cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Thomas Bleher]

[-- Attachment #1: Type: text/plain, Size: 916 bytes --]

cdrecord deadlocks linux 2.6.8.1:

I have just written selinux policy for cdrecord. While writing this 
policy cdrecord constantly locked up the computer (even in permissive
mode). When booting with selinux=0 the problem went away.

After digging around for a while, the following seems to be happening:
* cdrecord calls sched_setscheduler()
* setscheduler (in kernel/sched.c) asks for CAP_SYS_NICE
* cdrecord doesn't have this capability
* selinux generates an audit message ==> deadlock

When I grant cdrecord CAP_SYS_NICE everything works fine.
I think SELinux shouldn't generate a log message in this case; like it
is already suppressed for setsched.

To test, add the attached policy, remove sys_nice from the allowed caps
and simply call cdrecord without parameters.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #2: cdrecord.patch --]
[-- Type: text/plain, Size: 3021 bytes --]

diff -urN orig/domains/program/unused/cdrecord.te mod/domains/program/unused/cdrecord.te
--- orig/domains/program/unused/cdrecord.te	1970-01-01 01:00:00.000000000 +0100
+++ mod/domains/program/unused/cdrecord.te	2004-10-18 14:32:37.237650320 +0200
@@ -0,0 +1,9 @@
+# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+
+# Type for the cdrecord excutable.
+type cdrecord_exec_t, file_type, sysadmfile, exec_type;
+
+# everything else is in the cdrecord_domain macros in
+# macros/program/cdrecord_macros.te.
diff -urN orig/file_contexts/program/cdrecord.fc mod/file_contexts/program/cdrecord.fc
--- orig/file_contexts/program/cdrecord.fc	1970-01-01 01:00:00.000000000 +0100
+++ mod/file_contexts/program/cdrecord.fc	2004-10-18 14:32:49.467791056 +0200
@@ -0,0 +1,2 @@
+# cdrecord
+/usr/bin/cdrecord	--	system_u:object_r:cdrecord_exec_t
diff -urN orig/macros/base_user_macros.te mod/macros/base_user_macros.te
--- orig/macros/base_user_macros.te	2004-10-14 12:42:18.000000000 +0200
+++ mod/macros/base_user_macros.te	2004-10-18 14:33:47.317996488 +0200
@@ -167,6 +167,7 @@
 ifdef(`irc.te', `irc_domain($1)')
 ifdef(`using_spamassassin', `spamassassin_domain($1)')
 ifdef(`uml.te', `uml_domain($1)')
+ifdef(`cdrecord.te', `cdrecord_domain($1)')
 
 # Instantiate a derived domain for user cron jobs.
 ifdef(`crond.te', `crond_domain($1)')
diff -urN orig/macros/program/cdrecord_macros.te mod/macros/program/cdrecord_macros.te
--- orig/macros/program/cdrecord_macros.te	1970-01-01 01:00:00.000000000 +0100
+++ mod/macros/program/cdrecord_macros.te	2004-10-18 14:33:00.562104464 +0200
@@ -0,0 +1,42 @@
+# macros for the cdrecord domain
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+
+define(`cdrecord_domain', `
+type $1_cdrecord_t, domain;
+
+domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_cdrecord_t;
+
+uses_shlib($1_cdrecord_t)
+
+# allow ps to show cdrecord and allow the user to kill it 
+can_ps($1_t, $1_cdrecord_t)
+allow $1_t $1_cdrecord_t:process signal;
+
+# write to the user domain tty.
+allow $1_cdrecord_t $1_tty_device_t:chr_file rw_file_perms;
+allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+allow $1_cdrecord_t privfd:fd use;
+
+allow $1_cdrecord_t home_root_t:dir { search };
+
+# allow cdrecord to read user files
+r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t })
+ifdef(`nfs_home_dirs', `
+r_dir_file($1_cdrecord_t, nfs_t)
+')dnl end if nfs_home_dirs
+
+# allow searching for cdrom-drive
+allow $1_cdrecord_t device_t:dir { getattr search };
+allow $1_cdrecord_t device_t:lnk_file { getattr read };
+
+# allow cdrecord to write the CD
+allow $1_cdrecord_t removable_device_t:blk_file { getattr ioctl read };
+allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
+
+allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid };
+allow $1_cdrecord_t self:process { getsched setsched };
+
+')

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Mon, 2004-10-18 at 08:43, Thomas Bleher wrote:
> cdrecord deadlocks linux 2.6.8.1:
> 
> I have just written selinux policy for cdrecord. While writing this 
> policy cdrecord constantly locked up the computer (even in permissive
> mode). When booting with selinux=0 the problem went away.
> 
> After digging around for a while, the following seems to be happening:
> * cdrecord calls sched_setscheduler()
> * setscheduler (in kernel/sched.c) asks for CAP_SYS_NICE
> * cdrecord doesn't have this capability
> * selinux generates an audit message ==> deadlock
> 
> When I grant cdrecord CAP_SYS_NICE everything works fine.
> I think SELinux shouldn't generate a log message in this case; like it
> is already suppressed for setsched.
> 
> To test, add the attached policy, remove sys_nice from the allowed caps
> and simply call cdrecord without parameters.

Suppressing auditing entirely is undesirable as it makes policy
debugging very difficult.  I think we need to either:
a) Add a flag to avc_audit(), optionally passed via avc_audit_data, that
tells it to use audit_log_end_irq() so that it merely enqueues the audit
message for later processing, and change capable and setscheduler hooks
to pass this flag, or 
b) Move the security checks in setscheduler outside of the runqueue
lock, then just recheck that no security-relevant conditions changed
after taking the lock.

Thoughts?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[James Morris]

On Mon, 18 Oct 2004, Stephen Smalley wrote:

> a) Add a flag to avc_audit(), optionally passed via avc_audit_data, that
> tells it to use audit_log_end_irq() so that it merely enqueues the audit
> message for later processing, and change capable and setscheduler hooks
> to pass this flag, or 
> b) Move the security checks in setscheduler outside of the runqueue
> lock, then just recheck that no security-relevant conditions changed
> after taking the lock.

A seems simpler, but perhaps better to do via a wrapper function.


- James
-- 
James Morris
<jmorris@redhat.com>



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* James Morris (jmorris@redhat.com) wrote:
> On Mon, 18 Oct 2004, Stephen Smalley wrote:
> 
> > a) Add a flag to avc_audit(), optionally passed via avc_audit_data, that
> > tells it to use audit_log_end_irq() so that it merely enqueues the audit
> > message for later processing, and change capable and setscheduler hooks
> > to pass this flag, or 
> > b) Move the security checks in setscheduler outside of the runqueue
> > lock, then just recheck that no security-relevant conditions changed
> > after taking the lock.
> 
> A seems simpler, but perhaps better to do via a wrapper function.

I agree, esp. since the policy value can change.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Mon, 2004-10-18 at 13:02, Crispin Cowan wrote:
> We (Immunix) discovered this bug a few weeks ago. At first we thought it 
> was a bug in our SubDomain module, but then determined that any attempt 
> to printk from within the scheduler hook was at risk of locking the kernel.
> 
> John Johansen (cc'd) has prepared a patch that fixes the problem, and we 
> just yesterday sent it to Andrea Arcangeli (scheduler maintainer) for 
> comment.
> 
> JJ, you wanna share your patch with the LSM list?

Does the patch address both the security_task_setscheduler() hook call
and the capable(CAP_SYS_NICE) calls by the setscheduler function? 
SELinux was already suppressing audit from its setscheduler hook to
avoid this deadlock, but was not doing so for the CAP_SYS_NICE check.
  
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* Crispin Cowan (crispin@immunix.com) wrote:
> We (Immunix) discovered this bug a few weeks ago. At first we thought it 
> was a bug in our SubDomain module, but then determined that any attempt 
> to printk from within the scheduler hook was at risk of locking the kernel.
> 
> John Johansen (cc'd) has prepared a patch that fixes the problem, and we 
> just yesterday sent it to Andrea Arcangeli (scheduler maintainer) for 
> comment.

Andrea isn't the scheduler maintainer.

> JJ, you wanna share your patch with the LSM list?

That would be nice.  Why wasn't that done in the first place?

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Mon, 2004-10-18 at 17:40, John Johansen wrote:
> The patch to setscheduler moves the locking of the runqueue, until after
> the calls to capable and security_task_setscheduler, so it fixes both of
> them.  I believe this to be safe, but it really needs vetting by a
> scheduler person.

I think that you need to hold the lock when extracting p->policy, and if
you drop the lock for the security checks, you need to recheck that
p->policy hasn't changed after you re-take the lock.  Advantage of your
approach (with those fixes) is that no special handling is required by
capable(CAP_SYS_NICE) and security_task_setscheduler hook
implementations; they can audit immediately.  But given that the audit
framework does support deferred auditing via audit_log_end_irq, I'm not
sure that this is going to be compelling upstream, as it makes
setscheduler() very convoluted.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* Stephen Smalley (sds@epoch.ncsc.mil) wrote:
> On Mon, 2004-10-18 at 17:40, John Johansen wrote:
> > The patch to setscheduler moves the locking of the runqueue, until after
> > the calls to capable and security_task_setscheduler, so it fixes both of
> > them.  I believe this to be safe, but it really needs vetting by a
> > scheduler person.
> 
> I think that you need to hold the lock when extracting p->policy, and if
> you drop the lock for the security checks, you need to recheck that
> p->policy hasn't changed after you re-take the lock.  Advantage of your
> approach (with those fixes) is that no special handling is required by
> capable(CAP_SYS_NICE) and security_task_setscheduler hook
> implementations; they can audit immediately.  But given that the audit
> framework does support deferred auditing via audit_log_end_irq, I'm not
> sure that this is going to be compelling upstream, as it makes
> setscheduler() very convoluted.

Yup, I agree.  That's what I was referring to yesterday (policy can change
comment).  John, I didn't realize you had sent this to me earlier.
That, as well as this email never came to my inbox (only got this one
via the list).  I wonder if you need to do some envelope masquerading?

I imagine this looks suspect to our spam filters "Received: from ortho.site..."

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Tue, 2004-10-19 at 08:14, Stephen Smalley wrote:
> I think that you need to hold the lock when extracting p->policy, and if
> you drop the lock for the security checks, you need to recheck that
> p->policy hasn't changed after you re-take the lock.  Advantage of your
> approach (with those fixes) is that no special handling is required by
> capable(CAP_SYS_NICE) and security_task_setscheduler hook
> implementations; they can audit immediately.  But given that the audit
> framework does support deferred auditing via audit_log_end_irq, I'm not
> sure that this is going to be compelling upstream, as it makes
> setscheduler() very convoluted.

Hmmm...may have spoken too soon; looks like audit_log_end_irq can
deadlock too when the runqueue lock is held.  Only option is to disable
auditing of CAP_SYS_NICE and setscheduler?  Very unpleasant.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* Stephen Smalley (sds@epoch.ncsc.mil) wrote:
> On Tue, 2004-10-19 at 08:14, Stephen Smalley wrote:
> > I think that you need to hold the lock when extracting p->policy, and if
> > you drop the lock for the security checks, you need to recheck that
> > p->policy hasn't changed after you re-take the lock.  Advantage of your
> > approach (with those fixes) is that no special handling is required by
> > capable(CAP_SYS_NICE) and security_task_setscheduler hook
> > implementations; they can audit immediately.  But given that the audit
> > framework does support deferred auditing via audit_log_end_irq, I'm not
> > sure that this is going to be compelling upstream, as it makes
> > setscheduler() very convoluted.
> 
> Hmmm...may have spoken too soon; looks like audit_log_end_irq can
> deadlock too when the runqueue lock is held.  Only option is to disable
> auditing of CAP_SYS_NICE and setscheduler?  Very unpleasant.

I assume this is due to wakeup code putting smth. on the runqueue?

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[James Morris]

On Tue, 19 Oct 2004, Chris Wright wrote:

> > Hmmm...may have spoken too soon; looks like audit_log_end_irq can
> > deadlock too when the runqueue lock is held.  Only option is to disable
> > auditing of CAP_SYS_NICE and setscheduler?  Very unpleasant.
> 
> I assume this is due to wakeup code putting smth. on the runqueue?

This shouldn't happen from interrupt.


- James
-- 
James Morris
<jmorris@redhat.com>



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* James Morris (jmorris@redhat.com) wrote:
> On Tue, 19 Oct 2004, Chris Wright wrote:
> 
> > > Hmmm...may have spoken too soon; looks like audit_log_end_irq can
> > > deadlock too when the runqueue lock is held.  Only option is to disable
> > > auditing of CAP_SYS_NICE and setscheduler?  Very unpleasant.
> > 
> > I assume this is due to wakeup code putting smth. on the runqueue?
> 
> This shouldn't happen from interrupt.

The conosole semaphore isn't normal, iirc.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Tue, 2004-10-19 at 14:36, James Morris wrote:
> On Tue, 19 Oct 2004, Chris Wright wrote:
> 
> > > Hmmm...may have spoken too soon; looks like audit_log_end_irq can
> > > deadlock too when the runqueue lock is held.  Only option is to disable
> > > auditing of CAP_SYS_NICE and setscheduler?  Very unpleasant.
> > 
> > I assume this is due to wakeup code putting smth. on the runqueue?
> 
> This shouldn't happen from interrupt.

setscheduler() isn't being called from interrupt.  I changed the SELinux
setscheduler hook to call a wrapper function to use audit_log_irq_end(),
and exercising it immediately deadlocked the system. 
audit_log_irq_end() -> tasklet_schedule() -> raise_softirq_irqoff() ->
wakeup_softirqd() -> wake_up_process() is my current working guess,
couldn't get a dump after the lockup.  No response to sysrq-t.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* Stephen Smalley (sds@epoch.ncsc.mil) wrote:
> setscheduler() isn't being called from interrupt.  I changed the SELinux
> setscheduler hook to call a wrapper function to use audit_log_irq_end(),
> and exercising it immediately deadlocked the system. 
> audit_log_irq_end() -> tasklet_schedule() -> raise_softirq_irqoff() ->
> wakeup_softirqd() -> wake_up_process() is my current working guess,
> couldn't get a dump after the lockup.  No response to sysrq-t.

Can you trigger NMI?  Although i'm sure it's wakeup putting smth. on
runqueue.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Tue, 2004-10-19 at 15:02, Chris Wright wrote:
> Can you trigger NMI?  Although i'm sure it's wakeup putting smth. on
> runqueue.

Not on this particular machine; NMI not supported for it.  Migrating to
different hardware to re-test.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* Stephen Smalley (sds@epoch.ncsc.mil) wrote:
> On Tue, 2004-10-19 at 15:02, Chris Wright wrote:
> > Can you trigger NMI?  Although i'm sure it's wakeup putting smth. on
> > runqueue.
> 
> Not on this particular machine; NMI not supported for it.  Migrating to
> different hardware to re-test.

Thanks, I had same problem (NMI not supported).
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Tue, 2004-10-19 at 15:20, Chris Wright wrote:
> > Not on this particular machine; NMI not supported for it.  Migrating to
> > different hardware to re-test.
> 
> Thanks, I had same problem (NMI not supported).

NMI Watchdog detected LOCKUP on CPU1, eip c030f99c, registers:
Modules linked in: md5 ipv6 parport_pc lp parport autofs4 nfs lockd sunrpc micro code dm_mod button battery ac uhci_hcd ehci_hcd snd_intel8x0 snd_ac97_codec snd_ pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc gameport snd_mpu401_uart snd_rawmidi snd_seq_device snd soundcore e1000 floppy ext3 jbd
CPU:    1
EIP:    0060:[<c030f99c>]    Not tainted VLI
EFLAGS: 00000086   (2.6.9-selinux1)
EIP is at _spin_lock+0x1c/0x50
eax: c1810060   ebx: c1810060   ecx: 00000000   edx: c1818060
esi: c1818060   edi: c18189c0   ebp: f70cfdf8   esp: f70cfdec
ds: 007b   es: 007b   ss: 0068
Process sshd (pid: 3325, threadinfo=f70cf000 task=c1a76890)
Stack: 00000020 c1810060 c1810060 f70cfe08 c012186b c1810060 c1818060 f70cfe34
       c0122314 00000002 00000065 00000001 00000000 00000001 00000001 c18189c0
       01419f60 799ab680 f70cfea4 c030ece0 c01483c7 00000001 c0363480 00000282
Call Trace:
 [<c0108e5a>] show_stack+0x7a/0x90
 [<c0108fe2>] show_registers+0x152/0x1d0
 [<c0109cf0>] die_nmi+0x50/0x80
 [<c011c2f7>] nmi_watchdog_tick+0x97/0xc0
 [<c0109d80>] default_do_nmi+0x60/0x100
 [<c0109e6f>] do_nmi+0x3f/0x50
 [<c0108b51>] nmi_stack_correct+0x1e/0x2e
 [<c012186b>] double_lock_balance+0x3b/0x50
 [<c0122314>] load_balance_newidle+0x54/0x90
 [<c030ece0>] schedule+0x760/0xb70
 [<c030f557>] schedule_timeout+0x67/0xc0
 [<c0176ada>] do_select+0x26a/0x2a0
 [<c0176d81>] sys_select+0x241/0x4f0
 [<c0107f11>] sysenter_past_esp+0x52/0x71
Code: 5d 89 c8 c3 8d 74 26 00 8d bc 27 00 00 00 00 55 89 e5 53 83 ec 08 89 c3 81  78 04 ad 4e ad de 75 14 f0 fe 0b 79 09 f3 90 80 3b 00 <7e> f9 eb f2 83 c4 08 5b  5d c3 c7 04 24 f3 4e 32 c0 8b 45 04 89
console shuts up ...

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Tue, 2004-10-19 at 16:09, Stephen Smalley wrote:
> NMI Watchdog detected LOCKUP on CPU1, eip c030f99c, registers:

Sorry, that one wasn't very useful.  Re-tried, got a nicer one.
Not sure why the audit_log_end_irq calls don't show up in the call
trace.

NMI Watchdog detected LOCKUP on CPU0, eip c030f99c, registers:
Modules linked in: md5 ipv6 parport_pc lp parport autofs4 nfs lockd
sunrpc microcode dm_mod button battery ac uhci_hcd ehci_hcd snd_intel8x0
snd_ac97_codec snd_pcm_oss snd_mixer_oss snd_pcm snd_timer
snd_page_alloc gameport snd_mpu401_uart snd_rawmidi snd_seq_device snd
soundcore e1000 floppy ext3 jbd
CPU:    0
EIP:    0060:[<c030f99c>]    Not tainted VLI
EFLAGS: 00000086   (2.6.9-selinux1)
EIP is at _spin_lock+0x1c/0x50
eax: c1810060   ebx: c1810060   ecx: 00000000   edx: f7a67e48
esi: c1810060   edi: f7f45630   ebp: f7a67df8   esp: f7a67dec
ds: 007b   es: 007b   ss: 0068
Process source (pid: 3589, threadinfo=f7a67000 task=f78d8d70)
Stack: ffffffff fffffffd c03fe100 f7a67e10 c0120806 f7a67e48 f7a67000
00000046
       00000001 f7a67e58 c0120ed1 c0141faf f7a67e50 f7a67e4c c032d4a9
000002ab
       f7d92800 00000000 f7a67e3c c0142025 00000000 0000000f f7f45630
00000086
Call Trace:
 [<c0108e5a>] show_stack+0x7a/0x90
 [<c0108fe2>] show_registers+0x152/0x1d0
 [<c0109cf0>] die_nmi+0x50/0x80
 [<c011c2f7>] nmi_watchdog_tick+0x97/0xc0
 [<c0109d80>] default_do_nmi+0x60/0x100
 [<c0109e6f>] do_nmi+0x3f/0x50
 [<c0108b51>] nmi_stack_correct+0x1e/0x2e
 [<c0120806>] task_rq_lock+0x36/0x70
 [<c0120ed1>] try_to_wake_up+0x21/0x2a0
 [<c012b72d>] __tasklet_schedule+0x7d/0x80
 [<c01b8a5b>] avc_audit_helper+0x14b/0xb90
 [<c01b9513>] avc_audit_irq+0x33/0x40
 [<c01b9e0a>] avc_has_perm_irq+0x5a/0x69
 [<c01be630>] selinux_task_setscheduler+0x40/0x50
 [<c0122fd6>] setscheduler+0x126/0x220
 [<c0107f11>] sysenter_past_esp+0x52/0x71
Code: 5d 89 c8 c3 8d 74 26 00 8d bc 27 00 00 00 00 55 89 e5 53 83 ec 08
89 c3 81 78 04 ad 4e ad de 75 14 f0 fe 0b 79 09 f3 90 80 3b 00 <7e> f9
eb f2 83 c4 08 5b 5d c3 c7 04 24 f3 4e 32 c0 8b 45 04 89
console shuts up ...

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[James Morris]

On Tue, 19 Oct 2004, Stephen Smalley wrote:

> On Tue, 2004-10-19 at 16:09, Stephen Smalley wrote:
> > NMI Watchdog detected LOCKUP on CPU1, eip c030f99c, registers:
> 
> Sorry, that one wasn't very useful.  Re-tried, got a nicer one.
> Not sure why the audit_log_end_irq calls don't show up in the call
> trace.

Yes, it's the runqueue lock.  One simple possibility would be to convert
the audit code over to use the keventd workqueue, and use
schedule_delayed_work() to kick the audit logging via a timer in this
case.


- James
-- 
James Morris
<jmorris@redhat.com>



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* James Morris (jmorris@redhat.com) wrote:
> On Tue, 19 Oct 2004, Stephen Smalley wrote:
> 
> > On Tue, 2004-10-19 at 16:09, Stephen Smalley wrote:
> > > NMI Watchdog detected LOCKUP on CPU1, eip c030f99c, registers:
> > 
> > Sorry, that one wasn't very useful.  Re-tried, got a nicer one.
> > Not sure why the audit_log_end_irq calls don't show up in the call
> > trace.
> 
> Yes, it's the runqueue lock.  One simple possibility would be to convert
> the audit code over to use the keventd workqueue, and use
> schedule_delayed_work() to kick the audit logging via a timer in this
> case.

Yeah, guess that would work, but it's not that nice a solution ;-/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Tue, 2004-10-19 at 17:09, Chris Wright wrote:
> * James Morris (jmorris@redhat.com) wrote:
> > Yes, it's the runqueue lock.  One simple possibility would be to convert
> > the audit code over to use the keventd workqueue, and use
> > schedule_delayed_work() to kick the audit logging via a timer in this
> > case.
> 
> Yeah, guess that would work, but it's not that nice a solution ;-/

And requiring security modules to special case CAP_SYS_NICE auditing in
their capable() hooks and any auditing in their setscheduler() hooks
seems very unpleasant anyway.  I'd actually favor one of:
- Fix John's setscheduler patch to hold the lock while extracting
p->policy, drop it for the security checks, re-take the lock, and verify
that p->policy hasn't changed (if it has, bail with EPERM, as I can't
see any legitimate reason for such a race other than an intentional
malicious attempt to exploit it), or
- Add a separate post hook to setscheduler after locks are dropped, and
do all auditing from it.  Likely requires changing existing setscheduler
hook to return some state to pass along to the post hook for auditing in
addition to the error code itself.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Wed, 2004-10-20 at 08:23, Stephen Smalley wrote:
> - Add a separate post hook to setscheduler after locks are dropped, and
> do all auditing from it.  Likely requires changing existing setscheduler
> hook to return some state to pass along to the post hook for auditing in
> addition to the error code itself.

And this would presumably mean moving the entire set of security checks
into the setscheduler hook, so that we could handle the capable() check
similarly, i.e. we would use a special non-auditing form of capable
within the setscheduler hook, and then return state to be passed to the
post hook for audit generation.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Wed, 2004-10-20 at 11:49, John Johansen wrote:
> sigh it seems I posted the wrong patch file the one that got posted is
> the one where I threw up my hands and swore about having to break the
> lock as Stephan suggests.
> 
> The actual patch adds an extra lock (I liked that a little better than
> breaking the rq lock) in setscheduler and around the other points that
> call __setschedule.

Not sure I understand - can you post the correct patch?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* John Johansen (johansen@immunix.com) wrote:
> sigh it seems I posted the wrong patch file the one that got posted is
> the one where I threw up my hands and swore about having to break the
> lock as Stephan suggests.
> 
> The actual patch adds an extra lock (I liked that a little better than
> breaking the rq lock) in setscheduler and around the other points that
> call __setschedule.

Hmm, I didn't see this patch, but it's sounding like it won't fly.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* Stephen Smalley (sds@epoch.ncsc.mil) wrote:
> On Tue, 2004-10-19 at 17:09, Chris Wright wrote:
> > * James Morris (jmorris@redhat.com) wrote:
> > > Yes, it's the runqueue lock.  One simple possibility would be to convert
> > > the audit code over to use the keventd workqueue, and use
> > > schedule_delayed_work() to kick the audit logging via a timer in this
> > > case.
> > 
> > Yeah, guess that would work, but it's not that nice a solution ;-/
> 
> And requiring security modules to special case CAP_SYS_NICE auditing in
> their capable() hooks and any auditing in their setscheduler() hooks
> seems very unpleasant anyway.  I'd actually favor one of:
> - Fix John's setscheduler patch to hold the lock while extracting
> p->policy, drop it for the security checks, re-take the lock, and verify
> that p->policy hasn't changed (if it has, bail with EPERM, as I can't
> see any legitimate reason for such a race other than an intentional
> malicious attempt to exploit it), or

Unfortunately, policy < 0 is not really POSIX compliant, but it's
documented behaviour, so changing this would change the ABI, and could
break something.  Otherwise, the simplest would be remove that bit
altogether.  Don't think we need to hold lock while sampling the value,
since it should be processor word-sized value, nothing odd on loading
should happen.  It's possible to loop and recheck, but w/out convincing
oneself that livelock is not possible, -EPERM and return seems quite
valid for this very unlikely case.  Untested patch below.

===== kernel/sched.c 1.367 vs edited =====
--- 1.367/kernel/sched.c	2004-10-18 22:26:52 -07:00
+++ edited/kernel/sched.c	2004-10-20 10:26:19 -07:00
@@ -3038,7 +3038,7 @@
 {
 	struct sched_param lp;
 	int retval = -EINVAL;
-	int oldprio;
+	int oldprio, oldpolicy;
 	prio_array_t *array;
 	unsigned long flags;
 	runqueue_t *rq;
@@ -3060,23 +3060,18 @@
 
 	retval = -ESRCH;
 	if (!p)
-		goto out_unlock_tasklist;
-
-	/*
-	 * To be able to change p->policy safely, the apropriate
-	 * runqueue lock must be held.
-	 */
-	rq = task_rq_lock(p, &flags);
+		goto out_unlock;
 
+	/* double check policy once rq lock held */
+	oldpolicy = p->policy;
 	if (policy < 0)
-		policy = p->policy;
+		policy = oldpolicy;
 	else {
 		retval = -EINVAL;
 		if (policy != SCHED_FIFO && policy != SCHED_RR &&
 				policy != SCHED_NORMAL)
 			goto out_unlock;
 	}
-
 	/*
 	 * Valid priorities for SCHED_FIFO and SCHED_RR are
 	 * 1..MAX_USER_RT_PRIO-1, valid priority for SCHED_NORMAL is 0.
@@ -3098,7 +3093,15 @@
 	retval = security_task_setscheduler(p, policy, &lp);
 	if (retval)
 		goto out_unlock;
-
+	/*
+	 * To be able to change p->policy safely, the apropriate
+	 * runqueue lock must be held.
+	 */
+	rq = task_rq_lock(p, &flags);
+	/* recheck policy now with rq lock held */
+	retval = -EPERM;
+	if (unlikely(oldpolicy != p->policy))
+		goto out_unlock_rq;
 	array = p->array;
 	if (array)
 		deactivate_task(p, task_rq(p));
@@ -3118,12 +3121,10 @@
 		} else if (TASK_PREEMPTS_CURR(p, rq))
 			resched_task(rq->curr);
 	}
-
-out_unlock:
+out_unlock_rq:
 	task_rq_unlock(rq, &flags);
-out_unlock_tasklist:
+out_unlock:
 	read_unlock_irq(&tasklist_lock);
-
 out_nounlock:
 	return retval;
 }

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Stephen Smalley]

On Wed, 2004-10-20 at 13:41, Chris Wright wrote:
> Unfortunately, policy < 0 is not really POSIX compliant, but it's
> documented behaviour, so changing this would change the ABI, and could
> break something.  Otherwise, the simplest would be remove that bit
> altogether.  Don't think we need to hold lock while sampling the value,
> since it should be processor word-sized value, nothing odd on loading
> should happen.  It's possible to loop and recheck, but w/out convincing
> oneself that livelock is not possible, -EPERM and return seems quite
> valid for this very unlikely case.  Untested patch below.

Works for me.  However, the test may be overly strong, e.g. if policy >=
0 on entry, then oldpolicy isn't used, and we don't care whether it
stayed the same, right?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Chris Wright]

* Stephen Smalley (sds@epoch.ncsc.mil) wrote:
> Works for me.  However, the test may be overly strong, e.g. if policy >=
> 0 on entry, then oldpolicy isn't used, and we don't care whether it
> stayed the same, right?

Heh, I figured you'd mention that ;-)  It's basically what the old behaviour is,
when rq_lock serialized it.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)

[Luke Kenneth Casson Leighton]

ah ha!  thomas, thank you v. much: i [badly] hacked up something
for k3b to use some time ago.

On Mon, Oct 18, 2004 at 02:43:32PM +0200, Thomas Bleher wrote:

> I have just written selinux policy for cdrecord. While writing this 
> policy cdrecord constantly locked up the computer (even in permissive
> mode). When booting with selinux=0 the problem went away.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

cdrecord patch [was: Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)]

[Thomas Bleher]

[-- Attachment #1.1: Type: text/plain, Size: 941 bytes --]

* Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-10-18 17:47]:
> ah ha!  thomas, thank you v. much: i [badly] hacked up something
> for k3b to use some time ago.
> 
> On Mon, Oct 18, 2004 at 02:43:32PM +0200, Thomas Bleher wrote:
> 
> > I have just written selinux policy for cdrecord. While writing this 
> > policy cdrecord constantly locked up the computer (even in permissive
> > mode). When booting with selinux=0 the problem went away.

Attached is an updated policy for inclusion into CVS. The previous
version missed some permissions. With the current version I have
successfully burnt a CD in enforcing mode.

Thomas

PS: This patch uses the can_resmgrd_connect() macro which was posted a
while but is not yet in CVS. It can be removed if the other patch is not
merged.

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #1.2: cdrecord.patch --]
[-- Type: text/plain, Size: 3412 bytes --]

diff -urN orig/domains/program/unused/cdrecord.te mod/domains/program/unused/cdrecord.te
--- orig/domains/program/unused/cdrecord.te	1970-01-01 01:00:00.000000000 +0100
+++ mod/domains/program/unused/cdrecord.te	2004-10-18 23:51:18.000000000 +0200
@@ -0,0 +1,10 @@
+# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+
+# Type for the cdrecord excutable.
+type cdrecord_exec_t, file_type, sysadmfile, exec_type;
+
+# everything else is in the cdrecord_domain macros in
+# macros/program/cdrecord_macros.te.
+
diff -urN orig/file_contexts/program/cdrecord.fc mod/file_contexts/program/cdrecord.fc
--- orig/file_contexts/program/cdrecord.fc	1970-01-01 01:00:00.000000000 +0100
+++ mod/file_contexts/program/cdrecord.fc	2004-10-18 23:51:44.000000000 +0200
@@ -0,0 +1,3 @@
+# cdrecord
+/usr/bin/cdrecord	--	system_u:object_r:cdrecord_exec_t
+
diff -urN orig/macros/base_user_macros.te mod/macros/base_user_macros.te
--- orig/macros/base_user_macros.te	2004-10-18 23:50:53.000000000 +0200
+++ mod/macros/base_user_macros.te	2004-10-18 23:37:59.000000000 +0200
@@ -167,6 +167,7 @@
 ifdef(`irc.te', `irc_domain($1)')
 ifdef(`using_spamassassin', `spamassassin_domain($1)')
 ifdef(`uml.te', `uml_domain($1)')
+ifdef(`cdrecord.te', `cdrecord_domain($1)')
 
 # Instantiate a derived domain for user cron jobs.
 ifdef(`crond.te', `crond_domain($1)')
diff -urN orig/macros/program/cdrecord_macros.te mod/macros/program/cdrecord_macros.te
--- orig/macros/program/cdrecord_macros.te	1970-01-01 01:00:00.000000000 +0100
+++ mod/macros/program/cdrecord_macros.te	2004-10-18 23:51:36.000000000 +0200
@@ -0,0 +1,51 @@
+# macros for the cdrecord domain
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+
+define(`cdrecord_domain', `
+type $1_cdrecord_t, domain, privlog;
+
+domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_cdrecord_t;
+
+uses_shlib($1_cdrecord_t)
+read_locale($1_cdrecord_t)
+
+# allow ps to show cdrecord and allow the user to kill it 
+can_ps($1_t, $1_cdrecord_t)
+allow $1_t $1_cdrecord_t:process signal;
+
+# write to the user domain tty.
+allow $1_cdrecord_t $1_tty_device_t:chr_file rw_file_perms;
+allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+allow $1_cdrecord_t privfd:fd use;
+
+allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write };
+
+allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+can_resmgrd_connect($1_cdrecord_t)
+
+allow $1_cdrecord_t home_root_t:dir { search };
+
+# allow cdrecord to read user files
+r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t })
+ifdef(`nfs_home_dirs', `
+r_dir_file($1_cdrecord_t, nfs_t)
+')dnl end if nfs_home_dirs
+
+# allow searching for cdrom-drive
+allow $1_cdrecord_t device_t:dir { getattr search };
+allow $1_cdrecord_t device_t:lnk_file { getattr read };
+
+# allow cdrecord to write the CD
+allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
+allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
+
+allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid };
+allow $1_cdrecord_t self:process { getsched setsched fork };
+
+')
+

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: cdrecord patch [was: Re: cdrecord deadlocks linux 2.6.8.1 (problem in setscheduler)]

[James Carter]

Merged.

