* hald
@ 2004-08-17  4:21 Russell Coker
  2004-08-17 20:49 ` hald Luke Kenneth Casson Leighton
  0 siblings, 1 reply; 5+ messages in thread
From: Russell Coker @ 2004-08-17  4:21 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 253 bytes --]

hald is a daemon that manages hardware via dbus, which is now a
mandatory feature of the latest rawhide.

I have attached the main policy files for it, a patch for a couple of
other programs which it depends on, and many other trivial patches.

[-- Attachment #2: hald.te --]
[-- Type: text/plain, Size: 1003 bytes --]

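#DESC hald - server for device info
#
# Author:  Russell Coker <rcoker@redhat.com>
# X-Debian-Packages: 
#

#################################
#
# Rules for the hald_t domain.
#
# hald_exec_t is the type of the hald executable.
#
# hald manages hardware and talks to the rest of the system over D-Bus.
# daemon_domain declares hald_t and hald_exec_t; the extra argument adds
# the dbus_client_domain attribute (presumably the common D-Bus client rules).
daemon_domain(hald, `, dbus_client_domain')

# Read /etc configuration and its own /proc entries.
allow hald_t etc_t:file { getattr read };
allow hald_t self:file { getattr read };

# Local stream sockets and pipes the daemon creates for itself
# (written as self, consistent with the other self rules in this file).
allow hald_t self:unix_stream_socket create_stream_socket_perms;
allow hald_t self:fifo_file rw_file_perms;

# Own a service name on the system bus.
allow hald_t dbusd_t:dbus { acquire_svc };

# Look up helper programs in /bin and /sbin and read data under /usr.
# Only getattr/read is granted here: the only program executions in this
# file are the domain transitions to updfstab and udev below.
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t bin_t:file { getattr };
allow hald_t usr_t:file { getattr read };

# Netlink routing socket (read-only permission set) and the capabilities
# that go with it.  net_admin matches the netlink use; sys_admin is very
# broad -- NOTE(review): confirm which operation needs it and narrow it.
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:capability { net_admin sys_admin };

# Full network access through the can_network macro.
# NOTE(review): confirm hald needs more than the netlink socket above.
can_network(hald_t)

# Run updfstab and udev in their own domains when their policy is present.
ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
ifdef(`udev.te', `domain_auto_trans(hald_t, udev_exec_t, udev_t)')

# Enumerate USB devices through usbdevfs.
allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };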

[-- Attachment #3: hald.fc --]
[-- Type: text/plain, Size: 87 bytes --]

# hald - hardware information daemon
# The executable is labelled hald_exec_t, the entry-point type for the
# hald_t domain declared in hald.te.
/usr/sbin/hald		--	system_u:object_r:hald_exec_t

[-- Attachment #4: diff --]
[-- Type: text/x-patch, Size: 54445 bytes --]

diff -ru /usr/src/se/policy/domains/program/crond.te ./domains/program/crond.te
--- /usr/src/se/policy/domains/program/crond.te	2004-08-04 20:26:43.000000000 +1000
+++ ./domains/program/crond.te	2004-08-15 15:47:49.000000000 +1000
@@ -148,7 +148,7 @@
 
 # Stat any file and search any directory for find.
 allow system_crond_t { root_dir_type file_type fs_type }:notdevfile_class_set getattr;
-allow system_crond_t device_type:{ chr_file blk_file dir } getattr;
+allow system_crond_t device_type:{ chr_file blk_file } getattr;
 allow system_crond_t file_type:dir { read search getattr };
 
 # Create temporary files.
diff -ru /usr/src/se/policy/domains/program/mount.te ./domains/program/mount.te
--- /usr/src/se/policy/domains/program/mount.te	2004-05-30 16:26:57.000000000 +1000
+++ ./domains/program/mount.te	2004-08-17 13:39:04.000000000 +1000
@@ -30,6 +30,7 @@
 # Access disk devices.
 allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms;
 allow mount_t removable_device_t:devfile_class_set rw_file_perms;
+allow mount_t device_t:lnk_file read;
 
 # for when /etc/mtab loses its type
 allow mount_t file_t:file { getattr read unlink };
diff -ru /usr/src/se/policy/domains/program/unused/cardmgr.te ./domains/program/unused/cardmgr.te
--- /usr/src/se/policy/domains/program/unused/cardmgr.te	2004-08-02 16:59:48.000000000 +1000
+++ ./domains/program/unused/cardmgr.te	2004-07-22 00:13:24.000000000 +1000
@@ -35,10 +35,7 @@
 allow cardmgr_t self:unix_stream_socket create_socket_perms;
 allow cardmgr_t self:fifo_file rw_file_perms;
 
-file_type_auto_trans(cardmgr_t, { cardmgr_var_run_t var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
-
-# Create stab file and device nodes.
-file_type_auto_trans(cardmgr_t, var_lib_t, cardmgr_dev_t, { blk_file chr_file })
+# Create stab file
 var_lib_domain(cardmgr)
 
 # for /var/lib/misc/pcmcia-scheme
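Review bot: The `+++` timestamp on cardmgr.te (2004-07-22) predates the `---` file it is diffed against (2004-08-02), so the removal of `file_type_auto_trans(cardmgr_t, var_lib_t, cardmgr_dev_t, { blk_file chr_file })` may be reverting a rule added upstream after this working copy was taken rather than an intended change. The same inverted timestamps appear on lvm.te, named.te, ntpd.te, postgresql.te and rpm.te, and the last lvm.te hunk likewise drops `allow lvm_t var_run_t:dir { search };` and `dontaudit lvm_t device_t:dir r_dir_perms;` without a comment. Regenerating those files against a current tree, or stating in the cover note that the removals are intended, would settle it.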
@@ -47,17 +44,14 @@
 
 # Create device files in /tmp.
 type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type;
-allow cardmgr_t cardmgr_dev_t:chr_file create_file_perms;
-
 ifdef(`tmpreaper.te', `
 allow tmpreaper_t cardmgr_dev_t:chr_file { getattr unlink };
 ')
+file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
 
 # Create symbolic links in /dev.
 type cardmgr_lnk_t, file_type, sysadmfile;
-type_transition cardmgr_t device_t:lnk_file cardmgr_lnk_t;
-allow cardmgr_t device_t:dir rw_dir_perms;
-allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
+file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
 
 # Run a shell, normal commands, /etc/pcmcia scripts. 
 can_exec_any(cardmgr_t)
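Review bot: The relocated `file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })` now sits under the comment `# Create device files in /tmp.`, which describes only one of the four parent types. It also replaces the explicit `allow cardmgr_t cardmgr_dev_t:chr_file create_file_perms;`, so creation now depends on what the macro grants, which is outside the hunk. A comment such as `# Create device nodes as cardmgr_dev_t in /dev, /tmp and /var/run.` would keep the block self-describing.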
diff -ru /usr/src/se/policy/domains/program/unused/clamav.te ./domains/program/unused/clamav.te
--- /usr/src/se/policy/domains/program/unused/clamav.te	2004-06-17 15:10:39.000000000 +1000
+++ ./domains/program/unused/clamav.te	2004-08-16 20:14:39.000000000 +1000
@@ -25,7 +25,7 @@
 can_network(freshclam_t)
 
 # Access virus signatures
-allow freshclam_t var_lib_t:dir search;
+allow freshclam_t { var_t var_lib_t }:dir search;
 rw_dir_create_file(freshclam_t, clamav_var_lib_t)
 
 allow freshclam_t devtty_t:chr_file { read write };
@@ -36,6 +36,9 @@
 allow freshclam_t urandom_device_t:chr_file { getattr read };
 dontaudit freshclam_t urandom_device_t:chr_file ioctl;
 
+# for nscd
+dontaudit freshclam_t var_run_t:dir search;
+
 # setuid/getuid used (although maybe not required...)
 allow freshclam_t self:capability { setgid setuid };
 
@@ -50,7 +53,7 @@
 allow freshclam_t self:fifo_file rw_file_perms;
 
 # Log files for freshclam executable
-log_domain(freshclam)
+logdir_domain(freshclam)
 allow initrc_t freshclam_log_t:file append;
 
 system_crond_entry(freshclam_exec_t, freshclam_t)
@@ -66,10 +69,11 @@
 daemon_domain(clamd)
 
 tmp_domain(clamd)
+logdir_domain(clamd)
 
 file_type_auto_trans(clamd_t, var_run_t, clamd_var_run_t, sock_file)
 
-allow clamd_t self:capability kill;
+allow clamd_t self:capability { kill setgid setuid };
 
 allow clamd_t var_lib_t:dir search;
 r_dir_file(clamd_t, clamav_var_lib_t)
diff -ru /usr/src/se/policy/domains/program/unused/courier.te ./domains/program/unused/courier.te
--- /usr/src/se/policy/domains/program/unused/courier.te	2004-03-18 15:36:08.000000000 +1100
+++ ./domains/program/unused/courier.te	2004-08-11 17:53:19.000000000 +1000
@@ -6,6 +6,7 @@
 
 # Type for files created during execution of courier.
 type courier_var_run_t, file_type, sysadmfile, pidfile;
+type courier_var_lib_t, file_type, sysadmfile;
 
 type courier_etc_t, file_type, sysadmfile;
 typealias courier_etc_t alias etc_courier_t;
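Review bot: The new `type courier_var_lib_t, file_type, sysadmfile;` has no file_contexts entry anywhere in the patch, yet `rw_dir_create_file(courier_tcpd_t, courier_var_lib_t)` in a later hunk of this file needs a directory carrying that label. Either the .fc change is missing or the label is applied some other way; a comment on the declaration naming the directory it labels, in the style of the `# Type for files created during execution of courier.` line above it, would make that explicit.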
@@ -73,6 +74,8 @@
 allow courier_authdaemon_t tmp_t:dir getattr;
 allow courier_authdaemon_t self:file { getattr read };
 read_locale(courier_authdaemon_t)
+can_exec(courier_authdaemon_t, courier_exec_t)
+dontaudit courier_authdaemon_t selinux_config_t:dir search;
 
 # for SSP
 allow courier_authdaemon_t urandom_device_t:chr_file read;
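Review bot: `can_exec(courier_authdaemon_t, courier_exec_t)` runs courier_exec_t programs inside the authdaemon domain, which holds `{ setuid setgid sys_tty_config }` (visible at the start of the next hunk), whereas the file otherwise moves into a separate domain with `domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)`. If a specific helper must stay in-domain, a comment naming it would justify the grant; otherwise a transition keeps the privileged domain narrow. The added `dontaudit courier_authdaemon_t selinux_config_t:dir search;` is also uncommented, unlike the `# for SSP` rule just below it.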
@@ -85,7 +88,7 @@
 allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
 
 courier_domain(tcpd)
-allow courier_tcpd_t self:capability net_bind_service;
+allow courier_tcpd_t self:capability { kill net_bind_service };
 allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
 allow courier_tcpd_t sbin_t:dir search;
 allow courier_tcpd_t var_lib_t:dir search;
@@ -97,6 +100,7 @@
 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
 
 can_tcp_connect(userdomain, courier_tcpd_t)
+rw_dir_create_file(courier_tcpd_t, courier_var_lib_t)
 
 # domain for pop and imap
 courier_domain(pop)
@@ -111,6 +115,9 @@
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
 
+# inherits file handle - should it?
+allow courier_pop_t courier_var_lib_t:file { read write };
+
 # do the actual work (read the Maildir)
 # imap needs to write files
 allow courier_pop_t home_root_t:dir { getattr search };
diff -ru /usr/src/se/policy/domains/program/unused/dpkg.te ./domains/program/unused/dpkg.te
--- /usr/src/se/policy/domains/program/unused/dpkg.te	2004-07-13 09:08:00.000000000 +1000
+++ ./domains/program/unused/dpkg.te	2004-08-03 12:23:33.000000000 +1000
@@ -18,7 +18,7 @@
 
 tmp_domain(dpkg)
 can_setfscreate(dpkg_t)
-can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t })
+can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })
 
 ifdef(`load_policy.te', `
 domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
@@ -34,6 +34,9 @@
 ifdef(`mta.te', `
 allow system_mail_t dpkg_tmp_t:file { getattr read };
 ')
+ifdef(`logrotate.te', `
+allow logrotate_t dpkg_var_lib_t:file create_file_perms;
+')
 
 # for open office
 can_exec(dpkg_t, usr_t)
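Review bot: `allow logrotate_t dpkg_var_lib_t:file create_file_perms;` gives logrotate create, write and unlink on every file labelled dpkg_var_lib_t, which, if that type labels /var/lib/dpkg as its name suggests, includes the package database. If only one file there is rotated, a dedicated type for it, or at least a comment naming it (`# logrotate rotates <FILE-TO-CONFIRM> under /var/lib/dpkg`), would bound and explain the grant. The neighbouring `# for open office` line shows the file already comments such cross-domain rules.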
@@ -129,6 +132,7 @@
 domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
 role system_r types checkpolicy_t;
 allow checkpolicy_t initrc_t:fd use;
+allow checkpolicy_t initrc_t:fifo_file write;
 allow checkpolicy_t initrc_devpts_t:chr_file { read write };
 ')
 ifdef(`amavis.te', `
@@ -316,7 +320,7 @@
 allow apt_t usr_t:lnk_file read;
 
 # allow /var/cache/apt/archives to be owned by non-root
-allow apt_t self:capability { chown dac_override fsetid };
+allow apt_t self:capability { chown dac_override fowner fsetid };
 
 can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
 allow apt_t { bin_t sbin_t }:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/fingerd.te ./domains/program/unused/fingerd.te
--- /usr/src/se/policy/domains/program/unused/fingerd.te	2004-03-18 15:36:08.000000000 +1100
+++ ./domains/program/unused/fingerd.te	2004-08-15 14:06:58.000000000 +1000
@@ -21,6 +21,7 @@
 
 log_domain(fingerd)
 system_crond_entry(fingerd_exec_t, fingerd_t)
+ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
 
 allow fingerd_t fingerd_port_t:tcp_socket name_bind;
 ifdef(`inetd.te', `
diff -ru /usr/src/se/policy/domains/program/unused/hwclock.te ./domains/program/unused/hwclock.te
--- /usr/src/se/policy/domains/program/unused/hwclock.te	2004-03-18 15:36:08.000000000 +1100
+++ ./domains/program/unused/hwclock.te	2004-07-27 17:04:10.000000000 +1000
@@ -44,3 +44,6 @@
 ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
 
 read_locale(hwclock_t)
+
+# for when /usr is not mounted
+dontaudit hwclock_t file_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/inetd.te ./domains/program/unused/inetd.te
--- /usr/src/se/policy/domains/program/unused/inetd.te	2004-07-13 09:08:00.000000000 +1000
+++ ./domains/program/unused/inetd.te	2004-08-11 12:59:19.000000000 +1000
@@ -110,6 +110,7 @@
 allow inetd_child_t inetd_t:tcp_socket rw_stream_socket_perms;
 
 # for identd
+allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow inetd_child_t self:capability { setuid setgid };
 allow inetd_child_t home_root_t:dir { search };
 allow inetd_child_t self:dir { search };
diff -ru /usr/src/se/policy/domains/program/unused/lpd.te ./domains/program/unused/lpd.te
--- /usr/src/se/policy/domains/program/unused/lpd.te	2004-03-27 00:46:44.000000000 +1100
+++ ./domains/program/unused/lpd.te	2004-08-10 17:39:12.000000000 +1000
@@ -13,22 +13,23 @@
 # lpd_t is the domain of lpd.
 # lpd_exec_t is the type of the lpd executable.
 # printer_t is the type of the Unix domain socket created
-# by lpd.  printer_device_t is for /dev/lp0
+# by lpd.
 #
 type printer_port_t, port_type;
 daemon_domain(lpd)
 
 allow lpd_t lpd_var_run_t:sock_file create_file_perms;
 
+r_dir_file(lpd_t, fonts_t)
+
 type printer_t, file_type, sysadmfile;
-type printer_device_t, file_type, device_type;
 
 type printconf_t, file_type, sysadmfile;   # Type for files in /usr/share/printconf.
 
 tmp_domain(lpd);
 
 # for postscript include files
-allow lpd_t usr_t:file { getattr read };
+allow lpd_t usr_t:{ file lnk_file } { getattr read };
 
 # Allow checkpc to access the lpd spool so it can check & fix it.
 # This requires that /usr/sbin/checkpc have type checkpc_t.
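Review bot: Removing `type printer_device_t, file_type, device_type;` will break the policy build if any file_contexts entry or rule elsewhere still references the type, and the old comment says it labelled /dev/lp0, so an .fc entry is likely; the patch touches no .fc file. Confirm the references are gone or include their removal in the same patch. The block continues past the hunk.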
diff -ru /usr/src/se/policy/domains/program/unused/lvm.te ./domains/program/unused/lvm.te
--- /usr/src/se/policy/domains/program/unused/lvm.te	2004-08-15 15:45:15.000000000 +1000
+++ ./domains/program/unused/lvm.te	2004-08-15 00:16:59.000000000 +1000
@@ -26,6 +26,7 @@
 # but runs as the identity of the sysadmin
 daemon_base_domain(lvm, `, fs_domain, privowner')
 role sysadm_r types lvm_t;
+domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t)
 
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process { setsched };
@@ -42,6 +43,8 @@
 # Read /sys/block. Device mapper metadata is kept there.
 r_dir_file(lvm_t, sysfs_t) 
 
+allow lvm_t fs_t:filesystem getattr;
+
 # Read configuration files in /etc.
 allow lvm_t { etc_t etc_runtime_t }:file { getattr read };
 
@@ -67,7 +70,7 @@
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
 file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
 
-allow lvm_t lvm_metadata_t:dir r_dir_perms;
+allow lvm_t lvm_metadata_t:dir rw_dir_perms;
 
 # Inherit and use descriptors from init.
 allow lvm_t init_t:fd use;
@@ -96,23 +99,25 @@
 
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
 dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
+dontaudit lvm_t ttyfile:chr_file getattr;
 dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
 dontaudit lvm_t devpts_t:dir { getattr read };
 ifdef(`gpm.te', `
 dontaudit lvm_t gpmctl_t:sock_file getattr;
 ')
 dontaudit lvm_t initctl_t:fifo_file getattr;
+allow lvm_t sbin_t:dir search;
 dontaudit lvm_t sbin_t:file getattr;
 allow lvm_t lvm_control_t:chr_file rw_file_perms;
 allow initrc_t lvm_control_t:chr_file { getattr unlink };
 allow initrc_t device_t:chr_file create;
 dontaudit lvm_t var_run_t:dir getattr;
 
-allow lvm_t tmpfs_t:dir getattr;
-dontaudit lvm_t device_t:dir r_dir_perms;
+# for when /usr is not mounted
+dontaudit lvm_t file_t:dir search;
+
+allow lvm_t tmpfs_t:dir r_dir_perms;
 r_dir_file(lvm_t, selinux_config_t)
-allow lvm_t var_run_t:dir { search };
-ifdef(`cups.te', `
-dontaudit lvm_t ptal_var_run_t:dir { getattr };
-')
 
+# it has no reason to need this
+dontaudit lvm_t proc_kcore_t:file getattr;
diff -ru /usr/src/se/policy/domains/program/unused/mailman.te ./domains/program/unused/mailman.te
--- /usr/src/se/policy/domains/program/unused/mailman.te	2004-06-17 15:10:40.000000000 +1000
+++ ./domains/program/unused/mailman.te	2004-08-17 13:12:21.000000000 +1000
@@ -8,13 +8,11 @@
 
 type mailman_log_t, file_type, sysadmfile, logfile;
 type mailman_lock_t, file_type, sysadmfile, lockfile;
-role mailman_r types user_crond_t;
 
 define(`mailman_domain', `
 type mailman_$1_t, domain, privlog $2;
 type mailman_$1_exec_t, file_type, sysadmfile, exec_type;
 role system_r types mailman_$1_t;
-allow mailman_$1_t var_t:dir search;
 file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
 allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
 rw_dir_create_file(mailman_$1_t, mailman_data_t)
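Review bot: Dropping `role mailman_r types user_crond_t;` here and `role mailman_r types mailman_t;` in the hunk that starts at `system_crond_entry(mailman_queue_exec_t, mailman_queue_t)` leaves no role declaration for mailman_r in this file, so any users or rbac entry elsewhere that still names mailman_r will fail to compile. If the role is being retired, say so in the cover note and drop those references with it. The `mailman_domain` macro definition continues past the hunk.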
@@ -28,10 +26,11 @@
 allow mailman_$1_t etc_runtime_t:file { read getattr };
 read_locale(mailman_$1_t)
 file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
+allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
-allow mailman_$1_t var_t:dir { getattr search };
+allow mailman_$1_t var_t:dir r_dir_perms;
 ')
 
 mailman_domain(queue, `, auth_chkpwd')
@@ -41,6 +40,14 @@
 allow mailman_queue_t self:capability { setgid setuid };
 allow mailman_queue_t self:fifo_file rw_file_perms;
 dontaudit mailman_queue_t var_run_t:dir search;
+allow mailman_queue_t proc_t:lnk_file { getattr read };
+
+# for su
+dontaudit mailman_queue_t selinux_config_t:dir search;
+allow mailman_queue_t self:dir search;
+allow mailman_queue_t self:file { getattr read };
+allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
+allow mailman_queue_t self:lnk_file { getattr read };
 
 # some of the following could probably be changed to dontaudit, someone who
 # knows mailman well should test this out and send the changes
@@ -83,10 +90,6 @@
 allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 
 system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
-type mailman_t, domain;
-role mailman_r types mailman_t;
-allow mailman_t mailman_log_t:file { append getattr read };
-
 allow mailman_queue_t devtty_t:chr_file { read write };
 allow mailman_queue_t self:process { fork signal sigchld };
 
diff -ru /usr/src/se/policy/domains/program/unused/mrtg.te ./domains/program/unused/mrtg.te
--- /usr/src/se/policy/domains/program/unused/mrtg.te	2004-08-02 16:59:49.000000000 +1000
+++ ./domains/program/unused/mrtg.te	2004-08-03 13:07:52.000000000 +1000
@@ -20,7 +20,8 @@
 allow system_crond_t mrtg_log_t:file { create append getattr };
 ')
 
-allow mrtg_t usr_t:file { getattr read };
+allow mrtg_t usr_t:{ file lnk_file } { getattr read };
+dontaudit mrtg_t usr_t:file ioctl;
 
 logdir_domain(mrtg)
 etcdir_domain(mrtg)
diff -ru /usr/src/se/policy/domains/program/unused/mysqld.te ./domains/program/unused/mysqld.te
--- /usr/src/se/policy/domains/program/unused/mysqld.te	2004-08-02 16:59:49.000000000 +1000
+++ ./domains/program/unused/mysqld.te	2004-08-16 20:32:14.000000000 +1000
@@ -34,14 +34,14 @@
 
 allow initrc_t mysqld_log_t:file { write append setattr ioctl };
 
-allow mysqld_t self:capability { setgid setuid };
+allow mysqld_t self:capability { dac_override setgid setuid };
 allow mysqld_t self:process getsched;
 
 allow mysqld_t proc_t:file { getattr read };
 
 # Allow access to the mysqld databases
 create_dir_file(mysqld_t, mysqld_db_t)
-allow mysqld_t var_lib_t:dir search;
+allow mysqld_t var_lib_t:dir { getattr search };
 
 can_network(mysqld_t)
 
diff -ru /usr/src/se/policy/domains/program/unused/named.te ./domains/program/unused/named.te
--- /usr/src/se/policy/domains/program/unused/named.te	2004-08-15 15:45:15.000000000 +1000
+++ ./domains/program/unused/named.te	2004-08-14 17:00:44.000000000 +1000
@@ -30,12 +29,12 @@
 
 # A type for configuration files of named.
 type named_conf_t, file_type, sysadmfile;
-type rndc_conf_t, file_type, sysadmfile;
+typealias named_conf_t alias rndc_conf_t;
 
 # for primary zone files
 type named_zone_t, file_type, sysadmfile;
 
-# for named.ca root hints file
+# for secondary zone files
 type named_cache_t, file_type, sysadmfile;
 
 # Use capabilities. Surplus capabilities may be allowed.
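Review bot: `typealias named_conf_t alias rndc_conf_t;` folds the previously separate rndc configuration type into named_conf_t, so every domain allowed to read named_conf_t (none are visible in this hunk) can now read rndc.conf as well, which typically carries the control-channel key. If the merge is deliberate, a comment explaining why a separate type is no longer needed would help; otherwise the distinct type should stay. The header `@@ -30,12 +29,12 @@` also implies an earlier hunk in named.te that is not in the patch (rpm.te shows the same with `@@ -91,9 +90,9 @@`), so the diff may have been hand-trimmed and may not apply cleanly.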
diff -ru /usr/src/se/policy/domains/program/unused/nsd.te ./domains/program/unused/nsd.te
--- /usr/src/se/policy/domains/program/unused/nsd.te	2004-07-08 13:09:34.000000000 +1000
+++ ./domains/program/unused/nsd.te	2004-08-17 09:04:48.000000000 +1000
@@ -12,6 +12,9 @@
 
 daemon_domain(nsd)
 
+# a type for nsd.db
+type nsd_db_t, file_type, sysadmfile;
+
 # for zone update cron job
 type nsd_crond_t, domain, privlog;
 role system_r types nsd_crond_t;
@@ -21,6 +24,7 @@
 allow nsd_crond_t self:process { fork signal_perms };
 system_crond_entry(nsd_exec_t, nsd_crond_t)
 allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read };
+allow nsd_crond_t proc_t:lnk_file { getattr read };
 allow nsd_crond_t { bin_t sbin_t }:dir search;
 can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t })
 allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr;
@@ -28,14 +32,16 @@
 read_locale(nsd_crond_t)
 allow nsd_crond_t self:fifo_file rw_file_perms;
 # kill capability for root cron job and non-root daemon
-allow nsd_crond_t self:capability kill;
+allow nsd_crond_t self:capability { dac_override kill };
 allow nsd_crond_t nsd_t:process signal;
 dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr };
 dontaudit nsd_crond_t self:capability sys_nice;
 dontaudit nsd_crond_t domain:dir search;
 allow nsd_crond_t self:process { setsched };
+can_ps(nsd_crond_t, nsd_t)
 
 file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
+file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)
 allow nsd_crond_t var_lib_t:dir search;
 
 allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
@@ -66,7 +72,7 @@
 can_exec(nsd_t, { nsd_exec_t bin_t })
 
 # Use capabilities.  chown is for chowning /var/run/nsd.pid
-allow nsd_t self:capability { chown setuid setgid net_bind_service };
+allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service };
 
 allow nsd_t etc_t:{ file lnk_file } { getattr read };
 
diff -ru /usr/src/se/policy/domains/program/unused/ntpd.te ./domains/program/unused/ntpd.te
--- /usr/src/se/policy/domains/program/unused/ntpd.te	2004-08-06 19:08:12.000000000 +1000
+++ ./domains/program/unused/ntpd.te	2004-08-05 13:40:26.000000000 +1000
@@ -19,6 +19,9 @@
 allow ntpd_t ntp_drift_t:dir rw_dir_perms;
 allow ntpd_t ntp_drift_t:file create_file_perms;
 
+# for SSP
+allow ntpd_t urandom_device_t:chr_file read;
+
 allow ntpd_t self:capability { setgid setuid sys_time net_bind_service ipc_lock };
 allow ntpd_t self:process { setcap setsched };
 # ntpdate wants sys_nice
@@ -54,7 +57,7 @@
 allow ntpd_t sysctl_kernel_t:file read;
 allow ntpd_t proc_t:file r_file_perms;
 allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
-allow ntpd_t self:file read;
+allow ntpd_t self:file { getattr read };
 dontaudit ntpd_t domain:dir search;
 ')
 
diff -ru /usr/src/se/policy/domains/program/unused/portslave.te ./domains/program/unused/portslave.te
--- /usr/src/se/policy/domains/program/unused/portslave.te	2004-03-18 15:36:09.000000000 +1100
+++ ./domains/program/unused/portslave.te	2004-08-07 01:40:57.000000000 +1000
@@ -27,6 +27,9 @@
 read_locale(portslave_t)
 r_dir_file(portslave_t, portslave_etc_t)
 
+allow portslave_t pppd_etc_t:dir r_dir_perms;
+allow portslave_t pppd_etc_rw_t:file { getattr read };
+
 allow portslave_t proc_t:file { getattr read };
 
 allow portslave_t { var_t var_log_t devpts_t }:dir search;
@@ -43,8 +46,8 @@
 ')
 # for rlogin etc
 can_exec(portslave_t, { bin_t ssh_exec_t })
-# for rlogin
-allow portslave_t self:capability net_bind_service;
+# net_bind_service for rlogin
+allow portslave_t self:capability { net_bind_service sys_tty_config };
 # for ssh
 allow portslave_t urandom_device_t:chr_file read;
 ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
@@ -56,6 +59,9 @@
 # for ~/.ppprc - if it actually exists then you need some policy to read it
 allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
 
+# for ctlportslave
+dontaudit portslave_t self:capability sys_admin;
+
 file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
 can_exec(portslave_t, { etc_t shell_exec_t })
 
diff -ru /usr/src/se/policy/domains/program/unused/postfix.te ./domains/program/unused/postfix.te
--- /usr/src/se/policy/domains/program/unused/postfix.te	2004-06-30 13:03:15.000000000 +1000
+++ ./domains/program/unused/postfix.te	2004-08-04 15:38:54.000000000 +1000
@@ -42,8 +42,7 @@
 allow postfix_$1_t self:unix_stream_socket connectto;
 
 allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
-allow postfix_$1_t bin_t:lnk_file r_file_perms;
-allow postfix_$1_t usr_t:lnk_file r_file_perms;
+allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
 allow postfix_$1_t shell_exec_t:file rx_file_perms;
 allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
 allow postfix_$1_t postfix_exec_t:file rx_file_perms;
@@ -334,4 +333,7 @@
 dontaudit postfix_map_t proc_t:dir { getattr read search };
 dontaudit postfix_map_t local_login_t:fd { use };
 allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
-
+read_locale(postfix_map_t)
+allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+dontaudit postfix_map_t var_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/postgresql.te ./domains/program/unused/postgresql.te
--- /usr/src/se/policy/domains/program/unused/postgresql.te	2004-08-02 16:59:50.000000000 +1000
+++ ./domains/program/unused/postgresql.te	2004-07-08 17:43:23.000000000 +1000
@@ -24,8 +24,8 @@
 
 dontaudit postgresql_t sysadm_home_dir_t:dir search;
 
-# quiet ps
-dontaudit postgresql_t domain:dir getattr;
+# quiet ps and killall
+dontaudit postgresql_t domain:dir { getattr search };
 
 # for currect directory of scripts
 allow postgresql_t { var_spool_t cron_spool_t }:dir search;
@@ -56,8 +56,17 @@
 
 allow postgresql_t self:shm create_shm_perms;
 
+ifdef(`user_db_connect', `
 # allow any user domain to connect to the database server
 can_tcp_connect(userdomain, postgresql_t)
+allow userdomain postgresql_t:unix_stream_socket connectto;
+allow userdomain postgresql_var_run_t:sock_file write;
+')
+
+ifdef(`consoletype.te', `
+can_exec(postgresql_t, consoletype_exec_t)
+')
+
 allow postgresql_t postgresql_port_t:tcp_socket name_bind;
 
 allow postgresql_t { proc_t self }:file { getattr read };
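Review bot: The new ifdef guard on user_db_connect depends on a define that nothing in this patch declares; if it is absent from the tunables file the whole block is silently dropped, which is the safer default but should be documented. A comment above the guard, `# define user_db_connect in the tunables file to let user domains connect to the database server`, would make the switch discoverable.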
@@ -85,12 +94,9 @@
 
 can_exec(postgresql_t, { postgresql_exec_t bin_t sbin_t ls_exec_t su_exec_t shell_exec_t etc_t })
 allow postgresql_t { bin_t sbin_t }:dir search;
-allow postgresql_t bin_t:lnk_file read;
+allow postgresql_t { bin_t sbin_t }:lnk_file read;
 allow postgresql_t postgresql_exec_t:lnk_file read;
 
 allow postgresql_t self:sem create_sem_perms;
 
 allow postgresql_t initrc_var_run_t:file { getattr read lock };
-
-allow userdomain postgresql_t:unix_stream_socket connectto;
-allow userdomain postgresql_var_run_t:sock_file write;
diff -ru /usr/src/se/policy/domains/program/unused/pppd.te ./domains/program/unused/pppd.te
--- /usr/src/se/policy/domains/program/unused/pppd.te	2004-05-30 16:26:58.000000000 +1000
+++ ./domains/program/unused/pppd.te	2004-07-05 22:55:21.000000000 +1000
@@ -95,4 +95,3 @@
 
 file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
 tmp_domain(pppd)
-allow pppd_t var_run_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/qmail.te ./domains/program/unused/qmail.te
--- /usr/src/se/policy/domains/program/unused/qmail.te	2004-03-27 00:46:44.000000000 +1100
+++ ./domains/program/unused/qmail.te	2004-08-02 14:20:36.000000000 +1000
@@ -22,7 +22,7 @@
 daemon_sub_domain($1, $2, `$3')
 allow $2_t qmail_etc_t:dir { getattr search };
 allow $2_t qmail_etc_t:{ lnk_file file } { getattr read };
-allow $2_t var_spool_t:dir search;
+allow $2_t { var_t var_spool_t }:dir search;
 allow $2_t console_device_t:chr_file rw_file_perms;
 allow $2_t fs_t:filesystem getattr;
 ')
diff -ru /usr/src/se/policy/domains/program/unused/radius.te ./domains/program/unused/radius.te
--- /usr/src/se/policy/domains/program/unused/radius.te	2004-06-17 15:10:40.000000000 +1000
+++ ./domains/program/unused/radius.te	2004-08-03 12:21:33.000000000 +1000
@@ -59,6 +59,9 @@
 ifdef(`snmpd.te', `
 can_tcp_connect(radiusd_t, snmpd_t)
 ')
+ifdef(`logrotate.te', `
+can_exec(radiusd_t, logrotate_exec_t)
+')
 can_udp_send(sysadm_t, radiusd_t)
 can_udp_send(radiusd_t, sysadm_t)
 
diff -ru /usr/src/se/policy/domains/program/unused/rpcd.te ./domains/program/unused/rpcd.te
--- /usr/src/se/policy/domains/program/unused/rpcd.te	2004-08-02 16:59:50.000000000 +1000
+++ ./domains/program/unused/rpcd.te	2004-08-16 20:22:50.000000000 +1000
@@ -30,9 +30,9 @@
 #
 rpc_domain(rpcd)
 var_run_domain(rpcd)
-#can_udp_send({ init_t initrc_t }, rpcd_t)
-#can_udp_send(rpcd_t, { init_t initrc_t })
-#allow init_t rpcd_t:udp_socket write;
+
+# for rpc.rquotad
+allow rpcd_t sysctl_t:dir r_dir_perms;
 
 allow rpcd_t self:unix_dgram_socket create_socket_perms;
 allow rpcd_t self:unix_stream_socket create_socket_perms;
@@ -51,10 +51,12 @@
 allow rpcd_t rpcd_var_run_t:dir { setattr rw_dir_perms };
 r_dir_file(rpcd_t, var_yp_t);
 
-ifdef(`redhat', `
+ifdef(`redhat', `
 allow rpcd_t self:capability { chown dac_override setgid setuid };
 # for /etc/rc.d/init.d/nfs to create /etc/exports
 allow initrc_t exports_t:file rw_file_perms;
+', `
+allow initrc_t exports_t:file r_file_perms;
 ')
 
 allow rpcd_t self:file { getattr read };
@@ -66,10 +68,14 @@
 #can_udp_send(rpcd_t, kernel_t)
 
 rpc_domain(nfsd)
+domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
+role sysadm_r types nfsd_t;
+
 # for /proc/fs/nfs/exports - should we have a new type?
 allow nfsd_t proc_t:file r_file_perms;
 allow nfsd_t self:unix_dgram_socket create_socket_perms;
 allow nfsd_t self:unix_stream_socket create_stream_socket_perms;
+allow nfsd_t exports_t:file { getattr read };
 
 allow nfsd_t nfsd_fs_t:filesystem mount;
 allow nfsd_t nfsd_fs_t:dir search;
@@ -115,4 +121,3 @@
 # for exportfs and rpc.mountd
 allow nfsd_t tmp_t:dir getattr;
 r_dir_file(rpcd_t, rpc_pipefs_t)
-allow nfsd_t exports_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/rpm.te ./domains/program/unused/rpm.te
--- /usr/src/se/policy/domains/program/unused/rpm.te	2004-08-15 15:45:15.000000000 +1000
+++ ./domains/program/unused/rpm.te	2004-08-14 23:12:02.000000000 +1000
@@ -91,9 +90,9 @@
 general_domain_access(rpm_script_t)
 
 # read/write/create any files in the system
-allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file chr_file blk_file } { relabelfrom relabelto };
+allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
 allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file chr_file blk_file } create_file_perms;
+allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
 allow rpm_t sysfs_t:filesystem getattr;
 allow rpm_t tmpfs_t:filesystem getattr;
 dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
@@ -108,7 +107,7 @@
 can_getsecurity({ rpm_t rpm_script_t })
 dontaudit rpm_t shadow_t:file { getattr read };
 allow rpm_t urandom_device_t:chr_file read;
-allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms;
+allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
 allow rpm_script_t tty_device_t:chr_file getattr;
 allow rpm_script_t devpts_t:dir { search };
 allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
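Review bot: The changed line swaps the source domain from rpm_script_t to rpm_t, so package scripts lose `{ chr_file blk_file } create_file_perms` on `{ device_t device_type }` while rpm_t gains creation plus relabelfrom/relabelto. If post-install scripts that create device nodes are still expected to work, keep `allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms;` next to the new rpm_t rule; if the drop is intentional, a comment saying so would stop it being re-added.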
diff -ru /usr/src/se/policy/domains/program/unused/samba.te ./domains/program/unused/samba.te
--- /usr/src/se/policy/domains/program/unused/samba.te	2004-06-17 15:10:40.000000000 +1000
+++ ./domains/program/unused/samba.te	2004-08-11 12:15:00.000000000 +1000
@@ -71,6 +71,8 @@
 allow smbd_t var_log_t:dir search;
 allow smbd_t samba_log_t:dir ra_dir_perms;
 
+allow smbd_t usr_t:file { getattr read };
+
 # Access Samba shares.
 allow smbd_t samba_share_t:dir create_dir_perms;
 allow smbd_t samba_share_t:file create_file_perms;
@@ -105,6 +107,8 @@
 allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
 allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
 
+allow nmbd_t usr_t:file { getattr read };
+
 # Permissions to write log files.
 allow nmbd_t samba_log_t:file { create ra_file_perms };
 allow nmbd_t var_log_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/slapd.te ./domains/program/unused/slapd.te
--- /usr/src/se/policy/domains/program/unused/slapd.te	2004-06-17 15:10:40.000000000 +1000
+++ ./domains/program/unused/slapd.te	2004-07-08 23:43:44.000000000 +1000
@@ -33,7 +33,6 @@
 # Use capabilities  should not need kill...
 allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
 allow slapd_t self:process setsched;
-allow slapd_t staff_home_dir_t:dir { search };
 
 allow slapd_t proc_t:file r_file_perms;
 
diff -ru /usr/src/se/policy/domains/program/unused/spamd.te ./domains/program/unused/spamd.te
--- /usr/src/se/policy/domains/program/unused/spamd.te	2004-05-12 05:10:41.000000000 +1000
+++ ./domains/program/unused/spamd.te	2004-07-16 12:30:05.000000000 +1000
@@ -40,7 +40,7 @@
 allow spamd_t etc_mail_t:dir { getattr read search };
 allow spamd_t etc_mail_t:file { getattr ioctl read };
 ')
-allow spamd_t { etc_t etc_runtime_t }:file { getattr read };
+allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
 
 ifdef(`amavis.te', `
 # for bayes tokens
@@ -50,6 +50,7 @@
 
 allow spamd_t sysctl_kernel_t:file { getattr read };
 allow spamd_t usr_t:file { getattr ioctl read };
+allow spamd_t usr_t:lnk_file { getattr read };
 allow spamd_t urandom_device_t:chr_file { getattr read };
 
 system_crond_entry(spamd_exec_t, spamd_t)
diff -ru /usr/src/se/policy/domains/program/unused/squid.te ./domains/program/unused/squid.te
--- /usr/src/se/policy/domains/program/unused/squid.te	2004-07-08 13:09:34.000000000 +1000
+++ ./domains/program/unused/squid.te	2004-07-11 19:26:53.000000000 +1000
@@ -46,8 +46,7 @@
 
 # Grant permissions to create, access, and delete cache files.
 # No type transitions required, as the files inherit the parent directory type.
-allow squid_t squid_cache_t:dir create_dir_perms;
-allow squid_t squid_cache_t:{ file lnk_file } create_file_perms;
+create_dir_file(squid_t, squid_cache_t)
 ifdef(`logrotate.te',
 `domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
 ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
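Review bot: The expansion of `create_dir_file` is not visible in this patch, so it is worth confirming that `create_dir_file(squid_t, squid_cache_t)` grants exactly what the two removed rules did — `create_dir_perms` on `dir` and `create_file_perms` on both `file` and `lnk_file` — and nothing more. If the macro covers only `file`, symlink handling in the cache tree regresses; if it covers additional classes, the squid domain is widened silently. A comment such as `# create_dir_file must cover dir, file and lnk_file in the cache tree` would make the intent checkable by the next editor.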
diff -ru /usr/src/se/policy/domains/program/unused/sxid.te ./domains/program/unused/sxid.te
--- /usr/src/se/policy/domains/program/unused/sxid.te	2004-02-03 14:20:17.000000000 +1100
+++ ./domains/program/unused/sxid.te	2004-08-09 10:22:42.000000000 +1000
@@ -27,8 +27,9 @@
 
 log_domain(sxid)
 
-allow sxid_t file_type:dir_file_class_set getattr;
-allow sxid_t file_type:dir { read search };
+allow sxid_t file_type:notdevfile_class_set getattr;
+allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
+allow sxid_t file_type:dir { getattr read search };
 allow sxid_t sysadmfile:file read;
 allow sxid_t root_dir_type:dir { getattr read search };
 
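Review bot: The split into `allow sxid_t file_type:notdevfile_class_set getattr;` plus the `{ device_t device_type }:{ chr_file blk_file }` line narrows device-node stat access from every `file_type` to device-labelled types, which looks like a deliberate tightening, but nothing in the hunk says so. A comment like `# sxid stats every object it walks; device nodes are limited to device types so stray nodes in other contexts are denied` would stop a later editor from merging the rules back into one. One consequence to watch: `chr_file`/`blk_file` objects whose type is a `file_type` but not a `device_type` will now be denied rather than stat'ed, so that is where to look for new AVC denials when sxid scans /dev.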
@@ -37,7 +38,7 @@
 allow sxid_t self:fifo_file rw_file_perms;
 allow sxid_t self:unix_stream_socket create_socket_perms;
 
-allow sxid_t { proc_t self }:file { read getattr };
+allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
 allow sxid_t { sysctl_kernel_t sysctl_t }:dir search;
 allow sxid_t sysctl_kernel_t:file read;
 allow sxid_t devtty_t:chr_file rw_file_perms;
diff -ru /usr/src/se/policy/domains/program/unused/udev.te ./domains/program/unused/udev.te
--- /usr/src/se/policy/domains/program/unused/udev.te	2004-08-08 22:16:27.000000000 +1000
+++ ./domains/program/unused/udev.te	2004-08-17 10:55:18.000000000 +1000
@@ -32,10 +32,11 @@
 allow udev_t device_t:blk_file create_file_perms;
 allow udev_t device_t:chr_file create_file_perms;
 allow udev_t device_t:sock_file create_file_perms;
+allow udev_t device_t:lnk_file create_file_perms;
 allow udev_t etc_t:file { getattr read };
 allow udev_t { bin_t sbin_t }:dir r_dir_perms;
-allow udev_t { sbin_t bin_t }:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t } )
+allow udev_t { bin_t sbin_t }:lnk_file read;
+can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
 can_exec(udev_t, udev_exec_t)
 r_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
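Review bot: `can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )` lets the udev domain execute anything labelled `etc_t`, which in practice is most of /etc, although the patch already gives udev's helper scripts their own type (`/etc/dev.d(/.*)?` and `/etc/hotplug.d/default/udev.*` carry `udev_helper_exec_t` in the udev.fc hunk further down). If a particular /etc script triggered this, labelling it `udev_helper_exec_t` in udev.fc keeps the executable set narrow; otherwise at minimum a comment naming the script, e.g. `# etc_t exec is for /etc/<script-placeholder> — TODO give it a helper type`, should accompany the rule. The `allow udev_t device_t:lnk_file create_file_perms;` addition is in line with the existing blk/chr/sock rules above it.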
diff -ru /usr/src/se/policy/domains/program/unused/uml.te ./domains/program/unused/uml.te
--- /usr/src/se/policy/domains/program/unused/uml.te	2004-03-04 07:53:51.000000000 +1100
+++ ./domains/program/unused/uml.te	2004-08-16 20:11:41.000000000 +1000
@@ -10,4 +10,5 @@
 allow uml_switch_t self:unix_dgram_socket create_socket_perms;
 allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
 allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
+allow initrc_t uml_switch_var_run_t:sock_file setattr;
 rw_dir_create_file(initrc_t, uml_switch_var_run_t)
diff -ru /usr/src/se/policy/domains/program/unused/updfstab.te ./domains/program/unused/updfstab.te
--- /usr/src/se/policy/domains/program/unused/updfstab.te	2004-03-18 15:36:09.000000000 +1100
+++ ./domains/program/unused/updfstab.te	2004-08-17 13:10:58.000000000 +1000
@@ -3,7 +3,7 @@
 # Author:  Russell Coker <russell@coker.com.au>
 #
 
-daemon_base_domain(updfstab, `, fs_domain, etc_writer')
+daemon_base_domain(updfstab, `, fs_domain, etc_writer, dbus_client_domain')
 
 rw_dir_create_file(updfstab_t, etc_t)
 create_dir_file(updfstab_t, mnt_t)
@@ -37,6 +37,8 @@
 
 allow updfstab_t kernel_t:fd use;
 
+allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
+
 ifdef(`modutil.te', `
 dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
 can_exec(updfstab_t, insmod_exec_t)
diff -ru /usr/src/se/policy/domains/program/unused/zebra.te ./domains/program/unused/zebra.te
--- /usr/src/se/policy/domains/program/unused/zebra.te	2004-08-02 16:59:51.000000000 +1000
+++ ./domains/program/unused/zebra.te	2004-07-16 23:19:25.000000000 +1000
@@ -3,17 +3,17 @@
 # Author:  Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: zebra
 #
-
 type zebra_port_t, port_type;
+
 daemon_domain(zebra, `, sysctl_net_writer')
 type zebra_conf_t, file_type, sysadmfile;
 r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
 
 can_network(zebra_t)
 allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
-allow zebra_t zebra_port_t:tcp_socket name_bind;
 
-allow zebra_t self:capability { net_admin net_bind_service };
+allow zebra_t self:process setcap;
+allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
 file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
 
 logdir_domain(zebra)
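Review bot: The `+++` timestamp for zebra.te (2004-07-16) is older than the `---` baseline (2004-08-02), so this hunk was generated from a tree that predates the baseline and may be reverting changes that reached CVS in between; the same inversion appears on bootloader.fc, cups.fc, inetd.fc, types.fc, core_macros.te, gpg_macros.te and device.te, and the bootloader.fc and inetd.fc hunks consist mostly of removed lines, which is what an accidental revert looks like. Regenerating those hunks against a fresh checkout before merging would settle it. Separately, the new line `allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };` together with `setcap` adds privilege without explanation; if the reason is that zebra starts as root and then drops to its own uid while retaining network capabilities, a comment saying exactly that, e.g. `# setuid/setgid/setcap: zebra drops to its own uid but keeps net_* capabilities`, would document it.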
@@ -22,7 +22,11 @@
 type zebra_tmp_t, file_type, sysadmfile, tmpfile;
 file_type_auto_trans(zebra_t, tmp_t, zebra_tmp_t, sock_file)
 
-allow zebra_t self:unix_stream_socket create_stream_socket_perms;
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:rawip_socket create_socket_perms;
+allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
+allow zebra_t zebra_port_t:tcp_socket name_bind;
 
 allow zebra_t proc_t:file { getattr read };
 allow zebra_t { sysctl_t sysctl_net_t }:dir search;
diff -ru /usr/src/se/policy/file_contexts/program/amavis.fc ./file_contexts/program/amavis.fc
--- /usr/src/se/policy/file_contexts/program/amavis.fc	2004-06-17 15:10:42.000000000 +1000
+++ ./file_contexts/program/amavis.fc	2004-07-25 18:54:19.000000000 +1000
@@ -1,6 +1,6 @@
 # amavis
 /usr/sbin/amavisd.*		--	system_u:object_r:amavisd_exec_t
-/etc/amavisd.conf		--	system_u:object_r:amavisd_etc_t
-/var/log/amavisd.log 		--	system_u:object_r:amavisd_log_t
+/etc/amavisd\.conf		--	system_u:object_r:amavisd_etc_t
+/var/log/amavisd\.log 		--	system_u:object_r:amavisd_log_t
 /var/lib/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
 /var/run/amavis(/.*)?	 		system_u:object_r:amavisd_var_run_t
diff -ru /usr/src/se/policy/file_contexts/program/bootloader.fc ./file_contexts/program/bootloader.fc
--- /usr/src/se/policy/file_contexts/program/bootloader.fc	2004-07-15 10:22:53.000000000 +1000
+++ ./file_contexts/program/bootloader.fc	2004-07-07 21:11:42.000000000 +1000
@@ -10,4 +10,3 @@
 /sbin/ybin.*		--	system_u:object_r:bootloader_exec_t
 /etc/yaboot\.conf.*	--	system_u:object_r:bootloader_etc_t
 /boot/grub/menu.lst	--	system_u:object_r:boot_runtime_t
-/boot/grub/.*           --      system_u:object_r:boot_runtime_t
diff -ru /usr/src/se/policy/file_contexts/program/checkpolicy.fc ./file_contexts/program/checkpolicy.fc
--- /usr/src/se/policy/file_contexts/program/checkpolicy.fc	2004-06-17 15:10:42.000000000 +1000
+++ ./file_contexts/program/checkpolicy.fc	2004-07-13 13:51:11.000000000 +1000
@@ -1,3 +1,4 @@
 # checkpolicy
 /usr/bin/checkpolicy		--	system_u:object_r:checkpolicy_exec_t
+/etc/selinux/policy/policy.* -- system_u:object_r:policy_config_t
 /etc/selinux/.*/src/policy/policy.* -- system_u:object_r:policy_config_t	
diff -ru /usr/src/se/policy/file_contexts/program/clamav.fc ./file_contexts/program/clamav.fc
--- /usr/src/se/policy/file_contexts/program/clamav.fc	2004-06-17 15:10:42.000000000 +1000
+++ ./file_contexts/program/clamav.fc	2004-07-22 00:20:06.000000000 +1000
@@ -8,3 +8,5 @@
 /var/log/clamav-freshclam.log.* -- system_u:object_r:freshclam_log_t
 /var/run/clamd.ctl	-s	system_u:object_r:clamd_var_run_t
 /var/run/clamd.pid	--	system_u:object_r:clamd_var_run_t
+/var/log/clamav(/.*)?		system_u:object_r:freshclam_log_t
+/var/run/clamav(/.*)?		system_u:object_r:clamd_var_run_t
diff -ru /usr/src/se/policy/file_contexts/program/courier.fc ./file_contexts/program/courier.fc
--- /usr/src/se/policy/file_contexts/program/courier.fc	2004-07-13 09:08:03.000000000 +1000
+++ ./file_contexts/program/courier.fc	2004-08-11 15:27:04.000000000 +1000
@@ -9,6 +9,7 @@
 /usr/lib(64)?/courier/imapd		--	system_u:object_r:courier_pop_exec_t
 /usr/lib(64)?/courier/pop3d		--	system_u:object_r:courier_pop_exec_t
 /usr/lib(64)?/courier/sqwebmail/cleancache.pl -- system_u:object_r:sqwebmail_cron_exec_t
+/var/lib/courier(/.*)?			system_u:object_r:courier_var_lib_t
 /usr/bin/imapd			--	system_u:object_r:courier_pop_exec_t
 /usr/sbin/courierlogger		--	system_u:object_r:courier_exec_t
 /usr/sbin/courierldapaliasd	--	system_u:object_r:courier_exec_t
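Review bot: `courier_var_lib_t` is not declared in any hunk shown in this patch and courier.te is not among the changed files visible here, so unless that type already exists in CVS the policy build will fail on `+/var/lib/courier(/.*)? system_u:object_r:courier_var_lib_t`; confirm the declaration exists or include it. A smaller point of style: the new /var line sits between two `/usr/...` entries, whereas the other .fc hunks in this patch keep /var paths grouped together.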
diff -ru /usr/src/se/policy/file_contexts/program/cups.fc ./file_contexts/program/cups.fc
--- /usr/src/se/policy/file_contexts/program/cups.fc	2004-08-02 16:59:52.000000000 +1000
+++ ./file_contexts/program/cups.fc	2004-07-29 16:32:38.000000000 +1000
@@ -10,8 +10,8 @@
 /etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/certs		-d	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t
-/var/lib/cups/certs     -d      system_u:object_r:cupsd_rw_etc_t
-/var/lib/cups/certs/.*  --      system_u:object_r:cupsd_rw_etc_t
+/var/lib/cups/certs	-d	system_u:object_r:cupsd_rw_etc_t
+/var/lib/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/ppds.dat	--	system_u:object_r:cupsd_rw_etc_t
 /etc/cups/lpoptions.* 	--	system_u:object_r:cupsd_rw_etc_t
 /etc/printcap.* 	--	system_u:object_r:cupsd_rw_etc_t
diff -ru /usr/src/se/policy/file_contexts/program/dpkg.fc ./file_contexts/program/dpkg.fc
--- /usr/src/se/policy/file_contexts/program/dpkg.fc	2004-07-13 09:08:03.000000000 +1000
+++ ./file_contexts/program/dpkg.fc	2004-07-13 13:47:33.000000000 +1000
@@ -48,3 +48,4 @@
 /usr/share/reportbug/.*	--	system_u:object_r:bin_t
 /etc/network/ifstate.*	--	system_u:object_r:etc_runtime_t
 /usr/lib/gconf2/gconfd-2 --	system_u:object_r:bin_t
+/bin/mountpoint		--	system_u:object_r:fsadm_exec_t
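Review bot: Moving `/bin/mountpoint` from mount.fc (see that hunk below, which drops the `bin_t` entry unconditionally) into dpkg.fc and relabelling it `fsadm_exec_t` changes two things at once: the file is now labelled only on builds that include dpkg.fc, presumably Debian, and on those builds executing it can transition into the filesystem-admin domain wherever a `domain_auto_trans` to `fsadm_t` exists, which is a far more privileged context than a `bin_t` helper for what appears to be a query-only tool. If the relabel is needed because mount-related init scripts call it, a comment stating that, e.g. `# mountpoint runs as fsadm_t so init scripts can stat mount points it otherwise cannot reach`, would justify it; otherwise `bin_t` is the lower-privilege choice. Other distributions lose the label entirely once mount.fc no longer carries it.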
diff -ru /usr/src/se/policy/file_contexts/program/inetd.fc ./file_contexts/program/inetd.fc
--- /usr/src/se/policy/file_contexts/program/inetd.fc	2004-08-02 16:59:52.000000000 +1000
+++ ./file_contexts/program/inetd.fc	2004-07-21 16:59:37.000000000 +1000
@@ -4,14 +4,5 @@
 /usr/sbin/rlinetd	--	system_u:object_r:inetd_exec_t
 /usr/sbin/identd	--	system_u:object_r:inetd_child_exec_t
 /usr/sbin/in\..*d	--	system_u:object_r:inetd_child_exec_t
+/usr/sbin/stunnel	--	system_u:object_r:inetd_child_exec_t
 /var/log/(x)?inetd\.log	--	system_u:object_r:inetd_log_t
-ifdef(`redhat', `
-/usr/sbin/swat		--	system_u:object_r:inetd_child_exec_t
-/usr/sbin/in\.comsat	--	system_u:object_r:inetd_child_exec_t
-/usr/bin/fam		--	system_u:object_r:inetd_child_exec_t
-/usr/sbin/dbskkd-cdb	--	system_u:object_r:inetd_child_exec_t
-/usr/sbin/ipop2d	--	system_u:object_r:inetd_child_exec_t
-/usr/bin/ktalkd		--	system_u:object_r:inetd_child_exec_t
-/usr/sbin/ipop3d	--	system_u:object_r:inetd_child_exec_t
-/usr/bin/rsync		--	system_u:object_r:inetd_child_exec_t
-')
diff -ru /usr/src/se/policy/file_contexts/program/lpd.fc ./file_contexts/program/lpd.fc
--- /usr/src/se/policy/file_contexts/program/lpd.fc	2004-07-15 10:22:53.000000000 +1000
+++ ./file_contexts/program/lpd.fc	2004-08-10 22:12:59.000000000 +1000
@@ -1,13 +1,8 @@
 # lpd
 /dev/printer		-s	system_u:object_r:printer_t
-/dev/lp.*		-c	system_u:object_r:printer_device_t
-/dev/par.*		-c	system_u:object_r:printer_device_t
-/dev/usb/lp.*		-c	system_u:object_r:printer_device_t
-/dev/usblp.*		-c	system_u:object_r:printer_device_t
 /usr/sbin/lpd		--	system_u:object_r:lpd_exec_t
 /usr/sbin/checkpc	--	system_u:object_r:checkpc_exec_t
 /var/spool/lpd(/.*)?		system_u:object_r:print_spool_t
 /usr/share/printconf/.* --	system_u:object_r:printconf_t
 /usr/share/printconf/util/print\.py -- system_u:object_r:bin_t
 /var/run/lprng(/.*)?		system_u:object_r:lpd_var_run_t
-/var/run/lpd.*                 system_u:object_r:lpd_var_run_t
diff -ru /usr/src/se/policy/file_contexts/program/lvm.fc ./file_contexts/program/lvm.fc
--- /usr/src/se/policy/file_contexts/program/lvm.fc	2004-07-13 09:08:04.000000000 +1000
+++ ./file_contexts/program/lvm.fc	2004-08-10 21:58:29.000000000 +1000
@@ -54,7 +54,12 @@
 /sbin/vgscan.static	--	system_u:object_r:lvm_exec_t
 /sbin/vgsplit		--	system_u:object_r:lvm_exec_t
 /sbin/vgwrapper		--	system_u:object_r:lvm_exec_t
+ifdef(`redhat', `
 /usr/bin/cryptsetup	--	system_u:object_r:lvm_exec_t
+')
+ifdef(`debian', `
+/sbin/cryptsetup	--	system_u:object_r:lvm_exec_t
+')
 /sbin/dmsetup      --      system_u:object_r:lvm_exec_t
 /sbin/dmsetup.static --    system_u:object_r:lvm_exec_t
 /sbin/lvm          --      system_u:object_r:lvm_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/mailman.fc ./file_contexts/program/mailman.fc
--- /usr/src/se/policy/file_contexts/program/mailman.fc	2004-06-17 15:10:43.000000000 +1000
+++ ./file_contexts/program/mailman.fc	2004-08-16 20:01:32.000000000 +1000
@@ -1,19 +1,27 @@
 # mailman list server
-/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
 /var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t
-/usr/lib/mailman/cron/qrunner -- system_u:object_r:mailman_queue_exec_t
-/var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
-/var/lib/mailman/cron	-- system_u:object_r:bin_t
+ifdef(`debian', `
+/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
+/usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
 /usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
+/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
+/usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
+/var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
 /etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t
 /etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t
+')
+ifdef(`redhat', `
+/var/mailman/cgi-bin/.*		-- system_u:object_r:mailman_cgi_exec_t
 /var/mailman/data(/.*)?		   system_u:object_r:mailman_data_t
+/var/mailman/pythonlib(/.*)?	   system_u:object_r:mailman_data_t
+/var/mailman/Mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
-/var/mailman/cron		-- system_u:object_r:bin_t
-/usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
+/var/mailman/cron		-d system_u:object_r:bin_t
+/var/mailman/cron/.+		-- system_u:object_r:mailman_queue_exec_t
 /var/mailman/archives(/.*)?	   system_u:object_r:mailman_archive_t
 /var/mailman/scripts/mailman 	-- system_u:object_r:mailman_mail_exec_t
 /var/mailman/bin/qrunner     	-- system_u:object_r:mailman_queue_exec_t
 /var/mailman/cgi-bin/.* 	-- system_u:object_r:mailman_cgi_exec_t
 /var/mailman/mail/mailman 	-- system_u:object_r:mailman_mail_exec_t
+')
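Review bot: Inside the `ifdef(`redhat'` block the added line `+/var/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t` duplicates the retained context line `/var/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t` a few lines further down; one of the two should go. The Debian block now relies on `/usr/lib/mailman/cron/.*` getting `mailman_queue_exec_t`, which matches the Red Hat `/var/mailman/cron/.+` entry, but `/var/mailman/bin/qrunner` and `/var/mailman/scripts/mailman` remain only in the redhat block; if those paths exist on Debian installs they would now be unlabelled, so worth a quick check.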
diff -ru /usr/src/se/policy/file_contexts/program/mount.fc ./file_contexts/program/mount.fc
--- /usr/src/se/policy/file_contexts/program/mount.fc	2004-03-27 00:46:44.000000000 +1100
+++ ./file_contexts/program/mount.fc	2004-07-13 13:50:26.000000000 +1000
@@ -1,4 +1,3 @@
 # mount
 /bin/mount.*			--	system_u:object_r:mount_exec_t
-/bin/mountpoint			--	system_u:object_r:bin_t
 /bin/umount.*			--	system_u:object_r:mount_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/mysqld.fc ./file_contexts/program/mysqld.fc
--- /usr/src/se/policy/file_contexts/program/mysqld.fc	2004-07-13 09:08:05.000000000 +1000
+++ ./file_contexts/program/mysqld.fc	2004-08-16 20:13:46.000000000 +1000
@@ -7,3 +7,6 @@
 /var/lib/mysql/mysql.sock -s	system_u:object_r:mysqld_var_run_t
 /etc/my\.cnf		--	system_u:object_r:mysqld_etc_t
 /etc/mysql(/.*)?		system_u:object_r:mysqld_etc_t
+ifdef(`debian', `
+/etc/mysql/debian-start	--	system_u:object_r:bin_t
+')
diff -ru /usr/src/se/policy/file_contexts/program/nsd.fc ./file_contexts/program/nsd.fc
--- /usr/src/se/policy/file_contexts/program/nsd.fc	2004-06-17 15:10:43.000000000 +1000
+++ ./file_contexts/program/nsd.fc	2004-08-17 08:42:12.000000000 +1000
@@ -2,8 +2,9 @@
 /etc/nsd(/.*)?       		system_u:object_r:nsd_conf_t
 /etc/nsd/primary(/.*)?		system_u:object_r:nsd_zone_t
 /etc/nsd/secondary(/.*)?	system_u:object_r:nsd_zone_t
-/etc/nsd/nsd.db		--	system_u:object_r:nsd_zone_t
+/etc/nsd/nsd.db		--	system_u:object_r:nsd_db_t
 /var/lib/nsd(/.*)?		system_u:object_r:nsd_zone_t
+/var/lib/nsd/nsd.db	--	system_u:object_r:nsd_db_t
 /usr/sbin/nsd      	--	system_u:object_r:nsd_exec_t
 /usr/sbin/nsdc      	--	system_u:object_r:nsd_exec_t
 /usr/sbin/nsd-notify	--	system_u:object_r:nsd_exec_t
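Review bot: The new line `+/var/lib/nsd/nsd.db -- system_u:object_r:nsd_db_t` (and the retyped `/etc/nsd/nsd.db` above it) leaves the `.` unescaped in what is a regular expression, the very thing the amavis.fc hunk in this same patch fixes for its own entries; write `/var/lib/nsd/nsd\.db` and `/etc/nsd/nsd\.db`. The zebra.fc hunk has the same issue with `/var/run/.zserv` and `/var/run/.zebra`, which should be `/var/run/\.zserv` and `/var/run/\.zebra`. Also `nsd_db_t` is not declared in any hunk visible here; confirm nsd.te declares it, otherwise the build fails on these lines.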
diff -ru /usr/src/se/policy/file_contexts/program/restorecon.fc ./file_contexts/program/restorecon.fc
--- /usr/src/se/policy/file_contexts/program/restorecon.fc	2004-06-17 15:10:43.000000000 +1000
+++ ./file_contexts/program/restorecon.fc	2004-07-05 23:13:43.000000000 +1000
@@ -1,3 +1,2 @@
 # restorecon
-/usr/sbin/restorecon	--	system_u:object_r:restorecon_exec_t
 /sbin/restorecon	--	system_u:object_r:restorecon_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/udev.fc ./file_contexts/program/udev.fc
--- /usr/src/se/policy/file_contexts/program/udev.fc	2004-08-02 16:59:52.000000000 +1000
+++ ./file_contexts/program/udev.fc	2004-08-17 13:24:19.000000000 +1000
@@ -2,6 +2,8 @@
 /sbin/udevsend	--	system_u:object_r:udev_exec_t
 /sbin/udev	--	system_u:object_r:udev_exec_t
 /sbin/udevd	--	system_u:object_r:udev_exec_t
+/usr/bin/udevinfo --	system_u:object_r:udev_exec_t
 /etc/dev.d(/.*)? 	system_u:object_r:udev_helper_exec_t
 /etc/hotplug.d/default/udev.* system_u:object_r:udev_helper_exec_t
-/dev/\.udev\.tdb	--	system_u:object_r:udev_tbl_t
+/dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
+/dev/\.udev\.tdb --	system_u:object_r:udev_tbl_t
diff -ru /usr/src/se/policy/file_contexts/program/updfstab.fc ./file_contexts/program/updfstab.fc
--- /usr/src/se/policy/file_contexts/program/updfstab.fc	2004-01-24 12:15:54.000000000 +1100
+++ ./file_contexts/program/updfstab.fc	2004-08-17 12:42:44.000000000 +1000
@@ -1,2 +1,3 @@
 # updfstab
 /usr/sbin/updfstab	--	system_u:object_r:updfstab_exec_t
+/usr/sbin/fstab-sync	--	system_u:object_r:updfstab_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/webalizer.fc ./file_contexts/program/webalizer.fc
--- /usr/src/se/policy/file_contexts/program/webalizer.fc	2004-08-06 22:23:52.000000000 +1000
+++ ./file_contexts/program/webalizer.fc	2004-08-09 20:05:55.000000000 +1000
@@ -0,0 +1 @@
+#
diff -ru /usr/src/se/policy/file_contexts/program/zebra.fc ./file_contexts/program/zebra.fc
--- /usr/src/se/policy/file_contexts/program/zebra.fc	2004-02-03 03:58:19.000000000 +1100
+++ ./file_contexts/program/zebra.fc	2004-08-08 14:44:35.000000000 +1000
@@ -3,3 +3,5 @@
 /usr/sbin/bgpd		--	system_u:object_r:zebra_exec_t
 /var/log/zebra(/.*)?		system_u:object_r:zebra_log_t
 /etc/zebra(/.*)?		system_u:object_r:zebra_conf_t
+/var/run/.zserv		-s	system_u:object_r:zebra_var_run_t
+/var/run/.zebra		-s	system_u:object_r:zebra_var_run_t
diff -ru /usr/src/se/policy/file_contexts/types.fc ./file_contexts/types.fc
--- /usr/src/se/policy/file_contexts/types.fc	2004-08-15 15:45:16.000000000 +1000
+++ ./file_contexts/types.fc	2004-08-10 17:40:15.000000000 +1000
@@ -136,6 +136,10 @@
 /u?dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
 /u?dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
 /u?dev/tty		-c	system_u:object_r:devtty_t
+/dev/lp.*		-c	system_u:object_r:printer_device_t
+/dev/par.*		-c	system_u:object_r:printer_device_t
+/dev/usb/lp.*		-c	system_u:object_r:printer_device_t
+/dev/usblp.*		-c	system_u:object_r:printer_device_t
 /u?dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t
 /u?dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t
 /u?dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t
diff -ru /usr/src/se/policy/macros/core_macros.te ./macros/core_macros.te
--- /usr/src/se/policy/macros/core_macros.te	2004-08-15 15:45:18.000000000 +1000
+++ ./macros/core_macros.te	2004-08-10 13:37:44.000000000 +1000
@@ -156,14 +156,14 @@
 define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
 
 #
-# Permissions for using netlink sockets for operations that modify state.
+# Permissions for using netlink sockets for operations that modify state.
 # 
-define(`rw_netlink_socket_perms', `{ rw_socket_perms nlmsg_read nlmsg_write }')
+define(`rw_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read nlmsg_write }')
 
 #
-# Permissions for using netlink sockets for operations that observe state.
+# Permissions for using netlink sockets for operations that observe state.
 # 
-define(`r_netlink_socket_perms', `{ rw_socket_perms nlmsg_read }')
+define(`r_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read }')
 
 #
 # Permissions for sending all signals.
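Review bot: Adding `create` to `rw_netlink_socket_perms` and `r_netlink_socket_perms` widens every domain that uses these macros, not only the hald and zebra domains this patch is about, yet the comments above each `define` still describe them as permissions for "using" netlink sockets; update them to `# Permissions for creating and using netlink sockets for operations that modify state.` and the observe-state twin. With `create` in both, the distinction from the existing `create_netlink_socket_perms` becomes subtle, so one sentence in the header saying which macro new policy should prefer would help. The two comment lines in this hunk appear to change only in trailing whitespace and could be dropped from the patch to keep the diff readable.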
diff -ru /usr/src/se/policy/macros/program/clamav_macros.te ./macros/program/clamav_macros.te
--- /usr/src/se/policy/macros/program/clamav_macros.te	2004-02-03 14:20:17.000000000 +1100
+++ ./macros/program/clamav_macros.te	2004-08-02 01:53:47.000000000 +1000
@@ -10,6 +10,7 @@
 # Define a domain that can access clamd
 #
 define(`can_clamd_connect',`
+allow $1_t clamd_var_run_t:dir search;
 allow $1_t clamd_var_run_t:sock_file { write };
 can_unix_connect($1_t, clamd_t)
 ')
diff -ru /usr/src/se/policy/macros/program/crond_macros.te ./macros/program/crond_macros.te
--- /usr/src/se/policy/macros/program/crond_macros.te	2004-06-17 15:10:45.000000000 +1000
+++ ./macros/program/crond_macros.te	2004-08-02 16:17:02.000000000 +1000
@@ -109,6 +109,8 @@
 dontaudit $1_crond_t boot_t:dir search;
 # quiet other ps operations
 dontaudit $1_crond_t domain:dir { getattr search };
+# for nscd
+dontaudit $1_crond_t var_run_t:dir search;
 ')
 
 # When system_crond_t domain executes a type $1 executable then transition to
diff -ru /usr/src/se/policy/macros/program/gpg_macros.te ./macros/program/gpg_macros.te
--- /usr/src/se/policy/macros/program/gpg_macros.te	2004-08-02 16:59:54.000000000 +1000
+++ ./macros/program/gpg_macros.te	2004-08-01 17:50:06.000000000 +1000
@@ -52,15 +52,13 @@
 allow $1_gpg_t devpts_t:dir search;
 allow $1_gpg_t { $1_devpts_t $1_tty_device_t }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
-allow $1_gpg_t privfd:fd use;
 
 # Inherit and use descriptors
-allow $1_gpg_t $1_t:fd use;
-allow $1_gpg_t $1_t:process sigchld;
+allow $1_gpg_t { privfd $1_t }:fd use;
 allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
 
-# for ulimit -c 0
-allow $1_gpg_t self:process setrlimit;
+# setrlimit is for ulimit -c 0
+allow $1_gpg_t self:process { setrlimit setcap };
 
 # allow ps to show gpg
 can_ps($1_t, $1_gpg_t)
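Review bot: The removed line `-allow $1_gpg_t $1_t:process sigchld;` has no replacement in the hunk — the consolidation only folds the two `fd use` rules into `allow $1_gpg_t { privfd $1_t }:fd use;` — so the gpg child can no longer deliver SIGCHLD to the parent domain unless that is granted elsewhere in the macro, which is not visible here. If the drop is deliberate, a note such as `# sigchld to $1_t is granted by the generic user macros` would prevent it being read as an accidental loss; otherwise restore the line. The `setcap` addition would also benefit from a reason next to the existing `# setrlimit is for ulimit -c 0` comment.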
diff -ru /usr/src/se/policy/net_contexts ./net_contexts
--- /usr/src/se/policy/net_contexts	2004-08-02 16:59:45.000000000 +1000
+++ ./net_contexts	2004-08-06 22:52:57.000000000 +1000
@@ -195,6 +195,7 @@
 portcon tcp 10082 system_u:object_r:amandaidx_port_t
 portcon tcp 10083 system_u:object_r:amidxtape_port_t
 ')
+ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t')
 
 # Network interfaces (default = initial SID "netif" and "netmsg")
 #
diff -ru /usr/src/se/policy/serviceusers ./serviceusers
--- /usr/src/se/policy/serviceusers	2004-04-16 00:59:52.000000000 +1000
+++ ./serviceusers	2004-07-05 23:41:30.000000000 +1000
@@ -2,5 +2,5 @@
 user cyrus roles cyrus_r;
 ')
 ifdef(`mailman.te', `
-user mailman roles mailman_r;
+#user mailman roles mailman_r;
 ')
diff -ru /usr/src/se/policy/types/device.te ./types/device.te
--- /usr/src/se/policy/types/device.te	2004-08-15 15:45:19.000000000 +1000
+++ ./types/device.te	2004-08-10 17:38:53.000000000 +1000
@@ -60,6 +60,11 @@
 type usbtty_device_t, serial_device, device_type;
 
 #
+# printer_device_t is the type for printer devices
+#
+type printer_device_t, file_type, device_type;
+
+#
 # fixed_disk_device_t is the type of 
 # /dev/hd* and /dev/sd*.
 #


* Re: hald
  2004-08-17  4:21 hald Russell Coker
@ 2004-08-17 20:49 ` Luke Kenneth Casson Leighton
  2004-08-17 22:13   ` hald Erich Schubert
  0 siblings, 1 reply; 5+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-17 20:49 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux

On Tue, Aug 17, 2004 at 02:21:07PM +1000, Russell Coker wrote:
> hald is a daemon that manages hardware via dbus, which is now a
> mandatory feature of the latest rawhide.
 
 ah.

 is this better than the hotplug+udev mess?

 l.




* Re: hald
  2004-08-17 20:49 ` hald Luke Kenneth Casson Leighton
@ 2004-08-17 22:13   ` Erich Schubert
  0 siblings, 0 replies; 5+ messages in thread
From: Erich Schubert @ 2004-08-17 22:13 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: Russell Coker, selinux

Hi,

>  is this better than the hotplug+udev mess?

No, you usually use udev+hotplug+hal+dbus+gnome
They play together quite nicely: when you plugin a digital camera the
notification goes all the way up to the gnome-volume-manager which
mounts the drive and asks whether you want to download the images from
the camera.
Dbus is the notification bus. Hal is the hardware layer, feeding this
information into dbus IIRC.

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
          There are only 10 types of people in the world:           //\
          Those who understand binary and those who don't           V_/_
      Computer rechnen vor allem damit, daß der Mensch denkt.





* hald
@ 2004-08-25  4:18 Russell Coker
  2004-08-25  5:38 ` hald Russell Coker
  0 siblings, 1 reply; 5+ messages in thread
From: Russell Coker @ 2004-08-25  4:18 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 347 bytes --]

Attached is a patch to make the hald from rawhide work; it is against the
latest CVS policy.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: hald.diff --]
[-- Type: text/x-diff, Size: 1461 bytes --]

--- /usr/src/se/policy/domains/program/unused/hald.te	2004-08-25 13:21:22.000000000 +1000
+++ domains/program/unused/hald.te	2004-08-23 20:35:07.000000000 +1000
@@ -10,14 +10,15 @@
 #
 # hald_exec_t is the type of the hald executable.
 #
-daemon_domain(hald, `, dbus_client_domain')
+daemon_domain(hald, `, dbus_client_domain, fs_domain')
 
-allow hald_t etc_t:file { getattr read };
-allow hald_t self:{ unix_dgram_socket unix_stream_socket } create_stream_socket_perms;
+allow hald_t { etc_t etc_runtime_t }:file { getattr read };
+allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_dgram_socket create_socket_perms;
 
 allow hald_t dbusd_t:dbus { acquire_svc };
 
-allow hald_t self:file { getattr read };
+allow hald_t { self proc_t }:file { getattr read };
 
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t hald_t:fifo_file rw_file_perms;
@@ -28,8 +29,14 @@
 allow hald_t self:capability { net_admin sys_admin };
 can_network(hald_t)
 
+allow hald_t fixed_disk_device_t:blk_file { getattr read };
+allow hald_t event_device_t:chr_file { getattr read };
+
 ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
-ifdef(`udev.te', `domain_auto_trans(hald_t, udev_exec_t, udev_t)')
+ifdef(`udev.te', `
+domain_auto_trans(hald_t, udev_exec_t, udev_t)
+allow udev_t hald_t:unix_dgram_socket sendto;
+')
 
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
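Review bot: `+allow hald_t fixed_disk_device_t:blk_file { getattr read };` gives hald raw read access to every fixed disk, so it can read any filesystem's contents irrespective of the labels on the files in it; the revised attachment in the follow-up message adds `ioctl` on top. If hal only needs to probe partition tables or volume labels this is still the finest grain the type system offers, but the grant should be recorded so it is revisited once the hald/udev split settles, e.g. `# raw disk read: hal probes partition tables/volume labels directly from the device`. The `allow udev_t hald_t:unix_dgram_socket sendto;` line inside the `ifdef(`udev.te'` block reads as a one-way notification path and is fine; the remainder of hald.te continues outside the hunk.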


* Re: hald
  2004-08-25  4:18 hald Russell Coker
@ 2004-08-25  5:38 ` Russell Coker
  0 siblings, 0 replies; 5+ messages in thread
From: Russell Coker @ 2004-08-25  5:38 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 834 bytes --]

On Wed, 25 Aug 2004 14:18, Russell Coker <russell@coker.com.au> wrote:
> Attached is a patch to make the hald from rawhide work, it's against the
> latest CVS policy.

I've attached a new version, the only difference is that ioctl access is now 
granted to fixed_disk_device_t.  Yesterday a new version of hal appeared 
which now requires ioctl access...

hal seems to be still changing rapidly, so I expect that I'll be sending many 
more patches in.  However I think it's important to get these changes into 
the CVS so more people can test it while the changes are being made.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: hald.diff --]
[-- Type: text/x-diff, Size: 1467 bytes --]

--- /usr/src/se/policy/domains/program/unused/hald.te	2004-08-25 13:21:22.000000000 +1000
+++ domains/program/unused/hald.te	2004-08-23 20:35:07.000000000 +1000
@@ -10,14 +10,15 @@
 #
 # hald_exec_t is the type of the hald executable.
 #
-daemon_domain(hald, `, dbus_client_domain')
+daemon_domain(hald, `, dbus_client_domain, fs_domain')
 
-allow hald_t etc_t:file { getattr read };
-allow hald_t self:{ unix_dgram_socket unix_stream_socket } create_stream_socket_perms;
+allow hald_t { etc_t etc_runtime_t }:file { getattr read };
+allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_dgram_socket create_socket_perms;
 
 allow hald_t dbusd_t:dbus { acquire_svc };
 
-allow hald_t self:file { getattr read };
+allow hald_t { self proc_t }:file { getattr read };
 
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t hald_t:fifo_file rw_file_perms;
@@ -28,8 +29,14 @@
 allow hald_t self:capability { net_admin sys_admin };
 can_network(hald_t)
 
+allow hald_t fixed_disk_device_t:blk_file { getattr read ioctl };
+allow hald_t event_device_t:chr_file { getattr read };
+
 ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
-ifdef(`udev.te', `domain_auto_trans(hald_t, udev_exec_t, udev_t)')
+ifdef(`udev.te', `
+domain_auto_trans(hald_t, udev_exec_t, udev_t)
+allow udev_t hald_t:unix_dgram_socket sendto;
+')
 
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };

