Merge branch 'master' into xselinux

Changelog

@@ -1,6 +1,7 @@
+* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
 - Add separate x_pointer and x_keyboard classes inheriting from x_device. 
   From Eamon Walsh.
-- Deprecated the userdom_xwindwos_client_template().
+- Deprecated the userdom_xwindows_client_template().
 - Misc Gentoo fixes from Corentin Labbe.
 - Debian policykit fixes from Martin Orr.
 - Fix unconfined_r use of unconfined_java_t.
@@ -19,9 +20,11 @@
 	kdump (Dan Walsh)
 	modemmanager(Dan Walsh)
 	nslcd (Dan Walsh)
+	puppet (Craig Grube)
 	rtkit (Dan Walsh)
 	seunshare (Dan Walsh)
 	shorewall (Dan Walsh)
+	tgtd (Matthew Ife)
 	tuned (Miroslav Grepl)
 	xscreensaver (Corentin Labbe)
 

VERSION

@@ -1 +1 @@
-2.20090730
+2.20091117

policy/flask/access_vectors

@@ -376,6 +376,7 @@ class system
 	syslog_read  
 	syslog_mod
 	syslog_console
+	module_request
 }
 
 #

policy/modules/admin/certwatch.te

@@ -1,5 +1,5 @@
 
-policy_module(certwatch, 1.4.1)
+policy_module(certwatch, 1.5.0)
 
 ########################################
 #

policy/modules/admin/kismet.fc

@@ -1,3 +1,5 @@
+HOME_DIR/\.kismet(/.*)?			gen_context(system_u:object_r:kismet_home_t,s0)
+
 /usr/bin/kismet			--	gen_context(system_u:object_r:kismet_exec_t,s0)
 /var/lib/kismet(/.*)?			gen_context(system_u:object_r:kismet_var_lib_t,s0)
 /var/log/kismet(/.*)?			gen_context(system_u:object_r:kismet_log_t,s0)

policy/modules/admin/kismet.te

@@ -1,5 +1,5 @@
 
-policy_module(kismet, 1.3.1)
+policy_module(kismet, 1.4.1)
 
 ########################################
 #
@@ -11,6 +11,9 @@ type kismet_exec_t;
 application_domain(kismet_t, kismet_exec_t)
 role system_r types kismet_t;
 
+type kismet_home_t;
+userdom_user_home_content(kismet_home_t)
+
 type kismet_log_t;
 logging_log_file(kismet_log_t)
 
@@ -39,6 +42,11 @@ allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
 allow kismet_t self:unix_stream_socket create_stream_socket_perms;
 allow kismet_t self:tcp_socket create_stream_socket_perms;
 
+manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
+userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
+
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
 allow kismet_t kismet_log_t:dir setattr;
 logging_log_filetrans(kismet_t, kismet_log_t, { file dir })

policy/modules/admin/mrtg.te

@@ -1,5 +1,5 @@
 
-policy_module(mrtg, 1.7.1)
+policy_module(mrtg, 1.8.0)
 
 ########################################
 #

policy/modules/admin/portage.te

@@ -1,5 +1,5 @@
 
-policy_module(portage, 1.8.1)
+policy_module(portage, 1.9.0)
 
 ########################################
 #

policy/modules/admin/prelink.te

@@ -1,5 +1,5 @@
 
-policy_module(prelink, 1.7.1)
+policy_module(prelink, 1.8.0)
 
 ########################################
 #

policy/modules/admin/readahead.te

@@ -1,5 +1,5 @@
 
-policy_module(readahead, 1.9.1)
+policy_module(readahead, 1.10.0)
 
 ########################################
 #

policy/modules/admin/tzdata.te

@@ -19,6 +19,8 @@ application_domain(tzdata_t, tzdata_exec_t)
 files_read_etc_files(tzdata_t)
 files_search_spool(tzdata_t)
 
+fs_getattr_xattr_fs(tzdata_t)
+
 term_dontaudit_list_ptys(tzdata_t)
 
 locallogin_dontaudit_use_fds(tzdata_t)

policy/modules/admin/usermanage.te

@@ -1,5 +1,5 @@
 
-policy_module(usermanage, 1.13.1)
+policy_module(usermanage, 1.14.0)
 
 ########################################
 #
@@ -242,6 +242,10 @@ optional_policy(`
 	nscd_domtrans(groupadd_t)
 ')
 
+optional_policy(`
+	puppet_rw_tmp(groupadd_t)
+')
+
 optional_policy(`
 	rpm_use_fds(groupadd_t)
 	rpm_rw_pipes(groupadd_t)
@@ -520,6 +524,10 @@ optional_policy(`
 	nscd_domtrans(useradd_t)
 ')
 
+optional_policy(`
+	puppet_rw_tmp(useradd_t)
+')
+
 optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)

policy/modules/admin/vpn.te

@@ -1,5 +1,5 @@
 
-policy_module(vpn, 1.11.1)
+policy_module(vpn, 1.12.0)
 
 ########################################
 #

policy/modules/apps/awstats.te

@@ -1,5 +1,5 @@
 
-policy_module(awstats, 1.1.1)
+policy_module(awstats, 1.2.0)
 
 ########################################
 #

policy/modules/apps/calamaris.te

@@ -1,5 +1,5 @@
 
-policy_module(calamaris, 1.5.0)
+policy_module(calamaris, 1.5.1)
 
 ########################################
 #
@@ -59,12 +59,12 @@ files_read_etc_runtime_files(calamaris_t)
 
 libs_read_lib_files(calamaris_t)
 
+auth_use_nsswitch(calamaris_t)
+
 logging_send_syslog_msg(calamaris_t)
 
 miscfiles_read_localization(calamaris_t)
 
-sysnet_read_config(calamaris_t)
-
 userdom_dontaudit_list_user_home_dirs(calamaris_t)
 
 squid_read_log(calamaris_t)
@@ -80,7 +80,3 @@ optional_policy(`
 optional_policy(`
 	mta_send_mail(calamaris_t)
 ')
-
-optional_policy(`
-	nis_use_ypbind(calamaris_t)
-')

policy/modules/apps/cdrecord.te

@@ -1,5 +1,5 @@
 
-policy_module(cdrecord, 2.1.1)
+policy_module(cdrecord, 2.2.0)
 
 ########################################
 #

policy/modules/apps/cpufreqselector.te

@@ -1,5 +1,5 @@
 
-policy_module(cpufreqselector, 1.0.1)
+policy_module(cpufreqselector, 1.1.0)
 
 ########################################
 #

policy/modules/apps/gpg.te

@@ -1,5 +1,5 @@
 
-policy_module(gpg, 2.1.1)
+policy_module(gpg, 2.2.1)
 
 ########################################
 #
@@ -104,11 +104,36 @@ files_dontaudit_search_var(gpg_t)
 
 auth_use_nsswitch(gpg_t)
 
-miscfiles_read_localization(gpg_t)
-
 logging_send_syslog_msg(gpg_t)
 
+miscfiles_read_localization(gpg_t)
+
 userdom_use_user_terminals(gpg_t)
+# sign/encrypt user files
+userdom_manage_user_tmp_files(gpg_t)
+userdom_manage_user_home_content_files(gpg_t)
+
+mta_write_config(gpg_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(gpg_t)
+	fs_manage_nfs_files(gpg_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(gpg_t)
+	fs_manage_cifs_files(gpg_t)
+')
+
+optional_policy(`
+	xserver_use_xdm_fds(gpg_t)
+	xserver_rw_xdm_pipes(gpg_t)
+')
+
+optional_policy(`
+	cron_system_entry(gpg_t, gpg_exec_t)
+	cron_read_system_job_tmp_files(gpg_t)
+')
 
 ########################################
 #
@@ -146,23 +171,13 @@ files_read_etc_files(gpg_helper_t)
 auth_use_nsswitch(gpg_helper_t)
 
 userdom_use_user_terminals(gpg_helper_t)
-# sign/encrypt user files
-userdom_manage_user_tmp_files(gpg_t)
-userdom_manage_user_home_content_files(gpg_t)
 
 tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(gpg_t)
-	fs_manage_nfs_files(gpg_t)
+	fs_dontaudit_rw_nfs_files(gpg_helper_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(gpg_t)
-	fs_manage_cifs_files(gpg_t)
-')
-
-optional_policy(`
-	xserver_use_xdm_fds(gpg_t)
-	xserver_rw_xdm_pipes(gpg_t)
+	fs_dontaudit_rw_cifs_files(gpg_helper_t)
 ')
 
 ########################################

policy/modules/apps/java.te

@@ -1,5 +1,5 @@
 
-policy_module(java, 2.1.1)
+policy_module(java, 2.2.0)
 
 ########################################
 #

policy/modules/apps/mozilla.if

@@ -45,6 +45,12 @@ interface(`mozilla_role',`
 	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
+	mozilla_dbus_chat($2)
+
+	optional_policy(`
+		pulseaudio_role($1, mozilla_t)
+	')
 ')
 
 ########################################
@@ -64,6 +70,7 @@ interface(`mozilla_read_user_home_files',`
 
 	allow $1 mozilla_home_t:dir list_dir_perms;
 	allow $1 mozilla_home_t:file read_file_perms;
+	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
 	userdom_search_user_home_dirs($1)
 ')
 
@@ -86,6 +93,43 @@ interface(`mozilla_write_user_home_files',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempts to read/write mozilla home directory content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mozilla_dontaudit_rw_user_home_files',`
+	gen_require(`
+		type mozilla_home_t;
+	')
+
+	dontaudit $1 mozilla_home_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to write mozilla home directory content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mozilla_dontaudit_manage_user_home_files',`
+	gen_require(`
+		type mozilla_home_t;
+	')
+
+	dontaudit $1 mozilla_home_t:dir manage_dir_perms;
+	dontaudit $1 mozilla_home_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Run mozilla in the mozilla domain.

