From 5e44eb86576de4c96b4d484a9827b6ad5dcc5596 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 14 Nov 2009 05:18:01 +0000
Subject: [PATCH] - Update to upstream
---
.cvsignore | 1 +
nsadiff | 2 +-
policy-F12.patch => policy-F13.patch | 8272 ++++++++++++++++++++------
selinux-policy.spec | 9 +-
sources | 2 +-
5 files changed, 6477 insertions(+), 1809 deletions(-)
rename policy-F12.patch => policy-F13.patch (79%)
diff --git a/.cvsignore b/.cvsignore
index ec10d57c..88b45151 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -190,3 +190,4 @@ serefpolicy-3.6.29.tgz
serefpolicy-3.6.30.tgz
serefpolicy-3.6.31.tgz
serefpolicy-3.6.32.tgz
+serefpolicy-3.6.33.tgz
diff --git a/nsadiff b/nsadiff
index 294aa387..3fe694eb 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.32 > /tmp/diff
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.33 > /tmp/diff
diff --git a/policy-F12.patch b/policy-F13.patch
similarity index 79%
rename from policy-F12.patch
rename to policy-F13.patch
index 257543d1..8a5d85b6 100644
--- a/policy-F12.patch
+++ b/policy-F13.patch
@@ -1,6 +1,6 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.32/Makefile
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.33/Makefile
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/Makefile 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/Makefile 2009-11-12 14:26:53.000000000 -0500
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -10,10 +10,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.32/policy/flask/access_vectors
---- nsaserefpolicy/policy/flask/access_vectors 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/flask/access_vectors 2009-09-18 16:41:29.000000000 -0400
-@@ -349,6 +349,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.33/policy/flask/access_vectors
+--- nsaserefpolicy/policy/flask/access_vectors 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/flask/access_vectors 2009-11-12 14:26:53.000000000 -0500
+@@ -376,6 +376,7 @@
syslog_read
syslog_mod
syslog_console
@@ -21,9 +21,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
}
#
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.32/policy/global_tunables
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.33/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/global_tunables 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/global_tunables 2009-11-12 14:26:53.000000000 -0500
@@ -61,15 +61,6 @@
##
@@ -59,45 +59,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+gen_tunable(mmap_low_allowed, false)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.32/policy/mcs
---- nsaserefpolicy/policy/mcs 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/mcs 2009-09-16 10:03:08.000000000 -0400
-@@ -66,8 +66,8 @@
- #
- # Note that getattr on files is always permitted.
- #
--mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
-- ( h1 dom h2 );
-+mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
-+ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.33/policy/modules/admin/alsa.te
+--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/alsa.te 2009-11-12 15:17:26.000000000 -0500
+@@ -51,6 +51,8 @@
+ files_read_etc_files(alsa_t)
+ files_read_usr_files(alsa_t)
- mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
-@@ -75,7 +75,7 @@
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
++term_dontaudit_use_console(alsa_t)
++
+ auth_use_nsswitch(alsa_t)
- # At this time we do not restrict "ps" type operations via MCS. This
- # will probably change in future.
-@@ -84,10 +84,10 @@
-
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-- ( h1 dom h2 );
-+ (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
-
- mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
-
- mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.32/policy/modules/admin/anaconda.te
+ init_use_fds(alsa_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.33/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/anaconda.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/anaconda.te 2009-11-12 14:26:53.000000000 -0500
@@ -31,6 +31,7 @@
modutils_domtrans_insmod(anaconda_t)
@@ -115,9 +91,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.6.32/policy/modules/admin/brctl.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.6.33/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/brctl.te 2009-09-21 08:25:17.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/brctl.te 2009-11-12 14:26:53.000000000 -0500
@@ -21,7 +21,7 @@
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
@@ -127,9 +103,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.32/policy/modules/admin/certwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.33/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/certwatch.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/certwatch.te 2009-11-12 14:26:53.000000000 -0500
@@ -36,7 +36,7 @@
miscfiles_read_localization(certwatch_t)
@@ -139,17 +115,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
apache_exec_modules(certwatch_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.32/policy/modules/admin/dmesg.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.33/policy/modules/admin/consoletype.te
+--- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/consoletype.te 2009-11-12 14:26:53.000000000 -0500
+@@ -84,6 +84,7 @@
+ optional_policy(`
+ hal_dontaudit_use_fds(consoletype_t)
+ hal_dontaudit_rw_pipes(consoletype_t)
++ hal_dontaudit_rw_dgram_sockets(consoletype_t)
+ ')
+
+ optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.33/policy/modules/admin/dmesg.fc
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/dmesg.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/dmesg.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,2 +1,4 @@
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.32/policy/modules/admin/dmesg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.33/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/dmesg.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/dmesg.te 2009-11-12 14:26:53.000000000 -0500
@@ -9,6 +9,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -184,9 +171,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(dmesg_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.6.32/policy/modules/admin/firstboot.te
+@@ -57,3 +62,6 @@
+ optional_policy(`
+ udev_read_db(dmesg_t)
+ ')
++
++#mcelog needs
++dev_read_raw_memory(dmesg_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.6.33/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/firstboot.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/firstboot.te 2009-11-12 14:26:53.000000000 -0500
@@ -91,8 +91,12 @@
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
@@ -209,9 +203,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.6.33/policy/modules/admin/kismet.fc
+--- nsaserefpolicy/policy/modules/admin/kismet.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/kismet.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -1,3 +1,5 @@
++HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
++
+ /usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+ /var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+ /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.33/policy/modules/admin/kismet.te
+--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-08-31 13:30:04.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/kismet.te 2009-11-12 14:26:53.000000000 -0500
+@@ -26,6 +26,9 @@
+ type kismet_var_run_t;
+ files_pid_file(kismet_var_run_t)
+
++type kismet_home_t;
++userdom_user_home_content(kismet_home_t)
++
+ ########################################
+ #
+ # kismet local policy
+@@ -59,6 +62,12 @@
+ allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+ files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
+
++manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
++manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
++manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
++userdom_search_user_home_dirs(kismet_t)
++userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
++
+ kernel_search_debugfs(kismet_t)
+ kernel_read_system_state(kismet_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.33/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/logrotate.te 2009-11-12 14:26:53.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -232,10 +261,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
-@@ -149,6 +150,10 @@
+@@ -149,6 +150,14 @@
')
optional_policy(`
++ asterisk_stream_connect(logrotate_t)
++')
++
++optional_policy(`
+ bind_manage_cache(logrotate_t)
+')
+
@@ -243,7 +276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consoletype_exec(logrotate_t)
')
-@@ -183,6 +188,10 @@
+@@ -183,6 +192,10 @@
')
optional_policy(`
@@ -254,18 +287,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
slrnpull_manage_spool(logrotate_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.33/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/logwatch.te 2009-11-12 14:26:53.000000000 -0500
@@ -136,4 +136,5 @@
optional_policy(`
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.32/policy/modules/admin/mrtg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.33/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/mrtg.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/mrtg.te 2009-11-12 14:26:53.000000000 -0500
@@ -116,6 +116,7 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -274,10 +307,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
netutils_domtrans_ping(mrtg_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.33/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2009-09-16 10:03:08.000000000 -0400
-@@ -85,6 +85,7 @@
++++ serefpolicy-3.6.33/policy/modules/admin/netutils.te 2009-11-12 14:26:53.000000000 -0500
+@@ -44,6 +44,7 @@
+ allow netutils_t self:packet_socket create_socket_perms;
+ allow netutils_t self:udp_socket create_socket_perms;
+ allow netutils_t self:tcp_socket create_stream_socket_perms;
++allow netutils_t self:socket create_socket_perms;
+
+ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+@@ -85,6 +86,7 @@
miscfiles_read_localization(netutils_t)
@@ -285,9 +326,224 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_use_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.6.32/policy/modules/admin/portage.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.fc serefpolicy-3.6.33/policy/modules/admin/ntop.fc
+--- nsaserefpolicy/policy/modules/admin/ntop.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/admin/ntop.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,5 @@
++/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0)
++
++/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
++
++/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.if serefpolicy-3.6.33/policy/modules/admin/ntop.if
+--- nsaserefpolicy/policy/modules/admin/ntop.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/admin/ntop.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,158 @@
++
++## policy for ntop
++
++########################################
++##
++## Execute a domain transition to run ntop.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ntop_domtrans',`
++ gen_require(`
++ type ntop_t, ntop_exec_t;
++ ')
++
++ domtrans_pattern($1,ntop_exec_t,ntop_t)
++')
++
++
++########################################
++##
++## Execute ntop server in the ntop domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`ntop_initrc_domtrans',`
++ gen_require(`
++ type ntop_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1,ntop_initrc_exec_t)
++')
++
++########################################
++##
++## Search ntop lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntop_search_lib',`
++ gen_require(`
++ type ntop_var_lib_t;
++ ')
++
++ allow $1 ntop_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read ntop lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntop_read_lib_files',`
++ gen_require(`
++ type ntop_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## ntop lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntop_manage_lib_files',`
++ gen_require(`
++ type ntop_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t)
++')
++
++########################################
++##
++## Manage ntop var_lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntop_manage_var_lib',`
++ gen_require(`
++ type ntop_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1,ntop_var_lib_t,ntop_var_lib_t)
++ manage_files_pattern($1,ntop_var_lib_t,ntop_var_lib_t)
++ manage_lnk_files_pattern($1,ntop_var_lib_t,ntop_var_lib_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an ntop environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ntop_admin',`
++ gen_require(`
++ type ntop_t;
++ ')
++
++ allow $1 ntop_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, ntop_t, ntop_t)
++
++
++ gen_require(`
++ type ntop_initrc_exec_t;
++ ')
++
++ # Allow ntop_t to restart the apache service
++ ntop_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 ntop_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ ntop_manage_var_lib($1)
++
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.te serefpolicy-3.6.33/policy/modules/admin/ntop.te
+--- nsaserefpolicy/policy/modules/admin/ntop.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/admin/ntop.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,40 @@
++policy_module(ntop,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ntop_t;
++type ntop_exec_t;
++init_daemon_domain(ntop_t, ntop_exec_t)
++
++permissive ntop_t;
++
++type ntop_initrc_exec_t;
++init_script_file(ntop_initrc_exec_t)
++
++type ntop_var_lib_t;
++files_type(ntop_var_lib_t)
++
++########################################
++#
++# ntop local policy
++#
++allow ntop_t self:capability { setgid setuid };
++allow ntop_t self:fifo_file manage_file_perms;
++allow ntop_t self:unix_stream_socket create_stream_socket_perms;
++
++# Init script handling
++domain_use_interactive_fds(ntop_t)
++
++files_read_etc_files(ntop_t)
++
++manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
++manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
++files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
++
++auth_use_nsswitch(ntop_t)
++
++miscfiles_read_localization(ntop_t)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.6.33/policy/modules/admin/portage.te
--- nsaserefpolicy/policy/modules/admin/portage.te 2009-08-18 18:39:50.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/portage.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/portage.te 2009-11-12 14:26:53.000000000 -0500
@@ -196,7 +196,7 @@
# - for rsync and distfile fetching
#
@@ -297,9 +553,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow portage_fetch_t self:process signal;
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.32/policy/modules/admin/prelink.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.33/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/prelink.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/prelink.if 2009-11-12 14:26:53.000000000 -0500
@@ -151,11 +151,11 @@
##
##
@@ -314,10 +570,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.33/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2009-09-16 10:03:08.000000000 -0400
-@@ -89,6 +89,7 @@
++++ serefpolicy-3.6.33/policy/modules/admin/prelink.te 2009-11-12 14:26:53.000000000 -0500
+@@ -80,6 +80,7 @@
+ selinux_get_enforce_mode(prelink_t)
+
+ libs_exec_ld_so(prelink_t)
++libs_legacy_use_shared_libs(prelink_t)
+ libs_manage_ld_so(prelink_t)
+ libs_relabel_ld_so(prelink_t)
+ libs_manage_shared_libs(prelink_t)
+@@ -89,6 +90,7 @@
miscfiles_read_localization(prelink_t)
userdom_use_user_terminals(prelink_t)
@@ -325,9 +589,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
amanda_manage_lib(prelink_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te
+@@ -99,5 +101,9 @@
+ ')
+
+ optional_policy(`
++ rpm_manage_tmp_files(prelink_t)
++')
++
++optional_policy(`
+ unconfined_domain(prelink_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.33/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/readahead.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/readahead.te 2009-11-12 14:26:53.000000000 -0500
@@ -52,6 +52,7 @@
files_list_non_security(readahead_t)
@@ -336,10 +610,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.32/policy/modules/admin/rpm.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.33/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.fc 2009-09-24 11:56:43.000000000 -0400
-@@ -1,17 +1,17 @@
++++ serefpolicy-3.6.33/policy/modules/admin/rpm.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -1,18 +1,18 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -357,11 +631,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
+-/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
+ /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -21,15 +21,23 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -386,9 +662,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.33/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-09-29 16:46:01.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/rpm.if 2009-11-12 14:26:53.000000000 -0500
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -436,7 +712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +174,35 @@
+@@ -146,6 +174,40 @@
########################################
##
@@ -458,11 +734,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 rpm_t:tcp_socket rw_socket_perms;
++ dontaudit $1 rpm_t:unix_dgram_socket rw_socket_perms;
++ dontaudit $1 rpm_t:shm rw_shm_perms;
++
+ dontaudit $1 rpm_script_t:fd use;
+ dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms;
++
+ dontaudit $1 rpm_var_run_t:file write_file_perms;
++
+ dontaudit $1 rpm_tmp_t:file rw_file_perms;
-+ dontaudit $1 rpm_t:shm rw_shm_perms;
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file write_file_perms;
+')
@@ -472,7 +753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send and receive messages from
## rpm over dbus.
##
-@@ -167,6 +224,48 @@
+@@ -167,6 +229,68 @@
########################################
##
@@ -516,12 +797,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow rpm_script_t $1:dbus send_msg;
+')
+
++#####################################
++##
++## Allow the specified domain to append
++## to rpm log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_append_log',`
++ gen_require(`
++ type rpm_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, rpm_log_t, rpm_log_t)
++')
++
+########################################
+##
## Create, read, write, and delete the RPM log.
##
##
-@@ -186,6 +285,24 @@
+@@ -186,6 +310,24 @@
########################################
##
@@ -546,7 +847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Inherit and use file descriptors from RPM scripts.
