fix several modular build problems

refpolicy/policy/modules/admin/logrotate.te

@@ -1,5 +1,5 @@
 
-policy_module(logrotate,1.0)
+policy_module(logrotate,1.0.1)
 
 ########################################
 #
@@ -148,6 +148,10 @@ optional_policy(`consoletype',`
 
 ')
 
+optional_policy(`cups',`
+	cups_domtrans(logrotate_t)
+')
+
 optional_policy(`hostname',`
 	hostname_exec(logrotate_t)
 ')

refpolicy/policy/modules/admin/rpm.if

@@ -151,6 +151,7 @@ interface(`rpm_read_db',`
 		type rpm_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	allow $1 rpm_var_lib_t:dir r_dir_perms;
 	allow $1 rpm_var_lib_t:file { getattr read };
 	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
@@ -169,8 +170,8 @@ interface(`rpm_manage_db',`
 		type rpm_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	allow $1 rpm_var_lib_t:dir rw_dir_perms;
 	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
 	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')
-

refpolicy/policy/modules/admin/updfstab.if

@@ -22,3 +22,22 @@ interface(`updfstab_domtrans',`
 	allow updfstab_t $1:fifo_file rw_file_perms;
 	allow updfstab_t $1:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	updfstab over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`updfstab_dbus_chat',`
+	gen_require(`
+		type updfstab_t;
+		class dbus send_msg;
+	')
+
+	allow $1 updfstab_t:dbus send_msg;
+	allow updfstab_t $1:dbus send_msg;
+')

refpolicy/policy/modules/admin/updfstab.te

@@ -1,5 +1,5 @@
 
-policy_module(updfstab,1.0.1)
+policy_module(updfstab,1.0.2)
 
 ########################################
 #
@@ -100,6 +100,7 @@ optional_policy(`dbus',`
 
 optional_policy(`hal',`
 	hal_stream_connect(updfstab_t)
+	hal_dbus_chat(updfstab_t)
 ')
 
 optional_policy(`modutils',`
@@ -123,8 +124,3 @@ optional_policy(`udev',`
 ifdef(`TODO',`
 allow updfstab_t tmpfs_t:dir getattr;
 ')
-
-optional_policy(`dbus',`
-	allow initrc_t updfstab_t:dbus send_msg;
-	allow updfstab_t initrc_t:dbus send_msg;
-')

refpolicy/policy/modules/kernel/devices.if

@@ -824,6 +824,44 @@ interface(`dev_dontaudit_rw_cardmgr',`
 	dontaudit $1 cardmgr_dev_t:chr_file { read write };
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	the PCMCIA card manager device.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_manage_cardmgr',`
+	gen_require(`
+		type device_t, cardmgr_dev_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	the PCMCIA card manager device
+##	with the correct type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_create_cardmgr',`
+	gen_require(`
+		type device_t, cardmgr_dev_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
+	type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the CPU

refpolicy/policy/modules/kernel/filesystem.if

@@ -1679,6 +1679,22 @@ interface(`fs_write_ramfs_pipe',`
 	allow $1 ramfs_t:fifo_file write;
 ')
 
+########################################
+## <summary>
+##	Read and write a named pipe on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_rw_ramfs_pipe',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:fifo_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Write to named socket on a ramfs filesystem.
@@ -2049,6 +2065,23 @@ interface(`fs_create_tmpfs_data',`
 	')
 ')
 
+########################################
+## <summary>
+##	Read and write generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fs_rw_tmpfs_file',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 tmpfs_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write character nodes on tmpfs filesystems.

refpolicy/policy/modules/kernel/kernel.te

@@ -21,6 +21,15 @@ attribute proc_type;
 # sysctls
 attribute sysctl_type;
 
+role system_r;
+role sysadm_r;
+role staff_r;
+role user_r;
+
+ifdef(`enable_mls',`
+	role secadm_r;
+')
+
 #
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.

