patch from dan Wed, 29 Nov 2006 17:06:40 -0500

Changelog

@@ -16,6 +16,7 @@
 - Enhanced setransd support from Darrel Goeddel.
 - Patches from Dan Walsh:
 	Tue, 24 Oct 2006
+	Wed, 29 Nov 2006
 - Added modules:
 	aide (Matt Anderson)
 	ccs (Dan Walsh)

policy/global_tunables

@@ -596,7 +596,7 @@ gen_tunable(allow_mount_anyfile,false)
 
 ## <desc>
 ## <p>
-## Allow spammd to read/write user home directories.
+## Allow spamd to read/write user home directories.
 ## </p>
 ## </desc>
 gen_tunable(spamd_enable_home_dirs,true)

policy/modules/admin/amanda.if

@@ -109,6 +109,26 @@ interface(`amanda_rw_dumpdates_files',`
 
 	allow $1 amanda_dumpdates_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Search amanda library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`amanda_manage_lib',`
+	gen_require(`
+		type amanda_usr_lib_t;
+	')
+
+	allow $1 amanda_usr_lib_t:dir manage_dir_perms;
+	files_search_usr($1)
+')
+
 ########################################
 ## <summary>
 ##	Allow read/writing amanda logs

policy/modules/admin/amanda.te

@@ -1,5 +1,5 @@
 
-policy_module(amanda,1.4.1)
+policy_module(amanda,1.4.2)
 
 #######################################
 #
@@ -75,6 +75,7 @@ allow amanda_t self:unix_stream_socket create_stream_socket_perms;
 allow amanda_t self:unix_dgram_socket create_socket_perms;
 allow amanda_t self:tcp_socket create_stream_socket_perms;
 allow amanda_t self:udp_socket create_socket_perms;
+allow amanda_t self:netlink_route_socket r_netlink_socket_perms;
 
 # access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file { getattr lock read write };

policy/modules/admin/bootloader.te

@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.3.1)
+policy_module(bootloader,1.3.2)
 
 ########################################
 #
@@ -186,6 +186,10 @@ optional_policy(`
 	fstools_exec(bootloader_t)
 ')
 
+optional_policy(`
+	hal_dontaudit_append_lib_files(bootloader_t)
+')
+
 optional_policy(`
 	kudzu_domtrans(bootloader_t)
 ')

policy/modules/admin/consoletype.te

@@ -1,5 +1,5 @@
 
-policy_module(consoletype,1.1.0)
+policy_module(consoletype,1.1.1)
 
 ########################################
 #
@@ -84,7 +84,7 @@ optional_policy(`
 optional_policy(`
 	files_read_etc_files(consoletype_t)
 	firstboot_use_fds(consoletype_t)
-	firstboot_write_pipes(consoletype_t)
+	firstboot_rw_pipes(consoletype_t)
 ')
 
 optional_policy(`

policy/modules/admin/firstboot.if

@@ -111,3 +111,21 @@ interface(`firstboot_write_pipes',`
 
 	allow $1 firstboot_t:fifo_file write;
 ')
+
+########################################
+## <summary>
+##	Read and Write to a firstboot unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`firstboot_rw_pipes',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	allow $1 firstboot_t:fifo_file { read write };
+')

policy/modules/admin/firstboot.te

@@ -1,5 +1,5 @@
 
-policy_module(firstboot,1.2.0)
+policy_module(firstboot,1.2.1)
 
 gen_require(`
 	class passwd rootok;

policy/modules/admin/logwatch.te

@@ -1,5 +1,5 @@
 
-policy_module(logwatch,1.2.0)
+policy_module(logwatch,1.2.1)
 
 #################################
 #
@@ -53,6 +53,7 @@ corecmd_exec_shell(logwatch_t)
 corecmd_exec_ls(logwatch_t)
 
 dev_read_urand(logwatch_t)
+dev_search_sysfs(logwatch_t)
 
 # Read /proc/PID directories for all domains.
 domain_read_all_domains_state(logwatch_t)

policy/modules/admin/prelink.te

@@ -1,5 +1,5 @@
 
-policy_module(prelink,1.2.1)
+policy_module(prelink,1.2.2)
 
 ########################################
 #
@@ -57,6 +57,7 @@ files_getattr_all_files(prelink_t)
 files_write_non_security_dirs(prelink_t)
 files_read_etc_files(prelink_t)
 files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
 
 fs_getattr_xattr_fs(prelink_t)
 
@@ -82,6 +83,12 @@ ifdef(`targeted_policy',`
 
 	# prelink executables in the user homedir
 	userdom_manage_generic_user_home_content_files(prelink_t)
+	userdom_mmap_generic_user_home_content_files(prelink_t)
+	userdom_dontaudit_relabel_generic_user_home_content_files(prelink_t)
+')
+
+optional_policy(`
+	amanda_manage_lib(prelink_t)
 ')
 
 optional_policy(`

policy/modules/admin/quota.te

@@ -1,5 +1,5 @@
 
-policy_module(quota,1.0.0)
+policy_module(quota,1.0.1)
 
 ########################################
 #
@@ -37,6 +37,8 @@ fs_getattr_xattr_fs(quota_t)
 fs_remount_xattr_fs(quota_t)
 fs_search_auto_mountpoints(quota_t)
 
+mls_file_read_up(quota_t)
+
 storage_raw_read_fixed_disk(quota_t)
 
 term_dontaudit_use_console(quota_t)

policy/modules/admin/rpm.te

@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.4.1)
+policy_module(rpm,1.4.2)
 
 ########################################
 #
@@ -188,6 +188,10 @@ ifdef(`targeted_policy',`
 	logging_log_filetrans(rpm_t,rpm_log_t,file)
 ')
 
+optional_policy(`
+	hal_dbus_chat(rpm_t)
+')
+
 optional_policy(`
 	cron_system_entry(rpm_t,rpm_exec_t)
 ')
@@ -196,6 +200,10 @@ optional_policy(`
 	nis_use_ypbind(rpm_t)
 ')
 
+optional_policy(`
+	prelink_domtrans(rpm_t)
+')
+
 ifdef(`TODO',`
 # read/write/create any files in the system
 dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
@@ -270,6 +278,9 @@ fs_mount_xattr_fs(rpm_script_t)
 fs_unmount_xattr_fs(rpm_script_t)
 fs_search_auto_mountpoints(rpm_script_t)
 
+mcs_killall(rpm_script_t)
+mcs_ptrace_all(rpm_script_t)
+
 mls_file_read_up(rpm_script_t)
 mls_file_write_down(rpm_script_t)
 
@@ -367,32 +378,3 @@ optional_policy(`
 	usermanage_domtrans_groupadd(rpm_script_t)
 	usermanage_domtrans_useradd(rpm_script_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`
-can_exec(rpm_script_t,printconf_t)
-')
-
-optional_policy(`
-allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
-allow cupsd_t rpm_var_lib_t:file r_file_perms;
-allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
-allow cupsd_t initrc_exec_t:file r_file_perms;
-domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
-')
-
-optional_policy(`
-domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-
-optional_policy(`
-domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
-')
-
-ifdef(`hide_broken_symptoms', `
-	optional_policy(`
-		domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
-	')
-')
-
-') dnl end TODO

policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.4.1)
+policy_module(usermanage,1.4.2)
 
 ########################################
 #
@@ -189,7 +189,7 @@ optional_policy(`
 #
 
 allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
-dontaudit groupadd_t self:capability fsetid;
+dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
 allow groupadd_t self:fd use;
@@ -454,6 +454,7 @@ optional_policy(`
 #
 
 allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
+dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;

policy/modules/apps/slocate.te

@@ -1,5 +1,5 @@
 
-policy_module(slocate,1.2.0)
+policy_module(slocate,1.2.1)
 
 #################################
 #
@@ -41,8 +41,6 @@ files_list_all(locate_t)
 files_getattr_all_files(locate_t)
 files_read_etc_runtime_files(locate_t)
 files_read_etc_files(locate_t)
-# mls Higher level directories will be refused, so dontaudit
-files_dontaudit_getattr_all_dirs(locate_t)
 
 fs_getattr_xattr_fs(locate_t)
 fs_getattr_rpc_pipefs(locate_t)
@@ -52,6 +50,11 @@ libs_use_ld_so(locate_t)
 
 miscfiles_read_localization(locate_t)
 
+ifdef(`enable_mls',`
+	# On MLS machines will not be allowed to getattr Anything but SystemLow
+	files_dontaudit_getattr_all_dirs(locate_t)
+')
+
 optional_policy(`
 	cron_system_entry(locate_t, locate_exec_t)
 ')

policy/modules/kernel/corecommands.fc

@@ -171,6 +171,7 @@ ifdef(`distro_gentoo',`
 /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)

policy/modules/kernel/corecommands.te

@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.4.2)
+policy_module(corecommands,1.4.3)
 
 ########################################
 #

policy/modules/kernel/corenetwork.if.in

@@ -967,6 +967,24 @@ interface(`corenet_udp_bind_all_ports',`
 	allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##	Do not audit attepts to bind UDP sockets to any ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:udp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Connect TCP sockets to all ports.

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.2.2)
+policy_module(corenetwork,1.2.3)
 
 ########################################
 #
@@ -110,6 +110,7 @@ network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
 network_port(ntp, udp,123,s0)
+network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)

policy/modules/kernel/devices.fc

@@ -20,12 +20,14 @@
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
@@ -47,13 +49,14 @@
 /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
 /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
-/dev/raw1394.		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/(misc/)?rtc	-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/smu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/srnd[0-7]		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)

policy/modules/kernel/devices.if

@@ -568,6 +568,7 @@ interface(`dev_manage_generic_blk_files',`
 
 	allow $1 device_t:dir rw_dir_perms;
 	allow $1 device_t:blk_file create_file_perms;
+	allow $1 self:capability mknod;
 ')
 
 ########################################
@@ -587,6 +588,7 @@ interface(`dev_manage_generic_chr_files',`
 
 	allow $1 device_t:dir rw_dir_perms;
 	allow $1 device_t:chr_file create_file_perms;
+	allow $1 self:capability mknod;
 ')
 
 ########################################

policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.2.3)
+policy_module(devices,1.2.4)
 
 ########################################
 #
@@ -65,6 +65,12 @@ dev_node(event_device_t)
 type framebuf_device_t;
 dev_node(framebuf_device_t)
 
+#
+# Type for /dev/kmsg
+#
+type kmsg_device_t;
+dev_node(kmsg_device_t)
+
 #
 # Type for /dev/mapper/control
 #

policy/modules/kernel/files.if

@@ -639,6 +639,24 @@ interface(`files_dontaudit_getattr_all_symlinks',`
 	dontaudit $1 file_type:lnk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read all symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_read_all_symlinks',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:lnk_file read;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
@@ -4478,7 +4496,7 @@ interface(`files_polyinstantiate_all',`
 	allow $1 self:capability sys_admin;
 
 	# Need to give access to the directories to be polyinstantiated
-	allow $1 polydir:dir { create getattr search write add_name setattr mounton };
+	allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir };
 
 	# Need to give access to the polyinstantiated subdirectories
 	allow $1 polymember:dir search_dir_perms;

policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.3.1)
+policy_module(files,1.3.2)
 
 ########################################
 #

policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.4.2)
+policy_module(filesystem,1.4.3)
 
 ########################################
 #
@@ -21,8 +21,10 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
 
 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
@@ -182,7 +184,6 @@ genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
 #
@@ -191,6 +192,14 @@ genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
 
 allow filesystem_type self:filesystem associate;
 
+########################################
+#
+# Rules for filesystems without xattr support
+#
+
+# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example
+fs_associate_noxattr(noxattrfs)
+
 ########################################
 #
 # Unconfined access to this module

policy/modules/kernel/terminal.fc

@@ -15,6 +15,7 @@
 /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/tty			-c	gen_context(system_u:object_r:devtty_t,s0)
 /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 

policy/modules/kernel/terminal.te

@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.2.2)
+policy_module(terminal,1.2.3)
 
 ########################################
 #

policy/modules/services/apache.fc

@@ -44,6 +44,7 @@ ifdef(`distro_suse', `
 
 /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mod_ssl(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)

policy/modules/services/apache.te

@@ -1,5 +1,5 @@
 
-policy_module(apache,1.4.2)
+policy_module(apache,1.4.3)
 
 #
 # NOTES: 
@@ -170,6 +170,10 @@ allow httpd_t httpd_modules_t:file rx_file_perms;
 allow httpd_t httpd_modules_t:dir r_dir_perms;
 allow httpd_t httpd_modules_t:lnk_file r_file_perms;
 
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
+allow httpd_t httpd_rotatelogs_t:process signal_perms;
+
 allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
 allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
 allow httpd_t httpd_squirrelmail_t:file create_file_perms;
@@ -219,6 +223,8 @@ corenet_tcp_bind_all_nodes(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
 corenet_sendrecv_http_server_packets(httpd_t)
+# Signal self for shutdown
+corenet_tcp_connect_http_port(httpd_t)
 
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
@@ -235,7 +241,7 @@ auth_use_nsswitch(httpd_t)
 # execute perl
 corecmd_exec_bin(httpd_t)
 corecmd_exec_sbin(httpd_t)
-corecmd_check_exec_shell(httpd_t)
+corecmd_exec_shell(httpd_t)
 
 domain_use_interactive_fds(httpd_t)
 
@@ -252,6 +258,8 @@ files_read_etc_files(httpd_t)
 # for tomcat
 files_read_var_lib_symlinks(httpd_t)
 
+fs_search_auto_mountpoints(httpd_sys_script_t)
+
 init_use_fds(httpd_t)
 init_use_script_ptys(httpd_t)
 
@@ -669,6 +677,16 @@ ifdef(`targeted_policy',`
 	')
 ')
 
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+	fs_read_nfs_files(httpd_sys_script_t)
+	fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_sys_script_t)
+	fs_read_cifs_symlinks(httpd_sys_script_t)
+')
+
 optional_policy(`
 	clamav_domtrans_clamscan(httpd_sys_script_t)
 ')
@@ -714,6 +732,8 @@ files_read_etc_files(httpd_rotatelogs_t)
 libs_use_ld_so(httpd_rotatelogs_t)
 libs_use_shared_libs(httpd_rotatelogs_t)
 
+logging_search_logs(httpd_rotatelogs_t)
+
 miscfiles_read_localization(httpd_rotatelogs_t)
 
 ifdef(`targeted_policy',`

policy/modules/services/avahi.if

@@ -20,3 +20,24 @@ interface(`avahi_dbus_chat',`
 	allow $1 avahi_t:dbus send_msg;
 	allow avahi_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Connect to avahi using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_stream_connect',`
+	gen_require(`
+		type avahi_t, avahi_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 avahi_var_run_t:dir search_dir_perms;
+	allow $1 avahi_var_run_t:sock_file rw_file_perms;
+	allow $1 avahi_t:unix_stream_socket connectto;
+')

policy/modules/services/avahi.te

@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.3.0)
+policy_module(avahi,1.3.1)
 
 ########################################
 #

policy/modules/services/bind.fc

@@ -29,6 +29,7 @@ ifdef(`distro_gentoo',`
 
 ifdef(`distro_redhat',`
 /etc/named\.rfc1912.zones  --	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints	   --	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/named\.conf	   --	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)

policy/modules/services/bind.te

@@ -1,5 +1,5 @@
 
-policy_module(bind,1.2.0)
+policy_module(bind,1.2.1)
 
 ########################################
 #

policy/modules/services/clamav.te

@@ -1,5 +1,5 @@
 
-policy_module(clamav,1.1.0)
+policy_module(clamav,1.1.1)
 
