another pile o fixes

refpolicy/policy/modules/admin/amanda.te

@@ -37,10 +37,16 @@ files_type(amanda_gnutarlists_t)
 type amanda_user_exec_t;
 files_type(amanda_user_exec_t)
 
+# temp:
+typeattribute amanda_user_exec_t entry_type;
+
 # type for same awk and other scripts
 type amanda_script_exec_t;
 files_type(amanda_script_exec_t)
 
+# temp:
+typeattribute amanda_user_exec_t entry_type;
+
 # type for the shell configuration files 
 type amanda_shellconfig_t;
 files_type(amanda_shellconfig_t)

refpolicy/policy/modules/admin/netutils.te

@@ -73,8 +73,15 @@ logging_send_syslog_msg(netutils_t)
 
 miscfiles_read_localization(netutils_t)
 
+sysnet_read_config(netutils_t)
+
 userdom_use_all_user_fd(netutils_t)
 
+ifdef(`targeted_policy',`
+	term_use_generic_pty(netutils_t)
+	term_use_unallocated_tty(netutils_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(netutils_t)
 ')

refpolicy/policy/modules/services/kerberos.te

@@ -55,9 +55,10 @@ files_pid_file(krb5kdc_var_run_t)
 # Use capabilities. Surplus capabilities may be allowed.
 allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
 dontaudit kadmind_t self:capability sys_tty_config;
-allow kadmind_t self:tcp_socket connected_stream_socket_perms;
 allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
 allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
+allow kadmind_t self:udp_socket create_socket_perms;
 
 allow kadmind_t kadmind_log_t:file create_file_perms;
 logging_create_log(kadmind_t,kadmind_log_t)
@@ -77,7 +78,8 @@ allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
 allow kadmind_t kadmind_tmp_t:file create_file_perms;
 files_create_tmp_files(kadmind_t, kadmind_tmp_t, { file dir })
 
-allow kadmind_t kadmind_var_run_t:file { getattr create read write append setattr unlink };
+allow kadmind_t kadmind_var_run_t:file create_file_perms;
+allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
 files_create_pid(kadmind_t,kadmind_var_run_t)
 
 kernel_read_kernel_sysctl(kadmind_t)

refpolicy/policy/modules/services/ktalk.te

@@ -43,6 +43,7 @@ allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
 files_create_tmp_files(ktalkd_t, ktalkd_tmp_t, { file dir })
 
 allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
+allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
 files_create_pid(ktalkd_t,ktalkd_var_run_t)
 
 kernel_read_kernel_sysctl(ktalkd_t)

refpolicy/policy/modules/services/ldap.te

@@ -37,6 +37,7 @@ dontaudit slapd_t self:capability sys_tty_config;
 allow slapd_t self:process setsched;
 allow slapd_t self:fifo_file { read write };
 allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+allow slapd_t self:udp_socket create_socket_perms;
 
 # Allow access to the slapd databases
 allow slapd_t slapd_db_t:dir create_dir_perms;
@@ -97,8 +98,11 @@ libs_use_shared_libs(slapd_t)
 
 logging_send_syslog_msg(slapd_t)
 
+miscfiles_read_certs(slapd_t)
 miscfiles_read_localization(slapd_t)
 
+sysnet_read_config(slapd_t)
+
 userdom_dontaudit_use_unpriv_user_fd(slapd_t)
 userdom_dontaudit_search_sysadm_home_dir(slapd_t)
 
@@ -121,7 +125,6 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-r_dir_file(slapd_t, cert_t)
 optional_policy(`rhgb.te',`
 	rhgb_domain(slapd_t)
 ')

refpolicy/policy/modules/services/mysql.te

@@ -42,8 +42,11 @@ allow mysqld_t self:udp_socket create_socket_perms;
 allow mysqld_t mysqld_db_t:dir create_dir_perms;
 allow mysqld_t mysqld_db_t:file create_file_perms;
 allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
+files_create_var_lib(mysqld_t,mysqld_db_t,{ dir file })
 
 allow mysqld_t mysqld_etc_t:file { getattr read };
+allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
 
 allow mysqld_t mysqld_log_t:file create_file_perms;
 logging_create_log(mysqld_t,mysqld_log_t)

refpolicy/policy/modules/services/nscd.te

@@ -49,6 +49,7 @@ logging_create_log(nscd_t,nscd_log_t)
 
 allow nscd_t nscd_var_run_t:file create_file_perms;
 allow nscd_t nscd_var_run_t:sock_file create_file_perms;
+allow nscd_t nscd_var_run_t:dir rw_dir_perms;
 files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file })
 
 kernel_read_kernel_sysctl(nscd_t)
@@ -110,7 +111,10 @@ sysnet_read_config(nscd_t)
 userdom_dontaudit_use_unpriv_user_fd(nscd_t)
 userdom_dontaudit_search_sysadm_home_dir(nscd_t)
 