refpolicy/policy/modules/services/apache.if

@@ -703,3 +703,19 @@ interface(`apache_append_squirrelmail_data',`
 
 	allow $1 httpd_squirrelmail_t:file { getattr append };
 ')
+
+########################################
+## <summary>
+##	Search system script state directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`apache_search_sys_script_state',`
+	gen_require(`
+		type httpd_sys_script_t;
+	')
+
+	allow $1 httpd_sys_script_t:dir search;
+')

refpolicy/policy/modules/services/apm.if

@@ -97,7 +97,7 @@ interface(`apm_append_log',`
 #
 interface(`apm_stream_connect',`
 	gen_require(`
-		type apmd_t;
+		type apmd_t, apmd_var_run_t;
 	')
 
 	files_search_pids($1)

refpolicy/policy/modules/services/avahi.if

@@ -1 +1,20 @@
 ## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	avahi over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`avahi_dbus_chat',`
+	gen_require(`
+		type avahi_t;
+		class dbus send_msg;
+	')
+
+	allow $1 avahi_t:dbus send_msg;
+	allow avahi_t $1:dbus send_msg;
+')

refpolicy/policy/modules/services/avahi.te

@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.0.1)
+policy_module(avahi,1.0.2)
 
 ########################################
 #
@@ -90,10 +90,6 @@ optional_policy(`dbus',`
 	dbus_system_bus_client_template(avahi,avahi_t)
 	dbus_connect_system_bus(avahi_t)
 	dbus_send_system_bus_msg(avahi_t)
-
-	# FIXME:
-	allow avahi_t unconfined_t:dbus send_msg;
-	allow unconfined_t avahi_t:dbus send_msg;
 ')
 
 optional_policy(`nis',`
@@ -107,4 +103,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(avahi_t)
 ')
-

refpolicy/policy/modules/services/bind.te

@@ -289,9 +289,9 @@ optional_policy(`networkmanager',`
 	')
 
 #	optional_policy(`dbus',`
-#		gen_require(`
-#			class dbus send_msg;
-#		')
+		gen_require(`
+			class dbus send_msg;
+		')
 
 		allow NetworkManager_t named_t:dbus send_msg;
 		allow named_t NetworkManager_t:dbus send_msg;

refpolicy/policy/modules/services/cups.if

@@ -1,5 +1,26 @@
 ## <summary>Common UNIX printing system</summary>
 
+########################################
+## <summary>
+##	Execute cups in the cups domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`cups_domtrans',`
+	gen_require(`
+		type cupsd_t, cupsd_exec_t;
+	')
+
+	domain_auto_trans($1,cupsd_exec_t,cupsd_t)
+
+	allow $1 cupsd_t:fd use;
+	allow cupsd_t $1:fd use;
+	allow cupsd_t $1:fifo_file rw_file_perms;
+	allow cupsd_t $1:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	Execute cups_config in the cups_config domain.
@@ -21,6 +42,42 @@ interface(`cups_domtrans_config',`
 	allow cupsd_config_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Send generic signals to the cups
+##	configuration daemon.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_signal_config',`
+	gen_require(`
+		type cupsd_config_t;
+	')
+
+	allow $1 cupsd_config_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	cupsd_config over dbus.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_dbus_chat_config',`
+	gen_require(`
+		type cupsd_config_t;
+		class dbus send_msg;
+	')
+
+	allow $1 cupsd_config_t:dbus send_msg;
+	allow cupsd_config_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Read cups-writable configuration files.
@@ -38,3 +95,39 @@ interface(`cups_read_rw_config',`
 	allow $1 cupsd_etc_t:dir search_dir_perms;
 	allow $1 cupsd_rw_etc_t:file { getattr read };
 ')
+
+########################################
+## <summary>
+##	Read cups log files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_read_log',`
+	gen_require(`
+		type cupsd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 cupsd_log_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Connect to ptal over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_stream_connect_ptal',`
+	gen_require(`
+		type ptal_t, ptal_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ptal_var_run_t:dir search;
+	allow $1 ptal_var_run_t:sock_file write;
+	allow $1 ptal_t:unix_stream_socket connectto;
+')

refpolicy/policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.0)
+policy_module(cups,1.0.1)
 
 ########################################
 #
@@ -149,6 +149,7 @@ fs_search_auto_mountpoints(cupsd_t)
 term_dontaudit_use_console(cupsd_t)
 
 auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
 
 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
 corecmd_exec_shell(cupsd_t)
@@ -187,7 +188,7 @@ seutil_dontaudit_read_config(cupsd_t)
 sysnet_read_config(cupsd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(cupsd_t)
-userdom_dontaudit_search_sysadm_home_dir(cupsd_t)
+userdom_dontaudit_search_all_users_home(cupsd_t)
 
