trunk: 8 patches from dan.

policy/modules/admin/alsa.te

@@ -1,5 +1,5 @@
 
-policy_module(alsa, 1.5.0)
+policy_module(alsa, 1.5.1)
 
 ########################################
 #
@@ -48,9 +48,12 @@ corecmd_exec_bin(alsa_t)
 
 files_search_home(alsa_t)
 files_read_etc_files(alsa_t)
+files_read_usr_files(alsa_t)
 
 auth_use_nsswitch(alsa_t)
 
+init_use_fds(alsa_t)
+
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
 

policy/modules/admin/amanda.te

@@ -1,5 +1,5 @@
 
-policy_module(amanda, 1.9.2)
+policy_module(amanda, 1.9.3)
 
 #######################################
 #
@@ -129,6 +129,8 @@ corenet_udp_sendrecv_all_ports(amanda_t)
 corenet_tcp_bind_all_nodes(amanda_t)
 corenet_udp_bind_all_nodes(amanda_t)
 corenet_tcp_bind_all_rpc_ports(amanda_t)
+corenet_tcp_bind_generic_port(amanda_t)
+corenet_dontaudit_tcp_bind_all_ports(amanda_t)
 
 dev_getattr_all_blk_files(amanda_t)
 dev_getattr_all_chr_files(amanda_t)

policy/modules/admin/mrtg.te

@@ -1,5 +1,5 @@
 
-policy_module(mrtg, 1.4.0)
+policy_module(mrtg, 1.4.1)
 
 ########################################
 #
@@ -78,6 +78,7 @@ dev_read_sysfs(mrtg_t)
 dev_read_urand(mrtg_t)
 
 domain_use_interactive_fds(mrtg_t)
+domain_dontaudit_search_all_domains_state(mrtg_t)
 
 files_read_usr_files(mrtg_t)
 files_search_var(mrtg_t)
@@ -92,6 +93,7 @@ files_read_etc_files(mrtg_t)
 
 fs_search_auto_mountpoints(mrtg_t)
 fs_getattr_xattr_fs(mrtg_t)
+fs_list_inotifyfs(mrtg_t)
 
 term_dontaudit_use_console(mrtg_t)
 
@@ -101,6 +103,8 @@ init_use_script_ptys(mrtg_t)
 init_read_utmp(mrtg_t)
 init_dontaudit_write_utmp(mrtg_t)
 
+auth_use_nsswitch(mrtg_t)
+
 libs_read_lib_files(mrtg_t)
 libs_use_ld_so(mrtg_t)
 libs_use_shared_libs(mrtg_t)
@@ -111,12 +115,10 @@ miscfiles_read_localization(mrtg_t)
 
 selinux_dontaudit_getattr_dir(mrtg_t)
 
-# Use the network.
-sysnet_read_config(mrtg_t)
-
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
 
 sysadm_use_terms(mrtg_t)
+sysadm_dontaudit_read_home_content_files(mrtg_t)
 
 ifdef(`enable_mls',`
 	corenet_udp_sendrecv_lo_if(mrtg_t)
@@ -139,14 +141,6 @@ optional_policy(`
 	hostname_exec(mrtg_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(mrtg_t)
-')
-
-optional_policy(`
-	nscd_dontaudit_search_pid(mrtg_t)
-')
-
 optional_policy(`
 	seutil_sigchld_newrole(mrtg_t)
 ')
@@ -162,10 +156,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(mrtg_t)
 ')
-
-ifdef(`TODO',`
-	# should not need this!
-	dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
-	dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
-	dontaudit mrtg_t root_t:lnk_file getattr;
-')

policy/modules/admin/netutils.te

@@ -1,5 +1,5 @@
 
-policy_module(netutils, 1.6.1)
+policy_module(netutils, 1.6.2)
 
 ########################################
 #
@@ -50,6 +50,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 
 kernel_search_proc(netutils_t)
+kernel_read_sysctl(netutils_t)
 
 corenet_all_recvfrom_unlabeled(netutils_t)
 corenet_all_recvfrom_netlabel(netutils_t)
@@ -78,6 +79,8 @@ files_dontaudit_search_var(netutils_t)
 init_use_fds(netutils_t)
 init_use_script_ptys(netutils_t)
 
+auth_use_nsswitch(netutils_t)
+
 libs_use_ld_so(netutils_t)
 libs_use_shared_libs(netutils_t)
 
