Changeset 2832

Timestamp:

10/10/08 14:13:21 (2 months ago)

Author:

cpebenito

Message:

rbacsep: update to trunk 2831.

Files:

• branches/rbacsep/Changelog (modified) (1 diff)
• branches/rbacsep/policy/modules/admin/certwatch.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/admin/firstboot.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/admin/kismet.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/admin/logrotate.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/admin/readahead.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/admin/vpn.if (modified) (1 diff)
• branches/rbacsep/policy/modules/admin/vpn.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/kernel/corenetwork.te.in (modified) (3 diffs)
• branches/rbacsep/policy/modules/kernel/selinux.if (modified) (1 diff)
• branches/rbacsep/policy/modules/kernel/selinux.te (modified) (1 diff)
• branches/rbacsep/policy/modules/kernel/storage.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/kernel/storage.te (modified) (1 diff)
• branches/rbacsep/policy/modules/roles/auditadm.te (modified) (1 diff)
• branches/rbacsep/policy/modules/roles/secadm.te (modified) (1 diff)
• branches/rbacsep/policy/modules/roles/staff.te (modified) (1 diff)
• branches/rbacsep/policy/modules/roles/sysadm.te (modified) (1 diff)
• branches/rbacsep/policy/modules/roles/unprivuser.te (modified) (1 diff)
• branches/rbacsep/policy/modules/services/amavis.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/amavis.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/amavis.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/services/apache.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/apcupsd.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/apcupsd.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/apcupsd.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/services/automount.fc (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/automount.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/automount.te (modified) (7 diffs)
• branches/rbacsep/policy/modules/services/bitlbee.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/bitlbee.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/bitlbee.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/canna.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/canna.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/canna.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/ddclient.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ddclient.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ddclient.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/dictd.fc (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/dictd.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/dictd.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/services/fail2ban.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/fail2ban.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/fail2ban.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/ftp.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ftp.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ftp.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/inn.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/inn.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/inn.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/services/jabber.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/jabber.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/jabber.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/kerberos.fc (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/kerberos.if (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/kerberos.te (modified) (15 diffs)
• branches/rbacsep/policy/modules/services/ldap.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ldap.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ldap.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/memcached.fc (copied) (copied from trunk/policy/modules/services/memcached.fc)
• branches/rbacsep/policy/modules/services/memcached.if (copied) (copied from trunk/policy/modules/services/memcached.if)
• branches/rbacsep/policy/modules/services/memcached.te (copied) (copied from trunk/policy/modules/services/memcached.te)
• branches/rbacsep/policy/modules/services/ntp.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/ntp.te (modified) (1 diff)
• branches/rbacsep/policy/modules/services/oident.fc (copied) (copied from trunk/policy/modules/services/oident.fc) (1 diff)
• branches/rbacsep/policy/modules/services/oident.if (copied) (copied from trunk/policy/modules/services/oident.if) (2 diffs)
• branches/rbacsep/policy/modules/services/oident.te (copied) (copied from trunk/policy/modules/services/oident.te) (2 diffs)
• branches/rbacsep/policy/modules/services/openvpn.fc (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/openvpn.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/openvpn.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/postfixpolicyd.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/postfixpolicyd.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/postfixpolicyd.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/radius.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/radius.if (modified) (3 diffs)
• branches/rbacsep/policy/modules/services/radius.te (modified) (8 diffs)
• branches/rbacsep/policy/modules/services/radvd.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/radvd.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/radvd.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/services/rpcbind.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/rwho.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/rwho.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/rwho.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/sasl.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/sasl.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/sasl.te (modified) (3 diffs)
• branches/rbacsep/policy/modules/services/smartmon.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/smartmon.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/smartmon.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/services/snort.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/snort.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/snort.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/soundserver.fc (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/soundserver.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/soundserver.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/squid.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/squid.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/squid.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/tftp.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/tftp.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/tor.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/tor.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/tor.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/services/uucp.if (modified) (1 diff)
• branches/rbacsep/policy/modules/services/uucp.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/xserver.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/zabbix.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/zabbix.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/zabbix.te (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/zebra.fc (modified) (1 diff)
• branches/rbacsep/policy/modules/services/zebra.if (modified) (2 diffs)
• branches/rbacsep/policy/modules/services/zebra.te (modified) (4 diffs)
• branches/rbacsep/policy/modules/system/logging.if (modified) (6 diffs)
• branches/rbacsep/policy/modules/system/logging.te (modified) (5 diffs)
• branches/rbacsep/policy/modules/system/selinuxutil.if (modified) (1 diff)
• branches/rbacsep/policy/modules/system/selinuxutil.te (modified) (1 diff)
• branches/rbacsep/policy/support/file_patterns.spt (modified) (1 diff)

