diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc
index fe84747..4fa7216 100644
--- a/refpolicy/policy/modules/admin/rpm.fc
+++ b/refpolicy/policy/modules/admin/rpm.fc
@@ -14,8 +14,10 @@
 
 ifdef(`distro_redhat', `
 /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 9523976..af76502 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -71,6 +71,7 @@ interface(`rpm_run',`
 	rpm_domtrans($1)
 	role $2 types rpm_t;
 	role $2 types rpm_script_t;
+	seutil_run_loadpol(rpm_script_t,$2,$3)
 	allow rpm_t $3:chr_file rw_term_perms;
 ')
 
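Review bot: The added `seutil_run_loadpol(rpm_script_t,$2,$3)` in rpm_run is called unconditionally, so the rpm module now hard-depends on selinuxutil, whereas userdomain.te in this same commit wraps its seutil_ calls in an optional_policy block keyed on selinuxutil. The bare `seutil_read_file_contexts(insmod_t)` added in modutils.te has the same problem. Going by how seutil_run_loadpol is called elsewhere in this diff, every role passed as $2 presumably becomes able to reach the policy-loading domain from package scriptlets, which is a real widening for existing callers of rpm_run. I would wrap the call in the optional block, put a why-comment above it such as `# scriptlets of policy packages reload the policy` (if that is the reason), and mention the new access in the interface's doc comment, which starts outside this hunk.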
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index a882b96..852982a 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.2.0)
+policy_module(rpm,1.2.1)
 
 ########################################
 #
@@ -288,6 +288,7 @@ storage_raw_write_fixed_disk(rpm_script_t)
 
 term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
+term_use_all_terms(rpm_script_t)
 
 auth_dontaudit_getattr_shadow(rpm_script_t)
 # ideally we would not need this
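Review bot: `term_use_all_terms(rpm_script_t)` has no comment saying why package scriptlets need it, and judging by its name it covers every tty and pty, which would make the narrower `term_getattr_unallocated_ttys` and `term_list_ptys` calls just above it largely redundant. If the need is only to write scriptlet output to the terminal rpm was started from, a narrower term_ interface would be preferable. Otherwise add a line such as `# scriptlets write to whichever terminal rpm was started from`. The same missing rationale applies to `term_write_unallocated_ttys(cupsd_t)` in cups.te and to `init_write_initctl(hald_t)` in hal.te, the latter presumably letting hald request runlevel changes.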
diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te
index 6ca236f..a0a06c9 100644
--- a/refpolicy/policy/modules/apps/mono.te
+++ b/refpolicy/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
 
-policy_module(mono,1.0.0)
+policy_module(mono,1.0.1)
 
 ########################################
 #
@@ -18,7 +18,7 @@ domain_entry_file(mono_t,mono_exec_t)
 #
 
 ifdef(`targeted_policy',`
-	allow mono_t self:process execheap;
+	allow mono_t self:process { execheap execmem };
 	unconfined_domain_template(mono_t)
 	role system_r types mono_t;
 ')
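Review bot: `execmem` is granted to mono_t unconditionally in `allow mono_t self:process { execheap execmem };`, while the unconfined.if hunk in this commit shows executable-memory behaviour for unconfined domains being gated by the allow_execmem and allow_execstack tunables. An administrator who turns allow_execmem off would presumably still leave mono_t able to create writable, executable mappings. If that exception is intended, document it above the rule, for example `# the JIT needs writable, executable memory regardless of allow_execmem`. Otherwise move the permission under the tunable.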
diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc
index 37aab17..3316660 100644
--- a/refpolicy/policy/modules/kernel/files.fc
+++ b/refpolicy/policy/modules/kernel/files.fc
@@ -126,6 +126,11 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /mnt/[^/]*/.*			<<none>>
 
 #
+# /net
+#
+/net			-d	gen_context(system_u:object_r:mnt_t,s0)
+
+#
 # /opt
 #
 /opt(/.*)?			gen_context(system_u:object_r:usr_t,s0)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 103260c..9d9a127 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -321,7 +321,7 @@ interface(`files_list_non_security',`
 		attribute file_type, security_file_type;
 	')
 
-	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+	allow $1 { file_type -security_file_type }:dir r_dir_perms;
 ')
 
 ########################################
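Review bot: Switching the rule in files_list_non_security from `dontaudit` to `allow` changes what every existing caller gets: a domain that was previously denied quietly may now list every directory that is not a security_file_type. None of the call sites appear in this diff, so it is worth checking in the same commit that each caller really wants the access rather than the silence. Callers that only wanted to suppress the denials would need a separately named dontaudit interface. The interface's summary starts outside this hunk and should be checked to say "list" rather than "do not audit".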
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d8fb574..38358ae 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -971,6 +971,22 @@ interface(`fs_read_eventpollfs',`
 
 ########################################
 ## <summary>
+##	Search inotifyfs filesystem. 
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_search_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	allow $1 inotifyfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Mount an iso9660 filesystem, which
 ##	is usually used on CDs.
 ## </summary>
diff --git a/refpolicy/policy/modules/kernel/storage.fc b/refpolicy/policy/modules/kernel/storage.fc
index d3cc161..b4b34f4 100644
--- a/refpolicy/policy/modules/kernel/storage.fc
+++ b/refpolicy/policy/modules/kernel/storage.fc
@@ -42,8 +42,8 @@ ifdef(`distro_redhat', `
 /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/ub[a-z]		-b	gen_context(system_u:object_r:removable_device_t,s15:c0.c255)
-
 /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 
 /dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 53a4dc1..39f0aa0 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.2.0)
+policy_module(cups,1.2.1)
 
 ########################################
 #
@@ -148,6 +148,7 @@ fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
 
 term_dontaudit_use_console(cupsd_t)
+term_write_unallocated_ttys(cupsd_t)
 
 auth_domtrans_chk_passwd(cupsd_t)
 auth_dontaudit_read_pam_pid(cupsd_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 07a9fb2..8c476b2 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.2.1)
+policy_module(hal,1.2.2)
 
 ########################################
 #
@@ -116,6 +116,8 @@ term_dontaudit_use_unallocated_tty(hald_t)
 init_use_fd(hald_t)
 init_use_script_pty(hald_t)
 init_domtrans_script(hald_t)
+init_write_initctl(hald_t)
+init_read_utmp(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 55f1cc5..1d68157 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
 
-policy_module(locallogin,1.1.1)
+policy_module(locallogin,1.1.2)
 
 ########################################
 #
@@ -239,6 +239,7 @@ allow sulogin_t self:msg { send receive };
 kernel_read_system_state(sulogin_t)
 
 fs_search_auto_mountpoints(sulogin_t)
+fs_use_tmpfs_chr_dev(sulogin_t)
 
 files_read_etc_files(sulogin_t)
 # because file systems are not mounted:
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index ce7a596..7ae0e5d 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.0.0)
+policy_module(modutils,1.0.1)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -113,6 +113,8 @@ logging_search_logs(insmod_t)
 
 miscfiles_read_localization(insmod_t)
 
+seutil_read_file_contexts(insmod_t)
+
 if( ! secure_mode_insmod ) {
 	kernel_domtrans_to(insmod_t,insmod_exec_t)
 }
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 6cb043e..ba76789 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.1.1)
+policy_module(selinuxutil,1.1.2)
 
 gen_require(`
 	bool secure_mode;
@@ -414,7 +414,7 @@ ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
 	allow run_init_t self:fifo_file rw_file_perms;
-	allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
+	allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 	# often the administrator runs such programs from a directory that is owned
 	# by a different user or has restrictive SE permissions, do not want to audit
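Review bot: The new netlink_audit_socket rule for run_init_t replaces five explicit permissions with the `create_netlink_socket_perms` macro, whose expansion is not visible here and is presumably broader than `create bind write read`. It also drops the explicit `nlmsg_read` and adds `nlmsg_relay`. Please confirm that run_init no longer needs `nlmsg_read`, and add a short comment above the rule, for example `# send audit messages to the kernel`, so the purpose of the relay permission is recorded. The enclosing ifdef block starts and ends outside this hunk.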
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 6812ad1..cc1be10 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
 
-policy_module(udev,1.2.0)
+policy_module(udev,1.2.1)
 
 ########################################
 #
@@ -90,6 +90,7 @@ dev_rw_generic_file(udev_t)
 dev_delete_generic_file(udev_t)
 
 fs_getattr_all_fs(udev_t)
+fs_search_inotifyfs(udev_t)
 
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 3a10295..fdb3987 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -54,8 +54,13 @@ template(`unconfined_domain_template',`
 	tunable_policy(`allow_execmem && allow_execstack',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execstack;
+	', `
+		# These are fairly common but seem to be harmless
+		# caused by using shared libraries built with old tool chains
+		dontaudit $1 self:process execstack;
 	')
 
+
 	optional_policy(`authlogin',`
 		auth_unconfined($1)
 	')
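Review bot: The new else branch `dontaudit $1 self:process execstack;` hides every executable-stack denial for unconfined domains. Those records are one of the few signals that tell a library built with an old tool chain apart from a process genuinely trying to run code from its stack. The comment says the denials "seem to be harmless"; it should also state that the access is still denied and only the audit record is dropped, e.g. `# still denied; only the AVC message is suppressed`. The second blank line added after the tunable_policy block looks unintentional. The template body starts and ends outside this hunk.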
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index d5d0110..0ca10fc 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.2.1)
+policy_module(unconfined,1.2.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 10ea2a7..bcfeb15 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -848,9 +848,6 @@ template(`admin_user_template',`
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
 
-	selinux_set_enforce_mode($1_t)
-	selinux_set_boolean($1_t)
-	selinux_set_parameters($1_t)
 	# Get security policy decisions:
 	selinux_get_fs_mount($1_t)
 	selinux_validate_context($1_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 3cd7f1d..92d9aa6 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.2.4)
+policy_module(userdomain,1.2.5)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -156,14 +156,21 @@ ifdef(`targeted_policy',`
 
 	mls_process_read_up(sysadm_t)
 
-	logging_read_audit_log(sysadm_t)
-
 	ifdef(`direct_sysadm_daemon',`
 		optional_policy(`init',`
 			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
 		')
 	')
 
+	ifdef(`enable_mls',`
+		logging_read_audit_log(secadm_t)
+		logging_domtrans_auditctl(secadm_t)
+		mls_process_read_up(secadm_t)
+	', `
+		logging_domtrans_auditctl(sysadm_t)
+		logging_read_audit_log(sysadm_t)
+	')
+
 	tunable_policy(`allow_ptrace',`
 		domain_ptrace_all_domains(sysadm_t)
 	')
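Review bot: Under enable_mls the audit-log and auditctl access moves to secadm_t, but `mls_process_read_up(sysadm_t)` just above the removed line stays unconditional, so sysadm_t keeps MLS read-up even when the security-administrator duties are split off. Please confirm that is intended. The part of the gen_require visible at the top of the file lists only `role sysadm_r, staff_r, user_r;`, so also check that secadm_t and secadm_r are declared for MLS builds; the later hunks in this file rely on them too. The two branches list the same two logging_ calls in opposite order, which makes them harder to compare at a glance.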
@@ -205,12 +212,20 @@ ifdef(`targeted_policy',`
 
 	optional_policy(`consoletype',`
 		consoletype_exec(sysadm_t)
+
+		ifdef(`enable_mls',`
+			consoletype_exec(secadm_t)
+		')
 	')
 
 	optional_policy(`ddcprobe',`
 		ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`dmesg',`
+		dmesg_exec(sysadm_t)
+	')
+
 	optional_policy(`dmidecode',`
 		dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
 	')
@@ -320,13 +335,27 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`selinuxutil',`
-		seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
-		seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
 		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
-		seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
-
-		ifdef(`targeted_policy',`',`
-			seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+
+		ifdef(`enable_mls',`
+			selinux_set_enforce_mode(secadm_t)
+			selinux_set_boolean(secadm_t)
+			selinux_set_parameters(secadm_t)
+
+			seutil_manage_binary_pol(secadm_t)
+			seutil_run_checkpol(secadm_t,secadm_r,admin_terminal)
+			seutil_run_loadpol(secadm_t,secadm_r,admin_terminal)
+			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+		', `
+			selinux_set_enforce_mode(sysadm_t)
+			selinux_set_boolean(sysadm_t)
+			selinux_set_parameters(sysadm_t)
+
+			seutil_manage_binary_pol(sysadm_t)
+			seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
 		')
 	')