* fix chroot exec interface

* more TODO cleanup * move IPC out of generic domtrans interfaces
2005-07-13 18:29:08 +00:00 · 2005-07-13 18:29:08 +00:00 · df00b2e235
commit df00b2e235
parent 25a0c61ffc
16 changed files with 399 additions and 165 deletions
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@ -121,6 +121,23 @@ interface(`rpm_manage_log',`
 	allow $1 rpm_log_t:file create_file_perms;
 ')

+########################################
+## <summary>
+##	Inherit and use file descriptors from RPM scripts.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`rpm_use_script_fd',`
+	gen_require(`
+		type rpm_script_t;
+		class fd use;
+	')
+
+	allow $1 rpm_script_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Read the RPM package database.
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@ -137,7 +137,7 @@ auth_dontaudit_read_shadow(rpm_t)

 corecmd_exec_bin(rpm_t)
 corecmd_exec_sbin(rpm_t)
-corecmd_domtrans_shell(rpm_t,rpm_script_t)
+corecmd_shell_domtrans(rpm_t,rpm_script_t)

 domain_exec_all_entry_files(rpm_t)
 domain_read_all_domains_state(rpm_t)
@ -230,6 +230,11 @@ allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
 allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
 fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

+allow rpm_t rpm_script_t:fd use;
+allow rpm_script_t rpm_t:fd use;
+allow rpm_script_t rpm_t:fifo_file rw_file_perms;
+allow rpm_script_t rpm_t:process sigchld;
+
 kernel_read_kernel_sysctl(rpm_script_t)
 kernel_read_system_state(rpm_script_t)

--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@ -576,6 +576,48 @@ interface(`fs_manage_cifs_named_sockets',`
 	allow $1 cifs_t:sock_file create_file_perms;
 ')

+########################################
+## <summary>
+##	Execute a file on a CIFS or SMB filesystem
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file on a CIFS or SMB filesystem
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	home directories on CIFS/SMB filesystems,
+##	in particular used by the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="target_domain">
+##	The type of the new process.
+## </param>
+#
+interface(`fs_cifs_domtrans',`
+	gen_require(`
+		type cifs_t;
+		class dir search;
+	')
+
+	allow $1 cifs_t:dir search;
+
+	domain_auto_trans($1,cifs_t,$2)
+')
+
 ########################################
 ## <summary>
 ##	Mount a DOS filesystem, such as
@ -984,6 +1026,48 @@ interface(`fs_manage_nfs_named_sockets',`
 	allow $1 nfs_t:sock_file create_file_perms;
 ')

+########################################
+## <summary>
+##	Execute a file on a NFS filesystem
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file on a NFS filesystem
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on a NFS filesystem in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	home directories on NFS filesystems,
+##	in particular used by the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="target_domain">
+##	The type of the new process.
+## </param>
+#
+interface(`fs_nfs_domtrans',`
+	gen_require(`
+		type nfs_t;
+		class dir search;
+	')
+
+	allow $1 nfs_t:dir search;
+
+	domain_auto_trans($1,nfs_t,$2)
+')
+
 ########################################
 ## <summary>
 ##	Mount a NFS server pseudo filesystem.
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@ -6,9 +6,9 @@
 ## </required>

 ########################################
-## <desc>
+## <summary>
 ##	Gets the caller the mountpoint of the selinuxfs filesystem.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type requesting the selinuxfs mountpoint.
 ## </param>
@ -20,10 +20,27 @@ interface(`selinux_get_fs_mount',`
 ')

