more upstream merging

refpolicy/policy/modules/admin/netutils.te

@@ -121,9 +121,18 @@ sysnet_dns_name_resolve(ping_t)
 
 logging_send_syslog_msg(ping_t)
 
-tunable_policy(`user_ping',`
+ifdef(`hide_broken_symptoms',`
+	init_dontaudit_use_fd(ping_t)
+')
+
+ifdef(`targeted_policy',`
 	term_use_all_user_ttys(ping_t)
 	term_use_all_user_ptys(ping_t)
+',`
+	tunable_policy(`user_ping',`
+		term_use_all_user_ttys(ping_t)
+		term_use_all_user_ptys(ping_t)
+	')
 ')
 
 optional_policy(`nis.te',`
@@ -134,6 +143,10 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(ping_t)
 ')
 
+optional_policy(`pcmcia.te',`
+	pcmcia_use_cardmgr_fd(ping_t)
+')
+
 optional_policy(`sysnetwork.te',`
 	optional_policy(`hotplug.te',`
 		hotplug_use_fd(ping_t)
@@ -146,9 +159,6 @@ tunable_policy(`user_ping',`
 	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
 	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
 ')
-ifdef(`cardmgr.te',`
-	allow ping_t cardmgr_t:fd use;
-')
 ') dnl end TODO
 
 ########################################

refpolicy/policy/modules/admin/rpm.te

@@ -6,10 +6,11 @@ policy_module(rpm,1.0)
 # Declarations
 #
 
-type rpm_t; #, admin, privmem, priv_system_role;
+type rpm_t; #, priv_system_role;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
 domain_obj_id_change_exempt(rpm_t)
+domain_role_change_exempt(rpm_t)
 domain_wide_inherit_fd(rpm_t)
 role system_r types rpm_t;
 
@@ -179,6 +180,8 @@ optional_policy(`nis.te',`
 ')
 
 ifdef(`TODO',`
+# cjp: this seems way out of place
+role sysadm_r types initrc_t;
 
 type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
 

refpolicy/policy/modules/admin/tmpreaper.te

@@ -37,6 +37,7 @@ libs_use_shared_libs(tmpreaper_t)
 logging_send_syslog_msg(tmpreaper_t)
 
 miscfiles_read_localization(tmpreaper_t)
+miscfiles_delete_man_pages(tmpreaper_t)
 
 cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
 

refpolicy/policy/modules/kernel/devices.if

@@ -673,6 +673,38 @@ interface(`dev_setattr_all_chr_files',`
 	allow $1 device_node:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Dontaudit read on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_read_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:blk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Dontaudit read on all character file device nodes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_read_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:chr_file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Read, write, create, and delete all block device files.
@@ -2169,6 +2201,44 @@ interface(`dev_dontaudit_setattr_video_dev',`
 	dontaudit $1 v4l_device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_setattr_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write to the zero device (/dev/zero).

refpolicy/policy/modules/kernel/filesystem.if

@@ -1967,6 +1967,23 @@ interface(`fs_set_all_quotas',`
 	allow $1 filesystem_type:filesystem quotamod;
 ')
 
+########################################
+## <summary>
+##	Relabelfrom all filesystems.
+## </summary>
+## <param name="domain">
+##	The type of the domain doing the
+##	getattr on the filesystem.
+## </param>
+#
+interface(`fs_relabelfrom_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem relabelfrom;
+')
+
 ########################################
 ## <summary>
 ##	List all directories with a filesystem type.

refpolicy/policy/modules/kernel/kernel.te

@@ -203,6 +203,16 @@ files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
 
+ifdef(`TODO',`
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+') dnl end TODO
+
 ########################################
 #
 # Unlabeled process local policy

refpolicy/policy/modules/services/cron.te

@@ -287,7 +287,7 @@ logging_read_generic_logs(system_crond_t)
 logging_send_syslog_msg(system_crond_t)
 
 miscfiles_read_localization(system_crond_t)
-miscfiles_read_man_pages(system_crond_t)
+miscfiles_manage_man_pages(system_crond_t)
 
 seutil_read_config(system_crond_t)
 
