trunk: 21 patches from dan.

policy/modules/services/apcupsd.fc

@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
 ifdef(`distro_debian',`
 /sbin/apcupsd			--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 ')

policy/modules/services/apcupsd.if

@@ -97,3 +97,48 @@ interface(`apcupsd_cgi_script_domtrans',`
 
 	domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an apcupsd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the apcupsd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_admin',`
+	gen_require(`
+		type apcupsd_t,  apcupsd_tmp_t;
+		type apcupsd_log_t, apcupsd_lock_t;
+		type apcupsd_var_run_t, apcupsd_initrc_exec_t;
+	')
+
+	allow $1 apcupsd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, apcupsd_t)
+
+	init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 apcupsd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var($1)
+	admin_pattern($1, apcupsd_lock_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, apcupsd_log_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, apcupsd_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, apcupsd_var_run_t)
+')

policy/modules/services/apcupsd.te

@@ -1,5 +1,5 @@
 
-policy_module(apcupsd, 1.3.1)
+policy_module(apcupsd, 1.3.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(apcupsd_t, apcupsd_exec_t)
 type apcupsd_lock_t;
 files_lock_file(apcupsd_lock_t)
 
+type apcupsd_initrc_exec_t;
+init_script_file(apcupsd_initrc_exec_t)
+
 type apcupsd_log_t;
 logging_log_file(apcupsd_log_t)
 
@@ -86,12 +89,18 @@ logging_send_syslog_msg(apcupsd_t)
 
 miscfiles_read_localization(apcupsd_t)
 
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_unpriv_users_ttys(apcupsd_t)
+userdom_use_unpriv_users_ptys(apcupsd_t)
+
 optional_policy(`
 	hostname_exec(apcupsd_t)
 ')
 
 optional_policy(`
 	mta_send_mail(apcupsd_t)
+	mta_system_content(apcupsd_tmp_t)
 ')
 
 ########################################

policy/modules/services/bitlbee.fc

@@ -1,3 +1,6 @@
-/usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/etc/rc\.d/init\.d/bitlbee --	gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
 /etc/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_conf_t,s0)
+
+/usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
+
 /var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)

policy/modules/services/bitlbee.if

@@ -20,3 +20,40 @@ interface(`bitlbee_read_config',`
 	allow $1 bitlbee_conf_t:file { read getattr };
 ')
 
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an bitlbee environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the bitlbee domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bitlbee_admin',`
+	gen_require(`
+		type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
+		type bitlbee_initrc_exec_t;
+	')
+
+	allow $1 bitlbee_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitlbee_t)
+
+	init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitlbee_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, bitlbee_conf_t)
+
+	files_list_var($1)
+	admin_pattern($1, bitlbee_var_t)
+')

policy/modules/services/bitlbee.te

@@ -1,5 +1,5 @@
 
-policy_module(bitlbee, 1.0.0)
+policy_module(bitlbee, 1.0.1)
 
 ########################################
 #
@@ -14,6 +14,12 @@ inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
 type bitlbee_conf_t;
 files_config_file(bitlbee_conf_t)
 
+type bitlbee_initrc_exec_t;
+init_script_file(bitlbee_initrc_exec_t)
+
+type bitlbee_tmp_t;
+files_tmp_file(bitlbee_tmp_t)
+
 type bitlbee_var_t;
 files_type(bitlbee_var_t)
 
@@ -26,9 +32,15 @@ files_type(bitlbee_var_t)
 allow bitlbee_t self:udp_socket create_socket_perms;
 allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
 allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+allow bitlbee_t self:process signal;
 
 bitlbee_read_config(bitlbee_t)
 
+# tmp files
+manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
+
 # user account information is read and edited at runtime; give the usual
 # r/w access to bitlbee_var_t
 manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
@@ -54,6 +66,9 @@ corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
 corenet_tcp_connect_msnp_port(bitlbee_t)
 corenet_tcp_sendrecv_msnp_port(bitlbee_t)
 
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
+
 files_read_etc_files(bitlbee_t)
 files_search_pids(bitlbee_t)
 # grant read-only access to the user help files
@@ -62,6 +77,8 @@ files_read_usr_files(bitlbee_t)
 libs_legacy_use_shared_libs(bitlbee_t)
 libs_use_ld_so(bitlbee_t)
 
+miscfiles_read_localization(bitlbee_t)
+
 sysnet_dns_name_resolve(bitlbee_t)
 
 optional_policy(`

policy/modules/services/canna.fc

@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/canna --	gen_context(system_u:object_r:canna_initrc_exec_t,s0)
 
