- Allow init to transition to initrc_t on shell exec.

- Fix init to be able to sendto init_t.
- Allow syslog to connect to mysql
- Allow lvm to manage its own fifo_files
- Allow bugzilla to use ldap
- More mls fixes
This commit is contained in:
Daniel J Walsh 2008-03-12 01:00:13 +00:00
parent 110bce3a29
commit 59c6413a37

View File

@ -8483,7 +8483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-29 13:36:51.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-03-11 19:28:21.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@ -8975,7 +8975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
@@ -724,3 +859,46 @@
@@ -724,3 +859,47 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@ -9013,6 +9013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
@ -19545,6 +19546,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
userdom_use_unpriv_users_fds(remote_login_t)
userdom_search_all_users_home_content(remote_login_t)
# Only permit unprivileged user domains to be entered via rlogin,
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.3.1/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/rhgb.te 2008-03-11 20:07:53.000000000 -0400
@@ -92,6 +92,7 @@
term_getattr_pty_fs(rhgb_t)
init_write_initctl(rhgb_t)
+init_chat(rhgb_t)
libs_use_ld_so(rhgb_t)
libs_use_shared_libs(rhgb_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.3.1/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/ricci.if 2008-02-26 08:29:22.000000000 -0500
@ -20154,8 +20166,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+/etc/rc.d/init.d/smb -- gen_context(system_u:object_r:samba_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.3.1/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/samba.if 2008-02-26 21:19:09.000000000 -0500
@@ -63,6 +63,25 @@
+++ serefpolicy-3.3.1/policy/modules/services/samba.if 2008-03-11 17:56:00.000000000 -0400
@@ -52,6 +52,25 @@
## </summary>
## </param>
#
+interface(`samba_domtrans_smb',`
+ gen_require(`
+ type smbd_t, smbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,smbd_exec_t,smbd_t)
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
interface(`samba_domtrans_net',`
gen_require(`
type samba_net_t, samba_net_exec_t;
@@ -63,6 +82,25 @@
########################################
## <summary>
@ -20181,7 +20219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
@@ -95,6 +114,38 @@
@@ -95,6 +133,38 @@
########################################
## <summary>
@ -20220,7 +20258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
## Execute smbmount in the smbmount domain.
## </summary>
## <param name="domain">
@@ -331,6 +382,25 @@
@@ -331,6 +401,25 @@
########################################
## <summary>
@ -20246,7 +20284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
## Allow the specified domain to
## read and write samba /var files.
## </summary>
@@ -348,6 +418,7 @@
@@ -348,6 +437,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1,samba_var_t,samba_var_t)
@ -20254,7 +20292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
########################################
@@ -492,3 +563,221 @@
@@ -492,3 +582,221 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
@ -21371,7 +21409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.3.1/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-02-15 09:52:56.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/smartmon.te 2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/smartmon.te 2008-03-11 18:55:46.000000000 -0400
@@ -16,6 +16,9 @@
type fsdaemon_tmp_t;
files_tmp_file(fsdaemon_tmp_t)
@ -21382,6 +21420,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
########################################
#
# Local policy
@@ -62,6 +65,7 @@
fs_search_auto_mountpoints(fsdaemon_t)
mls_file_read_all_levels(fsdaemon_t)
+mls_file_write_all_levels(fsdaemon_t)
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.3.1/policy/modules/services/snmp.fc
--- nsaserefpolicy/policy/modules/services/snmp.fc 2007-06-19 16:23:06.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/snmp.fc 2008-02-26 08:29:22.000000000 -0500
@ -23383,7 +23429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-10 16:54:19.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 19:56:07.000000000 -0400
@@ -12,9 +12,15 @@
## </summary>
## </param>
@ -23468,7 +23514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files($1_xserver_t)
files_read_etc_runtime_files($1_xserver_t)
@@ -140,12 +159,16 @@
@@ -140,26 +159,37 @@
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
