From e2b84ef79a811e248ec2d0e6ccd69650cc660714 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 28 2006 14:37:29 +0000 Subject: patch from dan Mon, 25 Sep 2006 15:46:40 -0400 --- diff --git a/Changelog b/Changelog index 1d127e0..e0f065b 100644 --- a/Changelog +++ b/Changelog @@ -71,6 +71,7 @@ Tue, 05 Sep 2006 Wed, 20 Sep 2006 Fri, 22 Sep 2006 + Mon, 25 Sep 2006 - Added modules: afs amavis (Erich Schubert) @@ -107,6 +108,7 @@ ntop nx oav + oddjob (Dan Walsh) openca openvpn (Petre Rodan) perdition diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if index 899fc9d..28052a3 100644 --- a/policy/modules/admin/prelink.if +++ b/policy/modules/admin/prelink.if @@ -78,6 +78,7 @@ interface(`prelink_delete_cache',` ') allow $1 prelink_cache_t:file unlink; + files_rw_etc_dirs($1) ') ######################################## diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index 7b5c3f4..9bc6486 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink,1.1.6) +policy_module(prelink,1.1.7) ######################################## # diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te index d635ec2..4a4e731 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -1,5 +1,5 @@ -policy_module(readahead,1.2.2) +policy_module(readahead,1.2.3) ######################################## # @@ -36,6 +36,8 @@ dev_getattr_all_chr_files(readahead_t) dev_getattr_all_blk_files(readahead_t) dev_dontaudit_read_all_blk_files(readahead_t) dev_dontaudit_getattr_memory_dev(readahead_t) +dev_dontaudit_getattr_nvram(readahead_t) +storage_dontaudit_getattr_fixed_disk_dev(readahead_t) domain_use_interactive_fds(readahead_t) diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te index f5f337d..800117c 100644 --- a/policy/modules/apps/slocate.te +++ b/policy/modules/apps/slocate.te 
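Review bot: `files_rw_etc_dirs($1)` is added inside `prelink_delete_cache` in the prelink.if hunk, so every caller of an interface named for deleting the prelink cache now also gets add-and-remove-entry access on all `etc_t` directories. Removing one file needs much less than `rw_dir_perms`; a grant limited to removing a directory entry would follow least privilege better. The interface's summary lies above the hunk, so it is not visible whether it mentions the new access; if it does not, it should, along with a why-comment such as `# the cache file sits in an etc_t directory; unlinking it needs write on that directory` (presumed reason, to be confirmed).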
@@ -1,5 +1,5 @@ -policy_module(slocate,1.1.0) +policy_module(slocate,1.1.1) ################################# # @@ -45,6 +45,7 @@ files_read_etc_files(locate_t) files_dontaudit_getattr_all_dirs(locate_t) fs_getattr_xattr_fs(locate_t) +fs_getattr_rpc_pipefs(locate_t) libs_use_shared_libs(locate_t) libs_use_ld_so(locate_t) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 918657b..9ff2160 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3211,3 +3211,23 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') + +######################################## +## +## dontaudit getattr generic files in /dev. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_getattr_generic_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir search; + dontaudit $1 device_t:file getattr; +') + diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 9564c3d..9a74b47 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.1.23) +policy_module(devices,1.1.24) ######################################## # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 1aa4279..c4bb816 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1765,6 +1765,24 @@ interface(`files_list_etc',` ######################################## ## +## Add and remove entries from /etc directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_etc_dirs',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir rw_dir_perms; +') + +######################################## +## ## Read generic files in /etc. ## ## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index a1f2e79..94fe78d 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te 
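Review bot: The new `dev_dontaudit_getattr_generic_files` interface in the devices.if hunk contains `allow $1 device_t:dir search;`, so an interface whose name and summary say it only suppresses audit messages also grants search on `device_t` directories. Callers pick up that allow rule without it being visible at the call site; `mdadm_t` in the raid.te hunk of this patch is one. Either reduce the body to `dontaudit $1 device_t:file getattr;`, or keep the allow and state the grant in the summary.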
@@ -1,5 +1,5 @@ -policy_module(files,1.2.19) +policy_module(files,1.2.20) ######################################## # diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index fe25a50..8812f7e 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.3.14) +policy_module(cron,1.3.15) gen_require(` class passwd rootok; @@ -17,6 +17,14 @@ corecmd_executable_file(anacron_exec_t) type cron_spool_t; files_type(cron_spool_t) +# var/lib files +type cron_var_lib_t; +files_type(cron_var_lib_t) + +# var/log files +type cron_log_t; +logging_log_file(cron_log_t) + type crond_t; # real declaration moved to mls until # range_transition works in loadable modules @@ -228,6 +236,16 @@ optional_policy(` # System cron process domain # +# This is to handle creation of files in /var/log directory. +# Used currently by rpm script log files +allow system_crond_t cron_log_t:file manage_file_perms; +logging_log_filetrans(system_crond_t,cron_log_t,file) + +# This is to handle /var/lib/misc directory. Used currently +# by prelink var/lib files for cron +allow system_crond_t cron_var_lib_t:file manage_file_perms; +files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file) + optional_policy(` # cjp: why? squid_domtrans(system_crond_t) diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc index adef45f..27b5e8f 100644 --- a/policy/modules/services/lpd.fc +++ b/policy/modules/services/lpd.fc 
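Review bot: The two filetrans rules in the last cron.te hunk, `logging_log_filetrans(system_crond_t,cron_log_t,file)` and `files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)`, are not limited to the rpm and prelink files their comments mention. Going by the interface names, any file a system cron job creates directly in the generic log or var/lib directory would get the new type, and `manage_file_perms` then lets every system cron job modify or remove those files. The second comment also names /var/lib/misc, which the rule itself does not restrict to. The comments should state the real scope, e.g. `# every file system cron jobs create in the log directory gets cron_log_t (currently rpm script logs)`. No cron.fc change is part of this patch, so unless entries exist elsewhere a relabel would not restore the new types.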
@@ -6,13 +6,18 @@ # # /usr # -/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) -/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) -/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) /usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) + +/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) +/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) +/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) + +/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) # # /var diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 615069a..0521124 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.2.7) +policy_module(lpd,1.2.8) ######################################## # diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc new file mode 100644 index 0000000..da4e864 --- /dev/null +++ b/policy/modules/services/oddjob.fc @@ -0,0 +1,5 @@ +/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) + +/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) + +/var/run/oddjobd.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if new file mode 100644 index 0000000..7696c78 --- /dev/null +++ b/policy/modules/services/oddjob.if 
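Review bot: In the lpd.fc hunk `/usr/sbin/lpadmin` and `/usr/sbin/lpc` are labelled `lpr_exec_t`, the same type as the user-facing `lp`, `lpr`, `lpq` and `lprm` clients, while the neighbouring `/usr/sbin` entries have their own types (`checkpc_exec_t`, `lpd_exec_t`). If these tools change printer configuration, running them in the client domain either fails or pushes configuration-write access into a domain ordinary users can enter; the lpr domain's rules are not in this patch, so that needs checking. A comment above the two new lines stating why administrative tools share the client label would record the decision.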
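Review bot: The `/var/run/oddjobd.pid` entry in the new oddjob.fc has no file-type field, unlike the two executable entries above it that use `--`, so it matches an object of any class at that path. For a pid file the explicit form states the intent: `/var/run/oddjobd.pid -- gen_context(system_u:object_r:oddjob_var_run_t,s0)`. If the omission is deliberate because oddjob.te also creates `sock_file` objects with this type, a one-line comment saying so would help.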
@@ -0,0 +1,96 @@
+##
+## Oddjob provides a mechanism by which unprivileged applications can
+## request that specified privileged operations be performed on their
+## behalf.
+##
+
+########################################
+##
+## Execute a domain transition to run oddjob.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`oddjob_domtrans',`
+ gen_require(`
+ type oddjob_t, oddjob_exec_t;
+ ')
+
+ domain_auto_trans($1,oddjob_exec_t,oddjob_t)
+ allow oddjob_t $1:fd use;
+ allow oddjob_t $1:fifo_file rw_file_perms;
+ allow oddjob_t $1:process sigchld;
+')
+
+########################################
+##
+## Make the specified program domain accessable
+## from the oddjob.
+##
+##
+##
+## The type of the process to transition to.
+##
+##
+##
+##
+## The type of the file used as an entrypoint to this domain.
+##
+##
+#
+interface(`oddjob_system_entry',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ domain_auto_trans(oddjob_t, $2, $1)
+ allow $1 oddjob_t:fd use;
+ allow $1 oddjob_t:fifo_file rw_file_perms;
+ allow $1 oddjob_t:process sigchld;
+')
+
+
+########################################
+##
+## Send and receive messages from
+## oddjob over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`oddjob_dbus_chat',`
+ gen_require(`
+ type oddjob_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 oddjob_t:dbus send_msg;
+ allow oddjob_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Execute a domain transition to run oddjob_mkhomedir.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`oddjob_domtrans_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
+ ')
+
+ domain_auto_trans($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
+ allow oddjob_mkhomedir_t $1:fd use;
+ allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
+ allow oddjob_mkhomedir_t $1:process sigchld;
+')
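Review bot: The summary of `oddjob_system_entry` reads "Make the specified program domain accessable from the oddjob", which carries a typo and does not say that the transition is automatic. Suggested wording: `## Make the specified program domain accessible from oddjob through an automatic transition on the entrypoint file.` The file's opening summary describes oddjob as performing privileged operations for unprivileged applications, so the description of `oddjob_dbus_chat` should also say that a caller gains the ability to send such requests to the daemon over D-Bus, not just "send and receive messages".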
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
new file mode 100644
index 0000000..b31120f
--- /dev/null
+++ b/policy/modules/services/oddjob.te
@@ -0,0 +1,85 @@
+
+policy_module(oddjob,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oddjob_t;
+type oddjob_exec_t;
+domain_type(oddjob_t)
+init_daemon_domain(oddjob_t, oddjob_exec_t)
+
+type oddjob_mkhomedir_t;
+type oddjob_mkhomedir_exec_t;
+domain_type(oddjob_mkhomedir_t)
+init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+
+# pid files
+type oddjob_var_run_t;
+files_pid_file(oddjob_var_run_t)
+
+########################################
+#
+# oddjob local policy
+#
+
+allow oddjob_t self:capability { audit_write setgid } ;
+allow oddjob_t self:process setexec;
+allow oddjob_t self:fifo_file { read write };
+allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
+
+allow oddjob_t oddjob_var_run_t:file manage_file_perms;
+allow oddjob_t oddjob_var_run_t:sock_file manage_file_perms;
+allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
+
+kernel_read_system_state(oddjob_t)
+
+corecmd_search_sbin(oddjob_t)
+corecmd_exec_shell(oddjob_t)
+
+selinux_compute_create_context(oddjob_t)
+
+files_read_etc_files(oddjob_t)
+
+libs_use_ld_so(oddjob_t)
+libs_use_shared_libs(oddjob_t)
+
+miscfiles_read_localization(oddjob_t)
+
+init_dontaudit_use_fds(oddjob_t)
+
+locallogin_dontaudit_use_fds(oddjob_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_ptys(oddjob_t)
+ term_dontaudit_use_unallocated_ttys(oddjob_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client_template(oddjob,oddjob_t)
+ dbus_send_system_bus(oddjob_t)
+ dbus_connect_system_bus(oddjob_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(oddjob_t)
+')
+
+########################################
+#
+# oddjob_mkhomedir local policy
+#
+
+allow oddjob_mkhomedir_t self:fifo_file { read write };
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(oddjob_mkhomedir_t)
+
+libs_use_ld_so(oddjob_mkhomedir_t) +libs_use_shared_libs(oddjob_mkhomedir_t) + +miscfiles_read_localization(oddjob_mkhomedir_t) diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index 37a1f90..cf1b8d9 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -1,5 +1,5 @@ -policy_module(sendmail,1.2.3) +policy_module(sendmail,1.2.4) ######################################## # @@ -32,6 +32,7 @@ allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; allow sendmail_t self:tcp_socket create_stream_socket_perms; allow sendmail_t self:udp_socket create_socket_perms; +allow sendmail_t self:netlink_route_socket r_netlink_socket_perms; allow sendmail_t sendmail_log_t:file create_file_perms; allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr }; diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te index 3edc67a..42d2fdc 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -1,5 +1,5 @@ -policy_module(smartmon,1.0.2) +policy_module(smartmon,1.0.3) ######################################## # @@ -60,8 +60,11 @@ files_read_etc_files(fsdaemon_t) fs_getattr_all_fs(fsdaemon_t) fs_search_auto_mountpoints(fsdaemon_t) +mls_file_read_up(fsdaemon_t) + storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) +storage_raw_read_removable_device(fsdaemon_t) term_dontaudit_use_console(fsdaemon_t) term_dontaudit_search_ptys(fsdaemon_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f6518ec..13ed5c9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.3.26) +policy_module(init,1.3.27) gen_require(` class passwd rootok; 
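Review bot: The `optional_policy` block with `unconfined_domtrans(oddjob_t)` in the new oddjob.te lets the daemon leave its confined domain for the unconfined one. Together with `corecmd_exec_shell(oddjob_t)` and `allow oddjob_t self:process setexec;`, that leaves little of the `oddjob_t` confinement for the helpers it launches; which entrypoints trigger the transition depends on `unconfined_domtrans`, defined outside this patch. The module already provides `oddjob_system_entry` to give each helper its own domain, so a comment should name the helper that still needs the unconfined transition, or the block should go once helpers have domains. Separately, `init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)` declares a helper started by oddjob as an init daemon; `domain_entry_file(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)` would be the narrower declaration, since `oddjob_system_entry` on the next line already supplies the transition.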
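Review bot: `mls_file_read_up(fsdaemon_t)` in the second smartmon.te hunk exempts the daemon from the MLS read-up restriction on files, and it is added without a comment, next to raw read and write on fixed disks and the new `storage_raw_read_removable_device(fsdaemon_t)`. An MLS override on a domain that already has raw disk access should carry its reason in the policy, for example `# needed to open disk device nodes labelled above the daemon's level` if that is the case. The reason is not visible in the patch, so it should be confirmed before the override is kept.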
@@ -580,6 +580,8 @@ optional_policy(` cups_read_log(initrc_t) cups_read_rw_config(initrc_t) +#cups init script clears error log + cups_write_log(initrc_t) ') optional_policy(` diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index c172aec..836b25c 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.3.12) +policy_module(logging,1.3.13) ######################################## # @@ -18,6 +18,7 @@ files_security_file(auditd_etc_t) type auditd_log_t; files_security_file(auditd_log_t) +files_mountpoint(auditd_log_t) type auditd_t; # real declaration moved to mls until diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index 8e18595..6350f3f 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -1,5 +1,5 @@ -policy_module(raid,1.0.0) +policy_module(raid,1.0.1) ######################################## # @@ -29,11 +29,13 @@ files_pid_filetrans(mdadm_t,mdadm_var_run_t,file) kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) kernel_rw_software_raid_state(mdadm_t) +kernel_getattr_core_if(mdadm_t) dev_read_sysfs(mdadm_t) # Ignore attempts to read every device file dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_getattr_generic_files(mdadm_t) fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 6920aad..0e4271f 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.3.14) +policy_module(unconfined,1.3.15) ######################################## # @@ -130,6 +130,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + oddjob_domtrans_mkhomedir(unconfined_t) + ') + + optional_policy(` prelink_domtrans(unconfined_t) ')
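Review bot: `oddjob_domtrans_mkhomedir(unconfined_t)` in the unconfined.te hunk makes an unconfined process that runs the mkhomedir helper transition automatically into `oddjob_mkhomedir_t`. The local policy this patch adds for that domain in oddjob.te grants only self fifo and socket access, reading /etc files, shared libraries and localization. Nothing visible there allows creating or labelling a home directory, so a manual run from `unconfined_t` looks like it would be denied once the transition exists. Either the mkhomedir domain needs its home-directory rules in the same change, or this transition should wait until it has them; the enclosing block starts above the hunk.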