trunk: 8 patches from dan.

Changelog

@@ -14,6 +14,7 @@
   named pipe.  Updated init_telinit() to match.
 - Added modules:
 	cyphesis (Dan Walsh)
+	memcached (Dan Walsh)
 	oident (Dominick Grift)
 	w3c (Dan Walsh)
 

policy/modules/services/amavis.fc

@@ -1,8 +1,10 @@
 
 /etc/amavis\.conf		--	gen_context(system_u:object_r:amavis_etc_t,s0)
-/etc/amavisd(/.*)?		--	gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/amavisd(/.*)?			gen_context(system_u:object_r:amavis_etc_t,s0)
+/etc/rc\.d/init\.d/amavis	--	gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
 
 /usr/sbin/amavisd.*		--	gen_context(system_u:object_r:amavis_exec_t,s0)
+/usr/lib(64)?/AntiVir/antivir	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 
 ifdef(`distro_debian',`
 /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)

policy/modules/services/amavis.if

@@ -197,6 +197,11 @@ interface(`amavis_create_pid_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`amavis_admin',`
@@ -204,28 +209,34 @@ interface(`amavis_admin',`
 		type amavis_t, amavis_tmp_t, amavis_var_log_t;
 		type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
 		type amavis_etc_t, amavis_quarantine_t;
+ 		type amavis_initrc_exec_t;
 	')
 
 	allow $1 amavis_t:process { ptrace signal_perms };
 	ps_process_pattern($1, amavis_t)
-        
-	files_list_tmp($1)
-	manage_files_pattern($1, amavis_tmp_t, amavis_tmp_t)
 
-	manage_files_pattern($1, amavis_quarantine_t, amavis_quarantine_t)
+	init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 amavis_initrc_exec_t system_r;
+ 	allow $2 system_r;
 
 	files_list_etc($1)
-	manage_files_pattern($1, amavis_etc_t, amavis_etc_t)
+	admin_pattern($1, amavis_etc_t)
 
-	logging_list_logs($1)
-	manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t)
+	admin_pattern($1, amavis_quarantine_t)
 
 	files_list_spool($1)
-	manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
+	admin_pattern($1, amavis_spool_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, amavis_tmp_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+	admin_pattern($1, amavis_var_lib_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, amavis_var_log_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, amavis_var_run_t, amavis_var_run_t)
+	admin_pattern($1, amavis_var_run_t)
 ')

policy/modules/services/amavis.te

@@ -1,5 +1,5 @@
 
-policy_module(amavis, 1.7.0)
+policy_module(amavis, 1.7.1)
 
 ########################################
 #
@@ -13,7 +13,10 @@ init_daemon_domain(amavis_t, amavis_exec_t)
 
 # configuration files
 type amavis_etc_t;
-files_type(amavis_etc_t)
+files_config_file(amavis_etc_t)
+
+type amavis_initrc_exec_t;
+init_script_file(amavis_initrc_exec_t)
 
 # pid files
 type amavis_var_run_t;
@@ -57,6 +60,8 @@ allow amavis_t amavis_etc_t:dir list_dir_perms;
 read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
 read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
 
+can_exec(amavis_t, amavis_exec_t)
+
 # mail quarantine
 manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)
 manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t)

policy/modules/services/automount.fc

@@ -2,6 +2,7 @@
 # /etc
 #
 /etc/apm/event\.d/autofs --	gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/rc\.d/init\.d/autofs	--	gen_context(system_u:object_r:automount_initrc_exec_t,s0)
 
