final updates from nsa cvs

refpolicy/Changelog

@@ -5,9 +5,11 @@
 - Added policies:
 	ktalk
 	portmap
+	postgresql
 	samba
 	snmp
 	tftp
+	vpn
 	zebra
 
 * Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907

refpolicy/policy/global_tunables

@@ -46,6 +46,11 @@ gen_tunable(named_write_master_zones,false)
 ## Allow reading of default_t files.
 gen_tunable(read_default_t,false)
 
+## Allow applications to read untrusted content
+## If this is disallowed, Internet content has
+## to be manually relabeled for read access to be granted
+gen_tunable(read_untrusted_content,false)
+
 ## Allow ssh to run from inetd instead of as a daemon.
 gen_tunable(run_ssh_inetd,false)
 
@@ -97,3 +102,8 @@ gen_tunable(user_tcp_server,false)
 
 ## Allow w to display everyone
 gen_tunable(user_ttyfile_stat,false)
+
+## Allow applications to write untrusted content
+## If this is disallowed, no Internet content
+## will be stored.
+gen_tunable(write_untrusted_content,false)

refpolicy/policy/modules/admin/vpn.fc

@@ -0,0 +1,9 @@
+#
+# /usr
+#
+/usr/sbin/vpnc		--	context_template(system_u:object_r:vpnc_exec_t,s0)
+
+#
+# sbin
+#
+/sbin/vpnc		--	context_template(system_u:object_r:vpnc_exec_t,s0)

refpolicy/policy/modules/admin/vpn.if

@@ -0,0 +1,51 @@
+## <summary>Virtual Private Networking client</summary>
+
+########################################
+## <summary>
+##	Execute VPN clients in the vpnc domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`vpn_domtrans',`
+	gen_require(`
+		type vpnc_t, vpnc_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,vpnc_exec_t,vpnc_t)
+
+	allow $1 vpnc_t:fd use;
+	allow vpnc_t $1:fd use;
+	allow vpnc_t $1:fifo_file rw_file_perms;
+	allow vpnc_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute VPN clients in the vpnc domain, and
+##	allow the specified role the vpnc domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the vpnc domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the vpnc domain to use.
+## </param>
+#
+interface(`vpn_run',`
+	gen_require(`
+		type vpnc_t;
+		class chr_file rw_term_perms;
+	')
+
+	vpn_domtrans($1)
+	role $2 types vpnc_t;
+	allow vpnc_t $3:chr_file rw_term_perms;
+')

refpolicy/policy/modules/admin/vpn.te

@@ -0,0 +1,114 @@
+
+policy_module(vpnc,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type vpnc_t;
+domain_type(vpnc_t)
+
+type vpnc_exec_t;
+domain_entry_file(vpnc_t,vpnc_exec_t)
+
+type vpnc_tmp_t;
+files_tmp_file(vpnc_tmp_t)
+
+type vpnc_var_run_t;
+files_pid_file(vpnc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vpnc_t self:capability { net_admin ipc_lock net_raw };
+allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
+allow vpnc_t self:udp_socket create_socket_perms;
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
+# cjp: this needs to be fixed
+allow vpnc_t self:socket create_socket_perms;
+
+allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
+allow vpnc_t vpnc_tmp_t:file create_file_perms;
+files_create_tmp_files(vpnc_t, vpnc_tmp_t, { file dir })
+
+allow vpnc_t vpnc_var_run_t:file create_file_perms;
+allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
+files_create_pid(vpnc_t,vpnc_var_run_t)
+
+kernel_read_system_state(vpnc_t)
+kernel_read_network_state(vpnc_t)
+kernel_read_kernel_sysctl(vpnc_t)
+kernel_rw_net_sysctl(vpnc_t)
+
+corenet_tcp_sendrecv_all_if(vpnc_t)
+corenet_udp_sendrecv_all_if(vpnc_t)
+corenet_raw_sendrecv_all_if(vpnc_t)
+corenet_tcp_sendrecv_all_nodes(vpnc_t)
+corenet_udp_sendrecv_all_nodes(vpnc_t)
+corenet_raw_sendrecv_all_nodes(vpnc_t)
+corenet_tcp_sendrecv_all_ports(vpnc_t)
+corenet_udp_sendrecv_all_ports(vpnc_t)
+corenet_tcp_bind_all_nodes(vpnc_t)
+corenet_udp_bind_all_nodes(vpnc_t)
+corenet_udp_bind_generic_port(vpnc_t)
+corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_tcp_connect_all_ports(vpnc_t)
+corenet_use_tun_tap_device(vpnc_t)
+
+dev_read_rand(vpnc_t)
+dev_read_urand(vpnc_t)
+dev_read_sysfs(vpnc_t)
+
+fs_getattr_xattr_fs(vpnc_t)
+
+term_use_all_user_ptys(vpnc_t)
+term_use_all_user_ttys(vpnc_t)
+
+corecmd_exec_bin(vpnc_t)
+corecmd_exec_sbin(vpnc_t)
+corecmd_exec_shell(vpnc_t)
+
+domain_exec_all_entry_files(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_read_etc_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
+
+libs_exec_ld_so(vpnc_t)
+libs_exec_lib_files(vpnc_t)
+libs_use_ld_so(vpnc_t)
+libs_use_shared_libs(vpnc_t)
+
+miscfiles_read_localization(vpnc_t)
+
+seutil_dontaudit_search_config(vpnc_t)
+
+sysnet_exec_ifconfig(vpnc_t)
+sysnet_create_config(vpnc_t)
+sysnet_manage_config(vpnc_t)
+
+userdom_use_all_user_fd(vpnc_t)
+
+optional_policy(`mount.te',`
+        mount_send_nfs_client_request(vpnc_t)
+')
+
+optional_policy(`nis.te',`
+        nis_use_ypbind(vpnc_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(vpnc_t)
+')
+
+ifdef(`TODO',`
+dontaudit vpnc_t user_home_dir_type:dir search;
+')

refpolicy/policy/modules/apps/gpg.te

@@ -20,5 +20,7 @@ files_type(gpg_agent_exec_t)
 type pinentry_exec_t;
 files_type(pinentry_exec_t)
 
-#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
+ifdef(`TODO',`
-#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
+allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
+allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
+')

refpolicy/policy/modules/kernel/filesystem.if

@@ -472,6 +472,23 @@ interface(`fs_list_cifs',`
 	allow $1 cifs_t:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to list the contents
+##	of directories on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_list_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir r_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read files on a CIFS or SMB filesystem.
@@ -483,14 +500,29 @@ interface(`fs_list_cifs',`
 interface(`fs_read_cifs_files',`
 	gen_require(`
 		type cifs_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')
 
 	allow $1 cifs_t:dir r_dir_perms;
 	allow $1 cifs_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_read_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or
@@ -503,7 +535,6 @@ interface(`fs_read_cifs_files',`
 interface(`fs_dontaudit_rw_cifs_files',`
 	gen_require(`
 		type cifs_t;
-		class file { read write };
 	')
 
 	dontaudit $1 cifs_t:file { read write };
@@ -578,10 +609,27 @@ interface(`fs_read_cifs_files',`
 interface(`fs_manage_cifs_dirs',`
 	gen_require(`
 		type cifs_t;
-		class dir create_dir_perms;
 	')
 
-	allow $1 cifs_t:dir create_file_perms;
+	allow $1 cifs_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain managing the directories.
+## </param>
+#
+interface(`fs_dontaudit_manage_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir create_dir_perms;
 ')
 
 ########################################
@@ -604,6 +652,24 @@ interface(`fs_manage_cifs_files',`
 	allow $1 cifs_t:file create_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete files
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_manage_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:file create_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links
@@ -959,6 +1025,23 @@ interface(`fs_search_nfs',`
 	allow $1 nfs_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to list the contents
+##	of directories on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_list_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:dir r_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read files on a NFS filesystem.
@@ -978,6 +1061,23 @@ interface(`fs_read_nfs_files',`
 	allow $1 nfs_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_read_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute files on a NFS filesystem.
@@ -1008,7 +1108,6 @@ interface(`fs_execute_nfs_files',`
 interface(`fs_dontaudit_rw_nfs_files',`
 	gen_require(`
 		type nfs_t;
-		class file { read write };
 	')
 
 	dontaudit $1 nfs_t:file { read write };
@@ -1051,6 +1150,24 @@ interface(`fs_manage_nfs_dirs',`
 	allow $1 nfs_t:dir create_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_manage_nfs_dirs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:dir create_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
@@ -1071,6 +1188,24 @@ interface(`fs_manage_nfs_files',`
 	allow $1 nfs_t:file create_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_manage_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:file create_file_perms;
+')
+
 #########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links
@@ -1984,6 +2119,23 @@ interface(`fs_relabelfrom_all_fs',`
 	allow $1 filesystem_type:filesystem relabelfrom;
 ')
 
+########################################
+## <summary>
+##	Search all directories with a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_search_all',`
+	gen_require(`
+		attribute filesystem_type;
+		class dir { getattr search };
+	')
+
+	allow $1 filesystem_type:dir { getattr search };
+')
+
 ########################################
 ## <summary>
 ##	List all directories with a filesystem type.
@@ -2001,7 +2153,6 @@ interface(`fs_list_all',`
 	allow $1 filesystem_type:dir r_dir_perms;
 ')
 
-
 ########################################
 #
 # fs_getattr_all_files(type)

refpolicy/policy/modules/kernel/filesystem.te

@@ -44,9 +44,6 @@ type binfmt_misc_fs_t, filesystem_type;
 files_mountpoint(binfmt_misc_fs_t)
 genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
 
-type debugfs_t, filesystem_type;
-allow debugfs_t self:filesystem associate;
-
 type eventpollfs_t, filesystem_type;
 genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
 

refpolicy/policy/modules/kernel/kernel.if

@@ -343,6 +343,86 @@ interface(`kernel_get_sysvipc_info',`
 	allow $1 kernel_t:system ipc_info;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_getattr_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Mount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain mounting the filesystem.
+## </param>
+#
+interface(`kernel_mount_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Unmount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain unmounting the filesystem.
+## </param>
+#
+interface(`kernel_unmount_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Remount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain remounting the filesystem.
+## </param>
+#
+interface(`kernel_remount_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Search the contents of a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_search_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the proc filesystem.

refpolicy/policy/modules/kernel/kernel.te

@@ -30,6 +30,15 @@ role system_r types kernel_t;
 domain_base_type(kernel_t)
 sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
 
+#
+# DebugFS
+#
+
+type debugfs_t;
+fs_type(debugfs_t)
+allow debugfs_t self:filesystem associate;
+genfscon debugfs / context_template(system_u:object_r:debugfs_t,s0)
+
 #
 # Procfs types
 #

refpolicy/policy/modules/services/cron.te

@@ -152,6 +152,11 @@ optional_policy(`rpm.te',`
 	rpm_read_pipe(crond_t)
 ')
 
+optional_policy(`postgresql.te', `
+	# allow crond to find /usr/lib/postgresql/bin/do.maintenance
+	postgresql_search_db_dir(crond_t)
+')
+
 optional_policy(`udev.te', `
 	udev_read_db(crond_t)
 ')

refpolicy/policy/modules/services/dbus.te

@@ -1,6 +1,10 @@
 
 policy_module(dbus,1.0)
 
