diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 4b11b16..7566bba 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -10,6 +10,7 @@
apt (Erich Schubert)
clamav (Erich Schubert)
dpkg (Erich Schubert)
+ ethereal
evolution
mozilla
mplayer
diff --git a/refpolicy/policy/modules/apps/ethereal.fc b/refpolicy/policy/modules/apps/ethereal.fc
new file mode 100644
index 0000000..12ae276
--- /dev/null
+++ b/refpolicy/policy/modules/apps/ethereal.fc
@@ -0,0 +1,7 @@
+
+/usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0)
+/usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
+')
diff --git a/refpolicy/policy/modules/apps/ethereal.if b/refpolicy/policy/modules/apps/ethereal.if
new file mode 100644
index 0000000..87af193
--- /dev/null
+++ b/refpolicy/policy/modules/apps/ethereal.if
@@ -0,0 +1,303 @@
+## Ethereal packet capture tool.
+
+#######################################
+##
+## The per user domain template for the ethereal module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for ethereal packet capture tool.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`ethereal_per_userdomain_template',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Type for program
+ type $1_ethereal_t;
+ domain_type($1_ethereal_t)
+ domain_entry_file($1_ethereal_t,ethereal_exec_t)
+ role $3 types $1_ethereal_t;
+
+ type $1_ethereal_home_t alias $1_ethereal_rw_t;
+ files_poly_member($1_ethereal_home_t)
+ userdom_user_home_content($1,$1_ethereal_home_t)
+
+ type $1_ethereal_tmp_t;
+ files_tmp_file($1_ethereal_tmp_t)
+
+ type $1_ethereal_tmpfs_t;
+ files_tmpfs_file($1_ethereal_tmpfs_t)
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ allow $1_ethereal_t self:capability { net_admin net_raw setgid };
+ allow $1_ethereal_t self:process { signal getsched };
+ allow $1_ethereal_t self:fifo_file { getattr read write };
+ allow $1_ethereal_t self:shm destroy;
+ allow $1_ethereal_t self:shm create_shm_perms;
+ allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+ allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
+ allow $1_ethereal_t self:tcp_socket create_socket_perms;
+ allow $1_ethereal_t self:udp_socket create_socket_perms;
+
+ # Store temporary files
+ allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms;
+ allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms;
+ files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
+
+ # Re-execute itself (why?)
+ can_exec($1_ethereal_t, ethereal_exec_t)
+ corecmd_search_sbin($1_ethereal_t)
+
+ # /home/.ethereal
+ allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms;
+ allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms;
+ allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms;
+ userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
+
+ allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms;
+ allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms;
+ allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms;
+ allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms;
+ allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms;
+ fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+ domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
+ allow $1_ethereal_t $2:fd use;
+ allow $1_ethereal_t $2:process sigchld;
+
+ allow $2 $1_ethereal_home_t:dir manage_dir_perms;
+ allow $2 $1_ethereal_home_t:file manage_file_perms;
+ allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms;
+ allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+ kernel_read_kernel_sysctls($1_ethereal_t)
+ kernel_read_system_state($1_ethereal_t)
+ kernel_read_sysctl($1_ethereal_t)
+
+ corecmd_search_bin($1_ethereal_t)
+
+ corenet_tcp_connect_generic_port($1_ethereal_t)
+ corenet_tcp_sendrecv_generic_if($1_ethereal_t)
+
+ dev_read_urand($1_ethereal_t)
+
+ files_read_etc_files($1_ethereal_t)
+ files_read_usr_files($1_ethereal_t)
+
+ fs_list_inotifyfs($1_ethereal_t)
+ fs_search_auto_mountpoints($1_ethereal_t)
+
+ libs_read_lib_files($1_ethereal_t)
+ libs_use_ld_so($1_ethereal_t)
+ libs_use_shared_libs($1_ethereal_t)
+
+ miscfiles_read_fonts($1_ethereal_t)
+ miscfiles_read_localization($1_ethereal_t)
+
+ seutil_use_newrole_fds($1_ethereal_t)
+
+ sysnet_read_config($1_ethereal_t)
+
+ userdom_manage_user_home_content_files($1,$1_ethereal_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_ethereal_t)
+ fs_manage_nfs_files($1_ethereal_t)
+ fs_manage_nfs_symlinks($1_ethereal_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1_ethereal_t)
+ fs_manage_cifs_files($1_ethereal_t)
+ fs_manage_cifs_symlinks($1_ethereal_t)
+ ')
+
+ optional_policy(`nscd',`
+ nscd_socket_use($1_ethereal_t)
+ ')
+
+ # Manual transition from userhelper
+ optional_policy(`userhelper', `
+ userhelper_use_user_fd($1,$1_ethereal_t)
+ userhelper_sigchld_user($1,$1_ethereal_t)
+ ')
+
+ optional_policy(`xserver',`
+ xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t)
+ xserver_create_xdm_tmp_sockets($1_ethereal_t)
+ ')
+
+ ifdef(`TODO',`
+ # Why does it write this?
