diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index c66ebbb..7f96e01 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -81,7 +81,7 @@ template(`apache_content_template',`
allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
- files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
+ files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
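Review bot: Adding `dir` to the class list of `files_create_tmp_files` only makes directories created in tmp receive the httpd_$1_script_rw_t label; it grants no permission on that type for the dir class, and the three context lines above cover only lnk_file, sock_file and fifo_file. Unless an `allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;` already exists earlier in the template, the new transition produces denials rather than usable directories. `apache_content_template` starts before this hunk and continues after it, so the rule may well be out of view; worth confirming before this is merged.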
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 03f5f29..570ef7a 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -130,6 +130,7 @@ allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_co
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
+allow httpd_t self:sock_file r_file_perms;
allow httpd_t self:fifo_file rw_file_perms;
allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
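Review bot: The added `allow httpd_t self:sock_file r_file_perms;` is a file-class rule whose object type is the process domain itself, which is unusual enough to need a why-comment: a sock_file inode carries the httpd_t label only on a task-labelled pseudo filesystem such as sockfs, so this presumably covers getattr/lock on the process's own socket inodes rather than any socket file under the document root. Suggest `# sock_file inodes on sockfs carry the task label; covers getattr/lock on own sockets` above the line, keeping the wording hedged until the denial that motivated it is checked. If the actual trigger was a filesystem socket, the object type should be a file type, not `self`.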
@@ -384,6 +385,7 @@ optional_policy(`mailman.te',`
mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
+ mailman_search_data(httpd_t)
mailman_read_archive(httpd_t)
')
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index b45c65a..ce2cfb9 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -7,7 +7,7 @@ policy_module(finger,1.0)
#
type fingerd_t;
type fingerd_exec_t;
-init_system_domain(fingerd_t,fingerd_exec_t)
+init_daemon_domain(fingerd_t,fingerd_exec_t)
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
type fingerd_etc_t;
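Review bot: Switching fingerd_t to `init_daemon_domain` while keeping `inetd_tcp_service_domain` on the next line means two interfaces now try to declare the same `fingerd_disable_trans` boolean, which appears to be why the `ifdef(`__define_'...)` guards are added to init.if and inetd.if in this same commit; this hunk does not build without them, so the pieces must not be split. tftp.te makes the identical switch for tftpd_t and has the same dependency. A comment here such as `# daemon and inetd service: both interfaces guard the shared _disable_trans bool` would save the next reader from rediscovering the coupling. Whether `init_daemon_domain` also widens fingerd_t's default access relative to `init_system_domain` cannot be seen from this hunk and should be checked against init.if.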
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index b144729..d03e202 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -36,7 +36,10 @@ interface(`inetd_core_service_domain',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
- bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+ ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
+ bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+ define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
+ ')
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
# can_exec(inetd_t,$2)
# cjp: this must be wrong
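Review bot: The guard works only because the m4 marker `__define_'regexp(...)` is spelled identically here and in the init.if hunk for `init_daemon_domain`; nothing ties the two sites together, so a later edit to either silently brings back the duplicate-bool build failure. Consider one shared declare-once macro that both interfaces call, or at least a comment above the ifdef: `# guarded: init_daemon_domain declares the same bool; the __define_ marker must match there`. The existing hack comment should also be extended, since the marker inherits the regexp's empty-result problem: a domain without a `_t` suffix defines the bare `__define_` marker. `inetd_core_service_domain` starts before and ends after this hunk.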
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index d24fa6c..9c55937 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -183,6 +183,7 @@ allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
files_create_tmp_files(inetd_child_t, inetd_child_tmp_t, { file dir })
allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
+allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
files_create_pid(inetd_child_t,inetd_child_var_run_t)
kernel_read_kernel_sysctl(inetd_child_t)
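Review bot: `rw_dir_perms` on inetd_child_var_run_t:dir grants search/list and add_name/remove_name but not create, so the new rule only matters if a directory already carries that label; the `files_create_pid` call on the next line appears to use its default class, and nothing in this diff adds a file_contexts entry for such a directory. Either a pre-labelled subdirectory under /var/run is intended, in which case a comment naming it (`# <pid-subdir> is labelled inetd_child_var_run_t via file_contexts`) and a `dir` class on the transition are needed, or the rule is dead and should be dropped. Which of the two applies cannot be determined from this hunk.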
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index 0d86f24..d099648 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -182,7 +182,7 @@ interface(`mailman_search_data',`
type mailman_data_t;
')
- allow $1 mailman_data_t:dir search;
+ allow $1 mailman_data_t:dir search_dir_perms;
')
#######################################
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 93fc7f5..91c71d5 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -8,7 +8,7 @@ policy_module(tftp,1.0)
type tftpd_t;
type tftpd_exec_t;
-init_system_domain(tftpd_t,tftpd_exec_t)
+init_daemon_domain(tftpd_t,tftpd_exec_t)
inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
type tftpd_var_run_t;
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index a7e665b..b21d713 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -989,7 +989,7 @@ interface(`domain_unconfined',`
# domain_trans(source_domain,entrypoint_file,target_domain)
#
template(`domain_trans',`
- allow $1 $2:file rx_file_perms;
+ allow $1 $2:file { getattr read execute };
allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
')
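Review bot: `domain_trans` is the primitive that every domain transition expands through, so narrowing the entrypoint access from `rx_file_perms` to `{ getattr read execute }` is a policy-wide tightening that deserves a stated rationale on the changed line, e.g. `# entrypoint needs only getattr/read/execute; execute_no_trans is deliberately absent so $2 cannot run in $1 without transitioning`. What `rx_file_perms` expands to is not in this diff, so which members were dropped (presumably lock and ioctl) and whether any existing domain relies on them should be verified and named in the comment rather than left implicit.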
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 8b05c41..23912ec 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -187,6 +187,7 @@ optional_policy(`sysnetwork.te',`
optional_policy(`udev.te', `
udev_domtrans(hotplug_t)
+ udev_helper_domtrans(hotplug_t)
udev_read_db(hotplug_t)
')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index d4b8319..4c92dfa 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -88,7 +88,10 @@ interface(`init_daemon_domain',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
- bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+ ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
+ bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+ define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
+ ')
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
can_exec(initrc_t,$2)
can_exec(direct_run_init,$2)
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index b15f3a2..01d1920 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -11,9 +11,6 @@
interface(`udev_domtrans',`
gen_require(`
type udev_t, udev_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
domain_auto_trans($1, udev_exec_t, udev_t)
@@ -26,6 +23,27 @@ interface(`udev_domtrans',`
########################################
##
+## Execute a udev helper in the udev domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`udev_helper_domtrans',`
+ gen_require(`
+ type udev_t, udev_helper_exec_t;
+ ')
+
+ domain_auto_trans($1, udev_helper_exec_t, udev_t)
+
+ allow $1 udev_t:fd use;
+ allow udev_t $1:fd use;
+ allow udev_t $1:fifo_file rw_file_perms;
+ allow udev_t $1:process sigchld;
+')
+
+########################################
+##
## Allow process to read udev process state.
##
##
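Review bot: `udev_helper_domtrans` requires `udev_helper_exec_t`, but udev.te is not touched by this commit, so unless that type is already declared there every caller — hotplug.te gains one in this same change — fails at policy build; the declaration should be confirmed or added alongside. The first hunk shows `udev_domtrans` beginning identically with `domain_auto_trans`, and the rest of its body is out of view, so if the four trailing allow rules here (fd use both ways, fifo_file rw, sigchld) mirror it, say so in a comment or have both interfaces expand a shared body rather than keep two copies in step by hand. The `##` doc block also appears to lack the `<param name="domain">` tag around the parameter description, unless that is an artifact of how the diff was rendered.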
@@ -54,7 +72,6 @@ interface(`udev_read_state',`
interface(`udev_dontaudit_use_fd',`
gen_require(`
type udev_t;
- class fd use;
')
dontaudit $1 udev_t:fd use;
@@ -72,7 +89,6 @@ interface(`udev_dontaudit_use_fd',`
interface(`udev_dontaudit_rw_unix_dgram_socket',`
gen_require(`
type udev_t;
- class unix_dgram_socket { read write };
')
dontaudit $1 udev_t:unix_dgram_socket { read write };
@@ -89,7 +105,6 @@ interface(`udev_dontaudit_rw_unix_dgram_socket',`
interface(`udev_read_db',`
gen_require(`
type udev_tdb_t;
- class file r_file_perms;
')
dev_list_all_dev_nodes($1)
@@ -107,10 +122,8 @@ interface(`udev_read_db',`
interface(`udev_rw_db',`
gen_require(`
type udev_tdb_t;
- class file rw_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 udev_tdb_t:file rw_file_perms;
')
-