 #
 # /usr

policy/modules/services/canna.if

@@ -18,3 +18,44 @@ interface(`canna_stream_connect',`
 	files_search_pids($1)
 	stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an canna environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the canna domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`canna_admin',`
+	gen_require(`
+		type canna_t, canna_log_t, canna_var_lib_t;
+		type canna_var_run_t, canna_initrc_exec_t;
+	')
+
+	allow $1 canna_t:process { ptrace signal_perms };
+	ps_process_pattern($1, canna_t)
+
+	init_labeled_script_domtrans($1, canna_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 canna_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_list_logs($1)
+	admin_pattern($1, canna_log_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, canna_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, canna_var_run_t)
+')

policy/modules/services/canna.te

@@ -1,5 +1,5 @@
 
-policy_module(canna, 1.7.0)
+policy_module(canna, 1.7.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type canna_t;
 type canna_exec_t;
 init_daemon_domain(canna_t, canna_exec_t)
 
+type canna_initrc_exec_t;
+init_script_file(canna_initrc_exec_t)
+
 type canna_log_t;
 logging_log_file(canna_log_t)
 

policy/modules/services/ddclient.fc

@@ -1,5 +1,6 @@
 /etc/ddclient\.conf	--	gen_context(system_u:object_r:ddclient_etc_t,s0)
 /etc/ddtcd\.conf	--	gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/rc\.d/init\.d/ddclient --	gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
 
 /usr/sbin/ddclient	--	gen_context(system_u:object_r:ddclient_exec_t,s0)
 /usr/sbin/ddtcd		--	gen_context(system_u:object_r:ddclient_exec_t,s0)

policy/modules/services/ddclient.if

@@ -18,3 +18,51 @@ interface(`ddclient_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, ddclient_exec_t, ddclient_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ddclient environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the ddclient domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_admin',`
+	gen_require(`
+		type ddclient_t, ddclient_etc_t, ddclient_log_t;
+		type ddclient_var_t, ddclient_var_lib_t;
+		type ddclient_var_run_t, ddclient_initrc_exec_t;
+	')
+
+	allow $1 ddclient_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ddclient_t)
+
+	init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ddclient_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, ddclient_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, ddclient_log_t)
+
+	files_list_var($1)
+	admin_pattern($1, ddclient_var_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, ddclient_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, ddclient_var_run_t)
+')

policy/modules/services/ddclient.te

@@ -1,5 +1,5 @@
 
-policy_module(ddclient, 1.5.0)
+policy_module(ddclient, 1.5.1)
 
 ########################################
 #
@@ -11,7 +11,10 @@ type ddclient_exec_t;
 init_daemon_domain(ddclient_t, ddclient_exec_t)
 
 type ddclient_etc_t;
-files_type(ddclient_etc_t)
+files_config_file(ddclient_etc_t)
+
+type ddclient_initrc_exec_t;
+init_script_file(ddclient_initrc_exec_t)
 
 type ddclient_log_t;
 logging_log_file(ddclient_log_t)

policy/modules/services/dictd.fc

@@ -1,6 +1,9 @@
+/etc/rc\.d/init\.d/dictd --	gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
 
 /etc/dictd\.conf	--	gen_context(system_u:object_r:dictd_etc_t,s0)
 
 /usr/sbin/dictd		--	gen_context(system_u:object_r:dictd_exec_t,s0)
 
 /var/lib/dictd(/.*)?		gen_context(system_u:object_r:dictd_var_lib_t,s0)
+
+/var/run/dictd\.pid	--	gen_context(system_u:object_r:dictd_var_run_t,s0)

policy/modules/services/dictd.if

@@ -14,3 +14,44 @@
 interface(`dictd_tcp_connect',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an dictd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the dictd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dictd_admin',`
+	gen_require(`
+		type dictd_t, dictd_etc_t, dictd_var_lib_t;
+		type dictd_var_run_t, dictd_initrc_exec_t;
+	')
+
+	allow $1 dictd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dictd_t)
+
+	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 dictd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, dictd_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, dictd_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, dictd_var_run_t)
+')

policy/modules/services/dictd.te

@@ -1,5 +1,5 @@
 
-policy_module(dictd, 1.5.0)
+policy_module(dictd, 1.5.1)
 
 ########################################
 #
@@ -13,9 +13,15 @@ init_daemon_domain(dictd_t, dictd_exec_t)
 type dictd_etc_t;
 files_config_file(dictd_etc_t)
 
+type dictd_initrc_exec_t;
+init_script_file(dictd_initrc_exec_t)
+
 type dictd_var_lib_t alias var_lib_dictd_t;
 files_type(dictd_var_lib_t)
 
+type dictd_var_run_t;
+files_pid_file(dictd_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -34,6 +40,9 @@ files_search_etc(dictd_t)
 allow dictd_t dictd_var_lib_t:dir list_dir_perms;
 allow dictd_t dictd_var_lib_t:file read_file_perms;
 
+manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
+files_pid_filetrans(dictd_t, dictd_var_run_t, file)
+
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
 

policy/modules/services/fail2ban.fc

@@ -3,5 +3,4 @@
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
-/var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
-/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban.*		gen_context(system_u:object_r:fail2ban_var_run_t,s0)

policy/modules/services/fail2ban.if

@@ -78,3 +78,41 @@ interface(`fail2ban_read_pid_files',`
 	files_search_pids($1)
 	allow $1 fail2ban_var_run_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an fail2ban environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the fail2ban domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_admin',`
+	gen_require(`
+		type fail2ban_t, fail2ban_log_t;
+		type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+	')
+
+	allow $1 fail2ban_t:process { ptrace signal_perms };
+	ps_process_pattern($1, fail2ban_t)
+
+	init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 fail2ban_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_list_logs($1)
+	admin_pattern($1, fail2ban_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, fail2ban_var_run_t)
+')

policy/modules/services/fail2ban.te

@@ -1,5 +1,5 @@
 
-policy_module(fail2ban, 1.1.1)
+policy_module(fail2ban, 1.1.2)
 
 ########################################
 #
@@ -37,9 +37,10 @@ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
 
 # pid file
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(fail2ban_t)
 

policy/modules/services/inn.fc

@@ -4,6 +4,7 @@
 #
 /etc/news(/.*)?				gen_context(system_u:object_r:innd_etc_t,s0)
 /etc/news/boot		--		gen_context(system_u:object_r:innd_exec_t,s0)
+/etc/rc\.d/init\.d/innd	--		gen_context(system_u:object_r:innd_initrc_exec_t,s0)
 
 #
 # /usr

policy/modules/services/inn.if

@@ -54,8 +54,7 @@ interface(`inn_manage_log',`
 	')
 
 	logging_rw_generic_log_dirs($1)
-	allow $1 innd_log_t:dir search;
-	allow $1 innd_log_t:file manage_file_perms;
+	manage_files_pattern($1, innd_log_t, innd_log_t)
 ')
 
 ########################################
@@ -176,3 +175,51 @@ interface(`inn_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, innd_exec_t, innd_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an inn environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the inn domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`inn_admin',`
+	gen_require(`
+		type innd_t, innd_etc_t, innd_log_t;
+		type news_spool_t, innd_var_lib_t;
+		type innd_var_run_t, innd_initrc_exec_t;
+	')
+
+	allow $1 innd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, innd_t)
+
+	init_labeled_script_domtrans($1, innd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 innd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, innd_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, innd_log_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, innd_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, innd_var_run_t)
+
+	files_list_spool($1)
+	admin_pattern($1, news_spool_t)
+')

policy/modules/services/inn.te

@@ -1,5 +1,5 @@
 
-policy_module(inn, 1.6.0)
+policy_module(inn, 1.6.1)
 
 ########################################
 #
@@ -12,6 +12,9 @@ init_daemon_domain(innd_t, innd_exec_t)
 type innd_etc_t;
 files_config_file(innd_etc_t)
 
+type innd_initrc_exec_t;
+init_script_file(innd_initrc_exec_t)
+
 type innd_log_t;
 logging_log_file(innd_log_t)
 
@@ -22,7 +25,7 @@ type innd_var_run_t;
 files_pid_file(innd_var_run_t)
 
 type news_spool_t;
-files_type(news_spool_t)
+files_mountpoint(news_spool_t)
 
 ########################################
 #

policy/modules/services/jabber.fc

@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/jabber --	gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+
 /usr/sbin/jabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
 
 /var/lib/jabber(/.*)?		gen_context(system_u:object_r:jabberd_var_lib_t,s0)

policy/modules/services/jabber.if

@@ -13,3 +13,44 @@
 interface(`jabber_tcp_connect',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an jabber environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the jabber domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`jabber_admin',`
+	gen_require(`
+		type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
+		type jabberd_var_run_t, jabberd_initrc_exec_t;
+	')
+
+	allow $1 jabberd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, jabberd_t)
+
+	init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 jabberd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_list_logs($1)
+	admin_pattern($1, jabberd_log_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, jabberd_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, jabberd_var_run_t)
+')

policy/modules/services/jabber.te

@@ -1,5 +1,5 @@
 
-policy_module(jabber, 1.5.0)
+policy_module(jabber, 1.5.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type jabberd_t;
 type jabberd_exec_t;
 init_daemon_domain(jabberd_t, jabberd_exec_t)
 
+type jabberd_initrc_exec_t;
+init_script_file(jabberd_initrc_exec_t)
+
 type jabberd_log_t;
 logging_log_file(jabberd_log_t)
 

policy/modules/services/ntp.if

@@ -53,3 +53,47 @@ interface(`ntp_domtrans_ntpdate',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ntp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the ntp domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ntp_admin',`
+	gen_require(`
+		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+		type ntpd_key_t, ntpd_var_lib_t, ntpd_var_run_t;
+		type ntpd_initrc_exec_t;
+	')
+
+	allow $1 ntpd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, ntpd_t)
+
+	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ntpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, ntpd_key_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, ntpd_log_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, ntpd_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, ntpd_var_run_t)
+')

policy/modules/services/ntp.te

@@ -1,5 +1,5 @@
 
-policy_module(ntp, 1.6.2)
+policy_module(ntp, 1.6.3)
 
 ########################################
 #

policy/modules/services/postfixpolicyd.fc

@@ -1,4 +1,5 @@
 /etc/policyd.conf		--	gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
+/etc/rc\.d/init\.d/postfixpolicyd --	gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
 
