All of lore.kernel.org
 help / color / mirror / Atom feed
* latest diff
@ 2005-03-19  6:53 Daniel J Walsh
  2005-03-19 16:14 ` Christopher J. PeBenito
  2005-03-21 19:40 ` James Carter
  0 siblings, 2 replies; 19+ messages in thread
From: Daniel J Walsh @ 2005-03-19  6:53 UTC (permalink / raw)
  To: Jim Carter, SELinux

[-- Attachment #1: Type: text/plain, Size: 510 bytes --]

Several Ivan Cleanups of x_client_macro, tvtime,  mozilla, mplayer

Some cleanup of the dovecot policy, adding keys

I think we can remove the hostname policy, it adds little value.  I 
added don't audit sys_admin to dhcpc
which is triggered by hostname being run by dhcp.  Code seems to work 
without allowing this privs.  I
think it would work fine without hostname policy.  I think we could 
probably get rid of consoletype also.

Moved arpwatch out of mta.te

Add syslogng support to syslog.te

Dan

-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 21332 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.23.3/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.3/domains/program/crond.te	2005-03-19 01:46:00.333925920 -0500
@@ -205,11 +205,11 @@
 r_dir_file(system_crond_t, file_context_t)
 can_getsecurity(system_crond_t)
 }
-allow system_crond_t removable_t:filesystem { getattr };
+allow system_crond_t removable_t:filesystem getattr;
 #
 # Required for webalizer
 #
 ifdef(`apache.te', `
 allow system_crond_t httpd_log_t:file { getattr read };
 ')
-dontaudit crond_t self:capability { sys_tty_config };
+dontaudit crond_t self:capability sys_tty_config;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.23.3/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/logrotate.te	2005-03-19 01:46:00.333925920 -0500
@@ -128,7 +128,7 @@
 
 allow logrotate_t fs_t:filesystem getattr;
 can_exec(logrotate_t, shell_exec_t)
-can_exec(logrotate_t, hostname_exec_t)
+ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
 can_exec(logrotate_t,logfile)
 allow logrotate_t net_conf_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.3/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.3/domains/program/syslogd.te	2005-03-19 01:46:00.334925768 -0500
@@ -36,7 +36,7 @@
 allow syslogd_t etc_t:file r_file_perms;
 
 # Use capabilities.
-allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
+allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
 
 # Modify/create log files.
 create_append_log_file(syslogd_t, var_log_t)
@@ -103,5 +103,14 @@
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
 dontaudit syslogd_t unlabeled_t:file read;
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:capability net_admin;
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`targeted_policy', `
+allow syslogd_t var_run_t:fifo_file { ioctl read write };
+')
+
+bool use_syslogng false;
+
+if (use_syslogng) {
+allow syslogd_t proc_kmsg_t:file write;
+allow syslogd_t self:capability { sys_admin chown };
+}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.23.3/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.3/domains/program/unused/arpwatch.te	2005-03-19 01:46:00.335925616 -0500
@@ -40,3 +40,9 @@
 allow initrc_t arpwatch_data_t:file create;
 ')dnl end distro_gentoo
 
+# why is mail delivered to a directory of type arpwatch_data_t?
+allow mta_delivery_agent arpwatch_data_t:dir search;
+allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
+ifdef(`hide_broken_symptoms', `
+dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.3/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.3/domains/program/unused/consoletype.te	2005-03-19 01:46:00.335925616 -0500
@@ -22,6 +22,7 @@
 domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
 
 allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
+allow consoletype_t devtty_t:chr_file { read write };
 allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
 
 ifdef(`xdm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.3/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/cups.te	2005-03-19 01:46:00.336925464 -0500
@@ -71,6 +71,8 @@
 can_exec(cupsd_t, cupsd_exec_t)
 allow cupsd_t cupsd_exec_t:dir search;
 allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t reserved_port_t:tcp_socket name_bind;
+dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
 
 allow cupsd_t self:unix_stream_socket create_socket_perms;
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.3/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/dhcpc.te	2005-03-19 01:46:00.337925312 -0500
@@ -86,6 +86,7 @@
 
 # Use capabilities
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability sys_admin;
 
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.23.3/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/dovecot.te	2005-03-19 01:46:00.337925312 -0500
@@ -3,13 +3,19 @@
 # Author:  Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: dovecot-imapd, dovecot-pop3d
 
+#
+# Main dovecot daemon
+#
 daemon_domain(dovecot, `, privhome')
+etc_domain(dovecot);
 
 allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
 
 can_exec(dovecot_t, dovecot_exec_t)
 
 type dovecot_cert_t, file_type, sysadmfile;
+type dovecot_passwd_t, file_type, sysadmfile;
+type dovecot_spool_t, file_type, sysadmfile;
 
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 allow dovecot_t self:process setrlimit;
@@ -25,9 +31,10 @@
 can_exec(dovecot_t, bin_t)
 
 allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file read;
+allow dovecot_t urandom_device_t:chr_file { getattr read };
 allow dovecot_t cert_t:dir search;
 allow dovecot_t dovecot_cert_t:file { getattr read };
+allow dovecot_t cert_t:dir search;
 
 allow dovecot_t { self proc_t }:file { getattr read };
 allow dovecot_t self:fifo_file rw_file_perms;
@@ -36,11 +43,17 @@
 
 allow dovecot_t tmp_t:dir search;
 rw_dir_file(dovecot_t, mail_spool_t)
+create_dir_file(dovecot_t, dovecot_spool_t)
+create_dir_file(mta_delivery_agent, dovecot_spool_t)
 allow dovecot_t mail_spool_t:lnk_file read;
 allow dovecot_t var_spool_t:dir { search };
 
+#
+# Dovecot auth daemon
+#
 daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
 allow dovecot_auth_t self:process { fork signal_perms };
+allow dovecot_auth_t self:capability { setgid setuid };
 allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -50,6 +63,6 @@
 allow dovecot_auth_t { self proc_t }:file { getattr read };
 read_locale(dovecot_auth_t)
 read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t sysctl_t:dir search;
+allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 dontaudit dovecot_auth_t selinux_config_t:dir search;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.23.3/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.3/domains/program/unused/firstboot.te	2005-03-19 01:46:00.338925160 -0500
@@ -107,8 +107,10 @@
 
 allow firstboot_t var_run_t:dir getattr;
 allow firstboot_t var_t:dir getattr;
+ifdef(`hostname.te', `
 allow hostname_t devtty_t:chr_file { read write };
 allow hostname_t firstboot_t:fd use;
+')
 ifdef(`iptables.te', `
 allow iptables_t devtty_t:chr_file { read write };
 allow iptables_t firstboot_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/games.te policy-1.23.3/domains/program/unused/games.te
--- nsapolicy/domains/program/unused/games.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.3/domains/program/unused/games.te	2005-03-19 01:46:00.354922728 -0500
@@ -13,5 +13,8 @@
 rw_dir_create_file(games_t, games_data_t)
 r_dir_file(initrc_t, games_data_t)
 
+# Run in user_t
+bool disable_games_trans false;
+
 # Everything else is in the x_client_domain macro in
 # macros/program/x_client_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mozilla.te policy-1.23.3/domains/program/unused/mozilla.te
--- nsapolicy/domains/program/unused/mozilla.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.3/domains/program/unused/mozilla.te	2005-03-19 01:46:00.355922576 -0500
@@ -14,5 +14,8 @@
 # Allow mozilla to write files in the user home directory
 bool mozilla_writehome false;
 
+# Run in user_t
+bool disable_mozilla_trans false;
+
 # Everything else is in the mozilla_domain macro in
 # macros/program/mozilla_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mrtg.te policy-1.23.3/domains/program/unused/mrtg.te
--- nsapolicy/domains/program/unused/mrtg.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/mrtg.te	2005-03-19 01:46:00.355922576 -0500
@@ -94,5 +94,5 @@
 dontaudit mrtg_t root_t:lnk_file getattr;
 
 allow mrtg_t self:capability { setgid setuid };
-can_exec(mrtg_t, hostname_exec_t)
+ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)')
 allow mrtg_t var_spool_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.23.3/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/mta.te	2005-03-19 01:46:00.357922272 -0500
@@ -59,15 +59,6 @@
 allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
 allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
 
-ifdef(`arpwatch.te', `
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
-')dnl end if arpwatch.te
-
 allow mta_delivery_agent home_root_t:dir { getattr search };
 
 # for /var/spool/mail
@@ -81,4 +72,4 @@
 allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
 
 allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t urandom_device_t:chr_file read;
+allow system_mail_t { random_device_t urandom_device_t }:chr_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dovecot.fc policy-1.23.3/file_contexts/program/dovecot.fc
--- nsapolicy/file_contexts/program/dovecot.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.3/file_contexts/program/dovecot.fc	2005-03-19 01:46:00.357922272 -0500
@@ -1,4 +1,6 @@
 # for Dovecot POP and IMAP server
+/etc/dovecot.conf.*			system_u:object_r:dovecot_etc_t
+/etc/dovecot.passwd.*			system_u:object_r:dovecot_passwd_t
 /usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t
 ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t
@@ -10,3 +12,4 @@
 /usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
 /usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t
+/var/spool/dovecot(/.*)?		system_u:object_r:dovecot_spool_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.3/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/games_domain.te	2005-03-19 01:46:00.358922120 -0500
@@ -10,7 +10,23 @@
 #
 #
 define(`games_domain', `
-x_client_domain($1, `games', `, transitionbool')
+
+type $1_games_t, domain, nscd_client_domain;
+
+# Type transition
+if (! disable_games_trans) {
+domain_auto_trans($1_t, games_exec_t, $1_games_t)
+}
+role $1_r types $1_games_t;
+
+# X access, Private tmp
+x_client_domain($1, games)
+tmp_domain($1_games)
+
+# Games seem to need this
+if (allow_execmem) {
+allow $1_games_t self:process execmem;
+}
 
 allow $1_games_t var_t:dir { search getattr };
 rw_dir_create_file($1_games_t, games_data_t)
@@ -29,7 +45,6 @@
 
 dontaudit $1_games_t sysctl_t:dir search;
 
-tmp_domain($1_games)
 allow $1_games_t urandom_device_t:chr_file { getattr ioctl read };
 ifdef(`xdm.te', `
 allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.3/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-03-14 14:50:45.000000000 -0500
+++ policy-1.23.3/macros/program/gift_macros.te	2005-03-19 01:46:00.358922120 -0500
@@ -12,20 +12,18 @@
 
 define(`gift_domain', `
 
-# Connect to X
-x_client_domain($1, gift, `')	
-
-# Transition
+# Type transition
+type $1_gift_t, domain, nscd_client_domain;
 domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
-can_exec($1_gift_t, gift_exec_t)
 role $1_r types $1_gift_t;
 
+# X access, Home access
+x_client_domain($1, gift)
+home_domain($1, gift)
+
 # Self permissions
 allow $1_gift_t self:process getsched;
 
-# Home files
-home_domain($1, gift)
-
 # Fonts, icons
 r_dir_file($1_gift_t, usr_t)
 r_dir_file($1_gift_t, fonts_t)
@@ -56,7 +54,7 @@
 
 # giftui looks in .icons, .themes, .fonts-cache.
 dontaudit $1_gift_t $1_home_t:dir { getattr read search };
-dontaudit $1_gift_t $1_home_t:file { getattr read };
+dontaudit $1_gift_t $1_home_t:file { getattr read unlink };
 
 ') dnl gift_domain
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.3/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/mozilla_macros.te	2005-03-19 01:46:00.359921968 -0500
@@ -16,12 +16,16 @@
 # provided separately in domains/program/mozilla.te. 
 #
 define(`mozilla_domain',`
-x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool')
+type $1_mozilla_t, domain, web_client_domain, privlog;
 
-# Configuration
-home_domain($1, mozilla)
+# Type transition
+if (! disable_mozilla_trans) {
+domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
+}
+role $1_r types $1_mozilla_t;
 
-# Allow mozilla to browse files
+home_domain($1, mozilla)
+x_client_domain($1, mozilla)
 file_browse_domain($1_mozilla_t)
 
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.3/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-03-15 08:02:24.000000000 -0500
+++ policy-1.23.3/macros/program/mplayer_macros.te	2005-03-19 01:46:00.360921816 -0500
@@ -64,13 +64,15 @@
 
 define(`mplayer_domain',`
 
-# Derive from X client domain
-x_client_domain($1, `mplayer', `')
+type $1_mplayer_t, domain;
 
-# Mplayer configuration here
-home_domain($1, mplayer)
+# Type transition
+domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
+role $1_r types $1_mplayer_t;
 
-# Allow mplayer to browse files
+# Home access, X access, Browse files
+home_domain($1, mplayer)
+x_client_domain($1, mplayer)
 file_browse_domain($1_mplayer_t)
 
 # Mplayer common stuff
@@ -85,6 +87,9 @@
 # Read home directory content
 r_dir_file($1_mplayer_t, $1_home_t);
 
+# Read CDs
+r_dir_file($1_mplayer_t, removable_t);
+
 # Legacy domain issues
 if (allow_mplayer_execstack) {
 allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
@@ -101,12 +106,11 @@
 # FIXME: privhome temporarily removed...
 type $1_mencoder_t, domain;
 
-# Transition
+# Type transition
 domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
-can_exec($1_mencoder_t, mencoder_exec_t)
 role $1_r types $1_mencoder_t;
 
-# Read home config
+# Access mplayer home domain
 home_domain_access($1_mencoder_t, $1, mplayer)
 
 # Mplayer common stuff
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.23.3/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/screen_macros.te	2005-03-19 01:46:00.360921816 -0500
@@ -21,7 +21,7 @@
 ifdef(`screen.te', `
 define(`screen_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_screen_t, domain, privlog, privfd;
+type $1_screen_t, domain, privlog, privfd, nscd_client_domain;
 
 # Transition from the user domain to this domain.
 domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.3/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/tvtime_macros.te	2005-03-19 01:46:00.361921664 -0500
@@ -19,16 +19,22 @@
 ifdef(`tvtime.te', `
 define(`tvtime_domain',`
 
+# Type transition
+type $1_tvtime_t, domain, nscd_client_domain;
+domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
+role $1_r types $1_tvtime_t;
+
+# Home access, X access
 home_domain($1, tvtime)
+tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
 x_client_domain($1, tvtime)
 
 allow $1_tvtime_t urandom_device_t:chr_file read;
 allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
 allow $1_tvtime_t kernel_t:system ipc_info;
-allow $1_tvtime_t sound_device_t:chr_file read;
+allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
 allow $1_tvtime_t $1_home_t:dir { getattr read search };
 allow $1_tvtime_t $1_home_t:file { getattr read };
-tmp_domain($1_tvtime)
 allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
 allow $1_tvtime_t self:process setsched;
 allow $1_tvtime_t usr_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.3/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/x_client_macros.te	2005-03-19 01:46:00.361921664 -0500
@@ -37,39 +37,11 @@
 ')
 
 #
-# x_client_domain(domain_prefix)
+# x_client_domain(user, app)
 #
-# Define a derived domain for an X program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program ($2_exec_t)
-# must be provided separately!
-#
-# The first parameter is the base name for the domain/role (EG user or sysadm)
-# The second parameter is the program name (EG $2)
-# The third parameter is the attributes for the domain (if any)
+# Defines common X access rules for the user_app_t domain
 #
 define(`x_client_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_$2_t, domain, nscd_client_domain $3;
-
-ifelse(index(`$3', `transitionbool'), -1, `
-domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
-can_exec($1_$2_t, $2_exec_t)
-', `
-# Only do it once
-ifelse($1, user, `
-bool disable_$2 false;
-')
-# Transition from the user domain to the derived domain.
-if (! disable_$2) {
-domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
-can_exec($1_$2_t, $2_exec_t)
-}
-')
-
-# The user role is authorized for this domain.
-role $1_r types $1_$2_t;
 
 # This domain is granted permissions common to most domains (including can_net)
 can_network($1_$2_t)
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.3/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.3/tunables/distro.tun	2005-03-19 01:46:00.362921512 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.3/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.3/tunables/tunable.tun	2005-03-19 01:46:00.362921512 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

^ permalink raw reply	[flat|nested] 19+ messages in thread
* Latest diff.
@ 2005-03-22 18:24 Daniel J Walsh
  2005-03-22 20:20 ` Daniel J Walsh
  2005-03-23 18:25 ` James Carter
  0 siblings, 2 replies; 19+ messages in thread
From: Daniel J Walsh @ 2005-03-22 18:24 UTC (permalink / raw)
  To: Jim Carter, SELinux

[-- Attachment #1: Type: text/plain, Size: 1179 bytes --]

Fixed assert.te to allow unrestricted domains full access.

Added httpd_unconfined_t so that if a user has a script that can not run 
under SELinux protection, he can label just this script
with httpd_unconfined_script_t and it will run in an unconfined domain.  
The rest of the scripts and httpd itself will run under
normal apache policy. I am not sure if we want this protected via a 
boolean or not.  The user has to set httpd_unconfined_script_t on
a script for it to take place.  Maybe should be placed under a boolean.  
This is better than the current solution which is to turn off
protection for all of apache.

Merged in changes to get ready for name_connect.

Also added liberal allow rules for all domains that
have can_network or can_network_tcp.  Allowing them to connect to port_type.
I need help from people to go through these network controls and tighten 
them up.   IE we need to specify the only ports that
dhcp, or named or xserver etc can connect to.

Alot of port_type definitions need to be moved out of their individual 
te files into types/network.te

I also changed can_kerberos, can_portmap, can_resolv, can_ldap to use 
the named ports.

Dan

-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 55490 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.23.4/assert.te
--- nsapolicy/assert.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/assert.te	2005-03-22 12:36:49.000000000 -0500
@@ -30,56 +30,56 @@
 # Verify that only the insmod_t and kernel_t domains 
 # have the sys_module capability.
 #
-neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module;
+neverallow {domain -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') -unrestricted } self:capability sys_module;
 
 #
 # Verify that executable types, the system dynamic loaders, and the
 # system shared libraries can only be modified by administrators.
 #
-neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename };
-neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto;
+neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
+neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
 
 #
 # Verify that only appropriate domains can access /etc/shadow
-neverallow { domain -auth -auth_write } shadow_t:file ~getattr;
-neverallow { domain -auth_write } shadow_t:file ~r_file_perms;
+neverallow { domain -auth -auth_write -unrestricted } shadow_t:file ~getattr;
+neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
 
 #
 # Verify that only appropriate domains can write to /etc (IE mess with
 # /etc/passwd)
-neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms;
-neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms;
-neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms };
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
 
 #
 # Verify that other system software can only be modified by administrators.
 #
-neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
-neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename };
+neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
+neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
 
 #
 # Verify that only certain domains have access to the raw disk devices.
 #
-neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append };
+neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
 
 #
 # Verify that only the X server and klogd have access to memory devices.
 #
-neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append };
+neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
 
 #
 # Verify that only domains with the privlog attribute can actually syslog
 #
-neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append };
+neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
 
 #
 # Verify that /proc/kmsg is only accessible to klogd.
 #
 ifdef(`klogd.te', `
-neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms;
+neverallow {domain -klogd_t -unrestricted } proc_kmsg_t:file ~stat_file_perms;
 ', `
 ifdef(`syslogd.te', `
-neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms;
+neverallow {domain -syslogd_t -unrestricted } proc_kmsg_t:file ~stat_file_perms;
 ')dnl end if syslogd
 ')dnl end if klogd
 
@@ -93,14 +93,14 @@
 # Verify that sysctl variables are only changeable
 # by initrc and administrators.
 #
-neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append };
-neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append };
-neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append };
+neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
+neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
+neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
 
 #
 # Verify that certain domains are limited to only being
@@ -146,13 +146,13 @@
 #
 # Verify that only the admin domains and initrc_t have setenforce.
 #
-neverallow { domain -admin -initrc_t } security_t:security setenforce;
+neverallow { domain -admin -initrc_t -unrestricted } security_t:security setenforce;
 
 #
 # Verify that only the kernel and load_policy_t have load_policy.
 #
 
-neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy;
+neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
 
 #
 # for gross mistakes in policy
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.4/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.4/domains/program/initrc.te	2005-03-22 12:36:49.000000000 -0500
@@ -17,6 +17,7 @@
 role system_r types initrc_t;
 uses_shlib(initrc_t);
 can_network(initrc_t)
+allow initrc_t port_type:tcp_socket name_connect;
 can_ypbind(initrc_t)
 type initrc_exec_t, file_type, sysadmfile, exec_type;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.4/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/mount.te	2005-03-22 13:15:17.428871544 -0500
@@ -62,9 +62,12 @@
 
 allow mount_t root_t:filesystem unmount;
 
+can_portmap(mount_t)
+
 ifdef(`portmap.te', `
 # for nfs
 can_network(mount_t)
+allow mount_t port_type:tcp_socket name_connect;
 can_ypbind(mount_t)
 allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
 allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.23.4/domains/program/netutils.te
--- nsapolicy/domains/program/netutils.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/netutils.te	2005-03-22 12:36:49.000000000 -0500
@@ -16,6 +16,7 @@
 
 uses_shlib(netutils_t)
 can_network(netutils_t)
+allow netutils_t port_type:tcp_socket name_connect;
 can_ypbind(netutils_t)
 tmp_domain(netutils)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.4/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/ssh.te	2005-03-22 12:36:49.000000000 -0500
@@ -69,6 +69,7 @@
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
 
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.4/domains/program/unused/amavis.te
--- nsapolicy/domains/program/unused/amavis.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/amavis.te	2005-03-22 12:36:49.000000000 -0500
@@ -27,6 +27,7 @@
 
 # networking
 can_network(amavisd_t)
+allow amavisd_t port_type:tcp_socket name_connect;
 can_ypbind(amavisd_t);
 can_tcp_connect(mail_server_sender, amavisd_t);
 can_tcp_connect(amavisd_t, mail_server_domain)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.4/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.4/domains/program/unused/apache.te	2005-03-22 12:36:49.000000000 -0500
@@ -42,6 +42,9 @@
 # Allow http daemon to communicate with the TTY
 bool httpd_tty_comm false;
 
+# Allow http daemon to tcp connect 
+bool httpd_can_network_connect false;
+
 #########################################################
 # Apache types
 #########################################################
@@ -119,7 +122,11 @@
 allow httpd_suexec_t bin_t:lnk_file read;
 can_exec(httpd_suexec_t, { bin_t shell_exec_t })
 
+if (httpd_can_network_connect) {
 can_network(httpd_suexec_t)
+allow httpd_suexec_t port_type:tcp_socket name_connect;
+}
+
 can_ypbind(httpd_suexec_t)
 allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
 
@@ -145,6 +152,7 @@
 allow httpd_t bin_t:lnk_file read;
 
 can_network(httpd_t)
+allow httpd_t port_type:tcp_socket name_connect;
 can_ypbind(httpd_t)
 