@ -23486,7 +23532,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
@@ -153,13 +176,17 @@
+ mls_file_read_to_clearance($1_xserver_t)
+ mls_file_write_to_clearance($1_xserver_t)
+
libs_use_ld_so($1_xserver_t)
libs_use_shared_libs($1_xserver_t)
logging_send_syslog_msg($1_xserver_t)
@ -23505,7 +23554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow $1_xserver_t self:process { execmem execheap execstack };
@@ -169,6 +196,46 @@
@@ -169,6 +199,46 @@
allow $1_xserver_t self:process { execmem execheap execstack };
')
@ -23552,7 +23601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
apm_stream_connect($1_xserver_t)
')
@@ -223,8 +290,10 @@
@@ -223,8 +293,10 @@
template(`xserver_per_role_template',`
gen_require(`
@ -23565,7 +23614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
##############################
@@ -232,189 +301,119 @@
@@ -232,189 +304,119 @@
# Declarations
#
@ -23704,15 +23753,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
- allow $1_xauth_t self:process signal;
- allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
-
- allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
-
- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
-
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
-
- allow $2 $1_xauth_t:process signal;
@ -23726,10 +23775,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-
- allow xdm_t $1_xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
-
- domain_use_interactive_fds($1_xauth_t)
+ ps_process_pattern($2,xauth_t)
- domain_use_interactive_fds($1_xauth_t)
-
- files_read_etc_files($1_xauth_t)
- files_search_pids($1_xauth_t)
-
@ -23779,47 +23828,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# allow ps to show iceauth
- ps_process_pattern($2,$1_iceauth_t)
+ ps_process_pattern($2,iceauth_t)
+
+ allow $2 user_iceauth_home_t:file manage_file_perms;
+ allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
- allow $2 $1_iceauth_home_t:file manage_file_perms;
- allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
+ userdom_use_user_terminals($1,iceauth_t)
+ allow $2 user_iceauth_home_t:file manage_file_perms;
+ allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
+ userdom_use_user_terminals($1,iceauth_t)
- fs_search_auto_mountpoints($1_iceauth_t)
+ optional_policy(`
+ xserver_read_user_iceauth($1, $2)
+ ')
- fs_search_auto_mountpoints($1_iceauth_t)
- libs_use_ld_so($1_iceauth_t)
- libs_use_shared_libs($1_iceauth_t)
+ ##############################
+ #
+ # User X object manager local policy
+ #
- libs_use_ld_so($1_iceauth_t)
- libs_use_shared_libs($1_iceauth_t)
- userdom_use_user_terminals($1,$1_iceauth_t)
+ # Device rules
+ allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell };
- userdom_use_user_terminals($1,$1_iceauth_t)
+ allow $2 { input_xevent_t }:x_event send;
+ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_iceauth_t)
- ')
+ mls_xwin_read_to_clearance($2)
+ allow $2 { input_xevent_t }:x_event send;
+ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_iceauth_t)
- ')
+ mls_xwin_read_to_clearance($2)
+
+ xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t)
')
#######################################
@@ -521,19 +520,18 @@
@@ -521,19 +523,18 @@
## </param>
#
template(`xserver_user_client_template',`
@ -23847,7 +23896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -542,25 +540,542 @@
@@ -542,25 +543,541 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@ -23974,7 +24023,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ type screensaver_xext_t, unknown_xext_t, x_rootscreen_t;
+ type disallowed_xext_t;
+ type output_xext_t;
+ type accelgraphics_xext_t, xdm_xserver_t;
+
+ attribute x_server_domain, x_domain;
+ attribute xproperty_type;
@ -24009,7 +24057,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ allow $1 std_xext_t:x_extension query;
+ allow $1 x_rootwindow_t:x_drawable { get_property getattr };
+
+
+ # Hacks
+ # everyone can get the input focus of everyone else
+ # this is a fundamental brokenness in the X protocol
@ -24083,10 +24130,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+ # X Input
+ # can receive own events
+ allow $1 input_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $1 input_xevent_t:{ x_event x_synthetic_event } { send receive };
+ allow $1 $1:{ x_event x_synthetic_event } { send receive };
+ allow $1 default_xevent_t:x_event receive;
+ allow $1 default_xevent_t:x_synthetic_event send;
+ allow $1 default_xevent_t:x_synthetic_event { receive send };
+
+