 /usr/sbin/policyd		--	gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
 

policy/modules/services/postfixpolicyd.if

@@ -1 +1,40 @@
 ## <summary>Postfix policy server</summary>
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an postfixpolicyd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the postfixpolicyd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfixpolicyd_admin',`
+	gen_require(`
+		type postfix_policyd_t, postfix_policyd_conf_t;
+		type postfix_policyd_var_run_t;
+		type postfix_policyd_initrc_exec_t;	
+	')
+
+	allow $1 postfix_policyd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postfix_policyd_t)
+
+	init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 postfix_policyd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, postfix_policyd_conf_t)
+
+	files_list_pids($1)
+	admin_pattern($1, postfix_policyd_var_run_t)
+')

policy/modules/services/postfixpolicyd.te

@@ -1,5 +1,5 @@
 
-policy_module(postfixpolicyd, 1.0.0)
+policy_module(postfixpolicyd, 1.0.1)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
 type postfix_policyd_conf_t;
 files_config_file(postfix_policyd_conf_t)
 
+type postfix_policyd_initrc_exec_t;
+init_script_file(postfix_policyd_initrc_exec_t)
+
 type postfix_policyd_var_run_t;
 files_pid_file(postfix_policyd_var_run_t)
 

policy/modules/services/radius.fc

@@ -1,6 +1,7 @@
 
 /etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
 /etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/rc\.d/init\.d/radiusd --	gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
 
 /etc/raddb(/.*)?                gen_context(system_u:object_r:radiusd_etc_t,s0)
 /etc/raddb/db\.daily     --      gen_context(system_u:object_r:radiusd_etc_rw_t,s0)

policy/modules/services/radius.if

@@ -24,28 +24,39 @@ interface(`radius_use',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`radius_admin',`
 	gen_require(`
 		type radiusd_t, radiusd_etc_t, radiusd_log_t;
 		type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
+		type radiusd_initrc_exec_t;
 	')
 
 	allow $1 radiusd_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, radiusd_t)
 
+	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 radiusd_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	files_list_etc($1)
-	manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t)
+	admin_pattern($1, radiusd_etc_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, radiusd_log_t, radiusd_log_t)
+	admin_pattern($1, radiusd_log_t)
 
-	manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t)
+	admin_pattern($1, radiusd_etc_rw_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t)
+	admin_pattern($1, radiusd_var_lib_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t)
+	admin_pattern($1, radiusd_var_run_t)
 ')

policy/modules/services/radius.te

@@ -1,5 +1,5 @@
 
-policy_module(radius, 1.8.0)
+policy_module(radius, 1.8.1)
 
 ########################################
 #
@@ -16,6 +16,9 @@ files_config_file(radiusd_etc_t)
 type radiusd_etc_rw_t;
 files_type(radiusd_etc_rw_t)
 
+type radiusd_initrc_exec_t;
+init_script_file(radiusd_initrc_exec_t)
+
 type radiusd_log_t;
 logging_log_file(radiusd_log_t)
 
@@ -34,12 +37,11 @@ files_pid_file(radiusd_var_run_t)
 # gzip also needs chown access to preserve GID for radwtmp files
 allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
 dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { setsched signal };
+allow radiusd_t self:process { getsched setsched sigkill signal };
 allow radiusd_t self:fifo_file rw_fifo_file_perms;
 allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
 allow radiusd_t self:tcp_socket create_stream_socket_perms;
 allow radiusd_t self:udp_socket create_socket_perms;
-allow radiusd_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow radiusd_t radiusd_etc_t:dir list_dir_perms;
 read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
@@ -74,8 +76,12 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
 corenet_udp_bind_all_nodes(radiusd_t)
 corenet_udp_bind_radacct_port(radiusd_t)
 corenet_udp_bind_radius_port(radiusd_t)
+corenet_tcp_connect_mysqld_port(radiusd_t)
+corenet_tcp_connect_snmp_port(radiusd_t)
 corenet_sendrecv_radius_server_packets(radiusd_t)
 corenet_sendrecv_radacct_server_packets(radiusd_t)
+corenet_sendrecv_mysqld_client_packets(radiusd_t)
+corenet_sendrecv_snmp_client_packets(radiusd_t)
 # for RADIUS proxy port
 corenet_udp_bind_generic_port(radiusd_t)
 corenet_dontaudit_udp_bind_all_ports(radiusd_t)
@@ -86,9 +92,6 @@ dev_read_sysfs(radiusd_t)
 fs_getattr_all_fs(radiusd_t)
 fs_search_auto_mountpoints(radiusd_t)
 
-auth_read_shadow(radiusd_t)
-auth_domtrans_chk_passwd(radiusd_t)
-
 corecmd_exec_bin(radiusd_t)
 corecmd_exec_shell(radiusd_t)
 
@@ -98,6 +101,10 @@ files_read_usr_files(radiusd_t)
 files_read_etc_files(radiusd_t)
 files_read_etc_runtime_files(radiusd_t)
 
