[selinux-policy: 744/3172] more merging from 1.27.1-15

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:09:08 UTC 2010


commit d8636fc937b9572da099316b2b031951dea89bdf
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Oct 14 17:55:40 2005 +0000

    more merging from 1.27.1-15

 refpolicy/policy/modules/admin/rpm.fc            |    4 +
 refpolicy/policy/modules/admin/su.if             |    8 +-
 refpolicy/policy/modules/admin/sudo.if           |    9 +-
 refpolicy/policy/modules/kernel/kernel.if        |   42 ++++++++-
 refpolicy/policy/modules/kernel/terminal.fc      |    1 +
 refpolicy/policy/modules/services/bind.te        |   12 +++
 refpolicy/policy/modules/services/bluetooth.fc   |    3 +
 refpolicy/policy/modules/services/bluetooth.te   |  113 +++++++++++++++++++++-
 refpolicy/policy/modules/services/cron.te        |    8 ++-
 refpolicy/policy/modules/services/dhcp.fc        |    1 +
 refpolicy/policy/modules/services/ftp.fc         |    1 +
 refpolicy/policy/modules/services/ftp.te         |   15 +++-
 refpolicy/policy/modules/services/hal.te         |    1 +
 refpolicy/policy/modules/services/mysql.te       |   10 ++-
 refpolicy/policy/modules/services/nis.if         |   18 ++++-
 refpolicy/policy/modules/services/remotelogin.te |    5 +
 refpolicy/policy/modules/system/corecommands.fc  |    2 +
 refpolicy/policy/modules/system/files.if         |   28 +++++-
 refpolicy/policy/modules/system/fstools.te       |    2 +
 refpolicy/policy/modules/system/ipsec.fc         |    2 +
 refpolicy/policy/modules/system/locallogin.te    |    5 +
 refpolicy/policy/modules/system/miscfiles.fc     |    1 +
 refpolicy/policy/modules/system/modutils.te      |    2 +-
 refpolicy/policy/modules/system/selinuxutil.te   |    6 +-
 refpolicy/policy/modules/system/sysnetwork.fc    |    2 +
 refpolicy/policy/modules/system/sysnetwork.te    |    1 +
 refpolicy/policy/modules/system/userdomain.te    |    2 +-
 27 files changed, 276 insertions(+), 28 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc
index 37e4561..7bbff29 100644
--- a/refpolicy/policy/modules/admin/rpm.fc
+++ b/refpolicy/policy/modules/admin/rpm.fc
@@ -30,3 +30,7 @@ ifdef(`distro_suse', `
 /var/lib/YaST2(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/log/YaST2(/.*)?			gen_context(system_u:object_r:rpm_log_t,s0)
 ')
+
+ifdef(`enable_mls',`
+/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+')
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 2b1a7c5..6b99dec 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -87,6 +87,7 @@ template(`su_per_userdomain_template',`
 
 	auth_domtrans_user_chk_passwd($1_su_t,$1)
 	auth_dontaudit_read_shadow($1_su_t)
+	auth_use_nsswitch($1_su_t)
 
 	domain_wide_inherit_fd($1_su_t)
 
@@ -109,8 +110,7 @@ template(`su_per_userdomain_template',`
 
 	userdom_use_user_terminals($1,$1_su_t)
 
-	if(secure_mode)
-	{
+	if(secure_mode) {
 		# Only allow transitions to unprivileged user domains.
 		userdom_spec_domtrans_unpriv_users($1_su_t)
 	} else {
@@ -134,10 +134,6 @@ template(`su_per_userdomain_template',`
 		kerberos_use($1_su_t)
 	')
 
-	optional_policy(`nis.te',`
-		nis_use_ypbind($1_su_t)
-	')
-
 	optional_policy(`nscd.te',`
 		nscd_use_socket($1_su_t)
 	')
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 0509092..f202e08 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -59,14 +59,15 @@ template(`sudo_per_userdomain_template',`
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
 	allow $1_sudo_t self:fifo_file rw_file_perms;
-	allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
-	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_sudo_t self:unix_dgram_socket sendto;
-	allow $1_sudo_t self:unix_stream_socket connectto;
 	allow $1_sudo_t self:shm create_shm_perms;
 	allow $1_sudo_t self:sem create_sem_perms;
 	allow $1_sudo_t self:msgq create_msgq_perms;
 	allow $1_sudo_t self:msg { send receive };
+	allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
+	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_sudo_t self:unix_dgram_socket sendto;
+	allow $1_sudo_t self:unix_stream_socket connectto;
+	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
 
 	# Enter this derived domain from the user domain
 	domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
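Review bot: The added `netlink_audit_socket { create bind write nlmsg_read read }` rule has no comment saying what sudo does with the audit socket, and the identical line is added for `newrole_t` in selinuxutil.te. As far as I know `nlmsg_read` covers querying audit state, while emitting user-space audit records is checked against `nlmsg_relay` and also needs `self:capability audit_write`; neither appears in the visible lines, so confirm the set matches the intent. Since two domains now carry the same raw rule, a shared interface with one comment, e.g. `# send audit records for authentication events`, would keep them from drifting apart. The template body continues outside this hunk, so the capability may be granted there.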
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 6e63f7a..58d5924 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -425,6 +425,24 @@ interface(`kernel_search_debugfs',`
 
 ########################################
 ## <summary>
+##	Read information from the debugging filesystem.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_read_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:dir r_file_perms;
+	allow $1 debugfs_t:file r_file_perms;
+	allow $1 debugfs_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
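Review bot: In the new `kernel_read_debugfs` interface the directory rule uses the file permission set: `allow $1 debugfs_t:dir r_file_perms;`. `r_file_perms` carries no `search`, so a caller can read a debugfs directory but not traverse it; `kernel_read_system_state` in this same file uses `r_dir_perms` for `proc_t:dir`. The line should read `allow $1 debugfs_t:dir r_dir_perms;`. This matters within this commit, because modutils.te replaces `kernel_search_debugfs(insmod_t)` with `kernel_read_debugfs(insmod_t)`, so `insmod_t` would lose directory search unless it is granted elsewhere.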
@@ -504,9 +522,6 @@ interface(`kernel_read_proc_symlinks',`
 interface(`kernel_read_system_state',`
 	gen_require(`
 		type proc_t;
-		class dir r_dir_perms;
-		class lnk_file { getattr read };
-		class file r_file_perms;
 	')
 
 	allow $1 proc_t:dir r_dir_perms;
@@ -516,6 +531,27 @@ interface(`kernel_read_system_state',`
 
 ########################################
 ## <summary>
+##	Write to generic proc entries.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: this should probably go away.  any
+# file thats writable in proc should really
+# have its own label.
+#
+interface(`kernel_write_proc_file',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_t:file write;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to
 ##	read system state information in proc.
 ## </summary>
diff --git a/refpolicy/policy/modules/kernel/terminal.fc b/refpolicy/policy/modules/kernel/terminal.fc
index 49dafec..e43d08c 100644
--- a/refpolicy/policy/modules/kernel/terminal.fc
+++ b/refpolicy/policy/modules/kernel/terminal.fc
@@ -11,6 +11,7 @@
 /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
+/dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index b853c52..4760266 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -21,6 +21,7 @@ init_system_domain(named_t,named_checkconf_exec_t)
 # A type for configuration files of named.
 type named_conf_t;
 files_type(named_conf_t)
+files_mountpoint(named_conf_t)
 
 # for secondary zone files
 type named_cache_t;
@@ -149,6 +150,17 @@ ifdef(`targeted_policy',`
 	#dontaudit ndc_t unlabeled_t:file { getattr read };	
 ')
 
+optional_policy(`dbus.te',`
+	gen_require(`
+		class dbus send_msg;
+	')
+
+	allow named_t self:dbus send_msg;
+	dbus_system_bus_client_template(named,named_t)
+	dbus_connect_system_bus(named_t)
+	dbus_send_system_bus_msg(named_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(named_t)
 ')
diff --git a/refpolicy/policy/modules/services/bluetooth.fc b/refpolicy/policy/modules/services/bluetooth.fc
index f61784d..611008a 100644
--- a/refpolicy/policy/modules/services/bluetooth.fc
+++ b/refpolicy/policy/modules/services/bluetooth.fc
@@ -2,10 +2,12 @@
 # /etc
 #
 /etc/bluetooth(/.*)?		gen_context(system_u:object_r:bluetooth_conf_t,s0)
+/etc/bluetooth/link_key		gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
 
 #
 # /usr
 #
+/usr/bin/blue.*pin	--	gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
 /usr/bin/rfcomm		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 
 /usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
@@ -16,4 +18,5 @@
 #
 # /var
 #
+/var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
 /var/run/sdp		-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 0c237cc..68478f7 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -12,31 +12,53 @@ init_daemon_domain(bluetooth_t,bluetooth_exec_t)
 type bluetooth_conf_t;
 files_type(bluetooth_conf_t)
 
+type bluetooth_conf_rw_t;
+files_type(bluetooth_conf_rw_t)
+
+type bluetooth_helper_t;
+type bluetooth_helper_exec_t;
+domain_type(bluetooth_helper_t)
+domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
+role system_r types bluetooth_helper_t;
+
 type bluetooth_lock_t;
 files_lock_file(bluetooth_lock_t)
 
 type bluetooth_tmp_t;
 files_tmp_file(bluetooth_tmp_t)
 
+type bluetooth_var_lib_t;
+files_type(bluetooth_var_lib_t)
+
 type bluetooth_var_run_t;
 files_pid_file(bluetooth_var_run_t)
 
 ########################################
 #
-# Local policy
+# Bluetooth services local policy
 #
+
 allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
 dontaudit bluetooth_t self:capability sys_tty_config;
-allow bluetooth_t self:process signal_perms;
+allow bluetooth_t self:process { getsched signal_perms };
+allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t self:shm create_shm_perms;
 allow bluetooth_t self:socket create_stream_socket_perms;
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
 allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect };
 allow bluetooth_t self:udp_socket create_socket_perms;
 
-allow bluetooth_t bluetooth_conf_t:dir search;
+allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
 allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
 
+allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
+allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
+allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
+allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
+allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
+type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
+
 allow bluetooth_t bluetooth_lock_t:file create_file_perms;
 files_create_lock(bluetooth_t,bluetooth_lock_t)
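Review bot: The added `type_transition` on `bluetooth_conf_t` lists `{ file lnk_file sock_file fifo_file }` but not `dir`, while the same hunk grants `bluetooth_conf_rw_t:dir create_dir_perms`. A directory can then only carry `bluetooth_conf_rw_t` through file contexts, and bluetooth.fc in this commit labels only `/etc/bluetooth/link_key` with that type, so the dir rule looks unreachable; either add `dir` to the transition or drop the rule. Separately, `bluetooth_conf_t:dir` is widened from `search` to `rw_dir_perms` so the daemon can create entries in its own configuration directory; a short comment such as `# link keys are written under /etc/bluetooth` would record why write access to a config directory is intended.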
 
@@ -44,14 +66,17 @@ allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
 allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
 files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir })
 
+allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
+allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
+files_create_var_lib(bluetooth_t,bluetooth_var_lib_t)
+
 allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
 allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
 allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
 files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
 
 kernel_read_kernel_sysctl(bluetooth_t)
-kernel_list_proc(bluetooth_t)
-kernel_read_proc_symlinks(bluetooth_t)
+kernel_read_system_state(bluetooth_t)
 
 corenet_tcp_sendrecv_all_if(bluetooth_t)
 corenet_udp_sendrecv_all_if(bluetooth_t)
@@ -66,16 +91,24 @@ corenet_udp_sendrecv_all_ports(bluetooth_t)
 
 dev_read_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
+dev_read_urand(bluetooth_t)
 
 fs_getattr_all_fs(bluetooth_t)
 fs_search_auto_mountpoints(bluetooth_t)
 
 term_dontaudit_use_console(bluetooth_t)
+#Handle bluetooth serial devices
+term_use_unallocated_tty(bluetooth_t)
 
 corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
 
 domain_use_wide_inherit_fd(bluetooth_t)
 
+files_read_etc_files(bluetooth_t)
+files_read_etc_runtime_files(bluetooth_t)
+files_read_usr_files(bluetooth_t)
+
 init_use_fd(bluetooth_t)
 init_use_script_pty(bluetooth_t)
 
@@ -85,6 +118,7 @@ libs_use_shared_libs(bluetooth_t)
 logging_send_syslog_msg(bluetooth_t)
 
 miscfiles_read_localization(bluetooth_t)
+miscfiles_read_fonts(bluetooth_t)
 
 sysnet_read_config(bluetooth_t)
 
@@ -119,4 +153,73 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(bluetooth_t)
 ')
+') dnl end TOOD
+
+########################################
+#
+# Bluetooth helper local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:fifo_file rw_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctl(bluetooth_helper_t)
+
+term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_files(bluetooth_helper_t)
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+libs_use_ld_so(bluetooth_helper_t)
+libs_use_shared_libs(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t) 
+miscfiles_read_fonts(bluetooth_helper_t)
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(bluetooth_helper_t)
+')
+
+ifdef(`TODO',`
+domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+
+# a "run" interface needs to be
+# added, and have sysadm_t use it
+# in a optional_policy block.
+
+allow bluetooth_helper_t tmp_t:dir search;
+
+allow bluetooth_helper_t home_dir_type:dir search;
+
+ifdef(`xserver.te', `
+	allow bluetooth_helper_t xserver_log_t:dir search;
+	allow bluetooth_helper_t xserver_log_t:file { getattr read };
+')
+
+ifdef(`targeted_policy', `
+	allow bluetooth_helper_t tmp_t:sock_file { read write };
+	allow bluetooth_helper_t tmpfs_t:file { read write };
+	allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+	allow bluetooth_t unconfined_t:dbus send_msg;
+	allow unconfined_t bluetooth_t:dbus send_msg;
+', `
+	ifdef(`xdm.te', `
+		allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
+	')
+
+	allow bluetooth_t unpriv_userdomain:dbus send_msg;
+	allow unpriv_userdomain bluetooth_t:dbus send_msg;
 ')
+') dnl end TODO
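Review bot: `bluetooth_helper_t` gets a complete local policy here, but the only rule that enters the domain, `domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)`, sits inside the ifdef TODO block. bluetooth.fc in this commit already labels `/usr/bin/blue.*pin` as `bluetooth_helper_exec_t`, and no visible rule lets `bluetooth_t` execute that type, so until the TODO block is converted the PIN helper would presumably be denied rather than confined; a comment stating that, or an interim `can_exec`-style grant, would make the state explicit. `corecmd_exec_shell(bluetooth_helper_t)` also deserves a one-line comment on why the helper needs a shell. The marker closing the previous block is misspelled: `dnl end TOOD`.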
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 3dc798a..4457dc0 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -51,7 +51,7 @@ files_tmp_file(system_crond_tmp_t)
 # Cron Local policy
 #
 
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
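Review bot: `audit_control` is added to `crond_t`'s capability set without any comment, and it is a strong capability: it allows changing audit subsystem state, not just writing records. If the reason is setting the login UID for the jobs cron starts (my guess, not visible in the diff), say so next to the rule, e.g. `# audit_control: set loginuid for cron jobs`. That lets a later reviewer check whether a narrower grant becomes possible.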
@@ -182,6 +182,12 @@ rhgb_domain(crond_t)
 # crond tries to search /root.  Not sure why.
 allow crond_t sysadm_home_dir_t:dir r_dir_perms;
 
+ifdef(`apache.te',`
+allow system_crond_t httpd_modules_t:lnk_file read;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
+')
+
 # to search /home
 allow crond_t user_home_dir_type:dir r_dir_perms;
 ') dnl endif TODO
diff --git a/refpolicy/policy/modules/services/dhcp.fc b/refpolicy/policy/modules/services/dhcp.fc
index c7a11b2..4d40b6b 100644
--- a/refpolicy/policy/modules/services/dhcp.fc
+++ b/refpolicy/policy/modules/services/dhcp.fc
@@ -1,6 +1,7 @@
 
 /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
+/var/lib/dhcpd(/.*)?			gen_context(system_u:object_r:dhcpd_state_t,s0)
 /var/lib/dhcp(3)?/dhcpd\.leases.* --	gen_context(system_u:object_r:dhcpd_state_t,s0)
 
 /var/run/dhcpd\.pid		--	gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ftp.fc b/refpolicy/policy/modules/services/ftp.fc
index f5b01d9..926bef8 100644
--- a/refpolicy/policy/modules/services/ftp.fc
+++ b/refpolicy/policy/modules/services/ftp.fc
@@ -22,5 +22,6 @@
 /var/run/proftpd/proftpd\.scoreboard -- gen_context(system_u:object_r:ftpd_var_run_t,s0)
 
 /var/log/muddleftpd\.log.* --	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 32eda81..fb89452 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -133,11 +133,15 @@ tunable_policy(`allow_ftpd_anon_write',`
 
 tunable_policy(`ftp_home_dir',`
 	# allow access to /home
-	files_getattr_home_dir(ftpd_t)
+	files_list_home(ftpd_t)
 	userdom_read_all_user_files(ftpd_t)
 	userdom_manage_all_user_dirs(ftpd_t)
 	userdom_manage_all_user_files(ftpd_t)
 	userdom_manage_all_user_symlinks(ftpd_t)
+
+	ifdef(`targeted_policy',`
+		userdom_create_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
+	')
 ')
 
 tunable_policy(`ftpd_is_daemon',`
@@ -198,4 +202,13 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(ftpd_t)
 ')
+
+# cjp: this was in base user macro, but we cannot
+# use typeattribute ftpd_t privhome; interface
+# since typeattribute doesnt work in conditionals
+ifdef(`ftpd.te' , `
+if (ftpd_is_daemon) {
+file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+}
+')
 ')
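Review bot: `$1_home_dir_t` and `$1_home_t` in the added `file_type_auto_trans` line are template parameters, but ftp.te is a module file and no enclosing template is visible, so `$1` has nothing to bind to and cannot resolve to a real type. The rule is dormant because the hunk sits inside the TODO block, and the cjp comment above it acknowledges the open design question, but the line should be rewritten against a concrete type or attribute before the block is enabled. The same unbound parameter appears in the alsa blocks added to remotelogin.te and locallogin.te as `$1_login_t`, where the intended domains are presumably `remote_login_t` and `local_login_t`. The locallogin.te hunk is visibly inside its TODO block, but for remotelogin.te that cannot be determined from the hunk.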
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 0eff9fd..edbd64b 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -42,6 +42,7 @@ files_create_pid(hald_t,hald_var_run_t)
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctl(hald_t)
+kernel_write_proc_file(hald_t)
 
 corenet_tcp_sendrecv_all_if(hald_t)
 corenet_raw_sendrecv_all_if(hald_t)
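Review bot: `kernel_write_proc_file(hald_t)` grants write on every file labelled `proc_t`, and nothing at the call site says which /proc entry hald needs. The interface's own comment in kernel.if (added in this commit) already notes that writable proc files should have their own label. A comment here naming the entry, e.g. `# hald writes <proc entry>; replace once it has its own type`, would make it possible to retire the broad grant later.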
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 49f0f9e..80d986a 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -37,7 +37,7 @@ allow mysqld_t self:fifo_file { read write };
 allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
-allow mysqld_t self:tcp_socket connected_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
 
 allow mysqld_t mysqld_db_t:dir create_dir_perms;
 allow mysqld_t mysqld_db_t:file create_file_perms;
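Review bot: `mysqld_t` gains `self:udp_socket create_socket_perms` here, and the next hunk adds UDP send/receive on all interfaces, nodes and ports plus `corenet_udp_bind_all_nodes`, with no comment on what mysqld uses UDP for. If this only supports name-service or NFS client lookups (a guess based on the `nis.te` and `mount.te` optional blocks), the UDP rules would be better placed inside those optional blocks or documented with a line such as `# UDP needed for <service> lookups`. As written, the database server gets unrestricted UDP whether or not those modules are present.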
@@ -62,11 +62,15 @@ kernel_read_proc_symlinks(mysqld_t)
 kernel_read_system_state(mysqld_t)
 
 corenet_tcp_sendrecv_all_if(mysqld_t)
+corenet_udp_sendrecv_all_if(mysqld_t)
 corenet_raw_sendrecv_all_if(mysqld_t)
 corenet_tcp_sendrecv_all_nodes(mysqld_t)
+corenet_udp_sendrecv_all_nodes(mysqld_t)
 corenet_raw_sendrecv_all_nodes(mysqld_t)
 corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
 corenet_tcp_bind_all_nodes(mysqld_t)
+corenet_udp_bind_all_nodes(mysqld_t)
 corenet_tcp_bind_mysqld_port(mysqld_t)
 corenet_tcp_connect_mysqld_port(mysqld_t)
 
@@ -110,6 +114,10 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(mysqld_t)
 ')
 
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(mysqld_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(mysqld_t)
 ')
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 6a4c53d..8c9428a 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -121,6 +121,22 @@ interface(`nis_use_ypbind',`
 
 ########################################
 ## <summary>
+##	Send generic signals to ypbind.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`nis_signal_ypbind',`
+	gen_require(`
+		type ypbind_t;
+	')
+
+	allow $1 ypbind_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Send UDP network traffic to NIS clients.
 ## </summary>
 ## <param name="domain">
@@ -129,7 +145,7 @@ interface(`nis_use_ypbind',`
 #
 interface(`nis_list_var_yp',`
 	gen_require(`
-		type ypbind_t;
+		type var_yp_t;
 	')
 
 	files_search_var($1)
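Review bot: The summary that heads `nis_list_var_yp` reads "Send UDP network traffic to NIS clients", which matches neither the interface name nor the `var_yp_t` require that this hunk corrects; it looks copied from another interface. Since the commit is already fixing this interface, the doc block should be fixed with it, along the lines of `##	List the contents of the NIS data directory.` The interface body continues outside the hunk, so the exact wording should follow the rules that come after `files_search_var($1)`.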
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 0aa6e98..91f1140 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -69,6 +69,7 @@ auth_rw_lastlog(remote_login_t)
 auth_rw_faillog(remote_login_t)
 auth_exec_pam(remote_login_t)
 auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
 
 corecmd_list_bin(remote_login_t)
 corecmd_list_sbin(remote_login_t)
@@ -170,6 +171,10 @@ optional_policy(`remotelogin.te',`
 # Login can polyinstantiate
 polyinstantiater(remote_login_t)
 
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
+')
+
 allow remote_login_t userpty_type:chr_file { setattr write };
 allow remote_login_t ptyfile:chr_file { getattr ioctl };
 
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index ef74be1..cdfb1f4 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -110,3 +110,5 @@ ifdef(`distro_suse',`
 
 /var/ftp/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /var/ftp/bin/ls		--	gen_context(system_u:object_r:ls_exec_t,s0)
+
+/usr/lib/yp/.+		--	gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 8fe9c87..d6db068 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -20,8 +20,13 @@
 ## </required>
 
 ########################################
-#
-# files_type(type)
+## <summary>
+##	Make the specified type usable for files
+##	in a filesystem.
+## </summary>
+## <param name="type">
+##	Type to be used for files.
+## </param>
 #
 interface(`files_type',`
 	gen_require(`
@@ -221,6 +226,9 @@ interface(`files_tmpfs_file',`
 ##	Domain allowed access.
 ## </param>
 #
+# cjp: this is an odd interface, because to getattr
+# all dirs, you need to search all the parent directories
+#
 interface(`files_getattr_all_dirs',`
 	gen_require(`
 		attribute file_type;
@@ -250,6 +258,22 @@ interface(`files_dontaudit_getattr_all_dirs',`
 
 ########################################
 ## <summary>
+##	Search all directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_search_all',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir { getattr search };
+')
+
+########################################
+## <summary>
 ##	List the contents of all directories.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 635e6c5..5a92e15 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -112,6 +112,8 @@ files_rw_isid_type_dir(fsadm_t)
 files_rw_isid_type_blk_node(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
+# for tune2fs
+files_search_all(fsadm_t)
 
 init_use_fd(fsadm_t)
 init_use_script_pty(fsadm_t)
diff --git a/refpolicy/policy/modules/system/ipsec.fc b/refpolicy/policy/modules/system/ipsec.fc
index ffe8566..f0aa1f1 100644
--- a/refpolicy/policy/modules/system/ipsec.fc
+++ b/refpolicy/policy/modules/system/ipsec.fc
@@ -29,4 +29,6 @@
 /usr/sbin/racoon		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
+/var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
 /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 554404c..78267cd 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -113,6 +113,7 @@ auth_rw_lastlog(local_login_t)
 auth_rw_faillog(local_login_t)
 auth_exec_pam(local_login_t)
 auth_manage_pam_console_data(local_login_t)
+auth_domtrans_pam_console(local_login_t)
 
 corecmd_list_bin(local_login_t)
 corecmd_list_sbin(local_login_t)
@@ -221,6 +222,10 @@ optional_policy(`locallogin.te',`
 ')
 # Login can polyinstantiate
 polyinstantiater(local_login_t)
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
+')
 ') dnl endif TODO
 
 #################################
diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc
index 5327fda..92c7e5c 100644
--- a/refpolicy/policy/modules/system/miscfiles.fc
+++ b/refpolicy/policy/modules/system/miscfiles.fc
@@ -30,6 +30,7 @@
 
 /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/hwdata(/.*)?		gen_context(system_u:object_r:hwdata_t,s0)
 /usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
 /usr/share/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
 /usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
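Review bot: The new `/usr/share/hwdata(/.*)?` entry refers to `hwdata_t`, but miscfiles.te is not among the 27 files in this commit, so the type must already be declared there for the file-context entry to build. That cannot be confirmed from the diff; if the declaration and a read interface are missing, they belong in the same change.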
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index f8652d9..9959852 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -53,7 +53,7 @@ can_exec(insmod_t, insmod_exec_t)
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
 kernel_mount_debugfs(insmod_t)
-kernel_search_debugfs(insmod_t)
+kernel_read_debugfs(insmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctl(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 4afa29b..0006949 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -188,12 +188,13 @@ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
 allow newrole_t self:fifo_file rw_file_perms;
-allow newrole_t self:unix_dgram_socket sendto;
-allow newrole_t self:unix_stream_socket connectto;
 allow newrole_t self:shm create_shm_perms;
 allow newrole_t self:sem create_sem_perms;
 allow newrole_t self:msgq create_msgq_perms;
 allow newrole_t self:msg { send receive };
+allow newrole_t self:unix_dgram_socket sendto;
+allow newrole_t self:unix_stream_socket connectto;
+allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read };
 
 allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
 allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
@@ -287,6 +288,7 @@ kernel_read_system_state(restorecon_t)
 dev_rw_generic_file(restorecon_t)
 
 fs_getattr_xattr_fs(restorecon_t)
+fs_search_auto_mountpoints(restorecon_t)
 
 mls_file_read_up(restorecon_t)
 mls_file_write_down(restorecon_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
index fe1511a..4511dc4 100644
--- a/refpolicy/policy/modules/system/sysnetwork.fc
+++ b/refpolicy/policy/modules/system/sysnetwork.fc
@@ -21,6 +21,7 @@
 # /sbin
 #
 /sbin/dhclient.*	--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
 /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -45,5 +46,6 @@
 /var/lib/dhcp3?/dhclient.*	gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 
+/var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/run/dhclient.*\.pid --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhclient.*\.leases --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 9cac143..df4f089 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -181,6 +181,7 @@ optional_policy(`netutils.te',`
 
 optional_policy(`nis.te',`
 	nis_use_ypbind(dhcpc_t)
+	nis_signal_ypbind(dhcpc_t)
 	# dhclient sometimes starts ypbind
 	init_exec_script(dhcpc_t)
 	#nis_domtrans_ypbind(dhcpc_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 0d885fc..45dafca 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -57,7 +57,7 @@ ifdef(`targeted_policy',`
 	type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
 	files_type(user_home_t)
 
-	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type;
+	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type;
 	files_type(user_home_dir_t)
 
 	unconfined_role(user_r)
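Review bot: Adding `home_type` to `user_home_dir_t` means every rule written against the `home_type` attribute now also applies to the home directory itself in the targeted policy, not just to its contents. Nothing in the hunk says which rule needed this, so the effective widening is hard to audit. A comment on the type line, e.g. `# home_type so that <interface> also covers the top-level home directory`, would record the reason. The enclosing targeted_policy block starts and ends outside the hunk.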

