more updates

refpolicy/Changelog

@@ -1,3 +1,5 @@
+- Add equivalents for old can_resolve(), can_ldap(), and
+  can_portmap() to sysnetwork.
 - Fix base module compile issues.
 - Added policies:
 	ktalk

refpolicy/policy/global_tunables

@@ -4,12 +4,18 @@
 # file should be used.
 #
 
-## Allow execution of anonymous mappings, e.g. executable stack.
+## Allow making anonymous memory executable, e.g. 
+## for runtime-code generation or executable stack.
 gen_tunable(allow_execmem,false)
 
-## Support Share libraries with text relocations
+## Allow making a modified private file
+## mapping executable (text relocation).
 gen_tunable(allow_execmod,false)
 
+## Allow making the stack executable via mprotect.
+## Also requires allow_execmem.
+gen_tunable(allow_execstack,false)
+
 ## Allow gpg executable stack
 gen_tunable(allow_gpg_execstack,false)
 
@@ -56,9 +62,6 @@ gen_tunable(ssh_sysadm_login,false)
 ## dir and read files (such as ~/.bashrc)
 gen_tunable(staff_read_sysadm_file,false)
 
-## Allow the use of DNS for name resolution.
-gen_tunable(use_dns,false)
-
 ## Support NFS home directories
 gen_tunable(use_nfs_home_dirs,false)
 

refpolicy/policy/modules/admin/logrotate.te

@@ -14,6 +14,9 @@ role system_r types logrotate_t;
 type logrotate_exec_t;
 files_type(logrotate_exec_t)
 
+type logrotate_lock_t;
+files_lock_file(logrotate_lock_t)
+
 type logrotate_tmp_t;
 files_tmp_file(logrotate_tmp_t)
 
@@ -46,6 +49,9 @@ allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
 allow logrotate_t self:msg { send receive };
 
+allow logrotate_t logrotate_lock_t:file create_file_perms;
+files_create_lock(logrotate_t,logrotate_lock_t)
+
 can_exec(logrotate_t, logrotate_tmp_t)
 
 allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
@@ -82,7 +88,6 @@ domain_getattr_all_entry_files(logrotate_t)
 files_read_usr_files(logrotate_t)
 files_read_etc_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
-files_manage_generic_locks(logrotate_t)
 files_read_all_pids(logrotate_t)
 # Write to /var/spool/slrnpull - should be moved into its own type.
 files_manage_generic_spools(logrotate_t)

refpolicy/policy/modules/admin/netutils.te

@@ -117,6 +117,7 @@ libs_use_ld_so(ping_t)
 libs_use_shared_libs(ping_t)
 
 sysnet_read_config(ping_t)
+sysnet_dns_name_resolve(ping_t)
 
 logging_send_syslog_msg(ping_t)
 

refpolicy/policy/modules/kernel/corenetwork.if.in

@@ -618,6 +618,23 @@ interface(`corenet_udp_bind_generic_port',`
 	allow $1 port_t:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Connect TCP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corenet_tcp_connect_generic_port',`
+	gen_require(`
+		type port_t;
+		class tcp_socket name_connect;
+	')
+
+	allow $1 port_t:tcp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on all ports.
@@ -835,6 +852,23 @@ interface(`corenet_udp_bind_reserved_port',`
 	allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##	Connect TCP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corenet_tcp_connect_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+		class tcp_socket name_connect;
+	')
+
+	allow $1 reserved_port_t:tcp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on all reserved ports.
@@ -971,6 +1005,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 	dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to connect TCP sockets
+##	all reserved ports.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+		class tcp_socket name_connect;
+	')
+
+	dontaudit $1 reserved_port_type:tcp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the TUN/TAP virtual network device.
@@ -982,11 +1034,11 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 interface(`corenet_use_tun_tap_device',`
 	gen_require(`
 		type tun_tap_device_t;
-		class chr_file { read write };
+		class chr_file { read write ioctl };
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tun_tap_device_t:chr_file { read write };
+	allow $1 tun_tap_device_t:chr_file { read write ioctl };
 ')
 
 ########################################

refpolicy/policy/modules/kernel/devices.if

@@ -183,6 +183,25 @@ interface(`dev_rw_generic_file',`
 	allow $1 device_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Delete generic files in /dev.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_delete_generic_file',`
+	gen_require(`
+		type device_t;
+		class dir { search write remove_name };
+		class file unlink;
+	')
+
+	allow $1 device_t:dir { search write remove_name };
+	allow $1 device_t:file unlink;
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit getattr on generic pipes.

refpolicy/policy/modules/kernel/filesystem.if

@@ -1629,6 +1629,24 @@ interface(`fs_dontaudit_list_tmpfs',`
 	dontaudit $1 tmpfs_t:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	tmpfs directories
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_manage_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 tmpfs_t:dir create_dir_perms;
+')
+
 ########################################
 #
 # fs_create_tmpfs_data(domain,derivedtype,[class])
@@ -1726,6 +1744,26 @@ interface(`fs_relabel_tmpfs_blk_dev',`
 	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
 ')
 
+########################################
+## <summary>
+##	Read and write, create and delete generic
+##	files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fs_manage_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:file create_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write, create and delete symbolic

refpolicy/policy/modules/kernel/filesystem.te

@@ -22,6 +22,7 @@ sid fs context_template(system_u:object_r:fs_t,s0)
 fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0);
+fs_use_xattr reiserfs context_template(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
 