 # Write to /var/spool/cups.
 lpd_manage_spool(cupsd_t)
@@ -198,17 +199,30 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(cupsd_t)
 ')
 
+optional_policy(`cron',`
+	cron_use_fd(cupsd_t)
+	cron_read_pipe(cupsd_t)
+')
+
 optional_policy(`dbus',`
 	dbus_system_bus_client_template(cupsd,cupsd_t)
 	dbus_send_system_bus_msg(cupsd_t)
 
-	allow cupsd_t userdomain:dbus send_msg;
+	userdom_dbus_send_all_users(cupsd_t)
+
+	optional_policy(`hal',`
+		hal_dbus_chat(cupsd_t)
+	')
 ')
 
 optional_policy(`hostname',`
 	hostname_exec(cupsd_t)
 ')
 
+optional_policy(`inetd',`
+	inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
+')
+
 optional_policy(`mount',`
 	mount_send_nfs_client_request(cupsd_t)
 ')
@@ -217,6 +231,15 @@ optional_policy(`nscd',`
 	nscd_use_socket(cupsd_t)
 ')
 
+optional_policy(`portmap',`
+	portmap_udp_sendrecv(cupsd_t)
+')
+
+optional_policy(`samba',`
+	samba_rw_var_files(cupsd_t)
+	# cjp: rw_dir_perms was here, but doesnt make sense
+')
+
 optional_policy(`selinuxutil',`
 	seutil_sigchld_newrole(cupsd_t)
 ')
@@ -241,56 +264,18 @@ allow cupsd_t devpts_t:dir search;
 dontaudit cupsd_t random_device_t:chr_file ioctl;
 
 # temporary solution, we need something better
-allow cupsd_t serial_device:chr_file rw_file_perms;
-
-optional_policy(`logrotate',`
-	domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
-')
-
-optional_policy(`inetd',`
-domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
-')
+#allow cupsd_t serial_device:chr_file rw_file_perms;
 
 # for /etc/printcap
 dontaudit cupsd_t etc_t:file write;
 
-
-
-
-
-# Send to portmap.
-optional_policy(`portmap', `
-allow cupsd_t portmap_t:udp_socket sendto;
-allow portmap_t cupsd_t:udp_socket recvfrom;
-allow portmap_t cupsd_t:udp_socket sendto;
-allow cupsd_t portmap_t:udp_socket recvfrom;
-')
-
-
-
-
-
 #
 # Satisfy readahead
 #
-allow initrc_t cupsd_log_t:file { getattr read };
 allow cupsd_t var_t:dir { getattr read search };
 allow cupsd_t var_t:file r_file_perms;
 allow cupsd_t var_t:lnk_file { getattr read };
 
-optional_policy(`samba',`
-# cjp: rw_dir_perms here doesnt make sense
-allow cupsd_t samba_var_t:dir rw_dir_perms;
-allow cupsd_t samba_var_t:file rw_file_perms;
-allow cupsd_t samba_var_t:lnk_file { getattr read };
-allow smbd_t cupsd_etc_t:dir search;
-')
-
-optional_policy(`authlogin',`
-dontaudit cupsd_t pam_var_run_t:file { getattr read };
-')
-dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
 ########################################
 #
 # PTAL local policy
@@ -358,7 +343,7 @@ miscfiles_read_localization(ptal_t)
 sysnet_read_config(ptal_t)
 
 userdom_dontaudit_use_unpriv_user_fd(ptal_t)
-userdom_dontaudit_search_sysadm_home_dir(ptal_t)
+userdom_dontaudit_search_all_users_home(ptal_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(ptal_t)
@@ -374,14 +359,8 @@ optional_policy(`udev',`
 	udev_read_db(ptal_t)
 ')
 
-allow userdomain ptal_t:unix_stream_socket connectto;
-allow userdomain ptal_var_run_t:sock_file write;
-allow userdomain ptal_var_run_t:dir search;
-
 allow initrc_t printer_device_t:chr_file getattr;
 
-dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
 allow initrc_t ptal_var_run_t:dir rmdir;
 allow initrc_t ptal_var_run_t:fifo_file unlink;
 
