[selinux-policy: 746/3172] more merging from 1.27.1-15

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:09:19 UTC 2010


commit 65a2523024aee7dd977aaffe078a7a79796f6fff
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Oct 14 18:22:30 2005 +0000

    more merging from 1.27.1-15

 strict/domains/program/bluetooth.te        |   63 +++++++-
 strict/domains/program/crond.te            |    5 +-
 strict/domains/program/dhcpc.te            |    2 +-
 strict/domains/program/fsadm.te            |    3 +
 strict/domains/program/ftpd.te             |    6 +-
 strict/domains/program/hald.te             |    3 +-
 strict/domains/program/login.te            |    5 +
 strict/domains/program/modutil.te          |    3 +-
 strict/domains/program/mysqld.te           |    2 +-
 strict/domains/program/named.te            |    9 +-
 strict/domains/program/restorecon.te       |    1 +
 strict/file_contexts/distros.fc            |  266 ++++++++++++++--------------
 strict/file_contexts/program/bluetooth.fc  |    3 +
 strict/file_contexts/program/dhcpc.fc      |    2 +
 strict/file_contexts/program/dhcpd.fc      |    1 +
 strict/file_contexts/program/ftpd.fc       |    5 +-
 strict/file_contexts/program/ipsec.fc      |    1 +
 strict/file_contexts/program/mdadm.fc      |    2 +-
 strict/file_contexts/program/postgresql.fc |    2 +-
 strict/file_contexts/program/rpm.fc        |    6 +-
 strict/file_contexts/program/rsync.fc      |    2 +-
 strict/file_contexts/program/xdm.fc        |    2 +-
 strict/file_contexts/program/ypserv.fc     |    1 +
 strict/file_contexts/types.fc              |    2 +
 strict/macros/base_user_macros.te          |    6 +
 strict/macros/program/apache_macros.te     |    1 +
 strict/macros/program/cdrecord_macros.te   |    2 +-
 strict/macros/program/mta_macros.te        |    2 +-
 strict/macros/program/newrole_macros.te    |    2 +
 strict/macros/program/su_macros.te         |    2 +-
 30 files changed, 259 insertions(+), 153 deletions(-)
---
diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te
index fc09db6..c25544d 100644
--- a/strict/domains/program/bluetooth.te
+++ b/strict/domains/program/bluetooth.te
@@ -11,16 +11,23 @@
 daemon_domain(bluetooth)
 
 file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
+file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
 
 tmp_domain(bluetooth)
+var_lib_domain(bluetooth)
 
 # Use capabilities.
+allow bluetooth_t self:file read;
 allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:process getsched;
+allow bluetooth_t proc_t:file { getattr read };
+
+allow bluetooth_t self:shm create_shm_perms;
 
 lock_domain(bluetooth)
 
 # Use the network.
-can_network_server(bluetooth_t)
+can_network(bluetooth_t)
 can_ypbind(bluetooth_t)
 ifdef(`dbusd.te', `
 dbusd_client(system, bluetooth)
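Review bot: Replacing `can_network_server(bluetooth_t)` with `can_network(bluetooth_t)` widens the daemon's network access, and nothing in the hunk says which use requires it. If `can_network` is the union of the client and server macros, as its name suggests (confirm against the macro definition), bluetooth_t gains outbound connections in addition to accepting them. If that is intended, record it next to the rule, e.g. `# also needs outbound connections: <reason>`; otherwise keep the server-only macro. The same swap is made for mysqld_t in strict/domains/program/mysqld.te and needs the same justification.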
@@ -35,6 +42,7 @@ dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
 
 # bluetooth_conf_t is the type of the /etc/bluetooth dir.
 type bluetooth_conf_t, file_type, sysadmfile;
+type bluetooth_conf_rw_t, file_type, sysadmfile;
 
 # Read /etc/bluetooth
 allow bluetooth_t bluetooth_conf_t:dir search;
@@ -44,5 +52,56 @@ allow initrc_t usbfs_t:file { getattr read };
 allow bluetooth_t usbfs_t:dir r_dir_perms;
 allow bluetooth_t usbfs_t:file rw_file_perms; 
 allow bluetooth_t bin_t:dir search;
-can_exec(bluetooth_t, bin_t)
+can_exec(bluetooth_t, { bin_t shell_exec_t })
+allow bluetooth_t bin_t:lnk_file read;
+
+#Handle bluetooth serial devices
+allow bluetooth_t tty_device_t:chr_file rw_file_perms;
+allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(bluetooth_t, fonts_t)
+allow bluetooth_t urandom_device_t:chr_file r_file_perms;
+allow bluetooth_t usr_t:file { getattr read };
+
+application_domain(bluetooth_helper, `, nscd_client_domain')
+domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+role system_r types bluetooth_helper_t;
+read_locale(bluetooth_helper_t) 
+typeattribute bluetooth_helper_t unrestricted;
+r_dir_file(bluetooth_helper_t, domain)
+allow bluetooth_helper_t bin_t:dir { getattr search };
+can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
+allow bluetooth_helper_t bin_t:lnk_file read;
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:fifo_file rw_file_perms;
+allow bluetooth_helper_t self:process fork;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(bluetooth_helper_t, fonts_t)
+r_dir_file(bluetooth_helper_t, proc_t)
+read_sysctl(bluetooth_helper_t)
+allow bluetooth_helper_t tmp_t:dir search;
+allow bluetooth_helper_t usr_t:file { getattr read };
+allow bluetooth_helper_t home_dir_type:dir search;
+ifdef(`xserver.te', `
+allow bluetooth_helper_t xserver_log_t:dir search;
+allow bluetooth_helper_t xserver_log_t:file { getattr read };
+')
+ifdef(`targeted_policy', `
+allow bluetooth_helper_t tmp_t:sock_file { read write };
+allow bluetooth_helper_t tmpfs_t:file { read write };
+allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+allow bluetooth_t unconfined_t:dbus send_msg;
+allow unconfined_t bluetooth_t:dbus send_msg;
+', `
+ifdef(`xdm.te', `
+allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
+')
+allow bluetooth_t unpriv_userdomain:dbus send_msg;
+allow unpriv_userdomain bluetooth_t:dbus send_msg;
+')
+allow bluetooth_helper_t bluetooth_t:socket { read write };
 
+dontaudit bluetooth_helper_t default_t:dir { read search };
+dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
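Review bot: `typeattribute bluetooth_helper_t unrestricted;` and `r_dir_file(bluetooth_helper_t, domain)` grant the PIN helper much more than its other rules suggest it needs, and neither carries a comment. The second rule gives read access to directories and files labelled with any domain type, which in practice should mean every process's /proc entry. The `unrestricted` attribute presumably exempts the type from assertions that apply to confined domains; confirm against its definition. bluetooth_t auto-transitions into this domain and both may execute `shell_exec_t`, so the helper's privileges are effectively reachable from the daemon. I would drop the attribute unless a specific rule requires it, narrow the read to `r_dir_file(bluetooth_helper_t, self)` if only the helper's own /proc entry is needed, and otherwise add a comment such as `# unrestricted: <reason>`.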
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index ceb0a45..4649348 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -44,7 +44,7 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 read_locale(crond_t)
 
 # Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
 dontaudit crond_t self:capability sys_resource;
 
 # Get security policy decisions.
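Review bot: `audit_control` is added to crond_t's capability set without a comment, and it is a strong capability: CAP_AUDIT_CONTROL permits changing the kernel audit configuration, not only emitting audit records. If the need is only to set the login UID for cron sessions (presumably via pam_loginuid; confirm), state that next to the rule, e.g. `# audit_control: needed to set loginuid for cron sessions`, so the grant can be dropped once it is no longer required.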
@@ -208,4 +208,7 @@ dontaudit system_crond_t removable_t:filesystem getattr;
 dontaudit crond_t self:capability sys_tty_config;
 ifdef(`apache.te', `
 allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
+allow system_crond_t httpd_modules_t:lnk_file read;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
 ')
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
index c12bc42..2fff8f5 100644
--- a/strict/domains/program/dhcpc.te
+++ b/strict/domains/program/dhcpc.te
@@ -135,7 +135,6 @@ allow dhcpc_t { userdomain kernel_t }:fd use;
 allow dhcpc_t home_root_t:dir search;
 allow initrc_t dhcpc_state_t:file { getattr read };
 dontaudit dhcpc_t var_lock_t:dir search;
-dontaudit dhcpc_t selinux_config_t:dir search;
 allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit dhcpc_t domain:dir getattr;
 allow dhcpc_t initrc_var_run_t:file rw_file_perms;
@@ -146,6 +145,7 @@ can_exec(dhcpc_t, initrc_exec_t)
 ifdef(`ypbind.te', `
 domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
 allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
+allow dhcpc_t ypbind_t:process signal;
 ')
 ifdef(`ntpd.te', `
 domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te
index d5a6220..1d01c3d 100644
--- a/strict/domains/program/fsadm.te
+++ b/strict/domains/program/fsadm.te
@@ -118,3 +118,6 @@ allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
 allow fsadm_t usbfs_t:dir { getattr search };
 allow fsadm_t ramfs_t:fifo_file rw_file_perms;
 allow fsadm_t device_type:chr_file getattr;
+
+# for tune2fs
+allow fsadm_t file_type:dir { getattr search };
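Review bot: `allow fsadm_t file_type:dir { getattr search };` applies to every directory type in the policy, and the comment `# for tune2fs` does not say why traversal of the whole tree is needed. The grant is limited to getattr and search, so it does not allow listing, but it removes directory labels as a barrier for a domain that already has raw block-device access. Extend the comment to name the path tune2fs has to reach, or restrict the rule to the directory types on that path.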
diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te
index ab5101e..b20252b 100644
--- a/strict/domains/program/ftpd.te
+++ b/strict/domains/program/ftpd.te
@@ -99,9 +99,11 @@ bool ftp_home_dir false;
 
 if (ftp_home_dir) {
 # allow access to /home
-allow ftpd_t home_root_t:dir { getattr search };
-allow ftpd_t home_dir_type:dir r_dir_perms;
+allow ftpd_t home_root_t:dir r_dir_perms;
 create_dir_file(ftpd_t, home_type)
+ifdef(`targeted_policy', `
+file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
+')
 }
 if (use_nfs_home_dirs && ftp_home_dir) {
 	r_dir_file(ftpd_t, nfs_t)
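Review bot: `allow ftpd_t home_root_t:dir r_dir_perms;` widens the previous `{ getattr search }` on the home root to include reading the directory, so with `ftp_home_dir` enabled the FTP daemon can list the home root (assuming home_root_t labels /home) and so enumerate account names. Nothing in the hunk needs listing there; if traversal is enough, keep `allow ftpd_t home_root_t:dir { getattr search };`. The hunk also drops the explicit `home_dir_type:dir r_dir_perms` rule, so confirm that `create_dir_file(ftpd_t, home_type)` still covers the per-user home directory types in the strict policy, where the new `file_type_auto_trans` does not apply.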
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
index 9792bee..a51709a 100644
--- a/strict/domains/program/hald.te
+++ b/strict/domains/program/hald.te
@@ -24,7 +24,8 @@ dbusd_client(system, hald)
 allow hald_t self:dbus send_msg;
 ')
 
-allow hald_t { self proc_t }:file { getattr read };
+allow hald_t self:file { getattr read };
+allow hald_t proc_t:file rw_file_perms;
 
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t self:fifo_file rw_file_perms;
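Review bot: `allow hald_t proc_t:file rw_file_perms;` raises hald's access to generically labelled /proc files from `{ getattr read }` to read-write, with no comment naming the file it has to write. proc_t is the catch-all label for /proc entries, so the grant covers whatever is writable there rather than one control file. Add a comment identifying the target, e.g. `# hald writes <proc file>: <reason>`, or give that file a specific type and grant write on it alone.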
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te
index f0fb1cb..289879b 100644
--- a/strict/domains/program/login.te
+++ b/strict/domains/program/login.te
@@ -62,6 +62,11 @@ can_exec($1_login_t, pam_exec_t)
 
 ifdef(`pamconsole.te', `
 rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
+')
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
 ')
 
 # Use capabilities
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
index 27d960a..f69f2bb 100644
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@@ -140,8 +140,9 @@ allow insmod_t initrc_t:fifo_file { getattr read write };
 
 allow insmod_t fs_t:filesystem getattr;
 allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:dir search;
 allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
+r_dir_file(insmod_t, debugfs_t)
 
 # Rules for /proc/sys/kernel/tainted
 read_sysctl(insmod_t)
diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te
index 8a96d2a..2047b44 100644
--- a/strict/domains/program/mysqld.te
+++ b/strict/domains/program/mysqld.te
@@ -42,7 +42,7 @@ allow mysqld_t proc_t:file { getattr read };
 create_dir_file(mysqld_t, mysqld_db_t)
 allow mysqld_t var_lib_t:dir { getattr search };
 
-can_network_server(mysqld_t)
+can_network(mysqld_t)
 can_ypbind(mysqld_t)
 
 # read config files
diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te
index 04c0712..08d6718 100644
--- a/strict/domains/program/named.te
+++ b/strict/domains/program/named.te
@@ -36,7 +36,7 @@ allow named_t sbin_t:dir search;
 allow named_t self:process { setsched setcap setrlimit };
 
 # A type for configuration files of named.
-type named_conf_t, file_type, sysadmfile;
+type named_conf_t, file_type, sysadmfile, mount_point;
 
 # for primary zone files
 type named_zone_t, file_type, sysadmfile;
@@ -101,6 +101,13 @@ allow named_t random_device_t:chr_file r_file_perms;
 # Use a pipe created by self.
 allow named_t self:fifo_file rw_file_perms;
 
+# Enable named dbus support:
+ifdef(`dbusd.te', `
+dbusd_client(system, named)
+allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow named_t self:dbus send_msg;
+')
+
 # Set own capabilities.
 #A type for /usr/sbin/ndc
 type ndc_exec_t, file_type,sysadmfile, exec_type;
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
index dc58221..52fff2f 100644
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@@ -63,3 +63,4 @@ allow restorecon_t kernel_t:fd use;
 allow restorecon_t kernel_t:fifo_file { read write };
 allow restorecon_t kernel_t:unix_dgram_socket { read write };
 r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
+allow restorecon_t autofs_t:dir search;
diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc
index 33c7f5e..6024f6a 100644
--- a/strict/file_contexts/distros.fc
+++ b/strict/file_contexts/distros.fc
@@ -1,67 +1,67 @@
 ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
-/usr/share/rhn/rhn_applet/needed-packages\.py	--	system_u:object_r:bin_t:s0
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
-/usr/share/switchdesk/switchdesk-gui\.py	--	system_u:object_r:bin_t:s0
-/usr/share/system-config-network/neat-control\.py	--	system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/nfs-export\.py	--	system_u:object_r:bin_t:s0
-/usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t:s0
-/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t:s0
-/usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t:s0
-/etc/rhgb(/.*)?		-d		system_u:object_r:mnt_t:s0
-/usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t:s0
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
+/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t
+/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
+/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
+/usr/share/rhn/rhn_applet/needed-packages\.py	--	system_u:object_r:bin_t
+/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t
+/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
+/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
+/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
+/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
+/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
+/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
+/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
+/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
+/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
+/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t
+/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t
+/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
+/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t
+/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t
+/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
+/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
+/usr/share/switchdesk/switchdesk-gui\.py	--	system_u:object_r:bin_t
+/usr/share/system-config-network/neat-control\.py	--	system_u:object_r:bin_t
+/usr/share/system-config-nfs/nfs-export\.py	--	system_u:object_r:bin_t
+/usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t
+/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
+/usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
+/etc/rhgb(/.*)?		-d		system_u:object_r:mnt_t
+/usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
 #
 # /emul/ia32-linux/usr
 #
-/emul(/.*)?				system_u:object_r:usr_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?		system_u:object_r:lib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/emul/ia32-linux/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
-/emul/ia32-linux/usr/libexec(/.*)?		system_u:object_r:bin_t:s0
+/emul(/.*)?				system_u:object_r:usr_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?		system_u:object_r:lib_t
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/emul/ia32-linux/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
+/emul/ia32-linux/usr/libexec(/.*)?		system_u:object_r:bin_t
 # /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)?					system_u:object_r:lib_t:s0
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
+/emul/ia32-linux/lib(/.*)?					system_u:object_r:lib_t
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
 # /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)?			system_u:object_r:bin_t:s0
+/emul/ia32-linux/bin(/.*)?			system_u:object_r:bin_t
 # /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)?			system_u:object_r:sbin_t:s0
+/emul/ia32-linux/sbin(/.*)?			system_u:object_r:sbin_t
 
 ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t:s0
+/var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t
 ')
 
 # The following are libraries with text relocations in need of execmod permissions
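Review bot: Several path regexes on the new side leave `.` unescaped, so it matches any character: `system-config-lvm.py` in this hunk, and `libxpcom_core.so`, `libdivxdecore.so.0`, `libdivxencore.so.0` and `libdeploy.so` in the next hunk of this file. Neighbouring entries escape it (`system-config-date\.py`), so these look like oversights that survive the merge. For the texrel_shlib_t entries the looser pattern can label more files with a type that the file's own comment ties to execmod permission. Suggested form: `/usr/share/system-config-lvm/system-config-lvm\.py`, with the same `\.` applied to the other four patterns.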
@@ -69,96 +69,96 @@ ifdef(`dbusd.te', `', `
 
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
 # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libglide3\.so.* 			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdv\.so.* 				-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/oggfformat\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/theorarend\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/vorbisrend\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/colorcvt\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/cvt1\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libSDL-.*\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libfglrx_gamma\.so.* 		--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/vg.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/libxpcom_core.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program(/.*)?			system_u:object_r:bin_t:s0
-/usr/lib/.*/program/.*\.so.*			system_u:object_r:shlib_t:s0
-/usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libswd680li\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/librecentfile\.so 	--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsvx680li\.so	--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so  	--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsoffice\.so  	--  system_u:object_r:texrel_shlib_t:s0
+/usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 		-- system_u:object_r:texrel_shlib_t
+/usr/lib/libg\+\+\.so\.2\.7\.2\.8		-- system_u:object_r:texrel_shlib_t
+/usr/lib/libglide3\.so.* 			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libdv\.so.* 				-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/oggfformat\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/theorarend\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/vorbisrend\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/colorcvt\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/cvt1\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libSDL-.*\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libfglrx_gamma\.so.* 		--  system_u:object_r:texrel_shlib_t
+/usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vg.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/libxpcom_core.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program(/.*)?			system_u:object_r:bin_t
+/usr/lib/.*/program/.*\.so.*			system_u:object_r:shlib_t
+/usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libswd680li\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/librecentfile\.so 	--  system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsvx680li\.so	--  system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so  	--  system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsoffice\.so  	--  system_u:object_r:texrel_shlib_t
 
 # Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_iir_1892\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/butterworth_1902\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/fm_osc_1415\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gsm_1215\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gverb_1216\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/hermes_filter_1200\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/highpass_iir_1890\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/lowpass_iir_1891\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/notch_iir_1894\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1193\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1194\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc1_1425\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc2_1426\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc3_1427\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc4_1882\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_iir_1892\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/butterworth_1902\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/fm_osc_1415\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gsm_1215\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gverb_1216\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/hermes_filter_1200\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/highpass_iir_1890\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/lowpass_iir_1891\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/notch_iir_1894\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1193\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1194\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc1_1425\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc2_1426\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc3_1427\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc4_1882\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
+/usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libpostproc\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavformat-.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavcodec-.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libxvidcore\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/xine/plugins/.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libgsm\.so.*				-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libmp3lame\.so.*			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/libpostproc\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libavformat-.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libavcodec-.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libxvidcore\.so.*			-- system_u:object_r:texrel_shlib_t
+/usr/lib/xine/plugins/.*\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libgsm\.so.*				-- system_u:object_r:texrel_shlib_t
+/usr/lib/libmp3lame\.so.*			-- system_u:object_r:texrel_shlib_t
 
 # Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
+HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t
 
 # Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxencore.so.0			-- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxencore.so.0			-- system_u:object_r:texrel_shlib_t
 
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so		-- system_u:object_r:texrel_shlib_t:s0
+/usr/.*/jre/lib/i386/libdeploy.so		-- system_u:object_r:texrel_shlib_t
 
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl  --  system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl  --  system_u:object_r:texrel_shlib_t
 ')
 
 ifdef(`distro_suse', `
-/var/lib/samba/bin/.+					system_u:object_r:bin_t:s0
-/var/lib/samba/bin/.*\.so(\.[^/]*)*		-l	system_u:object_r:lib_t:s0
-/usr/lib/samba/classic/.*			--	system_u:object_r:bin_t:s0
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/success					--	system_u:object_r:etc_runtime_t:s0
-/etc/defkeymap\.map				--	system_u:object_r:etc_runtime_t:s0
+/var/lib/samba/bin/.+					system_u:object_r:bin_t
+/var/lib/samba/bin/.*\.so(\.[^/]*)*		-l	system_u:object_r:lib_t
+/usr/lib/samba/classic/.*			--	system_u:object_r:bin_t
+/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/success					--	system_u:object_r:etc_runtime_t
+/etc/defkeymap\.map				--	system_u:object_r:etc_runtime_t
 ')
diff --git a/strict/file_contexts/program/bluetooth.fc b/strict/file_contexts/program/bluetooth.fc
index 69fecd7..da6b056 100644
--- a/strict/file_contexts/program/bluetooth.fc
+++ b/strict/file_contexts/program/bluetooth.fc
@@ -1,8 +1,11 @@
 # bluetooth
 /etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t
+/etc/bluetooth/link_key		system_u:object_r:bluetooth_conf_rw_t
 /usr/bin/rfcomm		--	system_u:object_r:bluetooth_exec_t
 /usr/sbin/hcid		--	system_u:object_r:bluetooth_exec_t
 /usr/sbin/sdpd		--	system_u:object_r:bluetooth_exec_t
 /usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t
 /var/run/sdp		-s	system_u:object_r:bluetooth_var_run_t
 /usr/sbin/hid2hci	--	system_u:object_r:bluetooth_exec_t
+/usr/bin/blue.*pin	--	system_u:object_r:bluetooth_helper_exec_t
+/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t
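Review bot: The added pattern `/usr/bin/blue.*pin` is wider than it needs to be: `.*` also matches `/`, so with `--` any regular file in a subdirectory of `/usr/bin` whose name starts with `blue`, and whose path ends in `pin`, would be labelled `bluetooth_helper_exec_t`, not only the PIN helper binaries. Keeping the match inside one path component, `/usr/bin/blue[^/]*pin	--	system_u:object_r:bluetooth_helper_exec_t`, follows the `[^/]*` form already used in other entries of this commit. The new `/etc/bluetooth/link_key` entry has no file-type field, so it would also label a directory or symlink of that name; adding `--` would restrict it to the key file, if that is the intent.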
diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc
index 1390839..a035faa 100644
--- a/strict/file_contexts/program/dhcpc.fc
+++ b/strict/file_contexts/program/dhcpc.fc
@@ -4,9 +4,11 @@
 /etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t
 /etc/dhclient-script	--	system_u:object_r:dhcp_etc_t
 /sbin/dhcpcd		--	system_u:object_r:dhcpc_exec_t
+/sbin/dhcdbd		--	system_u:object_r:dhcpc_exec_t
 /sbin/dhclient.*	--	system_u:object_r:dhcpc_exec_t
 /var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t
 /var/lib/dhcpcd(/.*)?		system_u:object_r:dhcpc_state_t
+/var/lib/dhclient(/.*)?		system_u:object_r:dhcpc_state_t
 /var/run/dhclient.*\.pid --	system_u:object_r:dhcpc_var_run_t
 /var/run/dhclient.*\.leases --	system_u:object_r:dhcpc_var_run_t
 # pump
diff --git a/strict/file_contexts/program/dhcpd.fc b/strict/file_contexts/program/dhcpd.fc
index 3e010c3..d26d56d 100644
--- a/strict/file_contexts/program/dhcpd.fc
+++ b/strict/file_contexts/program/dhcpd.fc
@@ -13,6 +13,7 @@ ifdef(`distro_gentoo', `
 /etc/dhcp			-d	system_u:object_r:dhcp_etc_t
 /etc/dhcp(/.*)?			--	system_u:object_r:dhcp_etc_t
 /var/lib/dhcp			-d 	system_u:object_r:dhcp_state_t
+/var/lib/dhcpd(/.*)?			system_u:object_r:dhcpd_state_t
 /var/lib/dhcp/dhcpd\.leases.* 	--	system_u:object_r:dhcpd_state_t
 /var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_var_run_t
 
diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc
index 6865fc5..c75f7f1 100644
--- a/strict/file_contexts/program/ftpd.fc
+++ b/strict/file_contexts/program/ftpd.fc
@@ -10,7 +10,8 @@
 /var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
 /var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t
 /var/log/xferlog.*	--	system_u:object_r:xferlog_t
+/var/log/vsftpd.*	--	system_u:object_r:xferlog_t
 /var/log/xferreport.*	--	system_u:object_r:xferlog_t
 /etc/cron\.monthly/proftpd --	system_u:object_r:ftpd_exec_t
-/var/ftp(/.*)?			system_u:object_r:ftpd_anon_t
-/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:ftpd_anon_t
+/var/ftp(/.*)?			system_u:object_r:public_content_t
+/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:public_content_t
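Review bot: Moving `/var/ftp(/.*)?` and `/srv/([^/]*/)?ftp(/.*)?` from `ftpd_anon_t` to `public_content_t` changes who can read that tree, and the file carries no comment saying so. The type appears to be shared between services (the rsync.fc hunk in this commit assigns it to `/srv/([^/]*/)?rsync(/.*)?`), so anything placed under the FTP root is presumably readable by every domain granted access to `public_content_t`, and an anonymous upload directory would need a separate writable type. A line such as `# public_content_t is shared with other file-serving daemons; keep service-private data out of this tree` above the two entries would record that. Files already on disk keep their old label until they are relabelled, which the commit description does not mention.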
diff --git a/strict/file_contexts/program/ipsec.fc b/strict/file_contexts/program/ipsec.fc
index 7df06bb..e915b75 100644
--- a/strict/file_contexts/program/ipsec.fc
+++ b/strict/file_contexts/program/ipsec.fc
@@ -21,6 +21,7 @@
 /usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
 /var/run/pluto(/.*)?		system_u:object_r:ipsec_var_run_t
+/var/racoon(/.*)?		system_u:object_r:ipsec_var_run_t
 
 # Kame
 /usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
diff --git a/strict/file_contexts/program/mdadm.fc b/strict/file_contexts/program/mdadm.fc
index 7ca9f0d..6f295ca 100644
--- a/strict/file_contexts/program/mdadm.fc
+++ b/strict/file_contexts/program/mdadm.fc
@@ -1,4 +1,4 @@
 # mdadm - manage MD devices aka Linux Software Raid.
 /sbin/mdmpd		--	system_u:object_r:mdadm_exec_t
 /sbin/mdadm		--	system_u:object_r:mdadm_exec_t
-/var/run/mdadm(/.*)?            system_u:object_r:mdadm_var_run_t 
+/var/run/mdadm(/.*)?            system_u:object_r:mdadm_var_run_t
diff --git a/strict/file_contexts/program/postgresql.fc b/strict/file_contexts/program/postgresql.fc
index b433c60..dc644c1 100644
--- a/strict/file_contexts/program/postgresql.fc
+++ b/strict/file_contexts/program/postgresql.fc
@@ -16,5 +16,5 @@
 /usr/lib/pgsql/test/regress/pg_regress	-- system_u:object_r:postgresql_exec_t
 ifdef(`distro_redhat', `
 /usr/share/jonas/pgsql(/.*)?       system_u:object_r:postgresql_db_t
-/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t 
+/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t
 ')
diff --git a/strict/file_contexts/program/rpm.fc b/strict/file_contexts/program/rpm.fc
index 7d60837..c659e65 100644
--- a/strict/file_contexts/program/rpm.fc
+++ b/strict/file_contexts/program/rpm.fc
@@ -5,7 +5,7 @@
 /usr/bin/yum 		--	system_u:object_r:rpm_exec_t
 /usr/bin/apt-get 	--	system_u:object_r:rpm_exec_t
 /usr/bin/apt-shell    	-- 	system_u:object_r:rpm_exec_t
-/usr/bin/synaptic   --    	system_u:object_r:rpm_exec_t 
+/usr/bin/synaptic   --    	system_u:object_r:rpm_exec_t
 /usr/lib(64)?/rpm/rpmd	-- 	system_u:object_r:bin_t
 /usr/lib(64)?/rpm/rpmq	-- 	system_u:object_r:bin_t
 /usr/lib(64)?/rpm/rpmk	-- 	system_u:object_r:bin_t
@@ -23,3 +23,7 @@ ifdef(`distro_suse', `
 /var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t
 /var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t
 ')
+
+ifdef(`mls_policy', `
+/sbin/cpio			--	system_u:object_r:rpm_exec_t
+')
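Review bot: Labelling `/sbin/cpio` as `rpm_exec_t` under `mls_policy` makes a general-purpose archiver an entry point for the package-manager domain, and the block has no comment explaining why. Assuming the usual domain transitions on `rpm_exec_t`, a caller that runs cpio for ordinary archive work would then do so with rpm's privileges, which is far more than unpacking an archive needs. A why-comment above the entry, for example `# cpio runs in the rpm domain under MLS because <reason>`, would make the intent reviewable. If only rpm's own use of cpio is meant, a dedicated type for cpio would limit the effect.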
diff --git a/strict/file_contexts/program/rsync.fc b/strict/file_contexts/program/rsync.fc
index a146940..9bce3d5 100644
--- a/strict/file_contexts/program/rsync.fc
+++ b/strict/file_contexts/program/rsync.fc
@@ -1,3 +1,3 @@
 # rsync program
 /usr/bin/rsync	--	system_u:object_r:rsync_exec_t
-/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:ftpd_anon_t
+/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t
diff --git a/strict/file_contexts/program/xdm.fc b/strict/file_contexts/program/xdm.fc
index 6ee91a1..16c2d7d 100644
--- a/strict/file_contexts/program/xdm.fc
+++ b/strict/file_contexts/program/xdm.fc
@@ -3,7 +3,7 @@
 /usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
 /opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
 /usr/bin/gpe-dm		--	system_u:object_r:xdm_exec_t
-/usr/bin/gdm-binary	--	system_u:object_r:xdm_exec_t
+/usr/(s)?bin/gdm-binary	--	system_u:object_r:xdm_exec_t
 /var/[xgk]dm(/.*)?		system_u:object_r:xserver_log_t
 /usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t
 /var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
diff --git a/strict/file_contexts/program/ypserv.fc b/strict/file_contexts/program/ypserv.fc
index 5622afb..519a5a4 100644
--- a/strict/file_contexts/program/ypserv.fc
+++ b/strict/file_contexts/program/ypserv.fc
@@ -1,3 +1,4 @@
 # ypserv
 /usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t
+/usr/lib/yp/.+			--	system_u:object_r:bin_t
 /etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t
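Review bot: The added `/usr/lib/yp/.+` entry covers only `/usr/lib`, while other library paths touched by this commit are written `lib(64)?` (ipsec.fc, rpm.fc), so on a 64-bit install the helpers under `/usr/lib64/yp` would presumably not receive `bin_t`. `/usr/lib(64)?/yp/.+	--	system_u:object_r:bin_t` would cover both. Note also that `.+` matches across `/`, so every regular file at any depth below the directory becomes `bin_t`, whether it is executable or not.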
diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc
index b712037..d8fe1b6 100644
--- a/strict/file_contexts/types.fc
+++ b/strict/file_contexts/types.fc
@@ -133,6 +133,7 @@ HOME_DIR/.+			system_u:object_r:ROLE_home_t
 /dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
 /dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
 /dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
+/dev/rfcomm[0-9]+	-c	system_u:object_r:tty_device_t
 /dev/isdn.*		-c	system_u:object_r:tty_device_t
 /dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
 /dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t
@@ -485,6 +486,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
 # Turboprint
 #
 /usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t
+/usr/share/hwdata(/.*)? 	        system_u:object_r:hwdata_t
 
 #
 # initrd mount point, only used during boot
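Review bot: The new `/usr/share/hwdata(/.*)?` entry lands directly under the `# Turboprint` heading, so the file now reads as if hwdata belonged to Turboprint. A blank line and its own heading before the entry, e.g. `# hwdata: hardware identification databases`, would keep the sections accurate for whoever audits these labels later.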
diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te
index 4db1e62..4c5b36a 100644
--- a/strict/macros/base_user_macros.te
+++ b/strict/macros/base_user_macros.te
@@ -40,6 +40,12 @@ file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_f
 allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
 can_setfscreate($1_t)
 
+ifdef(`ftpd.te' , `
+if (ftpd_is_daemon) {
+file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+}
+')
+
 allow $1_t self:capability { setgid chown fowner };
 dontaudit $1_t self:capability { sys_nice fsetid };
 
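Review bot: The added `file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)` is conditional on `ftpd_is_daemon` alone, so every role this macro is instantiated for lets a standalone FTP daemon create files in its home directories, whether or not FTP access to home directories is wanted. How ftpd is started and whether it may write into home directories are separate decisions; if the policy has (or gains) a boolean for FTP home-directory access, the condition should include it, e.g. `if (ftpd_is_daemon && <ftp-home-access boolean>) {`. If the macro is also instantiated for administrative roles, that case is worth excluding or at least stating in a comment. The enclosing macro starts and ends outside the hunk, so the set of roles affected cannot be seen from here.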
diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te
index b19d3f7..ea98391 100644
--- a/strict/macros/program/apache_macros.te
+++ b/strict/macros/program/apache_macros.te
@@ -84,6 +84,7 @@ allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_per
 # the perl executable will be able to run a perl script
 #########################################################################
 can_exec_any(httpd_$1_script_t)
+
 allow httpd_$1_script_t etc_t:file { getattr read };
 dontaudit httpd_$1_script_t selinux_config_t:dir search;
 
diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te
index 8b94a00..fc1fc95 100644
--- a/strict/macros/program/cdrecord_macros.te
+++ b/strict/macros/program/cdrecord_macros.te
@@ -41,7 +41,7 @@ allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
 
 allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
 allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+can_access_pty($1_cdrecord_t, $1)
 allow $1_cdrecord_t $1_home_t:dir search;
 allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
 allow $1_cdrecord_t $1_home_t:file r_file_perms;
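Review bot: `can_access_pty($1_cdrecord_t, $1)` replaces an explicit `allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;`, and the macro's definition is not part of this diff, so the resulting permission set cannot be checked from here. The same substitution in the mta_macros.te hunk matters more: there the old rule granted only `{ read write getattr }` on `initrc_devpts_t`, and the macro may grant more than that. Please confirm that the expansion is no wider than the rules it replaces, and record the result next to the call, e.g. `# can_access_pty: same access as the former devpts allow rule`.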
diff --git a/strict/macros/program/mta_macros.te b/strict/macros/program/mta_macros.te
index cc73d63..930d1a2 100644
--- a/strict/macros/program/mta_macros.te
+++ b/strict/macros/program/mta_macros.te
@@ -68,7 +68,7 @@ ifdef(`crond.te', `
 allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
 allow mta_user_agent system_crond_tmp_t:file { read getattr };
 ')
-allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
+can_access_pty(system_mail_t, initrc)
 
 ', `
 # For when the user wants to send mail via port 25 localhost
diff --git a/strict/macros/program/newrole_macros.te b/strict/macros/program/newrole_macros.te
index c7a143e..0d52282 100644
--- a/strict/macros/program/newrole_macros.te
+++ b/strict/macros/program/newrole_macros.te
@@ -20,6 +20,8 @@ uses_shlib($1_t)
 read_locale($1_t)
 read_sysctl($1_t)
 
+allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
+
 # for when the user types "exec newrole" at the command line
 allow $1_t privfd:process sigchld;
 
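Review bot: The new `allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };` has no why-comment, unlike the `privfd` rule just below it. Presumably newrole needs the socket to report role changes to the audit subsystem; a line such as `# newrole talks to the audit subsystem over netlink` would say so. If the purpose is to emit audit records rather than to query audit state, check that `nlmsg_read` is the permission actually required, since it reads as the query-side permission.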
diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te
index ca2f2be..206f58e 100644
--- a/strict/macros/program/su_macros.te
+++ b/strict/macros/program/su_macros.te
@@ -54,7 +54,7 @@ allow $1_su_t proc_t:file read;
 allow $1_su_t self:process { setsched setrlimit };
 allow $1_su_t device_t:dir search;
 allow $1_su_t self:process { fork sigchld };
-can_ypbind($1_su_t)
+nsswitch_domain($1_su_t)
 r_dir_file($1_su_t, selinux_config_t)
 
 dontaudit $1_su_t shadow_t:file { getattr read };
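Review bot: Swapping `can_ypbind($1_su_t)` for `nsswitch_domain($1_su_t)` probably widens what the su domain may do on the network, and the macro body is not in this diff. Going by the name, it covers name-service lookups in general rather than NIS only, and su is a privileged domain that handles authentication. A comment such as `# su resolves users through nsswitch, not only NIS` would record the reason. Please also confirm that the expansion is limited to lookup traffic.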