 # Use the allocating task SID to label inodes in the following filesystem
@@ -55,9 +56,11 @@ genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
 type hugetlbfs_t, filesystem_type;
 files_mountpoint(hugetlbfs_t)
 allow hugetlbfs_t self:filesystem associate;
+genfscon hugetlbfs / context_template(system_u:object_r:hugetlbfs_t,s0)
 
 type inotifyfs_t, filesystem_type;
 allow inotifyfs_t self:filesystem associate;
+genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0)
 
 type mqueue_t, filesystem_type;
 files_mountpoint(mqueue_t)
@@ -89,8 +92,8 @@ files_type(tmpfs_t)
 # and label the filesystem itself with the specified context.
 # This is appropriate for pseudo filesystems like devpts and tmpfs
 # where we want to label objects with a derived type.
-fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
 fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
+fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
 
 allow tmpfs_t self:filesystem associate;
 allow tmpfs_t noxattrfs:filesystem associate;
@@ -119,10 +122,10 @@ genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)
 #
 type dosfs_t, filesystem_type, noxattrfs;
 allow dosfs_t self:filesystem associate;
-genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
-genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
 genfscon fat / context_template(system_u:object_r:dosfs_t,s0)
+genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
 genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0)
+genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
 
 #
 # iso9660_t is the type for CD filesystems

refpolicy/policy/modules/kernel/kernel.if

@@ -51,6 +51,23 @@ interface(`kernel_rootfs_mountpoint',`
 	allow kernel_t $1:dir mounton;
 ')
 
+########################################
+## <summary>
+##	Set the process group of kernel threads.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_setpgid',`
+	gen_require(`
+		type kernel_t;
+		class process setpgid;
+	')
+
+	allow $1 kernel_t:process setpgid;
+')
+
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to kernel threads.
@@ -65,7 +82,7 @@ interface(`kernel_sigchld',`
 		class process sigchld;
 	')
 
-	allow kernel_t $1:process sigchld;
+	allow $1 kernel_t:process sigchld;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/selinux.if

@@ -274,6 +274,28 @@ interface(`selinux_compute_create_context',`
 	allow $1 security_t:security compute_create;
 ')
 
+########################################
+## <summary>
+##	Allows caller to compute polyinstatntiated
+##	directory members.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`selinux_compute_member',`
+	gen_require(`
+		type security_t;
+		class dir { read search getattr };
+		class file { getattr read write };
+		class security compute_member;
+	')
+
+	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:security compute_member;
+')
+
 ########################################
 ## <summary>
 ##	Calculate the context for relabeling objects.

refpolicy/policy/modules/services/bind.if

@@ -107,6 +107,24 @@ interface(`bind_write_config',`
 	allow $1 named_conf_t:file { write setattr };
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	BIND configuration directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`bind_manage_config_dir',`
+	gen_require(`
+		type named_conf_t;
+		class dir perms;
+	')
+
+	allow $1 named_conf_t:dir create_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to set the attributes

refpolicy/policy/modules/services/bind.te

@@ -15,6 +15,9 @@ type named_exec_t;
 init_daemon_domain(named_t,named_exec_t)
 role system_r types named_t;
 
+type named_checkconf_exec_t;
+init_system_domain(named_t,named_checkconf_exec_t)
+
 # A type for configuration files of named.
 type named_conf_t;
 files_type(named_conf_t)
@@ -23,6 +26,9 @@ files_type(named_conf_t)
 type named_cache_t;
 files_type(named_cache_t)
 
+type named_log_t;
+logging_log_file(named_log_t)
+
 type named_tmp_t;
 files_tmp_file(named_tmp_t)
 
@@ -67,6 +73,10 @@ allow named_t named_cache_t:lnk_file create_lnk_perms;
 
 can_exec(named_t, named_exec_t)
 
+allow named_t named_log_t:file create_file_perms;
+allow named_t named_log_t:dir rw_dir_perms;
+logging_create_log(named_t,named_log_t,{ file dir })
+
 allow named_t named_tmp_t:dir create_dir_perms;
 allow named_t named_tmp_t:file create_file_perms;
 files_create_tmp_files(named_t, named_tmp_t, { file dir })
@@ -99,7 +109,8 @@ corenet_tcp_bind_all_nodes(named_t)
 corenet_udp_bind_all_nodes(named_t)
 corenet_tcp_bind_dns_port(named_t)
 corenet_udp_bind_dns_port(named_t)
-#corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_bind_rndc_port(named_t)
+corenet_tcp_connect_all_ports(named_t)
 
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
@@ -196,6 +207,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_raw_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
 corenet_tcp_bind_all_nodes(ndc_t)
+corenet_tcp_connect_rndc_port(ndc_t)
 
 fs_getattr_xattr_fs(ndc_t)
 
@@ -215,20 +227,13 @@ logging_send_syslog_msg(ndc_t)
 miscfiles_read_localization(ndc_t)
 
 sysnet_read_config(ndc_t)
+sysnet_dns_name_resolve(ndc_t)
 
 # for /etc/rndc.key
 ifdef(`distro_redhat',`
 	allow ndc_t named_conf_t:dir search;
 ')
 
-tunable_policy(`use_dns',`
-	allow ndc_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(ndc_t)
-	corenet_udp_sendrecv_all_nodes(ndc_t)
-	corenet_udp_sendrecv_dns_port(ndc_t)
-	corenet_udp_bind_all_nodes(ndc_t)
-')
-
 tunable_policy(`named_write_master_zones',`
 	allow named_t named_zone_t:dir create_dir_perms;
 	allow named_t named_zone_t:file create_file_perms;

refpolicy/policy/modules/services/cron.te

@@ -288,7 +288,6 @@ logging_send_syslog_msg(system_crond_t)
 
 miscfiles_read_localization(system_crond_t)
 miscfiles_read_man_pages(system_crond_t)
-miscfiles_rw_man_cache(system_crond_t)
 
 seutil_read_config(system_crond_t)
 

refpolicy/policy/modules/services/kerberos.if

@@ -55,10 +55,7 @@ interface(`kerberos_use',`
 		corenet_tcp_bind_all_nodes($1)
 		corenet_udp_bind_all_nodes($1)
 		sysnet_read_config($1)
-	')
-
-	tunable_policy(`allow_kerberos && use_dns',`
-		corenet_udp_sendrecv_dns_port($1)
+		sysnet_dns_name_resolve($1)
 	')
 ')
 

refpolicy/policy/modules/services/mta.if

@@ -42,8 +42,6 @@ template(`mta_per_userdomain_template',`
 
 	allow $1_mail_t self:capability { setuid setgid chown };
 	allow $1_mail_t self:process { signal_perms setrlimit };
-
-	# tcp networking
 	allow $1_mail_t self:tcp_socket create_socket_perms;
 