@@ -555,6 +534,8 @@ corecmd_exec_sbin(cupsd_config_t)
 corecmd_exec_shell(cupsd_config_t)
 
 domain_use_wide_inherit_fd(cupsd_config_t)
+# killall causes the following
+domain_dontaudit_search_all_domains_state(cupsd_config_t)
 
 files_read_usr_files(cupsd_config_t)
 files_read_etc_files(cupsd_config_t)
@@ -577,12 +558,35 @@ sysnet_read_config(cupsd_config_t)
 userdom_dontaudit_use_unpriv_user_fd(cupsd_config_t)
 userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t)
 
+ifdef(`distro_redhat',`
+	init_getattr_script_entry_file(cupsd_config_t)
+
+	optional_policy(`rpm',`
+		rpm_read_db(cupsd_config_t)
+	')
+')
+
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(cupsd_config_t)
 	term_dontaudit_use_generic_pty(cupsd_config_t)
 	files_dontaudit_read_root_file(cupsd_config_t)
 ')
 
+optional_policy(`cron',`
+	cron_use_system_job_fd(cupsd_config_t)
+	cron_read_pipe(cupsd_config_t)
+')
+
+optional_policy(`dbus',`
+	dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
+	dbus_connect_system_bus(cupsd_config_t)
+	dbus_send_system_bus_msg(cupsd_config_t)
+
+	optional_policy(`hal',`
+		hal_dbus_chat(cupsd_config_t)
+	')
+')
+
 optional_policy(`hal',`
 	hal_domtrans(cupsd_config_t)
 ')
@@ -603,6 +607,10 @@ optional_policy(`nscd',`
 	nscd_use_socket(cupsd_config_t)
 ')
 
+optional_policy(`rpm',`
+	rpm_read_db(cupsd_config_t)
+')
+
 optional_policy(`selinuxutil',`
 	seutil_sigchld_newrole(cupsd_config_t)
 ')
@@ -611,49 +619,10 @@ optional_policy(`udev',`
 	udev_read_db(cupsd_config_t)
 ')
 
-allow cupsd_config_t devpts_t:dir search;
-allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
-
-ifdef(`distro_redhat', `
-	optional_policy(`rpm',`
-		allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
-		allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-	')
-	allow cupsd_config_t initrc_exec_t:file getattr;
-')
-
 allow cupsd_config_t var_t:lnk_file read;
 
-optional_policy(`dbus',`
-	dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
-	dbus_connect_system_bus(cupsd_config_t)
-	dbus_send_system_bus_msg(cupsd_config_t)
-
-	allow cupsd_config_t userdomain:dbus send_msg;
-	allow userdomain cupsd_config_t:dbus send_msg;
-')
-
-optional_policy(`hal', `
-	optional_policy(`dbus',`
-		allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
-		allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
-	')
-
-	allow hald_t cupsd_config_t:process signal;
-')
-
-# killall causes the following
-dontaudit cupsd_config_t domain:dir { getattr search };
-
-allow cupsd_config_t var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
 allow cupsd_config_t printconf_t:file { getattr read };
 
-allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file r_file_perms;
-allow cupsd_t crond_t:fifo_file read;
-allow cupsd_t crond_t:fd use;
-
 # Alternatives asks for this
 allow cupsd_config_t initrc_exec_t:file getattr;
 
@@ -664,6 +633,7 @@ ifdef(`targeted_policy', `
 	allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
 	allow unconfined_t cupsd_config_t:dbus send_msg;
 	allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
+	term_use_generic_pty(cupsd_config_t)
 ')
 
 ########################################

refpolicy/policy/modules/services/finger.te

@@ -100,6 +100,9 @@ miscfiles_read_localization(fingerd_t)
 userdom_read_unpriv_user_home_files(fingerd_t)
 userdom_dontaudit_use_unpriv_user_fd(fingerd_t)
 userdom_dontaudit_search_sysadm_home_dir(fingerd_t)
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+userdom_dontaudit_search_user_home_dirs(fingerd_t)
 
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(fingerd_t)
@@ -130,7 +133,3 @@ optional_policy(`selinuxutil',`
 optional_policy(`udev',`
 	udev_read_db(fingerd_t)
 ')
-
-# stop it accessing sub-directories, prevents checking a Maildir for new mail,
-# have to change this when we create a type for Maildir
-dontaudit fingerd_t user_home_t:dir search;

refpolicy/policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.0.1)
+policy_module(hal,1.0.2)
 