policy/modules/apps/mozilla.te

@@ -1,5 +1,5 @@
 
-policy_module(mozilla, 2.1.0)
+policy_module(mozilla, 2.1.1)
 
 ########################################
 #
@@ -59,6 +59,7 @@ manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 userdom_search_user_home_dirs(mozilla_t)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
 
 # Mozpluggerrc
 allow mozilla_t mozilla_conf_t:file read_file_perms;
@@ -75,7 +76,7 @@ kernel_read_network_state(mozilla_t)
 kernel_read_system_state(mozilla_t)
 kernel_read_net_sysctls(mozilla_t)
 
-# Look for plugins 
+# Look for plugins
 corecmd_list_bin(mozilla_t)
 # for bash - old mozilla binary
 corecmd_exec_shell(mozilla_t)
@@ -97,6 +98,7 @@ corenet_tcp_connect_http_cache_port(mozilla_t)
 corenet_tcp_connect_ftp_port(mozilla_t)
 corenet_tcp_connect_ipp_port(mozilla_t)
 corenet_tcp_connect_generic_port(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
 corenet_sendrecv_http_client_packets(mozilla_t)
 corenet_sendrecv_http_cache_client_packets(mozilla_t)
 corenet_sendrecv_ftp_client_packets(mozilla_t)
@@ -114,6 +116,8 @@ dev_read_sound(mozilla_t)
 dev_dontaudit_rw_dri(mozilla_t)
 dev_getattr_sysfs_dirs(mozilla_t)
 
+domain_dontaudit_read_all_domains_state(mozilla_t)
+
 files_read_etc_runtime_files(mozilla_t)
 files_read_usr_files(mozilla_t)
 files_read_etc_files(mozilla_t)
@@ -231,6 +235,10 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(mozilla_t)
 	dbus_session_bus_client(mozilla_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(mozilla_t)
+	')
 ')
 
 optional_policy(`

policy/modules/apps/podsleuth.te

@@ -1,5 +1,5 @@
 
-policy_module(podsleuth, 1.2.0)
+policy_module(podsleuth, 1.2.1)
 
 ########################################
 #
@@ -71,6 +71,8 @@ miscfiles_read_localization(podsleuth_t)
 
 sysnet_dns_name_resolve(podsleuth_t)
 
+userdom_signal_unpriv_users(podsleuth_t)
+
 optional_policy(`
 	dbus_system_bus_client(podsleuth_t)
 

policy/modules/apps/pulseaudio.te

@@ -1,5 +1,5 @@
 
-policy_module(pulseaudio, 1.0.1)
+policy_module(pulseaudio, 1.1.0)
 
 ########################################
 #

policy/modules/apps/qemu.te

@@ -1,5 +1,5 @@
 
-policy_module(qemu, 1.2.1)
+policy_module(qemu, 1.3.0)
 
 ########################################
 #

policy/modules/apps/screen.if

@@ -80,6 +80,11 @@ template(`screen_role_template',`
 	relabel_files_pattern($3, screen_home_t, screen_home_t)
 	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
 
+	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
+	manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
+	manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
+	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+
 	kernel_read_system_state($1_screen_t)
 	kernel_read_kernel_sysctls($1_screen_t)
 

policy/modules/apps/screen.te

@@ -1,5 +1,5 @@
 
-policy_module(screen, 2.1.1)
+policy_module(screen, 2.2.1)
 
 ########################################
 #

policy/modules/apps/seunshare.if

@@ -41,6 +41,14 @@ interface(`seunshare_run',`
 
 	seunshare_domtrans($1)
 	role $2 types seunshare_t;
+
+	allow $1 seunshare_t:process signal_perms;
+
+	ifdef(`hide_broken_symptoms', `
+		dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+		dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+		dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+	')
 ')
 
 ########################################

policy/modules/apps/seunshare.te

@@ -1,5 +1,5 @@
 
-policy_module(seunshare, 1.0.0)
+policy_module(seunshare, 1.0.1)
 
 ########################################
 #
@@ -16,7 +16,7 @@ role system_r types seunshare_t;
 # seunshare local policy
 #
 
-allow seunshare_t self:capability setpcap;
+allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
 allow seunshare_t self:process { setexec signal getcap setcap };
 
 allow seunshare_t self:fifo_file rw_file_perms;
@@ -30,6 +30,16 @@ files_mounton_all_poly_members(seunshare_t)
 
 auth_use_nsswitch(seunshare_t)
 
+logging_send_syslog_msg(seunshare_t)
+
 miscfiles_read_localization(seunshare_t)
 
 userdom_use_user_terminals(seunshare_t)
+
+ifdef(`hide_broken_symptoms', `
+	fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
+
+	optional_policy(`
+		mozilla_dontaudit_manage_user_home_files(seunshare_t)
+	')
+')

policy/modules/apps/vmware.te

@@ -1,5 +1,5 @@
 
-policy_module(vmware, 2.1.1)
+policy_module(vmware, 2.2.0)
 
 ########################################
 #

policy/modules/apps/webalizer.te

@@ -1,5 +1,5 @@
 
-policy_module(webalizer, 1.9.1)
+policy_module(webalizer, 1.10.0)
 
 ########################################
 #

policy/modules/apps/wireshark.te

@@ -1,5 +1,5 @@
 
-policy_module(wireshark, 2.0.1)
+policy_module(wireshark, 2.1.0)
 
 ########################################
 #

policy/modules/kernel/corecommands.fc

@@ -54,6 +54,8 @@ ifdef(`distro_redhat',`
 /etc/cron.weekly/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cron.monthly/.*		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/dhcp/dhclient\.d(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
 /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
@@ -123,8 +125,9 @@ ifdef(`distro_gentoo',`
 #
 /sbin				-d	gen_context(system_u:object_r:bin_t,s0)
 /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
-/sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
+/sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
+/sbin/nologin			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 #
 # /opt
@@ -135,7 +138,6 @@ ifdef(`distro_gentoo',`
 
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/opt/real/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
 ifdef(`distro_gentoo',`
 /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
 /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -211,6 +213,8 @@ ifdef(`distro_gentoo',`
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
@@ -220,7 +224,10 @@ ifdef(`distro_gentoo',`
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@@ -263,6 +270,7 @@ ifdef(`distro_redhat', `
 /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)

policy/modules/kernel/corecommands.if

@@ -447,7 +447,7 @@ interface(`corecmd_bin_domtrans',`
 		type bin_t;
 	')
 
-	corecmd_bin_spec_domtrans($1,$2)
+	corecmd_bin_spec_domtrans($1, $2)
 	type_transition $1 bin_t:process $2;
 ')
 

policy/modules/kernel/corecommands.te

@@ -1,5 +1,5 @@
 
-policy_module(corecommands, 1.12.0)
+policy_module(corecommands, 1.12.1)
 
 ########################################
 #

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.12.1)
+policy_module(corenetwork, 1.13.0)
 
 ########################################
 #
@@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 network_port(pulseaudio, tcp,4713,s0)
+network_port(puppet, tcp, 8140, s0)
 network_port(pxe, udp,4011,s0)
 network_port(pyzor, udp,24441,s0)
 network_port(radacct, udp,1646,s0, udp,1813,s0)

policy/modules/kernel/devices.fc

@@ -47,8 +47,10 @@
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
 /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
 /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+		-c	gen_context(system_u:object_r:lirc_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
@@ -61,10 +63,12 @@
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
 /dev/network_throughput	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
@@ -82,6 +86,7 @@
 /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/rfkill		-c	gen_context(system_u:object_r:wireless_device_t,s0)
 /dev/(misc/)?rtc[0-9]*	-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -101,7 +106,8 @@ ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/vboxadd.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vga_arbiter	-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -168,6 +174,7 @@ ifdef(`distro_gentoo',`
 
 ifdef(`distro_redhat',`
 # originally from named.fc
+/var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)

policy/modules/kernel/devices.if

@@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',`
 	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
 	relabelfrom_fifo_files_pattern($1, device_t, device_node)
 	relabelfrom_sock_files_pattern($1, device_t, device_node)
-	relabel_blk_files_pattern($1, device_t,{ device_t device_node })
-	relabel_chr_files_pattern($1, device_t,{ device_t device_node })
+	relabel_blk_files_pattern($1, device_t, { device_t device_node })
+	relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
 
 ########################################
@@ -1690,6 +1690,78 @@ interface(`dev_read_kmsg',`
 	read_chr_files_pattern($1, device_t, kmsg_device_t)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write to ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the kvm devices.
@@ -1762,6 +1834,61 @@ interface(`dev_rw_kvm',`
 	rw_chr_files_pattern($1, device_t, kvm_device_t)
 ')
 
+######################################
+## <summary>
+##	Read the lirc device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_lirc',`
+	gen_require(`
+		type device_t, lirc_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##	Read and write the lirc device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_lirc',`
+	gen_require(`
+		type device_t, lirc_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##	Automatic type transition to the type
+##	for lirc device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_lirc',`
+	gen_require(`
+		type device_t, lirc_device_t;
+	')
+
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
 ########################################
 ## <summary>
 ##	Read the lvm comtrol device.
@@ -1798,6 +1925,24 @@ interface(`dev_rw_lvm_control',`
 	rw_chr_files_pattern($1, device_t, lvm_control_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read and write lvm control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_lvm_control',`
+	gen_require(`
+		type lvm_control_t;
+	')
+
+	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Delete the lvm control device.
@@ -2044,6 +2189,78 @@ interface(`dev_dontaudit_rw_misc',`
 	dontaudit $1 misc_device_t:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of the modem devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_modem_dev',`
+	gen_require(`
+		type device_t, modem_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the modem devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_modem_dev',`
+	gen_require(`
+		type device_t, modem_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+##	Read the modem devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_modem',`
+	gen_require(`
+		type device_t, modem_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write to modem devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_modem',`
+	gen_require(`
+		type device_t, modem_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, modem_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the mouse devices.
@@ -2303,6 +2520,24 @@ interface(`dev_setattr_null_dev',`
 	setattr_chr_files_pattern($1, device_t, null_device_t)
 ')
 