 	# re-exec itself
@@ -91,19 +89,12 @@ template(`mta_per_userdomain_template',`
 	miscfiles_read_localization($1_mail_t)
 
 	sysnet_read_config($1_mail_t)
+	sysnet_dns_name_resolve($1_mail_t)
 
 	userdom_use_user_terminals($1,$1_mail_t)
 	# Write to the user domain tty. cjp: why?
 	userdom_use_user_terminals($1,mta_user_agent)
 
-	tunable_policy(`use_dns',`
-		allow $1_mail_t self:udp_socket create_socket_perms;
-		corenet_udp_sendrecv_all_if($1_mail_t)
-		corenet_udp_sendrecv_all_nodes($1_mail_t)
-		corenet_udp_bind_all_nodes($1_mail_t)
-		corenet_udp_sendrecv_dns_port($1_mail_t)
-	')
-
 	tunable_policy(`use_samba_home_dirs',`
 		fs_manage_cifs_files($1_mail_t)
 		fs_manage_cifs_symlinks($1_mail_t)

refpolicy/policy/modules/services/mta.te

@@ -45,7 +45,6 @@ ifdef(`targeted_policy',`',`
 
 allow system_mail_t self:capability { setuid setgid chown };
 allow system_mail_t self:process { signal_perms setrlimit };
-
 allow system_mail_t self:tcp_socket create_socket_perms;
 
 # re-exec itself
@@ -60,9 +59,10 @@ corenet_tcp_sendrecv_all_if(system_mail_t)
 corenet_raw_sendrecv_all_if(system_mail_t)
 corenet_tcp_sendrecv_all_nodes(system_mail_t)
 corenet_raw_sendrecv_all_nodes(system_mail_t)
-corenet_tcp_bind_all_nodes(system_mail_t)
 corenet_tcp_sendrecv_all_ports(system_mail_t)
+corenet_tcp_bind_all_nodes(system_mail_t)
 
+dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
 fs_getattr_xattr_fs(system_mail_t)
@@ -86,6 +86,7 @@ logging_send_syslog_msg(system_mail_t)
 miscfiles_read_localization(system_mail_t)
 
 sysnet_read_config(system_mail_t)
+sysnet_dns_name_resolve(system_mail_t)
 
 userdom_use_sysadm_terms(system_mail_t)
 
@@ -116,14 +117,6 @@ ifdef(`targeted_policy',`
 	')
 ')
 
-tunable_policy(`use_dns',`
-	allow system_mail_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(system_mail_t)
-	corenet_udp_sendrecv_all_nodes(system_mail_t)
-	corenet_udp_bind_all_nodes(system_mail_t)
-	corenet_udp_sendrecv_dns_port(system_mail_t)
-')
-
 optional_policy(`cron.te',`
 	cron_read_system_job_tmp_files(system_mail_t)
 ')
@@ -174,14 +167,6 @@ allow system_mail_t privmail:fd use;
 allow system_mail_t privmail:process sigchld;
 allow system_mail_t privmail:fifo_file { read write };
 
-optional_policy(`arpwatch.te',`
-	allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit system_mail_t arpwatch_t:packet_socket { read write };
-	')
-')
-
 optional_policy(`qmail.te',`
 	allow system_mail_t qmail_etc_t:dir search;
 	allow system_mail_t qmail_etc_t:{ file lnk_file } read;

refpolicy/policy/modules/services/mysql.te

@@ -32,8 +32,9 @@ files_tmp_file(mysqld_tmp_t)
 
 allow mysqld_t self:capability { dac_override setgid setuid };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process getsched;
+allow mysqld_t self:process { setsched getsched };
 allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket connected_socket_perms;
@@ -112,6 +113,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(mysqld_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(mysqld_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(mysqld_t)
 ')

refpolicy/policy/modules/services/nis.if

@@ -35,17 +35,20 @@ interface(`nis_use_ypbind',`
 		corenet_tcp_sendrecv_all_nodes($1)
 		corenet_udp_sendrecv_all_nodes($1)
 		corenet_raw_sendrecv_all_nodes($1)
-		corenet_tcp_bind_all_nodes($1)
-		corenet_udp_bind_all_nodes($1)
 		corenet_tcp_sendrecv_all_ports($1)
 		corenet_udp_sendrecv_all_ports($1)
+		corenet_tcp_bind_all_nodes($1)
+		corenet_udp_bind_all_nodes($1)
 		corenet_tcp_bind_generic_port($1)
 		corenet_udp_bind_generic_port($1)
 		corenet_tcp_bind_reserved_port($1)
 		corenet_udp_bind_reserved_port($1)
 		corenet_dontaudit_tcp_bind_all_reserved_ports($1)
 		corenet_dontaudit_udp_bind_all_reserved_ports($1)
-
+		corenet_tcp_connect_portmap_port($1)
+		corenet_tcp_connect_reserved_port($1)
+		corenet_tcp_connect_generic_port($1)
+		corenet_dontaudit_tcp_connect_all_reserved_ports($1)
 	',`
 		dontaudit $1 var_yp_t:dir search;
 	')

refpolicy/policy/modules/services/nscd.te

@@ -11,6 +11,9 @@ type nscd_t;
 type nscd_exec_t;
 init_daemon_domain(nscd_t,nscd_exec_t)
 
+type nscd_log_t;
+logging_log_file(nscd_log_t)
+
 type nscd_var_run_t;
 files_pid_file(nscd_var_run_t)
 
@@ -35,6 +38,9 @@ allow nscd_t self:udp_socket create_socket_perms;
 # cjp: this should probably be in a direct_sysadm_daemon tunable
 allow nscd_t self:nscd { admin getstat };
 