##
##
-@@ -219,7 +336,51 @@
+@@ -219,7 +361,51 @@
')
files_search_tmp($1)
@@ -598,7 +899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -241,6 +402,25 @@
+@@ -241,6 +427,25 @@
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -624,7 +925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -265,6 +445,47 @@
+@@ -265,6 +470,48 @@
########################################
##
@@ -663,6 +964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ files_search_var_lib($1)
++ manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
@@ -672,11 +974,64 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
##
-@@ -283,3 +504,46 @@
+@@ -283,3 +530,99 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
+
++#####################################
++##
++## Read rpm pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_read_pid_files',`
++ gen_require(`
++ type rpm_var_run_t;
++ ')
++
++ read_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
++')
++
++#####################################
++##
++## Create, read, write, and delete rpm pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_manage_pid_files',`
++ gen_require(`
++ type rpm_var_run_t;
++ ')
++
++ manage_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
++')
++
++######################################
++##
++## Create files in /var/run with the rpm pid file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_pid_filetrans',`
++ gen_require(`
++ type rpm_var_run_t;
++ ')
++
++ files_pid_filetrans($1, rpm_var_run_t, file)
++')
+
+########################################
+##
@@ -719,9 +1074,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 rpm_t:process signull;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.33/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-09-24 11:56:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/rpm.te 2009-11-12 14:26:53.000000000 -0500
@@ -15,6 +15,9 @@
domain_interactive_fd(rpm_t)
role system_r types rpm_t;
@@ -794,22 +1149,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_all_executables(rpm_t)
-@@ -108,12 +130,14 @@
+@@ -108,12 +130,15 @@
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
+dev_read_raw_memory(rpm_t)
#devices_manage_all_device_types(rpm_t)
++fs_getattr_all_fs(rpm_t)
++fs_getattr_all_dirs(rpm_t)
++fs_list_inotifyfs(rpm_t)
fs_manage_nfs_dirs(rpm_t)
fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
- fs_getattr_all_fs(rpm_t)
-+fs_getattr_all_dirs(rpm_t)
+-fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
-@@ -132,6 +156,8 @@
+@@ -132,6 +157,8 @@
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
@@ -818,7 +1175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +181,7 @@
+@@ -155,6 +182,7 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
@@ -826,7 +1183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -174,17 +201,28 @@
+@@ -174,44 +202,41 @@
')
optional_policy(`
@@ -835,28 +1192,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
+- prelink_domtrans(rpm_t)
+ networkmanager_dbus_chat(rpm_t)
-+ ')
-+
-+ optional_policy(`
-+ dbus_system_domain(rpm_t, rpm_exec_t)
-+ ')
-+')
-+
-+optional_policy(`
- prelink_domtrans(rpm_t)
')
optional_policy(`
- unconfined_domain(rpm_t)
-+ unconfined_domain_noaudit(rpm_t)
- # yum-updatesd requires this
- unconfined_dbus_chat(rpm_t)
-+ unconfined_dbus_chat(rpm_script_t)
+- # yum-updatesd requires this
+- unconfined_dbus_chat(rpm_t)
++ dbus_system_domain(rpm_t, rpm_exec_t)
')
- ifdef(`TODO',`
-@@ -210,8 +248,8 @@
+-ifdef(`TODO',`
+-# read/write/create any files in the system
+-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
+-allow rpm_t ttyfile:chr_file unlink;
+-
+-# needs rw permission to the directory for an rpm package that includes a mount
+-# point
+-allow rpm_t fs_type:dir { setattr rw_dir_perms };
+-
+-allow rpm_t mount_t:tcp_socket write;
++ optional_policy(`
++ dbus_system_domain(rpm_t, debuginfo_exec_t)
++ ')
++')
+
+-allow rpm_t rpc_pipefs_t:dir search;
++optional_policy(`
++ prelink_domtrans(rpm_t)
++')
+
+ optional_policy(`
+-allow rpm_t sysadm_gph_t:fd use;
++ unconfined_domain_noaudit(rpm_t)
++ # yum-updatesd requires this
++ unconfined_dbus_chat(rpm_t)
++ unconfined_dbus_chat(rpm_script_t)
+ ')
+-') dnl endif TODO
+
+ ########################################
+ #
# rpm-script Local policy
#
@@ -867,7 +1244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +260,15 @@
+@@ -222,12 +247,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
@@ -883,7 +1260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +280,9 @@
+@@ -239,6 +267,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
@@ -893,15 +1270,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_list_sysfs(rpm_script_t)
-@@ -255,6 +299,7 @@
+@@ -254,7 +285,9 @@
+ fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
++fs_search_all(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
+fs_getattr_all_fs(rpm_script_t)
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +317,19 @@
+@@ -272,14 +305,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -921,15 +1300,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +341,7 @@
+@@ -291,8 +329,10 @@
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
++init_chat(rpm_script_t)
-@@ -308,12 +359,15 @@
+ libs_exec_ld_so(rpm_script_t)
+ libs_exec_lib_files(rpm_script_t)
+@@ -308,12 +348,15 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -945,7 +1327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -326,13 +380,22 @@
+@@ -326,13 +369,22 @@
')
optional_policy(`
@@ -969,9 +1351,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.32/policy/modules/admin/shorewall.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.33/policy/modules/admin/shorewall.fc
+--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2009-09-09 09:23:16.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/shorewall.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -4,8 +4,9 @@
+ /etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+ /etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+-/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0)
++/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+ /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+ /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
++/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.33/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/shorewall.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/shorewall.if 2009-11-12 14:26:53.000000000 -0500
@@ -75,6 +75,46 @@
rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
')
@@ -1019,9 +1415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#######################################
##
## All of the rules required to administrate
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.32/policy/modules/admin/shorewall.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.33/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/shorewall.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/shorewall.te 2009-11-12 14:26:53.000000000 -0500
@@ -80,6 +80,8 @@
sysnet_domtrans_ifconfig(shorewall_t)
@@ -1031,23 +1427,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
iptables_domtrans(shorewall_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.6.32/policy/modules/admin/smoltclient.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.6.33/policy/modules/admin/smoltclient.fc
--- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/smoltclient.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.6.32/policy/modules/admin/smoltclient.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.6.33/policy/modules/admin/smoltclient.if
--- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/smoltclient.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1 @@
+## The Fedora hardware profiler client
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.33/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2009-09-16 10:03:08.000000000 -0400
-@@ -0,0 +1,67 @@
++++ serefpolicy-3.6.33/policy/modules/admin/smoltclient.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,66 @@
+policy_module(smoltclient,1.0.0)
+
+########################################
@@ -1072,7 +1468,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow smoltclient_t self:fifo_file rw_fifo_file_perms;
+allow smoltclient_t self:tcp_socket create_socket_perms;
+allow smoltclient_t self:udp_socket create_socket_perms;
-+allow smoltclient_t self:netlink_route_socket r_netlink_socket_perms;
+
+can_exec(smoltclient_t, smoltclient_tmp_t)
+manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
@@ -1088,10 +1483,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+corenet_tcp_connect_http_port(smoltclient_t)
+
-+dev_read_urand(smoltclient_t)
++auth_use_nsswitch(smoltclient_t)
++
+dev_read_sysfs(smoltclient_t)
+
+fs_getattr_all_fs(smoltclient_t)
++fs_getattr_all_dirs(smoltclient_t)
+
+files_getattr_generic_locks(smoltclient_t)
+files_read_etc_files(smoltclient_t)
@@ -1099,8 +1496,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+miscfiles_read_localization(smoltclient_t)
+
-+sysnet_read_config(smoltclient_t)
-+
+optional_policy(`
+ dbus_system_bus_client(smoltclient_t)
+')
@@ -1115,9 +1510,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+permissive smoltclient_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.32/policy/modules/admin/sudo.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.33/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/sudo.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/sudo.if 2009-11-12 14:26:53.000000000 -0500
@@ -66,8 +66,8 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
@@ -1162,10 +1557,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-09-16 10:03:08.000000000 -0400
-@@ -52,6 +52,10 @@
++++ serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te 2009-11-12 14:26:53.000000000 -0500
+@@ -42,6 +42,7 @@
+ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+
+ ifdef(`distro_redhat',`
++ userdom_list_user_home_content(tmpreaper_t)
+ userdom_delete_user_home_content_dirs(tmpreaper_t)
+ userdom_delete_user_home_content_files(tmpreaper_t)
+ userdom_delete_user_home_content_symlinks(tmpreaper_t)
+@@ -52,6 +53,10 @@
')
optional_policy(`
@@ -1176,9 +1579,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kismet_manage_log(tmpreaper_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.32/policy/modules/admin/tzdata.te
+@@ -60,5 +65,9 @@
+ ')
+
+ optional_policy(`
++ rpm_read_cache(tmpreaper_t)
++')
++
++optional_policy(`
+ unconfined_domain(tmpreaper_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.33/policy/modules/admin/tzdata.te
--- nsaserefpolicy/policy/modules/admin/tzdata.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/tzdata.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/tzdata.te 2009-11-12 14:26:53.000000000 -0500
@@ -19,6 +19,8 @@
files_read_etc_files(tzdata_t)
files_search_spool(tzdata_t)
@@ -1188,10 +1601,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_dontaudit_list_ptys(tzdata_t)
locallogin_dontaudit_use_fds(tzdata_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.32/policy/modules/admin/usermanage.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.33/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.if 2009-09-16 10:03:08.000000000 -0400
-@@ -274,6 +274,11 @@
++++ serefpolicy-3.6.33/policy/modules/admin/usermanage.if 2009-11-12 14:26:53.000000000 -0500
+@@ -113,6 +113,12 @@
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passwd_exec_t, passwd_t)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit passwd_t $1:unix_stream_socket rw_socket_perms;
++ dontaudit passwd_t $1:unix_dgram_socket rw_socket_perms;
++ dontaudit passwd_t $1:tcp_socket rw_socket_perms;
++')
+ ')
+
+ ########################################
+@@ -274,6 +280,11 @@
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
@@ -1203,10 +1629,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
nscd_run(useradd_t, $2)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te
---- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2009-09-16 10:03:08.000000000 -0400
-@@ -197,6 +197,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.33/policy/modules/admin/usermanage.te
+--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/admin/usermanage.te 2009-11-12 14:26:53.000000000 -0500
+@@ -82,6 +82,7 @@
+ selinux_compute_relabel_context(chfn_t)
+ selinux_compute_user_contexts(chfn_t)
+
++term_use_console(chfn_t)
+ term_use_all_user_ttys(chfn_t)
+ term_use_all_user_ptys(chfn_t)
+
+@@ -197,6 +198,7 @@
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -1214,7 +1648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t)
-@@ -209,6 +210,7 @@
+@@ -209,6 +211,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
files_read_etc_runtime_files(groupadd_t)
@@ -1222,7 +1656,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
corecmd_exec_bin(groupadd_t)
-@@ -218,14 +220,11 @@
+@@ -218,14 +221,11 @@
miscfiles_read_localization(groupadd_t)
@@ -1239,7 +1673,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_read_config(groupadd_t)
-@@ -329,6 +328,7 @@
+@@ -292,6 +292,7 @@
+ selinux_compute_relabel_context(passwd_t)
+ selinux_compute_user_contexts(passwd_t)
+
++term_use_console(passwd_t)
+ term_use_all_user_ttys(passwd_t)
+ term_use_all_user_ptys(passwd_t)
+
+@@ -333,6 +334,7 @@
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -1247,7 +1689,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -446,6 +446,7 @@
+@@ -382,6 +384,7 @@
+ fs_getattr_xattr_fs(sysadm_passwd_t)
+ fs_search_auto_mountpoints(sysadm_passwd_t)
+
++term_use_console(sysadm_passwd_t)
+ term_use_all_user_ttys(sysadm_passwd_t)
+ term_use_all_user_ptys(sysadm_passwd_t)
+
+@@ -450,6 +453,7 @@
corecmd_exec_bin(useradd_t)
domain_use_interactive_fds(useradd_t)
@@ -1255,7 +1705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -465,18 +466,16 @@
+@@ -469,18 +473,16 @@
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
@@ -1278,7 +1728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_use_fds(useradd_t)
init_rw_utmp(useradd_t)
-@@ -494,10 +493,8 @@
+@@ -498,10 +500,8 @@
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -1290,7 +1740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mta_manage_spool(useradd_t)
-@@ -521,6 +518,12 @@
+@@ -525,6 +525,12 @@
')
optional_policy(`
@@ -1300,13 +1750,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
- rpm_use_fds(useradd_t)
- rpm_rw_pipes(useradd_t)
+ puppet_rw_tmp(useradd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.32/policy/modules/admin/vbetool.te
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.33/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/vbetool.te 2009-09-16 10:03:08.000000000 -0400
-@@ -15,15 +15,22 @@
++++ serefpolicy-3.6.33/policy/modules/admin/vbetool.te 2009-11-12 14:26:53.000000000 -0500
+@@ -15,15 +15,20 @@
# Local policy
#
@@ -1325,13 +1775,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+domain_mmap_low_type(vbetool_t)
+tunable_policy(`mmap_low_allowed',`
domain_mmap_low(vbetool_t)
-+', `
-+dontaudit vbetool_t self:memprotect mmap_zero;
+')
term_use_unallocated_ttys(vbetool_t)
-@@ -34,3 +41,8 @@
+@@ -34,3 +39,8 @@
hal_write_log(vbetool_t)
hal_dontaudit_append_lib_files(vbetool_t)
')
@@ -1340,9 +1788,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_exec_pid(vbetool_t)
+ xserver_write_pid(vbetool_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.32/policy/modules/apps/calamaris.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.6.33/policy/modules/admin/vpn.te
+--- nsaserefpolicy/policy/modules/admin/vpn.te 2009-08-31 13:30:04.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/admin/vpn.te 2009-11-12 14:26:53.000000000 -0500
+@@ -46,6 +46,7 @@
+ kernel_read_system_state(vpnc_t)
+ kernel_read_network_state(vpnc_t)
+ kernel_read_all_sysctls(vpnc_t)
++kernel_request_load_module(vpnc_t)
+ kernel_rw_net_sysctls(vpnc_t)
+
+ corenet_all_recvfrom_unlabeled(vpnc_t)
+@@ -98,6 +99,7 @@
+ logging_dontaudit_search_logs(vpnc_t)
+
+ miscfiles_read_localization(vpnc_t)
++miscfiles_read_home_certs(vpnc_t)
+
+ seutil_dontaudit_search_config(vpnc_t)
+ seutil_use_newrole_fds(vpnc_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.33/policy/modules/apps/calamaris.te
--- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/calamaris.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/calamaris.te 2009-11-12 14:26:53.000000000 -0500
@@ -59,12 +59,12 @@
libs_read_lib_files(calamaris_t)
@@ -1365,9 +1832,180 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- nis_use_ypbind(calamaris_t)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.32/policy/modules/apps/cpufreqselector.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.6.33/policy/modules/apps/chrome.fc
+--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/chrome.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,2 @@
++
++/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.6.33/policy/modules/apps/chrome.if
+--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/chrome.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,85 @@
++
++## policy for chrome
++
++########################################
++##
++## Execute a domain transition to run chrome_sandbox.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`chrome_domtrans_sandbox',`
++ gen_require(`
++ type chrome_sandbox_t, chrome_sandbox_exec_t;
++ ')
++
++ domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
++')
++
++
++########################################
++##
++## Execute chrome_sandbox in the chrome_sandbox domain, and
++## allow the specified role the chrome_sandbox domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the chrome_sandbox domain.