+########################################
+## <summary>
+##	Delete the null device (/dev/null).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_null',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	delete_chr_files_pattern($1, device_t, null_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write to the null device (/dev/null).
@@ -3597,6 +3832,24 @@ interface(`dev_write_watchdog',`
 	write_chr_files_pattern($1, device_t, watchdog_device_t)
 ')
 
+########################################
+## <summary>
+##	Read and write the the wireless device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_wireless',`
+	gen_require(`
+		type device_t, wireless_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, wireless_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write Xen devices.

policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices, 1.8.2)
+policy_module(devices, 1.9.1)
 
 ########################################
 #
@@ -83,6 +83,12 @@ dev_node(ipmi_device_t)
 type kmsg_device_t;
 dev_node(kmsg_device_t)
 
+#
+# ksm_device_t is the type of /dev/ksm
+#
+type ksm_device_t;
+dev_node(ksm_device_t)
+
 #
 # kvm_device_t is the type of
 # /dev/kvm
@@ -90,6 +96,12 @@ dev_node(kmsg_device_t)
 type kvm_device_t;
 dev_node(kvm_device_t)
 
+#
+# Type for /dev/lirc
+#
+type lirc_device_t;
+dev_node(lirc_device_t)
+
 #
 # Type for /dev/mapper/control
 #
@@ -109,6 +121,12 @@ neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_f
 type misc_device_t;
 dev_node(misc_device_t)
 
+#
+# A general type for modem devices.
+#
+type modem_device_t;
+dev_node(modem_device_t)
+
 #
 # A more general type for mouse devices.
 #
@@ -123,7 +141,7 @@ dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
 
 #
-# network control devices 
+# network control devices
 #
 type netcontrol_device_t;
 dev_node(netcontrol_device_t)
@@ -137,13 +155,13 @@ mls_trusted_object(null_device_t)
 sid devnull gen_context(system_u:object_r:null_device_t,s0)
 
 #
-# Type for /dev/nvram 
+# Type for /dev/nvram
 #
 type nvram_device_t;
 dev_node(nvram_device_t)
 
 #
-# Type for /dev/pmu 
+# Type for /dev/pmu
 #
 type power_device_t;
 dev_node(power_device_t)
@@ -153,7 +171,7 @@ dev_node(printer_device_t)
 mls_file_write_within_range(printer_device_t)
 
 #
-# qemu control devices 
+# qemu control devices
 #
 type qemu_device_t;
 dev_node(qemu_device_t)
@@ -224,6 +242,12 @@ dev_node(vmware_device_t)
 type watchdog_device_t;
 dev_node(watchdog_device_t)
 
+#
+# wireless control devices
+#
+type wireless_device_t;
+dev_node(wireless_device_t)
+
 type xen_device_t;
 dev_node(xen_device_t)
 

policy/modules/kernel/files.if

@@ -100,7 +100,7 @@ interface(`files_pid_file',`
 
 ########################################
 ## <summary>
-##	Make the specified type a 
+##	Make the specified type a
 ##	configuration file.
 ## </summary>
 ## <param name="file_type">
@@ -110,12 +110,16 @@ interface(`files_pid_file',`
 ## </param>
 #
 interface(`files_config_file',`
+	gen_require(`
+		attribute configfile;
+	')
 	files_type($1)
+	typeattribute $1 configfile;
 ')
 
 ########################################
 ## <summary>
-##	Make the specified type a 
+##	Make the specified type a
 ##	polyinstantiated directory.
 ## </summary>
 ## <param name="file_type">
@@ -1066,7 +1070,7 @@ interface(`files_dontaudit_search_all_dirs',`
 ##	</summary>
 ## </param>
 #
-# dwalsh: This interface is to allow quotacheck to work on a 
+# dwalsh: This interface is to allow quotacheck to work on a
 # a filesystem mounted with the --context switch
 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
 #
@@ -1150,6 +1154,102 @@ interface(`files_unmount_all_file_type_fs',`
 	allow $1 file_type:filesystem unmount;
 ')
 
+#############################################
+## <summary>
+##	Manage all configuration directories on filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of domain performing this action
+##	</summary>
+## </param>
+##
+#
+interface(`files_manage_config_dirs',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	manage_dirs_pattern($1, configfile, configfile)
+')
+
+#########################################
+## <summary>
+##	Relabel configuration directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Type of domain performing this action
+##	</summary>
+## </param>
+##
+#
+interface(`files_relabel_config_dirs',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	relabel_dirs_pattern($1, configfile, configfile)
+')
+
+########################################
+## <summary>
+##	Read config files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	allow $1 configfile:dir list_dir_perms;
+	read_files_pattern($1, configfile, configfile)
+	read_lnk_files_pattern($1, configfile, configfile)
+')
+
+###########################################
+## <summary>
+## 	Manage all configuration files on filesystem
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	The type of domain performing this action
+## 	</summary>
+## </param>
+##
+#
+interface(`files_manage_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	manage_files_pattern($1, configfile, configfile)
+')
+
+#######################################
+## <summary>
+##	Relabel configuration files
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Type of domain performing this action
+##	</summary>
+## </param>
+##
+#
+interface(`files_relabel_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	relabel_files_pattern($1, configfile, configfile)
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on all mount points.
@@ -1485,6 +1585,25 @@ interface(`files_boot_filetrans',`
 	filetrans_pattern($1, boot_t, $2, $3)
 ')
 
+########################################
+## <summary>
+##	read files in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_read_boot_files',`
+	gen_require(`
+		type boot_t;
+	')
+
+	manage_files_pattern($1, boot_t, boot_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
@@ -1713,6 +1832,25 @@ interface(`files_dontaudit_list_default',`
 	dontaudit $1 default_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete directories with
+##	the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_default_dirs',`
+	gen_require(`
+		type default_t;
+	')
+
+	manage_dirs_pattern($1, default_t, default_t)
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on a directory with the default file type.
@@ -1787,6 +1925,25 @@ interface(`files_dontaudit_read_default_files',`
 	dontaudit $1 default_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete files with
+##	the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	manage_files_pattern($1, default_t, default_t)
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links with the default file type.
@@ -1913,6 +2070,25 @@ interface(`files_rw_etc_dirs',`
 	allow $1 etc_t:dir rw_dir_perms;
 ')
 
+##########################################
+## <summary>
+## 	Manage generic directories in /etc
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+##
+#
+interface(`files_manage_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	manage_dirs_pattern($1, etc_t, etc_t)
+')
+
 ########################################
 ## <summary>
 ##	Read generic files in /etc.
@@ -2460,7 +2636,7 @@ interface(`files_manage_isid_type_symlinks',`
 
 ########################################
 ## <summary>
-##	Read and write block device nodes on new filesystems 
+##	Read and write block device nodes on new filesystems
 ##	that have not yet been labeled.
 ## </summary>
 ## <param name="domain">
@@ -3390,10 +3566,28 @@ interface(`files_setattr_all_tmp_dirs',`
 	allow $1 tmpfile:dir { search_dir_perms setattr };
 ')
 
+########################################
+## <summary>
+##	List all tmp directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_all_tmp',`
+	gen_require(`
+		attribute tmpfile;
+	')
+
+	allow $1 tmpfile:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
-##	of all tmp files. 
+##	of all tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3412,7 +3606,7 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
 ########################################
 ## <summary>
 ##	Allow attempts to get the attributes
-##	of all tmp files. 
+##	of all tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3431,7 +3625,7 @@ interface(`files_getattr_all_tmp_files',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
-##	of all tmp sock_file. 
+##	of all tmp sock_file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4222,6 +4416,24 @@ interface(`files_list_var_lib',`
 	list_dirs_pattern($1, var_t, var_lib_t)
 ')
 
+###########################################
+## <summary>
+##	Read-write /var/lib directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_var_lib_dirs',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	rw_dirs_pattern($1, var_lib_t, var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Create objects in the /var/lib directory
@@ -4955,7 +5167,7 @@ interface(`files_polyinstantiate_all',`
 	selinux_compute_member($1)
 
 	# Need sys_admin capability for mounting
-	allow $1 self:capability { chown fsetid sys_admin };
+	allow $1 self:capability { chown fsetid sys_admin fowner };
 
 	# Need to give access to the directories to be polyinstantiated
 	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };

policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files, 1.12.0)
+policy_module(files, 1.12.1)
 
 ########################################
 #
@@ -11,6 +11,7 @@ attribute files_unconfined_type;
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
+attribute configfile;
 
 # For labeling types that are to be polyinstantiated
 attribute polydir;
@@ -52,7 +53,7 @@ files_mountpoint(default_t)
 #
 # etc_t is the type of the system etc directories.
 #
-type etc_t;
+type etc_t, configfile;
 files_type(etc_t)
 # compatibility aliases for removed types:
 typealias etc_t alias automount_etc_t;
@@ -219,7 +220,7 @@ fs_associate_tmpfs(tmpfsfile)
 allow files_unconfined_type file_type:{ file chr_file } ~execmod;
 allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
 
-# Mount/unmount any filesystem with the context= option. 
+# Mount/unmount any filesystem with the context= option.
 allow files_unconfined_type file_type:filesystem *;
 
 tunable_policy(`allow_execmod',`

policy/modules/kernel/filesystem.fc

@@ -1 +1 @@
-# This module currently does not have any file contexts.
+/dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)

policy/modules/kernel/filesystem.if

@@ -308,6 +308,26 @@ interface(`fs_rw_anon_inodefs_files',`
 	rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read or write files on
+##	anon_inodefs file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_anon_inodefs_files',`
+	gen_require(`
+		type anon_inodefs_t;
+
+	')
+
+	dontaudit $1 anon_inodefs_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mount an automount pseudo filesystem.
@@ -462,7 +482,7 @@ interface(`fs_manage_autofs_symlinks',`
 ########################################
 ## <summary>
 ##	Get the attributes of directories on
-##	binfmt_misc filesystems. 
+##	binfmt_misc filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1149,6 +1169,44 @@ interface(`fs_cifs_domtrans',`
 	domain_auto_transition_pattern($1, cifs_t, $2)
 ')
 
+#######################################
+## <summary>
+##	Create, read, write, and delete dirs
+##	on a configfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_configfs_dirs',`
+	gen_require(`
+		type configfs_t;
+	')
+
+	manage_dirs_pattern($1, configfs_t, configfs_t)
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a configfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_configfs_files',`
+	gen_require(`
+		type configfs_t;
+	')
+
+	manage_files_pattern($1, configfs_t, configfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Mount a DOS filesystem, such as
@@ -1248,7 +1306,7 @@ interface(`fs_relabelfrom_dos_fs',`
 
 ########################################
 ## <summary>
-##	Search dosfs filesystem. 
+##	Search dosfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1537,7 +1595,25 @@ interface(`fs_rw_hugetlbfs_files',`
 
 ########################################
 ## <summary>
-##	Search inotifyfs filesystem. 
+##	Allow the type to associate to hugetlbfs filesystems.
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type of the object to be associated.
+##	</summary>
+## </param>
+#
+interface(`fs_associate_hugetlbfs',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	allow $1 hugetlbfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Search inotifyfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1555,7 +1631,7 @@ interface(`fs_search_inotifyfs',`
 
 ########################################
 ## <summary>
-##	List inotifyfs filesystem. 
+##	List inotifyfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2540,6 +2616,42 @@ interface(`fs_search_nfsd_fs',`
 	allow $1 nfsd_fs_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	List NFS server directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Getattr files on an nfsd filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_nfsd_files',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write NFS server files.
@@ -2687,7 +2799,7 @@ interface(`fs_dontaudit_search_ramfs',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete 
+##	Create, read, write, and delete
 ##	directories on a ramfs.
 ## </summary>
 ## <param name="domain">
@@ -2779,7 +2891,7 @@ interface(`fs_write_ramfs_pipes',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write to named 
+##	Do not audit attempts to write to named
 ##	pipes on a ramfs filesystem.
 ## </summary>
 ## <param name="domain">
@@ -2816,7 +2928,7 @@ interface(`fs_rw_ramfs_pipes',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete 
+##	Create, read, write, and delete
 ##	named pipes on a ramfs filesystem.
 ## </summary>
 ## <param name="domain">
@@ -3570,6 +3682,104 @@ interface(`fs_manage_tmpfs_blk_files',`
 	manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
+########################################
+## <summary>
+##	Mount a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_xenfs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	allow $1 xenfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_xenfs_dirs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	allow $1 xenfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_xenfs_dirs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	dontaudit $1 xenfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_xenfs_files',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	manage_files_pattern($1, xenfs_t, xenfs_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_xenfs_files',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	dontaudit $1 xenfs_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mount all filesystems.

policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem, 1.12.0)
+policy_module(filesystem, 1.12.1)
 
 ########################################
 #
@@ -38,7 +38,7 @@ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 # types, and label the filesystem itself with the specified context.
 # This is appropriate for pseudo filesystems that represent objects
 # like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.  
+# type as the creating task.
 fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
@@ -93,7 +93,7 @@ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
 type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
-genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
+fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
 
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
@@ -174,6 +174,11 @@ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
 
 allow tmpfs_t noxattrfs:filesystem associate;
 
+type xenfs_t;
+fs_noxattr_type(xenfs_t)
+files_mountpoint(xenfs_t)
+genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
+
 ##############################
 #
 # Filesystems without extended attribute support
@@ -250,7 +255,6 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
 genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
@@ -275,7 +279,7 @@ fs_associate_noxattr(noxattrfs)
 
 allow filesystem_unconfined_type filesystem_type:filesystem *;
 
-# Create/access other files.  fs_type is to pick up various
+# Create/access other files. fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
 allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;

policy/modules/kernel/kernel.if

@@ -1,5 +1,5 @@
 ## <summary>
-##	Policy for kernel threads, proc filesystem, 
+##	Policy for kernel threads, proc filesystem,
 ##	and unlabeled processes and objects.
 ## </summary>
 ## <required val="true">
@@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',`
 		type kernel_t;
 	')
 
-	kernel_domtrans_to($1,$2)
+	kernel_domtrans_to($1, $2)
 
 	ifdef(`enable_mcs',`
 		range_transition kernel_t $2:process $3;
@@ -483,13 +483,32 @@ interface(`kernel_clear_ring_buffer',`
 	allow $1 kernel_t:system syslog_mod;
 ')
 
+########################################
+## <summary>
+##	Allows caller to request the kernel to load a module
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_request_load_module',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:system module_request;
+')
+
 ########################################
 ## <summary>
 ##	Get information on all System V IPC objects.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -939,6 +958,29 @@ interface(`kernel_dontaudit_getattr_core_if',`
 	dontaudit $1 proc_kcore_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Allows caller to read the core kernel interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_core_if',`
+	gen_require(`
+		type proc_t, proc_kcore_t;
+		attribute can_dump_kernel;
+	')
+
+	allow $1 self:capability sys_rawio;
+	read_files_pattern($1, proc_t, proc_kcore_t)
+	list_dirs_pattern($1, proc_t, proc_t)
+
+	typeattribute $1 can_dump_kernel;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to read kernel messages

policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel, 1.11.0)
+policy_module(kernel, 1.11.2)
 
 ########################################
 #
@@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0)
 # assertion related attributes
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
+attribute can_dump_kernel;
 
 neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
 
@@ -37,7 +38,7 @@ ifdef(`enable_mls',`
 #
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
-# 
+#
 type kernel_t, can_load_kernmodule;
 domain_base_type(kernel_t)
 mls_rangetrans_source(kernel_t)
@@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge
 
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;
-neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
+neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 
 type proc_mdstat_t, proc_type;
@@ -248,7 +249,7 @@ corenet_send_all_packets(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
 
-# Mount root file system.  Used when loading a policy
+# Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
 fs_unmount_all_fs(kernel_t)
@@ -275,7 +276,7 @@ mcs_process_set_categories(kernel_t)
 mls_process_read_up(kernel_t)
 mls_process_write_down(kernel_t)
 mls_file_write_all_levels(kernel_t)
-mls_file_read_all_levels(kernel_t) 
+mls_file_read_all_levels(kernel_t)
 
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
@@ -309,7 +310,7 @@ optional_policy(`
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
 	allow kernel_t self:udp_socket create_socket_perms;
 
-	# nfs kernel server needs kernel UDP access.  It is less risky and painful
+	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	corenet_udp_sendrecv_generic_if(kernel_t)
 	corenet_udp_sendrecv_generic_node(kernel_t)
@@ -326,7 +327,7 @@ optional_policy(`
 
 	rpc_manage_nfs_ro_content(kernel_t)
 	rpc_manage_nfs_rw_content(kernel_t)
-	rpc_udp_rw_nfs_sockets(kernel_t) 
+	rpc_udp_rw_nfs_sockets(kernel_t)
 
 	tunable_policy(`nfs_export_all_ro',`
 		fs_getattr_noxattr_fs(kernel_t)
@@ -355,7 +356,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domain(kernel_t)
+	unconfined_domain_noaudit(kernel_t)
 ')
 
 ########################################

policy/modules/kernel/mcs.te

@@ -1,5 +1,5 @@
 
-policy_module(mcs, 1.1.1)
+policy_module(mcs, 1.2.0)
 
 ########################################
 #

policy/modules/kernel/storage.fc

@@ -28,6 +28,7 @@
 /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)

policy/modules/kernel/storage.if

@@ -529,7 +529,7 @@ interface(`storage_dontaudit_read_removable_device',`
 
 	')
 
-	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
+	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
 ')
 
 ########################################

policy/modules/kernel/storage.te

@@ -1,5 +1,5 @@
 
-policy_module(storage, 1.7.0)
+policy_module(storage, 1.7.1)
 
 ########################################
 #
@@ -13,7 +13,7 @@ attribute scsi_generic_write;
 attribute storage_unconfined_type;
 
 #
-# fixed_disk_device_t is the type of 
+# fixed_disk_device_t is the type of
 # /dev/hd* and /dev/sd*.
 #
 type fixed_disk_device_t;

policy/modules/kernel/terminal.fc

@@ -13,6 +13,7 @@
 /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
+/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
 /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)

policy/modules/kernel/terminal.if

@@ -196,7 +196,7 @@ interface(`term_use_all_terms',`
 
 	dev_list_all_dev_nodes($1)
 	allow $1 devpts_t:dir list_dir_perms;
-	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
+	allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
 ')
 
 ########################################
@@ -472,6 +472,24 @@ interface(`term_dontaudit_manage_pty_dirs',`
 	dontaudit $1 devpts_t:dir manage_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of generic pty devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_generic_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dontaudit $1 devpts_t:chr_file getattr;
+')
 ########################################
 ## <summary>
 ##	ioctl of generic pty devices.
@@ -575,6 +593,25 @@ interface(`term_dontaudit_use_generic_ptys',`
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
+#######################################
+## <summary>
+##	Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_setattr_controlling_term',`
+	gen_require(`
+		type devtty_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devtty_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the controlling

policy/modules/kernel/terminal.te

@@ -1,5 +1,5 @@
 
-policy_module(terminal, 1.7.0)
+policy_module(terminal, 1.7.1)
 
 ########################################
 #
@@ -22,7 +22,7 @@ type console_device_t;
 dev_node(console_device_t)
 
 #
-# devpts_t is the type of the devpts file system and 
+# devpts_t is the type of the devpts file system and
 # the type of the root directory of the file system.
 #
 type devpts_t;
@@ -44,6 +44,7 @@ mls_trusted_object(devtty_t)
 type ptmx_t;
 dev_node(ptmx_t)
 mls_trusted_object(ptmx_t)
+allow ptmx_t devpts_t:filesystem associate;
 
 #
 # tty_device_t is the type of /dev/*tty*

policy/modules/services/cron.te

@@ -1,5 +1,5 @@
 
-policy_module(cron, 2.1.2)
+policy_module(cron, 2.2.0)
 
 gen_require(`
 	class passwd rootok;

policy/modules/services/dbus.te

@@ -1,5 +1,5 @@
 
-policy_module(dbus, 1.11.1)
+policy_module(dbus, 1.12.0)
 
 gen_require(`
 	class dbus all_dbus_perms;

policy/modules/services/nscd.te

@@ -1,5 +1,5 @@
 
-policy_module(nscd, 1.9.2)
+policy_module(nscd, 1.10.0)
 
 gen_require(`
 	class nscd all_nscd_perms;

policy/modules/services/openvpn.te

@@ -1,5 +1,5 @@
 
-policy_module(openvpn, 1.8.2)
+policy_module(openvpn, 1.9.0)
 
 ########################################
 #

policy/modules/services/policykit.te

@@ -1,5 +1,5 @@
 
-policy_module(policykit, 1.0.1)
+policy_module(policykit, 1.1.0)
 
 ########################################
 #

policy/modules/services/puppet.fc

@@ -0,0 +1,11 @@
+/etc/puppet(/.*)?			gen_context(system_u:object_r:puppet_etc_t,s0)
+
+/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
+/usr/sbin/puppetd		--	gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/sbin/puppetmasterd		--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/var/lib/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)

policy/modules/services/puppet.if

@@ -0,0 +1,31 @@
+## <summary>Puppet client daemon</summary>
+## <desc>
+##	<p>
+##	Puppet is a configuration management system written in Ruby.
+##	The client daemon is responsible for periodically requesting the
+##	desired system state from the server and ensuring the state of
+##	the client system matches.
+##	</p>
+## </desc>
+
+################################################
+## <summary>
+##	Read / Write to Puppet temp files.  Puppet uses
+##	some system binaries (groupadd, etc) that run in
+##	a non-puppet domain and redirects output into temp
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`puppet_rw_tmp', `
+	gen_require(`
+		type puppet_tmp_t;
+	')
+
+	allow $1 puppet_tmp_t:file rw_file_perms;
+	files_search_tmp($1)
+')

policy/modules/services/puppet.te

@@ -0,0 +1,234 @@
+
+policy_module(puppet, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
+## </desc>
+gen_tunable(puppet_manage_all_files, false)
+
+type puppet_t;
+type puppet_exec_t;
+init_daemon_domain(puppet_t, puppet_exec_t)
+
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
+type puppet_initrc_exec_t;
+init_script_file(puppet_initrc_exec_t)
+
+type puppet_log_t;
+logging_log_file(puppet_log_t)
+
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
+type puppet_var_lib_t;
+files_type(puppet_var_lib_t)
+
+type puppet_var_run_t;
+files_pid_file(puppet_var_run_t)
+
+type puppetmaster_t;
+type puppetmaster_exec_t;
+init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+
+type puppetmaster_initrc_exec_t;
+init_script_file(puppetmaster_initrc_exec_t)
+
+type puppetmaster_tmp_t;
+files_tmp_file(puppetmaster_tmp_t)
+
+########################################
+#
+# Puppet personal policy
+#
+
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+allow puppet_t self:process { signal signull getsched setsched };
+allow puppet_t self:fifo_file rw_fifo_file_perms;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppet_t self:tcp_socket create_stream_socket_perms;
+allow puppet_t self:udp_socket create_socket_perms;
+
+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppet_t)
+
+setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_dontaudit_search_kernel_sysctl(puppet_t)
+kernel_read_system_state(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
+
+corenet_all_recvfrom_netlabel(puppet_t)
+corenet_all_recvfrom_unlabeled(puppet_t)
+corenet_tcp_sendrecv_generic_if(puppet_t)
+corenet_tcp_sendrecv_generic_node(puppet_t)
+corenet_tcp_bind_generic_node(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+corenet_sendrecv_puppet_client_packets(puppet_t)
+
+dev_read_rand(puppet_t)
+dev_read_sysfs(puppet_t)
+dev_read_urand(puppet_t)
+
+domain_read_all_domains_state(puppet_t)
+domain_interactive_fd(puppet_t)
+
+files_manage_config_files(puppet_t)
+files_manage_config_dirs(puppet_t)
+files_manage_etc_dirs(puppet_t)
+files_manage_etc_files(puppet_t)
+files_read_usr_symlinks(puppet_t)
+files_relabel_config_dirs(puppet_t)
+files_relabel_config_files(puppet_t)
+
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_user_ttys(puppet_t)
+
+init_all_labeled_script_domtrans(puppet_t)
+init_domtrans_script(puppet_t)
+init_read_utmp(puppet_t)
+init_signull_script(puppet_t)
+
+logging_send_syslog_msg(puppet_t)
+
+miscfiles_read_hwdata(puppet_t)
+miscfiles_read_localization(puppet_t)
+
+seutil_domtrans_setfiles(puppet_t)
+seutil_domtrans_semanage(puppet_t)
+
+sysnet_dns_name_resolve(puppet_t)
+sysnet_run_ifconfig(puppet_t, system_r)
+
+tunable_policy(`puppet_manage_all_files',`
+	auth_manage_all_files_except_shadow(puppet_t)
+')
+
+optional_policy(`
+	consoletype_domtrans(puppet_t)
+')
+
+optional_policy(`
+	hostname_exec(puppet_t)
+')
+
+optional_policy(`
+	files_rw_var_files(puppet_t)
+
+	rpm_domtrans(puppet_t)
+	rpm_manage_db(puppet_t)
+	rpm_manage_log(puppet_t)
+')
+
+optional_policy(`
+	unconfined_domain(puppet_t)
+')
+
+optional_policy(`
+	usermanage_domtrans_groupadd(puppet_t)
+	usermanage_domtrans_useradd(puppet_t)
+')
+
+########################################
+#
+# Pupper master personal policy
+#
+
+allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetmaster_t self:socket create;
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
+
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
+
+corenet_all_recvfrom_netlabel(puppetmaster_t)
+corenet_all_recvfrom_unlabeled(puppetmaster_t)
+corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+corenet_tcp_bind_generic_node(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+
+dev_read_rand(puppetmaster_t)
+dev_read_urand(puppetmaster_t)
+
+domain_read_all_domains_state(puppetmaster_t)
+
+files_read_etc_files(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
+
+logging_send_syslog_msg(puppetmaster_t)
+
+miscfiles_read_localization(puppetmaster_t)
+
+sysnet_dns_name_resolve(puppetmaster_t)
+sysnet_run_ifconfig(puppetmaster_t, system_r)
+
+optional_policy(`
+	hostname_exec(puppetmaster_t)
+')
+
+optional_policy(`
+	files_read_usr_symlinks(puppetmaster_t)
+
+	rpm_exec(puppetmaster_t)
+	rpm_read_db(puppetmaster_t)
+')

policy/modules/services/tgtd.fc

@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/tgtd		--	gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/sbin/tgtd			--	gen_context(system_u:object_r:tgtd_exec_t,s0)
+/var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)

policy/modules/services/tgtd.if

@@ -0,0 +1,11 @@
+## <summary>Linux Target Framework Daemon.</summary>
+## <desc>
+##	<p>
+##	Linux target framework (tgt) aims to simplify various
+##	SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
+##	and maintenance. Our key goals are the clean integration into
+##	the scsi-mid layer and implementing a great portion of tgt
+##	in user space.
+##	</p>
+## </desc>
+

policy/modules/services/tgtd.te

@@ -0,0 +1,67 @@
+
+policy_module(tgtd, 1.0.0)
+
+########################################
+#
+# TGTD personal declarations.
+#
+
+type tgtd_t;
+type tgtd_exec_t;
+init_daemon_domain(tgtd_t, tgtd_exec_t)
+
+type tgtd_initrc_exec_t;
+init_script_file(tgtd_initrc_exec_t)
+
+type tgtd_tmp_t;
+files_tmp_file(tgtd_tmp_t)
+
+type tgtd_tmpfs_t;
+files_tmpfs_file(tgtd_tmpfs_t)
+
+type tgtd_var_lib_t;
+files_type(tgtd_var_lib_t)
+
+########################################
+#
+# TGTD personal policy.
+#
+
+allow tgtd_t self:capability sys_resource;
+allow tgtd_t self:process { setrlimit signal };
+allow tgtd_t self:fifo_file rw_fifo_file_perms;
+allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:shm create_shm_perms;
+allow tgtd_t self:sem create_sem_perms;
+allow tgtd_t self:tcp_socket create_stream_socket_perms;
+allow tgtd_t self:udp_socket create_socket_perms;
+allow tgtd_t self:unix_dgram_socket create_socket_perms;
+
+manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
+
+manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
+fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
+
+manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
+kernel_read_fs_sysctls(tgtd_t)
+
+corenet_all_recvfrom_netlabel(tgtd_t)
+corenet_all_recvfrom_unlabeled(tgtd_t)
+corenet_tcp_sendrecv_generic_if(tgtd_t)
+corenet_tcp_sendrecv_generic_node(tgtd_t)
+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+corenet_tcp_bind_generic_node(tgtd_t)
+corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_sendrecv_iscsi_server_packets(tgtd_t)
+
+files_read_etc_files(tgtd_t)
+
+storage_getattr_fixed_disk_dev(tgtd_t)
+
+logging_send_syslog_msg(tgtd_t)
+
+miscfiles_read_localization(tgtd_t)

policy/modules/services/virt.te

@@ -1,5 +1,5 @@
 
-policy_module(virt, 1.2.1)
+policy_module(virt, 1.3.0)
 
