start moving around to prep for 1.27.1-15 update

strict/domains/program/NetworkManager.te

@@ -11,16 +11,16 @@
 # NetworkManager_t is the domain for the NetworkManager daemon. 
 # NetworkManager_exec_t is the type of the NetworkManager executable.
 #
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
 
 can_network(NetworkManager_t)
 allow NetworkManager_t port_type:tcp_socket name_connect;
-allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
 allow NetworkManager_t dhcpc_t:process signal;
 
 can_ypbind(NetworkManager_t)
 uses_shlib(NetworkManager_t)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
 
 allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
@@ -93,6 +93,9 @@ allow NetworkManager_t initrc_var_run_t:file { getattr read };
 
 domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
 allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+# allow vpnc connections
+allow NetworkManager_t self:rawip_socket create_socket_perms;
+allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
 
 domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
 domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
@@ -106,3 +109,4 @@ allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
 ')
 allow NetworkManager_t var_lib_t:dir search;
 dontaudit NetworkManager_t user_tty_type:chr_file { read write };
+dontaudit NetworkManager_t security_t:dir search;

strict/domains/program/alsa.te

@@ -6,12 +6,19 @@
 type alsa_t, domain, privlog, daemon;
 type alsa_exec_t, file_type, sysadmfile, exec_type;
 uses_shlib(alsa_t)
-allow alsa_t self:sem  create_sem_perms;
-allow alsa_t self:shm  create_shm_perms;
+allow alsa_t { unpriv_userdomain self }:sem  create_sem_perms;
+allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
 allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
+allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
+
 type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
 rw_dir_create_file(alsa_t,alsa_etc_rw_t)
 allow alsa_t self:capability { setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
 allow alsa_t devpts_t:chr_file { read write };
 allow alsa_t etc_t:file { getattr read };
 domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
+role system_r types alsa_t;
+read_locale(alsa_t) 

strict/domains/program/amanda.te

@@ -84,7 +84,6 @@ domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
 
 # configuration files -> read only
 allow amanda_t amanda_config_t:file { getattr read };
-allow amanda_t amanda_config_t:dir search;
 
 # access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file { getattr lock read write };
@@ -97,43 +96,18 @@ allow amanda_t amanda_data_t:dir { read search write };
 allow amanda_t amanda_data_t:file { read write };
 
 # access to proc_t
-allow amanda_t proc_t:dir { getattr search };
 allow amanda_t proc_t:file { getattr read };
 
 # access to etc_t and similar
-allow amanda_t etc_t:dir { getattr search };
 allow amanda_t etc_t:file { getattr read };
 allow amanda_t etc_runtime_t:file { getattr read };
 
-# access to var_t and similar
-allow amanda_t var_t:dir search;
-allow amanda_t var_lib_t:dir search;
-allow amanda_t amanda_var_lib_t:dir search;
-
 # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write };
-allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write };
-
-# access to var_run_t
-allow amanda_t var_run_t:dir search;
-
-# access to var_log_t
-allow amanda_t var_log_t:dir getattr;
-
-# access to var_spool_t
-allow amanda_t var_spool_t:dir getattr;
-
-# access to amanda_usr_lib_t
-allow amanda_t amanda_usr_lib_t:dir search;
+rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
 
 # access to device_t and similar
-allow amanda_t device_t:dir search;
-allow amanda_t devpts_t:dir getattr;
 allow amanda_t devtty_t:chr_file { read write };
 
-# access to boot_t
-allow amanda_t boot_t:dir getattr;
-
 # access to fs_t
 allow amanda_t fs_t:filesystem getattr;
 
@@ -158,7 +132,8 @@ allow amanda_t bin_t:file { execute execute_no_trans };
 
 allow amanda_t self:capability { chown dac_override setuid };
 allow amanda_t self:process { fork sigchld setpgid signal };
-allow amanda_t self:unix_dgram_socket create;
+allow amanda_t self:dir search;
+allow amanda_t self:file { getattr read };
 
 
 ###################################
@@ -170,7 +145,8 @@ can_ypbind(amanda_t);
 can_exec(amanda_t, sbin_t);
 	
 allow amanda_t self:fifo_file { getattr read write ioctl lock };
-allow amanda_t self:unix_stream_socket { connect create read write };
+allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
 
 
 ##########################
@@ -192,18 +168,8 @@ allow inetd_t amanda_usr_lib_t:dir search;
 ########################
 
 # access to user_home_t
-allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read };
 allow amanda_t user_home_type:file { getattr read };
 
