Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy

2010-09-16 06:38:13 -04:00 · 2010-09-16 06:38:13 -04:00 · a55bb56954
commit a55bb56954
parent 4d71bc3534 9c9e4c8180
30 changed files with 223 additions and 259 deletions
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@ -131,6 +131,7 @@ interface(`samba_run_net',`
 ##	The role to be allowed the samba_net domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 template(`samba_role_notrans',`
 	gen_require(`
@ -490,8 +491,7 @@ interface(`samba_manage_var_files',`
 #
 interface(`samba_domtrans_smbcontrol',`
 	gen_require(`
-		type smbcontrol_t;
+		type smbcontrol_t, smbcontrol_exec_t;
 		type smbcontrol_exec_t;
 	')
 	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
@ -721,7 +721,9 @@ interface(`samba_stream_connect_winbind',`
 template(`samba_helper_template',`
 	gen_require(`
 		type smbd_t;
 		role system_r;
 	')
 	#This type is for samba helper scripts
 	type samba_$1_script_t;
 	domain_type(samba_$1_script_t)
@ -734,7 +736,6 @@ template(`samba_helper_template',`
 	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
 	allow smbd_t samba_$1_script_exec_t:file ioctl;
 ')
 ########################################
@ -756,20 +757,12 @@ template(`samba_helper_template',`
 #
 interface(`samba_admin',`
 	gen_require(`
-		type nmbd_t, nmbd_var_run_t;
+		type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
-		type smbd_t, smbd_tmp_t;
+		type smbd_t, smbd_tmp_t, samba_secrets_t;
-		type smbd_var_run_t;
+		type samba_initrc_exec_t, samba_log_t, samba_var_t;
-		type samba_initrc_exec_t;
+		type samba_etc_t, samba_share_t, winbind_log_t;
 		type samba_log_t, samba_var_t;
 		type samba_etc_t, samba_share_t;
 		type samba_secrets_t;
 		type swat_var_run_t, swat_tmp_t;
 		type winbind_var_run_t, winbind_tmp_t;
 		type winbind_log_t;
 		type samba_unconfined_script_t, samba_unconfined_script_exec_t;
 	')
@ -779,8 +772,8 @@ interface(`samba_admin',`
 	allow $1 nmbd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, nmbd_t)
-	allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
+	allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
-	read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
+	ps_process_pattern($1, samba_unconfined_script_t)
 	samba_run_smbcontrol($1, $2, $3)
 	samba_run_winbind_helper($1, $2, $3)
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@ -42,7 +42,7 @@ interface(`sasl_admin',`
 		type saslauthd_initrc_exec_t;
 	')
-	allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+	allow $1 saslauthd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, saslauthd_t)
 	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@ -51,10 +51,6 @@ interface(`sendmail_domtrans',`
 	')
 	mta_sendmail_domtrans($1, sendmail_t)
 	allow sendmail_t $1:fd use;
 	allow sendmail_t $1:fifo_file rw_file_perms;
 	allow sendmail_t $1:process sigchld;
 ')
 #######################################
@ -67,7 +63,7 @@ interface(`sendmail_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`sendmail_initrc_domtrans', `
+interface(`sendmail_initrc_domtrans',`
 	gen_require(`
 		type sendmail_initrc_exec_t;
 	')
@ -170,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')
-	allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 ########################################
@ -189,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')
-	dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 ########################################
@ -338,11 +334,11 @@ interface(`sendmail_admin',`
 		type mail_spool_t;
 	')
-	allow $1 sendmail_t:process { ptrace signal_perms getattr };
+	allow $1 sendmail_t:process { ptrace signal_perms };
-	read_files_pattern($1, sendmail_t, sendmail_t)
+	ps_process_pattern($1, sendmail_t)
-	allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr };
+	allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
-	read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t)
+	ps_process_pattern($1, unconfined_sendmail_t)
 	sendmail_initrc_domtrans($1)
 	domain_system_change_exemption($1)
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@ -109,7 +109,7 @@ interface(`setroubleshoot_dbus_chat_fixit',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
 		type fsdaemon_tmp_t;
 	')
 	files_search_tmp($1)
 	allow $1 fsdaemon_tmp_t:file read_file_perms;
 ')
@ -41,7 +42,7 @@ interface(`smartmon_admin',`
 		type fsdaemon_initrc_exec_t;
 	')
-	allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+	allow $1 fsdaemon_t:process { ptrace signal_perms };