+ optional_policy(`snmpd.te', `
+ dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
+ ')
+ #TODO
+ gnome_application($1_ethereal, $1)
+ gnome_file_dialog($1_ethereal, $1)
+ # FIXME: policy is incomplete
+ ')
+
+')
+
+#######################################
+##
+## The administrative functions template for the ethereal module.
+##
+##
+##
+## This template creates rules for administrating ethereal,
+## allowing the specified user to manage ethereal files.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`tethereal_admin_template',`
+ gen_require(`
+ type $1_ethereal_t;
+ ')
+
+ # Create various types of sockets
+ allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;
+ allow $1_ethereal_t self:udp_socket create_socket_perms;
+ allow $1_ethereal_t self:packet_socket create_socket_perms;
+ allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_ethereal_t self:tcp_socket create_socket_perms;
+
+ userdom_use_user_terminals($1,$1_ethereal_t)
+ # Ethereal tries to write to user terminal
+ userdom_dontaudit_use_user_terminals($1,$1_ethereal_t)
+')
+
+########################################
+##
+## Run ethereal in ethereal domain.
+##
+##
+##
+## Run ethereal in ethereal domain.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`ethereal_domtrans_user_ethereal',`
+ gen_require(`
+ type $1_ethereal_t, ethereal_exec_t;
+ ')
+
+ domain_auto_trans($2,ethereal_exec_t,$1_ethereal_t)
+
+ allow $2 $1_ethereal_t:fd use;
+ allow $1_ethereal_t $2:fd use;
+ allow $1_ethereal_t $2:fifo_file rw_file_perms;
+ allow $1_ethereal_t $2:process sigchld;
+')
+
+########################################
+##
+## Run tethereal in the tethereal domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`ethereal_domtrans_tethereal',`
+ gen_require(`
+ type tethereal_t, tethereal_exec_t;
+ ')
+
+ domain_auto_trans($1,tethereal_exec_t,tethereal_t)
+
+ allow $1 tethereal_t:fd use;
+ allow tethereal_t $1:fd use;
+ allow tethereal_t $1:fifo_file rw_file_perms;
+ allow tethereal_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute tethereal in the tethereal domain, and
+## allow the specified role the tethereal domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the tethereal domain.
+##
+##
+##
+##
+## The type of the terminal allow the tethereal domain to use.
