patch from dan Fri, 17 Mar 2006 15:22:53 -0500

refpolicy/Changelog

@@ -1,3 +1,4 @@
+- Numerous fixes from Dan Walsh.
 - Change build order to preserve m4 line number information so policy
   compile errors are useful again.
 - Additional MLS interfaces from Chad Hanson.
@@ -23,6 +24,7 @@
 	rhgb
 	thunderbird
 	tor (Erich Schubert)
+	xen (Dan Walsh)
 
 * Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
 - Make all interface parameters required.

refpolicy/Rules.modular

@@ -208,7 +208,7 @@ enableaudit: $(BASE_CONF)
 #
 $(APPDIR)/customizable_types: $(BASE_CONF)
 	@mkdir -p $(APPDIR)
-	$(verbose) $(GREP) "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > $(TMPDIR)/customizable_types
+	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
 	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
 
 ########################################

refpolicy/Rules.monolithic

@@ -213,7 +213,7 @@ $(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC)
 #
 $(APPDIR)/customizable_types: $(POLICY_CONF)
 	@mkdir -p $(APPDIR)
-	$(verbose) $(GREP) "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > $(TMPDIR)/customizable_types
+	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
 	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
 
 ########################################

refpolicy/policy/mcs

@@ -141,9 +141,7 @@ mlsconstrain file { write setattr append unlink link rename
 
 mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
 
-mlsconstrain file { read } ((h1 dom h2) or 
-			    ( t1 == mlsfileread ));
-
+mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread ));
 
 # new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }

refpolicy/policy/modules/admin/bootloader.te

@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.2.0)
+policy_module(bootloader,1.2.1)
 
 ########################################
 #
@@ -103,13 +103,14 @@ files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
 files_exec_etc_files(bootloader_t)
-files_read_etc_runtime_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)
 files_read_kernel_modules(bootloader_t)
 # for nscd
 files_dontaudit_search_pids(bootloader_t)
+# for blkid.tab
+files_manage_etc_runtime_files(bootloader_t)
 
 init_getattr_initctl(bootloader_t)
 init_use_script_ptys(bootloader_t)

refpolicy/policy/modules/admin/dmidecode.te

@@ -1,5 +1,5 @@
 
-policy_module(dmidecode,1.0.0)
+policy_module(dmidecode,1.0.1)
 
 ########################################
 #
@@ -23,6 +23,8 @@ allow dmidecode_t self:capability sys_rawio;
 # Allow dmidecode to read /dev/mem
 dev_read_raw_memory(dmidecode_t)
 
+mls_file_read_up(dmidecode_t)
+
 term_list_ptys(dmidecode_t)
 
 files_list_usr(dmidecode_t)

refpolicy/policy/modules/admin/readahead.te

@@ -1,5 +1,5 @@
 
-policy_module(readahead,1.2.0)
+policy_module(readahead,1.2.1)
 
 ########################################
 #
@@ -18,7 +18,7 @@ files_pid_file(readahead_var_run_t)
 # Local policy
 #
 
-dontaudit readahead_t self:capability sys_tty_config;
+dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
 allow readahead_t self:process signal_perms;
 
 allow readahead_t readahead_var_run_t:file create_file_perms;

refpolicy/policy/modules/admin/rpm.fc

@@ -22,7 +22,7 @@ ifdef(`distro_redhat', `
 /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 
 /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
-/var/log/yum\.log		--	gen_context(system_u:object_r:rpm_log_t,s0)
+/var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 
 # SuSE
 ifdef(`distro_suse', `

refpolicy/policy/modules/admin/rpm.if

@@ -78,6 +78,9 @@ interface(`rpm_run',`
 	role $2 types rpm_t;
 	role $2 types rpm_script_t;
 	seutil_run_loadpolicy(rpm_script_t,$2,$3)
+	seutil_run_semanage(rpm_script_t,$2,$3)
+	seutil_run_setfiles(rpm_script_t,$2,$3)
+	seutil_run_restorecon(rpm_script_t,$2,$3)
 	allow rpm_t $3:chr_file rw_term_perms;
 ')
 

refpolicy/policy/modules/admin/rpm.te

@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.3.1)
+policy_module(rpm,1.3.2)
 
 ########################################
 #
@@ -326,6 +326,7 @@ modutils_domtrans_insmod(rpm_script_t)
 
 seutil_domtrans_loadpolicy(rpm_script_t)
 seutil_domtrans_restorecon(rpm_script_t)
+seutil_domtrans_semanage(rpm_script_t)
 
 userdom_use_all_users_fds(rpm_script_t)
 

refpolicy/policy/modules/admin/su.fc

@@ -2,3 +2,4 @@
 /bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
 
 /usr(/local)?/bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)

refpolicy/policy/modules/admin/su.if

@@ -134,7 +134,6 @@ template(`su_per_userdomain_template',`
 
 	# Transition from the user domain to this domain.
 	domain_auto_trans($2, su_exec_t, $1_su_t)
-	allow $2 $1_su_t:fd use;
 	allow $1_su_t $2:fd use;
 	allow $1_su_t $2:fifo_file rw_file_perms;
 	allow $1_su_t $2:process sigchld;
@@ -142,9 +141,8 @@ template(`su_per_userdomain_template',`
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_su_t,$2)
 	allow $2 $1_su_t:fd use;
-	allow $1_su_t $2:fd use;
-	allow $1_su_t $2:fifo_file rw_file_perms;
-	allow $1_su_t $2:process sigchld;
+	allow $2 $1_su_t:fifo_file rw_file_perms;
+	allow $2 $1_su_t:process sigchld;
 
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)

refpolicy/policy/modules/admin/su.te

@@ -1,5 +1,5 @@
 
-policy_module(su,1.3.0)
+policy_module(su,1.3.1)
 
 ########################################
 #

refpolicy/policy/modules/admin/updfstab.te

@@ -1,5 +1,5 @@
 
-policy_module(updfstab,1.2.0)
+policy_module(updfstab,1.2.1)
 
 ########################################
 #
@@ -102,6 +102,10 @@ optional_policy(`dbus',`
 	dbus_send_system_bus(updfstab_t)
 ')
 