 ########################################
 #
@@ -85,6 +85,7 @@ allow clamd_t clamd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(clamd_t,clamd_var_run_t,file)
 
 kernel_dontaudit_list_proc(clamd_t)
+kernel_read_sysctl(clamd_t)
 
 corenet_non_ipsec_sendrecv(clamd_t)
 corenet_tcp_sendrecv_all_if(clamd_t)

policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron,1.4.1)
+policy_module(cron,1.4.2)
 
 gen_require(`
 	class passwd rootok;
@@ -86,7 +86,7 @@ allow crond_t self:shm create_shm_perms;
 allow crond_t self:sem create_sem_perms;
 allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
-allow crond_t self:key { search write };
+allow crond_t self:key { search write link };
 
 allow crond_t crond_var_run_t:file create_file_perms;
 files_pid_filetrans(crond_t,crond_var_run_t,file)
@@ -166,6 +166,11 @@ ifdef(`distro_redhat', `
 	')
 ')
 
+optional_policy(`
+	locallogin_search_keys(crond_t)
+	locallogin_link_keys(crond_t)
+')
+
 ifdef(`targeted_policy',`
 	allow crond_t system_crond_tmp_t:dir create_dir_perms;
 	allow crond_t system_crond_tmp_t:file create_file_perms;

policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.4.1)
+policy_module(cups,1.4.2)
 
 ########################################
 #
@@ -43,6 +43,7 @@ files_tmp_file(cupsd_tmp_t)
 
 type cupsd_var_run_t;
 files_pid_file(cupsd_var_run_t)
+mls_trusted_object(cupsd_var_run_t)
 
 type hplip_t;
 type hplip_exec_t;
@@ -161,6 +162,7 @@ dev_rw_printer(cupsd_t)
 dev_read_urand(cupsd_t)
 dev_read_sysfs(cupsd_t)
 dev_read_usbfs(cupsd_t)
+dev_getattr_printer_dev(cupsd_t)
 
 domain_read_all_domains_state(cupsd_t)
 
@@ -518,6 +520,7 @@ corenet_udp_bind_all_nodes(cupsd_lpd_t)
 corenet_tcp_connect_ipp_port(cupsd_lpd_t)
 
 dev_read_urand(cupsd_lpd_t)
+dev_read_rand(cupsd_lpd_t)
 
 fs_getattr_xattr_fs(cupsd_lpd_t)
 

policy/modules/services/dbus.fc

@@ -4,3 +4,7 @@
 /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
 /bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
 /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+ifdef(`distro_redhat',`
+/var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')

policy/modules/services/dbus.te

@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.3.0)
+policy_module(dbus,1.3.1)
 
 gen_require(`
 	class dbus { send_msg acquire_svc };

policy/modules/services/ftp.te

@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.3.0)
+policy_module(ftp,1.3.1)
 
 ########################################
 #
@@ -127,6 +127,7 @@ auth_write_login_records(ftpd_t)
 
 init_use_fds(ftpd_t)
 init_use_script_ptys(ftpd_t)
+init_rw_utmp(ftpd_t)
 
 libs_use_ld_so(ftpd_t)
 libs_use_shared_libs(ftpd_t)

policy/modules/services/hal.fc

@@ -6,4 +6,6 @@
 
 /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
 
-/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
+
+/var/run/haldaemon.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)

policy/modules/services/hal.if

@@ -119,6 +119,25 @@ interface(`hal_read_tmp_files',`
 	allow $1 hald_tmp_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	HAL libraries files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_dontaudit_append_lib_files',`
+	gen_require(`
+		type hald_var_lib_t;
+	')
+
+	dontaudit $1 hald_var_lib_t:file ra_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read hald PID files.

policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.4.1)
+policy_module(hal,1.4.2)
 
 ########################################
 #
@@ -16,6 +16,9 @@ files_tmp_file(hald_tmp_t)
 type hald_var_run_t;
 files_pid_file(hald_var_run_t)
 
+type hald_var_lib_t;
+files_type(hald_var_lib_t)
+
 ########################################
 #
 # Local policy
@@ -39,6 +42,11 @@ allow hald_t hald_tmp_t:dir create_dir_perms;
 allow hald_t hald_tmp_t:file create_file_perms;
 files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
 
+# var/lib files for hald
+allow hald_t hald_var_lib_t:file manage_file_perms;
+allow hald_t hald_var_lib_t:sock_file manage_file_perms;
+allow hald_t hald_var_lib_t:dir manage_dir_perms;
+
 allow hald_t hald_var_run_t:file create_file_perms;
 allow hald_t hald_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(hald_t,hald_var_run_t,file)

policy/modules/services/kerberos.if

@@ -56,7 +56,9 @@ interface(`kerberos_use',`
 		corenet_tcp_bind_all_nodes($1)
 		corenet_udp_bind_all_nodes($1)
 		corenet_tcp_connect_kerberos_port($1)
+		corenet_tcp_connect_ocsp_port($1)
 		corenet_sendrecv_kerberos_client_packets($1)
+		corenet_sendrecv_ocsp_client_packets($1)
 
 		sysnet_read_config($1)
 		sysnet_dns_name_resolve($1)

policy/modules/services/kerberos.te

@@ -1,5 +1,5 @@
 
-policy_module(kerberos,1.2.0)
+policy_module(kerberos,1.2.1)
 
 ########################################
 #
@@ -156,9 +156,9 @@ optional_policy(`
 # Use capabilities. Surplus capabilities may be allowed.
 allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
 dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process signal_perms;
+allow krb5kdc_t self:process { getsched signal_perms };
 allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
+allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
 allow krb5kdc_t self:udp_socket create_socket_perms;
 
 allow krb5kdc_t krb5_conf_t:file r_file_perms;
@@ -190,6 +190,9 @@ kernel_list_proc(krb5kdc_t)
 kernel_read_proc_symlinks(krb5kdc_t)
 kernel_read_network_state(krb5kdc_t)
 
+corecmd_exec_sbin(krb5kdc_t)
+corecmd_exec_bin(krb5kdc_t)
+
 corenet_non_ipsec_sendrecv(krb5kdc_t)
 corenet_tcp_sendrecv_all_if(krb5kdc_t)
 corenet_udp_sendrecv_all_if(krb5kdc_t)
@@ -201,7 +204,9 @@ corenet_tcp_bind_all_nodes(krb5kdc_t)
 corenet_udp_bind_all_nodes(krb5kdc_t)
 corenet_tcp_bind_kerberos_port(krb5kdc_t)
 corenet_udp_bind_kerberos_port(krb5kdc_t)
+corenet_tcp_connect_ocsp_port(krb5kdc_t)
 corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
 
 dev_read_sysfs(krb5kdc_t)
 dev_read_urand(krb5kdc_t)
@@ -214,6 +219,8 @@ term_dontaudit_use_console(krb5kdc_t)
 domain_use_interactive_fds(krb5kdc_t)
 
 files_read_etc_files(krb5kdc_t)
+files_read_usr_symlinks(krb5kdc_t)
+files_read_var_files(krb5kdc_t)
 
 init_use_fds(krb5kdc_t)
 init_use_script_ptys(krb5kdc_t)

policy/modules/services/mta.if

@@ -820,6 +820,7 @@ interface(`mta_dontaudit_rw_queue',`
 		type mqueue_spool_t;
 	')
 
+	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
 	dontaudit $1 mqueue_spool_t:file { getattr read write };
 ')
 

policy/modules/services/mta.te

@@ -1,5 +1,5 @@
 
-policy_module(mta,1.4.0)
+policy_module(mta,1.4.1)
 