@@ -85,14 +88,16 @@ logging_send_syslog_msg(netutils_t)
 
 miscfiles_read_localization(netutils_t)
 
-sysnet_read_config(netutils_t)
-
 userdom_use_all_users_fds(netutils_t)
 
 optional_policy(`
 	nis_use_ypbind(netutils_t)
 ')
 
+optional_policy(`
+	vmware_append_log(netutils_t)
+')
+
 optional_policy(`
 	xen_append_log(netutils_t)
 ')
@@ -107,12 +112,14 @@ dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:netlink_route_socket create_netlink_socket_perms;
 
 corenet_all_recvfrom_unlabeled(ping_t)
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_tcp_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_nodes(ping_t)
+corenet_raw_bind_all_nodes(ping_t)
 corenet_tcp_sendrecv_all_nodes(ping_t)
 corenet_tcp_sendrecv_all_ports(ping_t)
 
@@ -123,6 +130,8 @@ domain_use_interactive_fds(ping_t)
 files_read_etc_files(ping_t)
 files_dontaudit_search_var(ping_t)
 
+auth_use_nsswitch(ping_t)
+
 libs_use_ld_so(ping_t)
 libs_use_shared_libs(ping_t)
 
@@ -130,9 +139,6 @@ logging_send_syslog_msg(ping_t)
 
 miscfiles_read_localization(ping_t)
 
-sysnet_read_config(ping_t)
-sysnet_dns_name_resolve(ping_t)
-
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
 ')
@@ -142,14 +148,6 @@ tunable_policy(`user_ping',`
 	term_use_all_user_ptys(ping_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(ping_t)
-')
-
-optional_policy(`
-	nscd_socket_use(ping_t)
-')
-
 optional_policy(`
 	pcmcia_use_cardmgr_fds(ping_t)
 ')
@@ -166,7 +164,6 @@ optional_policy(`
 allow traceroute_t self:capability { net_admin net_raw setuid setgid };
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket create_socket_perms;
-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 allow traceroute_t self:udp_socket create_socket_perms;
 
 kernel_read_system_state(traceroute_t)
@@ -200,6 +197,8 @@ files_dontaudit_search_var(traceroute_t)
 
 init_use_fds(traceroute_t)
 
+auth_use_nsswitch(traceroute_t)
+
 libs_use_ld_so(traceroute_t)
 libs_use_shared_libs(traceroute_t)
 
@@ -212,17 +211,7 @@ dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
 files_read_usr_files(traceroute_t)
 
-sysnet_read_config(traceroute_t)
-
 tunable_policy(`user_ping',`
 	term_use_all_user_ttys(traceroute_t)
 	term_use_all_user_ptys(traceroute_t)
 ')
-
-optional_policy(`
-	nis_use_ypbind(traceroute_t)
-')
-
-optional_policy(`
-	nscd_socket_use(traceroute_t)
-')

policy/modules/admin/vpn.fc

@@ -6,6 +6,8 @@
 #
 # /usr
 #
+/usr/bin/openconnect	--	gen_context(system_u:object_r:vpnc_exec_t,s0)
+
 /usr/sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
 
 /var/run/vpnc(/.*)?		gen_context(system_u:object_r:vpnc_var_run_t,s0)

policy/modules/admin/vpn.te

@@ -1,5 +1,5 @@
 
-policy_module(vpn, 1.8.1)
+policy_module(vpn, 1.8.2)
 
 ########################################
 #
@@ -23,7 +23,7 @@ files_pid_file(vpnc_var_run_t)
 #
 
 allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
-allow vpnc_t self:process getsched;
+allow vpnc_t self:process { getsched signal };
 allow vpnc_t self:fifo_file rw_fifo_file_perms;
 allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
 allow vpnc_t self:tcp_socket create_stream_socket_perms;
@@ -44,7 +44,7 @@ files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir})
 
 kernel_read_system_state(vpnc_t)
 kernel_read_network_state(vpnc_t)
-kernel_read_kernel_sysctls(vpnc_t)
+kernel_read_all_sysctls(vpnc_t)
 kernel_rw_net_sysctls(vpnc_t)
 
 corenet_all_recvfrom_unlabeled(vpnc_t)

policy/modules/services/cvs.fc

@@ -5,3 +5,6 @@
 
 /var/cvs(/.*)?		gen_context(system_u:object_r:cvs_data_t,s0)
 
