diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc
index 37e4561..7bbff29 100644
--- a/refpolicy/policy/modules/admin/rpm.fc
+++ b/refpolicy/policy/modules/admin/rpm.fc
@@ -30,3 +30,7 @@ ifdef(`distro_suse', `
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
')
+
+ifdef(`enable_mls',`
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
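Review bot: The new `/sbin/cpio` entry gives a general-purpose archiver the `rpm_exec_t` entry-point label with no comment saying why. Under MLS, any domain that has a transition on `rpm_exec_t` will presumably enter the rpm domain when it runs cpio, and domains that may only execute ordinary binaries will lose access to it. A short comment above the entry would record the intent and scope, for example `# MLS: cpio is run by rpm to unpack payloads and needs rpm's privileges` (wording to be confirmed by the author).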
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 2b1a7c5..6b99dec 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -87,6 +87,7 @@ template(`su_per_userdomain_template',`
auth_domtrans_user_chk_passwd($1_su_t,$1)
auth_dontaudit_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
domain_wide_inherit_fd($1_su_t)
@@ -109,8 +110,7 @@ template(`su_per_userdomain_template',`
userdom_use_user_terminals($1,$1_su_t)
- if(secure_mode)
- {
+ if(secure_mode) {
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
@@ -134,10 +134,6 @@ template(`su_per_userdomain_template',`
kerberos_use($1_su_t)
')
- optional_policy(`nis.te',`
- nis_use_ypbind($1_su_t)
- ')
-
optional_policy(`nscd.te',`
nscd_use_socket($1_su_t)
')
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 0509092..f202e08 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -59,14 +59,15 @@ template(`sudo_per_userdomain_template',`
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
allow $1_sudo_t self:fifo_file rw_file_perms;
- allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_sudo_t self:unix_dgram_socket sendto;
- allow $1_sudo_t self:unix_stream_socket connectto;
allow $1_sudo_t self:shm create_shm_perms;
allow $1_sudo_t self:sem create_sem_perms;
allow $1_sudo_t self:msgq create_msgq_perms;
allow $1_sudo_t self:msg { send receive };
+ allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
+ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_sudo_t self:unix_dgram_socket sendto;
+ allow $1_sudo_t self:unix_stream_socket connectto;
+ allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
# Enter this derived domain from the user domain
domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
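Review bot: The added `netlink_audit_socket { create bind write nlmsg_read read }` rule grants `nlmsg_read`, which as far as I know covers querying audit state rather than submitting records. If the intent is for sudo to emit audit messages, that path normally needs `nlmsg_relay` plus the `audit_write` capability, and neither appears in the visible lines, so the set may be both too broad and insufficient. The identical rule is added for `newrole_t` in selinuxutil.te; a single interface in the logging module, called from both places, would keep the permission set in one reviewed location. The template body continues outside this hunk, so a capability rule may exist elsewhere.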
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 6e63f7a..58d5924 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -425,6 +425,24 @@ interface(`kernel_search_debugfs',`
########################################
##
+## Read information from the debugging filesystem.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_read_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ allow $1 debugfs_t:dir r_file_perms;
+ allow $1 debugfs_t:file r_file_perms;
+ allow $1 debugfs_t:lnk_file { getattr read };
+')
+
+########################################
+##
## Get the attributes of the proc filesystem.
##
##
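Review bot: In `kernel_read_debugfs` the directory rule uses the file permission macro: `allow $1 debugfs_t:dir r_file_perms;`. The file set does not carry `search`, so callers such as `insmod_t` (switched from `kernel_search_debugfs` in modutils.te) would lose the ability to traverse debugfs directories. `kernel_read_system_state` just below uses `r_dir_perms` for the same purpose, so the line should read `allow $1 debugfs_t:dir r_dir_perms;`.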
@@ -504,9 +522,6 @@ interface(`kernel_read_proc_symlinks',`
interface(`kernel_read_system_state',`
gen_require(`
type proc_t;
- class dir r_dir_perms;
- class lnk_file { getattr read };
- class file r_file_perms;
')
allow $1 proc_t:dir r_dir_perms;
@@ -516,6 +531,27 @@ interface(`kernel_read_system_state',`
########################################
##
+## Write to generic proc entries.
+##
+##
+## Domain allowed access.
+##
+#
+# cjp: this should probably go away. any
+# file thats writable in proc should really
+# have its own label.
+#
+interface(`kernel_write_proc_file',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir search;
+ allow $1 proc_t:file write;
+')
+
+########################################
+##
## Do not audit attempts by caller to
## read system state information in proc.
##
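Review bot: `kernel_write_proc_file` grants `write` on every file labelled `proc_t`, and the only warning about that is the `# cjp:` comment, which is not part of the `##` interface documentation. The summary should carry the caveat itself, for example `## Write to generic proc entries. Prefer a dedicated label for the writable entry; this interface is a stop-gap.`, so it shows up wherever the interface docs are generated. The one caller added in this commit, `kernel_write_proc_file(hald_t)` in hal.te, has no comment naming which proc entry hald writes, which makes it hard to replace later with a narrower type.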
diff --git a/refpolicy/policy/modules/kernel/terminal.fc b/refpolicy/policy/modules/kernel/terminal.fc
index 49dafec..e43d08c 100644
--- a/refpolicy/policy/modules/kernel/terminal.fc
+++ b/refpolicy/policy/modules/kernel/terminal.fc
@@ -11,6 +11,7 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
+/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index b853c52..4760266 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -21,6 +21,7 @@ init_system_domain(named_t,named_checkconf_exec_t)
# A type for configuration files of named.
type named_conf_t;
files_type(named_conf_t)
+files_mountpoint(named_conf_t)
# for secondary zone files
type named_cache_t;
@@ -149,6 +150,17 @@ ifdef(`targeted_policy',`
#dontaudit ndc_t unlabeled_t:file { getattr read };
')
+optional_policy(`dbus.te',`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ allow named_t self:dbus send_msg;
+ dbus_system_bus_client_template(named,named_t)
+ dbus_connect_system_bus(named_t)
+ dbus_send_system_bus_msg(named_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(named_t)
')
diff --git a/refpolicy/policy/modules/services/bluetooth.fc b/refpolicy/policy/modules/services/bluetooth.fc
index f61784d..611008a 100644
--- a/refpolicy/policy/modules/services/bluetooth.fc
+++ b/refpolicy/policy/modules/services/bluetooth.fc
@@ -2,10 +2,12 @@
# /etc
#
/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
+/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
#
# /usr
#
+/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
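Review bot: The pattern `/usr/bin/blue.*pin` is not anchored to a single path component, since `.*` also matches `/`, so any regular file below `/usr/bin` whose full path starts with `blue` and ends in `pin` would receive the `bluetooth_helper_exec_t` entry-point label. terminal.fc already uses the component-bounded form (`/dev/ip2[^/]*`), and the same here would be `/usr/bin/blue[^/]*pin`. The `/etc/bluetooth/link_key` entry is fine as written, but a one-line comment that it holds pairing keys and is the only writable file in the config tree would help the next reader.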
@@ -16,4 +18,5 @@
#
# /var
#
+/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 0c237cc..68478f7 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -12,31 +12,53 @@ init_daemon_domain(bluetooth_t,bluetooth_exec_t)
type bluetooth_conf_t;
files_type(bluetooth_conf_t)
+type bluetooth_conf_rw_t;
+files_type(bluetooth_conf_rw_t)
+
+type bluetooth_helper_t;
+type bluetooth_helper_exec_t;
+domain_type(bluetooth_helper_t)
+domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
+role system_r types bluetooth_helper_t;
+
type bluetooth_lock_t;
files_lock_file(bluetooth_lock_t)
type bluetooth_tmp_t;
files_tmp_file(bluetooth_tmp_t)
+type bluetooth_var_lib_t;
+files_type(bluetooth_var_lib_t)
+
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
########################################
#
-# Local policy
+# Bluetooth services local policy
#
+
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
dontaudit bluetooth_t self:capability sys_tty_config;
-allow bluetooth_t self:process signal_perms;
+allow bluetooth_t self:process { getsched signal_perms };
+allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect };
allow bluetooth_t self:udp_socket create_socket_perms;
-allow bluetooth_t bluetooth_conf_t:dir search;
+allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
+allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
+allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
+allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
+allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
+allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
+type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
+
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
files_create_lock(bluetooth_t,bluetooth_lock_t)
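Review bot: The `type_transition` for objects created in `bluetooth_conf_t` directories lists `{ file lnk_file sock_file fifo_file }` but not `dir`, while the rule two lines up grants `bluetooth_conf_rw_t:dir create_dir_perms`. A directory created under /etc/bluetooth would keep `bluetooth_conf_t`, for which only `rw_dir_perms` is allowed, so the create would presumably be denied and the `bluetooth_conf_rw_t:dir` grant is never exercised unless something labels a directory that way by hand. Either add `dir` to the transition class set or drop the unused dir rule, so the policy grants only what can actually be reached.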
@@ -44,14 +66,17 @@ allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir })
+allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
+allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
+files_create_var_lib(bluetooth_t,bluetooth_var_lib_t)
+
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
kernel_read_kernel_sysctl(bluetooth_t)
-kernel_list_proc(bluetooth_t)
-kernel_read_proc_symlinks(bluetooth_t)
+kernel_read_system_state(bluetooth_t)
corenet_tcp_sendrecv_all_if(bluetooth_t)
corenet_udp_sendrecv_all_if(bluetooth_t)
@@ -66,16 +91,24 @@ corenet_udp_sendrecv_all_ports(bluetooth_t)
dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
+dev_read_urand(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
term_dontaudit_use_console(bluetooth_t)
+#Handle bluetooth serial devices
+term_use_unallocated_tty(bluetooth_t)
corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
domain_use_wide_inherit_fd(bluetooth_t)
+files_read_etc_files(bluetooth_t)
+files_read_etc_runtime_files(bluetooth_t)
+files_read_usr_files(bluetooth_t)
+
init_use_fd(bluetooth_t)
init_use_script_pty(bluetooth_t)
@@ -85,6 +118,7 @@ libs_use_shared_libs(bluetooth_t)
logging_send_syslog_msg(bluetooth_t)
miscfiles_read_localization(bluetooth_t)
+miscfiles_read_fonts(bluetooth_t)
sysnet_read_config(bluetooth_t)
@@ -119,4 +153,73 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(bluetooth_t)
')
+') dnl end TOOD
+
+########################################
+#
+# Bluetooth helper local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:fifo_file rw_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctl(bluetooth_helper_t)
+
+term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_files(bluetooth_helper_t)
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+libs_use_ld_so(bluetooth_helper_t)
+libs_use_shared_libs(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t)
+miscfiles_read_fonts(bluetooth_helper_t)
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(bluetooth_helper_t)
+')
+
+ifdef(`TODO',`
+domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+
+# a "run" interface needs to be
+# added, and have sysadm_t use it
+# in a optional_policy block.
+
+allow bluetooth_helper_t tmp_t:dir search;
+
+allow bluetooth_helper_t home_dir_type:dir search;
+
+ifdef(`xserver.te', `
+ allow bluetooth_helper_t xserver_log_t:dir search;
+ allow bluetooth_helper_t xserver_log_t:file { getattr read };
+')
+
+ifdef(`targeted_policy', `
+ allow bluetooth_helper_t tmp_t:sock_file { read write };
+ allow bluetooth_helper_t tmpfs_t:file { read write };
+ allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+ allow bluetooth_t unconfined_t:dbus send_msg;
+ allow unconfined_t bluetooth_t:dbus send_msg;
+', `
+ ifdef(`xdm.te', `
+ allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
+ ')
+
+ allow bluetooth_t unpriv_userdomain:dbus send_msg;
+ allow unpriv_userdomain bluetooth_t:dbus send_msg;
')
+') dnl end TODO
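Review bot: `bluetooth_helper_t` cannot be entered as written: the only `domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)` sits inside the TODO ifdef. bluetooth.fc already relabels the PIN helpers to `bluetooth_helper_exec_t`, and no rule visible in these hunks lets `bluetooth_t` execute that type, so the helper would likely be denied outright rather than confined. Separately, `domain_read_all_domains_state(bluetooth_helper_t)` lets a PIN-entry helper read the process state of every domain; that is broad for its job and deserves a comment naming the denial that motivated it, or a narrower interface. The closing marker `') dnl end TOOD` is also misspelled, which makes the block boundary harder to grep for.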
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 3dc798a..4457dc0 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -51,7 +51,7 @@ files_tmp_file(system_crond_tmp_t)
# Cron Local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
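Review bot: `audit_control` is added to `crond_t`'s capability set without a comment, and it is the capability that permits changing audit configuration, not just writing records. If cron only needs to submit audit messages, `audit_write` is the narrower grant. If the reason is setting the login uid for jobs (an assumption; the hunk does not say), record that next to the rule, for example `# audit_control: set loginuid for cron jobs`, so the grant is not widened or copied without review.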
@@ -182,6 +182,12 @@ rhgb_domain(crond_t)
# crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
+ifdef(`apache.te',`
+allow system_crond_t httpd_modules_t:lnk_file read;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
+')
+
# to search /home
allow crond_t user_home_dir_type:dir r_dir_perms;
') dnl endif TODO
diff --git a/refpolicy/policy/modules/services/dhcp.fc b/refpolicy/policy/modules/services/dhcp.fc
index c7a11b2..4d40b6b 100644
--- a/refpolicy/policy/modules/services/dhcp.fc
+++ b/refpolicy/policy/modules/services/dhcp.fc
@@ -1,6 +1,7 @@
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ftp.fc b/refpolicy/policy/modules/services/ftp.fc
index f5b01d9..926bef8 100644
--- a/refpolicy/policy/modules/services/ftp.fc
+++ b/refpolicy/policy/modules/services/ftp.fc
@@ -22,5 +22,6 @@
/var/run/proftpd/proftpd\.scoreboard -- gen_context(system_u:object_r:ftpd_var_run_t,s0)
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 32eda81..fb89452 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -133,11 +133,15 @@ tunable_policy(`allow_ftpd_anon_write',`
tunable_policy(`ftp_home_dir',`
# allow access to /home
- files_getattr_home_dir(ftpd_t)
+ files_list_home(ftpd_t)
userdom_read_all_user_files(ftpd_t)
userdom_manage_all_user_dirs(ftpd_t)
userdom_manage_all_user_files(ftpd_t)
userdom_manage_all_user_symlinks(ftpd_t)
+
+ ifdef(`targeted_policy',`
+ userdom_create_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ ')
')
tunable_policy(`ftpd_is_daemon',`
@@ -198,4 +202,13 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(ftpd_t)
')
+
+# cjp: this was in base user macro, but we cannot
+# use typeattribute ftpd_t privhome; interface
+# since typeattribute doesnt work in conditionals
+ifdef(`ftpd.te' , `
+if (ftpd_is_daemon) {
+file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+}
+')
')
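Review bot: `$1_home_dir_t` and `$1_home_t` in the added block have nothing to expand from, because ftp.te is a module file rather than a per-user template, so this rule cannot compile if the surrounding TODO ifdef is ever enabled. The same unexpanded `$1` appears in the `domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)` lines added to remotelogin.te and locallogin.te, where `remote_login_t` and `local_login_t` look like the intended source domains. The ftp.te and locallogin.te blocks appear to sit inside TODO ifdefs and are inert today; whether the remotelogin.te one does cannot be seen from its hunk. A comment such as `# TODO: needs a userdomain interface; $1 is not defined in a .te file` would stop these being enabled by accident.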
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 0eff9fd..edbd64b 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -42,6 +42,7 @@ files_create_pid(hald_t,hald_var_run_t)
kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
kernel_read_kernel_sysctl(hald_t)
+kernel_write_proc_file(hald_t)
corenet_tcp_sendrecv_all_if(hald_t)
corenet_raw_sendrecv_all_if(hald_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 49f0f9e..80d986a 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -37,7 +37,7 @@ allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
-allow mysqld_t self:tcp_socket connected_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
allow mysqld_t mysqld_db_t:dir create_dir_perms;
allow mysqld_t mysqld_db_t:file create_file_perms;
@@ -62,11 +62,15 @@ kernel_read_proc_symlinks(mysqld_t)
kernel_read_system_state(mysqld_t)
corenet_tcp_sendrecv_all_if(mysqld_t)
+corenet_udp_sendrecv_all_if(mysqld_t)
corenet_raw_sendrecv_all_if(mysqld_t)
corenet_tcp_sendrecv_all_nodes(mysqld_t)
+corenet_udp_sendrecv_all_nodes(mysqld_t)
corenet_raw_sendrecv_all_nodes(mysqld_t)
corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
corenet_tcp_bind_all_nodes(mysqld_t)
+corenet_udp_bind_all_nodes(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t)
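Review bot: The added `corenet_udp_sendrecv_all_ports(mysqld_t)` and `corenet_udp_bind_all_nodes(mysqld_t)`, together with `udp_socket create_socket_perms` in the previous hunk, give the database daemon UDP send and receive on every interface, node and port with no comment explaining which service needs it. No UDP port bind or connect interface is added alongside, so the purpose cannot be inferred from the hunk. If this is for name-service or NFS client traffic, granting it through the relevant service interface inside an `optional_policy` block (as the `mount.te` and `nis.te` blocks below do) would keep the grant scoped; otherwise a one-line comment naming the consumer is the minimum.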
@@ -110,6 +114,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_file(mysqld_t)
')
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(mysqld_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(mysqld_t)
')
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 6a4c53d..8c9428a 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -121,6 +121,22 @@ interface(`nis_use_ypbind',`
########################################
##
+## Send generic signals to ypbind.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`nis_signal_ypbind',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ allow $1 ypbind_t:process signal;
+')
+
+########################################
+##
## Send UDP network traffic to NIS clients.
##
##
@@ -129,7 +145,7 @@ interface(`nis_use_ypbind',`
#
interface(`nis_list_var_yp',`
gen_require(`
- type ypbind_t;
+ type var_yp_t;
')
files_search_var($1)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 0aa6e98..91f1140 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -69,6 +69,7 @@ auth_rw_lastlog(remote_login_t)
auth_rw_faillog(remote_login_t)
auth_exec_pam(remote_login_t)
auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
corecmd_list_bin(remote_login_t)
corecmd_list_sbin(remote_login_t)
@@ -170,6 +171,10 @@ optional_policy(`remotelogin.te',`
# Login can polyinstantiate
polyinstantiater(remote_login_t)
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
+')
+
allow remote_login_t userpty_type:chr_file { setattr write };
allow remote_login_t ptyfile:chr_file { getattr ioctl };
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index ef74be1..cdfb1f4 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -110,3 +110,5 @@ ifdef(`distro_suse',`
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/ftp/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
+
+/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 8fe9c87..d6db068 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -20,8 +20,13 @@
##
########################################
-#
-# files_type(type)
+##
+## Make the specified type usable for files
+## in a filesystem.
+##
+##
+## Type to be used for files.
+##
#
interface(`files_type',`
gen_require(`
@@ -221,6 +226,9 @@ interface(`files_tmpfs_file',`
## Domain allowed access.
##
#
+# cjp: this is an odd interface, because to getattr
+# all dirs, you need to search all the parent directories
+#
interface(`files_getattr_all_dirs',`
gen_require(`
attribute file_type;
@@ -250,6 +258,22 @@ interface(`files_dontaudit_getattr_all_dirs',`
########################################
##
+## Search all directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_search_all',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir { getattr search };
+')
+
+########################################
+##
## List the contents of all directories.
##
##
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 635e6c5..5a92e15 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -112,6 +112,8 @@ files_rw_isid_type_dir(fsadm_t)
files_rw_isid_type_blk_node(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
+# for tune2fs
+files_search_all(fsadm_t)
init_use_fd(fsadm_t)
init_use_script_pty(fsadm_t)
diff --git a/refpolicy/policy/modules/system/ipsec.fc b/refpolicy/policy/modules/system/ipsec.fc
index ffe8566..f0aa1f1 100644
--- a/refpolicy/policy/modules/system/ipsec.fc
+++ b/refpolicy/policy/modules/system/ipsec.fc
@@ -29,4 +29,6 @@
/usr/sbin/racoon -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 554404c..78267cd 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -113,6 +113,7 @@ auth_rw_lastlog(local_login_t)
auth_rw_faillog(local_login_t)
auth_exec_pam(local_login_t)
auth_manage_pam_console_data(local_login_t)
+auth_domtrans_pam_console(local_login_t)
corecmd_list_bin(local_login_t)
corecmd_list_sbin(local_login_t)
@@ -221,6 +222,10 @@ optional_policy(`locallogin.te',`
')
# Login can polyinstantiate
polyinstantiater(local_login_t)
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
+')
') dnl endif TODO
#################################
diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc
index 5327fda..92c7e5c 100644
--- a/refpolicy/policy/modules/system/miscfiles.fc
+++ b/refpolicy/policy/modules/system/miscfiles.fc
@@ -30,6 +30,7 @@
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/hwdata(/.*)? gen_context(system_u:object_r:hwdata_t,s0)
/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index f8652d9..9959852 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -53,7 +53,7 @@ can_exec(insmod_t, insmod_exec_t)
kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t)
kernel_mount_debugfs(insmod_t)
-kernel_search_debugfs(insmod_t)
+kernel_read_debugfs(insmod_t)
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctl(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 4afa29b..0006949 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -188,12 +188,13 @@ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
allow newrole_t self:fifo_file rw_file_perms;
-allow newrole_t self:unix_dgram_socket sendto;
-allow newrole_t self:unix_stream_socket connectto;
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
+allow newrole_t self:unix_dgram_socket sendto;
+allow newrole_t self:unix_stream_socket connectto;
+allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read };
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
@@ -287,6 +288,7 @@ kernel_read_system_state(restorecon_t)
dev_rw_generic_file(restorecon_t)
fs_getattr_xattr_fs(restorecon_t)
+fs_search_auto_mountpoints(restorecon_t)
mls_file_read_up(restorecon_t)
mls_file_write_down(restorecon_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
index fe1511a..4511dc4 100644
--- a/refpolicy/policy/modules/system/sysnetwork.fc
+++ b/refpolicy/policy/modules/system/sysnetwork.fc
@@ -21,6 +21,7 @@
# /sbin
#
/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -45,5 +46,6 @@
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
/var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 9cac143..df4f089 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -181,6 +181,7 @@ optional_policy(`netutils.te',`
optional_policy(`nis.te',`
nis_use_ypbind(dhcpc_t)
+ nis_signal_ypbind(dhcpc_t)
# dhclient sometimes starts ypbind
init_exec_script(dhcpc_t)
#nis_domtrans_ypbind(dhcpc_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 0d885fc..45dafca 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -57,7 +57,7 @@ ifdef(`targeted_policy',`
type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
files_type(user_home_t)
- type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type;
+ type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type;
files_type(user_home_dir_t)
unconfined_role(user_r)
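Review bot: Adding `home_type` to `user_home_dir_t` means every rule written against the `home_type` attribute now also applies to the home directory itself, not only to its contents. In this commit that plausibly widens what the `ftp_home_dir` tunable and other home-content interfaces can do to the top-level directory in targeted policy, though those interface bodies are not visible here. A comment on the declaration naming the rule or denial that required the extra attribute, for example `# home_type: <interface> must also cover the home dir in targeted policy`, would let a later reviewer judge whether it can be dropped.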