more merging from nsa cvs

refpolicy/Changelog

@@ -1,3 +1,4 @@
+- Add experimental MCS support.
 - Add equivalents for old can_resolve(), can_ldap(), and
   can_portmap() to sysnetwork.
 - Fix base module compile issues.

refpolicy/Makefile

@@ -108,12 +108,19 @@ USERPATH = $(INSTALLDIR)/users
 CONTEXTPATH = $(INSTALLDIR)/contexts
 
 # enable MLS if requested.
-ifneq ($(findstring mls,$(TYPE)),)
+ifneq ($(findstring -mls,$(TYPE)),)
 	override M4PARAM += -D enable_mls
 	CHECKPOLICY += -M
 	CHECKMODULE += -M
 endif
 
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+	override M4PARAM += -D enable_mcs
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+endif
+
 # compile targeted policy if requested.
 ifneq ($(findstring targeted,$(TYPE)),)
 	override M4PARAM += -D targeted_policy

refpolicy/Rules.modular

@@ -11,7 +11,7 @@ BASE_FC := base.fc
 
 BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
 
-BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
+BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
 BASE_TE_FILES := $(BASE_MODS)
 BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
 BASE_FC_FILES := $(BASE_MODS:.te=.fc)

refpolicy/Rules.monolithic

@@ -18,7 +18,7 @@ ALL_INTERFACES := $(ALL_MODULES:.te=.if)
 ALL_TE_FILES := $(ALL_MODULES)
 ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
 
-PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
+PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
 POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
 
 POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf

refpolicy/policy/global_tunables

@@ -22,6 +22,9 @@ gen_tunable(allow_gpg_execstack,false)
 ## Allow system to run with kerberos
 gen_tunable(allow_kerberos,false)
 
+## allow host key based authentication
+gen_tunable(allow_ssh_keysign,false)
+
 ## Allow users to connect to mysql
 gen_tunable(allow_user_mysql_connect,false)
 

refpolicy/policy/mcs

@@ -0,0 +1,215 @@
+ifdef(`enable_mcs',`
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file.  We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { read write setattr append unlink link rename
+		    create ioctl lock execute } (h1 dom h2);
+
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error.  Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+
+attribute mlsfileread;
+') dnl end enable_mcs

refpolicy/policy/modules/admin/firstboot.te

@@ -93,8 +93,6 @@ modutils_domtrans_insmod(firstboot_t)
 modutils_read_module_conf(firstboot_t)
 modutils_read_mods_deps(firstboot_t)
 
-sysnet_manage_config(firstboot_t)
-
 # Add/remove user home directories
 userdom_create_user_home_dir(firstboot_t)
 userdom_manage_user_home_dir(firstboot_t)
@@ -109,10 +107,6 @@ ifdef(`targeted_policy',`
 	unconfined_domtrans(firstboot_t)
 ')
 
-optional_policy(`kerberos.te',`
-	kerberos_rw_config(firstboot_t)
-')
-
 optional_policy(`nis.te',`
 	nis_use_ypbind(firstboot_t)
 ')

refpolicy/policy/modules/admin/logrotate.te

@@ -72,6 +72,7 @@ fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
 
 selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
 
 auth_manage_login_records(logrotate_t)
 
@@ -106,7 +107,7 @@ libs_use_shared_libs(logrotate_t)
 
 miscfiles_read_localization(logrotate_t)
 
-seutil_dontaudit_search_config(logrotate_t)
+seutil_dontaudit_read_config(logrotate_t)
 
 sysnet_read_config(logrotate_t)
 

refpolicy/policy/modules/admin/netutils.fc

@@ -1,5 +1,6 @@
 
 /bin/ping.* 		--	context_template(system_u:object_r:ping_exec_t,s0)
+/bin/tracepath.*	--	context_template(system_u:object_r:traceroute_exec_t,s0)
 /bin/traceroute.*	--	context_template(system_u:object_r:traceroute_exec_t,s0)
 
 /sbin/arping		--	context_template(system_u:object_r:netutils_exec_t,s0)

refpolicy/policy/modules/admin/su.fc

@@ -1,2 +1,4 @@
 
 /bin/su			--	context_template(system_u:object_r:su_exec_t,s0)
+
+/usr(/local)?/bin/ksu	--	context_template(system_u:object_r:su_exec_t,s0)

refpolicy/policy/modules/admin/sudo.fc

@@ -1,2 +1,2 @@
 
-/usr/bin/sudo		--	context_template(system_u:object_r:sudo_exec_t,s0)
+/usr/bin/sudo(edit)?	--	context_template(system_u:object_r:sudo_exec_t,s0)

refpolicy/policy/modules/admin/usermanage.te

@@ -78,6 +78,8 @@ allow chfn_t self:msgq create_msgq_perms;
 allow chfn_t self:msg { send receive };
 
 kernel_read_system_state(chfn_t)
+kernel_read_kernel_sysctl(chfn_t)
+
 selinux_get_fs_mount(chfn_t)
 selinux_validate_context(chfn_t)
 selinux_compute_access_vector(chfn_t)
@@ -297,6 +299,8 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir r_dir_perms;
 allow passwd_t crack_db_t:file r_file_perms;
 
+kernel_read_kernel_sysctl(passwd_t)
+
 # for SSP
 dev_read_urand(passwd_t)
 
@@ -389,14 +393,16 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
 files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 files_search_var(sysadm_passwd_t)
 
+kernel_read_kernel_sysctl(sysadm_passwd_t)
+# for /proc/meminfo
+kernel_read_system_state(sysadm_passwd_t)
+
 selinux_get_fs_mount(sysadm_passwd_t)
 selinux_validate_context(sysadm_passwd_t)
 selinux_compute_access_vector(sysadm_passwd_t)
 selinux_compute_create_context(sysadm_passwd_t)
 selinux_compute_relabel_context(sysadm_passwd_t)
 selinux_compute_user_contexts(sysadm_passwd_t)
-# for /proc/meminfo
-kernel_read_system_state(sysadm_passwd_t)
 
 # for SSP
 dev_read_urand(sysadm_passwd_t)
@@ -460,6 +466,10 @@ dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
 dontaudit sysadm_passwd_t var_run_t:dir search;
 
 dontaudit sysadm_passwd_t selinux_config_t:dir search;
+ifdef(`targeted_policy', `
+role system_r types sysadm_passwd_t;
+allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
+')
 ') dnl endif TODO
 
 ########################################
@@ -508,6 +518,7 @@ corecmd_exec_sbin(useradd_t)
 domain_use_wide_inherit_fd(useradd_t)
 
 files_manage_etc_files(useradd_t)
+files_search_var_lib(useradd_t)
 
 init_use_fd(useradd_t)
 init_rw_script_pid(useradd_t)

refpolicy/policy/modules/kernel/bootloader.fc

@@ -3,7 +3,7 @@
 /initrd\.img.*		-l	context_template(system_u:object_r:boot_t,s0)
 
 /boot(/.*)?			context_template(system_u:object_r:boot_t,s0)
-/boot/System\.map-.*	--	context_template(system_u:object_r:system_map_t,s0)
+/boot/System\.map(-.*)?	--	context_template(system_u:object_r:system_map_t,s0)
 
 /etc/lilo\.conf.*	--	context_template(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	context_template(system_u:object_r:bootloader_etc_t,s0)

refpolicy/policy/modules/kernel/corenetwork.te.in

@@ -158,11 +158,5 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
 type netif_t, netif_type;
 sid netif context_template(system_u:object_r:netif_t,s0)
 
-network_interface(lo, lo,s0)
-network_interface(eth0, eth0,s0)
-network_interface(eth1, eth1,s0)
-network_interface(eth2, eth2,s0)
-network_interface(ippp0, ippp0,s0)
-network_interface(ipsec0, ipsec0,s0)
-network_interface(ipsec1, ipsec1,s0)
-network_interface(ipsec2, ipsec2,s0)
+#network_interface(lo, lo,s0)
+#network_interface(eth0, eth0,s0)

refpolicy/policy/modules/kernel/devices.fc

@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
 /dev/vttuner		-c	context_template(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	context_template(system_u:object_r:v4l_device_t,s0)
 /dev/winradio.		-c	context_template(system_u:object_r:v4l_device_t,s0)
+/dev/z90crypt		-c	context_template(system_u:object_r:crypt_device_t,s0)
 /dev/zero		-c	context_template(system_u:object_r:zero_device_t,s0)
 
