trunk: 3 patches from dan.

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.2.20)
+policy_module(corenetwork, 1.2.21)
 
 ########################################
 #
@@ -75,6 +75,7 @@ network_port(amavisd_send, tcp,10025,s0)
 network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
+network_port(audit, tcp,60,s0)
 network_port(auth, tcp,113,s0)
 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict

policy/modules/services/kerberos.if

@@ -313,7 +313,7 @@ interface(`kerberos_admin',`
 		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
 		type krb5kdc_principal_t, krb5kdc_tmp_t;
 		type krb5kdc_var_run_t, krb5_host_rcache_t;
-		type kadmind_spool_t, kadmind_var_lib_t, kpropd_t;
+		type kpropd_t;
 	')
 
 	allow $1 kadmind_t:process { ptrace signal_perms };
@@ -333,15 +333,9 @@ interface(`kerberos_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, kadmind_log_t)
 
-	files_list_spool($1)
-	admin_pattern($1, kadmind_spool_t)
-
 	files_list_tmp($1)
 	admin_pattern($1, kadmind_tmp_t)
 
-	files_list_var_lib($1)
-	admin_pattern($1, kadmind_var_lib_t)
-
 	files_list_pids($1)
 	admin_pattern($1, kadmind_var_run_t)
 

policy/modules/services/sasl.fc

@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/sasl	--	gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
 
 #
 # /usr

policy/modules/services/sasl.if

@@ -34,14 +34,20 @@ interface(`sasl_connect',`
 interface(`sasl_admin',`
 	gen_require(`
 		type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
+		type saslauthd_initrc_exec_t;
 	')
 
 	allow $1 saslauthd_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, saslauthd_t)
-	        
+
+	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 saslauthd_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	files_list_tmp($1)
-	manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t)
+	admin_pattern($1, saslauthd_tmp_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)
+	admin_pattern($1, saslauthd_var_run_t)
 ')

policy/modules/services/sasl.te

@@ -1,5 +1,5 @@
 
-policy_module(sasl, 1.9.0)
+policy_module(sasl, 1.9.1)
 
 ########################################
 #
@@ -17,6 +17,9 @@ type saslauthd_t;
 type saslauthd_exec_t;
 init_daemon_domain(saslauthd_t, saslauthd_exec_t)
 
+type saslauthd_initrc_exec_t;
+init_script_file(saslauthd_initrc_exec_t)
+
 type saslauthd_tmp_t;
 files_tmp_file(saslauthd_tmp_t)
 
@@ -99,7 +102,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
 ')
 
 optional_policy(`
-	kerberos_read_keytab(saslauthd_t)
+	kerberos_keytab_template(saslauthd, saslauthd_t)
 ')
 
 optional_policy(`

policy/modules/services/snort.fc

@@ -1,6 +1,9 @@
+/etc/rc\.d/init\.d/snortd --	gen_context(system_u:object_r:snort_initrc_exec_t,s0)
+/etc/snort(/.*)?		gen_context(system_u:object_r:snort_etc_t,s0)
 
-/etc/snort(/.*)?	gen_context(system_u:object_r:snort_etc_t,s0)
+/usr/s?bin/snort	--	gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort-plain	--	gen_context(system_u:object_r:snort_exec_t,s0)
 
-/usr/s?bin/snort --	gen_context(system_u:object_r:snort_exec_t,s0)
+/var/log/snort(/.*)?		gen_context(system_u:object_r:snort_log_t,s0)
 
-/var/log/snort(/.*)?	gen_context(system_u:object_r:snort_log_t,s0)
+/var/run/snort.*	--	gen_context(system_u:object_r:snort_var_run_t,s0)

policy/modules/services/snort.if

@@ -1 +1,60 @@
 ## <summary>Snort network intrusion detection system</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run snort.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`snort_domtrans',`
+	gen_require(`
+		type snort_t, snort_exec_t;
+	')
+
+	domtrans_pattern($1, snort_exec_t, snort_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an snort environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the snort domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`snort_admin',`
+	gen_require(`
+		type snort_t, snort_var_run_t, snort_log_t;
+		type snort_initrc_exec_t;
+	')
+
+	allow $1 snort_t:process { ptrace signal_perms };
+	ps_process_pattern($1, snort_t)
+
+	init_labeled_script_domtrans($1, snort_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 snort_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, snort_etc_t)
+	files_search_etc($1)
+
+	admin_pattern($1, snort_log_t)
+	logging_search_logs($1)
+
+	admin_pattern($1, snort_var_run_t)
+	files_search_pids($1)
+')

policy/modules/services/snort.te

@@ -1,5 +1,5 @@
 
-policy_module(snort, 1.5.0)
+policy_module(snort, 1.5.1)
 