 ########################################
 #

policy/modules/services/nis.fc

@@ -3,7 +3,9 @@
 
 /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
 
-/usr/sbin/rpc\.yppasswdd	--	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/lib/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
+
+/usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
 /usr/sbin/rpc\.ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 /usr/sbin/ypserv	--	gen_context(system_u:object_r:ypserv_exec_t,s0)
 

policy/modules/services/nis.if

@@ -248,9 +248,9 @@ interface(`nis_domtrans_ypxfr',`
 	')
 
 	corecmd_search_bin($1)
+	corecmd_search_sbin($1)
 	domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
 
-	allow $1 ypxfr_t:fd use;
 	allow ypxfr_t $1:fd use;
 	allow ypxfr_t $1:fifo_file rw_file_perms;
 	allow ypxfr_t $1:process sigchld;

policy/modules/services/nis.te

@@ -1,5 +1,5 @@
 
-policy_module(nis,1.2.0)
+policy_module(nis,1.2.1)
 
 ########################################
 #
@@ -331,6 +331,12 @@ optional_policy(`
 
 allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
 
+allow ypxfr_t var_yp_t:dir search_dir_perms;
+allow ypxfr_t var_yp_t:file read_file_perms;
+
+allow ypxfr_t ypserv_t:tcp_socket { read write };
+allow ypxfr_t ypserv_t:udp_socket { read write };
+
 corenet_non_ipsec_sendrecv(ypxfr_t)
 corenet_tcp_sendrecv_all_if(ypxfr_t)
 corenet_udp_sendrecv_all_if(ypxfr_t)
@@ -349,3 +355,7 @@ corenet_sendrecv_generic_server_packets(ypxfr_t)
 corenet_sendrecv_all_client_packets(ypxfr_t)
 
 files_read_etc_files(ypxfr_t)
+files_search_usr(ypxfr_t)
+
+libs_use_shared_libs(ypxfr_t)
+libs_use_ld_so(ypxfr_t)

policy/modules/services/oddjob.te

@@ -1,5 +1,5 @@
 
-policy_module(oddjob,1.0.1)
+policy_module(oddjob,1.0.2)
 
 ########################################
 #
@@ -10,6 +10,7 @@ type oddjob_t;
 type oddjob_exec_t;
 domain_type(oddjob_t)
 init_daemon_domain(oddjob_t, oddjob_exec_t)
+domain_subj_id_change_exemption(oddjob_t)
 
 type oddjob_mkhomedir_t;
 type oddjob_mkhomedir_exec_t;
@@ -27,7 +28,7 @@ files_pid_file(oddjob_var_run_t)
 #
 
 allow oddjob_t self:capability { audit_write setgid } ;
-allow oddjob_t self:process setexec;
+allow oddjob_t self:process { setexec signal };
 allow oddjob_t self:fifo_file { read write };
 allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
 

policy/modules/services/postfix.te

@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.3.0)
+policy_module(postfix,1.3.1)
 
 ########################################
 #
@@ -382,9 +382,9 @@ optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
 
-# a "run" interface needs to be
-# added, and have sysadm_t use it
-# in a optional_policy block.
+optional_policy(`
+	nscd_socket_use(postfix_map_t)
+')
 
 ########################################
 #
@@ -431,6 +431,10 @@ optional_policy(`
 	mailman_domtrans_queue(postfix_pipe_t)
 ')
 
+optional_policy(`
+	uucp_domtrans_uux(postfix_pipe_t)
+')
+
 ########################################
 #
 # Postfix postdrop local policy
@@ -570,6 +574,8 @@ sysnet_dns_name_resolve(postfix_showq_t)
 # Postfix smtp delivery local policy
 #
 
+allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms;
+
 # connect to master process
 allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
 allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
@@ -577,6 +583,10 @@ allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
 
 allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
 
+optional_policy(`
+	cyrus_stream_connect(postfix_smtp_t)
+')
+
 ########################################
 #
 # Postfix smtpd local policy

policy/modules/services/procmail.te

@@ -1,5 +1,5 @@
 
-policy_module(procmail,1.3.1)
+policy_module(procmail,1.3.2)
 
 ########################################
 #
@@ -74,6 +74,18 @@ ifdef(`hide_broken_symptoms',`
 	mta_dontaudit_rw_queue(procmail_t)
 ')
 
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(procmail_t)
+	fs_manage_nfs_files(procmail_t)
+	fs_manage_nfs_symlinks(procmail_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(procmail_t)
+	fs_manage_cifs_files(procmail_t)
+	fs_manage_cifs_symlinks(procmail_t)
+')
+
 optional_policy(`
 	clamav_domtrans_clamscan(procmail_t)
 	clamav_search_lib(procmail_t)

policy/modules/services/rpc.te

@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.3.1)
+policy_module(rpc,1.3.2)
 
 ########################################
 #
@@ -121,6 +121,7 @@ tunable_policy(`nfs_export_all_ro',`
 #
 
 allow gssd_t self:capability { dac_override dac_read_search setuid };
+allow gssd_t self:process getsched;
 allow gssd_t self:fifo_file { read write };
 
 allow gssd_t gssd_tmp_t:dir create_dir_perms;

policy/modules/services/samba.if

@@ -140,6 +140,7 @@ interface(`samba_read_config',`
 	')
 
 	files_search_etc($1)
+	allow $1 samba_etc_t:dir search_dir_perms;
 	allow $1 samba_etc_t:file { read getattr lock };
 ')
 
@@ -161,6 +162,7 @@ interface(`samba_rw_config',`
 	')
 
 	files_search_etc($1)
+	allow $1 samba_etc_t:dir search_dir_perms;
 	allow $1 samba_etc_t:file rw_file_perms;
 ')
 

policy/modules/services/samba.te

@@ -1,5 +1,5 @@
 
-policy_module(samba,1.3.1)
+policy_module(samba,1.3.2)
 
 #################################
 #
@@ -525,7 +525,7 @@ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow swat_t self:netlink_audit_socket create;
 allow swat_t self:tcp_socket create_stream_socket_perms;
 allow swat_t self:udp_socket create_socket_perms;
-
+allow swat_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow swat_t nmbd_exec_t:file { execute read };
 
@@ -566,9 +566,10 @@ corenet_udp_sendrecv_all_nodes(swat_t)
 corenet_raw_sendrecv_all_nodes(swat_t)
 corenet_tcp_sendrecv_all_ports(swat_t)
 corenet_udp_sendrecv_all_ports(swat_t)
-corenet_tcp_bind_all_nodes(swat_t)
-corenet_udp_bind_all_nodes(swat_t)
 corenet_tcp_connect_smbd_port(swat_t)
+corenet_tcp_connect_ipp_port(swat_t)
+corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_sendrecv_ipp_client_packets(swat_t)
 
 dev_read_urand(swat_t)
 
@@ -591,6 +592,7 @@ sysnet_read_config(swat_t)
 
 optional_policy(`
 	cups_read_rw_config(swat_t)
+	cups_stream_connect(swat_t)
 ')
 
 optional_policy(`

policy/modules/services/sasl.te

@@ -1,5 +1,5 @@
 
-policy_module(sasl,1.3.0)
+policy_module(sasl,1.3.1)
 
 ########################################
 #
@@ -47,6 +47,8 @@ dev_read_urand(saslauthd_t)
 fs_getattr_all_fs(saslauthd_t)
 fs_search_auto_mountpoints(saslauthd_t)
 
+selinux_compute_access_vector(saslauthd_t)
+
 term_dontaudit_use_console(saslauthd_t)
 
 auth_domtrans_chk_passwd(saslauthd_t)

policy/modules/services/snmp.te

@@ -1,5 +1,5 @@
 
-policy_module(snmp,1.2.1)
+policy_module(snmp,1.2.2)
 
 ########################################
 #
@@ -77,6 +77,7 @@ dev_list_sysfs(snmpd_t)
 dev_read_sysfs(snmpd_t)
 dev_read_urand(snmpd_t)
 dev_read_rand(snmpd_t)
+dev_getattr_usbfs_dirs(snmpd_t)
 
 domain_use_interactive_fds(snmpd_t)
 domain_signull_all_domains(snmpd_t)
@@ -87,9 +88,10 @@ files_read_usr_files(snmpd_t)
 files_read_etc_runtime_files(snmpd_t)
 files_search_home(snmpd_t)
 files_getattr_boot_dirs(snmpd_t)
+files_dontaudit_getattr_home_dir(snmpd_t)
 