 /dev/cpu/.*		-c	context_template(system_u:object_r:cpu_device_t,s0)

refpolicy/policy/modules/kernel/terminal.fc

@@ -1,6 +1,7 @@
 
 /dev/.*tty[^/]*		-c	context_template(system_u:object_r:tty_device_t,s0)
 /dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c context_template(system_u:object_r:bsdpty_device_t,s0)
+/dev/adb.*		-c	context_template(system_u:object_r:tty_device_t,s0)
 /dev/capi.*		-c	context_template(system_u:object_r:tty_device_t,s0)
 /dev/cu.*		-c	context_template(system_u:object_r:tty_device_t,s0)
 /dev/dcbri[0-9]+	-c	context_template(system_u:object_r:tty_device_t,s0)

refpolicy/policy/modules/services/bind.fc

@@ -1,27 +1,28 @@
 /etc/rndc.*		--	context_template(system_u:object_r:named_conf_t,s0)
-/etc/rndc.key  		-- 	context_template(system_u:object_r:dnssec_t,s0)
+/etc/rndc\.key 		-- 	context_template(system_u:object_r:dnssec_t,s0)
 
 /usr/sbin/lwresd	--	context_template(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named      	--	context_template(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named		--	context_template(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf --	context_template(system_u:object_r:named_checkconf_exec_t,s0)
 /usr/sbin/r?ndc		--	context_template(system_u:object_r:ndc_exec_t,s0)
 
+/var/log/named.*	--	context_template(system_u:object_r:named_log_t,s0)
+
 /var/run/ndc		-s	context_template(system_u:object_r:named_var_run_t,s0)
-
 /var/run/bind(/.*)?		context_template(system_u:object_r:named_var_run_t,s0)
-
 /var/run/named(/.*)?		context_template(system_u:object_r:named_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /etc/bind(/.*)?			context_template(system_u:object_r:named_zone_t,s0)
 /etc/bind/named\.conf	--	context_template(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key	--	context_template(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	context_template(system_u:object_r:dnssec_t,s0)
 /var/cache/bind(/.*)?		context_template(system_u:object_r:named_cache_t,s0)
 ')
 
 ifdef(`distro_gentoo',`
 /etc/bind(/.*)?			context_template(system_u:object_r:named_zone_t,s0)
 /etc/bind/named\.conf	--	context_template(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key	--	context_template(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	context_template(system_u:object_r:dnssec_t,s0)
 /var/bind(/.*)?			context_template(system_u:object_r:named_cache_t,s0)
 /var/bind/pri(/.*)?		context_template(system_u:object_r:named_zone_t,s0)
 ')

refpolicy/policy/modules/services/cron.fc

@@ -22,8 +22,12 @@
 
 /var/spool/cron			-d	context_template(system_u:object_r:cron_spool_t,s0)
 #/var/spool/cron/root		--	context_template(system_u:object_r:sysadm_cron_spool_t,s0)
-
 /var/spool/cron/[^/]*		--	<<none>>
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun		-d	context_template(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+/var/spool/cron/tabs		-d	context_template(system_u:object_r:cron_spool_t,s0)
+')
 
 /var/spool/cron/crontabs 	-d	context_template(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/crontabs/.*	--	<<none>>

refpolicy/policy/modules/services/dhcp.fc

@@ -3,4 +3,4 @@
 
 /var/lib/dhcp(3)?/dhcpd\.leases.* --	context_template(system_u:object_r:dhcpd_state_t,s0)
 
-/var/run/dhcpd\.pid		-d	context_template(system_u:object_r:dhcpd_var_run_t,s0)
+/var/run/dhcpd\.pid		--	context_template(system_u:object_r:dhcpd_var_run_t,s0)

refpolicy/policy/modules/services/dhcp.te

@@ -62,6 +62,7 @@ corenet_tcp_bind_all_nodes(dhcpd_t)
 corenet_udp_bind_all_nodes(dhcpd_t)
 corenet_udp_bind_dhcpd_port(dhcpd_t)
 corenet_udp_bind_pxe_port(dhcpd_t)
+corenet_tcp_connect_all_ports(dhcpd_t)
 
 dev_read_sysfs(dhcpd_t)
 dev_read_rand(dhcpd_t)
@@ -121,6 +122,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(dhcpd_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(dhcpd_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(dhcpd_t)
 ')

refpolicy/policy/modules/services/hal.te

@@ -16,7 +16,7 @@ files_tmp_file(hald_tmp_t)
 type hald_var_run_t;
 files_pid_file(hald_var_run_t)
 
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -49,12 +49,21 @@ dev_read_sysfs(hald_t)
 dev_read_usbfs(hald_t)
 dev_read_urand(hald_t)
 dev_read_input(hald_t)
+dev_read_mouse(hald_t)
 dev_rw_printer(hald_t)
+dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_file(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_auto_mountpoints(hald_t)
 
+selinux_get_fs_mount(hald_t)
+selinux_validate_context(hald_t)
+selinux_compute_access_vector(hald_t)
+selinux_compute_create_context(hald_t)
+selinux_compute_relabel_context(hald_t)
+selinux_compute_user_contexts(hald_t)
+
 storage_raw_read_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)

refpolicy/policy/modules/services/kerberos.fc

@@ -12,6 +12,3 @@
 
 /var/log/krb5kdc\.log			context_template(system_u:object_r:krb5kdc_log_t,s0)
 /var/log/kadmind\.log			context_template(system_u:object_r:kadmind_log_t,s0)
-
-#this goes to su:
-#/usr(/local)?/bin/ksu		--	context_template(system_u:object_r:su_exec_t,s0)

refpolicy/policy/modules/services/nscd.fc

@@ -3,6 +3,8 @@
 
 /var/db/nscd(/.*)?		context_template(system_u:object_r:nscd_var_run_t,s0)
 
+/var/log/nscd\.log.*	--	context_template(system_u:object_r:nscd_log_t,s0)
+
 /var/run/nscd\.pid	--	context_template(system_u:object_r:nscd_var_run_t,s0)
 /var/run/\.nscd_socket	-s	context_template(system_u:object_r:nscd_var_run_t,s0)
 

refpolicy/policy/modules/services/ntp.fc

@@ -1,10 +1,10 @@
 
-/etc/ntp(d)?\.conf(.sv)?	--	context_template(system_u:object_r:net_conf_t,s0)
+/etc/ntp(d)?\.conf.*		--	context_template(system_u:object_r:net_conf_t,s0)
 
 /etc/cron\.(daily|weekly)/ntp-simple -- context_template(system_u:object_r:ntpd_exec_t,s0)
 /etc/cron\.(daily|weekly)/ntp-server -- context_template(system_u:object_r:ntpd_exec_t,s0)
 
-/etc/ntp/step-tickers		--	context_template(system_u:object_r:net_conf_t,s0)
+/etc/ntp/step-tickers.*		--	context_template(system_u:object_r:net_conf_t,s0)
 /etc/ntp/data(/.*)?			context_template(system_u:object_r:ntp_drift_t,s0)
 
 /usr/sbin/ntpd			--	context_template(system_u:object_r:ntpd_exec_t,s0)

refpolicy/policy/modules/services/ntp.te

@@ -30,7 +30,7 @@ init_system_domain(ntpd_t,ntpdate_exec_t)
 # Local policy
 #
 
-allow ntpd_t self:capability { kill setgid setuid sys_time ipc_lock sys_chroot };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot };
 # ntpdate wants sys_nice
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms setcap setsched };

refpolicy/policy/modules/services/portmap.fc

@@ -8,3 +8,5 @@ ifdef(`distro_debian',`
 /usr/sbin/pmap_dump	--	context_template(system_u:object_r:portmap_helper_exec_t,s0)
 /usr/sbin/pmap_set	--	context_template(system_u:object_r:portmap_helper_exec_t,s0)
 ')
+
+/var/run/portmap.upgrade-state -- context_template(system_u:object_r:portmap_var_run_t,s0)

refpolicy/policy/modules/services/privoxy.te

@@ -63,6 +63,8 @@ logging_send_syslog_msg(privoxy_t)
 
 miscfiles_read_localization(privoxy_t)
 
+sysnet_dns_name_resolve(privoxy_t)
+
 userdom_dontaudit_use_unpriv_user_fd(privoxy_t)
 userdom_dontaudit_search_sysadm_home_dir(privoxy_t)
 # cjp: this should really not be needed

refpolicy/policy/modules/services/samba.te

@@ -125,6 +125,11 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(samba_net_t)
 ')
 