On Mon, 2004-10-18 at 17:58, Thomas Bleher wrote:
> * Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-10-18 17:47]:
> > ah ha!  thomas, thank you v. much: i [badly] hacked up something
> > for k3b to use some time ago.
> > 
> > On Mon, Oct 18, 2004 at 02:43:32PM +0200, Thomas Bleher wrote:
> > 
> > > I have just written selinux policy for cdrecord. While writing this 
> > > policy cdrecord constantly locked up the computer (even in permissive
> > > mode). When booting with selinux=0 the problem went away.
> 
> Attached is an updated policy for inclusion into CVS. The previous
> version missed some permissions. With the current version I have
> successfully burnt a CD in enforcing mode.
> 
> Thomas
> 
> PS: This patch uses the can_resmgrd_connect() macro which was posted a
> while but is not yet in CVS. It can be removed if the other patch is not
> merged.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Patch to make can_network stronger and remove nscd tunable.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 91959 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.36/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-10-19 16:03:04.000000000 -0400
+++ policy-1.17.36/domains/program/crond.te	2004-10-28 09:05:15.000000000 -0400
@@ -24,6 +24,7 @@
 # Type for temporary files.
 tmp_domain(crond)
 can_ypbind(crond_t)
+allow crond_t self:{ tcp_socket udp_socket } connect;
 
 crond_domain(system)
 
@@ -114,6 +115,10 @@
 # Use capabilities.
 allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 
+allow crond_t krb5_conf_t:file { getattr read };
+dontaudit crond_t krb5_conf_t:file { write };
+allow crond_t urandom_device_t:chr_file { getattr read };
+
 # Read the system crontabs.
 allow system_crond_t system_cron_spool_t:file r_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.17.36/domains/program/login.te
--- nsapolicy/domains/program/login.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.17.36/domains/program/login.te	2004-10-28 17:14:48.000000000 -0400
@@ -21,6 +21,8 @@
 dontaudit $1_login_t shadow_t:file { getattr read };
 
 general_domain_access($1_login_t);
+allow $1_login_t self:{ tcp_socket udp_socket } create_socket_perms;
+can_network($1_login_t) 
 
 # Read system information files in /proc.
 allow $1_login_t proc_t:dir r_dir_perms;
@@ -81,9 +83,9 @@
 ')
 allow $1_login_t mnt_t:dir r_dir_perms;
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_login_t, nfs_t)
-')dnl end if nfs_home_dirs
+}
 
 # FIXME: what is this for?
 ifdef(`xdm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.17.36/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te	2004-09-02 14:45:45.000000000 -0400
+++ policy-1.17.36/domains/program/logrotate.te	2004-10-28 09:05:15.000000000 -0400
@@ -13,7 +13,7 @@
 # logrotate_t is the domain for the logrotate program.
 # logrotate_exec_t is the type of the corresponding program.
 #
-type logrotate_t, domain, privowner, privmail, priv_system_role;
+type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
 role system_r types logrotate_t;
 role sysadm_r types logrotate_t;
 uses_shlib(logrotate_t);
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.36/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-10-09 21:06:13.000000000 -0400
+++ policy-1.17.36/domains/program/mount.te	2004-10-28 09:05:15.000000000 -0400
@@ -11,7 +11,7 @@
 
 type mount_exec_t, file_type, sysadmfile, exec_type;
 
-mount_domain(sysadm, mount, `, fs_domain')
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
 mount_loopback_privs(sysadm, mount)
 role sysadm_r types mount_t;
 role system_r types mount_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.36/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.36/domains/program/ssh.te	2004-10-28 09:05:15.000000000 -0400
@@ -69,17 +69,18 @@
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 can_network($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 
-allow $1_t self:capability { sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
 can_ypbind($1_t)
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')
 allow $1_t nfs_t:dir { search getattr };
 allow $1_t nfs_t:file { getattr read };
-} dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 ifdef(`single_userdomain', `
 if (ssh_sysadm_login) {
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.36/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.36/domains/program/syslogd.te	2004-10-28 09:05:15.000000000 -0400
@@ -96,4 +96,4 @@
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir { search };
 dontaudit syslogd_t unlabeled_t:file read;
-dontaudit syslogd_t devpts_t:chr_file getattr;
+dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.17.36/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.17.36/domains/program/unused/acct.te	2004-10-28 09:05:15.000000000 -0400
@@ -63,6 +63,7 @@
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
+allow logrotate_t acct_data_t:dir { search };
 allow logrotate_t acct_data_t:file { create_file_perms };
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.36/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.36/domains/program/unused/apache.te	2004-10-28 09:05:15.000000000 -0400
@@ -61,7 +61,7 @@
 
 # httpd_exec_t is the type give to the httpd executable.
 #
-daemon_domain(httpd, `, privmail')
+daemon_domain(httpd, `, privmail, nscd_client_domain')
 
 can_exec(httpd_t, httpd_exec_t)
 file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
@@ -136,6 +136,7 @@
 
 can_network(httpd_t)
 can_ypbind(httpd_t)
+allow httpd_t self:{ tcp_socket udp_socket } connect;
 
 ###################
 # Allow httpd to search users diretories
@@ -249,7 +250,7 @@
 allow httpd_t autofs_t:dir { search getattr };
 allow httpd_suexec_t autofs_t:dir { search getattr };
 ')
-if (nfs_home_dirs && httpd_enable_homedirs) {
+if (use_nfs_home_dirs && httpd_enable_homedirs) {
 r_dir_file(httpd_t, nfs_t)
 r_dir_file(httpd_suexec_t, nfs_t)
 can_exec(httpd_suexec_t, nfs_t)
@@ -298,5 +299,6 @@
 # Customer reported the following
 #
 ifdef(`snmpd.te', `
+dontaudit httpd_t snmpd_var_lib_t:dir { search };
 dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.17.36/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.36/domains/program/unused/apmd.te	2004-10-28 16:31:24.000000000 -0400
@@ -9,7 +9,7 @@
 #
 # Rules for the apmd_t domain.
 #
-daemon_domain(apmd, `, privmodule')
+daemon_domain(apmd, `, privmodule, nscd_client_domain')
 
 # for SSP
 allow apmd_t urandom_device_t:chr_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.17.36/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.17.36/domains/program/unused/arpwatch.te	2004-10-28 16:34:05.000000000 -0400
@@ -9,10 +9,10 @@
 #
 # arpwatch_exec_t is the type of the arpwatch executable.
 #
-daemon_domain(arpwatch, `, privmail')
+daemon_domain(arpwatch, `, privmail, nscd_client_domain')
 type arpwatch_data_t, file_type, sysadmfile;
 allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
-allow arpwatch_t self:capability { net_admin net_raw };
+allow arpwatch_t self:capability { net_admin net_raw net_bind_service };
 allow arpwatch_t self:udp_socket create_socket_perms;
 allow arpwatch_t self:unix_dgram_socket create_socket_perms;
 allow arpwatch_t arpwatch_t:capability { setgid setuid };
@@ -25,10 +25,15 @@
 allow arpwatch_t netif_lo_t:netif { udp_send };
 allow arpwatch_t sbin_t:dir { search };
 allow arpwatch_t sbin_t:lnk_file { read };
-can_network(arpwatch_t)
+can_tcp_network(arpwatch_t)
 can_ypbind(arpwatch_t)
+allow arpwatch_t self:tcp_socket connect;
+
+ifdef(`mta.te', `
 allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
+allow system_mail_t arpwatch_data_t:dir { getattr search };
+')
 ifdef(`postfix.te', `
 allow postfix_local_t arpwatch_data_t:dir { search };
 ')
-
+allow arpwatch_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.17.36/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te	2004-09-01 13:00:25.000000000 -0400
+++ policy-1.17.36/domains/program/unused/automount.te	2004-10-28 09:05:15.000000000 -0400
@@ -9,7 +9,7 @@
 #
 # Rules for the automount_t domain.
 #
-daemon_domain(automount)
+daemon_domain(automount, `, nscd_client_domain')
 
 etc_domain(automount)
 
@@ -26,7 +26,7 @@
 allow automount_t { etc_t etc_runtime_t }:file { getattr read };
 allow automount_t proc_t:file { getattr read };
 allow automount_t self:process { setpgid setsched };
-allow automount_t self:capability { sys_nice };
+allow automount_t self:capability { sys_nice net_bind_service };
 allow automount_t self:unix_stream_socket create_socket_perms;
 allow automount_t self:unix_dgram_socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.17.36/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/bluetooth.te	2004-10-28 09:05:15.000000000 -0400
@@ -22,7 +22,7 @@
 # Use the network.
 can_network(bluetooth_t)
 can_ypbind(bluetooth_t)
-dbusd_client(system, bluetooth_t)
+dbusd_client(system, bluetooth)
 allow bluetooth_t self:socket { create setopt ioctl bind listen };
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.17.36/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/canna.te	2004-10-28 09:05:15.000000000 -0400
@@ -8,7 +8,7 @@
 #
 # Rules for the canna_t domain.
 #
-daemon_domain(canna)
+daemon_domain(canna, `, nscd_client_domain' )
 
 file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
 
@@ -28,8 +28,9 @@
 
 rw_dir_create_file(canna_t, canna_var_lib_t)
 
-can_network(canna_t)
+can_tcp_network(canna_t)
 can_ypbind(canna_t)
+allow canna_t self:tcp_socket connect;
 
 allow userdomain canna_var_run_t:dir search;
 allow userdomain canna_var_run_t:sock_file write;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.17.36/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.36/domains/program/unused/cardmgr.te	2004-10-28 17:16:53.000000000 -0400
@@ -9,7 +9,7 @@
 #
 # Rules for the cardmgr_t domain.
 #
-daemon_domain(cardmgr, `, privmodule')
+daemon_domain(cardmgr, `, privmodule, nscd_client_domain')
 
 # for SSP
 allow cardmgr_t urandom_device_t:chr_file read;
@@ -82,3 +82,7 @@
 dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
 dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
 ')
+ifdef(`hald.te', `
+rw_dir_file(hald_t, cardmgr_var_run_t)
+allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.17.36/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.36/domains/program/unused/consoletype.te	2004-10-28 09:05:15.000000000 -0400
@@ -59,3 +59,5 @@
 ')
 dontaudit consoletype_t proc_t:file { read };
 dontaudit consoletype_t root_t:file { read };
+allow consoletype_t crond_t:fifo_file { read };
+allow consoletype_t fs_t:filesystem { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cpuspeed.te policy-1.17.36/domains/program/unused/cpuspeed.te
--- nsapolicy/domains/program/unused/cpuspeed.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.17.36/domains/program/unused/cpuspeed.te	2004-10-28 09:05:15.000000000 -0400
@@ -8,3 +8,5 @@
 allow cpuspeed_t sysfs_t:file rw_file_perms;
 allow cpuspeed_t proc_t:dir r_dir_perms;
 allow cpuspeed_t proc_t:file { getattr read };
+allow cpuspeed_t etc_runtime_t:file { getattr read };
+allow cpuspeed_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.36/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/cups.te	2004-10-28 09:05:15.000000000 -0400
@@ -20,6 +20,8 @@
 
 can_network(cupsd_t)
 can_ypbind(cupsd_t)
+allow cupsd_t self:{ tcp_socket udp_socket } connect;
+
 logdir_domain(cupsd)
 
 tmp_domain(cupsd)
@@ -167,8 +169,7 @@
 ifdef(`hald.te', `
 
 # CUPS configuration daemon
-daemon_domain(cupsd_config)
-
+daemon_domain(cupsd_config, `, nscd_client_domain')
 allow cupsd_config_t devpts_t:dir search;
 
 ifdef(`distro_redhat', `
@@ -188,7 +189,7 @@
 allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
 allow cupsd_config_t cupsd_t:dir { search };
 
-allow cupsd_config_t self:capability { chown };
+allow cupsd_config_t self:capability { chown sys_tty_config };
 
 rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
 rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
@@ -199,9 +200,11 @@
 
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_t)
-dbusd_client(system, cupsd_config_t)
+dbusd_client(system, cupsd)
+dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus { send_msg };
+allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow cupsd_t system_dbusd_t:dbus { send_msg };
 allow userdomain cupsd_config_t:dbus { send_msg };
 allow cupsd_config_t hald_t:dbus { send_msg };
 allow hald_t cupsd_config_t:dbus { send_msg };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.17.36/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2004-05-04 15:35:53.000000000 -0400
+++ policy-1.17.36/domains/program/unused/cyrus.te	2004-10-28 09:05:15.000000000 -0400
@@ -5,7 +5,7 @@
 
 # cyrusd_exec_t is the type of the cyrusd executable.
 # cyrusd_key_t is the type of the cyrus private key files
-daemon_domain(cyrus)
+daemon_domain(cyrus, `, nscd_client_domain')
 role cyrus_r types cyrus_t;
 
 general_domain_access(cyrus_t)
@@ -20,6 +20,7 @@
 
 can_network(cyrus_t)
 can_ypbind(cyrus_t)
+allow cyrus_t self:{ tcp_socket udp_socket } connect;
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
 allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
@@ -45,3 +46,4 @@
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
 allow system_crond_su_t cyrus_var_lib_t:dir { search };
 ')
+allow cyrus_t mail_port_t:tcp_socket { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.17.36/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.36/domains/program/unused/dbskkd.te	2004-10-28 09:05:15.000000000 -0400
@@ -9,5 +9,6 @@
 #
 # dbskkd_exec_t is the type of the dbskkd executable.
 #
+# Depends: inetd.te
 
 inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.17.36/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.36/domains/program/unused/dbusd.te	2004-10-28 09:05:15.000000000 -0400
@@ -11,8 +11,9 @@
 ')
 
 # dac_override: /var/run/dbus is owned by messagebus on Debian
-allow system_dbusd_t self:capability { dac_override setgid setuid };
+allow system_dbusd_t self:capability { dac_override setgid setuid net_bind_service };
 can_ypbind(system_dbusd_t)
+allow system_dbusd_t self:tcp_socket connect;
 
 # I expect we need more than this
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.17.36/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.36/domains/program/unused/dhcpc.te	2004-10-28 09:05:15.000000000 -0400
@@ -17,13 +17,14 @@
 #
 type dhcpc_port_t, port_type, reserved_port_type;
 
-daemon_domain(dhcpc)
+daemon_domain(dhcpc, `, nscd_client_domain')
 
 # for SSP
 allow dhcpc_t urandom_device_t:chr_file read;
 
 can_network(dhcpc_t)
 can_ypbind(dhcpc_t)
+allow dhcpc_t self:tcp_socket connect;
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
 allow dhcpc_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dictd.te policy-1.17.36/domains/program/unused/dictd.te
--- nsapolicy/domains/program/unused/dictd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.36/domains/program/unused/dictd.te	2004-10-28 09:05:15.000000000 -0400
@@ -28,7 +28,7 @@
 allow dictd_t var_lib_dictd_t:dir r_dir_perms;
 allow dictd_t var_lib_dictd_t:file r_file_perms;
 
-allow dictd_t self:capability { setuid setgid };
+allow dictd_t self:capability { setuid setgid net_bind_service };
 
 allow dictd_t usr_t:file r_file_perms;
 
@@ -45,5 +45,6 @@
 can_network(dictd_t)
 can_ypbind(dictd_t)
 can_tcp_connect(userdomain, dictd_t)
+allow dictd_t self:tcp_socket connect;
 
 allow dictd_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.17.36/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.36/domains/program/unused/dovecot.te	2004-10-28 09:05:15.000000000 -0400
@@ -3,7 +3,7 @@
 # Author:  Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: dovecot-imapd, dovecot-pop3d
 
-daemon_domain(dovecot, `, privhome')
+daemon_domain(dovecot, `, privhome, nscd_client_domain')
 
 allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
 
@@ -15,6 +15,8 @@
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
+allow dovecot_t self:tcp_socket connect;
+
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
@@ -34,7 +36,7 @@
 dontaudit dovecot_t krb5_conf_t:file { write };
 allow dovecot_t krb5_conf_t:file { getattr read };
 
-daemon_sub_domain(dovecot_t, dovecot_auth, `, auth')
+daemon_sub_domain(dovecot_t, dovecot_auth, `, auth, nscd_client_domain')
 allow dovecot_auth_t self:process { fork signal_perms };
 allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.17.36/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.36/domains/program/unused/ftpd.te	2004-10-28 09:05:15.000000000 -0400
@@ -4,6 +4,7 @@
 #           Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
 #
+# Depends: inetd.te
 
 #################################
 #
@@ -11,12 +12,13 @@
 #
 type ftp_port_t, port_type, reserved_port_type;
 type ftp_data_port_t, port_type, reserved_port_type;
-daemon_domain(ftpd, `, auth_chkpwd')
+daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
 etc_domain(ftpd)
 typealias ftpd_etc_t alias etc_ftpd_t;
 
 can_network(ftpd_t)
 can_ypbind(ftpd_t)
+allow ftpd_t self:udp_socket connect;
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -32,11 +34,13 @@
 
 ifdef(`crond.te', `
 system_crond_entry(ftpd_exec_t, ftpd_t)
+allow system_crond_t xferlog_t:file r_file_perms;
 can_exec(ftpd_t, { sbin_t shell_exec_t })
 allow ftpd_t usr_t:file { getattr read };
 ')
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
+allow ftpd_t port_t:tcp_socket { name_bind };
 
 # Allow ftpd to run directly without inetd.
 bool ftpd_is_daemon false;
@@ -97,7 +101,7 @@
 # Allow ftp to read/write files in the user home directories.
 bool ftp_home_dir false;
 
-if (ftp_home_dir && nfs_home_dirs) {
+if (ftp_home_dir && use_nfs_home_dirs) {
 allow ftpd_t nfs_t:dir r_dir_perms;
 allow ftpd_t nfs_t:file r_file_perms;
 # dont allow access to /home
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.36/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-11-01 11:04:36.492173950 -0500
+++ policy-1.17.36/domains/program/unused/hald.te	2004-10-28 17:16:42.000000000 -0400
@@ -19,8 +19,8 @@
 allow hald_t self:unix_dgram_socket create_socket_perms;
 
 ifdef(`dbusd.te', `
-allow hald_t system_dbusd_t:dbus { acquire_svc };
-dbusd_client(system, hald_t)
+allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
+dbusd_client(system, hald)
 ')
 
 allow hald_t { self proc_t }:file { getattr read };
@@ -31,12 +31,13 @@
 
 allow hald_t bin_t:file { getattr };
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
 can_network(hald_t)
 can_ypbind(hald_t)
 
 allow hald_t device_t:lnk_file read;
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
+allow hald_t removable_device_t:blk_file { write };
 allow hald_t event_device_t:chr_file { getattr read ioctl };
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file { read };
@@ -60,7 +61,11 @@
 allow hald_t usbfs_t:dir search;
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
+dontaudit hald_t selinux_config_t:dir { search };
 allow hald_t initrc_t:dbus { send_msg };
 allow initrc_t hald_t:dbus { send_msg };
 allow hald_t etc_runtime_t:file rw_file_perms;
+allow hald_t var_lib_t:dir search;
+allow hald_t device_t:dir { create_dir_perms };
+allow hald_t { device_t }:{ chr_file } { create_file_perms };
+tmp_domain(hald)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.36/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.36/domains/program/unused/hotplug.te	2004-10-28 09:05:15.000000000 -0400
@@ -151,7 +151,7 @@
 
 can_network(hotplug_t)
 can_ypbind(hotplug_t)
-dbusd_client(system, hotplug_t)
+dbusd_client(system, hotplug)
 
 # Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
 domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.17.36/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.36/domains/program/unused/i18n_input.te	2004-10-28 16:33:27.000000000 -0400
@@ -6,11 +6,12 @@
 type i18n_input_port_t, port_type;
 
 # Establish i18n_input as a daemon
-daemon_domain(i18n_input)
+daemon_domain(i18n_input, `, nscd_client_domain')
 
 can_exec(i18n_input_t, i18n_input_exec_t)
 can_network(i18n_input_t)
 can_ypbind(i18n_input_t)
+allow i18n_input_t self:udp_socket connect;
 
 can_tcp_connect(userdomain, i18n_input_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.36/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.36/domains/program/unused/inetd.te	2004-10-28 09:05:15.000000000 -0400
@@ -21,6 +21,8 @@
 daemon_domain(inetd, `, nscd_client_domain ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
+allow inetd_t self:udp_socket connect;
+
 allow inetd_t self:unix_dgram_socket create_socket_perms;
 allow inetd_t self:unix_stream_socket create_socket_perms;
 allow inetd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.17.36/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/innd.te	2004-10-28 17:16:26.000000000 -0400
@@ -12,7 +12,7 @@
 
 
 # need privmail attribute so innd can access system_mail_t
-daemon_domain(innd, `, privmail')
+daemon_domain(innd, `, privmail, nscd_client_domain')
 
 # allow innd to create files and directories of type news_spool_t
 create_dir_file(innd_t, news_spool_t)
@@ -30,6 +30,7 @@
 
 can_network(innd_t)
 can_ypbind(innd_t)
+allow innd_t self:udp_socket connect;
 
 can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
 allow innd_t self:unix_dgram_socket create_socket_perms;
@@ -64,6 +65,9 @@
 
 ifdef(`crond.te', `
 system_crond_entry(innd_exec_t, innd_t)
+allow system_crond_t innd_etc_t:file { getattr read };
+rw_dir_create_file(system_crond_t, innd_log_t)
+rw_dir_create_file(system_crond_t, innd_var_run_t)
 ')
 ifdef(`syslogd.te', `
 allow syslogd_t innd_log_t:dir search;
@@ -71,6 +75,5 @@
 ')
 allow innd_t self:file { getattr read };
 dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
 allow innd_t bin_t:lnk_file { read };
 allow innd_t sbin_t:lnk_file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.17.36/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.36/domains/program/unused/ipsec.te	2004-10-28 09:05:15.000000000 -0400
@@ -25,7 +25,7 @@
 # lots of strange stuff for the ipsec_var_run_t - need to check it
 var_run_domain(ipsec)
 
-type ipsec_mgmt_t, domain, privlog, admin, privmodule;
+type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
 type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.36/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.36/domains/program/unused/ktalkd.te	2004-10-28 09:05:15.000000000 -0400
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.17.36/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.36/domains/program/unused/kudzu.te	2004-10-28 09:05:15.000000000 -0400
@@ -13,7 +13,7 @@
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t etc_t:file { getattr read };
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 allow kudzu_t modules_conf_t:file { getattr read };
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
@@ -80,7 +80,8 @@
 allow kudzu_t sysfs_t:lnk_file read;
 file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
 allow kudzu_t tape_device_t:chr_file r_file_perms;
-allow kudzu_t tmp_t:dir { search };
+tmp_domain(kudzu)
+file_type_auto_trans(kudzu_t, tmp_t, kudzu_tmp_t, chr_file)
 
 # for file systems that are not yet mounted
 dontaudit kudzu_t file_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.17.36/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.36/domains/program/unused/mailman.te	2004-10-28 14:35:22.000000000 -0400
@@ -20,7 +20,7 @@
 can_exec_any(mailman_$1_t)
 allow mailman_$1_t { proc_t sysctl_t sysctl_kernel_t }:dir search;
 allow mailman_$1_t { proc_t sysctl_kernel_t }:file { read getattr };
-allow mailman_$1_t var_lib_t:dir { getattr search };
+allow mailman_$1_t var_lib_t:dir { getattr search read };
 allow mailman_$1_t var_lib_t:lnk_file read;
 allow mailman_$1_t device_t:dir search;
 allow mailman_$1_t etc_runtime_t:file { read getattr };
@@ -30,12 +30,16 @@
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
 can_ypbind(mailman_$1_t)
+allow mailman_$1_t self:udp_socket connect;
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
 ')
 
-mailman_domain(queue, `, auth_chkpwd')
+mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
 can_tcp_connect(mailman_queue_t, mail_server_domain)
+allow mailman_queue_t self:tcp_socket connect;
+
+dontaudit mailman_queue_t src_t:dir { search };
 
 can_exec(mailman_queue_t, su_exec_t)
 allow mailman_queue_t self:capability { setgid setuid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mdadm.te policy-1.17.36/domains/program/unused/mdadm.te
--- nsapolicy/domains/program/unused/mdadm.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.36/domains/program/unused/mdadm.te	2004-10-28 09:05:15.000000000 -0400
@@ -40,4 +40,4 @@
 dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
 dontaudit mdadm_t initctl_t:fifo_file { getattr };
 var_run_domain(mdadm)
-allow mdadm_t var_t:dir { getattr };
+allow mdadm_t var_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.17.36/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.17.36/domains/program/unused/mysqld.te	2004-10-28 09:05:15.000000000 -0400
@@ -10,7 +10,7 @@
 #
 # mysqld_exec_t is the type of the mysqld executable.
 #
-daemon_domain(mysqld)
+daemon_domain(mysqld, `, nscd_client_domain' )
 
 type mysqld_port_t, port_type;
 allow mysqld_t mysqld_port_t:tcp_socket name_bind;
@@ -35,7 +35,7 @@
 
 allow initrc_t mysqld_log_t:file { write append setattr ioctl };
 
-allow mysqld_t self:capability { dac_override setgid setuid };
+allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
 allow mysqld_t self:process getsched;
 
 allow mysqld_t proc_t:file { getattr read };
@@ -46,6 +46,7 @@
 
 can_network(mysqld_t)
 can_ypbind(mysqld_t)
+allow mysqld_t self:tcp_socket connect;
 
 # read config files
 r_dir_file(initrc_t, mysqld_etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.36/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/named.te	2004-10-28 09:05:15.000000000 -0400
@@ -19,7 +19,7 @@
 file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
 
 # ndc_t is the domain for the ndc program
-type ndc_t, domain, privlog;
+type ndc_t, domain, privlog, nscd_client_domain;
 role sysadm_r types ndc_t;
 role system_r types ndc_t;
 
@@ -52,6 +52,8 @@
 #Named can use network
 can_network(named_t)
 can_ypbind(named_t)
+allow named_t self:tcp_socket connect;
+
 # allow UDP transfer to/from any program
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
@@ -102,6 +104,7 @@
 uses_shlib(ndc_t)
 can_network(ndc_t)
 can_ypbind(ndc_t)
+allow ndc_t self:tcp_socket connect;
 read_locale(ndc_t)
 can_tcp_connect(ndc_t, named_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.36/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.36/domains/program/unused/nscd.te	2004-10-28 09:05:15.000000000 -0400
@@ -24,6 +24,7 @@
 allow nscd_t etc_t:lnk_file read;
 can_network(nscd_t)
 can_ypbind(nscd_t)
+allow nscd_t self:{ tcp_socket udp_socket } connect;
 
 file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
 
@@ -53,7 +54,7 @@
 allow nscd_t self:process { getattr setsched };
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid net_bind_service net_admin };
+allow nscd_t self:capability { kill setgid setuid net_bind_service net_admin sys_tty_config };
 
 # for when /etc/passwd has just been updated and has the wrong type
 allow nscd_t shadow_t:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.36/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/ntpd.te	2004-10-28 09:05:15.000000000 -0400
@@ -12,6 +12,9 @@
 type ntp_drift_t, file_type, sysadmfile;
 type ntp_port_t, port_type, reserved_port_type;
 
+type ntpdate_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
+
 logdir_domain(ntpd)
 
 allow ntpd_t var_lib_t:dir r_dir_perms;
@@ -36,6 +39,7 @@
 # Use the network.
 can_network(ntpd_t)
 can_ypbind(ntpd_t)
+allow ntpd_t self:{ tcp_socket udp_socket } connect;
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.17.36/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te	2004-06-16 13:33:36.000000000 -0400
+++ policy-1.17.36/domains/program/unused/ping.te	2004-10-28 09:05:15.000000000 -0400
@@ -35,6 +35,7 @@
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
+allow ping_t self:{ tcp_socket udp_socket } connect;
 
 # Let ping create raw ICMP packets.
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
@@ -43,7 +44,7 @@
 allow ping_t node_type:node { rawip_send rawip_recv };
 
 # Use capabilities.
-allow ping_t self:capability { net_raw setuid };
+allow ping_t self:capability { net_raw setuid net_bind_service };
 
 # Access the terminal.
 allow ping_t admin_tty_type:chr_file rw_file_perms;
@@ -55,3 +56,5 @@
 # it tries to access /var/run
 dontaudit ping_t var_t:dir search;
 
+dontaudit ping_t devtty_t:chr_file { read write };
+dontaudit ping_t ping_t:capability { sys_tty_config };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.36/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.17.36/domains/program/unused/portmap.te	2004-10-31 06:59:56.000000000 -0500
@@ -23,6 +23,7 @@
 tmp_domain(portmap)
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
 
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
@@ -51,4 +52,4 @@
 
 # Use capabilities
 allow portmap_t self:capability { net_bind_service setuid setgid };
-
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.17.36/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/postfix.te	2004-10-28 09:05:15.000000000 -0400
@@ -66,7 +66,7 @@
 ifdef(`crond.te',
 `allow system_mail_t crond_t:tcp_socket { read write create };')
 
-postfix_domain(master, `, mail_server_domain')
+postfix_domain(master, `, mail_server_domain, nscd_client_domain')
 rhgb_domain(postfix_master_t)
 
 read_sysctl(postfix_master_t)
@@ -119,6 +119,8 @@
 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
 can_network(postfix_master_t)
 can_ypbind(postfix_master_t)
+allow postfix_master_t self:{ tcp_socket udp_socket } connect;
+
 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
@@ -155,9 +157,10 @@
 postfix_domain($1, `$2')
 domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow postfix_$1_t self:capability { setuid setgid dac_override };
+allow postfix_$1_t self:capability { setuid setgid dac_override net_bind_service };
 can_network(postfix_$1_t)
 can_ypbind(postfix_$1_t)
+allow postfix_$1_t self:{ tcp_socket udp_socket } connect;
 ')
 
 postfix_server_domain(smtp, `, mail_server_sender')
@@ -207,7 +210,7 @@
 can_exec(postfix_local_t, shell_exec_t)
 
 define(`postfix_public_domain',`
-postfix_server_domain($1)
+postfix_server_domain($1, `$2')
 allow postfix_$1_t postfix_public_t:dir search;
 ')
 
@@ -286,7 +289,7 @@
 allow postfix_postdrop_t self:udp_socket create_socket_perms;
 allow postfix_postdrop_t self:capability sys_resource;
 
-postfix_public_domain(pickup)
+postfix_public_domain(pickup, `, nscd_client_domain' )
 allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
 allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
 allow postfix_pickup_t postfix_private_t:dir search;
@@ -297,7 +300,7 @@
 allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
 allow postfix_pickup_t self:tcp_socket create_socket_perms;
 
-postfix_public_domain(qmgr)
+postfix_public_domain(qmgr, `, nscd_client_domain' )
 allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
 allow postfix_qmgr_t postfix_public_t:sock_file write;
 allow postfix_qmgr_t postfix_private_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.17.36/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.36/domains/program/unused/postgresql.te	2004-10-28 09:05:15.000000000 -0400
@@ -11,8 +11,10 @@
 # postgresql_exec_t is the type of the postgresql executable.
 #
 type postgresql_port_t, port_type;
-daemon_domain(postgresql)
+daemon_domain(postgresql, `, nscd_client_domain ' )
 allow initrc_t postgresql_exec_t:lnk_file read;
+allow postgresql_t usr_t:file { getattr read };
+allow postgresql_t self:udp_socket connect;
 
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.17.36/domains/program/unused/privoxy.te
--- nsapolicy/domains/program/unused/privoxy.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.17.36/domains/program/unused/privoxy.te	2004-10-28 09:05:15.000000000 -0400
@@ -8,7 +8,7 @@
 #
 # Rules for the privoxy_t domain.
 #
-daemon_domain(privoxy)
+daemon_domain(privoxy, `, nscd_client_domain')
 
 logdir_domain(privoxy)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radius.te policy-1.17.36/domains/program/unused/radius.te
--- nsapolicy/domains/program/unused/radius.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.36/domains/program/unused/radius.te	2004-10-28 09:05:15.000000000 -0400
@@ -12,7 +12,7 @@
 #
 type radius_port_t, port_type;
 type radacct_port_t, port_type;
-daemon_domain(radiusd, `, auth')
+daemon_domain(radiusd, `, auth, nscd_client_domain')
 
 etcdir_domain(radiusd)
 typealias radiusd_etc_t alias etc_radiusd_t;
@@ -48,11 +48,12 @@
 allow radiusd_t self:fifo_file rw_file_perms;
 # fsetid is for gzip which needs it when run from scripts
 # gzip also needs chown access to preserve GID for radwtmp files
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config net_bind_service };
 
 can_network(radiusd_t)
 can_ypbind(radiusd_t)
 allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
+allow radiusd_t self:tcp_socket connect;
 
 # for RADIUS proxy port
 allow radiusd_t port_t:udp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.17.36/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.36/domains/program/unused/rpcd.te	2004-10-28 09:05:15.000000000 -0400
@@ -11,9 +11,10 @@
 # Rules for the rpcd_t and nfsd_t domain.
 #
 define(`rpc_domain', `
-daemon_base_domain($1)
+daemon_base_domain($1, `, nscd_client_domain' )
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
@@ -24,6 +25,7 @@
 allow $1_t var_lib_nfs_t:file create_file_perms;
 # do not log when it tries to bind to a port belonging to another domain
 dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
 allow $1_t self:netlink_route_socket r_netlink_socket_perms;
 allow $1_t self:unix_dgram_socket create_socket_perms;
 allow $1_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.17.36/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/rshd.te	2004-10-28 09:05:15.000000000 -0400
@@ -34,5 +34,7 @@
 allow rshd_t krb5_conf_t:file { getattr read };
 dontaudit rshd_t krb5_conf_t:file write;
 allow rshd_t tmp_t:dir { search };
+ifdef(`rlogind.te', `
 allow rshd_t rlogind_tmp_t:file rw_file_perms;
+')
 allow rshd_t urandom_device_t:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.36/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/rsync.te	2004-10-28 09:05:15.000000000 -0400
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.36/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.36/domains/program/unused/sendmail.te	2004-10-28 09:05:15.000000000 -0400
@@ -27,6 +27,7 @@
 # Use the network.
 can_network(sendmail_t)
 can_ypbind(sendmail_t)
+allow sendmail_t self:{ tcp_socket udp_socket } connect;
 
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.17.36/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/slapd.te	2004-10-28 09:05:15.000000000 -0400
@@ -10,7 +10,7 @@
 #
 # slapd_exec_t is the type of the slapd executable.
 #
-daemon_domain(slapd)
+daemon_domain(slapd, `, nscd_client_domain' )
 
 type ldap_port_t, port_type, reserved_port_type;
 allow slapd_t ldap_port_t:tcp_socket name_bind;
@@ -30,6 +30,7 @@
 allow slapd_t self:unix_dgram_socket create_socket_perms;
 # allow any domain to connect to the LDAP server
 can_tcp_connect(domain, slapd_t)
+allow slapd_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities  should not need kill...
 allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.17.36/domains/program/unused/slocate.te
--- nsapolicy/domains/program/unused/slocate.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.36/domains/program/unused/slocate.te	2004-10-28 09:05:15.000000000 -0400
@@ -9,7 +9,7 @@
 #
 # locate_exec_t is the type of the locate executable.
 #
-daemon_base_domain(locate)
+daemon_base_domain(locate, `, nscd_client_domain' )
 
 allow locate_t fs_t:filesystem getattr;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.36/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.17.36/domains/program/unused/snmpd.te	2004-10-28 09:05:15.000000000 -0400
@@ -8,13 +8,14 @@
 #
 # Rules for the snmpd_t domain.
 #
-daemon_domain(snmpd)
+daemon_domain(snmpd, `, nscd_client_domain' )
 
