diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 6b226d2..fb77e18 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -276,6 +276,7 @@ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit e
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
allow passwd_t self:fifo_file rw_file_perms;
+allow passwd_t self:sock_file r_file_perms;
allow passwd_t self:unix_dgram_socket create_socket_perms;
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
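Review bot: The new `allow passwd_t self:sock_file r_file_perms;` carries no comment saying which socket node labelled with the process type passwd needs to read, and this commit adds the identical rule verbatim to remote_login_t (remotelogin.te) and udev_t (udev.te). If this is a generic need of every domain it belongs in a shared template rather than being copied into three unrelated modules; if it answers one specific denial, a one-line comment on each copy would keep the next reviewer from dropping it as noise, e.g. `# self-labelled sock_file read: <reason/denial that prompted this>` with the reason filled in.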
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index aa11b47..08b43f0 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1345,6 +1345,23 @@ interface(`dev_rw_mouse',`
########################################
##
+## Get the attributes of the mtrr device.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_getattr_mtrr',`
+ gen_require(`
+ type device_t, mtrr_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 mtrr_device_t:chr_file getattr;
+')
+
+########################################
+##
## Read the mtrr device.
##
##
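Review bot: `allow $1 device_t:dir r_dir_perms;` in the new dev_getattr_mtrr interface grants listing of the device directory for an interface whose stated purpose is a single getattr on one node; `search_dir_perms` is sufficient to reach the node and keeps the getattr-only interface strictly narrower than dev_read_mtrr, i.e. `allow $1 device_t:dir search_dir_perms;`. If the surrounding dev_* interfaces deliberately use r_dir_perms for uniformity (only their headers are visible here), keeping it is defensible but worth a comment. The dev_read_mtrr interface whose header starts at the end of this hunk has its body outside the hunk.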
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 935f1ba..1c35439 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -78,10 +78,6 @@ allow crond_t self:msg { send receive };
allow crond_t crond_var_run_t:file create_file_perms;
files_create_pid(crond_t,crond_var_run_t)
-allow crond_t crond_tmp_t:dir create_dir_perms;
-allow crond_t crond_tmp_t:file create_file_perms;
-files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
-
allow crond_t cron_spool_t:dir rw_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;
allow crond_t system_cron_spool_t:dir r_dir_perms;
@@ -145,6 +141,13 @@ ifdef(`distro_redhat', `
')
ifdef(`targeted_policy',`
+ allow crond_t system_crond_tmp_t:dir create_dir_perms;
+ allow crond_t system_crond_tmp_t:file create_file_perms;
+ allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
+ allow crond_t system_crond_tmp_t:sock_file create_file_perms;
+ allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
+ files_create_tmp_files(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
unconfined_domain_template(crond_t)
# cjp: fix this to generic_user interfaces
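Review bot: The five new allow rules for crond_t on system_crond_tmp_t sit directly above `unconfined_domain_template(crond_t)`, which presumably already grants crond_t every permission in the targeted build, so only the type_transition produced by `files_create_tmp_files(crond_t,system_crond_tmp_t,...)` seems to have any effect here; a comment such as `# crond_t is unconfined in targeted: these allows are documentation, the type_transition below is what matters` would stop a later reader from trimming or "fixing" the set. It would also help to say why the targeted branch labels crond's own temporary files system_crond_tmp_t while the else branch (later hunk in this file) keeps crond_tmp_t, since the two builds now diverge on which type crond_t creates.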
@@ -154,6 +157,10 @@ ifdef(`targeted_policy',`
userdom_manage_user_home_subdir_pipes(user,crond_t)
userdom_manage_user_home_subdir_sockets(user,crond_t)
userdom_create_user_home(user,crond_t,{ dir file lnk_file fifo_file sock_file })
+',`
+ allow crond_t crond_tmp_t:dir create_dir_perms;
+ allow crond_t crond_tmp_t:file create_file_perms;
+ files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
')
tunable_policy(`fcron_crond', `
@@ -224,7 +231,7 @@ optional_policy(`squid.te',`
')
ifdef(`targeted_policy',`
- # cjp: fix:
+ # cjp: FIXME
allow crond_t unconfined_t:process transition;
',`
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index d8fc342..b3517f7 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -316,7 +316,7 @@ allow ptal_t ptal_var_run_t:file create_file_perms;
allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
allow ptal_t ptal_var_run_t:sock_file create_file_perms;
allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-files_create_pid(ptal_t,ptal_var_run_t,{ file lnk_file sock_file fifo_file })
+files_create_pid(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
allow ptal_t ptal_var_run_t:file create_file_perms;
allow ptal_t ptal_var_run_t:dir rw_dir_perms;
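Review bot: Adding `dir` to `files_create_pid(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })` gives ptal_t a type_transition for directories, but the only dir rule on ptal_var_run_t in view is `allow ptal_t ptal_var_run_t:dir rw_dir_perms;` on the hunk's last line, which does not include `create`, so creating a subdirectory under the pid directory that lands in ptal_var_run_t would still be denied; change it to `allow ptal_t ptal_var_run_t:dir create_dir_perms;`. The `allow ptal_t ptal_var_run_t:file create_file_perms;` rule also appears both in the hunk header context and again after the interface call, so one of the two looks redundant.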
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 3a23b3b..672ef1c 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -58,6 +58,7 @@ allow slapd_t slapd_tmp_t:file create_file_perms;
files_create_tmp_files(slapd_t, slapd_tmp_t, { file dir })
allow slapd_t slapd_var_run_t:file create_file_perms;
+allow slapd_t slapd_var_run_t:dir rw_dir_perms;
files_create_pid(slapd_t,slapd_var_run_t)
kernel_read_system_state(slapd_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 91f1140..ae4d994 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -28,6 +28,7 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
allow remote_login_t self:fifo_file rw_file_perms;
+allow remote_login_t self:sock_file r_file_perms;
allow remote_login_t self:unix_dgram_socket create_socket_perms;
allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
allow remote_login_t self:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 87cb644..7702c76 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -330,6 +330,7 @@ allow smbd_t mtrr_device_t:file getattr;
#
# nmbd Local policy
#
+
dontaudit nmbd_t self:capability sys_tty_config;
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
@@ -345,6 +346,7 @@ allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow nmbd_t nmbd_var_run_t:file create_file_perms;
+allow nmbd_t nmbd_var_run_t:dir rw_dir_perms;
files_create_pid(nmbd_t,nmbd_var_run_t)
allow nmbd_t samba_etc_t:dir { search getattr };
@@ -378,6 +380,7 @@ corenet_udp_bind_all_nodes(nmbd_t)
corenet_udp_bind_nmbd_port(nmbd_t)
dev_read_sysfs(nmbd_t)
+dev_getattr_mtrr(nmbd_t)
fs_getattr_all_fs(nmbd_t)
fs_search_auto_mountpoints(nmbd_t)
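Review bot: `dev_getattr_mtrr(nmbd_t)` is the right way to express this access, but smbd_t's existing direct rule `allow smbd_t mtrr_device_t:file getattr;` (visible in the first hunk header of this file) still names the `file` class while the new interface grants `chr_file`, so the two domains now disagree on the object class of the same device node and the smbd rule looks either mis-classed or dead; replace it with `dev_getattr_mtrr(smbd_t)` so both domains go through the interface.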
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index fe5626d..3d6e691 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -40,10 +40,12 @@ files_pid_file(udev_var_run_t)
#
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_nice };
+dontaudit udev_t self:capability sys_tty_config;
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_file_perms;
+allow udev_t self:sock_file r_file_perms;
allow udev_t self:shm create_shm_perms;
allow udev_t self:sem create_sem_perms;
allow udev_t self:msgq create_msgq_perms;
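Review bot: The capability set on the line directly above the new `dontaudit udev_t self:capability sys_tty_config;` lists `sys_nice` twice (`... sys_nice sys_rawio sys_nice }`); the duplicate is harmless to the compiler but obscures the real set and is worth dropping while this block is being touched, e.g. `allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio };`. The new dontaudit also goes into the unconditional section while the related tty/pty dontaudits later in this file are confined to the targeted block, so a comment stating why sys_tty_config is silenced for every build would help.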
@@ -66,8 +68,9 @@ allow udev_t udev_etc_t:file r_file_perms;
allow udev_t udev_tbl_t:file create_file_perms;
dev_create_dev_node(udev_t,udev_tbl_t,file)
-allow udev_t udev_var_run_t:dir rw_dir_perms;
allow udev_t udev_var_run_t:file create_file_perms;
+allow udev_t udev_var_run_t:dir rw_dir_perms;
+files_create_pid(udev_t,udev_var_run_t)
kernel_read_system_state(udev_t)
kernel_getattr_core(udev_t)
@@ -154,6 +157,9 @@ ifdef(`distro_redhat',`
')
ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(udev_t)
+ term_dontaudit_use_generic_pty(udev_t)
+
unconfined_domain_template(udev_t)
')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 2affdb7..ab9c9c6 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -46,6 +46,10 @@ ifdef(`targeted_policy',`
amanda_domtrans_recover(unconfined_t)
')
+ optional_policy(`apache.te',`
+ apache_domtrans_helper(unconfined_t)
+ ')
+
optional_policy(`bind.te',`
bind_domtrans_ndc(unconfined_t)
')