fix up audit message perms now that audit_write denials are being audited by the kernel.

policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.3.6)
+policy_module(usermanage,1.3.7)
 
 ########################################
 #
@@ -187,7 +187,7 @@ optional_policy(`
 # Groupadd local policy
 #
 
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource };
+allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
 dontaudit groupadd_t self:capability fsetid;
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
@@ -450,7 +450,7 @@ optional_policy(`
 # Useradd local policy
 #
 
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;

policy/modules/services/dbus.if

@@ -69,6 +69,7 @@ template(`dbus_per_userdomain_template',`
 	# Local policy
 	#
 
+	allow $1_dbusd_t self:capability audit_write;
 	allow $1_dbusd_t self:process { getattr sigkill signal };
 	allow $1_dbusd_t self:file { getattr read write };
 	allow $1_dbusd_t self:dbus { send_msg acquire_svc };

policy/modules/services/dbus.te

@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.2.6)
+policy_module(dbus,1.2.7)
 
 gen_require(`
 	class dbus { send_msg acquire_svc };
@@ -30,7 +30,7 @@ files_pid_file(system_dbusd_var_run_t)
 
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 # cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid audit_write };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr signal_perms setcap };
 allow system_dbusd_t self:fifo_file { read write };

policy/modules/services/nscd.te

@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.2.5)
+policy_module(nscd,1.2.6)
 
 gen_require(`
 	class nscd all_nscd_perms;
@@ -28,7 +28,7 @@ logging_log_file(nscd_log_t)
 # Local policy
 #
 
-allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability { kill setgid setuid audit_write };
 dontaudit nscd_t self:capability sys_tty_config;
 allow nscd_t self:process { getattr setsched signal_perms };
 allow nscd_t self:fifo_file { read write };

policy/modules/system/authlogin.if

@@ -29,6 +29,7 @@ template(`authlogin_common_auth_domain_template',`
 
 	allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
 	allow $1_chkpwd_t self:process getattr;
+	allow $1_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 	files_list_etc($1_chkpwd_t)
 	allow $1_chkpwd_t shadow_t:file { getattr read };

policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.3.7)
+policy_module(authlogin,1.3.8)
 
 ########################################
 #

policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.8)
+policy_module(selinuxutil,1.2.9)
 
 gen_require(`
 	bool secure_mode;
@@ -534,7 +534,7 @@ ifdef(`targeted_policy',`',`
 # semodule local policy
 #
 
-allow semanage_t self:capability dac_override;
+allow semanage_t self:capability { dac_override audit_write };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };