From 59c6413a3719d782fc21bd0b10dc259e132ab148 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 12 Mar 2008 01:00:13 +0000 Subject: [PATCH] - Allow init to transition to initrc_t on shell exec. - Fix init to be able to sendto init_t. - Allow syslog to connect to mysql - Allow lvm to manage its own fifo_files - Allow bugzilla to use ldap - More mls fixes --- policy-20071130.patch | 345 +++++++++++++++++++++++++++--------------- 1 file changed, 223 insertions(+), 122 deletions(-) diff --git a/policy-20071130.patch b/policy-20071130.patch index e9c02a46..5603dc94 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -8483,7 +8483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-29 13:36:51.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-03-11 19:28:21.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -8975,7 +8975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +859,46 @@ +@@ -724,3 +859,47 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -9013,6 +9013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +mta_send_mail(httpd_bugzilla_script_t) + +sysnet_read_config(httpd_bugzilla_script_t) ++sysnet_use_ldap(httpd_bugzilla_script_t) + +optional_policy(` + mysql_search_db(httpd_bugzilla_script_t) 
@@ -19545,6 +19546,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo userdom_use_unpriv_users_fds(remote_login_t) userdom_search_all_users_home_content(remote_login_t) # Only permit unprivileged user domains to be entered via rlogin, +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.3.1/policy/modules/services/rhgb.te +--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/rhgb.te 2008-03-11 20:07:53.000000000 -0400 +@@ -92,6 +92,7 @@ + term_getattr_pty_fs(rhgb_t) + + init_write_initctl(rhgb_t) ++init_chat(rhgb_t) + + libs_use_ld_so(rhgb_t) + libs_use_shared_libs(rhgb_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.3.1/policy/modules/services/ricci.if --- nsaserefpolicy/policy/modules/services/ricci.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/ricci.if 2008-02-26 08:29:22.000000000 -0500 
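Review bot: `init_chat(rhgb_t)` calls an interface that no hunk in this chunk defines; the only init.if change visible here edits init_telinit, and an interface that is not defined fails the policy build for every module that uses it. Presumably init_chat is added in a part of init.if outside this view and carries the reply-direction rule that init_telinit drops later in this commit, so confirm the definition lands in the same commit and that rhgb actually needs the datagram reply rather than only `init_write_initctl(rhgb_t)`, which the context line already grants.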
@@ -20154,8 +20166,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +/etc/rc.d/init.d/smb -- gen_context(system_u:object_r:samba_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.3.1/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/samba.if 2008-02-26 21:19:09.000000000 -0500 -@@ -63,6 +63,25 @@ ++++ serefpolicy-3.3.1/policy/modules/services/samba.if 2008-03-11 17:56:00.000000000 -0400 +@@ -52,6 +52,25 @@ + ## + ## + # ++interface(`samba_domtrans_smb',` ++ gen_require(` ++ type smbd_t, smbd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,smbd_exec_t,smbd_t) ++') ++ ++######################################## ++## ++## Execute samba net in the samba_net domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# + interface(`samba_domtrans_net',` + gen_require(` + type samba_net_t, samba_net_exec_t; +@@ -63,6 +82,25 @@ ######################################## ## @@ -20181,7 +20219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## -@@ -95,6 +114,38 @@ +@@ -95,6 +133,38 @@ ######################################## ## @@ -20220,7 +20258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## Execute smbmount in the smbmount domain. ## ## -@@ -331,6 +382,25 @@ +@@ -331,6 +401,25 @@ ######################################## ## @@ -20246,7 +20284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## Allow the specified domain to ## read and write samba /var files. ## -@@ -348,6 +418,7 @@ +@@ -348,6 +437,7 @@ files_search_var($1) files_search_var_lib($1) manage_files_pattern($1,samba_var_t,samba_var_t) 
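Review bot: The new samba_domtrans_smb interface is inserted directly under the documentation block that belonged to samba_domtrans_net (the `##`/`#` context lines at the top of the inner `@@ -52,6 +52,25 @@` hunk), and the text re-added after it, `Execute samba net in the samba_net domain.`, is that block's description, so samba_domtrans_smb ends up documented as running samba net. The header above the hunk is not visible here; change its summary to `Execute smbd in the smbd domain.` and keep the re-added block for samba_domtrans_net as it is.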
@@ -20254,7 +20292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -492,3 +563,221 @@ +@@ -492,3 +582,221 @@ allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) ') @@ -21371,7 +21409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.3.1/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/smartmon.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/smartmon.te 2008-03-11 18:55:46.000000000 -0400 @@ -16,6 +16,9 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -21382,6 +21420,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar ######################################## # # Local policy +@@ -62,6 +65,7 @@ + fs_search_auto_mountpoints(fsdaemon_t) + + mls_file_read_all_levels(fsdaemon_t) ++mls_file_write_all_levels(fsdaemon_t) + + storage_raw_read_fixed_disk(fsdaemon_t) + storage_raw_write_fixed_disk(fsdaemon_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.3.1/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2007-06-19 16:23:06.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/snmp.fc 2008-02-26 08:29:22.000000000 -0500 
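Review bot: `mls_file_write_all_levels(fsdaemon_t)` is added without a comment saying which write smartd needs at another level; the interface exempts the domain from MLS write constraints for every file, which is far wider than the raw-disk access on the surrounding storage_raw_* lines. On an MLS system a grant like this needs its motivating denial recorded, so add a line such as `# MLS: needed because <file smartd writes at another level - cite the denial>` above it, or narrow it if only one file type is involved. The same gap applies to the `mls_file_read_to_clearance` / `mls_file_write_to_clearance` pair added to the per-role X server template in xserver.if later in this commit.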
@@ -23383,7 +23429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-10 16:54:19.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 19:56:07.000000000 -0400 @@ -12,9 +12,15 @@ ## ## @@ -23468,7 +23514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t) -@@ -140,12 +159,16 @@ +@@ -140,26 +159,37 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) @@ -23486,7 +23532,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -153,13 +176,17 @@ ++ mls_file_read_to_clearance($1_xserver_t) ++ mls_file_write_to_clearance($1_xserver_t) ++ + libs_use_ld_so($1_xserver_t) libs_use_shared_libs($1_xserver_t) logging_send_syslog_msg($1_xserver_t) @@ -23505,7 +23554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow $1_xserver_t self:process { execmem execheap execstack }; -@@ -169,6 +196,46 @@ +@@ -169,6 +199,46 @@ allow $1_xserver_t self:process { execmem execheap execstack }; ') @@ -23552,7 +23601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` apm_stream_connect($1_xserver_t) ') -@@ -223,8 +290,10 @@ +@@ -223,8 +293,10 @@ template(`xserver_per_role_template',` gen_require(` 
@@ -23565,7 +23614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ############################## -@@ -232,189 +301,119 @@ +@@ -232,189 +304,119 @@ # Declarations # @@ -23704,15 +23753,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - allow $1_xauth_t self:process signal; - allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; -+ domtrans_pattern($2, xauth_exec_t, xauth_t) - +- - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file) - - manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) -- ++ domtrans_pattern($2, xauth_exec_t, xauth_t) + - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) - - allow $2 $1_xauth_t:process signal; @@ -23726,10 +23775,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) -- -- domain_use_interactive_fds($1_xauth_t) + ps_process_pattern($2,xauth_t) +- domain_use_interactive_fds($1_xauth_t) +- - files_read_etc_files($1_xauth_t) - files_search_pids($1_xauth_t) - 
@@ -23779,47 +23828,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # allow ps to show iceauth - ps_process_pattern($2,$1_iceauth_t) + ps_process_pattern($2,iceauth_t) -+ -+ allow $2 user_iceauth_home_t:file manage_file_perms; -+ allow $2 user_iceauth_home_t:file { relabelfrom relabelto }; - allow $2 $1_iceauth_home_t:file manage_file_perms; - allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; -+ userdom_use_user_terminals($1,iceauth_t) ++ allow $2 user_iceauth_home_t:file manage_file_perms; ++ allow $2 user_iceauth_home_t:file { relabelfrom relabelto }; - allow xdm_t $1_iceauth_home_t:file read_file_perms; ++ userdom_use_user_terminals($1,iceauth_t) + +- fs_search_auto_mountpoints($1_iceauth_t) + optional_policy(` + xserver_read_user_iceauth($1, $2) + ') -- fs_search_auto_mountpoints($1_iceauth_t) +- libs_use_ld_so($1_iceauth_t) +- libs_use_shared_libs($1_iceauth_t) + ############################## + # + # User X object manager local policy + # -- libs_use_ld_so($1_iceauth_t) -- libs_use_shared_libs($1_iceauth_t) +- userdom_use_user_terminals($1,$1_iceauth_t) + # Device rules + allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell }; -- userdom_use_user_terminals($1,$1_iceauth_t) -+ allow $2 { input_xevent_t }:x_event send; -+ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send; - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_iceauth_t) - ') -+ mls_xwin_read_to_clearance($2) ++ allow $2 { input_xevent_t }:x_event send; ++ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send; - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_iceauth_t) - ') ++ mls_xwin_read_to_clearance($2) ++ + xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t) ') ####################################### -@@ -521,19 +520,18 @@ +@@ -521,19 +523,18 @@ ## # template(`xserver_user_client_template',` 
@@ -23847,7 +23896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +540,542 @@ +@@ -542,25 +543,541 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -23974,7 +24023,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + type screensaver_xext_t, unknown_xext_t, x_rootscreen_t; + type disallowed_xext_t; + type output_xext_t; -+ type accelgraphics_xext_t, xdm_xserver_t; + + attribute x_server_domain, x_domain; + attribute xproperty_type; @@ -24009,7 +24057,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $1 std_xext_t:x_extension query; + allow $1 x_rootwindow_t:x_drawable { get_property getattr }; + -+ + # Hacks + # everyone can get the input focus of everyone else + # this is a fundamental brokenness in the X protocol @@ -24083,10 +24130,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + # X Input + # can receive own events -+ allow $1 input_xevent_t:{ x_event x_synthetic_event } receive; ++ allow $1 input_xevent_t:{ x_event x_synthetic_event } { send receive }; + allow $1 $1:{ x_event x_synthetic_event } { send receive }; + allow $1 default_xevent_t:x_event receive; -+ allow $1 default_xevent_t:x_synthetic_event send; ++ allow $1 default_xevent_t:x_synthetic_event { receive send }; ++ + + # can receive certain root window events + allow $1 focus_xevent_t:x_event receive; @@ -24396,7 +24444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -593,26 +1107,44 @@ +@@ -593,26 +1110,44 @@ # template(`xserver_use_user_fonts',` gen_require(` 
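Review bot: The comment `# can receive own events` above the two rewritten lines in the inner `@@ -24083,10 +24130,11 @@` hunk is now wrong: the input_xevent_t rule gains `send` and the default_xevent_t x_synthetic_event rule gains `receive`, so every client instantiated by this template may send input events, not just receive its own. Together with the x_drawable send rules granted elsewhere in this file that is the permission one client needs to synthesize input for another, so it should be a documented decision rather than a silent widening; change the comment to `# can send and receive input events, receive own and default events` and, if only synthetic delivery is required, keep `send` off the real x_event class. The template containing these lines starts and ends outside the hunk.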
@@ -24448,14 +24496,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -638,10 +1170,77 @@ +@@ -638,10 +1173,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` - type $1_xauth_t, xauth_exec_t; + type xauth_exec_t, xauth_t; -+ ') -+ + ') + +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + domtrans_pattern($2, xauth_exec_t, xauth_t) +') + @@ -24520,15 +24569,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +template(`xserver_read_user_iceauth',` + gen_require(` + type user_iceauth_home_t; - ') - -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) ++ ') ++ + # Read .Iceauthority file + allow $2 user_iceauth_home_t:file { getattr read }; ') ######################################## -@@ -671,10 +1270,10 @@ +@@ -671,10 +1273,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -24541,7 +24589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +1359,7 @@ +@@ -760,7 +1362,7 @@ type xconsole_device_t; ') @@ -24550,7 +24598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +1459,25 @@ +@@ -860,6 +1462,25 @@ ######################################## ## @@ -24576,7 +24624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1532,7 @@ +@@ -914,6 +1535,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -24584,7 +24632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -955,6 +1574,24 @@ +@@ -955,6 +1577,24 @@ ######################################## ## 
@@ -24609,7 +24657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -965,15 +1602,47 @@ +@@ -965,15 +1605,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -24658,7 +24706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1792,7 @@ +@@ -1123,7 +1795,7 @@ type xdm_xserver_tmp_t; ') @@ -24667,7 +24715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1981,83 @@ +@@ -1312,3 +1984,83 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -24753,7 +24801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-10 14:23:28.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-11 19:35:25.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -24896,7 +24944,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser init_system_domain(xdm_xserver_t,xserver_exec_t) ifdef(`enable_mcs',` -@@ -95,8 +191,9 @@ +@@ -86,6 +182,11 @@ + init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh) + ') + ++ifdef(`enable_mls',` ++ init_ranged_domain(xdm_t,xdm_exec_t,s0 - mls_systemhigh) ++ init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mls_systemhigh) ++') ++ + optional_policy(` + prelink_object_file(xkb_var_lib_t) + ') +@@ -95,8 +196,9 @@ # XDM Local policy # 
@@ -24908,7 +24968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -109,6 +206,8 @@ +@@ -109,6 +211,8 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -24917,7 +24977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -131,15 +230,22 @@ +@@ -131,15 +235,22 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -24941,7 +25001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -153,6 +259,7 @@ +@@ -153,6 +264,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -24949,7 +25009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) -@@ -173,6 +280,8 @@ +@@ -173,6 +285,8 @@ corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) @@ -24958,7 +25018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -184,6 +293,7 @@ +@@ -184,6 +298,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) 
@@ -24966,7 +25026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -196,6 +306,7 @@ +@@ -196,6 +311,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -24974,7 +25034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -208,8 +319,8 @@ +@@ -208,8 +324,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -24985,7 +25045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -226,6 +337,7 @@ +@@ -226,6 +342,7 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -24993,7 +25053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) -@@ -237,6 +349,7 @@ +@@ -237,6 +354,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -25001,7 +25061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -245,6 +358,7 @@ +@@ -245,6 +363,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -25009,7 +25069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,12 +370,11 @@ +@@ -256,12 +375,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) 
@@ -25023,7 +25083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -270,8 +383,13 @@ +@@ -270,8 +388,13 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -25037,7 +25097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -304,7 +422,11 @@ +@@ -304,7 +427,11 @@ ') optional_policy(` @@ -25050,7 +25110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -312,6 +434,23 @@ +@@ -312,6 +439,23 @@ ') optional_policy(` @@ -25074,7 +25134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -322,6 +461,10 @@ +@@ -322,6 +466,10 @@ ') optional_policy(` @@ -25085,7 +25145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +478,11 @@ +@@ -335,6 +483,11 @@ ') optional_policy(` @@ -25097,7 +25157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +491,8 @@ +@@ -343,8 +496,8 @@ ') optional_policy(` @@ -25107,7 +25167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +528,7 @@ +@@ -380,7 +533,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; 
@@ -25116,7 +25176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +540,15 @@ +@@ -392,6 +545,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -25132,7 +25192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +561,17 @@ +@@ -404,9 +566,17 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -25150,7 +25210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +585,22 @@ +@@ -420,6 +590,22 @@ ') optional_policy(` @@ -25173,7 +25233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +610,139 @@ +@@ -429,47 +615,139 @@ ') optional_policy(` @@ -25223,21 +25283,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +tunable_policy(`allow_xserver_execmem', ` + allow xdm_xserver_t self:process { execheap execmem execstack }; - ') - ++') ++ +ifndef(`distro_redhat',` + allow xdm_xserver_t self:process { execheap execmem }; +') + +ifdef(`distro_rhel4',` + allow xdm_xserver_t self:process { execheap execmem }; -+') -+ + ') + +############################## # -# Wants to delete .xsession-errors file +# xauth_t Local policy -+# + # +-allow xdm_t user_home_type:file unlink; +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t) + +userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file) 
@@ -25284,10 +25345,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +############################## # --allow xdm_t user_home_type:file unlink; +-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor +# iceauth_t Local policy # --# Should fix exec of pam_timestamp_check is not closing xdm file descriptor +-allow pam_t xdm_t:fifo_file { getattr ioctl write }; +-') dnl end TODO + +allow iceauth_t user_iceauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file) @@ -25311,9 +25373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file) + +######################################## - # --allow pam_t xdm_t:fifo_file { getattr ioctl write }; --') dnl end TODO ++# +# Rules for unconfined access to this module +# + @@ -25744,7 +25804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-05 15:46:36.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-11 17:52:13.000000000 -0400 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -25944,7 +26004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -463,11 +470,13 @@ +@@ -463,11 +470,12 @@ interface(`init_telinit',` gen_require(` type initctl_t; 
@@ -25955,7 +26015,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i allow $1 initctl_t:fifo_file rw_fifo_file_perms; - + allow $1 init_t:unix_dgram_socket sendto; -+ allow init_t $1:unix_dgram_socket sendto; init_exec($1) ') @@ -26270,7 +26329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-07 16:07:39.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-11 18:57:27.000000000 -0400 @@ -10,6 +10,20 @@ # Declarations # @@ -26333,6 +26392,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # is ~sys_module really needed? observed: # sys_boot # sys_tty_config +@@ -86,7 +112,7 @@ + # Re-exec itself + can_exec(init_t,init_exec_t) + +-allow init_t initrc_t:unix_stream_socket connectto; ++allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; + + # For /var/run/shutdown.pid. + allow init_t init_var_run_t:file manage_file_perms; @@ -102,8 +128,11 @@ kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -26354,7 +26422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -163,22 +194,31 @@ +@@ -163,22 +194,25 @@ fs_tmpfs_filetrans(init_t,initctl_t,fifo_file) ') 
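Review bot: Removing `allow init_t $1:unix_dgram_socket sendto;` from init_telinit keeps only the caller-to-init_t direction, so a telinit caller that waits for init's reply over the datagram socket now hits a denial unless it gets that rule from somewhere else. This is presumably where the init_chat interface used by rhgb.te in this commit comes from, but init_chat is not defined in any hunk visible here; either keep the reply rule in init_telinit or document that callers needing it must also call init_chat. The interface's opening lines are in the preceding hunk.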
@@ -26382,18 +26450,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t -optional_policy(` - unconfined_domain(init_t) +ifndef(`distro_ubuntu',` -+# Run the shell in the unconfined_t or sysadm_t domain for single-user mode. -+ifdef(`enable_mls',` -+ userdom_shell_domtrans_sysadm(init_t) -+',` -+ optional_policy(` -+ unconfined_shell_domtrans(init_t) -+ ') -+') ++ corecmd_shell_domtrans(init_t,initrc_t) ++ corecmd_shell_entry_type(initrc_t) ') ######################################## -@@ -187,7 +227,7 @@ +@@ -187,7 +221,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -26402,7 +26464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; -@@ -201,10 +241,9 @@ +@@ -201,10 +235,9 @@ allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) @@ -26415,7 +26477,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) -@@ -283,7 +322,6 @@ +@@ -257,7 +290,7 @@ + dev_read_sound_mixer(initrc_t) + dev_write_sound_mixer(initrc_t) + dev_setattr_all_chr_files(initrc_t) +-dev_read_lvm_control(initrc_t) ++dev_rw_lvm_control(initrc_t) + dev_delete_lvm_control_dev(initrc_t) + dev_manage_generic_symlinks(initrc_t) + dev_manage_generic_files(initrc_t) +@@ -283,7 +316,6 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) @@ -26423,7 +26494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -496,6 +534,31 @@ +@@ -496,6 +528,31 @@ ') ') 
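Review bot: The replacement block drops the explanatory comment the old version carried (`# Run the shell in the unconfined_t or sysadm_t domain for single-user mode.`) and says nothing about what `corecmd_shell_domtrans(init_t,initrc_t)` plus `corecmd_shell_entry_type(initrc_t)` change: the single-user shell that init execs now runs as initrc_t, and shell_exec_t becomes an entry point of initrc_t for any domain already allowed to transition there. Since the following hunk's context shows initrc_t may be `unconfined_domain(initrc_t)` under optional_policy, the effective confinement of that shell depends on whether the unconfined module is loaded, which is worth stating; add `# Single-user mode: the shell init execs runs in initrc_t (sysadm_t/unconfined_t no longer used).` above the two calls.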
@@ -26455,7 +26526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -559,14 +622,6 @@ +@@ -559,14 +616,6 @@ ') optional_policy(` @@ -26470,7 +26541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ftp_read_config(initrc_t) ') -@@ -639,12 +694,6 @@ +@@ -639,12 +688,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -26483,7 +26554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -705,6 +754,9 @@ +@@ -705,6 +748,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -26493,7 +26564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -717,9 +769,11 @@ +@@ -717,9 +763,11 @@ squid_manage_logs(initrc_t) ') @@ -26508,7 +26579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -738,6 +792,11 @@ +@@ -738,6 +786,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -26520,7 +26591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` unconfined_domain(initrc_t) -@@ -752,6 +811,10 @@ +@@ -752,6 +805,10 @@ ') optional_policy(` @@ -26531,7 +26602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -774,3 +837,4 @@ +@@ -774,3 +831,4 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -26927,7 +26998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-10 12:22:41.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-11 20:22:56.000000000 -0400 @@ -61,10 +61,24 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) @@ -27007,15 +27078,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage temporary files manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) -@@ -327,6 +349,7 @@ +@@ -327,6 +349,8 @@ # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) +corenet_tcp_connect_postgresql_port(syslogd_t) ++corenet_tcp_connect_mysqld_port(syslogd_t) # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) -@@ -344,14 +367,14 @@ +@@ -339,19 +363,20 @@ + domain_use_interactive_fds(syslogd_t) + + files_read_etc_files(syslogd_t) ++files_read_usr_files(syslogd_t) + files_read_var_files(syslogd_t) + files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) @@ -27032,7 +27110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -@@ -380,15 +403,11 @@ +@@ -380,15 +405,11 @@ ') optional_policy(` 
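Review bot: `corenet_tcp_connect_mysqld_port(syslogd_t)` is added unconditionally, as the postgresql line above it already was, so every syslogd, including one that binds the syslog port for remote input per the context lines, gets an outbound path to database ports whether or not a database output module is configured. That is wider reach than a plain local syslog needs; group the two database connects under a tunable_policy block with a comment such as `# database output modules (mysql/postgresql)`, or at minimum add the comment so the grant is traceable. The `files_read_usr_files(syslogd_t)` addition in the next inner hunk looks fine.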
@@ -27050,7 +27128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 ')

 optional_policy(`
-@@ -399,3 +418,37 @@
+@@ -399,3 +420,37 @@
 # log to the xconsole
 xserver_rw_console(syslogd_t)
 ')
@@ -27088,9 +27166,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +logging_domtrans_audisp(auditd_t)
 +logging_audisp_signal(auditd_t)
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc
+--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-12-12 11:35:28.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/lvm.fc 2008-03-11 18:59:24.000000000 -0400
+@@ -55,6 +55,7 @@
+ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-27 23:23:39.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-03-11 19:04:42.000000000 -0400
 @@ -44,9 +44,9 @@
 # Cluster LVM daemon local policy
 #
@@ -27151,7 +27240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
 userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)

-@@ -146,7 +159,8 @@
+@@ -146,17 +159,19 @@

 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
 # rawio needed for dmraid
@@ -27161,7 +27250,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
-@@ -156,7 +170,8 @@
+ allow lvm_t self:process setsched;
+ allow lvm_t self:file rw_file_perms;
+-allow lvm_t self:fifo_file rw_file_perms;
++allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;

@@ -27634,8 +27726,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f
 +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
 --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-03-10 10:10:04.000000000 -0400
-@@ -0,0 +1,294 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-03-11 17:53:51.000000000 -0400
+@@ -0,0 +1,303 @@
 +
 +## policy for qemu
 +
@@ -27885,6 +27977,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
 + allow $1_t self:unix_stream_socket create_stream_socket_perms;
 + allow $1_t self:shm create_shm_perms;
 +
++ allow $1_t $1_tmp_t:dir manage_dir_perms;
++ allow $1_t $1_tmp_t:file manage_file_perms;
++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
++
 + corenet_all_recvfrom_unlabeled($1_t)
 + corenet_all_recvfrom_netlabel($1_t)
 + corenet_tcp_sendrecv_all_if($1_t)
@@ -27903,6 +27999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
 + files_read_var_files($1_t)
 + files_search_all($1_t)
 +
++ fs_list_inotify($1_t)
 + fs_rw_anon_inodefs_files($1_t)
 + fs_rw_tmpfs_files($1_t)
 +
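Review bot: `allow lvm_t self:fifo_file manage_fifo_file_perms;` widens the previous rw grant to create, unlink, link, rename and setattr on lvm_t-labelled fifos, the broadest of the fifo permission sets, without recording which tool or denial needed more than read/write. A one-line comment next to it, e.g. `# <tool named in the AVC denial> creates and removes its own fifo_files`, with the placeholder filled in from the denial that motivated the change, would let the grant be re-narrowed later. The lvm_t rule block this sits in starts and ends outside the hunk.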
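Review bot: The three added `$1_tmp_t` lines hand-write what the rest of this policy expresses with the pattern macros (compare `manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)` in the logging.te hunk above), so `manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)` and `manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)` would keep the template consistent and also carry the directory permissions needed to reach the files. Nothing in this hunk declares `$1_tmp_t` (`type $1_tmp_t; files_tmp_file($1_tmp_t)`); if that declaration is not in the part of the template outside the hunk, the module will not build. The template body starts and ends outside the hunk.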
@@ -27924,6 +28021,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
 + virt_read_config($1_t)
 +
 + optional_policy(`
++ samba_domtrans_smb($1_t)
++ ')
++
++ optional_policy(`
 + xserver_stream_connect_xdm_xserver($1_t)
 + xserver_read_xdm_tmp_files($1_t)
 + xserver_xdm_rw_shm($1_t)
@@ -28585,7 +28686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran

 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-06 11:55:26.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-11 19:26:26.000000000 -0400
 @@ -145,6 +145,25 @@

 ########################################
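Review bot: `samba_domtrans_smb($1_t)` lets every domain instantiated from this template execute smbd with a transition into the smbd domain, so a qemu instance (presumably for its user-network SMB export) can start a full smbd running with smbd's own privileges, and nothing in the hunk limits that to a privileged `$1`. A comment stating the reason, e.g. `# qemu starts smbd to export a directory to the guest`, and a tunable guarding this `optional_policy(` block would be the usual way to keep the transition opt-in rather than granted to all qemu domains. The template body starts and ends outside the hunk.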