diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b257b2b..7ea3893 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -183,7 +183,7 @@ interface(`term_dontaudit_use_console',`
type console_device_t;
')
- dontaudit $1 console_device_t:chr_file { read write };
+ dontaudit $1 console_device_t:chr_file rw_file_perms;
')
########################################
@@ -364,11 +364,10 @@ interface(`term_dontaudit_use_generic_pty',`
interface(`term_use_controlling_term',`
gen_require(`
type devtty_t;
- class chr_file { getattr read write ioctl };
')
dev_list_all_dev_nodes($1)
- allow $1 devtty_t:chr_file { getattr read write ioctl };
+ allow $1 devtty_t:chr_file { rw_term_perms lock append };
')
########################################
@@ -668,11 +667,10 @@ interface(`term_write_unallocated_ttys',`
interface(`term_use_unallocated_tty',`
gen_require(`
type tty_device_t;
- class chr_file { getattr read write ioctl };
')
dev_list_all_dev_nodes($1)
- allow $1 tty_device_t:chr_file { getattr read write ioctl };
+ allow $1 tty_device_t:chr_file { rw_term_perms lock append };
')
########################################
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 75c64f0..761c12e 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -142,7 +142,7 @@ miscfiles_read_localization(apmd_t)
modutils_domtrans_insmod(apmd_t)
modutils_read_module_conf(apmd_t)
-seutil_dontaudit_search_config(apmd_t)
+seutil_dontaudit_read_config(apmd_t)
userdom_dontaudit_use_unpriv_user_fd(apmd_t)
userdom_dontaudit_search_sysadm_home_dir(apmd_t)
@@ -191,6 +191,10 @@ optional_policy(`clock.te',`
clock_rw_adjtime(apmd_t)
')
+optional_policy(`cron.te',`
+ cron_domtrans_anacron_system_job(apmd_t)
+')
+
optional_policy(`logrotate.te',`
logrotate_use_fd(apmd_t)
')
@@ -221,7 +225,6 @@ ifdef(`TODO',`
allow apmd_t proc_t:file write;
allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
optional_policy(`cron.te',`
- domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 68478f7..5ecf6cd 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -161,9 +161,10 @@ optional_policy(`rhgb.te',`
#
allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
-allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t bluetooth_t:socket { read write };
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index 62e42d2..f6e399e 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -33,7 +33,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t self:tcp_socket create_stream_socket_perms;
allow canna_t canna_log_t:file create_file_perms;
-allow canna_t canna_log_t:dir rw_dir_perms;
+allow canna_t canna_log_t:dir { rw_dir_perms setattr };
logging_create_log(canna_t,canna_log_t,{ file dir })
allow canna_t canna_var_lib_t:dir create_dir_perms;
@@ -54,6 +54,7 @@ corenet_tcp_sendrecv_all_if(canna_t)
corenet_raw_sendrecv_all_if(canna_t)
corenet_tcp_sendrecv_all_nodes(canna_t)
corenet_raw_sendrecv_all_nodes(canna_t)
+corenet_tcp_sendrecv_all_ports(canna_t)
corenet_tcp_bind_all_nodes(canna_t)
corenet_tcp_connect_all_ports(canna_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index eade946..2f1179c 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -324,7 +324,7 @@ interface(`cron_system_entry',`
allow $1 system_crond_t:fifo_file rw_file_perms;
allow $1 system_crond_t:process sigchld;
- allow $1 crond_t:fifo_file { getattr read write ioctl };
+ allow $1 crond_t:fifo_file rw_file_perms;
allow $1 crond_t:fd use;
allow $1 crond_t:process sigchld;
')
@@ -418,6 +418,27 @@ interface(`cron_search_spool',`
########################################
##
+## Execute APM in the apm domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`cron_domtrans_anacron_system_job',`
+ gen_require(`
+ type system_crond_t, anacron_exec_t;
+ ')
+
+ domain_auto_trans($1,anacron_exec_t,system_crond_t)
+
+ allow $1 system_crond_t:fd use;
+ allow system_crond_t $1:fd use;
+ allow system_crond_t $1:fifo_file rw_file_perms;
+ allow system_crond_t $1:process sigchld;
+')
