most of patch from dan Mon, 15 May 2006 11:58:01 -0400
authorChris PeBenito <cpebenito@tresys.com>
Wed, 17 May 2006 14:50:31 +0000 (14:50 +0000)
committerChris PeBenito <cpebenito@tresys.com>
Wed, 17 May 2006 14:50:31 +0000 (14:50 +0000)
41 files changed:
refpolicy/policy/global_tunables
refpolicy/policy/modules/admin/netutils.te
refpolicy/policy/modules/admin/prelink.te
refpolicy/policy/modules/apps/mono.te
refpolicy/policy/modules/kernel/corecommands.fc
refpolicy/policy/modules/kernel/corenetwork.te.in
refpolicy/policy/modules/kernel/domain.te
refpolicy/policy/modules/kernel/files.te
refpolicy/policy/modules/kernel/kernel.if
refpolicy/policy/modules/kernel/mls.te
refpolicy/policy/modules/services/apache.te
refpolicy/policy/modules/services/bluetooth.te
refpolicy/policy/modules/services/clamav.fc
refpolicy/policy/modules/services/clamav.if
refpolicy/policy/modules/services/clamav.te
refpolicy/policy/modules/services/cvs.if
refpolicy/policy/modules/services/dovecot.te
refpolicy/policy/modules/services/ftp.te
refpolicy/policy/modules/services/hal.te
refpolicy/policy/modules/services/inn.if
refpolicy/policy/modules/services/nis.te
refpolicy/policy/modules/services/postgresql.te
refpolicy/policy/modules/services/pyzor.if
refpolicy/policy/modules/services/pyzor.te
refpolicy/policy/modules/services/rpc.te
refpolicy/policy/modules/services/ssh.te
refpolicy/policy/modules/services/xserver.if
refpolicy/policy/modules/system/init.if
refpolicy/policy/modules/system/libraries.fc
refpolicy/policy/modules/system/logging.if
refpolicy/policy/modules/system/logging.te
refpolicy/policy/modules/system/mount.te
refpolicy/policy/modules/system/selinuxutil.te
refpolicy/policy/modules/system/setrans.fc [new file with mode: 0644]
refpolicy/policy/modules/system/setrans.if [new file with mode: 0644]
refpolicy/policy/modules/system/setrans.te [new file with mode: 0644]
refpolicy/policy/modules/system/sysnetwork.te
refpolicy/policy/modules/system/unconfined.if
refpolicy/policy/modules/system/unconfined.te
refpolicy/policy/modules/system/userdomain.if
refpolicy/policy/modules/system/userdomain.te

index ba5e9e64fb75cab8a86a678fc89f043f2f815098..39a28ce8911f2de76ca47af5d452385aa8c0356c 100644 (file)
@@ -547,6 +547,13 @@ gen_tunable(xdm_sysadm_login,false)
 #
 
 ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow mount to mount any file
+## </p>
+## </desc>
+gen_tunable(allow_mount_anyfile,false)
+
 ## <desc>
 ## <p>
 ## Allow spammd to read/write user home directories.
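Review bot: The description `Allow mount to mount any file` does not say what the new tunable actually grants; the mount.te hunk in this commit uses it to give mount_t read access to every directory and file except shadow. Rewrite the `<p>` text along the lines of `## Allow mount to read any file and directory on the system (except shadow) so that files outside the usual locations can be mounted.` so an administrator enabling the boolean understands it is a read-all grant rather than only a mount permission.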
index 2e72dc4ab40c32ed38292a2d919207e80afd827f..58c545f5da6fcef1afe95a959049fcfc4482077e 100644 (file)
@@ -186,6 +186,7 @@ corenet_udp_bind_all_nodes(traceroute_t)
 corenet_tcp_bind_all_nodes(traceroute_t)
 # traceroute needs this but not tracepath
 corenet_raw_bind_all_nodes(traceroute_t)
+corenet_udp_bind_traceroute_port(traceroute_t)
 corenet_tcp_connect_all_ports(traceroute_t)
 
 fs_dontaudit_getattr_xattr_fs(traceroute_t)
@@ -195,6 +196,8 @@ domain_use_interactive_fds(traceroute_t)
 files_read_etc_files(traceroute_t)
 files_dontaudit_search_var(traceroute_t)
 
+init_use_fds(traceroute_t)
+
 libs_use_ld_so(traceroute_t)
 libs_use_shared_libs(traceroute_t)
 
index 59678e0e02233854cd1cf73aa57053298d076d0b..3ec11323f0a71c3338de2b1aa0b3fae5395845fd 100644 (file)
@@ -46,6 +46,7 @@ kernel_dontaudit_search_sysctl(prelink_t)
 corecmd_manage_all_executables(prelink_t)
 corecmd_relabel_all_executables(prelink_t)
 corecmd_mmap_all_executables(prelink_t)
+corecmd_read_sbin_symlinks(prelink_t)
 
 dev_read_urand(prelink_t)
 
index a30fc766919a73d15a8593cff70e5e872e89171a..5769ceb6640777c4c097e0012b9dcd8e1b8731ba 100644 (file)
@@ -35,4 +35,8 @@ ifdef(`targeted_policy',`
        optional_policy(`
                networkmanager_dbus_chat(mono_t)
        ')
+
+       optional_policy(`
+               unconfined_dbus_connect(mono_t)
+       ')
 ')
index 44e046aa4fed1181bc48a1aa90b34c7425a138fd..53e1db71dc667e24aa738ae9e941069e0411abd5 100644 (file)
@@ -76,6 +76,7 @@ ifdef(`targeted_policy',`
 #
 
 /lib/udev/[^/]*                        --      gen_context(system_u:object_r:bin_t,s0)
+/lib/udev/scsi_id              --      gen_context(system_u:object_r:sbin_t,s0)
 
 ifdef(`distro_gentoo',`
 /lib/rcscripts/addons(/.*)?            gen_context(system_u:object_r:bin_t,s0)
index 6e2635268eaf42faf953bd48786c353cebf8a36d..781e88430867fc30992317cb921f9428d6210f63 100644 (file)
@@ -69,9 +69,9 @@ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
 network_port(giftd, tcp,1213,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,9100,s0)
+network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
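Review bot: Appending `tcp,8009,s0` to the http port definition widens every existing http_port_t rule to that port, and the file's convention is to annotate non-obvious ports inline, as the http_cache line does with `# 8118 is for privoxy`. Add a trailing comment such as `# 8009 is for the AJP connector` if that is the intent, or declare a separate port type if only some domains need it. The hplip line now carries sixteen port entries on one line; that is legal but hard to audit, and a short comment naming the device/service range would help.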
@@ -125,6 +125,7 @@ network_port(syslogd, udp,514,s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
 network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
+network_port(traceroute, udp,64000-64010,s0)
 network_port(transproxy, tcp,8081,s0)
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
index 8c6ea33e528742f9b324153d25f9b1277c534095..c58cb7b12e351073cdc67c7f95533a9202490e3b 100644 (file)
@@ -109,6 +109,10 @@ tunable_policy(`global_ssp',`
        dev_read_urand(domain)
 ')
 
+optional_policy(`
+       setrans_translate_context(domain)
+')
+
 ########################################
 #
 # Unconfined access to this module
index 947082f9e7aac390319c8a68ec4da9828fdedb50..6a362d6a3c27275797c7eee924ef4d7dfcb114df 100644 (file)
@@ -181,6 +181,10 @@ allow file_type self:filesystem associate;
 fs_associate(file_type)
 fs_associate_noxattr(file_type)
 
+ifdef(`targeted_policy', `
+       fs_associate_tmpfs(file_type)
+')
+
 ########################################
 #
 # Rules for all tmp file types
index 07df53844cbaebe7e17308eaea7b49e8edca9973..47edcf8b8819a1e6d529d4159deff6d3232691e7 100644 (file)
@@ -1409,7 +1409,7 @@ interface(`kernel_read_kernel_sysctls',`
                type proc_t, sysctl_t, sysctl_kernel_t;
        ')
 
-       allow $1 proc_t:dir search;
+       allow $1 proc_t:dir search_dir_perms;
        allow $1 sysctl_t:dir r_dir_perms;
        allow $1 sysctl_kernel_t:dir r_dir_perms;
        allow $1 sysctl_kernel_t:file r_file_perms;
index 7638c0cadd7928596400d76165ea69ba92c6d3b2..f2ea7e1152c552b50a75a84831cc06e3cebc951e 100644 (file)
@@ -57,9 +57,11 @@ attribute mlsrangetrans;
 #
 
 type lvm_exec_t;
+type setrans_exec_t;
 
 ifdef(`enable_mls',`
 range_transition initrc_t auditd_exec_t s15:c0.c255;
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
+range_transition initrc_t setrans_exec_t s15:c0.c255;
 ')
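Review bot: `type setrans_exec_t;` is declared here rather than in the new setrans module, but the only explanation lives in setrans.te (`real declaration moved to mls until range_transition works in loadable modules`), so a reader of mls.te sees an unrelated daemon type declared next to lvm_exec_t with no reason. Add the same note above the declaration, e.g. `# setrans_exec_t is declared here, not in setrans.te, until range_transition works in loadable modules`, so it is obvious when it can be moved back.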
index 710c28b29f3ee752dd66490916bcfe09fd9cc49e..318419486a1ac13dab0650905d3a117b85c32c22 100644 (file)
@@ -427,11 +427,6 @@ optional_policy(`
        yam_read_content(httpd_t)
 ')
 
-ifdef(`TODO',`
-can_tcp_connect(web_client_domain, httpd_t)
-
-') dnl end TODO
-
 ########################################
 #
 # Apache helper local policy
@@ -667,6 +662,10 @@ ifdef(`targeted_policy',`
        ')
 ')
 
+optional_policy(`
+       clamav_domtrans_clamscan(httpd_sys_script_t)
+')
+
 optional_policy(`
        mysql_stream_connect(httpd_sys_script_t)
        mysql_rw_db_sockets(httpd_sys_script_t)
index e6b6496c2f8f8b80dda10e950cfc60a020186ea2..2cac58b3d873f7aa79db98db377b26b68c259766 100644 (file)
@@ -222,6 +222,8 @@ ifdef(`targeted_policy',`
 
        optional_policy(`
                xserver_stream_connect_xdm(bluetooth_helper_t)
+               xserver_use_xdm_fds(bluetooth_helper_t)
+               xserver_rw_xdm_pipes(bluetooth_helper_t)
        ')
 ')
 
index c4ec71ea8aca33f9ff75a84c76bd66899f1e807a..4640ac66bcbe11971e90ea4ae729d5f9c1ed9714 100644 (file)
@@ -1,5 +1,8 @@
 /etc/clamav(/.*)?                      gen_context(system_u:object_r:clamd_etc_t,s0)
 
+
+/usr/bin/clamscan              --      gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/clamdscan             --      gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/freshclam             --      gen_context(system_u:object_r:freshclam_exec_t,s0)
 
 /usr/sbin/clamd                        --      gen_context(system_u:object_r:clamd_exec_t,s0)
index aef1c030e58b693cb48194f321edc6162c4d2f3d..dfb0dd0810f486412a33e879b5a33dfaf9a32555 100644 (file)
@@ -61,3 +61,26 @@ interface(`clamav_read_config',`
        files_search_etc($1)
        allow $1 clamd_etc_t:file r_file_perms;
 ')
+
+########################################
+## <summary>
+##     Execute a domain transition to run clamscan.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`clamav_domtrans_clamscan',`
+       gen_require(`
+               type clamscan_t, clamscan_exec_t;
+       ')
+
+       domain_auto_trans($1,clamscan_exec_t,clamscan_t)
+
+       allow clamscan_t $1:fd use;
+       allow clamscan_t $1:fifo_file rw_file_perms;
+       allow clamscan_t $1:process sigchld;
+')
+
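Review bot: `clamav_domtrans_clamscan` sets up the transition but never calls `corecmd_search_bin($1)`, unlike the new inn_domtrans interface in this same commit, and clamav.fc labels clamscan and clamdscan under /usr/bin, so a caller that does not already search bin_t cannot reach the executable. Add `corecmd_search_bin($1)` immediately before the domain_auto_trans line. The summary could also say that clamdscan is covered, since clamav.fc gives both binaries clamscan_exec_t.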
index 3c686468c2a5faf8164bfcf911acf7c16877a934..03a916bd4b9dc0c250705fa88e4cda3361ac5a3a 100644 (file)
@@ -35,6 +35,10 @@ files_type(clamd_var_lib_t)
 type clamd_var_run_t;
 files_pid_file(clamd_var_run_t)
 
+type clamscan_t;
+type clamscan_exec_t;
+init_daemon_domain(clamscan_t, clamscan_exec_t)
+
 type freshclam_t;
 type freshclam_exec_t;
 init_daemon_domain(freshclam_t, freshclam_exec_t)
@@ -193,3 +197,42 @@ clamav_stream_connect(freshclam_t)
 cron_use_fds(freshclam_t)
 cron_use_system_job_fds(freshclam_t)
 cron_rw_pipes(freshclam_t)
+
+########################################
+#
+# clamscam local policy
+#
+
+allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:fifo_file rw_file_perms;
+allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
+allow clamscan_t self:unix_dgram_socket create_socket_perms;
+allow clamscan_t self:tcp_socket { listen accept };
+
+# configuration files
+allow clamscan_t clamd_etc_t:dir r_dir_perms;
+allow clamscan_t clamd_etc_t:file r_file_perms;
+allow clamscan_t clamd_etc_t:lnk_file { getattr read };
+
+# var/lib files together with clamd
+allow clamscan_t clamd_var_lib_t:file r_file_perms;
+allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
+allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
+
+kernel_read_kernel_sysctls(clamscan_t)
+
+files_read_etc_files(clamscan_t)
+files_read_etc_runtime_files(clamscan_t)
+files_search_var_lib(clamscan_t)
+
+libs_use_ld_so(clamscan_t)
+libs_use_shared_libs(clamscan_t)
+
+miscfiles_read_localization(clamscan_t)
+miscfiles_read_public_files(clamscan_t)
+
+clamav_stream_connect(clamscan_t)
+
+optional_policy(`
+       apache_read_sys_content(clamscan_t)
+')
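Review bot: The new clamscan_t domain gets `allow clamscan_t self:capability { setgid setuid dac_override };`, and apache.te in this commit lets httpd_sys_script_t transition into it, so a CGI script can reach a domain that bypasses DAC on everything its type rules expose; a comment stating why dac_override is required (rather than the domain's own file rules) would help future review. `allow clamscan_t self:tcp_socket { listen accept };` without create_socket_perms only applies to inherited sockets and looks copied from clamd. Declaring the domain with init_daemon_domain in the first hunk also gives a command-line scanner an init-script entrypoint, which may be unintended — worth confirming. The section header `# clamscam local policy` is a typo for clamscan.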
index bdb19b4ad0c61f14886786356684a5da79398c72..380a139a6183aff2c7379e1a7cb94deddeadb7ba 100644 (file)
@@ -17,3 +17,23 @@ interface(`cvs_read_data',`
 
        allow $1 cvs_data_t:file { getattr read };
 ')
+
+########################################
+## <summary>
+##     Allow the specified domain to execute cvs
+##     in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`cvs_exec',`
+       gen_require(`
+               type cvs_exec_t;
+       ')
+
+       can_exec($1,cvs_exec_t)
+')
+
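Review bot: `cvs_exec` calls `can_exec($1,cvs_exec_t)` without first searching the bin directories, whereas the existing pyzor_exec interface shown later in this commit calls `corecmd_search_bin($1)` before its can_exec. Unless cvs_exec_t never lives under a bin_t directory, add `corecmd_search_bin($1)` before the can_exec line for consistency with the other *_exec interfaces.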
index 9ef28dffde8eb61571956fb12147e1f684bfaf22..f932ad056a876c47134d7b7f87e527286d7a7107 100644 (file)
@@ -98,6 +98,9 @@ files_read_etc_files(dovecot_t)
 files_search_spool(dovecot_t)
 files_search_tmp(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+files_read_etc_runtime_files(dovecot_t)
+files_getattr_all_mountpoints(dovecot_t)
 
 init_use_fds(dovecot_t)
 init_use_script_ptys(dovecot_t)
index eb8bdee9494c3a72a1f17e6a2547d492812ffb05..fd59766df011a0a50b99781e3da9224bc2f02834 100644 (file)
@@ -143,6 +143,8 @@ tunable_policy(`allow_ftpd_anon_write',`
 ') 
 
 tunable_policy(`ftp_home_dir',`
+       allow ftpd_t self:capability { dac_override dac_read_search };
+
        # allow access to /home
        files_list_home(ftpd_t)
        userdom_read_all_users_home_content_files(ftpd_t)
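Review bot: `allow ftpd_t self:capability { dac_override dac_read_search };` inside the ftp_home_dir tunable grants a DAC bypass that is not limited to home directories; any object ftpd_t already has SELinux access to becomes reachable regardless of mode bits. If this is needed because ftpd runs as root and serves home content with restrictive permissions, say so in a comment above the line, e.g. `# ftpd needs to bypass DAC on user home content when ftp_home_dir is enabled`. If only reading is required, `dac_read_search` alone is the narrower grant.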
index dfd67d4f827ceef29613d57e8c2f3af3bcc99042..dc4af08de1f779e19caa3d5de8ba3c5aaafda6a5 100644 (file)
@@ -51,9 +51,6 @@ kernel_read_fs_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 
-files_search_boot(hald_t)
-files_getattr_home_dir(hald_t)
-
 auth_read_pam_console_data(hald_t)
 
 corecmd_exec_all_executables(hald_t)
@@ -95,7 +92,7 @@ files_search_var_lib(hald_t)
 files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
 files_create_boot_flag(hald_t)
-files_getattr_default_dirs(hald_t)
+files_getattr_all_dirs(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
@@ -154,7 +151,6 @@ ifdef(`targeted_policy', `
        term_dontaudit_use_unallocated_ttys(hald_t)
        term_dontaudit_use_generic_ptys(hald_t)
        files_dontaudit_read_root_files(hald_t)
-       files_dontaudit_getattr_home_dir(hald_t)
 ')
 
 optional_policy(`
@@ -163,10 +159,6 @@ optional_policy(`
        apm_stream_connect(hald_t)
 ')
 
-optional_policy(`
-       automount_dontaudit_getattr_tmp_dirs(hald_t)
-')
-
 optional_policy(`
        bind_search_cache(hald_t)
 ')
index 56cf211c78a55b971d8c3d008b43029c426a8190..39ce526904bec5d2761c2df57c31f53170693859 100644 (file)
@@ -16,7 +16,7 @@ interface(`inn_exec',`
                type innd_t;
        ')
 
-       can_exec($1,innd_t)
+       can_exec($1,innd_exec_t)
 ')
 
 ########################################
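Review bot: The corrected `can_exec($1,innd_exec_t)` references innd_exec_t, but the interface's gen_require just above still lists only `type innd_t;`, so innd_exec_t is undeclared for any module that calls inn_exec. Change the require to `type innd_exec_t;` — innd_t no longer appears to be used in this interface once the executable type is the target. The new inn_domtrans in the second hunk requires both types correctly.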
@@ -156,3 +156,28 @@ interface(`inn_dgram_send',`
 
        allow $1 innd_t:unix_dgram_socket sendto;
 ')
+
+
+########################################
+## <summary>
+##     Execute inn in the inn domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`inn_domtrans',`
+       gen_require(`
+               type innd_t, innd_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       domain_auto_trans($1,innd_exec_t,innd_t)
+
+       allow innd_t $1:fd use;
+       allow innd_t $1:fifo_file rw_file_perms;
+       allow innd_t $1:process sigchld;
+')
+
index 98cbbc799968ab7bdfdd6144ed44c91f529fa20e..8f7938c99319274bb816cb9d8cf24287754e6186 100644 (file)
@@ -87,6 +87,7 @@ corenet_tcp_bind_generic_port(ypbind_t)
 corenet_udp_bind_generic_port(ypbind_t)
 corenet_tcp_bind_reserved_port(ypbind_t)
 corenet_udp_bind_reserved_port(ypbind_t)
+corenet_tcp_bind_all_rpc_ports(ypbind_t)
 corenet_tcp_connect_all_ports(ypbind_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
index d602f4d12d85a5b12a59fe8eff2c506096f7ff12..760926fa2ff217fe239083b06a33360e84d249b9 100644 (file)
@@ -32,6 +32,7 @@ files_pid_file(postgresql_var_run_t)
 # postgresql Local policy
 #
 allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
 allow postgresql_t self:process signal_perms;
 allow postgresql_t self:fifo_file { getattr read write ioctl };
 allow postgresql_t self:file { getattr read };
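Review bot: The `dontaudit postgresql_t self:capability { sys_tty_config sys_admin };` placed directly below the allow on the previous line is inert, because both capabilities are already granted there and dontaudit only affects denials. If the intent is to stop granting them and silence the resulting denials, remove `sys_tty_config sys_admin` from the allow line; otherwise the dontaudit can be dropped. The second hunk only relocates this line, so the overlap predates the commit, but moving it next to the allow makes this the natural place to resolve it.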
@@ -41,7 +42,7 @@ allow postgresql_t self:tcp_socket create_stream_socket_perms;
 allow postgresql_t self:udp_socket create_stream_socket_perms;
 allow postgresql_t self:unix_dgram_socket create_socket_perms;
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
+allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow postgresql_t postgresql_db_t:dir create_dir_perms;
 allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
index 9d38ba117a733c14b40aaa80c274bc88a9c28888..ef23b07726a428c3e00c0501d65f273f8989762e 100644 (file)
@@ -44,3 +44,37 @@ interface(`pyzor_exec',`
        corecmd_search_bin($1)
        can_exec($1,pyzor_exec_t)
 ')
+
+#######################################
+## <summary>
+##     The per user domain template for the pyzor module.
+## </summary>
+## <desc>
+##     <p>
+##     This template allows pyzor to manage files in
+##     a user home directory, creating files with the
+##     correct type.
+##     </p>
+##     <p>
+##     This template is invoked automatically for each user, and
+##     generally does not need to be invoked directly
+##     by policy writers.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+#
+template(`pyzor_per_userdomain_template',`
+       type $1_pyzor_home_t;
+       userdom_user_home_content($1,$1_pyzor_home_t)
+
+       allow pyzord_t $1_pyzor_home_t:dir create_dir_perms;
+       allow pyzord_t $1_pyzor_home_t:file create_file_perms;
+       allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
+       userdom_search_user_home_dirs($1,pyzord_t)
+       userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
+')
index 72f9ffae78fa2863a8db38a3127b0cfcd27e8bc1..ab12af333bf26d37ef8c7250ff9b9c29c839bffc 100644 (file)
@@ -99,8 +99,6 @@ libs_use_shared_libs(pyzord_t)
 
 miscfiles_read_localization(pyzord_t)
 
-# only works until we define a different type for maildir
-userdom_priveleged_home_dir_manager(pyzord_t)
 # Do not audit attempts to access /root.
 userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
 userdom_dontaudit_search_staff_home_dirs(pyzord_t)
index 1f55f3fee24de883a192ba5d0e064700b05c6339..9c038558f06ff7f717989a321127f6c6b6f45bb9 100644 (file)
@@ -83,7 +83,7 @@ optional_policy(`
 # NFSD local policy
 #
 
-allow nfsd_t self:capability { sys_admin sys_resource };
+allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
 
 allow nfsd_t exports_t:file { getattr read };
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
index fb9b239758a3ce6a584cc241dd9365b56667b83c..69b76a4db38e3d6de2a35478fcefd90d88963662 100644 (file)
@@ -73,6 +73,7 @@ ifdef(`targeted_policy',`
 ifdef(`strict_policy',`
        # so a tunnel can point to another ssh tunnel
        allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
+       allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 
        allow sshd_t sshd_tmp_t:dir create_dir_perms;
        allow sshd_t sshd_tmp_t:file create_file_perms;
index f8df8062797fe4da675702d2e061bf3aa82500b7..f807733f70bd567095f89acbdd4b95e8d6e8a8bd 100644 (file)
@@ -747,6 +747,42 @@ interface(`xserver_rw_console',`
        allow $1 xconsole_device_t:fifo_file { getattr read write };
 ')
 
+########################################
+## <summary>
+##     Use file descriptors for xdm.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_use_xdm_fds',`
+       gen_require(`
+               type xdm_t;
+       ')
+
+       allow $1 xdm_t:fd use; 
+')
+
+########################################
+## <summary>
+##     Read and write XDM unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process performing this action.
+##     </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_pipes',`
+       gen_require(`
+               type xdm_t;
+       ')
+
+       allow $1 xdm_t:fifo_file { getattr read write }; 
+')
+
 ########################################
 ## <summary>
 ##     Connect to XDM over a unix domain
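Review bot: Both new allow lines, `allow $1 xdm_t:fd use; ` and `allow $1 xdm_t:fifo_file { getattr read write }; `, carry trailing whitespace, which the rest of the file does not. The two parameter summaries also differ for the same role (`Domain allowed access.` vs `The type of the process performing this action.`); the file's prevailing form is the former.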
index 3b83771926986cd9b7ead423c727ea000a6427ce..4bf2db6310e18132c88e1e62ffee6b832866a155 100644 (file)
@@ -770,6 +770,25 @@ interface(`init_stream_connect_script',`
        allow $1 initrc_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+##     Allow the specified domain to read/write to
+##     init scripts with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_rw_script_stream_sockets',`
+       gen_require(`
+               type initrc_t;
+       ')
+
+       allow $1 initrc_t:unix_stream_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##     Dont audit the specified domain connecting to
index 55ef8f4434129ddf1f7c6948bdefebb8a8402d03..6b9c98210f042e3a3115a88ace3205a96fee2b0d 100644 (file)
@@ -40,6 +40,8 @@ ifdef(`distro_redhat',`
 /opt/(.*/)?lib64/.*\.so\.[^/]*         --      gen_context(system_u:object_r:shlib_t,s0)
 /opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)*        --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre.*/libjvm.so(\.[^/]*)*   --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?jre.*/libawt.so(\.[^/]*)*   --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_gentoo',`
 /opt/netscape/plugins/libflashplayer.so --     gen_context(system_u:object_r:textrel_shlib_t,s0)
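Review bot: The new netbeans pattern `/opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)*` leaves the dot before `so` unescaped, so it also matches names such as `foo-so` or `xso`; every neighbouring entry writes `\.so`. Change it to `/opt/netbeans(.*/)?jdk.*/linux/.*\.so(\.[^/]*)*`. A related regex-versus-glob mistake appears in the last hunk of this file with the Adobe `sidecars/*` entry.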
@@ -55,6 +57,7 @@ ifdef(`distro_gentoo',`
 # /usr
 #
 /usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)* --    gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?/RealPlayer/.*\.so(\.[^/]*)* --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(.*/)?java/.*\.so(\.[^/]*)*       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?java/.*\.jar                        --      gen_context(system_u:object_r:shlib_t,s0)
@@ -73,6 +76,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/win32/.*                      --      gen_context(system_u:object_r:shlib_t,s0)
 
+/usr/lib(64)?/xulrunner-[^/]*/libxul.so --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*     --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/ati-fglrx/.*\.so(\..*)?  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -81,9 +85,9 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/libjs\.so.*              --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --       gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --       gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --       gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?.*\.so(\.[^/]*)*         --      gen_context(system_u:object_r:shlib_t,s0)
 /usr/(local/)?lib(64)?/wine/.*\.so     --      gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -121,6 +125,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/helix/codecs/colorcvt\.so        --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/codecs/cvt1\.so    --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libSDL-.*\.so.*          --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/dri/.*\.so  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/modules/dri/.*\.so      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/dri/.*\.so               --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libOSMesa\.so.*         --      gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -172,9 +177,9 @@ ifdef(`distro_redhat',`
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib(64)?.*/libmpg123\.so          --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libpostproc\.so.*                --      gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavformat-.*\.so       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavcodec-.*\.so                --      gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavutil-.*\.so         --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* --   gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* --    gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libxvidcore\.so.*                --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xine/plugins/.*\.so      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libgsm\.so.*             --      gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -183,6 +188,7 @@ ifdef(`distro_redhat',`
 # Flash plugin, Macromedia
 HOME_DIR/.*/plugins/libflashplayer\.so.* --    gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/libflashplayer\.so.*  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?libflashplayer\.so.*  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib(64)?/libmlib_jai\.so          --      gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -197,8 +203,11 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* --        gen_context(system_u:object_r:textre
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*        --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 /usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
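Review bot: `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/*` is a regular expression, not a shell glob: `/*` means zero or more slashes, so the entry matches only the `sidecars` directory itself, and with the `--` flag (regular files only) it then matches nothing. To label the files inside, write `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, or drop `--` and use `(/.*)?` as the directory entries elsewhere in this file do.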
index 05f05b1b39db0c2f4e9c685e58d590e2a2e9b9c5..32bf65739834d8c63371cb39f15b72fe6b011822 100644 (file)
@@ -96,6 +96,98 @@ interface(`logging_run_auditctl',`
        allow auditctl_t $3:chr_file rw_term_perms;
 ')
 
+########################################
+## <summary>
+##     Execute auditd in the auditd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`logging_domtrans_auditd',`
+       gen_require(`
+               type auditd_t, auditd_exec_t;
+       ')
+
+       domain_auto_trans($1,auditd_exec_t,auditd_t)
+
+       allow auditd_t $1:fd use;
+       allow auditd_t $1:fifo_file rw_file_perms;
+       allow auditd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##     Execute auditd in the auditd domain, and
+##     allow the specified role the auditd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the auditd domain.
+##     </summary>
+## </param>
+## <param name="terminal">
+##     <summary>
+##     The type of the terminal allow the auditd domain to use.
+##     </summary>
+## </param>
+#
+interface(`logging_run_auditd',`
+       gen_require(`
+               type auditd_t;
+       ')
+
+       logging_domtrans_auditd($1)
+       role $2 types auditd_t;
+       allow auditd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##     Manage the auditd configuration files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`logging_manage_audit_config',`
+       gen_require(`
+               type auditd_etc_t;
+       ')
+
+       files_search_etc($1)
+       allow $1 auditd_etc_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##     Manage the audit log.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`logging_manage_audit_log',`
+       gen_require(`
+               type auditd_log_t;
+       ')
+
+       files_search_var($1)
+       allow $1 auditd_log_t:dir create_dir_perms;
+       allow $1 auditd_log_t:file create_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Execute syslogd in the syslog domain.
index 367a4bd7c67b8ba944506ce1f50a6ccea0548082..1d4060d43c7562ff3ebcacfa01d3bb2e596f77ce 100644 (file)
@@ -72,6 +72,10 @@ allow auditctl_t etc_t:file { getattr read };
 
 allow auditctl_t auditd_etc_t:file r_file_perms;
 
+# Needed for adding watches
+files_getattr_all_dirs(auditctl_t)
+files_read_etc_files(auditctl_t)
+
 kernel_read_kernel_sysctls(auditctl_t)
 kernel_read_proc_symlinks(auditctl_t)
 
index 779b2e682b8048d63ff1d85fd0c68a6679889a40..e430ceb1cb9a479ac207719c8e5c8108f1b448b8 100644 (file)
@@ -110,6 +110,13 @@ ifdef(`distro_redhat',`
        ')
 ')
 
+ifdef(`targeted_policy',`
+       tunable_policy(`allow_mount_anyfile',`
+               auth_read_all_dirs_except_shadow(mount_t)
+               auth_read_all_files_except_shadow(mount_t)
+       ')
+')
+
 optional_policy(`
        # for nfs
        corenet_non_ipsec_sendrecv(mount_t)
index 84fe30e5b9936073c1922d847c009ebac07b7d7e..cd2d18a836b499a1a93d872b4c20556baa4a7441 100644 (file)
@@ -551,6 +551,8 @@ libs_use_ld_so(semanage_t)
 libs_use_shared_libs(semanage_t)
 libs_use_lib_files(semanage_t)
 
+miscfiles_read_localization(semanage_t)
+
 seutil_search_default_contexts(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_selinux_config(semanage_t)
@@ -563,6 +565,12 @@ seutil_manage_module_store(semanage_t)
 seutil_get_semanage_trans_lock(semanage_t)
 seutil_get_semanage_read_lock(semanage_t)
 
+ifdef(`targeted_policy',`
+# Handle pp files created in homedir and /tmp
+       files_read_generic_tmp_files(semanage_t)
+       userdom_read_generic_user_home_content_files(semanage_t)
+')
+
 optional_policy(`
        nscd_socket_use(semanage_t)
 ')
diff --git a/refpolicy/policy/modules/system/setrans.fc b/refpolicy/policy/modules/system/setrans.fc
new file mode 100644 (file)
index 0000000..71c374f
--- /dev/null
@@ -0,0 +1,3 @@
+/sbin/mcstransd        --      gen_context(system_u:object_r:setrans_exec_t,s0)
+
+/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
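Review bot: The /var/run/setrans context hard-codes the range `s15:c0.c255`, so the label is only correct for builds whose MLS/MCS configuration defines exactly 16 sensitivities and 256 categories; any other setting leaves the directory mislabelled or unrelabelable. If the build exposes a system-high macro (later refpolicy provides `mls_systemhigh`), prefer `gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)`; otherwise a comment noting that this value must match the policy's sensitivity and category count makes the coupling visible. The choice of system-high for the socket directory is presumably because the daemon serves clients at every level, and that reason belongs next to the line.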
diff --git a/refpolicy/policy/modules/system/setrans.if b/refpolicy/policy/modules/system/setrans.if
new file mode 100644 (file)
index 0000000..9547503
--- /dev/null
@@ -0,0 +1,25 @@
+## <summary>SELinux MLS/MCS label translation service.</summary>
+
+#######################################
+## <summary>
+##     Allow a domain to translate contexts.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`setrans_translate_context',`
+       gen_require(`
+               type setrans_t, setrans_var_run_t;
+       ')
+
+       allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+       allow $1 setrans_t:unix_stream_socket connectto;
+       allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
+       allow $1 setrans_var_run_t:sock_file rw_file_perms;
+       allow $1 setrans_var_run_t:dir search_dir_perms;
+       files_list_pids($1)
+')
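Review bot: `setrans_translate_context` also grants the caller `self:unix_stream_socket create_stream_socket_perms` (the first allow), a side effect on the calling domain that the summary does not mention; a caller that only expected access to the translation socket comes away with general stream-socket creation rights. Either state it in the summary (`## Also grants the domain unix stream socket creation for the connection.`) or leave that to callers so the interface stays minimal. The `rw_socket_perms` on `setrans_var_run_t:unix_stream_socket` appears redundant with `connectto` on setrans_t plus `rw_file_perms` on the sock_file, since a socket object of the var_run type is not obviously ever created; if it resolves a real denial, a one-line comment naming it would help.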
diff --git a/refpolicy/policy/modules/system/setrans.te b/refpolicy/policy/modules/system/setrans.te
new file mode 100644 (file)
index 0000000..3a7700f
--- /dev/null
@@ -0,0 +1,68 @@
+
+policy_module(setrans,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type setrans_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+       type setrans_exec_t;
+')
+init_daemon_domain(setrans_t, setrans_exec_t)
+
+type setrans_var_run_t;
+files_pid_file(setrans_var_run_t)
+mls_trusted_object(setrans_var_run_t)
+
+########################################
+#
+# setrans local policy
+#
+
+allow setrans_t self:process { setcap signal_perms };
+allow setrans_t self:unix_stream_socket create_stream_socket_perms;
+allow setrans_t self:unix_dgram_socket create_socket_perms;
+allow setrans_t self:netlink_selinux_socket create_socket_perms;
+
+can_exec(setrans_t, setrans_exec_t)
+corecmd_search_sbin(setrans_t)
+
+# create unix domain socket in /var
+allow setrans_t setrans_var_run_t:sock_file manage_file_perms;
+allow setrans_t setrans_var_run_t:file manage_file_perms;
+allow setrans_t setrans_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(setrans_t,setrans_var_run_t,file)
+
+kernel_read_kernel_sysctls(setrans_t)
+kernel_read_proc_symlinks(setrans_t)
+
+# allow performing getpidcon() on all processes
+domain_read_all_domains_state(setrans_t)
+domain_getattr_all_domains(setrans_t)
+domain_getsession_all_domains(setrans_t)
+
+files_read_etc_runtime_files(setrans_t)
+
+mls_file_read_up(setrans_t)
+mls_file_write_down(setrans_t)
+mls_net_receive_all_levels(setrans_t)
+mls_rangetrans_target(setrans_t)
+
+selinux_compute_access_vector(setrans_t)
+
+term_dontaudit_use_generic_ptys(setrans_t)
+
+init_use_fds(setrans_t)
+
+libs_use_ld_so(setrans_t)
+libs_use_shared_libs(setrans_t)
+
+logging_send_syslog_msg(setrans_t)
+
+miscfiles_read_localization(setrans_t)
+
+seutil_read_config(setrans_t)
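Review bot: The four `mls_*` calls (`mls_file_read_up`, `mls_file_write_down`, `mls_net_receive_all_levels`, `mls_rangetrans_target`) make setrans_t a trusted MLS component, yet they carry no comment while far less consequential lines do; a reader auditing the MLS trusted base should see why each is needed, e.g. `# serves label translation for clients at every level: must cross levels on files and sockets and be a range_transition target`. `files_pid_filetrans(setrans_t,setrans_var_run_t,file)` only covers the `file` class, so the socket named in the comment `# create unix domain socket in /var` is labelled setrans_var_run_t only when it is created inside the pre-labelled /var/run/setrans directory, and the dir rule grants `rw_dir_perms` without create; I cannot see from here how the daemon creates that directory, so either a comment stating that the fc labelling is expected to provide it, or a `dir` entry in the filetrans plus create permission if the daemon makes it, closes that gap. The file also opens with a stray empty line before `policy_module`.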
index 757d842d432cd83ff297ea5aa72da8b55596b479..4260837789ff690d83c986b27fdf42f30cb04748 100644 (file)
@@ -291,6 +291,8 @@ kernel_rw_net_sysctls(ifconfig_t)
 corenet_rw_tun_tap_dev(ifconfig_t)
 
 dev_read_sysfs(ifconfig_t)
+# for IPSEC setup:
+dev_read_urand(ifconfig_t)
 
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
index ded1e2db2bce71c023bc5d73ece2c6d22d270be0..97e99db1035b6b73e2c701d8505ab08c9f79b2af 100644 (file)
@@ -431,3 +431,23 @@ interface(`unconfined_alias_domain',`
                errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
        ')
 ')
+
+########################################
+## <summary>
+##     Connect to the the unconfined DBUS
+##     for service (acquire_svc).
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_dbus_connect',`
+       gen_require(`
+               type unconfined_t;
+               class dbus acquire_svc;
+       ')
+
+       allow $1 unconfined_t:dbus acquire_svc;
+')
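Review bot: The summary of `unconfined_dbus_connect` has a doubled word, `Connect to the the unconfined DBUS`, which should read `Connect to the unconfined DBUS`. Unlike `unconfined_alias_domain` directly above, which prints a warning in strict policy, this interface requires `unconfined_t` unconditionally; if unconfined_t is not declared in strict builds the require fails there, so either the type is declared in both configurations (then this is fine) or the interface needs the same strict-policy guard. The closing of `unconfined_alias_domain` at the top of the hunk is context from a definition that starts outside it.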
index f522e146d0d63ed3a53694976755d1d6dbb996c8..ca1438f25b5690eedeb0dd8e0ecca6502ab8c7c5 100644 (file)
@@ -98,6 +98,10 @@ ifdef(`targeted_policy',`
                firstboot_domtrans(unconfined_t)
        ')
 
+       optional_policy(`
+               inn_domtrans(unconfined_t)
+       ')
+
        optional_policy(`
                java_domtrans(unconfined_t)
        ')
@@ -114,6 +118,10 @@ ifdef(`targeted_policy',`
                mono_domtrans(unconfined_t)
        ')
 
+       optional_policy(`
+               prelink_domtrans(unconfined_t)
+       ')
+
        optional_policy(`
                portmap_domtrans_helper(unconfined_t)
        ')
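Review bot: The new `prelink_domtrans` block is inserted before `portmap_domtrans_helper`, which breaks the alphabetical order the surrounding optional_policy blocks follow (mono, portmap, ...); the `inn_domtrans` block in the first hunk is placed correctly between firstboot and java. Move the prelink block after the portmap block, provided nothing alphabetically between them follows. Both hunks are inside a targeted_policy ifdef body that begins outside the hunks.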
index 09247954d8fa58679f9f65b342cad2a47c67c7c5..41b44eb1ff39b03f06c06151321004229c020bd5 100644 (file)
@@ -4262,6 +4262,27 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
        allow $1 user_home_t:dir create_dir_perms;
 ')
 
+########################################
+## <summary>
+##     Read files in generic user home directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_read_generic_user_home_content_files',`
+       gen_require(`
+               type user_home_t, user_home_dir_t;
+       ')
+
+       files_search_home($1)
+       allow $1 user_home_dir_t:dir search_dir_perms;
+       allow $1 user_home_t:dir r_dir_perms;
+       allow $1 user_home_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Create, read, write, and delete files
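Review bot: `userdom_read_generic_user_home_content_files` grants read on `user_home_t` dirs and files but nothing on `user_home_t:lnk_file`, so a caller that follows a symlink inside a home directory is still denied even though it can list and read everything else there. If symlink traversal is intended, add `allow $1 user_home_t:lnk_file r_file_perms;`; if links are deliberately excluded, a comment saying so prevents a later "fix" that widens the interface without review. The preceding interface `userdom_manage_generic_user_home_content_dirs` closes at the top of the hunk and starts outside it.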
index 182982131c926bc5cf6e49a646adb520edf20fb3..5cda678bec2bd083b55b9503d2f97e941b5f71b1 100644 (file)
@@ -106,7 +106,6 @@ ifdef(`targeted_policy',`
        ifdef(`enable_mls',`
                allow secadm_r system_r;
                allow secadm_r user_r;
-               allow user_r secadm_r;
                allow staff_r secadm_r;
        ')
 
@@ -130,6 +129,7 @@ ifdef(`targeted_policy',`
                admin_user_template(secadm)
                role_change(staff,secadm)
                role_change(sysadm,secadm)
+               role_change(secadm,sysadm)
        ')
 
        # this should be tunable_policy, but
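Review bot: `role_change(secadm,sysadm)` lets the security administrator role switch into the system administrator role, which weakens the secadm/sysadm separation that the enable_mls configuration exists to enforce, and the line carries no justification; the removal of `allow user_r secadm_r` in the first hunk tightens the other direction, so the asymmetry looks deliberate but should be stated. Add a comment above the line giving the reason, e.g. `# secadm -> sysadm: <reason>` with the real reason filled in, or drop the line if only sysadm -> secadm was intended. Both hunks sit inside a targeted_policy / enable_mls ifdef body that starts outside the hunk.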
@@ -239,6 +239,10 @@ ifdef(`targeted_policy',`
                certwatach_run(sysadm_t,sysadm_r,admin_terminal)
        ')
 
+       optional_policy(`
+               cvs_exec(sysadm_t)
+       ')
+
        optional_policy(`
                consoletype_exec(sysadm_t)
 
@@ -384,6 +388,10 @@ ifdef(`targeted_policy',`
                rpm_run(sysadm_t,sysadm_r,admin_terminal)
        ')
 
+       optional_policy(`
+               rsync_exec(sysadm_t)
+       ')
+
        optional_policy(`
                samba_run_net(sysadm_t,sysadm_r,admin_terminal)
                samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)