 #
 # /usr
@@ -12,4 +13,4 @@
 # /var
 #
 
-/var/run/autofs(/.*)?		gen_context(system_u:object_r:automount_var_run_t,s0)
+/var/run/autofs.*		gen_context(system_u:object_r:automount_var_run_t,s0)

policy/modules/services/automount.if

@@ -56,6 +56,42 @@ interface(`automount_read_state',`
 	read_files_pattern($1, automount_t, automount_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to file descriptors for automount.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+	gen_require(`
+		type automount_t;
+	')
+
+	dontaudit $1 automount_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write automount daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_write_pipes',`
+	gen_require(`
+		type automount_t;
+	')
+
+	dontaudit $1 automount_t:fifo_file write;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
@@ -74,3 +110,44 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
 
 	dontaudit $1 automount_tmp_t:dir getattr;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an automount environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the automount domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`automount_admin',`
+	gen_require(`
+		type automount_t, automount_lock_t, automount_tmp_t;
+		type automount_var_run_t, automount_initrc_exec_t;
+	')
+
+	allow $1 automount_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, automount_t)
+
+	init_labeled_script_domtrans($1, automount_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 automount_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var($1)
+	admin_pattern($1, automount_lock_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, automount_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, automount_var_run_t)
+')

policy/modules/services/automount.te

@@ -1,5 +1,5 @@
 
-policy_module(automount, 1.9.0)
+policy_module(automount, 1.9.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type automount_t;
 type automount_exec_t;
 init_daemon_domain(automount_t, automount_exec_t)
 
+type automount_initrc_exec_t;
+init_script_file(automount_initrc_exec_t)
+
 type automount_var_run_t;
 files_pid_file(automount_var_run_t)
 
@@ -35,8 +38,6 @@ allow automount_t self:tcp_socket create_stream_socket_perms;
 allow automount_t self:udp_socket create_socket_perms;
 allow automount_t self:rawip_socket create_socket_perms;
 
-allow automount_t self:netlink_route_socket r_netlink_socket_perms;
-
 can_exec(automount_t, automount_exec_t)
 
 allow automount_t automount_lock_t:file manage_file_perms;
@@ -52,7 +53,8 @@ files_home_filetrans(automount_t, automount_tmp_t, dir)
 files_root_filetrans(automount_t, automount_tmp_t, dir)
 
 manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
-files_pid_filetrans(automount_t, automount_var_run_t, file)
+manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
 
 kernel_read_kernel_sysctls(automount_t)
 kernel_read_irq_sysctls(automount_t)
@@ -126,8 +128,12 @@ fs_unmount_autofs(automount_t)
 fs_mount_autofs(automount_t)
 fs_manage_autofs_symlinks(automount_t)
 
+storage_rw_fuse(automount_t)
+
 term_dontaudit_getattr_pty_dirs(automount_t)
 
+auth_use_nsswitch(automount_t)
+
 libs_use_ld_so(automount_t)
 libs_use_shared_libs(automount_t)
 
@@ -140,10 +146,6 @@ miscfiles_read_certs(automount_t)
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)
 
-sysnet_dns_name_resolve(automount_t)
-sysnet_use_ldap(automount_t)
-sysnet_read_config(automount_t)
-
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
 
 sysadm_dontaudit_search_home_dirs(automount_t)
@@ -163,11 +165,12 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(automount_t)
+	rpc_search_nfs_state_data(automount_t)
 ')
 
 optional_policy(`
-	rpc_search_nfs_state_data(automount_t)
+	samba_read_config(automount_t)
+	samba_manage_var_files(automount_t)
 ')
 
 optional_policy(`

policy/modules/services/ftp.fc

@@ -3,6 +3,8 @@
 #
 /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
 /etc/cron\.monthly/proftpd --	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/etc/rc\.d/init\.d/vsftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/proftpd --	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
 
 #
 # /usr

policy/modules/services/ftp.if

@@ -28,11 +28,13 @@ template(`ftp_per_role_template',`
 		type ftpd_t;
 	')
 
-	userdom_manage_user_home_content_files($1, ftpd_t)
-	userdom_manage_user_home_content_symlinks($1, ftpd_t)
-	userdom_manage_user_home_content_sockets($1, ftpd_t)
-	userdom_manage_user_home_content_pipes($1, ftpd_t)
-	userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
+	tunable_policy(`ftp_home_dir',`
+		userdom_manage_user_home_content_files($1, ftpd_t)
+		userdom_manage_user_home_content_symlinks($1, ftpd_t)
+		userdom_manage_user_home_content_sockets($1, ftpd_t)
+		userdom_manage_user_home_content_pipes($1, ftpd_t)
+		userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
+	')
 ')
 