@@ -311,6 +311,10 @@ tunable_policy(`cron_can_relabel',`
 	seutil_read_file_contexts(system_crond_t)
 ')
 
+optional_policy(`mysql.te',`
+	mysql_read_config(system_crond_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(system_crond_t)
 ')

refpolicy/policy/modules/services/rsync.te

@@ -88,5 +88,5 @@ optional_policy(`nscd.te',`
 ')
 
 ifdef(`TODO',`
-r_dir_file(rsync_t, ftpd_anon_t)
+anonymous_domain(rsync)
 ') dnl end TODO

refpolicy/policy/modules/services/samba.te

@@ -279,6 +279,7 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(smbd_t)
 ')
+anonymous_domain(smbd)
 can_winbind(smbd_t)
 ')
 

refpolicy/policy/modules/services/ssh.if

@@ -438,8 +438,10 @@ template(`ssh_server_template', `
 	auth_domtrans_chk_passwd($1_t)
 	auth_rw_login_records($1_t)
 	auth_rw_lastlog($1_t)
+	auth_append_faillog($1_t)
 
 	corecmd_read_bin_symlink($1_t)
+	corecmd_getattr_bin_file($1_t)
 	# for sshd subsystems, such as sftp-server.
 	corecmd_getattr_bin_file($1_t)
 

refpolicy/policy/modules/system/authlogin.if

@@ -380,6 +380,24 @@ interface(`auth_relabelto_shadow',`
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
+#######################################
+## <summary>
+##	Append to the login failure log.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_append_faillog',`
+	gen_require(`
+		type faillog_t;
+		class file { getattr append };
+	')
+
+	logging_search_logs($1)
+	allow $1 faillog_t:file { getattr append };
+')
+
 #######################################
 #
 # auth_rw_faillog(domain)

refpolicy/policy/modules/system/authlogin.te

@@ -167,6 +167,8 @@ dev_getattr_snd_dev(pam_console_t)
 dev_setattr_snd_dev(pam_console_t)
 dev_getattr_video_dev(pam_console_t)
 dev_setattr_video_dev(pam_console_t)
+dev_getattr_xserver_misc_dev(pam_console_t)
+dev_setattr_xserver_misc_dev(pam_console_t)
 
 fs_search_auto_mountpoints(pam_console_t)
 

refpolicy/policy/modules/system/lvm.te

@@ -186,8 +186,8 @@ dev_read_sysfs(sysfs_t)
 # perhaps this should be blk_files?
 dev_relabel_generic_symlinks(lvm_t)
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dev_dontaudit_getattr_all_chr_files(lvm_t)
+dev_dontaudit_read_all_chr_files(lvm_t)
-dev_dontaudit_getattr_all_blk_files(lvm_t)
+dev_dontaudit_read_all_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_chr_file(lvm_t)
 dev_dontaudit_getattr_generic_blk_file(lvm_t)
 dev_dontaudit_getattr_generic_pipe(lvm_t)
@@ -264,4 +264,5 @@ optional_policy(`gnome-pty-helper.te', `
 optional_policy(`rhgb.te',`
 rhgb_domain(lvm_t)
 ')
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;
 ') dnl end TODO

refpolicy/policy/modules/system/miscfiles.if

@@ -70,10 +70,10 @@ interface(`miscfiles_legacy_read_localization',`
 
 ########################################
 ## <summary>
-##	Allow process to read man pages
+##	Read man pages
 ## </summary>
 ## <param name="domain">
-##	Type type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`miscfiles_read_man_pages',`
@@ -90,6 +90,51 @@ interface(`miscfiles_read_man_pages',`
 	allow $1 man_t:lnk_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Delete man pages
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+# cjp: added for tmpreaper
+#
+interface(`miscfiles_delete_man_pages',`
+	gen_require(`
+		type man_t;
+		class dir { setattr rw_dir_perms rmdir };
+		class file { getattr unlink };
+		class lnk_file { getattr unlink };
+	')
+
+	files_search_usr($1)
+	allow $1 man_t:dir { setattr rw_dir_perms rmdir };
+	allow $1 man_t:file { getattr unlink };
+	allow $1 man_t:lnk_file { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete man pages
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`miscfiles_manage_man_pages',`
+	gen_require(`
+		type man_t;
+		class dir create_dir_perms;
+		class file create_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	files_search_usr($1)
+	allow $1 man_t:dir create_dir_perms;
+	allow $1 man_t:file create_file_perms;
+	allow $1 man_t:lnk_file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read TeX data

refpolicy/policy/modules/system/modutils.te

@@ -127,9 +127,12 @@ optional_policy(`rpm.te',`
 	rpm_rw_pipe(insmod_t)
 ')
 