+gen_require(`
+	class dbus { send_msg acquire_svc };
+')
+
 ##############################
 #
 # Delcarations
@@ -29,8 +33,9 @@ files_pid_file(system_dbusd_var_run_t)
 allow system_dbusd_t self:capability { dac_override setgid setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process getattr;
+allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
 # Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
@@ -75,6 +80,7 @@ corecmd_read_sbin_symlink(system_dbusd_t)
 corecmd_read_sbin_file(system_dbusd_t)
 corecmd_read_sbin_pipe(system_dbusd_t)
 corecmd_read_sbin_socket(system_dbusd_t)
+corecmd_exec_sbin(system_dbusd_t)
 
 domain_use_wide_inherit_fd(system_dbusd_t)
 

refpolicy/policy/modules/services/hal.te

@@ -16,6 +16,11 @@ files_tmp_file(hald_tmp_t)
 type hald_var_run_t;
 files_pid_file(hald_var_run_t)
 
+########################################
+#
+# Local policy
+#
+
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:fifo_file rw_file_perms;
@@ -46,15 +51,17 @@ corenet_tcp_sendrecv_all_ports(hald_t)
 corenet_tcp_bind_all_nodes(hald_t)
 
 dev_read_sysfs(hald_t)
-dev_read_usbfs(hald_t)
+dev_rw_usbfs(hald_t)
 dev_read_urand(hald_t)
 dev_read_input(hald_t)
 dev_read_mouse(hald_t)
 dev_rw_printer(hald_t)
+dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_file(hald_t)
 
 fs_getattr_all_fs(hald_t)
+fs_search_all(hald_t)
 fs_search_auto_mountpoints(hald_t)
 
 selinux_get_fs_mount(hald_t)
@@ -120,6 +127,10 @@ optional_policy(`hotplug.te',`
 	hotplug_read_config(hald_t)
 ')
 
+optional_policy(`mount.te',`
+	mount_domtrans(hald_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(hald_t)
 ')
@@ -164,4 +175,18 @@ allow udev_t hald_t:unix_dgram_socket sendto;
 
 allow hald_t initrc_t:dbus send_msg;
 allow initrc_t hald_t:dbus send_msg;
+
+# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/libexec/hald-probe-smbios
+domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
+
+ifdef(`targeted_policy', `
+allow unconfined_t hald_t:dbus send_msg;
+allow hald_t unconfined_t:dbus send_msg;
+')
 ') dnl end TODO

refpolicy/policy/modules/services/postgresql.fc

@@ -0,0 +1,36 @@
+#
+# /etc
+#
+/etc/postgresql(/.*)?			context_template(system_u:object_r:postgresql_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/initdb			--	context_template(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/postgres		--	context_template(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib/pgsql/test/regres(/.*)?	context_template(system_u:object_r:postgresql_db_t,s0)
+/usr/lib/pgsql/test/regress/pg_regress -- context_template(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib(64)?/postgresql/bin/.* --	context_template(system_u:object_r:postgresql_exec_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)?		context_template(system_u:object_r:postgresql_db_t,s0)
+')
+
+#
+# /var
+#
+/var/lib/postgres(ql)?(/.*)? 		context_template(system_u:object_r:postgresql_db_t,s0)
+
+/var/lib/pgsql/data(/.*)?		context_template(system_u:object_r:postgresql_db_t,s0)
+/var/lib/pgsql/pgstartup.log		context_template(system_u:object_r:postgresql_log_t,s0)
+
+/var/log/postgres\.log.* 	--	context_template(system_u:object_r:postgresql_log_t,s0)
+/var/log/postgresql(/.*)?		context_template(system_u:object_r:postgresql_log_t,s0)
+
+ifdef(`distro_redhat', `
+/var/log/rhdb/rhdb(/.*)?		context_template(system_u:object_r:postgresql_log_t,s0)
+')
+
+/var/run/postgresql(/.*)?		context_template(system_u:object_r:postgresql_var_run_t,s0)

refpolicy/policy/modules/services/postgresql.if

@@ -0,0 +1,110 @@
+## <summary>PostgreSQL relational database</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to search postgresql's database directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postgresql_search_db_dir',`
+	gen_require(`
+		type postgresql_db_t;
+	')
+
+	allow $1 postgresql_db_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage postgresql's database.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+interface(`postgresql_manage_db',`
+	gen_require(`
+		type postgresql_db_t;
+	')
+
+	allow $1 postgresql_db_t:dir rw_dir_perms;
+	allow $1 postgresql_db_t:file rw_file_perms;
+	allow $1 postgresql_db_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Execute postgresql in the postgresql domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`postgresql_domtrans',`
+	gen_require(`
+		type postgresql_t, postgresql_exec_t;
+	')
+
+	domain_auto_trans($1,postgresql_exec_t,postgresql_t)
+
+	allow $1 postgresql_t:fd use;
+	allow postgresql_t $1:fd use;
+	allow postgresql_t $1:fifo_file rw_file_perms;
+	allow postgresql_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read postgresql's etc.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postgresql_read_config',`
+	gen_require(`
+		type postgresql_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 postgresql_etc_t:dir { getattr read search };
+	allow $1 postgresql_etc_t:file { read getattr };
+	allow $1 postgresql_etc_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to postgresql with a tcp socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postgresql_tcp_connect',`
+	gen_require(`
+		type postgresql_t;
+	')
+
+	kernel_tcp_recvfrom($1)
+	allow $1 postgresql_t:tcp_socket { connectto recvfrom };
+	allow postgresql_t $1:tcp_socket { acceptfrom recvfrom };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to postgresql with a unix socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postgresql_unix_connect',`
+	gen_require(`
+		type postgresql_t, postgresql_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 postgresql_t:unix_stream_socket connectto;
+	allow $1 postgresql_var_run_t:sock_file write;
+')

refpolicy/policy/modules/services/postgresql.te

@@ -0,0 +1,223 @@
+
+policy_module(postgresql,1.0)
+
+#################################
+#
+# Declarations
+#
+type postgresql_t;
+type postgresql_exec_t;
+init_daemon_domain(postgresql_t,postgresql_exec_t)
+
+type postgresql_db_t;
+files_type(postgresql_db_t)
+
+type postgresql_etc_t; #, usercanread;
+files_type(postgresql_etc_t)
+
+type postgresql_lock_t;
+files_lock_file(postgresql_lock_t)
+
+type postgresql_log_t;
+logging_log_file(postgresql_log_t)
+
+type postgresql_tmp_t;
+files_tmp_file(postgresql_tmp_t)
+
+type postgresql_var_run_t;
+files_pid_file(postgresql_var_run_t)
+
+########################################
+#
+# postgresql Local policy
+#
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+allow postgresql_t self:fifo_file { getattr read write ioctl };
+allow postgresql_t self:file { getattr read };
+allow postgresql_t self:sem create_sem_perms;
+allow postgresql_t self:shm create_shm_perms;
+allow postgresql_t self:tcp_socket create_stream_socket_perms;
+allow postgresql_t self:udp_socket create_stream_socket_perms;
+allow postgresql_t self:unix_dgram_socket create_socket_perms;
+allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
+
+allow postgresql_t postgresql_db_t:dir create_dir_perms;
+allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
+allow postgresql_t postgresql_db_t:file create_file_perms;
+allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
+allow postgresql_t postgresql_db_t:sock_file create_file_perms;
+files_create_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
+
+allow postgresql_t postgresql_etc_t:dir r_dir_perms;
+allow postgresql_t postgresql_etc_t:file r_file_perms;
+allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
+
+allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+can_exec(postgresql_t, postgresql_exec_t )
+
+allow postgresql_t postgresql_lock_t:file create_file_perms;
+files_create_lock(postgresql_t,postgresql_lock_t)
+
+allow postgresql_t postgresql_log_t:dir rw_dir_perms;
+allow postgresql_t postgresql_log_t:file create_file_perms;
+logging_create_log(postgresql_t,postgresql_log_t,{ file dir })
+
+allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
+allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
+allow postgresql_t postgresql_tmp_t:file create_file_perms;
+allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
+allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
+files_create_tmp_files(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+fs_create_tmpfs_data(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
+allow postgresql_t postgresql_var_run_t:file create_file_perms;
+allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
+files_create_pid(postgresql_t,postgresql_var_run_t)
+
+kernel_read_kernel_sysctl(postgresql_t)
+kernel_read_system_state(postgresql_t)
+kernel_list_proc(postgresql_t)
+kernel_read_all_sysctl(postgresql_t)
+kernel_read_proc_symlinks(postgresql_t)
+kernel_tcp_recvfrom(postgresql_t)
+
+corenet_tcp_sendrecv_all_if(postgresql_t)
+corenet_udp_sendrecv_all_if(postgresql_t)
+corenet_raw_sendrecv_all_if(postgresql_t)
+corenet_tcp_sendrecv_all_nodes(postgresql_t)
+corenet_udp_sendrecv_all_nodes(postgresql_t)
+corenet_raw_sendrecv_all_nodes(postgresql_t)
+corenet_tcp_sendrecv_all_ports(postgresql_t)
+corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_tcp_bind_all_nodes(postgresql_t)
+corenet_udp_bind_all_nodes(postgresql_t)
+corenet_tcp_bind_postgresql_port(postgresql_t)
+corenet_tcp_connect_auth_port(postgresql_t)
+
+dev_read_sysfs(postgresql_t)
+dev_read_urand(postgresql_t)
+
+fs_getattr_all_fs(postgresql_t)
+fs_search_auto_mountpoints(postgresql_t)
+
+term_use_controlling_term(postgresql_t)
+term_dontaudit_use_console(postgresql_t)
+
+corecmd_exec_bin(postgresql_t)
+corecmd_exec_ls(postgresql_t)
+corecmd_exec_sbin(postgresql_t)
+corecmd_exec_shell(postgresql_t)
+
+domain_dontaudit_list_all_domains_proc(postgresql_t)
+domain_use_wide_inherit_fd(postgresql_t)
+
+files_dontaudit_search_home(postgresql_t)
+files_manage_etc_files(postgresql_t)
+files_search_etc(postgresql_t)
+files_read_etc_runtime_files(postgresql_t)
+files_read_usr_files(postgresql_t)
+
+init_read_script_pid(postgresql_t)
+init_use_fd(postgresql_t)
+init_use_script_pty(postgresql_t)
+
+libs_use_ld_so(postgresql_t)
+libs_use_shared_libs(postgresql_t)
+
+logging_send_syslog_msg(postgresql_t)
+
+miscfiles_read_localization(postgresql_t)
+
+seutil_dontaudit_search_config(postgresql_t)
+
+sysnet_read_config(postgresql_t)
+
+userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
+userdom_dontaudit_use_sysadm_tty(postgresql_t)
+userdom_dontaudit_use_unpriv_user_fd(postgresql_t)
+
+mta_getattr_spool(postgresql_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_file(postgresql_t)
+	term_dontaudit_use_generic_pty(postgresql_t)
+	term_dontaudit_use_unallocated_tty(postgresql_t)
+')
+
+tunable_policy(`allow_execmem',`
+	allow postgresql_t self:process execmem;
+')
+
+optional_policy(`consoletype.te', `
+	consoletype_exec(postgresql_t)
+')
+
+optional_policy(`cron.te',`
+	cron_search_spool(postgresql_t)
+	cron_system_entry(postgresql_t,postgresql_exec_t)
+')
+
+optional_policy(`hostname.te', `
+	hostname_exec(postgresql_t)
+')
+
+optional_policy(`kerberos.te',`
+	kerberos_use(postgresql_t)
+')
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(postgresql_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(postgresql_t)
+')
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(postgresql_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(postgresql_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(postgresql_t)
+')
+
+ifdef(`TODO',`
+ifdef(`targeted_policy', `', `
+bool allow_user_postgresql_connect false;
+
+if (allow_user_postgresql_connect) {
+# allow any user domain to connect to the database server
+can_tcp_connect(userdomain, postgresql_t)
+allow userdomain postgresql_t:unix_stream_socket connectto;
+allow userdomain postgresql_var_run_t:sock_file write;
+allow userdomain postgresql_tmp_t:sock_file write;
+}
+')
+ifdef(`distro_debian', `
+	init_exec_script(postgresql_t)
+	# gross hack
+	postgresql_domtrans(dpkg_t)
+	can_exec(postgresql_t, dpkg_exec_t)
+')
+
+ifdef(`distro_gentoo', `
+	allow postgresql_t initrc_su_t:process { sigchld };
+	# "su - postgres ..." is called from initrc_t
+	postgresql_search_db_dir(initrc_su_t)
+	dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
+')
+
+# Goes to apache.te:
+# Allow httpd to work with postgresql
+optional_policy(`postgresql.te', ` 
+	# Original policy had apache connecting to postgresql_tmp_t:sock_file
+	# instead of what is assumed to be correct: postgresql_var_run_t. -Don
+	postgresql_unix_connect(httpd_t)
+')
+')