branches/rbacsep/Changelog

@@ -15 +15 @@
-- Added modules:
-        cyphesis (Dan Walsh)
+        memcached (Dan Walsh)
+        oident (Dominick Grift)
-        w3c (Dan Walsh)
-

branches/rbacsep/policy/modules/admin/certwatch.te

@@ -16 +16 @@
-# Local policy
-#
+allow certwatch_t self:capability sys_nice;
+allow certwatch_t self:process { setsched getsched };
+
+dev_read_urand(certwatch_t)
-
-files_read_etc_files(certwatch_t)
+files_read_usr_files(certwatch_t)
+files_read_usr_symlinks(certwatch_t)
+files_list_tmp(certwatch_t)
+
+fs_list_inotifyfs(certwatch_t)
-
-libs_use_ld_so(certwatch_t)
@@ -27 +36 @@
-miscfiles_read_localization(certwatch_t)
-
-
+
+
+
-
-optional_policy(`
-        cron_system_entry(certwatch_t, certwatch_exec_t)
-')
+
+optional_policy(`
+        pcscd_stream_connect(certwatch_t)
+        pcscd_read_pub_files(certwatch_t)
+')

branches/rbacsep/policy/modules/admin/firstboot.te

@@ -1 +1 @@
-
-2
+3
-
-gen_require(`
@@ -121 +121 @@
-optional_policy(`
-        xserver_rw_shm(firstboot_t)
+        xserver_unconfined(firstboot_t)
-')
-
-ifdef(`TODO',`
-allow firstboot_t proc_t:file write;
-
-ifdef(`printconf.te', `
-        can_exec(firstboot_t, printconf_t)
-')
-
-ifdef(`userhelper.te', `
-        role system_r types sysadm_userhelper_t;
-        domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-') dnl end TODO

branches/rbacsep/policy/modules/admin/kismet.te

@@ -1 +1 @@
-
-2
+3
-
-########################################
@@ -27 +27 @@
-
-allow kismet_t self:capability { net_admin net_raw setuid setgid };
+allow kismet_t self:fifo_file rw_file_perms;
-allow kismet_t self:packet_socket create_socket_perms;
+allow kismet_t self:unix_dgram_socket create_socket_perms;
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
@@ -41 +44 @@
-files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
-
+kernel_search_debugfs(kismet_t)
+
-corecmd_exec_bin(kismet_t)
-

branches/rbacsep/policy/modules/admin/logrotate.te

@@ -1 +1 @@
-
-2
+3
-
-########################################
@@ -98 +98 @@
-files_read_etc_runtime_files(logrotate_t)
-files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
-# Write to /var/spool/slrnpull - should be moved into its own type.
-files_manage_generic_spool(logrotate_t)
@@ -168 +169 @@
-
-optional_policy(`
-exec
+domtrans
-        mailman_search_data(logrotate_t)
-        mailman_manage_log(logrotate_t)
@@ -190 +191 @@
-
-optional_policy(`
-
-
+
-')

branches/rbacsep/policy/modules/admin/readahead.te

@@ -1 +1 @@
-
-1
+2
-
-########################################
@@ -23 +23 @@
-#
-
-
+fowner 
-dontaudit readahead_t self:capability sys_tty_config;
-allow readahead_t self:process signal_perms;

branches/rbacsep/policy/modules/admin/vpn.if

@@ -49 +49 @@
-        role $2 types vpnc_t;
-        allow vpnc_t $3:chr_file rw_term_perms;
+        sysnet_run_ifconfig(vpnc_t, $2, $3)
-')
-

branches/rbacsep/policy/modules/admin/vpn.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -23 +23 @@
-#
-
-
+read_search dac_
-allow vpnc_t self:process getsched;
-
+
+
-allow vpnc_t self:tcp_socket create_stream_socket_perms;
-allow vpnc_t self:udp_socket create_socket_perms;
@@ -103 +104 @@
-seutil_use_newrole_fds(vpnc_t)
-
-sysnet_domtrans_ifconfig(vpnc_t)
-sysnet_etc_filetrans_config(vpnc_t)
-sysnet_manage_config(vpnc_t)