 ########################################
 #
@@ -134,6 +134,7 @@ optional_policy(`apm',`
 
 optional_policy(`cups',`
 	cups_domtrans_config(hald_t)
+	cups_signal_config(hald_t)
 ')
 
 optional_policy(`dbus',`
@@ -187,21 +188,4 @@ optional_policy(`updfstab',`
 
 ifdef(`TODO',`
 allow hald_t device_t:dir create_dir_perms;
-
-optional_policy(`hald',`
-allow udev_t hald_t:unix_dgram_socket sendto;
-')
 ') dnl end TODO
-
-ifdef(`targeted_policy', `
-allow unconfined_t hald_t:dbus send_msg;
-allow hald_t unconfined_t:dbus send_msg;
-')
-
-optional_policy(`updfstab',`
-	allow updfstab_t hald_t:dbus send_msg;
-	allow hald_t updfstab_t:dbus send_msg;
-')
-
-allow hald_t initrc_t:dbus send_msg;
-allow initrc_t hald_t:dbus send_msg;

refpolicy/policy/modules/services/mailman.te

@@ -51,9 +51,7 @@ optional_policy(`apache',`
 	apache_sigchld(mailman_cgi_t)
 	apache_use_fd(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
-
-	# FIXME:
-	allow mailman_cgi_t httpd_sys_script_t:dir search;
+	apache_search_sys_script_state(mailman_cgi_t)
 ')
 
 ########################################

refpolicy/policy/modules/services/mta.if

@@ -36,6 +36,11 @@ interface(`mta_stub',`
 #
 template(`mta_base_mail_template',`
 
+	gen_require(`
+		attribute user_mail_domain;
+		type sendmail_exec_t;
+	')
+
 	##############################
 	#
 	# $1_mail_t declarations
@@ -45,12 +50,8 @@ template(`mta_base_mail_template',`
 	domain_type($1_mail_t)
 	domain_entry_file($1_mail_t,sendmail_exec_t)
 
-	optional_policy(`sendmail',`
-		type $1_mail_tmp_t;
-		files_tmp_file($1_mail_tmp_t)
-
-		sendmail_stub($1_mail_t)
-	')
+	type $1_mail_tmp_t;
+	files_tmp_file($1_mail_tmp_t)
 
 	##############################
 	#
@@ -107,6 +108,10 @@ template(`mta_base_mail_template',`
 	')
 
 	optional_policy(`sendmail',`
+		gen_require(`
+			type etc_mail_t, mail_spool_t, mqueue_spool_t;
+		')
+
 		allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
 		allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
 		files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir })
@@ -166,7 +171,8 @@ template(`mta_base_mail_template',`
 #
 template(`mta_per_userdomain_template',`
 	gen_require(`
-		attribute mailserver_domain, mta_user_agent, user_mail_domain;
+		attribute mailserver_domain, mta_user_agent;
+		attribute mailserver_delivery, user_mail_domain;
 		type sendmail_exec_t;
 	')
 

refpolicy/policy/modules/services/procmail.te

@@ -6,8 +6,7 @@ policy_module(procmail,1.0.0)
 # Declarations
 #
 
-# privhome only works until we define a different type for maildir
-type procmail_t, privhome;
+type procmail_t;
 type procmail_exec_t;
 domain_type(procmail_t)
 domain_entry_file(procmail_t,procmail_exec_t)
@@ -61,6 +60,7 @@ libs_use_shared_libs(procmail_t)
 
 miscfiles_read_localization(procmail_t)
 
+# only works until we define a different type for maildir
 userdom_priveleged_home_dir_manager(procmail_t)
 # Do not audit attempts to access /root.
 userdom_dontaudit_search_sysadm_home_dir(procmail_t)

refpolicy/policy/modules/services/radius.if

@@ -10,7 +10,7 @@
 #
 interface(`radius_use',`
 	gen_require(`
-		type radius_t;
+		type radiusd_t;
 	')
 
 	allow $1 radiusd_t:udp_socket sendto;

refpolicy/policy/modules/services/samba.if

@@ -213,6 +213,25 @@ interface(`samba_search_var',`
 	allow $1 samba_var_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	read and write samba /var files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_rw_var_files',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	files_search_var($1)
+	allow $1 samba_var_t:dir search_dir_perms;
+	allow $1 samba_var_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to write to smbmount tcp sockets.