refpolicy/policy/modules/system/authlogin.if

@@ -600,6 +600,25 @@ interface(`auth_manage_pam_console_data',`
 	allow $1 pam_var_console_t:lnk_file create_lnk_perms;
 ')
 
+#######################################
+## <summary>
+##	Delete pam_console data.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_delete_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir rw_dir_perms;
+	allow $1 pam_var_console_t:file unlink;
+')
+
 ########################################
 ## <summary>
 ##	Relabel all files on the filesystem, except

refpolicy/policy/modules/system/corecommands.fc

@@ -69,6 +69,8 @@ ifdef(`distro_suse', `
 /usr/lib/cron/run-crons	--	context_template(system_u:object_r:bin_t,s0)
 ')
 
+/usr/lib/pgsql/test/regress/.*\.sh -- context_template(system_u:object_r:bin_t,s0)
+
 /usr/lib(64)?/sftp-server --	context_template(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/emacsen-common/.*	context_template(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/ipsec/.*	--	context_template(system_u:object_r:sbin_t,s0)

refpolicy/policy/modules/system/files.if

@@ -72,6 +72,85 @@ interface(`files_pid_file',`
 	typeattribute $1 pidfile;
 ')
 
+########################################
+## <summary>
+##	Make the specified type a 
+##	polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	polyinstantiated directory.
+## </param>
+#
+interface(`files_poly',`
+	gen_require(`
+		attribute polydir;
+	')
+
+	files_type($1)
+	typeattribute $1 polydir;
+')
+
+########################################
+## <summary>
+##	Make the specified type a parent
+##	of a polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	parent directory.
+## </param>
+#
+interface(`files_poly_parent',`
+	gen_require(`
+		attribute polyparent;
+	')
+
+	files_type($1)
+	typeattribute $1 polyparent;
+')
+
+########################################
+## <summary>
+##	Make the specified type a
+##	polyinstantiation member directory.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	member directory.
+## </param>
+#
+interface(`files_poly_member',`
+	gen_require(`
+		attribute polymember;
+	')
+
+	files_type($1)
+	typeattribute $1 polymember;
+')
+
+########################################
+## <summary>
+##	Make the domain use the specified
+##	type of polyinstantiated directory.
+## </summary>
+## <param name="domain">
+##	Domain using the polyinstantiated
+##	directory.
+## </param>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	member directory.
+## </param>
+#
+interface(`files_poly_member_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	type_member $1 tmp_t:dir $2;
+')
+
 ########################################
 ## <summary>
 ##	Make the specified type a file
@@ -81,14 +160,18 @@ interface(`files_pid_file',`
 ##	Type of the file to be used as a
 ##	temporary file.
 ## </param>
+#
 interface(`files_tmp_file',`
 	gen_require(`
 		attribute tmpfile;
+		type tmp_t;
 	')
 
 	files_type($1)
+	files_poly_member($1)
 	fs_associate_tmpfs($1)
 	typeattribute $1 tmpfile;
+	allow $1 tmp_t:filesystem associate;
 ')
 
 ########################################
@@ -648,7 +731,6 @@ interface(`files_unmount_rootfs',`
 interface(`files_dontaudit_getattr_default_dir',`
 	gen_require(`
 		type default_t;
-		class dir getattr;
 	')
 
 	dontaudit $1 default_t:dir getattr;
@@ -665,12 +747,28 @@ interface(`files_dontaudit_getattr_default_dir',`
 interface(`files_list_default',`
 	gen_require(`
 		type default_t;
-		class dir r_dir_perms;
 	')
 
 	allow $1 default_t:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to list contents of
+##	directories with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_list_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:dir r_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on a directory with the default file type.
@@ -682,7 +780,6 @@ interface(`files_list_default',`
 interface(`files_mounton_default',`
 	gen_require(`
 		type default_t;
-		class dir { getattr search mounton };
 	')
 
 	allow $1 default_t:dir { getattr search mounton };
@@ -716,12 +813,28 @@ interface(`files_dontaudit_getattr_default_files',`
 interface(`files_read_default_files',`
 	gen_require(`
 		type default_t;
-		class file r_file_perms;
 	')
 
 	allow $1 default_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read files
+##	with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_read_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links with the default file type.
@@ -1531,6 +1644,24 @@ interface(`files_read_world_readable_sockets',`
 	allow $1 readable_t:sock_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified type to associate
+##	to a filesystem with the type of the
+##	temporary directory (/tmp).
+## </summary>
+## <param name="file_type">
+##	Type of the file to associate.
+## </param>
+#
+interface(`files_associate_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:filesystem associate;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the
@@ -2322,6 +2453,20 @@ interface(`files_delete_all_pids',`
 	allow $1 pidfile:sock_file { getattr unlink };
 ')
 
+########################################
+#
+# files_delete_all_pid_dirs(domain)
+#
+interface(`files_delete_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+		type var_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 pidfile:dir { rw_dir_perms rmdir };
+')
+
 ########################################
 #
 # files_search_spool(domain)

refpolicy/policy/modules/system/files.te

@@ -10,6 +10,18 @@ attribute file_type;
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
+
+# For labeling types that are to be polyinstantiated
+attribute polydir;
+
+# And for labeling the parent directories of those polyinstantiated directories
+# This is necessary for remounting the original in the parent to give
+# security aware apps access
+attribute polyparent;
+
+# And labeling for the member directories
+attribute polymember;
+
 attribute tmpfile;
 attribute tmpfsfile;
 

refpolicy/policy/modules/system/fstools.te

@@ -55,6 +55,7 @@ kernel_getattr_proc(fsadm_t)
 kernel_rw_unlabeled_dir(fsadm_t)
 kernel_use_unlabeled_blk_dev(fsadm_t)
 
+dev_getattr_all_chr_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
 dev_read_rand(fsadm_t)
 dev_read_urand(fsadm_t)
@@ -145,5 +146,7 @@ optional_policy(`nis.te',`
 ')
 
 ifdef(`TODO',`
+allow fsadm_t tmpfs_t:file { read write };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 ') dnl end TODO

refpolicy/policy/modules/system/hostname.te

@@ -21,7 +21,6 @@ allow hostname_t self:process { sigchld sigkill sigstop signull signal };
 allow hostname_t self:capability sys_admin;
 dontaudit hostname_t self:capability sys_tty_config;
 
-kernel_read_kernel_sysctl(hostname_t)
 kernel_dontaudit_use_fd(hostname_t)
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
@@ -84,9 +83,3 @@ optional_policy(`udev.te',`
 	udev_dontaudit_use_fd(hostname_t)
 	udev_read_db(hostname_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb.te', `
-rhgb_domain(hostname_t)
-')
-') dnl end TODO

refpolicy/policy/modules/system/init.te

@@ -51,15 +51,15 @@ type initrc_devpts_t;
 term_pty(initrc_devpts_t)
 files_type(initrc_devpts_t)
 
-type initrc_var_run_t;
-files_pid_file(initrc_var_run_t)
-
 type initrc_state_t;
 files_type(initrc_state_t)
 
 type initrc_tmp_t;
 files_tmp_file(initrc_tmp_t)
 
+type initrc_var_run_t;
+files_pid_file(initrc_var_run_t)
+
 ########################################
 #
 # Init local policy
@@ -263,7 +263,7 @@ auth_rw_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
 auth_delete_pam_pid(initrc_t)
-auth_list_pam_console_data(initrc_t)
+auth_delete_pam_console_data(initrc_t)
 
 corecmd_exec_bin(initrc_t)
 corecmd_exec_sbin(initrc_t)
@@ -297,6 +297,7 @@ files_purge_tmp(initrc_t)
 files_delete_all_locks(initrc_t)
 files_read_all_pids(initrc_t)
 files_delete_all_pids(initrc_t)
+files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
 files_manage_etc_runtime_files(initrc_t)
 files_manage_generic_locks(initrc_t)
@@ -477,6 +478,11 @@ optional_policy(`raid.te',`
 	raid_manage_mdadm_pid(initrc_t)
 ')
 
+optional_policy(`postgresql.te',`
+	postgresql_manage_db(initrc_t)
+	postgresql_read_config(initrc_t)
+')
+
 optional_policy(`quota.te',`
 	quota_manage_flags(initrc_t)
 ')
@@ -535,6 +541,14 @@ ifdef(`TODO',`
 allow initrc_t xconsole_device_t:fifo_file setattr;
 
 allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow initrc_t system_dbusd_t:unix_stream_socket connectto;
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+
+# rhgb-console writes to ramfs
+allow initrc_t ramfs_t:fifo_file write;
+
+# during boot up initrc needs to do the following
+allow initrc_t default_t:dir write;
 
 #
 #  These rules are here to allow init scripts to su

refpolicy/policy/modules/system/libraries.fc

@@ -26,10 +26,6 @@
 #
 # /usr
 #
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* --	context_template(system_u:object_r:texrel_shlib_t,s0)
-
-/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
-
 /usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	context_template(system_u:object_r:texrel_shlib_t,s0)
 
 /usr(/.*)?/java/.*\.so(\.[^/]*)*	--	context_template(system_u:object_r:texrel_shlib_t,s0)
@@ -43,8 +39,14 @@
 
 /usr(/.*)?/nvidia/.*\.so(\..*)?		--	context_template(system_u:object_r:texrel_shlib_t,s0)
 
+/usr/lib/pgsql/test/regress/.*\.so 	--	context_template(system_u:object_r:shlib_t,s0)
+
 /usr/lib/win32/.*			--	context_template(system_u:object_r:shlib_t,s0)
 