 ########################################
-## <desc>
+## <summary>
+##	Do not audit attempts to search selinuxfs.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`selinux_dontaudit_search_fs',`
+	gen_require(`
+		type security_t;
+		class dir search;
+	')
+
+	dontaudit $1 security_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Allows the caller to get the mode of policy enforcement
 ##	(enforcing or permissive mode).
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type to allow to get the enforcing mode.
 ## </param>
@ -40,10 +57,10 @@ interface(`selinux_get_enforce_mode',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Allow caller to set the mode of policy enforcement
 ##	(enforcing or permissive mode).
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type to allow to set the enforcement mode.
 ## </param>
@ -65,9 +82,9 @@ interface(`selinux_set_enforce_mode',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Allow caller to load the policy into the kernel.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type that will load the policy.
 ## </param>
@ -89,10 +106,10 @@ interface(`selinux_load_policy',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Allow caller to set the state of Booleans to
 ##	enable or disable conditional portions of the policy.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type allowed to set the Boolean.
 ## </param>
@ -122,9 +139,9 @@ interface(`selinux_set_boolean',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Allow caller to set selinux security parameters.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type to allow to set security parameters.
 ## </param>
@ -146,9 +163,9 @@ interface(`selinux_set_parameters',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Allows caller to validate security contexts.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type permitted to validate contexts.
 ## </param>
@ -167,9 +184,9 @@ interface(`selinux_validate_context',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Allows caller to compute an access vector.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type allowed to compute an access vector.
 ## </param>
@ -188,9 +205,9 @@ interface(`selinux_compute_access_vector',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	
 ## </param>
@ -209,9 +226,9 @@ interface(`selinux_compute_create_context',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type to
 ## </param>
@ -230,9 +247,9 @@ interface(`selinux_compute_relabel_context',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Allows caller to compute possible contexts for a user.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The process type allowed to compute user contexts.
 ## </param>
@ -251,9 +268,9 @@ interface(`selinux_compute_user_contexts',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Unconfined access to the SELinux security server.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -395,10 +395,12 @@ interface(`term_dontaudit_use_all_user_ptys',`
 interface(`term_relabel_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
+		type devpts_t;
 		class chr_file { relabelfrom relabelto };
 	')

 	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir search;
 	allow $1 ptynode:chr_file { relabelfrom relabelto };
 ')

--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@ -24,7 +24,7 @@
 template(`cron_per_userdomain_template',`

 	# Type of user crontabs once moved to cron spool.
-	type $1_cron_spool_t;
+	type $1_cron_spool_t, cron_spool_type;
 	files_type($1_cron_spool_t)

 	type $1_crond_t; # user_crond_domain;
@ -152,6 +152,13 @@ template(`cron_per_userdomain_template',`
 	# $1_crontab_t local policy
 	#

+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
+	allow $1_t $1_crontab_t:fd use;
+	allow $1_crontab_t $1_t:fd use;
+	allow $1_crontab_t $1_t:fifo_file rw_file_perms;
+	allow $1_crontab_t $1_t:process sigchld;
+
 	# for ^Z
 	allow $1_t $1_crontab_t:process signal;

@ -172,11 +179,15 @@ template(`cron_per_userdomain_template',`

 	allow $1_crontab_t crond_log_t:file ra_file_perms;

+	# for the checks used by crontab -u
+	selinux_dontaudit_search_fs($1_crontab_t)
+
 	fs_getattr_xattr_fs($1_crontab_t)

 	domain_use_wide_inherit_fd($1_crontab_t)

 	files_read_etc_files($1_crontab_t)
+	files_dontaudit_search_pids($1_crontab_t)

 	libs_use_ld_so($1_crontab_t)
 	libs_use_shared_libs($1_crontab_t)
@ -185,6 +196,8 @@ template(`cron_per_userdomain_template',`

 	miscfiles_read_localization($1_crontab_t)

+	seutil_dontaudit_search_config($1_crontab_t)
+
 	tunable_policy(`fcron_crond', `
 		# fcron wants an instant update of a crontab change for the administrator
 		# also crontab does a security check for crontab -u
@ -193,25 +206,14 @@ template(`cron_per_userdomain_template',`

 	ifdef(`TODO',`

-	# Transition from the user domain to the derived domain.
-	domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
-
 	can_ps($1_t, $1_crontab_t)

 	dontaudit $1_crontab_t proc_t:dir search;
-	dontaudit $1_crontab_t selinux_config_t:dir search;
-	# for the checks used by crontab -u
-	dontaudit $1_crontab_t security_t:dir search;

