[selinux-policy: 1933/3172] trunk: a pile of misc fixes, mainly sync xml docs with interface implementation.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:52:04 UTC 2010


commit 8f3a0a95e07cfacdb21a2e13ac311673ea06bd16
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu May 15 13:10:34 2008 +0000

    trunk: a pile of misc fixes, mainly sync xml docs with interface implementation.

 policy/modules/admin/portage.if       |    9 +++
 policy/modules/apps/awstats.if        |    1 +
 policy/modules/apps/ethereal.if       |    5 --
 policy/modules/apps/evolution.if      |   19 ++++++-
 policy/modules/apps/wireshark.if      |    5 --
 policy/modules/kernel/corecommands.if |   23 +++++++-
 policy/modules/kernel/domain.if       |    5 ++
 policy/modules/kernel/files.if        |   14 +++++-
 policy/modules/kernel/filesystem.if   |   96 ++++++++++++++++++++++++++++++++-
 policy/modules/kernel/terminal.if     |    2 +
 policy/modules/services/fetchmail.if  |   10 ----
 policy/modules/services/mta.if        |    5 ++
 policy/modules/services/ppp.if        |   37 ++++++++-----
 policy/modules/services/privoxy.if    |   10 ----
 policy/modules/services/radius.if     |   28 +++-------
 policy/modules/services/radvd.if      |   10 ----
 policy/modules/services/rwho.if       |   10 ----
 policy/modules/services/sasl.if       |   10 ----
 policy/modules/services/smartmon.if   |   10 ----
 policy/modules/services/snmp.if       |   24 +++------
 policy/modules/services/tftp.if       |   22 ++------
 policy/modules/services/tor.if        |   14 +----
 policy/modules/services/uucp.if       |   32 ++++-------
 policy/modules/services/zabbix.if     |   10 ----
 policy/modules/services/zebra.if      |   10 ----
 policy/modules/system/logging.if      |   34 +-----------
 policy/modules/system/miscfiles.if    |    1 +
 policy/modules/system/modutils.if     |    2 +-
 policy/modules/system/selinuxutil.if  |    4 +-
 policy/modules/system/userdomain.if   |   12 ++---
 30 files changed, 236 insertions(+), 238 deletions(-)
---
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 2c06304..ffa8e29 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -92,6 +92,8 @@ interface(`portage_compile_domain',`
 
 	gen_require(`
 		class dbus send_msg;
+		type portage_devpts_t, portage_log_t, portage_tmp_t;
+		type portage_tmpfs_t;
 	')
 
 	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
@@ -219,6 +221,10 @@ interface(`portage_compile_domain',`
 ## </param>
 #
 interface(`portage_fetch_domain',`
+	gen_require(`
+		type portage_cache_t, portage_conf_t, portage_ebuild_t;
+		type portage_tmp_t, portage_fetch_tmp_t;
+	')
 
 	allow $1 self:capability { dac_override fowner fsetid };
 	allow $1 self:process signal;
@@ -290,6 +296,9 @@ interface(`portage_fetch_domain',`
 ## </param>
 #
 interface(`portage_main_domain',`
+	gen_require(`
+		type portage_log_t, portage_tmp_t;
+	')
 
 	# - setfscreate for merging to live fs
 	# - setexec to run portage fetch
diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if
index 83a657e..5a2b1b5 100644
--- a/policy/modules/apps/awstats.if
+++ b/policy/modules/apps/awstats.if
@@ -34,6 +34,7 @@ interface(`awstats_rw_pipes',`
 interface(`awstats_cgi_exec',`
 	gen_require(`
 		type httpd_awstats_script_exec_t;
+		type httpd_awstats_content_t;
 	')
 
 	allow $1 httpd_awstats_content_t:dir search_dir_perms;
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index b9b8c36..93092bc 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@@ -192,11 +192,6 @@ template(`ethereal_per_role_template',`
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
 #
 template(`ethereal_admin_template',`
 	gen_require(`
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 8a7abdb..384734d 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -809,7 +809,12 @@ template(`evolution_per_role_template',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object">
+## <param name="file_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="class">
 ##	<summary>
 ##	The object class of the object being created.  If
 ##	no class is specified, dir will be used.
@@ -864,6 +869,12 @@ template(`evolution_stream_connect',`
 ##	Send and receive messages from
 ##	evolution over dbus.
 ## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -885,6 +896,12 @@ interface(`evolution_dbus_chat',`
 ##	Send and receive messages from
 ##	evolution_alarm over dbus.
 ## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
index 3d2b8e4..449a07a 100644
--- a/policy/modules/apps/wireshark.if
+++ b/policy/modules/apps/wireshark.if
@@ -192,11 +192,6 @@ template(`wireshark_per_role_template',`
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
 #
 template(`wireshark_admin_template',`
 	gen_require(`
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 1da9eb0..b2a5773 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -199,6 +199,25 @@ interface(`corecmd_getattr_bin_files',`
 
 ########################################
 ## <summary>
+##	Get the attributes of files in bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_dontaudit_getattr_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	dontaudit $1 bin_t:dir search_dir_perms;
+	dontaudit $1 bin_t:file getattr_file_perms;
+')
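Review bot: The XML summary for `corecmd_dontaudit_getattr_bin_files` is copied from the allow interface and says "Get the attributes of files in bin directories", which misdescribes a dontaudit interface; it should read `##	Do not audit attempts to get the attributes of files in bin directories.` and the parameter summary should be `##	Domain to not audit.` as the other dontaudit interfaces in this commit use. It is also worth saying in the summary that the interface silences directory search denials on bin_t as well (`dontaudit $1 bin_t:dir search_dir_perms;`), since the name only mentions file getattr.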
+
+########################################
+## <summary>
 ##	Read files in bin directories.
 ## </summary>
 ## <param name="domain">
@@ -685,7 +704,7 @@ interface(`corecmd_mmap_sbin_files',`
 ## </param>
 #
 interface(`corecmd_sbin_domtrans',`
-	corecmd_bin_domtrans($1,$2,$3)
+	corecmd_bin_domtrans($1,$2)
 	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
 ')
 
@@ -726,7 +745,7 @@ interface(`corecmd_sbin_domtrans',`
 ## </param>
 #
 interface(`corecmd_sbin_spec_domtrans',`
-	corecmd_bin_spec_domtrans($1,$2,$3)
+	corecmd_bin_spec_domtrans($1,$2)
 	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
 ')
 
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 78a953b..46ca635 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1219,6 +1219,11 @@ interface(`domain_mmap_all_entry_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="target_domain">
+##	<summary>
+##      The type of the new process.
+##	</summary>
+## </param>
 #
 # cjp: added for userhelper
 interface(`domain_entry_file_spec_domtrans',`
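Review bot: The new `target_domain` summary line is indented with spaces (`##      The type of the new process.`) while every other doc line in this file uses a tab after `##`; it should be `##	The type of the new process.` so the doc extractor and the surrounding block stay consistent. The interface body of `domain_entry_file_spec_domtrans` starts after the hunk, so the parameter count could not be checked against the implementation here.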
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 7f06066..9978ceb 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4208,7 +4208,7 @@ interface(`files_getattr_generic_locks',`
 #
 interface(`files_manage_generic_locks',`
 	gen_require(`
-		type var_lock_t;
+		type var_t, var_lock_t;
 	')
 
 	allow $1 var_t:dir search_dir_perms;
@@ -4229,6 +4229,7 @@ interface(`files_manage_generic_locks',`
 interface(`files_delete_all_locks',`
 	gen_require(`
 		attribute lockfile;
+		type var_t;
 	')
 
 	allow $1 var_t:dir search_dir_perms;
@@ -4659,6 +4660,17 @@ interface(`files_manage_generic_spool',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="file">
+##	<summary>
+##	Type to which the created node will be transitioned.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object class(es) (single or set including {}) for which this
+##	the transition will occur.
+##	</summary>
+## </param>
 #
 interface(`files_spool_filetrans',`
 	gen_require(`
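Review bot: The new `class` parameter summary has a typo, "for which this the transition will occur"; it should read `##	Object class(es) (single or set including {}) for which` / `##	the transition will occur.` The body of `files_spool_filetrans` continues outside the hunk, so only the documentation was reviewed.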
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 20902e6..df40869 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -779,6 +779,25 @@ interface(`fs_read_noxattr_fs_symlinks',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
+##	dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir list_dir_perms;
+')
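Review bot: The summary of `fs_dontaudit_list_cifs_dirs` says "Do not audit attempts to read dirs" while the rule uses `list_dir_perms` and the interface name says list; for consistency with the naming used elsewhere in this commit (e.g. `fs_dontaudit_list_nfs`), it should read `##	Do not audit attempts to list` / `##	dirs on a CIFS or SMB filesystem.`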
+
+########################################
+## <summary>
+##	Do not audit attempts to read
 ##	files on a CIFS or SMB filesystem.
 ## </summary>
 ## <param name="domain">
@@ -835,6 +854,44 @@ interface(`fs_read_cifs_symlinks',`
 
 ########################################
 ## <summary>
+##	Read named pipes
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cifs_named_pipes',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	read_fifo_files_pattern($1,cifs_t,cifs_t)
+')
+
+########################################
+## <summary>
+##	Read named pipes
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cifs_named_sockets',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	read_sock_files_pattern($1,cifs_t,cifs_t)
+')
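Review bot: The summary of `fs_read_cifs_named_sockets` is a copy of the one above it and says "Read named pipes", although the interface grants `read_sock_files_pattern($1,cifs_t,cifs_t)`; it should read `##	Read named sockets` / `##	on a CIFS or SMB network filesystem.` so the generated interface documentation does not advertise the wrong object class.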
+
+########################################
+## <summary>
 ##	Execute files on a CIFS or SMB
 ##	network filesystem, in the caller
 ##	domain.
@@ -1647,6 +1704,43 @@ interface(`fs_read_nfs_symlinks',`
 	read_lnk_files_pattern($1,nfs_t,nfs_t)
 ')
 
+#########################################
+## <summary>
+##	Read named sockets on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_nfs_named_sockets',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	read_sock_files_pattern($1,nfs_t,nfs_t)
+')
+
+#########################################
+## <summary>
+##  Read named pipes on a NFS network filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_nfs_named_pipes',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	read_fifo_files_pattern($1,nfs_t,nfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Read directories of RPC file system pipes.
@@ -2611,7 +2705,7 @@ interface(`fs_getattr_rpc_pipefs',`
 #
 interface(`fs_rw_rpc_named_pipes',`
 	gen_require(`
-		type nfs_t;
+		type rpc_pipefs_t;
 	')
 
 	allow $1 rpc_pipefs_t:fifo_file { read write };
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index b702156..3c9ebcb 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -625,6 +625,7 @@ interface(`term_dontaudit_use_ptmx',`
 interface(`term_getattr_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
+		type devpts_t;
 	')
 
 	dev_list_all_dev_nodes($1)
@@ -667,6 +668,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 interface(`term_setattr_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
+		type devpts_t;
 	')
 
 	dev_list_all_dev_nodes($1)
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
index d3c709e..ac888be 100644
--- a/policy/modules/services/fetchmail.if
+++ b/policy/modules/services/fetchmail.if
@@ -10,16 +10,6 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the fetchmail domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`fetchmail_admin',`
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index c000e40..1708315 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -293,6 +293,11 @@ template(`mta_admin_template',`
 ##	Type to be used as a mail server domain.
 ##	</summary>
 ## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
 #
 interface(`mta_mailserver',`
 	gen_require(`
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 8954ba6..da7d140 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -102,6 +102,16 @@ interface(`ppp_domtrans',`
 ##	 Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the ppp domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ppp domain to use.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`ppp_run_cond',`
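Review bot: The new `terminal` summary reads "The type of the terminal allow the ppp domain to use", which is missing a word; it should be `##	The type of the terminal to allow the ppp domain to use.` The same sentence is repeated in the `ppp_run` doc block that follows in this file and should be fixed there as well. The body of `ppp_run_cond` lies outside the hunk, so the parameters were checked against the documentation only.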
@@ -126,6 +136,16 @@ interface(`ppp_run_cond',`
 ##	 Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the ppp domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ppp domain to use.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`ppp_run',`
@@ -280,23 +300,13 @@ interface(`ppp_pid_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the ppp domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ppp_admin',`
 	gen_require(`
 		type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
-		type pppd_etc_t, pppd_script_t, pppd_secret_t;
-		type pppd_etc_rw_t, pppd_var_lib_t, pppd_var_run_t;
+		type pppd_etc_t, pppd_secret_t;
+		type pppd_etc_rw_t, pppd_var_run_t;
 
 		type pptp_t, pptp_log_t, pptp_var_run_t;
 	')
@@ -319,9 +329,6 @@ interface(`ppp_admin',`
 
 	manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
 
-	files_list_var_lib($1)
-	manage_files_pattern($1, pppd_var_lib_t, pppd_var_lib_t)
-
 	files_list_pids($1)
 	manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
 
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
index f1be394..af6312e 100644
--- a/policy/modules/services/privoxy.if
+++ b/policy/modules/services/privoxy.if
@@ -10,16 +10,6 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the privoxy domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`privoxy_admin',`
diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
index 0e8fab2..b8a1477 100644
--- a/policy/modules/services/radius.if
+++ b/policy/modules/services/radius.if
@@ -24,38 +24,28 @@ interface(`radius_use',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the radius domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`radius_admin',`
 	gen_require(`
-		type radius_t, radius_etc_t, radius_log_t;
-		type radius_etc_rw_t, radius_var_lib_t, radius_var_run_t;
+		type radiusd_t, radiusd_etc_t, radiusd_log_t;
+		type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
 	')
 
-	allow $1 radius_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, radius_t)
+	allow $1 radiusd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, radiusd_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, radius_etc_t, radius_etc_t)
+	manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, radius_log_t, radius_log_t)
+	manage_files_pattern($1, radiusd_log_t, radiusd_log_t)
 
-	manage_files_pattern($1, radius_etc_rw_t, radius_etc_rw_t)
+	manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, radius_var_lib_t, radius_var_lib_t)
+	manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, radius_var_run_t, radius_var_run_t)
+	manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t)
 ')
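Review bot: The renamed rule `allow $1 radiusd_t:process { ptrace signal_perms getattr };` grants the admin domain ptrace over radiusd, which allows reading the daemon's memory and therefore the RADIUS shared secrets it holds at runtime; this is a notable capability for an interface whose summary (outside this hunk) only says "administrate", and deserves either a sentence in the summary or a reconsideration of whether `signal_perms` plus `ps_process_pattern` is all the admin role needs. If `ps_process_pattern($1, radiusd_t)` already grants `process getattr`, as it appears to in this policy, the `getattr` in the process rule is redundant and can be dropped. The same pattern is used by the other `*_admin` interfaces touched in this commit, so this may be a project-wide convention to confirm rather than a defect of this hunk alone.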
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
index a24aefc..596e3f4 100644
--- a/policy/modules/services/radvd.if
+++ b/policy/modules/services/radvd.if
@@ -10,16 +10,6 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the radvd domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`radvd_admin',`
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
index 0f8dad6..d177de4 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -126,16 +126,6 @@ interface(`rwho_manage_spool_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the rwho domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`rwho_admin',`
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index f5041ae..01ef9cc 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -29,16 +29,6 @@ interface(`sasl_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the sasl domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`sasl_admin',`
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index f52f7e7..56e1f72 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -28,16 +28,6 @@ interface(`smartmon_read_tmp_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the smartmon domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`smartmon_admin',`
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index 579ab1b..2539d93 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -95,33 +95,23 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the snmp domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`snmp_admin',`
 	gen_require(`
-		type snmp_t, snmp_log_t;
-		type snmp_var_lib_t, snmp_var_run_t;
+		type snmpd_t, snmpd_log_t;
+		type snmpd_var_lib_t, snmpd_var_run_t;
 	')
 
-	allow $1 snmp_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, snmp_t)
+	allow $1 snmpd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, snmpd_t)
 	        
 	logging_list_logs($1)
-	manage_files_pattern($1, snmp_log_t, snmp_log_t)
+	manage_files_pattern($1, snmpd_log_t, snmpd_log_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, snmp_var_lib_t, snmp_var_lib_t)
+	manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, snmp_var_run_t, snmp_var_run_t)
+	manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t)
 ')
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 2adcb52..4357c1c 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -10,31 +10,21 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the tftp domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tftp_admin',`
 	gen_require(`
-		type tftp_t, tftpdir_t;
-		type tftp_rw_t, tftp_var_run_t;
+		type tftpd_t, tftpdir_t;
+		type tftpdir_rw_t, tftpd_var_run_t;
 	')
 
-	allow $1 tftp_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, tftp_t)
+	allow $1 tftpd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, tftpd_t)
 	        
-	manage_files_pattern($1, tftp_rw_t, tftp_rw_t)
+	manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 
 	manage_files_pattern($1, tftpdir_t, tftpdir_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, tftp_var_run_t, tftp_var_run_t)
+	manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t)
 ')
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index 513fb4d..15146c0 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -28,21 +28,11 @@ interface(`tor_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the tor domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tor_admin',`
 	gen_require(`
-		type tor_t, tor_log_t, tor_etc_t;
+		type tor_t, tor_var_log_t, tor_etc_t;
 		type tor_var_lib_t, tor_var_run_t;
 	')
 
@@ -50,7 +40,7 @@ interface(`tor_admin',`
 	ps_process_pattern($1, tor_t)
 	        
 	logging_list_logs($1)
-	manage_files_pattern($1, tor_log_t, tor_log_t)
+	manage_files_pattern($1, tor_var_log_t, tor_var_log_t)
 
 	files_list_etc($1)
 	manage_files_pattern($1, tor_etc_t, tor_etc_t)
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
index 699fc79..12d11f6 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -71,41 +71,31 @@ interface(`uucp_domtrans_uux',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the uucp domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`uucp_admin',`
 	gen_require(`
-		type uucp_t, uucp_tmp_t, uucp_log_t;
-		type uucp_spool_t, uucp_ro_t, uucp_rw_t;
-		type uucp_var_run_t;
+		type uucpd_t, uucpd_tmp_t, uucpd_log_t;
+		type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
+		type uucpd_var_run_t;
 	')
 
-	allow $1 uucp_t:process { ptrace signal_perms getattr };
-	ps_process_pattern($1, uucp_t)
+	allow $1 uucpd_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, uucpd_t)
 	        
 	files_list_tmp($1)
-	manage_files_pattern($1, uucp_tmp_t, uucp_tmp_t)
+	manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, uucp_log_t, uucp_log_t)
+	manage_files_pattern($1, uucpd_log_t, uucpd_log_t)
 
 	files_list_spool($1)
-	manage_files_pattern($1, uucp_spool_t, uucp_spool_t)
+	manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
 
-	manage_files_pattern($1, uucp_rw_t, uucp_rw_t)
+	manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t)
 
-	manage_files_pattern($1, uucp_ro_t, uucp_ro_t)
+	manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, uucp_var_run_t, uucp_var_run_t)
+	manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t)
 ')
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index 3360078..bdd8cbc 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -87,16 +87,6 @@ interface(`zabbix_read_pid_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the zabbix domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`zabbix_admin',`
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index f1af65b..bd9f6bc 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -32,16 +32,6 @@ interface(`zebra_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the zebra domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`zebra_admin',`
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index e566ab1..0a0163a 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -690,16 +690,6 @@ interface(`logging_manage_generic_logs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the audit domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`logging_admin_audit',`
@@ -731,16 +721,6 @@ interface(`logging_admin_audit',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the syslog domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`logging_admin_syslog',`
@@ -788,19 +768,9 @@ interface(`logging_admin_syslog',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed to manage the syslog domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the user terminal.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`logging_admin',`
-	logging_admin_audit($1, $2, $3)
-	logging_admin_syslog($1, $2, $3)
+	logging_admin_audit($1)
+	logging_admin_syslog($1)
 ')
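Review bot: Changing `logging_admin` to call `logging_admin_audit($1)` and `logging_admin_syslog($1)` silently narrows the interface to one argument, and because m4 ignores surplus arguments any caller still written as `logging_admin($1, $2, $3)` will compile without warning and keep passing role and terminal arguments that are now dropped. It would be worth grepping the tree for three-argument `logging_admin(` calls and updating them in the same commit, or emitting a `refpolicywarn` when `$2` is non-empty, so the removal of the role/terminal handling is visible rather than silently accepted.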
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index bebb25f..6b178bb 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -382,6 +382,7 @@ interface(`miscfiles_read_tetex_data',`
 interface(`miscfiles_exec_tetex_data',`
 	gen_require(`
 		type fonts_t;
+		type tetex_data_t;
 	')
 
 	files_search_var($1)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 89f7ed6..095bd1e 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -200,7 +200,7 @@ interface(`modutils_domtrans_depmod',`
 #
 interface(`modutils_run_depmod',`
 	gen_require(`
-		type depmod_t;
+		type depmod_t, insmod_t;
 	')
 
 	modutils_domtrans_depmod($1)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 7220070..9ebb939 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -817,7 +817,7 @@ interface(`seutil_read_file_contexts',`
 #
 interface(`seutil_rw_file_contexts',`
 	gen_require(`
-		type selinux_config_t, file_context_t;
+		type selinux_config_t, file_context_t, default_context_t;
 	')
 
 	files_search_etc($1)
@@ -838,7 +838,7 @@ interface(`seutil_rw_file_contexts',`
 #
 interface(`seutil_manage_file_contexts',`
 	gen_require(`
-		type selinux_config_t, file_context_t;
+		type selinux_config_t, file_context_t, default_context_t;
 	')
 
 	files_search_etc($1)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 91ef0a0..824005d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -191,7 +191,7 @@ template(`userdom_ro_home_template',`
 		fs_read_nfs_named_sockets($1_t)
 		fs_read_nfs_named_pipes($1_t)
 	',`
-		fs_dontaudit_read_nfs_dirs($1_t)
+		fs_dontaudit_list_nfs($1_t)
 		fs_dontaudit_read_nfs_files($1_t)
 	')
 
@@ -1112,10 +1112,6 @@ template(`userdom_restricted_xwindows_user_template',`
 	')
 
 	optional_policy(`
-		mono_per_role_template($1, $1_t, $1_r)
-	')
-
-	optional_policy(`
 		setroubleshoot_dontaudit_stream_connect($1_t)
 	')
 ')
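Review bot: Removing the `mono_per_role_template($1, $1_t, $1_r)` call from `userdom_restricted_xwindows_user_template` is a policy change, not a doc sync, and the commit message does not mention it; restricted X users will no longer get the per-role mono domain unless that template was removed or replaced elsewhere. If `mono_per_role_template` no longer exists in the tree, the message should say so; if it does, this deletion looks accidental and should be reverted. The enclosing template starts before this hunk, so the rest of its body was not reviewed.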
@@ -4130,8 +4126,8 @@ interface(`userdom_sysadm_sbin_spec_domtrans_to',`
 ## </param>
 #
 interface(`userdom_sysadm_entry_spec_domtrans_to',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_entry_spec_domtrans_to() instead.')
-	sysadm_entry_spec_domtrans_to($1)
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_entry_spec_domtrans() instead.')
+	sysadm_entry_spec_domtrans($1)
 ')
 
 ########################################
@@ -4850,7 +4846,7 @@ interface(`userdom_search_generic_user_home_dirs',`
 #
 interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
 	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_home_dir_filetrans_home_content() instead.')
-	unprivuser_home_dir_filetrans_home_content($1)
+	unprivuser_home_dir_filetrans_home_content($1, $2)
 ')
 
 ########################################