branches/rbacsep/policy/modules/kernel/corenetwork.te.in

@@ -1 +1 @@
-
-19
+21
-
-########################################
@@ -76 +76 @@
-network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
-network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
+network_port(audit, tcp,60,s0)
-network_port(auth, tcp,113,s0)
-network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
@@ -122 +123 @@
-network_port(lmtp, tcp,24,s0, udp,24,s0)
-network_port(mail, tcp,2000,s0)
+network_port(memcache, tcp,11211,s0, udp,11211,s0)
-network_port(mmcc, tcp,5050,s0, udp,5050,s0)
-network_port(monopd, tcp,1234,s0)

branches/rbacsep/policy/modules/kernel/selinux.if

@@ -363 +363 @@
-########################################
-## <summary>
+##      Do not audit attempts to validate security contexts.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_dontaudit_validate_context',`
+        gen_require(`
+                type security_t;
+        ')
+
+        dontaudit $1 security_t:dir list_dir_perms;
+        dontaudit $1 security_t:file { getattr read write };
+        dontaudit $1 security_t:security check_context;
+')
+
+########################################
+## <summary>
-##      Allows caller to compute an access vector.
-## </summary>

branches/rbacsep/policy/modules/kernel/selinux.te

@@ -1 +1 @@
-
-0
+1
-
-########################################

branches/rbacsep/policy/modules/kernel/storage.fc

@@ -28 +28 @@
-/dev/megadev.*          -c      gen_context(system_u:object_r:removable_device_t,s0)
-/dev/mmcblk.*           -b      gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mspblk.*           -b      gen_context(system_u:object_r:removable_device_t,s0)
-/dev/nb[^/]+            -b      gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/optcd              -b      gen_context(system_u:object_r:removable_device_t,s0)

branches/rbacsep/policy/modules/kernel/storage.te

@@ -1 +1 @@
-
-1
+2
-
-########################################

branches/rbacsep/policy/modules/roles/auditadm.te

@@ -117 +117 @@
-
-optional_policy(`
+        oidentd_manage_user_content(auditadm_t)
+        oidentd_relabel_user_content(auditadm_t)
+')
+
+optional_policy(`
-        pyzor_role(auditadm_r, auditadm_t)
-')

branches/rbacsep/policy/modules/roles/secadm.te

@@ -130 +130 @@
-
-optional_policy(`
+        oidentd_manage_user_content(secadm_t)
+        oidentd_relabel_user_content(secadm_t)
+')
+
+optional_policy(`
-        pyzor_role(secadm_r, secadm_t)
-')

branches/rbacsep/policy/modules/roles/staff.te

@@ -97 +97 @@
-
-optional_policy(`
+        oidentd_manage_user_content(staff_t)
+        oidentd_relabel_user_content(staff_t)
+')
+
+optional_policy(`
-        pyzor_role(staff_r, staff_t)
-')

branches/rbacsep/policy/modules/roles/sysadm.te

@@ -287 +287 @@
-
-optional_policy(`
+        oidentd_manage_user_content(sysadm_t)
+        oidentd_relabel_user_content(sysadm_t)
+')
+
+optional_policy(`
-        pcmcia_run_cardctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-')

branches/rbacsep/policy/modules/roles/unprivuser.te

@@ -91 +91 @@
-
-optional_policy(`
+        oidentd_manage_user_content(user_t)
+        oidentd_relabel_user_content(user_t)
+')
+
+optional_policy(`
-        pyzor_role(user_r, user_t)
-')

branches/rbacsep/policy/modules/services/amavis.fc

@@ -1 +1 @@
-
-/etc/amavis\.conf               --      gen_context(system_u:object_r:amavis_etc_t,s0)
-
+
+
-
-/usr/sbin/amavisd.*             --      gen_context(system_u:object_r:amavis_exec_t,s0)
+/usr/lib(64)?/AntiVir/antivir   --      gen_context(system_u:object_r:amavis_exec_t,s0)
-
-ifdef(`distro_debian',`

branches/rbacsep/policy/modules/services/amavis.if

@@ -198 +198 @@
-##      </summary>
-## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
-## <rolecap/>
-#
@@ -205 +210 @@
-                type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
-                type amavis_etc_t, amavis_quarantine_t;
+                type amavis_initrc_exec_t;
-        ')
-
-        allow $1 amavis_t:process { ptrace signal_perms };
-        ps_process_pattern($1, amavis_t)
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-        files_list_tmp($1)
-
-
-
-
-
-
+
+
+
+
-
-        logging_list_logs($1)
-
-
-
-
-
-
-
+
-
-        files_list_pids($1)
-manage_files_pattern($1, amavis_var_run_t
-
+admin_pattern($1
+