++##
++##
++#
++interface(`chrome_run_sandbox',`
++ gen_require(`
++ type chrome_sandbox_t;
++ ')
++
++ chrome_domtrans_sandbox($1)
++ role $2 types chrome_sandbox_t;
++')
++
++########################################
++##
++## Role access for chrome sandbox
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`chrome_role',`
++ gen_require(`
++ type chrome_sandbox_t;
++ type chrome_sandbox_tmpfs_t;
++ ')
++
++ role $1 types chrome_sandbox_t;
++
++ chrome_domtrans_sandbox($2)
++
++ ps_process_pattern($2, chrome_sandbox_t)
++ allow $2 chrome_sandbox_t:process signal_perms;
++
++ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
++ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
++ allow chrome_sandbox_t $2:unix_stream_socket { read write };
++ allow $2 chrome_sandbox_t:unix_stream_socket { read write };
++
++ allow $2 chrome_sandbox_t:shm rw_shm_perms;
++
++ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.33/policy/modules/apps/chrome.te
+--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/chrome.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,72 @@
++policy_module(chrome,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type chrome_sandbox_t;
++type chrome_sandbox_exec_t;
++application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
++role system_r types chrome_sandbox_t;
++
++type chrome_sandbox_tmp_t;
++files_tmp_file(chrome_sandbox_tmp_t)
++
++type chrome_sandbox_tmpfs_t;
++files_tmpfs_file(chrome_sandbox_tmpfs_t)
++ubac_constrained(chrome_sandbox_tmpfs_t)
++
++permissive chrome_sandbox_t;
++
++########################################
++#
++# chrome_sandbox local policy
++#
++allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid };
++allow chrome_sandbox_t self:process { signal_perms setrlimit execmem };
++allow chrome_sandbox_t self:fifo_file manage_file_perms;
++allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_t self:shm create_shm_perms;
++
++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
++
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
++
++kernel_read_kernel_sysctls(chrome_sandbox_t)
++
++corecmd_exec_bin(chrome_sandbox_t)
++
++dev_read_urand(chrome_sandbox_t)
++
++files_read_etc_files(chrome_sandbox_t)
++
++userdom_rw_user_tmpfs_files(chrome_sandbox_t)
++userdom_use_user_ptys(chrome_sandbox_t)
++userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
++
++miscfiles_read_localization(chrome_sandbox_t)
++miscfiles_read_fonts(chrome_sandbox_t)
++
++optional_policy(`
++ xserver_read_home_fonts(chrome_sandbox_t)
++')
++
++optional_policy(`
++ execmem_exec(chrome_sandbox_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
++ fs_dontaudit_read_nfs_files(chrome_sandbox_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
++ fs_dontaudit_read_cifs_files(chrome_sandbox_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.33/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/cpufreqselector.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/cpufreqselector.te 2009-11-12 14:26:53.000000000 -0500
@@ -26,7 +26,7 @@
dev_rw_sysfs(cpufreqselector_t)
@@ -1377,24 +2015,189 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.6.32/policy/modules/apps/firewallgui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.33/policy/modules/apps/execmem.fc
+--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/execmem.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,40 @@
++/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++ifdef(`distro_gentoo',`
++/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
++')
++/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib(64)?/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.33/policy/modules/apps/execmem.if
+--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/execmem.if 2009-11-12 14:41:22.000000000 -0500
+@@ -0,0 +1,102 @@
++## execmem domain
++
++########################################
++##
++## Execute the execmem program in the execmem domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`execmem_exec',`
++ gen_require(`
++ type execmem_exec_t;
++ ')
++
++ can_exec($1, execmem_exec_t)
++')
++
++#######################################
++##
++## The role template for the execmem module.
++##
++##
++##
++## This template creates a derived domains which are used
++## for execmem applications.
++##
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
++##
++##
++## The role associated with the user domain.
++##
++##
++##
++##
++## The type of the user domain.
++##
++##
++#
++template(`execmem_role_template',`
++ gen_require(`
++ type execmem_exec_t;
++ ')
++
++ type $1_execmem_t;
++ domain_type($1_execmem_t)
++ domain_entry_file($1_execmem_t, execmem_exec_t)
++ role $2 types $1_execmem_t;
++
++ userdom_unpriv_usertype($1, $1_execmem_t)
++ userdom_manage_tmp_role($2, $1_execmem_t)
++ userdom_manage_tmpfs_role($2, $1_execmem_t)
++
++ allow $1_execmem_t self:process { execmem execstack };
++ allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
++ mozilla_execmod_user_home_files($1_execmem_t)
++
++ domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
++
++ files_execmod_tmp($1_execmem_t)
++
++ optional_policy(`
++ chrome_role($2, $1_execmem_t)
++ ')
++
++ optional_policy(`
++ xserver_common_app($1_execmem_t)
++ xserver_role($2, $1_execmem_t)
++ ')
++')
++
++########################################
++##
++## Execute a execmem_exec file
++## in the specified domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`execmem_domtrans',`
++ gen_require(`
++ type execmem_exec_t;
++ ')
++
++ domtrans_pattern($1, execmem_exec_t, $2)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.6.33/policy/modules/apps/execmem.te
+--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/execmem.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,11 @@
++
++policy_module(execmem, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type execmem_exec_t alias unconfined_execmem_exec_t;
++application_executable_file(execmem_exec_t)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.6.33/policy/modules/apps/firewallgui.fc
--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/firewallgui.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.6.32/policy/modules/apps/firewallgui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.6.33/policy/modules/apps/firewallgui.if
--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/firewallgui.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,3 @@
+
+## policy for firewallgui
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.33/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2009-09-16 10:03:08.000000000 -0400
-@@ -0,0 +1,63 @@
++++ serefpolicy-3.6.33/policy/modules/apps/firewallgui.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,64 @@
+
+policy_module(firewallgui,1.0.0)
+
@@ -1448,6 +2251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+dev_read_sysfs(firewallgui_t)
+
+nscd_dontaudit_search_pid(firewallgui_t)
++nscd_socket_use(firewallgui_t)
+
+miscfiles_read_localization(firewallgui_t)
+
@@ -1458,9 +2262,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_dbus_chat(firewallgui_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.32/policy/modules/apps/gitosis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.33/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/gitosis.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/gitosis.if 2009-11-12 14:26:53.000000000 -0500
@@ -43,3 +43,48 @@
role $2 types gitosis_t;
')
@@ -1510,15 +2314,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.33/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2009-09-16 10:03:08.000000000 -0400
-@@ -1,8 +1,16 @@
++++ serefpolicy-3.6.33/policy/modules/apps/gnome.fc 2009-11-12 14:29:53.000000000 -0500
+@@ -1,8 +1,18 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
-+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
++HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
@@ -1532,14 +2338,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.33/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2009-09-16 10:03:08.000000000 -0400
-@@ -89,5 +89,175 @@
++++ serefpolicy-3.6.33/policy/modules/apps/gnome.if 2009-11-12 14:33:12.000000000 -0500
+@@ -84,10 +84,180 @@
+ #
+ interface(`gnome_manage_config',`
+ gen_require(`
+- type gnome_home_t;
++ attribute gnome_home_type;
+ ')
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
-+ allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
+- allow $1 gnome_home_t:dir manage_dir_perms;
+- allow $1 gnome_home_t:file manage_file_perms;
++ allow $1 gnome_home_type:dir manage_dir_perms;
++ allow $1 gnome_home_type:file manage_file_perms;
++ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
userdom_search_user_home_dirs($1)
')
+
@@ -1579,12 +2393,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+template(`gnome_read_config',`
+ gen_require(`
-+ type gnome_home_t;
++ attribute gnome_home_type;
+ ')
+
-+ list_dirs_pattern($1, gnome_home_t, gnome_home_t)
-+ read_files_pattern($1, gnome_home_t, gnome_home_t)
-+ read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
++ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
++ read_files_pattern($1, gnome_home_type, gnome_home_type)
++ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+')
+
+########################################
@@ -1705,23 +2519,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+interface(`gnome_stream_connect',`
+ gen_require(`
-+ type gnome_home_t;
++ attribute gnome_home_type;
+ ')
+
+ # Connect to pulseaudit server
-+ stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.33/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2009-09-18 08:09:19.000000000 -0400
-@@ -9,16 +9,18 @@
++++ serefpolicy-3.6.33/policy/modules/apps/gnome.te 2009-11-12 14:32:22.000000000 -0500
+@@ -7,18 +7,30 @@
+ #
+
attribute gnomedomain;
++attribute gnome_home_type;
type gconf_etc_t;
-files_type(gconf_etc_t)
+files_config_file(gconf_etc_t)
- type gconf_home_t;
+-type gconf_home_t;
++type data_home_t, gnome_home_type;
++userdom_user_home_content(data_home_t)
++
++type config_home_t, gnome_home_type;
++userdom_user_home_content(config_home_t)
++
++type cache_home_t, gnome_home_type;
++userdom_user_home_content(cache_home_t)
++
++type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -1734,7 +2561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_file(gconf_tmp_t)
ubac_constrained(gconf_tmp_t)
-@@ -32,8 +34,17 @@
+@@ -32,8 +44,17 @@
type gnome_home_t;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
@@ -1752,7 +2579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# Local Policy
-@@ -73,3 +84,89 @@
+@@ -73,3 +94,89 @@
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -1842,9 +2669,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.33/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2009-09-21 09:16:56.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/gpg.te 2009-11-12 14:26:53.000000000 -0500
@@ -104,12 +104,19 @@
auth_use_nsswitch(gpg_t)
@@ -1889,9 +2716,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_app(gpg_pinentry_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.32/policy/modules/apps/java.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.33/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/java.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/java.fc 2009-11-12 14:26:53.000000000 -0500
@@ -2,15 +2,16 @@
# /opt
#
@@ -1912,7 +2739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,11 @@
+@@ -20,5 +21,12 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -1926,9 +2753,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if
++/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.33/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/java.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/java.if 2009-11-12 14:26:53.000000000 -0500
@@ -30,6 +30,7 @@
allow java_t $2:unix_stream_socket connectto;
@@ -1937,7 +2765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -71,24 +72,128 @@
+@@ -71,24 +72,131 @@
########################################
##
@@ -2057,6 +2885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+ allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
++ dontaudit $1_java_t $3:tcp_socket { read write };
+
+ domtrans_pattern($3, java_exec_t, $1_java_t)
+ dev_dontaudit_append_rand($1_java_t)
@@ -2064,14 +2893,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_dontaudit_rw_tmpfs_files($1_java_t)
+ corecmd_bin_domtrans($1_java_t, $1_t)
+
++ files_execmod_all_files($1_java_t)
++
+ optional_policy(`
+ xserver_common_app($1_java_t)
+ xserver_role($1_r, $1_java_t)
+ ')
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.32/policy/modules/apps/java.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.33/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/java.te 2009-09-18 17:16:51.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/java.te 2009-11-12 14:26:53.000000000 -0500
@@ -20,6 +20,8 @@
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -2081,7 +2912,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type java_tmp_t;
files_tmp_file(java_tmp_t)
ubac_constrained(java_tmp_t)
-@@ -80,6 +82,7 @@
+@@ -32,9 +34,6 @@
+ typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
+ typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+
+-type unconfined_java_t;
+-init_system_domain(unconfined_java_t, java_exec_t)
+-
+ ########################################
+ #
+ # Local policy
+@@ -80,6 +79,7 @@
dev_write_sound(java_t)
dev_read_urand(java_t)
dev_read_rand(java_t)
@@ -2089,7 +2930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(java_t)
files_read_usr_files(java_t)
-@@ -131,6 +134,7 @@
+@@ -131,20 +131,9 @@
')
optional_policy(`
@@ -2097,40 +2938,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
-@@ -143,8 +147,18 @@
- # execheap is needed for itanium/BEA jrocket
- allow unconfined_java_t self:process { execstack execmem execheap };
+-########################################
+-#
+-# Unconfined java local policy
+-#
+-
+-optional_policy(`
+- # execheap is needed for itanium/BEA jrocket
+- allow unconfined_java_t self:process { execstack execmem execheap };
-+ files_execmod_all_files(unconfined_java_t)
-+
- init_dbus_chat_script(unconfined_java_t)
+- init_dbus_chat_script(unconfined_java_t)
- unconfined_domain_noaudit(unconfined_java_t)
- unconfined_dbus_chat(unconfined_java_t)
-+ optional_policy(`
-+ hal_dbus_chat(unconfined_java_t)
-+')
-+
-+ optional_policy(`
-+ rpm_domtrans(unconfined_java_t)
- ')
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.32/policy/modules/apps/kdumpgui.fc
+- unconfined_domain_noaudit(unconfined_java_t)
+- unconfined_dbus_chat(unconfined_java_t)
+-')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.33/policy/modules/apps/kdumpgui.fc
--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/kdumpgui.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.32/policy/modules/apps/kdumpgui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.33/policy/modules/apps/kdumpgui.if
--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/kdumpgui.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-kdump policy
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.33/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/kdumpgui.te 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,65 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -2197,16 +3033,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive kdumpgui_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.32/policy/modules/apps/livecd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.33/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/livecd.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/livecd.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.32/policy/modules/apps/livecd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.33/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/livecd.if 2009-09-16 10:03:08.000000000 -0400
-@@ -0,0 +1,50 @@
++++ serefpolicy-3.6.33/policy/modules/apps/livecd.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,52 @@
+
+## policy for livecd
+
@@ -2255,12 +3091,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types livecd_t;
+
+ seutil_run_setfiles_mac(livecd_t, $2)
++ usermanage_run_passwd(livecd_t, $2)
++ usermanage_run_chfn(livecd_t, $2)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.32/policy/modules/apps/livecd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.33/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/livecd.te 2009-09-16 10:03:08.000000000 -0400
-@@ -0,0 +1,26 @@
++++ serefpolicy-3.6.33/policy/modules/apps/livecd.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,27 @@
+policy_module(livecd, 1.0.0)
+
+########################################
@@ -2287,9 +3125,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+seutil_domtrans_setfiles_mac(livecd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.33/policy/modules/apps/loadkeys.te
+--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/loadkeys.te 2009-11-12 14:26:53.000000000 -0500
+@@ -40,8 +40,12 @@
+ miscfiles_read_localization(loadkeys_t)
+
+ userdom_use_user_ttys(loadkeys_t)
+-userdom_list_user_home_dirs(loadkeys_t)
++userdom_list_user_home_content(loadkeys_t)
+
+ optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+ ')
++
++ifdef(`hide_broken_symptoms',`
++ dev_dontaudit_rw_lvm_control_dev(loadkeys_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.6.33/policy/modules/apps/mono.fc
+--- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/mono.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -1 +1 @@
+-/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
++/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.33/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/mono.if 2009-11-12 14:26:53.000000000 -0500
@@ -21,6 +21,105 @@
########################################
@@ -2405,9 +3267,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
corecmd_search_bin($1)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.32/policy/modules/apps/mono.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.33/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mono.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/mono.te 2009-11-12 14:26:53.000000000 -0500
@@ -15,7 +15,7 @@
# Local policy
#
@@ -2431,9 +3293,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ xserver_rw_shm(mono_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.33/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/mozilla.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -2442,9 +3304,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.32/policy/modules/apps/mozilla.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.33/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2009-09-23 19:27:38.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/mozilla.if 2009-11-12 14:26:53.000000000 -0500
@@ -45,6 +45,18 @@
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
@@ -2472,10 +3334,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_search_user_home_dirs($1)
')
-@@ -88,6 +101,25 @@
+@@ -88,6 +101,61 @@
########################################
##
++## Write mozilla home directory content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mozilla_execmod_user_home_files',`
++ gen_require(`
++ type mozilla_home_t;
++ ')
++
++ allow $1 mozilla_home_t:file execmod;
++')
++
++########################################
++##
+## Dontaudit attempts to write mozilla home directory content
+##
+##
@@ -2494,13 +3374,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+########################################
++##
++## Dontaudit attempts to read/write mozilla home directory content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mozilla_dontaudit_rw_user_home_files',`
++ gen_require(`
++ type mozilla_home_t;
++ ')
++
++ dontaudit $1 mozilla_home_t:file { read write };
++')
