From 1f11ac90eea851f7aff95327b345855e35ff6c74 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Oct 14 2005 20:03:50 +0000
Subject: more merging
---
diff --git a/strict/domains/program/dovecot.te b/strict/domains/program/dovecot.te
index 07f0f6f..eb7a30e 100644
--- a/strict/domains/program/dovecot.te
+++ b/strict/domains/program/dovecot.te
@@ -43,7 +43,9 @@ allow dovecot_t self:fifo_file rw_file_perms;
 can_kerberos(dovecot_t)
 allow dovecot_t tmp_t:dir search;
-rw_dir_file(dovecot_t, mail_spool_t)
+rw_dir_create_file(dovecot_t, mail_spool_t)
+
+
 create_dir_file(dovecot_t, dovecot_spool_t)
 create_dir_file(mta_delivery_agent, dovecot_spool_t)
 allow dovecot_t mail_spool_t:lnk_file read;
diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te
index c2dc6e7..8499da7 100644
--- a/strict/domains/program/pppd.te
+++ b/strict/domains/program/pppd.te
@@ -14,7 +14,7 @@
 # bool pppd_for_user false;
-daemon_domain(pppd, `, privmail')
+daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
 type pppd_secret_t, file_type, sysadmfile;
 # Define a separate type for /etc/ppp
@@ -36,7 +36,7 @@ can_network_server(pppd_t)
 can_ypbind(pppd_t)
 # Use capabilities.
-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };
 lock_domain(pppd)
 # Access secret files
@@ -54,6 +54,7 @@ allow postfix_postqueue_t pppd_t:process sigchld;
 can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
 allow pppd_t { bin_t sbin_t }:dir search;
 allow pppd_t { sbin_t bin_t }:lnk_file read;
+allow ifconfig_t pppd_t:fd use;
 # Access /dev/ppp.
 allow pppd_t ppp_device_t:chr_file rw_file_perms;
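Review bot: The move from `rw_dir_file` to `rw_dir_create_file` on mail_spool_t in the dovecot.te hunk lets dovecot_t create new files under the shared mail spool type as a whole, and nothing in the hunk says what dovecot needs to create there. A one-line comment above the new rule naming those files, e.g. `# dovecot_t creates [files: TODO confirm] in the shared mail spool`, would make the widening reviewable later. The two consecutive blank lines added right after the rule are one more than needed to separate it from the dovecot_spool_t rules below.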
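Review bot: Adding `privsysmod` to the pppd `daemon_domain` call here and `sys_module` to pppd_t's capability set in the @@ -36 hunk hands the daemon itself the ability to load kernel modules, yet the @@ -111 hunk shows the policy already delegating that through `domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)`, and the commit does not say which pppd code path needs the capability in its own domain. If privsysmod is the attribute gating sys_module via a neverallow (presumably; confirm against the attribute's definition), the two additions are coupled and that coupling belongs in a comment next to the capability rule, e.g. `# sys_module: pppd_t loads modules itself (privsysmod satisfies the sys_module neverallow); see insmod transition below`. If the insmod_t transition is sufficient, dropping both additions keeps pppd_t's privilege narrower.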
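Review bot: `allow ifconfig_t pppd_t:fd use;` grants ifconfig_t use of every descriptor it inherits from pppd_t, whereas this file handles the same situation for ndc_t with `dontaudit ndc_t pppd_t:fd use;` (context of the @@ -144 hunk). Unless ifconfig genuinely needs pppd's open descriptors, which the hunk does not indicate, `dontaudit ifconfig_t pppd_t:fd use;` silences the inherited-descriptor denial without widening access. The transition into ifconfig_t that makes this rule necessary is not in the hunk (pppd_t runs ifconfig_exec_t in its own domain via the `can_exec` line above), so a comment saying where that transition originates would help the next reader.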
@@ -111,7 +112,7 @@ domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
 ')
 }
-daemon_domain(pptp)
+daemon_domain(pptp, `, nscd_client_domain')
 can_network_client_tcp(pptp_t)
 allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
 can_exec(pptp_t, hostname_exec_t)
@@ -144,3 +145,4 @@ dontaudit ndc_t pppd_t:fd use;
 # Allow /etc/ppp/ip-{up,down} to run most anything
 type pppd_script_exec_t, file_type, sysadmfile;
 domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+allow pppd_t initrc_t:process noatsecure;
diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc
index a16da2a..02ae668 100644
--- a/strict/file_contexts/program/pppd.fc
+++ b/strict/file_contexts/program/pppd.fc
@@ -20,6 +20,6 @@
 /etc/ppp/plugins/rp-pppoe\.so -- system_u:object_r:shlib_t
 /etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t
 # Fix pptp sockets
-/var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t
+/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t
 # Fix /etc/ppp {up,down} family scripts (see man pppd)
 /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- system_u:object_r:pppd_script_exec_t
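Review bot: `allow pppd_t initrc_t:process noatsecure;` in the @@ -144 hunk clears AT_SECURE on the pppd_t → initrc_t transition set up by `domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)`, so the ip-up/ip-down scripts start with the dynamic loader honoring pppd_t's environment (LD_* and the other variables secure mode would otherwise scrub) in a domain the comment above already describes as able to "run most anything". The hunk gives no reason for relaxing that edge; a comment such as `# ip-up/ip-down scripts depend on pppd's environment being passed intact; AT_SECURE would strip it (confirm which variables)` would record why it is needed and let a later reviewer judge whether it still is.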