 	# Type for temporary files.
 	file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })

-	# Use the type when creating files in /var/spool/cron.
-	allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
-
 	# Run helper programs as $1_t
-	allow $1_crontab_t { bin_t sbin_t }:dir search;
-	allow $1_crontab_t bin_t:lnk_file read;
 	domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)

 	# Read user crontabs 
@ -226,8 +228,6 @@ template(`cron_per_userdomain_template',`

 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
-
-	dontaudit $1_crontab_t var_run_t:dir search;
 	') dnl endif TODO
 ')

@ -247,10 +247,10 @@ template(`cron_per_userdomain_template',`
 ## </param>
 #
 template(`cron_admin_template',`
-	logging_read_generic_logs($1_crond_t)
-
 	# Allow our crontab domain to unlink a user cron spool file.
-	#allow $1_crontab_t user_cron_spool_t:file unlink;
+	allow $1_crontab_t cron_spool_type:file { getattr read unlink };
+
+	logging_read_generic_logs($1_crond_t)

 	# Manipulate other users crontab.
 	selinux_get_fs_mount($1_crontab_t)
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -5,6 +5,7 @@ policy_module(cron, 1.0)
 #
 # Declarations
 #
+attribute cron_spool_type;

 type anacron_exec_t;
 files_type(anacron_exec_t)
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@ -28,12 +28,12 @@ domain_type(system_mail_t)
 role system_r types system_mail_t;

 ifdef(`targeted_policy',`',`
-optional_policy(`sendmail.te', `
-domain_entry_file(system_mail_t,sendmail_exec_t)
-', `
-init_system_domain(system_mail_t,sendmail_exec_t)
-') dnl end if sendmail
-') dnl end targeted_policy
+	optional_policy(`sendmail.te',`
+		domain_entry_file(system_mail_t,sendmail_exec_t)
+	',`
+		init_system_domain(system_mail_t,sendmail_exec_t)
+	')
+')

 ########################################
 #
@ -101,25 +101,28 @@ optional_policy(`procmail.te',`
 ifdef(`TODO',`

 optional_policy(`sendmail.te',`
-allow system_mail_t etc_mail_t:dir { getattr search };
-allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t proc_t:dir search;
-allow system_mail_t proc_t:file { getattr read };
-allow system_mail_t proc_t:lnk_file read;
-dontaudit system_mail_t proc_net_t:dir search;
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t var_t:dir getattr;
-allow system_mail_t var_spool_t:dir getattr;
-dontaudit system_mail_t userpty_type:chr_file { getattr read write };
+	allow system_mail_t etc_mail_t:dir { getattr search };

-# sendmail -q 
-allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow system_mail_t mqueue_spool_t:file create_file_perms;
+	kernel_read_system_state(system_mail_t)

-ifdef(`crond.te', `
-dontaudit system_mail_t system_crond_tmp_t:file append;
+	fs_getattr_xattr_fs(system_mail_t)
+
+	files_read_etc_runtime_files(system_mail_t)
+
+	dontaudit system_mail_t proc_net_t:dir search;
+
+	allow system_mail_t var_t:dir getattr;
+	allow system_mail_t var_spool_t:dir getattr;
+	dontaudit system_mail_t userpty_type:chr_file { getattr read write };
+
+	# sendmail -q 
+	allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
+	allow system_mail_t mqueue_spool_t:file create_file_perms;
+
+	optional_policy(`crond.te', `
+		dontaudit system_mail_t system_crond_tmp_t:file append;
+	')
 ')
-') dnl end if sendmail

 allow system_mail_t device_t:dir search;
 allow system_mail_t { var_t var_spool_t }:dir search;
@ -129,56 +132,56 @@ allow system_mail_t sbin_t:dir search;
 domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
 allow privmail sendmail_exec_t:lnk_file { getattr read };