+optional_policy(`fstools',`
+	fstools_getattr_swap_files(updfstab_t)
+')
+
 optional_policy(`hal',`
 	hal_stream_connect(updfstab_t)
 	hal_dbus_chat(updfstab_t)
@@ -124,7 +128,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(updfstab_t)
 ')
-
-ifdef(`TODO',`
-allow updfstab_t tmpfs_t:dir getattr;
-')

refpolicy/policy/modules/admin/vbetool.te

@@ -1,5 +1,5 @@
 
-policy_module(vbetool,1.0.0)
+policy_module(vbetool,1.0.1)
 
 ########################################
 #
@@ -15,6 +15,7 @@ init_system_domain(vbetool_t,vbetool_exec_t)
 # Local policy
 #
 
+allow vbetool_t self:capability { sys_tty_config sys_admin };
 allow vbetool_t self:process execmem;
 
 dev_wx_raw_memory(vbetool_t)
@@ -22,5 +23,13 @@ dev_read_raw_memory(vbetool_t)
 dev_rwx_zero(vbetool_t)
 dev_read_sysfs(vbetool_t)
 
+term_use_unallocated_ttys(vbetool_t)
+
 libs_use_ld_so(vbetool_t)
 libs_use_shared_libs(vbetool_t)
+
+miscfiles_read_localization(vbetool_t)
+
+optional_policy(`hal',`
+	hal_rw_pid_files(vbetool_t)
+')

refpolicy/policy/modules/kernel/corecommands.fc

@@ -32,11 +32,14 @@ ifdef(`distro_redhat',`
 #
 # /etc
 #
+
 /etc/hotplug/.*agent		--	gen_context(system_u:object_r:sbin_t,s0)
 /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:sbin_t,s0)
 /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:sbin_t,s0)
 /etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:sbin_t,s0)
 
+/etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
+
 /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:sbin_t,s0)
 
 /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -44,6 +47,8 @@ ifdef(`distro_redhat',`
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
+
 /etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
 
@@ -52,6 +57,8 @@ ifdef(`distro_redhat',`
 /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xinit(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
+/etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
 ifdef(`distro_debian',`
 /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
 ')
@@ -132,6 +139,8 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 
+/usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
 /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 

refpolicy/policy/modules/kernel/corecommands.te

@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.3.3)
+policy_module(corecommands,1.3.4)
 
 ########################################
 #

refpolicy/policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.2)
+policy_module(corenetwork,1.1.3)
 
 ########################################
 #
@@ -126,6 +126,7 @@ network_port(transproxy, tcp,8081,s0)
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
+network_port(xen, tcp,8002,s0)
 network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
 network_port(zebra, tcp,2601,s0)
 network_port(zope, tcp,8021,s0)

refpolicy/policy/modules/kernel/devices.fc

@@ -15,6 +15,7 @@
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
@@ -47,6 +48,7 @@
 /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/smu			-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/srnd[0-7]		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -86,6 +88,8 @@ ifdef(`distro_suse', `
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 
+/dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+
 ifdef(`distro_redhat',`
 # originally from named.fc
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)

refpolicy/policy/modules/kernel/devices.if

@@ -2382,7 +2382,7 @@ interface(`dev_rw_generic_usb_dev',`
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 usb_device_t:chr_file { read write };
+	allow $1 usb_device_t:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -2632,6 +2632,64 @@ interface(`dev_read_video_dev',`
 	allow $1 v4l_device_t:chr_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read and write Xen devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_xen',`
+	gen_require(`
+		type device_t, xen_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xen_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete Xen devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_xen',`
+	gen_require(`
+		type device_t, xen_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xen_device_t:chr_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Automatic type transition to the type
+##	for xen device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_xen',`
+	gen_require(`
+		type device_t, xen_device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	type_transition $1 device_t:chr_file xen_device_t;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of X server miscellaneous devices.
@@ -2768,4 +2826,3 @@ interface(`dev_unconfined',`
 	allow $1 self:capability sys_rawio;
 	typeattribute $1 memory_raw_write, memory_raw_read;
 ')
-

refpolicy/policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.1)
+policy_module(devices,1.1.2)
 
 ########################################
 #
@@ -168,6 +168,9 @@ dev_node(usb_device_t)
 type v4l_device_t;
 dev_node(v4l_device_t)
 
+type xen_device_t;
+dev_node(xen_device_t)
+
 type xserver_misc_device_t;
 dev_node(xserver_misc_device_t)
 

refpolicy/policy/modules/kernel/files.fc

@@ -45,7 +45,7 @@ ifdef(`distro_redhat',`
 /etc(/.*)?			gen_context(system_u:object_r:etc_t,s0)
 /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/asound\.state	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/blkid\.tab.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/ioctl\.save		--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -60,7 +60,6 @@ ifdef(`distro_redhat',`
 
 /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
 
-/etc/init\.d/functions	--	gen_context(system_u:object_r:etc_t,s0)
 
 /etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
 
@@ -68,8 +67,6 @@ ifdef(`distro_redhat',`
 
 /etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
 
-/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
-
 /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -93,7 +90,7 @@ ifdef(`distro_suse',`
 # HOME_ROOT
 # expanded by genhomedircon
 #
-HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s15:c0.c255)
+HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255)
 HOME_ROOT/\.journal		<<none>>
 HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
 HOME_ROOT/lost\+found/.*		<<none>>

refpolicy/policy/modules/kernel/files.if

@@ -1726,6 +1726,7 @@ interface(`files_manage_etc_runtime_files',`
 	')
 
 	allow $1 etc_t:dir rw_dir_perms;
+	allow $1 etc_runtime_t:dir rw_dir_perms;
 	allow $1 etc_runtime_t:file create_file_perms;
 	type_transition $1 etc_t:file etc_runtime_t;
 ')
@@ -3808,12 +3809,13 @@ interface(`files_polyinstantiate_all',`
 
 	# Need to give permission to create directories where applicable
 	allow $1 self:process setfscreate;
-	allow $1 polymember: dir { create setattr };
+	allow $1 polymember: dir { create setattr relabelto };
 	allow $1 polydir: dir { write add_name };
-	allow $1 polyparent:dir { write add_name };
+	allow $1 polyparent:dir { write add_name relabelfrom relabelto };
 
 	# Default type for mountpoints
 	allow $1 poly_t:dir { create mounton };
+	fs_unmount_xattr_fs($1)
 ')
 
 ########################################

refpolicy/policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.1)
+policy_module(files,1.2.2)
 