 #temp
 allow snmpd_t var_t:dir getattr;
 
 can_network(snmpd_t)
 can_ypbind(snmpd_t)
+allow snmpd_t self:{ tcp_socket udp_socket } connect;
 
 type snmp_port_t, port_type, reserved_port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
@@ -38,7 +39,7 @@
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_socket_perms;
 allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file { getattr read };
+allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
 allow snmpd_t urandom_device_t:chr_file read;
 allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.17.36/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.36/domains/program/unused/spamd.te	2004-10-28 16:33:17.000000000 -0400
@@ -5,7 +5,7 @@
 # Depends: spamassassin.te
 #
 
-daemon_domain(spamd)
+daemon_domain(spamd, `, nscd_client_domain' )
 
 tmp_domain(spamd)
 
@@ -24,7 +24,9 @@
 dontaudit spamd_t sysadm_home_dir_t:dir getattr;
 
 can_network(spamd_t)
+allow spamd_t self:udp_socket connect;
 allow spamd_t self:capability { net_bind_service };
+allow spamd_t self:tcp_socket connect;
 
 allow spamd_t proc_t:file { getattr read };
 
@@ -59,7 +61,7 @@
 allow spamd_t autofs_t:dir { search getattr };
 ')
 
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 allow spamd_t nfs_t:dir rw_dir_perms;
 allow spamd_t nfs_t:file create_file_perms;
 }
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.17.36/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.36/domains/program/unused/squid.te	2004-10-28 09:05:15.000000000 -0400
@@ -56,6 +56,7 @@
 can_network(squid_t)
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
+allow squid_t self:{ tcp_socket udp_socket } connect;
 
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
 allow squid_t http_cache_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.17.36/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.36/domains/program/unused/swat.te	2004-10-28 09:05:15.000000000 -0400
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/traceroute.te policy-1.17.36/domains/program/unused/traceroute.te
--- nsapolicy/domains/program/unused/traceroute.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.36/domains/program/unused/traceroute.te	2004-10-28 13:35:45.000000000 -0400
@@ -20,6 +20,7 @@
 uses_shlib(traceroute_t)
 can_network(traceroute_t)
 can_ypbind(traceroute_t)
+allow traceroute_t self:{ tcp_socket udp_socket } connect;
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.36/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.36/domains/program/unused/udev.te	2004-10-28 09:05:15.000000000 -0400
@@ -81,6 +81,7 @@
 ifdef(`xdm.te', `
 allow udev_t xdm_var_run_t:file { getattr read };
 ')
+dontaudit udev_t staff_home_dir_t:dir { search };
 
 ifdef(`hotplug.te', `
 r_dir_file(udev_t, hotplug_etc_t)
@@ -108,7 +109,7 @@
 
 allow udev_t udev_helper_exec_t:dir r_dir_perms;
 
-dbusd_client(system, udev_t)
+dbusd_client(system, udev)
 
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
 allow udev_t sysctl_dev_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.36/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.36/domains/program/unused/updfstab.te	2004-10-28 09:05:15.000000000 -0400
@@ -28,7 +28,10 @@
 
 read_locale(updfstab_t)
 
-dbusd_client(system, updfstab_t)
+ifdef(`dbusd.te', `
+dbusd_client(system, updfstab)
+allow updfstab_t system_dbusd_t:dbus { send_msg };
+')
 
 # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
 # I will not allow it
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.17.36/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.36/domains/program/unused/vpnc.te	2004-10-28 09:05:15.000000000 -0400
@@ -10,13 +10,15 @@
 # vpnc_t is the domain for the vpnc program.
 # vpnc_exec_t is the type of the vpnc executable.
 #
-daemon_domain(vpnc)
+daemon_domain(vpnc, `, nscd_client_domain' )
 
 allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
 
 # Use the network.
 can_network(vpnc_t)
 can_ypbind(vpnc_t)
+allow vpnc_t self:udp_socket connect;
+allow vpnc_t self:socket create_socket_perms;
 
 # Use capabilities.
 allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
@@ -28,3 +30,13 @@
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
 allow vpnc_t admin_tty_type:chr_file rw_file_perms;
+allow vpnc_t self:socket connect;
+allow vpnc_t port_t:udp_socket { name_bind };
+allow vpnc_t etc_runtime_t:file { getattr read };
+allow vpnc_t proc_t:file { getattr read };
+dontaudit vpnc_t selinux_config_t:dir search;
+can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
+allow vpnc_t sysctl_net_t:dir { search };
+allow vpnc_t sbin_t:dir { search };
+allow vpnc_t bin_t:dir { search };
+allow vpnc_t bin_t:lnk_file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.17.36/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-11-01 11:04:36.821136743 -0500
+++ policy-1.17.36/domains/program/unused/xdm.te	2004-10-28 09:05:15.000000000 -0400
@@ -47,6 +47,7 @@
 
 can_network(xdm_t)
 can_ypbind(xdm_t)
+allow xdm_t self:udp_socket connect;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:fifo_file rw_file_perms;
@@ -277,7 +277,7 @@
 allow xdm_xserver_t user_home_type:dir search;
 allow xdm_xserver_t user_home_type:file { getattr read };
 
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
 ')
@@ -287,7 +287,7 @@
 }
 
 # for .dmrc
-allow xdm_t user_home_dir_type:dir search;
+allow xdm_t user_home_dir_type:dir { getattr search };
 allow xdm_t user_home_type:file { getattr read };
 
 allow xdm_t mnt_t:dir { getattr read search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xfs.te policy-1.17.36/domains/program/unused/xfs.te
--- nsapolicy/domains/program/unused/xfs.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.36/domains/program/unused/xfs.te	2004-10-28 09:05:15.000000000 -0400
@@ -12,7 +12,7 @@
 # xfs_t is the domain of the X font server.
 # xfs_exec_t is the type of the xfs executable.
 #
-daemon_domain(xfs)
+daemon_domain(xfs, `, nscd_client_domain' )
 
 # for /tmp/.font-unix/fs7100
 ifdef(`distro_debian', `
@@ -29,8 +29,10 @@
 allow xfs_t self:process setpgid;
 can_ypbind(xfs_t)
 
+allow xfs_t self:tcp_socket connect;
+
 # Use capabilities.
-allow xfs_t self:capability { setgid setuid };
+allow xfs_t self:capability { setgid setuid net_bind_service };
 
 # Bind to /tmp/.font-unix/fs-1.
 allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.17.36/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-10-14 23:25:19.000000000 -0400
+++ policy-1.17.36/domains/program/unused/ypbind.te	2004-10-28 16:11:51.000000000 -0400
@@ -10,9 +10,7 @@
 #
 # Rules for the ypbind_t domain.
 #
-daemon_domain(ypbind)
-
-bool allow_ypbind true;
+daemon_domain(ypbind, `, nscd_client_domain' )
 
 tmp_domain(ypbind)
 
@@ -22,6 +20,7 @@
 # Use the network.
 can_network(ypbind_t)
 allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
+allow ypbind_t self:{ tcp_socket udp_socket } connect;
 
 allow ypbind_t self:fifo_file rw_file_perms;
 
@@ -39,5 +38,5 @@
 allow ypbind_t etc_t:file { getattr read };
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:tcp_socket { name_bind };
-allow ypbind_t reserved_port_t:udp_socket { name_bind };
+allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } { name_bind };
+dontaudit ypbind_t reserved_port_type:{udp_socket tcp_socket} { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.17.36/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.36/domains/program/unused/ypserv.te	2004-10-28 16:12:37.000000000 -0400
@@ -40,3 +40,4 @@
 allow rpcd_t ypserv_conf_t:file { getattr read };
 ')
 allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
+dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/zebra.te policy-1.17.36/domains/program/unused/zebra.te
--- nsapolicy/domains/program/unused/zebra.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.36/domains/program/unused/zebra.te	2004-10-28 09:05:15.000000000 -0400
@@ -5,7 +5,7 @@
 #
 type zebra_port_t, port_type;
 
-daemon_domain(zebra, `, sysctl_net_writer')
+daemon_domain(zebra, `, sysctl_net_writer, nscd_client_domain')
 type zebra_conf_t, file_type, sysadmfile;
 r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.17.36/domains/user.te
--- nsapolicy/domains/user.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.36/domains/user.te	2004-10-28 09:05:44.000000000 -0400
@@ -8,13 +8,16 @@
 bool user_dmesg false;
 
 # Support NFS home directories
-bool nfs_home_dirs false;
+bool use_nfs_home_dirs false;
 
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users)  disabling this forces FTP passive mode
 # and may change other protocols 
 bool user_tcp_server false;
 
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 # Allow users to rw usb devices
 bool user_rw_usb false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.17.36/file_contexts/program/ntpd.fc
--- nsapolicy/file_contexts/program/ntpd.fc	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.17.36/file_contexts/program/ntpd.fc	2004-10-28 09:05:15.000000000 -0400
@@ -3,7 +3,7 @@
 /etc/ntp(d)?\.conf		--	system_u:object_r:net_conf_t
 /etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
 /usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
-/usr/sbin/ntpdate		--	system_u:object_r:ntpd_exec_t
+/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t
 /var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
 /var/log/ntpd.*			--	system_u:object_r:ntpd_log_t
 /var/log/xntpd.*		--	system_u:object_r:ntpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/vpnc.fc policy-1.17.36/file_contexts/program/vpnc.fc
--- nsapolicy/file_contexts/program/vpnc.fc	2004-10-05 10:43:34.000000000 -0400
+++ policy-1.17.36/file_contexts/program/vpnc.fc	2004-10-28 09:05:15.000000000 -0400
@@ -1,2 +1,3 @@
 # vpnc
 /usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
+/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.36/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.36/file_contexts/types.fc	2004-10-29 11:57:08.000000000 -0400
@@ -339,7 +339,8 @@
 /usr/inclu.e(/.*)?		system_u:object_r:usr_t
 /usr/libexec(/.*)?		system_u:object_r:bin_t
 /usr/src(/.*)?			system_u:object_r:src_t
-/usr/tmp(/.*)?			system_u:object_r:tmp_t
+/usr/tmp		-d	system_u:object_r:tmp_t
+/usr/tmp/.*			<<none>>
 /usr/man(/.*)?			system_u:object_r:man_t
 /usr/share/man(/.*)?		system_u:object_r:man_t
 /usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.17.36/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.36/macros/admin_macros.te	2004-10-28 11:33:38.000000000 -0400
@@ -195,4 +195,5 @@
 
 # for lsof
 allow $1_t domain:socket_class_set getattr;
+allow $1_t eventpollfs_t:file getattr;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.36/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-01 11:04:37.640044119 -0500
+++ policy-1.17.36/macros/base_user_macros.te	2004-10-28 13:18:07.000000000 -0400
@@ -47,8 +47,10 @@
 
 # open office is looking for the following
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-# Do not flood message log, if the user does ls /dev 
+# Do not flood message log, if the user does ls -lR /
 dontaudit $1_t dev_fs:dir_file_class_set getattr;
+dontaudit $1_t sysadmfile:file getattr;
+dontaudit $1_t sysadmfile:dir read;
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
@@ -61,7 +63,7 @@
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 create_dir_file($1_t, nfs_t)
 can_exec($1_t, nfs_t)
 allow $1_t nfs_t:{ sock_file fifo_file } create_file_perms;
@@ -193,11 +192,23 @@
 # Use the network.
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ tcp_socket udp_socket } connect;
+
+ifdef(`pamconsole.te', `
+allow $1_t pam_var_console_t:dir { search };
+')
+
+allow $1_t var_lock_t:dir { search };
 
 # Grant permissions to access the system DBus
 ifdef(`dbusd.te', `
-dbusd_client(system, $1_t)
-dbusd_client($1, $1_t)
+dbusd_client(system, $1)
+can_network($1_dbusd_t)
+allow user_dbusd_t reserved_port_t:tcp_socket { name_bind };
+
+allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+dbusd_client($1, $1)
+allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
 dbusd_domain($1)
 ifdef(`hald.te', `
 allow $1_t hald_t:dbus { send_msg };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.17.36/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-09-22 16:19:13.000000000 -0400
+++ policy-1.17.36/macros/core_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -132,22 +132,32 @@
 #
 # Permissions for using sockets.
 # 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
 # 
-define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`connected_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for creating, connecting and using sockets.
+# 
+define(`create_socket_perms', `{ connected_socket_perms connect }')
 
 #
 # Permissions for using stream sockets.
 # 
-define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+# 
+define(`connected_stream_socket_perms', `{ create rw_stream_socket_perms }')
 
 #
 # Permissions for creating and using stream sockets.
 # 
-define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`create_stream_socket_perms', `{ connect connected_stream_socket_perms }')
 
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.36/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.36/macros/global_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -118,64 +118,6 @@
 
 #################################
 #
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-#
-# Allow the domain to create and use UDP and TCP sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:udp_socket create_socket_perms;
-allow $1 self:tcp_socket create_stream_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_type:netif { tcp_send udp_send rawip_send };
-allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { tcp_send udp_send rawip_send };
-allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-
-#
-# Bind to the default port type.
-# Other port types must be separately authorized.
-#
-#allow $1 port_t:udp_socket name_bind;
-#allow $1 port_t:tcp_socket name_bind;
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type: { tcp_socket udp_socket } node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
 # can_sysctl(domain)
 #
 # Permissions for modifying sysctl parameters.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.17.36/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.36/macros/network_macros.te	2004-10-28 11:37:50.000000000 -0400
@@ -0,0 +1,94 @@
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`base_can_network',`
+#
+# Allow the domain to create and use $2 sockets.
+# Other kinds of sockets must be separately authorized for use.
+allow $1 self:$2_socket connected_socket_perms;
+
+#
+# Allow the domain to send or receive using any network interface.
+# netif_type is a type attribute for all network interface types.
+#
+allow $1 netif_type:netif { $2_send rawip_send };
+allow $1 netif_type:netif { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any node.
+# node_type is a type attribute for all node types.
+#
+allow $1 node_type:node { $2_send rawip_send };
+allow $1 node_type:node { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any port.
+# port_type is a type attribute for all port types.
+#
+ifelse($3, `', `
+allow $1 port_type:{ $2_socket } { send_msg recv_msg };
+', `
+allow $1 $3:{ $2_socket } { send_msg recv_msg };
+')
+
+# XXX Allow binding to any node type.  Remove once
+# individual rules have been added to all domains that 
+# bind sockets. 
+allow $1 node_type: { $2_socket } node_bind;
+#
+# Allow access to network files including /etc/resolv.conf
+#
+allow $1 net_conf_t:file r_file_perms;
+')dnl end can_network definition
+
+#################################
+#
+# can_tcp_network(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_tcp_network',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { listen accept };
+')
+
+#################################
+#
+# can_udp_network(domain)
+#
+# Permissions for accessing a udp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_udp_network',`
+base_can_network($1, udp, `$2')
+')
+
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network',`
+
+can_tcp_network($1)
+can_udp_network($1)
+
+#
+# Allow the domain to send NFS client requests via the socket
+# created by mount.
+#
+allow $1 mount_t:udp_socket rw_socket_perms;
+
+')dnl end can_network definition
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crond_macros.te policy-1.17.36/macros/program/crond_macros.te
--- nsapolicy/macros/program/crond_macros.te	2004-09-02 14:45:47.000000000 -0400
+++ policy-1.17.36/macros/program/crond_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -20,7 +20,7 @@
 define(`crond_domain',`
 # Derived domain for user cron jobs, user user_crond_domain if not system
 ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail;
+type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
 ', `
 type $1_crond_t, domain, user_crond_domain;
 
@@ -68,6 +68,7 @@
 # This domain is granted permissions common to most domains.
 can_network($1_crond_t)
 can_ypbind($1_crond_t)
+allow $1_crond_t self:{ tcp_socket udp_socket } connect;
 r_dir_file($1_crond_t, self)
 allow $1_crond_t self:fifo_file rw_file_perms;
 allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.17.36/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2004-10-07 08:02:02.000000000 -0400
+++ policy-1.17.36/macros/program/dbusd_macros.te	2004-10-29 14:29:32.000000000 -0400
@@ -24,6 +24,7 @@
 domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t)
 read_locale($1_dbusd_t)
 allow $1_t $1_dbusd_t:process { sigkill signal };
+allow $1_dbusd_t self:process { sigkill signal };
 dontaudit $1_dbusd_t var_t:dir { getattr search };
 ')dnl end ifdef single_userdomain
 ')dnl end ifelse system
@@ -50,26 +51,44 @@
 r_dir_file($1_dbusd_t, pam_var_console_t)
 ')
 
+allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+
 ')dnl end dbusd_domain definition
 
-# dbusd_client(dbus_type, domain)
-# Example: dbusd_client_domain(system, user_t)
+# dbusd_client(dbus_type, domain_prefix)
+# Example: dbusd_client_domain(system, user)
 #
-# Grant permissions for connecting to the specified DBus type
-# from domain.
+# Define a new derived domain for connecting to dbus_type
+# from domain_prefix_t. 
 define(`dbusd_client',`')
 ifdef(`dbusd.te',`
 undefine(`dbusd_client')
 define(`dbusd_client',`
+
+# Derived type used for connection
+type $2_dbusd_$1_t;
+type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
+
 # For connecting to the bus
-allow $2 $1_dbusd_t:unix_stream_socket { connectto };
+allow $2_t $1_dbusd_t:unix_stream_socket { connectto };
 ifelse(`system', `$1', `
-allow { $2 } { var_run_t system_dbusd_var_run_t }:dir search;
-allow { $2 } system_dbusd_var_run_t:sock_file { write };
+allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
+allow { $2_t } system_dbusd_var_run_t:sock_file { write };
 ',`
 ') dnl endif system
 # SE-DBus specific permissions
-allow $2 { $1_dbusd_t self }:dbus { send_msg };
-allow $2 $1_dbusd_t:dbus { acquire_svc };
+allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus { send_msg };
+') dnl endif dbusd.te
+')
+
+# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
+# Example: can_dbusd_converse(system, hald, updfstab)
+# Example: can_dbusd_converse(session, user, user)
+define(`can_dbusd_converse',`')
+ifdef(`dbusd.te',`
+undefine(`can_dbusd_converse')
+define(`can_dbusd_converse',`
+allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
+allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
 ') dnl endif dbusd.te
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.17.36/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te	2004-09-20 15:41:01.000000000 -0400
+++ policy-1.17.36/macros/program/gpg_agent_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -48,11 +48,11 @@
 # read ~/.gnupg
 allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
 r_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_gpg_agent_t, nfs_t)
 # write ~/.xsession-errors
 allow $1_gpg_agent_t nfs_t:file write;
-')
+}
 
 allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
@@ -107,12 +107,12 @@
 # wants to put some lock files into the user home dir, seems to work fine without
 dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
 dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
 allow $1_gpg_pinentry_t nfs_t:file { getattr read };
 dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
 dontaudit $1_gpg_pinentry_t nfs_t:file write;
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # read /etc/X11/qtrc
 allow $1_gpg_pinentry_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.17.36/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2004-08-27 09:30:30.000000000 -0400
+++ policy-1.17.36/macros/program/gpg_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -83,9 +83,9 @@
 # allow the usual access to /tmp
 file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 create_dir_file($1_gpg_t, nfs_t)
-')dnl end if nfs_home_dirs
+}dnl end if use_nfs_home_dirs
 
 allow $1_gpg_t self:capability { ipc_lock setuid };
 allow $1_gpg_t devtty_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gph_macros.te policy-1.17.36/macros/program/gph_macros.te
--- nsapolicy/macros/program/gph_macros.te	2004-03-17 13:26:06.000000000 -0500
+++ policy-1.17.36/macros/program/gph_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -25,7 +25,7 @@
 undefine(`gph_domain')
 define(`gph_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_gph_t, domain, gphdomain;
+type $1_gph_t, domain, gphdomain, nscd_client_domain;
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.17.36/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2004-07-26 16:16:11.000000000 -0400
+++ policy-1.17.36/macros/program/lpr_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -80,9 +80,9 @@
 allow $1_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;  
 allow $1_lpr_t $1_home_t:{ file lnk_file } r_file_perms;  
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_lpr_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # Read and write shared files in the spool directory.
 allow $1_lpr_t print_spool_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.17.36/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.17.36/macros/program/mount_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -67,9 +67,11 @@
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
 
 ifdef(`distro_redhat',`
+ifdef(`pamconsole.te',`
 r_dir_file($2_t,pam_var_console_t)
 # mount config by default sets fscontext=removable_t
 allow $2_t dosfs_t:filesystem { relabelfrom };
+') dnl end pamconsole.te
 ') dnl end distro_redhat
 ') dnl end mount_domain
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.36/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.17.36/macros/program/mozilla_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -16,11 +16,8 @@
 # provided separately in domains/program/mozilla.te. 
 #
 define(`mozilla_domain',`
-ifdef(`single_userdomain', `
-typealias $1_home_t alias { $1_home_mozilla_rw_t $1_home_mozilla_ro_t };
-typealias $1_t alias $1_mozilla_t;
-', `
 x_client_domain($1, mozilla, `, web_client_domain, privlog')
+allow $1_mozilla_t self:{ tcp_socket udp_socket } { connect };
 
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
 
@@ -40,9 +37,9 @@
 allow $1_t $1_mozilla_rw_t:sock_file create_file_perms;
 can_unix_connect($1_t, $1_mozilla_t)
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 create_dir_file($1_mozilla_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 ifdef(`automount.te', `
 allow $1_mozilla_t autofs_t:dir { search getattr };
 ')dnl end if automount
@@ -123,6 +120,5 @@
 allow $1_mozilla_t xdm_tmp_t:file { getattr read };
 allow $1_mozilla_t xdm_tmp_t:sock_file { write };
 ')dnl end if xdm.te
-')dnl end ifdef single_userdomain
 ')dnl end mozilla macro
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.17.36/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2004-07-26 16:16:11.000000000 -0400
+++ policy-1.17.36/macros/program/mta_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -37,6 +37,7 @@
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
+allow $1_mail_t self:{ tcp_socket udp_socket } connect;
 
 read_locale($1_mail_t)
 read_sysctl($1_mail_t)
@@ -96,9 +97,9 @@
 # Create dead.letter in user home directories.
 file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 rw_dir_create_file($1_mail_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # if you do not want to allow dead.letter then use the following instead
 #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/newrole_macros.te policy-1.17.36/macros/program/newrole_macros.te
--- nsapolicy/macros/program/newrole_macros.te	2004-11-01 11:04:37.852020143 -0500
+++ policy-1.17.36/macros/program/newrole_macros.te	2004-10-27 14:38:36.000000000 -0400
@@ -23,6 +23,9 @@
 # for when the user types "exec newrole" at the command line
 allow $1_t privfd:process sigchld;
 
+type $1_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(userdomain, $1_exec_t, $1_t)
+
 # Inherit descriptors from the current session.
 allow $1_t privfd:fd use;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.17.36/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2004-11-01 11:04:37.855019804 -0500
+++ policy-1.17.36/macros/program/screen_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -42,11 +42,7 @@
 allow $1_screen_t urandom_device_t:chr_file read;
 
 # Revert to the user domain when a shell is executed.
-domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t)
-domain_auto_trans($1_screen_t, $1_home_t, $1_t)
-ifdef(`nfs_home_dirs', `
-domain_auto_trans($1_screen_t, nfs_t, $1_t)
-')
+domain_auto_trans($1_screen_t, shell_exec_t, $1_t)
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
@@ -54,9 +50,9 @@
 allow $1_screen_t $1_home_screen_t:{ file lnk_file } r_file_perms;
 allow $1_t $1_home_screen_t:file { create_file_perms relabelfrom relabelto };
 allow $1_t $1_home_screen_t:lnk_file { create_lnk_perms relabelfrom relabelto };
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_screen_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 allow $1_screen_t privfd:fd use;
 
@@ -104,6 +100,7 @@
 allow $1_screen_t self:unix_stream_socket create_socket_perms;
 allow $1_screen_t self:unix_dgram_socket create_socket_perms;
 
+can_exec($1_screen_t, shell_exec_t)
 allow $1_screen_t bin_t:dir search;
 allow $1_screen_t bin_t:lnk_file read;
 read_locale($1_screen_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.17.36/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2004-10-07 08:02:03.000000000 -0400
+++ policy-1.17.36/macros/program/ssh_agent_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -37,12 +37,12 @@
 can_ps($1_t, $1_ssh_agent_t)
 
 can_ypbind($1_ssh_agent_t)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_ssh_agent_t autofs_t:dir { search getattr };
 ')
 rw_dir_create_file($1_ssh_agent_t, nfs_t)
-')dnl end nfs_home_dirs
+} dnl end use_nfs_home_dirs
 
 uses_shlib($1_ssh_agent_t)
 read_locale($1_ssh_agent_t)
@@ -70,9 +70,9 @@
 
 # transition back to normal privs upon exec
 domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
-')
+}
 allow $1_ssh_agent_t bin_t:dir search;
 
 # allow reading of /usr/bin/X11 (is a symlink)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.36/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-10-14 23:25:20.000000000 -0400
+++ policy-1.17.36/macros/program/ssh_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -20,20 +20,16 @@
 undefine(`ssh_domain')
 ifdef(`ssh.te', `
 define(`ssh_domain',`
-ifdef(`single_userdomain', `
-typealias $1_home_t alias $1_home_ssh_t;
-typealias $1_t alias $1_ssh_t;
-', `
 # Derived domain based on the calling user domain and the program.
-type $1_ssh_t, domain, privlog;
+type $1_ssh_t, domain, privlog, nscd_client_domain;
 type $1_home_ssh_t, file_type, homedirfile, sysadmfile;
 
 ifdef(`automount.te', `
 allow $1_ssh_t autofs_t:dir { search getattr };
 ')
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 create_dir_file($1_ssh_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
@@ -88,6 +84,7 @@
 # to access the network.
 can_network($1_ssh_t)
 can_ypbind($1_ssh_t)
+allow $1_ssh_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities.
 allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
@@ -164,7 +161,6 @@
 allow $1_ssh_t krb5_conf_t:file { getattr read };
 dontaudit $1_ssh_t krb5_conf_t:file { write };
 ')dnl end if xdm.te
-')dnl end if single_userdomain
 ')dnl end macro definition
 
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sudo_macros.te policy-1.17.36/macros/program/sudo_macros.te
--- nsapolicy/macros/program/sudo_macros.te	2004-11-01 11:04:37.875017542 -0500
+++ policy-1.17.36/macros/program/sudo_macros.te	2004-10-27 14:38:36.000000000 -0400
@@ -31,4 +31,5 @@
 rw_dir_create_file($1_sudo_t, $1_tmp_t)
 rw_dir_create_file($1_sudo_t, $1_home_t)
 domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
+r_dir_file($1_sudo_t, selinux_config_t)
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.17.36/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2004-10-26 10:58:57.000000000 -0400
+++ policy-1.17.36/macros/program/su_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -62,7 +62,7 @@
 ')
 
 # Use capabilities.
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override sys_nice sys_resource };
 dontaudit $1_su_t self:capability sys_tty_config;
 #
 # Caused by su - init scripts
@@ -137,16 +137,16 @@
 ifdef(`automount.te', `
 allow $1_su_t autofs_t:dir { search getattr };
 ')
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 allow $1_su_t nfs_t:dir search;
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # Modify .Xauthority file (via xauth program).
 ifdef(`single_userdomain', `
 file_type_auto_trans($1_su_t, $1_home_dir_t, $1_home_t, file)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 rw_dir_create_file($1_su_t, nfs_t)
-')
+}
 ', `
 ifdef(`xauth.te', `
 file_type_auto_trans($1_su_t, staff_home_dir_t, staff_home_xauth_t, file)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.17.36/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2004-10-05 14:52:36.000000000 -0400
+++ policy-1.17.36/macros/program/tvtime_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -33,7 +33,9 @@
 allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
 allow $1_tvtime_t self:process { setsched };
 allow $1_tvtime_t usr_t:file { getattr read };
+ifdef(`xdm.te', `
 allow $1_tvtime_t xdm_tmp_t:dir { search };
+')
 
 ')dnl end tvtime_domain
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.36/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.36/macros/program/userhelper_macros.te	2004-10-28 15:05:06.000000000 -0400
@@ -14,10 +14,7 @@
 # provided separately in domains/program/userhelper.te. 
 #
 define(`userhelper_domain',`
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_userhelper_t;
-', `
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
 
 in_user_role($1_userhelper_t)
 role sysadm_r types $1_userhelper_t;
@@ -142,7 +139,9 @@
 domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
 ')
+
+ifdef(`pamconsole.te', `
 allow $1_userhelper_t pam_var_console_t:dir { search };
+')
 
-')dnl end ifdef single_userdomain
 ')dnl end userhelper macro
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.17.36/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2004-06-16 13:33:38.000000000 -0400
+++ policy-1.17.36/macros/program/xauth_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -87,12 +87,12 @@
 tmp_domain($1_xauth)
 allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_xauth_t autofs_t:dir { search getattr };
 ')
 rw_dir_create_file($1_xauth_t, nfs_t)
-')dnl end nfs_home_dirs
+} dnl end use_nfs_home_dirs
 ')dnl end ifdef single_userdomain
 ')dnl end xauth_domain macro
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.36/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.36/macros/program/xserver_macros.te	2004-10-29 14:45:28.000000000 -0400
@@ -25,14 +25,15 @@
 define(`xserver_domain',`
 # Derived domain based on the calling user domain and the program.
 ifdef(`distro_redhat', `
-type $1_xserver_t, domain, privlog, privmem, privmodule;
+type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
 allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
+ifdef(`rpm.te', `
 allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
 allow $1_xserver_t rpm_tmpfs_t:file { read write };
 allow $1_xserver_t rpm_t:fd { use };
-
+')
 ', `
-type $1_xserver_t, domain, privlog, privmem;
+type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
 ')
 
 # for SSP
@@ -51,6 +52,7 @@
 uses_shlib($1_xserver_t)
 can_network($1_xserver_t)
 can_ypbind($1_xserver_t)
+allow $1_xserver_t self:udp_socket connect;
 allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
 
 # for access within the domain
@@ -148,6 +150,7 @@
 allow xdm_xserver_t xdm_t:process signal;
 allow xdm_xserver_t xdm_t:shm rw_shm_perms;
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
 ')
 ', `
 allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.17.36/macros/program/ypbind_macros.te
--- nsapolicy/macros/program/ypbind_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.36/macros/program/ypbind_macros.te	2004-10-28 09:05:15.000000000 -0400
@@ -10,6 +10,8 @@
 ifdef(`ypbind.te', `
 if (allow_ypbind) {
 uncond_can_ypbind($1)
+} else {
+dontaudit $1 var_yp_t:dir { search };
 }
 ') dnl ypbind.te
 ') dnl can_ypbind
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.36/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.17.36/macros/user_macros.te	2004-10-29 14:51:09.000000000 -0400
@@ -103,16 +103,12 @@
 dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file {getattr read};
 
 ifdef(`xdm.te', `
-ifdef(`single_userdomain', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_home_t, file)
-', `
 allow xdm_t $1_home_t:lnk_file read;
 allow xdm_t $1_home_t:dir search;
 #
 # Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
 # 
 dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end else single_userdomain
 ')dnl end ifdef xdm.te
 
 ifdef(`ftpd.te', `
@@ -151,11 +147,6 @@
 # Stat lost+found.
 allow $1_t lost_found_t:dir getattr;
 
-# Read the /tmp directory and any /tmp files with the base type.
-# Temporary files created at runtime will typically use derived types.
-allow $1_t tmp_t:dir r_dir_perms;
-allow $1_t tmp_t:{ file lnk_file } r_file_perms;
-
 # Read /var, /var/spool, /var/run.
 allow $1_t var_t:dir r_dir_perms;
 allow $1_t var_t:notdevfile_class_set r_file_perms;
@@ -233,9 +224,11 @@
 allow $1_mount_t iso9660_t:filesystem { relabelfrom };
 allow $1_mount_t removable_t:filesystem { mount relabelto };
 allow $1_mount_t removable_t:dir { mounton };
+ifdef(`xdm.te', `
 allow $1_mount_t xdm_t:fd { use };
 allow $1_mount_t xdm_t:fifo_file { write };
 ')
+')
 
 #
 # Rules used to associate a homedir as a mountpoint
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.17.36/net_contexts
--- nsapolicy/net_contexts	2004-10-19 16:03:01.000000000 -0400
+++ policy-1.17.36/net_contexts	2004-10-28 09:05:15.000000000 -0400
@@ -143,12 +143,12 @@
 ')
 ifdef(`asterisk.te', `
 portcon tcp 1720 system_u:object_r:asterisk_port_t
-portcon tcp 2000 system_u:object_r:asterisk_port_t
 portcon udp 2427 system_u:object_r:asterisk_port_t
 portcon udp 2727 system_u:object_r:asterisk_port_t
 portcon udp 4569 system_u:object_r:asterisk_port_t
 portcon udp 5060 system_u:object_r:asterisk_port_t
 ')
+portcon tcp 2000 system_u:object_r:mail_port_t
 ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
 ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
 ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.17.36/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.36/targeted/domains/unconfined.te	2004-10-28 09:05:57.000000000 -0400
@@ -40,5 +40,9 @@
 allow unlabeled_t self:filesystem { associate };
 
 # Support NFS home directories
-bool nfs_home_dirs false;
+bool use_nfs_home_dirs false;
+
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.36/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.36/tunables/distro.tun	2004-10-28 09:05:15.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.36/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.36/tunables/tunable.tun	2004-10-28 09:05:15.000000000 -0400
@@ -1,33 +1,30 @@
 # Allow all domains to connect to nscd
 dnl define(`nscd_all_connect')
 
-# Allow users to control network interfaces (also needs USERCTL=true)
-dnl define(`user_net_control')
-
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.17.36/types/network.te
--- nsapolicy/types/network.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.36/types/network.te	2004-10-28 09:05:15.000000000 -0400
@@ -59,6 +59,11 @@
 #
 
 #
+# mail_port_t is for generic mail ports shared by different mail servers
+#
+type mail_port_t, port_type;
+
+#
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
 # numbers in net_contexts or net_contexts.mls.