-ifdef(`crond.te', `
-# Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file r_file_perms;
-allow mta_user_agent system_crond_tmp_t:file r_file_perms;
+optional_policy(`crond.te',`
+	# Read cron temporary files.
+	allow system_mail_t system_crond_tmp_t:file r_file_perms;
+	allow mta_user_agent system_crond_tmp_t:file r_file_perms;
 ')

 ifdef(`qmail.te', `
-allow system_mail_t qmail_etc_t:dir search;
-allow system_mail_t qmail_etc_t:{ file lnk_file } read;
-')dnl end if qmail
+	allow system_mail_t qmail_etc_t:dir search;
+	allow system_mail_t qmail_etc_t:{ file lnk_file } read;
+')

 ifdef(`targeted_policy', `
-# rules are currently defined in sendmail.te, but it is not included in 
-# targeted policy.  We could move these rules permanantly here.
+	allow system_mail_t { var_t var_spool_t }:dir getattr;

-ifdef(`postfix.te', `', `
-domain_exec_all_entry_files(system_mail_t)
-files_exec_etc_files(system_mail_t)
-corecmd_exec_bin(system_mail_t)
-corecmd_exec_sbin(system_mail_t)
-libs_use_ld_so(system_mail_t)
-libs_use_shared_libs(system_mail_t)
-libs_exec_ld_so(system_mail_t)
-libs_exec_lib_files(system_mail_t)
+	allow system_mail_t etc_mail_t:file r_file_perms;
+
+	allow system_mail_t mail_spool_t:dir create_dir_perms;
+	allow system_mail_t mail_spool_t:file create_file_perms;
+	allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
+	allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
+
+	allow system_mail_t mqueue_spool_t:dir create_dir_perms;
+	allow system_mail_t mqueue_spool_t:file create_file_perms;
+	allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
+
+	optional_policy(`postfix.te',`',`
+		corecmd_exec_bin(system_mail_t)
+		corecmd_exec_sbin(system_mail_t)
+
+		domain_exec_all_entry_files(system_mail_t)
+
+		files_exec_etc_files(system_mail_t)
+
+		libs_use_ld_so(system_mail_t)
+		libs_use_shared_libs(system_mail_t)
+		libs_exec_ld_so(system_mail_t)
+		libs_exec_lib_files(system_mail_t)
+	')
+',`
+	optional_policy(`sendmail.te', `
+		# sendmail has an ugly design, the one process parses input from the user and
+		# then does system things with it.
+		domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
+	')
+
+	# allow the sysadmin to do "mail someone < /home/user/whatever"
+	allow sysadm_mail_t user_home_dir_type:dir search;
+	r_dir_file(sysadm_mail_t, user_home_type)
 ')

-allow system_mail_t { var_t var_spool_t }:dir getattr;
-
-allow system_mail_t mqueue_spool_t:dir create_dir_perms;
-allow system_mail_t mqueue_spool_t:file create_file_perms;
-allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
-
-allow system_mail_t mail_spool_t:dir create_dir_perms;
-allow system_mail_t mail_spool_t:file create_file_perms;
-allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
-
-allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-allow system_mail_t etc_mail_t:file r_file_perms;
-', ` dnl if not targeted policy:
-optional_policy(`sendmail.te', `
-# sendmail has an ugly design, the one process parses input from the user and
-# then does system things with it.
-domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
-')
-
-# allow the sysadmin to do "mail someone < /home/user/whatever"
-allow sysadm_mail_t user_home_dir_type:dir search;
-r_dir_file(sysadm_mail_t, user_home_type)
-') dnl end ifdef targeted_policy
-
 # for a mail server process that does things in response to a user command
 allow mta_user_agent userdomain:process sigchld;
 allow mta_user_agent { userdomain privfd }:fd use;
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@ -43,12 +43,6 @@ files_create_tmp_files(remote_login_t, remote_login_tmp_t, { file dir })

 kernel_read_system_state(remote_login_t)
 kernel_read_kernel_sysctl(remote_login_t)
-selinux_get_fs_mount(remote_login_t)
-selinux_validate_context(remote_login_t)
-selinux_compute_access_vector(remote_login_t)
-selinux_compute_create_context(remote_login_t)
-selinux_compute_relabel_context(remote_login_t)
-selinux_compute_user_contexts(remote_login_t)

 dev_getattr_mouse(remote_login_t)
 dev_setattr_mouse(remote_login_t)
@ -59,6 +53,15 @@ dev_read_urand(remote_login_t)
 fs_getattr_xattr_fs(remote_login_t)
 fs_search_auto_mountpoints(remote_login_t)

