diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index ec78261..61bd502 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
-policy_module(kudzu, 1.6.1)
+policy_module(kudzu, 1.6.2)
########################################
#
@@ -21,8 +21,8 @@ files_pid_file(kudzu_var_run_t)
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -68,6 +68,7 @@ mls_file_write_all_levels(kudzu_t)
modutils_read_module_deps(kudzu_t)
modutils_read_module_config(kudzu_t)
modutils_rename_module_config(kudzu_t)
+modutils_delete_module_config(kudzu_t)
storage_read_scsi_generic(kudzu_t)
storage_read_tape(kudzu_t)
@@ -103,6 +104,8 @@ files_dontaudit_search_isid_type_dirs(kudzu_t)
init_use_fds(kudzu_t)
init_use_script_ptys(kudzu_t)
init_stream_connect_script(kudzu_t)
+init_read_state(kudzu_t)
+init_ptrace(kudzu_t)
# kudzu will telinit to make init re-read
# the inittab after configuring serial consoles
init_telinit(kudzu_t)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 213bebf..9a70378 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
-policy_module(courier, 1.5.1)
+policy_module(courier, 1.5.2)
########################################
#
@@ -27,7 +27,7 @@ type courier_var_run_t;
files_pid_file(courier_var_run_t)
type courier_exec_t;
-files_type(courier_exec_t)
+mta_agent_executable(courier_exec_t)
courier_domain_template(sqwebmail)
typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 3bd68bb..16ec200 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,3 +1,4 @@
+/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 7399a58..a47a55d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -311,6 +311,44 @@ interface(`mta_mailserver',`
########################################
##
+## Make the specified type a MTA executable file.
+##
+##
+##
+## Type to be used as a mail client.
+##
+##
+#
+interface(`mta_agent_executable',`
+ gen_require(`
+ attribute mta_exec_type;
+ ')
+
+ typeattribute $1 mta_exec_type;
+
+ application_executable_file($1)
+')
+
+########################################
+##
+## Make the specified type by a system MTA.
+##
+##
+##
+## Type to be used as a mail client.
+##
+##
+#
+interface(`mta_system_content',`
+ gen_require(`
+ attribute mailcontent_type;
+ ')
+
+ typeattribute $1 mailcontent_type;
+')
+
+########################################
+##
## Modified mailserver interface for
## sendmail daemon use.
##
@@ -440,16 +478,12 @@ interface(`mta_mailserver_user_agent',`
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
- type system_mail_t, sendmail_exec_t;
+ type system_mail_t;
+ attribute mta_exec_type;
')
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
- domain_auto_trans($1, sendmail_exec_t, system_mail_t)
-
- allow $1 system_mail_t:fd use;
- allow system_mail_t $1:fd use;
- allow system_mail_t $1:fifo_file rw_file_perms;
- allow system_mail_t $1:process sigchld;
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+ domtrans_pattern($1, mta_exec_type, system_mail_t)
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index f31347d..a0f10f8 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,11 +1,13 @@
-policy_module(mta, 1.10.0)
+policy_module(mta, 1.10.1)
########################################
#
# Declarations
#
+attribute mailcontent_type;
+attribute mta_exec_type;
attribute mta_user_agent;
attribute mailserver_delivery;
attribute mailserver_domain;
@@ -20,13 +22,13 @@ type etc_mail_t;
files_config_file(etc_mail_t)
type mqueue_spool_t;
-files_type(mqueue_spool_t)
+files_mountpoint(mqueue_spool_t)
type mail_spool_t;
-files_type(mail_spool_t)
+files_mountpoint(mail_spool_t)
type sendmail_exec_t;
-application_executable_file(sendmail_exec_t)
+mta_agent_executable(sendmail_exec_t)
mta_base_mail_template(system)
role system_r types system_mail_t;
@@ -41,6 +43,10 @@ allow system_mail_t self:capability { dac_override };
read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+allow system_mail_t mta_exec_type:file entrypoint;
+
+allow system_mail_t mailcontent_type:file read_file_perms;
+
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3cdd56a..e6e831c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -731,6 +731,46 @@ interface(`init_run_daemon',`
dontaudit direct_init $3:chr_file rw_file_perms;
')
+
+########################################
+##
+## Read the process state (/proc/pid) of init.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_state',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:dir search_dir_perms;
+ allow $1 init_t:file read_file_perms;
+ allow $1 init_t:lnk_file read_file_perms;
+')
+
+########################################
+##
+## Ptrace init
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_ptrace',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:process ptrace;
+')
+
########################################
##
## Write an init script unnamed pipe.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ebc586d..751a0f7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init, 1.11.2)
+policy_module(init, 1.11.3)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 095bd1e..73b4e08 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -66,6 +66,25 @@ interface(`modutils_rename_module_config',`
########################################
##
+## Unlink a file with the configuration options used when
+## loading modules.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modutils_delete_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ allow $1 modules_conf_t:file unlink;
+')
+
+########################################
+##
## Unconditionally execute insmod in the insmod domain.
##
##
@@ -275,6 +294,8 @@ interface(`modutils_run_update_mods',`
modutils_domtrans_update_mods($1)
role $2 types update_modules_t;
allow update_modules_t $3:chr_file rw_term_perms;
+
+ modutils_run_insmod(update_modules_t, $2, $3)
')
########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 34279f5..9fd705d 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils, 1.7.0)
+policy_module(modutils, 1.7.1)
gen_require(`
bool secure_mode_insmod;