patch from dan

refpolicy/policy/modules/apps/webalizer.fc

@@ -7,4 +7,4 @@
 #
 # /var
 #
-/var/lib/webalizer(/.*)		gen_context(system_u:object_r:webalizer_var_lib_t,s0)
+/var/lib/webalizer(/.*)?	gen_context(system_u:object_r:webalizer_var_lib_t,s0)

refpolicy/policy/modules/apps/webalizer.te

@@ -1,5 +1,5 @@
 
-policy_module(webalizer,1.0)
+policy_module(webalizer,1.0.1)
 
 ########################################
 #

refpolicy/policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.0)
+policy_module(filesystem,1.0.1)
 
 ########################################
 #
@@ -114,6 +114,7 @@ allow tmpfs_t noxattrfs:filesystem associate;
 #
 type autofs_t, noxattrfs;
 fs_type(autofs_t)
+files_mountpoint(autofs_t)
 genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
 genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
 

refpolicy/policy/modules/services/avahi.te

@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.0)
+policy_module(avahi,1.0.1)
 
 ########################################
 #
@@ -18,9 +18,9 @@ files_pid_file(avahi_var_run_t)
 # Local policy
 #
 
-allow avahi_t self:capability { dac_override setgid chown kill setuid };
+allow avahi_t self:capability { dac_override setgid chown kill setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
-allow avahi_t self:process { setrlimit signal_perms };
+allow avahi_t self:process { setrlimit signal_perms setcap };
 allow avahi_t self:fifo_file { read write };
 allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow avahi_t self:unix_dgram_socket create_socket_perms;

refpolicy/policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron, 1.0)
+policy_module(cron, 1.0.1)
 
 gen_require(`
 	class passwd rootok;
@@ -170,14 +170,8 @@ tunable_policy(`fcron_crond', `
 	allow crond_t system_cron_spool_t:file create_file_perms;
 ')
 
-optional_policy(`cyrus.te',`
+optional_policy(`hal.te',`
-	cyrus_manage_data(system_crond_t)
+	hal_dbus_send(crond_t)
-')
-
-optional_policy(`inn.te',`
-	inn_manage_log(system_crond_t)
-	inn_manage_pid(system_crond_t)
-	inn_read_config(system_crond_t)
 ')
 
 optional_policy(`nis.te',`
@@ -375,10 +369,20 @@ ifdef(`targeted_policy',`
 		seutil_read_file_contexts(system_crond_t)
 	')
 
+	optional_policy(`cyrus.te',`
+		cyrus_manage_data(system_crond_t)
+	')
+
 	optional_policy(`ftp.te',`
 		ftp_read_log(system_crond_t)
 	')
 
+	optional_policy(`inn.te',`
+		inn_manage_log(system_crond_t)
+		inn_manage_pid(system_crond_t)
+		inn_read_config(system_crond_t)
+	')
+
 	optional_policy(`mysql.te',`
 		mysql_read_config(system_crond_t)
 	')

refpolicy/policy/modules/services/ftp.fc

@@ -18,8 +18,7 @@
 #
 # /var
 #
-/var/run/proftpd/proftpd-inetd -- gen_context(system_u:object_r:ftpd_var_run_t,s0)
+/var/run/proftpd(/.*)? 		gen_context(system_u:object_r:ftpd_var_run_t,s0)
-/var/run/proftpd/proftpd\.scoreboard -- gen_context(system_u:object_r:ftpd_var_run_t,s0)
 
 /var/log/muddleftpd\.log.* --	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)

refpolicy/policy/modules/services/ftp.te

@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.0)
+policy_module(ftp,1.0.1)
 
 ########################################
 #

refpolicy/policy/modules/services/hal.if

@@ -54,3 +54,20 @@ interface(`hal_stream_connect',`
 
 	allow $1 hald_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	Send a dbus message to hal.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hal_dbus_send',`
+	gen_require(`
+		type hald_t;
+		class dbus send_msg;
+	')
+
+	allow $1 hald_t:dbus send_msg;
+')

refpolicy/policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.0)
+policy_module(hal,1.0.1)
 
 ########################################
 #
@@ -80,6 +80,7 @@ selinux_compute_relabel_context(hald_t)
 selinux_compute_user_contexts(hald_t)
 
 storage_raw_read_removable_device(hald_t)
+storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)
 

refpolicy/policy/modules/services/pegasus.te

@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.0)
+policy_module(pegasus,1.0.1)
 
 ########################################
 #
@@ -79,6 +79,7 @@ auth_use_nsswitch(pegasus_t)
 auth_read_shadow(pegasus_t)
 
 domain_use_wide_inherit_fd(pegasus_t)
+domain_read_all_domains_state(pegasus_t)
 
 files_read_etc_files(pegasus_t)
 files_list_var_lib(pegasus_t)

refpolicy/policy/modules/services/rpc.te

@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.0)
+policy_module(rpc,1.0.1)
 
 ########################################
 #
@@ -31,6 +31,7 @@ files_config_file(nfsd_ro_t)
 
 type var_lib_nfs_t;
 files_config_file(var_lib_nfs_t)
+files_mountpoint(var_lib_nfs_t)
 
 ########################################
 #

refpolicy/policy/modules/system/mount.te

@@ -133,9 +133,6 @@ optional_policy(`samba.te',`
 ')
 
 ifdef(`TODO',`
-# this goes to the nfs/rpc module
-files_mountpoint(var_lib_nfs_t)
-
 # TODO: Need to examine this further. Not sure how to handle this
 #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
 #allow sysadm_t sysadm_mount_source_t:file create_file_perms;

refpolicy/policy/modules/system/sysnetwork.te

@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.0)
+policy_module(sysnetwork,1.0.1)
 
 ########################################
 #
@@ -58,6 +58,7 @@ allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
 
 allow dhcpc_t dhcp_state_t:dir rw_dir_perms;
 allow dhcpc_t dhcp_state_t:file { getattr read };
+allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;
 allow dhcpc_t dhcpc_state_t:file create_file_perms;
 type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;