+selinux_get_fs_mount(remote_login_t)
+selinux_validate_context(remote_login_t)
+selinux_compute_access_vector(remote_login_t)
+selinux_compute_create_context(remote_login_t)
+selinux_compute_relabel_context(remote_login_t)
+selinux_compute_user_contexts(remote_login_t)
+
+term_relabel_all_user_ptys(remote_login_t)
+
 auth_domtrans_chk_passwd(remote_login_t)
 auth_dontaudit_read_shadow(remote_login_t)
 auth_rw_login_records(remote_login_t)
@ -166,9 +169,8 @@ optional_policy(`remotelogin.te',`
 	remotelogin_signull(xdm_t)
 ')

-allow remote_login_t devpts_t:dir search;
 allow remote_login_t userpty_type:chr_file { setattr write };
-allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
+allow remote_login_t ptyfile:chr_file { getattr ioctl };

 optional_policy(`rlogind.te', `
 	allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@ -103,6 +103,12 @@ template(`ssh_per_userdomain_template',`
 	# run helper programs - needed eg for x11-ssh-askpass
 	corecmd_exec_shell($1_ssh_t)
 	corecmd_exec_bin($1_ssh_t)
+	corecmd_list_sbin($1_ssh_t)
+	corecmd_read_sbin_symlink($1_ssh_t)
+	# cjp: these are probably not needed:
+	corecmd_read_sbin_file($1_ssh_t)
+	corecmd_read_sbin_pipe($1_ssh_t)
+	corecmd_read_sbin_socket($1_ssh_t)

 	domain_use_wide_inherit_fd($1_ssh_t)

@ -125,6 +131,14 @@ template(`ssh_per_userdomain_template',`

 	userdom_use_unpriv_users_fd($1_ssh_t)

+	tunable_policy(`read_default_t',`
+		files_list_default($1_ssh_t)
+		files_read_default_files($1_ssh_t)
+		files_read_default_symlinks($1_ssh_t)
+		files_read_default_sockets($1_ssh_t)
+		files_read_default_pipes($1_ssh_t)
+	')
+
 	tunable_policy(`use_dns',`
 		allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
 		corenet_udp_sendrecv_all_if($1_ssh_t)
@ -157,15 +171,6 @@ template(`ssh_per_userdomain_template',`
 	')

 	ifdef(`TODO',`
-
-	allow $1 sbin_t:dir r_dir_perms;
-	allow $1 sbin_t:notdevfile_class_set r_file_perms;
-
-	if (read_default_t) {
-		allow $1 default_t:dir r_dir_perms;
-		allow $1 default_t:notdevfile_class_set r_file_perms;
-	}
-
 	# Read /var.
 	allow $1_ssh_t var_t:dir r_dir_perms;
 	allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
@ -232,6 +237,7 @@ template(`ssh_per_userdomain_template',`
 	#
 	# $1_ssh_agent_t local policy
 	#
+
 	allow $1_ssh_agent_t self:process setrlimit;
 	allow $1_ssh_agent_t self:capability setgid;

@ -239,6 +245,15 @@ template(`ssh_per_userdomain_template',`

 	allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;

+	# for the transition back to normal privs upon exec
+	allow $1_ssh_agent_t $1_t:fd use;
+	allow $1_t $1_ssh_agent_t:fd use;
+	allow $1_t $1_ssh_agent_t:fifo_file rw_file_perms;
+	allow $1_t $1_ssh_agent_t:process sigchld;
+
+	# Allow the ssh program to communicate with ssh-agent.
+	allow $1_ssh_t sshd_t:unix_stream_socket connectto;
+
 	domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)

 	kernel_read_kernel_sysctl($1_ssh_agent_t)
@ -248,6 +263,10 @@ template(`ssh_per_userdomain_template',`

 	fs_search_auto_mountpoints($1_ssh_agent_t)