 ########################################
@@ -155,3 +157,62 @@ interface(`ftp_run_ftpdctl',`
 	role $2 types ftpdctl_t;
 	allow ftpdctl_t $3:chr_file rw_term_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ftp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the ftp domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ftpdctl domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_admin',`
+	gen_require(`
+		type ftpd_t, ftpdctl_t, ftpd_tmp_t;
+		type ftpd_etc_t, ftpd_lock_t;
+		type ftpd_var_run_t, xferlog_t;
+		type ftpd_initrc_exec_t;
+	')
+
+	allow $1 ftpd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ftpd_t)
+
+	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ftpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	ps_process_pattern($1, ftpdctl_t)
+	ftp_run_ftpdctl($1, $2, $3)
+
+	miscfiles_manage_public_files($1)
+
+	files_list_tmp($1)
+	admin_pattern($1, ftpd_tmp_t)
+
+	files_list_etc($1)
+	admin_pattern($1, ftpd_etc_t)
+
+	files_list_var($1)
+	admin_pattern($1, ftpd_lock_t)
+
+	files_list_pids($1)
+	admin_pattern($1, ftpd_var_run_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, xferlog_t)
+')

policy/modules/services/ftp.te

@@ -1,5 +1,5 @@
 
-policy_module(ftp, 1.8.0)
+policy_module(ftp, 1.8.1)
 
 ########################################
 #
@@ -53,6 +53,9 @@ init_daemon_domain(ftpd_t, ftpd_exec_t)
 type ftpd_etc_t;
 files_config_file(ftpd_etc_t)
 
+type ftpd_initrc_exec_t;
+init_script_file(ftpd_initrc_exec_t)
+
 type ftpd_lock_t;
 files_lock_file(ftpd_lock_t)
 
@@ -106,9 +109,10 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
 manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
 manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
-files_pid_filetrans(ftpd_t, ftpd_var_run_t, file)
+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
 
 # proftpd requires the client side to bind a socket so that
 # it can stat the socket to perform access control decisions,
@@ -123,6 +127,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
 
 kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
+kernel_search_network_state(ftpd_t)
 
 dev_read_sysfs(ftpd_t)
 dev_read_urand(ftpd_t)
@@ -169,7 +174,9 @@ init_rw_utmp(ftpd_t)
 libs_use_ld_so(ftpd_t)
 libs_use_shared_libs(ftpd_t)
 
+logging_send_audit_msgs(ftpd_t)
 logging_send_syslog_msg(ftpd_t)
+logging_set_loginuid(ftpd_t)
 
 miscfiles_read_localization(ftpd_t)
 miscfiles_read_public_files(ftpd_t)

policy/modules/services/ldap.fc

@@ -1,5 +1,6 @@
 
 /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
+/etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
 
 /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
 

policy/modules/services/ldap.if

@@ -73,3 +73,49 @@ interface(`ldap_stream_connect',`
 	allow $1 slapd_var_run_t:sock_file write;
 	allow $1 slapd_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ldap environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the ldap domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_admin',`
+	gen_require(`
+		type slapd_t, slapd_tmp_t, slapd_replog_t;
+		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+		type slapd_initrc_exec_t;
+	')
+
+	allow $1 slapd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, slapd_t)
+
+	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 slapd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, slapd_etc_t)
+
+	admin_pattern($1, slapd_lock_t)
+
+	admin_pattern($1, slapd_replog_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, slapd_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, slapd_var_run_t)
+')

policy/modules/services/ldap.te

@@ -1,5 +1,5 @@
 
-policy_module(ldap, 1.7.0)
+policy_module(ldap, 1.7.1)
 