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+	term_use_unallocated_tty(nscd_t)
+	term_use_generic_pty(nscd_t)
+
 	term_dontaudit_use_unallocated_tty(nscd_t)
 	term_dontaudit_use_generic_pty(nscd_t)
 	files_dontaudit_read_root_file(nscd_t)
@@ -120,23 +124,22 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(nscd_t)
 ')
 
+optional_policy(`samba.te',`
+	samba_connect_winbind(nscd_t)
+')
+
 optional_policy(`udev.te', `
 	udev_read_db(nscd_t)
 ')
 
 ifdef(`TODO',`
 optional_policy(`winbind.te', `
-	# Handle winbind for samba, Might only be needed for targeted policy
-
-	allow nscd_t winbind_var_run_t:sock_file { read write getattr };
-	can_unix_connect(nscd_t, winbind_t)
 	allow nscd_t samba_var_t:dir search;
-	allow nscd_t winbind_var_run_t:dir { getattr search };
 ')
 optional_policy(`rhgb.te',`
 	rhgb_domain(nscd_t)
 ')
-r_dir_file(nscd_t, cert_t)
+
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 ') dnl end TODO

refpolicy/policy/modules/services/ntp.te

@@ -57,6 +57,7 @@ allow ntpd_t ntpd_tmp_t:file create_file_perms;
 files_create_tmp_files(ntpd_t, ntpd_tmp_t, { file dir })
 
 allow ntpd_t ntpd_var_run_t:file create_file_perms;
+allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
 files_create_pid(ntpd_t,ntpd_var_run_t)
 
 kernel_read_kernel_sysctl(ntpd_t)

refpolicy/policy/modules/services/postfix.te

@@ -19,6 +19,9 @@ files_type(postfix_etc_t)
 type postfix_exec_t;
 files_type(postfix_exec_t)
 
+# temp:
+typeattribute postfix_exec_t entry_type;
+
 postfix_server_domain_template(local)
 mta_mailserver_delivery(postfix_local_t)
 

refpolicy/policy/modules/services/privoxy.te

@@ -27,7 +27,7 @@ allow privoxy_t self:tcp_socket create_stream_socket_perms;
 
 allow privoxy_t privoxy_log_t:file create_file_perms;
 allow privoxy_t privoxy_log_t:dir rw_dir_perms;
-logging_search_logs(privoxy_t,privoxy_log_t,{ file dir })
+logging_create_log(privoxy_t,privoxy_log_t)
 
 allow privoxy_t privoxy_var_run_t:file create_file_perms;
 files_create_pid(privoxy_t,privoxy_var_run_t)

refpolicy/policy/modules/services/spamassassin.te

@@ -157,3 +157,5 @@ allow spamd_t amavisd_lib_t:file create_file_perms;
 allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
 ')
 ') dnl end TODO
+
+typeattribute spamc_exec_t entry_type;

refpolicy/policy/modules/services/squid.te

@@ -31,16 +31,19 @@ files_pid_file(squid_var_run_t)
 allow squid_t self:capability { setgid setuid dac_override };
 dontaudit squid_t self:capability sys_tty_config;
 allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow squid_t self:unix_stream_socket create_stream_socket_perms;
-allow squid_t self:unix_dgram_socket create_socket_perms;
-allow squid_t self:unix_dgram_socket sendto;
-allow squid_t self:unix_stream_socket connectto;
 allow squid_t self:fifo_file rw_file_perms;
+allow squid_t self:sock_file r_file_perms;
 allow squid_t self:fd use;
 allow squid_t self:shm create_shm_perms;
 allow squid_t self:sem create_sem_perms;
 allow squid_t self:msgq create_msgq_perms;
 allow squid_t self:msg { send receive };
+allow squid_t self:unix_stream_socket create_stream_socket_perms;
+allow squid_t self:unix_dgram_socket create_socket_perms;
+allow squid_t self:unix_dgram_socket sendto;
+allow squid_t self:unix_stream_socket connectto;
+allow squid_t self:tcp_socket create_stream_socket_perms;
+allow squid_t self:udp_socket create_socket_perms;
 