+allow nscd_t nscd_log_t:file create_file_perms;
+logging_create_log(nscd_t,nscd_log_t)
+
 allow nscd_t nscd_var_run_t:file create_file_perms;
 allow nscd_t nscd_var_run_t:sock_file create_file_perms;
 files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file })
@@ -66,6 +72,7 @@ corenet_udp_sendrecv_all_ports(nscd_t)
 corenet_tcp_bind_all_nodes(nscd_t)
 corenet_udp_bind_all_nodes(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
+corenet_use_tun_tap_device(nscd_t)
 
 selinux_get_fs_mount(nscd_t)
 selinux_validate_context(nscd_t)
@@ -111,8 +118,6 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-nscd_socket_domain(daemon)
-
 optional_policy(`winbind.te', `
 	# Handle winbind for samba, Might only be needed for targeted policy
 
@@ -124,6 +129,7 @@ optional_policy(`winbind.te', `
 optional_policy(`rhgb.te',`
 	rhgb_domain(nscd_t)
 ')
+r_dir_file(nscd_t, cert_t)
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 ') dnl end TODO

refpolicy/policy/modules/services/ntp.if

@@ -1,5 +1,19 @@
 ## <summary>Network time protocol daemon</summary>
 
+########################################
+## <summary>
+##	NTP stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	N/A
+## </param>
+#
+interface(`ntp_stub',`
+	gen_require(`ntp.te',`
+		type ntpd_t;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Execute ntp server in the ntpd domain.

refpolicy/policy/modules/services/remotelogin.te

@@ -1,12 +1,12 @@
 
-policy_module(authlogin,1.0)
+policy_module(remotelogin,1.0)
 
 ########################################
 #
 # Declarations
 #
 
-type remote_login_t;
+type remote_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
 domain_obj_id_change_exempt(remote_login_t)
 domain_subj_id_change_exempt(remote_login_t)
 domain_role_change_exempt(remote_login_t)
@@ -107,6 +107,8 @@ logging_send_syslog_msg(remote_login_t)
 seutil_read_config(remote_login_t)
 seutil_read_default_contexts(remote_login_t)
 
+sysnet_dns_name_resolve(remote_login_t)
+
 miscfiles_read_localization(remote_login_t)
 
 userdom_use_unpriv_users_fd(remote_login_t)
@@ -132,18 +134,6 @@ tunable_policy(`read_default_t',`
 	files_read_default_pipes(remote_login_t)
 ')
 
-# Allow remote login to resolve host names (passed in via the -h switch)
-tunable_policy(`use_dns',`
-	allow remote_login_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(remote_login_t)
-	corenet_raw_sendrecv_all_if(remote_login_t)
-	corenet_udp_sendrecv_all_nodes(remote_login_t)
-	corenet_raw_sendrecv_all_nodes(remote_login_t)
-	corenet_udp_sendrecv_dns_port(remote_login_t)
-	corenet_udp_bind_all_nodes(remote_login_t)
-	sysnet_read_config(remote_login_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(remote_login_t)
 	fs_read_nfs_symlinks(remote_login_t)
@@ -172,6 +162,8 @@ optional_policy(`remotelogin.te',`
 	# FIXME: what is this for?
 	remotelogin_signull(xdm_t)
 ')
+# Login can polyinstantiate
+polyinstantiater(remote_login_t)
 
 allow remote_login_t userpty_type:chr_file { setattr write };
 allow remote_login_t ptyfile:chr_file { getattr ioctl };

refpolicy/policy/modules/services/sendmail.te

@@ -129,11 +129,6 @@ optional_policy(`rhgb.te', `
 rhgb_domain(sendmail_t)
 ')
 
-optional_policy(`arpwatch.te',`
-	# why is mail delivered to a directory of type arpwatch_data_t?
-	allow mta_delivery_agent arpwatch_data_t:dir search;
-')
-
 #
 #  Need this transition to create /etc/aliases.db 
 #

refpolicy/policy/modules/services/ssh.if

@@ -144,6 +144,7 @@ template(`ssh_per_userdomain_template',`
 	seutil_read_config($1_ssh_t)
 
 	sysnet_read_config($1_ssh_t)
+	sysnet_dns_name_resolve($1_ssh_t)
 
 	userdom_use_unpriv_users_fd($1_ssh_t)
 
@@ -155,14 +156,6 @@ template(`ssh_per_userdomain_template',`
 		files_read_default_pipes($1_ssh_t)
 	')
 
-	tunable_policy(`use_dns',`
-		allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-		corenet_udp_sendrecv_all_if($1_ssh_t)
-		corenet_udp_sendrecv_all_nodes($1_ssh_t)
-		corenet_udp_sendrecv_dns_port($1_ssh_t)
-		corenet_udp_bind_all_nodes($1_ssh_t)
-	')
-
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_ssh_t)
 		fs_manage_nfs_files($1_ssh_t)

refpolicy/policy/modules/system/authlogin.if

@@ -53,6 +53,14 @@ template(`authlogin_per_userdomain_template',`
 	files_list_etc($1_chkpwd_t)
 	allow $1_chkpwd_t shadow_t:file { getattr read };
 
+	# Transition from the user domain to this domain.
+	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
+
+	allow $1_chkpwd_t $2:fd use;
+	allow $2 $1_chkpwd_t:fd use;
+	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
+	allow $1_chkpwd_t $2:process sigchld;
+
 	# is_selinux_enabled
 	kernel_read_system_state($1_chkpwd_t)
 
@@ -73,13 +81,7 @@ template(`authlogin_per_userdomain_template',`
 
 	seutil_read_config($1_chkpwd_t)
 
-	# Transition from the user domain to this domain.
-	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
-
-	allow $1_chkpwd_t $2:fd use;
-	allow $2 $1_chkpwd_t:fd use;
-	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
-	allow $1_chkpwd_t $2:process sigchld;
+	sysnet_dns_name_resolve($1_chkpwd_t)
 
 	# Write to the user domain tty.
 	userdom_use_user_terminals($1,$1_chkpwd_t)
@@ -87,17 +89,6 @@ template(`authlogin_per_userdomain_template',`
 	# Inherit and use descriptors from gnome-pty-helper.
 	#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
 
