more upstream merging

2005-09-16 21:20:37 +00:00 · 2005-09-16 21:20:37 +00:00 · cf6a7d8993
commit cf6a7d8993
parent cff75c90ca
36 changed files with 289 additions and 46 deletions
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@ -121,9 +121,18 @@ sysnet_dns_name_resolve(ping_t)

 logging_send_syslog_msg(ping_t)

-tunable_policy(`user_ping',`
+ifdef(`hide_broken_symptoms',`
+	init_dontaudit_use_fd(ping_t)
+')
+
+ifdef(`targeted_policy',`
 	term_use_all_user_ttys(ping_t)
 	term_use_all_user_ptys(ping_t)
+',`
+	tunable_policy(`user_ping',`
+		term_use_all_user_ttys(ping_t)
+		term_use_all_user_ptys(ping_t)
+	')
 ')

 optional_policy(`nis.te',`
@ -134,6 +143,10 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(ping_t)
 ')

+optional_policy(`pcmcia.te',`
+	pcmcia_use_cardmgr_fd(ping_t)
+')
+
 optional_policy(`sysnetwork.te',`
 	optional_policy(`hotplug.te',`
 		hotplug_use_fd(ping_t)
@ -146,9 +159,6 @@ tunable_policy(`user_ping',`
 	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
 	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
 ')
-ifdef(`cardmgr.te',`
-	allow ping_t cardmgr_t:fd use;
-')
 ') dnl end TODO

 ########################################
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@ -6,10 +6,11 @@ policy_module(rpm,1.0)
 # Declarations
 #

-type rpm_t; #, admin, privmem, priv_system_role;
+type rpm_t; #, priv_system_role;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
 domain_obj_id_change_exempt(rpm_t)
+domain_role_change_exempt(rpm_t)
 domain_wide_inherit_fd(rpm_t)
 role system_r types rpm_t;

@ -179,6 +180,8 @@ optional_policy(`nis.te',`
 ')

 ifdef(`TODO',`
+# cjp: this seems way out of place
+role sysadm_r types initrc_t;

 type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;

--- a/refpolicy/policy/modules/admin/tmpreaper.te
+++ b/refpolicy/policy/modules/admin/tmpreaper.te
@ -37,6 +37,7 @@ libs_use_shared_libs(tmpreaper_t)
 logging_send_syslog_msg(tmpreaper_t)

 miscfiles_read_localization(tmpreaper_t)
+miscfiles_delete_man_pages(tmpreaper_t)

 cron_system_entry(tmpreaper_t,tmpreaper_exec_t)

--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@ -673,6 +673,38 @@ interface(`dev_setattr_all_chr_files',`
 	allow $1 device_node:chr_file setattr;
 ')

+########################################
+## <summary>
+##	Dontaudit read on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_read_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:blk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Dontaudit read on all character file device nodes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_read_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:chr_file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Read, write, create, and delete all block device files.
@ -2169,6 +2201,44 @@ interface(`dev_dontaudit_setattr_video_dev',`
 	dontaudit $1 v4l_device_t:chr_file setattr;
 ')

+########################################
+## <summary>
+##	Get the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_setattr_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write to the zero device (/dev/zero).
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@ -1967,6 +1967,23 @@ interface(`fs_set_all_quotas',`
 	allow $1 filesystem_type:filesystem quotamod;
 ')

+########################################
+## <summary>
+##	Relabelfrom all filesystems.
+## </summary>
+## <param name="domain">
+##	The type of the domain doing the
+##	getattr on the filesystem.
+## </param>
+#
+interface(`fs_relabelfrom_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem relabelfrom;
+')
+
 ########################################
 ## <summary>
 ##	List all directories with a filesystem type.
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -203,6 +203,16 @@ files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)

+ifdef(`TODO',`
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+') dnl end TODO
+
 ########################################
 #
 # Unlabeled process local policy
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -287,7 +287,7 @@ logging_read_generic_logs(system_crond_t)
 logging_send_syslog_msg(system_crond_t)

 miscfiles_read_localization(system_crond_t)
-miscfiles_read_man_pages(system_crond_t)
+miscfiles_manage_man_pages(system_crond_t)

 seutil_read_config(system_crond_t)

