diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index 8cfca3c..ccc3d2c 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -180,25 +180,6 @@ template(`userhelper_per_role_template',`
optional_policy(`
nscd_socket_use($1_userhelper_t)
')
-
- ifdef(`TODO',`
- allow $1_userhelper_t xdm_t:fd use;
- allow $1_userhelper_t xdm_var_run_t:dir search;
- allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
-
- optional_policy(`
- allow $1_userhelper_t gphdomain:fd use;
- ')
- optional_policy(`
- domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t)
- allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
- ')
- optional_policy(`
- domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
- ')
- # for when the network connection is killed
- dontaudit unpriv_userdomain $1_userhelper_t:process signal;
- ')
')
########################################
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index a8760e6..66e8548 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -851,9 +851,8 @@ interface(`kernel_rw_afs_state',`
type proc_t, proc_afs_t;
')
- read_files_pattern($1,proc_t,proc_afs_t)
-
list_dirs_pattern($1,proc_t,proc_t)
+ rw_files_pattern($1,proc_afs_t,proc_afs_t)
')
#######################################
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 9b5a9b6..5478533 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.9.0)
+policy_module(kernel,1.9.1)
########################################
#
@@ -363,7 +363,7 @@ optional_policy(`
allow kern_unconfined proc_type:{ dir file lnk_file } *;
-allow kern_unconfined sysctl_t:{ dir file } *;
+allow kern_unconfined sysctl_type:{ dir file } *;
allow kern_unconfined kernel_t:system *;
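Review bot: Replacing `sysctl_t` with the `sysctl_type` attribute grants every permission (`*`) on the dirs and files of all sysctl types, which is broader than the read/write access the removed `kernel_rw_all_sysctls(kern_unconfined)` call in the next hunk appears to have provided. For an unconfined attribute that widening is presumably intended, but nothing in the file records that the attribute rule now stands in for the interface call. A one-line comment above the rule such as `# all sysctl types; replaces kernel_rw_all_sysctls()` would keep the next reader from re-adding the call.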
@@ -372,5 +372,3 @@ allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
-
-kernel_rw_all_sysctls(kern_unconfined)
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
index fde49b7..d3c709e 100644
--- a/policy/modules/services/fetchmail.if
+++ b/policy/modules/services/fetchmail.if
@@ -1 +1,40 @@
## Remote-mail retrieval and forwarding utility
+
+########################################
+##
+## All of the rules required to administrate
+## an fetchmail environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the fetchmail domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`fetchmail_admin',`
+ gen_require(`
+ type fetchmail_t, fetchmail_etc_t;
+ type fetchmail_uidl_cache_t, fetchmail_var_run_t;
+ ')
+
+ ps_process_pattern($1, fetchmail_t)
+
+ files_list_etc($1)
+ manage_files_pattern($1, fetchmail_etc_t, fetchmail_etc_t)
+
+ manage_files_pattern($1, fetchmail_uidl_cache_t, fetchmail_uidl_cache_t)
+
+ files_list_pids($1)
+ manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t)
+')
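Review bot: The header documents three parameters (domain, role, user terminal), but the body of `fetchmail_admin` uses only `$1`; `$2` and `$3` are never referenced. Either the role and terminal entries should be dropped from the header, or the interface is missing the rules those parameters normally exist for (there is no init-script transition here, and no process-control rule such as `allow $1 fetchmail_t:process { ptrace signal_perms };` next to `ps_process_pattern`, which admin interfaces elsewhere presumably carry). `files_list_etc($1)` and `files_list_pids($1)` let the caller reach the parents of `fetchmail_etc_t` and `fetchmail_var_run_t`, but nothing equivalent is added for the directory holding `fetchmail_uidl_cache_t`, so confirm the caller can already search it. The summary line should read `a fetchmail environment`.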
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 15e7cb3..0f58ecd 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail,1.5.0)
+policy_module(fetchmail,1.5.1)
########################################
#
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 13affb0..7908ac8 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -1,5 +1,5 @@
-policy_module(openct,1.2.0)
+policy_module(openct,1.2.1)
########################################
#
@@ -22,7 +22,8 @@ dontaudit openct_t self:capability sys_tty_config;
allow openct_t self:process signal_perms;
manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
-files_pid_filetrans(openct_t,openct_var_run_t,file)
+manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+files_pid_filetrans(openct_t,openct_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index cc7d67d..3cb9992 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
-policy_module(pegasus,1.5.0)
+policy_module(pegasus,1.5.1)
########################################
#
@@ -42,6 +42,7 @@ allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
@@ -113,19 +114,17 @@ libs_use_ld_so(pegasus_t)
libs_use_shared_libs(pegasus_t)
logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
miscfiles_read_localization(pegasus_t)
sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
optional_policy(`
- logging_send_syslog_msg(pegasus_t)
-')
-
-optional_policy(`
rpm_exec(pegasus_t)
')
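Review bot: `sysnet_domtrans_ifconfig(pegasus_t)` lets the CIM server run the network-configuration tools in their own domain, which presumably carries far more privilege than the read-only `sysnet_read_config` beside it, yet the hunk gives no reason for the transition. Refpolicy convention is a why-comment above such a grant; until the provider that needs it is known, something like `# NOTE(review): which provider execs ifconfig? confirm and document` above the call would at least mark the open question. Moving `logging_send_syslog_msg` out of `optional_policy` needs no comment, since it is a base-module interface.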
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 6f6ea20..f5c7110 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
-policy_module(rlogin,1.6.0)
+policy_module(rlogin,1.6.1)
########################################
#
@@ -61,6 +61,8 @@ corenet_udp_sendrecv_all_ports(rlogind_t)
dev_read_urand(rlogind_t)
+domain_interactive_fd(rlogind_t)
+
fs_getattr_xattr_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
@@ -82,23 +84,20 @@ logging_send_syslog_msg(rlogind_t)
miscfiles_read_localization(rlogind_t)
-seutil_dontaudit_search_config(rlogind_t)
+seutil_read_config(rlogind_t)
userdom_setattr_unpriv_users_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_all_users_home_content_files(rlogind_t)
remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
optional_policy(`
+ kerberos_use(rlogind_t)
kerberos_read_keytab(rlogind_t)
')
optional_policy(`
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
-
-ifdef(`TODO',`
-# Allow krb5 rlogind to use fork and open /dev/tty for use
-allow rlogind_t userpty_type:chr_file setattr;
-')
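Review bot: `seutil_read_config(rlogind_t)` turns what was a dontaudit into an actual read of the SELinux configuration, and the same swap appears in telnet.te (`seutil_read_config(telnetd_t)`), in both cases without a comment saying what the daemon needs the config for when the login itself is handed off via `remotelogin_domtrans`. If the read is really required (perhaps by the kerberos path that also gained `kerberos_use` here), a one-line comment such as `# reads SELinux config for <reason> -- confirm` above the call in both files would record it; if not, the dontaudit was the tighter rule and should stay.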
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index 37acb56..1ae1cab 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -1,5 +1,5 @@
-policy_module(telnet,1.6.0)
+policy_module(telnet,1.6.1)
########################################
#
@@ -59,6 +59,8 @@ corenet_udp_sendrecv_all_ports(telnetd_t)
dev_read_urand(telnetd_t)
+domain_interactive_fd(telnetd_t)
+
fs_getattr_xattr_fs(telnetd_t)
auth_rw_login_records(telnetd_t)
@@ -66,6 +68,7 @@ auth_use_nsswitch(telnetd_t)
corecmd_search_bin(telnetd_t)
+files_read_usr_files(telnetd_t)
files_read_etc_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
@@ -80,17 +83,21 @@ logging_send_syslog_msg(telnetd_t)
miscfiles_read_localization(telnetd_t)
-seutil_dontaudit_search_config(telnetd_t)
+seutil_read_config(telnetd_t)
remotelogin_domtrans(telnetd_t)
-# for identd; cjp: this should probably only be inetd_child rules?
+userdom_search_unpriv_users_home_dirs(telnetd_t)
+
optional_policy(`
kerberos_use(telnetd_t)
kerberos_read_keytab(telnetd_t)
')
-ifdef(`TODO',`
-# Allow krb5 telnetd to use fork and open /dev/tty for use
-allow telnetd_t userpty_type:chr_file setattr;
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(telnetd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(telnetd_t)
')
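Review bot: `userdom_search_unpriv_users_home_dirs(telnetd_t)` together with the two new `tunable_policy` blocks gives telnetd search access to user home directories, including NFS/CIFS-backed ones, before the session is handed to `remotelogin_domtrans`, and nothing in the hunk says what telnetd looks up there. A why-comment above the call, e.g. `# NOTE(review): what does telnetd need in the user's home before login? confirm and document`, would justify the grant; if the reason is the kerberos block directly above, say so there. The removed duplicate of the `# for identd` comment still survives in the earlier hunk, so no information is lost.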