+ifdef(`TODO',`
+role system_r types samba_net_t;
+in_user_role(samba_net_t)
+')
+
 ########################################
 #
 # smbd Local policy
@@ -194,6 +199,7 @@ corenet_tcp_bind_all_nodes(smbd_t)
 corenet_udp_bind_all_nodes(smbd_t)
 corenet_tcp_bind_smbd_port(smbd_t)
 corenet_tcp_connect_ipp_port(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
 
 dev_read_sysfs(smbd_t)
 dev_read_urand(smbd_t)

refpolicy/policy/modules/services/ssh.fc

@@ -7,6 +7,8 @@
 /usr/bin/ssh-agent		--	context_template(system_u:object_r:ssh_agent_exec_t,s0)
 /usr/bin/ssh-keygen		--	context_template(system_u:object_r:ssh_keygen_exec_t,s0)
 
+/usr/libexec/openssh/ssh-keysign --	context_template(system_u:object_r:ssh_keysign_exec_t,s0)
+
 /usr/sbin/sshd			--	context_template(system_u:object_r:sshd_exec_t,s0)
 
 /var/run/sshd\.init\.pid	--	context_template(system_u:object_r:sshd_var_run_t,s0)

refpolicy/policy/modules/services/ssh.if

@@ -467,6 +467,9 @@ template(`ssh_server_template', `
 
 	userdom_search_all_users_home($1_t)
 
+	# Allow checking users mail at login
+	mta_getattr_spool($1_t)
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_read_nfs_files($1_t)
 	')

refpolicy/policy/modules/services/ssh.te

@@ -21,6 +21,9 @@ type ssh_keygen_exec_t;
 init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
 role system_r types ssh_keygen_t;
 
+type ssh_keysign_exec_t;
+files_type(ssh_keysign_exec_t)
+
 ssh_server_template(sshd)
 
 # cjp: commenting this out until typeattribute works in a conditional
@@ -69,9 +72,6 @@ auth_exec_pam(sshd_t)
 
 seutil_read_config(sshd_t)
 
-# Allow checking users mail at login
-mta_getattr_spool(sshd_t)
-
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to

refpolicy/policy/modules/system/clock.te

@@ -25,6 +25,7 @@ allow hwclock_t self:process signal_perms;
 # but hwclock does require it.
 allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
 dontaudit hwclock_t self:capability sys_tty_config;
+allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 # Allow hwclock to store & retrieve correction factors.
 allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };

refpolicy/policy/modules/system/corecommands.fc

@@ -65,6 +65,10 @@ ifdef(`distro_gentoo', `
 
 /usr(/.*)?/sbin(/.*)?		context_template(system_u:object_r:sbin_t,s0)
 
+ifdef(`distro_suse', `
+/usr/lib/cron/run-crons	--	context_template(system_u:object_r:bin_t,s0)
+')
+
 /usr/lib(64)?/sftp-server --	context_template(system_u:object_r:bin_t,s0)
 
 /usr/lib(64)?/emacsen-common/.*	context_template(system_u:object_r:bin_t,s0)

refpolicy/policy/modules/system/fstools.fc

@@ -34,5 +34,6 @@
 /usr/bin/partition_uuid	--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/raw		--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/scsi_unique_id	--	context_template(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/syslinux	--	context_template(system_u:object_r:fsadm_exec_t,s0)
 
 /usr/sbin/smartctl	--	context_template(system_u:object_r:fsadm_exec_t,s0)

refpolicy/policy/modules/system/fstools.te

@@ -6,7 +6,7 @@ policy_module(fstools,1.0)
 # Declarations
 #
 
-type fsadm_t;
+type fsadm_t; #, mlsfileread;
 type fsadm_exec_t;
 init_system_domain(fsadm_t,fsadm_exec_t)
 role system_r types fsadm_t;
@@ -23,7 +23,7 @@ files_type(swapfile_t)
 #
 
 # ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
 allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_file_perms;
@@ -63,8 +63,7 @@ dev_manage_generic_symlinks(fsadm_t)
 # Access to /initrd devices
 dev_search_usbfs(fsadm_t)
 # for swapon
-dev_getattr_sysfs_dir(fsadm_t)
-dev_search_sysfs(fsadm_t)
+dev_read_sysfs(fsadm_t)
 # Access to /initrd devices
 dev_getattr_usbfs_dir(fsadm_t)
 
@@ -83,6 +82,8 @@ storage_raw_write_removable_device(fsadm_t)
 storage_read_scsi_generic(fsadm_t)
 storage_swapon_fixed_disk(fsadm_t)
 
+term_use_console(fsadm_t)
+
 corecmd_list_bin(fsadm_t)
 corecmd_list_sbin(fsadm_t)
 corecmd_read_bin_symlink(fsadm_t)

refpolicy/policy/modules/system/hostname.te

@@ -36,6 +36,7 @@ term_use_all_user_ttys(hostname_t)
 term_use_all_user_ptys(hostname_t)
 
 init_use_fd(hostname_t)
+init_use_script_fd(hostname_t)
 init_use_script_pty(hostname_t)
 
 domain_use_wide_inherit_fd(hostname_t)

refpolicy/policy/modules/system/ipsec.te

@@ -42,6 +42,7 @@ files_pid_file(ipsec_mgmt_var_run_t)
 allow ipsec_t self:capability { net_admin dac_override dac_read_search };
 dontaudit ipsec_t self:capability sys_tty_config;
 allow ipsec_t self:process signal;
+allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:key_socket { create write read setopt };
 allow ipsec_t self:fifo_file { read getattr };

refpolicy/policy/modules/system/libraries.fc

@@ -44,6 +44,7 @@
 /usr/X11R6/lib/libGL\.so.* 		--	context_template(system_u:object_r:texrel_shlib_t,s0)
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	context_template(system_u:object_r:texrel_shlib_t,s0)
 
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
 #
 # /var
 #

refpolicy/policy/modules/system/logging.fc

@@ -1,6 +1,10 @@
 
 /dev/log		-s	context_template(system_u:object_r:devlog_t,s0)
 
+/etc/auditd.conf	--	context_template(system_u:object_r:auditd_etc_t,s0)
+/etc/audit.rules	--	context_template(system_u:object_r:auditd_etc_t,s0)
+
+/sbin/auditctl		--	context_template(system_u:object_r:auditctl_exec_t,s0)
 /sbin/auditd		--	context_template(system_u:object_r:auditd_exec_t,s0)
 /sbin/klogd		--	context_template(system_u:object_r:klogd_exec_t,s0)
 /sbin/minilogd		--	context_template(system_u:object_r:syslogd_exec_t,s0)

refpolicy/policy/modules/system/miscfiles.fc

@@ -23,15 +23,14 @@
 /usr/man(/.*)?			context_template(system_u:object_r:man_t,s0)
 
 /usr/share/fonts(/.*)?		context_template(system_u:object_r:fonts_t,s0)
-
 /usr/share/ghostscript/fonts(/.*)? context_template(system_u:object_r:fonts_t,s0)
-
 /usr/share/locale(/.*)?		context_template(system_u:object_r:locale_t,s0)
-
 /usr/share/man(/.*)?		context_template(system_u:object_r:man_t,s0)
-
 /usr/share/zoneinfo(/.*)?	context_template(system_u:object_r:locale_t,s0)
 
+/usr/share/ssl/certs(/.*)?	context_template(system_u:object_r:cert_t,s0)
+/usr/share/ssl/private(/.*)?	context_template(system_u:object_r:cert_t,s0)
+
 /usr/X11R6/lib/X11/fonts(/.*)?	context_template(system_u:object_r:fonts_t,s0)
 
 /usr/X11R6/man(/.*)?		context_template(system_u:object_r:man_t,s0)
@@ -46,9 +45,6 @@ ifdef(`distro_debian', `
 /var/lib/texmf(/.*)?		context_template(system_u:object_r:tetex_data_t,s0)
 
 /var/cache/fonts(/.*)?		context_template(system_u:object_r:tetex_data_t,s0)
-
-/var/cache/man(/.*)?		context_template(system_u:object_r:catman_t,s0)
-
-/var/catman(/.*)?		context_template(system_u:object_r:catman_t,s0)
+/var/cache/man(/.*)?		context_template(system_u:object_r:man_t,s0)
 
 /var/spool/texmf(/.*)?		context_template(system_u:object_r:tetex_data_t,s0)

refpolicy/policy/modules/system/selinuxutil.if

@@ -474,6 +474,26 @@ interface(`seutil_dontaudit_search_config',`
 	dontaudit $1 selinux_config_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read the SELinux
+##	userland configuration (/etc/selinux).
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`seutil_dontaudit_read_config',`
+	gen_require(`
+		type selinux_config_t;
+		class dir search;
+		class file { getattr read };
+	')
+
+	dontaudit $1 selinux_config_t:dir search;
+	dontaudit $1 selinux_config_t:file { getattr read };
+')
+
 ########################################
 #
 # seutil_read_config(domain)

refpolicy/policy/modules/system/udev.fc

@@ -1,18 +1,19 @@
 # udev
 
-/dev/\.udev\.tdb --	context_template(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udevdb	--	context_template(system_u:object_r:udev_tbl_t,s0)
 /dev/udev\.tbl	--	context_template(system_u:object_r:udev_tbl_t,s0)
 