 ###################
@@ -352,3 +360,8 @@
 allow httpd_sys_script_t var_lib_t:dir search;
 dontaudit httpd_t selinux_config_t:dir search;
 r_dir_file(httpd_t, cert_t)
+
+type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
+type httpd_unconfined_t, domain;
+unconfined_domain(httpd_unconfined_t)
+domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.23.4/domains/program/unused/backup.te
--- nsapolicy/domains/program/unused/backup.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/backup.te	2005-03-22 12:36:49.000000000 -0500
@@ -27,6 +27,7 @@
 allow backup_t urandom_device_t:chr_file read;
 
 can_network_client(backup_t)
+allow backup_t port_type:tcp_socket name_connect;
 can_ypbind(backup_t)
 uses_shlib(backup_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.23.4/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/canna.te	2005-03-22 12:36:49.000000000 -0500
@@ -29,6 +29,7 @@
 rw_dir_create_file(canna_t, canna_var_lib_t)
 
 can_network_tcp(canna_t)
+allow canna_t port_type:tcp_socket name_connect;
 can_ypbind(canna_t)
 
 allow userdomain canna_var_run_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clockspeed.te policy-1.23.4/domains/program/unused/clockspeed.te
--- nsapolicy/domains/program/unused/clockspeed.te	2005-03-15 12:54:54.000000000 -0500
+++ policy-1.23.4/domains/program/unused/clockspeed.te	2005-03-22 12:36:49.000000000 -0500
@@ -8,6 +8,7 @@
 daemon_base_domain(clockspeed)
 var_lib_domain(clockspeed)
 can_network(clockspeed_t)
+allow clockspeed_t port_type:tcp_socket name_connect;
 read_locale(clockspeed_t)
 
 allow clockspeed_t self:capability { sys_time net_bind_service };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.4/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-03-21 22:32:18.000000000 -0500
+++ policy-1.23.4/domains/program/unused/cups.te	2005-03-22 12:36:49.000000000 -0500
@@ -19,6 +19,7 @@
 typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
 
 can_network(cupsd_t)
+allow cupsd_t port_type:tcp_socket name_connect;
 logdir_domain(cupsd)
 
 tmp_domain(cupsd)
@@ -200,6 +201,7 @@
 file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 
 can_network_tcp(cupsd_config_t)
+allow cupsd_config_t port_type:tcp_socket name_connect;
 can_tcp_connect(cupsd_config_t, cupsd_t)
 allow cupsd_config_t self:fifo_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.23.4/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/cyrus.te	2005-03-22 12:36:49.000000000 -0500
@@ -18,6 +18,7 @@
 allow initrc_su_t cyrus_var_lib_t:dir search;
 
 can_network(cyrus_t)
+allow cyrus_t port_type:tcp_socket name_connect;
 can_ypbind(cyrus_t)
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.23.4/domains/program/unused/ddclient.te
--- nsapolicy/domains/program/unused/ddclient.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/ddclient.te	2005-03-22 12:36:49.000000000 -0500
@@ -32,6 +32,7 @@
 
 # network-related goodies
 can_network_client(ddclient_t)
+allow ddclient_t port_type:tcp_socket name_connect;
 allow ddclient_t self:unix_dgram_socket create_socket_perms;
 allow ddclient_t self:unix_stream_socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/devfsd.te policy-1.23.4/domains/program/unused/devfsd.te
--- nsapolicy/domains/program/unused/devfsd.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/devfsd.te	2005-03-22 12:36:49.000000000 -0500
@@ -90,4 +90,5 @@
 
 # for nss-ldap etc
 can_network_client_tcp(devfsd_t)
+allow devfsd_t port_type:tcp_socket name_connect;
 can_ypbind(devfsd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.4/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2005-03-21 22:32:18.000000000 -0500
+++ policy-1.23.4/domains/program/unused/dhcpc.te	2005-03-22 12:36:49.000000000 -0500
@@ -23,6 +23,7 @@
 allow dhcpc_t urandom_device_t:chr_file read;
 
 can_network(dhcpc_t)
+allow dhcpc_t port_type:tcp_socket name_connect;
 can_ypbind(dhcpc_t)
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.23.4/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/dhcpd.te	2005-03-22 12:36:49.000000000 -0500
@@ -30,6 +30,7 @@
 
 # Use the network.
 can_network(dhcpd_t)
+allow dhcpd_t port_type:tcp_socket name_connect;
 can_ypbind(dhcpd_t)
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/djbdns.te policy-1.23.4/domains/program/unused/djbdns.te
--- nsapolicy/domains/program/unused/djbdns.te	2005-03-15 12:54:54.000000000 -0500
+++ policy-1.23.4/domains/program/unused/djbdns.te	2005-03-22 12:36:49.000000000 -0500
@@ -15,6 +15,7 @@
 domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
 svc_ipc_domain(djbdns_$1_t)
 can_network(djbdns_$1_t)
+allow djbdns_$1_t port_type:tcp_socket name_connect;
 allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
 allow djbdns_$1_t port_t:udp_socket name_bind;
 r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.23.4/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2005-03-21 22:32:18.000000000 -0500
+++ policy-1.23.4/domains/program/unused/dovecot.te	2005-03-22 12:36:49.000000000 -0500
@@ -20,6 +20,7 @@
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 allow dovecot_t self:process setrlimit;
 can_network_tcp(dovecot_t)
+allow dovecot_t port_type:tcp_socket name_connect;
 can_ypbind(dovecot_t)
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dpkg.te policy-1.23.4/domains/program/unused/dpkg.te
--- nsapolicy/domains/program/unused/dpkg.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/dpkg.te	2005-03-22 12:36:49.000000000 -0500
@@ -322,6 +322,7 @@
 allow apt_t self:process { signal sigchld fork };
 allow apt_t sysadm_t:process sigchld;
 can_network({ apt_t dpkg_t })
+allow { apt_t dpkg_t } port_type:tcp_socket name_connect;
 can_ypbind({ apt_t dpkg_t })
 
 allow { apt_t dpkg_t } var_t:dir { search getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fetchmail.te policy-1.23.4/domains/program/unused/fetchmail.te
--- nsapolicy/domains/program/unused/fetchmail.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/fetchmail.te	2005-03-22 12:36:49.000000000 -0500
@@ -18,6 +18,8 @@
 
 # network-related goodies
 can_network(fetchmail_t)
+allow fetchmail_t port_type:tcp_socket name_connect;
+
 allow fetchmail_t self:unix_dgram_socket create_socket_perms;
 allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.23.4/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/ftpd.te	2005-03-22 12:36:49.000000000 -0500
@@ -16,6 +16,7 @@
 typealias ftpd_etc_t alias etc_ftpd_t;
 
 can_network(ftpd_t)
+allow ftpd_t port_type:tcp_socket name_connect;
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.23.4/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/i18n_input.te	2005-03-22 12:36:49.000000000 -0500
@@ -10,6 +10,7 @@
 
 can_exec(i18n_input_t, i18n_input_exec_t)
 can_network(i18n_input_t)
+allow i18n_input_t port_type:tcp_socket name_connect;
 can_ypbind(i18n_input_t)
 
 can_tcp_connect(userdomain, i18n_input_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.23.4/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/inetd.te	2005-03-22 12:36:49.000000000 -0500
@@ -20,6 +20,7 @@
 daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
+allow inetd_t port_type:tcp_socket name_connect;
 allow inetd_t self:unix_dgram_socket create_socket_perms;
 allow inetd_t self:unix_stream_socket create_socket_perms;
 allow inetd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.23.4/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/innd.te	2005-03-22 12:36:49.000000000 -0500
@@ -29,6 +29,7 @@
 allow innd_t var_spool_t:dir { getattr search };
 
 can_network(innd_t)
+allow innd_t port_type:tcp_socket name_connect;
 can_ypbind(innd_t)
 
 can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.23.4/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/lpd.te	2005-03-22 12:36:49.000000000 -0500
@@ -37,6 +37,7 @@
 role system_r types checkpc_t;
 uses_shlib(checkpc_t)
 can_network_client(checkpc_t)
+allow checkpc_t port_type:tcp_socket name_connect;
 can_ypbind(checkpc_t)
 log_domain(checkpc)
 type checkpc_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.23.4/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/mailman.te	2005-03-22 12:36:49.000000000 -0500
@@ -30,6 +30,7 @@
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
+allow mailman_$1_t port_type:tcp_socket name_connect;
 can_ypbind(mailman_$1_t)
 allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mrtg.te policy-1.23.4/domains/program/unused/mrtg.te
--- nsapolicy/domains/program/unused/mrtg.te	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.4/domains/program/unused/mrtg.te	2005-03-22 12:36:49.000000000 -0500
@@ -32,6 +32,7 @@
 
 # Use the network.
 can_network_client(mrtg_t)
+allow mrtg_t port_type:tcp_socket name_connect;
 can_ypbind(mrtg_t)
 
 allow mrtg_t self:fifo_file { getattr read write ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.23.4/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/named.te	2005-03-22 12:36:49.000000000 -0500
@@ -54,6 +54,7 @@
 
 #Named can use network
 can_network(named_t)
+allow named_t port_type:tcp_socket name_connect;
 can_ypbind(named_t)
 # allow UDP transfer to/from any program
 can_udp_send(domain, named_t)
@@ -103,6 +104,7 @@
 domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
 uses_shlib(ndc_t)
 can_network_client_tcp(ndc_t)
+allow ndc_t port_type:tcp_socket name_connect;
 can_ypbind(ndc_t)
 can_resolve(ndc_t)
 read_locale(ndc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nessusd.te policy-1.23.4/domains/program/unused/nessusd.te
--- nsapolicy/domains/program/unused/nessusd.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/nessusd.te	2005-03-22 12:36:49.000000000 -0500
@@ -23,6 +23,7 @@
 
 # Use the network.
 can_network(nessusd_t)
+allow nessusd_t port_type:tcp_socket name_connect;
 can_ypbind(nessusd_t)
 allow nessusd_t self:unix_stream_socket create_socket_perms;
 #allow nessusd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.23.4/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/nscd.te	2005-03-22 12:36:49.000000000 -0500
@@ -23,6 +23,7 @@
 allow nscd_t etc_t:file r_file_perms;
 allow nscd_t etc_t:lnk_file read;
 can_network_client(nscd_t)
+allow nscd_t port_type:tcp_socket name_connect;
 can_ypbind(nscd_t)
 
 file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nsd.te policy-1.23.4/domains/program/unused/nsd.te
--- nsapolicy/domains/program/unused/nsd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/nsd.te	2005-03-22 12:36:49.000000000 -0500
@@ -20,6 +20,7 @@
 role system_r types nsd_crond_t;
 uses_shlib(nsd_crond_t)
 can_network_client(nsd_crond_t)
+allow nsd_crond_t port_type:tcp_socket name_connect;
 can_ypbind(nsd_crond_t)
 allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
 allow nsd_crond_t self:process { fork signal_perms };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.4/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/ntpd.te	2005-03-22 12:36:49.000000000 -0500
@@ -41,6 +41,7 @@
 
 # Use the network.
 can_network(ntpd_t)
+allow ntpd_t port_type:tcp_socket name_connect;
 can_ypbind(ntpd_t)
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nx_server.te policy-1.23.4/domains/program/unused/nx_server.te
--- nsapolicy/domains/program/unused/nx_server.te	2005-03-15 12:54:54.000000000 -0500
+++ policy-1.23.4/domains/program/unused/nx_server.te	2005-03-22 12:36:49.000000000 -0500
@@ -46,6 +46,7 @@
 ssh_domain(nx_server)
 
 can_network_client(nx_server_t)
+allow nx_server_t port_type:tcp_socket name_connect;
 
 allow nx_server_t devtty_t:chr_file { read write };
 allow nx_server_t sysctl_kernel_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.23.4/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/ping.te	2005-03-22 12:36:49.000000000 -0500
@@ -32,6 +32,7 @@
 
 uses_shlib(ping_t)
 can_network_client(ping_t)
+allow ping_t port_type:tcp_socket name_connect;
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.23.4/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/portmap.te	2005-03-22 12:36:49.000000000 -0500
@@ -14,12 +14,11 @@
 daemon_domain(portmap, `, nscd_client_domain')
 
 can_network(portmap_t)
+allow portmap_t port_type:tcp_socket name_connect;
 can_ypbind(portmap_t)
 allow portmap_t self:unix_dgram_socket create_socket_perms;
 allow portmap_t self:unix_stream_socket create_stream_socket_perms;
 
-type portmap_port_t, port_type, reserved_port_type;
-
 tmp_domain(portmap)
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
@@ -62,6 +61,7 @@
 allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
 allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 can_network(portmap_helper_t)
+allow portmap_helper_t port_type:tcp_socket name_connect;
 can_ypbind(portmap_helper_t)
 dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
 allow portmap_helper_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.23.4/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/postfix.te	2005-03-22 12:36:49.000000000 -0500
@@ -120,6 +120,7 @@
 allow postfix_master_t postfix_private_t:sock_file create_file_perms;
 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
 can_network(postfix_master_t)
+allow postfix_master_t port_type:tcp_socket name_connect;
 can_ypbind(postfix_master_t)
 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
@@ -155,6 +156,7 @@
 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 allow postfix_$1_t self:capability { setuid setgid dac_override };
 can_network_client(postfix_$1_t)
+allow postfix_$1_t port_type:tcp_socket name_connect;
 can_ypbind(postfix_$1_t)
 ')
 
@@ -345,5 +347,6 @@
 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 dontaudit postfix_map_t var_t:dir search;
 can_network_server(postfix_map_t)
+allow postfix_map_t port_type:tcp_socket name_connect;
 allow postfix_local_t mail_spool_t:dir { remove_name };
 allow postfix_local_t mail_spool_t:file { unlink };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.23.4/domains/program/unused/privoxy.te
--- nsapolicy/domains/program/unused/privoxy.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/privoxy.te	2005-03-22 12:36:49.000000000 -0500
@@ -17,6 +17,7 @@
 
 # Use the network.
 can_network(privoxy_t)
+allow privoxy_t port_type:tcp_socket name_connect;
 allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
 allow privoxy_t etc_t:file { getattr read };
 allow privoxy_t self:capability { setgid setuid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.23.4/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/rhgb.te	2005-03-22 12:36:49.000000000 -0500
@@ -40,6 +40,7 @@
 dontaudit rhgb_t var_run_t:dir search;
 
 can_network_client(rhgb_t)
+allow rhgb_t port_type:tcp_socket name_connect;
 can_ypbind(rhgb_t)
 
 # for fonts
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.23.4/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.4/domains/program/unused/rpcd.te	2005-03-22 12:36:49.000000000 -0500
@@ -13,6 +13,7 @@
 define(`rpc_domain', `
 daemon_base_domain($1)
 can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
 can_ypbind($1_t)
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.23.4/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/rpm.te	2005-03-22 12:36:49.000000000 -0500
@@ -31,6 +31,7 @@
 log_domain(rpm)
 
 can_network(rpm_t)
+allow rpm_t port_type:tcp_socket name_connect;
 can_ypbind(rpm_t)
 
 # Allow the rpm domain to execute other programs
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.4/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/samba.te	2005-03-22 12:36:49.000000000 -0500
@@ -153,6 +153,7 @@
 
 # Networking
 can_network(smbmount_t)
+allow smbmount_t port_type:tcp_socket name_connect;
 can_ypbind(smbmount_t)
 allow smbmount_t self:unix_dgram_socket create_socket_perms;
 allow smbmount_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.23.4/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/sendmail.te	2005-03-22 12:36:49.000000000 -0500
@@ -26,6 +26,7 @@
 
 # Use the network.
 can_network(sendmail_t)
+allow sendmail_t port_type:tcp_socket name_connect;
 can_ypbind(sendmail_t)
 
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.23.4/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/slapd.te	2005-03-22 13:20:35.314545576 -0500
@@ -12,7 +12,6 @@
 #
 daemon_domain(slapd)
 
-type ldap_port_t, port_type, reserved_port_type;
 allow slapd_t ldap_port_t:tcp_socket name_bind;
 
 etc_domain(slapd)
@@ -24,6 +23,7 @@
 
 # Use the network.
 can_network(slapd_t)
+allow slapd_t port_type:tcp_socket name_connect;
 can_ypbind(slapd_t)
 allow slapd_t self:fifo_file { read write };
 allow slapd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.4/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/squid.te	2005-03-22 12:36:49.000000000 -0500
@@ -53,6 +53,7 @@
 
 # Use the network
 can_network(squid_t)
+allow squid_t port_type:tcp_socket name_connect;
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/stunnel.te policy-1.23.4/domains/program/unused/stunnel.te
--- nsapolicy/domains/program/unused/stunnel.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/stunnel.te	2005-03-22 12:36:49.000000000 -0500
@@ -8,6 +8,7 @@
 daemon_domain(stunnel)
 
 can_network(stunnel_t)
+allow stunnel_t port_type:tcp_socket name_connect;
 
 allow stunnel_t self:capability { setgid setuid sys_chroot };
 allow stunnel_t self:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/traceroute.te policy-1.23.4/domains/program/unused/traceroute.te
--- nsapolicy/domains/program/unused/traceroute.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/traceroute.te	2005-03-22 12:36:49.000000000 -0500
@@ -19,6 +19,7 @@
 in_user_role(traceroute_t)
 uses_shlib(traceroute_t)
 can_network_client(traceroute_t)
+allow traceroute_t port_type:tcp_socket name_connect;
 can_ypbind(traceroute_t)
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ucspi-tcp.te policy-1.23.4/domains/program/unused/ucspi-tcp.te
--- nsapolicy/domains/program/unused/ucspi-tcp.te	2005-03-15 12:54:54.000000000 -0500
+++ policy-1.23.4/domains/program/unused/ucspi-tcp.te	2005-03-22 12:36:49.000000000 -0500
@@ -9,6 +9,7 @@
 
 daemon_base_domain(utcpserver)
 can_network(utcpserver_t)
+allow utcpserver_t port_type:tcp_socket name_connect;
 
 #reads /etc/nsswitch.conf and resolv.conf
 allow utcpserver_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/uwimapd.te policy-1.23.4/domains/program/unused/uwimapd.te
--- nsapolicy/domains/program/unused/uwimapd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/uwimapd.te	2005-03-22 12:36:49.000000000 -0500
@@ -9,6 +9,7 @@
 tmp_domain(imapd)
 
 can_network_server_tcp(imapd_t)
+allow imapd_t port_type:tcp_socket name_connect;
 
 #declare our own services
 allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.23.4/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/vpnc.te	2005-03-22 12:36:49.000000000 -0500
@@ -16,6 +16,7 @@
 
 # Use the network.
 can_network(vpnc_t)
+allow vpnc_t port_type:tcp_socket name_connect;
 can_ypbind(vpnc_t)
 allow vpnc_t self:socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/watchdog.te policy-1.23.4/domains/program/unused/watchdog.te
--- nsapolicy/domains/program/unused/watchdog.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/watchdog.te	2005-03-22 12:36:49.000000000 -0500
@@ -24,6 +24,7 @@
 allow watchdog_t self:fifo_file rw_file_perms;
 allow watchdog_t self:unix_stream_socket create_socket_perms;
 can_network(watchdog_t)
+allow watchdog_t port_type:tcp_socket name_connect;
 can_ypbind(watchdog_t)
 allow watchdog_t bin_t:dir search;
 allow watchdog_t bin_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.23.4/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/winbind.te	2005-03-22 12:36:49.000000000 -0500
@@ -13,6 +13,7 @@
 allow winbind_t etc_t:file r_file_perms;
 allow winbind_t etc_t:lnk_file read;
 can_network(winbind_t)
+allow winbind_t port_type:tcp_socket name_connect;
 ifdef(`samba.te', `', `
 type samba_etc_t, file_type, sysadmfile, usercanread;
 type samba_log_t, file_type, sysadmfile, logfile;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.4/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/xdm.te	2005-03-22 12:36:49.000000000 -0500
@@ -46,6 +46,7 @@
 allow xdm_t default_context_t:{ file lnk_file } { read getattr };
 
 can_network(xdm_t)
+allow xdm_t port_type:tcp_socket name_connect;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.23.4/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.4/domains/program/unused/ypbind.te	2005-03-22 12:36:49.000000000 -0500
@@ -20,6 +20,7 @@
 
 # Use the network.
 can_network(ypbind_t)
+allow ypbind_t port_type:tcp_socket name_connect;
 allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
 
 allow ypbind_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/flask/access_vectors policy-1.23.4/flask/access_vectors
--- nsapolicy/flask/access_vectors	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.4/flask/access_vectors	2005-03-22 12:36:49.000000000 -0500
@@ -161,6 +161,7 @@
 	newconn
 	acceptfrom
 	node_bind
+	name_connect
 }
 
 class udp_socket
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.4/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-03-15 08:02:24.000000000 -0500
+++ policy-1.23.4/macros/base_user_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -213,6 +213,7 @@
 
 # Use the network.
 can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
 can_ypbind($1_t)
 
 ifdef(`pamconsole.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.4/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/global_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -679,6 +679,7 @@
 allow $1 node_type:node *;
 allow $1 netif_type:netif *;
 allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
+allow $1 port_type:tcp_socket name_connect;
 
 # Bind to any network address.
 allow $1 port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.23.4/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.4/macros/network_macros.te	2005-03-22 13:16:42.530934064 -0500
@@ -155,14 +155,18 @@
 ')dnl end can_network definition
 
 define(`can_resolve',`
-ifdef(`use_dns',`
 can_network_udp($1, `dns_port_t')
 ')
+
+define(`can_portmap',`
+can_network_client($1, `portmap_port_t')
+allow $1 portmap_port_t:tcp_socket name_connect;
 ')
 
 define(`can_ldap',`
 ifdef(`slapd.te',`
 can_network_client_tcp($1, `ldap_port_t')
+allow $1 ldap_port_t:tcp_socket name_connect;
 ')
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.4/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/program/apache_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -29,7 +29,6 @@
 allow httpd_$1_script_t httpd_t:fd use;
 allow httpd_$1_script_t httpd_t:process sigchld;
 
-can_network(httpd_$1_script_t)
 allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
 allow httpd_$1_script_t usr_t:lnk_file { getattr read };
 
@@ -49,6 +48,12 @@
 allow httpd_$1_script_t device_t:dir { getattr search };
 allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
 }
+
+if (httpd_enable_cgi && httpd_can_network_connect) {
+can_network(httpd_$1_script_t)
+allow httpd_$1_script_t port_type:tcp_socket name_connect;
+}
+
 ifdef(`ypbind.te', `
 if (httpd_enable_cgi && allow_ypbind) {
 uncond_can_ypbind(httpd_$1_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chroot_macros.te policy-1.23.4/macros/program/chroot_macros.te
--- nsapolicy/macros/program/chroot_macros.te	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.4/macros/program/chroot_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -119,6 +119,7 @@
 can_create_pty($2)
 can_create_pty($2_super)
 can_network({ $2_t $2_super_t })
+allow { $2_t $2_super_t } port_type:tcp_socket name_connect;
 allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
 allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
 allow { $2_t $2_super_t } self:capability { dac_override kill };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crond_macros.te policy-1.23.4/macros/program/crond_macros.te
--- nsapolicy/macros/program/crond_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/program/crond_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -67,6 +67,7 @@
 
 # This domain is granted permissions common to most domains.
 can_network($1_crond_t)
+allow $1_crond_t port_type:tcp_socket name_connect;
 can_ypbind($1_crond_t)
 r_dir_file($1_crond_t, self)
 allow $1_crond_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.4/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.4/macros/program/gift_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -34,6 +34,7 @@
 
 # Connect to gift daemon
 can_network($1_gift_t)
+allow $1_gift_t port_type:tcp_socket name_connect;
 
 # Read /proc/meminfo
 allow $1_gift_t proc_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.23.4/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/program/gpg_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -25,6 +25,7 @@
 domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
 
 can_network($1_gpg_t)
+allow $1_gpg_t port_type:tcp_socket name_connect;
 can_ypbind($1_gpg_t)
 
