diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 91737d4..8978675 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -327,6 +327,7 @@ interface(`gnome_read_gconf_config',`
allow $1 gconf_etc_t:dir list_dir_perms;
read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
')
#######################################
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a738502..2bf2d69 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5392,7 +5392,7 @@ interface(`files_getattr_generic_locks',`
#
interface(`files_delete_generic_locks',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 26cc64b..bc27421 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -53,6 +53,25 @@ interface(`ftp_read_config',`
########################################
##
+## Execute FTP daemon entry point programs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ftp_check_exec',`
+ gen_require(`
+ type ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 ftpd_exec_t:file { getattr execute };
+')
+
+########################################
+##
## Read FTP transfer logs
##
##
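Review bot: The summary of the new `ftp_check_exec` interface says "Execute FTP daemon entry point programs.", but the rule it adds is `allow $1 ftpd_exec_t:file { getattr execute };` with no `execute_no_trans`, so a caller can stat the binary and be checked as allowed to execute it, yet cannot actually run it in its own domain. That is the usual meaning of a `_check_exec` interface (compare `corecmd_check_exec_bin`), so the wording should match the permissions granted. Suggest replacing the summary line with `## Check if the FTP daemon entry point programs are executable.` so policy authors do not reach for this interface expecting domain-transition or can_exec behaviour. The `corecmd_search_bin($1)` call is consistent with that narrower intent.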
@@ -152,8 +171,9 @@ interface(`ftp_dyntrans_sftpd',`
interface(`ftp_admin',`
gen_require(`
type ftpd_t, ftpdctl_t, ftpd_tmp_t;
- type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
+ type ftpd_etc_t, ftpd_lock_t;
type ftpd_var_run_t, xferlog_t;
+ type ftpd_initrc_exec_t;
')
allow $1 ftpd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 2284f4e..ce4f73b 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -6,82 +6,82 @@ policy_module(ftp, 1.12.0)
#
##
-##
-## Allow ftp servers to upload files, used for public file
-## transfer services. Directories must be labeled
-## public_content_rw_t.
-##
+##
+## Allow ftp servers to upload files, used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
+##
##
gen_tunable(allow_ftpd_anon_write, false)
##
-##
-## Allow ftp servers to login to local users and
-## read/write all files on the system, governed by DAC.
-##
+##
+## Allow ftp servers to login to local users and
+## read/write all files on the system, governed by DAC.
+##
##
gen_tunable(allow_ftpd_full_access, false)
##
-##
-## Allow ftp servers to use cifs
-## used for public file transfer services.
-##
+##
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+##
##
gen_tunable(allow_ftpd_use_cifs, false)
##
-##
-## Allow ftp servers to use nfs
-## used for public file transfer services.
-##
+##
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+##
##
gen_tunable(allow_ftpd_use_nfs, false)
##
-##
-## Allow ftp servers to use connect to mysql database
-##
+##
+## Allow ftp servers to use connect to mysql database
+##
##
gen_tunable(ftpd_connect_db, false)
##
-##
-## Allow ftp to read and write files in the user home directories
-##
+##
+## Allow ftp to read and write files in the user home directories
+##
##
gen_tunable(ftp_home_dir, false)
##
-##
-## Allow anon internal-sftp to upload files, used for
-## public file transfer services. Directories must be labeled
-## public_content_rw_t.
-##
+##
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+##
##
gen_tunable(sftpd_anon_write, false)
##
-##
-## Allow sftp-internal to read and write files
-## in the user home directories
-##
+##
+## Allow sftp-internal to read and write files
+## in the user home directories
+##
##
gen_tunable(sftpd_enable_homedirs, false)
##
-##
-## Allow sftp-internal to login to local users and
-## read/write all files on the system, governed by DAC.
-##
+##
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+##
##
gen_tunable(sftpd_full_access, false)
##
-##
-## Allow interlnal-sftp to read and write files
-## in the user ssh home directories.
-##
+##
+## Allow interlnal-sftp to read and write files
+## in the user ssh home directories.
+##
##
gen_tunable(sftpd_write_ssh_home, false)
diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if
index b1f8f93..25c7ab8 100644
--- a/policy/modules/services/gnomeclock.if
+++ b/policy/modules/services/gnomeclock.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run gnomeclock.
##
##
-##
+##
## Domain allowed to transition.
-##
+##
##
#
interface(`gnomeclock_domtrans',`
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index 26de57a..ce32fe5 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -20,6 +20,24 @@ interface(`hal_domtrans',`
########################################
##
+## Get the attributes of a hal process.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_getattr',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process getattr;
+')
+
+########################################
+##
## Read hal system state
##
##
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 57ad3d0..5865dba 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1914,26 +1914,6 @@ interface(`init_dontaudit_script_leaks',`
init_dontaudit_use_script_fds($1)
')
-
-########################################
-##
-## Allow the specified domain to connect to
-## the init process with a unix socket.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`init_stream_connect',`
- gen_require(`
- type init_t;
- ')
-
- allow $1 init_t:unix_stream_socket connectto;
-')
-
########################################
##
## Allow the specified domain to read/write to