@ -311,6 +311,10 @@ tunable_policy(`cron_can_relabel',`
 	seutil_read_file_contexts(system_crond_t)
 ')

+optional_policy(`mysql.te',`
+	mysql_read_config(system_crond_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(system_crond_t)
 ')
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@ -88,5 +88,5 @@ optional_policy(`nscd.te',`
 ')

 ifdef(`TODO',`
-r_dir_file(rsync_t, ftpd_anon_t)
+anonymous_domain(rsync)
 ') dnl end TODO
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@ -279,6 +279,7 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(smbd_t)
 ')
+anonymous_domain(smbd)
 can_winbind(smbd_t)
 ')

--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@ -438,8 +438,10 @@ template(`ssh_server_template', `
 	auth_domtrans_chk_passwd($1_t)
 	auth_rw_login_records($1_t)
 	auth_rw_lastlog($1_t)
+	auth_append_faillog($1_t)

 	corecmd_read_bin_symlink($1_t)
+	corecmd_getattr_bin_file($1_t)
 	# for sshd subsystems, such as sftp-server.
 	corecmd_getattr_bin_file($1_t)

--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -380,6 +380,24 @@ interface(`auth_relabelto_shadow',`
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')

+#######################################
+## <summary>
+##	Append to the login failure log.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_append_faillog',`
+	gen_require(`
+		type faillog_t;
+		class file { getattr append };
+	')
+
+	logging_search_logs($1)
+	allow $1 faillog_t:file { getattr append };
+')
+
 #######################################
 #
 # auth_rw_faillog(domain)
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -167,6 +167,8 @@ dev_getattr_snd_dev(pam_console_t)
 dev_setattr_snd_dev(pam_console_t)
 dev_getattr_video_dev(pam_console_t)
 dev_setattr_video_dev(pam_console_t)
+dev_getattr_xserver_misc_dev(pam_console_t)
+dev_setattr_xserver_misc_dev(pam_console_t)

 fs_search_auto_mountpoints(pam_console_t)

--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@ -186,8 +186,8 @@ dev_read_sysfs(sysfs_t)
 # perhaps this should be blk_files?
 dev_relabel_generic_symlinks(lvm_t)
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dev_dontaudit_getattr_all_chr_files(lvm_t)
-dev_dontaudit_getattr_all_blk_files(lvm_t)
+dev_dontaudit_read_all_chr_files(lvm_t)
+dev_dontaudit_read_all_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_chr_file(lvm_t)
 dev_dontaudit_getattr_generic_blk_file(lvm_t)
 dev_dontaudit_getattr_generic_pipe(lvm_t)
@ -264,4 +264,5 @@ optional_policy(`gnome-pty-helper.te', `
 optional_policy(`rhgb.te',`
 rhgb_domain(lvm_t)
 ')
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;
 ') dnl end TODO
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@ -70,10 +70,10 @@ interface(`miscfiles_legacy_read_localization',`

 ########################################
 ## <summary>
-##	Allow process to read man pages
+##	Read man pages
 ## </summary>
 ## <param name="domain">
-##	Type type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`miscfiles_read_man_pages',`
@ -90,6 +90,51 @@ interface(`miscfiles_read_man_pages',`
 	allow $1 man_t:lnk_file r_file_perms;
 ')

+########################################
+## <summary>
+##	Delete man pages
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+# cjp: added for tmpreaper
+#
+interface(`miscfiles_delete_man_pages',`
+	gen_require(`
+		type man_t;
+		class dir { setattr rw_dir_perms rmdir };
+		class file { getattr unlink };
+		class lnk_file { getattr unlink };
+	')
+
+	files_search_usr($1)
+	allow $1 man_t:dir { setattr rw_dir_perms rmdir };
+	allow $1 man_t:file { getattr unlink };
+	allow $1 man_t:lnk_file { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete man pages
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`miscfiles_manage_man_pages',`
+	gen_require(`
+		type man_t;
+		class dir create_dir_perms;
+		class file create_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	files_search_usr($1)
+	allow $1 man_t:dir create_dir_perms;
+	allow $1 man_t:file create_file_perms;
+	allow $1 man_t:lnk_file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read TeX data
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -127,9 +127,12 @@ optional_policy(`rpm.te',`
 	rpm_rw_pipe(insmod_t)
 ')