+ # can receive certain root window events
+ allow $1 focus_xevent_t:x_event receive;
@ -24396,7 +24444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
')
@@ -593,26 +1107,44 @@
@@ -593,26 +1110,44 @@
#
template(`xserver_use_user_fonts',`
gen_require(`
@ -24448,14 +24496,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -638,10 +1170,77 @@
@@ -638,10 +1173,77 @@
#
template(`xserver_domtrans_user_xauth',`
gen_require(`
- type $1_xauth_t, xauth_exec_t;
+ type xauth_exec_t, xauth_t;
+ ')
+
')
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
+')
+
@ -24520,15 +24569,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+template(`xserver_read_user_iceauth',`
+ gen_require(`
+ type user_iceauth_home_t;
')
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ ')
+
+ # Read .Iceauthority file
+ allow $2 user_iceauth_home_t:file { getattr read };
')
########################################
@@ -671,10 +1270,10 @@
@@ -671,10 +1273,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
@ -24541,7 +24589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -760,7 +1359,7 @@
@@ -760,7 +1362,7 @@
type xconsole_device_t;
')
@ -24550,7 +24598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -860,6 +1459,25 @@
@@ -860,6 +1462,25 @@
########################################
## <summary>
@ -24576,7 +24624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
@@ -914,6 +1532,7 @@
@@ -914,6 +1535,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -24584,7 +24632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -955,6 +1574,24 @@
@@ -955,6 +1577,24 @@
########################################
## <summary>
@ -24609,7 +24657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Execute the X server in the XDM X server domain.
## </summary>
## <param name="domain">
@@ -965,15 +1602,47 @@
@@ -965,15 +1605,47 @@
#
interface(`xserver_domtrans_xdm_xserver',`
gen_require(`
@ -24658,7 +24706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -1123,7 +1792,7 @@
@@ -1123,7 +1795,7 @@
type xdm_xserver_tmp_t;
')
@ -24667,7 +24715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -1312,3 +1981,83 @@
@@ -1312,3 +1984,83 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@ -24753,7 +24801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-10 14:23:28.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-11 19:35:25.000000000 -0400
@@ -8,6 +8,14 @@
## <desc>
@ -24896,7 +24944,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
init_system_domain(xdm_xserver_t,xserver_exec_t)
ifdef(`enable_mcs',`
@@ -95,8 +191,9 @@
@@ -86,6 +182,11 @@
init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
')
+ifdef(`enable_mls',`
+ init_ranged_domain(xdm_t,xdm_exec_t,s0 - mls_systemhigh)
+ init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mls_systemhigh)
+')
+
optional_policy(`
prelink_object_file(xkb_var_lib_t)
')
@@ -95,8 +196,9 @@
# XDM Local policy
#
@ -24908,7 +24968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -109,6 +206,8 @@
@@ -109,6 +211,8 @@
allow xdm_t self:key { search link write };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@ -24917,7 +24977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
@@ -131,15 +230,22 @@
@@ -131,15 +235,22 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -24941,7 +25001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -153,6 +259,7 @@
@@ -153,6 +264,7 @@
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@ -24949,7 +25009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
@@ -173,6 +280,8 @@
@@ -173,6 +285,8 @@
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
@ -24958,7 +25018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
@@ -184,6 +293,7 @@
@@ -184,6 +298,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@ -24966,7 +25026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
@@ -196,6 +306,7 @@
@@ -196,6 +311,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@ -24974,7 +25034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -208,8 +319,8 @@
@@ -208,8 +324,8 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@ -24985,7 +25045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
@@ -226,6 +337,7 @@
@@ -226,6 +342,7 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@ -24993,7 +25053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
@@ -237,6 +349,7 @@
@@ -237,6 +354,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@ -25001,7 +25061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
@@ -245,6 +358,7 @@