-	tunable_policy(`use_dns',`
-		allow $1_chkpwd_t self:udp_socket create_socket_perms;
-		corenet_udp_sendrecv_all_if($1_chkpwd_t)
-		corenet_raw_sendrecv_all_if($1_chkpwd_t)
-		corenet_udp_sendrecv_all_nodes($1_chkpwd_t)
-		corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
-		corenet_udp_bind_all_nodes($1_chkpwd_t)
-		corenet_udp_sendrecv_dns_port($1_chkpwd_t)
-		sysnet_read_config($1_chkpwd_t)
-	')
-
 	optional_policy(`kerberos.te',`
 		kerberos_use($1_chkpwd_t)
 	')
@@ -237,16 +228,7 @@ interface(`auth_domtrans_chk_passwd',`
 
 	dontaudit $1 shadow_t:file { getattr read };
 
-	tunable_policy(`use_dns',`
-		allow $1 self:udp_socket create_socket_perms;
-		corenet_udp_sendrecv_all_if($1)
-		corenet_raw_sendrecv_all_if($1)
-		corenet_udp_sendrecv_all_nodes($1)
-		corenet_raw_sendrecv_all_nodes($1)
-		corenet_udp_bind_all_nodes($1)
-		corenet_udp_sendrecv_dns_port($1)
-		sysnet_read_config($1)
-	')
+	sysnet_dns_name_resolve($1)
 
 	optional_policy(`kerberos.te',`
 		kerberos_use($1)

refpolicy/policy/modules/system/authlogin.te

@@ -124,6 +124,10 @@ optional_policy(`nscd.te',`
 
 ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
+# Supress xdm denial
+ifdef(`xdm.te', `
+dontaudit pam_t xdm_t:fd use;
+') dnl ifdef
 ') dnl endif TODO
 
 ########################################
@@ -272,34 +276,15 @@ miscfiles_read_localization(system_chkpwd_t)
 
 seutil_read_config(system_chkpwd_t)
 
-userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
+sysnet_dns_name_resolve(system_chkpwd_t)
+sysnet_use_ldap(system_chkpwd_t)
 
-tunable_policy(`use_dns',`
-	allow system_chkpwd_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(system_chkpwd_t)
-	corenet_raw_sendrecv_all_if(system_chkpwd_t)
-	corenet_udp_sendrecv_all_nodes(system_chkpwd_t)
-	corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
-	corenet_udp_bind_all_nodes(system_chkpwd_t)
-	corenet_udp_sendrecv_dns_port(system_chkpwd_t)
-	sysnet_read_config(system_chkpwd_t)
-')
+userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
 
 optional_policy(`kerberos.te',`
 	kerberos_use(system_chkpwd_t)
 ')
 
-optional_policy(`ldap.te',`
-	allow system_chkpwd_t self:tcp_socket create_socket_perms;
-	corenet_tcp_sendrecv_all_if(system_chkpwd_t)
-	corenet_raw_sendrecv_all_if(system_chkpwd_t)
-	corenet_tcp_sendrecv_all_nodes(system_chkpwd_t)
-	corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
-	corenet_tcp_sendrecv_ldap_port(system_chkpwd_t)
-	corenet_tcp_bind_all_nodes(system_chkpwd_t)
-	sysnet_read_config(system_chkpwd_t)
-')
-
 optional_policy(`nis.te',`
 	nis_use_ypbind(system_chkpwd_t)
 ')

refpolicy/policy/modules/system/hostname.te

@@ -18,12 +18,9 @@ role system_r types hostname_t;
 
 # for setting the hostname
 allow hostname_t self:process { sigchld sigkill sigstop signull signal };
-
 allow hostname_t self:capability sys_admin;
 dontaudit hostname_t self:capability sys_tty_config;
 
-sysnet_read_config(hostname_t)
-
 kernel_read_kernel_sysctl(hostname_t)
 kernel_dontaudit_use_fd(hostname_t)
 kernel_list_proc(hostname_t)
@@ -55,6 +52,9 @@ logging_send_syslog_msg(hostname_t)
 
 miscfiles_read_localization(hostname_t)
 
+sysnet_read_config(hostname_t)
+sysnet_dns_name_resolve(hostname_t)
+
 userdom_use_all_user_fd(hostname_t)
 
 ifdef(`distro_redhat', `
@@ -67,17 +67,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(hostname_t)
 ')
 
-tunable_policy(`use_dns',`
-	allow hostname_t self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if(hostname_t)
-	corenet_raw_sendrecv_all_if(hostname_t)
-	corenet_udp_sendrecv_all_nodes(hostname_t)
-	corenet_raw_sendrecv_all_nodes(hostname_t)
-	corenet_udp_bind_all_nodes(hostname_t)
-	corenet_udp_sendrecv_dns_port(hostname_t)
-	sysnet_read_config(hostname_t)
-')
-
 optional_policy(`firstboot.te',`
 	firstboot_use_fd(hostname_t)
 ')
@@ -90,7 +79,8 @@ optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(hostname_t)
 ')
 
-optional_policy(`udev.te', `
+optional_policy(`udev.te',`
+	udev_dontaudit_use_fd(hostname_t)
 	udev_read_db(hostname_t)
 ')
 

refpolicy/policy/modules/system/hotplug.if

@@ -104,10 +104,10 @@ interface(`hotplug_getattr_config_dir',`
 interface(`hotplug_search_config',`
 	gen_require(`
 		type hotplug_etc_t;
-		class dir search;
+		class dir { getattr search };
 	')
 
-	allow $1 hotplug_etc_t:dir search;
+	allow $1 hotplug_etc_t:dir { getattr search };
 ')
 
 ########################################

refpolicy/policy/modules/system/hotplug.te

@@ -23,14 +23,13 @@ files_pid_file(hotplug_var_run_t)
 # Local policy
 #
 
-allow hotplug_t self:capability { net_admin sys_tty_config mknod };
+allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
 dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
-
 allow hotplug_t self:process { getsession getattr };
-
 allow hotplug_t self:fifo_file rw_file_perms;
+allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
 allow hotplug_t self:tcp_socket connected_stream_socket_perms;
 
