diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index aac7ac8..7d37828 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
-policy_module(alsa, 1.5.0)
+policy_module(alsa, 1.5.1)
########################################
#
@@ -48,9 +48,12 @@ corecmd_exec_bin(alsa_t)
files_search_home(alsa_t)
files_read_etc_files(alsa_t)
+files_read_usr_files(alsa_t)
auth_use_nsswitch(alsa_t)
+init_use_fds(alsa_t)
+
libs_use_ld_so(alsa_t)
libs_use_shared_libs(alsa_t)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 06730e5..f2742b5 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda, 1.9.2)
+policy_module(amanda, 1.9.3)
#######################################
#
@@ -129,6 +129,8 @@ corenet_udp_sendrecv_all_ports(amanda_t)
corenet_tcp_bind_all_nodes(amanda_t)
corenet_udp_bind_all_nodes(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
+corenet_tcp_bind_generic_port(amanda_t)
+corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
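Review bot: The pair `corenet_tcp_bind_generic_port(amanda_t)` / `corenet_dontaudit_tcp_bind_all_ports(amanda_t)` lets amanda bind any generic-labelled port and at the same time suppresses the audit record for attempts to bind every other port type, so a later misconfiguration that lands on a reserved service port would no longer be visible in the log. If amanda's server port range is known from its configuration, a dedicated port type or the narrower `corenet_tcp_bind_all_unreserved_ports(amanda_t)` would be tighter. If the broad rule is deliberate, a one-line comment above it naming the configurable-port behaviour it accommodates would make the widening reviewable later. The amanda_t block continues outside the hunk.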
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index df797ad..a9d92a4 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
-policy_module(mrtg, 1.4.0)
+policy_module(mrtg, 1.4.1)
########################################
#
@@ -78,6 +78,7 @@ dev_read_sysfs(mrtg_t)
dev_read_urand(mrtg_t)
domain_use_interactive_fds(mrtg_t)
+domain_dontaudit_search_all_domains_state(mrtg_t)
files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
@@ -92,6 +93,7 @@ files_read_etc_files(mrtg_t)
fs_search_auto_mountpoints(mrtg_t)
fs_getattr_xattr_fs(mrtg_t)
+fs_list_inotifyfs(mrtg_t)
term_dontaudit_use_console(mrtg_t)
@@ -101,6 +103,8 @@ init_use_script_ptys(mrtg_t)
init_read_utmp(mrtg_t)
init_dontaudit_write_utmp(mrtg_t)
+auth_use_nsswitch(mrtg_t)
+
libs_read_lib_files(mrtg_t)
libs_use_ld_so(mrtg_t)
libs_use_shared_libs(mrtg_t)
@@ -111,12 +115,10 @@ miscfiles_read_localization(mrtg_t)
selinux_dontaudit_getattr_dir(mrtg_t)
-# Use the network.
-sysnet_read_config(mrtg_t)
-
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
sysadm_use_terms(mrtg_t)
+sysadm_dontaudit_read_home_content_files(mrtg_t)
ifdef(`enable_mls',`
corenet_udp_sendrecv_lo_if(mrtg_t)
@@ -140,14 +142,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(mrtg_t)
-')
-
-optional_policy(`
- nscd_dontaudit_search_pid(mrtg_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(mrtg_t)
')
@@ -162,10 +156,3 @@ optional_policy(`
optional_policy(`
udev_read_db(mrtg_t)
')
-
-ifdef(`TODO',`
- # should not need this!
- dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
- dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
- dontaudit mrtg_t root_t:lnk_file getattr;
-')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 506b222..fffc473 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils, 1.6.1)
+policy_module(netutils, 1.6.2)
########################################
#
@@ -50,6 +50,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
+kernel_read_sysctl(netutils_t)
corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
@@ -78,6 +79,8 @@ files_dontaudit_search_var(netutils_t)
init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)
+auth_use_nsswitch(netutils_t)
+
libs_use_ld_so(netutils_t)
libs_use_shared_libs(netutils_t)
@@ -85,8 +88,6 @@ logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t)
-sysnet_read_config(netutils_t)
-
userdom_use_all_users_fds(netutils_t)
optional_policy(`
@@ -94,6 +95,10 @@ optional_policy(`
')
optional_policy(`
+ vmware_append_log(netutils_t)
+')
+
+optional_policy(`
xen_append_log(netutils_t)
')
@@ -107,12 +112,14 @@ dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:netlink_route_socket create_netlink_socket_perms;
corenet_all_recvfrom_unlabeled(ping_t)
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
+corenet_raw_bind_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
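Review bot: `allow ping_t self:netlink_route_socket create_netlink_socket_perms;` at the top of the hunk uses the socket-creation permission set, while the same commit gives kerneloops `r_netlink_socket_perms` on the same object class for its route lookups (kerneloops.te); using the read-only set here too, `allow ping_t self:netlink_route_socket r_netlink_socket_perms;`, keeps the two consistent and states that ping only reads the routing table. If the `auth_use_nsswitch(ping_t)` added later in this file already grants netlink route read access (check the interface body, which is not in the diff), this line may be redundant altogether. The ping_t block continues outside the hunk.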
@@ -123,6 +130,8 @@ domain_use_interactive_fds(ping_t)
files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
+auth_use_nsswitch(ping_t)
+
libs_use_ld_so(ping_t)
libs_use_shared_libs(ping_t)
@@ -130,9 +139,6 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
-sysnet_read_config(ping_t)
-sysnet_dns_name_resolve(ping_t)
-
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
')
@@ -143,14 +149,6 @@ tunable_policy(`user_ping',`
')
optional_policy(`
- nis_use_ypbind(ping_t)
-')
-
-optional_policy(`
- nscd_socket_use(ping_t)
-')
-
-optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
@@ -166,7 +164,6 @@ optional_policy(`
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
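Review bot: The removed `allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };` has no visible replacement in this hunk; presumably the `auth_use_nsswitch(traceroute_t)` added in the next hunk is expected to supply equivalent netlink route read access, but that depends on the interface body, which is not part of the diff. Confirm it does, otherwise traceroute's route lookups will start producing denials. The traceroute_t block continues outside the hunk.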
@@ -200,6 +197,8 @@ files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
+auth_use_nsswitch(traceroute_t)
+
libs_use_ld_so(traceroute_t)
libs_use_shared_libs(traceroute_t)
@@ -212,17 +211,7 @@ dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)
-sysnet_read_config(traceroute_t)
-
tunable_policy(`user_ping',`
term_use_all_user_ttys(traceroute_t)
term_use_all_user_ptys(traceroute_t)
')
-
-optional_policy(`
- nis_use_ypbind(traceroute_t)
-')
-
-optional_policy(`
- nscd_socket_use(traceroute_t)
-')
diff --git a/policy/modules/admin/vpn.fc b/policy/modules/admin/vpn.fc
index 7409148..076dcc3 100644
--- a/policy/modules/admin/vpn.fc
+++ b/policy/modules/admin/vpn.fc
@@ -6,6 +6,8 @@
#
# /usr
#
+/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 06d3ab2..7eb40c3 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpn, 1.8.1)
+policy_module(vpn, 1.8.2)
########################################
#
@@ -23,7 +23,7 @@ files_pid_file(vpnc_var_run_t)
#
allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
-allow vpnc_t self:process getsched;
+allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
allow vpnc_t self:tcp_socket create_stream_socket_perms;
@@ -44,7 +44,7 @@ files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
-kernel_read_kernel_sysctls(vpnc_t)
+kernel_read_all_sysctls(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
corenet_all_recvfrom_unlabeled(vpnc_t)
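Review bot: `kernel_read_all_sysctls(vpnc_t)` widens the kernel-only sysctl read to every sysctl tree, while vpnc_t already holds `kernel_rw_net_sysctls(vpnc_t)` on the following line; if the denial behind this change was one specific sysctl, the matching narrower interface would be preferable. If the broad grant is intended, add a comment above the line naming the sysctl that required it so the widening can be reassessed later. The vpnc_t block continues outside the hunk.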
diff --git a/policy/modules/services/cvs.fc b/policy/modules/services/cvs.fc
index 689a960..48a30de 100644
--- a/policy/modules/services/cvs.fc
+++ b/policy/modules/services/cvs.fc
@@ -5,3 +5,6 @@
/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
+#CVSWeb file context
+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
index 997973d..33b5d01 100644
--- a/policy/modules/services/cvs.if
+++ b/policy/modules/services/cvs.if
@@ -69,4 +69,12 @@ interface(`cvs_admin',`
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cvs_tmp_t)
+
+ admin_pattern($1, cvs_data_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cvs_var_run_t)
')
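Review bot: The added `admin_pattern` calls reference `cvs_tmp_t`, `cvs_data_t` and `cvs_var_run_t`, but the interface's `gen_require` block lies above the hunk and is not visible, so confirm all three types are declared there (the new cyrus_admin interface in this same commit lists its types in its `gen_require`). An interface using a type that is not required fails when the policy is compiled. cvs_admin starts outside the hunk.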
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 3930262..62be9d8 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -1,5 +1,5 @@
-policy_module(cvs, 1.6.1)
+policy_module(cvs, 1.6.2)
########################################
#
@@ -99,7 +99,20 @@ tunable_policy(`allow_cvs_read_shadow',`
')
optional_policy(`
- kerberos_read_keytab(cvs_t)
+ kerberos_keytab_template(cvs, cvs_t)
kerberos_read_config(cvs_t)
kerberos_dontaudit_write_config(cvs_t)
')
+
+########################################
+#
+# CVSWeb policy
+#
+
+optional_policy(`
+ apache_content_template(cvs)
+
+ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+')
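Review bot: `manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)` and its files counterpart share the cvs daemon's own tmp type with the web CGI domain, so the CGI can alter cvs_t's temporary files and vice versa. No `files_tmp_filetrans` for httpd_cvs_script_t is visible here, so the CGI's own files in /tmp would not even receive cvs_tmp_t unless a transition is supplied elsewhere. A tmp type dedicated to the script domain, or the template's rw content type, would keep the two domains' temporary data separate; if sharing is required, a comment naming the reason would help.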
diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc
index 86a9d7e..445d93d 100644
--- a/policy/modules/services/cyrus.fc
+++ b/policy/modules/services/cyrus.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if
index 2d80a28..2bf2146 100644
--- a/policy/modules/services/cyrus.if
+++ b/policy/modules/services/cyrus.if
@@ -39,3 +39,46 @@ interface(`cyrus_stream_connect',`
files_search_var_lib($1)
stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an cyrus environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the cyrus domain.
+##
+##
+##
+#
+interface(`cyrus_admin',`
+ gen_require(`
+ type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+ type cyrus_var_run_t, cyrus_initrc_exec_t;
+ ')
+
+ allow $1 cyrus_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cyrus_t)
+
+ init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cyrus_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cyrus_tmp_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cyrus_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cyrus_var_run_t)
+')
+
+
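Review bot: The summary of the new cyrus_admin interface reads `an cyrus environment`; it should be `a cyrus environment`. The hunk also appends two empty lines after the closing `')` at the end of the file; drop them so the file ends with a single newline like the other .if files in this commit.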
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 566944f..977143d 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus, 1.6.0)
+policy_module(cyrus, 1.6.1)
########################################
#
@@ -10,6 +10,9 @@ type cyrus_t;
type cyrus_exec_t;
init_daemon_domain(cyrus_t, cyrus_exec_t)
+type cyrus_initrc_exec_t;
+init_script_file(cyrus_initrc_exec_t)
+
type cyrus_tmp_t;
files_tmp_file(cyrus_tmp_t)
@@ -120,7 +123,7 @@ optional_policy(`
')
optional_policy(`
- kerberos_use(cyrus_t)
+ kerberos_keytab_template(cyrus, cyrus_t)
')
optional_policy(`
diff --git a/policy/modules/services/kerneloops.fc b/policy/modules/services/kerneloops.fc
index ec01310..5ef261a 100644
--- a/policy/modules/services/kerneloops.fc
+++ b/policy/modules/services/kerneloops.fc
@@ -1 +1,3 @@
+/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+
/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if
index 096c180..fe601a6 100644
--- a/policy/modules/services/kerneloops.if
+++ b/policy/modules/services/kerneloops.if
@@ -71,13 +71,23 @@ interface(`kerneloops_dontaudit_dbus_chat',`
## Domain allowed access.
##
##
+##
+##
+## The role to be allowed to manage the kerneloops domain.
+##
+##
##
#
interface(`kerneloops_admin',`
gen_require(`
- type kerneloops_t;
+ type kerneloops_t, kerneloops_initrc_exec_t;
')
allow $1 kerneloops_t:process { ptrace signal_perms };
ps_process_pattern($1, kerneloops_t)
+
+ init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kerneloops_initrc_exec_t system_r;
+ allow $2 system_r;
')
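Review bot: `kerneloops_admin` now consumes a second argument in `role_transition $2 kerneloops_initrc_exec_t system_r;` and `allow $2 system_r;`, so any existing caller that passes only the domain would expand `$2` to nothing and fail to compile. Check the callers of this interface, which are not part of the diff, and update them to pass the admin role.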
diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te
index ef91028..9b53e9d 100644
--- a/policy/modules/services/kerneloops.te
+++ b/policy/modules/services/kerneloops.te
@@ -1,5 +1,5 @@
-policy_module(kerneloops, 1.0.0)
+policy_module(kerneloops, 1.0.1)
########################################
#
@@ -10,14 +10,18 @@ type kerneloops_t;
type kerneloops_exec_t;
init_daemon_domain(kerneloops_t, kerneloops_exec_t)
+type kerneloops_initrc_exec_t;
+init_script_file(kerneloops_initrc_exec_t)
+
########################################
#
# kerneloops local policy
#
allow kerneloops_t self:capability sys_nice;
-allow kerneloops_t self:process { setsched getsched };
+allow kerneloops_t self:process { setsched getsched signal };
allow kerneloops_t self:fifo_file rw_file_perms;
+allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
kernel_read_ring_buffer(kerneloops_t)