@@ -245,6 +363,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -25009,7 +25069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -256,12 +370,11 @@
@@ -256,12 +375,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -25023,7 +25083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -270,8 +383,13 @@
@@ -270,8 +388,13 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -25037,7 +25097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
@@ -304,7 +422,11 @@
@@ -304,7 +427,11 @@
')
optional_policy(`
@ -25050,7 +25110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -312,6 +434,23 @@
@@ -312,6 +439,23 @@
')
optional_policy(`
@ -25074,7 +25134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
@@ -322,6 +461,10 @@
@@ -322,6 +466,10 @@
')
optional_policy(`
@ -25085,7 +25145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
loadkeys_exec(xdm_t)
')
@@ -335,6 +478,11 @@
@@ -335,6 +483,11 @@
')
optional_policy(`
@ -25097,7 +25157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
seutil_sigchld_newrole(xdm_t)
')
@@ -343,8 +491,8 @@
@@ -343,8 +496,8 @@
')
optional_policy(`
@ -25107,7 +25167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -380,7 +528,7 @@
@@ -380,7 +533,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -25116,7 +25176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -392,6 +540,15 @@
@@ -392,6 +545,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@ -25132,7 +25192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -404,9 +561,17 @@
@@ -404,9 +566,17 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -25150,7 +25210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
@@ -420,6 +585,22 @@
@@ -420,6 +590,22 @@
')
optional_policy(`
@ -25173,7 +25233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -429,47 +610,139 @@
@@ -429,47 +615,139 @@
')
optional_policy(`
@ -25223,21 +25283,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+tunable_policy(`allow_xserver_execmem', `
+ allow xdm_xserver_t self:process { execheap execmem execstack };
')
+')
+
+ifndef(`distro_redhat',`
+ allow xdm_xserver_t self:process { execheap execmem };
+')
+
+ifdef(`distro_rhel4',`
+ allow xdm_xserver_t self:process { execheap execmem };
+')
+
')
+##############################
#
-# Wants to delete .xsession-errors file
+# xauth_t Local policy
+#
#
-allow xdm_t user_home_type:file unlink;
+domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
+
+userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
@ -25284,10 +25345,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+##############################
#
-allow xdm_t user_home_type:file unlink;
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+# iceauth_t Local policy
#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO
+
+allow iceauth_t user_iceauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
@ -25311,9 +25373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)
+
+########################################
#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO
+#
+# Rules for unconfined access to this module
+#
+
@ -25744,7 +25804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-05 15:46:36.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-11 17:52:13.000000000 -0400
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@ -25944,7 +26004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
@@ -463,11 +470,13 @@
@@ -463,11 +470,12 @@
interface(`init_telinit',`
gen_require(`
type initctl_t;
@ -25955,7 +26015,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
-
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
init_exec($1)
')
@ -26270,7 +26329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-07 16:07:39.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-11 18:57:27.000000000 -0400
@@ -10,6 +10,20 @@
# Declarations
#
@ -26333,6 +26392,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -86,7 +112,7 @@
# Re-exec itself
can_exec(init_t,init_exec_t)
-allow init_t initrc_t:unix_stream_socket connectto;
+allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
@@ -102,8 +128,11 @@
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@ -26354,7 +26422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
@@ -163,22 +194,31 @@
@@ -163,22 +194,25 @@
fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
')
@ -26382,18 +26450,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
-optional_policy(`
- unconfined_domain(init_t)
+ifndef(`distro_ubuntu',`
+# Run the shell in the unconfined_t or sysadm_t domain for single-user mode.