 ########################################
 #

refpolicy/policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.3.0)
+policy_module(filesystem,1.3.1)
 
 ########################################
 #
@@ -167,3 +167,5 @@ files_mountpoint(nfs_t)
 genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
 genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)

refpolicy/policy/modules/kernel/kernel.if

@@ -907,6 +907,110 @@ interface(`kernel_read_network_state_symlinks',`
 	allow $1 proc_net_t:lnk_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow searching of xen state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_search_xen_state',`
+	gen_require(`
+		type proc_t, proc_xen_t;
+	')
+
+	allow $1 proc_t:dir search_dir_perms;
+	allow $1 proc_xen_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the xen
+##	state directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_dontaudit_search_xen_state',`
+	gen_require(`
+		type proc_xen_t;
+	')
+
+	dontaudit $1 proc_xen_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow caller to read the xen state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_xen_state',`
+	gen_require(`
+		type proc_t, proc_xen_t;
+	')
+
+	allow $1 proc_t:dir search_dir_perms;
+	allow $1 proc_xen_t:dir r_dir_perms;
+	allow $1 proc_xen_t:file r_file_perms;
+	allow $1 proc_xen_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow caller to read the xen state symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type reading the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_read_xen_state_symlinks',`
+	gen_require(`
+		type proc_t, proc_xen_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_xen_t:dir r_dir_perms;
+	allow $1 proc_xen_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow caller to write xen state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type writing the state.
+##	</summary>
+## </param>
+##
+#
+interface(`kernel_write_xen_state',`
+	gen_require(`
+		type proc_t, proc_xen_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_xen_t:dir r_dir_perms;
+	allow $1 proc_xen_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to search
@@ -1044,6 +1148,7 @@ interface(`kernel_rw_vm_sysctls',`
 
 	allow $1 proc_t:dir search;
 	allow $1 sysctl_t:dir r_dir_perms;
+	allow $1 sysctl_vm_t:dir list_dir_perms;
 	allow $1 sysctl_vm_t:file rw_file_perms;
 ')
 

refpolicy/policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.0)
+policy_module(kernel,1.3.1)
 
 ########################################
 #
@@ -75,6 +75,9 @@ genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
 type proc_net_t, proc_type;
 genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
 
+type proc_xen_t, proc_type;
+genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
+
 #
 # Sysctl types
 #

refpolicy/policy/modules/services/apache.fc

@@ -15,6 +15,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
 /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
 
 /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 
 /usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
 
@@ -75,3 +76,4 @@ ifdef(`targeted_policy', `', `
 /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/selinux-policy([^/]*)?/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)

refpolicy/policy/modules/services/apache.if

@@ -12,6 +12,11 @@
 ## </param>
 #
 template(`apache_content_template',`
+	gen_require(`
+		attribute httpdcontent;
+		attribute httpd_exec_scripts;
+		type httpd_t, httpd_suexec_t, httpd_log_t;
+	')
 	# allow write access to public file transfer
 	# services files.
 	gen_tunable(allow_httpd_$1_script_anon_write,false)

refpolicy/policy/modules/services/apache.te

@@ -1,5 +1,5 @@
 
-policy_module(apache,1.3.3)
+policy_module(apache,1.3.4)
 
 #
 # NOTES: 

refpolicy/policy/modules/services/apm.fc

@@ -11,7 +11,7 @@
 #
 # /var
 #
-/var/log/acpid		--	gen_context(system_u:object_r:apmd_log_t,s0)
+/var/log/acpid.*	--	gen_context(system_u:object_r:apmd_log_t,s0)
 
 /var/run/\.?acpid\.socket -s	gen_context(system_u:object_r:apmd_var_run_t,s0)
 /var/run/apmd\.pid	--	gen_context(system_u:object_r:apmd_var_run_t,s0)

refpolicy/policy/modules/services/apm.te

@@ -1,5 +1,5 @@
 
-policy_module(apm,1.2.0)
+policy_module(apm,1.2.1)
 
 ########################################
 #

refpolicy/policy/modules/services/bluetooth.te

@@ -1,5 +1,5 @@
 
-policy_module(bluetooth,1.2.0)
+policy_module(bluetooth,1.2.1)
 
 ########################################
 #
@@ -115,6 +115,7 @@ corecmd_exec_bin(bluetooth_t)
 corecmd_exec_shell(bluetooth_t)
 
 domain_use_interactive_fds(bluetooth_t)
+domain_dontaudit_search_all_domains_state(bluetooth_t)
 
 files_read_etc_files(bluetooth_t)
 files_read_etc_runtime_files(bluetooth_t)
@@ -145,6 +146,7 @@ ifdef(`targeted_policy',`
 
 optional_policy(`dbus',`
 	dbus_system_bus_client_template(bluetooth,bluetooth_t)
+	dbus_connect_system_bus(bluetooth_t)
 	dbus_send_system_bus(bluetooth_t)
 ')
 
@@ -170,6 +172,7 @@ allow bluetooth_helper_t self:process getsched;
 allow bluetooth_helper_t self:fifo_file rw_file_perms;
 allow bluetooth_helper_t self:shm create_shm_perms;
 allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow bluetooth_helper_t self:tcp_socket create_socket_perms;
 
 allow bluetooth_helper_t bluetooth_t:socket { read write };
 
@@ -202,20 +205,23 @@ logging_send_syslog_msg(bluetooth_helper_t)
 miscfiles_read_localization(bluetooth_helper_t) 
 miscfiles_read_fonts(bluetooth_helper_t)
 
-userdom_search_all_users_home_content(bluetooth_helper_t)
+optional_policy(`dbus',`
+	dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
+	dbus_connect_system_bus(bluetooth_helper_t)
+	dbus_send_system_bus(bluetooth_helper_t)
+')
 
 optional_policy(`nscd',`
 	nscd_socket_use(bluetooth_helper_t)
 ')
 
+optional_policy(`xserver',`
+       	xserver_stream_connect_xdm(bluetooth_helper_t)
+')	
+
 ifdef(`TODO',`
 allow bluetooth_helper_t tmp_t:dir search;
 