+fs_getattr_all_dirs(snmpd_t)
 fs_getattr_all_fs(snmpd_t)
-fs_getattr_rpc_dirs(snmpd_t)
 fs_search_auto_mountpoints(snmpd_t)
 
 storage_dontaudit_read_fixed_disk(snmpd_t)

policy/modules/services/spamassassin.te

@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.4.1)
+policy_module(spamassassin,1.4.2)
 
 ########################################
 #
@@ -86,6 +86,7 @@ corenet_sendrecv_spamd_server_packets(spamd_t)
 corenet_udp_bind_all_nodes(spamd_t)
 corenet_udp_bind_generic_port(spamd_t)
 corenet_udp_bind_imaze_port(spamd_t)
+corenet_dontaudit_udp_bind_all_ports(spamd_t)
 corenet_sendrecv_imaze_server_packets(spamd_t)
 corenet_sendrecv_generic_server_packets(spamd_t)
 

policy/modules/services/telnet.te

@@ -1,5 +1,5 @@
 
-policy_module(telnet,1.2.0)
+policy_module(telnet,1.2.1)
 
 ########################################
 #
@@ -32,6 +32,7 @@ allow telnetd_t self:tcp_socket connected_stream_socket_perms;
 allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow telnetd_t self:netlink_route_socket r_netlink_socket_perms;
 allow telnetd_t self:capability { setuid setgid };
 
 allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };

policy/modules/services/tftp.te

@@ -1,5 +1,5 @@
 
-policy_module(tftp,1.2.0)
+policy_module(tftp,1.2.1)
 
 ########################################
 #
@@ -93,6 +93,10 @@ optional_policy(`
 	inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
 ')
 
+optional_policy(`
+	nis_use_ypbind(tftpd_t)
+')
+
 optional_policy(`
 	nscd_socket_use(tftpd_t)
 ')

policy/modules/services/uucp.fc

@@ -1,4 +1,6 @@
 
+/usr/bin/uux 		--	gen_context(system_u:object_r:uux_exec_t,s0)
+
 /usr/sbin/uucico	--	gen_context(system_u:object_r:uucpd_exec_t,s0)
 
 /var/spool/uucp(/.*)?		gen_context(system_u:object_r:uucpd_spool_t,s0)

policy/modules/services/uucp.if

@@ -1 +1,66 @@
 ## <summary>Unix to Unix Copy</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	to uucp log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uucp_append_log',`
+	gen_require(`
+		type uucpd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 uucpd_log_t:dir r_dir_perms;
+	allow $1 uucpd_log_t:file { append getattr };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete uucp spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uucp_manage_spool',`
+	gen_require(`
+		type uucpd_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 uucpd_spool_t:dir manage_dir_perms;
+	allow $1 uucpd_spool_t:lnk_file create_lnk_perms;
+	allow $1 uucpd_spool_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute the master uux program in the
+##	uux_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`uucp_domtrans_uux',`
+	gen_require(`
+		type uux_t, uux_exec_t;
+	')
+
+	domain_auto_trans($1,uux_exec_t,uux_t)
+
+	allow uux_t $1:fd use;
+	allow uux_t $1:fifo_file rw_file_perms;
+	allow uux_t $1:process sigchld;
+')

policy/modules/services/uucp.te

@@ -1,5 +1,5 @@
 
-policy_module(uucp,1.2.0)
+policy_module(uucp,1.2.1)
 
 ########################################
 #
@@ -28,9 +28,15 @@ files_type(uucpd_spool_t)
 type uucpd_log_t;
 logging_log_file(uucpd_log_t)
 
+type uux_t;
+type uux_exec_t;
+domain_type(uux_t)
+domain_entry_file(uux_t,uux_exec_t)
+role system_r types uux_t;
+
 ########################################
 #
-# Local policy
+# UUCPd Local policy
 #
 allow uucpd_t self:capability { setuid setgid };
 allow uucpd_t self:process signal_perms;
@@ -51,9 +57,7 @@ allow uucpd_t uucpd_rw_t:dir create_dir_perms;
 allow uucpd_t uucpd_rw_t:file create_file_perms;
 allow uucpd_t uucpd_rw_t:lnk_file create_lnk_perms;
 
-allow uucpd_t uucpd_spool_t:dir create_dir_perms;
-allow uucpd_t uucpd_spool_t:file create_file_perms;
-allow uucpd_t uucpd_spool_t:lnk_file create_lnk_perms;
+uucp_manage_spool(uucpd_t)
 
 allow uucpd_t uucpd_tmp_t:dir create_dir_perms;
 allow uucpd_t uucpd_tmp_t:file create_file_perms;
@@ -105,3 +109,38 @@ optional_policy(`
 optional_policy(`
 	nscd_socket_use(uucpd_t)
 ')
+
+########################################
+#
+# UUX Local policy
+#
+
+allow uux_t self:capability { setuid setgid };
+allow uux_t self:fifo_file { getattr write };
+
+uucp_append_log(uux_t)
+uucp_manage_spool(uux_t)
+
+corecmd_exec_sbin(uux_t)
+
+files_read_etc_files(uux_t)
+
+libs_use_ld_so(uux_t)
+libs_use_shared_libs(uux_t)
+
+logging_send_syslog_msg(uux_t)
+
+miscfiles_read_localization(uux_t)
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_ttys(uux_t)
+	term_use_generic_ptys(uux_t)
+')
+
+optional_policy(`
+	mta_send_mail(uux_t)
+')
+
+optional_policy(`
+	nscd_socket_use(uux_t)
+')

policy/modules/services/xserver.if

@@ -754,13 +754,32 @@ interface(`xserver_use_xdm_fds',`
 	allow $1 xdm_t:fd use; 
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to inherit
+##	XDM file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_use_xdm_fds',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	dontaudit $1 xdm_t:fd use; 
+')
+
 ########################################
 ## <summary>
 ##	Read and write XDM unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -772,6 +791,26 @@ interface(`xserver_rw_xdm_pipes',`
 	allow $1 xdm_t:fifo_file { getattr read write }; 
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	XDM unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_rw_xdm_pipes',`
+
+	gen_require(`
+		type xdm_t;
+	')
+
+	dontaudit $1 xdm_t:fifo_file { getattr read write }; 
+')
+
 ########################################
 ## <summary>
 ##	Connect to XDM over a unix domain

policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.2.1)
+policy_module(xserver,1.2.2)
 
 ########################################
 #

policy/modules/system/authlogin.if

@@ -1258,7 +1258,7 @@ interface(`auth_append_login_records',`
 		type wtmp_t;
 	')
 
-	allow $1 wtmp_t:file { getattr append };
+	allow $1 wtmp_t:file { getattr append lock };
 ')
 
 #######################################
@@ -1363,6 +1363,10 @@ interface(`auth_use_nsswitch',`
 	sysnet_dns_name_resolve($1)
 	sysnet_use_ldap($1)
 
+	optional_policy(`
+		avahi_stream_connect($1)
+	')
+
 	optional_policy(`
 		nis_use_ypbind($1)
 	')

policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.4.1)
+policy_module(authlogin,1.4.2)
 
 ########################################
 #
@@ -172,8 +172,6 @@ dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
 dev_read_urand(pam_console_t)
 
-fs_list_auto_mountpoints(pam_console_t)
-
 mls_file_read_up(pam_console_t)
 mls_file_write_down(pam_console_t)
 