+auth_use_nsswitch(radiusd_t)
+auth_read_shadow(radiusd_t)
+auth_domtrans_chk_passwd(radiusd_t)
+
 libs_use_ld_so(radiusd_t)
 libs_use_shared_libs(radiusd_t)
 libs_exec_lib_files(radiusd_t)
@@ -107,8 +114,6 @@ logging_send_syslog_msg(radiusd_t)
 miscfiles_read_localization(radiusd_t)
 miscfiles_read_certs(radiusd_t)
 
-sysnet_read_config(radiusd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
 
 sysadm_dontaudit_search_home_dirs(radiusd_t)
@@ -123,7 +128,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(radiusd_t)
+	mysql_read_config(radiusd_t)
+	mysql_stream_connect(radiusd_t)
 ')
 
 optional_policy(`

policy/modules/services/radvd.fc

@@ -1,5 +1,5 @@
-
 /etc/radvd\.conf	--	gen_context(system_u:object_r:radvd_etc_t,s0)
+/etc/rc\.d/init\.d/radvd --	gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
 
 /usr/sbin/radvd		--	gen_context(system_u:object_r:radvd_exec_t,s0)
 

policy/modules/services/radvd.if

@@ -10,20 +10,30 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`radvd_admin',`
 	gen_require(`
 		type radvd_t, radvd_etc_t;
-		type radvd_var_run_t;
+		type radvd_var_run_t, radvd_initrc_exec_t;
 	')
 
-	allow $1 radvd_t:process { ptrace signal_perms getattr };
+	allow $1 radvd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, radvd_t)
 
+	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 radvd_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	files_list_etc($1)
-	manage_files_pattern($1, radvd_etc_t, radvd_etc_t)
+	admin_pattern($1, radvd_etc_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
+	admin_pattern($1, radvd_var_run_t)
 ')

policy/modules/services/radvd.te

@@ -1,5 +1,5 @@
 
-policy_module(radvd, 1.8.0)
+policy_module(radvd, 1.8.1)
 
 ########################################
 #
@@ -9,6 +9,9 @@ type radvd_t;
 type radvd_exec_t;
 init_daemon_domain(radvd_t, radvd_exec_t)
 
+type radvd_initrc_exec_t;
+init_script_file(radvd_initrc_exec_t)
+
 type radvd_var_run_t;
 files_pid_file(radvd_var_run_t)
 
@@ -27,6 +30,7 @@ allow radvd_t self:unix_stream_socket create_socket_perms;
 allow radvd_t self:rawip_socket create_socket_perms;
 allow radvd_t self:tcp_socket create_stream_socket_perms;
 allow radvd_t self:udp_socket create_socket_perms;
+allow radvd_t self:fifo_file rw_file_perms;
 
 allow radvd_t radvd_etc_t:file read_file_perms;
 

policy/modules/services/rwho.fc

@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/rwhod --	gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
+
 /usr/sbin/rwhod		--	gen_context(system_u:object_r:rwho_exec_t,s0)
 
 /var/spool/rwho(/.*)?		gen_context(system_u:object_r:rwho_spool_t,s0)

policy/modules/services/rwho.if

@@ -126,19 +126,30 @@ interface(`rwho_manage_spool_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`rwho_admin',`
 	gen_require(`
 		type rwho_t, rwho_log_t, rwho_spool_t;
+		type rwho_initrc_exec_t;
 	')
 
-	allow $1 rwho_t:process { ptrace signal_perms getattr };
+	allow $1 rwho_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rwho_t)
-	        
+
+	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 rwho_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	logging_list_logs($1)
-	manage_files_pattern($1, rwho_log_t, rwho_log_t)
+	admin_pattern($1, rwho_log_t)
 
 	files_list_spool($1)
-	manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
+	admin_pattern($1, rwho_spool_t)
 ')

policy/modules/services/rwho.te

@@ -1,5 +1,5 @@
 
-policy_module(rwho, 1.4.0)
+policy_module(rwho, 1.4.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type rwho_t;
 type rwho_exec_t;
 init_daemon_domain(rwho_t, rwho_exec_t)
 
+type rwho_initrc_exec_t;
+init_script_file(rwho_initrc_exec_t)
+
 type rwho_log_t;
 files_type(rwho_log_t)
 

policy/modules/services/soundserver.fc

@@ -1,4 +1,5 @@
 /etc/nas(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
+/etc/rc\.d/init\.d/nasd	--	gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
 /etc/yiff(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
 
 /usr/bin/nasd		--	gen_context(system_u:object_r:soundd_exec_t,s0)
@@ -6,5 +7,7 @@
 
 /usr/sbin/yiff		--	gen_context(system_u:object_r:soundd_exec_t,s0)
 