-#optional_policy(`xserver.te',`
-#	xserver_getattr_log(insmod_t)
-#')
+ifdef(`TODO',`
+optional_policy(`xserver.te',`
+	xserver_getattr_log(insmod_t)
+	allow insmod_t xserver_misc_device_t:chr_file { read write };
+')
+')

 ########################################
 #
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@ -43,7 +43,7 @@ fs_getattr_xattr_fs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
-fs_relabelfrom_xattr_fs(mount_t)
+fs_relabelfrom_all_fs(mount_t)
 fs_search_auto_mountpoints(mount_t)
 fs_use_tmpfs_chr_dev(mount_t)

--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@ -11,9 +11,6 @@
 interface(`pcmcia_domtrans_cardmgr',`
 	gen_require(`
 		type cardmgr_t, cardmgr_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')

 	domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
@ -24,6 +21,22 @@ interface(`pcmcia_domtrans_cardmgr',`
 	allow cardmgr_t $1:process sigchld;
 ')

+########################################
+## <summary>
+##	Inherit and use file descriptors from cardmgr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`pcmcia_use_cardmgr_fd',`
+	gen_require(`
+		type cardmgr_t;
+	')
+
+	allow $1 cardmgr_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Execute cardctl in the cardmgr domain.
@ -35,9 +48,6 @@ interface(`pcmcia_domtrans_cardmgr',`
 interface(`pcmcia_domtrans_cardctl',`
 	gen_require(`
 		type cardmgr_t, cardctl_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')

 	domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
@ -66,7 +76,6 @@ interface(`pcmcia_domtrans_cardctl',`
 interface(`pcmcia_run_cardctl',`
 	gen_require(`
 		type cardmgr_t;
-		class chr_file rw_term_perms;
 	')

 	pcmcia_domtrans_cardctl($1)
@ -85,8 +94,6 @@ interface(`pcmcia_run_cardctl',`
 interface(`pcmcia_read_pid',`
 	gen_require(`
 		type cardmgr_var_run_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')

 	files_search_pids($1)
@ -106,8 +113,6 @@ interface(`pcmcia_read_pid',`
 interface(`pcmcia_manage_pid',`
 	gen_require(`
 		type cardmgr_var_run_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
 	')

 	files_search_pids($1)
@ -127,8 +132,6 @@ interface(`pcmcia_manage_pid',`
 interface(`pcmcia_manage_runtime_chr',`
 	gen_require(`
 		type cardmgr_var_run_t;
-		class dir rw_dir_perms;
-		class chr_file create_file_perms;
 	')

 	files_search_pids($1)
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@ -288,6 +288,8 @@ selinux_compute_relabel_context(restorecon_t)
 selinux_compute_user_contexts(restorecon_t)

 term_use_unallocated_tty(restorecon_t)
+term_use_all_user_ttys(restorecon_t)
+term_use_all_user_ptys(restorecon_t)

 init_use_fd(restorecon_t)
 init_use_script_pty(restorecon_t)
@ -332,6 +334,9 @@ ifdef(`TODO',`
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')
 ') dnl endif TODO

 #################################
--- a/strict/domains/misc/kernel.te
+++ b/strict/domains/misc/kernel.te
@ -28,6 +28,11 @@ allow kernel_t { usbfs_t usbdevfs_t }:dir search;
 # Run init in the init_t domain.
 domain_auto_trans(kernel_t, init_exec_t, init_t)

+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+
 # Share state with the init process.
 allow kernel_t init_t:process share;

@ -65,4 +70,6 @@ can_loadpol(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 can_exec(kernel_t, bin_t)

-
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@ -128,9 +128,8 @@ allow system_crond_t var_lib_t:dir rw_dir_perms;
 allow system_crond_t var_lib_t:file create_file_perms;