@@ -45,6 +44,7 @@ allow hotplug_t hotplug_var_run_t:file { getattr create read write append setatt
 files_create_pid(hotplug_t,hotplug_var_run_t)
 
 kernel_sigchld(hotplug_t)
+kernel_setpgid(hotplug_t)
 kernel_read_system_state(hotplug_t)
 kernel_read_kernel_sysctl(hotplug_t)
 kernel_read_net_sysctl(hotplug_t)
@@ -58,7 +58,7 @@ corenet_raw_sendrecv_all_nodes(hotplug_t)
 corenet_tcp_sendrecv_all_ports(hotplug_t)
 corenet_tcp_bind_all_nodes(hotplug_t)
 
-dev_read_sysfs(hotplug_t)
+dev_rw_sysfs(hotplug_t)
 dev_read_usbfs(hotplug_t)
 dev_setattr_printer(hotplug_t)
 dev_setattr_snd_dev(hotplug_t)
@@ -107,6 +107,8 @@ modutils_read_mods_deps(hotplug_t)
 
 miscfiles_read_localization(hotplug_t)
 
+seutil_dontaudit_search_config(hotplug_t)
+
 sysnet_read_config(hotplug_t)
 
 userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
@@ -122,8 +124,6 @@ ifdef(`distro_redhat', `
 ')
 
 ifdef(`targeted_policy', `
-	unconfined_domain_template(hotplug_t)
-
 	optional_policy(`consoletype.te',`
 		consoletype_domtrans(hotplug_t)
 	')

refpolicy/policy/modules/system/init.if

@@ -90,10 +90,14 @@ interface(`init_daemon_domain',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
-	optional_policy(`distro_redhat',`
+	ifdef(`distro_redhat',`
 		kernel_dontaudit_use_fd($1)
 		files_dontaudit_read_root_file($1)
 	')
+
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1)
+	')
 ')
 
 ########################################

refpolicy/policy/modules/system/init.te

@@ -385,6 +385,10 @@ ifdef(`distro_redhat',`
 
 	# readahead asks for these
 	mta_read_aliases(initrc_t)
+
+	optional_policy(`bind.te',`
+		bind_manage_config_dir(initrc_t)
+	')
 ')
 
 ifdef(`targeted_policy',`
@@ -546,6 +550,12 @@ ifdef(`distro_redhat', `
 	allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
 	allow initrc_t self:capability sys_admin;
 	allow initrc_t device_t:dir create;
+
+	optional_policy(`rpm.te',`
+		rpm_stub()
+		#read ahead wants to read this
+		allow initrc_t system_cron_spool_t:file { getattr read };
+	')
 ')
 
 ifdef(`targeted_policy',`

refpolicy/policy/modules/system/ipsec.te

@@ -28,6 +28,9 @@ type ipsec_mgmt_exec_t;
 init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
 role system_r types ipsec_mgmt_t;
 
+type ipsec_mgmt_lock_t;
+files_lock_file(ipsec_mgmt_lock_t)
+
 type ipsec_mgmt_var_run_t;
 files_pid_file(ipsec_mgmt_var_run_t)
 
@@ -155,6 +158,9 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket { create setopt };
 allow ipsec_mgmt_t self:fifo_file rw_file_perms;
 
+allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
+files_create_lock(ipsec_mgmt_t,ipsec_mgmt_lock_t)
+
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
 files_create_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
 
@@ -235,9 +241,6 @@ files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dir(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-# Allow scripts to use /var/locl/subsys/ipsec
-# cjp: need a lock type
-files_manage_generic_locks(ipsec_mgmt_t)
 
 init_use_script_pty(ipsec_mgmt_t)
 init_exec_script(ipsec_mgmt_t)

refpolicy/policy/modules/system/iptables.te

@@ -69,6 +69,7 @@ logging_send_syslog_msg(iptables_t)
 miscfiles_read_localization(iptables_t)
 
 sysnet_domtrans_ifconfig(iptables_t)
+sysnet_dns_name_resolve(iptables_t)
 
 userdom_use_all_user_fd(iptables_t)
 
@@ -79,19 +80,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(iptables_t)
 ')
 
-tunable_policy(`use_dns',`
-	allow iptables_t self:udp_socket create_socket_perms;
-
-	corenet_udp_sendrecv_all_if(iptables_t)
-	corenet_raw_sendrecv_all_if(iptables_t)
-	corenet_udp_sendrecv_all_nodes(iptables_t)
-	corenet_raw_sendrecv_all_nodes(iptables_t)
-	corenet_udp_bind_all_nodes(iptables_t)
-	corenet_udp_sendrecv_dns_port(iptables_t)
-
-	sysnet_read_config(iptables_t)
-')
-
 optional_policy(`firstboot.te',`
 	firstboot_use_fd(iptables_t)
 	firstboot_write_pipe(iptables_t)

refpolicy/policy/modules/system/libraries.if

@@ -225,7 +225,7 @@ interface(`libs_use_shared_libs',`
 		type lib_t, shlib_t, texrel_shlib_t;
 		class dir r_dir_perms;
 		class lnk_file r_file_perms;
-		class file rx_file_perms;
+		class file { rx_file_perms execmod };
 	')
 
 	files_search_usr($1)
@@ -233,6 +233,7 @@ interface(`libs_use_shared_libs',`
 	allow $1 lib_t:lnk_file r_file_perms;
 	allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
 	allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
+	allow $1 texrel_shlib_t:file execmod;
 ')
 
 ########################################

refpolicy/policy/modules/system/locallogin.te

@@ -6,7 +6,7 @@ policy_module(locallogin,1.0)
 # Declarations
 #
 
-type local_login_t;
+type local_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
 auth_login_entry_type(local_login_t)
 domain_type(local_login_t)
 domain_obj_id_change_exempt(local_login_t)
@@ -15,6 +15,9 @@ domain_role_change_exempt(local_login_t)
 domain_wide_inherit_fd(local_login_t)
 role system_r types local_login_t;
 