 # for a bug in kmail
@@ -130,6 +131,7 @@
 allow $1_gpg_helper_t $1_t:fifo_file write;
 # get keys from the network
 can_network_client($1_gpg_helper_t)
+allow $1_gpg_helper_t port_type:tcp_socket name_connect;
 allow $1_gpg_helper_t etc_t:file { getattr read };
 allow $1_gpg_helper_t urandom_device_t:chr_file read;
 allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.23.4/macros/program/irc_macros.te
--- nsapolicy/macros/program/irc_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/program/irc_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -46,6 +46,7 @@
 
 # Use the network.
 can_network_client($1_irc_t)
+allow $1_irc_t port_type:tcp_socket name_connect;
 can_ypbind($1_irc_t)
 
 allow $1_irc_t usr_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.4/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/program/java_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -29,6 +29,7 @@
 
 # This domain is granted permissions common to most domains (including can_net)
 can_network_client($1_javaplugin_t)
+allow $1_javaplugin_t port_type:tcp_socket name_connect;
 can_ypbind($1_javaplugin_t)
 allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
 allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.23.4/macros/program/kerberos_macros.te
--- nsapolicy/macros/program/kerberos_macros.te	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.4/macros/program/kerberos_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -2,6 +2,7 @@
 ifdef(`kerberos.te',`
 if (allow_kerberos) {
 can_network_client($1, `kerberos_port_t')
+allow $1 kerberos_port_t:tcp_socket name_connect;
 can_resolve($1)
 }
 ') dnl kerberos.te
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.23.4/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.4/macros/program/lpr_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -35,6 +35,7 @@
 
 # This domain is granted permissions common to most domains (including can_net)
 can_network_client($1_lpr_t)
+allow $1_lpr_t port_type:tcp_socket name_connect;
 can_ypbind($1_lpr_t)
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.23.4/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.4/macros/program/mta_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -34,6 +34,7 @@
 
 uses_shlib($1_mail_t)
 can_network_client_tcp($1_mail_t)
+allow $1_mail_t port_type:tcp_socket name_connect;
 can_resolve($1_mail_t)
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.23.4/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2005-03-21 22:32:20.000000000 -0500
+++ policy-1.23.4/macros/program/screen_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -81,6 +81,7 @@
 
 allow $1_screen_t tmp_t:dir search;
 can_network($1_screen_t)
+allow $1_screen_t port_type:tcp_socket name_connect;
 can_ypbind($1_screen_t)
 
 # get stats
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.23.4/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/program/spamassassin_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -86,6 +86,7 @@
 # set tunable if you have spamassassin do DNS lookups
 if (spamassasin_can_network) {
 can_network($1_spamassassin_t)
+allow $1_spamassassin_t port_type:tcp_socket name_connect;
 }
 if (spamassasin_can_network && allow_ypbind) {
 uncond_can_ypbind($1_spamassassin_t)
@@ -96,6 +97,7 @@
 ifdef(`spamc.te',`
 spamassassin_program_domain($1, spamc)
 can_network($1_spamc_t)
+allow $1_spamc_t port_type:tcp_socket name_connect;
 can_ypbind($1_spamc_t)
 
 # Allow connecting to a local spamd
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.4/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/program/ssh_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -80,6 +80,7 @@
 # Grant permissions needed to create TCP and UDP sockets and
 # to access the network.
 can_network_client_tcp($1_ssh_t)
+allow $1_ssh_t port_type:tcp_socket name_connect;
 can_resolve($1_ssh_t)
 can_ypbind($1_ssh_t)
 can_kerberos($1_ssh_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.23.4/macros/program/uml_macros.te
--- nsapolicy/macros/program/uml_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/program/uml_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -91,6 +91,7 @@
 
 # Use the network.
 can_network($1_uml_t)
+allow $1_uml_t port_type:tcp_socket name_connect;
 can_ypbind($1_uml_t)
 
 # for xterm
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.4/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-03-21 22:32:20.000000000 -0500
+++ policy-1.23.4/macros/program/x_client_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -45,6 +45,7 @@
 
 # This domain is granted permissions common to most domains (including can_net)
 can_network($1_$2_t)
+allow $1_$2_t port_type:tcp_socket name_connect;
 can_ypbind($1_$2_t)
 allow $1_$2_t self:process { fork signal_perms getsched };
 allow $1_$2_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.23.4/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.4/macros/program/xserver_macros.te	2005-03-22 12:36:49.000000000 -0500
@@ -57,6 +57,7 @@
 }
 
 can_network($1_xserver_t)
+allow $1_xserver_t port_type:tcp_socket name_connect;
 can_ypbind($1_xserver_t)
 allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
 
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.4/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.4/man/man8/httpd_selinux.8	2005-03-22 12:36:49.000000000 -0500
@@ -36,8 +36,13 @@
 httpd_sys_script_ra_t 
 .br
 - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
-.SH NOTE
 
+httpd_unconfined_script_exec_t  
+.br 
+- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options.  It is better to use this script rather than turning off SELinux protection for httpd.
+.br
+
+.SH NOTE
 With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
 
 .SH BOOLEANS
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.4/net_contexts
--- nsapolicy/net_contexts	2005-03-17 10:18:56.000000000 -0500
+++ policy-1.23.4/net_contexts	2005-03-22 13:17:58.111444080 -0500
@@ -49,10 +49,9 @@
 portcon tcp 465 system_u:object_r:smtp_port_t
 portcon tcp 587 system_u:object_r:smtp_port_t
 ')
-ifdef(`use_dns', `
 portcon udp 53 system_u:object_r:dns_port_t
 portcon tcp 53 system_u:object_r:dns_port_t
-')
+
 ifdef(`use_dhcpd', `portcon udp 67  system_u:object_r:dhcpd_port_t')
 ifdef(`dhcpc.te', `portcon udp 68  system_u:object_r:dhcpc_port_t')
 ifdef(`tftpd.te', `portcon udp 69  system_u:object_r:tftp_port_t')
@@ -66,10 +65,9 @@
 portcon tcp 109 system_u:object_r:pop_port_t
 portcon tcp 110 system_u:object_r:pop_port_t
 ')
-ifdef(`portmap.te', `
 portcon udp 111 system_u:object_r:portmap_port_t
 portcon tcp 111 system_u:object_r:portmap_port_t
-')
+
 ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
 ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
 ifdef(`samba.te', `
@@ -93,12 +91,12 @@
 ifdef(`comsat.te', `
 portcon udp 512 system_u:object_r:comsat_port_t
 ')
-ifdef(`slapd.te', `
+
 portcon tcp 389 system_u:object_r:ldap_port_t
 portcon udp 389 system_u:object_r:ldap_port_t
 portcon tcp 636 system_u:object_r:ldap_port_t
 portcon udp 636 system_u:object_r:ldap_port_t
-')
+
 ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
 ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
 ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.4/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.4/tunables/distro.tun	2005-03-22 12:36:49.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.4/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.4/tunables/tunable.tun	2005-03-22 12:36:49.000000000 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.4/types/file.te
--- nsapolicy/types/file.te	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.4/types/file.te	2005-03-22 12:36:49.000000000 -0500
@@ -271,15 +271,15 @@
 # the default file system type.
 #
 allow { file_type device_type ttyfile } fs_t:filesystem associate;
-ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
-')
 
 # Allow the pty to be associated with the file system.
 allow devpts_t self:filesystem associate;
 
 type tmpfs_t, file_type, sysadmfile, fs_type;
-allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
+allow { tmpfs_t tmpfile } tmpfs_t:filesystem associate;
+ifdef(`distro_redhat', `
+allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
+')
 
 type autofs_t, fs_type, noexattrfile, sysadmfile;
 allow autofs_t self:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.4/types/network.te
--- nsapolicy/types/network.te	2005-03-17 10:18:58.000000000 -0500
+++ policy-1.23.4/types/network.te	2005-03-22 13:21:11.619026456 -0500
@@ -22,14 +22,7 @@
 #
 # Defines used by the te files need to be defined outside of net_constraints
 #
-ifdef(`named.te', `define(`use_dns')')
-ifdef(`nsd.te', `define(`use_dns')')
-ifdef(`tinydns.te', `define(`use_dns')')
-ifdef(`dnsmasq.te', `define(`use_dns')')
-ifdef(`djbdns.te', `define(`use_dns')')
-ifdef(`use_dns', `
 type dns_port_t, port_type;
-')
 
 ifdef(`dhcpd.te', `define(`use_dhcpd')')
 ifdef(`dnsmasq.te', `define(`use_dhcpd')')
@@ -82,6 +75,16 @@
 type kerberos_master_port_t, port_type;
 
 #
+# Ports used to communicate with portmap server
+#
+type portmap_port_t, port_type, reserved_port_type;
+
+#
+# Ports used to communicate with ldap server
+#
+type ldap_port_t, port_type, reserved_port_type;
+
+#
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
 # numbers in net_contexts or net_contexts.mls.

^ permalink raw reply	[flat|nested] 19+ messages in thread
* Latest Diff
@ 2005-05-19 18:51 Daniel J Walsh
  2005-05-19 21:36 ` Ivan Gyurdiev
  0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2005-05-19 18:51 UTC (permalink / raw)
  To: SELinux, Jim Carter

[-- Attachment #1: Type: text/plain, Size: 1977 bytes --]

Added attribute privkmsg for all domains that need to read kernel messages.

Added secadmfile for all files that only the secadm_r can deal with.

Added From Ivan:
        mount_point attribute to indicate files/directories that can be 
mounted on.
        read_fonts
        fontconfig
        getattr patches
        gift patches



Added several fixes from Russell
        Procmail, setfiles from initrc,
        lost+found changes

Changed a bunch of ":file read" -> ":file {getattr read }"

Don't transition to depmod from uncofined_t for targeted

ssh needs to be able to append to faillog, Needs to check shells in /sbin

Remove use_syslogng boolean.

Multiple fixes to amanda.

Fixes to anaconda domain so it will run in targeted policy

Allow httpd_suexec_t to run on homedirs.

Allow acpid to write to /proc/power

Fixes to automout domain

Move ipp_port_t into common area so other domains can work with it.

Rearrange cups.te ifdef(`hald.te', `  ...

Add ddcprobe.te

Fix move of cert file to /etc/pki and fix ability for certain domains to 
read cert files.

Fix ftpd.te (Needed ability to rw home dirs and auth_control capability)

Remove some "user_" domain stuff that leaked into domains/program tree.

Hal needs more privs.

Hotplug needs more privs

Many fixes for lvm.te to make lvm work.  Also added clvmd domain.

Allow mysql to setsched

Fixes for gssd domain (needs setuid and access to rpc_pipefs)

smb needs to communicate with cups.

Move

-file_type_auto_trans(sysadm_xauth_t, staff_home_dir_t, staff_home_xauth_t)

to

user.te

Handle creation of flag files in /  (poweroff, .autorelabel, .autofsck ...)
 
Change
+/etc/sysconfig/network-scripts/ifcfg-.+ -- system_u:object_r:net_conf_t

So that NetworkManager can rewrite them.

Fixes for bluetooth

Got a little more liberal with definitions of shlib_t under /usr/lib, 
/opt and /usr/local

Fix some of the man pages

Allow snmpd to read /proc/XXX/cmdline




































-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 97726 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.23.16/assert.te
--- nsapolicy/assert.te	2005-04-27 10:28:48.000000000 -0400
+++ policy-1.23.16/assert.te	2005-05-18 15:50:12.000000000 -0400
@@ -75,13 +75,7 @@
 #
 # Verify that /proc/kmsg is only accessible to klogd.
 #
-ifdef(`klogd.te', `
-neverallow {domain -klogd_t -unrestricted } proc_kmsg_t:file ~stat_file_perms;
-', `
-ifdef(`syslogd.te', `
-neverallow {domain -syslogd_t -unrestricted } proc_kmsg_t:file ~stat_file_perms;
-')dnl end if syslogd
-')dnl end if klogd
+neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
 
 #
 # Verify that /proc/kcore is inaccessible.
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.16/attrib.te
--- nsapolicy/attrib.te	2005-05-07 00:41:08.000000000 -0400
+++ policy-1.23.16/attrib.te	2005-05-18 15:50:12.000000000 -0400
@@ -121,6 +121,13 @@
 # tagged with this attribute.
 attribute privmem;
 
+# The privkmsg attribute identifies every domain that can 
+# read kernel messages (/proc/kmsg)
+# This attribute is used in the TE assertions to verify
+# that such access is limited to domains that are explicitly
+# tagged with this attribute.
+attribute privkmsg;
+
 # The privfd attribute identifies every domain that should have
 # file handles inherited widely (IE sshd_t and getty_t).
 attribute privfd;
@@ -258,6 +265,11 @@
 # in TE rules to grant such access for administrator domains.
 attribute sysadmfile;
 
+# The secadmfile attribute identifies all types assigned to files 
+# that should be only accessible to security administrators.  It is used
+# in TE rules to grant such access for security administrator domains.
+attribute secadmfile;
+
 # The fs_type attribute identifies all types assigned to filesystems
 # (not limited to persistent filesystems).
 # It is used in TE rules to permit certain domains to mount
@@ -265,6 +277,12 @@
 # overall filesystem statistics.
 attribute fs_type;
 
+# The mount_point attribute identifies all types that can serve
+# as a mount point (for the mount binary). It is used in the mount 
+# policy to grant mounton permission, and in other domains to grant 
+# getattr permission over all the mount points.
+attribute mount_point;
+
 # The exec_type attribute identifies all types assigned
 # to entrypoint executables for domains.  This attribute is 
 # used in TE rules and assertions that should be applied to all 
diff --exclude-from=exclude -N -u -r nsapolicy/constraints policy-1.23.16/constraints
--- nsapolicy/constraints	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.16/constraints	2005-05-18 15:50:12.000000000 -0400
@@ -61,6 +61,10 @@
 ')
 ifdef(`userhelper.te', 
 	`or (t1 == userhelperdomain)')
+ifdef(`postfix.te', `
+ifdef(`direct_sysadm_daemon',
+	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
+')
 	 or (t1 == priv_system_role and r2 == system_r )
         );
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.23.16/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2005-04-27 10:28:48.000000000 -0400
+++ policy-1.23.16/domains/program/crond.te	2005-05-18 15:50:12.000000000 -0400
@@ -37,7 +37,7 @@
 
 # read files in /etc
 allow system_crond_t etc_t:file r_file_perms;
-allow system_crond_t etc_runtime_t:file read;
+allow system_crond_t etc_runtime_t:file { getattr read };
 
 allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.16/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/program/fsadm.te	2005-05-18 15:50:12.000000000 -0400
@@ -29,6 +29,7 @@
 
 # for /dev/shm
 allow fsadm_t tmpfs_t:dir { getattr search };
+allow fsadm_t tmpfs_t:file { read write };
 
 base_file_read_access(fsadm_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.16/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-05-16 11:28:11.000000000 -0400
+++ policy-1.23.16/domains/program/initrc.te	2005-05-18 15:50:12.000000000 -0400
@@ -131,7 +131,7 @@
 # Update /var/log/wtmp and /var/log/dmesg.
 allow initrc_t wtmp_t:file { setattr rw_file_perms };
 allow initrc_t var_log_t:dir rw_dir_perms;
-allow initrc_t var_log_t:file { setattr rw_file_perms };
+allow initrc_t var_log_t:file create_file_perms;
 allow initrc_t lastlog_t:file { setattr rw_file_perms };
 allow initrc_t logfile:file { read append };
 
@@ -153,9 +153,6 @@
 # Kill all processes.
 allow initrc_t domain:process signal_perms;
 
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
 # Write to /dev/urandom.
 allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
 
@@ -229,9 +226,13 @@
 allow initrc_t { home_root_t home_type }:dir r_dir_perms;
 allow initrc_t home_type:file r_file_perms;
 
+# Read and unlink /var/run/*.pid files.
+allow initrc_t pidfile:file { getattr read unlink };
+
 # for system start scripts
 allow initrc_t pidfile:dir { rmdir rw_dir_perms };
 allow initrc_t pidfile:sock_file unlink;
+
 rw_dir_create_file(initrc_t, var_lib_t)
 
 # allow start scripts to clean /tmp
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.16/domains/program/init.te
--- nsapolicy/domains/program/init.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/program/init.te	2005-05-19 09:58:14.000000000 -0400
@@ -142,6 +142,6 @@
 # file descriptors inherited from the rootfs.
 dontaudit init_t root_t:{ file chr_file } { read write }; 
 ifdef(`targeted_policy', `
-typeattribute init_t unrestricted;
+unconfined_domain(init_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.16/domains/program/klogd.te
--- nsapolicy/domains/program/klogd.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/program/klogd.te	2005-05-18 15:50:12.000000000 -0400
@@ -8,7 +8,7 @@
 #
 # Rules for the klogd_t domain.
 #
-daemon_domain(klogd, `, privmem')
+daemon_domain(klogd, `, privmem, privkmsg')
 
 tmp_domain(klogd)
 allow klogd_t proc_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.23.16/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.16/domains/program/ldconfig.te	2005-05-18 15:50:12.000000000 -0400
@@ -39,7 +39,7 @@
 ')
 
 allow ldconfig_t { var_t var_lib_t }:dir search;
-allow ldconfig_t proc_t:file read;
+allow ldconfig_t proc_t:file { getattr read };
 ifdef(`hide_broken_symptoms', `
 ifdef(`unconfined.te',`
 dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.16/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/modutil.te	2005-05-18 15:50:12.000000000 -0400
@@ -30,7 +30,9 @@
 domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
 allow depmod_t { bin_t sbin_t }:dir search;
 can_exec(depmod_t, depmod_exec_t)
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
+')
 
 # Inherit and use descriptors from init and login programs.
 allow depmod_t { init_t privfd }:fd use;
@@ -115,6 +117,7 @@
 allow insmod_t { var_t var_log_t }:dir search;
 ifdef(`xserver.te', `
 allow insmod_t xserver_log_t:file getattr;
+allow insmod_t xserver_misc_device_t:chr_file { read write };
 ')
 rw_dir_create_file(insmod_t, var_log_ksyms_t)
 allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
@@ -150,7 +153,7 @@
 allow insmod_t mtrr_device_t:file write;
 
 # Read /proc/sys/kernel/hotplug.
-allow insmod_t sysctl_hotplug_t:file read;
+allow insmod_t sysctl_hotplug_t:file { getattr read };
 
 allow insmod_t device_t:dir read;
 allow insmod_t devpts_t:dir { getattr search };
@@ -229,5 +232,3 @@
 
 tmp_domain(update_modules)
 ')dnl end IS_INITRD
-
-
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.16/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/program/mount.te	2005-05-18 15:50:12.000000000 -0400
@@ -37,29 +37,9 @@
 
 # Mount, remount and unmount file systems.
 allow mount_t fs_type:filesystem mount_fs_perms;
-allow mount_t default_t:dir mounton;
-allow mount_t file_t:dir mounton;
-allow mount_t usr_t:dir mounton;
-allow mount_t src_t:dir mounton;
-allow mount_t var_t:dir mounton;
-allow mount_t proc_t:dir mounton;
-allow mount_t root_t:dir mounton;
-allow mount_t home_root_t:dir mounton;
-allow mount_t tmp_t:dir mounton;
-allow mount_t mnt_t:dir mounton;
-allow mount_t devpts_t:dir mounton;
-allow mount_t usbdevfs_t:dir mounton;
-allow mount_t sysfs_t:dir mounton;
-allow mount_t nfs_t:dir mounton;
+allow mount_t mount_point:dir mounton;
 allow mount_t nfs_t:dir search;
-# nfsv4 has a filesystem to mount for its userspace daemons
-allow mount_t var_lib_nfs_t:dir mounton;
-
-# On some RedHat systems, /boot is a mount point
-allow mount_t boot_t:dir mounton;
-allow mount_t device_t:dir mounton;
-# mount binfmt_misc on /proc/sys/fs/binfmt_misc
-allow mount_t sysctl_t:dir { mounton search };
+allow mount_t sysctl_t:dir search;
 
 allow mount_t root_t:filesystem unmount;
 
@@ -99,11 +79,7 @@
 allow mount_t userdomain:fd use;
 can_exec(mount_t, { sbin_t bin_t })
 allow mount_t device_t:dir r_dir_perms;
-ifdef(`distro_redhat', `
 allow mount_t tmpfs_t:chr_file { read write };
-allow mount_t tmpfs_t:dir mounton;
-')
-
 
 # tries to read /init
 dontaudit mount_t root_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.23.16/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.16/domains/program/passwd.te	2005-05-18 15:50:12.000000000 -0400
@@ -145,6 +145,7 @@
 
 # make sure that getcon succeeds
 allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file read;
+allow passwd_t userdomain:file { getattr read };
 allow passwd_t userdomain:process getattr;
 
+allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.16/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/restorecon.te	2005-05-18 15:50:12.000000000 -0400
@@ -51,8 +51,8 @@
 allow restorecon_t fs_t:filesystem getattr;
 allow restorecon_t fs_type:dir r_dir_perms;
 
-allow restorecon_t etc_runtime_t:file read;
-allow restorecon_t etc_t:file read;
+allow restorecon_t etc_runtime_t:file { getattr read };
+allow restorecon_t etc_t:file { getattr read };
 allow restorecon_t proc_t:file { getattr read };
 dontaudit restorecon_t proc_t:lnk_file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.23.16/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te	2005-05-16 11:28:11.000000000 -0400
+++ policy-1.23.16/domains/program/setfiles.te	2005-05-18 15:50:12.000000000 -0400
@@ -19,6 +19,9 @@
 role sysadm_r types setfiles_t;
 role secadm_r types setfiles_t;
 
+ifdef(`distro_redhat', `
+domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
+')
 allow setfiles_t initrc_devpts_t:chr_file { read write ioctl };
 allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
 
@@ -26,9 +29,6 @@
 
 domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
 allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
-ifdef(`distro_redhat', `
-domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
-')
 
 uses_shlib(setfiles_t)
 allow setfiles_t self:capability { dac_override dac_read_search fowner };
@@ -56,8 +56,8 @@
 
 read_locale(setfiles_t)
 
-allow setfiles_t etc_runtime_t:file read;
-allow setfiles_t etc_t:file read;
+allow setfiles_t etc_runtime_t:file { getattr read };
+allow setfiles_t etc_t:file { getattr read };
 allow setfiles_t proc_t:file { getattr read };
 dontaudit setfiles_t proc_t:lnk_file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.16/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.16/domains/program/ssh.te	2005-05-18 15:50:12.000000000 -0400
@@ -229,3 +229,5 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
+allow sshd_t faillog_t:file { append getattr };
+allow sshd_t sbin_t:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.16/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.16/domains/program/syslogd.te	2005-05-18 15:50:12.000000000 -0400
@@ -14,9 +14,9 @@
 # by syslogd.
 #
 ifdef(`klogd.te', `
-daemon_domain(syslogd)
+daemon_domain(syslogd, `, privkmsg')
 ', `
-daemon_domain(syslogd, `, privmem')
+daemon_domain(syslogd, `, privmem, privkmsg')
 ')
 
 # can_network is for the UDP socket
@@ -95,16 +95,13 @@
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
-dontaudit syslogd_t unlabeled_t:file read;
+dontaudit syslogd_t unlabeled_t:file { getattr read };
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 ifdef(`targeted_policy', `
 allow syslogd_t var_run_t:fifo_file { ioctl read write };
 ')
 