+/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* --	context_template(system_u:object_r:texrel_shlib_t,s0)
+
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
+
 /usr/(local/)?lib/wine/.*\.so  		--	context_template(system_u:object_r:texrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	context_template(system_u:object_r:texrel_shlib_t,s0)
 /usr/local/.*\.so(\.[^/]*)*		--	context_template(system_u:object_r:shlib_t,s0)

refpolicy/policy/modules/system/logging.if

@@ -15,6 +15,7 @@ interface(`logging_log_file',`
 	')
 
 	files_type($1)
+	files_associate_tmp($1)
 	fs_associate_tmpfs($1)
 	typeattribute $1 logfile;
 ')

refpolicy/policy/modules/system/logging.te

@@ -51,6 +51,7 @@ files_pid_file(syslogd_var_run_t)
 
 type var_log_t, logfile;
 files_type(var_log_t)
+files_associate_tmp(var_log_t)
 
 ########################################
 #

refpolicy/policy/modules/system/lvm.te

@@ -30,6 +30,9 @@ files_lock_file(lvm_lock_t)
 type lvm_metadata_t;
 files_type(lvm_metadata_t)
 
+type lvm_var_run_t;
+files_pid_file(lvm_var_run_t)
+
 type lvm_tmp_t;
 files_tmp_file(lvm_tmp_t)
 
@@ -148,6 +151,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms;
 allow lvm_t lvm_lock_t:file create_file_perms;
 files_create_lock(lvm_t,lvm_lock_t)
 
+allow lvm_t lvm_var_run_t:file create_file_perms;
+allow lvm_t lvm_var_run_t:dir create_dir_perms;
+files_create_pid(lvm_t,lvm_var_run_t)
+
 allow lvm_t lvm_etc_t:file r_file_perms;
 allow lvm_t lvm_etc_t:lnk_file r_file_perms;
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
@@ -213,7 +220,6 @@ domain_use_wide_inherit_fd(lvm_t)
 
 files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
-files_dontaudit_getattr_pid_dir(lvm_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dir(lvm_t)
 
@@ -258,6 +264,10 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
+# it has no reason to need this
+allow lvm_t var_t:dir { search getattr };
+allow lvm_t ramfs_t:filesystem unmount;
+
 optional_policy(`gnome-pty-helper.te', `
 	allow lvm_t sysadm_gph_t:fd use;
 ')

refpolicy/policy/modules/system/modutils.te

@@ -51,6 +51,8 @@ can_exec(insmod_t, insmod_exec_t)
 
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
+kernel_mount_debugfs(insmod_t)
+kernel_search_debugfs(insmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctl(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
@@ -128,6 +130,7 @@ optional_policy(`rpm.te',`
 ')
 
 ifdef(`TODO',`
+allow insmod_t proc_t:file rw_file_perms;
 optional_policy(`xserver.te',`
 	xserver_getattr_log(insmod_t)
 	allow insmod_t xserver_misc_device_t:chr_file { read write };
@@ -182,6 +185,7 @@ optional_policy(`rpm.te',`
 ')
 
 ifdef(`TODO',`
+allow depmod_t modules_object_t:file unlink;
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 ') dnl end ifdef TODO
 

refpolicy/policy/modules/system/pcmcia.te

@@ -140,6 +140,10 @@ optional_policy(`udev.te', `
 ifdef(`TODO',`
 allow cardmgr_t modules_object_t:dir search;
 
+ifdef(`dhcpc.te',`
+allow cardmgr_t dhcpc_var_run_t:file unlink;
+')
+
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
 file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })

refpolicy/policy/modules/system/sysnetwork.if

@@ -25,6 +25,31 @@ interface(`sysnet_domtrans_dhcpc',`
 	allow dhcpc_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Execute DHCP clients in the dhcpc domain, and
+##	allow the specified role the dhcpc domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the clock domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the clock domain to use.
+## </param>
+#
+interface(`sysnet_run_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	sysnet_domtrans_dhcpc($1)
+	role $2 types dhcpc_t;
+	allow dhcpc_t $3:chr_file { getattr read write ioctl };
+')
+
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to the dhcp client.
@@ -227,9 +252,6 @@ interface(`sysnet_read_dhcpc_pid',`
 interface(`sysnet_domtrans_ifconfig',`
 	gen_require(`
 		type ifconfig_t, ifconfig_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	corecmd_search_sbin($1)
@@ -260,7 +282,6 @@ interface(`sysnet_domtrans_ifconfig',`
 interface(`sysnet_run_ifconfig',`
 	gen_require(`
 		type ifconfig_t;
-		class chr_file rw_term_perms;
 	')
 
 	corecmd_search_sbin($1)
@@ -269,6 +290,23 @@ interface(`sysnet_run_ifconfig',`
 	allow ifconfig_t $3:chr_file rw_term_perms;
 ')
 
+#######################################
+## <summary>
+##	Execute ifconfig in the caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_exec_ifconfig',`
+	gen_require(`
+		type ifconfig_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,ifconfig_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the DHCP configuration files.
@@ -280,8 +318,6 @@ interface(`sysnet_run_ifconfig',`
 interface(`sysnet_read_dhcp_config',`
 	gen_require(`
 		type dhcp_etc_t;
-		class dir search;
-		class file { getattr read };
 	')
 
 	files_search_etc($1)

refpolicy/policy/modules/system/sysnetwork.te

@@ -112,6 +112,7 @@ term_dontaudit_use_console(dhcpc_t)
 term_dontaudit_use_all_user_ttys(dhcpc_t)
 term_dontaudit_use_all_user_ptys(dhcpc_t)
 term_dontaudit_use_unallocated_tty(dhcpc_t)
+term_dontaudit_use_generic_pty(dhcpc_t)
 
 corecmd_exec_bin(dhcpc_t)
 corecmd_exec_sbin(dhcpc_t)
@@ -209,6 +210,27 @@ optional_policy(`userdomain.te',`
 ')
 
 ifdef(`TODO',`
+ifdef(`cardmgr.te',`
+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
+')
+
+ifdef(`ypbind.te',`
+allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
+')
+
+ifdef(`dbusd.te', `
+dbusd_client(system, dhcpc)
+domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
+allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow dhcpc_t self:dbus send_msg;
+allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
+allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
+ifdef(`unconfined.te', `
+allow unconfined_t dhcpc_t:dbus send_msg;
+allow dhcpc_t unconfined_t:dbus send_msg;
+')dnl end ifdef unconfined.te
+')
+
 optional_policy(`rhgb.te',`
 rhgb_domain(dhcpc_t)
 ')

refpolicy/policy/modules/system/userdomain.if

@@ -41,11 +41,13 @@ template(`base_user_template',`
 	# type for contents of home directory
 	type $1_home_t, $1_file_type, home_type;
 	files_type($1_home_t)
+	files_associate_tmp($1_home_t)
 	fs_associate_tmpfs($1_home_t)
 
 	# type of home directory
 	type $1_home_dir_t, home_dir_type, home_type;
 	files_type($1_home_dir_t)
+	files_associate_tmp($1_home_dir_t)
 	fs_associate_tmpfs($1_home_dir_t)
 
 	type $1_tmp_t, $1_file_type;
@@ -54,6 +56,14 @@ template(`base_user_template',`
 	type $1_tmpfs_t;
 	files_tmpfs_file($1_tmpfs_t)
 
+	# types for network-obtained content
+	type $1_untrusted_content_t, $1_file_type; #, customizable
+	files_type($1_untrusted_content_t)
+	files_poly_member($1_untrusted_content_t)
+
+	type $1_untrusted_content_tmp_t, $1_file_type; # customizable
+	files_tmp_file($1_untrusted_content_tmp_t)
+
 	type $1_tty_device_t; 
 	term_tty($1_t,$1_tty_device_t)
 
@@ -77,8 +87,7 @@ template(`base_user_template',`
 	allow $1_t self:msgq create_msgq_perms;
 	allow $1_t self:msg { send receive };
 	dontaudit $1_t self:socket create;
-	# Irrelevant until we have labeled networking.
+	allow $1_t self:udp_socket { sendto recvfrom };
-	#allow $1_t self:udp_socket { sendto recvfrom };
 
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
@@ -93,11 +102,19 @@ template(`base_user_template',`
 	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
 	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
 	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_dir_t:dir create_dir_perms;
+	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
 	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
 
 	can_exec($1_t,$1_tmp_t)
 
+	# user temporary files
+	allow $1_t $1_tmp_t:file create_file_perms;
+	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+	allow $1_t $1_tmp_t:dir create_dir_perms;
+	allow $1_t $1_tmp_t:sock_file create_file_perms;
+	allow $1_t $1_tmp_t:fifo_file create_file_perms;
+	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
+
 	# Bind to a Unix domain socket in /tmp.
 	# cjp: this is combination is not checked and should be removed
 	allow $1_t $1_tmp_t:unix_stream_socket name_bind;
@@ -111,6 +128,10 @@ template(`base_user_template',`
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
 
+	# Allow user to relabel untrusted content
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
 	allow $1_t unpriv_userdomain:fd use;
 
 	# Instantiate derived domains for a number of programs.
@@ -160,7 +181,14 @@ template(`base_user_template',`
 	fs_get_all_fs_quotas($1_t)
 	fs_getattr_all_fs($1_t)
 	fs_search_auto_mountpoints($1_t)
-	fs_exec_noxattr($1_t)
+
+	# cjp: some of this probably can be removed
+	selinux_get_fs_mount($1_t)
+	selinux_validate_context($1_t)
+	selinux_compute_access_vector($1_t)
+	selinux_compute_create_context($1_t)
+	selinux_compute_relabel_context($1_t)
+	selinux_compute_user_contexts($1_t)
 
 	# for eject
 	storage_getattr_fixed_disk($1_t)
@@ -196,10 +224,13 @@ template(`base_user_template',`
 	logging_dontaudit_getattr_all_logs($1_t)
 
 	miscfiles_read_localization($1_t)
+	miscfiles_read_fonts($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
 
+	seutil_read_file_contexts($1_t)
+	seutil_read_default_contexts($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 
 	mta_rw_spool($1_t)
@@ -209,12 +240,29 @@ template(`base_user_template',`
 		allow $1_t self:process execmem;
 	')
 
+	tunable_policy(`allow_execmem && allow_execstack',`
+		# Allow making the stack executable via mprotect.
+		allow $1_t self:process execstack;
+	')
+
 	tunable_policy(`read_default_t',`
 		files_list_default($1_t)
 		files_read_default_files($1_t)
 		files_read_default_symlinks($1_t)
 		files_read_default_sockets($1_t)
 		files_read_default_pipes($1_t)
+	',`
+		files_dontaudit_list_default($1_t)
+		files_dontaudit_read_default_files($1_t)
+	')
+
+	tunable_policy(`read_untrusted_content',`
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
+	',`
+		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
+		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
 	')
 
 	tunable_policy(`use_nfs_home_dirs',`
@@ -224,6 +272,9 @@ template(`base_user_template',`
 		fs_manage_nfs_named_sockets($1_t)
 		fs_manage_nfs_named_pipes($1_t)
 		fs_execute_nfs_files($1_t)
+	',`
+		fs_dontaudit_manage_nfs_dirs($1_t)
+		fs_dontaudit_manage_nfs_files($1_t)
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
@@ -233,6 +284,9 @@ template(`base_user_template',`
 		fs_manage_cifs_named_sockets($1_t)
 		fs_manage_cifs_named_pipes($1_t)
 		fs_execute_cifs_files($1_t)
+	',`
+		fs_dontaudit_manage_cifs_dirs($1_t)
+		fs_dontaudit_manage_cifs_files($1_t)
 	')
 
 	tunable_policy(`user_direct_mouse',`
@@ -329,36 +383,17 @@ template(`base_user_template',`
 
 	r_dir_file($1_t, usercanread)
 