+type local_login_lock_t;
+files_lock_file(local_login_lock_t)
+
 type local_login_tmp_t;
 files_type(local_login_tmp_t)
 
@@ -47,6 +50,9 @@ allow local_login_t self:sem create_sem_perms;
 allow local_login_t self:msgq create_msgq_perms;
 allow local_login_t self:msg { send receive };
 
+allow local_login_t local_login_lock_t:file create_file_perms;
+files_create_lock(local_login_t,local_login_lock_t)
+
 allow local_login_t local_login_tmp_t:dir create_dir_perms;
 allow local_login_t local_login_tmp_t:file create_file_perms;
 files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
@@ -125,7 +131,6 @@ domain_read_all_entry_files(local_login_t)
 files_read_etc_files(local_login_t)
 files_read_etc_runtime_files(local_login_t)
 files_read_usr_files(local_login_t)
-files_manage_generic_locks(var_lock_t)
 files_list_mnt(local_login_t)
 files_list_world_readable(local_login_t)
 files_read_world_readable_files(local_login_t)
@@ -209,6 +214,8 @@ optional_policy(`locallogin.te',`
 	# FIXME: what is this for?
 	locallogin_signull(xdm_t)
 ')
+# Login can polyinstantiate
+polyinstantiater(local_login_t)
 ') dnl endif TODO
 
 #################################

refpolicy/policy/modules/system/logging.te

@@ -200,6 +200,12 @@ logging_send_syslog_msg(klogd_t)
 
 miscfiles_read_localization(klogd_t)
 
+ifdef(`TODO',`
+ifdef(`targeted_policy', `
+allow klogd_t unconfined_t:system syslog_mod;
+')
+')
+
 ########################################
 #
 # syslogd local policy

refpolicy/policy/modules/system/miscfiles.if

@@ -1,26 +1,5 @@
 ## <summary>Miscelaneous files.</summary>
 
-########################################
-## <summary>
-##	Allow process to create files and dirs in /var/cache/man
-##	and /var/catman/
-## </summary>
-## <param name="domain">
-##	Type type of the process performing this action.
-## </param>
-#
-interface(`miscfiles_rw_man_cache',`
-	gen_require(`
-		type catman_t;
-		class dir create_dir_perms;
-		class file create_file_perms;
-	')
-
-	files_search_var($1)
-	allow $1 catman_t:dir create_dir_perms;
-	allow $1 catman_t:file create_file_perms;
-')
-
 ########################################
 ## <summary>
 ##	Read fonts

refpolicy/policy/modules/system/modutils.te

@@ -14,7 +14,7 @@ files_type(modules_conf_t)
 type modules_dep_t;
 files_type(modules_dep_t)
 
-type insmod_t;
+type insmod_t; #, mlsfilewrite
 type insmod_exec_t;
 kernel_userland_entry(insmod_t,insmod_exec_t)
 init_system_domain(insmod_t,insmod_exec_t)
@@ -111,10 +111,18 @@ ifdef(`targeted_policy',`
 	unconfined_domain_template(insmod_t)
 ')
 
+optional_policy(`hotplug.te',`
+	hotplug_search_config(insmod_t)
+')
+
 optional_policy(`mount.te',`
 	mount_domtrans(insmod_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(insmod_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_rw_pipe(insmod_t)
 ')

refpolicy/policy/modules/system/mount.te

@@ -6,7 +6,7 @@ policy_module(mount,1.0)
 # Declarations
 #
 
-type mount_t;
+type mount_t; #, mlsfileread, mlsfilewrite
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
 role system_r types mount_t;
@@ -45,6 +45,7 @@ fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_xattr_fs(mount_t)
 fs_search_auto_mountpoints(mount_t)
+fs_use_tmpfs_chr_dev(mount_t)
 
 term_use_console(mount_t)
 
@@ -77,12 +78,11 @@ logging_send_syslog_msg(mount_t)
 
 miscfiles_read_localization(mount_t)
 
+sysnet_use_portmap(mount_t)
+
 userdom_use_all_user_fd(mount_t)
 
 ifdef(`distro_redhat',`
-	fs_use_tmpfs_chr_dev(mount_t)
-	allow mount_t tmpfs_t:dir mounton;
-
 	optional_policy(`authlogin.te',`
 		auth_read_pam_console_data(mount_t)
 		# mount config by default sets fscontext=removable_t
@@ -109,6 +109,7 @@ optional_policy(`portmap.te', `
 	corenet_udp_bind_generic_port(mount_t)
 	corenet_tcp_bind_reserved_port(mount_t)
 	corenet_udp_bind_reserved_port(mount_t)
+	corenet_tcp_connect_all_ports(mount_t)
 
 	optional_policy(`nis.te',`
 		nis_use_ypbind(mount_t)

refpolicy/policy/modules/system/sysnetwork.if

@@ -345,3 +345,91 @@ interface(`sysnet_create_dhcp_state',`
 		type_transition $1 dhcp_state_t:$3 $2;
 	')
 ')
+
+########################################
+## <summary>
+##	Perform a DNS name resolution.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_dns_name_resolve',`
+	gen_require(`
+		type net_conf_t;
+		class udp_socket create_socket_perms;
+	')
+
+	allow $1 self:udp_socket create_socket_perms;
+	corenet_udp_sendrecv_all_if($1)
+	corenet_raw_sendrecv_all_if($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_dns_port($1)
+	corenet_udp_bind_all_nodes($1)
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect and use a LDAP server.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_use_ldap',`
+	gen_require(`
+		type net_conf_t;
+		class tcp_socket create_socket_perms;
+	')		
+
+	allow $1 self:tcp_socket create_socket_perms;
+
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_raw_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_ldap_port($1)
+	corenet_tcp_bind_all_nodes($1)
+	corenet_tcp_connect_ldap_port($1)
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect and use remote port mappers.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_use_portmap',`
+	gen_require(`
+		type net_conf_t;
+		class tcp_socket create_socket_perms;
+		class udp_socket create_socket_perms;
+	')		
+
+	allow $1 self:tcp_socket create_socket_perms;
+	allow $1 self:udp_socket create_socket_perms;
+
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_udp_sendrecv_all_if($1)
+	corenet_raw_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_portmap_port($1)
+	corenet_udp_sendrecv_portmap_port($1)
+	corenet_tcp_bind_all_nodes($1)
+	corenet_udp_bind_all_nodes($1)
+	corenet_tcp_connect_portmap_port($1)
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')

