##
## Allow spamassassin to do DNS lookups
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
index b61da4cd..c33b6678 100644
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
@@ -134,14 +134,18 @@ level s0:c0.c255;
# the high range of the file. We use the high range of the process so
# that processes can always simply run at s0.
#
-# Only files are constrained by MCS at this stage.
+# Note that getattr on files is always permitted.
#
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
( h1 dom h2 );
+# New filesystem object labels must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
+# At this time we do not restrict "ps" type operations via MCS. This
+# will probably change in future.
mlsconstrain file { read }
(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index dab81941..8b3c5310 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.3.0)
+policy_module(amanda,1.3.1)
#######################################
#
@@ -8,7 +8,7 @@ policy_module(amanda,1.3.0)
type amanda_t;
type amanda_inetd_exec_t;
-inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+inetd_service_domain(amanda_t,amanda_inetd_exec_t)
role system_r types amanda_t;
type amanda_exec_t;
@@ -189,7 +189,7 @@ optional_policy(`
#
# Amanda recover local policy
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
allow amanda_recover_t self:unix_stream_socket { connect create read write };
@@ -229,6 +229,7 @@ corenet_udp_sendrecv_all_ports(amanda_recover_t)
corenet_non_ipsec_sendrecv(amanda_recover_t)
corenet_tcp_bind_all_nodes(amanda_recover_t)
corenet_udp_bind_all_nodes(amanda_recover_t)
+corenet_tcp_bind_reserved_port(amanda_recover_t)
corenet_tcp_connect_amanda_port(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
@@ -261,3 +262,7 @@ optional_policy(`
optional_policy(`
nis_use_ypbind(amanda_recover_t)
')
+
+optional_policy(`
+ nscd_socket_use(amanda_recover_t)
+')
diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
index 9ee5bd64..6c9261d3 100644
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.2.1)
+policy_module(bootloader,1.2.2)
########################################
#
@@ -88,6 +88,8 @@ dev_read_raw_memory(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
+mls_file_read_up(bootloader_t)
+
term_getattr_all_user_ttys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 10941b79..2d22241a 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.3.2)
+policy_module(usermanage,1.3.3)
########################################
#
@@ -514,6 +514,7 @@ userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
# Add/remove user home directories
userdom_home_filetrans_generic_user_home_dir(useradd_t)
userdom_manage_generic_user_home_content_dirs(useradd_t)
+userdom_manage_staff_home_dirs(useradd_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
mta_manage_spool(useradd_t)
diff --git a/refpolicy/policy/modules/apps/java.te b/refpolicy/policy/modules/apps/java.te
index 26cca072..0c6045d0 100644
--- a/refpolicy/policy/modules/apps/java.te
+++ b/refpolicy/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
-policy_module(java,1.1.1)
+policy_module(java,1.1.2)
########################################
#
@@ -7,10 +7,8 @@ policy_module(java,1.1.1)
#
type java_t;
-domain_type(java_t)
-
type java_exec_t;
-files_type(java_exec_t)
+init_system_domain(java_t,java_exec_t)
########################################
#
diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te
index 1715c18d..c680ffc1 100644
--- a/refpolicy/policy/modules/apps/mono.te
+++ b/refpolicy/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
-policy_module(mono,1.1.1)
+policy_module(mono,1.1.2)
########################################
#
@@ -22,6 +22,8 @@ ifdef(`targeted_policy',`
unconfined_domain_noaudit(mono_t)
role system_r types mono_t;
+ init_dbus_chat_script(mono_t)
+
optional_policy(`
avahi_dbus_chat(mono_t)
')
@@ -29,4 +31,8 @@ ifdef(`targeted_policy',`
optional_policy(`
hal_dbus_chat(mono_t)
')
+
+ optional_policy(`
+ networkmanager_dbus_chat(mono_t)
+ ')
')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 62ff408c..5b80d1ae 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2701,7 +2701,7 @@ interface(`dev_rw_xen',`
')
allow $1 device_t:dir r_dir_perms;
- allow $1 xen_device_t:chr_file r_file_perms;
+ allow $1 xen_device_t:chr_file rw_file_perms;
')
########################################
@@ -2720,7 +2720,7 @@ interface(`dev_manage_xen',`
')
allow $1 device_t:dir r_dir_perms;
- allow $1 xen_device_t:chr_file r_file_perms;
+ allow $1 xen_device_t:chr_file manage_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 8f6bd834..fbb684e6 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.10)
+policy_module(devices,1.1.11)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 667fbd32..badc6192 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -946,6 +946,24 @@ interface(`files_mounton_all_mountpoints',`
allow $1 mountpoint:file { getattr mounton };
')
+########################################
+##
+## Get the attributes of all mount points.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_getattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir getattr;
+')
+
########################################
#
# files_list_root(domain)
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 09d96c5f..dacfc72a 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.6)
+policy_module(files,1.2.7)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index d5d03fff..570433bf 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1150,6 +1150,9 @@ interface(`kernel_rw_vm_sysctls',`
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_vm_t:dir list_dir_perms;
allow $1 sysctl_vm_t:file rw_file_perms;
+
+ # hal needs this
+ allow $1 sysctl_vm_t:dir write;
')
########################################
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 70df6fc3..0edc3d6d 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.4)
+policy_module(kernel,1.3.5)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te
index adb57ea7..88a6e986 100644
--- a/refpolicy/policy/modules/kernel/mcs.te
+++ b/refpolicy/policy/modules/kernel/mcs.te
@@ -32,6 +32,10 @@ type unconfined_t;
type xdm_exec_t;
ifdef(`enable_mcs',`
+# The eventual plan is to have a range_transition to s0 for the daemon by
+# default and have the daemons which need to run with all categories be
+# exceptions. But while range_transitions have to be in the base module
+# this is not possible.
