patch from dan Thu, 31 Aug 2006 15:16:30 -0400

Changelog

@@ -64,6 +64,7 @@
 	Tue, 20 Jun 2006
 	Wed, 26 Jul 2006
 	Wed, 23 Aug 2006
+	Thu, 31 Aug 2006
 - Added modules:
 	afs
 	amavis (Erich Schubert)

policy/modules/admin/anaconda.te

@@ -53,6 +53,10 @@ optional_policy(`
 	rpm_domtrans_script(anaconda_t)
 ')
 
+optional_policy(`
+	ssh_domtrans_keygen(anaconda_t)
+')
+
 optional_policy(`
 	udev_domtrans(anaconda_t)
 ')

policy/modules/apps/mono.te

@@ -19,9 +19,12 @@ domain_entry_file(mono_t,mono_exec_t)
 
 ifdef(`targeted_policy',`
 	allow mono_t self:process { execheap execmem };
+
 	unconfined_domain_noaudit(mono_t)
 	unconfined_dbus_chat(mono_t)
 
+	userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+
 	init_dbus_chat_script(mono_t)
 
 	optional_policy(`

policy/modules/kernel/corecommands.fc

@@ -54,7 +54,9 @@ ifdef(`distro_redhat',`
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/ifup-.*	-l gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0)
 
 /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)

policy/modules/kernel/corenetwork.te.in

@@ -126,6 +126,7 @@ network_port(rndc, tcp,953,s0)
 network_port(router, udp,520,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
+network_port(setroubleshoot, tcp,3267,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)

policy/modules/kernel/devices.fc

@@ -3,7 +3,7 @@
 /dev/.*				gen_context(system_u:object_r:device_t,s0)
 
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/adsp		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
 /dev/aload.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/amidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)

policy/modules/kernel/files.fc

@@ -57,6 +57,7 @@ ifdef(`distro_suse',`
 /etc/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/reader.conf	-- 	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/smartd\.conf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 
 /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)

policy/modules/kernel/kernel.if

@@ -1048,6 +1048,24 @@ interface(`kernel_write_xen_state',`
 	allow $1 proc_xen_t:file write;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to list all proc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_all_proc',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	dontaudit $1 proc_type:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to search
@@ -1604,6 +1622,24 @@ interface(`kernel_rw_rpc_sysctls',`
 	allow $1 sysctl_rpc_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to list all sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_all_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+	')
+
+	dontaudit $1 sysctl_type:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to read all sysctls.

policy/modules/kernel/terminal.fc

@@ -22,11 +22,13 @@
 
 /dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
+/dev/usb/tty.*		-c	gen_context(system_u:object_r:usbtty_device_t,s0)
+
 /dev/vcc?/.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
 /dev/vcs[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
-/dev/usb/tty.*		-c	gen_context(system_u:object_r:usbtty_device_t,s0)
+/dev/xvc[0-9]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
 ifdef(`distro_gentoo',`
 /dev/tts/[0-9]*		-c	gen_context(system_u:object_r:tty_device_t,s0)

policy/modules/services/dovecot.te

@@ -185,6 +185,7 @@ files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
 files_read_usr_symlinks(dovecot_auth_t)
 files_search_tmp(dovecot_auth_t)
+files_read_var_lib_files(dovecot_t)
 
 libs_use_ld_so(dovecot_auth_t)
 libs_use_shared_libs(dovecot_auth_t)

policy/modules/services/hal.te

@@ -110,10 +110,6 @@ storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
 storage_raw_write_fixed_disk(hald_t)
 
-term_dontaudit_use_console(hald_t)
-term_dontaudit_use_generic_ptys(hald_t)
-term_use_unallocated_ttys(hald_t)
-
 auth_use_nsswitch(hald_t)
 
 init_use_fds(hald_t)
@@ -145,7 +141,8 @@ sysnet_read_config(hald_t)
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+	term_dontaudit_use_console(hald_t)
 	term_setattr_unallocated_ttys(hald_t)
 	term_dontaudit_use_unallocated_ttys(hald_t)
 	term_dontaudit_use_generic_ptys(hald_t)

policy/modules/services/pyzor.te

@@ -58,6 +58,8 @@ libs_use_shared_libs(pyzor_t)
 
 miscfiles_read_localization(pyzor_t)
 
+userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
+
 optional_policy(`
 	amavis_manage_lib_files(pyzor_t)
 	amavis_manage_spool_files(pyzor_t)
@@ -104,13 +106,13 @@ corenet_sendrecv_pyzor_server_packets(pyzord_t)
 
 files_read_etc_files(pyzord_t)
 
