diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index ed6561f..6ea513d 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -25,7 +25,7 @@
 #
 # /var
 #
-/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
 /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
 /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
 # Fix pptp sockets
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 1eca6bd..5db34a3 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
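Review bot: The `.*` in the new ppp.fc entry `/var/run/(i)?ppp.*pid[^/]*` still matches `/`, so the added `[^/]*` only bounds the tail after `pid`; the pattern can still reach regular files in any subdirectory of /var/run whose path starts with `ppp` or `ippp` and contains `pid`. If only pid files directly under /var/run are meant, bound the middle as well: `/var/run/(i)?ppp[^/]*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)`. The existing `/var/run/ppp(/.*)?` line already labels the ppp directory tree with the same type. An over-broad file-context regex can hand pppd_var_run_t to another service's files, which widens what pppd_t and any domain granted management of that type can touch.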
@@ -269,3 +269,66 @@ interface(`ppp_pid_filetrans',`
 files_pid_filetrans($1,pppd_var_run_t,file)
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an ppp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the ppp domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`ppp_admin',`
+ gen_require(`
+ type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
+ type pppd_etc_t, pppd_script_t, pppd_secret_t;
+ type pppd_etc_rw_t, pppd_var_lib_t, pppd_var_run_t;
+
+ type pptp_t, pptp_log_t, pptp_var_run_t;
+ ')
+
+ allow $1 pppd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, pppd_t)
+
+ files_list_tmp($1)
+ manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t)
+
+ logging_list_logs($1)
+ manage_files_pattern($1, pppd_log_t, pppd_log_t)
+
+ manage_files_pattern($1, pppd_lock_t, pppd_lock_t)
+
+ files_list_etc($1)
+ manage_files_pattern($1, pppd_etc_t, pppd_etc_t)
+
+ manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t)
+
+ manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, pppd_var_lib_t, pppd_var_lib_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, pppd_var_run_t), pppd_var_run_t
+
+ allow $1 pptp_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, pptp_t)
+
+ manage_files_pattern($1, pptp_log_t, pptp_log_t)
+
+ manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t)
+')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index ba7a6c1..15699e6 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
-policy_module(ppp,1.6.0)
+policy_module(ppp,1.6.1)
 ########################################
 #
@@ -162,6 +162,8 @@ files_read_etc_files(pppd_t)
 init_read_utmp(pppd_t)
 init_dontaudit_write_utmp(pppd_t)
+auth_use_nsswitch(pppd_t)
+
 libs_use_ld_so(pppd_t)
 libs_use_shared_libs(pppd_t)
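Review bot: In ppp_admin (ppp.if hunk) the pid-file rule has its closing parenthesis in the wrong place: `manage_files_pattern($1, pppd_var_run_t), pppd_var_run_t` passes only two arguments to the macro and leaves `, pppd_var_run_t` as stray text after the call. It should read `manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)`, like the other calls in the interface. Separately, `pppd_script_t` is listed in `gen_require` but no rule in the body refers to it, so either drop it from the require list or add the rule it was meant for.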
@@ -197,14 +199,6 @@ optional_policy(`
 ')
 optional_policy(`
- nis_use_ypbind(pppd_t)
-')
-
-optional_policy(`
- nscd_socket_use(pppd_t)
-')
-
-optional_policy(`
 postfix_domtrans_master(pppd_t)
 ')
@@ -221,8 +215,9 @@ optional_policy(`
 # PPTP Local policy
 #
-dontaudit pptp_t self:capability sys_tty_config;
 allow pptp_t self:capability net_raw;
+dontaudit pptp_t self:capability sys_tty_config;
+allow pptp_t self:process signal;
 allow pptp_t self:fifo_file { read write };
 allow pptp_t self:unix_dgram_socket create_socket_perms;
 allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
index 26d15d7..f1be394 100644
--- a/policy/modules/services/privoxy.if
+++ b/policy/modules/services/privoxy.if
@@ -1 +1,42 @@
 ## Privacy enhancing web proxy.
+
+########################################
+##
+## All of the rules required to administrate
+## an privoxy environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the privoxy domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`privoxy_admin',`
+ gen_require(`
+ type privoxy_t, privoxy_log_t;
+ type privoxy_etc_rw_t, privoxy_var_run_t;
+ ')
+
+ allow $1 privoxy_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, privoxy_t)
+
+ logging_list_logs($1)
+ manage_files_pattern($1, privoxy_log_t, privoxy_log_t)
+
+ files_list_etc($1)
+ manage_files_pattern($1, privoxy_etc_rw_t, privoxy_etc_rw_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t)
+')
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index b559c41..a5b089e 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
-policy_module(privoxy,1.5.0)
+policy_module(privoxy,1.5.1)
 ########################################
 #
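Review bot: The header comment of privoxy_admin (privoxy.if hunk) documents three parameters — the domain, a role allowed to manage the privoxy domain, and the user terminal type — but every rule in the body references only `$1`. Either the role and terminal entries should be removed from the header, or the rules that are supposed to consume them are missing; as written, a caller that passes a role and terminal gets nothing for them and the documentation overstates what the interface sets up. The same mismatch is present in ppp_admin, radius_admin, radvd_admin, rwho_admin, sasl_admin, smartmon_admin, snmp_admin, tftp_admin, tor_admin and uucp_admin in this patch. The parameter tags look stripped in this rendering, so the parameter roles are inferred from the description text.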
diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
index 3d684f3..0e8fab2 100644
--- a/policy/modules/services/radius.if
+++ b/policy/modules/services/radius.if
@@ -13,3 +13,49 @@ interface(`radius_use',`
 refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an radius environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the radius domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`radius_admin',`
+ gen_require(`
+ type radius_t, radius_etc_t, radius_log_t;
+ type radius_etc_rw_t, radius_var_lib_t, radius_var_run_t;
+ ')
+
+ allow $1 radius_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, radius_t)
+
+ files_list_etc($1)
+ manage_files_pattern($1, radius_etc_t, radius_etc_t)
+
+ logging_list_logs($1)
+ manage_files_pattern($1, radius_log_t, radius_log_t)
+
+ manage_files_pattern($1, radius_etc_rw_t, radius_etc_rw_t)
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, radius_var_lib_t, radius_var_lib_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, radius_var_run_t, radius_var_run_t)
+')
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index 4b136ff..aefd4fc 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
-policy_module(radius,1.6.0)
+policy_module(radius,1.6.1)
 ########################################
 #
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
index 6fe38b7..a24aefc 100644
--- a/policy/modules/services/radvd.if
+++ b/policy/modules/services/radvd.if
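Review bot: `allow $1 radius_t:process { ptrace signal_perms getattr };` in radius_admin gives the admin domain ptrace over the daemon, which lets it read and modify the process's memory rather than just signal and inspect it. Unless debugging the running daemon is an intended part of administration, I would narrow the rule to `allow $1 radius_t:process { signal_perms getattr };` and leave ptrace to a separate, explicitly requested grant. Every *_admin interface added in this patch carries the same permission set (ppp_admin twice, for pppd_t and pptp_t), so the same narrowing applies to each of them.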
@@ -1 +1,39 @@
 ## IPv6 router advertisement daemon
+
+########################################
+##
+## All of the rules required to administrate
+## an radvd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the radvd domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`radvd_admin',`
+ gen_require(`
+ type radvd_t, radvd_etc_t;
+ type radvd_var_run_t;
+ ')
+
+ allow $1 radvd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, radvd_t)
+
+ files_list_etc($1)
+ manage_files_pattern($1, radvd_etc_t, radvd_etc_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
+')
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 09b7a5c..0673169 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
-policy_module(radvd,1.6.0)
+policy_module(radvd,1.6.1)
 ########################################
 #
diff --git a/policy/modules/services/remotelogin.if b/policy/modules/services/remotelogin.if
index 3b86750..3bfd4ec 100644
--- a/policy/modules/services/remotelogin.if
+++ b/policy/modules/services/remotelogin.if
@@ -18,3 +18,20 @@ interface(`remotelogin_domtrans',`
 auth_domtrans_login_program($1,remote_login_t)
 ')
+########################################
+##
+## allow Domain to signal remote login domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`remotelogin_signal',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ allow $1 remote_login_t:process signal;
+')
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index 4bb6b1c..72cdcd8 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -1,5 +1,5 @@
-policy_module(remotelogin,1.4.0)
+policy_module(remotelogin,1.4.1)
 ########################################
 #
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
index fa303f7..0f8dad6 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -115,3 +115,40 @@ interface(`rwho_manage_spool_files',`
 manage_files_pattern($1,rwho_spool_t,rwho_spool_t)
 files_search_spool($1)
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an rwho environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the rwho domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`rwho_admin',`
+ gen_require(`
+ type rwho_t, rwho_log_t, rwho_spool_t;
+ ')
+
+ allow $1 rwho_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, rwho_t)
+
+ logging_list_logs($1)
+ manage_files_pattern($1, rwho_log_t, rwho_log_t)
+
+ files_list_spool($1)
+ manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
+')
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index 1641844..31e2d16 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -1,5 +1,5 @@
-policy_module(rwho,1.3.0)
+policy_module(rwho,1.3.1)
 ########################################
 #
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index 756f40a..f5041ae 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -18,3 +18,42 @@ interface(`sasl_connect',`
 files_search_pids($1)
 stream_connect_pattern($1,saslauthd_var_run_t,saslauthd_var_run_t,saslauthd_t)
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an sasl environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the sasl domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`sasl_admin',`
+ gen_require(`
+ type sasl_t;
+ type sasl_tmp_t;
+ type sasl_var_run_t;
+ ')
+
+ allow $1 sasl_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, sasl_t)
+
+ files_list_tmp($1)
+ manage_files_pattern($1, sasl_tmp_t, sasl_tmp_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, sasl_var_run_t, sasl_var_run_t)
+')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index c088ced..6765102 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl,1.7.0)
+policy_module(sasl,1.7.1)
 ########################################
 #
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index c976663..f52f7e7 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
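Review bot: sasl_admin requires `sasl_t`, `sasl_tmp_t` and `sasl_var_run_t`, but the sasl_connect context lines in this same hunk use `saslauthd_t` and `saslauthd_var_run_t`, so the required names look derived from the module name rather than taken from sasl.te. If those types are not declared, the `gen_require` cannot be satisfied wherever the interface is called; the rules should name the module's real types, for example `manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)`, with the tmp type confirmed against sasl.te. The same pattern shows in smartmon_admin (`smartmon_t`, `smartmon_tmp_t` where the surrounding smartmon.if and smartmon.te lines use `fsdaemon_tmp_t` and `fsdaemon_t`) and in snmp_admin (`snmp_var_lib_t` where the context line uses `snmpd_var_lib_t`). The type lists of the other *_admin interfaces are worth checking against their .te files in the same way.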
@@ -17,3 +17,40 @@ interface(`smartmon_read_tmp_files',`
 allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an smartmon environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the smartmon domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`smartmon_admin',`
+ gen_require(`
+ type smartmon_t, smartmon_tmp_t, smartmon_var_run_t;
+ ')
+
+ allow $1 smartmon_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, smartmon_t)
+
+ files_list_tmp($1)
+ manage_files_pattern($1, smartmon_tmp_t, smartmon_tmp_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, smartmon_var_run_t, smartmon_var_run_t)
+')
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 6e7dcb0..4541002 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
-policy_module(smartmon,1.4.0)
+policy_module(smartmon,1.4.1)
 ########################################
 #
@@ -49,6 +49,7 @@ corenet_udp_sendrecv_all_nodes(fsdaemon_t)
 corenet_udp_sendrecv_all_ports(fsdaemon_t)
 dev_read_sysfs(fsdaemon_t)
+dev_read_urand(fsdaemon_t)
 domain_use_interactive_fds(fsdaemon_t)
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index e311ba2..579ab1b 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -84,3 +84,44 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
 dontaudit $1 snmpd_var_lib_t:file write;
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an snmp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the snmp domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`snmp_admin',`
+ gen_require(`
+ type snmp_t, snmp_log_t;
+ type snmp_var_lib_t, snmp_var_run_t;
+ ')
+
+ allow $1 snmp_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, snmp_t)
+
+ logging_list_logs($1)
+ manage_files_pattern($1, snmp_log_t, snmp_log_t)
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, snmp_var_lib_t, snmp_var_lib_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, snmp_var_run_t, snmp_var_run_t)
+')
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 27fcdd4..14f3b61 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
-policy_module(snmp,1.6.0)
+policy_module(snmp,1.6.1)
 ########################################
 #
diff --git a/policy/modules/services/tftp.fc b/policy/modules/services/tftp.fc
index bb4a3be..72274cd 100644
--- a/policy/modules/services/tftp.fc
+++ b/policy/modules/services/tftp.fc
@@ -4,3 +4,5 @@
 /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
 /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index ad41363..2adcb52 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -1 +1,40 @@
 ## Trivial file transfer protocol daemon
+
+########################################
+##
+## All of the rules required to administrate
+## an tftp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the tftp domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`tftp_admin',`
+ gen_require(`
+ type tftp_t, tftpdir_t;
+ type tftp_rw_t, tftp_var_run_t;
+ ')
+
+ allow $1 tftp_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, tftp_t)
+
+ manage_files_pattern($1, tftp_rw_t, tftp_rw_t)
+
+ manage_files_pattern($1, tftpdir_t, tftpdir_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, tftp_var_run_t, tftp_var_run_t)
+')
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 60fffa3..9c009ef 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp,1.6.0)
+policy_module(tftp,1.6.1)
 ########################################
 #
diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
index 3ae4b72..8190cc6 100644
--- a/policy/modules/services/tor.fc
+++ b/policy/modules/services/tor.fc
@@ -1,5 +1,6 @@
 /etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
+/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
 /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
 /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index 5c9fd02..513fb4d 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -17,3 +17,47 @@ interface(`tor_domtrans',`
 domtrans_pattern($1,tor_exec_t,tor_t)
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an tor environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the tor domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`tor_admin',`
+ gen_require(`
+ type tor_t, tor_log_t, tor_etc_t;
+ type tor_var_lib_t, tor_var_run_t;
+ ')
+
+ allow $1 tor_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, tor_t)
+
+ logging_list_logs($1)
+ manage_files_pattern($1, tor_log_t, tor_log_t)
+
+ files_list_etc($1)
+ manage_files_pattern($1, tor_etc_t, tor_etc_t)
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, tor_var_lib_t, tor_var_lib_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, tor_var_run_t, tor_var_run_t)
+')
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 009027b..748b764 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -1,5 +1,5 @@
-policy_module(tor,1.3.0)
+policy_module(tor,1.3.1)
 ########################################
 #
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
index 57d483d..699fc79 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -60,3 +60,52 @@ interface(`uucp_domtrans_uux',`
 domtrans_pattern($1,uux_exec_t,uux_t)
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an uucp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the uucp domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`uucp_admin',`
+ gen_require(`
+ type uucp_t, uucp_tmp_t, uucp_log_t;
+ type uucp_spool_t, uucp_ro_t, uucp_rw_t;
+ type uucp_var_run_t;
+ ')
+
+ allow $1 uucp_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, uucp_t)
+
+ files_list_tmp($1)
+ manage_files_pattern($1, uucp_tmp_t, uucp_tmp_t)
+
+ logging_list_logs($1)
+ manage_files_pattern($1, uucp_log_t, uucp_log_t)
+
+ files_list_spool($1)
+ manage_files_pattern($1, uucp_spool_t, uucp_spool_t)
+
+ manage_files_pattern($1, uucp_rw_t, uucp_rw_t)
+
+ manage_files_pattern($1, uucp_ro_t, uucp_ro_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, uucp_var_run_t, uucp_var_run_t)
+')
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 874f0cb..8782562 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -1,5 +1,5 @@
-policy_module(uucp,1.6.0)
+policy_module(uucp,1.6.1)
 ########################################
 #