More fixes

policy/modules/admin/consoletype.te

@@ -81,11 +81,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	hal_dontaudit_use_fds(consoletype_t)
-	hal_dontaudit_rw_pipes(consoletype_t)
-	hal_dontaudit_rw_dgram_sockets(consoletype_t)
-	hal_dontaudit_write_log(consoletype_t)
-	hal_dontaudit_read_pid_files(consoletype_t)
+	hal_dontaudit_leaks(consoletype_t)
 ')
 
 optional_policy(`

policy/modules/admin/tzdata.te

@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
 # tzdata local policy
 #
 
-files_read_etc_files(tzdata_t)
+files_read_config_files(tzdata_t)
 files_search_spool(tzdata_t)
 
 fs_getattr_xattr_fs(tzdata_t)

policy/modules/apps/gnome.if

@@ -198,6 +198,25 @@ interface(`gnome_setattr_cache_home_dir',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	append to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_append_generic_cache_files',`
+	gen_require(`
+		type cache_home_t;
+	')
+
+	append_files_pattern($1, cache_home_t, cache_home_t)
+	userdom_search_user_home_dirs($1)
+')
+
 ########################################
 ## <summary>
 ##	write to generic cache home files (.cache)

policy/modules/apps/wine.if

@@ -48,8 +48,7 @@ template(`wine_role',`
 	allow $2 wine_t:process signal_perms;
 
 	allow $2 wine_t:fd use;
-	allow $2 wine_t:shm { associate getattr };
-	allow $2 wine_t:shm { unix_read unix_write };
+	allow $2 wine_t:shm { associate getattr  unix_read unix_write };
 	allow $2 wine_t:unix_stream_socket connectto;
 
 	# X access, Home files
@@ -165,3 +164,22 @@ interface(`wine_run',`
 	wine_domtrans($1)
 	role $2 types wine_t;
 ')
+
+########################################
+## <summary>
+##	Read and write wine Shared
+##	memory segments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+	gen_require(`
+		type wine_t;
+	')
+
+	allow $1 wine_t:shm rw_shm_perms;
+')

policy/modules/kernel/files.if

@@ -4933,6 +4933,24 @@ interface(`files_read_var_files',`
 	read_files_pattern($1, var_t, var_t)
 ')
 
+########################################
+## <summary>
+##	Append files in the /var directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_append_var_files',`
+	gen_require(`
+		type var_t;
+	')
+
+	append_files_pattern($1, var_t, var_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write files in the /var directory.

policy/modules/kernel/filesystem.te

@@ -72,6 +72,7 @@ type cgroup_t alias cgroupfs_t;
 fs_type(cgroup_t)
 files_type(cgroup_t)
 files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;

policy/modules/services/apm.te

@@ -144,13 +144,8 @@ ifdef(`distro_redhat',`
 
 	can_exec(apmd_t, apmd_var_run_t)
 
-	# ifconfig_exec_t needs to be run in its own domain for Red Hat
 	optional_policy(`
-		sssd_search_lib(apmd_t)
-	')
-
-	optional_policy(`
-		sysnet_domtrans_ifconfig(apmd_t)
+		fstools_domtrans(apmd_t)
 	')
 
 	optional_policy(`
@@ -161,6 +156,15 @@ ifdef(`distro_redhat',`
 		netutils_domtrans(apmd_t)
 	')
 
+	# ifconfig_exec_t needs to be run in its own domain for Red Hat
+	optional_policy(`
+		sssd_search_lib(apmd_t)
+	')
+
+	optional_policy(`
+		sysnet_domtrans_ifconfig(apmd_t)
+	')
+
 ',`
 	# for ifconfig which is run all the time
 	kernel_dontaudit_search_sysctl(apmd_t)

policy/modules/services/cups.if

@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
 interface(`cups_read_config',`
 	gen_require(`
 		type cupsd_etc_t, cupsd_rw_etc_t;
+		type hplip_etc_t;
 	')
 
 	files_search_etc($1)
 	read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+	read_files_pattern($1, hplip_etc_t, hplip_etc_t)
 	read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
 ')
 