-ifdef(`xserver.te', `
-	allow bluetooth_helper_t xserver_log_t:dir search;
-	allow bluetooth_helper_t xserver_log_t:file { getattr read };
-')
-
 ifdef(`strict_policy',`
 	ifdef(`xdm.te',`
 		allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
@@ -227,4 +233,9 @@ ifdef(`targeted_policy',`
 	files_rw_generic_tmp_sockets(bluetooth_helper_t)
 	allow bluetooth_helper_t tmpfs_t:file { read write };
 	allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+	userdom_read_all_users_home_content_files(bluetooth_helper_t)
+
+	optional_policy(`xserver',`
+		xserver_stream_connect_xdm(bluetooth_helper_t)
+	')
 ')

refpolicy/policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron,1.3.1)
+policy_module(cron,1.3.2)
 
 gen_require(`
 	class passwd rootok;
@@ -166,6 +166,10 @@ ifdef(`targeted_policy',`
 
 	allow crond_t unconfined_t:dbus send_msg;
 	allow crond_t initrc_t:dbus send_msg;
+
+	optional_policy(`mono',`
+		mono_domtrans(crond_t)
+	')
 ',`
 	allow crond_t crond_tmp_t:dir create_dir_perms;
 	allow crond_t crond_tmp_t:file create_file_perms;

refpolicy/policy/modules/services/cups.fc

@@ -43,7 +43,7 @@
 /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
 /var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
 
-/var/run/cups/printcap	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
 /var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 /var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)

refpolicy/policy/modules/services/cups.if

@@ -23,6 +23,47 @@ interface(`cups_domtrans',`
 	allow cupsd_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Connect to cupsd over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_stream_connect',`
+	gen_require(`
+		type cupsd_t, cupsd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 cupsd_var_run_t:dir search;
+	allow $1 cupsd_var_run_t:sock_file write;
+	allow $1 cupsd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Connect to cups over TCP.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_tcp_connect',`
+	gen_require(`
+		type cupsd_t;
+	')
+
+	allow $1 cupsd_t:tcp_socket { connectto recvfrom };
+	allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from
@@ -206,23 +247,3 @@ interface(`cups_stream_connect_ptal',`
 	allow $1 ptal_var_run_t:sock_file write;
 	allow $1 ptal_t:unix_stream_socket connectto;
 ')
-
-########################################
-## <summary>
-##	Connect to cups over TCP.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_tcp_connect',`
-	gen_require(`
-		type cupsd_t;
-	')
-
-	allow $1 cupsd_t:tcp_socket { connectto recvfrom };
-	allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
-	kernel_tcp_recvfrom($1)
-')

refpolicy/policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.3.0)
+policy_module(cups,1.3.1)
 
 ########################################
 #
@@ -77,7 +77,7 @@ allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fse
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 allow cupsd_t self:process { setsched signal_perms };
 allow cupsd_t self:fifo_file rw_file_perms;
-allow cupsd_t self:unix_stream_socket create_socket_perms;
+allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
@@ -110,6 +110,7 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 
 allow cupsd_t cupsd_var_run_t:file create_file_perms;
 allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
+allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
 files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
 
 allow cupsd_t hplip_var_run_t:file { read getattr };
@@ -119,6 +120,7 @@ allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket connectto;
 
 kernel_read_system_state(cupsd_t)
+kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
 kernel_tcp_recvfrom(cupsd_t)
 
@@ -383,6 +385,8 @@ allow hplip_t self:rawip_socket create_socket_perms;
 
 allow hplip_t cupsd_etc_t:dir search;
 
+cups_stream_connect(hplip_t)
+
 allow hplip_t hplip_etc_t:file r_file_perms;
 allow hplip_t hplip_etc_t:dir r_dir_perms;
 allow hplip_t hplip_etc_t:lnk_file { getattr read };
@@ -649,7 +653,7 @@ ifdef(`targeted_policy', `
 ifdef(`targeted_policy',`
 	term_use_generic_ptys(cupsd_config_t)
 
-	unconfined_read_pipes(cupsd_config_t)
+	unconfined_rw_pipes(cupsd_config_t)
 ')
 
 ########################################

refpolicy/policy/modules/services/hal.if

@@ -100,3 +100,43 @@ interface(`hal_dbus_chat',`
 	allow $1 hald_t:dbus send_msg;
 	allow hald_t $1:dbus send_msg;
 ')
+
+
+########################################
+## <summary>
+##	Read hald state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_read_pid_files',`
+	gen_require(`
+		type hald_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 hald_var_run_t:file r_file_perms;
+')
+
+
+########################################
+## <summary>
+##	Read/Write hald state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_rw_pid_files',`
+	gen_require(`
+		type hald_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 hald_var_run_t:file rw_file_perms;
+')

refpolicy/policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.0)
+policy_module(hal,1.3.1)
 
 ########################################
 #
@@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
 #
 
 # execute openvt which needs setuid
-allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
+allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
@@ -48,6 +48,7 @@ kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctls(hald_t)
 kernel_read_fs_sysctls(hald_t)
+kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 
 files_search_boot(hald_t)
@@ -75,6 +76,8 @@ dev_rw_printer(hald_t)
 dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_files(hald_t)
+dev_rw_generic_usb_dev(hald_t)
+
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
 
@@ -110,9 +113,8 @@ storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)
 
 term_dontaudit_use_console(hald_t)
-term_dontaudit_ioctl_unallocated_ttys(hald_t)
-term_dontaudit_use_unallocated_ttys(hald_t)
 term_dontaudit_use_generic_ptys(hald_t)
+term_use_unallocated_ttys(hald_t)
 
 init_use_fds(hald_t)
 init_use_script_ptys(hald_t)
@@ -144,6 +146,7 @@ userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 
 ifdef(`targeted_policy', `
+	term_setattr_unallocated_ttys(hald_t)
 	term_dontaudit_use_unallocated_ttys(hald_t)
 	term_dontaudit_use_generic_ptys(hald_t)
 	files_dontaudit_read_root_files(hald_t)
@@ -195,6 +198,10 @@ optional_policy(`hotplug',`
 	hotplug_read_config(hald_t)
 ')
 