-term_dontaudit_use_generic_ptys(pyzord_t)
-
 auth_use_nsswitch(pyzord_t)
 
 libs_use_ld_so(pyzord_t)
 libs_use_shared_libs(pyzord_t)
 
+locallogin_dontaudit_use_fds(pyzord_t)
+
 miscfiles_read_localization(pyzord_t)
 
 # Do not audit attempts to access /root.
@@ -120,6 +122,9 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t)
 mta_manage_spool(pyzord_t)
 
 ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(pyzord_t)
+	term_dontaudit_use_unallocated_ttys(pyzord_t)
+
 	userdom_read_generic_user_home_content_files(pyzord_t)
 ')
 

policy/modules/services/rhgb.te

@@ -105,6 +105,7 @@ xserver_kill_xdm_xserver(rhgb_t)
 xserver_read_xkb_libs(rhgb_t)
 
 ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(rhgb_t)
 	term_dontaudit_use_generic_ptys(rhgb_t)
 	files_dontaudit_read_root_files(rhgb_t)
 ')

policy/modules/services/setroubleshoot.fc

@@ -0,0 +1,7 @@
+/usr/sbin/setroubleshootd	--	gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
+/var/run/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+
+/var/log/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+
+/var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)

policy/modules/services/setroubleshoot.if

@@ -0,0 +1 @@
+## <summary>SELinux troubleshooting service</summary>

policy/modules/services/setroubleshoot.te

@@ -0,0 +1,111 @@
+
+policy_module(setroubleshoot,1.0.0)
+
+########################################
+#
+# Declarations 
+#
+
+type setroubleshootd_t alias setroubleshoot_t;
+type setroubleshootd_exec_t;
+domain_type(setroubleshootd_t)
+init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+
+type setroubleshoot_var_lib_t;
+files_type(setroubleshoot_var_lib_t)
+
+# log files
+type setroubleshoot_var_log_t;
+logging_log_file(setroubleshoot_var_log_t)
+
+# pid files
+type setroubleshoot_var_run_t;
+files_pid_file(setroubleshoot_var_run_t)
+
+########################################
+#
+# setroubleshootd local policy
+#
+
+allow setroubleshootd_t self:capability { dac_override sys_tty_config };
+allow setroubleshootd_t self:process { signal getattr };
+allow setroubleshootd_t self:fifo_file rw_file_perms;
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
+
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:file create_file_perms;
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir { rw_dir_perms setattr };
+files_var_lib_filetrans(setroubleshootd_t,setroubleshoot_var_lib_t,{ file dir })
+
+# log files
+allow setroubleshootd_t setroubleshoot_var_log_t:file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_log_t:sock_file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir })
+
+# pid file
+allow setroubleshootd_t setroubleshoot_var_run_t:file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_run_t:sock_file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(setroubleshootd_t)
+kernel_read_system_state(setroubleshootd_t)
+
+corecmd_exec_sbin(setroubleshootd_t)
+corecmd_exec_bin(setroubleshootd_t)
+corecmd_exec_shell(setroubleshootd_t)
+
+corenet_non_ipsec_sendrecv(setroubleshootd_t)
+corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
+corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
+corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
+corenet_tcp_bind_all_nodes(setroubleshootd_t)
+corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
+corenet_tcp_connect_smtp_port(setroubleshootd_t)
+corenet_sendrecv_setroubleshoot_server_packets(setroubleshootd_t)
+corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+
+dev_read_urand(setroubleshootd_t)
+
+files_read_usr_files(setroubleshootd_t)
+files_read_etc_files(setroubleshootd_t)
+files_getattr_all_dirs(setroubleshootd_t)
+
+selinux_get_enforce_mode(setroubleshootd_t)
+
+term_dontaudit_use_console(setroubleshootd_t)
+term_dontaudit_use_all_user_ptys(setroubleshootd_t)
+term_dontaudit_use_all_user_ttys(setroubleshootd_t)
+
+init_read_utmp(setroubleshootd_t)
+init_dontaudit_write_utmp(setroubleshootd_t)
+init_use_fds(setroubleshootd_t)
+
+libs_use_ld_so(setroubleshootd_t)
+libs_use_shared_libs(setroubleshootd_t)
+
+miscfiles_read_localization(setroubleshootd_t)
+
+locallogin_dontaudit_use_fds(setroubleshootd_t)
+
+logging_send_syslog_msg(setroubleshootd_t)
+logging_stream_connect_auditd(setroubleshootd_t)
+
+seutil_read_config(setroubleshootd_t)
+
+sysnet_read_config(setroubleshootd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(setroubleshootd_t)
+	term_dontaudit_use_unallocated_ttys(setroubleshootd_t)
+')
+
+optional_policy(`
+	rpm_read_db(setroubleshootd_t)
+	rpm_dontaudit_manage_db(setroubleshootd_t)
+        rpm_use_script_fds(setroubleshootd_t)
+')

