- Update to upstream

2010-01-08 22:03:53 +00:00 · 2010-01-08 22:03:53 +00:00 · 468fe0b647
commit 468fe0b647
parent 352dafd046
3 changed files with 174 additions and 37 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -196,3 +196,4 @@ serefpolicy-3.7.2.tgz
 serefpolicy-3.7.3.tgz
 serefpolicy-3.7.4.tgz
 serefpolicy-3.7.5.tgz
+serefpolicy-3.7.6.tgz
--- a/policy-F13.patch
+++ b/policy-F13.patch
@ -437,7 +437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.6/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.6/policy/modules/admin/prelink.te	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/admin/prelink.te	2010-01-08 12:08:33.000000000 -0500
@@ -21,8 +21,21 @@
 type prelink_tmp_t;
 files_tmp_file(prelink_tmp_t)
@ -501,7 +501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 
 optional_policy(`
 	amanda_manage_lib(prelink_t)
-@@ -99,5 +117,57 @@
+@@ -99,5 +117,58 @@
 ')
 
 optional_policy(`
@ -524,6 +524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 +allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
 +
 +domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+allow prelink_cron_system_t prelink_t:process noatsecure;  
 +
 +read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
 +allow prelink_cron_system_t prelink_cache_t:file unlink;
@ -5985,7 +5986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.6/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.6/policy/modules/kernel/devices.fc	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/kernel/devices.fc	2010-01-08 15:36:31.000000000 -0500
@@ -16,13 +16,16 @@
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
@ -6011,9 +6012,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
+@@ -159,6 +163,8 @@
+ /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ 
+/dev/uio[0-9]+      -c  gen_context(system_u:object_r:userio_device_t,s0)
+
+ /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.6/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.6/policy/modules/kernel/devices.if	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/kernel/devices.if	2010-01-08 15:36:31.000000000 -0500
@@ -801,6 +801,24 @@
 
 ########################################
@ -6114,10 +6124,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ##	Mount a usbfs filesystem.
 ## </summary>
 ## <param name="domain">
+@@ -3703,6 +3775,24 @@
+ 	getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+ 
+######################################
+## <summary>
+##  Read or write userio device.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dev_rw_userio_dev',`
+    gen_require(`
+        type device_t, userio_device_t;
+    ')
+
+    rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to get the attributes
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.6/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.6/policy/modules/kernel/devices.te	2010-01-07 15:28:30.000000000 -0500
-@@ -227,6 +227,12 @@
+++ serefpolicy-3.7.6/policy/modules/kernel/devices.te	2010-01-08 15:36:31.000000000 -0500
+@@ -227,11 +227,23 @@
 genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
 
 #
@ -6130,6 +6165,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
 #
 type usb_device_t;
+ dev_node(usb_device_t)
+ 
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
+ type v4l_device_t;
+ dev_node(v4l_device_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.6/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.6/policy/modules/kernel/domain.if	2010-01-07 15:28:30.000000000 -0500
@ -10009,7 +10055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 ##	All of the rules required to administrate 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.6/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.6/policy/modules/services/abrt.te	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/abrt.te	2010-01-08 08:37:25.000000000 -0500
@@ -33,12 +33,24 @@
 type abrt_var_run_t;
 files_pid_file(abrt_var_run_t)
@ -10057,7 +10103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
 
 kernel_read_ring_buffer(abrt_t)
-@@ -75,18 +90,36 @@
+@@ -75,18 +90,37 @@
 
 corecmd_exec_bin(abrt_t)
 corecmd_exec_shell(abrt_t)
@ -10067,6 +10113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 +corenet_tcp_connect_ftp_port(abrt_t)
 +corenet_tcp_connect_all_ports(abrt_t)
 
+dev_getattr_all_chr_files(abrt_t)
 dev_read_urand(abrt_t)
 +dev_rw_sysfs(abrt_t)
 +dev_dontaudit_read_memory_dev(abrt_t)
@ -10094,7 +10141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 
 sysnet_read_config(abrt_t)
 
-@@ -96,22 +129,93 @@
+@@ -96,22 +130,93 @@
 miscfiles_read_certs(abrt_t)
 miscfiles_read_localization(abrt_t)
 
@ -14695,7 +14742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.6/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.6/policy/modules/services/cups.te	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/cups.te	2010-01-08 11:58:33.000000000 -0500
@@ -23,6 +23,9 @@
 type cupsd_initrc_exec_t;
 init_script_file(cupsd_initrc_exec_t)
@ -14870,7 +14917,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ########################################
 #
 # Cups lpd support
-@@ -542,6 +576,8 @@
+@@ -520,6 +554,7 @@
+ logging_send_syslog_msg(cupsd_lpd_t)
+ 
+ miscfiles_read_localization(cupsd_lpd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+ 
+ cups_stream_connect(cupsd_lpd_t)
+ 
+@@ -542,6 +577,8 @@
 manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
 files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
 