+optional_policy(`lvm', `
+	lvm_domtrans(hald_t)
+')
+
 optional_policy(`mount',`
 	mount_domtrans(hald_t)
 ')

refpolicy/policy/modules/services/ktalk.fc

@@ -1,3 +1,4 @@
 
-/usr/bin/in.talkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/in.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
 /usr/bin/ktalkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/var/log/talkd.*	--	gen_context(system_u:object_r:ktalkd_log_t,s0)

refpolicy/policy/modules/services/ktalk.te

@@ -1,5 +1,5 @@
 
-policy_module(ktalk,1.2.0)
+policy_module(ktalk,1.2.1)
 
 ########################################
 #
@@ -11,6 +11,9 @@ type ktalkd_exec_t;
 inetd_udp_service_domain(ktalkd_t,ktalkd_exec_t)
 role system_r types ktalkd_t;
 
+type ktalkd_log_t;
+logging_log_file(ktalkd_log_t)
+
 type ktalkd_tmp_t;
 files_tmp_file(ktalkd_tmp_t)
 
@@ -38,6 +41,9 @@ optional_policy(`kerberos',`
 ')
 #end for identd
 
+allow ktalkd_t ktalkd_log_t:file manage_file_perms;
+logging_log_filetrans(ktalkd_t,ktalkd_log_t,file)
+
 allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
 allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
 files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
@@ -68,6 +74,8 @@ fs_getattr_xattr_fs(ktalkd_t)
 
 files_read_etc_files(ktalkd_t)
 
+init_read_utmp(ktalkd_t)
+
 libs_use_ld_so(ktalkd_t)
 libs_use_shared_libs(ktalkd_t)
 logging_send_syslog_msg(ktalkd_t)

refpolicy/policy/modules/services/mailman.if

@@ -275,3 +275,28 @@ interface(`mailman_read_archive',`
 	allow $1 mailman_archive_t:file r_file_perms;
 	allow $1 mailman_archive_t:lnk_file { getattr read };
 ')
+
+
+#######################################
+## <summary>
+##	Execute mailman_queue in the mailman_queue domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_domtrans_queue',`
+	gen_require(`
+		type mailman_queue_exec_t, mailman_queue_t;
+	')
+
+	domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)
+
+	allow $1 mailman_queue_t:fd use;
+	allow mailman_queue_t $1:fd use;
+	allow mailman_queue_t $1:fifo_file rw_file_perms;
+	allow mailman_queue_t $1:process sigchld;
+')
+

refpolicy/policy/modules/services/mailman.te

@@ -1,5 +1,5 @@
 
-policy_module(mailman,1.1.0)
+policy_module(mailman,1.1.1)
 
 ########################################
 #

refpolicy/policy/modules/services/nis.fc

@@ -4,6 +4,7 @@
 /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
 
 /usr/sbin/rpc.yppasswdd	--	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc.ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 /usr/sbin/ypserv	--	gen_context(system_u:object_r:ypserv_exec_t,s0)
 
 /var/yp(/.*)?			gen_context(system_u:object_r:var_yp_t,s0)

refpolicy/policy/modules/services/nis.if

@@ -277,3 +277,27 @@ interface(`nis_read_ypserv_config',`
 	files_search_etc($1)
 	allow $1 ypserv_conf_t:file { getattr read };
 ')
+
+########################################
+## <summary>
+##	Execute ypxfr in the ypxfr domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nis_domtrans_ypxfr',`
+	gen_require(`
+		type ypxfr_t, ypxfr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
+
+	allow $1 ypxfr_t:fd use;
+	allow ypxfr_t $1:fd use;
+	allow ypxfr_t $1:fifo_file rw_file_perms;
+	allow ypxfr_t $1:process sigchld;
+')

refpolicy/policy/modules/services/nis.te

@@ -1,5 +1,5 @@
 
-policy_module(nis,1.1.0)
+policy_module(nis,1.1.1)
 
 ########################################
 #
@@ -40,6 +40,10 @@ files_tmp_file(ypserv_tmp_t)
 type ypserv_var_run_t;
 files_pid_file(ypserv_var_run_t)
 
+type ypxfr_t;
+type ypxfr_exec_t;
+init_daemon_domain(ypxfr_t,ypxfr_exec_t)
+
 ########################################
 #
 # ypbind local policy
@@ -245,6 +249,7 @@ dontaudit ypserv_t self:capability sys_tty_config;
 allow ypserv_t self:fifo_file rw_file_perms;
 allow ypserv_t self:process signal_perms;
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypserv_t self:tcp_socket connected_stream_socket_perms;
 allow ypserv_t self:udp_socket create_socket_perms;
@@ -306,6 +311,8 @@ logging_send_syslog_msg(ypserv_t)
 
 miscfiles_read_localization(ypserv_t)
 
+nis_domtrans_ypxfr(ypserv_t)
+
 sysnet_read_config(ypserv_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
@@ -326,3 +333,29 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(ypserv_t)
 ')
+
+########################################
+#
+# ypxfr local policy
+#
+
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+
+corenet_tcp_sendrecv_all_if(ypxfr_t)
+corenet_udp_sendrecv_all_if(ypxfr_t)
+corenet_raw_sendrecv_all_if(ypxfr_t)
+corenet_tcp_sendrecv_all_nodes(ypxfr_t)
+corenet_udp_sendrecv_all_nodes(ypxfr_t)
+corenet_raw_sendrecv_all_nodes(ypxfr_t)
+corenet_tcp_sendrecv_all_ports(ypxfr_t)
+corenet_udp_sendrecv_all_ports(ypxfr_t)
+corenet_non_ipsec_sendrecv(ypxfr_t)
+corenet_tcp_bind_all_nodes(ypxfr_t)
+corenet_udp_bind_all_nodes(ypxfr_t)
+corenet_tcp_bind_reserved_port(ypxfr_t)
+corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+corenet_tcp_connect_all_ports(ypxfr_t)
+
+files_read_etc_files(ypxfr_t)

refpolicy/policy/modules/services/nscd.if

@@ -49,8 +49,8 @@ interface(`nscd_socket_use',`
 	dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
 
 	files_search_pids($1)
+	allow $1 nscd_var_run_t:dir r_dir_perms;
 	allow $1 nscd_var_run_t:sock_file rw_file_perms;
-	dontaudit $1 nscd_var_run_t:dir { search getattr };
 	dontaudit $1 nscd_var_run_t:file { getattr read };
 ')
 

refpolicy/policy/modules/services/nscd.te

@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.2.0)
+policy_module(nscd,1.2.1)
 
 gen_require(`
 	class nscd all_nscd_perms;

refpolicy/policy/modules/services/postfix.te

@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.2.0)
+policy_module(postfix,1.2.1)
 