policy/modules/services/spamassassin.te

@@ -132,8 +132,11 @@ userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(spamd_t)
 	term_dontaudit_use_generic_ptys(spamd_t)
+
 	files_dontaudit_read_root_files(spamd_t)
+
 	tunable_policy(`spamd_enable_home_dirs',`
+		userdom_home_filetrans_generic_user_home_dir(spamd_t)
 		userdom_manage_generic_user_home_content_dirs(spamd_t)
 		userdom_manage_generic_user_home_content_files(spamd_t)
 		userdom_manage_generic_user_home_content_symlinks(spamd_t)

policy/modules/services/ssh.if

@@ -694,6 +694,27 @@ interface(`ssh_exec',`
 	can_exec($1,ssh_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute the ssh key generator in the ssh keygen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_domtrans_keygen',`
+	gen_require(`
+		type ssh_keygen_t, ssh_keygen_exec_t;
+	')
+
+	domain_auto_trans($1,ssh_keygen_exec_t,ssh_keygen_t)
+	allow ssh_keygen_t $1:fd use;
+	allow ssh_keygen_t $1:fifo_file rw_file_perms;
+	allow ssh_keygen_t $1:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	Read ssh server keys

policy/modules/services/xserver.if

@@ -45,7 +45,6 @@ template(`xserver_common_domain_template',`
 	allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 	dontaudit $1_xserver_t self:capability chown;
 	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_xserver_t self:process { execmem execheap execstack setsched };
 	allow $1_xserver_t self:fd use;
 	allow $1_xserver_t self:fifo_file rw_file_perms;
 	allow $1_xserver_t self:sock_file r_file_perms;
@@ -159,6 +158,14 @@ template(`xserver_common_domain_template',`
 
 	sysnet_read_config($1_xserver_t)
 
+	ifndef(`distro_redhat',`
+		allow $1_xserver_t self:process { execmem execheap execstack };
+	')
+
+	ifdef(`distro_rhel4',`
+		allow $1_xserver_t self:process { execmem execheap execstack };
+	')
+
 	optional_policy(`
 		apm_stream_connect($1_xserver_t)
 	')
@@ -770,9 +777,12 @@ interface(`xserver_rw_xdm_pipes',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
-		type xdm_t;
+		type xdm_t, xdm_tmp_t;
 	')
 
+	files_search_tmp($1)
+	allow $1 xdm_tmp_t:dir search_dir_perms;
+	allow $1 xdm_tmp_t:sock_file write;
 	allow $1 xdm_t:unix_stream_socket connectto;
 ')
 
@@ -1047,6 +1057,24 @@ interface(`xserver_read_xdm_xserver_tmp_files',`
 	allow $1 xdm_xserver_tmp_t:file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Read xdm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_read_xdm_tmp_files',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Kill XDM X servers

policy/modules/services/xserver.te

@@ -292,11 +292,17 @@ ifdef(`strict_policy',`
 ')
 
 ifdef(`targeted_policy',`
-	allow xdm_t self:process { execheap execmem };
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
 	userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
 
+	ifndef(`distro_redhat',`
+		allow xdm_t self:process { execheap execmem };
+	')
+
+	ifdef(`distro_rhel4',`
+		allow xdm_t self:process { execheap execmem };
+	')
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
@@ -420,10 +426,16 @@ ifdef(`strict_policy',`
 ')
 
 ifdef(`targeted_policy',`
-	allow xdm_xserver_t self:process { execheap execmem };
-
 	unconfined_domain_noaudit(xdm_xserver_t)
 	unconfined_domtrans(xdm_xserver_t)
+
+	ifndef(`distro_redhat',`
+		allow xdm_xserver_t self:process { execheap execmem };
+	')
+
+	ifdef(`distro_rhel4',`
+		allow xdm_xserver_t self:process { execheap execmem };
+	')
 ')
 
 optional_policy(`

policy/modules/system/hotplug.te

@@ -27,7 +27,7 @@ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
 dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
-allow hotplug_t self:process { getsession getattr signal_perms };
+allow hotplug_t self:process { setpgid getsession getattr signal_perms };
 allow hotplug_t self:fifo_file rw_file_perms;
 allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;

policy/modules/system/logging.fc

@@ -30,6 +30,7 @@ ifdef(`distro_suse', `
 
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
 
+/var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)

policy/modules/system/mount.te

@@ -11,6 +11,9 @@ type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
 role system_r types mount_t;
 
