From: Daniel J Walsh <dwalsh@redhat.com>
To: jwcart2@epoch.ncsc.mil
Cc: Russell Coker <russell@coker.com.au>,
Thomas Bleher <bleher@informatik.uni-muenchen.de>,
SELinux <selinux@tycho.nsa.gov>
Subject: Re: Patches without the can_network patch.
Date: Thu, 18 Nov 2004 09:32:30 -0500 [thread overview]
Message-ID: <419CB27E.6080800@redhat.com> (raw)
In-Reply-To: <1100722524.22035.18.camel@moss-lions.epoch.ncsc.mil>
[-- Attachment #1: Type: text/plain, Size: 238 bytes --]
Latest policy-small patch. Many changes to make targeted policy work
better.
Lots of changes to apache policy.
Check out the changes to core_macros for create/rw socket_perms. Maybe
more acceptable. :^)
Many other minor changes.
[-- Attachment #2: policy-small.patch --]
[-- Type: text/x-patch, Size: 35491 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.2/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/ldconfig.te 2004-11-18 08:48:23.918139878 -0500
@@ -8,7 +8,7 @@
#
# Rules for the ldconfig_t domain.
#
-type ldconfig_t, domain, privlog;
+type ldconfig_t, domain, privlog, etc_writer;
type ldconfig_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types ldconfig_t;
@@ -26,7 +26,7 @@
allow ldconfig_t lib_t:lnk_file create_lnk_perms;
allow ldconfig_t userdomain:fd use;
-allow ldconfig_t etc_t:file { getattr read };
+allow ldconfig_t etc_t:file { getattr read unlink };
allow ldconfig_t etc_t:lnk_file read;
allow ldconfig_t fs_t:filesystem getattr;
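Review bot: The `unlink` added in `allow ldconfig_t etc_t:file { getattr read unlink };` applies to every file carrying the generic `etc_t` type, not only the file ldconfig presumably needs to replace. If the target is a single cache file, giving that file its own type and granting `unlink` there would keep the grant narrow. At minimum the rule needs a comment naming the file, for example `# ldconfig removes its stale cache file under /etc`. The `etc_writer` attribute added to the `type ldconfig_t` line in the first hunk needs the same explanation, since what it grants is decided by rules outside this patch.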
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.19.2/domains/program/login.te
--- nsapolicy/domains/program/login.te 2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.2/domains/program/login.te 2004-11-18 08:48:23.919139766 -0500
@@ -182,6 +182,9 @@
# Allow setting of attributes on sound devices.
allow local_login_t sound_device_t:chr_file { getattr setattr };
+# Allow setting of attributes on power management devices.
+allow local_login_t power_device_t:chr_file { getattr setattr };
+
#################################
#
# Rules for the remote_login_t domain.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.19.2/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te 2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/acct.te 2004-11-18 08:48:23.919139766 -0500
@@ -63,8 +63,7 @@
ifdef(`logrotate.te', `
domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
-allow logrotate_t acct_data_t:dir search;
-allow logrotate_t acct_data_t:file { create_file_perms };
+rw_dir_create_file(logrotate_t, acct_data_t)
can_exec(logrotate_t, acct_data_t)
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.2/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.2/domains/program/unused/apache.te 2004-11-18 08:50:10.113157831 -0500
@@ -32,6 +32,9 @@
# Run SSI execs in system CGI script domain.
bool httpd_ssi_exec false;
+# Allow http daemon to communicate with the TTY
+bool httpd_tty_comm false;
+
#########################################################
# Apache types
#########################################################
@@ -239,10 +242,12 @@
# connect to mysql
ifdef(`mysqld.te', `
can_unix_connect(httpd_php_t, mysqld_t)
+can_unix_connect(httpd_t, mysqld_t)
allow httpd_php_t mysqld_var_run_t:dir search;
allow httpd_php_t mysqld_var_run_t:sock_file write;
allow httpd_t mysqld_db_t:dir search;
allow httpd_t mysqld_db_t:sock_file rw_file_perms;
+allow httpd_t mysqld_var_run_t:sock_file rw_file_perms;
')
allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
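Review bot: The new `allow httpd_t mysqld_var_run_t:sock_file rw_file_perms;` is wider than the existing `httpd_php_t` rule on the same type, which grants only `write`. Unlike the php rules it also has no matching `allow httpd_t mysqld_var_run_t:dir search;` in this hunk. Unless that search permission exists elsewhere in apache.te, `httpd_t` cannot reach the socket and the rule has no effect. If connecting is all that is required, mirroring the php pair (`dir search` plus `sock_file write`) keeps the two domains consistent. The enclosing `ifdef(`mysqld.te', …)` block starts before this hunk.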
@@ -297,6 +302,7 @@
#
type httpd_runtime_t, file_type, sysadmfile;
file_type_auto_trans(httpd_t, httpd_log_t, httpd_runtime_t, file)
+allow httpd_sys_script_t httpd_runtime_t:file { getattr append };
') dnl distro_redhat
#
# Customer reported the following
@@ -306,9 +312,28 @@
dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
')
-# Running squirrelmail requires this permissions
+#
+# The following is needed to make squirrelmail work
+type httpd_squirrelmail_t, file_type, sysadmfile;
+create_dir_file(httpd_t, httpd_squirrelmail_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
ifdef(`mta.te', `
-allow system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_sys_script_rw_t:file { append read };
-allow system_mail_t httpd_t:tcp_socket { read write };
+dontaudit system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_squirrelmail_t:file { append read };
+dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+
+application_domain(httpd_helper)
+role system_r types httpd_helper_t;
+domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+
+allow httpd_helper_t devpts_t:dir { search };
+allow httpd_helper_t devtty_t:chr_file rw_file_perms;
+allow httpd_helper_t httpd_config_t:file { getattr read };
+allow httpd_helper_t httpd_log_t:file { append };
+if (httpd_tty_comm) {
+ifdef(`targeted_policy', `
+allow { httpd_helper_t httpd_t } devpts_t:chr_file { read write };
')
+allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+}
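Review bot: The `if (httpd_tty_comm)` block grants terminal read/write to `httpd_t` itself as well as to `httpd_helper_t`, so turning the boolean on lets the network-facing daemon read and write `admin_tty_type` devices. If the terminal interaction happens only in the helper (apache.fc in this patch labels `/usr/bin/htsslpass` as `httpd_helper_exec_t`), the conditional rules could name `httpd_helper_t` alone. Note also that `allow httpd_helper_t devtty_t:chr_file rw_file_perms;` sits outside the boolean, so the helper keeps `/dev/tty` access even when `httpd_tty_comm` is false. The helper block has no comment; something like `# Helper domain for /usr/bin/htsslpass; terminal access is gated by httpd_tty_comm` would document the intent.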
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.19.2/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/apmd.te 2004-11-18 08:48:23.920139653 -0500
@@ -114,7 +114,10 @@
allow consoletype_t apmd_t:fifo_file write;
')
ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
-ifdef(`crond.te', `domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)')
+ifdef(`crond.te', `
+domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
+allow apmd_t crond_t:fifo_file { getattr read write ioctl };
+')
ifdef(`mta.te', `
domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.19.2/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te 2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/consoletype.te 2004-11-18 08:48:23.921139540 -0500
@@ -59,5 +59,6 @@
')
dontaudit consoletype_t proc_t:file read;
dontaudit consoletype_t root_t:file read;
-allow consoletype_t crond_t:fifo_file read;
+allow consoletype_t crond_t:fifo_file { read getattr ioctl };
+allow consoletype_t system_crond_t:fd use;
allow consoletype_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.2/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.2/domains/program/unused/cups.te 2004-11-18 08:51:22.563983161 -0500
@@ -59,7 +60,6 @@
allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
can_exec(cupsd_t, initrc_exec_t)
-can_exec(cupsd_t, hostname_exec_t)
allow cupsd_t proc_t:file r_file_perms;
allow cupsd_t proc_t:dir r_dir_perms;
allow cupsd_t self:file { getattr read };
@@ -185,7 +185,7 @@
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
allow cupsd_config_t cupsd_t:process { signal };
allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-allow cupsd_config_t cupsd_t:dir search;
+r_dir_file(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:capability chown;
@@ -212,8 +212,17 @@
')
can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
+ifdef(`hostname.te', `
+can_exec(cupsd_t, hostname_exec_t)
+can_exec(cupsd_config_t, hostname_exec_t)
+')
allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
+# killall causes the following
+dontaudit cupsd_config_t domain:dir { getattr search };
+dontaudit cupsd_config_t selinux_config_t:dir search;
+
+can_exec(cupsd_config_t, cupsd_config_exec_t)
allow cupsd_config_t usr_t:file { getattr read };
allow cupsd_config_t var_lib_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.19.2/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te 2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/cyrus.te 2004-11-18 08:51:47.260196672 -0500
@@ -45,3 +45,4 @@
allow system_crond_t cyrus_var_lib_t:file create_file_perms;
allow system_crond_su_t cyrus_var_lib_t:dir search;
')
+allow cyrus_t mail_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.19.2/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te 2004-10-14 23:25:18.000000000 -0400
+++ policy-1.19.2/domains/program/unused/dhcpd.te 2004-11-18 08:53:24.057275000 -0500
@@ -33,6 +33,7 @@
can_ypbind(dhcpd_t)
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
allow dhcpd_t var_lib_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.19.2/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/domains/program/unused/ftpd.te 2004-11-18 08:54:09.695125653 -0500
@@ -31,11 +31,13 @@
ifdef(`crond.te', `
system_crond_entry(ftpd_exec_t, ftpd_t)
+allow system_crond_t xferlog_t:file r_file_perms;
can_exec(ftpd_t, { sbin_t shell_exec_t })
allow ftpd_t usr_t:file { getattr read };
')
allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
+allow ftpd_t port_t:tcp_socket name_bind;
# Allow ftpd to run directly without inetd.
bool ftpd_is_daemon false;
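Review bot: `allow ftpd_t port_t:tcp_socket name_bind;` lets ftpd bind any port that carries the generic `port_t` type, on top of `ftp_data_port_t`, and it is unconditional with no explanation. If this is meant for passive-mode data connections, say so in a comment such as `# passive mode binds arbitrary unreserved ports`. Consider putting it behind a boolean so sites that restrict the passive port range can keep the tighter rule.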
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.19.2/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te 2004-10-19 16:03:06.000000000 -0400
+++ policy-1.19.2/domains/program/unused/innd.te 2004-11-18 08:54:50.625507454 -0500
@@ -64,6 +64,9 @@
ifdef(`crond.te', `
system_crond_entry(innd_exec_t, innd_t)
+allow system_crond_t innd_etc_t:file { getattr read };
+rw_dir_create_file(system_crond_t, innd_log_t)
+rw_dir_create_file(system_crond_t, innd_var_run_t)
')
ifdef(`syslogd.te', `
allow syslogd_t innd_log_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.19.2/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/kudzu.te 2004-11-18 08:48:23.921139540 -0500
@@ -21,7 +21,7 @@
allow kudzu_t proc_t:file { getattr read };
allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
-allow kudzu_t { bin_t sbin_t }:dir search;
+allow kudzu_t { bin_t sbin_t }:dir { getattr search };
allow kudzu_t { bin_t sbin_t }:lnk_file read;
allow kudzu_t { sysctl_t sysctl_kernel_t }:dir search;
allow kudzu_t sysctl_dev_t:dir { getattr search read };
@@ -85,3 +85,7 @@
# for file systems that are not yet mounted
dontaudit kudzu_t file_t:dir search;
+ifdef(`lpd.te', `
+allow kudzu_t printconf_t:file { getattr read };
+')
+allow kudzu_t zero_device_t:chr_file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.19.2/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2004-10-09 21:06:14.000000000 -0400
+++ policy-1.19.2/domains/program/unused/mta.te 2004-11-18 08:48:23.922139427 -0500
@@ -20,6 +20,7 @@
# "mail user@domain"
mail_domain(system)
+ifelse(`targeted-policy', `', `
ifdef(`sendmail.te', `
# sendmail has an ugly design, the one process parses input from the user and
# then does system things with it.
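Review bot: The guard `ifelse(`targeted-policy', `', `` compares the literal string `targeted-policy` with the empty string instead of testing whether a macro is defined. The two strings are never equal, so a three-argument m4 `ifelse` expands to nothing and the wrapped sendmail and sysadm_mail rules would be dropped from every policy, not just the targeted one. The name is also spelled with a hyphen here, whereas the last hunk of this file uses `targeted_policy`. The intended form is most likely ``ifdef(`targeted_policy', `', ` `` with the block as the third argument. The closing `')` for this guard is in the next hunk, and the lines between the two hunks are not visible, so the exact extent of the wrapped block should be confirmed.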
@@ -32,11 +33,13 @@
# allow the sysadmin to do "mail someone < /home/user/whatever"
allow sysadm_mail_t user_home_dir_type:dir search;
r_dir_file(sysadm_mail_t, user_home_type)
-
+')
# for a mail server process that does things in response to a user command
allow mta_user_agent userdomain:process sigchld;
allow mta_user_agent { userdomain privfd }:fd use;
+ifdef(`crond.te', `
allow mta_user_agent crond_t:process sigchld;
+')
allow mta_user_agent sysadm_t:fifo_file { read write };
allow { system_mail_t mta_user_agent } privmail:fd use;
@@ -57,3 +60,13 @@
allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
+# rules are currently defined in sendmail.te, but it is not included in
+# targeted policy. We could move these rules permanantly here.
+ifdef(`targeted_policy', `
+allow system_mail_t self:dir { search };
+allow system_mail_t proc_t:dir search;
+allow system_mail_t proc_t:{ file lnk_file } { getattr read };
+allow system_mail_t fs_t:filesystem getattr;
+allow system_mail_t { var_t var_spool_t }:dir getattr;
+create_dir_file( system_mail_t, mqueue_spool_t)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.19.2/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.2/domains/program/unused/named.te 2004-11-18 08:55:41.707743815 -0500
@@ -77,6 +77,7 @@
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
+allow named_t self:netlink_route_socket r_netlink_socket_perms;
# Read sysctl kernel variables.
allow named_t sysctl_t:dir r_dir_perms;
@@ -149,7 +150,7 @@
allow ndc_t named_zone_t:file getattr;
dontaudit ndc_t sysadm_home_t:dir { getattr search read };
')
-allow ndc_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
# Allow init script to cp localtime to named_conf_t
allow initrc_t named_conf_t:file { write };
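Review bot: Replacing the explicit `{ bind create getattr nlmsg_read read write }` with `r_netlink_socket_perms` widens what `ndc_t` may do on its netlink route socket. Going by the old `create_socket_perms` list removed in the core_macros.te hunk of this patch, the macro also brings in `ioctl`, `setattr`, `append`, `connect`, `getopt`, `setopt` and `shutdown`. This is probably harmless on a `self` socket, but it is a grant increase, not a pure cleanup, and the commit message should say so. The exact set depends on `rw_socket_perms`, which is defined outside the visible hunks.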
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.2/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/domains/program/unused/ntpd.te 2004-11-18 09:16:48.946760475 -0500
@@ -42,18 +42,18 @@
allow ntpd_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
# so the start script can change firewall entries
allow initrc_t net_conf_t:file { getattr read ioctl };
# for cron jobs
# system_crond_t is not right, cron is not doing what it should
-ifdef(`crond.te', `
-system_crond_entry(ntpd_exec_t, ntpd_t)
+ifdef(`crond.te', `system_crond_entry(ntpd_exec_t, ntpd_t)')
can_exec(ntpd_t, initrc_exec_t)
allow ntpd_t self:fifo_file { read write getattr };
allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t logrotate_exec_t ntpd_exec_t })
+can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
allow ntpd_t { sbin_t bin_t }:dir search;
allow ntpd_t bin_t:lnk_file read;
allow ntpd_t sysctl_kernel_t:dir search;
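Review bot: Collapsing the guard to `ifdef(`crond.te', `system_crond_entry(ntpd_exec_t, ntpd_t)')` and removing the closing `')` in the next hunk makes everything that used to sit inside the block unconditional. That includes `can_exec(ntpd_t, initrc_exec_t)` and `can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })`, so a policy built without crond.te now lets `ntpd_t` execute shells and generic binaries where it previously could not. The comment above, `# for cron jobs`, no longer describes these rules. Either keep the cron-only rules inside the `ifdef`, or add a comment explaining why the daemon needs them outside cron.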
@@ -63,7 +63,6 @@
allow ntpd_t self:file { getattr read };
dontaudit ntpd_t domain:dir search;
ifdef(`logrotate.te', `can_exec(ntpd_t, logrotate_exec_t)')
-')
allow ntpd_t devtty_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.2/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/domains/program/unused/postgresql.te 2004-11-18 08:57:40.718315780 -0500
@@ -42,10 +42,11 @@
logdir_domain(postgresql)
+ifdef(`crond.te', `
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
allow crond_t postgresql_db_t:dir search;
-
system_crond_entry(postgresql_exec_t, postgresql_t)
+')
tmp_domain(postgresql);
file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.19.2/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te 2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/rpcd.te 2004-11-18 08:58:17.120208533 -0500
@@ -24,6 +24,7 @@
allow $1_t var_lib_nfs_t:file create_file_perms;
# do not log when it tries to bind to a port belonging to another domain
dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
allow $1_t self:netlink_route_socket r_netlink_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
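Review bot: The new `allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;` sits directly under a comment that describes only the `dontaudit` on `reserved_port_type`. A reader can no longer tell which binds are permitted and which are silently denied. Add a comment for the allow, for example `# may bind reserved ports that are not assigned to another domain`, assuming that is what `reserved_port_t` denotes here; its declaration is outside this patch. Because this line is inside a macro taking `$1`, the grant applies to every domain the macro instantiates.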
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.19.2/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/domains/program/unused/snmpd.te 2004-11-18 08:58:52.256244113 -0500
@@ -38,7 +38,7 @@
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_socket_perms;
allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file { getattr read };
+allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
allow snmpd_t urandom_device_t:chr_file read;
allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.2/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/domains/program/unused/squid.te 2004-11-18 08:59:29.988986705 -0500
@@ -62,10 +62,12 @@
# to allow running programs from /usr/lib/squid (IE unlinkd)
# also allow exec()ing itself
-can_exec(squid_t, { lib_t squid_exec_t } )
+can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t } )
allow squid_t { bin_t sbin_t }:dir search;
+allow squid_t { bin_t sbin_t }:lnk_file read;
dontaudit squid_t { home_root_t security_t devpts_t }:dir getattr;
ifdef(`targeted_policy', `
dontaudit squid_t tty_device_t:chr_file { read write };
')
+allow squid_t urandom_device_t:chr_file { getattr read };
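Review bot: `can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t } )` now lets squid execute anything labelled `bin_t` or `sbin_t` in its own domain. The comment above still justifies the rule only by `/usr/lib/squid` helpers and self-exec. Update the comment to name the program that needs `bin_t`/`sbin_t`, for example `# also runs <program> from /usr/bin` with the real name filled in. If only one or two binaries are involved, a dedicated type for them would be narrower than all generic binaries.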
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.19.2/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te 2004-10-14 23:25:18.000000000 -0400
+++ policy-1.19.2/domains/program/unused/vpnc.te 2004-11-18 09:17:37.765252256 -0500
@@ -17,6 +17,7 @@
# Use the network.
can_network(vpnc_t)
can_ypbind(vpnc_t)
+allow vpnc_t self:socket create_socket_perms;
# Use capabilities.
allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
@@ -28,3 +29,12 @@
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
allow vpnc_t admin_tty_type:chr_file rw_file_perms;
+allow vpnc_t port_t:udp_socket name_bind;
+allow vpnc_t etc_runtime_t:file { getattr read };
+allow vpnc_t proc_t:file { getattr read };
+dontaudit vpnc_t selinux_config_t:dir search;
+can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
+allow vpnc_t sysctl_net_t:dir search;
+allow vpnc_t sbin_t:dir search;
+allow vpnc_t bin_t:dir search;
+allow vpnc_t bin_t:lnk_file read;
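Review bot: `can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })` runs shells, generic binaries and ifconfig inside `vpnc_t`. That domain holds `net_admin` and `net_raw` according to the capability rule in the first hunk, so everything it executes inherits those capabilities. If the policy has a separate domain for ifconfig, a transition into it would keep interface configuration out of `vpnc_t`; that depends on files not shown here. None of the nine added rules carries a comment, although the file otherwise documents each group (`# Use the network.`, `# Use capabilities.`). A short header such as `# vpnc runs a shell script that calls ifconfig to configure the tunnel` would record why the exec rights are needed, if that is the reason.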
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.19.2/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/domains/program/unused/xdm.te 2004-11-18 09:01:02.054598887 -0500
@@ -241,6 +241,9 @@
# Access sound device.
allow xdm_t sound_device_t:chr_file { setattr getattr };
+# Allow setting of attributes on power management devices.
+allow xdm_t power_device_t:chr_file { getattr setattr };
+
# Run the X server in a derived domain.
xserver_domain(xdm)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.2/domains/user.te
--- nsapolicy/domains/user.te 2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.2/domains/user.te 2004-11-18 08:48:23.922139427 -0500
@@ -18,6 +18,9 @@
# Allow system to run with NIS
bool allow_ypbind false;
+# Allow system to run with kerberos
+bool allow_kerberos false;
+
# Allow users to rw usb devices
bool user_rw_usb false;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.2/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2004-10-06 16:21:13.000000000 -0400
+++ policy-1.19.2/file_contexts/distros.fc 2004-11-18 08:48:23.923139314 -0500
@@ -30,5 +30,6 @@
/usr/share/system-config-nfs/nfs-export.py -- system_u:object_r:bin_t
/usr/share/pydict/pydict.py -- system_u:object_r:bin_t
/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t
+/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t
')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.2/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/file_contexts/program/apache.fc 2004-11-18 08:48:23.924139201 -0500
@@ -27,6 +27,7 @@
/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t
/var/run/apache(2)?.pid.* -- system_u:object_r:httpd_var_run_t
/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t
+/var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t
/etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t
/usr/lib/apache-ssl(/.*)? -- system_u:object_r:httpd_exec_t
/usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t
@@ -37,4 +38,5 @@
# suse puts shell scripts there :-(
/usr/share/apache2/.* -- system_u:object_r:bin_t
')
-/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_sys_script_rw_t
+/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t
+/usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.2/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc 2004-10-14 23:25:19.000000000 -0400
+++ policy-1.19.2/file_contexts/program/cups.fc 2004-11-18 08:48:23.924139201 -0500
@@ -1,7 +1,7 @@
# cups printing
/etc/cups(/.*)? system_u:object_r:cupsd_etc_t
/usr/share/cups(/.*)? system_u:object_r:cupsd_etc_t
-/etc/alchemist/namespace/printconf/local.adl system_u:object_r:cupsd_rw_etc_t
+/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
/etc/cups/client\.conf -- system_u:object_r:etc_t
/etc/cups/cupsd.conf.* -- system_u:object_r:cupsd_rw_etc_t
@@ -33,3 +33,4 @@
/usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t
/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t
/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t
+/usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hald.fc policy-1.19.2/file_contexts/program/hald.fc
--- nsapolicy/file_contexts/program/hald.fc 2004-09-22 16:19:13.000000000 -0400
+++ policy-1.19.2/file_contexts/program/hald.fc 2004-11-18 08:48:23.925139089 -0500
@@ -3,3 +3,4 @@
/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
/etc/hal/device.d/printer_remove.hal -- system_u:object_r:hald_exec_t
/etc/hal/capability.d/printer_update.hal -- system_u:object_r:hald_exec_t
+/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.19.2/file_contexts/program/sendmail.fc
--- nsapolicy/file_contexts/program/sendmail.fc 2004-10-07 08:02:02.000000000 -0400
+++ policy-1.19.2/file_contexts/program/sendmail.fc 2004-11-18 08:48:23.925139089 -0500
@@ -1,6 +1,5 @@
# sendmail
/etc/mail(/.*)? system_u:object_r:etc_mail_t
-/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t
/var/log/sendmail\.st -- system_u:object_r:sendmail_log_t
/var/log/mail(/.*)? system_u:object_r:sendmail_log_t
/var/run/sendmail.pid -- system_u:object_r:sendmail_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.2/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/file_contexts/types.fc 2004-11-18 08:48:23.927138863 -0500
@@ -334,6 +334,7 @@
/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
+/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
/usr/etc(/.*)? system_u:object_r:etc_t
/usr/inclu.e(/.*)? system_u:object_r:usr_t
@@ -392,6 +393,7 @@
#
/var/spool(/.*)? system_u:object_r:var_spool_t
/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t
+/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t
#
# /var/log
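Review bot: Moving the `/var/spool/(client)?mqueue(/.*)?` entry into types.fc makes every policy build reference `mqueue_spool_t`, whether or not sendmail.te is included. If the type is still declared only in sendmail.te, a policy without that file will carry a file context for an undeclared type. The declaration should move to a file that is always built, together with this entry. The declaration is not part of the visible patch, so this needs checking against the tree.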
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.2/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/macros/admin_macros.te 2004-11-18 08:48:23.927138863 -0500
@@ -196,6 +196,11 @@
# Grant read and write access to /dev/console.
allow $1_t console_device_t:chr_file rw_file_perms;
+# Allow MAKEDEV to work
+allow $1_t device_t:dir rw_dir_perms;
+allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+allow $1_t device_t:lnk_file { create read };
+
# for lsof
allow $1_t domain:socket_class_set getattr;
allow $1_t eventpollfs_t:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.2/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/macros/base_user_macros.te 2004-11-18 09:01:27.432735456 -0500
@@ -291,6 +291,9 @@
# Access the sound device.
allow $1_t sound_device_t:chr_file { getattr read write ioctl };
+# Access the power device.
+allow $1_t power_device_t:chr_file { getattr read write ioctl };
+
allow $1_t var_log_t:dir { getattr search };
dontaudit $1_t logfile:file getattr;
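Review bot: `allow $1_t power_device_t:chr_file { getattr read write ioctl };` gives every user domain built from this macro unconditional read/write and ioctl on the power management devices. The comparable USB access in user.te is gated by the `user_rw_usb` boolean; a similar boolean here would let multi-user systems keep power control away from ordinary users. If unconditional access is intended, extend the comment to say why write and ioctl are required, not just that the device is accessed.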
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.19.2/macros/core_macros.te
--- nsapolicy/macros/core_macros.te 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/macros/core_macros.te 2004-11-18 09:05:47.706368626 -0500
@@ -137,17 +137,27 @@
#
# Permissions for creating and using sockets.
#
-define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
#
# Permissions for using stream sockets.
#
-define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
#
# Permissions for creating and using stream sockets.
#
-define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_socket_perms', `{ create_socket_perms -connect }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_stream_socket_perms', `{ create_stream_socket_perms -connect }')
#
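Review bot: The two new macros `connected_socket_perms` and `connected_stream_socket_perms` reuse the header `# Permissions for creating and using sockets.` verbatim, so nothing states that they differ from `create_socket_perms` by excluding `connect`. A header such as `# Permissions for creating and using sockets, without connect.` would make the distinction visible. No rule in this patch uses either macro, so the `-connect` subtraction inside a permission set is not exercised by the build; confirm that checkpolicy accepts it there and does not only accept it in type sets. The rewritten `create_socket_perms` now depends on `rw_socket_perms`, defined outside this hunk, matching the removed explicit list minus `create`, so that is worth checking too.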
@@ -158,12 +168,12 @@
#
# Permissions for using netlink sockets for operations that modify state.
#
-define(`rw_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read nlmsg_write }')
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
#
# Permissions for using netlink sockets for operations that observe state.
#
-define(`r_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read }')
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
#
# Permissions for sending all signals.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.19.2/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/macros/program/apache_macros.te 2004-11-18 09:06:46.828697818 -0500
@@ -110,11 +110,12 @@
create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
-if (httpd_enable_cgi) && (httpd_unified) {
+if (httpd_enable_cgi) && (httpd_unified) ifdef(`targeted_policy', ` && ! (httpd_disable_trans)') {
ifelse($1, sys, `
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
', `
create_dir_file(httpd_$1_script_t, httpdcontent)
can_exec(httpd_$1_script_t, httpdcontent )
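Review bot: The added `create_dir_file(httpd_t, httpdcontent)` sits next to `domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)`. With `httpd_enable_cgi` and `httpd_unified` both on, the server domain can therefore create files of a type it is also allowed to execute into the script domain. That removes the separation between content the daemon serves and content it can author, so it should be called out in a comment and ideally placed under its own boolean, not folded into the CGI condition. The condition now also references `httpd_disable_trans` when `targeted_policy` is defined; that boolean is not declared anywhere in the visible patch and must exist for the targeted build to compile. The `ifelse($1, sys, …)` block continues past the end of this hunk.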
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.19.2/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te 2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.2/macros/program/inetd_macros.te 2004-11-18 09:07:36.065142440 -0500
@@ -44,7 +44,7 @@
allow $1_t self:dir search;
allow $1_t self:file { getattr read };
can_kerberos($1_t)
-allow $1_t urandom_device_t:chr_file { getattr read };
+allow $1_t urandom_device_t:chr_file r_file_perms;
type $1_port_t, port_type, reserved_port_type;
# Use sockets inherited from inetd.
ifelse($2, `', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.19.2/macros/program/kerberos_macros.te
--- nsapolicy/macros/program/kerberos_macros.te 2004-11-17 14:51:55.000000000 -0500
+++ policy-1.19.2/macros/program/kerberos_macros.te 2004-11-18 09:08:04.893889675 -0500
@@ -1,7 +1,9 @@
define(`can_kerberos',`
ifdef(`kerberos.te',`
+if (allow_kerberos) {
can_network($1)
dontaudit $1 krb5_conf_t:file write;
allow $1 krb5_conf_t:file { getattr read };
+}
') dnl kerberos.te
')
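Review bot: Wrapping the body of `can_kerberos` in `if (allow_kerberos)` changes behaviour for every existing caller, because the boolean is declared `false` in both user.te and unconfined.te in this patch. Any domain that relied on this macro for `can_network($1)` (inetd_macros.te calls it, for instance) loses that network access by default unless it is granted separately. Conditional blocks also restrict which statements may appear inside them; `can_network` is defined elsewhere, so confirm its expansion contains only rules that are legal inside `if { }`. A comment on the macro such as `# network and krb5.conf access, only when allow_kerberos is set` would make the new dependency explicit.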
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.19.2/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/macros/program/lpr_macros.te 2004-11-18 09:09:14.527032926 -0500
@@ -18,7 +18,7 @@
undefine(`lpr_domain')
define(`lpr_domain',`
# Derived domain based on the calling user domain and the program
-type $1_lpr_t, domain, privlog;
+type $1_lpr_t, domain, privlog, nscd_client_domain;
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
@@ -104,6 +104,7 @@
# Connect to lpd via a TCP socket.
can_tcp_connect($1_lpr_t, lpd_t)
+allow $1_lpr_t fs_t:filesystem getattr;
# Send SIGHUP to lpd.
allow $1_lpr_t lpd_t:process signal;
@@ -120,5 +121,11 @@
can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
')dnl end ifdef cups.te
+ifdef(`hide_broken_symptoms', `
+# thunderbird causes these
+dontaudit $1_lpr_t $1_t:tcp_socket { read write };
+dontaudit $1_lpr_t { $1_home_t $1_tmp_t }:file write;
+')
+
')dnl end macro definition
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.2/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.2/macros/program/mozilla_macros.te 2004-11-18 09:10:42.462111158 -0500
@@ -105,6 +105,8 @@
dontaudit $1_mozilla_t bin_t:dir getattr;
dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
+# running mplayer within firefox asks for this
+allow $1_mozilla_t clock_device_t:chr_file r_file_perms;
# Mozilla tries to delete .fonts.cache-1
dontaudit $1_mozilla_t $1_home_t:file unlink;
dontaudit $1_mozilla_t tmpfile:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.19.2/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te 2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.2/macros/program/mta_macros.te 2004-11-18 09:11:15.394395389 -0500
@@ -61,9 +61,11 @@
domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
allow privmail sendmail_exec_t:lnk_file { getattr read };
+ifdef(`crond.te', `
# Read cron temporary files.
allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
allow mta_user_agent system_crond_tmp_t:file { read getattr };
+')
allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.19.2/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/macros/program/xserver_macros.te 2004-11-18 09:12:18.809240254 -0500
@@ -27,9 +27,11 @@
ifdef(`distro_redhat', `
type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
+ifdef(`rpm.te', `
allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
allow $1_xserver_t rpm_tmpfs_t:file { read write };
allow $1_xserver_t rpm_t:fd use;
+')
', `
type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
@@ -148,6 +150,7 @@
allow xdm_xserver_t xdm_t:process signal;
allow xdm_xserver_t xdm_t:shm rw_shm_perms;
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
')
', `
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
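Review bot: The new `dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };` has no comment and is unconditional, whereas the lpr_macros.te change in this same patch places its audit suppressions inside the `hide_broken_symptoms` ifdef. Hiding denials on the administrator domain's shared memory removes the log evidence one would want if the X server ever probed those segments unexpectedly. I would wrap the rule in the same `hide_broken_symptoms` ifdef and add a one-line comment naming what triggers the denial and why it is harmless. The surrounding ifdef block starts and ends outside the hunk.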
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.2/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2004-11-18 08:14:00.000000000 -0500
+++ policy-1.19.2/targeted/domains/unconfined.te 2004-11-18 08:48:23.928138750 -0500
@@ -45,4 +45,7 @@
# Allow system to run with NIS
bool allow_ypbind false;
+# Allow system to run with Kerberos
+bool allow_kerberos false;
+
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.2/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.2/tunables/distro.tun 2004-11-18 08:48:23.929138637 -0500
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
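Review bot: Enabling `distro_redhat` here changes the shipped default for every build of the policy, and the tunable.tun hunk that follows does the same for `user_can_mount`, `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `hide_broken_symptoms` and `user_canbe_sysadm`. Going by the comments in tunable.tun, those defines let rpm, rc scripts and privileged utilities run unconfined and let user_r reach sysadm_r, so the defaults move from confined to permissive. They look like local build settings that ended up in the diff, possibly because the exclude file does not cover the tunables directory. I would drop both hunks from the submission and leave the lines prefixed with `dnl`, so each distribution opts in within its own build.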
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.2/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/tunables/tunable.tun 2004-11-18 08:48:23.929138637 -0500
@@ -1,27 +1,27 @@
# Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon
# started by an rc script that does not have a domain transition
# explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
# Allow sysadm_t to directly start daemons
define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.