 ########################################
 #
@@ -406,6 +406,10 @@ optional_policy(`procmail',`
 	procmail_domtrans(postfix_pipe_t)
 ')
 
+optional_policy(`mailman',`
+	mailman_domtrans_queue(postfix_pipe_t)
+')
+
 ########################################
 #
 # Postfix postdrop local policy

refpolicy/policy/modules/services/samba.te

@@ -1,5 +1,5 @@
 
-policy_module(samba,1.2.0)
+policy_module(samba,1.2.1)
 
 #################################
 #
@@ -32,7 +32,7 @@ files_tmp_file(samba_net_tmp_t)
 type samba_secrets_t;
 files_type(samba_secrets_t)
 
-type samba_share_t;
+type samba_share_t; # customizable
 files_config_file(samba_share_t)
 
 type samba_var_t;

refpolicy/policy/modules/services/sendmail.te

@@ -1,5 +1,5 @@
 
-policy_module(sendmail,1.2.0)
+policy_module(sendmail,1.2.1)
 
 ########################################
 #
@@ -125,6 +125,7 @@ optional_policy(`nscd',`
 ')
 
 optional_policy(`postfix',`
+	postfix_exec_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
 ')

refpolicy/policy/modules/system/fstools.if

@@ -110,3 +110,21 @@ interface(`fstools_manage_entry_files',`
 
 	allow $1 fsadm_exec_t:file create_file_perms;
 ')
+
+########################################
+## <summary>
+##	Getattr swapfile
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`fstools_getattr_swap_files',`
+	gen_require(`
+		type swapfile_t;
+	')
+
+	allow $1 swapfile_t:file getattr;
+')

refpolicy/policy/modules/system/fstools.te

@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.3.0)
+policy_module(fstools,1.3.1)
 
 ########################################
 #
@@ -53,6 +53,7 @@ kernel_read_kernel_sysctls(fsadm_t)
 kernel_change_ring_buffer_level(fsadm_t)
 # mkreiserfs needs this
 kernel_getattr_proc(fsadm_t)
+kernel_getattr_core_if(fsadm_t)
 # Access to /initrd devices
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
@@ -60,6 +61,7 @@ kernel_rw_unlabeled_blk_files(fsadm_t)
 files_getattr_boot_dirs(fsadm_t)
 
 dev_getattr_all_chr_files(fsadm_t)
+dev_dontaudit_getattr_all_blk_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
 dev_read_rand(fsadm_t)
 dev_read_urand(fsadm_t)
@@ -127,6 +129,7 @@ files_search_all(fsadm_t)
 
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
+init_dontaudit_getattr_initctl(fsadm_t)
 
 libs_use_ld_so(fsadm_t)
 libs_use_shared_libs(fsadm_t)

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.1)
+policy_module(init,1.3.2)
 
 gen_require(`
 	class passwd rootok;
@@ -482,6 +482,10 @@ ifdef(`distro_suse',`
 ifdef(`targeted_policy',`
 	domain_subj_id_change_exemption(initrc_t)
 	unconfined_domain(initrc_t)
+
+	optional_policy(`mono',`
+		mono_domtrans(initrc_t)
+	')
 ',`
 	# cjp: require doesnt work in optionals :\
 	# this also would result in a type transition

refpolicy/policy/modules/system/libraries.fc

@@ -65,6 +65,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -74,6 +75,7 @@ ifdef(`distro_redhat',`
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_redhat',`
 /usr/lib(64)?/.*/program/.*\.so.*		gen_context(system_u:object_r:shlib_t,s0)

refpolicy/policy/modules/system/libraries.te

@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.3.0)
+policy_module(libraries,1.3.1)
 
 ########################################
 #

refpolicy/policy/modules/system/locallogin.te

@@ -1,5 +1,5 @@
 
-policy_module(locallogin,1.2.0)
+policy_module(locallogin,1.2.1)
 
 ########################################
 #
@@ -20,6 +20,7 @@ files_lock_file(local_login_lock_t)
 
 type local_login_tmp_t;
 files_tmp_file(local_login_tmp_t)
+files_poly_parent(local_login_tmp_t)
 
 type sulogin_t;
 type sulogin_exec_t;

refpolicy/policy/modules/system/lvm.fc

@@ -25,6 +25,7 @@
 # /sbin
 #
 /sbin/cryptsetup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmsetup\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/e2fsadm		--	gen_context(system_u:object_r:lvm_exec_t,s0)

refpolicy/policy/modules/system/lvm.te

@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.3.0)
+policy_module(lvm,1.3.1)
 
 ########################################
 #
@@ -128,7 +128,8 @@ optional_policy(`udev',`
 #
 
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource };
+# rawio needed for dmraid
+allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
@@ -199,6 +200,7 @@ dev_dontaudit_read_all_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_chr_files(lvm_t)
 dev_dontaudit_getattr_generic_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_pipes(lvm_t)
+dev_create_generic_dirs(lvm_t)
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)

refpolicy/policy/modules/system/mount.te

@@ -1,5 +1,5 @@
 
-policy_module(mount,1.3.0)
+policy_module(mount,1.3.1)
 
 ########################################
 #
@@ -26,6 +26,7 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
 files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
 
 kernel_read_system_state(mount_t)
+kernel_dontaudit_getattr_core_if(mount_t)
 
 corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
@@ -33,6 +34,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
 dev_rw_lvm_control(mount_t)
+dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 
@@ -73,6 +75,7 @@ files_read_isid_type_files(mount_t)
 
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
+init_dontaudit_getattr_initctl(mount_t)
 
 libs_use_ld_so(mount_t)
 libs_use_shared_libs(mount_t)

refpolicy/policy/modules/system/selinuxutil.fc

@@ -8,9 +8,9 @@
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 /etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
 /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
-/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)?     --	gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux([^/]*/)?modules/semanage.read.LOCK    --	gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux([^/]*/)?modules/semanage.trans.LOCK   --	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?     gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage.read.LOCK    --	gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage.trans.LOCK   --	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 /etc/selinux/([^/]*/)?users(/.*)?	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
 