+ifdef(`enable_mls',`
+ userdom_shell_domtrans_sysadm(init_t)
+',`
+ optional_policy(`
+ unconfined_shell_domtrans(init_t)
+ ')
+')
+ corecmd_shell_domtrans(init_t,initrc_t)
+ corecmd_shell_entry_type(initrc_t)
')
########################################
@@ -187,7 +227,7 @@
@@ -187,7 +221,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -26402,7 +26464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
@@ -201,10 +241,9 @@
@@ -201,10 +235,9 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
@ -26415,7 +26477,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
@@ -283,7 +322,6 @@
@@ -257,7 +290,7 @@
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
-dev_read_lvm_control(initrc_t)
+dev_rw_lvm_control(initrc_t)
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -283,7 +316,6 @@
mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
@ -26423,7 +26494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
@@ -496,6 +534,31 @@
@@ -496,6 +528,31 @@
')
')
@ -26455,7 +26526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -559,14 +622,6 @@
@@ -559,14 +616,6 @@
')
optional_policy(`
@ -26470,7 +26541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ftp_read_config(initrc_t)
')
@@ -639,12 +694,6 @@
@@ -639,12 +688,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@ -26483,7 +26554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ifdef(`distro_redhat',`
@@ -705,6 +754,9 @@
@@ -705,6 +748,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@ -26493,7 +26564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
@@ -717,9 +769,11 @@
@@ -717,9 +763,11 @@
squid_manage_logs(initrc_t)
')
@ -26508,7 +26579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
@@ -738,6 +792,11 @@
@@ -738,6 +786,11 @@
uml_setattr_util_sockets(initrc_t)
')
@ -26520,7 +26591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
unconfined_domain(initrc_t)
@@ -752,6 +811,10 @@
@@ -752,6 +805,10 @@
')
optional_policy(`
@ -26531,7 +26602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
@@ -774,3 +837,4 @@
@@ -774,3 +831,4 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@ -26927,7 +26998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-10 12:22:41.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-11 20:22:56.000000000 -0400
@@ -61,10 +61,24 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
@ -27007,15 +27078,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# manage temporary files
manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
@@ -327,6 +349,7 @@
@@ -327,6 +349,8 @@
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
+corenet_tcp_connect_postgresql_port(syslogd_t)
+corenet_tcp_connect_mysqld_port(syslogd_t)
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
@@ -344,14 +367,14 @@
@@ -339,19 +363,20 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
+files_read_usr_files(syslogd_t)
files_read_var_files(syslogd_t)
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
@ -27032,7 +27110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
@@ -380,15 +403,11 @@
@@ -380,15 +405,11 @@
')
optional_policy(`
@ -27050,7 +27128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
optional_policy(`
@@ -399,3 +418,37 @@
@@ -399,3 +420,37 @@
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@ -27088,9 +27166,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+logging_domtrans_audisp(auditd_t)
+logging_audisp_signal(auditd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/lvm.fc 2008-03-11 18:59:24.000000000 -0400
@@ -55,6 +55,7 @@
/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-27 23:23:39.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-03-11 19:04:42.000000000 -0400
@@ -44,9 +44,9 @@
# Cluster LVM daemon local policy
#
@ -27151,7 +27240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
@@ -146,7 +159,8 @@
@@ -146,17 +159,19 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
@ -27161,7 +27250,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
@@ -156,7 +170,8 @@
allow lvm_t self:process setsched;
allow lvm_t self:file rw_file_perms;
-allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -27634,8 +27726,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-03-10 10:10:04.000000000 -0400
@@ -0,0 +1,294 @@
+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-03-11 17:53:51.000000000 -0400
@@ -0,0 +1,303 @@
+
+## <summary>policy for qemu</summary>
+
@ -27885,6 +27977,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:shm create_shm_perms;
+
+ allow $1_t $1_tmp_t:dir manage_dir_perms;
+ allow $1_t $1_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_all_if($1_t)
@ -27903,6 +27999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+ files_read_var_files($1_t)
+ files_search_all($1_t)
+
+ fs_list_inotify($1_t)
+ fs_rw_anon_inodefs_files($1_t)
+ fs_rw_tmpfs_files($1_t)
+
@ -27924,6 +28021,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+ virt_read_config($1_t)
+
+ optional_policy(`
+ samba_domtrans_smb($1_t)
+ ')
+
+ optional_policy(`
+ xserver_stream_connect_xdm_xserver($1_t)
+ xserver_read_xdm_tmp_files($1_t)
+ xserver_xdm_rw_shm($1_t)
@ -28585,7 +28686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-06 11:55:26.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-11 19:26:26.000000000 -0400
@@ -145,6 +145,25 @@
########################################