-	tunable_policy(`allow_execmod',`
-		# Allow text relocations on system shared libraries, e.g. libGL.
-		allow $1_t texrel_shlib_t:file execmod;
-	')
-
 	allow $1_t fs_type:dir getattr;
 
-	# old "file_browse_domain":
+	dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
-	# Regular files/directories that are not security sensitive
+	dontaudit $1 file_type - secure_file_type:dir search;
-	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
+	dontaudit $1 file_type - secure_file_type:dir read;
-	dontaudit $1_t file_type - secure_file_type:dir { read search };
+	dontaudit $1 unlabeled_t:dir_file_class_set getattr;
-	# /dev
+	dontaudit $1 unlabeled_t:dir search;
-	dontaudit $1_t dev_fs:dir_file_class_set getattr;
+	dontaudit $1 unlabeled_t:dir read;
-	dontaudit $1_t dev_fs:dir { read search };
+	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
-	# /proc
+	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
-	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
+	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-	dontaudit $1_t proc_fs:dir { read search };
-
-	tunable_policy(`user_rw_noexattrfile',`
-		create_dir_file($1_t, noexattrfile)
-		# Write floppies 
-		storage_raw_read_removable_device($1_t)
-		storage_raw_write_removable_device($1_t)
-		# cjp: what does this have to do with removable devices?
-		allow $1_t usbtty_device_t:chr_file write;
-	',`
-		r_dir_file($1_t, noexattrfile)
-		r_dir_file($1_t, removable_t)
-		allow $1_t removable_device_t:blk_file r_file_perms;
-	')
 
 	allow $1_t usbtty_device_t:chr_file read;
 
@@ -390,21 +425,16 @@ template(`base_user_template',`
 	# Connect to portmap.
 	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
 
+	# Use X
+	x_client_domain($1, $1)
+
 	ifdef(`xserver.te', `
-		# for /tmp/.ICE-unix
-		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
 		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
 	')
 
 	ifdef(`xdm.te', `
 		# Connect to the X server run by the X Display Manager.
 		can_unix_connect($1_t, xdm_t)
-		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
-		allow $1_t xdm_tmp_t:dir r_dir_perms;
-		allow $1_t xdm_tmp_t:file r_file_perms;
-		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
-		allow $1_t xdm_xserver_tmp_t:dir search;
-		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
 		# certain apps want to read xdm.pid file
 		r_dir_file($1_t, xdm_var_run_t)
 		allow $1_t xdm_var_lib_t:file r_file_perms;
@@ -412,12 +442,26 @@ template(`base_user_template',`
 		ifdef(`xauth.te', `
 			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
 		')
-
-		# for shared memory
-		allow xdm_xserver_t $1_tmpfs_t:file { read write };
-
 	')
 
+	# start read_fonts()
+
+	# cjp: this macro is unconditional, though
+	# its in a conditional file.
+
+	# Manipulate the global font cache
+	create_dir_file($1, $1_fonts_cache_t)
+
+	# Read per user fonts and font config
+	r_dir_file($1, $1_fonts_t)
+	r_dir_file($1, $1_fonts_config_t)
+
+	# There are some fonts in .gnome2
+	ifdef(`gnome.te', `
+	allow $1 $2_gnome_settings_t:dir { getattr search };
+	')
+	# end read_fonts()
+
 	ifdef(`rpcd.te', `
 		create_dir_file($1_t, nfsd_rw_t)
 	')
@@ -467,8 +511,13 @@ template(`unpriv_user_template', `
 	domain_wide_inherit_fd($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
+
 	typeattribute $1_home_dir_t user_home_dir_type;
+	files_poly($1_home_dir_t)
+
 	typeattribute $1_home_t user_home_type;
+	files_poly_member($1_home_t)
+
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
  
@@ -484,14 +533,6 @@ template(`unpriv_user_template', `
 	allow $1_home_t self:filesystem associate;
 	allow $1_file_type $1_home_t:filesystem associate;
 
-	# user temporary files
-	allow $1_t $1_tmp_t:file create_file_perms;
-	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
-	allow $1_t $1_tmp_t:dir create_dir_perms;
-	allow $1_t $1_tmp_t:sock_file create_file_perms;
-	allow $1_t $1_tmp_t:fifo_file create_file_perms;
-	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
-
 	# privileged home directory writers
 	allow privhome $1_home_t:file create_file_perms;
 	allow privhome $1_home_t:lnk_file create_lnk_perms;
@@ -537,6 +578,11 @@ template(`unpriv_user_template', `
 	# so it can be used without privilege to write real binary policy file
 	seutil_exec_checkpol($1_t)
 
+	ifdef(`enable_polyinstantiation',`
+		type_member $1_t $1_home_dir_t:dir $1_home_t;
+		files_poly_member_tmp($1_t)
+	')
+
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
 	',`
@@ -575,6 +621,22 @@ template(`unpriv_user_template', `
 
 	ifdef(`TODO',`
 
+	ifdef(`enable_mls',`',`
+		fs_exec_noxattr($1_t)
+		tunable_policy(`user_rw_noexattrfile',`
+			create_dir_file($1_t, noexattrfile)
+			# Write floppies 
+			storage_raw_read_removable_device($1_t)
+			storage_raw_write_removable_device($1_t)
+			# cjp: what does this have to do with removable devices?
+			allow $1_t usbtty_device_t:chr_file write;
+		',`
+			r_dir_file($1_t, noexattrfile)
+			r_dir_file($1_t, removable_t)
+			allow $1_t removable_device_t:blk_file r_file_perms;
+		')
+	')
+
 	dontaudit $1_t boot_t:lnk_file read;
 	dontaudit $1_t boot_t:file read;
 
@@ -596,16 +658,20 @@ template(`unpriv_user_template', `
 		')
 	')
 
+	ifdef(`useradd.te', `
+	# Useradd relabels /etc/skel files so needs these privs 
+	allow useradd_t $1_file_type:dir create_dir_perms;
+	allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
+	')
+
 	# Stat lost+found.
 	allow $1_t lost_found_t:dir getattr;
 
 	# Read /var, /var/spool, /var/run.
-	allow $1_t var_t:dir r_dir_perms;
+	r_dir_file($1_t, var_t)
-	allow $1_t var_t:notdevfile_class_set r_file_perms;
+	# what about pipes and sockets under /var/spool?
-	allow $1_t var_spool_t:dir r_dir_perms;
+	r_dir_file($1_t, var_spool_t)
-	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
+	r_dir_file($1_t, var_run_t)
-	allow $1_t var_run_t:dir r_dir_perms;
-	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
 	allow $1_t var_lib_t:dir r_dir_perms;
 	allow $1_t var_lib_t:file { getattr read };
 
@@ -631,23 +697,6 @@ template(`unpriv_user_template', `
 
 	allow $1_t initrc_t:fifo_file write;
 
-	ifdef(`user_can_mount', `
-		#
-		#  Allow users to mount file systems like floppies and cdrom
-		#
-		mount_domain($1, $1_mount, `, fs_domain')
-		r_dir_file($1_t, mnt_t)
-		allow $1_mount_t device_t:lnk_file read;
-		allow $1_mount_t removable_device_t:blk_file read;
-		allow $1_mount_t iso9660_t:filesystem relabelfrom;
-		allow $1_mount_t removable_t:filesystem { mount relabelto };
-		allow $1_mount_t removable_t:dir mounton;
-		ifdef(`xdm.te', `
-			allow $1_mount_t xdm_t:fd use;
-			allow $1_mount_t xdm_t:fifo_file { read write };
-		')
-	')
-
 	') dnl end TODO
 ')
 
@@ -721,16 +770,11 @@ template(`admin_user_template',`
 	# for the administrator to run TCP servers directly
 	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
 
+	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+
 	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 	term_create_pty($1_t,$1_devpts_t)
 
-	allow $1_t $1_tmp_t:dir create_dir_perms;
-	allow $1_t $1_tmp_t:file create_file_perms;
-	allow $1_t $1_tmp_t:lnk_file create_file_perms;
-	allow $1_t $1_tmp_t:fifo_file create_file_perms;
-	allow $1_t $1_tmp_t:sock_file create_file_perms;
-	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
-
 	kernel_read_system_state($1_t)
 	kernel_read_network_state($1_t)
 	kernel_read_software_raid_state($1_t)
@@ -761,6 +805,7 @@ template(`admin_user_template',`
 
 	fs_getattr_all_fs($1_t)
 	fs_set_all_quotas($1_t)
+	fs_exec_noxattr($1_t)
 
 	selinux_set_enforce_mode($1_t)
 	selinux_set_boolean($1_t)
@@ -847,7 +892,7 @@ template(`admin_user_template',`
 			allow xdm_t $1_home_t:lnk_file read;
 			allow xdm_t $1_home_t:dir search;
 		')
-		allow $1_t xdm_t:fifo_file rw_file_perms;
+		can_pipe_xdm($1_t)
 	')
 
 	# Connect data port to ftpd.
@@ -877,6 +922,21 @@ template(`admin_user_template',`
 	# Run programs from staff home directories.
 	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
 	can_exec($1_t, staff_home_t)
+
+	tunable_policy(`user_rw_noexattrfile',`
+		create_dir_file($1_t, noexattrfile)
+		# Write floppies 
+		storage_raw_read_removable_device($1_t)
+		storage_raw_write_removable_device($1_t)
+		# cjp: what does this have to do with removable devices?
+		allow $1_t usbtty_device_t:chr_file write;
+	',`
+		r_dir_file($1_t, noexattrfile)
+		r_dir_file($1_t, removable_t)
+		allow $1_t removable_device_t:blk_file r_file_perms;
+	')
+	allow $1 removable_t:filesystem getattr;
+
 	') dnl endif TODO
 ')
 
@@ -2037,7 +2097,7 @@ interface(`userdom_sigcld_all_users',`
 		class process sigchld;
 	')
 
-	allow $1 userdomain:process sigghld;
+	allow $1 userdomain:process sigchld;
 ')
 
 ########################################

refpolicy/policy/modules/system/userdomain.te

@@ -223,6 +223,7 @@ ifdef(`targeted_policy',`
 
 	optional_policy(`sysnetwork.te',`
 		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
+		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
 	')
 
 	optional_policy(`unconfined.te',`
@@ -233,4 +234,8 @@ ifdef(`targeted_policy',`
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
 	')
+
+	optional_policy(`vpn.te',`
+		vpn_run(sysadm_t,sysadm_r,admin_terminal)
+	')
 ')

strict/domains/admin.te

@@ -17,19 +17,27 @@ general_proc_read_access(sysadm_t)
 # sysadm_t is also granted permissions specific to administrator domains.
 admin_domain(sysadm)
 
-# Allow administrator domains to set the enforcing flag.
-can_setenforce(sysadm_t)
-
-# Allow administrator domains to set policy booleans.
-can_setbool(sysadm_t)
-
-# Allow administrator domains to set security parameters
-can_setsecparam(sysadm_t)
-
 # for su
 allow sysadm_t userdomain:fd use;
 
-define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
+ifdef(`separate_secadm', `', `
+security_manager_domain(sysadm_t)
+')
 