 ########################################
 #
@@ -11,7 +11,10 @@ type snort_exec_t;
 init_daemon_domain(snort_t, snort_exec_t)
 
 type snort_etc_t;
-files_type(snort_etc_t)
+files_config_file(snort_etc_t)
+
+type snort_initrc_exec_t;
+init_script_file(snort_initrc_exec_t)
 
 type snort_log_t;
 logging_log_file(snort_log_t)
@@ -34,6 +37,8 @@ allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read wr
 allow snort_t self:tcp_socket create_stream_socket_perms;
 allow snort_t self:udp_socket create_socket_perms;
 allow snort_t self:packet_socket create_socket_perms;
+# Snort IPS node. unverified.
+allow snort_t self:netlink_firewall_socket { bind create getattr };
 
 allow snort_t snort_etc_t:dir list_dir_perms;
 allow snort_t snort_etc_t:file read_file_perms;
@@ -67,6 +72,8 @@ corenet_tcp_sendrecv_all_ports(snort_t)
 corenet_udp_sendrecv_all_ports(snort_t)
 
 dev_read_sysfs(snort_t)
+dev_read_rand(snort_t)
+dev_read_urand(snort_t)
 
 domain_use_interactive_fds(snort_t)
 
@@ -76,6 +83,8 @@ files_dontaudit_read_etc_runtime_files(snort_t)
 fs_getattr_all_fs(snort_t)
 fs_search_auto_mountpoints(snort_t)
 
+init_read_utmp(snort_t)
+
 libs_use_ld_so(snort_t)
 libs_use_shared_libs(snort_t)
 

policy/modules/system/logging.if

@@ -847,6 +847,7 @@ interface(`logging_admin_audit',`
 	gen_require(`
 		type auditd_t, auditd_etc_t, auditd_log_t;
 		type auditd_var_run_t;
+		type auditd_initrc_exec_t;
 	')
 
 	allow $1 auditd_t:process { ptrace signal_perms };
@@ -862,6 +863,11 @@ interface(`logging_admin_audit',`
 	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
 
 	logging_run_auditctl($1, $2, $3)
+
+	init_labeled_script_domtrans($1, auditd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 auditd_initrc_exec_t system_r;
+	allow $2 system_r;
 ')
 
 ########################################
@@ -874,6 +880,11 @@ interface(`logging_admin_audit',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	User role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`logging_admin_syslog',`
@@ -882,6 +893,7 @@ interface(`logging_admin_syslog',`
 		type syslogd_tmp_t, syslogd_var_lib_t;
 		type syslogd_var_run_t, klogd_var_run_t;
 		type klogd_tmp_t, var_log_t;
+		type syslogd_initrc_exec_t;
 	')
 
 	allow $1 syslogd_t:process { ptrace signal_perms };
@@ -909,6 +921,11 @@ interface(`logging_admin_syslog',`
 	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 
 	logging_manage_all_logs($1)
+
+	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 syslogd_initrc_exec_t system_r;
+	allow $2 system_r;
 ')
 
 ########################################
@@ -935,5 +952,5 @@ interface(`logging_admin_syslog',`
 #
 interface(`logging_admin',`
 	logging_admin_audit($1, $2, $3)
-	logging_admin_syslog($1)
+	logging_admin_syslog($1, $2)
 ')

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging, 1.11.4)
+policy_module(logging, 1.11.5)
 
 ########################################
 #
@@ -130,6 +130,7 @@ allow auditd_t self:process { signal_perms setpgid setsched };
 allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:fifo_file rw_file_perms;
+allow auditd_t self:tcp_socket create_stream_socket_perms;
 
 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
@@ -151,9 +152,19 @@ dev_read_sysfs(auditd_t)
 
 fs_getattr_all_fs(auditd_t)
 fs_search_auto_mountpoints(auditd_t)
+fs_rw_anon_inodefs_files(auditd_t)
 
 selinux_search_fs(auditctl_t)
 
+corenet_all_recvfrom_unlabeled(auditd_t)
+corenet_all_recvfrom_netlabel(auditd_t)
+corenet_tcp_sendrecv_generic_if(auditd_t)
+corenet_tcp_sendrecv_all_nodes(auditd_t)
+corenet_tcp_sendrecv_all_ports(auditd_t)
+corenet_tcp_bind_all_nodes(auditd_t)
+corenet_tcp_bind_audit_port(auditd_t)
+corenet_sendrecv_audit_server_packets(auditd_t)
+
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
 corecmd_exec_bin(auditd_t)
@@ -236,6 +247,8 @@ logging_send_syslog_msg(audisp_t)
 
 miscfiles_read_localization(audisp_t)
 
+sysnet_dns_name_resolve(audisp_t)
+
 ########################################
 #
 # Audit remote logger local policy
@@ -247,6 +260,8 @@ corenet_all_recvfrom_unlabeled(audisp_remote_t)
 corenet_all_recvfrom_netlabel(audisp_remote_t)
 corenet_tcp_sendrecv_all_if(audisp_remote_t)
 corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
+corenet_tcp_connect_audit_port(audisp_remote_t)
+corenet_sendrecv_audit_client_packets(audisp_remote_t)
 
 files_read_etc_files(audisp_remote_t)