@@ -199,10 +197,12 @@ domain_use_interactive_fds(pam_console_t)
 files_read_etc_files(pam_console_t)
 files_search_pids(pam_console_t)
 files_list_mnt(pam_console_t)
+files_dontaudit_search_isid_type_dirs(pam_console_t)
 # read /etc/mtab
 files_read_etc_runtime_files(pam_console_t)
 
 fs_list_auto_mountpoints(pam_console_t)
+fs_list_noxattr_fs(pam_console_t)
 
 init_use_fds(pam_console_t)
 init_use_script_ptys(pam_console_t)
@@ -265,6 +265,7 @@ term_dontaudit_use_generic_ptys(system_chkpwd_t)
 
 userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
 userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
+userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
 
 ########################################
 #

policy/modules/system/clock.te

@@ -1,5 +1,5 @@
 
-policy_module(clock,1.1.1)
+policy_module(clock,1.1.2)
 
 ########################################
 #
@@ -25,7 +25,7 @@ allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config
 dontaudit hwclock_t self:capability sys_tty_config;
 allow hwclock_t self:process signal_perms;
 allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow hwclock_t self:fifo_file { getattr read };
+allow hwclock_t self:fifo_file { getattr read write };
 
 # Allow hwclock to store & retrieve correction factors.
 allow hwclock_t adjtime_t:file { rw_file_perms setattr };
@@ -34,7 +34,8 @@ kernel_read_kernel_sysctls(hwclock_t)
 kernel_list_proc(hwclock_t)
 kernel_read_proc_symlinks(hwclock_t)
 
-corecmd_search_bin(hwclock_t)
+corecmd_exec_bin(hwclock_t)
+corecmd_exec_shell(hwclock_t)
 
 dev_read_sysfs(hwclock_t)
 dev_rw_realtime_clock(hwclock_t)

policy/modules/system/hostname.te

@@ -1,5 +1,5 @@
 
-policy_module(hostname,1.3.0)
+policy_module(hostname,1.3.1)
 
 ########################################
 #
@@ -57,5 +57,6 @@ sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
 optional_policy(`
+	xen_append_log(hostname_t)
 	xen_dontaudit_use_fds(hostname_t)
 ')

policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.4.3)
+policy_module(init,1.4.4)
 
 gen_require(`
 	class passwd rootok;
@@ -205,6 +205,9 @@ allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
 allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
 term_create_pty(initrc_t,initrc_devpts_t)
 
+# Going to single user mode
+init_exec(initrc_t)
+
 can_exec(initrc_t,initrc_exec_t)
 
 allow initrc_t initrc_state_t:dir manage_dir_perms;
@@ -492,14 +495,19 @@ ifdef(`targeted_policy',`
 	domain_subj_id_change_exemption(initrc_t)
 	unconfined_domain(initrc_t)
 
-	optional_policy(`
-		mono_domtrans(initrc_t)
+	ifdef(`distro_redhat',`
+		# system-config-services causes avc messages that should be dontaudited
+		unconfined_dontaudit_rw_pipes(daemon)
 	')
 
 	tunable_policy(`allow_daemons_use_tty',`
 		term_use_unallocated_ttys(daemon)
 		term_use_generic_ptys(daemon)
 	')
+
+	optional_policy(`
+		mono_domtrans(initrc_t)
+	')
 ',`
 	# cjp: require doesnt work in the else of optionals :\
 	# this also would result in a type transition

policy/modules/system/iptables.te

@@ -1,5 +1,5 @@
 
-policy_module(iptables,1.1.0)
+policy_module(iptables,1.1.1)
 
 ########################################
 #
@@ -85,7 +85,7 @@ ifdef(`targeted_policy', `
 
 optional_policy(`
 	firstboot_use_fds(iptables_t)
-	firstboot_write_pipes(iptables_t)
+	firstboot_rw_pipes(iptables_t)
 ')
 
 optional_policy(`
@@ -97,6 +97,10 @@ optional_policy(`
 	nis_use_ypbind(iptables_t)
 ')
 
+optional_policy(`
+	ppp_dontaudit_use_fds(iptables_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(iptables_t)
 ')

policy/modules/system/libraries.fc

@@ -131,12 +131,14 @@ ifdef(`distro_gentoo',`
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -157,6 +159,7 @@ ifdef(`distro_gentoo',`
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_redhat',`
@@ -167,19 +170,15 @@ ifdef(`distro_redhat',`
 
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
 # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/gstreamer-.*/libgstmms\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/plugins/vorbisrend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/codecs/colorcvt\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/helix/codecs/cvt1\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -246,6 +245,9 @@ ifdef(`distro_redhat',`
 HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -258,10 +260,9 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textre
 /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

policy/modules/system/libraries.te

@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.4.1)
+policy_module(libraries,1.4.2)
 
 ########################################
 #

policy/modules/system/locallogin.if

@@ -75,3 +75,40 @@ interface(`locallogin_signull',`
 
 	allow $1 local_login_t:process signull;
 ')
+
+########################################
+## <summary>
+##	Search for key.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`locallogin_search_keys',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	allow $1 local_login_t:key search;
+')
+
+
+########################################
+## <summary>
+##	Allow link to the local_login key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`locallogin_link_keys',`
+	gen_require(`
+		type local_login_t;
+	')
+
+	allow $1 local_login_t:key link;
+')

policy/modules/system/locallogin.te

@@ -1,5 +1,5 @@
 
-policy_module(locallogin,1.3.1)
+policy_module(locallogin,1.3.2)
 
 ########################################
 #

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.4.1)
+policy_module(logging,1.4.2)
 
 ########################################
 #
@@ -53,6 +53,7 @@ files_pid_file(syslogd_var_run_t)
 
 type var_log_t;
 logging_log_file(var_log_t)
+files_mountpoint(var_log_t)
 
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)

policy/modules/system/lvm.fc

@@ -95,3 +95,4 @@ ifdef(`distro_gentoo',`
 /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 /var/run/multipathd.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)

policy/modules/system/lvm.te

@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.4.1)
+policy_module(lvm,1.4.2)
 
 ########################################
 #
@@ -30,6 +30,9 @@ files_lock_file(lvm_lock_t)
 type lvm_metadata_t;
 files_type(lvm_metadata_t)
 
+type lvm_var_lib_t;
+files_type(lvm_var_lib_t)
+
 type lvm_var_run_t;
 files_pid_file(lvm_var_run_t)
 
@@ -44,7 +47,7 @@ files_tmp_file(lvm_tmp_t)
 dontaudit clvmd_t self:capability sys_tty_config;
 allow clvmd_t self:process signal_perms;
 allow clvmd_t self:socket create_socket_perms;
-allow clvmd_t self:fifo_file { read write };
+allow clvmd_t self:fifo_file rw_file_perms;
 allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow clvmd_t self:tcp_socket create_stream_socket_perms;
 allow clvmd_t self:udp_socket create_socket_perms;
@@ -53,9 +56,18 @@ allow clvmd_t clvmd_var_run_t:file create_file_perms;
 allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
 
+allow clvmd_t lvm_metadata_t:dir search_dir_perms;
+allow clvmd_t lvm_metadata_t:file { getattr read };
+
 kernel_read_kernel_sysctls(clvmd_t)
+kernel_read_system_state(clvmd_t)
 kernel_list_proc(clvmd_t)
 kernel_read_proc_symlinks(clvmd_t)
+kernel_search_debugfs(clvmd_t)
+
+corecmd_exec_shell(clvmd_t)
+corecmd_read_bin_symlinks(clvmd_t)
+corecmd_read_sbin_symlinks(clvmd_t)
 
 corenet_non_ipsec_sendrecv(clvmd_t)
 corenet_tcp_sendrecv_all_if(clvmd_t)
@@ -72,6 +84,10 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
 corenet_sendrecv_generic_server_packets(clvmd_t)
 
 dev_read_sysfs(clvmd_t)
+dev_manage_generic_chr_files(clvmd_t)
+
+files_read_etc_files(clvmd_t)
+files_list_usr(clvmd_t)
 
 fs_getattr_all_fs(clvmd_t)
 fs_search_auto_mountpoints(clvmd_t)
@@ -80,7 +96,7 @@ term_dontaudit_use_console(clvmd_t)
 
 domain_use_interactive_fds(clvmd_t)
 