Re: Patch to make can_network stronger and remove nscd tunable.

[Russell Coker]

On Tue, 2 Nov 2004 03:18, Daniel J Walsh <dwalsh@redhat.com> wrote:

+allow crond_t self:{ tcp_socket udp_socket } connect;

crond.te has no can_network() invocation.  Maybe we should have the following 
in the definition of uncond_can_ypbind():
allow $1 self:{ tcp_socket udp_socket } connect;

It seems that cnan_ypbind() is the only network use in crond.te.


-allow dictd_t self:capability { setuid setgid };
+allow dictd_t self:capability { setuid setgid net_bind_service };

dictd_t is not permitted to bind to any low ports.  How does it need 
net_bind_service capability?

+allow hald_t { device_t }:{ chr_file } { create_file_perms };

Three sets of redundant braces.  Why does it need to create character device 
nodes anyway?  We have udev to do that!

+file_type_auto_trans(kudzu_t, tmp_t, kudzu_tmp_t, chr_file)

Why is kudzu creating device nodes under /tmp?  This sounds like a bug in 
kudzu to me.

+dontaudit mailman_queue_t src_t:dir { search };

I've filed a bugzilla about that one:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137863

We should have ifdef(`hide_broken_symptoms', around it too.

-allow mysqld_t self:capability { dac_override setgid setuid };
+allow mysqld_t self:capability { dac_override setgid setuid 
net_bind_service };

Why does mysqld_t need name_bind_service?  It doesn't seem to be allowed to 
bind to any low ports anyway.

-allow postfix_$1_t self:capability { setuid setgid dac_override };
+allow postfix_$1_t self:capability { setuid setgid dac_override 
net_bind_service };

What is this for?  Which Postfix programs need such access?  Maybe you should 
have net_bind_service inside the can_ypbind() macro or something.  Normal 
Postfix operation does not need such a change.

-allow radiusd_t self:capability { chown dac_override fsetid kill setgid 
setuid sys_resource sys_tty_config };
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid 
setuid sys_resource sys_tty_config net_bind_service };

Once again, this should not be needed.


If every instance of daemon_domain() is going to get nscd_client_domain added, 
then perhaps we should just change the definition of daemon_domain() 
accordingly?


Why isn't allow $1 self:{ tcp_socket udp_socket } connect; in can_network()?



I think that some structural changes need to be made before any of the changes 
in this can go in the CVS.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Daniel J Walsh]

Russell Coker wrote:

>On Tue, 2 Nov 2004 03:18, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>+allow crond_t self:{ tcp_socket udp_socket } connect;
>
>crond.te has no can_network() invocation.  Maybe we should have the following 
>in the definition of uncond_can_ypbind():
>allow $1 self:{ tcp_socket udp_socket } connect;
>
>It seems that cnan_ypbind() is the only network use in crond.te.
>
>  
>
Ok I will change.

>-allow dictd_t self:capability { setuid setgid };
>+allow dictd_t self:capability { setuid setgid net_bind_service };
>
>dictd_t is not permitted to bind to any low ports.  How does it need 
>net_bind_service capability?
>
>  
>
Maybe ypbind also.

>+allow hald_t { device_t }:{ chr_file } { create_file_perms };
>
>Three sets of redundant braces.  Why does it need to create character device 
>nodes anyway?  We have udev to do that!
>
>  
>
Hal creates a device when using cardmgr. pcmcia currently does not work 
with udev.

>+file_type_auto_trans(kudzu_t, tmp_t, kudzu_tmp_t, chr_file)
>
>Why is kudzu creating device nodes under /tmp?  This sounds like a bug in 
>kudzu to me.
>  
>
I think cardmgr again.

>+dontaudit mailman_queue_t src_t:dir { search };
>
>I've filed a bugzilla about that one:
>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137863
>
>We should have ifdef(`hide_broken_symptoms', around it too.
>
>-allow mysqld_t self:capability { dac_override setgid setuid };
>+allow mysqld_t self:capability { dac_override setgid setuid 
>net_bind_service };
>
>Why does mysqld_t need name_bind_service?  It doesn't seem to be allowed to 
>bind to any low ports anyway.
>
>  
>
ypbind.

>-allow postfix_$1_t self:capability { setuid setgid dac_override };
>+allow postfix_$1_t self:capability { setuid setgid dac_override 
>net_bind_service };
>
>What is this for?  Which Postfix programs need such access?  Maybe you should 
>have net_bind_service inside the can_ypbind() macro or something.  Normal 
>Postfix operation does not need such a change.
>allow postfi
>  
>
ypbind.

I will add

allow $1_t self:capability net_bind_service; to ypbind.

>-allow radiusd_t self:capability { chown dac_override fsetid kill setgid 
>setuid sys_resource sys_tty_config };
>+allow radiusd_t self:capability { chown dac_override fsetid kill setgid 
>setuid sys_resource sys_tty_config net_bind_service };
>
>Once again, this should not be needed.
>
>
>If every instance of daemon_domain() is going to get nscd_client_domain added, 
>then perhaps we should just change the definition of daemon_domain() 
>accordingly?
>
>
>Why isn't allow $1 self:{ tcp_socket udp_socket } connect; in can_network()?
>
>
>  
>
Because we don't want all network daemons to be able to connect out.

>I think that some structural changes need to be made before any of the changes 
>in this can go in the CVS.
>
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Stephen Smalley]

On Tue, 2004-11-02 at 09:30, Daniel J Walsh wrote:
> ypbind.
> 
> I will add
> 
> allow $1_t self:capability net_bind_service; to ypbind.

Will it work without the permission, e.g. if you just dontaudit the
permission?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Daniel J Walsh]

Stephen Smalley wrote:

>On Tue, 2004-11-02 at 09:30, Daniel J Walsh wrote:
>  
>
>>ypbind.
>>
>>I will add
>>
>>allow $1_t self:capability net_bind_service; to ypbind.
>>    
>>
>
>Will it work without the permission, e.g. if you just dontaudit the
>permission?
>
>  
>
Don't know I will try.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Daniel J Walsh]

I can change daemon_core_domain to define domain types with
nscd_client_domain,

Does anyone have a problem with that?

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 1206 bytes --]

On Wed, 3 Nov 2004 01:50, Daniel J Walsh <dwalsh@redhat.com> wrote:
> I can change daemon_core_domain to define domain types with
> nscd_client_domain,

How about doing something like the attached patch first.

Then you can enable nscd access for the daemon attribute.  This means that 
someone who wants to restrict nscd access (customisations by a user or 
changes that we make later on) can use { daemon -whatever }.

Also we could potentially have another attribute not_nscd_client_domain which 
can be used to instantiate a daemon which should not have nscd access.

When making changes of this nature we don't want to make it unreasonably 
difficult to remove access for domains that should not have it, and we also 
want to keep the policy as simple as possible as ease of reading the policy 
is (IMHO) a very major factor in keeping the quality high.  I believe that a 
change such as I suggest meets these goals well and has no disadvantages.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 945 bytes --]

--- /usr/src/se/policy/macros/global_macros.te	2004-10-14 10:10:03.000000000 +1000
+++ macros/global_macros.te	2004-11-03 02:32:03.000000000 +1100
@@ -269,7 +269,7 @@
 # Author:  Russell Coker <russell@coker.com.au>
 #
 define(`daemon_core_rules', `
-type $1_t, domain, privlog $2;
+type $1_t, domain, privlog, daemon $2;
 type $1_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types $1_t;
--- /usr/src/se/policy/attrib.te	2004-11-02 21:17:55.000000000 +1100
+++ attrib.te	2004-11-03 02:33:36.000000000 +1100
@@ -44,6 +44,10 @@
 # init to kill all processes.
 attribute domain;
 
+# The daemon attribute identifies domains for system processes created via
+# the daemon_domain, daemon_base_domain, and init_service_domain macros.
+attribute daemon;
+
 # The privuser attribute identifies every domain that can 
 # change its SELinux user identity.  This attribute is used 
 # in the constraints configuration.  NOTE:  This attribute

Re: Patch to make can_network stronger and remove nscd tunable.

[Russell Coker]

On Wed, 3 Nov 2004 01:30, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >dictd_t is not permitted to bind to any low ports.  How does it need
> >net_bind_service capability?
>
> Maybe ypbind also.

OK.  If you change the ypbind macro then things should be fine in that regard.

> >+allow hald_t { device_t }:{ chr_file } { create_file_perms };
> >
> >Three sets of redundant braces.  Why does it need to create character
> > device nodes anyway?  We have udev to do that!
>
> Hal creates a device when using cardmgr. pcmcia currently does not work
> with udev.
>
> >+file_type_auto_trans(kudzu_t, tmp_t, kudzu_tmp_t, chr_file)
> >
> >Why is kudzu creating device nodes under /tmp?  This sounds like a bug in
> >kudzu to me.
>
> I think cardmgr again.

Are they executing cardmgr or cardctl?  If so then there should be a 
domain_auto_trans() rule to get it running in cardmgr_t, doing otherwise may 
interfere with other cardmgr operations later.

I'm surprised that I haven't seen this though as I've got a couple of laptops 
tracking rawhide.  Did you boot with a PCMCIA/Cardbus card installed?  Is 
there anything unusual about your setup?  What model of laptop?

> >Why isn't allow $1 self:{ tcp_socket udp_socket } connect; in
> > can_network()?
>
> Because we don't want all network daemons to be able to connect out.

Then we should have two macros, one that allows outbound connections and one 
that doesn't.  Increasing the line count in most domains that have network 
access does no good.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Daniel J Walsh]

Russell Coker wrote:

>On Wed, 3 Nov 2004 01:30, Daniel J Walsh <dwalsh@redhat.com> wrote:
>  
>
>>>dictd_t is not permitted to bind to any low ports.  How does it need
>>>net_bind_service capability?
>>>      
>>>
>>Maybe ypbind also.
>>    
>>
>
>OK.  If you change the ypbind macro then things should be fine in that regard.
>
>  
>
>>>+allow hald_t { device_t }:{ chr_file } { create_file_perms };
>>>
>>>Three sets of redundant braces.  Why does it need to create character
>>>device nodes anyway?  We have udev to do that!
>>>      
>>>
>>Hal creates a device when using cardmgr. pcmcia currently does not work
>>with udev.
>>
>>    
>>
>>>+file_type_auto_trans(kudzu_t, tmp_t, kudzu_tmp_t, chr_file)
>>>
>>>Why is kudzu creating device nodes under /tmp?  This sounds like a bug in
>>>kudzu to me.
>>>      
>>>
>>I think cardmgr again.
>>    
>>
>
>Are they executing cardmgr or cardctl?  If so then there should be a 
>domain_auto_trans() rule to get it running in cardmgr_t, doing otherwise may 
>interfere with other cardmgr operations later.
>
>I'm surprised that I haven't seen this though as I've got a couple of laptops 
>tracking rawhide.  Did you boot with a PCMCIA/Cardbus card installed?  Is 
>there anything unusual about your setup?  What model of laptop?
>  
>
ibm thinkpad.  I have booted with it in and without it, also have 
started and stopped hal which causes the problem.

>  
>
>>>Why isn't allow $1 self:{ tcp_socket udp_socket } connect; in
>>>can_network()?
>>>      
>>>
>>Because we don't want all network daemons to be able to connect out.
>>    
>>
>
>Then we should have two macros, one that allows outbound connections and one 
>that doesn't.  Increasing the line count in most domains that have network 
>access does no good.
>
>  
>
I wanted to treat connect the same way we treat name_bind.  Basically 
you need to explicitly state whether a network daemon is inbout, 
outbound or both.  If we want to add all the macros fine, but having 
can_network default to allowing connect is too loose, think of spammers.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Russell Coker]

On Wednesday 03 November 2004 02:55, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >Then we should have two macros, one that allows outbound connections and
> > one that doesn't.  Increasing the line count in most domains that have
> > network access does no good.
>
> I wanted to treat connect the same way we treat name_bind.  Basically
> you need to explicitly state whether a network daemon is inbout,
> outbound or both.  If we want to add all the macros fine, but having
> can_network default to allowing connect is too loose, think of spammers.

We have to have more macros.  There is no reason for not having all network 
access for a process in a single line in a .te file.  Having multiple lines 
for this makes it more difficult to read and gives more errors.

The question is, do we have can_network() do what it has always done, or do we 
have the new macro give the current functionality of can_network() and have 
can_network() not permit connections.

We don't want to apply a change to all the .te files related to can_network() 
until we resolve this issue.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 82 bytes --]

Updated with Russell's "daemon" change and other fixes.

How does this look?

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 82747 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.17.37/attrib.te
--- nsapolicy/attrib.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.37/attrib.te	2004-11-02 10:49:43.993757923 -0500
@@ -44,6 +44,10 @@
 # init to kill all processes.
 attribute domain;
 
+# The daemon attribute identifies domains for system processes created via
+# the daemon_domain, daemon_base_domain, and init_service_domain macros.
+attribute daemon;
+
 # The privuser attribute identifies every domain that can 
 # change its SELinux user identity.  This attribute is used 
 # in the constraints configuration.  NOTE:  This attribute
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.37/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-10-19 16:03:04.000000000 -0400
+++ policy-1.17.37/domains/program/crond.te	2004-11-02 10:30:33.000000000 -0500
@@ -114,6 +114,10 @@
 # Use capabilities.
 allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 
+allow crond_t krb5_conf_t:file { getattr read };
+dontaudit crond_t krb5_conf_t:file { write };
+allow crond_t urandom_device_t:chr_file { getattr read };
+
 # Read the system crontabs.
 allow system_crond_t system_cron_spool_t:file r_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.17.37/domains/program/login.te
--- nsapolicy/domains/program/login.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.17.37/domains/program/login.te	2004-11-02 10:30:33.000000000 -0500
@@ -21,6 +21,8 @@
 dontaudit $1_login_t shadow_t:file { getattr read };
 
 general_domain_access($1_login_t);
+can_network($1_login_t) 
+allow $1_login_t self:{ tcp_socket udp_socket } connect;
 
 # Read system information files in /proc.
 allow $1_login_t proc_t:dir r_dir_perms;
@@ -81,9 +83,9 @@
 ')
 allow $1_login_t mnt_t:dir r_dir_perms;
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_login_t, nfs_t)
-')dnl end if nfs_home_dirs
+}
 
 # FIXME: what is this for?
 ifdef(`xdm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.17.37/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te	2004-09-02 14:45:45.000000000 -0400
+++ policy-1.17.37/domains/program/logrotate.te	2004-11-02 10:30:33.000000000 -0500
@@ -13,7 +13,7 @@
 # logrotate_t is the domain for the logrotate program.
 # logrotate_exec_t is the type of the corresponding program.
 #
-type logrotate_t, domain, privowner, privmail, priv_system_role;
+type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
 role system_r types logrotate_t;
 role sysadm_r types logrotate_t;
 uses_shlib(logrotate_t);
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.37/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-10-09 21:06:13.000000000 -0400
+++ policy-1.17.37/domains/program/mount.te	2004-11-02 10:30:33.000000000 -0500
@@ -11,7 +11,7 @@
 
 type mount_exec_t, file_type, sysadmfile, exec_type;
 
-mount_domain(sysadm, mount, `, fs_domain')
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
 mount_loopback_privs(sysadm, mount)
 role sysadm_r types mount_t;
 role system_r types mount_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.37/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.37/domains/program/ssh.te	2004-11-02 10:30:33.000000000 -0500
@@ -69,17 +69,18 @@
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 can_network($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 
-allow $1_t self:capability { sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
 can_ypbind($1_t)
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')
 allow $1_t nfs_t:dir { search getattr };
 allow $1_t nfs_t:file { getattr read };
-} dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 ifdef(`single_userdomain', `
 if (ssh_sysadm_login) {
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.37/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.37/domains/program/syslogd.te	2004-11-02 10:30:33.000000000 -0500
@@ -96,4 +96,4 @@
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir { search };
 dontaudit syslogd_t unlabeled_t:file read;
-dontaudit syslogd_t devpts_t:chr_file getattr;
+dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.17.37/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.17.37/domains/program/unused/acct.te	2004-11-02 10:30:33.000000000 -0500
@@ -63,6 +63,7 @@
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
+allow logrotate_t acct_data_t:dir { search };
 allow logrotate_t acct_data_t:file { create_file_perms };
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.37/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.37/domains/program/unused/apache.te	2004-11-02 10:30:33.000000000 -0500
@@ -136,6 +136,7 @@
 
 can_network(httpd_t)
 can_ypbind(httpd_t)
+allow httpd_t self:{ tcp_socket udp_socket } connect;
 
 ###################
 # Allow httpd to search users diretories
@@ -249,7 +250,7 @@
 allow httpd_t autofs_t:dir { search getattr };
 allow httpd_suexec_t autofs_t:dir { search getattr };
 ')
-if (nfs_home_dirs && httpd_enable_homedirs) {
+if (use_nfs_home_dirs && httpd_enable_homedirs) {
 r_dir_file(httpd_t, nfs_t)
 r_dir_file(httpd_suexec_t, nfs_t)
 can_exec(httpd_suexec_t, nfs_t)
@@ -298,5 +299,6 @@
 # Customer reported the following
 #
 ifdef(`snmpd.te', `
+dontaudit httpd_t snmpd_var_lib_t:dir { search };
 dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.17.37/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.17.37/domains/program/unused/arpwatch.te	2004-11-02 10:30:33.000000000 -0500
@@ -25,10 +25,15 @@
 allow arpwatch_t netif_lo_t:netif { udp_send };
 allow arpwatch_t sbin_t:dir { search };
 allow arpwatch_t sbin_t:lnk_file { read };
-can_network(arpwatch_t)
+can_tcp_network(arpwatch_t)
 can_ypbind(arpwatch_t)
+allow arpwatch_t self:tcp_socket connect;
+
+ifdef(`mta.te', `
 allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
+allow system_mail_t arpwatch_data_t:dir { getattr search };
+')
 ifdef(`postfix.te', `
 allow postfix_local_t arpwatch_data_t:dir { search };
 ')
-
+allow arpwatch_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.17.37/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/bluetooth.te	2004-11-02 10:30:33.000000000 -0500
@@ -22,7 +22,7 @@
 # Use the network.
 can_network(bluetooth_t)
 can_ypbind(bluetooth_t)
-dbusd_client(system, bluetooth_t)
+dbusd_client(system, bluetooth)
 allow bluetooth_t self:socket { create setopt ioctl bind listen };
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.17.37/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/canna.te	2004-11-02 10:30:33.000000000 -0500
@@ -28,8 +28,9 @@
 
 rw_dir_create_file(canna_t, canna_var_lib_t)
 
-can_network(canna_t)
+can_tcp_network(canna_t)
 can_ypbind(canna_t)
+allow canna_t self:tcp_socket connect;
 
 allow userdomain canna_var_run_t:dir search;
 allow userdomain canna_var_run_t:sock_file write;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.17.37/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.37/domains/program/unused/cardmgr.te	2004-11-02 10:30:33.000000000 -0500
@@ -82,3 +82,7 @@
 dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
 dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
 ')
+ifdef(`hald.te', `
+rw_dir_file(hald_t, cardmgr_var_run_t)
+allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.17.37/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.37/domains/program/unused/consoletype.te	2004-11-02 10:30:33.000000000 -0500
@@ -59,3 +59,5 @@
 ')
 dontaudit consoletype_t proc_t:file { read };
 dontaudit consoletype_t root_t:file { read };
+allow consoletype_t crond_t:fifo_file { read };
+allow consoletype_t fs_t:filesystem { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cpuspeed.te policy-1.17.37/domains/program/unused/cpuspeed.te
--- nsapolicy/domains/program/unused/cpuspeed.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.17.37/domains/program/unused/cpuspeed.te	2004-11-02 10:30:33.000000000 -0500
@@ -8,3 +8,5 @@
 allow cpuspeed_t sysfs_t:file rw_file_perms;
 allow cpuspeed_t proc_t:dir r_dir_perms;
 allow cpuspeed_t proc_t:file { getattr read };
+allow cpuspeed_t etc_runtime_t:file { getattr read };
+allow cpuspeed_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.37/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/cups.te	2004-11-02 10:30:33.000000000 -0500
@@ -20,6 +20,8 @@
 
 can_network(cupsd_t)
 can_ypbind(cupsd_t)
+allow cupsd_t self:{ tcp_socket udp_socket } connect;
+
 logdir_domain(cupsd)
 
 tmp_domain(cupsd)
@@ -188,7 +190,7 @@
 allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
 allow cupsd_config_t cupsd_t:dir { search };
 
-allow cupsd_config_t self:capability { chown };
+allow cupsd_config_t self:capability { chown sys_tty_config };
 
 rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
 rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
@@ -199,9 +201,11 @@
 
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_t)
-dbusd_client(system, cupsd_config_t)
+dbusd_client(system, cupsd)
+dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus { send_msg };
+allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow cupsd_t system_dbusd_t:dbus { send_msg };
 allow userdomain cupsd_config_t:dbus { send_msg };
 allow cupsd_config_t hald_t:dbus { send_msg };
 allow hald_t cupsd_config_t:dbus { send_msg };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.17.37/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2004-05-04 15:35:53.000000000 -0400
+++ policy-1.17.37/domains/program/unused/cyrus.te	2004-11-02 10:30:33.000000000 -0500
@@ -20,6 +20,7 @@
 
 can_network(cyrus_t)
 can_ypbind(cyrus_t)
+allow cyrus_t self:{ tcp_socket udp_socket } connect;
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
 allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
@@ -45,3 +46,4 @@
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
 allow system_crond_su_t cyrus_var_lib_t:dir { search };
 ')
+allow cyrus_t mail_port_t:tcp_socket { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.17.37/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.37/domains/program/unused/dbskkd.te	2004-11-02 10:30:33.000000000 -0500
@@ -9,5 +9,6 @@
 #
 # dbskkd_exec_t is the type of the dbskkd executable.
 #
+# Depends: inetd.te
 
 inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.17.37/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.37/domains/program/unused/dhcpc.te	2004-11-02 10:30:33.000000000 -0500
@@ -24,6 +24,7 @@
 
 can_network(dhcpc_t)
 can_ypbind(dhcpc_t)
+allow dhcpc_t self:tcp_socket connect;
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
 allow dhcpc_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.17.37/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.37/domains/program/unused/dovecot.te	2004-11-02 10:30:33.000000000 -0500
@@ -15,6 +15,8 @@
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
+allow dovecot_t self:tcp_socket connect;
+
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.17.37/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.37/domains/program/unused/ftpd.te	2004-11-02 10:30:33.000000000 -0500
@@ -4,6 +4,7 @@
 #           Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
 #
+# Depends: inetd.te
 
 #################################
 #
@@ -17,6 +18,7 @@
 
 can_network(ftpd_t)
 can_ypbind(ftpd_t)
+allow ftpd_t self:udp_socket connect;
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -32,11 +34,13 @@
 
 ifdef(`crond.te', `
 system_crond_entry(ftpd_exec_t, ftpd_t)
+allow system_crond_t xferlog_t:file r_file_perms;
 can_exec(ftpd_t, { sbin_t shell_exec_t })
 allow ftpd_t usr_t:file { getattr read };
 ')
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
+allow ftpd_t port_t:tcp_socket { name_bind };
 
 # Allow ftpd to run directly without inetd.
 bool ftpd_is_daemon false;
@@ -97,7 +101,7 @@
 # Allow ftp to read/write files in the user home directories.
 bool ftp_home_dir false;
 
-if (ftp_home_dir && nfs_home_dirs) {
+if (ftp_home_dir && use_nfs_home_dirs) {
 allow ftpd_t nfs_t:dir r_dir_perms;
 allow ftpd_t nfs_t:file r_file_perms;
 # dont allow access to /home
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.37/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-11-01 11:04:36.000000000 -0500
+++ policy-1.17.37/domains/program/unused/hald.te	2004-11-02 10:30:33.000000000 -0500
@@ -19,8 +19,8 @@
 allow hald_t self:unix_dgram_socket create_socket_perms;
 
 ifdef(`dbusd.te', `
-allow hald_t system_dbusd_t:dbus { acquire_svc };
-dbusd_client(system, hald_t)
+allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
+dbusd_client(system, hald)
 ')
 
 allow hald_t { self proc_t }:file { getattr read };
@@ -31,12 +31,13 @@
 
 allow hald_t bin_t:file { getattr };
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
 can_network(hald_t)
 can_ypbind(hald_t)
 
 allow hald_t device_t:lnk_file read;
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
+allow hald_t removable_device_t:blk_file { write };
 allow hald_t event_device_t:chr_file { getattr read ioctl };
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file { read };
@@ -60,7 +61,11 @@
 allow hald_t usbfs_t:dir search;
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
+dontaudit hald_t selinux_config_t:dir { search };
 allow hald_t initrc_t:dbus { send_msg };
 allow initrc_t hald_t:dbus { send_msg };
 allow hald_t etc_runtime_t:file rw_file_perms;
+allow hald_t var_lib_t:dir search;
+allow hald_t device_t:dir { create_dir_perms };
+allow hald_t { device_t }:{ chr_file } { create_file_perms };
+tmp_domain(hald)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.37/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.37/domains/program/unused/hotplug.te	2004-11-02 10:30:33.000000000 -0500
@@ -151,7 +151,7 @@
 
 can_network(hotplug_t)
 can_ypbind(hotplug_t)
-dbusd_client(system, hotplug_t)
+dbusd_client(system, hotplug)
 
 # Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
 domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.17.37/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.37/domains/program/unused/i18n_input.te	2004-11-02 10:30:33.000000000 -0500
@@ -11,6 +11,7 @@
 can_exec(i18n_input_t, i18n_input_exec_t)
 can_network(i18n_input_t)
 can_ypbind(i18n_input_t)
+allow i18n_input_t self:udp_socket connect;
 
 can_tcp_connect(userdomain, i18n_input_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.37/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.37/domains/program/unused/inetd.te	2004-11-02 10:35:25.000000000 -0500
@@ -18,9 +18,11 @@
 # Rules for the inetd_t domain.
 #
 
-daemon_domain(inetd, `, nscd_client_domain ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
+allow inetd_t self:udp_socket connect;
+
 allow inetd_t self:unix_dgram_socket create_socket_perms;
 allow inetd_t self:unix_stream_socket create_socket_perms;
 allow inetd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.17.37/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/innd.te	2004-11-02 10:30:33.000000000 -0500
@@ -30,6 +30,7 @@
 
 can_network(innd_t)
 can_ypbind(innd_t)
+allow innd_t self:udp_socket connect;
 
 can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
 allow innd_t self:unix_dgram_socket create_socket_perms;
@@ -64,6 +65,9 @@
 
 ifdef(`crond.te', `
 system_crond_entry(innd_exec_t, innd_t)
+allow system_crond_t innd_etc_t:file { getattr read };
+rw_dir_create_file(system_crond_t, innd_log_t)
+rw_dir_create_file(system_crond_t, innd_var_run_t)
 ')
 ifdef(`syslogd.te', `
 allow syslogd_t innd_log_t:dir search;
@@ -71,6 +75,5 @@
 ')
 allow innd_t self:file { getattr read };
 dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
 allow innd_t bin_t:lnk_file { read };
 allow innd_t sbin_t:lnk_file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.17.37/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.37/domains/program/unused/ipsec.te	2004-11-02 10:30:33.000000000 -0500
@@ -25,7 +25,7 @@
 # lots of strange stuff for the ipsec_var_run_t - need to check it
 var_run_domain(ipsec)
 
-type ipsec_mgmt_t, domain, privlog, admin, privmodule;
+type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
 type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.37/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.37/domains/program/unused/ktalkd.te	2004-11-02 10:30:33.000000000 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.17.37/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.37/domains/program/unused/kudzu.te	2004-11-02 10:30:33.000000000 -0500
@@ -13,7 +13,7 @@
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t etc_t:file { getattr read };
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 allow kudzu_t modules_conf_t:file { getattr read };
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
@@ -80,7 +80,8 @@
 allow kudzu_t sysfs_t:lnk_file read;
 file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
 allow kudzu_t tape_device_t:chr_file r_file_perms;
-allow kudzu_t tmp_t:dir { search };
+tmp_domain(kudzu)
+file_type_auto_trans(kudzu_t, tmp_t, kudzu_tmp_t, chr_file)
 
 # for file systems that are not yet mounted
 dontaudit kudzu_t file_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.17.37/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.37/domains/program/unused/mailman.te	2004-11-02 10:30:33.000000000 -0500
@@ -20,7 +20,7 @@
 can_exec_any(mailman_$1_t)
 allow mailman_$1_t { proc_t sysctl_t sysctl_kernel_t }:dir search;
 allow mailman_$1_t { proc_t sysctl_kernel_t }:file { read getattr };
-allow mailman_$1_t var_lib_t:dir { getattr search };
+allow mailman_$1_t var_lib_t:dir { getattr search read };
 allow mailman_$1_t var_lib_t:lnk_file read;
 allow mailman_$1_t device_t:dir search;
 allow mailman_$1_t etc_runtime_t:file { read getattr };
@@ -30,13 +30,16 @@
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
 can_ypbind(mailman_$1_t)
+allow mailman_$1_t self:udp_socket connect;
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
 ')
 
-mailman_domain(queue, `, auth_chkpwd')
+mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
 can_tcp_connect(mailman_queue_t, mail_server_domain)
+allow mailman_queue_t self:tcp_socket connect;
 
+dontaudit mailman_queue_t src_t:dir { search };
 can_exec(mailman_queue_t, su_exec_t)
 allow mailman_queue_t self:capability { setgid setuid };
 allow mailman_queue_t self:fifo_file rw_file_perms;
@@ -72,8 +75,9 @@
 domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
 # should have separate types for public and private archives
 r_dir_file(httpd_t, mailman_archive_t)
-allow httpd_t mailman_data_t:dir search;
-r_dir_file(mailman_cgi_t, mailman_archive_t)
+allow httpd_t mailman_data_t:dir { getattr search };
+rw_dir_file(mailman_cgi_t, mailman_archive_t)
+allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
 
 dontaudit mailman_cgi_t httpd_log_t:file append;
 allow httpd_t mailman_cgi_t:process signal;
@@ -83,6 +87,8 @@
 allow mailman_cgi_t httpd_sys_script_t:dir search;
 allow mailman_cgi_t devtty_t:chr_file { read write };
 allow mailman_cgi_t self:process { fork sigchld };
+allow mailman_cgi_t var_spool_t:dir { search };
+dontaudit mailman_cgi_t src_t:dir { search };
 ')
 
 allow mta_delivery_agent mailman_data_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mdadm.te policy-1.17.37/domains/program/unused/mdadm.te
--- nsapolicy/domains/program/unused/mdadm.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.37/domains/program/unused/mdadm.te	2004-11-02 10:30:33.000000000 -0500
@@ -40,4 +40,4 @@
 dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
 dontaudit mdadm_t initctl_t:fifo_file { getattr };
 var_run_domain(mdadm)
-allow mdadm_t var_t:dir { getattr };
+allow mdadm_t var_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.37/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/named.te	2004-11-02 10:30:33.000000000 -0500
@@ -19,7 +19,7 @@
 file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
 
 # ndc_t is the domain for the ndc program
-type ndc_t, domain, privlog;
+type ndc_t, domain, privlog, nscd_client_domain;
 role sysadm_r types ndc_t;
 role system_r types ndc_t;
 
@@ -52,6 +52,8 @@
 #Named can use network
 can_network(named_t)
 can_ypbind(named_t)
+allow named_t self:tcp_socket connect;
+
 # allow UDP transfer to/from any program
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
@@ -102,6 +104,7 @@
 uses_shlib(ndc_t)
 can_network(ndc_t)
 can_ypbind(ndc_t)
+allow ndc_t self:tcp_socket connect;
 read_locale(ndc_t)
 can_tcp_connect(ndc_t, named_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.37/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.37/domains/program/unused/nscd.te	2004-11-02 10:48:45.133415384 -0500
@@ -5,7 +5,7 @@
 #
 define(`nscd_socket_domain', `
 can_unix_connect($1, nscd_t)
-allow nscd_client_domain nscd_var_run_t:sock_file rw_file_perms;
+allow $1 nscd_var_run_t:sock_file rw_file_perms;
 allow $1 { var_run_t var_t }:dir search;
 allow $1 nscd_t:nscd { getpwd getgrp gethost };
 dontaudit $1 nscd_t:fd { use };
@@ -18,23 +18,20 @@
 # Rules for the nscd_t domain.
 #
 # nscd is both the client program and the daemon.
-daemon_domain(nscd, `, userspace_objmgr, nscd_client_domain')
+daemon_domain(nscd, `, userspace_objmgr')
 
 allow nscd_t etc_t:file r_file_perms;
 allow nscd_t etc_t:lnk_file read;
 can_network(nscd_t)
 can_ypbind(nscd_t)
+allow nscd_t self:{ tcp_socket udp_socket } connect;
 
 file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
 
 allow nscd_t self:unix_stream_socket create_stream_socket_perms;
 
-# Clients that can get information via the socket interface.
-ifdef(`nscd_all_connect', `
-nscd_socket_domain(domain)
-', `
 nscd_socket_domain(nscd_client_domain)
-')dnl nscd_all_connect
+nscd_socket_domain(daemon)
 
 # Clients that are allowed to map the database via a fd obtained from nscd.
 nscd_socket_domain(nscd_shmem_domain)
@@ -53,7 +50,7 @@
 allow nscd_t self:process { getattr setsched };
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid net_bind_service net_admin };
+allow nscd_t self:capability { kill setgid setuid net_bind_service net_admin sys_tty_config };
 
 # for when /etc/passwd has just been updated and has the wrong type
 allow nscd_t shadow_t:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.37/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/ntpd.te	2004-11-02 10:30:33.000000000 -0500
@@ -12,6 +12,9 @@
 type ntp_drift_t, file_type, sysadmfile;
 type ntp_port_t, port_type, reserved_port_type;
 
+type ntpdate_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
+
 logdir_domain(ntpd)
 
 allow ntpd_t var_lib_t:dir r_dir_perms;
@@ -36,6 +39,7 @@
 # Use the network.
 can_network(ntpd_t)
 can_ypbind(ntpd_t)
+allow ntpd_t self:{ tcp_socket udp_socket } connect;
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.17.37/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te	2004-06-16 13:33:36.000000000 -0400
+++ policy-1.17.37/domains/program/unused/ping.te	2004-11-02 10:30:33.000000000 -0500
@@ -35,6 +35,7 @@
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
+allow ping_t self:{ tcp_socket udp_socket } connect;
 