 ########################################
 #

policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver, 3.2.3)
+policy_module(xserver, 3.3.0)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;

policy/modules/system/application.if

@@ -99,5 +99,23 @@ interface(`application_exec_all',`
 interface(`application_domain',`
 	application_type($1)
 	application_executable_file($2)
-	domain_entry_file($1,$2)
+	domain_entry_file($1, $2)
+')
+
+########################################
+## <summary>
+##	Send signull to all application domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`application_signull',`
+	gen_require(`
+		attribute application_domain_type;
+	')
+
+	allow $1 application_domain_type:process signull;
 ')

policy/modules/system/application.te

@@ -1,5 +1,5 @@
 
-policy_module(application, 1.1.0)
+policy_module(application, 1.1.1)
 
 # Attribute of user applications
 attribute application_domain_type;
@@ -11,3 +11,7 @@ optional_policy(`
 	ssh_sigchld(application_domain_type)
 	ssh_rw_stream_sockets(application_domain_type)
 ')
+
+optional_policy(`
+	sudo_sigchld(application_domain_type)
+')

policy/modules/system/fstools.fc

@@ -6,6 +6,7 @@
 /sbin/dump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/dumpe2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/e2fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/fdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)

policy/modules/system/fstools.te

@@ -1,5 +1,5 @@
 
-policy_module(fstools, 1.13.0)
+policy_module(fstools, 1.13.1)
 
 ########################################
 #
@@ -144,6 +144,7 @@ logging_send_syslog_msg(fsadm_t)
 miscfiles_read_localization(fsadm_t)
 
 modutils_read_module_config(fsadm_t)
+modutils_read_module_deps(fsadm_t)
 
 seutil_read_config(fsadm_t)
 
@@ -177,4 +178,5 @@ optional_policy(`
 
 optional_policy(`
 	xen_append_log(fsadm_t)
+	xen_rw_image_files(fsadm_t)
 ')

policy/modules/system/init.if

@@ -720,6 +720,25 @@ interface(`init_labeled_script_domtrans',`
 	files_search_etc($1)
 ')
 
+#########################################
+## <summary>
+##	Transition to the init script domain
+## 	for all labeled init script types
+## </summary>
+## <param name="domain">
+## 	<summary>
+##		Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`init_all_labeled_script_domtrans',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	init_labeled_script_domtrans($1, init_script_file_type)
+')
+
 ########################################
 ## <summary>
 ##	Start and stop daemon programs directly.

policy/modules/system/init.te

@@ -687,6 +687,10 @@ optional_policy(`
 	postfix_list_spool(initrc_t)
 ')
 
+optional_policy(`
+	puppet_rw_tmp(initrc_t)
+')
+
 optional_policy(`
 	quota_manage_flags(initrc_t)
 ')

policy/modules/system/ipsec.fc

@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+
 /etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
 /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
 /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)

policy/modules/system/ipsec.if

@@ -187,6 +187,31 @@ interface(`ipsec_domtrans_racoon',`
 	domtrans_pattern($1, racoon_exec_t, racoon_t)
 ')
 
+########################################
+## <summary>
+##	Execute racoon and allow the specified role the domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_run_racoon',`
+	gen_require(`
+		type racoon_t;
+	')
+
+	ipsec_domtrans_racoon($1)
+	role $2 types racoon_t;
+')
+
 ########################################
 ## <summary>
 ##	Execute setkey in the setkey domain.

policy/modules/system/ipsec.te

@@ -1,11 +1,18 @@
 
-policy_module(ipsec, 1.10.0)
+policy_module(ipsec, 1.10.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow racoon to read shadow
+## </p>
+## </desc>
+gen_tunable(racoon_read_shadow, false)
+
 type ipsec_t;
 type ipsec_exec_t;
 init_daemon_domain(ipsec_t, ipsec_exec_t)
@@ -15,6 +22,9 @@ role system_r types ipsec_t;
 type ipsec_conf_file_t;
 files_type(ipsec_conf_file_t)
 
+type ipsec_initrc_exec_t;
+init_script_file(ipsec_initrc_exec_t)
+
 # type for file(s) containing ipsec keys - RSA or preshared
 type ipsec_key_file_t;
 files_type(ipsec_key_file_t)
@@ -43,6 +53,9 @@ type racoon_exec_t;
 init_daemon_domain(racoon_t, racoon_exec_t)
 role system_r types racoon_t;
 
+type racoon_tmp_t;
+files_tmp_file(racoon_tmp_t)
+
 type setkey_t;
 type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
@@ -53,21 +66,23 @@ role system_r types setkey_t;
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process { signal setsched };
+allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
 allow ipsec_t self:fifo_file read_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
 
+allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
+
 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
 
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -82,7 +97,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
 # so try flipping back into the ipsec_mgmt_t domain
 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 
 kernel_read_kernel_sysctls(ipsec_t)
@@ -92,6 +107,7 @@ kernel_read_proc_symlinks(ipsec_t)
 kernel_read_system_state(ipsec_t)
 kernel_read_network_state(ipsec_t)
 kernel_read_software_raid_state(ipsec_t)
+kernel_request_load_module(ipsec_t)
 kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
 
@@ -120,7 +136,9 @@ dev_read_urand(ipsec_t)
 
 domain_use_interactive_fds(ipsec_t)
 
+files_list_tmp(ipsec_t)
 files_read_etc_files(ipsec_t)
+files_read_usr_files(ipsec_t)
 
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
@@ -159,7 +177,7 @@ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -280,6 +298,15 @@ allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
+
+can_exec(racoon_t, racoon_exec_t)
+
+can_exec(racoon_t, setkey_exec_t)
 
 # manage pid file
 manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -297,6 +324,9 @@ read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t)
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
+
 corenet_all_recvfrom_unlabeled(racoon_t)
 corenet_tcp_sendrecv_all_if(racoon_t)
 corenet_udp_sendrecv_all_if(racoon_t)
@@ -314,6 +344,8 @@ domain_ipsec_setcontext_all_domains(racoon_t)
 
 files_read_etc_files(racoon_t)
 
+fs_dontaudit_getattr_xattr_fs(racoon_t)
+
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
@@ -328,6 +360,13 @@ logging_send_audit_msgs(racoon_t)
 
 miscfiles_read_localization(racoon_t)
 
+sysnet_exec_ifconfig(racoon_t)
+
+auth_can_read_shadow_passwords(racoon_t)
+tunable_policy(`racoon_read_shadow',`
+	auth_tunable_read_shadow(racoon_t)
+')
+
 ########################################
 #
 # Setkey local policy

policy/modules/system/iptables.fc

@@ -1,7 +1,13 @@
-/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 
-/usr/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)

policy/modules/system/iptables.if

@@ -69,3 +69,99 @@ interface(`iptables_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, iptables_exec_t)
 ')
+
+#####################################
+## <summary>
+##	Execute iptables in the iptables domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`iptables_initrc_domtrans',`
+	gen_require(`
+		type iptables_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+##	Set the attributes of iptables config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_setattr_config',`
+	gen_require(`
+		type iptables_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 iptables_conf_t:file setattr;
+')
+
+#####################################
+## <summary>
+##	Read iptables config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_read_config',`
+	gen_require(`
+		type iptables_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 iptables_conf_t:dir list_dir_perms;
+	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
+')
+
+#####################################
+## <summary>
+##	Create files in /etc with the type used for
+##	the iptables config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`iptables_etc_filetrans_config',`
+	gen_require(`
+		type iptables_conf_t;
+	')
+
+	files_etc_filetrans($1, iptables_conf_t, file)
+')
+
+###################################
+## <summary>
+##	Manage iptables config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_manage_config',`
+	gen_require(`
+		type iptables_conf_t;
+		type etc_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
+')

policy/modules/system/iptables.te

@@ -1,5 +1,5 @@
 
-policy_module(iptables, 1.9.1)
+policy_module(iptables, 1.10.1)
 
 ########################################
 #
@@ -11,6 +11,12 @@ type iptables_exec_t;
 init_system_domain(iptables_t, iptables_exec_t)
 role system_r types iptables_t;
 
+type iptables_initrc_exec_t;
+init_script_file(iptables_initrc_exec_t)
+
+type iptables_conf_t;
+files_config_file(iptables_conf_t)
+
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
@@ -27,6 +33,9 @@ dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:rawip_socket create_socket_perms;
 
+manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
+files_etc_filetrans(iptables_t, iptables_conf_t, file)
+
 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
 files_pid_filetrans(iptables_t, iptables_var_run_t, file)
 
@@ -36,6 +45,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
+kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
 kernel_read_kernel_sysctls(iptables_t)
@@ -99,6 +109,10 @@ optional_policy(`
 	ppp_dontaudit_use_fds(iptables_t)
 ')
 
+optional_policy(`
+	psad_rw_tmp_files(iptables_t)
+')
+
 optional_policy(`
 	rhgb_dontaudit_use_ptys(iptables_t)
 ')

policy/modules/system/iscsi.if

@@ -17,3 +17,42 @@ interface(`iscsid_domtrans',`
 
 	domtrans_pattern($1, iscsid_exec_t, iscsid_t)
 ')
+
+########################################
+## <summary>
+##	Connect to ISCSI using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`iscsi_stream_connect',`
+	gen_require(`
+		type iscsid_t, iscsi_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
+')
+
+########################################
+## <summary>
+##	Read iscsi lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iscsi_read_lib_files',`
+	gen_require(`
+		type iscsi_var_lib_t;
+	')
+
+	read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
+	allow $1 iscsi_var_lib_t:dir list_dir_perms;
+	files_search_var_lib($1)
+')

policy/modules/system/iscsi.te

@@ -1,5 +1,5 @@
 
-policy_module(iscsi, 1.6.0)
+policy_module(iscsi, 1.6.1)
 