+/var/run/nasd(/.*)?		gen_context(system_u:object_r:soundd_var_run_t,s0)
 /var/run/yiff-[0-9]+\.pid --	gen_context(system_u:object_r:soundd_var_run_t,s0)
+
 /var/state/yiff(/.*)?		gen_context(system_u:object_r:soundd_state_t,s0)

policy/modules/services/soundserver.if

@@ -13,3 +13,45 @@
 interface(`soundserver_tcp_connect',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an soundd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the soundd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`soundserver_admin',`
+	gen_require(`
+		type soundd_t, soundd_etc_t;
+		type soundd_tmp_t, soundd_var_run_t;
+		type soundd_initrc_exec_t;
+	')
+
+	allow $1 soundd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, soundd_t)
+
+	init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 soundd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, soundd_etc_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, soundd_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, soundd_var_run_t)
+')

policy/modules/services/soundserver.te

@@ -1,5 +1,5 @@
 
-policy_module(soundserver, 1.5.0)
+policy_module(soundserver, 1.5.1)
 
 ########################################
 #
@@ -11,7 +11,10 @@ type soundd_exec_t;
 init_daemon_domain(soundd_t, soundd_exec_t)
 
 type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
+files_config_file(soundd_etc_t)
+
+type soundd_initrc_exec_t;
+init_script_file(soundd_initrc_exec_t)
 
 type soundd_state_t;
 files_type(soundd_state_t)
@@ -31,16 +34,18 @@ files_pid_file(soundd_var_run_t)
 # Declarations
 #
 
+allow soundd_t self:capability dac_override;
 dontaudit soundd_t self:capability sys_tty_config;
 allow soundd_t self:process { setpgid signal_perms };
 allow soundd_t self:tcp_socket create_stream_socket_perms;
 allow soundd_t self:udp_socket create_socket_perms;
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
 # for yiff
 allow soundd_t self:shm create_shm_perms;
 
-allow soundd_t soundd_etc_t:dir list_dir_perms;
-allow soundd_t soundd_etc_t:file read_file_perms;
-allow soundd_t soundd_etc_t:lnk_file { getattr read };
+read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
 
 manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
 manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
@@ -55,8 +60,10 @@ manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
 manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
 fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
 manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
-files_pid_filetrans(soundd_t, soundd_var_run_t, file)
+manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
@@ -99,6 +106,10 @@ userdom_dontaudit_use_unpriv_user_fds(soundd_t)
 
 sysadm_dontaudit_search_home_dirs(soundd_t)
 
+optional_policy(`
+	alsa_domtrans(soundd_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(soundd_t)
 ')

policy/modules/services/squid.fc

@@ -1,4 +1,4 @@
-/etc/rc.d/init.d/squid	--	gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/squid --	gen_context(system_u:object_r:squid_initrc_exec_t,s0)
 /etc/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
 
 /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)

policy/modules/services/squid.if

@@ -168,3 +168,48 @@ interface(`squid_manage_logs',`
 interface(`squid_use',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an squid environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the squid domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_admin',`
+	gen_require(`
+		type squid_t, squid_cache_t, squid_conf_t;
+		type squid_log_t, squid_var_run_t;
+		type squid_initrc_exec_t;
+	')
+
+	allow $1 squid_t:process { ptrace signal_perms };
+	ps_process_pattern($1, squid_t)
+		
+	init_labeled_script_domtrans($1, squid_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 squid_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var($1)
+	admin_pattern($1, squid_cache_t)
+
+	files_list_etc($1)
+	admin_pattern($1, squid_conf_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, squid_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, squid_var_run_t)
+')

policy/modules/services/squid.te

@@ -1,5 +1,5 @@
 
-policy_module(squid, 1.6.1)
+policy_module(squid, 1.6.2)
 
 ########################################
 #
@@ -156,6 +156,8 @@ sysadm_dontaudit_search_home_dirs(squid_t)
 
 tunable_policy(`squid_connect_any',`
 	corenet_tcp_connect_all_ports(squid_t)
+	corenet_tcp_bind_all_ports(squid_t)
+	corenet_sendrecv_all_packets(squid_t)
 ')
 
 optional_policy(`

policy/modules/services/tftp.if

@@ -20,10 +20,10 @@ interface(`tftp_admin',`
 	allow $1 tftpd_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, tftpd_t)
 	        
-	manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+	admin_pattern($1, tftpdir_rw_t)
 
-	manage_files_pattern($1, tftpdir_t, tftpdir_t)
+	admin_pattern($1, tftpdir_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t)
+	admin_pattern($1, tftpd_var_run_t)
 ')

policy/modules/services/tftp.te

@@ -1,5 +1,5 @@
 
-policy_module(tftp, 1.8.0)
+policy_module(tftp, 1.8.1)
 
 ########################################
 #
@@ -37,7 +37,6 @@ allow tftpd_t self:tcp_socket create_stream_socket_perms;
 allow tftpd_t self:udp_socket create_socket_perms;
 allow tftpd_t self:unix_dgram_socket create_socket_perms;
 allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit tftpd_t self:capability sys_tty_config;
 
 allow tftpd_t tftpdir_t:dir { getattr read search };
@@ -80,6 +79,8 @@ files_read_var_files(tftpd_t)
 files_read_var_symlinks(tftpd_t)
 files_search_var(tftpd_t)
 