+	# transition back to normal privs upon exec
+	corecmd_shell_domtrans($1_ssh_agent_t,$1_t)
+	corecmd_bin_domtrans($1_ssh_agent_t, $1_t)
+
 	domain_use_wide_inherit_fd($1_ssh_agent_t)

 	files_read_etc_files($1_ssh_agent_t)
@ -261,18 +280,34 @@ template(`ssh_per_userdomain_template',`

 	miscfiles_read_localization($1_ssh_agent_t)

-	if (use_nfs_home_dirs) {
-		fs_manage_nfs_files($1_ssh_agent_t)
-	}
+	seutil_dontaudit_search_config($1_ssh_agent_t)

-	if (use_samba_home_dirs) {
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_ssh_agent_t)
+
+		# transition back to normal privs upon exec
+		fs_nfs_domtrans($1_ssh_agent_t, $1_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
 		fs_manage_cifs_files($1_ssh_agent_t)
-	}
+
+		# transition back to normal privs upon exec
+		fs_cifs_domtrans($1_ssh_agent_t, $1_t)
+	')

 	optional_policy(`nis.te',`
 		nis_use_ypbind($1_ssh_agent_t)
 	')

+	optional_policy(`xdm.te', `
+		xdm_use_fd($1_ssh_agent_t)
+		xdm_rw_pipe($1_ssh_agent_t)
+
+		# KDM:
+		xdm_sigchld($1_ssh_agent_t)
+	')
+
 	ifdef(`TODO',`

 	# Write to the user domain tty.
@ -285,7 +320,6 @@ template(`ssh_per_userdomain_template',`

 	allow $1_ssh_agent_t proc_t:dir search;
 	dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-	dontaudit $1_ssh_agent_t selinux_config_t:dir search;

 	# Access the ssh temporary files. Should we have an own type here
 	# to which only ssh, ssh-agent and ssh-add have access?
@ -296,28 +330,12 @@ template(`ssh_per_userdomain_template',`
 	can_unix_connect($1_t, $1_ssh_agent_t)

 	# transition back to normal privs upon exec
-	domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
-	allow $1_ssh_agent_t bin_t:dir search;
-	allow $1_ssh_agent_t bin_t:lnk_file read;
-	if (use_nfs_home_dirs) {
-	domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
-	}
-	if (use_samba_home_dirs) {
-	domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
-	}
+	domain_auto_trans($1_ssh_agent_t, $1_home_t, $1_t)

 	allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search;

 	allow $1_ssh_t $1_tmp_t:sock_file write;

-	ifdef(`xdm.te', `
-	allow $1_ssh_agent_t xdm_t:fd use;
-	allow $1_ssh_agent_t xdm_t:fifo_file { read write };
-
-	# kdm: sigchld
-	allow $1_ssh_agent_t xdm_t:process sigchld;
-	')
-
 	#
 	# Allow command to ssh-agent > ~/.ssh_agent
 	#
@ -327,7 +345,6 @@ template(`ssh_per_userdomain_template',`
 	# Allow the ssh program to communicate with ssh-agent.
 	allow $1_ssh_t $1_tmp_t:sock_file write;
 	allow $1_ssh_t $1_t:unix_stream_socket connectto;
-	allow $1_ssh_t sshd_t:unix_stream_socket connectto;
 	') dnl endif TODO
 ')

--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@ -72,6 +72,10 @@ seutil_read_config(sshd_t)
 # Allow checking users mail at login
 mta_getattr_spool(sshd_t)

+optional_policy(`rpm.te',`
+	rpm_use_script_fd(sshd_t)
+')
+
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
 	userdom_spec_domtrans_all_users(sshd_t)
@ -108,9 +112,6 @@ tunable_policy(`ssh_sysadm_login',`
 # for when the network connection breaks after running newrole -r sysadm_r
 dontaudit sshd_t sysadm_devpts_t:chr_file setattr;

-optional_policy(`rpm.te',`
-allow sshd_t rpm_script_t:fd use;
-')
 ') dnl endif TODO

 #################################
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@ -153,6 +153,49 @@ interface(`corecmd_exec_bin',`

 ')