 /etc/dev\.d/.+	--	context_template(system_u:object_r:udev_helper_exec_t,s0)
 
 /etc/hotplug\.d/default/udev.* -- context_template(system_u:object_r:udev_helper_exec_t,s0)
 
-/etc/udev/scripts/.+	-- context_template(system_u:object_r:udev_helper_exec_t,s0)
+/etc/udev/scripts/.+ --	context_template(system_u:object_r:udev_helper_exec_t,s0)
 
 /sbin/start_udev --	context_template(system_u:object_r:udev_exec_t,s0)
 /sbin/udev	--	context_template(system_u:object_r:udev_exec_t,s0)
 /sbin/udevd	--	context_template(system_u:object_r:udev_exec_t,s0)
 /sbin/udevsend	--	context_template(system_u:object_r:udev_exec_t,s0)
+/sbin/udevstart  --	context_template(system_u:object_r:udev_exec_t,s0)
 /sbin/wait_for_sysfs -- context_template(system_u:object_r:udev_exec_t,s0)
 
 /usr/bin/udevinfo --	context_template(system_u:object_r:udev_exec_t,s0)

refpolicy/policy/modules/system/udev.te

@@ -42,7 +42,7 @@ allow udev_t self:fifo_file rw_file_perms;
 allow udev_t self:unix_stream_socket { listen accept };
 allow udev_t self:unix_dgram_socket sendto;
 allow udev_t self:unix_stream_socket connectto;
-allow udev_t self:netlink_kobject_uevent_socket { create bind read };
+allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt };
 allow udev_t self:shm create_shm_perms;
 allow udev_t self:sem create_sem_perms;
 allow udev_t self:msgq create_msgq_perms;

refpolicy/policy/support/misc_macros.spt

@@ -21,11 +21,12 @@ user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
 
 ########################################
 #
-# gen_con(context,sensitivity)
+# gen_con(context,mls_sensitivity,[mcs_categories])
 #
-# Optionally put the sensitivity for the file
+# MLS: Optionally put the sensitivity for the file
+# MCS: Optionally put the categories of the file
 #
-define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
+define(`context_template',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
 
 ########################################
 #

strict/ChangeLog

@@ -1,3 +1,26 @@
+1.27.1 2005-09-15
+	* Merged small patches from Russell Coker for the apostrophe,
+	dhcpc, fsadm, and setfiles policy.
+	* Merged a patch from Russell Coker with some minor fixes to a
+	multitude of policy files.
+	* Merged patch from Dan Walsh from August 15th. Adds certwatch
+	policy.  Adds mcs support to Makefile.  Adds mcs file which
+	defines sensitivities and categories for the MSC policy.  Creates
+	an authentication_domain macro in global_macros.te for domains
+	that use pam_authentication.  Creates the anonymous_domain macro
+	so that the ftpd, rsync, httpd, and smbd domains can share the
+	ftpd_anon_t and ftpd_anon_rw_t types.  Removes netifcon rules to
+	start isolating individual ethernet devices.  Changes vpnc from a
+	daemon to an application_domain.  Adds audit_control capability to
+	crond_t.  Adds dac_override and dac_read_search capabilities to
+	fsadm_t to allow the manipulation of removable media.  Adds
+	read_sysctl macro to the base_passwd_domain macro.  Adds rules to
+	allow alsa_t to communicate with userspace.  Allows networkmanager
+	to communicate with isakmp_port and to use vpnc.  For targeted
+	policy, removes transitions of sysadm_t to apm_t, backup_t,
+	bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t.
+	Makes other minor cleanups and fixes.
+	
 1.26 2005-09-06
 	* Updated version for release.
 

strict/Makefile

@@ -15,6 +15,9 @@
 # Set to y if MLS is enabled in the policy.
 MLS=n
 
+# Set to y if MCS is enabled in the policy
+MCS=n
+
 FLASKDIR = flask/
 PREFIX = /usr
 BINDIR = $(PREFIX)/bin
@@ -24,14 +27,18 @@ CHECKPOLICY = $(BINDIR)/checkpolicy
 GENHOMEDIRCON = $(SBINDIR)/genhomedircon
 SETFILES = $(SBINDIR)/setfiles
 VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
+PREVERS := 19
 KERNVERS := $(shell cat /selinux/policyvers)
 POLICYVER := policy.$(VERS)
 TOPDIR = $(DESTDIR)/etc/selinux
+TYPE=strict
 ifeq ($(MLS),y)
 TYPE=mls
-else
-TYPE=strict
 endif
+ifeq ($(MCS),y)
+TYPE=mcs
+endif
+
 INSTALLDIR = $(TOPDIR)/$(TYPE)
 POLICYPATH = $(INSTALLDIR)/policy
 SRCPATH = $(INSTALLDIR)/src
@@ -54,6 +61,10 @@ ifeq ($(MLS),y)
 POLICYFILES += mls
 CHECKPOLMLS += -M
 endif
+ifeq ($(MCS), y)
+POLICYFILES += mcs
+CHECKPOLMLS += -M
+endif
 DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
 POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
 POLICYFILES += $(USER_FILES)
@@ -148,8 +159,10 @@ $(LOADPATH): policy.conf $(CHECKPOLICY)
 	@echo "Compiling policy ..."
 	@mkdir -p $(POLICYPATH)
 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(MLS),y)
+ifneq ($(VERS),$(PREVERS))
+	$(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
 endif
+
 # Note: Can't use install, so not sure how to deal with mode, user, and group
 #	other than by default.
 
@@ -162,7 +175,11 @@ $(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
 
 reload tmp/load: $(LOADPATH) 
 	@echo "Loading Policy ..."
+ifeq ($(VERS), $(KERNVERS))
 	$(LOADPOLICY) $(LOADPATH)
+else
+	$(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
+endif
 	touch tmp/load
 
 load: tmp/load $(FCPATH) 
@@ -328,3 +345,22 @@ mlsconvert:
 	@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
 	@mv Makefile.new Makefile
 	@echo "Done"
+
+mcsconvert: 
+	@for file in $(CONTEXTFILES); do \
+		echo "Converting $$file"; \
+		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
+		mv $$file.new $$file; \
+	done
+	@for file in $(USER_FILES); do \
+		echo "Converting $$file"; \
+		sed -r -e 's/\;/ level s0 range s0;/' $$file | \
+		sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
+		mv $$file.new $$file; \
+	done
+	@sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+	@echo "Enabling MCS in the Makefile"
+	@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new
+	@mv Makefile.new Makefile
+	@echo "Done"
+

strict/VERSION

@@ -1 +1 @@
-1.26
+1.27.1

strict/appconfig/default_type

@@ -1,3 +1,4 @@
+secadm_r:secadm_t
 sysadm_r:sysadm_t
 staff_r:staff_t
 user_r:user_t

strict/attrib.te

@@ -94,7 +94,7 @@ attribute priv_system_role;
 
 # The privowner attribute identifies every domain that can 
 # assign a different SELinux user identity to a file, or that
-# can create a file with an identity that's not the same as the
+# can create a file with an identity that is not the same as the
 # process identity.  This attribute is used in the constraints
 # configuration.
 attribute privowner;
@@ -201,6 +201,10 @@ attribute userpty_type;
 # unpriviledged user
 attribute user_tty_type;
 
+# The admin_tty_type identifies every type for a tty or pty owned by a
+# priviledged user
+attribute admin_tty_type;
+
 # The user_crond_domain attribute identifies every user_crond domain, presently
 # user_crond_t and sysadm_crond_t.  It is used in TE rules that should be
 # applied to all user domains.
@@ -255,6 +259,11 @@ attribute dev_fs;
 # in TE rules to grant such access for administrator domains.
 attribute sysadmfile;
 
+# The secadmfile attribute identifies all types assigned to files 
+# that should be only accessible to security administrators.  It is used
+# in TE rules to grant such access for security administrator domains.
+attribute secadmfile;
+
 # The fs_type attribute identifies all types assigned to filesystems
 # (not limited to persistent filesystems).
 # It is used in TE rules to permit certain domains to mount

strict/domains/program/acct.te

@@ -23,10 +23,11 @@ allow acct_t urandom_device_t:chr_file read;
 
 type acct_data_t, file_type, logfile, sysadmfile;
 