+auth_use_nsswitch(tftpd_t)
+
 libs_use_ld_so(tftpd_t)
 libs_use_shared_libs(tftpd_t)
 
@@ -88,11 +89,7 @@ logging_send_syslog_msg(tftpd_t)
 miscfiles_read_localization(tftpd_t)
 miscfiles_read_public_files(tftpd_t)
 
-sysnet_read_config(tftpd_t)
-sysnet_use_ldap(tftpd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-
 sysadm_dontaudit_use_ttys(tftpd_t)
 sysadm_dontaudit_search_home_dirs(tftpd_t)
 
@@ -104,14 +101,6 @@ optional_policy(`
 	inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(tftpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(tftpd_t)
-')
-
 optional_policy(`
         seutil_sigchld_newrole(tftpd_t)
 ')

policy/modules/services/tor.fc

@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/tor	--	gen_context(system_u:object_r:tor_initrc_exec_t,s0)
 /etc/tor(/.*)?			gen_context(system_u:object_r:tor_etc_t,s0)
 
 /usr/bin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)

policy/modules/services/tor.if

@@ -28,26 +28,37 @@ interface(`tor_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the tor domain.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`tor_admin',`
 	gen_require(`
 		type tor_t, tor_var_log_t, tor_etc_t;
 		type tor_var_lib_t, tor_var_run_t;
+		type tor_initrc_exec_t;
 	')
 
 	allow $1 tor_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, tor_t)
-	        
-	logging_list_logs($1)
-	manage_files_pattern($1, tor_var_log_t, tor_var_log_t)
+
+	init_labeled_script_domtrans($1, tor_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 tor_initrc_exec_t system_r;
+	allow $2 system_r;
 
 	files_list_etc($1)
-	manage_files_pattern($1, tor_etc_t, tor_etc_t)
+	admin_pattern($1, tor_etc_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, tor_var_lib_t, tor_var_lib_t)
+	admin_pattern($1, tor_var_lib_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, tor_var_log_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, tor_var_run_t, tor_var_run_t)
+	admin_pattern($1, tor_var_run_t)
 ')

policy/modules/services/tor.te

@@ -1,5 +1,5 @@
 
-policy_module(tor, 1.4.0)
+policy_module(tor, 1.4.1)
 
 ########################################
 #
@@ -14,6 +14,9 @@ init_daemon_domain(tor_t, tor_exec_t)
 type tor_etc_t;
 files_config_file(tor_etc_t)
 
+type tor_initrc_exec_t;
+init_script_file(tor_initrc_exec_t)
+
 # var/lib/tor
 type tor_var_lib_t;
 files_type(tor_var_lib_t)
@@ -31,6 +34,7 @@ files_pid_file(tor_var_run_t)
 # tor local policy
 #
 
+allow tor_t self:capability { setgid setuid };
 allow tor_t self:fifo_file { read write };
 allow tor_t self:unix_stream_socket create_stream_socket_perms;
 allow tor_t self:netlink_route_socket r_netlink_socket_perms;
@@ -86,13 +90,13 @@ domain_use_interactive_fds(tor_t)
 files_read_etc_files(tor_t)
 files_read_etc_runtime_files(tor_t)
 
+auth_use_nsswitch(tor_t)
+
 libs_use_ld_so(tor_t)
 libs_use_shared_libs(tor_t)
 
 miscfiles_read_localization(tor_t)
 
-sysnet_dns_name_resolve(tor_t)
-
 optional_policy(`
 	seutil_sigchld_newrole(tor_t)
 ')

policy/modules/services/uucp.if

@@ -83,19 +83,19 @@ interface(`uucp_admin',`
 	allow $1 uucpd_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, uucpd_t)
 	        
-	files_list_tmp($1)
-	manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t)
-
 	logging_list_logs($1)
-	manage_files_pattern($1, uucpd_log_t, uucpd_log_t)
+	admin_pattern($1, uucpd_log_t)
 
 	files_list_spool($1)
-	manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+	admin_pattern($1, uucpd_spool_t)
 
-	manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t)
+	admin_pattern($1, uucpd_ro_t)
 
-	manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t)
+	admin_pattern($1, uucpd_rw_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, uucpd_tmp_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t)
+	admin_pattern($1, uucpd_var_run_t)
 ')

policy/modules/services/uucp.te

@@ -1,5 +1,5 @@
 
-policy_module(uucp, 1.7.0)
+policy_module(uucp, 1.7.1)
 
 ########################################
 #
@@ -116,6 +116,8 @@ corecmd_exec_bin(uux_t)
 
 files_read_etc_files(uux_t)
 
+fs_rw_anon_inodefs_files(uux_t)
+
 libs_use_ld_so(uux_t)
 libs_use_shared_libs(uux_t)
 

policy/modules/services/zabbix.fc

@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/zabbix --	gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+
 /usr/bin/zabbix_server	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
 