 ########################################
 #
@@ -55,6 +55,7 @@ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
 files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
 
 kernel_read_system_state(iscsid_t)
+kernel_search_debugfs(iscsid_t)
 
 corenet_all_recvfrom_unlabeled(iscsid_t)
 corenet_all_recvfrom_netlabel(iscsid_t)
@@ -73,6 +74,6 @@ files_read_etc_files(iscsid_t)
 
 logging_send_syslog_msg(iscsid_t)
 
-miscfiles_read_localization(iscsid_t)
+auth_use_nsswitch(iscsid_t)
 
-sysnet_dns_name_resolve(iscsid_t)
+miscfiles_read_localization(iscsid_t)

policy/modules/system/kdump.te

@@ -1,5 +1,5 @@
 
-policy_module(kdump, 1.0.0)
+policy_module(kdump, 1.0.1)
 
 #######################################
 #
@@ -29,6 +29,7 @@ files_read_etc_runtime_files(kdump_t)
 files_read_kernel_img(kdump_t)
 
 kernel_read_system_state(kdump_t)
+kernel_read_core_if(kdump_t)
 
 dev_read_framebuffer(kdump_t)
 dev_read_sysfs(kdump_t)

policy/modules/system/libraries.te

@@ -1,5 +1,5 @@
 
-policy_module(libraries, 2.5.1)
+policy_module(libraries, 2.6.0)
 
 ########################################
 #
@@ -117,6 +117,10 @@ optional_policy(`
 	apt_use_ptys(ldconfig_t)
 ')
 
+optional_policy(`
+	puppet_rw_tmp(ldconfig_t)
+')
+
 optional_policy(`
 	# When you install a kernel the postinstall builds a initrd image in tmp 
 	# and executes ldconfig on it. If you dont allow this kernel installs 

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging, 1.14.1)
+policy_module(logging, 1.15.0)
 
 ########################################
 #

policy/modules/system/lvm.if

@@ -19,6 +19,25 @@ interface(`lvm_domtrans',`
 	domtrans_pattern($1, lvm_exec_t, lvm_t)
 ')
 
+########################################
+## <summary>
+##	Execute lvm programs in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`lvm_exec',`
+	gen_require(`
+		type lvm_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1, lvm_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute lvm programs in the lvm domain.
@@ -85,3 +104,22 @@ interface(`lvm_manage_config',`
 	manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
 	manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
 ')
+
+######################################
+## <summary>
+##	Execute a domain transition to run clvmd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lvm_domtrans_clvmd',`
+	gen_require(`
+		type clvmd_t, clvmd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
+')

policy/modules/system/lvm.te

@@ -1,5 +1,5 @@
 
-policy_module(lvm, 1.11.0)
+policy_module(lvm, 1.11.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type clvmd_t;
 type clvmd_exec_t;
 init_daemon_domain(clvmd_t, clvmd_exec_t)
 
+type clvmd_initrc_exec_t;
+init_script_file(clvmd_initrc_exec_t)
+
 type clvmd_var_run_t;
 files_pid_file(clvmd_var_run_t)
 
@@ -102,6 +105,7 @@ fs_getattr_all_fs(clvmd_t)
 fs_search_auto_mountpoints(clvmd_t)
 fs_dontaudit_list_tmpfs(clvmd_t)
 fs_dontaudit_read_removable_files(clvmd_t)
+fs_rw_anon_inodefs_files(clvmd_t)
 
 storage_dontaudit_getattr_removable_dev(clvmd_t)
 storage_manage_fixed_disk(clvmd_t)
@@ -168,7 +172,7 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
 allow lvm_t self:file rw_file_perms;
-allow lvm_t self:fifo_file rw_fifo_file_perms;
+allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
 
@@ -192,12 +196,12 @@ files_lock_filetrans(lvm_t, lvm_lock_t, file)
 
 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
 manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-files_var_lib_filetrans(lvm_t, lvm_var_lib_t,{ dir file })
+files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
 
 manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
 manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
 manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-files_pid_filetrans(lvm_t, lvm_var_run_t,{ file sock_file })
+files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
 
 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
@@ -214,6 +218,7 @@ kernel_read_kernel_sysctls(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
+kernel_search_debugfs(lvm_t)
 
 corecmd_exec_bin(lvm_t)
 corecmd_exec_shell(lvm_t)
@@ -255,6 +260,10 @@ fs_list_tmpfs(lvm_t)
 fs_read_tmpfs_symlinks(lvm_t)
 fs_dontaudit_read_removable_files(lvm_t)
 fs_dontaudit_getattr_tmpfs_files(lvm_t)
+fs_rw_anon_inodefs_files(lvm_t)
+
+mls_file_read_all_levels(lvm_t)
+mls_file_write_to_clearance(lvm_t)
 
 selinux_get_fs_mount(lvm_t)
 selinux_validate_context(lvm_t)
@@ -274,9 +283,12 @@ storage_dev_filetrans_fixed_disk(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
 
+term_use_all_terms(lvm_t)
+
 init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
+init_read_script_state(lvm_t)
 
 logging_send_syslog_msg(lvm_t)
 
@@ -313,7 +325,9 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(lvm_t)
 
-	hal_dbus_chat(lvm_t)
+	optional_policy(`
+		hal_dbus_chat(lvm_t)
+	')
 ')
 
 optional_policy(`
@@ -328,6 +342,10 @@ optional_policy(`
 	udev_read_db(lvm_t)
 ')
 
+optional_policy(`
+	virt_manage_images(lvm_t)
+')
+
 optional_policy(`
 	xen_append_log(lvm_t)
 	xen_dontaudit_rw_unix_stream_sockets(lvm_t)

policy/modules/system/miscfiles.if

@@ -85,6 +85,45 @@ interface(`miscfiles_read_fonts',`
 	read_lnk_files_pattern($1, fonts_t, fonts_t)
 ')
 
+########################################
+## <summary>
+##	Set the attributes on a fonts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_setattr_fonts_dirs',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	allow $1 fonts_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	on a fonts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	dontaudit $1 fonts_t:dir setattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to write fonts.
@@ -253,6 +292,25 @@ interface(`miscfiles_legacy_read_localization',`
 	allow $1 locale_t:file execute;
 ')
 
+########################################
+## <summary>
+##	Search man pages.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_search_man_pages',`
+	gen_require(`
+		type man_t;
+	')
+
+	allow $1 man_t:dir search_dir_perms;
+	files_search_usr($1)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search man pages.
@@ -268,7 +326,7 @@ interface(`miscfiles_dontaudit_search_man_pages',`
 		type man_t;
 	')
 
-	dontaudit $1 man_t:dir search;
+	dontaudit $1 man_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -358,8 +416,8 @@ interface(`miscfiles_read_public_files',`
 	')
 
 	allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
-	read_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
-	read_lnk_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
+	read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
+	read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
 ')
 
 ########################################

policy/modules/system/miscfiles.te

@@ -1,5 +1,5 @@
 
-policy_module(miscfiles, 1.7.0)
+policy_module(miscfiles, 1.7.1)
 
 ########################################
 #

policy/modules/system/modutils.fc

@@ -1,6 +1,7 @@
 
 /etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 /etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
+/etc/modprobe\.d(/.*)?		gen_context(system_u:object_r:modules_conf_t,s0)
 
 ifdef(`distro_gentoo',`
 # gentoo init scripts still manage this file

policy/modules/system/modutils.if

@@ -1,5 +1,23 @@
 ## <summary>Policy for kernel module utilities</summary>
 
+######################################
+## <summary>
+##	Getattr the dependencies of kernel modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_getattr_module_deps',`
+	gen_require(`
+		type modules_dep_t;
+	')
+
+	getattr_files_pattern($1, modules_object_t, modules_dep_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the dependencies of kernel modules.
@@ -41,8 +59,8 @@ interface(`modutils_read_module_config',`
 	files_search_etc($1)
 	files_search_boot($1)
 
-	allow $1 modules_conf_t:file read_file_perms;
-	allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
+	read_files_pattern($1, modules_conf_t, modules_conf_t)
+	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 
 ########################################
@@ -61,7 +79,7 @@ interface(`modutils_rename_module_config',`
 		type modules_conf_t;
 	')
 
-	allow $1 modules_conf_t:file rename_file_perms;
+	rename_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 
 ########################################
@@ -80,7 +98,26 @@ interface(`modutils_delete_module_config',`
 		type modules_conf_t;
 	')
 
-	allow $1 modules_conf_t:file unlink;
+	delete_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+##	Manage files with the configuration options used when
+##	loading modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_manage_module_config',`
+	gen_require(`
+		type modules_conf_t;
+	')
+
+	manage_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 
 ########################################

policy/modules/system/modutils.te

@@ -1,5 +1,5 @@
 
-policy_module(modutils, 1.9.0)
+policy_module(modutils, 1.9.1)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -45,7 +45,7 @@ files_tmp_file(update_modules_tmp_t)
 can_exec(depmod_t, depmod_exec_t)
 
 # Read conf.modules.
-allow depmod_t modules_conf_t:file read_file_perms;
+read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
 
 allow depmod_t modules_dep_t:file manage_file_perms;
 files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
@@ -82,8 +82,22 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(depmod_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(depmod_t)
+')
+
 optional_policy(`
 	rpm_rw_pipes(depmod_t)
+	rpm_manage_script_tmp_files(depmod_t)
+')
+
+optional_policy(`
+	# Read System.map from home directories.
+	unconfined_domain(depmod_t)
 ')
 