@ -14879,7 +14934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 kernel_read_system_state(cups_pdf_t)
 
 files_read_etc_files(cups_pdf_t)
-@@ -556,11 +592,15 @@
+@@ -556,11 +593,15 @@
 miscfiles_read_fonts(cups_pdf_t)
 
 userdom_home_filetrans_user_home_dir(cups_pdf_t)
@ -14895,7 +14950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +641,9 @@
+@@ -601,6 +642,9 @@
 read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
 files_search_etc(hplip_t)
 
@ -14905,7 +14960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
 files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
 
-@@ -627,6 +670,7 @@
+@@ -627,6 +671,7 @@
 corenet_tcp_connect_ipp_port(hplip_t)
 corenet_sendrecv_hplip_client_packets(hplip_t)
 corenet_receive_hplip_server_packets(hplip_t)
@ -15365,7 +15420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.6/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.6/policy/modules/services/devicekit.te	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/devicekit.te	2010-01-08 09:11:11.000000000 -0500
@@ -42,6 +42,8 @@
 
 files_read_etc_files(devicekit_t)
@ -15380,7 +15435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
 #
 
 -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
 +allow devicekit_disk_t self:process signal_perms;
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -15832,7 +15887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.6/policy/modules/services/fail2ban.if
 --- nsaserefpolicy/policy/modules/services/fail2ban.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.6/policy/modules/services/fail2ban.if	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/fail2ban.if	2010-01-08 09:57:24.000000000 -0500
@@ -98,6 +98,46 @@
 	allow $1 fail2ban_var_run_t:file read_file_perms;
 ')
@ -15880,6 +15935,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
+@@ -135,3 +175,21 @@
+ 	files_list_pids($1)
+ 	admin_pattern($1, fail2ban_var_run_t)
+ ')
+
+########################################
+## <summary>
+##	Read and write to an fail2ban unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+	gen_require(`
+		type fail2ban_t;
+	')
+
+	allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.6/policy/modules/services/fetchmail.te
 --- nsaserefpolicy/policy/modules/services/fetchmail.te	2010-01-07 14:53:53.000000000 -0500
 +++ serefpolicy-3.7.6/policy/modules/services/fetchmail.te	2010-01-07 15:28:30.000000000 -0500
@ -23415,7 +23492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.6/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.6/policy/modules/services/sendmail.if	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/sendmail.if	2010-01-08 09:57:13.000000000 -0500
@@ -59,20 +59,20 @@
 
 ########################################
@ -23590,7 +23667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.6/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.6/policy/modules/services/sendmail.te	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/sendmail.te	2010-01-08 09:55:32.000000000 -0500
@@ -20,13 +20,17 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
@ -23650,7 +23727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 
 auth_use_nsswitch(sendmail_t)
 
-@@ -89,23 +100,46 @@
+@@ -89,23 +100,47 @@
 libs_read_lib_files(sendmail_t)
 
 logging_send_syslog_msg(sendmail_t)
@ -23692,6 +23769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +
 +optional_policy(`
 +	fail2ban_read_lib_files(sendmail_t)
+	fail2ban_rw_stream_sockets(sendmail_t)
 +')
 +
 +optional_policy(`
@ -23699,7 +23777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 ')
 
 optional_policy(`
-@@ -113,13 +147,20 @@
+@@ -113,13 +148,20 @@
 ')
 
 optional_policy(`
@ -23721,7 +23799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 ')
 
 optional_policy(`
-@@ -127,24 +168,29 @@
+@@ -127,24 +169,29 @@
 ')
 
 optional_policy(`
@ -29582,11 +29660,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
 	udev_read_db(iptables_t)
 ')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.6/policy/modules/system/iscsi.fc
+--- nsaserefpolicy/policy/modules/system/iscsi.fc	2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/system/iscsi.fc	2010-01-08 15:36:31.000000000 -0500
+@@ -1,4 +1,6 @@
+-/sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+/sbin/brcm_iscsiuio     --  gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/iscsid		    --	gen_context(system_u:object_r:iscsid_exec_t,s0)
+ 
+ /var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+ /var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.6/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.6/policy/modules/system/iscsi.te	2010-01-07 15:28:30.000000000 -0500
-@@ -69,11 +69,18 @@
+++ serefpolicy-3.7.6/policy/modules/system/iscsi.te	2010-01-08 15:37:25.000000000 -0500
+@@ -35,10 +35,13 @@
+ allow iscsid_t self:unix_dgram_socket create_socket_perms;
+ allow iscsid_t self:sem create_sem_perms;
+ allow iscsid_t self:shm create_shm_perms;
+-allow iscsid_t self:netlink_socket create_socket_perms;
+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; 
+ allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
+allow iscsid_t self:netlink_socket create_socket_perms;
+ allow iscsid_t self:tcp_socket create_stream_socket_perms;
+ 
+can_exec(iscsid_t, iscsid_exec_t)
+
+ manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+ files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
+ 
+@@ -54,6 +57,7 @@
+ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
+ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+ 
+kernel_read_network_state(iscsid_t)
+ kernel_read_system_state(iscsid_t)
+ kernel_search_debugfs(iscsid_t)
+ 
+@@ -67,13 +71,21 @@
+ corenet_tcp_connect_isns_port(iscsid_t)
+ 
 dev_rw_sysfs(iscsid_t)
+dev_rw_userio_dev(iscsid_t)
 