 #

refpolicy/policy/modules/system/selinuxutil.if

@@ -606,6 +606,28 @@ interface(`seutil_read_config',`
 	allow $1 selinux_config_t:lnk_file { getattr read };
 ')
 
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	the general selinux configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`seutil_manage_selinux_config',`
+	gen_require(`
+		type selinux_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir rw_dir_perms;
+	allow $1 selinux_config_t:file manage_file_perms;
+	allow $1 selinux_config_t:lnk_file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Search the policy directory with default_context files.

refpolicy/policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.0)
+policy_module(selinuxutil,1.2.1)
 
 gen_require(`
 	bool secure_mode;
@@ -267,6 +267,7 @@ term_use_all_user_ttys(newrole_t)
 term_use_all_user_ptys(newrole_t)
 term_relabel_all_user_ttys(newrole_t)
 term_relabel_all_user_ptys(newrole_t)
+term_getattr_unallocated_ttys(newrole_t)
 term_dontaudit_use_unallocated_ttys(newrole_t)
 
 auth_domtrans_chk_passwd(newrole_t)
@@ -476,6 +477,11 @@ ifdef(`targeted_policy',`',`
 	optional_policy(`daemontools',`
 		daemontools_domtrans_start(run_init_t)
 	')
+
+	optional_policy(`nscd',`
+		nscd_socket_use(run_init_t)
+	')	
+
 ') dnl end ifdef targeted policy
 
 ########################################
@@ -499,6 +505,7 @@ files_list_pids(semanage_t)
 
 mls_file_write_down(semanage_t)
 mls_rangetrans_target(semanage_t)
+mls_file_read_up(semanage_t)
 
 selinux_get_enforce_mode(semanage_t)
 
@@ -510,6 +517,7 @@ libs_use_lib_files(semanage_t)
 
 seutil_search_default_contexts(semanage_t)
 seutil_rw_file_contexts(semanage_t)
+seutil_manage_selinux_config(semanage_t)
 seutil_domtrans_setfiles(semanage_t)
 seutil_domtrans_loadpolicy(semanage_t)
 seutil_read_config(semanage_t)
@@ -519,6 +527,10 @@ seutil_manage_module_store(semanage_t)
 seutil_get_semanage_trans_lock(semanage_t)
 seutil_get_semanage_read_lock(semanage_t)
 
+optional_policy(`nscd',`
+	nscd_socket_use(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy

refpolicy/policy/modules/system/sysnetwork.te

@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.1.0)
+policy_module(sysnetwork,1.1.1)
 
 ########################################
 #
@@ -246,6 +246,10 @@ optional_policy(`userdomain',`
 	userdom_use_all_users_fds(dhcpc_t)
 ')
 
+optional_policy(`xen',`
+	xen_append_log(dhcpc_t)
+')
+
 ########################################
 #
 # Ifconfig local policy
@@ -339,3 +343,7 @@ optional_policy(`nis',`
 optional_policy(`ppp',`
 	ppp_use_fds(ifconfig_t)
 ')
+
+optional_policy(`xen',`
+	xen_append_log(ifconfig_t)
+')

refpolicy/policy/modules/system/udev.te

@@ -1,5 +1,5 @@
 
-policy_module(udev,1.3.0)
+policy_module(udev,1.3.1)
 
 ########################################
 #
@@ -39,7 +39,7 @@ files_pid_file(udev_var_run_t)
 # Local policy
 #
 
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource sys_nice };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
 dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };

refpolicy/policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.0)
+policy_module(unconfined,1.3.1)
 
 ########################################
 #
@@ -89,10 +89,6 @@ ifdef(`targeted_policy',`
 		firstboot_domtrans(unconfined_t)
 	')
 
-	optional_policy(`fstools',`
-		fstools_domtrans(unconfined_t)
-	')
-
 	optional_policy(`java',`
 		java_domtrans(unconfined_t)
 	')
@@ -109,10 +105,6 @@ ifdef(`targeted_policy',`
 		mono_domtrans(unconfined_t)
 	')
 
-	optional_policy(`mount',`
-		mount_domtrans(unconfined_t)
-	')
-
 	optional_policy(`netutils',`
 		netutils_domtrans_ping(unconfined_t)
 	')

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.4)
+policy_module(userdomain,1.3.5)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -177,6 +177,7 @@ ifdef(`targeted_policy',`
 		mls_file_write_down(secadm_t)
 		mls_file_upgrade(secadm_t)
 		mls_file_downgrade(secadm_t)
+		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
 		logging_domtrans_auditctl(secadm_t)
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)

refpolicy/policy/modules/system/xen.fc

@@ -0,0 +1,16 @@
+/usr/sbin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/sbin/xend		--	gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
+
+/var/lib/xen(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xend(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+
+/var/log/xen-hotplug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend\.log	--	gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xend-debug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
+
+/var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)

refpolicy/policy/modules/system/xen.if

@@ -0,0 +1,67 @@
+## <summary>Xen hypervisor</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run xend.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`xen_domtrans',`
+	gen_requires(`
+		type xend_t, xend_exec_t;
+	')
+
+	domain_auto_trans($1,xend_exec_t,xend_t)
+
+	allow $1 xend_t:fd use;
+	allow xend_t $1:fd use;
+	allow xend_t $1:fifo_file rw_file_perms;
+	allow xend_t $1:process sigchld;
+')
+
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	xend log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`xen_append_log',`
+	gen_require(`
+		type var_log_t, xend_var_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 xend_var_log_t:file { getattr append };
+	dontaudit $1 xend_var_log_t:file write;
+')
+
+########################################
+## <summary>
+##	Connect to xenstored over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xen_stream_connect_xenstore',`
+	gen_require(`
+		type xenstored_t, xenstored_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xenstored_var_run_t:dir search;
+	allow $1 xenstored_var_run_t:sock_file { getattr write };
+	allow $1 xenstored_t:unix_stream_socket connectto;
+')