-files_list_usr(clvmd_t)
+storage_raw_read_fixed_disk(clvmd_t)
 
 init_use_fds(clvmd_t)
 init_use_script_ptys(clvmd_t)
@@ -100,16 +116,28 @@ sysnet_read_config(clvmd_t)
 userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
 userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
 
+lvm_domtrans(clvmd_t)
+lvm_read_config(clvmd_t)
+
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_ttys(clvmd_t)
 	term_dontaudit_use_generic_ptys(clvmd_t)
 	files_dontaudit_read_root_files(clvmd_t)
 ')
 
+optional_policy(`
+	ccs_stream_connect(clvmd_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(clvmd_t)
 ')
 
+optional_policy(`
+	ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
+	ricci_dontaudit_use_modcluster_fds(clvmd_t)
+')
+
 optional_policy(`
 	udev_read_db(clvmd_t)
 ')
@@ -147,6 +175,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms;
 allow lvm_t lvm_lock_t:file create_file_perms;
 files_lock_filetrans(lvm_t,lvm_lock_t,file)
 
+allow lvm_t lvm_var_lib_t:dir manage_dir_perms;
+allow lvm_t lvm_var_lib_t:file manage_file_perms;
+files_var_lib_filetrans(lvm_t,lvm_var_lib_t,{ dir file })
+
 allow lvm_t lvm_var_run_t:file manage_file_perms;
 allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
 allow lvm_t lvm_var_run_t:dir manage_dir_perms;
@@ -216,8 +248,7 @@ storage_manage_fixed_disk(lvm_t)
 term_dontaudit_getattr_all_user_ttys(lvm_t)
 term_dontaudit_getattr_pty_dirs(lvm_t)
 
-corecmd_search_sbin(lvm_t)
-corecmd_dontaudit_getattr_sbin_files(lvm_t)
+corecmd_exec_sbin(lvm_t)
 
 domain_use_interactive_fds(lvm_t)
 
@@ -258,6 +289,10 @@ optional_policy(`
 	bootloader_rw_tmp_files(lvm_t)
 ')
 
+optional_policy(`
+	ccs_stream_connect(lvm_t)
+')
+
 optional_policy(`
 	gpm_dontaudit_getattr_gpmctl(lvm_t)
 ')

policy/modules/system/miscfiles.fc

@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
 /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
 /usr/share/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+/usr/share/X11/locale(/.*)?	gen_context(system_u:object_r:locale_t,s0)
 /usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
 
 /usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)

policy/modules/system/miscfiles.te

@@ -1,5 +1,5 @@
 
-policy_module(miscfiles,1.1.0)
+policy_module(miscfiles,1.1.1)
 
 ########################################
 #

policy/modules/system/mount.te

@@ -1,5 +1,5 @@
 
-policy_module(mount,1.4.1)
+policy_module(mount,1.4.2)
 
 ########################################
 #
@@ -32,6 +32,9 @@ ifdef(`targeted_policy',`
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 
 allow mount_t mount_loopback_t:file r_file_perms;
+allow mount_t self:netlink_route_socket r_netlink_socket_perms;
+
+can_exec(mount_t, mount_exec_t)
 
 allow mount_t mount_tmp_t:file create_file_perms;
 allow mount_t mount_tmp_t:dir create_dir_perms;

policy/modules/system/raid.te

@@ -1,5 +1,5 @@
 
-policy_module(raid,1.1.1)
+policy_module(raid,1.1.2)
 
 ########################################
 #
@@ -38,12 +38,15 @@ dev_read_sysfs(mdadm_t)
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 dev_dontaudit_getattr_generic_files(mdadm_t)
+dev_dontaudit_getattr_generic_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_blk_files(mdadm_t)
 
 fs_search_auto_mountpoints(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)
 
 # RAID block device access
 storage_manage_fixed_disk(mdadm_t)
+storage_dev_filetrans_fixed_disk(mdadm_t)
 
 term_dontaudit_use_console(mdadm_t)
 term_dontaudit_list_ptys(mdadm_t)
@@ -80,6 +83,10 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_files(mdadm_t)
 ')
 
+optional_policy(`
+	gpm_dontaudit_getattr_gpmctl(mdadm_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(mdadm_t)
 ')

policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.3.4)
+policy_module(selinuxutil,1.3.5)
 
 ifdef(`strict_policy',`
 	gen_require(`
@@ -338,6 +338,7 @@ optional_policy(`
 #
 
 allow restorecon_t self:capability { dac_override dac_read_search fowner };
+dontaudit restorecon_t self:capability sys_tty_config;
 allow restorecon_t self:fifo_file rw_file_perms;
 
 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
@@ -362,6 +363,7 @@ dev_rw_generic_files(restorecon_t)
 
 fs_getattr_xattr_fs(restorecon_t)
 fs_search_auto_mountpoints(restorecon_t)
+fs_getattr_all_dirs(restorecon_t)
 
 mls_file_read_up(restorecon_t)
 mls_file_write_down(restorecon_t)
@@ -449,6 +451,7 @@ selinux_compute_user_contexts(restorecond_t)
 
 auth_relabel_all_files_except_shadow(restorecond_t )
 auth_read_all_files_except_shadow(restorecond_t)
+auth_use_nsswitch(restorecond_t)
 
 init_use_fds(restorecond_t)
 init_dontaudit_use_script_ptys(restorecond_t)

policy/modules/system/unconfined.fc

@@ -7,6 +7,6 @@
 ifdef(`targeted_policy',`
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/local/RealPlay/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 ')

policy/modules/system/unconfined.if

@@ -350,6 +350,25 @@ interface(`unconfined_rw_pipes',`
 	allow $1 unconfined_t:fifo_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Connect to the unconfined domain using

policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.4.1)
+policy_module(unconfined,1.4.2)
 
 ########################################
 #
@@ -33,6 +33,9 @@ ifdef(`targeted_policy',`
 
 	files_create_boot_flag(unconfined_t)
 
+	mcs_killall(unconfined_t)
+	mcs_ptrace_all(unconfined_t)
+
 	init_domtrans_script(unconfined_t)
 
 	libs_domtrans_ldconfig(unconfined_t)
@@ -83,6 +86,10 @@ ifdef(`targeted_policy',`
 		optional_policy(`
 			networkmanager_dbus_chat(unconfined_t)
 		')
+
+		optional_policy(`
+			oddjob_dbus_chat(unconfined_t)
+		')
 	')
 
 	optional_policy(`
@@ -189,5 +196,9 @@ ifdef(`targeted_policy',`
 
 		init_dbus_chat_script(unconfined_execmem_t)
 		unconfined_dbus_chat(unconfined_execmem_t)
+
+		optional_policy(`
+			hal_dbus_chat(unconfined_execmem_t)
+		')
 	')
 ')

policy/modules/system/userdomain.if

@@ -24,6 +24,7 @@
 template(`userdom_base_user_template',`
 
 	gen_require(`
+		attribute userdomain;
 		class context contains;
 	')
 
@@ -136,6 +137,10 @@ template(`userdom_base_user_template',`
 ## <rolebase/>
 #
 template(`userdom_ro_home_template',`
+	gen_require(`
+		attribute home_type, home_dir_type, $1_file_type;
+	')
+
 	# type for contents of home directory
 	type $1_home_t, $1_file_type, home_type;
 	files_type($1_home_t)
@@ -220,6 +225,10 @@ template(`userdom_ro_home_template',`
 ## <rolebase/>
 #
 template(`userdom_manage_home_template',`
+	gen_require(`
+		attribute home_type, home_dir_type, $1_file_type;
+	')
+
 	# type for contents of home directory
 	type $1_home_t, $1_file_type, home_type;
 	files_type($1_home_t)
@@ -347,6 +356,10 @@ template(`userdom_poly_home_template',`
 ## <rolebase/>
 #
 template(`userdom_manage_tmp_template',`
+	gen_require(`
+		attribute $1_file_type;
+	')
+
 	type $1_tmp_t, $1_file_type;
 	files_tmp_file($1_tmp_t)
 