 # Add/remove user home directories
 file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+
+limited_user_role(secadm)
+typeattribute secadm_t admin;
+role secadm_r types secadm_t; 
+security_manager_domain(secadm_t)
+r_dir_file(secadm_t, { var_t var_log_t })
+
+typeattribute secadm_tty_device_t admin_tty_type;
+typeattribute secadm_devpts_t admin_tty_type;
+
+bool allow_ptrace false;
+
+if (allow_ptrace) {
+can_ptrace(sysadm_t, domain)
+}

strict/domains/misc/screensaver.te

@@ -1,18 +0,0 @@
-#
-# Alias file to stop blow up during policy upgrade, since 
-# screensaver policy is being removed.
-#
-typealias bin_t alias screensaver_exec_t;
-typealias sysadm_home_t alias sysadm_screensaver_t;
-typealias sysadm_home_t alias sysadm_screensaver_rw_t;
-typealias sysadm_home_t alias sysadm_screensaver_ro_t;
-typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t;
-typealias user_home_t alias user_screensaver_t;
-typealias user_home_t alias user_screensaver_rw_t;
-typealias user_home_t alias user_screensaver_ro_t;
-typealias user_home_t alias user_screensaver_tmpfs_t;
-typealias staff_home_t alias staff_screensaver_t;
-typealias staff_home_t alias staff_screensaver_rw_t;
-typealias staff_home_t alias staff_screensaver_ro_t;
-typealias staff_home_t alias staff_screensaver_tmpfs_t;
-

strict/domains/program/dbusd.te

@@ -17,4 +17,9 @@ can_ypbind(system_dbusd_t)
 # I expect we need more than this
 
 allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow initrc_t system_dbusd_t:unix_stream_socket connectto;
+allow initrc_t system_dbusd_var_run_t:sock_file write;
 
+can_exec(system_dbusd_t, sbin_t)
+allow system_dbusd_t self:fifo_file { read write };
+allow system_dbusd_t self:unix_stream_socket connectto;

strict/domains/program/dhcpc.te

@@ -43,6 +43,8 @@ ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };
 allow cardmgr_t dhcpc_t:process signal_perms;
+allow cardmgr_t dhcpc_var_run_t:file unlink;
+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
 ')
 ifdef(`hotplug.te', `
 domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
@@ -126,7 +128,7 @@ can_exec(dhcpc_t, { bin_t shell_exec_t })
 ifdef(`hostname.te', `
 domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
 ')
-dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write };
+dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
 allow dhcpc_t { userdomain kernel_t }:fd use;
 
 allow dhcpc_t home_root_t:dir search;
@@ -142,7 +144,22 @@ allow dhcpc_t initrc_var_run_t:file rw_file_perms;
 can_exec(dhcpc_t, initrc_exec_t)
 ifdef(`ypbind.te', `
 domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
+allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
 ')
 ifdef(`ntpd.te', `
 domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
 ')
+role sysadm_r types dhcpc_t;
+domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
+ifdef(`dbusd.te', `
+dbusd_client(system, dhcpc)
+domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
+allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow dhcpc_t self:dbus send_msg;
+allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
+allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
+ifdef(`unconfined.te', `
+allow unconfined_t dhcpc_t:dbus send_msg;
+allow dhcpc_t unconfined_t:dbus send_msg;
+')dnl end ifdef unconfined.te
+')

strict/domains/program/fsadm.te

@@ -29,6 +29,7 @@ read_sysctl(fsadm_t)
 
 # for /dev/shm
 allow fsadm_t tmpfs_t:dir { getattr search };
+allow fsadm_t tmpfs_t:file { read write };
 
 base_file_read_access(fsadm_t)
 
@@ -115,3 +116,5 @@ system_crond_entry(fsadm_exec_t, fsadm_t)
 allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
 allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
 allow fsadm_t usbfs_t:dir { getattr search };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
+allow fsadm_t device_type:chr_file getattr;

strict/domains/program/gpg.te

@@ -8,11 +8,8 @@
 type gpg_exec_t, file_type, sysadmfile, exec_type;
 type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
 
-allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
+allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
 allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
 
-# Allow gpg exec stack
-bool allow_gpg_execstack false;
-
 # Everything else is in the gpg_domain macro in
 # macros/program/gpg_macros.te.

strict/domains/program/hald.te

@@ -65,10 +65,9 @@ allow hald_t udev_tbl_t:file { getattr read };
 ifdef(`hotplug.te', `
 r_dir_file(hald_t, hotplug_etc_t)
 ')
-allow hald_t usbdevfs_t:dir search;
+allow hald_t fs_type:dir { search getattr };
-allow hald_t usbdevfs_t:file { getattr read };
+allow hald_t usbfs_t:dir r_dir_perms;
-allow hald_t usbfs_t:dir search;
+allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
-allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
 r_dir_file(hald_t, { selinux_config_t default_context_t } )
 allow hald_t initrc_t:dbus send_msg;
@@ -80,3 +79,25 @@ allow hald_t device_t:chr_file create_file_perms;
 tmp_domain(hald)
 allow hald_t mnt_t:dir search;
 r_dir_file(hald_t, proc_net_t)
+
+# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/libexec/hald-probe-smbios
+domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
+
+# ??
+ifdef(`lvm.te', `
+allow hald_t lvm_control_t:chr_file r_file_perms;
+')
+ifdef(`targeted_policy', `
+allow unconfined_t hald_t:dbus send_msg;
+allow hald_t unconfined_t:dbus send_msg;
+')
+ifdef(`mount.te', `
+domain_auto_trans(hald_t, mount_exec_t, mount_t)
+')
+

strict/domains/program/hostname.te

@@ -4,9 +4,7 @@
 # X-Debian-Packages: hostname
 
 # for setting the hostname
-daemon_base_domain(hostname, , nosysadm)
+daemon_core_rules(hostname, , nosysadm)
-role sysadm_r types hostname_t;
-
 allow hostname_t self:capability sys_admin;
 allow hostname_t etc_t:file { getattr read };
 

strict/domains/program/initrc.te

@@ -123,7 +123,10 @@ allow initrc_t fs_type:filesystem mount_fs_perms;
 allow initrc_t file_t:dir { read search getattr mounton };
 
 # during boot up initrc needs to do the following
-allow initrc_t default_t:dir { read search getattr mounton };
+allow initrc_t default_t:dir { write read search getattr mounton };
+
+# rhgb-console writes to ramfs
+allow initrc_t ramfs_t:fifo_file write;
 
 # Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
 file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
@@ -233,7 +236,7 @@ allow initrc_t home_type:file r_file_perms;
 allow initrc_t pidfile:file { getattr read unlink };
 
 # for system start scripts
-allow initrc_t pidfile:dir rw_dir_perms;
+allow initrc_t pidfile:dir { rmdir rw_dir_perms };
 allow initrc_t pidfile:sock_file unlink;
 
 rw_dir_create_file(initrc_t, var_lib_t)
@@ -316,3 +319,6 @@ domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')
 allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
 allow initrc_t device_t:lnk_file create_file_perms;
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+')

strict/domains/program/lvm.te

@@ -108,11 +108,11 @@ dontaudit lvm_t gpmctl_t:sock_file getattr;
 ')
 dontaudit lvm_t initctl_t:fifo_file getattr;
 allow lvm_t sbin_t:dir search;
-dontaudit lvm_t sbin_t:file getattr;
+dontaudit lvm_t sbin_t:file { getattr read };
 allow lvm_t lvm_control_t:chr_file rw_file_perms;
 allow initrc_t lvm_control_t:chr_file { getattr read unlink };
 allow initrc_t device_t:chr_file create;
-dontaudit lvm_t var_run_t:dir getattr;
+var_run_domain(lvm)
 
 # for when /usr is not mounted
 dontaudit lvm_t file_t:dir search;
@@ -122,6 +122,8 @@ r_dir_file(lvm_t, selinux_config_t)
 
 # it has no reason to need this
 dontaudit lvm_t proc_kcore_t:file getattr;
+allow lvm_t var_t:dir { search getattr };
+allow lvm_t ramfs_t:filesystem unmount;
 
 # cluster LVM daemon
 daemon_domain(clvmd)

strict/domains/program/modutil.te

@@ -56,6 +56,7 @@ file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
 # Read module objects.
 allow depmod_t modules_object_t:dir r_dir_perms;
 allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
+allow depmod_t modules_object_t:file unlink;
 
 # Access terminals.
 allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
@@ -137,15 +138,15 @@ allow insmod_t initrc_t:fifo_file { getattr read write };
 
 allow insmod_t fs_t:filesystem getattr;
 allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount;
+allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
 
 # Rules for /proc/sys/kernel/tainted
 read_sysctl(insmod_t)
 allow insmod_t proc_t:dir search;
 allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
 
-allow insmod_t proc_t:file { getattr read };
+allow insmod_t proc_t:file rw_file_perms;
 allow insmod_t proc_t:lnk_file read;
 
 # Write to /proc/mtrr.

strict/domains/program/pamconsole.te

@@ -45,5 +45,6 @@ allow pam_console_t hotplug_t:fd use;
 ifdef(`xdm.te', `
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
-allow initrc_t pam_var_console_t:dir r_dir_perms;
+allow initrc_t pam_var_console_t:dir rw_dir_perms;
+allow initrc_t pam_var_console_t:file unlink;
 allow pam_console_t file_context_t:file { getattr read };

strict/domains/program/postgresql.te

@@ -10,7 +10,6 @@
 #
 # postgresql_exec_t is the type of the postgresql executable.
 #
-type postgresql_port_t, port_type;
 daemon_domain(postgresql)
 allow initrc_t postgresql_exec_t:lnk_file read;
 allow postgresql_t usr_t:file { getattr read };
@@ -37,7 +36,6 @@ allow postgresql_t self:capability { kill dac_override dac_read_search chown fow
 dontaudit postgresql_t self:capability sys_admin;
 
 etcdir_domain(postgresql)
-typealias postgresql_etc_t alias etc_postgresql_t;
 type postgresql_db_t, file_type, sysadmfile;
 
 logdir_domain(postgresql)
@@ -52,7 +50,7 @@ tmp_domain(postgresql, `', `{ dir file sock_file }')
 file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
 
 # Use the network.
-can_network_server(postgresql_t)
+can_network(postgresql_t)
 can_ypbind(postgresql_t)
 allow postgresql_t self:fifo_file { getattr read write ioctl };
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
@@ -69,6 +67,7 @@ if (allow_user_postgresql_connect) {
 can_tcp_connect(userdomain, postgresql_t)
 allow userdomain postgresql_t:unix_stream_socket connectto;
 allow userdomain postgresql_var_run_t:sock_file write;
+allow userdomain postgresql_tmp_t:sock_file write;
 }
 ')
 ifdef(`consoletype.te', `
@@ -80,6 +79,7 @@ can_exec(postgresql_t, hostname_exec_t)
 ')
 
 allow postgresql_t postgresql_port_t:tcp_socket name_bind;
+allow postgresql_t auth_port_t:tcp_socket name_connect;
 
 allow postgresql_t { proc_t self }:file { getattr read };
 