 	ps_process_pattern($1, fsdaemon_t)
 	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
 		type snmpd_var_lib_t;
 	')
 	files_search_var_lib($1)
 	allow $1 snmpd_var_lib_t:dir list_dir_perms;
 	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
 	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
@ -81,9 +82,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
 	gen_require(`
 		type snmpd_var_lib_t;
 	')
 	dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
 	dontaudit $1 snmpd_var_lib_t:file read_file_perms;
-	dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+	dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
@ -128,7 +130,7 @@ interface(`snmp_admin',`
 		type snmpd_initrc_exec_t;
 	')
-	allow $1 snmpd_t:process { ptrace signal_perms getattr };
+	allow $1 snmpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, snmpd_t)
 	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@ -14,6 +14,7 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`spamassassin_role',`
 	gen_require(`
@ -25,9 +26,13 @@ interface(`spamassassin_role',`
 	role $1 types { spamc_t spamassassin_t };
 	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
 	allow $2 spamassassin_t:process { ptrace signal_perms };
 	ps_process_pattern($2, spamassassin_t)
 	domtrans_pattern($2, spamc_exec_t, spamc_t)
 	allow $2 spamc_t:process { ptrace signal_perms };
 	ps_process_pattern($2, spamc_t)
 	manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
 	')
 	can_exec($1, spamassassin_exec_t)
 ')
 ########################################
@ -147,6 +151,7 @@ interface(`spamassassin_manage_home_client',`
 		type spamc_home_t;
 	')
 	userdom_search_user_home_dirs($1)
 	manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
 	manage_files_pattern($1, spamc_home_t, spamc_home_t)
 	manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
@ -245,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
 		type spamd_tmp_t;
 	')
 	files_search_tmp($1)
 	allow $1 spamd_tmp_t:file read_file_perms;
 ')
@ -264,7 +270,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 		type spamd_tmp_t;
 	')
-	dontaudit $1 spamd_tmp_t:sock_file getattr;
+	dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
 ')
 ########################################
@ -279,9 +285,10 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 #
 interface(`spamd_stream_connect',`
 	gen_require(`
-		type spamd_t, spamd_var_run_t, spamd_spool_t;
+		type spamd_t, spamd_var_run_t;
 	')
 	files_search_pids($1)
 	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
 ')
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
 		type squid_t;
 	')
-	allow $1 squid_t:unix_stream_socket { getattr read write };
+	allow $1 squid_t:unix_stream_socket rw_socket_perms;
 ')
 ########################################
@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`squid_dontaudit_search_cache',`
 	gen_require(`
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -32,7 +32,6 @@
 ## </param>
 #
 template(`ssh_basic_client_template',`
 	gen_require(`
 		attribute ssh_server;
 		type ssh_exec_t, sshd_key_t, sshd_tmp_t;
@ -167,7 +166,7 @@ template(`ssh_basic_client_template',`
 ##	</summary>
 ## </param>
 #
-template(`ssh_server_template', `
+template(`ssh_server_template',`
 	type $1_t, ssh_server;
 	auth_login_pgm_domain($1_t)
@ -189,7 +188,7 @@ template(`ssh_server_template', `
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_t self:shm create_shm_perms;
-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
 	term_create_pty($1_t, $1_devpts_t)
 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@ -248,7 +247,6 @@ template(`ssh_server_template', `
 	miscfiles_read_localization($1_t)
 	userdom_dontaudit_relabelfrom_user_ptys($1_t)
 	userdom_search_user_home_dirs($1_t)
 	userdom_read_user_home_content_files($1_t)
 	# Allow checking users mail at login
@ -302,11 +300,11 @@ template(`ssh_server_template', `
 ##	User domain for the role
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 template(`ssh_role_template',`
 	gen_require(`
 		attribute ssh_server, ssh_agent_type;
 		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
 		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
 		type ssh_agent_tmp_t;
@ -339,7 +337,7 @@ template(`ssh_role_template',`
 	# allow ps to show ssh
 	ps_process_pattern($3, ssh_t)
-	allow $3 ssh_t:process signal;
+	allow $3 ssh_t:process { ptrace signal_perms };
 	# for rsync
 	allow ssh_t $3:unix_stream_socket rw_socket_perms;