 ########################################
 #
@@ -19,6 +19,9 @@ files_type(slapd_db_t)
 type slapd_etc_t;
 files_config_file(slapd_etc_t)
 
+type slapd_initrc_exec_t;
+init_script_file(slapd_initrc_exec_t)
+
 type slapd_lock_t;
 files_lock_file(slapd_lock_t)
 

policy/modules/services/memcached.fc

@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/memcached	--	gen_context(system_u:object_r:memcached_initrc_exec_t,s0)
+
+/usr/bin/memcached		--	gen_context(system_u:object_r:memcached_exec_t,s0)
+
+/var/run/memcached(/.*)?		gen_context(system_u:object_r:memcached_var_run_t,s0)

policy/modules/services/memcached.if

@@ -0,0 +1,73 @@
+## <summary>high-performance memory object caching system</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run memcached.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`memcached_domtrans',`
+	gen_require(`
+		type memcached_t;
+                type memcached_exec_t;
+	')
+
+	domtrans_pattern($1,memcached_exec_t,memcached_t)
+')
+
+########################################
+## <summary>
+##	Read memcached PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`memcached_read_pid_files',`
+	gen_require(`
+		type memcached_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 memcached_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an memcached environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the memcached domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`memcached_admin',`
+	gen_require(`
+		type memcached_t;
+		type memcached_initrc_exec_t;
+	')
+
+	allow $1 memcached_t:process { ptrace signal_perms };
+	ps_process_pattern($1, memcached_t)
+
+	init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 memcached_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, memcached_var_run_t)
+')

policy/modules/services/memcached.te

@@ -0,0 +1,50 @@
+
+policy_module(memcached, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type memcached_t;
+type memcached_exec_t;
+init_daemon_domain(memcached_t, memcached_exec_t)
+
+type memcached_initrc_exec_t;
+init_script_file(memcached_initrc_exec_t)
+
+type memcached_var_run_t;
+files_pid_file(memcached_var_run_t)
+
+########################################
+#
+# memcached local policy
+#
+
+allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:tcp_socket create_stream_socket_perms;
+allow memcached_t self:udp_socket { create_socket_perms listen };
+allow memcached_t self:fifo_file rw_fifo_file_perms;
+
+corenet_all_recvfrom_unlabeled(memcached_t)
+corenet_udp_sendrecv_all_if(memcached_t)
+corenet_udp_sendrecv_all_nodes(memcached_t)
+corenet_udp_sendrecv_all_ports(memcached_t)
+corenet_udp_bind_all_nodes(memcached_t)
+corenet_tcp_sendrecv_all_if(memcached_t)
+corenet_tcp_sendrecv_all_nodes(memcached_t)
+corenet_tcp_sendrecv_all_ports(memcached_t)
+corenet_tcp_bind_all_nodes(memcached_t)
+
+manage_dirs_pattern(memcached_t, memcached_var_run_t,  memcached_var_run_t)
+manage_files_pattern(memcached_t, memcached_var_run_t,  memcached_var_run_t)
+files_pid_filetrans(memcached_t,memcached_var_run_t, { file dir })
+
+files_read_etc_files(memcached_t)
+
+libs_use_ld_so(memcached_t)
+libs_use_shared_libs(memcached_t)
+
+miscfiles_read_localization(memcached_t)
+
+sysnet_dns_name_resolve(memcached_t)

policy/modules/services/openvpn.fc

@@ -2,6 +2,7 @@
 # /etc
 #
 /etc/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/rc\.d/init\.d/openvpn --	gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
 
