diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 08af7b0c..1a02004a 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -2,7 +2,7 @@
 #######################################
 ##
-## The per-userdomain template for the gpg module.
+## The per user domain template for the gpg module.
 ##
 ##
 ##

@@ -12,9 +12,9 @@
 ## in domains specific to the user type.
 ##

##

-## This is invoked automatically for each user, and
-## generally does not need to be statically invoked
-## directly by policy writers.
+## This is invoked automatically for each user and
+## generally does not need to be invoked directly
+## by policy writers.
 ##

##
## diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 60bd1a78..81d9c973 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -1,10 +1,26 @@ ## Periodic execution of scheduled commands. -######################################## +####################################### +## +## The per user domain template for the cron module. +## +## +##

+## This template creates a derived domains which are used +## for running programs on behalf of the user, from cron. +## A type for the user crontab is also created. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## # -# cron_per_userdomain_template(domainprefix) -# - template(`cron_per_userdomain_template',` # Type of user crontabs once moved to cron spool. @@ -213,11 +229,21 @@ template(`cron_per_userdomain_template',` ') dnl endif TODO ') -######################################## +####################################### +## +## The administrative functions template for the cron module. +## +## +##

+## This template creates rules for administrating the cron service, +## allowing the specified user to manage other user crontabs. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## # -# cron_admin_template(domainprefix) -# - template(`cron_admin_template',` logging_read_generic_logs($1_crond_t) diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 3d92b4d7..c65d7f2e 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -1,5 +1,26 @@ ## Secure shell client and server policy. +####################################### +## +## The per user domain template for the ssh module. +## +## +##

+## This template creates a derived domains which are used +## for ssh client sessions and user ssh agents. A derived +## type is also created to protect the user ssh keys. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +# template(`ssh_per_userdomain_template',` ############################## # @@ -103,6 +124,8 @@ template(`ssh_per_userdomain_template',` userdom_use_unpriv_users_fd($1_ssh_t) + nis_use_ypbind($1_ssh_t) + tunable_policy(`use_dns',` allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; corenet_udp_sendrecv_all_if($1_ssh_t) @@ -147,9 +170,6 @@ template(`ssh_per_userdomain_template',` allow $1_ssh_t var_run_t:dir r_dir_perms; allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms; - # Grant permissions needed to create TCP and UDP sockets and - # to access the network. - can_ypbind($1_ssh_t) can_kerberos($1_ssh_t) allow $1_ssh_t $1_tmp_t:dir r_dir_perms; @@ -306,9 +326,23 @@ template(`ssh_per_userdomain_template',` ') dnl endif TODO ') -######################################## -# -# +####################################### +## +## The template to define a ssh server. +## +## +##
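Review bot: The `nis_use_ypbind($1_ssh_t)` call added in the `@@ -103,6 +124,8 @@` hunk of ssh.if is unconditional, while the init.te hunk in this same commit wraps its nis calls in an `optional_policy` block keyed on `nis.te`. If nis is an optional module, the per-user ssh template would depend on it whenever it is built, so the call probably belongs in the same kind of wrapper: ``optional_policy(`nis.te',` nis_use_ypbind($1_ssh_t) ')``. The call also stands in for the `can_ypbind($1_ssh_t)` removed in the `@@ -147,9 +170,6 @@` hunk. Since this template is expanded for every user, it is worth confirming in nis.if (not shown here) that the new interface does not grant the ssh client domain more network access than the old macro did. The template body starts and ends outside both hunks.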

+## This template creates a domains to be used for +## creating a ssh server. This is typically done +## to have multiple ssh servers of different sensitivities, +## such as for an internal network-facing ssh server, and +## a external network-facing ssh server. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## # template(`sshd_program_domain', ` type $1_t, ssh_server; #, nscd_client_domain; diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 573068fc..a004cfae 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -1,12 +1,28 @@ ## Common policy for authentication and user login. ####################################### +## +## The per user domain template for the authlogin module. +## +## +##
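Review bot: The parameter description added for `sshd_program_domain` says the argument is "The prefix of the user domain (e.g., user is the prefix for user_t)", but the first visible line of the template is `type $1_t, ssh_server;`, so `$1` names the server domain being created, not a user domain. The text looks copied from the per-user template earlier in the file; suggest `## The prefix of the ssh server domain to create (e.g., sshd is the prefix for sshd_t).` The description says this template exists to separate servers of different sensitivities, so a misleading parameter description invites a policy writer to pass the wrong prefix. The description also reads "creates a domains", where "creates a domain" is meant. The template body continues outside the hunk.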

+## This template creates a derived domain which is allowed +## to authenticate users by using PAM unix_chkpwd support. +## This domain will be used by any programs running in the +## user domain which use PAM to authenticate. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## # -# Per user domain template for this module -# -# authlogin_per_userdomain_template(userdomain_prefix) -# -interface(`authlogin_per_userdomain_template',` +template(`authlogin_per_userdomain_template',` gen_require(` attribute can_read_shadow_passwords; type chkpwd_exec_t, system_chkpwd_t, shadow_t; diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index d56ece05..9f2932d9 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -259,9 +259,9 @@ interface(`init_exec_script',` ') ######################################## -## +## ## Read the process state (/proc/pid) of the init scripts. -## +## ## ## The type of the process performing this action. ## @@ -327,9 +327,9 @@ interface(`init_get_script_process_group',` ') ######################################## -## +## ## Read and write init script unnamed pipes. -## +## ## ## The type of the process performing this action. ## @@ -343,6 +343,24 @@ interface(`init_rw_script_pipe',` allow $1 initrc_t:fifo_file { read write }; ') +######################################## +## +## Send UDP network traffic to init scripts. +## +## +## The type of the process performing this action. +## +# +interface(`init_udp_sendto_script',` + gen_require(` + type initrc_t; + class udp_socket { sendto recvfrom }; + ') + + allow $1 initrc_t:udp_socket sendto; + allow initrc_t $1:udp_socket recvfrom; +') + ######################################## # # init_use_script_pty(domain) @@ -371,9 +389,9 @@ interface(`init_dontaudit_use_script_pty',` ') ######################################## -## +## ## Read and write init script temporary data. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index b941ec8a..688df508 100644 --- a/refpolicy/policy/modules/system/init.te 
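Review bot: The summary of the new `init_udp_sendto_script` interface, "Send UDP network traffic to init scripts", describes only the first rule; the interface also emits `allow initrc_t $1:udp_socket recvfrom;`, which grants a permission to `initrc_t` rather than to the caller. Someone auditing callers from the summary alone would miss that each call also widens what the init script domain may receive. Suggest extending the summary to `## Send UDP network traffic to init scripts, and allow init scripts to receive it from the caller.` The interface is fully contained in the hunk.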
+++ b/refpolicy/policy/modules/system/init.te
@@ -350,6 +350,11 @@ optional_policy(`lvm.te',`
 dev_create_generic_chr_file(initrc_t)
 ')
+optional_policy(`nis.te',`
+ nis_udp_sendto_ypbind(initrc_t)
+ nis_list_var_yp(initrc_t)
+')
+
 optional_policy(`rhgb.te',`
 corecmd_shell_entry_type(initrc_t)
 ')