more merging from 1.27.1-15

refpolicy/policy/modules/admin/kudzu.te

@@ -62,6 +62,8 @@ fs_search_ramfs(kudzu_t)
 fs_write_ramfs_socket(kudzu_t)
 
 modutils_read_mods_deps(kudzu_t)
+modutils_read_module_conf(kudzu_t)
+modutils_rename_module_conf(kudzu_t)
 
 storage_read_scsi_generic(kudzu_t)
 storage_read_tape_device(kudzu_t)

refpolicy/policy/modules/services/bind.if

@@ -5,7 +5,7 @@
 ##	Execute ndc in the ndc domain.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`bind_domtrans_ndc',`
@@ -30,7 +30,7 @@ interface(`bind_domtrans_ndc',`
 ##	allow the specified role the ndc domain.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 ## <param name="role">
 ##	The role to be allowed the bind domain.
@@ -50,6 +50,30 @@ interface(`bind_run_ndc',`
 	allow ndc_t $3:chr_file rw_term_perms;
 ')
 
+########################################
+## <summary>
+##	Execute bind in the named domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`bind_domtrans',`
+	gen_require(`
+		type named_t, named_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,named_exec_t,named_t)
+
+	allow $1 named_t:fd use;
+	allow named_t $1:fd use;
+	allow named_t $1:fifo_file rw_file_perms;
+	allow named_t $1:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	Read DNSSEC keys.

refpolicy/policy/modules/services/dbus.te

@@ -124,6 +124,10 @@ tunable_policy(`read_default_t',`
 	files_read_default_pipes(system_dbusd_t)
 ')
 
+optional_policy(`bind.te',`
+	bind_domtrans(system_dbusd_t)
+')
+
 optional_policy(`nscd.te',`
 	nscd_use_socket(system_dbusd_t)
 ')

refpolicy/policy/modules/services/mta.te

@@ -91,6 +91,8 @@ sysnet_dns_name_resolve(system_mail_t)
 userdom_use_sysadm_terms(system_mail_t)
 
 ifdef(`targeted_policy',`
+	typealias system_mail_t alias sysadm_mail_t;
+
 	allow system_mail_t etc_mail_t:file r_file_perms;
 
 	allow system_mail_t mail_spool_t:dir create_dir_perms;

refpolicy/policy/modules/system/modutils.if

@@ -41,6 +41,23 @@ interface(`modutils_read_module_conf',`
 	allow $1 modules_conf_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Rename a file with the configuration options used when
+##	loading modules.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`modutils_rename_module_conf',`
+	gen_require(`
+		type modules_conf_t;
+	')
+
+	allow $1 modules_conf_t:file rename;
+')
+
 ########################################
 ## <summary>
 ##	Execute insmod in the insmod domain.

strict/domains/program/kudzu.te

@@ -20,7 +20,7 @@ allow kudzu_t memory_device_t:chr_file { read write execute };
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read unlink };
+allow kudzu_t modules_conf_t:file { getattr read unlink rename };
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
 allow kudzu_t mouse_device_t:chr_file { read write };

strict/domains/program/mta.te

@@ -72,3 +72,7 @@ allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
 
 allow system_mail_t etc_runtime_t:file { getattr read };
 allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
+ifdef(`targeted_policy', `
+typealias system_mail_t alias sysadm_mail_t;
+')
+

strict/domains/program/named.te

@@ -104,6 +104,7 @@ allow named_t self:fifo_file rw_file_perms;
 # Enable named dbus support:
 ifdef(`dbusd.te', `
 dbusd_client(system, named)
+domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
 allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
 allow named_t self:dbus send_msg;
 ')