@@ -415,6 +428,10 @@ template(`userdom_poly_tmp_template',`
 ## <rolebase/>
 #
 template(`userdom_manage_tmpfs_template',`
+	gen_require(`
+		attribute $1_file_type;
+	')
+
 	type $1_tmpfs_t, $1_file_type;
 	files_tmpfs_file($1_tmpfs_t)
 
@@ -673,6 +690,8 @@ template(`userdom_common_user_template',`
 	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_t self:process { ptrace setfscreate };
 
+	allow $1_t self:context contains;
+
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -1859,7 +1878,7 @@ template(`userdom_read_user_home_content_files',`
 	')
 
 	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_dir_t:dir search_dir_perms;
 	allow $2 $1_home_t:dir search_dir_perms;
 	allow $2 $1_home_t:file r_file_perms;
 ')
@@ -1962,8 +1981,8 @@ template(`userdom_read_user_home_content_symlinks',`
 	')
 
 	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
-	allow $2 $1_home_t:dir search;
+	allow $2 $1_home_dir_t:dir search_dir_perms;
+	allow $2 $1_home_t:dir search_dir_perms;
 	allow $2 $1_home_t:lnk_file r_file_perms;
 ')
 
@@ -1998,8 +2017,8 @@ template(`userdom_exec_user_home_content_files',`
 	')
 
 	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
-	allow $2 $1_home_t:dir search;
+	allow $2 $1_home_dir_t:dir search_dir_perms;
+	allow $2 $1_home_t:dir search_dir_perms;
 	can_exec($2,$1_home_t)
 ')
 
@@ -2069,7 +2088,7 @@ template(`userdom_manage_user_home_content_files',`
 	')
 
 	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_dir_t:dir search_dir_perms;
 	allow $2 $1_home_t:dir rw_dir_perms;
 	allow $2 $1_home_t:file create_file_perms;
 ')
@@ -2142,7 +2161,7 @@ template(`userdom_manage_user_home_content_symlinks',`
 	')
 
 	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_dir_t:dir search_dir_perms;
 	allow $2 $1_home_t:dir rw_dir_perms;
 	allow $2 $1_home_t:lnk_file create_lnk_perms;
 ')
@@ -2180,7 +2199,7 @@ template(`userdom_manage_user_home_content_pipes',`
 	')
 
 	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_dir_t:dir search_dir_perms;
 	allow $2 $1_home_t:dir rw_dir_perms;
 	allow $2 $1_home_t:fifo_file create_file_perms;
 ')
@@ -2218,7 +2237,7 @@ template(`userdom_manage_user_home_content_sockets',`
 	')
 
 	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_dir_t:dir search_dir_perms;
 	allow $2 $1_home_t:dir rw_dir_perms;
 	allow $2 $1_home_t:sock_file create_file_perms;
 ')
@@ -3977,7 +3996,7 @@ interface(`userdom_search_staff_home_dirs',`
 	')
 
 	files_search_home($1)
-	allow $1 staff_home_dir_t:dir search;
+	allow $1 staff_home_dir_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -3996,7 +4015,7 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
 		type staff_home_dir_t;
 	')
 
-	dontaudit $1 staff_home_dir_t:dir search;
+	dontaudit $1 staff_home_dir_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -4023,6 +4042,29 @@ interface(`userdom_manage_staff_home_dirs',`
 	')
 ')
 
+########################################
+## <summary>
+##	Relabel to staff home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabelto_staff_home_dirs',`
+	ifdef(`targeted_policy',`
+		userdom_relabelto_generic_user_home_dirs($1)
+	',`
+		gen_require(`
+			type staff_home_dir_t;
+		')
+
+		files_search_home($1)
+		allow $1 staff_home_dir_t:dir relabelto;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to append to the staff
@@ -4343,7 +4385,7 @@ interface(`userdom_search_sysadm_home_dirs',`
 		type sysadm_home_dir_t;
 	')
 
-	allow $1 sysadm_home_dir_t:dir search;
+	allow $1 sysadm_home_dir_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -4858,7 +4900,7 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',`
 		type user_home_t;
 	')
 
-	dontaudit $1 user_home_t:dir search;
+	dontaudit $1 user_home_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -4903,6 +4945,25 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
 	allow $1 user_home_t:dir create_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Relabel to staff home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabelto_generic_user_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Read files in generic user home directories.
@@ -4924,6 +4985,26 @@ interface(`userdom_read_generic_user_home_content_files',`
 	allow $1 user_home_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Mmap of generic user
+##	home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_mmap_generic_user_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
@@ -4946,6 +5027,25 @@ interface(`userdom_manage_generic_user_home_content_files',`
 	allow $1 user_home_t:file manage_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to relabel generic user
+##	home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:file { relabelto relabelfrom };
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic

policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.0.3)
+policy_module(userdomain,2.0.4)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -155,8 +155,14 @@ ifdef(`strict_policy',`
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
 	        logging_read_generic_logs(secadm_t)
+		logging_read_audit_config(secadm_t)
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
 		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
+		optional_policy(`
+			aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+		')
+
 		optional_policy(`
 			netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
 		')

policy/modules/system/xen.fc

@@ -8,6 +8,7 @@
 /usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
 
 /var/lib/xen(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen/images(/.*)?	gen_context(system_u:object_r:xen_image_t,s0)
 /var/lib/xend(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_lib_t,s0)
 

policy/modules/system/xen.te

@@ -1,5 +1,5 @@
 
-policy_module(xen,1.1.1)
+policy_module(xen,1.1.2)
 
 ########################################
 #
@@ -86,8 +86,8 @@ allow xend_t self:netlink_route_socket r_netlink_socket_perms;
 allow xend_t self:tcp_socket create_stream_socket_perms;
 allow xend_t self:packet_socket create_socket_perms;
 
-allow xend_t xen_image_t:dir r_dir_perms;
-allow xend_t xen_image_t:file rw_file_perms;
+allow xend_t xen_image_t:dir manage_dir_perms;
+allow xend_t xen_image_t:file manage_file_perms;
 allow xend_t xen_image_t:blk_file rw_file_perms;
 
 allow xend_t xenctl_t:fifo_file create_file_perms;
@@ -143,8 +143,10 @@ corenet_tcp_bind_soundd_port(xend_t)
 corenet_tcp_bind_generic_port(xend_t)
 corenet_tcp_bind_vnc_port(xend_t)
 corenet_tcp_connect_xserver_port(xend_t)
+corenet_tcp_connect_xen_port(xend_t)
 corenet_sendrecv_xserver_client_packets(xend_t)
 corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_xen_client_packets(xend_t)
 corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_rw_tun_tap_dev(xend_t)
 
@@ -152,6 +154,7 @@ dev_read_urand(xend_t)
 dev_manage_xen(xend_t)
 dev_filetrans_xen(xend_t)
 dev_rw_sysfs(xend_t)
+dev_rw_xen(xend_t)
 
 domain_read_all_domains_state(xend_t)
 domain_dontaudit_read_all_domains_state(xend_t)
@@ -232,6 +235,10 @@ kernel_read_kernel_sysctls(xenconsoled_t)
 kernel_write_xen_state(xenconsoled_t)
 kernel_read_xen_state(xenconsoled_t)
 
+dev_manage_xen(xenconsoled_t)
+dev_filetrans_xen(xenconsoled_t)
+dev_rw_sysfs(xenconsoled_t)
+
 domain_dontaudit_ptrace_all_domains(xenconsoled_t)
 
 files_read_usr_files(xenconsoled_t)