From 127d617b31eb8ec94b030b51dc4983ece6326fc0 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 14 Apr 2011 11:36:56 -0400 Subject: [PATCH] Pull in some changes from Fedora policy system layer. --- policy/modules/services/tgtd.if | 34 +++++++--- policy/modules/services/tgtd.te | 2 +- policy/modules/system/fstools.te | 27 ++++++-- policy/modules/system/hotplug.te | 10 +-- policy/modules/system/ipsec.fc | 3 + policy/modules/system/ipsec.if | 96 +++++++++++++++++++++++++++++ policy/modules/system/ipsec.te | 48 +++++++++++---- policy/modules/system/iptables.fc | 6 ++ policy/modules/system/iptables.if | 4 ++ policy/modules/system/iptables.te | 12 +++- policy/modules/system/iscsi.if | 18 ++++++ policy/modules/system/iscsi.te | 10 +-- policy/modules/system/libraries.fc | 10 +-- policy/modules/system/libraries.if | 38 ++++++++++++ policy/modules/system/libraries.te | 2 +- policy/modules/system/locallogin.fc | 1 + policy/modules/system/locallogin.te | 9 +-- policy/modules/system/logging.fc | 19 +++--- policy/modules/system/logging.if | 19 ++++++ policy/modules/system/logging.te | 18 +++++- 20 files changed, 331 insertions(+), 55 deletions(-) diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if index b113b410f..c2ed23a8b 100644 --- a/policy/modules/services/tgtd.if +++ b/policy/modules/services/tgtd.if 
@@ -11,18 +11,36 @@ ##################################### ## -## Allow read and write access to tgtd semaphores. +## Allow read and write access to tgtd semaphores. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`tgtd_rw_semaphores',` - gen_require(` - type tgtd_t; - ') + gen_require(` + type tgtd_t; + ') - allow $1 tgtd_t:sem rw_sem_perms; + allow $1 tgtd_t:sem rw_sem_perms; +') + +###################################### +## +## Manage tgtd sempaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`tgtd_manage_semaphores',` + gen_require(` + type tgtd_t; + ') + + allow $1 tgtd_t:sem create_sem_perms; ') diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te index aa0cc4565..665bf7c96 100644 --- a/policy/modules/services/tgtd.te +++ b/policy/modules/services/tgtd.te @@ -1,4 +1,4 @@ -policy_module(tgtd, 1.1.0) +policy_module(tgtd, 1.1.1) ######################################## # diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index a442acc77..c28da1c45 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,4 +1,4 @@ -policy_module(fstools, 1.14.0) +policy_module(fstools, 1.14.1) ######################################## # @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon }; kernel_read_system_state(fsadm_t) kernel_read_kernel_sysctls(fsadm_t) +kernel_request_load_module(fsadm_t) # Allow console log change (updfstab) kernel_change_ring_buffer_level(fsadm_t) # mkreiserfs needs this @@ -78,6 +79,7 @@ dev_dontaudit_getattr_generic_files(fsadm_t) # mkreiserfs and other programs need this for UUID dev_read_rand(fsadm_t) dev_read_urand(fsadm_t) +dev_write_kmsg(fsadm_t) # Recreate /dev/cdrom. dev_manage_generic_symlinks(fsadm_t) # fdisk needs this for early boot 
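Review bot: The summary of the new tgtd_manage_semaphores interface reads `Manage tgtd sempaphores.`; it should be `## Manage tgtd semaphores.`. The iscsi_manage_semaphores interface added to iscsi.if in this same commit carries the identical misspelling and should be corrected alongside. The rest of the new interface mirrors tgtd_rw_semaphores, and the whitespace normalisation of that older interface appears behaviour-neutral.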
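Review bot: `kernel_request_load_module(fsadm_t)` is inserted without the why-comment this file gives its other unusual grants, and `dev_write_kmsg(fsadm_t)` in the following hunk lands directly under `# mkreiserfs and other programs need this for UUID`, a comment that explains the rand/urand reads rather than kernel-log writes. Both rules let a filesystem tool reach kernel-facing interfaces (module autoload requests, writes to the kernel log), so a short comment naming the tool that needs each would help later audits, e.g. `# TODO(review): name the fsadm tool that triggers module autoload` above the first and `# writes to /dev/kmsg (tool to be confirmed)` above the second.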
@@ -85,7 +87,7 @@ dev_manage_generic_blk_files(fsadm_t) # Access to /initrd devices dev_search_usbfs(fsadm_t) # for swapon -dev_read_sysfs(fsadm_t) +dev_rw_sysfs(fsadm_t) # Access to /initrd devices dev_getattr_usbfs_dirs(fsadm_t) # Access to /dev/mapper/control @@ -114,6 +116,7 @@ fs_rw_tmpfs_files(fsadm_t) # remount file system to apply changes fs_remount_xattr_fs(fsadm_t) # for /dev/shm +fs_list_auto_mountpoints(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -142,9 +145,6 @@ logging_send_syslog_msg(fsadm_t) miscfiles_read_localization(fsadm_t) -modutils_read_module_config(fsadm_t) -modutils_read_module_deps(fsadm_t) - seutil_read_config(fsadm_t) userdom_use_user_terminals(fsadm_t) @@ -165,6 +165,19 @@ optional_policy(` cron_system_entry(fsadm_t, fsadm_exec_t) ') +optional_policy(` + hal_dontaudit_write_log(fsadm_t) +') + +optional_policy(` + livecd_rw_tmp_files(fsadm_t) +') + +optional_policy(` + modutils_read_module_config(fsadm_t) + modutils_read_module_deps(fsadm_t) +') + optional_policy(` nis_use_ypbind(fsadm_t) ') @@ -174,6 +187,10 @@ optional_policy(` rhgb_stub(fsadm_t) ') +optional_policy(` + udev_read_db(fsadm_t) +') + optional_policy(` xen_append_log(fsadm_t) xen_rw_image_files(fsadm_t) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te index 882c6a246..1a3d970b5 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te @@ -1,4 +1,4 @@ -policy_module(hotplug, 1.14.0) +policy_module(hotplug, 1.14.1) ######################################## # @@ -105,9 +105,6 @@ libs_read_lib_files(hotplug_t) miscfiles_read_hwdata(hotplug_t) miscfiles_read_localization(hotplug_t) -modutils_domtrans_insmod(hotplug_t) -modutils_read_module_deps(hotplug_t) - seutil_dontaudit_search_config(hotplug_t) sysnet_read_config(hotplug_t) 
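Review bot: `dev_rw_sysfs(fsadm_t)` replaces a read-only grant but keeps the `# for swapon` comment above it, which only ever explained the read. Writing sysfs attributes can change device and kernel settings, so the comment should state what the write is for, e.g. `# for swapon; sysfs write access needed by <tool — confirm>`. If only a specific sysfs file is written, a narrower interface would be preferable to read/write on all of sysfs.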
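Review bot: `livecd_rw_tmp_files(fsadm_t)` inside optional_policy only protects against the livecd types being absent at link time; if no livecd.if exists in this tree the m4 call is left unexpanded and the fstools module fails to build. The livecd module is not part of this diff, so please confirm it is present here before relying on the optional block. Moving the modutils calls into their own optional_policy block, as this hunk does, is the right treatment for a module that may be disabled.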
@@ -153,6 +150,11 @@ optional_policy(` iptables_domtrans(hotplug_t) ') +optional_policy(` + modutils_domtrans_insmod(hotplug_t) + modutils_read_module_deps(hotplug_t) +') + optional_policy(` mount_domtrans(hotplug_t) ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index 07eba2b45..fb09b9ee6 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -25,6 +25,7 @@ /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) @@ -35,6 +36,8 @@ /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) + /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 8232f911b..0d4c8d35e 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -37,6 +37,24 @@ interface(`ipsec_stream_connect',` stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) ') +######################################## +## +## Execute ipsec in the ipsec mgmt domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_domtrans_mgmt',` + gen_require(` + type ipsec_mgmt_t, ipsec_mgmt_exec_t; + ') + + domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) +') + ######################################## ## ## Connect to racoon using a unix domain stream socket. 
@@ -92,6 +110,84 @@ interface(`ipsec_exec_mgmt',` can_exec($1, ipsec_exec_t) ') +######################################## +## +## Send ipsec mgmt a general signal. +## +## +## +## Domain allowed access. +## +## +# +# +interface(`ipsec_signal_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process signal; +') + +######################################## +## +## Send ipsec mgmt a null signal. +## +## +## +## Domain allowed access. +## +## +# +# +interface(`ipsec_signull_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process signull; +') + +######################################## +## +## Send ipsec mgmt a kill signal. +## +## +## +## Domain allowed access. +## +## +# +# +interface(`ipsec_kill_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process sigkill; +') + +###################################### +## +## Send and receive messages from +## ipsec-mgmt over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_mgmt_dbus_chat',` + gen_require(` + type ipsec_mgmt_t; + class dbus send_msg; + ') + + allow $1 ipsec_mgmt_t:dbus send_msg; + allow ipsec_mgmt_t $1:dbus send_msg; +') + ######################################## ## ## Read the IPSEC configuration diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 98d60815c..55a6cd8ce 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -1,4 +1,4 @@ -policy_module(ipsec, 1.11.1) +policy_module(ipsec, 1.11.2) ######################################## # 
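Review bot: ipsec_signal_mgmt, ipsec_signull_mgmt and ipsec_kill_mgmt each carry two bare `#` lines between the doc block and `interface(`, whereas ipsec_domtrans_mgmt and ipsec_mgmt_dbus_chat in this same commit, and the rest of the file, use one. Dropping the duplicate `#` keeps the interface documentation layout consistent for the doc extractor. The banner above ipsec_mgmt_dbus_chat is also two characters shorter than the others in the file.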
@@ -73,7 +73,7 @@ role system_r types setkey_t; # allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability sys_tty_config; +dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; @@ -95,9 +95,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) +manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file }) +files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) can_exec(ipsec_t, ipsec_mgmt_exec_t) @@ -108,8 +109,8 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t) corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; -dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; -allow ipsec_mgmt_t ipsec_t:process sigchld; +allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; +allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; kernel_read_kernel_sysctls(ipsec_t) kernel_list_proc(ipsec_t) @@ -150,6 +151,7 @@ domain_use_interactive_fds(ipsec_t) files_list_tmp(ipsec_t) files_read_etc_files(ipsec_t) files_read_usr_files(ipsec_t) +files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) 
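Review bot: `allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };` turns a former dontaudit into a real grant, and `rlimitinh` is added beside it, with nothing saying which management program needs to read or write pluto's stream socket. If the original dontaudit existed because of a descriptor leaked across the transition, keeping the dontaudit is the correct fix; if it is a genuine need, a comment such as `# <tool — confirm> talks to pluto over the inherited stream socket` should accompany the rule.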
@@ -185,8 +187,8 @@ optional_policy(` # allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; -dontaudit ipsec_mgmt_t self:capability sys_tty_config; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal }; +dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; +allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; @@ -225,7 +227,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) -files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file) # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) @@ -258,7 +259,7 @@ dev_read_urand(ipsec_mgmt_t) domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. -domain_dontaudit_list_all_domains_state(ipsec_mgmt_t) +domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) # suppress audit messages about unnecessary socket access # cjp: this seems excessive domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) @@ -278,6 +279,9 @@ fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) +auth_dontaudit_read_login_records(ipsec_mgmt_t) + +init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) 
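Review bot: Removing `files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)` here while the -287 hunk adds `sysnet_etc_filetrans_config(ipsec_mgmt_t)` means any file ipsec_mgmt_t creates under /etc is now labelled as network configuration (net_conf_t) rather than ipsec_key_file_t. If the management scripts ever generate key or secret material in /etc, that material would take the far more widely readable configuration label instead of the key type; please confirm which tool writes there and, if keys are involved, whether the generated files need a different location or transition. Without a comment the removal reads as a silent downgrade rather than a deliberate trade-off.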
@@ -287,11 +291,11 @@ logging_send_syslog_msg(ipsec_mgmt_t) miscfiles_read_localization(ipsec_mgmt_t) -modutils_domtrans_insmod(ipsec_mgmt_t) - seutil_dontaudit_search_config(ipsec_mgmt_t) +sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) +sysnet_etc_filetrans_config(ipsec_mgmt_t) userdom_use_user_terminals(ipsec_mgmt_t) @@ -299,6 +303,27 @@ optional_policy(` consoletype_exec(ipsec_mgmt_t) ') +optional_policy(` + hostname_exec(ipsec_mgmt_t) +') + +optional_policy(` + dbus_system_bus_client(ipsec_mgmt_t) + dbus_connect_system_bus(ipsec_mgmt_t) + + optional_policy(` + networkmanager_dbus_chat(ipsec_mgmt_t) + ') +') + +optional_policy(` + iptables_domtrans(ipsec_mgmt_t) +') + +optional_policy(` + modutils_domtrans_insmod(ipsec_mgmt_t) +') + optional_policy(` nscd_socket_use(ipsec_mgmt_t) ') @@ -412,6 +437,7 @@ domain_ipsec_setcontext_all_domains(setkey_t) files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) +init_read_script_tmp_files(setkey_t) # allow setkey to set the context for ipsec SAs and policy. corenet_setcontext_all_spds(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc index 13f62a6ee..05fb3648e 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc 
@@ -1,11 +1,17 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index 5c94dfeef..7ba53db30 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -17,6 +17,10 @@ interface(`iptables_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, iptables_exec_t, iptables_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit iptables_t $1:socket_class_set { read write }; + ') ') ######################################## diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 8dbb3a1bc..f3e1b57e9 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,4 +1,4 @@ -policy_module(iptables, 1.11.1) +policy_module(iptables, 1.11.2) ######################################## # 
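Review bot: The ebtables and ipvsadm entries are added only under /sbin, while the existing ipchains and iptables entries further down this hunk also carry /usr/sbin variants. On a system that installs these tools under /usr/sbin they would keep the generic binary label and run in the caller's domain instead of transitioning to iptables_t. If those locations are in use, matching lines such as `/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)` and `/usr/sbin/ipvsadm.* -- gen_context(system_u:object_r:iptables_exec_t,s0)` would close the gap.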
@@ -31,6 +31,7 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_ra dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; +allow iptables_t self:netlink_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) @@ -52,6 +53,10 @@ kernel_read_kernel_sysctls(iptables_t) kernel_read_modprobe_sysctls(iptables_t) kernel_use_fds(iptables_t) +# needed by ipvsadm +corecmd_exec_bin(iptables_t) +corecmd_exec_shell(iptables_t) + corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) @@ -88,6 +93,10 @@ sysnet_dns_name_resolve(iptables_t) userdom_use_user_terminals(iptables_t) userdom_use_all_users_fds(iptables_t) +ifdef(`hide_broken_symptoms',` + dev_dontaudit_write_mtrr(iptables_t) +') + optional_policy(` fail2ban_append_log(iptables_t) ') @@ -125,6 +134,7 @@ optional_policy(` optional_policy(` shorewall_read_tmp_files(iptables_t) shorewall_rw_lib_files(iptables_t) + shorewall_read_config(iptables_t) ') optional_policy(` diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if index 663a47b08..4cae92acc 100644 --- a/policy/modules/system/iscsi.if +++ b/policy/modules/system/iscsi.if @@ -18,6 +18,24 @@ interface(`iscsid_domtrans',` domtrans_pattern($1, iscsid_exec_t, iscsid_t) ') +######################################## +## +## Manage iscsid sempaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`iscsi_manage_semaphores',` + gen_require(` + type iscsid_t; + ') + + allow $1 iscsid_t:sem create_sem_perms; +') + ######################################## ## ## Connect to ISCSI using a unix domain stream socket. diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te index 1d1c39962..ddbd8bee6 100644 --- a/policy/modules/system/iscsi.te 
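Review bot: `corecmd_exec_bin(iptables_t)` and `corecmd_exec_shell(iptables_t)` under `# needed by ipvsadm` let a domain holding net_admin run any generic binary or shell. If ipvsadm-save and ipvsadm-restore are shell wrappers that only call back into ipvsadm (labelled iptables_exec_t by the iptables.fc hunk in this commit), the shell grant alone may be enough; please confirm exec_bin is actually exercised. Naming the helper in the comment, e.g. `# ipvsadm-save/ipvsadm-restore are shell wrappers around ipvsadm — confirm`, would let the next reviewer re-check the scope.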
+++ b/policy/modules/system/iscsi.te @@ -1,4 +1,4 @@ -policy_module(iscsi, 1.7.0) +policy_module(iscsi, 1.7.1) ######################################## # @@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t) # allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; +dontaudit iscsid_t self:capability sys_ptrace; allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -38,14 +39,15 @@ allow iscsid_t self:unix_dgram_socket create_socket_perms; allow iscsid_t self:sem create_sem_perms; allow iscsid_t self:shm create_shm_perms; allow iscsid_t self:netlink_socket create_socket_perms; -allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; +allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; allow iscsid_t self:tcp_socket create_stream_socket_perms; can_exec(iscsid_t, iscsid_exec_t) +manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) -files_lock_filetrans(iscsid_t, iscsi_lock_t, file) +files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file }) manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) logging_log_filetrans(iscsid_t, iscsi_log_t, file) @@ -91,5 +93,5 @@ logging_send_syslog_msg(iscsid_t) miscfiles_read_localization(iscsid_t) optional_policy(` - tgtd_rw_semaphores(iscsid_t) + tgtd_manage_semaphores(iscsid_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 9df8c4da5..560dc4815 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc 
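Review bot: Switching to `tgtd_manage_semaphores(iscsid_t)` grants iscsid create, destroy and setattr on tgtd's semaphores rather than the previous read/write only, so a misbehaving iscsid could now remove tgtd's IPC objects. If the reason is that iscsid creates the shared semaphore set before tgtd attaches, a comment saying so would justify the wider grant, e.g. `# iscsid creates the semaphore set shared with tgtd — confirm`. The `dontaudit iscsid_t self:capability sys_ptrace;` added near the top of this file is likewise uncommented, though harmless on its own.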
@@ -90,6 +90,7 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` +/opt/Adobe.*/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) @@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
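Review bot: `/opt/Adobe.*/libcurl\.so` puts an unanchored `.*` directly after `Adobe`, so it also matches any `/opt/AdobeSomethingElse/.../libcurl.so`, whereas the neighbouring entries constrain the path with `(/.*?)`. `/opt/Adobe(/.*)?/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` matches the bundled library at any depth under /opt/Adobe without the spill-over. The maxima entries removed in the -198 hunk have no replacement in this diff; if they moved to another module that is fine, otherwise those binaries lose their textrel label.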
@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame @@ -304,11 +305,6 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) /usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) -/usr/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -/usr/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - -/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) -/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ') dnl end distro_redhat # diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index d97d16da8..808ba93eb 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -44,6 +44,26 @@ interface(`libs_run_ldconfig',` role $2 types ldconfig_t; ') +######################################## +## +## Execute ldconfig in the caller domain. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`libs_exec_ldconfig',` + gen_require(` + type ldconfig_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ldconfig_exec_t) +') + ######################################## ## ## Use the dynamic link/loader for automatic loading 
@@ -231,6 +251,24 @@ interface(`libs_manage_lib_dirs',` allow $1 lib_t:dir manage_dir_perms; ') +######################################## +## +## dontaudit attempts to setattr on library files +## +## +## +## Domain to not audit. +## +## +# +interface(`libs_dontaudit_setattr_lib_files',` + gen_require(` + type lib_t; + ') + + dontaudit $1 lib_t:file setattr; +') + ######################################## ## ## Read files in the library directories, such diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index bf416a430..e5836d3c4 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,4 +1,4 @@ -policy_module(libraries, 2.7.0) +policy_module(libraries, 2.7.1) ######################################## # diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc index 757058361..be6a81b80 100644 --- a/policy/modules/system/locallogin.fc +++ b/policy/modules/system/locallogin.fc @@ -1,2 +1,3 @@ /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) +/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 2b7e5f3f0..a0b379db9 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,4 +1,4 @@ -policy_module(locallogin, 1.10.1) +policy_module(locallogin, 1.10.2) ######################################## # @@ -185,7 +185,7 @@ optional_policy(` ') optional_policy(` - unconfined_domain(local_login_t) + unconfined_shell_domtrans(local_login_t) ') optional_policy(` 
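Review bot: The summary of libs_dontaudit_setattr_lib_files reads `dontaudit attempts to setattr on library files`, lowercase shorthand where this file's other dontaudit interfaces use a full sentence; `## Do not audit attempts to set the attributes of library files.` matches the house style. The rule body itself follows the file's existing pattern.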
@@ -198,13 +198,14 @@ optional_policy(` ') ################################# -# +# # Sulogin local policy # +allow sulogin_t self:capability dac_override; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; -allow sulogin_t self:fifo_file rw_file_perms; +allow sulogin_t self:fifo_file rw_fifo_file_perms; allow sulogin_t self:unix_dgram_socket create_socket_perms; allow sulogin_t self:unix_stream_socket create_stream_socket_perms; allow sulogin_t self:unix_dgram_socket sendto; diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 571599b50..02f4c97ef 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -25,6 +25,7 @@ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) +/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) ifdef(`distro_suse', ` 
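Review bot: `allow sulogin_t self:capability dac_override;` gives the single-user login helper blanket DAC bypass with no comment explaining which access needs it; if sulogin_t already has the auth interfaces it needs for shadow access (outside this hunk, so confirm), that cannot be the reason. A comment such as `# dac_override: needed for <path — confirm>` would let a later reviewer check whether a narrower grant works. The `rw_file_perms` to `rw_fifo_file_perms` correction on the fifo rule is right.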
@@ -37,13 +38,14 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) +/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ifndef(`distro_gentoo',` /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) 
@@ -54,18 +56,21 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) -/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) -/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) -/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) +/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) +/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) -/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) +/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index c7cfb6234..831b909b6 100644 --- a/policy/modules/system/logging.if 
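Review bot: `/var/run/syslog-ng.ctl` leaves the dot unescaped, so it also matches a path such as `/var/run/syslog-ngXctl`; this same hunk corrects `/var/spool/plymouth/boot\.log` for exactly that reason, so the new line should read `/var/run/syslog-ng\.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)`. The pre-existing `/var/lib/syslog-ng.persist` context line in the -25 hunk has the same unescaped dot and could be fixed in passing.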
+++ b/policy/modules/system/logging.if @@ -679,6 +679,25 @@ interface(`logging_rw_generic_log_dirs',` allow $1 var_log_t:dir rw_dir_perms; ') +####################################### +## +## Set attributes on all log dirs. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_setattr_all_log_dirs',` + gen_require(` + attribute logfile; + ') + + allow $1 logfile:dir setattr; +') + ######################################## ## ## Do not audit attempts to get the atttributes diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 03495c001..b6ec597c3 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,4 +1,4 @@ -policy_module(logging, 1.17.1) +policy_module(logging, 1.17.2) ######################################## # @@ -19,6 +19,10 @@ type auditd_log_t; files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) +type audit_spool_t; +files_security_file(audit_spool_t) +files_security_mountpoint(audit_spool_t) + type auditd_t; type auditd_exec_t; init_daemon_domain(auditd_t, auditd_exec_t) @@ -55,7 +59,7 @@ type klogd_var_run_t; files_pid_file(klogd_var_run_t) type syslog_conf_t; -files_type(syslog_conf_t) +files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; @@ -253,7 +257,16 @@ optional_policy(` # Audit remote logger local policy # +allow audisp_remote_t self:capability { setuid setpcap }; +allow audisp_remote_t self:process { getcap setcap }; allow audisp_remote_t self:tcp_socket create_socket_perms; +allow audisp_remote_t var_log_t:dir search_dir_perms; + +manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) + +corecmd_exec_bin(audisp_remote_t) corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) 
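Review bot: audisp_remote_t gains `setuid setpcap` capabilities, `getcap setcap` on itself and `corecmd_exec_bin`, none with a comment, and exec_bin in particular lets the audit dispatcher plugin execute any generic binary. If this is for the external action commands the remote plugin can be configured to run, a comment like `# audisp-remote may exec a configured external program on failure — confirm` plus a note on why it changes its own capabilities would document the trust being extended. `allow audisp_remote_t var_log_t:dir search_dir_perms;` duplicates what the module's own logging_search_logs interface provides and could call it for consistency.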
@@ -268,6 +281,7 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) logging_send_syslog_msg(audisp_remote_t) +logging_send_audit_msgs(audisp_remote_t) miscfiles_read_localization(audisp_remote_t)