@ -372,7 +370,7 @@ template(`ssh_role_template',`
 	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
 	# Allow the user shell to signal the ssh program.
-	allow $3 $1_ssh_agent_t:process signal;
+	allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
 	# allow ps to show ssh
 	ps_process_pattern($3, $1_ssh_agent_t)
@ -394,7 +392,6 @@ template(`ssh_role_template',`
 	files_read_etc_files($1_ssh_agent_t)
 	files_read_etc_runtime_files($1_ssh_agent_t)
 	files_search_home($1_ssh_agent_t)
 	libs_read_lib_files($1_ssh_agent_t)
@ -411,9 +408,6 @@ template(`ssh_role_template',`
 	# for the transition back to normal privs upon exec
 	userdom_search_user_home_content($1_ssh_agent_t)
 	userdom_user_home_domtrans($1_ssh_agent_t, $3)
 	allow $3 $1_ssh_agent_t:fd use;
 	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
 	allow $3 $1_ssh_agent_t:process sigchld;
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_ssh_agent_t)
@ -490,8 +484,9 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')
-	allow $1 sshd_t:fifo_file { getattr read };
+	allow $1 sshd_t:fifo_file read_fifo_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Read and write a ssh server unnamed pipe.
@ -507,7 +502,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')
-	allow $1 sshd_t:fifo_file { write read getattr ioctl };
+	allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 ########################################
@ -597,7 +592,6 @@ interface(`ssh_domtrans',`
 	domtrans_pattern($1, sshd_exec_t, sshd_t)
 ')
 ########################################
 ## <summary>
 ##	Execute sshd server in the sshd domain.
@ -650,7 +644,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')
-	allow $1 sshd_key_t:file setattr;
+	allow $1 sshd_key_t:file setattr_file_perms;
 	files_search_pids($1)
 ')
@ -727,7 +721,7 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
-	dontaudit $1 sshd_key_t:file { getattr read };
+	dontaudit $1 sshd_key_t:file read_file_perms;
 ')
 ######################################
@ -785,4 +779,3 @@ interface(`ssh_signull',`
 	allow $1 sshd_t:process signull;
 ')
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@ -89,6 +89,7 @@ interface(`sssd_manage_pids',`
 		type sssd_var_run_t;
 	')
 	files_search_pids($1)
 	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
 	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
 ')
@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',`
 	')
 	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
 	files_search_var_lib($1)
 ')