-allow acct_t self:capability sys_pacct;
+# not sure why we need this, the command "last" is reported as using it
+dontaudit acct_t self:capability kill;
 
 # gzip needs chown capability for some reason
-allow acct_t self:capability chown;
+allow acct_t self:capability { chown fsetid sys_pacct };
 
 allow acct_t var_t:dir { getattr search };
 rw_dir_create_file(acct_t, acct_data_t)
@@ -37,14 +38,13 @@ allow acct_t bin_t:lnk_file read;
 
 read_locale(acct_t)
 
-allow acct_t self:capability fsetid;
 allow acct_t fs_t:filesystem getattr;
 
 allow acct_t self:unix_stream_socket create_socket_perms;
 
 allow acct_t self:fifo_file { read write getattr };
 
-allow acct_t proc_t:file { read getattr };
+allow acct_t { self proc_t }:file { read getattr };
 
 read_sysctl(acct_t)
 
@@ -53,8 +53,6 @@ dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
 # for nscd
 dontaudit acct_t var_run_t:dir search;
 
-# not sure why we need this, the command "last" is reported as using it
-dontaudit acct_t self:capability kill;
 
 allow acct_t devtty_t:chr_file { read write };
 

strict/domains/program/apache.te

@@ -222,6 +222,9 @@ tmp_domain(httpd_php)
 # Creation of lock files for apache2
 lock_domain(httpd)
 
+# Allow apache to used ftpd_anon_t
+anonymous_domain(httpd)
+
 # connect to mysql
 ifdef(`mysqld.te', `
 can_unix_connect(httpd_php_t, mysqld_t)
@@ -300,7 +303,7 @@ allow httpd_helper_t httpd_log_t:file { append };
 ##################################################
 
 if (httpd_tty_comm) {
-allow { httpd_t httpd_helper_t } devpts_t:dir { search };
+allow { httpd_t httpd_helper_t } devpts_t:dir search;
 ifdef(`targeted_policy', `
 allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
 ')

strict/domains/program/apmd.te

@@ -16,7 +16,9 @@ allow apmd_t urandom_device_t:chr_file read;
 
 type apm_t, domain, privlog;
 type apm_exec_t, file_type, sysadmfile, exec_type;
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
+')
 uses_shlib(apm_t)
 allow apm_t privfd:fd use;
 allow apm_t admin_tty_type:chr_file rw_file_perms;

strict/domains/program/bluetooth.te

@@ -43,3 +43,6 @@ allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
 allow initrc_t usbfs_t:file { getattr read };
 allow bluetooth_t usbfs_t:dir r_dir_perms;
 allow bluetooth_t usbfs_t:file rw_file_perms; 
+allow bluetooth_t bin_t:dir search;
+can_exec(bluetooth_t, bin_t)
+

strict/domains/program/certwatch.te

@@ -0,0 +1,11 @@
+#DESC certwatch - generate SSL certificate expiry warnings
+#
+# Domains for the certwatch process 
+# Authors:  Dan Walsh <dwalsh@redhat.com>,
+#
+application_domain(certwatch)
+role system_r types certwatch_t;
+r_dir_file(certwatch_t, cert_t)
+can_exec(certwatch_t, httpd_modules_t)
+system_crond_entry(certwatch_exec_t, certwatch_t)
+read_locale(certwatch_t) 

strict/domains/program/cyrus.te

@@ -20,7 +20,7 @@ allow cyrus_t port_type:tcp_socket name_connect;
 can_ypbind(cyrus_t)
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
+allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
 allow cyrus_t etc_t:file { getattr read };
 allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
 read_locale(cyrus_t)
@@ -42,3 +42,11 @@ allow system_crond_t cyrus_var_lib_t:file create_file_perms;
 create_dir_file(cyrus_t, mail_spool_t)
 allow cyrus_t var_spool_t:dir search;
 
+ifdef(`saslaudthd.te', `
+allow cyrus_t saslauthd_var_run_t:dir search;
+allow cyrus_t saslauthd_var_run_t:sock_file { read write };
+allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
+')
+
+r_dir_file(cyrus_t, cert_t)
+allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };

strict/domains/program/dhcpd.te

@@ -15,21 +15,18 @@
 # dhcpd_exec_t is the type of the dhcpdd executable.
 # The dhcpd_t can be used for other DHCPC related files as well.
 #
-daemon_domain(dhcpd)
+daemon_domain(dhcpd, `, nscd_client_domain')
 
 allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
 
 # for UDP port 4011
-ifdef(`pxe.te', `', `
-type pxe_port_t, port_type;
-')
 allow dhcpd_t pxe_port_t:udp_socket name_bind;
 
 type dhcp_etc_t, file_type, sysadmfile, usercanread;
-typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
 
 # Use the network.
 can_network(dhcpd_t)
+allow dhcpd_t port_type:tcp_socket name_connect;
 can_ypbind(dhcpd_t)
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;

strict/domains/program/firstboot.te

@@ -57,9 +57,6 @@ allow firstboot_t etc_t:file write;
 # Allow write to utmp file
 allow firstboot_t initrc_var_run_t:file write;
 
-allow firstboot_t krb5_conf_t:file { getattr read };
-allow firstboot_t net_conf_t:file { getattr read };
-
 ifdef(`samba.te', `
 rw_dir_file(firstboot_t, samba_etc_t)
 ')
@@ -95,10 +92,6 @@ allow firstboot_t krb5_conf_t:file rw_file_perms;
 allow firstboot_t modules_conf_t:file { getattr read };
 allow firstboot_t modules_dep_t:file { getattr read };
 allow firstboot_t modules_object_t:dir search;
-allow firstboot_t net_conf_t:file rw_file_perms;
-allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send };
-allow firstboot_t node_t:node { tcp_recv tcp_send };
-
 allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
 allow firstboot_t proc_t:lnk_file read;
 

strict/domains/program/fs_daemon.te

@@ -15,6 +15,8 @@ allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
 allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
 allow fsdaemon_t etc_runtime_t:file { getattr read };
 
+allow fsdaemon_t proc_mdstat_t:file { getattr read };
+
 can_exec_any(fsdaemon_t)
 allow fsdaemon_t self:fifo_file rw_file_perms;
 can_network_udp(fsdaemon_t)

strict/domains/program/fsadm.te

@@ -12,14 +12,14 @@
 # administration.
 # fsadm_exec_t is the type of the corresponding programs.
 #
-type fsadm_t, domain, privlog, fs_domain;
+type fsadm_t, domain, privlog, fs_domain, mlsfileread;
 role system_r types fsadm_t;
 role sysadm_r types fsadm_t;
 
 general_domain_access(fsadm_t)
 
 # for swapon
-allow fsadm_t sysfs_t:dir { search getattr };
+r_dir_file(fsadm_t, sysfs_t)
 
 # Read system information files in /proc.
 r_dir_file(fsadm_t, proc_t)
@@ -33,8 +33,7 @@ allow fsadm_t tmpfs_t:dir { getattr search };
 base_file_read_access(fsadm_t)
 
 # Read /etc.
-allow fsadm_t etc_t:dir r_dir_perms;
-allow fsadm_t etc_t:notdevfile_class_set r_file_perms;
+r_dir_file(fsadm_t, etc_t)
 
 # Read module-related files.
 allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
@@ -47,8 +46,9 @@ uses_shlib(fsadm_t)
 
 type fsadm_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-
+')
 tmp_domain(fsadm)
 
 # remount file system to apply changes
@@ -63,7 +63,7 @@ allow fsadm_t proc_t:filesystem getattr;
 allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
 
 # Use capabilities.  ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
 
 # Write to /etc/mtab.
 file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
@@ -101,7 +101,7 @@ allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
 allow fsadm_t kernel_t:system syslog_console;
 
 # Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 allow fsadm_t privfd:fd use;
 allow fsadm_t devpts_t:dir { getattr search };

strict/domains/program/ftpd.te

@@ -110,9 +110,5 @@ if (use_samba_home_dirs && ftp_home_dir) {
 	r_dir_file(ftpd_t, cifs_t)
 }
 dontaudit ftpd_t selinux_config_t:dir search;
-#
-# Type for access to anon ftp
-#
-r_dir_file(ftpd_t,ftpd_anon_t)
-type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
-create_dir_file(ftpd_t,ftpd_anon_rw_t)
+anonymous_domain(ftpd)
+

strict/domains/program/hald.te

@@ -30,12 +30,13 @@ allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t usr_t:file { getattr read };
 allow hald_t bin_t:file getattr;
+
 # For backwards compatibility with older kernels
 allow hald_t self:netlink_socket create_socket_perms;
 