+#CVSWeb file context
+/usr/share/cvsweb/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)

policy/modules/services/cvs.if

@@ -69,4 +69,12 @@ interface(`cvs_admin',`
 	domain_system_change_exemption($1)
 	role_transition $2 cvs_initrc_exec_t system_r;
 	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, cvs_tmp_t)
+
+	admin_pattern($1, cvs_data_t)
+
+	files_list_pids($1)
+	admin_pattern($1, cvs_var_run_t)
 ')

policy/modules/services/cvs.te

@@ -1,5 +1,5 @@
 
-policy_module(cvs, 1.6.1)
+policy_module(cvs, 1.6.2)
 
 ########################################
 #
@@ -99,7 +99,20 @@ tunable_policy(`allow_cvs_read_shadow',`
 ')
 
 optional_policy(`
-	kerberos_read_keytab(cvs_t)
+	kerberos_keytab_template(cvs, cvs_t)
 	kerberos_read_config(cvs_t)
 	kerberos_dontaudit_write_config(cvs_t)
 ')
+
+########################################
+#
+# CVSWeb policy
+#
+
+optional_policy(`
+	apache_content_template(cvs)
+
+	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+')

policy/modules/services/cyrus.fc

@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/cyrus		--	gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
 
 /usr/lib(64)?/cyrus-imapd/cyrus-master	--	gen_context(system_u:object_r:cyrus_exec_t,s0)
 

policy/modules/services/cyrus.if

@@ -39,3 +39,46 @@ interface(`cyrus_stream_connect',`
 	files_search_var_lib($1)
 	stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an cyrus environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the cyrus domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cyrus_admin',`
+	gen_require(`
+		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+		type cyrus_var_run_t, cyrus_initrc_exec_t;
+	')
+
+	allow $1 cyrus_t:process { ptrace signal_perms };
+	ps_process_pattern($1, cyrus_t)
+
+	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 cyrus_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, cyrus_tmp_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, cyrus_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, cyrus_var_run_t)
+')
+
+

policy/modules/services/cyrus.te

@@ -1,5 +1,5 @@
 
-policy_module(cyrus, 1.6.0)
+policy_module(cyrus, 1.6.1)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type cyrus_t;
 type cyrus_exec_t;
 init_daemon_domain(cyrus_t, cyrus_exec_t)
 
+type cyrus_initrc_exec_t;
+init_script_file(cyrus_initrc_exec_t)
+
 type cyrus_tmp_t;
 files_tmp_file(cyrus_tmp_t)
 
@@ -120,7 +123,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_use(cyrus_t)
+	kerberos_keytab_template(cyrus, cyrus_t)
 ')
 
 optional_policy(`

policy/modules/services/kerneloops.fc

@@ -1 +1,3 @@
+/etc/rc\.d/init\.d/kerneloops	--	gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+
 /usr/sbin/kerneloops	--	gen_context(system_u:object_r:kerneloops_exec_t,s0)

policy/modules/services/kerneloops.if

@@ -71,13 +71,23 @@ interface(`kerneloops_dontaudit_dbus_chat',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the kerneloops domain.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`kerneloops_admin',`
 	gen_require(`
-		type kerneloops_t;
+		type kerneloops_t, kerneloops_initrc_exec_t;
 	')
 
 	allow $1 kerneloops_t:process { ptrace signal_perms };
 	ps_process_pattern($1, kerneloops_t)
+
+	init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 kerneloops_initrc_exec_t system_r;
+	allow $2 system_r;
 ')

policy/modules/services/kerneloops.te

@@ -1,5 +1,5 @@
 
-policy_module(kerneloops, 1.0.0)
+policy_module(kerneloops, 1.0.1)
 
 ########################################
 #
@@ -10,14 +10,18 @@ type kerneloops_t;
 type kerneloops_exec_t;
 init_daemon_domain(kerneloops_t, kerneloops_exec_t)
 
+type kerneloops_initrc_exec_t;
+init_script_file(kerneloops_initrc_exec_t)
+
 ########################################
 #
 # kerneloops local policy
 #
 
 allow kerneloops_t self:capability sys_nice;
-allow kerneloops_t self:process { setsched getsched };
+allow kerneloops_t self:process { setsched getsched signal };
 allow kerneloops_t self:fifo_file rw_file_perms;
+allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
 
 kernel_read_ring_buffer(kerneloops_t)