 ########################################
@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
 ##	The role to be allowed to manage the sssd domain.
 ##	</summary>
 ## </param>
 ## <param name="terminal">
 ##	<summary>
 ##	The type of the user terminal.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`sssd_admin',`
 	gen_require(`
-		type sssd_t, sssd_public_t;
+		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
 		type sssd_initrc_exec_t;
 	')
-	allow $1 sssd_t:process { ptrace signal_perms getattr };
+	allow $1 sssd_t:process { ptrace signal_perms };
-	read_files_pattern($1, sssd_t, sssd_t)
+	ps_process_pattern($1, sssd_t)
 	# Allow sssd_t to restart the apache service
 	sssd_initrc_domtrans($1)
--- a/policy/modules/services/stunnel.if
+++ b/policy/modules/services/stunnel.if
@ -20,6 +20,6 @@ interface(`stunnel_service_domain',`
 		type stunnel_t;
 	')
-	domtrans_pattern(stunnel_t,$2,$1)
+	domtrans_pattern(stunnel_t, $2, $1)
 	allow $1 stunnel_t:tcp_socket rw_socket_perms;
 ')
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@ -105,9 +105,10 @@ interface(`tftp_admin',`
 		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
 	')
-	allow $1 tftpd_t:process { ptrace signal_perms getattr };
+	allow $1 tftpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, tftpd_t)
 	files_list_var_lib($1)
 	admin_pattern($1, tftpdir_rw_t)
 	admin_pattern($1, tftpdir_t)
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@ -42,7 +42,7 @@ interface(`tor_admin',`
 		type tor_initrc_exec_t;
 	')
-	allow $1 tor_t:process { ptrace signal_perms getattr };
+	allow $1 tor_t:process { ptrace signal_perms };
 	ps_process_pattern($1, tor_t)
 	init_labeled_script_domtrans($1, tor_initrc_exec_t)
--- a/policy/modules/services/tuned.if
+++ b/policy/modules/services/tuned.if
@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',`
 #
 interface(`tuned_admin',`
 	gen_require(`
-		type tuned_t, tuned_var_run_t;
+		type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
 		type tuned_initrc_exec_t;
 	')
 	allow $1 tuned_t:process { ptrace signal_perms };
--- a/policy/modules/services/ucspitcp.if
+++ b/policy/modules/services/ucspitcp.if
@ -20,7 +20,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`ucspitcp_service_domain', `
+interface(`ucspitcp_service_domain',`
 	gen_require(`
 		type ucspitcp_t;
 		role system_r;
@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
 	role system_r types $1;
-	domain_auto_trans(ucspitcp_t, $2, $1)
+	domtrans_pattern(ucspitcp_t, $2, $1)
 	allow $1 ucspitcp_t:fd use;
 	allow $1 ucspitcp_t:process sigchld;
 	allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
 ')
--- a/policy/modules/services/ulogd.if
+++ b/policy/modules/services/ulogd.if
@ -119,9 +119,8 @@ interface(`ulogd_append_log',`
 #
 interface(`ulogd_admin',`
 	gen_require(`
-		type ulogd_t, ulogd_etc_t;
+		type ulogd_t, ulogd_etc_t, ulogd_modules_t;
 		type ulogd_var_log_t, ulogd_initrc_exec_t;
 		type ulogd_modules_t;
 	')
 	allow $1 ulogd_t:process { ptrace signal_perms };
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@ -99,7 +99,7 @@ interface(`uucp_admin',`
 		type uucpd_var_run_t;
 	')
-	allow $1 uucpd_t:process { ptrace signal_perms getattr };
+	allow $1 uucpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, uucpd_t)
 	logging_list_logs($1)
--- a/policy/modules/services/varnishd.if
+++ b/policy/modules/services/varnishd.if
@ -151,9 +151,8 @@ interface(`varnishd_manage_log',`
 #
 interface(`varnishd_admin_varnishlog',`
 	gen_require(`
-		type varnishlog_t;
+		type varnishlog_t, varnishlog_initrc_exec_t;
 		type varnishlog_var_run_t, varnishlog_log_t;
 		type varnishlog_initrc_exec_t;
 	')
 	allow $1 varnishlog_t:process { ptrace signal_perms };
@ -169,7 +168,6 @@ interface(`varnishd_admin_varnishlog',`
 	logging_list_logs($1)