 # Let ping create raw ICMP packets.
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
@@ -55,3 +56,5 @@
 # it tries to access /var/run
 dontaudit ping_t var_t:dir search;
 
+dontaudit ping_t devtty_t:chr_file { read write };
+dontaudit ping_t ping_t:capability { sys_tty_config };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.37/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.17.37/domains/program/unused/portmap.te	2004-11-02 10:30:33.000000000 -0500
@@ -23,6 +23,7 @@
 tmp_domain(portmap)
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
 
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
@@ -51,4 +52,4 @@
 
 # Use capabilities
 allow portmap_t self:capability { net_bind_service setuid setgid };
-
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.17.37/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/postfix.te	2004-11-02 10:30:33.000000000 -0500
@@ -119,6 +119,8 @@
 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
 can_network(postfix_master_t)
 can_ypbind(postfix_master_t)
+allow postfix_master_t self:{ tcp_socket udp_socket } connect;
+
 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.17.37/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.37/domains/program/unused/postgresql.te	2004-11-02 10:30:33.000000000 -0500
@@ -13,6 +13,8 @@
 type postgresql_port_t, port_type;
 daemon_domain(postgresql)
 allow initrc_t postgresql_exec_t:lnk_file read;
+allow postgresql_t usr_t:file { getattr read };
+allow postgresql_t self:udp_socket connect;
 
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.17.37/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.37/domains/program/unused/rpcd.te	2004-11-02 10:30:33.000000000 -0500
@@ -14,6 +14,7 @@
 daemon_base_domain($1)
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
@@ -24,6 +25,7 @@
 allow $1_t var_lib_nfs_t:file create_file_perms;
 # do not log when it tries to bind to a port belonging to another domain
 dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
 allow $1_t self:netlink_route_socket r_netlink_socket_perms;
 allow $1_t self:unix_dgram_socket create_socket_perms;
 allow $1_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.17.37/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/rshd.te	2004-11-02 10:30:33.000000000 -0500
@@ -34,5 +34,7 @@
 allow rshd_t krb5_conf_t:file { getattr read };
 dontaudit rshd_t krb5_conf_t:file write;
 allow rshd_t tmp_t:dir { search };
+ifdef(`rlogind.te', `
 allow rshd_t rlogind_tmp_t:file rw_file_perms;
+')
 allow rshd_t urandom_device_t:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.37/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/rsync.te	2004-11-02 10:30:33.000000000 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.37/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.37/domains/program/unused/sendmail.te	2004-11-02 10:30:33.000000000 -0500
@@ -27,6 +27,7 @@
 # Use the network.
 can_network(sendmail_t)
 can_ypbind(sendmail_t)
+allow sendmail_t self:{ tcp_socket udp_socket } connect;
 
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.17.37/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/slapd.te	2004-11-02 10:30:33.000000000 -0500
@@ -30,6 +30,7 @@
 allow slapd_t self:unix_dgram_socket create_socket_perms;
 # allow any domain to connect to the LDAP server
 can_tcp_connect(domain, slapd_t)
+allow slapd_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities  should not need kill...
 allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.37/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.17.37/domains/program/unused/snmpd.te	2004-11-02 10:30:33.000000000 -0500
@@ -15,6 +15,7 @@
 
 can_network(snmpd_t)
 can_ypbind(snmpd_t)
+allow snmpd_t self:{ tcp_socket udp_socket } connect;
 
 type snmp_port_t, port_type, reserved_port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
@@ -38,7 +39,7 @@
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_socket_perms;
 allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file { getattr read };
+allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
 allow snmpd_t urandom_device_t:chr_file read;
 allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.17.37/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.37/domains/program/unused/spamd.te	2004-11-02 10:30:33.000000000 -0500
@@ -24,6 +24,7 @@
 dontaudit spamd_t sysadm_home_dir_t:dir getattr;
 
 can_network(spamd_t)
+allow spamd_t self:{ tcp_socket udp_socket } connect;
 allow spamd_t self:capability { net_bind_service };
 
 allow spamd_t proc_t:file { getattr read };
@@ -59,7 +60,7 @@
 allow spamd_t autofs_t:dir { search getattr };
 ')
 
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 allow spamd_t nfs_t:dir rw_dir_perms;
 allow spamd_t nfs_t:file create_file_perms;
 }
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.17.37/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.37/domains/program/unused/squid.te	2004-11-02 10:30:33.000000000 -0500
@@ -56,6 +56,7 @@
 can_network(squid_t)
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
+allow squid_t self:{ tcp_socket udp_socket } connect;
 
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
 allow squid_t http_cache_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.17.37/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.37/domains/program/unused/swat.te	2004-11-02 10:30:33.000000000 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/traceroute.te policy-1.17.37/domains/program/unused/traceroute.te
--- nsapolicy/domains/program/unused/traceroute.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.37/domains/program/unused/traceroute.te	2004-11-02 10:30:33.000000000 -0500
@@ -20,6 +20,7 @@
 uses_shlib(traceroute_t)
 can_network(traceroute_t)
 can_ypbind(traceroute_t)
+allow traceroute_t self:{ tcp_socket udp_socket } connect;
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.37/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.17.37/domains/program/unused/udev.te	2004-11-02 10:30:33.000000000 -0500
@@ -81,6 +81,7 @@
 ifdef(`xdm.te', `
 allow udev_t xdm_var_run_t:file { getattr read };
 ')
+dontaudit udev_t staff_home_dir_t:dir { search };
 
 ifdef(`hotplug.te', `
 r_dir_file(udev_t, hotplug_etc_t)
@@ -108,7 +109,7 @@
 
 allow udev_t udev_helper_exec_t:dir r_dir_perms;
 
-dbusd_client(system, udev_t)
+dbusd_client(system, udev)
 
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
 allow udev_t sysctl_dev_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.37/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.37/domains/program/unused/updfstab.te	2004-11-02 10:30:33.000000000 -0500
@@ -28,7 +28,10 @@
 
 read_locale(updfstab_t)
 
-dbusd_client(system, updfstab_t)
+ifdef(`dbusd.te', `
+dbusd_client(system, updfstab)
+allow updfstab_t system_dbusd_t:dbus { send_msg };
+')
 
 # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
 # I will not allow it
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.17.37/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.37/domains/program/unused/vpnc.te	2004-11-02 10:30:33.000000000 -0500
@@ -17,6 +17,8 @@
 # Use the network.
 can_network(vpnc_t)
 can_ypbind(vpnc_t)
+allow vpnc_t self:udp_socket connect;
+allow vpnc_t self:socket create_socket_perms;
 
 # Use capabilities.
 allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
@@ -28,3 +30,12 @@
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
 allow vpnc_t admin_tty_type:chr_file rw_file_perms;
+allow vpnc_t port_t:udp_socket { name_bind };
+allow vpnc_t etc_runtime_t:file { getattr read };
+allow vpnc_t proc_t:file { getattr read };
+dontaudit vpnc_t selinux_config_t:dir search;
+can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
+allow vpnc_t sysctl_net_t:dir { search };
+allow vpnc_t sbin_t:dir { search };
+allow vpnc_t bin_t:dir { search };
+allow vpnc_t bin_t:lnk_file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.17.37/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-11-01 11:04:36.000000000 -0500
+++ policy-1.17.37/domains/program/unused/xdm.te	2004-11-02 10:30:33.000000000 -0500
@@ -47,6 +47,7 @@
 
 can_network(xdm_t)
 can_ypbind(xdm_t)
+allow xdm_t self:udp_socket connect;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:fifo_file rw_file_perms;
@@ -277,7 +278,7 @@
 allow xdm_xserver_t user_home_type:dir search;
 allow xdm_xserver_t user_home_type:file { getattr read };
 
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
 ')
@@ -287,7 +288,7 @@
 }
 
 # for .dmrc
-allow xdm_t user_home_dir_type:dir search;
+allow xdm_t user_home_dir_type:dir { getattr search };
 allow xdm_t user_home_type:file { getattr read };
 
 allow xdm_t mnt_t:dir { getattr read search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.17.37/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-10-14 23:25:19.000000000 -0400
+++ policy-1.17.37/domains/program/unused/ypbind.te	2004-11-02 10:30:33.000000000 -0500
@@ -12,8 +12,6 @@
 #
 daemon_domain(ypbind)
 
-bool allow_ypbind true;
-
 tmp_domain(ypbind)
 
 # Use capabilities.
@@ -22,6 +20,7 @@
 # Use the network.
 can_network(ypbind_t)
 allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
+allow ypbind_t self:{ tcp_socket udp_socket } connect;
 
 allow ypbind_t self:fifo_file rw_file_perms;
 
@@ -39,5 +38,5 @@
 allow ypbind_t etc_t:file { getattr read };
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:tcp_socket { name_bind };
-allow ypbind_t reserved_port_t:udp_socket { name_bind };
+allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } { name_bind };
+dontaudit ypbind_t reserved_port_type:{udp_socket tcp_socket} { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.17.37/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.37/domains/program/unused/ypserv.te	2004-11-02 10:30:33.000000000 -0500
@@ -40,3 +40,4 @@
 allow rpcd_t ypserv_conf_t:file { getattr read };
 ')
 allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
+dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.17.37/domains/user.te
--- nsapolicy/domains/user.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.17.37/domains/user.te	2004-11-02 10:30:33.000000000 -0500
@@ -8,13 +8,16 @@
 bool user_dmesg false;
 
 # Support NFS home directories
-bool nfs_home_dirs false;
+bool use_nfs_home_dirs false;
 
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users)  disabling this forces FTP passive mode
 # and may change other protocols 
 bool user_tcp_server false;
 
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 # Allow users to rw usb devices
 bool user_rw_usb false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.17.37/file_contexts/program/mailman.fc
--- nsapolicy/file_contexts/program/mailman.fc	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.37/file_contexts/program/mailman.fc	2004-11-02 10:30:33.000000000 -0500
@@ -1,25 +1,24 @@
 # mailman list server
+/var/lib/mailman(/.*)?		   system_u:object_r:mailman_data_t
 /var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t
 /usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
 /usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
+/var/run/mailman(/.*)?		   system_u:object_r:mailman_lock_t
+/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
 
 ifdef(`distro_debian', `
 /usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
 /usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
 /usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
-/var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
-/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
 /etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t
 /etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t
 ')
 
 ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.*	-- system_u:object_r:mailman_cgi_exec_t
-/var/mailman(/.*)?		   system_u:object_r:mailman_data_t
-/var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
-/var/mailman/archives(/.*)?	   system_u:object_r:mailman_archive_t
+/usr/lib/mailman/cgi-bin/.*	 -- system_u:object_r:mailman_cgi_exec_t
+/var/lock/mailman(/.*)?		    system_u:object_r:mailman_lock_t
 /usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
-/usr/lib/mailman/bin/qrunner  	-- system_u:object_r:mailman_queue_exec_t
-/var/mailman/lists(/.*)?	system_u:object_r:mailman_data_t
-/var/mailman/logs(/.*)?		   system_u:object_r:mailman_log_t
+/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t
+/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t
+/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.17.37/file_contexts/program/ntpd.fc
--- nsapolicy/file_contexts/program/ntpd.fc	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.17.37/file_contexts/program/ntpd.fc	2004-11-02 10:30:33.000000000 -0500
@@ -3,7 +3,7 @@
 /etc/ntp(d)?\.conf		--	system_u:object_r:net_conf_t
 /etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
 /usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
-/usr/sbin/ntpdate		--	system_u:object_r:ntpd_exec_t
+/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t
 /var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
 /var/log/ntpd.*			--	system_u:object_r:ntpd_log_t
 /var/log/xntpd.*		--	system_u:object_r:ntpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/vpnc.fc policy-1.17.37/file_contexts/program/vpnc.fc
--- nsapolicy/file_contexts/program/vpnc.fc	2004-10-05 10:43:34.000000000 -0400
+++ policy-1.17.37/file_contexts/program/vpnc.fc	2004-11-02 10:30:33.000000000 -0500
@@ -1,2 +1,3 @@
 # vpnc
 /usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
+/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.37/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.37/file_contexts/types.fc	2004-11-02 10:30:33.000000000 -0500
@@ -339,7 +339,8 @@
 /usr/inclu.e(/.*)?		system_u:object_r:usr_t
 /usr/libexec(/.*)?		system_u:object_r:bin_t
 /usr/src(/.*)?			system_u:object_r:src_t
-/usr/tmp(/.*)?			system_u:object_r:tmp_t
+/usr/tmp		-d	system_u:object_r:tmp_t
+/usr/tmp/.*			<<none>>
 /usr/man(/.*)?			system_u:object_r:man_t
 /usr/share/man(/.*)?		system_u:object_r:man_t
 /usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.17.37/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.37/macros/admin_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -195,4 +195,5 @@
 
 # for lsof
 allow $1_t domain:socket_class_set getattr;
+allow $1_t eventpollfs_t:file getattr;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.37/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-01 11:04:37.000000000 -0500
+++ policy-1.17.37/macros/base_user_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -47,8 +47,10 @@
 
 # open office is looking for the following
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-# Do not flood message log, if the user does ls /dev 
+# Do not flood message log, if the user does ls -lR /
 dontaudit $1_t dev_fs:dir_file_class_set getattr;
+dontaudit $1_t sysadmfile:file getattr;
+dontaudit $1_t sysadmfile:dir read;
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
@@ -61,7 +63,7 @@
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 create_dir_file($1_t, nfs_t)
 can_exec($1_t, nfs_t)
 allow $1_t nfs_t:{ sock_file fifo_file } create_file_perms;
@@ -193,11 +195,23 @@
 # Use the network.
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ tcp_socket udp_socket } connect;
+
+ifdef(`pamconsole.te', `
+allow $1_t pam_var_console_t:dir { search };
+')
+
+allow $1_t var_lock_t:dir { search };
 
 # Grant permissions to access the system DBus
 ifdef(`dbusd.te', `
-dbusd_client(system, $1_t)
-dbusd_client($1, $1_t)
+dbusd_client(system, $1)
+can_network($1_dbusd_t)
+allow user_dbusd_t reserved_port_t:tcp_socket { name_bind };
+
+allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+dbusd_client($1, $1)
+allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
 dbusd_domain($1)
 ifdef(`hald.te', `
 allow $1_t hald_t:dbus { send_msg };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.17.37/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-09-22 16:19:13.000000000 -0400
+++ policy-1.17.37/macros/core_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -132,22 +132,32 @@
 #
 # Permissions for using sockets.
 # 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
 # 
-define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`connected_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for creating, connecting and using sockets.
+# 
+define(`create_socket_perms', `{ connected_socket_perms connect }')
 
 #
 # Permissions for using stream sockets.
 # 
-define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+# 
+define(`connected_stream_socket_perms', `{ create rw_stream_socket_perms }')
 
 #
 # Permissions for creating and using stream sockets.
 # 
-define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`create_stream_socket_perms', `{ connect connected_stream_socket_perms }')
 
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.37/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.37/macros/global_macros.te	2004-11-02 10:47:33.864476332 -0500
@@ -118,64 +118,6 @@
 
 #################################
 #
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-#
-# Allow the domain to create and use UDP and TCP sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:udp_socket create_socket_perms;
-allow $1 self:tcp_socket create_stream_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_type:netif { tcp_send udp_send rawip_send };
-allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { tcp_send udp_send rawip_send };
-allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-
-#
-# Bind to the default port type.
-# Other port types must be separately authorized.
-#
-#allow $1 port_t:udp_socket name_bind;
-#allow $1 port_t:tcp_socket name_bind;
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type: { tcp_socket udp_socket } node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
 # can_sysctl(domain)
 #
 # Permissions for modifying sysctl parameters.
@@ -269,7 +211,7 @@
 # Author:  Russell Coker <russell@coker.com.au>
 #
 define(`daemon_core_rules', `
-type $1_t, domain, privlog $2;
+type $1_t, domain, privlog, daemon $2;
 type $1_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types $1_t;
@@ -416,7 +358,7 @@
 define(`daemon_sub_domain', `
 # $1 is the parent domain (or domains), $2_t is the child domain,
 # and $3 is any attributes to apply to the child
-type $2_t, domain, privlog $3;
+type $2_t, domain, privlog, daemon $3;
 type $2_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types $2_t;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.17.37/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.37/macros/network_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -0,0 +1,94 @@
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`base_can_network',`
+#
+# Allow the domain to create and use $2 sockets.
+# Other kinds of sockets must be separately authorized for use.
+allow $1 self:$2_socket connected_socket_perms;
+
+#
+# Allow the domain to send or receive using any network interface.
+# netif_type is a type attribute for all network interface types.
+#
+allow $1 netif_type:netif { $2_send rawip_send };
+allow $1 netif_type:netif { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any node.
+# node_type is a type attribute for all node types.
+#
+allow $1 node_type:node { $2_send rawip_send };
+allow $1 node_type:node { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any port.
+# port_type is a type attribute for all port types.
+#
+ifelse($3, `', `
+allow $1 port_type:{ $2_socket } { send_msg recv_msg };
+', `
+allow $1 $3:{ $2_socket } { send_msg recv_msg };
+')
+
+# XXX Allow binding to any node type.  Remove once
+# individual rules have been added to all domains that 
+# bind sockets. 
+allow $1 node_type: { $2_socket } node_bind;
+#
+# Allow access to network files including /etc/resolv.conf
+#
+allow $1 net_conf_t:file r_file_perms;
+')dnl end can_network definition
+
+#################################
+#
+# can_tcp_network(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_tcp_network',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { listen accept };
+')
+
+#################################
+#
+# can_udp_network(domain)
+#
+# Permissions for accessing a udp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_udp_network',`
+base_can_network($1, udp, `$2')
+')
+
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network',`
+
+can_tcp_network($1)
+can_udp_network($1)
+
+#
+# Allow the domain to send NFS client requests via the socket
+# created by mount.
+#
+allow $1 mount_t:udp_socket rw_socket_perms;
+
+')dnl end can_network definition
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crond_macros.te policy-1.17.37/macros/program/crond_macros.te
--- nsapolicy/macros/program/crond_macros.te	2004-09-02 14:45:47.000000000 -0400
+++ policy-1.17.37/macros/program/crond_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -20,7 +20,7 @@
 define(`crond_domain',`
 # Derived domain for user cron jobs, user user_crond_domain if not system
 ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail;
+type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
 ', `
 type $1_crond_t, domain, user_crond_domain;
 
@@ -68,6 +68,7 @@
 # This domain is granted permissions common to most domains.
 can_network($1_crond_t)
 can_ypbind($1_crond_t)
+allow $1_crond_t self:{ tcp_socket udp_socket } connect;
 r_dir_file($1_crond_t, self)
 allow $1_crond_t self:fifo_file rw_file_perms;
 allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.17.37/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2004-10-07 08:02:02.000000000 -0400
+++ policy-1.17.37/macros/program/dbusd_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -24,6 +24,7 @@
 domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t)
 read_locale($1_dbusd_t)
 allow $1_t $1_dbusd_t:process { sigkill signal };
+allow $1_dbusd_t self:process { sigkill signal };
 dontaudit $1_dbusd_t var_t:dir { getattr search };
 ')dnl end ifdef single_userdomain
 ')dnl end ifelse system
@@ -50,26 +51,44 @@
 r_dir_file($1_dbusd_t, pam_var_console_t)
 ')
 
+allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+
 ')dnl end dbusd_domain definition
 
-# dbusd_client(dbus_type, domain)
-# Example: dbusd_client_domain(system, user_t)
+# dbusd_client(dbus_type, domain_prefix)
+# Example: dbusd_client_domain(system, user)
 #
-# Grant permissions for connecting to the specified DBus type
-# from domain.
+# Define a new derived domain for connecting to dbus_type
+# from domain_prefix_t. 
 define(`dbusd_client',`')
 ifdef(`dbusd.te',`
 undefine(`dbusd_client')
 define(`dbusd_client',`
+
+# Derived type used for connection
+type $2_dbusd_$1_t;
+type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
+
 # For connecting to the bus
-allow $2 $1_dbusd_t:unix_stream_socket { connectto };
+allow $2_t $1_dbusd_t:unix_stream_socket { connectto };
 ifelse(`system', `$1', `
-allow { $2 } { var_run_t system_dbusd_var_run_t }:dir search;
-allow { $2 } system_dbusd_var_run_t:sock_file { write };
+allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
+allow { $2_t } system_dbusd_var_run_t:sock_file { write };
 ',`
 ') dnl endif system
 # SE-DBus specific permissions
-allow $2 { $1_dbusd_t self }:dbus { send_msg };
-allow $2 $1_dbusd_t:dbus { acquire_svc };
+allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus { send_msg };
+') dnl endif dbusd.te
+')
+
+# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
+# Example: can_dbusd_converse(system, hald, updfstab)
+# Example: can_dbusd_converse(session, user, user)
+define(`can_dbusd_converse',`')
+ifdef(`dbusd.te',`
+undefine(`can_dbusd_converse')
+define(`can_dbusd_converse',`
+allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
+allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
 ') dnl endif dbusd.te
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.17.37/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te	2004-09-20 15:41:01.000000000 -0400
+++ policy-1.17.37/macros/program/gpg_agent_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -48,11 +48,11 @@
 # read ~/.gnupg
 allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
 r_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_gpg_agent_t, nfs_t)
 # write ~/.xsession-errors
 allow $1_gpg_agent_t nfs_t:file write;
-')
+}
 
 allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
@@ -107,12 +107,12 @@
 # wants to put some lock files into the user home dir, seems to work fine without
 dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
 dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
 allow $1_gpg_pinentry_t nfs_t:file { getattr read };
 dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
 dontaudit $1_gpg_pinentry_t nfs_t:file write;
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # read /etc/X11/qtrc
 allow $1_gpg_pinentry_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.17.37/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2004-08-27 09:30:30.000000000 -0400
+++ policy-1.17.37/macros/program/gpg_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -83,9 +83,9 @@
 # allow the usual access to /tmp
 file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 create_dir_file($1_gpg_t, nfs_t)
-')dnl end if nfs_home_dirs
+}dnl end if use_nfs_home_dirs
 
 allow $1_gpg_t self:capability { ipc_lock setuid };
 allow $1_gpg_t devtty_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gph_macros.te policy-1.17.37/macros/program/gph_macros.te
--- nsapolicy/macros/program/gph_macros.te	2004-03-17 13:26:06.000000000 -0500
+++ policy-1.17.37/macros/program/gph_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -25,7 +25,7 @@
 undefine(`gph_domain')
 define(`gph_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_gph_t, domain, gphdomain;
+type $1_gph_t, domain, gphdomain, nscd_client_domain;
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.17.37/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.17.37/macros/program/inetd_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -8,7 +8,7 @@
 # programs.
 #
 define(`inetd_child_domain', `
-type $1_t, domain, privlog;
+type $1_t, domain, privlog, nscd_client_domain;
 role system_r types $1_t;
 
 domain_auto_trans(inetd_t, $1_exec_t, $1_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.17.37/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2004-07-26 16:16:11.000000000 -0400
+++ policy-1.17.37/macros/program/lpr_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -80,9 +80,9 @@
 allow $1_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;  
 allow $1_lpr_t $1_home_t:{ file lnk_file } r_file_perms;  
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_lpr_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # Read and write shared files in the spool directory.
 allow $1_lpr_t print_spool_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.17.37/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.17.37/macros/program/mount_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -67,9 +67,11 @@
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
 
 ifdef(`distro_redhat',`
+ifdef(`pamconsole.te',`
 r_dir_file($2_t,pam_var_console_t)
 # mount config by default sets fscontext=removable_t
 allow $2_t dosfs_t:filesystem { relabelfrom };
+') dnl end pamconsole.te
 ') dnl end distro_redhat
 ') dnl end mount_domain
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.37/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.17.37/macros/program/mozilla_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -16,11 +16,8 @@
 # provided separately in domains/program/mozilla.te. 
 #
 define(`mozilla_domain',`
-ifdef(`single_userdomain', `
-typealias $1_home_t alias { $1_home_mozilla_rw_t $1_home_mozilla_ro_t };
-typealias $1_t alias $1_mozilla_t;
-', `
 x_client_domain($1, mozilla, `, web_client_domain, privlog')
+allow $1_mozilla_t self:{ tcp_socket udp_socket } { connect };
 
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
 
@@ -40,9 +37,9 @@
 allow $1_t $1_mozilla_rw_t:sock_file create_file_perms;
 can_unix_connect($1_t, $1_mozilla_t)
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 create_dir_file($1_mozilla_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 ifdef(`automount.te', `
 allow $1_mozilla_t autofs_t:dir { search getattr };
 ')dnl end if automount
@@ -116,6 +113,7 @@
 # Eliminate errors from scanning with the 
 #
 dontaudit $1_mozilla_t file_type:dir getattr;
+allow $1_mozilla_t self:sem create_sem_perms;
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
@@ -123,6 +121,5 @@
 allow $1_mozilla_t xdm_tmp_t:file { getattr read };
 allow $1_mozilla_t xdm_tmp_t:sock_file { write };
 ')dnl end if xdm.te
-')dnl end ifdef single_userdomain
 ')dnl end mozilla macro
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.17.37/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2004-07-26 16:16:11.000000000 -0400
+++ policy-1.17.37/macros/program/mta_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -37,6 +37,7 @@
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
+allow $1_mail_t self:{ tcp_socket udp_socket } connect;
 
 read_locale($1_mail_t)
 read_sysctl($1_mail_t)
@@ -96,9 +97,9 @@
 # Create dead.letter in user home directories.
 file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 rw_dir_create_file($1_mail_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # if you do not want to allow dead.letter then use the following instead
 #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.17.37/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2004-11-01 11:04:37.000000000 -0500
+++ policy-1.17.37/macros/program/screen_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -54,9 +54,9 @@
 allow $1_screen_t $1_home_screen_t:{ file lnk_file } r_file_perms;
 allow $1_t $1_home_screen_t:file { create_file_perms relabelfrom relabelto };
 allow $1_t $1_home_screen_t:lnk_file { create_lnk_perms relabelfrom relabelto };
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_screen_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 allow $1_screen_t privfd:fd use;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.17.37/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2004-10-07 08:02:03.000000000 -0400
+++ policy-1.17.37/macros/program/ssh_agent_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -37,12 +37,12 @@
 can_ps($1_t, $1_ssh_agent_t)
 
 can_ypbind($1_ssh_agent_t)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_ssh_agent_t autofs_t:dir { search getattr };
 ')
 rw_dir_create_file($1_ssh_agent_t, nfs_t)
-')dnl end nfs_home_dirs
+} dnl end use_nfs_home_dirs
 
 uses_shlib($1_ssh_agent_t)
 read_locale($1_ssh_agent_t)
@@ -70,9 +70,9 @@
 
 # transition back to normal privs upon exec
 domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
-')
+}
 allow $1_ssh_agent_t bin_t:dir search;
 
 # allow reading of /usr/bin/X11 (is a symlink)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.37/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-10-14 23:25:20.000000000 -0400
+++ policy-1.17.37/macros/program/ssh_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -20,20 +20,16 @@
 undefine(`ssh_domain')
 ifdef(`ssh.te', `
 define(`ssh_domain',`
-ifdef(`single_userdomain', `
-typealias $1_home_t alias $1_home_ssh_t;
-typealias $1_t alias $1_ssh_t;
-', `
 # Derived domain based on the calling user domain and the program.
-type $1_ssh_t, domain, privlog;
+type $1_ssh_t, domain, privlog, nscd_client_domain;
 type $1_home_ssh_t, file_type, homedirfile, sysadmfile;
 
 ifdef(`automount.te', `
 allow $1_ssh_t autofs_t:dir { search getattr };
 ')
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 create_dir_file($1_ssh_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
@@ -88,6 +84,7 @@
 # to access the network.
 can_network($1_ssh_t)
 can_ypbind($1_ssh_t)
+allow $1_ssh_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities.
 allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
@@ -164,7 +161,6 @@
 allow $1_ssh_t krb5_conf_t:file { getattr read };
 dontaudit $1_ssh_t krb5_conf_t:file { write };
 ')dnl end if xdm.te
-')dnl end if single_userdomain
 ')dnl end macro definition
 
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sudo_macros.te policy-1.17.37/macros/program/sudo_macros.te
--- nsapolicy/macros/program/sudo_macros.te	2004-11-01 11:04:37.000000000 -0500
+++ policy-1.17.37/macros/program/sudo_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -31,4 +31,5 @@
 rw_dir_create_file($1_sudo_t, $1_tmp_t)
 rw_dir_create_file($1_sudo_t, $1_home_t)
 domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
+r_dir_file($1_sudo_t, selinux_config_t)
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.17.37/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2004-10-26 10:58:57.000000000 -0400
+++ policy-1.17.37/macros/program/su_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -137,16 +137,16 @@
 ifdef(`automount.te', `
 allow $1_su_t autofs_t:dir { search getattr };
 ')
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 allow $1_su_t nfs_t:dir search;
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # Modify .Xauthority file (via xauth program).
 ifdef(`single_userdomain', `
 file_type_auto_trans($1_su_t, $1_home_dir_t, $1_home_t, file)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 rw_dir_create_file($1_su_t, nfs_t)
-')
+}
 ', `
 ifdef(`xauth.te', `
 file_type_auto_trans($1_su_t, staff_home_dir_t, staff_home_xauth_t, file)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.17.37/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2004-10-05 14:52:36.000000000 -0400
+++ policy-1.17.37/macros/program/tvtime_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -33,7 +33,9 @@
 allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
 allow $1_tvtime_t self:process { setsched };
 allow $1_tvtime_t usr_t:file { getattr read };
+ifdef(`xdm.te', `
 allow $1_tvtime_t xdm_tmp_t:dir { search };
+')
 
 ')dnl end tvtime_domain
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.37/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.37/macros/program/userhelper_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -14,10 +14,7 @@
 # provided separately in domains/program/userhelper.te. 
 #
 define(`userhelper_domain',`
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_userhelper_t;
-', `
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
 
 in_user_role($1_userhelper_t)
 role sysadm_r types $1_userhelper_t;
@@ -142,7 +139,9 @@
 domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
 ')
+
+ifdef(`pamconsole.te', `
 allow $1_userhelper_t pam_var_console_t:dir { search };
+')
 
-')dnl end ifdef single_userdomain
 ')dnl end userhelper macro
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.17.37/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2004-06-16 13:33:38.000000000 -0400
+++ policy-1.17.37/macros/program/xauth_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -87,12 +87,12 @@
 tmp_domain($1_xauth)
 allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_xauth_t autofs_t:dir { search getattr };
 ')
 rw_dir_create_file($1_xauth_t, nfs_t)
-')dnl end nfs_home_dirs
+} dnl end use_nfs_home_dirs
 ')dnl end ifdef single_userdomain
 ')dnl end xauth_domain macro
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.37/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.37/macros/program/xserver_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -25,14 +25,15 @@
 define(`xserver_domain',`
 # Derived domain based on the calling user domain and the program.
 ifdef(`distro_redhat', `
-type $1_xserver_t, domain, privlog, privmem, privmodule;
+type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
 allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
+ifdef(`rpm.te', `
 allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
 allow $1_xserver_t rpm_tmpfs_t:file { read write };
 allow $1_xserver_t rpm_t:fd { use };
-
+')
 ', `
-type $1_xserver_t, domain, privlog, privmem;
+type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
 ')
 
 # for SSP
@@ -51,6 +52,7 @@
 uses_shlib($1_xserver_t)
 can_network($1_xserver_t)
 can_ypbind($1_xserver_t)
+allow $1_xserver_t self:udp_socket connect;
 allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
 
 # for access within the domain
@@ -148,6 +150,7 @@
 allow xdm_xserver_t xdm_t:process signal;
 allow xdm_xserver_t xdm_t:shm rw_shm_perms;
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
 ')
 ', `
 allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.17.37/macros/program/ypbind_macros.te
--- nsapolicy/macros/program/ypbind_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.37/macros/program/ypbind_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -4,12 +4,16 @@
 can_network($1)
 r_dir_file($1,var_yp_t)
 allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+allow $1 self:{ tcp_socket udp_socket } connect;
+dontaudit $1 self:capability net_bind_service;
 ')
 
 define(`can_ypbind', `
 ifdef(`ypbind.te', `
 if (allow_ypbind) {
 uncond_can_ypbind($1)
+} else {
+dontaudit $1 var_yp_t:dir { search };
 }
 ') dnl ypbind.te
 ') dnl can_ypbind
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.37/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.17.37/macros/user_macros.te	2004-11-02 10:30:33.000000000 -0500
@@ -103,16 +103,12 @@
 dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file {getattr read};
 
 ifdef(`xdm.te', `
-ifdef(`single_userdomain', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_home_t, file)
-', `
 allow xdm_t $1_home_t:lnk_file read;
 allow xdm_t $1_home_t:dir search;
 #
 # Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
 # 
 dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end else single_userdomain
 ')dnl end ifdef xdm.te
 
 ifdef(`ftpd.te', `
@@ -151,11 +147,6 @@
 # Stat lost+found.
 allow $1_t lost_found_t:dir getattr;
 
-# Read the /tmp directory and any /tmp files with the base type.
-# Temporary files created at runtime will typically use derived types.
-allow $1_t tmp_t:dir r_dir_perms;
-allow $1_t tmp_t:{ file lnk_file } r_file_perms;
-
 # Read /var, /var/spool, /var/run.
 allow $1_t var_t:dir r_dir_perms;
 allow $1_t var_t:notdevfile_class_set r_file_perms;
@@ -233,9 +224,11 @@
 allow $1_mount_t iso9660_t:filesystem { relabelfrom };
 allow $1_mount_t removable_t:filesystem { mount relabelto };
 allow $1_mount_t removable_t:dir { mounton };
+ifdef(`xdm.te', `
 allow $1_mount_t xdm_t:fd { use };
 allow $1_mount_t xdm_t:fifo_file { write };
 ')
+')
 
 #
 # Rules used to associate a homedir as a mountpoint
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.17.37/net_contexts
--- nsapolicy/net_contexts	2004-10-19 16:03:01.000000000 -0400
+++ policy-1.17.37/net_contexts	2004-11-02 10:30:33.000000000 -0500
@@ -143,12 +143,12 @@
 ')
 ifdef(`asterisk.te', `
 portcon tcp 1720 system_u:object_r:asterisk_port_t
-portcon tcp 2000 system_u:object_r:asterisk_port_t
 portcon udp 2427 system_u:object_r:asterisk_port_t
 portcon udp 2727 system_u:object_r:asterisk_port_t
 portcon udp 4569 system_u:object_r:asterisk_port_t
 portcon udp 5060 system_u:object_r:asterisk_port_t
 ')
+portcon tcp 2000 system_u:object_r:mail_port_t
 ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
 ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
 ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.17.37/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.37/targeted/domains/unconfined.te	2004-11-02 10:30:33.000000000 -0500
@@ -40,5 +40,9 @@
 allow unlabeled_t self:filesystem { associate };
 
 # Support NFS home directories
-bool nfs_home_dirs false;
+bool use_nfs_home_dirs false;
+
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.37/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.37/tunables/distro.tun	2004-11-02 10:30:33.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.37/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.17.37/tunables/tunable.tun	2004-11-02 10:30:47.000000000 -0500
@@ -1,33 +1,27 @@
-# Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-dnl define(`user_net_control')
-
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.17.37/types/file.te
--- nsapolicy/types/file.te	2004-10-19 16:03:09.000000000 -0400
+++ policy-1.17.37/types/file.te	2004-11-02 10:30:33.000000000 -0500
@@ -302,3 +302,4 @@
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
 allow removable_t self:filesystem associate;
+allow file_type removable_t:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.17.37/types/network.te
--- nsapolicy/types/network.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.37/types/network.te	2004-11-02 10:30:33.000000000 -0500
@@ -59,6 +59,11 @@
 #
 
 #
+# mail_port_t is for generic mail ports shared by different mail servers
+#
+type mail_port_t, port_type;
+
+#
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
 # numbers in net_contexts or net_contexts.mls.