refpolicy/policy/modules/system/authlogin.if

@@ -559,8 +559,6 @@ interface(`auth_exec_pam',`
 interface(`auth_read_pam_pid',`
 	gen_require(`
 		type pam_var_run_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')
 
 	files_search_var($1)
@@ -569,6 +567,22 @@ interface(`auth_read_pam_pid',`
 	allow $1 pam_var_run_t:file r_file_perms;
 ')
 
+#######################################
+## <summary>
+##	Do not audit attemps to read PAM pid files.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`auth_dontaudit_read_pam_pid',`
+	gen_require(`
+		type pam_var_run_t;
+	')
+
+	dontaudit $1 pam_var_run_t:file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Delete pam PID files.

refpolicy/policy/modules/system/domain.if

@@ -471,6 +471,7 @@ interface(`domain_kill_all_domains',`
 	allow $1 domain:process sigkill;
 	allow $1 self:capability kill;
 ')
+
 ########################################
 ## <summary>
 ##	Search the process state directory (/proc/pid) of all domains.
@@ -489,6 +490,23 @@ interface(`domain_search_all_domains_state',`
 	allow $1 domain:dir search;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search the process
+##	state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`domain_dontaudit_search_all_domains_state',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of all domains.

refpolicy/policy/modules/system/fstools.te

@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.0)
+policy_module(fstools,1.0.1)
 
 ########################################
 #
@@ -72,6 +72,8 @@ dev_getattr_usbfs_dir(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
+fs_rw_ramfs_pipe(fsadm_t)
+fs_rw_tmpfs_file(fsadm_t)
 # remount file system to apply changes
 fs_remount_xattr_fs(fsadm_t)
 # for /dev/shm
@@ -155,10 +157,3 @@ optional_policy(`cron',`
 optional_policy(`nis',`
 	nis_use_ypbind(fsadm_t)
 ')
-
-ifdef(`TODO',`
-ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-') dnl end TODO
-
-allow fsadm_t tmpfs_t:file { read write };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;

refpolicy/policy/modules/system/init.if

@@ -475,6 +475,23 @@ interface(`init_dontaudit_unix_connect_script',`
 	dontaudit $1 initrc_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+##	Get the attribute of init script entrypoint files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`init_getattr_script_entry_file',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	allow $1 initrc_exec_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read init scripts.

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.0.1)
+policy_module(init,1.0.2)
 
 gen_require(`
 	class passwd rootok;
@@ -494,6 +494,10 @@ optional_policy(`cpucontrol',`
 	dev_getattr_cpu(initrc_t)
 ')
 
+optional_policy(`cups',`
+	cups_read_log(initrc_t)
+')
+
 optional_policy(`dbus',`
 	dbus_connect_system_bus(initrc_t)
 	dbus_send_system_bus_msg(initrc_t)
@@ -502,6 +506,10 @@ optional_policy(`dbus',`
 	optional_policy(`networkmanager',`
 		networkmanager_dbus_chat(initrc_t)
 	')
+
+	optional_policy(`updfstab',`
+		updfstab_dbus_chat(initrc_t)
+	')
 ')
 
 optional_policy(`ftp',`

refpolicy/policy/modules/system/modutils.te

@@ -1,6 +1,10 @@
 
 policy_module(modutils,1.0)
 
+gen_require(`
+	bool secure_mode_insmod;
+')
+
 ########################################
 #
 # Declarations

refpolicy/policy/modules/system/pcmcia.te

@@ -55,6 +55,8 @@ kernel_dontaudit_getattr_message_if(cardmgr_t)
 bootloader_search_kernel_modules(cardmgr_t)
 
 dev_read_sysfs(cardmgr_t)
+dev_manage_cardmgr(cardmgr_t)
+dev_create_cardmgr(cardmgr_t)
 dev_getattr_all_chr_files(cardmgr_t)
 dev_getattr_all_blk_files(cardmgr_t)
 # for SSP
@@ -149,6 +151,5 @@ optional_policy(`udev',`
 
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
-allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
-allow cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:dir rw_dir_perms;
-type_transition cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
+allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;
+type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;

refpolicy/policy/modules/system/selinuxutil.te

@@ -13,6 +13,18 @@ gen_require(`
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
 