 	admin_pattern($1, varnishlog_log_t)
 ')
 #######################################
@ -215,5 +213,4 @@ interface(`varnishd_admin',`
 	files_search_tmp($1)
 	admin_pattern($1, varnishd_tmp_t)
 ')
--- a/policy/modules/services/vhostmd.if
+++ b/policy/modules/services/vhostmd.if
@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
 	')
 	allow $1 vhostmd_tmpfs_t:file read_file_perms;
-	files_search_tmp($1)
+	fs_search_tmpfs($1)
 ')
 ########################################
@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
 	')
 	rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-	files_search_tmp($1)
+	fs_search_tmpfs($1)
 ')
 ########################################
@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
 	')
 	manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-	files_search_tmp($1)
+	fs_search_tmpfs($1)
 ')
 ########################################
@ -146,6 +146,7 @@ interface(`vhostmd_manage_pid_files',`
 		type vhostmd_var_run_t;
 	')
 	files_search_pids($1)
 	manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
 ')
@ -220,5 +221,4 @@ interface(`vhostmd_admin',`
 	vhostmd_manage_tmpfs_files($1)
 	vhostmd_manage_pid_files($1)
 ')
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@ -14,8 +14,7 @@
 template(`virt_domain_template',`
 	gen_require(`
 		type virtd_t;
-		attribute virt_image_type;
+		attribute virt_image_type, virt_domain;
 		attribute virt_domain;
 	')
 	type $1_t, virt_domain;
@ -38,7 +37,7 @@ template(`virt_domain_template',`
 	dev_node($1_image_t)
 	dev_associate_sysfs($1_image_t)
-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 	term_create_pty($1_t, $1_devpts_t)
 	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
@ -154,8 +153,7 @@ interface(`virt_attach_tun_iface',`
 #
 interface(`virt_read_config',`
 	gen_require(`
-		type virt_etc_t;
+		type virt_etc_t, virt_etc_rw_t;
 		type virt_etc_rw_t;
 	')
 	files_search_etc($1)
@ -176,8 +174,7 @@ interface(`virt_read_config',`
 #
 interface(`virt_manage_config',`
 	gen_require(`
-		type virt_etc_t;
+		type virt_etc_t, virt_etc_rw_t;
 		type virt_etc_rw_t;
 	')
 	files_search_etc($1)
@ -227,7 +224,7 @@ interface(`virt_read_content',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -578,6 +575,7 @@ interface(`virt_admin',`
 ##	The role to be allowed the sandbox domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`virt_transition_svirt',`
 	gen_require(`
@ -609,4 +607,3 @@ interface(`virt_dontaudit_write_pipes',`
 	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 ')
--- a/policy/modules/services/xfs.if
+++ b/policy/modules/services/xfs.if
@ -1,4 +1,4 @@
-## <summary>X Windows Font Server </summary>
+## <summary>X Windows Font Server</summary>
 ########################################
 ## <summary>
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@ -59,10 +59,6 @@ interface(`xserver_restricted_role',`
 	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
 ifdef(`hide_broken_symptoms', `
 	dontaudit iceauth_t $2:socket_class_set { read write };
 ')
 	allow $2 iceauth_home_t:file read_file_perms;
 	domtrans_pattern($2, xauth_exec_t, xauth_t)
@ -77,11 +73,11 @@ ifdef(`hide_broken_symptoms', `
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };
-	dontaudit $2 xdm_tmp_t:dir setattr;
+	dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
 	allow $2 xdm_t:dbus send_msg;
 	allow xdm_t  $2:dbus send_msg;
@ -91,7 +87,7 @@ ifdef(`hide_broken_symptoms', `
 	allow $2 xserver_tmpfs_t:file read_file_perms;
 	# Read /tmp/.X0-lock
-	allow $2 xserver_tmp_t:file { getattr read };
+	allow $2 xserver_tmp_t:file read_inherited_file_perms;
 	dev_rw_xserver_misc($2)
 	dev_rw_power_management($2)
@ -100,9 +96,6 @@ ifdef(`hide_broken_symptoms', `
 	dev_write_misc($2)
 	# open office is looking for the following
 	dev_getattr_agp_dev($2)