Re: Patch to make can_network stronger and remove nscd tunable.

[Thomas Bleher]

[-- Attachment #1: Type: text/plain, Size: 5955 bytes --]

* Daniel J Walsh <dwalsh@redhat.com> [2004-11-02 18:35]:
> Updated with Russell's "daemon" change and other fixes.
> 
> How does this look?

First off, it would be nice if you could split your patches into
logically independant pieces, makes it much easier to read.

I think there need to be some changes (comments below) but the
nfs_home_dirs-related stuff should be merged as soon as possible.
Currently it is broken in cvs because only some parts have been
converted from tunable to boolean.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.37/domains/program/crond.te
> --- nsapolicy/domains/program/crond.te	2004-10-19 16:03:04.000000000 -0400
> +++ policy-1.17.37/domains/program/crond.te	2004-11-02 10:30:33.000000000 -0500
> @@ -114,6 +114,10 @@
> +allow crond_t krb5_conf_t:file { getattr read };
> +dontaudit crond_t krb5_conf_t:file { write };

If we are going to add this to more domains we should add a macro IMHO
like can_krb5_connect() or something. I do not know much about kerberos,
but I think most kerberized apps will need similar permissions which
should only be granted if kerberos is used.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.17.37/domains/program/login.te
> --- nsapolicy/domains/program/login.te	2004-10-19 16:03:05.000000000 -0400
> +++ policy-1.17.37/domains/program/login.te	2004-11-02 10:30:33.000000000 -0500
> @@ -21,6 +21,8 @@
>  dontaudit $1_login_t shadow_t:file { getattr read };
>  
>  general_domain_access($1_login_t);
> +can_network($1_login_t) 
> +allow $1_login_t self:{ tcp_socket udp_socket } connect;

Huh? Where does this come from? Cannot see this in the cvs policy. If
this is needed because of kerberos it should be ifdef'ed.

> -ifdef(`nfs_home_dirs', `
> +if (use_nfs_home_dirs) {
>  r_dir_file($1_login_t, nfs_t)
> -')dnl end if nfs_home_dirs
> +}

This should go into CVS ASAP, as mentioned above.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.17.37/domains/program/unused/acct.te
> --- nsapolicy/domains/program/unused/acct.te	2004-10-19 16:03:05.000000000 -0400
> +++ policy-1.17.37/domains/program/unused/acct.te	2004-11-02 10:30:33.000000000 -0500
> @@ -63,6 +63,7 @@
>  
>  ifdef(`logrotate.te', `
>  domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
> +allow logrotate_t acct_data_t:dir { search };
>  allow logrotate_t acct_data_t:file { create_file_perms };

allow logrotate_t acct_data_t:dir search;
allow logrotate_t acct_data_t:file create_file_perms;

This makes it easier to read, IMHO.

> --- nsapolicy/domains/program/unused/ftpd.te	2004-10-27 14:32:48.000000000 -0400
> +++ policy-1.17.37/domains/program/unused/ftpd.te	2004-11-02 10:30:33.000000000 -0500
> @@ -4,6 +4,7 @@
>  #           Russell Coker <russell@coker.com.au>
>  # X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
>  #
> +# Depends: inetd.te

Not true. There is a boolean ftpd_is_daemon which governs this.
Current policy needed inetd.te to compile but I think this is an error
in the policy. The following patch should fix it:

--- ftpd.te.orig	2004-11-03 00:37:16.000000000 +0100
+++ ftpd.te	2004-11-03 00:39:33.000000000 +0100
@@ -44,8 +44,6 @@
 rw_dir_create_file(ftpd_t, var_lock_t)
 allow ftpd_t ftp_port_t:tcp_socket name_bind;
 can_tcp_connect(userdomain, ftpd_t)
-# Allows it to check exec privs on daemon
-allow inetd_t ftpd_exec_t:file x_file_perms;
 }
 ifdef(`inetd.te', `
 if (!ftpd_is_daemon) {
  
>  allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
> +allow ftpd_t port_t:tcp_socket { name_bind };

I confess I am not too familiar with ftp, but does it really need to
bind to arbitrary ports, seems excessive and unneeded (and is not
granted in current policy as far as I can see)

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.17.37/domains/program/unused/ping.te
> --- nsapolicy/domains/program/unused/ping.te	2004-06-16 13:33:36.000000000 -0400
> +++ policy-1.17.37/domains/program/unused/ping.te	2004-11-02 10:30:33.000000000 -0500
> @@ -55,3 +56,5 @@
>  # it tries to access /var/run
>  dontaudit ping_t var_t:dir search;
>  
> +dontaudit ping_t devtty_t:chr_file { read write };
> +dontaudit ping_t ping_t:capability { sys_tty_config };

        dontaudit ping_t self:capability sys_tty_config;

is nicer.

> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.17.37/file_contexts/program/mailman.fc
> --- nsapolicy/file_contexts/program/mailman.fc	2004-10-13 22:41:58.000000000 -0400
> +++ policy-1.17.37/file_contexts/program/mailman.fc	2004-11-02 10:30:33.000000000 -0500
[...]
> +/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t
> +/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t
> +/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t

Sorry, I do not know mailman at all, so please excuse my ignorance.
But does mailman really have to write to /etc/mailman, which is
presumably it's configuration data? This is not nice at all.


> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.37/macros/program/ssh_macros.te
> --- nsapolicy/macros/program/ssh_macros.te	2004-10-14 23:25:20.000000000 -0400
> +++ policy-1.17.37/macros/program/ssh_macros.te	2004-11-02 10:30:33.000000000 -0500
> @@ -20,20 +20,16 @@
>  undefine(`ssh_domain')
>  ifdef(`ssh.te', `
>  define(`ssh_domain',`
> -ifdef(`single_userdomain', `
> -typealias $1_home_t alias $1_home_ssh_t;
> -typealias $1_t alias $1_ssh_t;
> -', `

Ahh, nice to see single_userdomain finally gone.

There were a few other superfluous braces, but the rest looks fine.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Patch to make can_network stronger and remove nscd tunable.

[Russell Coker]

On Wednesday 03 November 2004 11:07, Thomas Bleher 
<bleher@informatik.uni-muenchen.de> wrote:
> allow logrotate_t acct_data_t:dir search;
> allow logrotate_t acct_data_t:file create_file_perms;

I don't think that is correct either.  If you only have search access to a 
directory then you can not create a file inside it...

> >  allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
> > +allow ftpd_t port_t:tcp_socket { name_bind };
>
> I confess I am not too familiar with ftp, but does it really need to
> bind to arbitrary ports, seems excessive and unneeded (and is not
> granted in current policy as far as I can see)

I guess that would be for active FTP.  It's ugly but I don't think that we 
have a choice.

> > +/usr/lib/mailman/bin/qrunner    --
> > system_u:object_r:mailman_queue_exec_t +/etc/mailman(/.*)?    
> > system_u:object_r:mailman_data_t
> > +/var/spool/mailman(/.*)?    system_u:object_r:mailman_data_t
>
> Sorry, I do not know mailman at all, so please excuse my ignorance.
> But does mailman really have to write to /etc/mailman, which is
> presumably it's configuration data? This is not nice at all.

It shouldn't be necessary, and isn't unless mailman has changed recently.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Daniel J Walsh]

Thomas Bleher wrote:

>* Daniel J Walsh <dwalsh@redhat.com> [2004-11-02 18:35]:
>  
>
>>Updated with Russell's "daemon" change and other fixes.
>>
>>How does this look?
>>    
>>
>
>First off, it would be nice if you could split your patches into
>logically independant pieces, makes it much easier to read.
>
>I think there need to be some changes (comments below) but the
>nfs_home_dirs-related stuff should be merged as soon as possible.
>Currently it is broken in cvs because only some parts have been
>converted from tunable to boolean.
>
>  
>
Point taken.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.37/domains/program/crond.te
>>--- nsapolicy/domains/program/crond.te	2004-10-19 16:03:04.000000000 -0400
>>+++ policy-1.17.37/domains/program/crond.te	2004-11-02 10:30:33.000000000 -0500
>>@@ -114,6 +114,10 @@
>>+allow crond_t krb5_conf_t:file { getattr read };
>>+dontaudit crond_t krb5_conf_t:file { write };
>>    
>>
>
>If we are going to add this to more domains we should add a macro IMHO
>like can_krb5_connect() or something. I do not know much about kerberos,
>but I think most kerberized apps will need similar permissions which
>should only be granted if kerberos is used.
>
>  
>
I can run through the policy code an do this.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.17.37/domains/program/login.te
>>--- nsapolicy/domains/program/login.te	2004-10-19 16:03:05.000000000 -0400
>>+++ policy-1.17.37/domains/program/login.te	2004-11-02 10:30:33.000000000 -0500
>>@@ -21,6 +21,8 @@
>> dontaudit $1_login_t shadow_t:file { getattr read };
>> 
>> general_domain_access($1_login_t);
>>+can_network($1_login_t) 
>>+allow $1_login_t self:{ tcp_socket udp_socket } connect;
>>    
>>
>
>Huh? Where does this come from? Cannot see this in the cvs policy. If
>this is needed because of kerberos it should be ifdef'ed.
>
>  
>
Alot of pam protocols are going to require this kerberos, ldap, NIS 
(can_ypbind gives us this though).

>>-ifdef(`nfs_home_dirs', `
>>+if (use_nfs_home_dirs) {
>> r_dir_file($1_login_t, nfs_t)
>>-')dnl end if nfs_home_dirs
>>+}
>>    
>>
>
>This should go into CVS ASAP, as mentioned above.
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.17.37/domains/program/unused/acct.te
>>--- nsapolicy/domains/program/unused/acct.te	2004-10-19 16:03:05.000000000 -0400
>>+++ policy-1.17.37/domains/program/unused/acct.te	2004-11-02 10:30:33.000000000 -0500
>>@@ -63,6 +63,7 @@
>> 
>> ifdef(`logrotate.te', `
>> domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
>>+allow logrotate_t acct_data_t:dir { search };
>> allow logrotate_t acct_data_t:file { create_file_perms };
>>    
>>
>
>allow logrotate_t acct_data_t:dir search;
>allow logrotate_t acct_data_t:file create_file_perms;
>
>This makes it easier to read, IMHO.
>
>  
>
>>--- nsapolicy/domains/program/unused/ftpd.te	2004-10-27 14:32:48.000000000 -0400
>>+++ policy-1.17.37/domains/program/unused/ftpd.te	2004-11-02 10:30:33.000000000 -0500
>>@@ -4,6 +4,7 @@
>> #           Russell Coker <russell@coker.com.au>
>> # X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
>> #
>>+# Depends: inetd.te
>>    
>>
>
>Not true. There is a boolean ftpd_is_daemon which governs this.
>Current policy needed inetd.te to compile but I think this is an error
>in the policy. The following patch should fix it:
>  
>
Correct

>--- ftpd.te.orig	2004-11-03 00:37:16.000000000 +0100
>+++ ftpd.te	2004-11-03 00:39:33.000000000 +0100
>@@ -44,8 +44,6 @@
> rw_dir_create_file(ftpd_t, var_lock_t)
> allow ftpd_t ftp_port_t:tcp_socket name_bind;
> can_tcp_connect(userdomain, ftpd_t)
>-# Allows it to check exec privs on daemon
>-allow inetd_t ftpd_exec_t:file x_file_perms;
> }
> ifdef(`inetd.te', `
> if (!ftpd_is_daemon) {
>  
>  
>
>> allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
>>+allow ftpd_t port_t:tcp_socket { name_bind };
>>    
>>
>
>I confess I am not too familiar with ftp, but does it really need to
>bind to arbitrary ports, seems excessive and unneeded (and is not
>granted in current policy as far as I can see)
>
>  
>
This is caused by ypbind and should be removed.  can_ypbind now has this.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.17.37/domains/program/unused/ping.te
>>--- nsapolicy/domains/program/unused/ping.te	2004-06-16 13:33:36.000000000 -0400
>>+++ policy-1.17.37/domains/program/unused/ping.te	2004-11-02 10:30:33.000000000 -0500
>>@@ -55,3 +56,5 @@
>> # it tries to access /var/run
>> dontaudit ping_t var_t:dir search;
>> 
>>+dontaudit ping_t devtty_t:chr_file { read write };
>>+dontaudit ping_t ping_t:capability { sys_tty_config };
>>    
>>
>
>        dontaudit ping_t self:capability sys_tty_config;
>
>is nicer.
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.17.37/file_contexts/program/mailman.fc
>>--- nsapolicy/file_contexts/program/mailman.fc	2004-10-13 22:41:58.000000000 -0400
>>+++ policy-1.17.37/file_contexts/program/mailman.fc	2004-11-02 10:30:33.000000000 -0500
>>    
>>
>[...]
>  
>
>>+/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t
>>+/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t
>>+/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t
>>    
>>
>
>Sorry, I do not know mailman at all, so please excuse my ignorance.
>But does mailman really have to write to /etc/mailman, which is
>presumably it's configuration data? This is not nice at all.
>
>  
>
The problem here is that the administration of the config files is done 
though cgi scripts, so /etc/mailman
currently is managable via mailman_cgi_t.  Maybe we need a rewrite of 
mailman to add a mailman_conf_t or
some such.  But mailman_cgi_t still needs to manipulate both the 
mailman_conf_t and mailman_data_t.

Dan

>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.37/macros/program/ssh_macros.te
>>--- nsapolicy/macros/program/ssh_macros.te	2004-10-14 23:25:20.000000000 -0400
>>+++ policy-1.17.37/macros/program/ssh_macros.te	2004-11-02 10:30:33.000000000 -0500
>>@@ -20,20 +20,16 @@
>> undefine(`ssh_domain')
>> ifdef(`ssh.te', `
>> define(`ssh_domain',`
>>-ifdef(`single_userdomain', `
>>-typealias $1_home_t alias $1_home_ssh_t;
>>-typealias $1_t alias $1_ssh_t;
>>-', `
>>    
>>
>
>Ahh, nice to see single_userdomain finally gone.
>
>There were a few other superfluous braces, but the rest looks fine.
>
>Thomas
>
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Russell Coker]

On Wednesday 03 November 2004 02:56, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Updated with Russell's "daemon" change and other fixes.
>
> How does this look?

+can_network($1_login_t) 
+allow $1_login_t self:{ tcp_socket udp_socket } connect;

local_login_t does not need network access unless you use NIS or similar.  
can_ypbind() may be appropriate, but no other rules for network access for 
$1_login_t.

Your patch is allowing many domains access to { tcp_socket udp_socket } 
connect which have no need for network connections other than ypbind.  It's 
probably best to just add this to can_ypbind and not add it to ANY daemon 
policy except for daemons which obviously need it.  Otherwise this change 
will make the policy weaker overall by explicitely adding permissions where 
they are not needed.  If we don't have the time to do this properly right now 
then we should leave can_network as it is until we have more time to work on 
it.

Probably the best thing to do is to merge a patch that doesn't allow such 
access to any daemon apart from the most obvious cases (EG allowing a mail 
server to make TCP connections).  Things will work for the binary policy in 
Fedora as NIS support is enabled.  Then we can spend the next couple of 
months testing out all the daemons and submitting patches for exactly the 
connection access that is required.


+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')

What does mount do that requires nscd access?

Why does user_ssh_t require kill capability?

Does dhcpc_t require TCP connection access when there is no NIS?

Does innd_t require UDP connection access when there is no NIS?


sys_tty_config capability is another thing that should go into 
daemon_base_domain(), but as a dontaudit.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Daniel J Walsh]

Russell Coker wrote:

>On Wednesday 03 November 2004 02:56, Daniel J Walsh <dwalsh@redhat.com> wrote:
>  
>
>>Updated with Russell's "daemon" change and other fixes.
>>
>>How does this look?
>>    
>>
>
>+can_network($1_login_t) 
>+allow $1_login_t self:{ tcp_socket udp_socket } connect;
>
>local_login_t does not need network access unless you use NIS or similar.  
>can_ypbind() may be appropriate, but no other rules for network access for 
>$1_login_t.
>
>Your patch is allowing many domains access to { tcp_socket udp_socket } 
>connect which have no need for network connections other than ypbind.  It's 
>probably best to just add this to can_ypbind and not add it to ANY daemon 
>policy except for daemons which obviously need it.  Otherwise this change 
>will make the policy weaker overall by explicitely adding permissions where 
>they are not needed.  If we don't have the time to do this properly right now 
>then we should leave can_network as it is until we have more time to work on 
>it.
>
>  
>
Not true.  pam_kerberos, pam_ldap require network access.  login already 
has can_ypbind, which
used to be turned on by default.  Now there is a boolean to turn it off. 
and it is off by default, because it
gives too many privs.  The problem is that these other protocols are 
also allowed/required.   So this policy
is actually  tighter since the allow_ypbind is now off.

>Probably the best thing to do is to merge a patch that doesn't allow such 
>access to any daemon apart from the most obvious cases (EG allowing a mail 
>server to make TCP connections).  Things will work for the binary policy in 
>Fedora as NIS support is enabled.  Then we can spend the next couple of 
>months testing out all the daemons and submitting patches for exactly the 
>connection access that is required.
>
>
>+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
>
>What does mount do that requires nscd access?
>
>  
>
NFS Mounts probably.

>Why does user_ssh_t require kill capability?
>
>Does dhcpc_t require TCP connection access when there is no NIS?
>
>  
>
Not sure.

>Does innd_t require UDP connection access when there is no NIS?
>
>
>  
>
Probably not.

>sys_tty_config capability is another thing that should go into 
>daemon_base_domain(), but as a dontaudit.
>
>  
>
Ok.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Colin Walters]

On Wed, 2004-11-03 at 11:23 -0500, Daniel J Walsh wrote:

> Not true.  pam_kerberos, pam_ldap require network access.

I still think we should be expressing this at a higher level - these
PAM-related permissions seem more logically a part of the "auth"
attribute, not individual daemon domains.  In particular, using
pam_kerberos for some daemon domains but not others would be unusual -
Kerberos really only has value if you're using it for every login.
Similarly for pam_ldap.

Once we have Russell's change to add the "daemon" attribute, I think
that can_ypbind should be keyed off that too, rather than being
something we add to essentially every daemon domain's .te file.  If you
want to use YP, you're going to want it everywhere.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Colin Walters]

On Wed, 2004-11-03 at 13:45 -0500, Colin Walters wrote:

> Once we have Russell's change to add the "daemon" attribute, I think
> that can_ypbind should be keyed off that too, rather than being
> something we add to essentially every daemon domain's .te file.  If you
> want to use YP, you're going to want it everywhere.

I take this back - there are daemons that don't need to get user
attributes, and there are other programs besides daemons that need to
use YP.

But I do hope we can push PAM-related permissions into the auth or
auth_chkpwd attributes; when I was trying to set up my FC2 server to use
Kerberos I had to modify individual daemon domains.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 448 bytes --]

Another pass at the patch.

Sorry about having them all together,  tried to break it apart but it 
would take forever.

Moved can_kerberos to chkpwd_macros so all auth_chkpwd functions
automatically get can_kerberos and can_ypbind.   Might add a boolean for
can_kerberos or maybe just can_network_auth and eliminate can_network
from auth_chkpwd.

Removed the rest of single_userdomain

Colins patch of dbus

Cleanup of nfs_home_dir to boolean

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 101888 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.18.1/attrib.te
--- nsapolicy/attrib.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.18.1/attrib.te	2004-11-03 17:45:15.652295757 -0500
@@ -44,6 +44,10 @@
 # init to kill all processes.
 attribute domain;
 
+# The daemon attribute identifies domains for system processes created via
+# the daemon_domain, daemon_base_domain, and init_service_domain macros.
+attribute daemon;
+
 # The privuser attribute identifies every domain that can 
 # change its SELinux user identity.  This attribute is used 
 # in the constraints configuration.  NOTE:  This attribute
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.18.1/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-10-19 16:03:04.000000000 -0400
+++ policy-1.18.1/domains/program/crond.te	2004-11-03 17:45:15.652295757 -0500
@@ -23,7 +23,6 @@
 
 # Type for temporary files.
 tmp_domain(crond)
-can_ypbind(crond_t)
 
 crond_domain(system)
 
@@ -114,6 +113,8 @@
 # Use capabilities.
 allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 
+allow crond_t urandom_device_t:chr_file { getattr read };
+
 # Read the system crontabs.
 allow system_crond_t system_cron_spool_t:file r_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.18.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.18.1/domains/program/initrc.te	2004-11-03 17:45:15.653295644 -0500
@@ -303,8 +303,8 @@
 ')
 
 # for lsof in shutdown scripts
-allow initrc_t krb5_conf_t:file read;
-dontaudit initrc_t krb5_conf_t:file write;
+can_kerberos(initrc_t)
+
 #
 # Wants to remove udev.tbl
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.18.1/domains/program/login.te
--- nsapolicy/domains/program/login.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.18.1/domains/program/login.te	2004-11-03 17:45:15.654295531 -0500
@@ -21,6 +21,8 @@
 dontaudit $1_login_t shadow_t:file { getattr read };
 
 general_domain_access($1_login_t);
+can_network($1_login_t) 
+allow $1_login_t self:{ tcp_socket udp_socket } connect;
 
 # Read system information files in /proc.
 allow $1_login_t proc_t:dir r_dir_perms;
@@ -81,9 +83,9 @@
 ')
 allow $1_login_t mnt_t:dir r_dir_perms;
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_login_t, nfs_t)
-')dnl end if nfs_home_dirs
+}
 
 # FIXME: what is this for?
 ifdef(`xdm.te', `
@@ -117,8 +119,6 @@
 allow $1_login_t mail_spool_t:file getattr;
 allow $1_login_t mail_spool_t:lnk_file read;
 
-dontaudit $1_login_t krb5_conf_t:file { write };
-allow $1_login_t krb5_conf_t:file { getattr read };
 # Get security policy decisions.
 can_getsecurity($1_login_t)
 
@@ -127,8 +127,6 @@
 allow $1_login_t default_context_t:dir { search };
 r_dir_file($1_login_t, selinux_config_t)
 
-can_ypbind($1_login_t)
-
 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
 dontaudit $1_login_t init_t:fd { use };
 ')dnl end login_domain macro
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.18.1/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te	2004-09-02 14:45:45.000000000 -0400
+++ policy-1.18.1/domains/program/logrotate.te	2004-11-03 17:45:15.655295418 -0500
@@ -13,7 +13,7 @@
 # logrotate_t is the domain for the logrotate program.
 # logrotate_exec_t is the type of the corresponding program.
 #
-type logrotate_t, domain, privowner, privmail, priv_system_role;
+type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
 role system_r types logrotate_t;
 role sysadm_r types logrotate_t;
 uses_shlib(logrotate_t);
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.18.1/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-10-09 21:06:13.000000000 -0400
+++ policy-1.18.1/domains/program/mount.te	2004-11-03 17:45:15.655295418 -0500
@@ -11,7 +11,7 @@
 
 type mount_exec_t, file_type, sysadmfile, exec_type;
 
-mount_domain(sysadm, mount, `, fs_domain')
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
 mount_loopback_privs(sysadm, mount)
 role sysadm_r types mount_t;
 role system_r types mount_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.18.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.18.1/domains/program/ssh.te	2004-11-03 17:45:15.656295305 -0500
@@ -69,27 +69,17 @@
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 can_network($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 
-allow $1_t self:capability { sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
-can_ypbind($1_t)
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')
 allow $1_t nfs_t:dir { search getattr };
 allow $1_t nfs_t:file { getattr read };
-} dnl end if nfs_home_dirs
-
-ifdef(`single_userdomain', `
-if (ssh_sysadm_login) {
-allow $1_t home_type:dir { getattr search };
-allow $1_t home_type:file { getattr read };
-} else {
-allow $1_t user_home_type:dir { getattr search };
-allow $1_t user_home_type:file { getattr read };
-} dnl end ssh sysadm login
-')dnl end single userdomain
+} dnl end if use_nfs_home_dirs
 
 # Set exec context.
 can_setexec($1_t)
@@ -223,8 +213,6 @@
 ifdef(`automount.te', `
 allow sshd_t autofs_t:dir { search };
 ')
-dontaudit sshd_t krb5_conf_t:file { write };
-allow sshd_t krb5_conf_t:file { getattr read };
 
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.18.1/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.18.1/domains/program/syslogd.te	2004-11-03 17:45:15.656295305 -0500
@@ -54,6 +54,8 @@
 allow privlog devlog_t:sock_file rw_file_perms;
 can_unix_send(privlog,syslogd_t)
 can_unix_connect(privlog,syslogd_t)
+allow syslogd_t self:{ tcp_socket udp_socket } connect;
+
 # allow /dev/log to be a link elsewhere for chroot setup
 allow privlog devlog_t:lnk_file read;
 
@@ -96,4 +98,4 @@
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir { search };
 dontaudit syslogd_t unlabeled_t:file read;
-dontaudit syslogd_t devpts_t:chr_file getattr;
+dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.18.1/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.18.1/domains/program/unused/acct.te	2004-11-03 17:45:15.657295192 -0500
@@ -63,6 +63,8 @@
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
+allow logrotate_t acct_data_t:dir { search };
 allow logrotate_t acct_data_t:file { create_file_perms };
+can_exec(logrotate_t, acct_data_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.18.1/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/anaconda.te	2004-11-03 17:45:15.658295079 -0500
@@ -242,8 +242,7 @@
 ifdef(`udev.te', `
 domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
 ')
-allow anaconda_t krb5_conf_t:file read;
-dontaudit anaconda_t krb5_conf_t:file write;
+can_kerberos(anaconda_t)
 
 ifdef(`ssh-agent.te', `
 role system_r types sysadm_ssh_agent_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.18.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.18.1/domains/program/unused/apache.te	2004-11-03 17:45:15.658295079 -0500
@@ -136,6 +136,7 @@
 
 can_network(httpd_t)
 can_ypbind(httpd_t)
+allow httpd_t self:{ tcp_socket udp_socket } connect;
 
 ###################
 # Allow httpd to search users diretories
@@ -249,7 +250,7 @@
 allow httpd_t autofs_t:dir { search getattr };
 allow httpd_suexec_t autofs_t:dir { search getattr };
 ')
-if (nfs_home_dirs && httpd_enable_homedirs) {
+if (use_nfs_home_dirs && httpd_enable_homedirs) {
 r_dir_file(httpd_t, nfs_t)
 r_dir_file(httpd_suexec_t, nfs_t)
 can_exec(httpd_suexec_t, nfs_t)
@@ -269,8 +270,7 @@
 ##################################################
 dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
 
-allow httpd_t krb5_conf_t:file { getattr read };
-dontaudit httpd_t krb5_conf_t:file { write };
+can_kerberos(httpd_t)
 
 ifdef(`targeted_policy', `
 typealias httpd_sys_content_t alias httpd_user_content_t;
@@ -298,5 +298,6 @@
 # Customer reported the following
 #
 ifdef(`snmpd.te', `
+dontaudit httpd_t snmpd_var_lib_t:dir { search };
 dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.18.1/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.18.1/domains/program/unused/arpwatch.te	2004-11-03 17:45:15.659294966 -0500
@@ -25,10 +25,15 @@
 allow arpwatch_t netif_lo_t:netif { udp_send };
 allow arpwatch_t sbin_t:dir { search };
 allow arpwatch_t sbin_t:lnk_file { read };
-can_network(arpwatch_t)
+can_tcp_network(arpwatch_t)
 can_ypbind(arpwatch_t)
+allow arpwatch_t self:tcp_socket connect;
+
+ifdef(`mta.te', `
 allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
+allow system_mail_t arpwatch_data_t:dir { getattr search };
+')
 ifdef(`postfix.te', `
 allow postfix_local_t arpwatch_data_t:dir { search };
 ')
-
+allow arpwatch_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.18.1/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/bluetooth.te	2004-11-03 17:45:15.659294966 -0500
@@ -22,7 +22,7 @@
 # Use the network.
 can_network(bluetooth_t)
 can_ypbind(bluetooth_t)
-dbusd_client(system, bluetooth_t)
+dbusd_client(system, bluetooth)
 allow bluetooth_t self:socket { create setopt ioctl bind listen };
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.18.1/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/bootloader.te	2004-11-03 17:45:15.660294853 -0500
@@ -10,7 +10,7 @@
 #
 # bootloader_exec_t is the type of the bootloader executable.
 #
-type bootloader_t, domain, privlog, privmem, fs_domain ifdef(`direct_sysadm_daemon', `, priv_system_role');
+type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role');
 type bootloader_exec_t, file_type, sysadmfile, exec_type;
 etc_domain(bootloader)
 typealias bootloader_etc_t alias etc_bootloader_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.18.1/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/canna.te	2004-11-03 17:45:15.661294740 -0500
@@ -28,8 +28,9 @@
 
 rw_dir_create_file(canna_t, canna_var_lib_t)
 
-can_network(canna_t)
+can_tcp_network(canna_t)
 can_ypbind(canna_t)
+allow canna_t self:tcp_socket connect;
 
 allow userdomain canna_var_run_t:dir search;
 allow userdomain canna_var_run_t:sock_file write;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.18.1/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.18.1/domains/program/unused/cardmgr.te	2004-11-03 17:45:15.661294740 -0500
@@ -82,3 +82,7 @@
 dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
 dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
 ')
+ifdef(`hald.te', `
+rw_dir_file(hald_t, cardmgr_var_run_t)
+allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.18.1/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.18.1/domains/program/unused/consoletype.te	2004-11-03 17:45:15.662294627 -0500
@@ -59,3 +59,5 @@
 ')
 dontaudit consoletype_t proc_t:file { read };
 dontaudit consoletype_t root_t:file { read };
+allow consoletype_t crond_t:fifo_file { read };
+allow consoletype_t fs_t:filesystem { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/courier.te policy-1.18.1/domains/program/unused/courier.te
--- nsapolicy/domains/program/unused/courier.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.18.1/domains/program/unused/courier.te	2004-11-03 17:45:15.662294627 -0500
@@ -47,7 +47,6 @@
 
 # Use the network.
 can_network(courier_$1_t)
-can_ypbind(courier_$1_t)
 allow courier_$1_t self:fifo_file { read write getattr };
 allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
 allow courier_$1_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cpuspeed.te policy-1.18.1/domains/program/unused/cpuspeed.te
--- nsapolicy/domains/program/unused/cpuspeed.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.18.1/domains/program/unused/cpuspeed.te	2004-11-03 17:45:15.663294514 -0500
@@ -8,3 +8,5 @@
 allow cpuspeed_t sysfs_t:file rw_file_perms;
 allow cpuspeed_t proc_t:dir r_dir_perms;
 allow cpuspeed_t proc_t:file { getattr read };
+allow cpuspeed_t etc_runtime_t:file { getattr read };
+allow cpuspeed_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.18.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/cups.te	2004-11-03 17:45:15.663294514 -0500
@@ -19,7 +19,8 @@
 typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
 
 can_network(cupsd_t)
-can_ypbind(cupsd_t)
+allow cupsd_t self:{ tcp_socket udp_socket } connect;
+
 logdir_domain(cupsd)
 
 tmp_domain(cupsd)
@@ -199,9 +200,11 @@
 
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_t)
-dbusd_client(system, cupsd_config_t)
+dbusd_client(system, cupsd)
+dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus { send_msg };
+allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow cupsd_t system_dbusd_t:dbus { send_msg };
 allow userdomain cupsd_config_t:dbus { send_msg };
 allow cupsd_config_t hald_t:dbus { send_msg };
 allow hald_t cupsd_config_t:dbus { send_msg };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.18.1/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2004-05-04 15:35:53.000000000 -0400
+++ policy-1.18.1/domains/program/unused/cyrus.te	2004-11-03 17:45:15.664294401 -0500
@@ -20,6 +20,7 @@
 
 can_network(cyrus_t)
 can_ypbind(cyrus_t)
+allow cyrus_t self:{ tcp_socket udp_socket } connect;
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
 allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
@@ -45,3 +46,4 @@
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
 allow system_crond_su_t cyrus_var_lib_t:dir { search };
 ')
+allow cyrus_t mail_port_t:tcp_socket { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.18.1/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.18.1/domains/program/unused/dbskkd.te	2004-11-03 17:45:15.664294401 -0500
@@ -9,5 +9,6 @@
 #
 # dbskkd_exec_t is the type of the dbskkd executable.
 #
+# Depends: inetd.te
 
 inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.18.1/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/dhcpc.te	2004-11-03 17:45:15.665294288 -0500
@@ -24,6 +24,7 @@
 
 can_network(dhcpc_t)
 can_ypbind(dhcpc_t)
+allow dhcpc_t self:tcp_socket connect;
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
 allow dhcpc_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.18.1/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.18.1/domains/program/unused/dhcpd.te	2004-11-03 17:45:15.665294288 -0500
@@ -31,6 +31,7 @@
 # Use the network.
 can_network(dhcpd_t)
 can_ypbind(dhcpd_t)
+allow dhcpd_t self:tcp_socket connect;
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.18.1/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/dovecot.te	2004-11-03 17:45:15.666294175 -0500
@@ -15,6 +15,8 @@
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
+allow dovecot_t self:tcp_socket connect;
+
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
@@ -31,8 +33,7 @@
 allow dovecot_t { self proc_t }:file { getattr read };
 allow dovecot_t self:fifo_file rw_file_perms;
 
