trunk: a pile of misc fixes.

policy/modules/services/automount.if

@@ -30,12 +30,8 @@ interface(`automount_domtrans',`
 ## </param>
 #
 interface(`automount_exec_config',`
-	gen_require(`
+	refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
-		type automount_etc_t;
+	files_exec_etc_files($1)
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, automount_etc_t)
 ')
 
 ########################################

policy/modules/services/bind.if

@@ -265,6 +265,16 @@ interface(`bind_udp_chat_named',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`bind_admin',`

policy/modules/services/mta.if

@@ -584,6 +584,26 @@ interface(`mta_read_aliases',`
 	allow $1 etc_aliases_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete mail address aliases.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_manage_aliases',`
+	gen_require(`
+		type etc_aliases_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+	manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+')
+
 ########################################
 ## <summary>
 ##	Type transition files created in /etc

policy/modules/services/mta.te

@@ -1,5 +1,5 @@
 
-policy_module(mta, 1.10.1)
+policy_module(mta, 1.10.2)
 
 ########################################
 #

policy/modules/services/ntp.if

@@ -74,7 +74,7 @@ interface(`ntp_domtrans_ntpdate',`
 interface(`ntp_admin',`
 	gen_require(`
 		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
-		type ntpd_key_t, ntpd_var_lib_t, ntpd_var_run_t;
+		type ntpd_key_t, ntpd_var_run_t;
 		type ntpd_initrc_exec_t;
 	')
 

policy/modules/services/oident.if

@@ -39,7 +39,7 @@
 ## 	</summary>
 ## </param>
 #
-template(`oidentd_per_role_template', `
+template(`oident_per_role_template', `
 
 	########################################
 	#
@@ -51,17 +51,17 @@ template(`oidentd_per_role_template', `
 	')
 
 	type $1_oidentd_home_t, oidentd_user_content_type;
-	userdom_user_home_content($1, oidentd_$1_content_t)
+	userdom_user_home_content($1, $1_oidentd_home_t)
 
-	typeattribute oidentd_$1_content_t oidentd_user_content_type;
+	typeattribute $1_oidentd_home_t oidentd_user_content_type;
 
 	########################################
 	#
 	#  Oident daemon shared policy
 	#
 
-	allow $2 oidentd_$1_content_t:file manage_file_perms; 
+	allow $2 $1_oidentd_home_t:file manage_file_perms; 
-	allow $2 oidentd_$1_content_t:file relabel_file_perms;
+	allow $2 $1_oidentd_home_t:file relabel_file_perms;
 ')
 
 ########################################
@@ -75,7 +75,7 @@ template(`oidentd_per_role_template', `
 ##	</summary>
 ## </param>
 #
-interface(`oidentd_read_all_user_content', `
+interface(`oident_read_all_user_content', `
 	gen_require(`
 		attribute oidentd_user_content_type;
 	')

policy/modules/services/oident.te

@@ -56,7 +56,7 @@ miscfiles_read_localization(oidentd_t)
 
 sysnet_read_config(oidentd_t)
 
-oidentd_read_all_user_content(oidentd_t)
+oident_read_all_user_content(oidentd_t)
 
 optional_policy(`
 	nis_use_ypbind(oidentd_t)

policy/modules/services/postfix.te

@@ -182,6 +182,12 @@ seutil_dontaudit_search_config(postfix_master_t)
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 
+ifdef(`distro_redhat',`
+	# for newer main.cf that uses /etc/aliases
+	mta_manage_aliases(postfix_master_t)
+	mta_etc_filetrans_aliases(postfix_master_t)
+')
+
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
 ')
@@ -199,22 +205,6 @@ optional_policy(`
 	sendmail_signal(postfix_master_t)
 ')
 
-###########################################################
-#
-# Partially converted rules.  THESE ARE ONLY TEMPORARY
-#
-
-ifdef(`distro_redhat',`
-	# for newer main.cf that uses /etc/aliases
-	allow postfix_master_t etc_aliases_t:dir manage_dir_perms;
-	allow postfix_master_t etc_aliases_t:file manage_file_perms;
-	allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms;
-	mta_etc_filetrans_aliases(postfix_master_t)
-	filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file })
-')
-
-# end partially converted rules
-
 ########################################
 #
 # Postfix bounce local policy

policy/modules/services/sasl.if

@@ -29,6 +29,11 @@ interface(`sasl_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`sasl_admin',`

policy/modules/services/virt.if

@@ -68,7 +68,7 @@ interface(`virt_read_pid_files',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_pids_files',`
+interface(`virt_manage_pid_files',`
 	gen_require(`
 		type virt_var_run_t;
 	')
@@ -167,7 +167,7 @@ interface(`virt_read_log',`
 #
 interface(`virt_append_log',`
 	gen_require(`
-		type var_log_t, virt_log_t;
+		type virt_log_t;
 	')
 
 	logging_search_logs($1)

policy/modules/system/init.te

@@ -535,10 +535,6 @@ optional_policy(`
 	apache_list_modules(initrc_t)
 ')
 
-optional_policy(`
-	automount_exec_config(initrc_t)
-')
-
 optional_policy(`
 	bind_read_config(initrc_t)
 

policy/modules/system/pcmcia.te

@@ -136,5 +136,6 @@ optional_policy(`
 
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
-allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;
+files_pid_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
-type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
+files_tmp_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+filetrans_pattern(cardmgr_t, cardmgr_var_run_t, cardmgr_dev_t, { chr_file blk_file })