+#
+# selinux_config_t is the type applied to
+# /etc/selinux/config
+#
+# cjp: this is out of order due to rules
+# in the domain_type interface
+# (fix dup decl)
+type selinux_config_t;
+files_type(selinux_config_t)
+kernel_list_from(selinux_config_t)
+kernel_read_file_from(selinux_config_t)
+
 type checkpolicy_t, can_write_binary_policy;
 domain_type(checkpolicy_t)
 role system_r types checkpolicy_t;
@@ -81,15 +93,6 @@ domain_type(run_init_t)
 type run_init_exec_t;
 domain_entry_file(run_init_t,run_init_exec_t)
 
-#
-# selinux_config_t is the type applied to
-# /etc/selinux/config
-#
-type selinux_config_t;
-files_type(selinux_config_t)
-kernel_list_from(selinux_config_t)
-kernel_read_file_from(selinux_config_t)
-
 type setfiles_t, can_relabelto_binary_policy;
 domain_obj_id_change_exempt(setfiles_t)
 domain_type(setfiles_t)

refpolicy/policy/modules/system/sysnetwork.te

@@ -173,8 +173,12 @@ optional_policy(`dbus',`
 
 	domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
 
-	allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-	allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
+	allow initrc_t dhcpc_t:dbus send_msg;
+	allow dhcpc_t initrc_t:dbus send_msg;
+
+	optional_policy(`networkmanager',`
+		networkmanager_dbus_chat(dhcpc_t)
+	')
 
 	ifdef(`unconfined.te', `
 		allow unconfined_t dhcpc_t:dbus send_msg;

refpolicy/policy/modules/system/udev.te

@@ -1,5 +1,5 @@
 
-policy_module(udev,1.0)
+policy_module(udev,1.0.1)
 
 ########################################
 #
@@ -176,6 +176,10 @@ optional_policy(`dbus',`
 	dbus_system_bus_client_template(udev,udev_t)
 ')
 
+optional_policy(`hal',`
+	hal_dgram_sendto(udev_t)
+')
+
 optional_policy(`hotplug',`
 	hotplug_read_config(udev_t)
 ')
@@ -192,8 +196,8 @@ optional_policy(`sysnetwork',`
 	sysnet_domtrans_dhcpc(udev_t)
 ')
 
-#optional_policy(`xserver',`
-#	xserver_read_xdm_pid(udev_t)
+#optional_policy(`xdm',`
+#	xdm_read_pid(udev_t)
 #')
 
 ifdef(`TODO',`

refpolicy/policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.0.2)
+policy_module(unconfined,1.0.3)
 
 ########################################
 #
@@ -60,6 +60,14 @@ ifdef(`targeted_policy',`
 	optional_policy(`dbus',`
 		dbus_stub(unconfined_t)
 
+		optional_policy(`avahi',`
+			avahi_dbus_chat(unconfined_t)
+		')
+
+		optional_policy(`hal',`
+			hal_dbus_chat(unconfined_t)
+		')
+
 		optional_policy(`networkmanager',`
 			networkmanager_dbus_chat(unconfined_t)
 		')

refpolicy/policy/modules/system/userdomain.if

@@ -322,9 +322,17 @@ template(`base_user_template',`
 		canna_stream_connect($1_t)
 	')
 
+	optional_policy(`cups',`
+		cups_stream_connect_ptal($1_t)
+	')
+
 	optional_policy(`dbus',`
 		dbus_system_bus_client_template($1,$1_t)
 
+		optional_policy(`cups',`
+			cups_dbus_chat_config($1_t)
+		')
+
 		optional_policy(`hal',`
 			hal_dbus_chat($1_t)
 		')
@@ -2569,7 +2577,7 @@ interface(`userdom_signal_all_users',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_sigcld_all_users',`
+interface(`userdom_sigchld_all_users',`
 	gen_require(`
 		attribute userdomain;
 	')
@@ -2577,6 +2585,23 @@ interface(`userdom_sigcld_all_users',`
 	allow $1 userdomain:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Send a dbus message to all user domains.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_dbus_send_all_users',`
+	gen_require(`
+		attribute userdomain;
+		class dbus send_msg;
+	')
+
+	allow $1 userdomain:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to user domains.