++
++########################################
+##
## Run mozilla in the mozilla domain.
##
##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.33/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/mozilla.te 2009-11-12 14:26:53.000000000 -0500
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -2526,7 +3424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_etc_files(mozilla_t)
-@@ -129,6 +133,7 @@
+@@ -129,21 +133,18 @@
fs_rw_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -2534,7 +3432,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(mozilla_t)
-@@ -138,12 +143,7 @@
++miscfiles_dontaudit_setattr_fonts(mozilla_t)
+ miscfiles_read_fonts(mozilla_t)
+ miscfiles_read_localization(mozilla_t)
+
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
@@ -2548,7 +3449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -231,11 +231,15 @@
+@@ -231,11 +232,15 @@
optional_policy(`
dbus_system_bus_client(mozilla_t)
dbus_session_bus_client(mozilla_t)
@@ -2564,7 +3465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -256,5 +260,10 @@
+@@ -256,5 +261,10 @@
')
optional_policy(`
@@ -2575,25 +3476,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
thunderbird_domtrans(mozilla_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.33/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2009-09-16 10:03:08.000000000 -0400
-@@ -0,0 +1,12 @@
++++ serefpolicy-3.6.33/policy/modules/apps/nsplugin.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,11 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-+HOME_DIR/\.config/gxine(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.33/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-29 16:37:24.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/nsplugin.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,323 @@
+
+## policy for nsplugin
@@ -2918,10 +3818,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.33/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-09-24 11:43:03.000000000 -0400
-@@ -0,0 +1,294 @@
++++ serefpolicy-3.6.33/policy/modules/apps/nsplugin.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,295 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -3166,6 +4066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_user_home_content(nsplugin_config_t)
++userdom_read_user_home_content_symlinks(nsplugin_config_t)
+userdom_read_user_home_content_files(nsplugin_config_t)
+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
+
@@ -3216,16 +4117,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.32/policy/modules/apps/openoffice.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.33/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/openoffice.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/openoffice.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.32/policy/modules/apps/openoffice.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.33/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/openoffice.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/openoffice.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,93 @@
+## Openoffice
+
@@ -3320,9 +4221,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_x_domain_template($1, $1_openoffice_t)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.32/policy/modules/apps/openoffice.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.33/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/openoffice.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/openoffice.te 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(openoffice, 1.0.0)
@@ -3335,9 +4236,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.33/policy/modules/apps/podsleuth.te
+--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/podsleuth.te 2009-11-12 14:26:53.000000000 -0500
+@@ -71,6 +71,8 @@
+
+ sysnet_dns_name_resolve(podsleuth_t)
+
++userdom_signal_unpriv_users(podsleuth_t)
++
+ optional_policy(`
+ dbus_system_bus_client(podsleuth_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.33/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2009-09-29 15:46:25.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/pulseaudio.if 2009-11-12 14:26:53.000000000 -0500
@@ -40,7 +40,7 @@
userdom_manage_tmpfs_role($1, pulseaudio_t)
@@ -3347,9 +4260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.33/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/pulseaudio.te 2009-11-12 14:26:53.000000000 -0500
@@ -26,6 +26,7 @@
can_exec(pulseaudio_t, pulseaudio_exec_t)
@@ -3358,7 +4271,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(pulseaudio_t)
kernel_read_kernel_sysctls(pulseaudio_t)
-@@ -88,6 +89,10 @@
+@@ -63,12 +64,17 @@
+ miscfiles_read_localization(pulseaudio_t)
+
+ optional_policy(`
++ bluetooth_stream_connect(pulseaudio_t)
++')
++
++optional_policy(`
+ gnome_manage_config(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ dbus_system_bus_client(pulseaudio_t)
+ dbus_session_bus_client(pulseaudio_t)
++ dbus_connect_session_bus(pulseaudio_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(pulseaudio_t)
+@@ -88,6 +94,10 @@
')
optional_policy(`
@@ -3369,23 +4300,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -100,4 +105,5 @@
+@@ -100,4 +110,5 @@
optional_policy(`
xserver_manage_xdm_tmp_files(pulseaudio_t)
xserver_read_xdm_lib_files(pulseaudio_t)
+ xserver_common_app(pulseaudio_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.32/policy/modules/apps/qemu.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.33/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/qemu.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/qemu.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,2 +1,2 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.32/policy/modules/apps/qemu.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.33/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-08-31 13:44:40.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/qemu.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/qemu.if 2009-11-12 14:26:53.000000000 -0500
@@ -40,6 +40,10 @@
qemu_domtrans($1)
@@ -3397,7 +4328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -211,3 +215,189 @@
+@@ -211,3 +215,188 @@
# xserver_xdm_rw_shm($1_t)
')
')
@@ -3586,10 +4517,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.32/policy/modules/apps/qemu.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.33/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/qemu.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/qemu.te 2009-11-12 14:26:53.000000000 -0500
@@ -13,15 +13,46 @@
##
gen_tunable(qemu_full_network, false)
@@ -3697,21 +4627,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role unconfined_r types qemu_unconfined_t;
allow qemu_unconfined_t self:process { execstack execmem };
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.32/policy/modules/apps/sambagui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.33/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/sambagui.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.32/policy/modules/apps/sambagui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.33/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/sambagui.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-samba policy
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.33/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-09-16 10:03:08.000000000 -0400
-@@ -0,0 +1,56 @@
++++ serefpolicy-3.6.33/policy/modules/apps/sambagui.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,59 @@
+policy_module(sambagui,1.0.0)
+
+########################################
@@ -3729,6 +4659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
++allow sambagui_t self:unix_dgram_socket create_socket_perms;
+
+# handling with samba conf files
+samba_append_log(sambagui_t)
@@ -3751,6 +4682,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+auth_use_nsswitch(sambagui_t)
+
++logging_send_syslog_msg(sambagui_t)
++
+miscfiles_read_localization(sambagui_t)
+
+# read meminfo
@@ -3768,15 +4701,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.32/policy/modules/apps/sandbox.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.33/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/sandbox.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.33/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-09-23 19:34:36.000000000 -0400
-@@ -0,0 +1,182 @@
++++ serefpolicy-3.6.33/policy/modules/apps/sandbox.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,184 @@
+
+## policy for sandbox
+
@@ -3808,6 +4741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+ role $2 types sandbox_domain;
+ allow sandbox_domain $1:process sigchld;
++ allow sandbox_domain $1:fifo_file rw_fifo_file_perms;
+
+ allow $1 sandbox_x_domain:process { signal_perms transition };
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
@@ -3816,7 +4750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types sandbox_xserver_t;
+ allow $1 sandbox_xserver_t:process signal_perms;
+
-+ allow sandbox_x_domain $1:process sigchld;
++ allow sandbox_x_domain $1:process { sigchld signal };
+ allow sandbox_x_domain sandbox_x_domain:process signal;
+ # Dontaudit leaked file descriptors
+ dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;
@@ -3828,7 +4762,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ allow $1 sandbox_file_type:dir relabelto;
++ relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
++ relabel_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
@@ -3959,10 +4894,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.33/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-09-27 09:28:35.000000000 -0400
-@@ -0,0 +1,329 @@
++++ serefpolicy-3.6.33/policy/modules/apps/sandbox.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,331 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -4102,6 +5037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_tmp(sandbox_x_domain)
+
++kernel_read_network_state(sandbox_x_domain)
+kernel_read_system_state(sandbox_x_domain)
+
+corecmd_exec_all_executables(sandbox_x_domain)
@@ -4153,11 +5089,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
-+optional_policy(`
-+ mozilla_dontaudit_manage_user_home_files(sandbox_x_t)
-+')
-+
-+
+########################################
+#
+# sandbox_x_client_t local policy
@@ -4285,6 +5216,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+seutil_read_default_contexts(sandbox_net_client_t)
+
+optional_policy(`
++ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
++ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
++ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
++')
++
++optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_client_t)
+ nsplugin_rw_exec(sandbox_web_client_t)
+')
@@ -4292,10 +5229,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ hal_dbus_chat(sandbox_net_client_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.32/policy/modules/apps/screen.if
---- nsaserefpolicy/policy/modules/apps/screen.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/screen.if 2009-09-16 10:03:08.000000000 -0400
-@@ -79,6 +79,11 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.33/policy/modules/apps/screen.if
+--- nsaserefpolicy/policy/modules/apps/screen.if 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/screen.if 2009-11-12 14:26:53.000000000 -0500
+@@ -80,6 +80,11 @@
relabel_files_pattern($3, screen_home_t, screen_home_t)
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
@@ -4307,149 +5244,201 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.fc serefpolicy-3.6.32/policy/modules/apps/seunshare.fc
---- nsaserefpolicy/policy/modules/apps/seunshare.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.fc 2009-09-16 10:03:08.000000000 -0400
-@@ -0,0 +1,2 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.6.33/policy/modules/apps/sectoolm.fc
+--- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/sectoolm.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,6 @@
+
-+/usr/sbin/seunshare -- gen_context(system_u:object_r:seunshare_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.6.32/policy/modules/apps/seunshare.if
---- nsaserefpolicy/policy/modules/apps/seunshare.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.if 2009-09-23 19:34:12.000000000 -0400
-@@ -0,0 +1,81 @@
++/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
+
-+## policy for seunshare
++/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+
-+########################################
-+##
-+## Execute a domain transition to run seunshare.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`seunshare_domtrans',`
-+ gen_require(`
-+ type seunshare_t;
-+ type seunshare_exec_t;
-+ ')
++/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.6.33/policy/modules/apps/sectoolm.if
+--- nsaserefpolicy/policy/modules/apps/sectoolm.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/sectoolm.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,3 @@
+
-+ domtrans_pattern($1,seunshare_exec_t,seunshare_t)
-+ allow $1 seunshare_t:process signal_perms;
-+')
++## policy for sectool-mechanism
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.6.33/policy/modules/apps/sectoolm.te
+--- nsaserefpolicy/policy/modules/apps/sectoolm.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/sectoolm.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,120 @@
+
-+########################################
-+##
-+## Execute seunshare in the seunshare domain, and
-+## allow the specified role the seunshare domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the seunshare domain.