@@ -110,9 +110,9 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
 allow postgresql_t self:sem create_sem_perms;
 
 allow postgresql_t initrc_var_run_t:file { getattr read lock };
-dontaudit postgresql_t selinux_config_t:dir { search };
+dontaudit postgresql_t selinux_config_t:dir search;
-allow postgresql_t mail_spool_t:dir { search };
+allow postgresql_t mail_spool_t:dir search;
-rw_dir_create_file(postgresql_t, var_lock_t)
+lock_domain(postgresql)
 can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
 ifdef(`apache.te', `
 # 
@@ -124,11 +124,15 @@ can_unix_connect(httpd_t, postgresql_t)
 
 ifdef(`distro_gentoo', `
 # "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir { search };
+allow initrc_su_t postgresql_db_t:dir search;
-allow postgresql_t initrc_su_t:process { sigchld };
+allow postgresql_t initrc_su_t:process sigchld;
 dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
 ')
 
 dontaudit postgresql_t home_root_t:dir search;
 can_kerberos(postgresql_t)
 allow postgresql_t urandom_device_t:chr_file { getattr read };
+
+if (allow_execmem) {
+allow postgresql_t self:process execmem;
+}

strict/domains/program/vpnc.te

@@ -10,9 +10,9 @@
 # vpnc_t is the domain for the vpnc program.
 # vpnc_exec_t is the type of the vpnc executable.
 #
-daemon_domain(vpnc, `, sysctl_net_writer')
+application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
 
-allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
+allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
 # Use the network.
 can_network(vpnc_t)
@@ -31,7 +31,7 @@ allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
 allow vpnc_t self:rawip_socket create_socket_perms;
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
+allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
 allow vpnc_t port_t:udp_socket name_bind;
 allow vpnc_t etc_runtime_t:file { getattr read };
 allow vpnc_t proc_t:file { getattr read };
@@ -42,6 +42,8 @@ allow vpnc_t sysctl_net_t:file write;
 allow vpnc_t sbin_t:dir search;
 allow vpnc_t bin_t:dir search;
 allow vpnc_t bin_t:lnk_file read;
+allow vpnc_t self:dir search;
+r_dir_file(vpnc_t, proc_t)
 r_dir_file(vpnc_t, proc_net_t)
 tmp_domain(vpnc)
 allow vpnc_t self:fifo_file { getattr ioctl read write };
@@ -49,3 +51,12 @@ allow vpnc_t self:file { getattr read };
 allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
 file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
 allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
+dontaudit vpnc_t home_root_t:dir search;
+dontaudit vpnc_t user_home_dir_type:dir search;
+var_run_domain(vpnc)
+allow vpnc_t userdomain:fd use;
+r_dir_file(vpnc_t, sysfs_t)
+allow vpnc_t self:process { fork sigchld };
+read_locale(vpnc_t)
+read_sysctl(vpnc_t)
+allow vpnc_t fs_t:filesystem getattr;

strict/domains/user.te

@@ -4,6 +4,16 @@
 
 # Booleans for user domains.
 
+# Allow applications to read untrusted content
+# If this is disallowed, Internet content has
+# to be manually relabeled for read access to be granted
+bool read_untrusted_content false;
+
+# Allow applications to write untrusted content
+# If this is disallowed, no Internet content
+# will be stored.
+bool write_untrusted_content false;
+
 # Allow users to read system messages.
 bool user_dmesg false;
 
@@ -54,54 +64,6 @@ bool read_default_t false;
 # files (such as ~/.bashrc)
 bool staff_read_sysadm_file false;
 
-# change from role $1_r to $2_r and relabel tty appropriately
-define(`role_tty_type_change', `
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-# Reach sysadm_t via programs like userhelper/sudo/su
-undefine(`reach_sysadm')
-define(`reach_sysadm', `
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-ifdef(`su.te', `
-su_domain($1)
-# When an ordinary user domain runs su, su may try to
-# update the /root/.Xauthority file, and the user shell may
-# try to update the shell history. This is not allowed, but 
-# we dont need to audit it.
-dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
-') dnl ifdef su.te
-')
-
-# Privileged user domain
-undefine(`priv_user')
-define(`priv_user', `
-# Reach sysadm_t
-reach_sysadm($1)
-
-# Read file_contexts for rpm and get security decisions. 
-r_dir_file($1_t, file_context_t)
-can_getsecurity($1_t)
-
-# Signal and see information about unprivileged user domains.
-allow $1_t unpriv_userdomain:process signal_perms;
-can_ps($1_t, unpriv_userdomain)
-allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
-
-# Read /root files if boolean is enabled.
-if (staff_read_sysadm_file) {
-allow $1_t sysadm_home_dir_t:dir { getattr search };
-allow $1_t sysadm_home_t:file { getattr read };
-}
-
-') dnl priv_user
 
 full_user_role(user)
 

strict/file_contexts/program/postgresql.fc

@@ -14,3 +14,7 @@
 /usr/lib/pgsql/test/regress/.*\.so	-- system_u:object_r:shlib_t
 /usr/lib/pgsql/test/regress/.*\.sh	-- system_u:object_r:bin_t
 /usr/lib/pgsql/test/regress/pg_regress	-- system_u:object_r:postgresql_exec_t
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)?       system_u:object_r:postgresql_db_t
+/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t 
+')

strict/macros/admin_macros.te

@@ -20,15 +20,19 @@ type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
 type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
 
 # Type and access for pty devices.
-can_create_pty($1)
+can_create_pty($1, `, admin_tty_type')
 
-tmp_domain($1, `, $1_file_type', `{ file dir lnk_file sock_file fifo_file }')
+# Transition manually for { lnk sock fifo }. The rest is in content macros.
+tmp_domain_notrans($1, `, $1_file_type')
+file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
+allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
 
 # Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, dev_fs;
+type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
 
 # Inherit rules for ordinary users.
 base_user_domain($1)
+access_removable_media($1_t)
 
 allow $1_t self:capability setuid;
 
@@ -36,11 +40,6 @@ ifdef(`su.te', `su_domain($1)')
 ifdef(`userhelper.te', `userhelper_domain($1)')
 ifdef(`sudo.te', `sudo_domain($1)')
 
-# Violates the goal of limiting write access to checkpolicy.
-# But presently necessary for installing the file_contexts file.
-create_dir_file($1_t, policy_config_t)
-r_dir_file($1_t, selinux_config_t)
-
 # Let admin stat the shadow file.
 allow $1_t shadow_t:file getattr;
 
@@ -51,12 +50,12 @@ allow $1_crond_t var_log_t:file r_file_perms;
 # Allow system log read
 allow $1_t kernel_t:system syslog_read;
 
+# Allow autrace
+# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
+
 # Use capabilities other than sys_module.
 allow $1_t self:capability ~sys_module;
 
-# Get security policy decisions.
-can_getsecurity($1_t)
-
 # Use system operations.
 allow $1_t kernel_t:system *;
 
@@ -82,12 +81,6 @@ allow $1_t sysadmfile:dir create_dir_perms;
 allow $1_t mtrr_device_t:file getattr;
 allow $1_t fs_type:dir getattr;
 
-# Set an exec context, e.g. for runcon.
-can_setexec($1_t)
-
-# Set a context other than the default one for newly created files.
-can_setfscreate($1_t)
-
 # Access removable devices.
 allow $1_t removable_device_t:devfile_class_set rw_file_perms;
 
@@ -124,18 +117,6 @@ can_exec($1_t, staff_home_t)
 # Run programs from /usr/src.
 can_exec($1_t, src_t)
 
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
-
-# added by mayerf@tresys.com
-# The following rules are temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-#
-allow $1_t policy_src_t:file create_file_perms;
-allow $1_t policy_src_t:lnk_file create_lnk_perms;
-allow $1_t policy_src_t:dir create_dir_perms;
-
 # Relabel all files.
 # Actually this will not allow relabeling ALL files unless you change
 # sysadmfile to file_type (and change the assertion in assert.te that
@@ -157,7 +138,7 @@ if (xdm_sysadm_login) {
 allow xdm_t $1_home_t:lnk_file read;
 allow xdm_t $1_home_t:dir search;
 }
-allow $1_t xdm_t:fifo_file rw_file_perms;
+can_pipe_xdm($1_t)
 ')dnl end ifdef xauth.te
 ')dnl end ifdef xdm.te
 
@@ -205,3 +186,42 @@ allow $1_t device_t:lnk_file { create read };
 allow $1_t domain:socket_class_set getattr;
 allow $1_t eventpollfs_t:file getattr;
 ')
+
+define(`security_manager_domain', `
+
+typeattribute $1 secadmin;
+# Allow administrator domains to set the enforcing flag.
+can_setenforce($1)
+
+# Allow administrator domains to set policy booleans.
+can_setbool($1)
+
+# Get security policy decisions.
+can_getsecurity($1)
+
+# Allow administrator domains to set security parameters
+can_setsecparam($1)
+
+# Run admin programs that require different permissions in their own domain.
+# These rules were moved into the appropriate program domain file.
+
+# added by mayerf@tresys.com
+# The following rules are temporary until such time that a complete
+# policy management infrastructure is in place so that an administrator
+# cannot directly manipulate policy files with arbitrary programs.
+#
+allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
+allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
+allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
+
+# Set an exec context, e.g. for runcon.
+can_setexec($1)
+
+# Set a context other than the default one for newly created files.
+can_setfscreate($1)
+
+allow $1 self:netlink_audit_socket nlmsg_readpriv;
+
+')
+
+

strict/macros/base_user_macros.te

@@ -2,12 +2,6 @@
 # Macros for all user login domains.
 #
 
-define(`network_home_dir', `
-create_dir_file($1, $2)
-can_exec($1, $2)
-allow $1 $2:{ sock_file fifo_file } create_file_perms;
-')
-
 #
 # base_user_domain(domain_prefix)
 #
@@ -22,6 +16,30 @@ allow $1 $2:{ sock_file fifo_file } create_file_perms;
 undefine(`base_user_domain')
 define(`base_user_domain', `
 
+# Type for network-obtained content
+type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
+type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
+
+# Allow user to relabel untrusted content
+allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
+# Read content
+read_content($1_t, $1)
+
+# Write trusted content. This includes proper transition
+# for /home, and /tmp, so no other transition is necessary (or allowed)
+write_trusted($1_t, $1)
+
+# Maybe the home directory is networked
+network_home($1_t)
+
+# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
+# Relabel files in the home directory 
+file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file }); 
+allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
+can_setfscreate($1_t)
+
 allow $1_t self:capability { setgid chown fowner };
 dontaudit $1_t self:capability { sys_nice fsetid };
 
@@ -40,10 +58,13 @@ if (allow_execmem) {
 allow $1_t self:process execmem;
 }
 
-if (allow_execmod) {
+if (allow_execmem && allow_execstack) {
+# Allow making the stack executable via mprotect.
+allow $1_t self:process execstack;
+}
+
 # Allow text relocations on system shared libraries, e.g. libGL.
 allow $1_t texrel_shlib_t:file execmod;
-}
 
 #
 # kdeinit wants this access
@@ -63,38 +84,23 @@ allow $1_t event_device_t:chr_file { getattr read ioctl };
 allow $1_t dri_device_t:chr_file getattr;
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
 
-file_browse_domain($1_t)
+# Supress ls denials:
+# getattr() - ls -l
+# search_dir() - symlink path resolution
+# read_dir() - deep ls: ls parent/...
+
+dontaudit_getattr($1_t)
+dontaudit_search_dir($1_t)
+dontaudit_read_dir($1_t)
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
 
-# Create, access, and remove files in home directory.
+# Allow user to run restorecon and relabel files
-file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)
+can_getsecurity($1_t)
-allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
+r_dir_file($1_t, default_context_t)
-can_setfscreate($1_t)
+r_dir_file($1_t, file_context_t)
 