 domain_use_interactive_fds(iscsid_t)
 +domain_dontaudit_read_all_domains_state(iscsid_t)
@ -29606,7 +29721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.6/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.6/policy/modules/system/libraries.fc	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/system/libraries.fc	2010-01-08 09:16:04.000000000 -0500
@@ -60,12 +60,15 @@
 #
 # /opt
@ -29823,7 +29938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 ') dnl end distro_redhat
 
 #
-@@ -307,10 +317,131 @@
+@@ -307,10 +317,132 @@
 
 /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
 
@ -29936,6 +30051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +
 +/usr/lib(64)?/nmm/liba52\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/lampp/lib/libct\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/.*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/VirtualBox(/.*)?/VBox.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/chromium-browser/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30385,7 +30501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.6/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.6/policy/modules/system/miscfiles.if	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/system/miscfiles.if	2010-01-08 11:59:54.000000000 -0500
@@ -73,7 +73,8 @@
 #
 interface(`miscfiles_read_fonts',`
@ -30407,7 +30523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 ')
 
 ########################################
-@@ -167,6 +172,32 @@
+@@ -167,6 +172,51 @@
 	manage_dirs_pattern($1, fonts_t, fonts_t)
 	manage_files_pattern($1, fonts_t, fonts_t)
 	manage_lnk_files_pattern($1, fonts_t, fonts_t)
@ -30416,6 +30532,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 +
 +########################################
 +## <summary>
+##	Set the attributes on a fonts cache directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_setattr_fonts_cache_dirs',`
+	gen_require(`
+		type fonts_cache_t;
+	')
+
+	allow $1 fonts_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
 +##	Create, read, write, and delete fonts cache.
 +## </summary>
 +## <param name="domain">
@ -30427,7 +30562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 +#
 +interface(`miscfiles_manage_fonts_cache',`
 +	gen_require(`
-+		type fonts_t;
+		type fonts_cache_t;
 +	')
 +
 +	# cjp: fonts can be in either of these dirs
@ -32190,7 +32325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.6/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.6/policy/modules/system/unconfined.if	2010-01-07 15:28:30.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/system/unconfined.if	2010-01-08 10:06:25.000000000 -0500
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -32207,7 +32342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
-@@ -27,12 +26,13 @@
+@@ -27,12 +26,14 @@
 
 	# Write access is for setting attributes under /proc/self/attr.
 	allow $1 self:file rw_file_perms;
@ -32222,10 +32357,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +	allow $1 self:dbus all_dbus_perms;
 +	allow $1 self:passwd all_passwd_perms;
 +	allow $1 self:association all_association_perms;
+	allow $1 self:socket_class_set create_socket_perms;
 
 	kernel_unconfined($1)
 	corenet_unconfined($1)
-@@ -44,6 +44,16 @@
+@@ -44,6 +45,16 @@
 	fs_unconfined($1)
 	selinux_unconfined($1)
 
@ -32242,7 +32378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	tunable_policy(`allow_execheap',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execheap;
-@@ -57,8 +67,8 @@
+@@ -57,8 +68,8 @@
 
 	tunable_policy(`allow_execstack',`
 		# Allow making the stack executable via mprotect;
@ -32253,7 +32389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 #		auditallow $1 self:process execstack;
 	')
 
-@@ -69,6 +79,7 @@
+@@ -69,6 +80,7 @@
 	optional_policy(`
 		# Communicate via dbusd.
 		dbus_system_bus_unconfined($1)
@ -32261,7 +32397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	')
 
 	optional_policy(`
-@@ -111,16 +122,16 @@
+@@ -111,16 +123,16 @@
 ## </param>
 #
 interface(`unconfined_domain',`
@ -32282,7 +32418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -173,411 +184,3 @@
+@@ -173,411 +185,3 @@
 	refpolicywarn(`$0($1) has been deprecated.')
 ')
 
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 3651679c4b12a31d2ba5f4305bba5540  config.tgz
-d3b12775aaeafb96c96a6a74e85e96ba  serefpolicy-3.7.5.tgz
+0e56f0205d64ac083d61ec1d15873df7  serefpolicy-3.7.6.tgz