 ########################################
@@ -91,19 +105,23 @@ optional_policy(`
 # insmod local policy
 #
 
-allow insmod_t self:capability { dac_override net_raw sys_tty_config };
+allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 
-allow insmod_t self:udp_socket create_socket_perms; 
-allow insmod_t self:rawip_socket create_socket_perms; 
+allow insmod_t self:udp_socket create_socket_perms;
+allow insmod_t self:rawip_socket create_socket_perms;
 
 # Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms;
+list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
+read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
 
 can_exec(insmod_t, insmod_exec_t)
 
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
+kernel_read_network_state(insmod_t)
 kernel_write_proc_files(insmod_t)
 kernel_mount_debugfs(insmod_t)
 kernel_mount_kvmfs(insmod_t)
@@ -112,6 +130,7 @@ kernel_read_debugfs(insmod_t)
 kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctls(insmod_t)
+kernel_setsched(insmod_t)
 
 corecmd_exec_bin(insmod_t)
 corecmd_exec_shell(insmod_t)
@@ -124,9 +143,6 @@ dev_rw_agp(insmod_t)
 dev_read_sound(insmod_t)
 dev_write_sound(insmod_t)
 dev_rw_apm_bios(insmod_t)
-# cjp: why is this needed?  insmod cannot mounton any dir
-# and it also transitions to mount
-dev_mount_usbfs(insmod_t)
 
 domain_signal_all_domains(insmod_t)
 domain_use_interactive_fds(insmod_t)
@@ -159,16 +175,25 @@ seutil_read_file_contexts(insmod_t)
 
 userdom_use_user_terminals(insmod_t)
 
-ifdef(`distro_ubuntu',`
-	optional_policy(`
-		unconfined_domain(insmod_t)
-	')
-')
+userdom_dontaudit_search_user_home_dirs(insmod_t)
 
 if( ! secure_mode_insmod ) {
 	kernel_domtrans_to(insmod_t, insmod_exec_t)
 }
 
+optional_policy(`
+	alsa_domtrans(insmod_t)
+')
+
+optional_policy(`
+	firstboot_dontaudit_rw_pipes(insmod_t)
+	firstboot_dontaudit_rw_stream_sockets(insmod_t)
+')
+
+optional_policy(`
+	hal_write_log(insmod_t)
+')
+
 optional_policy(`
 	hotplug_search_config(insmod_t)
 ')
@@ -205,7 +230,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_dontaudit_rw_pipes(insmod_t)
+	unconfined_domain(insmod_t)
 ')
 
 optional_policy(`
@@ -228,7 +253,7 @@ can_exec(update_modules_t, insmod_exec_t)
 can_exec(update_modules_t, update_modules_exec_t)
 
 # manage module loading configuration
-allow update_modules_t modules_conf_t:file manage_file_perms;
+manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
 files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
 files_etc_filetrans(update_modules_t, modules_conf_t, file)
 

policy/modules/system/raid.fc

@@ -1,3 +1,4 @@
+/dev/.mdadm.map		--	gen_context(system_u:object_r:mdadm_map_t,s0)
 
 /sbin/mdadm		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /sbin/mdmpd		--	gen_context(system_u:object_r:mdadm_exec_t,s0)

policy/modules/system/raid.te

@@ -1,5 +1,5 @@
 
-policy_module(raid, 1.9.0)
+policy_module(raid, 1.9.1)
 
 ########################################
 #
@@ -11,6 +11,9 @@ type mdadm_exec_t;
 init_daemon_domain(mdadm_t, mdadm_exec_t)
 role system_r types mdadm_t;
 
+type mdadm_map_t;
+files_type(mdadm_map_t)
+
 type mdadm_var_run_t;
 files_pid_file(mdadm_var_run_t)
 
@@ -24,6 +27,10 @@ dontaudit mdadm_t self:capability sys_tty_config;
 allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
 
+# create .mdadm files in /dev
+allow mdadm_t mdadm_map_t:file manage_file_perms;
+dev_filetrans(mdadm_t, mdadm_map_t, file)
+
 manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
 

policy/modules/system/setrans.if

@@ -1,5 +1,24 @@
 ## <summary>SELinux MLS/MCS label translation service.</summary>
 
+########################################
+## <summary>
+##	Execute setrans server in the setrans domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`setrans_initrc_domtrans',`
+	gen_require(`
+		type setrans_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, setrans_initrc_exec_t)
+')
+
 #######################################
 ## <summary>
 ##	Allow a domain to translate contexts.

policy/modules/system/setrans.te

@@ -1,5 +1,5 @@
 
-policy_module(setrans, 1.6.0)
+policy_module(setrans, 1.6.1)
 
 gen_require(`
 	class context contains;

policy/modules/system/udev.fc

@@ -6,8 +6,11 @@
 
 /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
+/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
+/lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
+
 /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
 /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)

policy/modules/system/udev.if

@@ -1,5 +1,23 @@
 ## <summary>Policy for udev.</summary>
 
+########################################
+## <summary>
+##	Send generic signals to udev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_signal',`
+	gen_require(`
+		type udev_t;
+	')
+
+	allow $1 udev_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Execute udev in the udev domain.
@@ -169,3 +187,23 @@ interface(`udev_rw_db',`
 	dev_list_all_dev_nodes($1)
 	allow $1 udev_tbl_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	udev pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_manage_pid_files',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+')

policy/modules/system/udev.te

@@ -1,5 +1,5 @@
 
-policy_module(udev, 1.11.0)
+policy_module(udev, 1.11.1)
 
 ########################################
 #
@@ -66,9 +66,11 @@ dev_filetrans(udev_t, udev_tbl_t, file)
 
 manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 
 kernel_read_system_state(udev_t)
+kernel_request_load_module(udev_t)
 kernel_getattr_core_if(udev_t)
 kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
@@ -99,7 +101,7 @@ dev_relabel_all_dev_nodes(udev_t)
 dev_relabel_generic_symlinks(udev_t)
 
 domain_read_all_domains_state(udev_t)
-domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
+domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
@@ -111,6 +113,7 @@ files_search_mnt(udev_t)
 
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
+fs_rw_anon_inodefs_files(udev_t)
 
 mcs_ptrace_all(udev_t)
 
@@ -140,6 +143,7 @@ logging_send_syslog_msg(udev_t)
 logging_send_audit_msgs(udev_t)
 
 miscfiles_read_localization(udev_t)
+miscfiles_read_hwdata(udev_t)
 
 modutils_domtrans_insmod(udev_t)
 # read modules.inputmap:
@@ -193,6 +197,10 @@ optional_policy(`
 	alsa_read_rw_config(udev_t)
 ')
 
+optional_policy(`
+	bluetooth_domtrans(udev_t)
+')
+
 optional_policy(`
 	brctl_domtrans(udev_t)
 ')
@@ -205,10 +213,19 @@ optional_policy(`
 	consoletype_exec(udev_t)
 ')
 
+optional_policy(`
+	cups_domtrans_config(udev_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(udev_t)
 ')
 
+optional_policy(`
+	devicekit_read_pid_files(udev_t)
+	devicekit_dgram_send(udev_t)
+')
+
 optional_policy(`
 	lvm_domtrans(udev_t)
 ')
@@ -227,6 +244,10 @@ optional_policy(`
 	hotplug_search_pids(udev_t)
 ')
 
+optional_policy(`
+	mount_domtrans(udev_t)
+')
+
 optional_policy(`
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
@@ -241,6 +262,14 @@ optional_policy(`
 	raid_domtrans_mdadm(udev_t)
 ')
 
+optional_policy(`
+	unconfined_signal(udev_t)
+')
+
+optional_policy(`
+	vbetool_domtrans(udev_t)
+')
+
 optional_policy(`
 	kernel_write_xen_state(udev_t)
 	kernel_read_xen_state(udev_t)

policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined, 3.0.1)
+policy_module(unconfined, 3.1.0)
 
 ########################################
 #

policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain, 4.2.4)
+policy_module(userdomain, 4.3.0)
 
 ########################################
 #

policy/modules/system/xen.fc

@@ -2,6 +2,8 @@
 
 /usr/bin/virsh		--	gen_context(system_u:object_r:xm_exec_t,s0)
 
+/usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
+
 ifdef(`distro_debian',`
 /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
 /usr/lib/xen-[^/]*/bin/xend --	gen_context(system_u:object_r:xend_exec_t,s0)
@@ -19,14 +21,18 @@ ifdef(`distro_debian',`
 /var/lib/xend(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_lib_t,s0)
 
+/var/log/evtchnd\.log	--	gen_context(system_u:object_r:evtchnd_var_log_t,s0)
 /var/log/xen(/.*)?		gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xen-hotplug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend\.log	--	gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend-debug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
 
+/var/run/evtchnd	-s	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+/var/run/evtchnd\.pid	--	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
 /var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
 /var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xend\.pid	--	gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenner(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 

policy/modules/system/xen.if

@@ -71,7 +71,30 @@ interface(`xen_read_image_files',`
 	')
 
 	files_list_var_lib($1)
-	read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)
+
+	list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+	read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write
+##	xend image files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`xen_rw_image_files',`
+	gen_require(`
+		type xen_image_t, xend_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	allow $1 xend_var_lib_t:dir search_dir_perms;
+	rw_files_pattern($1, xen_image_t, xen_image_t)
 ')
 
 ########################################
@@ -167,11 +190,14 @@ interface(`xen_stream_connect_xenstore',`
 #
 interface(`xen_stream_connect',`
 	gen_require(`
-		type xend_t, xend_var_run_t;
+		type xend_t, xend_var_run_t, xend_var_lib_t;
 	')
 
 	files_search_pids($1)
 	stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
+
+	files_search_var_lib($1)
+	stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
 ')
 
 ########################################