-+##
-+##
-+#
-+interface(`seunshare_run',`
-+ gen_require(`
-+ type seunshare_t;
-+ ')
-+
-+ seunshare_domtrans($1)
-+ sandbox_transition(seunshare_t, $2)
-+ role $2 types seunshare_t;
-+
-+ # leaks from firefox
-+ dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
-+ dontaudit seunshare_t $1:udp_socket rw_socket_perms;
-+')
-+
-+########################################
-+##
-+## Role access for seunshare
-+##
-+##
-+##
-+## Role allowed access
-+##
-+##
-+##
-+##
-+## User domain for the role
-+##
-+##
-+#
-+interface(`seunshare_role',`
-+ gen_require(`
-+ type seunshare_t;
-+ ')
-+
-+ role $2 types seunshare_t;
-+
-+ seunshare_domtrans($1)
-+
-+ ps_process_pattern($2, seunshare_t)
-+ allow $2 seunshare_t:process signal;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.6.32/policy/modules/apps/seunshare.te
---- nsaserefpolicy/policy/modules/apps/seunshare.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.te 2009-09-23 19:28:08.000000000 -0400
-@@ -0,0 +1,45 @@
-+policy_module(seunshare,1.0.0)
++policy_module(sectoolm,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
-+type seunshare_t;
-+type seunshare_exec_t;
-+application_domain(seunshare_t, seunshare_exec_t)
-+role system_r types seunshare_t;
++type sectoolm_t;
++type sectoolm_exec_t;
++dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+
-+permissive seunshare_t;
++# /var/lib files
++type sectool_var_lib_t;
++files_type(sectool_var_lib_t)
++
++# log files
++type sectool_var_log_t;
++logging_log_file(sectool_var_log_t)
++
++# tmp files
++type sectool_tmp_t;
++files_tmp_file(sectool_tmp_t)
++
++permissive sectoolm_t;
+
+########################################
+#
-+# seunshare local policy
++# sectool local policy
+#
+
-+allow seunshare_t self:process { fork setexec signal };
-+allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-+allow seunshare_t self:process { getcap setcap };
++allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
++allow sectoolm_t self:process { getcap getsched signull setsched };
++dontaudit sectoolm_t self:process { execstack execmem };
+
-+allow seunshare_t self:fifo_file rw_file_perms;
-+allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
++allow sectoolm_t self:fifo_file rw_fifo_file_perms;
++allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
+
-+corecmd_exec_shell(seunshare_t)
-+corecmd_exec_bin(seunshare_t)
++# tmp files
++manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
++manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
++files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
+
-+files_read_etc_files(seunshare_t)
-+files_mounton_all_poly_members(seunshare_t)
++# var/lib files
++manage_files_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t)
++manage_dirs_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t)
++files_var_lib_filetrans(sectoolm_t,sectool_var_lib_t, { file dir })
+
-+fs_list_inotifyfs(seunshare_t)
++# log files
++manage_files_pattern(sectoolm_t, sectool_var_log_t,sectool_var_log_t)
++logging_log_filetrans(sectoolm_t,sectool_var_log_t,{ file })
+
-+auth_use_nsswitch(seunshare_t)
++corecmd_exec_bin(sectoolm_t)
++corecmd_exec_shell(sectoolm_t)
+
-+logging_send_syslog_msg(seunshare_t)
++kernel_read_net_sysctls(sectoolm_t)
++kernel_read_network_state(sectoolm_t)
++kernel_read_kernel_sysctls(sectoolm_t)
+
-+miscfiles_read_localization(seunshare_t)
++dev_read_sysfs(sectoolm_t)
++dev_read_urand(sectoolm_t)
+
-+userdom_use_user_terminals(seunshare_t)
++dev_getattr_all_blk_files(sectoolm_t)
++dev_getattr_all_chr_files(sectoolm_t)
++
++# selinux test
++selinux_validate_context(sectoolm_t)
++
++fs_getattr_all_fs(sectoolm_t)
++fs_list_noxattr_fs(sectoolm_t)
++
++files_getattr_all_pipes(sectoolm_t)
++files_getattr_all_sockets(sectoolm_t)
++files_read_all_files(sectoolm_t)
++files_read_all_symlinks(sectoolm_t)
++
++auth_use_nsswitch(sectoolm_t)
++
++libs_exec_ld_so(sectoolm_t)
++
++logging_send_syslog_msg(sectoolm_t)
++
++# tcp_wrappers test
++application_exec_all(sectoolm_t)
++
++domain_getattr_all_domains(sectoolm_t)
++domain_read_all_domains_state(sectoolm_t)
++
++userdom_users_dgram_send(sectoolm_t)
++userdom_dgram_send(sectoolm_t)
++userdom_manage_user_tmp_sockets(sectoolm_t)
++
++# tests related to network
++hostname_exec(sectoolm_t)
++iptables_domtrans(sectoolm_t)
++sysnet_domtrans_ifconfig(sectoolm_t)
+
+optional_policy(`
-+ mozilla_dontaudit_manage_user_home_files(seunshare_t)
++ mount_exec(sectoolm_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te
++
++optional_policy(`
++ policykit_dbus_chat(sectoolm_t)
++')
++
++# suid test using
++# rpm -Vf option
++optional_policy(`
++ prelink_domtrans(sectoolm_t)
++')
++
++optional_policy(`
++ rpm_exec(sectoolm_t)
++ rpm_append_log(sectoolm_t)
++ rpm_manage_pid_files(sectoolm_t)
++ rpm_pid_filetrans(sectoolm_t)
++ rpm_dontaudit_manage_db(sectoolm_t)
++')
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.6.33/policy/modules/apps/seunshare.if
+--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/seunshare.if 2009-11-12 14:26:53.000000000 -0500
+@@ -41,6 +41,16 @@
+
+ seunshare_domtrans($1)
+ role $2 types seunshare_t;
++
++ allow $1 seunshare_t:process signal_perms;
++
++ sandbox_transition(seunshare_t, $2)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
++ dontaudit seunshare_t $1:udp_socket rw_socket_perms;
++ dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
++')
+ ')
+
+ ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.6.33/policy/modules/apps/seunshare.te
+--- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/apps/seunshare.te 2009-11-12 14:26:53.000000000 -0500
+@@ -15,9 +15,8 @@
+ #
+ # seunshare local policy
+ #
+-
+-allow seunshare_t self:capability setpcap;
+-allow seunshare_t self:process { setexec signal getcap setcap };
++allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
++allow seunshare_t self:process { fork setexec signal getcap setcap };
+
+ allow seunshare_t self:fifo_file rw_file_perms;
+ allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+@@ -30,6 +29,15 @@
+
+ auth_use_nsswitch(seunshare_t)
+
++logging_send_syslog_msg(seunshare_t)
++
+ miscfiles_read_localization(seunshare_t)
+
+ userdom_use_user_terminals(seunshare_t)
++
++ifdef(`hide_broken_symptoms', `
++ fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
++ optional_policy(`
++ mozilla_dontaudit_manage_user_home_files(seunshare_t)
++ ')
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.33/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/vmware.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/vmware.te 2009-11-12 14:26:53.000000000 -0500
@@ -157,6 +157,7 @@
optional_policy(`
xserver_read_tmp_files(vmware_host_t)
@@ -4458,9 +5447,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
ifdef(`TODO',`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.32/policy/modules/apps/wine.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.33/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/wine.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/wine.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,4 +1,22 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
@@ -4487,10 +5476,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.33/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2009-09-16 10:03:08.000000000 -0400
-@@ -43,3 +43,62 @@
++++ serefpolicy-3.6.33/policy/modules/apps/wine.if 2009-11-12 14:26:53.000000000 -0500
+@@ -43,3 +43,118 @@
wine_domtrans($1)
role $2 types wine_t;
')
@@ -4553,9 +5542,65 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ relabel_files_pattern($2, wine_home_t, wine_home_t)
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te
++
++#######################################
++##
++## The role template for the wine module.
++##
++##
++##
++## This template creates a derived domains which are used
++## for wine applications.
++##
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
++##
++##
++## The role associated with the user domain.
++##
++##
++##
++##
++## The type of the user domain.
++##
++##
++#
++template(`wine_role_template',`
++ gen_require(`
++ type wine_exec_t;
++ ')
++
++ type $1_wine_t;
++ domain_type($1_wine_t)
++ domain_entry_file($1_wine_t, wine_exec_t)
++ role $2 types $1_wine_t;
++
++ userdom_unpriv_usertype($1, $1_wine_t)
++ userdom_manage_tmpfs_role($2, $1_wine_t)
++
++ domain_mmap_low_type($1_wine_t)
++ tunable_policy(`mmap_low_allowed',`
++ domain_mmap_low($1_wine_t)
++ ')
++
++ allow $1_wine_t self:process { execmem execstack };
++ allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
++ domtrans_pattern($3, wine_exec_t, $1_wine_t)
++ corecmd_bin_domtrans($1_wine_t, $1_t)
++
++ optional_policy(`
++ xserver_common_app($1_wine_t)
++ xserver_role($1_r, $1_wine_t)
++ ')
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.33/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/apps/wine.te 2009-11-12 14:26:53.000000000 -0500
@@ -9,20 +9,46 @@
type wine_t;
type wine_exec_t;
@@ -4607,16 +5652,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_app(wine_t)
+ xserver_rw_shm(wine_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.33/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-09-16 10:03:08.000000000 -0400
-@@ -1,4 +1,4 @@
--
-+c
- #
- # /bin
- #
-@@ -54,6 +54,7 @@
++++ serefpolicy-3.6.33/policy/modules/kernel/corecommands.fc 2009-11-12 15:56:19.000000000 -0500
+@@ -54,6 +53,7 @@
/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -4624,7 +5663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
-@@ -125,6 +126,7 @@
+@@ -125,6 +125,7 @@
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
@@ -4632,7 +5671,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /opt
-@@ -142,6 +144,9 @@
+@@ -135,13 +136,15 @@
+
+ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+-/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
+ ifdef(`distro_gentoo',`
+ /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
+ /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -4642,16 +5688,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /usr
#
-@@ -221,6 +226,8 @@
+@@ -211,6 +214,8 @@
+ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
+@@ -221,6 +226,9 @@
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -263,6 +270,7 @@
+@@ -263,6 +271,7 @@
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -4659,7 +5715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -315,3 +323,21 @@
+@@ -315,3 +324,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -4681,9 +5737,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.32/policy/modules/kernel/corecommands.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.33/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/corecommands.if 2009-11-12 14:36:41.000000000 -0500
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -4726,9 +5782,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-09-17 15:45:09.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.33/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/kernel/corenetwork.te.in 2009-11-12 14:26:53.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -4737,7 +5793,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
-@@ -87,17 +88,21 @@
+@@ -75,7 +76,7 @@
+ network_port(amavisd_send, tcp,10025,s0)
+ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
+ network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+-network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
++network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
+ network_port(audit, tcp,60,s0)
+ network_port(auth, tcp,113,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+@@ -87,26 +88,33 @@
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
@@ -4746,8 +5811,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
-network_port(dhcpc, udp,68,s0)
-+network_port(dhcpc, udp,68,s0, tcp,68,s0)
- network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
++network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,547,s0, tcp, 547,s0)
++network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
@@ -4759,8 +5825,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+network_port(ftps, tcp,990,s0, udp,990,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
network_port(giftd, tcp,1213,s0)
++network_port(git, tcp,9418,s0, udp,9418,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
-@@ -107,6 +112,8 @@
+ network_port(gpsd, tcp,2947,s0)
+ network_port(hddtemp, tcp,7634,s0)
+-network_port(howl, tcp,5335,s0, udp,5353,s0)
++network_port(howl, tcp,5353,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
@@ -4769,7 +5839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -129,7 +136,7 @@
+@@ -129,7 +137,7 @@
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -4778,7 +5848,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
-@@ -147,6 +154,12 @@
+@@ -138,7 +146,7 @@
+ network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
+ portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+ network_port(nessus, tcp,1241,s0)
+-network_port(netsupport, tcp,5405,s0, udp,5405,s0)
++network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+ network_port(nmbd, udp,137,s0, udp,138,s0)
+ network_port(ntp, udp,123,s0)
+ network_port(ocsp, tcp,9080,s0)
+@@ -147,12 +155,19 @@
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@@ -4791,8 +5870,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
-@@ -173,27 +186,33 @@
+ network_port(postgresql, tcp,5432,s0)
+ network_port(postgrey, tcp,60000,s0)
+ network_port(prelude, tcp,4690,s0, udp,4690,s0)
++network_port(presence, tcp,5298,s0, udp,5298,s0)
+ network_port(printer, tcp,515,s0)
+ network_port(ptal, tcp,5703,s0)
+ network_port(pulseaudio, tcp,4713,s0)
+@@ -172,29 +187,37 @@
+ network_port(rsync, tcp,873,s0, udp,873,s0)
+ network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
++network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
@@ -4801,7 +5890,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
network_port(spamd, tcp,783,s0)
network_port(speech, tcp,8036,s0)
- network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0, tcp,9000,s0) # snmp and htcp
network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
@@ -4815,10 +5905,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
++network_port(ups, tcp,3493,s0)
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
++network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+network_port(virt_migration, tcp,49152,s0)
+portcon tcp 49153-49216 gen_context(system_u:object_r:virt_migration_port_t,s0)
-+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(vnc, tcp,5900,s0)
+# Reserve 100 ports for vnc/virt machines
+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0)
@@ -4828,7 +5919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -222,6 +241,8 @@
+@@ -223,6 +246,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
@@ -4837,9 +5928,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# network_node examples:
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.33/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-09-29 07:50:28.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/devices.fc 2009-11-12 14:26:53.000000000 -0500
@@ -47,8 +47,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -4868,7 +5959,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -148,6 +151,8 @@
+@@ -139,8 +142,11 @@
+
+ /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
+
++/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
++/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
++
+ /dev/pts(/.*)? <>
+
+ /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -148,6 +154,8 @@
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4877,7 +5980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -168,6 +173,7 @@
+@@ -168,6 +176,7 @@
ifdef(`distro_redhat',`
# originally from named.fc
@@ -4885,9 +5988,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.33/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-09-30 13:17:45.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/devices.if 2009-11-12 14:26:53.000000000 -0500
@@ -1692,6 +1692,78 @@
########################################
@@ -5029,7 +6132,112 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Read the lvm comtrol device.
-@@ -2305,6 +2432,25 @@
+@@ -1818,6 +1945,25 @@
+
+ ########################################
+ ##
++## Do not audit attempts to read and write lvm control device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_dontaudit_rw_lvm_control_dev',`
++ gen_require(`
++ type lvm_control_t;
++ ')
++
++ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++')
++
++
++########################################
++##
+ ## dontaudit getattr raw memory devices (e.g. /dev/mem).
+ ##
+ ##
+@@ -2046,6 +2192,78 @@
+
+ ########################################
+ ##
++## Get the attributes of the modem devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_modem_dev',`
++ gen_require(`
++ type device_t, modem_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, modem_device_t)
++')
++
++########################################
++##
++## Set the attributes of the modem devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_modem_dev',`
++ gen_require(`
++ type device_t, modem_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, modem_device_t)
++')
++
++########################################
++##
++## Read the modem devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_modem',`
++ gen_require(`
++ type device_t, modem_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, modem_device_t)
++')
++
++########################################
++##
++## Read and write to modem devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_modem',`
++ gen_require(`
++ type device_t, modem_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, modem_device_t)
++')
++
++########################################
++##
+ ## Get the attributes of the mouse devices.
