last misc stuff

More tiny patches.  Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.

policy/modules/admin/apt.fc

@@ -1,9 +1,12 @@
 /etc/cron\.daily/apt	--	gen_context(system_u:object_r:apt_exec_t,s0)
 
-ifndef(`distro_redhat',`
+/usr/bin/apt		--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)

policy/modules/admin/backup.te

@@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
 
 logging_send_syslog_msg(backup_t)
 
+miscfiles_read_localization(backup_t)
+
 sysnet_read_config(backup_t)
 
 userdom_use_user_terminals(backup_t)

policy/modules/admin/dpkg.te

@@ -316,6 +316,10 @@ optional_policy(`
 	devicekit_dbus_chat_power(dpkg_script_t)
 ')
 
+optional_policy(`
+	init_dbus_chat(dpkg_script_t)
+')
+
 optional_policy(`
 	modutils_run(dpkg_script_t, dpkg_roles)
 ')

policy/modules/admin/logrotate.te

@@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
 fs_list_inotifyfs(logrotate_t)
 fs_getattr_tmpfs(logrotate_t)
+# killall reads nsfs files
+fs_read_nsfs_files(logrotate_t)
 
 mls_file_read_all_levels(logrotate_t)
 mls_file_write_all_levels(logrotate_t)

policy/modules/admin/usermanage.te

@@ -189,7 +189,7 @@ optional_policy(`
 #
 
 allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
-dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
 allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow groupadd_t self:fd use;
 allow groupadd_t self:fifo_file rw_fifo_file_perms;
@@ -251,6 +251,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
 
+optional_policy(`
+	dbus_system_bus_client(groupadd_t)
+')
+
 optional_policy(`
 	dpkg_use_fds(groupadd_t)
 	dpkg_rw_pipes(groupadd_t)
@@ -269,6 +273,10 @@ optional_policy(`
 	rpm_rw_pipes(groupadd_t)
 ')
 
+optional_policy(`
+	unconfined_use_fds(groupadd_t)
+')
+
 ########################################
 #
 # Passwd local policy
@@ -446,7 +454,7 @@ optional_policy(`
 #
 
 allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
 allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow useradd_t self:fd use;
 allow useradd_t self:fifo_file rw_fifo_file_perms;
@@ -537,6 +545,10 @@ optional_policy(`
 	apache_manage_all_user_content(useradd_t)
 ')
 
+optional_policy(`
+	dbus_system_bus_client(useradd_t)
+')
+
 optional_policy(`
 	dpkg_use_fds(useradd_t)
 	dpkg_rw_pipes(useradd_t)
@@ -560,3 +572,7 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
+
+optional_policy(`
+	unconfined_use_fds(useradd_t)
+')

policy/modules/apps/syncthing.te

@@ -65,7 +65,3 @@ userdom_user_content_access_template(syncthing, syncthing_t)
 
 userdom_use_user_terminals(syncthing_t)
 
-optional_policy(`
-	# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
-	networkmanager_read_pid_files(syncthing_t)
-')

policy/modules/kernel/corecommands.fc

@@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/ConsoleKit/run-session.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/courier(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/crda/setregdomain	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cups(/.*)? 			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus-imapd/.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rsyslog/rsyslog-rotate --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
 /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smartmontools/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)

policy/modules/system/locallogin.te

@@ -34,7 +34,7 @@ role system_r types sulogin_t;
 
 allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 allow local_login_t self:sock_file read_sock_file_perms;
@@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
+userdom_manage_all_users_keys(local_login_t)
 userdom_spec_domtrans_all_users(local_login_t)
 userdom_signal_all_users(local_login_t)
 userdom_search_user_home_content(local_login_t)

policy/modules/system/selinuxutil.te

@@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
 fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
 fs_getattr_nfs(setfiles_t)
 fs_getattr_pstore_dirs(setfiles_t)
 fs_getattr_pstorefs(setfiles_t)

policy/modules/system/sysnetwork.te

@@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
 allow dhcpc_t dhcp_state_t:file read_file_perms;
 manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
 filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file map;
 
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
 
 logging_send_syslog_msg(ifconfig_t)
 
+# dhclient reads /etc/ssl
+miscfiles_read_generic_certs(dhcpc_t)
 miscfiles_read_localization(ifconfig_t)
 
 seutil_use_runinit_fds(ifconfig_t)

policy/modules/system/udev.te

@@ -305,10 +305,6 @@ optional_policy(`
 	devicekit_dgram_send(udev_t)
 ')
 
-optional_policy(`
-	lvm_domtrans(udev_t)
-')
-
 optional_policy(`
 	fstools_domtrans(udev_t)
 ')
@@ -327,6 +323,10 @@ optional_policy(`
 	hotplug_search_pids(udev_t)
 ')
 
+optional_policy(`
+	iptables_domtrans(udev_t)
+')
+
 optional_policy(`
 	lvm_domtrans(udev_t)
 ')