-dontaudit dovecot_t krb5_conf_t:file { write };
-allow dovecot_t krb5_conf_t:file { getattr read };
+can_kerberos(dovecot_t)
 
 daemon_sub_domain(dovecot_t, dovecot_auth, `, auth')
 allow dovecot_auth_t self:process { fork signal_perms };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.18.1/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.18.1/domains/program/unused/firstboot.te	2004-11-03 17:45:15.667294062 -0500
@@ -55,8 +55,7 @@
 # Allow write to utmp file
 allow firstboot_t initrc_var_run_t:file { write };
 
-allow firstboot_t krb5_conf_t:file { getattr read };
-allow firstboot_t net_conf_t:file { getattr read };
+can_kerberos(firstboot_t)
 
 ifdef(`samba.te', `
 rw_dir_file(firstboot_t, samba_etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.18.1/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.18.1/domains/program/unused/ftpd.te	2004-11-03 17:45:15.667294062 -0500
@@ -4,6 +4,7 @@
 #           Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
 #
+# Depends: inetd.te
 
 #################################
 #
@@ -16,7 +17,7 @@
 typealias ftpd_etc_t alias etc_ftpd_t;
 
 can_network(ftpd_t)
-can_ypbind(ftpd_t)
+allow ftpd_t self:udp_socket connect;
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -32,11 +33,13 @@
 
 ifdef(`crond.te', `
 system_crond_entry(ftpd_exec_t, ftpd_t)
+allow system_crond_t xferlog_t:file r_file_perms;
 can_exec(ftpd_t, { sbin_t shell_exec_t })
 allow ftpd_t usr_t:file { getattr read };
 ')
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
+allow ftpd_t port_t:tcp_socket { name_bind };
 
 # Allow ftpd to run directly without inetd.
 bool ftpd_is_daemon false;
@@ -85,9 +88,7 @@
 allow ftpd_t proc_t:file { getattr read };
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
-dontaudit ftpd_t krb5_conf_t:file { write };
 dontaudit ftpd_t selinux_config_t:dir search;
-allow ftpd_t krb5_conf_t:file { getattr read };
 ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir { search };
 ')
@@ -97,7 +98,7 @@
 # Allow ftp to read/write files in the user home directories.
 bool ftp_home_dir false;
 
-if (ftp_home_dir && nfs_home_dirs) {
+if (ftp_home_dir && use_nfs_home_dirs) {
 allow ftpd_t nfs_t:dir r_dir_perms;
 allow ftpd_t nfs_t:file r_file_perms;
 # dont allow access to /home
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.18.1/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-11-01 11:04:36.000000000 -0500
+++ policy-1.18.1/domains/program/unused/hald.te	2004-11-03 17:45:15.668293949 -0500
@@ -19,8 +19,8 @@
 allow hald_t self:unix_dgram_socket create_socket_perms;
 
 ifdef(`dbusd.te', `
-allow hald_t system_dbusd_t:dbus { acquire_svc };
-dbusd_client(system, hald_t)
+allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
+dbusd_client(system, hald)
 ')
 
 allow hald_t { self proc_t }:file { getattr read };
@@ -31,12 +31,13 @@
 
 allow hald_t bin_t:file { getattr };
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
 can_network(hald_t)
 can_ypbind(hald_t)
 
 allow hald_t device_t:lnk_file read;
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
+allow hald_t removable_device_t:blk_file { write };
 allow hald_t event_device_t:chr_file { getattr read ioctl };
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file { read };
@@ -60,7 +61,11 @@
 allow hald_t usbfs_t:dir search;
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
+dontaudit hald_t selinux_config_t:dir { search };
 allow hald_t initrc_t:dbus { send_msg };
 allow initrc_t hald_t:dbus { send_msg };
 allow hald_t etc_runtime_t:file rw_file_perms;
+allow hald_t var_lib_t:dir search;
+allow hald_t device_t:dir { create_dir_perms };
+allow hald_t { device_t }:{ chr_file } { create_file_perms };
+tmp_domain(hald)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.18.1/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.18.1/domains/program/unused/hotplug.te	2004-11-03 17:45:15.669293836 -0500
@@ -151,7 +151,7 @@
 
 can_network(hotplug_t)
 can_ypbind(hotplug_t)
-dbusd_client(system, hotplug_t)
+dbusd_client(system, hotplug)
 
 # Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
 domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.18.1/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/i18n_input.te	2004-11-03 17:45:15.669293836 -0500
@@ -11,6 +11,7 @@
 can_exec(i18n_input_t, i18n_input_exec_t)
 can_network(i18n_input_t)
 can_ypbind(i18n_input_t)
+allow i18n_input_t self:udp_socket connect;
 
 can_tcp_connect(userdomain, i18n_input_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.18.1/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.18.1/domains/program/unused/inetd.te	2004-11-03 17:45:15.670293723 -0500
@@ -18,9 +18,11 @@
 # Rules for the inetd_t domain.
 #
 
-daemon_domain(inetd, `, nscd_client_domain ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
+allow inetd_t self:udp_socket connect;
+
 allow inetd_t self:unix_dgram_socket create_socket_perms;
 allow inetd_t self:unix_stream_socket create_socket_perms;
 allow inetd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.18.1/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/innd.te	2004-11-03 17:45:15.670293723 -0500
@@ -30,6 +30,7 @@
 
 can_network(innd_t)
 can_ypbind(innd_t)
+allow innd_t self:udp_socket connect;
 
 can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
 allow innd_t self:unix_dgram_socket create_socket_perms;
@@ -64,6 +65,9 @@
 
 ifdef(`crond.te', `
 system_crond_entry(innd_exec_t, innd_t)
+allow system_crond_t innd_etc_t:file { getattr read };
+rw_dir_create_file(system_crond_t, innd_log_t)
+rw_dir_create_file(system_crond_t, innd_var_run_t)
 ')
 ifdef(`syslogd.te', `
 allow syslogd_t innd_log_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.18.1/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.18.1/domains/program/unused/ipsec.te	2004-11-03 17:45:15.671293610 -0500
@@ -25,7 +25,7 @@
 # lots of strange stuff for the ipsec_var_run_t - need to check it
 var_run_domain(ipsec)
 
-type ipsec_mgmt_t, domain, privlog, admin, privmodule;
+type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
 type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.18.1/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/ktalkd.te	2004-11-03 17:45:15.671293610 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.18.1/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/kudzu.te	2004-11-03 17:45:15.672293497 -0500
@@ -13,7 +13,7 @@
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t etc_t:file { getattr read };
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 allow kudzu_t modules_conf_t:file { getattr read };
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
@@ -80,7 +80,8 @@
 allow kudzu_t sysfs_t:lnk_file read;
 file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
 allow kudzu_t tape_device_t:chr_file r_file_perms;
-allow kudzu_t tmp_t:dir { search };
+tmp_domain(kudzu)
+file_type_auto_trans(kudzu_t, tmp_t, kudzu_tmp_t, chr_file)
 
 # for file systems that are not yet mounted
 dontaudit kudzu_t file_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.18.1/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/mailman.te	2004-11-03 17:45:15.673293384 -0500
@@ -20,7 +20,7 @@
 can_exec_any(mailman_$1_t)
 allow mailman_$1_t { proc_t sysctl_t sysctl_kernel_t }:dir search;
 allow mailman_$1_t { proc_t sysctl_kernel_t }:file { read getattr };
-allow mailman_$1_t var_lib_t:dir { getattr search };
+allow mailman_$1_t var_lib_t:dir { getattr search read };
 allow mailman_$1_t var_lib_t:lnk_file read;
 allow mailman_$1_t device_t:dir search;
 allow mailman_$1_t etc_runtime_t:file { read getattr };
@@ -29,14 +29,16 @@
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
-can_ypbind(mailman_$1_t)
+allow mailman_$1_t self:udp_socket connect;
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
 ')
 
-mailman_domain(queue, `, auth_chkpwd')
+mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
 can_tcp_connect(mailman_queue_t, mail_server_domain)
+allow mailman_queue_t self:tcp_socket connect;
 
+dontaudit mailman_queue_t src_t:dir { search };
 can_exec(mailman_queue_t, su_exec_t)
 allow mailman_queue_t self:capability { setgid setuid };
 allow mailman_queue_t self:fifo_file rw_file_perms;
@@ -72,8 +74,9 @@
 domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
 # should have separate types for public and private archives
 r_dir_file(httpd_t, mailman_archive_t)
-allow httpd_t mailman_data_t:dir search;
-r_dir_file(mailman_cgi_t, mailman_archive_t)
+allow httpd_t mailman_data_t:dir { getattr search };
+rw_dir_file(mailman_cgi_t, mailman_archive_t)
+allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
 
 dontaudit mailman_cgi_t httpd_log_t:file append;
 allow httpd_t mailman_cgi_t:process signal;
@@ -83,6 +86,8 @@
 allow mailman_cgi_t httpd_sys_script_t:dir search;
 allow mailman_cgi_t devtty_t:chr_file { read write };
 allow mailman_cgi_t self:process { fork sigchld };
+allow mailman_cgi_t var_spool_t:dir { search };
+dontaudit mailman_cgi_t src_t:dir { search };
 ')
 
 allow mta_delivery_agent mailman_data_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mdadm.te policy-1.18.1/domains/program/unused/mdadm.te
--- nsapolicy/domains/program/unused/mdadm.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/mdadm.te	2004-11-03 17:45:15.673293384 -0500
@@ -40,4 +40,4 @@
 dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
 dontaudit mdadm_t initctl_t:fifo_file { getattr };
 var_run_domain(mdadm)
-allow mdadm_t var_t:dir { getattr };
+allow mdadm_t var_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.18.1/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/named.te	2004-11-03 17:45:15.674293271 -0500
@@ -19,7 +19,7 @@
 file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
 
 # ndc_t is the domain for the ndc program
-type ndc_t, domain, privlog;
+type ndc_t, domain, privlog, nscd_client_domain;
 role sysadm_r types ndc_t;
 role system_r types ndc_t;
 
@@ -52,6 +52,8 @@
 #Named can use network
 can_network(named_t)
 can_ypbind(named_t)
+allow named_t self:tcp_socket connect;
+
 # allow UDP transfer to/from any program
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
@@ -102,6 +104,7 @@
 uses_shlib(ndc_t)
 can_network(ndc_t)
 can_ypbind(ndc_t)
+allow ndc_t self:tcp_socket connect;
 read_locale(ndc_t)
 can_tcp_connect(ndc_t, named_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.18.1/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.18.1/domains/program/unused/nscd.te	2004-11-03 17:45:15.675293158 -0500
@@ -5,7 +5,7 @@
 #
 define(`nscd_socket_domain', `
 can_unix_connect($1, nscd_t)
-allow nscd_client_domain nscd_var_run_t:sock_file rw_file_perms;
+allow $1 nscd_var_run_t:sock_file rw_file_perms;
 allow $1 { var_run_t var_t }:dir search;
 allow $1 nscd_t:nscd { getpwd getgrp gethost };
 dontaudit $1 nscd_t:fd { use };
@@ -18,23 +18,20 @@
 # Rules for the nscd_t domain.
 #
 # nscd is both the client program and the daemon.
-daemon_domain(nscd, `, userspace_objmgr, nscd_client_domain')
+daemon_domain(nscd, `, userspace_objmgr')
 
 allow nscd_t etc_t:file r_file_perms;
 allow nscd_t etc_t:lnk_file read;
 can_network(nscd_t)
 can_ypbind(nscd_t)
+allow nscd_t self:{ tcp_socket udp_socket } connect;
 
 file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
 
 allow nscd_t self:unix_stream_socket create_stream_socket_perms;
 
-# Clients that can get information via the socket interface.
-ifdef(`nscd_all_connect', `
-nscd_socket_domain(domain)
-', `
 nscd_socket_domain(nscd_client_domain)
-')dnl nscd_all_connect
+nscd_socket_domain(daemon)
 
 # Clients that are allowed to map the database via a fd obtained from nscd.
 nscd_socket_domain(nscd_shmem_domain)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.18.1/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/ntpd.te	2004-11-03 17:45:15.675293158 -0500
@@ -12,6 +12,9 @@
 type ntp_drift_t, file_type, sysadmfile;
 type ntp_port_t, port_type, reserved_port_type;
 
+type ntpdate_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
+
 logdir_domain(ntpd)
 
 allow ntpd_t var_lib_t:dir r_dir_perms;
@@ -36,6 +39,7 @@
 # Use the network.
 can_network(ntpd_t)
 can_ypbind(ntpd_t)
+allow ntpd_t self:{ tcp_socket udp_socket } connect;
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.18.1/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te	2004-06-16 13:33:36.000000000 -0400
+++ policy-1.18.1/domains/program/unused/ping.te	2004-11-03 17:45:15.676293045 -0500
@@ -35,6 +35,7 @@
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
+allow ping_t self:{ tcp_socket udp_socket } connect;
 
 # Let ping create raw ICMP packets.
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
@@ -55,3 +56,5 @@
 # it tries to access /var/run
 dontaudit ping_t var_t:dir search;
 
+dontaudit ping_t devtty_t:chr_file { read write };
+dontaudit ping_t ping_t:capability { sys_tty_config };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.18.1/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.18.1/domains/program/unused/portmap.te	2004-11-03 17:45:15.676293045 -0500
@@ -23,6 +23,7 @@
 tmp_domain(portmap)
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
 
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
@@ -51,4 +52,4 @@
 
 # Use capabilities
 allow portmap_t self:capability { net_bind_service setuid setgid };
-
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.18.1/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/postfix.te	2004-11-03 17:45:15.677292933 -0500
@@ -119,6 +119,8 @@
 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
 can_network(postfix_master_t)
 can_ypbind(postfix_master_t)
+allow postfix_master_t self:{ tcp_socket udp_socket } connect;
+
 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.18.1/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/postgresql.te	2004-11-03 17:45:15.678292820 -0500
@@ -13,6 +13,8 @@
 type postgresql_port_t, port_type;
 daemon_domain(postgresql)
 allow initrc_t postgresql_exec_t:lnk_file read;
+allow postgresql_t usr_t:file { getattr read };
+allow postgresql_t self:udp_socket connect;
 
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.18.1/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/rlogind.te	2004-11-03 17:45:15.678292820 -0500
@@ -14,7 +14,6 @@
 role system_r types rlogind_t;
 uses_shlib(rlogind_t)
 can_network(rlogind_t)
-can_ypbind(rlogind_t)
 type rlogind_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(inetd_t, rlogind_exec_t, rlogind_t)
 ifdef(`tcpd.te', `
@@ -75,8 +74,6 @@
 # Modify /var/log/wtmp.
 allow rlogind_t var_log_t:dir search;
 allow rlogind_t wtmp_t:file rw_file_perms;
-allow rlogind_t krb5_conf_t:file { getattr read };
-dontaudit rlogind_t krb5_conf_t:file write;
 allow rlogind_t urandom_device_t:chr_file { getattr read };
 dontaudit rlogind_t selinux_config_t:dir search;
 allow rlogind_t staff_home_dir_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.18.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/rpcd.te	2004-11-03 17:45:15.679292707 -0500
@@ -14,6 +14,7 @@
 daemon_base_domain($1)
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
@@ -24,6 +25,7 @@
 allow $1_t var_lib_nfs_t:file create_file_perms;
 # do not log when it tries to bind to a port belonging to another domain
 dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
 allow $1_t self:netlink_route_socket r_netlink_socket_perms;
 allow $1_t self:unix_dgram_socket create_socket_perms;
 allow $1_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.18.1/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/rpm.te	2004-11-03 17:45:15.679292707 -0500
@@ -184,11 +184,9 @@
 
 allow rpm_script_t urandom_device_t:chr_file read;
 
-ifdef(`single_userdomain', `', `
 ifdef(`ssh-agent.te', `
 domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
 ')
-')dnl end if single_userdomain
 
 ifdef(`useradd.te', `
 domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.18.1/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/rshd.te	2004-11-03 17:45:15.680292594 -0500
@@ -31,8 +31,9 @@
 allow rshd_t self:unix_dgram_socket create_socket_perms;
 allow rshd_t self:unix_stream_socket create_stream_socket_perms;
 allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
-allow rshd_t krb5_conf_t:file { getattr read };
-dontaudit rshd_t krb5_conf_t:file write;
+can_kerberos(rshd_t)
 allow rshd_t tmp_t:dir { search };
+ifdef(`rlogind.te', `
 allow rshd_t rlogind_tmp_t:file rw_file_perms;
+')
 allow rshd_t urandom_device_t:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.18.1/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/rsync.te	2004-11-03 17:45:15.680292594 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.18.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.1/domains/program/unused/samba.te	2004-11-03 17:45:15.681292481 -0500
@@ -49,7 +49,6 @@
 
 # Use the network.
 can_network(smbd_t)
-can_ypbind(smbd_t)
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.18.1/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.1/domains/program/unused/sendmail.te	2004-11-03 17:45:15.681292481 -0500
@@ -27,6 +27,7 @@
 # Use the network.
 can_network(sendmail_t)
 can_ypbind(sendmail_t)
+allow sendmail_t self:{ tcp_socket udp_socket } connect;
 
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.18.1/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/slapd.te	2004-11-03 17:45:15.682292368 -0500
@@ -30,6 +30,7 @@
 allow slapd_t self:unix_dgram_socket create_socket_perms;
 # allow any domain to connect to the LDAP server
 can_tcp_connect(domain, slapd_t)
+allow slapd_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities  should not need kill...
 allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.18.1/domains/program/unused/slocate.te
--- nsapolicy/domains/program/unused/slocate.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.18.1/domains/program/unused/slocate.te	2004-11-03 17:45:15.682292368 -0500
@@ -70,3 +70,6 @@
 typealias sysadm_t alias sysadm_locate_t;
 
 allow locate_t userdomain:fd { use };
+ifdef(`cardmgr.te', `
+allow locate_t cardmgr_var_run_t:chr_file getattr;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.18.1/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.18.1/domains/program/unused/snmpd.te	2004-11-03 17:45:15.683292255 -0500
@@ -15,6 +15,7 @@
 
 can_network(snmpd_t)
 can_ypbind(snmpd_t)
+allow snmpd_t self:{ tcp_socket udp_socket } connect;
 
 type snmp_port_t, port_type, reserved_port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
@@ -38,7 +39,7 @@
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_socket_perms;
 allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file { getattr read };
+allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
 allow snmpd_t urandom_device_t:chr_file read;
 allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.18.1/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.18.1/domains/program/unused/spamd.te	2004-11-03 17:45:15.684292142 -0500
@@ -24,6 +24,7 @@
 dontaudit spamd_t sysadm_home_dir_t:dir getattr;
 
 can_network(spamd_t)
+allow spamd_t self:{ tcp_socket udp_socket } connect;
 allow spamd_t self:capability { net_bind_service };
 
 allow spamd_t proc_t:file { getattr read };
@@ -59,7 +60,7 @@
 allow spamd_t autofs_t:dir { search getattr };
 ')
 
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 allow spamd_t nfs_t:dir rw_dir_perms;
 allow spamd_t nfs_t:file create_file_perms;
 }
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.18.1/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.18.1/domains/program/unused/squid.te	2004-11-03 17:45:15.684292142 -0500
@@ -56,6 +56,7 @@
 can_network(squid_t)
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
+allow squid_t self:{ tcp_socket udp_socket } connect;
 
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
 allow squid_t http_cache_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.18.1/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.18.1/domains/program/unused/swat.te	2004-11-03 17:45:15.685292029 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/traceroute.te policy-1.18.1/domains/program/unused/traceroute.te
--- nsapolicy/domains/program/unused/traceroute.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.18.1/domains/program/unused/traceroute.te	2004-11-03 17:45:15.685292029 -0500
@@ -20,6 +20,7 @@
 uses_shlib(traceroute_t)
 can_network(traceroute_t)
 can_ypbind(traceroute_t)
+allow traceroute_t self:{ tcp_socket udp_socket } connect;
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.18.1/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.1/domains/program/unused/udev.te	2004-11-03 17:45:15.686291916 -0500
@@ -81,6 +81,7 @@
 ifdef(`xdm.te', `
 allow udev_t xdm_var_run_t:file { getattr read };
 ')
+dontaudit udev_t staff_home_dir_t:dir { search };
 
 ifdef(`hotplug.te', `
 r_dir_file(udev_t, hotplug_etc_t)
@@ -108,7 +109,7 @@
 
 allow udev_t udev_helper_exec_t:dir r_dir_perms;
 
-dbusd_client(system, udev_t)
+dbusd_client(system, udev)
 
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
 allow udev_t sysctl_dev_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.18.1/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.1/domains/program/unused/updfstab.te	2004-11-03 17:45:15.686291916 -0500
@@ -28,7 +28,10 @@
 
 read_locale(updfstab_t)
 
-dbusd_client(system, updfstab_t)
+ifdef(`dbusd.te', `
+dbusd_client(system, updfstab)
+allow updfstab_t system_dbusd_t:dbus { send_msg };
+')
 
 # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
 # I will not allow it
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/uwimapd.te policy-1.18.1/domains/program/unused/uwimapd.te
--- nsapolicy/domains/program/unused/uwimapd.te	2004-07-12 09:47:00.000000000 -0400
+++ policy-1.18.1/domains/program/unused/uwimapd.te	2004-11-03 17:45:15.687291803 -0500
@@ -9,7 +9,6 @@
 tmp_domain(imapd)
 
 can_network(imapd_t)
-can_ypbind(imapd_t)
 
 #declare our own services
 allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.18.1/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.18.1/domains/program/unused/vpnc.te	2004-11-03 17:45:15.687291803 -0500
@@ -17,6 +17,8 @@
 # Use the network.
 can_network(vpnc_t)
 can_ypbind(vpnc_t)
+allow vpnc_t self:udp_socket connect;
+allow vpnc_t self:socket create_socket_perms;
 
 # Use capabilities.
 allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
@@ -28,3 +30,12 @@
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
 allow vpnc_t admin_tty_type:chr_file rw_file_perms;
+allow vpnc_t port_t:udp_socket { name_bind };
+allow vpnc_t etc_runtime_t:file { getattr read };
+allow vpnc_t proc_t:file { getattr read };
+dontaudit vpnc_t selinux_config_t:dir search;
+can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
+allow vpnc_t sysctl_net_t:dir { search };
+allow vpnc_t sbin_t:dir { search };
+allow vpnc_t bin_t:dir { search };
+allow vpnc_t bin_t:lnk_file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.18.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-11-01 11:04:36.000000000 -0500
+++ policy-1.18.1/domains/program/unused/xdm.te	2004-11-03 17:45:15.688291690 -0500
@@ -46,7 +46,7 @@
 allow xdm_t default_context_t:file { read getattr };
 
 can_network(xdm_t)
-can_ypbind(xdm_t)
+allow xdm_t self:udp_socket connect;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:fifo_file rw_file_perms;
@@ -277,7 +277,7 @@
 allow xdm_xserver_t user_home_type:dir search;
 allow xdm_xserver_t user_home_type:file { getattr read };
 
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
 ')
@@ -287,7 +287,7 @@
 }
 
 # for .dmrc
-allow xdm_t user_home_dir_type:dir search;
+allow xdm_t user_home_dir_type:dir { getattr search };
 allow xdm_t user_home_type:file { getattr read };
 
 allow xdm_t mnt_t:dir { getattr read search };
@@ -309,8 +309,6 @@
 ')
 
 allow xdm_t var_log_t:file { read };
-dontaudit xdm_t krb5_conf_t:file { write };
-allow xdm_t krb5_conf_t:file { getattr read };
 allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
 allow xdm_t self:process { setrlimit };
 allow xdm_t wtmp_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.18.1/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-10-14 23:25:19.000000000 -0400
+++ policy-1.18.1/domains/program/unused/ypbind.te	2004-11-03 17:45:15.689291577 -0500
@@ -12,8 +12,6 @@
 #
 daemon_domain(ypbind)
 
-bool allow_ypbind true;
-
 tmp_domain(ypbind)
 
 # Use capabilities.
@@ -22,6 +20,7 @@
 # Use the network.
 can_network(ypbind_t)
 allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
+allow ypbind_t self:{ tcp_socket udp_socket } connect;
 
 allow ypbind_t self:fifo_file rw_file_perms;
 
@@ -39,5 +38,5 @@
 allow ypbind_t etc_t:file { getattr read };
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:tcp_socket { name_bind };
-allow ypbind_t reserved_port_t:udp_socket { name_bind };
+allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } { name_bind };
+dontaudit ypbind_t reserved_port_type:{udp_socket tcp_socket} { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.18.1/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.1/domains/program/unused/ypserv.te	2004-11-03 17:45:15.689291577 -0500
@@ -40,3 +40,4 @@
 allow rpcd_t ypserv_conf_t:file { getattr read };
 ')
 allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
+dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.18.1/domains/program/useradd.te
--- nsapolicy/domains/program/useradd.te	2004-08-05 15:33:08.000000000 -0400
+++ policy-1.18.1/domains/program/useradd.te	2004-11-03 17:45:15.690291464 -0500
@@ -13,7 +13,7 @@
 # groupadd_t is for adding groups (can not create home dirs)
 #
 define(`user_group_add_program', `
-type $1_t, domain, privlog, auth_write, privowner;
+type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
 role sysadm_r types $1_t;
 role system_r types $1_t;
 
@@ -25,7 +25,7 @@
 domain_auto_trans(initrc_t, $1_exec_t, $1_t)
 
 # Use capabilities.
-allow $1_t self:capability { dac_override chown };
+allow $1_t self:capability { dac_override chown kill };
 
 # Allow access to context for shadow file
 can_getsecurity($1_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.18.1/domains/user.te
--- nsapolicy/domains/user.te	2004-10-27 14:32:48.000000000 -0400
+++ policy-1.18.1/domains/user.te	2004-11-03 17:45:15.690291464 -0500
@@ -8,13 +8,16 @@
 bool user_dmesg false;
 
 # Support NFS home directories
-bool nfs_home_dirs false;
+bool use_nfs_home_dirs false;
 
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users)  disabling this forces FTP passive mode
 # and may change other protocols 
 bool user_tcp_server false;
 
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 # Allow users to rw usb devices
 bool user_rw_usb false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/innd.fc policy-1.18.1/file_contexts/program/innd.fc
--- nsapolicy/file_contexts/program/innd.fc	2004-10-19 16:03:07.000000000 -0400
+++ policy-1.18.1/file_contexts/program/innd.fc	2004-11-03 17:45:15.691291351 -0500
@@ -27,7 +27,6 @@
 /usr/lib(64)?/news/bin/grephistory	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/inews	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/innconfval	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innd	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/inndf	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/inndstart	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/innfeed	--	system_u:object_r:innd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.18.1/file_contexts/program/mailman.fc
--- nsapolicy/file_contexts/program/mailman.fc	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.1/file_contexts/program/mailman.fc	2004-11-03 17:45:15.691291351 -0500
@@ -1,25 +1,24 @@
 # mailman list server
+/var/lib/mailman(/.*)?		   system_u:object_r:mailman_data_t
 /var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t
 /usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
 /usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
+/var/run/mailman(/.*)?		   system_u:object_r:mailman_lock_t
+/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
 
 ifdef(`distro_debian', `
 /usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
 /usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
 /usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
-/var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
-/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
 /etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t
 /etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t
 ')
 
 ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.*	-- system_u:object_r:mailman_cgi_exec_t
-/var/mailman(/.*)?		   system_u:object_r:mailman_data_t
-/var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
-/var/mailman/archives(/.*)?	   system_u:object_r:mailman_archive_t
+/usr/lib/mailman/cgi-bin/.*	 -- system_u:object_r:mailman_cgi_exec_t
+/var/lock/mailman(/.*)?		    system_u:object_r:mailman_lock_t
 /usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
-/usr/lib/mailman/bin/qrunner  	-- system_u:object_r:mailman_queue_exec_t
-/var/mailman/lists(/.*)?	system_u:object_r:mailman_data_t
-/var/mailman/logs(/.*)?		   system_u:object_r:mailman_log_t
+/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t
+/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t
+/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.18.1/file_contexts/program/ntpd.fc
--- nsapolicy/file_contexts/program/ntpd.fc	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.18.1/file_contexts/program/ntpd.fc	2004-11-03 17:45:15.692291238 -0500
@@ -3,7 +3,7 @@
 /etc/ntp(d)?\.conf		--	system_u:object_r:net_conf_t
 /etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
 /usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
-/usr/sbin/ntpdate		--	system_u:object_r:ntpd_exec_t
+/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t
 /var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
 /var/log/ntpd.*			--	system_u:object_r:ntpd_log_t
 /var/log/xntpd.*		--	system_u:object_r:ntpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/vpnc.fc policy-1.18.1/file_contexts/program/vpnc.fc
--- nsapolicy/file_contexts/program/vpnc.fc	2004-10-05 10:43:34.000000000 -0400
+++ policy-1.18.1/file_contexts/program/vpnc.fc	2004-11-03 17:45:15.692291238 -0500
@@ -1,2 +1,3 @@
 # vpnc
 /usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
+/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.18.1/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.18.1/file_contexts/types.fc	2004-11-03 17:45:15.693291125 -0500
@@ -339,7 +339,8 @@
 /usr/inclu.e(/.*)?		system_u:object_r:usr_t
 /usr/libexec(/.*)?		system_u:object_r:bin_t
 /usr/src(/.*)?			system_u:object_r:src_t
-/usr/tmp(/.*)?			system_u:object_r:tmp_t
+/usr/tmp		-d	system_u:object_r:tmp_t
+/usr/tmp/.*			<<none>>
 /usr/man(/.*)?			system_u:object_r:man_t
 /usr/share/man(/.*)?		system_u:object_r:man_t
 /usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.18.1/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.18.1/macros/admin_macros.te	2004-11-03 17:45:15.694291012 -0500
@@ -195,4 +195,5 @@
 
 # for lsof
 allow $1_t domain:socket_class_set getattr;
+allow $1_t eventpollfs_t:file getattr;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.18.1/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-01 11:04:37.000000000 -0500
+++ policy-1.18.1/macros/base_user_macros.te	2004-11-03 17:45:15.695290899 -0500
@@ -47,8 +47,10 @@
 
 # open office is looking for the following
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-# Do not flood message log, if the user does ls /dev 
+# Do not flood message log, if the user does ls -lR /
 dontaudit $1_t dev_fs:dir_file_class_set getattr;
+dontaudit $1_t sysadmfile:file getattr;
+dontaudit $1_t sysadmfile:dir read;
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
@@ -61,7 +63,7 @@
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
-if (nfs_home_dirs) {
+if (use_nfs_home_dirs) {
 create_dir_file($1_t, nfs_t)
 can_exec($1_t, nfs_t)
 allow $1_t nfs_t:{ sock_file fifo_file } create_file_perms;
@@ -193,11 +195,23 @@
 # Use the network.
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ tcp_socket udp_socket } connect;
+
+ifdef(`pamconsole.te', `
+allow $1_t pam_var_console_t:dir { search };
+')
+
+allow $1_t var_lock_t:dir { search };
 
 # Grant permissions to access the system DBus
 ifdef(`dbusd.te', `
-dbusd_client(system, $1_t)
-dbusd_client($1, $1_t)
+dbusd_client(system, $1)
+can_network($1_dbusd_t)
+allow user_dbusd_t reserved_port_t:tcp_socket { name_bind };
+
+allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+dbusd_client($1, $1)
+allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
 dbusd_domain($1)
 ifdef(`hald.te', `
 allow $1_t hald_t:dbus { send_msg };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.18.1/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-09-22 16:19:13.000000000 -0400
+++ policy-1.18.1/macros/core_macros.te	2004-11-03 17:45:15.696290786 -0500
@@ -132,22 +132,32 @@
 #
 # Permissions for using sockets.
 # 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
 # 
-define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`connected_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for creating, connecting and using sockets.
+# 
+define(`create_socket_perms', `{ connected_socket_perms connect }')
 
 #
 # Permissions for using stream sockets.
 # 
-define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+# 
+define(`connected_stream_socket_perms', `{ create rw_stream_socket_perms }')
 
 #
 # Permissions for creating and using stream sockets.
 # 
-define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`create_stream_socket_perms', `{ connect connected_stream_socket_perms }')
 
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.18.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.1/macros/global_macros.te	2004-11-03 17:45:15.697290673 -0500
@@ -118,64 +118,6 @@
 
 #################################
 #
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-#
-# Allow the domain to create and use UDP and TCP sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:udp_socket create_socket_perms;
-allow $1 self:tcp_socket create_stream_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_type:netif { tcp_send udp_send rawip_send };
-allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { tcp_send udp_send rawip_send };
-allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-
-#
-# Bind to the default port type.
-# Other port types must be separately authorized.
-#
-#allow $1 port_t:udp_socket name_bind;
-#allow $1 port_t:tcp_socket name_bind;
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type: { tcp_socket udp_socket } node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
 # can_sysctl(domain)
 #
 # Permissions for modifying sysctl parameters.
@@ -269,8 +211,9 @@
 # Author:  Russell Coker <russell@coker.com.au>
 #
 define(`daemon_core_rules', `
-type $1_t, domain, privlog $2;
+type $1_t, domain, privlog, daemon $2;
 type $1_exec_t, file_type, sysadmfile, exec_type;
+dontaudit $1_t self:capability sys_tty_config;
 
 role system_r types $1_t;
 