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 can_network_server(hald_t)
 can_ypbind(hald_t)
 
@@ -45,6 +46,10 @@ allow hald_t removable_device_t:blk_file write;
 allow hald_t event_device_t:chr_file { getattr read ioctl };
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file read;
+allow hald_t mouse_device_t:chr_file r_file_perms;
+allow hald_t device_type:chr_file getattr;
+
+can_getsecurity(hald_t)
 
 ifdef(`updfstab.te', `
 domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)

strict/domains/program/hostname.te

@@ -10,7 +10,7 @@ role sysadm_r types hostname_t;
 allow hostname_t self:capability sys_admin;
 allow hostname_t etc_t:file { getattr read };
 
-allow hostname_t { user_tty_type admin_tty_type }:chr_file { getattr read write };
+allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
 read_locale(hostname_t)
 can_resolve(hostname_t)
 allow hostname_t userdomain:fd use;
@@ -26,3 +26,5 @@ dontaudit hostname_t file_t:dir search;
 ifdef(`distro_redhat', `
 allow hostname_t tmpfs_t:chr_file rw_file_perms;
 ')
+allow hostname_t initrc_devpts_t:chr_file { read write };
+allow hostname_t initrc_t:fd use;

strict/domains/program/hwclock.te

@@ -17,7 +17,9 @@
 #
 daemon_base_domain(hwclock)
 role sysadm_r types hwclock_t;
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
+')
 type adjtime_t, file_type, sysadmfile;
 
 allow hwclock_t fs_t:filesystem getattr;
@@ -44,3 +46,4 @@ read_locale(hwclock_t)
 
 # for when /usr is not mounted
 dontaudit hwclock_t file_t:dir search;
+allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

strict/domains/program/ifconfig.te

@@ -34,7 +34,7 @@ allow ifconfig_t etc_t:file { getattr read };
 allow ifconfig_t self:socket create_socket_perms;
 
 # Use capabilities.
-allow ifconfig_t self:capability net_admin;
+allow ifconfig_t self:capability { net_raw net_admin };
 dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:capability sys_tty_config;
 

strict/domains/program/ipsec.te

@@ -60,8 +60,8 @@ allow sysadm_t ipsec_t:key_socket getattr;
 # it in its own domain?)
 can_exec(ipsec_mgmt_t, bin_t)
 # logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
-allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
 
 # also need to run things like whack and shell scripts
 can_exec(ipsec_mgmt_t, ipsec_exec_t)
@@ -169,7 +169,7 @@ allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read wri
 # Pluto needs network access
 can_network_server(ipsec_t)
 can_ypbind(ipsec_t)
-allow ipsec_t self:unix_dgram_socket { create connect write };
+allow ipsec_t self:unix_dgram_socket create_socket_perms;
 
 # for sleep
 allow ipsec_mgmt_t fs_t:filesystem getattr;
@@ -211,6 +211,7 @@ allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
 allow ipsec_mgmt_t self:key_socket { create setopt };
 can_exec(ipsec_mgmt_t, initrc_exec_t)
 allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
+allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
 read_locale(ipsec_t)
 ifdef(`consoletype.te', `
 can_exec(ipsec_mgmt_t, consoletype_exec_t )

strict/domains/program/kudzu.te

@@ -48,7 +48,9 @@ allow kudzu_t devpts_t:dir search;
 allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
 
 role sysadm_r types kudzu_t;
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
+')
 ifdef(`anaconda.te', `
 domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
 ')

strict/domains/program/logrotate.te

@@ -141,5 +141,10 @@ allow logrotate_t syslogd_t:unix_dgram_socket sendto;
 
 domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
 
+# Supress libselinux initialization denials
 dontaudit logrotate_t selinux_config_t:dir search;
+dontaudit logrotate_t selinux_config_t:file { read getattr };
 
+# Allow selinux_getenforce 
+allow logrotate_t security_t:dir search;
+allow logrotate_t security_t:file { getattr read };

strict/domains/program/mailman.te

@@ -91,6 +91,8 @@ allow mailman_cgi_t var_spool_t:dir search;
 
 allow mta_delivery_agent mailman_data_t:dir search;
 allow mta_delivery_agent mailman_data_t:lnk_file read;
+allow initrc_t mailman_data_t:lnk_file read;
+allow initrc_t mailman_data_t:dir r_dir_perms;
 domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
 ifdef(`direct_sysadm_daemon', `
 domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)

strict/domains/program/mta.te

@@ -22,7 +22,7 @@ ifdef(`targeted_policy', `
 # rules are currently defined in sendmail.te, but it is not included in 
 # targeted policy.  We could move these rules permanantly here.
 ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
-allow system_mail_t self:dir { search };
+allow system_mail_t self:dir search;
 allow system_mail_t self:lnk_file read;
 r_dir_file(system_mail_t, { proc_t proc_net_t })
 allow system_mail_t fs_t:filesystem getattr;

strict/domains/program/ntpd.te

@@ -26,7 +26,7 @@ allow ntpd_t ntp_drift_t:file create_file_perms;
 # for SSP
 allow ntpd_t urandom_device_t:chr_file { getattr read };
 
-allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
 dontaudit ntpd_t self:capability { net_admin };
 allow ntpd_t self:process { setcap setsched };
 # ntpdate wants sys_nice

strict/domains/program/passwd.te

@@ -64,6 +64,7 @@ dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
 dontaudit $1_t { proc_t device_t }:dir { search read };
 
 allow $1_t device_t:dir getattr;
+read_sysctl($1_t)
 ')
 
 #################################
@@ -149,3 +150,8 @@ allow passwd_t userdomain:file { getattr read };
 allow passwd_t userdomain:process getattr;
 
 allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ifdef(`targeted_policy', `
+role system_r types sysadm_passwd_t;
+allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
+')

strict/domains/program/ping.te

@@ -42,9 +42,6 @@ allow ping_t self:unix_stream_socket create_socket_perms;
 # Let ping create raw ICMP packets.
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 
-allow ping_t netif_type:netif { rawip_send rawip_recv };
-allow ping_t node_type:node { rawip_send rawip_recv };
-
 # Use capabilities.
 allow ping_t self:capability { net_raw setuid };
 
@@ -52,7 +49,6 @@ allow ping_t self:capability { net_raw setuid };
 allow ping_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
 allow ping_t privfd:fd use;
-
 dontaudit ping_t fs_t:filesystem getattr;
 
 # it tries to access /var/run

strict/domains/program/pppd.te

@@ -32,12 +32,9 @@ allow pppd_t sysfs_t:dir search;
 log_domain(pppd)
 
 # Use the network.
-can_network(pppd_t)
+can_network_server(pppd_t)
 can_ypbind(pppd_t)
 
-allow pppd_t fingerd_port_t:tcp_socket name_connect;
-
-
 # Use capabilities.
 allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
 lock_domain(pppd)
@@ -55,8 +52,6 @@ allow postfix_postqueue_t pppd_t:process sigchld;
 
 # allow running ip-up and ip-down scripts and running chat.
 can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
-can_exec(pppd_t, pppd_etc_rw_t)
-can_exec(pppd_t, hostname_exec_t)
 allow pppd_t { bin_t sbin_t }:dir search;
 allow pppd_t { sbin_t bin_t }:lnk_file read;
 
@@ -115,7 +110,6 @@ ifdef(`modutil.te', `
 domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
 ')
 }
-domain_auto_trans(pppd_t, named_exec_t, named_t)
 
 daemon_domain(pptp)
 can_network_client_tcp(pptp_t)
@@ -136,4 +130,17 @@ allow pptp_t self:capability net_raw;
 allow pptp_t self:fifo_file { read write };
 allow pptp_t ptmx_t:chr_file rw_file_perms;
 log_domain(pptp)
+
+# Fix sockets
+allow pptp_t pptp_var_run_t:sock_file create_file_perms;
+
+# Allow pptp to append to pppd log files
 allow pptp_t pppd_log_t:file append;
+
+ifdef(`named.te', `
+dontaudit ndc_t pppd_t:fd use;
+')
+
+# Allow /etc/ppp/ip-{up,down} to run most anything
+type pppd_script_exec_t, file_type, sysadmfile;
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)

strict/domains/program/privoxy.te

@@ -16,8 +16,9 @@ logdir_domain(privoxy)
 allow privoxy_t self:capability net_bind_service;
 