 # Grant permissions to create, access, and delete cache files.
 allow squid_t squid_cache_t:dir create_dir_perms;
@@ -58,6 +61,7 @@ allow squid_t squid_log_t:dir rw_dir_perms;
 logging_create_log(squid_t,squid_log_t,{ file dir })
 
 allow squid_t squid_var_run_t:file create_file_perms;
+allow squid_t squid_var_run_t:dir rw_dir_perms;
 files_create_pid(squid_t,squid_var_run_t)
 
 kernel_read_kernel_sysctl(squid_t)
@@ -124,6 +128,8 @@ logging_send_syslog_msg(squid_t)
 miscfiles_read_certs(squid_t)
 miscfiles_read_localization(squid_t)
 
+sysnet_read_config(squid_t)
+
 userdom_use_unpriv_users_fd(squid_t)
 userdom_dontaudit_use_unpriv_user_fd(squid_t)
 userdom_dontaudit_search_sysadm_home_dir(squid_t)
@@ -158,6 +164,10 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(squid_t)
 ')
 
+optional_policy(`samba.te',`
+	samba_domtrans_winbind_helper(squid_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(squid_t)
 ')

refpolicy/policy/modules/services/xdm.te

@@ -24,6 +24,9 @@ init_daemon_domain(xdm_t,xdm_exec_t)
 type xsession_exec_t;
 files_type(xsession_exec_t)
 
+# temp:
+typeattribute xsession_exec_t entry_type;
+
 type xserver_log_t;
 files_type(xserver_log_t)
 

refpolicy/policy/modules/system/corecommands.te

@@ -24,6 +24,9 @@ files_type(sbin_t)
 type ls_exec_t;
 files_type(ls_exec_t)
 
+#cjp: temp
+typeattribute ls_exec_t entry_type;
+
 #
 # shell_exec_t is the type of user shells such as /bin/bash.
 #

refpolicy/policy/modules/system/domain.if

@@ -359,10 +359,9 @@ interface(`domain_dontaudit_use_wide_inherit_fd',`
 interface(`domain_sigchld_wide_inherit_fd',`
 	gen_require(`
 		attribute privfd;
-		class process signal;
 	')
 
-	dontaudit $1 privfd:fd use;
+	allow $1 privfd:process sigchld;
 ')
 
 ########################################

refpolicy/policy/modules/system/logging.te

@@ -196,6 +196,7 @@ dontaudit klogd_t self:capability sys_resource;
 
 kernel_read_system_state(klogd_t)
 kernel_read_messages(klogd_t)
+kernel_read_kernel_sysctl(klogd_t)
 # Control syslog and console logging
 kernel_clear_ring_buffer(klogd_t)
 kernel_change_ring_buffer_level(klogd_t)
@@ -203,8 +204,10 @@ kernel_change_ring_buffer_level(klogd_t)
 bootloader_read_kernel_symbol_table(klogd_t)
 
 dev_read_raw_memory(klogd_t)
+dev_read_sysfs(klogd_t)
 
 fs_getattr_all_fs(klogd_t)
+fs_search_auto_mountpoints(klogd_t)
 
 domain_use_wide_inherit_fd(klogd_t)
 
@@ -214,6 +217,7 @@ files_read_etc_runtime_files(klogd_t)
 files_read_etc_files(klogd_t)
 
 init_use_fd(klogd_t)
+init_use_script_pty(klogd_t)
 
 libs_use_ld_so(klogd_t)
 libs_use_shared_libs(klogd_t)
@@ -222,10 +226,13 @@ logging_send_syslog_msg(klogd_t)
 
 miscfiles_read_localization(klogd_t)
 
-ifdef(`TODO',`
+optional_policy(`udev.te', `
-ifdef(`targeted_policy', `
+	udev_read_db(klogd_t)
-allow klogd_t unconfined_t:system syslog_mod;
 ')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_pty(klogd_t)
+	term_dontaudit_use_unallocated_tty(klogd_t)
 ')
 
 ########################################
@@ -261,7 +268,8 @@ allow syslogd_t var_log_t:dir { create setattr };
 
 # manage temporary files
 allow syslogd_t syslogd_tmp_t:file create_file_perms;
-files_create_tmp_files(syslogd_t,syslogd_tmp_t)
+allow syslogd_t syslogd_tmp_t:dir create_dir_perms;
+files_create_tmp_files(syslogd_t,syslogd_tmp_t,{ dir file })
 
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_pid(syslogd_t,syslogd_var_run_t,file)