-bool use_syslogng false;
-
-if (use_syslogng) {
 # Allow access to /proc/kmsg for syslog-ng
 allow syslogd_t proc_t:dir search;
 allow syslogd_t proc_kmsg_t:file { getattr read };
@@ -113,4 +110,3 @@
 allow syslogd_t var_log_t:dir { create setattr };
 allow syslogd_t syslogd_port_t:tcp_socket name_bind;
 allow syslogd_t rsh_port_t:tcp_socket name_connect;
-}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.16/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/program/unused/amanda.te	2005-05-18 15:50:12.000000000 -0400
@@ -303,11 +303,11 @@
 
 allow amanda_t file_type:dir {getattr read search };
 allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
-allow amanda_t fixed_disk_device_t:blk_file getattr;
+allow amanda_t device_type:{ blk_file chr_file } getattr;
 dontaudit amanda_t file_type:sock_file getattr;
 logdir_domain(amanda)
 
-dontaudit amanda_t autofs_t:dir { getattr read };
+dontaudit amanda_t autofs_t:dir { getattr read search };
 dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
 dontaudit amanda_t nfs_t:dir { getattr read };
 dontaudit amanda_t proc_t:dir read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.16/domains/program/unused/amavis.te
--- nsapolicy/domains/program/unused/amavis.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/amavis.te	2005-05-18 15:50:12.000000000 -0400
@@ -23,7 +23,7 @@
 daemon_domain(amavisd)
 tmp_domain(amavisd)
 
-allow initrc_t amavisd_etc_t:file read;
+allow initrc_t amavisd_etc_t:file { getattr read };
 allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };
 allow initrc_t amavisd_lib_t:file unlink;
 allow initrc_t amavisd_var_run_t:dir setattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.23.16/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.16/domains/program/unused/anaconda.te	2005-05-18 15:50:12.000000000 -0400
@@ -17,13 +17,17 @@
 role system_r types ldconfig_t;
 domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
 
+ifdef(`su.te', `
 role system_r types sysadm_su_t;
 domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
+')
 
 # Run other rc scripts in the anaconda_t domain.
 domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
 
+ifdef(`dmesg.te', `
 domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
+')
 
 ifdef(`distro_redhat', `
 file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
@@ -44,4 +48,6 @@
 role system_r types sysadm_ssh_agent_t;
 domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
 ')
+ifdef(`passwd.te', `
 domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.16/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/program/unused/apache.te	2005-05-19 07:29:44.000000000 -0400
@@ -54,15 +54,6 @@
 #
 type httpd_config_t, file_type, sysadmfile;
 
-append_logdir_domain(httpd)
-#can read /etc/httpd/logs
-allow httpd_t httpd_log_t:lnk_file read;
-
-# For /etc/init.d/apache2 reload
-can_tcp_connect(httpd_t, httpd_t)
-
-can_tcp_connect(web_client_domain, httpd_t)
-
 # httpd_modules_t is the type given to module files (libraries) 
 # that come with Apache /etc/httpd/modules and /usr/lib/apache
 #
@@ -75,7 +66,16 @@
 
 # httpd_exec_t is the type give to the httpd executable.
 #
-daemon_domain(httpd, `, privmail')
+daemon_domain(httpd, `, privmail, nscd_client_domain')
+
+append_logdir_domain(httpd)
+#can read /etc/httpd/logs
+allow httpd_t httpd_log_t:lnk_file read;
+
+# For /etc/init.d/apache2 reload
+can_tcp_connect(httpd_t, httpd_t)
+
+can_tcp_connect(web_client_domain, httpd_t)
 
 can_exec(httpd_t, httpd_exec_t)
 file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
@@ -233,7 +233,8 @@
 allow httpd_t bin_t:dir search;
 allow httpd_t sbin_t:dir search;
 allow httpd_t httpd_log_t:dir remove_name;
-r_dir_file(httpd_t, fonts_t)
+
+read_fonts(httpd_t)
 
 allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 
@@ -256,8 +257,7 @@
 typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
 
 if (httpd_enable_homedirs) {
-allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
-allow httpd_t user_home_dir_t:dir { getattr search };
+allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
 }
 ') dnl targeted policy
 
@@ -323,7 +323,7 @@
 # own user ID
 #
 daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
-allow httpd_t httpd_suexec_exec_t:file read;
+allow httpd_t httpd_suexec_exec_t:file { getattr read };
 
 #########################################################
 # Permissions for running child processes and scripts
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.23.16/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/apmd.te	2005-05-18 15:50:12.000000000 -0400
@@ -32,6 +32,8 @@
 allow apmd_t device_t:lnk_file read;
 allow apmd_t proc_t:file { getattr read };
 can_sysctl(apmd_t)
+allow apmd_t sysfs_t:file write;
+
 allow apmd_t self:unix_dgram_socket create_socket_perms;
 allow apmd_t self:unix_stream_socket create_stream_socket_perms;
 allow apmd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.16/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/auditd.te	2005-05-18 15:50:12.000000000 -0400
@@ -23,12 +23,10 @@
 rw_dir_create_file(auditd_t, auditd_log_t)
 
 can_exec(auditd_t, init_exec_t)
-
-can_exec(auditd_t, init_exec_t)
 allow auditd_t initctl_t:fifo_file write;
 
 type auditctl_t, domain, privlog;
-type auditctl_exec_t, file_type, sysadmfile;
+type auditctl_exec_t, file_type, exec_type, sysadmfile;
 uses_shlib(auditctl_t)
 allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
 allow auditctl_t self:capability { audit_write audit_control };
@@ -53,7 +51,11 @@
 dontaudit auditctl_t local_login_t:fd use;
 allow auditctl_t proc_t:dir search;
 allow auditctl_t sysctl_kernel_t:dir search;
-allow auditctl_t sysctl_kernel_t:file read;
+allow auditctl_t sysctl_kernel_t:file { getattr read };
 allow auditd_t self:process setsched;
 dontaudit auditctl_t init_t:fd use; 
 allow auditctl_t initrc_devpts_t:chr_file { read write };
+allow auditd_t self:file { getattr read };
+ifdef(`rpm.te', `
+allow auditctl_t rpm_script_t:fd use;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.23.16/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/automount.te	2005-05-18 15:50:12.000000000 -0400
@@ -25,7 +25,7 @@
 
 allow automount_t { etc_t etc_runtime_t }:file { getattr read };
 allow automount_t proc_t:file { getattr read };
-allow automount_t self:process { setpgid setsched };
+allow automount_t self:process { getpgid setpgid setsched };
 allow automount_t self:capability { sys_nice dac_override };
 allow automount_t self:unix_stream_socket create_socket_perms;
 allow automount_t self:unix_dgram_socket create_socket_perms;
@@ -63,7 +63,7 @@
 allow userdomain autofs_t:dir r_dir_perms;
 allow kernel_t autofs_t:dir { getattr ioctl read search };
 
-allow automount_t home_root_t:dir getattr;
+allow automount_t { boot_t home_root_t }:dir getattr;
 allow automount_t mnt_t:dir { getattr search };
 
 can_exec(initrc_t, automount_etc_t)
@@ -71,4 +71,5 @@
 # Need something like the following
 # file_type_auto_trans(automount_t, file_type, automount_tmp_t, dir)
 
-
+allow automount_t var_lib_t:dir search;
+allow automount_t var_lib_nfs_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.23.16/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.23.16/domains/program/unused/bluetooth.te	2005-05-18 15:50:12.000000000 -0400
@@ -39,4 +39,6 @@
 allow bluetooth_t bluetooth_conf_t:dir search;
 allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
 #/usr/sbin/hid2hci causes the following
-allow initrc_t usbfs_t:file { read };
+allow initrc_t usbfs_t:file { getattr read };
+allow bluetooth_t usbfs_t:dir r_dir_perms;
+allow bluetooth_t usbfs_t:file rw_file_perms; 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.16/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/cups.te	2005-05-19 10:56:19.000000000 -0400
@@ -11,7 +11,6 @@
 # cupsd_t is the domain of cupsd.
 # cupsd_exec_t is the type of the cupsd executable.
 #
-type ipp_port_t, port_type, reserved_port_type;
 daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
 etcdir_domain(cupsd)
 type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
@@ -82,6 +81,11 @@
 allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
 dontaudit cupsd_t self:capability net_admin;
 
+#
+# /usr/lib/cups/backend/serial needs sys_admin
+# Need new context to run under???
+allow cupsd_t self:capability sys_admin;
+
 allow cupsd_t self:process setsched;
 
 # for /var/lib/defoma
@@ -111,7 +115,7 @@
 can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
 
 # They will also invoke ghostscript, which needs to read fonts
-r_dir_file(cupsd_t, fonts_t)
+read_fonts(cupsd_t)
 
 # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
 allow cupsd_t lib_t:file { read getattr };
@@ -173,8 +177,6 @@
 allow cupsd_t userdomain:dbus send_msg;
 ')
 
-ifdef(`hald.te', `
-
 # CUPS configuration daemon
 daemon_domain(cupsd_config)
 
@@ -202,6 +204,7 @@
 rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
 rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
 file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
 
 can_network_tcp(cupsd_config_t)
 can_ypbind(cupsd_config_t)
@@ -214,13 +217,23 @@
 dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus send_msg;
 allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow cupsd_t hald_t:dbus send_msg;
 allow userdomain cupsd_config_t:dbus send_msg;
+')dnl end if dbusd.te
+
+ifdef(`hald.te', `
+
+ifdef(`dbusd.te', `
+allow cupsd_t hald_t:dbus send_msg;
 allow cupsd_config_t hald_t:dbus send_msg;
-allow hald_t cupsd_config_t:dbus send_msg;
 allow hald_t cupsd_t:dbus send_msg;
 ')dnl end if dbusd.te
 
+allow hald_t cupsd_config_t:process signal;
+domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
+
+') dnl end if hald.te
+
+
 can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
 ifdef(`hostname.te', `
 can_exec(cupsd_t, hostname_exec_t)
@@ -241,7 +254,6 @@
 
 allow cupsd_config_t urandom_device_t:chr_file { getattr read };
 
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
 ifdef(`logrotate.te', `
 allow cupsd_config_t logrotate_t:fd use;
 ')dnl end if logrotate.te
@@ -252,10 +264,11 @@
 
 # Alternatives asks for this
 allow cupsd_config_t initrc_exec_t:file getattr;
-') dnl end if hald.te
 ifdef(`targeted_policy', `
 can_unix_connect(cupsd_t, initrc_t)
 allow cupsd_t initrc_t:dbus send_msg;
 allow initrc_t cupsd_t:dbus send_msg;
-allow cupsd_t unconfined_t:dbus send_msg;
+allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
+allow unconfined_t cupsd_config_t:dbus send_msg;
+allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddcprobe.te policy-1.23.16/domains/program/unused/ddcprobe.te
--- nsapolicy/domains/program/unused/ddcprobe.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.16/domains/program/unused/ddcprobe.te	2005-05-18 15:50:12.000000000 -0400
@@ -0,0 +1,42 @@
+#DESC ddcprobe - output ddcprobe results from kudzu
+#
+# Author: dan walsh <dwalsh@redhat.com>
+#
+
+type ddcprobe_t, domain, privmem;
+type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
+
+# Allow execution by the sysadm
+role sysadm_r types ddcprobe_t;
+role system_r types ddcprobe_t;
+domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
+
+uses_shlib(ddcprobe_t)
+
+# Allow terminal access
+access_terminal(ddcprobe_t, sysadm)
+
+# Allow ddcprobe to read /dev/mem
+allow ddcprobe_t memory_device_t:chr_file read;
+allow ddcprobe_t memory_device_t:chr_file { execute write };
+allow ddcprobe_t self:process execmem;
+allow ddcprobe_t zero_device_t:chr_file { execute read };
+
+allow ddcprobe_t proc_t:dir search;
+allow ddcprobe_t proc_t:file { getattr read };
+can_exec(ddcprobe_t, sbin_t)
+allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
+allow ddcprobe_t userdomain:fd use;
+read_sysctl(ddcprobe_t)
+allow ddcprobe_t urandom_device_t:chr_file { getattr read };
+allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+
+allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
+allow ddcprobe_t kudzu_exec_t:file getattr;
+allow ddcprobe_t lib_t:file { getattr read };
+read_locale(ddcprobe_t)
+allow ddcprobe_t modules_object_t:dir search;
+allow ddcprobe_t modules_dep_t:file { getattr read };
+allow ddcprobe_t usr_t:file { getattr read };
+allow ddcprobe_t kernel_t:system syslog_console;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.23.16/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.16/domains/program/unused/dhcpd.te	2005-05-18 15:50:12.000000000 -0400
@@ -15,7 +15,7 @@
 # dhcpd_exec_t is the type of the dhcpdd executable.
 # The dhcpd_t can be used for other DHCPC related files as well.
 #
-daemon_domain(dhcpd)
+daemon_domain(dhcpd, `, nscd_client_domain')
 
 allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.23.16/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.16/domains/program/unused/dovecot.te	2005-05-18 15:50:12.000000000 -0400
@@ -34,8 +34,7 @@
 allow dovecot_t pop_port_t:tcp_socket name_bind;
 allow dovecot_t urandom_device_t:chr_file { getattr read };
 allow dovecot_t cert_t:dir search;
-allow dovecot_t dovecot_cert_t:file { getattr read };
-allow dovecot_t cert_t:dir search;
+r_dir_file(dovecot_t, dovecot_cert_t)
 
 allow dovecot_t { self proc_t }:file { getattr read };
 allow dovecot_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fontconfig.te policy-1.23.16/domains/program/unused/fontconfig.te
--- nsapolicy/domains/program/unused/fontconfig.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.16/domains/program/unused/fontconfig.te	2005-05-18 15:50:12.000000000 -0400
@@ -0,0 +1,7 @@
+#
+# Fontconfig related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Look in fontconfig_macros.te
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.23.16/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.16/domains/program/unused/ftpd.te	2005-05-18 15:50:12.000000000 -0400
@@ -9,7 +9,7 @@
 #
 # Rules for the ftpd_t domain 
 #
-daemon_domain(ftpd, `, auth_chkpwd')
+daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
 etc_domain(ftpd)
 
 can_network(ftpd_t)
@@ -69,7 +69,7 @@
 tmpfs_domain(ftpd)
 
 # Use capabilities.
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource audit_control };
 
 # Append to /var/log/wtmp.
 allow ftpd_t wtmp_t:file { getattr append };
@@ -100,6 +100,8 @@
 if (ftp_home_dir) {
 # allow access to /home
 allow ftpd_t home_root_t:dir { getattr search };
+allow ftpd_t home_dir_type:dir r_dir_perms;
+create_dir_file(ftpd_t, home_type)
 }
 if (use_nfs_home_dirs && ftp_home_dir) {
 	r_dir_file(ftpd_t, nfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gpg.te policy-1.23.16/domains/program/unused/gpg.te
--- nsapolicy/domains/program/unused/gpg.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.16/domains/program/unused/gpg.te	2005-05-18 15:50:12.000000000 -0400
@@ -8,7 +8,7 @@
 type gpg_exec_t, file_type, sysadmfile, exec_type;
 type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
 
-allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
+allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
 allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
 
 # Allow gpg exec stack
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.16/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/hald.te	2005-05-18 15:50:12.000000000 -0400
@@ -36,7 +36,7 @@
 
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 can_network_server(hald_t)
 can_ypbind(hald_t)
 
@@ -64,10 +64,8 @@
 ifdef(`hotplug.te', `
 r_dir_file(hald_t, hotplug_etc_t)
 ')
-allow hald_t usbdevfs_t:dir search;
-allow hald_t usbdevfs_t:file { getattr read };
-allow hald_t usbfs_t:dir search;
-allow hald_t usbfs_t:file { getattr read };
+allow hald_t fs_type:dir { search getattr };
+allow hald_t { usbdevfs_t usbfs_t }:file { getattr read };
 allow hald_t bin_t:lnk_file read;
 r_dir_file(hald_t, { selinux_config_t default_context_t } )
 allow hald_t initrc_t:dbus send_msg;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.16/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/hotplug.te	2005-05-18 15:50:12.000000000 -0400
@@ -29,7 +29,7 @@
 
 # get info from /proc
 r_dir_file(hotplug_t, proc_t)
-allow hotplug_t self:file { getattr read };
+allow hotplug_t self:file { getattr read ioctl };
 
 allow hotplug_t devtty_t:chr_file rw_file_perms;
 
@@ -129,7 +129,7 @@
 allow hotplug_t lib_t:file { getattr read };
 
 allow hotplug_t self:capability { net_admin sys_tty_config mknod };
-allow hotplug_t sysfs_t:dir { getattr read search };
+allow hotplug_t sysfs_t:dir { getattr read search write };
 allow hotplug_t sysfs_t:file { getattr read };
 allow hotplug_t sysfs_t:lnk_file { getattr read };
 allow hotplug_t udev_runtime_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.16/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2005-05-16 11:28:12.000000000 -0400
+++ policy-1.23.16/domains/program/unused/kudzu.te	2005-05-18 15:50:12.000000000 -0400
@@ -26,7 +26,6 @@
 allow kudzu_t mouse_device_t:chr_file { read write };
 allow kudzu_t proc_net_t:dir r_dir_perms;
 allow kudzu_t { proc_net_t proc_t }:file { getattr read };
-allow kudzu_t proc_t:lnk_file getattr;
 allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
 allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
 allow kudzu_t { bin_t sbin_t }:dir { getattr search };
@@ -109,3 +108,4 @@
 ')
 
 allow kudzu_t initrc_t:unix_stream_socket connectto;
+allow kudzu_t net_conf_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.23.16/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te	2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.16/domains/program/unused/lpd.te	2005-05-18 15:50:12.000000000 -0400
@@ -20,7 +20,7 @@
 
 allow lpd_t lpd_var_run_t:sock_file create_file_perms;
 
-r_dir_file(lpd_t, fonts_t)
+read_fonts(lpd_t)
 
 type printer_t, file_type, sysadmfile, dev_fs;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.23.16/domains/program/unused/lvm.te
--- nsapolicy/domains/program/unused/lvm.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/lvm.te	2005-05-18 15:50:12.000000000 -0400
@@ -18,7 +18,6 @@
 type lvm_metadata_t, file_type, sysadmfile;
 type lvm_control_t, device_type, dev_fs;
 etcdir_domain(lvm)
-allow lvm_t var_t:dir search;
 lock_domain(lvm)
 allow lvm_t lvm_lock_t:dir rw_dir_perms;
 
@@ -35,7 +34,7 @@
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 
 r_dir_file(lvm_t, proc_t)
-allow lvm_t self:file r_file_perms;
+allow lvm_t self:file rw_file_perms;
 
 # Read system variables in /proc/sys
 read_sysctl(lvm_t)
@@ -65,7 +64,7 @@
 allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
 
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod };
+allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice sys_resource mknod };
 
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
 file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
@@ -108,7 +107,7 @@
 ')
 dontaudit lvm_t initctl_t:fifo_file getattr;
 allow lvm_t sbin_t:dir search;
-dontaudit lvm_t sbin_t:file getattr;
+dontaudit lvm_t sbin_t:file { getattr read };
 allow lvm_t lvm_control_t:chr_file rw_file_perms;
 allow initrc_t lvm_control_t:chr_file { getattr read unlink };
 allow initrc_t device_t:chr_file create;
@@ -122,3 +121,18 @@
 
 # it has no reason to need this
 dontaudit lvm_t proc_kcore_t:file getattr;
+allow lvm_t var_t:dir { search getattr };
+allow lvm_t ramfs_t:filesystem unmount;
+
+# cluster LVM daemon
+daemon_domain(clvmd)
+can_network(clvmd_t)
+can_ypbind(clvmd_t)
+allow clvmd_t self:capability net_bind_service;
+allow clvmd_t self:socket create_socket_perms;
+allow clvmd_t self:fifo_file { read write };
+allow clvmd_t self:file { getattr read };
+allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow clvmd_t reserved_port_t:tcp_socket name_bind;
+dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
+dontaudit clvmd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mrtg.te policy-1.23.16/domains/program/unused/mrtg.te
--- nsapolicy/domains/program/unused/mrtg.te	2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.16/domains/program/unused/mrtg.te	2005-05-18 15:50:12.000000000 -0400
@@ -81,7 +81,7 @@
 
 # for uptime
 allow mrtg_t var_run_t:dir search;
-allow mrtg_t initrc_var_run_t:file read;
+allow mrtg_t initrc_var_run_t:file { getattr read };
 dontaudit mrtg_t initrc_var_run_t:file { write lock };
 allow mrtg_t etc_runtime_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.23.16/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.16/domains/program/unused/mta.te	2005-05-18 15:50:12.000000000 -0400
@@ -23,6 +23,7 @@
 # targeted policy.  We could move these rules permanantly here.
 ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
 allow system_mail_t self:dir { search };
+allow system_mail_t self:lnk_file read;
 r_dir_file(system_mail_t, { proc_t proc_net_t })
 allow system_mail_t fs_t:filesystem getattr;
 allow system_mail_t { var_t var_spool_t }:dir getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.23.16/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te	2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.16/domains/program/unused/mysqld.te	2005-05-18 15:50:12.000000000 -0400
@@ -35,7 +35,7 @@
 allow initrc_t mysqld_log_t:file { write append setattr ioctl };
 
 allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
-allow mysqld_t self:process getsched;
+allow mysqld_t self:process { setsched getsched };
 
 allow mysqld_t proc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nx_server.te policy-1.23.16/domains/program/unused/nx_server.te
--- nsapolicy/domains/program/unused/nx_server.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.16/domains/program/unused/nx_server.te	2005-05-18 15:50:12.000000000 -0400
@@ -51,7 +51,7 @@
 
 allow nx_server_t devtty_t:chr_file { read write };
 allow nx_server_t sysctl_kernel_t:dir search;
-allow nx_server_t sysctl_kernel_t:file read;
+allow nx_server_t sysctl_kernel_t:file { getattr read };
 allow nx_server_t urandom_device_t:chr_file read;
 # for reading the config files; maybe a separate type, 
 # but users need to be able to also read the config
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.16/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te	2005-05-07 00:41:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/pamconsole.te	2005-05-18 15:50:12.000000000 -0400
@@ -46,4 +46,5 @@
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
 allow initrc_t pam_var_console_t:dir rw_dir_perms;
+allow initrc_t pam_var_console_t:file unlink;
 allow pam_console_t file_context_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.23.16/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.16/domains/program/unused/pppd.te	2005-05-18 15:50:12.000000000 -0400
@@ -46,7 +46,7 @@
 ifdef(`postfix.te', `
 allow pppd_t postfix_etc_t:dir search;
 allow pppd_t postfix_etc_t:file r_file_perms;
-allow pppd_t postfix_master_exec_t:file read;
+allow pppd_t postfix_master_exec_t:file { getattr read };
 allow postfix_postqueue_t pppd_t:fd use;
 allow postfix_postqueue_t pppd_t:process sigchld;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.23.16/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.16/domains/program/unused/procmail.te	2005-05-18 15:50:12.000000000 -0400
@@ -57,6 +57,9 @@
 
 # for spamassasin
 allow procmail_t usr_t:file { getattr ioctl read };
+ifdef(`spamassassin.te', `
+can_exec(procmail_t, spamassassin_exec_t)
+')
 
