trunk: 3 patches from the fedora policy, cherry picked by David Hardeman.

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.2.16)
+policy_module(corenetwork, 1.2.17)
 
 ########################################
 #
@@ -109,6 +109,7 @@ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(ircd, tcp,6667,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0)
 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
 network_port(jabber_interserver, tcp,5269,s0)
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)

policy/modules/services/qmail.te

@@ -1,5 +1,5 @@
 
-policy_module(qmail, 1.3.0)
+policy_module(qmail, 1.3.1)
 
 ########################################
 #
@@ -14,7 +14,7 @@ files_type(qmail_alias_home_t)
 qmail_child_domain_template(qmail_clean, qmail_start_t)
 
 type qmail_etc_t;
-files_type(qmail_etc_t)
+files_config_file(qmail_etc_t)
 
 type qmail_exec_t;
 files_type(qmail_exec_t)
@@ -85,6 +85,8 @@ files_search_var(qmail_inject_t)
 libs_use_ld_so(qmail_inject_t)
 libs_use_shared_libs(qmail_inject_t)
 
+miscfiles_read_localization(qmail_inject_t)
+
 qmail_read_config(qmail_inject_t)
 
 ########################################
@@ -100,17 +102,24 @@ allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
 manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
 manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
 
+can_exec(qmail_local_t, qmail_local_exec_t)
+
 allow qmail_local_t qmail_queue_exec_t:file read;
 
 allow qmail_local_t qmail_spool_t:file read_file_perms;
 
 kernel_read_system_state(qmail_local_t)
 
+corecmd_exec_bin(qmail_local_t)
 corecmd_exec_shell(qmail_local_t)
 
 files_read_etc_files(qmail_local_t)
 files_read_etc_runtime_files(qmail_local_t)
 
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog_msg(qmail_local_t)
+
 mta_append_spool(qmail_local_t)
 
 qmail_domtrans_queue(qmail_local_t)
@@ -155,6 +164,10 @@ manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog_msg(qmail_queue_t)
+
 optional_policy(`
 	daemontools_ipc_domain(qmail_queue_t)
 ')

policy/modules/system/ipsec.if

@@ -131,6 +131,25 @@ interface(`ipsec_setcontext_default_spd',`
 	allow $1 ipsec_spd_t:association setcontext;
 ')
 
+########################################
+## <summary>
+##	write the ipsec_var_run_t files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipsec_write_pid',`
+	gen_require(`
+		type ipsec_var_run_t;
+	')
+
+	files_search_pids($1)
+	write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete the IPSEC pid files.

policy/modules/system/ipsec.te

@@ -1,5 +1,5 @@
 
-policy_module(ipsec, 1.7.0)
+policy_module(ipsec, 1.7.1)
 
 ########################################
 #
@@ -69,9 +69,9 @@ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
 read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 
-allow ipsec_t ipsec_var_run_t:file manage_file_perms;
-allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
-files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
+manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
 
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
 

policy/modules/system/iscsi.fc

@@ -1,5 +1,5 @@
 /sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 
-/var/lib/iscsi(/.*)?	--	gen_context(system_u:object_r:iscsi_var_lib_t,s0)
-/var/lock/iscsi(/.*)?	--	gen_context(system_u:object_r:iscsi_lock_t,s0)
+/var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
 /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)

policy/modules/system/iscsi.te

@@ -1,5 +1,5 @@
 
-policy_module(iscsid,1.4.0)
+policy_module(iscsid, 1.4.1)
 
 ########################################
 #
@@ -29,7 +29,7 @@ files_pid_file(iscsi_var_run_t)
 #
 
 allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-allow iscsid_t self:process { setrlimit setsched };
+allow iscsid_t self:process { setrlimit setsched signal };
 allow iscsid_t self:fifo_file { read write };
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow iscsid_t self:unix_dgram_socket create_socket_perms;
@@ -63,6 +63,7 @@ corenet_tcp_sendrecv_all_nodes(iscsid_t)
 corenet_tcp_sendrecv_all_ports(iscsid_t)
 corenet_tcp_connect_http_port(iscsid_t)
 corenet_tcp_connect_iscsi_port(iscsid_t)
+corenet_tcp_connect_isns_port(iscsid_t)
 
 dev_rw_sysfs(iscsid_t)
 

policy/modules/system/sysnetwork.te

@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork, 1.7.0)
+policy_module(sysnetwork, 1.7.1)
 
 ########################################
 #
@@ -319,6 +319,10 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
+optional_policy(`
+	ipsec_write_pid(ifconfig_t)
+')
+
 optional_policy(`
 	netutils_domtrans(dhcpc_t)
 ')