-allow $1_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-network_home_dir($1_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-network_home_dir($1_t, cifs_t)
-}
-
-can_exec($1_t, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1_t, noexattrfile)
-create_dir_file($1_t, removable_t)
-# Write floppies 
-allow $1_t removable_device_t:blk_file rw_file_perms;
-allow $1_t usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1_t, noexattrfile)
-r_dir_file($1_t, removable_t)
-allow $1_t removable_device_t:blk_file r_file_perms;
-}
 allow $1_t usbtty_device_t:chr_file read;
 
 # GNOME checks for usb and other devices
@@ -104,16 +110,9 @@ can_exec($1_t, noexattrfile)
 # Bind to a Unix domain socket in /tmp.
 allow $1_t $1_tmp_t:unix_stream_socket name_bind;
 
-# Access ttys.
-allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
 # Use the type when relabeling terminal devices.
 type_change $1_t tty_device_t:chr_file $1_tty_device_t;
 
-# read localization information
-read_locale($1_t)
-
 # Debian login is from shadow utils and does not allow resetting the perms.
 # have to fix this!
 type_change $1_t ttyfile:chr_file $1_tty_device_t;
@@ -297,21 +296,16 @@ dontaudit $1_t domain:process { getattr getsession };
 #
 dontaudit $1_t usr_t:file setattr;
 
+# Use X
+x_client_domain($1, $1)
+
 ifdef(`xserver.te', `
-# for /tmp/.ICE-unix
-file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
 allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
 ')
 
 ifdef(`xdm.te', `
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)
-allow $1_t xdm_tmp_t:sock_file rw_file_perms;
-allow $1_t xdm_tmp_t:dir r_dir_perms;
-allow $1_t xdm_tmp_t:file { getattr read };
-allow $1_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_t xdm_xserver_tmp_t:dir search;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
 # certain apps want to read xdm.pid file
 r_dir_file($1_t, xdm_var_run_t)
 allow $1_t xdm_var_lib_t:file { getattr read };
@@ -320,9 +314,6 @@ ifdef(`xauth.te', `
 file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
 ')
 
-# for shared memory
-allow xdm_xserver_t $1_tmpfs_t:file { read write };
-
 ')dnl end ifdef xdm.te
 
 # Access the sound device.
@@ -375,6 +366,9 @@ allow $1_t default_t:dir r_dir_perms;
 allow $1_t default_t:notdevfile_class_set r_file_perms;
 }
 
+# Read fonts
+read_fonts($1_t, $1)
+
 read_sysctl($1_t);
 
 #

strict/macros/global_macros.te

@@ -437,7 +437,7 @@ allow $2_t device_t:dir getattr;
 # by default, only plain files and dirs may be stored there.
 # This can be overridden with a third parameter
 define(`tmp_domain', `
-type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
+type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
 ifelse($3, `',
 `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
 `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')

strict/macros/user_macros.te

@@ -2,6 +2,76 @@
 # Macros for all user login domains.
 #
 
+# role_tty_type_change(starting_role, ending_role)
+#
+# change from role $1_r to $2_r and relabel tty appropriately
+#
+
+undefine(`role_tty_type_change')
+define(`role_tty_type_change', `
+allow $1_r $2_r;
+type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+# avoid annoying messages on terminal hangup
+dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
+#
+# reach_sysadm(user)
+#
+# Reach sysadm_t via programs like userhelper/sudo/su
+#
+
+undefine(`reach_sysadm')
+define(`reach_sysadm', `
+ifdef(`userhelper.te', `userhelper_domain($1)')
+ifdef(`sudo.te', `sudo_domain($1)')
+ifdef(`su.te', `
+su_domain($1)
+# When an ordinary user domain runs su, su may try to
+# update the /root/.Xauthority file, and the user shell may
+# try to update the shell history. This is not allowed, but 
+# we dont need to audit it.
+dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
+dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
+dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
+') dnl ifdef su.te
+ifdef(`xauth.te', `
+file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
+ifdef(`userhelper.te', `
+file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
+') dnl userhelper.te 
+') dnl xauth.te 
+') dnl reach_sysadm
+
+#
+# priv_user(user)
+#
+# Privileged user domain
+#
+
+undefine(`priv_user')
+define(`priv_user', `
+# Reach sysadm_t
+reach_sysadm($1)
+
+# Read file_contexts for rpm and get security decisions. 
+r_dir_file($1_t, file_context_t)
+can_getsecurity($1_t)
+
+# Signal and see information about unprivileged user domains.
+allow $1_t unpriv_userdomain:process signal_perms;
+can_ps($1_t, unpriv_userdomain)
+allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
+
+# Read /root files if boolean is enabled.
+if (staff_read_sysadm_file) {
+allow $1_t sysadm_home_dir_t:dir { getattr search };
+allow $1_t sysadm_home_t:file { getattr read };
+}
+
+') dnl priv_user
+
 #
 # user_domain(domain_prefix)
 #
@@ -18,18 +88,23 @@ define(`user_domain', `
 # Use capabilities
 
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type;
+type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
 
-tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
+# Transition manually for { lnk sock fifo }. The rest is in content macros.
+tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
+file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
+allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
 
-# Type and access for pty devices.
+ifdef(`support_polyinstantiation', `
-can_create_pty($1, `, userpty_type, user_tty_type')
+type_member $1_t tmp_t:dir $1_tmp_t;
-
+type_member $1_t $1_home_dir_t:dir $1_home_t;
-#Type for tty devices.
+')
-type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
 
 base_user_domain($1)
+ifdef(`mls_policy', `', `
+access_removable_media($1_t)
+')
 
 # do not allow privhome access to sysadm_home_dir_t
 file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
@@ -44,7 +119,9 @@ allow $1_t system_map_t:file { getattr read };
 # user domain and the program, and allow us to maintain separation
 # between different instances of the program being run by different
 # user domains.
-ifdef(`apache.te', `apache_domain($1)')
+ifelse($1, sysadm, `',`
+ifdef(`apache.te', `apache_user_domain($1)')
+')
 ifdef(`slocate.te', `locate_domain($1)')
 ifdef(`lockdev.te', `lockdev_domain($1)')
 
@@ -110,19 +187,73 @@ file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
 #
 # Domains for ordinary users.
 #
-undefine(`full_user_role')
+undefine(`limited_user_role')
-define(`full_user_role', `
+define(`limited_user_role', `
-
 # user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
+type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
+
+#Type for tty devices.
+type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
+# Type and access for pty devices.
+can_create_pty($1, `, userpty_type, user_tty_type')
+
+# Access ttys.
+allow $1_t privfd:fd use;
+allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
 
-attribute $1_file_type;
 # Grant read/search permissions to some of /proc.
 r_dir_file($1_t, proc_t)
 r_dir_file($1_t, proc_net_t)
 
 base_file_read_access($1_t)
 
+# Execute from the system shared libraries.
+uses_shlib($1_t)
+
+# Read /etc.
+r_dir_file($1_t, etc_t)
+allow $1_t etc_runtime_t:file r_file_perms;
+allow $1_t etc_runtime_t:lnk_file { getattr read };
+
+allow $1_t self:process { fork sigchld setpgid signal_perms };
+
+# read localization information
+read_locale($1_t)
+
+read_sysctl($1_t)
+can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
+
+allow $1_t self:dir search;
+allow $1_t self:file { getattr read };
+allow secadm_t self:fifo_file rw_file_perms;
+
+allow $1_t self:lnk_file read;
+allow $1_t self:unix_stream_socket create_socket_perms;
+allow $1_t urandom_device_t:chr_file { getattr read };
+dontaudit $1_t { var_spool_t var_log_t }:dir search;
+
+# Read /dev directories and any symbolic links.
+allow $1_t device_t:dir r_dir_perms;
+allow $1_t device_t:lnk_file { getattr read };
+allow $1_t devtty_t:chr_file { read write };
+
+')
+
+undefine(`full_user_role')
+define(`full_user_role', `
+
+limited_user_role($1)
+
+typeattribute  $1_t web_client_domain;
+
+attribute $1_file_type;
+
+ifdef(`useradd.te', `
+# Useradd relabels /etc/skel files so needs these privs 
+allow useradd_t $1_file_type:dir create_dir_perms;
+allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
+')
+
 can_exec($1_t, usr_t)
 
 # Read directories and files with the readable_t type.
@@ -134,28 +265,18 @@ allow $1_t readable_t:notdevfile_class_set r_file_perms;
 allow $1_t lost_found_t:dir getattr;
 
 # Read /var, /var/spool, /var/run.
-allow $1_t var_t:dir r_dir_perms;
+r_dir_file($1_t, var_t)
-allow $1_t var_t:notdevfile_class_set r_file_perms;
+# what about pipes and sockets under /var/spool?
-allow $1_t var_spool_t:dir r_dir_perms;
+r_dir_file($1_t, var_spool_t)
-allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_t, var_run_t)
-allow $1_t var_run_t:dir r_dir_perms;
-allow $1_t var_run_t:{ file lnk_file } r_file_perms;
 allow $1_t var_lib_t:dir r_dir_perms;
 allow $1_t var_lib_t:file { getattr read };
 
-read_sysctl($1_t)
-
-# Read /etc.
-allow $1_t etc_t:dir r_dir_perms;
-allow $1_t etc_t:notdevfile_class_set r_file_perms;
-allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
 # for running depmod as part of the kernel packaging process
 allow $1_t modules_conf_t:file { getattr read };
 
 # Read man directories and files.
-allow $1_t man_t:dir r_dir_perms;
+r_dir_file($1_t, man_t)
-allow $1_t man_t:notdevfile_class_set r_file_perms;
 
 # Allow users to rw usb devices
 if (user_rw_usb) {
@@ -166,16 +287,9 @@ r_dir_file($1_t,usbdevfs_t)
 
 r_dir_file($1_t,sysfs_t)
 
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file r_file_perms;
-
 # Do not audit write denials to /etc/ld.so.cache.
 dontaudit $1_t ld_so_cache_t:file write;
 
-# Execute from the system shared libraries.
-uses_shlib($1_t);
-
 # $1_t is also granted permissions specific to user domains.
 user_domain($1)
 
@@ -193,22 +307,6 @@ dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
 dontaudit $1_t init_t:fd use;
 dontaudit $1_t initrc_t:fd use;
 allow $1_t initrc_t:fifo_file write;
-ifdef(`user_can_mount', `
-#
-#  Allow users to mount file systems like floppies and cdrom
-#
-mount_domain($1, $1_mount, `, fs_domain')
-r_dir_file($1_t, mnt_t)
-allow $1_mount_t device_t:lnk_file read;
-allow $1_mount_t removable_device_t:blk_file read;
-allow $1_mount_t iso9660_t:filesystem relabelfrom;
-allow $1_mount_t removable_t:filesystem { mount relabelto };
-allow $1_mount_t removable_t:dir mounton;
-ifdef(`xdm.te', `
-allow $1_mount_t xdm_t:fd use;
-allow $1_mount_t xdm_t:fifo_file { read write };
-')
-')
 
 #
 # Rules used to associate a homedir as a mountpoint

strict/types/file.te

@@ -278,7 +278,7 @@ allow devpts_t self:filesystem associate;
 
 type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
 allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
-allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
+allow { logfile tmpfile home_type } tmp_t:filesystem associate;
 ifdef(`distro_redhat', `
 allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
 ')