 # Use the network.
-can_network(privoxy_t)
+can_network_tcp(privoxy_t)
 can_ypbind(privoxy_t)
+can_resolve(privoxy_t)
 allow privoxy_t http_cache_port_t:tcp_socket name_bind;
 allow privoxy_t etc_t:file { getattr read };
 allow privoxy_t self:capability { setgid setuid };

strict/domains/program/rlogind.te

@@ -35,4 +35,4 @@ allow rlogind_t self:file { getattr read };
 allow rlogind_t default_t:dir search;
 typealias rlogind_port_t alias rlogin_port_t;
 read_sysctl(rlogind_t);
-allow rlogind_t krb5_keytab_t:file { getattr read };
+allow rlogind_t krb5_keytab_t:file r_file_perms;

strict/domains/program/rpm.te

@@ -31,6 +31,7 @@ tmpfs_domain(rpm)
 log_domain(rpm)
 
 can_network(rpm_t)
+allow rpm_t port_type:tcp_socket name_connect;
 can_ypbind(rpm_t)
 
 # Allow the rpm domain to execute other programs

strict/domains/program/rsync.te

@@ -15,3 +15,5 @@ inetd_child_domain(rsync)
 type rsync_data_t, file_type, sysadmfile;
 r_dir_file(rsync_t, rsync_data_t)
 r_dir_file(rsync_t, ftpd_anon_t)
+
+

strict/domains/program/samba.te

@@ -50,7 +50,7 @@ can_network(smbd_t)
 can_ldap(smbd_t)
 can_kerberos(smbd_t)
 can_winbind(smbd_t)
-allow smbd_t ipp_port_t:tcp_socket name_connect;
+allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
 
@@ -189,6 +189,8 @@ allow smbmount_t local_login_t:fd use;
 ')
 # Derive from app. domain. Transition from mount.
 application_domain(samba_net, `, nscd_client_domain')
+role system_r types samba_net_t;
+in_user_role(samba_net_t)
 file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
 read_locale(samba_net_t) 
 allow samba_net_t samba_etc_t:file r_file_perms;

strict/domains/program/saslauthd.te

@@ -9,6 +9,7 @@ allow saslauthd_t self:fifo_file { read write };
 allow saslauthd_t self:unix_dgram_socket create_socket_perms;
 allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
 allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
+allow saslauthd_t var_lib_t:dir search;
 
 allow saslauthd_t etc_t:dir { getattr search };
 allow saslauthd_t etc_t:file r_file_perms;
@@ -29,3 +30,12 @@ bool allow_saslauthd_read_shadow false;
 if (allow_saslauthd_read_shadow) {
 allow saslauthd_t shadow_t:file r_file_perms;
 }
+dontaudit saslauthd_t selinux_config_t:dir search;
+dontaudit saslauthd_t selinux_config_t:file { getattr read };
+
+
+dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
+ifdef(`mysqld.te', `
+allow saslauthd_t mysqld_db_t:dir search;
+allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
+')

strict/domains/program/setfiles.te

@@ -17,6 +17,7 @@ type setfiles_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types setfiles_t;
 role sysadm_r types setfiles_t;
+role secadm_r types setfiles_t;
 
 ifdef(`distro_redhat', `
 domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
@@ -26,7 +27,7 @@ allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_fi
 
 allow setfiles_t self:unix_dgram_socket create_socket_perms;
 
-domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
+domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
 allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
 
 uses_shlib(setfiles_t)

strict/domains/program/slocate.te

@@ -10,7 +10,8 @@
 # locate_exec_t is the type of the locate executable.
 #
 daemon_base_domain(locate)
-
+role system_r types locate_t;
+role sysadm_r types locate_t;
 allow locate_t fs_t:filesystem getattr;
 
 ifdef(`crond.te', `
@@ -23,6 +24,7 @@ allow system_crond_t locate_etc_t:file { getattr read };
 allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
 
 allow locate_t { fs_type file_type }:dir r_dir_perms;
+dontaudit locate_t sysctl_t:dir getattr;
 allow locate_t file_type:lnk_file r_file_perms;
 allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
 dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;

strict/domains/program/ssh.te

@@ -9,6 +9,9 @@
 # Allow ssh logins as sysadm_r:sysadm_t
 bool ssh_sysadm_login false;
 
+# allow host key based authentication
+bool allow_ssh_keysign false;
+
 ifdef(`inetd.te', `
 # Allow ssh to run from inetd instead of as a daemon.
 bool run_ssh_inetd false;
@@ -111,6 +114,11 @@ read_sysctl($1_t)
 can_create_pty($1, `, server_pty')
 allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
 dontaudit sshd_t userpty_type:chr_file relabelfrom;
+
+# Allow checking users mail at login
+allow $1_t { var_spool_t mail_spool_t }:dir search;
+allow $1_t mail_spool_t:lnk_file read;
+allow $1_t mail_spool_t:file getattr;
 ')dnl end sshd_program_domain
 
 # macro for defining which domains a sshd can spawn
@@ -157,11 +165,6 @@ sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)
 # for when the network connection breaks after running newrole -r sysadm_r
 dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
 
-# Allow checking users mail at login
-allow sshd_t { var_spool_t mail_spool_t }:dir search;
-allow sshd_t mail_spool_t:lnk_file read;
-allow sshd_t mail_spool_t:file getattr;
-
 ifdef(`inetd.te', `
 if (run_ssh_inetd) {
 allow inetd_t ssh_port_t:tcp_socket name_bind;
@@ -217,6 +220,7 @@ file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
 
 # Type for the ssh executable.
 type ssh_exec_t, file_type, exec_type, sysadmfile;
+type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
 
 # Everything else is in the ssh_domain macro in
 # macros/program/ssh_macros.te.

strict/domains/program/udev.te

@@ -33,7 +33,7 @@ allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:netlink_kobject_uevent_socket { create bind read }; 
+allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt }; 
 allow udev_t device_t:file { unlink rw_file_perms };
 allow udev_t device_t:sock_file create_file_perms;
 allow udev_t device_t:lnk_file create_lnk_perms;

strict/domains/program/unused/clockspeed.te

@@ -21,5 +21,6 @@ allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms;
 
 # sysadm can play with clockspeed
 role sysadm_r types clockspeed_t;
+ifdef(`targeted_policy', `', `
 domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
-
+')

strict/domains/program/unused/cvs.te

@@ -15,12 +15,14 @@ inetd_child_domain(cvs, tcp)
 typeattribute cvs_t privmail;
 typeattribute cvs_t auth_chkpwd;
 
-type cvs_data_t, file_type, sysadmfile;
+type cvs_data_t, file_type, sysadmfile, customizable;
 create_dir_file(cvs_t, cvs_data_t)
 can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
+allow cvs_t bin_t:dir search;
+allow cvs_t { bin_t sbin_t }:lnk_file read;
 allow cvs_t etc_runtime_t:file { getattr read };
 allow system_mail_t cvs_data_t:file { getattr read };
 dontaudit cvs_t devtty_t:chr_file { read write };
-allow cvs_t default_t:dir search;
-allow cvs_t default_t:lnk_file read;
-
+# Allow kerberos to work
+allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
+dontaudit cvs_t krb5_conf_t:file write;

strict/domains/program/unused/ddclient.te

@@ -38,5 +38,7 @@ allow ddclient_t self:unix_stream_socket create_socket_perms;
 
 # allow access to ddclient.conf and ddclient.cache
 allow ddclient_t ddclient_etc_t:file r_file_perms;
-allow ddclient_t ddclient_var_t:dir rw_dir_perms;
-allow ddclient_t ddclient_var_t:file create_file_perms;
+file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)
+dontaudit ddclient_t devpts_t:dir search;
+dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
+dontaudit httpd_t selinux_config_t:dir search;

strict/domains/program/unused/dpkg.te

@@ -178,6 +178,9 @@ etcdir_domain(apt)
 type apt_rw_etc_t, file_type, sysadmfile;
 tmp_domain(apt, `', `{ dir file lnk_file }')
 can_exec(apt_t, apt_tmp_t)
+ifdef(`crond.te', `
+allow system_crond_t apt_etc_t:file { getattr read };
+')
 
 rw_dir_create_file(apt_t, apt_rw_etc_t)
 

strict/domains/program/unused/sxid.te

@@ -32,6 +32,7 @@ allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
 allow sxid_t ttyfile:chr_file getattr;
 allow sxid_t file_type:dir { getattr read search };
 allow sxid_t sysadmfile:file { getattr read };
+dontaudit sxid_t devpts_t:dir r_dir_perms;
 allow sxid_t fs_type:dir { getattr read search };
 