refpolicy/policy/modules/system/sysnetwork.te

@@ -172,6 +172,9 @@ optional_policy(`hotplug.te',`
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`netutils.te',`
 	netutils_domtrans_ping(dhcpc_t)
+',`
+	allow dhcpc_t self:capability setuid;
+	allow dhcpc_t self:rawip_socket create_socket_perms;
 ')
 
 optional_policy(`nis.te',`

refpolicy/policy/modules/system/udev.if

@@ -24,6 +24,24 @@ interface(`udev_domtrans',`
 	allow udev_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to inherit a
+##	udev file descriptor.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`udev_dontaudit_use_fd',`
+	gen_require(`
+		type udev_t;
+		class fd use;
+	')
+
+	dontaudit $1 udev_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or write
@@ -33,7 +51,7 @@ interface(`udev_domtrans',`
 ##	Domain to not audit.
 ## </param>
 #
-interface(`udev_donaudit_rw_unix_dgram_socket',`
+interface(`udev_dontaudit_rw_unix_dgram_socket',`
 	gen_require(`
 		type udev_t;
 		class unix_dgram_socket { read write };

refpolicy/policy/modules/system/udev.te

@@ -34,7 +34,7 @@ files_pid_file(udev_var_run_t)
 # Local policy
 #
 
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio };
 allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
@@ -75,8 +75,10 @@ kernel_rw_unix_dgram_socket(udev_t)
 kernel_sendto_unix_dgram_socket(udev_t)
 kernel_signal(udev_t)
 
-dev_read_sysfs(udev_t)
+dev_rw_sysfs(udev_t)
 dev_manage_dev_nodes(udev_t)
+dev_rw_generic_file(udev_t)
+dev_delete_generic_file(udev_t)
 
 fs_getattr_all_fs(udev_t)
 
@@ -125,6 +127,8 @@ sysnet_domtrans_ifconfig(udev_t)
 userdom_use_sysadm_tty(udev_t)
 
 ifdef(`distro_redhat',`
+	fs_manage_tmpfs_dirs(udev_t)
+	fs_manage_tmpfs_files(udev_t)
 	fs_manage_tmpfs_symlinks(udev_t)
 	fs_manage_tmpfs_sockets(udev_t)
 	fs_manage_tmpfs_blk_dev(udev_t)

refpolicy/policy/modules/system/unconfined.if

@@ -34,10 +34,16 @@ template(`unconfined_domain_template',`
 	files_unconfined($1)
 
 	tunable_policy(`allow_execmem',`
-		# Allow loading DSOs that require executable stack.
+		# Allow making anonymous memory executable, e.g. 
+		# for runtime-code generation or executable stack.
 		allow $1 self:process execmem;
 	')
 
+	tunable_policy(`allow_execmem && allow_execstack',`
+		# Allow making the stack executable via mprotect.
+		allow $1 self:process execstack;
+	')
+
 	optional_policy(`authlogin.te',`
 		auth_unconfined($1)
 	')
@@ -61,8 +67,13 @@ template(`unconfined_domain_template',`
 
 	ifdef(`TODO',`
 	if (allow_execmod) {
-		# Allow text relocations on system shared libraries, e.g. libGL.
-		allow $1 texrel_shlib_t:file execmod;
+		ifdef(`targeted_policy', `
+			allow $1 file_type:file execmod;
+		', `
+			# Allow text relocations on system shared libraries, e.g. libGL.
+			allow $1 texrel_shlib_t:file execmod;
+			allow $1 home_type:file execmod;
+		')
 	}
 
 	ifdef(`dbusd.te', `

refpolicy/policy/modules/system/userdomain.if

@@ -139,8 +139,8 @@ template(`base_user_template',`
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_bind_all_nodes($1_t)
 	corenet_udp_bind_all_nodes($1_t)
-	# allow port_t name binding for UDP because it is not very usable otherwise
 	corenet_udp_bind_generic_port($1_t)
+	corenet_tcp_connect_all_ports($1_t)
 
 	dev_read_input($1_t)
 	dev_read_misc($1_t)
@@ -194,7 +194,6 @@ template(`base_user_template',`
 	logging_dontaudit_getattr_all_logs($1_t)
 
 	miscfiles_read_localization($1_t)
-	miscfiles_rw_man_cache($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
@@ -301,6 +300,8 @@ template(`base_user_template',`
 
 	ifdef(`TODO',`
 
+	can_winbind($1_t)
+
 	#
 	# Cups daemon running as user tries to write /etc/printcap
 	#
@@ -324,8 +325,6 @@ template(`base_user_template',`
 	#
 	dontaudit $1_t sysctl_net_t:dir search;
 
-	dontaudit $1_t default_context_t:dir search;
-
 	r_dir_file($1_t, usercanread)
 
 	tunable_policy(`allow_execmod',`
@@ -1481,7 +1480,7 @@ interface(`userdom_dontaudit_use_sysadm_tty',`
 		term_dontaudit_use_unallocated_tty($1)
 	',`
 		gen_require(`
-			attribute sysadm_tty_device_t;
+			type sysadm_tty_device_t;
 			class chr_file { read write };
 		')
 

refpolicy/policy/modules/system/userdomain.te

@@ -186,6 +186,11 @@ ifdef(`targeted_policy',`
 		netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`ntp.te',`
+		ntp_stub()
+		corenet_udp_bind_ntp_port(sysadm_t)
+	')
+
 	optional_policy(`pcmcia.te',`
 		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
 	')