-#optional_policy(`xserver.te',`
+ifdef(`TODO',`
-#	xserver_getattr_log(insmod_t)
+optional_policy(`xserver.te',`
-#')
+	xserver_getattr_log(insmod_t)
+	allow insmod_t xserver_misc_device_t:chr_file { read write };
+')
+')
 
 ########################################
 #

refpolicy/policy/modules/system/mount.te

@@ -43,7 +43,7 @@ fs_getattr_xattr_fs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
-fs_relabelfrom_xattr_fs(mount_t)
+fs_relabelfrom_all_fs(mount_t)
 fs_search_auto_mountpoints(mount_t)
 fs_use_tmpfs_chr_dev(mount_t)
 

refpolicy/policy/modules/system/pcmcia.if

@@ -11,9 +11,6 @@
 interface(`pcmcia_domtrans_cardmgr',`
 	gen_require(`
 		type cardmgr_t, cardmgr_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
@@ -24,6 +21,22 @@ interface(`pcmcia_domtrans_cardmgr',`
 	allow cardmgr_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Inherit and use file descriptors from cardmgr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`pcmcia_use_cardmgr_fd',`
+	gen_require(`
+		type cardmgr_t;
+	')
+
+	allow $1 cardmgr_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Execute cardctl in the cardmgr domain.
@@ -35,9 +48,6 @@ interface(`pcmcia_domtrans_cardmgr',`
 interface(`pcmcia_domtrans_cardctl',`
 	gen_require(`
 		type cardmgr_t, cardctl_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
@@ -66,7 +76,6 @@ interface(`pcmcia_domtrans_cardctl',`
 interface(`pcmcia_run_cardctl',`
 	gen_require(`
 		type cardmgr_t;
-		class chr_file rw_term_perms;
 	')
 
 	pcmcia_domtrans_cardctl($1)
@@ -85,8 +94,6 @@ interface(`pcmcia_run_cardctl',`
 interface(`pcmcia_read_pid',`
 	gen_require(`
 		type cardmgr_var_run_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')
 
 	files_search_pids($1)
@@ -106,8 +113,6 @@ interface(`pcmcia_read_pid',`
 interface(`pcmcia_manage_pid',`
 	gen_require(`
 		type cardmgr_var_run_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
 	')
 
 	files_search_pids($1)
@@ -127,8 +132,6 @@ interface(`pcmcia_manage_pid',`
 interface(`pcmcia_manage_runtime_chr',`
 	gen_require(`
 		type cardmgr_var_run_t;
-		class dir rw_dir_perms;
-		class chr_file create_file_perms;
 	')
 
 	files_search_pids($1)

refpolicy/policy/modules/system/selinuxutil.te

@@ -288,6 +288,8 @@ selinux_compute_relabel_context(restorecon_t)
 selinux_compute_user_contexts(restorecon_t)
 
 term_use_unallocated_tty(restorecon_t)
+term_use_all_user_ttys(restorecon_t)
+term_use_all_user_ptys(restorecon_t)
 
 init_use_fd(restorecon_t)
 init_use_script_pty(restorecon_t)
@@ -332,6 +334,9 @@ ifdef(`TODO',`
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')
 ') dnl endif TODO
 
 #################################

strict/domains/misc/kernel.te

@@ -28,6 +28,11 @@ allow kernel_t { usbfs_t usbdevfs_t }:dir search;
 # Run init in the init_t domain.
 domain_auto_trans(kernel_t, init_exec_t, init_t)
 