 /var/log/zabbix(/.*)?		gen_context(system_u:object_r:zabbix_log_t,s0)

policy/modules/services/zabbix.if

@@ -87,19 +87,30 @@ interface(`zabbix_read_pid_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the zabbix domain.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`zabbix_admin',`
 	gen_require(`
 		type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+		type zabbix_initrc_exec_t;
 	')
 
-	allow $1 zabbix_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, zabbix_t, zabbix_t)
+	allow $1 zabbix_t:process { ptrace signal_perms };
+	ps_process_pattern($1, zabbix_t)
+		
+	init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 zabbix_initrc_exec_t system_r;
+	allow $2 system_r;
 	        
 	logging_list_logs($1)
-	manage_files_pattern($1, zabbix_log_t, zabbix_log_t)
+	admin_pattern($1, zabbix_log_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t)
+	admin_pattern($1, zabbix_var_run_t)
 ')

policy/modules/services/zabbix.te

@@ -1,5 +1,5 @@
 
-policy_module(zabbix, 1.1.0)
+policy_module(zabbix, 1.1.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type zabbix_t;
 type zabbix_exec_t;
 init_daemon_domain(zabbix_t, zabbix_exec_t)
 
+type zabbix_initrc_exec_t;
+init_script_file(zabbix_initrc_exec_t)
+
 # log files
 type zabbix_log_t;
 logging_log_file(zabbix_log_t)

policy/modules/services/zebra.fc

@@ -1,3 +1,9 @@
+/etc/rc\.d/init\.d/bgpd	--	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospf6d --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospfd --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripd	--	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 
 /usr/sbin/bgpd		--	gen_context(system_u:object_r:zebra_exec_t,s0)
 /usr/sbin/zebra		--	gen_context(system_u:object_r:zebra_exec_t,s0)

policy/modules/services/zebra.if

@@ -32,26 +32,37 @@ interface(`zebra_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the zebra domain.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`zebra_admin',`
 	gen_require(`
 		type zebra_t, zebra_tmp_t, zebra_log_t;
 		type zebra_conf_t, zebra_var_run_t;
+		type zebra_initrc_exec_t;
 	')
 
-	allow $1 zebra_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, zebra_t, zebra_t)
-	        
-	files_list_tmp($1)
-	manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t)
-
-	logging_list_logs($1)
-	manage_files_pattern($1, zebra_log_t, zebra_log_t)
+	allow $1 zebra_t:process { ptrace signal_perms };
+	ps_process_pattern($1, zebra_t)
+		
+	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 zebra_initrc_exec_t system_r;
+	allow $2 system_r;
 
 	files_list_etc($1)
-	manage_files_pattern($1, zebra_conf_t, zebra_conf_t)
+	admin_pattern($1, zebra_conf_t)
+	        
+	logging_list_logs($1)
+	admin_pattern($1, zebra_log_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, zebra_tmp_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t)
+	admin_pattern($1, zebra_var_run_t)
 ')

policy/modules/services/zebra.te

@@ -1,5 +1,5 @@
 
-policy_module(zebra, 1.7.0)
+policy_module(zebra, 1.7.1)
 
 ########################################
 #
@@ -21,6 +21,9 @@ init_daemon_domain(zebra_t, zebra_exec_t)
 type zebra_conf_t;
 files_type(zebra_conf_t)
 
+type zebra_initrc_exec_t;
+init_script_file(zebra_initrc_exec_t)
+
 type zebra_log_t;
 logging_log_file(zebra_log_t)
 
@@ -37,7 +40,7 @@ files_pid_file(zebra_var_run_t)
 
 allow zebra_t self:capability { setgid setuid net_admin net_raw };
 dontaudit zebra_t self:capability sys_tty_config;
-allow zebra_t self:process { signal_perms setcap };
+allow zebra_t self:process { signal_perms getcap setcap };
 allow zebra_t self:file { ioctl read write getattr lock append };
 allow zebra_t self:unix_dgram_socket create_socket_perms;
 allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -64,6 +67,7 @@ manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
 files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file })
 
 kernel_read_system_state(zebra_t)
+kernel_read_network_state(zebra_t)
 kernel_read_kernel_sysctls(zebra_t)
 kernel_rw_net_sysctls(zebra_t)
 

policy/support/file_patterns.spt

@@ -537,3 +537,17 @@ define(`filetrans_pattern',`
 	allow $1 $2:dir rw_dir_perms;
 	type_transition $1 $2:$4 $3;
 ')
+
+define(`admin_pattern',`
+        manage_dirs_pattern($1,$2,$2)
+        manage_files_pattern($1,$2,$2)
+        manage_lnk_files_pattern($1,$2,$2)
+        manage_fifo_files_pattern($1,$2,$2)
+        manage_sock_files_pattern($1,$2,$2)
+
+        relabel_dirs_pattern($1,$2,$2)
+        relabel_files_pattern($1,$2,$2)
+        relabel_lnk_files_pattern($1,$2,$2)
+        relabel_fifo_files_pattern($1,$2,$2)
+        relabel_sock_files_pattern($1,$2,$2)
+')