 	tunable_policy(`user_direct_dri',`
 		dev_rw_dri($2)
 	')
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($2)
@ -121,11 +114,19 @@ ifdef(`hide_broken_symptoms', `
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
 	ifdef(`hide_broken_symptoms',`
 		dontaudit iceauth_t $2:socket_class_set { read write };
 	')
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
 	tunable_policy(`user_direct_dri',`
 		dev_rw_dri($2)
 	')
 ')
 ########################################
@ -157,10 +158,10 @@ interface(`xserver_role',`
 	allow $2 xserver_tmpfs_t:file rw_file_perms;
 	allow $2 iceauth_home_t:file manage_file_perms;
-	allow $2 iceauth_home_t:file { relabelfrom relabelto };
+	allow $2 iceauth_home_t:file relabel_file_perms;
 	allow $2 xauth_home_t:file manage_file_perms;
-	allow $2 xauth_home_t:file { relabelfrom relabelto };
+	allow $2 xauth_home_t:file relabel_file_perms;
 	mls_xwin_read_to_clearance($2)
 	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
@ -178,7 +179,6 @@ interface(`xserver_role',`
 	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 ')
 #######################################
@ -363,9 +363,8 @@ template(`xserver_common_x_domain_template',`
 		type xevent_t, client_xevent_t;
 		type input_xevent_t, $1_input_xevent_t;
-		attribute x_domain;
+		attribute x_domain, input_xevent_type;
 		attribute xdrawable_type, xcolormap_type;
 		attribute input_xevent_type;
 		class x_drawable all_x_drawable_perms;
 		class x_property all_x_property_perms;
@ -489,9 +488,9 @@ template(`xserver_user_x_domain_template',`
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };
 	# Allow connections to X server.
@ -503,7 +502,7 @@ template(`xserver_user_x_domain_template',`
 	# for .xsession-errors
 	userdom_dontaudit_write_user_home_content_files($2)
-	xserver_ro_session($2,$3)
+	xserver_ro_session($2, $3)
 	xserver_use_user_fonts($2)
 	xserver_read_xdm_tmp_files($2)
@ -511,17 +510,17 @@ template(`xserver_user_x_domain_template',`
 	# X object manager
 	xserver_object_types_template($1)
-	xserver_common_x_domain_template($1,$2)
+	xserver_common_x_domain_template($1, $2)
 	tunable_policy(`user_direct_dri',`
 		dev_rw_dri($2)
 	')
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
 	tunable_policy(`user_direct_dri',`
 		dev_rw_dri($2)
 	')
 ')
 ########################################
@ -582,7 +581,8 @@ interface(`xserver_domtrans_xauth',`
 	')
 	domtrans_pattern($1, xauth_exec_t, xauth_t)
-	ifdef(`hide_broken_symptoms', `
+
 	ifdef(`hide_broken_symptoms',`
 		dontaudit xauth_t $1:socket_class_set { read write };
 	')
 ')
@ -674,7 +674,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')
-	allow $1 xconsole_device_t:fifo_file setattr;
+	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
 ')
 ########################################
@ -747,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')
-	allow $1 xdm_t:fifo_file { getattr read write }; 
+	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 ########################################
@ -762,7 +762,6 @@ interface(`xserver_rw_xdm_pipes',`
 ## </param>
 #
 interface(`xserver_dontaudit_rw_xdm_pipes',`
 	gen_require(`
 		type xdm_t;
 	')
@ -783,11 +782,11 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
+		type xdm_t, xdm_tmp_t, xdm_var_run_t;
 		type xdm_var_run_t;
 	')
 	files_search_tmp($1)
 	files_search_pids($1)
 	stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
 	stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
 ')
@ -826,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 		type xdm_tmp_t;
 	')
-	allow $1 xdm_tmp_t:dir setattr;
+	allow $1 xdm_tmp_t:dir setattr_dir_perms;
 ')
 ########################################
@ -958,7 +957,7 @@ interface(`xserver_getattr_log',`
 	')
 	logging_search_logs($1)
-	allow $1 xserver_log_t:file getattr;