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index 876e4993..7fc37cb6 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi,1.2.0)
+policy_module(avahi,1.2.1)
########################################
#
@@ -92,6 +92,7 @@ optional_policy(`
dbus_system_bus_client_template(avahi,avahi_t)
dbus_connect_system_bus(avahi_t)
dbus_send_system_bus(avahi_t)
+ init_dbus_chat_script(avahi_t)
')
optional_policy(`
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 877926bf..e8e94fca 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.4)
+policy_module(hal,1.3.5)
########################################
#
@@ -103,6 +103,7 @@ files_getattr_default_dirs(hald_t)
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
fs_list_auto_mountpoints(hald_t)
+files_getattr_all_mountpoints(hald_t)
mls_file_read_up(hald_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index 91e99dcb..497536d4 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -198,6 +198,45 @@ interface(`mailman_search_data',`
allow $1 mailman_data_t:dir search_dir_perms;
')
+#######################################
+##
+## Allow domain to to read mailman data files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_read_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir search_dir_perms;
+ allow $1 mailman_data_t:file read_file_perms;
+')
+
+#######################################
+##
+## Allow domain to to create mailman data files
+## and write the directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_manage_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir rw_dir_perms;
+ allow $1 mailman_data_t:file manage_file_perms;
+')
+
#######################################
##
## List the contents of mailman data directories.
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 742b23f9..584ee4b6 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
-policy_module(mailman,1.1.1)
+policy_module(mailman,1.1.2)
########################################
#
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 6c44c061..bb7a992b 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.2.1)
+policy_module(postfix,1.2.2)
########################################
#
@@ -174,6 +174,11 @@ sysnet_read_config(postfix_master_t)
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_master_t)
+')
+
optional_policy(`
mount_send_nfs_client_request(postfix_master_t)
')
@@ -280,6 +285,11 @@ mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
+optional_policy(`
+# for postalias
+ mailman_read_data_files(postfix_local_t)
+')
+
optional_policy(`
procmail_domtrans(postfix_local_t)
')
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 62e52cf0..731fe261 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc,1.2.1)
+policy_module(rpc,1.2.2)
########################################
#
@@ -110,13 +110,13 @@ portmap_tcp_connect(nfsd_t)
portmap_udp_chat(nfsd_t)
tunable_policy(`nfs_export_all_rw',`
- auth_read_all_dirs_except_shadow(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
+ auth_manage_all_files_except_shadow(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
- auth_read_all_dirs_except_shadow(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
+ auth_read_all_files_except_shadow(nfsd_t)
')
########################################
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index a38a6ea8..7cacf8b3 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -33,6 +33,7 @@ template(`samba_per_userdomain_template',`
')
tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs($1,smbd_t)
userdom_manage_user_home_content_files($1,smbd_t)
userdom_manage_user_home_content_symlinks($1,smbd_t)
userdom_manage_user_home_content_sockets($1,smbd_t)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index c5ae85e1..e8366281 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.2.3)
+policy_module(samba,1.2.4)
#################################
#
@@ -296,6 +296,12 @@ tunable_policy(`allow_smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
')
+# Support Samba sharing of NFS mount points
+tunable_policy(`samba_share_nfs',`
+ fs_manage_nfs_dirs(smbd_t)
+ fs_manage_nfs_files(smbd_t)
+')
+
optional_policy(`
cups_read_rw_config(smbd_t)
')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index a1b5818e..17e2fdb6 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.5)
+policy_module(unconfined,1.3.6)
########################################
#
@@ -62,6 +62,8 @@ ifdef(`targeted_policy',`
')
optional_policy(`
+ init_dbus_chat_script(unconfined_t)
+
dbus_stub(unconfined_t)
optional_policy(`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 475a7ce7..4bdf8f0c 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -3400,6 +3400,35 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
dontaudit $1 staff_home_dir_t:dir search;
')
+########################################
+##
+## Create, read, write, and delete staff
+## home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_manage_staff_home_dirs',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_dir_t:dir manage_dir_perms;
+ ',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir manage_dir_perms;
+ ')
+')
+
########################################
##
## Do not audit attempts to append to the staff
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 00baa24b..1d5ea220 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.14)
+policy_module(userdomain,1.3.15)
gen_require(`
role sysadm_r, staff_r, user_r;
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
index 8787fcfe..08fb1b50 100644
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.0.0)
+policy_module(xen,1.0.1)
########################################
#
@@ -19,6 +19,8 @@ init_daemon_domain(xend_t, xend_exec_t)
# var/lib files
type xend_var_lib_t;
files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
# log files
type xend_var_log_t;
@@ -122,6 +124,7 @@ domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
files_read_etc_files(xend_t)
+files_read_kernel_symbol_table(xend_t)
storage_raw_read_fixed_disk(xend_t)
@@ -208,6 +211,7 @@ kernel_read_xen_state(xenstored_t)
dev_create_generic_dirs(xenstored_t)
dev_manage_xen(xenconsoled_t)
dev_filetrans_xen(xenstored_t)
+dev_rw_xen(xenstored_t)
term_dontaudit_use_generic_ptys(xenstored_t)