* Latest diffs
@ 2006-06-20 20:19 Daniel J Walsh
  2006-06-21 18:31 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-06-20 20:19 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1211 bytes --]

bootloader has gotten more powerfull, needs more privs

Added allow_httpd_mod_auth_pam
 boolean but can't use it because of limitation of policy compiler

logwatch needs dac override privs

netutils binds to arbitrary udp ports.

prelink is changing the location of its log file.

Add ibmasmfs_t

Dontaudit restorecon walking some kernel types

I have made several changes to allow me to build a webadm_r.
Label all httpd_$1_script_exec_t as httpd_script_exec_type

Then add that type to httpd_manage_all_content.

Add httpd_manage_config and httpd_manage_log

Add domain for rotatelogs (httpd_rotatelogs_t)

automount moved to 5.0 and needs a lot of privs that mount.te has.

New minor changes to cups

cups needs to read tmp files of hal

ntp needs to read network state for IPV6.

cron runs postfix

clamav reads postfix lib

More commands want to look at ldap

spelling mistake on fglrx_drv

Split base_user_template into two

base_user_template (This can be used by extended roles, some privs were 
moved here from unpriv_userdomain also).

base_login_user_template

Also added some gen_require to get template working

Added role_change_template so we can change from one role to another.

xen needs more privs



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 47607 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.48/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables	2006-06-08 08:45:56.000000000 -0400
+++ serefpolicy-2.2.48/policy/global_tunables	2006-06-20 10:16:12.000000000 -0400
@@ -89,6 +89,13 @@
 
 ## <desc>
 ## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
+## <desc>
+## <p>
 ## Allow java executable stack
 ## </p>
 ## </desc>
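Review bot: The description for the new `allow_httpd_mod_auth_pam` tunable says nothing about what it grants, and its only consumer in this same series (apache.te) is wrapped in `ifdef(`TODO')`, so administrators get a boolean they can toggle that has no effect. State the privilege and the current status in the description, e.g. `## Allow Apache to use mod_auth_pam (lets httpd_t transition to the password-check helper). Currently has no effect until the apache module can express this rule.`. Alternatively hold the tunable back until the consuming rule compiles, so the user-visible switch is never a no-op.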
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.2.48/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te	2006-05-02 18:59:59.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/admin/bootloader.te	2006-06-20 10:16:12.000000000 -0400
@@ -49,7 +49,7 @@
 #
 
 allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
-allow bootloader_t self:process { sigkill sigstop signull signal };
+allow bootloader_t self:process { sigkill sigstop signull signal execmem };
 allow bootloader_t self:fifo_file rw_file_perms;
 
 allow bootloader_t bootloader_etc_t:file r_file_perms;
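Review bot: `execmem` is added to bootloader_t's self:process permissions with no comment, and the cover note only says the bootloader "needs more privs". execmem lets the domain map memory that is both writable and executable, which the rest of the policy treats as a notable exception, so the program in the bootloader path that needs it should be recorded on the line: `# execmem: needed by <tool> (AVC from <bug/report>)`. If the denial came from a single helper rather than grub/lilo itself, a separate domain or a dontaudit may be the narrower fix.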
@@ -111,6 +111,7 @@
 # for blkid.tab
 files_manage_etc_runtime_files(bootloader_t)
 files_etc_filetrans_etc_runtime(bootloader_t,file)
+files_dontaudit_search_home(bootloader_t)
 
 init_getattr_initctl(bootloader_t)
 init_use_script_ptys(bootloader_t)
@@ -127,6 +128,8 @@
 
 miscfiles_read_localization(bootloader_t)
 
+modutils_domtrans_insmod_uncond(bootloader_t)
+
 seutil_read_bin_policy(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
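Review bot: `modutils_domtrans_insmod_uncond` is, judging by the name, the unconditional variant that skips whatever transition-disable boolean the plain `modutils_domtrans_insmod` honours (networkmanager.te in this same patch uses the plain form). A one-line comment on why the bootloader needs the unconditional transition, e.g. `# kernel install runs depmod/insmod even in targeted policy`, would save the next reader the guess and make it easier to revisit if the boolean semantics change.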
@@ -207,3 +210,7 @@
 	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
 	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
 ')
+
+optional_policy(`
+	kudzu_domtrans(bootloader_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.48/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/admin/consoletype.te	2006-06-20 10:16:12.000000000 -0400
@@ -8,7 +8,12 @@
 
 type consoletype_t;
 type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+domain_type(consoletype_t)
+domain_entry_file(consoletype_t,consoletype_exec_t)
+role system_r types consoletype_t;
+
 mls_file_read_up(consoletype_t)
 mls_file_write_down(consoletype_t)
 role system_r types consoletype_t;
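Review bot: The added `role system_r types consoletype_t;` duplicates the existing one three lines below, so the hunk now declares the role association twice; drop the added copy. The commented-out `#init_domain(...)` line should be removed rather than left as dead code, while the `#dont transition from initrc` comment is the useful part and should say what consoletype runs as instead (presumably it stays in the caller's domain — confirm). Note that, if init_domain also supplied the transition from init_t as it usually does, that transition is gone with this change too, which should be intentional.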
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.48/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te	2006-04-04 18:06:37.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/admin/logwatch.te	2006-06-20 10:16:12.000000000 -0400
@@ -22,8 +22,7 @@
 #
 # Local policy
 #
-
-allow logwatch_t self:capability setgid;
+allow logwatch_t self:capability { dac_override dac_read_search setgid };
 allow logwatch_t self:fifo_file rw_file_perms;
 allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
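Review bot: The added `dac_override` is the broad capability — it bypasses all DAC read, write and execute checks — while the cover note only says logwatch needs to read logs. If the denial was for reading root-owned log files, the `dac_read_search` added alongside it already covers that and `dac_override` can be dropped. Keep it only if logwatch actually writes or executes files it does not own, and record that on the line: `# dac_override: <reason>`.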
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.48/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te	2006-06-06 22:21:51.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/admin/netutils.te	2006-06-20 10:16:12.000000000 -0400
@@ -54,6 +54,7 @@
 corenet_udp_sendrecv_all_ports(netutils_t)
 corenet_tcp_connect_all_ports(netutils_t)
 corenet_sendrecv_all_client_packets(netutils_t)
+corenet_udp_bind_generic_node(netutils_t)
 
 fs_getattr_xattr_fs(netutils_t)
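Review bot: `corenet_udp_bind_generic_node(netutils_t)` grants only the node_bind half of a UDP bind, but the cover note says netutils "binds to arbitrary udp ports", which additionally needs name_bind on the port types (a `corenet_udp_bind_all_ports`-style interface) unless netutils_t already has that outside this hunk. Worth confirming against the original AVC rather than waiting for the second denial. A comment naming the tool that does the bind (traceroute?) would also help.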
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-2.2.48/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc	2006-06-13 07:03:39.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/admin/prelink.fc	2006-06-20 10:16:12.000000000 -0400
@@ -3,6 +3,5 @@
 
 /usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
 
-/var/lib/misc/prelink\..*	--	gen_context(system_u:object_r:prelink_cache_t,s0)
-
 /var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)?			gen_context(system_u:object_r:prelink_log_t,s0)
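Review bot: The hunk also deletes the `/var/lib/misc/prelink\..*` entry, which the cover note does not mention — after this the prelink cache inherits its parent directory's label and any prelink_cache_t rules in prelink.te become dead. If that is intended because the cache moved, the new path should be added here; if not, the line should be restored. The new `/var/log/prelink(/.*)?` entry has no file-type column, so it labels the directory and everything beneath it; that is fine if /var/log/prelink is now a directory, and keeping the old `/var/log/prelink\.log` line covers older layouts.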
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.48/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-06-08 23:00:29.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/kernel/files.if	2006-06-20 10:16:12.000000000 -0400
@@ -1931,6 +1931,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
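Review bot: `files_unlink_boot_flag` is the only interface in this hunk (and, as far as visible, in this file) documented with a plain `#` comment instead of the `## <summary>`/`## <param>` header that `files_mounton_all_files` below uses, so it will be missing from generated interface documentation. The rule also grants unlink on every root_t file, not just the boot flags the comment names, and the summary should say so: `## Delete files directly under / such as the /halt and /.autofsck boot flags. Note this covers any file labeled root_t.`. Rewriting the header in the XML format with a `<param name="domain">` block keeps the file consistent.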
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
@@ -4379,3 +4394,23 @@
 
 	typeattribute $1 files_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Mount a filesystem on all files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_all_files',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	allow $1 { file_type -security_file_type }:dir mounton;
+	allow $1 { file_type -security_file_type }:file mounton;
+')
+
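Review bot: The summary "Mount a filesystem on all files" under-describes `files_mounton_all_files`: it should mention the security_file_type carve-out and the consequence of the grant, since mounting over an existing path hides whatever was there. Something like `## Mount a filesystem on any file or directory except SELinux policy and configuration files (security_file_type). Mounting over a path hides its contents, so callers should only get this behind a tunable such as allow_mount_anyfile.` would do. The blank line after the closing `')` is stray.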
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.48/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-06-20 09:54:01.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/kernel/filesystem.te	2006-06-20 10:16:12.000000000 -0400
@@ -48,6 +48,11 @@
 files_mountpoint(binfmt_misc_fs_t)
 genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
 
+type ibmasmfs_t;
+fs_type(ibmasmfs_t)
+allow ibmasmfs_t self:filesystem associate;
+genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
+
 type capifs_t;
 fs_type(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.48/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-05-26 14:02:27.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/kernel/kernel.if	2006-06-20 10:16:12.000000000 -0400
@@ -2096,3 +2096,41 @@
 
 	typeattribute $1 kern_unconfined;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to list sysctl_type directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+	')
+
+	dontaudit $1 sysctl_type:dir list_dir_perms;
+')
+
+
+########################################
+## <summary>
+##	Do not audit attempts to list proc_type file/directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_all_proc',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	dontaudit $1 proc_type:dir list_dir_perms;
+	dontaudit $1 proc_type:file getattr;
+')
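Review bot: Both new interfaces document their parameter as "Domain allowed access", but they only add dontaudit rules — nothing is allowed; use `Domain to not audit.` so readers do not mistake them for grants. The summary of `kernel_dontaudit_list_all_proc` should also mention the second rule it carries: `## Do not audit attempts to list proc_type directories or getattr proc_type files.`. A domain that legitimately needs these accesses should use the allow variants instead, which the summaries could point out.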
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.48/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2006-05-02 18:59:59.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/apache.fc	2006-06-20 10:16:12.000000000 -0400
@@ -78,3 +78,4 @@
 /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/share/selinux-policy([^/]*)?/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.48/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if	2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/apache.if	2006-06-20 16:00:09.000000000 -0400
@@ -15,6 +15,7 @@
 	gen_require(`
 		attribute httpdcontent;
 		attribute httpd_exec_scripts;
+		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
 	')
 	# allow write access to public file transfer
@@ -35,7 +36,7 @@
 	role system_r types httpd_$1_script_t;
 
 	# This type is used for executable scripts files
-	type httpd_$1_script_exec_t; # customizable;
+	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
 	corecmd_shell_entry_type(httpd_$1_script_t)
 	domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
 
@@ -464,12 +465,17 @@
 #
 interface(`apache_manage_all_content',`
 	gen_require(`
-		attribute httpdcontent;
+		attribute httpdcontent, httpd_script_exec_type;
 	')
 
 	allow $1 httpdcontent:dir manage_dir_perms;
 	allow $1 httpdcontent:file manage_file_perms;
 	allow $1 httpdcontent:lnk_file create_lnk_perms;
+
+	allow $1 httpd_script_exec_type:dir manage_dir_perms;
+	allow $1 httpd_script_exec_type:file manage_file_perms;
+	allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
+
 ')
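Review bot: Extending `apache_manage_all_content` to `httpd_script_exec_type` changes its meaning: every existing caller can now create and modify the executables that run in the httpd_*_script_t domains, which is a code-execution grant rather than content management, and they inherit it silently. A separate interface (e.g. `apache_manage_all_scripts`) called alongside this one from webadm would keep the two privileges distinct; at minimum the interface summary (above this hunk) must state that script executables are included. The blank line before the closing `')` is stray.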
 
 ########################################
@@ -515,6 +521,28 @@
 
 ########################################
 ## <summary>
+##	Allow the specified domain to manage
+##	apache configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_config',`
+	gen_require(`
+		type httpd_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 httpd_config_t:dir create_dir_perms;
+	allow $1 httpd_config_t:file create_file_perms;
+	allow $1 httpd_config_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Execute the Apache helper program with
 ##	a domain transition.
 ## </summary>
@@ -594,6 +622,28 @@
 
 ########################################
 ## <summary>
+##	Allow the specified domain to manage
+##	to apache log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 httpd_log_t:dir create_dir_perms;
+	allow $1 httpd_log_t:file create_file_perms;
+	allow $1 httpd_log_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to append
 ##	to apache log files.
 ## </summary>
@@ -955,3 +1005,28 @@
 	allow $2 httpd_$1_content_t:file r_file_perms;
 	allow $2 httpd_$1_content_t:lnk_file { getattr read };
 ')
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run httpd_rotatelogs.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`apache_domtrans_rotatelogs',`
+	gen_require(`
+		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+	')
+
+	domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
+
+	allow $1 httpd_rotatelogs_t:fd use;
+	allow httpd_rotatelogs_t $1:fd use;
+	allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
+	allow httpd_rotatelogs_t $1:process sigchld;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.48/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2006-06-20 09:54:04.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/apache.te	2006-06-20 10:16:12.000000000 -0400
@@ -109,13 +109,10 @@
 type squirrelmail_spool_t;
 files_tmp_file(squirrelmail_spool_t)
 
-# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
-# This is a bug but it still exists in FC2
-# cjp: probably can remove this
-ifdef(`distro_redhat',`
-	typealias httpd_log_t alias httpd_runtime_t;
-	dontaudit httpd_t httpd_runtime_t:file ioctl;
-')
+type httpd_rotatelogs_t;
+type httpd_rotatelogs_exec_t;
+domain_type(httpd_rotatelogs_t)
+init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
 
 ifdef(`targeted_policy',`
 	typealias httpd_sys_content_t alias httpd_user_content_t;
@@ -293,6 +290,15 @@
 	miscfiles_manage_public_files(httpd_t)
 ') 
 
+ifdef(`TODO', `
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`allow_httpd_mod_auth_pam',`
+	auth_domtrans_chk_passwd(httpd_t)
+')
+')
+
 tunable_policy(`httpd_can_network_connect',`
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
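Review bot: The `tunable_policy` for `allow_httpd_mod_auth_pam` is inside `ifdef(`TODO')`, so it is never compiled, while the boolean itself is exported from global_tunables in this same series — administrators will flip a switch that does nothing. Either drop the tunable until the compiler supports an optional block inside a tunable, or keep it and make the status explicit on the TODO: `# TODO: needs optional_policy inside tunable_policy; boolean is currently a no-op`. When the rule does land it lets httpd_t run the password-check helper, so it should remain default-off.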
@@ -600,6 +606,10 @@
 	allow httpd_sys_script_t httpd_suexec_t:process sigchld;
 ')
 
+tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+	domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_suexec_t)
 	fs_read_nfs_symlinks(httpd_suexec_t)
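Review bot: The new `domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)` makes every httpdcontent file an entry point into httpd_sys_script_t when the three booleans are set, which is the point of httpd_unified but is easy to miss behind the compound condition. A short comment above the block would help: `# unified content: suexec may run any httpdcontent file as a system script`. Also worth checking that the condition matches the one used for the httpd_t transition elsewhere in this file, since the two are presumably meant to move together.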
@@ -688,3 +698,29 @@
 optional_policy(`
 	nscd_socket_use(httpd_unconfined_script_t)
 ')
+
+########################################
+#
+# httpd_rotatelogs local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(httpd_rotatelogs_t)
+libs_use_ld_so(httpd_rotatelogs_t)
+libs_use_shared_libs(httpd_rotatelogs_t)
+miscfiles_read_localization(httpd_rotatelogs_t)
+kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
+term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
+
+allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
+allow httpd_rotatelogs_t httpd_log_t:file create_file_perms;
+
+#
+# Should we add a boolean?
+#
+apache_domtrans_rotatelogs(httpd_sys_script_t)
+
+
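Review bot: The rotatelogs local policy still carries the policygentool boilerplate ("Check in /etc/selinux/refpolicy/include for macros...", "Some common macros (you might be able to remove some)"); replace those lines with a comment saying what rotatelogs is and who starts it. `apache_domtrans_rotatelogs(httpd_sys_script_t)` is also called from inside apache.te itself, which refpolicy avoids (write the rules directly in the module), and it gives the transition to CGI scripts rather than to httpd_t — rotatelogs is normally spawned by httpd through a piped log directive, so httpd_t looks like the caller that is missing, while letting scripts start a process that can create and write httpd_log_t files is the questionable direction (the "Should we add a boolean?" comment). I would grant the transition to httpd_t and drop it for the script domains unless there is a concrete need, in which case a boolean defaulting to off is the right shape.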
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.48/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-06-13 07:03:42.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/automount.te	2006-06-20 10:16:12.000000000 -0400
@@ -28,7 +28,7 @@
 # Local policy
 #
 
-allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
+allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
 dontaudit automount_t self:capability sys_tty_config;
 allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
 allow automount_t self:fifo_file rw_file_perms;
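Review bot: `sys_admin` is the catch-all capability, and the only hint of why it is needed is the next hunk, which shows automount now performs mounts itself. Record that on the line so it can be revisited: `# sys_admin: mount(2)/umount(2) are now done in-daemon (automount 5.0)`.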
@@ -64,9 +64,20 @@
 kernel_read_system_state(automount_t)
 kernel_read_network_state(automount_t)
 kernel_list_proc(automount_t)
+kernel_dontaudit_search_xen_state(automount_t)
 
 files_search_boot(automount_t)
 
+#
+# Automount is slowly adding all mount functionality internally
+#
+files_search_all(automount_t)
+files_mounton_all_mountpoints(automount_t)
+files_mount_all_file_type_fs(automount_t)
+files_unmount_all_file_type_fs(automount_t)
+fs_mount_all_fs(automount_t)
+fs_unmount_all_fs(automount_t)
+
 corecmd_exec_sbin(automount_t)
 corecmd_exec_bin(automount_t)
 corecmd_exec_shell(automount_t)
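Review bot: This hunk gives automount_t the full mount_t power set (`files_mounton_all_mountpoints`, `files_mount_all_file_type_fs`/`files_unmount_all_file_type_fs`, `fs_mount_all_fs`/`fs_unmount_all_fs`) plus `files_search_all`, a large widening for a daemon whose mounts are driven by external map data. If automount's mounts are always under its configured mount points, a mounton rule scoped to its mountpoint type would be preferable; otherwise the block comment should say why the broad set is required rather than only that automount is "slowly adding all mount functionality". `kernel_dontaudit_search_xen_state(automount_t)` is unrelated to mounting and belongs with the other kernel_ rules with its own reason.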
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.48/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/clamav.if	2006-06-20 10:16:12.000000000 -0400
@@ -84,3 +84,23 @@
 	allow clamscan_t $1:process sigchld;
 ')
 
+
+########################################
+## <summary>
+##	Search clamav Libraries dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_search_lib',`
+	gen_require(`
+		type clamd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 clamd_var_lib_t:dir search_dir_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.2.48/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc	2006-04-19 11:26:51.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/cups.fc	2006-06-20 10:16:12.000000000 -0400
@@ -24,6 +24,7 @@
 
 /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
 /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.2.48/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if	2006-03-23 14:33:30.000000000 -0500
+++ serefpolicy-2.2.48/policy/modules/services/cups.if	2006-06-20 10:16:12.000000000 -0400
@@ -40,7 +40,7 @@
 
 	files_search_pids($1)
 	allow $1 cupsd_var_run_t:dir search;
-	allow $1 cupsd_var_run_t:sock_file write;
+	allow $1 cupsd_var_run_t:sock_file { getattr write };
 	allow $1 cupsd_t:unix_stream_socket connectto;
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.48/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-06-20 09:54:04.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/cups.te	2006-06-20 10:37:06.000000000 -0400
@@ -313,6 +313,7 @@
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
+allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
 allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
@@ -342,6 +343,7 @@
 allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
 files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
 
+cups_stream_connect(cupsd_config_t)
 allow cupsd_config_t cupsd_var_run_t:file { getattr read };
 
 kernel_read_system_state(cupsd_config_t)
@@ -357,6 +359,7 @@
 
 dev_read_sysfs(cupsd_config_t)
 dev_read_urand(cupsd_config_t)
+dev_read_rand(cupsd_config_t)
 
 fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
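Review bot: `dev_read_rand(cupsd_config_t)` is added next to the existing `dev_read_urand`; reading /dev/random can block when the entropy pool is low, and a program that already has urandom access usually only probes /dev/random (open/getattr) through its crypto library. Confirm from the AVC whether a read was actually denied — if it was only getattr or open, a dontaudit is the better choice. The same question applies to the `dev_read_rand(hplip_t)` change later in this file.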
@@ -395,6 +398,9 @@
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
 
+allow cupsd_config_t cupsd_tmp_t:file create_file_perms;
+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
+
 lpd_read_config(cupsd_config_t)
 
 ifdef(`distro_redhat',`
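Review bot: `files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })` makes directories created in /tmp become cupsd_tmp_t, but the hunk only grants `cupsd_tmp_t:file create_file_perms`; unless cupsd_config_t already has dir rules on cupsd_tmp_t elsewhere, directory creation will still be denied right after the transition. Either add `allow cupsd_config_t cupsd_tmp_t:dir create_dir_perms;` or drop `dir` from the transition if only files are created. Check too that the domain has search on the tmp directory itself (a `files_search_tmp`-style rule), which is not visible in this hunk.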
@@ -430,6 +436,7 @@
 
 optional_policy(`
 	hal_domtrans(cupsd_config_t)
+	hal_read_tmp_files(cupsd_config_t)
 ')
 
 optional_policy(`
@@ -593,6 +600,7 @@
 dev_read_sysfs(hplip_t)
 dev_rw_printer(hplip_t)
 dev_read_urand(hplip_t)
+dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
 
 fs_getattr_all_fs(hplip_t)
@@ -646,6 +654,8 @@
 	udev_read_db(hplip_t)
 ')
 
+term_use_generic_ptys(hplip_t)
+
 ########################################
 #
 # PTAL local policy
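Review bot: `term_use_generic_ptys(hplip_t)` grants a daemon read/write on generic pty devices, which is usually a symptom of inheriting a terminal fd from whoever started it rather than a real need; the openvpn hunk in this same patch handles the identical situation with `term_dontaudit_use_generic_ptys`. Unless hplip genuinely talks to a pty, use the dontaudit variant here, and place the rule with the other `term_`/`dev_` rules for hplip_t instead of after the optional_policy blocks.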
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.2.48/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if	2006-03-23 14:33:30.000000000 -0500
+++ serefpolicy-2.2.48/policy/modules/services/hal.if	2006-06-20 10:16:13.000000000 -0400
@@ -140,3 +140,23 @@
 	files_search_pids($1)
 	allow $1 hald_var_run_t:file rw_file_perms;
 ')
+
+
+########################################
+## <summary>
+##	Read hald tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_read_tmp_files',`
+	gen_require(`
+		type hald_tmp_t;
+	')
+
+	allow $1 hald_tmp_t:file r_file_perms;
+')
+
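Review bot: `hal_read_tmp_files` grants read on hald_tmp_t files but not search on the directory that holds them; the interface just above it pairs its object access with `files_search_pids($1)`, and this one should do the same with `files_search_tmp($1)` before the allow. Without it the caller added in this series (cupsd_config_t) will need a separate rule just to reach the file.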
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.2.48/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2006-06-06 22:21:54.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/mta.te	2006-06-20 10:16:13.000000000 -0400
@@ -195,8 +195,3 @@
 	')
 ')
 
-ifdef(`TODO',`
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file create_file_perms;
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.48/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-06-13 07:03:44.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/networkmanager.te	2006-06-20 10:16:13.000000000 -0400
@@ -92,6 +92,7 @@
 logging_send_syslog_msg(NetworkManager_t)
 
 miscfiles_read_localization(NetworkManager_t)
+miscfiles_read_certs(NetworkManager_t)
 
 modutils_domtrans_insmod(NetworkManager_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.48/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te	2006-06-13 07:03:44.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/ntp.te	2006-06-20 10:16:13.000000000 -0400
@@ -62,6 +62,7 @@
 
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
+kernel_read_network_state(ntpd_t)
 
 corenet_non_ipsec_sendrecv(ntpd_t)
 corenet_tcp_sendrecv_all_if(ntpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-2.2.48/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te	2006-06-06 22:21:55.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/openvpn.te	2006-06-20 10:37:57.000000000 -0400
@@ -44,6 +44,7 @@
 allow openvpn_t openvpn_var_run_t:file create_file_perms;
 files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
 
+kernel_read_kernel_sysctls(openvpn_t)
 kernel_read_net_sysctls(openvpn_t)
 kernel_read_network_state(openvpn_t)
 kernel_read_system_state(openvpn_t)
@@ -81,6 +82,8 @@
 
 sysnet_exec_ifconfig(openvpn_t)
 
+term_dontaudit_use_generic_ptys(openvpn_t)
+
 optional_policy(`
 	daemontools_service_domain(openvpn_t,openvpn_exec_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.48/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if	2005-10-25 13:40:18.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/pegasus.if	2006-06-20 10:16:13.000000000 -0400
@@ -1 +1,32 @@
 ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run pegasus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pegasus_domtrans',`
+	gen_require(`
+		type pegasus_t, pegasus_exec_t;
+	')
+
+	ifdef(`targeted_policy',`
+		if(pegasus_disable_trans) {
+			can_exec($1,pegasus_exec_t)
+		} else {
+			domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+		}
+	', `
+		domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+	')
+
+	allow $1 pegasus_t:fd use;
+	allow pegasus_t $1:fd use;
+	allow pegasus_t $1:fifo_file rw_file_perms;
+	allow pegasus_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.48/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/pegasus.te	2006-06-20 10:16:13.000000000 -0400
@@ -100,13 +100,12 @@
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
 hostname_exec(pegasus_t)
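Review bot: `auth_read_shadow(pegasus_t)` together with `files_read_all_files(pegasus_t)` lets a network-facing CIM server read /etc/shadow directly and every ordinary file on the system, a large widening over the three targeted read rules it replaces. The domain already has `auth_domtrans_chk_passwd`, which is the intended way to verify passwords without touching shadow; if pegasus still opens /etc/shadow itself that is an application problem worth reporting rather than permitting. At minimum each new rule needs a comment citing the denial that motivated it, and `files_read_all_files` should be replaced with the specific types pegasus reads — or gated behind a tunable, the way mount.te uses `allow_mount_anyfile` in this same series.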
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.2.48/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if	2006-06-06 22:21:55.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/postfix.if	2006-06-20 10:16:13.000000000 -0400
@@ -459,3 +459,28 @@
 
 	typeattribute $1 postfix_user_domtrans;
 ')
+
+
+########################################
+## <summary>
+##	Execute the master postfix program in the
+##	postfix_master domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_smtp',`
+	gen_require(`
+		type postfix_smtp_t, postfix_smtp_exec_t;
+	')
+
+	domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
+
+	allow $1 postfix_smtp_t:fd use;
+	allow postfix_smtp_t $1:fd use;
+	allow postfix_smtp_t $1:fifo_file rw_file_perms;
+	allow postfix_smtp_t $1:process sigchld;
+')
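Review bot: The summary for `postfix_domtrans_smtp` says "Execute the master postfix program in the postfix_master domain", which is copied from another interface — the rules transition into postfix_smtp_t. Change it to `## Execute the postfix smtp client in the postfix_smtp domain.` and the parameter text to `Domain allowed to transition.`, matching `apache_domtrans_rotatelogs` and `pegasus_domtrans` in this series.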
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.48/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/postfix.te	2006-06-20 10:16:13.000000000 -0400
@@ -456,6 +456,7 @@
 ')
 
 optional_policy(`
+	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 	cron_use_fds(postfix_postdrop_t)
 	cron_rw_pipes(postfix_postdrop_t)
 	cron_use_system_job_fds(postfix_postdrop_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-2.2.48/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te	2006-06-06 22:21:55.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/ppp.te	2006-06-20 10:16:13.000000000 -0400
@@ -68,6 +68,7 @@
 allow pppd_t self:tcp_socket create_stream_socket_perms;
 allow pppd_t self:udp_socket { connect connected_socket_perms };
 allow pppd_t self:packet_socket create_socket_perms;
+allow pppd_t self:process signal;
 
 domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
 allow pppd_t pptp_t:fd use;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.48/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2006-06-13 07:03:44.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/procmail.te	2006-06-20 10:16:13.000000000 -0400
@@ -78,6 +78,7 @@
 
 optional_policy(`
 	clamav_domtrans_clamscan(procmail_t)
+	clamav_search_lib(procmail_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.2.48/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te	2006-06-06 22:21:56.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/services/tftp.te	2006-06-20 10:16:13.000000000 -0400
@@ -78,6 +78,7 @@
 miscfiles_read_localization(tftpd_t)
 
 sysnet_read_config(tftpd_t)
+sysnet_use_ldap(tftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
 userdom_dontaudit_use_sysadm_ttys(tftpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.2.48/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2006-06-13 07:03:45.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/authlogin.if	2006-06-20 10:16:13.000000000 -0400
@@ -1292,6 +1292,7 @@
 
 	sysnet_dns_name_resolve($1)
 	sysnet_use_ldap($1)
+	miscfiles_read_certs($1)
 
 	optional_policy(`
 		nis_use_ypbind($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.48/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2006-03-02 18:45:56.000000000 -0500
+++ serefpolicy-2.2.48/policy/modules/system/hostname.te	2006-06-20 10:16:13.000000000 -0400
@@ -8,7 +8,10 @@
 
 type hostname_t;
 type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+domain_type(hostname_t)
+domain_entry_file(hostname_t,hostname_exec_t)
 role system_r types hostname_t;
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.2.48/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if	2006-06-06 22:21:56.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/init.if	2006-06-20 10:16:13.000000000 -0400
@@ -158,13 +158,6 @@
 	allow $1 initrc_t:fifo_file rw_file_perms;
 	allow $1 initrc_t:process sigchld;
 
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
-	')
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.48/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-06-08 23:00:33.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/init.te	2006-06-20 10:16:13.000000000 -0400
@@ -345,6 +345,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.48/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/libraries.fc	2006-06-20 10:16:13.000000000 -0400
@@ -121,7 +121,7 @@
 
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/xorg/modules/drivers/fglx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_redhat',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.48/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-06-06 22:21:56.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/mount.te	2006-06-20 10:16:13.000000000 -0400
@@ -111,6 +111,7 @@
 	tunable_policy(`allow_mount_anyfile',`
 		auth_read_all_dirs_except_shadow(mount_t)
 		auth_read_all_files_except_shadow(mount_t)
+		files_mounton_all_files(mount_t)
 	')
 ')
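Review bot: `files_mounton_all_files(mount_t)` turns `allow_mount_anyfile` from a read-only boolean into one that lets mount_t use any file type on the system as a mount point, i.e. overlay arbitrary files, which is a materially larger grant than the two auth_read_* interfaces above it. The boolean's `<desc>` in global_tunables (outside this hunk) should say so, and a separate boolean would let an admin enable read-any-file without mount-on-any-file. The outer block that closes on the last line here opens outside the hunk.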
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.48/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-06-13 07:03:48.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/selinuxutil.te	2006-06-20 10:16:13.000000000 -0400
@@ -352,6 +352,8 @@
 kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
 kernel_relabelfrom_unlabeled_pipes(restorecon_t)
 kernel_relabelfrom_unlabeled_sockets(restorecon_t)
+kernel_dontaudit_list_all_proc(restorecon_t)
+kernel_dontaudit_list_sysctls(restorecon_t)
 
 dev_relabel_all_dev_nodes(restorecon_t)
 # cjp: why is this needed?
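Review bot: The two new dontaudit rules for restorecon_t carry no comment, unlike the annotated lines around them; since dontaudit permanently hides denials from the audit trail, a line such as `# restorecon -R / descends into /proc and /sys; silence the listing denials rather than grant the access` would tell the next reader the rules are deliberate and that no permission is being added. Without it the next person tracing a missing AVC for restorecon has to find these two lines first.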
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.48/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/unconfined.fc	2006-06-20 10:16:13.000000000 -0400
@@ -7,4 +7,6 @@
 ifdef(`targeted_policy',`
 /usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/local/RealPlay/realplay.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mplayer	 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 ')
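Review bot: The `.` in `/usr/local/RealPlay/realplay.bin` is unescaped, whereas the openoffice entry two lines up writes `\.bin`; file context paths are regular expressions, so the entry should read `/usr/local/RealPlay/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)`. The mplayer line also mixes a tab and a space before `--` while the neighbouring entries separate the fields with tabs only.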
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.48/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-06-20 09:54:08.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/userdomain.if	2006-06-20 15:18:00.000000000 -0400
@@ -8,11 +8,10 @@
 ## <desc>
 ##	<p>
 ##	This template creates a user domain, types, and
-##	rules for the user's tty, pty, home directories,
-##	tmp, and tmpfs files.
+##	rules for the user's tty, pty, tmp, and tmpfs files.
 ##	</p>
 ##	<p>
-##	This generally should not be used, rather the
+##	This should only be used for new non login user roles, rather the
 ##	unpriv_user_template or admin_user_template should
 ##	be used.
 ##	</p>
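Review bot: The rewritten sentence `This should only be used for new non login user roles, rather the unpriv_user_template or admin_user_template should be used.` contradicts itself, saying the template is the right choice for new roles and then that the other templates should be used instead. Since the unpriv and admin templates in this same patch call base_user_template and then base_login_user_template, I would phrase it as `This should only be used directly for new non-login user roles; login roles should use unpriv_user_template or admin_user_template, which build on it.`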
@@ -25,7 +24,9 @@
 ## </param>
 #
 template(`base_user_template',`
-
+	gen_require(`
+		attribute userdomain, unpriv_userdomain;
+	')
 	attribute $1_file_type;
 
 	type $1_t, userdomain;
@@ -42,44 +43,17 @@
 	term_user_pty($1_t,$1_devpts_t)
 	files_type($1_devpts_t)
 
-	# type for contents of home directory
-	type $1_home_t, $1_file_type, home_type;
-	files_type($1_home_t)
-	files_associate_tmp($1_home_t)
-	fs_associate_tmpfs($1_home_t)
-
-	# type of home directory
-	type $1_home_dir_t, home_dir_type, home_type;
-	files_type($1_home_dir_t)
-	files_associate_tmp($1_home_dir_t)
-	fs_associate_tmpfs($1_home_dir_t)
-
 	type $1_tmp_t, $1_file_type;
 	files_tmp_file($1_tmp_t)
 
 	type $1_tmpfs_t;
 	files_tmpfs_file($1_tmpfs_t)
 
-	# types for network-obtained content
-	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
-	files_type($1_untrusted_content_t)
-	files_poly_member($1_untrusted_content_t)
-
-	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
-	files_tmp_file($1_untrusted_content_tmp_t)
-
 	type $1_tty_device_t; 
 	term_tty($1_t,$1_tty_device_t)
 
 	##############################
 	#
-	# User home directory file rules
-	#
-
-	allow $1_file_type $1_home_t:filesystem associate;
-
-	##############################
-	#
 	# User domain Local policy
 	#
 
@@ -103,19 +77,6 @@
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
-	# execute files in the home directory
-	can_exec($1_t,$1_home_t)
-
-	# full control of the home directory
-	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
-	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
-	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-	files_search_home($1_t)
-
 	can_exec($1_t,$1_tmp_t)
 
 	# user temporary files
@@ -138,13 +99,13 @@
 	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-	# Allow user to relabel untrusted content
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+	allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+	term_create_pty($1_t,$1_devpts_t)
 
 	allow $1_t unpriv_userdomain:fd use;
 
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
 	kernel_read_kernel_sysctls($1_t)
 	kernel_read_net_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
@@ -165,8 +126,10 @@
 
 	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_raw_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
 	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_raw_sendrecv_all_nodes($1_t)
 	corenet_udp_sendrecv_all_nodes($1_t)
 	corenet_tcp_sendrecv_all_ports($1_t)
 	corenet_udp_sendrecv_all_ports($1_t)
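Review bot: The two `corenet_raw_sendrecv_*` calls land in base_user_template, so every user domain built on it, unprivileged roles included, gets raw-IP send/receive on all interfaces and nodes, and nothing in the hunk says which program needs it. Raw traffic additionally requires a rawip_socket create rule and CAP_NET_RAW, neither of which this hunk grants, so the practical effect may be smaller than it looks, but a comment such as `# raw IP send/recv on all ifs/nodes: needed by <PROGRAM-TO-CONFIRM>` would make the grant reviewable later.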
@@ -234,6 +197,10 @@
 	files_dontaudit_getattr_non_security_sockets($1_t)
 	files_dontaudit_getattr_non_security_blk_files($1_t)
 	files_dontaudit_getattr_non_security_chr_files($1_t)
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+	files_read_usr_files($1_t)
+	files_exec_usr_files($1_t)
 
 	# Caused by su - init scripts
 	init_dontaudit_use_script_ptys($1_t)
@@ -254,16 +221,86 @@
 	seutil_read_default_contexts($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 
-	tunable_policy(`allow_execmem',`
-		# Allow loading DSOs that require executable stack.
-		allow $1_t self:process execmem;
-	')
+')
+#######################################
+## <summary>
+##	The template containing rules common to unprivileged
+##	users and administrative users.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user home directories,
+##	</p>
+##	<p>
+##	This generally should not be used, rather the
+##	unpriv_user_template or admin_user_template should
+##	be used.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`base_login_user_template',`
 
-	tunable_policy(`allow_execmem && allow_execstack',`
-		# Allow making the stack executable via mprotect.
-		allow $1_t self:process execstack;
+	gen_require(`
+		attribute $1_file_type;
+		attribute home_dir_type, home_type;
+		attribute untrusted_content_type;
 	')
 
+	# type for contents of home directory
+	type $1_home_t, $1_file_type, home_type;
+	files_type($1_home_t)
+	files_associate_tmp($1_home_t)
+	fs_associate_tmpfs($1_home_t)
+
+	# type of home directory
+	type $1_home_dir_t, home_dir_type, home_type;
+	files_type($1_home_dir_t)
+	files_associate_tmp($1_home_dir_t)
+	fs_associate_tmpfs($1_home_dir_t)
+
+	# types for network-obtained content
+	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
+	files_type($1_untrusted_content_t)
+	files_poly_member($1_untrusted_content_t)
+
+	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
+	files_tmp_file($1_untrusted_content_tmp_t)
+
+	##############################
+	#
+	# User home directory file rules
+	#
+
+	allow $1_file_type $1_home_t:filesystem associate;
+
+	##############################
+	#
+	# User domain Local policy
+	#
+
+	# execute files in the home directory
+	can_exec($1_t,$1_home_t)
+
+	# full control of the home directory
+	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
+	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
+	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+	files_search_home($1_t)
+
+	# Allow user to relabel untrusted content
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
 	tunable_policy(`read_default_t',`
 		files_list_default($1_t)
 		files_read_default_files($1_t)
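Review bot: The `tunable_policy(`allow_execmem'...)` and `allow_execmem && allow_execstack` blocks are deleted from base_user_template in this hunk and nothing visible in the diff re-adds them to base_login_user_template or to the unpriv/admin templates, so user domains would silently lose the execmem/execstack toggles unless they now live somewhere outside this patch; worth confirming before merging. In the new template's gen_require, `untrusted_content_tmp_type` (used by the `$1_untrusted_content_tmp_t` declaration) is missing while `untrusted_content_type` is listed; make it `attribute untrusted_content_type, untrusted_content_tmp_type;`. The `<desc>` also reads `This template creates a user home directories,` and should instead state the contract, e.g. that it must be called after base_user_template for the same prefix because it relies on `$1_t` and `$1_file_type` declared there. The body of base_login_user_template continues past the end of the hunk.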
@@ -501,6 +538,7 @@
 
 	# Inherit rules for ordinary users.
 	base_user_template($1)
+	base_login_user_template($1)
 
 	typeattribute $1_t unpriv_userdomain;
 	domain_interactive_fd($1_t)
@@ -521,9 +559,6 @@
 	# Local policy
 	#
 
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
 	# Rules used to associate a homedir as a mountpoint
 	allow $1_home_t self:filesystem associate;
 	allow $1_file_type $1_home_t:filesystem associate;
@@ -535,10 +570,6 @@
 	allow privhome $1_home_t:sock_file create_file_perms;
 	allow privhome $1_home_t:fifo_file create_file_perms;
 	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
-
 	dev_read_sysfs($1_t)
 
 	corecmd_exec_all_executables($1_t)
@@ -546,11 +577,8 @@
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
 
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
+
 	files_list_home($1_t)
-	files_read_usr_files($1_t)
-	files_exec_usr_files($1_t)
 	# Read directories and files with the readable_t type.
 	# This type is a general type for "world"-readable files.
 	files_list_world_readable($1_t)
@@ -558,8 +586,6 @@
 	files_read_world_readable_symlinks($1_t)
 	files_read_world_readable_pipes($1_t)
 	files_read_world_readable_sockets($1_t)
-	# cjp: why?
-	files_read_kernel_symbol_table($1_t)
 
 	init_read_utmp($1_t)
 	# The library functions always try to open read-write first,
@@ -748,6 +774,7 @@
 
 	# Inherit rules for ordinary users.
 	base_user_template($1)
+	base_login_user_template($1)
 
 	typeattribute $1_t privhome;
 	domain_obj_id_change_exemption($1_t)
@@ -783,11 +810,6 @@
 
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
@@ -4128,7 +4150,7 @@
 	gen_require(`
 		type user_home_dir_t;
 	')
-
+	allow $1 user_home_dir_t:dir manage_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
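Review bot: `allow $1 user_home_dir_t:dir manage_dir_perms;` widens an interface whose name and documentation lie outside the hunk: judging by the `files_home_filetrans` call that follows, it was a filetrans-only interface and now grants management of the home root directory, so its `<summary>` needs to say so. The sibling interface in the next hunk uses `create_dir_perms` on the same object; the two should either use the same permission macro or carry a comment explaining why they differ. Dropping the blank line after the gen_require block also departs from the file's spacing convention.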
 
@@ -4767,3 +4789,37 @@
 	allow $1 user_home_dir_t:dir create_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
+
+########################################
+## <summary>
+##	The template containing rules for changing from one role to another
+## </summary>
+## <desc>
+##	<p>
+##	This should only be used for new non login user roles, rather the
+##	unpriv_user_template or admin_user_template should
+##	be used.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	userdomain changing from 
+##	</summary>
+## </param>
+## <summary>
+##	Unconfined access to user domains.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	userdomain changing to
+##	</summary>
+## </param>
+#
+template(`role_change_template',`
+        allow $1_r $2_r;
+        type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+        type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+        # avoid annoying messages on terminal hangup
+        dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
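Review bot: The XML doc block for `role_change_template` is malformed and partly copy-pasted: it contains two `<summary>` elements (the second, `Unconfined access to user domains.`, belongs to some other interface), two `<param name="userdomain_prefix">` entries with the same name, and a `<desc>` taken from base_user_template that talks about login roles rather than role changes. Suggest one summary, a desc along the lines of `Allow $1_r to change to $2_r and type_change the source role's tty and pty to the target role's types`, and distinct parameter names such as `<param name="from_userdomain_prefix">` and `<param name="to_userdomain_prefix">` (the body only uses positional `$1`/`$2`, so the names are documentation only). The body is indented with eight spaces where the rest of userdomain.if, and the `define(`role_change'` it replaces in userdomain.te, use tabs.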
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.48/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-06-13 07:03:49.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/userdomain.te	2006-06-20 15:04:12.000000000 -0400
@@ -56,14 +56,6 @@
 # Local policy
 #
 
-define(`role_change',`
-	allow $1_r $2_r;
-	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-	# avoid annoying messages on terminal hangup
-	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
 ifdef(`targeted_policy',`
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
@@ -124,34 +116,34 @@
 
 	# user role change rules:
 	# sysadm_r can change to user roles
-	role_change(sysadm, user)
-	role_change(sysadm, staff)
+	role_change_template(sysadm, user)
+	role_change_template(sysadm, staff)
 
 	# only staff_r can change to sysadm_r
-	role_change(staff, sysadm)
+	role_change_template(staff, sysadm)
 
 	ifdef(`enable_mls',`
 		unpriv_user_template(secadm)
 		unpriv_user_template(auditadm)
 
-		role_change(staff,auditadm)
-		role_change(staff,secadm)
+		role_change_template(staff,auditadm)
+		role_change_template(staff,secadm)
 
-		role_change(sysadm,secadm)
-		role_change(sysadm,auditadm)
+		role_change_template(sysadm,secadm)
+		role_change_template(sysadm,auditadm)
 
-		role_change(auditadm,secadm)
-		role_change(auditadm,sysadm)
+		role_change_template(auditadm,secadm)
+		role_change_template(auditadm,sysadm)
 
-		role_change(secadm,auditadm)
-		role_change(secadm,sysadm)
+		role_change_template(secadm,auditadm)
+		role_change_template(secadm,sysadm)
 	')
 
 	# this should be tunable_policy, but
 	# currently type_change and RBAC allow
 	# do not work in conditionals
 	ifdef(`user_canbe_sysadm',`
-		role_change(user,sysadm)
+		role_change_template(user,sysadm)
 	')
 
 	allow privhome home_root_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.48/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.48/policy/modules/system/xen.te	2006-06-20 10:16:13.000000000 -0400
@@ -68,7 +68,8 @@
 # xend local policy
 #
 
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+
 allow xend_t self:process { signal sigkill };
 # internal communication is often done using fifo and unix sockets.
 allow xend_t self:fifo_file rw_file_perms;
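Review bot: `net_raw` joins xend_t's capability set without a comment naming the xend operation that needs it, and the same diff adds `netutils_domtrans(xend_t)` two hunks further down, which already runs the ping/traceroute-style helpers in their own domains; if the raw-socket use happens there, CAP_NET_RAW on the daemon itself may be unnecessary. Worth checking the denial that motivated it and, if it stays, annotating it: `# net_raw: <OPERATION-TO-CONFIRM>`.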
@@ -168,6 +169,8 @@
 
 xen_stream_connect_xenstore(xend_t)
 
+netutils_domtrans(xend_t)
+
 optional_policy(`
 	consoletype_domtrans(xend_t)
 ')
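Review bot: `netutils_domtrans(xend_t)` is called unconditionally while the `consoletype_domtrans(xend_t)` immediately below is wrapped in `optional_policy(...)`; netutils is a separate module, so the bare call makes the xen module fail to link whenever netutils is not present. Wrap it the same way: `optional_policy(` / `	netutils_domtrans(xend_t)` / `')`.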
@@ -255,7 +258,8 @@
 # xm local policy
 #
 
-allow xm_t self:capability { dac_override ipc_lock };
+allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+
 # internal communication is often done using fifo and unix sockets.
 allow xm_t self:fifo_file { read write };
 allow xm_t self:unix_stream_socket create_stream_socket_perms;
@@ -265,6 +269,9 @@
 allow xm_t xend_var_lib_t:file create_file_perms;
 files_search_var_lib(xm_t)
 
+allow xm_t xen_image_t:dir rw_dir_perms;
+allow xm_t xen_image_t:file r_file_perms;
+
 kernel_read_system_state(xm_t)
 kernel_read_kernel_sysctls(xm_t)
 kernel_read_xen_state(xm_t)
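Review bot: `rw_dir_perms` on xen_image_t directories, if the project's permission set is the usual one, includes add_name and remove_name, i.e. xm may create and remove entries in the image directory, while the image files themselves only get `r_file_perms`. If xm merely locates images to hand to xend, a list/search macro on the directory would match the read-only file rule; otherwise a comment stating that xm creates or unlinks image entries would justify the asymmetry.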
@@ -284,6 +291,7 @@
 term_use_all_terms(xm_t)
 
 init_rw_script_stream_sockets(xm_t)
+init_use_fds(xm_t)
 
 libs_use_ld_so(xm_t)
 libs_use_shared_libs(xm_t)

* Latest diffs
@ 2007-01-03 16:54 Daniel J Walsh
  2007-01-03 21:37 ` Klaus Weidner
                   ` (2 more replies)
  0 siblings, 3 replies; 143+ messages in thread
From: Daniel J Walsh @ 2007-01-03 16:54 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

After one hell of a merge.  :^(

Spent Christmas vacation week getting Strict policy into shape.

Here are a bunch of changes as well as fixes for targeted and mls policy

http://people.redhat.com/dwalsh/SELinux/policy.diff

----------------------------------------------------------------------------------

Had to add system_u:system_u to seusers to get cron to work correctly.  
Cron calls getseusers with parameter of "system_u" if this seuser does 
not exist it fails over to user_u and everything blows up.

Added booleans

allow_ftpd_full_access -  Allows users to use ftp and read any file on 
the system.  Pretty close to disable_trans, but you still have some 
network controls.


Changes allow_mount_anyfile to only allow files
added allow_mounton_anydir to allow admin to mount on any directory but 
not read files

allow_daemons_dump_core - Allow daemons to create corefiles in /

use_lpd_server boolean removes lots of not needed privs from lpr on cups 
platforms.

allow_unconfined_execmem_dyntrans is only used on ia64 platforms to run 
32 bit applications.  kernel does some funny stuff and rexecs 
unconfined_t programs but needs execmem and execstack.  Otherwise ia64 
has to run all apps with execmem execstack.


The MLS constraints are really screwed up.  Need to come to some kind of 
agreement between you, klaus and tcs.

usedom_executable_file is still in there.  I believe we need to separate 
out the executables that are expected to be run by a user and those 
expected to be run by the system.  This helps prevent accidently running 
of applications under sysadm_t.

mkinitrd should not be confined and should not be labeled 
bootloader_exec_t.  This just causes too many problems and little benifit.

I do not want consoletype and hostname transitioning to their domains 
unless they need the privs,  Having them transition from an init script 
is broken, because you end up with tons of denials when applications 
redirect stdin/stdout

Hal restarts the network which has a transition to consoletype and thus 
we get denials.

logwatch looks for files under /var

quota needed major rework to work correctly in MLS environment

Certain tools have rpm libraries built into them and these end up 
calling the transition rules and getting denials.  I want to allow 
unconfined_t to transition to rpm_script_t

rpm execs prelink and chats with hal, also needs to kill processes 
running at different sensitivity levels


Added a tzdata domain to allow proper context of /etc/localtime

sudo reads netlink_route_socket,  wants to look at the kernel key ring, 
stores a token in the pam_pid directory, and needs to getattr on all 
"user" executables.

Some changes to su in order to handle key rings,  Needs 
mls_file_write_down.  Need to be able to su from different domains, and 
pam_rootok causes some selinux_compute_access checks.


usermanage was changed to allow useradd to automatically label the 
homedirs correctly.  useradd now has a -s qualifier that allows it to 
select the selinux user.  It also then labels the directory correctly.  
Critical for MLS and Strict policy to work.

Lots of fixes to get evolution, mozilla, thunderbird, gnome, mplayer to 
work with strict policy.

evolution still needs work.  (I mainly use thunderbird...)

Fixes to get gpg secret created correctly

Added java_domtrans_user_javaplugin to get transition from 
staff_mozilla_t -> staff_javaplugin_t to work.

java wants to dbus chat with unconfined domains and init domains.

Not sure why you want if targeted_policy in loadkeys_run?

Fixes for slocate on MLS

userhelper role line is wrong
userhelper_exec so sysadm_t can run userhelper without transitioning.

webalizer wants to getattr fs_t

Label some executables stored in wierd places.

Still want break out of hi_reserved_port_t from reserved_port_t.

genfscon for ntfs-3g

handles for unlabled_t packets

fixes for kernel_unconfined

httpd_t wants to write to snmp_var_lib_t files.  Dontaudit.

Several domains want to run telinit.  Added init_exec.

Remove anacron_exec_t.   Just run in crond_t.

Remove automount_etc_t - Useless.

clamd wants to read kernel sysctl


Lots of fixes to get cron to work and to use polyinstantiation.

cups changes to run in MLS

dbus needs to ptrance itself.

Needs new interface to connect to user bus.

ftp needs to write to faillog

Hal transitions to some other domains, but needs to have it's fds and 
fifo_files dontaudited

fixes to allow inetd to run on mls

irqbalance needs additional privs

kerberos libraries now try to read krb6kdc_conf_t,  Should be dontaudited.

Lots of fixes to get ypxfr/ypserv to work correctly

Dont want dontaudit var_yp_t:dir search line since this prevents 
setroubleshoot from realizing you are on an NIS box.

nscd needs auth_use_nsswitch

Added policy for pcscd

Lots of fixes to get rhgb to work correctly in a strict enforcing mode.

rlogind needs nsswitch

sendmail wants to read clamav_libs

userspace connects to setroubleshoot unix_stream_socket

fsdaemon needs mls_write_down

spamassisin needs to read /var/lib/spamassisin directory

ssh_agent leaks fds by design.

sshd wants to look at kernel key ring


relabel ICE-UNIX to xdm_tmp_t, since we can not get transition to work 
correctly.  Hopefully a lot of these other communication paths are 
being eliminated by gnome.

Lots of fixes to get xserver working with strict policy


fixes for authlogin handling of keyrings and mls, as well as pcscd

hwclock wants to read system state.

mkswap should not run as fsadm.  Should be labeled sbin_t.

Fixes for initrc to run in strict

fixes for iptbales to use nscd

local_login needs additional privs

lvm needs privs for multipath

/usr/share/X11/locale needs a label.

initrc replace localization files using cp -A to preserve context.  This 
causes many avc messages.

modutils fixes for strict policy

Need correct labels for genhomedircon and system-config-selinux to 
create context correctly.

Lots of fixes for polyinstatiation on MLS

Lots of updates to allow userdomain to work correctly in strict policy







--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Latest Diffs
@ 2006-10-24 15:00 Daniel J Walsh
  2006-10-31 21:00 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-10-24 15:00 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

http://people.redhat.com/dwalsh/SELinux/policy-20061016.patch


flow_in flow_out changes for labeled networking.  Not sure if these are 
still needed.

Change allow_polyinstatiation into a boolean, since this turns on lots 
of privs.

Added use_lpd_server boolean to eliminate some not needed permissions 
from cups versions of lpr commands.

Added a userdom_executable_file type so that we can change the ability 
to execute all commands in MLS, to only be allowed to execute commands 
that an admin would legitimately like to execute without transition.

Amanda needs additional privs

Anaconda should no longer create bootloader_runtime_t files

Remove commented out lines in bootloader.fc

Xen executed netutils and wants to log output.

prelink signals itself and needs to be able to output to the terminal 
and fix executables in homedirs.

Redhat's Fedora Extras apd-get and apt-shell run as rpm.

yum-updatesd runs as rpm and communicates over dbus with an applet 
running mono_t

Need to add rw_faillog to a bunch of domains.  Although this might be 
better in the a global place that handles login apps.

useradd is looking at default context and needs to be able to create 
home_dir_t.

IBM requests javaws and bin under /opt/ibm/java2-ppc64-50/jre be labeled 
java_exec_t


iscsi policy ready to merge.  You can probably start to role in ricci 
and cluster code, although I think only Red Hat is shipping this suff so 
far.

xen has a new device /dev/xen/blktap.*

Avc messages from caused by xsession-errors.log

Hal creats a file in /media directory

Autofs needs to manage symlinks

gfs and gfs2 now support xattrs.  encfs from fuse does also. although it 
is broken.

mv dosfs_t to nfs_t needs to work.

rhgb wants to setattr on a generic devpts_t

Apache scrips want to turn down their priority

httpd needs to be able to rotatelogs

httpd needs to be able to execute bash scripts as cgi.

automount needs to manage non security dirs and handle symlinks.  Also 
wants to open a rawip_socket.

Bluetooth now creates a directory in var as well as files.

Major changes to crontab_t to transition to user_tmp_t.  Why do we have 
a user_crond_t, would just transitioning to user_t make more sense?

crond needs to deal with kernel key ring

multi level cups support

other cups changes


dovecot_auth_t wants to rw utmp

hald needs power management device and manage mnt symlinks for setting 
up media (ipod)

Additional lpr type commands


nm-applet talks to named pipes of networkmanager

Fixed for oddjob_mkhomedir_t

Lots of fixes to get rhgb_t to work correctly

gssd_t needs to read certs

samba wants to rewrite cups configuration

setroubleshoot wants to look at sched because of threads

spamd needs to read netlink_route_socket

squid wants to rw_tmpfs for diskd mode.

add policy for tallylog

hwclock has a fifo_file and needs to search bin

fsadm_t needs to read up for MLS

getty needs sys_admin 

ibm wants all jre libraries and jar files textrel_shlib_t

locallogin keyring support

Auditctl needs aditional privs to look at other parts of the os

mount needs aditional privs


mdadm needs lots more privs

unconfined_t should not transition to so many domains.  Causes to many 
redirection avc messages.

auditadm and secadm need dac_ capabiliies

secadm needs to be able to relabel devices

Additional xen commands and devices

Want to be able to label a fixed_disk_device_t xen_image_t in order to 
allow xen access to raw devices.













--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* latest diffs
@ 2006-09-29 19:05 Daniel J Walsh
  0 siblings, 0 replies; 143+ messages in thread
From: Daniel J Walsh @ 2006-09-29 19:05 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 2140 bytes --]

Added two new booleans.

allow_polyinstantiation, which will remove lots of privs if your system 
does not use it.

intel wants to allow ia32el to dynamically transition from unconfined_t 
to unconfined_execmem_t when running 32 bit applications on ia64 
platforms.  We do not want this in general so this boolean turns it off

allow_unconfined_execmem_dyntrans


On MLS machines we do not want certain user roles to be able to execute 
some confined domains.  So I added a new attribute user_exec_file that 
designates confined apps that can be executed by user accounts without  
a dynamic transition.

Amanda now needs to create directories in amanda_log_t.

yum-updatesd is marked as rpm_exec_t and needs to dbus to mono apps.

rpm_scripts needs to be able to run pidof and stuff like that so needs 
mcs_ptrace_all and killall

sysadm_passwd_t runs nscd apps

rhgb executes files in /etc/profile.d

vmware requires unconfined_t node_type:rawip_socket node_bind

relabeling of chr_devices for cups in MLS requires relaabelto

automount wants to manage autofs_t:sym_link

Adding support for fuse-encfs although kernel section is broken

rhgb needs to setattr on it devpts_t

automount uses rawip_socket

cupsd needs to read hplib_etc_t files/dirs

dovecot wants to rewrite utmp file

hal wants to be able to create symlinks in /media (ipod for example)

Additional lpr_exec_t, sorry about not fixing the ones you already added

dontaudt ncsd_t trying to talk to sysadm_t when run under the covers of 
useradd

rhgb needs access to devpts chr_file

rhgb runs consoletype

It also needs siginh on xserver to work properly

setroubleshoot needs getsched

Began iscsi domain

libjavaplugin_ojigcc3 needs textrel

auditctl needs to be able to getattr on file systems

auditd needs fs_use_all_levels

fusermount needs label

mdadm wants to rw_dir on mdadm_var_run_t:dir


newrole needs multilevel fd

semanage_t needs to verify file context

setrands needs mls fd access

Don't transition to bluetooth_helper from unconfined_t

unconfined_t needs to be able to kill and ptrace all apps

xend needs to communicate with xserver over tcp (vnc?)





[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 45737 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.3.16/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables	2006-09-25 15:11:11.000000000 -0400
+++ serefpolicy-2.3.16/policy/global_tunables	2006-09-27 17:30:35.000000000 -0400
@@ -594,3 +594,18 @@
 ## </desc>
 gen_tunable(spamd_enable_home_dirs,true)
 ')
+
+## <desc>
+## <p>
+## Allow httpd cgi support
+## </p>
+## </desc>
+gen_tunable(allow_polyinstantiation,false)
+
+
+## <desc>
+## <p>
+## Allow unconfined to dyntrans to unconfined_execmem
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_execmem_dyntrans,false)
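Review bot: The `<desc>` for `allow_polyinstantiation` reads `Allow httpd cgi support`, which describes a different boolean and is what administrators will see in the tunable tooling; it should state what this one controls, e.g. `Enable polyinstantiated directories and the permissions they require`. The second description, `Allow unconfined to dyntrans to unconfined_execmem`, is accurate but terse; naming the ia32el-on-ia64 case it exists for would help. There is also a stray double blank line between the two tunables.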
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.3.16/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te	2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/acct.te	2006-09-27 16:09:00.000000000 -0400
@@ -9,6 +9,7 @@
 type acct_t;
 type acct_exec_t;
 init_system_domain(acct_t,acct_exec_t)
+userdom_executable_file(acct_exec_t)
 
 type acct_data_t;
 logging_log_file(acct_data_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.3.16/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te	2006-09-22 14:07:08.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/amanda.te	2006-09-26 20:28:43.000000000 -0400
@@ -97,7 +97,7 @@
 allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
 
 allow amanda_t amanda_log_t:file create_file_perms;
-allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
+allow amanda_t amanda_log_t:dir create_dir_perms;
 logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
 
 allow amanda_t amanda_tmp_t:dir create_dir_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.16/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-08-29 09:00:30.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/consoletype.te	2006-09-27 16:06:16.000000000 -0400
@@ -16,6 +21,7 @@
 ifdef(`targeted_policy',`',`
 	init_system_domain(consoletype_t,consoletype_exec_t)
 ')
+userdom_executable_file(consoletype_exec_t)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.3.16/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te	2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/dmesg.te	2006-09-27 16:09:32.000000000 -0400
@@ -10,6 +10,7 @@
 	type dmesg_t;
 	type dmesg_exec_t;
 	init_system_domain(dmesg_t,dmesg_exec_t)
+	userdom_executable_file(dmesg_exec_t)
 	role system_r types dmesg_t;
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.3.16/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te	2006-08-02 10:34:09.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/netutils.te	2006-09-27 16:12:06.000000000 -0400
@@ -18,10 +18,12 @@
 type ping_exec_t;
 init_system_domain(ping_t,ping_exec_t)
 role system_r types ping_t;
+userdom_executable_file(ping_exec_t)
 
 type traceroute_t;
 type traceroute_exec_t;
 init_system_domain(traceroute_t,traceroute_exec_t)
+userdom_executable_file(traceroute_exec_t)
 role system_r types traceroute_t;
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.16/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2006-09-15 13:14:27.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/rpm.if	2006-09-28 07:58:06.000000000 -0400
@@ -257,3 +257,24 @@
 	dontaudit $1 rpm_var_lib_t:file create_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
 ')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	rpm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_dbus_chat',`
+	gen_require(`
+		type rpm_t;
+		class dbus send_msg;
+	')
+
+	allow $1 rpm_t:dbus send_msg;
+	allow rpm_t $1:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.3.16/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2006-09-22 14:07:08.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/rpm.te	2006-09-27 16:13:07.000000000 -0400
@@ -9,6 +9,8 @@
 type rpm_t;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
+userdom_executable_file(rpm_exec_t)
+
 domain_obj_id_change_exemption(rpm_t)
 domain_role_change_exemption(rpm_t)
 domain_system_change_exemption(rpm_t)
@@ -254,6 +256,9 @@
 kernel_read_kernel_sysctls(rpm_script_t)
 kernel_read_system_state(rpm_script_t)
 
+mcs_killall(rpm_script_t)
+mcs_ptrace_all(rpm_script_t)
+
 dev_list_sysfs(rpm_script_t)
 
 # ideally we would not need this
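Review bot: `mcs_killall(rpm_script_t)` and `mcs_ptrace_all(rpm_script_t)` let package scriptlets signal and ptrace processes in every MCS category, with no comment saying which scriptlet needs it; ptrace across categories in particular undoes the separation MCS is there to provide, so this deserves a why-comment, e.g. `# scriptlets restart services that run in other categories — TODO name the package`. If only killing is actually needed by the scriptlets, the ptrace line should be dropped.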
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.3.16/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if	2006-09-22 14:07:08.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/su.if	2006-09-27 10:15:21.000000000 -0400
@@ -266,7 +266,7 @@
 		')
 	')
 
-	ifdef(`enable_polyinstantiation',`
+	tunable_policy(`allow_polyinstantiation',`
 		fs_mount_xattr_fs($1_su_t)
 		fs_unmount_xattr_fs($1_su_t)
 	')
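Review bot: Changing `ifdef(`enable_polyinstantiation',` to `tunable_policy(`allow_polyinstantiation',` moves interface calls inside a boolean-conditional block, which only compiles if every rule those interfaces expand to is permitted in a conditional (allow/auditallow/dontaudit); the same substitution is made in authlogin.if and xserver.te. `fs_mount_xattr_fs`/`fs_unmount_xattr_fs` most likely expand to plain allow rules, but `files_polyinstantiate_all($1)` in authlogin.if may carry type transitions or attribute assignments that the compiler rejects inside a boolean, so the build should be verified with the boolean in both states. A one-line comment at each site noting that the block is deliberately boolean-gated (and defaults off) would also help readers who knew the old build-time switch.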
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.3.16/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-09-22 14:07:08.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/admin/usermanage.te	2006-09-28 10:21:26.000000000 -0400
@@ -379,6 +379,7 @@
 allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
 files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 files_search_var(sysadm_passwd_t)
+files_dontaudit_search_home(sysadm_passwd_t)
 
 kernel_read_kernel_sysctls(sysadm_passwd_t)
 # for /proc/meminfo
@@ -444,6 +445,7 @@
 
 optional_policy(`
 	nscd_domtrans(sysadm_passwd_t)
+	nscd_socket_use(sysadm_passwd_t)
 ')
 
 ########################################
@@ -473,6 +475,8 @@
 selinux_compute_create_context(useradd_t)
 selinux_compute_relabel_context(useradd_t)
 selinux_compute_user_contexts(useradd_t)
+seutil_read_default_contexts(useradd_t)
+
 # for getting the number of groups
 kernel_read_kernel_sysctls(useradd_t)
 
@@ -521,6 +525,7 @@
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_generic_user_home_content_dirs(useradd_t)
 userdom_manage_generic_user_home_content_files(useradd_t)
+userdom_manage_user_home_dirs(useradd_t)
 userdom_manage_staff_home_dirs(useradd_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.3.16/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	2006-09-22 14:07:03.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/apps/mono.te	2006-09-28 07:58:50.000000000 -0400
@@ -44,4 +44,7 @@
 	optional_policy(`
 		unconfined_dbus_connect(mono_t)
 	')
+	optional_policy(`
+		rpm_dbus_chat(mono_t)
+	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.3.16/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-09-22 14:07:03.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/corecommands.fc	2006-09-28 19:35:55.000000000 -0400
@@ -65,6 +65,7 @@
 
 /etc/xen/qemu-ifup		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/etc/profile.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_debian',`
 /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.3.16/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if	2006-09-15 13:14:21.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/corecommands.if	2006-09-29 09:56:57.000000000 -0400
@@ -928,7 +928,19 @@
 		type bin_t, sbin_t;
 	')
 
-	can_exec($1,exec_type)
+
+	ifdef(`targeted_policy',`
+		can_exec($1,exec_type)
+	', `
+		corecmd_exec_bin($1)
+		corecmd_exec_sbin($1)
+		corecmd_exec_shell($1)
+		corecmd_exec_ls($1)
+		corecmd_exec_chroot($1)
+	')
+
+	userdom_exec($1)
+
 	allow $1 { bin_t sbin_t }:dir list_dir_perms;
 	allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
 ')
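Review bot: The strict branch of this hunk replaces `can_exec($1,exec_type)` with a fixed list of `corecmd_exec_*` calls, so the interface no longer covers every type that carries the exec_type attribute while its summary (outside the hunk) presumably still promises all executables; either the documentation needs to list what is excluded or the attribute-based rule should stay alongside the new calls. Both this hunk and the next one also make a kernel-layer module call system-layer interfaces (`userdom_exec($1)`, `userdom_manage_user_executables($1)`), inverting the layering in which kernel modules depend on nothing above them; if user executables must be reachable from here, the cleaner route is for userdom to put its executable types into exec_type. The blank line added in front of the `ifdef` is stray.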
@@ -950,6 +962,7 @@
 		type bin_t, sbin_t;
 	')
 
+	userdom_manage_user_executables($1)
 	allow $1 exec_type:file manage_file_perms;
 	allow $1 { bin_t sbin_t }:dir rw_dir_perms;
 	allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.16/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-09-29 14:28:01.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/corenetwork.te.in	2006-09-29 14:26:26.000000000 -0400
@@ -205,4 +208,4 @@
 
 # Bind to any network address.
 allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.3.16/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-09-29 14:28:01.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/files.if	2006-09-29 13:48:53.000000000 -0400
@@ -896,8 +896,8 @@
 	allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
 	allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
 	allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
-	allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
-	allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+	allow $1 { file_type $2 }:blk_file { getattr relabelfrom relabelto };
+	allow $1 { file_type $2 }:chr_file { getattr relabelfrom relabelto };
 
 	# satisfy the assertions:
 	seutil_relabelto_bin_policy($1)
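Review bot: Granting `relabelto` on `blk_file` and `chr_file` for every `file_type` lets the caller relabel any device node to any file type, which is a noticeably larger grant than the symlink/fifo/socket cases above it (device nodes mediate raw hardware and disk access), and nothing in the hunk says which caller needs it. A comment naming the consumer, e.g. `# relabelto on device nodes: needed by <caller> — TODO confirm`, would make this reviewable. If a neverallow covers relabelto of device types, the "satisfy the assertions" section below will need a matching addition; the interface's name and summary are outside the hunk.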
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.16/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-09-25 15:11:10.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/filesystem.if	2006-09-26 10:02:05.000000000 -0400
@@ -3381,3 +3381,25 @@
 	allow $1 noxattrfs:blk_file { getattr relabelfrom };
 	allow $1 noxattrfs:chr_file { getattr relabelfrom };
 ')
+
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	on a autofs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_autofs_symlinks',`
+	gen_require(`
+		type autofs_t;
+	')
+
+	allow $1 autofs_t:dir rw_dir_perms;
+	allow $1 autofs_t:lnk_file create_lnk_perms;
+')
+
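Review bot: The new `fs_manage_autofs_symlinks` interface is introduced by two blank lines and followed by a trailing one, where the rest of the file separates interfaces with a single blank line; drop the extras. The summary's "on a autofs filesystem" should read "on an autofs filesystem". The rules themselves follow the manage-symlinks pattern used elsewhere in the file.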
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.3.16/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-09-25 15:11:10.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/filesystem.te	2006-09-27 17:19:21.000000000 -0400
@@ -21,6 +21,7 @@
 
 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
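Review bot: `fs_use_xattr encfs` asserts, per the comment above it, that encfs has a security xattr handler; encfs is a FUSE filesystem and whether it passes `security.*` attributes through depends on the encfs/FUSE version, and if it does not, every file on an encfs mount will be treated as unlabeled and become inaccessible to confined domains. A comment recording what was verified would help, e.g. `# encfs passes security xattrs through FUSE — verified with encfs <version>`.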
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.3.16/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-09-22 09:35:44.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/kernel.te	2006-09-26 09:53:18.000000000 -0400
@@ -326,6 +326,7 @@
 
 ifdef(`targeted_policy',`
 	allow unlabeled_t self:filesystem associate;
+	allow unlabeled_t self:association polmatch;
 ')
 
 optional_policy(`
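Review bot: `allow unlabeled_t self:association polmatch;` is added to the targeted branch with no comment, and a reader of kernel.te cannot tell which IPsec configuration needs unlabeled flows to match unlabeled SPD entries. A why-comment such as `# let unlabeled traffic match unlabeled IPsec policies — needed for <use case>` would make the grant reviewable; if it is only needed for a specific daemon, that module's policy is the better home.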
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-2.3.16/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if	2006-07-14 17:04:29.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/storage.if	2006-09-26 09:53:18.000000000 -0400
@@ -37,6 +37,7 @@
 	')
 
 	dontaudit $1 fixed_disk_device_t:blk_file getattr;
+	dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.3.16/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-09-22 14:07:03.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/kernel/terminal.if	2006-09-29 10:05:27.000000000 -0400
@@ -458,6 +457,26 @@
 
 ########################################
 ## <summary>
+##	Allow setting the attributes of
+##	generic pty devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# dwalsh: added for rhgb
+interface(`term_setattr_generic_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Read and write the generic pty
 ##	type.  This is generally only used in
 ##	the targeted policy.
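Review bot: The `# dwalsh: added for rhgb` line sits between the XML doc block and the `interface(` line, where the other interfaces in this file have only the bare `#` separator; authorship belongs in the changelog, and the consumer is better recorded in the summary, e.g. `## Allow setting the attributes of generic pty devices (used by rhgb in the targeted policy).` Since `devpts_t` is the label of every unallocated pty in the targeted policy, the summary should also make clear this is setattr on all of them, not on a private pty type.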
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.3.16/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-09-22 14:07:05.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/automount.te	2006-09-26 10:01:31.000000000 -0400
@@ -36,6 +36,8 @@
 allow automount_t self:unix_dgram_socket create_socket_perms;
 allow automount_t self:tcp_socket create_stream_socket_perms;
 allow automount_t self:udp_socket create_socket_perms;
+allow automount_t self:rawip_socket create_socket_perms;
+
 allow automount_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow automount_t automount_etc_t:file { getattr read };
@@ -74,6 +76,7 @@
 files_mounton_all_mountpoints(automount_t)
 files_mount_all_file_type_fs(automount_t)
 files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
 
 fs_mount_all_fs(automount_t)
 fs_unmount_all_fs(automount_t)
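Review bot: `files_manage_non_security_dirs(automount_t)` lets automount create and remove directories of every non-security file type anywhere in the filesystem, which is far broader than creating mount points; the module already has `files_mounton_all_mountpoints` and (in the next hunk's context) `fs_manage_auto_mountpoints`, so the gap is probably a narrower create-dir grant on the specific parent types that appeared in the denials. Either add a comment naming what automount needs to create, or replace this with the narrower interface. The `rawip_socket` rule in the previous hunk likewise has no comment saying what automount uses raw IP for.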
@@ -128,6 +131,7 @@
 fs_manage_auto_mountpoints(automount_t)
 fs_unmount_autofs(automount_t)
 fs_mount_autofs(automount_t)
+fs_manage_autofs_symlinks(automount_t)
 
 term_dontaudit_use_console(automount_t)
 term_dontaudit_getattr_pty_dirs(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.3.16/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-09-22 14:07:06.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/cups.te	2006-09-27 15:05:01.000000000 -0400
@@ -124,6 +124,9 @@
 allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket connectto;
 
+allow cupsd_t hplip_etc_t:file r_file_perms;
+allow cupsd_t hplip_etc_t:dir r_dir_perms;
+
 kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
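Review bot: The two new rules reference `hplip_etc_t` directly from cups.te; if hplip is a separate module (it appears to be), the type must be pulled in through an interface, e.g. an `hplip_read_config(cupsd_t)` call inside an `optional_policy` block, otherwise cups acquires a hard dependency on hplip and the modular build fails when that module is not loaded. The `ptal_*` rules above are in the same situation if ptal is a separate module — cannot tell from this hunk.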
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.3.16/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te	2006-07-14 17:04:40.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/cvs.te	2006-09-27 16:16:32.000000000 -0400
@@ -9,6 +9,7 @@
 type cvs_t;
 type cvs_exec_t;
 inetd_tcp_service_domain(cvs_t,cvs_exec_t)
+userdom_executable_file(cvs_exec_t)
 role system_r types cvs_t;
 
 type cvs_data_t; # customizable
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.16/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if	2006-09-15 13:14:24.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/dbus.if	2006-09-26 09:53:18.000000000 -0400
@@ -123,6 +123,7 @@
 	selinux_compute_relabel_context($1_dbusd_t)
 	selinux_compute_user_contexts($1_dbusd_t)
 
+	corecmd_bin_domtrans($1_dbusd_t, $1_t)
 	corecmd_list_bin($1_dbusd_t)
 	corecmd_read_bin_symlinks($1_dbusd_t)
 	corecmd_read_bin_files($1_dbusd_t)
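Review bot: `corecmd_bin_domtrans($1_dbusd_t, $1_t)` makes the per-user session bus run every bin_t program it executes in the user's own domain, and nothing in the hunk says why; a reader needs to know this is intended service activation rather than a way out of the dbusd domain. A comment such as `# the session bus activates services on the user's behalf; they run in the user domain` would do, and it is worth confirming that `$1_t` is the right target for all of bin_t rather than only the activated service helpers.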
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.3.16/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2006-09-06 13:04:51.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/dovecot.te	2006-09-27 06:32:56.000000000 -0400
@@ -171,6 +171,8 @@
 
 allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
 
+init_rw_utmp(dovecot_auth_t)
+
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.3.16/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-09-25 15:11:11.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/hal.te	2006-09-27 15:11:25.000000000 -0400
@@ -85,6 +85,7 @@
 files_rw_etc_runtime_files(hald_t)
 files_manage_mnt_dirs(hald_t)
 files_manage_mnt_files(hald_t)
+files_manage_mnt_symlinks(hald_t)
 files_search_var_lib(hald_t)
 files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-2.3.16/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc	2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/lpd.fc	2006-09-26 09:53:18.000000000 -0400
@@ -6,21 +6,25 @@
 #
 # /usr
 #
-/usr/bin/lp(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpr(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpq(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lprm(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpstat(\.cups)? --	gen_context(system_u:object_r:lpr_exec_t,s0)
-
 /usr/sbin/checkpc	--	gen_context(system_u:object_r:checkpc_exec_t,s0)
 /usr/sbin/lpd		--	gen_context(system_u:object_r:lpd_exec_t,s0)
 /usr/sbin/lpadmin	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/lpc(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
-
+/usr/sbin/accept	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
+/usr/bin/lp(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpr(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpstat(\.cups)? --	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/cancel(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpoptions	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
 #
 # /var
 #
 /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
 /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
+
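Review bot: The moved `/usr/bin/*` entries now follow the `/usr/sbin` and `/usr/share/printconf` lines, so the `# /usr` section is no longer in path order; since the order is irrelevant to the matcher, keeping them in front of the sbin entries as before costs nothing and preserves readability. The new `accept`, `lpinfo`, `lpmove`, `cancel` and `lpoptions` entries are fine as `lpr_exec_t`, and the file now ends with an extra blank line that should go.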
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.3.16/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/mta.te	2006-09-27 16:18:32.000000000 -0400
@@ -27,6 +27,7 @@
 
 type sendmail_exec_t;
 files_type(sendmail_exec_t)
+userdom_executable_file(sendmail_exec_t)
 
 mta_base_mail_template(system)
 role system_r types system_mail_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.3.16/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if	2006-08-07 18:55:18.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/nscd.if	2006-09-26 09:53:18.000000000 -0400
@@ -181,3 +181,23 @@
 
 	allow $1 nscd_t:nscd *;
 ')
+
+
+########################################
+## <summary>
+##	Allow role on this domain
+## </summary>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the nscd domain.
+##	</summary>
+## </param>
+#
+interface(`nscd_role',`
+	gen_require(`
+		type nscd_t;
+	')
+
+	role $1 types nscd_t;
+')
+
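Review bot: The summary `Allow role on this domain` for `nscd_role` does not say what the interface does; the phrasing used elsewhere in refpolicy is `Allow the specified role the nscd domain.`, and the parameter summary can stay as is. There are also two blank lines before the header comment and a trailing blank line at the end of the file, where the rest of the file uses one.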
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.3.16/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te	2006-09-25 15:11:11.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/nscd.te	2006-09-28 10:19:19.000000000 -0400
@@ -120,6 +120,9 @@
 	term_dontaudit_use_unallocated_ttys(nscd_t)
 	term_dontaudit_use_generic_ptys(nscd_t)
 	files_dontaudit_read_root_files(nscd_t)
+',`
+	userdom_dontaudit_use_sysadm_ttys(nscd_t)
+	userdom_dontaudit_use_sysadm_ptys(nscd_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.3.16/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2006-09-15 13:14:25.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/procmail.te	2006-09-27 16:19:02.000000000 -0400
@@ -10,6 +10,7 @@
 type procmail_exec_t;
 domain_type(procmail_t)
 domain_entry_file(procmail_t,procmail_exec_t)
+userdom_executable_file(procmail_exec_t)
 role system_r types procmail_t;
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-2.3.16/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te	2006-09-06 13:04:51.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/rhgb.te	2006-09-29 01:20:51.000000000 -0400
@@ -13,10 +13,8 @@
 type rhgb_tmpfs_t;
 files_tmpfs_file(rhgb_tmpfs_t)
 
-ifdef(`strict_policy',`
-	type rhgb_devpts_t;
-	term_pty(rhgb_devpts_t)
-')
+type rhgb_devpts_t;
+term_pty(rhgb_devpts_t)
 
 ########################################
 #
@@ -25,7 +23,7 @@
 
 allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
 dontaudit rhgb_t self:capability sys_tty_config;
-allow rhgb_t self:process signal_perms;
+allow rhgb_t self:process { setpgid signal_perms };
 allow rhgb_t self:shm create_shm_perms;
 allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
 allow rhgb_t self:fifo_file rw_file_perms;
@@ -112,16 +110,21 @@
 # for running setxkbmap
 xserver_read_xkb_libs(rhgb_t)
 
+selinux_dontaudit_search_fs(rhgb_t)
+selinux_dontaudit_read_fs(rhgb_t)
+seutil_search_default_contexts(rhgb_t)
+seutil_read_config(rhgb_t)
+
 ifdef(`strict_policy',`
 	allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
 	term_create_pty(rhgb_t,rhgb_devpts_t)
+
 ', `
 	files_dontaudit_read_root_files(rhgb_t)
 
-	term_dontaudit_use_generic_ptys(rhgb_t)
-	term_dontaudit_setattr_generic_ptys(rhgb_t)
+	term_use_generic_ptys(rhgb_t)
+	term_setattr_generic_ptys(rhgb_t)
 	term_dontaudit_use_unallocated_ttys(rhgb_t)
-	term_dontaudit_use_generic_ptys(rhgb_t)
 
 	xserver_domtrans_xdm_xserver(rhgb_t)
 	xserver_signal_xdm_xserver(rhgb_t)
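Review bot: In the targeted branch, `term_use_generic_ptys(rhgb_t)` and `term_setattr_generic_ptys(rhgb_t)` replace the earlier dontaudit rules, so rhgb may now read, write and change the mode of every pty labeled `devpts_t`, which in the targeted policy includes users' interactive terminals. Because the first hunk now declares `rhgb_devpts_t` unconditionally, the targeted branch could use the same `term_create_pty(rhgb_t,rhgb_devpts_t)` path as the strict branch and keep the generic-pty access as dontaudit. If generic access really is required, a comment should say why; the blank line added before `', `` in the strict branch is stray.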
@@ -140,8 +143,13 @@
 	udev_read_db(rhgb_t)
 ')
 
+optional_policy(`
+	consoletype_exec(rhgb_t)
+')
+
 ifdef(`TODO',`
 	#this seems a bit much
 	allow domain rhgb_devpts_t:chr_file { read write };
 	allow initrc_t rhgb_gph_t:fd use;
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.3.16/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/rsync.te	2006-09-27 16:19:26.000000000 -0400
@@ -9,6 +9,7 @@
 type rsync_t;
 type rsync_exec_t;
 init_daemon_domain(rsync_t,rsync_exec_t)
+userdom_executable_file(rsync_exec_t)
 role system_r types rsync_t;
 
 type rsync_data_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.16/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2006-09-22 14:07:05.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/setroubleshoot.te	2006-09-26 09:53:18.000000000 -0400
@@ -28,7 +28,7 @@
 #
 
 allow setroubleshootd_t self:capability { dac_override sys_tty_config };
-allow setroubleshootd_t self:process { signal getattr };
+allow setroubleshootd_t self:process { signal getattr getsched };
 allow setroubleshootd_t self:fifo_file rw_file_perms;
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.3.16/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/spamassassin.te	2006-09-27 16:26:15.000000000 -0400
@@ -8,7 +8,7 @@
 
 # spamassassin client executable
 type spamc_exec_t;
-corecmd_executable_file(spamc_exec_t)
+userdom_executable_file(spamc_exec_t)
 
 type spamd_t;
 type spamd_exec_t;
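Review bot: Replacing `corecmd_executable_file(spamc_exec_t)` with `userdom_executable_file(spamc_exec_t)` (and likewise for `spamassassin_exec_t` in the next hunk and `ssh_exec_t` in ssh.te) removes the call that gives these types the `exec_type` attribute, unless `userdom_executable_file` is defined to call it itself; its definition is not in this diff. If it does not, every domain that relies on exec_type-based rules silently loses the ability to run ssh and spamc. Confirm the interface's definition, or keep both calls; the other files in this patch only add the userdom call and so are not affected.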
@@ -24,7 +24,7 @@
 files_pid_file(spamd_var_run_t)
 
 type spamassassin_exec_t;
-corecmd_executable_file(spamassassin_exec_t)
+userdom_executable_file(spamassassin_exec_t)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.3.16/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te	2006-09-25 15:11:11.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/ssh.te	2006-09-27 16:30:19.000000000 -0400
@@ -10,7 +10,7 @@
 
 # ssh client executable.
 type ssh_exec_t;
-corecmd_executable_file(ssh_exec_t)
+userdom_executable_file(ssh_exec_t)
 
 type ssh_keygen_t;
 type ssh_keygen_exec_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.16/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2006-09-15 13:14:25.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/xserver.if	2006-09-29 00:59:16.000000000 -0400
@@ -898,10 +898,12 @@
 
 	domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
 
+	allow $1 xdm_xserver_t:process siginh;
 	allow $1 xdm_xserver_t:fd use;
 	allow xdm_xserver_t $1:fd use;
 	allow xdm_xserver_t $1:fifo_file rw_file_perms;
 	allow xdm_xserver_t $1:process sigchld;
+
 ')
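Review bot: `allow $1 xdm_xserver_t:process siginh;` lets the X server started by `$1` inherit the caller's pending signals and handlers across the domain transition, which the kernel otherwise resets as a hardening step, and nothing in the hunk says which caller needs it. Add a why-comment naming the consumer (I would guess rhgb, but cannot tell from here), and if only one caller needs it the rule belongs in that module rather than in an interface every user of this domtrans receives. The blank line added before `')` is stray.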
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.3.16/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2006-09-06 13:04:51.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/services/xserver.te	2006-09-27 10:14:32.000000000 -0400
@@ -462,7 +462,7 @@
 allow rhgb_t xdm_xserver_t:process signal;
 ')
 
-ifdef(`enable_polyinstantiation',`
+tunable_policy(`allow_polyinstantiation',`
 # xdm needs access for linking .X11-unix to poly /tmp
 allow xdm_t polymember:dir { add_name remove_name write };
 allow xdm_t polymember:lnk_file { create unlink };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.3.16/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2006-09-15 13:14:27.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/authlogin.if	2006-09-27 10:14:47.000000000 -0400
@@ -230,7 +230,7 @@
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
 
-	ifdef(`enable_polyinstantiation',`
+	tunable_policy(`allow_polyinstantiation',`
 		files_polyinstantiate_all($1)
 	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.3.16/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2006-09-22 14:07:06.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/fstools.te	2006-09-27 16:27:37.000000000 -0400
@@ -9,7 +9,7 @@
 type fsadm_t;
 type fsadm_exec_t;
 init_system_domain(fsadm_t,fsadm_exec_t)
-mls_file_read_up(fsadm_t)
+userdom_executable_file(fsadm_exec_t)
 role system_r types fsadm_t;
 
 type fsadm_log_t;
@@ -98,6 +98,7 @@
 fs_read_tmpfs_symlinks(fsadm_t)
 
 mls_file_write_down(fsadm_t)
+mls_file_read_up(fsadm_t)
 
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.3.16/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc	2006-08-25 13:29:58.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/init.fc	2006-09-26 09:53:18.000000000 -0400
@@ -66,3 +66,6 @@
 /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
 
+# Until their is a policy for pcscd we need these
+/var/run/pcscd\.pub	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/pcscd\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
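Review bot: The comment on the new block has a typo — `their` for `there`: `# Until there is a policy for pcscd we need these`. Labelling pcscd's runtime files as `initrc_var_run_t` also means anything allowed to manage initrc runtime files can alter them, so keeping the comment's TODO nature visible is worthwhile; the `\.` escaping on both patterns is correct.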
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.16/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/init.te	2006-09-27 15:58:36.000000000 -0400
@@ -151,6 +151,7 @@
 mcs_process_set_categories(init_t)
 
 mls_process_write_down(init_t)
+mls_fd_use_all_levels(init_t)
 
 selinux_set_boolean(init_t)
 
@@ -365,7 +366,8 @@
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
-miscfiles_read_localization(initrc_t)
+miscfiles_rw_localization(initrc_t)
+
 # slapd needs to read cert files from its initscript
 miscfiles_read_certs(initrc_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-2.3.16/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.16/policy/modules/system/iscsi.fc	2006-09-26 10:04:37.000000000 -0400
@@ -0,0 +1,7 @@
+# iscsid executable will have:
+# label: system_u:object_r:iscsid_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+/var/run/iscsid.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
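Review bot: `/var/run/iscsid.pid` is a regular expression and the unescaped `.` matches any character; the rest of the tree writes it as `/var/run/iscsid\.pid`. The four-line header is the policy-generator template text and states nothing the gen_context line does not already; the usual `# iscsid file contexts` header would be more in keeping with the other .fc files.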
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-2.3.16/policy/modules/system/iscsi.if
--- nsaserefpolicy/policy/modules/system/iscsi.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.16/policy/modules/system/iscsi.if	2006-09-26 10:04:37.000000000 -0400
@@ -0,0 +1,24 @@
+## <summary>policy for iscsid</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run iscsid.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iscsid_domtrans',`
+	gen_require(`
+		type iscsid_t, iscsid_exec_t;
+	')
+
+	domain_auto_trans($1,iscsid_exec_t,iscsid_t)
+
+	allow $1 iscsid_t:fd use;
+	allow iscsid_t $1:fd use;
+	allow iscsid_t $1:fifo_file rw_file_perms;
+	allow iscsid_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-2.3.16/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.16/policy/modules/system/iscsi.te	2006-09-26 10:04:37.000000000 -0400
@@ -0,0 +1,74 @@
+policy_module(iscsid,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type iscsid_t;
+type iscsid_exec_t;
+domain_type(iscsid_t)
+init_daemon_domain(iscsid_t, iscsid_exec_t)
+
+type iscsi_tmp_t;
+files_tmp_file(iscsi_tmp_t)
+
+type iscsi_var_run_t;
+files_pid_file(iscsi_var_run_t)
+
+
+########################################
+#
+# iscsid local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(iscsid_t)
+libs_use_ld_so(iscsid_t)
+libs_use_shared_libs(iscsid_t)
+miscfiles_read_localization(iscsid_t)
+## internal communication is often done using fifo and unix sockets.
+allow iscsid_t self:fifo_file { read write };
+allow iscsid_t self:unix_stream_socket create_stream_socket_perms;
+
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(iscsid_t)
+corenet_tcp_sendrecv_all_if(iscsid_t)
+corenet_tcp_sendrecv_all_nodes(iscsid_t)
+corenet_tcp_sendrecv_all_ports(iscsid_t)
+corenet_non_ipsec_sendrecv(iscsid_t)
+corenet_tcp_connect_http_port(iscsid_t)
+#corenet_tcp_connect_all_ports(iscsid_t)
+## if it is a network daemon, consider these:
+#corenet_tcp_bind_all_ports(iscsid_t)
+#corenet_tcp_bind_all_nodes(iscsid_t)
+allow iscsid_t self:tcp_socket { listen accept };
+
+# Init script handling
+init_use_fds(iscsid_t)
+init_use_script_ptys(iscsid_t)
+domain_use_interactive_fds(iscsid_t)
+
+logging_send_syslog_msg(iscsid_t)
+
+allow iscsid_t self:capability { ipc_lock net_admin sys_nice sys_resource };
+allow iscsid_t self:netlink_socket { bind create };
+allow iscsid_t self:unix_dgram_socket create_socket_perms;
+
+allow iscsid_t devpts_t:chr_file { read write };
+
+allow iscsid_t self:process setsched;
+allow iscsid_t self:sem create_sem_perms;
+allow iscsid_t self:shm create_shm_perms;
+
+dev_rw_sysfs(iscsid_t)
+
+allow iscsid_t iscsi_var_run_t:dir rw_dir_perms;
+allow iscsid_t iscsi_var_run_t:file create_file_perms;
+files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
+
+allow iscsid_t iscsi_tmp_t:dir create_dir_perms;
+allow iscsid_t iscsi_tmp_t:file create_file_perms;
+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
+
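Review bot: `allow iscsid_t devpts_t:chr_file { read write };` uses a type owned by the terminal module with no `gen_require`, which breaks the modular build; `term_use_generic_ptys(iscsid_t)` (or relying on the `init_use_script_ptys` already present, if the denial came from the initscript's pty) is the supported route. The daemon is only granted `{ listen accept }` on its tcp_socket, yet it must create the sockets it connects with, so `create_stream_socket_perms` is needed; `iscsi_tmp_t` is declared with `files_tmp_file` but the transition uses `fs_tmpfs_filetrans`, so one of the two is wrong; and `corenet_tcp_connect_http_port` is unlikely to be what iscsid uses to reach targets (iSCSI is port 3260) — this should be a corenet interface for that port, added to corenetwork if one does not exist yet. The `## ` prefix is the doc-generator's marker and should be `# ` for ordinary comments, the template cruft ("adjust to your needs!", "you might be able to remove some", the commented-out corenet lines, the "/etc/selinux/refpolicy/include" pointer) should go, and `domain_type(iscsid_t)` is probably redundant with `init_daemon_domain`. The self rules below show the consolidated form; the tmpfs/tmp mismatch and the port interface are left for the author to resolve.
```m4
# iscsid local policy
#

allow iscsid_t self:capability { ipc_lock net_admin sys_nice sys_resource };
allow iscsid_t self:process setsched;
allow iscsid_t self:fifo_file { read write };
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
allow iscsid_t self:netlink_socket { bind create };
# iscsid opens its own connections to targets, so it needs more than listen/accept
allow iscsid_t self:tcp_socket create_stream_socket_perms;
allow iscsid_t self:unix_dgram_socket create_socket_perms;
allow iscsid_t self:unix_stream_socket create_stream_socket_perms;

# … unchanged: iscsi_var_run_t and iscsi_tmp_t rules, corenet sendrecv, init/logging calls …

# replaces the bare devpts_t rule, which has no gen_require in this module
term_use_generic_ptys(iscsid_t)
```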
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.3.16/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-09-22 14:07:07.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/libraries.fc	2006-09-27 15:02:39.000000000 -0400
@@ -255,6 +255,7 @@
 /usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.3.16/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/logging.te	2006-09-29 11:18:36.000000000 -0400
@@ -75,6 +75,7 @@
 allow auditctl_t auditd_etc_t:file r_file_perms;
 
 # Needed for adding watches
+fs_getattr_all_fs(auditctl_t)
 files_getattr_all_dirs(auditctl_t)
 files_read_etc_files(auditctl_t)
 
@@ -95,6 +96,8 @@
 
 logging_send_syslog_msg(auditctl_t)
 
+selinux_search_fs(auditctl_t)
+
 ifdef(`targeted_policy',`
 	term_use_generic_ptys(auditctl_t)
 	term_use_unallocated_ttys(auditctl_t)
@@ -164,6 +167,7 @@
 mls_file_read_up(auditd_t)
 mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
 mls_rangetrans_target(auditd_t)
+mls_fd_use_all_levels(auditd_t)
 
 seutil_dontaudit_read_config(auditd_t)
 
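Review bot: `mls_fd_use_all_levels(auditd_t)` exempts auditd from the MLS file-descriptor constraint without saying why, while the neighbouring `mls_file_write_down(auditd_t)` line carries a justification comment. Every MLS override widens what an MLS-confined daemon may touch, so a one-line reason such as `mls_fd_use_all_levels(auditd_t) # TODO(reviewer): name the caller that hands auditd fds at other levels` would let the next reader judge whether it is still needed. The same unexplained widening appears in the selinuxutil.te hunk (`mls_fd_share_all_levels(newrole_t)`) and the setrans.te hunk (`mls_fd_use_all_levels(setrans_t)`).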
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-2.3.16/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc	2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/mount.fc	2006-09-27 17:50:25.000000000 -0400
@@ -4,4 +4,5 @@
 # mount file contexts
 #
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
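Review bot: Labelling /usr/bin/fusermount as mount_exec_t puts a setuid helper that ordinary users invoke onto the same entry type as /bin/mount, so any domain that already has a transition on mount_exec_t will run fusermount in mount_t with that domain's full mount privileges rather than the narrow FUSE-mount ability fusermount needs; whether user domains have such a transition depends on mount.if rules outside this diff. If the intent is only to let fusermount execute, a dedicated type, or a comment explaining why sharing mount_t is acceptable, would make the change reviewable. The new entry is also placed between `/bin/mount.*` and `/bin/umount.*`; keeping the /bin entries adjacent preserves the file's grouping.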
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.3.16/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-09-15 13:14:27.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/mount.te	2006-09-27 16:29:01.000000000 -0400
@@ -9,6 +9,7 @@
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
+userdom_executable_file(mount_exec_t)
 role system_r types mount_t;
 
 type mount_loopback_t; # customizable
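Review bot: `userdom_executable_file(mount_exec_t)` adds mount_exec_t to the user_exec_type attribute, and the userdomain.if hunk in this same diff defines `userdom_manage_user_executables`, which grants `manage_file_perms` on every file carrying that attribute. Any domain later given that interface will be able to overwrite or replace /bin/mount, /bin/umount and (per the mount.fc hunk) /usr/bin/fusermount, which are typically setuid-root, so write access to them amounts to a privilege-escalation path that SELinux would otherwise have blocked. If the goal is only to let user domains execute mount in their own domain via `userdom_exec`, consider keeping mount_exec_t out of the manage set (for example an exec-only attribute separate from the manageable one) and add a comment here stating which callers are expected to rely on this.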
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.3.16/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te	2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/raid.te	2006-09-28 12:22:13.000000000 -0400
@@ -23,6 +23,7 @@
 dontaudit mdadm_t self:capability sys_tty_config;
 allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
 
+allow mdadm_t mdadm_var_run_t:dir rw_dir_perms;
 allow mdadm_t mdadm_var_run_t:file create_file_perms;
 files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
 
@@ -36,6 +37,8 @@
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 dev_dontaudit_getattr_generic_files(mdadm_t)
+dev_dontaudit_getattr_generic_chr_files(mdadm_t)
+dev_dontaudit_getattr_generic_blk_files(mdadm_t)
 
 fs_search_auto_mountpoints(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.16/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-09-22 14:07:07.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/selinuxutil.te	2006-09-29 13:23:46.000000000 -0400
@@ -274,6 +274,7 @@
 mls_file_upgrade(newrole_t)
 mls_file_downgrade(newrole_t)
 mls_process_set_level(newrole_t)
+mls_fd_share_all_levels(newrole_t)
 
 selinux_get_fs_mount(newrole_t)
 selinux_validate_context(newrole_t)
@@ -587,6 +588,7 @@
 mls_rangetrans_target(semanage_t)
 mls_file_read_up(semanage_t)
 
+selinux_validate_context(semanage_t)
 selinux_get_enforce_mode(semanage_t)
 # for setsebool:
 selinux_set_boolean(semanage_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.3.16/policy/modules/system/setrans.fc
--- nsaserefpolicy/policy/modules/system/setrans.fc	2006-07-14 17:04:44.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/setrans.fc	2006-09-26 09:53:18.000000000 -0400
@@ -1,3 +1,3 @@
 /sbin/mcstransd	--	gen_context(system_u:object_r:setrans_exec_t,s0)
 
-/var/run/setrans(/.*)?	gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
+/var/run/setrans(/.*)?	gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c1023)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.3.16/policy/modules/system/setrans.te
--- nsaserefpolicy/policy/modules/system/setrans.te	2006-09-22 14:07:07.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/setrans.te	2006-09-27 15:59:14.000000000 -0400
@@ -53,6 +53,7 @@
 mls_file_write_down(setrans_t)
 mls_net_receive_all_levels(setrans_t)
 mls_rangetrans_target(setrans_t)
+mls_fd_use_all_levels(setrans_t)
 
 selinux_compute_access_vector(setrans_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.3.16/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-08-29 09:00:29.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/unconfined.if	2006-09-26 09:53:18.000000000 -0400
@@ -31,6 +31,7 @@
 	allow $1 self:nscd *;
 	allow $1 self:dbus *;
 	allow $1 self:passwd *;
+	allow $1 self:association *;
 
 	kernel_unconfined($1)
 	corenet_unconfined($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.3.16/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-09-29 14:28:02.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/unconfined.te	2006-09-29 12:11:13.000000000 -0400
@@ -64,10 +64,6 @@
 	')
 
 	optional_policy(`
-		bluetooth_domtrans_helper(unconfined_t)
-	')
-
-	optional_policy(`
 		bootloader_domtrans(unconfined_t)
 	')
 
@@ -189,6 +181,8 @@
 	optional_policy(`
 		xserver_domtrans_xdm_xserver(unconfined_t)
 	')
+	mcs_killall(unconfined_t)
+	mcs_ptrace_all(unconfined_t)
 ')
 
 ########################################
@@ -197,6 +191,10 @@
 #
 
 ifdef(`targeted_policy',`
+	tunable_policy(`allow_unconfined_execmem_dyntrans',`
+		allow unconfined_t unconfined_execmem_t:process dyntransition;
+	')
+
 	allow unconfined_execmem_t self:process { execstack execmem };
 	unconfined_domain_noaudit(unconfined_execmem_t)
 
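Review bot: The new `tunable_policy` block references a boolean `allow_unconfined_execmem_dyntrans` whose `gen_tunable` declaration does not appear in this diff; if it is not declared in global_tunables elsewhere in the series the module will fail to build, and if it is, the declaration's description should say that enabling it lets unconfined_t `dyntransition` into unconfined_execmem_t and thereby gain execmem/execstack on demand. A short comment above the block, e.g. `# lets unconfined_t setcon() into unconfined_execmem_t to obtain execmem/execstack`, would spare readers the cross-reference. The enclosing targeted_policy ifdef block continues past the end of the hunk.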
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.16/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-09-25 15:11:11.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/userdomain.if	2006-09-29 09:56:59.000000000 -0400
@@ -3896,12 +3896,7 @@
 #
 interface(`userdom_manage_staff_home_dirs',`
 	ifdef(`targeted_policy',`
-		gen_require(`
-			type user_home_dir_t;
-		')
-
-		files_search_home($1)
-		allow $1 user_home_dir_t:dir manage_dir_perms;
+		userdom_manage_user_home_dirs($1)
 	',`
 		gen_require(`
 			type staff_home_dir_t;
@@ -5338,3 +5333,82 @@
 	allow $1 user_home_dir_t:dir create_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
+
+
+########################################
+## <summary>
+##	Make the specified type usable for files
+##	that are exectuables, such as binary programs.
+##	This does not include shared libraries.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+#
+interface(`userdom_executable_file',`
+	gen_require(`
+		attribute user_exec_type;
+	')
+
+	typeattribute $1 user_exec_type;
+
+	files_type($1)
+')
+
+########################################
+## <summary>
+## Execute user executables in the caller domain.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_exec',`
+	gen_require(`
+		attribute user_exec_type;
+	')
+
+	can_exec($1, user_exec_type)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_manage_user_executables',`
+	gen_require(`
+		attribute user_exec_type;
+	')
+	allow $1 user_exec_type:file manage_file_perms;
+')
+
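Review bot: The `userdom_manage_user_executables` summary reads `Create, read, write, and all executable files.` and is missing its verb; presumably `Create, read, write, and delete all user executable files.`, which is what `manage_file_perms` grants. The `userdom_executable_file` summary misspells `exectuables`, and its `<param name="type">` is described as `Type to be used for files.` while the other two new interfaces use `domain` / `Domain allowed access.`, so the three doc blocks are inconsistent with each other. Because manage_file_perms over the whole user_exec_type attribute lets a caller replace any binary labelled with it, the summary should state that consequence plainly; the `<rolecap/>` tag alone does not convey it.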
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.16/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-09-25 15:11:11.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/userdomain.te	2006-09-27 14:48:29.000000000 -0400
@@ -24,6 +24,9 @@
 # users home directory contents
 attribute home_type;
 
+# Executables to be run by user
+attribute user_exec_type;
+
 # The privhome attribute identifies every domain that can create files under
 # regular user home directories in the regular context (IE act on behalf of
 # a user in writing regular files)
@@ -423,6 +426,9 @@
 	')
 
 	optional_policy(`
+		nscd_role(sysadm_r)
+	')
+	optional_policy(`
 		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.16/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2006-09-22 14:07:07.000000000 -0400
+++ serefpolicy-2.3.16/policy/modules/system/xen.te	2006-09-28 12:06:41.000000000 -0400
@@ -132,6 +132,7 @@
 corenet_tcp_bind_soundd_port(xend_t)
 corenet_tcp_bind_generic_port(xend_t)
 corenet_tcp_bind_vnc_port(xend_t)
+corenet_tcp_connect_xserver_port(xend_t)
 corenet_sendrecv_xen_server_packets(xend_t)
 corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_rw_tun_tap_dev(xend_t)

* Latest diffs
@ 2006-09-20 16:12 Daniel J Walsh
  2006-09-21 13:45 ` Christopher J. PeBenito
  2006-09-22 17:13 ` Christopher J. PeBenito
  0 siblings, 2 replies; 143+ messages in thread
From: Daniel J Walsh @ 2006-09-20 16:12 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

http://people.redhat.com/dwalsh/SELinux/policy.diff

Changed to allow 1024 categories.

serefpolicy-2.3.14/policy/flask/mkaccess_vector.sh: changed to not output blank lines.  Kernel folks don't like blank lines.

I have a request for a boolean to allow all domains to talk to the ttys in targeted policy.  This would allow a domain to
output errors if there is a failure.  Currently, if I screw up my httpd.conf file, apache has no easy way of telling me via
the init script.

More changes to amanda paths

Don't transition on grubby.  Someone needs to write grubby policy, but it should not be the same as bootloader.

+	#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202410
+	allow bootloader_t boot_runtime_t:file { rw_file_perms unlink };

+corecmd_etc_runtime_alias(firstboot_rw_t)
Adding a new alias is a pain in reference policy.  We need a better way of doing this.

logwatch scans the / directory

new rpm_exec_t executables

su needs to deal with kernel keys

mono needs to be able to be started by initrc.  We will need to confine the domains we know about in the future.

gnome-pty-helper on 64 bit platforms

Fix files.if interfaces

Add a files_manage_non_secure_dirs for autofs

nfs now uses rpc_pipefs_t:fifo_file

Stop using bluetooth_helper_t

Lots of fixes to make ppp work from network manager with bluetooth

dhcpd speaks dbus

The new version of the kerberos library checks access to the /lib/kerberos/krb5kdc directory.

add file_context for /usr/bin/lp

new networkmanager file

ntp needs to talk to unconfined_t for setting date from gnome.

oddjob policy should be added

sendmail should create pid with correct context in targeted policy

small changes to setroubleshootd to eliminate avc messages

xfs needs dac_override

need policy for pcscd any one up for it?

don't transition to su domain in targeted policy

libGL and libfame are moving around

xen has a new log directory

xen needs ptrace

xen needs to read from removable devices










* Latest Diffs
@ 2006-09-05 21:06 Daniel J Walsh
  2006-09-06 16:33 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-09-05 21:06 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1154 bytes --]

Your path in the Makefile for setfiles is wrong; it should be /sbin/setfiles.

firstboot.if needs firstboot_read_rw_files removed.

Fixes for rhgb on a targeted platform, including a file context for
gnome-pty-helper, setattr on ramfs_t:dir,
some dontaudit rules for generic_ptys, and the ability to signal xserver.

setroubleshoot is not using the network now, so remove corenetwork stuff

Bluetooth_helper hits the unlabeled_t:socket stuff

dovecot does not need netlink_route_socket since this is in nsswitch

xserver should create its own xdm_tmp_t files



What is the problem with the following?

        # Handle pp files created in homedir and /tmp
        files_read_generic_tmp_files(semanage_t)
        userdom_read_generic_user_home_content_files(semanage_t)
+',`
+       ifdef(`enable_mls',`
+               userdom_read_user_tmp_files(secadm, semanage_t)
+       ',`
+               userdom_read_user_tmp_files(sysadm, semanage_t)
+       ')
 ')


xen wants to bind to vnc_port.

And wants to read /root.  Dontaudit.

Added validatefc to check file context against base.pp.

Only works on targeted policy since others have ROLE_home_dir_t and the 
like.



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 84154 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.3.12/Makefile
--- nsaserefpolicy/Makefile	2006-09-05 16:51:05.000000000 -0400
+++ serefpolicy-2.3.12/Makefile	2006-09-05 16:16:40.000000000 -0400
@@ -44,22 +45,25 @@
 endif
 
 # executable paths
-BINDIR ?= /usr/bin
-SBINDIR ?= /usr/sbin
+USRBINDIR ?= /usr/bin
+USRSBINDIR ?= /usr/sbin
+SBINDIR ?= /sbin
 ifdef TEST_TOOLCHAIN
-tc_bindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(USRSBINDIR)
 tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
 else
-tc_bindir := $(BINDIR)
+tc_usrbindir := $(USRBINDIR)
+tc_usrsbindir := $(USRSBINDIR)
 tc_sbindir := $(SBINDIR)
 endif
-CHECKPOLICY ?= $(tc_bindir)/checkpolicy
-CHECKMODULE ?= $(tc_bindir)/checkmodule
-SEMODULE ?= $(tc_sbindir)/semodule
-SEMOD_PKG ?= $(tc_bindir)/semodule_package
-SEMOD_LNK ?= $(tc_bindir)/semodule_link
-SEMOD_EXP ?= $(tc_bindir)/semodule_expand
-LOADPOLICY ?= $(tc_sbindir)/load_policy
+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+SEMODULE ?= $(tc_usrsbindir)/semodule
+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
 SETFILES ?= $(tc_sbindir)/setfiles
 XMLLINT ?= $(BINDIR)/xmllint
 SECHECK ?= $(BINDIR)/sechecker
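Review bot: `BINDIR` is removed at the top of the hunk but is still expanded on the TEST_TOOLCHAIN `tc_usrbindir` line and on the `XMLLINT` and `SECHECK` lines at the bottom, so unless BINDIR is still defined in a part of the Makefile outside this hunk those paths collapse to `/xmllint` and `/sechecker`, and the test-toolchain checkpolicy path loses its /usr/bin component. The three lines should read `tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(USRBINDIR)`, `XMLLINT ?= $(USRBINDIR)/xmllint` and `SECHECK ?= $(USRBINDIR)/sechecker`. The surrounding ifdef/endif structure begins before this hunk.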
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.3.12/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te	2006-09-01 14:10:19.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/admin/anaconda.te	2006-09-05 09:37:39.000000000 -0400
@@ -64,3 +64,9 @@
 optional_policy(`
 	usermanage_domtrans_admin_passwd(anaconda_t)
 ')
+
+
+# The following is just to quiet the anaconda complaining during the install
+domain_dontaudit_getattr_all_stream_sockets(anaconda_t)
+dontaudit domain anaconda_t:fd use;
+domain_dontaudit_use_interactive_fds(anaconda_t)
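Review bot: `dontaudit domain anaconda_t:fd use;` references the kernel-layer `domain` attribute directly, whereas the two surrounding lines go through `domain_dontaudit_*` interfaces; in a modular build an attribute from another module normally has to be pulled in with `gen_require`, which this hunk does not do, so the line may fail at module compile time or silently rely on the monolithic build. The rule is also unusual in direction, suppressing audit for every domain that uses anaconda_t's descriptors rather than for anaconda_t itself, so a comment naming the denials it was added to quiet would help. The two consecutive blank lines before the comment are out of step with the rest of the file.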
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.3.12/policy/modules/admin/bootloader.fc
--- nsaserefpolicy/policy/modules/admin/bootloader.fc	2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/admin/bootloader.fc	2006-09-05 09:37:39.000000000 -0400
@@ -10,3 +10,4 @@
 /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/boot/grub/.*		--	gen_context(system_u:object_r:boot_runtime_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.12/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te	2006-08-29 09:00:30.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/admin/bootloader.te	2006-09-05 09:37:39.000000000 -0400
@@ -161,7 +161,7 @@
 	allow bootloader_t self:capability ipc_lock;
 
 	# new file system defaults to file_t, granting file_t access is still bad.
-	allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+	allow bootloader_t boot_runtime_t:file { rw_file_perms unlink };
 
 	# mkinitrd mount initrd on bootloader temp dir
 	files_mountpoint(bootloader_tmp_t)
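Review bot: Raising boot_runtime_t access to `{ rw_file_perms unlink }` lands in the same diff as a bootloader.fc entry that labels every regular file under /boot/grub/ as boot_runtime_t, so bootloader_t can now rewrite and delete the grub configuration and stage files in addition to whatever the type covered before; that may be exactly what grub needs, but the comment above the rule (`# new file system defaults to file_t, granting file_t access is still bad.`) no longer explains this line. A later cover letter in this thread pairs this exact rule with a bugzilla URL, so a comment such as `# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202410 - bootloader rewrites files under /boot/grub` would let the next reviewer check whether the wider access is still required. The enclosing block starts before this hunk.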
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.12/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-08-29 09:00:30.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/admin/consoletype.te	2006-09-05 09:37:39.000000000 -0400
@@ -8,7 +8,12 @@
 
 type consoletype_t;
 type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+domain_type(consoletype_t)
+domain_entry_file(consoletype_t,consoletype_exec_t)
+role system_r types consoletype_t;
+
 mls_file_read_up(consoletype_t)
 mls_file_write_down(consoletype_t)
 role system_r types consoletype_t;
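Review bot: The added `role system_r types consoletype_t;` duplicates the existing `role system_r types consoletype_t;` four lines below, and the old `init_domain(...)` call is left as a commented-out line rather than removed. Duplicate role statements appear to be tolerated by the compiler, but they leave it unclear which one is authoritative; drop the new one, delete the `#init_domain` line, and turn the reason into a real comment, e.g. `# entered only via domain_entry_file; deliberately no automatic transition from initrc`, since the current `#dont transition from initrc` reads like a disabled rule.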
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-2.3.12/policy/modules/admin/firstboot.if
--- nsaserefpolicy/policy/modules/admin/firstboot.if	2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/admin/firstboot.if	2006-09-05 10:44:32.000000000 -0400
@@ -111,20 +111,3 @@
 
 	allow $1 firstboot_t:fifo_file write;
 ')
-########################################
-## <summary>
-##	Read firstboot writable config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`firstboot_read_rw_files',`
-	gen_require(`
-		type firstboot_rw_t;
-	')
-
-	allow $1 firstboot_rw_t:file r_file_perms;
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.12/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/admin/rpm.fc	2006-09-05 09:37:39.000000000 -0400
@@ -19,6 +19,8 @@
 /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2006-08-02 10:34:09.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/admin/rpm.if	2006-09-05 09:37:39.000000000 -0400
@@ -75,12 +75,13 @@
 	')
 
 	rpm_domtrans($1)
-	role $2 types rpm_t;
-	role $2 types rpm_script_t;
-	seutil_run_loadpolicy(rpm_script_t,$2,$3)
-	seutil_run_semanage(rpm_script_t,$2,$3)
-	seutil_run_setfiles(rpm_script_t,$2,$3)
-	seutil_run_restorecon(rpm_script_t,$2,$3)
+	#role $2 types rpm_t;
+	#role $2 types rpm_script_t;
+	role_transition $2 rpm_exec_t system_r;
+	seutil_run_loadpolicy(rpm_script_t,system_r,$3)
+	seutil_run_semanage(rpm_script_t,system_r,$3)
+	seutil_run_setfiles(rpm_script_t,system_r,$3)
+	seutil_run_restorecon(rpm_script_t,system_r,$3)
 	allow rpm_t $3:chr_file rw_term_perms;
 ')
 
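Review bot: `role_transition $2 rpm_exec_t system_r;` only takes effect if the caller's role is also permitted to change into system_r by a role allow rule (`allow $2 system_r;`), and none is added in this hunk, so the transition depends on such a rule existing elsewhere; if it does not, executing rpm from $2 is denied instead of landing in system_r. The old `role $2 types rpm_t;` and `role $2 types rpm_script_t;` lines are kept as comments; delete them rather than leaving disabled policy in an interface. Moving rpm_script_t and the seutil_run_* helpers from the caller's role to system_r also changes which role performs policy loads and relabels, which deserves a sentence in the interface documentation (the interface header is outside this hunk).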
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.12/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc	2006-08-29 09:00:26.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/apps/java.fc	2006-09-05 09:37:39.000000000 -0400
@@ -1,7 +1,7 @@
 #
 # /opt
 #
-/opt/(.*/)?bin/java([^/]*)? --	gen_context(system_u:object_r:java_exec_t,s0)
+/opt/(.*/)?java([^/]*)? --	gen_context(system_u:object_r:java_exec_t,s0)
 
 #
 # /usr
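Review bot: Dropping the `bin/` component turns `/opt/(.*/)?java([^/]*)?` into a match for any regular file under /opt whose basename starts with `java`, so a java.policy file, a javadoc archive or a javascript source would all receive java_exec_t, which is a domain entry type. If the goal is to catch installs that place the launcher outside a `bin` directory, enumerating those paths or anchoring the basename (requiring it to be exactly `java`) is safer than loosening the whole tree; please also add a comment stating which install layout motivated the change.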
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.3.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-09-01 14:10:17.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/kernel/corecommands.fc	2006-09-05 14:10:00.000000000 -0400
@@ -122,6 +122,7 @@
 /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
 /usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
 
+/usr/lib/vte/gnome-pty-helper --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
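Review bot: The new entry `/usr/lib/vte/gnome-pty-helper` only matches the 32-bit library directory, although a later message in this thread mentions this helper on 64-bit platforms; on a system where vte installs under /usr/lib64 the helper keeps its default label. The `/usr/lib(64)?/` form used elsewhere in reference policy, i.e. `/usr/lib(64)?/vte/gnome-pty-helper --	gen_context(system_u:object_r:bin_t,s0)`, would cover both. The `--` column is also not tab-aligned with its neighbours.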
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.12/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-09-01 14:10:17.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/kernel/corenetwork.te.in	2006-09-05 09:37:39.000000000 -0400
@@ -67,6 +67,7 @@
 network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
 network_port(comsat, udp,512,s0)
+network_port(cluster, tcp,40040,s0)
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
 network_port(dbskkd, tcp,1178,s0)
@@ -121,12 +122,13 @@
 network_port(radacct, udp,1646,s0, udp,1813,s0)
 network_port(radius, udp,1645,s0, udp,1812,s0)
 network_port(razor, tcp,2703,s0)
+network_port(ricci, tcp,11111,s0, udp,11111,s0)
+network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
 network_port(rndc, tcp,953,s0)
 network_port(router, udp,520,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(setroubleshoot, tcp,3267,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
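Review bot: Removing `network_port(setroubleshoot, tcp,3267,s0)` also removes setroubleshoot_port_t and every `corenet_*_setroubleshoot_port` interface generated from it, so any module still calling one of those will no longer build; the cover letter says setroubleshoot's network rules are being dropped, but those hunks are not in this part of the diff, so please confirm no other caller remains. The new `cluster` port has a consumer in this diff that does not use it: ccs.te comments `# Wants to connect to 40040` yet calls `corenet_tcp_connect_all_ports(ccs_t)`. Ordering-wise `ricci*` correctly follows `razor`, but `cluster` belongs before `comsat`, not after it.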
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.12/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc	2006-09-05 07:41:00.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/kernel/files.fc	2006-09-05 09:37:39.000000000 -0400
@@ -32,6 +32,7 @@
 /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
 /boot/lost\+found/.*		<<none>>
 /boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
+/boot/grub/slapsh.xpm.gz --	gen_context(system_u:object_r:boot_t,s0)
 
 #
 # /emul
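Review bot: `/boot/grub/slapsh.xpm.gz` looks like a transposition of `splash.xpm.gz`, and the dots are unescaped, unlike `System\.map` two lines above; as written the entry is unlikely to match the real splash image. Suggested line: `/boot/grub/splash\.xpm\.gz	--	gen_context(system_u:object_r:boot_t,s0)`. Since the bootloader.fc hunk in this diff labels everything under /boot/grub/ as boot_runtime_t, this more specific entry is presumably meant to carve the splash image out of that type; a comment saying so would help.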
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.12/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-08-02 10:34:05.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/kernel/filesystem.if	2006-09-05 14:35:07.000000000 -0400
@@ -2095,7 +2095,7 @@
 		type ramfs_t;
 	')
 
-	allow $1 ramfs_t:dir rw_dir_perms;
+	allow $1 ramfs_t:dir manage_dir_perms;
 	allow $1 ramfs_t:file manage_file_perms;
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.3.12/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-09-05 07:41:00.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/kernel/terminal.if	2006-09-05 15:27:35.000000000 -0400
@@ -433,6 +434,25 @@
 
 ########################################
 ## <summary>
+##	dontaudit setattr of generic pty types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+# dwalsh: added for rhgb
+interface(`term_dontaudit_setattr_generic_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dontaudit $1 devpts_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Read and write the generic pty
 ##	type.  This is generally only used in
 ##	the targeted policy.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.12/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te	2006-09-05 07:41:01.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/amavis.te	2006-09-05 09:37:39.000000000 -0400
@@ -156,6 +156,7 @@
 
 ifdef(`targeted_policy',`
 	term_dontaudit_use_generic_ptys(amavis_t)
+	term_dontaudit_use_unallocated_ttys(amavis_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.12/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2006-09-05 07:41:01.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/apache.te	2006-09-05 09:37:39.000000000 -0400
@@ -712,4 +712,5 @@
 
 ifdef(`targeted_policy',`
 	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
+	term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.12/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/bluetooth.te	2006-09-05 09:37:39.000000000 -0400
@@ -217,14 +217,16 @@
 	fs_rw_tmpfs_files(bluetooth_helper_t)
 
 	term_dontaudit_use_generic_ptys(bluetooth_helper_t)
+	term_dontaudit_use_unallocated_ttys(bluetooth_helper_t)
 
 	unconfined_stream_connect(bluetooth_helper_t)
 
 	userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
 
+	corenet_non_ipsec_sendrecv(bluetooth_helper_t)
+
 	optional_policy(`
 	        corenet_tcp_connect_xserver_port(bluetooth_helper_t)
-
 		xserver_stream_connect_xdm(bluetooth_helper_t)
 		xserver_use_xdm_fds(bluetooth_helper_t)
 		xserver_rw_xdm_pipes(bluetooth_helper_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.12/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/ccs.fc	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,8 @@
+# ccs executable will have:
+# label: system_u:object_r:ccs_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/sbin/ccsd		--	gen_context(system_u:object_r:ccs_exec_t,s0)
+/var/run/cluster(/.*)?		gen_context(system_u:object_r:ccs_var_run_t,s0)
+/etc/cluster(/.*)?		gen_context(system_u:object_r:cluster_conf_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.3.12/policy/modules/services/ccs.if
--- nsaserefpolicy/policy/modules/services/ccs.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/ccs.if	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,65 @@
+## <summary>policy for ccs</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ccs.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ccs_domtrans',`
+	gen_require(`
+		type ccs_t, ccs_exec_t;
+	')
+
+	domain_auto_trans($1,ccs_exec_t,ccs_t)
+
+	allow $1 ccs_t:fd use;
+	allow ccs_t $1:fd use;
+	allow ccs_t $1:fifo_file rw_file_perms;
+	allow ccs_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Connect to ccs over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ccs_stream_connect',`
+	gen_require(`
+		type ccs_t, ccs_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ccs_var_run_t:dir r_dir_perms;
+	allow $1 ccs_var_run_t:sock_file write;
+	allow $1 ccs_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Read cluster configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ccs_read_config',`
+	gen_require(`
+		type cluster_conf_t;
+	')
+
+	allow $1 cluster_conf_t:dir search_dir_perms;
+	allow $1 cluster_conf_t:file { getattr read };
+')
+
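Review bot: `ccs_stream_connect` grants `r_dir_perms` on ccs_var_run_t although only a search is needed to reach the socket; `ccs_read_config` in the same file uses `search_dir_perms`, so `allow $1 ccs_var_run_t:dir search_dir_perms;` would be both consistent and narrower. `ccs_read_config` spells `{ getattr read }` by hand where the rest of this diff uses `r_file_perms`; diverging from the convention without a stated reason invites follow-up denials. The module summary `policy for ccs` should name the daemon (presumably the cluster configuration daemon ccsd, per the .fc file), and `over an unix stream socket` should read `over a unix stream socket`.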
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.3.12/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/ccs.te	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,87 @@
+policy_module(ccs,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ccs_t;
+type ccs_exec_t;
+domain_type(ccs_t)
+init_daemon_domain(ccs_t, ccs_exec_t)
+
+# pid files
+type ccs_var_run_t;
+files_pid_file(ccs_var_run_t)
+
+# pid files
+type cluster_conf_t;
+files_type(cluster_conf_t)
+
+# log files
+type ccs_var_log_t;
+logging_log_file(ccs_var_log_t)
+
+########################################
+#
+# ccs local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+allow ccs_t self:process signal;
+
+allow ccs_t self:socket create_socket_perms;
+allow ccs_t self:tcp_socket create_stream_socket_perms;
+allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg };
+allow ccs_t self:unix_dgram_socket create_socket_perms;
+allow ccs_t self:netlink_route_socket r_netlink_socket_perms;
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(ccs_t)
+corenet_tcp_sendrecv_all_if(ccs_t)
+corenet_tcp_sendrecv_all_nodes(ccs_t)
+corenet_tcp_sendrecv_all_ports(ccs_t)
+corenet_udp_sendrecv_all_ports(ccs_t)
+corenet_non_ipsec_sendrecv(ccs_t)
+corenet_tcp_bind_all_nodes(ccs_t)
+corenet_udp_bind_all_nodes(ccs_t)
+# Wants to connect to 40040
+corenet_tcp_connect_all_ports(ccs_t)
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(ccs_t)
+libs_use_ld_so(ccs_t)
+libs_use_shared_libs(ccs_t)
+miscfiles_read_localization(ccs_t)
+## internal communication is often done using fifo and unix sockets.
+allow ccs_t self:fifo_file { read write };
+allow ccs_t self:unix_stream_socket create_stream_socket_perms;
+
+# pid file
+allow ccs_t ccs_var_run_t:file manage_file_perms;
+allow ccs_t ccs_var_run_t:sock_file manage_file_perms;
+allow ccs_t ccs_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ccs_t,ccs_var_run_t, { file sock_file })
+
+# log files
+allow ccs_t ccs_var_log_t:file create_file_perms;
+allow ccs_t ccs_var_log_t:sock_file create_file_perms;
+allow ccs_t ccs_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(ccs_t,ccs_var_log_t,{ sock_file file dir })
+
+logging_send_syslog_msg(ccs_t)
+
+files_read_etc_runtime_files(ccs_t)
+
+kernel_read_kernel_sysctls(ccs_t)
+
+sysnet_dns_name_resolve(ccs_t)
+
+unconfined_use_fds(ccs_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_generic_ptys(ccs_t)
+	term_dontaudit_use_unallocated_ttys(ccs_t)
+')
+
+allow ccs_t cluster_conf_t:dir r_dir_perms;
+allow ccs_t cluster_conf_t:file rw_file_perms;
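Review bot: `corenet_tcp_connect_all_ports(ccs_t)` is commented `# Wants to connect to 40040`, yet this same diff defines `network_port(cluster, tcp,40040,s0)` in corenetwork.te.in, so the port-specific connect interface generated from that definition should be used instead of opening every TCP port. `sysnet_dns_name_resolve(ccs_t)` appears twice, the `cluster_conf_t` declaration is commented `# pid files` (copy-paste from the block above; per the .fc it is the /etc/cluster configuration type), and template remarks such as `## Networking basics (adjust to your needs!)` and `# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.` were left in; the `##` prefix is the interface-doc marker and does not belong in a .te file. `domain_type(ccs_t)` is redundant if `init_daemon_domain` already makes ccs_t a domain, as its name suggests; confirm against init.if. Finally, `rw_file_perms` on cluster_conf_t lets the daemon modify its own configuration, which deserves a comment if ccsd legitimately propagates cluster.conf, otherwise `r_file_perms` is the safer default.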
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.3.12/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/clamav.te	2006-09-05 09:37:39.000000000 -0400
@@ -121,6 +121,7 @@
 cron_rw_pipes(clamd_t)
 
 ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(clamd_t)
 	term_dontaudit_use_generic_ptys(clamd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.3.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2006-09-05 07:41:01.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/cron.if	2006-09-05 09:37:39.000000000 -0400
@@ -57,6 +57,8 @@
 	type $1_crontab_tmp_t;
 	files_tmp_file($1_crontab_tmp_t)
 
+
+
 	##############################
 	#
 	# $1_crond_t local policy
@@ -178,10 +180,6 @@
 	# $1_crontab_t local policy
 	#
 
-	# dac_override is to create the file in the directory under /tmp
-	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
-	allow $1_crontab_t self:process signal_perms;
-
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
 	allow $2 $1_crontab_t:fd use;
@@ -200,8 +198,13 @@
 	# Allow crond to read those crontabs in cron spool.
 	allow crond_t $1_cron_spool_t:file create_file_perms;
 
-	allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
+	allow $1_crontab_t tmp_t:dir rw_dir_perms;
+	allow $1_crontab_t $1_crontab_tmp_t:file create_file_perms;
+	type_transition $1_crontab_t tmp_t:file $1_crontab_tmp_t;
+
+	# dac_override is to create the file in the directory under /tmp
+	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
+	allow $1_crontab_t self:process signal_perms;
 
 	# create files in /var/spool/cron
 	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
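Review bot: The new rules `allow $1_crontab_t tmp_t:dir rw_dir_perms;` and `type_transition $1_crontab_t tmp_t:file $1_crontab_tmp_t;` reference `tmp_t` directly inside a template, but `tmp_t` belongs to the files module and is not in this template's gen_require, so a modular build sees an undeclared type; the removed `files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)` encapsulated exactly this. Either restore the `files_` interface call for the transition and the directory access, or add `type tmp_t;` to the template's gen_require block, which lies outside this hunk. The swap from `manage_file_perms` to `create_file_perms` on the tmp file rule narrows what crontab may do with its own temp file; if that is deliberate a short comment would prevent it being "fixed" back later.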
@@ -256,6 +259,9 @@
 	')
 
 	ifdef(`TODO',`
+	allow $1_crond_t tmp_t:dir rw_dir_perms;
+	type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
+
 	# Read user crontabs
 	dontaudit $1_crontab_t $1_home_dir_t:dir write;
 	') dnl endif TODO
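Review bot: The added `type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;` names `$1_tmp_t` as both the parent directory type and the result type, so it would never apply to objects created under `tmp_t`; given the `allow $1_crond_t tmp_t:dir rw_dir_perms;` right above it, `tmp_t` looks like the intended target. Because the block sits under `ifdef(`TODO'` it is not compiled, so the rule should be corrected or dropped rather than carried forward as dead, wrong policy.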
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2006-09-05 07:41:01.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/cron.te	2006-09-05 09:37:39.000000000 -0400
@@ -175,6 +175,7 @@
 	allow crond_t crond_tmp_t:dir create_dir_perms;
 	allow crond_t crond_tmp_t:file create_file_perms;
 	files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
+	files_pid_filetrans(system_crond_t,crond_var_run_t,file)
 ')
 
 tunable_policy(`fcron_crond', `
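Review bot: `files_pid_filetrans(system_crond_t,crond_var_run_t,file)` is placed in a block that otherwise configures crond_t's tmp files, and a file transition alone grants system_crond_t no create or write access to `crond_var_run_t`; confirm the matching allow rules exist elsewhere in cron.te, since the enclosing conditional starts outside this hunk. Moving the line next to the other system_crond_t rules with a why-comment, e.g. `# system cron jobs write pid files into /var/run (job to confirm)`, would make the intent reviewable.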
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.12/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if	2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/dbus.if	2006-09-05 09:37:39.000000000 -0400
@@ -123,6 +123,7 @@
 	selinux_compute_relabel_context($1_dbusd_t)
 	selinux_compute_user_contexts($1_dbusd_t)
 
+	corecmd_bin_domtrans($1_dbusd_t, $1_t)
 	corecmd_list_bin($1_dbusd_t)
 	corecmd_read_bin_symlinks($1_dbusd_t)
 	corecmd_read_bin_files($1_dbusd_t)
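Review bot: `corecmd_bin_domtrans($1_dbusd_t, $1_t)` lets the per-user session bus execute any `bin_t` program with a transition into the user's own domain, which reads like the service-activation path, yet it is added without a comment and sits between the corecmd list/read rules rather than with the other `$1_t` interactions. A one-line why-comment such as `# dbus service activation: programs launched by the session bus run in the user domain` would keep the trust relationship visible to the next reader; the enclosing template starts outside this hunk.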
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.3.12/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/dovecot.te	2006-09-05 09:37:39.000000000 -0400
@@ -46,8 +46,6 @@
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
-
 domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 allow dovecot_t dovecot_auth_t:fd use;
 allow dovecot_auth_t dovecot_t:process sigchld;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.12/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/oddjob.fc	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,8 @@
+# oddjob executable will have:
+# label: system_u:object_r:oddjob_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
+/var/run/oddjobd.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/usr/lib/oddjobd			gen_context(system_u:object_r:oddjob_var_lib_t,s0)
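Review bot: `/usr/lib/oddjobd` is labeled `oddjob_var_lib_t`, a type that oddjob.te lets oddjob_t create files and directories in, which turns a path under `/usr/lib` into daemon-writable state; since oddjob_mkhomedir.fc labels `/usr/lib/oddjob/mkhomedir`, the directory name also looks like a typo for `/usr/lib/oddjob`. If this is a plugin directory it should carry a read-only label rather than a var_lib type, and without a `(/.*)?` suffix only the directory itself is labeled; the package layout would need confirming before choosing.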
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.12/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/oddjob.if	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,76 @@
+## <summary>policy for oddjob</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans',`
+	gen_require(`
+		type oddjob_t, oddjob_exec_t;
+	')
+
+	domain_auto_trans($1,oddjob_exec_t,oddjob_t)
+
+	allow $1 oddjob_t:fd use;
+	allow oddjob_t $1:fd use;
+	allow oddjob_t $1:fifo_file rw_file_perms;
+	allow oddjob_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Make the specified program domain accessable
+##	from the oddjob.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to transition to.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type of the file used as an entrypoint to this domain.
+##	</summary>
+## </param>
+#
+interface(`oddjob_system_entry',`
+	gen_require(`
+		type oddjob_t;
+	')
+
+	domain_auto_trans(oddjob_t, $2, $1)
+
+	allow oddjob_t $1:fd use;
+	allow $1 oddjob_t:fd use;
+	allow $1 oddjob_t:fifo_file rw_file_perms;
+	allow $1 oddjob_t:process sigchld;
+
+')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	oddjob over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`oddjob_dbus_chat',`
+	gen_require(`
+		type oddjob_t;
+		class dbus send_msg;
+	')
+
+	allow $1 oddjob_t:dbus send_msg;
+	allow oddjob_t $1:dbus send_msg;
+')
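Review bot: `oddjob_system_entry` gives oddjob_t an automatic transition into whatever domain the caller names via `$2`, but its summary ("Make the specified program domain accessable from the oddjob") does not say that, and "accessable" is misspelled. Suggest `##	Allow oddjob to execute the given entrypoint with an automatic transition into the specified domain.` so callers understand they are letting oddjob launch code in that domain; the stray blank line before the closing `')` can also go.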
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.fc
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.fc	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,6 @@
+# oddjob_mkhomedir executable will have:
+# label: system_u:object_r:oddjob_mkhomedir_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/lib/oddjob/mkhomedir		--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.if
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.if	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,24 @@
+## <summary>policy for oddjob_mkhomedir</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run oddjob_mkhomedir.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_mkhomedir_domtrans',`
+	gen_require(`
+		type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
+	')
+
+	domain_auto_trans($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
+
+	allow $1 oddjob_mkhomedir_t:fd use;
+	allow oddjob_mkhomedir_t $1:fd use;
+	allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
+	allow oddjob_mkhomedir_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.te
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.te	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,29 @@
+policy_module(oddjob_mkhomedir,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oddjob_mkhomedir_t;
+type oddjob_mkhomedir_exec_t;
+domain_type(oddjob_mkhomedir_t)
+init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+
+########################################
+#
+# oddjob_mkhomedir local policy
+#
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(oddjob_mkhomedir_t)
+libs_use_ld_so(oddjob_mkhomedir_t)
+libs_use_shared_libs(oddjob_mkhomedir_t)
+miscfiles_read_localization(oddjob_mkhomedir_t)
+## internal communication is often done using fifo and unix sockets.
+allow oddjob_mkhomedir_t self:fifo_file { read write };
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+domain_auto_trans(unconfined_t,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
+
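Review bot: `init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)` declares the helper as an init-started daemon, yet this file enters it only through `oddjob_system_entry` and a direct `domain_auto_trans` from `unconfined_t`; `domain_entry_file(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)` plus `role system_r types oddjob_mkhomedir_t;`, the pattern ricci.te uses for its helpers, matches how the domain is actually entered and avoids granting init-script transitions it does not need. The bare reference to `unconfined_t` is also unguarded, so the module fails to build where the unconfined module is absent; wrap it in `optional_policy(`…')` with a gen_require or go through the unconfined module's interface as oddjob.te does. Nothing here allows the helper to touch home directories, so presumably the real rules are still to come; a comment saying so would avoid this being mistaken for a finished domain.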
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.12/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/oddjob.te	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,73 @@
+policy_module(oddjob,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oddjob_t;
+type oddjob_exec_t;
+domain_type(oddjob_t)
+init_daemon_domain(oddjob_t, oddjob_exec_t)
+
+# pid files
+type oddjob_var_run_t;
+files_pid_file(oddjob_var_run_t)
+
+# var/lib files
+type oddjob_var_lib_t;
+files_type(oddjob_var_lib_t)
+
+########################################
+#
+# oddjob local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(oddjob_t)
+libs_use_ld_so(oddjob_t)
+libs_use_shared_libs(oddjob_t)
+miscfiles_read_localization(oddjob_t)
+## internal communication is often done using fifo and unix sockets.
+allow oddjob_t self:fifo_file { read write };
+allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
+
+# pid file
+allow oddjob_t oddjob_var_run_t:file manage_file_perms;
+allow oddjob_t oddjob_var_run_t:sock_file manage_file_perms;
+allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
+
+# var/lib files for oddjob
+allow oddjob_t oddjob_var_lib_t:file create_file_perms;
+allow oddjob_t oddjob_var_lib_t:sock_file create_file_perms;
+allow oddjob_t oddjob_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(oddjob_t,oddjob_var_lib_t, { file dir sock_file })
+
+init_dontaudit_use_fds(oddjob_t)
+allow oddjob_t self:capability { audit_write setgid } ;
+allow oddjob_t self:process setexec;
+
+locallogin_dontaudit_use_fds(oddjob_t)
+
+optional_policy(`
+	dbus_system_bus_client_template(oddjob,oddjob_t)
+	dbus_send_system_bus(oddjob_t)
+	dbus_connect_system_bus(oddjob_t)
+')
+
+corecmd_search_sbin(oddjob_t)
+corecmd_exec_shell(oddjob_t)
+
+selinux_compute_create_context(oddjob_t)
+
+kernel_read_system_state(oddjob_t)
+
+unconfined_domtrans(oddjob_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_generic_ptys(oddjob_t)
+	term_dontaudit_use_unallocated_ttys(oddjob_t)
+')
+
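Review bot: `unconfined_domtrans(oddjob_t)`, `corecmd_exec_shell(oddjob_t)` and `allow oddjob_t self:process setexec;` together make oddjob_t a bus-reachable route into the unconfined domain, and none of them carries a comment saying which job requires it; each should be justified, and `unconfined_domtrans` belongs under `optional_policy(`…')` so the module builds without the unconfined module. Since `oddjob_dbus_chat` is what gives a client the ability to request jobs, a comment such as `# oddjob may run helpers in the unconfined domain; clients granted oddjob_dbus_chat can request those jobs (see oddjobd.conf)` keeps the trust boundary explicit. The ` ;` spacing on the capability line and the template boilerplate comment about `/etc/selinux/refpolicy/include` are style nits.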
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.12/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/pegasus.if	2006-09-05 09:37:39.000000000 -0400
@@ -1 +1,32 @@
 ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run pegasus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pegasus_domtrans',`
+	gen_require(`
+		type pegasus_t, pegasus_exec_t;
+	')
+
+	ifdef(`targeted_policy',`
+		if(pegasus_disable_trans) {
+			can_exec($1,pegasus_exec_t)
+		} else {
+			domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+		}
+	', `
+		domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+	')
+
+	allow $1 pegasus_t:fd use;
+	allow pegasus_t $1:fd use;
+	allow pegasus_t $1:fifo_file rw_file_perms;
+	allow pegasus_t $1:process sigchld;
+')
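Review bot: The `targeted_policy` branch tests `pegasus_disable_trans`, but the interface's gen_require lists only `type pegasus_t, pegasus_exec_t;`, so a caller in a separate module fails on the undeclared boolean. Add `bool pegasus_disable_trans;` to the gen_require, inside the `ifdef(`targeted_policy'` if the boolean is only declared for that build.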
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.12/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te	2006-08-23 12:14:54.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/pegasus.te	2006-09-05 09:37:39.000000000 -0400
@@ -100,13 +100,12 @@
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
 hostname_exec(pegasus_t)
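Review bot: `files_read_all_files(pegasus_t)` replaces three scoped reads (etc, var_lib listing and var_lib files) with read access to every file type in the policy, and `auth_read_shadow(pegasus_t)` is stacked on the existing `auth_domtrans_chk_passwd`, which already delegates password checks to a separate domain. Neither carries a rationale; if specific paths produced denials, the narrower `files_read_*` interface for that set keeps the CIM server away from credentials and keys it has no reason to read, and the shadow read should go unless the chk_passwd transition is known not to cover the case. At minimum add `# TODO narrow: read_all_files added for denials on <path to confirm>` so the widening is tracked.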
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.3.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/postfix.te	2006-09-05 09:37:39.000000000 -0400
@@ -171,6 +171,11 @@
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(postfix_master_t)
+	term_dontaudit_use_generic_ptys(postfix_master_t)
+')
+
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
 ')
@@ -361,6 +366,7 @@
 sysnet_read_config(postfix_map_t)
 
 ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(postfix_map_t)
 	term_dontaudit_use_generic_ptys(postfix_map_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-2.3.12/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te	2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/rhgb.te	2006-09-05 15:28:11.000000000 -0400
@@ -10,9 +10,6 @@
 type rhgb_exec_t;
 init_daemon_domain(rhgb_t,rhgb_exec_t)
 
-type rhgb_devpts_t;
-term_pty(rhgb_devpts_t)
-
 type rhgb_tmpfs_t;
 files_tmpfs_file(rhgb_tmpfs_t)
 
@@ -21,7 +18,7 @@
 # Local policy
 #
 
-allow rhgb_t self:capability { sys_admin sys_tty_config };
+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
 dontaudit rhgb_t self:capability sys_tty_config;
 allow rhgb_t self:process signal_perms;
 allow rhgb_t self:shm create_shm_perms;
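Review bot: The capability set grows by `fsetid setgid setuid` with no comment, and the later hunks in this file (`corecmd_exec_shell`, `sysnet_domtrans_ifconfig`) suggest the splash daemon now launches helpers that change identity; a boot splash holding setuid/setgid is a notable privilege, so the line should name the helper that needs it, e.g. `# setuid/setgid/fsetid: needed by <helper to confirm> launched from rhgb`. Without that, the next audit of this domain cannot tell whether the capabilities are still required.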
@@ -29,9 +26,7 @@
 allow rhgb_t self:fifo_file rw_file_perms;
 allow rhgb_t self:tcp_socket create_socket_perms;
 allow rhgb_t self:udp_socket create_socket_perms;
-
-allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
-term_create_pty(rhgb_t,rhgb_devpts_t)
+allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms;
 allow rhgb_t rhgb_tmpfs_t:file manage_file_perms;
@@ -39,12 +34,14 @@
 allow rhgb_t rhgb_tmpfs_t:sock_file manage_file_perms;
 allow rhgb_t rhgb_tmpfs_t:fifo_file manage_file_perms;
 fs_tmpfs_filetrans(rhgb_t,rhgb_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_getattr_tmpfs(rhgb_t)
 
 kernel_read_kernel_sysctls(rhgb_t)
 kernel_read_system_state(rhgb_t)
 
 corecmd_exec_bin(rhgb_t)
 corecmd_exec_sbin(rhgb_t)
+corecmd_exec_shell(rhgb_t)
 
 corenet_non_ipsec_sendrecv(rhgb_t)
 corenet_tcp_sendrecv_generic_if(rhgb_t)
@@ -61,6 +58,7 @@
 domain_use_interactive_fds(rhgb_t)
 
 files_read_etc_files(rhgb_t)
+files_read_var_files(rhgb_t)
 files_read_etc_runtime_files(rhgb_t)
 files_search_tmp(rhgb_t)
 files_read_usr_files(rhgb_t)
@@ -80,6 +78,8 @@
 
 term_dontaudit_use_console(rhgb_t)
 term_use_unallocated_ttys(rhgb_t)
+term_use_ptmx(rhgb_t)
+term_getattr_pty_fs(rhgb_t)
 
 init_use_fds(rhgb_t)
 init_use_script_ptys(rhgb_t)
@@ -96,6 +96,7 @@
 miscfiles_read_fonts(rhgb_t)
 
 sysnet_read_config(rhgb_t)
+sysnet_domtrans_ifconfig(rhgb_t)
 
 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
 
@@ -104,14 +105,21 @@
 # for running setxkbmap
 xserver_read_xkb_libs(rhgb_t)
 
-ifdef(`targeted_policy',`
+ifdef(`strict_policy',`
+	type rhgb_devpts_t;
+	term_pty(rhgb_devpts_t)
+
+	allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
+	term_create_pty(rhgb_t,rhgb_devpts_t)
+', `
+	term_dontaudit_use_generic_ptys(rhgb_t)
+	term_dontaudit_setattr_generic_ptys(rhgb_t)
 	term_dontaudit_use_unallocated_ttys(rhgb_t)
 	term_dontaudit_use_generic_ptys(rhgb_t)
 	files_dontaudit_read_root_files(rhgb_t)
-')
-
-optional_policy(`
-	firstboot_read_rw_files(rhgb_t)
+	xserver_domtrans_xdm_xserver(rhgb_t)
+	xserver_signal_xdm_xserver(rhgb_t)
+	xserver_read_xdm_tmp_files(rhgb_t)
 ')
 
 optional_policy(`
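Review bot: In the non-strict branch `term_dontaudit_use_generic_ptys(rhgb_t)` now appears twice (the newly added line and the retained one), and the `optional_policy(` firstboot_read_rw_files(rhgb_t) ')` block is removed outright rather than kept next to the new rules; if dropping firstboot support is intentional it deserves a line in the commit message, otherwise it is a regression. The `xserver_domtrans_xdm_xserver`/`xserver_signal_xdm_xserver`/`xserver_read_xdm_tmp_files` calls are in a plain `ifdef` rather than `optional_policy(`…')`, which is fine only if rhgb.te already treats xserver as a hard dependency, as the unconditional `xserver_read_xkb_libs` above suggests.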
@@ -126,22 +134,13 @@
 	udev_read_db(rhgb_t)
 ')
 
+userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
+
 ifdef(`TODO',`
-	#TODO
-	ifdef(`hide_broken_symptoms', `
-		# for a bug in the X server
-		dontaudit mount_t rhgb_gph_t:fd use;
-	')
 	#TODO this seems a bit much
 	allow domain rhgb_devpts_t:chr_file { read write };
-	#TODO this (ie files_dontaudit_read_default_files(rhgb_t))doesn't make sense with the following
-	allow rhgb_t default_t:file { getattr read };
 	#TODO
 	# for gnome-pty-helper
 	gph_domain(rhgb, system)
 	allow initrc_t rhgb_gph_t:fd use;
-	ifdef(`hide_broken_symptoms', `
-		# it should not do this
-		dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.3.12/policy/modules/services/ricci.fc
--- nsaserefpolicy/policy/modules/services/ricci.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/ricci.fc	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,20 @@
+# ricci executable will have:
+# label: system_u:object_r:ricci_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/sbin/ricci		--	gen_context(system_u:object_r:ricci_exec_t,s0)
+/var/lib/ricci(/.*)?		gen_context(system_u:object_r:ricci_var_lib_t,s0)
+
+/usr/sbin/ricci-modclusterd	--	gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/var/run/ricci-modclusterd.pid  --	gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/var/log/clumond.log 		--	gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
+
+/usr/sbin/ricci-modlog		--	gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
+/usr/sbin/ricci-modlog_ro	--	gen_context(system_u:object_r:ricci_modlog_ro_exec_t,s0)
+
+/usr/sbin/ricci-modrpm		--	gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
+/usr/sbin/ricci-modcluster	--	gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
+/usr/sbin/ricci-modservice	--	gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
+/usr/sbin/ricci-modstorage	--	gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
+
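Review bot: ricci.te declares `ricci_var_run_t` and `ricci_var_log_t` and creates files of those types through file transitions, but no path in this file carries either label, so anything ricci leaves under /var/run or /var/log is relabeled to the generic type on the next restorecon; likewise `ricci_modcluster_var_run_t` is labeled only for the `.pid` file while ricci.if connects to a `sock_file` of that type. Adding the pid, log and socket paths here (exact names to confirm from the package) keeps the labels stable across relabels.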
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.3.12/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/ricci.if	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,184 @@
+## <summary>policy for ricci</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ricci.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans',`
+	gen_require(`
+		type ricci_t, ricci_exec_t;
+	')
+
+	domain_auto_trans($1,ricci_exec_t,ricci_t)
+
+	allow $1 ricci_t:fd use;
+	allow ricci_t $1:fd use;
+	allow ricci_t $1:fifo_file rw_file_perms;
+	allow ricci_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run ricci_modlog.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modlog_domtrans',`
+	gen_require(`
+		type ricci_modlog_t, ricci_modlog_exec_t;
+	')
+
+	domain_auto_trans($1,ricci_modlog_exec_t,ricci_modlog_t)
+
+	allow $1 ricci_modlog_t:fd use;
+	allow ricci_modlog_t $1:fd use;
+	allow ricci_modlog_t $1:fifo_file rw_file_perms;
+	allow ricci_modlog_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run ricci_modlog_ro.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modlog_ro_domtrans',`
+	gen_require(`
+		type ricci_modlog_ro_t, ricci_modlog_ro_exec_t;
+	')
+
+	domain_auto_trans($1,ricci_modlog_ro_exec_t,ricci_modlog_ro_t)
+
+	allow $1 ricci_modlog_ro_t:fd use;
+	allow ricci_modlog_ro_t $1:fd use;
+	allow ricci_modlog_ro_t $1:fifo_file rw_file_perms;
+	allow ricci_modlog_ro_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run ricci_modrpm.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modrpm_domtrans',`
+	gen_require(`
+		type ricci_modrpm_t, ricci_modrpm_exec_t;
+	')
+
+	domain_auto_trans($1,ricci_modrpm_exec_t,ricci_modrpm_t)
+
+	allow $1 ricci_modrpm_t:fd use;
+	allow ricci_modrpm_t $1:fd use;
+	allow ricci_modrpm_t $1:fifo_file rw_file_perms;
+	allow ricci_modrpm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run ricci_modservice.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modservice_domtrans',`
+	gen_require(`
+		type ricci_modservice_t, ricci_modservice_exec_t;
+	')
+
+	domain_auto_trans($1,ricci_modservice_exec_t,ricci_modservice_t)
+
+	allow $1 ricci_modservice_t:fd use;
+	allow ricci_modservice_t $1:fd use;
+	allow ricci_modservice_t $1:fifo_file rw_file_perms;
+	allow ricci_modservice_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run ricci_modcluster.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modcluster_domtrans',`
+	gen_require(`
+		type ricci_modcluster_t, ricci_modcluster_exec_t;
+	')
+
+	domain_auto_trans($1,ricci_modcluster_exec_t,ricci_modcluster_t)
+
+	allow $1 ricci_modcluster_t:fd use;
+	allow ricci_modcluster_t $1:fd use;
+	allow ricci_modcluster_t $1:fifo_file rw_file_perms;
+	allow ricci_modcluster_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run ricci_modstorage.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modstorage_domtrans',`
+	gen_require(`
+		type ricci_modstorage_t, ricci_modstorage_exec_t;
+	')
+
+	domain_auto_trans($1,ricci_modstorage_exec_t,ricci_modstorage_t)
+
+	allow $1 ricci_modstorage_t:fd use;
+	allow ricci_modstorage_t $1:fd use;
+	allow ricci_modstorage_t $1:fifo_file rw_file_perms;
+	allow ricci_modstorage_t $1:process sigchld;
+')
+
+
+
+########################################
+## <summary>
+##	Connect to ricci_modclusterd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ricci_modclusterd_stream_connect',`
+	gen_require(`
+		type ricci_modclusterd_t, ricci_modcluster_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ricci_modcluster_var_run_t:sock_file write;
+	allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+')
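Review bot: The seven `ricci_*_domtrans` interfaces are near-identical copies, and for the helper domains they export an automatic transition into domains that ricci.te gives non-trivial rights (`ricci_modservice_t` receives `init_domtrans_script` and `dac_override`), while ricci.te itself enters those helpers through `oddjob_system_entry` and direct `domain_auto_trans` from ricci_t rather than through these interfaces. If the helpers are only meant to be launched by ricci and oddjob, the per-helper interfaces can be dropped; if they stay, their summaries should say what the target domain is able to do so a future caller sees the privilege it is handing out. "an unix" should read "a unix", and the three blank lines before `ricci_modclusterd_stream_connect` can go.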
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.3.12/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.12/policy/modules/services/ricci.te	2006-09-05 09:37:39.000000000 -0400
@@ -0,0 +1,386 @@
+policy_module(ricci,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ricci_t;
+type ricci_exec_t;
+domain_type(ricci_t)
+init_daemon_domain(ricci_t, ricci_exec_t)
+
+# pid files
+type ricci_var_run_t;
+files_pid_file(ricci_var_run_t)
+
+# tmp files
+type ricci_tmp_t;
+files_tmp_file(ricci_tmp_t)
+
+# var/lib files
+type ricci_var_lib_t;
+files_type(ricci_var_lib_t)
+
+# log files
+type ricci_var_log_t;
+logging_log_file(ricci_var_log_t)
+
+type ricci_modclusterd_t;
+type ricci_modclusterd_exec_t;
+domain_type(ricci_modclusterd_t)
+init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+
+type ricci_modlog_t;
+type ricci_modlog_exec_t;
+domain_type(ricci_modlog_t)
+domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
+role system_r types ricci_modlog_t;
+
+type ricci_modlog_ro_t;
+type ricci_modlog_ro_exec_t;
+domain_type(ricci_modlog_ro_t)
+domain_entry_file(ricci_modlog_ro_t, ricci_modlog_ro_exec_t)
+role system_r types ricci_modlog_ro_t;
+
+type ricci_modrpm_t;
+type ricci_modrpm_exec_t;
+domain_type(ricci_modrpm_t)
+domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
+role system_r types ricci_modrpm_t;
+
+type ricci_modservice_t;
+type ricci_modservice_exec_t;
+domain_type(ricci_modservice_t)
+domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
+role system_r types ricci_modservice_t;
+
+type ricci_modstorage_t;
+type ricci_modstorage_exec_t;
+domain_type(ricci_modstorage_t)
+domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
+role system_r types ricci_modstorage_t;
+
+type ricci_modcluster_t;
+type ricci_modcluster_exec_t;
+domain_type(ricci_modcluster_t)
+domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
+role system_r types ricci_modcluster_t;
+
+# pid files
+type ricci_modcluster_var_run_t;
+files_pid_file(ricci_modcluster_var_run_t)
+
+# var/lib files
+type ricci_modcluster_var_lib_t;
+files_type(ricci_modcluster_var_lib_t)
+
+# log files
+type ricci_modcluster_var_log_t;
+logging_log_file(ricci_modcluster_var_log_t)
+
+########################################
+#
+# ricci local policy
+#
+allow ricci_t self:capability { setuid sys_nice };
+allow ricci_t self:process setsched;
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(ricci_t)
+files_read_etc_runtime_files(ricci_t)
+
+libs_use_ld_so(ricci_t)
+libs_use_shared_libs(ricci_t)
+miscfiles_read_localization(ricci_t)
+## internal communication is often done using fifo and unix sockets.
+allow ricci_t self:fifo_file { read write };
+allow ricci_t self:unix_stream_socket create_stream_socket_perms;
+
+# pid file
+allow ricci_t ricci_var_run_t:file manage_file_perms;
+allow ricci_t ricci_var_run_t:sock_file manage_file_perms;
+allow ricci_t ricci_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ricci_t,ricci_var_run_t, { file sock_file })
+
+# tmp file
+allow ricci_t ricci_tmp_t:dir create_dir_perms;
+allow ricci_t ricci_tmp_t:file create_file_perms;
+files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
+
+# log files
+allow ricci_t ricci_var_log_t:file create_file_perms;
+allow ricci_t ricci_var_log_t:sock_file create_file_perms;
+allow ricci_t ricci_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(ricci_t,ricci_var_log_t,{ sock_file file dir })
+
+init_dontaudit_use_fds(ricci_t)
+
+kernel_read_kernel_sysctls(ricci_t)
+
+optional_policy(`
+	dbus_system_bus_client_template(ricci,ricci_t)
+	dbus_send_system_bus(ricci_t)
+	oddjob_dbus_chat(ricci_t)
+')
+
+# var/lib files for ricci
+allow ricci_t ricci_var_lib_t:file create_file_perms;
+allow ricci_t ricci_var_lib_t:sock_file create_file_perms;
+allow ricci_t ricci_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(ricci_t,ricci_var_lib_t, { file dir sock_file })
+
+auth_domtrans_chk_passwd(ricci_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_generic_ptys(ricci_t)
+	term_dontaudit_use_unallocated_ttys(ricci_t)
+')
+
+locallogin_dontaudit_use_fds(ricci_t)
+
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(ricci_t)
+corenet_tcp_sendrecv_all_if(ricci_t)
+corenet_tcp_sendrecv_all_nodes(ricci_t)
+corenet_tcp_sendrecv_all_ports(ricci_t)
+corenet_non_ipsec_sendrecv(ricci_t)
+corenet_tcp_connect_http_port(ricci_t)
+#corenet_tcp_connect_all_ports(ricci_t)
+## if it is a network daemon, consider these:
+#corenet_tcp_bind_all_ports(ricci_t)
+#corenet_tcp_bind_all_nodes(ricci_t)
+allow ricci_t self:tcp_socket { listen accept };
+
+# ricci wants to bind to 11111
+corenet_udp_bind_ricci_port(ricci_t)
+corenet_tcp_bind_ricci_port(ricci_t)
+corenet_tcp_bind_inaddr_any_node(ricci_t)
+
+corecmd_exec_sbin(ricci_t)
+
+dev_read_urand(ricci_t)
+
+unconfined_use_fds(ricci_t)
+
+optional_policy(`
+	ccs_read_config(ricci_t)
+')
+
+########################################
+#
+# ricci_modclusterd local policy
+#
+allow ricci_modclusterd_t self:capability sys_nice;
+allow ricci_modclusterd_t self:process { signal sigkill setsched };
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(ricci_modclusterd_t)
+libs_use_ld_so(ricci_modclusterd_t)
+libs_use_shared_libs(ricci_modclusterd_t)
+miscfiles_read_localization(ricci_modclusterd_t)
+## internal communication is often done using fifo and unix sockets.
+allow ricci_modclusterd_t self:fifo_file rw_file_perms;
+allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
+allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
+allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
+corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
+
+corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
+corenet_tcp_bind_inaddr_any_node(ricci_modclusterd_t)
+corenet_tcp_bind_all_nodes(ricci_modclusterd_t)
+allow ricci_modclusterd_t self:tcp_socket create_socket_perms;
+allow ricci_modclusterd_t self:socket create_socket_perms;
+files_read_etc_runtime_files(ricci_modclusterd_t)
+
+corecmd_exec_bin(ricci_modclusterd_t)
+corecmd_exec_sbin(ricci_modclusterd_t)
+
+# pid file
+allow ricci_modclusterd_t ricci_modcluster_var_run_t:file manage_file_perms;
+allow ricci_modclusterd_t ricci_modcluster_var_run_t:sock_file manage_file_perms;
+allow ricci_modclusterd_t ricci_modcluster_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ricci_modclusterd_t,ricci_modcluster_var_run_t, { file sock_file })
+
+# log files
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:file create_file_perms;
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:sock_file create_file_perms;
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(ricci_modclusterd_t,ricci_modcluster_var_log_t,{ sock_file file dir })
+
+init_dontaudit_use_fds(ricci_modclusterd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_generic_ptys(ricci_modclusterd_t)
+	term_dontaudit_use_unallocated_ttys(ricci_modclusterd_t)
+')
+
+locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+
+fs_getattr_xattr_fs(ricci_modclusterd_t)
+
+kernel_read_kernel_sysctls(ricci_modclusterd_t)
+kernel_read_system_state(ricci_modclusterd_t)
+
+sysnet_domtrans_ifconfig(ricci_modclusterd_t)
+sysnet_dns_name_resolve(ricci_modclusterd_t)
+
+unconfined_use_fds(ricci_modclusterd_t)
+
+optional_policy(`
+	ccs_stream_connect(ricci_modclusterd_t)
+	ccs_read_config(ricci_modclusterd_t)
+')
+
+########################################
+#
+# ricci_modlog local policy
+#
+
+oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
+domain_auto_trans(ricci_t,ricci_modlog_exec_t,ricci_modlog_t)
+
+########################################
+#
+# ricci_modlog_ro local policy
+#
+
+oddjob_system_entry(ricci_modlog_ro_t, ricci_modlog_ro_exec_t)
+domain_auto_trans(ricci_t,ricci_modlog_ro_exec_t,ricci_modlog_ro_t)
+files_read_etc_files(ricci_modlog_t)
+
+libs_use_ld_so(ricci_modlog_t)
+libs_use_shared_libs(ricci_modlog_t)
+miscfiles_read_localization(ricci_modlog_t)
+
+nscd_dontaudit_search_pid(ricci_modlog_t)
+
+allow ricci_modlog_t self:capability sys_nice;
+allow ricci_modlog_t self:process setsched;
+
+corecmd_exec_bin(ricci_modlog_t)
+corecmd_exec_sbin(ricci_modlog_t)
+
+kernel_read_kernel_sysctls(ricci_modlog_t)
+kernel_read_system_state(ricci_modlog_t)
+
+files_search_usr(ricci_modlog_t)
+logging_read_generic_logs(ricci_modlog_t)
+
+domain_read_all_domains_state(ricci_modlog_t)
+
+########################################
+#
+# ricci_modrpm local policy
+#
+
+oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
+domain_auto_trans(ricci_t,ricci_modrpm_exec_t,ricci_modrpm_t)
+
+########################################
+#
+# ricci_modservice local policy
+#
+
+oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
+domain_auto_trans(ricci_t,ricci_modservice_exec_t,ricci_modservice_t)
+
+consoletype_exec(ricci_modservice_t)
+
+files_read_etc_runtime_files(ricci_modservice_t)
+
+init_domtrans_script(ricci_modservice_t)
+
+libs_use_ld_so(ricci_modservice_t)
+libs_use_shared_libs(ricci_modservice_t)
+miscfiles_read_localization(ricci_modservice_t)
+
+nscd_dontaudit_search_pid(ricci_modservice_t)
+
+allow ricci_modservice_t self:capability { dac_override sys_nice };
+allow ricci_modservice_t self:fifo_file { getattr read write };
+allow ricci_modservice_t self:process setsched;
+
+corecmd_exec_sbin(ricci_modservice_t)
+corecmd_exec_bin(ricci_modservice_t)
+corecmd_exec_shell(ricci_modservice_t)
+
+kernel_read_kernel_sysctls(ricci_modservice_t)
+kernel_read_system_state(ricci_modservice_t)
+
+files_search_usr(ricci_modservice_t)
+
+optional_policy(`
+	ccs_read_config(ricci_modservice_t)
+')
+
+########################################
+#
+# ricci_modstorage local policy
+#
+
+oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
+domain_auto_trans(ricci_t,ricci_modstorage_exec_t,ricci_modstorage_t)
+
+allow ricci_modstorage_t self:process setsched;
+allow ricci_modstorage_t self:capability { mknod sys_nice };
+allow ricci_modstorage_t self:fifo_file rw_file_perms;
+
+corecmd_exec_bin(ricci_modstorage_t)
+corecmd_exec_sbin(ricci_modstorage_t)
+
+files_read_etc_files(ricci_modstorage_t)
+files_read_etc_runtime_files(ricci_modstorage_t)
+
+fstools_domtrans(ricci_modstorage_t)
+
+libs_use_ld_so(ricci_modstorage_t)
+libs_use_shared_libs(ricci_modstorage_t)
+miscfiles_read_localization(ricci_modstorage_t)
+
+lvm_domtrans(ricci_modstorage_t)
+
+kernel_read_kernel_sysctls(ricci_modstorage_t)
+dev_read_sysfs(ricci_modstorage_t)
+dev_read_urand(ricci_modstorage_t)
+
+files_read_usr_files(ricci_modstorage_t)
+
+########################################
+#
+# ricci_modcluster local policy
+#
+
+oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
+domain_auto_trans(ricci_t,ricci_modcluster_exec_t,ricci_modcluster_t)
+
+files_read_etc_runtime_files(ricci_modcluster_t)
+files_read_etc_files(ricci_modcluster_t)
+
+libs_use_ld_so(ricci_modcluster_t)
+libs_use_shared_libs(ricci_modcluster_t)
+
+miscfiles_read_localization(ricci_modcluster_t)
+
+nscd_socket_use(ricci_modcluster_t)
+
+allow ricci_modcluster_t self:capability sys_nice;
+allow ricci_modcluster_t self:process setsched;
+
+corecmd_exec_sbin(ricci_modcluster_t)
+corecmd_exec_bin(ricci_modcluster_t)
+
+kernel_read_kernel_sysctls(ricci_modcluster_t)
+kernel_read_system_state(ricci_modcluster_t)
+
+files_search_usr(ricci_modcluster_t)
+
+ricci_modclusterd_stream_connect(ricci_modcluster_t)
+
+optional_policy(`
+	ccs_read_config(ricci_modcluster_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.12/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/setroubleshoot.te	2006-09-05 09:37:39.000000000 -0400
@@ -64,9 +64,7 @@
 corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
 corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
 corenet_tcp_bind_all_nodes(setroubleshootd_t)
-corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
 corenet_tcp_connect_smtp_port(setroubleshootd_t)
-corenet_sendrecv_setroubleshoot_server_packets(setroubleshootd_t)
 corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
 
 dev_read_urand(setroubleshootd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.3.12/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te	2006-08-16 08:46:30.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/ssh.te	2006-09-05 13:13:30.000000000 -0400
@@ -39,10 +39,6 @@
 	type ssh_agent_exec_t;
 	files_type(ssh_agent_exec_t)
 
-	type ssh_keygen_t;
-	init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
-	role system_r types ssh_keygen_t;
-
 	ssh_server_template(sshd)
 	ssh_server_template(sshd_extern)
 
@@ -193,62 +189,68 @@
 # ssh_keygen local policy
 #
 
-ifdef(`targeted_policy',`',`
-	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-	# and by sysadm_t
+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+# and by sysadm_t
 
-	dontaudit ssh_keygen_t self:capability sys_tty_config;
-	allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+type ssh_keygen_t;
+init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
+role system_r types ssh_keygen_t;
 
-	allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit ssh_keygen_t self:capability sys_tty_config;
+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
 
-	allow ssh_keygen_t sshd_key_t:file create_file_perms;
-	files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 
-	kernel_read_kernel_sysctls(ssh_keygen_t)
+allow ssh_keygen_t sshd_key_t:file create_file_perms;
+files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
 
-	fs_search_auto_mountpoints(ssh_keygen_t)
+kernel_read_kernel_sysctls(ssh_keygen_t)
 
-	dev_read_sysfs(ssh_keygen_t)
-	dev_read_urand(ssh_keygen_t)
+fs_search_auto_mountpoints(ssh_keygen_t)
 
-	term_dontaudit_use_console(ssh_keygen_t)
+dev_read_sysfs(ssh_keygen_t)
+dev_read_urand(ssh_keygen_t)
 
-	domain_use_interactive_fds(ssh_keygen_t)
+term_dontaudit_use_console(ssh_keygen_t)
 
-	files_read_etc_files(ssh_keygen_t)
+domain_use_interactive_fds(ssh_keygen_t)
 
-	init_use_fds(ssh_keygen_t)
-	init_use_script_ptys(ssh_keygen_t)
+files_read_etc_files(ssh_keygen_t)
 
-	libs_use_ld_so(ssh_keygen_t)
-	libs_use_shared_libs(ssh_keygen_t)
+init_use_fds(ssh_keygen_t)
+init_use_script_ptys(ssh_keygen_t)
 
-	logging_send_syslog_msg(ssh_keygen_t)
+libs_use_ld_so(ssh_keygen_t)
+libs_use_shared_libs(ssh_keygen_t)
 
-	allow ssh_keygen_t proc_t:dir r_dir_perms;
-	allow ssh_keygen_t proc_t:lnk_file read;
+logging_send_syslog_msg(ssh_keygen_t)
 
-	userdom_use_sysadm_ttys(ssh_keygen_t)
-	userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+allow ssh_keygen_t proc_t:dir r_dir_perms;
+allow ssh_keygen_t proc_t:lnk_file read;
 
-	# cjp: with the old daemon_(base_)domain being broken up into
-	# a daemon and system interface, this probably is not needed:
-	ifdef(`direct_sysadm_daemon',`
-		userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
-	')
+userdom_use_sysadm_ttys(ssh_keygen_t)
+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 
-	ifdef(`targeted_policy', `
-		term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
-		term_dontaudit_use_generic_ptys(ssh_keygen_t)
-		files_dontaudit_read_root_files(ssh_keygen_t)
-	')
+# cjp: with the old daemon_(base_)domain being broken up into
+# a daemon and system interface, this probably is not needed:
+ifdef(`direct_sysadm_daemon',`
+	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
+')
 
-	optional_policy(`
-		seutil_sigchld_newrole(ssh_keygen_t)
-	')
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
+	term_dontaudit_use_generic_ptys(ssh_keygen_t)
+	files_dontaudit_read_root_files(ssh_keygen_t)
+')
 
-	optional_policy(`
-		udev_read_db(ssh_keygen_t)
-	')
+optional_policy(`
+	seutil_sigchld_newrole(ssh_keygen_t)
+')
+
+optional_policy(`
+	udev_read_db(ssh_keygen_t)
+')
+
+optional_policy(`
+	nscd_socket_use(ssh_keygen_t)
 ')
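Review bot: The `type ssh_keygen_t;`, `init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)` and `role system_r types ssh_keygen_t;` lines now open the "ssh_keygen local policy" section instead of living in the declarations block they were removed from in the previous hunk, which breaks the declarations-then-policy layout the rest of the module follows. Moving them back up, unconditionally rather than inside the strict-only block, keeps the intent (ssh_keygen_t available under targeted as well) while keeping declarations together. While the block is being re-indented, `allow ssh_keygen_t proc_t:dir r_dir_perms;` and the following `proc_t:lnk_file read` line reach into a kernel-module type directly; `kernel_read_system_state(ssh_keygen_t)` is the interface form of the same access.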
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.12/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/xserver.if	2006-09-05 15:13:42.000000000 -0400
@@ -1072,6 +1071,7 @@
 		type xdm_tmp_t;
 	')
 
+	allow $1 xdm_tmp_t:dir search_dir_perms;
 	allow $1 xdm_tmp_t:file { getattr read };
 ')
 
@@ -1133,3 +1133,45 @@
 	allow $1 xdm_xserver_tmp_t:sock_file write;
 	allow $1 xdm_xserver_t:unix_stream_socket connectto;
 ')
+
+
+########################################
+## <summary>
+##	Create a named socket in a ice
+##	temporary directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_create_ice_tmp_sockets',`
+	gen_require(`
+		type ice_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 ice_tmp_t:dir ra_dir_perms;
+	allow $1 ice_tmp_t:sock_file create_file_perms;
+')
+
+
+########################################
+## <summary>
+##	signal XDM X servers
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_signal_xdm_xserver',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	allow $1 xdm_xserver_t:process signal;
+')
+
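Review bot: The `<param>` summary of `xserver_signal_xdm_xserver` reads `Domain to not audit`, but the interface body is an allow rule, so the documentation says the opposite of what the interface grants; `##	Domain allowed access.` is the right text, and the summary could read `Send a generic signal to the XDM X server.` The summary of `xserver_create_ice_tmp_sockets` has the same copy-paste feel (`a ice` should be `an ICE`). Both bodies are otherwise consistent with neighbouring interfaces, though the ICE one only builds if `ice_tmp_t` is declared in xserver.te, which this diff does not show.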
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.3.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/services/xserver.te	2006-09-05 15:02:35.000000000 -0400
@@ -214,15 +214,15 @@
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
 
+allow xdm_t xdm_tmp_t:dir manage_dir_perms;
+allow xdm_t xdm_tmp_t:file manage_file_perms;
+allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+
 ifdef(`strict_policy',`
 	allow xdm_t xdm_lock_t:file create_file_perms;
 	files_lock_filetrans(xdm_t,xdm_lock_t,file)
 
-	allow xdm_t xdm_tmp_t:dir manage_dir_perms;
-	allow xdm_t xdm_tmp_t:file manage_file_perms;
-	allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
-	files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-
 	allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
 	allow xdm_t xdm_tmpfs_t:file manage_file_perms;
 	allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
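Review bot: The four xdm_tmp_t rules lifted out of the `strict_policy` block are now compiled unconditionally, so the `type xdm_tmp_t;` declaration (not visible in this hunk) must also sit outside any strict-only ifdef or the targeted build fails on an undeclared type; worth confirming, since the xserver.if hunk above only `gen_require`s it. A one-line comment above the block, such as `# xdm manages its own tmp dirs, files and sockets in every policy flavour`, would record why these rules were promoted.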
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.3.12/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-08-29 09:00:29.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/system/authlogin.te	2006-09-05 09:37:39.000000000 -0400
@@ -176,7 +176,7 @@
 dev_setattr_xserver_misc_dev(pam_console_t)
 dev_read_urand(pam_console_t)
 
-fs_search_auto_mountpoints(pam_console_t)
+fs_list_auto_mountpoints(pam_console_t)
 
 mls_file_read_up(pam_console_t)
 mls_file_write_down(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.12/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2006-08-29 09:00:29.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/system/hostname.te	2006-09-05 09:37:39.000000000 -0400
@@ -8,7 +8,10 @@
 
 type hostname_t;
 type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+domain_type(hostname_t)
+domain_entry_file(hostname_t,hostname_exec_t)
 role system_r types hostname_t;
 
 ########################################
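Review bot: The comment `#dont transition from initrc` says what is avoided but not why, and replacing `init_system_domain()` with `domain_type()` + `domain_entry_file()` is exactly the kind of change a later reader will "fix" back unless the reason is recorded. Something like `# deliberately not init_system_domain(): init scripts keep running hostname in their own domain (no initrc_t -> hostname_t transition)` states the intent from the removed line. The comment also lacks the space after `#` used elsewhere in the file.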
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-08-28 16:22:32.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/system/init.te	2006-09-05 09:37:39.000000000 -0400
@@ -361,7 +361,8 @@
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
-miscfiles_read_localization(initrc_t)
+miscfiles_rw_localization(initrc_t)
+
 # slapd needs to read cert files from its initscript
 miscfiles_read_certs(initrc_t)
 
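Review bot: `miscfiles_rw_localization(initrc_t)` widens every init script from reading to writing the localization content, with no comment saying which script needs it; the locale files are read by essentially every domain, so write access to them is a tampering vector that deserves a stated justification. A comment naming the consumer, e.g. `# <initscript name> rewrites locale data at boot`, or a narrower interface scoped to the specific files, would make this grant reviewable later.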
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.12/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-09-05 07:41:01.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/system/selinuxutil.te	2006-09-05 09:37:39.000000000 -0400
@@ -450,6 +450,7 @@
 selinux_compute_user_contexts(restorecond_t)
 
 term_dontaudit_use_generic_ptys(restorecond_t)
+term_dontaudit_use_unallocated_ttys(restorecond_t)
 
 auth_relabel_all_files_except_shadow(restorecond_t )
 auth_read_all_files_except_shadow(restorecond_t)
@@ -622,6 +623,12 @@
 	# Handle pp files created in homedir and /tmp
 	files_read_generic_tmp_files(semanage_t)
 	userdom_read_generic_user_home_content_files(semanage_t)
+',`
+	ifdef(`enable_mls',`
+		userdom_read_user_tmp_files(secadm, semanage_t)
+	',`
+		userdom_read_user_tmp_files(sysadm, semanage_t)
+	')
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-08-16 08:46:31.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/system/userdomain.if	2006-09-05 09:37:39.000000000 -0400
@@ -8,11 +8,10 @@
 ## <desc>
 ##	<p>
 ##	This template creates a user domain, types, and
-##	rules for the user's tty, pty, home directories,
-##	tmp, and tmpfs files.
+##	rules for the user's tty, pty, tmp, and tmpfs files.
 ##	</p>
 ##	<p>
-##	This generally should not be used, rather the
+##	This should only be used for new non login user roles, rather the
 ##	unpriv_user_template or admin_user_template should
 ##	be used.
 ##	</p>
@@ -25,7 +24,9 @@
 ## </param>
 #
 template(`base_user_template',`
-
+	gen_require(`
+		attribute userdomain, unpriv_userdomain;
+	')
 	attribute $1_file_type;
 
 	type $1_t, userdomain;
@@ -42,44 +43,17 @@
 	term_user_pty($1_t,$1_devpts_t)
 	files_type($1_devpts_t)
 
-	# type for contents of home directory
-	type $1_home_t, $1_file_type, home_type;
-	files_type($1_home_t)
-	files_associate_tmp($1_home_t)
-	fs_associate_tmpfs($1_home_t)
-
-	# type of home directory
-	type $1_home_dir_t, home_dir_type, home_type;
-	files_type($1_home_dir_t)
-	files_associate_tmp($1_home_dir_t)
-	fs_associate_tmpfs($1_home_dir_t)
-
 	type $1_tmp_t, $1_file_type;
 	files_tmp_file($1_tmp_t)
 
 	type $1_tmpfs_t;
 	files_tmpfs_file($1_tmpfs_t)
 
-	# types for network-obtained content
-	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
-	files_type($1_untrusted_content_t)
-	files_poly_member($1_untrusted_content_t)
-
-	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
-	files_tmp_file($1_untrusted_content_tmp_t)
-
 	type $1_tty_device_t; 
 	term_tty($1_t,$1_tty_device_t)
 
 	##############################
 	#
-	# User home directory file rules
-	#
-
-	allow $1_file_type $1_home_t:filesystem associate;
-
-	##############################
-	#
 	# User domain Local policy
 	#
 
@@ -103,19 +77,6 @@
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
-	# execute files in the home directory
-	can_exec($1_t,$1_home_t)
-
-	# full control of the home directory
-	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
-	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
-	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-	files_search_home($1_t)
-
 	can_exec($1_t,$1_tmp_t)
 
 	# user temporary files
@@ -138,15 +99,16 @@
 	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-	# Allow user to relabel untrusted content
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+	allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+	term_create_pty($1_t,$1_devpts_t)
 
 	allow $1_t unpriv_userdomain:fd use;
 
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
 	kernel_read_kernel_sysctls($1_t)
 	kernel_read_net_sysctls($1_t)
+	kernel_read_fs_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -165,8 +127,10 @@
 
 	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_raw_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
 	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_raw_sendrecv_all_nodes($1_t)
 	corenet_udp_sendrecv_all_nodes($1_t)
 	corenet_tcp_sendrecv_all_ports($1_t)
 	corenet_udp_sendrecv_all_ports($1_t)
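Review bot: `corenet_raw_sendrecv_all_if($1_t)` and `corenet_raw_sendrecv_all_nodes($1_t)` are added to base_user_template, so every user domain built from it, not only administrative ones, gets raw IP send/receive on all interfaces and nodes, with no comment on what needs it. Whether it is effective also depends on the domain holding `self:rawip_socket` create permission, which this hunk does not show; if the intent is ping/traceroute-style tools, those normally run in their own domain and the grant belongs there. A comment naming the consumer, or moving the two lines to the template that actually needs them, keeps the unprivileged baseline tight. base_user_template starts and ends outside this hunk.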
@@ -193,6 +157,7 @@
 	fs_getattr_all_fs($1_t)
 	fs_getattr_all_dirs($1_t)
 	fs_search_auto_mountpoints($1_t)
+	fs_list_inotifyfs($1_t)
 
 	# cjp: some of this probably can be removed
 	selinux_get_fs_mount($1_t)
@@ -234,6 +199,11 @@
 	files_dontaudit_getattr_non_security_sockets($1_t)
 	files_dontaudit_getattr_non_security_blk_files($1_t)
 	files_dontaudit_getattr_non_security_chr_files($1_t)
+	files_read_var_files($1_t)
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+	files_read_usr_files($1_t)
+	files_exec_usr_files($1_t)
 
 	# Caused by su - init scripts
 	init_dontaudit_use_script_ptys($1_t)
@@ -254,16 +224,88 @@
 	seutil_read_default_contexts($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 
-	tunable_policy(`allow_execmem',`
-		# Allow loading DSOs that require executable stack.
-		allow $1_t self:process execmem;
-	')
+	sysnet_dns_name_resolve($1_t)
+
+')
+#######################################
+## <summary>
+##	The template containing rules common to unprivileged
+##	users and administrative users.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user home directories,
+##	</p>
+##	<p>
+##	This generally should not be used, rather the
+##	unpriv_user_template or admin_user_template should
+##	be used.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`base_login_user_template',`
 
-	tunable_policy(`allow_execmem && allow_execstack',`
-		# Allow making the stack executable via mprotect.
-		allow $1_t self:process execstack;
+	gen_require(`
+		attribute $1_file_type;
+		attribute home_dir_type, home_type;
+		attribute untrusted_content_type;
 	')
 
+	# type for contents of home directory
+	type $1_home_t, $1_file_type, home_type;
+	files_type($1_home_t)
+	files_associate_tmp($1_home_t)
+	fs_associate_tmpfs($1_home_t)
+
+	# type of home directory
+	type $1_home_dir_t, home_dir_type, home_type;
+	files_type($1_home_dir_t)
+	files_associate_tmp($1_home_dir_t)
+	fs_associate_tmpfs($1_home_dir_t)
+
+	# types for network-obtained content
+	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
+	files_type($1_untrusted_content_t)
+	files_poly_member($1_untrusted_content_t)
+
+	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
+	files_tmp_file($1_untrusted_content_tmp_t)
+
+	##############################
+	#
+	# User home directory file rules
+	#
+
+	allow $1_file_type $1_home_t:filesystem associate;
+
+	##############################
+	#
+	# User domain Local policy
+	#
+
+	# execute files in the home directory
+	can_exec($1_t,$1_home_t)
+
+	# full control of the home directory
+	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
+	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
+	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+	files_search_home($1_t)
+
+	# Allow user to relabel untrusted content
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
 	tunable_policy(`read_default_t',`
 		files_list_default($1_t)
 		files_read_default_files($1_t)
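Review bot: The `gen_require` of `base_login_user_template` lists `untrusted_content_type` but not `untrusted_content_tmp_type`, which the `type $1_untrusted_content_tmp_t` declaration a few lines later uses; if the first needs requiring so does the second, so add `attribute untrusted_content_tmp_type;` to the block. Separately, the two `tunable_policy` blocks for `allow_execmem` and `allow_execmem && allow_execstack` are removed from base_user_template and do not reappear on the new side of this hunk; unless they were re-added somewhere outside the visible hunks, user domains silently lose the boolean-controlled execmem/execstack grants. The home-directory rules themselves are moved verbatim; both templates start or end outside this hunk.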
@@ -322,10 +364,15 @@
 	')
 
 	optional_policy(`
+		alsa_read_rw_config($1_t)
+	')
+
+	optional_policy(`
 		canna_stream_connect($1_t)
 	')
 
 	optional_policy(`
+		cups_stream_connect(sysadm_t)
 		cups_stream_connect_ptal($1_t)
 	')
 
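Review bot: `cups_stream_connect(sysadm_t)` inside a template parameterised by `$1` looks like a typo for `cups_stream_connect($1_t)`: as written, every instantiation re-emits a rule for sysadm_t rather than for the user domain being defined, and sysadm_t is not in the template's `gen_require`. If sysadm really is the only role that should reach the cups socket, the line belongs in userdomain.te next to the other sysadm_t rules, not in a per-user template. The enclosing template starts and ends outside this hunk.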
@@ -426,8 +473,10 @@
 		xserver_stream_connect_xdm($1_t)
 		# certain apps want to read xdm.pid file
 		xserver_read_xdm_pid($1_t)
+		xserver_read_xdm_tmp_files($1_t)
 		# gnome-session creates socket under /tmp/.ICE-unix/
 		xserver_create_xdm_tmp_sockets($1_t)
+		xserver_create_ice_tmp_sockets($1_t)
 	')
 ')
 
@@ -457,6 +506,7 @@
 
 	# Inherit rules for ordinary users.
 	base_user_template($1)
+	base_login_user_template($1)
 
 	typeattribute $1_t unpriv_userdomain;
 	domain_interactive_fd($1_t)
@@ -477,9 +527,6 @@
 	# Local policy
 	#
 
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
 	# Rules used to associate a homedir as a mountpoint
 	allow $1_home_t self:filesystem associate;
 	allow $1_file_type $1_home_t:filesystem associate;
@@ -491,10 +538,6 @@
 	allow privhome $1_home_t:sock_file create_file_perms;
 	allow privhome $1_home_t:fifo_file create_file_perms;
 	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
-
 	dev_read_sysfs($1_t)
 
 	corecmd_exec_all_executables($1_t)
@@ -502,11 +545,8 @@
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
 
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
+
 	files_list_home($1_t)
-	files_read_usr_files($1_t)
-	files_exec_usr_files($1_t)
 	# Read directories and files with the readable_t type.
 	# This type is a general type for "world"-readable files.
 	files_list_world_readable($1_t)
@@ -514,8 +554,6 @@
 	files_read_world_readable_symlinks($1_t)
 	files_read_world_readable_pipes($1_t)
 	files_read_world_readable_sockets($1_t)
-	# cjp: why?
-	files_read_kernel_symbol_table($1_t)
 
 	init_read_utmp($1_t)
 	# The library functions always try to open read-write first,
@@ -621,6 +659,8 @@
 
 	# do not audit read on disk devices
 	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
+	dontaudit $1_t sysadm_home_t:file { read append };
+	userdom_dontaudit_append_sysadm_home_content_files($1_t)
 
 	ifdef(`xdm.te', `
 		allow xdm_t $1_home_t:lnk_file read;
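Review bot: The moved `dontaudit $1_t sysadm_home_t:file { read append };` and the new `userdom_dontaudit_append_sysadm_home_content_files($1_t)` call on the next line overlap: the interface dontaudits `ra_file_perms`, which already covers read and append, so the raw rule is redundant and can be dropped in favour of the interface call. Keeping only the interface also removes a direct type reference where an interface exists. The enclosing template starts and ends outside this hunk.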
@@ -657,8 +697,6 @@
 	# Do not audit write denials to /etc/ld.so.cache.
 	dontaudit $1_t ld_so_cache_t:file write;
 
-	dontaudit $1_t sysadm_home_t:file { read append };
-
 	allow $1_t initrc_t:fifo_file write;
 	') dnl end TODO
 ')
@@ -704,6 +742,7 @@
 
 	# Inherit rules for ordinary users.
 	base_user_template($1)
+	base_login_user_template($1)
 
 	typeattribute $1_t privhome;
 	domain_obj_id_change_exemption($1_t)
@@ -736,11 +775,6 @@
 
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
@@ -806,6 +840,7 @@
 	domain_getattr_all_sockets($1_t)
 
 	files_exec_usr_src_files($1_t)
+	files_create_boot_flag($1_t)
 
 	init_rw_initctl($1_t)
 
@@ -3359,6 +3394,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to append to the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_sysadm_home_content_files',`
+	gen_require(`
+		type sysadm_home_t;
+	')
+
+	dontaudit $1 sysadm_home_t:file ra_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read files in the staff users home directory.
 ## </summary>
 ## <param name="domain">
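Review bot: The summary of `userdom_dontaudit_append_sysadm_home_content_files` says "append", but the rule dontaudits `ra_file_perms`, which covers read as well, so either the name/summary is wrong or the permission set is wider than intended. Since the userdomain.te hunk below calls both this interface and `userdom_dontaudit_read_sysadm_home_content_files` for secadm_t, the read half presumably belongs in the other interface and this one should dontaudit only the append-related permissions. At minimum the summary should read `Do not audit attempts to read or append to files in the sysadm users home directory.` so the documentation matches the rule.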
@@ -4079,7 +4133,7 @@
 	gen_require(`
 		type user_home_dir_t;
 	')
-
+	allow $1 user_home_dir_t:dir manage_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
 
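Review bot: Adding `allow $1 user_home_dir_t:dir manage_dir_perms;` to an interface that previously only set up a `files_home_filetrans` turns a labelling helper into a grant of full create/delete/rename on user home directories for every caller, which is more than the interface's name and summary (both outside this hunk) presumably advertise; it needs a comment naming the caller or a separate, clearly named interface. The same applies in a smaller way to the five `search_dir_perms` → `rw_dir_perms` changes in the following hunks (through the sock_file one), which let callers add and remove entries in the home directory root rather than only traverse it. Each widening should say next to the rule which domain needs it.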
@@ -4164,7 +4218,7 @@
 	')
 
 	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_dir_t:dir rw_dir_perms;
 	allow $1 user_home_t:dir create_dir_perms;
 ')
 
@@ -4206,7 +4260,7 @@
 	')
 
 	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_dir_t:dir rw_dir_perms;
 	allow $1 user_home_t:dir rw_dir_perms;
 	allow $1 user_home_t:file create_file_perms;
 ')
@@ -4228,7 +4282,7 @@
 	')
 
 	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_dir_t:dir rw_dir_perms;
 	allow $1 user_home_t:dir rw_dir_perms;
 	allow $1 user_home_t:lnk_file create_lnk_perms;
 ')
@@ -4250,7 +4304,7 @@
 	')
 
 	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_dir_t:dir rw_dir_perms;
 	allow $1 user_home_t:dir rw_dir_perms;
 	allow $1 user_home_t:fifo_file create_file_perms;
 ')
@@ -4272,7 +4326,7 @@
 	')
 
 	files_search_home($1)
-	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_dir_t:dir rw_dir_perms;
 	allow $1 user_home_t:dir rw_dir_perms;
 	allow $1 user_home_t:sock_file create_file_perms;
 ')
@@ -4740,3 +4794,34 @@
 	allow $1 user_home_dir_t:dir create_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
+
+########################################
+## <summary>
+##	The template containing rules for changing from one role to another
+## </summary>
+## <desc>
+##	<p>
+##	This should only be used for new non login user roles, rather the
+##	unpriv_user_template or admin_user_template should
+##	be used.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	userdomain changing from 
+##	</summary>
+## </param>
+## <param name="userdomain_prefix">
+##	<summary>
+##	userdomain changing to
+##	</summary>
+## </param>
+#
+template(`role_change_template',`
+        allow $1_r $2_r;
+        type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+        type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+        # avoid annoying messages on terminal hangup
+        dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
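Review bot: The `role_change_template` body is indented with spaces while every other template in this file uses tabs, and its `<desc>` was copied from base_user_template (`This should only be used for new non login user roles ...`), which does not describe a role-change macro. The two `<param>` entries are both named `userdomain_prefix`, so the generated documentation cannot tell the "from" and "to" prefixes apart; name them e.g. `from_prefix` and `to_prefix` with summaries `Prefix of the role being changed from.` and `Prefix of the role being changed to.` The body also references `$1_r`, `$2_r`, `$2_t` and the devpts/tty types without a `gen_require`, which works only while it is expanded inside userdomain.te where those are declared.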
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.12/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-08-16 08:46:31.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/system/userdomain.te	2006-09-05 09:37:39.000000000 -0400
@@ -56,14 +56,6 @@
 # Local policy
 #
 
-define(`role_change',`
-	allow $1_r $2_r;
-	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-	# avoid annoying messages on terminal hangup
-	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
 ifdef(`targeted_policy',`
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
@@ -124,34 +116,34 @@
 
 	# user role change rules:
 	# sysadm_r can change to user roles
-	role_change(sysadm, user)
-	role_change(sysadm, staff)
+	role_change_template(sysadm, user)
+	role_change_template(sysadm, staff)
 
 	# only staff_r can change to sysadm_r
-	role_change(staff, sysadm)
+	role_change_template(staff, sysadm)
 
 	ifdef(`enable_mls',`
 		unpriv_user_template(secadm)
 		unpriv_user_template(auditadm)
 
-		role_change(staff,auditadm)
-		role_change(staff,secadm)
+		role_change_template(staff,auditadm)
+		role_change_template(staff,secadm)
 
-		role_change(sysadm,secadm)
-		role_change(sysadm,auditadm)
+		role_change_template(sysadm,secadm)
+		role_change_template(sysadm,auditadm)
 
-		role_change(auditadm,secadm)
-		role_change(auditadm,sysadm)
+		role_change_template(auditadm,secadm)
+		role_change_template(auditadm,sysadm)
 
-		role_change(secadm,auditadm)
-		role_change(secadm,sysadm)
+		role_change_template(secadm,auditadm)
+		role_change_template(secadm,sysadm)
 	')
 
 	# this should be tunable_policy, but
 	# currently type_change and RBAC allow
 	# do not work in conditionals
 	ifdef(`user_canbe_sysadm',`
-		role_change(user,sysadm)
+		role_change_template(user,sysadm)
 	')
 
 	allow privhome home_root_t:dir { getattr search };
@@ -172,6 +164,8 @@
 
 	mls_process_read_up(sysadm_t)
 
+	term_getattr_all_user_ttys(sysadm_t)
+
 	init_exec(sysadm_t)
 
 	ifdef(`direct_sysadm_daemon',`
@@ -210,7 +204,9 @@
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
 	        logging_read_generic_logs(secadm_t)
-		userdom_dontaudit_append_staff_home_content_files(secadm_t)
+		userdom_dontaudit_append_sysadm_home_content_files(secadm_t)
+		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
 	', `
 		logging_manage_audit_log(sysadm_t)
 		logging_manage_audit_config(sysadm_t)
@@ -439,11 +435,11 @@
 			selinux_set_parameters(secadm_t)
 
 			seutil_manage_bin_policy(secadm_t)
-			seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
-			seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
-			seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
-			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
-			seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
+			seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+			seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+			seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+			seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+			seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		', `
 			selinux_set_enforce_mode(sysadm_t)
 			selinux_set_boolean(sysadm_t)
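Review bot: The literal set `{ secadm_tty_device_t secadm_devpts_t }` is repeated five times in the seutil_run_* calls where the old code used the `admin_terminal` name; if `admin_terminal` does not cover secadm's terminals under `enable_mls`, the cleaner fix is a local m4 define such as `define(`secadm_terminal',`{ secadm_tty_device_t secadm_devpts_t }')` used in all five calls, so a later addition cannot drift. The reason `admin_terminal` was dropped is not stated anywhere in the diff; a one-line comment above the block would help. The enclosing ifdef starts and ends outside this hunk.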
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2006-08-29 09:00:29.000000000 -0400
+++ serefpolicy-2.3.12/policy/modules/system/xen.te	2006-09-05 12:50:19.000000000 -0400
@@ -131,6 +131,7 @@
 corenet_tcp_bind_xen_port(xend_t)
 corenet_tcp_bind_soundd_port(xend_t)
 corenet_tcp_bind_generic_port(xend_t)
+corenet_tcp_bind_vnc_port(xend_t)
 corenet_sendrecv_xen_server_packets(xend_t)
 corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_rw_tun_tap_dev(xend_t)
@@ -313,3 +314,5 @@
 xen_append_log(xm_t)
 xen_stream_connect(xm_t)
 xen_stream_connect_xenstore(xm_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(xend_t)
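Review bot: `userdom_dontaudit_search_sysadm_home_dirs(xend_t)` is appended after the `xm_t` rules (`xen_stream_connect_xenstore(xm_t)`), i.e. inside what reads as the xm local-policy section, although it applies to `xend_t`. It belongs with the other xend_t rules earlier in the file (the first hunk's `corenet_*` block is in that section), where a reader looking for xend's dontaudit rules would expect it.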
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.3.12/Rules.modular
--- nsaserefpolicy/Rules.modular	2006-08-31 14:57:06.000000000 -0400
+++ serefpolicy-2.3.12/Rules.modular	2006-09-05 16:00:01.000000000 -0400
@@ -218,6 +218,16 @@
 
 ########################################
 #
+# Validate File Contexts
+#
+validatefc: $(base_pkg) $(base_fc) 
+	@echo "Validating file context."
+	$(verbose) $(SEMOD_EXP) $(base_pkg) $(tmpdir)/policy.tmp
+	$(verbose) $(SETFILES) -c $(tmpdir)/policy.tmp $(base_fc)
+	@echo "Success."
+
+########################################
+#
 # Clean the sources
 #
 clean:
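Review bot: The `validatefc` recipe expands the base package into `$(tmpdir)/policy.tmp` and never removes it, so a full expanded policy is left in the build tree after every run; add `$(verbose) rm -f $(tmpdir)/policy.tmp` after the setfiles line, or list the file under the existing `clean` rule. The target line `validatefc: $(base_pkg) $(base_fc) ` carries a trailing space, and `validatefc` should be declared `.PHONY` if the file declares its other non-file targets that way (not visible here).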

* Latest diffs
@ 2006-08-02 17:33 Daniel J Walsh
  0 siblings, 0 replies; 143+ messages in thread
From: Daniel J Walsh @ 2006-08-02 17:33 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1464 bytes --]

mls constraints changed by evaluator

consoletype/hostname need to ignore open fds from xen.  Xen leaks them 
and uses them to communicate.  Maybe someday they will fix this.

firstboot needs to dbus chat with hal


apt runs as rpm on Red Hat platforms

useradd and groupadd need to transition to nscd

mozilla fixes for strict policy

qemu-ifup should be bin_t

xfs now supports xattrs

Added new access to kernel:key

xen wants to getattr on devpts filesystem

Fixes for amavis

Apache should not ignore access to sysadm home dirs

avahi needs access to certs for encryption

bluetooth running on ypbind systems

Fixes for crontab in strict/mls policies

Fixes for newversion of cupsd that is SELinux aware

user dbus needs to talk to hal in strict policy

ldap has   a socket

ntp needs net_bind_service

Fixes for postfix

Samba needs to be able to create a log directory

setroubleshoot has been cleaned up to be one process.

spam wants to read postfix config

squid needs to be able to setrlimit, and sys_resource

xserver in strict policy needs additional privs

libavutil changed its name

login programs need self:key {search write }.  Should this be moved to 
auth_pgm?

Audit is being changed to use a socket.

Avahi has its own  localtime

mount wants to check if selinux in enforcing mode

semanage_t needs to be able to read files created by secadm_t

uncofined_execmem_t needs to be chating

We need to coordinat the changes to userdomain.

 





[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 62252 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.3.4/policy/mls
--- nsaserefpolicy/policy/mls	2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.4/policy/mls	2006-08-02 11:32:53.000000000 -0400
@@ -184,19 +184,12 @@
 	 ( t2 == mlstrustedobject ));
 
 # the "single level" file "write" ops
-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
+mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
 	(( l1 eq l2 ) or
 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsfilewrite ) or
 	 ( t2 == mlstrustedobject ));
 
-# the "ranged" file "write" ops
-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
 mlsconstrain dir { add_name remove_name reparent rmdir }
 	((( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
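Review bot: Folding dir, chr_file, blk_file and sock_file into the single-level `( l1 eq l2 )` constraint leaves the `dir { add_name remove_name reparent rmdir }` constraint at the end of the hunk on the old ranged `(( l1 dom l2 ) and ( l1 domby h2 ))` form, so `write` on a directory is now stricter than `add_name` on the same directory. If that asymmetry is what the evaluator asked for, a comment above the surviving constraint should say so, e.g. `# dir write is single-level; add_name/remove_name remain ranged`, so the next reader does not "fix" it. The removed `# the "ranged" file "write" ops` comment means the remaining `# the "single level" file "write" ops` comment now covers every file class, which is worth stating explicitly.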
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.4/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/admin/consoletype.te	2006-08-02 11:32:53.000000000 -0400
@@ -8,7 +8,12 @@
 
 type consoletype_t;
 type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+domain_type(consoletype_t)
+domain_entry_file(consoletype_t,consoletype_exec_t)
+role system_r types consoletype_t;
+
 mls_file_read_up(consoletype_t)
 mls_file_write_down(consoletype_t)
 role system_r types consoletype_t;
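Review bot: `role system_r types consoletype_t;` is added at the new line while the identical statement already exists as a context line three lines further down, so the role authorisation is now declared twice; drop the added copy. The commented-out `#init_domain(consoletype_t,consoletype_exec_t)` should be deleted rather than kept as dead text — the `#dont transition from initrc` comment alone explains the decision (a fuller form would be `# no init_domain(): consoletype must not transition out of initrc`). With only `domain_type` + `domain_entry_file`, consoletype run from initrc presumably stays in the caller's domain, which appears to be the intent.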
@@ -114,3 +119,7 @@
 	xen_append_log(consoletype_t)
 	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
 ')
+
+optional_policy(`
+	xen_dontaudit_use_fds(consoletype_t)
+')
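Review bot: The new `optional_policy` block containing `xen_dontaudit_use_fds(consoletype_t)` sits directly after a block that already holds `xen_append_log` and `xen_dontaudit_rw_unix_stream_sockets` for the same domain (its opening line is outside the hunk); since both depend on the same xen module, the new call presumably belongs inside the existing block rather than in a second one. A short comment such as `# xen leaks fds to consoletype` next to it would tie the rule to the reason given in the description.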
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-2.3.4/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te	2006-08-02 10:34:09.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/admin/firstboot.te	2006-08-02 11:32:53.000000000 -0400
@@ -106,7 +106,7 @@
 ')
 
 optional_policy(`
-	hal_dbus_send(firstboot_t)
+	hal_dbus_chat(firstboot_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.4/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/admin/rpm.fc	2006-08-02 11:32:53.000000000 -0400
@@ -19,6 +19,8 @@
 /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.3.4/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-08-02 10:34:09.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/admin/usermanage.te	2006-08-02 11:32:53.000000000 -0400
@@ -260,7 +260,7 @@
 ')
 
 optional_policy(`
-	nscd_exec(groupadd_t)
+	nscd_domtrans(groupadd_t)
 	nscd_socket_use(groupadd_t)
 ')
 
@@ -535,7 +535,7 @@
 ')
 
 optional_policy(`
-	nscd_exec(useradd_t)
+	nscd_domtrans(useradd_t)
 	nscd_socket_use(useradd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.3.4/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if	2006-07-14 17:04:31.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/apps/mozilla.if	2006-08-02 11:32:53.000000000 -0400
@@ -63,6 +63,7 @@
 	allow $1_mozilla_t self:unix_stream_socket { listen accept };
 	# Browse the web, connect to printer
 	allow $1_mozilla_t self:tcp_socket create_socket_perms;
+	allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
 
 	# for bash - old mozilla binary
 	can_exec($1_mozilla_t, mozilla_exec_t)
@@ -175,6 +176,7 @@
 	logging_send_syslog_msg($1_mozilla_t)
 
 	miscfiles_read_fonts($1_mozilla_t)
+	miscfiles_read_localization($1_mozilla_t)
 
 	# Browse the web, connect to printer
 	sysnet_dns_name_resolve($1_mozilla_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.3.4/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-08-02 10:34:05.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/kernel/corecommands.fc	2006-08-02 11:32:53.000000000 -0400
@@ -62,6 +62,7 @@
 /etc/X11/xinit(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/etc/xen/qemu-ifup		--	gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_debian',`
 /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.4/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-08-02 10:34:05.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/kernel/corenetwork.te.in	2006-08-02 11:32:53.000000000 -0400
@@ -73,6 +73,7 @@
 network_port(dhcpc, udp,68,s0)
 network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
 network_port(dict, tcp,2628,s0)
+network_port(setroubleshoot, tcp,3267,s0)
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
 network_port(fingerd, tcp,79,s0)
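Review bot: `network_port(setroubleshoot, tcp,3267,s0)` is inserted between the `dict` and `distccd` entries, but the surrounding list is kept in alphabetical order by port name; it belongs in its alphabetical position among the s* entries further down. Keeping the order makes duplicate port numbers easier to spot during review.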
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.3.4/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-08-02 10:34:05.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/kernel/filesystem.te	2006-08-02 11:32:53.000000000 -0400
@@ -24,6 +24,7 @@
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 
@@ -181,7 +182,6 @@
 genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
 #
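Review bot: The description says "xfs now supports xattrs", but the first hunk adds `fs_use_xattr gfs` (xfs is already present on the existing line below it) and this hunk removes gfs from the `genfscon ... nfs_t` list; presumably the note meant gfs, and the change log should be corrected to match. Moving gfs from `genfscon` to `fs_use_xattr` means labels are now read from on-disk xattrs instead of the single nfs_t context, so an existing gfs volume needs a relabel before it is useful under this policy; a one-line comment beside the new `fs_use_xattr gfs` line recording that would help.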
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.3.4/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-07-14 17:04:30.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/kernel/kernel.if	2006-08-02 11:32:53.000000000 -0400
@@ -1456,6 +1456,42 @@
 
 ########################################
 ## <summary>
+##	Allow search the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_search_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:key search;
+')
+
+########################################
+## <summary>
+##	Allow link to the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_link_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:key link;
+')
+
+########################################
+## <summary>
 ##	Read filesystem sysctls.
 ## </summary>
 ## <param name="domain">
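Review bot: The summaries of the two new interfaces are ungrammatical: `##	Allow search the kernel key ring.` should read `##	Allow searching the kernel key ring.` and `##	Allow link to the kernel key ring.` should read `##	Allow linking to the kernel key ring.`, matching the imperative/verb-noun style of the neighbouring `Read filesystem sysctls.` summary. Both interfaces are otherwise consistent with the file's gen_require pattern.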
@@ -2099,3 +2135,42 @@
 
 	typeattribute $1 kern_unconfined;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to list sysctl_type directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_sysctls',`
+	gen_require(`
+		attribute sysctl_type;
+	')
+
+	dontaudit $1 sysctl_type:dir list_dir_perms;
+')
+
+
+########################################
+## <summary>
+##	Do not audit attempts to list proc_type file/directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_list_all_proc',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	dontaudit $1 proc_type:dir list_dir_perms;
+	dontaudit $1 proc_type:file getattr;
+')
+
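Review bot: `kernel_dontaudit_list_all_proc` also dontaudits `proc_type:file getattr`, which the summary `Do not audit attempts to list proc_type file/directories.` only loosely describes; `##	Do not audit attempts to list proc_type directories or get the attributes of proc_type files.` would state the full effect. The two consecutive blank lines between `kernel_dontaudit_list_sysctls` and the next interface break the file's single-blank-line spacing, and the hunk adds a trailing blank line at end of file.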
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.3.4/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-08-02 10:34:05.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/kernel/terminal.if	2006-08-02 11:32:53.000000000 -0400
@@ -308,6 +308,7 @@
 		type devpts_t;
 	')
 
+	dev_dontaudit_list_all_dev_nodes($1)
 	dontaudit $1 devpts_t:dir search;
 ')
 
@@ -948,3 +949,21 @@
 	dontaudit $1 ttynode:chr_file { read write };
 ')
 
+########################################
+## <summary>
+##	Get the attributes of a pty filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_getattr_ptys_fs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:filesystem getattr;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.4/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te	2006-07-14 17:04:40.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/amavis.te	2006-08-02 11:32:53.000000000 -0400
@@ -62,10 +62,12 @@
 allow amavis_t amavis_quarantine_t:dir create_dir_perms;
 
 # Spool Files
+files_search_spool(amavis_t)
 allow amavis_t amavis_spool_t:dir manage_dir_perms;
 allow amavis_t amavis_spool_t:file manage_file_perms;
 allow amavis_t amavis_spool_t:sock_file manage_file_perms;
 files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
+type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
 
 # tmp files
 allow amavis_t amavis_tmp_t:file create_file_perms;
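Review bot: `type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;` makes a socket created in the spool directory land in `amavis_var_run_t`, yet the only sock_file permission in the hunk is on `amavis_spool_t` (`allow amavis_t amavis_spool_t:sock_file manage_file_perms;`). Unless amavis_t already has sock_file create rights on amavis_var_run_t elsewhere in amavis.te, the transition will turn the socket creation into a denial; either add `allow amavis_t amavis_var_run_t:sock_file manage_file_perms;` beside it or drop the transition and keep the socket in amavis_spool_t. A comment saying why a spool-directory socket should carry the var_run type would also help.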
@@ -116,6 +118,7 @@
 # bind to incoming port
 corenet_tcp_bind_amavisd_recv_port(amavis_t)
 corenet_udp_bind_generic_port(amavis_t)
+corenet_tcp_connect_razor_port(amavis_t)
 
 dev_read_rand(amavis_t)
 dev_read_urand(amavis_t)
@@ -180,3 +183,7 @@
 	spamassassin_exec(amavis_t)
 	spamassassin_exec_client(amavis_t)
 ')
+
+optional_policy(`
+	postfix_read_config(amavis_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/apache.te	2006-08-02 11:32:53.000000000 -0400
@@ -273,7 +273,6 @@
 sysnet_read_config(httpd_t)
 
 userdom_use_unpriv_users_fds(httpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
 
 mta_send_mail(httpd_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.3.4/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/avahi.te	2006-08-02 11:32:54.000000000 -0400
@@ -79,6 +79,7 @@
 
 sysnet_read_config(avahi_t)
 sysnet_use_ldap(avahi_t)
+miscfiles_read_certs(avahi_t)
 
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.4/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/bluetooth.te	2006-08-02 11:32:54.000000000 -0400
@@ -247,3 +247,8 @@
 optional_policy(`
        	xserver_stream_connect_xdm(bluetooth_helper_t)
 ')	
+
+optional_policy(`
+	nis_use_ypbind(bluetooth_helper_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.3.4/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/clamav.if	2006-08-02 13:15:45.000000000 -0400
@@ -102,3 +102,4 @@
 	allow clamscan_t $1:fifo_file rw_file_perms;
 	allow clamscan_t $1:process sigchld;
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.3.4/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/cron.if	2006-08-02 11:32:54.000000000 -0400
@@ -181,6 +181,7 @@
 	allow $1_crontab_t $2:fd use;
 	allow $1_crontab_t $2:fifo_file rw_file_perms;
 	allow $1_crontab_t $2:process sigchld;
+	allow $2 $1_crontab_t:process sigchld;
 
 	# crontab shows up in user ps
 	allow $2 $1_crontab_t:dir { search getattr read };
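Review bot: `allow $2 $1_crontab_t:process sigchld;` lets the user domain send SIGCHLD to crontab, the reverse of the existing `allow $1_crontab_t $2:process sigchld;` just above it, and nothing says why. Presumably this covers `crontab -e`, where the editor runs back in the user domain and exits under crontab; if so, say it, e.g. `# editor run by crontab -e exits back to $1_crontab_t`, otherwise the line reads like a copy of the previous one with the operands swapped. The enclosing template starts outside the hunk.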
@@ -194,14 +195,19 @@
 	# Allow crond to read those crontabs in cron spool.
 	allow crond_t $1_cron_spool_t:file create_file_perms;
 
+	allow $1_crontab_t tmp_t:dir rw_dir_perms;
+	allow $1_crontab_t $1_tmp_t:file create_file_perms;
+	type_transition $1_crontab_t tmp_t:file $1_tmp_t;
+
 	# dac_override is to create the file in the directory under /tmp
-	allow $1_crontab_t self:capability { setuid setgid chown dac_override };
+	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
 	allow $1_crontab_t self:process signal_perms;
 
 	# create files in /var/spool/cron
-	allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
+	files_search_spool($1_crontab_t)
 	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
-	type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
+	allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
+	type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;
 
 	# crontab signals crond by updating the mtime on the spooldir
 	allow $1_crontab_t cron_spool_t:dir setattr;
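Review bot: The new tmp rules reach into another module's types directly from cron.if (`allow $1_crontab_t tmp_t:dir rw_dir_perms;`, `type_transition $1_crontab_t tmp_t:file $1_tmp_t;`); refpolicy convention is to use the owning module's interface, so `files_tmp_filetrans($1_crontab_t,$1_tmp_t,file)` together with the userdom_ interface for `$1_tmp_t` would keep the layering and the template's gen_require list correct. The `fowner` capability added to the self:capability line is not covered by the comment above it (`# dac_override is to create the file in the directory under /tmp`); extend that comment to say what fowner is needed for. Switching the spool `type_transition` to `cron_spool_t` as the directory type is the fix the description refers to and looks right. The template starts outside the hunk.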
@@ -239,6 +245,10 @@
 	# Read user crontabs
 	userdom_read_user_home_content_files($1,$1_crontab_t)
 
+	optional_policy(`
+		nscd_socket_use($1_crontab_t)
+	')
+
 	tunable_policy(`fcron_crond', `
 		# fcron wants an instant update of a crontab change for the administrator
 		# also crontab does a security check for crontab -u
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.3.4/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/cups.te	2006-08-02 11:32:54.000000000 -0400
@@ -81,6 +81,7 @@
 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow cupsd_t self:netlink_selinux_socket create_socket_perms;
 allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
 allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
 allow cupsd_t self:udp_socket create_socket_perms;
@@ -153,6 +154,8 @@
 dev_read_sysfs(cupsd_t)
 dev_read_usbfs(cupsd_t)
 
+domain_read_all_domains_state(cupsd_t)
+
 fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
 # from old usercanread attrib:
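Review bot: `domain_read_all_domains_state(cupsd_t)` gives a network-facing print daemon read access to every domain's /proc state, and the hunk carries no comment tying it to the SELinux-aware cupsd mentioned in the description. If the goal is only to obtain a client's context for the access checks that the later `selinux_compute_access_vector(cupsd_t)` performs, this broad grant may not be needed at all; if it is, add `# SELinux-aware cupsd reads client process state` above it and consider whether a narrower domain_ interface suffices.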
@@ -202,7 +205,8 @@
 # invoking ghostscript needs to read fonts
 miscfiles_read_fonts(cupsd_t)
 
-seutil_dontaudit_read_config(cupsd_t)
+seutil_read_config(cupsd_t)
+selinux_compute_access_vector(cupsd_t)
 
 sysnet_read_config(cupsd_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.4/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/dbus.if	2006-08-02 11:32:54.000000000 -0400
@@ -171,6 +171,11 @@
 		xserver_use_xdm_fds($1_dbusd_t)
 		xserver_rw_xdm_pipes($1_dbusd_t)
 	')
+
+	optional_policy(`
+		hal_dbus_chat($1_dbusd_t)
+	')
+
 ')
 
 #######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-2.3.4/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/ldap.te	2006-08-02 11:32:54.000000000 -0400
@@ -72,7 +72,7 @@
 
 allow slapd_t slapd_var_run_t:file create_file_perms;
 allow slapd_t slapd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(slapd_t,slapd_var_run_t,file)
+files_pid_filetrans(slapd_t,slapd_var_run_t,{ file socket })
 
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
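Review bot: `files_pid_filetrans(slapd_t,slapd_var_run_t,{ file socket })` names the `socket` class, but a socket object on the filesystem is `sock_file`; `socket` is the generic socket class, and a type_transition on it in a directory context will not label the ldapi socket. Change it to `{ file sock_file }`, and unless it exists elsewhere in ldap.te add `allow slapd_t slapd_var_run_t:sock_file create_file_perms;` beside the existing file/dir rules so slapd can actually create the socket.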
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.3.4/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/nis.te	2006-08-02 13:30:44.000000000 -0400
@@ -249,8 +249,6 @@
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
 allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypserv_t self:tcp_socket connected_stream_socket_perms;
-allow ypserv_t self:udp_socket create_socket_perms;
 
 allow ypserv_t var_yp_t:dir rw_dir_perms;
 allow ypserv_t var_yp_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.3.4/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/ntp.te	2006-08-02 11:32:54.000000000 -0400
@@ -32,7 +32,7 @@
 
 # sys_resource and setrlimit is for locking memory
 # ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock net_bind_service sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
 allow ntpd_t self:fifo_file { read write getattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.4/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/pegasus.if	2006-08-02 11:32:54.000000000 -0400
@@ -1 +1,32 @@
 ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run pegasus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pegasus_domtrans',`
+	gen_require(`
+		type pegasus_t, pegasus_exec_t;
+	')
+
+	ifdef(`targeted_policy',`
+		if(pegasus_disable_trans) {
+			can_exec($1,pegasus_exec_t)
+		} else {
+			domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+		}
+	', `
+		domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+	')
+
+	allow $1 pegasus_t:fd use;
+	allow pegasus_t $1:fd use;
+	allow pegasus_t $1:fifo_file rw_file_perms;
+	allow pegasus_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.4/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/pegasus.te	2006-08-02 11:32:54.000000000 -0400
@@ -100,13 +100,12 @@
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
 hostname_exec(pegasus_t)
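Review bot: `files_read_all_files(pegasus_t)` replaces three narrow reads (etc files, var_lib list and read) and, together with the new `auth_read_shadow(pegasus_t)`, gives a network-facing CIM server read access to every file type in the policy, including other services' private data; neither change is mentioned in the description. If particular CIM providers need specific directories, grant those types explicitly; if the wide grant is unavoidable for now, mark it with `# TODO: narrow; needed by <provider>` so it stays visible for later tightening.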
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.3.4/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/postfix.te	2006-08-02 11:32:54.000000000 -0400
@@ -250,6 +250,7 @@
 allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
 
 allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
+corecmd_exec_bin(postfix_cleanup_t)
 
 ########################################
 #
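Review bot: `corecmd_exec_bin(postfix_cleanup_t)` here, and the same call for `postfix_qmgr_t` and `postfix_smtpd_t` in the two later hunks of this file, let each of those daemons execute any bin_t program in its own domain, while the description only says "Fixes for postfix"; smtpd in particular handles untrusted network input. A comment naming the helper each domain needs (e.g. `# runs <helper> for content filtering`) would make the grant reviewable, and if it is a single known program, a labelled type with a transition would be tighter than exec of all bin_t.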
@@ -293,6 +294,10 @@
 	procmail_domtrans(postfix_local_t)
 ')
 
+optional_policy(`
+	clamav_search_lib(postfix_local_t)
+')
+
 ########################################
 #
 # Postfix map local policy
@@ -519,6 +524,7 @@
 allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
 allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
 allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+corecmd_exec_bin(postfix_qmgr_t)
 
 ########################################
 #
@@ -589,6 +595,7 @@
 # for OpenSSL certificates
 files_read_usr_files(postfix_smtpd_t)
 mta_read_aliases(postfix_smtpd_t)
+corecmd_exec_bin(postfix_smtpd_t)
 
 optional_policy(`
 	postgrey_stream_connect(postfix_smtpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.3.4/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/procmail.te	2006-08-02 13:19:00.000000000 -0400
@@ -29,6 +29,7 @@
 kernel_read_kernel_sysctls(procmail_t)
 
 corenet_non_ipsec_sendrecv(procmail_t)
+corenet_udp_bind_inaddr_any_node(procmail_t)
 corenet_tcp_sendrecv_all_if(procmail_t)
 corenet_udp_sendrecv_all_if(procmail_t)
 corenet_tcp_sendrecv_all_nodes(procmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.3.4/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/samba.te	2006-08-02 11:32:54.000000000 -0400
@@ -191,7 +191,7 @@
 allow smbd_t samba_etc_t:dir rw_dir_perms;
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
 
-allow smbd_t samba_log_t:dir { ra_dir_perms setattr };
+allow smbd_t samba_log_t:dir { create ra_dir_perms setattr };
 dontaudit smbd_t samba_log_t:dir remove_name;
 allow smbd_t samba_log_t:file { create ra_file_perms };
 
@@ -367,7 +367,7 @@
 allow nmbd_t samba_etc_t:dir { search getattr };
 allow nmbd_t samba_etc_t:file { getattr read };
 
-allow nmbd_t samba_log_t:dir { ra_dir_perms setattr };
+allow nmbd_t samba_log_t:dir { create ra_dir_perms setattr };
 allow nmbd_t samba_log_t:file { create ra_file_perms };
 
 allow nmbd_t samba_var_t:dir rw_dir_perms;
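Review bot: Adding `create` on `samba_log_t:dir` here and in the smbd hunk above only helps if the new directory is labelled samba_log_t at creation; with no `logging_log_filetrans(...,samba_log_t,dir)` visible in either hunk, a directory created under /var/log inherits its parent's type and the new permission is never the one exercised. Unless that filetrans already exists elsewhere in samba.te, add it beside each `create` permission, with a comment such as `# smbd/nmbd create /var/log/samba on first start`.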
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-2.3.4/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.4/policy/modules/services/setroubleshoot.fc	2006-08-02 11:32:54.000000000 -0400
@@ -0,0 +1,9 @@
+# setroubleshoot executables
+
+/usr/sbin/setroubleshootd		--	gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
+/var/run/setroubleshoot(/.*)?			gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+
+/var/log/setroubleshoot(/.*)?			gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+
+/var/lib/setroubleshoot(/.*)?			gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-2.3.4/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.4/policy/modules/services/setroubleshoot.if	2006-08-02 11:32:54.000000000 -0400
@@ -0,0 +1,3 @@
+## <summary>policy for setroubleshoot</summary>
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.4/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.4/policy/modules/services/setroubleshoot.te	2006-08-02 11:32:54.000000000 -0400
@@ -0,0 +1,101 @@
+policy_module(setroubleshoot,1.0.0)
+
+########################################
+#
+# Declarations 
+#
+
+type setroubleshootd_t;
+type setroubleshootd_exec_t;
+domain_type(setroubleshootd_t)
+init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+typealias setroubleshootd_t alias setroubleshoot_t;
+
+# log files
+type setroubleshoot_var_log_t;
+logging_log_file(setroubleshoot_var_log_t)
+
+# pid files
+type setroubleshoot_var_run_t;
+files_pid_file(setroubleshoot_var_run_t)
+
+type setroubleshoot_var_lib_t;
+files_type(setroubleshoot_var_lib_t)
+
+########################################
+#
+# setroubleshootd local policy
+#
+allow setroubleshootd_t self:capability { dac_override sys_tty_config };
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+allow setroubleshootd_t self:process { signal getattr };
+allow setroubleshootd_t self:fifo_file { read write };
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
+
+files_dontaudit_getattr_tmp_dirs(setroubleshootd_t)
+files_dontaudit_search_home(setroubleshootd_t)
+files_read_usr_files(setroubleshootd_t)
+files_read_etc_files(setroubleshootd_t)
+
+libs_use_ld_so(setroubleshootd_t)
+libs_use_shared_libs(setroubleshootd_t)
+miscfiles_read_localization(setroubleshootd_t)
+
+logging_send_syslog_msg(setroubleshootd_t)
+
+# pid file
+files_search_pids(setroubleshootd_t)
+allow setroubleshootd_t setroubleshoot_var_run_t:file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_run_t:sock_file manage_file_perms;
+allow setroubleshootd_t setroubleshoot_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
+
+# log files
+logging_search_logs(setroubleshootd_t)
+allow setroubleshootd_t setroubleshoot_var_log_t:file create_file_perms;
+allow setroubleshootd_t setroubleshoot_var_log_t:sock_file create_file_perms;
+allow setroubleshootd_t setroubleshoot_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir })
+
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:file create_file_perms;
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir { rw_dir_perms setattr };
+files_var_lib_filetrans(setroubleshootd_t,setroubleshoot_var_lib_t,{ file dir })
+corenet_tcp_bind_generic_node(setroubleshootd_t)
+corenet_tcp_bind_lo_node(setroubleshootd_t)
+corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
+corenet_non_ipsec_sendrecv(setroubleshootd_t)
+corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
+corenet_raw_sendrecv_generic_if(setroubleshootd_t)
+corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
+corenet_raw_sendrecv_all_nodes(setroubleshootd_t)
+corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
+corenet_tcp_bind_all_nodes(setroubleshootd_t)
+corenet_tcp_connect_smtp_port(setroubleshootd_t)
+
+corecmd_exec_sbin(setroubleshootd_t)
+corecmd_exec_bin(setroubleshootd_t)
+
+dev_read_urand(setroubleshootd_t)
+
+kernel_read_kernel_sysctls(setroubleshootd_t)
+kernel_read_system_state(setroubleshootd_t)
+
+init_read_utmp(setroubleshootd_t)
+init_dontaudit_write_utmp(setroubleshootd_t)
+init_use_fds(setroubleshootd_t)
+
+sysnet_read_config(setroubleshootd_t)
+
+seutil_read_config(setroubleshootd_t)
+selinux_get_enforce_mode(setroubleshootd_t)
+
+term_dontaudit_use_console(setroubleshootd_t)
+term_dontaudit_use_generic_ptys(setroubleshootd_t)
+
+optional_policy(`
+	rpm_read_db(setroubleshootd_t)
+	rpm_dontaudit_manage_db(setroubleshootd_t)
+')
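Review bot: The node-binding set is redundant and wider than a local troubleshooting daemon is likely to need: `corenet_tcp_bind_all_nodes(setroubleshootd_t)` already covers `corenet_tcp_bind_generic_node` and `corenet_tcp_bind_lo_node`, and combined with `corenet_tcp_bind_setroubleshoot_port` the service (tcp 3267 per the corenetwork hunk) becomes reachable on every interface. If the daemon only talks to a local client, keep `corenet_tcp_bind_lo_node` alone and drop the other two; otherwise add a comment stating why remote binds are required, and likewise for `corenet_tcp_sendrecv_all_ports`. `typealias setroubleshootd_t alias setroubleshoot_t;` introduces a second name for the domain on day one; if it is for compatibility with an earlier policy, say so in a comment, and the `# Declarations ` header line carries a trailing space.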
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.3.4/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/spamassassin.te	2006-08-02 11:32:54.000000000 -0400
@@ -194,3 +194,7 @@
 optional_policy(`
 	udev_read_db(spamd_t)
 ')
+
+optional_policy(`
+	postfix_read_config(spamd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.3.4/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/squid.te	2006-08-02 11:32:54.000000000 -0400
@@ -28,9 +28,9 @@
 # Local policy
 #
 
-allow squid_t self:capability { setgid setuid dac_override };
+allow squid_t self:capability { setgid setuid dac_override sys_resource };
 dontaudit squid_t self:capability sys_tty_config;
-allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow squid_t self:fifo_file rw_file_perms;
 allow squid_t self:sock_file r_file_perms;
 allow squid_t self:fd use;
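Review bot: `sys_resource` together with the now-permitted `setrlimit` lets squid_t raise its own hard limits, but `sys_resource` also covers quota and reserved-space overrides, so the allow should record what squid actually needs before the grant is widened further; presumably it raises its descriptor limit at startup, which the denial that prompted this would confirm. Suggest `# sys_resource + setrlimit: squid raises its own fd limit at startup (confirm from AVC)` above the capability line. The squid_t local policy continues outside the hunk.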
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-2.3.4/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/stunnel.te	2006-08-02 11:32:54.000000000 -0400
@@ -105,6 +105,10 @@
 	')
 
 	optional_policy(`
+        	mount_send_nfs_client_request(stunnel_t)
+	')
+
+	optional_policy(`
         	seutil_sigchld_newrole(stunnel_t)
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.4/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/xserver.if	2006-08-02 11:32:54.000000000 -0400
@@ -120,7 +120,9 @@
 	dev_setattr_generic_dirs($1_xserver_t)
 	# raw memory access is needed if not using the frame buffer
 	dev_read_raw_memory($1_xserver_t)
-	dev_write_raw_memory($1_xserver_t)
+	dev_wx_raw_memory($1_xserver_t)
+	dev_rw_sysfs($1_xserver_t)
+	
 	# for other device nodes such as the NVidia binary-only driver
 	dev_rw_xserver_misc($1_xserver_t)
 	# read events - the synaptics touchpad driver reads raw events
@@ -160,6 +162,10 @@
 	sysnet_read_config($1_xserver_t)
 
 	optional_policy(`
+		apm_stream_connect($1_xserver_t)
+	')
+
+	optional_policy(`
 		auth_search_pam_console_data($1_xserver_t)
 	')
 
@@ -1125,7 +1131,47 @@
 	')
 
 	files_search_tmp($1)
-	allow $1 xdm_xserver_tmp_t:dir search_dir_perms;
+	xserver_search_xdm_xserver_tmp_dir($1)
 	allow $1 xdm_xserver_tmp_t:sock_file write;
 	allow $1 xdm_xserver_t:unix_stream_socket connectto;
 ')
+
+
+########################################
+## <summary>
+##	search xdm temporary directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_search_xdm_xserver_tmp_dir',`
+	gen_require(`
+		type xdm_xserver_tmp_t;
+	')
+
+	allow $1 xdm_xserver_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create a named socket in a ice
+##	temporary directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_create_ice_tmp_sockets',`
+	gen_require(`
+		type ice_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 ice_tmp_t:dir ra_dir_perms;
+	allow $1 ice_tmp_t:sock_file create_file_perms;
+')
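Review bot: The `<param>` summary of `xserver_search_xdm_xserver_tmp_dir` says "Domain to not audit" although the interface is an allow rule; it should read `Domain allowed access.` like the interface beneath it. The summary "search xdm temporary directory" should name what the type covers, e.g. `Search the xdm X server temporary directory.`, and "in a ice temporary directory" should be "in an ICE temporary directory". Two blank lines precede the first new interface where the file otherwise uses one.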
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.3.4/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/services/xserver.te	2006-08-02 11:32:54.000000000 -0400
@@ -81,7 +81,7 @@
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
 allow xdm_t self:fifo_file rw_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
@@ -89,7 +89,9 @@
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:tcp_socket create_stream_socket_perms;
 allow xdm_t self:udp_socket create_socket_perms;
-allow xdm_t self:key write;
+allow xdm_t self:socket create_socket_perms;
+allow xdm_t self:appletalk_socket create_socket_perms;
+allow xdm_t self:key { search write };
 
 # Supress permission check on .ICE-unix
 dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
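Review bot: `allow xdm_t self:socket create_socket_perms;` and the appletalk_socket rule give xdm generic and AppleTalk sockets with no comment saying which code path asks for them; the generic `socket` class is rarely what a program intends, so the denial that motivated this should be recorded, e.g. `# generic/appletalk sockets: presumably interface enumeration by xdm's helpers — confirm`. The key change to `{ search write }` matches the locallogin change later in the diff.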
@@ -106,6 +108,7 @@
 
 kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
+kernel_read_network_state(xdm_t)
 
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
@@ -154,6 +157,7 @@
 domain_dontaudit_read_all_domains_state(xdm_t)
 
 files_read_etc_files(xdm_t)
+files_read_var_files(xdm_t)
 files_read_etc_runtime_files(xdm_t)
 files_exec_etc_files(xdm_t)
 files_list_mnt(xdm_t)
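Review bot: `files_read_var_files(xdm_t)` grants read access to every file of type var_t, which is much wider than the xdm-specific types around it; if one file under /var is needed, a narrower interface or a dedicated type would keep the display manager's footprint smaller, and at minimum a comment should name the file.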
@@ -257,7 +261,7 @@
 	allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
 	allow xdm_t xdm_xserver_tmp_t:file unlink;
 
-	allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
+	allow xdm_t xserver_log_t:dir { create_dir_perms setattr };
 	allow xdm_t xserver_log_t:file manage_file_perms;
 	allow xdm_t xserver_log_t:fifo_file manage_file_perms;
 	logging_log_filetrans(xdm_t,xserver_log_t,file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.4/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2006-07-14 17:04:44.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/hostname.te	2006-08-02 11:32:54.000000000 -0400
@@ -8,7 +8,10 @@
 
 type hostname_t;
 type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+domain_type(hostname_t)
+domain_entry_file(hostname_t,hostname_exec_t)
 role system_r types hostname_t;
 
 ########################################
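Review bot: Replacing `init_system_domain` with `domain_type` + `domain_entry_file` is explained only by `#dont transition from initrc`; since this deliberately drops the automatic initrc_t to hostname_t transition, spell it out, e.g. `# Not init_system_domain(): initrc_t must not domain-transition to hostname_t`, and check whether anything else init_system_domain provided is still needed by this domain.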
@@ -56,6 +59,7 @@
 sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
-
-
+optional_policy(`
+	xen_dontaudit_use_fds(hostname_t)
+')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.3.4/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if	2006-07-14 17:04:44.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/init.if	2006-08-02 11:32:54.000000000 -0400
@@ -158,13 +158,6 @@
 	allow $1 initrc_t:fifo_file rw_file_perms;
 	allow $1 initrc_t:process sigchld;
 
-	ifdef(`hide_broken_symptoms',`
-		# RHEL4 systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_rhel4',`
-			kernel_dontaudit_use_fds($1)
-		')
-	')
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.3.4/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-08-02 10:34:08.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/libraries.fc	2006-08-02 11:32:54.000000000 -0400
@@ -200,7 +200,7 @@
 /usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xine/plugins/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libgsm\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.3.4/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2006-08-02 10:34:08.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/locallogin.te	2006-08-02 11:32:54.000000000 -0400
@@ -47,7 +47,7 @@
 allow local_login_t self:sem create_sem_perms;
 allow local_login_t self:msgq create_msgq_perms;
 allow local_login_t self:msg { send receive };
-allow local_login_t self:key write;
+allow local_login_t self:key { search write };
 
 allow local_login_t local_login_lock_t:file create_file_perms;
 files_lock_filetrans(local_login_t,local_login_lock_t,file)
@@ -58,6 +58,8 @@
 
 kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctls(local_login_t)
+kernel_search_key(local_login_t)
+kernel_link_key(local_login_t)
 
 dev_setattr_mouse_dev(local_login_t)
 dev_getattr_mouse_dev(local_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.3.4/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc	2006-08-02 10:34:08.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/logging.fc	2006-08-02 11:32:54.000000000 -0400
@@ -38,3 +38,6 @@
 /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
 
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.3.4/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2006-08-02 10:34:08.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/logging.te	2006-08-02 11:32:54.000000000 -0400
@@ -120,9 +120,10 @@
 allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
 allow auditd_t var_log_t:dir search;
 
+allow auditd_t auditd_var_run_t:sock_file create_file_perms;
 allow auditd_t auditd_var_run_t:file create_file_perms;
 allow auditd_t auditd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(auditd_t,auditd_var_run_t,file)
+files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
 
 kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-2.3.4/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc	2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/miscfiles.fc	2006-08-02 11:32:54.000000000 -0400
@@ -9,6 +9,7 @@
 # /etc
 #
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
+/etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.3.4/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-07-14 17:04:44.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/mount.te	2006-08-02 11:32:54.000000000 -0400
@@ -97,6 +97,8 @@
 
 sysnet_use_portmap(mount_t)
 
+selinux_get_enforce_mode(mount_t)
+
 userdom_use_all_users_fds(mount_t)
 
 ifdef(`distro_redhat',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.4/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-08-02 10:34:09.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/selinuxutil.te	2006-08-02 13:31:02.000000000 -0400
@@ -355,6 +355,8 @@
 kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
 kernel_relabelfrom_unlabeled_pipes(restorecon_t)
 kernel_relabelfrom_unlabeled_sockets(restorecon_t)
+kernel_dontaudit_list_all_proc(restorecon_t)
+kernel_dontaudit_list_sysctls(restorecon_t)
 
 dev_relabel_all_dev_nodes(restorecon_t)
 # cjp: why is this needed?
@@ -613,6 +615,10 @@
 	userdom_read_generic_user_home_content_files(semanage_t)
 ')
 
+ifdef(`enable_mls',`
+	userdom_read_user_tmp_files(secadm, semanage_t)
+')
+
 optional_policy(`
 	nscd_socket_use(semanage_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.3.4/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-08-02 10:34:09.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/unconfined.if	2006-08-02 11:32:54.000000000 -0400
@@ -20,6 +20,7 @@
 	# Use any Linux capability.
 	allow $1 self:capability *;
 	allow $1 self:fifo_file create_file_perms;
+	allow $1 self:key *;
 
 	# Transition to myself, to make get_ordered_context_list happy.
 	allow $1 self:process transition;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.3.4/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-08-02 10:34:09.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/unconfined.te	2006-08-02 11:32:54.000000000 -0400
@@ -195,4 +195,9 @@
 ifdef(`targeted_policy',`
 	allow unconfined_execmem_t self:process { execstack execmem };
 	unconfined_domain_noaudit(unconfined_execmem_t)
+	optional_policy(`
+		init_dbus_chat_script(unconfined_execmem_t)
+		dbus_stub(unconfined_execmem_t)
+		unconfined_dbus_chat(unconfined_execmem_t)
+	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.4/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/userdomain.if	2006-08-02 11:32:54.000000000 -0400
@@ -8,11 +8,10 @@
 ## <desc>
 ##	<p>
 ##	This template creates a user domain, types, and
-##	rules for the user's tty, pty, home directories,
-##	tmp, and tmpfs files.
+##	rules for the user's tty, pty, tmp, and tmpfs files.
 ##	</p>
 ##	<p>
-##	This generally should not be used, rather the
+##	This should only be used for new non login user roles, rather the
 ##	unpriv_user_template or admin_user_template should
 ##	be used.
 ##	</p>
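Review bot: The new description "This should only be used for new non login user roles, rather the unpriv_user_template or admin_user_template should be used." contradicts itself, because the "rather ... should be used" clause was written for the old "should not be used" sentence. Suggest `##	Use this directly only for new non-login user roles; for login` / `##	users use unpriv_user_template or admin_user_template instead.` The same copied sentence reappears in the role_change_template description at the end of this file, where it does not apply at all.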
@@ -25,7 +24,9 @@
 ## </param>
 #
 template(`base_user_template',`
-
+	gen_require(`
+		attribute userdomain, unpriv_userdomain;
+	')
 	attribute $1_file_type;
 
 	type $1_t, userdomain;
@@ -42,44 +43,17 @@
 	term_user_pty($1_t,$1_devpts_t)
 	files_type($1_devpts_t)
 
-	# type for contents of home directory
-	type $1_home_t, $1_file_type, home_type;
-	files_type($1_home_t)
-	files_associate_tmp($1_home_t)
-	fs_associate_tmpfs($1_home_t)
-
-	# type of home directory
-	type $1_home_dir_t, home_dir_type, home_type;
-	files_type($1_home_dir_t)
-	files_associate_tmp($1_home_dir_t)
-	fs_associate_tmpfs($1_home_dir_t)
-
 	type $1_tmp_t, $1_file_type;
 	files_tmp_file($1_tmp_t)
 
 	type $1_tmpfs_t;
 	files_tmpfs_file($1_tmpfs_t)
 
-	# types for network-obtained content
-	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
-	files_type($1_untrusted_content_t)
-	files_poly_member($1_untrusted_content_t)
-
-	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
-	files_tmp_file($1_untrusted_content_tmp_t)
-
 	type $1_tty_device_t; 
 	term_tty($1_t,$1_tty_device_t)
 
 	##############################
 	#
-	# User home directory file rules
-	#
-
-	allow $1_file_type $1_home_t:filesystem associate;
-
-	##############################
-	#
 	# User domain Local policy
 	#
 
@@ -103,19 +77,6 @@
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
-	# execute files in the home directory
-	can_exec($1_t,$1_home_t)
-
-	# full control of the home directory
-	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
-	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
-	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-	files_search_home($1_t)
-
 	can_exec($1_t,$1_tmp_t)
 
 	# user temporary files
@@ -138,15 +99,16 @@
 	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-	# Allow user to relabel untrusted content
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+	allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+	term_create_pty($1_t,$1_devpts_t)
 
 	allow $1_t unpriv_userdomain:fd use;
 
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
 	kernel_read_kernel_sysctls($1_t)
 	kernel_read_net_sysctls($1_t)
+	kernel_read_fs_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -165,8 +127,10 @@
 
 	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_raw_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
 	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_raw_sendrecv_all_nodes($1_t)
 	corenet_udp_sendrecv_all_nodes($1_t)
 	corenet_tcp_sendrecv_all_ports($1_t)
 	corenet_udp_sendrecv_all_ports($1_t)
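Review bot: `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` are new grants for every user domain, not rules moved from the login templates like the neighbouring additions; raw sockets remain gated by the net_raw capability and rawip_socket class rules outside this hunk, so the practical effect is limited, but a comment naming the client that needs them would justify the broadening. base_user_template continues past the hunk on both sides.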
@@ -193,6 +157,7 @@
 	fs_getattr_all_fs($1_t)
 	fs_getattr_all_dirs($1_t)
 	fs_search_auto_mountpoints($1_t)
+	fs_list_inotifyfs($1_t)
 
 	# cjp: some of this probably can be removed
 	selinux_get_fs_mount($1_t)
@@ -234,6 +199,11 @@
 	files_dontaudit_getattr_non_security_sockets($1_t)
 	files_dontaudit_getattr_non_security_blk_files($1_t)
 	files_dontaudit_getattr_non_security_chr_files($1_t)
+	files_read_var_files($1_t)
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+	files_read_usr_files($1_t)
+	files_exec_usr_files($1_t)
 
 	# Caused by su - init scripts
 	init_dontaudit_use_script_ptys($1_t)
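Review bot: Of the five `files_*` lines added here, `files_read_etc_files`, `files_read_etc_runtime_files`, `files_read_usr_files` and `files_exec_usr_files` are moved from unpriv_user_template later in the diff, but `files_read_var_files($1_t)` is new: it gives every user domain, including the non-login roles this template is now documented for, read access to all var_t files. If that is intended, say so in a comment; otherwise keep it in the login templates.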
@@ -254,16 +224,88 @@
 	seutil_read_default_contexts($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 
-	tunable_policy(`allow_execmem',`
-		# Allow loading DSOs that require executable stack.
-		allow $1_t self:process execmem;
-	')
+	sysnet_dns_name_resolve($1_t)
 
-	tunable_policy(`allow_execmem && allow_execstack',`
-		# Allow making the stack executable via mprotect.
-		allow $1_t self:process execstack;
+')
+#######################################
+## <summary>
+##	The template containing rules common to unprivileged
+##	users and administrative users.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user home directories,
+##	</p>
+##	<p>
+##	This generally should not be used, rather the
+##	unpriv_user_template or admin_user_template should
+##	be used.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`base_login_user_template',`
+
+	gen_require(`
+		attribute $1_file_type;
+		attribute home_dir_type, home_type;
+		attribute untrusted_content_type;
 	')
 
+	# type for contents of home directory
+	type $1_home_t, $1_file_type, home_type;
+	files_type($1_home_t)
+	files_associate_tmp($1_home_t)
+	fs_associate_tmpfs($1_home_t)
+
+	# type of home directory
+	type $1_home_dir_t, home_dir_type, home_type;
+	files_type($1_home_dir_t)
+	files_associate_tmp($1_home_dir_t)
+	fs_associate_tmpfs($1_home_dir_t)
+
+	# types for network-obtained content
+	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
+	files_type($1_untrusted_content_t)
+	files_poly_member($1_untrusted_content_t)
+
+	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
+	files_tmp_file($1_untrusted_content_tmp_t)
+
+	##############################
+	#
+	# User home directory file rules
+	#
+
+	allow $1_file_type $1_home_t:filesystem associate;
+
+	##############################
+	#
+	# User domain Local policy
+	#
+
+	# execute files in the home directory
+	can_exec($1_t,$1_home_t)
+
+	# full control of the home directory
+	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
+	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
+	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+	files_search_home($1_t)
+
+	# Allow user to relabel untrusted content
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
 	tunable_policy(`read_default_t',`
 		files_list_default($1_t)
 		files_read_default_files($1_t)
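Review bot: The `allow_execmem` and `allow_execmem && allow_execstack` tunable_policy blocks are deleted from base_user_template and not re-added to base_login_user_template anywhere in this hunk, so unless they are restored outside it, user domains silently lose the execmem/execstack booleans; the cover letter does not mention this. Separately, the new gen_require lists `attribute untrusted_content_type;` but `$1_untrusted_content_tmp_t` is declared with `untrusted_content_tmp_type`, which is not required — add `attribute untrusted_content_tmp_type;` for consistency. The template also relies on `$1_t` and `$1_file_type` already existing, so the `<desc>` should state that it must be called after base_user_template($1), and "This template creates a user home directories," needs rewording, e.g. "This template creates the user home directory types and rules." Both templates extend past the hunk.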
@@ -322,6 +364,10 @@
 	')
 
 	optional_policy(`
+		alsa_read_rw_config($1_t)
+	')
+
+	optional_policy(`
 		canna_stream_connect($1_t)
 	')
 
@@ -472,6 +518,7 @@
 		xserver_read_xdm_pid($1_t)
 		# gnome-session creates socket under /tmp/.ICE-unix/
 		xserver_create_xdm_tmp_sockets($1_t)
+		xserver_create_ice_tmp_sockets($1_t)
 	')
 ')
 
@@ -501,6 +548,7 @@
 
 	# Inherit rules for ordinary users.
 	base_user_template($1)
+	base_login_user_template($1)
 
 	typeattribute $1_t unpriv_userdomain;
 	domain_interactive_fd($1_t)
@@ -521,9 +569,6 @@
 	# Local policy
 	#
 
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
 	# Rules used to associate a homedir as a mountpoint
 	allow $1_home_t self:filesystem associate;
 	allow $1_file_type $1_home_t:filesystem associate;
@@ -535,10 +580,6 @@
 	allow privhome $1_home_t:sock_file create_file_perms;
 	allow privhome $1_home_t:fifo_file create_file_perms;
 	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
-
 	dev_read_sysfs($1_t)
 
 	corecmd_exec_all_executables($1_t)
@@ -546,11 +587,8 @@
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
 
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
+
 	files_list_home($1_t)
-	files_read_usr_files($1_t)
-	files_exec_usr_files($1_t)
 	# Read directories and files with the readable_t type.
 	# This type is a general type for "world"-readable files.
 	files_list_world_readable($1_t)
@@ -558,8 +596,6 @@
 	files_read_world_readable_symlinks($1_t)
 	files_read_world_readable_pipes($1_t)
 	files_read_world_readable_sockets($1_t)
-	# cjp: why?
-	files_read_kernel_symbol_table($1_t)
 
 	init_read_utmp($1_t)
 	# The library functions always try to open read-write first,
@@ -748,6 +784,7 @@
 
 	# Inherit rules for ordinary users.
 	base_user_template($1)
+	base_login_user_template($1)
 
 	typeattribute $1_t privhome;
 	domain_obj_id_change_exemption($1_t)
@@ -783,11 +820,6 @@
 
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
@@ -855,6 +887,7 @@
 	domain_getattr_all_sockets($1_t)
 
 	files_exec_usr_src_files($1_t)
+	files_create_boot_flag($1_t)
 
 	init_rw_initctl($1_t)
 
@@ -3408,6 +3441,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to append to the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_sysadm_home_content_files',`
+	gen_require(`
+		type sysadm_home_t;
+	')
+
+	dontaudit $1 sysadm_home_t:file append;
+')
+
+########################################
+## <summary>
 ##	Read files in the staff users home directory.
 ## </summary>
 ## <param name="domain">
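Review bot: The summary says "append to the sysadm users home directory" but the rule is `dontaudit $1 sysadm_home_t:file append;`, i.e. files inside the home directory, not the directory itself; suggest `##	Do not audit attempts to append to files in the` / `##	sysadm user's home directory.`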
@@ -4128,7 +4180,7 @@
 	gen_require(`
 		type user_home_dir_t;
 	')
-
+	allow $1 user_home_dir_t:dir manage_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
 
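Review bot: `allow $1 user_home_dir_t:dir manage_dir_perms;` grants full directory management (create, delete, rename, ...) on user home directories inside an interface that, judging by the `files_home_filetrans` line, was previously a type-transition-only interface; its name and documentation start outside the hunk, so check that they still describe what it now grants, and use `create_dir_perms` if creating the home directory is all that is needed. The added line also replaces the blank line that separated gen_require from the body.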
@@ -4789,3 +4841,34 @@
 	allow $1 user_home_dir_t:dir create_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
+
+########################################
+## <summary>
+##	The template containing rules for changing from one role to another
+## </summary>
+## <desc>
+##	<p>
+##	This should only be used for new non login user roles, rather the
+##	unpriv_user_template or admin_user_template should
+##	be used.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	userdomain changing from 
+##	</summary>
+## </param>
+## <param name="userdomain_prefix">
+##	<summary>
+##	userdomain changing to
+##	</summary>
+## </param>
+#
+template(`role_change_template',`
+        allow $1_r $2_r;
+        type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+        type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+        # avoid annoying messages on terminal hangup
+        dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
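Review bot: Both `<param>` elements of role_change_template are named `userdomain_prefix`, so generated documentation cannot tell the source and target roles apart; name them e.g. `<param name="from_userdomain_prefix">` and `<param name="to_userdomain_prefix">`. The `<desc>` text is copied from base_user_template and does not describe a role-change template, "userdomain changing from " carries trailing whitespace, and the body is indented with eight spaces where the rest of the file (and the removed `role_change` define in userdomain.te) uses tabs.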
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.4/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/userdomain.te	2006-08-02 11:32:54.000000000 -0400
@@ -56,14 +56,6 @@
 # Local policy
 #
 
-define(`role_change',`
-	allow $1_r $2_r;
-	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-	# avoid annoying messages on terminal hangup
-	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
 ifdef(`targeted_policy',`
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
@@ -85,7 +77,7 @@
 	# compatibility for switching from strict
 #	dominance { role secadm_r { role system_r; }}
 #	dominance { role auditadm_r { role system_r; }}
-#	dominance { role sysadm_r { role system_r; }}
+	dominance { role sysadm_r { role system_r; }}
 #	dominance { role user_r { role system_r; }}
 #	dominance { role staff_r { role system_r; }}
 
@@ -124,34 +116,34 @@
 
 	# user role change rules:
 	# sysadm_r can change to user roles
-	role_change(sysadm, user)
-	role_change(sysadm, staff)
+	role_change_template(sysadm, user)
+	role_change_template(sysadm, staff)
 
 	# only staff_r can change to sysadm_r
-	role_change(staff, sysadm)
+	role_change_template(staff, sysadm)
 
 	ifdef(`enable_mls',`
 		unpriv_user_template(secadm)
 		unpriv_user_template(auditadm)
 
-		role_change(staff,auditadm)
-		role_change(staff,secadm)
+		role_change_template(staff,auditadm)
+		role_change_template(staff,secadm)
 
-		role_change(sysadm,secadm)
-		role_change(sysadm,auditadm)
+		role_change_template(sysadm,secadm)
+		role_change_template(sysadm,auditadm)
 
-		role_change(auditadm,secadm)
-		role_change(auditadm,sysadm)
+		role_change_template(auditadm,secadm)
+		role_change_template(auditadm,sysadm)
 
-		role_change(secadm,auditadm)
-		role_change(secadm,sysadm)
+		role_change_template(secadm,auditadm)
+		role_change_template(secadm,sysadm)
 	')
 
 	# this should be tunable_policy, but
 	# currently type_change and RBAC allow
 	# do not work in conditionals
 	ifdef(`user_canbe_sysadm',`
-		role_change(user,sysadm)
+		role_change_template(user,sysadm)
 	')
 
 	allow privhome home_root_t:dir { getattr search };
@@ -172,6 +164,8 @@
 
 	mls_process_read_up(sysadm_t)
 
+	term_getattr_all_user_ttys(sysadm_t)
+
 	init_exec(sysadm_t)
 
 	ifdef(`direct_sysadm_daemon',`
@@ -210,7 +204,9 @@
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
 	        logging_read_generic_logs(secadm_t)
-		userdom_dontaudit_append_staff_home_content_files(secadm_t)
+		userdom_dontaudit_append_sysadm_home_content_files(secadm_t)
+		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
 	', `
 		logging_manage_audit_log(sysadm_t)
 		logging_manage_audit_config(sysadm_t)
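Review bot: `userdom_dontaudit_append_staff_home_content_files(secadm_t)` is replaced rather than supplemented; since `role_change_template(staff,secadm)` earlier in this file still lets a staff session become secadm_r, the staff-home append denials it silenced will presumably return — confirm before dropping it. The two new dontaudit lines are also followed by an extra blank line before `', `.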
@@ -443,11 +439,11 @@
 			selinux_set_parameters(secadm_t)
 
 			seutil_manage_bin_policy(secadm_t)
-			seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
-			seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
-			seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
-			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
-			seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
+			seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+			seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+			seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+			seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+			seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		', `
 			selinux_set_enforce_mode(sysadm_t)
 			selinux_set_boolean(sysadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.3.4/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if	2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/xen.if	2006-08-02 11:32:54.000000000 -0400
@@ -127,3 +127,41 @@
 	allow xm_t $1:fifo_file rw_file_perms;
 	allow xm_t $1:process sigchld;
 ')
+
+
+########################################
+## <summary>
+##	Inherit and use xen file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xen_use_fds',`
+	gen_require(`
+		type xen_t;
+	')
+
+	allow $1 xen_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit
+##	xen file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xen_dontaudit_use_fds',`
+	gen_require(`
+		type xen_t;
+	')
+
+	dontaudit $1 xen_t:fd use;
+')
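Review bot: The `<param>` summary of `xen_use_fds` says "Domain to not audit." although the interface is an allow rule; it should read `Domain allowed access.`, matching the convention for non-dontaudit interfaces. Two consecutive blank lines precede the first new interface where the file otherwise uses one.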
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.4/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2006-08-02 10:34:08.000000000 -0400
+++ serefpolicy-2.3.4/policy/modules/system/xen.te	2006-08-02 11:32:54.000000000 -0400
@@ -70,6 +70,8 @@
 
 allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
 allow xend_t self:process { signal sigkill };
+dontaudit xend_t self:process ptrace;
+
 # internal communication is often done using fifo and unix sockets.
 allow xend_t self:fifo_file rw_file_perms;
 allow xend_t self:unix_stream_socket create_stream_socket_perms;
@@ -130,6 +132,8 @@
 corenet_tcp_bind_soundd_port(xend_t)
 corenet_sendrecv_xen_server_packets(xend_t)
 corenet_sendrecv_soundd_server_packets(xend_t)
+corenet_tcp_bind_generic_port(xend_t)
+corenet_rw_tun_tap_dev(xend_t)
 
 dev_read_urand(xend_t)
 dev_manage_xen(xend_t)
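Review bot: `corenet_tcp_bind_generic_port(xend_t)` lets xend bind any port carrying the catch-all port_t label; if xend listens on a fixed port it should get a dedicated port type (the `corenet_sendrecv_xen_server_packets` line above suggests a xen port type already exists), and if it only needs ephemeral ports a comment saying so is enough. `corenet_rw_tun_tap_dev` likewise deserves a one-line reason next to it.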
@@ -144,13 +148,17 @@
 files_read_kernel_img(xend_t)
 files_manage_etc_runtime_files(xend_t)
 files_etc_filetrans_etc_runtime(xend_t,file)
+files_read_usr_files(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
 
 term_dontaudit_getattr_all_user_ptys(xend_t)
 term_dontaudit_use_generic_ptys(xend_t)
+term_use_ptmx(xend_t)
+term_getattr_ptys_fs(xend_t)
 
 init_use_fds(xend_t)
+init_use_script_ptys(xend_t)
 
 libs_use_ld_so(xend_t)
 libs_use_shared_libs(xend_t)
@@ -200,6 +208,7 @@
 term_use_console(xenconsoled_t)
 
 init_use_fds(xenconsoled_t)
+init_use_script_ptys(xenconsoled_t)
 
 libs_use_ld_so(xenconsoled_t)
 libs_use_shared_libs(xenconsoled_t)
@@ -238,10 +247,11 @@
 dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 
-term_dontaudit_use_generic_ptys(xenstored_t)
-term_dontaudit_use_console(xenconsoled_t)
+term_use_generic_ptys(xenstored_t)
+term_use_console(xenconsoled_t)
 
 init_use_fds(xenstored_t)
+init_use_script_ptys(xenstored_t)
 
 libs_use_ld_so(xenstored_t)
 libs_use_shared_libs(xenstored_t)
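Review bot: The rewritten line `term_use_console(xenconsoled_t)` sits inside the xenstored_t rule block, but `term_use_console(xenconsoled_t)` already appears in the xenconsoled_t block (the context line at the start of the previous hunk), so this is a duplicate and the domain argument was most likely meant to be xenstored_t. If xenstored needs the console the line should read `term_use_console(xenstored_t)`; if it does not, the original dontaudit line should simply be dropped rather than upgraded to an allow. The mismatch was already present in the removed `term_dontaudit_use_console(xenconsoled_t)` line, so the commit carries a pre-existing copy-paste forward.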

* Latest diffs
@ 2006-06-12 19:32 Daniel J Walsh
  2006-06-12 21:39 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-06-12 19:32 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1233 bytes --]

Fix prelink file context

Add unconfined_domain transition to rpm_script_t,
also moved bootloader transition out of targeted policy ifdef

webalizer wants to do udp.

One last fix for allowing mounting any file on any file.

gfs2 supports extended attributes.
gfs does not, so I am calling them nfs

New version of automount wants new privs.

I am looking into updating prelink cron entry to do restorecon to 
eliminate avc messages, also trying
to get prelink maintainer to modify program which would make this change 
not as important

hplib is communicating with nfs somehow.

proftpd uses a socket to communicate with itself

hald needs nsswitch stuff

krb5kdc needs to read kernel network state.

mysql uses nsswitch

NetworkManager needs to transition to pppd to bring up dialup networking.

ntpd - nsswitch

procmail transition to clamav

pegasus we need to setup a chat with pegasus maintainer.  He wants 
transition from unconfined_t.

pyzor wants to read home dir.

xfs - nsswitch

Fix auditd config files specs

semanage needs additional perms to work with setrans file

merged unconfined_execmem into unconfined.te

remove todo stuff from userdomain.

useradd needs to be able to create user_home_dir_t in mls policy





[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 31681 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.45/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
+++ serefpolicy-2.2.45/config/appconfig-strict-mls/default_type	2006-06-09 15:45:23.000000000 -0400
@@ -2,3 +2,4 @@
 secadm_r:secadm_t
 staff_r:staff_t
 user_r:user_t
+auditadm_r:auditadm_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.45/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/admin/consoletype.te	2006-06-09 15:45:23.000000000 -0400
@@ -8,7 +8,12 @@
 
 type consoletype_t;
 type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+domain_type(consoletype_t)
+domain_entry_file(consoletype_t,consoletype_exec_t)
+role system_r types consoletype_t;
+
 mls_file_read_up(consoletype_t)
 mls_file_write_down(consoletype_t)
 role system_r types consoletype_t;
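Review bot: The added `role system_r types consoletype_t;` duplicates the identical statement that is already the last context line of this hunk, so one of the two should be removed. The commented-out `#init_domain(consoletype_t,consoletype_exec_t)` kept above the replacement is dead text; the intent is already in the comment, which could be made self-explanatory as `# Not an init_domain: initrc must not transition into consoletype_t` and the old call deleted. The hostname.te hunk in this patch makes the same change without the duplicate role line.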
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-2.2.45/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc	2006-01-25 12:52:21.000000000 -0500
+++ serefpolicy-2.2.45/policy/modules/admin/prelink.fc	2006-06-09 15:45:23.000000000 -0400
@@ -3,6 +3,6 @@
 
 /usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
 
-/var/lib/misc/prelink\.*		--	gen_context(system_u:object_r:prelink_cache_t,s0)
+/var/lib/misc/prelink\..*	--	gen_context(system_u:object_r:prelink_cache_t,s0)
 
 /var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.45/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/admin/rpm.te	2006-06-09 15:45:23.000000000 -0400
@@ -341,12 +341,16 @@
 	optional_policy(`
 		mono_domtrans(rpm_script_t)
 	')
-',`
+
 	optional_policy(`
-		bootloader_domtrans(rpm_script_t)
+		unconfined_domtrans(rpm_script_t)
 	')
 ')
 
+optional_policy(`
+	bootloader_domtrans(rpm_script_t)
+')
+
 ifdef(`distro_redhat',`
 	optional_policy(`
 		mta_send_mail(rpm_script_t)
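Review bot: `unconfined_domtrans(rpm_script_t)` is added without a comment, and the commit message only records that the transition was added, not what scriptlet needed it. Because this widens what a package scriptlet can do, a one-line comment such as `# scriptlets exec unconfined_exec_t programs: <trigger — TODO confirm>` would let the next reader judge whether it is still required. The enclosing `ifdef(`targeted_policy'` begins before this hunk, so the transition is targeted-only, which the comment should also say.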
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.45/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te	2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/apps/webalizer.te	2006-06-09 15:45:23.000000000 -0400
@@ -44,6 +44,7 @@
 allow webalizer_t self:unix_dgram_socket sendto;
 allow webalizer_t self:unix_stream_socket connectto;
 allow webalizer_t self:tcp_socket connected_stream_socket_perms;
+allow webalizer_t self:udp_socket { connect connected_socket_perms };
 allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow webalizer_t webalizer_etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.45/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-06-08 23:00:29.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/kernel/files.if	2006-06-09 15:45:23.000000000 -0400
@@ -1931,6 +1931,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
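Review bot: `files_unlink_boot_flag` uses the old plain `#` header while the interface immediately below it, and `files_mounton_all_files` added later in this file, carry the XML `## <summary>`/`## <param>` block that the policy documentation tooling reads, so the new interface will be absent from generated docs. It should get the same block: a summary along the lines of "Delete boot flag files such as /halt and /.autofsck", and a `domain` param entry reading `Domain allowed access.`. The summary should also make clear that the rule is `allow $1 root_t:file unlink;`, i.e. it permits unlinking any file labelled root_t, not only the named flag files.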
@@ -4379,3 +4394,23 @@
 
 	typeattribute $1 files_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Mount a filesystem on all files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_all_files',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	allow $1 { file_type -security_file_type }:dir mounton;
+	allow $1 { file_type -security_file_type }:file mounton;
+')
+
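Review bot: The hunk ends with an added empty line after the closing `')`, leaving a trailing blank line at end of file; it should be dropped to match the rest of the module. The interface itself follows the file's documentation convention. Its summary could mention the exclusion the rules make, e.g. `##	Mount a filesystem on all files except security files.`, since `{ file_type -security_file_type }` is the substantive part of the grant.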
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.45/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/kernel/filesystem.te	2006-06-09 15:45:23.000000000 -0400
@@ -23,7 +23,7 @@
 # Requires that a security xattr handler exist for the filesystem.
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
-fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 
@@ -174,6 +174,7 @@
 genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.45/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-06-06 22:21:53.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/kernel/kernel.te	2006-06-09 15:45:23.000000000 -0400
@@ -28,6 +28,7 @@
 
 ifdef(`enable_mls',`
 	role secadm_r;
+	role auditadm_r;
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.45/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-06-06 22:21:53.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/automount.te	2006-06-09 15:45:23.000000000 -0400
@@ -30,7 +30,7 @@
 
 allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
 dontaudit automount_t self:capability sys_tty_config;
-allow automount_t self:process { signal_perms getpgid setpgid setsched };
+allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
 allow automount_t self:fifo_file rw_file_perms;
 allow automount_t self:unix_stream_socket create_socket_perms;
 allow automount_t self:unix_dgram_socket create_socket_perms;
@@ -58,9 +58,11 @@
 files_pid_filetrans(automount_t,automount_var_run_t,file)
 
 kernel_read_kernel_sysctls(automount_t)
+kernel_read_irq_sysctls(automount_t)
 kernel_read_fs_sysctls(automount_t)
 kernel_read_proc_symlinks(automount_t)
 kernel_read_system_state(automount_t)
+kernel_read_network_state(automount_t)
 kernel_list_proc(automount_t)
 
 files_search_boot(automount_t)
@@ -92,6 +94,7 @@
 dev_read_urand(automount_t)
 
 domain_use_interactive_fds(automount_t)
+domain_dontaudit_read_all_domains_state(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
 files_getattr_all_dirs(automount_t)
@@ -104,11 +107,14 @@
 files_getattr_default_dirs(automount_t)
 # because config files can be shell scripts
 files_exec_etc_files(automount_t)
+files_mounton_mnt(automount_t)
 
 fs_getattr_all_fs(automount_t)
 fs_getattr_all_dirs(automount_t)
 fs_search_auto_mountpoints(automount_t)
 fs_manage_auto_mountpoints(automount_t)
+fs_unmount_autofs(automount_t)
+fs_mount_autofs(automount_t)
 
 term_dontaudit_use_console(automount_t)
 term_dontaudit_getattr_pty_dirs(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.45/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2006-06-06 22:21:53.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/cron.te	2006-06-09 15:45:23.000000000 -0400
@@ -353,6 +353,7 @@
 
 	tunable_policy(`cron_can_relabel',`
 		seutil_domtrans_setfiles(system_crond_t)
+		seutil_domtrans_restorecon(system_crond_t)
 	',`
 		selinux_get_fs_mount(system_crond_t)
 		selinux_validate_context(system_crond_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.45/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-06-08 23:00:30.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/cups.te	2006-06-09 15:45:23.000000000 -0400
@@ -638,6 +638,10 @@
 ')
 
 optional_policy(`
+	mount_send_nfs_client_request(hplip_t)
+')
+
+optional_policy(`
 	udev_read_db(hplip_t)
 ')
 
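Review bot: `mount_send_nfs_client_request(hplip_t)` is added on the strength of "hplib is communicating with nfs somehow" in the commit message, i.e. the cause is not understood. A rule whose reason is unknown should carry that uncertainty in the file, e.g. `# TODO: hplip was observed sending nfs client requests; root cause not identified`, so it is re-examined rather than inherited silently. Until the need is confirmed, a dontaudit of the same access would be the more conservative choice.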
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.45/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/ftp.te	2006-06-09 15:45:23.000000000 -0400
@@ -59,6 +59,7 @@
 
 allow ftpd_t ftpd_var_run_t:file create_file_perms;
 allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
+allow ftpd_t ftpd_var_run_t:sock_file create_file_perms;
 files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
 
 # Create and modify /var/log/xferlog.
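Review bot: The added `allow ftpd_t ftpd_var_run_t:sock_file create_file_perms;` is not matched by the file transition on the next line, `files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)`, which covers only `file`. A socket ftpd creates in the pid directory would therefore be labelled with the directory's type rather than ftpd_var_run_t, and the new allow rule would never apply to it. Extending the transition to `files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file sock_file })` makes the two lines consistent; the same set form is used for `files_tmp_filetrans(..., { file dir })` in selinuxutil.te in this patch.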
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.45/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-06-06 22:21:54.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/hal.te	2006-06-09 15:45:23.000000000 -0400
@@ -140,6 +140,8 @@
 
 sysnet_read_config(hald_t)
 
+auth_use_nsswitch(hald_t)
+
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.2.45/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te	2006-06-06 22:21:54.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/kerberos.te	2006-06-12 11:25:20.000000000 -0400
@@ -188,6 +188,7 @@
 kernel_read_kernel_sysctls(krb5kdc_t)
 kernel_list_proc(krb5kdc_t)
 kernel_read_proc_symlinks(krb5kdc_t)
+kernel_read_network_state(krb5kdc_t)
 
 corenet_non_ipsec_sendrecv(krb5kdc_t)
 corenet_tcp_sendrecv_all_if(krb5kdc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.45/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/mysql.te	2006-06-09 15:45:23.000000000 -0400
@@ -101,7 +101,7 @@
 
 miscfiles_read_localization(mysqld_t)
 
-sysnet_use_ldap(mysqld_t)
+auth_use_nsswitch(mysqld_t)
 sysnet_read_config(mysqld_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.45/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/networkmanager.te	2006-06-11 07:42:46.000000000 -0400
@@ -172,3 +172,7 @@
 	vpn_domtrans(NetworkManager_t)
 	vpn_signal(NetworkManager_t)
 ')
+
+optional_policy(`
+	ppp_domtrans(NetworkManager_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.45/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te	2006-06-06 22:21:55.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/ntp.te	2006-06-09 15:45:23.000000000 -0400
@@ -112,6 +112,8 @@
 
 sysnet_read_config(ntpd_t)
 
+auth_use_nsswitch(ntpd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_sysadm_home_dirs(ntpd_t)
 userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.45/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if	2005-10-25 13:40:18.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/pegasus.if	2006-06-09 15:45:23.000000000 -0400
@@ -1 +1,32 @@
 ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run pegasus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pegasus_domtrans',`
+	gen_require(`
+		type pegasus_t, pegasus_exec_t;
+	')
+
+	ifdef(`targeted_policy',`
+		if(pegasus_disable_trans) {
+			can_exec($1,pegasus_exec_t)
+		} else {
+			domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+		}
+	', `
+		domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+	')
+
+	allow $1 pegasus_t:fd use;
+	allow pegasus_t $1:fd use;
+	allow pegasus_t $1:fifo_file rw_file_perms;
+	allow pegasus_t $1:process sigchld;
+')
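Review bot: `pegasus_domtrans` does not call `corecmd_search_bin($1)` before `domain_auto_trans`, whereas `unconfined_execmem_domtrans` added in the same patch does; without search on the directory holding pegasus_exec_t the caller cannot reach the entry point, so `corecmd_search_bin($1)` (or the sbin variant, depending on where the binary lives) should follow the gen_require. The targeted branch tests `pegasus_disable_trans` without listing it in `gen_require`; whether a `bool pegasus_disable_trans;` entry is required depends on how the other domtrans interfaces in this tree declare it, which is not visible in this hunk.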
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.45/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/pegasus.te	2006-06-09 15:45:23.000000000 -0400
@@ -100,13 +100,12 @@
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
 hostname_exec(pegasus_t)
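Review bot: Replacing `files_read_etc_files`, `files_list_var_lib` and `files_read_var_lib_files` with `files_read_all_files(pegasus_t)`, and adding `auth_read_shadow(pegasus_t)` in the same hunk, turns a network-facing CIM server into a domain that can read every file on the system including the shadow file; the commit message gives no reason beyond the maintainer wanting a transition from unconfined_t, which is a separate change. If particular paths produced denials, the narrower interfaces for those paths should be added instead, and the shadow access at least commented with why `auth_domtrans_chk_passwd` on the line above is not sufficient. If the broad grant is deliberate, a comment saying so, e.g. `# pegasus providers read arbitrary files; TODO narrow`, should accompany it.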
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.45/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2006-06-06 22:21:55.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/procmail.te	2006-06-09 15:45:23.000000000 -0400
@@ -109,3 +109,8 @@
 	spamassassin_exec(procmail_t)
 	spamassassin_exec_client(procmail_t)
 ')
+
+optional_policy(`
+	clamav_domtrans_clamscan(procmail_t)
+')
+
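Review bot: The new `optional_policy` block is followed by an added empty line, leaving a trailing blank line at end of file; drop it. Otherwise the block matches the spamassassin block directly above it.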
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.45/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/pyzor.te	2006-06-09 15:45:23.000000000 -0400
@@ -126,3 +126,7 @@
 optional_policy(`
 	nscd_socket_use(pyzord_t)
 ')
+
+ifdef(`targeted_policy',`
+	userdom_read_generic_user_home_content_files(pyzord_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.45/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te	2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/services/xfs.te	2006-06-09 15:45:23.000000000 -0400
@@ -69,6 +69,8 @@
 miscfiles_read_localization(xfs_t)
 miscfiles_read_fonts(xfs_t)
 
+auth_use_nsswitch(xfs_t)
+
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.2.45/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2006-05-12 09:22:08.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/authlogin.if	2006-06-09 15:45:23.000000000 -0400
@@ -1287,6 +1287,7 @@
 	allow $1 var_auth_t:dir r_dir_perms;
 	allow $1 var_auth_t:file create_file_perms;
 	files_list_var_lib($1)
+	allow $1 self:netlink_route_socket r_netlink_socket_perms;
 
 	sysnet_dns_name_resolve($1)
 	sysnet_use_ldap($1)
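Review bot: The new `allow $1 self:netlink_route_socket r_netlink_socket_perms;` is inserted between `files_list_var_lib($1)` and the sysnet calls, while the file groups raw `allow $1` rules ahead of interface calls (see the `var_auth_t` lines at the top of the hunk); move it up next to those. The enclosing interface begins before this hunk, so its purpose is not visible here, but a short comment such as `# route socket needed for name lookups — TODO confirm` would explain why every caller now gets a self route socket.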
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.45/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2006-03-02 18:45:56.000000000 -0500
+++ serefpolicy-2.2.45/policy/modules/system/hostname.te	2006-06-09 15:45:23.000000000 -0400
@@ -8,7 +8,10 @@
 
 type hostname_t;
 type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+domain_type(hostname_t)
+domain_entry_file(hostname_t,hostname_exec_t)
 role system_r types hostname_t;
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.45/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-06-08 23:00:33.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/init.te	2006-06-09 15:45:23.000000000 -0400
@@ -345,6 +345,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.2.45/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc	2006-02-02 16:12:27.000000000 -0500
+++ serefpolicy-2.2.45/policy/modules/system/logging.fc	2006-06-09 15:45:23.000000000 -0400
@@ -1,9 +1,6 @@
 
 /dev/log			-s	gen_context(system_u:object_r:devlog_t,s0)
 
-/etc/auditd.conf		--	gen_context(system_u:object_r:auditd_etc_t,s0)
-/etc/audit.rules		--	gen_context(system_u:object_r:auditd_etc_t,s0)
-
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
 /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
 /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -39,3 +36,6 @@
 /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
 
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+/etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
+
+
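Review bot: The new `/etc/audit(/.*)?` entry is appended after the `/var/tinydns` line, whereas the file keeps entries in path order (the `/etc/auditd.conf` lines removed in the first hunk sat between `/dev/log` and `/sbin/`); it should be placed back there. The hunk also adds two trailing empty lines at end of file. The context uses `s15:c0.c255` where every other line in the file uses `s0`; a comment such as `# audit configuration is labelled at the high MLS level: <reason — TODO confirm>` would record that the difference is intentional.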
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.45/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/logging.te	2006-06-09 15:45:23.000000000 -0400
@@ -70,6 +70,7 @@
 
 allow auditctl_t etc_t:file { getattr read };
 
+allow auditctl_t auditd_etc_t:dir r_dir_perms;
 allow auditctl_t auditd_etc_t:file r_file_perms;
 
 # Needed for adding watches
@@ -111,6 +112,7 @@
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
 allow auditd_t self:fifo_file rw_file_perms;
 
+allow auditd_t auditd_etc_t:dir r_dir_perms;
 allow auditd_t auditd_etc_t:file r_file_perms;
 
 allow auditd_t auditd_log_t:dir rw_dir_perms;
@@ -123,9 +125,8 @@
 files_pid_filetrans(auditd_t,auditd_var_run_t,file)
 
 kernel_read_kernel_sysctls(auditd_t)
-# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
-# Probably want a transition, and a new auditd_helper app
-kernel_read_system_state(auditd_t)
+kernel_list_proc(auditd_t)
+kernel_read_proc_symlinks(auditd_t)
 
 dev_read_sysfs(auditd_t)
 
@@ -134,11 +135,12 @@
 
 term_dontaudit_use_console(auditd_t)
 
+# cjp: why?
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
 corecmd_exec_sbin(auditd_t)
 corecmd_exec_bin(auditd_t)
-
+kernel_read_system_state(auditd_t)
 
 domain_use_interactive_fds(auditd_t)
 
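Review bot: The added `# cjp: why?` is an open review question committed into the policy source above the dispatcher comment; it should be resolved into an explanation or removed before merge, not shipped. `kernel_read_system_state(auditd_t)` is moved from the kernel_ group in the previous hunk to sit under `corecmd_exec_bin`, presumably to tie it to the dispatcher comment; the file otherwise groups calls by interface prefix, so a comment such as `# moved next to the exec rules because <reason — TODO confirm>` would make the placement intentional rather than accidental.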
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.45/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-06-06 22:21:56.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/mount.te	2006-06-09 15:45:23.000000000 -0400
@@ -111,6 +111,7 @@
 	tunable_policy(`allow_mount_anyfile',`
 		auth_read_all_dirs_except_shadow(mount_t)
 		auth_read_all_files_except_shadow(mount_t)
+		files_mounton_all_files(mount_t)
 	')
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.45/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/selinuxutil.te	2006-06-12 12:06:22.000000000 -0400
@@ -118,6 +118,9 @@
 type semanage_trans_lock_t; 
 files_type(semanage_trans_lock_t)
 
+type semanage_tmp_t; 
+files_tmp_file(semanage_tmp_t)
+
 type setfiles_t, can_relabelto_binary_policy;
 domain_obj_id_change_exemption(setfiles_t)
 domain_type(setfiles_t)
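Review bot: `type semanage_tmp_t; ` copies the trailing whitespace of the `semanage_trans_lock_t` line above it; strip the trailing space from the new line rather than propagating it. The `files_tmp_file` declaration that follows is the usual pattern for a tmp type.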
@@ -531,12 +534,17 @@
 # semodule local policy
 #
 
+allow semanage_t self:capability dac_override;
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 allow semanage_t policy_config_t:file { read write };
 
+allow semanage_t semanage_tmp_t:dir create_dir_perms;
+allow semanage_t semanage_tmp_t:file create_file_perms;
+files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
 
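Review bot: `allow semanage_t self:capability dac_override;` is added with no comment; the commit message says semanage needs extra permissions for the setrans file, but dac_override bypasses every DAC check rather than one file, so a comment such as `# dac_override needed for <file — TODO confirm>` should record why a narrower rule was not possible. The semanage_tmp_t rules follow the usual `files_tmp_filetrans` pattern and need nothing further.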
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.45/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/unconfined.fc	2006-06-09 15:45:23.000000000 -0400
@@ -4,7 +4,9 @@
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
 /usr/bin/vncserver	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
-ifdef(`targeted_policy',`
-/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/lib/openoffice.org.*/program/.*\.bin	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+ifdef(`targeted_policy', `
+/usr/bin/mplayer 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 ')
+
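Review bot: Moving the openoffice and valgrind entries out of `ifdef(`targeted_policy'` makes the file context list reference `unconfined_execmem_exec_t` unconditionally, yet the same patch states in unconfined.if that `unconfined_execmem_domtrans` "has no effect in strict policy" and keeps the execmem local policy in unconfined.te under `ifdef(`targeted_policy'`, which suggests the type exists only in targeted builds. If the type declaration is also under that ifdef (not visible here), a strict build would fail on an undefined type in this .fc, so the two lines should stay inside the ifdef together with the new mplayer entry. The hunk also leaves an added blank line at end of file.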
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.45/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-05-19 13:46:37.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/unconfined.if	2006-06-09 15:45:23.000000000 -0400
@@ -449,3 +449,31 @@
 
 	allow $1 unconfined_t:dbus acquire_svc;
 ')
+
+########################################
+## <summary>
+##	Execute the application that requires dexecmem program in the unconfined_execmem domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_execmem_domtrans',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type unconfined_execmem_t, unconfined_execmem_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
+
+		allow $1 unconfined_execmem_t:fd use;
+		allow unconfined_execmem_t $1:fd use;
+		allow unconfined_execmem_t $1:fifo_file rw_file_perms;
+		allow unconfined_execmem_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
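Review bot: The summary of the new `unconfined_execmem_domtrans` reads `Execute the application that requires dexecmem program in the unconfined_execmem domain.`; "dexecmem" is a typo and the sentence does not parse. Suggest `##	Execute a program that needs execmem in the unconfined_execmem domain.`. The `domain` param text `Domain allowed access.` could follow the wording used by `pegasus_domtrans` in this patch, `Domain allowed to transition.`, which is the more precise description for a domtrans interface.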
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.45/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/unconfined.te	2006-06-09 15:45:23.000000000 -0400
@@ -33,8 +33,6 @@
 	allow unconfined_t self:system syslog_read;
 	dontaudit unconfined_t self:capability sys_module;
 
-	domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
-
 	files_create_boot_flag(unconfined_t)
 
 	init_domtrans_script(unconfined_t)
@@ -114,6 +112,10 @@
 	')
 
 	optional_policy(`
+		unconfined_execmem_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
 		lpd_domtrans_checkpc(unconfined_t)
 	')
 
@@ -180,11 +182,16 @@
 	optional_policy(`
 		xserver_domtrans_xdm_xserver(unconfined_t)
 	')
+
+	optional_policy(`
+		pegasus_domtrans(unconfined_t)
+	')
+
 ')
 
 ########################################
 #
-# Unconfined Execmem Local policy
+# Local policy
 #
 
 ifdef(`targeted_policy',`
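Review bot: Renaming the section heading from `# Unconfined Execmem Local policy` to `# Local policy` loses the only indication that the `ifdef(`targeted_policy'` block below it belongs to the unconfined_execmem domain rather than to unconfined_t; the old heading should be kept now that the execmem rules have been merged into this file. The `optional_policy` wrapper around `pegasus_domtrans(unconfined_t)` matches the xserver block above it. An extra blank line is added before the closing `')`, which the neighbouring blocks do not have.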
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.45/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-06-06 22:21:56.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/userdomain.if	2006-06-12 10:32:05.000000000 -0400
@@ -474,34 +474,6 @@
 		xserver_create_xdm_tmp_sockets($1_t)
 	')
 
-	ifdef(`TODO',`
-	#
-	# Cups daemon running as user tries to write /etc/printcap
-	#
-	dontaudit $1_t usr_t:file setattr;
-
-	# /initrd is left mounted, various programs try to look at it
-	dontaudit $1_t ramfs_t:dir getattr;
-
-	#
-	# Running ifconfig as a user generates the following
-	#
-	dontaudit $1_t sysctl_net_t:dir search;
-
-	r_dir_file($1_t, usercanread)
-
-	# old browser_domain():
-	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
-	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
-	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-
-	allow $1_t usbtty_device_t:chr_file read;
-
-	ifdef(`xdm.te', `
-		allow $1_t xdm_var_lib_t:file r_file_perms;
-	')
-	') dnl endif TODO
-
 ')
 
 #######################################
@@ -4174,7 +4146,7 @@
 	gen_require(`
 		type user_home_dir_t;
 	')
-
+	allow $1 user_home_dir_t:dir manage_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
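Review bot: The blank line that separated the `gen_require` block from the rule body is replaced by `allow $1 user_home_dir_t:dir manage_dir_perms;`, so the gen_require now runs straight into the rules; every other interface in this patch keeps that blank line, and it should be restored above the new allow. The enclosing interface starts before this hunk; since it now grants manage permissions on user_home_dir_t directories rather than only a file transition, its `<summary>` (outside the hunk) should presumably be updated to say so.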
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.45/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.45/policy/modules/system/userdomain.te	2006-06-09 15:45:23.000000000 -0400
@@ -1,11 +1,12 @@
 
-policy_module(userdomain,1.3.27)
+policy_module(userdomain,1.3.26)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
 
 	ifdef(`enable_mls',`
 		role secadm_r;
+		role auditadm_r;
 	')
 ')
 
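Review bot: `policy_module(userdomain,1.3.27)` is changed to `1.3.26`, so the module version goes backwards while the module gains the auditadm role; anyone comparing module versions will see this as older than the already-published 1.3.27, and the decrement looks like a merge artefact. It should be bumped forward, e.g. `policy_module(userdomain,1.3.28)`, not rolled back. The added `role auditadm_r;` in the gen_require is fine.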
@@ -67,6 +68,7 @@
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
 	unconfined_alias_domain(secadm_t)
+	unconfined_alias_domain(auditadm_t)
 	unconfined_alias_domain(sysadm_t)
 
 	# User home directory type.
@@ -82,6 +84,7 @@
 
 	# compatibility for switching from strict
 #	dominance { role secadm_r { role system_r; }}
+#	dominance { role auditadm_r { role system_r; }}
 #	dominance { role sysadm_r { role system_r; }}
 #	dominance { role user_r { role system_r; }}
 #	dominance { role staff_r { role system_r; }}
@@ -105,8 +108,10 @@
 
 	ifdef(`enable_mls',`
 		allow secadm_r system_r;
+		allow auditadm_r system_r;
 		allow secadm_r user_r;
 		allow staff_r secadm_r;
+		allow staff_r auditadm_r;
 	')
 
 	optional_policy(`
@@ -126,9 +131,21 @@
 	role_change(staff, sysadm)
 
 	ifdef(`enable_mls',`
-		admin_user_template(secadm)
+#		admin_user_template(secadm)
+#		admin_user_template(auditadm)
+		unpriv_user_template(secadm)
+		unpriv_user_template(auditadm)
+
+		role_change(staff,auditadm)
 		role_change(staff,secadm)
+
 		role_change(sysadm,secadm)
+		role_change(sysadm,auditadm)
+
+		role_change(auditadm,secadm)
+		role_change(auditadm,sysadm)
+
+		role_change(secadm,auditadm)
 		role_change(secadm,sysadm)
 	')
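Review bot: `admin_user_template(secadm)` is replaced by `unpriv_user_template(secadm)` (and the same for auditadm) with the old calls left commented out; commented-out policy is dead text, and no reason is given for moving the security administrator to the unprivileged template. Either delete the two `#` lines or replace them with a comment stating the reason, e.g. `# secadm/auditadm use unpriv_user_template because <reason — TODO confirm>`. The blank lines grouping the role_change pairs by source role are a readability improvement and can stay.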
 
@@ -172,19 +189,33 @@
 	')
 
 	ifdef(`enable_mls',`
+		allow secadm_t self:capability dac_override;
 		corecmd_exec_shell(secadm_t)
 		mls_process_read_up(secadm_t)
+		mls_file_read_up(secadm_t)
 		mls_file_write_down(secadm_t)
 		mls_file_upgrade(secadm_t)
 		mls_file_downgrade(secadm_t)
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
-		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
-		files_relabel_all_files(secadm_t)
+	        auth_relabel_all_files_except_shadow(secadm_t)
 		auth_relabel_shadow(secadm_t)
+		domain_obj_id_change_exemption(secadm_t)
+	        logging_read_generic_logs(secadm_t)
+
+		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+		domain_kill_all_domains(auditadm_t)
+	        seutil_read_bin_policy(auditadm_t)
+		corecmd_exec_shell(auditadm_t)
+	        logging_read_generic_logs(auditadm_t)
+		logging_manage_audit_log(auditadm_t)
+		logging_manage_audit_config(auditadm_t)
+		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
+		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
 	', `
-		logging_read_audit_log(sysadm_t)
+		logging_manage_audit_log(sysadm_t)
+		logging_manage_audit_config(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
 	')
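Review bot: Several added lines (`auth_relabel_all_files_except_shadow(secadm_t)`, `logging_read_generic_logs(secadm_t)`, `seutil_read_bin_policy(auditadm_t)`, `logging_read_generic_logs(auditadm_t)`) are indented with a tab followed by spaces while the rest of the block uses tabs only; normalise them. `allow secadm_t self:capability dac_override;` is a broad capability added to the MLS security administrator without a comment; a line such as `# dac_override: <reason — TODO confirm>` should justify it. The auditadm_t rules would also read better under a heading comment, e.g. `# auditadm: audit log and audit configuration management`, mirroring the secadm rules above them.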
 
@@ -252,6 +283,7 @@
 
 		ifdef(`enable_mls',`
 			consoletype_exec(secadm_t)
+			consoletype_exec(auditadm_t)
 		')
 	')
 
@@ -270,6 +302,7 @@
 
 		ifdef(`enable_mls',`
 			dmesg_exec(secadm_t)
+			dmesg_exec(auditadm_t)
 		')
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.45/policy/rolemap
--- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
+++ serefpolicy-2.2.45/policy/rolemap	2006-06-09 15:45:23.000000000 -0400
@@ -15,5 +15,6 @@
 
 	ifdef(`enable_mls',`
 		secadm_r secadm secadm_t
+		auditadm_r auditadm auditadm_t
 	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.2.45/policy/support/misc_macros.spt
--- nsaserefpolicy/policy/support/misc_macros.spt	2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.45/policy/support/misc_macros.spt	2006-06-09 15:45:23.000000000 -0400
@@ -37,7 +37,7 @@
 #
 # gen_context(context,mls_sensitivity,[mcs_categories])
 #
-define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
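Review bot: The only change in this hunk is a space inserted between `')` and `dnl`, and m4 emits that space into the output, because `dnl` discards only the text after itself while the define expands to nothing; the processed policy now carries a stray space at this point. It looks accidental rather than intended, since the cover text does not mention misc_macros.spt, and it is probably harmless to checkpolicy, but dropping it keeps the diff to its purpose: `define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl`.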
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.45/policy/users
--- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
+++ serefpolicy-2.2.45/policy/users	2006-06-09 15:45:23.000000000 -0400
@@ -29,7 +29,7 @@
 gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
@@ -44,8 +44,8 @@
 	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')
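Review bot: After this change the same staff_u and root identities are authorized for sysadm_r, secadm_r and auditadm_r at once (this hunk and L8361-L8368), and the userdomain.te hunk at L9143-L9164 adds `role_change` in every direction between those three roles. Under MLS the three roles exist to separate system, security and audit administration, so once a single identity may hold all of them the separation rests on role-change authentication and the audit trail rather than on what the policy authorizes; a deployment wanting real separation presumably needs distinct users per role — worth confirming that this is the intended default. A comment on the `gen_user` lines saying that the full role set is the permissive default and that sites should split the roles across users would make that explicit.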

* Latest diffs
@ 2006-05-18 15:56 Daniel J Walsh
From: Daniel J Walsh @ 2006-05-18 15:56 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1765 bytes --]

Add boolean allow_nfsd_anon_write so it can write to public_content_rw_t

Stop transition to consoletype from initrc_t.  Maybe we need an 
ifdef(targeted_policy)  But hostname and consoletype transitioning is a 
pain in the but.  Lots of init scripts do stuff like

consoletype >> MYLOG.log

prelink needs to be able to change the context even if the user part is 
different.

Added unconfined_execmem_exec_t so that I can change the global 
allow_execmem to off.  OpenOffice, valgrind and mplayer need it.  
Probably could eliminate java, and wine domain and change to this.

Additinional dontaudit for ioctl on terminals

Fixes for amavis domain

named needs access to ldap when running with nss_ldap  (Seems lots of 
domains need this if you set up nss_ldap.)

Allow bluetooth helper access to users homedir and tmp files.

cupsd_lpd_t wants to look at the routing table and communicate with the 
cupsd socket

Want to label cvs and rsync as being executables so sysadm_r can run 
them.  (No transition).

Hal wants to look at the kernel image file

nfs needs access to rand/urand probably caused by nss_ldap.

xfs wants to execute itself if it has greater than 10 displays.

xdm is creating .Xauthority file with wrong context.

auditadm_r which is running as SystemHigh wants to be able to restart 
auditd through init scripts.  So it needs to be able to 
mls_range_transition run_init down to SystemLow-SystemHigh

Major bug in that we were not running semanage and setsebool as 
semanage_t.  This is what is causing the mislabeled 
/etc/selinux/targeted/modules directory

semanage_t needed fixes so that setsebool and semanage could run.

More fixes for xen domain.

auditadm_ stuff, but I agree that this is still in flux so don't add it.


















[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 32260 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.41/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
+++ serefpolicy-2.2.41/config/appconfig-strict-mls/default_type	2006-05-18 11:41:22.000000000 -0400
@@ -2,3 +2,4 @@
 secadm_r:secadm_t
 staff_r:staff_t
 user_r:user_t
+auditadm_r:auditadm_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.41/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/global_tunables	2006-05-18 11:41:22.000000000 -0400
@@ -73,6 +73,14 @@
 
 ## <desc>
 ## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_nfsd_anon_write,false)
+
+## <desc>
+## <p>
 ## Allow java executable stack
 ## </p>
 ## </desc>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.41/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-04-04 18:06:37.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/admin/consoletype.te	2006-05-18 11:41:22.000000000 -0400
@@ -8,7 +8,12 @@
 
 type consoletype_t;
 type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+domain_type(consoletype_t)
+domain_entry_file(consoletype_t,consoletype_exec_t)
+role system_r types consoletype_t;
+
 mls_file_read_up(consoletype_t)
 mls_file_write_down(consoletype_t)
 role system_r types consoletype_t;
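Review bot: The added `role system_r types consoletype_t;` duplicates the existing declaration two lines below; drop one of them. The commented-out `#init_domain(consoletype_t,consoletype_exec_t)` line is dead code — the `#dont transition from initrc` comment carries the intent on its own, and the equivalent replacement in hostname.te (L8918-L8928) manages without it. Whether `init_domain()` in this tree provided the initrc_t transition or only the init_t one is not visible in the hunk; if it is the latter, the comment describes the wrong thing and should say which transition was dropped.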
@@ -107,3 +112,12 @@
 optional_policy(`
 	userdom_use_unpriv_users_fds(consoletype_t)
 ')
+
+optional_policy(`
+	xen_append_log(consoletype_t)
+	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
+	kernel_read_xen_state(consoletype_t)
+	kernel_write_xen_state(consoletype_t)
+
+')
+
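Review bot: `kernel_write_xen_state(consoletype_t)` gives a short-lived helper that only reports the console type write access to xen kernel state, which is wider than its job; if the denials come from descriptors inherited from xend (which this series makes transition into consoletype_t at L9245-L9247), a dontaudit, or closing the descriptors in the caller, would be the least-privilege fix. The same read/write pair is added for dhcpc_t and ifconfig_t at L9075-L9090, so the question applies there too. Also, the `kernel_*` interfaces belong to a module that is always present and need not sit inside `optional_policy`, and the block ends with a stray blank line before `')` plus a trailing blank line at end of file.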
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.41/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/admin/prelink.te	2006-05-18 11:41:22.000000000 -0400
@@ -48,6 +48,8 @@
 corecmd_mmap_all_executables(prelink_t)
 corecmd_read_sbin_symlinks(prelink_t)
 
+domain_obj_id_change_exemption(prelink_t)
+
 dev_read_urand(prelink_t)
 
 files_list_all(prelink_t)
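Review bot: `domain_obj_id_change_exemption(prelink_t)` lets prelink set file contexts whose SELinux user differs from its own, an exemption that elsewhere in this tree gets a one-line justification; the cover text explains the need (prelink must restore contexts whose user part differs) but the code does not. Suggest `# prelink rewrites binaries owned by other SELinux users and must restore their full context` above the call.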
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.fc
--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.fc	2006-05-18 11:41:22.000000000 -0400
@@ -0,0 +1,3 @@
+/usr/lib/openoffice.org.*/program/.*\.bin	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mplayer 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
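Review bot: In `/usr/lib/openoffice.org.*/program/.*\.bin` the dot in `openoffice.org` is unescaped and so matches any character; file context patterns elsewhere in this series escape literal dots (`amavisd\.log`, `xend\.pid`). Change it to `/usr/lib/openoffice\.org.*/program/.*\.bin`. The valgrind and mplayer lines also carry a trailing space before the tab.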
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.if serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.if
--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.if	2006-05-18 11:41:22.000000000 -0400
@@ -0,0 +1,29 @@
+## <summary>Unconfined domain with execmem/execstack privs</summary>
+
+########################################
+## <summary>
+##	Execute the application that requires dexecmem program in the unconfined_execmem domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_execmem_domtrans',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type unconfined_execmem_t, unconfined_execmem_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
+
+		allow $1 unconfined_execmem_t:fd use;
+		allow unconfined_execmem_t $1:fd use;
+		allow unconfined_execmem_t $1:fifo_file rw_file_perms;
+		allow unconfined_execmem_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
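Review bot: The summary reads `Execute the application that requires dexecmem program`; `dexecmem` is a typo for `execmem` and the sentence does not parse. Suggest `Execute a program that needs execmem/execstack in the unconfined_execmem domain; has no effect in strict policy.`, so the strict-policy no-op announced by the `errprint` branch is visible in the generated interface documentation.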
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.te serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.te
--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.te	2006-05-18 11:41:42.000000000 -0400
@@ -0,0 +1,21 @@
+
+policy_module(unconfined_execmem,1.1.2)
+
+########################################
+#
+# Declarations
+#
+
+type unconfined_execmem_t;
+type unconfined_execmem_exec_t;
+init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow unconfined_execmem_t self:process { execstack execmem };
+	unconfined_domain_noaudit(unconfined_execmem_t)
+')
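Review bot: `policy_module(unconfined_execmem,1.1.2)` starts a brand-new module at version 1.1.2, whereas new modules conventionally begin at 1.0.0, and the file opens with a blank line before the `policy_module` call. Outside `targeted_policy` the type pair is still declared through `init_system_domain` but receives no rules, so files matched by the new .fc entries would carry an entry type nothing can transition through — acceptable if intended, but a short comment above the `ifdef` would save the next reader the question.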
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.41/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-05-12 09:22:08.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/kernel/files.if	2006-05-18 11:41:22.000000000 -0400
@@ -1882,6 +1882,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
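Review bot: The new `files_unlink_boot_flag` interface is documented with a plain `#` header instead of the `## <summary>`/`## <param>` XML block the neighbouring interface uses, so it will be missing from the generated interface documentation. The permission granted is `unlink` on every file labeled `root_t`, not only /halt and /.autofsck; stating that in the summary, e.g. `Delete boot-flag files such as /halt and /.autofsck; this covers any file labeled root_t`, keeps callers honest about what they grant. There are also two blank lines before the following header where the file uses one.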
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.41/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-04-29 11:17:34.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/kernel/kernel.te	2006-05-18 11:41:22.000000000 -0400
@@ -28,6 +28,7 @@
 
 ifdef(`enable_mls',`
 	role secadm_r;
+	role auditadm_r;
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.41/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/kernel/mls.te	2006-05-18 11:41:22.000000000 -0400
@@ -64,4 +64,5 @@
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 range_transition initrc_t setrans_exec_t s15:c0.c255;
+range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
 ')
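Review bot: `range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;` is not limited to the auditadm case described in the cover text: every run_init invocation, from any role, now starts initrc_t at the full system range regardless of the caller's clearance. Together with `mls_rangetrans_source(run_init_t)` (L8995) and `mls_rangetrans_target(initrc_t)` (L8945) this appears to be the whole mechanism, so a comment here naming the rationale would help, e.g. `# run_init from a SystemHigh admin shell must start services at the full system range`.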
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.41/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-04-26 11:23:32.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/kernel/terminal.if	2006-05-18 11:41:22.000000000 -0400
@@ -430,7 +430,7 @@
 		type devpts_t;
 	')
 
-	dontaudit $1 devpts_t:chr_file { getattr read write };
+	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-2.2.41/policy/modules/services/amavis.fc
--- nsaserefpolicy/policy/modules/services/amavis.fc	2006-03-07 16:19:28.000000000 -0500
+++ serefpolicy-2.2.41/policy/modules/services/amavis.fc	2006-05-18 11:41:22.000000000 -0400
@@ -9,3 +9,4 @@
 /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
 /var/run/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_run_t,s0)
 /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
+/var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.41/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te	2006-05-05 16:44:48.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/amavis.te	2006-05-18 11:41:22.000000000 -0400
@@ -31,6 +31,9 @@
 type amavis_tmp_t;
 files_tmp_file(amavis_tmp_t)
 
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
 # virus quarantine
 type amavis_quarantine_t;
 files_type(amavis_quarantine_t)
@@ -40,7 +43,7 @@
 # amavis local policy
 #
 
-allow amavis_t self:capability { chown dac_override setgid setuid };
+allow amavis_t self:capability { kill chown dac_override setgid setuid };
 dontaudit amavis_t self:capability sys_tty_config;
 allow amavis_t self:process { signal sigchld signull };
 allow amavis_t self:fifo_file rw_file_perms;
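Review bot: `{ kill chown dac_override setgid setuid }` breaks the alphabetical order the permission set kept before the change; `{ chown dac_override kill setgid setuid }` matches the tree's convention. Similarly, the `kernel_read_kernel_sysctls(amavis_t)` added at L8717 lands between the cron_* and mta_* calls instead of with the other kernel_* interfaces near the top of the local policy.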
@@ -70,6 +73,11 @@
 files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
 files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
 
+# Spool Files
+files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
+allow amavis_t amavis_spool_t:dir manage_dir_perms;
+allow amavis_t amavis_spool_t:file manage_file_perms;
+
 # log files
 allow amavis_t amavis_var_log_t:file create_file_perms;
 allow amavis_t amavis_var_log_t:sock_file create_file_perms;
@@ -84,6 +92,7 @@
 
 # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 kernel_dontaudit_list_proc(amavis_t)
+kernel_dontaudit_read_system_state(amavis_t)
 
 # find perl
 corecmd_exec_bin(amavis_t)
@@ -115,6 +124,7 @@
 
 init_use_fds(amavis_t)
 init_use_script_ptys(amavis_t)
+init_stream_connect_script(amavis_t)
 
 libs_use_ld_so(amavis_t)
 libs_use_shared_libs(amavis_t)
@@ -132,10 +142,15 @@
 cron_use_system_job_fds(amavis_t)
 cron_rw_pipes(amavis_t)
 
+kernel_read_kernel_sysctls(amavis_t)
+
 mta_read_config(amavis_t)
 
+term_dontaudit_use_generic_ptys(amavis_t)
+
 optional_policy(`
 	clamav_stream_connect(amavis_t)
+	clamav_domtrans_clamscan(amavis_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.2.41/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te	2006-05-17 16:57:08.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/bind.te	2006-05-18 11:41:22.000000000 -0400
@@ -125,6 +125,8 @@
 
 domain_use_interactive_fds(named_t)
 
+dev_read_urand(named_t)
+
 files_read_etc_files(named_t)
 files_read_etc_runtime_files(named_t)
 
@@ -137,6 +139,7 @@
 logging_send_syslog_msg(named_t)
 
 miscfiles_read_localization(named_t)
+miscfiles_read_certs(named_t)
 
 sysnet_read_config(named_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.41/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/bluetooth.te	2006-05-18 11:41:22.000000000 -0400
@@ -218,13 +218,14 @@
 
 	unconfined_stream_connect(bluetooth_helper_t)
 
-	userdom_read_all_users_home_content_files(bluetooth_helper_t)
+	userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
 
 	optional_policy(`
 		xserver_stream_connect_xdm(bluetooth_helper_t)
 		xserver_use_xdm_fds(bluetooth_helper_t)
 		xserver_rw_xdm_pipes(bluetooth_helper_t)
 	')
+	files_manage_generic_tmp_files(bluetooth_helper_t)
 ')
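Review bot: Replacing `userdom_read_all_users_home_content_files` with `userdom_manage_generic_user_home_content_files` moves bluetooth_helper_t from reading home content to creating, writing and deleting it, and `files_manage_generic_tmp_files` does the same for everything of the generic tmp type; that is a large surface for a helper whose stated need is access to received files. If the need is file transfer, a dedicated content type, or at least a comment naming the helper and operation that needs write access, would keep the grant reviewable. The `files_manage_generic_tmp_files` call also sits after the xserver `optional_policy` block instead of with the other files_* calls.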
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.41/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-05-04 16:43:40.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/cups.te	2006-05-18 11:41:22.000000000 -0400
@@ -672,6 +672,7 @@
 allow cupsd_lpd_t self:fifo_file rw_file_perms;
 allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
 allow cupsd_lpd_t self:udp_socket create_socket_perms;
+allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 # for identd
 # cjp: this should probably only be inetd_child rules?
@@ -699,6 +700,8 @@
 allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
 allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
 
+cups_stream_connect(cupsd_lpd_t)
+
 kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
 kernel_read_network_state(cupsd_lpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.41/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te	2006-03-24 11:15:50.000000000 -0500
+++ serefpolicy-2.2.41/policy/modules/services/cvs.te	2006-05-18 11:41:22.000000000 -0400
@@ -8,6 +8,7 @@
 
 type cvs_t;
 type cvs_exec_t;
+corecmd_executable_file(cvs_exec_t)
 inetd_tcp_service_domain(cvs_t,cvs_exec_t)
 role system_r types cvs_t;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.41/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/hal.te	2006-05-18 11:41:22.000000000 -0400
@@ -93,6 +93,7 @@
 # hal is now execing pm-suspend
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
+files_read_kernel_img(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.2.41/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc	2006-05-12 09:22:08.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/pyzor.fc	2006-05-18 11:41:22.000000000 -0400
@@ -5,3 +5,7 @@
 
 /var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
 /var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
+ifdef(`strict_policy',`
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.41/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/rpc.te	2006-05-18 11:41:22.000000000 -0400
@@ -65,6 +65,8 @@
 files_manage_mounttab(rpcd_t)
 
 miscfiles_read_certs(rpcd_t)
+dev_read_urand(rpcd_t)
+dev_read_rand(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
 
@@ -114,6 +116,12 @@
 portmap_tcp_connect(nfsd_t) 
 portmap_udp_chat(nfsd_t)
 
+# Access to public_content_t and public_content_rw_t
+miscfiles_read_public_files(nfsd_t)
+tunable_policy(`allow_nfsd_anon_write',`
+	miscfiles_manage_public_files(nfsd_t)
+') 
+
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
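Review bot: The line closing the new tunable block, `') `, carries a trailing space, and the `dev_read_urand`/`dev_read_rand` pair in the earlier hunk (L8824-L8832) is placed after `miscfiles_read_certs` where the tree keeps dev_* calls with the kernel-layer interfaces. The gating itself is sound: public write stays behind `allow_nfsd_anon_write`, which global_tunables declares with a default of false (L8484).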
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.41/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2006-04-28 14:40:40.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/rsync.te	2006-05-18 11:41:22.000000000 -0400
@@ -8,6 +8,7 @@
 
 type rsync_t;
 type rsync_exec_t;
+corecmd_executable_file(rsync_exec_t)
 init_daemon_domain(rsync_t,rsync_exec_t)
 role system_r types rsync_t;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.if serefpolicy-2.2.41/policy/modules/services/xfs.if
--- nsaserefpolicy/policy/modules/services/xfs.if	2006-02-10 17:05:19.000000000 -0500
+++ serefpolicy-2.2.41/policy/modules/services/xfs.if	2006-05-18 11:41:22.000000000 -0400
@@ -41,3 +41,22 @@
 	allow $1 xfs_tmp_t:sock_file write;
 	allow $1 xfs_t:unix_stream_socket connectto;
 ')
+
+
+########################################
+## <summary>
+##	Allow the specified domain to execute xfs
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xfs_exec',`
+	gen_require(`
+		type xfs_exec_t;
+	')
+	can_exec($1,xfs_exec_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.41/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/xfs.te	2006-05-18 11:41:22.000000000 -0400
@@ -34,6 +34,7 @@
 allow xfs_t xfs_var_run_t:file create_file_perms;
 allow xfs_t xfs_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(xfs_t,xfs_var_run_t,file)
+xfs_exec(xfs_t)
 
 # Bind to /tmp/.font-unix/fs-1.
 # cjp: I do not believe this has an effect.
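Review bot: `xfs_exec(xfs_t)` calls the module's own interface from its own .te, where the tree writes the rule directly (`can_exec(xfs_t,xfs_exec_t)`); interfaces are for other modules. A comment would also help, e.g. `# xfs re-executes itself when serving more than 10 displays`, which the cover text states and the code does not. The new interface in xfs.if (L8860-L8882) has two blank lines before its header and no blank line between the `gen_require` block and the rule.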
@@ -49,6 +50,8 @@
 
 term_dontaudit_use_console(xfs_t)
 
+corecmd_list_bin(xfs_t)
+corecmd_list_sbin(xfs_t)
 domain_use_interactive_fds(xfs_t)
 
 files_read_etc_files(xfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.2.41/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2006-04-19 17:43:32.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/services/xserver.te	2006-05-18 11:41:22.000000000 -0400
@@ -311,6 +311,8 @@
 	allow xdm_t self:process { execheap execmem };
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
+	userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
+
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
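Review bot: `{file dir }` in the new filetrans call has inconsistent brace spacing (`{ file dir }` elsewhere in this series), and the added blank line before `')` is unusual for the tree. The call makes xdm_t create generic user home content inside user home directories, which the cover text attributes to .Xauthority being created with the wrong context; a comment such as `# .Xauthority created in the user's home directory` above it would tie the rule to its purpose.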
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.41/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2006-03-02 18:45:56.000000000 -0500
+++ serefpolicy-2.2.41/policy/modules/system/hostname.te	2006-05-18 11:41:22.000000000 -0400
@@ -8,7 +8,10 @@
 
 type hostname_t;
 type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+domain_type(hostname_t)
+domain_entry_file(hostname_t,hostname_exec_t)
 role system_r types hostname_t;
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.41/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-05-12 16:31:53.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/init.te	2006-05-18 11:41:22.000000000 -0400
@@ -350,6 +350,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
@@ -374,6 +375,7 @@
 mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
+mls_rangetrans_target(initrc_t)
 
 modutils_read_module_config(initrc_t)
 modutils_domtrans_insmod(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.41/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/logging.te	2006-05-18 11:41:22.000000000 -0400
@@ -14,10 +14,14 @@
 role system_r types auditctl_t;
 
 type auditd_etc_t;
+ifdef(`enable_mls',`', `
 files_security_file(auditd_etc_t)
+')
 
 type auditd_log_t;
+ifdef(`enable_mls',`', `
 files_security_file(auditd_log_t)
+')
 
 type auditd_t;
 # real declaration moved to mls until
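Review bot: `ifdef(`enable_mls',`', `` with an empty true branch silently drops `files_security_file` from auditd_etc_t and auditd_log_t under MLS, and nothing says why. Presumably it is so the audit config and log are no longer reachable through the security-file interfaces that secadm_t holds, leaving them to auditadm_r — confirm — and that deserves a comment, e.g. `# under MLS the audit log and config are managed by auditadm_r, not through the security-file interfaces`.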
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.41/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/selinuxutil.fc	2006-05-18 11:41:22.000000000 -0400
@@ -37,6 +37,8 @@
 /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
 /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
 /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.41/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/selinuxutil.te	2006-05-18 11:41:22.000000000 -0400
@@ -447,7 +447,7 @@
 
 logging_send_syslog_msg(restorecond_t)
 
-miscfiles_read_localization(run_init_t)
+miscfiles_read_localization(restorecond_t)
 
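Review bot: Changing the argument from run_init_t to restorecond_t corrects the misplaced call for restorecond, but it also removes `miscfiles_read_localization` from run_init_t, and whether run_init_t receives it elsewhere is not visible in this hunk. If it does not, run_init loses locale file access and needs its own `miscfiles_read_localization(run_init_t)` in the run_init block below (L8991-L8999).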
 #################################
 #
@@ -461,6 +461,8 @@
 selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)
 
+mls_rangetrans_source(run_init_t)
+
 ifdef(`direct_sysadm_daemon',`',`
 	ifdef(`distro_gentoo',`
 		# Gentoo integrated run_init:
@@ -526,6 +528,8 @@
 #
 
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
+allow semanage_t self:unix_dgram_socket create_socket_perms;
+allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 allow semanage_t policy_config_t:file { read write };
 
@@ -535,10 +539,18 @@
 corecmd_exec_bin(semanage_t)
 corecmd_exec_sbin(semanage_t)
 
+dev_read_urand(semanage_t)
+
 files_read_etc_files(semanage_t)
 files_read_usr_files(semanage_t)
 files_list_pids(semanage_t)
 
+logging_send_syslog_msg(semanage_t)
+
+miscfiles_read_localization(semanage_t)
+
+selinux_set_boolean(semanage_t)
+
 mls_file_write_down(semanage_t)
 mls_rangetrans_target(semanage_t)
 mls_file_read_up(semanage_t)
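Review bot: `miscfiles_read_localization(semanage_t)` is moved from after the libs_* calls (removed at L9028-L9036) to before the mls_* calls, with `logging_send_syslog_msg` and `selinux_set_boolean` inserted there as well; the tree orders kernel-layer interfaces (dev_, files_, mls_, selinux_) before system-layer ones (libs_, logging_, miscfiles_, seutil_), so the original position was the conventional one. The L9037-L9050 hunk likewise swaps `files_read_generic_tmp_files` and `userdom_read_generic_user_home_content_files` for no functional reason and against that order. `selinux_set_boolean(semanage_t)` is the substantive addition (setsebool now runs as semanage_t per the .fc change) and could carry a comment saying so.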
@@ -551,8 +563,6 @@
 libs_use_shared_libs(semanage_t)
 libs_use_lib_files(semanage_t)
 
-miscfiles_read_localization(semanage_t)
-
 seutil_search_default_contexts(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_selinux_config(semanage_t)
@@ -565,10 +575,12 @@
 seutil_get_semanage_trans_lock(semanage_t)
 seutil_get_semanage_read_lock(semanage_t)
 
+userdom_search_sysadm_home_dirs(semanage_t)
+
 ifdef(`targeted_policy',`
 # Handle pp files created in homedir and /tmp
-	files_read_generic_tmp_files(semanage_t)
 	userdom_read_generic_user_home_content_files(semanage_t)
+	files_read_generic_tmp_files(semanage_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.2.41/policy/modules/system/setrans.te
--- nsaserefpolicy/policy/modules/system/setrans.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/setrans.te	2006-05-18 11:41:22.000000000 -0400
@@ -23,7 +23,8 @@
 # setrans local policy
 #
 
-allow setrans_t self:process { setcap signal_perms };
+allow setrans_t self:capability sys_resource;
+allow setrans_t self:process { setrlimit setcap signal_perms };
 allow setrans_t self:unix_stream_socket create_stream_socket_perms;
 allow setrans_t self:unix_dgram_socket create_socket_perms;
 allow setrans_t self:netlink_selinux_socket create_socket_perms;
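Review bot: `allow setrans_t self:capability sys_resource;` and the added `setrlimit` arrive without a note on which limit the setrans daemon raises; sys_resource is the capability that lets a process exceed its hard limits, so a one-line reason keeps the grant reviewable, e.g. `# setrans raises its resource limits at startup` with the specific limit filled in from the audit record that prompted the change.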
@@ -57,6 +58,7 @@
 term_dontaudit_use_generic_ptys(setrans_t)
 
 init_use_fds(setrans_t)
+init_dontaudit_use_script_ptys(setrans_t)
 
 libs_use_ld_so(setrans_t)
 libs_use_shared_libs(setrans_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.41/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-05-17 16:57:08.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/sysnetwork.te	2006-05-18 11:41:22.000000000 -0400
@@ -249,6 +249,8 @@
 optional_policy(`
 	xen_append_log(dhcpc_t)
 	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
+	kernel_read_xen_state(dhcpc_t)
+	kernel_write_xen_state(dhcpc_t)
 ')
 
 ########################################
@@ -351,4 +353,6 @@
 optional_policy(`
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+	kernel_read_xen_state(ifconfig_t)
+	kernel_write_xen_state(ifconfig_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.41/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/unconfined.te	2006-05-18 11:41:22.000000000 -0400
@@ -107,6 +107,10 @@
 	')
 
 	optional_policy(`
+		unconfined_execmem_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
 		lpd_domtrans_checkpc(unconfined_t)
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.41/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-05-17 10:54:31.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/userdomain.te	2006-05-18 11:41:22.000000000 -0400
@@ -6,6 +6,7 @@
 
 	ifdef(`enable_mls',`
 		role secadm_r;
+		role auditadm_r;
 	')
 ')
 
@@ -67,6 +68,7 @@
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
 	unconfined_alias_domain(secadm_t)
+	unconfined_alias_domain(auditadm_t)
 	unconfined_alias_domain(sysadm_t)
 
 	# User home directory type.
@@ -82,6 +84,7 @@
 
 	# compatibility for switching from strict
 #	dominance { role secadm_r { role system_r; }}
+#	dominance { role auditadm_r { role system_r; }}
 #	dominance { role sysadm_r { role system_r; }}
 #	dominance { role user_r { role system_r; }}
 #	dominance { role staff_r { role system_r; }}
@@ -105,8 +108,10 @@
 
 	ifdef(`enable_mls',`
 		allow secadm_r system_r;
+		allow auditadm_r system_r;
 		allow secadm_r user_r;
 		allow staff_r secadm_r;
+		allow staff_r auditadm_r;
 	')
 
 	optional_policy(`
@@ -126,9 +131,21 @@
 	role_change(staff, sysadm)
 
 	ifdef(`enable_mls',`
-		admin_user_template(secadm)
+#		admin_user_template(secadm)
+#		admin_user_template(auditadm)
+		unpriv_user_template(secadm)
+		unpriv_user_template(auditadm)
+
+		role_change(staff,auditadm)
 		role_change(staff,secadm)
+
 		role_change(sysadm,secadm)
+		role_change(sysadm,auditadm)
+
+		role_change(auditadm,secadm)
+		role_change(auditadm,sysadm)
+
+		role_change(secadm,auditadm)
 		role_change(secadm,sysadm)
 	')
 
@@ -172,19 +189,33 @@
 	')
 
 	ifdef(`enable_mls',`
+		allow secadm_t self:capability dac_override;
 		corecmd_exec_shell(secadm_t)
 		mls_process_read_up(secadm_t)
+		mls_file_read_up(secadm_t)
 		mls_file_write_down(secadm_t)
 		mls_file_upgrade(secadm_t)
 		mls_file_downgrade(secadm_t)
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
-		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
-		files_relabel_all_files(secadm_t)
+	        auth_relabel_all_files_except_shadow(secadm_t)
 		auth_relabel_shadow(secadm_t)
+		domain_obj_id_change_exemption(secadm_t)
+	        logging_read_generic_logs(secadm_t)
+
+		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+		domain_kill_all_domains(auditadm_t)
+	        seutil_read_bin_policy(auditadm_t)
+		corecmd_exec_shell(auditadm_t)
+	        logging_read_generic_logs(auditadm_t)
+		logging_manage_audit_log(auditadm_t)
+		logging_manage_audit_config(auditadm_t)
+		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
+		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
 	', `
-		logging_read_audit_log(sysadm_t)
+		logging_manage_audit_log(sysadm_t)
+		logging_manage_audit_config(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
 	')
 
@@ -248,6 +279,7 @@
 
 		ifdef(`enable_mls',`
 			consoletype_exec(secadm_t)
+			consoletype_exec(auditadm_t)
 		')
 	')
 
@@ -266,6 +298,7 @@
 
 		ifdef(`enable_mls',`
 			dmesg_exec(secadm_t)
+			dmesg_exec(auditadm_t)
 		')
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.41/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc	2006-05-03 16:01:26.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/xen.fc	2006-05-18 11:41:22.000000000 -0400
@@ -13,5 +13,6 @@
 
 /var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
 /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.41/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2006-05-03 16:01:26.000000000 -0400
+++ serefpolicy-2.2.41/policy/modules/system/xen.te	2006-05-18 11:41:22.000000000 -0400
@@ -77,7 +77,7 @@
 # pid file
 allow xend_t xend_var_run_t:file manage_file_perms;
 allow xend_t xend_var_run_t:sock_file manage_file_perms;
-allow xend_t xend_var_run_t:dir rw_dir_perms;
+allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
 files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
 
 # log files
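Review bot: Adding `setattr` on `xend_var_run_t:dir` suggests xend now changes attributes of the /var/run/xend directory that xen.fc labels in this patch, but `files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })` on the next line still omits `dir`; if xend creates that directory at runtime it will get the parent's label and the new rule will not apply. If the directory is only ever created by the package and restorecon, the change as written is sufficient and a short comment saying so would settle the question.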
@@ -92,6 +92,10 @@
 allow xend_t xend_var_lib_t:dir create_dir_perms;
 files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
 
+optional_policy(`
+	consoletype_domtrans(xend_t)
+')
+
 # transition to store
 domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
 allow xenstored_t xend_t:fd use;
@@ -153,8 +157,6 @@
 sysnet_delete_dhcpc_pid(xend_t)
 sysnet_read_dhcpc_pid(xend_t)
 
-consoletype_exec(xend_t)
-
 xen_stream_connect_xenstore(xend_t)
 
 ########################################
@@ -180,6 +182,7 @@
 
 term_create_pty(xenconsoled_t,xen_devpts_t);
 term_dontaudit_use_generic_ptys(xenconsoled_t)
+term_use_console(xenconsoled_t)
 
 init_use_fds(xenconsoled_t)
 
@@ -198,6 +201,7 @@
 
 allow xenstored_t self:capability { dac_override mknod ipc_lock };
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
 # pid file
 allow xenstored_t xenstored_var_run_t:file manage_file_perms;
@@ -220,12 +224,15 @@
 dev_rw_xen(xenstored_t)
 
 term_dontaudit_use_generic_ptys(xenstored_t)
+term_dontaudit_use_console(xenconsoled_t)
 
 init_use_fds(xenstored_t)
 
 libs_use_ld_so(xenstored_t)
 libs_use_shared_libs(xenstored_t)
 
+logging_send_syslog_msg(xenstored_t)
+
 miscfiles_read_localization(xenstored_t)
 
 xen_append_log(xenstored_t)
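Review bot: `term_dontaudit_use_console(xenconsoled_t)` is added inside the xenstored_t rule block, directly under `term_dontaudit_use_generic_ptys(xenstored_t)`, and xenconsoled_t is already granted `term_use_console` earlier in this patch, which makes a dontaudit for it redundant. This looks like a copy-paste of the wrong domain name; the intended line is presumably `term_dontaudit_use_console(xenstored_t)`.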
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.41/policy/rolemap
--- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
+++ serefpolicy-2.2.41/policy/rolemap	2006-05-18 11:41:22.000000000 -0400
@@ -15,5 +15,6 @@
 
 	ifdef(`enable_mls',`
 		secadm_r secadm secadm_t
+		auditadm_r auditadm auditadm_t
 	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.41/policy/users
--- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
+++ serefpolicy-2.2.41/policy/users	2006-05-18 11:41:22.000000000 -0400
@@ -29,7 +29,7 @@
 gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
@@ -44,8 +44,8 @@
 	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')

* RE: Latest diffs
@ 2006-04-20 18:57 Chad Hanson
  0 siblings, 0 replies; 143+ messages in thread
From: Chad Hanson @ 2006-04-20 18:57 UTC (permalink / raw)
  To: Christopher J. PeBenito, Daniel J Walsh; +Cc: SE Linux, Klaus Weidner (E-mail)


It is definitely desirable to have an audit role where another user can
log on to analyze the audit trail of a system to determine whether there has
been malicious activity on the system by users or administrators.

This approach follows the traditional separation of duty concept.

-Chad

> -----Original Message-----
> From: Christopher J. PeBenito [mailto:cpebenito@tresys.com]
> Sent: Thursday, April 20, 2006 1:18 PM
> To: Daniel J Walsh
> Cc: SE Linux
> Subject: Re: Latest diffs
> 
> 
> On Thu, 2006-04-20 at 14:06 -0400, Daniel J Walsh wrote:
> > Added and fixed Russells patch to add auditadm_r.
> 
> Why do we need an auditadm in addition to secadm?
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
> 
> 
> --
> This message was distributed to subscribers of the selinux 
> mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Latest diffs
@ 2006-04-20 18:06 Daniel J Walsh
  2006-04-20 18:17 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-04-20 18:06 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 377 bytes --]

Added and fixed Russells patch to add auditadm_r.

Give ping access to packet_socket.

useradd needs to create files in user_home_dir_t

File context for authconfig-tui

More fixes to allow xen to run

Fixes to allow pegasus to pass configuration testing.

Samba typo

pam_console uses all terminals

remove some .so defs from libraries.fc that are covered by others defs.





[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 19313 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.34/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
+++ serefpolicy-2.2.34/config/appconfig-strict-mls/default_type	2006-04-20 14:04:12.000000000 -0400
@@ -2,3 +2,4 @@
 secadm_r:secadm_t
 staff_r:staff_t
 user_r:user_t
+auditadm_r:auditadm_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.34/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te	2006-04-06 14:05:24.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/admin/netutils.te	2006-04-20 14:04:12.000000000 -0400
@@ -97,7 +97,7 @@
 
 allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:udp_socket create_socket_perms;
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:{ rawip_socket packet_socket } { create ioctl read write bind getopt setopt };
 
 corenet_tcp_sendrecv_all_if(ping_t)
 corenet_udp_sendrecv_all_if(ping_t)
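Review bot: Adding `packet_socket` to ping_t grants link-layer socket access to a domain that, presumably, ordinary users reach through the ping transition, and neither the hunk nor the description says which utility needs it. A comment naming the tool, e.g. `# packet_socket: needed by arping, which shares ping_exec_t — confirm`, would let a later reviewer decide whether plain ping should keep it or whether the tool deserves its own domain.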
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.2.34/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/admin/usermanage.te	2006-04-20 14:04:12.000000000 -0400
@@ -514,6 +514,7 @@
 # Add/remove user home directories
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_generic_user_home_content_dirs(useradd_t)
+userdom_manage_generic_user_home_content_files(useradd_t)
 userdom_manage_staff_home_dirs(useradd_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.34/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/kernel/corecommands.fc	2006-04-20 14:04:12.000000000 -0400
@@ -177,6 +177,7 @@
 ifdef(`distro_redhat', `
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.34/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te	2006-04-20 08:17:36.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/kernel/domain.te	2006-04-20 14:04:12.000000000 -0400
@@ -96,6 +96,7 @@
 	# workaround until role dominance is fixed in
 	# the module compiler
 	role secadm_r types domain;
+	role auditadm_r types domain;
 	role sysadm_r types domain;
 	role user_r types domain;
 	role staff_r types domain;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.34/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/kernel/files.if	2006-04-20 14:04:12.000000000 -0400
@@ -1679,6 +1679,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
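Review bot: `files_unlink_boot_flag` uses the legacy `#` comment header instead of the `## <summary>` / `## <param>` XML doc block that the adjacent interface and `files_read_kernel_img` later in this patch use, so it will be missing from the generated interface documentation. The rule `allow $1 root_t:file unlink;` permits unlinking any root_t-labelled regular file under /, not only /halt and /.autofsck; that is probably acceptable because such files are few, but the summary should state the actual scope. The same interface is added again, unchanged, in the 2006-04-19 patch further down the page.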
@@ -3905,3 +3920,23 @@
 
 	typeattribute $1 files_unconfined_type;
 ')
+
+########################################
+## <summary>
+##     Read kernel files in the /boot directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_read_kernel_img',`
+       gen_require(`
+               type boot_t;
+       ')
+
+       allow $1 boot_t:dir r_dir_perms;
+       allow $1 boot_t:file { getattr read };
+       allow $1 boot_t:lnk_file { getattr read };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.34/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/kernel/kernel.te	2006-04-20 14:04:12.000000000 -0400
@@ -28,6 +28,7 @@
 
 ifdef(`enable_mls',`
 	role secadm_r;
+	role auditadm_r;
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.34/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-02-13 17:05:45.000000000 -0500
+++ serefpolicy-2.2.34/policy/modules/kernel/terminal.if	2006-04-20 14:04:12.000000000 -0400
@@ -174,7 +174,7 @@
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file write;
+	allow $1 console_device_t:chr_file { getattr write append };
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.34/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/services/pegasus.te	2006-04-20 14:04:12.000000000 -0400
@@ -79,11 +79,16 @@
 corenet_tcp_connect_pegasus_https_port(pegasus_t)
 corenet_tcp_connect_generic_port(pegasus_t)
 
+corecmd_exec_sbin(pegasus_t)
+corecmd_exec_bin(pegasus_t)
+corecmd_exec_shell(pegasus_t)
+
 dev_read_sysfs(pegasus_t)
 dev_read_urand(pegasus_t)
 
 fs_getattr_all_fs(pegasus_t)
 fs_search_auto_mountpoints(pegasus_t)
+files_getattr_all_dirs(pegasus_t)
 
 term_dontaudit_use_console(pegasus_t)
 
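Review bot: `corecmd_exec_sbin`, `corecmd_exec_bin` and `corecmd_exec_shell` let pegasus_t execute essentially any system binary and a shell in its own domain, a large widening for a network-facing service, and the hunk carries no comment on which providers or configuration tests need it. A why-comment above the three lines, e.g. `# CIM providers invoke system commands through a shell; TODO narrow to specific domtrans once the needed tools are known`, would keep the grant reviewable and give a path to tightening it later.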
@@ -98,6 +103,8 @@
 files_read_var_lib_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
+hostname_exec(pegasus_t)
+
 init_use_fds(pegasus_t)
 init_use_script_ptys(pegasus_t)
 init_rw_utmp(pegasus_t)
@@ -116,6 +123,7 @@
 	term_dontaudit_use_unallocated_ttys(pegasus_t)
 	term_dontaudit_use_generic_ptys(pegasus_t)
 	files_dontaudit_read_root_files(pegasus_t)
+	unconfined_signull(pegasus_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.34/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2006-04-19 12:23:07.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/services/samba.te	2006-04-20 14:04:12.000000000 -0400
@@ -106,8 +106,8 @@
 files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
 allow samba_net_t samba_var_t:dir rw_dir_perms;
+allow samba_net_t samba_var_t:file create_file_perms;
 allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
-allow samba_net_t samba_var_t:file create_lnk_perms;
 
 kernel_read_proc_symlinks(samba_net_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.34/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-04-19 12:23:07.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/system/authlogin.te	2006-04-20 14:04:12.000000000 -0400
@@ -188,6 +188,8 @@
 storage_setattr_scsi_generic_dev(pam_console_t)
 
 term_use_console(pam_console_t)
+term_use_all_user_ttys(pam_console_t)
+term_use_all_user_ptys(pam_console_t)
 term_setattr_console(pam_console_t)
 term_getattr_unallocated_ttys(pam_console_t)
 term_setattr_unallocated_ttys(pam_console_t)
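Review bot: `term_use_all_user_ttys` and `term_use_all_user_ptys` give pam_console_t read/write access to every user's terminal device, whereas the neighbouring rules (`term_setattr_console`, `term_setattr_unallocated_ttys`) suggest pam_console only needs to change ownership and mode of devices. If the denials being fixed are getattr/setattr, the corresponding setattr interfaces would be the narrower fix; if read/write really is required, a comment explaining why would help.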
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.34/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-04-20 08:17:40.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/system/init.te	2006-04-20 14:04:12.000000000 -0400
@@ -348,6 +348,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.34/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-04-19 12:23:07.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/system/libraries.fc	2006-04-20 14:04:21.000000000 -0400
@@ -66,13 +66,8 @@
 
 /usr/(.*/)?nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/lib(64)?/pgsql/test/regress/.*\.so	--	gen_context(system_u:object_r:shlib_t,s0)
-
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
-/usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
-
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -99,7 +94,6 @@
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_redhat',`
-/usr/lib(64)?/.*/program/.*\.so.*		gen_context(system_u:object_r:shlib_t,s0)
 /usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
 
 # The following are libraries with text relocations in need of execmod permissions
@@ -113,7 +107,7 @@
 /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libglide-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -198,16 +192,12 @@
 /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(.*/)?intellinux/nppdf\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr/(.*/)?intellinux/lib/\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr/(.*/)?intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(local/)?Adobe/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ') dnl end distro_redhat
 
-ifdef(`distro_suse',`
-/usr/lib(64)?/samba/classic/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-')
-
 #
 # /var
 #
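Review bot: The three new Adobe patterns use `texrel_shlib_t`, which differs from the `textrel_shlib_t` spelling used by the rest of the file; unless libraries.te declares `texrel_shlib_t` as an alias (not visible on this page) these entries will fail at build time or label nothing. Even if it is an alias, new entries should use the canonical `textrel_shlib_t`; the pre-existing `libsipphoneapi` line has the same spelling and could be corrected in the same pass.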
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.34/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2006-04-06 15:32:43.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/system/logging.te	2006-04-20 14:04:12.000000000 -0400
@@ -140,7 +140,7 @@
 init_use_fds(auditd_t)
 init_exec(auditd_t)
 init_write_initctl(auditd_t)
-init_use_script_ptys(auditd_t)
+init_dontaudit_use_script_ptys(auditd_t)
 
 logging_send_syslog_msg(auditd_t)
 
@@ -293,7 +293,7 @@
 
 fs_search_auto_mountpoints(syslogd_t)
 
-term_dontaudit_use_console(syslogd_t)
+term_write_console(syslogd_t)
 # Allow syslog to a terminal
 term_write_unallocated_ttys(syslogd_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.34/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-03-24 11:15:53.000000000 -0500
+++ serefpolicy-2.2.34/policy/modules/system/sysnetwork.te	2006-04-20 14:04:12.000000000 -0400
@@ -248,6 +248,7 @@
 
 optional_policy(`
 	xen_append_log(dhcpc_t)
+	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
 ')
 
 ########################################
@@ -346,4 +347,5 @@
 
 optional_policy(`
 	xen_append_log(ifconfig_t)
+	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.34/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-04-12 13:44:38.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/system/unconfined.if	2006-04-20 14:04:12.000000000 -0400
@@ -224,6 +224,24 @@
 
 ########################################
 ## <summary>
+##	Send a SIGNULL signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_signull',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Send generic signals to the unconfined domain.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.34/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-04-20 08:17:40.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/system/userdomain.te	2006-04-20 14:04:12.000000000 -0400
@@ -6,6 +6,7 @@
 
 	ifdef(`enable_mls',`
 		role secadm_r;
+		role auditadm_r;
 	')
 ')
 
@@ -67,6 +68,7 @@
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
 	unconfined_alias_domain(secadm_t)
+	unconfined_alias_domain(auditadm_t)
 	unconfined_alias_domain(sysadm_t)
 
 	# User home directory type.
@@ -82,6 +84,7 @@
 
 	# compatibility for switching from strict
 #	dominance { role secadm_r { role system_r; }}
+#	dominance { role auditadm_r { role system_r; }}
 #	dominance { role sysadm_r { role system_r; }}
 #	dominance { role user_r { role system_r; }}
 #	dominance { role staff_r { role system_r; }}
@@ -105,9 +108,10 @@
 
 	ifdef(`enable_mls',`
 		allow secadm_r system_r;
+		allow auditadm_r system_r;
 		allow secadm_r user_r;
-		allow user_r secadm_r;
 		allow staff_r secadm_r;
+		allow staff_r auditadm_r;
 	')
 
 	optional_policy(`
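Review bot: The removal of `allow user_r secadm_r` tightens role reachability for the unprivileged user role and is not mentioned in the description, which only speaks of adding auditadm_r. Since reviewers look for exactly this kind of change, a line in the description and a short comment in the block, e.g. `# user_r must not reach secadm_r`, would make the intent explicit. The enclosing block begins outside the hunk.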
@@ -128,8 +132,19 @@
 
 	ifdef(`enable_mls',`
 		admin_user_template(secadm)
+		admin_user_template(auditadm)
+
+		role_change(staff,auditadm)
 		role_change(staff,secadm)
+
 		role_change(sysadm,secadm)
+		role_change(sysadm,auditadm)
+
+		role_change(auditadm,secadm)
+		role_change(auditadm,sysadm)
+
+		role_change(secadm,auditadm)
+		role_change(secadm,sysadm)
 	')
 
 	# this should be tunable_policy, but
@@ -179,10 +194,13 @@
 		mls_file_downgrade(secadm_t)
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
-		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
 		files_relabel_all_files(secadm_t)
 		auth_relabel_shadow(secadm_t)
+
+		corecmd_exec_shell(auditadm_t)
+		logging_read_audit_log(auditadm_t)
+		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
 	', `
 		logging_read_audit_log(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
@@ -236,6 +254,7 @@
 
 		ifdef(`enable_mls',`
 			consoletype_exec(secadm_t)
+			consoletype_exec(auditadm_t)
 		')
 	')
 
@@ -248,6 +267,7 @@
 
 		ifdef(`enable_mls',`
 			dmesg_exec(secadm_t)
+			dmesg_exec(auditadm_t)
 		')
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.34/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if	2006-03-23 16:08:51.000000000 -0500
+++ serefpolicy-2.2.34/policy/modules/system/xen.if	2006-04-20 14:04:12.000000000 -0400
@@ -47,6 +47,24 @@
 
 ########################################
 ## <summary>
+##     Don't audit leaked file descriptor.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to don't audit.
+##     </summary>
+## </param>
+#
+interface(`xen_dontaudit_rw_unix_stream_sockets',`
+       gen_require(`
+               type xend_t;
+       ')
+
+       dontaudit $1 xend_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Connect to xenstored over an unix stream socket.
 ## </summary>
 ## <param name="domain">
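Review bot: The summary `Don't audit leaked file descriptor.` does not describe what `xen_dontaudit_rw_unix_stream_sockets` does; the body dontaudits read and write on xend_t unix stream sockets, so a summary like `Do not audit attempts to read and write xend unix stream sockets (typically a leaked descriptor).` would match the name. `Domain to don't audit.` should read `Domain to not audit.`, and the interface body is space-indented where the rest of the file uses tabs.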
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.34/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2006-04-18 22:50:01.000000000 -0400
+++ serefpolicy-2.2.34/policy/modules/system/xen.te	2006-04-20 14:04:12.000000000 -0400
@@ -125,6 +125,7 @@
 
 files_read_etc_files(xend_t)
 files_read_kernel_symbol_table(xend_t)
+files_read_kernel_img(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.34/policy/rolemap
--- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
+++ serefpolicy-2.2.34/policy/rolemap	2006-04-20 14:04:12.000000000 -0400
@@ -15,5 +15,6 @@
 
 	ifdef(`enable_mls',`
 		secadm_r secadm secadm_t
+		auditadm_t auditadm auditadm_t
 	')
 ')
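Review bot: The new rolemap entry reads `auditadm_t auditadm auditadm_t`; the first column is the role and should be `auditadm_r`, as the `secadm_r secadm secadm_t` line above it and the 2.2.41 version of this file earlier on the page show. As written, the role/user/type mapping for the audit administrator is wrong.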
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.34/policy/users
--- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
+++ serefpolicy-2.2.34/policy/users	2006-04-20 14:04:12.000000000 -0400
@@ -29,7 +29,7 @@
 gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
@@ -44,8 +44,8 @@
 	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')

* Latest diffs
@ 2006-04-19  3:16 Daniel J Walsh
  2006-04-19 15:34 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-04-19  3:16 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 562 bytes --]

Fix java domain,

Fix cups file context defs

ftp wants to use ldap to get users

postfix_map_t dontaudits

postgresql sometimes puts sock_file on /tmp

privoxy wants to connect to http_cache_ports

fix samb_net_t typo

samba needs access to ldap

samba wants to update utmp file

I believe sa-learn should be spamc_exec_t

pam_console needs to use certificates.

Additional textrel_shlib_t

Create new unconfined_mount_t to maintain /etc/mtab file context

useradd needs to be able to create user_home_dir_t.

customized types are not being created correctly.


[-- Attachment #2: policy-20060411.patch --]
[-- Type: text/x-patch, Size: 16793 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.33/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/apps/java.te	2006-04-18 23:05:25.000000000 -0400
@@ -7,8 +7,11 @@
 #
 
 type java_t;
+domain_type(java_t)
+
 type java_exec_t;
 init_system_domain(java_t,java_exec_t)
+files_type(java_exec_t)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.33/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/kernel/devices.if	2006-04-18 23:05:25.000000000 -0400
@@ -2874,3 +2874,23 @@
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Dontaudit getattr on all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all_device_nodes',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_t:dir_file_class_set getattr;
+	dontaudit $1 device_node:dir_file_class_set getattr;
+')
+
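Review bot: `dev_dontaudit_getattr_all_device_nodes` references `device_t` but its `gen_require` declares only `attribute device_node;`; add `type device_t;` to the gen_require, otherwise the interface depends on the calling module having already required device_t.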
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.33/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/kernel/files.if	2006-04-18 23:05:25.000000000 -0400
@@ -1679,6 +1679,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.33/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-03-07 10:31:09.000000000 -0500
+++ serefpolicy-2.2.33/policy/modules/kernel/mls.te	2006-04-18 23:05:25.000000000 -0400
@@ -60,6 +60,7 @@
 
 ifdef(`enable_mls',`
 range_transition initrc_t auditd_exec_t s15:c0.c255;
+range_transition secadm_t auditctl_exec_t s15:c0.c255;
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.2.33/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc	2006-03-23 14:33:30.000000000 -0500
+++ serefpolicy-2.2.33/policy/modules/services/cups.fc	2006-04-18 23:05:25.000000000 -0400
@@ -35,7 +35,8 @@
 /usr/share/hplip/hpssd.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
 
 /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)? --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
 /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.33/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te	2006-04-12 13:44:37.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/services/ftp.te	2006-04-18 23:05:25.000000000 -0400
@@ -126,6 +126,7 @@
 seutil_dontaudit_search_config(ftpd_t)
 
 sysnet_read_config(ftpd_t)
+sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.33/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2006-04-18 22:50:00.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/services/postfix.te	2006-04-18 23:05:25.000000000 -0400
@@ -315,6 +315,7 @@
 
 kernel_read_kernel_sysctls(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
+kernel_dontaudit_read_system_state(postfix_map_t)
 
 corenet_tcp_sendrecv_all_if(postfix_map_t)
 corenet_udp_sendrecv_all_if(postfix_map_t)
@@ -360,6 +361,7 @@
 ifdef(`targeted_policy',`
 	# FIXME: would be better to use a run interface
 	role system_r types postfix_map_t;
+	term_dontaudit_use_generic_ptys(postfix_map_t)
 ')
 
 tunable_policy(`read_default_t',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-2.2.33/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if	2006-02-10 17:05:19.000000000 -0500
+++ serefpolicy-2.2.33/policy/modules/services/postgresql.if	2006-04-18 23:05:25.000000000 -0400
@@ -113,10 +113,12 @@
 #
 interface(`postgresql_stream_connect',`
 	gen_require(`
-		type postgresql_t, postgresql_var_run_t;
+		type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
 	')
 
 	files_search_pids($1)
 	allow $1 postgresql_t:unix_stream_socket connectto;
 	allow $1 postgresql_var_run_t:sock_file write;
+        # Some versions of postgresql put the sock file in /tmp
+	allow $1 postgresql_tmp_t:sock_file write;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-2.2.33/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/services/privoxy.te	2006-04-18 23:05:25.000000000 -0400
@@ -50,6 +50,7 @@
 corenet_non_ipsec_sendrecv(privoxy_t)
 corenet_tcp_bind_http_cache_port(privoxy_t)
 corenet_tcp_connect_http_port(privoxy_t)
+corenet_tcp_connect_http_cache_port(privoxy_t)
 corenet_tcp_connect_ftp_port(privoxy_t)
 corenet_tcp_connect_tor_port(privoxy_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.33/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2006-04-18 22:50:00.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/services/samba.te	2006-04-18 23:05:25.000000000 -0400
@@ -106,8 +106,8 @@
 files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
 allow samba_net_t samba_var_t:dir rw_dir_perms;
+allow samba_net_t samba_var_t:file create_file_perms;
 allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
-allow samba_net_t samba_var_t:file create_lnk_perms;
 
 kernel_read_proc_symlinks(samba_net_t)
 
@@ -160,8 +160,10 @@
 	corenet_non_ipsec_sendrecv(samba_net_t)
 	corenet_tcp_bind_all_nodes(samba_net_t)
 	sysnet_read_config(samba_net_t)
+        corenet_tcp_connect_ldap_port(samba_net_t)
 ')
 
+
 optional_policy(`
 	nscd_socket_use(samba_net_t)
 ')
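Review bot: `corenet_tcp_connect_ldap_port(samba_net_t)` is indented with spaces while the surrounding lines use a tab, and the blank line added before the `optional_policy` block leaves two consecutive blank lines. Both are style only. The block the LDAP rule was added to opens outside the hunk, so whether it is already guarded by a tunable or `optional_policy` cannot be seen here.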
@@ -269,6 +271,7 @@
 
 init_use_fds(smbd_t)
 init_use_script_ptys(smbd_t)
+init_rw_utmp(smbd_t)
 
 libs_use_ld_so(smbd_t)
 libs_use_shared_libs(smbd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.2.33/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc	2005-12-01 17:57:16.000000000 -0500
+++ serefpolicy-2.2.33/policy/modules/services/spamassassin.fc	2006-04-18 23:05:25.000000000 -0400
@@ -1,5 +1,5 @@
 
-/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.33/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2006-04-06 15:31:54.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/services/xserver.if	2006-04-18 23:05:25.000000000 -0400
@@ -1070,3 +1070,24 @@
 
 	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
 ')
+
+########################################
+## <summary>
+##	Allow read and write to
+##	a XDM X server socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_sockets',`
+	gen_require(`
+		type xdm_xserver_tmp_t;
+	')
+
+	allow $1 xdm_xserver_tmp_t:dir search;
+	allow $1 xdm_xserver_tmp_t:sock_file { read write };
+')
+
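Review bot: `xserver_rw_xdm_sockets` grants `search` on xdm_xserver_tmp_t and read/write on its sock_file, but nothing to reach that directory; if it lives under /tmp, callers also need `files_search_tmp($1)`, otherwise the interface silently assumes the caller already has it. The summary would also be clearer if it named the socket it grants access to, rather than "a XDM X server socket". The trailing blank line added at the end of the file is stray.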
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.33/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/system/authlogin.te	2006-04-18 23:05:25.000000000 -0400
@@ -173,9 +173,13 @@
 dev_setattr_video_dev(pam_console_t)
 dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
+dev_read_urand(pam_console_t)
 
 fs_search_auto_mountpoints(pam_console_t)
 
+miscfiles_read_localization(pam_console_t)
+miscfiles_read_certs(pam_console_t)
+
 storage_getattr_fixed_disk_dev(pam_console_t)
 storage_setattr_fixed_disk_dev(pam_console_t)
 storage_getattr_removable_dev(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.33/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/system/fstools.te	2006-04-18 23:05:25.000000000 -0400
@@ -77,6 +77,7 @@
 dev_getattr_usbfs_dirs(fsadm_t)
 # Access to /dev/mapper/control
 dev_rw_lvm_control(fsadm_t)
+dev_dontaudit_getattr_all_device_nodes(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.33/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-04-18 22:50:00.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/system/init.te	2006-04-18 23:05:25.000000000 -0400
@@ -352,6 +352,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.33/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-04-18 22:50:00.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/system/libraries.fc	2006-04-18 23:05:25.000000000 -0400
@@ -83,7 +83,6 @@
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?lib(64)?/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -189,6 +188,8 @@
 
 # vmware 
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/HConfig.so  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
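Review bot: The new `HConfig.so` entry here, and the two `/usr/NX/lib/lib*.so.*` entries in the last hunk of this file, leave the `.` before `so` unescaped while every neighbouring entry writes `\.so`; an unescaped dot matches any character, so the patterns are looser than intended. Write them as `HConfig\.so`, `libXcomp\.so.*` and `libjpeg\.so.*`. The NX lines are also appended after the postfix `shlib_t` entries rather than with the other third-party `textrel_shlib_t` blocks above, which makes them easy to overlook.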
@@ -223,3 +224,5 @@
 /var/spool/postfix/lib(64)?/lib.*\.so.*	--	gen_context(system_u:object_r:shlib_t,s0)
 /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
 /var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/NX/lib/libXcomp.so.*	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/NX/lib/libjpeg.so.* 	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-2.2.33/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if	2006-03-02 18:45:56.000000000 -0500
+++ serefpolicy-2.2.33/policy/modules/system/mount.if	2006-04-18 23:05:25.000000000 -0400
@@ -113,3 +113,25 @@
 	allow $1 mount_t:udp_socket rw_socket_perms;
 ')
 
+########################################
+## <summary>
+##	Execute mount in the unconfined_mount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`unconfined_mount_domtrans',`
+	gen_require(`
+		type unconfined_mount_t, mount_exec_t;
+	')
+
+	domain_auto_trans($1,mount_exec_t,unconfined_mount_t)
+
+	allow $1 unconfined_mount_t:fd use;
+	allow unconfined_mount_t $1:fd use;
+	allow unconfined_mount_t $1:fifo_file rw_file_perms;
+	allow unconfined_mount_t $1:process sigchld;
+')
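Review bot: `unconfined_mount_domtrans` requires `unconfined_mount_t`, but the companion mount.te hunk in this patch declares that type only inside `ifdef(`targeted_policy',...)`, so any caller of this interface in a non-targeted build fails at `gen_require`; either declare the type unconditionally or wrap the interface body in the same `ifdef`. Because the target is given `unconfined_domain`, the summary should say so plainly, e.g. `Execute mount in the unconfined_mount domain; the resulting process is unconfined.`, so callers understand what they grant. The name also breaks the file's convention of prefixing interfaces in mount.if with `mount_`; `mount_domtrans_unconfined` would match its siblings.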
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.33/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-04-12 13:44:38.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/system/mount.te	2006-04-18 23:05:25.000000000 -0400
@@ -151,3 +151,12 @@
 optional_policy(`
 	samba_domtrans_smbmount(mount_t)
 ')
+
+ifdef(`targeted_policy', `
+	type unconfined_mount_t;
+	domain_type(unconfined_mount_t)
+	role system_r types unconfined_mount_t;
+	domain_entry_file(unconfined_mount_t,mount_exec_t)
+	files_manage_etc_runtime_files(unconfined_mount_t)
+	unconfined_domain(unconfined_mount_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.33/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-03-29 14:18:17.000000000 -0500
+++ serefpolicy-2.2.33/policy/modules/system/selinuxutil.if	2006-04-18 23:05:25.000000000 -0400
@@ -697,8 +697,8 @@
 
 	files_search_etc($1)
 	allow $1 selinux_config_t:dir search;
-	allow $1 file_context_t:dir r_dir_perms;
-	allow $1 file_context_t:file rw_file_perms;
+	allow $1 file_context_t:dir rw_dir_perms;
+	allow $1 file_context_t:file create_file_perms;
 	allow $1 file_context_t:lnk_file { getattr read };
 ')
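Review bot: Widening file_context_t from `r_dir_perms`/`rw_file_perms` to `rw_dir_perms`/`create_file_perms` changes what every existing caller of this interface receives (create, unlink and rename on file contexts), not only the caller this commit needs. The interface header is outside the hunk, but if it is the `rw_` variant its name and summary no longer describe what it grants. A separate manage interface, with the one caller that needs it switched over, keeps the narrower interface narrow.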
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.33/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-04-18 22:50:00.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/system/unconfined.te	2006-04-18 23:05:25.000000000 -0400
@@ -37,10 +37,13 @@
 	logging_domtrans_auditctl(unconfined_t)
 
 	seutil_domtrans_restorecon(unconfined_t)
+	seutil_domtrans_semanage(unconfined_t)
 
 	userdom_unconfined(unconfined_t)
 	userdom_priveleged_home_dir_manager(unconfined_t)
 
+	unconfined_mount_domtrans(unconfined_t)
+
 	optional_policy(`
 		ada_domtrans(unconfined_t)
 	')
@@ -140,10 +143,6 @@
 	')
 
 	optional_policy(`
-		seutil_domtrans_semanage(unconfined_t)
-	')
-
-	optional_policy(`
 		sysnet_domtrans_dhcpc(unconfined_t)
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.33/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-04-18 22:50:01.000000000 -0400
+++ serefpolicy-2.2.33/policy/modules/system/userdomain.if	2006-04-18 23:07:34.000000000 -0400
@@ -4171,6 +4173,7 @@
 		type user_home_dir_t;
 	')
 
+	allow $1 user_home_dir_t:dir create_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.2.33/Rules.modular
--- nsaserefpolicy/Rules.modular	2006-03-23 14:33:29.000000000 -0500
+++ serefpolicy-2.2.33/Rules.modular	2006-04-18 23:05:25.000000000 -0400
@@ -208,7 +208,7 @@
 #
 $(APPDIR)/customizable_types: $(BASE_CONF)
 	@mkdir -p $(APPDIR)
-	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
+	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
 	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
 
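Review bot: The extra `cut -d';' -f1` carries no comment saying which declaration form it handles, and it is not obvious from the pipeline which input previously slipped through the `,`-only split. A one-line comment above the rule naming that input (`# strip the trailing ';' so <the form that broke> still yields just the type name`) would stop the next reader from removing it as redundant. I am inferring the intent from the pipeline alone.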
 ########################################

* Latest diffs
@ 2006-02-20 22:19 Daniel J Walsh
  2006-02-23 14:18 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-02-20 22:19 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 601 bytes --]

Fixing problems for strict policy

$1_su_t needs to transition to $1_xauth_t

Stop locate audits on mls machines

pam_console needs to setattr/getattr dri_device_t

cron.if has a cut and paste error

crond wants to read postfix_etc_t

initrc wants to write to cups_log_t

spamd needs to search user_home_dir_t

ssh_agent wants to connect to its own unix_stream_socket

Want to allow mount_t to mount on users home dirs

Fixed up semodule policy; although matchpathcon does not seem to be 
returning the correct labels

strict policy fixes for userdomain.
must get netstat, ifconfig, rpm -q working



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 16146 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.2.17/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if	2006-02-14 07:20:23.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/admin/su.if	2006-02-20 16:22:06.000000000 -0500
@@ -220,6 +220,14 @@
 		nscd_socket_use($1_su_t)
 	')
 
+	# Modify .Xauthority file (via xauth program).
+	optional_policy(`xserver',`
+#		file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+#		file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+#		file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+		xserver_domtrans_user_xauth($1, $1_su_t)
+	')
+
 	ifdef(`TODO',`
 	# Caused by su - init scripts
 	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
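Review bot: Three commented-out `file_type_auto_trans` lines are added inside the new `optional_policy(`xserver',...)` block; they are dead text, and the second hunk of this file deletes their live versions from the TODO section, so drop them and keep only the `xserver_domtrans_user_xauth($1, $1_su_t)` call with its comment. The enclosing template starts outside the hunk.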
@@ -235,17 +243,6 @@
 	dontaudit $1_su_t home_dir_type:dir { search write };
 	')
 
-	# Modify .Xauthority file (via xauth program).
-	ifdef(`xauth.te', `
-	file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-	file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-	file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
-	domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
-	')
-
-	ifdef(`cyrus.te', `
-	allow $1_su_t cyrus_var_lib_t:dir search;
-	')
 	ifdef(`ssh.te', `
 	# Access sshd cookie files.
 	allow $1_su_t sshd_tmp_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.2.17/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te	2006-01-25 15:58:58.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/apps/slocate.te	2006-02-20 16:22:06.000000000 -0500
@@ -36,6 +36,8 @@
 
 files_list_all(locate_t)
 files_getattr_all_files(locate_t)
+# mls Higher level directories will be refused, so dontaudit
+files_dontaudit_getattr_all_dirs(locate_t)
 files_read_etc_runtime_files(locate_t)
 files_read_etc_files(locate_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.17/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2006-02-20 14:07:36.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/kernel/devices.if	2006-02-20 16:22:06.000000000 -0500
@@ -1115,6 +1115,45 @@
 
 ########################################
 ## <summary>
+##	Setattr the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_dri_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 dri_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	getattr the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_dri_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 dri_device_t:chr_file getattr;
+')
+
+
+########################################
+## <summary>
 ##	Read input event devices (/dev/input).
 ## </summary>
 ## <param name="domain">
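Review bot: The two new interfaces differ only in the permission, and a domain calling both (authlogin.te in this patch calls both for pam_console_t) receives `allow $1 device_t:dir r_dir_perms;` twice; `r_dir_perms` is also wider than the `search` needed to reach the node. The summaries are inconsistent in case (`Setattr` vs `getattr`), and a double blank line is left after the second interface.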
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.2.17/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2006-02-20 14:07:37.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/cron.if	2006-02-20 16:22:06.000000000 -0500
@@ -544,7 +544,7 @@
 		type system_crond_t;
 	')
 
-	allow $1 system_crond_t:file rw_file_perms;
+	allow $1 system_crond_t:fifo_file rw_file_perms;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.17/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2006-02-20 14:07:37.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/cron.te	2006-02-20 16:22:06.000000000 -0500
@@ -398,6 +398,10 @@
 		prelink_delete_cache(system_crond_t)
 	')
 
+	optional_policy(`postfix',`
+		postfix_read_config(system_crond_t)
+	')	
+
 	optional_policy(`samba',`
 		samba_read_config(system_crond_t)
 		samba_read_log(system_crond_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.2.17/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if	2006-02-10 21:34:13.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/cups.if	2006-02-20 16:22:06.000000000 -0500
@@ -169,6 +169,25 @@
 
 ########################################
 ## <summary>
+##	write cups log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_write_log',`
+	gen_require(`
+		type cupsd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 cupsd_log_t:file write;
+')
+
+########################################
+## <summary>
 ##	Connect to ptal over an unix domain stream socket.
 ## </summary>
 ## <param name="domain">
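Review bot: `cups_write_log` grants only `write` on cupsd_log_t, which does not cover a writer that opens the log with O_APPEND, since SELinux checks `append` rather than `write` for that open, and it grants no `getattr`; for a log file `allow $1 cupsd_log_t:file { getattr append write };` is the usual shape, or just `{ getattr append }` if the initrc caller only appends. The summary also starts lowercase (`write cups log files.`) unlike its neighbours.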
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.17/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-02-20 14:07:37.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/spamassassin.te	2006-02-20 16:22:06.000000000 -0500
@@ -124,6 +124,7 @@
 	term_dontaudit_use_generic_ptys(spamd_t)
 	files_dontaudit_read_root_files(spamd_t)
 	tunable_policy(`spamd_enable_home_dirs',`
+		userdom_search_unpriv_user_home_dirs(spamd_t)
 		userdom_manage_generic_user_home_dirs(spamd_t)
 		userdom_manage_generic_user_home_files(spamd_t)
 		userdom_manage_generic_user_home_symlinks(spamd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.2.17/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if	2006-02-16 09:05:14.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/services/ssh.if	2006-02-20 16:22:06.000000000 -0500
@@ -279,6 +279,8 @@
 
 	allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
 
+	allow $1_ssh_agent_t $1_ssh_agent_t:unix_stream_socket { connectto rw_socket_perms };
+
 	allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
 
 	# for ssh-add
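Review bot: The new rule names the domain on both sides, `allow $1_ssh_agent_t $1_ssh_agent_t:unix_stream_socket ...`; elsewhere this series writes such rules with the `self` keyword, so `allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };` is the same rule in house style. The enclosing template begins outside the hunk.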
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.17/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-02-03 08:55:55.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/authlogin.te	2006-02-20 16:22:06.000000000 -0500
@@ -153,6 +153,8 @@
 dev_read_sysfs(pam_console_t)
 dev_getattr_apm_bios_dev(pam_console_t)
 dev_setattr_apm_bios_dev(pam_console_t)
+dev_getattr_dri_dev(pam_console_t)
+dev_setattr_dri_dev(pam_console_t)
 dev_getattr_framebuffer_dev(pam_console_t)
 dev_setattr_framebuffer_dev(pam_console_t)
 dev_getattr_misc_dev(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.17/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-02-14 07:20:31.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/mount.te	2006-02-20 16:22:06.000000000 -0500
@@ -137,6 +137,8 @@
 	samba_domtrans_smbmount(mount_t)
 ')
 
+userdom_mounton_generic_user_home_dir(mount_t)
+
 ifdef(`TODO',`
 # TODO: Need to examine this further. Not sure how to handle this
 #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.17/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/selinuxutil.fc	2006-02-20 17:04:24.000000000 -0500
@@ -39,3 +39,10 @@
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
 ')
+
+/usr/sbin/semodule		--	gen_context(system_u:object_r:semodule_exec_t,s0)
+
+/etc/selinux([^/]*/)?modules    -d	gen_context(system_u:object_r:selinux_config_t,s0)
+/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)?     --	gen_context(system_u:object_r:semodule_store_t,s0)
+/etc/selinux([^/]*/)?modules/semanage.read.LOCK    --	gen_context(system_u:object_r:semodule_read_lock_t,s0)
+/etc/selinux([^/]*/)?modules/semanage.trans.LOCK   --	gen_context(system_u:object_r:semodule_trans_lock_t,s0)
\ No newline at end of file
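Review bot: The `/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)?` entry is restricted to regular files (`--`), so the active, tmp and previous directories themselves never receive semodule_store_t, yet `seutil_manage_module_store_files` in this patch grants `semodule_store_t:dir rw_dir_perms` and expects directories of that type; drop the `--` so the directories match as well. The file also ends without a trailing newline.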
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.17/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-02-16 14:46:56.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/selinuxutil.if	2006-02-20 17:01:53.000000000 -0500
@@ -705,3 +705,90 @@
 	allow $1 policy_src_t:dir create_dir_perms;
 	allow $1 policy_src_t:file create_file_perms;
 ')
+
+########################################
+## <summary>
+##	Execute a domain transition to run semodule.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`semodule_domtrans',`
+	gen_require(`
+		type semodule_t, semodule_exec_t;
+	')
+	files_search_usr($1)
+	corecmd_search_bin($1)
+
+	domain_auto_trans($1,semodule_exec_t,semodule_t)
+
+	allow $1 semodule_t:fd use;
+	allow semodule_t $1:fd use;
+	allow semodule_t $1:fifo_file rw_file_perms;
+	allow semodule_t $1:process sigchld;
+')
+
+
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in
+##	/etc/selinux/*/modules/*
+##	such as mtab.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_manage_module_store_files',`
+	gen_require(`
+		type semodule_store_t;
+	')
+
+	allow $1 semodule_store_t:dir rw_dir_perms;
+	allow $1 semodule_store_t:file create_file_perms;
+	type_transition $1 selinux_config_t:dir semodule_store_t;
+')
+
+
+#######################################
+## <summary>
+##	Get read lock on module store
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`seutil_module_get_read_lock',`
+	gen_require(`
+		type semodule_read_lock_t;
+	')
+
+	allow $1 semodule_read_lock_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Get trans lock on module store
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`seutil_module_get_trans_lock',`
+	gen_require(`
+		type semodule_trans_lock_t;
+	')
+
+	allow $1 semodule_trans_lock_t:file rw_file_perms;
+')
+
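Review bot: `seutil_manage_module_store_files` uses `selinux_config_t` in its `type_transition` but only requires `semodule_store_t`; the block should read `type semodule_store_t, selinux_config_t;`, otherwise a module expanding the interface fails when that type is not already required there. Two smaller points: the summary's `such as mtab.` looks copied from another interface and does not apply here, and `semodule_domtrans` breaks the `seutil_` prefix the rest of the file uses (`seutil_domtrans_semodule` would match `seutil_domtrans_setfiles`).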
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.17/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-02-16 14:46:56.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/selinuxutil.te	2006-02-20 17:08:53.000000000 -0500
@@ -526,12 +526,74 @@
 
 miscfiles_read_localization(setfiles_t)
 
+seutil_module_get_trans_lock(setfiles_t)
+seutil_module_get_read_lock(setfiles_t)
+
 userdom_use_all_users_fd(setfiles_t)
 # for config files in a home directory
 userdom_read_all_user_files(setfiles_t)
 
-ifdef(`TODO',`
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that setfiles can not be run!
-allow setfiles_t lib_t:file { read execute };
-') dnl endif TODO
+########################################
+#
+# Declarations
+#
+
+type semodule_t;
+domain_type(semodule_t)
+
+type semodule_exec_t;
+domain_entry_file(semodule_t, semodule_exec_t)
+role system_r types semodule_t;
+
+type semodule_store_t;
+files_type(semodule_store_t)
+
+type semodule_read_lock_t;
+files_type(semodule_read_lock_t)
+
+type semodule_trans_lock_t; 
+files_type(semodule_trans_lock_t)
+
+term_use_all_terms(semodule_t)
+allow semodule_t policy_config_t:file { read write };
+
+########################################
+#
+# semodule local policy
+#
+corecmd_exec_bin(semodule_t)
+corecmd_exec_sbin(semodule_t)
+
+files_read_etc_files(semodule_t)
+files_search_etc(semodule_t)
+files_list_usr(semodule_t)
+files_list_pids(semodule_t)
+files_read_usr_files(semodule_t)
+
+kernel_read_system_state(semodule_t)
+kernel_read_kernel_sysctls(semodule_t)
+
+libs_use_ld_so(semodule_t)
+libs_use_shared_libs(semodule_t)
+libs_use_lib_files(semodule_t)
+
+mls_file_write_down(semodule_t)
+mls_rangetrans_target(semodule_t)
+
+optional_policy(`selinux', `
+	selinux_get_enforce_mode(semodule_t)
+')
+
+seutil_search_default_contexts(semodule_t)
+seutil_rw_file_contexts(semodule_t)
+seutil_domtrans_setfiles(semodule_t)
+seutil_domtrans_loadpolicy(semodule_t)
+seutil_read_config(semodule_t)
+seutil_manage_bin_policy(semodule_t)
+seutil_use_newrole_fd(semodule_t)
+
+allow semodule_t self:unix_stream_socket create_stream_socket_perms;
+
+seutil_manage_module_store_files(semodule_t)
+seutil_module_get_trans_lock(semodule_t)
+seutil_module_get_read_lock(semodule_t)
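Review bot: The `Declarations` block for semodule_t (types, `domain_entry_file`, `role`) is inserted after the setfiles rules rather than in the file's declarations section at the top, and `term_use_all_terms` plus the policy_config_t rule sit under that header instead of under `semodule local policy`; moving the declarations up and the two rules down keeps the section headers truthful. `type semodule_trans_lock_t; ` carries a trailing space. `optional_policy(`selinux', ...)` looks unnecessary if selinux is a base module, but that cannot be confirmed from here.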
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.17/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-02-20 14:07:38.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/userdomain.if	2006-02-20 16:22:06.000000000 -0500
@@ -145,6 +145,7 @@
 	allow $1_t unpriv_userdomain:fd use;
 
 	kernel_read_kernel_sysctls($1_t)
+	kernel_read_net_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -414,6 +415,8 @@
 	optional_policy(`rpm',`
 		files_getattr_var_lib_dirs($1_t)
 		files_search_var_lib($1_t)
+		rpm_read_db($1_t)
+		rpm_dontaudit_manage_db($1_t)
 	')
 
 	optional_policy(`samba',`
@@ -4423,3 +4426,24 @@
 	allow $1 user_home_dir_t:dir create_dir_perms;
 	files_filetrans_home($1,user_home_dir_t)
 ')
+
+
+########################################
+## <summary>
+##	mounton generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_mounton_generic_user_home_dir',`
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	allow $1 user_home_dir_type:dir mounton;
+	allow $1 user_home_type:dir mounton;
+')
+
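Review bot: `userdom_mounton_generic_user_home_dir` grants `mounton` on every directory carrying `user_home_type`, not only the home directories themselves, so its caller (mount_t, in the mount.te hunk earlier in this patch) may mount over any directory beneath any user's home; if the use case is mounting home directories, `user_home_dir_type` alone is the tighter grant. Whichever is intended, the summary should say which of the two attributes is covered, since "generic" does not describe rules keyed on attributes spanning all users.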
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.17/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-02-16 14:46:56.000000000 -0500
+++ serefpolicy-2.2.17/policy/modules/system/userdomain.te	2006-02-20 16:22:06.000000000 -0500
@@ -358,6 +358,8 @@
 			seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
 			seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
 			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+			semodule_domtrans(secadm_t)
+			role secadm_r types semodule_t;
 			seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
 		', `
 			selinux_set_enforce_mode(sysadm_t)
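Review bot: `role secadm_r types semodule_t;` is a raw role statement in userdomain.te naming a type from the selinuxutil module, whereas the surrounding lines go through `seutil_run_*` interfaces that handle the role and terminal together; in a modular build the bare statement also needs `semodule_t` in a `gen_require`. Adding a run interface next to the new domtrans one and calling `seutil_run_semodule(secadm_t,secadm_r,admin_terminal)` here keeps this block consistent with its neighbours.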
diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-2.2.17/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel	2006-02-16 16:42:39.000000000 -0500
+++ serefpolicy-2.2.17/support/Makefile.devel	2006-02-20 16:22:06.000000000 -0500
@@ -1,3 +1,6 @@
+# installation paths
+SHAREDIR := $(PREFIX)/share/selinux
+HEADERDIR := $(SHAREDIR)/refpolicy/include
 
 include $(HEADERDIR)/build.conf
 
@@ -19,8 +22,13 @@
 PYTHON ?= python
 
 # set default build options if missing
-TYPE ?= strict
-NAME ?= $(TYPE)
+NAME ?= $(shell . /etc/selinux/config; echo $$SELINUXTYPE)
+MLSENABLED := $(shell cat /selinux/mls)
+ifeq ($(MLSENABLED),1)
+MCSFLAG=-mcs
+endif
+
+TYPE ?= $(NAME)${MCSFLAG}
 DIRECT_INITRC ?= n
 POLY ?= n
 QUIET ?= y
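Review bot: `MLSENABLED := $(shell cat /selinux/mls)` prints an error and yields an empty value when selinuxfs is not mounted (a build chroot, for example), and `NAME` is empty when /etc/selinux/config does not set SELINUXTYPE, so `TYPE` silently becomes `-mcs` or empty; guard both, e.g. `MLSENABLED := $(shell cat /selinux/mls 2>/dev/null)` and a fallback for NAME. Mapping MLSENABLED=1 to `-mcs` also assumes an MLS-capable kernel means an MCS policy, which depends on the installed policy rather than the kernel. `$(NAME)${MCSFLAG}` mixes `$()` and `${}` in one expansion.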

* Latest diffs
@ 2006-02-09 18:39 Daniel J Walsh
  2006-02-13 22:08 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-02-09 18:39 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1490 bytes --]

Update build.conf to match what I believe should be the defaults.

Add some of Russell's mcs changes

Kudzu wants to check write access to removable devices

Prelink needs to execute_no_trans ld_so_t

dontaudit readahear reading ramfs file systems

su.if had some cut and paste errors

bootloader wants to ioctl fifo_file and read sysfs files

Added bgp port for Zebra

Additional usb devices (per russell)

Added
+/usr/doc(/.*)?/lib(/.*)?       gen_context(system_u:object_r:usr_t,s0)
+/usr/src(/.*)?/lib(/.*)?       gen_context(system_u:object_r:usr_t,s0)

So labeling of these directories would not end up lib_t.

files.if had a cut and paste error

udev wants to read inotifyfs directory

Added cacti directories for httpd

automount creates tmp directories in / that hal wants to look at.

fetchmail wants to ps all processes.

hal continuously wants more privs...


mta/sendmail wants to read postfix config and spools.

NetworkManager needs to be able to create directory for wpa_supplicant

postfix_postdrop_t needs to be able to resolve

Made some changes to turn on polyinstatiation.

Spamd wants to talk to razor and ldap.

zebra needs to connect to its own tcp_socket

audit daemon needs sigpgid
auditctl needs to output to  terminals.

unconfined daemon needs to be able to create and setattr on its own 
fifo_files

make fstools and mount work from unconfined_t

sysadm needs to be able to run init in order to change runlevel

secadm needs to be able to run dmesg













[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 32735 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/build.conf serefpolicy-2.2.12/build.conf
--- nsaserefpolicy/build.conf	2006-01-26 16:54:24.000000000 -0500
+++ serefpolicy-2.2.12/build.conf	2006-02-08 11:43:58.000000000 -0500
@@ -8,13 +8,13 @@
 # version policy it supports.  Setting this will
 # override the version.  This only has an
 # effect for monolithic policies.
-#OUTPUT_POLICY = 18
+#OUTPUT_POLICY = 20
 
 # Policy Type
 # strict, targeted,
 # strict-mls, targeted-mls,
 # strict-mcs, targeted-mcs
-TYPE = strict
+TYPE = strict-mcs
 
 # Policy Name
 # If set, this will be used as the policy
@@ -40,7 +40,7 @@
 
 # Build monolithic policy.  Putting n here
 # will build a loadable module policy.
-MONOLITHIC=y
+MONOLITHIC=n
 
 # Polyinstantiation
 # Enable polyinstantiated directory support.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.2.12/policy/mcs
--- nsaserefpolicy/policy/mcs	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.2.12/policy/mcs	2006-02-08 11:43:58.000000000 -0500
@@ -137,15 +137,24 @@
 # Only files are constrained by MCS at this stage.
 #
 mlsconstrain file { write setattr append unlink link rename
-		    create ioctl lock execute } (h1 dom h2);
+		    ioctl lock execute relabelfrom } (h1 dom h2);
+
+mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
 
 mlsconstrain file { read } ((h1 dom h2) or 
 			    ( t1 == mlsfileread ));
 
 
 # new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
 	( h1 dom h2 );
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+	(( h1 dom h2 ) and ( l2 eq h2 ));
+
+mlsconstrain process { ptrace } ( h1 dom h2 );
+
+mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
+		( t1 == init_t ) or ( t1 == initrc_t );
 
 define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
 link unlink rename relabelfrom relabelto }')
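Review bot: The new sigkill/sigstop constraint at the bottom of the hunk hard-codes `init_t` and `initrc_t` as exemptions, which couples the MCS constraint file to types declared by the init module and leaves the exemption uncommented. Every other constraint in this hunk wraps its whole expression in parentheses, while this one leaves the `or` chain bare across two lines; for consistency write `mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == init_t ) or ( t1 == initrc_t ));`. A one-line comment above it stating why init_t/initrc_t may signal any process regardless of category would help, since the reason is not visible here.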
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.2.12/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te	2006-02-07 10:43:25.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/admin/kudzu.te	2006-02-08 11:43:58.000000000 -0500
@@ -24,7 +24,6 @@
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
-auditallow kudzu_t self:process execmem; 
 allow kudzu_t self:fifo_file rw_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow kudzu_t self:unix_dgram_socket create_socket_perms;
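Review bot: Dropping `auditallow kudzu_t self:process execmem;` removes the only audit record of kudzu using execmem while the `allow` two lines above keeps the permission, so the change reduces detection signal rather than privilege. If audit volume was the problem, say so on the remaining allow line, e.g. `# execmem still allowed; auditallow dropped because of log noise`, or keep the auditallow. The second hunk of this file adds `storage_raw_write_removable_device(kudzu_t)`, a block-level write to removable media, which also deserves a why-comment. Both hunks sit inside rule runs that continue outside the view.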
@@ -72,6 +71,7 @@
 storage_read_scsi_generic(kudzu_t)
 storage_read_tape(kudzu_t)
 storage_raw_write_fixed_disk(kudzu_t)
+storage_raw_write_removable_device(kudzu_t)
 storage_raw_read_fixed_disk(kudzu_t)
 storage_raw_read_removable_device(kudzu_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te	2006-02-03 08:55:52.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/admin/prelink.te	2006-02-08 11:43:58.000000000 -0500
@@ -65,6 +65,7 @@
 fs_getattr_xattr_fs(prelink_t)
 
 libs_use_ld_so(prelink_t)
+libs_execute_no_trans_ld_so(prelink_t)
 libs_manage_ld_so(prelink_t)
 libs_relabel_ld_so(prelink_t)
 libs_use_shared_libs(prelink_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.2.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te	2006-02-03 08:55:52.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/admin/readahead.te	2006-02-08 11:43:58.000000000 -0500
@@ -47,7 +47,9 @@
 fs_search_auto_mountpoints(readahead_t)
 fs_getattr_all_pipes(readahead_t)
 fs_getattr_all_files(readahead_t)
-fs_search_ramfs(readahead_t)
+fs_dontaudit_search_ramfs(readahead_t)
+fs_dontaudit_read_ramfs_fifo_file(readahead_t)
+fs_dontaudit_read_ramfs_file(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
 
 term_dontaudit_use_console(readahead_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.2.12/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if	2006-02-03 08:55:52.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/admin/su.if	2006-02-08 11:43:58.000000000 -0500
@@ -23,13 +23,12 @@
 	# Transition from the user domain to this domain.
 	domain_auto_trans($2, su_exec_t, $1_su_t)
 	allow $2 $1_su_t:fd use;
-	allow $1_su_t $2:fd use;
-	allow $1_su_t $2:fifo_file rw_file_perms;
-	allow $1_su_t $2:process sigchld;
+	allow $2 $1_su_t:fifo_file rw_file_perms;
+	allow $2 $1_su_t:process sigchld;
 
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_su_t,$2)
-	allow $2 $1_su_t:fd use;
+	allow $1_su_t $2:fd use;
 	allow $1_su_t $2:fd use;
 	allow $1_su_t $2:fifo_file rw_file_perms;
 	allow $1_su_t $2:process sigchld;
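Review bot: After this change the new side carries `allow $1_su_t $2:fd use;` twice in a row (the rewritten line and the untouched context line directly below it), so one of them is redundant and should be deleted. The total set of rules is otherwise the same as before, only regrouped between the forward transition and the shell-return transition; a short comment on the first group such as `# fd, fifo and sigchld flow both ways across the transition` would make the regrouping look intentional. The interface definition begins outside the hunk.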
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/bootloader.te serefpolicy-2.2.12/policy/modules/kernel/bootloader.te
--- nsaserefpolicy/policy/modules/kernel/bootloader.te	2006-02-03 08:55:52.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/kernel/bootloader.te	2006-02-08 11:43:58.000000000 -0500
@@ -71,7 +71,7 @@
 
 allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
 allow bootloader_t self:process { sigkill sigstop signull signal };
-allow bootloader_t self:fifo_file { getattr read write };
+allow bootloader_t self:fifo_file rw_file_perms;
 
 allow bootloader_t boot_t:dir { create rw_dir_perms };
 allow bootloader_t boot_t:file create_file_perms;
@@ -110,7 +110,7 @@
 dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
-dev_getattr_sysfs_dirs(bootloader_t)
+dev_read_sysfs(bootloader_t)
 # for reading BIOS data
 dev_read_raw_memory(bootloader_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.12/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/kernel/corenetwork.te.in	2006-02-08 11:43:58.000000000 -0500
@@ -124,6 +124,7 @@
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(bgp, tcp,179,s0, udp,179,s0)
 network_port(zebra, tcp,2601,s0)
 network_port(zope, tcp,8021,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.12/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-02-02 10:39:15.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/kernel/devices.fc	2006-02-08 11:43:58.000000000 -0500
@@ -78,6 +78,7 @@
 /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/bus/usb/.*/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
 
 ifdef(`distro_redhat',`
 # originally from named.fc
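Review bot: The new file context `/dev/bus/usb/.*/[0-9]+` is looser than the path the devices.te hunk documents for `usb_device_t` (`/dev/bus/usb/[0-9]+/[0-9]+`): `.*` matches any number of path components, so anything under `/dev/bus/usb/` whose last component is numeric gets the device label. Tightening it to `/dev/bus/usb/[0-9]+/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)` keeps the .fc entry and the .te comment in agreement.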
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.2.12/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te	2006-02-01 08:23:28.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/kernel/devices.te	2006-02-08 11:43:58.000000000 -0500
@@ -159,6 +159,11 @@
 genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
 genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
 
+#
+# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
+type usb_device_t;
+dev_node(usb_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.2.12/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc	2006-02-03 08:55:52.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/kernel/files.fc	2006-02-08 11:43:58.000000000 -0500
@@ -192,6 +192,8 @@
 /usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
+/usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+/usr/src(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 
 /usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
 /usr/tmp/.*			<<none>>
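Review bot: The two new entries use `lib(/.*)?` while the `/usr/share(/.*)?/lib(64)?(/.*)?` entry two lines above them also covers `lib64`, so a `lib64` directory under `/usr/src` or `/usr/doc` would still fall through to whatever the generic lib rule assigns. If that is not intended, use `/usr/src(/.*)?/lib(64)?(/.*)?` and the same shape for `/usr/doc`. The description says the goal is to stop these directories being labelled lib_t; a one-line comment above the entries saying so would help the next reader.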
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-02-03 08:55:52.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/kernel/files.if	2006-02-08 11:43:58.000000000 -0500
@@ -2080,7 +2080,7 @@
 		attribute tmpfile;
 	')
 
-	allow $1 tmpfile:dir { search getattr };
+	allow $1 tmpfile:dir { search setattr };
 ')
 
 ########################################
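Review bot: The rewritten rule grants `setattr` on tmpfile directories but drops `getattr`, and the interface whose body this is starts outside the hunk, so I cannot confirm from here which of the two its name promises. If it is a setattr interface the old line was the paste error the description mentions; if any caller also relied on getattr, `allow $1 tmpfile:dir { search getattr setattr };` keeps them working. Either way, check the line against the interface's `<summary>` above the hunk.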
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.12/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/kernel/filesystem.if	2006-02-08 11:43:58.000000000 -0500
@@ -929,6 +929,22 @@
 
 ########################################
 ## <summary>
+##	List inotifyfs filesystem. 
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_list_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	allow $1 inotifyfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Mount an iso9660 filesystem, which
 ##	is usually used on CDs.
 ## </summary>
@@ -1763,6 +1779,38 @@
 
 ########################################
 ## <summary>
+##	Dontaudit read on a ramfs file/fifo_file
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_dontaudit_read_ramfs_file',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:file read;
+')
+
+########################################
+## <summary>
+##	Dontaudit read on a ramfs fifo_file
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_dontaudit_read_ramfs_fifo_file',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:fifo_file read;
+')
+
+########################################
+## <summary>
 ##	Write to named pipe on a ramfs filesystem.
 ## </summary>
 ## <param name="domain">
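Review bot: The summary of `fs_dontaudit_read_ramfs_file` says `Dontaudit read on a ramfs file/fifo_file`, but the body only covers `ramfs_t:file`; the fifo case is the separate `fs_dontaudit_read_ramfs_fifo_file` interface added right below it. Change the first summary to `##	Do not audit attempts to read a ramfs file.` and the second to `##	Do not audit attempts to read a ramfs fifo_file.` so the documentation matches the rules and the phrasing of the surrounding interfaces.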
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.12/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-02-03 08:55:53.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/kernel/terminal.if	2006-02-09 07:23:31.000000000 -0500
@@ -386,7 +386,7 @@
 		type devpts_t;
 	')
 
-	dontaudit $1 devpts_t:chr_file { read write };
+	dontaudit $1 devpts_t:chr_file { getattr read write };
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/apache.fc	2006-02-09 08:54:38.000000000 -0500
@@ -48,6 +48,7 @@
 /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/cacti(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 
@@ -55,6 +56,8 @@
 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+
 ifdef(`distro_debian', `
 /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 ')
@@ -73,3 +76,4 @@
 /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-2.2.12/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if	2005-12-12 15:35:53.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/automount.if	2006-02-09 07:12:23.000000000 -0500
@@ -39,3 +39,19 @@
 	corecmd_search_sbin($1)
 	can_exec($1,automount_etc_t)
 ')
+
+########################################
+## <summary>
+##	dontaudit getattr of automount tmp dir
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`automount_dontaudit_getattr_tmp_dir',`
+	gen_require(`
+		type automount_tmp_t;
+	')
+
+	dontaudit $1 automount_tmp_t:dir getattr;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.12/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/automount.te	2006-02-08 11:43:58.000000000 -0500
@@ -63,6 +63,7 @@
 kernel_read_system_state(automount_t)
 kernel_list_proc(automount_t)
 
+bootloader_getattr_boot_dirs(automount_t)
 bootloader_search_boot(automount_t)
 
 corecmd_exec_sbin(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.2.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2006-02-03 15:45:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/cron.if	2006-02-08 11:43:58.000000000 -0500
@@ -407,7 +407,7 @@
 		type crond_t;
 	')
 
-	allow $1 crond_t:fifo_file { read write };
+	allow $1 crond_t:fifo_file { getattr read write };
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/cron.te	2006-02-08 11:43:58.000000000 -0500
@@ -108,6 +108,7 @@
 
 corecmd_exec_shell(crond_t)
 corecmd_list_sbin(crond_t)
+corecmd_read_sbin_symlinks(crond_t)
 
 domain_use_wide_inherit_fd(crond_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-2.2.12/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te	2006-02-03 08:55:53.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/fetchmail.te	2006-02-08 11:43:58.000000000 -0500
@@ -44,6 +44,7 @@
 kernel_list_proc(fetchmail_t)
 kernel_getattr_proc_files(fetchmail_t)
 kernel_read_proc_symlinks(fetchmail_t)
+kernel_dontaudit_read_system_state(fetchmail_t)
 
 corenet_non_ipsec_sendrecv(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/hal.te	2006-02-09 07:25:33.000000000 -0500
@@ -50,6 +50,7 @@
 kernel_read_fs_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 
+bootloader_getattr_boot_dirs(hald_t)
 bootloader_search_boot(hald_t)
 
 corecmd_exec_bin(hald_t)
@@ -97,6 +98,8 @@
 
 mls_file_read_up(hald_t)
 
+modutils_domtrans_insmod_uncond(hald_t)
+
 selinux_get_fs_mount(hald_t)
 selinux_validate_context(hald_t)
 selinux_compute_access_vector(hald_t)
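Review bot: `modutils_domtrans_insmod_uncond(hald_t)` gives hald an unconditional transition into the insmod domain, i.e. the ability to load kernel modules, and the `_uncond` suffix marks it as the variant not gated by the usual boolean; nothing in the hunk or the description explains why the conditional interface is insufficient. Add a why-comment above it, e.g. `# hald loads modules on hotplug; TODO: confirm the conditional modutils_domtrans_insmod is not enough`, or use the conditional form if it is. The later hunk in this file already tracks an open question in-line (`#hal runs shutdown, probably need a shutdown domain`), so the same style fits here.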
@@ -112,12 +115,15 @@
 term_dontaudit_use_console(hald_t)
 term_dontaudit_ioctl_unallocated_ttys(hald_t)
 term_dontaudit_use_unallocated_ttys(hald_t)
+term_dontaudit_use_generic_ptys(hald_t)
 
 init_use_fd(hald_t)
 init_use_script_ptys(hald_t)
 init_domtrans_script(hald_t)
 init_write_initctl(hald_t)
 init_read_utmp(hald_t)
+#hal runs shutdown, probably need a shutdown domain
+init_rw_utmp(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
@@ -150,6 +156,10 @@
 	apm_stream_connect(hald_t)
 ')
 
+optional_policy(`automount', `
+	automount_dontaudit_getattr_tmp_dir(hald_t)
+')
+
 optional_policy(`bind',`
 	bind_search_cache(hald_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.2.12/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if	2006-02-03 15:45:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/mta.if	2006-02-08 11:43:58.000000000 -0500
@@ -434,6 +434,7 @@
 
 	allow $1 sendmail_exec_t:lnk_file r_file_perms;
 	domain_auto_trans($1, sendmail_exec_t, system_mail_t)
+	domain_entry_file($1,sendmail_exec_t)
 
 	allow $1 system_mail_t:fd use;
 	allow system_mail_t $1:fd use;
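Review bot: `domain_entry_file($1,sendmail_exec_t)` is added with `$1` as the domain, which makes `sendmail_exec_t` an entry point for every domain that calls this interface, whereas the `domain_auto_trans` line above it transitions into `system_mail_t`. If the intent is only to make that transition valid, the entry point belongs to the target, `domain_entry_file(system_mail_t,sendmail_exec_t)`, and probably belongs in mta.te once rather than repeated per caller. The interface header is outside the hunk, so this is inferred from the visible lines; confirm which argument was meant.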
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.2.12/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2006-02-03 15:45:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/mta.te	2006-02-08 11:43:58.000000000 -0500
@@ -145,6 +145,8 @@
 	files_getattr_tmp_dirs(system_mail_t)
 
 	postfix_exec_master(system_mail_t)
+	postfix_read_config(system_mail_t)
+	postfix_search_spool(system_mail_t)
 
 	ifdef(`distro_redhat',`
 		# compatability for old default main.cf
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.12/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/networkmanager.te	2006-02-08 11:43:58.000000000 -0500
@@ -31,7 +31,10 @@
 
 allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
 allow NetworkManager_t NetworkManager_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t)
+files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
+
+allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
+allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
 
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
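Review bot: The new `allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;` sits three lines below the context line `allow NetworkManager_t NetworkManager_var_run_t:dir rw_dir_perms;`, so the same subject, object and class now have two allow rules. Assuming `create_dir_perms` is a superset of `rw_dir_perms`, as the names suggest, fold them into the single `allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;` and drop the rw_dir_perms line, with a comment such as `# wpa_supplicant directory is created under the pid dir` to record why directory creation is needed.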
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2006-02-03 08:55:54.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/postfix.te	2006-02-08 11:43:58.000000000 -0500
@@ -411,6 +411,9 @@
 allow postfix_postdrop_t self:capability sys_resource;
 allow postfix_postdrop_t self:tcp_socket create;
 allow postfix_postdrop_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_all_if(postfix_postdrop_t)
+corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
+sysnet_dns_name_resolve(postfix_postdrop_t)
 
 allow postfix_postdrop_t postfix_public_t:dir search;
 allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-2.2.12/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/remotelogin.te	2006-02-08 11:43:58.000000000 -0500
@@ -98,6 +98,7 @@
 files_list_mnt(remote_login_t)
 # for when /var/mail is a sym-link
 files_read_var_symlinks(remote_login_t)
+files_polyinstantiate_all(remote_login_t)
 
 init_rw_utmp(remote_login_t)
 
@@ -164,29 +165,6 @@
 	usermanage_read_crack_db(remote_login_t)
 ')
 
-ifdef(`TODO',`
-# this goes to xdm:
-optional_policy(`remotelogin',`
-	# FIXME: what is this for?
-	remotelogin_signull(xdm_t)
+optional_policy(`alsa',`
+	alsa_domtrans(remote_login_t)
 ')
-# Login can polyinstantiate
-polyinstantiater(remote_login_t)
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
-
-allow remote_login_t userpty_type:chr_file { setattr write };
-allow remote_login_t ptyfile:chr_file { getattr ioctl };
-
-optional_policy(`rlogind',`
-	allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-	allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
-')
-
-optional_policy(`telnetd',`
-	allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
-	allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
-')
-') dnl endif TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.2.12/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/sendmail.te	2006-02-08 11:43:58.000000000 -0500
@@ -65,6 +65,7 @@
 
 # for piping mail to a command
 corecmd_exec_shell(sendmail_t)
+corecmd_search_sbin(sendmail_t)
 
 domain_use_wide_inherit_fd(sendmail_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/spamassassin.te	2006-02-08 11:43:58.000000000 -0500
@@ -77,6 +77,8 @@
 # DnsResolver.pm module which binds to
 # random ports >= 1024.
 corenet_udp_bind_generic_port(spamd_t)
+corenet_tcp_connect_razor_port(spamd_t)
+sysnet_use_ldap(spamd_t)
 
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-2.2.12/policy/modules/services/zebra.te
--- nsaserefpolicy/policy/modules/services/zebra.te	2006-02-03 08:55:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/services/zebra.te	2006-02-08 11:43:58.000000000 -0500
@@ -34,7 +34,7 @@
 allow zebra_t self:unix_dgram_socket create_socket_perms;
 allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
-allow zebra_t self:tcp_socket connected_stream_socket_perms;
+allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
 allow zebra_t self:udp_socket create_socket_perms;
 allow zebra_t self:rawip_socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.12/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2006-02-03 08:55:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/fstools.te	2006-02-09 07:06:48.000000000 -0500
@@ -57,6 +57,8 @@
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
 
+bootloader_getattr_boot_dirs(fsadm_t)
+
 dev_getattr_all_chr_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
 dev_read_rand(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.2.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/init.fc	2006-02-08 11:43:58.000000000 -0500
@@ -22,7 +22,8 @@
 #
 # /sbin
 #
-/sbin/init		--	gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
+
 
 ifdef(`distro_gentoo', `
 /sbin/rc			--	gen_context(system_u:object_r:initrc_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-2.2.12/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if	2006-02-03 08:55:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/libraries.if	2006-02-08 11:43:58.000000000 -0500
@@ -70,6 +70,23 @@
 
 ########################################
 ## <summary>
+##	Allow domain execute_no_trans on ld_so_t
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`libs_execute_no_trans_ld_so',`
+	gen_require(`
+		type ld_so_t;
+	')
+
+	files_list_etc($1)
+	allow $1 ld_so_t:file execute_no_trans;
+')
+
+########################################
+## <summary>
 ##	Use the dynamic link/loader for automatic loading
 ##	of shared libraries with legacy support.
 ## </summary>
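Review bot: `libs_execute_no_trans_ld_so` calls `files_list_etc($1)` before granting `execute_no_trans` on `ld_so_t`, and nothing in the interface's summary or the hunk explains what executing the loader has to do with listing /etc. Either drop the call or document it with a why-comment above it, e.g. `# TODO: confirm ld.so needs /etc listed when executed directly`. The summary would also read better in the file's style: `##	Execute the dynamic link/loader in the caller's domain (no transition).`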
@@ -253,6 +270,7 @@
 
 	allow $1 lib_t:dir search_dir_perms;
 	allow $1 lib_t:file manage_file_perms;
+	allow $1 lib_t:lnk_file unlink;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.2.12/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/libraries.te	2006-02-08 11:43:58.000000000 -0500
@@ -53,6 +53,7 @@
 
 allow ldconfig_t ld_so_cache_t:file create_file_perms;
 files_filetrans_etc(ldconfig_t,ld_so_cache_t,file)
+files_search_usr(ldconfig_t)
 
 allow ldconfig_t lib_t:dir rw_dir_perms;
 allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.2.12/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/locallogin.te	2006-02-08 11:43:58.000000000 -0500
@@ -214,10 +214,8 @@
 	alsa_domtrans(local_login_t)
 ')
 
-ifdef(`TODO',`
 # Login can polyinstantiate
-polyinstantiater(local_login_t)
-') dnl endif TODO
+files_polyinstantiate_all(local_login_t)
 
 #################################
 # 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.12/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2006-02-03 08:55:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/logging.te	2006-02-08 11:43:58.000000000 -0500
@@ -92,6 +92,8 @@
 	term_use_unallocated_ttys(auditctl_t)
 ')
 
+term_use_all_terms(auditctl_t)
+
 ifdef(`TODO',`
 role secadm_r types auditctl_t;
 role sysadm_r types auditctl_t;
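Review bot: `term_use_all_terms(auditctl_t)` is added unconditionally directly after the `ifdef` block that grants the narrower `term_use_unallocated_ttys(auditctl_t)`, so that block is now subsumed and the new grant reaches every terminal type, user ttys and ptys included. If the need is only that auditctl prints to the administrator's terminal, the narrower pair this patch uses for newrole_t in the selinuxutil.te hunk (`term_use_all_user_ttys`/`term_use_all_user_ptys`) is the smaller grant. Whichever stays, a one-line comment naming the use case (the description says auditctl needs to output to terminals) belongs above it.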
@@ -114,7 +116,7 @@
 
 allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
-allow auditd_t self:process { signal_perms setsched };
+allow auditd_t self:process { signal_perms setpgid setsched };
 allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.12/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-02-03 08:55:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/mount.te	2006-02-08 11:43:58.000000000 -0500
@@ -33,6 +33,8 @@
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
 dev_rw_lvm_control(mount_t)
+dev_dontaudit_getattr_memory_dev(mount_t)
+dev_getattr_sound_dev(mount_t)
 
 storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.12/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-02-03 15:45:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/selinuxutil.te	2006-02-09 07:21:02.000000000 -0500
@@ -245,6 +245,7 @@
 selinux_compute_relabel_context(newrole_t)
 selinux_compute_user_contexts(newrole_t)
 
+term_dontaudit_use_unallocated_ttys(newrole_t)
 term_use_all_user_ttys(newrole_t)
 term_use_all_user_ptys(newrole_t)
 term_relabel_all_user_ttys(newrole_t)
@@ -354,6 +355,7 @@
 init_use_script_ptys(restorecon_t)
 
 domain_use_wide_inherit_fd(restorecon_t)
+domain_dontaudit_search_all_domains_state(restorecon_t)
 
 files_read_etc_runtime_files(restorecon_t)
 files_read_etc_files(restorecon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.2.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/udev.te	2006-02-08 11:43:58.000000000 -0500
@@ -18,6 +18,8 @@
 domain_obj_id_change_exemption(udev_t)
 domain_entry_file(udev_t,udev_helper_exec_t)
 domain_wide_inherit_fd(udev_t)
+domain_read_all_domains_state(udev_t)
+
 init_daemon_domain(udev_t,udev_exec_t)
 
 type udev_etc_t alias etc_udev_t;
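Review bot: `domain_read_all_domains_state(udev_t)` lets udev read the /proc state of every domain, which is well beyond the inotifyfs listing the description mentions for udev, and the hunk gives no reason for it. A why-comment above the line, e.g. `# TODO: which udev helper needs to read other domains' /proc entries?`, or the narrowest interface that satisfies the observed denial, would keep this reviewable. The blank line inserted after it also separates the `domain_*` group from `init_daemon_domain`, a small style nit.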
@@ -90,7 +92,7 @@
 dev_delete_generic_files(udev_t)
 
 fs_getattr_all_fs(udev_t)
-fs_search_inotifyfs(udev_t)
+fs_list_inotifyfs(udev_t)
 
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.12/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/unconfined.if	2006-02-09 10:54:49.000000000 -0500
@@ -17,6 +17,7 @@
 
 	# Use any Linux capability.
 	allow $1 self:capability *;
+	allow $1 self:fifo_file create_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
 	allow $1 self:process transition;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.12/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-02-07 10:43:26.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/unconfined.te	2006-02-08 11:43:58.000000000 -0500
@@ -152,4 +152,10 @@
 	optional_policy(`xserver',`
 		xserver_domtrans_xdm_xserver(unconfined_t)
 	')
+	optional_policy(`fstools',`
+		fstools_domtrans(unconfined_t)
+	')
+	optional_policy(`mount',`
+		mount_domtrans(unconfined_t)
+	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-02-03 15:45:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/userdomain.if	2006-02-08 11:43:58.000000000 -0500
@@ -2817,6 +2817,23 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to append to the staff
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_append_staff_home_files',`
+	gen_require(`
+		type staff_home_t;
+	')
+
+	dontaudit $1 staff_home_t:file append;
+')
+
+########################################
+## <summary>
 ##	Read files in the staff users home directory.
 ## </summary>
 ## <param name="domain">
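Review bot: The summary of `userdom_dontaudit_append_staff_home_files` says "append to the staff users home directory", but the rule is on `staff_home_t:file append`, i.e. files inside the home directory rather than the directory itself. Reword the two summary lines to `##	Do not audit attempts to append to files` / `##	in the staff users home directory.` so the summary matches both the rule and the interface name.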
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.12/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-02-03 08:55:55.000000000 -0500
+++ serefpolicy-2.2.12/policy/modules/system/userdomain.te	2006-02-08 11:43:58.000000000 -0500
@@ -162,10 +162,13 @@
 		')
 	')
 
+	init_exec(sysadm_t)
+
 	ifdef(`enable_mls',`
 		logging_read_audit_log(secadm_t)
 		logging_domtrans_auditctl(secadm_t)
 		mls_process_read_up(secadm_t)
+		userdom_dontaudit_append_staff_home_files(secadm_t)
 	', `
 		logging_domtrans_auditctl(sysadm_t)
 		logging_read_audit_log(sysadm_t)
@@ -224,6 +227,10 @@
 
 	optional_policy(`dmesg',`
 		dmesg_exec(sysadm_t)
+		ifdef(`enable_mls',`
+			dmesg_exec(secadm_t)
+		')
+
 	')
 
 	optional_policy(`dmidecode',`

* Latest Diffs
@ 2006-02-01 13:33 Daniel J Walsh
  2006-02-06 22:50 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-02-01 13:33 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 800 bytes --]

mls passwd changes from TCS.

I added a noaudit flag to unconfined_domain_template to stop mono/wine 
from spewing execmem messages to the auditlog.

filesystem cut and paste errors

ia64 needs fs_associate(dosfs_t)  I think its /boot is a dos partition.

Missing a couple of httpd_cache_t for FC4

Allow httpd_suexec_t to execute httpdcontent

Fix some automount/hald  searching

irqbalance wants to read etc and etc_runtime files.

wpa_supplicant changes for networkmanager, although there are more coming.

procmail talks to sendmail via unix_stream_socket.

spamassassin wants to talk to ldap.

xserver changes in file context to map to current fedora.

Need to transition for unconfined_t to xdm_xserver_t, in order to allow 
startx to work from a user account.

Add file_context for initng





[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 16884 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.2.10/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-02-01 08:23:27.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/admin/usermanage.te	2006-02-01 08:25:15.000000000 -0500
@@ -328,6 +328,9 @@
 
 miscfiles_read_localization(passwd_t)
 
+mls_file_write_down(passwd_t)
+mls_file_downgrade(passwd_t)
+
 seutil_dontaudit_search_config(passwd_t)
 
 userdom_use_unpriv_users_fd(passwd_t)
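Review bot: `mls_file_write_down(passwd_t)` and `mls_file_downgrade(passwd_t)` are, judging by their names, MLS policy overrides, and they are added with no comment while the cover note only says "mls passwd changes from TCS". Anyone auditing the MLS overrides later will want the reason recorded next to the rules, presumably that passwd invoked at a user's level must still update the system-low password files; please add a why-comment such as `# passwd must update the password files at system low regardless of the caller's level` (wording to be confirmed against the actual need).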
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.10/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	2006-01-27 21:35:04.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/apps/mono.te	2006-02-01 08:25:15.000000000 -0500
@@ -19,7 +19,7 @@
 
 ifdef(`targeted_policy',`
 	allow mono_t self:process { execheap execmem };
-	unconfined_domain_template(mono_t)
+	unconfined_domain_template(mono_t, noaudit)
 	role system_r types mono_t;
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.2.10/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te	2006-01-19 18:02:04.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/apps/wine.te	2006-02-01 08:25:15.000000000 -0500
@@ -19,7 +19,7 @@
 
 ifdef(`targeted_policy',`
 	allow wine_t self:process { execstack execmem };
-	unconfined_domain_template(wine_t)
+	unconfined_domain_template(wine_t, noaudit)
 	role system_r types wine_t;
 	allow wine_t file_type:file execmod;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.10/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-02-01 08:23:28.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/kernel/filesystem.if	2006-02-01 08:25:15.000000000 -0500
@@ -149,7 +149,7 @@
 		type fs_t;
 	')
 
-	allow $1 fs_t:filesystem mount;
+	allow $1 fs_t:filesystem unmount;
 ')
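Review bot: This hunk, and the ten like it that follow in filesystem.if, turn `allow $1 <fs>_t:filesystem mount;` into `unmount`, but the `interface(` line naming each affected interface sits above every hunk, so the diff alone does not show that these are the `fs_unmount_*` variants the cover note's "cut and paste errors" implies. If they are, the change is correct; if any of them is actually a mount interface, every existing caller silently loses the mount permission rather than failing to build. Worth confirming by name before merging, since nothing in the hunks distinguishes the two cases.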
 
 ########################################
@@ -289,7 +289,7 @@
 		type autofs_t;
 	')
 
-	allow $1 autofs_t:filesystem mount;
+	allow $1 autofs_t:filesystem unmount;
 ')
 
 ########################################
@@ -856,7 +856,7 @@
 		type dosfs_t;
 	')
 
-	allow $1 dosfs_t:filesystem mount;
+	allow $1 dosfs_t:filesystem unmount;
 ')
 
 ########################################
@@ -976,7 +976,7 @@
 		type iso9660_t;
 	')
 
-	allow $1 iso9660_t:filesystem mount;
+	allow $1 iso9660_t:filesystem unmount;
 ')
 
 ########################################
@@ -1043,7 +1043,7 @@
 		type nfs_t;
 	')
 
-	allow $1 nfs_t:filesystem mount;
+	allow $1 nfs_t:filesystem unmount;
 ')
 
 ########################################
@@ -1608,7 +1608,7 @@
 		type nfsd_fs_t;
 	')
 
-	allow $1 nfsd_fs_t:filesystem mount;
+	allow $1 nfsd_fs_t:filesystem unmount;
 ')
 
 ########################################
@@ -1709,7 +1709,7 @@
 		type ramfs_t;
 	')
 
-	allow $1 ramfs_t:filesystem mount;
+	allow $1 ramfs_t:filesystem unmount;
 ')
 
 ########################################
@@ -1855,7 +1855,7 @@
 		type romfs_t;
 	')
 
-	allow $1 romfs_t:filesystem mount;
+	allow $1 romfs_t:filesystem unmount;
 ')
 
 ########################################
@@ -1922,7 +1922,7 @@
 		type rpc_pipefs_t;
 	')
 
-	allow $1 rpc_pipefs_t:filesystem mount;
+	allow $1 rpc_pipefs_t:filesystem unmount;
 ')
 
 ########################################
@@ -1988,7 +1988,7 @@
 		type tmpfs_t;
 	')
 
-	allow $1 tmpfs_t:filesystem mount;
+	allow $1 tmpfs_t:filesystem unmount;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.10/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/kernel/filesystem.te	2006-02-01 08:25:15.000000000 -0500
@@ -134,6 +134,7 @@
 #
 type dosfs_t, noxattrfs;
 fs_type(dosfs_t)
+fs_associate(dosfs_t)
 genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.10/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/kernel/mls.te	2006-02-01 08:25:15.000000000 -0500
@@ -86,7 +86,8 @@
 ')
 
 ifdef(`enable_mls',`
-# run init with maximum MLS range
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 range_transition initrc_t auditd_exec_t s15:c0.c255;
+range_transition sysadm_t rpm_exec_t s0 - s15:c0.c255;
 ')
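Review bot: The hunk drops the only comment in this block (`# run init with maximum MLS range`) while adding two more full-range `range_transition` rules, so the block now grants `s0 - s15:c0.c255` to init, lvm and rpm with no explanation at all. The rpm one in particular is entered from `sysadm_t` and lets a package install operate across the entire MLS range, which reviewers of this file will want justified. Suggest restoring a comment covering all three, e.g. `# init, lvm and rpm must operate across the full MLS range`.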
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.10/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2005-11-15 09:13:36.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/apache.fc	2006-02-01 08:25:15.000000000 -0500
@@ -42,6 +42,8 @@
 /var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
 
 /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.10/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2006-02-01 08:23:29.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/apache.te	2006-02-01 08:25:15.000000000 -0500
@@ -347,6 +347,7 @@
 
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+	domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 	allow httpd_t httpd_sys_script_t:fd use;
 	allow httpd_sys_script_t httpd_t:fd use;
 	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
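Review bot: The new `domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)` adds a second entry path into the script domain, but the fd/fifo rules that follow it in this block are only between `httpd_t` and `httpd_sys_script_t`. If scripts started through suexec inherit descriptors from `httpd_suexec_t` rather than from `httpd_t`, they would also need `allow httpd_sys_script_t httpd_suexec_t:fd use;` and the matching fifo rule; if suexec passes through httpd's descriptors unchanged, a one-line comment saying so would save the next reader the same question.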
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.10/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-02-01 08:23:29.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/automount.te	2006-02-01 08:25:15.000000000 -0500
@@ -64,6 +64,7 @@
 kernel_list_proc(automount_t)
 
 bootloader_getattr_boot_dir(automount_t)
+bootloader_search_boot(automount_t)
 
 corecmd_exec_sbin(automount_t)
 corecmd_exec_bin(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.10/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-02-01 08:23:30.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/hal.te	2006-02-01 08:25:15.000000000 -0500
@@ -51,6 +51,7 @@
 kernel_write_proc_files(hald_t)
 
 bootloader_getattr_boot_dir(hald_t)
+bootloader_search_boot(hald_t)
 
 corecmd_exec_bin(hald_t)
 corecmd_exec_sbin(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-2.2.10/policy/modules/services/irqbalance.te
--- nsaserefpolicy/policy/modules/services/irqbalance.te	2006-02-01 08:23:30.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/irqbalance.te	2006-02-01 08:25:15.000000000 -0500
@@ -31,6 +31,9 @@
 
 dev_read_sysfs(irqbalance_t)
 
+files_read_etc_files(irqbalance_t)
+files_read_etc_runtime_files(irqbalance_t)
+
 fs_getattr_all_fs(irqbalance_t)
 fs_search_auto_mountpoints(irqbalance_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-2.2.10/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc	2005-11-14 18:24:07.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/networkmanager.fc	2006-02-01 08:25:15.000000000 -0500
@@ -1,2 +1,4 @@
 
-/usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/(s)?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/var/run/NetworkManager.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
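Review bot: Labelling `/var/run/wpa_supplicant(/.*)?` as `NetworkManager_var_run_t` folds a second daemon's runtime directory (and whatever control socket it holds) into NetworkManager's type, so every domain that is granted NetworkManager's var_run access also reaches wpa_supplicant's. If the two are meant to stay separable, a dedicated type would be the cleaner choice; if this is deliberate because NetworkManager now drives wpa_supplicant, a comment to that effect would help. Separately, `/usr/(s)?bin/NetworkManager` can be written `/usr/s?bin/NetworkManager`, as the capture group is not needed for a single optional character.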
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.10/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-02-01 08:23:31.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/networkmanager.te	2006-02-01 08:25:15.000000000 -0500
@@ -24,7 +24,7 @@
 allow NetworkManager_t self:fifo_file rw_file_perms;
 allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
 allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
 allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.10/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2006-02-01 08:23:31.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/procmail.te	2006-02-01 08:25:15.000000000 -0500
@@ -96,6 +96,7 @@
 optional_policy(`sendmail',`
 	mta_read_config(procmail_t)
 	sendmail_rw_tcp_socket(procmail_t)
+	sendmail_rw_unix_stream_socket(procmail_t)
 ')
 
 optional_policy(`spamassassin',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-2.2.10/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if	2006-01-13 17:06:07.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/sendmail.if	2006-02-01 08:25:15.000000000 -0500
@@ -52,6 +52,21 @@
 
 	allow $1 sendmail_t:tcp_socket { read write };
 ')
+########################################
+## <summary>
+##	Read and write sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sendmail_rw_unix_stream_socket',`
+	gen_require(`
+		type sendmail_t;
+	')
+
+	allow $1 sendmail_t:unix_stream_socket { read write };
+')
 
 ########################################
 ## <summary>
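Review bot: The new `sendmail_rw_unix_stream_socket` interface is added directly after the `')` that closes the previous interface, with no blank line before its `########` header, whereas the header that follows it (and the rest of the file, as far as the hunk shows) is preceded by one. Insert a blank line between the closing `')` and the new header so the file keeps its one-blank-line separation between interfaces.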
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.10/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-02-01 08:23:31.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/spamassassin.te	2006-02-01 08:25:15.000000000 -0500
@@ -77,6 +77,7 @@
 # DnsResolver.pm module which binds to
 # random ports >= 1024.
 corenet_udp_bind_generic_port(spamd_t)
+sysnet_use_ldap(spamd_t)
 
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
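Review bot: `sysnet_use_ldap(spamd_t)` is appended directly under the comment that explains the `corenet_udp_bind_generic_port` rule (the DnsResolver.pm note), so it now reads as if it were covered by that explanation, and it sits among the corenet calls rather than with the other sysnet calls the file's module-grouped ordering expects. Move it into its own group, separated by a blank line, ideally with `# spamd looks up users in ldap` or whatever the actual reason is.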
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.2.10/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc	2006-02-01 08:23:32.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/xserver.fc	2006-02-01 08:25:15.000000000 -0500
@@ -58,16 +58,19 @@
 
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
-/usr/X11R6/bin/X		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/xauth    --      gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/X11R6/bin/XFree86	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-
 /usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 /usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
+/usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
+/usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+
 #
 # /var
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.10/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2006-02-01 08:23:32.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/xserver.if	2006-02-01 08:25:15.000000000 -0500
@@ -1,4 +1,25 @@
 ## <summary>X Windows Server</summary>
+########################################
+## <summary>
+##	Execute xdmd in the xdmd domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`xserver_domtrans',`
+	gen_require(`
+		type xdm_xserver_t, xserver_exec_t;
+	')
+
+	domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
+
+	allow $1 xdm_xserver_t:fd use;
+	allow xdm_xserver_t $1:fd use;
+	allow xdm_xserver_t $1:fifo_file rw_file_perms;
+	allow xdm_xserver_t $1:process sigchld;
+')
+
 
 template(`xserver_common_domain_template',`
 
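Review bot: The summary of the new `xserver_domtrans` interface says "Execute xdmd in the xdmd domain", but the body transitions on `xserver_exec_t` into `xdm_xserver_t`, so the doc names a program and a domain that do not appear in the code. Suggest `##	Execute the X server in the xdm_xserver_t domain.` Also, the new block is inserted immediately after the module-level `## <summary>X Windows Server</summary>` line with no blank line, unlike the spacing before `xserver_common_domain_template` below it.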
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.2.10/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2006-02-01 08:23:32.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/services/xserver.te	2006-02-01 08:25:15.000000000 -0500
@@ -57,10 +57,8 @@
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
-ifdef(`strict_policy',`
-	xserver_common_domain_template(xdm)
-	init_system_domain(xdm_xserver_t,xserver_exec_t)
-')
+xserver_common_domain_template(xdm)
+init_system_domain(xdm_xserver_t,xserver_exec_t)
 
 optional_policy(`prelink',`
 	prelink_object_file(xkb_var_lib_t)
@@ -302,6 +300,9 @@
 	allow xdm_t self:process { execheap execmem };
 	unconfined_domain_template(xdm_t)
 	unconfined_domtrans(xdm_t)
+	allow xdm_xserver_t self:process { execheap execmem };
+	unconfined_domain_template(xdm_xserver_t)
+	unconfined_domtrans(xdm_xserver_t)
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
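Review bot: `allow xdm_xserver_t self:process { execheap execmem };` is granted unconditionally in the targeted branch, immediately before `unconfined_domain_template(xdm_xserver_t)`, which (per the unconfined.if hunk in this same patch) already provides execmem and execheap under the `allow_execmem`/`allow_execheap` booleans. The direct allow makes those booleans ineffective for this domain, and when they are off it also bypasses the `auditallow` the template would otherwise emit, so the X server's use of executable memory goes unaudited. This mirrors the existing `xdm_t` line above it; if the X server genuinely must run with the booleans off, a comment saying so, e.g. `# the X server needs execmem/execheap even with the allow_exec* booleans off`, would make the exception deliberate rather than accidental.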
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.2.10/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/system/init.fc	2006-02-01 08:25:15.000000000 -0500
@@ -22,7 +22,8 @@
 #
 # /sbin
 #
-/sbin/init		--	gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
+
 
 ifdef(`distro_gentoo', `
 /sbin/rc			--	gen_context(system_u:object_r:initrc_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.10/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-01-30 18:40:37.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/system/unconfined.if	2006-02-01 08:25:15.000000000 -0500
@@ -41,14 +41,18 @@
 	tunable_policy(`allow_execheap',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execheap;
-		auditallow $1 self:process execheap;
+		ifelse($2, `', `
+			auditallow $1 self:process execheap;
+		')
 	')
 
 	tunable_policy(`allow_execmem',`
 		# Allow making anonymous memory executable, e.g. 
 		# for runtime-code generation or executable stack.
 		allow $1 self:process execmem;
-		auditallow $1 self:process execmem;
+		ifelse($2, `', `
+			auditallow $1 self:process execmem;
+		')
 	')
 
 	tunable_policy(`allow_execmem && allow_execstack',`
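Review bot: The `ifelse($2, `', ...)` wrappers emit the `auditallow` only when the template's second argument is empty, so any non-empty value, not just the `noaudit` that mono.te and wine.te pass, silences the execmem/execheap audit records; the template's parameter documentation, which sits above this hunk, should state that contract. Those `auditallow` lines are the only trail that an unconfined domain actually used executable memory, so each caller that opts out should be justified in a comment here, e.g. `# $2 non-empty (noaudit): skip the auditallow for domains that legitimately JIT, such as mono and wine`. The same applies to the second wrapper in this hunk.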
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.10/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-01-27 21:35:05.000000000 -0500
+++ serefpolicy-2.2.10/policy/modules/system/unconfined.te	2006-02-01 08:25:15.000000000 -0500
@@ -148,4 +148,8 @@
 	optional_policy(`wine',`
 		wine_domtrans(unconfined_t)
 	')
+
+	optional_policy(`xserver',`
+		xserver_domtrans(unconfined_t)
+	')
 ')

* Latest Diffs
@ 2006-01-19 19:16 Daniel J Walsh
  2006-01-19 23:18 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-01-19 19:16 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 208 bytes --]

add allow_execheap boolean in case we need it.

Fixes for logwatch.

Fixes for wine and mono apps to be able to handle no execheap/execstack

Allow xdm in targeted policy execheap

Fix spec for libdeploy.so


[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 11680 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.2.2/Makefile
--- nsaserefpolicy/Makefile	2006-01-19 10:00:35.000000000 -0500
+++ serefpolicy-2.2.2/Makefile	2006-01-19 10:42:14.000000000 -0500
@@ -92,7 +92,7 @@
 
 # enable MLS if requested.
 ifneq ($(findstring -mls,$(TYPE)),)
-	override M4PARAM += -D enable_mls
+	override M4PARAM += -D enable_mls -D separate_secadm
 	override CHECKPOLICY += -M
 	override CHECKMODULE += -M
 endif
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.2/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables	2006-01-13 09:48:26.000000000 -0500
+++ serefpolicy-2.2.2/policy/global_tunables	2006-01-19 10:55:45.000000000 -0500
@@ -22,6 +22,10 @@
 
 ## Allow making the stack executable via mprotect.
 ## Also requires allow_execmem.
+gen_tunable(allow_execheap,false)
+
+## Allow making the stack executable via mprotect.
+## Also requires allow_execmem.
 gen_tunable(allow_execstack,false)
 
 ## Allow ftp servers to modify public files
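Review bot: The description inserted above `gen_tunable(allow_execheap,false)` is a copy of the `allow_execstack` text: it says "Allow making the stack executable via mprotect. Also requires allow_execmem." The first half is wrong for a heap boolean, and the second half does not match how it is used in the unconfined.if hunk of this same patch, where `allow_execheap` is a standalone `tunable_policy` rather than `allow_execmem && allow_execheap`. Suggest `## Allow making the heap executable via mprotect.` and drop the "Also requires" line unless the conjunction is intended.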
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.2/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te	2006-01-13 17:06:02.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/admin/logwatch.te	2006-01-19 11:23:59.000000000 -0500
@@ -38,6 +38,7 @@
 kernel_read_kernel_sysctl(logwatch_t)
 kernel_read_system_state(logwatch_t)
 
+corecmd_read_sbin_symlink(logwatch_t)
 corecmd_read_sbin_file(logwatch_t)
 corecmd_exec_bin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
@@ -68,6 +69,8 @@
 
 miscfiles_read_localization(logwatch_t)
 
+selinux_dontaudit_getattr_dir(logwatch_t)
+
 userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
 userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
 
@@ -94,6 +97,10 @@
 	nscd_use_socket(logwatch_t)
 ')
 
+optional_policy(`ntp',`
+	ntp_domtrans(logwatch_t)
+')
+
 optional_policy(`rpc',`
 	rpc_search_nfs_state_data(logwatch_t)
 ')
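Review bot: `ntp_domtrans(logwatch_t)` lets a log-report tool transition into the ntp domain, and neither the hunk nor the cover note ("Fixes for logwatch") says why; presumably logwatch runs the ntp client tools for its report, but that is an inference. Since a domain transition is a wider grant than simply executing the binary, please add a why-comment on the new block such as `# logwatch runs the ntp tools for its ntp report` (wording to be confirmed), or narrow it to an exec-only interface if that is all the report needs.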
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.2/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te	2006-01-12 18:28:45.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/apps/java.te	2006-01-19 13:05:16.000000000 -0500
@@ -8,3 +8,4 @@
 
 type java_exec_t;
 files_type(java_exec_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-2.2.2/policy/modules/apps/mono.fc
--- nsaserefpolicy/policy/modules/apps/mono.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/apps/mono.fc	2006-01-19 12:46:09.000000000 -0500
@@ -0,0 +1,2 @@
+/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.2/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/apps/mono.if	2006-01-19 12:46:09.000000000 -0500
@@ -0,0 +1,23 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the mono program in the mono domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mono_domtrans',`
+	gen_require(`
+		type mono_t, mono_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, mono_exec_t, mono_t)
+
+	allow $1 mono_t:fd use;
+	allow mono_t $1:fd use;
+	allow mono_t $1:fifo_file rw_file_perms;
+	allow mono_t $1:process sigchld;
+')
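Review bot: The module summary of the new mono.if is `## <summary>Load keyboard mappings.</summary>`, which is a copy-paste leftover from another module and will be what shows up in the generated interface documentation for mono; the new wine.if a few hunks down carries the identical wrong summary. Suggest `## <summary>Mono .NET runtime</summary>` here and `## <summary>Wine Windows compatibility layer</summary>` there, or whatever one-line description the project prefers.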
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.2/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/apps/mono.te	2006-01-19 13:29:46.000000000 -0500
@@ -0,0 +1,25 @@
+policy_module(mono,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mono_t;
+domain_type(mono_t)
+
+type mono_exec_t;
+domain_entry_file(mono_t,mono_exec_t)
+
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow mono_t self:process execheap;
+	unconfined_domain_template(mono_t)
+	role system_r types mono_t;
+')
+
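Review bot: In the targeted branch `allow mono_t self:process execheap;` is granted directly, one line before `unconfined_domain_template(mono_t)`, which in this same patch gains an `allow_execheap` `tunable_policy`; the direct allow makes that new boolean meaningless for mono_t. The wine.te hunk does the same for execstack/execmem and the xdm.te hunk for execheap/execmem. If the intent is that these domains work regardless of the booleans, a comment on each saying so would make the exception explicit, e.g. `# mono JITs and needs execheap even when allow_execheap is off`; otherwise the direct allows could be dropped in favour of the template's tunables. Note also that outside `targeted_policy` mono_t is declared with no rules at all, which is fine if the module is targeted-only but worth a comment.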
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.2.2/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/apps/wine.fc	2006-01-19 10:58:16.000000000 -0500
@@ -0,0 +1,2 @@
+/usr/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-2.2.2/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/apps/wine.if	2006-01-19 10:58:17.000000000 -0500
@@ -0,0 +1,23 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`wine_domtrans',`
+	gen_require(`
+		type wine_t, wine_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, wine_exec_t, wine_t)
+
+	allow $1 wine_t:fd use;
+	allow wine_t $1:fd use;
+	allow wine_t $1:fifo_file rw_file_perms;
+	allow wine_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.2.2/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/apps/wine.te	2006-01-19 13:30:34.000000000 -0500
@@ -0,0 +1,25 @@
+policy_module(wine,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wine_t;
+domain_type(wine_t)
+
+type wine_exec_t;
+domain_entry_file(wine_t,wine_exec_t)
+
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow wine_t self:process { execstack execmem };
+	unconfined_domain_template(wine_t)
+	role system_r types wine_t;
+	allow wine_t file_type:file execmod;
+')
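Review bot: `allow wine_t file_type:file execmod;` grants text relocation on every file of every file type, which sidesteps the `textrel_shlib_t` labelling that the libraries.fc hunk in this same patch is maintaining for exactly this purpose. If the need is that arbitrary Windows binaries under user home directories require execmod, a comment stating that would justify the breadth; otherwise restricting the rule to the library and home content types would keep the rest of the system's execmod policy intact.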
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.2/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/kernel/filesystem.if	2006-01-19 10:42:14.000000000 -0500
@@ -1826,6 +1826,22 @@
 
 ########################################
 ## <summary>
+##	Dontaudit Search directories on a ramfs
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_dontaudit_search_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	dontaudit $1 ramfs_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Write to named pipe on a ramfs filesystem.
 ## </summary>
 ## <param name="domain">
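Review bot: The `<param>` text of the new `fs_dontaudit_search_ramfs` says "Domain allowed access.", but a dontaudit interface grants nothing; the file's convention for dontaudit interfaces, as seen in the userdomain.if hunk earlier in this thread, is "Domain to not audit." Suggest `##	Do not audit attempts to search directories on a ramfs` for the summary (plain casing, no "Dontaudit Search") and `##	Domain to not audit.` for the parameter.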
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-2.2.2/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if	2006-01-13 09:48:26.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/services/bind.if	2006-01-19 13:58:34.000000000 -0500
@@ -165,6 +165,7 @@
 	')
 
 	files_search_var($1)
+	allow $1 named_conf_t:dir search_dir_perms;
 	allow $1 named_zone_t:dir search_dir_perms;
 	allow $1 named_cache_t:dir search_dir_perms;
 ')
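Review bot: The new `allow $1 named_conf_t:dir search_dir_perms;` uses `named_conf_t`, but the interface's `gen_require` block is above this hunk (only its closing `')` is visible), so the diff does not show whether that type is declared there. If it is not, the interface fails to link in a modular build for any caller outside the bind module; please confirm the gen_require lists `named_conf_t` alongside `named_zone_t` and `named_cache_t`.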
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xdm.te serefpolicy-2.2.2/policy/modules/services/xdm.te
--- nsaserefpolicy/policy/modules/services/xdm.te	2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/services/xdm.te	2006-01-19 13:56:19.000000000 -0500
@@ -74,7 +74,7 @@
 files_read_etc_runtime_files(xdm_t)
 
 ifdef(`targeted_policy',`
-	allow xdm_t self:process execmem;
+	allow xdm_t self:process { execheap execmem };
 	unconfined_domain_template(xdm_t)
 	unconfined_domtrans(xdm_t)
 ',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.2/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-01-17 13:22:14.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/system/libraries.fc	2006-01-19 13:00:21.000000000 -0500
@@ -166,7 +166,7 @@
 /usr/lib(64)?/libdivxencore.so.0		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
 /usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
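Review bot: The widened pattern `/usr/.*/jre.*/lib/i386/libdeploy.so` uses `.*` after `jre`, which also spans directory separators, so it matches any depth of path between a directory containing "jre" and the `lib/i386` leaf, not just a versioned jre directory name. `jre[^/]*` would cover versioned directory names while staying confined to one path component; if the broader match is intended, a comment saying which layout it is meant to catch would help.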
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.2/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-01-17 13:22:14.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/system/unconfined.if	2006-01-19 10:56:11.000000000 -0500
@@ -45,6 +45,12 @@
 		auditallow $1 self:process execmem;
 	')
 
+	tunable_policy(`allow_execheap',`
+		# Allow making the stack executable via mprotect.
+		allow $1 self:process execheap;
+		auditallow $1 self:process execheap;
+	')
+
 	tunable_policy(`allow_execmem && allow_execstack',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execstack;
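Review bot: The comment on the new `allow_execheap` block reads `# Allow making the stack executable via mprotect.`, copied from the execstack block below it, while the rule it annotates is `allow $1 self:process execheap;`. Suggest `# Allow making the heap executable via mprotect.` The block also guards on `allow_execheap` alone, whereas the execstack block requires `allow_execmem && allow_execstack`; if the difference is intentional it is worth a word, since the global_tunables description in this patch claims execheap "also requires allow_execmem".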
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.2/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-01-17 17:08:57.000000000 -0500
+++ serefpolicy-2.2.2/policy/modules/system/unconfined.te	2006-01-19 13:44:58.000000000 -0500
@@ -97,6 +97,10 @@
 		modutils_domtrans_update_mods(unconfined_t)
 	')
 
+	optional_policy(`mono',`
+		mono_domtrans(unconfined_t)
+	')
+
 	optional_policy(`netutils',`
 		netutils_domtrans_ping(unconfined_t)
 	')
@@ -141,11 +145,8 @@
 		webalizer_domtrans(unconfined_t)
 	')
 
-	ifdef(`TODO',`
-	ifdef(`use_mcs',`
-	rw_dir_create_file(sysadm_su_t, home_dir_type)
-	')
-	allow unconfined_t initrc_t : dbus { send_msg acquire_svc };
-	allow initrc_t unconfined_t : dbus { send_msg acquire_svc };
-	') dnl end TODO
+	optional_policy(`wine',`
+		wine_domtrans(unconfined_t)
+	')
+
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.2/policy/users
--- nsaserefpolicy/policy/users	2005-12-05 22:35:02.000000000 -0500
+++ serefpolicy-2.2.2/policy/users	2006-01-19 10:42:14.000000000 -0500
@@ -26,7 +26,9 @@
 ifdef(`targeted_policy',`
 gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
-gen_user(user_u, user_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user_r, s0, s0 - s0, c0)
+gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
 #
@@ -40,8 +42,8 @@
 	gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm_r staff_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')
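Review bot: `gen_user(staff_u, staff_r secadm_r sysadm_r, ...)` lets one unprivileged-by-name user reach both the security-administrator and system-administrator roles, which weakens the separation that the `separate_secadm` define added in this patch's Makefile hunk is presumably meant to establish; if staff_u is intended as the one identity that can reach both, a comment saying so would prevent a later "fix". In the same hunk `gen_user(user_u, user_r, s0, s0 - s0, c0)` narrows user_u to a single level with category set `c0`, while every other gen_user here uses `c0.c255`; please confirm `c0` rather than `c0.c255` is intended. Minor: `sysadm_r staff_r secadm_r ,` has a stray space before the comma.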

* Latest diffs
@ 2006-01-17 22:50 Daniel J Walsh
  2006-01-18 14:26 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-01-17 22:50 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

Ignore repeats from previous for now.

Changes for fetchmail

sendrecv_unlabeled_association needs to be added to unconfined_t and rpcd_t

Procmail execs spamc which tries to talk to spamd_port_t

Is this done some other way, that I am missing?

+    domain_auto_trans(run_init_t,initrc_exec_t,initrc_t)


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Latest diffs
@ 2006-01-10 14:15 Daniel J Walsh
  2006-01-11 15:55 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2006-01-10 14:15 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1158 bytes --]

Includes prelink changes

Lots of new kernel_read_proc_devices which was needed for the latest 
rawhide.

Fixes for readahead

Fixes for su, vpnc, automount

policy to allow java, wine to run with allow_execmem/allow_execmod 
turned off on a targeted policy machine.

Lots of changes to allow cron to transition to appropriate domains when 
running helper apps.

hal relocated its helper apps, needs access to fs_sysctl and needs mls 
read up.  Also hal now creates and deletes directories in /media

Add locate and logwatch policy

Fixes for sendmail

Fixes to allow NetworkManager_vpnc to work

Major changes to hostname policy.  Basically I don't want anything 
except dhcpc to transition to hostname domain.  Everything else should 
just executed it.  You don't need the extra privs and stuff like 
redirection causes to many problems

hostname >> /tmp/mymachine


Remove some privs from initrc required for readahead

Change file context to add back the /usr/lib(64)? for x86_64 machines.

Add secadm_r to users files

I might have accidentally reversed some of your fixes.  When the patches 
get large it is sometimes hard to handle conflicts.

Dan




[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 68712 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.8/Makefile
--- nsaserefpolicy/Makefile	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.8/Makefile	2006-01-09 14:37:14.000000000 -0500
@@ -92,7 +92,7 @@
 
 # enable MLS if requested.
 ifneq ($(findstring -mls,$(TYPE)),)
-	override M4PARAM += -D enable_mls
+	override M4PARAM += -D enable_mls -D separate_secadm
 	override CHECKPOLICY += -M
 	override CHECKMODULE += -M
 endif
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.1.8/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/admin/amanda.te	2006-01-09 14:37:14.000000000 -0500
@@ -165,6 +165,10 @@
 
 sysnet_read_config(amanda_t)
 
+optional_policy(`prelink', `
+	prelink_relabel(amanda_usr_lib_t)
+')
+
 optional_policy(`authlogin',`
 	auth_read_shadow(amanda_t)
 ')
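Review bot: `optional_policy(`prelink', `` on L12631 puts a space before the opening quote of the second argument, whereas the adjacent block on L12635 (`optional_policy(`authlogin',``) and the other optional blocks in this patch do not; the same spacing is used in the prelink blocks added to corecommands.te, domain.te and apache.te. Writing `optional_policy(`prelink',`` in all four keeps the files consistent and greppable.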
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.1.8/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/admin/consoletype.te	2006-01-09 14:37:14.000000000 -0500
@@ -38,6 +38,7 @@
 
 kernel_use_fd(consoletype_t)
 kernel_dontaudit_read_system_state(consoletype_t)
+kernel_read_proc_devices(consoletype_t)
 
 fs_getattr_all_fs(consoletype_t)
 fs_search_auto_mountpoints(consoletype_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.1.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/admin/netutils.te	2006-01-09 14:37:14.000000000 -0500
@@ -42,6 +42,7 @@
 files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })
 
 kernel_search_proc(netutils_t)
+kernel_read_proc_devices(netutils_t)
 
 corenet_tcp_sendrecv_all_if(netutils_t)
 corenet_raw_sendrecv_all_if(netutils_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.1.8/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te	2006-01-04 16:55:14.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/admin/readahead.te	2006-01-09 23:09:17.000000000 -0500
@@ -27,6 +27,7 @@
 
 kernel_read_kernel_sysctl(readahead_t)
 kernel_read_system_state(readahead_t)
+kernel_getattr_core(readahead_t)
 
 dev_read_sysfs(readahead_t)
 dev_getattr_generic_chr_file(readahead_t)
@@ -43,6 +44,8 @@
 
 fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
+fs_getattr_all_pipes(readahead_t)
+fs_getattr_all_files(readahead_t)
 
 term_dontaudit_use_console(readahead_t)
 
@@ -50,6 +53,7 @@
 
 init_use_fd(readahead_t)
 init_use_script_pty(readahead_t)
+init_getattr_initctl(readahead_t)
 
 libs_use_ld_so(readahead_t)
 libs_use_shared_libs(readahead_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.1.8/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/admin/su.if	2006-01-09 14:37:14.000000000 -0500
@@ -193,7 +193,9 @@
 	domain_use_wide_inherit_fd($1_su_t)
 
 	files_read_etc_files($1_su_t)
+	files_read_etc_runtime_files($1_su_t)
 	files_search_var_lib($1_su_t)
+	files_dontaudit_getattr_tmp_dir($1_su_t)
 
 	init_dontaudit_use_fd($1_su_t)
 	# Write to utmp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-2.1.8/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/admin/vpn.te	2006-01-09 14:37:14.000000000 -0500
@@ -24,6 +24,7 @@
 #
 
 allow vpnc_t self:capability { net_admin ipc_lock net_raw };
+allow vpnc_t self:process getsched;
 allow vpnc_t self:fifo_file { getattr ioctl read write };
 allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
 allow vpnc_t self:tcp_socket create_stream_socket_perms;
@@ -88,6 +89,8 @@
 libs_use_ld_so(vpnc_t)
 libs_use_shared_libs(vpnc_t)
 
+logging_send_syslog_msg(vpnc_t)
+
 miscfiles_read_localization(vpnc_t)
 
 seutil_dontaudit_search_config(vpnc_t)
@@ -110,3 +113,7 @@
 optional_policy(`nscd',`
 	nscd_use_socket(vpnc_t)
 ')
+
+optional_policy(`dbus',`
+	dbus_system_bus_client_template(vpnc,vpnc_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.1.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/apps/java.fc	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/.*/java	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gij	--	gen_context(system_u:object_r:java_exec_t,s0)
+
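Review bot: The pattern `/usr/.*/java` on L12734 labels every regular file named `java` anywhere under /usr as java_exec_t, not only the JVM launchers, so a script or helper with that name in a documentation or library tree would become an entry point into java_t; the fixed paths used on L12735 and in wine.fc are the safer form, and if several JVM installs must be covered an anchored pattern under the JVM directory (for example `/usr/lib/jvm/.*/bin/java`, a constructed example) narrows it. The file also opens and closes with an empty line (L12733, L12736), as do the new wine.fc and locate.fc; trimming them matches the existing .fc files in the tree.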
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.1.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/apps/java.if	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,23 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`java_domtrans',`
+	gen_require(`
+		type java_t, java_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, java_exec_t, java_t)
+
+	allow $1 java_t:fd use;
+	allow java_t $1:fd use;
+	allow java_t $1:fifo_file rw_file_perms;
+	allow java_t $1:process sigchld;
+')
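Review bot: The module summary on L12741, `## <summary>Load keyboard mappings.</summary>`, is copied from another module and describes loadkeys rather than java; something like `## <summary>Java virtual machine.</summary>` is needed, since this line is what the generated interface documentation shows for the module. The same copied summary is in the new wine.if (L12803), and logwatch.if (L13302) carries `## <summary>Update database for mlogwatch</summary>`, a search-and-replace of locate.if's text, where `## <summary>System log analyzer and reporter.</summary>` would match logwatch.te's own #DESC header.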
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.1.8/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/apps/java.te	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,25 @@
+policy_module(java,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type java_t;
+domain_type(java_t)
+
+type java_exec_t;
+domain_entry_file(java_t,java_exec_t)
+
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow java_t self:process execmem;
+	unconfined_domain_template(java_t)
+	unconfined_domtrans(java_t)
+	role system_r types java_t;
+')
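Review bot: Outside `ifdef(`targeted_policy'` the java_t domain declared on L12775-L12779 gets no rules and no role at all, yet java_domtrans in java.if is unconditional, so a caller in a non-targeted build would transition into a domain with no explicit permissions; either put the declarations and the interface under the same ifdef, or say so in a comment such as `# java_t is only defined as an unconfined domain on targeted policy; strict policy has no java domain yet`. The same shape is in the new wine.te, where L12854 additionally grants `allow wine_t file_type:file execmod;` on every file type without a comment explaining why, and leaves an empty line before the closing `')`.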
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.1.8/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/apps/wine.fc	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,2 @@
+/usr/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-2.1.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/apps/wine.if	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,23 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`wine_domtrans',`
+	gen_require(`
+		type wine_t, wine_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, wine_exec_t, wine_t)
+
+	allow $1 wine_t:fd use;
+	allow wine_t $1:fd use;
+	allow wine_t $1:fifo_file rw_file_perms;
+	allow wine_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.1.8/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/apps/wine.te	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,27 @@
+policy_module(wine,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wine_t;
+domain_type(wine_t)
+
+type wine_exec_t;
+domain_entry_file(wine_t,wine_exec_t)
+
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow wine_t self:process execmem;
+	unconfined_domain_template(wine_t)
+	unconfined_domtrans(wine_t)
+	role system_r types wine_t;
+	allow wine_t file_type:file execmod;
+
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.te serefpolicy-2.1.8/policy/modules/kernel/corecommands.te
--- nsaserefpolicy/policy/modules/kernel/corecommands.te	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/kernel/corecommands.te	2006-01-09 14:37:14.000000000 -0500
@@ -35,3 +35,9 @@
 
 type chroot_exec_t;
 files_type(chroot_exec_t)
+
+optional_policy(`prelink', `
+	prelink_relabel({ sbin_t bin_t })
+')
+
+
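Review bot: The hunk appends two empty lines after the new optional_policy block (L12868-L12869), so the file now ends with trailing blank lines; the same trailing empties are added at the end of apache.te (L13008) and logwatch.te (L13413). Ending each file with a single newline after `')` keeps them consistent with the rest of the tree and avoids whitespace noise in future diffs.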
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.1.8/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if	2005-12-12 15:35:53.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/kernel/domain.if	2006-01-09 17:23:08.000000000 -0500
@@ -501,6 +501,7 @@
 	')
 
 	dontaudit $1 domain:dir search_dir_perms;
+	dontaudit $1 domain:{ file lnk_file } r_file_perms;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.1.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/kernel/domain.te	2006-01-09 14:37:14.000000000 -0500
@@ -67,3 +67,7 @@
 # cjp: also need to except correctly for SEFramework
 neverallow { domain unlabeled_t } file_type:process *;
 neverallow ~{ domain unlabeled_t } *:process *;
+
+optional_policy(`prelink', `
+	prelink_relabel(entry_type)
+')
\ No newline at end of file
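Review bot: The new block on L12889-L12891 drops the final newline of domain.te (`\ No newline at end of file` on L12892), and files.if gets the same truncation at L12917. Adding the newline after the closing `')` in both avoids a spurious change the next time either file is touched.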
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.1.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-01-04 17:28:52.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/kernel/files.if	2006-01-09 14:37:14.000000000 -0500
@@ -3183,3 +3183,20 @@
 		')
 	')
 ')
+
+
+########################################
+## <summary>
+##	Allow attempts to modify any directory
+## </summary>
+## <param name="domain">
+##	Domain to allow
+## </param>
+#
+interface(`files_write_non_security_dir',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	allow $1 file_type:dir write;
+')
\ No newline at end of file
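Review bot: The new files_write_non_security_dir interface requires security_file_type on L12912 but then grants `allow $1 file_type:dir write;` on L12915, so the attribute is unused and the rule covers security directories too, contradicting the interface name; the summary on L12904 (`Allow attempts to modify any directory`) documents what the code does rather than what the name promises. If the name is the intent, change the rule to `allow $1 { file_type -security_file_type }:dir write;` and the summary to `##	Allow writing to all non-security directories`; if every directory really is the intent, drop security_file_type from gen_require and rename the interface.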
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.1.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/kernel/kernel.if	2006-01-09 14:37:14.000000000 -0500
@@ -662,6 +662,27 @@
 	allow $1 proc_mdstat_t:file rw_file_perms;
 ')
 
+#######################################
+## <summary>
+##	Allow caller to read the state information for device node numbers.
+## </summary>
+## <param name="domain">
+##	The process type reading device number state.
+## </param>
+#
+interface(`kernel_read_proc_devices',`
+	gen_require(`
+		type proc_t, proc_devices_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
+
+	allow $1 kernel_t:fd use;
+	allow $1 device_t:chr_file getattr;
+	allow $1 proc_t:dir r_dir_perms;
+	allow $1 proc_devices_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allows caller to get attribues of core kernel interface.
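Review bot: kernel_read_proc_devices on L12933-L12944 uses kernel_t and device_t, but its gen_require on L12934-L12938 lists only proc_t and proc_devices_t, so a module calling this interface has no declared dependency on those two types; the `class dir r_dir_perms;` and `class file r_file_perms;` entries are also unlike the other interfaces in this file, which require only types. The `allow $1 kernel_t:fd use;` and `allow $1 device_t:chr_file getattr;` rules on L12940-L12941 go beyond the documented purpose of reading /proc/devices — callers that need the fd rule already have kernel_use_fd (consoletype_t calls it on L12643) and device_t belongs to the devices module — so limiting the body to the proc_t dir and proc_devices_t file rules matches the summary on L12927.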
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.1.8/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/kernel/kernel.te	2006-01-09 14:37:14.000000000 -0500
@@ -72,6 +72,9 @@
 type proc_mdstat_t, proc_type;
 genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
 
+type proc_devices_t, proc_type;
+genfscon proc /devices gen_context(system_u:object_r:proc_devices_t,s0)
+
 type proc_net_t, proc_type;
 genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
 
@@ -184,6 +187,8 @@
 allow kernel_t proc_net_t:dir r_dir_perms;
 allow kernel_t proc_net_t:file r_file_perms;
 allow kernel_t proc_mdstat_t:file r_file_perms;
+allow kernel_t proc_devices_t:file r_file_perms;
+allow kernel_t proc_devices_t:file { read };
 allow kernel_t proc_kcore_t:file getattr;
 allow kernel_t proc_kmsg_t:file getattr;
 allow kernel_t sysctl_t:dir r_dir_perms;
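Review bot: `allow kernel_t proc_devices_t:file { read };` on L12967 is subsumed by `allow kernel_t proc_devices_t:file r_file_perms;` on L12966, since r_file_perms includes read; drop L12967. The genfscon for /proc/devices in the first hunk follows the neighbouring proc_mdstat_t and proc_net_t entries.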
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.8/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/kernel/mls.te	2006-01-09 14:37:14.000000000 -0500
@@ -82,9 +82,11 @@
 # these might be targeted_policy only
 range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
 range_transition unconfined_t initrc_exec_t s0;
+range_transition unconfined_t ping_exec_t s0;
 ')
 
 ifdef(`enable_mls',`
 # run init with maximum MLS range
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+range_transition initrc_t auditd_exec_t s15:c0.c255;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.1.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2005-12-12 23:05:35.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/apache.te	2006-01-09 14:37:14.000000000 -0500
@@ -391,6 +391,10 @@
 	userdom_dontaudit_use_sysadm_terms(httpd_t)
 ')
 
+optional_policy(`prelink', `
+	prelink_relabel(httpd_modules_t)
+')
+
 optional_policy(`kerberos',`
 	kerberos_use(httpd_t)
 ')
@@ -685,3 +689,8 @@
 optional_policy(`nscd',`
 	nscd_use_socket(httpd_unconfined_script_t)
 ')
+
+optional_policy(`crond',`
+	cron_system_entry(httpd_t, httpd_exec_t)
+')
+
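Review bot: The new block on L13005 is guarded by `optional_policy(`crond',`` while every other cron block in this patch (apm.te L13015, cups.te L13123 and L13133, logwatch.te L13388) uses `optional_policy(`cron',``; if the module is named cron, the `crond' spelling leaves this block permanently disabled, and locate.te L13286 has the same spelling. Use `optional_policy(`cron',`` in both, and drop the trailing empty line added at L13008.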
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-2.1.8/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te	2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/apm.te	2006-01-09 14:37:14.000000000 -0500
@@ -196,6 +196,7 @@
 ')
 
 optional_policy(`cron',`
+	cron_system_entry(apmd_t, apmd_exec_t)
 	cron_domtrans_anacron_system_job(apmd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.1.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/automount.te	2006-01-09 14:37:14.000000000 -0500
@@ -28,7 +28,7 @@
 # Local policy
 #
 
-allow automount_t self:capability { sys_nice dac_override };
+allow automount_t self:capability { net_bind_service sys_nice dac_override };
 dontaudit automount_t self:capability sys_tty_config;
 allow automount_t self:process { signal_perms getpgid setpgid setsched };
 allow automount_t self:fifo_file rw_file_perms;
@@ -80,7 +80,9 @@
 corenet_udp_sendrecv_all_ports(automount_t)
 corenet_tcp_bind_all_nodes(automount_t)
 corenet_udp_bind_all_nodes(automount_t)
+
 corenet_tcp_connect_portmap_port(automount_t)
+corenet_tcp_connect_all_ports(automount_t)
 corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
 
 dev_read_sysfs(automount_t)
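Review bot: corenet_tcp_connect_all_ports(automount_t) on L13038 makes the existing corenet_dontaudit_tcp_connect_all_reserved_ports on L13039 redundant, since an allowed connect is never audited; if only the ports automount mounts through are needed, a narrower connect interface keeps the dontaudit meaningful. Together with the net_bind_service capability added on L13028 in the first hunk this gives automount unrestricted outbound TCP, which should at least carry a comment naming the service that needed it.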
@@ -143,6 +145,11 @@
 	fstools_domtrans(automount_t)
 ')
 
+optional_policy(`bind',`
+	allow automount_t named_conf_t:dir search;
+	allow automount_t named_zone_t:dir search;
+')
+
 optional_policy(`nis',`
 	nis_use_ypbind(automount_t)
 ')
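Review bot: The bind block on L13046-L13049 references named_conf_t and named_zone_t directly from automount.te, unlike the other optional blocks in this file (fstools_domtrans on L13043, nis_use_ypbind on L13052), which go through the other module's interface; a direct type reference needs a gen_require in a modular build and bypasses the bind module's API. logwatch.te in this same patch calls bind_read_config and bind_read_zone (L13397-L13398) for these directories; those, or a search-only variant added to bind.if, would fit here.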
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.1.8/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/bluetooth.te	2006-01-09 14:37:14.000000000 -0500
@@ -86,6 +86,7 @@
 
 kernel_read_kernel_sysctl(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
+kernel_read_proc_devices(bluetooth_t)
 
 corenet_tcp_sendrecv_all_if(bluetooth_t)
 corenet_udp_sendrecv_all_if(bluetooth_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.1.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/cron.te	2006-01-09 14:37:14.000000000 -0500
@@ -407,43 +407,21 @@
 		sysstat_manage_log(system_crond_t)
 	')
 
+
+	optional_policy(`mta',`
+		dontaudit system_mail_t crond_t:fifo_file write;
+	')
+
 	ifdef(`TODO',`
 	dontaudit userdomain system_crond_t:fd use;
 
-	# Do not audit attempts to search unlabeled directories (e.g. slocate).
-	dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
-	dontaudit system_crond_t unlabeled_t:file r_file_perms;
-
 	allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 
-	# Write to /var/lib/slocate.db.
-	allow system_crond_t var_lib_t:dir rw_dir_perms;
-	allow system_crond_t var_lib_t:file create_file_perms;
-
 	# for if /var/mail is a symlink
 	allow system_crond_t mail_spool_t:lnk_file read;
 
-	#
-	#  These rules are here to allow system cron jobs to su
-	#
-	ifdef(`su.te', `
-	su_restricted_domain(system_crond,system)
-	role system_r types system_crond_su_t;
-	allow system_crond_su_t crond_t:fifo_file ioctl;
-	')
-
-	#
-	# Required for webalizer
-	#
-	ifdef(`apache.te', `
-	allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms;
-	')
-
 	ifdef(`mta.te', `
 	mta_send_mail_transition(system_crond_t)
-
-	# system_mail_t should only be reading from the cron fifo not needing to write
-	dontaudit system_mail_t crond_t:fifo_file write;
 	allow mta_user_agent system_crond_t:fd use;
 	r_dir_file(system_mail_t, crond_tmp_t)
 	')
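Review bot: The mta block added on L13073-L13075 is the dontaudit moved out of the old TODO block (L13113), so it now takes effect, but it references system_mail_t directly from cron.te with no gen_require and without an mta interface, while the neighbouring block (sysstat_manage_log on L13069) uses one. The extra empty line added on L13072 also leaves two blank lines between blocks. The enclosing block starts outside the hunk.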
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.1.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/cups.te	2006-01-09 14:37:14.000000000 -0500
@@ -201,8 +201,7 @@
 ')
 
 optional_policy(`cron',`
-	cron_use_fd(cupsd_t)
-	cron_read_pipe(cupsd_t)
+	cron_system_entry(cupsd_t, cupsd_exec_t)
 ')
 
 optional_policy(`dbus',`
@@ -580,8 +579,7 @@
 ')
 
 optional_policy(`cron',`
-	cron_use_system_job_fd(cupsd_config_t)
-	cron_read_pipe(cupsd_config_t)
+	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
 optional_policy(`dbus',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.1.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/dovecot.te	2006-01-09 14:37:14.000000000 -0500
@@ -95,6 +95,7 @@
 files_read_etc_files(dovecot_t)
 files_search_spool(dovecot_t)
 files_search_tmp(dovecot_t)
+files_search_tmp(dovecot_auth_t)
 files_dontaudit_list_default(dovecot_t)
 
 init_use_fd(dovecot_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.1.8/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc	2005-11-14 18:24:07.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/hal.fc	2006-01-09 14:37:14.000000000 -0500
@@ -7,3 +7,4 @@
 /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
 
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hal/scripts(/.*)?	 gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.8/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/hal.te	2006-01-09 23:10:48.000000000 -0500
@@ -47,8 +47,12 @@
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctl(hald_t)
+kernel_read_fs_sysctl(hald_t)
+
 kernel_write_proc_file(hald_t)
 
+mls_file_read_up(hald_t)
+
 corecmd_exec_bin(hald_t)
 corecmd_exec_sbin(hald_t)
 
@@ -82,6 +86,7 @@
 files_read_etc_files(hald_t)
 files_rw_etc_runtime_files(hald_t)
 files_search_mnt(hald_t)
+files_manage_mnt_dirs(hald_t)
 files_search_var_lib(hald_t)
 files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
@@ -145,6 +150,10 @@
 	clock_domtrans(hald_t)
 ')
 
+optional_policy(`rpc',`
+	rpc_search_nfs_state_data(hald_t)
+')
+
 optional_policy(`cups',`
 	cups_domtrans_config(hald_t)
 	cups_signal_config(hald_t)
@@ -205,6 +214,3 @@
 	vbetool_domtrans(hald_t)
 ')
 
-ifdef(`TODO',`
-allow hald_t device_t:dir create_dir_perms;
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-2.1.8/policy/modules/services/irqbalance.te
--- nsaserefpolicy/policy/modules/services/irqbalance.te	2005-11-28 17:23:58.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/irqbalance.te	2006-01-09 14:37:14.000000000 -0500
@@ -28,6 +28,7 @@
 kernel_read_system_state(irqbalance_t)
 kernel_read_kernel_sysctl(irqbalance_t)
 kernel_rw_irq_sysctl(irqbalance_t)
+kernel_read_proc_devices(irqbalance_t)
 
 dev_read_sysfs(irqbalance_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.1.8/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te	2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/kerberos.te	2006-01-10 08:56:50.000000000 -0500
@@ -249,8 +249,3 @@
 	udev_read_db(krb5kdc_t)
 ')
 
-ifdef(`TODO',`
-# Allow user programs to talk to KDC
-allow krb5kdc_t userdomain:udp_socket recvfrom;
-allow userdomain krb5kdc_t:udp_socket recvfrom;
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.fc serefpolicy-2.1.8/policy/modules/services/locate.fc
--- nsaserefpolicy/policy/modules/services/locate.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/locate.fc	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,4 @@
+# locate - file locater
+/usr/bin/updatedb		--	gen_context(system_u:object_r:locate_exec_t, s0)
+/var/lib/[sm]locate(/.*)?		gen_context(system_u:object_r:locate_var_lib_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.if serefpolicy-2.1.8/policy/modules/services/locate.if
--- nsaserefpolicy/policy/modules/services/locate.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/locate.if	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Update database for mlocate</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.te serefpolicy-2.1.8/policy/modules/services/locate.te
--- nsaserefpolicy/policy/modules/services/locate.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/locate.te	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,50 @@
+policy_module(locate,1.0.0)
+
+#DESC LOCATE - Security Enhanced version of the GNU Locate
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the locate_t domain.
+#
+# locate_exec_t is the type of the locate executable.
+#
+type locate_t;
+type locate_exec_t;
+init_daemon_domain(locate_t,locate_exec_t)
+
+type locate_log_t;
+logging_log_file(locate_log_t)
+
+type locate_var_lib_t;
+files_type(locate_var_lib_t)
+
+allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow locate_t self:process { execheap execmem execstack };
+allow locate_t self:fifo_file rw_file_perms;
+allow locate_t self:file { getattr read };
+allow locate_t self:unix_stream_socket create_socket_perms;
+
+allow locate_t locate_var_lib_t:dir create_dir_perms;
+allow locate_t locate_var_lib_t:file create_file_perms;
+
+fs_getattr_xattr_fs(locate_t)
+
+files_list_all(locate_t)
+files_getattr_all_files(locate_t)
+
+kernel_dontaudit_search_sysctl(locate_t)
+kernel_read_system_state(locate_t)
+
+corecmd_exec_bin(locate_t)
+
+files_read_etc_runtime_files(locate_t)
+files_read_etc_files(locate_t)
+
+optional_policy(`crond',`
+	cron_system_entry(locate_t, locate_exec_t)
+	allow system_crond_t locate_log_t:dir rw_dir_perms;
+	allow system_crond_t locate_log_t:file { create append getattr };
+')
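Review bot: L13265 grants locate_t `execheap execmem execstack` with no comment, which is surprising for updatedb; add the reason, or drop it if a denial was not actually observed. locate_log_t is declared on L13258-L13259 but locate_t gets no rules on it and locate.fc labels nothing with it; only system_crond_t is granted access on L13288-L13289, by direct type reference rather than a cron interface, inside an `optional_policy(`crond',`` that spells the module differently from apm.te, cups.te and logwatch.te in this patch (`cron'). init_daemon_domain on L13256 also gives updatedb an init-script entry point although the only transition set up here is the cron one.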
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/logwatch.fc serefpolicy-2.1.8/policy/modules/services/logwatch.fc
--- nsaserefpolicy/policy/modules/services/logwatch.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/logwatch.fc	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,3 @@
+# logwatch - file logwatchr
+/usr/share/logwatch/scripts/logwatch.pl	--	gen_context(system_u:object_r:logwatch_exec_t, s0)
+/var/cache/logwatch(/.*)?			gen_context(system_u:object_r:logwatch_cache_t, s0)
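Review bot: The header comment `# logwatch - file logwatchr` on L13295 is a search-and-replace of locate.fc's `# locate - file locater` and does not describe the module; `# logwatch - system log analyzer and reporter`, matching the #DESC line in logwatch.te, would do. The two context entries themselves look fine.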
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/logwatch.if serefpolicy-2.1.8/policy/modules/services/logwatch.if
--- nsaserefpolicy/policy/modules/services/logwatch.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/logwatch.if	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Update database for mlogwatch</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/logwatch.te serefpolicy-2.1.8/policy/modules/services/logwatch.te
--- nsaserefpolicy/policy/modules/services/logwatch.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/logwatch.te	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,107 @@
+policy_module(logwatch,1.0.0)
+
+#DESC LOGWATCH - system log analyzer and reporter
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the logwatch_t domain.
+#
+# logwatch_exec_t is the type of the logwatch executable.
+#
+type logwatch_t;
+domain_type(logwatch_t)
+role system_r types logwatch_t;
+
+type logwatch_exec_t;
+domain_entry_file(logwatch_t,logwatch_exec_t)
+
+type logwatch_cache_t;
+files_type(logwatch_cache_t)
+
+type logwatch_tmp_t;
+files_tmp_file(logwatch_tmp_t)
+
+allow logwatch_t self:capability setgid;
+allow logwatch_t self:fifo_file rw_file_perms;
+allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+
+allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
+allow logwatch_t logwatch_tmp_t:file create_file_perms;
+files_create_tmp_files(logwatch_t, logwatch_tmp_t, { file dir })
+
+allow logwatch_t logwatch_cache_t:dir create_dir_perms;
+allow logwatch_t logwatch_cache_t:file create_file_perms;
+
+auth_dontaudit_read_shadow(logwatch_t)
+
+corecmd_read_sbin_file(logwatch_t)
+corecmd_exec_bin(logwatch_t)
+corecmd_exec_shell(logwatch_t)
+
+dev_read_urand(logwatch_t)
+
+fs_getattr_all_fs(logwatch_t)
+
+kernel_read_fs_sysctl(logwatch_t)
+kernel_read_kernel_sysctl(logwatch_t)
+
+files_read_etc_files(logwatch_t)
+files_read_etc_runtime_files(logwatch_t)
+files_read_usr_files(logwatch_t)
+files_search_spool(logwatch_t)
+files_dontaudit_search_home(logwatch_t)
+
+kernel_read_system_state(logwatch_t)
+
+libs_use_ld_so(logwatch_t)
+libs_use_shared_libs(logwatch_t)
+libs_read_lib(logwatch_t)
+
+logging_read_all_logs(logwatch_t)
+
+miscfiles_read_localization(logwatch_t)
+
+nscd_use_socket(logwatch_t)
+
+rpc_search_nfs_state_data(logwatch_t)
+
+term_dontaudit_getattr_pty_dir(logwatch_t)
+term_dontaudit_list_ptys(logwatch_t)
+
+userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
+userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
+
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logwatch_t)
+
+mta_send_mail(logwatch_t)
+
+optional_policy(`cron',`
+	cron_system_entry(logwatch_t, logwatch_exec_t)
+')
+
+optional_policy(`samba',`
+	samba_read_log(logwatch_t)
+')
+
+optional_policy(`bind',`
+	bind_read_config(logwatch_t)
+	bind_read_zone(logwatch_t)
+')
+
+optional_policy(`mta',`
+	mta_getattr_spool(logwatch_t)
+	allow system_mail_t logwatch_tmp_t:file r_file_perms;
+')
+
+optional_policy(`apache',`
+	apache_read_log(logwatch_t)
+')
+
+optional_policy(`ntp',`
+	allow logwatch_t ntpd_exec_t:file getattr;
+')
+
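Review bot: nscd_use_socket on L13373, rpc_search_nfs_state_data on L13375 and mta_send_mail on L13386 are called unconditionally, while elsewhere in this patch nscd calls (vpn.te L12722, apache.te L13001) and rpc calls (hal.te L13187) are wrapped in optional_policy, and this file itself wraps its other mta rule in `optional_policy(`mta',`` on L13401; the unconditional calls break a build without those modules, and the two mta rules belong in one block. The mta and ntp blocks also reference system_mail_t (L13403) and ntpd_exec_t (L13411) directly rather than through an interface, and the file ends with an empty line at L13413.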
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.1.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2006-01-04 17:28:52.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/mta.te	2006-01-09 14:37:14.000000000 -0500
@@ -47,6 +47,9 @@
 allow system_mail_t etc_mail_t:dir { getattr search };
 allow system_mail_t etc_mail_t:file r_file_perms;
 
+allow initrc_t etc_mail_t:dir r_dir_perms;
+allow initrc_t etc_mail_t:file r_file_perms;
+
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
 
@@ -124,6 +127,10 @@
 	logrotate_read_tmp_files(system_mail_t)
 ')
 
+optional_policy(`sendmail',`
+	files_create_etc_config(sendmail_t,etc_aliases_t, file)
+')
+
 optional_policy(`postfix',`
 	allow system_mail_t etc_aliases_t:dir create_dir_perms;
 	allow system_mail_t etc_aliases_t:file create_file_perms;
@@ -174,3 +181,9 @@
 		cron_read_system_job_tmp_files(mta_user_agent)
 	')
 ')
+
+ifdef(`TODO',`
+# for the start script to run make -C /etc/mail
+allow initrc_t etc_mail_t:dir rw_dir_perms;
+allow initrc_t etc_mail_t:file create_file_perms;
+')
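Review bot: The hunk adds a new `ifdef(`TODO',`` block (L13443-L13447) instead of resolving one: the two rules inside it are never compiled, while the first hunk (L13421-L13422) already adds the read-only versions live, so either wire the write rules in, keeping the comment on L13444 as the justification, or leave them out. Both hunks also name initrc_t as the subject of a rule written in mta.te; the pattern used elsewhere in this patch is an interface exported by the module that owns the object type, which would keep the cross-module dependency declared.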
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.1.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te	2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/networkmanager.te	2006-01-10 09:08:19.000000000 -0500
@@ -28,8 +28,6 @@
 allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
 allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
-# allow vpnc connections
-allow NetworkManager_t self:rawip_socket create_socket_perms;
 
 allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
 allow NetworkManager_t NetworkManager_var_run_t:dir rw_dir_perms;
@@ -54,8 +52,6 @@
 corenet_tcp_connect_all_ports(NetworkManager_t)
 corenet_udp_bind_isakmp_port(NetworkManager_t)
 corenet_udp_bind_dhcpc_port(NetworkManager_t)
-# vpn connections
-corenet_use_tun_tap_device(NetworkManager_t)
 
 dev_read_sysfs(NetworkManager_t)
 dev_read_rand(NetworkManager_t)
@@ -170,4 +166,5 @@
 
 optional_policy(`vpn',`
 	vpn_domtrans(NetworkManager_t)
+	allow NetworkManager_t vpnc_t:process signal;
 ')
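Review bot: `allow NetworkManager_t vpnc_t:process signal;` names `vpnc_t`, a type of the vpn module, directly from networkmanager.te, whereas the line above it goes through `vpn_domtrans`; the new rule should likewise go through vpn.if (a signal interface such as `vpn_signal`, added there if it does not exist yet, wrapping `allow $1 vpnc_t:process signal;`) rather than a raw allow with no `gen_require` behind it. This keeps the module buildable as a loadable module and keeps vpnc's type private to its own module.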
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.1.8/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/nscd.te	2006-01-09 14:37:14.000000000 -0500
@@ -128,7 +128,6 @@
 
 optional_policy(`samba',`
 	samba_connect_winbind(nscd_t)
-	samba_search_var(nscd_t)
 ')
 
 optional_policy(`udev',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.1.8/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/ntp.te	2006-01-09 14:37:14.000000000 -0500
@@ -148,8 +148,6 @@
 ')
 
 optional_policy(`samba',`
-	# cjp: the connect was previously missing
-	# so it might be ok to drop this
 	samba_connect_winbind(ntpd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-2.1.8/policy/modules/services/portmap.te
--- nsaserefpolicy/policy/modules/services/portmap.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/portmap.te	2006-01-09 14:37:14.000000000 -0500
@@ -47,6 +47,7 @@
 kernel_read_proc_symlinks(portmap_t)
 kernel_udp_sendfrom(portmap_t)
 kernel_tcp_recvfrom(portmap_t) 
+kernel_read_proc_devices(portmap_t)
 
 corenet_tcp_sendrecv_all_if(portmap_t)
 corenet_udp_sendrecv_all_if(portmap_t)
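Review bot: `kernel_read_proc_devices(portmap_t)` is added with no comment on what in portmap reads /proc/devices, and the same unexplained line is added for `rpcd_t`, `pam_console_t`, `hwclock_t`, `fsadm_t`, `hostname_t`, `auditctl_t`, `auditd_t`, `klogd_t`, `syslogd_t`, `mount_t`, `restorecon_t`, `dhcpc_t` and `ifconfig_t` in later hunks of this patch. Fourteen unrelated domains needing the same new read at once points to a shared library or startup-helper behaviour rather than fourteen program changes; if so, the reason belongs in a comment at each site (the fstools hunk's `# Access to /proc/devices` only restates the interface name), and if the reads are incidental a dontaudit would be the more conservative choice than an allow. A line such as `# <component> reads /proc/devices at startup — TODO confirm` with the real component filled in records why the access was granted.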
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.fc serefpolicy-2.1.8/policy/modules/services/prelink.fc
--- nsaserefpolicy/policy/modules/services/prelink.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/prelink.fc	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,7 @@
+# prelink - prelink ELF shared libraries and binaries to speed up startup time
+/usr/sbin/prelink		--	gen_context(system_u:object_r:prelink_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/sbin/prelink\.bin		--	gen_context(system_u:object_r:prelink_exec_t,s0)
+')
+/var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
+/etc/prelink\.cache		--	gen_context(system_u:object_r:prelink_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.if serefpolicy-2.1.8/policy/modules/services/prelink.if
--- nsaserefpolicy/policy/modules/services/prelink.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/prelink.if	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,39 @@
+## <summary>Prelink mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`prelink_domtrans',`
+	gen_require(`
+		type prelink_t, prelink_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, prelink_exec_t, prelink_t)
+
+	allow $1 prelink_t:fd use;
+	allow prelink_t $1:fd use;
+	allow prelink_t $1:fifo_file rw_file_perms;
+	allow prelink_t $1:process sigchld;
+')
+
+
+########################################
+## <summary>
+##	Allow prelink to rebuild the executable or library
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`prelink_relabel',`
+	gen_require(`
+		type prelink_t;
+	')
+	allow prelink_t $1:file { create_file_perms execute relabelto relabelfrom };
+')
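Review bot: `prelink_relabel` grants `execute` on every file type passed to it alongside `create_file_perms` and relabel, but its summary describes rebuilding the object, not running it, and libraries.te in this patch passes `ld_so_t`, `shlib_t` and `lib_t` into it. Unless prelink executes the binaries it rewrites, `execute` is broader than needed; if the only execution is the dynamic linker's verification pass, that is presumably already covered by `libs_use_ld_so(prelink_t)` in prelink.te, and the rule could become `allow prelink_t $1:file { create_file_perms relabelto relabelfrom };` with a comment stating why no execute is required. The name says relabel but the rule manages the files, so a summary like `Allow prelink to manage and relabel the executable or library` would match what is granted. The double blank line between the two interfaces is a small style nit.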
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.te serefpolicy-2.1.8/policy/modules/services/prelink.te
--- nsaserefpolicy/policy/modules/services/prelink.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/prelink.te	2006-01-09 14:37:14.000000000 -0500
@@ -0,0 +1,64 @@
+policy_module(prelink,1.0.0)
+
+#DESC PRELINK - Security Enhanced version of the GNU Prelink
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the prelink_t domain.
+#
+# prelink_exec_t is the type of the prelink executable.
+#
+type prelink_t;
+type prelink_exec_t;
+init_daemon_domain(prelink_t,prelink_exec_t)
+#
+# prelink_cache_t is the type of /etc/prelink.cache.
+#
+type prelink_cache_t;
+files_type(prelink_cache_t)
+
+type prelink_log_t;
+logging_log_file(prelink_log_t)
+
+allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:process { execheap execmem execstack };
+allow prelink_t self:fifo_file rw_file_perms;
+allow prelink_t self:file { getattr read };
+
+allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
+allow prelink_t prelink_log_t:file { create ra_file_perms };
+allow prelink_t prelink_log_t:lnk_file read;
+logging_create_log(prelink_t, prelink_log_t)
+
+fs_getattr_xattr_fs(prelink_t)
+
+libs_use_ld_so(prelink_t)
+libs_use_shared_libs(prelink_t)
+
+files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dir(prelink_t)
+files_create_etc_config(prelink_t, prelink_cache_t, file)
+
+kernel_dontaudit_search_kernel_sysctl(prelink_t)
+kernel_dontaudit_search_sysctl(prelink_t)
+kernel_read_system_state(prelink_t)
+
+files_read_etc_runtime_files(prelink_t)
+
+miscfiles_read_localization(prelink_t)
+
+dev_read_urand(prelink_t)
+
+optional_policy(`crond',`
+	cron_system_entry(prelink_t, prelink_exec_t)
+	allow system_crond_t prelink_log_t:dir rw_dir_perms;
+	allow system_crond_t prelink_log_t:file create_file_perms;
+	allow system_crond_t prelink_cache_t:file { getattr read unlink };
+	allow prelink_t crond_log_t:file append;
+')
+
+
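Review bot: prelink.fc in this patch labels only the file /var/log/prelink.log as `prelink_log_t`, so the `prelink_log_t:dir` rules for `prelink_t` and `system_crond_t` have no directory they can match; either a directory should carry that type in the .fc or those rules should be dropped, and `logging_create_log(prelink_t, prelink_log_t)` already covers creating the log in /var/log. `allow prelink_t crond_log_t:file append;` references a type of the cron module directly inside the `optional_policy(`crond'` block; like the rest of the file it should go through an interface in cron.if. `init_daemon_domain` also gives initrc a transition into a program that, per the same block, is run from cron rather than started as a daemon, so `init_system_domain` or plain `domain_type`/`domain_entry_file` with the existing `cron_system_entry` may be the intended shape. The two trailing blank lines at the end of the file are whitespace.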
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.1.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/rpc.te	2006-01-09 14:37:14.000000000 -0500
@@ -48,6 +48,7 @@
 kernel_search_network_state(rpcd_t) 
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)  
+kernel_read_proc_devices(rpcd_t)
 
 corenet_udp_bind_generic_port(rpcd_t)
 corenet_udp_bind_reserved_port(rpcd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.1.8/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/samba.if	2006-01-09 14:37:14.000000000 -0500
@@ -342,7 +342,9 @@
 	')
 
 	files_search_pids($1)
+	samba_search_var($1)
 	allow $1 winbind_var_run_t:dir search_dir_perms;
 	allow $1 winbind_var_run_t:sock_file { getattr read write };
 	allow $1 winbind_t:unix_stream_socket connectto;
 ')
+
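Review bot: The empty line appended after the closing `')` of `samba_connect_winbind` adds a trailing blank line to samba.if that is unrelated to the change and will show up as churn in later diffs; drop it. Folding `samba_search_var($1)` into the connect interface is the right direction, since every caller needs the var search to reach the socket; the removal of the separate call in nscd.te in this patch depends on it, so the two hunks must land together.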
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xdm.te serefpolicy-2.1.8/policy/modules/services/xdm.te
--- nsaserefpolicy/policy/modules/services/xdm.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/services/xdm.te	2006-01-09 14:37:14.000000000 -0500
@@ -319,6 +319,10 @@
 allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 
+optional_policy(`prelink', `
+	prelink_relabel(xkb_var_lib_t)
+')
+
 # Insert video drivers.  
 allow xdm_xserver_t self:capability mknod;
 allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
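Review bot: `optional_policy(`prelink', `` has a space after the comma, while every other `optional_policy(` in this patch is written `optional_policy(`name',``; the same spacing appears in the libraries.te hunk. Writing it `optional_policy(`prelink',`` keeps the file consistent and greppable. `prelink_relabel(xkb_var_lib_t)` also hands prelink create and relabel rights on the compiled-keymap files; a one-line comment on why xkb's cache needs prelink treatment would save the next reader a lookup.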
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.1.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/authlogin.te	2006-01-09 14:37:14.000000000 -0500
@@ -157,6 +157,7 @@
 kernel_use_fd(pam_console_t)
 # Read /proc/meminfo
 kernel_read_system_state(pam_console_t)
+kernel_read_proc_devices(pam_console_t)
 
 dev_read_sysfs(pam_console_t)
 dev_getattr_apm_bios(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.1.8/policy/modules/system/clock.te
--- nsaserefpolicy/policy/modules/system/clock.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/clock.te	2006-01-09 14:37:14.000000000 -0500
@@ -33,6 +33,7 @@
 kernel_read_kernel_sysctl(hwclock_t)
 kernel_list_proc(hwclock_t)
 kernel_read_proc_symlinks(hwclock_t)
+kernel_read_proc_devices(hwclock_t)
 
 dev_read_sysfs(hwclock_t)
 dev_rw_realtime_clock(hwclock_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.1.8/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/fstools.te	2006-01-09 14:37:14.000000000 -0500
@@ -56,6 +56,8 @@
 # Access to /initrd devices
 kernel_rw_unlabeled_dir(fsadm_t)
 kernel_use_unlabeled_blk_dev(fsadm_t)
+# Access to /proc/devices
+kernel_read_proc_devices(fsadm_t)
 
 dev_getattr_all_chr_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
@@ -69,6 +71,8 @@
 dev_read_sysfs(fsadm_t)
 # Access to /initrd devices
 dev_getattr_usbfs_dir(fsadm_t)
+# Access to /dev/mapper/control
+dev_rw_lvm_control(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
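Review bot: `dev_rw_lvm_control(fsadm_t)` opens the device-mapper control node read-write, which is the ioctl interface for creating and removing mapped devices rather than a status read, yet the comment `# Access to /dev/mapper/control` only restates the path without saying which filesystem tool needs it. The same line is added for `mount_t` in the mount.te hunk with no comment at all. A note naming the tool or operation that triggered the denial (a dm-backed filesystem setup from the fs utilities, if that is the case) would let a later reviewer judge whether the access still belongs in these domains.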
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.1.8/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/hostname.te	2006-01-09 14:37:14.000000000 -0500
@@ -7,8 +7,10 @@
 #
 
 type hostname_t;
+domain_type(hostname_t)
+
 type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+domain_entry_file(hostname_t,hostname_exec_t)
 role system_r types hostname_t;
 
 ########################################
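Review bot: Replacing `init_system_domain(hostname_t,hostname_exec_t)` with `domain_type` plus `domain_entry_file` removes the transition from initrc into `hostname_t`, and the init.te hunk of this patch instead calls `hostname_exec(initrc_t)`, so hostname now runs inside `initrc_t`; nothing in the visible hunks still transitions into `hostname_t`. If the intent is to retire the domain, the remaining `hostname_t` rules and `role system_r types hostname_t;` become dead policy and should go with it; if some other entry point is expected to keep the domain alive, a comment here naming it would make that clear. Either way, the change in which domain runs hostname deserves a line in the file's header comment.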
@@ -24,6 +26,7 @@
 
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
+kernel_read_proc_devices(hostname_t)
 
 dev_read_sysfs(hostname_t)
 
@@ -55,35 +58,6 @@
 sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
-userdom_use_all_user_fd(hostname_t)
 
-ifdef(`distro_redhat', `
-	fs_use_tmpfs_chr_dev(hostname_t)
-')
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_tty(hostname_t)
-	term_dontaudit_use_generic_pty(hostname_t)
-	files_dontaudit_read_root_file(hostname_t)
-')
-
-optional_policy(`firstboot',`
-	firstboot_use_fd(hostname_t)
-')
-
-optional_policy(`hotplug',`
-	hotplug_dontaudit_use_fd(hostname_t)
-')
-
-optional_policy(`nscd',`
-	nscd_use_socket(hostname_t)
-')
-
-optional_policy(`selinuxutil',`
-	seutil_sigchld_newrole(hostname_t)
-')
-
-optional_policy(`udev',`
-	udev_dontaudit_use_fd(hostname_t)
-	udev_read_db(hostname_t)
-')
+
+
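Review bot: The hunk replaces the removed blocks with two added empty lines, leaving three consecutive blank lines at the end of hostname.te; drop both `+` blank lines so the file ends after `sysnet_dns_name_resolve(hostname_t)`. The removed `userdom_use_all_user_fd`, terminal dontaudits and nscd/udev rules are what let hostname run from an interactive session; with the domain no longer entered from initrc (see the first hunk of this file) their removal is consistent, but any remaining caller that still transitions into `hostname_t` would regress.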
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.1.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/init.te	2006-01-09 14:37:14.000000000 -0500
@@ -449,7 +449,6 @@
 
 	# readahead asks for these
 	auth_dontaudit_read_shadow(initrc_t)
-	mta_read_aliases(initrc_t)
 
 	optional_policy(`bind',`
 		bind_manage_config_dir(initrc_t)
@@ -687,6 +686,10 @@
 	zebra_read_config(initrc_t)
 ')
 
+optional_policy(`hostname',`
+	hostname_exec(initrc_t)
+')
+
 ifdef(`TODO',`
 # Set device ownerships/modes.
 allow initrc_t xconsole_device_t:fifo_file setattr;
@@ -695,24 +698,13 @@
 allow initrc_t default_t:dir write;
 
 ifdef(`distro_redhat', `
-	# readahead asks for these
-	allow initrc_t var_lib_nfs_t:file r_file_perms;
-
-	allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
 	allow initrc_t device_t:dir create;
 
-	# wants to delete /poweroff and other files 
-	allow initrc_t root_t:file unlink;
 	ifdef(`xserver.te', `
 	# wants to cleanup xserver log dir
 	allow initrc_t xserver_log_t:dir rw_dir_perms;
 	allow initrc_t xserver_log_t:file unlink;
 	')
 
-	optional_policy(`rpm',`
-		rpm_stub(initrc_t)
-		#read ahead wants to read this
-		allow initrc_t system_cron_spool_t:file { getattr read };
-	')
 ')
 ') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.1.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/libraries.fc	2006-01-09 14:37:14.000000000 -0500
@@ -11,6 +11,9 @@
 /emul/ia32-linux/lib(/.*)?					gen_context(system_u:object_r:lib_t,s0)
 /emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 /emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
+
+/usr/bin/fedora-rmdevelrpms --	gen_context(system_u:object_r:rpm_exec_t,s0)
+
 ')
 
 #
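Review bot: `/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)` is a labeling for an rpm tool placed in libraries.fc, inside the conditional block that otherwise lists only the /emul/ia32-linux library paths, and `rpm_exec_t` is not a type the libraries module owns. It belongs in rpm.fc next to the other `rpm_exec_t` entries; as written it is also only applied when that enclosing ifdef is active, which is presumably not what a Fedora-specific script wants. Labeling a script as `rpm_exec_t` means whoever runs it enters the rpm domain, so the placement should be checked against what that domain grants.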
@@ -55,7 +58,7 @@
 
 /usr(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/lib/pgsql/test/regress/.*\.so 	--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib(64)?/pgsql/test/regress/.*\.so 	--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
 
@@ -76,7 +79,7 @@
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_redhat',`
-/usr/lib/.*/program/.*\.so.*			gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib(64)?/.*/program/.*\.so.*			gen_context(system_u:object_r:shlib_t,s0)
 /usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
 
 # The following are libraries with text relocations in need of execmod permissions
@@ -84,32 +87,32 @@
 
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
 # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/gstreamer-.*/libgstmms\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libdv\.so.* 			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/helix/plugins/oggfformat\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/helix/plugins/theorarend\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/helix/plugins/vorbisrend\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/helix/codecs/colorcvt\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/helix/codecs/cvt1\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/gstreamer-.*/libgstmms\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdv\.so.* 			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/plugins/oggfformat\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/plugins/theorarend\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/plugins/vorbisrend\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/codecs/colorcvt\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/helix/codecs/cvt1\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/modules/dri/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/dri/.*\.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/dri/.*\.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libOSMesa\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libfglrx_gamma\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libHermes\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/valgrind/hp2ps			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/valgrind/stage2		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/valgrind/vg.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/.*/program/libicudata\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/.*/program/libsts645li\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/.*/program/libvclplug_gen645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/.*/program/libwrp645li\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/.*/program/libswd680li\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libHermes\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/valgrind/hp2ps			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/valgrind/stage2		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/valgrind/vg.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libicudata\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libsts645li\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libvclplug_gen645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libwrp645li\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/program/libswd680li\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/librecentfile\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libsvx680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -122,48 +125,48 @@
 /usr/lib(64)?/thunderbird.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/bandpass_a_iir_1893\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/bandpass_iir_1892\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/butterworth_1902\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/fm_osc_1415\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/gsm_1215\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/gverb_1216\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/hermes_filter_1200\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/highpass_iir_1890\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/lowpass_iir_1891\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/notch_iir_1894\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/pitch_scale_1193\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/pitch_scale_1194\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/sc1_1425\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/sc2_1426\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/sc3_1427\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/sc4_1882\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ladspa/se4_1883\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libImlib2\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/ocaml/stublibs/dllnums\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/php/modules/.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/analogue_osc_1416\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/bandpass_iir_1892\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/butterworth_1902\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/fm_osc_1415\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/gsm_1215\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/gverb_1216\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/hermes_filter_1200\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/highpass_iir_1890\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/lowpass_iir_1891\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/notch_iir_1894\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/pitch_scale_1193\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/pitch_scale_1194\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc1_1425\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc2_1426\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc3_1427\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/sc4_1882\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ladspa/se4_1883\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libImlib2\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ocaml/stublibs/dllnums\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/php/modules/.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libavformat-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libavcodec-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libavutil-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/xine/plugins/.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libgsm\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xmms/Input/libmpg123\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavcodec-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavutil-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xine/plugins/.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libgsm\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Flash plugin, Macromedia
 HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libdivxdecore.so.0		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libdivxencore.so.0		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdivxdecore.so.0		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdivxencore.so.0		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/.*/jre/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -175,7 +178,7 @@
 ') dnl end distro_redhat
 
 ifdef(`distro_suse',`
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* --	gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib(64)?/samba/classic/[^/]*\.so(\.[^/]*)* --	gen_context(system_u:object_r:shlib_t,s0)
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.1.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te	2005-12-12 15:35:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/libraries.te	2006-01-09 14:37:14.000000000 -0500
@@ -94,6 +94,10 @@
 	unconfined_domain_template(ldconfig_t) 
 ')
 
+optional_policy(`prelink', `
+	prelink_relabel({ ld_so_t texrel_shlib_t shlib_t lib_t })
+')
+
 optional_policy(`apache',`
 	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
 	apache_dontaudit_search_modules(ldconfig_t)
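Review bot: `texrel_shlib_t` in `prelink_relabel({ ld_so_t texrel_shlib_t shlib_t lib_t })` is misspelled; the type used throughout libraries.fc in this same patch is `textrel_shlib_t`, so this block will fail to build, or silently grant nothing for text-relocation libraries if the error is ever masked. The line should read `prelink_relabel({ ld_so_t textrel_shlib_t shlib_t lib_t })`. Passing `ld_so_t` here also gives `prelink_t` create and relabel rights on the dynamic linker itself, which is expected for prelink but worth a comment since it is the most sensitive of the four types.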
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.1.8/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/locallogin.te	2006-01-09 14:37:14.000000000 -0500
@@ -165,6 +165,7 @@
 userdom_signal_all_users(local_login_t)
 userdom_search_all_users_home(local_login_t)
 userdom_use_unpriv_users_fd(local_login_t)
+userdom_all_users_sigchld(local_login_t)
 
 # Search for mail spool file.
 mta_getattr_spool(local_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.1.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/logging.te	2006-01-09 14:37:14.000000000 -0500
@@ -70,6 +70,7 @@
 
 kernel_read_kernel_sysctl(auditctl_t)
 kernel_read_proc_symlinks(auditctl_t)
+kernel_read_proc_devices(auditctl_t)
 
 domain_read_all_domains_state(auditctl_t)
 domain_use_wide_inherit_fd(auditctl_t)
@@ -128,6 +129,7 @@
 kernel_read_kernel_sysctl(auditd_t)
 kernel_list_proc(auditd_t)
 kernel_read_proc_symlinks(auditd_t)
+kernel_read_proc_devices(auditd_t)
 
 dev_read_sysfs(auditd_t)
 
@@ -203,6 +205,7 @@
 # Control syslog and console logging
 kernel_clear_ring_buffer(klogd_t)
 kernel_change_ring_buffer_level(klogd_t)
+kernel_read_proc_devices(klogd_t)
 
 bootloader_read_kernel_symbol_table(klogd_t)
 
@@ -298,6 +301,7 @@
 kernel_read_messages(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+kernel_read_proc_devices(syslogd_t)
 
 dev_create_dev_node(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.1.8/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te	2005-12-09 23:35:08.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/lvm.te	2006-01-09 14:37:14.000000000 -0500
@@ -155,6 +155,8 @@
 
 allow lvm_t lvm_etc_t:file r_file_perms;
 allow lvm_t lvm_etc_t:lnk_file r_file_perms;
+allow initrc_t lvm_etc_t:file r_file_perms;
+
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
 allow lvm_t lvm_etc_t:dir rw_dir_perms;
 allow lvm_t lvm_metadata_t:file create_file_perms;
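Review bot: `allow initrc_t lvm_etc_t:file r_file_perms;` grants only file reads, but the surrounding lvm_t rules show `lvm_etc_t` is also the type of a directory (`allow lvm_t lvm_etc_t:dir rw_dir_perms;`, commented as /etc/lvm) and of symlinks, so if initrc reads the config through that directory it will still be denied `search` on it and any `lnk_file` read. A read-config interface in lvm.if granting dir search plus file and lnk_file read, called from init.te, would cover the whole path and keep `initrc_t` out of lvm.te, matching the layering the module uses elsewhere.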
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.1.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2005-12-12 23:05:35.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/mount.te	2006-01-09 14:37:14.000000000 -0500
@@ -26,12 +26,14 @@
 files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
 
 kernel_read_system_state(mount_t)
+kernel_read_proc_devices(mount_t)
 
 corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
 
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
+dev_rw_lvm_control(mount_t)
 
 storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
@@ -46,7 +48,7 @@
 fs_search_auto_mountpoints(mount_t)
 fs_use_tmpfs_chr_dev(mount_t)
 
-term_use_console(mount_t)
+term_use_all_terms(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_sbin(mount_t)
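Review bot: `term_use_all_terms(mount_t)` replaces `term_use_console(mount_t)` and lets the mount domain read and write every terminal type, including user ptys, where the old rule covered only the console; there is no comment on what mount needs to print and to whom. If the trigger was mount run from a user shell or from an init script on a tty, a narrower terminal interface for that class, or inheriting the caller's descriptor through the existing fd-use rules, would avoid giving a domain entered from user sessions access to unrelated terminals. At least a comment such as `# mount prompts/warns on the invoking terminal` naming the actual case would justify the widening.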
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.1.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/selinuxutil.te	2006-01-09 14:37:14.000000000 -0500
@@ -324,6 +324,7 @@
 kernel_use_fd(restorecon_t)
 kernel_rw_pipe(restorecon_t)
 kernel_read_system_state(restorecon_t)
+kernel_read_proc_devices(restorecon_t)
 
 # cjp: why is this needed?
 dev_rw_generic_file(restorecon_t)
@@ -412,9 +413,11 @@
 ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
-	allow run_init_t self:fifo_file rw_file_perms;
 	allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
 
+	allow run_init_t self:fifo_file rw_file_perms;
+	domain_auto_trans(run_init_t,initrc_exec_t,initrc_t)
+
 	# often the administrator runs such programs from a directory that is owned
 	# by a different user or has restrictive SE permissions, do not want to audit
 	# the failed access to the current directory
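Review bot: `domain_auto_trans(run_init_t,initrc_exec_t,initrc_t)` spells out the transition with the init module's own types from inside selinuxutil.te; the rest of this block goes through interfaces, and init.if is the place for a run_init-to-script transition so the two modules stay decoupled. If an interface for transitioning into initrc via its script type already exists in init.if, call it here; otherwise add one there rather than inlining the macro. The `allow run_init_t self:fifo_file rw_file_perms;` line is deleted and re-added unchanged two lines lower, which is pure churn and should be left where it was.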
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.1.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2005-12-09 23:35:08.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/sysnetwork.te	2006-01-09 14:37:14.000000000 -0500
@@ -90,6 +90,7 @@
 kernel_read_network_state(dhcpc_t)
 kernel_read_kernel_sysctl(dhcpc_t)
 kernel_use_fd(dhcpc_t)
+kernel_read_proc_devices(dhcpc_t)
 
 corenet_tcp_sendrecv_all_if(dhcpc_t)
 corenet_raw_sendrecv_all_if(dhcpc_t)
@@ -281,6 +282,7 @@
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
 kernel_search_network_sysctl(ifconfig_t)
+kernel_read_proc_devices(ifconfig_t)
 
 corenet_use_tun_tap_device(ifconfig_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.1.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2005-12-13 15:51:50.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/unconfined.if	2006-01-09 17:22:51.000000000 -0500
@@ -33,6 +33,7 @@
 	corenet_unconfined($1)
 	dev_unconfined($1)
 	domain_unconfined($1)
+	domain_dontaudit_read_all_domains_state($1)
 	files_unconfined($1)
 	fs_unconfined($1)
 	selinux_unconfined($1)
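Review bot: `domain_dontaudit_read_all_domains_state($1)` sits directly after `domain_unconfined($1)`, which already gives the domain TE access to every other domain's state, so the dontaudit can only matter for denials produced by some other mechanism — presumably MLS constraints on reading the /proc entries of higher-range processes, though nothing in the hunk shows that. A one-line comment naming the denial it silences, e.g. `# MLS constraints still deny reading state of higher-range processes; keep it out of the log`, would stop a later maintainer from removing the call as redundant. The interface body continues outside the hunk.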
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.1.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/unconfined.te	2006-01-09 14:37:14.000000000 -0500
@@ -57,6 +57,10 @@
 		bluetooth_domtrans_helper(unconfined_t)
 	')
 
+	optional_policy(`java',`
+		java_domtrans(unconfined_t)
+	')
+
 	optional_policy(`dbus',`
 		dbus_stub(unconfined_t)
 
@@ -125,10 +129,6 @@
 		samba_domtrans_winbind_helper(unconfined_t)
 	')
 
-	optional_policy(`su',`
-		su_per_userdomain_template(sysadm,unconfined_t,system_r)
-	')
-
 	optional_policy(`sysnetwork',`
 		sysnet_domtrans_dhcpc(unconfined_t)
 	')
@@ -141,6 +141,10 @@
 		webalizer_domtrans(unconfined_t)
 	')
 
+	optional_policy(`sendmail',`
+		sendmail_domtrans(unconfined_t)
+	')
+
 	ifdef(`TODO',`
 	ifdef(`use_mcs',`
 	rw_dir_create_file(sysadm_su_t, home_dir_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-2.1.8/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc	2005-11-15 09:13:40.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/userdomain.fc	2006-01-09 14:37:14.000000000 -0500
@@ -4,6 +4,6 @@
 HOME_DIR		-d	gen_context(system_u:object_r:user_home_dir_t,s0)
 HOME_DIR/.+			gen_context(system_u:object_r:user_home_t,s0)
 ',`
-HOME_DIR		-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0)
+HOME_DIR		-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
 HOME_DIR/.+			gen_context(system_u:object_r:ROLE_home_t,s0)
 ')
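Review bot: `HOME_DIR` now carries the full range `s0-s15:c0.c255` in the non-targeted branch while `HOME_DIR/.+` on the next line stays at `s0` and the targeted branch is untouched, and neither the hunk nor the change summary says why the home directory itself must be a ranged object. A directory with the full range lets a process at any level create entries in it; if that is the intent, a comment above the line should say so. If the build provides a macro for the system-high range, use it rather than repeating the literal that also appears in policy/users, so the two cannot drift apart.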
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.1.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/userdomain.if	2006-01-09 14:37:14.000000000 -0500
@@ -1881,19 +1881,16 @@
 ## </param>
 #
 interface(`userdom_dontaudit_getattr_sysadm_home_dir',`
-	ifdef(`targeted_policy',`
-		gen_require(`
-			type user_home_dir_t;
-		')
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
 
-		dontaudit $1 user_home_dir_t:dir getattr;
-	', `
-		gen_require(`
-			type sysadm_home_dir_t;
-		')
+	dontaudit $1 sysadm_home_dir_t:dir getattr;
+
+ifdef(`targeted_policy', `
+	userdom_dontaudit_getattr_user_home_dirs($1)
+')
 
-		dontaudit $1 sysadm_home_dir_t:dir getattr;
-	')
 ')
 
 ########################################
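Review bot: The rewritten interface now does `gen_require(` type sysadm_home_dir_t; ')` unconditionally, whereas the removed code deliberately used `user_home_dir_t` under `targeted_policy`; if `sysadm_home_dir_t` is not declared in the targeted build this fails at build time, so that needs confirming. The `ifdef(`targeted_policy', ...)` added inside the interface body is at column 0 while the rest of the body is tab-indented; indent it to match. The same two points apply to `userdom_dontaudit_search_sysadm_home_dir` in the next hunk, whose new call `userdom_dontaudit_search_user_home_dirs($1)` has no matching interface added in this patch (only the getattr variant is), so check that it already exists.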
@@ -1922,19 +1919,15 @@
 ## </param>
 #
 interface(`userdom_dontaudit_search_sysadm_home_dir',`
-	ifdef(`targeted_policy',`
 	gen_require(`
-		type user_home_dir_t;
+		type sysadm_home_dir_t;
 	')
 
-		dontaudit $1 user_home_dir_t:dir search_dir_perms;
-	',`
-		gen_require(`
-			type sysadm_home_dir_t;
-		')
+	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
 
-		dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-	')
+ifdef(`targeted_policy', `
+	userdom_dontaudit_search_user_home_dirs($1)
+')
 ')
 
 ########################################
@@ -2074,6 +2067,22 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to getattr all users home directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_getattr_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	dontaudit $1 user_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
 ##	Read all files in all users home directories.
 ## </summary>
 ## <param name="domain">
@@ -2665,6 +2674,23 @@
 
 ########################################
 ## <summary>
+##	Send a chld signal to local login processes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_all_users_sigchld',`
+	gen_require(`
+		attribute userdomain;
+		class process sigchld;
+	')
+
+	allow userdomain $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Send general signals to all user domains.
 ## </summary>
 ## <param name="domain">
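Review bot: The summary `Send a chld signal to local login processes.` does not describe the rule `allow userdomain $1:process sigchld;`, in which the user domains are the subjects sending SIGCHLD to `$1`, and `$1` is documented as `Domain allowed access.` although it is the recipient. Rewrite the doc to say what the rule does, e.g. `Allow all user domains to send SIGCHLD to the specified domain.` and `Domain that receives the child-exit signal.`. A name such as `userdom_sigchld_all_users` would also read in the same direction as the rule.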
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.1.8/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-01-09 11:32:54.000000000 -0500
+++ serefpolicy-2.1.8/policy/modules/system/userdomain.te	2006-01-09 14:37:14.000000000 -0500
@@ -205,6 +205,7 @@
 
 	optional_policy(`hostname',`
 		hostname_run(sysadm_t,sysadm_r,admin_terminal)
+		hostname_exec(userdomain)
 	')
 
 	optional_policy(`ipsec',`
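Review bot: `hostname_exec(userdomain)` grants every user domain execution of the hostname binary, but it is placed in an `optional_policy` block whose other rule is sysadm-specific (`hostname_run(sysadm_t,sysadm_r,admin_terminal)`), so the scope of the change is wider than its location suggests. If all users are meant to run hostname without a transition, the call belongs in the user template with a comment such as `# all users may run hostname in their own domain`; if only sysadm needs it, use `hostname_exec(sysadm_t)`. The enclosing block starts outside the hunk.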
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.1.8/policy/users
--- nsaserefpolicy/policy/users	2005-12-05 22:35:02.000000000 -0500
+++ serefpolicy-2.1.8/policy/users	2006-01-09 14:37:14.000000000 -0500
@@ -26,7 +26,9 @@
 ifdef(`targeted_policy',`
 gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
-gen_user(user_u, user_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user_r, s0, s0 - s0, c0)
+gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
 #
@@ -40,8 +42,8 @@
 	gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm_r staff_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')
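Review bot: `root` is assigned both `sysadm_r` and `secadm_r` on the two changed lines, which undoes the separation that `-D separate_secadm` (added to the Makefile in this series) is meant to provide: one Linux login can then act as both system and security administrator. If that is a deliberate convenience, a comment above the lines should record it; otherwise give `secadm_r` to a dedicated user, as the new `staff_u` line does, and keep it off `root`. In the previous hunk `user_u` is narrowed to `s0 - s0` with only category `c0` while the other users keep `c0.c255`, which the hunk does not explain, and `secadm_r ,` has a stray space before the comma.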

* Latest Diffs
@ 2005-12-13 22:07 Daniel J Walsh
  2005-12-14 15:35 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2005-12-13 22:07 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 146 bytes --]

Certain applications linked with rpmlib call rpm_script_t, so 
unconfined_t needs to transition.

rpmbuild policy should be dropped.


-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 5456 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.5/Makefile
--- nsaserefpolicy/Makefile	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.5/Makefile	2005-12-13 17:02:23.000000000 -0500
@@ -92,7 +92,7 @@
 
 # enable MLS if requested.
 ifneq ($(findstring -mls,$(TYPE)),)
-	override M4PARAM += -D enable_mls
+	override M4PARAM += -D enable_mls -D separate_secadm
 	override CHECKPOLICY += -M
 	override CHECKMODULE += -M
 endif
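Review bot: `-D separate_secadm` is hard-wired to every `-mls` build, so there is no longer a way to build an MLS policy without the secadm split; a variable would keep both configurations available, e.g. `SEPARATE_SECADM ?= y` and `ifeq ($(SEPARATE_SECADM),y) override M4PARAM += -D separate_secadm endif`. The comment above still reads `# enable MLS if requested.` and should mention the secadm define. The identical change appears again in the Makefile hunk of the 2005-12-13 15:48 message further down the page.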
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.1.5/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2005-12-02 17:53:26.000000000 -0500
+++ serefpolicy-2.1.5/policy/modules/admin/rpm.if	2005-12-13 17:02:23.000000000 -0500
@@ -28,6 +28,31 @@
 
 ########################################
 ## <summary>
+##	Execute rpm_script programs in the rpm_script domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`rpm_script_domtrans',`
+	gen_require(`
+		type rpm_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	# transition to rpm script:
+	corecmd_shell_domtrans($1,rpm_script_t)
+
+	allow $1 rpm_script_t:fd use;
+	allow rpm_script_t $1:fd use;
+	allow rpm_script_t $1:fifo_file rw_file_perms;
+	allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Execute RPM programs in the RPM domain.
 ## </summary>
 ## <param name="domain">
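Review bot: The `gen_require` block lists `type rpm_exec_t;`, which the body never uses, while `rpm_script_t`, referenced by every rule in the body, is not required; in a loadable-module build this fails unless the calling module happens to declare it. Change the require to `type rpm_script_t;`. The summary says `Execute rpm_script programs in the rpm_script domain.` but the body is `corecmd_shell_domtrans($1,rpm_script_t)`, i.e. it installs a transition on the generic shell entrypoint, so the summary should read `Execute a shell in the rpm_script domain.` so callers understand the breadth of what they are granting.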
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.1.5/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.5/policy/modules/admin/rpm.te	2005-12-13 17:02:23.000000000 -0500
@@ -47,12 +47,6 @@
 type rpm_script_tmpfs_t;
 files_tmpfs_file(rpm_script_tmpfs_t)
 
-type rpmbuild_t;
-domain_type(rpmbuild_t)
-
-type rpmbuild_exec_t;
-domain_entry_file(rpmbuild_t,rpmbuild_exec_t)
-
 ########################################
 #
 # rpm Local policy
@@ -140,7 +134,7 @@
 corecmd_exec_bin(rpm_t)
 corecmd_exec_sbin(rpm_t)
 # transition to rpm script:
-corecmd_shell_domtrans(rpm_t,rpm_script_t)
+rpm_script_domtrans(rpm_t)
 
 domain_exec_all_entry_files(rpm_t)
 domain_read_all_domains_state(rpm_t)
@@ -369,19 +363,6 @@
 # rpm-build Local policy
 #
 
-# cjp: this looks like dead policy.  nothing
-# can transition to this domain, nor can it
-# really do anything useful.
-
-selinux_get_fs_mount(rpmbuild_t)
-selinux_validate_context(rpmbuild_t)
-selinux_compute_access_vector(rpmbuild_t)
-selinux_compute_create_context(rpmbuild_t)
-selinux_compute_relabel_context(rpmbuild_t)
-selinux_compute_user_contexts(rpmbuild_t)
-
-seutil_read_src_pol(rpmbuild_t)
-
 ifdef(`TODO',`
 
 optional_policy(`cups',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.5/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2005-12-13 15:51:49.000000000 -0500
+++ serefpolicy-2.1.5/policy/modules/kernel/mls.te	2005-12-13 17:02:23.000000000 -0500
@@ -79,6 +79,7 @@
 # these might be targeted_policy only
 range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
 range_transition unconfined_t initrc_exec_t s0;
+range_transition unconfined_t ping_exec_t s0;
 ')
 
 ifdef(`enable_mls',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.1.5/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if	2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.5/policy/modules/services/nis.if	2005-12-13 17:04:12.000000000 -0500
@@ -217,11 +217,11 @@
 #
 interface(`nis_read_ypbind_pid',`
 	gen_require(`
-		type ypbind_t;
+		type ypbind_var_run_t;
 	')
 
 	files_search_pids($1)
-	allow $1 ypbind_t:file r_file_perms;
+	allow $1 ypbind_var_run_t:file r_file_perms;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.1.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2005-12-12 15:35:53.000000000 -0500
+++ serefpolicy-2.1.5/policy/modules/system/libraries.fc	2005-12-13 17:02:23.000000000 -0500
@@ -113,6 +113,7 @@
 /usr/lib(64)?/.*/program/libsvx680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libsoffice\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr(/.*)?/pcsc/drivers(/.*)?/libcm(2020|4000|SCR24x)\.so(\.[^/]*)*  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/firefox.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/mozilla.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sunbird.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
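Review bot: The new pattern `/usr(/.*)?/pcsc/drivers(/.*)?/libcm(2020|4000|SCR24x)\.so(\.[^/]*)*` is far looser than its neighbours: `/usr(/.*)?` matches any depth under /usr, so a same-named file placed anywhere beneath /usr would be labeled `textrel_shlib_t` and gain text-relocation (execmod) rights. If the drivers live under the library directory, anchor it there as the other entries do, e.g. `/usr/lib(64)?/pcsc/drivers(/.*)?/libcm(2020|4000|SCR24x)\.so(\.[^/]*)*`. The whitespace between fields mixes spaces and tabs, unlike the rest of the file.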
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.1.5/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2005-12-13 15:51:50.000000000 -0500
+++ serefpolicy-2.1.5/policy/modules/system/unconfined.te	2005-12-13 17:02:23.000000000 -0500
@@ -118,6 +118,7 @@
 
 	optional_policy(`rpm',`
 		rpm_domtrans(unconfined_t)
+		rpm_script_domtrans(unconfined_t)
 	')
 
 	optional_policy(`samba',`
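Review bot: `rpm_script_domtrans(unconfined_t)` installs a type_transition for `unconfined_t` on the shell entrypoint, because the interface is built on `corecmd_shell_domtrans`, so every shell the unconfined user starts — interactive logins included — would end up in `rpm_script_t`, not only the rpmlib-linked applications the change summary names. Whether that is acceptable depends on `rpm_script_t` being unconfined in the targeted build, which is not visible here, and it changes the domain under which those processes appear in audit logs. Record the intent next to the call, e.g. `# all shells spawned by unconfined_t run as rpm_script_t; relies on rpm_script_t being unconfined in targeted`, or give rpm scripts a dedicated entrypoint type so the transition does not key on the shell.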

* Latest diffs.
@ 2005-12-13 15:48 Daniel J Walsh
  2005-12-13 20:43 ` Christopher J. PeBenito
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2005-12-13 15:48 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux, Stephen Smalley

[-- Attachment #1: Type: text/plain, Size: 1560 bytes --]

Add crond range_transition to run at SystemHigh for MCS policy
Added transition from unconfined_t to run ping at s0.
Which brings up a point, when a transition happens should the 
application continue to run at the same security level that the prev 
context ran at?  Or should all domains start with a default security 
level. 

In current MCS policy if unconfined_t started ping, it would run at the 
with the same mls range as unconfined_t.

Beginning to fix up automounter.  It wants to read sysctl_fs_t.  It also seems 
to exec showmount, which requires additional privs.

allow automount_t self:capability net_bind_service;
allow automount_t portmap_port_t:tcp_socket name_connect;
allow automount_t reserved_port_t:tcp_socket name_connect;
allow automount_t sbin_t:file read;

We probably need a policy for the showmount command, rather then adding 
these rules to automount.  Anyone want to write some policy?

Rules to make dovecot work better.

/var/log/proftpd/ should be marked xferlog

gpm wants to communicate using unix_stream_socket.

More fixes for hal.  Seems hal is now tied into powersaver and needs 
some addtional privs.
Needs to be able to start init scripts.
Added new policy for vbetool, to be execed from hal.

If you need to signal nis, you need to read the pid file.  This is what 
dhcpd does.

spamassassin needs to write to users homedirs in targeted policy.  I 
hate it but, it has to work.

unconfined_t was not able to read textrel_shlib_t.
Added auditallow to show when unconfined_t is running a program that 
requires execmem


-- 



[-- Attachment #2: policy-20051208.patch --]
[-- Type: text/x-patch, Size: 10565 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.4/Makefile
--- nsaserefpolicy/Makefile	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.4/Makefile	2005-12-13 09:15:56.000000000 -0500
@@ -92,7 +92,7 @@
 
 # enable MLS if requested.
 ifneq ($(findstring -mls,$(TYPE)),)
-	override M4PARAM += -D enable_mls
+	override M4PARAM += -D enable_mls -D separate_secadm
 	override CHECKPOLICY += -M
 	override CHECKMODULE += -M
 endif
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/updfstab.te serefpolicy-2.1.4/policy/modules/admin/updfstab.te
--- nsaserefpolicy/policy/modules/admin/updfstab.te	2005-12-12 15:35:53.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/admin/updfstab.te	2005-12-13 09:15:56.000000000 -0500
@@ -32,6 +32,7 @@
 dev_manage_generic_symlinks(updfstab_t)
 
 fs_getattr_xattr_fs(updfstab_t)
+fs_getattr_tmpfs(updfstab_t)
 fs_getattr_tmpfs_dir(updfstab_t)
 fs_search_auto_mountpoints(updfstab_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.4/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/kernel/mls.te	2005-12-13 09:16:43.000000000 -0500
@@ -68,6 +68,7 @@
 ifdef(`enable_mcs',`
 range_transition getty_t login_exec_t s0 - s0:c0.c255;
 range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
 range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
 range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
 range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
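Review bot: `range_transition initrc_t crond_exec_t s0 - s0:c0.c255;` starts crond at the full MCS range, which it needs in order to serve users with any category set, but every job crond spawns inherits that range unless crond itself sets the job's context from the user's range. A comment recording that dependency, e.g. `# crond runs at SystemHigh and must set each job's range itself`, tells a reviewer what to verify whenever cron's MLS handling changes. The enclosing `ifdef(`enable_mcs'` block starts outside the hunk.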
@@ -77,6 +78,7 @@
 # these might be targeted_policy only
 range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
 range_transition unconfined_t initrc_exec_t s0;
+range_transition unconfined_t ping_exec_t s0;
 ')
 
 ifdef(`enable_mls',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.1.4/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2005-12-09 16:09:22.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/automount.te	2005-12-13 09:15:56.000000000 -0500
@@ -58,6 +58,7 @@
 files_create_pid(automount_t,automount_var_run_t)
 
 kernel_read_kernel_sysctl(automount_t)
+kernel_read_fs_sysctl(automount_t)
 kernel_read_proc_symlinks(automount_t)
 kernel_read_system_state(automount_t)
 kernel_list_proc(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.1.4/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/dovecot.te	2005-12-13 09:15:56.000000000 -0500
@@ -153,6 +153,7 @@
 allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 
 allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+allow dovecot_t dovecot_var_run_t:dir r_dir_perms;
 
 kernel_read_all_sysctl(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
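Review bot: `allow dovecot_t dovecot_var_run_t:dir r_dir_perms;` is a `dovecot_t` rule inserted into the `dovecot_auth_t` section — every surrounding line is for `dovecot_auth_t` — so it will be overlooked when the dovecot_t policy is reviewed. Move it to the dovecot_t local policy section earlier in the file, next to the existing pid-directory rules for that domain, and note the reason, e.g. `# dovecot lists its own pid directory`.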
@@ -165,6 +166,8 @@
 files_read_etc_files(dovecot_auth_t)
 files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
 
 libs_use_ld_so(dovecot_auth_t)
 libs_use_shared_libs(dovecot_auth_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-2.1.4/policy/modules/services/ftp.fc
--- nsaserefpolicy/policy/modules/services/ftp.fc	2005-11-25 08:11:11.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/ftp.fc	2005-12-13 09:15:56.000000000 -0500
@@ -24,3 +24,4 @@
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd(/.*)?          gen_context(system_u:object_r:xferlog_t,s0)
\ No newline at end of file
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-2.1.4/policy/modules/services/gpm.te
--- nsaserefpolicy/policy/modules/services/gpm.te	2005-12-12 15:35:53.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/gpm.te	2005-12-13 09:15:56.000000000 -0500
@@ -46,6 +46,8 @@
 
 # cjp: this has no effect
 allow gpm_t gpmctl_t:unix_stream_socket name_bind;
+allow gpm_t self:unix_stream_socket { create_stream_socket_perms };
+
 
 kernel_read_kernel_sysctl(gpm_t)
 kernel_list_proc(gpm_t)
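Review bot: The braces in `allow gpm_t self:unix_stream_socket { create_stream_socket_perms };` are redundant because the macro already expands to a braced permission set; write `allow gpm_t self:unix_stream_socket create_stream_socket_perms;` as the rest of the file does. The hunk also leaves two consecutive blank lines. Since the preceding `name_bind` rule is annotated `cjp: this has no effect`, it is worth checking whether the new rule is what gpm actually needed and whether the stale one should go at the same time.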
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.4/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/hal.te	2005-12-13 09:15:56.000000000 -0500
@@ -21,7 +21,10 @@
 # Local policy
 #
 
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
+# execute openvt which needs setuid
+allow hald_t self:capability setuid;
+
+allow hald_t self:capability { kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
 # vbetool requires execmem
 allow hald_t self:process { execmem signal_perms };
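Review bot: The capability set gains `kill` and `sys_nice` without any explanation, while `setuid` is split out with a comment; `kill` in particular lets hald signal processes it does not own, so the reason should be recorded, e.g. `# kill/sys_nice: hald signals and reprioritises its helper processes` if that is what the denials showed. Splitting one capability into its own rule while adding the others to the existing set is also inconsistent; either comment each capability where it is granted or keep them together.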
@@ -104,9 +107,11 @@
 storage_raw_write_fixed_disk(hald_t)
 
 term_dontaudit_use_console(hald_t)
+dontaudit hald_t tty_device_t:chr_file ioctl;
 
 init_use_fd(hald_t)
 init_use_script_pty(hald_t)
+init_domtrans_script(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
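Review bot: `dontaudit hald_t tty_device_t:chr_file ioctl;` references a type owned by the terminal module directly instead of through a `term_*` interface, which breaks the layering that the adjacent `term_dontaudit_use_console(hald_t)` follows and, in a loadable-module build, needs a `gen_require` for the type. Use the corresponding terminal interface, or at minimum add `gen_require(` type tty_device_t; ')` with a comment naming the ioctl hald issues. `init_domtrans_script(hald_t)` lets hal start any init script; the change summary justifies it, and a `# hal starts power-management init scripts` comment above the call would carry that justification into the policy.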
@@ -143,6 +148,10 @@
 	cups_signal_config(hald_t)
 ')
 
+optional_policy(`clock',`
+	clock_domtrans(hald_t)
+')
+
 optional_policy(`dbus',`
 	dbus_system_bus_client_template(hald,hald_t)
 	dbus_send_system_bus_msg(hald_t)
@@ -176,8 +185,8 @@
 	nscd_use_socket(hald_t)
 ')
 
-optional_policy(`ntp',`
-	ntp_domtrans(hald_t)
+optional_policy(`vbetool',`
+	vbetool_domtrans(hald_t)
 ')
 
 optional_policy(`pcmcia',`
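Review bot: The hunk replaces the `ntp` block with `vbetool` rather than adding alongside it, so `ntp_domtrans(hald_t)` disappears; the change summary describes new privileges for hal but says nothing about dropping ntp, which suggests an accidental edit. If hal no longer needs to run the ntp tool, say so in the message; otherwise keep both: `optional_policy(`ntp',` ntp_domtrans(hald_t) ')` followed by the new vbetool block.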
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.1.4/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if	2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/nis.if	2005-12-13 09:15:56.000000000 -0500
@@ -150,8 +150,10 @@
 interface(`nis_signal_ypbind',`
 	gen_require(`
 		type ypbind_t;
+		type ypbind_var_run_t;
 	')
 
+	allow $1 ypbind_var_run_t:file read;
 	allow $1 ypbind_t:process signal;
 ')
 
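Review bot: `allow $1 ypbind_var_run_t:file read;` is inlined into the signal interface without `files_search_pids($1)`, so the rule is only reachable for callers that can already search /var/run; the `nis_read_ypbind_pid` interface (fixed in the 2005-12-13 22:07 message to use `ypbind_var_run_t`) does include that call. Have `nis_signal_ypbind` call `nis_read_ypbind_pid($1)` instead of duplicating the rule, so pid-file access is granted in one place. The doc block for this interface, above the hunk, should also note that signalling ypbind now implies reading its pid file.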
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.1.4/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/spamassassin.te	2005-12-13 09:15:56.000000000 -0500
@@ -120,6 +120,8 @@
 	term_dontaudit_use_unallocated_tty(spamd_t)
 	term_dontaudit_use_generic_pty(spamd_t)
 	files_dontaudit_read_root_file(spamd_t)
+	allow spamd_t user_home_t:dir create_dir_perms;
+	allow spamd_t user_home_t:file create_file_perms;
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
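Review bot: `allow spamd_t user_home_t:dir create_dir_perms;` and `allow spamd_t user_home_t:file create_file_perms;` let spamd create, delete and rename content in every user's home directory, and they are written as raw rules inside what appears to be the targeted-policy block instead of through the userdom interfaces the rest of the file uses. For a network-facing daemon this is a broad grant; put it behind its own tunable so sites that do not need it can turn it off, and carry the reason from the change summary into the policy, e.g. `# spamd writes into user home dirs in the targeted policy`. The enclosing block starts outside the hunk.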
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vbetool.fc serefpolicy-2.1.4/policy/modules/services/vbetool.fc
--- nsaserefpolicy/policy/modules/services/vbetool.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/vbetool.fc	2005-12-13 09:15:56.000000000 -0500
@@ -0,0 +1 @@
+/usr/sbin/vbetool	--	gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vbetool.if serefpolicy-2.1.4/policy/modules/services/vbetool.if
--- nsaserefpolicy/policy/modules/services/vbetool.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/vbetool.if	2005-12-13 09:15:56.000000000 -0500
@@ -0,0 +1,27 @@
+## <summary>run real-mode video BIOS code to alter hardware state</summary>
+
+########################################
+## <summary>
+##	Execute vbetool application in the vbetool domain.
+## </summary>
+## <param name="domain" optional="true">
+##	N/A
+## </param>
+#
+interface(`vbetool_domtrans',`
+	gen_require(`
+		type vbetool_t, vbetool_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,vbetool_exec_t,vbetool_t)
+
+	allow $1 vbetool_t:fd use;
+	allow vbetool_t $1:fd use;
+	allow vbetool_t $1:fifo_file rw_file_perms;
+	allow vbetool_t $1:process sigchld;
+
+')
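Review bot: The parameter doc `<param name="domain" optional="true">` with the description `N/A` is wrong: `$1` is used in every rule of the body, so the parameter is required, and the description should say what it is. Replace it with `<param name="domain">` and `Domain allowed to transition.`. The stray blank line before the closing `')` should go as well.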
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vbetool.te serefpolicy-2.1.4/policy/modules/services/vbetool.te
--- nsaserefpolicy/policy/modules/services/vbetool.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/services/vbetool.te	2005-12-13 09:15:56.000000000 -0500
@@ -0,0 +1,22 @@
+
+policy_module(vbetool,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vbetool_t;
+type vbetool_exec_t;
+init_system_domain(vbetool_t,vbetool_exec_t)
+
+allow vbetool_t self:process execmem;
+
+dev_wx_raw_memory(vbetool_t)
+dev_read_raw_memory(vbetool_t)
+dev_rwx_zero_dev(vbetool_t)
+dev_read_sysfs(vbetool_t)
+
+libs_use_ld_so(vbetool_t)
+libs_use_shared_libs(vbetool_t)
+
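Review bot: `vbetool_t` is given write access to raw memory (`dev_wx_raw_memory`), read of raw memory and `execmem`, which makes it as powerful as the kernel, yet none of these lines carry a comment and a reader should not have to know that vbetool executes real-mode BIOS code to understand them. Add `# vbetool runs real-mode video BIOS code: needs /dev/mem read/write and executable anonymous memory` above the dev_* block. Opening /dev/mem normally also requires CAP_SYS_RAWIO, so an `allow vbetool_t self:capability sys_rawio;` rule is probably missing — confirm against the denials seen when hald runs it.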
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.1.4/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2005-12-12 23:05:35.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/system/mount.te	2005-12-13 09:15:56.000000000 -0500
@@ -47,6 +47,7 @@
 fs_use_tmpfs_chr_dev(mount_t)
 
 term_use_console(mount_t)
+term_use_generic_pty(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_sbin(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.1.4/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2005-12-12 15:35:54.000000000 -0500
+++ serefpolicy-2.1.4/policy/modules/system/unconfined.if	2005-12-13 09:15:56.000000000 -0500
@@ -29,6 +29,8 @@
 	allow $1 self:dbus *;
 	allow $1 self:passwd *;
 
+	libs_use_shared_libs($1)
+
 	kernel_unconfined($1)
 	corenet_unconfined($1)
 	dev_unconfined($1)
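Review bot: `libs_use_shared_libs($1)` is added to an interface that already calls `files_unconfined($1)`, so the motivation must be a permission files_unconfined does not cover — the change summary's `unconfined_t was not able to read textrel_shlib_t` points at the execmod/text-relocation access this interface grants. Record that next to the call: `# files_unconfined does not cover execmod on textrel_shlib_t`. Without the comment the line looks redundant and invites removal.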
@@ -42,6 +44,7 @@
 		# Allow making anonymous memory executable, e.g. 
 		# for runtime-code generation or executable stack.
 		allow $1 self:process execmem;
+		auditallow $1 self:process execmem;
 	')
 
 	tunable_policy(`allow_execmem && allow_execstack',`
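Review bot: `auditallow $1 self:process execmem;` applies to every domain built with this interface, so each execmem grant in an unconfined process produces an audit record — useful for finding programs that need execmem, but a permanent source of log volume on desktops where unconfined_t runs almost everything. State the purpose and expected lifetime, e.g. `# auditallow: discover which programs need execmem; remove once catalogued`, or gate it with its own tunable so it can be switched off without rebuilding the policy. The enclosing `tunable_policy` block starts outside the hunk.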

* Latest Diffs
@ 2005-09-16 17:43 Daniel J Walsh
  2005-10-20 20:23 ` James Carter
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2005-09-16 17:43 UTC (permalink / raw)
  To: Jim Carter, SELinux

[-- Attachment #1: Type: text/plain, Size: 828 bytes --]

Add can_access_pty macro to handle pty output.

FIxes to make initrc scripts work

Allow login to work with pam_console and alsa

mcs transition rules

Allow users to interact with alsa.

Many fixes for amanda

added nsswitch_domain for any apps that communicate using nsswitch. 
Consolidates can_ypbind, can_ldap, can_resolve, can_winbind.

Allow httpd to run as relay.

FIxes for apmd and audit, bluetooth and automount

More features for hplip under cups.

dovecot needs to be able to write to mail_spool_t

mysql can connect out to other mysql ports.


Added openct, pegusus, readahead policies, roundup

Allow squid to relay additional protocols.

Remove mqueue genfscon entry

Change makefile to default to MCS policy.

Add dhcpd and pegasus ports

remove sysadm_r role from unconfined_t

Add capifs_t support.




-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 73979 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.27.1/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/crond.te	2005-09-16 11:35:39.000000000 -0400
@@ -106,7 +106,7 @@
 
 # Inherit and use descriptors from initrc for anacron.
 allow system_crond_t initrc_t:fd use;
-allow system_crond_t initrc_devpts_t:chr_file { read write };
+can_access_pty(system_crond_t, initrc)
 
 # Use capabilities.
 allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.1/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/fsadm.te	2005-09-16 11:35:39.000000000 -0400
@@ -102,10 +102,10 @@
 allow fsadm_t kernel_t:system syslog_console;
 
 # Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
+can_access_pty(fsadm_t, initrc)
+allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 allow fsadm_t privfd:fd use;
-allow fsadm_t devpts_t:dir { getattr search };
 
 read_locale(fsadm_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.27.1/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/hostname.te	2005-09-16 11:35:39.000000000 -0400
@@ -24,5 +24,5 @@
 ifdef(`distro_redhat', `
 allow hostname_t tmpfs_t:chr_file rw_file_perms;
 ')
-allow hostname_t initrc_devpts_t:chr_file { read write };
+can_access_pty(hostname_t, initrc)
 allow hostname_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.1/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/ifconfig.te	2005-09-16 11:35:39.000000000 -0400
@@ -52,7 +52,8 @@
 allow ifconfig_t self:udp_socket create_socket_perms;
 
 # Access terminals.
-allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ifconfig_t, initrc)
+allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
 
 allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/initrc.te	2005-09-16 11:35:39.000000000 -0400
@@ -214,7 +214,15 @@
 allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
 allow initrc_t self:capability sys_admin;
 allow initrc_t device_t:dir create;
-
+# wants to delete /poweroff and other files 
+allow initrc_t root_t:file unlink;
+# wants to read /.fonts directory
+allow initrc_t default_t:file { getattr read };
+ifdef(`xserver.te', `
+# wants to cleanup xserver log dir
+allow initrc_t xserver_log_t:dir rw_dir_perms;
+allow initrc_t xserver_log_t:file unlink;
+')
 ')dnl end distro_redhat
 
 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
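Review bot: `allow initrc_t default_t:file { getattr read };` grants read on every file carrying the catch-all `default_t` label, not just `/.fonts`; because `default_t` is what files with no matching context receive, the rule silently widens whenever labeling gaps appear. Give `/.fonts` a file context of its own and keep `initrc_t` away from `default_t`. The `root_t:file unlink` rule for `/poweroff` is narrower but would likewise be clearer with a dedicated label for those flag files. The enclosing `distro_redhat` block starts outside the hunk.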
@@ -322,3 +330,6 @@
 ifdef(`dbusd.te', `
 allow initrc_t system_dbusd_var_run_t:sock_file write;
 ')
+
+# Slapd needs to read cert files from its initscript
+r_dir_file(initrc_t, cert_t)
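Review bot: `r_dir_file(initrc_t, cert_t)` is unconditional although its comment says it exists for slapd; the rest of the file gates application-specific rules with `ifdef(`<app>.te', ...)`, as the `dbusd.te` block just above does. Wrap it: `ifdef(`slapd.te', ` r_dir_file(initrc_t, cert_t) ')`. That keeps init-script read access to certificate files off systems that do not ship slapd.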
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.27.1/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/ldconfig.te	2005-09-16 11:35:39.000000000 -0400
@@ -16,7 +16,8 @@
 
 domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
 dontaudit ldconfig_t device_t:dir search;
-allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ldconfig_t, initrc)
+allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
 allow ldconfig_t privfd:fd use;
 
 uses_shlib(ldconfig_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.27.1/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/load_policy.te	2005-09-16 11:35:39.000000000 -0400
@@ -45,11 +45,9 @@
 allow load_policy_t root_t:dir search;
 allow load_policy_t etc_t:dir search;
 
-# Read the devpts root directory (needed?)  
-allow load_policy_t devpts_t:dir r_dir_perms;
-
 # Other access
-allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
+can_access_pty(load_policy_t, initrc)
+allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
 uses_shlib(load_policy_t)
 allow load_policy_t self:capability dac_override;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.27.1/domains/program/login.te
--- nsapolicy/domains/program/login.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/login.te	2005-09-16 11:35:39.000000000 -0400
@@ -62,6 +62,11 @@
 
 ifdef(`pamconsole.te', `
 rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
+')
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
 ')
 
 # Use capabilities
@@ -200,23 +205,20 @@
 # since very weak authentication is used.
 login_spawn_domain(remote_login, unpriv_userdomain)
 
-allow remote_login_t devpts_t:dir search;
 allow remote_login_t userpty_type:chr_file { setattr write };
 
 # Use the pty created by rlogind.
 ifdef(`rlogind.te', `
-allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, rlogind)
 # Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
+allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
 ')
 
 # Use the pty created by telnetd.
 ifdef(`telnetd.te', `
-allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, telnetd)
 # Relabel ptys created by telnetd.
-allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
+allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
 ')
 
 allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
@@ -225,3 +227,8 @@
 # Allow remote login to resolve host names (passed in via the -h switch)
 can_resolve(remote_login_t)
 
+ifdef(`use_mcs', `
+ifdef(`getty.te', `
+range_transition getty_t login_exec_t s0 - s0:c0.c127;
+')
+')
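Review bot: The category range `s0 - s0:c0.c127` is spelled out literally here and again in the sshd, cupsd and su `range_transition` rules elsewhere in this diff, so a change in the number of MCS categories must be made in four places. A single m4 definition shared by these rules, e.g. `define(`mcs_allcats', `s0 - s0:c0.c127')`, would keep them consistent, and a comment stating the intent (`# getty->login gets the full category range so login can set the user's range`) would help readers. Confirm the 128-category figure matches the categories declared by the MCS policy; that declaration is not visible here.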
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.1/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/modutil.te	2005-09-16 11:35:39.000000000 -0400
@@ -59,7 +59,8 @@
 allow depmod_t modules_object_t:file unlink;
 
 # Access terminals.
-allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(depmod_t, initrc)
+allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 
 # Read System.map from home directories.
@@ -97,7 +98,8 @@
 allow insmod_t usr_t:file { getattr read };
 
 allow insmod_t privfd:fd use;
-allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(insmod_t, initrc)
+allow insmod_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
 
 allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
@@ -138,8 +140,9 @@
 
 allow insmod_t fs_t:filesystem getattr;
 allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:dir search;
 allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
+r_dir_file(insmod_t, debugfs_t)
 
 # Rules for /proc/sys/kernel/tainted
 read_sysctl(insmod_t)
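Review bot: `r_dir_file(insmod_t, debugfs_t)` widens insmod's debugfs access from `dir search` to reading every directory and file under debugfs, which exposes kernel internals, while the line above still lets insmod mount it. If the read is needed only for a specific path, a comment naming it (`# insmod reads ... under /sys/kernel/debug`) would justify the grant; otherwise keeping `search` on the dir is tighter. The rest of the insmod_t rules continue outside this hunk.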
@@ -162,7 +165,6 @@
 domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
 can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
 allow insmod_t devtty_t:chr_file rw_file_perms;
-allow update_modules_t devpts_t:dir search;
 allow insmod_t privmodule:process sigchld;
 dontaudit sysadm_t self:capability sys_module;
 
@@ -197,8 +199,8 @@
 
 allow update_modules_t device_t:dir { getattr search };
 allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
-allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-allow update_modules_t devpts_t:dir search;
+can_access_pty(update_modules_t, initrc)
+allow update_modules_t admin_tty_type:chr_file rw_file_perms;
 
 can_exec(update_modules_t, insmod_exec_t)
 allow update_modules_t urandom_device_t:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.27.1/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/mount.te	2005-09-16 11:35:39.000000000 -0400
@@ -16,7 +16,8 @@
 role sysadm_r types mount_t;
 role system_r types mount_t;
 
-allow mount_t { initrc_devpts_t console_device_t }:chr_file { read write };
+can_access_pty(mount_t, initrc)
+allow mount_t console_device_t:chr_file { read write };
 
 domain_auto_trans(initrc_t, mount_exec_t, mount_t)
 allow mount_t init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.27.1/domains/program/netutils.te
--- nsapolicy/domains/program/netutils.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/netutils.te	2005-09-16 11:35:39.000000000 -0400
@@ -55,7 +55,8 @@
 
 # Access terminals.
 allow netutils_t privfd:fd use;
-allow netutils_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(netutils_t, initrc)
+allow netutils_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
 allow netutils_t proc_t:dir search;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.1/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/restorecon.te	2005-09-16 11:35:39.000000000 -0400
@@ -19,7 +19,7 @@
 role sysadm_r types restorecon_t;
 role secadm_r types restorecon_t;
 
-allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
+can_access_pty(restorecon_t, initrc)
 allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
 
 domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.1/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/setfiles.te	2005-09-16 11:35:39.000000000 -0400
@@ -22,7 +22,7 @@
 ifdef(`distro_redhat', `
 domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
 ')
-allow setfiles_t initrc_devpts_t:chr_file { read write ioctl };
+can_access_pty(hostname_t, initrc)
 allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
 
 allow setfiles_t self:unix_dgram_socket create_socket_perms;
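Review bot: The replacement line `can_access_pty(hostname_t, initrc)` names the wrong domain — this is setfiles.te and the rule it replaces was for setfiles_t, so setfiles_t loses its initrc pty access and hostname_t gains it from an unrelated file. It should read `can_access_pty(setfiles_t, initrc)`, matching the sibling restorecon.te change in this diff. If hostname_t genuinely needs the pty, that rule belongs in hostname.te.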
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.27.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/ssh.te	2005-09-16 11:35:39.000000000 -0400
@@ -153,6 +153,7 @@
 #
 sshd_program_domain(sshd)
 if (ssh_sysadm_login) {
+allow sshd_t devpts_t:dir r_dir_perms;
 sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
 } else {
 sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
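Review bot: `allow sshd_t devpts_t:dir r_dir_perms;` is placed inside the `ssh_sysadm_login` branch only, so sshd can read the /dev/pts directory when sysadm login is enabled but not otherwise; nothing in the hunk explains why that access depends on this boolean. If it is needed in both cases it should sit before the `if`, and if `can_access_pty` (added to sshd_t in the next hunk) already grants the dir search, the rule may be redundant — the macro body is not visible here. A short comment stating the dependency would resolve the ambiguity.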
@@ -178,7 +179,7 @@
 allow { sshd_t sshd_extern_t } self:process signal;
 } else {
 ')
-allow { sshd_t sshd_extern_t } initrc_devpts_t:chr_file rw_file_perms;
+can_access_pty({ sshd_t sshd_extern_t }, initrc)
 allow { sshd_t sshd_extern_t } self:capability net_bind_service;
 allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
 
@@ -231,3 +232,6 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
+ifdef(`use_mcs', `
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.1/domains/program/su.te
--- nsapolicy/domains/program/su.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/su.te	2005-09-16 11:35:39.000000000 -0400
@@ -12,3 +12,10 @@
 
 # Everything else is in the su_domain macro in
 # macros/program/su_macros.te.
+
+ifdef(`use_mcs', `
+ifdef(`targeted_policy', `
+range_transition unconfined_t su_exec_t s0 - s0:c0.c127;
+domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
+')
+')
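Review bot: `domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)` is nested under `ifdef(`use_mcs'`, but a domain transition has nothing to do with MCS: on a targeted build without MCS, unconfined_t keeps running su unconfined, while with MCS it is diverted into the confined sysadm_su_t. If the transition is wanted on targeted regardless, move it to a plain `ifdef(`targeted_policy'` block and leave only the `range_transition` under use_mcs; if it is intended only with MCS, a comment saying why would help. Also confirm that sysadm_su_t is authorised for the role unconfined_t runs in — no `role` statement is added here.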
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.1/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/syslogd.te	2005-09-16 11:35:39.000000000 -0400
@@ -33,7 +33,7 @@
 tmp_domain(syslogd)
 
 # read files in /etc
-allow syslogd_t etc_t:file r_file_perms;
+allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
 
 # Use capabilities.
 allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.27.1/domains/program/unused/alsa.te
--- nsapolicy/domains/program/unused/alsa.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/alsa.te	2005-09-16 11:35:39.000000000 -0400
@@ -11,6 +11,8 @@
 allow alsa_t self:unix_stream_socket create_stream_socket_perms;
 allow alsa_t self:unix_dgram_socket create_socket_perms;
 allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
+allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
+
 type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
 rw_dir_create_file(alsa_t,alsa_etc_rw_t)
 allow alsa_t self:capability { setgid setuid ipc_owner };
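Review bot: `create_shm_perms` on the new shm rule lets every unprivileged user domain create, setattr and destroy alsa_t's shared-memory segments (assuming the stock macro definition), so one user can tear down segments another user's session is attached to; the sem rule on the line above is deliberately narrower. Unless users really create the segments, `allow unpriv_userdomain alsa_t:shm { associate unix_read unix_write read write };` mirrors the sem rule. `unix_read` and `unix_write` are already members of create_shm_perms in the usual definition, so listing them separately is redundant.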
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.1/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/amanda.te	2005-09-16 11:35:39.000000000 -0400
@@ -84,7 +84,6 @@
 
 # configuration files -> read only
 allow amanda_t amanda_config_t:file { getattr read };
-allow amanda_t amanda_config_t:dir search;
 
 # access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file { getattr lock read write };
@@ -97,43 +96,18 @@
 allow amanda_t amanda_data_t:file { read write };
 
 # access to proc_t
-allow amanda_t proc_t:dir { getattr search };
 allow amanda_t proc_t:file { getattr read };
 
 # access to etc_t and similar
-allow amanda_t etc_t:dir { getattr search };
 allow amanda_t etc_t:file { getattr read };
 allow amanda_t etc_runtime_t:file { getattr read };
 
-# access to var_t and similar
-allow amanda_t var_t:dir search;
-allow amanda_t var_lib_t:dir search;
-allow amanda_t amanda_var_lib_t:dir search;
-
 # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write };
-allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write };
-
-# access to var_run_t
-allow amanda_t var_run_t:dir search;
-
-# access to var_log_t
-allow amanda_t var_log_t:dir getattr;
-
-# access to var_spool_t
-allow amanda_t var_spool_t:dir getattr;
-
-# access to amanda_usr_lib_t
-allow amanda_t amanda_usr_lib_t:dir search;
+rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
 
 # access to device_t and similar
-allow amanda_t device_t:dir search;
-allow amanda_t devpts_t:dir getattr;
 allow amanda_t devtty_t:chr_file { read write };
 
-# access to boot_t
-allow amanda_t boot_t:dir getattr;
-
 # access to fs_t
 allow amanda_t fs_t:filesystem getattr;
 
@@ -192,18 +166,8 @@
 ########################
 
 # access to user_home_t
-allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read };
 allow amanda_t user_home_type:file { getattr read };
 
-# access to file_t ( /floppy, /cdrom )
-allow amanda_t mnt_t:dir getattr;
-
-###########
-# Dontaudit
-###########
-dontaudit amanda_t lost_found_t:dir { getattr read };
-	
-	
 ##############################################################################
 # AMANDA RECOVER DECLARATIONS
 ##############################################################################
@@ -301,22 +265,17 @@
 #
 allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
 
-allow amanda_t file_type:dir {getattr read search };
+#amanda needs to look at fs_type directories to decide whether it should backup
+allow amanda_t { fs_type file_type }:dir {getattr read search };
 allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
 allow amanda_t device_type:{ blk_file chr_file } getattr;
 allow amanda_t fixed_disk_device_t:blk_file read;
 domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
 
-dontaudit amanda_t file_type:sock_file getattr;
+allow amanda_t file_type:sock_file getattr;
 logdir_domain(amanda)
 
-dontaudit amanda_t autofs_t:dir { getattr read search };
-dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
-dontaudit amanda_t nfs_t:dir { getattr read };
-dontaudit amanda_t proc_t:dir read;
 dontaudit amanda_t proc_t:lnk_file read;
-dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
-dontaudit amanda_t security_t:dir { getattr read };
-dontaudit amanda_t sysfs_t:dir { getattr read };
 dontaudit amanda_t unlabeled_t:file getattr;
-dontaudit amanda_t usbfs_t:dir getattr;
+#amanda wants to check attributes on fifo_files
+allow amanda_t file_type:fifo_file getattr;
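Review bot: Turning `dontaudit amanda_t file_type:sock_file getattr` into `allow`, and replacing the per-filesystem dontaudits (autofs_t, nfs_t, proc_t, rpc_pipefs_t, security_t, sysfs_t, usbfs_t) with `allow amanda_t { fs_type file_type }:dir { getattr read search }`, converts silent denials into real grants: if those types carry fs_type, amanda_t can now list directories on every labeled filesystem, including selinuxfs and proc. That is probably acceptable for a backup client, but the comment should say so explicitly, e.g. `# amanda walks every filesystem, including pseudo-filesystems, to decide what to back up; read on fs_type dirs is intentional`. Only the proc_t lnk_file and unlabeled_t file dontaudits remain hidden after this change.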
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.27.1/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/anaconda.te	2005-09-16 11:35:39.000000000 -0400
@@ -17,11 +17,6 @@
 role system_r types ldconfig_t;
 domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
 
-ifdef(`su.te', `
-role system_r types sysadm_su_t;
-domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
-')
-
 # Run other rc scripts in the anaconda_t domain.
 domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/apache.te	2005-09-16 11:35:39.000000000 -0400
@@ -113,9 +113,12 @@
 can_network_server(httpd_t)
 can_kerberos(httpd_t)
 can_resolve(httpd_t)
-can_ypbind(httpd_t)
-can_ldap(httpd_t)
+nsswitch_domain(httpd_t)
 allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+# allow httpd to connect to mysql/posgresql 
+allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
+# allow httpd to work as a relay
+allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
 
 if (httpd_can_network_connect) {
 can_network_client(httpd_t)
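Review bot: The two new `name_connect` rules for database and relay ports are unconditional, while the very next line gates general client networking on `httpd_can_network_connect`; a compromised httpd can therefore reach mysql/postgres and the web/ftp/gopher ports even on systems that keep that boolean off. Wrapping each in its own tunable, declared alongside the existing boolean (not visible here), keeps the default closed; the comment typo `posgresql` should also read `postgresql`. The sketch below shows the shape.
```selinux
# ... unchanged: name_bind on http ports ...
if (httpd_can_network_connect_db) {
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
}
if (httpd_can_network_relay) {
allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
}
```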
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.1/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/apmd.te	2005-09-16 11:35:39.000000000 -0400
@@ -47,6 +47,7 @@
 
 # acpid also has a logfile
 log_domain(apmd)
+tmp_domain(apmd)
 
 ifdef(`distro_suse', `
 var_lib_domain(apmd)
@@ -140,3 +141,10 @@
 allow apmd_t user_tty_type:chr_file rw_file_perms;
 # Access /dev/apm_bios.
 allow initrc_t apm_bios_t:chr_file { setattr getattr read };
+
+ifdef(`logrotate.te', `
+allow apmd_t logrotate_t:fd use;
+')dnl end if logrotate.te
+allow apmd_t devpts_t:dir { getattr search };
+allow apmd_t security_t:dir search;
+r_dir_file(apmd_t, usr_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.1/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/auditd.te	2005-09-16 11:35:39.000000000 -0400
@@ -65,3 +65,5 @@
 allow auditctl_t privfd:fd use;
 
 
+allow auditd_t sbin_t:dir search;
+can_exec(auditd_t, sbin_t)
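Review bot: `can_exec(auditd_t, sbin_t)` lets auditd run any binary labeled sbin_t in its own, highly privileged domain, and nothing says which program it needs. If this is for the audit dispatcher or a similar helper, a dedicated exec type with a domain transition contains it; at minimum a comment naming the binary, `# auditd executes /sbin/<helper>`, would let a reviewer judge the grant. The `sbin_t:dir search` on the line above is fine on its own.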
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.27.1/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/automount.te	2005-09-16 11:35:39.000000000 -0400
@@ -34,7 +34,9 @@
 can_exec(automount_t, { etc_t automount_etc_t })
 
 can_network_server(automount_t)
+can_resolve(automount_t)
 can_ypbind(automount_t)
+can_ldap(automount_t)
 
 ifdef(`fsadm.te', `
 domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
@@ -56,6 +58,7 @@
 
 allow automount_t { bin_t sbin_t }:dir search;
 can_exec(automount_t, mount_exec_t)
+can_exec(automount_t, shell_exec_t)
 
 allow mount_t autofs_t:dir getattr;
 dontaudit automount_t var_t:dir write;
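Review bot: `can_exec(automount_t, shell_exec_t)` means any shell script automount launches runs in automount_t with its networking, ldap and fsadm-transition privileges; the earlier rule `can_exec(automount_t, { etc_t automount_etc_t })` (visible in the previous hunk) already lets it run executable maps the same way. A comment naming what needs the shell, e.g. `# program maps are shell scripts`, would document the intent; if only the mount helper needs it, the existing transition via mount_exec_t on the line above is the narrower path.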
@@ -73,3 +76,4 @@
 
 allow automount_t var_lib_t:dir search;
 allow automount_t var_lib_nfs_t:dir search;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.1/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-09-16 11:35:39.000000000 -0400
@@ -11,11 +11,16 @@
 daemon_domain(bluetooth)
 
 file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
+file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
 
 tmp_domain(bluetooth)
 
 # Use capabilities.
 allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:process getsched;
+allow bluetooth_t proc_t:file { getattr read };
+
+allow bluetooth_t self:shm create_shm_perms;
 
 lock_domain(bluetooth)
 
@@ -35,6 +40,7 @@
 
 # bluetooth_conf_t is the type of the /etc/bluetooth dir.
 type bluetooth_conf_t, file_type, sysadmfile;
+type bluetooth_conf_rw_t, file_type, sysadmfile;
 
 # Read /etc/bluetooth
 allow bluetooth_t bluetooth_conf_t:dir search;
@@ -44,5 +50,14 @@
 allow bluetooth_t usbfs_t:dir r_dir_perms;
 allow bluetooth_t usbfs_t:file rw_file_perms; 
 allow bluetooth_t bin_t:dir search;
-can_exec(bluetooth_t, bin_t)
+can_exec(bluetooth_t, { bin_t shell_exec_t })
+allow bluetooth_t bin_t:lnk_file read;
+
+#Handle bluetooth serial devices
+allow bluetooth_t tty_device_t:chr_file rw_file_perms;
+allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t etc_t:file { getattr read };
+r_dir_file(bluetooth_t, fonts_t)
+allow bluetooth_t urandom_device_t:chr_file r_file_perms;
+allow bluetooth_t usr_t:file { getattr read };
 
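Review bot: `allow bluetooth_t tty_device_t:chr_file rw_file_perms;` grants read/write on every tty device, not just the Bluetooth serial ports the `#Handle bluetooth serial devices` comment refers to. If the devices in question are rfcomm ttys, a dedicated type with its own file context would keep bluetooth_t away from console and serial-login ttys; otherwise the comment should state that all ttys are intended. `r_dir_file(bluetooth_t, fonts_t)` for a daemon is surprising and also deserves a why-comment.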
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/cups.te	2005-09-16 11:35:39.000000000 -0400
@@ -188,6 +188,7 @@
 # Uses networking to talk to the daemons
 allow hplip_t self:unix_dgram_socket create_socket_perms;
 allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:rawip_socket create_socket_perms;
 
 # for python
 can_exec(hplip_t, bin_t)
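Review bot: `allow hplip_t self:rawip_socket create_socket_perms;` gives the HP printer daemon raw IP sockets without stating why; if it probes network printers with ICMP, a comment such as `# hplip pings network printers (raw ICMP)` documents the intent. The matching `net_raw` capability is not added in this hunk — confirm hplip_t already carries it, or the socket creation will still be denied. The surrounding hplip_t rules continue outside this hunk.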
@@ -196,6 +197,9 @@
 allow hplip_t proc_t:file r_file_perms;
 allow hplip_t urandom_device_t:chr_file { getattr read };
 allow hplip_t usr_t:{ file lnk_file } r_file_perms;
+allow hplip_t devpts_t:dir search;
+allow hplip_t devpts_t:chr_file { getattr ioctl };
+
 
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
@@ -231,12 +235,13 @@
 allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
 can_ps(cupsd_config_t, cupsd_t)
 
-allow cupsd_config_t self:capability chown;
+allow cupsd_config_t self:capability { chown sys_tty_config };
 
 rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
 rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
 file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
+allow cupsd_config_t var_t:lnk_file read;
 
 can_network_tcp(cupsd_config_t)
 can_ypbind(cupsd_config_t)
@@ -311,3 +316,7 @@
 r_dir_file(cupsd_lpd_t, cupsd_etc_t)
 r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
 allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
+ifdef(`use_mcs', `
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c127;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.27.1/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/cyrus.te	2005-09-16 11:35:39.000000000 -0400
@@ -42,7 +42,7 @@
 create_dir_file(cyrus_t, mail_spool_t)
 allow cyrus_t var_spool_t:dir search;
 
-ifdef(`saslaudthd.te', `
+ifdef(`saslauthd.te', `
 allow cyrus_t saslauthd_var_run_t:dir search;
 allow cyrus_t saslauthd_var_run_t:sock_file { read write };
 allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.1/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te	2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/dbusd.te	2005-09-16 11:35:39.000000000 -0400
@@ -12,7 +12,7 @@
 
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 allow system_dbusd_t self:capability { dac_override setgid setuid };
-can_ypbind(system_dbusd_t)
+nsswitch_domain(system_dbusd_t)
 
 # I expect we need more than this
 
@@ -23,3 +23,5 @@
 can_exec(system_dbusd_t, sbin_t)
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:unix_stream_socket connectto;
+allow system_dbusd_t self:unix_stream_socket connectto;
+allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
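Review bot: The added line `allow system_dbusd_t self:unix_stream_socket connectto;` duplicates the context line immediately above it and should be dropped. The `netlink_audit_socket` rule with `nlmsg_relay` lets dbus relay audit records; if that is for dbus's own AVC/audit reporting, a comment `# dbus sends its own audit messages` would say so, and the kernel may additionally require the audit_write capability for nlmsg_relay, which this hunk does not grant — confirm against the rest of the file.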
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.27.1/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/dhcpc.te	2005-09-16 11:35:39.000000000 -0400
@@ -134,7 +134,6 @@
 allow dhcpc_t home_root_t:dir search;
 allow initrc_t dhcpc_state_t:file { getattr read };
 dontaudit dhcpc_t var_lock_t:dir search;
-dontaudit dhcpc_t selinux_config_t:dir search;
 allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit dhcpc_t domain:dir getattr;
 allow dhcpc_t initrc_var_run_t:file rw_file_perms;
@@ -145,6 +144,7 @@
 ifdef(`ypbind.te', `
 domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
 allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
+allow dhcpc_t ypbind_t:process signal;
 ')
 ifdef(`ntpd.te', `
 domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.1/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/dovecot.te	2005-09-16 11:35:39.000000000 -0400
@@ -43,7 +43,9 @@
 can_kerberos(dovecot_t)
 
 allow dovecot_t tmp_t:dir search;
-rw_dir_file(dovecot_t, mail_spool_t)
+rw_dir_create_file(dovecot_t, mail_spool_t)
+
+
 create_dir_file(dovecot_t, dovecot_spool_t)
 create_dir_file(mta_delivery_agent, dovecot_spool_t)
 allow dovecot_t mail_spool_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.27.1/domains/program/unused/hwclock.te
--- nsapolicy/domains/program/unused/hwclock.te	2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/hwclock.te	2005-09-16 11:35:39.000000000 -0400
@@ -47,3 +46,4 @@
 # for when /usr is not mounted
 dontaudit hwclock_t file_t:dir search;
 allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+r_dir_file(hwclock_t, etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.1/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/kudzu.te	2005-09-16 11:35:39.000000000 -0400
@@ -20,7 +20,7 @@
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read unlink };
+allow kudzu_t modules_conf_t:file { getattr read unlink rename };
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
 allow kudzu_t mouse_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.1/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/mta.te	2005-09-16 11:35:39.000000000 -0400
@@ -72,3 +72,7 @@
 
 allow system_mail_t etc_runtime_t:file { getattr read };
 allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
+ifdef(`targeted_policy', `
+typealias system_mail_t alias sysadm_mail_t;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.1/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te	2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/mysqld.te	2005-09-16 11:35:39.000000000 -0400
@@ -12,7 +12,7 @@
 #
 daemon_domain(mysqld, `, nscd_client_domain')
 
-allow mysqld_t mysqld_port_t:tcp_socket name_bind;
+allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
 
 allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
 
@@ -42,7 +42,7 @@
 create_dir_file(mysqld_t, mysqld_db_t)
 allow mysqld_t var_lib_t:dir { getattr search };
 
-can_network_server(mysqld_t)
+can_network(mysqld_t)
 can_ypbind(mysqld_t)
 
 # read config files
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.27.1/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/NetworkManager.te	2005-09-16 11:35:39.000000000 -0400
@@ -11,7 +11,7 @@
 # NetworkManager_t is the domain for the NetworkManager daemon. 
 # NetworkManager_exec_t is the type of the NetworkManager executable.
 #
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
 
 can_network(NetworkManager_t)
 allow NetworkManager_t port_type:tcp_socket name_connect;
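Review bot: Adding `mlsfileread` to NetworkManager_t's attribute list exempts it from the MLS read-down constraint, so on an MLS build it can read files at any sensitivity level, and the hunk gives no reason. A comment naming the file(s) at other levels it needs, `# mlsfileread: reads ... regardless of level`, should accompany it, and if a single type is involved a narrower override may suffice. NetworkManager_t already carries privsysmod and `can_network` with `port_type` name_connect, so this is a meaningful accumulation of privilege.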
@@ -109,3 +109,4 @@
 ')
 allow NetworkManager_t var_lib_t:dir search;
 dontaudit NetworkManager_t user_tty_type:chr_file { read write };
+dontaudit NetworkManager_t security_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.1/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/ntpd.te	2005-09-16 11:35:39.000000000 -0400
@@ -54,7 +54,7 @@
 # for cron jobs
 # system_crond_t is not right, cron is not doing what it should
 ifdef(`crond.te', `
-system_crond_entry(ntpd_exec_t, ntpd_t)
+system_crond_entry(ntpdate_exec_t, ntpd_t)
 ')
 
 can_exec(ntpd_t, initrc_exec_t)
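Review bot: `system_crond_entry(ntpdate_exec_t, ntpd_t)` replaces the ntpd_exec_t entry rather than adding a second one, so a cron job that runs ntpd itself no longer transitions into ntpd_t; if both are wanted, keep both lines. Confirm ntpdate_exec_t is declared elsewhere (not visible here). Given the existing comment that cron is not doing what it should, a note on which cron job this entry serves would help the next reader.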
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openct.te policy-1.27.1/domains/program/unused/openct.te
--- nsapolicy/domains/program/unused/openct.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/domains/program/unused/openct.te	2005-09-16 11:35:39.000000000 -0400
@@ -0,0 +1,16 @@
+#DESC openct - read files in page cache 
+#
+# Author: Dan Walsh (dwalsh@redhat.com)
+#
+
+#################################
+#
+# Declarations for openct
+#
+
+daemon_domain(openct)
+#
+# openct asks for these
+#
+rw_dir_file(openct_t, usbfs_t)
+allow openct_t etc_t:file r_file_perms;
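Review bot: The `#DESC openct - read files in page cache` header is copied from readahead.te (the same text appears in the new readahead.te in this diff) and does not describe openct, which as far as I know is a smart-card reader daemon; suggest `#DESC openct - OpenCT smart card terminal daemon`. The `rw_dir_file(openct_t, usbfs_t)` grant is plausible for USB readers but a comment naming its purpose would help, since "openct asks for these" does not explain it.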
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.1/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/pamconsole.te	2005-09-16 11:35:39.000000000 -0400
@@ -25,6 +25,7 @@
 # for /var/run/console.lock checking
 allow pam_console_t { var_t var_run_t }:dir search;
 r_dir_file(pam_console_t, pam_var_console_t)
+dontaudit pam_console_t pam_var_console_t:file write;
 
 # Allow to set attributes on /dev entries
 allow pam_console_t device_t:dir { getattr read };
@@ -48,3 +49,4 @@
 allow initrc_t pam_var_console_t:dir rw_dir_perms;
 allow initrc_t pam_var_console_t:file unlink;
 allow pam_console_t file_context_t:file { getattr read };
+nsswitch_domain(pam_console_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.1/domains/program/unused/pegasus.te
--- nsapolicy/domains/program/unused/pegasus.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/domains/program/unused/pegasus.te	2005-09-16 11:35:39.000000000 -0400
@@ -0,0 +1,31 @@
+#DESC pegasus - The Open Group Pegasus CIM/WBEM Server 
+#
+# Author:  Jason Vas Dias <jvdias@redhat.com>
+# Package: tog-pegasus
+# 
+#################################
+#
+# Rules for the pegasus domain
+#
+daemon_domain(pegasus, `, nscd_client_domain')
+type pegasus_data_t, file_type, sysadmfile;
+type pegasus_conf_t, file_type, sysadmfile;
+type pegasus_mof_t, file_type, sysadmfile;
+type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
+allow pegasus_t self:capability { dac_override net_bind_service }; 
+can_network_tcp(pegasus_t);
+nsswitch_domain(pegasus_t);
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
+allow pegasus_t proc_t:file { getattr read };
+allow pegasus_t sysctl_vm_t:dir search;
+allow pegasus_t initrc_var_run_t:file { read write lock };
+allow pegasus_t urandom_device_t:chr_file { getattr read };
+r_dir_file(pegasus_t, etc_t)
+r_dir_file(pegasus_t, var_lib_t)
+r_dir_file(pegasus_t, pegasus_mof_t)
+rw_dir_create_file(pegasus_t, pegasus_conf_t)
+rw_dir_create_file(pegasus_t, pegasus_data_t)
+rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
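Review bot: `rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)` on the last line uses a file type as the subject; the macro's first argument is a domain, and nothing in this file defines a domain that executes pegasus_conf_exec_t, so the expanded rules apply to no process. Either the intent was `rw_dir_create_file(pegasus_t, pegasus_conf_t)`, already present two lines above, or a separate domain with a transition from pegasus_t on pegasus_conf_exec_t should be declared. The trailing semicolons on `can_network_tcp(pegasus_t);` and `nsswitch_domain(pegasus_t);` are not used on any other macro call in this diff and may leave a stray `;` after m4 expansion.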
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.1/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/unused/postfix.te	2005-09-16 11:35:39.000000000 -0400
@@ -329,7 +329,8 @@
 domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
 ')
 ifdef(`sendmail.te', `
-allow sendmail_t postfix_etc_t:dir search;
+r_dir_file(sendmail_t, postfix_etc_t)
+allow sendmail_t postfix_spool_t:dir search;
 ')
 
 # Program for creating database files
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.1/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/pppd.te	2005-09-16 11:35:39.000000000 -0400
@@ -54,6 +54,7 @@
 can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
 allow pppd_t { bin_t sbin_t }:dir search;
 allow pppd_t { sbin_t bin_t }:lnk_file read;
+dontaudit  ifconfig_t pppd_t:fd use;
 
 # Access /dev/ppp.
 allow pppd_t ppp_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.1/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/procmail.te	2005-09-16 11:35:39.000000000 -0400
@@ -19,8 +19,7 @@
 uses_shlib(procmail_t)
 allow procmail_t device_t:dir search;
 can_network_server(procmail_t)
-can_ypbind(procmail_t)
-can_winbind(procmail_t)
+nsswitch_domain(procmail_t)
 
 allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/readahead.te policy-1.27.1/domains/program/unused/readahead.te
--- nsapolicy/domains/program/unused/readahead.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/domains/program/unused/readahead.te	2005-09-16 11:35:39.000000000 -0400
@@ -0,0 +1,21 @@
+#DESC readahead - read files in page cache 
+#
+# Author: Dan Walsh (dwalsh@redhat.com)
+#
+
+#################################
+#
+# Declarations for readahead
+#
+
+daemon_domain(readahead)
+#
+# readahead asks for these
+#
+allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };
+allow readahead_t { file_type -secure_file_type }:dir r_dir_perms;
+dontaudit readahead_t shadow_t:file { getattr read };
+allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr;
+dontaudit readahead_t file_type:sock_file getattr;
+allow readahead_t proc_t:file { getattr read };
+dontaudit readahead_t device_type:blk_file read;
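Review bot: `allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };` makes readahead_t able to read every file whose type is not tagged secure_file_type, so the safety of this domain rests entirely on that attribute covering every secret-bearing type (private keys, credentials); the explicit `dontaudit readahead_t shadow_t:file` suggests shadow_t is already in that set. A comment stating the dependency, `# relies on secure_file_type covering all sensitive types; anything else is readable`, and a check that host-key and credential types carry the attribute would be prudent. Since readahead only needs to warm the page cache for a configured list of files, a narrower set of types is worth considering if practical.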
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/roundup.te policy-1.27.1/domains/program/unused/roundup.te
--- nsapolicy/domains/program/unused/roundup.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/domains/program/unused/roundup.te	2005-09-16 11:35:39.000000000 -0400
@@ -0,0 +1,29 @@
+# Roundup Issue Tracking System
+#
+# Authors:  W. Michael Petullo <redhat@flyn.org
+#
+daemon_domain(roundup)
+var_lib_domain(roundup)
+can_network(roundup_t)
+allow roundup_t http_cache_port_t:tcp_socket name_bind;
+allow roundup_t smtp_port_t:tcp_socket name_connect;
+
+# execute python
+allow roundup_t bin_t:dir r_dir_perms;
+can_exec(roundup_t, bin_t)
+allow roundup_t bin_t:lnk_file read;
+
+allow roundup_t self:capability { setgid setuid };
+
+allow roundup_t self:unix_stream_socket create_stream_socket_perms;
+
+ifdef(`mysqld.te', `
+allow roundup_t mysqld_db_t:dir search;
+allow roundup_t mysqld_var_run_t:sock_file write;
+allow roundup_t mysqld_t:unix_stream_socket connectto;
+')
+
+# /usr/share/mysql/charsets/Index.xml
+allow roundup_t usr_t:file { getattr read };
+allow roundup_t urandom_device_t:chr_file { getattr read };
+allow roundup_t etc_t:file { getattr read };
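Review bot: `allow roundup_t self:capability { setgid setuid };` is granted to a network-facing daemon that also has `can_network(roundup_t)` and `can_exec(roundup_t, bin_t)`, with no comment stating why the capabilities are needed. If the reason is that roundup-server drops privileges after binding its port, say so: `# roundup-server changes uid/gid after start-up — TODO confirm against roundup's init`. Separately, the author line `<redhat@flyn.org` is missing its closing bracket, which would be fixed in the same pass.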
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.27.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/rpcd.te	2005-09-16 11:35:39.000000000 -0400
@@ -19,7 +19,7 @@
 can_network($1_t)
 allow $1_t port_type:tcp_socket name_connect;
 can_ypbind($1_t)
-allow $1_t etc_t:file { getattr read };
+allow $1_t { etc_runtime_t etc_t }:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
 dontaudit $1_t self:capability net_admin;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.27.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-09-16 11:17:10.000000000 -0400
+++ policy-1.27.1/domains/program/unused/samba.te	2005-09-16 11:35:39.000000000 -0400
@@ -25,6 +25,9 @@
 # not sure why it needs this
 tmp_domain(smbd)
 
+# Allow samba to search mnt_t for potential mounted dirs
+allow smbd_t mnt_t:dir r_dir_perms;
+
 ifdef(`crond.te', `
 allow system_crond_t samba_etc_t:file { read getattr lock };
 allow system_crond_t samba_log_t:file { read getattr lock };
@@ -47,9 +50,8 @@
 
 # Use the network.
 can_network(smbd_t)
-can_ldap(smbd_t)
+nsswitch_domain(smbd_t)
 can_kerberos(smbd_t)
-can_winbind(smbd_t)
 allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
@@ -75,6 +77,11 @@
 allow smbd_t samba_log_t:dir ra_dir_perms;
 dontaudit smbd_t samba_log_t:dir remove_name;
 
+ifdef(`hide_broken_symptoms', `
+dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
+dontaudit smbd_t devpts_t:dir getattr;
+')
+
 allow smbd_t usr_t:file { getattr read };
 
 # Access Samba shares.
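Review bot: The second added `dontaudit smbd_t devpts_t:dir getattr;` is redundant, since devpts_t is already in the set on the preceding line `dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;`; drop the second line. The `hide_broken_symptoms` block also silences getattr denials on boot_t and tmpfs_t for smbd_t, and this series enables that tunable by default in tunable.tun, so these denials will disappear from audit logs on every build; a short comment naming the known-broken behaviour being hidden would help anyone later auditing smbd activity.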
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.1/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/snmpd.te	2005-09-16 11:35:39.000000000 -0400
@@ -22,8 +22,9 @@
 
 # for the .index file
 var_lib_domain(snmpd)
-file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
+file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
 file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
+allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
 
 log_domain(snmpd)
 # for /usr/share/snmp/mibs
@@ -33,7 +34,7 @@
 can_udp_send(snmpd_t, sysadm_t)
 
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
 allow snmpd_t etc_t:lnk_file read;
 allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
 allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.27.1/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/unused/squid.te	2005-09-16 11:35:39.000000000 -0400
@@ -60,7 +60,7 @@
 can_tcp_connect(web_client_domain, squid_t)
 
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
+allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind;
 allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
 
 # to allow running programs from /usr/lib/squid (IE unlinkd)
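Review bot: The comment `# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)` no longer describes the rule beneath it, which now lets squid_t `name_bind` to http_port_t, ftp_port_t and gopher_port_t on both TCP and UDP as well. Binding to http_port_t means a confined squid can listen as the machine's general web server, which is a real change in the domain's footprint rather than a cache-port fix. Update the comment to state the intent, e.g. `# squid may listen on the http/ftp/gopher service ports as well as its cache ports (accelerator/transparent setups)`, or if only TCP listening is required, restrict the new port types to tcp_socket and keep udp_socket for http_cache_port_t alone.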
@@ -81,4 +81,5 @@
 ifdef(`winbind.te', `
 domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
 allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
+allow winbind_helper_t squid_log_t:file ra_file_perms;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.1/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2005-09-16 11:17:10.000000000 -0400
+++ policy-1.27.1/domains/program/unused/udev.te	2005-09-16 11:35:39.000000000 -0400
@@ -140,7 +140,13 @@
 r_dir_file(udev_t, domain)
 allow udev_t modules_dep_t:file r_file_perms;
 
+nsswitch_domain(udev_t)
+
 ifdef(`unlimitedUtils', `
 unconfined_domain(udev_t) 
 ')
 dontaudit hostname_t udev_t:fd use;
+ifdef(`use_mcs', `
+range_transition kernel_t udev_exec_t s0 - s0:c0.c127;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c127;
+')
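Review bot: The literal range `s0 - s0:c0.c127` in `range_transition kernel_t udev_exec_t s0 - s0:c0.c127;` is repeated in this series in strict xdm.te, targeted ssh.te and targeted xdm.te, and the Makefile's MCS conversion sed also hard-codes it; a single m4 macro for the full category range would keep these in step if the category count changes. Each of these transitions hands the daemon the full MCS clearance, which is presumably required for a login/session manager but is not commented anywhere; `# login-path daemons need the full category range to start sessions at any MCS label` at the first site would document it. Note also that this hunk's `nsswitch_domain(udev_t)` is a new grant, not a replacement.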
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.27.1/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/unused/winbind.te	2005-09-16 11:35:39.000000000 -0400
@@ -44,6 +44,7 @@
 r_dir_file(winbind_t, samba_etc_t)
 allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
 allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_helper_t samba_var_t:dir search;
 allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
 can_winbind(winbind_helper_t)
 allow winbind_helper_t privfd:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.27.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/xdm.te	2005-09-16 11:35:39.000000000 -0400
@@ -371,3 +371,6 @@
 dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
 
 #### Also see xdm_macros.te
+ifdef(`use_mcs', `
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.27.1/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/ypserv.te	2005-09-16 11:35:39.000000000 -0400
@@ -39,3 +39,4 @@
 ')
 allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
 dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_exec(ypserv_t, bin_t)
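Review bot: `can_exec(ypserv_t, bin_t)` lets ypserv execute any bin_t program, while the companion ypserv.fc hunk labels `/usr/lib/yp/.+` as bin_t; together they grant far more than the helper scripts in /usr/lib/yp that presumably motivated the change. A dedicated exec type (for example a `ypserv_helper_exec_t`-style type declared alongside ypserv_exec_t) applied to `/usr/lib/yp/.+` with `can_exec(ypserv_t, <that type>)` would confine the daemon to its own helpers. If bin_t is nevertheless intended, a comment such as `# /usr/lib/yp/* map-build helpers are labelled bin_t` at the rule would record that decision.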
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.27.1/domains/program/useradd.te
--- nsapolicy/domains/program/useradd.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/useradd.te	2005-09-16 11:35:39.000000000 -0400
@@ -67,6 +67,7 @@
 
 # for when /root is the cwd
 dontaudit $1_t sysadm_home_dir_t:dir search;
+nsswitch_domain($1_t)
 ')
 user_group_add_program(useradd)
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.27.1/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/file_contexts/distros.fc	2005-09-16 11:35:39.000000000 -0400
@@ -99,6 +99,7 @@
 /usr/lib(64)?/.*/program/librecentfile\.so 	--  system_u:object_r:texrel_shlib_t
 /usr/lib(64)?/.*/program/libsvx680li\.so	--  system_u:object_r:texrel_shlib_t
 /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so  	--  system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsoffice\.so  	--  system_u:object_r:texrel_shlib_t
 
 # Fedora Extras packages: ladspa, imlib2, ocaml
 /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.27.1/file_contexts/program/bluetooth.fc
--- nsapolicy/file_contexts/program/bluetooth.fc	2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/file_contexts/program/bluetooth.fc	2005-09-16 11:35:39.000000000 -0400
@@ -1,5 +1,6 @@
 # bluetooth
 /etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t
+/etc/bluetooth/link_key		system_u:object_r:bluetooth_conf_rw_t
 /usr/bin/rfcomm		--	system_u:object_r:bluetooth_exec_t
 /usr/sbin/hcid		--	system_u:object_r:bluetooth_exec_t
 /usr/sbin/sdpd		--	system_u:object_r:bluetooth_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.27.1/file_contexts/program/dhcpc.fc
--- nsapolicy/file_contexts/program/dhcpc.fc	2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/file_contexts/program/dhcpc.fc	2005-09-16 11:35:39.000000000 -0400
@@ -4,6 +4,7 @@
 /etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t
 /etc/dhclient-script	--	system_u:object_r:dhcp_etc_t
 /sbin/dhcpcd		--	system_u:object_r:dhcpc_exec_t
+/sbin/dhcdbd		--	system_u:object_r:dhcpc_exec_t
 /sbin/dhclient.*	--	system_u:object_r:dhcpc_exec_t
 /var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t
 /var/lib/dhcpcd(/.*)?		system_u:object_r:dhcpc_state_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.27.1/file_contexts/program/ipsec.fc
--- nsapolicy/file_contexts/program/ipsec.fc	2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/file_contexts/program/ipsec.fc	2005-09-16 11:35:39.000000000 -0400
@@ -21,6 +21,7 @@
 /usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
 /var/run/pluto(/.*)?		system_u:object_r:ipsec_var_run_t
+/var/racoon(/.*)?		system_u:object_r:ipsec_var_run_t
 
 # Kame
 /usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/openct.fc policy-1.27.1/file_contexts/program/openct.fc
--- nsapolicy/file_contexts/program/openct.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/file_contexts/program/openct.fc	2005-09-16 11:35:39.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t
+/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pegasus.fc policy-1.27.1/file_contexts/program/pegasus.fc
--- nsapolicy/file_contexts/program/pegasus.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/file_contexts/program/pegasus.fc	2005-09-16 11:35:39.000000000 -0400
@@ -0,0 +1,11 @@
+# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
+/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t
+/usr/sbin/cimconfig		-- 	system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/cimuser		-- 	system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/cimauth		-- 	system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/init_repository	-- 	system_u:object_r:pegasus_exec_t
+/usr/lib(64)?/Pegasus/providers/.*\.so.*	system_u:object_r:shlib_t
+/etc/Pegasus(/.*)?			system_u:object_r:pegasus_conf_t
+/var/lib/Pegasus(/.*)?	                system_u:object_r:pegasus_data_t
+/var/run/tog-pegasus(/.*)?              system_u:object_r:pegasus_var_run_t
+/usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.27.1/file_contexts/program/pppd.fc
--- nsapolicy/file_contexts/program/pppd.fc	2005-09-16 11:17:11.000000000 -0400
+++ policy-1.27.1/file_contexts/program/pppd.fc	2005-09-16 11:35:39.000000000 -0400
@@ -20,6 +20,6 @@
 /etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t
 /etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t
 # Fix pptp sockets
-/var/run/pptp(/.*)?	--	system_u:object_r:pptp_var_run_t
+/var/run/pptp(/.*)?		system_u:object_r:pptp_var_run_t
 # Fix /etc/ppp {up,down} family scripts (see man pppd)
 /etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/readahead.fc policy-1.27.1/file_contexts/program/readahead.fc
--- nsapolicy/file_contexts/program/readahead.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/file_contexts/program/readahead.fc	2005-09-16 11:35:39.000000000 -0400
@@ -0,0 +1 @@
+/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/roundup.fc policy-1.27.1/file_contexts/program/roundup.fc
--- nsapolicy/file_contexts/program/roundup.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/file_contexts/program/roundup.fc	2005-09-16 11:35:39.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
+/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t
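Review bot: The `--` in `/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t` restricts the match to regular files, so the /var/lib/roundup directory itself and any subdirectories will not receive roundup_var_lib_t and roundup_t's `var_lib_domain` access will not reach them. The pppd.fc hunk in this same diff removes exactly this `--` from the pptp run directory for that reason, and openct.fc's new `/var/run/openct(/.*)?` entry correctly omits it. Change the line to `/var/lib/roundup(/.*)?                  system_u:object_r:roundup_var_lib_t`.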
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpm.fc policy-1.27.1/file_contexts/program/rpm.fc
--- nsapolicy/file_contexts/program/rpm.fc	2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/file_contexts/program/rpm.fc	2005-09-16 11:52:41.000000000 -0400
@@ -23,3 +23,7 @@
 /var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t
 /var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t
 ')
+
+ifdef(`mls_policy', `
+/sbin/cpio			--	system_u:object_r:rpm_exec_t
+')
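Review bot: Labelling `/sbin/cpio` as rpm_exec_t under `mls_policy` means any domain with a transition on rpm_exec_t will run cpio in rpm_t, and this same series switches on `define(`unlimitedRPM')` in tunable.tun, whose comment reads "Allow rpm to run unconfined". Whether a cpio invocation actually reaches an unconfined domain depends on domain_auto_trans rules not visible in this diff, but the combination deserves a comment here explaining why cpio needs rpm's domain on MLS builds, e.g. `# on MLS, rpm's unpacking via cpio must run in rpm_t to relabel extracted files — TODO confirm`. If only rpm itself should execute cpio in rpm_t, a domain_auto_trans from rpm_t alone rather than a global exec-type label would be narrower.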
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.27.1/file_contexts/program/xdm.fc
--- nsapolicy/file_contexts/program/xdm.fc	2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/file_contexts/program/xdm.fc	2005-09-16 11:35:39.000000000 -0400
@@ -3,7 +3,7 @@
 /usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
 /opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
 /usr/bin/gpe-dm		--	system_u:object_r:xdm_exec_t
-/usr/bin/gdm-binary	--	system_u:object_r:xdm_exec_t
+/usr/(s)?bin/gdm-binary	--	system_u:object_r:xdm_exec_t
 /var/[xgk]dm(/.*)?		system_u:object_r:xserver_log_t
 /usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t
 /var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ypserv.fc policy-1.27.1/file_contexts/program/ypserv.fc
--- nsapolicy/file_contexts/program/ypserv.fc	2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/file_contexts/program/ypserv.fc	2005-09-16 11:35:39.000000000 -0400
@@ -1,3 +1,4 @@
 # ypserv
 /usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t
+/usr/lib/yp/.+			--	system_u:object_r:bin_t
 /etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.27.1/genfs_contexts
--- nsapolicy/genfs_contexts	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/genfs_contexts	2005-09-16 11:35:39.000000000 -0400
@@ -94,7 +94,7 @@
 genfscon debugfs /			system_u:object_r:debugfs_t
 genfscon inotifyfs /			system_u:object_r:inotifyfs_t
 genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t
-genfscon mqueue /			system_u:object_r:mqueue_t
+genfscon capifs /			system_u:object_r:capifs_t
 
 # needs more work
 genfscon eventpollfs / system_u:object_r:eventpollfs_t
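Review bot: The mqueue line is replaced rather than supplemented: `genfscon mqueue /` is removed and `genfscon capifs /` takes its place, while the types/file.te hunk in this diff turns mqueue_t into `typealias file_t alias mqueue_t;`. After both hunks no genfscon covers mqueue at all, so a mounted mqueue filesystem will receive whatever the kernel's fallback labelling gives it rather than file_t explicitly; if the alias was meant to keep mqueue labelled as file_t, keep a `genfscon mqueue /  system_u:object_r:file_t` line, and if dropping it is deliberate add `# mqueue is labelled by the default (fs_use/unlabeled) path; mqueue_t kept only as an alias` next to the alias.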
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.27.1/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/macros/core_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -620,6 +620,9 @@
 # Label pty files with a derived type.
 type_transition $1_t devpts_t:chr_file $1_devpts_t;
 
+# allow searching /dev/pts
+allow $1_t devpts_t:dir { getattr read search };
+
 # Read and write my pty files.
 allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-09-16 11:17:11.000000000 -0400
+++ policy-1.27.1/macros/global_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -157,6 +157,11 @@
 r_dir_file($1, locale_t)
 ')
 
+define(`can_access_pty', `
+allow $1 devpts_t:dir r_dir_perms;
+allow $1 $2_devpts_t:chr_file rw_file_perms;
+')
+
 ###################################
 #
 # access_terminal(domain, typeprefix)
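Review bot: `can_access_pty` grants `$2_devpts_t:chr_file rw_file_perms`, whereas the `access_terminal` lines it replaces in the next hunk granted exactly `{ read write getattr ioctl }`, the mta_macros.te site granted `{ read write getattr }`, and the uml_macros.te site granted only `{ read write }`; if rw_file_perms is the usual wider set in this policy (append, lock, etc.) these callers silently gain permissions, and each also gains `devpts_t:dir r_dir_perms`. The macro is also the only one in this file without the `###` header block that documents its arguments. Add a header stating the contract, e.g. `# can_access_pty(domain, typeprefix) — read/write access to typeprefix_devpts_t ptys plus search of /dev/pts`, and either confirm the widened set is intended or parametrise the permission set.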
@@ -166,8 +171,7 @@
 define(`access_terminal', `
 allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
 allow $1 devtty_t:chr_file { read write getattr ioctl };
-allow $1 devpts_t:dir { read search getattr };
-allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
+can_access_pty($1, $2)
 ') 
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.27.1/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	2005-09-16 11:17:11.000000000 -0400
+++ policy-1.27.1/macros/network_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -153,7 +153,8 @@
 ')dnl end can_network definition
 
 define(`can_resolve',`
-can_network_udp($1, `dns_port_t')
+can_network_client($1, `dns_port_t')
+allow $1 dns_port_t:tcp_socket name_connect;
 ')
 
 define(`can_portmap',`
@@ -173,3 +174,17 @@
 allow $1 winbind_var_run_t:sock_file { getattr read write };
 ')
 ')
+
+
+#################################
+#
+# nsswitch_domain(domain)
+#
+# Permissions for looking up uid/username mapping via nsswitch
+#
+define(`nsswitch_domain', `
+can_resolve($1)
+can_ypbind($1)
+can_ldap($1)
+can_winbind($1)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.27.1/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-09-16 11:17:11.000000000 -0400
+++ policy-1.27.1/macros/program/apache_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -38,7 +38,7 @@
 allow httpd_$1_script_t etc_runtime_t:file { getattr read };
 read_locale(httpd_$1_script_t)
 allow httpd_$1_script_t fs_t:filesystem getattr;
-allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_$1_script_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 allow httpd_$1_script_t { self proc_t }:file r_file_perms;
 allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
@@ -49,7 +49,7 @@
 }
 
 if (httpd_enable_cgi && httpd_can_network_connect) {
-can_network(httpd_$1_script_t)
+can_network_client(httpd_$1_script_t)
 allow httpd_$1_script_t port_type:tcp_socket name_connect;
 }
 
@@ -83,7 +83,9 @@
 # Allow the script interpreters to run the scripts.  So
 # the perl executable will be able to run a perl script
 #########################################################################
+allow httpd_$1_script_t httpd_$1_script_exec_t:dir r_dir_perms;
 can_exec_any(httpd_$1_script_t)
+
 allow httpd_$1_script_t etc_t:file { getattr read };
 dontaudit httpd_$1_script_t selinux_config_t:dir search;
 
@@ -193,4 +195,11 @@
 create_dir_file($1_crond_t, httpd_$1_content_t)
 ')
 
+ifdef(`ftpd.te', `
+if (ftp_home_dir) {
+create_dir_file(ftpd_t, httpd_$1_content_t)
+}
+')
+
+
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.27.1/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te	2005-09-16 11:17:11.000000000 -0400
+++ policy-1.27.1/macros/program/cdrecord_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -41,7 +41,7 @@
 
 allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
 allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+can_access_pty($1_cdrecord_t, $1)
 allow $1_cdrecord_t $1_home_t:dir search;
 allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
 allow $1_cdrecord_t $1_home_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/i18n_input_macros.te policy-1.27.1/macros/program/i18n_input_macros.te
--- nsapolicy/macros/program/i18n_input_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/macros/program/i18n_input_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -0,0 +1,21 @@
+#
+# Macros for i18n_input
+#
+
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com> 
+#
+
+#
+# i18n_input_domain(domain)
+#
+ifdef(`i18n_input.te', `
+define(`i18n_input_domain', `
+allow i18n_input_t $1_home_dir_t:dir { getattr search };
+r_dir_file(i18n_input_t, $1_home_t)
+if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) }
+if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) }
+')
+')
+
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.27.1/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/macros/program/mta_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -34,7 +34,7 @@
 
 uses_shlib($1_mail_t)
 can_network_client_tcp($1_mail_t)
-allow $1_mail_t port_type:tcp_socket name_connect;
+allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;
 can_resolve($1_mail_t)
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
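Review bot: `allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;` is a no-op if smtp_port_t carries the port_type attribute, as port types in this policy generally do; the attribute already covers it. If the intent was to narrow the mailer to SMTP only, the change should drop port_type instead, `allow $1_mail_t smtp_port_t:tcp_socket name_connect;`, and if the intent is to keep connecting to every port then the added type should be removed to avoid implying a restriction that is not there.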
@@ -68,7 +68,7 @@
 allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
 allow mta_user_agent system_crond_tmp_t:file { read getattr };
 ')
-allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
+can_access_pty(system_mail_t, initrc)
 
 ', `
 # For when the user wants to send mail via port 25 localhost
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/pyzor_macros.te policy-1.27.1/macros/program/pyzor_macros.te
--- nsapolicy/macros/program/pyzor_macros.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/macros/program/pyzor_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -64,6 +64,6 @@
 
 # Allow pyzor to be run by hand.  Needed by any action other than
 # invocation from a spam filter.
-allow $1_pyzor_t $1_devpts_t:chr_file rw_file_perms;
+can_access_pty($1_pyzor_t, $1)
 allow $1_pyzor_t sshd_t:fd use;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/razor_macros.te policy-1.27.1/macros/program/razor_macros.te
--- nsapolicy/macros/program/razor_macros.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/macros/program/razor_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -70,6 +70,6 @@
 
 # Allow razor to be run by hand.  Needed by any action other than
 # invocation from a spam filter.
-allow $1_razor_t $1_devpts_t:chr_file rw_file_perms;
+can_access_pty($1_razor_t, $1)
 allow $1_razor_t sshd_t:fd use;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.27.1/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2005-09-16 11:17:12.000000000 -0400
+++ policy-1.27.1/macros/program/su_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -54,7 +54,7 @@
 allow $1_su_t self:process { setsched setrlimit };
 allow $1_su_t device_t:dir search;
 allow $1_su_t self:process { fork sigchld };
-can_ypbind($1_su_t)
+nsswitch_domain($1_su_t)
 r_dir_file($1_su_t, selinux_config_t)
 
 dontaudit $1_su_t shadow_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.27.1/macros/program/uml_macros.te
--- nsapolicy/macros/program/uml_macros.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/macros/program/uml_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -81,7 +81,7 @@
 allow uml_net_t $1_uml_t:unix_stream_socket { read write };
 allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
 dontaudit uml_net_t privfd:fd use;
-allow uml_net_t $1_uml_devpts_t:chr_file { read write };
+can_access_pty(uml_net_t, $1_uml)
 dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
 ')dnl end ifdef uml_net.te
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.1/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/macros/user_macros.te	2005-09-16 11:35:39.000000000 -0400
@@ -121,6 +121,7 @@
 # user domains.
 ifelse($1, sysadm, `',`
 ifdef(`apache.te', `apache_user_domain($1)')
+ifdef(`i18n_input.te', `i18n_input_domain($1)')
 ')
 ifdef(`slocate.te', `locate_domain($1)')
 ifdef(`lockdev.te', `lockdev_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.27.1/Makefile
--- nsapolicy/Makefile	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/Makefile	2005-09-16 11:36:31.000000000 -0400
@@ -16,7 +16,7 @@
 MLS=n
 
 # Set to y if MCS is enabled in the policy
-MCS=n
+MCS=y
 
 FLASKDIR = flask/
 PREFIX = /usr
@@ -29,15 +29,10 @@
 VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
 PREVERS := 19
 KERNVERS := $(shell cat /selinux/policyvers)
+MLSENABLED := $(shell cat /selinux/mls)
 POLICYVER := policy.$(VERS)
 TOPDIR = $(DESTDIR)/etc/selinux
 TYPE=strict
-ifeq ($(MLS),y)
-TYPE=mls
-endif
-ifeq ($(MCS),y)
-TYPE=mcs
-endif
 
 INSTALLDIR = $(TOPDIR)/$(TYPE)
 POLICYPATH = $(INSTALLDIR)/policy
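Review bot: With the `ifeq ($(MLS),y)`/`ifeq ($(MCS),y)` blocks removed, `TYPE` is now always `strict`, so `INSTALLDIR` and `POLICYPATH` point at /etc/selinux/strict even though the same hunk series sets `MCS=y`; an MCS-built policy will therefore overwrite the strict install tree. If that is intentional (MCS treated as a variant of strict) a comment at `TYPE=strict` should say so, e.g. `# MCS builds install under the strict tree; only a separate mls policy uses its own TYPE`; otherwise the conditional on MLS at least should be restored. `MLSENABLED := $(shell cat /selinux/mls)` will also yield an empty string on a kernel without /selinux mounted, which the later `ifeq` tests handle only by skipping work.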
@@ -89,8 +84,12 @@
 all:  policy
 
 tmp/valid_fc: $(LOADPATH) $(FC) 
+ifeq ($(CHECKPOLMLS), -M)
+ifeq ($(MLSENABLED),1)
 	@echo "Validating file contexts files ..."	
 	$(SETFILES) -q -c $(LOADPATH) $(FC)
+endif
+endif
 	@touch tmp/valid_fc
 
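Review bot: The added `ifeq ($(CHECKPOLMLS), -M)` / `ifeq ($(MLSENABLED),1)` guards mean `setfiles -q -c $(LOADPATH) $(FC)` now runs only for an MLS-compiled policy on an MLS-enabled kernel; every non-MLS build skips file-context validation entirely and still touches tmp/valid_fc, so a broken .fc file is no longer caught. The same pattern is added for the `$(POLICYVER)` target further down. If the goal is only to avoid validating MLS contexts on a non-MLS kernel, guard the mismatch rather than the common case, e.g. run the check unconditionally and wrap only the MLS-specific skip: `ifneq ($(CHECKPOLMLS)$(MLSENABLED), -M0)` around the two validation lines.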
 install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
@@ -160,7 +159,7 @@
 	@mkdir -p $(POLICYPATH)
 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
 ifneq ($(VERS),$(PREVERS))
-	$(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
+	$(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
 endif
 
 # Note: Can't use install, so not sure how to deal with mode, user, and group
@@ -170,8 +169,12 @@
 
 $(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
+ifeq ($(CHECKPOLMLS), -M)
+ifeq (1, $(MLSENABLED))
 	@echo "Validating file contexts files ..."
 	$(SETFILES) -q -c $(POLICYVER) $(FC)
+endif
+endif
 
 reload tmp/load: $(LOADPATH) 
 	@echo "Loading Policy ..."
@@ -355,10 +358,9 @@
 	@for file in $(USER_FILES); do \
 		echo "Converting $$file"; \
 		sed -r -e 's/\;/ level s0 range s0;/' $$file | \
-		sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
+		sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
 		mv $$file.new $$file; \
 	done
-	@sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
 	@echo "Enabling MCS in the Makefile"
 	@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new
 	@mv Makefile.new Makefile
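Review bot: `@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new` is a no-op substitution, and with `MCS=y` now the default earlier in this file the "Enabling MCS in the Makefile" step does nothing useful; the substitution was presumably meant as `s/MCS=n/MCS=y/`. The hunk also drops the `initial_sid_contexts` rewrite for the kernel sid without explanation, so either remove the dead step or fix the pattern and add `# promote the kernel sid range elsewhere; no longer rewritten here` where the removed line was.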
diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.27.1/mcs
--- nsapolicy/mcs	2005-09-15 16:13:03.000000000 -0400
+++ policy-1.27.1/mcs	2005-09-16 11:35:39.000000000 -0400
@@ -200,9 +200,23 @@
 #
 # Only files are constrained by MCS at this stage.
 #
-mlsconstrain file { read write setattr append unlink link rename
+mlsconstrain file { write setattr append unlink link rename
 		    create ioctl lock execute } (h1 dom h2);
 
+mlsconstrain file { read } ((h1 dom h2) or 
+			    ( t1 == mlsfileread ));
+
+
+# new file labels must be dominated by the relabeling subject's clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
+	( h1 dom h2 );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink 
+rename search add_name remove_name reparent write rmdir relabelfrom 
+relabelto }')
 
 # XXX
 #
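Review bot: The new `mlsconstrain file { read } ((h1 dom h2) or ( t1 == mlsfileread ));` exempts every domain carrying the mlsfileread attribute from MCS category checks on read, but neither the attribute's declaration nor its members are in this hunk, and the comment above still says "Only files are constrained by MCS at this stage" without mentioning the exemption. Add a line such as `# domains with the mlsfileread attribute may read files of any category; grant this attribute only to system services that must see all users' data` so the bypass is visible to anyone auditing the constraint. The `nogetattr_file_perms`/`nogetattr_dir_perms` macros are defined here but have no caller in this diff, so note where they are meant to be used or they will read as dead definitions.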
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.27.1/net_contexts
--- nsapolicy/net_contexts	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/net_contexts	2005-09-16 11:35:39.000000000 -0400
@@ -50,6 +50,10 @@
 portcon tcp 53 system_u:object_r:dns_port_t
 
 portcon udp 67  system_u:object_r:dhcpd_port_t
+portcon udp 647  system_u:object_r:dhcpd_port_t
+portcon tcp 647  system_u:object_r:dhcpd_port_t
+portcon udp 847  system_u:object_r:dhcpd_port_t
+portcon tcp 847  system_u:object_r:dhcpd_port_t
 portcon udp 68  system_u:object_r:dhcpc_port_t
 portcon udp 70 system_u:object_r:gopher_port_t
 portcon tcp 70 system_u:object_r:gopher_port_t
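Review bot: The four new `portcon` lines for 647 and 847 assign dhcpd_port_t with no comment, unlike the surrounding well-known ports; these are the ISC DHCP failover peer ports, which only a failover-configured server uses. A one-line comment, `# 647/847: dhcpd failover peer ports`, placed above the block would explain why a DHCP server may now bind TCP listeners in addition to udp/67.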
@@ -164,6 +168,8 @@
 portcon tcp 50000 system_u:object_r:hplip_port_t
 portcon tcp 50002 system_u:object_r:hplip_port_t
 portcon tcp 5900  system_u:object_r:vnc_port_t 
+portcon tcp 5988  system_u:object_r:pegasus_http_port_t
+portcon tcp 5989  system_u:object_r:pegasus_https_port_t
 portcon tcp 6000  system_u:object_r:xserver_port_t
 portcon tcp 6001  system_u:object_r:xserver_port_t
 portcon tcp 6002  system_u:object_r:xserver_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.27.1/targeted/appconfig/root_default_contexts
--- nsapolicy/targeted/appconfig/root_default_contexts	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/targeted/appconfig/root_default_contexts	2005-09-16 11:35:39.000000000 -0400
@@ -1,2 +1,6 @@
 system_r:unconfined_t	system_r:unconfined_t
 system_r:initrc_t	system_r:unconfined_t
+system_r:local_login_t system_r:unconfined_t
+system_r:remote_login_t system_r:unconfined_t
+system_r:rshd_t		system_r:unconfined_t
+system_r:crond_t	system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.27.1/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/targeted/domains/program/ssh.te	2005-09-16 11:35:39.000000000 -0400
@@ -17,3 +17,6 @@
 type sshd_key_t, file_type, sysadmfile;
 type sshd_var_run_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
+ifdef(`use_mcs', `
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.27.1/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/targeted/domains/program/xdm.te	2005-09-16 11:35:39.000000000 -0400
@@ -20,3 +20,7 @@
 type xdm_tmp_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
 domain_auto_trans(init_t, xdm_exec_t, xdm_t)
+ifdef(`use_mcs', `
+range_transition init_t xdm_exec_t s0 - s0:c0.c127;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.27.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/targeted/domains/unconfined.te	2005-09-16 11:35:39.000000000 -0400
@@ -7,15 +7,14 @@
 type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem;
 role system_r types unconfined_t;
 role user_r types unconfined_t;
-role sysadm_r types unconfined_t;
 unconfined_domain(unconfined_t)
 allow domain unconfined_t:fd use;
 allow domain unconfined_t:process sigchld;
 
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
-typealias bin_t alias su_exec_t;
 typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+
 typeattribute tty_device_t admin_tty_type;
 typeattribute devpts_t admin_tty_type;
 
@@ -63,6 +62,7 @@
 bool use_samba_home_dirs false;
 
 ifdef(`samba.te', `samba_domain(user)')
+ifdef(`i18n_input.te', `i18n_input_domain(user)')
 
 # Allow system to run with NIS
 bool allow_ypbind false;
@@ -77,3 +77,14 @@
 allow domain self:process execmem;
 }
 
+#Removing i18n_input from targeted for now, since wants to read users homedirs
+typealias bin_t alias i18n_input_exec_t;
+typealias unconfined_t alias i18n_input_t;
+typealias var_run_t alias i18n_input_var_run_t;
+# Needed to get su working
+bool secure_mode false;
+typealias unconfined_t alias { sysadm_chkpwd_t };
+typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t };
+su_domain(sysadm)
+typeattribute sysadm_su_t unrestricted;
+role system_r types sysadm_su_t;
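Review bot: `typeattribute sysadm_su_t unrestricted;` combined with `typealias unconfined_t alias { sysadm_chkpwd_t };` makes the whole targeted su path (su domain and password helper) unconfined, and `bool secure_mode false;` is introduced with only "Needed to get su working" as explanation. Document what this block actually does and why, e.g. `# targeted policy: su runs effectively unconfined; secure_mode is declared only because su_domain references it`, and confirm that removing `role sysadm_r types unconfined_t;` and `typealias bin_t alias su_exec_t;` in the earlier hunk of this file does not leave sysadm_r without a reachable domain — the su_exec_t declaration this now relies on is outside the diff.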
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.27.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/tunables/distro.tun	2005-09-16 11:35:39.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.27.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/tunables/tunable.tun	2005-09-16 11:35:39.000000000 -0400
@@ -1,5 +1,5 @@
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
@@ -17,7 +17,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
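Review bot: Defining `hide_broken_symptoms` as the shipped default turns on every rule guarded by that macro, and at least one such rule in this same patch is an `allow` rather than a dontaudit (ping.te grants `ping_t init_t:fd use` under it), so the header comment `# Do not audit things that we know to be broken but which are not security risks` no longer describes what the switch does. Either keep the macro to dontaudit rules only, or amend the comment so the widening is visible: `# NOTE: a few compatibility allow rules are also gated on this symbol; grep for ifdef(`hide_broken_symptoms') before shipping`. Since the denials it hides will never reach the audit log on a stock install, that trade-off deserves to be stated next to the define.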
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.1/types/file.te
--- nsapolicy/types/file.te	2005-09-16 11:17:12.000000000 -0400
+++ policy-1.27.1/types/file.te	2005-09-16 11:35:39.000000000 -0400
@@ -307,8 +307,7 @@
 type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
 allow hugetlbfs_t self:filesystem associate;
 
-type mqueue_t, mount_point, fs_type,  sysadmfile;
-allow mqueue_t self:filesystem associate;
+typealias file_t alias  mqueue_t;
 
 # udev_runtime_t is the type of the udev table file
 type udev_runtime_t, file_type, sysadmfile;
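Review bot: Replacing the dedicated `mqueue_t` with `typealias file_t alias mqueue_t;` folds POSIX message-queue objects into `file_t`, so every domain already permitted on `file_t` (this same patch gives fsadm_t `{ file_t unlabeled_t }:blk_file rw_file_perms`) reaches mqueuefs as a side effect, and the `mount_point`/`fs_type` attributes that kept it a distinct filesystem are gone. If the intent is to treat mqueuefs as an unlabeled filesystem for now, say so where the alias is: `# mqueuefs objects are treated as file_t until a dedicated label/genfscon is in place`. Otherwise a dedicated type with `fs_type` and its own `associate` rule is the safer default, and the cover note gives no reason for the collapse.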
@@ -325,6 +324,9 @@
 type inotifyfs_t, fs_type, sysadmfile;
 allow inotifyfs_t self:filesystem associate;
 
+type capifs_t, fs_type, sysadmfile;
+allow capifs_t self:filesystem associate;
+
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
 allow removable_t self:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.1/types/network.te
--- nsapolicy/types/network.te	2005-09-16 11:17:12.000000000 -0400
+++ policy-1.27.1/types/network.te	2005-09-16 11:35:39.000000000 -0400
@@ -120,6 +120,8 @@
 type zebra_port_t, port_type;
 type i18n_input_port_t, port_type;
 type vnc_port_t, port_type;
+type pegasus_http_port_t, port_type;
+type pegasus_https_port_t, port_type;
 type openvpn_port_t, port_type;
 type clamd_port_t, port_type, reserved_port_type;
 type transproxy_port_t, port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.1/types/security.te
--- nsapolicy/types/security.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/types/security.te	2005-09-16 11:35:39.000000000 -0400
@@ -19,6 +19,10 @@
 # the security server policy configuration.
 #
 type policy_config_t, file_type, secadmfile;
+# Since libselinux attempts to read these by default, most domains 
+# do not need it.
+dontaudit domain selinux_config_t:dir search;
+dontaudit domain selinux_config_t:file { getattr read };
 
 #
 # policy_src_t is the type of the policy source
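Review bot: `dontaudit domain selinux_config_t:dir search;` and the file `{ getattr read }` dontaudit apply to every domain, which makes the per-domain copies in this same patch redundant (`dontaudit httpd_t selinux_config_t:dir search;` added in ddclient.te, the ftpd and postgresql ones shown as context) — drop those so the suppression has one source of truth. The comment `# Since libselinux attempts to read these by default, most domains do not need it.` should also state what stays visible, since a reviewer of audit logs will otherwise wonder whether /etc/selinux tampering is still recorded: only the read probe is silenced, writes and relabels of `selinux_config_t` remain audited. Suggest `# libselinux probes /etc/selinux on load; silence that read only — write/setattr on selinux_config_t is still audited`.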

* Latest Diffs
@ 2005-08-15 14:29 Daniel J Walsh
  0 siblings, 0 replies; 143+ messages in thread
From: Daniel J Walsh @ 2005-08-15 14:29 UTC (permalink / raw)
  To: Jim Carter, SELinux

[-- Attachment #1: Type: text/plain, Size: 1617 bytes --]

Remove nfs_export_all_rw tunable in kernel.te (This is now a boolean).

Add audit_control to cron.

fsadm needs DAC capabilities for manipulating removable media (ZIP drives).

passwd needs access to sysctl

Lots of changes to alsa domain for strict policy.  Allowing it to 
communicate with userspace

Add new domain anonymous_domain so domains can share the ftpd_anon_t and 
ftpd_anon_rw_t types.  (ftpd, rsync, httpd, smbd)

Eliminate a few more transition of sysadm_t (unconfined_t) to domains 
for targeted policy.

Bluetooth needs to run helper apps in bin_t.

Add certwatch domain.

Cups config needs to communicate with itself using unix_dgram_sockets.

Allow cvs to use kerberos.

Allow cyrus to use saslauthd.

Fixes for latest version of dbus.

Allow NetworkManager and dhcpc to better communicate using dbus.

Cleanup firstboot.

Fixes for ipsec to allow netlink_route_socket and additional privs of 
unix_dgram_socketet.

Allow networkmanager to communicate with isakmp_port and use vpnc.


Lots of fixed for pppd and pptp.

Allow samba to commucate with smbd_port_t

Fixes for saslauthd.  Needs to be able to communicate with mysql.

Change vpnc to application_domain.

Several updates to file_contexts.

Created authentication_domain for anything that supports 
pam_authentication. 

Fixed for ethereal domain to handle fallback with new version of userhelper.

Allow evolution to read cert files.

Allow userspace to kill thunderbird

Add mcs stuff to Makefile.

Remove netifcon calls and default to netif_t.  So that we can start 
isolation individual ethernet devices.






















-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 62391 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.25.4/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.4/domains/misc/kernel.te	2005-08-11 23:07:13.000000000 -0400
@@ -11,7 +11,7 @@
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 # 
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
 role system_r types kernel_t;
 general_domain_access(kernel_t)
 general_proc_read_access(kernel_t)
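Review bot: The removed `ifdef(`nfs_export_all_rw',`,etc_writer')` made `etc_writer` depend on the build tunable; the new declaration grants it to `kernel_t` unconditionally, while the cover note says the tunable "is now a boolean" — a type's attributes cannot be toggled by a runtime boolean, so kernel threads now always carry etc_writer no matter how the boolean is set. If that is the accepted cost, record it on the declaration: `# etc_writer is unconditional: attributes cannot be gated by the nfs_export_all_rw boolean, only the rules that use it can`. Otherwise the write rules themselves, not the attribute, are what the boolean should switch.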
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.4/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2005-08-11 06:57:10.000000000 -0400
+++ policy-1.25.4/domains/program/crond.te	2005-08-11 23:07:13.000000000 -0400
@@ -44,7 +44,7 @@
 read_locale(crond_t)
 
 # Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
 dontaudit crond_t self:capability sys_resource;
 
 # Get security policy decisions.
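Review bot: `audit_control` is appended to crond_t's capability set with no comment, and it is the capability that lets a process change kernel audit rules and enable or disable auditing, not merely emit records. The cover note says only "Add audit_control to cron"; if the need is pam_loginuid setting the login UID for each job (the usual reason around this version, but not shown here) say so, so the grant can be revisited when that requirement changes: `# audit_control: pam_loginuid writes /proc/self/loginuid for each cron job — confirm no narrower capability suffices`. Leaving it undocumented makes later minimisation of cron's privileges harder.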
@@ -207,5 +207,8 @@
 #
 ifdef(`apache.te', `
 allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
+allow system_crond_t httpd_modules_t:lnk_file read;
 ')
 dontaudit crond_t self:capability sys_tty_config;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
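Review bot: `can_exec(system_crond_t, httpd_modules_t)` sits after the `ifdef(`apache.te', ...)` block has closed, so a build without apache.te references an undeclared type, and it duplicates what the new certwatch domain already receives via `can_exec(certwatch_t, httpd_modules_t)` plus its `system_crond_entry` transition. If certwatch runs in certwatch_t, system_crond_t itself never needs to execute Apache modules and this line widens the cron domain for nothing; drop it, or at minimum move it inside the same ifdef: `ifdef(`apache.te', ` can_exec(system_crond_t, httpd_modules_t) ')`. The comment `# Needed for certwatch` should then point at certwatch.te rather than justify a grant on system_crond_t.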
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.4/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2005-08-11 06:57:12.000000000 -0400
+++ policy-1.25.4/domains/program/fsadm.te	2005-08-11 23:07:13.000000000 -0400
@@ -64,7 +64,7 @@
 allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
 
 # Use capabilities.  ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
 
 # Write to /etc/mtab.
 file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
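Review bot: `dac_override` and `dac_read_search` are appended to fsadm_t without a word on why, while the existing comment explains only ipc_lock; dac_override bypasses every DAC permission check, and for a domain that already holds `sys_rawio` and `sys_admin` it removes the last ordinary-user boundary on the filesystems it touches. The cover note says this is for removable media (ZIP drives), so carry that into the policy: `# dac_override/dac_read_search: fsck/mount of removable media (ZIP) owned by another uid`. If only traversal and reading of foreign directories is needed, `dac_read_search` alone would be the narrower grant — worth checking before both ship.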
@@ -117,3 +117,4 @@
 allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
 allow fsadm_t usbfs_t:dir { getattr search };
 allow fsadm_t ramfs_t:fifo_file rw_file_perms;
+allow fsadm_t device_type:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.25.4/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.25.4/domains/program/hostname.te	2005-08-11 23:07:13.000000000 -0400
@@ -25,3 +25,4 @@
 allow hostname_t tmpfs_t:chr_file rw_file_perms;
 ')
 allow hostname_t initrc_devpts_t:chr_file { read write };
+allow hostname_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.4/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-08-11 06:57:13.000000000 -0400
+++ policy-1.25.4/domains/program/ifconfig.te	2005-08-11 23:07:13.000000000 -0400
@@ -34,7 +34,7 @@
 allow ifconfig_t self:socket create_socket_perms;
 
 # Use capabilities.
-allow ifconfig_t self:capability net_admin;
+allow ifconfig_t self:capability { net_raw net_admin };
 dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:capability sys_tty_config;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.4/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-08-11 06:57:13.000000000 -0400
+++ policy-1.25.4/domains/program/initrc.te	2005-08-11 23:07:13.000000000 -0400
@@ -319,3 +319,6 @@
 ')
 allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
 allow initrc_t device_t:lnk_file create_file_perms;
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.4/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/passwd.te	2005-08-11 23:07:13.000000000 -0400
@@ -64,6 +64,7 @@
 dontaudit $1_t { proc_t device_t }:dir { search read };
 
 allow $1_t device_t:dir getattr;
+read_sysctl($1_t)
 ')
 
 #################################
@@ -152,5 +153,5 @@
 
 ifdef(`targeted_policy', `
 role system_r types sysadm_passwd_t;
-allow sysadm_passwd_t devpts_t:chr_file { read write };
+allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.25.4/domains/program/unused/alsa.te
--- nsapolicy/domains/program/unused/alsa.te	2005-07-05 15:25:45.000000000 -0400
+++ policy-1.25.4/domains/program/unused/alsa.te	2005-08-11 23:07:13.000000000 -0400
@@ -6,12 +6,17 @@
 type alsa_t, domain, privlog, daemon;
 type alsa_exec_t, file_type, sysadmfile, exec_type;
 uses_shlib(alsa_t)
-allow alsa_t self:sem  create_sem_perms;
-allow alsa_t self:shm  create_shm_perms;
+allow alsa_t { unpriv_userdomain self }:sem  create_sem_perms;
+allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
 allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
 type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
 rw_dir_create_file(alsa_t,alsa_etc_rw_t)
 allow alsa_t self:capability { setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
 allow alsa_t devpts_t:chr_file { read write };
 allow alsa_t etc_t:file { getattr read };
 domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
+role system_r types alsa_t;
+read_locale(alsa_t) 
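Review bot: `create_sem_perms` and `create_shm_perms` on `unpriv_userdomain` objects (`allow alsa_t { unpriv_userdomain self }:sem ...` and the matching `:shm` line) give alsa_t create, destroy and setattr over every unprivileged user's SysV semaphores and shared memory, and the domain already holds `ipc_owner`, which waives the owner check — so alsa_t can tear down or alter IPC belonging to any user, not just the one invoking it. The reciprocal rule added here, `allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };`, is the right width; mirror it for the other direction and keep the create perms for `self` only: `allow alsa_t unpriv_userdomain:sem { associate read write unix_read unix_write };` with the shm equivalent. A comment naming which ALSA component shares IPC with the user would make the grant reviewable later.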
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.4/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/unused/apache.te	2005-08-11 23:07:13.000000000 -0400
@@ -222,6 +222,9 @@
 # Creation of lock files for apache2
 lock_domain(httpd)
 
+# Allow apache to used ftpd_anon_t
+anonymous_domain(httpd)
+
 # connect to mysql
 ifdef(`mysqld.te', `
 can_unix_connect(httpd_php_t, mysqld_t)
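Review bot: `anonymous_domain(httpd)` hands httpd_t whatever the macro grants, and judging from the rules it replaces in ftpd.te in this same patch (`r_dir_file(ftpd_t,ftpd_anon_t)` plus `create_dir_file(ftpd_t,ftpd_anon_rw_t)`) that includes create/write on `ftpd_anon_rw_t`, i.e. the anonymous-upload tree becomes writable by the web server; the macro itself is not in this diff, so confirm. If Apache only needs to serve anonymous FTP content, a read-only interface is the least-privilege choice; if writing is intended, the comment should say so: `# Allow apache to read ftpd_anon_t and write ftpd_anon_rw_t (shared anonymous upload area)`. The existing `# Allow apache to used ftpd_anon_t` also has a typo ("used").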
@@ -300,7 +303,7 @@
 ##################################################
 
 if (httpd_tty_comm) {
-allow { httpd_t httpd_helper_t } devpts_t:dir { search };
+allow { httpd_t httpd_helper_t } devpts_t:dir search;
 ifdef(`targeted_policy', `
 allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.4/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/apmd.te	2005-08-11 23:07:13.000000000 -0400
@@ -16,7 +16,9 @@
 
 type apm_t, domain, privlog;
 type apm_exec_t, file_type, sysadmfile, exec_type;
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
+')
 uses_shlib(apm_t)
 allow apm_t privfd:fd use;
 allow apm_t admin_tty_type:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.25.4/domains/program/unused/backup.te
--- nsapolicy/domains/program/unused/backup.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.25.4/domains/program/unused/backup.te	2005-08-11 23:07:13.000000000 -0400
@@ -16,7 +16,9 @@
 role system_r types backup_t;
 role sysadm_r types backup_t;
 
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
+')
 allow backup_t privfd:fd use;
 ifdef(`crond.te', `
 system_crond_entry(backup_exec_t, backup_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.25.4/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/unused/bluetooth.te	2005-08-12 07:55:43.000000000 -0400
@@ -43,3 +43,6 @@
 allow initrc_t usbfs_t:file { getattr read };
 allow bluetooth_t usbfs_t:dir r_dir_perms;
 allow bluetooth_t usbfs_t:file rw_file_perms; 
+allow bluetooth_t bin_t:dir search;
+can_exec(bluetooth_t, bin_t)
+
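Review bot: `can_exec(bluetooth_t, bin_t)` lets the Bluetooth daemon run anything under bin_t in its own domain with no transition, so every helper inherits bluetooth_t's grants (including the `usbfs_t:file rw_file_perms` shown as context) and the policy can no longer tell the daemon from the helpers it spawns. If the helpers are known, a dedicated domain reached by `domain_auto_trans` is the usual answer; if not, at least record which programs drive this so it can be tightened later: `# bluetooth spawns helper apps from /usr/bin in its own domain — TODO confine in a helper domain`. The trailing blank `+` line is stray.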
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.25.4/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.25.4/domains/program/unused/bootloader.te	2005-08-11 23:07:13.000000000 -0400
@@ -24,7 +24,9 @@
 # for nscd
 dontaudit bootloader_t var_run_t:dir search;
 
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
+')
 allow bootloader_t { initrc_t privfd }:fd use;
 
 tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.25.4/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.25.4/domains/program/unused/cardmgr.te	2005-08-11 23:07:13.000000000 -0400
@@ -15,7 +15,9 @@
 allow cardmgr_t urandom_device_t:chr_file read;
 
 type cardctl_exec_t, file_type, sysadmfile, exec_type;
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
+')
 role sysadm_r types cardmgr_t;
 allow cardmgr_t admin_tty_type:chr_file { read write };
 
@@ -85,3 +87,4 @@
 rw_dir_file(hald_t, cardmgr_var_run_t)
 allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
 ')
+allow cardmgr_t device_t:lnk_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/certwatch.te policy-1.25.4/domains/program/unused/certwatch.te
--- nsapolicy/domains/program/unused/certwatch.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.25.4/domains/program/unused/certwatch.te	2005-08-11 23:07:13.000000000 -0400
@@ -0,0 +1,11 @@
+#DESC certwatch - generate SSL certificate expiry warnings
+#
+# Domains for the certwatch process 
+# Authors:  Dan Walsh <dwalsh@redhat.com>,
+#
+application_domain(certwatch)
+role system_r types certwatch_t;
+r_dir_file(certwatch_t, cert_t)
+can_exec(certwatch_t, httpd_modules_t)
+system_crond_entry(certwatch_exec_t, certwatch_t)
+read_locale(certwatch_t) 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clockspeed.te policy-1.25.4/domains/program/unused/clockspeed.te
--- nsapolicy/domains/program/unused/clockspeed.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.4/domains/program/unused/clockspeed.te	2005-08-11 23:07:13.000000000 -0400
@@ -21,5 +21,6 @@
 
 # sysadm can play with clockspeed
 role sysadm_r types clockspeed_t;
+ifdef(`targeted_policy', `', `
 domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
-
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.4/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/unused/cups.te	2005-08-11 23:07:13.000000000 -0400
@@ -245,6 +245,7 @@
 allow cupsd_config_t self:fifo_file rw_file_perms;
 
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
 ifdef(`dbusd.te', `
 dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus send_msg;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.4/domains/program/unused/cvs.te
--- nsapolicy/domains/program/unused/cvs.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/cvs.te	2005-08-11 23:07:13.000000000 -0400
@@ -15,12 +15,14 @@
 typeattribute cvs_t privmail;
 typeattribute cvs_t auth_chkpwd;
 
-type cvs_data_t, file_type, sysadmfile;
+type cvs_data_t, file_type, sysadmfile, customizable;
 create_dir_file(cvs_t, cvs_data_t)
 can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
+allow cvs_t bin_t:dir search;
+allow cvs_t { bin_t sbin_t }:lnk_file read;
 allow cvs_t etc_runtime_t:file { getattr read };
 allow system_mail_t cvs_data_t:file { getattr read };
 dontaudit cvs_t devtty_t:chr_file { read write };
-allow cvs_t default_t:dir search;
-allow cvs_t default_t:lnk_file read;
-
+# Allow kerberos to work
+allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
+dontaudit cvs_t krb5_conf_t:file write;
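Review bot: `allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;` gives the CVS server read access to the host keytab, i.e. to every service principal key stored in it, and cvs_t is a network-facing domain that also carries `auth_chkpwd`. A compromised cvs process would then hold the credentials of every other Kerberised service on the box; if cvs needs only its own principal, make that operational requirement explicit: `# Kerberos/GSSAPI for cvs: keep cvs's principal in its own keytab so this read does not expose other services' keys`. The new `customizable` attribute on `cvs_data_t` presumably also changes relabel behaviour (restorecon leaving those files alone, if I read the attribute correctly) and deserves a one-line note beside the declaration.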
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.25.4/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/cyrus.te	2005-08-11 23:07:13.000000000 -0400
@@ -20,7 +20,7 @@
 can_ypbind(cyrus_t)
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
+allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
 allow cyrus_t etc_t:file { getattr read };
 allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
 read_locale(cyrus_t)
@@ -42,3 +42,11 @@
 create_dir_file(cyrus_t, mail_spool_t)
 allow cyrus_t var_spool_t:dir search;
 
+ifdef(`saslaudthd.te', `
+allow cyrus_t saslauthd_var_run_t:dir search;
+allow cyrus_t saslauthd_var_run_t:sock_file { read write };
+allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
+')
+
+r_dir_file(cyrus_t, cert_t)
+allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
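Review bot: The guard `ifdef(`saslaudthd.te', `` misspells the file name, so the saslauthd block inside it (`saslauthd_var_run_t:dir search`, `sock_file { read write }`, `saslauthd_t:unix_stream_socket { connectto }`) is dead policy and cyrus will still be denied when it contacts saslauthd — the very thing the cover note says this hunk fixes. Change it to `ifdef(`saslauthd.te', `` and drop the redundant braces around `connectto`. A build-time check that every `ifdef` target names an existing .te file would catch this whole class of silent no-ops.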
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.25.4/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.25.4/domains/program/unused/dbusd.te	2005-08-11 23:07:13.000000000 -0400
@@ -17,4 +17,9 @@
 # I expect we need more than this
 
 allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow initrc_t system_dbusd_t:unix_stream_socket connectto;
+allow initrc_t system_dbusd_var_run_t:sock_file write;
 
+can_exec(system_dbusd_t, sbin_t)
+allow system_dbusd_t self:fifo_file { read write };
+allow system_dbusd_t self:unix_stream_socket connectto;
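Review bot: `can_exec(system_dbusd_t, sbin_t)` lets the system bus daemon execute anything in sbin_t inside its own domain, so an activated service (or a bug in dbus-daemon) runs with dbus's privileges and none of the target's confinement; the dhcpc hunk in this same patch shows the better pattern, `domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)`, and each activated helper should get the same. If a blanket exec is unavoidable for now, mark it so it is not mistaken for a design decision: `# TODO: replace with per-service domain_auto_trans — activation helpers currently run unconfined in system_dbusd_t`. The added `allow initrc_t system_dbusd_var_run_t:sock_file write;` also appears verbatim in initrc.te in this patch; keep one copy.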
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.25.4/domains/program/unused/ddclient.te
--- nsapolicy/domains/program/unused/ddclient.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.4/domains/program/unused/ddclient.te	2005-08-11 23:07:13.000000000 -0400
@@ -38,5 +38,7 @@
 
 # allow access to ddclient.conf and ddclient.cache
 allow ddclient_t ddclient_etc_t:file r_file_perms;
-allow ddclient_t ddclient_var_t:dir rw_dir_perms;
-allow ddclient_t ddclient_var_t:file create_file_perms;
+file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)
+dontaudit ddclient_t devpts_t:dir search;
+dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
+dontaudit httpd_t selinux_config_t:dir search;
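Review bot: `dontaudit httpd_t selinux_config_t:dir search;` belongs to the Apache domain but lands in ddclient.te, so a build that includes ddclient without apache.te fails on an undeclared httpd_t, and the rule is already covered by the global `dontaudit domain selinux_config_t:dir search;` that security.te adds in this same patch — drop it. Separately, `file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)` replaces rules confined to `ddclient_var_t` with permission to create entries directly in `var_t` directories; if ddclient only maintains its own cache, the old `rw_dir_perms`/`create_file_perms` pair was the narrower grant, so state why the transition is needed, e.g. `# ddclient creates its cache dir under /var on first run`.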
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.4/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/unused/dhcpc.te	2005-08-11 23:07:13.000000000 -0400
@@ -156,6 +156,6 @@
 domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
 allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
 allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
+allow { unconfined_t NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
+allow dhcpc_t { unconfined_t NetworkManager_t initrc_t }:dbus send_msg;
 ')
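Review bot: Adding `unconfined_t` to both dbus `send_msg` rules references a type that exists only when the unconfined domain is part of the build, and the closing `')` shows these lines sit in a conditional block whose opening (presumably the dbusd ifdef) is above the hunk and gives no such guarantee, so a strict build without unconfined.te would fail on an undeclared type. Guard the two new rules, e.g. `ifdef(`unconfined.te', `allow unconfined_t dhcpc_t:dbus send_msg; allow dhcpc_t unconfined_t:dbus send_msg;')`, or use the `targeted_policy` ifdef this patch applies elsewhere. Whether unconfined_t is declared in the strict build is outside this diff, so treat that as something to confirm.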
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.25.4/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te	2005-06-01 06:11:22.000000000 -0400
+++ policy-1.25.4/domains/program/unused/firstboot.te	2005-08-11 23:07:13.000000000 -0400
@@ -57,9 +57,6 @@
 # Allow write to utmp file
 allow firstboot_t initrc_var_run_t:file write;
 
-allow firstboot_t krb5_conf_t:file { getattr read };
-allow firstboot_t net_conf_t:file { getattr read };
-
 ifdef(`samba.te', `
 rw_dir_file(firstboot_t, samba_etc_t)
 ')
@@ -95,10 +92,6 @@
 allow firstboot_t modules_conf_t:file { getattr read };
 allow firstboot_t modules_dep_t:file { getattr read };
 allow firstboot_t modules_object_t:dir search;
-allow firstboot_t net_conf_t:file rw_file_perms;
-allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send };
-allow firstboot_t node_t:node { tcp_recv tcp_send };
-
 allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
 allow firstboot_t proc_t:lnk_file read;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.25.4/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/unused/ftpd.te	2005-08-11 23:07:13.000000000 -0400
@@ -110,9 +110,5 @@
 	r_dir_file(ftpd_t, cifs_t)
 }
 dontaudit ftpd_t selinux_config_t:dir search;
-#
-# Type for access to anon ftp
-#
-r_dir_file(ftpd_t,ftpd_anon_t)
-type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
-create_dir_file(ftpd_t,ftpd_anon_rw_t)
+anonymous_domain(ftpd)
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.4/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/hald.te	2005-08-11 23:07:13.000000000 -0400
@@ -47,6 +47,7 @@
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file read;
 allow hald_t mouse_device_t:chr_file r_file_perms;
+allow hald_t device_type:chr_file getattr;
 
 can_getsecurity(hald_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.4/domains/program/unused/hwclock.te
--- nsapolicy/domains/program/unused/hwclock.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/unused/hwclock.te	2005-08-11 23:07:13.000000000 -0400
@@ -17,7 +17,9 @@
 #
 daemon_base_domain(hwclock)
 role sysadm_r types hwclock_t;
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
+')
 type adjtime_t, file_type, sysadmfile;
 
 allow hwclock_t fs_t:filesystem getattr;
@@ -44,3 +46,4 @@
 
 # for when /usr is not mounted
 dontaudit hwclock_t file_t:dir search;
+allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.25.4/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2005-04-27 10:28:51.000000000 -0400
+++ policy-1.25.4/domains/program/unused/ipsec.te	2005-08-11 23:07:13.000000000 -0400
@@ -60,8 +60,8 @@
 # it in its own domain?)
 can_exec(ipsec_mgmt_t, bin_t)
 # logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
-allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
 
 # also need to run things like whack and shell scripts
 can_exec(ipsec_mgmt_t, ipsec_exec_t)
@@ -169,7 +169,7 @@
 # Pluto needs network access
 can_network_server(ipsec_t)
 can_ypbind(ipsec_t)
-allow ipsec_t self:unix_dgram_socket { create connect write };
+allow ipsec_t self:unix_dgram_socket create_socket_perms;
 
 # for sleep
 allow ipsec_mgmt_t fs_t:filesystem getattr;
@@ -211,6 +211,7 @@
 allow ipsec_mgmt_t self:key_socket { create setopt };
 can_exec(ipsec_mgmt_t, initrc_exec_t)
 allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
+allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
 read_locale(ipsec_t)
 ifdef(`consoletype.te', `
 can_exec(ipsec_mgmt_t, consoletype_exec_t )
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.25.4/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/kudzu.te	2005-08-11 23:07:13.000000000 -0400
@@ -48,7 +48,9 @@
 allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
 
 role sysadm_r types kudzu_t;
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
+')
 ifdef(`anaconda.te', `
 domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.25.4/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/mta.te	2005-08-11 23:07:13.000000000 -0400
@@ -22,7 +22,7 @@
 # rules are currently defined in sendmail.te, but it is not included in 
 # targeted policy.  We could move these rules permanantly here.
 ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
-allow system_mail_t self:dir { search };
+allow system_mail_t self:dir search;
 allow system_mail_t self:lnk_file read;
 r_dir_file(system_mail_t, { proc_t proc_net_t })
 allow system_mail_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.25.4/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	2005-08-11 06:57:14.000000000 -0400
+++ policy-1.25.4/domains/program/unused/NetworkManager.te	2005-08-11 23:07:13.000000000 -0400
@@ -15,12 +15,12 @@
 
 can_network(NetworkManager_t)
 allow NetworkManager_t port_type:tcp_socket name_connect;
-allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
 allow NetworkManager_t dhcpc_t:process signal;
 
 can_ypbind(NetworkManager_t)
 uses_shlib(NetworkManager_t)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
 
 allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
@@ -93,6 +93,9 @@
 
 domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
 allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+# allow vpnc connections
+allow NetworkManager_t self:rawip_socket create_socket_perms;
+allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
 
 domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
 domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
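Review bot: `allow NetworkManager_t self:rawip_socket create_socket_perms;` and `tun_tap_device_t:chr_file rw_file_perms` under `# allow vpnc connections` give the manager itself raw IP and tun access, which is what vpnc needs rather than what NetworkManager needs; the cover note says vpnc is being moved to its own application domain, so the cleaner shape is a `domain_auto_trans` from NetworkManager_t into that vpnc domain with rawip/tun living there (the vpnc policy is not in this chunk, so confirm it exists). If NetworkManager genuinely opens the tunnel device and raw socket itself, name the code path: `# NM opens /dev/net/tun and a raw socket directly for vpnc — confirm; otherwise move to the vpnc domain`. Raw sockets on a domain that already holds `net_admin`, `net_raw` and `sys_module` keep widening an already broad daemon.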
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.25.4/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/ping.te	2005-08-11 23:07:13.000000000 -0400
@@ -17,7 +17,9 @@
 in_user_role(ping_t)
 type ping_exec_t, file_type, sysadmfile, exec_type;
 
-ifdef(`targeted_policy', `', `
+ifdef(`targeted_policy', `
+	allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
+', `
 bool user_ping false;
 
 if (user_ping) {
@@ -42,9 +44,6 @@
 # Let ping create raw ICMP packets.
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 
-allow ping_t netif_type:netif { rawip_send rawip_recv };
-allow ping_t node_type:node { rawip_send rawip_recv };
-
 # Use capabilities.
 allow ping_t self:capability { net_raw setuid };
 
@@ -52,11 +51,13 @@
 allow ping_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
 allow ping_t privfd:fd use;
-
 dontaudit ping_t fs_t:filesystem getattr;
 
 # it tries to access /var/run
 dontaudit ping_t var_t:dir search;
 dontaudit ping_t devtty_t:chr_file { read write };
 dontaudit ping_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms', `
+allow ping_t init_t:fd use;
+')
 
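Review bot: `allow ping_t init_t:fd use;` is wrapped in `ifdef(`hide_broken_symptoms', ...)`, but that macro is documented in tunable.tun as "do not audit things that we know to be broken but which are not security risks" — an `allow` under it silently grants access once the symbol is defined, which this same patch makes the default. Either make it `dontaudit ping_t init_t:fd use;`, which is what the macro's contract promises, or keep it an unconditional allow with a comment explaining why ping legitimately inherits init's descriptors. As written, flipping what is advertised as an audit-noise switch changes the access decision.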
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.25.4/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/postgresql.te	2005-08-11 23:07:13.000000000 -0400
@@ -110,8 +110,8 @@
 allow postgresql_t self:sem create_sem_perms;
 
 allow postgresql_t initrc_var_run_t:file { getattr read lock };
-dontaudit postgresql_t selinux_config_t:dir { search };
-allow postgresql_t mail_spool_t:dir { search };
+dontaudit postgresql_t selinux_config_t:dir search;
+allow postgresql_t mail_spool_t:dir search;
 lock_domain(postgresql)
 can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
 ifdef(`apache.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.4/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/pppd.te	2005-08-11 23:07:13.000000000 -0400
@@ -32,12 +32,9 @@
 log_domain(pppd)
 
 # Use the network.
-can_network(pppd_t)
+can_network_server(pppd_t)
 can_ypbind(pppd_t)
 
-allow pppd_t fingerd_port_t:tcp_socket name_connect;
-
-
 # Use capabilities.
 allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
 lock_domain(pppd)
@@ -55,8 +52,6 @@
 
 # allow running ip-up and ip-down scripts and running chat.
 can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
-can_exec(pppd_t, pppd_etc_rw_t)
-can_exec(pppd_t, hostname_exec_t)
 allow pppd_t { bin_t sbin_t }:dir search;
 allow pppd_t { sbin_t bin_t }:lnk_file read;
 
@@ -115,7 +110,6 @@
 domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
 ')
 }
-domain_auto_trans(pppd_t, named_exec_t, named_t)
 
 daemon_domain(pptp)
 can_network_client_tcp(pptp_t)
@@ -136,4 +130,17 @@
 allow pptp_t self:fifo_file { read write };
 allow pptp_t ptmx_t:chr_file rw_file_perms;
 log_domain(pptp)
+
+# Fix sockets
+allow pptp_t pptp_var_run_t:sock_file create_file_perms;
+
+# Allow pptp to append to pppd log files
 allow pptp_t pppd_log_t:file append;
+
+ifdef(`named.te', `
+dontaudit ndc_t pppd_t:fd use;
+')
+
+# Allow /etc/ppp/ip-{up,down} to run most anything
+type pppd_script_exec_t, file_type, sysadmfile;
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
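Review bot: `type pppd_script_exec_t, file_type, sysadmfile;` omits the `exec_type` attribute the other entrypoint types in this patch carry (e.g. `alsa_exec_t, file_type, sysadmfile, exec_type`), and the `domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)` that uses it makes the init-script domain reachable from a network-facing daemon holding `dac_override`, `net_admin` and `net_raw`. That is only safe while pppd_t has no write access to files labeled pppd_script_exec_t and the label is applied narrowly to /etc/ppp/ip-{up,down}; a dedicated `pppd_script_t` domain would bound what those scripts can do instead of "most anything". Add `exec_type` and state the invariant beside the type: `# pppd_t must never be able to write pppd_script_exec_t: it is an entrypoint into initrc_t`. No file_contexts entry for the new type appears in this chunk; confirm one exists.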
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.25.4/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/rlogind.te	2005-08-11 23:07:13.000000000 -0400
@@ -35,4 +35,4 @@
 allow rlogind_t default_t:dir search;
 typealias rlogind_port_t alias rlogin_port_t;
 read_sysctl(rlogind_t);
-allow rlogind_t krb5_keytab_t:file { getattr read };
+allow rlogind_t krb5_keytab_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.4/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/unused/rpm.te	2005-08-11 23:07:13.000000000 -0400
@@ -114,7 +114,7 @@
 
 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
@@ -194,6 +194,7 @@
 
 domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
 domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
+role sysadm_r types initrc_t;
 domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
 ifdef(`bootloader.te', `
 domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
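Review bot: `role sysadm_r types initrc_t;` is a global RBAC authorization, not an rpm rule: it lets every sysadm_r process hold initrc_t, and because it sits in domains/program/unused/rpm.te the grant disappears whenever rpm.te is not built. If it is needed for the `domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)` on the next line, it belongs in initrc.te beside the other role statements for initrc_t (I can't see from here whether initrc.te already has it, in which case this line is redundant). At minimum a comment such as `# sysadm_r may hold initrc_t so rpm scriptlets started from a sysadm shell can enter it` should record why it is here.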
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.25.4/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.4/domains/program/unused/rsync.te	2005-08-11 23:07:13.000000000 -0400
@@ -14,4 +14,6 @@
 inetd_child_domain(rsync)
 type rsync_data_t, file_type, sysadmfile;
 r_dir_file(rsync_t, rsync_data_t)
-r_dir_file(rsync_t, ftpd_anon_t)
+anonymous_domain(rsync)
+
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.4/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/unused/samba.te	2005-08-11 23:07:13.000000000 -0400
@@ -50,7 +50,7 @@
 can_ldap(smbd_t)
 can_kerberos(smbd_t)
 can_winbind(smbd_t)
-allow smbd_t ipp_port_t:tcp_socket name_connect;
+allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
 
@@ -79,6 +79,7 @@
 
 # Access Samba shares.
 create_dir_file(smbd_t, samba_share_t)
+anonymous_domain(smbd)
 
 ifdef(`logrotate.te', `
 # the application should be changed
@@ -189,6 +190,8 @@
 ')
 # Derive from app. domain. Transition from mount.
 application_domain(samba_net, `, nscd_client_domain')
+role system_r types samba_net_t;
+in_user_role(samba_net_t)
 file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
 read_locale(samba_net_t) 
 allow samba_net_t samba_etc_t:file r_file_perms;
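Review bot: `in_user_role(samba_net_t)` together with `role system_r types samba_net_t;` makes the net(8) domain reachable from the unprivileged user roles, and that is the domain which creates samba_secrets_t through `file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)` and reads samba_etc_t. DAC still applies, but the policy should say which is meant: either `role sysadm_r types samba_net_t;` if only administrators join domains, or a comment above the in_user_role line such as `# net(8) may be run by ordinary users; the secrets file is then protected by DAC only`. The samba.te domain definition is outside this hunk.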
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.4/domains/program/unused/saslauthd.te
--- nsapolicy/domains/program/unused/saslauthd.te	2005-07-19 10:57:05.000000000 -0400
+++ policy-1.25.4/domains/program/unused/saslauthd.te	2005-08-11 23:07:13.000000000 -0400
@@ -9,6 +9,7 @@
 allow saslauthd_t self:unix_dgram_socket create_socket_perms;
 allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
 allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
+allow saslauthd_t var_lib_t:dir search;
 
 allow saslauthd_t etc_t:dir { getattr search };
 allow saslauthd_t etc_t:file r_file_perms;
@@ -29,3 +30,12 @@
 if (allow_saslauthd_read_shadow) {
 allow saslauthd_t shadow_t:file r_file_perms;
 }
+dontaudit saslauthd_t selinux_config_t:dir search;
+dontaudit saslauthd_t selinux_config_t:file { getattr read };
+
+
+dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
+ifdef(`mysqld.te', `
+allow saslauthd_t mysqld_db_t:dir search;
+allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
+')
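Review bot: `allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;` covers only the socket node in the filesystem; a unix stream connect also needs `allow saslauthd_t mysqld_t:unix_stream_socket connectto;`, which is not in this hunk, so the MySQL authentication path stays denied unless that rule exists elsewhere in saslauthd.te (not visible here). The new `dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;` just above looks like the same connect being hidden rather than granted — if the mysqld socket was created by the init script it carries initrc_t and this dontaudit will mask the real failure. Prefer granting connectto to the correct domain and adding a comment on why the initrc_t connect is expected and harmless.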
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.25.4/domains/program/unused/slocate.te
--- nsapolicy/domains/program/unused/slocate.te	2005-04-27 10:28:53.000000000 -0400
+++ policy-1.25.4/domains/program/unused/slocate.te	2005-08-11 23:07:13.000000000 -0400
@@ -10,7 +10,8 @@
 # locate_exec_t is the type of the locate executable.
 #
 daemon_base_domain(locate)
-
+role system_r types locate_t;
+role sysadm_r types locate_t;
 allow locate_t fs_t:filesystem getattr;
 
 ifdef(`crond.te', `
@@ -23,6 +24,7 @@
 allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
 
 allow locate_t { fs_type file_type }:dir r_dir_perms;
+dontaudit locate_t sysctl_t:dir getattr;
 allow locate_t file_type:lnk_file r_file_perms;
 allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
 dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.4/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/udev.te	2005-08-11 23:07:13.000000000 -0400
@@ -33,7 +33,7 @@
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:netlink_kobject_uevent_socket { create bind read }; 
+allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt }; 
 allow udev_t device_t:file { unlink rw_file_perms };
 allow udev_t device_t:sock_file create_file_perms;
 allow udev_t device_t:lnk_file create_lnk_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.25.4/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/vpnc.te	2005-08-12 07:29:25.000000000 -0400
@@ -10,9 +10,9 @@
 # vpnc_t is the domain for the vpnc program.
 # vpnc_exec_t is the type of the vpnc executable.
 #
-daemon_domain(vpnc, `, sysctl_net_writer')
+application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
 
-allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
+allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
 # Use the network.
 can_network(vpnc_t)
@@ -31,7 +31,7 @@
 allow vpnc_t self:rawip_socket create_socket_perms;
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
+allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
 allow vpnc_t port_t:udp_socket name_bind;
 allow vpnc_t etc_runtime_t:file { getattr read };
 allow vpnc_t proc_t:file { getattr read };
@@ -42,6 +42,8 @@
 allow vpnc_t sbin_t:dir search;
 allow vpnc_t bin_t:dir search;
 allow vpnc_t bin_t:lnk_file read;
+allow vpnc_t self:dir search;
+r_dir_file(vpnc_t, proc_t)
 r_dir_file(vpnc_t, proc_net_t)
 tmp_domain(vpnc)
 allow vpnc_t self:fifo_file { getattr ioctl read write };
@@ -49,3 +51,12 @@
 allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
 file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
 allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
+dontaudit vpnc_t home_root_t:dir search;
+dontaudit vpnc_t user_home_dir_type:dir search;
+var_run_domain(vpnc)
+allow vpnc_t userdomain:fd use;
+r_dir_file(vpnc_t, sysfs_t)
+allow vpnc_t self:process { fork sigchld };
+read_locale(vpnc_t)
+read_sysctl(vpnc_t)
+allow vpnc_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.25.4/domains/program/useradd.te
--- nsapolicy/domains/program/useradd.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.25.4/domains/program/useradd.te	2005-08-11 23:07:13.000000000 -0400
@@ -102,3 +102,4 @@
 allow useradd_t default_context_t:dir search;
 allow useradd_t file_context_t:dir search;
 allow useradd_t file_context_t:file { getattr read };
+allow useradd_t var_lib_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.25.4/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2005-07-19 10:57:05.000000000 -0400
+++ policy-1.25.4/file_contexts/program/apache.fc	2005-08-11 23:07:13.000000000 -0400
@@ -7,6 +7,8 @@
 /var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t
 /var/www/icons(/.*)?		system_u:object_r:httpd_sys_content_t
 /var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t
+/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
+/var/cache/php-mmcache(/.*)?	system_u:object_r:httpd_cache_t
 /etc/httpd		-d	system_u:object_r:httpd_config_t
 /etc/httpd/conf.*		system_u:object_r:httpd_config_t
 /etc/httpd/logs			system_u:object_r:httpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/certwatch.fc policy-1.25.4/file_contexts/program/certwatch.fc
--- nsapolicy/file_contexts/program/certwatch.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.25.4/file_contexts/program/certwatch.fc	2005-08-11 23:07:13.000000000 -0400
@@ -0,0 +1,3 @@
+# certwatch.fc
+/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.4/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/file_contexts/program/cups.fc	2005-08-11 23:07:13.000000000 -0400
@@ -5,6 +5,7 @@
 /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
 /etc/cups/client\.conf	--	system_u:object_r:etc_t
 /etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t
+/etc/cups/classes\.conf.* --	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.25.4/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.25.4/file_contexts/program/postgresql.fc	2005-08-11 23:07:13.000000000 -0400
@@ -14,3 +14,7 @@
 /usr/lib/pgsql/test/regress/.*\.so	-- system_u:object_r:shlib_t
 /usr/lib/pgsql/test/regress/.*\.sh	-- system_u:object_r:bin_t
 /usr/lib/pgsql/test/regress/pg_regress	-- system_u:object_r:postgresql_exec_t
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)?       system_u:object_r:postgresql_db_t
+/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t 
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.25.4/file_contexts/program/pppd.fc
--- nsapolicy/file_contexts/program/pppd.fc	2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/file_contexts/program/pppd.fc	2005-08-11 23:07:13.000000000 -0400
@@ -13,9 +13,13 @@
 /var/run/(i)?ppp.*pid	--	system_u:object_r:pppd_var_run_t
 /var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t
 /var/log/ppp/.*	--	system_u:object_r:pppd_log_t
-/etc/ppp/ip-down.*	--	system_u:object_r:bin_t
-/etc/ppp/ip-up.*	--	system_u:object_r:bin_t
-/etc/ppp/ipv6-up	--	system_u:object_r:bin_t
-/etc/ppp/ipv6-down	--	system_u:object_r:bin_t
+/etc/ppp/ip-down\..*	--	system_u:object_r:bin_t
+/etc/ppp/ip-up\..*	--	system_u:object_r:bin_t
+/etc/ppp/ipv6-up\..*	--	system_u:object_r:bin_t
+/etc/ppp/ipv6-down\..*	--	system_u:object_r:bin_t
 /etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t
-/etc/ppp/resolv\.conf 	--   system_u:object_r:pppd_etc_rw_t
+/etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t
+# Fix pptp sockets
+/var/run/pptp(/.*)?	--	system_u:object_r:pptp_var_run_t
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t
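Review bot: `/var/run/pptp(/.*)?	--	system_u:object_r:pptp_var_run_t` uses the `--` regular-file specifier, so neither the /var/run/pptp directory nor the socket nodes the comment says it is fixing (and that pppd.te now grants as `pptp_var_run_t:sock_file`) will match during a relabel; drop the specifier: `/var/run/pptp(/.*)?		system_u:object_r:pptp_var_run_t`. The new `/etc/ppp/(auth|ip(v6|x)?)-(up|down)` line gives the un-suffixed scripts pppd_script_exec_t while the `\..*` lines above keep e.g. ip-up.local as bin_t; a one-line comment saying whether that split is intentional would stop it being "fixed" later.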
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/radvd.fc policy-1.25.4/file_contexts/program/radvd.fc
--- nsapolicy/file_contexts/program/radvd.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.4/file_contexts/program/radvd.fc	2005-08-15 10:01:10.000000000 -0400
@@ -2,3 +2,4 @@
 /etc/radvd\.conf	--	system_u:object_r:radvd_etc_t
 /usr/sbin/radvd		--	system_u:object_r:radvd_exec_t
 /var/run/radvd\.pid	--	system_u:object_r:radvd_var_run_t
+/var/run/radvd(/.*)?		system_u:object_r:radvd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.25.4/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/file_contexts/types.fc	2005-08-11 23:07:13.000000000 -0400
@@ -503,8 +503,8 @@
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
 /usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
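Review bot: Replacing `[^/]*thunderbird[^/]*/` with a bare `[^/]*/` makes these two lines match `run-mozilla.sh` and `mozilla-xremote-client` in any one-level subdirectory of /usr/lib(64), not just the mozilla/firefox/thunderbird trees, and bin_t is the label most domains are allowed to execute. If the goal is to cover firefox and mozilla as well as thunderbird, `/usr/lib(64)?/[^/]*(mozilla|firefox|thunderbird)[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t` keeps the match scoped; otherwise a comment explaining why the directory is deliberately left open would do.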
 
 #
 # /srv
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.25.4/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-08-11 06:57:18.000000000 -0400
+++ policy-1.25.4/macros/base_user_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -21,8 +21,8 @@
 type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
 
 # Allow user to relabel untrusted content
-allow $1_t $1_untrusted_content_t:{ dir file } { getattr unlink relabelto relabelfrom };
-allow $1_t $1_untrusted_content_tmp_t:{ dir file } { getattr unlink relabelto relabelfrom };
+allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
 
 # Read content
 read_content($1_t, $1)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.4/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-08-11 06:57:18.000000000 -0400
+++ policy-1.25.4/macros/global_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -595,6 +595,18 @@
 ')dnl end polyinstantiater
 
 # 
+# Domain that is allow to read anonymous data off the network
+# without providing authentication.
+# Also define boolean to allow anonymous writing
+#
+define(`anonymous_domain', `
+r_dir_file($1_t, ftpd_anon_t)
+bool allow_$1_anon_write false;
+if (allow_$1_anon_write) {
+create_dir_file($1_t,ftpd_anon_rw_t)
+}
+')
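Review bot: `anonymous_domain` declares `bool allow_$1_anon_write false;` at each expansion, so expanding it twice with the same prefix is a compile error, and every caller shares one writable type, ftpd_anon_rw_t, so turning the boolean on for httpd scripts makes web-submitted content readable and writable by every other anonymous domain whose boolean is also on (rsync, smbd, ftp). The macro also references ftpd_anon_t and ftpd_anon_rw_t unconditionally; if those are declared in ftpd.te rather than in types/file.te, any caller breaks the build when ftpd.te is excluded (can't tell from here). The header should state both points and fix the grammar: `# Domain that is allowed to read anonymous (ftpd_anon_t) data without authentication; allow_$1_anon_write additionally grants write to the ftpd_anon_rw_t type shared by all anonymous domains`.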
+# 
 # Define a domain that can do anything, so that it is
 # effectively unconfined by the SELinux policy.  This
 # means that it is only restricted by the normal Linux 
@@ -727,3 +739,15 @@
 allow $1 removable_t:filesystem getattr;
 
 ')
+
+define(`authentication_domain', `
+can_ypbind($1)
+can_kerberos($1)
+can_ldap($1)
+can_resolve($1)
+can_winbind($1)
+r_dir_file($1, cert_t)
+allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
+allow $1 self:capability { audit_write audit_control };
+dontaudit $1 shadow_t:file { getattr read };
+')
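Review bot: `allow $1 self:capability { audit_write audit_control };` hands every caller CAP_AUDIT_CONTROL, which permits changing the kernel audit configuration and is far more than the CAP_AUDIT_WRITE that emitting a login record needs; the chkpwd hunk removes that pair from auth_chkpwd only to re-grant it here to each per-user chkpwd domain. Keep `allow $1 self:capability audit_write;` in the macro and leave audit_control to the one system domain that actually needs it. A short header would also help, e.g. `# Common rules for domains that authenticate users: directory/Kerberos/LDAP/winbind lookups, certificate and entropy reads`.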
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.4/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/macros/network_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -16,9 +16,7 @@
 # Allow the domain to send or receive using any network interface.
 # netif_type is a type attribute for all network interface types.
 #
-allow $1 netif_type:netif { $2_send rawip_send };
-allow $1 netif_type:netif { $2_recv rawip_recv };
-
+allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
 #
 # Allow the domain to send to or receive from any node.
 # node_type is a type attribute for all node types.
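Review bot: Changing `netif_type:netif` to `netif_t:netif` binds every can_network domain to the single default interface type, so any `netifcon` statement that maps an interface to another netif type (the ones this patch deletes from net_contexts, or a local addition) silently cuts that interface off for all such domains, and the comment above still says "any network interface". If the intent is that interfaces are no longer typed individually, say so on the rule — `# all interfaces carry netif_t; per-interface netif types are no longer supported by this macro` — or keep the attribute form. The macro's header is outside this hunk.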
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.4/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/macros/program/apache_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -23,6 +23,7 @@
 domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
 allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
+allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
 
 allow httpd_$1_script_t httpd_t:fd use;
 allow httpd_$1_script_t httpd_t:process sigchld;
@@ -101,7 +102,9 @@
 read_fonts(httpd_$1_script_t)
 r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
 create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
+allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
 ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
+anonymous_domain(httpd_$1_script)
 
 if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 create_dir_file(httpd_$1_script_t, httpdcontent)
@@ -136,9 +139,10 @@
 if (httpd_builtin_scripting) {
 r_dir_file(httpd_t, httpd_$1_script_ro_t)
 create_dir_file(httpd_t, httpd_$1_script_rw_t)
+allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
 ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-}
 r_dir_file(httpd_t, httpd_$1_content_t)
+}
 
 ')
 define(`apache_user_domain', `
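Review bot: Moving `r_dir_file(httpd_t, httpd_$1_content_t)` inside `if (httpd_builtin_scripting) { … }` makes httpd_t's read of that content type conditional on the scripting boolean, so with httpd_builtin_scripting off plain static files of type httpd_$1_content_t are no longer readable through this macro unless some other rule grants it (I can't see whether httpd_$1_content_t carries an attribute httpd_t reads elsewhere). If that is intended, the boolean's description should say it gates content as well as script data; otherwise put the closing `}` back above the r_dir_file line. The enclosing macro continues before and after this hunk.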
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.25.4/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te	2005-08-11 06:57:18.000000000 -0400
+++ policy-1.25.4/macros/program/cdrecord_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -27,16 +27,8 @@
 
 can_resmgrd_connect($1_cdrecord_t)
 
-allow $1_cdrecord_t { tmp_t home_root_t }:dir search;
+read_content($1_cdrecord_t, $1, cdrecord) 
 
-# allow cdrecord to read user files
-r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t })
-if (use_nfs_home_dirs) {
-r_dir_file($1_cdrecord_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1_cdrecord_t, cifs_t)
-}
 allow $1_cdrecord_t etc_t:file { getattr read };
 
 # allow searching for cdrom-drive
@@ -50,6 +42,8 @@
 allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
 allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
 allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
-read_content($1_cdrecord_t, $1)
+allow $1_cdrecord_t $1_home_t:dir search;
+allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
+allow $1_cdrecord_t $1_home_t:file r_file_perms;
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.4/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2005-07-19 10:57:05.000000000 -0400
+++ policy-1.25.4/macros/program/chkpwd_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -23,28 +23,15 @@
 allow $1_chkpwd_t proc_t:file read;
 
 can_getcon($1_chkpwd_t)
-can_ypbind($1_chkpwd_t)
-can_kerberos($1_chkpwd_t)
-can_ldap($1_chkpwd_t)
-can_resolve($1_chkpwd_t)
+authentication_domain($1_chkpwd_t)
 
 ifelse($1, system, `
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
 allow auth_chkpwd sbin_t:dir search;
 allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow auth_chkpwd self:capability { audit_write audit_control };
 
 dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-dontaudit auth_chkpwd shadow_t:file { getattr read };
-can_ypbind(auth_chkpwd)
-can_kerberos(auth_chkpwd)
-can_ldap(auth_chkpwd)
-ifdef(`winbind.te', `
-r_dir_file(auth_chkpwd, winbind_var_run_t)
-')
-r_dir_file(auth_chkpwd, cert_t)
-r_dir_file($1_chkpwd_t, cert_t)
-allow $1_chkpwd_t { random_device_t urandom_device_t }:chr_file { getattr read };
+authentication_domain(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
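Review bot: With `authentication_domain($1_chkpwd_t)` every per-user chkpwd domain now receives the rules that were previously reserved for auth_chkpwd, including `self:capability { audit_write audit_control }` (removed from the system branch a few lines below), and audit_control is a kernel-audit-configuration privilege these helpers have no use for. Keep the cert/ypbind/kerberos/ldap consolidation, but either drop audit_control from the macro or re-add it only inside the `ifelse($1, system, …)` branch. The winbind access also changed from an `ifdef(winbind.te)`-guarded read of winbind_var_run_t to an unconditional `can_winbind`, which should be confirmed to expand on builds without winbind.te.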
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ethereal_macros.te policy-1.25.4/macros/program/ethereal_macros.te
--- nsapolicy/macros/program/ethereal_macros.te	2005-07-05 15:25:49.000000000 -0400
+++ policy-1.25.4/macros/program/ethereal_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -38,11 +38,10 @@
 role $1_r types $1_ethereal_t;
 
 # Manual transition from userhelper 
-# FIXME: Need to handle the fallback case, which requires userhelper support
 ifdef(`userhelper.te', `
-allow userhelperdomain sysadm_ethereal_t:process { transition siginh rlimitinh noatsecure };
-allow sysadm_ethereal_t userhelperdomain:fd use;
-allow sysadm_ethereal_t userhelperdomain:process sigchld;
+allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
+allow $1_ethereal_t userhelperdomain:fd use;
+allow $1_ethereal_t userhelperdomain:process sigchld;
 ') dnl userhelper
 
 # X, GNOME
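Review bot: The userhelper transition now targets `$1_ethereal_t` for every user prefix instead of sysadm_ethereal_t only, so a userhelper-launched ethereal lands in the calling user's domain, and the FIXME about the fallback case was deleted without the fallback being handled. Whether this is safe depends on userhelper's console.apps configuration, which the hunk can't show; make the assumption explicit: `# userhelper may start ethereal in the caller's own domain; capture rights come from $1_ethereal_t, not from userhelper`. The macro body continues outside this hunk.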
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.4/macros/program/evolution_macros.te
--- nsapolicy/macros/program/evolution_macros.te	2005-08-11 06:57:18.000000000 -0400
+++ policy-1.25.4/macros/program/evolution_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -64,7 +64,7 @@
 allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
 
 # Look in /etc/pki
-allow $1_evolution_server_t cert_t:dir r_dir_perms;
+r_dir_file($1_evolution_server_t, cert_t)
 
 ') dnl evolution_data_server
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.4/macros/program/mail_client_macros.te
--- nsapolicy/macros/program/mail_client_macros.te	2005-08-11 06:57:18.000000000 -0400
+++ policy-1.25.4/macros/program/mail_client_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -54,10 +54,15 @@
 ') 
 ifdef(`dbusd.te', `
 dbusd_client(system, $1)
+allow $1_t system_dbusd_t:dbus send_msg;
 dbusd_client($2, $1)
 allow $1_t $2_dbusd_t:dbus send_msg;
 ifdef(`cups.te', `
 allow cupsd_t $1_t:dbus send_msg;
 ') 
 ') 
+# Allow the user domain to signal/ps.
+can_ps($2_t, $1_t)
+allow $2_t $1_t:process signal_perms;
+
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.4/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-08-11 06:57:18.000000000 -0400
+++ policy-1.25.4/macros/program/mozilla_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -139,7 +139,14 @@
 }
 allow $1_mozilla_t texrel_shlib_t:file execmod;
 
+ifdef(`dbusd.te', `
 dbusd_client(system, $1_mozilla)
+allow $1_mozilla_t system_dbusd_t:dbus send_msg;
+ifdef(`cups.te', `
+allow cupsd_t $1_mozilla_t:dbus send_msg;
+')
+')
+
 ifdef(`apache.te', `
 ifelse($1, sysadm, `', `
 r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.25.4/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te	2005-08-11 06:57:18.000000000 -0400
+++ policy-1.25.4/macros/program/spamassassin_macros.te	2005-08-12 08:02:44.000000000 -0400
@@ -85,7 +85,7 @@
 spamassassin_agent_privs($1_spamassassin_t, $1)
 
 can_resolve($1_spamassassin_t)
-# set tunable if you give spamassassin full network access.
+# set tunable if you have spamassassin do DNS lookups
 if (spamassasin_can_network) {
 can_network($1_spamassassin_t)
 allow $1_spamassassin_t port_type:tcp_socket name_connect;
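Review bot: The rewritten comment `# set tunable if you have spamassassin do DNS lookups` understates what `spamassasin_can_network` grants: name resolution is already given unconditionally by `can_resolve($1_spamassassin_t)` on the line above, while the boolean body adds `can_network` plus `port_type:tcp_socket name_connect`, i.e. outbound TCP to every labelled port. The old wording was the accurate one; suggest `# set tunable if spamassassin needs full outbound network access (e.g. DNSBL/razor/pyzor); plain DNS is allowed without it`.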
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.25.4/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2005-05-25 11:28:11.000000000 -0400
+++ policy-1.25.4/macros/program/su_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -23,9 +23,13 @@
 
 define(`su_restricted_domain', `
 # Derived domain based on the calling user domain and the program.
-ifdef(`support_polyinstantiation', `
-type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;',`
 type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
+ifdef(`support_polyinstantiation', `
+typeattribute $1_su_t mlsfileread;
+typeattribute $1_su_t mlsfilewrite;
+typeattribute $1_su_t mlsfileupgrade;
+typeattribute $1_su_t mlsfiledowngrade;
+typeattribute $1_su_t mlsprocsetsl;
 ')
 
 # for SSP
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.25.4/macros/program/thunderbird_macros.te
--- nsapolicy/macros/program/thunderbird_macros.te	2005-08-11 06:57:18.000000000 -0400
+++ policy-1.25.4/macros/program/thunderbird_macros.te	2005-08-11 23:07:13.000000000 -0400
@@ -38,6 +38,7 @@
 x_client_domain($1_thunderbird, $1)
 mail_client_domain($1_thunderbird, $1)
 
+allow $1_thunderbird_t self:process signull;
 allow $1_thunderbird_t fs_t:filesystem getattr;
 
 # GNOME support
@@ -54,9 +55,6 @@
 can_network_client_tcp($1_thunderbird_t, http_port_t) 
 allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
 
-allow $1_thunderbird_t self:process { execheap execstack };
-if (allow_execmem) {
-allow $1_thunderbird_t self:process execmem;
-}
+allow $1_thunderbird_t self:process { execheap execmem execstack };
 
 ')
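Review bot: `allow $1_thunderbird_t self:process { execheap execmem execstack };` drops the `if (allow_execmem)` gate, so executable anonymous memory is granted to every thunderbird domain regardless of the boolean, and an administrator who disabled execmem system-wide no longer gets that protection for this process. If the boolean could not be made to work here, record why in a comment (`# execmem unconditional: thunderbird does not start without it, so allow_execmem cannot gate it`); otherwise restore the conditional form.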
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.25.4/Makefile
--- nsapolicy/Makefile	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.4/Makefile	2005-08-11 23:14:04.000000000 -0400
@@ -15,6 +15,9 @@
 # Set to y if MLS is enabled in the policy.
 MLS=n
 
+# Set to y if MCS is enabled in the policy
+MCS=n
+
 FLASKDIR = flask/
 PREFIX = /usr
 BINDIR = $(PREFIX)/bin
@@ -24,14 +27,18 @@
 GENHOMEDIRCON = $(SBINDIR)/genhomedircon
 SETFILES = $(SBINDIR)/setfiles
 VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
+PREVERS := 19
 KERNVERS := $(shell cat /selinux/policyvers)
 POLICYVER := policy.$(VERS)
 TOPDIR = $(DESTDIR)/etc/selinux
+TYPE=strict
 ifeq ($(MLS),y)
 TYPE=mls
-else
-TYPE=strict
 endif
+ifeq ($(MCS),y)
+TYPE=mcs
+endif
+
 INSTALLDIR = $(TOPDIR)/$(TYPE)
 POLICYPATH = $(INSTALLDIR)/policy
 SRCPATH = $(INSTALLDIR)/src
@@ -54,6 +61,10 @@
 POLICYFILES += mls
 CHECKPOLMLS += -M
 endif
+ifeq ($(MCS), y)
+POLICYFILES += mcs
+CHECKPOLMLS += -M
+endif
 DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
 POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
 POLICYFILES += $(USER_FILES)
@@ -148,8 +159,10 @@
 	@echo "Compiling policy ..."
 	@mkdir -p $(POLICYPATH)
 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(MLS),y)
+ifneq ($(VERS),$(PREVERS))
+	$(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
 endif
+
 # Note: Can't use install, so not sure how to deal with mode, user, and group
 #	other than by default.
 
@@ -162,7 +175,11 @@
 
 reload tmp/load: $(LOADPATH) 
 	@echo "Loading Policy ..."
+ifeq ($(VERS), $(KERNVERS))
 	$(LOADPOLICY) $(LOADPATH)
+else
+	$(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
+endif
 	touch tmp/load
 
 load: tmp/load $(FCPATH) 
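Review bot: The fallback in `reload` loads `$(POLICYPATH)/policy.$(PREVERS)` whenever `$(VERS)` differs from `$(KERNVERS)`, but that file is only produced when `$(VERS)` differs from `$(PREVERS)` (previous hunk), and nothing checks that the running kernel actually supports version 19, so on a kernel at any other version the target either hands the kernel a policy it rejects or fails on a missing file with an unhelpful error. Check the kernel version against the policy you are about to load and fail loudly otherwise; nested `ifeq` keeps it working on make versions without `else ifeq`.
```makefile
reload tmp/load: $(LOADPATH) 
	@echo "Loading Policy ..."
ifeq ($(VERS), $(KERNVERS))
	$(LOADPOLICY) $(LOADPATH)
else
ifeq ($(KERNVERS), $(PREVERS))
	$(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
else
	@echo "kernel policy version $(KERNVERS) is neither $(VERS) nor $(PREVERS)"; exit 1
endif
endif
	touch tmp/load
```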
@@ -328,3 +345,22 @@
 	@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
 	@mv Makefile.new Makefile
 	@echo "Done"
+
+mcsconvert: 
+	@for file in $(CONTEXTFILES); do \
+		echo "Converting $$file"; \
+		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
+		mv $$file.new $$file; \
+	done
+	@for file in $(USER_FILES); do \
+		echo "Converting $$file"; \
+		sed -r -e 's/\;/ level s0 range s0;/' $$file | \
+		sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
+		mv $$file.new $$file; \
+	done
+	@sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+	@echo "Enabling MCS in the Makefile"
+	@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new
+	@mv Makefile.new Makefile
+	@echo "Done"
+
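Review bot: `@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new` is a no-op, so `make mcsconvert` converts the context files but leaves `MCS=n` in place and the next build still produces a non-MCS policy; the mlsconvert target above uses `s/MLS=n/MLS=y/`. Change it to `@sed "s/MCS=n/MCS=y/" Makefile > Makefile.new`. The USER_FILES substitution `s/\;/ level s0 range s0;/` has no `g` flag and the second sed depends on the resulting line shape, which is fine if each user line holds one `;` but deserves a comment saying so.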
diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.25.4/mcs
--- nsapolicy/mcs	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.25.4/mcs	2005-08-11 23:15:17.000000000 -0400
@@ -0,0 +1,212 @@
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file.  We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { read write setattr append unlink link rename
+		    create ioctl lock execute } (h1 dom h2);
+
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error.  Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+
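Review bot: The only MCS constraint, `mlsconstrain file { read write setattr append unlink link rename create ioctl lock execute } (h1 dom h2);`, omits `relabelfrom` and `relabelto`, so a process whose categories do not dominate a file's can still — subject to TE rules alone — relabel that file to a range it does dominate and then read it; the header comment acknowledges that dirs and sockets are unconstrained, but the relabel gap on the file class itself is the larger one. Add `relabelfrom relabelto` to the permission list, or a separate `mlsconstrain file { relabelfrom relabelto } (h1 dom h2);`. The trailing `mlsconstrain xextension query ( t1 == mlsfileread );` workaround should carry a TODO naming the checkpolicy version that requires it so it can be removed later.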
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.4/net_contexts
--- nsapolicy/net_contexts	2005-08-11 06:57:10.000000000 -0400
+++ policy-1.25.4/net_contexts	2005-08-11 23:07:13.000000000 -0400
@@ -223,14 +223,6 @@
 #
 # interface netif_context default_msg_context
 #
-netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
-netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
-netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
-netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
-netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
-netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
-netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
-netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
 
 # Nodes (default = initial SID "node")
 #
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.4/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.4/tunables/distro.tun	2005-08-11 23:07:13.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.4/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-08-11 06:57:20.000000000 -0400
+++ policy-1.25.4/tunables/tunable.tun	2005-08-11 23:07:13.000000000 -0400
@@ -1,5 +1,5 @@
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
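Review bot: The un-commenting of `define(`unlimitedRPM')` makes rpm run unconfined in this distro build, and the comment above it describes only what the flag does, not why it is switched on here; the same goes for `define(`hide_broken_symptoms')` in the second hunk, which silences audit records and so also removes them from AVC-based troubleshooting. A one-line reason on each, e.g. `# Enabled for the distro build: <reason>` above the define, would let a later reader judge whether the relaxation is still needed.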
@@ -17,7 +17,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.25.4/types/file.te
--- nsapolicy/types/file.te	2005-08-11 06:57:20.000000000 -0400
+++ policy-1.25.4/types/file.te	2005-08-11 23:07:13.000000000 -0400
@@ -333,6 +333,7 @@
 
 # Type for anonymous FTP data, used by ftp and rsync
 type ftpd_anon_t, file_type, sysadmfile, customizable;
+type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
 
 allow customizable self:filesystem associate;
 
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.4/types/network.te
--- nsapolicy/types/network.te	2005-08-11 06:57:20.000000000 -0400
+++ policy-1.25.4/types/network.te	2005-08-11 23:07:13.000000000 -0400
@@ -74,15 +74,6 @@
 # interfaces in net_contexts or net_contexts.mls.
 #
 type netif_t, netif_type;
-type netif_eth0_t, netif_type;
-type netif_eth1_t, netif_type;
-type netif_eth2_t, netif_type;
-type netif_lo_t, netif_type;
-type netif_ippp0_t, netif_type;
-
-type netif_ipsec0_t, netif_type;
-type netif_ipsec1_t, netif_type;
-type netif_ipsec2_t, netif_type;
 
 #
 # node_t is the default type of network nodes.

* Latest diffs
@ 2005-07-19 21:12 Daniel J Walsh
  2005-07-19 22:16 ` Ivan Gyurdiev
  2005-07-20  0:05 ` Casey Schaufler
  0 siblings, 2 replies; 143+ messages in thread
From: Daniel J Walsh @ 2005-07-19 21:12 UTC (permalink / raw)
  To: Jim Carter, SELinux

[-- Attachment #1: Type: text/plain, Size: 1281 bytes --]

Allow fsadm_t to look at console_device
Dontaudit system_crond_t looking at removable_t.  We are removing access 
to removable_t devices from userspace for mls
policy to help get lspp approval.

Allow getty to run pppd


initrc needs to write to default_t while booting.

Change insmod to nscd_client_domain

Apm needs more access to proc_t

Lots of fixes for cvs domain.

Cyrus needs access to mail spool directory

Add disable booleans to evolution and thunderbird.  (Both are still a 
pain to run under strict policy.  OpenOffice launch is painfull)

Hal needs to run umount

Hotplug requires sys_rawio

Kudzu needs additional access

Mailer needs to getattr random devices

Network manager needs to communicate with userspace via dbus.
Also needs read access to dhcpc info

remove user_ping boolean from targeted policy (not used)

Lots of fixes for pppd and added pptp domain

Squid and windbind_helper need to communicate

udev needs sys_rawio, and to be able to write to sysfs_t

Additional rules to get vpnc to run under strict policy

Open office has some more texrel_shlib_t files

Add hugetlbfs and mqueue file systems

Many fixes for strict policy gnome, gnome_vfs, thunderbird, evolution

Add isakmp_port for vpnc

Remove user_can_mount tunable.















-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 38145 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.3/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.3/domains/program/crond.te	2005-07-19 15:41:44.000000000 -0400
@@ -201,7 +201,7 @@
 r_dir_file(system_crond_t, file_context_t)
 can_getsecurity(system_crond_t)
 }
-allow system_crond_t removable_t:filesystem getattr;
+dontaudit system_crond_t removable_t:filesystem getattr;
 #
 # Required for webalizer
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.3/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.3/domains/program/fsadm.te	2005-07-19 15:41:44.000000000 -0400
@@ -102,7 +102,7 @@
 allow fsadm_t kernel_t:system syslog_console;
 
 # Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file rw_file_perms;
+allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 allow fsadm_t privfd:fd use;
 allow fsadm_t devpts_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.25.3/domains/program/getty.te
--- nsapolicy/domains/program/getty.te	2005-07-12 08:50:42.000000000 -0400
+++ policy-1.25.3/domains/program/getty.te	2005-07-19 15:41:44.000000000 -0400
@@ -29,7 +29,7 @@
 read_locale(getty_t)
 
 # Run login in local_login_t domain.
-allow getty_t bin_t:dir search;
+allow getty_t { sbin_t bin_t }:dir search;
 domain_auto_trans(getty_t, login_exec_t, local_login_t)
 
 # Write to /var/run/utmp.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.3/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-07-19 10:57:05.000000000 -0400
+++ policy-1.25.3/domains/program/ifconfig.te	2005-07-19 15:41:44.000000000 -0400
@@ -36,6 +36,7 @@
 # Use capabilities.
 allow ifconfig_t self:capability net_admin;
 dontaudit ifconfig_t self:capability sys_module;
+allow ifconfig_t self:capability sys_tty_config;
 
 # Inherit and use descriptors from init.
 allow ifconfig_t { kernel_t init_t }:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.3/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.3/domains/program/initrc.te	2005-07-19 15:41:44.000000000 -0400
@@ -123,7 +123,7 @@
 allow initrc_t file_t:dir { read search getattr mounton };
 
 # during boot up initrc needs to do the following
-allow initrc_t default_t:dir { read search getattr mounton };
+allow initrc_t default_t:dir { write read search getattr mounton };
 
 # rhgb-console writes to ramfs
 allow initrc_t ramfs_t:fifo_file write;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.25.3/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.3/domains/program/modutil.te	2005-07-19 15:41:44.000000000 -0400
@@ -72,7 +72,7 @@
 # Rules for the insmod_t domain.
 #
 
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.3/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/domains/program/unused/apmd.te	2005-07-19 15:41:44.000000000 -0400
@@ -23,7 +23,7 @@
 allow apm_t device_t:dir search;
 allow apm_t self:capability { dac_override sys_admin };
 allow apm_t proc_t:dir search;
-allow apm_t proc_t:file { read getattr };
+allow apm_t proc_t:file r_file_perms;
 allow apm_t fs_t:filesystem getattr;
 allow apm_t apm_bios_t:chr_file rw_file_perms;
 role sysadm_r types apm_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.3/domains/program/unused/cvs.te
--- nsapolicy/domains/program/unused/cvs.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.25.3/domains/program/unused/cvs.te	2005-07-19 15:41:44.000000000 -0400
@@ -12,5 +12,15 @@
 #
 
 inetd_child_domain(cvs, tcp)
+typeattribute cvs_t privmail;
+typeattribute cvs_t auth_chkpwd;
+
 type cvs_data_t, file_type, sysadmfile;
 create_dir_file(cvs_t, cvs_data_t)
+can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
+allow cvs_t etc_runtime_t:file { getattr read };
+allow system_mail_t cvs_data_t:file { getattr read };
+dontaudit cvs_t devtty_t:chr_file { read write };
+allow cvs_t default_t:dir search;
+allow cvs_t default_t:lnk_file read;
+
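Review bot: The new `typeattribute cvs_t auth_chkpwd;` and `can_exec(cvs_t, { bin_t sbin_t shell_exec_t })` let an inetd-spawned network service check system passwords and run arbitrary binaries and shells in its own domain, and none of the added lines carry a comment. The cover letter says only "Lots of fixes for cvs domain", so the reason cannot be recovered from the patch; presumably pserver authentication and commit/loginfo hook scripts, but that should be written down. I'd put `# pserver password auth (auth_chkpwd) and commit/loginfo hook scripts — confirm` above the typeattribute lines, and `allow system_mail_t cvs_data_t:file { getattr read };` belongs next to the privmail attribute with a note on why the mailer reads repository data. The trailing blank line added at end of file can be dropped.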
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.25.3/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/domains/program/unused/cyrus.te	2005-07-19 15:41:44.000000000 -0400
@@ -40,4 +40,5 @@
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
 ')
 create_dir_file(cyrus_t, mail_spool_t)
+allow cyrus_t var_spool_t:dir search;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/evolution.te policy-1.25.3/domains/program/unused/evolution.te
--- nsapolicy/domains/program/unused/evolution.te	2005-07-05 15:25:46.000000000 -0400
+++ policy-1.25.3/domains/program/unused/evolution.te	2005-07-19 15:41:44.000000000 -0400
@@ -11,3 +11,4 @@
 type evolution_exchange_exec_t, file_type, exec_type, sysadmfile;
 
 # Everything else is in macros/evolution_macros.te
+bool disable_evolution_trans false;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.3/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/domains/program/unused/hald.te	2005-07-19 15:41:44.000000000 -0400
@@ -96,3 +96,7 @@
 allow unconfined_t hald_t:dbus send_msg;
 allow hald_t unconfined_t:dbus send_msg;
 ')
+ifdef(`mount.te', `
+domain_auto_trans(hald_t, mount_exec_t, mount_t)
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.25.3/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/domains/program/unused/hotplug.te	2005-07-19 15:41:44.000000000 -0400
@@ -128,7 +128,7 @@
 # Read /usr/lib/gconv/.*
 allow hotplug_t lib_t:file { getattr read };
 
-allow hotplug_t self:capability { net_admin sys_tty_config mknod };
+allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
 allow hotplug_t sysfs_t:dir { getattr read search write };
 allow hotplug_t sysfs_t:file rw_file_perms;
 allow hotplug_t sysfs_t:lnk_file { getattr read };
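Review bot: `sys_rawio` is added to hotplug_t's capability set without a comment saying which operation needs it; the cover letter says only "Hotplug requires sys_rawio". The same applies to the `sys_rawio` added for udev_t in udev.te and to `dac_override sys_rawio` added for `$1_cdrecord_t` in cdrecord_macros.te, where the domain is a per-user one. Because sys_rawio lets a process bypass the kernel's block-device protections, a justification such as `# sys_rawio: <which helper or ioctl needs it — confirm>` next to each rule is what makes a later policy audit possible. The new `netlink_kobject_uevent_socket` line in udev.te also carries trailing whitespace.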
@@ -159,3 +159,4 @@
 allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
 allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 
+dontaudit hotplug_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.25.3/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.3/domains/program/unused/kudzu.te	2005-07-19 15:41:44.000000000 -0400
@@ -20,7 +20,7 @@
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read };
+allow kudzu_t modules_conf_t:file { getattr read unlink };
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
 allow kudzu_t mouse_device_t:chr_file { read write };
@@ -38,7 +38,7 @@
 allow kudzu_t usbdevfs_t:file { getattr read };
 allow kudzu_t usbfs_t:dir search;
 allow kudzu_t usbfs_t:file { getattr read };
-allow kudzu_t var_t:dir search;
+var_run_domain(kudzu)
 allow kudzu_t kernel_t:system syslog_console;
 allow kudzu_t self:udp_socket { create ioctl };
 allow kudzu_t var_lock_t:dir search;
@@ -109,3 +109,4 @@
 
 allow kudzu_t initrc_t:unix_stream_socket connectto;
 allow kudzu_t net_conf_t:file { getattr read };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.25.3/domains/program/unused/lvm.te
--- nsapolicy/domains/program/unused/lvm.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.3/domains/program/unused/lvm.te	2005-07-19 15:41:44.000000000 -0400
@@ -97,7 +97,7 @@
 read_locale(lvm_t)
 
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
+dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };
 dontaudit lvm_t ttyfile:chr_file getattr;
 dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
 dontaudit lvm_t devpts_t:dir { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.25.3/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.3/domains/program/unused/mta.te	2005-07-19 15:41:44.000000000 -0400
@@ -71,4 +71,4 @@
 allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
 
 allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t { random_device_t urandom_device_t }:chr_file read;
+allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.25.3/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.3/domains/program/unused/NetworkManager.te	2005-07-19 15:41:44.000000000 -0400
@@ -62,6 +62,8 @@
 allow NetworkManager_t unconfined_t:dbus send_msg;
 allow unconfined_t NetworkManager_t:dbus send_msg;
 ')
+allow NetworkManager_t userdomain:dbus send_msg;
+allow userdomain NetworkManager_t:dbus send_msg;
 ')
 
 allow NetworkManager_t usr_t:file { getattr read };
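Review bot: The two new rules `allow NetworkManager_t userdomain:dbus send_msg;` and `allow userdomain NetworkManager_t:dbus send_msg;` are placed outside the inner ifdef that previously limited the D-Bus exchange to unconfined_t, so every user domain, unprivileged users included, may now exchange messages with NetworkManager; the cover letter says "needs to communicate with userspace via dbus" but not that all user domains are intended. If that is the intent, record it with something like `# all user domains may talk to NetworkManager on the system bus; method-level access is left to the dbus policy`; otherwise scope the rules to the domains that actually run the user-side client. The enclosing ifdef block starts outside the hunk.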
@@ -98,3 +100,9 @@
 domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
 ')
 
+ifdef(`dhcpc.te', `
+allow NetworkManager_t dhcp_state_t:dir search;
+allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
+')
+allow NetworkManager_t var_lib_t:dir search;
+dontaudit NetworkManager_t user_tty_type:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.25.3/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.3/domains/program/unused/pamconsole.te	2005-07-19 15:41:44.000000000 -0400
@@ -19,7 +19,7 @@
 allow pam_console_t self:capability { chown fowner fsetid };
 
 # Allow access to /dev/console through the fd:
-allow pam_console_t console_device_t:chr_file { read write };
+allow pam_console_t console_device_t:chr_file { read write setattr };
 allow pam_console_t { kernel_t init_t }:fd use;
 
 # for /var/run/console.lock checking
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.25.3/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.3/domains/program/unused/ping.te	2005-07-19 15:41:44.000000000 -0400
@@ -17,6 +17,7 @@
 in_user_role(ping_t)
 type ping_exec_t, file_type, sysadmfile, exec_type;
 
+ifdef(`targeted_policy', `', `
 bool user_ping false;
 
 if (user_ping) {
@@ -25,6 +26,7 @@
 	allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
 	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
 }
+')
 
 # Transition into this domain when you run this program.
 domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.25.3/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.3/domains/program/unused/postgresql.te	2005-07-19 15:41:44.000000000 -0400
@@ -67,6 +67,7 @@
 can_tcp_connect(userdomain, postgresql_t)
 allow userdomain postgresql_t:unix_stream_socket connectto;
 allow userdomain postgresql_var_run_t:sock_file write;
+allow userdomain postgresql_tmp_t:sock_file write;
 }
 ')
 ifdef(`consoletype.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.3/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2005-07-19 10:57:05.000000000 -0400
+++ policy-1.25.3/domains/program/unused/pppd.te	2005-07-19 15:41:44.000000000 -0400
@@ -32,9 +32,12 @@
 log_domain(pppd)
 
 # Use the network.
-can_network_server(pppd_t)
+can_network(pppd_t)
 can_ypbind(pppd_t)
 
+allow pppd_t fingerd_port_t:tcp_socket name_connect;
+
+
 # Use capabilities.
 allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
 lock_domain(pppd)
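Review bot: `allow pppd_t fingerd_port_t:tcp_socket name_connect;` has no comment and nothing in the cover letter explains why a PPP daemon connects to the finger port; together with the widening from `can_network_server` to `can_network` this gives pppd_t an outbound client role it did not have. If a specific plugin or ip-up script needs it, say which, e.g. `# <plugin/script> connects to fingerd_port_t — confirm`; if not, the rule should be dropped. The two blank lines added after it are unnecessary.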
@@ -52,6 +55,8 @@
 
 # allow running ip-up and ip-down scripts and running chat.
 can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
+can_exec(pppd_t, pppd_etc_rw_t)
+can_exec(pppd_t, hostname_exec_t)
 allow pppd_t { bin_t sbin_t }:dir search;
 allow pppd_t { sbin_t bin_t }:lnk_file read;
 
@@ -110,3 +115,25 @@
 domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
 ')
 }
+domain_auto_trans(pppd_t, named_exec_t, named_t)
+
+daemon_domain(pptp)
+can_network_client_tcp(pptp_t)
+allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
+can_exec(pptp_t, hostname_exec_t)
+domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+allow pptp_t devpts_t:chr_file ioctl;
+r_dir_file(pptp_t, pppd_etc_rw_t)
+r_dir_file(pptp_t, pppd_etc_t)
+allow pptp_t devpts_t:dir search;
+allow pppd_t devpts_t:chr_file ioctl;
+allow pppd_t pptp_t:process signal;
+allow pptp_t self:capability net_raw;
+allow pptp_t self:fifo_file { read write };
+allow pptp_t ptmx_t:chr_file rw_file_perms;
+log_domain(pptp)
+allow pptp_t pppd_log_t:file append;
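Review bot: The new pptp_t domain is appended after the closing `}` with no header comment, and `allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;` lets it connect to any TCP port, which is wider than a PPTP client's control connection needs. A dedicated port type for that connection (none is defined in this patch) would let the rule be scoped to it; if the peer port genuinely is not fixed, a comment saying so should accompany the rule. `domain_auto_trans(pppd_t, named_exec_t, named_t)` is likewise unexplained; `# ip-up scripts may restart the name server — confirm` or the real reason should be recorded. Other daemons in this tree get their own .te/.fc pair, so pptp living in pppd.te is a style departure worth a one-line `# pptp is only started by pppd, so it lives here` if intentional.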
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.25.3/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.3/domains/program/unused/rlogind.te	2005-07-19 15:41:44.000000000 -0400
@@ -35,3 +35,4 @@
 allow rlogind_t default_t:dir search;
 typealias rlogind_port_t alias rlogin_port_t;
 read_sysctl(rlogind_t);
+allow rlogind_t krb5_keytab_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.25.3/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/domains/program/unused/squid.te	2005-07-19 15:41:44.000000000 -0400
@@ -80,4 +80,5 @@
 r_dir_file(squid_t, cert_t)
 ifdef(`winbind.te', `
 domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/thunderbird.te policy-1.25.3/domains/program/unused/thunderbird.te
--- nsapolicy/domains/program/unused/thunderbird.te	2005-07-05 15:25:47.000000000 -0400
+++ policy-1.25.3/domains/program/unused/thunderbird.te	2005-07-19 15:41:44.000000000 -0400
@@ -7,3 +7,4 @@
 type thunderbird_exec_t, file_type, exec_type, sysadmfile;
 
 # Everything else is in macros/thunderbird_macros.te
+bool disable_thunderbird_trans false;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.3/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.3/domains/program/unused/udev.te	2005-07-19 15:41:44.000000000 -0400
@@ -28,11 +28,12 @@
 type udev_tdb_t, file_type, sysadmfile, dev_fs;
 typealias udev_tdb_t alias udev_tbl_t;
 file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio };
 allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
+allow udev_t self:netlink_kobject_uevent_socket { create bind read }; 
 allow udev_t device_t:file { unlink rw_file_perms };
 allow udev_t device_t:sock_file create_file_perms;
 allow udev_t device_t:lnk_file create_lnk_perms;
@@ -53,7 +54,7 @@
 allow udev_t bin_t:lnk_file read;
 can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
 can_exec(udev_t, udev_exec_t)
-r_dir_file(udev_t, sysfs_t)
+rw_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 
 # to read the file_contexts file
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.25.3/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.25.3/domains/program/unused/vpnc.te	2005-07-19 15:41:44.000000000 -0400
@@ -10,13 +10,15 @@
 # vpnc_t is the domain for the vpnc program.
 # vpnc_exec_t is the type of the vpnc executable.
 #
-daemon_domain(vpnc)
+daemon_domain(vpnc, `, sysctl_net_writer')
 
 allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
 
 # Use the network.
 can_network(vpnc_t)
 allow vpnc_t port_type:tcp_socket name_connect;
+allow vpnc_t isakmp_port_t:udp_socket name_bind;
+
 can_ypbind(vpnc_t)
 allow vpnc_t self:socket create_socket_perms;
 
@@ -29,14 +31,23 @@
 allow vpnc_t self:rawip_socket create_socket_perms;
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t admin_tty_type:chr_file rw_file_perms;
+allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
 allow vpnc_t port_t:udp_socket name_bind;
 allow vpnc_t etc_runtime_t:file { getattr read };
 allow vpnc_t proc_t:file { getattr read };
 dontaudit vpnc_t selinux_config_t:dir search;
 can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
 allow vpnc_t sysctl_net_t:dir search;
+allow vpnc_t sysctl_net_t:file write;
 allow vpnc_t sbin_t:dir search;
 allow vpnc_t bin_t:dir search;
 allow vpnc_t bin_t:lnk_file read;
 r_dir_file(vpnc_t, proc_net_t)
+tmp_domain(vpnc)
+allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:file { getattr read };
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
+allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
+allow vpnc_t user_home_dir_t:dir search;
+allow vpnc_t user_home_t:dir search;
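Review bot: `allow vpnc_t etc_t:file { execute execute_no_trans ioctl };` lets vpnc run any etc_t file in its own domain, yet vpnc.fc in this same patch labels /etc/vpnc/vpnc-script as bin_t, which the existing `can_exec(vpnc_t, {bin_t ...})` line already covers; one of the two is redundant and the etc_t grant is the broader one. If the etc_t rule exists only for hosts whose script has not been relabelled, say so in a comment, otherwise drop it. `allow vpnc_t sysctl_net_t:file write;` also looks like it overlaps the `sysctl_net_writer` attribute added in the first hunk, so it is worth confirming one is not subsumed by the other. The `user_home_dir_t`/`user_home_t` search rules have no comment; a line stating what vpnc looks for under a user's home would help.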
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.3/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-07-19 10:57:05.000000000 -0400
+++ policy-1.25.3/domains/program/unused/winbind.te	2005-07-19 15:41:44.000000000 -0400
@@ -37,6 +37,7 @@
 allow initrc_t winbind_var_run_t:file r_file_perms;
 
 application_domain(winbind_helper, `, nscd_client_domain')
+role system_r types winbind_helper_t;
 access_terminal(winbind_helper_t, sysadm)
 read_locale(winbind_helper_t) 
 r_dir_file(winbind_helper_t, samba_etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.25.3/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.3/file_contexts/distros.fc	2005-07-19 15:41:44.000000000 -0400
@@ -84,15 +84,21 @@
 /usr/lib/libSDL-.*\.so.*			-- system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libfglrx_gamma\.so.* 		--  system_u:object_r:texrel_shlib_t
 /usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t
 /usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t
 /usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t
 /usr/lib/valgrind/vg.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program(/.*)?			system_u:object_r:bin_t
+/usr/lib/.*/program/.*\.so.*			system_u:object_r:shlib_t
 /usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t
 /usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
 /usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
 /usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
 /usr/lib/.*/program/libswd680li\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/librecentfile\.so 	--  system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsvx680li\.so	--  system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so  	--  system_u:object_r:texrel_shlib_t
 
 # Fedora Extras packages: ladspa, imlib2, ocaml
 /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
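Review bot: The new OpenOffice entries mix path prefixes: `/usr/lib/.*/program(/.*)?` and `/usr/lib/.*/program/.*\.so.*` match only /usr/lib, while the three new texrel entries use `/usr/lib(64)?/`, so on a 64-bit layout the named .so files get texrel_shlib_t but the rest of the program directory falls outside the bin_t/shlib_t catch-alls. Writing them as `/usr/lib(64)?/.*/program(/.*)?` and `/usr/lib(64)?/.*/program/.*\.so.*` would make the set consistent, and the pre-existing /usr/lib entries for the same directory could be widened the same way. The added lines also carry a stray space before the tabs and two spaces before the context, unlike the surrounding entries.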
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.25.3/file_contexts/program/pppd.fc
--- nsapolicy/file_contexts/program/pppd.fc	2005-06-01 06:11:22.000000000 -0400
+++ policy-1.25.3/file_contexts/program/pppd.fc	2005-07-19 15:41:44.000000000 -0400
@@ -1,5 +1,6 @@
 # pppd
 /usr/sbin/pppd		--	system_u:object_r:pppd_exec_t
+/usr/sbin/pptp 		--	system_u:object_r:pptp_exec_t
 /usr/sbin/ipppd		--	system_u:object_r:pppd_exec_t
 /dev/ppp		-c	system_u:object_r:ppp_device_t
 /dev/pppox.*		-c	system_u:object_r:ppp_device_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/vpnc.fc policy-1.25.3/file_contexts/program/vpnc.fc
--- nsapolicy/file_contexts/program/vpnc.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.3/file_contexts/program/vpnc.fc	2005-07-19 15:41:44.000000000 -0400
@@ -1,3 +1,4 @@
 # vpnc
 /usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
 /sbin/vpnc		--	system_u:object_r:vpnc_exec_t
+/etc/vpnc/vpnc-script	--	system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.25.3/genfs_contexts
--- nsapolicy/genfs_contexts	2005-05-07 00:41:08.000000000 -0400
+++ policy-1.25.3/genfs_contexts	2005-07-19 15:41:44.000000000 -0400
@@ -92,6 +92,9 @@
 genfscon afs /				system_u:object_r:nfs_t
 
 genfscon debugfs /			system_u:object_r:debugfs_t
+genfscon inotifyfs /			system_u:object_r:inotifyfs_t
+genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t
+genfscon mqueue /			system_u:object_r:mqueue_t
 
 # needs more work
 genfscon eventpollfs / system_u:object_r:eventpollfs_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.25.3/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.3/macros/admin_macros.te	2005-07-19 15:41:44.000000000 -0400
@@ -32,6 +32,7 @@
 
 # Inherit rules for ordinary users.
 base_user_domain($1)
+access_removable_media($1_t)
 
 allow $1_t self:capability setuid;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.25.3/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/macros/base_user_macros.te	2005-07-19 15:41:44.000000000 -0400
@@ -101,18 +101,6 @@
 r_dir_file($1_t, default_context_t)
 r_dir_file($1_t, file_context_t)
 
-can_exec($1_t, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1_t, noexattrfile)
-create_dir_file($1_t, removable_t)
-# Write floppies 
-allow $1_t removable_device_t:blk_file rw_file_perms;
-allow $1_t usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1_t, noexattrfile)
-r_dir_file($1_t, removable_t)
-allow $1_t removable_device_t:blk_file r_file_perms;
-}
 allow $1_t usbtty_device_t:chr_file read;
 
 # GNOME checks for usb and other devices
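Review bot: The removable-media block is deleted from base_user_domain unconditionally, but the cover letter says the removal is for the MLS policy, and content_macros.te in this same patch keeps `r_dir_file($1, removable_t)` for non-MLS builds under `ifdef(`mls_policy', ...)`; unless the access is restored elsewhere, non-MLS unprivileged users lose read/execute/write on removable_t and the `user_rw_noexattrfile` boolean stops having any effect for them. Calling the new macro under the same guard in place of the deleted block, `ifdef(`mls_policy', `', `access_removable_media($1_t)')`, would match content_macros.te and keep the non-MLS behaviour. base_user_domain starts and ends outside the hunk.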
@@ -342,7 +330,6 @@
 
 # Get attributes of file systems.
 allow $1_t fs_type:filesystem getattr;
-allow $1_t removable_t:filesystem getattr;
 
 # Read and write /dev/tty and /dev/null.
 allow $1_t devtty_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/content_macros.te policy-1.25.3/macros/content_macros.te
--- nsapolicy/macros/content_macros.te	2005-07-05 15:25:48.000000000 -0400
+++ policy-1.25.3/macros/content_macros.te	2005-07-19 15:41:44.000000000 -0400
@@ -55,7 +55,10 @@
 ifelse($3, `', `', 
 `if ($3_read_content) {')
 allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { removable_t $2_tmp_t $2_home_t } )
+r_dir_file($1, { $2_tmp_t $2_home_t } )
+ifdef(`mls_policy', `', `
+r_dir_file($1, removable_t)
+')
 
 ifelse($3, `', `', 
 `} else {
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.3/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/macros/global_macros.te	2005-07-19 15:41:44.000000000 -0400
@@ -708,3 +708,22 @@
 ')
 
 ')dnl end unconfined_domain
+
+
+define(`access_removable_media', `
+
+can_exec($1, { removable_t noexattrfile } )
+if (user_rw_noexattrfile) {
+create_dir_file($1, noexattrfile)
+create_dir_file($1, removable_t)
+# Write floppies 
+allow $1 removable_device_t:blk_file rw_file_perms;
+allow $1 usbtty_device_t:chr_file write;
+} else {
+r_dir_file($1, noexattrfile)
+r_dir_file($1, removable_t)
+allow $1 removable_device_t:blk_file r_file_perms;
+}
+allow $1 removable_t:filesystem getattr;
+
+')
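Review bot: The new `access_removable_media` macro has no header comment and no `')dnl end access_removable_media` trailer, unlike the `')dnl end unconfined_domain` just above it. It also takes a full type (`$1` is used bare and admin_macros.te passes `$1_t`) where the neighbouring macros take a prefix, which is fine but worth stating. I'd add `# access_removable_media(domain): read/execute removable_t and noexattrfile, read-write when user_rw_noexattrfile is set` above the define.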
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.25.3/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te	2005-05-02 14:06:57.000000000 -0400
+++ policy-1.25.3/macros/program/cdrecord_macros.te	2005-07-19 15:43:50.000000000 -0400
@@ -47,8 +47,11 @@
 allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
 allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
 
-allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid };
+allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
 allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-
+allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+allow $1_cdrecord_t $1_home_t:dir search;
+allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
+allow $1_cdrecord_t $1_home_t:file r_file_perms;
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.3/macros/program/evolution_macros.te
--- nsapolicy/macros/program/evolution_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/macros/program/evolution_macros.te	2005-07-19 15:43:41.000000000 -0400
@@ -37,7 +37,9 @@
 type $1_evolution_server_t, domain, nscd_client_domain;
 
 # Transition from user type
+if (! disable_evolution_trans) {
 domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t)
+}
 role $1_r types $1_evolution_server_t;
 
 # Evolution common stuff
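Review bot: `if (! disable_evolution_trans)` tests a boolean that is not declared in this hunk; unless `bool disable_evolution_trans false;` is added elsewhere in the patch, the policy will not compile, and the same applies to `disable_thunderbird_trans` in the thunderbird_macros.te hunk below. Because this macro is instantiated once per user type, the declaration has to live outside the macro. A comment on the conditional would also help, e.g. `# when the boolean is on, evolution stays in the caller's domain $1_t instead of transitioning`.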
@@ -168,12 +170,9 @@
 domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
 role $1_r types $1_evolution_t;
 
-# X, mail, evolution, Dbus common stuff 
+# X, mail, evolution common stuff 
 x_client_domain($1_evolution, $1)
 mail_client_domain($1_evolution, $1)
-dbusd_client(system, $1_evolution)
-dbusd_client($1, $1_evolution)
-allow $1_evolution_t $1_dbusd_t:dbus send_msg;
 gnome_file_dialog($1_evolution, $1)
 evolution_common($1_evolution, $1)
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gconf_macros.te policy-1.25.3/macros/program/gconf_macros.te
--- nsapolicy/macros/program/gconf_macros.te	2005-07-05 15:25:49.000000000 -0400
+++ policy-1.25.3/macros/program/gconf_macros.te	2005-07-19 15:41:44.000000000 -0400
@@ -33,6 +33,7 @@
 
 ifdef(`xdm.te', `
 can_pipe_xdm($1_gconfd_t)
+allow xdm_t $1_gconfd_t:process signal;
 ')
 
 ') dnl gconf_domain
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gnome_vfs_macros.te policy-1.25.3/macros/program/gnome_vfs_macros.te
--- nsapolicy/macros/program/gnome_vfs_macros.te	2005-07-05 15:25:49.000000000 -0400
+++ policy-1.25.3/macros/program/gnome_vfs_macros.te	2005-07-19 15:43:32.000000000 -0400
@@ -16,6 +16,11 @@
 # GNOME, dbus
 gnome_application($1_gnome_vfs, $1)
 dbusd_client(system, $1_gnome_vfs)
+allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
+ifdef(`hald.te', `
+allow $1_gnome_vfs_t hald_t:dbus send_msg;
+allow hald_t $1_gnome_vfs_t:dbus send_msg;
+')
 
 # Transition from user type
 domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
@@ -34,6 +39,7 @@
 
 # Search libexec (??)
 allow $1_gnome_vfs_t bin_t:dir search;
+can_exec($1_gnome_vfs_t, bin_t)
 
 ') dnl gnome_vfs_domain
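Review bot: The `# Search libexec (??)` comment now sits above `can_exec($1_gnome_vfs_t, bin_t)`, which grants execute on everything labeled bin_t rather than a directory search, so the comment no longer describes the rules under it. Update it to something like `# Search bin_t and execute helper binaries from it`, and drop the `(??)` if the need is now understood. The enclosing macro starts above the hunk.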
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.3/macros/program/mail_client_macros.te
--- nsapolicy/macros/program/mail_client_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/macros/program/mail_client_macros.te	2005-07-19 15:42:58.000000000 -0400
@@ -11,7 +11,9 @@
 define(`mail_client_domain', `
 
 # Allow netstat
-allow $1_t bin_t:dir search;
+# Startup shellscripts
+allow $1_t bin_t:dir r_dir_perms;
+allow $1_t bin_t:lnk_file r_file_perms;
 can_exec($1_t, bin_t)
 r_dir_file($1_t, proc_net_t)
 allow $1_t sysctl_net_t:dir search;
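Review bot: The hunk leaves `# Allow netstat` and `# Startup shellscripts` stacked above one rule group, so a reader cannot tell which rules each comment refers to. Merge them into one line that matches the rules that follow, e.g. `# Allow netstat and startup shell scripts: read/execute bin_t, read proc_net_t`, or move `# Allow netstat` down to the `r_dir_file($1_t, proc_net_t)` line. The second hunk of this file puts the dbus rules under `ifdef(`dbusd.te')`, which is consistent with the cups guard nested inside it.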
@@ -50,5 +52,12 @@
 can_exec($1_t, shell_exec_t)
 domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
 ') 
-
+ifdef(`dbusd.te', `
+dbusd_client(system, $1)
+dbusd_client($2, $1)
+allow $1_t $2_dbusd_t:dbus send_msg;
+ifdef(`cups.te', `
+allow cupsd_t $1_t:dbus send_msg;
+') 
+') 
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.3/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/macros/program/mozilla_macros.te	2005-07-19 15:43:10.000000000 -0400
@@ -130,8 +130,12 @@
 domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
 ') dnl if evolution.te
 
+ifdef(`thunderbird.te', `
+domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
+') dnl if evolution.te
+
 if (allow_execmem) {
-allow $1_mozilla_t self:process execmem;
+allow $1_mozilla_t self:process { execmem execstack };
 }
 allow $1_mozilla_t texrel_shlib_t:file execmod;
 
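Review bot: The closing `') dnl if evolution.te` after the new thunderbird block is a copy of the evolution block's trailer and should read `') dnl if thunderbird.te`. Separately, `allow_execmem` now also grants `execstack`; if the boolean's description (not in this hunk) only mentions executable memory, it should say that enabling it also permits an executable stack for `$1_mozilla_t`. The enclosing macro starts above the hunk.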
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.25.3/macros/program/thunderbird_macros.te
--- nsapolicy/macros/program/thunderbird_macros.te	2005-07-05 15:25:49.000000000 -0400
+++ policy-1.25.3/macros/program/thunderbird_macros.te	2005-07-19 15:42:51.000000000 -0400
@@ -18,15 +18,11 @@
 type $1_thunderbird_t, domain, nscd_client_domain;
 
 # Transition from user type
+if (! disable_thunderbird_trans) {
 domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
+}
 role $1_r types $1_thunderbird_t;
 
-# Startup shellscripts
-allow $1_thunderbird_t bin_t:dir r_dir_perms;
-allow $1_thunderbird_t bin_t:lnk_file r_file_perms;
-can_exec($1_thunderbird_t, bin_t)
-can_exec($1_thunderbird_t, shell_exec_t)
-
 # FIXME: Why does it try to do that?
 dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
 
@@ -42,10 +38,13 @@
 x_client_domain($1_thunderbird, $1)
 mail_client_domain($1_thunderbird, $1)
 
+allow $1_thunderbird_t fs_t:filesystem getattr;
+
 # GNOME support
 ifdef(`gnome.te', `
 gnome_application($1_thunderbird, $1)
 gnome_file_dialog($1_thunderbird, $1)
+allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
 ')
 
 # Access ~/.thunderbird
@@ -54,4 +53,7 @@
 # RSS feeds
 can_network_client_tcp($1_thunderbird_t, http_port_t) 
 allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
+
+allow $1_thunderbird_t self:process { execheap execmem execstack };
+
 ')
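Review bot: `allow $1_thunderbird_t self:process { execheap execmem execstack };` is unconditional, whereas the mozilla_macros.te hunk above gates `execmem execstack` on the `allow_execmem` boolean; the two Mozilla-based domains should use the same gate, e.g. `if (allow_execmem) { allow $1_thunderbird_t self:process { execheap execmem execstack }; }`. If thunderbird cannot run without these, a comment saying so, and why `execheap` is needed when mozilla does not get it, belongs next to the rule. The enclosing macro starts above the hunk.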
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.25.3/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.3/macros/user_macros.te	2005-07-19 15:41:44.000000000 -0400
@@ -102,6 +102,9 @@
 ')
 
 base_user_domain($1)
+ifdef(`mls_policy', `', `
+access_removable_media($1_t)
+')
 
 # do not allow privhome access to sysadm_home_dir_t
 file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
@@ -304,21 +307,6 @@
 dontaudit $1_t init_t:fd use;
 dontaudit $1_t initrc_t:fd use;
 allow $1_t initrc_t:fifo_file write;
-ifdef(`user_can_mount', `
-#
-#  Allow users to mount file systems like floppies and cdrom
-#
-mount_domain($1, $1_mount, `, fs_domain')
-r_dir_file($1_t, mnt_t)
-allow $1_mount_t device_t:lnk_file read;
-allow $1_mount_t removable_device_t:blk_file read;
-allow $1_mount_t iso9660_t:filesystem relabelfrom;
-allow $1_mount_t removable_t:filesystem { mount relabelto };
-allow $1_mount_t removable_t:dir mounton;
-ifdef(`xdm.te', `
-can_pipe_xdm($1_mount_t)
-')
-')
 
 #
 # Rules used to associate a homedir as a mountpoint
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.3/net_contexts
--- nsapolicy/net_contexts	2005-07-12 08:50:42.000000000 -0400
+++ policy-1.25.3/net_contexts	2005-07-19 15:41:44.000000000 -0400
@@ -45,6 +45,7 @@
 portcon tcp 465 system_u:object_r:smtp_port_t
 portcon tcp 587 system_u:object_r:smtp_port_t
 
+portcon udp 500 system_u:object_r:isakmp_port_t
 portcon udp 53 system_u:object_r:dns_port_t
 portcon tcp 53 system_u:object_r:dns_port_t
 
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.25.3/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te	2005-06-29 16:36:19.000000000 -0400
+++ policy-1.25.3/targeted/domains/program/crond.te	2005-07-19 15:41:44.000000000 -0400
@@ -11,7 +11,7 @@
 # This domain is defined just for targeted policy.
 #
 type crond_exec_t, file_type, sysadmfile, exec_type;
-type crond_t, domain, privuser, privrole, privowner;
+type crond_t, domain, privuser, privrole, privfd, privowner;
 typealias crond_t alias system_crond_t;
 type anacron_exec_t, file_type, sysadmfile, exec_type;
 type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
@@ -20,11 +20,14 @@
 role system_r types crond_t;
 domain_auto_trans(initrc_t, crond_exec_t, crond_t)
 domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
-unconfined_domain(crond_t)
 # Access log files
 file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
 file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
+var_run_domain(crond)
+
+ifdef(`targeted_policy', `
+unconfined_domain(crond_t)
 allow crond_t initrc_t:dbus send_msg;
 allow crond_t unconfined_t:dbus send_msg;
 allow crond_t unconfined_t:process transition;
-var_run_domain(crond)
+')
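Review bot: The `ifdef(`targeted_policy', ...)` guard around `unconfined_domain(crond_t)` looks redundant: the file lives under `targeted/domains/program/` and its own header in the first hunk says `# This domain is defined just for targeted policy.`, so the guard excludes nothing unless the file is also pulled into other builds. If it is, a comment stating that would help; if not, the rules could stay unguarded as before. The first hunk also adds `privfd` to `crond_t` without noting which child domains need to inherit its descriptors.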
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.3/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.3/tunables/distro.tun	2005-07-19 15:41:44.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.3/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
+++ policy-1.25.3/tunables/tunable.tun	2005-07-19 15:41:44.000000000 -0400
@@ -1,8 +1,5 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
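Review bot: Turning on `unlimitedRPM` here, `hide_broken_symptoms` in the next hunk and `distro_redhat` in the distro.tun hunk above reads like the submitter's local build configuration rather than an upstream change, and the same three edits reappear in the tunable.tun and distro.tun hunks of the later message on this page. Per the surrounding comments, `unlimitedRPM` lets rpm run unconfined and `hide_broken_symptoms` suppresses audit messages, so if the flips are intentional they deserve a line in the change description; otherwise they should be dropped from the patch.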
@@ -20,7 +17,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.25.3/types/file.te
--- nsapolicy/types/file.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.3/types/file.te	2005-07-19 15:41:44.000000000 -0400
@@ -304,6 +304,12 @@
 type dosfs_t, fs_type, noexattrfile, sysadmfile;
 allow dosfs_t self:filesystem associate;
 
+type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
+allow hugetlbfs_t self:filesystem associate;
+
+type mqueue_t, mount_point, fs_type,  sysadmfile;
+allow mqueue_t self:filesystem associate;
+
 # udev_runtime_t is the type of the udev table file
 type udev_runtime_t, file_type, sysadmfile;
 
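Review bot: Both new type declarations carry a double space in `fs_type,  sysadmfile`, unlike the surrounding lines, and neither `hugetlbfs_t` nor `mqueue_t` gets the one-line explanatory comment that `udev_runtime_t` and `removable_t` have in this file. The next hunk declares `inotifyfs_t` without `mount_point` while these two have it; if that difference is deliberate a comment would prevent someone "fixing" it.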
@@ -316,6 +322,9 @@
 type debugfs_t, fs_type, sysadmfile;
 allow debugfs_t self:filesystem associate;
 
+type inotifyfs_t, fs_type, sysadmfile;
+allow inotifyfs_t self:filesystem associate;
+
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
 allow removable_t self:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.3/types/network.te
--- nsapolicy/types/network.te	2005-07-12 08:50:44.000000000 -0400
+++ policy-1.25.3/types/network.te	2005-07-19 15:41:44.000000000 -0400
@@ -22,6 +22,7 @@
 type http_port_t, port_type, reserved_port_type;
 type ipp_port_t, port_type, reserved_port_type;
 type gopher_port_t, port_type, reserved_port_type;
+type isakmp_port_t, port_type, reserved_port_type;
 
 allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
 type pop_port_t, port_type, reserved_port_type;

* Latest Diffs
@ 2005-07-12 20:24 Daniel J Walsh
From: Daniel J Walsh @ 2005-07-12 20:24 UTC (permalink / raw)
  To: SELinux, Jim Carter

[-- Attachment #1: Type: text/plain, Size: 447 bytes --]

Added auth_bool attribute to allow domains read access to shadow_t if a 
boolean is set.
saslauthd needs such a boolean.

Allow pppd to insmod kernel modules for modems.

radvd fixes.

Allow nfs to export noexattrfile types.


Fixes for winbind to read/write /tmp files

Change apachectl to initrc_exec_t to properly start apache domain.

iiimd.bin name change

unix_chpwd needs access to cert files and random devices to use encryption




-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 8780 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.25.2/assert.te
--- nsapolicy/assert.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.2/assert.te	2005-07-12 16:12:07.000000000 -0400
@@ -41,7 +41,7 @@
 
 #
 # Verify that only appropriate domains can access /etc/shadow
-neverallow { domain -auth -auth_write -unrestricted } shadow_t:file ~getattr;
+neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
 neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.25.2/attrib.te
--- nsapolicy/attrib.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.2/attrib.te	2005-07-12 16:12:07.000000000 -0400
@@ -141,6 +141,10 @@
 # to read /etc/shadow, and grants the permission.
 attribute auth;
 
+# The auth_bool attribute identifies every domain that can 
+# read /etc/shadow if its boolean is set;
+attribute auth_bool;
+
 # The auth_write attribute identifies every domain that can have write or
 # relabel access to /etc/shadow, but does not grant it.
 attribute auth_write;
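Review bot: The new comment ends with a stray `;` and its first line has trailing whitespace; it should read `# read /etc/shadow if its boolean is set.`. The `auth` comment just above notes that the attribute "grants the permission"; it would help to say the opposite explicitly for `auth_bool`, i.e. that it only marks the domain and the conditional allow in each domain's .te file does the granting.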
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.2/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-05-07 00:41:08.000000000 -0400
+++ policy-1.25.2/domains/program/ifconfig.te	2005-07-12 16:12:07.000000000 -0400
@@ -26,6 +26,7 @@
 ')
 
 # for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 allow ifconfig_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.2/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/domains/program/unused/pppd.te	2005-07-12 16:12:07.000000000 -0400
@@ -102,3 +102,11 @@
 allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
 allow pppd_t initrc_var_run_t:file r_file_perms;
 dontaudit pppd_t initrc_var_run_t:file { lock write };
+
+# pppd needs to load kernel modules for certain modems
+bool pppd_can_insmod false;
+if (pppd_can_insmod) {
+ifdef(`modutil.te', `
+domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
+')
+}
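Review bot: When `modutil.te` is not part of the build the `if (pppd_can_insmod) { }` block becomes empty after m4 expansion; confirm checkpolicy accepts an empty conditional block, otherwise the `ifdef` should wrap the whole `bool`/`if` pair rather than sit inside it. The existing comment explains the purpose, but a note that the boolean lets a network-facing daemon reach insmod_t and is therefore off by default would help administrators.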
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.25.2/domains/program/unused/radvd.te
--- nsapolicy/domains/program/unused/radvd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/domains/program/unused/radvd.te	2005-07-12 16:12:07.000000000 -0400
@@ -15,15 +15,15 @@
 
 allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
 
-allow radvd_t self:capability { net_raw setgid };
+allow radvd_t self:capability { setgid setuid net_raw setgid };
 allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
 allow radvd_t self:unix_stream_socket create_socket_perms;
 
 can_network_server(radvd_t)
 can_ypbind(radvd_t)
 
-allow radvd_t proc_t:dir r_dir_perms;
-allow radvd_t proc_t:file { getattr read };
+allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
+allow radvd_t { proc_t proc_net_t }:file { getattr read };
 allow radvd_t etc_t:lnk_file read;
 
 allow radvd_t sysctl_net_t:file r_file_perms;
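Review bot: `{ setgid setuid net_raw setgid }` lists `setgid` twice; the line should read `allow radvd_t self:capability { setgid setuid net_raw };`. The newly added `setuid` has no comment; a short note on why radvd needs it (e.g. dropping privileges after start, if that is the case) would let a reviewer check the capability set later.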
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.25.2/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/domains/program/unused/rpcd.te	2005-07-12 16:12:07.000000000 -0400
@@ -93,7 +93,8 @@
 bool nfs_export_all_rw false;
 
 if(nfs_export_all_rw) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t, noexattrfile)
 create_dir_file(kernel_t,{ file_type -shadow_t })
 }
 
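Review bot: In the `nfs_export_all_rw` block `kernel_t` only gets `r_dir_file(kernel_t, noexattrfile)` while `file_type` keeps `create_dir_file`, so noexattrfile filesystems are exported read-only from a boolean whose name promises read-write; the `nfs_export_all_ro` hunk below folds noexattrfile into the same set, so the asymmetry looks unintentional. If it is deliberate, a comment such as `# noexattrfile exports are read-only even under all_rw` should say so; otherwise use `create_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })` here.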
@@ -102,8 +103,8 @@
 bool nfs_export_all_ro false;
 
 if(nfs_export_all_ro) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ file_type -shadow_t })
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
 }
 
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.2/domains/program/unused/saslauthd.te
--- nsapolicy/domains/program/unused/saslauthd.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.2/domains/program/unused/saslauthd.te	2005-07-12 16:12:07.000000000 -0400
@@ -3,7 +3,7 @@
 # Author: Colin Walters <walters@verbum.org>
 #
 
-daemon_domain(saslauthd, `, auth_chkpwd')
+daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
 
 allow saslauthd_t self:fifo_file { read write };
 allow saslauthd_t self:unix_dgram_socket create_socket_perms;
@@ -21,3 +21,11 @@
 
 # Needs investigation
 dontaudit saslauthd_t home_root_t:dir getattr;
+can_network_client_tcp(saslauthd_t)
+allow saslauthd_t pop_port_t:tcp_socket name_connect;
+
+bool allow_saslauthd_read_shadow false;
+
+if (allow_saslauthd_read_shadow) {
+allow saslauthd_t shadow_t:file r_file_perms;
+}
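Review bot: The new `allow_saslauthd_read_shadow` boolean has no comment describing what it enables or why it defaults to off, unlike `pppd_can_insmod` elsewhere in this message; e.g. `# Allow saslauthd to read /etc/shadow directly; off by default because it exposes password hashes to the daemon`. The unconditional `can_network_client_tcp(saslauthd_t)` and `pop_port_t:tcp_socket name_connect` are a separate new privilege not mentioned in the description and deserve their own comment naming the authentication backend that needs them.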
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.2/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/domains/program/unused/winbind.te	2005-07-12 16:12:07.000000000 -0400
@@ -10,6 +10,7 @@
 
 daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
 log_domain(winbind)
+tmp_domain(winbind)
 allow winbind_t etc_t:file r_file_perms;
 allow winbind_t etc_t:lnk_file read;
 can_network(winbind_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.25.2/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.2/file_contexts/program/apache.fc	2005-07-12 16:12:07.000000000 -0400
@@ -50,3 +50,5 @@
 ifdef(`targeted_policy', `', `
 /var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t
 ')
+/usr/sbin/apachectl		-- 	system_u:object_r:initrc_exec_t
+
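Review bot: The new `/usr/sbin/apachectl` entry adds an empty line at end of file and sits after the `targeted_policy` block without a comment; relabeling apachectl as `initrc_exec_t` means every domain allowed to transition on initrc_exec_t now enters initrc_t through it, which is broader than the description's "properly start apache domain" suggests. Add `# apachectl acts as an init script wrapper: run it in initrc_t so httpd transitions correctly` and drop the trailing blank line.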
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.25.2/file_contexts/program/i18n_input.fc
--- nsapolicy/file_contexts/program/i18n_input.fc	2005-05-02 14:06:56.000000000 -0400
+++ policy-1.25.2/file_contexts/program/i18n_input.fc	2005-07-12 16:12:07.000000000 -0400
@@ -1,7 +1,7 @@
 # i18n_input.fc
 /usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t
 /usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimd		        --     system_u:object_r:i18n_input_exec_t
+/usr/bin/iiimd\.bin	        --     system_u:object_r:i18n_input_exec_t
 /usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
 /usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
 /usr/bin/iiimx                  --     system_u:object_r:i18n_input_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.2/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/macros/program/chkpwd_macros.te	2005-07-12 16:12:07.000000000 -0400
@@ -42,6 +42,9 @@
 ifdef(`winbind.te', `
 r_dir_file(auth_chkpwd, winbind_var_run_t)
 ')
+r_dir_file(auth_chkpwd, cert_t)
+r_dir_file($1_chkpwd_t, cert_t)
+allow $1_chkpwd_t { random_device_t urandom_device_t }:chr_file { getattr read };
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.2/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.2/tunables/distro.tun	2005-07-12 16:12:07.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.2/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
+++ policy-1.25.2/tunables/tunable.tun	2005-07-12 16:12:07.000000000 -0400
@@ -2,7 +2,7 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
@@ -20,7 +20,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.

* Latest diffs
@ 2005-07-08  1:11 Daniel J Walsh
From: Daniel J Walsh @ 2005-07-08  1:11 UTC (permalink / raw)
  To: SELinux, Jim Carter

[-- Attachment #1: Type: text/plain, Size: 1130 bytes --]

Add boolean to allow sysadm_t to ptrace and debug apps.

Allow getty to start up pppd connections

Change to allow auth_chkpwd the audit_control capability

Stop transitioning from unconfined_t to netutils for target

fixes to make passwd and associated utilities work in targeted policy

Since Russell eliminate catman_t context, tmpreaper needs to handle man_t

Allow httpd to communicate with ldap.

Add additional capabilities to apm and apmd.

Allow apmd to execute hwclock.

Cups needs to audit messages

Fixes for hplip and cupsd_lpd_t

Allow cyrus to bind to pop and mail ports.

Allow dovecot access to cert_t files

hald needs better access to usbfs

Hotplug needs sigpgid and to read netlink_route_sockets.

Additional fixes for pppd.

Allow prelink execheap execmem and execstack by default

Add can_winbind boolean and functions to better handle samba and winbind 
communications.

Add transitional bool functions for nfs daemons

Allow squid to communicate with winbind.

Fix file_context for /opt

Eliminate allow_execmod checks around texrel_shlib_t libraries.

Add additional ports for http














 

-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 39731 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.25.1/domains/admin.te
--- nsapolicy/domains/admin.te	2005-04-27 10:28:48.000000000 -0400
+++ policy-1.25.1/domains/admin.te	2005-07-07 15:44:45.000000000 -0400
@@ -36,3 +36,8 @@
 typeattribute secadm_tty_device_t admin_tty_type;
 typeattribute secadm_devpts_t admin_tty_type;
 
+bool allow_ptrace false;
+
+if (allow_ptrace) {
+can_ptrace(sysadm_t, domain)
+}
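Review bot: The new `allow_ptrace` boolean has no comment, and `can_ptrace(sysadm_t, domain)` covers every domain in the policy, not just user applications as the description's "ptrace and debug apps" suggests. Document both on the declaration, e.g. `# allow_ptrace: let sysadm_t ptrace any domain (debugging only); off by default because it bypasses domain separation`.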
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.25.1/domains/program/getty.te
--- nsapolicy/domains/program/getty.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.25.1/domains/program/getty.te	2005-07-07 15:44:45.000000000 -0400
@@ -52,3 +52,10 @@
 # for mgetty
 var_run_domain(getty)
 allow getty_t self:capability { fowner fsetid };
+
+#
+# getty needs to be able to run pppd
+#
+ifdef(`pppd.te', `
+domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.25.1/domains/program/login.te
--- nsapolicy/domains/program/login.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/login.te	2005-07-07 15:44:45.000000000 -0400
@@ -65,7 +65,7 @@
 ')
 
 # Use capabilities
-allow $1_login_t self:capability { audit_control dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
 allow $1_login_t self:process setrlimit;
 dontaudit $1_login_t sysfs_t:dir search;
 
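Review bot: Removing `audit_control` from `$1_login_t` here (and from `$1_t` in the ssh.te hunk and `ftpd_t` in the ftpd.te hunk below) relies on the chkpwd change the description mentions, but the chkpwd_macros.te hunk that grants the capability is not in this part of the diff; confirm it is present, otherwise login-time audit operations may start being denied. A comment such as `# audit_control moved to the chkpwd helper` on the line would record the dependency. The enclosing macro starts above the hunk.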
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.25.1/domains/program/netutils.te
--- nsapolicy/domains/program/netutils.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.25.1/domains/program/netutils.te	2005-07-07 15:44:45.000000000 -0400
@@ -21,7 +21,9 @@
 tmp_domain(netutils)
 
 domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
+')
 
 # Inherit and use descriptors from init.
 allow netutils_t { userdomain init_t }:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.1/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.1/domains/program/passwd.te	2005-07-07 15:44:45.000000000 -0400
@@ -149,3 +149,8 @@
 allow passwd_t userdomain:process getattr;
 
 allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ifdef(`targeted_policy', `
+role system_r types sysadm_passwd_t;
+allow sysadm_passwd_t devpts_t:chr_file { read write };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.25.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/ssh.te	2005-07-07 15:44:45.000000000 -0400
@@ -73,7 +73,7 @@
 allow $1_t port_type:tcp_socket name_connect;
 can_kerberos($1_t)
 
-allow $1_t self:capability { audit_control kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
 if (use_nfs_home_dirs) {
 allow $1_t autofs_t:dir { search getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.25.1/domains/program/tmpreaper.te
--- nsapolicy/domains/program/tmpreaper.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.25.1/domains/program/tmpreaper.te	2005-07-07 15:44:45.000000000 -0400
@@ -16,8 +16,8 @@
 system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
 uses_shlib(tmpreaper_t)
 # why does it need setattr?
-allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir };
-allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
+allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
+allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t self:process { fork sigchld };
 allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
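Review bot: Extending the `rmdir`/`unlink` rules to `man_t` lets tmpreaper remove anything carrying that label; the description says this replaces the eliminated catman_t for cached pages, so if `man_t` also labels installed manual pages rather than only the cache, the grant is broader than intended. A comment above the two lines, e.g. `# man_t: reap the formatted-page cache (catman_t was merged into man_t)`, would record the reason.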
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/apache.te	2005-07-07 15:44:45.000000000 -0400
@@ -114,6 +114,7 @@
 can_kerberos(httpd_t)
 can_resolve(httpd_t)
 can_ypbind(httpd_t)
+can_ldap(httpd_t)
 allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
 
 if (httpd_can_network_connect) {
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.1/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/apmd.te	2005-07-07 15:44:45.000000000 -0400
@@ -21,7 +21,7 @@
 allow apm_t privfd:fd use;
 allow apm_t admin_tty_type:chr_file rw_file_perms;
 allow apm_t device_t:dir search;
-allow apm_t self:capability sys_admin;
+allow apm_t self:capability { dac_override sys_admin };
 allow apm_t proc_t:dir search;
 allow apm_t proc_t:file { read getattr };
 allow apm_t fs_t:filesystem getattr;
@@ -54,7 +54,7 @@
 allow apmd_t self:process getsession;
 
 # Use capabilities.
-allow apmd_t self:capability { sys_admin sys_nice sys_time };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
 
 # controlling an orderly resume of PCMCIA requires creating device
 # nodes 254,{0,1,2} for some reason.
@@ -69,7 +69,10 @@
 # apmd calls hwclock.sh on suspend and resume
 allow apmd_t clock_device_t:chr_file r_file_perms;
 ifdef(`hwclock.te', `
+domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
 allow apmd_t adjtime_t:file rw_file_perms;
+allow hwclock_t apmd_log_t:file append;
+allow hwclock_t apmd_t:unix_stream_socket { read write };
 ')
 
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.25.1/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.1/domains/program/unused/bluetooth.te	2005-07-07 15:44:45.000000000 -0400
@@ -26,7 +26,8 @@
 dbusd_client(system, bluetooth)
 allow bluetooth_t system_dbusd_t:dbus send_msg;
 ')
-allow bluetooth_t self:socket { create setopt ioctl bind listen };
+allow bluetooth_t self:socket create_stream_socket_perms;
+
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/cups.te	2005-07-07 15:44:45.000000000 -0400
@@ -77,7 +77,7 @@
 allow cupsd_t self:fifo_file rw_file_perms;
 
 # Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
+allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
 dontaudit cupsd_t self:capability net_admin;
 
 #
@@ -125,7 +125,9 @@
 #
 # lots of errors generated requiring the following
 #
-allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
+
 #
 # Satisfy readahead
 #
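Review bot: The replacement `allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };` drops the `write` permission the removed line granted; if `r_netlink_socket_perms` is read-only as its name suggests, cupsd may lose the ability to send route requests, which would be a regression the "lots of errors" comment above does not anticipate. The braces around a single macro are also unusual; `allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;` matches the form used for pppd_t in the later message.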
@@ -175,6 +177,7 @@
 daemon_domain(hplip)
 etcdir_domain(hplip)
 allow hplip_t etc_t:file r_file_perms;
+allow hplip_t etc_runtime_t:file { read getattr };
 allow hplip_t printer_device_t:chr_file rw_file_perms;
 allow cupsd_t hplip_var_run_t:file { read getattr };
 allow hplip_t cupsd_etc_t:dir search;
@@ -305,4 +308,5 @@
 inetd_child_domain(cupsd_lpd)
 allow inetd_t printer_port_t:tcp_socket name_bind;
 r_dir_file(cupsd_lpd_t, cupsd_etc_t)
+r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
 allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.25.1/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/cyrus.te	2005-07-07 15:44:45.000000000 -0400
@@ -26,9 +26,7 @@
 read_locale(cyrus_t)
 read_sysctl(cyrus_t)
 tmp_domain(cyrus)
-ifdef(`use_pop', `
-allow cyrus_t pop_port_t:tcp_socket name_bind;
-')
+allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
 allow cyrus_t proc_t:dir search;
 allow cyrus_t proc_t:file { getattr read };
 allow cyrus_t sysadm_devpts_t:chr_file { read write };
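Review bot: Dropping the `use_pop` guard makes cyrus bind to `pop_port_t` unconditionally; if `use_pop` is still defined elsewhere in the tunables, cyrus becomes the one domain that ignores it. If the tunable is being retired, say so in the description; otherwise keep the conditional for the pop port and leave only `mail_port_t` unconditional.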
@@ -41,6 +39,5 @@
 allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
 ')
-allow cyrus_t mail_port_t:tcp_socket name_bind;
 create_dir_file(cyrus_t, mail_spool_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.1/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/dhcpc.te	2005-07-07 15:44:45.000000000 -0400
@@ -153,6 +153,7 @@
 domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
 ifdef(`dbusd.te', `
 dbusd_client(system, dhcpc)
+domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
 allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
 allow dhcpc_t self:dbus send_msg;
 allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
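Review bot: `domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)` makes the system message bus a new entry point into dhcpc_t, with no comment on which activation path needs it. A one-line note, e.g. `# the system bus may spawn the DHCP client (presumably service activation -- confirm)`, would let a reviewer verify the need later. The enclosing `ifdef` begins inside the hunk but its rules continue below it.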
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.25.1/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/dovecot.te	2005-07-07 15:44:45.000000000 -0400
@@ -35,6 +35,7 @@
 allow dovecot_t urandom_device_t:chr_file { getattr read };
 allow dovecot_t cert_t:dir search;
 r_dir_file(dovecot_t, dovecot_cert_t)
+r_dir_file(dovecot_t, cert_t)
 
 allow dovecot_t { self proc_t }:file { getattr read };
 allow dovecot_t self:fifo_file rw_file_perms;
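Review bot: The new `r_dir_file(dovecot_t, cert_t)` grants read on every file labeled cert_t, not only the dovecot-specific dovecot_cert_t that the line above already covers; if private keys share that label on this distribution, dovecot can now read keys belonging to other services. A comment naming which cert_t files dovecot actually needs (CA bundle, system certificate) would make the widening reviewable, and relabeling just those files to dovecot_cert_t would be tighter than opening the whole type.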
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.25.1/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.1/domains/program/unused/ftpd.te	2005-07-07 15:44:45.000000000 -0400
@@ -69,7 +69,7 @@
 tmpfs_domain(ftpd)
 
 # Use capabilities.
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource audit_control };
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
 
 # Append to /var/log/wtmp.
 allow ftpd_t wtmp_t:file { getattr append };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.1/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.1/domains/program/unused/hald.te	2005-07-07 15:44:45.000000000 -0400
@@ -65,7 +65,8 @@
 r_dir_file(hald_t, hotplug_etc_t)
 ')
 allow hald_t fs_type:dir { search getattr };
-allow hald_t { usbdevfs_t usbfs_t }:file { getattr read };
+allow hald_t usbfs_t:dir r_dir_perms;
+allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
 allow hald_t bin_t:lnk_file read;
 r_dir_file(hald_t, { selinux_config_t default_context_t } )
 allow hald_t initrc_t:dbus send_msg;
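Review bot: The usbfs file rule is widened from `{ getattr read }` to rw_file_perms without a comment; write on usbfs device nodes lets hald issue control transfers to any attached USB device, a larger step than the read the old rule allowed. State what needs the write (`# hald writes usbfs nodes to probe/reset devices — confirm`) and, if only a specific helper does, consider confining that helper rather than the whole hald_t domain.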
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.25.1/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/hotplug.te	2005-07-07 15:44:45.000000000 -0400
@@ -65,7 +65,7 @@
 allow hotplug_t etc_t:dir r_dir_perms;
 allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
 
-allow hotplug_t kernel_t:process sigchld;
+allow hotplug_t kernel_t:process { sigchld setpgid };
 
 ifdef(`distro_redhat', `
 allow hotplug_t var_lock_t:dir search;
@@ -157,3 +157,5 @@
 ')
 
 allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
+allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.1/domains/program/unused/hwclock.te
--- nsapolicy/domains/program/unused/hwclock.te	2005-04-27 10:28:51.000000000 -0400
+++ policy-1.25.1/domains/program/unused/hwclock.te	2005-07-07 15:44:45.000000000 -0400
@@ -19,9 +19,6 @@
 role sysadm_r types hwclock_t;
 domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
 type adjtime_t, file_type, sysadmfile;
-ifdef(`apmd.te', `
-domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
-')
 
 allow hwclock_t fs_t:filesystem getattr;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iceauth.te policy-1.25.1/domains/program/unused/iceauth.te
--- nsapolicy/domains/program/unused/iceauth.te	2005-07-05 15:25:46.000000000 -0400
+++ policy-1.25.1/domains/program/unused/iceauth.te	2005-07-07 15:44:45.000000000 -0400
@@ -6,7 +6,7 @@
 #
 # iceauth_exec_t is the type of the xauth executable.
 #
-type iceauth_exec_t, file_type, sysadmfile;
+type iceauth_exec_t, file_type, exec_type, sysadmfile;
 
 # Everything else is in the iceauth_domain macro in
 # macros/program/iceauth_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.25.1/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/nscd.te	2005-07-07 15:44:45.000000000 -0400
@@ -75,3 +75,4 @@
 allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
 log_domain(nscd)
 r_dir_file(nscd_t, cert_t)
+allow nscd_t tun_tap_device_t:chr_file { read write };
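Review bot: The added `allow nscd_t tun_tap_device_t:chr_file { read write };` has no comment, and nothing in nscd's visible rules explains why a name-service cache would open /dev/net/tun. If this came from an AVC denial, the code path responsible should be identified before the allow goes in; a stray open of the tun device is usually better handled with a dontaudit than with read/write.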
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.1/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/pppd.te	2005-07-07 15:44:45.000000000 -0400
@@ -36,8 +36,7 @@
 can_ypbind(pppd_t)
 
 # Use capabilities.
-allow pppd_t self:capability { net_admin setuid setgid fsetid };
-
+allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
 lock_domain(pppd)
 
 # Access secret files
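Review bot: dac_override is added to pppd_t's capability set in the rewritten allow line without a comment, alongside fowner and net_raw which were only moved up from later in the file. dac_override bypasses every DAC check on the system, so the file or directory that triggered it should be named (`# dac_override: pppd opens <path> owned by another uid — confirm`) and, where possible, replaced by a type-specific rule on that path.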
@@ -93,7 +92,7 @@
 # for pppoe
 can_create_pty(pppd)
 allow pppd_t self:file { read getattr };
-allow pppd_t self:capability { fowner net_raw };
+
 allow pppd_t self:packet_socket create_socket_perms;
 
 file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
@@ -101,3 +100,5 @@
 allow pppd_t sysctl_net_t:dir search;
 allow pppd_t sysctl_net_t:file r_file_perms;
 allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
+allow pppd_t initrc_var_run_t:file r_file_perms;
+dontaudit pppd_t initrc_var_run_t:file { lock write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/prelink.te policy-1.25.1/domains/program/unused/prelink.te
--- nsapolicy/domains/program/unused/prelink.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.1/domains/program/unused/prelink.te	2005-07-07 15:44:45.000000000 -0400
@@ -11,13 +11,8 @@
 #
 daemon_base_domain(prelink, `, admin, privowner')
 
-if (allow_execmem) {
-allow prelink_t self:process execmem;
-}
-if (allow_execmod) {
+allow prelink_t self:process { execheap execmem execstack };
 allow prelink_t texrel_shlib_t:file execmod;
-}
-
 allow prelink_t fs_t:filesystem getattr;
 
 ifdef(`crond.te', `
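Review bot: execheap and execstack are now granted to prelink_t unconditionally, and the allow_execmem/allow_execmod booleans no longer control this domain at all; the removed `if (allow_execmem)`/`if (allow_execmod)` blocks were the only way an admin could deny these on a hardened box. Why prelink needs execstack in particular is not obvious from the rest of the domain and deserves a comment. If the tunables are meant to stay meaningful, keep `allow prelink_t self:process { execheap execmem execstack };` inside `if (allow_execmem) { ... }`.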
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.25.1/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.1/domains/program/unused/procmail.te	2005-07-07 15:44:45.000000000 -0400
@@ -20,6 +20,7 @@
 allow procmail_t device_t:dir search;
 can_network_server(procmail_t)
 can_ypbind(procmail_t)
+can_winbind(procmail_t)
 
 allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.25.1/domains/program/unused/radvd.te
--- nsapolicy/domains/program/unused/radvd.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.1/domains/program/unused/radvd.te	2005-07-07 15:44:45.000000000 -0400
@@ -15,11 +15,12 @@
 
 allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
 
-allow radvd_t self:capability net_raw;
+allow radvd_t self:capability { net_raw setgid };
 allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
 allow radvd_t self:unix_stream_socket create_socket_perms;
 
 can_network_server(radvd_t)
+can_ypbind(radvd_t)
 
 allow radvd_t proc_t:dir r_dir_perms;
 allow radvd_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.25.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/rpcd.te	2005-07-07 15:44:45.000000000 -0400
@@ -11,7 +11,11 @@
 # Rules for the rpcd_t and nfsd_t domain.
 #
 define(`rpc_domain', `
+ifdef(`targeted_policy', `
+daemon_base_domain($1, `, transitionbool')
+', `
 daemon_base_domain($1)
+')
 can_network($1_t)
 allow $1_t port_type:tcp_socket name_connect;
 can_ypbind($1_t)
@@ -114,7 +118,7 @@
 allow nfsd_t var_run_t:dir search;
 
 allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_t:filesystem getattr;
+allow nfsd_t fs_type:filesystem getattr;
 
 can_udp_send(nfsd_t, portmap_t)
 can_udp_send(portmap_t, nfsd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.1/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.1/domains/program/unused/rpm.te	2005-07-07 15:44:45.000000000 -0400
@@ -253,4 +253,7 @@
 typeattribute rpm_script_t auth_write;
 unconfined_domain(rpm_script_t)
 ')
+if (allow_execmem) {
+allow rpm_script_t self:process execmem;
+}
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/samba.te	2005-07-07 15:44:45.000000000 -0400
@@ -47,6 +47,9 @@
 
 # Use the network.
 can_network(smbd_t)
+can_ldap(smbd_t)
+can_kerberos(smbd_t)
+can_winbind(smbd_t)
 allow smbd_t ipp_port_t:tcp_socket name_connect;
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
@@ -61,8 +64,10 @@
 
 # Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
 allow smbd_t var_lib_t:dir search;
-allow smbd_t samba_var_t:dir create_dir_perms;
-allow smbd_t samba_var_t:file create_file_perms;
+create_dir_file(smbd_t, samba_var_t)
+
+# Needed for shared printers
+allow smbd_t var_spool_t:dir search;
 
 # Permissions to write log files.
 allow smbd_t samba_log_t:file { create ra_file_perms };
@@ -182,3 +187,28 @@
 allow smbmount_t userdomain:fd use;
 allow smbmount_t local_login_t:fd use;
 ')
+# Derive from app. domain. Transition from mount.
+application_domain(samba_net, `, nscd_client_domain')
+file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
+read_locale(samba_net_t) 
+allow samba_net_t samba_etc_t:file r_file_perms;
+r_dir_file(samba_net_t, samba_var_t)
+can_network_udp(samba_net_t)
+access_terminal(samba_net_t, sysadm)
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+rw_dir_create_file(samba_net_t, samba_var_t)
+allow samba_net_t etc_t:file { getattr read };
+can_network_client(samba_net_t)
+allow samba_net_t smbd_port_t:tcp_socket name_connect;
+can_ldap(samba_net_t)
+can_kerberos(samba_net_t)
+allow samba_net_t urandom_device_t:chr_file r_file_perms;
+allow samba_net_t proc_t:dir search;
+allow samba_net_t proc_t:lnk_file read;
+allow samba_net_t self:dir search;
+allow samba_net_t self:file read;
+allow samba_net_t self:process signal;
+tmp_domain(samba_net)
+dontaudit samba_net_t sysadm_home_dir_t:dir search;
+allow samba_net_t privfd:fd use;
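Review bot: The new samba_net_t domain grants samba_var_t both `r_dir_file(samba_net_t, samba_var_t)` and `rw_dir_create_file(samba_net_t, samba_var_t)`; the second subsumes the first, so one of them should go. I also do not see a `role sysadm_r types samba_net_t` or a domain_auto_trans from sysadm_t on samba_net_exec_t in this hunk — if application_domain does not supply them, /usr/bin/net will keep running in the caller's domain, so worth confirming. A header comment saying what `net` does (domain joins, writing secrets.tdb via the samba_secrets_t transition) would explain why it needs kerberos, ldap and a tmp domain.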
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.25.1/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/squid.te	2005-07-07 15:44:45.000000000 -0400
@@ -78,3 +78,6 @@
 #squid requires the following when run in diskd mode, the recommended setting
 allow squid_t tmpfs_t:file { read write };
 r_dir_file(squid_t, cert_t)
+ifdef(`winbind.te', `
+domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.1/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-07 15:44:45.000000000 -0400
@@ -22,7 +22,7 @@
 type samba_var_t, file_type, sysadmfile;
 type samba_secrets_t, file_type, sysadmfile;
 ')
-rw_dir_file(winbind_t, samba_etc_t)
+file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
 rw_dir_create_file(winbind_t, samba_log_t)
 allow winbind_t samba_secrets_t:file rw_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
@@ -33,3 +33,15 @@
 can_kerberos(winbind_t)
 allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow winbind_t winbind_var_run_t:sock_file create_file_perms;
+allow initrc_t winbind_var_run_t:file r_file_perms;
+
+application_domain(winbind_helper, `, nscd_client_domain')
+access_terminal(winbind_helper_t, sysadm)
+read_locale(winbind_helper_t) 
+r_dir_file(winbind_helper_t, samba_etc_t)
+r_dir_file(winbind_t, samba_etc_t)
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
+can_winbind(winbind_helper_t)
+allow winbind_helper_t privfd:fd use;
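Review bot: `r_dir_file(winbind_t, samba_etc_t)` is a winbind_t rule dropped into the middle of the winbind_helper_t block; it restores the read half of the rw_dir_file removed in the previous hunk and belongs next to the file_type_auto_trans on samba_etc_t there. Moving it keeps the winbind_t rules together and lets the helper's rules read as one unit. The `allow initrc_t winbind_var_run_t:file r_file_perms;` also deserves a comment on which file initrc reads (pid file, presumably).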
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.25.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/xdm.te	2005-07-07 15:44:45.000000000 -0400
@@ -69,7 +69,7 @@
 
 #
 # Use capabilities.
-allow xdm_t self:capability { audit_control setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
 
 allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl };
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.1/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/file_contexts/program/cups.fc	2005-07-07 15:44:45.000000000 -0400
@@ -41,3 +41,5 @@
 /usr/share/hplip/hpssd.py	--	system_u:object_r:hplip_exec_t
 /usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
 /var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
+/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t
+/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpcd.fc policy-1.25.1/file_contexts/program/rpcd.fc
--- nsapolicy/file_contexts/program/rpcd.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.1/file_contexts/program/rpcd.fc	2005-07-07 15:44:45.000000000 -0400
@@ -1,6 +1,6 @@
 # RPC daemons
 /sbin/rpc\..*		--	system_u:object_r:rpcd_exec_t
-/usr/sbin/rpc\..*	--	system_u:object_r:rpcd_exec_t
+/usr/sbin/rpc.idmapd	--	system_u:object_r:rpcd_exec_t
 /usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t
 /usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t
 /usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t
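Review bot: The new pattern `/usr/sbin/rpc.idmapd` leaves the dot unescaped, so it matches any character there and is inconsistent with the neighbouring `rpc\.nfsd` / `rpc\.gssd` entries; change it to `/usr/sbin/rpc\.idmapd	--	system_u:object_r:rpcd_exec_t`. Replacing the former `/usr/sbin/rpc\..*` wildcard also means any other rpc.* binary in /usr/sbin no longer gets rpcd_exec_t; if that is intended, a one-line comment saying so would stop the next person re-adding the wildcard.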
@@ -9,3 +9,4 @@
 /var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t
 /var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t
 /etc/exports		--	system_u:object_r:exports_t
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.25.1/file_contexts/program/samba.fc
--- nsapolicy/file_contexts/program/samba.fc	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.25.1/file_contexts/program/samba.fc	2005-07-07 15:44:45.000000000 -0400
@@ -1,6 +1,7 @@
 # samba scripts
 /usr/sbin/smbd		--	system_u:object_r:smbd_exec_t
 /usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t
+/usr/bin/net		--	system_u:object_r:samba_net_exec_t
 /etc/samba(/.*)?		system_u:object_r:samba_etc_t
 /var/log/samba(/.*)?		system_u:object_r:samba_log_t
 /var/cache/samba(/.*)?		system_u:object_r:samba_var_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.25.1/file_contexts/program/winbind.fc
--- nsapolicy/file_contexts/program/winbind.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.1/file_contexts/program/winbind.fc	2005-07-07 15:44:45.000000000 -0400
@@ -8,3 +8,4 @@
 /var/cache/samba(/.*)?		system_u:object_r:samba_var_t
 ')
 /var/cache/samba/winbindd_privileged(/.*)?	system_u:object_r:winbind_var_run_t
+/usr/bin/ntlm_auth --	system_u:object_r:winbind_helper_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.25.1/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/file_contexts/types.fc	2005-07-07 15:44:45.000000000 -0400
@@ -261,13 +261,13 @@
 # /opt
 #
 /opt(/.*)?			system_u:object_r:usr_t
-/opt/.*/lib(64)?(/.*)?				system_u:object_r:lib_t
-/opt/.*/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/opt/.*/libexec(/.*)?	system_u:object_r:bin_t
-/opt/.*/bin(/.*)?		system_u:object_r:bin_t
-/opt/.*/sbin(/.*)?		system_u:object_r:sbin_t
-/opt/.*/man(/.*)?		system_u:object_r:man_t
-/opt/.*/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t
+/opt(/.*)?/lib(64)?(/.*)?				system_u:object_r:lib_t
+/opt(/.*)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/opt(/.*)?/libexec(/.*)?	system_u:object_r:bin_t
+/opt(/.*)?/bin(/.*)?		system_u:object_r:bin_t
+/opt(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
+/opt(/.*)?/man(/.*)?		system_u:object_r:man_t
+/opt(/.*)?/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t
 
 #
 # /etc
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.25.1/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/admin_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -49,9 +49,6 @@
 # Allow system log read
 allow $1_t kernel_t:system syslog_read;
 
-# Allow autrace
-# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
-
 # Use capabilities other than sys_module.
 allow $1_t self:capability ~sys_module;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.25.1/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/base_user_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -63,10 +63,8 @@
 allow $1_t self:process execstack;
 }
 
-if (allow_execmod) {
 # Allow text relocations on system shared libraries, e.g. libGL.
 allow $1_t texrel_shlib_t:file execmod;
-}
 
 #
 # kdeinit wants this access
@@ -244,6 +242,7 @@
 can_network($1_t)
 allow $1_t port_type:tcp_socket name_connect;
 can_ypbind($1_t)
+can_winbind($1_t)
 
 ifdef(`pamconsole.te', `
 allow $1_t pam_var_console_t:dir search;
@@ -349,7 +348,7 @@
 allow $1_t devtty_t:chr_file rw_file_perms;
 allow $1_t null_device_t:chr_file rw_file_perms;
 allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
+allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
 #
 # Added to allow reading of cdrom
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/global_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -106,6 +106,7 @@
 allow $1 ld_so_t:lnk_file r_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
+allow $1 texrel_shlib_t:file execmod;
 allow $1 ld_so_cache_t:file r_file_perms;
 allow $1 device_t:dir search;
 allow $1 null_device_t:chr_file rw_file_perms;
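Review bot: Adding `allow $1 texrel_shlib_t:file execmod;` inside uses_shlib grants text relocations to every domain that loads shared libraries, and the same patch removes the `if (allow_execmod)` guards in base_user_macros, games, java, mozilla, mplayer and xserver, so the allow_execmod boolean no longer gates anything. Either keep the boolean meaningful by wrapping this line (`if (allow_execmod) { allow $1 texrel_shlib_t:file execmod; }`), or retire the boolean explicitly and add a comment here saying execmod is now unconditional because of texrel libraries such as libGL. The per-domain execmod rules left behind in those other files are now redundant either way.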
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.1/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/network_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -168,3 +168,10 @@
 allow $1 ldap_port_t:tcp_socket name_connect;
 ')
 
+define(`can_winbind',`
+ifdef(`winbind.te', `
+allow $1 winbind_var_run_t:dir { getattr search };
+allow $1 winbind_t:unix_stream_socket connectto;
+allow $1 winbind_var_run_t:sock_file { getattr read write };
+')
+')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.1/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/apache_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -78,9 +78,6 @@
 
 allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
 
-# for nscd
-dontaudit httpd_$1_script_t var_t:dir search;
-
 ###########################################################################
 # Allow the script interpreters to run the scripts.  So
 # the perl executable will be able to run a perl script
@@ -108,6 +105,7 @@
 
 if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 create_dir_file(httpd_$1_script_t, httpdcontent)
+can_exec(httpd_$1_script_t, httpdcontent)
 }
 
 #
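Review bot: With `can_exec(httpd_$1_script_t, httpdcontent)` added next to the existing create_dir_file on the same type, a unified-content CGI can write a file and execute it from the same label, so a compromised script can drop and run a binary under httpdcontent. That is a consequence of httpd_unified and may be accepted, but it should be visible: I would add `# write+exec on httpdcontent: httpd_unified trades W^X separation for convenience` above the if block, and mention it in the boolean's description.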
@@ -126,6 +124,7 @@
 ############################################
 # Allow scripts to append to http logs
 #########################################
+allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;
 allow httpd_$1_script_t httpd_log_t:file { getattr append };
 
 # apache should set close-on-exec
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.1/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2005-06-01 06:11:23.000000000 -0400
+++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -32,9 +32,16 @@
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
 allow auth_chkpwd sbin_t:dir search;
 allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow auth_chkpwd self:capability { audit_write audit_control };
+
 dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
 dontaudit auth_chkpwd shadow_t:file { getattr read };
 can_ypbind(auth_chkpwd)
+can_kerberos(auth_chkpwd)
+can_ldap(auth_chkpwd)
+ifdef(`winbind.te', `
+r_dir_file(auth_chkpwd, winbind_var_run_t)
+')
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
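Review bot: `allow auth_chkpwd self:capability { audit_write audit_control };` grants audit_control — the ability to alter audit configuration and rules — to every domain carrying the auth_chkpwd attribute, while this same patch strips audit_control from ftpd_t and xdm_t. Emitting the PAM authentication records that unix_chkpwd writes should only need audit_write plus the existing nlmsg_relay; if audit_control really is required, put the reason in a comment, otherwise reduce it to `allow auth_chkpwd self:capability audit_write;`.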
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.25.1/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/dbusd_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -37,7 +37,7 @@
 allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
 
 allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read };
+allow $1_dbusd_t self:file { getattr read write };
 allow $1_dbusd_t proc_t:file read;
 
 can_getsecurity($1_dbusd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.1/macros/program/evolution_macros.te
--- nsapolicy/macros/program/evolution_macros.te	2005-07-05 15:25:49.000000000 -0400
+++ policy-1.25.1/macros/program/evolution_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -221,12 +221,6 @@
 domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
 ') dnl spamassasin.te
 
-### Start links in web browser
-ifdef(`mozilla.te', `
-can_exec($1_evolution_t, shell_exec_t)
-domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
-') dnl mozilla.te
-
 ') dnl evolution_domain
 
 #################################
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.25.1/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/games_domain.te	2005-07-07 15:44:45.000000000 -0400
@@ -33,10 +33,7 @@
 allow $1_games_t self:process execmem;
 }
 
-if (allow_execmod) {
 allow $1_games_t texrel_shlib_t:file execmod;
-}
-
 allow $1_games_t var_t:dir { search getattr };
 rw_dir_create_file($1_games_t, games_data_t)
 allow $1_games_t sound_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.25.1/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-06-01 06:11:23.000000000 -0400
+++ policy-1.25.1/macros/program/java_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -52,9 +52,7 @@
 can_exec($1_javaplugin_t, java_exec_t)
 
 # libdeploy.so legacy
-if (allow_execmod) {
 allow $1_javaplugin_t texrel_shlib_t:file execmod;
-}
 if (allow_execmem) {
 allow $1_javaplugin_t self:process execmem;
 }
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.1/macros/program/mail_client_macros.te
--- nsapolicy/macros/program/mail_client_macros.te	2005-07-05 15:25:49.000000000 -0400
+++ policy-1.25.1/macros/program/mail_client_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -21,8 +21,8 @@
 
 # Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
 can_ypbind($1_t)
-can_network_client_tcp($1_t, { pop_port_t smtp_port_t ifdef(`innd.te', `innd_port_t') ldap_port_t ipp_port_t })
-allow $1_t { pop_port_t smtp_port_t ifdef(`innd.te', `innd_port_t') ldap_port_t ipp_port_t }:tcp_socket name_connect;
+can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
+allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
 
 # Allow printing the mail
 ifdef(`cups.te',`
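Review bot: innd_port_t is now referenced unconditionally in can_network_client_tcp and the name_connect rule, where it was previously wrapped in `ifdef(`innd.te', ...)`. This only builds if innd_port_t is declared outside innd.te (types/network.te appears to hold the port types, which would make it fine); if it is declared in innd.te, policies without innd will fail to compile. A short comment noting where the type lives would save the next reader the check.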
@@ -45,4 +45,10 @@
 allow $1_t $2_gpg_t:process signal;
 ')
 
+# Start links in web browser
+ifdef(`mozilla.te', `
+can_exec($1_t, shell_exec_t)
+domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
+') 
+
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.1/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/mozilla_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -133,9 +133,7 @@
 if (allow_execmem) {
 allow $1_mozilla_t self:process execmem;
 }
-if (allow_execmod) {
 allow $1_mozilla_t texrel_shlib_t:file execmod;
-}
 
 dbusd_client(system, $1_mozilla)
 ifdef(`apache.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.25.1/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/mplayer_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -44,8 +44,8 @@
 
 if (allow_execmod) {
 allow $1_$2_t zero_device_t:chr_file execmod;
-allow $1_$2_t texrel_shlib_t:file execmod;
 }
+allow $1_$2_t texrel_shlib_t:file execmod;
 
 # Access to DVD/CD/V4L
 allow $1_$2_t device_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.25.1/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/xserver_macros.te	2005-07-07 15:44:45.000000000 -0400
@@ -52,9 +52,7 @@
 
 uses_shlib($1_xserver_t)
 
-if (allow_execmod) {
 allow $1_xserver_t texrel_shlib_t:file execmod;
-}
 
 can_network($1_xserver_t)
 allow $1_xserver_t port_type:tcp_socket name_connect;
@@ -64,11 +62,9 @@
 # for access within the domain
 general_domain_access($1_xserver_t)
 
-if (allow_execmem) {
 allow $1_xserver_t self:process execmem;
 # Until the X module loader is fixed.
 allow $1_xserver_t self:process execheap;
-}
 
 allow $1_xserver_t etc_runtime_t:file { getattr read };
 
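Review bot: execheap is now unconditional for $1_xserver_t while the comment above it still reads `# Until the X module loader is fixed.`, i.e. describes a temporary workaround; dropping the allow_execmem guard turns that workaround into permanent policy the boolean can no longer switch off. Keep `allow $1_xserver_t self:process { execmem execheap };` inside `if (allow_execmem) { ... }`, or update the comment to say the grant is deliberate and permanent.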
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.1/net_contexts
--- nsapolicy/net_contexts	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/net_contexts	2005-07-07 15:44:45.000000000 -0400
@@ -58,6 +58,8 @@
 
 portcon tcp 80  system_u:object_r:http_port_t
 portcon tcp 443  system_u:object_r:http_port_t
+portcon tcp 488  system_u:object_r:http_port_t
+portcon tcp 8008  system_u:object_r:http_port_t
 
 portcon tcp 106 system_u:object_r:pop_port_t
 portcon tcp 109 system_u:object_r:pop_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.25.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/targeted/domains/unconfined.te	2005-07-07 15:44:45.000000000 -0400
@@ -72,3 +72,8 @@
 
 # allow reading of default file context
 bool read_default_t true;
+
+if (allow_execmem) {
+allow domain self:process execmem;
+}
+
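Review bot: `allow domain self:process execmem;` under allow_execmem applies to every domain in the targeted policy, not just the unconfined one, so confined daemons lose the execmem restriction whenever the boolean is on, and the per-domain execmem rules this patch adds elsewhere (rpm_script_t, xserver) become moot in targeted policy. If the intent is only the unconfined domain, use `allow unconfined_t self:process execmem;`; if it really is all domains, a comment explaining that choice belongs above the if.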
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.1/tunables/distro.tun	2005-07-07 15:44:45.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
+++ policy-1.25.1/tunables/tunable.tun	2005-07-07 15:44:45.000000000 -0400
@@ -2,7 +2,7 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
@@ -20,7 +20,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.1/types/network.te
--- nsapolicy/types/network.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/types/network.te	2005-07-07 15:44:45.000000000 -0400
@@ -158,7 +158,6 @@
 type snmp_port_t, port_type, reserved_port_type;
 type biff_port_t, port_type, reserved_port_type;
 type hplip_port_t, port_type;
-type cipe_port_t, port_type;
 
 #inetd_child_ports
 

* latest diffs
@ 2005-05-28  5:15 Daniel J Walsh
  0 siblings, 0 replies; 143+ messages in thread
From: Daniel J Walsh @ 2005-05-28  5:15 UTC (permalink / raw)
  To: Jim Carter, SELinux


Allow kernel to read sysfs files and directories

Don't transition to fsadm_t from unconfined_t (sysadm_t) in targeted policy.

Add support for debugfs in modutil.

More fixes for amanda.  Change dump to fsadm_exec_t

Fixed for audit daemon

Allow automount to create and delete directories in /root and /home dirs.

Move can_ypbind to chkpwd_macro.te  (If you are need to authenticate via 
yppasswd...)

Allow squid to use cert files

Cups/ptal/foomatic fixes

Begin adding support for Ivan's Font Config stuff.

Allow useradd to create additional files and types via the skell mechanism

Fix crond for targeted to define system_crond_tmp_t as a tempfile



-- 




diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.17/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te	2005-05-07 00:41:08.000000000 -0400
+++ policy-1.23.17/domains/misc/kernel.te	2005-05-25 11:41:56.000000000 -0400
@@ -22,8 +22,8 @@
 # Use capabilities.
 allow kernel_t self:capability *;
 
-allow kernel_t sysfs_t:dir search;
-allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
+r_dir_file(kernel_t, sysfs_t)
+allow kernel_t { usbfs_t usbdevfs_t }:dir search;
 
 # Run init in the init_t domain.
 domain_auto_trans(kernel_t, init_exec_t, init_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.17/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.17/domains/program/fsadm.te	2005-05-25 11:41:56.000000000 -0400
@@ -47,8 +47,9 @@
 
 type fsadm_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-
+')
 tmp_domain(fsadm)
 
 # remount file system to apply changes
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.17/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.17/domains/program/modutil.te	2005-05-25 11:41:56.000000000 -0400
@@ -138,8 +138,8 @@
 
 allow insmod_t fs_t:filesystem getattr;
 allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount;
+allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
 
 # Rules for /proc/sys/kernel/tainted
 read_sysctl(insmod_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.17/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.17/domains/program/unused/amanda.te	2005-05-25 11:41:56.000000000 -0400
@@ -31,7 +31,7 @@
 # General declarations
 ######################
 
-type amanda_t, domain, privlog, auth, nscd_client_domain ;
+type amanda_t, domain, privlog, auth, nscd_client_domain;
 role system_r types amanda_t;
 
 # type for the amanda executables
@@ -157,7 +157,7 @@
 allow amanda_t bin_t:file { execute execute_no_trans };
 
 allow amanda_t self:capability { chown dac_override setuid };
-allow amanda_t self:process { fork sigchld };
+allow amanda_t self:process { fork sigchld setpgid signal };
 allow amanda_t self:unix_dgram_socket create;
 
 
@@ -234,7 +234,7 @@
 
 uses_shlib(amanda_recover_t)
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
-allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
 allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
 allow amanda_recover_t privfd:fd use;
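Review bot: The new `kill` capability on amanda_recover_t is broader than the `self:process { ... signal }` rule on the line above already grants: CAP_KILL is consulted only when signalling a process owned by a different uid, so this line is about some non-self target that the commit message ("More fixes for amanda") does not name. A one-line comment naming that target, e.g. `# kill: amrecover signals a helper it runs under another uid`, would let the next reviewer judge whether it is still needed; if the target turns out to be the same uid, the capability can be dropped again.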
 
@@ -304,6 +304,8 @@
 allow amanda_t file_type:dir {getattr read search };
 allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
 allow amanda_t device_type:{ blk_file chr_file } getattr;
+domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
+
 dontaudit amanda_t file_type:sock_file getattr;
 logdir_domain(amanda)
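Review bot: `domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)` hands the backup daemon every tool labelled fsadm_exec_t, not just the /sbin/dump it was added for — the fsadm.fc hunk in this same patch shows parted, tune2fs, swapon, hdparm and raidstart sharing that label, and fsadm_t is the domain that gets raw block-device access. A compromise of amanda_t, a network-reachable service, would therefore reach a domain that can repartition or reformat disks. If dump only needs to read block devices, a dedicated type for /sbin/dump with a narrower domain, or giving amanda_t the read access directly, keeps the transition out; at minimum record the intent, `# dump runs in fsadm_t: it needs raw read of the block devices being backed up`.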
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.17/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.17/domains/program/unused/auditd.te	2005-05-25 11:41:56.000000000 -0400
@@ -15,6 +15,8 @@
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:capability { audit_write audit_control sys_nice };
+allow auditd_t self:process setsched;
+allow auditd_t self:file { getattr read };
 allow auditd_t etc_t:file { getattr read };
 
 # Do not use logdir_domain since this is a security file
@@ -35,15 +37,17 @@
 
 type auditd_etc_t, file_type, secure_file_type;
 allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
+allow initrc_t auditd_etc_t:file r_file_perms;
 
 role secadm_r types auditctl_t;
 role sysadm_r types auditctl_t;
 audit_manager_domain(secadm_t)
 
+ifdef(`targeted_policy', `', `
 ifdef(`separate_secadm', `', `
 audit_manager_domain(sysadm_t)
+') 
 ')
-allow initrc_t auditd_etc_t:file r_file_perms;
 
 role system_r types auditctl_t;
 domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
@@ -52,11 +56,6 @@
 allow auditctl_t proc_t:dir search;
 allow auditctl_t sysctl_kernel_t:dir search;
 allow auditctl_t sysctl_kernel_t:file { getattr read };
-allow auditd_t self:process setsched;
 dontaudit auditctl_t init_t:fd use; 
-allow auditctl_t privfd:fd use;
 allow auditctl_t initrc_devpts_t:chr_file { read write };
-allow auditd_t self:file { getattr read };
-ifdef(`rpm.te', `
-allow auditctl_t rpm_script_t:fd use;
-')
+allow auditctl_t privfd:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.23.17/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.17/domains/program/unused/automount.te	2005-05-25 11:41:56.000000000 -0400
@@ -68,8 +68,8 @@
 
 can_exec(initrc_t, automount_etc_t)
 
-# Need something like the following
-# file_type_auto_trans(automount_t, file_type, automount_tmp_t, dir)
+# Allow automount to create and delete directories in / and /home
+file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
 
 allow automount_t var_lib_t:dir search;
 allow automount_t var_lib_nfs_t:dir search;
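Review bot: The commit message says automount needs to create and delete directories in /root and /home, but the new rule targets `root_t`, which elsewhere in this series is the type mount_t is allowed to `mounton` for the root directory `/`, while /root appears to carry sysadm_home_dir_t. If /root is meant, the type is wrong; if `/` is meant, note that file_type_auto_trans also grants automount_t the create/unlink/rmdir side on root_t:dir, i.e. it may add and remove top-level entries in `/`. Either way the in-code comment `# Allow automount to create and delete directories in / and /home` and the commit message should agree on which directory is intended.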
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.17/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.17/domains/program/unused/cups.te	2005-05-26 11:59:14.000000000 -0400
@@ -16,7 +16,6 @@
 type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
 
 can_network(cupsd_t)
-can_ypbind(cupsd_t)
 allow cupsd_t port_type:tcp_socket name_connect;
 logdir_domain(cupsd)
 
@@ -148,16 +147,16 @@
 etcdir_domain(ptal)
 
 file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
-allow ptal_t self:capability chown;
+allow ptal_t self:capability { chown sys_rawio };
 allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ptal_t self:unix_stream_socket { listen accept };
 allow ptal_t self:fifo_file rw_file_perms;
 allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file { ioctl read write };
+allow ptal_t printer_device_t:chr_file rw_file_perms;
 allow initrc_t printer_device_t:chr_file getattr;
 allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
 r_dir_file(ptal_t, usbdevfs_t)
-r_dir_file(ptal_t, usbfs_t)
+rw_dir_file(ptal_t, usbfs_t)
 allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket connectto;
 allow cupsd_t ptal_var_run_t:dir search;
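Review bot: `sys_rawio` in `allow ptal_t self:capability { chown sys_rawio };` is one of the broadest capabilities in the set (raw I/O on devices and the privileged ioctls that check it), and nothing in the hunk says which ioctl the HP printer helper needs it for. Combined with `rw_dir_file(ptal_t, usbfs_t)` this gives a printer daemon write access to every usbfs node, not only printers. If the trigger is a specific USBDEVFS ioctl, record it, `# sys_rawio: needed for <ioctl> on the USB printer node`, and consider whether the denial can be dontaudited instead; if the daemon works without it, drop it.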
@@ -166,6 +165,7 @@
 allow initrc_t ptal_var_run_t:dir rmdir;
 allow initrc_t ptal_var_run_t:fifo_file unlink;
 
+
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
 
@@ -181,6 +181,7 @@
 daemon_domain(cupsd_config)
 
 allow cupsd_config_t devpts_t:dir search;
+allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
 
 ifdef(`distro_redhat', `
 ifdef(`rpm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.23.17/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.17/domains/program/unused/firstboot.te	2005-05-25 11:41:56.000000000 -0400
@@ -10,7 +10,7 @@
 #
 # firstboot_exec_t is the type of the firstboot executable.
 #
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
 type firstboot_rw_t, file_type, sysadmfile;
 role system_r types firstboot_t;
 
@@ -29,8 +29,10 @@
 file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
 
 can_exec_any(firstboot_t)
+ifdef(`useradd.te',`
 domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
 domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
+')
 allow firstboot_t etc_runtime_t:file { getattr read };
 
 r_dir_file(firstboot_t, etc_t)
@@ -130,4 +132,7 @@
 # The big hammer
 #
 unconfined_domain(firstboot_t) 
+ifdef(`targeted_policy', `
+allow firstboot_t unconfined_t:process transition;
+')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fontconfig.te policy-1.23.17/domains/program/unused/fontconfig.te
--- nsapolicy/domains/program/unused/fontconfig.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.17/domains/program/unused/fontconfig.te	2005-05-25 11:41:56.000000000 -0400
@@ -0,0 +1,7 @@
+#
+# Fontconfig related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Look in fontconfig_macros.te
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.23.17/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.17/domains/program/unused/rhgb.te	2005-05-25 11:41:56.000000000 -0400
@@ -43,6 +43,8 @@
 allow rhgb_t port_type:tcp_socket name_connect;
 can_ypbind(rhgb_t)
 
+allow rhgb_t usr_t:{ file lnk_file } { getattr read };
+
 # for running setxkbmap
 r_dir_file(rhgb_t, xkb_var_lib_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.23.17/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.17/domains/program/unused/rshd.te	2005-05-25 11:41:56.000000000 -0400
@@ -25,8 +25,6 @@
 can_network_server(rshd_t)
 allow rshd_t rsh_port_t:tcp_socket name_bind;
 
-can_ypbind(rshd_t)
-
 allow rshd_t etc_t:file { getattr read };
 read_locale(rshd_t)
 allow rshd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.17/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.17/domains/program/unused/squid.te	2005-05-25 11:41:56.000000000 -0400
@@ -28,7 +28,7 @@
 # type for /var/cache/squid
 type squid_cache_t, file_type, sysadmfile;
 
-allow squid_t self:capability { setgid setuid net_bind_service };
+allow squid_t self:capability { setgid setuid net_bind_service dac_override };
 allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
 allow squid_t etc_t:lnk_file read;
 allow squid_t self:unix_stream_socket create_socket_perms;
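Review bot: `dac_override` on squid_t lets the proxy bypass every DAC permission check on the filesystem, which is a lot to grant for "Allow squid to use cert files" — if the goal is only to read root-owned certificate or key files, `dac_read_search` covers read and search without the write side, and making the files group-readable to the squid group avoids the capability entirely. The following squid hunk grants r_dir_file on cert_t at the same time, so the capability is presumably covering a mode-0600 private key; a comment saying so, `# dac_override: read 0600 key files under cert_t`, would justify the choice.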
@@ -76,3 +76,4 @@
 
 #squid requires the following when run in diskd mode, the recommended setting
 allow squid_t tmpfs_t:file { read write };
+r_dir_file(squid_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.17/domains/user.te
--- nsapolicy/domains/user.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.17/domains/user.te	2005-05-26 13:10:53.000000000 -0400
@@ -80,11 +80,11 @@
 ') dnl ifdef su.te
 ifdef(`xauth.te', `
 file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_home_xauth_t,file)
-')
 ifdef(`userhelper.te', `
 file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_home_xauth_t,file)
-')
-')
+') dnl userhelper.te 
+') dnl xauth.te 
+') dnl reach_sysadm
 
 # Privileged user domain
 undefine(`priv_user')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.23.17/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2005-05-07 00:41:12.000000000 -0400
+++ policy-1.23.17/file_contexts/program/cups.fc	2005-05-26 11:58:32.000000000 -0400
@@ -32,6 +32,8 @@
 /usr/lib(64)?/cups/cgi-bin/.* --	system_u:object_r:bin_t
 /usr/sbin/ptal-printd	--	system_u:object_r:ptal_exec_t
 /usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t
+/usr/sbin/ptal-photod	--	system_u:object_r:ptal_exec_t
 /var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t
 /var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t
 /usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
+/var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
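Review bot: The new entry `/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t` carries the `--` file-type specifier, so it matches regular files only and the /var/cache/foomatic directory itself keeps its default label; cupsd will then be denied when it creates new cache files there. The ptal-printd and ptal-mlcd entries just above show the intended form for a directory tree. Drop the specifier: `/var/cache/foomatic(/.*)?	system_u:object_r:cupsd_rw_etc_t`.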
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fontconfig.fc policy-1.23.17/file_contexts/program/fontconfig.fc
--- nsapolicy/file_contexts/program/fontconfig.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.17/file_contexts/program/fontconfig.fc	2005-05-25 11:41:56.000000000 -0400
@@ -0,0 +1,2 @@
+HOME_DIR/\.fonts(/.*)?				system_u:object_r:ROLE_fonts_t	
+HOME_DIR/\.fonts.cache-1		--	system_u:object_r:ROLE_fonts_cache_t
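Review bot: The unescaped dot in `HOME_DIR/\.fonts.cache-1` matches any character, unlike the escaped leading `\.`; it is harmless for the real file but inconsistent with the rest of the file_contexts regexes and would also label a file named, say, `.fontsXcache-1`. Use `HOME_DIR/\.fonts\.cache-1	--	system_u:object_r:ROLE_fonts_cache_t`. The first entry also has trailing whitespace after the context, which should be trimmed.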
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fsadm.fc policy-1.23.17/file_contexts/program/fsadm.fc
--- nsapolicy/file_contexts/program/fsadm.fc	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.17/file_contexts/program/fsadm.fc	2005-05-25 11:41:56.000000000 -0400
@@ -19,6 +19,7 @@
 /sbin/parted		--	system_u:object_r:fsadm_exec_t
 /sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
 /sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/dump		--	system_u:object_r:fsadm_exec_t
 /sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
 /sbin/hdparm		--	system_u:object_r:fsadm_exec_t
 /sbin/raidstart		--	system_u:object_r:fsadm_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.17/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.17/file_contexts/types.fc	2005-05-25 11:41:56.000000000 -0400
@@ -358,8 +358,9 @@
 # nvidia share libraries
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
 /usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/(tls/)?libnvidia-tls\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
 
 # libGL
 /usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.17/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.17/macros/base_user_macros.te	2005-05-25 11:41:56.000000000 -0400
@@ -198,6 +198,8 @@
 ifdef(`mplayer.te', `mplayer_domains($1)')
 ifdef(`gift.te', `gift_domains($1)')
 
+fontconfig_domain($1)
+
 # Instantiate a derived domain for user cron jobs.
 ifdef(`crond.te', `crond_domain($1)')
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.23.17/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.17/macros/program/chkpwd_macros.te	2005-05-25 11:41:56.000000000 -0400
@@ -34,6 +34,7 @@
 allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
 dontaudit auth_chkpwd shadow_t:file { getattr read };
+can_ypbind(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
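Review bot: `can_ypbind(auth_chkpwd)` sits inside the first branch of the ifdef, so it only applies to domains carrying the auth_chkpwd attribute and only in that configuration; the same patch removes `can_ypbind(cupsd_t)` and `can_ypbind(rshd_t)` on the strength of it. Unless cupsd_t and rshd_t are known to have auth_chkpwd (neither hunk shows it), those two daemons lose the NIS access that the previous release added ("Add yp support for cups"). Confirm the attribute, or leave the two explicit rules in place. The enclosing ifdef begins and ends outside the hunk.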
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/fontconfig_macros.te policy-1.23.17/macros/program/fontconfig_macros.te
--- nsapolicy/macros/program/fontconfig_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.17/macros/program/fontconfig_macros.te	2005-05-25 11:41:56.000000000 -0400
@@ -0,0 +1,24 @@
+#
+# Fontconfig related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# fontconfig_domain(role_prefix) - create fontconfig domain
+#
+# read_fonts(domain, role_prefix) - 
+#         allow domain to read fonts, optionally per/user
+#  
+# dontaudit_home_fonts(domain, role_prefix) - 
+#	block the denials of home fonts - hack for X
+
+define(`fontconfig_domain', `
+
+type $1_fonts_t, file_type, $1_file_type, sysadmfile, customizable;
+type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
+
+allow $1_t $1_fonts_cache_t:file create_file_perms;
+create_dir_file($1_t, $1_fonts_t)
+
+') dnl gnome_domain
+
+
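Review bot: The closing marker `') dnl gnome_domain` does not name the macro it closes, and the header comment advertises `read_fonts(domain, role_prefix)` and `dontaudit_home_fonts(domain, role_prefix)` that the file never defines, so a caller of either gets a silent empty m4 expansion rather than an error. Change the trailer to `') dnl fontconfig_domain` and either add the two macros or remove their description until they exist. The `customizable` attribute on $1_fonts_t is worth a one-line comment as well, since that attribute changes how relabelling tools treat the type.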
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.17/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.17/macros/program/gift_macros.te	2005-05-25 11:41:56.000000000 -0400
@@ -56,6 +56,7 @@
 allow $1_gift_t etc_runtime_t:file { getattr read };
 
 # Tmp/ORBit
+tmp_domain($1_gift)
 file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
 can_unix_connect($1_t, $1_gift_t)
 can_unix_connect($1_gift_t, $1_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.17/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.17/macros/program/java_macros.te	2005-05-25 11:41:56.000000000 -0400
@@ -92,7 +92,4 @@
 dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
 dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
 
-# Do not audit read/getattr of .fonts-cache-1
-dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
-
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.17/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.17/macros/user_macros.te	2005-05-25 11:41:56.000000000 -0400
@@ -172,6 +172,12 @@
 
 attribute $1_file_type;
 
+ifdef(`useradd.te', `
+# Useradd relabels /etc/skel files so needs these privs 
+allow useradd_t $1_file_type:dir create_dir_perms;
+allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
+')
+
 can_exec($1_t, usr_t)
 
 # Read directories and files with the readable_t type.
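Review bot: The comment says useradd relabels /etc/skel files, but the rules grant `create_dir_perms` / `create_file_perms` on every `$1_file_type` — that is create, write, unlink and rename over all of a user's file types for every instantiated user prefix, not a relabel permission, and not limited to a freshly created home directory. A relabel would need relabelfrom/relabelto; copying /etc/skel into a new home only needs create rights on the home types. Narrowing the target, e.g. `allow useradd_t $1_home_t:dir create_dir_perms;` plus the matching file rule, keeps useradd_t out of existing users' other file types; if the whole attribute really is needed, the comment should say why.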
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.17/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te	2005-05-02 07:37:54.000000000 -0400
+++ policy-1.23.17/targeted/domains/program/crond.te	2005-05-25 11:41:56.000000000 -0400
@@ -14,7 +14,7 @@
 type crond_t, domain, privuser, privrole, privowner;
 typealias crond_t alias system_crond_t;
 type anacron_exec_t, file_type, sysadmfile, exec_type;
-type system_crond_tmp_t, file_type, sysadmfile;
+type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
 type system_cron_spool_t, file_type, sysadmfile;
 type sysadm_cron_spool_t, file_type, sysadmfile;
 type crond_log_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.17/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.17/tunables/distro.tun	2005-05-25 11:41:56.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.17/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.17/tunables/tunable.tun	2005-05-25 11:41:56.000000000 -0400
@@ -2,7 +2,7 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
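Review bot: Enabling `unlimitedRPM` by default makes rpm run unconfined in every build of this tree, not only the Fedora one; the comment directly above documents exactly that effect. Since the same patch also switches on `distro_redhat` in distro.tun, this reads as a distribution preference leaking into the upstream default — if it is meant only for Red Hat builds, gate it, `ifdef(`distro_redhat', `define(`unlimitedRPM')')`, or keep the line commented here and set it in the vendor build.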
@@ -20,7 +20,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
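Review bot: Defining `hide_broken_symptoms` by default suppresses, for everyone consuming this policy, the denials it guards — the audit trail that tells an operator a domain is failing for a reason the policy author considered benign. That is an operational-visibility choice that belongs in the vendor build rather than the upstream default; keep `dnl define(`hide_broken_symptoms')` here and enable it in the distribution, or at least say in the commit message why it is being turned on for all builds.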

* Latest diffs.
@ 2005-04-27 21:17 Daniel J Walsh
From: Daniel J Walsh @ 2005-04-27 21:17 UTC (permalink / raw)
  To: SELinux, Jim Carter


Many changes made allow targeted policy to run closer to strict.  Almost 
all of non-userspace is now protected via SELinux.

Run kernel in unconfined_domain for targeted.  (Might be necessary for 
strict).

move user_ttyfile_stat boolean out of getty and into user.te

Small fixes to support mgetty

A couple of changes to allow policy upgrades to this policy.  
(syslog_mod changes).

Remove false check for rhgb.te from init.te

Allow users to mount on src_t

Small fixes for amanda

Add tmpfile attribute to amavisd_quarantine_t

Add transitionbool to daemon_sub_domain, mainly to turn off httpd_suexec 
transitioning.

Allow apmd_t to do it's thing on targeted policy.

Auditd fixes by Paul Moore.

Allow cardmgr_t to work on targeted policy

Implement web_client_domain name_connect rules;

Cleanup of consoletype.te for targeted.  I think this domain needs some 
review.

Add yp support for cups.

Remove some garbarge from cyrus.te

Allow hald to run on targeted domain

Allow hotplug to run on targeted domain

Fixes for latest version of NetworkManager.  Have not changed the case.  
I have no opinion on it.

Fixed and cleanup of ntpd.te

Fixes for initrc writing samba_etc_t

Change don't to "do not"

Cleanup compat.te for targetd policy

Several changes for file_context for FC4

Remove hotplug, udev, initial_sid_contexts from targeted directory.  We 
are going to use the real ones.

kernel now runs as root:system_r:kernel_t in targeted policy just like 
strict









-- 




diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.13/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te	2005-04-27 10:28:48.000000000 -0400
+++ policy-1.23.13/domains/misc/kernel.te	2005-04-26 10:00:08.000000000 -0400
@@ -63,4 +63,6 @@
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 can_exec(kernel_t, bin_t)
 
-
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')
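Review bot: `unconfined_domain(kernel_t)` under targeted removes confinement from the domain that kernel usermode helpers start in, so any helper executed by the kernel without an explicit transition now runs unconfined; the commit message's own "Might be necessary for strict" suggests the driver is an unidentified denial rather than a designed change. `allow kernel_t self:capability *` is already in this file, so whatever is being unblocked is presumably file or process access — naming it in a comment, or adding that specific rule instead, would keep the targeted kernel domain confined. If the hunk stays, the commit message's note that kernel_t now runs as root:system_r:kernel_t "just like strict" should add that in targeted it is unconfined.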
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.13/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/fsadm.te	2005-04-25 15:18:00.000000000 -0400
@@ -100,7 +100,7 @@
 allow fsadm_t kernel_t:system syslog_console;
 
 # Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 allow fsadm_t privfd:fd use;
 allow fsadm_t devpts_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.23.13/domains/program/getty.te
--- nsapolicy/domains/program/getty.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/getty.te	2005-04-25 15:18:00.000000000 -0400
@@ -23,18 +23,9 @@
 allow getty_t self:unix_dgram_socket create_socket_perms;
 allow getty_t self:unix_stream_socket create_socket_perms;
 
-# to allow w to display everyone...
-bool user_ttyfile_stat false;
-if (user_ttyfile_stat) {
-allow userdomain ttyfile:chr_file getattr;
-}
-
 # Use capabilities.
 allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
 
-# fbgetty needs fsetid for some reason
-#allow getty_t self:capability fsetid;
-
 read_locale(getty_t)
 
 # Run login in local_login_t domain.
@@ -51,10 +42,13 @@
 # Chown, chmod, read and write ttys.
 allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
 allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-allow getty_t initrc_devpts_t:chr_file rw_file_perms; 
+dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms; 
 
 # for error condition handling
 allow getty_t fs_t:filesystem getattr;
 
 lock_domain(getty)
 r_dir_file(getty_t, sysfs_t)
+# for mgetty
+var_run_domain(getty)
+allow getty_t self:capability { fowner fsetid };
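Review bot: The `fowner fsetid` capabilities added for mgetty are undocumented, and the same patch deletes the only comment that recorded a similar need ("fbgetty needs fsetid for some reason"). fowner lets getty chmod/chown/utime files it does not own and fsetid lets it keep setuid/setgid bits on files it writes, so the reason should be recorded next to the rule, e.g. `# mgetty: fowner/fsetid for chmod of the modem lock and /var/run files` adjusted to the actual denial. If the files in question are created by getty itself under the new `var_run_domain(getty)`, fowner is not needed for them.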
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.23.13/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/hostname.te	2005-04-25 15:48:24.000000000 -0400
@@ -24,3 +24,4 @@
 ifdef(`distro_redhat', `
 allow hostname_t tmpfs_t:chr_file rw_file_perms;
 ')
+allow hostname_t initrc_devpts_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.13/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/initrc.te	2005-04-25 15:18:00.000000000 -0400
@@ -253,6 +253,7 @@
 allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
 domain_trans(initrc_t, shell_exec_t, unconfined_t)
+allow initrc_t unconfined_t:system syslog_mod;
 ', `
 run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.13/domains/program/init.te
--- nsapolicy/domains/program/init.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/init.te	2005-04-27 16:52:24.000000000 -0400
@@ -82,6 +82,7 @@
 # Modify utmp.
 allow init_t var_run_t:file rw_file_perms;
 allow init_t initrc_var_run_t:file { setattr rw_file_perms };
+can_unix_connect(init_t, initrc_t)
 
 # For /var/run/shutdown.pid.
 var_run_domain(init)
@@ -131,10 +132,9 @@
 
 allow init_t lib_t:file { getattr read };
 
-ifdef(`rhgb.te', `
 allow init_t devtty_t:chr_file { read write };
 allow init_t ramfs_t:dir search;
-')
+allow init_t ramfs_t:sock_file write;
 r_dir_file(init_t, sysfs_t)
 
 r_dir_file(init_t, selinux_config_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.13/domains/program/klogd.te
--- nsapolicy/domains/program/klogd.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/klogd.te	2005-04-25 15:18:00.000000000 -0400
@@ -43,3 +43,6 @@
 # Read /boot/System.map*
 allow klogd_t system_map_t:file r_file_perms;
 allow klogd_t boot_t:dir r_dir_perms;
+ifdef(`targeted_policy', `
+allow klogd_t unconfined_t:system syslog_mod;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.23.13/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/load_policy.te	2005-04-25 15:18:00.000000000 -0400
@@ -39,6 +39,7 @@
 # only allow read of policy config files
 allow load_policy_t policy_src_t:dir search;
 r_dir_file(load_policy_t, policy_config_t)
+r_dir_file(load_policy_t, selinux_config_t)
 
 # directory search permissions for path to binary policy files
 allow load_policy_t root_t:dir search;
@@ -57,5 +58,3 @@
 allow load_policy_t fs_t:filesystem getattr;
 
 read_locale(load_policy_t)
-r_dir_file(load_policy_t, selinux_config_t)
-allow load_policy_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.13/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/mount.te	2005-04-27 10:42:39.000000000 -0400
@@ -40,6 +40,7 @@
 allow mount_t default_t:dir mounton;
 allow mount_t file_t:dir mounton;
 allow mount_t usr_t:dir mounton;
+allow mount_t src_t:dir mounton;
 allow mount_t var_t:dir mounton;
 allow mount_t proc_t:dir mounton;
 allow mount_t root_t:dir mounton;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.13/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/unused/amanda.te	2005-04-26 12:02:46.000000000 -0400
@@ -303,6 +303,7 @@
 
 allow amanda_t file_type:dir {getattr read search };
 allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
+allow amanda_t fixed_disk_device_t:blk_file getattr;
 dontaudit amanda_t file_type:sock_file getattr;
 logdir_domain(amanda)
 
@@ -310,6 +311,7 @@
 dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
 dontaudit amanda_t nfs_t:dir { getattr read };
 dontaudit amanda_t proc_t:dir read;
+dontaudit amanda_t proc_t:lnk_file read;
 dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
 dontaudit amanda_t security_t:dir { getattr read };
 dontaudit amanda_t sysfs_t:dir { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.13/domains/program/unused/amavis.te
--- nsapolicy/domains/program/unused/amavis.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/unused/amavis.te	2005-04-25 15:18:00.000000000 -0400
@@ -13,7 +13,7 @@
 type amavisd_lib_t, file_type, sysadmfile;
 
 # Virus and spam found and quarantined.
-type amavisd_quarantine_t, file_type, sysadmfile;
+type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
 
 # Differentiate between the port where amavisd receives mail, and the
 # port where it returns cleaned mail back to the MTA.
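Review bot: Adding `tmpfile` to amavisd_quarantine_t replaces the explicit tmpreaper rules removed in the next hunk with membership in an attribute that every domain holding `tmpfile` rules can act on, not just tmpreaper_t. Quarantine holds captured malware and spam an administrator may want to keep for analysis; if other domains (boot-time /tmp cleanup, for instance) have delete rights on tmpfile, those samples can now disappear with no amavis-specific rule saying so. The narrower change is to keep the tmpreaper-only rules, or to add `# tmpfile: lets tmpreaper expire quarantined mail; also exposes it to every domain with tmpfile rules` so the trade-off is visible.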
@@ -118,8 +118,3 @@
 dontaudit amavisd_t shadow_t:file { getattr read };
 dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
 
-# Tmp reaper
-ifdef(`tmpreaper.te', `
-allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr unlink };
-allow tmpreaper_t amavisd_quarantine_t:file getattr;
-')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.13/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/unused/apache.te	2005-04-25 15:18:00.000000000 -0400
@@ -290,7 +290,7 @@
 allow httpd_helper_t httpd_log_t:file { append };
 
 ########################################
-# When the admin starts the server, the server wants to acess
+# When the admin starts the server, the server wants to access
 # the TTY or PTY associated with the session. The httpd appears
 # to run correctly without this permission, so the permission
 # are dontaudited here. 
@@ -322,7 +322,7 @@
 # The following are types for SUEXEC,which runs user scripts as their
 # own user ID
 #
-daemon_sub_domain(httpd_t, httpd_suexec)
+daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
 allow httpd_t httpd_suexec_exec_t:file read;
 
 #########################################################
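Review bot: Adding `transitionbool` to the suexec sub-domain creates a boolean that, when set, stops httpd_t transitioning into httpd_suexec_t — but suexec is a setuid-root helper, so with the transition off it would execute inside httpd_t with root privilege and httpd_t's permissions, and the hunk only shows `allow httpd_t httpd_suexec_exec_t:file read`, not execute_no_trans, so the fallback may just be a denial. Whichever is intended, the boolean the macro creates (its name is not visible here) and its effect should be documented beside this line, e.g. `# <boolean>: run suexec inside httpd_t instead of httpd_suexec_t; suexec is setuid root`. The daemon_sub_domain macro is defined outside this hunk, so I cannot see what else it grants.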
@@ -361,12 +361,6 @@
 allow httpd_suexec_t autofs_t:dir { search getattr };
 tmp_domain(httpd_suexec)
 
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-')
-
 if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
@@ -374,7 +368,6 @@
 if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
 create_dir_file(httpd_t, httpdcontent)
-can_exec(httpd_t, httpdcontent )
 }
 if (httpd_enable_cgi) {
 domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
@@ -396,9 +389,10 @@
 r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
 
 ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
 dontaudit system_mail_t httpd_log_t:file { append getattr };
 allow system_mail_t httpd_squirrelmail_t:file { append read };
 dontaudit system_mail_t httpd_t:tcp_socket { read write };
 ')
-
-allow httpd_t var_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.23.13/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/unused/apmd.te	2005-04-25 16:03:20.000000000 -0400
@@ -108,6 +108,7 @@
 #
 # Allow it to run killof5 and pidof
 #
+typeattribute apmd_t unrestricted;
 r_dir_file(apmd_t, domain)
 
 # Same for apm/acpid scripts
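Review bot: `typeattribute apmd_t unrestricted;` is added unconditionally, although the commit message scopes the change to "Allow apmd_t to do it's thing on targeted policy", so the strict policy picks it up too. The cardmgr hunk in the same patch treats `unrestricted` as the set of domains excluded from can_ps, which suggests the attribute marks unconfined-style domains; if so, this line effectively unconfines apmd in strict as well. Wrap it, `ifdef(`targeted_policy', `typeattribute apmd_t unrestricted;')`, or say in a comment why strict needs it.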
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.13/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/unused/auditd.te	2005-04-25 15:18:00.000000000 -0400
@@ -2,6 +2,8 @@
 #
 # Authors: Colin Walters <walters@verbum.org>
 #
+# Some fixes by Paul Moore <paul.moore@hp.com>
+# 
 define(`audit_manager_domain', `
 allow $1 auditd_etc_t:file rw_file_perms;
 create_dir_file($1, auditd_log_t)
@@ -15,10 +17,10 @@
 allow auditd_t self:capability { audit_write audit_control sys_nice };
 allow auditd_t etc_t:file { getattr read };
 
-# Don't use logdir_domain since this is a security file
+# Do not use logdir_domain since this is a security file
 type auditd_log_t, file_type, secure_file_type;
-file_type_auto_trans(auditd_t, var_log_t, auditd_log_t, file)
-allow auditd_t auditd_log_t:dir { setattr rw_dir_perms };
+allow auditd_t var_log_t:dir search;
+rw_dir_create_file(auditd_t, auditd_log_t)
 
 can_exec(auditd_t, init_exec_t)
 
@@ -43,7 +45,14 @@
 ifdef(`separate_secadm', `', `
 audit_manager_domain(sysadm_t)
 ')
+allow initrc_t auditd_etc_t:file r_file_perms;
+
+role system_r types auditctl_t;
+domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
+
 dontaudit auditctl_t local_login_t:fd use;
 allow auditctl_t proc_t:dir search;
 allow auditctl_t sysctl_kernel_t:dir search;
 allow auditctl_t sysctl_kernel_t:file read;
+allow auditd_t self:process setsched;
+dontaudit auditctl_t init_t:fd use; 
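Review bot: `allow auditd_t self:process setsched;` is added in the middle of the auditctl_t rules instead of next to the other auditd_t self rules near the `self:capability` line earlier in the file, which makes the auditd_t grants harder to audit as a group. The final `dontaudit auditctl_t init_t:fd use;` line also carries trailing whitespace after the semicolon. Moving the setsched rule up and trimming the whitespace would keep the file consistent with its existing layout.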
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.23.13/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/unused/cardmgr.te	2005-04-26 09:57:58.000000000 -0400
@@ -61,7 +61,9 @@
 allow cardmgr_t proc_t:file { getattr read ioctl };
 
 # Read /proc/PID directories for all domains (for fuser).
-can_ps(cardmgr_t, domain)
+can_ps(cardmgr_t, domain -unrestricted)
+dontaudit cardmgr_t unrestricted:dir search;
+
 allow cardmgr_t device_type:{ chr_file blk_file } getattr;
 allow cardmgr_t ttyfile:chr_file getattr;
 dontaudit cardmgr_t ptyfile:chr_file getattr;
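Review bot: The comment above the changed `can_ps` line still says the rule reads /proc/PID for all domains, but the new form excludes the `unrestricted` attribute and then silences the resulting directory searches. Update it to `# Read /proc/PID directories for all domains except unrestricted ones (for fuser); searches into those are silently denied.` Note that the dontaudit covers only `dir search`, so if fuser also stats or reads files of an unrestricted domain those denials will still be logged — probably intended, but worth confirming.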
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.23.13/domains/program/unused/clamav.te
--- nsapolicy/domains/program/unused/clamav.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.13/domains/program/unused/clamav.te	2005-04-25 15:18:00.000000000 -0400
@@ -22,7 +22,7 @@
 # Freshclam
 #
 
-daemon_base_domain(freshclam)
+daemon_base_domain(freshclam, `, web_client_domain')
 read_locale(freshclam_t)
 
 # not sure why it needs this
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.13/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.13/domains/program/unused/consoletype.te	2005-04-25 15:18:00.000000000 -0400
@@ -19,29 +19,28 @@
 uses_shlib(consoletype_t)
 general_domain_access(consoletype_t)
 
+ifdef(`targeted_policy', `', `
 domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
 
-allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
-allow consoletype_t devtty_t:chr_file { read write };
-allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
-
 ifdef(`xdm.te', `
 domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
 allow consoletype_t xdm_tmp_t:file { read write };
 ')
 
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-allow consoletype_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`hotplug.te', `
 domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
 ')
+')
+
+allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
+
+allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
 
 # Use capabilities.
 allow consoletype_t self:capability sys_admin;
 
 allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
 allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t tty_device_t:chr_file read;
 allow consoletype_t nfs_t:file write;
 allow consoletype_t sysadm_t:fifo_file rw_file_perms;
 
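Review bot: The consolidated `allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;` widens access: tty_device_t, devtty_t and initrc_devpts_t previously had explicit subsets of `{ getattr ioctl read write }` and now receive the full rw_file_perms set. If consoletype only needs to detect its terminal type, keeping the narrower `{ getattr ioctl read write }` on those three types preserves the previous bound; otherwise a short comment saying why the full set is needed would justify the change. The new set also lacks the space after `{` that the rest of this file uses (`{ kernel_t init_t ... }`).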
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.13/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.13/domains/program/unused/cups.te	2005-04-25 15:18:00.000000000 -0400
@@ -17,6 +17,7 @@
 type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
 
 can_network(cupsd_t)
+can_ypbind(cupsd_t)
 allow cupsd_t port_type:tcp_socket name_connect;
 logdir_domain(cupsd)
 
@@ -203,6 +204,7 @@
 file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 
 can_network_tcp(cupsd_config_t)
+can_ypbind(cupsd_config_t)
 allow cupsd_config_t port_type:tcp_socket name_connect;
 can_tcp_connect(cupsd_config_t, cupsd_t)
 allow cupsd_config_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.23.13/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.13/domains/program/unused/cyrus.te	2005-04-26 11:29:42.000000000 -0400
@@ -15,8 +15,6 @@
 allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
 allow cyrus_t self:process setrlimit;
 
-allow initrc_su_t cyrus_var_lib_t:dir search;
-
 can_network(cyrus_t)
 allow cyrus_t port_type:tcp_socket name_connect;
 can_ypbind(cyrus_t)
@@ -35,7 +33,6 @@
 allow cyrus_t proc_t:file { getattr read };
 allow cyrus_t sysadm_devpts_t:chr_file { read write };
 
-allow cyrus_t staff_t:fd use;
 allow cyrus_t var_lib_t:dir search;
 
 allow cyrus_t etc_runtime_t:file { read getattr };
@@ -43,6 +40,5 @@
 system_crond_entry(cyrus_exec_t, cyrus_t)
 allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
-allow system_crond_su_t cyrus_var_lib_t:dir search;
 ')
 allow cyrus_t mail_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.13/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.13/domains/program/unused/hald.te	2005-04-25 15:18:00.000000000 -0400
@@ -93,3 +93,7 @@
 ifdef(`lvm.te', `
 allow hald_t lvm_control_t:chr_file r_file_perms;
 ')
+ifdef(`targeted_policy', `
+allow unconfined_t hald_t:dbus send_msg;
+allow hald_t unconfined_t:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.13/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.13/domains/program/unused/hotplug.te	2005-04-25 15:18:00.000000000 -0400
@@ -83,7 +83,9 @@
 allow hotplug_t self:file getattr;
 
 domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
+ifdef(`mount.te', `
 domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
+')
 domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
 ifdef(`updfstab.te', `
 domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
@@ -154,10 +156,4 @@
 domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
 ')
 
-allow restorecon_t hotplug_t:fd use;
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(hotplug_t) 
-')
-
 allow kernel_t hotplug_etc_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.13/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.13/domains/program/unused/NetworkManager.te	2005-04-27 16:52:07.000000000 -0400
@@ -35,11 +35,14 @@
 #
 # Communicate with Caching Name Server
 #
+ifdef(`named.te', `
 allow NetworkManager_t named_zone_t:dir search;
 rw_dir_create_file(NetworkManager_t, named_cache_t)
 domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
 allow named_t NetworkManager_t:udp_socket { read write };
+allow named_t NetworkManager_t:netlink_route_socket { read write };
 allow NetworkManager_t named_t:process signal;
+')
 
 allow NetworkManager_t selinux_config_t:dir search;
 allow NetworkManager_t selinux_config_t:file { getattr read };
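Review bot: `allow named_t NetworkManager_t:netlink_route_socket { read write };` grants the DNS server read and write on a routing socket it can only hold by inheriting it across the `domain_auto_trans` to named_t, which looks like a leaked descriptor rather than something named needs. The apache hunk in this same patch handles the analogous case with a dontaudit and a "should set close-on-exec" comment; `dontaudit named_t NetworkManager_t:netlink_route_socket { read write };` would avoid handing a route socket to named while keeping the logs quiet. If named genuinely uses the socket, a comment explaining that would settle it.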
@@ -87,3 +90,4 @@
 domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
 allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
 
+domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
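Review bot: `domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)` lets a network-facing daemon enter the init-script domain, one of the broadest domains in this policy, and the hunk gives no hint which script it needs to run. A comment naming the script or service being restarted (`# NetworkManager restarts <service> via its init script`) would make the scope reviewable. If only one or two scripts are involved, a dedicated transition for those would bound the grant better than initrc_t as a whole.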
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.13/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.13/domains/program/unused/ntpd.te	2005-04-27 08:00:35.000000000 -0400
@@ -14,7 +14,6 @@
 
 type ntpdate_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
-allow sysadm_t ntp_port_t:udp_socket name_bind;
 
 logdir_domain(ntpd)
 
@@ -26,7 +25,7 @@
 allow ntpd_t ntp_drift_t:file create_file_perms;
 
 # for SSP
-allow ntpd_t urandom_device_t:chr_file read;
+allow ntpd_t urandom_device_t:chr_file { getattr read };
 
 allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
 dontaudit ntpd_t self:capability { net_admin };
@@ -45,6 +44,7 @@
 allow ntpd_t ntp_port_t:tcp_socket name_connect;
 can_ypbind(ntpd_t)
 allow ntpd_t ntp_port_t:udp_socket name_bind;
+allow sysadm_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -85,4 +85,5 @@
 allow ntpd_t winbind_var_run_t:dir r_dir_perms;
 allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
 ')
-allow sysadm_t ntp_port_t:udp_socket name_bind;
+# For clock devices like wwvb1
+allow ntpd_t device_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.23.13/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.13/domains/program/unused/portmap.te	2005-04-25 15:18:00.000000000 -0400
@@ -58,13 +58,14 @@
 domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
 dontaudit portmap_helper_t self:capability { net_admin };
 allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
+file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
 allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 can_network(portmap_helper_t)
 allow portmap_helper_t port_type:tcp_socket name_connect;
 can_ypbind(portmap_helper_t)
 dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
 allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t userdomain:fd use;
+dontaudit portmap_helper_t { userdomain privfd }:fd use;
 allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
 dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.13/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.13/domains/program/unused/samba.te	2005-04-25 15:18:58.000000000 -0400
@@ -133,6 +133,7 @@
 # Access samba config
 allow smbmount_t samba_etc_t:file r_file_perms;
 allow smbmount_t samba_etc_t:dir r_dir_perms;
+allow initrc_t samba_etc_t:file rw_file_perms;
 
 # Write samba log
 allow smbmount_t samba_log_t:file create_file_perms;
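Review bot: `allow initrc_t samba_etc_t:file rw_file_perms;` gives init scripts write access to the samba configuration, while the surrounding smbmount_t rules only need `r_file_perms`, and nothing here says why initrc_t would modify samba_etc_t. If the init script only reads the samba config, `allow initrc_t samba_etc_t:file r_file_perms;` is sufficient; if it really rewrites a config file, add a comment naming that file so the write grant is explained.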
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.13/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2005-04-27 10:28:53.000000000 -0400
+++ policy-1.23.13/domains/program/unused/snmpd.te	2005-04-26 15:34:21.000000000 -0400
@@ -37,7 +37,7 @@
 allow snmpd_t self:unix_stream_socket create_socket_perms;
 allow snmpd_t etc_t:lnk_file read;
 allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow snmpd_t urandom_device_t:chr_file read;
+allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
 allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
 
 allow snmpd_t proc_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.13/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2005-04-27 10:28:53.000000000 -0400
+++ policy-1.23.13/domains/program/unused/squid.te	2005-04-25 15:18:00.000000000 -0400
@@ -55,9 +55,7 @@
 can_network(squid_t)
 if (squid_connect_any) {
 allow squid_t port_type:tcp_socket name_connect;
-} else {
-allow squid_t { http_port_t http_cache_port_t }:tcp_socket name_connect;
-}
+} 
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
 
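Review bot: Removing the `else` branch means that with `squid_connect_any` off, squid_t no longer gets `name_connect` on http_port_t or http_cache_port_t from this block, so unless `can_network(squid_t)` or a rule outside the hunk grants it, a default squid cannot reach origin servers at all. Either that grant exists elsewhere and a comment after the closing brace should say so, or the branch should be kept. The edited `} ` line also has trailing whitespace.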
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tinydns.te policy-1.23.13/domains/program/unused/tinydns.te
--- nsapolicy/domains/program/unused/tinydns.te	2005-04-27 10:28:53.000000000 -0400
+++ policy-1.23.13/domains/program/unused/tinydns.te	2005-04-25 15:18:00.000000000 -0400
@@ -36,7 +36,7 @@
 can_udp_send(domain, tinydns_t)
 can_udp_send(tinydns_t, domain)
 # tinydns itself doesn't do zone transfers
-# so we don't need to have it tcp_connect
+# so we do not need to have it tcp_connect
 
 #read configuration files
 r_dir_file(tinydns_t, tinydns_conf_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.13/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2005-04-27 10:28:53.000000000 -0400
+++ policy-1.23.13/domains/program/unused/udev.te	2005-04-25 21:41:17.000000000 -0400
@@ -33,7 +33,7 @@
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
-allow udev_t device_t:file rw_file_perms;
+allow udev_t device_t:file { unlink rw_file_perms };
 allow udev_t device_t:sock_file create_file_perms;
 allow udev_t device_t:lnk_file create_lnk_perms;
 allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
@@ -76,7 +76,6 @@
 allow udev_t initrc_var_run_t:file r_file_perms;
 dontaudit udev_t initrc_var_run_t:file write;
 
-domain_auto_trans(initrc_t, udev_exec_t, udev_t)
 domain_auto_trans(kernel_t, udev_exec_t, udev_t)
 domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
 ifdef(`hide_broken_symptoms', `
@@ -87,7 +86,6 @@
 ifdef(`xdm.te', `
 allow udev_t xdm_var_run_t:file { getattr read };
 ')
-dontaudit udev_t staff_home_dir_t:dir search;
 
 ifdef(`hotplug.te', `
 r_dir_file(udev_t, hotplug_etc_t)
@@ -140,3 +138,7 @@
 ')
 r_dir_file(udev_t, domain)
 allow udev_t modules_dep_t:file r_file_perms;
+
+ifdef(`unlimitedUtils', `
+unconfined_domain(udev_t) 
+')
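Review bot: `unconfined_domain(udev_t)` under `unlimitedUtils` lifts all confinement from a root daemon that this file already grants relabel and device-node creation rights, and the hunk gives no reason. The same block is deleted from hotplug.te in this patch, so this reads as a move, but a comment stating why udev rather than hotplug needs it when the build flag is set (`# unlimitedUtils builds: udev runs helpers that are not yet confined — confirm`) would make that explicit. The `unconfined_domain(udev_t) ` line also carries trailing whitespace.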
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.23.13/domains/program/unused/webalizer.te
--- nsapolicy/domains/program/unused/webalizer.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.13/domains/program/unused/webalizer.te	2005-04-25 15:18:00.000000000 -0400
@@ -4,7 +4,7 @@
 #
 # Depends: apache.te
 
-application_domain(webalizer)
+application_domain(webalizer, `, nscd_client_domain')
 # to use from cron
 system_crond_entry(webalizer_exec_t,webalizer_t)
 role system_r types webalizer_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.13/domains/user.te
--- nsapolicy/domains/user.te	2005-04-27 10:28:48.000000000 -0400
+++ policy-1.23.13/domains/user.te	2005-04-25 15:18:00.000000000 -0400
@@ -132,3 +132,10 @@
 # "ps aux" and "ls -l /dev/pts" make too much noise without this
 dontaudit unpriv_userdomain ptyfile:chr_file getattr;
 
+# to allow w to display everyone...
+bool user_ttyfile_stat false;
+
+if (user_ttyfile_stat) {
+allow userdomain ttyfile:chr_file getattr;
+}
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.13/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.13/file_contexts/distros.fc	2005-04-25 15:18:00.000000000 -0400
@@ -37,6 +37,7 @@
 /usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
 /usr/share/ssl/certs(/.*)?		system_u:object_r:cert_t
 /usr/share/ssl/private(/.*)?		system_u:object_r:cert_t
+/etc/pki(/.*)?		system_u:object_r:cert_t
 /usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
 #
 # /emul/ia32-linux/usr
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.13/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.13/file_contexts/program/apache.fc	2005-04-26 11:39:32.000000000 -0400
@@ -47,3 +47,6 @@
 /var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
 /etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
 /var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t
+ifdef(`targeted_policy', `', `
+/var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.23.13/file_contexts/program/compat.fc
--- nsapolicy/file_contexts/program/compat.fc	2005-04-20 08:58:41.000000000 -0400
+++ policy-1.23.13/file_contexts/program/compat.fc	2005-04-27 17:13:39.000000000 -0400
@@ -1,19 +1,23 @@
+ifdef(`setfiles.te', `', `
 # setfiles
 /usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t
+')
 
+ifdef(`mount.te', `', `
 # mount
 /bin/mount.*			--	system_u:object_r:mount_exec_t
 /bin/umount.*			--	system_u:object_r:mount_exec_t
-# restorecon
-/sbin/restorecon	--	system_u:object_r:restorecon_exec_t
-/bin/hostname		--	system_u:object_r:hostname_exec_t
-# consoletype
-/sbin/consoletype	--	system_u:object_r:consoletype_exec_t
+')
+ifdef(`loadkeys.te', `', `
 # loadkeys
 /bin/unikeys		--	system_u:object_r:loadkeys_exec_t
 /bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
+')
+ifdef(`dmesg.te', `', `
 # dmesg
 /bin/dmesg	--	system_u:object_r:dmesg_exec_t
+')
+ifdef(`fsadm.te', `', `
 # fs admin utilities
 /sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
 /sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
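Review bot: The `# restorecon`, `/bin/hostname` and `# consoletype` entries are deleted outright while every other group in this hunk is kept under an ifdef guard on the matching .te file. If no other .fc file labels `/sbin/restorecon`, `/bin/hostname` and `/sbin/consoletype`, those binaries fall back to the generic sbin_t/bin_t labels and the transitions keyed on restorecon_exec_t, hostname_exec_t and consoletype_exec_t stop firing in builds that lack the corresponding .te files. Wrapping them the same way as their neighbours would preserve the previous behaviour; if they were moved to another file, a line in the commit message saying so would help.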
@@ -50,6 +54,9 @@
 /sbin/partx		--	system_u:object_r:fsadm_exec_t
 /usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
 /sbin/partprobe		--	system_u:object_r:fsadm_exec_t
+')
+ifdef(`kudzu.te', `', `
 # kudzu
 /usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
 /sbin/kmodule	--	system_u:object_r:kudzu_exec_t
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/crack.fc policy-1.23.13/file_contexts/program/crack.fc
--- nsapolicy/file_contexts/program/crack.fc	2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.13/file_contexts/program/crack.fc	2005-04-26 10:25:01.000000000 -0400
@@ -1,4 +1,5 @@
 # crack - for password checking
+/usr/sbin/cracklib-[a-z]*	--	system_u:object_r:crack_exec_t
 /usr/sbin/crack_[a-z]*	--	system_u:object_r:crack_exec_t
 /var/cache/cracklib(/.*)?	system_u:object_r:crack_db_t
 /usr/lib(64)?/cracklib_dict.* --	system_u:object_r:crack_db_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/getty.fc policy-1.23.13/file_contexts/program/getty.fc
--- nsapolicy/file_contexts/program/getty.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.13/file_contexts/program/getty.fc	2005-04-25 15:18:00.000000000 -0400
@@ -1,3 +1,5 @@
 # getty
 /sbin/.*getty		--	system_u:object_r:getty_exec_t
 /etc/mgetty(/.*)?		system_u:object_r:getty_etc_t
+/var/run/mgetty\.pid.*	--	system_u:object_r:getty_var_run_t
+/var/log/mgetty\.log.*	--	system_u:object_r:getty_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.23.13/file_contexts/program/i18n_input.fc
--- nsapolicy/file_contexts/program/i18n_input.fc	2005-04-25 14:48:59.000000000 -0400
+++ policy-1.23.13/file_contexts/program/i18n_input.fc	2005-04-27 10:30:39.000000000 -0400
@@ -4,5 +4,8 @@
 /usr/bin/iiimd		        --     system_u:object_r:i18n_input_exec_t
 /usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
 /usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
+/usr/bin/iiimx                  --     system_u:object_r:i18n_input_exec_t
+/usr/lib/iiim/iiim-xbe          --     system_u:object_r:i18n_input_exec_t
 /usr/lib(64)?/im/.*\.so.*       --     system_u:object_r:shlib_t
+/usr/lib(64)?/iiim/.*\.so.*     --     system_u:object_r:shlib_t
 /var/run/iiim(/.*)?		       system_u:object_r:i18n_input_var_run_t
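Review bot: The new `/usr/lib/iiim/iiim-xbe` entry hardcodes `/usr/lib` while the library line added in the same hunk uses `/usr/lib(64)?/iiim/`, so on a 64-bit layout the helper binary would stay unlabeled. `/usr/lib(64)?/iiim/iiim-xbe          --     system_u:object_r:i18n_input_exec_t` keeps the two consistent.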
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lvm.fc policy-1.23.13/file_contexts/program/lvm.fc
--- nsapolicy/file_contexts/program/lvm.fc	2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.13/file_contexts/program/lvm.fc	2005-04-25 15:41:19.000000000 -0400
@@ -12,7 +12,6 @@
 /etc/lvm/lock(/.*)?		system_u:object_r:lvm_lock_t
 /var/lock/lvm(/.*)?		system_u:object_r:lvm_lock_t
 /dev/lvm		-c	system_u:object_r:fixed_disk_device_t
-/dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t
 /dev/mapper/control	-c	system_u:object_r:lvm_control_t
 /lib/lvm-10/.*		--	system_u:object_r:lvm_exec_t
 /lib/lvm-200/.*		--	system_u:object_r:lvm_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/portmap.fc policy-1.23.13/file_contexts/program/portmap.fc
--- nsapolicy/file_contexts/program/portmap.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.13/file_contexts/program/portmap.fc	2005-04-25 15:18:00.000000000 -0400
@@ -7,3 +7,4 @@
 /usr/sbin/pmap_dump	--	system_u:object_r:portmap_helper_exec_t
 /usr/sbin/pmap_set	--	system_u:object_r:portmap_helper_exec_t
 ')
+/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t
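Review bot: The `.` in `/var/run/portmap.upgrade-state` is unescaped, so as a regex it also matches any single character; the getty.fc entries in this patch escape it (`mgetty\.pid`). Use `/var/run/portmap\.upgrade-state	--	system_u:object_r:portmap_var_run_t`, which also matches the tab alignment of the other entries in this file.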
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/traceroute.fc policy-1.23.13/file_contexts/program/traceroute.fc
--- nsapolicy/file_contexts/program/traceroute.fc	2005-04-25 14:48:59.000000000 -0400
+++ policy-1.23.13/file_contexts/program/traceroute.fc	2005-04-25 15:18:00.000000000 -0400
@@ -2,7 +2,6 @@
 /bin/traceroute.*	--	system_u:object_r:traceroute_exec_t
 /bin/tracepath.*	--	system_u:object_r:traceroute_exec_t
 /sbin/rdisc		--	system_u:object_r:traceroute_exec_t
-/sbin/arping		--	system_u:object_r:traceroute_exec_t
 /usr/(s)?bin/traceroute.* --	system_u:object_r:traceroute_exec_t
 /usr/bin/lft		--	system_u:object_r:traceroute_exec_t
 /usr/bin/nmap		--	system_u:object_r:traceroute_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/webalizer.fc policy-1.23.13/file_contexts/program/webalizer.fc
--- nsapolicy/file_contexts/program/webalizer.fc	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.13/file_contexts/program/webalizer.fc	2005-04-25 15:18:00.000000000 -0400
@@ -1 +1,3 @@
 #
+/usr/bin/webalizer	--	system_u:object_r:webalizer_exec_t
+/var/lib/webalizer(/.*)		system_u:object_r:webalizer_var_lib_t
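Review bot: `/var/lib/webalizer(/.*)` lacks the trailing `?` that every other directory pattern in this patch uses (`/var/lib/htdig(/.*)?`), so the directory itself never matches and keeps whatever label its parent gives it, while only its contents get webalizer_var_lib_t. Change it to `/var/lib/webalizer(/.*)?		system_u:object_r:webalizer_var_lib_t`. The type must be declared in webalizer.te, which this chunk does not show.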
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.13/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.13/file_contexts/types.fc	2005-04-26 08:20:01.000000000 -0400
@@ -58,7 +58,7 @@
 
 #
 # Mount points; do not relabel subdirectories, since
-# we don't want to change any removable media by default.
+# we don not want to change any removable media by default.
 /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
 /mnt/[^/]*/.*			<<none>>
 /media(/[^/]*)?		-d	system_u:object_r:mnt_t
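Review bot: The rewritten comment reads `we don not want`, a typo introduced while removing the apostrophe (presumably to keep the text safe for m4 quoting, as the tinydns.te and auditd.te hunks in this patch do). It should read `# we do not want to change any removable media by default.`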
@@ -157,6 +157,7 @@
 /dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t
 /dev/ubd[^/]*		-b	system_u:object_r:fixed_disk_device_t
 /dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t
 /dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t
 /dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t
 /dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t
@@ -461,6 +462,11 @@
 /usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
 
 #
+# Turboprint
+#
+/usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t
+
+#
 # initrd mount point, only used during boot
 #
 /initrd			-d	system_u:object_r:root_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.13/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.13/macros/base_user_macros.te	2005-04-25 15:18:00.000000000 -0400
@@ -317,7 +317,7 @@
 allow $1_t devtty_t:chr_file rw_file_perms;
 allow $1_t null_device_t:chr_file rw_file_perms;
 allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
+allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
 #
 # Added to allow reading of cdrom
 #
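Review bot: `allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;` replaces an explicit `{ getattr read ioctl }` with a macro whose name suggests read plus append, so every domain built from this template would gain the ability to write into the random devices. That is a widening with no comment explaining which program needs it; if nothing does, keep the explicit set, otherwise add `# ra_file_perms: <program> writes seed data into the random devices — confirm` above the rule.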
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.23.13/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.13/macros/core_macros.te	2005-04-25 15:18:00.000000000 -0400
@@ -361,6 +361,7 @@
 # Get the selinuxfs mount point via /proc/self/mounts.
 allow $1 proc_t:dir search;
 allow $1 proc_t:lnk_file read;
+allow $1 proc_t:file { getattr read };
 allow $1 self:dir search;
 allow $1 self:file { getattr read };
 # Access selinuxfs.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.13/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.13/macros/global_macros.te	2005-04-25 15:18:00.000000000 -0400
@@ -406,8 +406,19 @@
 
 role system_r types $2_t;
 
+ifelse(index(`$3',`transitionbool'), -1, `
+
+domain_auto_trans($1, $2_exec_t, $2_t)
+
+', `
+
+bool $2_disable_trans false;
+
+if (! $2_disable_trans) {
 domain_auto_trans($1, $2_exec_t, $2_t)
+}
 
+');
 # Inherit and use descriptors from parent.
 allow $2_t $1:fd use;
 allow $2_t $1:process sigchld;
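Review bot: The new ifelse branch keyed on the string `transitionbool` in `$3` declares a `$2_disable_trans` boolean and guards the transition with it, but nothing in the macro says so, so callers reading the definition will not know the flag exists or that it adds a name to the boolean namespace. A comment above the ifelse — `# if $3 contains transitionbool, declare $2_disable_trans and make the entry transition conditional on it` — documents the contract; the httpd_selinux.8 hunk in this patch already relies on the resulting httpd_suexec_disable_trans name. Because the bool is declared inside the macro, invoking it twice for the same $2 with that flag would declare the boolean twice.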
@@ -712,6 +723,7 @@
 if (allow_execmod) {
 # Allow text relocations on system shared libraries, e.g. libGL.
 allow $1 texrel_shlib_t:file execmod;
+allow $1 home_type:file execmod;
 }
 
 # Create/access any System V IPC objects.
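Review bot: `allow $1 home_type:file execmod;` is added under the `allow_execmod` boolean, whose comment still says it exists for text relocations in system shared libraries such as libGL; home-directory files are a different trust level from texrel_shlib_t and the comment no longer describes the rule. Either update the comment (`# Also allow text relocations in home-directory files (e.g. user-built libraries) when allow_execmod is on`) or put the home_type grant behind its own boolean so an administrator can permit libGL without permitting every writable home file.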
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.23.13/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.13/macros/program/cdrecord_macros.te	2005-04-25 15:18:00.000000000 -0400
@@ -40,7 +40,7 @@
 allow $1_cdrecord_t etc_t:file { getattr read };
 
 # allow searching for cdrom-drive
-allow $1_cdrecord_t device_t:dir { getattr search };
+allow $1_cdrecord_t device_t:dir r_dir_perms;
 allow $1_cdrecord_t device_t:lnk_file { getattr read };
 
 # allow cdrecord to write the CD
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.13/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-04-27 10:28:55.000000000 -0400
+++ policy-1.23.13/macros/program/mozilla_macros.te	2005-04-25 15:18:00.000000000 -0400
@@ -32,7 +32,7 @@
 file_browse_domain($1_mozilla_t)
 
 can_network_client($1_mozilla_t)
-allow $1_mozilla_t { ftp_port_t http_port_t }:tcp_socket name_connect;
+allow $1_mozilla_t ftp_port_t:tcp_socket name_connect;
 #allow $1_mozilla_t port_type:tcp_socket name_connect;
 
 uses_shlib($1_mozilla_t)
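Review bot: Dropping http_port_t from the `name_connect` rule leaves `$1_mozilla_t` with only ftp_port_t from this block, so browsing works only if `can_network_client($1_mozilla_t)` or a rule outside the hunk grants http_port_t name_connect. If that is the case, a comment after the ftp line saying where http access now comes from would stop the next reader from re-adding it; if not, the removal breaks the browser.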
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.13/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8	2005-04-07 22:22:56.000000000 -0400
+++ policy-1.23.13/man/man8/httpd_selinux.8	2005-04-25 15:18:00.000000000 -0400
@@ -90,6 +90,12 @@
 setsebool -P httpd_can_network_connect 1
 
 .TP
+You can disable suexec transition, set httpd_suexec_disable_trans deny this
+.br
+
+setsebool -P httpd_suexec_disable_trans 1
+
+.TP
 You can disable SELinux protection for the httpd daemon by executing:
 .br
 
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/default_contexts policy-1.23.13/targeted/appconfig/default_contexts
--- nsapolicy/targeted/appconfig/default_contexts	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.13/targeted/appconfig/default_contexts	2005-04-25 15:18:00.000000000 -0400
@@ -1,5 +1,6 @@
 system_r:unconfined_t	system_r:unconfined_t
 system_r:initrc_t	system_r:unconfined_t
+system_r:local_login_t system_r:unconfined_t
 system_r:remote_login_t system_r:unconfined_t
 system_r:rshd_t		system_r:unconfined_t
 system_r:crond_t	system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/compat.te policy-1.23.13/targeted/domains/program/compat.te
--- nsapolicy/targeted/domains/program/compat.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.13/targeted/domains/program/compat.te	2005-04-26 11:45:35.000000000 -0400
@@ -1,8 +1,3 @@
-typealias sbin_t alias setfiles_exec_t;
 typealias bin_t alias mount_exec_t;
-typealias sbin_t alias restorecon_exec_t;
-typealias sbin_t alias consoletype_exec_t;
-typealias bin_t alias loadkeys_exec_t;
 typealias bin_t alias dmesg_exec_t;
-typealias sbin_t alias fsadm_exec_t;
-typealias sbin_t alias kudzu_exec_t;
+typealias bin_t alias loadkeys_exec_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.13/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.13/targeted/domains/program/crond.te	2005-04-26 08:38:04.000000000 -0400
@@ -18,7 +18,6 @@
 type system_cron_spool_t, file_type, sysadmfile;
 type sysadm_cron_spool_t, file_type, sysadmfile;
 type crond_log_t, file_type, sysadmfile;
-type crond_var_run_t, file_type, sysadmfile;
 role system_r types crond_t;
 domain_auto_trans(initrc_t, crond_exec_t, crond_t)
 domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
@@ -30,3 +29,4 @@
 allow crond_t initrc_t:dbus send_msg;
 allow crond_t unconfined_t:dbus send_msg;
 allow crond_t unconfined_t:process transition;
+var_run_domain(crond)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/hotplug.te policy-1.23.13/targeted/domains/program/hotplug.te
--- nsapolicy/targeted/domains/program/hotplug.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.13/targeted/domains/program/hotplug.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-#DESC Hotplug - Hardware event manager
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the hotplug domain.
-#
-# hotplug_exec_t is the type of the /sbin/hotplug and other programs.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy.  
-#
-type hotplug_t, domain;
-type hotplug_exec_t, file_type, sysadmfile, exec_type;
-typealias var_run_t alias hotplug_var_run_t;
-typealias etc_t alias hotplug_etc_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/sendmail.te policy-1.23.13/targeted/domains/program/sendmail.te
--- nsapolicy/targeted/domains/program/sendmail.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.13/targeted/domains/program/sendmail.te	2005-04-25 16:05:32.000000000 -0400
@@ -12,6 +12,7 @@
 #
 type sendmail_exec_t, file_type, sysadmfile, exec_type;
 type sendmail_log_t, file_type, sysadmfile;
-type sendmail_var_run_t, file_type, sysadmfile;
 type etc_mail_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
+var_run_domain(sendmail)
+
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/udev.te policy-1.23.13/targeted/domains/program/udev.te
--- nsapolicy/targeted/domains/program/udev.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.13/targeted/domains/program/udev.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-#DESC udev - Linux configurable dynamic device naming support
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the udev domain.
-#
-# udev_exec_t is the type of the /sbin/udev and other programs.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy.  
-#
-type udev_exec_t, file_type, sysadmfile, exec_type;
-type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-type udev_tdb_t, file_type, sysadmfile, dev_fs;
-typealias udev_tdb_t alias udev_tbl_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.23.13/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.13/targeted/domains/program/xdm.te	2005-04-25 15:18:00.000000000 -0400
@@ -20,3 +20,4 @@
 type xdm_var_lib_t, file_type, sysadmfile;
 type xdm_tmp_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
+domain_auto_trans(init_t, xdm_exec_t, xdm_t)
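Review bot: The new `domain_auto_trans(init_t, xdm_exec_t, xdm_t)` has no comment saying which launch path it covers; the line above already handles xdm started from init scripts, so the new one presumably covers xdm spawned directly by init (e.g. from inittab), and that should be stated so nobody later treats it as a duplicate. A one-line comment such as `# xdm may be started directly by init rather than via initrc` above the rule would do.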
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.13/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.13/targeted/domains/unconfined.te	2005-04-25 15:18:00.000000000 -0400
@@ -15,7 +15,7 @@
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
 typealias bin_t alias su_exec_t;
-typealias unconfined_t alias { kernel_t logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
 typeattribute tty_device_t admin_tty_type;
 typeattribute devpts_t admin_tty_type;
 
@@ -42,6 +42,7 @@
 attribute sysadm_file_type;
 
 allow unconfined_t unlabeled_t:filesystem *;
+allow unconfined_t self:system syslog_read;
 allow unlabeled_t self:filesystem associate;
 
 # Support NFS home directories
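Review bot: In the first hunk of this file, dropping `kernel_t` from the `typealias unconfined_t alias { ... }` list turns kernel_t into a distinct type in targeted policy, so every rule that previously reached the kernel domain through the unconfined_t alias no longer applies to it, and its replacement declaration and rules are not in this hunk (the deletion of the targeted initial_sid_contexts later in the patch suggests the shared one now applies, but that is inferred). A comment on the alias line, e.g. `# kernel_t is no longer aliased to unconfined_t; it is declared with the shared policy`, would tell the next reader where to look. The second hunk's `allow unconfined_t self:system syslog_read;` is self-contained.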
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/initial_sid_contexts policy-1.23.13/targeted/initial_sid_contexts
--- nsapolicy/targeted/initial_sid_contexts	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.13/targeted/initial_sid_contexts	1969-12-31 19:00:00.000000000 -0500
@@ -1,47 +0,0 @@
-# FLASK
-
-#
-# Define the security context for each initial SID
-# sid sidname   context
-
-# Initial state is unconfined in the relaxed policy.
-sid kernel	user_u:system_r:unconfined_t
-sid security	system_u:object_r:security_t
-sid unlabeled	system_u:object_r:unlabeled_t
-sid fs		system_u:object_r:fs_t
-sid file	system_u:object_r:file_t
-# Persistent label mapping is gone.  This initial SID can be removed.
-sid file_labels	system_u:object_r:unlabeled_t
-# init_t is still used, but an initial SID is no longer required.
-sid init	system_u:object_r:unlabeled_t
-# any_socket is no longer used.
-sid any_socket 	system_u:object_r:unlabeled_t
-sid port	system_u:object_r:port_t
-sid netif	system_u:object_r:netif_t
-# netmsg is no longer used.
-sid netmsg	system_u:object_r:unlabeled_t
-sid node	system_u:object_r:node_t
-# These sockets are now labeled with the kernel SID,
-# and do not require their own initial SIDs.
-sid igmp_packet system_u:object_r:unlabeled_t
-sid icmp_socket system_u:object_r:unlabeled_t
-sid tcp_socket  system_u:object_r:unlabeled_t
-# Most of the sysctl SIDs are now computed at runtime
-# from genfs_contexts, so the corresponding initial SIDs
-# are no longer required.
-sid sysctl_modprobe	system_u:object_r:unlabeled_t
-# But we still need the base sysctl initial SID as a default.
-sid sysctl	system_u:object_r:sysctl_t
-sid sysctl_fs	system_u:object_r:unlabeled_t
-sid sysctl_kernel	system_u:object_r:unlabeled_t
-sid sysctl_net	system_u:object_r:unlabeled_t
-sid sysctl_net_unix	system_u:object_r:unlabeled_t
-sid sysctl_vm	system_u:object_r:unlabeled_t
-sid sysctl_dev	system_u:object_r:unlabeled_t
-# No longer used, can be removed.
-sid kmod	system_u:object_r:unlabeled_t
-sid policy	system_u:object_r:unlabeled_t
-sid scmp_packet	system_u:object_r:unlabeled_t
-sid devnull	system_u:object_r:null_device_t
-
-# FLASK
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.13/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.13/tunables/distro.tun	2005-04-25 15:18:00.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.13/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.13/tunables/tunable.tun	2005-04-25 15:18:00.000000000 -0400
@@ -2,7 +2,7 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
@@ -20,11 +20,11 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
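Review bot: Enabling `hide_broken_symptoms` (this hunk) and `unlimitedRPM` (the first hunk of this file) by default widens the shipped policy and its audit trail: the comment above the first says it silences denials for things "known to be broken", so those denials stop appearing in the audit log, the comment above the second says rpm then runs unconfined, and `user_canbe_sysadm` lets user_r reach sysadm_r. If these are distribution build defaults rather than upstream ones, either guard them with a `distro_redhat` conditional or extend each comment to say why the setting is now on by default; as written none of the three comments records the change.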
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.13/types/network.te
--- nsapolicy/types/network.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.13/types/network.te	2005-04-25 15:18:00.000000000 -0400
@@ -31,6 +31,7 @@
 type http_cache_port_t, port_type, reserved_port_type;
 type http_port_t, port_type, reserved_port_type;
 
+allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
 ifdef(`cyrus.te', `define(`use_pop')')
 ifdef(`courier.te', `define(`use_pop')')
 ifdef(`perdition.te', `define(`use_pop')')
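Review bot: The new `allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;` is wedged between the port declarations and the `ifdef` lines that detect pop daemons, with no blank line or comment, and the `web_client_domain` attribute it relies on is not declared in this hunk — if it is not declared earlier in the build the policy will not compile. Put a blank line and `# web clients may connect to the http and http cache ports` above the rule so it is not read as part of the `use_pop` detection that follows.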

* Latest diffs
@ 2005-04-14 20:49 Daniel J Walsh
  2005-04-20 13:17 ` Russell Coker
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2005-04-14 20:49 UTC (permalink / raw)
  To: Jim Carter, SELinux

[-- Attachment #1: Type: text/plain, Size: 588 bytes --]

Some cleanups in strict to handle turning off unlimitedRC

Add CVS and uucpd policy.  These need work if someone wants to play 
with them.

Added audit_control to login domains to handle pam_loginuid.so

Fixes for syslogng

Cleanup of auditd.te

Netlink changes to handle new auditing pam modules

Fix locations of acrobat

Handle /srv file systems

Add Russell's Compat stuff to make transitioning from targeted to strict 
cleaner

Change location of crack lib

Minor fixes to tighten up name_connect

Eliminate sysadmfile from policy files to separate sysadm_t from secadm_t




-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 35491 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.23.11/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2005-03-21 22:32:18.000000000 -0500
+++ policy-1.23.11/domains/program/crond.te	2005-04-14 15:20:16.000000000 -0400
@@ -88,6 +88,8 @@
 
 system_crond_entry(rpm_exec_t, rpm_t)
 allow system_crond_t rpm_log_t:file create_file_perms;
+#read ahead wants to read this
+allow initrc_t system_cron_spool_t:file { getattr read };
 ')
 ')
 
@@ -210,6 +212,6 @@
 # Required for webalizer
 #
 ifdef(`apache.te', `
-allow system_crond_t httpd_log_t:file { getattr read };
+allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
 ')
 dontaudit crond_t self:capability sys_tty_config;
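Review bot: The comment above the changed rule still reads only `# Required for webalizer`, yet the rule now also grants `system_crond_t` read on `httpd_config_t`, and Apache configuration can hold more sensitive material than its logs; the comment should say what in the config the job reads, e.g. `# webalizer reads the apache config to locate its log files`, or the grant should be narrowed if only one file is involved. In the first hunk, `#read ahead wants to read this` above `allow initrc_t system_cron_spool_t:file { getattr read };` would read better as `# readahead (run from initrc) reads the system cron spool`, and since that rule is for initrc_t rather than a cron domain, initrc.te may be the more natural home. Both hunks sit inside `ifdef` blocks whose openings are outside the diff.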
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/cvs.te policy-1.23.11/domains/program/cvs.te
--- nsapolicy/domains/program/cvs.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.11/domains/program/cvs.te	2005-04-14 15:20:16.000000000 -0400
@@ -0,0 +1,16 @@
+#DESC cvs - Concurrent Versions System
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the cvs_t domain.
+#
+# cvs_exec_t is the type of the cvs executable.
+#
+
+inetd_child_domain(cvs, tcp)
+type cvs_data_t, file_type, sysadmfile;
+create_dir_file(cvs_t, cvs_data_t)
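Review bot: The header says `# Depends: inetd.te`, but the file is placed in domains/program/ rather than domains/program/unused/, so it is presumably built unconditionally and `inetd_child_domain(cvs, tcp)` will fail in a build that does not include inetd.te; either move it to unused/ or make the dependency a real guard. The matching cvs.fc hunk labels `/usr/bin/cvs` as `cvs_exec_t`, which is also the client binary every user runs, so confirm user domains can still execute cvs_exec_t without transitioning into cvs_t. uucpd.te in this patch has the same `Depends: inetd.te` header and the same location.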
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.11/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-03-24 08:58:25.000000000 -0500
+++ policy-1.23.11/domains/program/initrc.te	2005-04-14 15:30:19.000000000 -0400
@@ -12,7 +12,7 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
 
 role system_r types initrc_t;
 uses_shlib(initrc_t);
@@ -195,10 +195,8 @@
 allow initrc_t tmpfs_t:chr_file rw_file_perms;
 allow initrc_t tmpfs_t:dir r_dir_perms;
 
-ifdef(`distro_redhat', ` 
 # Allow initrc domain to set the enforcing flag.
 can_setenforce(initrc_t)
-')
 
 #
 # readahead asks for these
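Review bot: Removing the `ifdef(`distro_redhat'` guard around `can_setenforce(initrc_t)` lets init scripts change enforcing mode on every distribution build, not only Red Hat; the cover letter does not explain that, and a privilege of this weight deserves a comment such as `# init scripts must be able to set enforcing mode (SELinux init script)` or should stay distro-conditional. The third hunk's `file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)` likewise means any block device node an init script creates under device_t gets the fixed-disk label, and the fourth hunk's `allow initrc_t device_t:lnk_file create_file_perms;` is equally uncommented; each wants a line naming the script that needs it.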
@@ -209,6 +207,7 @@
 # for /halt /.autofsck and other flag files
 file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
 
+file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
 ')dnl end distro_redhat
 
 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
@@ -310,3 +309,4 @@
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')
 allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
+allow initrc_t device_t:lnk_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.23.11/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te	2005-04-14 15:01:53.000000000 -0400
+++ policy-1.23.11/domains/program/load_policy.te	2005-04-14 15:20:16.000000000 -0400
@@ -58,3 +58,4 @@
 
 read_locale(load_policy_t)
 r_dir_file(load_policy_t, selinux_config_t)
+allow load_policy_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.23.11/domains/program/login.te
--- nsapolicy/domains/program/login.te	2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.11/domains/program/login.te	2005-04-14 15:20:16.000000000 -0400
@@ -65,7 +65,7 @@
 ')
 
 # Use capabilities
-allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow $1_login_t self:capability { audit_control dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
 allow $1_login_t self:process setrlimit;
 dontaudit $1_login_t sysfs_t:dir search;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.11/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2005-04-14 15:01:53.000000000 -0400
+++ policy-1.23.11/domains/program/modutil.te	2005-04-14 15:20:16.000000000 -0400
@@ -54,6 +54,7 @@
 # Read module objects.
 allow depmod_t modules_object_t:dir r_dir_perms;
 allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
+allow depmod_t modules_object_t:file unlink;
 
 # Access terminals.
 allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
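Review bot: The new `allow depmod_t modules_object_t:file unlink;` is placed under the `# Read module objects.` comment, which no longer describes the block. Give it its own line, e.g. `# depmod replaces its generated files (modules.dep etc.) by unlinking the old ones` — confirm which files are actually unlinked, since the diff does not show that.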
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.11/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.11/domains/program/ssh.te	2005-04-14 15:20:16.000000000 -0400
@@ -71,7 +71,7 @@
 can_network($1_t)
 allow $1_t port_type:tcp_socket name_connect;
 
-allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow $1_t self:capability { audit_control kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
 if (use_nfs_home_dirs) {
 allow $1_t autofs_t:dir { search getattr };
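Review bot: `audit_control` is added to the ssh domain's capability set (and, in this patch, to the login domains in login.te and to xdm_t in unused/xdm.te) with no comment; the cover letter attributes it to pam_loginuid.so, which writes the process loginuid and needs CAP_AUDIT_CONTROL to do so on kernels of this era, and that reason belongs in the policy, e.g. `# audit_control: pam_loginuid sets /proc/self/loginuid`. Because the same capability also permits changing audit configuration, the comment should make clear that no narrower permission covers the loginuid write, so the grant is not widened further later by analogy.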
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.11/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.11/domains/program/syslogd.te	2005-04-14 15:20:16.000000000 -0400
@@ -111,4 +111,6 @@
 allow syslogd_t kernel_t:system { syslog_mod syslog_console };
 allow syslogd_t self:capability { sys_admin chown fsetid };
 allow syslogd_t var_log_t:dir { create setattr };
+allow syslogd_t syslogd_port_t:tcp_socket name_bind;
+allow syslogd_t rsh_port_t:tcp_socket name_connect;
 }
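Review bot: The two added rules carry no comment, and the `{ ... }` block that closes on the final line opens outside the hunk, so the condition they fall under is not visible here; the cover letter says this is for syslog-ng. `allow syslogd_t rsh_port_t:tcp_socket name_connect;` in particular needs an explanation, because the rsh label presumably sits on TCP/514, the same port number syslog uses for TCP forwarding — a line such as `# syslog-ng forwards over TCP/514, which carries the rsh port label` records that and stops a later reader from removing it as a mistake.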
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.11/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-04-07 22:22:55.000000000 -0400
+++ policy-1.23.11/domains/program/unused/apache.te	2005-04-14 15:20:16.000000000 -0400
@@ -401,3 +401,4 @@
 dontaudit system_mail_t httpd_t:tcp_socket { read write };
 ')
 
+allow httpd_t var_t:file read;
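Review bot: `allow httpd_t var_t:file read;` grants the web server read on every file labelled var_t, and this same patch labels `/srv(/.*)?` as var_t in types.fc, so anything placed under /srv that does not receive a more specific label (only the www, ftp and rsync subtrees do, per apache.fc, ftpd.fc and rsync.fc) becomes readable by httpd_t. A comment naming the file httpd actually needs, and ideally a dedicated type for it, would keep the grant narrow. The rule also lacks `getattr`, which accompanies read elsewhere in this patch (`{ getattr read }`).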
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.11/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.11/domains/program/unused/auditd.te	2005-04-14 15:20:16.000000000 -0400
@@ -2,11 +2,33 @@
 #
 # Authors: Colin Walters <walters@verbum.org>
 #
+define(`audit_manager_domain', `
+allow $1 auditd_etc_t:file rw_file_perms;
+create_dir_file($1, auditd_log_t)
+')
+
+type auditd_etc_t, file_type, secure_file_type;
 
 daemon_domain(auditd)
-allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
+
+allow auditd_t self:netlink_audit_socket create_netlink_socket_perms;
 allow auditd_t self:capability { audit_write audit_control };
 allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t etc_t:file { getattr read };
-log_domain(auditd)
+
+# Don't use logdir_domain since this is a security file
+type auditd_log_t, file_type, secure_file_type;
+file_type_auto_trans(auditd_t, var_log_t, auditd_log_t, file)
+allow auditd_t auditd_log_t:dir { setattr rw_dir_perms };
+
+can_exec(auditd_t, init_exec_t)
+allow auditd_t auditd_etc_t:file r_file_perms;
+
+audit_manager_domain(secadm_t)
+
+ifdef(`separate_secadm', `', `
+audit_manager_domain(sysadm_t)
+')
+can_exec(auditd_t, init_exec_t)
+allow auditd_t initctl_t:fifo_file write;
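Review bot: `can_exec(auditd_t, init_exec_t)` appears twice in the new code, once after the log rules and again at the end; drop the second copy. The `audit_manager_domain` macro gives `secadm_t` (and `sysadm_t` unless `separate_secadm`) `rw_file_perms` on `auditd_etc_t` plus create rights on `auditd_log_t`, while auditd itself gets only `r_file_perms` on its config — a sensible split that deserves a comment above the macro, e.g. `# audit_manager_domain: roles allowed to edit audit config/rules and manage audit logs`. `allow auditd_t initctl_t:fifo_file write;` together with executing init lets auditd talk to init, presumably for its failure-action handling; say so in a comment so it is not read as a stray rule.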
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.11/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-04-14 15:01:53.000000000 -0400
+++ policy-1.23.11/domains/program/unused/cups.te	2005-04-14 15:20:16.000000000 -0400
@@ -166,7 +166,11 @@
 
 allow cupsd_t printconf_t:file { getattr read };
 
+ifdef(`dbusd.te', `
 dbusd_client(system, cupsd)
+allow cupsd_t system_dbusd_t:dbus send_msg;
+allow cupsd_t userdomain:dbus send_msg;
+')
 
 ifdef(`hald.te', `
 
@@ -208,12 +212,10 @@
 dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus send_msg;
 allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow cupsd_t system_dbusd_t:dbus send_msg;
+allow cupsd_t hald_t:dbus send_msg;
 allow userdomain cupsd_config_t:dbus send_msg;
 allow cupsd_config_t hald_t:dbus send_msg;
 allow hald_t cupsd_config_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
-allow cupsd_t hald_t:dbus send_msg;
 allow hald_t cupsd_t:dbus send_msg;
 ')dnl end if dbusd.te
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dmidecode.te policy-1.23.11/domains/program/unused/dmidecode.te
--- nsapolicy/domains/program/unused/dmidecode.te	2005-04-07 13:17:30.000000000 -0400
+++ policy-1.23.11/domains/program/unused/dmidecode.te	2005-04-14 15:20:16.000000000 -0400
@@ -8,6 +8,7 @@
 
 # Allow execution by the sysadm
 role sysadm_r types dmidecode_t;
+role system_r types dmidecode_t;
 domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
 
 uses_shlib(dmidecode_t)
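Review bot: `role system_r types dmidecode_t;` is added, but the only transition into dmidecode_t visible in the hunk is `domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)`, so nothing in system_r reaches the domain. If a system daemon is meant to run dmidecode, the matching `domain_auto_trans(<that domain>, dmidecode_exec_t, dmidecode_t)` belongs next to the role line, with a comment naming the caller; if not, the role line is unused.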
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.23.11/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-04-14 15:01:53.000000000 -0400
+++ policy-1.23.11/domains/program/unused/ftpd.te	2005-04-14 15:23:37.000000000 -0400
@@ -9,8 +9,6 @@
 #
 # Rules for the ftpd_t domain 
 #
-type ftp_port_t, port_type, reserved_port_type;
-type ftp_data_port_t, port_type, reserved_port_type;
 daemon_domain(ftpd, `, auth_chkpwd')
 etc_domain(ftpd)
 
@@ -113,7 +111,6 @@
 #
 # Type for access to anon ftp
 #
-type ftpd_anon_t, file_type, sysadmfile, customizable;
 r_dir_file(ftpd_t,ftpd_anon_t)
 type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
 create_dir_file(ftpd_t,ftpd_anon_rw_t)
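Review bot: The declarations of `ftp_port_t`, `ftp_data_port_t` and `ftpd_anon_t` are removed here (and the fallback port declarations in publicfile.te and `rsh_port_t` in rshd.te), while rsync.te drops its `ifdef(`ftpd.te'` guard around `r_dir_file(rsync_t, ftpd_anon_t)`, rsync.fc labels `/srv/.../rsync` with ftpd_anon_t, and syslogd.te uses rsh_port_t unconditionally; the new unconditional declarations are not in this part of the diff, so they must now live in an always-built file or a build without ftpd.te or rshd.te fails on an undefined type. A comment in rsync.te such as `# ftpd_anon_t is a shared type, declared outside ftpd.te` would make the dependency visible.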
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.11/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	2005-04-14 15:01:53.000000000 -0400
+++ policy-1.23.11/domains/program/unused/NetworkManager.te	2005-04-14 15:20:16.000000000 -0400
@@ -53,6 +53,10 @@
 ')
 allow NetworkManager_t initrc_t:dbus send_msg;
 allow initrc_t NetworkManager_t:dbus send_msg;
+ifdef(`targeted_policy', `
+allow NetworkManager_t unconfined_t:dbus send_msg;
+allow unconfined_t NetworkManager_t:dbus send_msg;
+')
 ')
 
 allow NetworkManager_t usr_t:file { getattr read };
@@ -70,6 +74,7 @@
 
 allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
 allow NetworkManager_t proc_t:file { getattr read };
+r_dir_file(NetworkManager_t, proc_net_t)
 
 allow NetworkManager_t { domain -unrestricted }:dir search;
 allow NetworkManager_t { domain -unrestricted }:file { getattr read };
@@ -80,3 +85,5 @@
 allow NetworkManager_t initrc_var_run_t:file { getattr read };
 
 domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
+allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+
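Review bot: The last hunk appends an empty line after `allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;`, leaving a trailing blank line at end of file; auditd.fc and types.fc in this patch pick up the same trailing blank. The netlink rule itself is uncommented — `# read interface and routing state via netlink` (to be confirmed against what NetworkManager actually reads) would do. The first hunk's `ifdef(`targeted_policy'` block exchanging dbus messages with unconfined_t reads correctly for targeted, where user sessions run as unconfined_t.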
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.11/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.11/domains/program/unused/ntpd.te	2005-04-14 15:20:16.000000000 -0400
@@ -84,4 +84,4 @@
 allow ntpd_t winbind_var_run_t:dir r_dir_perms;
 allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
 ')
-
+allow sysadm_t ntp_port_t:udp_socket name_bind;
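Review bot: `allow sysadm_t ntp_port_t:udp_socket name_bind;` grants the admin domain a bind on the NTP port with no comment, and it replaces the blank line after the `')` that closes the winbind block, so it now sits flush against it; restore the blank line and add something like `# ntpdate run by the administrator binds the ntp port` (confirm which tool needs it). Since it is a sysadm_t rule it only takes effect when ntpd.te is built; if the administrator needs it without the daemon, it belongs next to the port type declaration instead.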
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/publicfile.te policy-1.23.11/domains/program/unused/publicfile.te
--- nsapolicy/domains/program/unused/publicfile.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.11/domains/program/unused/publicfile.te	2005-04-14 15:20:16.000000000 -0400
@@ -6,12 +6,6 @@
 # this policy depends on ucspi-tcp
 #
 
-ifdef(`ftpd.te', `
-', `
-type ftp_port_t, port_type, reserved_port_type;
-type ftp_data_port_t, port_type, reserved_port_type;
-')
-
 daemon_domain(publicfile)
 type publicfile_content_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.23.11/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.11/domains/program/unused/rshd.te	2005-04-14 15:20:16.000000000 -0400
@@ -9,7 +9,6 @@
 #
 # Rules for the rshd_t domain.
 #
-type rsh_port_t, port_type, reserved_port_type;
 daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
 
 ifdef(`tcpd.te', `
@@ -24,8 +23,7 @@
 
 # Use the network.
 can_network_server(rshd_t)
-allow rshd_t reserved_port_t:tcp_socket name_bind;
-dontaudit rshd_t reserved_port_type:tcp_socket name_bind;
+allow rshd_t rsh_port_t:tcp_socket name_bind;
 
 can_ypbind(rshd_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.23.11/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.11/domains/program/unused/rsync.te	2005-04-14 15:20:16.000000000 -0400
@@ -14,6 +14,4 @@
 inetd_child_domain(rsync)
 type rsync_data_t, file_type, sysadmfile;
 r_dir_file(rsync_t, rsync_data_t)
-ifdef(`ftpd.te', `
 r_dir_file(rsync_t, ftpd_anon_t)
-')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.11/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.11/domains/program/unused/xdm.te	2005-04-14 15:20:16.000000000 -0400
@@ -69,7 +69,7 @@
 
 #
 # Use capabilities.
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
+allow xdm_t self:capability { audit_control setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
 
 allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.23.11/domains/program/useradd.te
--- nsapolicy/domains/program/useradd.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.11/domains/program/useradd.te	2005-04-14 15:20:16.000000000 -0400
@@ -98,3 +98,7 @@
 allow groupadd_t self:process setrlimit;
 allow groupadd_t initrc_var_run_t:file r_file_perms;
 dontaudit groupadd_t initrc_var_run_t:file write;
+
+allow useradd_t default_context_t:dir search;
+allow useradd_t file_context_t:dir search;
+allow useradd_t file_context_t:file { getattr read };
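Review bot: The three new `useradd_t` rules on `default_context_t` and `file_context_t` do not say why an account tool reads the SELinux context configuration; presumably useradd labels the new home directory via matchpathcon, which reads file_contexts. Record that above the rules, e.g. `# useradd uses matchpathcon to label new home directories (reads file_contexts)` — confirm against the useradd source before committing to the wording.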
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/uucpd.te policy-1.23.11/domains/program/uucpd.te
--- nsapolicy/domains/program/uucpd.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.11/domains/program/uucpd.te	2005-04-14 15:20:16.000000000 -0400
@@ -0,0 +1,24 @@
+#DESC uucpd - UUCP file transfer daemon
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the uucpd_t domain.
+#
+# uucpd_exec_t is the type of the uucpd executable.
+#
+
+inetd_child_domain(uucpd, tcp)
+type uucpd_rw_t, file_type, sysadmfile;
+type uucpd_ro_t, file_type, sysadmfile;
+type uucpd_spool_t, file_type, sysadmfile;
+create_dir_file(uucpd_t, uucpd_rw_t)
+r_dir_file(uucpd_t, uucpd_ro_t)
+allow uucpd_t sbin_t:dir search;
+can_exec(uucpd_t, sbin_t)
+logdir_domain(uucpd)
+allow uucpd_t var_spool_t:dir search;
+create_dir_file(uucpd_t, uucpd_spool_t)
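Review bot: `can_exec(uucpd_t, sbin_t)` lets the inetd-spawned uucpd domain execute every binary labelled sbin_t in its own domain, which is far wider than the uucp helpers it presumably needs; label those helpers with a dedicated exec type, or at minimum add a comment naming the programs under /usr/sbin the daemon invokes. uucpd.fc only labels `/usr/sbin/uucico` as `uucpd_exec_t`, so the helpers it execs from sbin_t are the remaining gap. The header's `# Depends: inetd.te` is not enforced by anything in the file (see the cvs.te note).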
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.11/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.11/file_contexts/distros.fc	2005-04-14 15:20:16.000000000 -0400
@@ -150,9 +150,9 @@
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/.*/jre/lib/i386/libdeploy.so		-- system_u:object_r:texrel_shlib_t
 
-/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
-/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t
 
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.11/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.11/file_contexts/program/apache.fc	2005-04-14 15:20:16.000000000 -0400
@@ -1,6 +1,7 @@
 # apache
 HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
 /var/www(/.*)?			system_u:object_r:httpd_sys_content_t
+/srv/([^/]*/)?www(/.*)?		system_u:object_r:httpd_sys_content_t
 /var/www/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
 /usr/lib/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
 /var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t
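Review bot: `/srv/([^/]*/)?www(/.*)?` matches `/srv/www` and `/srv/<one component>/www` but no deeper nesting, and it labels any directory named `www` one level under /srv as httpd content whether or not apache serves it; if that is the intended convention a comment above it, `# /srv/<site>/www holds web content`, should say so. The same one-level pattern is used for ftp in ftpd.fc and rsync in rsync.fc in this patch, so the convention is best stated once, next to the `/srv(/.*)?` rule added in types.fc.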
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/auditd.fc policy-1.23.11/file_contexts/program/auditd.fc
--- nsapolicy/file_contexts/program/auditd.fc	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.11/file_contexts/program/auditd.fc	2005-04-14 15:20:16.000000000 -0400
@@ -1,4 +1,8 @@
 # auditd
-/sbin/auditd		--	system_u:object_r:auditd_exec_t
 /sbin/auditctl		--	system_u:object_r:auditd_exec_t
-/var/log/audit(/.*)? 	 	system_u:object_r:auditd_log_t
+/sbin/auditd		--	system_u:object_r:auditd_exec_t
+/var/log/audit.log 	-- 	system_u:object_r:auditd_log_t
+/var/log/audit(/.*)?  	 	system_u:object_r:auditd_log_t
+/etc/auditd.conf	--	system_u:object_r:auditd_etc_t
+/etc/audit.rules	--	system_u:object_r:auditd_etc_t
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.23.11/file_contexts/program/compat.fc
--- nsapolicy/file_contexts/program/compat.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.11/file_contexts/program/compat.fc	2005-04-14 15:20:16.000000000 -0400
@@ -0,0 +1,55 @@
+# setfiles
+/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t
+
+# mount
+/bin/mount.*			--	system_u:object_r:mount_exec_t
+/bin/umount.*			--	system_u:object_r:mount_exec_t
+# restorecon
+/sbin/restorecon	--	system_u:object_r:restorecon_exec_t
+/bin/hostname		--	system_u:object_r:hostname_exec_t
+# consoletype
+/sbin/consoletype	--	system_u:object_r:consoletype_exec_t
+# loadkeys
+/bin/unikeys		--	system_u:object_r:loadkeys_exec_t
+/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
+# dmesg
+/bin/dmesg	--	system_u:object_r:dmesg_exec_t
+# fs admin utilities
+/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
+/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
+/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
+/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t
+/sbin/e2label		--	system_u:object_r:fsadm_exec_t
+/sbin/findfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkswap		--	system_u:object_r:fsadm_exec_t
+/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t
+/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/fdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/parted		--	system_u:object_r:fsadm_exec_t
+/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
+/sbin/hdparm		--	system_u:object_r:fsadm_exec_t
+/sbin/raidstart		--	system_u:object_r:fsadm_exec_t
+/sbin/mkraid		--	system_u:object_r:fsadm_exec_t
+/sbin/blockdev		--	system_u:object_r:fsadm_exec_t
+/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
+/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
+/sbin/lsraid		--	system_u:object_r:fsadm_exec_t
+/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t
+/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t
+/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t
+/usr/bin/raw		--	system_u:object_r:fsadm_exec_t
+/sbin/partx		--	system_u:object_r:fsadm_exec_t
+/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
+/sbin/partprobe		--	system_u:object_r:fsadm_exec_t
+# kudzu
+/usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
+/sbin/kmodule	--	system_u:object_r:kudzu_exec_t
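Review bot: Every entry in this new file references an exec type (`setfiles_exec_t`, `mount_exec_t`, `fsadm_exec_t`, `kudzu_exec_t`, …) whose declaration is not in this patch; if the build includes a program .fc only when a matching .te exists, compat.fc needs a compat.te, and otherwise any listed type that is not declared in the targeted build makes setfiles reject the whole file. A header comment stating the file's purpose (the cover letter calls it Russell's compat labelling to ease targeted-to-strict transitions) and which .te files declare these types would make the dependency explicit.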
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/crack.fc policy-1.23.11/file_contexts/program/crack.fc
--- nsapolicy/file_contexts/program/crack.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.11/file_contexts/program/crack.fc	2005-04-14 15:20:16.000000000 -0400
@@ -2,3 +2,4 @@
 /usr/sbin/crack_[a-z]*	--	system_u:object_r:crack_exec_t
 /var/cache/cracklib(/.*)?	system_u:object_r:crack_db_t
 /usr/lib(64)?/cracklib_dict.* --	system_u:object_r:crack_db_t
+/usr/share/cracklib(/.*)?	system_u:object_r:crack_db_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cvs.fc policy-1.23.11/file_contexts/program/cvs.fc
--- nsapolicy/file_contexts/program/cvs.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.11/file_contexts/program/cvs.fc	2005-04-14 15:20:16.000000000 -0400
@@ -0,0 +1,2 @@
+# cvs program
+/usr/bin/cvs	--	system_u:object_r:cvs_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ftpd.fc policy-1.23.11/file_contexts/program/ftpd.fc
--- nsapolicy/file_contexts/program/ftpd.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.11/file_contexts/program/ftpd.fc	2005-04-14 15:20:16.000000000 -0400
@@ -13,3 +13,4 @@
 /var/log/xferreport.*	--	system_u:object_r:xferlog_t
 /etc/cron\.monthly/proftpd --	system_u:object_r:ftpd_exec_t
 /var/ftp(/.*)?			system_u:object_r:ftpd_anon_t
+/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:ftpd_anon_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.23.11/file_contexts/program/i18n_input.fc
--- nsapolicy/file_contexts/program/i18n_input.fc	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.11/file_contexts/program/i18n_input.fc	2005-04-14 15:20:16.000000000 -0400
@@ -1,6 +1,7 @@
 # i18n_input.fc
 /usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t
 /usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t
+/usr/sbin/iiimd		        --     system_u:object_r:i18n_input_exec_t
 /usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
 /usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
 /usr/lib(64)?/im/.*\.so.*       --     system_u:object_r:shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lvm.fc policy-1.23.11/file_contexts/program/lvm.fc
--- nsapolicy/file_contexts/program/lvm.fc	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.11/file_contexts/program/lvm.fc	2005-04-14 15:20:16.000000000 -0400
@@ -65,3 +65,4 @@
 /sbin/pvremove     --      system_u:object_r:lvm_exec_t
 /sbin/pvs          --      system_u:object_r:lvm_exec_t
 /sbin/vgs          --      system_u:object_r:lvm_exec_t
+/sbin/multipathd   --      system_u:object_r:lvm_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.23.11/file_contexts/program/rsync.fc
--- nsapolicy/file_contexts/program/rsync.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.11/file_contexts/program/rsync.fc	2005-04-14 15:20:16.000000000 -0400
@@ -1,2 +1,3 @@
 # rsync program
 /usr/bin/rsync	--	system_u:object_r:rsync_exec_t
+/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:ftpd_anon_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/uucpd.fc policy-1.23.11/file_contexts/program/uucpd.fc
--- nsapolicy/file_contexts/program/uucpd.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.11/file_contexts/program/uucpd.fc	2005-04-14 15:20:16.000000000 -0400
@@ -0,0 +1,5 @@
+# uucico program
+/usr/sbin/uucico	--	system_u:object_r:uucpd_exec_t
+/var/spool/uucp(/.*)?		system_u:object_r:uucpd_spool_t
+/var/spool/uucppublic(/.*)?	system_u:object_r:uucpd_spool_t
+/var/log/uucp(/.*)?		system_u:object_r:uucpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.11/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.11/file_contexts/types.fc	2005-04-14 15:20:16.000000000 -0400
@@ -478,3 +478,9 @@
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
 /usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
 /usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
+
+#
+# /srv
+#
+/srv(/.*)?			system_u:object_r:var_t
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.11/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-04-07 22:22:55.000000000 -0400
+++ policy-1.23.11/macros/program/apache_macros.te	2005-04-14 15:20:16.000000000 -0400
@@ -39,7 +39,7 @@
 allow httpd_$1_script_t fs_t:filesystem getattr;
 allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
 
-allow httpd_$1_script_t { self proc_t }:file { getattr read };
+allow httpd_$1_script_t { self proc_t }:file r_file_perms;
 allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
 allow httpd_$1_script_t { self proc_t }:lnk_file read;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.23.11/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.11/macros/program/chkpwd_macros.te	2005-04-14 15:20:16.000000000 -0400
@@ -35,6 +35,7 @@
 can_kerberos(auth_chkpwd)
 can_ldap(auth_chkpwd)
 can_resolve(auth_chkpwd)
+allow auth_chkpwd self:netlink_audit_socket create_netlink_socket_perms;
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
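Review bot: `allow auth_chkpwd self:netlink_audit_socket create_netlink_socket_perms;` grants every password-checking helper domain the full netlink permission set, which in the macros of this policy family I believe includes `nlmsg_write`, the permission for changing audit configuration rather than merely emitting records. For reporting authentication results the helper only needs to create the socket and send user messages (`nlmsg_relay` on kernels that have it), so consider `create_socket_perms` plus the specific nlmsg permission the audit denials actually showed. The macro's expansion is not in this diff, so verify what create_netlink_socket_perms contains before narrowing.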
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.11/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-04-07 22:22:55.000000000 -0400
+++ policy-1.23.11/macros/program/mozilla_macros.te	2005-04-14 15:20:16.000000000 -0400
@@ -31,7 +31,10 @@
 # Browse files
 file_browse_domain($1_mozilla_t)
 
-can_network($1_mozilla_t)
+can_network_client($1_mozilla_t)
+allow $1_mozilla_t { ftp_port_t http_port_t }:tcp_socket name_connect;
+#allow $1_mozilla_t port_type:tcp_socket name_connect;
+
 uses_shlib($1_mozilla_t)
 read_locale($1_mozilla_t)
 read_sysctl($1_mozilla_t)
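Review bot: The switch to `can_network_client` with `name_connect` on only `ftp_port_t` and `http_port_t` is a real narrowing, but whether it covers HTTPS (443) and proxy ports depends on how net_contexts labels them, which this hunk does not show; if 443 or a proxy port carries another type, browsing breaks and users will be tempted to re-enable the commented-out rule. Rather than leaving `#allow $1_mozilla_t port_type:tcp_socket name_connect;` as dead text, either delete it or gate it on a boolean so the escape hatch is explicit and auditable. A comment naming the covered ports, `# browser may connect to ftp/http port types only; proxies on other ports need their type added here`, would help the next person hitting a denial.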
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.11/Makefile
--- nsapolicy/Makefile	2005-04-14 15:01:52.000000000 -0400
+++ policy-1.23.11/Makefile	2005-04-14 15:20:16.000000000 -0400
@@ -163,7 +163,7 @@
 	@echo "Validating file contexts files ..."
 	$(SETFILES) -q -c $(POLICYVER) $(FC)
 
-reload tmp/load: $(FCPATH) $(LOADPATH)
+reload tmp/load: $(LOADPATH) 
 	@echo "Loading Policy ..."
 ifeq ($(VERS), $(KERNVERS))
 	$(LOADPOLICY) $(LOADPATH)
@@ -172,7 +172,7 @@
 endif
 	touch tmp/load
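Review bot: Dropping `$(FCPATH)` from the `reload` prerequisites means `make reload` after a file_contexts change loads the new policy but leaves the installed file_contexts stale, so setfiles and restorecon keep applying the old specs until someone runs `load`. If that split is intended, say so above the rule, `# reload: load the compiled policy only; 'load' also installs file_contexts`, so nobody relies on reload to refresh labels.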
 
-load: tmp/load
+load: tmp/load $(FCPATH) 
 
 enableaudit: policy.conf 
 	grep -v dontaudit policy.conf > policy.audit
@@ -213,8 +213,8 @@
 $(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types
 	@echo "Installing file contexts files..."
 	@mkdir -p $(CONTEXTPATH)/files
-	install -m 644 $(FC) $(FCPATH)
 	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+	install -m 644 $(FC) $(FCPATH)
 	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
 
 $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.11/net_contexts
--- nsapolicy/net_contexts	2005-04-06 06:57:43.000000000 -0400
+++ policy-1.23.11/net_contexts	2005-04-14 15:20:16.000000000 -0400
@@ -38,10 +38,8 @@
 portcon udp 892 system_u:object_r:inetd_child_port_t
 portcon tcp 2105 system_u:object_r:inetd_child_port_t
 ')
-ifdef(`use_ftpd', `
 portcon tcp 20 system_u:object_r:ftp_data_port_t
 portcon tcp 21 system_u:object_r:ftp_port_t
-')
 ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
 ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
 
@@ -98,7 +96,8 @@
 portcon udp 636 system_u:object_r:ldap_port_t
 
 ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
-ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
+portcon tcp 514 system_u:object_r:rsh_port_t
+
 ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
 ifdef(`syslogd.te', `
 portcon udp 514 system_u:object_r:syslogd_port_t
@@ -121,6 +120,13 @@
 portcon tcp 4444 system_u:object_r:kerberos_master_port_t
 portcon udp 4444 system_u:object_r:kerberos_master_port_t
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`uucpd.te', `
+portcon tcp 540 system_u:object_r:uucpd_port_t
+')
+ifdef(`cvs.te', `
+portcon tcp 2401 system_u:object_r:cvs_port_t
+portcon udp 2401 system_u:object_r:cvs_port_t
+')
 ifdef(`rsync.te', `
 portcon tcp 873 system_u:object_r:rsync_port_t
 portcon udp 873 system_u:object_r:rsync_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/compat.te policy-1.23.11/targeted/domains/program/compat.te
--- nsapolicy/targeted/domains/program/compat.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.11/targeted/domains/program/compat.te	2005-04-14 15:20:16.000000000 -0400
@@ -0,0 +1,9 @@
+typealias sbin_t alias setfiles_exec_t;
+typealias bin_t alias mount_exec_t;
+typealias sbin_t alias restorecon_exec_t;
+typealias bin_t alias hostname_exec_t;
+typealias sbin_t alias consoletype_exec_t;
+typealias bin_t alias loadkeys_exec_t;
+typealias bin_t alias dmesg_exec_t;
+typealias sbin_t alias fsadm_exec_t;
+typealias sbin_t alias kudzu_exec_t;
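Review bot: Aliasing strict-policy exec types such as `mount_exec_t` and `setfiles_exec_t` to the generic `bin_t`/`sbin_t` means any rule in a shared macro or .te file that names one of these types now applies to every binary in /bin or /sbin in the targeted build; a `domain_auto_trans(foo_t, mount_exec_t, mount_t)` that gets compiled in would make foo_t transition on every bin_t execution, and a `can_exec(foo_t, restorecon_exec_t)` becomes execute on all of sbin_t. The file has no header explaining this, so add one, e.g. `# targeted: these strict-policy exec types collapse onto bin_t/sbin_t; any rule naming them applies to the whole directory`. I cannot see which macros reference these aliases, so the actual impact is inferred.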
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.11/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.11/targeted/domains/unconfined.te	2005-04-14 15:20:16.000000000 -0400
@@ -15,11 +15,9 @@
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
 typealias bin_t alias su_exec_t;
-typealias unconfined_t alias { kernel_t logrotate_t sendmail_t sshd_t sysadm_t rpm_t rpm_script_t xdm_t };
-define(`admin_tty_type', `{ tty_device_t devpts_t }')
-
-#type of rundir to communicate with dbus
-type system_dbusd_var_run_t, file_type, sysadmfile;
+typealias unconfined_t alias { kernel_t logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+typeattribute tty_device_t admin_tty_type;
+typeattribute devpts_t admin_tty_type;
 
 # User home directory type.
 type user_home_t, file_type, sysadmfile, home_type;
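Review bot: The hunk deletes the `type system_dbusd_var_run_t` declaration with no replacement visible here; if no other targeted file now declares it, any file_contexts entry for /var/run/dbus still naming that type fails setfiles validation and the build stops. If the declaration moved to a dbus .te file, a one-line note at the old spot, `# system_dbusd_var_run_t is now declared with the dbus domain`, would save the next reader the search. The new `secadm_t` alias also means the sysadm/secadm split has no effect in targeted, which matches the rest of the alias list but deserves a word in the comment above it.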
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.11/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.11/tunables/distro.tun	2005-04-14 15:20:16.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.11/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.11/tunables/tunable.tun	2005-04-14 15:21:06.000000000 -0400
@@ -2,7 +2,7 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
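Review bot: Turning on `unlimitedRPM` by default makes rpm and, through it, every package scriptlet run unconfined, so a malicious or compromised package can do anything regardless of the rest of the policy. That is a deliberate distribution trade-off, but this file is the only place it is recorded, so state it, e.g. `# Enabled by default for Fedora: package scriptlets need unrestricted access; disable on hardened hosts`.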
@@ -20,11 +20,11 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
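Review bot: Enabling `user_canbe_sysadm` lets user_r reach sysadm_r via su, sudo or userhelper, which removes the staff_r/user_r distinction that strict policy relies on, and enabling `hide_broken_symptoms` activates dontaudit rules so those denials never reach the audit log where an analyst would see them. Both may be the right distribution defaults, but the existing comments describe what the defines do rather than why they are now on; a line such as `# Fedora default: disable on sites that separate staff_r from user_r` under each would make the choice visible to anyone hardening the build.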
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.11/types/file.te
--- nsapolicy/types/file.te	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.11/types/file.te	2005-04-14 15:20:16.000000000 -0400
@@ -318,4 +318,5 @@
 allow file_type removable_t:filesystem associate;
 allow file_type noexattrfile:filesystem associate;
 
-
+# Type for anonymous FTP data, used by ftp and rsync
+type ftpd_anon_t, file_type, sysadmfile, customizable;
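Review bot: `ftpd_anon_t` is declared with the `customizable` attribute, which, through the customizable_types list the Makefile installs, makes setfiles and restorecon leave files already carrying the type alone; combined with the new /srv/rsync spec that means content copied into an rsync module keeps its old label until relabeled explicitly, and a file deliberately labeled ftpd_anon_t anywhere on the system is never reset by a relabel. If that is intended, the comment should say so: `# customizable: admins may label arbitrary trees ftpd_anon_t; relabels do not undo it`. The customizable_types handling itself is not in this diff, so the relabel behaviour is inferred.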
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.11/types/network.te
--- nsapolicy/types/network.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.11/types/network.te	2005-04-14 15:20:16.000000000 -0400
@@ -22,6 +22,7 @@
 #
 # Defines used by the te files need to be defined outside of net_constraints
 #
+type rsh_port_t, port_type, reserved_port_type;
 type dns_port_t, port_type, reserved_port_type;
 type smtp_port_t, port_type, reserved_port_type;
 type dhcpd_port_t, port_type, reserved_port_type;
@@ -39,12 +40,9 @@
 ifdef(`use_pop', `
 type pop_port_t, port_type, reserved_port_type;
 ')
-ifdef(`ftpd.te', `
-define(`use_ftpd')
-')
-ifdef(`publicfile.te', `
-define(`use_ftpd')
-')
+
+type ftp_port_t, port_type, reserved_port_type;
+type ftp_data_port_t, port_type, reserved_port_type;
 
 ifdef(`dhcpd.te', `define(`use_pxe')')
 ifdef(`pxe.te', `define(`use_pxe')')
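Review bot: `ftp_port_t` and `ftp_data_port_t` are now declared unconditionally here while the old `use_ftpd` define is removed; if ftpd.te or publicfile.te still declares either type, the build fails with a duplicate declaration, and any rule still wrapped in `ifdef(use_ftpd)` there is silently dropped. The same check applies to `rsh_port_t` in the previous hunk versus rshd.te. Those .te files are not in this diff, so please grep them before merging.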
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.23.11/types/security.te
--- nsapolicy/types/security.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.11/types/security.te	2005-04-14 15:20:16.000000000 -0400
@@ -24,20 +24,20 @@
 # policy_src_t is the type of the policy source
 # files.
 #
-type policy_src_t, file_type, sysadmfile;
+type policy_src_t, file_type;
 
 
 #
 # default_context_t is the type applied to 
 # /etc/selinux/*/contexts/*
 #
-type default_context_t, file_type, sysadmfile, login_contexts;
+type default_context_t, file_type, login_contexts;
 
 #
 # file_context_t is the type applied to 
 # /etc/selinux/*/contexts/files
 #
-type file_context_t, file_type, sysadmfile;
+type file_context_t, file_type;
 
 #
 # no_access_t is the type for objects that should
@@ -49,6 +49,6 @@
 # selinux_config_t is the type applied to 
 # /etc/selinux/config
 #
-type selinux_config_t, file_type, sysadmfile;
+type selinux_config_t, file_type;
 
 
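Review bot: Removing `sysadmfile` from `policy_src_t`, `default_context_t`, `file_context_t` and `selinux_config_t` withdraws the blanket access sysadm_t had to the policy sources and /etc/selinux, which is a good least-privilege step, but unless explicit rules grant it elsewhere, editing /etc/selinux/config or running `make load` from sysadm_r is now denied. The hunk gives no hint of where that access lives, so note it next to the declarations, e.g. `# not sysadmfile: access to policy files must be granted explicitly to the administering domains`. The replacement rules are not in this diff, so whether administration keeps working is unverified here.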

* Latest diffs
@ 2005-02-10 23:24 Daniel J Walsh
From: Daniel J Walsh @ 2005-02-10 23:24 UTC (permalink / raw)
  To: SELinux, Stephen Smalley, Jim Carter

[-- Attachment #1: Type: text/plain, Size: 725 bytes --]

Added secure_file_type attribute

Added dnssec for dns key files to be shared between named and dhcpd.

Added java vm policy

lots of new textrel_shlib_t specs

Fixes to mailman policy to allow creation of new lists

Add mplayer policy

Fixes to make postfix work in targeted policy.

Fixes to allow nmap to run under traceroute policy

Addition of file_browse_domain macro.

Added access_terminal macro

Added legacy_domain macro

Stop httpd_sys_script_t from transitioning in targeted policy if 
httpd_disable_trans is set.

Cleanup tmpreaper, additional tmpfile file_contexts.

Fixes for execmem and execmod

Fixes to Makefile to create homedir_template

Fixes to unconfined.te for targeted to allow sigchld and fd use




[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 67695 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.21.12/attrib.te
--- nsapolicy/attrib.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/attrib.te	2005-02-10 15:21:08.000000000 -0500
@@ -221,6 +221,11 @@
 # appropriate.
 attribute file_type;
 
+# The secure_file_type attribute identifies files 
+# which will be treated with a higer level of security.
+# Most domains will be prevented from manipulating files in this domain
+attribute secure_file_type;
+
 # The device_type attribute identifies all types assigned to device nodes
 attribute device_type;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.21.12/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2005-02-10 14:48:38.000000000 -0500
+++ policy-1.21.12/domains/program/ldconfig.te	2005-02-10 15:21:08.000000000 -0500
@@ -38,14 +38,14 @@
 dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
-ifdef(`distro_suse', `
-# because of libraries in /var/lib/samba/bin
 allow ldconfig_t { var_t var_lib_t }:dir search;
-')
-
 allow ldconfig_t proc_t:file read;
 ifdef(`hide_broken_symptoms', `
 ifdef(`unconfined.te',`
 dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-')
+');
 ')dnl end hide_broken_symptoms
+ifdef(`targeted_policy', `
+allow ldconfig_t lib_t:file r_file_perms;
+unconfined_domain(ldconfig_t) 
+')
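Review bot: The `');` closer on the inner unconfined.te ifdef leaves a stray `;` in the generated policy.conf whenever `hide_broken_symptoms` is defined, because m4 passes the character through once the quote ends, and checkpolicy is likely to reject the empty statement. The closer should be plain `')` like the one that follows it. In the targeted branch, `unconfined_domain(ldconfig_t)` already covers everything, so `allow ldconfig_t lib_t:file r_file_perms;` is redundant and can mislead a reader into thinking ldconfig is confined there.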
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.21.12/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2005-02-09 15:01:28.000000000 -0500
+++ policy-1.21.12/domains/program/syslogd.te	2005-02-10 15:21:08.000000000 -0500
@@ -103,3 +103,5 @@
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
 dontaudit syslogd_t unlabeled_t:file read;
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
+allow syslogd_t self:capability net_admin;
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
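Review bot: `allow syslogd_t self:capability net_admin;` hands syslogd CAP_NET_ADMIN, which covers interface configuration, routing changes and privileged socket options, far more than the netlink read it is paired with. Reading the routing table (`r_netlink_socket_perms` on a route socket) does not itself require net_admin, so if the capability came from a single denial in the audit log it may be satisfiable with a `dontaudit`; if it is genuinely needed, a comment naming the operation, `# net_admin: needed for <operation>`, should accompany it. The triggering denial is not in this diff, so this is a request for justification rather than a definite defect.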
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.21.12/domains/program/tmpreaper.te
--- nsapolicy/domains/program/tmpreaper.te	2005-02-10 14:48:38.000000000 -0500
+++ policy-1.21.12/domains/program/tmpreaper.te	2005-02-10 15:21:08.000000000 -0500
@@ -28,15 +28,6 @@
 r_dir_file(tmpreaper_t, var_lib_t)
 allow tmpreaper_t device_t:dir { getattr search };
 allow tmpreaper_t urandom_device_t:chr_file { getattr read };
-rw_dir_file(tmpreaper_t, var_spool_t)
-allow tmpreaper_t var_spool_t:dir setattr;
-allow tmpreaper_t print_spool_t:dir setattr;
-rw_dir_file(tmpreaper_t, print_spool_t)
 
-ifdef(`distro_redhat', `
-# for the Red Hat tmpreaper program which also manages tetex indexes
-create_dir_file(tmpreaper_t, tetex_data_t)
-allow tmpreaper_t catman_t:dir setattr;
-')
 read_locale(tmpreaper_t)
-
+dontaudit tmpreaper_t init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.12/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-02-10 14:48:39.000000000 -0500
+++ policy-1.21.12/domains/program/unused/apache.te	2005-02-10 15:21:08.000000000 -0500
@@ -305,7 +305,7 @@
 # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
 # This is a bug but it still exists in FC2
 #
-type httpd_runtime_t, file_type, sysadmfile;
+typealias httpd_log_t  alias httpd_runtime_t;
 allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
 ') dnl distro_redhat
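Review bot: Replacing the separate `httpd_runtime_t` type with `typealias httpd_log_t alias httpd_runtime_t` changes the meaning of the rule directly below it: `allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append }` now grants httpd_sys_script_t append on every httpd_log_t file, so a compromised or malicious CGI can append forged entries to the access and error logs instead of only to the jk2.shm file the comment describes. If the goal is just to label jk2.shm sensibly, keep a distinct type for it and restrict the append rule to `httpd_t`. This assumes httpd_sys_script_t did not already hold append on httpd_log_t elsewhere, which the diff does not show.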
 #
@@ -322,7 +322,7 @@
 create_dir_file(httpd_t, httpd_squirrelmail_t)
 allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
 # File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile;
+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
 allow httpd_t var_spool_t:dir { getattr search };
 create_dir_file(httpd_t, squirrelmail_spool_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.21.12/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te	2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.12/domains/program/unused/cardmgr.te	2005-02-10 15:21:08.000000000 -0500
@@ -44,9 +44,6 @@
 
 # Create device files in /tmp.
 type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
-ifdef(`tmpreaper.te', `
-allow tmpreaper_t cardmgr_dev_t:chr_file { getattr unlink };
-')
 file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
 
 # Create symbolic links in /dev.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.21.12/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-02-10 14:48:39.000000000 -0500
+++ policy-1.21.12/domains/program/unused/cups.te	2005-02-10 15:21:08.000000000 -0500
@@ -33,10 +33,8 @@
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
 
-ifdef(`usbmodules.te', `
 r_dir_file(cupsd_t, usbdevfs_t)
 r_dir_file(cupsd_t, usbfs_t)
-')
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.21.12/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te	2005-02-09 15:01:28.000000000 -0500
+++ policy-1.21.12/domains/program/unused/dhcpd.te	2005-02-10 15:21:08.000000000 -0500
@@ -75,3 +75,8 @@
 ')
 r_dir_file(dhcpd_t, usr_t)
 allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+
+ifdef(`named.te', `
+allow dhcpd_t { named_conf_t named_zone_t }:dir search;
+allow dhcpd_t dnssec_t:file { getattr read };
+')
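Review bot: `allow dhcpd_t dnssec_t:file { getattr read };` lets the DHCP server read whatever gets labeled `dnssec_t`; the type name suggests zone-signing keys, but the stated purpose (a key shared between named and dhcpd) is the TSIG key for dynamic DNS updates, and if signing keys end up under the same label dhcpd can read those too. A dedicated type for the shared TSIG key, or a comment pinning the scope, `# read the TSIG key shared with named for DDNS updates; do not label signing keys dnssec_t`, would keep the two apart. The file_contexts assigning dnssec_t are not in this diff, so what actually carries the label is unknown here.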
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.21.12/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-02-10 14:48:39.000000000 -0500
+++ policy-1.21.12/domains/program/unused/ftpd.te	2005-02-10 15:21:08.000000000 -0500
@@ -90,9 +90,7 @@
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
 dontaudit ftpd_t selinux_config_t:dir search;
-ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir search;
-')
 allow ftpd_t self:file { getattr read };
 tmp_domain(ftpd)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/java.te policy-1.21.12/domains/program/unused/java.te
--- nsapolicy/domains/program/unused/java.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.12/domains/program/unused/java.te	2005-02-10 15:21:08.000000000 -0500
@@ -0,0 +1,14 @@
+#DESC Java VM 
+#
+# Authors: Dan Walsh <dwalsh@redhat.com> 
+# X-Debian-Packages: java
+#
+
+# Type for the netscape, java or other browser executables.
+type java_exec_t, file_type, sysadmfile, exec_type;
+
+# Allow java to read files in the user home directory
+bool disable_java false;
+
+# Everything else is in the java_domain macro in
+# macros/program/java_macros.te.
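Review bot: The comment above `bool disable_java false;` says the boolean allows java to read the user's home directory, which does not describe something named disable_java, and the comment above `java_exec_t` ("netscape, java or other browser executables") reads like a copy from mozilla.te. Both should describe this domain: if disable_java follows the other disable_* booleans and turns off the domain transition, write `# Set true to run java in the caller's domain instead of transitioning` (confirm against java_macros.te, which is not in this diff), and `# Type for the Java VM executables` for the type.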
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.21.12/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te	2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.12/domains/program/unused/kerberos.te	2005-02-10 15:21:08.000000000 -0500
@@ -23,7 +23,7 @@
 can_exec(kadmind_t, kadmind_exec_t)
 
 # types for general configuration files in /etc
-type krb5_keytab_t, file_type, sysadmfile;
+type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
 
 # types for KDC configs and principal file(s)
 type krb5kdc_conf_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.21.12/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te	2005-02-09 15:01:28.000000000 -0500
+++ policy-1.21.12/domains/program/unused/mailman.te	2005-02-10 15:21:08.000000000 -0500
@@ -20,7 +20,7 @@
 can_exec_any(mailman_$1_t)
 allow mailman_$1_t { proc_t sysctl_t sysctl_kernel_t }:dir search;
 allow mailman_$1_t { proc_t sysctl_kernel_t }:file { read getattr };
-allow mailman_$1_t var_lib_t:dir { getattr search read };
+allow mailman_$1_t var_lib_t:dir r_dir_perms;
 allow mailman_$1_t var_lib_t:lnk_file read;
 allow mailman_$1_t device_t:dir search;
 allow mailman_$1_t etc_runtime_t:file { read getattr };
@@ -29,8 +29,10 @@
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
-allow mailman_$1_t self:unix_stream_socket create_socket_perms;
+can_ypbind(mailman_$1_t)
+allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
+tmp_domain(mailman_$1)
 ')
 
 mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
@@ -71,7 +73,7 @@
 domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
 # should have separate types for public and private archives
 r_dir_file(httpd_t, mailman_archive_t)
-rw_dir_create_file(mailman_cgi_t, mailman_archive_t)
+create_dir_file(mailman_cgi_t, mailman_archive_t)
 allow httpd_t mailman_data_t:dir { getattr search };
 
 dontaudit mailman_cgi_t httpd_log_t:file append;
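Review bot: `create_dir_file(mailman_cgi_t, mailman_archive_t)` widens the web-reachable CGI domain from read/write on archive directories to the full create-directory permission set, which in this policy family I believe includes removing and renaming directories; the commit only needs to create new list archives, so adding `create` (and `setattr` if needed) on top of the existing rw rule would do. The neighbouring remark that public and private archives should have separate types becomes more pressing once the CGI can create and remove archive trees. The macro definitions are not in this diff, so the exact permission delta is inferred from their names.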
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mplayer.te policy-1.21.12/domains/program/unused/mplayer.te
--- nsapolicy/domains/program/unused/mplayer.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.12/domains/program/unused/mplayer.te	2005-02-10 15:21:08.000000000 -0500
@@ -0,0 +1,12 @@
+#DESC mplayer - media player 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for the mplayer executable.
+type mplayer_exec_t, file_type, exec_type, sysadmfile;
+type mencoder_exec_t, file_type, exec_type, sysadmfile;
+type mplayer_etc_t, file_type, sysadmfile;
+
+# Everything else is in the mplayer_domain macro in
+# macros/program/mplayer_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.21.12/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2005-02-09 15:01:28.000000000 -0500
+++ policy-1.21.12/domains/program/unused/mta.te	2005-02-10 15:21:08.000000000 -0500
@@ -20,7 +20,9 @@
 # "mail user@domain"
 mail_domain(system)
 
-ifdef(`targeted_policy', `', `
+ifdef(`targeted_policy', `
+ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
+', `
 ifdef(`sendmail.te', `
 # sendmail has an ugly design, the one process parses input from the user and
 # then does system things with it.
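Review bot: `can_exec_any(system_mail_t)` in the targeted, no-postfix branch lets the system mail domain execute any executable type on the system in place, which is far more than a local delivery path (procmail, a sendmail wrapper) needs and makes system_mail_t a convenient pivot for anything that can feed it mail. If this is a stopgap for sendmail under targeted, say so with a comment and a TODO naming the helpers that actually need execution, e.g. `# TODO: replace can_exec_any with can_exec on the specific delivery helpers`. Which executables sendmail invokes here is not shown, so the narrower list is for the author to determine.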
@@ -73,11 +75,11 @@
 # targeted policy.  We could move these rules permanantly here.
 ifdef(`targeted_policy', `
 allow system_mail_t self:dir { search };
-allow system_mail_t proc_t:dir search;
-allow system_mail_t proc_t:{ file lnk_file } { getattr read };
+r_dir_file(system_mail_t, { proc_t proc_net_t })
 allow system_mail_t fs_t:filesystem getattr;
 allow system_mail_t { var_t var_spool_t }:dir getattr;
 create_dir_file( system_mail_t, mqueue_spool_t)
+allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
 ')
 allow system_mail_t etc_runtime_t:file { getattr read };
 allow system_mail_t urandom_device_t:chr_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.21.12/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2005-02-10 14:48:39.000000000 -0500
+++ policy-1.21.12/domains/program/unused/named.te	2005-02-10 15:21:08.000000000 -0500
@@ -42,6 +42,10 @@
 # for secondary zone files
 type named_cache_t, file_type, sysadmfile;
 
+# for DNSSEC key files
+type dnssec_t, file_type, sysadmfile, secure_file_type;
+allow { ndc_t named_t } dnssec_t:file { getattr read };
+
 # Use capabilities. Surplus capabilities may be allowed.
 allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.21.12/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2005-02-10 14:48:39.000000000 -0500
+++ policy-1.21.12/domains/program/unused/nscd.te	2005-02-10 15:21:08.000000000 -0500
@@ -72,4 +72,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-allow nscd_t urandom_device_t:chr_file { getattr read };
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.12/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-02-10 14:48:40.000000000 -0500
+++ policy-1.21.12/domains/program/unused/samba.te	2005-02-10 15:21:08.000000000 -0500
@@ -164,9 +164,8 @@
 r_dir_file(smbmount_t, proc_t)
 
 # Fork smbmnt 
-# FIXME: label bin_t as more restricted type?
 allow smbmount_t bin_t:dir r_dir_perms;
-can_exec(smbmount_t,bin_t)
+can_exec(smbmount_t, smbmount_exec_t)
 allow smbmount_t self:process { fork signal_perms };
 
 # Mount 
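Review bot: Replacing `can_exec(smbmount_t, bin_t)` with `can_exec(smbmount_t, smbmount_exec_t)` is the right narrowing, but it only works if the smbmnt helper the comment says is forked is labeled `smbmount_exec_t` in samba.fc; if it is still `bin_t`, mounting fails at the exec. The comment should name that dependency, `# Fork smbmnt (must be labeled smbmount_exec_t in samba.fc)`. samba.fc is not in this diff, so the label is unverified.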
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/traceroute.te policy-1.21.12/domains/program/unused/traceroute.te
--- nsapolicy/domains/program/unused/traceroute.te	2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.12/domains/program/unused/traceroute.te	2005-02-10 15:21:08.000000000 -0500
@@ -39,8 +39,8 @@
 
 # for lft
 allow traceroute_t self:packet_socket create_socket_perms;
-allow traceroute_t proc_t:dir search;
-allow traceroute_t proc_t:file { getattr read };
+r_dir_file(traceroute_t, proc_t)
+r_dir_file(traceroute_t, proc_net_t)
 
 # Access the terminal.
 allow traceroute_t admin_tty_type:chr_file rw_file_perms;
@@ -58,3 +58,8 @@
 	allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
 }
 ')
+#rules needed for nmap
+allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+allow traceroute_t usr_t:file { getattr read };
+read_locale(traceroute_t)
+dontaudit traceroute_t userdomain:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.21.12/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-02-09 15:01:44.000000000 -0500
+++ policy-1.21.12/file_contexts/distros.fc	2005-02-10 17:31:57.000000000 -0500
@@ -36,6 +36,7 @@
 /usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
 /usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
 /usr/share/ssl/certs(/.*)?		system_u:object_r:cert_t
+/usr/share/ssl/private(/.*)?		system_u:object_r:cert_t
 /usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
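Review bot: `/usr/share/ssl/private(/.*)?` labels private keys `cert_t`, the same type as the public certificates in `/usr/share/ssl/certs`, so every domain allowed to read CA certificates (anything validating TLS peers) can now also read the host's private keys. Private keys need their own type with read limited to the daemons that own them; at minimum do not fold them into the certificate type. If a quick label was needed to stop them being left as `usr_t`, a comment flagging the temporary nature, `# FIXME: private keys should not share cert_t with public certs`, would keep it from becoming permanent.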
 #
 # /emul/ia32-linux/usr
@@ -64,8 +65,81 @@
 /var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t
 ')
 
-/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
+# The following are libraries with text relocations in need of execmod permissions
+# Some of them should be fixed and removed from this list
+
+# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
+# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
+/usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 		-- system_u:object_r:texrel_shlib_t
+/usr/lib/libg\+\+\.so\.2\.7\.2\.8		-- system_u:object_r:texrel_shlib_t
+/usr/lib/libglide3\.so.* 			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libdv\.so.* 				-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/oggfformat\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/theorarend\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/vorbisrend\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/colorcvt\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/cvt1\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libSDL-.*\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/libpthread\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgpreload_addrcheck\.so	-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgpreload_memcheck\.so	-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_addrcheck\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_cachegrind\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_callgrind\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_corecheck\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_helgrind\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_lackey\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_massif\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_memcheck\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vgskin_none\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ooo-.*/program/libicudata\.so.*	-- system_u:object_r:texrel_shlib_t
+/usr/lib/ooo-.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ooo-.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
+/usr/lib/ooo-.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
+# Fedora Extras packages: ladspa, imlib2, ocaml
+/usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_iir_1892\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/butterworth_1902\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/fm_osc_1415\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gsm_1215\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gverb_1216\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/hermes_filter_1200\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/highpass_iir_1890\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/lowpass_iir_1891\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/notch_iir_1894\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1193\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1194\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc1_1425\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc2_1426\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc3_1427\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc4_1882\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
+
+# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+/usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/libpostproc\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libavformat-.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libavcodec-.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libxvidcore\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/xine/plugins/.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libgsm\.so.*				-- system_u:object_r:texrel_shlib_t
+/usr/lib/libmp3lame\.so.*			-- system_u:object_r:texrel_shlib_t
+
+# Flash plugin, Macromedia
+HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t
+
+# Jai, Sun Microsystems (Jpackage SPRM)
+/usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t
 
 ')
 
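Review bot: `HOME_DIR/.*/plugins/libflashplayer\.so.*` assigns a system library type, `texrel_shlib_t`, to a path under a user's home directory; a relabel then turns a user-supplied file into one that domains permitted execmod on texrel_shlib_t may map writable-and-executable, which is exactly what the no-execmod rules for home content are meant to prevent. Because the spec only takes effect on relabel it is not an immediate hole, but it should be documented as a deliberate exception, e.g. `# user-installed flash plugin: execmod permitted on this one home path only`, or replaced by a boolean the user can set. Which domains are allowed execmod on texrel_shlib_t is not shown here.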
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/java.fc policy-1.21.12/file_contexts/program/java.fc
--- nsapolicy/file_contexts/program/java.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.12/file_contexts/program/java.fc	2005-02-10 15:21:08.000000000 -0500
@@ -0,0 +1,2 @@
+#  java
+/usr(/.*)?/bin/java.* --	system_u:object_r:java_exec_t
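Review bot: The new `/usr(/.*)?/bin/java.*` entry matches every executable whose name starts with `java` in any `bin` directory below /usr, so `javac`, `javadoc`, `javap` and similar tools would also be labeled java_exec_t and run in the java domain, which java_macros.te in this series gives network-client access and boolean-gated execmem/execmod. If only the launcher (and, if needed, `javaws`) is meant to be confined, spell that out, e.g. `/usr(/.*)?/bin/java(ws)? -- system_u:object_r:java_exec_t`, and add a comment naming the intended binaries so the wildcard is not widened by accident.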
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.21.12/file_contexts/program/mozilla.fc
--- nsapolicy/file_contexts/program/mozilla.fc	2005-02-09 15:01:30.000000000 -0500
+++ policy-1.21.12/file_contexts/program/mozilla.fc	2005-02-10 15:21:08.000000000 -0500
@@ -7,6 +7,7 @@
 HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/My.Downloads(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
+HOME_DIR/\.java(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
 /usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
 /usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
 /usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
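Review bot: Labeling `HOME_DIR/\.java(/.*)?` as ROLE_mozilla_rw_t makes everything under ~/.java executable by the browser, because mozilla_macros.te grants `can_exec($1_mozilla_t, $1_mozilla_rw_t)`, and the java domain in this series writes there through `rw_dir_file($1_java_t, $1_rw_t)`. If the intent is only to let the plugin keep its cache and deployment files, a dedicated read/write type that the browser cannot execute would be safer; at minimum add a comment such as `# java plugin state; mozilla_rw_t is executable by the browser domain` so the trade-off is recorded.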
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mplayer.fc policy-1.21.12/file_contexts/program/mplayer.fc
--- nsapolicy/file_contexts/program/mplayer.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.12/file_contexts/program/mplayer.fc	2005-02-10 15:21:08.000000000 -0500
@@ -0,0 +1,6 @@
+# mplayer
+/usr/bin/mplayer	--	   	system_u:object_r:mplayer_exec_t
+/usr/bin/mencoder	--	   	system_u:object_r:mencoder_exec_t
+
+/etc/mplayer(/.*)?		system_u:object_r:mplayer_etc_t
+HOME_DIR/\.mplayer(/.*)?        system_u:object_r:ROLE_mplayer_rw_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mta.fc policy-1.21.12/file_contexts/program/mta.fc
--- nsapolicy/file_contexts/program/mta.fc	2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.12/file_contexts/program/mta.fc	2005-02-10 15:21:08.000000000 -0500
@@ -5,3 +5,8 @@
 /etc/aliases\.db	--	system_u:object_r:etc_aliases_t
 /var/spool/mail(/.*)?		system_u:object_r:mail_spool_t
 /var/mail(/.*)?			system_u:object_r:mail_spool_t
+ifdef(`postfix.te', `', `
+/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t
+/var/spool/postfix(/.*)?		system_u:object_r:mail_spool_t
+')
+
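Review bot: The `ifdef(`postfix.te', ...)` fallback labels the whole `/var/spool/postfix(/.*)?` tree as mail_spool_t, whereas postfix.fc separates `private/`, `public/`, `pid/` and the bounce/flush queues into their own types; with postfix policy left out, any domain allowed to read mail_spool_t can presumably reach the postfix control sockets and queue files. If the fallback only exists so a postfix-built sendmail works, keep it to the `sendmail.postfix` line and explain the spool label in a comment, e.g. `# no postfix policy built: queue is treated as a generic mail spool`. The added trailing blank line after `')` is also unneeded.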
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.21.12/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc	2005-02-09 15:01:30.000000000 -0500
+++ policy-1.21.12/file_contexts/program/named.fc	2005-02-10 15:21:08.000000000 -0500
@@ -14,6 +14,7 @@
 ') dnl distro_debian
 
 /etc/rndc.*		--	system_u:object_r:named_conf_t
+/etc/rndc.key  		-- 	system_u:object_r:dnssec_t
 /usr/sbin/named      	--	system_u:object_r:named_exec_t
 /usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t
 /var/run/ndc		-s	system_u:object_r:named_var_run_t
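Review bot: `/etc/rndc.key` on the added line has an unescaped `.`, so it also matches names like `rndcXkey`; other entries in this file escape it (`named\.conf`), so this should read `/etc/rndc\.key -- system_u:object_r:dnssec_t`. The line is only effective because it follows `/etc/rndc.*` and the last matching specification wins; a comment such as `# must stay after the rndc.* line so the key gets dnssec_t` would keep a later reorder from silently relabeling the rndc HMAC key as named_conf_t.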
@@ -26,8 +27,8 @@
 /var/named/chroot/dev/null   -c	system_u:object_r:null_device_t
 /var/named/chroot/dev/random -c	system_u:object_r:random_device_t
 /var/named/chroot/dev/zero -c	system_u:object_r:zero_device_t
-/var/named/chroot/etc/named\.conf -- system_u:object_r:named_conf_t
-/var/named/chroot/etc/rndc.* -- system_u:object_r:named_conf_t
+/var/named/chroot/etc(/.*)? 	system_u:object_r:named_conf_t
+/var/named/chroot/etc/rndc.key  -- system_u:object_r:dnssec_t
 /var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t
 /var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t
 /var/named/chroot/var/named(/.*)?	system_u:object_r:named_zone_t
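Review bot: Same escaping issue on `/var/named/chroot/etc/rndc.key`: the dot should be `\.` as in the surrounding patterns, and the line depends on staying after the new `/var/named/chroot/etc(/.*)?` catch-all to win. That catch-all now labels anything placed in the chroot's etc as named_conf_t, broader than the two explicit entries it replaces; if that is intended (for localtime and similar copies), say so in a comment above it.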
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postfix.fc policy-1.21.12/file_contexts/program/postfix.fc
--- nsapolicy/file_contexts/program/postfix.fc	2005-02-09 15:01:30.000000000 -0500
+++ policy-1.21.12/file_contexts/program/postfix.fc	2005-02-10 15:21:08.000000000 -0500
@@ -28,17 +28,12 @@
 /usr/sbin/postsuper	--	system_u:object_r:postfix_master_exec_t
 /usr/sbin/rmail		--	system_u:object_r:sendmail_exec_t
 /usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t
-/var/spool/postfix(/[^/]+)?	system_u:object_r:postfix_spool_t
-/var/spool/postfix/active(/.*)?	system_u:object_r:postfix_spool_t
-/var/spool/postfix/hold(/.*)?	system_u:object_r:postfix_spool_t
-/var/spool/postfix/incoming(/.*)? system_u:object_r:postfix_spool_t
-/var/spool/postfix/corrupt(/.*)? system_u:object_r:postfix_spool_t
+/var/spool/postfix(/.*)?	system_u:object_r:postfix_spool_t
 /var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t
 /var/spool/postfix/pid	-d	system_u:object_r:var_run_t
 /var/spool/postfix/pid/.*	system_u:object_r:postfix_var_run_t
 /var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t
 /var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t
-/var/spool/postfix/defer(red)?(/.*)? system_u:object_r:postfix_spool_t
 /var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t
 /var/spool/postfix/flush(/.*)?	system_u:object_r:postfix_spool_flush_t
 /var/spool/postfix/etc(/.*)?	system_u:object_r:etc_t
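Review bot: Collapsing the explicit queue directories into `/var/spool/postfix(/.*)?` means any subdirectory not listed below it — including anything copied into the spool for a chrooted postfix other than `etc` — silently becomes postfix_spool_t, a type the queue domains can presumably write, rather than a read-only label. The specific entries that remain only take precedence because they come after the catch-all (last match wins), so add something like `# generic queue dirs; the more specific entries below must stay below this line`; the previous explicit list was arguably safer as a whitelist.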
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.21.12/file_contexts/program/samba.fc
--- nsapolicy/file_contexts/program/samba.fc	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/file_contexts/program/samba.fc	2005-02-10 15:21:08.000000000 -0500
@@ -20,5 +20,6 @@
 /var/run/samba/nmbd\.pid --	system_u:object_r:nmbd_var_run_t
 /var/spool/samba(/.*)?		system_u:object_r:samba_var_t
 ifdef(`mount.te', `
-/usr/bin/smbmount		system_u:object_r:smbmount_exec_t
+/usr/bin/smbmount	--	system_u:object_r:smbmount_exec_t
+/usr/bin/smbmnt		--	system_u:object_r:smbmount_exec_t
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.12/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc	2005-02-09 15:01:30.000000000 -0500
+++ policy-1.21.12/file_contexts/program/udev.fc	2005-02-10 15:21:08.000000000 -0500
@@ -6,6 +6,7 @@
 /usr/bin/udevinfo --	system_u:object_r:udev_exec_t
 /etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t
 /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
+/etc/udev/devices/.*    system_u:object_r:device_t
 /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
 /dev/\.udev\.tdb(/.*)?	--	system_u:object_r:udev_tdb_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.21.12/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-02-10 14:48:40.000000000 -0500
+++ policy-1.21.12/file_contexts/types.fc	2005-02-10 15:21:08.000000000 -0500
@@ -357,6 +357,9 @@
 /usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t
 
+# libGL
+/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t
+
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
 ')
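Review bot: `/usr/X11R6/lib/libGL\.so.*` is labeled texrel_shlib_t without a comment saying which libGL needs it; texrel_shlib_t permits execmod (a written-then-executable private mapping) for every domain granted it, so it should be reserved for libraries that really carry text relocations, typically vendor drivers. Mesa's libGL normally does not need this, so if the entry is for a vendor replacement installed over the same path, say so, e.g. `# vendor-provided libGL with text relocations; Mesa's does not need this`, or scope it to the vendor path like the nvidia entry above.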
diff --exclude-from=exclude -N -u -r nsapolicy/local.users policy-1.21.12/local.users
--- nsapolicy/local.users	2005-02-10 14:48:33.000000000 -0500
+++ policy-1.21.12/local.users	2005-02-10 17:07:17.000000000 -0500
@@ -14,4 +14,8 @@
 # The MLS default level and allowed range should only be specified if 
 # MLS was enabled in the policy.
 
+# sample for administrative user
+# user jadmin roles { staff_r sysadm_r system_r };
 
+# sample for regular user
+#user jdoe roles { user_r }; 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.21.12/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-02-10 14:48:42.000000000 -0500
+++ policy-1.21.12/macros/base_user_macros.te	2005-02-10 15:21:08.000000000 -0500
@@ -54,15 +54,15 @@
 # for eject
 allow $1_t fixed_disk_device_t:blk_file getattr;
 
-allow $1_t fs_type:dir { getattr };
+allow $1_t fs_type:dir getattr;
+
+allow $1_t event_device_t:chr_file { getattr read ioctl };
 
 # open office is looking for the following
 allow $1_t dri_device_t:chr_file getattr;
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-# Do not flood message log, if the user does ls -lR /
-dontaudit $1_t dev_fs:dir_file_class_set getattr;
-dontaudit $1_t sysadmfile:file getattr;
-dontaudit $1_t sysadmfile:dir read;
+
+file_browse_domain($1_t)
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
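Review bot: `allow $1_t event_device_t:chr_file { getattr read ioctl };` grants every user domain built from this template read access to the input event devices, which is exactly what a keystroke logger needs, leaving only DAC to stop it. If a specific program needs the input layer (the hunk does not say which), put the rule in that program's derived domain or behind a boolean rather than in the base user template, and add a why-comment naming the consumer. The `file_browse_domain($1_t)` replacement for the three dontaudit rules also dontaudits `read`/`search` on every non-secure directory, which hides more than the getattr-only rules it replaces; worth a comment so nobody debugs a silent search denial later.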
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.21.12/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/global_macros.te	2005-02-10 17:16:28.000000000 -0500
@@ -157,6 +157,19 @@
 ')
 
 
+###################################
+#
+# access_terminal(domain, typeprefix)
+#
+# Permissions for accessing the terminal
+#
+define(`access_terminal', `
+allow $1 $2_tty_device_t:chr_file { read write getattr };
+allow $1 devtty_t:chr_file { read write getattr };
+allow $1 devpts_t:dir { read search getattr };
+allow $1 $2_devpts_t:chr_file { read write getattr };
+') 
+
 #
 # general_proc_read_access(domain)
 #
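Review bot: The `{ read write getattr }` set in access_terminal drops `ioctl`, which the rw_file_perms rules it replaces throughout this series included and which mount_macros.te even listed explicitly for the tty; anything calling isatty()/tcgetattr on the terminal in those domains will now hit an ioctl denial. Use `{ read write getattr ioctl }` on the three chr_file lines (or rw_file_perms, if append/lock are acceptable), and document the macro's contract, e.g. `# Read/write the caller's tty or pty and /dev/tty; grants no setattr or relabel`. The trailing space after the closing `')` should go as well.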
@@ -491,6 +504,43 @@
 allow $1_t etc_t:dir r_dir_perms;
 ')
 
+# Do not flood message log, if the user does a browse
+define(`file_browse_domain', `
+
+# Regular files/directories that are not security sensitive
+dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
+dontaudit $1 file_type - secure_file_type:dir { read search };
+
+cc# /dev
+dontaudit $1 dev_fs:dir_file_class_set getattr;
+dontaudit $1 dev_fs:dir { read search };
+
+# /proc
+dontaudit $1 sysctl_t:dir_file_class_set getattr;
+dontaudit $1 proc_fs:dir { read search };
+
+')dnl end file_browse_domain
+
+
+# Define legacy_domain  for legacy binaries (java)
+# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
+# toolchain.  They cause the kernel to automatically start translating all
+# read protection requests to read|execute for backward compatibility on
+# x86.  They will all need execmem and execmod, including execmod to
+# shlib_t and ld_so_t unlike non-legacy binaries.
+
+define(`legacy_domain', `
+bool allow_$1_legacy false;
+if (allow_$1_legacy && allow_execmem) {
+allow $1_t self:process { execmem };
+}
+if (allow_$1_legacy && allow_execmod) {
+#Required when starting with /lib/tls/libc-
+allow $1_t { texrel_shlib_t shlib_t }:file execmod;
+allow $1_t ld_so_t:file execmod;
+}
+')
+
 # 
 # Define a domain that can do anything, so that it is
 # effectively unconfined by the SELinux policy.  This
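Review bot: The line `cc# /dev` inside file_browse_domain emits the stray token `cc` into the generated policy before the comment starts, which the policy compiler should reject; it should read `# /dev`. In legacy_domain, the comment ought to spell out that the execmod grant covers `shlib_t` and `ld_so_t` — every shared library and the dynamic loader, not just texrel_shlib_t — which is why it sits behind both the per-domain `allow_$1_legacy` boolean and the global `allow_execmod`; something like `# legacy binaries need execmod on ALL libraries, hence doubly gated` would do.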
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.21.12/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/program/apache_macros.te	2005-02-10 15:21:09.000000000 -0500
@@ -128,12 +128,16 @@
 #
 # If a user starts a script by hand it gets the proper context
 #
+if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+}
 role sysadm_r types httpd_$1_script_t;
 ', `
 
+if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 # If a user starts a script by hand it gets the proper context
 domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+}
 role $1_r types httpd_$1_script_t;
 
 #######################################
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.21.12/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/cdrecord_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -17,8 +17,7 @@
 allow $1_t $1_cdrecord_t:process signal;
 
 # write to the user domain tty.
-allow $1_cdrecord_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_cdrecord_t, $1)
 allow $1_cdrecord_t privfd:fd use;
 
 allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.21.12/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/chkpwd_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -43,8 +43,7 @@
 role $1_r types $1_chkpwd_t;
 
 # Write to the user domain tty.
-allow $1_chkpwd_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_chkpwd_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_chkpwd_t, $1)
 
 allow $1_chkpwd_t privfd:fd use;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/clamav_macros.te policy-1.21.12/macros/program/clamav_macros.te
--- nsapolicy/macros/program/clamav_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/clamav_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -48,8 +48,7 @@
 clamscan_domain($1)
 role $1_r types $1_clamscan_t;
 domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
-allow $1_clamscan_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_clamscan_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_clamscan_t, $1)
 r_dir_file($1_clamscan_t,$1_home_t);
 r_dir_file($1_clamscan_t,$1_home_dir_t);
 allow $1_clamscan_t $1_home_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crontab_macros.te policy-1.21.12/macros/program/crontab_macros.te
--- nsapolicy/macros/program/crontab_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/crontab_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -87,8 +87,7 @@
 
 # Access terminals.
 allow $1_crontab_t device_t:dir search;
-allow $1_crontab_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_crontab_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_crontab_t, $1);
 
 allow $1_crontab_t fs_t:filesystem getattr;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.21.12/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/gpg_agent_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -25,9 +25,7 @@
 allow $1_gpg_agent_t xdm_t:fd use;
 
 # Write to the user domain tty.
-allow $1_gpg_agent_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_gpg_agent_t $1_devpts_t:chr_file rw_file_perms;
-allow $1_gpg_agent_t devtty_t:chr_file { read write };
+access_terminal($1_gpg_agent_t, $1)
 
 # Allow the user shell to signal the gpg-agent program.
 allow $1_t $1_gpg_agent_t:process { signal sigkill };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.12/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/gpg_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -43,8 +43,7 @@
 allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
 
-allow $1_gpg_t devpts_t:dir search;
-allow $1_gpg_t { $1_devpts_t $1_tty_device_t }:chr_file rw_file_perms;
+access_terminal($1_gpg_t, $1)
 ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
 
 # Inherit and use descriptors
@@ -84,7 +83,6 @@
 }
 
 allow $1_gpg_t self:capability { ipc_lock setuid };
-allow $1_gpg_t devtty_t:chr_file rw_file_perms;
 rw_dir_create_file($1_gpg_t, $1_file_type)
 
 allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.21.12/macros/program/irc_macros.te
--- nsapolicy/macros/program/irc_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/irc_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -47,14 +47,13 @@
 
 allow $1_irc_t usr_t:file { getattr read };
 
+access_terminal($1_irc_t, $1)
 uses_shlib($1_irc_t)
 allow $1_irc_t etc_t:file { read getattr };
 read_locale($1_irc_t)
 allow $1_irc_t fs_t:filesystem getattr;
 allow $1_irc_t var_t:dir search;
-allow $1_irc_t devpts_t:dir { getattr read search };
 allow $1_irc_t device_t:dir search;
-allow $1_irc_t devtty_t:chr_file rw_file_perms;
 allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_irc_t privfd:fd use;
 allow $1_irc_t proc_t:dir search;
@@ -62,10 +61,6 @@
 allow $1_irc_t self:dir search;
 dontaudit $1_irc_t var_run_t:dir search;
 
-# Write to the user domain tty.
-allow $1_irc_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_irc_t $1_devpts_t:chr_file rw_file_perms;
-
 # allow utmp access
 allow $1_irc_t initrc_var_run_t:file read;
 dontaudit $1_irc_t initrc_var_run_t:file lock;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.21.12/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.12/macros/program/java_macros.te	2005-02-10 15:21:09.000000000 -0500
@@ -0,0 +1,117 @@
+#
+# Macros for java/java (or other browser) domains.
+#
+
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com> and Timothy Fraser 
+#
+
+#
+# java_domain(domain_prefix, user)
+#
+# Define a derived domain for the java/java program when executed by
+# a web browser.  
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/java.te. 
+#
+define(`java_domain',`
+type $1_java_t, domain, privlog , nscd_client_domain, transitionbool;
+
+# The user role is authorized for this domain.
+role $2_r types $1_java_t;
+domain_auto_trans($1_t, java_exec_t, $1_java_t)
+
+allow $1_java_t sound_device_t:chr_file rw_file_perms;
+# Unrestricted inheritance from the caller.
+allow $1_t $1_java_t:process { noatsecure siginh rlimitinh };
+allow $1_java_t $1_t:process signull;
+
+can_unix_connect($1_java_t, $1_t)
+allow $1_java_t $1_t:unix_stream_socket { read write };
+
+# This domain is granted permissions common to most domains (including can_net)
+can_network_client($1_java_t)
+can_ypbind($1_java_t)
+allow $1_java_t self:process { fork signal_perms getsched setsched };
+allow $1_java_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow $1_java_t self:fifo_file rw_file_perms;
+allow $1_java_t etc_runtime_t:file { getattr read };
+allow $1_java_t fs_t:filesystem getattr;
+read_locale($1_java_t)
+r_dir_file($1_java_t, { proc_t proc_net_t })
+allow $1_java_t self:dir search;
+allow $1_java_t self:lnk_file read;
+allow $1_java_t self:file { getattr read };
+
+read_sysctl($1_java_t)
+
+tmp_domain($1_java)
+r_dir_file($1_java_t,{ fonts_t usr_t etc_t })
+
+# Search bin directory under java for java executable
+allow $1_java_t bin_t:dir search;
+can_exec($1_java_t, java_exec_t)
+
+# Allow connections to X server.
+ifdef(`xserver.te', `
+
+ifdef(`xdm.te', `
+# for when /tmp/.X11-unix is created by the system
+allow $1_java_t xdm_xserver_tmp_t:dir search;
+allow $1_java_t xdm_t:fifo_file rw_file_perms;
+allow $1_java_t xdm_tmp_t:dir search;
+allow $1_java_t xdm_tmp_t:sock_file write;
+')
+
+ifdef(`startx.te', `
+# for when /tmp/.X11-unix is created by the X server
+allow $1_java_t $2_xserver_tmp_t:dir search;
+
+# for /tmp/.X0-lock
+allow $1_java_t $2_xserver_tmp_t:file getattr;
+
+allow $1_java_t $2_xserver_tmp_t:sock_file rw_file_perms;
+can_unix_connect($1_java_t, $2_xserver_t)
+')dnl end startx
+
+can_unix_connect($1_java_t, xdm_xserver_t)
+allow xdm_xserver_t $1_java_t:fd use;
+allow xdm_xserver_t $1_java_t:shm { associate getattr read unix_read };
+dontaudit xdm_xserver_t $1_java_t:shm { unix_write write };
+
+')dnl end xserver
+
+allow $1_java_t self:shm create_shm_perms;
+
+legacy_domain($1_java)
+
+uses_shlib($1_java_t)
+read_locale($1_java_t)
+rw_dir_file($1_java_t, $1_rw_t)
+
+allow $1_java_t ld_so_cache_t:file execute;
+allow $1_java_t lib_t:file execute;
+allow $1_java_t locale_t:file execute;
+allow $1_java_t $1_java_tmp_t:file execute;
+
+allow $1_java_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
+
+allow $1_java_t home_root_t:dir { getattr search };
+file_type_auto_trans($1_java_t, $2_home_dir_t, $1_rw_t)
+allow $1_java_t $2_home_xauth_t:file { getattr read };
+allow $1_java_t $2_tmp_t:sock_file write;
+allow $1_java_t $2_t:fd use;
+
+allow $1_java_t var_t:dir getattr;
+allow $1_java_t var_lib_t:dir { getattr search };
+
+dontaudit $1_java_t fonts_t:file execute;
+dontaudit $1_java_t sound_device_t:chr_file execute;
+dontaudit $1_java_t $2_devpts_t:chr_file { read write };
+dontaudit $1_java_t sysadm_devpts_t:chr_file { read write };
+dontaudit $1_java_t devtty_t:chr_file { read write };
+dontaudit $1_java_t tmpfs_t:file { execute read write };
+dontaudit $1_java_t $1_rw_t:file { execute setattr };
+
+')
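Review bot: `allow $1_java_t $1_java_tmp_t:file execute;` (together with the `lib_t`, `ld_so_cache_t` and `locale_t` execute grants just above it) lets a plugin domain that processes untrusted web content map files it wrote to its own tmp directory as executable, which undercuts gating execmem behind `allow_$1_legacy`; if the runtime genuinely needs this, put a why-comment on the rule and consider gating it with the same boolean. The macro also calls `read_locale($1_java_t)` twice (once near the top, once after `uses_shlib`). Its header should further state that `$1_rw_t` (mozilla_rw_t when invoked from mozilla_domain) is a type the browser can execute, since `file_type_auto_trans($1_java_t, $2_home_dir_t, $1_rw_t)` makes every file java creates in the home directory carry it.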
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lockdev_macros.te policy-1.21.12/macros/program/lockdev_macros.te
--- nsapolicy/macros/program/lockdev_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/lockdev_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -36,7 +36,7 @@
 
 allow $1_lockdev_t device_t:dir search;
 allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
-allow $1_lockdev_t { $1_tty_device_t $1_devpts_t }:chr_file rw_file_perms;
+access_terminal($1_lockdev_t, $1)
 dontaudit $1_lockdev_t root_t:dir search;
 
 uses_shlib($1_lockdev_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.21.12/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/lpr_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -64,8 +64,7 @@
 allow $1_lpr_t device_t:dir search;
 
 # Access the terminal.
-allow $1_lpr_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_lpr_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_lpr_t, $1)
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.21.12/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/mount_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -62,8 +62,7 @@
 allow $2_t sbin_t:dir search;
 
 # Access the terminal.
-allow $2_t $1_tty_device_t:chr_file { getattr read write ioctl };
-allow $2_t $1_devpts_t:chr_file { getattr read write };
+access_terminal($2_t, $1)
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
 allow $2_t var_t:dir search;
 allow $2_t var_run_t:dir search;
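Review bot: The replaced rule granted `{ getattr read write ioctl }` on `$1_tty_device_t`, while access_terminal as defined in this series grants only `{ read write getattr }`, so the tty ioctl mount presumably uses for its prompt and isatty-style checks is lost by this substitution. Either keep an explicit `allow $2_t $1_tty_device_t:chr_file ioctl;` next to the macro call or add ioctl to access_terminal itself, with a short `# ioctl needed for the terminal prompt` comment so it is not dropped again.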
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.12/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/program/mozilla_macros.te	2005-02-10 15:21:09.000000000 -0500
@@ -18,6 +18,9 @@
 define(`mozilla_domain',`
 x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool')
 
+# Allow mozilla to browse files
+file_browse_domain($1_mozilla_t)
+
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
 
 # Unrestricted inheritance from the caller.
@@ -50,18 +53,16 @@
 allow $1_mozilla_t devpts_t:dir r_dir_perms;
 allow $1_mozilla_t proc_t:file { getattr read };
 r_dir_file($1_mozilla_t, proc_net_t)
-dontaudit $1_mozilla_t tty_device_t:chr_file getattr;
-
-dontaudit $1_mozilla_t proc_t:dir read;
 
 allow $1_mozilla_t { var_t var_lib_t }:dir search;
-dontaudit $1_mozilla_t var_run_t:dir { getattr search };
+
+# interacting with gstreamer
+r_dir_file($1_mozilla_t, var_t)
 
 # Execute downloaded programs.
 can_exec($1_mozilla_t, $1_mozilla_rw_t)
 
-dontaudit $1_mozilla_t tmpfile:dir { setattr getattr search };
-dontaudit $1_mozilla_t tmpfile:{ file fifo_file sock_file } getattr;
+dontaudit $1_mozilla_t tmpfile:dir setattr;
 
 # Use printer
 ifdef(`lpr.te', `
@@ -78,14 +79,13 @@
 # access to the users home directories.
 #
 if (mozilla_readhome || mozilla_writehome) {
-r_dir_file($1_mozilla_t, $1_home_t)
-dontaudit $1_mozilla_t $1_file_type:{ file dir } getattr;
-file_type_auto_trans($1_mozilla_t, tmp_t, $1_tmp_t)
+r_dir_file($1_mozilla_t, { $1_home_t $1_tmp_t })
 } else {
-file_type_auto_trans($1_mozilla_t, tmp_t, $1_mozilla_rw_t)
-dontaudit $1_mozilla_t $1_home_t:dir { setattr read search getattr };
-dontaudit $1_mozilla_t $1_home_t:file { setattr getattr };
+dontaudit $1_mozilla_t $1_home_t:dir setattr;
+dontaudit $1_mozilla_t $1_home_t:file setattr;
 }
+file_type_auto_trans($1_mozilla_t, tmp_t, $1_mozilla_rw_t)
+file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_rw_t)
 
 if (mozilla_writehome) {
 file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_rw_t)
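Review bot: `file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_rw_t)` now sits outside the `mozilla_readhome || mozilla_writehome` conditional, so — since file_type_auto_trans grants directory write on the source type, as far as I recall — the browser can create files inside the user's own $1_tmp_t directories regardless of those booleans, and everything it creates under /tmp is $1_mozilla_rw_t, a type it can execute via `can_exec($1_mozilla_t, $1_mozilla_rw_t)`, where the read-home branch previously produced $1_tmp_t. If that is intended, record it, e.g. `# downloads land in mozilla_rw_t (executable by the browser) whether or not home access is enabled`; otherwise move the $1_tmp_t transition back under the conditional.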
@@ -96,7 +96,6 @@
 allow $1_mozilla_t $1_t:unix_stream_socket connectto;
 allow $1_mozilla_t sysctl_net_t:dir search;
 allow $1_mozilla_t sysctl_t:dir search;
-dontaudit $1_mozilla_t boot_t:dir getattr;
 ifdef(`cups.te', `
 allow $1_mozilla_t cupsd_etc_t:dir search;
 allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
@@ -104,32 +103,25 @@
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 
 allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-dontaudit $1_mozilla_t bin_t:dir getattr;
 dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
-# running mplayer within firefox asks for this
-allow $1_mozilla_t clock_device_t:chr_file r_file_perms;
 # Mozilla tries to delete .fonts.cache-1
 dontaudit $1_mozilla_t $1_home_t:file unlink;
-dontaudit $1_mozilla_t tmpfile:file getattr;
-#
-# Eliminate errors from scanning with the 
-#
-dontaudit $1_mozilla_t file_type:dir getattr;
 allow $1_mozilla_t self:sem create_sem_perms;
 
-dontaudit $1_mozilla_t selinux_config_t:dir search;
-
 #
 # Rules needed to run java apps
-#
-allow $1_mozilla_t ld_so_cache_t:file execute;
-allow $1_mozilla_t locale_t:file execute;
-dontaudit $1_mozilla_t device_type:{ chr_file file } execute;
-dontaudit $1_t ld_so_cache_t:file execute;
-dontaudit $1_t locale_t:file execute;
 
-dontaudit $1_mozilla_t selinux_config_t:dir search;
+java_domain($1_mozilla, $1)
+
+# Mplayer plugin
+ifdef(`mplayer.te', `
+domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
+# Read temporary content - mozilla saves stuff there
+r_dir_file($1_mplayer_t, $1_mozilla_rw_t);
+dontaudit $1_mplayer_t $1_mozilla_rw_t:file write;
+allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
+')dnl end if mplayer.te  
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
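Review bot: `domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)` sends the plugin-launched player into the same $1_mplayer_t as the interactive one, and mplayer_macros.te in this series gives that domain `r_dir_file($1_mplayer_t, $1_home_t)`, so media handed to the plugin by a web page reaches a domain that reads the whole home directory even when mozilla_readhome is off. Either derive a browser-specific player domain, as is done for java here with `java_domain($1_mozilla, $1)`, or document the bypass next to the transition, e.g. `# NOTE: $1_mplayer_t reads $1_home_t; this is not gated by mozilla_readhome`. Also, `ifdef(`mplayer.te', ...)` only checks that the policy file exists, so if mozilla_domain is expanded before mplayer_domain for a user the `$1_mplayer_t` reference may be undeclared; worth confirming the invocation order in the user macros.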
@@ -137,5 +129,13 @@
 allow $1_mozilla_t xdm_tmp_t:file { getattr read };
 allow $1_mozilla_t xdm_tmp_t:sock_file write;
 ')dnl end if xdm.te
+if (allow_execmem) {
+allow $1_mozilla_t self:process { execmem };
+}
+if (allow_execmod) {
+allow $1_mozilla_t texrel_shlib_t:file execmod;
+}
+dbusd_client(system, $1_mozilla)
+
 ')dnl end mozilla macro
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.21.12/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.12/macros/program/mplayer_macros.te	2005-02-10 17:18:57.000000000 -0500
@@ -0,0 +1,115 @@
+#
+# Macros for mplayer
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+#
+# mplayer_domain(domain_prefix)
+# mencoder_domain(domain_prefix)
+
+################################################
+#    mplayer_common(prefix, mplayer domain)    #
+################################################
+
+define(`mplayer_common',`
+
+# Home directory stuff
+if (use_nfs_home_dirs) {
+create_dir_file($1_$2_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1_$2_t, cifs_t)
+}
+allow $1_$2_t autofs_t:dir { search getattr };
+
+# Read local config
+r_dir_file($1_$2_t, $1_mplayer_rw_t)
+
+# Read global config
+r_dir_file($1_$2_t, mplayer_etc_t)
+
+# Read data in /usr/share (fonts, icons..)
+r_dir_file($1_$2_t, usr_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+allow $1_$2_t proc_t:dir search;
+allow $1_$2_t proc_t:file { getattr read };
+
+# Sysctl on kernel version 
+allow $1_$2_t sysctl_kernel_t:dir search;
+allow $1_$2_t sysctl_kernel_t:file { getattr read };
+
+# Allow ps, shared libs, locale, terminal access
+can_ps($1_t, $1_$2_t)
+uses_shlib($1_$2_t)
+read_locale($1_$2_t)
+access_terminal($1_$2_t, $1)
+
+# Required for win32 binary loader 
+allow $1_$2_t zero_device_t:chr_file { read write execute };
+if (allow_execmem) {
+allow $1_$2_t self:process execmem;
+}
+
+if (allow_execmod) {
+allow $1_$2_t zero_device_t:chr_file execmod;
+allow $1_$2_t texrel_shlib_t:file execmod;
+}
+
+# Access to DVD/CD/V4L
+allow $1_$2_t device_t:dir r_dir_perms;
+allow $1_$2_t device_t:lnk_file { getattr read };
+allow $1_$2_t removable_device_t:blk_file { getattr read };
+allow $1_$2_t v4l_device_t:chr_file { getattr read };
+')
+
+##############################
+#  mplayer_domain(prefix)    #
+##############################
+
+define(`mplayer_domain',`
+
+# Derive from X client domain
+x_client_domain($1, `mplayer', `')
+
+# Allow mplayer to browse files
+file_browse_domain($1_mplayer_t)
+
+# Mplayer common stuff
+mplayer_common($1, mplayer)
+
+# Additional rules for search /tmp/.X11-unix
+ifdef(`xdm.te', `
+allow $1_mplayer_t xdm_tmp_t:dir search;
+')dnl end if xdm.te
+
+# Audio
+allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
+
+# RTC clock 
+allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
+
+# Read home directory content
+r_dir_file($1_mplayer_t, $1_home_t);
+
+') dnl end mplayer_domain
+
+##############################
+#  mencoder_domain(prefix)   #
+##############################
+
+define(`mencoder_domain',`
+
+# Privhome type transitions to $1_home_t in home dir.
+type $1_mencoder_t, domain, privhome;
+
+# Transition
+domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
+can_exec($1_mencoder_t, mencoder_exec_t)
+role $1_r types $1_mencoder_t;
+
+# Mplayer common stuff
+mplayer_common($1, mencoder)
+
+') dnl end mencoder_domain
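Review bot: `allow $1_$2_t zero_device_t:chr_file { read write execute };` is unconditional, and an executable shared mapping of /dev/zero is effectively anonymous executable memory, so as I understand the mmap checks the domain can obtain writable-and-executable memory whether or not `allow_execmem` is set, leaving the boolean-gated execmem rule just below largely decorative. If the win32 loader really needs it, gate the `execute` on zero_device_t behind `allow_execmem` too and say why in the comment. Two smaller points: `removable_device_t:blk_file { getattr read }` gives raw block-level read of removable media, which bypasses file labels on anything mounted from them, and `r_dir_file($1_mplayer_t, $1_home_t)` reads the entire home directory, so both deserve a why-comment or a boolean.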
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.21.12/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/mta_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -87,10 +87,9 @@
 
 allow mta_user_agent $1_tmp_t:file { read getattr };
 
-allow mta_user_agent { $1_devpts_t $1_tty_device_t }:chr_file { getattr read write };
-
 # Write to the user domain tty.
-allow $1_mail_t { $1_tty_device_t $1_devpts_t devtty_t }:chr_file rw_file_perms;
+access_terminal(mta_user_agent, $1)
+access_terminal($1_mail_t, $1)
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/samba_macros.te policy-1.21.12/macros/program/samba_macros.te
--- nsapolicy/macros/program/samba_macros.te	2005-02-10 14:48:42.000000000 -0500
+++ policy-1.21.12/macros/program/samba_macros.te	2005-02-10 15:21:09.000000000 -0500
@@ -21,6 +21,7 @@
 if ( samba_enable_home_dirs ) {
 allow smbd_t home_root_t:dir r_dir_perms;
 file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
+dontaudit smbd_t $1_file_type:dir_file_class_set getattr;
 }
 ')
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/slocate_macros.te policy-1.21.12/macros/program/slocate_macros.te
--- nsapolicy/macros/program/slocate_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/slocate_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -47,10 +47,7 @@
 allow $1_t $1_locate_t:process signal;
 
 uses_shlib($1_locate_t)
-
-# Write to the user domain tty.
-allow $1_locate_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_locate_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_locate_t, $1)
 
 allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search };
 allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.21.12/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/program/ssh_agent_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -27,9 +27,7 @@
 allow $1_ssh_agent_t privfd:fd use;
 
 # Write to the user domain tty.
-allow $1_ssh_agent_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_ssh_agent_t $1_devpts_t:chr_file rw_file_perms;
-allow $1_ssh_agent_t devtty_t:chr_file { read write };
+access_terminal($1_ssh_agent_t, $1)
 
 # Allow the user shell to signal the ssh program.
 allow $1_t $1_ssh_agent_t:process signal;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.21.12/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/program/ssh_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -52,9 +52,6 @@
 
 base_file_read_access($1_ssh_t)
 
-# Read the devpts root directory.
-allow $1_ssh_t devpts_t:dir r_dir_perms;
-
 # Read /var.
 allow $1_ssh_t var_t:dir r_dir_perms;
 allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
@@ -77,8 +74,7 @@
 # Read /dev/urandom.
 allow $1_ssh_t urandom_device_t:chr_file r_file_perms;
 
-# Read and write /dev/tty and /dev/null.
-allow $1_ssh_t devtty_t:chr_file rw_file_perms;
+# Read and write /dev/null.
 allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
 
 # Grant permissions needed to create TCP and UDP sockets and
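Review bot: The rewritten comment `# Read and write /dev/null.` undersells the rule beneath it, which grants `rw_file_perms` on both `null_device_t` and `zero_device_t`; make it `# Read and write /dev/null and /dev/zero.` so the comment matches the rule it describes.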
@@ -127,8 +123,7 @@
 ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
 
 # Write to the user domain tty.
-allow $1_ssh_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_ssh_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_ssh_t, $1)
 
 # Allow the user shell to signal the ssh program.
 allow $1_t $1_ssh_t:process signal;
@@ -151,6 +146,11 @@
 ssh_agent_domain($1)
 ')dnl end if ssh_agent.te
 
+#allow ssh to access keys stored on removable media
+# Should we have a boolean around this?
+allow $1_ssh_t mnt_t:dir search;
+r_dir_file($1_ssh_t, removable_t) 
+
 ifdef(`xdm.te', `
 # should be able to remove these two later
 allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
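Review bot: `allow $1_ssh_t mnt_t:dir search;` and `r_dir_file($1_ssh_t, removable_t)` unconditionally let every user's ssh client read removable media, and the accompanying `# Should we have a boolean around this?` leaves the author's own question unresolved in the committed policy. Keys on removable media are a per-site choice, so this fits the pattern used elsewhere in this series (`bool use_nfs_home_dirs false;` consumed by `if (...) { }`): declare a boolean beside the other ssh tunables and wrap the two lines in `if (<ssh_removable_media_bool>) {` ... `}`. The line `r_dir_file($1_ssh_t, removable_t) ` also carries trailing whitespace.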
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.21.12/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/program/su_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -99,7 +99,7 @@
 }
 
 # Relabel ttys and ptys.
-allow $1_su_t { device_t devpts_t }:dir { getattr read search };
+allow $1_su_t device_t:dir { getattr read search };
 allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
 
 # Close and re-open ttys and ptys to get the fd into the correct domain.
@@ -121,9 +121,8 @@
 role $1_r types $1_su_t;
 
 # Write to the user domain tty.
-allow $1_su_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_su_t $1_devpts_t:chr_file rw_file_perms;
-allow $1_su_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { getattr ioctl };
+access_terminal($1_su_t, $1)
+allow $1_su_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;
 
 allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
 allow $1_su_t $1_home_t:file create_file_perms;
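Review bot: This su hunk does more than the other access_terminal substitutions: the removed line granted `{ getattr ioctl }` on `sysadm_tty_device_t` and `sysadm_devpts_t`, and nothing in the new lines covers those types, so unless the macro (not visible here) grants them, su from a non-sysadm user loses that access. If the drop is intended, the added `allow $1_su_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;` deserves its own comment, e.g. `# ioctl on the user's own tty/pty only; sysadm tty access is deliberately not granted`, because the surviving `# Write to the user domain tty.` no longer describes it.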
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.21.12/macros/program/uml_macros.te
--- nsapolicy/macros/program/uml_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/macros/program/uml_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -110,7 +110,6 @@
 dontaudit $1_uml_t initrc_var_run_t:file { write lock };
 
 allow $1_uml_t device_t:dir search;
-allow $1_uml_t devtty_t:chr_file rw_file_perms;
 allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_uml_t self:unix_dgram_socket create_socket_perms;
 allow $1_uml_t privfd:fd use;
@@ -121,8 +120,7 @@
 allow $1_uml_t proc_t:file write;
 
 # Write to the user domain tty.
-allow $1_uml_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_uml_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_uml_t, $1)
 
 # access config files
 allow $1_uml_t home_root_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.21.12/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/program/xauth_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -66,8 +66,7 @@
 allow $1_xauth_t fs_t:filesystem getattr;
 
 # Write to the user domain tty.
-allow $1_xauth_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_xauth_t $1_devpts_t:chr_file rw_file_perms;
+access_terminal($1_xauth_t, $1)
 
 # Scan /var/run.
 allow $1_xauth_t var_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.21.12/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/program/x_client_macros.te	2005-02-10 17:17:06.000000000 -0500
@@ -57,9 +57,9 @@
 allow $1_$2_t etc_runtime_t:file { getattr read };
 allow $1_$2_t etc_t:lnk_file read;
 allow $1_$2_t fs_t:filesystem getattr;
+access_terminal($1_$2_t, $1)
 read_locale($1_$2_t)
 r_dir_file($1_$2_t, readable_t)
-allow $1_$2_t devtty_t:chr_file { read write };
 allow $1_$2_t proc_t:dir search;
 allow $1_$2_t proc_t:lnk_file read;
 allow $1_$2_t self:dir search;
@@ -143,11 +143,6 @@
 can_tcp_connect($1_$2_t, sshd_t)
 ')
 
-# Access the terminal.
-allow $1_$2_t devpts_t:dir search;
-allow $1_$2_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_$2_t $1_devpts_t:chr_file rw_file_perms;
-
 # Read the home directory, e.g. for .Xauthority and to get to config files
 allow $1_$2_t home_root_t:dir { search getattr };
 file_type_auto_trans($1_$2_t, $1_home_dir_t, $1_$2_rw_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.21.12/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/program/xserver_macros.te	2005-02-10 15:21:09.000000000 -0500
@@ -51,6 +51,11 @@
 can_exec($1_xserver_t, xserver_exec_t)
 
 uses_shlib($1_xserver_t)
+
+if (allow_execmod) {
+allow $1_xserver_t texrel_shlib_t:file execmod;
+}
+
 can_network($1_xserver_t)
 can_ypbind($1_xserver_t)
 allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
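Review bot: The new `if (allow_execmod) { allow $1_xserver_t texrel_shlib_t:file execmod; }` block has no comment; execmod lets a mapping that has been modified (text relocation) be made executable again, so the reader should see why the X server domain needs it and that it is gated, e.g. `# Driver libraries with text relocations need execmod; granted only when allow_execmod is set`. Note that the unconfined.te hunk later in this diff flips the default of allow_execmod to true, so in the targeted policy this block is effectively always active.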
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.21.12/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/macros/user_macros.te	2005-02-10 15:21:09.000000000 -0500
@@ -34,21 +34,11 @@
 # do not allow privhome access to sysadm_home_dir_t
 file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
 
-# for ifconfig which is run all the time
-dontaudit $1_t sysctl_t:dir search;
-
-# for ls -l /proc
-dontaudit $1_t { sysctl_irq_t sysctl_t }:dir getattr;
-dontaudit $1_t proc_fs:file getattr;
-
 allow $1_t boot_t:dir { getattr search };
-dontaudit $1_t boot_t:dir read;
-dontaudit $1_t boot_t:lnk_file { getattr read };
-dontaudit $1_t boot_t:file { getattr read };
+dontaudit $1_t boot_t:lnk_file read;
+dontaudit $1_t boot_t:file read;
 allow $1_t system_map_t:file { getattr read };
 
-dontaudit $1_t security_t:dir getattr;
-
 # Instantiate derived domains for a number of programs.
 # These derived domains encode both information about the calling
 # user domain and the program, and allow us to maintain separation
@@ -94,11 +84,8 @@
 dontaudit $1_t initrc_var_run_t:file write;
 
 
-# do not audit getattr on tmpfile, otherwise ls -l /tmp fills the logs
-dontaudit $1_t tmpfile:dir_file_class_set getattr;
-
-# do not audit getattr on disk devices, otherwise KDE fills the logs
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file {getattr read};
+# do not audit read on disk devices
+dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
 
 ifdef(`xdm.te', `
 allow xdm_t $1_home_t:lnk_file read;
@@ -193,12 +180,7 @@
 # $1_t is also granted permissions specific to user domains.
 user_domain($1)
 
-dontaudit $1_t sysadm_home_t:dir { read search getattr };
-dontaudit $1_t sysadm_home_t:file { read getattr append };
-ifdef(`distro_redhat', `
-# gam_server fires off these when exploring with mozilla/nautilous
-dontaudit $1_t file_type:dir getattr;
-')
+dontaudit $1_t sysadm_home_t:file { read append };
 
 ifdef(`syslogd.te', `
 # Some programs that are left in $1_t will try to connect
@@ -208,8 +190,6 @@
 dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
 ')
 
-# stop warnings about "ls -l" on directories with unlabelled files
-dontaudit $1_t default_t:{ dir file lnk_file } getattr;
 # Stop warnings about access to /dev/console
 dontaudit $1_t init_t:fd use;
 dontaudit $1_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.21.12/Makefile
--- nsapolicy/Makefile	2005-02-10 14:48:31.000000000 -0500
+++ policy-1.21.12/Makefile	2005-02-10 17:03:19.000000000 -0500
@@ -36,6 +36,7 @@
 CONTEXTPATH = $(INSTALLDIR)/contexts
 LOADPATH = $(POLICYPATH)/$(POLICYVER)
 FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
 
 ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
 ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
@@ -50,16 +51,19 @@
 POLICYFILES += mls
 CHECKPOLMLS += -M
 endif
+DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
 POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
 POLICYFILES += $(USER_FILES)
 POLICYFILES += $(wildcard $(USERPATH)/local.users)
 POLICYFILES += constraints
-POLICYFILES += initial_sid_contexts fs_use genfs_contexts net_contexts
-CONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
+POLICYFILES += $(DEFCONTEXTFILES)
+CONTEXTFILES = $(DEFCONTEXTFILES)
+POLICY_DIRS = domains/program domains/misc
 
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
 
 FC = file_contexts/file_contexts
+HOMEDIR_TEMPLATE = file_contexts/homedir_template
 FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
 CONTEXTFILES += $(FCFILES)
 
@@ -170,9 +174,9 @@
 	grep -v dontaudit policy.conf > policy.audit
 	mv policy.audit policy.conf
 
-policy.conf: $(POLICYFILES) 
+policy.conf: $(POLICYFILES) $(POLICY_DIRS)
 	mkdir -p tmp
-	m4 $(M4PARAM) -Imacros -s $^ > $@.tmp
+	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
 	mv $@.tmp $@
 
 install-src: 
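Review bot: `m4 $(M4PARAM) -Imacros -s $(POLICYFILES)` replaces `$^` because `$(POLICY_DIRS)` was added to the prerequisites and directories must not be fed to m4, but nothing in the rule says so, and a directory's mtime changes only when entries are added or removed, so the intent appears to be rebuilding policy.conf when a .te file appears or disappears. Record that on the rule: `# POLICY_DIRS are prerequisites only so that adding/removing a .te triggers a rebuild; they are not m4 inputs, hence $(POLICYFILES) rather than $^`.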
@@ -204,14 +208,15 @@
 $(FCPATH): $(FC) 
 	@mkdir -p $(CONTEXTPATH)/files
 	install -m 644 $(FC) $(FCPATH)
+	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+	genhomedircon
 
 $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
 	@echo "Building file_contexts ..."
 	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
-	@grep -v "^/root" $@.tmp > $@.root
-	@/usr/sbin/genhomedircon . $@.root  > $@
-	@grep "^/root" $@.tmp >> $@
-	@-rm $@.tmp $@.root
+	@grep -v -e HOME -e ROLE $@.tmp > $@
+	@grep -e HOME -e ROLE $@.tmp  > $(HOMEDIR_TEMPLATE)
+	@-rm $@.tmp
 
 # Create a tags-file for the policy:
 # we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
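Review bot: The install rule now invokes `genhomedircon` bare, whereas the removed line called `/usr/sbin/genhomedircon`; `make install` typically runs as root and the program is now resolved through whatever PATH the invoking shell has, so keep the absolute path or a `GENHOMEDIRCON = /usr/sbin/genhomedircon` variable rather than a PATH lookup. In the `$(FC)` rule, `grep -v -e HOME -e ROLE` and its inverse are unanchored substring matches on the whole line, so any file_contexts entry whose path or context merely contains `HOME` or `ROLE` is diverted into the homedir template; matching the actual template keywords that genhomedircon expands, or anchoring the patterns, would avoid that. The template is also produced as a side effect of `$(FC)` without being a target, so `$(FCPATH)` installs `$(HOMEDIR_TEMPLATE)` with no prerequisite on it.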
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.12/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/targeted/domains/unconfined.te	2005-02-10 16:23:56.000000000 -0500
@@ -9,6 +9,8 @@
 role user_r types unconfined_t;
 role sysadm_r types unconfined_t;
 unconfined_domain(unconfined_t)
+allow domain $1:fd use;
+allow domain $1:process sigchld;
 
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
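Review bot: `allow domain $1:fd use;` and `allow domain $1:process sigchld;` use the m4 macro parameter `$1`, but unconfined.te is a domain file rather than a `define(...)` body, so unless these lines sit inside a macro not visible here, `$1` is emitted literally and the policy compiler will reject it; the intended type is presumably `unconfined_t`, the domain declared on the line above. The same literal `$1` appears in `allow $1 shlib_t:file execmod;` in the later hunk of this file.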
@@ -37,6 +39,9 @@
 user_typealias(sysadm)
 user_typealias(staff)
 user_typealias(user)
+attribute user_file_type;
+attribute staff_file_type;
+attribute sysadm_file_type;
 
 allow unconfined_t unlabeled_t:filesystem *;
 allow unlabeled_t self:filesystem associate;
@@ -45,14 +50,18 @@
 bool use_nfs_home_dirs false;
 
 # Allow execution of anonymous mappings, e.g. executable stack.
-bool allow_execmem false;
+bool allow_execmem true;
 
 # Support Share libraries with Text Relocation
-bool allow_execmod false;
+bool allow_execmod true;
 
 # Support SAMBA home directories
 bool use_samba_home_dirs false;
 
+if (allow_execmod) {
+allow $1 shlib_t:file execmod;
+}
+
 ifdef(`samba.te', `samba_domain(user)')
 
 # Allow system to run with NIS
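Review bot: Flipping `bool allow_execmem` and `bool allow_execmod` to `true` changes the shipped default so that unconfined_t may execute anonymous writable mappings and modified (text-relocated) library mappings, which removes one of the few memory-protection checks the targeted policy still applied to unconfined processes. The existing comments describe only the mechanism; since the default now differs from the strict policy, add the reason and the cost, e.g. `# Enabled by default here for compatibility; set false to deny executable anonymous memory to unconfined_t`. The `allow $1 shlib_t:file execmod;` block below also depends on a literal `$1`, which is raised on the first hunk of this file.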
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.12/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/tunables/distro.tun	2005-02-10 15:21:09.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.12/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.12/tunables/tunable.tun	2005-02-10 15:21:09.000000000 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
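Review bot: Enabling `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC` and `user_canbe_sysadm` by default lets rpm, hotplug/insmod, every rc-started daemon without its own domain, and any user_r login (via su/sudo/userhelper) run unconfined or reach sysadm_r, according to the file's own comments, and `hide_broken_symptoms` additionally suppresses audit messages. These are build-time defaults inherited by everyone building from this tree, so the file header should say they are a distribution choice and what they give up, e.g. `# NOTE: the defaults below trade confinement for compatibility; review each before building a strict policy`.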
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.21.12/types/file.te
--- nsapolicy/types/file.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.12/types/file.te	2005-02-10 15:21:09.000000000 -0500
@@ -87,7 +87,7 @@
 #
 # shadow_t is the type of the /etc/shadow file
 #
-type shadow_t, file_type;
+type shadow_t, file_type, secure_file_type;
 allow auth shadow_t:file { getattr read };
 
 #
@@ -151,7 +151,7 @@
 #
 # cert_t is the type of files in the system certs directories.
 #
-type cert_t, file_type, sysadmfile;
+type cert_t, file_type, sysadmfile, secure_file_type;
 
 #
 # ls_exec_t is the type of the ls program.
@@ -192,8 +192,8 @@
 type var_lock_t, file_type, sysadmfile, lockfile;
 type var_lib_t, file_type, sysadmfile;
 # for /var/{spool,lib}/texmf index files
-type tetex_data_t, file_type, sysadmfile;
-type var_spool_t, file_type, sysadmfile;
+type tetex_data_t, file_type, sysadmfile, tmpfile;
+type var_spool_t, file_type, sysadmfile, tmpfile;
 type var_yp_t, file_type, sysadmfile;
 
 # Type for /var/log/ksyms.
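Review bot: Adding the `tmpfile` attribute to `var_spool_t` and `tetex_data_t` (and to `print_spool_t` in the next hunk) makes every rule written against `tmpfile` apply to mail and print spool directories as well; those rules live elsewhere and are not visible here, and the user_macros hunk in this same diff removes a `dontaudit $1_t tmpfile:dir_file_class_set getattr`, which suggests `tmpfile` is used as a broad target. Which domains gain access to spool contents should be checked, and the intent recorded, e.g. `# tmpfile: presumably so tmp-cleaning domains can reap stale spool entries — confirm no other tmpfile consumer`.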
@@ -223,7 +223,7 @@
 #
 # print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
 #
-type print_spool_t, file_type, sysadmfile;
+type print_spool_t, file_type, sysadmfile, tmpfile;
 
 #
 # mail_spool_t is the type for /var/spool/mail.

* latest diffs.
@ 2004-10-25 21:40 Daniel J Walsh
  2004-10-27 14:35 ` James Carter
  0 siblings, 1 reply; 143+ messages in thread
From: Daniel J Walsh @ 2004-10-25 21:40 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 295 bytes --]

Removed more tunables
use_games is not needed: if you do not want games, do not include games.te.
Added boolean disable_games to disable games transition.

Change nfs_home_dirs to a boolean.

Change user_net_control to a boolean.

Turn off nscd_all_connect (Hopefully eliminate).

Cleanup nscd.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 20872 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.17.34/attrib.te
--- nsapolicy/attrib.te	2004-10-09 21:06:13.000000000 -0400
+++ policy-1.17.34/attrib.te	2004-10-25 16:45:50.000000000 -0400
@@ -400,4 +400,6 @@
 # For clients of nscd that can use shmem interface.
 attribute nscd_shmem_domain;
 
+# For labeling of content for httpd
+attribute httpdcontent;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.34/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.17.34/domains/program/ssh.te	2004-10-25 17:03:53.000000000 -0400
@@ -73,13 +73,13 @@
 allow $1_t self:capability { sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
 can_ypbind($1_t)
-ifdef(`nfs_home_dirs', `
+if (nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')
 allow $1_t nfs_t:dir { search getattr };
 allow $1_t nfs_t:file { getattr read };
-')dnl end if nfs_home_dirs
+} dnl end if nfs_home_dirs
 
 ifdef(`single_userdomain', `
 if (ssh_sysadm_login) {
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.34/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.17.34/domains/program/syslogd.te	2004-10-25 16:45:50.000000000 -0400
@@ -96,3 +96,4 @@
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir { search };
 dontaudit syslogd_t unlabeled_t:file read;
+dontaudit syslogd_t devpts_t:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.34/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-10-14 23:25:17.000000000 -0400
+++ policy-1.17.34/domains/program/unused/apache.te	2004-10-25 17:04:37.000000000 -0400
@@ -21,6 +21,8 @@
 ###############################################################################
 type http_port_t, port_type, reserved_port_type;
 
+bool httpd_unified false;
+
 # Allow httpd cgi support
 bool httpd_enable_cgi false;
 
@@ -130,7 +132,7 @@
 
 # execute perl
 allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec(httpd_t, bin_t)
+can_exec(httpd_t, { bin_t sbin_t })
 
 can_network(httpd_t)
 can_ypbind(httpd_t)
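Review bot: `can_exec(httpd_t, { bin_t sbin_t })` extends the web server's execute rights from bin_t to everything labeled sbin_t while the comment above still reads `# execute perl`; sbin holds administrative tools, so the widening should be justified in the comment or narrowed to the program httpd actually needs. At minimum: `# execute perl and helpers under sbin (TODO: name which)`.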
@@ -247,13 +249,12 @@
 allow httpd_t autofs_t:dir { search getattr };
 allow httpd_suexec_t autofs_t:dir { search getattr };
 ')
-ifdef(`nfs_home_dirs', `
-if (httpd_enable_homedirs) {
+if (nfs_home_dirs && httpd_enable_homedirs) {
 r_dir_file(httpd_t, nfs_t)
 r_dir_file(httpd_suexec_t, nfs_t)
 can_exec(httpd_suexec_t, nfs_t)
 }
-')dnl end if nfs_home_dirs
+
 
 #
 # Allow users to mount additional directories as http_source
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.17.34/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.34/domains/program/unused/ftpd.te	2004-10-25 17:05:40.000000000 -0400
@@ -96,13 +96,12 @@
 
 # Allow ftp to read/write files in the user home directories.
 bool ftp_home_dir false;
-if (ftp_home_dir) {
-ifdef(`nfs_home_dirs', `
+
+if (ftp_home_dir && nfs_home_dirs) {
 allow ftpd_t nfs_t:dir r_dir_perms;
 allow ftpd_t nfs_t:file r_file_perms;
 # dont allow access to /home
 dontaudit ftpd_t home_root_t:dir { getattr search };
-')dnl end if nfs_home_dirs
 } 
 else 
 {
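Review bot: Merging the conditions into `if (ftp_home_dir && nfs_home_dirs) {` changes what the `else` branch covers: previously it applied only when `ftp_home_dir` was off, now it also fires when `ftp_home_dir` is on but `nfs_home_dirs` is off, so whatever the else body does (it lies outside this hunk) now applies to that combination too. If the else contains rules meant only for the home-dir-disabled case, keep the boolean nested, `if (ftp_home_dir) { if (nfs_home_dirs) { ... } } else { ... }`, or split it into two conditionals.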
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.34/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.34/domains/program/unused/nscd.te	2004-10-25 16:45:50.000000000 -0400
@@ -3,7 +3,16 @@
 # Author:  Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: nscd
 #
-
+define(`nscd_socket_domain', `
+can_unix_connect($1, nscd_t)
+allow nscd_client_domain nscd_var_run_t:sock_file rw_file_perms;
+allow $1 { var_run_t var_t }:dir search;
+allow $1 nscd_t:nscd { getpwd getgrp gethost };
+dontaudit $1 nscd_t:fd { use };
+dontaudit $1 nscd_var_run_t:dir { search getattr };
+dontaudit $1 nscd_var_run_t:file { getattr read };
+dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+')
 #################################
 #
 # Rules for the nscd_t domain.
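Review bot: Inside the new `nscd_socket_domain` macro, `allow nscd_client_domain nscd_var_run_t:sock_file rw_file_perms;` names `nscd_client_domain` instead of the macro argument, so when the macro is invoked with `domain` or `nscd_shmem_domain` (next hunk) those callers do not receive the sock_file rule the replaced inline rules gave them, and nscd_client_domain gets it on every invocation; the line should read `allow $1 nscd_var_run_t:sock_file rw_file_perms;`. The macro also adds `dontaudit $1 nscd_var_run_t:dir { search getattr };`, which none of the replaced rule blocks had, and the `nscd_t:nscd` operations it grants would benefit from a comment naming the socket lookups they cover.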
@@ -22,31 +31,17 @@
 
 # Clients that can get information via the socket interface.
 ifdef(`nscd_all_connect', `
-can_unix_connect(domain, nscd_t)
-allow domain nscd_var_run_t:sock_file rw_file_perms;
-allow domain { var_run_t var_t }:dir search;
-allow domain nscd_t:nscd { getpwd getgrp gethost };
-dontaudit domain nscd_t:fd { use };
-dontaudit domain nscd_var_run_t:file { getattr read };
-dontaudit domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
+nscd_socket_domain(domain)
 ', `
-can_unix_connect(nscd_client_domain, nscd_t)
-allow nscd_client_domain nscd_var_run_t:sock_file rw_file_perms;
-allow nscd_client_domain { var_run_t var_t }:dir search;
-allow nscd_client_domain nscd_t:nscd { getpwd getgrp gethost };
-dontaudit nscd_client_domain nscd_t:fd { use };
-dontaudit nscd_client_domain nscd_var_run_t:file { getattr read };
-dontaudit nscd_client_domain nscd_t:nscd { shmempwd  shmemgrp shmemhost };
+nscd_socket_domain(nscd_client_domain)
 ')dnl nscd_all_connect
 
 # Clients that are allowed to map the database via a fd obtained from nscd.
-can_unix_connect(nscd_shmem_domain, nscd_t)
-allow nscd_shmem_domain nscd_var_run_t:sock_file rw_file_perms;
-allow nscd_shmem_domain { var_run_t var_t }:dir search;
+nscd_socket_domain(nscd_shmem_domain)
+allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
 allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
 # Receive fd from nscd and map the backing file with read access.
 allow nscd_shmem_domain nscd_t:fd use;
-allow nscd_shmem_domain nscd_var_run_t:file r_file_perms;
 
 # For client program operation, invoked from sysadm_t.
 # Transition occurs to nscd_t due to direct_sysadm_daemon. 
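Review bot: `allow nscd_shmem_domain nscd_var_run_t:file r_file_perms;` is removed, but the comment two lines above still says `# Receive fd from nscd and map the backing file with read access.`, and the macro now applied to nscd_shmem_domain only dontaudits `nscd_var_run_t:file { getattr read }`, so a read mapping of the backing file is likely to be denied without any audit record. Either keep the file read rule for nscd_shmem_domain or change the comment to say only the fd is received; the added `allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;` covers the directory, not the file.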
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.17.34/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.17.34/domains/program/unused/spamd.te	2004-10-25 17:06:54.000000000 -0400
@@ -58,10 +58,11 @@
 ifdef(`automount.te', `
 allow spamd_t autofs_t:dir { search getattr };
 ')
-ifdef(`nfs_home_dirs', `
+
+if (nfs_home_dirs) {
 allow spamd_t nfs_t:dir rw_dir_perms;
 allow spamd_t nfs_t:file create_file_perms;
-')dnl end if nfs_home_dirs
+}
 
 allow spamd_t home_root_t:dir { getattr };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.17.34/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.34/domains/program/unused/squid.te	2004-10-25 16:45:50.000000000 -0400
@@ -18,6 +18,7 @@
 
 allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
 allow squid_t squid_conf_t:dir r_dir_perms;
+allow squid_t squid_conf_t:lnk_file read;
 
 logdir_domain(squid)
 typealias squid_log_t alias var_log_squid_t;
@@ -27,7 +28,7 @@
 # type for /var/cache/squid
 type squid_cache_t, file_type, sysadmfile;
 
-allow squid_t self:capability { setgid setuid };
+allow squid_t self:capability { setgid setuid net_bind_service };
 allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
 allow squid_t etc_t:lnk_file read;
 allow squid_t self:unix_stream_socket create_socket_perms;
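Review bot: `net_bind_service` is added to squid's capability set without a comment; the capability lets the domain bind any port below 1024, so the reason should be recorded next to it, e.g. `# net_bind_service: bind the proxy listener below 1024 when so configured — confirm which port`. The port binding rules themselves are not in this hunk.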
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/usernetctl.te policy-1.17.34/domains/program/unused/usernetctl.te
--- nsapolicy/domains/program/unused/usernetctl.te	2004-05-27 14:52:35.000000000 -0400
+++ policy-1.17.34/domains/program/unused/usernetctl.te	2004-10-25 16:52:33.000000000 -0400
@@ -4,10 +4,13 @@
 
 type usernetctl_exec_t, file_type, sysadmfile, exec_type;
 
-ifdef(`user_net_control',`
 type usernetctl_t, domain, privfd;
 
+if (user_net_control) {
 domain_auto_trans(userdomain, usernetctl_exec_t, usernetctl_t)
+} else {
+can_exec(userdomain, usernetctl_exec_t)
+}
 in_user_role(usernetctl_t)
 role sysadm_r types usernetctl_t;
 
@@ -58,7 +61,4 @@
 allow usernetctl_t { var_t var_run_t }:dir { getattr read search };
 allow usernetctl_t etc_runtime_t:file r_file_perms;
 allow usernetctl_t net_conf_t:file r_file_perms;
-',`
-can_exec(userdomain, usernetctl_exec_t)
-')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.17.34/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.34/domains/program/unused/xdm.te	2004-10-25 17:07:13.000000000 -0400
@@ -276,14 +276,14 @@
 allow xdm_xserver_t user_home_type:dir search;
 allow xdm_xserver_t user_home_type:file { getattr read };
 
-ifdef(`nfs_home_dirs', `
+if (nfs_home_dirs) {
 ifdef(`automount.te', `
 allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
 ')
 allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
 allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
 can_exec(xdm_t, nfs_t)
-')dnl end if nfs_home_dirs
+}
 
 # for .dmrc
 allow xdm_t user_home_dir_type:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.17.34/domains/user.te
--- nsapolicy/domains/user.te	2004-10-14 23:25:17.000000000 -0400
+++ policy-1.17.34/domains/user.te	2004-10-25 17:27:38.000000000 -0400
@@ -7,6 +7,9 @@
 # Allow users to read system messages.
 bool user_dmesg false;
 
+# Support NFS home directories
+bool nfs_home_dirs false;
+
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users)  disabling this forces FTP passive mode
 # and may change other protocols 
@@ -15,6 +18,12 @@
 # Allow users to rw usb devices
 bool user_rw_usb false;
 
+# Allow users to control network interfaces (also needs USERCTL=true)
+bool user_net_control false;
+
+# Disable games transitions
+bool disable_games false;
+
 # Allow regular users direct mouse access 
 bool user_direct_mouse false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.17.34/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc	2004-09-09 16:22:13.000000000 -0400
+++ policy-1.17.34/file_contexts/program/named.fc	2004-10-25 16:45:50.000000000 -0400
@@ -18,7 +18,7 @@
 /usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t
 /var/run/ndc		-s	system_u:object_r:named_var_run_t
 /var/run/bind(/.*)?		system_u:object_r:named_var_run_t
-/var/run/named.*		system_u:object_r:named_var_run_t
+/var/run/named(/.*)?		system_u:object_r:named_var_run_t
 /usr/sbin/lwresd	--	system_u:object_r:named_exec_t
 ifdef(`distro_redhat', `
 /var/named/named\.ca	--	system_u:object_r:named_conf_t
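Review bot: Changing `/var/run/named.*` to `/var/run/named(/.*)?` narrows the match to the directory `/var/run/named` and its contents, so a pid file written directly as `/var/run/named.pid` (if named does that on this distribution) no longer matches and falls back to the generic /var/run label. If such a file exists, add an explicit entry, `/var/run/named\.pid -- system_u:object_r:named_var_run_t`, as nscd.fc in this diff does for `/var/run/nscd\.pid`.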
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/nscd.fc policy-1.17.34/file_contexts/program/nscd.fc
--- nsapolicy/file_contexts/program/nscd.fc	2003-11-26 13:01:07.000000000 -0500
+++ policy-1.17.34/file_contexts/program/nscd.fc	2004-10-25 16:45:50.000000000 -0400
@@ -2,3 +2,5 @@
 /usr/sbin/nscd		--	system_u:object_r:nscd_exec_t
 /var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t
 /var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
+/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
+/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.17.34/file_contexts/program/pppd.fc
--- nsapolicy/file_contexts/program/pppd.fc	2004-07-12 12:15:22.000000000 -0400
+++ policy-1.17.34/file_contexts/program/pppd.fc	2004-10-25 16:45:50.000000000 -0400
@@ -5,6 +5,7 @@
 /dev/pppox.*		-c	system_u:object_r:ppp_device_t
 /dev/ippp.*		-c	system_u:object_r:ppp_device_t
 /var/run/pppd\.tdb	--	system_u:object_r:pppd_var_run_t
+/var/run/ppp(/.*)?		system_u:object_r:pppd_var_run_t
 /etc/ppp		-d	system_u:object_r:pppd_etc_t
 /etc/ppp/.*		--	system_u:object_r:pppd_etc_rw_t
 /etc/ppp/.*secrets	--	system_u:object_r:pppd_secret_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.34/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-10-14 23:25:19.000000000 -0400
+++ policy-1.17.34/file_contexts/types.fc	2004-10-25 16:45:50.000000000 -0400
@@ -266,11 +266,13 @@
 # /etc
 #
 /etc(/.*)?			system_u:object_r:etc_t
+/var/db/.*\.db		--	system_u:object_r:etc_t
 /etc/\.pwd\.lock	--	system_u:object_r:shadow_t
 /etc/passwd\.lock	--	system_u:object_r:shadow_t
 /etc/group\.lock	--	system_u:object_r:shadow_t
 /etc/shadow.*		--	system_u:object_r:shadow_t
 /etc/gshadow.*		--	system_u:object_r:shadow_t
+/var/db/shadow.*	--	system_u:object_r:shadow_t
 /etc/blkid\.tab		--	system_u:object_r:etc_runtime_t
 /etc/fstab\.REVOKE	--	system_u:object_r:etc_runtime_t
 /etc/HOSTNAME		--	system_u:object_r:etc_runtime_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.34/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.17.34/macros/base_user_macros.te	2004-10-25 17:00:17.000000000 -0400
@@ -58,10 +58,10 @@
 allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
 can_setfscreate($1_t)
 
-ifdef(`nfs_home_dirs', `
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
+ifdef(`nfs_home_dirs', `
 create_dir_file($1_t, nfs_t)
 can_exec($1_t, nfs_t)
 allow $1_t nfs_t:{ sock_file fifo_file } create_file_perms;
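Review bot: `ifdef(`nfs_home_dirs', `` is only moved here, whereas every other file in this diff converts the same check into the policy boolean `if (nfs_home_dirs) {` and user.te now declares `bool nfs_home_dirs false;` (the description says the tunable was changed to a boolean). If the m4 symbol is no longer defined, this ifdef block never expands and user domains lose create/exec on nfs_t regardless of the boolean. Convert it to `if (nfs_home_dirs) {` with a matching `}` at the block's end, which lies outside this hunk.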
@@ -158,7 +158,7 @@
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`tvtime.te', `tvtime_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
-ifdef(`use_games', `ifdef(`games.te', `games_domain($1)')')
+ifdef(`games.te', `games_domain($1)')
 ifdef(`gpg.te', `gpg_domain($1)')
 ifdef(`xauth.te', `xauth_domain($1)')
 ifdef(`startx.te', `xserver_domain($1)')
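Review bot: `ifdef(`games.te', `games_domain($1)')` drops the `use_games` m4 guard, but the new `bool disable_games false;` declared in user.te is not consulted here or anywhere else visible in this diff, so unless games_macros.te checks it, the boolean the description promises (`Added boolean disable_games to disable games transition.`) has no effect. Either gate the transition inside games_domain on `if (!disable_games)` or add a comment here saying where it is enforced.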
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.17.34/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2004-10-14 23:25:20.000000000 -0400
+++ policy-1.17.34/macros/program/apache_macros.te	2004-10-25 16:45:50.000000000 -0400
@@ -1,26 +1,9 @@
 
 define(`apache_domain', `
 
-undefine(`apache_single_user')
-ifdef(`single_userdomain', `
-ifelse($1, sys, `', `
-define(`apache_single_user')
-')dnl end if
-')dnl end ifdef single_userdomain
-
-ifdef(`apache_single_user', `
-typealias $1_home_t alias httpd_$1_content_t;
-typealias $1_home_t alias httpd_$1_htaccess_t;
-typealias $1_home_t alias httpd_$1_script_exec_t;
-typealias $1_home_t alias httpd_$1_script_ro_t;
-typealias $1_home_t alias httpd_$1_script_rw_t;
-typealias $1_home_t alias httpd_$1_script_ra_t;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, $1_tmp_t)
-', `
-
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
+type httpd_$1_content_t, file_type, homedirfile, httpdcontent, sysadmfile;
 ifelse($1, sys, `
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
 ')
@@ -29,6 +12,8 @@
 #
 type httpd_$1_htaccess_t, file_type, sysadmfile;
 
+# This type is used for executable scripts files
+#
 type httpd_$1_script_exec_t, file_type, sysadmfile;
 
 # Type that CGI scripts run as
@@ -72,10 +57,10 @@
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
-type httpd_$1_script_ro_t, file_type, sysadmfile;
-type httpd_$1_script_rw_t, file_type, sysadmfile;
+type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile;
+type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile;
+type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile;
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-type httpd_$1_script_ra_t, file_type, sysadmfile;
 
 ifdef(`slocate.te', `
 ifelse($1, `sys', `', `
@@ -113,6 +98,7 @@
 # Allow the script process to search the cgi directory, and users directory
 ##############################################################################
 allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
+can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
 allow httpd_$1_script_t home_root_t:dir { getattr search };
 allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
 
@@ -124,6 +110,18 @@
 create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
 ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
 
+if (httpd_enable_cgi) && (httpd_unified) {
+ifelse($1, sys, `
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+', `
+create_dir_file(httpd_$1_script_t, httpdcontent)
+can_exec(httpd_$1_script_t, httpdcontent )
+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+')
+}
+
 ifelse($1, sys, `
 #
 # If a user starts a script by hand it gets the proper context
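Review bot: The `httpdcontent` attribute is not scoped by `$1`, so the non-sys branch's `create_dir_file(httpd_$1_script_t, httpdcontent)` and `can_exec(httpd_$1_script_t, httpdcontent )` give each per-user script domain write and execute access to every other user's content and to the sys content, not only its own. Combined with `domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)` in the sys branch, a file that a user script writes into any `httpdcontent` type (its own `_script_rw_t` is one) becomes something httpd_t executes as `httpd_sys_script_t`, which is exactly the separation the `_ro_t`/`_rw_t`/`_exec_t` split exists to keep. This is only reachable with both `httpd_enable_cgi` and `httpd_unified` set, so at minimum a comment above the `if` should spell out that consequence; a per-`$1` attribute would keep the write/exec grant inside one user's content. The stray space in `httpdcontent )` should match the other calls, and the identical hunk recurs in the policy-1.17.33 apache_macros.te diff further down this page.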
@@ -132,7 +130,6 @@
 role sysadm_r types httpd_$1_script_t;
 ', `
 
-ifdef(`single_userdomain', `', `
 # If a user starts a script by hand it gets the proper context
 domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 role $1_r types httpd_$1_script_t;
@@ -161,7 +158,6 @@
 
 create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
 allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
-')dnl end ifdef single_userdomain
 
 # allow accessing files/dirs below the users home dir
 if (httpd_enable_homedirs) {
@@ -184,5 +180,4 @@
 #########################################
 allow httpd_$1_script_t httpd_log_t:file append;
 
-')dnl end apache_single_user
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.17.34/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2004-09-10 10:45:57.000000000 -0400
+++ policy-1.17.34/macros/program/x_client_macros.te	2004-10-25 16:45:50.080029701 -0400
@@ -36,8 +36,15 @@
 ')
 
 # Transition from the user domain to the derived domain.
+ifelse($2, games, `
+if (! disable_games) {
 domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
 can_exec($1_$2_t, $2_exec_t)
+}
+', `
+domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
+can_exec($1_$2_t, $2_exec_t)
+')
 
 # The user role is authorized for this domain.
 role $1_r types $1_$2_t;
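Review bot: Both branches of the new `ifelse($2, games, ...)` repeat the same `domain_auto_trans`/`can_exec` pair, and the games branch reads `if (! disable_games)`, a negation of a boolean whose name is already negative, replacing the positive `use_games` tunable this patch series drops. A positively named boolean following the `user_*` booleans in domains/user.te would let this read `if (...) { ... }` without the `!`; the duplicated rule pair is harder to avoid because the conditional block has to enclose both rules, so a one-line comment saying so would stop the next reader from "fixing" it. The same hunk recurs in the policy-1.17.33 x_client_macros.te diff further down.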
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.17.34/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2004-10-14 23:25:21.000000000 -0400
+++ policy-1.17.34/targeted/domains/unconfined.te	2004-10-25 17:27:45.000000000 -0400
@@ -38,3 +38,7 @@
 
 allow unconfined_t unlabeled_t:filesystem *;
 allow unlabeled_t self:filesystem { associate };
+
+# Support NFS home directories
+bool nfs_home_dirs false;
+
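Review bot: `bool nfs_home_dirs false;` is declared only in targeted/domains/unconfined.te, while the tunable.tun hunk in this same patch drops the `nfs_home_dirs` m4 define; any shared .te file that now tests `if (nfs_home_dirs)` presumably fails to build for the strict policy, which never sees this declaration — worth confirming, or moving the bool next to the other booleans in domains/user.te. The comment should also say which domains and which filesystem type the boolean grants access to, since `# Support NFS home directories` restates the name. The extra blank line added after the declaration is noise.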
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.34/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.34/tunables/distro.tun	2004-10-25 16:45:50.080029701 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.34/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-10-14 23:25:21.000000000 -0400
+++ policy-1.17.34/tunables/tunable.tun	2004-10-25 17:11:52.768849890 -0400
@@ -1,39 +1,30 @@
 # Allow all domains to connect to nscd
 dnl define(`nscd_all_connect')
 
-# Allow users to control network interfaces (also needs USERCTL=true)
-dnl define(`user_net_control')
-
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
-
-# Support NFS home directories
-dnl define(`nfs_home_dirs')
-
-# Allow users to run games
-dnl define(`use_games')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
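Review bot: This enables `unlimitedRPM`, `unlimitedUtils` and `unlimitedRC` at once, which by their own comments let rpm, hotplug/insmod and every rc-started daemon without an explicit transition run unconfined, and `user_canbe_sysadm` additionally lets user_r reach sysadm_r; none of this appears in the cover note, and it is the largest change to effective confinement in the patch. Removing `dnl define(`user_net_control')` leaves that tunable with no replacement visible here, so any remaining `ifdef(`user_net_control', ...)` block is silently off — confirm there are none, or keep the commented line so the tunable stays discoverable. The policy-1.17.33 version of this hunk further down additionally enables `nscd_all_connect`, `nfs_home_dirs` and `use_games` and deserves the same cover-note entry.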

* Latest diffs
@ 2004-10-20 15:24 Daniel J Walsh
From: Daniel J Walsh @ 2004-10-20 15:24 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 155 bytes --]

Added boolean for httpd_unified

Added boolean for disable_games

Fixes for squid and new nscd problems.

Fixes for file_contexts on /var/run directories.

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 12722 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.17.33/attrib.te
--- nsapolicy/attrib.te	2004-10-09 21:06:13.000000000 -0400
+++ policy-1.17.33/attrib.te	2004-10-19 17:00:46.000000000 -0400
@@ -400,4 +400,6 @@
 # For clients of nscd that can use shmem interface.
 attribute nscd_shmem_domain;
 
+# For labeling of content for httpd
+attribute httpdcontent;
 
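Review bot: The comment on `attribute httpdcontent;` should state what membership implies, because the apache_macros.te hunks in this same patch make any type carrying it writable and executable by the user script domains and a domain-transition source for httpd_t once `httpd_enable_cgi && httpd_unified` is set; `# For labeling of content for httpd` reads like a pure labelling aid. Suggested: `# Types treated as one class of httpd content: with httpd_enable_cgi && httpd_unified, script domains may write/execute them and httpd_t transitions on them`. Only types that are meant to be interchangeable in that way should be given this attribute.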
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.33/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.17.33/domains/program/syslogd.te	2004-10-20 10:46:38.653452761 -0400
@@ -96,3 +96,4 @@
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir { search };
 dontaudit syslogd_t unlabeled_t:file read;
+dontaudit syslogd_t devpts_t:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.33/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-10-14 23:25:17.000000000 -0400
+++ policy-1.17.33/domains/program/unused/apache.te	2004-10-19 17:00:14.000000000 -0400
@@ -21,6 +21,8 @@
 ###############################################################################
 type http_port_t, port_type, reserved_port_type;
 
+bool httpd_unified false;
+
 # Allow httpd cgi support
 bool httpd_enable_cgi false;
 
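Review bot: `bool httpd_unified false;` has no descriptive comment, unlike the neighbouring `# Allow httpd cgi support` on `httpd_enable_cgi`, yet together with that boolean it is what removes the distinction between read-only content, writable content and script executables in apache_macros.te. Suggested: `# Treat all httpdcontent types as one: scripts may read, write and execute any of them (needs httpd_enable_cgi). Leave off unless content separation is not wanted.` The default of false keeps the shipped policy unchanged, but the comment is what an administrator flipping it will read.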
@@ -130,7 +132,7 @@
 
 # execute perl
 allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec(httpd_t, bin_t)
+can_exec(httpd_t, { bin_t sbin_t })
 
 can_network(httpd_t)
 can_ypbind(httpd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.33/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.33/domains/program/unused/nscd.te	2004-10-19 16:54:22.000000000 -0400
@@ -27,10 +27,12 @@
 allow domain { var_run_t var_t }:dir search;
 allow domain nscd_t:nscd { getpwd getgrp gethost };
 dontaudit domain nscd_t:fd { use };
+dontaudit domain nscd_var_run_t:dir { search getattr };
 dontaudit domain nscd_var_run_t:file { getattr read };
 dontaudit domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
 ', `
 can_unix_connect(nscd_client_domain, nscd_t)
+allow nscd_client_domain nscd_var_run_t:dir r_dir_perms;
 allow nscd_client_domain nscd_var_run_t:sock_file rw_file_perms;
 allow nscd_client_domain { var_run_t var_t }:dir search;
 allow nscd_client_domain nscd_t:nscd { getpwd getgrp gethost };
@@ -41,6 +43,7 @@
 
 # Clients that are allowed to map the database via a fd obtained from nscd.
 can_unix_connect(nscd_shmem_domain, nscd_t)
+allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
 allow nscd_shmem_domain nscd_var_run_t:sock_file rw_file_perms;
 allow nscd_shmem_domain { var_run_t var_t }:dir search;
 allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.17.33/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.33/domains/program/unused/squid.te	2004-10-20 10:49:03.047157346 -0400
@@ -18,6 +18,7 @@
 
 allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
 allow squid_t squid_conf_t:dir r_dir_perms;
+allow squid_t squid_conf_t:lnk_file read;
 
 logdir_domain(squid)
 typealias squid_log_t alias var_log_squid_t;
@@ -27,7 +28,7 @@
 # type for /var/cache/squid
 type squid_cache_t, file_type, sysadmfile;
 
-allow squid_t self:capability { setgid setuid };
+allow squid_t self:capability { setgid setuid net_bind_service };
 allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
 allow squid_t etc_t:lnk_file read;
 allow squid_t self:unix_stream_socket create_socket_perms;
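Review bot: Adding `net_bind_service` to squid_t's capabilities allows binding any port below 1024, which is broader than a proxy on one port needs; check that a `name_bind` rule on a dedicated port type accompanies it elsewhere in squid.te so the capability is only usable on squid's own port, and add a comment on the line naming that port. If squid is not configured on a privileged port it presumably does not need the capability at all, and the cover note's "Fixes for squid" does not say why it was added.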
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.17.33/domains/user.te
--- nsapolicy/domains/user.te	2004-10-14 23:25:17.000000000 -0400
+++ policy-1.17.33/domains/user.te	2004-10-20 10:57:19.233222439 -0400
@@ -15,6 +15,9 @@
 # Allow users to rw usb devices
 bool user_rw_usb false;
 
+# Disable games transitions
+bool disable_games false;
+
 # Allow regular users direct mouse access 
 bool user_direct_mouse false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.17.33/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc	2004-09-09 16:22:13.000000000 -0400
+++ policy-1.17.33/file_contexts/program/named.fc	2004-10-19 16:26:50.000000000 -0400
@@ -18,7 +18,7 @@
 /usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t
 /var/run/ndc		-s	system_u:object_r:named_var_run_t
 /var/run/bind(/.*)?		system_u:object_r:named_var_run_t
-/var/run/named.*		system_u:object_r:named_var_run_t
+/var/run/named(/.*)?		system_u:object_r:named_var_run_t
 /usr/sbin/lwresd	--	system_u:object_r:named_exec_t
 ifdef(`distro_redhat', `
 /var/named/named\.ca	--	system_u:object_r:named_conf_t
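Review bot: Changing `/var/run/named.*` to `/var/run/named(/.*)?` stops matching any file directly in /var/run whose name merely starts with `named` (a `named.pid`-style pidfile, for example), so if the daemon still writes one there it falls back to the generic var_run label and named loses access to it. If the intent was only to label the `/var/run/named` directory and its contents, add an explicit entry for the pidfile alongside, such as `/var/run/named\.pid -- system_u:object_r:named_var_run_t` (constructed; adjust to the actual pidfile name).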
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/nscd.fc policy-1.17.33/file_contexts/program/nscd.fc
--- nsapolicy/file_contexts/program/nscd.fc	2003-11-26 13:01:07.000000000 -0500
+++ policy-1.17.33/file_contexts/program/nscd.fc	2004-10-19 16:26:50.000000000 -0400
@@ -2,3 +2,5 @@
 /usr/sbin/nscd		--	system_u:object_r:nscd_exec_t
 /var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t
 /var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
+/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
+/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t
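Review bot: `/var/db/nscd(/.*)?` labels nscd's persistent database directory with `nscd_var_run_t`, the same type as its pid file and socket, and the nscd.te hunks in this patch give nscd_client_domain and nscd_shmem_domain `r_dir_perms` on that type, so the persistent cache inherits whatever exposure the runtime files have. If the on-disk databases hold data the socket and pid file do not, a separate type would keep the two apart; if sharing the type is deliberate, a short comment on the entry would save the next reader the question.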
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.17.33/file_contexts/program/pppd.fc
--- nsapolicy/file_contexts/program/pppd.fc	2004-07-12 12:15:22.000000000 -0400
+++ policy-1.17.33/file_contexts/program/pppd.fc	2004-10-19 16:26:50.000000000 -0400
@@ -5,6 +5,7 @@
 /dev/pppox.*		-c	system_u:object_r:ppp_device_t
 /dev/ippp.*		-c	system_u:object_r:ppp_device_t
 /var/run/pppd\.tdb	--	system_u:object_r:pppd_var_run_t
+/var/run/ppp(/.*)?		system_u:object_r:pppd_var_run_t
 /etc/ppp		-d	system_u:object_r:pppd_etc_t
 /etc/ppp/.*		--	system_u:object_r:pppd_etc_rw_t
 /etc/ppp/.*secrets	--	system_u:object_r:pppd_secret_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.17.33/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2004-10-14 23:25:20.000000000 -0400
+++ policy-1.17.33/macros/program/apache_macros.te	2004-10-19 16:58:32.000000000 -0400
@@ -1,26 +1,9 @@
 
 define(`apache_domain', `
 
-undefine(`apache_single_user')
-ifdef(`single_userdomain', `
-ifelse($1, sys, `', `
-define(`apache_single_user')
-')dnl end if
-')dnl end ifdef single_userdomain
-
-ifdef(`apache_single_user', `
-typealias $1_home_t alias httpd_$1_content_t;
-typealias $1_home_t alias httpd_$1_htaccess_t;
-typealias $1_home_t alias httpd_$1_script_exec_t;
-typealias $1_home_t alias httpd_$1_script_ro_t;
-typealias $1_home_t alias httpd_$1_script_rw_t;
-typealias $1_home_t alias httpd_$1_script_ra_t;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, $1_tmp_t)
-', `
-
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
+type httpd_$1_content_t, file_type, homedirfile, httpdcontent, sysadmfile;
 ifelse($1, sys, `
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
 ')
@@ -29,6 +12,8 @@
 #
 type httpd_$1_htaccess_t, file_type, sysadmfile;
 
+# This type is used for executable scripts files
+#
 type httpd_$1_script_exec_t, file_type, sysadmfile;
 
 # Type that CGI scripts run as
@@ -72,10 +57,10 @@
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
-type httpd_$1_script_ro_t, file_type, sysadmfile;
-type httpd_$1_script_rw_t, file_type, sysadmfile;
+type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile;
+type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile;
+type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile;
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-type httpd_$1_script_ra_t, file_type, sysadmfile;
 
 ifdef(`slocate.te', `
 ifelse($1, `sys', `', `
@@ -113,6 +98,7 @@
 # Allow the script process to search the cgi directory, and users directory
 ##############################################################################
 allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
+can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
 allow httpd_$1_script_t home_root_t:dir { getattr search };
 allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
 
@@ -124,6 +110,18 @@
 create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
 ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
 
+if (httpd_enable_cgi) && (httpd_unified) {
+ifelse($1, sys, `
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+', `
+create_dir_file(httpd_$1_script_t, httpdcontent)
+can_exec(httpd_$1_script_t, httpdcontent )
+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+')
+}
+
 ifelse($1, sys, `
 #
 # If a user starts a script by hand it gets the proper context
@@ -132,7 +130,6 @@
 role sysadm_r types httpd_$1_script_t;
 ', `
 
-ifdef(`single_userdomain', `', `
 # If a user starts a script by hand it gets the proper context
 domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 role $1_r types httpd_$1_script_t;
@@ -161,7 +158,6 @@
 
 create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
 allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
-')dnl end ifdef single_userdomain
 
 # allow accessing files/dirs below the users home dir
 if (httpd_enable_homedirs) {
@@ -184,5 +180,4 @@
 #########################################
 allow httpd_$1_script_t httpd_log_t:file append;
 
-')dnl end apache_single_user
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.17.33/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2004-09-10 10:45:57.000000000 -0400
+++ policy-1.17.33/macros/program/x_client_macros.te	2004-10-20 10:56:22.716592051 -0400
@@ -36,8 +36,15 @@
 ')
 
 # Transition from the user domain to the derived domain.
+ifelse($2, games, `
+if (! disable_games) {
 domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
 can_exec($1_$2_t, $2_exec_t)
+}
+', `
+domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
+can_exec($1_$2_t, $2_exec_t)
+')
 
 # The user role is authorized for this domain.
 role $1_r types $1_$2_t;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.33/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.33/tunables/distro.tun	2004-10-19 16:26:50.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.33/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-10-14 23:25:21.000000000 -0400
+++ policy-1.17.33/tunables/tunable.tun	2004-10-19 16:26:50.000000000 -0400
@@ -1,39 +1,39 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

* Latest Diffs.
@ 2004-08-25 15:21 Daniel J Walsh
From: Daniel J Walsh @ 2004-08-25 15:21 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 136 bytes --]

We now have named booleans working with named master updates.

Added can_ypbind to lots of te files to support NIS environments.

Dan



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 41282 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.17.3/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2004-08-24 20:21:25.000000000 -0400
+++ policy-1.17.3/domains/program/modutil.te	2004-08-24 15:39:13.000000000 -0400
@@ -78,6 +78,7 @@
 unconfined_domain(insmod_t) 
 ')
 can_network(insmod_t)
+can_ypbind(insmod_t)
 in_user_role(insmod_t)
 uses_shlib(insmod_t)
 read_locale(insmod_t)
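Review bot: `can_ypbind(insmod_t)` and the same one-line addition in every other hunk of this patch (syslogd, amanda, amavis, asterisk, backup, bluetooth, calamaris, ciped, clamav, courier, ddt-client, devfsd, dhcpc, dhcpd, dictd, distcc, dnsmasq, dovecot, dpkg, fingerd, gatekeeper, hald, hotplug, howl, i18n_input, innd, ipsec, ircd) grant whatever network access the macro expands to unconditionally, even on hosts that never run NIS; the policy already gates optional behaviour on booleans and tunables elsewhere on this page, so wrapping the macro body in a NIS tunable, or having can_ypbind expand to nothing when NIS is unused, would keep the extra access off by default. For a kernel-module loader in particular the need is not obvious and deserves a comment on the line. The calls are also inconsistently punctuated: `can_ypbind(amanda_t);` and `can_ypbind(amavisd_t);` carry a trailing semicolon that the adjacent `can_network(amavisd_t)` does not.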
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.3/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-08-24 09:21:09.000000000 -0400
+++ policy-1.17.3/domains/program/syslogd.te	2004-08-24 15:39:33.000000000 -0400
@@ -21,6 +21,7 @@
 
 # can_network is for the UDP socket
 can_network(syslogd_t)
+can_ypbind(syslogd_t)
 
 r_dir_file(syslogd_t, sysfs_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.17.3/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2004-05-11 13:55:39.000000000 -0400
+++ policy-1.17.3/domains/program/unused/amanda.te	2004-08-24 15:23:43.000000000 -0400
@@ -172,6 +172,7 @@
 ###################################
 
 can_network(amanda_t);
+can_ypbind(amanda_t);
 
 allow amanda_t self:fifo_file { getattr read write ioctl lock };
 allow amanda_t self:unix_stream_socket { connect create read write };
@@ -248,6 +249,7 @@
 #############################################
 
 can_network(amanda_recover_t);
+can_ypbind(amanda_recover_t);
 
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.17.3/domains/program/unused/amavis.te
--- nsapolicy/domains/program/unused/amavis.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/amavis.te	2004-08-24 15:23:57.000000000 -0400
@@ -27,6 +27,7 @@
 
 # networking
 can_network(amavisd_t)
+can_ypbind(amavisd_t);
 can_tcp_connect(mail_server_sender, amavisd_t);
 can_tcp_connect(amavisd_t, mail_server_domain)
 allow amavisd_t amavis_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/asterisk.te policy-1.17.3/domains/program/unused/asterisk.te
--- nsapolicy/domains/program/unused/asterisk.te	2004-08-06 08:23:51.000000000 -0400
+++ policy-1.17.3/domains/program/unused/asterisk.te	2004-08-24 15:24:13.000000000 -0400
@@ -24,6 +24,7 @@
 allow asterisk_t var_spool_t:dir search;
 
 can_network(asterisk_t)
+can_ypbind(asterisk_t)
 allow asterisk_t etc_t:file { getattr read };
 
 allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.17.3/domains/program/unused/backup.te
--- nsapolicy/domains/program/unused/backup.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/backup.te	2004-08-24 15:24:26.000000000 -0400
@@ -27,6 +27,7 @@
 allow backup_t urandom_device_t:chr_file read;
 
 can_network(backup_t)
+can_ypbind(backup_t)
 uses_shlib(backup_t)
 
 allow backup_t devtty_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.17.3/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/bluetooth.te	2004-08-24 15:24:39.000000000 -0400
@@ -21,6 +21,7 @@
 
 # Use the network.
 can_network(bluetooth_t)
+can_ypbind(bluetooth_t)
 allow bluetooth_t self:socket { create setopt ioctl bind listen };
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/calamaris.te policy-1.17.3/domains/program/unused/calamaris.te
--- nsapolicy/domains/program/unused/calamaris.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/calamaris.te	2004-08-24 15:24:54.000000000 -0400
@@ -60,6 +60,7 @@
 dontaudit calamaris_t etc_t:file ioctl;
 dontaudit calamaris_t sysadm_home_dir_t:dir { getattr search };
 can_network(calamaris_t)
+can_ypbind(calamaris_t)
 ifdef(`named.te', `
 can_udp_send(calamaris_t, named_t)
 can_udp_send(named_t, calamaris_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ciped.te policy-1.17.3/domains/program/unused/ciped.te
--- nsapolicy/domains/program/unused/ciped.te	2004-02-02 10:17:22.000000000 -0500
+++ policy-1.17.3/domains/program/unused/ciped.te	2004-08-24 15:25:13.000000000 -0400
@@ -8,6 +8,7 @@
 type cipe_port_t, port_type;
 
 can_network(ciped_t)
+can_ypbind(ciped_t)
 allow ciped_t cipe_port_t:udp_socket name_bind;
 
 allow ciped_t devpts_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.17.3/domains/program/unused/clamav.te
--- nsapolicy/domains/program/unused/clamav.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/clamav.te	2004-08-24 15:25:24.000000000 -0400
@@ -23,6 +23,7 @@
 allow freshclam_t sysctl_kernel_t:file { getattr read };
 
 can_network(freshclam_t)
+can_ypbind(freshclam_t)
 
 # Access virus signatures
 allow freshclam_t { var_t var_lib_t }:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/courier.te policy-1.17.3/domains/program/unused/courier.te
--- nsapolicy/domains/program/unused/courier.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/courier.te	2004-08-24 15:25:38.000000000 -0400
@@ -47,6 +47,7 @@
 
 # Use the network.
 can_network(courier_$1_t)
+can_ypbind(courier_$1_t)
 allow courier_$1_t self:fifo_file { read write getattr };
 allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
 allow courier_$1_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddt-client.te policy-1.17.3/domains/program/unused/ddt-client.te
--- nsapolicy/domains/program/unused/ddt-client.te	2004-06-16 13:37:32.000000000 -0400
+++ policy-1.17.3/domains/program/unused/ddt-client.te	2004-08-24 15:25:57.000000000 -0400
@@ -24,6 +24,7 @@
 
 # Use the network.
 can_network(ddt_client_t)
+can_ypbind(ddt_client_t)
 allow ddt_client_t self:unix_stream_socket create_socket_perms;
 allow ddt_client_t self:unix_dgram_socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/devfsd.te policy-1.17.3/domains/program/unused/devfsd.te
--- nsapolicy/domains/program/unused/devfsd.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/devfsd.te	2004-08-24 15:26:10.000000000 -0400
@@ -90,4 +90,5 @@
 
 # for nss-ldap etc
 can_network(devfsd_t)
+can_ypbind(devfsd_t)
 allow devfsd_t self:tcp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.17.3/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/dhcpc.te	2004-08-24 14:40:38.000000000 -0400
@@ -23,6 +23,7 @@
 allow dhcpc_t urandom_device_t:chr_file read;
 
 can_network(dhcpc_t)
+can_ypbind(dhcpc_t)
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
 allow dhcpc_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.17.3/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te	2004-07-08 09:50:26.000000000 -0400
+++ policy-1.17.3/domains/program/unused/dhcpd.te	2004-08-25 11:07:37.147621196 -0400
@@ -30,6 +30,7 @@
 
 # Use the network.
 can_network(dhcpd_t)
+can_ypbind(dhcpd_t)
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
 
@@ -64,3 +65,4 @@
 
 # allow reading /proc
 allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
+tmp_domain(dhcpd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dictd.te policy-1.17.3/domains/program/unused/dictd.te
--- nsapolicy/domains/program/unused/dictd.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.17.3/domains/program/unused/dictd.te	2004-08-24 15:26:27.000000000 -0400
@@ -43,6 +43,7 @@
 allow dictd_t self:unix_stream_socket create_stream_socket_perms;
 
 can_network(dictd_t)
+can_ypbind(dictd_t)
 can_tcp_connect(userdomain, dictd_t)
 
 allow dictd_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/distcc.te policy-1.17.3/domains/program/unused/distcc.te
--- nsapolicy/domains/program/unused/distcc.te	2004-07-28 16:04:18.000000000 -0400
+++ policy-1.17.3/domains/program/unused/distcc.te	2004-08-24 15:26:40.000000000 -0400
@@ -5,6 +5,7 @@
 
 daemon_domain(distccd)
 can_network(distccd_t)
+can_ypbind(distccd_t)
 log_domain(distccd)
 tmp_domain(distccd)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dnsmasq.te policy-1.17.3/domains/program/unused/dnsmasq.te
--- nsapolicy/domains/program/unused/dnsmasq.te	2004-07-07 16:46:41.000000000 -0400
+++ policy-1.17.3/domains/program/unused/dnsmasq.te	2004-08-24 15:26:54.000000000 -0400
@@ -17,6 +17,7 @@
 
 # network-related goodies
 can_network(dnsmasq_t)
+can_ypbind(dnsmasq_t)
 allow dnsmasq_t self:packet_socket create_socket_perms;
 allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
 allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.17.3/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-06-25 06:22:39.000000000 -0400
+++ policy-1.17.3/domains/program/unused/dovecot.te	2004-08-24 15:27:10.000000000 -0400
@@ -14,6 +14,7 @@
 allow dovecot_t self:capability { chown net_bind_service setgid setuid sys_chroot dac_override dac_read_search };
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
+can_ypbind(dovecot_t)
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dpkg.te policy-1.17.3/domains/program/unused/dpkg.te
--- nsapolicy/domains/program/unused/dpkg.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/dpkg.te	2004-08-24 15:27:37.000000000 -0400
@@ -327,6 +327,7 @@
 allow apt_t self:process { signal sigchld fork };
 allow apt_t sysadm_t:process sigchld;
 can_network({ apt_t dpkg_t })
+can_ypbind({ apt_t dpkg_t })
 
 allow { apt_t dpkg_t } var_t:dir { search getattr };
 dontaudit apt_t { fs_type file_type }:dir getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fingerd.te policy-1.17.3/domains/program/unused/fingerd.te
--- nsapolicy/domains/program/unused/fingerd.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/fingerd.te	2004-08-24 15:27:49.000000000 -0400
@@ -48,6 +48,7 @@
 
 # Use the network.
 can_network(fingerd_t)
+can_ypbind(fingerd_t)
 
 allow fingerd_t self:unix_dgram_socket create_socket_perms;
 allow fingerd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gatekeeper.te policy-1.17.3/domains/program/unused/gatekeeper.te
--- nsapolicy/domains/program/unused/gatekeeper.te	2004-06-16 13:37:32.000000000 -0400
+++ policy-1.17.3/domains/program/unused/gatekeeper.te	2004-08-24 15:28:06.000000000 -0400
@@ -24,6 +24,7 @@
 
 # Use the network.
 can_network(gatekeeper_t)
+can_ypbind(gatekeeper_t)
 allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind;
 allow gatekeeper_t self:unix_stream_socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.3/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-08-24 20:21:28.000000000 -0400
+++ policy-1.17.3/domains/program/unused/hald.te	2004-08-24 15:28:18.000000000 -0400
@@ -27,6 +27,7 @@
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin };
 can_network(hald_t)
+can_ypbind(hald_t)
 
 ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
 ifdef(`udev.te', `domain_auto_trans(hald_t, udev_exec_t, udev_t)')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.3/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-08-24 20:21:28.000000000 -0400
+++ policy-1.17.3/domains/program/unused/hotplug.te	2004-08-24 15:28:30.000000000 -0400
@@ -136,6 +136,7 @@
 file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
 
 can_network(hotplug_t)
+can_ypbind(hotplug_t)
 
 # Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
 domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.17.3/domains/program/unused/howl.te
--- nsapolicy/domains/program/unused/howl.te	2004-08-06 08:23:51.000000000 -0400
+++ policy-1.17.3/domains/program/unused/howl.te	2004-08-24 15:28:44.000000000 -0400
@@ -1,6 +1,7 @@
 daemon_domain(howl)
 allow howl_t proc_t:file { getattr read };
 can_network(howl_t)
+can_ypbind(howl_t)
 allow howl_t self:capability net_admin;
 
 allow howl_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.17.3/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te	2004-06-16 13:38:16.000000000 -0400
+++ policy-1.17.3/domains/program/unused/i18n_input.te	2004-08-24 15:28:55.000000000 -0400
@@ -10,6 +10,7 @@
 
 can_exec(i18n_input_t, i18n_input_exec_t)
 can_network(i18n_input_t)
+can_ypbind(i18n_input_t)
 
 ## No Unix Socket Connection at the moment
 ##
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.17.3/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-06-16 13:37:32.000000000 -0400
+++ policy-1.17.3/domains/program/unused/innd.te	2004-08-24 15:29:20.000000000 -0400
@@ -29,6 +29,7 @@
 allow innd_t var_spool_t:dir { getattr search };
 
 can_network(innd_t)
+can_ypbind(innd_t)
 
 can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
 allow innd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.17.3/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2004-06-16 13:37:32.000000000 -0400
+++ policy-1.17.3/domains/program/unused/ipsec.te	2004-08-24 15:29:32.000000000 -0400
@@ -169,6 +169,7 @@
 
 # Pluto needs network access
 can_network(ipsec_t)
+can_ypbind(ipsec_t)
 allow ipsec_t ipsec_t:unix_dgram_socket { create connect write };
 
 # for sleep
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ircd.te policy-1.17.3/domains/program/unused/ircd.te
--- nsapolicy/domains/program/unused/ircd.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.17.3/domains/program/unused/ircd.te	2004-08-24 15:29:46.000000000 -0400
@@ -24,6 +24,7 @@
 
 # Use the network.
 can_network(ircd_t)
+can_ypbind(ircd_t)
 #allow ircd_t self:fifo_file { read write };
 allow ircd_t self:unix_stream_socket create_socket_perms;
 allow ircd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/jabberd.te policy-1.17.3/domains/program/unused/jabberd.te
--- nsapolicy/domains/program/unused/jabberd.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.17.3/domains/program/unused/jabberd.te	2004-08-24 15:29:58.000000000 -0400
@@ -20,6 +20,7 @@
 allow jabberd_t random_device_t:file r_file_perms;
 
 can_network(jabberd_t)
+can_ypbind(jabberd_t)
 
 allow jabberd_t self:unix_dgram_socket create_socket_perms;
 allow jabberd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.17.3/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te	2004-06-24 08:50:07.000000000 -0400
+++ policy-1.17.3/domains/program/unused/kerberos.te	2004-08-24 15:30:30.000000000 -0400
@@ -38,8 +38,8 @@
 allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
 
 # krb5kdc and kadmind can use network
-can_network(krb5kdc_t)
-can_network(kadmind_t)
+can_network( { krb5kdc_t kadmind_t } )
+can_ypbind( { krb5kdc_t kadmind_t } )
 
 # allow UDP transfer to/from any program
 can_udp_send(kerberos_port_t, krb5kdc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.17.3/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/lpd.te	2004-08-24 15:30:51.000000000 -0400
@@ -37,6 +37,7 @@
 role system_r types checkpc_t;
 uses_shlib(checkpc_t)
 can_network(checkpc_t)
+can_ypbind(checkpc_t)
 log_domain(checkpc)
 type checkpc_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
@@ -103,6 +104,7 @@
 
 # Use the network.
 can_network(lpd_t)
+can_ypbind(lpd_t)
 allow lpd_t self:fifo_file rw_file_perms;
 allow lpd_t self:unix_stream_socket create_stream_socket_perms;
 allow lpd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lrrd.te policy-1.17.3/domains/program/unused/lrrd.te
--- nsapolicy/domains/program/unused/lrrd.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.17.3/domains/program/unused/lrrd.te	2004-08-24 15:31:02.000000000 -0400
@@ -59,6 +59,7 @@
 can_unix_connect(lrrd_t, lrrd_t)
 can_unix_send(lrrd_t, lrrd_t)
 can_network(lrrd_t)
+can_ypbind(lrrd_t)
 
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, lrrd_etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.17.3/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/mailman.te	2004-08-24 15:31:17.000000000 -0400
@@ -29,6 +29,7 @@
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
+can_ypbind(mailman_$1_t)
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/monopd.te policy-1.17.3/domains/program/unused/monopd.te
--- nsapolicy/domains/program/unused/monopd.te	2004-03-23 15:58:08.000000000 -0500
+++ policy-1.17.3/domains/program/unused/monopd.te	2004-08-24 15:31:33.000000000 -0400
@@ -16,6 +16,7 @@
 
 # Use the network.
 can_network(monopd_t)
+can_ypbind(monopd_t)
 
 type monopd_port_t, port_type;
 allow monopd_t monopd_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mrtg.te policy-1.17.3/domains/program/unused/mrtg.te
--- nsapolicy/domains/program/unused/mrtg.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/mrtg.te	2004-08-24 15:31:46.000000000 -0400
@@ -32,6 +32,7 @@
 
 # Use the network.
 can_network(mrtg_t)
+can_ypbind(mrtg_t)
 
 allow mrtg_t self:fifo_file { getattr read write ioctl };
 allow mrtg_t { admin_tty_type devtty_t }:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.17.3/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te	2004-08-22 20:55:01.000000000 -0400
+++ policy-1.17.3/domains/program/unused/mysqld.te	2004-08-24 15:31:59.000000000 -0400
@@ -44,6 +44,7 @@
 allow mysqld_t var_lib_t:dir { getattr search };
 
 can_network(mysqld_t)
+can_ypbind(mysqld_t)
 
 # read config files
 r_dir_file(initrc_t, mysqld_etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nagios.te policy-1.17.3/domains/program/unused/nagios.te
--- nsapolicy/domains/program/unused/nagios.te	2004-06-16 13:38:16.000000000 -0400
+++ policy-1.17.3/domains/program/unused/nagios.te	2004-08-24 15:32:14.000000000 -0400
@@ -42,6 +42,7 @@
 allow nagios_t proc_t:file { getattr read };
 
 can_network(nagios_t)
+can_ypbind(nagios_t)
 
 # read config files
 allow nagios_t { etc_t etc_runtime_t }:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.3/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/domains/program/unused/named.te	2004-08-25 11:05:14.054851490 -0400
@@ -32,10 +32,10 @@
 type named_conf_t, file_type, sysadmfile;
 typealias named_conf_t alias rndc_conf_t;
 
-# for zone files
+# for primary zone files
 type named_zone_t, file_type, sysadmfile;
 
-# named.ca files
+# for secondary zone files
 type named_cache_t, file_type, sysadmfile;
 
 # Use capabilities. Surplus capabilities may be allowed.
@@ -68,7 +68,8 @@
 #read zone files
 r_dir_file(named_t, named_zone_t)
 
-r_dir_file(named_t, named_cache_t)
+#write cache for secondary zones
+rw_dir_create_file(named_t, named_cache_t)
 
 allow named_t self:unix_stream_socket create_stream_socket_perms;
 allow named_t self:unix_dgram_socket create_socket_perms;
@@ -100,7 +101,14 @@
 can_ypbind(ndc_t)
 read_locale(ndc_t)
 can_tcp_connect(ndc_t, named_t)
-allow { named_t ndc_t initrc_t } rndc_conf_t:file { getattr read };
+dontaudit ndc_t unlabeled_t:file read;
+allow ndc_t var_t:dir search;
+
+# for /etc/rndc.key
+ifdef(`distro_redhat', `
+allow { ndc_t initrc_t } named_conf_t:dir search;
+')
+allow { ndc_t initrc_t } named_conf_t:file { getattr read };
 
 allow ndc_t etc_t:dir r_dir_perms;
 allow ndc_t etc_t:file r_file_perms;
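Review bot: named_t is dropped from the rule granting `getattr read` on the rndc configuration (`allow { named_t ndc_t initrc_t } rndc_conf_t:file` becomes `allow { ndc_t initrc_t } named_conf_t:file`); named itself reads the rndc key to accept control connections, so unless named_t gets named_conf_t:file read from a rule outside this hunk, the control channel fails in enforcing mode. The comment `# for /etc/rndc.key` above the distro_redhat block is misleading, since /etc is etc_t and ndc_t already has `allow ndc_t etc_t:dir r_dir_perms;`; the `named_conf_t:dir search` it introduces is for the chroot directories that the named.fc hunk in this patch labels named_conf_t, so `# for the /var/named/chroot tree, labelled named_conf_t on Red Hat` would describe it. The new `dontaudit ndc_t unlabeled_t:file read;` removes the only audit evidence of an unlabeled file in that path; a comment naming the file it was added for would let a later reviewer decide whether it is still needed.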
@@ -138,8 +146,6 @@
 allow ndc_t named_var_run_t:file getattr;
 allow ndc_t named_zone_t:dir { read getattr };
 allow ndc_t named_zone_t:file getattr;
-create_dir_file(ndc_t, named_zone_t)
 dontaudit ndc_t sysadm_home_t:dir { getattr search read };
 ')
 allow ndc_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-dontaudit named_t devpts_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nessusd.te policy-1.17.3/domains/program/unused/nessusd.te
--- nsapolicy/domains/program/unused/nessusd.te	2004-06-16 13:37:32.000000000 -0400
+++ policy-1.17.3/domains/program/unused/nessusd.te	2004-08-24 15:32:29.000000000 -0400
@@ -23,6 +23,7 @@
 
 # Use the network.
 can_network(nessusd_t)
+can_ypbind(nessusd_t)
 allow nessusd_t self:unix_stream_socket create_socket_perms;
 #allow nessusd_t self:unix_dgram_socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nsd.te policy-1.17.3/domains/program/unused/nsd.te
--- nsapolicy/domains/program/unused/nsd.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/domains/program/unused/nsd.te	2004-08-24 15:32:51.000000000 -0400
@@ -20,6 +20,7 @@
 role system_r types nsd_crond_t;
 uses_shlib(nsd_crond_t)
 can_network(nsd_crond_t)
+can_ypbind(nsd_crond_t)
 allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
 allow nsd_crond_t self:process { fork signal_perms };
 system_crond_entry(nsd_exec_t, nsd_crond_t)
@@ -78,6 +79,7 @@
 
 # nsd can use network
 can_network(nsd_t)
+can_ypbind(nsd_t)
 # allow client access from caching BIND
 ifdef(`named.te', `
 can_udp_send(named_t, nsd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.3/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-08-06 09:52:51.000000000 -0400
+++ policy-1.17.3/domains/program/unused/portmap.te	2004-08-24 15:33:22.000000000 -0400
@@ -14,6 +14,7 @@
 daemon_domain(portmap)
 
 can_network(portmap_t)
+can_ypbind(portmap_t)
 allow portmap_t self:unix_dgram_socket create_socket_perms;
 allow portmap_t self:unix_stream_socket create_stream_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.17.3/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/domains/program/unused/postfix.te	2004-08-24 15:33:43.000000000 -0400
@@ -111,6 +111,7 @@
 allow postfix_master_t postfix_private_t:sock_file create_file_perms;
 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
 can_network(postfix_master_t)
+can_ypbind(postfix_master_t)
 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
@@ -149,6 +150,7 @@
 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 allow postfix_$1_t self:capability { setuid setgid dac_override };
 can_network(postfix_$1_t)
+can_ypbind(postfix_$1_t)
 ')
 
 postfix_server_domain(smtp, `, mail_server_sender')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgrey.te policy-1.17.3/domains/program/unused/postgrey.te
--- nsapolicy/domains/program/unused/postgrey.te	2004-08-06 08:23:51.000000000 -0400
+++ policy-1.17.3/domains/program/unused/postgrey.te	2004-08-24 15:33:58.000000000 -0400
@@ -18,6 +18,7 @@
 etcdir_domain(postgrey)
 
 can_network(postgrey_t)
+can_ypbind(postgrey_t)
 allow postgrey_t postgrey_port_t:tcp_socket name_bind;
 allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
 allow postgrey_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.17.3/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/domains/program/unused/pppd.te	2004-08-24 15:34:10.000000000 -0400
@@ -31,6 +31,7 @@
 
 # Use the network.
 can_network(pppd_t)
+can_ypbind(pppd_t)
 
 # Use capabilities.
 allow pppd_t self:capability { net_admin setuid setgid fsetid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/qmail.te policy-1.17.3/domains/program/unused/qmail.te
--- nsapolicy/domains/program/unused/qmail.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/domains/program/unused/qmail.te	2004-08-24 15:35:03.000000000 -0400
@@ -85,6 +85,7 @@
 qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
 allow qmail_rspawn_t qmail_remote_exec_t:file read;
 can_network(qmail_remote_t)
+can_ypbind(qmail_remote_t)
 allow qmail_remote_t qmail_spool_t:dir search;
 allow qmail_remote_t qmail_spool_t:file rw_file_perms;
 allow qmail_remote_t self:tcp_socket create_socket_perms;
@@ -125,10 +126,12 @@
 allow qmail_tcp_env_t inetd_t:process sigchld;
 allow qmail_tcp_env_t sbin_t:dir search;
 can_network(qmail_tcp_env_t)
+can_ypbind(qmail_tcp_env_t)
 
 qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
 allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
 can_network(qmail_smtpd_t)
+can_ypbind(qmail_smtpd_t)
 allow qmail_smtpd_t inetd_t:fd use;
 allow qmail_smtpd_t inetd_t:tcp_socket { read write };
 allow qmail_smtpd_t inetd_t:process sigchld;
@@ -175,6 +178,7 @@
 qmaild_sub_domain(user_crond_t, qmail_serialmail)
 in_user_role(qmail_serialmail_t)
 can_network(qmail_serialmail_t)
+can_ypbind(qmail_serialmail_t)
 can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
 allow qmail_serialmail_t self:process { fork signal_perms };
 allow qmail_serialmail_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radius.te policy-1.17.3/domains/program/unused/radius.te
--- nsapolicy/domains/program/unused/radius.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/domains/program/unused/radius.te	2004-08-24 15:35:16.000000000 -0400
@@ -51,6 +51,7 @@
 allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
 
 can_network(radiusd_t)
+can_ypbind(radiusd_t)
 allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
 
 # for RADIUS proxy port
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.3/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-08-18 07:50:46.000000000 -0400
+++ policy-1.17.3/domains/program/unused/rhgb.te	2004-08-24 15:35:28.000000000 -0400
@@ -39,6 +39,7 @@
 dontaudit rhgb_t var_run_t:dir { search };
 
 can_network(rhgb_t)
+can_ypbind(rhgb_t)
 
 # for fonts
 allow rhgb_t usr_t:{ file lnk_file } { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.3/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-08-24 20:21:30.000000000 -0400
+++ policy-1.17.3/domains/program/unused/rpm.te	2004-08-24 15:35:49.000000000 -0400
@@ -33,6 +33,7 @@
 log_domain(rpm)
 
 can_network(rpm_t)
+can_ypbind(rpm_t)
 
 # Allow the rpm domain to execute other programs
 can_exec_any(rpm_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.17.3/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2003-10-02 09:40:03.000000000 -0400
+++ policy-1.17.3/domains/program/unused/rshd.te	2004-08-24 15:36:06.000000000 -0400
@@ -24,4 +24,5 @@
 
 # Use the network.
 can_network(rshd_t)
+can_ypbind(rshd_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.17.3/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/domains/program/unused/slapd.te	2004-08-24 15:36:23.000000000 -0400
@@ -24,6 +24,7 @@
 
 # Use the network.
 can_network(slapd_t)
+can_ypbind(slapd_t)
 allow slapd_t self:fifo_file { read write };
 allow slapd_t self:unix_stream_socket create_socket_perms;
 allow slapd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.3/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/domains/program/unused/snmpd.te	2004-08-24 15:36:35.000000000 -0400
@@ -14,6 +14,7 @@
 allow snmpd_t var_t:dir getattr;
 
 can_network(snmpd_t)
+can_ypbind(snmpd_t)
 
 type snmp_port_t, port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tcpd.te policy-1.17.3/domains/program/unused/tcpd.te
--- nsapolicy/domains/program/unused/tcpd.te	2004-07-27 09:27:33.000000000 -0400
+++ policy-1.17.3/domains/program/unused/tcpd.te	2004-08-24 15:36:55.000000000 -0400
@@ -22,6 +22,7 @@
 dontaudit tcpd_t var_t:dir search;
 
 can_network(tcpd_t)
+can_ypbind(tcpd_t)
 allow tcpd_t self:unix_dgram_socket create_socket_perms;
 allow tcpd_t self:unix_stream_socket create_socket_perms;
 allow tcpd_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/traceroute.te policy-1.17.3/domains/program/unused/traceroute.te
--- nsapolicy/domains/program/unused/traceroute.te	2004-07-27 09:27:33.000000000 -0400
+++ policy-1.17.3/domains/program/unused/traceroute.te	2004-08-24 15:37:08.000000000 -0400
@@ -19,6 +19,7 @@
 in_user_role(traceroute_t)
 uses_shlib(traceroute_t)
 can_network(traceroute_t)
+can_ypbind(traceroute_t)
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.3/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-08-18 07:50:46.000000000 -0400
+++ policy-1.17.3/domains/program/unused/udev.te	2004-08-24 11:31:34.000000000 -0400
@@ -37,6 +37,8 @@
 allow udev_t { sbin_t bin_t }:lnk_file read;
 can_exec(udev_t, { shell_exec_t bin_t sbin_t } )
 can_exec(udev_t, udev_exec_t)
+can_exec(udev_t, hostname_exec_t)
+can_exec(udev_t, iptables_exec_t)
 r_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
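Review bot: `can_exec(udev_t, iptables_exec_t)` and `can_exec(udev_t, hostname_exec_t)` run iptables and hostname inside udev_t instead of transitioning, so a firewall change triggered from a udev rule executes with udev's device-relabel permissions and capability set, and the rules of the iptables domain (where iptables.te is built) never apply. If those domains exist in this build, `ifdef(`iptables.te', `domain_auto_trans(udev_t, iptables_exec_t, iptables_t)')` and the hostname equivalent keep the confinement, with can_exec as the fallback only when the target domain is not enabled. A comment stating which udev helper needs iptables would also help later review, since the existing `can_exec(udev_t, { shell_exec_t bin_t sbin_t })` already covers most helpers.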
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/watchdog.te policy-1.17.3/domains/program/unused/watchdog.te
--- nsapolicy/domains/program/unused/watchdog.te	2004-06-16 13:37:32.000000000 -0400
+++ policy-1.17.3/domains/program/unused/watchdog.te	2004-08-24 15:37:32.000000000 -0400
@@ -24,6 +24,7 @@
 allow watchdog_t self:fifo_file rw_file_perms;
 allow watchdog_t self:unix_stream_socket create_socket_perms;
 can_network(watchdog_t)
+can_ypbind(watchdog_t)
 allow watchdog_t self:udp_socket create_socket_perms;
 allow watchdog_t bin_t:dir search;
 allow watchdog_t bin_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xprint.te policy-1.17.3/domains/program/unused/xprint.te
--- nsapolicy/domains/program/unused/xprint.te	2004-06-16 13:37:32.000000000 -0400
+++ policy-1.17.3/domains/program/unused/xprint.te	2004-08-24 15:37:55.000000000 -0400
@@ -30,6 +30,7 @@
 
 # Use the network.
 can_network(xprint_t)
+can_ypbind(xprint_t)
 allow xprint_t self:fifo_file rw_file_perms;
 allow xprint_t self:unix_stream_socket create_stream_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/zebra.te policy-1.17.3/domains/program/unused/zebra.te
--- nsapolicy/domains/program/unused/zebra.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/domains/program/unused/zebra.te	2004-08-24 15:37:46.000000000 -0400
@@ -10,6 +10,7 @@
 r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
 
 can_network(zebra_t)
+can_ypbind(zebra_t)
 allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
 
 allow zebra_t self:process setcap;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.17.3/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc	2004-08-17 07:46:24.000000000 -0400
+++ policy-1.17.3/file_contexts/program/named.fc	2004-08-25 11:12:35.118746147 -0400
@@ -1,28 +1,34 @@
 # named
-/var/named(/.*)?      		system_u:object_r:named_zone_t
-/var/named/named.ca     --	system_u:object_r:named_cache_t
+/var/named(/.*)?		system_u:object_r:named_zone_t
+/var/named/slaves(/.*)?		system_u:object_r:named_cache_t
+/var/named/data(/.*)?		system_u:object_r:named_cache_t
 /etc/named\.conf	--	system_u:object_r:named_conf_t
-/etc/named\.custom	--	system_u:object_r:named_conf_t
-/etc/rndc.*		--	system_u:object_r:rndc_conf_t
+
+ifdef(`distro_debian', `
+/etc/bind(/.*)?			system_u:object_r:named_zone_t
+/etc/bind/named\.conf	--	system_u:object_r:named_conf_t
+/etc/bind/rndc\.key	--	system_u:object_r:named_conf_t
+/var/cache/bind(/.*)?		system_u:object_r:named_cache_t
+') dnl distro_debian
+
+/etc/rndc.*		--	system_u:object_r:named_conf_t
 /usr/sbin/named.*      	--	system_u:object_r:named_exec_t
 /usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t
 /var/run/ndc		-s	system_u:object_r:named_var_run_t
+/var/run/bind(/.*)?		system_u:object_r:named_var_run_t
 /var/run/named.*		system_u:object_r:named_var_run_t
 /usr/sbin/lwresd	--	system_u:object_r:named_exec_t
-/var/named/chroot	-d    	system_u:object_r:root_t
-/var/named/chroot/dev(/.*)?    	system_u:object_r:device_t
+ifdef(`distro_redhat', `
+/var/named/named\.ca	--	system_u:object_r:named_conf_t
+/var/named/chroot(/.*)?		system_u:object_r:named_conf_t
 /var/named/chroot/dev/null   -c	system_u:object_r:null_device_t
-/var/named/chroot/dev/zero   -c	system_u:object_r:zero_device_t
 /var/named/chroot/dev/random -c	system_u:object_r:random_device_t
-/var/named/chroot/etc(/.*)?    	system_u:object_r:etc_t
 /var/named/chroot/etc/named\.conf -- system_u:object_r:named_conf_t
-/var/named/chroot/etc/named\.custom -- system_u:object_r:named_conf_t
-/var/named/chroot/etc/rndc.* -- system_u:object_r:rndc_conf_t
-/var/named/chroot/var(/.*)?	system_u:object_r:var_t
-/var/named/chroot/var/named(/.*)?   		system_u:object_r:named_zone_t
-/var/named/chroot/var/named/named.ca    system_u:object_r:named_cache_t
-/var/named/chroot/var/run(/.*)?	system_u:object_r:var_run_t
+/var/named/chroot/etc/rndc.* -- system_u:object_r:named_conf_t
 /var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t
-/var/named/chroot/var/tmp	-d system_u:object_r:tmp_t
-
-
+/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t
+/var/named/chroot/var/named(/.*)?	system_u:object_r:named_zone_t
+/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t
+/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t
+/var/named/chroot/var/named/named\.ca	--	system_u:object_r:named_conf_t
+') dnl distro_redhat
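Review bot: The `/var/named/chroot/dev/zero -c zero_device_t` entry is removed without replacement, so inside the Red Hat block that node now falls under `/var/named/chroot(/.*)?` and is labelled named_conf_t like a config file; the same happens to the chroot `etc`, `var` and `var/run` directories whose etc_t/var_t/var_run_t entries are dropped, so named_t creating its pid file under chroot/var/run now depends on write access to named_conf_t directories, which the named.te hunks in this patch do not add. Keeping `/var/named/chroot/dev/zero -c system_u:object_r:zero_device_t` and `/var/named/chroot/var/run(/.*)? system_u:object_r:named_var_run_t` would avoid relabelling a device node and a runtime directory as configuration. A short comment at the top of the distro_redhat block explaining that `/var/named/chroot(/.*)?` is a deliberate catch-all, and which more specific entries are expected to override it, would make the ordering reviewable.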
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.3/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-08-23 14:05:46.000000000 -0400
+++ policy-1.17.3/macros/global_macros.te	2004-08-25 11:07:23.120212255 -0400
@@ -292,7 +292,11 @@
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
-
+ifdef(`targeted_policy', `
+dontaudit $1_t devpts_t:chr_file { read write };
+dontaudit $1_t unlabeled_t:file read;
+')dnl end if targeted_policy
+ 
 ')dnl end macro daemon_core_rules
 
 #######################
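Review bot: The targeted_policy block adds `dontaudit $1_t unlabeled_t:file read;` to daemon_core_rules, which silences for every daemon domain at once the denial that is usually the only signal that a filesystem or file lost its label; the same line is added for ndc_t in named.te, suggesting a specific trigger that could be named here (`# unlabeled_t read: needed for <file> — TODO fill in`) or handled in that one domain instead of globally. The `+ ` line replaces the removed blank line with a line holding a single space; it should be an empty line. daemon_core_rules begins outside this hunk.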
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.17.3/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/macros/program/gpg_macros.te	2004-08-24 15:40:43.000000000 -0400
@@ -32,6 +32,7 @@
 domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
 
 can_network($1_gpg_t)
+can_ypbind($1_gpg_t)
 
 # for a bug in kmail
 dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.17.3/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te	2004-05-04 15:35:54.000000000 -0400
+++ policy-1.17.3/macros/program/spamassassin_macros.te	2004-08-24 15:43:36.000000000 -0400
@@ -87,8 +87,11 @@
 
 spamassassin_agent_privs($1_spamassassin_t, $1)
 
-# Uncomment if you have spamassassin do DNS lookups
-#can_network($1_spamassassin_t)
+# set tunable if you have spamassassin do DNS lookups
+ifdef(`spamassasin_can_network', `
+can_network($1_spamassassin_t)
+can_ypbind($1_spamassassin_t)
+')
 
 ###
 # Define the domain for /usr/bin/spamc
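Review bot: The new tunable is spelled `spamassasin_can_network` (one `s`) in `ifdef(`spamassasin_can_network', ...)` while every domain and macro around it uses `spamassassin`; it matches the `dnl define(`spamassasin_can_network')` added in tunable.tun so it works, but the misspelling will be copied into every site's tunables file once released. Renaming both sides to `spamassassin_can_network` before this ships is cheap now and costly later. Whichever spelling is kept, the replacement comment could name the switch and its file, e.g. `# define the tunable in tunables/tunable.tun to let spamassassin do DNS lookups`, as the old `# Uncomment ...` comment told the user what to do.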
@@ -96,6 +99,7 @@
 ifdef(`spamc.te',`
 spamassassin_program_domain($1, spamc)
 can_network($1_spamc_t)
+can_ypbind($1_spamc_t)
 
 # Allow connecting to a local spamd
 ifdef(`spamd.te',`
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.3/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-22 20:55:02.000000000 -0400
+++ policy-1.17.3/tunables/distro.tun	2004-08-24 10:46:58.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.3/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-08-02 15:14:25.000000000 -0400
+++ policy-1.17.3/tunables/tunable.tun	2004-08-24 15:43:29.000000000 -0400
@@ -5,40 +5,40 @@
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
+define(`nfs_export_all_rw')
 
 # Allow users to unrestricted access
 dnl define(`unlimitedUsers')
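Review bot: This hunk turns on, as the upstream default, unlimitedRPM, unlimitedUtils and unlimitedRC, each of which per its own comment runs rpm, hotplug/insmod and any rc-started daemon without a transition unconfined, alongside nfs_export_all_rw, user_can_mount and hide_broken_symptoms; the second hunk enables user_canbe_sysadm as well, and distro.tun in the same patch hard-codes distro_redhat. These are distribution build choices rather than policy fixes, and committing them to the shared tunable.tun means every consumer of this tree inherits an unconfined rpm/hotplug/rc path and reduced auditing unless they re-comment each line. Keeping the upstream file at `dnl define(...)` and carrying the enabled set in a distribution-specific tunables file, or gating them with `ifdef(`distro_redhat', ...)`, keeps the least-privilege default while still producing the intended Red Hat build. hide_broken_symptoms together with the new blanket dontaudit in global_macros.te also lowers the audit signal available to incident response, which deserves an explicit note in the file.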
@@ -48,9 +48,11 @@
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
 dnl define(`unlimitedInetd')
 
+# Allow spamassasin to do DNS lookups
+dnl define(`spamassasin_can_network')
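Review bot: The new tunable name on the last line of the hunk is misspelled — `spamassasin_can_network` is missing an `s` — so if the spamassassin policy tests `ifdef(`spamassassin_can_network')` this define would never match once a user uncomments it; the comment line above carries the same typo. Suggested lines: `# Allow spamassassin to do DNS lookups` and `dnl define(`spamassassin_can_network')`. Whether the policy side uses the correctly spelled name is not visible here and should be checked before the name is fixed. The hunk also activates `user_canbe_sysadm`, which by its comment lets user_r reach sysadm_r via su, sudo or userhelper instead of only staff_r, widening the escalation path; if that is intended it deserves a comment saying so.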