-# access to file_t ( /floppy, /cdrom )
-allow amanda_t mnt_t:dir getattr;
-
-###########
-# Dontaudit
-###########
-dontaudit amanda_t lost_found_t:dir { getattr read };
-	
-	
 ##############################################################################
 # AMANDA RECOVER DECLARATIONS
 ##############################################################################
@@ -214,7 +180,8 @@ dontaudit amanda_t lost_found_t:dir { getattr read };
 
 # type for amrecover
 type amanda_recover_t, domain;
-role sysadm_r types { amanda_recover_t amanda_recover_dir_t };
+role sysadm_r types amanda_recover_t;
+role system_r types amanda_recover_t;
 
 # exec types for amrecover 
 type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
@@ -236,22 +203,22 @@ file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
 uses_shlib(amanda_recover_t)
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
 allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
-allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
+can_exec(amanda_recover_t, shell_exec_t)
 allow amanda_recover_t privfd:fd use;
 
 
 # amrecover network and process communication
 #############################################
 
-can_network_server(amanda_recover_t);
+can_network(amanda_recover_t);
+allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
 can_ypbind(amanda_recover_t);
+read_locale(amanda_recover_t);
 
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
-
-allow amanda_t self:dir search;
-allow amanda_t self:file { getattr read };
-
+allow amanda_recover_t var_log_t:dir search;
+rw_dir_create_file(amanda_recover_t, amanda_log_t)
 
 # amrecover file permissions
 ############################
@@ -301,22 +268,17 @@ allow amanda_recover_t tmp_t:dir search;
 #
 allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
 
-allow amanda_t file_type:dir {getattr read search };
+#amanda needs to look at fs_type directories to decide whether it should backup
+allow amanda_t { fs_type file_type }:dir {getattr read search };
 allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
 allow amanda_t device_type:{ blk_file chr_file } getattr;
 allow amanda_t fixed_disk_device_t:blk_file read;
 domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
 
-dontaudit amanda_t file_type:sock_file getattr;
+allow amanda_t file_type:sock_file getattr;
 logdir_domain(amanda)
 
-dontaudit amanda_t autofs_t:dir { getattr read search };
-dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
-dontaudit amanda_t nfs_t:dir { getattr read };
-dontaudit amanda_t proc_t:dir read;
 dontaudit amanda_t proc_t:lnk_file read;
-dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
-dontaudit amanda_t security_t:dir { getattr read };
-dontaudit amanda_t sysfs_t:dir { getattr read };
 dontaudit amanda_t unlabeled_t:file getattr;
-dontaudit amanda_t usbfs_t:dir getattr;
+#amanda wants to check attributes on fifo_files
+allow amanda_t file_type:fifo_file getattr;

strict/domains/program/openct.te

@@ -0,0 +1,16 @@
+#DESC openct - read files in page cache 
+#
+# Author: Dan Walsh (dwalsh@redhat.com)
+#
+
+#################################
+#
+# Declarations for openct
+#
+
+daemon_domain(openct)
+#
+# openct asks for these
+#
+rw_dir_file(openct_t, usbfs_t)
+allow openct_t etc_t:file r_file_perms;

strict/domains/program/unused/backup.te

@@ -16,7 +16,9 @@ type backup_store_t, file_type, sysadmfile;
 role system_r types backup_t;
 role sysadm_r types backup_t;
 
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
+')
 allow backup_t privfd:fd use;
 ifdef(`crond.te', `
 system_crond_entry(backup_exec_t, backup_t)

strict/file_contexts/program/openct.fc

@@ -0,0 +1,2 @@
+/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t
+/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t

strict/file_contexts/program/pegasus.fc

@@ -0,0 +1,11 @@
+# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
+/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t
+/usr/sbin/cimconfig		-- 	system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/cimuser		-- 	system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/cimauth		-- 	system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/init_repository	-- 	system_u:object_r:pegasus_exec_t
+/usr/lib(64)?/Pegasus/providers/.*\.so.*	system_u:object_r:shlib_t
+/etc/Pegasus(/.*)?			system_u:object_r:pegasus_conf_t
+/var/lib/Pegasus(/.*)?	                system_u:object_r:pegasus_data_t
+/var/run/tog-pegasus(/.*)?              system_u:object_r:pegasus_var_run_t
+/usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t

strict/file_contexts/program/readahead.fc

@@ -0,0 +1 @@
+/usr/sbin/readahead -- system_u:object_r:readahead_exec_t

strict/file_contexts/program/roundup.fc

@@ -0,0 +1,2 @@
+/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
+/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t

strict/file_contexts/program/yppasswdd.fc

@@ -0,0 +1,2 @@
+# yppasswd
+/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t