diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
index ce5ad18..9a39f46 100644
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
@@ -137,15 +137,24 @@ level s0:c0.c255;
 # Only files are constrained by MCS at this stage.
 #
 mlsconstrain file { write setattr append unlink link rename
- create ioctl lock execute } (h1 dom h2);
+ ioctl lock execute relabelfrom } (h1 dom h2);
+
+mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
 mlsconstrain file { read } ((h1 dom h2) or ( t1 == mlsfileread ));
 # new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
 ( h1 dom h2 );
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+mlsconstrain process { ptrace } ( h1 dom h2 );
+
+mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
+ ( t1 == mcskillall );
 define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append link unlink rename relabelfrom relabelto }')
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index 3433cda..0c30116 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink,1.0.2)
+policy_module(prelink,1.0.3)
 ########################################
 #
@@ -74,6 +74,7 @@ libs_relabel_shared_libs(prelink_t)
 libs_use_lib_files(prelink_t)
 libs_manage_lib_files(prelink_t)
 libs_relabel_lib_files(prelink_t)
+libs_delete_lib_symlinks(prelink_t)
 miscfiles_read_localization(prelink_t)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 01e8551..917c544 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
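Review bot: The header comment `# Only files are constrained by MCS at this stage.` stays in place above constraints that now also cover the `process` class (`ptrace`, `sigkill`, `sigstop`), so it misstates what MCS enforces after this change. I would reword it, for example `# Files and selected process permissions (ptrace, sigkill, sigstop) are constrained by MCS.`, and add a one-line comment above the process rules saying that `mcskillall` is the only exemption and that `ptrace` has none. The `sigkill sigstop` expression is also the only one written without enclosing parentheses; `(( h1 dom h2 ) or ( t1 == mcskillall ));` would match the form of the `read` constraint and make the intended grouping explicit.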
@@ -2313,6 +2313,25 @@ interface(`dev_write_urand',`
 ########################################
 ##
+## Read and write generic the USB devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_generic_usb_dev',`
+ gen_require(`
+ type usb_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 usb_device_t:chr_file { read write };
+')
+
+########################################
+##
 ## Mount a usbfs filesystem.
 ##
 ##
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 1e3008f..0827543 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.0.1)
+policy_module(devices,1.0.2)
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/mcs.fc b/refpolicy/policy/modules/kernel/mcs.fc
index e69de29..fa8a4b1 100644
--- a/refpolicy/policy/modules/kernel/mcs.fc
+++ b/refpolicy/policy/modules/kernel/mcs.fc
@@ -0,0 +1 @@
+# no MCS file contexts
diff --git a/refpolicy/policy/modules/kernel/mcs.if b/refpolicy/policy/modules/kernel/mcs.if
index e69de29..1ceab9f 100644
--- a/refpolicy/policy/modules/kernel/mcs.if
+++ b/refpolicy/policy/modules/kernel/mcs.if
@@ -0,0 +1,23 @@
+## Multicategory security policy
+##
+## Contains attributes used in MCS policy.
+##
+
+########################################
+##
+## This domain is allowed to sigkill and sigstop
+## all domains regardless of their MCS level.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+#
+interface(`mcs_killall',`
+ gen_require(`
+ attribute mcskillall;
+ ')
+
+ typeattribute $1 mcskillall;
+')
diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te
index e69de29..260d950 100644
--- a/refpolicy/policy/modules/kernel/mcs.te
+++ b/refpolicy/policy/modules/kernel/mcs.te
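Review bot: `dev_rw_generic_usb_dev` uses `device_t` in `allow $1 device_t:dir r_dir_perms;`, but its `gen_require` block lists only `usb_device_t`, so the interface relies on the calling module having required `device_t` in some other way. The require line should be `type device_t, usb_device_t;`. The summary `Read and write generic the USB devices.` also looks like a word-order slip; `Read and write generic USB devices.` is presumably what was meant.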
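Review bot: The parameter description `Domain target for user exemption.` in `mcs_killall` does not describe what the interface grants and reads like text carried over from another interface. Something like `Domain allowed to sigkill and sigstop processes at any MCS level.` would match the summary above it. Because membership in `mcskillall` lifts the MCS check on these two signals, the summary could also say that the attribute is meant for init-like domains (the only callers in this commit are `init_t` and `initrc_t`).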
@@ -0,0 +1,47 @@
+
+policy_module(mcs,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mcskillall;
+
+########################################
+#
+# THIS IS A HACK
+#
+# Only the base module can have range_transitions, so we
+# temporarily have to break encapsulation to work around this.
+#
+
+type auditd_exec_t;
+type crond_exec_t;
+type cupsd_exec_t;
+type getty_t;
+type init_t;
+type init_exec_t;
+type initrc_t;
+type initrc_exec_t;
+type login_exec_t;
+type sshd_exec_t;
+type su_exec_t;
+type udev_exec_t;
+type unconfined_t;
+type xdm_exec_t;
+
+ifdef(`enable_mcs',`
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+
+# these might be targeted_policy only
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t initrc_exec_t s0;
+')
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index 0b66165..c7b119b 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.2.1)
+policy_module(mls,1.2.2)
 ########################################
 #
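Review bot: The declaration list in the HACK block does not line up with the rules below it: `kernel_t` is the source domain of `range_transition kernel_t udev_exec_t s0 - s0:c0.c255;` but has no `type kernel_t;` here, while `init_exec_t` is declared and not used by any rule in this file. If `kernel_t` is expected to come from another base module, a comment saying so would keep the next reader from treating the list as complete. The last rule, `range_transition unconfined_t initrc_exec_t s0;`, is the only one that drops the category range, and a short why-comment such as `# init scripts started by an admin run without categories` (wording to be confirmed by the author) would document that it is deliberate.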
@@ -53,38 +53,10 @@ attribute mlsrangetrans;
 #
 # Only the base module can have range_transitions, so we
 # temporarily have to break encapsulation to work around this.
+# Other types are declared in the mcs module.
 #
-type auditd_exec_t;
-type crond_exec_t;
-type cupsd_exec_t;
-type getty_t;
-type init_t;
-type init_exec_t;
-type initrc_t;
-type initrc_exec_t;
-type login_exec_t;
 type lvm_exec_t;
-type sshd_exec_t;
-type su_exec_t;
-type udev_exec_t;
-type unconfined_t;
-type xdm_exec_t;
-
-ifdef(`enable_mcs',`
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
-range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-
-# these might be targeted_policy only
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-range_transition unconfined_t initrc_exec_t s0;
-')
 ifdef(`enable_mls',`
 range_transition initrc_t auditd_exec_t s15:c0.c255;
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index b8305fd..706f5d3 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth,1.1.0)
+policy_module(bluetooth,1.1.1)
 ########################################
 #
@@ -101,6 +101,7 @@ corenet_udp_bind_all_nodes(bluetooth_t)
 dev_read_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
+dev_rw_generic_usb_dev(bluetooth_t)
 dev_read_urand(bluetooth_t)
 fs_getattr_all_fs(bluetooth_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8e85e00..59f8012 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
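Review bot: After this hunk the remaining `range_transition initrc_t auditd_exec_t s15:c0.c255;` rule uses two types that mls.te no longer declares, so the file only works when mcs.te is part of the same base policy. The added comment `# Other types are declared in the mcs module.` hints at this without naming them; I would spell it out as `# initrc_t and auditd_exec_t are declared in the mcs module.` so the dependency is visible if mcs.te is later trimmed. The enable_mls block continues past the end of the hunk, so other rules in it may carry the same dependency.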
@@ -1,5 +1,5 @@
-policy_module(hal,1.2.4)
+policy_module(hal,1.2.5)
 ########################################
 #
@@ -128,10 +128,13 @@ libs_exec_ld_so(hald_t)
 libs_exec_lib_files(hald_t)
 logging_send_syslog_msg(hald_t)
+logging_search_logs(hald_t)
 miscfiles_read_localization(hald_t)
 miscfiles_read_hwdata(hald_t)
+modutils_domtrans_insmod(hald_t)
+
 seutil_read_config(hald_t)
 seutil_read_default_contexts(hald_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 91c90a8..11a75c3 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.2.1)
+policy_module(mta,1.2.2)
 ########################################
 #
@@ -44,6 +44,9 @@ role system_r types system_mail_t;
 # System mail local policy
 #
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_override };
+
 allow system_mail_t etc_mail_t:dir { getattr search };
 allow system_mail_t etc_mail_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index d257644..6613400 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.2.2)
+policy_module(networkmanager,1.2.3)
 ########################################
 #
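Review bot: `modutils_domtrans_insmod(hald_t)` is added without any comment, although letting a hardware-event daemon start the module loader is a notable widening of what `hald_t` can cause to happen. A why-comment above the call, for example `# hald loads drivers for <device class> (ref: <bug id>)` with the placeholders filled in by the author, would let a later audit decide whether the transition is still needed. The same applies, to a lesser degree, to `logging_search_logs(hald_t)`.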
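Review bot: `allow system_mail_t self:capability { dac_override };` applies to everything that runs as `system_mail_t`, while the comment above it says only `newalias` needed it and that the placement is unsure. `dac_override` lets the domain ignore file mode and ownership on anything type enforcement already allows, so it is worth checking whether the denial came from the ownership or mode of the aliases database and could be fixed there, or whether `dac_read_search` alone would do. If the rule stays, the comment should record the denial that motivated it, e.g. `# newaliases: dac_override needed to rewrite <aliases db path>; revisit`.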
@@ -22,7 +22,7 @@ allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_overrid
 dontaudit NetworkManager_t self:capability sys_tty_config;
 allow NetworkManager_t self:process { setcap getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
 allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
 allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index f54a670..b323e6d 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.1.1)
+policy_module(postfix,1.1.2)
 ########################################
 #
@@ -273,6 +273,8 @@ allow postfix_local_t postfix_spool_t:file rw_file_perms;
 corecmd_exec_shell(postfix_local_t)
 corecmd_exec_bin(postfix_local_t)
+files_read_etc_files(postfix_local_t)
+
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
@@ -395,6 +397,8 @@ allow postfix_pipe_t self:fifo_file { read write };
 allow postfix_pipe_t postfix_private_t:dir search;
 allow postfix_pipe_t postfix_private_t:sock_file write;
+allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
+
 allow postfix_pipe_t postfix_spool_t:dir search;
 allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index 8a11fb6..4515bbb 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
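Review bot: The new `postfix_public_t:fifo_file { getattr write }` rule for `postfix_pipe_t` has no directory rule next to it, unlike the private socket just above, which is paired with `allow postfix_pipe_t postfix_private_t:dir search;`. Unless search on `postfix_public_t:dir` is granted elsewhere in the file (not visible in this hunk), opening the fifo would still be denied at path lookup. If it is missing, add `allow postfix_pipe_t postfix_public_t:dir search;` in the same place so the pair reads like the private one.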
@@ -22,7 +22,8 @@ ifdef(`targeted_policy', `', `
 #
 # /sbin
 #
-/sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+
 ifdef(`distro_gentoo', `
 /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 2df8025..a66c750 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.2.2)
+policy_module(init,1.2.3)
 gen_require(`
 class passwd rootok;
@@ -155,6 +155,8 @@ libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t)
 logging_rw_generic_logs(init_t)
+mcs_killall(init_t)
+
 mls_file_read_up(init_t)
 mls_file_write_down(init_t)
 mls_rangetrans_target(init_t)
@@ -360,6 +362,8 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_certs(initrc_t)
+mcs_killall(initrc_t)
+
 mls_file_read_up(initrc_t)
 mls_file_write_down(initrc_t)
 mls_process_read_up(initrc_t)
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index a53d338..4bcd938 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -281,7 +281,7 @@ interface(`libs_manage_lib_files',`
 type lib_t;
 ')
- allow $1 lib_t:dir search_dir_perms;
+ allow $1 lib_t:dir rw_dir_perms;
 allow $1 lib_t:file manage_file_perms;
 ')
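Review bot: Switching `lib_t:dir` from `search_dir_perms` to `rw_dir_perms` inside `libs_manage_lib_files` widens every caller of the interface, not only prelink, to adding and removing entries in library directories. That is consistent with the `manage_file_perms` already granted on the files, but the interface's documentation block, which lies outside this hunk, should state that directory write is included, and the existing callers deserve a quick check that each of them should have it. A one-line comment on the changed rule, e.g. `# create/unlink of lib files needs add_name/remove_name on the directory`, would record why the change was made.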
@@ -327,6 +327,26 @@ interface(`libs_relabel_lib_files',`
 ########################################
 ##
+## Delete generic symlinks in library directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+# cjp: added for prelink
+interface(`libs_delete_lib_symlinks',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:dir { getattr search read write remove_name };
+ allow $1 lib_t:lnk_file unlink;
+')
+
+########################################
+##
 ## Create, read, write, and delete shared libraries.
 ##
 ##
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index d701311..1ad32c8 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.2.1)
+policy_module(libraries,1.2.2)
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 606c511..70792e9 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -586,6 +586,28 @@ interface(`seutil_read_file_contexts',`
 ')
 ########################################
+##
+## Read and write the file_contexts files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`seutil_rw_file_contexts',`
+ gen_require(`
+ type selinux_config_t, file_context_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search;
+ allow $1 file_context_t:dir r_dir_perms;
+ allow $1 file_context_t:file rw_file_perms;
+ allow $1 file_context_t:lnk_file { getattr read };
+')
+
+########################################
 #
 # seutil_read_bin_policy(domain)
 #
@@ -683,4 +705,3 @@ interface(`seutil_manage_src_policy',`
 allow $1 policy_src_t:dir create_dir_perms;
 allow $1 policy_src_t:file create_file_perms;
 ')
-
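Review bot: `seutil_rw_file_contexts` is introduced without a caller in any hunk visible here, and its summary `Read and write the file_contexts files.` does not say which kind of domain is expected to use it. These files determine the labels that relabeling tools apply, so write access to them amounts to control over how the filesystem is labeled. I would extend the summary with a second sentence such as `Intended only for trusted policy-management domains.` and name the intended caller in the commit message or a comment.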
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 9a7e3b9..02db437 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.1.4)
+policy_module(selinuxutil,1.1.5)
 gen_require(`
 bool secure_mode;
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index e63d827..bc32cd7 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -55,10 +55,11 @@ interface(`unconfined_domain_noaudit',`
 tunable_policy(`allow_execmem && allow_execstack',`
 # Allow making the stack executable via mprotect.
 allow $1 self:process execstack;
+ auditallow $1 self:process execstack;
 ', `
 # These are fairly common but seem to be harmless
 # caused by using shared libraries built with old tool chains
- dontaudit $1 self:process execstack;
+ #dontaudit $1 self:process execstack;
 ')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 4eeced6..596ba65 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.2.4)
+policy_module(unconfined,1.2.5)
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index ac593ef..33ef4fc 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.2.7)
+policy_module(userdomain,1.2.8)
 gen_require(`
 role sysadm_r, staff_r, user_r;
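Review bot: The else branch of the `tunable_policy` block in unconfined.if is left holding only comments, and the text `# These are fairly common but seem to be harmless` still justifies a `dontaudit` that is now disabled as `#dontaudit $1 self:process execstack;`. Either delete the dead line or replace the comment with one that states the new intent, e.g. `# execstack denials are deliberately left audited so affected binaries can be found`. The same goes for the added `auditallow $1 self:process execstack;`: a short comment that grants are logged on purpose would help, especially as the hunk header shows the enclosing interface is named `unconfined_domain_noaudit`. The interface body starts and ends outside the hunk.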
@@ -165,9 +165,13 @@ ifdef(`targeted_policy',`
 ')
 ifdef(`enable_mls',`
+ corecmd_exec_shell(secadm_t)
+ mls_process_read_up(secadm_t)
+ mls_file_write_down(secadm_t)
+ mls_file_upgrade(secadm_t)
+ mls_file_downgrade(secadm_t)
 logging_read_audit_log(secadm_t)
 logging_domtrans_auditctl(secadm_t)
- mls_process_read_up(secadm_t)
 userdom_dontaudit_append_staff_home_files(secadm_t)
 ', `
 logging_domtrans_auditctl(sysadm_t)
@@ -354,6 +358,7 @@ ifdef(`targeted_policy',`
 seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
 seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
 seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+ seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
 ', `
 selinux_set_enforce_mode(sysadm_t)
 selinux_set_boolean(sysadm_t)
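Review bot: The enable_mls branch now gives `secadm_t` `mls_file_write_down`, `mls_file_upgrade` and `mls_file_downgrade` together with `corecmd_exec_shell`, and none of the added lines says which administrative task needs each one. These are MLS exemptions, so each should carry a why-comment, for example `# secadm relabels files across levels; needs upgrade/downgrade` above the two relabel-related calls. It is also worth confirming that `mls_file_write_down` is required in addition to `mls_file_downgrade`, since by its name it permits writing into lower-level files rather than only relabeling them. The `seutil_run_restorecon` call added in the next hunk is presumably the motivation, and saying so would tie the two changes together.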