+ ##
+ ##
+@@ -2305,6 +2523,25 @@
########################################
##
@@ -5055,7 +6263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write to the null device (/dev/null).
##
##
-@@ -3599,6 +3745,24 @@
+@@ -3599,6 +3836,24 @@
########################################
##
@@ -5080,9 +6288,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write Xen devices.
##
##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.33/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/devices.te 2009-11-12 14:26:53.000000000 -0500
@@ -84,6 +84,13 @@
dev_node(kmsg_device_t)
@@ -5110,7 +6318,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Type for /dev/mapper/control
#
type lvm_control_t;
-@@ -224,6 +237,12 @@
+@@ -110,6 +123,12 @@
+ dev_node(misc_device_t)
+
+ #
++# A general type for modem devices.
++#
++type modem_device_t;
++dev_node(modem_device_t)
++
++#
+ # A more general type for mouse devices.
+ #
+ type mouse_device_t;
+@@ -224,6 +243,12 @@
type watchdog_device_t;
dev_node(watchdog_device_t)
@@ -5123,9 +6344,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xen_device_t;
dev_node(xen_device_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.33/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/domain.if 2009-11-12 14:26:53.000000000 -0500
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -5325,9 +6546,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 unconfined_domain_type:process signal;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.33/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/domain.te 2009-11-13 11:32:05.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@@ -5398,7 +6619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,66 @@
+@@ -153,3 +174,71 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5423,6 +6644,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# these seem questionable:
+
+optional_policy(`
++ abrt_signull(domain)
++ abrt_domtrans_helper(domain)
++')
++
++optional_policy(`
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
+ rpm_dontaudit_leaks(domain)
@@ -5465,9 +6691,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ userdom_relabelto_user_home_dirs(polydomain)
+ userdom_relabelto_user_home_files(polydomain)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.33/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/files.fc 2009-11-12 14:26:53.000000000 -0500
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -5485,22 +6711,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-09-18 21:30:50.000000000 -0400
-@@ -110,6 +110,11 @@
- ##
- #
- interface(`files_config_file',`
-+ gen_require(`
-+ attribute etcfile;
-+ ')
-+
-+ typeattribute $1 etcfile;
- files_type($1)
- ')
-
-@@ -928,10 +933,8 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.33/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-12 13:24:12.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/kernel/files.if 2009-11-12 14:26:53.000000000 -0500
+@@ -932,10 +932,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -5513,7 +6727,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1331,6 +1334,24 @@
+@@ -1154,6 +1152,26 @@
+ allow $1 file_type:filesystem unmount;
+ ')
+
++########################################
++##
++## Read config files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_config_files',`
++ gen_require(`
++ attribute configfile;
++ ')
++
++ allow $1 configfile:dir list_dir_perms;
++ read_files_pattern($1, configfile, configfile)
++ read_lnk_files_pattern($1, configfile, configfile)
++')
++
+ #############################################
+ ##
+ ## Manage all configuration directories on filesystem
+@@ -1411,6 +1429,24 @@
########################################
##
@@ -5538,7 +6779,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Remove entries from the root directory.
##
##
-@@ -1715,6 +1736,25 @@
+@@ -1567,6 +1603,25 @@
+
+ ########################################
+ ##
++## read files in the /boot directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_read_boot_files',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ manage_files_pattern($1, boot_t, boot_t)
++')
++
++########################################
++##
+ ## Create, read, write, and delete files
+ ## in the /boot directory.
+ ##
+@@ -1795,6 +1850,25 @@
########################################
##
@@ -5564,36 +6831,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Mount a filesystem on a directory with the default file type.
##
##
-@@ -1931,6 +1971,28 @@
+@@ -2030,6 +2104,8 @@
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
+ files_read_etc_runtime_files($1)
+ files_read_config_files($1)
-+')
-+
-+########################################
-+##
-+## Read config files in /etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_config_files',`
-+ gen_require(`
-+ attribute etcfile;
-+ ')
-+
-+ allow $1 etcfile:dir list_dir_perms;
-+ read_files_pattern($1, etcfile, etcfile)
-+ read_lnk_files_pattern($1, etcfile, etcfile)
')
########################################
-@@ -2418,6 +2480,11 @@
+@@ -2517,6 +2593,11 @@
')
delete_files_pattern($1, file_t, file_t)
@@ -5605,7 +6852,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3449,6 +3516,24 @@
+@@ -3419,6 +3500,32 @@
+
+ ########################################
+ ##
++## Allow shared library text relocations in tmp files.
++##
++##
++##
++## Allow shared library text relocations in tmp files.
++##
++##
++## This is added to support java policy.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_execmod_tmp',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file execmod;
++')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
+ ##
+ ##
+@@ -3548,6 +3655,24 @@
########################################
##
@@ -5630,7 +6910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read all tmp files.
##
##
-@@ -3515,6 +3600,8 @@
+@@ -3614,6 +3739,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -5639,7 +6919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3623,7 +3710,12 @@
+@@ -3722,7 +3849,12 @@
type usr_t;
')
@@ -5653,7 +6933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3662,6 +3754,7 @@
+@@ -3761,6 +3893,7 @@
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
@@ -5661,7 +6941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -4188,6 +4281,24 @@
+@@ -4906,6 +5039,24 @@
########################################
##
@@ -5683,10 +6963,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
- ## Search the /var/lib directory.
+ ## Search the contents of generic spool
+ ## directories (/var/spool).
##
- ##
-@@ -4955,7 +5066,7 @@
+@@ -5072,7 +5223,7 @@
selinux_compute_member($1)
# Need sys_admin capability for mounting
@@ -5695,7 +6975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -4977,12 +5088,15 @@
+@@ -5094,12 +5245,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -5712,7 +6992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -5003,3 +5117,173 @@
+@@ -5120,3 +5274,173 @@
typeattribute $1 files_unconfined_type;
')
@@ -5886,10 +7166,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+ allow $1 file_type:file entrypoint;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.32/policy/modules/kernel/files.te
---- nsaserefpolicy/policy/modules/kernel/files.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.te 2009-09-16 10:03:08.000000000 -0400
-@@ -42,6 +42,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.33/policy/modules/kernel/files.te
+--- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/kernel/files.te 2009-11-12 14:26:53.000000000 -0500
+@@ -43,6 +43,7 @@
#
type boot_t;
files_mountpoint(boot_t)
@@ -5897,18 +7177,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
-@@ -52,7 +53,9 @@
+@@ -53,7 +54,7 @@
#
# etc_t is the type of the system etc directories.
#
-type etc_t;
-+attribute etcfile;
-+
-+type etc_t, etcfile;
++type etc_t, configfile;
files_type(etc_t)
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
-@@ -193,6 +196,7 @@
+@@ -194,6 +195,7 @@
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
@@ -5916,16 +7194,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.32/policy/modules/kernel/filesystem.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.33/policy/modules/kernel/filesystem.fc
--- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.fc 2009-09-16 10:03:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/filesystem.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1 +1 @@
-# This module currently does not have any file contexts.
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.33/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-09-16 15:58:43.000000000 -0400
-@@ -1149,6 +1149,44 @@
++++ serefpolicy-3.6.33/policy/modules/kernel/filesystem.if 2009-11-12 14:26:53.000000000 -0500
+@@ -290,7 +290,7 @@
+
+ ########################################
+ ##
+-## Read and write files on anon_inodefs
++## Dontaudit Read and write files on anon_inodefs
+ ## file systems.
+ ##
+ ##
+@@ -310,6 +310,26 @@
+
+ ########################################
+ ##
++## Dontaudit Read and write files on anon_inodefs
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_rw_anon_inodefs_files',`
++ gen_require(`
++ type anon_inodefs_t;
++
++ ')
++
++ dontaudit $1 anon_inodefs_t:file { read write };
++')
++
++########################################
++##
+ ## Mount an automount pseudo filesystem.
+ ##
+ ##
+@@ -1149,6 +1169,44 @@
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -5970,7 +7284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Mount a DOS filesystem, such as
-@@ -1537,6 +1575,24 @@
+@@ -1537,6 +1595,24 @@
########################################
##
@@ -5995,7 +7309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Search inotifyfs filesystem.
##
##
-@@ -2542,6 +2598,42 @@
+@@ -2542,6 +2618,42 @@
########################################
##
@@ -6038,7 +7352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write NFS server files.
##
##
-@@ -3971,3 +4063,122 @@
+@@ -3971,3 +4083,122 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -6161,19 +7475,53 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit $1 xenfs_t:file manage_file_perms;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.33/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2009-09-16 10:03:09.000000000 -0400
-@@ -93,7 +93,7 @@
++++ serefpolicy-3.6.33/policy/modules/kernel/filesystem.te 2009-11-13 15:47:18.000000000 -0500
+@@ -29,6 +29,7 @@
+ fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+@@ -93,7 +94,9 @@
type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
-genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
++files_type(hugetlbfs_t)
++files_poly_parent(hugetlbfs_t)
+fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -250,9 +250,13 @@
+@@ -171,6 +174,7 @@
+ fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
+ fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
+ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
++fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
+
+ allow tmpfs_t noxattrfs:filesystem associate;
+
+@@ -200,6 +204,7 @@
+ #
+ type dosfs_t;
+ fs_noxattr_type(dosfs_t)
++files_mountpoint(dosfs_t)
+ allow dosfs_t fs_t:filesystem associate;
+ genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
+ genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
+@@ -223,6 +228,7 @@
+ #
+ type iso9660_t;
+ fs_noxattr_type(iso9660_t)
++files_mountpoint(iso9660_t)
+ genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
+ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+
+@@ -250,9 +256,13 @@
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -6188,9 +7536,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Rules for all filesystem types
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.33/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-09-21 08:19:13.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/kernel.if 2009-11-12 14:26:53.000000000 -0500
@@ -485,6 +485,25 @@
########################################
@@ -6217,7 +7565,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Get information on all System V IPC objects.
##
##
-@@ -1807,7 +1826,7 @@
+@@ -922,6 +941,28 @@
+
+ ########################################
+ ##
++## Allows caller to read th core kernel interface.
++##
++##
++##
++## The process type getting the attibutes.
++##
++##
++#
++interface(`kernel_read_core_if',`
++ gen_require(`
++ type proc_t, proc_kcore_t;
++ attribute can_dump_kernel;
++ ')
++
++ read_files_pattern($1, proc_t, proc_kcore_t)
++ list_dirs_pattern($1, proc_t, proc_t)
++
++ typeattribute $1 can_dump_kernel;
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes of
+ ## core kernel interfaces.
+ ##
+@@ -1807,7 +1848,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -6226,7 +7603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2621,6 +2640,24 @@
+@@ -2621,6 +2662,24 @@
########################################
##
@@ -6251,7 +7628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Unconfined access to kernel module resources.
