From 8152a78836b59f0e611d16fc794fc475bd01772d Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Apr 04 2008 17:08:34 +0000
Subject: trunk: 7 patches from dan.


---

diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index 8cfca3c..ccc3d2c 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -180,25 +180,6 @@ template(`userhelper_per_role_template',`
 	optional_policy(`
 		nscd_socket_use($1_userhelper_t)
 	')
-
-	ifdef(`TODO',`
-		allow $1_userhelper_t xdm_t:fd use;
-		allow $1_userhelper_t xdm_var_run_t:dir search;
-		allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
-
-		optional_policy(`
-			allow $1_userhelper_t gphdomain:fd use;
-		')
-		optional_policy(`
-			domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t)
-			allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
-		')
-		optional_policy(`
-			domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-		')
-		# for when the network connection is killed
-		dontaudit unpriv_userdomain $1_userhelper_t:process signal;
-	')
 ')
 
 ########################################
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index a8760e6..66e8548 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -851,9 +851,8 @@ interface(`kernel_rw_afs_state',`
 		type proc_t, proc_afs_t;
 	')
 
-	read_files_pattern($1,proc_t,proc_afs_t)
-
 	list_dirs_pattern($1,proc_t,proc_t)
+	rw_files_pattern($1,proc_afs_t,proc_afs_t)
 ')
 
 #######################################
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 9b5a9b6..5478533 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.9.0)
+policy_module(kernel,1.9.1)
 
 ########################################
 #
@@ -363,7 +363,7 @@ optional_policy(`
 
 allow kern_unconfined proc_type:{ dir file lnk_file } *;
 
-allow kern_unconfined sysctl_t:{ dir file } *;
+allow kern_unconfined sysctl_type:{ dir file } *;
 
 allow kern_unconfined kernel_t:system *;
 
@@ -372,5 +372,3 @@ allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
 allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
-
-kernel_rw_all_sysctls(kern_unconfined)
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
index fde49b7..d3c709e 100644
--- a/policy/modules/services/fetchmail.if
+++ b/policy/modules/services/fetchmail.if
@@ -1 +1,40 @@
 ## <summary>Remote-mail retrieval and forwarding utility</summary>
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an fetchmail environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the fetchmail domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fetchmail_admin',`
+	gen_require(`
+		type fetchmail_t, fetchmail_etc_t;
+		type fetchmail_uidl_cache_t, fetchmail_var_run_t;
+	')
+
+	ps_process_pattern($1, fetchmail_t)
+
+	files_list_etc($1)
+	manage_files_pattern($1, fetchmail_etc_t, fetchmail_etc_t)
+
+	manage_files_pattern($1, fetchmail_uidl_cache_t, fetchmail_uidl_cache_t)
+
+	files_list_pids($1)
+	manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t)
+')
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 15e7cb3..0f58ecd 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
 
-policy_module(fetchmail,1.5.0)
+policy_module(fetchmail,1.5.1)
 
 ########################################
 #
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 13affb0..7908ac8 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -1,5 +1,5 @@
 
-policy_module(openct,1.2.0)
+policy_module(openct,1.2.1)
 
 ########################################
 #
@@ -22,7 +22,8 @@ dontaudit openct_t self:capability sys_tty_config;
 allow openct_t self:process signal_perms;
 
 manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
-files_pid_filetrans(openct_t,openct_var_run_t,file)
+manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+files_pid_filetrans(openct_t,openct_var_run_t,{ file sock_file })
 
 kernel_read_kernel_sysctls(openct_t)
 kernel_list_proc(openct_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index cc7d67d..3cb9992 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.5.0)
+policy_module(pegasus,1.5.1)
 
 ########################################
 #
@@ -42,6 +42,7 @@ allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
 allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 
+manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
@@ -113,19 +114,17 @@ libs_use_ld_so(pegasus_t)
 libs_use_shared_libs(pegasus_t)
 
 logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
 
 miscfiles_read_localization(pegasus_t)
 
 sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
 userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
 
 optional_policy(`
-	logging_send_syslog_msg(pegasus_t)
-')
-
-optional_policy(`
 	rpm_exec(pegasus_t)
 ')
 
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 6f6ea20..f5c7110 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(rlogin,1.6.0)
+policy_module(rlogin,1.6.1)
 
 ########################################
 #
@@ -61,6 +61,8 @@ corenet_udp_sendrecv_all_ports(rlogind_t)
 
 dev_read_urand(rlogind_t)
 
+domain_interactive_fd(rlogind_t)
+
 fs_getattr_xattr_fs(rlogind_t)
 fs_search_auto_mountpoints(rlogind_t)
 
@@ -82,23 +84,20 @@ logging_send_syslog_msg(rlogind_t)
 
 miscfiles_read_localization(rlogind_t)
 
-seutil_dontaudit_search_config(rlogind_t)
+seutil_read_config(rlogind_t)
 
 userdom_setattr_unpriv_users_ptys(rlogind_t)
 # cjp: this is egregious
 userdom_read_all_users_home_content_files(rlogind_t)
 
 remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
 
 optional_policy(`
+	kerberos_use(rlogind_t)
 	kerberos_read_keytab(rlogind_t)
 ')
 
 optional_policy(`
 	tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
 ')
-
-ifdef(`TODO',`
-# Allow krb5 rlogind to use fork and open /dev/tty for use
-allow rlogind_t userpty_type:chr_file setattr;
-')
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index 37acb56..1ae1cab 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -1,5 +1,5 @@
 
-policy_module(telnet,1.6.0)
+policy_module(telnet,1.6.1)
 
 ########################################
 #
@@ -59,6 +59,8 @@ corenet_udp_sendrecv_all_ports(telnetd_t)
 
 dev_read_urand(telnetd_t)
 
+domain_interactive_fd(telnetd_t)
+
 fs_getattr_xattr_fs(telnetd_t)
 
 auth_rw_login_records(telnetd_t)
@@ -66,6 +68,7 @@ auth_use_nsswitch(telnetd_t)
 
 corecmd_search_bin(telnetd_t)
 
+files_read_usr_files(telnetd_t)
 files_read_etc_files(telnetd_t)
 files_read_etc_runtime_files(telnetd_t)
 # for identd; cjp: this should probably only be inetd_child rules?
@@ -80,17 +83,21 @@ logging_send_syslog_msg(telnetd_t)
 
 miscfiles_read_localization(telnetd_t)
 
-seutil_dontaudit_search_config(telnetd_t)
+seutil_read_config(telnetd_t)
 
 remotelogin_domtrans(telnetd_t)
 
-# for identd; cjp: this should probably only be inetd_child rules?
+userdom_search_unpriv_users_home_dirs(telnetd_t)
+
 optional_policy(`
 	kerberos_use(telnetd_t)
 	kerberos_read_keytab(telnetd_t)
 ')
 
-ifdef(`TODO',`
-# Allow krb5 telnetd to use fork and open /dev/tty for use
-allow telnetd_t userpty_type:chr_file setattr;
+tunable_policy(`use_nfs_home_dirs',`
+	fs_search_nfs(telnetd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_search_cifs(telnetd_t)
 ')