refpolicy/policy/modules/system/xen.te

@@ -0,0 +1,221 @@
+
+policy_module(xen,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# console ptys
+type xen_devpts_t;
+term_pty(xen_devpts_t);
+files_type(xen_devpts_t);
+
+type xend_t;
+type xend_exec_t;
+domain_type(xend_t)
+init_daemon_domain(xend_t, xend_exec_t)
+
+# var/lib files
+type xend_var_lib_t;
+files_type(xend_var_lib_t)
+
+# log files
+type xend_var_log_t;
+logging_log_file(xend_var_log_t)
+
+# pid files
+type xend_var_run_t;
+files_pid_file(xend_var_run_t)
+
+type xenstored_t;
+type xenstored_exec_t;
+domain_type(xenstored_t)
+domain_entry_file(xenstored_t,xenstored_exec_t)
+role system_r types xenstored_t;
+
+# var/lib files
+type xenstored_var_lib_t;
+files_type(xenstored_var_lib_t)
+
+# pid files
+type xenstored_var_run_t;
+files_pid_file(xenstored_var_run_t)
+
+type xenconsoled_t;
+type xenconsoled_exec_t;
+domain_type(xenconsoled_t)
+domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
+role system_r types xenconsoled_t;
+
+# pid files
+type xenconsoled_var_run_t;
+files_pid_file(xenconsoled_var_run_t)
+
+########################################
+#
+# xend local policy
+#
+
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
+allow xend_t self:process { signal sigkill };
+# internal communication is often done using fifo and unix sockets.
+allow xend_t self:fifo_file rw_file_perms;
+allow xend_t self:unix_stream_socket create_stream_socket_perms;
+allow xend_t self:unix_dgram_socket create_socket_perms;
+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+allow xend_t self:tcp_socket create_stream_socket_perms;
+allow xend_t self:packet_socket create_socket_perms;
+
+# pid file
+allow xend_t xend_var_run_t:file manage_file_perms;
+allow xend_t xend_var_run_t:sock_file manage_file_perms;
+allow xend_t xend_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
+
+# log files
+allow xend_t xend_var_log_t:file create_file_perms;
+allow xend_t xend_var_log_t:sock_file create_file_perms;
+allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
+
+# var/lib files for xend
+allow xend_t xend_var_lib_t:file create_file_perms;
+allow xend_t xend_var_lib_t:sock_file create_file_perms;
+allow xend_t xend_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
+
+# transition to store
+domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
+allow xenstored_t xend_t:fd use;
+allow xenstored_t xend_t:process sigchld;
+allow xenstored_t xend_t:fifo_file write;
+
+# transition to console
+domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
+allow xenconsoled_t xend_t:fd use;
+
+kernel_read_kernel_sysctls(xend_t)
+kernel_read_system_state(xend_t)
+kernel_write_xen_state(xend_t)
+kernel_read_xen_state(xend_t)
+kernel_rw_net_sysctls(xend_t)
+kernel_read_network_state(xend_t)
+
+corecmd_exec_sbin(xend_t)
+corecmd_exec_bin(xend_t)
+corecmd_exec_shell(xend_t)
+
+corenet_tcp_sendrecv_all_if(xend_t)
+corenet_tcp_sendrecv_all_nodes(xend_t)
+corenet_tcp_sendrecv_all_ports(xend_t)
+corenet_non_ipsec_sendrecv(xend_t)
+corenet_tcp_bind_xen_port(xend_t)
+corenet_tcp_bind_soundd_port(xend_t)
+
+dev_read_urand(xend_t)
+dev_manage_xen(xend_t)
+dev_filetrans_xen(xend_t)
+dev_rw_sysfs(xend_t)
+
+domain_read_all_domains_state(xend_t)
+domain_dontaudit_read_all_domains_state(xend_t)
+
+files_read_etc_files(xend_t)
+
+storage_raw_read_fixed_disk(xend_t)
+
+term_dontaudit_getattr_all_user_ptys(xend_t)
+term_dontaudit_use_generic_ptys(xend_t)
+
+init_use_fds(xend_t)
+
+libs_use_ld_so(xend_t)
+libs_use_shared_libs(xend_t)
+
+logging_send_syslog_msg(xend_t)
+
+miscfiles_read_localization(xend_t)
+
+sysnet_domtrans_dhcpc(xend_t)
+sysnet_signal_dhcpc(xend_t)
+sysnet_domtrans_ifconfig(xend_t)
+sysnet_dns_name_resolve(xend_t)
+sysnet_delete_dhcpc_pid(xend_t)
+sysnet_read_dhcpc_pid(xend_t)
+
+consoletype_exec(xend_t)
+
+xen_stream_connect_xenstore(xend_t)
+
+########################################
+#
+# Xen console local policy
+#
+
+allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+allow xenconsoled_t self:fifo_file { read write };
+
+allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+
+# pid file
+allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
+allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
+allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(xenconsoled_t)
+kernel_write_xen_state(xenconsoled_t)
+kernel_read_xen_state(xenconsoled_t)
+
+term_create_pty(xenconsoled_t,xen_devpts_t);
+term_dontaudit_use_generic_ptys(xenconsoled_t)
+
+init_use_fds(xenconsoled_t)
+
+libs_use_ld_so(xenconsoled_t)
+libs_use_shared_libs(xenconsoled_t)
+
+miscfiles_read_localization(xenconsoled_t)
+
+xen_append_log(xenconsoled_t)
+xen_stream_connect_xenstore(xenconsoled_t)
+
+########################################
+#
+# Xen store local policy
+#
+
+allow xenstored_t self:capability { dac_override mknod ipc_lock };
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+
+# pid file
+allow xenstored_t xenstored_var_run_t:file manage_file_perms;
+allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
+allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
+
+# var/lib files for xenstored
+allow xenstored_t xenstored_var_lib_t:file create_file_perms;
+allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
+allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
+
+kernel_write_xen_state(xenstored_t)
+kernel_read_xen_state(xenstored_t)
+
+dev_create_generic_dirs(xenstored_t)
+dev_manage_xen(xenconsoled_t)
+dev_filetrans_xen(xenstored_t)
+
+term_dontaudit_use_generic_ptys(xenstored_t)
+
+init_use_fds(xenstored_t)
+
+libs_use_ld_so(xenstored_t)
+libs_use_shared_libs(xenstored_t)
+
+miscfiles_read_localization(xenstored_t)
+
+xen_append_log(xenstored_t)