+##
+##
+#
+interface(`ethereal_run_tethereal',`
+ gen_require(`
+ type tethereal_t;
+ ')
+
+ ethereal_domtrans_tethereal($1)
+ role $2 types tethereal_t;
+ allow tethereal_t $3:chr_file rw_term_perms;
+')
diff --git a/refpolicy/policy/modules/apps/ethereal.te b/refpolicy/policy/modules/apps/ethereal.te
new file mode 100644
index 0000000..5d9c713
--- /dev/null
+++ b/refpolicy/policy/modules/apps/ethereal.te
@@ -0,0 +1,57 @@
+
+policy_module(ethereal,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ethereal_exec_t;
+files_type(ethereal_exec_t)
+
+type tethereal_t;
+type tethereal_exec_t;
+domain_type(tethereal_t)
+domain_entry_file(tethereal_t,tethereal_exec_t)
+
+type tethereal_tmp_t;
+files_tmp_file(tethereal_tmp_t)
+
+########################################
+#
+# Tethereal policy
+#
+
+allow tethereal_t tethereal_t : capability { dac_override dac_read_search setgid setuid net_raw };
+allow tethereal_t self:unix_stream_socket create_stream_socket_perms;
+allow tethereal_t self:netlink_route_socket create_netlink_socket_perms;
+allow tethereal_t self:packet_socket create_socket_perms;
+allow tethereal_t self:tcp_socket create_socket_perms;
+allow tethereal_t self:udp_socket create_socket_perms;
+
+# Store temporary files
+allow tethereal_t tethereal_tmp_t:dir create_dir_perms;
+allow tethereal_t tethereal_tmp_t:file create_file_perms;
+files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
+
+# /proc
+kernel_read_all_sysctls(tethereal_t)
+kernel_read_system_state(tethereal_t)
+
+# Read ethereal files in /usr
+files_read_usr_files(tethereal_t)
+# /etc/nsswitch.conf
+files_read_etc_files(tethereal_t)
+
+libs_use_ld_so(tethereal_t)
+libs_use_shared_libs(tethereal_t)
+
+miscfiles_read_localization(tethereal_t)
+
+seutil_use_newrole_fds(tethereal_t)
+
+sysnet_dns_name_resolve(tethereal_t)
+
+optional_policy(`nscd',`
+ nscd_socket_use(tethereal_t)
+')
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
index e5aa700..a8bda8c 100644
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -174,6 +174,9 @@ template(`userhelper_per_userdomain_template',`
userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
')
+ optional_policy(`ethereal',`
+ ethereal_domtrans_user_ethereal($1,$1_userhelper_t)
+ ')
optional_policy(`logging',`
logging_send_syslog_msg($1_userhelper_t)
@@ -243,3 +246,48 @@ interface(`userhelper_dontaudit_search_config',`
dontaudit $1 userhelper_conf_t:dir search_dir_perms;
')
+
+########################################
+##
+## Allow domain to use userhelper file descriptor.
+##
+##
+##
+## The prefix of the domain, example user is the prefix of user_t.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`userhelper_use_user_fd',`
+ gen_require(`
+ type $1_userhelper_t;
+ ')
+
+ allow $2 $1_userhelper_t:fd use;
+')
+########################################
+##
+## Allow domain to send sigchld to userhelper.
+##
+##
+##
+## The prefix of the domain, example user is the prefix of user_t.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`userhelper_sigchld_user',`
+ gen_require(`
+ type $1_userhelper_t;
+ ')
+
+ allow $2 $1_userhelper_t:process sigchld;
+')
diff --git a/refpolicy/policy/modules/apps/userhelper.te b/refpolicy/policy/modules/apps/userhelper.te
index 22cae2e..af82043 100644
--- a/refpolicy/policy/modules/apps/userhelper.te
+++ b/refpolicy/policy/modules/apps/userhelper.te
@@ -1,5 +1,5 @@
-policy_module(userhelper,1.0.0)
+policy_module(userhelper,1.0.1)
########################################
#
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 04e03b9..986dbde 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -894,6 +894,10 @@ template(`admin_user_template',`
cron_admin_template($1,$1_t,$1_r)
')
+ optional_policy(`ethereal',`
+ tethereal_admin_template($1,$1_t,$1_r)
+ ')
+
optional_policy(`lpd',`
lpr_admin_template($1,$1_t,$1_r)
')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 286f55f..28a3474 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.3)
+policy_module(userdomain,1.3.4)
gen_require(`
role sysadm_r, staff_r, user_r;
@@ -256,6 +256,10 @@ ifdef(`targeted_policy',`
dpkg_run(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`ethereal',`
+ ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`firstboot',`
firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
')