branches/rbacsep/policy/modules/services/amavis.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -14 +14 @@
-# configuration files
-type amavis_etc_t;
-
+
+
+
+
-
-# pid files
@@ -57 +60 @@
-read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
-read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
+
+can_exec(amavis_t, amavis_exec_t)
-
-# mail quarantine

branches/rbacsep/policy/modules/services/apache.fc

@@ -17 +17 @@
-/usr/lib/apache-ssl/.+          --      gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/cgi-bin(/.*)?                  gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/squid/cachemgr\.cgi    --      gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib(64)?/apache(/.*)?              gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib(64)?/apache2/modules(/.*)?     gen_context(system_u:object_r:httpd_modules_t,s0)

branches/rbacsep/policy/modules/services/apcupsd.fc

@@ +1 @@
+/etc/rc\.d/init\.d/apcupsd      --      gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
-ifdef(`distro_debian',`
-/sbin/apcupsd                   --      gen_context(system_u:object_r:apcupsd_exec_t,s0)

branches/rbacsep/policy/modules/services/apcupsd.if

@@ -98 +98 @@
-        domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
-')
+
+########################################
+## <summary>
+##      All of the rules required to administrate 
+##      an apcupsd environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the apcupsd domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apcupsd_admin',`
+        gen_require(`
+                type apcupsd_t,  apcupsd_tmp_t;
+                type apcupsd_log_t, apcupsd_lock_t;
+                type apcupsd_var_run_t, apcupsd_initrc_exec_t;
+        ')
+
+        allow $1 apcupsd_t:process { ptrace signal_perms };
+        ps_process_pattern($1, apcupsd_t)
+
+        init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 apcupsd_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_list_var($1)
+        admin_pattern($1, apcupsd_lock_t)
+
+        logging_list_logs($1)
+        admin_pattern($1, apcupsd_log_t)
+
+        files_list_tmp($1)
+        admin_pattern($1, apcupsd_tmp_t)
+
+        files_list_pids($1)
+        admin_pattern($1, apcupsd_var_run_t)
+')

branches/rbacsep/policy/modules/services/apcupsd.te

@@ -1 +1 @@
-
-1
+2
-
-########################################
@@ -13 +13 @@
-type apcupsd_lock_t;
-files_lock_file(apcupsd_lock_t)
+
+type apcupsd_initrc_exec_t;
+init_script_file(apcupsd_initrc_exec_t)
-
-type apcupsd_log_t;
@@ -87 +90 @@
-miscfiles_read_localization(apcupsd_t)
-
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_user_ttys(apcupsd_t)
+
-optional_policy(`
-        hostname_exec(apcupsd_t)
@@ -93 +100 @@
-optional_policy(`
-        mta_send_mail(apcupsd_t)
+        mta_system_content(apcupsd_tmp_t)
-')
-

branches/rbacsep/policy/modules/services/automount.fc

@@ -3 +3 @@
-#
-/etc/apm/event\.d/autofs --     gen_context(system_u:object_r:automount_exec_t,s0)
+/etc/rc\.d/init\.d/autofs       --      gen_context(system_u:object_r:automount_initrc_exec_t,s0)
-
-#
@@ -13 +14 @@
-#
-
-(/.*)?
+.*

branches/rbacsep/policy/modules/services/automount.if

@@ -59 +59 @@
-########################################
-## <summary>
+##      Do not audit attempts to file descriptors for automount.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+        gen_require(`
+                type automount_t;
+        ')
+
+        dontaudit $1 automount_t:fd use;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to write automount daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`automount_dontaudit_write_pipes',`
+        gen_require(`
+                type automount_t;
+        ')
+
+        dontaudit $1 automount_t:fifo_file write;
+')
+
+########################################
+## <summary>
-##      Do not audit attempts to get the attributes
-##      of automount temporary directories.
@@ -75 +111 @@
-        dontaudit $1 automount_tmp_t:dir getattr;
-')
+
+########################################
+## <summary>
+##      All of the rules required to administrate 
+##      an automount environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the automount domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`automount_admin',`
+        gen_require(`
+                type automount_t, automount_lock_t, automount_tmp_t;
+                type automount_var_run_t, automount_initrc_exec_t;
+        ')
+
+        allow $1 automount_t:process { ptrace signal_perms getattr };
+        ps_process_pattern($1, automount_t)
+
+        init_labeled_script_domtrans($1, automount_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 automount_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_list_var($1)
+        admin_pattern($1, automount_lock_t)
+
+        files_list_tmp($1)
+        admin_pattern($1, automount_tmp_t)
+
+        files_list_pids($1)
+        admin_pattern($1, automount_var_run_t)
+')