[selinux-policy: 663/3172] more upstream merging

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:02:14 UTC 2010


commit cf6a7d8993931146ccb462868e1ddf1052e1dc5b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Sep 16 21:20:37 2005 +0000

    more upstream merging

 refpolicy/policy/modules/admin/netutils.te     |   18 +++++--
 refpolicy/policy/modules/admin/rpm.te          |    5 ++-
 refpolicy/policy/modules/admin/tmpreaper.te    |    1 +
 refpolicy/policy/modules/kernel/devices.if     |   70 ++++++++++++++++++++++++
 refpolicy/policy/modules/kernel/filesystem.if  |   17 ++++++
 refpolicy/policy/modules/kernel/kernel.te      |   10 ++++
 refpolicy/policy/modules/services/cron.te      |    6 ++-
 refpolicy/policy/modules/services/rsync.te     |    2 +-
 refpolicy/policy/modules/services/samba.te     |    1 +
 refpolicy/policy/modules/services/ssh.if       |    2 +
 refpolicy/policy/modules/system/authlogin.if   |   18 ++++++
 refpolicy/policy/modules/system/authlogin.te   |    2 +
 refpolicy/policy/modules/system/lvm.te         |    5 +-
 refpolicy/policy/modules/system/miscfiles.if   |   49 ++++++++++++++++-
 refpolicy/policy/modules/system/modutils.te    |    9 ++-
 refpolicy/policy/modules/system/mount.te       |    2 +-
 refpolicy/policy/modules/system/pcmcia.if      |   29 ++++++-----
 refpolicy/policy/modules/system/selinuxutil.te |    5 ++
 strict/domains/misc/kernel.te                  |    9 +++-
 strict/domains/program/crond.te                |    5 +-
 strict/domains/program/lvm.te                  |    3 +-
 strict/domains/program/modutil.te              |    1 +
 strict/domains/program/mount.te                |    2 +-
 strict/domains/program/mysqld.te               |    3 +
 strict/domains/program/pamconsole.te           |    2 +-
 strict/domains/program/ping.te                 |    7 ++-
 strict/domains/program/portmap.te              |    2 +-
 strict/domains/program/restorecon.te           |    8 ++-
 strict/domains/program/rpm.te                  |    3 +-
 strict/domains/program/rsync.te                |    2 +-
 strict/domains/program/samba.te                |    1 +
 strict/domains/program/ssh.te                  |    3 +
 strict/domains/program/tmpreaper.te            |    4 +-
 strict/macros/core_macros.te                   |    1 +
 strict/macros/global_macros.te                 |   24 ++++++++
 strict/macros/network_macros.te                |    4 +-
 36 files changed, 289 insertions(+), 46 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 3579887..01b3216 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -121,9 +121,18 @@ sysnet_dns_name_resolve(ping_t)
 
 logging_send_syslog_msg(ping_t)
 
-tunable_policy(`user_ping',`
+ifdef(`hide_broken_symptoms',`
+	init_dontaudit_use_fd(ping_t)
+')
+
+ifdef(`targeted_policy',`
 	term_use_all_user_ttys(ping_t)
 	term_use_all_user_ptys(ping_t)
+',`
+	tunable_policy(`user_ping',`
+		term_use_all_user_ttys(ping_t)
+		term_use_all_user_ptys(ping_t)
+	')
 ')
 
 optional_policy(`nis.te',`
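Review bot: `init_dontaudit_use_fd(ping_t)` under `hide_broken_symptoms` only silences the denial, while the strict-policy rule this commit adds for the same case (strict/domains/program/ping.te) grants the access with `allow ping_t init_t:fd use;`. One of the two is presumably unintended. For a flag named hide_broken_symptoms the dontaudit form looks like the safer reading, in which case the strict rule would become `dontaudit ping_t init_t:fd use;`. Separately, the two `term_use_all_user_*` calls are now repeated in both branches, and a one-line comment saying why the targeted policy grants them unconditionally would help.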
@@ -134,6 +143,10 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(ping_t)
 ')
 
+optional_policy(`pcmcia.te',`
+	pcmcia_use_cardmgr_fd(ping_t)
+')
+
 optional_policy(`sysnetwork.te',`
 	optional_policy(`hotplug.te',`
 		hotplug_use_fd(ping_t)
@@ -146,9 +159,6 @@ tunable_policy(`user_ping',`
 	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
 	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
 ')
-ifdef(`cardmgr.te',`
-	allow ping_t cardmgr_t:fd use;
-')
 ') dnl end TODO
 
 ########################################
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 13cad13..bb43066 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -6,10 +6,11 @@ policy_module(rpm,1.0)
 # Declarations
 #
 
-type rpm_t; #, admin, privmem, priv_system_role;
+type rpm_t; #, priv_system_role;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
 domain_obj_id_change_exempt(rpm_t)
+domain_role_change_exempt(rpm_t)
 domain_wide_inherit_fd(rpm_t)
 role system_r types rpm_t;
 
@@ -179,6 +180,8 @@ optional_policy(`nis.te',`
 ')
 
 ifdef(`TODO',`
+# cjp: this seems way out of place
+role sysadm_r types initrc_t;
 
 type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
 
diff --git a/refpolicy/policy/modules/admin/tmpreaper.te b/refpolicy/policy/modules/admin/tmpreaper.te
index a2afcf3..c236076 100644
--- a/refpolicy/policy/modules/admin/tmpreaper.te
+++ b/refpolicy/policy/modules/admin/tmpreaper.te
@@ -37,6 +37,7 @@ libs_use_shared_libs(tmpreaper_t)
 logging_send_syslog_msg(tmpreaper_t)
 
 miscfiles_read_localization(tmpreaper_t)
+miscfiles_delete_man_pages(tmpreaper_t)
 
 cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
 
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 978c2b0..4953fae 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -675,6 +675,38 @@ interface(`dev_setattr_all_chr_files',`
 
 ########################################
 ## <summary>
+##	Dontaudit read on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_read_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:blk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Dontaudit read on all character file device nodes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_read_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:chr_file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Read, write, create, and delete all block device files.
 ## </summary>
 ## <param name="domain">
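Review bot: The summaries of `dev_dontaudit_read_all_blk_files` and `dev_dontaudit_read_all_chr_files` mention only "read", but both rules suppress `{ getattr read }`. The summary should say so, for example `Do not audit attempts to get the attributes of or read all block device nodes.`, and likewise for character nodes. Because a dontaudit on the `device_node` attribute removes the audit record for a denied read of any device node, the description is also a good place to state that callers should be limited to domains known to scan /dev.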
@@ -2171,6 +2203,44 @@ interface(`dev_dontaudit_setattr_video_dev',`
 
 ########################################
 ## <summary>
+##	Get the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_setattr_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
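Review bot: Both new interfaces list `class dir r_dir_perms;` and a `class chr_file ...;` line in `gen_require`, while the pcmcia.if part of this same commit removes exactly such class lines and the new `pcmcia_use_cardmgr_fd` omits them. Using one convention for the interfaces added in this commit would avoid a later cleanup. The same applies to `auth_append_faillog` in authlogin.if and the two new man-page interfaces in miscfiles.if. If the class lines are being phased out, the require block here reduces to `type device_t, xserver_misc_device_t;`.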
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index a3c784f..e987e51 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1969,6 +1969,23 @@ interface(`fs_set_all_quotas',`
 
 ########################################
 ## <summary>
+##	Relabelfrom all filesystems.
+## </summary>
+## <param name="domain">
+##	The type of the domain doing the
+##	getattr on the filesystem.
+## </param>
+#
+interface(`fs_relabelfrom_all_fs',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 filesystem_type:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
 ##	List all directories with a filesystem type.
 ## </summary>
 ## <param name="domain">
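Review bot: The parameter description of `fs_relabelfrom_all_fs` still describes a getattr ("The type of the domain doing the getattr on the filesystem"), which looks copied from another interface. It should match the permission granted, for example `Domain allowed access.` as used by the other interfaces added in this commit. Since the rule applies to the whole `filesystem_type` attribute, the summary could also say that it covers every filesystem type, so callers can choose between this and the narrower `fs_relabelfrom_xattr_fs`.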
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index d4d9bf7..78e4cfe 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -203,6 +203,16 @@ files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
 
+ifdef(`TODO',`
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+') dnl end TODO
+
 ########################################
 #
 # Unlabeled process local policy
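Review bot: The range `s0 - s9:c0.c127` in the `range_transition` is a hard-coded literal, so "maximum MLS range" holds only while the policy is built with exactly those sensitivities and categories. If the build exposes these counts as a definition, deriving the range from it would keep the rule correct when they change. Otherwise the comment could state the assumption: `# run init with maximum MLS range (assumes s0-s9, c0-c127)`. The same literal is added in strict/domains/misc/kernel.te.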
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index f8dd882..d33b92d 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -287,7 +287,7 @@ logging_read_generic_logs(system_crond_t)
 logging_send_syslog_msg(system_crond_t)
 
 miscfiles_read_localization(system_crond_t)
-miscfiles_read_man_pages(system_crond_t)
+miscfiles_manage_man_pages(system_crond_t)
 
 seutil_read_config(system_crond_t)
 
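Review bot: Switching `system_crond_t` from `miscfiles_read_man_pages` to `miscfiles_manage_man_pages` gives system cron jobs create and write access to everything labelled `man_t`, and the line carries no comment saying why. The strict policy keeps the reason next to its rules (`# Update whatis files.`), and the same comment above this call would show that the broad grant is deliberate. In strict/domains/program/crond.te the matching change moves the write access from `catman_t` to `man_t`, so that comment now covers a wider set of files than before.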
@@ -311,6 +311,10 @@ tunable_policy(`cron_can_relabel',`
 	seutil_read_file_contexts(system_crond_t)
 ')
 
+optional_policy(`mysql.te',`
+	mysql_read_config(system_crond_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(system_crond_t)
 ')
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 10fc119..1ad01fb 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -88,5 +88,5 @@ optional_policy(`nscd.te',`
 ')
 
 ifdef(`TODO',`
-r_dir_file(rsync_t, ftpd_anon_t)
+anonymous_domain(rsync)
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index daf9875..03bc86d 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -279,6 +279,7 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(smbd_t)
 ')
+anonymous_domain(smbd)
 can_winbind(smbd_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 6fab73a..ca7b37e 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -438,8 +438,10 @@ template(`ssh_server_template', `
 	auth_domtrans_chk_passwd($1_t)
 	auth_rw_login_records($1_t)
 	auth_rw_lastlog($1_t)
+	auth_append_faillog($1_t)
 
 	corecmd_read_bin_symlink($1_t)
+	corecmd_getattr_bin_file($1_t)
 	# for sshd subsystems, such as sftp-server.
 	corecmd_getattr_bin_file($1_t)
 
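Review bot: The added `corecmd_getattr_bin_file($1_t)` duplicates the call two lines below it (under the sftp-server comment), so this line grants nothing new. The strict-policy half of the commit adds `allow $1_t sbin_t:file getattr;` to the ssh macro, which suggests the intended call here was the sbin counterpart of this interface rather than a second bin one. `ssh_server_template` begins and ends outside the hunk.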
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 3bfa449..20850a0 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -381,6 +381,24 @@ interface(`auth_relabelto_shadow',`
 ')
 
 #######################################
+## <summary>
+##	Append to the login failure log.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_append_faillog',`
+	gen_require(`
+		type faillog_t;
+		class file { getattr append };
+	')
+
+	logging_search_logs($1)
+	allow $1 faillog_t:file { getattr append };
+')
+
+#######################################
 #
 # auth_rw_faillog(domain)
 #
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 0769638..e1fb21d 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -167,6 +167,8 @@ dev_getattr_snd_dev(pam_console_t)
 dev_setattr_snd_dev(pam_console_t)
 dev_getattr_video_dev(pam_console_t)
 dev_setattr_video_dev(pam_console_t)
+dev_getattr_xserver_misc_dev(pam_console_t)
+dev_setattr_xserver_misc_dev(pam_console_t)
 
 fs_search_auto_mountpoints(pam_console_t)
 
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index f16a8bf..c6de011 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -186,8 +186,8 @@ dev_read_sysfs(sysfs_t)
 # perhaps this should be blk_files?
 dev_relabel_generic_symlinks(lvm_t)
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dev_dontaudit_getattr_all_chr_files(lvm_t)
-dev_dontaudit_getattr_all_blk_files(lvm_t)
+dev_dontaudit_read_all_chr_files(lvm_t)
+dev_dontaudit_read_all_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_chr_file(lvm_t)
 dev_dontaudit_getattr_generic_blk_file(lvm_t)
 dev_dontaudit_getattr_generic_pipe(lvm_t)
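Review bot: The comment above these calls says vgscan is "stating every file in /dev", which explained the old getattr-only dontaudit but does not explain the added `read`. Suppressing read denials on all character and block device nodes also removes the audit records that would show lvm_t attempting to read a device it is not allowed to. The comment should therefore be extended to say why read is now included. strict/domains/program/lvm.te makes the same change under the same unchanged comment.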
@@ -264,4 +264,5 @@ optional_policy(`gnome-pty-helper.te', `
 optional_policy(`rhgb.te',`
 rhgb_domain(lvm_t)
 ')
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index b86b245..7a553a1 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -70,10 +70,10 @@ interface(`miscfiles_legacy_read_localization',`
 
 ########################################
 ## <summary>
-##	Allow process to read man pages
+##	Read man pages
 ## </summary>
 ## <param name="domain">
-##	Type type of the process performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`miscfiles_read_man_pages',`
@@ -92,6 +92,51 @@ interface(`miscfiles_read_man_pages',`
 
 ########################################
 ## <summary>
+##	Delete man pages
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+# cjp: added for tmpreaper
+#
+interface(`miscfiles_delete_man_pages',`
+	gen_require(`
+		type man_t;
+		class dir { setattr rw_dir_perms rmdir };
+		class file { getattr unlink };
+		class lnk_file { getattr unlink };
+	')
+
+	files_search_usr($1)
+	allow $1 man_t:dir { setattr rw_dir_perms rmdir };
+	allow $1 man_t:file { getattr unlink };
+	allow $1 man_t:lnk_file { getattr unlink };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete man pages
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`miscfiles_manage_man_pages',`
+	gen_require(`
+		type man_t;
+		class dir create_dir_perms;
+		class file create_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	files_search_usr($1)
+	allow $1 man_t:dir create_dir_perms;
+	allow $1 man_t:file create_file_perms;
+	allow $1 man_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read TeX data
 ## </summary>
 ## <param name="domain">
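Review bot: `miscfiles_delete_man_pages` is summarised as "Delete man pages" but also grants `setattr` and `rw_dir_perms` on `man_t` directories. The strict tmpreaper.te rule it mirrors carries the open question `# why does it need setattr?`. Carrying that comment over, or dropping `setattr` if tmpreaper works without it, would keep the interface closer to its name. Separately, `miscfiles_manage_man_pages` promises create, write and delete but gives symlinks only `r_file_perms`, so its summary could note that links are read-only.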
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index ae357bf..ad198c2 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -127,9 +127,12 @@ optional_policy(`rpm.te',`
 	rpm_rw_pipe(insmod_t)
 ')
 
-#optional_policy(`xserver.te',`
-#	xserver_getattr_log(insmod_t)
-#')
+ifdef(`TODO',`
+optional_policy(`xserver.te',`
+	xserver_getattr_log(insmod_t)
+	allow insmod_t xserver_misc_device_t:chr_file { read write };
+')
+')
 
 ########################################
 #
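Review bot: The newly added `allow insmod_t xserver_misc_device_t:chr_file { read write };` has no comment explaining why module loading needs read/write on X server devices, and it names another module's type directly instead of going through an interface. It is disabled by the `TODO` guard here, but the identical rule is active in strict/domains/program/modutil.te. A short comment stating the observed need would help whoever later converts the TODO block. An interface beside the `dev_getattr_xserver_misc_dev` / `dev_setattr_xserver_misc_dev` pair added in devices.if would be the natural home for the rule.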
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 4e5d709..09570be 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -43,7 +43,7 @@ fs_getattr_xattr_fs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
-fs_relabelfrom_xattr_fs(mount_t)
+fs_relabelfrom_all_fs(mount_t)
 fs_search_auto_mountpoints(mount_t)
 fs_use_tmpfs_chr_dev(mount_t)
 
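Review bot: Replacing `fs_relabelfrom_xattr_fs(mount_t)` with `fs_relabelfrom_all_fs(mount_t)` widens mount_t from xattr filesystems to every `filesystem_type`, with no comment naming the case that needed it. A line such as `# needed for context= mounts of non-xattr filesystems` (if that is the reason) would record the intent. strict/domains/program/mount.te makes the matching change from `fs_t` to `fs_type`.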
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
index 96cddbf..c86414e 100644
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -11,9 +11,6 @@
 interface(`pcmcia_domtrans_cardmgr',`
 	gen_require(`
 		type cardmgr_t, cardmgr_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
@@ -26,6 +23,22 @@ interface(`pcmcia_domtrans_cardmgr',`
 
 ########################################
 ## <summary>
+##	Inherit and use file descriptors from cardmgr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`pcmcia_use_cardmgr_fd',`
+	gen_require(`
+		type cardmgr_t;
+	')
+
+	allow $1 cardmgr_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Execute cardctl in the cardmgr domain.
 ## </summary>
 ## <param name="domain">
@@ -35,9 +48,6 @@ interface(`pcmcia_domtrans_cardmgr',`
 interface(`pcmcia_domtrans_cardctl',`
 	gen_require(`
 		type cardmgr_t, cardctl_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
@@ -66,7 +76,6 @@ interface(`pcmcia_domtrans_cardctl',`
 interface(`pcmcia_run_cardctl',`
 	gen_require(`
 		type cardmgr_t;
-		class chr_file rw_term_perms;
 	')
 
 	pcmcia_domtrans_cardctl($1)
@@ -85,8 +94,6 @@ interface(`pcmcia_run_cardctl',`
 interface(`pcmcia_read_pid',`
 	gen_require(`
 		type cardmgr_var_run_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')
 
 	files_search_pids($1)
@@ -106,8 +113,6 @@ interface(`pcmcia_read_pid',`
 interface(`pcmcia_manage_pid',`
 	gen_require(`
 		type cardmgr_var_run_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
 	')
 
 	files_search_pids($1)
@@ -127,8 +132,6 @@ interface(`pcmcia_manage_pid',`
 interface(`pcmcia_manage_runtime_chr',`
 	gen_require(`
 		type cardmgr_var_run_t;
-		class dir rw_dir_perms;
-		class chr_file create_file_perms;
 	')
 
 	files_search_pids($1)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index cc19cb5..ea798ea 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -288,6 +288,8 @@ selinux_compute_relabel_context(restorecon_t)
 selinux_compute_user_contexts(restorecon_t)
 
 term_use_unallocated_tty(restorecon_t)
+term_use_all_user_ttys(restorecon_t)
+term_use_all_user_ptys(restorecon_t)
 
 init_use_fd(restorecon_t)
 init_use_script_pty(restorecon_t)
@@ -332,6 +334,9 @@ ifdef(`TODO',`
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')
 ') dnl endif TODO
 
 #################################
diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te
index 3901bc4..640309a 100644
--- a/strict/domains/misc/kernel.te
+++ b/strict/domains/misc/kernel.te
@@ -28,6 +28,11 @@ allow kernel_t { usbfs_t usbdevfs_t }:dir search;
 # Run init in the init_t domain.
 domain_auto_trans(kernel_t, init_exec_t, init_t)
 
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+
 # Share state with the init process.
 allow kernel_t init_t:process share;
 
@@ -65,4 +70,6 @@ can_loadpol(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 can_exec(kernel_t, bin_t)
 
-
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index 43d6bbe..536824f 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -128,9 +128,8 @@ allow system_crond_t var_lib_t:dir rw_dir_perms;
 allow system_crond_t var_lib_t:file create_file_perms;
 
 # Update whatis files.
-allow system_crond_t catman_t:dir create_dir_perms;
-allow system_crond_t catman_t:file create_file_perms;
-allow system_crond_t man_t:file r_file_perms;
+allow system_crond_t man_t:dir create_dir_perms;
+allow system_crond_t man_t:file create_file_perms;
 allow system_crond_t man_t:lnk_file read;
 
 # Write /var/lock/makewhatis.lock.
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te
index b3df265..c5ce785 100644
--- a/strict/domains/program/lvm.te
+++ b/strict/domains/program/lvm.te
@@ -97,10 +97,11 @@ allow lvm_t devpts_t:dir { search getattr read };
 read_locale(lvm_t)
 
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
+dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };
 dontaudit lvm_t ttyfile:chr_file getattr;
 dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
 dontaudit lvm_t devpts_t:dir { getattr read };
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;
 
 ifdef(`gpm.te', `
 dontaudit lvm_t gpmctl_t:sock_file getattr;
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
index 64028d6..dbdae1b 100644
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@@ -116,6 +116,7 @@ allow insmod_t modules_object_t:file write;
 allow insmod_t { var_t var_log_t }:dir search;
 ifdef(`xserver.te', `
 allow insmod_t xserver_log_t:file getattr;
+allow insmod_t xserver_misc_device_t:chr_file { read write };
 ')
 rw_dir_create_file(insmod_t, var_log_ksyms_t)
 allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te
index 9efd6a4..ab6c359 100644
--- a/strict/domains/program/mount.te
+++ b/strict/domains/program/mount.te
@@ -68,7 +68,7 @@ rhgb_domain(mount_t)
 # for localization
 allow mount_t lib_t:file { getattr read };
 allow mount_t autofs_t:dir read;
-allow mount_t fs_t:filesystem relabelfrom;
+allow mount_t fs_type:filesystem relabelfrom;
 #
 # This rule needs to be generalized.  Only admin, initrc should have it.
 #
diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te
index 1bd9073..ea0315b 100644
--- a/strict/domains/program/mysqld.te
+++ b/strict/domains/program/mysqld.te
@@ -88,4 +88,7 @@ allow userdomain mysqld_var_run_t:sock_file write;
 }
 ')
 
+ifdef(`crond.te', `
+allow system_crond_t mysqld_etc_t:file { getattr read };
+')
 allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te
index cbb84af..ed85882 100644
--- a/strict/domains/program/pamconsole.te
+++ b/strict/domains/program/pamconsole.te
@@ -30,7 +30,7 @@ r_dir_file(pam_console_t, pam_var_console_t)
 allow pam_console_t device_t:dir { getattr read };
 allow pam_console_t device_t:lnk_file { getattr read };
 # mouse_device_t is for joy sticks
-allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
 allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
 
 allow pam_console_t mnt_t:dir r_dir_perms;
diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te
index 3a54e81..c0c664f 100644
--- a/strict/domains/program/ping.te
+++ b/strict/domains/program/ping.te
@@ -17,7 +17,9 @@ role system_r types ping_t;
 in_user_role(ping_t)
 type ping_exec_t, file_type, sysadmfile, exec_type;
 
-ifdef(`targeted_policy', `', `
+ifdef(`targeted_policy', `
+	allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
+', `
 bool user_ping false;
 
 if (user_ping) {
@@ -55,4 +57,7 @@ dontaudit ping_t fs_t:filesystem getattr;
 dontaudit ping_t var_t:dir search;
 dontaudit ping_t devtty_t:chr_file { read write };
 dontaudit ping_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms', `
+allow ping_t init_t:fd use;
+')
 
diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te
index adc364d..54cad6f 100644
--- a/strict/domains/program/portmap.te
+++ b/strict/domains/program/portmap.te
@@ -58,7 +58,7 @@ role system_r types portmap_helper_t;
 domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
 dontaudit portmap_helper_t self:capability { net_admin };
 allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
 file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
 allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 can_network(portmap_helper_t)
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
index 058dcd1..0e3a278 100644
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@@ -17,11 +17,12 @@ type restorecon_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types restorecon_t;
 role sysadm_r types restorecon_t;
+role secadm_r types restorecon_t;
 
 allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
 
-domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t)
+domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
 allow restorecon_t { userdomain init_t privfd }:fd use;
 
 uses_shlib(restorecon_t)
@@ -44,6 +45,9 @@ allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr rela
 ifdef(`distro_redhat', `
 allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
 ')
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')
 
 allow restorecon_t ptyfile:chr_file getattr;
 
diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te
index e245f57..8405e84 100644
--- a/strict/domains/program/rpm.te
+++ b/strict/domains/program/rpm.te
@@ -114,7 +114,7 @@ allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
 
 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
@@ -194,6 +194,7 @@ domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
 
 domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
 domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
+role sysadm_r types initrc_t;
 domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
 ifdef(`bootloader.te', `
 domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
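Review bot: `role sysadm_r types initrc_t;` is a statement about the initrc domain placed inside rpm.te, so any policy that includes this file authorises `initrc_t` for `sysadm_r`. The refpolicy copy of this line in the same commit is annotated `# cjp: this seems way out of place` and kept under the `TODO` guard, but here it is active and uncommented. At minimum add a comment saying which rpm scriptlet path needs it. Moving it next to the other role declarations for initrc_t would be better.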
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te
index c7d5378..8786fb8 100644
--- a/strict/domains/program/rsync.te
+++ b/strict/domains/program/rsync.te
@@ -14,6 +14,6 @@
 inetd_child_domain(rsync)
 type rsync_data_t, file_type, sysadmfile;
 r_dir_file(rsync_t, rsync_data_t)
-r_dir_file(rsync_t, ftpd_anon_t)
+anonymous_domain(rsync)
 
 
diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te
index a1570b6..1ce50e5 100644
--- a/strict/domains/program/samba.te
+++ b/strict/domains/program/samba.te
@@ -79,6 +79,7 @@ allow smbd_t usr_t:file { getattr read };
 
 # Access Samba shares.
 create_dir_file(smbd_t, samba_share_t)
+anonymous_domain(smbd)
 
 ifdef(`logrotate.te', `
 # the application should be changed
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
index 221ec7a..28c9bea 100644
--- a/strict/domains/program/ssh.te
+++ b/strict/domains/program/ssh.te
@@ -115,6 +115,9 @@ can_create_pty($1, `, server_pty')
 allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
 dontaudit sshd_t userpty_type:chr_file relabelfrom;
 
+allow $1_t faillog_t:file { append getattr };
+allow $1_t sbin_t:file getattr;
+
 # Allow checking users mail at login
 allow $1_t { var_spool_t mail_spool_t }:dir search;
 allow $1_t mail_spool_t:lnk_file read;
diff --git a/strict/domains/program/tmpreaper.te b/strict/domains/program/tmpreaper.te
index 8b2111b..2373a50 100644
--- a/strict/domains/program/tmpreaper.te
+++ b/strict/domains/program/tmpreaper.te
@@ -16,8 +16,8 @@ role system_r types tmpreaper_t;
 system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
 uses_shlib(tmpreaper_t)
 # why does it need setattr?
-allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir };
-allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
+allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
+allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t self:process { fork sigchld };
 allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te
index b744fe5..4ff37c7 100644
--- a/strict/macros/core_macros.te
+++ b/strict/macros/core_macros.te
@@ -361,6 +361,7 @@ define(`can_loadpol',`
 # Get the selinuxfs mount point via /proc/self/mounts.
 allow $1 proc_t:dir search;
 allow $1 proc_t:lnk_file read;
+allow $1 proc_t:file { getattr read };
 allow $1 self:dir search;
 allow $1 self:file { getattr read };
 # Access selinuxfs.
diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te
index b4cccc4..cdde6aa 100644
--- a/strict/macros/global_macros.te
+++ b/strict/macros/global_macros.te
@@ -595,6 +595,18 @@ allow $1 self:capability sys_admin;
 ')dnl end polyinstantiater
 
 # 
+# Domain that is allow to read anonymous data off the network
+# without providing authentication.
+# Also define boolean to allow anonymous writing
+#
+define(`anonymous_domain', `
+r_dir_file($1_t, ftpd_anon_t)
+bool allow_$1_anon_write false;
+if (allow_$1_anon_write) {
+create_dir_file($1_t,ftpd_anon_rw_t)
+}
+')
+# 
 # Define a domain that can do anything, so that it is
 # effectively unconfined by the SELinux policy.  This
 # means that it is only restricted by the normal Linux 
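Review bot: `anonymous_domain` takes a domain prefix (`rsync`, `smbd`) and appends `_t` itself, unlike `authentication_domain` added further down, which takes a full type, and the header comment does not say so. Suggest adding `# $1 - domain prefix, without the _t suffix` and noting that the macro declares the boolean `allow_$1_anon_write`. Without that note, a second call for the same prefix would presumably declare the boolean twice. There is also no blank line between the closing `')` and the next comment block.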
@@ -727,3 +739,15 @@ allow $1 removable_device_t:blk_file r_file_perms;
 allow $1 removable_t:filesystem getattr;
 
 ')
+
+define(`authentication_domain', `
+can_ypbind($1)
+can_kerberos($1)
+can_ldap($1)
+can_resolve($1)
+can_winbind($1)
+r_dir_file($1, cert_t)
+allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
+allow $1 self:capability { audit_write audit_control };
+dontaudit $1 shadow_t:file { getattr read };
+')
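Review bot: `authentication_domain` is added with no header comment, and its capability grant bundles `audit_control` with `audit_write`. `audit_write` lets a domain emit its own audit records, whereas `audit_control` also lets it change the audit configuration, which is a much larger privilege to give every authenticating daemon. Unless a caller is known to need it, consider `allow $1 self:capability audit_write;` here and a separate grant for the exception. No caller of the macro is visible in this diff, so the split costs nothing now.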
diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te
index d5eaca1..0c8817a 100644
--- a/strict/macros/network_macros.te
+++ b/strict/macros/network_macros.te
@@ -16,9 +16,7 @@ allow $1 self:$2_socket connected_socket_perms;
 # Allow the domain to send or receive using any network interface.
 # netif_type is a type attribute for all network interface types.
 #
-allow $1 netif_type:netif { $2_send rawip_send };
-allow $1 netif_type:netif { $2_recv rawip_recv };
-
+allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
 #
 # Allow the domain to send to or receive from any node.
 # node_type is a type attribute for all node types.
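Review bot: The rule now targets the single type `netif_t`, but the comment directly above still says the domain may use "any network interface" and that "netif_type is a type attribute for all network interface types". Either update the comment, for example `# Allow the domain to send or receive using generic (netif_t) network interfaces.`, or keep the attribute if interfaces with other labels must continue to work. The macro body starts and ends outside the hunk.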