+
+########################################
+##
## Inherit and use a file descriptor
## from system cron jobs.
##
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 78c88d1..31c7581 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -75,6 +75,7 @@ corenet_tcp_sendrecv_all_nodes(dovecot_t)
corenet_raw_sendrecv_all_nodes(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_all_nodes(dovecot_t)
+corenet_tcp_connect_all_ports(dovecot_t)
dev_read_sysfs(dovecot_t)
dev_read_urand(dovecot_t)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index d6db068..504e104 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -823,10 +823,9 @@ interface(`files_create_root',`
interface(`files_dontaudit_read_root_file',`
gen_require(`
type root_t;
- class file read;
')
- dontaudit $1 root_t:file read;
+ dontaudit $1 root_t:file { getattr read };
')
########################################
@@ -2150,7 +2149,7 @@ interface(`files_search_var',`
type var_t;
')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
')
########################################
@@ -2215,11 +2214,9 @@ interface(`files_manage_var_dirs',`
interface(`files_read_var_files',`
gen_require(`
type var_t;
- class dir search;
- class file r_file_perms;
')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
allow $1 var_t:file r_file_perms;
')
@@ -2253,11 +2250,9 @@ interface(`files_manage_var_files',`
interface(`files_read_var_symlink',`
gen_require(`
type var_t;
- class dir search;
- class lnk_file { getattr read };
')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
allow $1 var_t:lnk_file { getattr read };
')
@@ -2273,8 +2268,6 @@ interface(`files_read_var_symlink',`
interface(`files_manage_var_symlinks',`
gen_require(`
type var_t;
- class dir rw_dir_perms;
- class lnk_file create_lnk_perms;
')
allow $1 var_t:dir rw_dir_perms;
@@ -2321,10 +2314,9 @@ interface(`files_create_var',`
interface(`files_getattr_var_lib_dir',`
gen_require(`
type var_t, var_lib_t;
- class dir getattr;
')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir getattr;
')
@@ -2339,10 +2331,9 @@ interface(`files_getattr_var_lib_dir',`
interface(`files_search_var_lib',`
gen_require(`
type var_t, var_lib_t;
- class dir search;
')
- allow $1 { var_t var_lib_t }:dir search;
+ allow $1 { var_t var_lib_t }:dir search_dir_perms;
')
########################################
@@ -2356,10 +2347,9 @@ interface(`files_search_var_lib',`
interface(`files_list_var_lib',`
gen_require(`
type var_t, var_lib_t;
- class dir r_dir_perms;
')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir r_dir_perms;
')
@@ -2383,7 +2373,7 @@ interface(`files_create_var_lib',`
class dir rw_dir_perms;
')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir rw_dir_perms;
ifelse(`$3',`',`
@@ -2406,7 +2396,7 @@ interface(`files_read_var_lib_files',`
type var_t, var_lib_t;
')
- allow $1 { var_t var_lib_t }:dir search;
+ allow $1 { var_t var_lib_t }:dir search_dir_perms;
allow $1 var_lib_t:file r_file_perms;
')
@@ -2423,7 +2413,7 @@ interface(`files_read_var_lib_symlinks',`
type var_t, var_lib_t;
')
- allow $1 { var_t var_lib_t }:dir search;
+ allow $1 { var_t var_lib_t }:dir search_dir_perms;
allow $1 var_lib_t:lnk_file { getattr read };
')
@@ -2434,11 +2424,9 @@ interface(`files_read_var_lib_symlinks',`
interface(`files_manage_urandom_seed',`
gen_require(`
type var_t, var_lib_t;
- class dir rw_file_perms;
- class file { getattr create read write setattr unlink };
')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir rw_dir_perms;
allow $1 var_lib_t:file { getattr create read write setattr unlink };
')
@@ -2449,12 +2437,10 @@ interface(`files_manage_urandom_seed',`
#
interface(`files_search_locks',`
gen_require(`
- type var_t;
- type var_lock_t;
- class dir search;
+ type var_t, var_lock_t;
')
- allow $1 { var_t var_lock_t }:dir search;
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
')
########################################
@@ -2488,7 +2474,7 @@ interface(`files_rw_locks_dir',`