##
##
-@@ -2636,3 +2673,22 @@
+@@ -2636,3 +2695,22 @@
typeattribute $1 kern_unconfined;
')
@@ -6274,10 +7651,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.32/policy/modules/kernel/kernel.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.33/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.te 2009-09-16 10:03:09.000000000 -0400
-@@ -63,6 +63,15 @@
++++ serefpolicy-3.6.33/policy/modules/kernel/kernel.te 2009-11-12 14:26:53.000000000 -0500
+@@ -9,6 +9,7 @@
+ # assertion related attributes
+ attribute can_load_kernmodule;
+ attribute can_receive_kernel_messages;
++attribute can_dump_kernel;
+
+ neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
+
+@@ -63,6 +64,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
#
@@ -6293,7 +7678,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# kvmFS
#
-@@ -165,6 +174,7 @@
+@@ -90,7 +100,7 @@
+
+ # /proc kcore: inaccessible
+ type proc_kcore_t, proc_type;
+-neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
++neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
+ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+
+ type proc_mdstat_t, proc_type;
+@@ -165,6 +175,7 @@
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -6301,7 +7695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -255,7 +265,8 @@
+@@ -255,7 +266,8 @@
selinux_load_policy(kernel_t)
@@ -6311,7 +7705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -269,6 +280,8 @@
+@@ -269,6 +281,8 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -6320,7 +7714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mcs_process_set_categories(kernel_t)
-@@ -276,12 +289,18 @@
+@@ -276,12 +290,18 @@
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
@@ -6339,7 +7733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -355,7 +374,11 @@
+@@ -355,7 +375,11 @@
')
optional_policy(`
@@ -6352,15 +7746,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -387,3 +410,5 @@
+@@ -387,3 +411,5 @@
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+
+files_boot(kernel_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.32/policy/modules/kernel/selinux.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.33/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/selinux.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/selinux.if 2009-11-12 14:26:53.000000000 -0500
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -6418,9 +7812,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_type($1)
+ mls_trusted_object($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.32/policy/modules/kernel/storage.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.33/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/storage.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/storage.fc 2009-11-12 14:26:53.000000000 -0500
@@ -28,6 +28,7 @@
/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -6429,9 +7823,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.32/policy/modules/kernel/storage.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.33/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/storage.if 2009-09-23 10:29:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/storage.if 2009-11-12 14:26:53.000000000 -0500
@@ -266,6 +266,7 @@
dev_list_all_dev_nodes($1)
@@ -6449,9 +7843,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.32/policy/modules/kernel/terminal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.33/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/terminal.fc 2009-11-12 14:26:53.000000000 -0500
@@ -13,6 +13,7 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -6460,9 +7854,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.33/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/terminal.if 2009-11-12 14:26:53.000000000 -0500
@@ -196,7 +196,7 @@
dev_list_all_dev_nodes($1)
@@ -6534,9 +7928,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Read and write the controlling
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.32/policy/modules/kernel/terminal.te
+@@ -991,10 +1029,12 @@
+ interface(`term_use_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
++ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file rw_chr_file_perms;
++ allow $1 console_device_t:chr_file rw_chr_file_perms;
+ ')
+
+ ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.33/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/kernel/terminal.te 2009-11-12 14:26:53.000000000 -0500
@@ -44,6 +44,7 @@
type ptmx_t;
dev_node(ptmx_t)
@@ -6545,9 +7952,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# tty_device_t is the type of /dev/*tty*
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.32/policy/modules/roles/guest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.33/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/roles/guest.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/roles/guest.te 2009-11-12 14:26:53.000000000 -0500
@@ -16,7 +16,11 @@
#
@@ -6562,33 +7969,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.33/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2009-09-16 10:03:09.000000000 -0400
-@@ -15,156 +15,109 @@
++++ serefpolicy-3.6.33/policy/modules/roles/staff.te 2009-11-12 14:26:53.000000000 -0500
+@@ -10,161 +10,117 @@
+
+ userdom_unpriv_user_template(staff)
+
++# needed for sandbox
++allow staff_t self:process setexec;
++
+ ########################################
+ #
# Local policy
#
-optional_policy(`
- apache_role(staff_r, staff_t)
-')
-+kernel_read_ring_buffer(staff_t)
-+kernel_getattr_core_if(staff_t)
-+kernel_getattr_message_if(staff_t)
-+kernel_read_software_raid_state(staff_t)
-
+-
-optional_policy(`
- auth_role(staff_r, staff_t)
-')
-+auth_domtrans_pam_console(staff_t)
-
+-
-optional_policy(`
- auditadm_role_change(staff_r)
-')
-+seutil_run_newrole(staff_t, staff_r)
-+netutils_run_ping(staff_t, staff_r)
-
- optional_policy(`
+-
+-optional_policy(`
- bluetooth_role(staff_r, staff_t)
-')
-
@@ -6615,16 +8023,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- games_role(staff_r, staff_t)
-')
--
++kernel_read_ring_buffer(staff_t)
++kernel_getattr_core_if(staff_t)
++kernel_getattr_message_if(staff_t)
++kernel_read_software_raid_state(staff_t)
+
-optional_policy(`
- gift_role(staff_r, staff_t)
-')
--
++auth_domtrans_pam_console(staff_t)
+
-optional_policy(`
- gnome_role(staff_r, staff_t)
-')
--
--optional_policy(`
++seutil_run_newrole(staff_t, staff_r)
++netutils_run_ping(staff_t, staff_r)
+
+ optional_policy(`
- gpg_role(staff_r, staff_t)
+ sudo_role_template(staff, staff_r, staff_t)
')
@@ -6760,9 +8175,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- xserver_role(staff_r, staff_t)
+ virt_stream_connect(staff_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.33/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/roles/sysadm.te 2009-11-12 14:26:53.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -6772,7 +8187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r)
-@@ -35,6 +35,7 @@
+@@ -35,10 +35,13 @@
ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
@@ -6780,7 +8195,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
-@@ -70,7 +71,6 @@
+ userdom_home_filetrans_user_home_dir(sysadm_t)
++userdom_manage_user_tmp_chr_files(sysadm_t)
++userdom_manage_user_tmp_blk_files(sysadm_t)
+
+ ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+@@ -70,7 +73,6 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -6788,7 +8209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -87,10 +87,6 @@
+@@ -87,10 +89,6 @@
')
optional_policy(`
@@ -6799,7 +8220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
backup_run(sysadm_t, sysadm_r)
')
-@@ -99,18 +95,10 @@
+@@ -99,18 +97,10 @@
')
optional_policy(`
@@ -6818,7 +8239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -127,7 +115,7 @@
+@@ -127,7 +117,7 @@
')
optional_policy(`
@@ -6827,7 +8248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -135,10 +123,6 @@
+@@ -135,10 +125,6 @@
')
optional_policy(`
@@ -6838,7 +8259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
-@@ -166,10 +150,6 @@
+@@ -166,10 +152,6 @@
')
optional_policy(`
@@ -6849,7 +8270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
firstboot_run(sysadm_t, sysadm_r)
')
-@@ -178,22 +158,6 @@
+@@ -178,22 +160,6 @@
')
optional_policy(`
@@ -6872,7 +8293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_run(sysadm_t, sysadm_r)
')
-@@ -205,6 +169,8 @@
+@@ -205,6 +171,8 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -6881,7 +8302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -212,11 +178,7 @@
+@@ -212,11 +180,7 @@
')
optional_policy(`
@@ -6894,7 +8315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -228,10 +190,6 @@
+@@ -228,10 +192,6 @@
')
optional_policy(`
@@ -6905,7 +8326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logrotate_run(sysadm_t, sysadm_r)
')
-@@ -255,14 +213,6 @@
+@@ -255,14 +215,6 @@
')
optional_policy(`
@@ -6920,7 +8341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mta_role(sysadm_r, sysadm_t)
')
-@@ -290,11 +240,6 @@
+@@ -290,11 +242,6 @@
')
optional_policy(`
@@ -6932,7 +8353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
-@@ -308,7 +253,7 @@
+@@ -308,7 +255,7 @@
')
optional_policy(`
@@ -6941,7 +8362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -320,10 +265,6 @@
+@@ -320,10 +267,6 @@
')
optional_policy(`
@@ -6952,7 +8373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpc_domtrans_nfsd(sysadm_t)
')
-@@ -332,10 +273,6 @@
+@@ -332,10 +275,6 @@
')
optional_policy(`
@@ -6963,7 +8384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rsync_exec(sysadm_t)
')
-@@ -345,10 +282,6 @@
+@@ -345,10 +284,6 @@
')
optional_policy(`
@@ -6974,7 +8395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
secadm_role_change(sysadm_r)
')
-@@ -358,35 +291,15 @@
+@@ -358,35 +293,15 @@
')
optional_policy(`
@@ -7010,7 +8431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +307,10 @@
+@@ -394,18 +309,10 @@
')
optional_policy(`
@@ -7029,7 +8450,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(sysadm_t)
')
-@@ -418,17 +323,13 @@
+@@ -418,17 +325,13 @@
')
optional_policy(`
@@ -7048,7 +8469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -440,13 +341,12 @@
+@@ -440,13 +343,12 @@
')
optional_policy(`
@@ -7066,49 +8487,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+init_script_role_transition(sysadm_r)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.33/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2009-09-16 10:03:09.000000000 -0400
-@@ -0,0 +1,36 @@
++++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,8 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
-+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+ifdef(`distro_gentoo',`
-+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+')
-+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
-+/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/opera/[^/]*/works -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/opera/[^/]*/opera -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.33/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.if 2009-11-12 14:41:36.000000000 -0500
@@ -0,0 +1,638 @@
+## Unconfiend user role
+
@@ -7669,10 +9062,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`unconfined_execmem_domtrans',`
+
+ gen_require(`
-+ type unconfined_execmem_t, execmem_exec_t;
++ type unconfined_execmem_t;
+ ')
+
-+ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t)
++ execmem_domtrans($1, unconfined_execmem_t)
+')
+
+########################################
@@ -7748,10 +9141,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 unconfined_r;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-09-20 08:49:01.000000000 -0400
-@@ -0,0 +1,402 @@
++++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te 2009-11-12 15:05:29.000000000 -0500
+@@ -0,0 +1,430 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -7789,6 +9182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+userdom_execmod_user_home_files(unconfined_t)
++userdom_unpriv_usertype(unconfined, unconfined_t)
+
+type unconfined_exec_t;
+init_system_domain(unconfined_t, unconfined_exec_t)
@@ -7801,14 +9195,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+role system_r types unconfined_t;
+typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t };
+
-+type unconfined_execmem_t;
-+type execmem_exec_t;
-+init_system_domain(unconfined_execmem_t, execmem_exec_t)
-+role unconfined_r types unconfined_execmem_t;
-+typealias execmem_exec_t alias unconfined_execmem_exec_t;
-+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
-+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
-+
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
@@ -7824,8 +9210,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
-+domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t)
-+
+files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
+
@@ -7873,18 +9257,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
-+ loadkeys_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
+ gen_require(`
+ attribute unconfined_usertype;
+ ')
+
+ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
+ tunable_policy(`allow_unconfined_nsplugin_transition',`
-+ nsplugin_domtrans(unconfined_execmem_t)
-+ nsplugin_domtrans_config(unconfined_execmem_t)
+ nsplugin_domtrans(unconfined_t)
+ nsplugin_domtrans_config(unconfined_t)
+ ')
@@ -7916,6 +9294,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
++ chrome_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
+ init_dbus_chat_script(unconfined_t)
+
+ dbus_stub(unconfined_t)
@@ -7978,7 +9360,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
-+ java_run_unconfined(unconfined_t, unconfined_r)
++ java_role_template(unconfined, unconfined_r, unconfined_t)
++ role system_r types unconfined_java_t;
++
++ files_execmod_all_files(unconfined_java_t)
++
++ init_dbus_chat_script(unconfined_java_t)
++
++ unconfined_domain_noaudit(unconfined_java_t)
++ unconfined_dbus_chat(unconfined_java_t)
++ optional_policy(`
++ hal_dbus_chat(unconfined_java_t)
++ ')
++
++ optional_policy(`
++ rpm_domtrans(unconfined_java_t)
++ ')
+')
+
+optional_policy(`
@@ -8038,7 +9435,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+optional_policy(`
+ rtkit_daemon_system_domain(unconfined_t)
-+ rtkit_daemon_system_domain(unconfined_execmem_t)
+')
+
+optional_policy(`
@@ -8067,6 +9463,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
++ vbetool_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ vpn_run(unconfined_t, unconfined_r)
+')
+
@@ -8079,7 +9479,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
++ xserver_run(unconfined_t, unconfined_r)
+ xserver_rw_shm(unconfined_t)
++ xserver_run_xauth(unconfined_t, unconfined_r)
+')
+
+########################################
@@ -8087,12 +9489,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# Unconfined Execmem Local policy
+#
+
-+allow unconfined_execmem_t self:process { execstack execmem };
++optional_policy(`
++execmem_role_template(unconfined, unconfined_r, unconfined_t)
++typealias unconfined_execmem_t alias execmem_t;
+unconfined_domain_noaudit(unconfined_execmem_t)
+allow unconfined_execmem_t unconfined_t:process transition;
+rpm_transition_script(unconfined_execmem_t)
+
+optional_policy(`
++ sandbox_transition(unconfined_execmem_t, unconfined_r)
++')
++optional_policy(`
++ tunable_policy(`allow_unconfined_nsplugin_transition',`
++ nsplugin_domtrans(unconfined_execmem_t)
++ nsplugin_domtrans_config(unconfined_execmem_t)
++ ')
++')
++
++optional_policy(`
+ init_dbus_chat_script(unconfined_execmem_t)
+ dbus_system_bus_client(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
@@ -8103,12 +9517,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ avahi_dbus_chat(unconfined_execmem_t)
+')
+
-+ optional_policy(`
-+ hal_dbus_chat(unconfined_execmem_t)
++optional_policy(`
++ hal_dbus_chat(unconfined_execmem_t)
++')
++optional_policy(`
++ gen_require(`
++ type mplayer_exec_t;
++ type unconfined_execmem_t;
+ ')
++ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
++')
+
+optional_policy(`
-+ xserver_rw_shm(unconfined_execmem_t)
++tunable_policy(`allow_unconfined_nsplugin_transition',`', `
++ gen_require(`
++ type mozilla_exec_t;
++ type unconfined_execmem_t;
++ type nsplugin_exec_t;
++ ')
++ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
++ domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t)
++')
++')
++
++optional_policy(`
++ gen_require(`
++ type openoffice_exec_t;
++ type unconfined_execmem_t;
++ ')
++ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t)
++')
++
++
+')
+
+########################################
@@ -8124,26 +9564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+domain_ptrace_all_domains(unconfined_notrans_t)
+
+optional_policy(`
-+ gen_require(`
-+ type mplayer_exec_t;
-+ ')
-+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
-+')
-+
-+optional_policy(`
-+tunable_policy(`allow_unconfined_nsplugin_transition',`', `
-+ gen_require(`
-+ type mozilla_exec_t;
-+ ')
-+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
-+')
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type openoffice_exec_t;
-+ ')
-+ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t)
++ policykit_role(unconfined_r, unconfined_notrans_t)
+')
+
+########################################
@@ -8154,10 +9575,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.32/policy/modules/roles/unprivuser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.33/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te 2009-09-16 10:03:09.000000000 -0400
-@@ -14,142 +14,21 @@
++++ serefpolicy-3.6.33/policy/modules/roles/unprivuser.te 2009-11-12 14:26:53.000000000 -0500
+@@ -14,96 +14,19 @@
userdom_unpriv_user_template(user)
optional_policy(`
@@ -8177,10 +9598,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- cdrecord_role(user_r, user_t)
-+ sandbox_transition(user_t, user_r)
- ')
-
- optional_policy(`
+-')
+-
+-optional_policy(`
- cron_role(user_r, user_t)
-')
-
@@ -8255,13 +9675,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
-optional_policy(`
- rssh_role(user_r, user_t)
--')
--
--optional_policy(`
-- screen_role_template(user, user_r, user_t)
--')
--
--optional_policy(`
++ sandbox_transition(user_t, user_r)
+ ')
+
+ optional_policy(`
+@@ -111,45 +34,5 @@
+ ')
+
+ optional_policy(`
- spamassassin_role(user_r, user_t)
-')
-
@@ -8305,10 +9726,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- xserver_role(user_r, user_t)
+ setroubleshoot_dontaudit_stream_connect(user_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.33/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-09-16 10:03:09.000000000 -0400
-@@ -36,11 +36,17 @@
++++ serefpolicy-3.6.33/policy/modules/roles/xguest.te 2009-11-12 14:26:53.000000000 -0500
+@@ -31,16 +31,37 @@
+
+ userdom_restricted_xwindows_user_template(xguest)
+
++ifndef(`enable_mls',`
++ fs_exec_noxattr(xguest_t)
++
++ tunable_policy(`user_rw_noexattrfile',`
++ fs_manage_noxattr_fs_files(xguest_t)
++ fs_manage_noxattr_fs_dirs(xguest_t)
++ # Write floppies
++ storage_raw_read_removable_device(xguest_t)
++ storage_raw_write_removable_device(xguest_t)
++ ',`
++ storage_raw_read_removable_device(xguest_t)
++ ')
++')
++storage_rw_fuse(xguest_t)
++
+ ########################################
+ #
# Local policy
#
@@ -8326,7 +9767,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -67,7 +73,11 @@
+@@ -49,6 +70,7 @@
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
++ fs_mount_fusefs(xguest_t)
+
+ auth_list_pam_console_data(xguest_t)
+
+@@ -67,7 +89,11 @@
')
optional_policy(`
@@ -8339,7 +9788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -75,9 +85,13 @@
+@@ -75,9 +101,16 @@
')
optional_policy(`
@@ -8349,27 +9798,96 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
++ networkmanager_read_var_lib_files(xguest_t)
++ corenet_tcp_connect_pulseaudio_port(xguest_t)
++ corenet_tcp_connect_ipp_port(xguest_t)
')
')
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.32/policy/modules/services/abrt.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.33/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.fc 2009-09-16 10:03:09.000000000 -0400
-@@ -1,7 +1,7 @@
++++ serefpolicy-3.6.33/policy/modules/services/abrt.fc 2009-11-13 11:25:52.000000000 -0500
+@@ -1,11 +1,15 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-/usr/sbin/abrt -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++
++/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if
+ /var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+ /var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.33/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2009-09-17 15:49:39.000000000 -0400
-@@ -75,6 +75,27 @@
++++ serefpolicy-3.6.33/policy/modules/services/abrt.if 2009-11-13 11:25:29.000000000 -0500
+@@ -19,6 +19,24 @@
+ domtrans_pattern($1, abrt_exec_t, abrt_t)
+ ')
+
++#####################################
++##
++## Execute abrt-helper in the abrt-helper domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`abrt_domtrans_helper',`
++ gen_require(`
++ type abrt_helper_t, abrt_helper_exec_t;
++ ')
++
++ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
++')
++
+ ######################################
+ ##
+ ## Execute abrt
+@@ -56,6 +74,32 @@
+ read_files_pattern($1, abrt_etc_t, abrt_etc_t)
+ ')
+
++########################################
++##
++## Execute abrt helper in the abrt_helper domain, and
++## allow the specified role the abrt_helper domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++##
++##
++## The role to be allowed the abrt_helper domain.