 # Search /var/run.
 allow procmail_t var_run_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/qmail.te policy-1.23.16/domains/program/unused/qmail.te
--- nsapolicy/domains/program/unused/qmail.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.16/domains/program/unused/qmail.te	2005-05-18 15:50:12.000000000 -0400
@@ -82,7 +82,7 @@
 allow qmail_rspawn_t { bin_t sbin_t }:dir search;
 
 qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
-allow qmail_rspawn_t qmail_remote_exec_t:file read;
+allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read };
 can_network_server(qmail_remote_t)
 can_ypbind(qmail_remote_t)
 allow qmail_remote_t qmail_spool_t:dir search;
@@ -96,10 +96,10 @@
 
 # privhome will do until we get a separate maildir type
 qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
-allow qmail_lspawn_t qmail_local_exec_t:file read;
+allow qmail_lspawn_t qmail_local_exec_t:file { getattr read };
 allow qmail_local_t self:process { fork signal_perms };
 domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_local_t qmail_queue_exec_t:file read;
+allow qmail_local_t qmail_queue_exec_t:file { getattr read };
 allow qmail_local_t qmail_spool_t:file { ioctl read };
 allow qmail_local_t self:fifo_file write;
 allow qmail_local_t sbin_t:dir search;
@@ -128,7 +128,7 @@
 can_ypbind(qmail_tcp_env_t)
 
 qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
-allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read };
 can_network_server(qmail_smtpd_t)
 can_ypbind(qmail_smtpd_t)
 allow qmail_smtpd_t inetd_t:fd use;
@@ -139,7 +139,7 @@
 allow qmail_smtpd_t self:tcp_socket create_socket_perms;
 allow qmail_smtpd_t sbin_t:dir search;
 domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_smtpd_t qmail_queue_exec_t:file read;
+allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read };
 
 qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
 allow qmail_inject_t self:process { fork signal_perms };
@@ -158,7 +158,7 @@
 qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
 role sysadm_r types qmail_queue_t;
 in_user_role(qmail_queue_t)
-allow qmail_inject_t qmail_queue_exec_t:file read;
+allow qmail_inject_t qmail_queue_exec_t:file { getattr read };
 rw_dir_create_file(qmail_queue_t, qmail_spool_t)
 allow qmail_queue_t qmail_spool_t:fifo_file { read write };
 allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
@@ -171,10 +171,10 @@
 allow qmail_queue_t sysadm_t:fd use;
 allow qmail_queue_t sysadm_t:fifo_file write;
 
-allow user_crond_t qmail_etc_t:dir search;
-allow user_crond_t qmail_etc_t:file read;
+allow user_crond_domain qmail_etc_t:dir search;
+allow user_crond_domain qmail_etc_t:file { getattr read };
 
-qmaild_sub_domain(user_crond_t, qmail_serialmail)
+qmaild_sub_domain(user_crond_domain, qmail_serialmail)
 in_user_role(qmail_serialmail_t)
 can_network_server(qmail_serialmail_t)
 can_ypbind(qmail_serialmail_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.23.16/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.16/domains/program/unused/rhgb.te	2005-05-18 15:50:12.000000000 -0400
@@ -43,9 +43,6 @@
 allow rhgb_t port_type:tcp_socket name_connect;
 can_ypbind(rhgb_t)
 
-# for fonts
-allow rhgb_t usr_t:{ file lnk_file } { getattr read };
-
 # for running setxkbmap
 r_dir_file(rhgb_t, xkb_var_lib_t)
 
@@ -68,8 +65,7 @@
 tmpfs_domain(rhgb)
 allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
 
-allow rhgb_t fonts_t:dir { getattr read search };
-allow rhgb_t fonts_t:file { getattr read };
+read_fonts(rhgb_t)
 
 # for nscd
 dontaudit rhgb_t var_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.23.16/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.16/domains/program/unused/rpcd.te	2005-05-18 15:50:12.000000000 -0400
@@ -140,3 +140,6 @@
 r_dir_file(gssd_t, proc_net_t)
 allow gssd_t rpc_pipefs_t:dir r_dir_perms;
 allow gssd_t rpc_pipefs_t:sock_file { read write };
+allow gssd_t rpc_pipefs_t:file r_file_perms;
+allow gssd_t self:capability setuid;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.16/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/program/unused/samba.te	2005-05-18 15:50:12.000000000 -0400
@@ -46,7 +46,8 @@
 allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
 
 # Use the network.
-can_network_server(smbd_t)
+can_network(smbd_t)
+allow smbd_t ipp_port_t:tcp_socket name_connect;
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
 
@@ -108,6 +109,7 @@
 allow nmbd_t samba_log_t:file { create ra_file_perms };
 allow nmbd_t var_log_t:dir search;
 allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t etc_t:file { getattr read };
 ifdef(`cups.te', `
 allow smbd_t cupsd_rw_etc_t:file { getattr read };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.23.16/domains/program/unused/saslauthd.te
--- nsapolicy/domains/program/unused/saslauthd.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.16/domains/program/unused/saslauthd.te	2005-05-18 15:50:12.000000000 -0400
@@ -15,7 +15,7 @@
 allow saslauthd_t net_conf_t:file r_file_perms;
 
 allow saslauthd_t self:file r_file_perms;
-allow saslauthd_t proc_t:file read;
+allow saslauthd_t proc_t:file { getattr read };
 
 allow saslauthd_t urandom_device_t:chr_file { getattr read }; 
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.23.16/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te	2005-04-27 10:28:53.000000000 -0400
+++ policy-1.23.16/domains/program/unused/slapd.te	2005-05-19 10:23:01.000000000 -0400
@@ -31,7 +31,7 @@
 can_tcp_connect(domain, slapd_t)
 
 # Use capabilities  should not need kill...
-allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
+allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
 allow slapd_t self:process setsched;
 
 allow slapd_t proc_t:file r_file_perms;
@@ -49,7 +49,7 @@
 allow slapd_t etc_runtime_t:file { getattr read };
 
 # for startup script
-allow initrc_t slapd_etc_t:file read;
+allow initrc_t slapd_etc_t:file { getattr read };
 
 allow slapd_t etc_t:dir r_dir_perms;
 
@@ -58,3 +58,4 @@
 allow slapd_t usr_t:file { read getattr };
 allow slapd_t urandom_device_t:chr_file { getattr read };
 allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+r_dir_file(slapd_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.16/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/program/unused/snmpd.te	2005-05-19 11:34:15.000000000 -0400
@@ -8,7 +8,7 @@
 #
 # Rules for the snmpd_t domain.
 #
-daemon_domain(snmpd)
+daemon_domain(snmpd, `, nscd_client_domain')
 
 #temp
 allow snmpd_t var_t:dir getattr;
@@ -78,6 +78,7 @@
 allow snmpd_t proc_net_t:dir search;
 allow snmpd_t proc_net_t:file r_file_perms;
 
-dontaudit snmpd_t domain:dir { getattr search };
+allow snmpd_t domain:dir { getattr search };
+allow snmpd_t domain:file { getattr read };
 
 dontaudit snmpd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snort.te policy-1.23.16/domains/program/unused/snort.te
--- nsapolicy/domains/program/unused/snort.te	2005-04-27 10:28:53.000000000 -0400
+++ policy-1.23.16/domains/program/unused/snort.te	2005-05-18 15:50:12.000000000 -0400
@@ -28,6 +28,6 @@
 allow snort_t self:unix_stream_socket create_socket_perms;
 
 # for start script
-allow initrc_t snort_etc_t:file read;
+allow initrc_t snort_etc_t:file { getattr read };
 
-dontaudit snort_t { etc_runtime_t proc_t }:file read;
+dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sxid.te policy-1.23.16/domains/program/unused/sxid.te
--- nsapolicy/domains/program/unused/sxid.te	2005-04-27 10:28:53.000000000 -0400
+++ policy-1.23.16/domains/program/unused/sxid.te	2005-05-18 15:50:12.000000000 -0400
@@ -31,7 +31,7 @@
 allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
 allow sxid_t ttyfile:chr_file getattr;
 allow sxid_t file_type:dir { getattr read search };
-allow sxid_t sysadmfile:file read;
+allow sxid_t sysadmfile:file { getattr read };
 allow sxid_t fs_type:dir { getattr read search };
 
 # Use the network.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.16/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2005-05-07 00:41:10.000000000 -0400
+++ policy-1.23.16/domains/program/unused/udev.te	2005-05-18 15:50:12.000000000 -0400
@@ -142,3 +142,4 @@
 ifdef(`unlimitedUtils', `
 unconfined_domain(udev_t) 
 ')
+dontaudit hostname_t udev_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/uml_net.te policy-1.23.16/domains/program/unused/uml_net.te
--- nsapolicy/domains/program/unused/uml_net.te	2005-04-27 10:28:53.000000000 -0400
+++ policy-1.23.16/domains/program/unused/uml_net.te	2005-05-18 15:50:12.000000000 -0400
@@ -15,7 +15,7 @@
 uses_shlib(uml_net_t)
 allow uml_net_t devtty_t:chr_file { read write };
 allow uml_net_t etc_runtime_t:file { getattr read };
-allow uml_net_t etc_t:file read;
+allow uml_net_t etc_t:file { getattr read };
 allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
 allow uml_net_t proc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.23.16/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.16/domains/program/unused/winbind.te	2005-05-19 07:32:26.000000000 -0400
@@ -8,7 +8,7 @@
 # Declarations for winbind
 #
 
-daemon_domain(winbind, `, privhome, auth_chkpwd')
+daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
 log_domain(winbind)
 allow winbind_t etc_t:file r_file_perms;
 allow winbind_t etc_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xauth.te policy-1.23.16/domains/program/unused/xauth.te
--- nsapolicy/domains/program/unused/xauth.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.16/domains/program/unused/xauth.te	2005-05-18 15:50:12.000000000 -0400
@@ -9,7 +9,5 @@
 #
 type xauth_exec_t, file_type, sysadmfile, exec_type;
 
-file_type_auto_trans(sysadm_xauth_t, staff_home_dir_t, staff_home_xauth_t)
-
 # Everything else is in the xauth_domain macro in
 # macros/program/xauth_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.16/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-05-07 00:41:11.000000000 -0400
+++ policy-1.23.16/domains/program/unused/xdm.te	2005-05-18 15:50:12.000000000 -0400
@@ -78,7 +78,7 @@
 allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
 allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
 allow unpriv_userdomain xdm_xserver_t:fd use;
-allow unpriv_userdomain xdm_xserver_tmpfs_t:file read;
+allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
 allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
 allow xdm_xserver_t unpriv_userdomain:fd use;
 
@@ -96,7 +96,7 @@
 allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
 allow sysadm_t xdm_xserver_t:shm r_shm_perms;
 allow sysadm_t xdm_xserver_t:fd use;
-allow sysadm_t xdm_xserver_tmpfs_t:file read;
+allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
 allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
 allow xdm_xserver_t sysadm_t:fd use;
 }
@@ -145,7 +145,7 @@
 allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
 allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
 allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
-allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file read;
+allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
 allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
 allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
 
@@ -225,7 +225,9 @@
 
 # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
 allow xdm_t usr_t:{ lnk_file file } { getattr read };
-r_dir_file(xdm_t, fonts_t)
+
+# Read fonts
+read_fonts(xdm_t)
 
 # Do not audit attempts to write to index files under /usr
 dontaudit xdm_t usr_t:file write;
@@ -265,7 +267,7 @@
 
 # Insert video drivers.  
 allow xdm_xserver_t self:capability mknod;
-allow xdm_xserver_t sysctl_modprobe_t:file read;
+allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
 domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
 allow insmod_t xdm_t:fd use;
 allow insmod_t xserver_log_t:file write;
@@ -317,18 +319,17 @@
 rw_dir_create_file(xdm_t, pam_var_console_t)
 ')
 
-allow xdm_t var_log_t:file read;
+allow xdm_t var_log_t:file { getattr read };
 allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
 allow xdm_t self:process setrlimit;
 allow xdm_t wtmp_t:file { getattr read };
 
 domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
 #
-# Poweroff wants to create the /root/poweroff directory when run from xdm
-# Seems to work without it.
+# Poweroff wants to create the /poweroff file when run from xdm
 #
-dontaudit xdm_t root_t:dir { add_name write };
-dontaudit xdm_t root_t:file create;
+file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
+
 #
 # xdm tries to bind to biff_port_t
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xfs.te policy-1.23.16/domains/program/unused/xfs.te
--- nsapolicy/domains/program/unused/xfs.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.16/domains/program/unused/xfs.te	2005-05-18 15:50:12.000000000 -0400
@@ -37,9 +37,8 @@
 allow xfs_t self:unix_stream_socket create_stream_socket_perms;
 allow xfs_t self:unix_dgram_socket create_socket_perms;
 
-# Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
-allow xfs_t fonts_t:dir search;
-allow xfs_t fonts_t:file { getattr read };
+# Read fonts
+read_fonts(xfs_t)
 
 # Unlink the xfs socket.
 allow initrc_t xfs_tmp_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yam.te policy-1.23.16/domains/program/unused/yam.te
--- nsapolicy/domains/program/unused/yam.te	2005-05-06 16:46:27.000000000 -0400
+++ policy-1.23.16/domains/program/unused/yam.te	2005-05-18 15:50:12.000000000 -0400
@@ -125,7 +125,7 @@
 allow yam_crond_t default_t:dir search;
 
 # Don't know why init tries to read this.
-allow initrc_t yam_etc_t:file read;
+allow initrc_t yam_etc_t:file { getattr read };
 
 
 ##########
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.16/domains/user.te
--- nsapolicy/domains/user.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/user.te	2005-05-18 15:50:12.000000000 -0400
@@ -78,6 +78,12 @@
 dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
 dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
 ') dnl ifdef su.te
+ifdef(`xauth.te', `
+file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_home_xauth_t,file)
+')
+ifdef(`userhelper.te', `
+file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_home_xauth_t,file)
+')
 ')
 
 # Privileged user domain
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.16/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-05-07 00:41:12.000000000 -0400
+++ policy-1.23.16/file_contexts/distros.fc	2005-05-18 15:50:12.000000000 -0400
@@ -1,6 +1,7 @@
 ifdef(`distro_redhat', `
 /usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
 /etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t
+/etc/sysconfig/network-scripts/ifcfg-.+ -- system_u:object_r:net_conf_t
 /etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
 /usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
 /usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.23.16/file_contexts/program/bluetooth.fc
--- nsapolicy/file_contexts/program/bluetooth.fc	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.16/file_contexts/program/bluetooth.fc	2005-05-18 15:50:12.000000000 -0400
@@ -4,4 +4,5 @@
 /usr/sbin/hcid		--	system_u:object_r:bluetooth_exec_t
 /usr/sbin/sdpd		--	system_u:object_r:bluetooth_exec_t
 /usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t
-/var/run/sdp		--	system_u:object_r:bluetooth_var_run_t
+/var/run/sdp		-s	system_u:object_r:bluetooth_var_run_t
+/usr/sbin/hid2hci	--	system_u:object_r:bluetooth_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ddcprobe.fc policy-1.23.16/file_contexts/program/ddcprobe.fc
--- nsapolicy/file_contexts/program/ddcprobe.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.16/file_contexts/program/ddcprobe.fc	2005-05-18 15:50:12.000000000 -0400
@@ -0,0 +1 @@
+/usr/sbin/ddcprobe      --		system_u:object_r:ddcprobe_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dovecot.fc policy-1.23.16/file_contexts/program/dovecot.fc
--- nsapolicy/file_contexts/program/dovecot.fc	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.16/file_contexts/program/dovecot.fc	2005-05-18 15:50:12.000000000 -0400
@@ -10,6 +10,7 @@
 ')
 /usr/share/ssl/certs/dovecot\.pem --	system_u:object_r:dovecot_cert_t
 /usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t
+/etc/pki/dovecot(/.*)?			system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
 /usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t
 /var/spool/dovecot(/.*)?		system_u:object_r:dovecot_spool_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fontconfig.fc policy-1.23.16/file_contexts/program/fontconfig.fc
--- nsapolicy/file_contexts/program/fontconfig.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.16/file_contexts/program/fontconfig.fc	2005-05-18 15:50:12.000000000 -0400
@@ -0,0 +1,2 @@
+HOME_DIR/\.fonts(/.*)?				system_u:object_r:ROLE_fonts_t	
+HOME_DIR/\.fonts.cache-1		--	system_u:object_r:ROLE_fonts_cache_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.23.16/file_contexts/program/initrc.fc
--- nsapolicy/file_contexts/program/initrc.fc	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.16/file_contexts/program/initrc.fc	2005-05-18 15:50:12.000000000 -0400
@@ -38,5 +38,11 @@
 /etc/nohotplug		--	system_u:object_r:etc_runtime_t
 ifdef(`distro_redhat', `
 /halt			--	system_u:object_r:etc_runtime_t
+/fastboot 		--	system_u:object_r:etc_runtime_t
+/fsckoptions 		--	system_u:object_r:etc_runtime_t
+/forcefsck 		--	system_u:object_r:etc_runtime_t
+/poweroff		--	system_u:object_r:etc_runtime_t
 /\.autofsck		--	system_u:object_r:etc_runtime_t
+/\.autorelabel		--	system_u:object_r:etc_runtime_t
 ')
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lvm.fc policy-1.23.16/file_contexts/program/lvm.fc
--- nsapolicy/file_contexts/program/lvm.fc	2005-05-02 14:06:56.000000000 -0400
+++ policy-1.23.16/file_contexts/program/lvm.fc	2005-05-18 15:50:12.000000000 -0400
@@ -65,3 +65,5 @@
 /sbin/pvs          --      system_u:object_r:lvm_exec_t
 /sbin/vgs          --      system_u:object_r:lvm_exec_t
 /sbin/multipathd   --      system_u:object_r:lvm_exec_t
+/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
+/usr/sbin/clvmd   --      system_u:object_r:clvmd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.23.16/file_contexts/program/ntpd.fc
--- nsapolicy/file_contexts/program/ntpd.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.16/file_contexts/program/ntpd.fc	2005-05-18 15:50:12.000000000 -0400
@@ -1,7 +1,7 @@
 /var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t
 /etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t
-/etc/ntp(d)?\.conf(.sv)?	--	system_u:object_r:net_conf_t
-/etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
+/etc/ntp(d)?\.conf.*	--	system_u:object_r:net_conf_t
+/etc/ntp/step-tickers.*		--	system_u:object_r:net_conf_t
 /usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
 /usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t
 /var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/traceroute.fc policy-1.23.16/file_contexts/program/traceroute.fc
--- nsapolicy/file_contexts/program/traceroute.fc	2005-05-16 11:28:12.000000000 -0400
+++ policy-1.23.16/file_contexts/program/traceroute.fc	2005-05-18 15:50:12.000000000 -0400
@@ -1,9 +1,6 @@
 # traceroute
 /bin/traceroute.*	--	system_u:object_r:traceroute_exec_t
 /bin/tracepath.*	--	system_u:object_r:traceroute_exec_t
-ifdef(`rdisc.te', `', `
-/sbin/rdisc		--	system_u:object_r:traceroute_exec_t
-')
 /usr/(s)?bin/traceroute.* --	system_u:object_r:traceroute_exec_t
 /usr/bin/lft		--	system_u:object_r:traceroute_exec_t
 /usr/bin/nmap		--	system_u:object_r:traceroute_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.16/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-05-07 00:41:12.000000000 -0400
+++ policy-1.23.16/file_contexts/types.fc	2005-05-18 15:50:12.000000000 -0400
@@ -58,7 +58,7 @@
 
 #
 # Mount points; do not relabel subdirectories, since
-# we don not want to change any removable media by default.
+# we do not want to change any removable media by default.
 /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
 /mnt/[^/]*/.*			<<none>>
 /media(/[^/]*)?		-d	system_u:object_r:mnt_t
@@ -262,7 +262,7 @@
 #
 /opt(/.*)?			system_u:object_r:usr_t
 /opt/.*/lib(64)?(/.*)?				system_u:object_r:lib_t
-/opt/.*/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/opt/.*/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /opt/.*/libexec(/.*)?	system_u:object_r:bin_t
 /opt/.*/bin(/.*)?		system_u:object_r:bin_t
 /opt/.*/sbin(/.*)?		system_u:object_r:sbin_t
@@ -357,6 +357,7 @@
 
 # nvidia share libraries
 /usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t
 
 # libGL
@@ -383,6 +384,9 @@
 /usr/local/src(/.*)?		system_u:object_r:src_t
 /usr/local/man(/.*)?		system_u:object_r:man_t
 /usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr(/local)?/lib/wine/.*\.so   --	system_u:object_r:texrel_shlib_t
+/usr(/local)?/lib/libfame-.*\.so.*    --	system_u:object_r:texrel_shlib_t
+
 
 #
 # /usr/X11R6/man
@@ -440,14 +444,23 @@
 #
 # Lost and found directories.
 #
-/lost\+found(/.*)?		system_u:object_r:lost_found_t
-/usr/lost\+found(/.*)?		system_u:object_r:lost_found_t
-/boot/lost\+found(/.*)?		system_u:object_r:lost_found_t
-HOME_ROOT/lost\+found(/.*)?	system_u:object_r:lost_found_t
-/var/lost\+found(/.*)?		system_u:object_r:lost_found_t
-/tmp/lost\+found(/.*)?		system_u:object_r:lost_found_t
-/usr/local/lost\+found(/.*)?	system_u:object_r:lost_found_t
-
+/lost\+found		-d	system_u:object_r:lost_found_t
+/lost\+found/.*			<<none>>
+/usr/lost\+found	-d	system_u:object_r:lost_found_t
+/usr/lost\+found/.*		<<none>>
+/boot/lost\+found	-d	system_u:object_r:lost_found_t
+/boot/lost\+found/.*		<<none>>
+HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t
+HOME_ROOT/lost\+found/.*	<<none>>
+/var/lost\+found	-d	system_u:object_r:lost_found_t
+/var/lost\+found/.*		<<none>>
+/tmp/lost\+found	-d	system_u:object_r:lost_found_t
+/tmp/lost\+found/.*		<<none>>
+/var/tmp/lost\+found	-d	system_u:object_r:lost_found_t
+/var/tmp/lost\+found/.*		<<none>>
+/usr/local/lost\+found	-d	system_u:object_r:lost_found_t
+/usr/local/lost\+found/.*	<<none>>
+  
 #
 # system localization
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.23.16/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.16/macros/admin_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -203,14 +203,9 @@
 # policy management infrastructure is in place so that an administrator
 # cannot directly manipulate policy files with arbitrary programs.
 #
-allow $1 policy_src_t:file create_file_perms;
-allow $1 policy_src_t:lnk_file create_lnk_perms;
-allow $1 policy_src_t:dir create_dir_perms;
-
-# Violates the goal of limiting write access to checkpolicy.
-# But presently necessary for installing the file_contexts file.
-create_dir_file($1, policy_config_t)
-r_dir_file($1, selinux_config_t)
+allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
+allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
+allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
 
 # Set an exec context, e.g. for runcon.
 can_setexec($1)
@@ -218,9 +213,5 @@
 # Set a context other than the default one for newly created files.
 can_setfscreate($1)
 
-create_dir_file($1, { default_context_t file_context_t selinux_config_t })
-
-allow $1 { default_context_t file_context_t selinux_config_t }:file { relabelfrom relabelto };
-
 ') 
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.16/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.16/macros/base_user_macros.te	2005-05-19 10:43:06.000000000 -0400
@@ -68,14 +68,21 @@
 allow $1_t dri_device_t:chr_file getattr;
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
 