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+
 # Share state with the init process.
 allow kernel_t init_t:process share;
 
@@ -65,4 +70,6 @@ can_loadpol(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 can_exec(kernel_t, bin_t)
 
-
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')

strict/domains/program/crond.te

@@ -128,9 +128,8 @@ allow system_crond_t var_lib_t:dir rw_dir_perms;
 allow system_crond_t var_lib_t:file create_file_perms;
 
 # Update whatis files.
-allow system_crond_t catman_t:dir create_dir_perms;
+allow system_crond_t man_t:dir create_dir_perms;
-allow system_crond_t catman_t:file create_file_perms;
+allow system_crond_t man_t:file create_file_perms;
-allow system_crond_t man_t:file r_file_perms;
 allow system_crond_t man_t:lnk_file read;
 
 # Write /var/lock/makewhatis.lock.

strict/domains/program/lvm.te

@@ -97,10 +97,11 @@ allow lvm_t devpts_t:dir { search getattr read };
 read_locale(lvm_t)
 
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
+dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };
 dontaudit lvm_t ttyfile:chr_file getattr;
 dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
 dontaudit lvm_t devpts_t:dir { getattr read };
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;
 
 ifdef(`gpm.te', `
 dontaudit lvm_t gpmctl_t:sock_file getattr;

strict/domains/program/modutil.te

@@ -116,6 +116,7 @@ allow insmod_t modules_object_t:file write;
 allow insmod_t { var_t var_log_t }:dir search;
 ifdef(`xserver.te', `
 allow insmod_t xserver_log_t:file getattr;
+allow insmod_t xserver_misc_device_t:chr_file { read write };
 ')
 rw_dir_create_file(insmod_t, var_log_ksyms_t)
 allow insmod_t { etc_t etc_runtime_t }:file { getattr read };

strict/domains/program/mount.te

@@ -68,7 +68,7 @@ rhgb_domain(mount_t)
 # for localization
 allow mount_t lib_t:file { getattr read };
 allow mount_t autofs_t:dir read;
-allow mount_t fs_t:filesystem relabelfrom;
+allow mount_t fs_type:filesystem relabelfrom;
 #
 # This rule needs to be generalized.  Only admin, initrc should have it.
 #

strict/domains/program/mysqld.te

@@ -88,4 +88,7 @@ allow userdomain mysqld_var_run_t:sock_file write;
 }
 ')
 
+ifdef(`crond.te', `
+allow system_crond_t mysqld_etc_t:file { getattr read };
+')
 allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;

strict/domains/program/pamconsole.te

@@ -30,7 +30,7 @@ r_dir_file(pam_console_t, pam_var_console_t)
 allow pam_console_t device_t:dir { getattr read };
 allow pam_console_t device_t:lnk_file { getattr read };
 # mouse_device_t is for joy sticks
-allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
 allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
 
 allow pam_console_t mnt_t:dir r_dir_perms;

strict/domains/program/ping.te

@@ -17,7 +17,9 @@ role system_r types ping_t;
 in_user_role(ping_t)
 type ping_exec_t, file_type, sysadmfile, exec_type;
 
-ifdef(`targeted_policy', `', `
+ifdef(`targeted_policy', `
+	allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
+', `
 bool user_ping false;
 
 if (user_ping) {
@@ -55,4 +57,7 @@ dontaudit ping_t fs_t:filesystem getattr;
 dontaudit ping_t var_t:dir search;
 dontaudit ping_t devtty_t:chr_file { read write };
 dontaudit ping_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms', `
+allow ping_t init_t:fd use;
+')
 

strict/domains/program/portmap.te

@@ -58,7 +58,7 @@ role system_r types portmap_helper_t;
 domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
 dontaudit portmap_helper_t self:capability { net_admin };
 allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
 file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
 allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 can_network(portmap_helper_t)

strict/domains/program/restorecon.te

@@ -17,11 +17,12 @@ type restorecon_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types restorecon_t;
 role sysadm_r types restorecon_t;
+role secadm_r types restorecon_t;
 
 allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
 
-domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t)
+domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
 allow restorecon_t { userdomain init_t privfd }:fd use;
 
