- Allow svirt_t to stream_connect to virtd_t

Daniel J Walsh 2009-08-04 08:54:56 +00:00
parent 947b439e10
commit 4c8c1814a9
1 changed files with 186 additions and 54 deletions


@ -4272,7 +4272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.26/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-08-03 06:30:31.000000000 -0400
@@ -47,8 +47,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@ -4284,9 +4284,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
@@ -82,6 +84,7 @@
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0)
/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-03 06:30:19.000000000 -0400
@@ -1655,6 +1655,78 @@
########################################
@ -4428,7 +4436,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Read the lvm comtrol device.
@@ -2268,6 +2395,25 @@
@@ -2232,6 +2359,24 @@
########################################
## <summary>
+## Read and write the the wireless device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_wireless',`
+ gen_require(`
+ type device_t, wireless_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, wireless_device_t)
+')
+
+########################################
+## <summary>
## Get the attributes of the null device nodes.
## </summary>
## <param name="domain">
@@ -2268,6 +2413,25 @@
########################################
## <summary>
@ -4456,7 +4489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.26/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.te 2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.te 2009-08-03 06:30:00.000000000 -0400
@@ -84,6 +84,13 @@
dev_node(kmsg_device_t)
@ -4484,9 +4517,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Type for /dev/mapper/control
#
type lvm_control_t;
@@ -224,6 +237,12 @@
type watchdog_device_t;
dev_node(watchdog_device_t)
+#
+# wireless control devices
+#
+type wireless_device_t;
+dev_node(wireless_device_t)
+
type xen_device_t;
dev_node(xen_device_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.26/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-08-03 08:04:07.000000000 -0400
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@ -8774,7 +8820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.26/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/bluetooth.te 2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/bluetooth.te 2009-08-03 06:30:22.000000000 -0400
@@ -64,6 +64,7 @@
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
@ -8783,6 +8829,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
@@ -111,6 +112,7 @@
dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
+dev_rw_wireless(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
@@ -154,6 +156,10 @@
')
optional_policy(`
+ networkmanager_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
pulseaudio_dbus_chat(bluetooth_t)
')
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.26/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/certmaster.te 2009-07-30 15:33:08.000000000 -0400
@ -11092,17 +11157,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.26/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/mysql.te 2009-07-30 15:33:09.000000000 -0400
@@ -136,6 +136,8 @@
+++ serefpolicy-3.6.26/policy/modules/services/mysql.te 2009-08-03 08:06:57.000000000 -0400
@@ -136,7 +136,12 @@
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
+
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+
+domain_getattr_all_domains(mysqld_safe_t)
+
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
@@ -152,7 +154,7 @@
kernel_read_system_state(mysqld_safe_t)
@@ -152,7 +157,7 @@
miscfiles_read_localization(mysqld_safe_t)
@ -12408,7 +12477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.26/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/policykit.if 2009-07-30 15:33:09.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/policykit.if 2009-08-03 06:44:10.000000000 -0400
@@ -17,6 +17,8 @@
class dbus send_msg;
')
@ -12418,7 +12487,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
@@ -167,7 +169,7 @@
@@ -41,7 +43,6 @@
########################################
## <summary>
-## Execute a policy_auth in the policy_auth domain, and
## allow the specified role the policy_auth domain,
## </summary>
## <param name="domain">
@@ -167,7 +168,7 @@
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
@ -12427,7 +12504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -206,4 +208,30 @@
@@ -206,4 +207,47 @@
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
@ -12457,10 +12534,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_read_lib($2)
+ policykit_read_reload($2)
+ policykit_dbus_chat($2)
+')
+########################################
+## <summary>
+## Send generic signal to policy_auth
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_signal_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ allow $1 policykit_auth_t:process signal;
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-07-30 15:33:09.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-03 06:50:17.000000000 -0400
@@ -38,9 +38,10 @@
allow policykit_t self:capability { setgid setuid };
@ -12500,7 +12594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# polkit_auth local policy
@@ -77,7 +89,8 @@
@@ -77,12 +89,15 @@
allow policykit_auth_t self:capability setgid;
allow policykit_auth_t self:process getattr;
@ -12510,27 +12604,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -104,6 +117,8 @@
+policykit_dbus_chat(policykit_auth_t)
+
can_exec(policykit_auth_t, policykit_auth_exec_t)
-corecmd_search_bin(policykit_auth_t)
+corecmd_exec_bin(policykit_auth_t)
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
@@ -104,6 +119,7 @@
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
+
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
@@ -116,6 +131,10 @@
@@ -116,6 +132,13 @@
hal_read_state(policykit_auth_t)
')
+optional_policy(`
+ xserver_stream_connect(policykit_auth_t)
+ xserver_xdm_append_log(policykit_auth_t)
+ xserver_read_xdm_pid(policykit_auth_t)
+ xserver_search_xdm_lib(policykit_auth_t)
+')
+
########################################
#
# polkit_grant local policy
@@ -123,7 +142,8 @@
@@ -123,7 +146,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@ -12540,7 +12644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
@@ -153,9 +173,12 @@
@@ -153,9 +177,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@ -12554,7 +12658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consolekit_dbus_chat(policykit_grant_t)
')
')
@@ -167,7 +190,8 @@
@@ -167,7 +194,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@ -13686,8 +13790,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.26/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/ricci.te 2009-07-30 15:33:09.000000000 -0400
@@ -440,6 +440,10 @@
+++ serefpolicy-3.6.26/policy/modules/services/ricci.te 2009-08-03 07:21:27.000000000 -0400
@@ -264,6 +264,7 @@
allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
@@ -440,6 +441,10 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@ -16957,7 +17069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-07-30 15:33:09.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-03 06:49:41.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@ -17105,7 +17217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -756,7 +757,26 @@
@@ -756,7 +757,44 @@
')
files_search_pids($1)
@ -17130,10 +17242,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ files_search_pids($1)
+ manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
+')
+
+########################################
+## <summary>
+## Search XDM var lib dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_search_xdm_lib',`
+ gen_require(`
+ type xdm_var_lib_t;
+ ')
+
+ allow $1 xdm_var_lib_t:dir search_dir_perms;
')
########################################
@@ -779,6 +799,50 @@
@@ -779,6 +817,50 @@
########################################
## <summary>
@ -17184,7 +17314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -797,6 +861,24 @@
@@ -797,6 +879,24 @@
########################################
## <summary>
@ -17209,7 +17339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
@@ -872,6 +954,27 @@
@@ -872,6 +972,27 @@
########################################
## <summary>
@ -17237,7 +17367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write the X server
## log files.
## </summary>
@@ -1018,10 +1121,11 @@
@@ -1018,10 +1139,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@ -17250,7 +17380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
@@ -1159,6 +1263,276 @@
@@ -1159,6 +1281,276 @@
########################################
## <summary>
@ -17527,7 +17657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
@@ -1172,7 +1546,103 @@
@@ -1172,7 +1564,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@ -17564,7 +17694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $2 $1:x_drawable all_x_drawable_perms;
+ allow $1 $2:x_resource all_x_resource_perms;
+ allow $2 $1:x_resource all_x_resource_perms;
+')
')
+
+#######################################
+## <summary>
@ -17589,7 +17719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ class x_selection all_x_selection_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
')
+')
+
+ # Type attributes
+ typeattribute $1 x_domain;
@ -17633,7 +17763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.26/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/xserver.te 2009-07-30 15:33:09.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/xserver.te 2009-08-03 06:43:20.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@ -18060,7 +18190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t)
')
@@ -542,6 +650,29 @@
@@ -542,6 +650,30 @@
')
optional_policy(`
@ -18068,6 +18198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_domtrans_auth(xdm_t)
+ policykit_read_lib(xdm_t)
+ policykit_read_reload(xdm_t)
+ policykit_signal_auth(xdm_t)
+')
+
+optional_policy(`
@ -18090,7 +18221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
@@ -550,8 +681,9 @@
@@ -550,8 +682,9 @@
')
optional_policy(`
@ -18102,7 +18233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -560,7 +692,6 @@
@@ -560,7 +693,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@ -18110,7 +18241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
@@ -571,6 +702,10 @@
@@ -571,6 +703,10 @@
')
optional_policy(`
@ -18121,7 +18252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
@@ -587,10 +722,9 @@
@@ -587,10 +723,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -18133,7 +18264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
@@ -602,9 +736,11 @@
@@ -602,9 +737,11 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -18145,7 +18276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
@@ -616,13 +752,14 @@
@@ -616,13 +753,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@ -18161,7 +18292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -635,9 +772,19 @@
@@ -635,9 +773,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -18181,7 +18312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
@@ -680,9 +827,12 @@
@@ -680,9 +828,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@ -18195,7 +18326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
@@ -697,8 +847,12 @@
@@ -697,8 +848,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -18208,7 +18339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
@@ -720,6 +874,7 @@
@@ -720,6 +875,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@ -18216,7 +18347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t)
@@ -742,7 +897,7 @@
@@ -742,7 +898,7 @@
')
ifdef(`enable_mls',`
@ -18225,7 +18356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
@@ -774,12 +929,20 @@
@@ -774,12 +930,20 @@
')
optional_policy(`
@ -18247,7 +18378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(xserver_t)
')
@@ -806,7 +969,7 @@
@@ -806,7 +970,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@ -18256,7 +18387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -827,9 +990,14 @@
@@ -827,9 +991,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -18271,7 +18402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
@@ -844,11 +1012,14 @@
@@ -844,11 +1013,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@ -18287,7 +18418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -881,6 +1052,8 @@
@@ -881,6 +1053,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@ -18296,7 +18427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
@@ -905,6 +1078,8 @@
@@ -905,6 +1079,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -18305,7 +18436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
@@ -972,17 +1147,49 @@
@@ -972,17 +1148,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -19738,7 +19869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_localization(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.26/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-07-30 16:27:55.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-08-03 07:56:50.000000000 -0400
@@ -60,12 +60,15 @@
#
# /opt
@ -19925,7 +20056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') dnl end distro_redhat
#
@@ -304,10 +294,91 @@
@@ -304,10 +294,92 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@ -19958,6 +20089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
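Review bot: In the policykit.te hunk, swapping `corecmd_search_bin(policykit_auth_t)` for `corecmd_exec_bin(policykit_auth_t)` lets the polkit authentication agent execute every binary labeled bin_t, whereas before it could only run its own `policykit_auth_exec_t` through the `can_exec` line above it, and nothing in the hunk records which helper needed the wider grant; the neighbouring hunk shows this domain also holds the setgid capability, so the exposure is not trivial. A comment naming the program behind the denial, e.g. `# polkit-auth runs helpers out of /usr/bin (see avc: <which>)`, would let a later reviewer decide whether a narrower domtrans or a dedicated exec type is warranted instead of blanket bin_t exec. The stray space in `dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)` should also be dropped to match the other interface calls in the file. The policykit_auth_t local-policy block this hunk edits starts before and continues after the visible lines.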