-file_browse_domain($1_t)
+# Supress ls denials:
+# getattr() - ls -l
+# search_dir() - symlink path resolution
+# read_dir() - deep ls: ls parent/...
+
+dontaudit_getattr($1_t)
+dontaudit_search_dir($1_t)
+dontaudit_read_dir($1_t)
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
 
 # Create, access, and remove files in home directory.
 file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)
-allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
+allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
 can_setfscreate($1_t)
 
 allow $1_t autofs_t:dir { search getattr };
@@ -191,6 +198,8 @@
 ifdef(`mplayer.te', `mplayer_domains($1)')
 ifdef(`gift.te', `gift_domains($1)')
 
+fontconfig_domain($1)
+
 # Instantiate a derived domain for user cron jobs.
 ifdef(`crond.te', `crond_domain($1)')
 
@@ -350,6 +359,9 @@
 allow $1_t default_t:notdevfile_class_set r_file_perms;
 }
 
+# Read mime types
+read_fonts($1_t, $1)
+
 read_sysctl($1_t);
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.16/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-05-07 00:41:12.000000000 -0400
+++ policy-1.23.16/macros/global_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -156,7 +156,6 @@
 r_dir_file($1, locale_t)
 ')
 
-
 ###################################
 #
 # access_terminal(domain, typeprefix)
@@ -620,23 +619,25 @@
 allow $1_t etc_t:dir r_dir_perms;
 ')
 
-# Do not flood message log, if the user does a browse
-define(`file_browse_domain', `
+# Dontaudit macros to prevent flooding the log
 
-# Regular files/directories that are not security sensitive
+define(`dontaudit_getattr', `
 dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
-dontaudit $1 file_type - secure_file_type:dir { read search };
-
-# /dev
-dontaudit $1 dev_fs:dir_file_class_set getattr;
-dontaudit $1 dev_fs:dir { read search };
-
-# /proc
-dontaudit $1 sysctl_t:dir_file_class_set getattr;
-dontaudit $1 proc_fs:dir { read search };
-
-')dnl end file_browse_domain
-
+dontaudit $1 unlabeled_t:dir_file_class_set getattr;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
+')dnl end dontaudit_getattr 
+
+define(`dontaudit_search_dir', `
+dontaudit $1 file_type - secure_file_type:dir search;
+dontaudit $1 unlabeled_t:dir search;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
+')dnl end dontaudit_search_dir
+
+define(`dontaudit_read_dir', `
+dontaudit $1 file_type - secure_file_type:dir read;
+dontaudit $1 unlabeled_t:dir read;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
+')dnl end dontaudit_read_dir
 
 # Define legacy_domain  for legacy binaries (java)
 # "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
@@ -762,3 +763,12 @@
 ')
 
 ')dnl end unconfined_domain
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# read_fonts(domain, role_prefix) - 
+#         allow domain to read fonts, optionally per/user
+#  
+define(`read_fonts', `
+r_dir_file($1, fonts_t)
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.16/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.16/macros/program/apache_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -101,7 +101,7 @@
 # Allow the scripts to read, read/write, append to the specified directories
 # or files
 ############################################################################
-r_dir_file(httpd_$1_script_t, fonts_t)
+read_fonts(httpd_$1_script_t)
 r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
 create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
 ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/fontconfig_macros.te policy-1.23.16/macros/program/fontconfig_macros.te
--- nsapolicy/macros/program/fontconfig_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.16/macros/program/fontconfig_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -0,0 +1,24 @@
+#
+# Fontconfig related types 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# fontconfig_domain(role_prefix) - create fontconfig domain
+#
+# read_fonts(domain, role_prefix) - 
+#         allow domain to read fonts, optionally per/user
+#  
+# dontaudit_home_fonts(domain, role_prefix) - 
+#	block the denials of home fonts - hack for X
+
+define(`fontconfig_domain', `
+
+type $1_fonts_t, file_type, $1_file_type, sysadmfile, customizable;
+type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
+
+allow $1_t $1_fonts_cache_t:file create_file_perms;
+create_dir_file($1_t, $1_fonts_t)
+
+') dnl gnome_domain
+
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.16/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-04-27 10:28:54.000000000 -0400
+++ policy-1.23.16/macros/program/gift_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -17,9 +17,10 @@
 domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
 role $1_r types $1_gift_t;
 
-# X access, Home files 
+# X access, Home files, /tmp
 x_client_domain($1_gift, $1)
 home_domain($1, gift)
+tmp_domain($1_gift)
 
 uses_shlib($1_gift_t)
 read_locale($1_gift_t)
@@ -32,6 +33,7 @@
 
 # Self permissions
 allow $1_gift_t self:process getsched;
+allow $1_gift_t self:fifo_file { read write };
 
 # Fonts, icons
 r_dir_file($1_gift_t, usr_t)
@@ -104,7 +106,7 @@
 home_domain_access($1_giftd_t, $1, gift)
 	
 # Allow networking
-allow $1_giftd_t port_t:tcp_socket name_bind;
+allow $1_giftd_t port_t:tcp_socket { name_bind name_connect };
 allow $1_giftd_t port_t:udp_socket name_bind;
 can_network_server($1_giftd_t)
 can_network_client($1_giftd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.23.16/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te	2005-05-16 11:28:12.000000000 -0400
+++ policy-1.23.16/macros/program/gpg_agent_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -88,7 +88,7 @@
 allow { $1_gpg_agent_t $1_gpg_pinentry_t } xdm_t:fd use;
 ')dnl end ig xdm.te
 
-r_dir_file($1_gpg_pinentry_t, fonts_t)
+read_fonts($1_gpg_pinentry_t, $1)
 # read kde font cache
 allow $1_gpg_pinentry_t usr_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.23.16/macros/program/irc_macros.te
--- nsapolicy/macros/program/irc_macros.te	2005-04-27 10:28:55.000000000 -0400
+++ policy-1.23.16/macros/program/irc_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -66,7 +66,7 @@
 dontaudit $1_irc_t var_run_t:dir search;
 
 # allow utmp access
-allow $1_irc_t initrc_var_run_t:file read;
+allow $1_irc_t initrc_var_run_t:file { getattr read };
 dontaudit $1_irc_t initrc_var_run_t:file lock;
 
 # access files under /tmp
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.16/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-04-27 10:28:55.000000000 -0400
+++ policy-1.23.16/macros/program/java_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -4,7 +4,7 @@
 # Macros for javaplugin (java plugin) domains.
 #
 #
-# javaplugin_domain(domain_prefix, user)
+# javaplugin_domain(domain_prefix, role)
 #
 # Define a derived domain for the javaplugin program when executed by
 # a web browser.  
@@ -44,7 +44,8 @@
 allow $1_javaplugin_t sysctl_vm_t:dir search;
 
 tmp_domain($1_javaplugin)
-r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
+read_fonts($1_javaplugin_t, $2)
+r_dir_file($1_javaplugin_t,{ usr_t etc_t })
 
 # Search bin directory under javaplugin for javaplugin executable
 allow $1_javaplugin_t bin_t:dir search;
@@ -91,7 +92,4 @@
 dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
 dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
 
-# Do not audit read/getattr of .fonts-cache-1
-dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
-
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.16/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.16/macros/program/mozilla_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -16,7 +16,8 @@
 # provided separately in domains/program/mozilla.te. 
 #
 define(`mozilla_domain',`
-type $1_mozilla_t, domain, web_client_domain, privlog;
+
+type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
 
 # Type transition
 if (! disable_mozilla_trans) {
@@ -28,8 +29,12 @@
 home_domain($1, mozilla)
 x_client_domain($1_mozilla, $1)
 
-# Browse files
-file_browse_domain($1_mozilla_t)
+# GNOME Open/Save As dialogs
+dontaudit_getattr($1_mozilla_t)
+dontaudit_search_dir($1_mozilla_t)
+
+# Look for plugins 
+allow $1_mozilla_t bin_t:dir { getattr read search };
 
 can_network_client($1_mozilla_t)
 allow $1_mozilla_t ftp_port_t:tcp_socket name_connect;
@@ -54,6 +59,12 @@
 allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
 
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
+
+# Access /proc
+allow $1_mozilla_t proc_t:dir search;
+allow $1_mozilla_t proc_t:file { getattr read };
+allow $1_mozilla_t proc_t:lnk_file read;
+
 allow $1_mozilla_t var_lib_t:file { getattr read };
 allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
 allow $1_mozilla_t self:socket create_socket_perms;
@@ -66,8 +77,6 @@
 can_exec($1_mozilla_t, bin_t)
 allow $1_mozilla_t bin_t:lnk_file read;
 allow $1_mozilla_t device_t:dir r_dir_perms;
-allow $1_mozilla_t proc_t:file { getattr read };
-allow $1_mozilla_t proc_t:lnk_file read;
 allow $1_mozilla_t self:dir search;
 allow $1_mozilla_t self:lnk_file read;
 r_dir_file($1_mozilla_t, proc_net_t)
@@ -87,20 +96,6 @@
 # Execute downloaded programs.
 can_exec($1_mozilla_t, $1_mozilla_tmp_t)
 
-# Use printer
-ifdef(`lpr.te', `
-domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
-
-# Print document
-allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms;
-
-# Suppress history.fop denial
-dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
-
-dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
-dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
-')
-
 # ORBit sockets
 file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
 can_unix_connect($1_t, $1_mozilla_t)
@@ -144,6 +139,21 @@
 javaplugin_domain($1_mozilla, $1)
 ')
 
+
+# Use printer
+ifdef(`lpr.te', `
+domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
+
+# Print document
+allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms;
+
+# Suppress history.fop denial
+dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
+
+dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
+dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
+')
+
 # Mplayer plugin
 ifdef(`mplayer.te', `
 domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
@@ -151,9 +161,10 @@
 # Read mozilla content in /tmp
 r_dir_file($1_mplayer_t, $1_mozilla_tmp_t);
 
-# FIXME: why does it need this?
+# Suppress history.fop denial
 dontaudit $1_mplayer_t $1_mozilla_home_t:file write;
-allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
+
+dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
 ')dnl end if mplayer.te  
 
 if (allow_execmem) {
@@ -162,6 +173,7 @@
 if (allow_execmod) {
 allow $1_mozilla_t texrel_shlib_t:file execmod;
 }
+
 dbusd_client(system, $1_mozilla)
 ifdef(`apache.te', `
 ifelse($1, sysadm, `', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.16/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-04-27 10:28:55.000000000 -0400
+++ policy-1.23.16/macros/program/mplayer_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -6,9 +6,9 @@
 # mplayer_domains(user) declares domains for mplayer, gmplayer,
 # and mencoder
 
-##############################################
-#    mplayer_common(user, mplayer domain)    #
-##############################################
+#####################################################
+#    mplayer_common(role_prefix, mplayer_domain)    #
+#####################################################
 
 define(`mplayer_common',`
 
@@ -62,32 +62,32 @@
 }
 ')
 
-############################
-#  mplayer_domain(user)    #
-############################
+###################################
+#  mplayer_domain(role_prefix)    #
+###################################
 
 define(`mplayer_domain',`
 
-type $1_mplayer_t, domain;
+type $1_mplayer_t, domain, nscd_client_domain;
 
 # Type transition
 domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
 role $1_r types $1_mplayer_t;
 
-# Home access, X access, Browse files
+# Home access, X access
 home_domain($1, mplayer)
 x_client_domain($1_mplayer, $1)
-file_browse_domain($1_mplayer_t)
 
 # Mplayer common stuff
 mplayer_common($1, mplayer)
 
 # Fork 
 allow $1_mplayer_t self:process { fork signal_perms getsched };
+allow $1_mplayer_t self:fifo_file rw_file_perms;
 
 # Audio, alsa.conf
 allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
-allow $1_mplayer_t etc_t:file read;
+allow $1_mplayer_t etc_t:file { getattr read };
 
 # RTC clock 
 allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
@@ -101,11 +101,30 @@
 allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
 }
 
+#======gmplayer gui==========#
+# File dialogs
+dontaudit_getattr($1_mplayer_t)
+dontaudit_read_dir($1_mplayer_t)
+dontaudit_search_dir($1_mplayer_t)
+
+# Unfortunately the ancient file dialog starts in /
+allow $1_mplayer_t home_root_t:dir read;
+
+# Read /etc/mtab
+allow $1_mplayer_t etc_runtime_t:file { read getattr };
+
+# Run bash/sed (??) 
+allow $1_mplayer_t bin_t:dir search;
+allow $1_mplayer_t bin_t:lnk_file read;
+can_exec($1_mplayer_t, bin_t)
+can_exec($1_mplayer_t, shell_exec_t)
+#============================#
+
 ') dnl end mplayer_domain
 
-############################
-#  mencoder_domain(user)   #
-############################
+###################################
+#  mencoder_domain(role_prefix)   #
+###################################
 
 define(`mencoder_domain',`
 
@@ -125,7 +144,7 @@
 ') dnl end mencoder_domain
 
 #############################
-#  mplayer_domains(user)    #
+#  mplayer_domains(role)    #
 #############################
 
 define(`mplayer_domains', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.23.16/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2005-04-27 10:28:55.000000000 -0400
+++ policy-1.23.16/macros/program/userhelper_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -96,7 +96,7 @@
 allow $1_userhelper_t fs_t:filesystem getattr;
 
 # for some PAM modules and for cwd
-dontaudit $1_userhelper_t { home_root_t home_type }:dir search;
+allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;
 
 allow $1_userhelper_t proc_t:dir search;
 allow $1_userhelper_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.16/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-04-27 10:28:55.000000000 -0400
+++ policy-1.23.16/macros/program/x_client_macros.te	2005-05-18 15:50:12.000000000 -0400
@@ -74,7 +74,7 @@
 allow $1_t self:shm create_shm_perms;
 
 # allow X client to read all font files
-r_dir_file($1_t, fonts_t)
+read_fonts($1_t, $2)
 
 # Allow connections to X server.
 ifdef(`xserver.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.16/Makefile
--- nsapolicy/Makefile	2005-05-16 11:28:11.000000000 -0400
+++ policy-1.23.16/Makefile	2005-05-18 15:50:12.000000000 -0400
@@ -220,8 +220,8 @@
 $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
 	@echo "Building file contexts files..."
 	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
-	@grep -v -e HOME -e ROLE $@.tmp > $@
-	@grep -e HOME -e ROLE $@.tmp  > $(HOMEDIR_TEMPLATE)
+	@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
+	@grep -e HOME -e ROLE -e USER $@.tmp  > $(HOMEDIR_TEMPLATE)
 	@-rm $@.tmp
 
 # Create a tags-file for the policy:
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/ftpd_selinux.8 policy-1.23.16/man/man8/ftpd_selinux.8
--- nsapolicy/man/man8/ftpd_selinux.8	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.16/man/man8/ftpd_selinux.8	2005-05-18 15:50:12.000000000 -0400
@@ -43,7 +43,7 @@
 .TP
 setsebool -P ftpd_disable_trans 1
 .br
-system vsftpd restart
+service vsftpd restart
 .TP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
 .SH AUTHOR	
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.16/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8	2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.16/man/man8/httpd_selinux.8	2005-05-18 15:50:12.000000000 -0400
@@ -101,7 +101,7 @@
 
 setsebool -P httpd_disable_trans 1
 .br
-system httpd restart
+service httpd restart
 
 .TP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/kerberos_selinux.8 policy-1.23.16/man/man8/kerberos_selinux.8
--- nsapolicy/man/man8/kerberos_selinux.8	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.16/man/man8/kerberos_selinux.8	2005-05-18 15:50:12.000000000 -0400
@@ -16,11 +16,11 @@
 
 setsebool -P krb5kdc_disable_trans 1
 .br
-system krb5kdc restart
+service krb5kdc restart
 .br
 setsebool -P kadmind_disable_trans booleans 1
 .br
-system kadmind restart
+service kadmind restart
 
 .TP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/named_selinux.8 policy-1.23.16/man/man8/named_selinux.8
--- nsapolicy/man/man8/named_selinux.8	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.16/man/man8/named_selinux.8	2005-05-18 15:50:12.000000000 -0400
@@ -17,7 +17,7 @@
 .TP
 setsebool -P named_disable_trans 1
 .br
-system named restart
+service named restart
 .TP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
 .SH AUTHOR	
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/rsync_selinux.8 policy-1.23.16/man/man8/rsync_selinux.8
--- nsapolicy/man/man8/rsync_selinux.8	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.16/man/man8/rsync_selinux.8	2005-05-18 15:50:12.000000000 -0400
@@ -25,7 +25,7 @@
 .TP
 setsebool -P rsync_disable_trans 1
 .br
-system xinetd restart
+service xinetd restart
 .TP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
 .SH AUTHOR	
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/samba_selinux.8 policy-1.23.16/man/man8/samba_selinux.8
--- nsapolicy/man/man8/samba_selinux.8	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.16/man/man8/samba_selinux.8	2005-05-18 15:50:12.000000000 -0400
@@ -41,7 +41,7 @@
 
 setsebool -P smbd_disable_trans 1
 .br
-system smb restart
+service smb restart
 .TP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
 .SH AUTHOR	
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.16/net_contexts
--- nsapolicy/net_contexts	2005-05-16 11:28:11.000000000 -0400
+++ policy-1.23.16/net_contexts	2005-05-18 15:50:12.000000000 -0400
@@ -106,10 +106,8 @@
 portcon udp 517 system_u:object_r:ktalkd_port_t
 portcon udp 518 system_u:object_r:ktalkd_port_t
 ')
-ifdef(`cups.te', `
 portcon tcp 631 system_u:object_r:ipp_port_t
 portcon udp 631 system_u:object_r:ipp_port_t
-')
 portcon tcp 88 system_u:object_r:kerberos_port_t
 portcon udp 88 system_u:object_r:kerberos_port_t
 portcon tcp 464 system_u:object_r:kerberos_admin_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.23.16/targeted/assert.te
--- nsapolicy/targeted/assert.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.16/targeted/assert.te	2005-05-19 11:37:34.000000000 -0400
@@ -25,7 +25,7 @@
 neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
 
 # Confined domains must never see unconfined domain's /proc/pid entries.
-neverallow { domain -unrestricted } unconfined_t:dir { getattr search };
+neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
 
 #
 # Verify that every type that can be entered by
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.16/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.16/targeted/domains/unconfined.te	2005-05-18 15:50:12.000000000 -0400
@@ -77,3 +77,8 @@
 
 # allow reading of default file context
 bool read_default_t true;
+
+if (allow_execmem) {
+allow domain self:process execmem;
+}
+
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.16/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.16/tunables/distro.tun	2005-05-18 15:50:12.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.16/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.16/tunables/tunable.tun	2005-05-18 15:50:12.000000000 -0400
@@ -2,7 +2,7 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
@@ -20,7 +20,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/device.te policy-1.23.16/types/device.te
--- nsapolicy/types/device.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.16/types/device.te	2005-05-18 15:50:12.000000000 -0400
@@ -10,7 +10,7 @@
 #
 # device_t is the type of /dev.
 #
-type device_t, file_type, dev_fs;
+type device_t, file_type, mount_point, dev_fs;
 
 #
 # null_device_t is the type of /dev/null.
diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.23.16/types/devpts.te
--- nsapolicy/types/devpts.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.16/types/devpts.te	2005-05-18 15:50:12.000000000 -0400
@@ -16,6 +16,6 @@
 # devpts_t is the type of the devpts file system and 
 # the type of the root directory of the file system.
 #
-type devpts_t, fs_type;
+type devpts_t, mount_point, fs_type;
 
 
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.16/types/file.te
--- nsapolicy/types/file.te	2005-05-07 00:41:13.000000000 -0400
+++ policy-1.23.16/types/file.te	2005-05-18 15:50:12.000000000 -0400
@@ -23,37 +23,37 @@
 type eventpollfs_t, fs_type;
 type futexfs_t, fs_type;
 type bdev_t, fs_type;
-type usbfs_t, fs_type;
+type usbfs_t, mount_point, fs_type;
 type nfsd_fs_t, fs_type;
 type rpc_pipefs_t, fs_type;
-type binfmt_misc_fs_t, fs_type;
+type binfmt_misc_fs_t, mount_point, fs_type;
 
 #
 # file_t is the default type of a file that has not yet been
 # assigned an extended attribute (EA) value (when using a filesystem
 # that supports EAs).
 #
-type file_t, file_type, sysadmfile;
+type file_t, file_type, mount_point, sysadmfile;
 
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
 # other than the generic /.* specification.
-type default_t, file_type, sysadmfile;
+type default_t, file_type, mount_point, sysadmfile;
 
 #
 # root_t is the type for the root directory.
 #
-type root_t, file_type, sysadmfile;
+type root_t, file_type, mount_point, sysadmfile;
 
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
-type mnt_t, file_type, sysadmfile;
+type mnt_t, file_type, mount_point, sysadmfile;
 
 #
 # home_root_t is the type for the directory where user home directories
 # are created
 #
-type home_root_t, file_type, sysadmfile;
+type home_root_t, file_type, mount_point, sysadmfile;
 
 #
 # lost_found_t is the type for the lost+found directories.
@@ -64,7 +64,7 @@
 # boot_t is the type for files in /boot,
 # including the kernel.
 #
-type boot_t, file_type, sysadmfile;
+type boot_t, file_type, mount_point, sysadmfile;
 # system_map_t is for the system.map files in /boot
 type system_map_t, file_type, sysadmfile;
 
@@ -77,7 +77,7 @@
 #
 # tmp_t is the type of /tmp and /var/tmp.
 #
-type tmp_t, file_type, sysadmfile, tmpfile;
+type tmp_t, file_type, mount_point, sysadmfile, tmpfile;
 
 #
 # etc_t is the type of the system etc directories.
@@ -171,17 +171,17 @@
 #
 # usr_t is the type for /usr.
 #
-type usr_t, file_type, sysadmfile;
+type usr_t, file_type, mount_point, sysadmfile;
 
 #
 # src_t is the type of files in the system src directories.
 #
-type src_t, file_type, sysadmfile;
+type src_t, file_type, mount_point, sysadmfile;
 
 #
 # var_t is the type for /var.
 #
-type var_t, file_type,  sysadmfile;
+type var_t, file_type, mount_point, sysadmfile;
 
 #
 # Types for subdirectories of /var.
@@ -190,7 +190,7 @@
 type var_log_t, file_type, sysadmfile, logfile;
 type faillog_t, file_type, sysadmfile, logfile;
 type var_lock_t, file_type, sysadmfile, lockfile;
-type var_lib_t, file_type, sysadmfile;
+type var_lib_t, mount_point, file_type, sysadmfile;
 # for /var/{spool,lib}/texmf index files
 type tetex_data_t, file_type, sysadmfile, tmpfile;
 type var_spool_t, file_type, sysadmfile, tmpfile;
@@ -203,7 +203,7 @@
 type lastlog_t, file_type, sysadmfile, logfile;
 
 # Type for /var/lib/nfs.
-type var_lib_nfs_t, file_type, sysadmfile, usercanread;
+type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
 
 #
 # wtmp_t is the type of /var/log/wtmp.
@@ -275,9 +275,9 @@
 # Allow the pty to be associated with the file system.
 allow devpts_t self:filesystem associate;
 
