diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index efcf513..c10c3df 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -2,6 +2,7 @@
build phase instead of during the generation phase.
- DISTRO=redhat now implies DIRECT_INITRC=y.
- Added policies:
+ amanda
canna
cyrus
dovecot
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 4e9b0e3..cd7d478 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1395,6 +1395,23 @@ interface(`kernel_rw_unlabeled_dir',`
########################################
##
+## Do not audit attempts by caller to get the
+## attributes of an unlabeled file.
+##
+##
+## The process type not to audit.
+##
+#
+interface(`kernel_dontaudit_getattr_unlabeled_file',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:file getattr;
+')
+
+########################################
+##
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
##
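Review bot: The `gen_require` block of `kernel_dontaudit_getattr_unlabeled_file` declares only `type unlabeled_t;`, while the neighbouring `kernel_dontaudit_getattr_unlabeled_blk_dev` (next hunk) also requires the object class it uses, `class blk_file getattr;`. Adding `class file getattr;` would keep the two interfaces consistent and make the new one state everything it depends on. The summary could also say that the rule only suppresses the audit record and grants no access, so a caller that really needs `getattr` on unlabeled files is not misled into using it.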
@@ -1408,7 +1425,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
class blk_file getattr;
')
- allow $1 unlabeled_t:blk_file getattr;
+ dontaudit $1 unlabeled_t:blk_file getattr;
')
########################################
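Review bot: Replacing `allow` with `dontaudit` here takes away a permission that every existing caller of `kernel_dontaudit_getattr_unlabeled_blk_dev` was in fact being granted, and the denials that result are not logged. The change is right for an interface with this name, but the Changelog hunk of this commit records only the new amanda policy. An entry such as `- Fix kernel_dontaudit_getattr_unlabeled_blk_dev to use dontaudit instead of allow.` would let maintainers trace a new silent failure back to this commit. The interface begins above this hunk, so its header was not checked.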
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index d209a85..5646bb2 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,1.0)
+policy_module(bind,0.9)
########################################
#
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 6ec899b..12292ac 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -71,6 +71,8 @@ corenet_udp_bind_all_nodes(inetd_t)
corenet_tcp_connect_all_ports(inetd_t)
# listen on service ports:
+corenet_tcp_bind_amanda_port(inetd_t)
+corenet_udp_bind_amanda_port(inetd_t)
corenet_tcp_bind_auth_port(inetd_t)
#corenet_udp_bind_comsat_port(inetd_t)
corenet_tcp_bind_dbskkd_port(inetd_t)
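Review bot: The two amanda port binds are granted to `inetd_t` unconditionally, whereas the amanda library access added in the later hunk of this file sits inside an `optional_policy` block keyed on amanda.te. In a policy built without the amanda module, inetd therefore still holds the right to bind that port. The surrounding service-port lines follow the same unconditional pattern, so this may be deliberate. If it is, a short comment such as `# amanda services are started from inetd` beside the two lines would record the reason; otherwise the binds could move into the optional block next to `amanda_search_lib(inetd_t)`.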
@@ -123,6 +125,10 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(inetd_t)
')
+optional_policy(`amanda.te',`
+ amanda_search_lib(inetd_t)
+')
+
optional_policy(`mount.te',`
mount_send_nfs_client_request(inetd_t)
')
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 5a6992b..e4d64c3 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.0)
+policy_module(networkmanager,0.9)
########################################
#
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 90d5c0d..914fb0e 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -618,6 +618,40 @@ interface(`files_dontaudit_getattr_non_security_sockets',`
########################################
##
+## Read all block nodes with file types.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_all_blk_nodes',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:blk_file { getattr read };
+')
+
+########################################
+##
+## Read all character nodes with file types.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_all_chr_nodes',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:chr_file { getattr read };
+')
+
+########################################
+##
## Relabel all files on the filesystem, except
## the listed exceptions.
##
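Review bot: `files_read_all_blk_nodes` grants `read` on every `blk_file` whose type carries the `file_type` attribute, and the summary does not say how broad that is. Reading a block node means reading the raw device, so the labels on the files stored there no longer restrict the caller. The header should state this and name the expected kind of caller (presumably a backup domain, given the amanda policy this commit adds), for example `## Intended for backup domains; read access to a block node exposes the whole underlying device.` The same caveat belongs on `files_read_all_chr_nodes`. Both `gen_require` blocks also omit the object classes they use; `class dir search;` plus `class blk_file { getattr read };` (or `chr_file` in the second interface) would make the dependencies explicit.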
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 1b2cbc1..0f01873 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1803,6 +1803,87 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
########################################
##
+## Create objects in sysadm home directories
+## with automatic file type transition.
+##
+##
+## Domain allowed access.
+##
+##
+## The class of the object to be created.
+## If not specified, file is used.
+##
+#
+interface(`userdom_create_sysadm_home',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ allow $1 user_home_dir_t:dir rw_dir_perms;
+ ifelse(`$2',`',`
+ ifelse(`$3',`',`
+ type_transition $1 user_home_dir_t:file user_home_t;
+ ',`
+ type_transition $1 user_home_dir_t:$3 user_home_t;
+ ')
+ ',`
+ ifelse(`$3',`',`
+ type_transition $1 user_home_dir_t:file $2;
+ ',`
+ type_transition $1 user_home_dir_t:$3 $2;
+ ')
+ ')
+ ',`
+ gen_require(`
+ type sysadm_home_dir_t, sysadm_home_t;
+ ')
+
+ allow $1 sysadm_home_dir_t:dir rw_dir_perms;
+
+ ifelse(`$2',`',`
+ ifelse(`$3',`',`
+ type_transition $1 sysadm_home_dir_t:file sysadm_home_t;
+ ',`
+ type_transition $1 sysadm_home_dir_t:$3 sysadm_home_t;
+ ')
+ ',`
+ ifelse(`$3',`',`
+ type_transition $1 sysadm_home_dir_t:file $2;
+ ',`
+ type_transition $1 sysadm_home_dir_t:$3 $2;
+ ')
+ ')
+ ')
+')
+
+########################################
+##
+## Search the sysadm users home sub directories.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`userdom_search_sysadm_home_subdirs',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+
+ ',`
+ gen_require(`
+ type sysadm_home_dir_t, sysadm_home_t;
+ ')
+
+ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+ ')
+')
+
+########################################
+##
## Read files in the sysadm users home directory.
##
##
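Review bot: The header of `userdom_create_sysadm_home` documents two parameters, the domain and the object class, but the body reads three: `$2` is the target type of the `type_transition` and `$3` is the class. A caller who follows the documentation and passes a class as the second argument would get a transition to a type named after that class. The header needs an entry for the type, placed before the class parameter, e.g. `## The type of the object to be created. If not specified, user_home_t (targeted) or sysadm_home_t is used.` The parameter tags appear to have been lost in this rendering, so confirm the numbering against the file. In `userdom_search_sysadm_home_subdirs` the parameter text says "Domain to not audit." although the rule is an `allow`; it should read `## Domain allowed access.`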
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index b14131b..87a536a 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -121,6 +121,10 @@ ifdef(`targeted_policy',`
domain_ptrace_all_domains(sysadm_t)
')
+ optional_policy(`amanda.te',`
+ amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`apache.te',`
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
#apache_run_all_scripts(sysadm_t,sysadm_r)