ ifdef(`distro_redhat',`
 
 # Flash plugin, Macromedia
 HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)

refpolicy/policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.1.1)
+policy_module(logging,1.1.2)
 
 ########################################
 #
@@ -20,7 +20,11 @@ type auditd_log_t;
 files_security_file(auditd_log_t)
 
 type auditd_t;
-type auditd_exec_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+	type auditd_exec_t;
+')
 init_daemon_domain(auditd_t,auditd_exec_t)
 
 type auditd_var_run_t;

refpolicy/policy/modules/system/lvm.te

@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.1.0)
+policy_module(lvm,1.1.1)
 
 ########################################
 #
@@ -209,6 +209,7 @@ storage_create_fixed_disk(lvm_t)
 storage_manage_fixed_disk(lvm_t)
 
 term_dontaudit_getattr_all_user_ttys(lvm_t)
+term_dontaudit_getattr_pty_dir(lvm_t)
 
 corecmd_search_sbin(lvm_t)
 corecmd_dontaudit_getattr_sbin_file(lvm_t)
@@ -259,11 +260,3 @@ optional_policy(`gpm',`
 optional_policy(`udev',`
 	udev_read_db(lvm_t)
 ')
-
-ifdef(`TODO',`
-# it has no reason to need this
-allow lvm_t var_t:dir { search getattr };
-allow lvm_t ramfs_t:filesystem unmount;
-
-dontaudit lvm_t xconsole_device_t:fifo_file getattr;
-') dnl end TODO

refpolicy/policy/modules/system/mount.te

@@ -1,5 +1,5 @@
 
-policy_module(mount,1.1.2)
+policy_module(mount,1.1.3)
 
 ########################################
 #
@@ -32,6 +32,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
 
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
+dev_rw_lvm_control(mount_t)
 
 storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
@@ -46,7 +47,7 @@ fs_relabelfrom_all_fs(mount_t)
 fs_search_auto_mountpoints(mount_t)
 fs_use_tmpfs_chr_dev(mount_t)
 
-term_use_console(mount_t)
+term_use_all_terms(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_sbin(mount_t)

refpolicy/policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.0.2)
+policy_module(selinuxutil,1.0.3)
 
 gen_require(`
 	bool secure_mode;
@@ -316,6 +316,7 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 #
 
 allow restorecon_t self:capability { dac_override dac_read_search fowner };
+allow restorecon_t self:fifo_file rw_file_perms;
 
 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
@@ -469,6 +470,7 @@ ifdef(`distro_gentoo', `
 #
 
 allow setfiles_t self:capability { dac_override dac_read_search fowner };
+allow setfiles_t self:fifo_file rw_file_perms;
 
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;

refpolicy/policy/modules/system/unconfined.if

@@ -33,6 +33,7 @@ template(`unconfined_domain_template',`
 	corenet_unconfined($1)
 	dev_unconfined($1)
 	domain_unconfined($1)
+	domain_dontaudit_read_all_domains_state($1)
 	files_unconfined($1)
 	fs_unconfined($1)
 	selinux_unconfined($1)

refpolicy/policy/modules/system/userdomain.if

@@ -111,6 +111,7 @@ template(`base_user_template',`
 	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
 	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
 	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+	files_search_home($1_t)
 
 	can_exec($1_t,$1_tmp_t)
 

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.1.5)
+policy_module(userdomain,1.1.6)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r, secadm_r;