-type tmpfs_t, file_type, sysadmfile, fs_type;
-allow { tmpfs_t tmpfile } tmpfs_t:filesystem associate;
-allow tmpfile tmp_t:filesystem associate;
+type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
+allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
+allow { logfile tmpfile home_type } tmp_t:filesystem associate;
 ifdef(`distro_redhat', `
 allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
 ')
@@ -285,10 +285,10 @@
 type autofs_t, fs_type, noexattrfile, sysadmfile;
 allow autofs_t self:filesystem associate;
 
-type usbdevfs_t, fs_type, noexattrfile, sysadmfile;
+type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
 allow usbdevfs_t self:filesystem associate;
 
-type sysfs_t, fs_type,  sysadmfile;
+type sysfs_t, mount_point, fs_type,  sysadmfile;
 allow sysfs_t self:filesystem associate;
 
 type iso9660_t, fs_type, noexattrfile, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.16/types/network.te
--- nsapolicy/types/network.te	2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.16/types/network.te	2005-05-18 15:50:12.000000000 -0400
@@ -30,6 +30,7 @@
 type nmbd_port_t, port_type, reserved_port_type;
 type http_cache_port_t, port_type, reserved_port_type;
 type http_port_t, port_type, reserved_port_type;
+type ipp_port_t, port_type, reserved_port_type;
 
 allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
 ifdef(`cyrus.te', `define(`use_pop')')
diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.23.16/types/nfs.te
--- nsapolicy/types/nfs.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.16/types/nfs.te	2005-05-18 15:50:12.000000000 -0400
@@ -13,7 +13,7 @@
 # The nfs_*_t types are used for specific NFS
 # servers in net_contexts or net_contexts.mls.
 #
-type nfs_t, fs_type;
+type nfs_t, mount_point, fs_type;
 
 #
 # Allow NFS files to be associated with an NFS file system.
diff --exclude-from=exclude -N -u -r nsapolicy/types/procfs.te policy-1.23.16/types/procfs.te
--- nsapolicy/types/procfs.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.16/types/procfs.te	2005-05-18 15:50:12.000000000 -0400
@@ -14,7 +14,7 @@
 # proc_mdstat_t is the type of /proc/mdstat.
 # proc_net_t is the type of /proc/net.
 #
-type proc_t, fs_type, proc_fs;
+type proc_t, fs_type, mount_point, proc_fs;
 type proc_kmsg_t, proc_fs;
 type proc_kcore_t, proc_fs;
 type proc_mdstat_t, proc_fs;
@@ -35,7 +35,7 @@
 # These types are applied to both the entries in
 # /proc/sys and the corresponding sysctl parameters.
 #
-type sysctl_t, sysctl_type;
+type sysctl_t, mount_point, sysctl_type;
 type sysctl_fs_t, sysctl_type;
 type sysctl_kernel_t, sysctl_type;
 type sysctl_modprobe_t, sysctl_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.23.16/types/security.te
--- nsapolicy/types/security.te	2005-04-27 10:28:56.000000000 -0400
+++ policy-1.23.16/types/security.te	2005-05-18 15:50:12.000000000 -0400
@@ -12,32 +12,32 @@
 # the permissions in the security class.  It is also
 # applied to selinuxfs inodes.
 #
-type security_t, fs_type;
+type security_t, mount_point, fs_type;
 
 #
 # policy_config_t is the type of /etc/security/selinux/*
 # the security server policy configuration.
 #
-type policy_config_t, file_type;
+type policy_config_t, file_type, secadmfile;
 
 #
 # policy_src_t is the type of the policy source
 # files.
 #
-type policy_src_t, file_type;
+type policy_src_t, file_type, secadmfile;
 
 
 #
 # default_context_t is the type applied to 
 # /etc/selinux/*/contexts/*
 #
-type default_context_t, file_type, login_contexts;
+type default_context_t, file_type, login_contexts, secadmfile;
 
 #
 # file_context_t is the type applied to 
 # /etc/selinux/*/contexts/files
 #
-type file_context_t, file_type;
+type file_context_t, file_type, secadmfile;
 
 #
 # no_access_t is the type for objects that should
@@ -49,6 +49,6 @@
 # selinux_config_t is the type applied to 
 # /etc/selinux/config
 #
-type selinux_config_t, file_type;
+type selinux_config_t, file_type, secadmfile;
 
 

^ permalink raw reply	[flat|nested] 19+ messages in thread
* latest diff
@ 2006-01-17  4:06 Daniel J Walsh
  2006-01-17 18:35 ` Christopher J. PeBenito
  0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2006-01-17  4:06 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1267 bytes --]

Fixes for man pages

Kudzu needs to write to some MLS files

Added some additional dontaudit rules for readahead

gij is another java executable.

Added wine policy to mimic java.


Do we need one for mono?  Or do we change java policy to 
unconfined_execmem policy?

Do you have a problem with my range_transition rules?

How about the cron ones?  Is this happening in some other way?

Cron wants to update utmp file.

Is the a problem with the hal changes?

+allow system_mail_t eventpollfs_t:file r_file_perms;
I got bug reports on the above.  I have no idea why.

Removed some TODO, that I believe were caused by old bugs.

I still think running hostname policy for anything other than init and 
dhcpc is a bad idea.

libflashplayer.so looks like it moved up a level.

Russell changed the way restorecon and setfiles worked using a fifo to 
communicate between processes.

+    domain_dontaudit_read_all_domains_state($1)
was added to unconfined_t to eliminate AVC messages created by running 
top when logged in on a MCS machine.  If you are running unconfined_t:s0 
and run top you will not be able to read all the processes running at 
s0-s0:c0.c255

Userdomain needs to be able to read /home directory.

Do you have a problem with the MLS gen_user stuff?





[-- Attachment #2: policy-20060104.patch --]
[-- Type: text/x-patch, Size: 22542 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.11/Makefile
--- nsaserefpolicy/Makefile	2006-01-13 09:48:25.000000000 -0500
+++ serefpolicy-2.1.11/Makefile	2006-01-16 22:32:53.000000000 -0500
@@ -92,7 +92,7 @@
 
 # enable MLS if requested.
 ifneq ($(findstring -mls,$(TYPE)),)
-	override M4PARAM += -D enable_mls
+	override M4PARAM += -D enable_mls -D separate_secadm
 	override CHECKPOLICY += -M
 	override CHECKMODULE += -M
 endif
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-2.1.11/man/man8/ftpd_selinux.8
--- nsaserefpolicy/man/man8/ftpd_selinux.8	2006-01-06 17:55:17.000000000 -0500
+++ serefpolicy-2.1.11/man/man8/ftpd_selinux.8	2006-01-16 22:32:53.000000000 -0500
@@ -16,9 +16,9 @@
 .TP
 chcon -t public_content_rw_t /var/ftp/incoming
 .TP
-You must also turn on the boolean allow_ftp_anon_write.
+You must also turn on the boolean allow_ftpd_anon_write.
 .TP
-setsebool -P allow_ftp_anon_write=1
+setsebool -P allow_ftpd_anon_write=1
 .TP
 If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
 .TP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.1.11/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te	2006-01-13 17:06:02.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/admin/kudzu.te	2006-01-16 22:32:53.000000000 -0500
@@ -63,6 +63,7 @@
 fs_write_ramfs_socket(kudzu_t)
 
 mls_file_read_up(kudzu_t)
+mls_file_write_down(kudzu_t)
 
 modutils_read_mods_deps(kudzu_t)
 modutils_read_module_conf(kudzu_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.1.11/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te	2006-01-13 17:06:02.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/admin/readahead.te	2006-01-16 22:32:53.000000000 -0500
@@ -35,6 +35,7 @@
 dev_getattr_all_chr_files(readahead_t)
 dev_getattr_all_blk_files(readahead_t)
 dev_dontaudit_read_all_blk_files(readahead_t)
+dev_dontaudit_getattr_memory_device(readahead_t)
 
 domain_use_wide_inherit_fd(readahead_t)
 
@@ -46,6 +47,7 @@
 fs_search_auto_mountpoints(readahead_t)
 fs_getattr_all_pipes(readahead_t)
 fs_getattr_all_files(readahead_t)
+fs_search_ramfs(readahead_t)
 
 term_dontaudit_use_console(readahead_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.1.11/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc	2006-01-12 18:28:45.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/apps/java.fc	2006-01-16 22:32:53.000000000 -0500
@@ -2,3 +2,5 @@
 # /usr
 #
 /usr(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gij	--	gen_context(system_u:object_r:java_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.1.11/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/apps/wine.fc	2006-01-16 22:32:53.000000000 -0500
@@ -0,0 +1,2 @@
+/usr/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-2.1.11/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/apps/wine.if	2006-01-16 22:32:53.000000000 -0500
@@ -0,0 +1,23 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`wine_domtrans',`
+	gen_require(`
+		type wine_t, wine_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, wine_exec_t, wine_t)
+
+	allow $1 wine_t:fd use;
+	allow wine_t $1:fd use;
+	allow wine_t $1:fifo_file rw_file_perms;
+	allow wine_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.1.11/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/apps/wine.te	2006-01-16 22:32:53.000000000 -0500
@@ -0,0 +1,27 @@
+policy_module(wine,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wine_t;
+domain_type(wine_t)
+
+type wine_exec_t;
+domain_entry_file(wine_t,wine_exec_t)
+
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow wine_t self:process execmem;
+	unconfined_domain_template(wine_t)
+	unconfined_domtrans(wine_t)
+	role system_r types wine_t;
+	allow wine_t file_type:file execmod;
+
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.1.11/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2006-01-13 17:06:03.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/kernel/devices.if	2006-01-16 22:32:53.000000000 -0500
@@ -2248,3 +2248,19 @@
 	typeattribute $1 memory_raw_write, memory_raw_read;
 ')
 
+########################################
+## <summary>
+##	dontaudit getattr raw memory devices (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_dontaudit_getattr_memory_device',`
+	gen_require(`
+		type memory_device_t;
+	')
+
+	dontaudit $1 memory_device_t:chr_file getattr;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.1.11/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-01-13 17:06:04.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/kernel/filesystem.if	2006-01-16 22:32:53.000000000 -0500
@@ -2282,6 +2282,26 @@
 
 ########################################
 ## <summary>
+##	dontaudit Read and write character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+	gen_require(`
+		type tmpfs_t;
+		class dir r_dir_perms; 
+		class chr_file rw_file_perms;
+	')
+
+	dontaudit $1 tmpfs_t:dir r_dir_perms;
+	dontaudit $1 tmpfs_t:chr_file rw_file_perms;
+')
+
+
+########################################
+## <summary>
 ##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.11/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/kernel/mls.te	2006-01-16 22:32:53.000000000 -0500
@@ -82,9 +82,11 @@
 # these might be targeted_policy only
 range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
 range_transition unconfined_t initrc_exec_t s0;
+range_transition unconfined_t ping_exec_t s0;
 ')
 
 ifdef(`enable_mls',`
 # run init with maximum MLS range
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+range_transition initrc_t auditd_exec_t s15:c0.c255;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.1.11/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/services/apache.te	2006-01-16 22:32:53.000000000 -0500
@@ -693,3 +693,8 @@
 optional_policy(`nscd',`
 	nscd_use_socket(httpd_unconfined_script_t)
 ')
+
+optional_policy(`crond',`
+	cron_system_entry(httpd_t, httpd_exec_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-2.1.11/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te	2006-01-13 17:06:04.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/services/apm.te	2006-01-16 22:32:53.000000000 -0500
@@ -196,6 +196,7 @@
 ')
 
 optional_policy(`cron',`
+	cron_system_entry(apmd_t, apmd_exec_t)
 	cron_domtrans_anacron_system_job(apmd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.1.11/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-01-13 17:06:04.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/services/automount.te	2006-01-16 22:32:53.000000000 -0500
@@ -108,6 +108,7 @@
 fs_manage_auto_mountpoints(automount_t)
 
 term_dontaudit_use_console(automount_t)
+term_dontaudit_getattr_pty_dir(automount_t)
 
 init_use_fd(automount_t)
 init_use_script_pty(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.1.11/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/services/cron.te	2006-01-16 22:32:53.000000000 -0500
@@ -120,7 +120,7 @@
 
 init_use_fd(crond_t)
 init_use_script_pty(crond_t)
-init_read_script_pid(crond_t)
+init_rw_script_pid(crond_t)
 
 libs_use_ld_so(crond_t)
 libs_use_shared_libs(crond_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.1.11/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-01-13 17:06:04.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/services/cups.te	2006-01-16 22:32:53.000000000 -0500
@@ -201,8 +201,7 @@
 ')
 
 optional_policy(`cron',`
-	cron_use_fd(cupsd_t)
-	cron_read_pipe(cupsd_t)
+	cron_system_entry(cupsd_t, cupsd_exec_t)
 ')
 
 optional_policy(`dbus',`
@@ -580,8 +579,7 @@
 ')
 
 optional_policy(`cron',`
-	cron_use_system_job_fd(cupsd_config_t)
-	cron_read_pipe(cupsd_config_t)
+	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
 optional_policy(`dbus',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.1.11/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2006-01-13 17:06:05.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/services/dovecot.te	2006-01-16 22:32:53.000000000 -0500
@@ -95,6 +95,7 @@
 files_read_etc_files(dovecot_t)
 files_search_spool(dovecot_t)
 files_search_tmp(dovecot_t)
+files_search_tmp(dovecot_auth_t)
 files_dontaudit_list_default(dovecot_t)
 
 init_use_fd(dovecot_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.11/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-01-13 17:06:05.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/services/hal.te	2006-01-16 22:39:09.000000000 -0500
@@ -48,8 +48,13 @@
 kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctl(hald_t)
 kernel_read_fs_sysctl(hald_t)
+
 kernel_write_proc_file(hald_t)
 
+mls_file_read_up(hald_t)
+
+bootloader_getattr_boot_dir(hald_t)
+
 corecmd_exec_bin(hald_t)
 corecmd_exec_sbin(hald_t)
 
@@ -82,8 +87,8 @@
 files_exec_etc_files(hald_t)
 files_read_etc_files(hald_t)
 files_rw_etc_runtime_files(hald_t)
-files_search_mnt(hald_t)
 files_manage_mnt_dirs(hald_t)
+files_manage_mnt_files(hald_t)
 files_search_var_lib(hald_t)
 files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
@@ -158,6 +163,7 @@
 	dbus_system_bus_client_template(hald,hald_t)
 	dbus_send_system_bus_msg(hald_t)
 	dbus_connect_system_bus(hald_t)
+	allow hald_t self:dbus send_msg;
 
 	init_dbus_chat_script(hald_t)
 
@@ -212,3 +218,7 @@
 optional_policy(`vbetool',`
 	vbetool_domtrans(hald_t)
 ')
+
+optional_policy(`bind',`
+	bind_search_cache(hald_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.1.11/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/services/mta.te	2006-01-16 22:32:53.000000000 -0500
@@ -46,6 +46,7 @@
 
 allow system_mail_t etc_mail_t:dir { getattr search };
 allow system_mail_t etc_mail_t:file r_file_perms;
+allow system_mail_t eventpollfs_t:file r_file_perms;
 
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.1.11/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/services/sendmail.te	2006-01-16 22:32:53.000000000 -0500
@@ -17,6 +17,7 @@
 
 type sendmail_t;
 mta_sendmail_mailserver(sendmail_t)
+mta_read_config(sendmail_t)
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
 
@@ -53,6 +54,7 @@
 corenet_udp_bind_all_nodes(sendmail_t)
 corenet_tcp_bind_smtp_port(sendmail_t)
 corenet_tcp_connect_all_ports(sendmail_t)
+allow sendmail_t self:udp_socket create_socket_perms;
 
 dev_read_urand(sendmail_t)
 dev_read_sysfs(sendmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.1.11/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2006-01-13 17:06:08.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/authlogin.if	2006-01-16 22:32:53.000000000 -0500
@@ -1075,3 +1075,16 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
+#######################################
+#
+# auth_setattr_login_records(domain)
+#
+interface(`auth_setattr_login_records',`
+	gen_require(`
+		type wtmp_t;
+		class file setattr;
+	')
+
+	allow $1 wtmp_t:file setattr;
+	logging_search_logs($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.1.11/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-01-13 17:06:08.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/authlogin.te	2006-01-16 22:32:53.000000000 -0500
@@ -129,14 +129,6 @@
 	nscd_use_socket(pam_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
-# Supress xdm denial
-ifdef(`xdm.te', `
-dontaudit pam_t xdm_t:fd use;
-') dnl ifdef
-') dnl endif TODO
-
 ########################################
 #
 # PAM console local policy
@@ -223,6 +215,10 @@
 	userdom_dontaudit_use_sysadm_terms(pam_console_t)
 ')
 
+optional_policy(`alsa',`
+	alsa_domtrans(pam_console_t)
+')
+
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(pam_console_t)
 	term_dontaudit_use_generic_pty(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.1.11/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/hostname.te	2006-01-16 22:32:53.000000000 -0500
@@ -29,6 +29,7 @@
 
 fs_getattr_xattr_fs(hostname_t)
 fs_search_auto_mountpoints(hostname_t)
+fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
 
 term_dontaudit_use_console(hostname_t)
 term_use_all_user_ttys(hostname_t)
@@ -55,35 +56,6 @@
 sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
-userdom_use_all_user_fd(hostname_t)
 
-ifdef(`distro_redhat', `
-	fs_use_tmpfs_chr_dev(hostname_t)
-')
-
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_tty(hostname_t)
-	term_dontaudit_use_generic_pty(hostname_t)
-	files_dontaudit_read_root_file(hostname_t)
-')
-
-optional_policy(`firstboot',`
-	firstboot_use_fd(hostname_t)
-')
-
-optional_policy(`hotplug',`
-	hotplug_dontaudit_use_fd(hostname_t)
-')
-
-optional_policy(`nscd',`
-	nscd_use_socket(hostname_t)
-')
-
-optional_policy(`selinuxutil',`
-	seutil_sigchld_newrole(hostname_t)
-')
-
-optional_policy(`udev',`
-	udev_dontaudit_use_fd(hostname_t)
-	udev_read_db(hostname_t)
-')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.1.11/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/init.te	2006-01-16 22:32:53.000000000 -0500
@@ -298,6 +298,7 @@
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
+auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
 auth_delete_pam_pid(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.1.11/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-01-13 09:48:27.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/libraries.fc	2006-01-16 22:32:53.000000000 -0500
@@ -158,7 +158,7 @@
 
 # Flash plugin, Macromedia
 HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.1.11/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te	2006-01-13 17:06:08.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/lvm.te	2006-01-16 22:32:53.000000000 -0500
@@ -209,6 +209,7 @@
 storage_manage_fixed_disk(lvm_t)
 
 term_dontaudit_getattr_all_user_ttys(lvm_t)
+term_dontaudit_getattr_pty_dir(lvm_t)
 
 corecmd_search_sbin(lvm_t)
 corecmd_dontaudit_getattr_sbin_file(lvm_t)
@@ -260,10 +261,3 @@
 	udev_read_db(lvm_t)
 ')
 
-ifdef(`TODO',`
-# it has no reason to need this
-allow lvm_t var_t:dir { search getattr };
-allow lvm_t ramfs_t:filesystem unmount;
-
-dontaudit lvm_t xconsole_device_t:fifo_file getattr;
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.1.11/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-01-13 17:06:08.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/mount.te	2006-01-16 22:32:53.000000000 -0500
@@ -32,6 +32,7 @@
 
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
+dev_rw_lvm_control(mount_t)
 
 storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
@@ -46,7 +47,7 @@
 fs_search_auto_mountpoints(mount_t)
 fs_use_tmpfs_chr_dev(mount_t)
 
-term_use_console(mount_t)
+term_use_all_terms(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_sbin(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.1.11/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/selinuxutil.te	2006-01-16 22:32:53.000000000 -0500
@@ -316,6 +316,7 @@
 #
 
 allow restorecon_t self:capability { dac_override dac_read_search fowner };
+allow restorecon_t self:fifo_file rw_file_perms;
 
 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
@@ -414,6 +415,7 @@
 	allow run_init_t self:capability setuid;
 	allow run_init_t self:fifo_file rw_file_perms;
 	allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
+	domain_auto_trans(run_init_t,initrc_exec_t,initrc_t)
 
 	# often the administrator runs such programs from a directory that is owned
 	# by a different user or has restrictive SE permissions, do not want to audit
@@ -469,6 +471,7 @@
 #
 
 allow setfiles_t self:capability { dac_override dac_read_search fowner };
+allow setfiles_t self:fifo_file rw_file_perms;
 
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.1.11/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/unconfined.if	2006-01-16 22:32:53.000000000 -0500
@@ -33,6 +33,7 @@
 	corenet_unconfined($1)
 	dev_unconfined($1)
 	domain_unconfined($1)
+	domain_dontaudit_read_all_domains_state($1)
 	files_unconfined($1)
 	fs_unconfined($1)
 	selinux_unconfined($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.1.11/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-01-16 22:19:19.000000000 -0500
+++ serefpolicy-2.1.11/policy/modules/system/userdomain.if	2006-01-16 22:32:53.000000000 -0500
@@ -103,6 +103,7 @@
 	# execute files in the home directory
 	can_exec($1_t,$1_home_t)
 
+	allow $1_t home_root_t:dir { getattr search };
 	# full control of the home directory
 	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
 	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.1.11/policy/users
--- nsaserefpolicy/policy/users	2005-12-05 22:35:02.000000000 -0500
+++ serefpolicy-2.1.11/policy/users	2006-01-16 22:32:53.000000000 -0500
@@ -26,7 +26,9 @@
 ifdef(`targeted_policy',`
 gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
-gen_user(user_u, user_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user_r, s0, s0 - s0, c0)
+gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
 #
@@ -40,8 +42,8 @@
 	gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm_r staff_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')

^ permalink raw reply	[flat|nested] 19+ messages in thread
* Latest  Diff
@ 2006-01-24 21:58 Daniel J Walsh
  2006-01-25 18:41 ` Christopher J. PeBenito
  0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2006-01-24 21:58 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1031 bytes --]

Alsa wants access to tty.
Also need to transiton from locallogin not pam_console.

kudzu wants to look at removable devices

prelink is writing files to /var/lib/misc
Also wants to read etc_t

readahead wants to read kcore and is not allowed to on MLS machine

lvm is putting up a symlink in tmpfs_t which a few domains want to read.

tmpreaper wants to look in the print spooler

slocate needs access to shared libraries, and localization files

automount wants to mount on /misc

cups seems to be looking for serial printers ???

dbus moved

I put some fixes in in order to build a default modules.conf file for 
strict policy.  Still needs lots of loving...

sulogin needs nscd

fixes for syslogd to work over the network

insmod needs to read file_context in order to setup removable_t

I want to eliminate sysadm_t from running "entry_point" applications.  
If a sysadm accidently starts a daemon, it will run under sysadm_t which 
could have dire ramifications in MLS/Strict policy

Fixes for users file for strict policy




[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 17006 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-2.2.5/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te	2006-01-12 18:28:45.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/alsa.te	2006-01-24 13:48:54.000000000 -0500
@@ -34,6 +34,7 @@
 files_read_etc_files(alsa_t)
 
 term_use_generic_pty(alsa_t)
+term_dontaudit_use_unallocated_tty(alsa_t)
 
