diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index dd4cd30..d64682f 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -124,7 +124,12 @@ userdom_dontaudit_list_admin_dir(logrotate_t)
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
-mta_send_mail(logrotate_t)
+#mta_send_mail(logrotate_t)
+mta_base_mail_template(logrotate)
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+role system_r types logrotate_mail_t;
+logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
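Review bot: The commented-out `#mta_send_mail(logrotate_t)` should be deleted rather than left beside its replacement, since the new `mta_base_mail_template(logrotate)` / `mta_sendmail_domtrans` pair is now the mechanism. The grants to the new `logrotate_mail_t` domain also look wider than a mail helper needs: `logging_read_all_logs` lets the mailer read every log on the system, and `manage_files_pattern` on `logrotate_tmp_t` gives it create/write/unlink where reading the rotated copy is presumably all it does. If the helper only needs to read what logrotate hands it, `read_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)` and dropping the all-logs read would be the least-privilege shape; confirm against the sendmail invocation logrotate actually makes. The `ifdef(\`distro_debian'` block continues past the end of this hunk.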
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
index b09816f..4e92e87 100644
--- a/policy/modules/apps/chrome.te
+++ b/policy/modules/apps/chrome.te
@@ -80,12 +80,13 @@ optional_policy(`
')
tunable_policy(`use_nfs_home_dirs',`
- fs_dontaudit_append_nfs_files(chrome_sandbox_t)
- fs_dontaudit_read_nfs_files(chrome_sandbox_t)
- fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t)
+ fs_search_nfs(chrome_sandbox_t)
+ fs_read_inherited_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_symlinks(chrome_sandbox_t)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(chrome_sandbox_t)
+ fs_read_inherited_cifs_files(chrome_sandbox_t)
fs_dontaudit_append_cifs_files(chrome_sandbox_t)
- fs_dontaudit_read_cifs_files(chrome_sandbox_t)
')
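Review bot: The two tunable blocks end up asymmetric: the NFS branch gains `fs_read_nfs_symlinks` and drops its append dontaudit, while the CIFS branch keeps `fs_dontaudit_append_cifs_files` and gets no symlink read at all. If the sandbox genuinely follows symlinks in NFS homes it will hit the same denials on CIFS homes, so either add `fs_read_cifs_symlinks(chrome_sandbox_t)` or drop the NFS symlink grant, and treat the append dontaudit the same way on both sides. Note that replacing dontaudit with allow is a real widening (the sandbox can now read inherited home-dir descriptors on network shares), which is fine if that is the intent, but it deserves a one-line comment such as `# sandbox reads profile data over fds inherited from the browser`.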
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 4eecefb..51d47a0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1235,6 +1235,24 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
##
+## Read inherited files on a CIFS or SMB filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_read_inherited_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:file read_inherited_file_perms;
+')
+
+########################################
+##
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
##
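Review bot: The parameter description for the new `fs_read_inherited_cifs_files` interface says `Domain to not audit.`, but the body is an `allow` rule, so the text was copied from the neighbouring dontaudit interface and is wrong. It should read `Domain allowed access.`, matching every other allow interface in this file. The summary line is correct as written.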
@@ -2536,6 +2554,24 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
##
+## Read inherited files on a NFS filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_read_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:file read_inherited_file_perms;
+')
+
+########################################
+##
## Do not audit attempts to read or
## write files on a NFS filesystem.
##
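Review bot: As with its CIFS twin, `fs_read_inherited_nfs_files` documents its parameter as `Domain to not audit.` while granting `read_inherited_file_perms`; the description should be `Domain allowed access.`. Leaving the dontaudit wording here will mislead anyone auditing which domains actually gain read access to `nfs_t` files.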
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index b0d95d4..571c76e 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -153,6 +153,10 @@ optional_policy(`
')
optional_policy(`
+ vnstatd_read_lib_files(staff_t)
+')
+
+optional_policy(`
webadm_role_change(staff_r)
')
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
index d21aa69..416c49e 100644
--- a/policy/modules/services/aiccu.te
+++ b/policy/modules/services/aiccu.te
@@ -23,7 +23,7 @@ files_pid_file(aiccu_var_run_t)
# aiccu local policy
#
-allow aiccu_t self:capability { kill net_admin };
+allow aiccu_t self:capability { kill net_admin net_raw };
dontaudit aiccu_t self:capability sys_tty_config;
allow aiccu_t self:process signal;
allow aiccu_t self:fifo_file rw_fifo_file_perms;
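Review bot: Adding `net_raw` to `aiccu_t` without a comment leaves the next reviewer unable to tell whether it is needed; `net_raw` permits raw and packet sockets, which is a sniffing-capable privilege, so it should be justified inline. Presumably this is for the proto-41 or ICMPv6 heartbeat sockets the tunnel client opens; if so, a line such as `# net_raw: raw IPv6-in-IPv4 tunnel / heartbeat sockets` above the rule would record that, and if it is only for a tun/tap device then `net_admin` alone may already cover it and the addition should be re-checked against the AVC denial that prompted it.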
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index ff1a1c9..45f5a6f 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -328,6 +328,10 @@ optional_policy(`
udev_read_db(crond_t)
')
+optional_policy(`
+ vnstatd_search_lib(crond_t)
+')
+
########################################
#
# System cron process domain
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 87fc055..7852441 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -169,6 +169,7 @@ template(`dbus_role_template',`
')
optional_policy(`
+ xserver_search_xdm_lib($1_dbusd_t)
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
index a8676c7..d862e7e 100644
--- a/policy/modules/services/rhcs.fc
+++ b/policy/modules/services/rhcs.fc
@@ -8,6 +8,7 @@
/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
/var/log/cluster/.*\.*log <>
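Review bot: The new `/var/lib/cluster(/.*)?` entry labels with `cluster_var_lib_t`, but this diff contains no change to `rhcs.te` declaring that type or attaching it to a domain. If `cluster_var_lib_t` is not already declared in the module, the file-context line will fail to load; if it is, a matching `files_type`/manage rule for whichever cluster daemon writes there should be visible in the same commit. Worth confirming before merge.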
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index fec701f..8dac607 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -350,6 +350,7 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
selinux_validate_context(virtd_t)
diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
new file mode 100644
index 0000000..7667c31
--- /dev/null
+++ b/policy/modules/services/vnstatd.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+
+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
new file mode 100644
index 0000000..85dba86
--- /dev/null
+++ b/policy/modules/services/vnstatd.if
@@ -0,0 +1,150 @@
+
+## policy for vnstatd
+
+
+########################################
+##
+## Execute a domain transition to run vnstatd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_domtrans',`
+ gen_require(`
+ type vnstatd_t, vnstatd_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
+
+
+########################################
+##
+## Execute a domain transition to run vnstat.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_domtrans_vnstat',`
+ gen_require(`
+ type vnstat_t, vnstat_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstat_exec_t, vnstat_t)
+')
+
+########################################
+##
+## Search vnstatd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_search_lib',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read vnstatd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_read_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## vnstatd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_manage_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+##
+## Manage vnstatd lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_manage_lib_dirs',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an vnstatd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`vnstatd_admin',`
+ gen_require(`
+ type vnstatd_t;
+ type vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vnstatd_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
+
+')
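Review bot: `vnstatd_admin` documents a second parameter `Role allowed access.` but never references `$2`, so the role argument is silently ignored; either drop the parameter from the docs or use it as the other admin interfaces do (e.g. `role_transition $2 vnstatd_initrc_exec_t system_r;` once an initrc type exists, or at least a `role $2 types vnstatd_t;` if that is the intent). Also note the admin interface hands out `ptrace` on `vnstatd_t`; that is the refpolicy convention but it is a strong permission for a traffic-counter daemon, so if `vnstatd_admin` is only ever used for unprivileged read-out of the database, `signal_perms` plus `ps_process_pattern` would suffice. Minor: in `vnstatd_search_lib` the `files_search_var_lib($1)` call comes after the `allow`, the reverse of the other interfaces here.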
diff --git a/policy/modules/services/vnstatd.if~ b/policy/modules/services/vnstatd.if~
new file mode 100644
index 0000000..85dba86
--- /dev/null
+++ b/policy/modules/services/vnstatd.if~
@@ -0,0 +1,150 @@
+
+## policy for vnstatd
+
+
+########################################
+##
+## Execute a domain transition to run vnstatd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_domtrans',`
+ gen_require(`
+ type vnstatd_t, vnstatd_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
+
+
+########################################
+##
+## Execute a domain transition to run vnstat.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_domtrans_vnstat',`
+ gen_require(`
+ type vnstat_t, vnstat_exec_t;
+ ')
+
+ domtrans_pattern($1, vnstat_exec_t, vnstat_t)
+')
+
+########################################
+##
+## Search vnstatd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_search_lib',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read vnstatd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_read_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## vnstatd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_manage_lib_files',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+##
+## Manage vnstatd lib dirs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`vnstatd_manage_lib_dirs',`
+ gen_require(`
+ type vnstatd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an vnstatd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`vnstatd_admin',`
+ gen_require(`
+ type vnstatd_t;
+ type vnstatd_var_lib_t;
+ ')
+
+ allow $1 vnstatd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vnstatd_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, vnstatd_var_lib_t)
+
+')
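Review bot: `policy/modules/services/vnstatd.if~` is an editor backup file (trailing `~`) and should not be committed; it duplicates `vnstatd.if` byte for byte and will drift as soon as the real file changes. Remove it from the commit and add `*~` to the repository's ignore list if it is not already there.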
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
new file mode 100644
index 0000000..db526e6
--- /dev/null
+++ b/policy/modules/services/vnstatd.te
@@ -0,0 +1,69 @@
+policy_module(vnstatd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vnstatd_t;
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
+permissive vnstatd_t;
+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
+type vnstat_t;
+type vnstat_exec_t;
+application_domain(vnstat_t, vnstat_exec_t)
+cron_system_entry(vnstat_t, vnstat_exec_t)
+
+########################################
+#
+# vnstatd local policy
+#
+allow vnstatd_t self:process { fork signal };
+
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
+
+domain_use_interactive_fds(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
+
+########################################
+#
+# vnstat local policy
+#
+allow vnstat_t self:process { signal };
+
+allow vnstat_t self:fifo_file rw_fifo_file_perms;
+allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
+
+kernel_read_network_state(vnstat_t)
+kernel_read_system_state(vnstat_t)
+
+domain_use_interactive_fds(vnstat_t)
+
+files_read_etc_files(vnstat_t)
+
+fs_getattr_xattr_fs(vnstat_t)
+
+logging_send_syslog_msg(vnstat_t)
+
+miscfiles_read_localization(vnstat_t)
+
+
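Review bot: `permissive vnstatd_t;` ships the daemon domain in permissive mode, so none of the rules below it are actually enforced and any denial is only logged; that is acceptable while developing the policy but should either be removed before this lands or be marked with a comment such as `# TODO: drop permissive once the ruleset is confirmed complete`. Related, `vnstatd_t` has no `kernel_read_network_state` while the cron-driven `vnstat_t` does; since the daemon is presumably the process reading interface counters from `/proc/net/dev`, the daemon's ruleset is likely incomplete and the permissive flag is hiding that. Check the AVC log for `vnstatd_t` before deciding which of the two domains really needs the network-state read.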
diff --git a/policy/modules/services/vnstatd.te~ b/policy/modules/services/vnstatd.te~
new file mode 100644
index 0000000..0c18b5b
--- /dev/null
+++ b/policy/modules/services/vnstatd.te~
@@ -0,0 +1,76 @@
+policy_module(vnstatd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vnstatd_t;
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
+permissive vnstatd_t;
+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
+type vnstat_t;
+domain_type(vnstat_t)
+type vnstat_exec_t;
+domain_entry_file(vnstat_t, vnstat_exec_t)
+cron_system_entry(vnstat_t, vnstat_exec_t)
+
+########################################
+#
+# vnstatd local policy
+#
+allow vnstatd_t self:process { fork signal };
+
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
+
+domain_use_interactive_fds(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
+
+########################################
+#
+# vnstat local policy
+#
+allow vnstat_t self:process { signal };
+
+allow vnstat_t self:fifo_file rw_fifo_file_perms;
+allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
+
+kernel_read_network_state(vnstat_t)
+kernel_read_system_state(vnstat_t)
+
+domain_use_interactive_fds(vnstat_t)
+
+files_read_etc_files(vnstat_t)
+
+fs_getattr_xattr_fs(vnstat_t)
+
+logging_send_syslog_msg(vnstat_t)
+
+miscfiles_read_localization(vnstat_t)
+
+optional_policy(`
+ gen_require(`
+ type crond_t;
+ ')
+ vnstatd_search_lib(crond_t)
+')
+
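Review bot: `policy/modules/services/vnstatd.te~` is a stray editor backup and should be dropped from the commit; it is also stale relative to `vnstatd.te` (it still carries the `optional_policy` block with a `gen_require` of `crond_t` that this series moved into `cron.te`), so leaving it in the tree invites confusion about which version is authoritative.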
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5fbf38f..29d5384 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -352,8 +352,9 @@ fs_dontaudit_leaks(xauth_t)
fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
-# cjp: why?
-term_use_ptmx(xauth_t)
+# Probably a leak
+term_dontaudit_use_ptmx(xauth_t)
+term_dontaudit_use_console(xauth_t)
auth_use_nsswitch(xauth_t)
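Review bot: Turning `term_use_ptmx(xauth_t)` into `term_dontaudit_use_ptmx` plus `term_dontaudit_use_console` is the right direction for a leaked descriptor, but a dontaudit also silences the denial if some path does legitimately need the pty, so the comment should say what is believed to leak it, e.g. `# pty/console fds leaked from the display manager or login session; not needed by xauth`. That way, if an `xauth` failure ever surfaces with no AVC record, the next person knows to re-enable auditing here first rather than hunting elsewhere.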