 # Use the network.

strict/domains/program/useradd.te

@@ -102,3 +102,4 @@ dontaudit groupadd_t initrc_var_run_t:file write;
 allow useradd_t default_context_t:dir search;
 allow useradd_t file_context_t:dir search;
 allow useradd_t file_context_t:file { getattr read };
+allow useradd_t var_lib_t:dir search;

strict/file_contexts/homedir_template

@@ -1,32 +0,0 @@
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each user's home directory,
-#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each user's role when role != user_r, and to "user" otherwise.
-HOME_ROOT		-d	system_u:object_r:home_root_t
-HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t
-HOME_DIR/.+			system_u:object_r:ROLE_home_t
-HOME_ROOT/\.journal		<<none>>
-HOME_ROOT/lost\+found(/.*)?	system_u:object_r:lost_found_t
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
-HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t
-HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_home_irc_t
-HOME_DIR/\.galeon(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/My.Downloads(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.java(/.*)?		system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.mplayer(/.*)?        system_u:object_r:ROLE_mplayer_home_t
-HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t
-HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_screen_ro_home_t
-HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_spamassassin_home_t
-HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t
-HOME_DIR/\.uml(/.*)?		system_u:object_r:ROLE_uml_rw_t
-HOME_DIR/\.vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/\.vmware[^/]*/.*\.cfg	--	system_u:object_r:ROLE_vmware_conf_t
-HOME_DIR/\.Xauthority.* --	system_u:object_r:ROLE_xauth_home_t
-HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t

strict/file_contexts/program/apache.fc

@@ -7,6 +7,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
 /var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t
 /var/www/icons(/.*)?		system_u:object_r:httpd_sys_content_t
 /var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t
+/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
+/var/cache/php-mmcache(/.*)?	system_u:object_r:httpd_cache_t
 /etc/httpd		-d	system_u:object_r:httpd_config_t
 /etc/httpd/conf.*		system_u:object_r:httpd_config_t
 /etc/httpd/logs			system_u:object_r:httpd_log_t
@@ -26,15 +28,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
 /var/log/cgiwrap\.log.*	--	system_u:object_r:httpd_log_t
 /var/cache/ssl.*\.sem	--	system_u:object_r:httpd_cache_t
 /var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t
-/var/run/apache(2)?\.pid.* --	system_u:object_r:httpd_var_run_t
+/var/run/apache.*		system_u:object_r:httpd_var_run_t
 /var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t
 /var/lib/php/session(/.*)?	system_u:object_r:httpd_var_run_t
 /etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t
 /usr/lib/apache-ssl/.+	 --	system_u:object_r:httpd_exec_t
 /usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t
 /var/log/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_log_t
-/var/run/apache-ssl(2)?\.pid.* -- system_u:object_r:httpd_var_run_t
 /var/run/gcache_port	-s	system_u:object_r:httpd_var_run_t
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)?		system_u:object_r:httpd_log_t
+')
 ifdef(`distro_suse', `
 # suse puts shell scripts there :-(
 /usr/share/apache2/[^/]*	--	system_u:object_r:bin_t

strict/file_contexts/program/auditd.fc

@@ -1,3 +1,8 @@
 # auditd
+/sbin/auditctl		--	system_u:object_r:auditctl_exec_t
 /sbin/auditd		--	system_u:object_r:auditd_exec_t
 /var/log/audit.log 	-- 	system_u:object_r:auditd_log_t
+/var/log/audit(/.*)?  	 	system_u:object_r:auditd_log_t
+/etc/auditd.conf	--	system_u:object_r:auditd_etc_t
+/etc/audit.rules	--	system_u:object_r:auditd_etc_t
+

strict/file_contexts/program/certwatch.fc

@@ -0,0 +1,3 @@
+# certwatch.fc
+/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t
+

strict/file_contexts/program/clamav.fc

@@ -12,4 +12,4 @@
 /var/run/clamd\.ctl	-s	system_u:object_r:clamd_sock_t
 /var/run/clamd\.pid	--	system_u:object_r:clamd_var_run_t
 /var/run/clamav(/.*)?		system_u:object_r:clamd_var_run_t
-/var/run/clamav/clamd.sock -s	system_u:object_r:clamd_sock_t
+/var/run/clamav/clamd\.sock -s	system_u:object_r:clamd_sock_t

strict/file_contexts/program/compat.fc

@@ -0,0 +1,62 @@
+ifdef(`setfiles.te', `', `
+# setfiles
+/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t
+')
+
+ifdef(`mount.te', `', `
+# mount
+/bin/mount.*			--	system_u:object_r:mount_exec_t
+/bin/umount.*			--	system_u:object_r:mount_exec_t
+')
+ifdef(`loadkeys.te', `', `
+# loadkeys
+/bin/unikeys		--	system_u:object_r:loadkeys_exec_t
+/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
+')
+ifdef(`dmesg.te', `', `
+# dmesg
+/bin/dmesg	--	system_u:object_r:dmesg_exec_t
+')
+ifdef(`fsadm.te', `', `
+# fs admin utilities
+/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
+/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
+/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
+/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t
+/sbin/e2label		--	system_u:object_r:fsadm_exec_t
+/sbin/findfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkswap		--	system_u:object_r:fsadm_exec_t
+/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t
+/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/fdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/parted		--	system_u:object_r:fsadm_exec_t
+/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
+/sbin/hdparm		--	system_u:object_r:fsadm_exec_t
+/sbin/raidstart		--	system_u:object_r:fsadm_exec_t
+/sbin/mkraid		--	system_u:object_r:fsadm_exec_t
+/sbin/blockdev		--	system_u:object_r:fsadm_exec_t
+/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
+/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
+/sbin/lsraid		--	system_u:object_r:fsadm_exec_t
+/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t
+/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t
+/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t
+/usr/bin/raw		--	system_u:object_r:fsadm_exec_t
+/sbin/partx		--	system_u:object_r:fsadm_exec_t
+/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
+/sbin/partprobe		--	system_u:object_r:fsadm_exec_t
+')
+ifdef(`kudzu.te', `', `
+# kudzu
+/usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
+/sbin/kmodule	--	system_u:object_r:kudzu_exec_t
+')

strict/file_contexts/program/crond.fc

@@ -9,7 +9,6 @@
 /var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t
 /var/spool/cron/root	--	system_u:object_r:sysadm_cron_spool_t
 /var/spool/cron/[^/]*	--	<<none>>
-/var/log/cron.*		--	system_u:object_r:crond_log_t
 /var/run/crond\.reboot	--	system_u:object_r:crond_var_run_t
 /var/run/crond?\.pid	--	system_u:object_r:crond_var_run_t
 # fcron
@@ -27,3 +26,9 @@
 /var/spool/at/spool	-d	system_u:object_r:cron_spool_t
 /var/spool/at/[^/]*	--	<<none>>
 /var/run/atd\.pid	--	system_u:object_r:crond_var_run_t
+ifdef(`distro_suse', `
+/usr/lib/cron/run-crons	--	system_u:object_r:bin_t
+/var/spool/cron/lastrun	-d	system_u:object_r:crond_tmp_t
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+/var/spool/cron/tabs	-d	system_u:object_r:cron_spool_t
+')

strict/file_contexts/program/cups.fc

@@ -5,6 +5,7 @@
 /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
 /etc/cups/client\.conf	--	system_u:object_r:etc_t
 /etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/classes\.conf.* --	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t

strict/file_contexts/program/dhcpd.fc

@@ -3,7 +3,7 @@
 /etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
 /usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t
 /var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
-/var/run/dhcpd\.pid	-d	system_u:object_r:dhcpd_var_run_t
+/var/run/dhcpd\.pid	--	system_u:object_r:dhcpd_var_run_t
 ifdef(`dhcp_defined', `', `
 /var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
 define(`dhcp_defined')

strict/file_contexts/program/fsadm.fc

@@ -37,3 +37,4 @@
 /sbin/partx		--	system_u:object_r:fsadm_exec_t
 /usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
 /sbin/partprobe		--	system_u:object_r:fsadm_exec_t
+/usr/bin/syslinux	--	system_u:object_r:fsadm_exec_t

strict/file_contexts/program/lvm.fc

@@ -12,7 +12,6 @@
 /etc/lvm/lock(/.*)?		system_u:object_r:lvm_lock_t
 /var/lock/lvm(/.*)?		system_u:object_r:lvm_lock_t
 /dev/lvm		-c	system_u:object_r:fixed_disk_device_t
-/dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t
 /dev/mapper/control	-c	system_u:object_r:lvm_control_t
 /lib/lvm-10(/.*)	--	system_u:object_r:lvm_exec_t
 /lib/lvm-200(/.*)	--	system_u:object_r:lvm_exec_t