@@ -319,6 +321,7 @@ interface(`cups_admin',`
 		type cupsd_var_run_t, ptal_etc_t;
 		type ptal_var_run_t, hplip_var_run_t;
 		type cupsd_initrc_exec_t;
+		type hplip_etc_t;
 	')
 
 	allow $1 cupsd_t:process { ptrace signal_perms };
@@ -347,6 +350,8 @@ interface(`cups_admin',`
 	admin_pattern($1, cupsd_var_run_t)
 	files_list_pids($1)
 
+	admin_pattern($1, hplip_etc_t)
+
 	admin_pattern($1, hplip_var_run_t)
 
 	admin_pattern($1, ptal_etc_t)

policy/modules/services/devicekit.te

@@ -205,6 +205,10 @@ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
 
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+
 manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)

policy/modules/services/hal.if

@@ -391,8 +391,7 @@ interface(`hal_dontaudit_read_pid_files',`
 		type hald_var_run_t;
 	')
 
-	files_search_pids($1)
-	allow $1 hald_var_run_t:file read_inherited_file_perms;
+	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 ')
 
 ########################################
@@ -451,3 +450,27 @@ interface(`hal_manage_pid_files',`
 	files_search_pids($1)
 	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
 ')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_dontaudit_leaks',`
+	gen_require(`
+		type hald_log_t;
+		type hald_t;
+		type hald_var_run_t;
+	')
+
+	dontaudit $1 hald_t:fd use; 
+	dontaudit $1 hald_log_t:file rw_inherited_files_perms;
+	dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; 
+	dontaudit hald_t $1:socket_class_set { read write };
+	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')

policy/modules/services/rpcbind.te

@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t)
 kernel_read_network_state(rpcbind_t)
 kernel_request_load_module(rpcbind_t)
 
+corecmd_exec_shell(rpcbind_t)
+
 corenet_all_recvfrom_unlabeled(rpcbind_t)
 corenet_all_recvfrom_netlabel(rpcbind_t)
 corenet_tcp_sendrecv_generic_if(rpcbind_t)

policy/modules/services/xserver.te

@@ -1105,6 +1105,10 @@ optional_policy(`
 	userhelper_search_config(xserver_t)
 ')
 
+optional_policy(`
+	wine_rw_shm(xserver_t)
+')
+
 optional_policy(`
 	xfs_stream_connect(xserver_t)
 ')

policy/modules/system/libraries.te

@@ -136,6 +136,10 @@ optional_policy(`
 	apt_use_ptys(ldconfig_t)
 ')
 
+optional_policy(`
+	gnome_append_generic_cache_files(ldconfig_t)
+')
+
 optional_policy(`
 	puppet_rw_tmp(ldconfig_t)
 ')

policy/modules/system/modutils.te

@@ -63,6 +63,7 @@ files_read_etc_runtime_files(depmod_t)
 files_read_etc_files(depmod_t)
 files_read_usr_src_files(depmod_t)
 files_list_usr(depmod_t)
+files_append_var_files(depmod_t)
 files_read_boot_files(depmod_t)
 
 fs_getattr_xattr_fs(depmod_t)

policy/modules/system/selinuxutil.if

@@ -535,6 +535,10 @@ interface(`seutil_domtrans_setfiles',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
+
+	ifdef(`hide_broken_symptoms', `
+		dontaudit consoletype_t $1:socket_class_set { read write };
+	')
 ')
 
 ########################################

policy/modules/system/udev.te

@@ -233,6 +233,7 @@ optional_policy(`
 
 optional_policy(`
 	cups_domtrans_config(udev_t)
+	cups_read_config(udev_t)
 ')
 
 optional_policy(`