[selinux-policy: 746/3172] more merging from 1.27.1-15
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:09:19 UTC 2010
commit 65a2523024aee7dd977aaffe078a7a79796f6fff
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Oct 14 18:22:30 2005 +0000
more merging from 1.27.1-15
strict/domains/program/bluetooth.te | 63 +++++++-
strict/domains/program/crond.te | 5 +-
strict/domains/program/dhcpc.te | 2 +-
strict/domains/program/fsadm.te | 3 +
strict/domains/program/ftpd.te | 6 +-
strict/domains/program/hald.te | 3 +-
strict/domains/program/login.te | 5 +
strict/domains/program/modutil.te | 3 +-
strict/domains/program/mysqld.te | 2 +-
strict/domains/program/named.te | 9 +-
strict/domains/program/restorecon.te | 1 +
strict/file_contexts/distros.fc | 266 ++++++++++++++--------------
strict/file_contexts/program/bluetooth.fc | 3 +
strict/file_contexts/program/dhcpc.fc | 2 +
strict/file_contexts/program/dhcpd.fc | 1 +
strict/file_contexts/program/ftpd.fc | 5 +-
strict/file_contexts/program/ipsec.fc | 1 +
strict/file_contexts/program/mdadm.fc | 2 +-
strict/file_contexts/program/postgresql.fc | 2 +-
strict/file_contexts/program/rpm.fc | 6 +-
strict/file_contexts/program/rsync.fc | 2 +-
strict/file_contexts/program/xdm.fc | 2 +-
strict/file_contexts/program/ypserv.fc | 1 +
strict/file_contexts/types.fc | 2 +
strict/macros/base_user_macros.te | 6 +
strict/macros/program/apache_macros.te | 1 +
strict/macros/program/cdrecord_macros.te | 2 +-
strict/macros/program/mta_macros.te | 2 +-
strict/macros/program/newrole_macros.te | 2 +
strict/macros/program/su_macros.te | 2 +-
30 files changed, 259 insertions(+), 153 deletions(-)
---
diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te
index fc09db6..c25544d 100644
--- a/strict/domains/program/bluetooth.te
+++ b/strict/domains/program/bluetooth.te
@@ -11,16 +11,23 @@
daemon_domain(bluetooth)
file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
+file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
tmp_domain(bluetooth)
+var_lib_domain(bluetooth)
# Use capabilities.
+allow bluetooth_t self:file read;
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:process getsched;
+allow bluetooth_t proc_t:file { getattr read };
+
+allow bluetooth_t self:shm create_shm_perms;
lock_domain(bluetooth)
# Use the network.
-can_network_server(bluetooth_t)
+can_network(bluetooth_t)
can_ypbind(bluetooth_t)
ifdef(`dbusd.te', `
dbusd_client(system, bluetooth)
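Review bot: Replacing `can_network_server(bluetooth_t)` with `can_network(bluetooth_t)` grants the daemon outbound client connectivity on every port in addition to listening, and the mysqld.te hunk makes the same widening for `mysqld_t`; neither hunk records which outbound connection is needed. If this policy's core macros offer a client-only variant, the narrower macro is preferable; otherwise a comment naming the consumer, e.g. `# outbound connections: <which peer/service> -- TODO confirm`, should accompany each rule. The new `file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)` passes no object class, unlike the `sock_file` rule directly above it, so every object bluetooth_t creates under `bluetooth_conf_t` (directories and sockets included) becomes writable `bluetooth_conf_rw_t`; if only the link-key file is meant, add `file` as the fourth argument.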
@@ -35,6 +42,7 @@ dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
# bluetooth_conf_t is the type of the /etc/bluetooth dir.
type bluetooth_conf_t, file_type, sysadmfile;
+type bluetooth_conf_rw_t, file_type, sysadmfile;
# Read /etc/bluetooth
allow bluetooth_t bluetooth_conf_t:dir search;
@@ -44,5 +52,56 @@ allow initrc_t usbfs_t:file { getattr read };
allow bluetooth_t usbfs_t:dir r_dir_perms;
allow bluetooth_t usbfs_t:file rw_file_perms;
allow bluetooth_t bin_t:dir search;
-can_exec(bluetooth_t, bin_t)
+can_exec(bluetooth_t, { bin_t shell_exec_t })
+allow bluetooth_t bin_t:lnk_file read;
+
+#Handle bluetooth serial devices
+allow bluetooth_t tty_device_t:chr_file rw_file_perms;
+allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(bluetooth_t, fonts_t)
+allow bluetooth_t urandom_device_t:chr_file r_file_perms;
+allow bluetooth_t usr_t:file { getattr read };
+
+application_domain(bluetooth_helper, `, nscd_client_domain')
+domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+role system_r types bluetooth_helper_t;
+read_locale(bluetooth_helper_t)
+typeattribute bluetooth_helper_t unrestricted;
+r_dir_file(bluetooth_helper_t, domain)
+allow bluetooth_helper_t bin_t:dir { getattr search };
+can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
+allow bluetooth_helper_t bin_t:lnk_file read;
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:fifo_file rw_file_perms;
+allow bluetooth_helper_t self:process fork;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(bluetooth_helper_t, fonts_t)
+r_dir_file(bluetooth_helper_t, proc_t)
+read_sysctl(bluetooth_helper_t)
+allow bluetooth_helper_t tmp_t:dir search;
+allow bluetooth_helper_t usr_t:file { getattr read };
+allow bluetooth_helper_t home_dir_type:dir search;
+ifdef(`xserver.te', `
+allow bluetooth_helper_t xserver_log_t:dir search;
+allow bluetooth_helper_t xserver_log_t:file { getattr read };
+')
+ifdef(`targeted_policy', `
+allow bluetooth_helper_t tmp_t:sock_file { read write };
+allow bluetooth_helper_t tmpfs_t:file { read write };
+allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+allow bluetooth_t unconfined_t:dbus send_msg;
+allow unconfined_t bluetooth_t:dbus send_msg;
+', `
+ifdef(`xdm.te', `
+allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
+')
+allow bluetooth_t unpriv_userdomain:dbus send_msg;
+allow unpriv_userdomain bluetooth_t:dbus send_msg;
+')
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+dontaudit bluetooth_helper_t default_t:dir { read search };
+dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
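Review bot: `typeattribute bluetooth_helper_t unrestricted;` gives the PIN helper the policy's broadest attribute, yet the same hunk then adds some twenty fine-grained allow and dontaudit rules for that domain; if `unrestricted` already covers them they are dead weight, and if it does not, the reason the helper needs the attribute at all is undocumented. The helper is reached from a network-facing daemon through `domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)` and keeps `bluetooth_t:socket { read write }`, so it is the widest exposure in this change. Either drop the typeattribute and rely on the explicit rules, or precede it with `# TODO: document why bluetooth_helper_t must be unrestricted; the explicit rules below suggest it should not need to be`.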
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index ceb0a45..4649348 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -44,7 +44,7 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
read_locale(crond_t)
# Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
dontaudit crond_t self:capability sys_resource;
# Get security policy decisions.
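Review bot: The `audit_control` capability added to `crond_t` carries no comment, unlike the `# Needed for certwatch` rule in this file's next hunk. CAP_AUDIT_CONTROL lets the holder reconfigure the kernel audit subsystem, including disabling it, so the reason a cron daemon needs it should be recorded next to the rule; if it is only for writing the session's loginuid during PAM setup, say so, e.g. `# audit_control: pam_loginuid writes /proc/self/loginuid -- TODO confirm`.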
@@ -208,4 +208,7 @@ dontaudit system_crond_t removable_t:filesystem getattr;
dontaudit crond_t self:capability sys_tty_config;
ifdef(`apache.te', `
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
+allow system_crond_t httpd_modules_t:lnk_file read;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
')
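Review bot: `can_exec(system_crond_t, httpd_modules_t)` lets every system cron job execute anything labeled `httpd_modules_t`, presumably the whole Apache module directory, not only the certwatch program the comment names. If certwatch is a standalone binary, labeling it `bin_t` (or a dedicated exec type) in the file contexts would avoid granting execute on all modules; at minimum the comment should state the over-approximation, e.g. `# Needed for certwatch; grants exec on all httpd modules -- TODO narrow`. The enclosing `ifdef(`apache.te'` block starts outside the hunk.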
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
index c12bc42..2fff8f5 100644
--- a/strict/domains/program/dhcpc.te
+++ b/strict/domains/program/dhcpc.te
@@ -135,7 +135,6 @@ allow dhcpc_t { userdomain kernel_t }:fd use;
allow dhcpc_t home_root_t:dir search;
allow initrc_t dhcpc_state_t:file { getattr read };
dontaudit dhcpc_t var_lock_t:dir search;
-dontaudit dhcpc_t selinux_config_t:dir search;
allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit dhcpc_t domain:dir getattr;
allow dhcpc_t initrc_var_run_t:file rw_file_perms;
@@ -146,6 +145,7 @@ can_exec(dhcpc_t, initrc_exec_t)
ifdef(`ypbind.te', `
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
+allow dhcpc_t ypbind_t:process signal;
')
ifdef(`ntpd.te', `
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te
index d5a6220..1d01c3d 100644
--- a/strict/domains/program/fsadm.te
+++ b/strict/domains/program/fsadm.te
@@ -118,3 +118,6 @@ allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
allow fsadm_t device_type:chr_file getattr;
+
+# for tune2fs
+allow fsadm_t file_type:dir { getattr search };
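Review bot: `allow fsadm_t file_type:dir { getattr search };` grants search on every directory type in the policy, since `file_type` is the attribute every file type declared on this page carries (see `type named_conf_t, file_type, ...` in the named.te hunk). Search is a modest permission, but it lets fsadm_t path-walk into home directories and other restricted trees; if tune2fs only needs to reach mount points, a rule against `mount_point` (the attribute the named.te hunk uses) or the specific types would be narrower. The comment should also say what is being traversed, e.g. `# for tune2fs: <which paths it resolves> -- TODO confirm`.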
diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te
index ab5101e..b20252b 100644
--- a/strict/domains/program/ftpd.te
+++ b/strict/domains/program/ftpd.te
@@ -99,9 +99,11 @@ bool ftp_home_dir false;
if (ftp_home_dir) {
# allow access to /home
-allow ftpd_t home_root_t:dir { getattr search };
-allow ftpd_t home_dir_type:dir r_dir_perms;
+allow ftpd_t home_root_t:dir r_dir_perms;
create_dir_file(ftpd_t, home_type)
+ifdef(`targeted_policy', `
+file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
+')
}
if (use_nfs_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, nfs_t)
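Review bot: Dropping `allow ftpd_t home_dir_type:dir r_dir_perms;` while keeping only `create_dir_file(ftpd_t, home_type)` relies on every `home_dir_type` type also carrying `home_type`; if any home-directory type has only the former, ftpd_t loses the ability to list users' home directories under `ftp_home_dir`. Widening `home_root_t` from `{ getattr search }` to `r_dir_perms` additionally lets ftpd_t enumerate the entries of the home root, which is a user-enumeration vector if the server accepts anonymous sessions while the boolean is on; if the intent is only to reach a known home directory, the previous `{ getattr search }` suffices. A comment stating which behaviour requires the listing would settle this.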
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
index 9792bee..a51709a 100644
--- a/strict/domains/program/hald.te
+++ b/strict/domains/program/hald.te
@@ -24,7 +24,8 @@ dbusd_client(system, hald)
allow hald_t self:dbus send_msg;
')
-allow hald_t { self proc_t }:file { getattr read };
+allow hald_t self:file { getattr read };
+allow hald_t proc_t:file rw_file_perms;
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t self:fifo_file rw_file_perms;
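Review bot: `allow hald_t proc_t:file rw_file_perms;` upgrades hald from read to read/write on every `proc_t` file rather than a specific one, and the hunk gives no hint which /proc file it writes. Write access under /proc reaches kernel-facing interfaces, so the rule deserves a comment such as `# proc_t write: <which /proc file hald writes> -- TODO confirm`, and if the target is a sysctl it should be covered by the sysctl types (cf. `read_sysctl` elsewhere in this tree) rather than by generic `proc_t`.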
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te
index f0fb1cb..289879b 100644
--- a/strict/domains/program/login.te
+++ b/strict/domains/program/login.te
@@ -62,6 +62,11 @@ can_exec($1_login_t, pam_exec_t)
ifdef(`pamconsole.te', `
rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
+')
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
')
# Use capabilities
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
index 27d960a..f69f2bb 100644
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@@ -140,8 +140,9 @@ allow insmod_t initrc_t:fifo_file { getattr read write };
allow insmod_t fs_t:filesystem getattr;
allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:dir search;
allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
+r_dir_file(insmod_t, debugfs_t)
# Rules for /proc/sys/kernel/tainted
read_sysctl(insmod_t)
diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te
index 8a96d2a..2047b44 100644
--- a/strict/domains/program/mysqld.te
+++ b/strict/domains/program/mysqld.te
@@ -42,7 +42,7 @@ allow mysqld_t proc_t:file { getattr read };
create_dir_file(mysqld_t, mysqld_db_t)
allow mysqld_t var_lib_t:dir { getattr search };
-can_network_server(mysqld_t)
+can_network(mysqld_t)
can_ypbind(mysqld_t)
# read config files
diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te
index 04c0712..08d6718 100644
--- a/strict/domains/program/named.te
+++ b/strict/domains/program/named.te
@@ -36,7 +36,7 @@ allow named_t sbin_t:dir search;
allow named_t self:process { setsched setcap setrlimit };
# A type for configuration files of named.
-type named_conf_t, file_type, sysadmfile;
+type named_conf_t, file_type, sysadmfile, mount_point;
# for primary zone files
type named_zone_t, file_type, sysadmfile;
@@ -101,6 +101,13 @@ allow named_t random_device_t:chr_file r_file_perms;
# Use a pipe created by self.
allow named_t self:fifo_file rw_file_perms;
+# Enable named dbus support:
+ifdef(`dbusd.te', `
+dbusd_client(system, named)
+allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow named_t self:dbus send_msg;
+')
+
# Set own capabilities.
#A type for /usr/sbin/ndc
type ndc_exec_t, file_type,sysadmfile, exec_type;
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
index dc58221..52fff2f 100644
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@@ -63,3 +63,4 @@ allow restorecon_t kernel_t:fd use;
allow restorecon_t kernel_t:fifo_file { read write };
allow restorecon_t kernel_t:unix_dgram_socket { read write };
r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
+allow restorecon_t autofs_t:dir search;
diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc
index 33c7f5e..6024f6a 100644
--- a/strict/file_contexts/distros.fc
+++ b/strict/file_contexts/distros.fc
@@ -1,67 +1,67 @@
ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
-/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t:s0
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
-/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t:s0
-/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t:s0
-/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t:s0
-/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t:s0
-/etc/rhgb(/.*)? -d system_u:object_r:mnt_t:s0
-/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t:s0
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
+/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t
+/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
+/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
+/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t
+/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t
+/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
+/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
+/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
+/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
+/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
+/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
+/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
+/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
+/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
+/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t
+/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t
+/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
+/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t
+/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t
+/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
+/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
+/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t
+/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t
+/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t
+/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t
+/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t
+/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
+/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
+/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
#
# /emul/ia32-linux/usr
#
-/emul(/.*)? system_u:object_r:usr_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
-/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t:s0
+/emul(/.*)? system_u:object_r:usr_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
+/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t
# /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t:s0
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
+/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
# /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t:s0
+/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t
# /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t:s0
+/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t
ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0
+/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t
')
# The following are libraries with text relocations in need of execmod permissions
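Review bot: Every entry in this hunk and the next one drops the `:s0` level from its security context, which makes distros.fc match the other .fc files on this page (bluetooth.fc, dhcpc.fc and dhcpd.fc carry no level), but the commit does not say whether the build appends the MLS/MCS level where one is required. If the file contexts are post-processed to add the level, a one-line comment at the top of the file recording that would keep the suffix from being re-added piecemeal; if they are not, MCS/MLS installs of this policy would get contexts without a level.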
@@ -69,96 +69,96 @@ ifdef(`dbusd.te', `', `
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program(/.*)? system_u:object_r:bin_t:s0
-/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t:s0
-/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program(/.*)? system_u:object_r:bin_t
+/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t
+/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t
# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t
# Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
+HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
# Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t
')
ifdef(`distro_suse', `
-/var/lib/samba/bin/.+ system_u:object_r:bin_t:s0
-/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t:s0
-/usr/lib/samba/classic/.* -- system_u:object_r:bin_t:s0
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/success -- system_u:object_r:etc_runtime_t:s0
-/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t:s0
+/var/lib/samba/bin/.+ system_u:object_r:bin_t
+/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t
+/usr/lib/samba/classic/.* -- system_u:object_r:bin_t
+/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/success -- system_u:object_r:etc_runtime_t
+/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t
')
diff --git a/strict/file_contexts/program/bluetooth.fc b/strict/file_contexts/program/bluetooth.fc
index 69fecd7..da6b056 100644
--- a/strict/file_contexts/program/bluetooth.fc
+++ b/strict/file_contexts/program/bluetooth.fc
@@ -1,8 +1,11 @@
# bluetooth
/etc/bluetooth(/.*)? system_u:object_r:bluetooth_conf_t
+/etc/bluetooth/link_key system_u:object_r:bluetooth_conf_rw_t
/usr/bin/rfcomm -- system_u:object_r:bluetooth_exec_t
/usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t
/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t
/usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t
/var/run/sdp -s system_u:object_r:bluetooth_var_run_t
/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t
+/usr/bin/blue.*pin -- system_u:object_r:bluetooth_helper_exec_t
+/var/lib/bluetooth(/.*)? system_u:object_r:bluetooth_var_lib_t
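Review bot: The new `/etc/bluetooth/link_key` entry has no file-type field, unlike the `--` entries around it; if link_key is a regular file (it holds the pairing keys, so it is the one file in this tree that must not be readable by anything other than bluetooth_t), write it as `/etc/bluetooth/link_key -- system_u:object_r:bluetooth_conf_rw_t` so a directory or symlink of that name cannot pick up the rw type. The `/usr/bin/blue.*pin` pattern is also broader than it needs to be: any file in /usr/bin whose name starts with "blue" and ends with "pin" becomes a bluetooth_helper_exec_t entry point, so enumerating the known PIN-helper names would be safer than the wildcard. A one-line comment above the two helper entries naming which programs they are meant for would make the intent checkable later.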
diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc
index 1390839..a035faa 100644
--- a/strict/file_contexts/program/dhcpc.fc
+++ b/strict/file_contexts/program/dhcpc.fc
@@ -4,9 +4,11 @@
/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t
/etc/dhclient-script -- system_u:object_r:dhcp_etc_t
/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
+/sbin/dhcdbd -- system_u:object_r:dhcpc_exec_t
/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
+/var/lib/dhclient(/.*)? system_u:object_r:dhcpc_state_t
/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t
/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t
# pump
diff --git a/strict/file_contexts/program/dhcpd.fc b/strict/file_contexts/program/dhcpd.fc
index 3e010c3..d26d56d 100644
--- a/strict/file_contexts/program/dhcpd.fc
+++ b/strict/file_contexts/program/dhcpd.fc
@@ -13,6 +13,7 @@ ifdef(`distro_gentoo', `
/etc/dhcp -d system_u:object_r:dhcp_etc_t
/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t
/var/lib/dhcp -d system_u:object_r:dhcp_state_t
+/var/lib/dhcpd(/.*)? system_u:object_r:dhcpd_state_t
/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t
diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc
index 6865fc5..c75f7f1 100644
--- a/strict/file_contexts/program/ftpd.fc
+++ b/strict/file_contexts/program/ftpd.fc
@@ -10,7 +10,8 @@
/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
/var/log/muddleftpd\.log.* -- system_u:object_r:xferlog_t
/var/log/xferlog.* -- system_u:object_r:xferlog_t
+/var/log/vsftpd.* -- system_u:object_r:xferlog_t
/var/log/xferreport.* -- system_u:object_r:xferlog_t
/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t
-/var/ftp(/.*)? system_u:object_r:ftpd_anon_t
-/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t
+/var/ftp(/.*)? system_u:object_r:public_content_t
+/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t
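Review bot: Relabeling `/var/ftp` and `/srv/*/ftp` from ftpd_anon_t to public_content_t changes who may read these trees, since public_content_t is (by its name and use elsewhere) a type shared across several content-serving domains rather than one private to ftpd; the same switch is made for `/srv/*/rsync` in the rsync.fc hunk below. The commit message does not mention this, so a comment such as `# anonymous ftp roots are shared read-only content, see public_content_t` above these two lines would help whoever next audits the anon tree. Sites that previously relied on ftpd_t write rules against ftpd_anon_t for upload directories will need a separate writable type, which this commit does not provide; worth noting in the changelog.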
diff --git a/strict/file_contexts/program/ipsec.fc b/strict/file_contexts/program/ipsec.fc
index 7df06bb..e915b75 100644
--- a/strict/file_contexts/program/ipsec.fc
+++ b/strict/file_contexts/program/ipsec.fc
@@ -21,6 +21,7 @@
/usr/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
/usr/local/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
/var/run/pluto(/.*)? system_u:object_r:ipsec_var_run_t
+/var/racoon(/.*)? system_u:object_r:ipsec_var_run_t
# Kame
/usr/sbin/racoon -- system_u:object_r:ipsec_exec_t
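Review bot: The new `/var/racoon(/.*)?` entry is placed above the `# Kame` comment, among the pluto/openswan entries, although racoon is the Kame implementation whose binary is listed right after that comment. Moving the line directly below `/usr/sbin/racoon -- system_u:object_r:ipsec_exec_t` keeps each implementation's paths grouped and avoids a later reader assuming the directory belongs to pluto.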
diff --git a/strict/file_contexts/program/mdadm.fc b/strict/file_contexts/program/mdadm.fc
index 7ca9f0d..6f295ca 100644
--- a/strict/file_contexts/program/mdadm.fc
+++ b/strict/file_contexts/program/mdadm.fc
@@ -1,4 +1,4 @@
# mdadm - manage MD devices aka Linux Software Raid.
/sbin/mdmpd -- system_u:object_r:mdadm_exec_t
/sbin/mdadm -- system_u:object_r:mdadm_exec_t
-/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t
+/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t
diff --git a/strict/file_contexts/program/postgresql.fc b/strict/file_contexts/program/postgresql.fc
index b433c60..dc644c1 100644
--- a/strict/file_contexts/program/postgresql.fc
+++ b/strict/file_contexts/program/postgresql.fc
@@ -16,5 +16,5 @@
/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t
ifdef(`distro_redhat', `
/usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t
-/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t
+/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t
')
diff --git a/strict/file_contexts/program/rpm.fc b/strict/file_contexts/program/rpm.fc
index 7d60837..c659e65 100644
--- a/strict/file_contexts/program/rpm.fc
+++ b/strict/file_contexts/program/rpm.fc
@@ -5,7 +5,7 @@
/usr/bin/yum -- system_u:object_r:rpm_exec_t
/usr/bin/apt-get -- system_u:object_r:rpm_exec_t
/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
-/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
+/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
/usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t
/usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t
/usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t
@@ -23,3 +23,7 @@ ifdef(`distro_suse', `
/var/lib/YaST2(/.*)? system_u:object_r:rpm_var_lib_t
/var/log/YaST2(/.*)? system_u:object_r:rpm_log_t
')
+
+ifdef(`mls_policy', `
+/sbin/cpio -- system_u:object_r:rpm_exec_t
+')
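Review bot: Labeling `/sbin/cpio` as rpm_exec_t under mls_policy makes a general-purpose archive tool an entry point into rpm_t, so any domain that has a transition on rpm_exec_t will run every invocation of cpio in rpm_t, not only the ones rpm performs during package install; whether that is acceptable depends on how privileged rpm_t is in the MLS configuration, which is not visible here. The block carries no explanation, so at minimum add a comment such as `# MLS: rpm unpacks payloads via cpio, which must run in rpm_t` and confirm that no user-reachable domain transitions on rpm_exec_t. If only rpm_t itself needs to execute cpio, a can_exec-style rule in the policy module would be narrower than relabeling the binary.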
diff --git a/strict/file_contexts/program/rsync.fc b/strict/file_contexts/program/rsync.fc
index a146940..9bce3d5 100644
--- a/strict/file_contexts/program/rsync.fc
+++ b/strict/file_contexts/program/rsync.fc
@@ -1,3 +1,3 @@
# rsync program
/usr/bin/rsync -- system_u:object_r:rsync_exec_t
-/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t
+/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t
diff --git a/strict/file_contexts/program/xdm.fc b/strict/file_contexts/program/xdm.fc
index 6ee91a1..16c2d7d 100644
--- a/strict/file_contexts/program/xdm.fc
+++ b/strict/file_contexts/program/xdm.fc
@@ -3,7 +3,7 @@
/usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
/opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t
/usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t
-/usr/bin/gdm-binary -- system_u:object_r:xdm_exec_t
+/usr/(s)?bin/gdm-binary -- system_u:object_r:xdm_exec_t
/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t
/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t
/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t
diff --git a/strict/file_contexts/program/ypserv.fc b/strict/file_contexts/program/ypserv.fc
index 5622afb..519a5a4 100644
--- a/strict/file_contexts/program/ypserv.fc
+++ b/strict/file_contexts/program/ypserv.fc
@@ -1,3 +1,4 @@
# ypserv
/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t
+/usr/lib/yp/.+ -- system_u:object_r:bin_t
/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t
diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc
index b712037..d8fe1b6 100644
--- a/strict/file_contexts/types.fc
+++ b/strict/file_contexts/types.fc
@@ -133,6 +133,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t
/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
/dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t
+/dev/rfcomm[0-9]+ -c system_u:object_r:tty_device_t
/dev/isdn.* -c system_u:object_r:tty_device_t
/dev/.*tty[^/]* -c system_u:object_r:tty_device_t
/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t
@@ -485,6 +486,7 @@ HOME_ROOT/lost\+found/.* <<none>>
# Turboprint
#
/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t
+/usr/share/hwdata(/.*)? system_u:object_r:hwdata_t
#
# initrd mount point, only used during boot
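Review bot: The new `/usr/share/hwdata(/.*)?` entry references hwdata_t, but no type-declaration file appears in this commit's diffstat; if hwdata_t is not already declared in the base types, setfiles/restorecon will reject or skip the entry and the tree keeps its previous label. Please confirm the declaration exists, and consider a short comment above the line stating which domains are expected to read hwdata_t, since it sits in the Turboprint section where that is not obvious.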
diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te
index 4db1e62..4c5b36a 100644
--- a/strict/macros/base_user_macros.te
+++ b/strict/macros/base_user_macros.te
@@ -40,6 +40,12 @@ file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_f
allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
can_setfscreate($1_t)
+ifdef(`ftpd.te' , `
+if (ftpd_is_daemon) {
+file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+}
+')
+
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
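Review bot: The added `file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)` grants ftpd_t create and write access into every user's home directory as soon as ftpd_is_daemon is on, because that macro includes creation permissions on the new type, and there is no separate tunable for home-directory FTP access; sites that run ftpd as a daemon for anonymous service only would still get the write rules. Gating the block on a dedicated boolean for user-home FTP access, or at least documenting the exposure with a comment such as `# ftpd_is_daemon: ftpd may create files in user home directories`, would make the trade-off explicit. The stray space in ``ifdef(`ftpd.te' , ` `` should also be dropped to match the other ifdef lines. The enclosing user macro begins and ends outside this hunk.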
diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te
index b19d3f7..ea98391 100644
--- a/strict/macros/program/apache_macros.te
+++ b/strict/macros/program/apache_macros.te
@@ -84,6 +84,7 @@ allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_per
# the perl executable will be able to run a perl script
#########################################################################
can_exec_any(httpd_$1_script_t)
+
allow httpd_$1_script_t etc_t:file { getattr read };
dontaudit httpd_$1_script_t selinux_config_t:dir search;
diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te
index 8b94a00..fc1fc95 100644
--- a/strict/macros/program/cdrecord_macros.te
+++ b/strict/macros/program/cdrecord_macros.te
@@ -41,7 +41,7 @@ allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+can_access_pty($1_cdrecord_t, $1)
allow $1_cdrecord_t $1_home_t:dir search;
allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
allow $1_cdrecord_t $1_home_t:file r_file_perms;
diff --git a/strict/macros/program/mta_macros.te b/strict/macros/program/mta_macros.te
index cc73d63..930d1a2 100644
--- a/strict/macros/program/mta_macros.te
+++ b/strict/macros/program/mta_macros.te
@@ -68,7 +68,7 @@ ifdef(`crond.te', `
allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
allow mta_user_agent system_crond_tmp_t:file { read getattr };
')
-allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
+can_access_pty(system_mail_t, initrc)
', `
# For when the user wants to send mail via port 25 localhost
diff --git a/strict/macros/program/newrole_macros.te b/strict/macros/program/newrole_macros.te
index c7a143e..0d52282 100644
--- a/strict/macros/program/newrole_macros.te
+++ b/strict/macros/program/newrole_macros.te
@@ -20,6 +20,8 @@ uses_shlib($1_t)
read_locale($1_t)
read_sysctl($1_t)
+allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
+
# for when the user types "exec newrole" at the command line
allow $1_t privfd:process sigchld;
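Review bot: The new `allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };` applies to $1_t itself, which in this macro appears to be the caller's user domain rather than a newrole-specific one, so every process in that domain gains the ability to open and query the audit netlink socket, not only newrole. The permission set grants nlmsg_read (querying audit status) but not nlmsg_relay; if the intent is for newrole to emit user-level audit records of role changes, confirm against the target kernel which permission those messages are checked under. A comment stating the purpose, e.g. `# newrole reports role changes through the audit netlink socket`, would make the rule reviewable.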
diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te
index ca2f2be..206f58e 100644
--- a/strict/macros/program/su_macros.te
+++ b/strict/macros/program/su_macros.te
@@ -54,7 +54,7 @@ allow $1_su_t proc_t:file read;
allow $1_su_t self:process { setsched setrlimit };
allow $1_su_t device_t:dir search;
allow $1_su_t self:process { fork sigchld };
-can_ypbind($1_su_t)
+nsswitch_domain($1_su_t)
r_dir_file($1_su_t, selinux_config_t)
dontaudit $1_su_t shadow_t:file { getattr read };