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.2.5/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te	2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/kudzu.te	2006-01-24 13:54:24.000000000 -0500
@@ -73,6 +73,7 @@
 storage_read_tape_device(kudzu_t)
 storage_raw_write_fixed_disk(kudzu_t)
 storage_raw_read_fixed_disk(kudzu_t)
+storage_raw_read_removable_device(kudzu_t)
 
 term_search_ptys(kudzu_t)
 term_dontaudit_use_console(kudzu_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-2.2.5/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc	2006-01-11 18:41:32.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/prelink.fc	2006-01-24 12:45:29.000000000 -0500
@@ -4,3 +4,4 @@
 /usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
 
 /var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
+/var/lib/misc/prelink\.*	--	gen_context(system_u:object_r:prelink_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.5/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te	2006-01-13 17:06:02.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/prelink.te	2006-01-24 12:47:49.000000000 -0500
@@ -28,6 +28,7 @@
 
 allow prelink_t prelink_cache_t:file manage_file_perms;
 files_filetrans_etc(prelink_t, prelink_cache_t, file)
+files_filetrans_var_lib(prelink_t, prelink_cache_t, file)
 
 allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
 allow prelink_t prelink_log_t:file { create ra_file_perms };
@@ -58,6 +59,7 @@
 files_list_all(prelink_t)
 files_getattr_all_files(prelink_t)
 files_write_non_security_dir(prelink_t)
+files_read_etc_files(prelink_t)
 files_read_etc_runtime_files(prelink_t)
 
 fs_getattr_xattr_fs(prelink_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.2.5/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te	2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/readahead.te	2006-01-24 16:51:20.000000000 -0500
@@ -27,7 +27,7 @@
 
 kernel_read_kernel_sysctl(readahead_t)
 kernel_read_system_state(readahead_t)
-kernel_getattr_core(readahead_t)
+kernel_dontaudit_getattr_core(readahead_t)
 
 dev_read_sysfs(readahead_t)
 dev_getattr_generic_chr_file(readahead_t)
@@ -48,6 +48,7 @@
 fs_getattr_all_pipes(readahead_t)
 fs_getattr_all_files(readahead_t)
 fs_search_ramfs(readahead_t)
+fs_read_tmpfs_symlinks(readahead_t)
 
 term_dontaudit_use_console(readahead_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-2.2.5/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/tmpreaper.te	2006-01-24 12:53:38.000000000 -0500
@@ -44,6 +44,10 @@
 
 cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
 
+optional_policy(`lpd',`
+	lpd_manage_spool(tmpreaper_t)
+')
+
 ifdef(`TODO',`
 allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.2.5/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te	2006-01-16 13:55:42.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/apps/slocate.te	2006-01-24 13:16:12.000000000 -0500
@@ -34,13 +34,16 @@
 
 corecmd_exec_bin(locate_t)
 
+libs_use_shared_libs(locate_t)
+libs_use_ld_so(locate_t)
+
 files_list_all(locate_t)
 files_getattr_all_files(locate_t)
 files_read_etc_runtime_files(locate_t)
 files_read_etc_files(locate_t)
 
 fs_getattr_xattr_fs(locate_t)
-
+miscfiles_read_localization(locate_t)
 optional_policy(`cron',`
 	cron_system_entry(locate_t, locate_exec_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/bootloader.te serefpolicy-2.2.5/policy/modules/kernel/bootloader.te
--- nsaserefpolicy/policy/modules/kernel/bootloader.te	2006-01-19 10:00:40.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/kernel/bootloader.te	2006-01-24 12:28:24.000000000 -0500
@@ -115,6 +115,7 @@
 dev_read_raw_memory(bootloader_t)
 
 fs_getattr_xattr_fs(bootloader_t)
+fs_read_tmpfs_symlinks(bootloader_t)
 
 term_getattr_all_user_ttys(bootloader_t)
 term_dontaudit_manage_pty_dir(bootloader_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.5/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-01-19 10:00:40.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/kernel/files.if	2006-01-24 12:48:54.000000000 -0500
@@ -354,10 +354,12 @@
 		attribute file_type;
 		class dir search;
 		class file getattr;
+		class lnk_file getattr;
 	')
 
 	allow $1 file_type:dir search;
 	allow $1 file_type:file getattr;
+	allow $1 file_type:lnk_file getattr;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-01-20 10:02:32.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/kernel/filesystem.if	2006-01-24 13:39:15.000000000 -0500
@@ -2295,6 +2295,23 @@
 
 ########################################
 ## <summary>
+##	Read tmpfs link files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fs_read_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 tmpfs_t:lnk_file read;
+')
+
+########################################
+## <summary>
 ##	Read and write character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-2.2.5/policy/modules/services/automount.fc
--- nsaserefpolicy/policy/modules/services/automount.fc	2005-12-09 16:09:22.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/automount.fc	2006-01-24 11:56:59.000000000 -0500
@@ -14,3 +14,7 @@
 #
 
 /var/run/autofs(/.*)?		gen_context(system_u:object_r:automount_var_run_t,s0)
+#
+# /misc
+#
+/misc		-d 		gen_context(system_u:object_r:mnt_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.5/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-01-17 17:08:53.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/cups.te	2006-01-24 11:56:59.000000000 -0500
@@ -148,6 +148,7 @@
 fs_search_auto_mountpoints(cupsd_t)
 
 term_dontaudit_use_console(cupsd_t)
+term_write_unallocated_ttys(cupsd_t)
 
 auth_domtrans_chk_passwd(cupsd_t)
 auth_dontaudit_read_pam_pid(cupsd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.2.5/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc	2005-11-14 18:24:08.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/dbus.fc	2006-01-24 11:56:59.000000000 -0500
@@ -1,5 +1,6 @@
 /etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
 
+# Sorting does not work correctly if I combine these next two roles
 /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
-
+/bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
 /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.5/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/procmail.te	2006-01-24 13:19:41.000000000 -0500
@@ -66,6 +66,7 @@
 userdom_priveleged_home_dir_manager(procmail_t)
 # Do not audit attempts to access /root.
 userdom_dontaudit_search_sysadm_home_dir(procmail_t)
+userdom_dontaudit_search_staff_home_dir(procmail_t)
 
 mta_manage_spool(procmail_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2006-01-23 08:26:51.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/xserver.if	2006-01-24 11:56:59.000000000 -0500
@@ -6,6 +6,9 @@
 	#
 	# Declarations
 	#
+	gen_require(`
+		type xkb_var_lib_t, xserver_log_t;
+	')
 
 	type $1_xserver_t;
 	domain_type($1_xserver_t)
@@ -202,6 +205,12 @@
 	# Declarations
 	#
 
+	gen_require(`
+		type xauth_exec_t;
+		type xserver_exec_t;
+		type iceauth_exec_t;
+	')
+
 	xserver_common_domain_template($1)
 	role $3 types $1_xserver_t;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.5/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/authlogin.te	2006-01-24 13:17:33.000000000 -0500
@@ -221,10 +221,6 @@
 	files_dontaudit_read_root_file(pam_console_t)
 ')
 
-optional_policy(`alsa',`
-	alsa_domtrans(pam_console_t)
-')
-
 optional_policy(`gpm',`
 	gpm_getattr_gpmctl(pam_console_t)
 	gpm_setattr_gpmctl(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.5/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2006-01-17 17:08:56.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/fstools.te	2006-01-24 13:39:56.000000000 -0500
@@ -81,6 +81,7 @@
 # for /dev/shm
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dir(fsadm_t)
+fs_read_tmpfs_symlinks(fsadm_t)
 
 mls_file_write_down(fsadm_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.2.5/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/locallogin.te	2006-01-24 13:17:56.000000000 -0500
@@ -210,13 +210,13 @@
 	usermanage_read_crack_db(local_login_t)
 ')
 
+optional_policy(`alsa',`
+	alsa_domtrans(local_login_t)
+')
+
 ifdef(`TODO',`
 # Login can polyinstantiate
 polyinstantiater(local_login_t)
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
 ') dnl endif TODO
 
 #################################
@@ -266,6 +266,10 @@
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
 ifdef(`distro_debian', `define(`sulogin_no_pam')')
 
+optional_policy(`nscd',`
+	nscd_use_socket(sulogin_t)
+')
+
 ifdef(`sulogin_no_pam', `
 	allow sulogin_t self:capability sys_tty_config;
 	init_get_process_group(sulogin_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.5/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/logging.te	2006-01-24 11:56:59.000000000 -0500
@@ -98,10 +98,12 @@
 audit_manager_domain(secadm_t)
 
 ifdef(`targeted_policy', `', `
-ifdef(`separate_secadm', `', `
+ifdef(`enable_mls', `
+audit_manager_domain(secadm_t)
+', `
 audit_manager_domain(sysadm_t)
-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
 ') 
+allow auditctl_t admin_tty_type:chr_file rw_file_perms;
 ')
 ') dnl end TODO
 
@@ -272,9 +274,6 @@
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file create_file_perms;
 files_filetrans_pid(syslogd_t,devlog_t,sock_file)
-# cjp: I belive these are not needed:
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
 
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
@@ -325,8 +324,7 @@
 corenet_non_ipsec_sendrecv(syslogd_t)
 corenet_udp_bind_all_nodes(syslogd_t)
 corenet_tcp_bind_syslogd_port(syslogd_t)
-#cjp: why?
-corenet_tcp_connect_rsh_port(syslogd_t)
+corenet_udp_bind_syslogd_port(syslogd_t)
 
 fs_getattr_all_fs(syslogd_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.2.5/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te	2006-01-17 17:08:57.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/lvm.te	2006-01-24 13:39:43.000000000 -0500
@@ -198,6 +198,7 @@
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
+fs_read_tmpfs_symlinks(lvm_t)
 
 storage_relabel_fixed_disk(lvm_t)
 # LVM creates block devices in /dev/mapper or /dev/<vg>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.2.5/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te	2006-01-13 17:06:08.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/modutils.te	2006-01-24 13:41:16.000000000 -0500
@@ -113,6 +113,8 @@
 
 miscfiles_read_localization(insmod_t)
 
+seutil_read_file_contexts(insmod_t)
+
 if( ! secure_mode_insmod ) {
 	kernel_userland_entry(insmod_t,insmod_exec_t)
 }
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.5/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-01-17 17:08:57.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/mount.te	2006-01-24 12:28:29.000000000 -0500
@@ -46,6 +46,7 @@
 fs_relabelfrom_all_fs(mount_t)
 fs_search_auto_mountpoints(mount_t)
 fs_use_tmpfs_chr_dev(mount_t)
+fs_read_tmpfs_symlinks(mount_t)
 
 term_use_all_terms(mount_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-01-23 08:26:51.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/userdomain.if	2006-01-24 13:20:21.000000000 -0500
@@ -219,7 +219,7 @@
 	corecmd_exec_sbin($1_t)
 	corecmd_exec_ls($1_t)
 
-	domain_exec_all_entry_files($1_t)
+#	domain_exec_all_entry_files($1_t)
 	domain_use_wide_inherit_fd($1_t)
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc.  Do not audit these denials.
@@ -533,6 +533,7 @@
 
 	typeattribute $1_t unpriv_userdomain;
 	domain_wide_inherit_fd($1_t)
+	domain_exec_all_entry_files($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.5/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-01-19 10:00:42.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/userdomain.te	2006-01-24 13:52:39.000000000 -0500
@@ -145,6 +145,8 @@
 	allow sysadm_t user_home_dir_t:dir create_dir_perms;
 	files_filetrans_home(sysadm_t,user_home_dir_t)
 
+	corecmd_exec_shell(sysadm_t)
+
 	mls_process_read_up(sysadm_t)
 
 	logging_read_audit_log(sysadm_t)
@@ -214,6 +216,10 @@
 		hostname_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`consoletype',`
+		consoletype_exec(sysadm_t)
+	')
+
 	optional_policy(`ipsec',`
 		# allow system administrator to use the ipsec script to look
 		# at things (e.g., ipsec auto --status)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.5/policy/users
--- nsaserefpolicy/policy/users	2006-01-20 10:02:31.000000000 -0500
+++ serefpolicy-2.2.5/policy/users	2006-01-24 11:56:59.000000000 -0500
@@ -27,7 +27,7 @@
 gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 gen_user(user_u, user_r, s0, s0)
-gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff_r ifdef(`enable_mls', `secadm_r')  sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
@@ -41,9 +41,6 @@
 ifdef(`targeted_policy',`
 	gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
-	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
-	',`
-		gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
-	')
+	
+	gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') ifdef(`direct_sysadm_daemon',`system_r'), s0, s0 - s15:c0.c255, c0.c255)
 ')

^ permalink raw reply	[flat|nested] 19+ messages in thread
* Latest diff
@ 2006-01-27  6:37 Daniel J Walsh
  2006-01-27 20:07 ` Christopher J. PeBenito
  0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2006-01-27  6:37 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1285 bytes --]

Mainly this patch splits secadm_r from sysadm_r.  Still have some 
problems.  (rpm_script_t executing load_policy is failing and I don't 
know why.  No AVC messages)

Add rpm definitions for pub and pirut.

Need to run load_policy from rpm_script in the correct role.  So added 
seutil_run_loadpol to rpm.if

rpm_script wants to output to the terminal.

Mono needs execmem.

Error in the files.if file.

inotify and udev caused audit to go nuts on MLS platform.  Wants to 
search the inotifyfs_t dir

Want to drop sensitivity level on rpm and lvm when run by kernel or 
sysadm_t at SystemHigh.

Add +/dev/xvd for Zen machines

Cups looks like it is probing all ttydevices for serial printers I guess.

Hal wants to communicate with initctl and read utmp

sulogin wants to use a tmpfs_t:chr_file if udev has not started.

Insmod reads /etc/selinux/targeted/contexts/files/media file.

Fix run_init to use netlink_audit_t

Stop auditing denials to execstack.  Too many files ask for it and it 
does not seem to break anything.  Log files are filling up with denials.

On mls machines, secadm can only run SELinux utilities and read the 
auditfiles, and is not allowed to do most of what sysadm_t can.  
Sysadm_t is not allowed to run most  SELinux utilities or read the 
auditfiles.





[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 12622 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.2.7/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-01-13 09:48:26.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/admin/rpm.fc	2006-01-26 17:01:26.000000000 -0500
@@ -16,6 +16,8 @@
 /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.2.7/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2006-01-04 17:28:52.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/admin/rpm.if	2006-01-26 17:01:26.000000000 -0500
@@ -71,6 +71,7 @@
 	rpm_domtrans($1)
 	role $2 types rpm_t;
 	role $2 types rpm_script_t;
+	seutil_run_loadpol(rpm_script_t,$2,$3)
 	allow rpm_t $3:chr_file rw_term_perms;
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.7/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/admin/rpm.te	2006-01-26 17:01:26.000000000 -0500
@@ -288,6 +288,7 @@
 
 term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
+term_use_all_terms(rpm_script_t)
 
 auth_dontaudit_getattr_shadow(rpm_script_t)
 # ideally we would not need this
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.7/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	2006-01-19 18:02:04.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/apps/mono.te	2006-01-26 17:01:26.000000000 -0500
@@ -18,7 +18,7 @@
 #
 
 ifdef(`targeted_policy',`
-	allow mono_t self:process execheap;
+	allow mono_t self:process { execheap execmem };
 	unconfined_domain_template(mono_t)
 	role system_r types mono_t;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.2.7/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc	2006-01-25 15:58:58.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/files.fc	2006-01-26 17:01:26.000000000 -0500
@@ -126,6 +126,11 @@
 /mnt/[^/]*/.*			<<none>>
 
 #
+# /net
+#
+/net			-d	gen_context(system_u:object_r:mnt_t,s0)
+
+#
 # /opt
 #
 /opt(/.*)?			gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.7/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-01-25 15:58:59.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/files.if	2006-01-26 17:01:26.000000000 -0500
@@ -321,7 +321,7 @@
 		attribute file_type, security_file_type;
 	')
 
-	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+	allow $1 { file_type -security_file_type }:dir r_dir_perms;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.7/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-01-25 15:58:59.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/filesystem.if	2006-01-26 17:01:26.000000000 -0500
@@ -2855,3 +2855,22 @@
 	# and its files.
 	allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
 ')
+
+
+########################################
+## <summary>
+##	Search inotifyfs_t filesystem 
+## </summary>
+## <param name="domain">
+##	The type of the domain performing this action.
+## </param>
+#
+interface(`fs_search_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+		class dir search_dir_perms;
+	')
+
+	allow $1 inotifyfs_t:dir search_dir_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.7/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/mls.te	2006-01-26 17:01:26.000000000 -0500
@@ -86,7 +86,8 @@
 ')
 
 ifdef(`enable_mls',`
-# run init with maximum MLS range
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 range_transition initrc_t auditd_exec_t s15:c0.c255;
+range_transition sysadm_t rpm_exec_t s0 - s15:c0.c255;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.2.7/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc	2006-01-09 11:32:53.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/kernel/storage.fc	2006-01-26 17:01:26.000000000 -0500
@@ -12,6 +12,7 @@
 /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 /dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 /dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.7/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-01-17 17:08:53.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/services/cups.te	2006-01-26 17:01:26.000000000 -0500
@@ -148,6 +148,7 @@
 fs_search_auto_mountpoints(cupsd_t)
 
 term_dontaudit_use_console(cupsd_t)
+term_write_unallocated_ttys(cupsd_t)
 
 auth_domtrans_chk_passwd(cupsd_t)
 auth_dontaudit_read_pam_pid(cupsd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.7/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/services/hal.te	2006-01-26 17:01:26.000000000 -0500
@@ -116,6 +116,8 @@
 init_use_fd(hald_t)
 init_use_script_pty(hald_t)
 init_domtrans_script(hald_t)
+init_write_initctl(hald_t)
+init_read_utmp(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.2.7/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2006-01-25 15:59:01.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/locallogin.te	2006-01-26 17:01:26.000000000 -0500
@@ -27,6 +27,8 @@
 domain_subj_id_change_exempt(sulogin_t)
 domain_role_change_exempt(sulogin_t)
 domain_wide_inherit_fd(sulogin_t)
+fs_use_tmpfs_chr_dev(sulogin_t)
+
 init_domain(sulogin_t,sulogin_exec_t)
 init_system_domain(sulogin_t,sulogin_exec_t)
 role system_r types sulogin_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.2.7/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te	2006-01-13 17:06:08.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/modutils.te	2006-01-26 17:01:26.000000000 -0500
@@ -113,6 +113,8 @@
 
 miscfiles_read_localization(insmod_t)
 
+seutil_read_file_contexts(insmod_t)
+
 if( ! secure_mode_insmod ) {
 	kernel_userland_entry(insmod_t,insmod_exec_t)
 }
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.7/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/selinuxutil.te	2006-01-26 17:01:26.000000000 -0500
@@ -414,7 +414,7 @@
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
 	allow run_init_t self:fifo_file rw_file_perms;
-	allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
+	allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 	# often the administrator runs such programs from a directory that is owned
 	# by a different user or has restrictive SE permissions, do not want to audit
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.2.7/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te	2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/udev.te	2006-01-26 17:01:26.000000000 -0500
@@ -90,6 +90,7 @@
 dev_delete_generic_file(udev_t)
 
 fs_getattr_all_fs(udev_t)
+fs_search_inotifyfs(udev_t)
 
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.7/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-01-20 10:02:33.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/unconfined.if	2006-01-26 17:01:26.000000000 -0500
@@ -54,8 +54,13 @@
 	tunable_policy(`allow_execmem && allow_execstack',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execstack;
+	', `
+		# These are fairly common but seem to be harmless
+		# caused by using shared libraries built with old tool chains
+		dontaudit $1 self:process execstack;
 	')
 
+
 	optional_policy(`authlogin',`
 		auth_unconfined($1)
 	')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-01-26 16:54:28.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/userdomain.if	2006-01-26 17:01:26.000000000 -0500
@@ -848,9 +848,6 @@
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
 
-	selinux_set_enforce_mode($1_t)
-	selinux_set_boolean($1_t)
-	selinux_set_parameters($1_t)
 	# Get security policy decisions:
 	selinux_get_fs_mount($1_t)
 	selinux_validate_context($1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.7/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-01-26 16:54:28.000000000 -0500
+++ serefpolicy-2.2.7/policy/modules/system/userdomain.te	2006-01-26 17:12:42.000000000 -0500
@@ -154,10 +154,16 @@
 
 	corecmd_exec_shell(sysadm_t)
 
-	mls_process_read_up(sysadm_t)
-
-	logging_read_audit_log(sysadm_t)
+	ifdef(`enable_mls',`
+		logging_read_audit_log(secadm_t)
+		logging_domtrans_auditctl(secadm_t)
+		mls_process_read_up(secadm_t)
+	', `
+		logging_domtrans_auditctl(sysadm_t)
+		logging_read_audit_log(sysadm_t)
+	')
 
+	mls_process_read_up(sysadm_t)
 	ifdef(`direct_sysadm_daemon',`
 		optional_policy(`init',`
 			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
@@ -168,6 +174,10 @@
 		domain_ptrace_all_domains(sysadm_t)
 	')
 
+	optional_policy(`dmesg',`
+		dmesg_exec(sysadm_t)
+	')
+
 	optional_policy(`amanda',`
 		amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
 	')
@@ -205,6 +215,9 @@
 
 	optional_policy(`consoletype',`
 		consoletype_exec(sysadm_t)
+		ifdef(`enable_mls',`
+			consoletype_exec(secadm_t)
+		')
 	')
 
 	optional_policy(`ddcprobe',`
@@ -320,10 +333,24 @@
 	')
 
 	optional_policy(`selinuxutil',`
-		seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
-		seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
+		ifdef(`enable_mls',`
+			seutil_manage_binary_pol(secadm_t)
+			seutil_run_checkpol(secadm_t,secadm_r,admin_terminal)
+			seutil_run_loadpol(secadm_t,secadm_r,admin_terminal)
+			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+			selinux_set_enforce_mode(secadm_t)
+			selinux_set_boolean(secadm_t)
+			selinux_set_parameters(secadm_t)
+		', `
+			seutil_manage_binary_pol(sysadm_t)
+			seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
+			selinux_set_enforce_mode(sysadm_t)
+			selinux_set_boolean(sysadm_t)
+			selinux_set_parameters(sysadm_t)
+		')
 		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
-		seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
 
 		ifdef(`targeted_policy',`',`
 			seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)

^ permalink raw reply	[flat|nested] 19+ messages in thread
end of thread, other threads:[~2006-01-28 21:17 UTC | newest]

Thread overview: 19+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-03-19  6:53 latest diff Daniel J Walsh
2005-03-19 16:14 ` Christopher J. PeBenito
2005-03-19 16:36   ` Daniel J Walsh
2005-03-23 11:10     ` Thomas Bleher
2005-03-23 13:51       ` Stephen Smalley
2005-04-20 12:22     ` Russell Coker
2005-03-21 19:40 ` James Carter
  -- strict thread matches above, loose matches on Subject: below --
2005-03-22 18:24 Latest diff Daniel J Walsh
2005-03-22 20:20 ` Daniel J Walsh
2005-03-23 18:25 ` James Carter
2005-05-19 18:51 Latest Diff Daniel J Walsh
2005-05-19 21:36 ` Ivan Gyurdiev
2006-01-17  4:06 latest diff Daniel J Walsh
2006-01-17 18:35 ` Christopher J. PeBenito
2006-01-24 21:58 Latest Diff Daniel J Walsh
2006-01-25 18:41 ` Christopher J. PeBenito
2006-01-27  6:37 Latest diff Daniel J Walsh
2006-01-27 20:07 ` Christopher J. PeBenito
2006-01-28 21:17   ` Daniel J Walsh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.