 # Update whatis files.
-allow system_crond_t catman_t:dir create_dir_perms;
-allow system_crond_t catman_t:file create_file_perms;
-allow system_crond_t man_t:file r_file_perms;
+allow system_crond_t man_t:dir create_dir_perms;
+allow system_crond_t man_t:file create_file_perms;
 allow system_crond_t man_t:lnk_file read;

 # Write /var/lock/makewhatis.lock.
--- a/strict/domains/program/lvm.te
+++ b/strict/domains/program/lvm.te
@ -97,10 +97,11 @@ allow lvm_t devpts_t:dir { search getattr read };
 read_locale(lvm_t)

 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
+dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };
 dontaudit lvm_t ttyfile:chr_file getattr;
 dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
 dontaudit lvm_t devpts_t:dir { getattr read };
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;

 ifdef(`gpm.te', `
 dontaudit lvm_t gpmctl_t:sock_file getattr;
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@ -116,6 +116,7 @@ allow insmod_t modules_object_t:file write;
 allow insmod_t { var_t var_log_t }:dir search;
 ifdef(`xserver.te', `
 allow insmod_t xserver_log_t:file getattr;
+allow insmod_t xserver_misc_device_t:chr_file { read write };
 ')
 rw_dir_create_file(insmod_t, var_log_ksyms_t)
 allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
--- a/strict/domains/program/mount.te
+++ b/strict/domains/program/mount.te
@ -68,7 +68,7 @@ rhgb_domain(mount_t)
 # for localization
 allow mount_t lib_t:file { getattr read };
 allow mount_t autofs_t:dir read;
-allow mount_t fs_t:filesystem relabelfrom;
+allow mount_t fs_type:filesystem relabelfrom;
 #
 # This rule needs to be generalized.  Only admin, initrc should have it.
 #
--- a/strict/domains/program/mysqld.te
+++ b/strict/domains/program/mysqld.te
@ -88,4 +88,7 @@ allow userdomain mysqld_var_run_t:sock_file write;
 }
 ')

+ifdef(`crond.te', `
+allow system_crond_t mysqld_etc_t:file { getattr read };
+')
 allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
--- a/strict/domains/program/pamconsole.te
+++ b/strict/domains/program/pamconsole.te
@ -30,7 +30,7 @@ r_dir_file(pam_console_t, pam_var_console_t)
 allow pam_console_t device_t:dir { getattr read };
 allow pam_console_t device_t:lnk_file { getattr read };
 # mouse_device_t is for joy sticks
-allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
 allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };

 allow pam_console_t mnt_t:dir r_dir_perms;
--- a/strict/domains/program/ping.te
+++ b/strict/domains/program/ping.te
@ -17,7 +17,9 @@ role system_r types ping_t;
 in_user_role(ping_t)
 type ping_exec_t, file_type, sysadmfile, exec_type;

-ifdef(`targeted_policy', `', `
+ifdef(`targeted_policy', `
+	allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
+', `
 bool user_ping false;

 if (user_ping) {
@ -55,4 +57,7 @@ dontaudit ping_t fs_t:filesystem getattr;
 dontaudit ping_t var_t:dir search;
 dontaudit ping_t devtty_t:chr_file { read write };
 dontaudit ping_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms', `
+allow ping_t init_t:fd use;
+')

--- a/strict/domains/program/portmap.te
+++ b/strict/domains/program/portmap.te
@ -58,7 +58,7 @@ role system_r types portmap_helper_t;
 domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
 dontaudit portmap_helper_t self:capability { net_admin };
 allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
 file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
 allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 can_network(portmap_helper_t)
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@ -17,11 +17,12 @@ type restorecon_exec_t, file_type, sysadmfile, exec_type;

 role system_r types restorecon_t;
 role sysadm_r types restorecon_t;
+role secadm_r types restorecon_t;

 allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };

-domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t)
+domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
 allow restorecon_t { userdomain init_t privfd }:fd use;

 uses_shlib(restorecon_t)
@ -44,6 +45,9 @@ allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr rela
 ifdef(`distro_redhat', `
 allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
 ')
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')

 allow restorecon_t ptyfile:chr_file getattr;