 #
 # /usr
@@ -11,5 +12,5 @@
 #
 # /var
 #
-/var/log/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/log/openvpn.*		gen_context(system_u:object_r:openvpn_var_log_t,s0)
 /var/run/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_run_t,s0)

policy/modules/services/openvpn.if

@@ -90,3 +90,44 @@ interface(`openvpn_read_config',`
 	read_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
 	read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an openvpn environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the openvpn domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_admin',`
+	gen_require(`
+		type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
+		type openvpn_var_run_t, openvpn_initrc_exec_t;
+	')
+
+	allow $1 openvpn_t:process { ptrace signal_perms };
+	ps_process_pattern($1, openvpn_t)
+
+	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 openvpn_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, openvpn_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, openvpn_var_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, openvpn_var_run_t)
+')

policy/modules/services/openvpn.te

@@ -1,5 +1,5 @@
 
-policy_module(openvpn, 1.5.0)
+policy_module(openvpn, 1.5.1)
 
 ########################################
 #
@@ -20,7 +20,10 @@ init_daemon_domain(openvpn_t, openvpn_exec_t)
 
 # configuration files
 type openvpn_etc_t;
-files_type(openvpn_etc_t)
+files_config_file(openvpn_etc_t)
+
+type openvpn_initrc_exec_t;
+init_script_file(openvpn_initrc_exec_t)
 
 # log files
 type openvpn_var_log_t;
@@ -35,7 +38,7 @@ files_pid_file(openvpn_var_run_t)
 # openvpn local policy
 #
 
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
 allow openvpn_t self:process { signal getsched };
 
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -45,6 +48,7 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
+can_exec(openvpn_t, openvpn_etc_t)
 read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
 read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
 
@@ -74,9 +78,12 @@ corenet_tcp_bind_all_nodes(openvpn_t)
 corenet_udp_bind_all_nodes(openvpn_t)
 corenet_tcp_bind_openvpn_port(openvpn_t)
 corenet_udp_bind_openvpn_port(openvpn_t)
-corenet_sendrecv_openvpn_server_packets(openvpn_t)
-corenet_rw_tun_tap_dev(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
+corenet_tcp_connect_http_port(openvpn_t)
+corenet_rw_tun_tap_dev(openvpn_t)
+corenet_sendrecv_openvpn_server_packets(openvpn_t)
+corenet_sendrecv_openvpn_client_packets(openvpn_t)
+corenet_sendrecv_http_client_packets(openvpn_t)
 
 dev_search_sysfs(openvpn_t)
 dev_read_rand(openvpn_t)

policy/modules/services/smartmon.fc

@@ -1,7 +1,9 @@
+/etc/rc\.d/init\.d/smartd --	gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+
 #
 # /usr
 #
-/usr/sbin/smartd		--	gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+/usr/sbin/smartd	--	gen_context(system_u:object_r:fsdaemon_exec_t,s0)
 
 #
 # /var

policy/modules/services/smartmon.if

@@ -28,19 +28,30 @@ interface(`smartmon_read_tmp_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`smartmon_admin',`
 	gen_require(`
 		type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
+		type fsdaemon_initrc_exec_t;
 	')
 
 	allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, fsdaemon_t)
-	        
+
+	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 fsdaemon_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	files_list_tmp($1)
-	manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t)
+	admin_pattern($1, fsdaemon_tmp_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t)
+	admin_pattern($1, fsdaemon_var_run_t)
 ')

policy/modules/services/smartmon.te

@@ -1,5 +1,5 @@
 
-policy_module(smartmon, 1.6.0)
+policy_module(smartmon, 1.6.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type fsdaemon_t;
 type fsdaemon_exec_t;
 init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
 
+type fsdaemon_initrc_exec_t;
+init_script_file(fsdaemon_initrc_exec_t)
+
 type fsdaemon_var_run_t;
 files_pid_file(fsdaemon_var_run_t)
 
@@ -28,6 +31,7 @@ allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
 allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
 allow fsdaemon_t self:udp_socket create_socket_perms;
+allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
 manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
@@ -78,7 +82,7 @@ logging_send_syslog_msg(fsdaemon_t)
 
 miscfiles_read_localization(fsdaemon_t)
 
-sysnet_read_config(fsdaemon_t)
+sysnet_dns_name_resolve(fsdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)