type var_t, var_lock_t;
')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:dir rw_dir_perms;
')
@@ -2498,13 +2484,10 @@ interface(`files_rw_locks_dir',`
#
interface(`files_getattr_generic_locks',`
gen_require(`
- type var_t;
- type var_lock_t;
- class dir r_dir_perms;
- class file getattr;
+ type var_t, var_lock_t;
')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:dir r_dir_perms;
allow $1 var_lock_t:file getattr;
')
@@ -2516,8 +2499,6 @@ interface(`files_getattr_generic_locks',`
interface(`files_manage_generic_locks',`
gen_require(`
type var_lock_t;
- class dir { getattr search create read write setattr add_name remove_name rmdir };
- class file { getattr create read write setattr unlink };
')
allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 29fe566..c8df5f1 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -610,11 +610,10 @@ interface(`init_unix_connect_script',`
interface(`init_use_script_pty',`
gen_require(`
type initrc_devpts_t;
- class chr_file rw_term_perms;
')
term_list_ptys($1)
- allow $1 initrc_devpts_t:chr_file rw_term_perms;
+ allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')
########################################
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index d1a0700..f226777 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -35,8 +35,13 @@ files_type(shlib_t)
# texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
-type texrel_shlib_t;
-files_type(texrel_shlib_t)
+
+ifdef(`targeted_policy',`
+ typealias lib_t alias texrel_shlib_t;
+',`
+ type texrel_shlib_t;
+ files_type(texrel_shlib_t)
+')
kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 36fd3bd..77a1e1a 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -150,10 +150,6 @@ userdom_dontaudit_search_sysadm_home_dir(auditd_t)
# cjp: this is questionable
userdom_use_sysadm_tty(auditd_t)
-ifdef(`targeted_policy',`
- unconfined_domain_template(auditd_t)
-')
-
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(auditd_t)
')
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 9e919ff..b1ba783 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -32,9 +32,10 @@ domain_entry_file(cardmgr_t,cardctl_exec_t)
# Use capabilities (net_admin for route), setuid for cardctl
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
dontaudit cardmgr_t self:capability sys_tty_config;
+allow cardmgr_t self:process signal_perms;
+allow cardmgr_t self:fifo_file rw_file_perms;
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
-allow cardmgr_t self:fifo_file rw_file_perms;
allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
@@ -124,6 +125,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`selinuxutils.te',`
+ seutil_dontaudit_read_config(cardmgr_t)
seutil_sigchld_newrole(cardmgr_t)
')
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 3c5b3cc..3498ce3 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -486,8 +486,6 @@ interface(`seutil_dontaudit_search_config',`
interface(`seutil_dontaudit_read_config',`
gen_require(`
type selinux_config_t;
- class dir search;
- class file { getattr read };
')
dontaudit $1 selinux_config_t:dir search;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index dfe9c8b..b14131b 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -65,6 +65,7 @@ ifdef(`targeted_policy',`
# dont need to use the full role_change()
allow sysadm_r system_r;
+ allow sysadm_r user_r;
allow user_r system_r;
allow user_r sysadm_r;
allow system_r sysadm_r;
diff --git a/refpolicy/policy/support/obj_perm_sets.spt b/refpolicy/policy/support/obj_perm_sets.spt
index 03fcb24..458c17c 100644
--- a/refpolicy/policy/support/obj_perm_sets.spt
+++ b/refpolicy/policy/support/obj_perm_sets.spt
@@ -194,7 +194,7 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
#
# Directory
#
-define(`search_dir_perms',`{ search }')
+define(`search_dir_perms',`{ getattr search }')
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
define(`list_dir_perms',`{ getattr search read lock ioctl }')