--- a/strict/domains/program/rpm.te
+++ b/strict/domains/program/rpm.te
@ -114,7 +114,7 @@ allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;

 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;

-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
@ -194,6 +194,7 @@ domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)

 domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
 domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
+role sysadm_r types initrc_t;
 domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
 ifdef(`bootloader.te', `
 domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
--- a/strict/domains/program/rsync.te
+++ b/strict/domains/program/rsync.te
@ -14,6 +14,6 @@
 inetd_child_domain(rsync)
 type rsync_data_t, file_type, sysadmfile;
 r_dir_file(rsync_t, rsync_data_t)
-r_dir_file(rsync_t, ftpd_anon_t)
+anonymous_domain(rsync)


--- a/strict/domains/program/samba.te
+++ b/strict/domains/program/samba.te
@ -79,6 +79,7 @@ allow smbd_t usr_t:file { getattr read };

 # Access Samba shares.
 create_dir_file(smbd_t, samba_share_t)
+anonymous_domain(smbd)

 ifdef(`logrotate.te', `
 # the application should be changed
--- a/strict/domains/program/ssh.te
+++ b/strict/domains/program/ssh.te
@ -115,6 +115,9 @@ can_create_pty($1, `, server_pty')
 allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
 dontaudit sshd_t userpty_type:chr_file relabelfrom;

+allow $1_t faillog_t:file { append getattr };
+allow $1_t sbin_t:file getattr;
+
 # Allow checking users mail at login
 allow $1_t { var_spool_t mail_spool_t }:dir search;
 allow $1_t mail_spool_t:lnk_file read;
--- a/strict/domains/program/tmpreaper.te
+++ b/strict/domains/program/tmpreaper.te
@ -16,8 +16,8 @@ role system_r types tmpreaper_t;
 system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
 uses_shlib(tmpreaper_t)
 # why does it need setattr?
-allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir };
-allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
+allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
+allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t self:process { fork sigchld };
 allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
--- a/strict/macros/core_macros.te
+++ b/strict/macros/core_macros.te
@ -361,6 +361,7 @@ define(`can_loadpol',`
 # Get the selinuxfs mount point via /proc/self/mounts.
 allow $1 proc_t:dir search;
 allow $1 proc_t:lnk_file read;
+allow $1 proc_t:file { getattr read };
 allow $1 self:dir search;
 allow $1 self:file { getattr read };
 # Access selinuxfs.
--- a/strict/macros/global_macros.te
+++ b/strict/macros/global_macros.te
@ -594,6 +594,18 @@ allow $1 self:capability sys_admin;

 ')dnl end polyinstantiater

+# 
+# Domain that is allow to read anonymous data off the network
+# without providing authentication.
+# Also define boolean to allow anonymous writing
+#
+define(`anonymous_domain', `
+r_dir_file($1_t, ftpd_anon_t)
+bool allow_$1_anon_write false;
+if (allow_$1_anon_write) {
+create_dir_file($1_t,ftpd_anon_rw_t)
+}
+')
 # 
 # Define a domain that can do anything, so that it is
 # effectively unconfined by the SELinux policy.  This
@ -727,3 +739,15 @@ allow $1 removable_device_t:blk_file r_file_perms;
 allow $1 removable_t:filesystem getattr;

 ')
+
+define(`authentication_domain', `
+can_ypbind($1)
+can_kerberos($1)
+can_ldap($1)
+can_resolve($1)
+can_winbind($1)
+r_dir_file($1, cert_t)
+allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
+allow $1 self:capability { audit_write audit_control };
+dontaudit $1 shadow_t:file { getattr read };
+')
--- a/strict/macros/network_macros.te
+++ b/strict/macros/network_macros.te
@ -16,9 +16,7 @@ allow $1 self:$2_socket connected_socket_perms;
 # Allow the domain to send or receive using any network interface.
 # netif_type is a type attribute for all network interface types.
 #
-allow $1 netif_type:netif { $2_send rawip_send };
-allow $1 netif_type:netif { $2_recv rawip_recv };
-
+allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
 #
 # Allow the domain to send to or receive from any node.
 # node_type is a type attribute for all node types.