+	allow $1 xserver_log_t:file getattr_file_perms;
 ')
 ########################################
@ -1151,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 		type xdm_tmp_t;
 	')
-	dontaudit $1 xdm_tmp_t:sock_file getattr;
+	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
 ')
 ########################################
@ -1322,13 +1321,12 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
-		type xserver_t;
+		type xserver_t, root_xdrawable_t;
 		class x_device all_x_device_perms;
 		class x_pointer all_x_pointer_perms;
 		class x_keyboard all_x_keyboard_perms;
 		class x_screen all_x_screen_perms;
 		class x_drawable { manage };
 		type root_xdrawable_t;
 		attribute x_domain;
 		class x_drawable { read manage setattr show };
 		class x_resource { write read };
@ -1356,8 +1354,7 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
-		attribute x_domain;
+		attribute x_domain, xserver_unconfined_type;
 		attribute xserver_unconfined_type;
 	')
 	typeattribute $1 x_domain;
@ -1376,8 +1373,7 @@ interface(`xserver_unconfined',`
 #
 interface(`xserver_dontaudit_append_xdm_home_files',`
 	gen_require(`
-		type xdm_home_t;
+		type xdm_home_t, xserver_tmp_t;
 		type xserver_tmp_t;
 	')
 	dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
@ -1404,8 +1400,7 @@ interface(`xserver_dontaudit_append_xdm_home_files',`
 #
 interface(`xserver_append_xdm_home_files',`
 	gen_require(`
-		type xdm_home_t;
+		type xdm_home_t, xserver_tmp_t;
 		type xserver_tmp_t;
 	')
 	allow $1 xdm_home_t:file append_file_perms;
@ -1566,12 +1561,10 @@ template(`xserver_read_user_iceauth',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`xserver_rw_inherited_user_fonts',`
 	gen_require(`
-		type user_fonts_t;
+		type user_fonts_t, user_fonts_config_t;
 		type user_fonts_config_t;
 	')
 	allow $1 user_fonts_t:file rw_inherited_file_perms;
@ -1598,7 +1591,6 @@ interface(`xserver_search_xdm_lib',`
 	allow $1 xdm_var_lib_t:dir search_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Make an X executable an entrypoint for the specified domain.
@ -1632,6 +1624,7 @@ interface(`xserver_entry_type',`
 ##	The role to be allowed the xserver domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`xserver_run',`
 	gen_require(`
@ -1657,6 +1650,7 @@ interface(`xserver_run',`
 ##	The role to be allowed the xserver domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`xserver_run_xauth',`
 	gen_require(`
@ -1679,8 +1673,7 @@ interface(`xserver_run_xauth',`
 #
 interface(`xserver_manage_home_fonts',`
 	gen_require(`
-		type user_fonts_t;
+		type user_fonts_t, user_fonts_config_t;
 		type user_fonts_config_t;
 	')
 	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
--- a/policy/modules/services/zarafa.if
+++ b/policy/modules/services/zarafa.if
@ -1,4 +1,3 @@
 ## <summary>policy for zarafa services</summary>
 ######################################
@ -13,7 +12,6 @@
 ## </param>
 #
 template(`zarafa_domain_template',`
 	gen_require(`
 		attribute zarafa_domain;
 	')
@ -66,7 +64,6 @@ interface(`zarafa_server_domtrans',`
 	domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
 ')
 ########################################
 ## <summary>
 ##	Execute a domain transition to run zarafa_deliver.
@ -94,12 +91,12 @@ interface(`zarafa_deliver_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`zarafa_stream_connect_server',`
 	gen_require(`
 		type zarafa_server_t, zarafa_server_var_run_t;
 	')
 	files_search_var_lib($1)
 	stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
 ')
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
 	')
 	files_search_pids($1)
-	allow $1 zebra_var_run_t:sock_file write;
+	stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
 	allow $1 zebra_t:unix_stream_socket connectto;
 ')
 ########################################