+########################################
+## <summary>
+##	Execute a file in a bin directory
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a file in a bin directory
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain.  This is not suggested.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+##	<p>
+##	This interface was added to handle
+##	the ssh-agent policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="target_domain">
+##	The type of the new process.
+## </param>
+#
+interface(`corecmd_bin_domtrans',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class lnk_file { getattr read };
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:lnk_file { getattr read };
+
+	domain_auto_trans($1,bin_t,$2)
+')
+
 ########################################
 #
 # corecmd_search_sbin(domain)
@ -332,9 +375,16 @@ interface(`corecmd_exec_ls',`

 ########################################
 ## <desc>
+##	<p>
 ##	Execute a shell in the target domain.  This
 ##	is an explicit transition, requiring the
 ##	caller to use setexeccon().
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
@ -348,25 +398,27 @@ interface(`corecmd_shell_spec_domtrans',`
 		type bin_t, shell_exec_t;
 		class dir r_dir_perms;
 		class lnk_file r_file_perms;
-		class fd use;
-		class fifo_file rw_file_perms;
-		class process sigchld;
 	')

 	allow $1 bin_t:dir r_dir_perms;
 	allow $1 bin_t:lnk_file r_file_perms;

 	domain_trans($1,shell_exec_t,$2)
-
-	allow $1 $2:fd use;
-	allow $2 $1:fd use;
-	allow $2 $1:fifo_file rw_file_perms;
-	allow $2 $1:process sigchld;
 ')

 ########################################
+## <summary>
+##	Execute a shell in the specified domain.
+## </summary>
 ## <desc>
-##	Execute a shell in the target domain.
+##	<p>
+##	Execute a shell in the specified domain.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
@ -375,7 +427,7 @@ interface(`corecmd_shell_spec_domtrans',`
 ##	The type of the shell process.
 ## </param>
 #
-interface(`corecmd_domtrans_shell',`
+interface(`corecmd_shell_domtrans',`
 	gen_require(`
 		type shell_exec_t;
 	')
@ -386,9 +438,9 @@ interface(`corecmd_domtrans_shell',`

 ########################################
 #
-# corecmd_chroot_exec_chroot(domain)
+# corecmd_exec_chroot(domain)
 #
-interface(`corecmd_chroot_exec_chroot',`
+interface(`corecmd_exec_chroot',`
 	gen_require(`
 		type chroot_exec_t;
 		class capability sys_chroot;
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -103,7 +103,7 @@ selinux_set_boolean(init_t)

 term_use_all_terms(init_t)

-corecmd_chroot_exec_chroot(init_t)
+corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 corecmd_exec_sbin(init_t)

--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@ -13,6 +13,31 @@ interface(`logging_log_file',`
 	typeattribute $1 logfile;
 ')

+########################################
+## <summary>
+##	Execute syslogd in the syslog domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`logging_domtrans_syslog',`
+	gen_require(`
+		type syslogd_t, syslogd_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,syslogd_exec_t,syslogd_t)
+
+	allow $1 syslogd_t:fd use;
+	allow syslogd_t $1:fd use;
+	allow syslogd_t $1:fifo_file rw_file_perms;
+	allow syslogd_t $1:process sigchld;
+')
+
 ########################################
 #
 # logging_create_log(domain,privatetype,[class(es)])
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@ -163,7 +163,7 @@ optional_policy(`hotplug.te',`
 	hotplug_search_config(dhcpc_t)

 	ifdef(`distro_redhat',`
-		logging_syslogd_transition(dhcpc_t)
+		logging_domtrans_syslog(dhcpc_t)
 	')
 ')

--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -917,9 +917,17 @@ interface(`userdom_shell_domtrans_sysadm',`
 	',`
 		gen_require(`
 			type sysadm_t;
+			class fd use;
+			class fifo_file rw_file_perms;
+			class process sigchld;
 		')

-		corecmd_domtrans_shell($1,sysadm_t)
+		corecmd_shell_domtrans($1,sysadm_t)
+
+		allow $1 sysadm_t:fd use;
+		allow sysadm_t $1:fd use;
+		allow sysadm_t $1:fifo_file rw_file_perms;
+		allow sysadm_t $1:process sigchld;
 	')
 ')