+type mount_loopback_t; # customizable
+files_type(mount_loopback_t)
+
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
@@ -28,6 +31,8 @@ ifdef(`targeted_policy',`
 # setuid/setgid needed to mount cifs 
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 
+allow mount_t mount_loopback_t:file r_file_perms;
+
 allow mount_t mount_tmp_t:file create_file_perms;
 allow mount_t mount_tmp_t:dir create_dir_perms;
 files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })

policy/modules/system/selinuxutil.te

@@ -355,6 +355,8 @@ kernel_relabelfrom_unlabeled_files(restorecon_t)
 kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
 kernel_relabelfrom_unlabeled_pipes(restorecon_t)
 kernel_relabelfrom_unlabeled_sockets(restorecon_t)
+kernel_dontaudit_list_all_proc(restorecon_t)
+kernel_dontaudit_list_all_sysctls(restorecon_t)
 
 dev_relabel_all_dev_nodes(restorecon_t)
 # cjp: why is this needed?
@@ -458,6 +460,8 @@ init_dontaudit_use_script_ptys(restorecond_t)
 libs_use_ld_so(restorecond_t)
 libs_use_shared_libs(restorecond_t)
 
+locallogin_dontaudit_use_fds(restorecond_t)
+
 logging_send_syslog_msg(restorecond_t)
 
 miscfiles_read_localization(restorecond_t)

policy/modules/system/setrans.te

@@ -56,6 +56,7 @@ mls_rangetrans_target(setrans_t)
 selinux_compute_access_vector(setrans_t)
 
 term_dontaudit_use_generic_ptys(setrans_t)
+term_dontaudit_use_unallocated_ttys(setrans_t)
 
 init_use_fds(setrans_t)
 init_dontaudit_use_script_ptys(setrans_t)
@@ -63,6 +64,8 @@ init_dontaudit_use_script_ptys(setrans_t)
 libs_use_ld_so(setrans_t)
 libs_use_shared_libs(setrans_t)
 
+locallogin_dontaudit_use_fds(setrans_t)
+
 logging_send_syslog_msg(setrans_t)
 
 miscfiles_read_localization(setrans_t)

policy/modules/system/udev.te

@@ -84,14 +84,33 @@ kernel_rw_unix_dgram_sockets(udev_t)
 kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
 
+corecmd_exec_all_executables(udev_t)
+
 dev_rw_sysfs(udev_t)
 dev_manage_all_dev_nodes(udev_t)
 dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 
+domain_read_all_domains_state(udev_t)
+
+files_read_etc_runtime_files(udev_t)
+files_read_etc_files(udev_t)
+files_exec_etc_files(udev_t)
+files_dontaudit_search_isid_type_dirs(udev_t)
+files_getattr_generic_locks(udev_t)
+files_search_mnt(udev_t)
+
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 
+mcs_ptrace_all(udev_t)
+
+mls_file_read_up(udev_t)
+mls_file_write_down(udev_t)
+mls_file_upgrade(udev_t)
+mls_file_downgrade(udev_t)
+mls_process_write_down(udev_t)
+
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
 selinux_compute_access_vector(udev_t)
@@ -103,17 +122,6 @@ auth_read_pam_console_data(udev_t)
 auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
-corecmd_exec_all_executables(udev_t)
-
-domain_read_all_domains_state(udev_t)
-
-files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
-files_exec_etc_files(udev_t)
-files_dontaudit_search_isid_type_dirs(udev_t)
-files_getattr_generic_locks(udev_t)
-files_search_mnt(udev_t)
-
 init_use_fds(udev_t)
 init_read_utmp(udev_t)
 init_dontaudit_write_utmp(udev_t)
@@ -126,12 +134,6 @@ logging_send_syslog_msg(udev_t)
 
 miscfiles_read_localization(udev_t)
 
-mls_file_read_up(udev_t)
-mls_file_write_down(udev_t)
-mls_file_upgrade(udev_t)
-mls_file_downgrade(udev_t)
-mls_process_write_down(udev_t)
-
 modutils_domtrans_insmod(udev_t)
 
 seutil_read_config(udev_t)

policy/modules/system/unconfined.fc

@@ -1,13 +1,14 @@
 # Add programs here which should not be confined by SELinux
 # e.g.:
-# /usr/local/bin/appsrv	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+# /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/vncserver	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
 ifdef(`targeted_policy',`
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/local/RealPlay/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/mplayer	 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/xine		 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 ')