 uses_shlib(restorecon_t)
@@ -44,6 +45,9 @@ allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr rela
 ifdef(`distro_redhat', `
 allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
 ')
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')
 
 allow restorecon_t ptyfile:chr_file getattr;
 

strict/domains/program/rpm.te

@@ -114,7 +114,7 @@ allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
 
 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
@@ -194,6 +194,7 @@ domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
 
 domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
 domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
+role sysadm_r types initrc_t;
 domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
 ifdef(`bootloader.te', `
 domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)

strict/domains/program/rsync.te

@@ -14,6 +14,6 @@
 inetd_child_domain(rsync)
 type rsync_data_t, file_type, sysadmfile;
 r_dir_file(rsync_t, rsync_data_t)
-r_dir_file(rsync_t, ftpd_anon_t)
+anonymous_domain(rsync)
 
 

strict/domains/program/samba.te

@@ -79,6 +79,7 @@ allow smbd_t usr_t:file { getattr read };
 
 # Access Samba shares.
 create_dir_file(smbd_t, samba_share_t)
+anonymous_domain(smbd)
 
 ifdef(`logrotate.te', `
 # the application should be changed

strict/domains/program/ssh.te

@@ -115,6 +115,9 @@ can_create_pty($1, `, server_pty')
 allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
 dontaudit sshd_t userpty_type:chr_file relabelfrom;
 
+allow $1_t faillog_t:file { append getattr };
+allow $1_t sbin_t:file getattr;
+
 # Allow checking users mail at login
 allow $1_t { var_spool_t mail_spool_t }:dir search;
 allow $1_t mail_spool_t:lnk_file read;

strict/domains/program/tmpreaper.te

@@ -16,8 +16,8 @@ role system_r types tmpreaper_t;
 system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
 uses_shlib(tmpreaper_t)
 # why does it need setattr?
-allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir };
+allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
-allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
+allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t self:process { fork sigchld };
 allow tmpreaper_t self:capability { dac_override dac_read_search fowner };

strict/macros/core_macros.te

@@ -361,6 +361,7 @@ define(`can_loadpol',`
 # Get the selinuxfs mount point via /proc/self/mounts.
 allow $1 proc_t:dir search;
 allow $1 proc_t:lnk_file read;
+allow $1 proc_t:file { getattr read };
 allow $1 self:dir search;
 allow $1 self:file { getattr read };
 # Access selinuxfs.

strict/macros/global_macros.te

@@ -594,6 +594,18 @@ allow $1 self:capability sys_admin;
 
 ')dnl end polyinstantiater
 
+# 
+# Domain that is allow to read anonymous data off the network
+# without providing authentication.
+# Also define boolean to allow anonymous writing
+#
+define(`anonymous_domain', `
+r_dir_file($1_t, ftpd_anon_t)
+bool allow_$1_anon_write false;
+if (allow_$1_anon_write) {
+create_dir_file($1_t,ftpd_anon_rw_t)
+}
+')
 # 
 # Define a domain that can do anything, so that it is
 # effectively unconfined by the SELinux policy.  This
@@ -727,3 +739,15 @@ allow $1 removable_device_t:blk_file r_file_perms;
 allow $1 removable_t:filesystem getattr;
 
 ')
+
+define(`authentication_domain', `
+can_ypbind($1)
+can_kerberos($1)
+can_ldap($1)
+can_resolve($1)
+can_winbind($1)
+r_dir_file($1, cert_t)
+allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
+allow $1 self:capability { audit_write audit_control };
+dontaudit $1 shadow_t:file { getattr read };
+')

strict/macros/network_macros.te

@@ -16,9 +16,7 @@ allow $1 self:$2_socket connected_socket_perms;
 # Allow the domain to send or receive using any network interface.
 # netif_type is a type attribute for all network interface types.
 #
-allow $1 netif_type:netif { $2_send rawip_send };
+allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
-allow $1 netif_type:netif { $2_recv rawip_recv };
-
 #
 # Allow the domain to send to or receive from any node.
 # node_type is a type attribute for all node types.