@@ -416,7 +359,7 @@
 define(`daemon_sub_domain', `
 # $1 is the parent domain (or domains), $2_t is the child domain,
 # and $3 is any attributes to apply to the child
-type $2_t, domain, privlog $3;
+type $2_t, domain, privlog, daemon $3;
 type $2_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types $2_t;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.18.1/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.18.1/macros/network_macros.te	2004-11-03 17:45:15.697290673 -0500
@@ -0,0 +1,100 @@
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`base_can_network',`
+#
+# Allow the domain to create and use $2 sockets.
+# Other kinds of sockets must be separately authorized for use.
+allow $1 self:$2_socket connected_socket_perms;
+
+#
+# Allow the domain to send or receive using any network interface.
+# netif_type is a type attribute for all network interface types.
+#
+allow $1 netif_type:netif { $2_send rawip_send };
+allow $1 netif_type:netif { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any node.
+# node_type is a type attribute for all node types.
+#
+allow $1 node_type:node { $2_send rawip_send };
+allow $1 node_type:node { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any port.
+# port_type is a type attribute for all port types.
+#
+ifelse($3, `', `
+allow $1 port_type:{ $2_socket } { send_msg recv_msg };
+', `
+allow $1 $3:{ $2_socket } { send_msg recv_msg };
+')
+
+# XXX Allow binding to any node type.  Remove once
+# individual rules have been added to all domains that 
+# bind sockets. 
+allow $1 node_type: { $2_socket } node_bind;
+#
+# Allow access to network files including /etc/resolv.conf
+#
+allow $1 net_conf_t:file r_file_perms;
+')dnl end can_network definition
+
+#################################
+#
+# can_tcp_network(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_tcp_network',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { listen accept };
+')
+
+#################################
+#
+# can_udp_network(domain)
+#
+# Permissions for accessing a udp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_udp_network',`
+base_can_network($1, udp, `$2')
+')
+
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network',`
+
+can_tcp_network($1)
+can_udp_network($1)
+
+#
+# Allow the domain to send NFS client requests via the socket
+# created by mount.
+#
+allow $1 mount_t:udp_socket rw_socket_perms;
+
+')dnl end can_network definition
+
+define(`can_kerberos',`
+can_tcp_network($1)
+allow $1 self:tcp_socket connect;
+dontaudit $1 krb5_conf_t:file { write };
+allow $1 krb5_conf_t:file { getattr read };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.18.1/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.18.1/macros/program/chkpwd_macros.te	2004-11-03 17:45:15.698290560 -0500
@@ -28,6 +28,8 @@
 dontaudit auth_chkpwd shadow_t:file { getattr read };
 allow auth_chkpwd sbin_t:dir search;
 dontaudit $1_chkpwd_t tty_device_t:chr_file rw_file_perms;
+can_ypbind(auth_chkpwd)
+can_kerberos(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crond_macros.te policy-1.18.1/macros/program/crond_macros.te
--- nsapolicy/macros/program/crond_macros.te	2004-09-02 14:45:47.000000000 -0400
+++ policy-1.18.1/macros/program/crond_macros.te	2004-11-03 17:45:15.699290447 -0500
@@ -20,7 +20,7 @@
 define(`crond_domain',`
 # Derived domain for user cron jobs, user user_crond_domain if not system
 ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail;
+type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
 ', `
 type $1_crond_t, domain, user_crond_domain;
 
@@ -68,6 +68,7 @@
 # This domain is granted permissions common to most domains.
 can_network($1_crond_t)
 can_ypbind($1_crond_t)
+allow $1_crond_t self:{ tcp_socket udp_socket } connect;
 r_dir_file($1_crond_t, self)
 allow $1_crond_t self:fifo_file rw_file_perms;
 allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.18.1/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2004-10-07 08:02:02.000000000 -0400
+++ policy-1.18.1/macros/program/dbusd_macros.te	2004-11-03 17:45:15.699290447 -0500
@@ -16,16 +16,13 @@
 typealias system_dbusd_var_run_t alias dbusd_var_run_t;
 type etc_dbusd_t, file_type, sysadmfile;
 ',`
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_dbusd_t;
-', `
 type $1_dbusd_t, domain, privlog, userspace_objmgr;
 role $1_r types $1_dbusd_t;
 domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t)
 read_locale($1_dbusd_t)
 allow $1_t $1_dbusd_t:process { sigkill signal };
+allow $1_dbusd_t self:process { sigkill signal };
 dontaudit $1_dbusd_t var_t:dir { getattr search };
-')dnl end ifdef single_userdomain
 ')dnl end ifelse system
 
 base_file_read_access($1_dbusd_t)
@@ -50,26 +47,44 @@
 r_dir_file($1_dbusd_t, pam_var_console_t)
 ')
 
+allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+
 ')dnl end dbusd_domain definition
 
-# dbusd_client(dbus_type, domain)
-# Example: dbusd_client_domain(system, user_t)
+# dbusd_client(dbus_type, domain_prefix)
+# Example: dbusd_client_domain(system, user)
 #
-# Grant permissions for connecting to the specified DBus type
-# from domain.
+# Define a new derived domain for connecting to dbus_type
+# from domain_prefix_t. 
 define(`dbusd_client',`')
 ifdef(`dbusd.te',`
 undefine(`dbusd_client')
 define(`dbusd_client',`
+
+# Derived type used for connection
+type $2_dbusd_$1_t;
+type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
+
 # For connecting to the bus
-allow $2 $1_dbusd_t:unix_stream_socket { connectto };
+allow $2_t $1_dbusd_t:unix_stream_socket { connectto };
 ifelse(`system', `$1', `
-allow { $2 } { var_run_t system_dbusd_var_run_t }:dir search;
-allow { $2 } system_dbusd_var_run_t:sock_file { write };
+allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
+allow { $2_t } system_dbusd_var_run_t:sock_file { write };
 ',`
 ') dnl endif system
 # SE-DBus specific permissions
-allow $2 { $1_dbusd_t self }:dbus { send_msg };
-allow $2 $1_dbusd_t:dbus { acquire_svc };
+allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus { send_msg };
+') dnl endif dbusd.te
+')
+
+# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
+# Example: can_dbusd_converse(system, hald, updfstab)
+# Example: can_dbusd_converse(session, user, user)
+define(`can_dbusd_converse',`')
+ifdef(`dbusd.te',`
+undefine(`can_dbusd_converse')
+define(`can_dbusd_converse',`
+allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
+allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
 ') dnl endif dbusd.te
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.18.1/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2004-07-12 12:15:23.000000000 -0400
+++ policy-1.18.1/macros/program/games_domain.te	2004-11-03 17:45:15.700290334 -0500
@@ -10,10 +10,6 @@
 #
 #
 define(`games_domain', `
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_games_t;
-typealias $1_home_t alias { $1_games_rw_t $1_games_ro_t };
-', `
 x_client_domain($1, `games')
 allow $1_games_t var_t:dir { search getattr };
 rw_dir_create_file($1_games_t, games_data_t)
@@ -50,6 +46,5 @@
 allow $1_games_t event_device_t:chr_file { getattr };
 allow $1_games_t mouse_device_t:chr_file { getattr };
 allow $1_games_t self:file { getattr read };
-')dnl end if single_userdomain
 ')dnl end macro definition
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.18.1/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te	2004-09-20 15:41:01.000000000 -0400
+++ policy-1.18.1/macros/program/gpg_agent_macros.te	2004-11-03 17:45:15.700290334 -0500
@@ -48,11 +48,11 @@
 # read ~/.gnupg
 allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
 r_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_gpg_agent_t, nfs_t)
 # write ~/.xsession-errors
 allow $1_gpg_agent_t nfs_t:file write;
-')
+}
 
 allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
@@ -107,12 +107,12 @@
 # wants to put some lock files into the user home dir, seems to work fine without
 dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
 dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
 allow $1_gpg_pinentry_t nfs_t:file { getattr read };
 dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
 dontaudit $1_gpg_pinentry_t nfs_t:file write;
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # read /etc/X11/qtrc
 allow $1_gpg_pinentry_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.18.1/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2004-08-27 09:30:30.000000000 -0400
+++ policy-1.18.1/macros/program/gpg_macros.te	2004-11-03 17:45:15.701290221 -0500
@@ -18,15 +18,8 @@
 #
 define(`gpg_domain', `
 # Derived domain based on the calling user domain and the program.
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_gpg_t;
-typealias $1_home_t alias $1_gpg_secret_t;
-# if we have a single user domain then gpg needs SETUID access...
-allow $1_t self:capability { setuid };
-', `
 type $1_gpg_t, domain, privlog;
 type $1_gpg_secret_t, file_type, homedirfile, sysadmfile;
-')dnl end ifdef single_userdomain
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
@@ -83,9 +76,9 @@
 # allow the usual access to /tmp
 file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 create_dir_file($1_gpg_t, nfs_t)
-')dnl end if nfs_home_dirs
+}dnl end if use_nfs_home_dirs
 
 allow $1_gpg_t self:capability { ipc_lock setuid };
 allow $1_gpg_t devtty_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gph_macros.te policy-1.18.1/macros/program/gph_macros.te
--- nsapolicy/macros/program/gph_macros.te	2004-03-17 13:26:06.000000000 -0500
+++ policy-1.18.1/macros/program/gph_macros.te	2004-11-03 17:45:15.702290108 -0500
@@ -25,7 +25,7 @@
 undefine(`gph_domain')
 define(`gph_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_gph_t, domain, gphdomain;
+type $1_gph_t, domain, gphdomain, nscd_client_domain;
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.18.1/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.18.1/macros/program/inetd_macros.te	2004-11-03 17:45:15.702290108 -0500
@@ -8,7 +8,7 @@
 # programs.
 #
 define(`inetd_child_domain', `
-type $1_t, domain, privlog;
+type $1_t, domain, privlog, nscd_client_domain;
 role system_r types $1_t;
 
 domain_auto_trans(inetd_t, $1_exec_t, $1_t)
@@ -43,8 +43,7 @@
 allow $1_t home_root_t:dir { search };
 allow $1_t self:dir { search };
 allow $1_t self:file { getattr read };
-allow $1_t krb5_conf_t:file r_file_perms;
-dontaudit $1_t krb5_conf_t:file write;
+can_kerberos($1_t)
 allow $1_t urandom_device_t:chr_file { getattr read };
 type $1_port_t, port_type, reserved_port_type;
 # Use sockets inherited from inetd.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.18.1/macros/program/irc_macros.te
--- nsapolicy/macros/program/irc_macros.te	2004-03-23 15:58:10.000000000 -0500
+++ policy-1.18.1/macros/program/irc_macros.te	2004-11-03 17:45:15.703289995 -0500
@@ -18,10 +18,6 @@
 undefine(`irc_domain')
 ifdef(`irc.te', `
 define(`irc_domain',`
-ifdef(`single_userdomain', `
-typealias $1_home_t alias { $1_home_irc_t $1_irc_exec_t };
-typealias $1_t alias $1_irc_t;
-', `
 # Derived domain based on the calling user domain and the program.
 type $1_irc_t, domain;
 type $1_home_irc_t, file_type, homedirfile, sysadmfile;
@@ -85,7 +81,6 @@
 
 # access files under /tmp
 file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)
-')dnl end if single_userdomain
 
 ifdef(`ircd.te', `
 can_tcp_connect($1_irc_t, ircd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.18.1/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2004-07-26 16:16:11.000000000 -0400
+++ policy-1.18.1/macros/program/lpr_macros.te	2004-11-03 17:45:15.703289995 -0500
@@ -18,9 +18,6 @@
 undefine(`lpr_domain')
 define(`lpr_domain',`
 # Derived domain based on the calling user domain and the program
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_lpr_t;
-', `
 type $1_lpr_t, domain, privlog;
 
 # Transition from the user domain to the derived domain.
@@ -80,9 +77,9 @@
 allow $1_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;  
 allow $1_lpr_t $1_home_t:{ file lnk_file } r_file_perms;  
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_lpr_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # Read and write shared files in the spool directory.
 allow $1_lpr_t print_spool_t:file rw_file_perms;
@@ -123,6 +120,5 @@
 can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
 ')dnl end ifdef cups.te
 
-')dnl end if single_userdomain
 ')dnl end macro definition
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.18.1/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.18.1/macros/program/mount_macros.te	2004-11-03 17:45:15.704289882 -0500
@@ -67,9 +67,11 @@
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
 
 ifdef(`distro_redhat',`
+ifdef(`pamconsole.te',`
 r_dir_file($2_t,pam_var_console_t)
 # mount config by default sets fscontext=removable_t
 allow $2_t dosfs_t:filesystem { relabelfrom };
+') dnl end pamconsole.te
 ') dnl end distro_redhat
 ') dnl end mount_domain
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.18.1/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.18.1/macros/program/mozilla_macros.te	2004-11-03 17:45:15.705289769 -0500
@@ -16,11 +16,8 @@
 # provided separately in domains/program/mozilla.te. 
 #
 define(`mozilla_domain',`
-ifdef(`single_userdomain', `
-typealias $1_home_t alias { $1_home_mozilla_rw_t $1_home_mozilla_ro_t };
-typealias $1_t alias $1_mozilla_t;
-', `
 x_client_domain($1, mozilla, `, web_client_domain, privlog')
+allow $1_mozilla_t self:{ tcp_socket udp_socket } { connect };
 
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
 
@@ -40,9 +37,9 @@
 allow $1_t $1_mozilla_rw_t:sock_file create_file_perms;
 can_unix_connect($1_t, $1_mozilla_t)
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 create_dir_file($1_mozilla_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 ifdef(`automount.te', `
 allow $1_mozilla_t autofs_t:dir { search getattr };
 ')dnl end if automount
@@ -116,6 +113,7 @@
 # Eliminate errors from scanning with the 
 #
 dontaudit $1_mozilla_t file_type:dir getattr;
+allow $1_mozilla_t self:sem create_sem_perms;
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
@@ -123,6 +121,5 @@
 allow $1_mozilla_t xdm_tmp_t:file { getattr read };
 allow $1_mozilla_t xdm_tmp_t:sock_file { write };
 ')dnl end if xdm.te
-')dnl end ifdef single_userdomain
 ')dnl end mozilla macro
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.18.1/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2004-07-26 16:16:11.000000000 -0400
+++ policy-1.18.1/macros/program/mta_macros.te	2004-11-03 17:45:15.705289769 -0500
@@ -37,6 +37,7 @@
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
+allow $1_mail_t self:{ tcp_socket udp_socket } connect;
 
 read_locale($1_mail_t)
 read_sysctl($1_mail_t)
@@ -96,9 +97,9 @@
 # Create dead.letter in user home directories.
 file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 rw_dir_create_file($1_mail_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # if you do not want to allow dead.letter then use the following instead
 #allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/newrole_macros.te policy-1.18.1/macros/program/newrole_macros.te
--- nsapolicy/macros/program/newrole_macros.te	2004-11-01 11:04:37.000000000 -0500
+++ policy-1.18.1/macros/program/newrole_macros.te	2004-11-03 17:45:15.706289656 -0500
@@ -34,9 +34,6 @@
 allow $1_t bin_t:lnk_file read;
 allow $1_t shell_exec_t:file r_file_perms;
 
-can_ypbind($1_t)
-dontaudit $1_t krb5_conf_t:file { write };
-allow $1_t krb5_conf_t:file { getattr read };
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 # Allow $1_t to transition to user domains.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.18.1/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2004-11-01 11:04:37.000000000 -0500
+++ policy-1.18.1/macros/program/screen_macros.te	2004-11-03 17:45:15.706289656 -0500
@@ -21,10 +21,6 @@
 ifdef(`screen.te', `
 define(`screen_domain',`
 # Derived domain based on the calling user domain and the program.
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_screen_t;
-typealias $1_home_t alias $1_home_screen_t;
-', `
 type $1_screen_t, domain, privlog, privfd;
 type $1_home_screen_t, file_type, homedirfile, sysadmfile;
 
@@ -54,9 +50,9 @@
 allow $1_screen_t $1_home_screen_t:{ file lnk_file } r_file_perms;
 allow $1_t $1_home_screen_t:file { create_file_perms relabelfrom relabelto };
 allow $1_t $1_home_screen_t:lnk_file { create_lnk_perms relabelfrom relabelto };
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 r_dir_file($1_screen_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 allow $1_screen_t privfd:fd use;
 
@@ -109,7 +105,6 @@
 read_locale($1_screen_t)
 
 dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
-')
 ')dnl end screen_domain
 
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.18.1/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2004-10-07 08:02:03.000000000 -0400
+++ policy-1.18.1/macros/program/ssh_agent_macros.te	2004-11-03 17:45:15.707289543 -0500
@@ -37,12 +37,12 @@
 can_ps($1_t, $1_ssh_agent_t)
 
 can_ypbind($1_ssh_agent_t)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_ssh_agent_t autofs_t:dir { search getattr };
 ')
 rw_dir_create_file($1_ssh_agent_t, nfs_t)
-')dnl end nfs_home_dirs
+} dnl end use_nfs_home_dirs
 
 uses_shlib($1_ssh_agent_t)
 read_locale($1_ssh_agent_t)
@@ -70,9 +70,9 @@
 
 # transition back to normal privs upon exec
 domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
-')
+}
 allow $1_ssh_agent_t bin_t:dir search;
 
 # allow reading of /usr/bin/X11 (is a symlink)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.18.1/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-10-14 23:25:20.000000000 -0400
+++ policy-1.18.1/macros/program/ssh_macros.te	2004-11-03 17:45:15.708289430 -0500
@@ -20,20 +20,16 @@
 undefine(`ssh_domain')
 ifdef(`ssh.te', `
 define(`ssh_domain',`
-ifdef(`single_userdomain', `
-typealias $1_home_t alias $1_home_ssh_t;
-typealias $1_t alias $1_ssh_t;
-', `
 # Derived domain based on the calling user domain and the program.
-type $1_ssh_t, domain, privlog;
+type $1_ssh_t, domain, privlog, nscd_client_domain;
 type $1_home_ssh_t, file_type, homedirfile, sysadmfile;
 
 ifdef(`automount.te', `
 allow $1_ssh_t autofs_t:dir { search getattr };
 ')
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 create_dir_file($1_ssh_t, nfs_t)
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
@@ -88,6 +84,7 @@
 # to access the network.
 can_network($1_ssh_t)
 can_ypbind($1_ssh_t)
+allow $1_ssh_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities.
 allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
@@ -161,10 +158,8 @@
 allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
 allow $1_ssh_t xdm_xserver_t:fd use;
 allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-allow $1_ssh_t krb5_conf_t:file { getattr read };
-dontaudit $1_ssh_t krb5_conf_t:file { write };
+can_kerberos($1_ssh_t)
 ')dnl end if xdm.te
-')dnl end if single_userdomain
 ')dnl end macro definition
 
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sudo_macros.te policy-1.18.1/macros/program/sudo_macros.te
--- nsapolicy/macros/program/sudo_macros.te	2004-11-01 11:04:37.000000000 -0500
+++ policy-1.18.1/macros/program/sudo_macros.te	2004-11-03 17:45:15.708289430 -0500
@@ -31,4 +31,5 @@
 rw_dir_create_file($1_sudo_t, $1_tmp_t)
 rw_dir_create_file($1_sudo_t, $1_home_t)
 domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
+r_dir_file($1_sudo_t, selinux_config_t)
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.18.1/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2004-10-26 10:58:57.000000000 -0400
+++ policy-1.18.1/macros/program/su_macros.te	2004-11-03 17:45:15.709289317 -0500
@@ -87,8 +87,7 @@
 # Write to utmp.
 allow $1_su_t { var_t var_run_t }:dir search;
 allow $1_su_t initrc_var_run_t:file rw_file_perms;
-dontaudit $1_su_t krb5_conf_t:file { write };
-allow $1_su_t krb5_conf_t:file { getattr read };
+can_kerberos($1_su_t)
 ') dnl end su_restricted_domain
 
 define(`su_mini_domain', `
@@ -137,24 +136,17 @@
 ifdef(`automount.te', `
 allow $1_su_t autofs_t:dir { search getattr };
 ')
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 allow $1_su_t nfs_t:dir search;
-')dnl end if nfs_home_dirs
+} dnl end if use_nfs_home_dirs
 
 # Modify .Xauthority file (via xauth program).
-ifdef(`single_userdomain', `
-file_type_auto_trans($1_su_t, $1_home_dir_t, $1_home_t, file)
-ifdef(`nfs_home_dirs', `
-rw_dir_create_file($1_su_t, nfs_t)
-')
-', `
 ifdef(`xauth.te', `
 file_type_auto_trans($1_su_t, staff_home_dir_t, staff_home_xauth_t, file)
 file_type_auto_trans($1_su_t, user_home_dir_t, user_home_xauth_t, file)
 file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_home_xauth_t, file)
 domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
 ')
-')dnl end if single userdomain
 
 ifdef(`cyrus.te', `
 allow $1_su_t cyrus_var_lib_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.18.1/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2004-10-05 14:52:36.000000000 -0400
+++ policy-1.18.1/macros/program/tvtime_macros.te	2004-11-03 17:45:15.709289317 -0500
@@ -33,7 +33,9 @@
 allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
 allow $1_tvtime_t self:process { setsched };
 allow $1_tvtime_t usr_t:file { getattr read };
+ifdef(`xdm.te', `
 allow $1_tvtime_t xdm_tmp_t:dir { search };
+')
 
 ')dnl end tvtime_domain
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.18.1/macros/program/uml_macros.te
--- nsapolicy/macros/program/uml_macros.te	2004-07-12 12:15:23.000000000 -0400
+++ policy-1.18.1/macros/program/uml_macros.te	2004-11-03 17:45:15.710289204 -0500
@@ -19,10 +19,6 @@
 ifdef(`uml.te', `
 define(`uml_domain',`
 
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_uml_t;
-typealias $1_home_t alias { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t };
-', `
 # Derived domain based on the calling user domain and the program.
 type $1_uml_t, domain;
 type $1_uml_exec_t, file_type, sysadmfile;
@@ -140,7 +136,6 @@
 
 # putting uml data under /var is usual...
 allow $1_uml_t var_t:dir search;
-')dnl end if single_userdomain
 ')dnl end macro definition
 
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.18.1/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.1/macros/program/userhelper_macros.te	2004-11-03 17:45:15.711289091 -0500
@@ -14,10 +14,7 @@
 # provided separately in domains/program/userhelper.te. 
 #
 define(`userhelper_domain',`
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_userhelper_t;
-', `
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
 
 in_user_role($1_userhelper_t)
 role sysadm_r types $1_userhelper_t;
@@ -126,7 +123,6 @@
 ')
 allow $1_userhelper_t sysctl_t:dir { search };
 role system_r types $1_userhelper_t;
-allow $1_userhelper_t krb5_conf_t:file { getattr read };
 r_dir_file($1_userhelper_t, nfs_t)
 
 ifdef(`xdm.te', `
@@ -142,7 +138,9 @@
 domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
 ')
+
+ifdef(`pamconsole.te', `
 allow $1_userhelper_t pam_var_console_t:dir { search };
+')
 
-')dnl end ifdef single_userdomain
 ')dnl end userhelper macro
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.18.1/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2004-06-16 13:33:38.000000000 -0400
+++ policy-1.18.1/macros/program/xauth_macros.te	2004-11-03 17:45:15.711289091 -0500
@@ -18,10 +18,6 @@
 undefine(`xauth_domain')
 ifdef(`xauth.te', `
 define(`xauth_domain',`
-ifdef(`single_userdomain', `
-typealias $1_home_t alias $1_home_xauth_t;
-typealias $1_t alias $1_xauth_t;
-', `
 # Derived domain based on the calling user domain and the program.
 type $1_xauth_t, domain;
 type $1_home_xauth_t, file_type, homedirfile, sysadmfile;
@@ -87,13 +83,12 @@
 tmp_domain($1_xauth)
 allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
 
-ifdef(`nfs_home_dirs', `
+if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_xauth_t autofs_t:dir { search getattr };
 ')
 rw_dir_create_file($1_xauth_t, nfs_t)
-')dnl end nfs_home_dirs
-')dnl end ifdef single_userdomain
+} dnl end use_nfs_home_dirs
 ')dnl end xauth_domain macro
 
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.18.1/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.18.1/macros/program/x_client_macros.te	2004-11-03 17:45:15.712288978 -0500
@@ -23,17 +23,11 @@
 #
 define(`x_client_domain',`
 # Derived domain based on the calling user domain and the program.
-ifdef(`single_userdomain', `
-typealias $1_t alias $1_$2_t;
-typealias $1_home_t alias $1_$2_rw_t;
-typealias $1_home_t alias $1_$2_ro_t;
-', `
 type $1_$2_t, domain $3;
 # Type for files that are writeable by this domain.
 type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile;
 # Type for files that are read-only for this domain
 type $1_$2_ro_t, file_type, homedirfile, sysadmfile;
-')
 
 # Transition from the user domain to the derived domain.
 ifelse($2, games, `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.18.1/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.1/macros/program/xserver_macros.te	2004-11-03 17:45:15.713288865 -0500
@@ -25,14 +25,15 @@
 define(`xserver_domain',`
 # Derived domain based on the calling user domain and the program.
 ifdef(`distro_redhat', `
-type $1_xserver_t, domain, privlog, privmem, privmodule;
+type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
 allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
+ifdef(`rpm.te', `
 allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
 allow $1_xserver_t rpm_tmpfs_t:file { read write };
 allow $1_xserver_t rpm_t:fd { use };
-
+')
 ', `
-type $1_xserver_t, domain, privlog, privmem;
+type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
 ')
 
 # for SSP
@@ -51,6 +52,7 @@
 uses_shlib($1_xserver_t)
 can_network($1_xserver_t)
 can_ypbind($1_xserver_t)
+allow $1_xserver_t self:udp_socket connect;
 allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
 
 # for access within the domain
@@ -148,6 +150,7 @@
 allow xdm_xserver_t xdm_t:process signal;
 allow xdm_xserver_t xdm_t:shm rw_shm_perms;
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
 ')
 ', `
 allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.18.1/macros/program/ypbind_macros.te
--- nsapolicy/macros/program/ypbind_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.1/macros/program/ypbind_macros.te	2004-11-03 17:45:15.713288865 -0500
@@ -4,12 +4,16 @@
 can_network($1)
 r_dir_file($1,var_yp_t)
 allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+allow $1 self:{ tcp_socket udp_socket } connect;
+dontaudit $1 self:capability net_bind_service;
 ')
 
 define(`can_ypbind', `
 ifdef(`ypbind.te', `
 if (allow_ypbind) {
 uncond_can_ypbind($1)
+} else {
+dontaudit $1 var_yp_t:dir { search };
 }
 ') dnl ypbind.te
 ') dnl can_ypbind
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.18.1/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.18.1/macros/user_macros.te	2004-11-03 17:45:15.714288752 -0500
@@ -16,11 +16,6 @@
 undefine(`user_domain')
 define(`user_domain', `
 # Use capabilities
-ifdef(`single_userdomain', `
-# if we have a single user domain then gpg needs SETUID access.  Also lots of
-# other things will have similar issues.
-allow $1_t self:capability setuid;
-')dnl end single_userdomain
 
 # Type for home directory.
 type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
@@ -62,7 +57,7 @@
 ifdef(`apache.te', `apache_domain($1)')
 ifdef(`slocate.te', `locate_domain($1)')
 
-allow $1_t krb5_conf_t:file { getattr read };
+can_kerberos($1_t)
 # allow port_t name binding for UDP because it is not very usable otherwise
 allow $1_t port_t:udp_socket name_bind;
 
@@ -103,16 +98,12 @@
 dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file {getattr read};
 
 ifdef(`xdm.te', `
-ifdef(`single_userdomain', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_home_t, file)
-', `
 allow xdm_t $1_home_t:lnk_file read;
 allow xdm_t $1_home_t:dir search;
 #
 # Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
 # 
 dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end else single_userdomain
 ')dnl end ifdef xdm.te
 
 ifdef(`ftpd.te', `
@@ -151,11 +142,6 @@
 # Stat lost+found.
 allow $1_t lost_found_t:dir getattr;
 
-# Read the /tmp directory and any /tmp files with the base type.
-# Temporary files created at runtime will typically use derived types.
-allow $1_t tmp_t:dir r_dir_perms;
-allow $1_t tmp_t:{ file lnk_file } r_file_perms;
-
 # Read /var, /var/spool, /var/run.
 allow $1_t var_t:dir r_dir_perms;
 allow $1_t var_t:notdevfile_class_set r_file_perms;
@@ -233,9 +219,11 @@
 allow $1_mount_t iso9660_t:filesystem { relabelfrom };
 allow $1_mount_t removable_t:filesystem { mount relabelto };
 allow $1_mount_t removable_t:dir { mounton };
+ifdef(`xdm.te', `
 allow $1_mount_t xdm_t:fd { use };
 allow $1_mount_t xdm_t:fifo_file { write };
 ')
+')
 
 #
 # Rules used to associate a homedir as a mountpoint
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.18.1/net_contexts
--- nsapolicy/net_contexts	2004-10-19 16:03:01.000000000 -0400
+++ policy-1.18.1/net_contexts	2004-11-03 17:45:15.715288639 -0500
@@ -143,12 +143,12 @@
 ')
 ifdef(`asterisk.te', `
 portcon tcp 1720 system_u:object_r:asterisk_port_t
-portcon tcp 2000 system_u:object_r:asterisk_port_t
 portcon udp 2427 system_u:object_r:asterisk_port_t
 portcon udp 2727 system_u:object_r:asterisk_port_t
 portcon udp 4569 system_u:object_r:asterisk_port_t
 portcon udp 5060 system_u:object_r:asterisk_port_t
 ')
+portcon tcp 2000 system_u:object_r:mail_port_t
 ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
 ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
 ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.18.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.18.1/targeted/domains/unconfined.te	2004-11-03 17:45:15.715288639 -0500
@@ -40,5 +40,9 @@
 allow unlabeled_t self:filesystem { associate };
 
 # Support NFS home directories
-bool nfs_home_dirs false;
+bool use_nfs_home_dirs false;
+
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.18.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.18.1/tunables/distro.tun	2004-11-03 17:45:15.716288526 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.18.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.18.1/tunables/tunable.tun	2004-11-03 17:45:15.716288526 -0500
@@ -1,33 +1,27 @@
-# Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-dnl define(`user_net_control')
-
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.18.1/types/file.te
--- nsapolicy/types/file.te	2004-10-19 16:03:09.000000000 -0400
+++ policy-1.18.1/types/file.te	2004-11-03 17:45:15.717288414 -0500
@@ -302,3 +302,4 @@
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
 allow removable_t self:filesystem associate;
+allow file_type removable_t:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.18.1/types/network.te
--- nsapolicy/types/network.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.1/types/network.te	2004-11-03 17:45:15.717288414 -0500
@@ -59,6 +59,11 @@
 #
 
 #
+# mail_port_t is for generic mail ports shared by different mail servers
+#
+type mail_port_t, port_type;
+
+#
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
 # numbers in net_contexts or net_contexts.mls.

Re: Patch to make can_network stronger and remove nscd tunable.

[Thomas Bleher]

[-- Attachment #1: Type: multipart/signed, Size: 0 bytes --]

Re: Patch to make can_network stronger and remove nscd tunable.

[Stephen Smalley]

On Fri, 2004-11-05 at 08:10, Thomas Bleher wrote:
> One additional request, for the NSA team:
> Is it possible to accelerate the rate at which patches are merged?
> Right now splitting patches is tedious work because there is such a long
> period between the time a patch is submitted and the time it is merged
> (sometimes up to four weeks!). If patches were merged within one week of
> posting them (assuming there are no problems and objections), submitters
> would be encouraged to send smaller patches more often which would make
> review much easier.
> I would be very grateful if something could be done about this. Right
> now the changes I have in my local policy amount to at least ten
> patches, but I'm very reluctant to send them because there are still
> some patches pending and merging is work enough as it is.
> If patch merging could be sped up and some notification sent if a patch 
> was rejected, that would really rock!

Alternative proposal:  create a separate upstream policy tree used by
the major external contributors, and we'll follow along more slowly as
we have time to review and merge, e.g. see the earlier discussion
started by Joshua Brindle on upstream policy handling.  From our
perspective, the example policy has always only been an example, and we
don't want to be in the business of maintaining it forever.
 
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[James Carter]

On Fri, 2004-11-05 at 08:10, Thomas Bleher wrote:
> * Daniel J Walsh <dwalsh@redhat.com> [2004-11-04 16:23]:
> > Another pass at the patch.
> > 
> > Sorry about having them all together,  tried to break it apart but it 
> > would take forever.
> 
> Well, it's not _that_ bad.
> I split your patch into three pieces (attached), it was less than an
> hour of work.
> 
> * The first patch contains the nfs_home_dir cleanup and the
>   single_userdomain removal.
> 
Merged.

> * The second patch adds the daemon attribute and contains the dbus and
>   nscd related changes.
> 
Merged.

> * The third patch contains the rest.
I need to review.

> I believe the first two patches can be merged into CVS while the third
> needs more review.
> I strongly agree with Russell that we should do the can_network()
> changes the right way and not hurry anything.
> The kerberos stuff needs more changes; most people do not need kerberos,
> for them the kerberos stuff should be completely transparent.
> I hope to send a separate patch for this soon.
> 
> There are some more issues, eg:
> why does logrotate have can_exec() rights on acct_data_t? With this
> change acct_t has complete control over logrotate_t.
> I think you should annotate each change to explain why the change was
> needed.
> 
> One additional request, for the NSA team:
> Is it possible to accelerate the rate at which patches are merged?
> Right now splitting patches is tedious work because there is such a long
> period between the time a patch is submitted and the time it is merged
> (sometimes up to four weeks!). If patches were merged within one week of
> posting them (assuming there are no problems and objections), submitters
> would be encouraged to send smaller patches more often which would make
> review much easier.
> I would be very grateful if something could be done about this. Right
> now the changes I have in my local policy amount to at least ten
> patches, but I'm very reluctant to send them because there are still
> some patches pending and merging is work enough as it is.
> If patch merging could be sped up and some notification sent if a patch 
> was rejected, that would really rock!
> 
I am sorry I have taken a while to merge some patches.  If you think it
is taking too long, feel free to send me an email.
 
I will make sure that I send some sort of notification if a patch is
rejected.

Note to all:
I do try to review each patch, so smaller, easier to understand, well
explained patches are more likely to be merged faster.

> Thanks,
> Thomas
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to make can_network stronger and remove nscd tunable.

[Thomas Bleher]

* James Carter <jwcart2@epoch.ncsc.mil> [2004-11-05 22:22]:
> On Fri, 2004-11-05 at 08:10, Thomas Bleher wrote:
> > One additional request, for the NSA team:
> > Is it possible to accelerate the rate at which patches are merged?
> > Right now splitting patches is tedious work because there is such a long
> > period between the time a patch is submitted and the time it is merged
> > (sometimes up to four weeks!). If patches were merged within one week of
> > posting them (assuming there are no problems and objections), submitters
> > would be encouraged to send smaller patches more often which would make
> > review much easier.
> > I would be very grateful if something could be done about this. Right
> > now the changes I have in my local policy amount to at least ten
> > patches, but I'm very reluctant to send them because there are still
> > some patches pending and merging is work enough as it is.
> > If patch merging could be sped up and some notification sent if a patch 
> > was rejected, that would really rock!
> > 
> I am sorry I have taken a while to merge some patches.  If you think it
> is taking too long, feel free to send me an email.
>  
> I will make sure that I send some sort of notification if a patch is
> rejected.
> 
> Note to all:
> I do try to review each patch, so smaller, easier to understand, well
> explained patches are more likely to be merged faster.

Thanks for merging the patches. Let me add that your work is really
appreciated. I think it is very good that you review patches (even if it
takes some time), having someone looking over all patches makes sure
that the quality of the policy stays as high as it is.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.