++##
++##
++##
++#
++interface(`abrt_run_helper',`
++ gen_require(`
++ type abrt_helper_t;
++ ')
++
++ abrt_domtrans_helper($1)
++ role $2 types abrt_helper_t;
++')
++
+ ######################################
+ ##
+ ## Read abrt logs.
+@@ -75,6 +119,64 @@
read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
')
@@ -8393,37 +9911,147 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 abrt_t:dbus send_msg;
+ allow abrt_t $1:dbus send_msg;
+')
++
++########################################
++##
++## Send and receive messages from
++## abrt over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_cache_manage',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++')
++
++########################################
++##
++## Send a null signal to abrt.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_signull',`
++ gen_require(`
++ type abrt_t;
++ ')
++
++ allow $1 abrt_t:process signull;
++')
+
#####################################
##
## All of the rules required to administrate
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.33/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-09-29 16:46:09.000000000 -0400
-@@ -75,6 +75,7 @@
++++ serefpolicy-3.6.33/policy/modules/services/abrt.te 2009-11-13 11:25:18.000000000 -0500
+@@ -33,12 +33,23 @@
+ type abrt_var_run_t;
+ files_pid_file(abrt_var_run_t)
+
++# type needed to allow all domains
++# to handle /var/cache/abrt
++type abrt_helper_t;
++type abrt_helper_exec_t;
++application_domain(abrt_helper_t, abrt_helper_exec_t)
++role system_r types abrt_helper_t;
++
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
++')
++
+ ########################################
+ #
+ # abrt local policy
+ #
+
+-allow abrt_t self:capability { setuid setgid sys_nice dac_override };
++allow abrt_t self:capability { chown setuid setgid sys_nice dac_override };
+ allow abrt_t self:process { signal signull setsched getsched };
+
+ allow abrt_t self:fifo_file rw_fifo_file_perms;
+@@ -60,13 +71,15 @@
+ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+
+ # abrt var/cache files
+-manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
++manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
++manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+
+ # abrt pid files
+-manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
++manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
++manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+
+ kernel_read_ring_buffer(abrt_t)
+@@ -75,11 +88,17 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
++corenet_tcp_connect_ftp_port(abrt_t)
++corenet_tcp_connect_all_ports(abrt_t)
-@@ -105,13 +106,22 @@
- dbus_system_bus_client(abrt_t)
- ')
+ dev_read_urand(abrt_t)
++domain_read_all_domains_state(abrt_t)
++domain_signull_all_domains(abrt_t)
++
+ files_getattr_all_files(abrt_t)
+ files_read_etc_files(abrt_t)
+ files_read_usr_files(abrt_t)
+@@ -96,22 +115,59 @@
+ miscfiles_read_certs(abrt_t)
+ miscfiles_read_localization(abrt_t)
+
+-# to run bugzilla plugin
+-# read ~/.abrt/Bugzilla.conf
+-userdom_read_user_home_content_files(abrt_t)
++userdom_dontaudit_read_user_home_content_files(abrt_t)
++
+optional_policy(`
-+ nsplugin_read_rw_files(abrt_t)
++ dbus_system_domain(abrt_t, abrt_exec_t)
+')
+
++optional_policy(`
++ nsplugin_read_rw_files(abrt_t)
++ nsplugin_read_home(abrt_t)
++')
+
+ optional_policy(`
+- dbus_connect_system_bus(abrt_t)
+- dbus_system_bus_client(abrt_t)
++ policykit_dbus_chat(abrt_t)
++ policykit_domtrans_auth(abrt_t)
++ policykit_read_lib(abrt_t)
++ policykit_read_reload(abrt_t)
+ ')
+
# to install debuginfo packages
optional_policy(`
- rpm_manage_db(abrt_t)
- rpm_domtrans(abrt_t)
+ rpm_manage_cache(abrt_t)
+ rpm_read_db(abrt_t)
++ rpm_read_pid_files(abrt_t)
++ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
-+ rpm_domtrans_debuginfo(abrt_t)
+ rpm_signull(abrt_t)
')
@@ -8432,10 +10060,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sendmail_domtrans(abrt_t)
')
+
++optional_policy(`
++ sssd_stream_connect(abrt_t)
++')
++
+permissive abrt_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.32/policy/modules/services/afs.fc
++
++########################################
++#
++# abrt--helper local policy
++#
++
++allow abrt_helper_t self:capability { setgid };
++read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
++
++manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
++manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
++manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
++files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
++
++files_read_etc_files(abrt_helper_t)
++
++permissive abrt_helper_t;
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.33/policy/modules/services/afs.fc
--- nsaserefpolicy/policy/modules/services/afs.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/afs.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/afs.fc 2009-11-12 14:26:53.000000000 -0500
@@ -25,6 +25,7 @@
/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
@@ -8444,9 +10094,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/vicepa gen_context(system_u:object_r:afs_files_t,s0)
/vicepb gen_context(system_u:object_r:afs_files_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.32/policy/modules/services/afs.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.33/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/afs.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/afs.te 2009-11-13 08:49:52.000000000 -0500
+@@ -71,7 +71,7 @@
+ # afs client local policy
+ #
+
+-allow afs_t self:capability { sys_nice sys_tty_config };
++allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
+ allow afs_t self:process setsched;
+ allow afs_t self:udp_socket create_socket_perms;
+ allow afs_t self:fifo_file rw_file_perms;
@@ -83,6 +83,7 @@
files_mounton_mnt(afs_t)
@@ -8455,9 +10114,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_rw_etc_runtime_files(afs_t)
fs_getattr_xattr_fs(afs_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.6.32/policy/modules/services/aisexec.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.6.33/policy/modules/services/aisexec.fc
--- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/aisexec.fc 2009-09-29 09:58:56.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/aisexec.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
@@ -8471,9 +10130,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
+
+/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.6.32/policy/modules/services/aisexec.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.6.33/policy/modules/services/aisexec.if
--- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/aisexec.if 2009-09-29 09:58:56.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/aisexec.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,106 @@
+## SELinux policy for Aisexec Cluster Engine
+
@@ -8581,9 +10240,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.6.32/policy/modules/services/aisexec.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.6.33/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/aisexec.te 2009-09-29 09:58:56.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/aisexec.te 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,112 @@
+
+policy_module(aisexec,1.0.0)
@@ -8697,9 +10356,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+groupd_rw_semaphores(aisexec_t)
+groupd_rw_shm(aisexec_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.32/policy/modules/services/amavis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.33/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/amavis.te 2009-09-28 09:36:06.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/amavis.te 2009-11-12 14:26:53.000000000 -0500
@@ -103,6 +103,8 @@
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)
@@ -8709,10 +10368,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# find perl
corecmd_exec_bin(amavis_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.33/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-09-28 16:53:33.000000000 -0400
-@@ -1,12 +1,13 @@
++++ serefpolicy-3.6.33/policy/modules/services/apache.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -1,12 +1,15 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -8725,24 +10384,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
++/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -22,6 +23,7 @@
+@@ -21,10 +24,13 @@
+ /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-@@ -32,12 +34,17 @@
++/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+ /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+
+@@ -32,12 +38,19 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
+/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -8750,20 +10418,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -47,6 +54,7 @@
+@@ -46,7 +59,9 @@
+ /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -50,8 +58,10 @@
+@@ -50,13 +65,17 @@
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -8774,7 +10445,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -64,11 +74,34 @@
+ /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++
+ ifdef(`distro_debian', `
+ /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ ')
+@@ -64,11 +83,33 @@
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -8799,6 +10477,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0)
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
++/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -8807,12 +10487,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
-+
-+
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.33/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-09-29 07:46:30.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/apache.if 2009-11-12 14:26:53.000000000 -0500
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -9416,9 +11093,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+ typeattribute $1 httpd_rw_content;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.33/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/apache.te 2009-11-12 14:26:53.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -9692,7 +11369,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+')
+
@@ -9703,8 +11381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
- tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`allow_httpd_mod_auth_pam',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
@@ -9809,10 +11486,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,6 +583,10 @@
+@@ -451,6 +583,14 @@
')
optional_policy(`
++ cobbler_search_lib(httpd_t)
++')
++
++optional_policy(`
+ cvs_read_data(httpd_t)
+')
+
@@ -9820,7 +11501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(httpd_t, httpd_exec_t)
')
-@@ -459,8 +595,13 @@
+@@ -459,8 +599,13 @@
')
optional_policy(`
@@ -9836,7 +11517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -468,22 +609,18 @@
+@@ -468,22 +613,19 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
@@ -9858,10 +11539,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
nagios_read_config(httpd_t)
- nagios_domtrans_cgi(httpd_t)
++ nagios_read_log(httpd_t)
')
optional_policy(`
-@@ -494,12 +631,23 @@
+@@ -494,12 +636,23 @@
')
optional_policy(`
@@ -9885,7 +11567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -508,6 +656,7 @@
+@@ -508,6 +661,7 @@
')
optional_policy(`
@@ -9893,7 +11575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -535,6 +684,23 @@
+@@ -535,6 +689,23 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -9917,7 +11599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Apache PHP script local policy
-@@ -564,20 +730,25 @@
+@@ -564,20 +735,25 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -9949,7 +11631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -595,23 +766,24 @@
+@@ -595,23 +771,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -9978,7 +11660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +796,7 @@
+@@ -624,6 +801,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -9986,7 +11668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -631,22 +804,30 @@
+@@ -631,22 +809,31 @@
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -10014,6 +11696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
-
@@ -10024,7 +11707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +853,14 @@
+@@ -672,15 +859,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -10043,7 +11726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +879,24 @@
+@@ -699,12 +885,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -10070,7 +11753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +904,35 @@
+@@ -712,6 +910,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -10106,7 +11789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +945,10 @@
+@@ -724,6 +951,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -10117,7 +11800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -735,6 +960,8 @@
+@@ -735,6 +966,8 @@
# httpd_rotatelogs local policy
#
@@ -10126,7 +11809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +981,12 @@
+@@ -754,11 +987,88 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -10139,10 +11822,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# allow accessing files/dirs below the users home dir
-@@ -762,3 +995,74 @@
- userdom_search_user_home_dirs(httpd_suexec_t)
- userdom_search_user_home_dirs(httpd_user_script_t)
- ')
+ tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_t)
+- userdom_search_user_home_dirs(httpd_suexec_t)
+- userdom_search_user_home_dirs(httpd_user_script_t)
++ userdom_search_user_home_content(httpd_t)
++ userdom_search_user_home_content(httpd_suexec_t)
++ userdom_search_user_home_content(httpd_user_script_t)
++')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
@@ -10196,7 +11883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
-+')
+ ')
+
+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
@@ -10214,9 +11901,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.32/policy/modules/services/apm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.33/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/apm.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/apm.te 2009-11-12 14:26:53.000000000 -0500
@@ -60,7 +60,7 @@
# mknod: controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
@@ -10226,10 +11913,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.32/policy/modules/services/automount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.33/policy/modules/services/asterisk.if
+--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/asterisk.if 2009-11-12 14:26:53.000000000 -0500
+@@ -1,5 +1,26 @@
+ ## Asterisk IP telephony server
+
++#####################################
++##
++## Connect to asterisk over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`asterisk_stream_connect',`
++ gen_require(`
++ type asterisk_t, asterisk_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
++')
++
++
+ ########################################
+ ##
+ ## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.33/policy/modules/services/asterisk.te
+--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/asterisk.te 2009-11-12 14:26:53.000000000 -0500
+@@ -34,6 +34,8 @@
+ type asterisk_var_run_t;
+ files_pid_file(asterisk_var_run_t)
+
++permissive asterisk_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -97,6 +99,7 @@
+ corenet_udp_bind_generic_node(asterisk_t)
+ corenet_tcp_bind_asterisk_port(asterisk_t)
+ corenet_udp_bind_asterisk_port(asterisk_t)
++corenet_udp_bind_sip_port(asterisk_t)
+ corenet_sendrecv_asterisk_server_packets(asterisk_t)
+ # for VOIP voice channels.
+ corenet_tcp_bind_generic_port(asterisk_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.33/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/automount.te 2009-09-16 10:03:09.000000000 -0400
-@@ -129,6 +129,7 @@
++++ serefpolicy-3.6.33/policy/modules/services/automount.te 2009-11-12 14:26:53.000000000 -0500
+@@ -75,6 +75,7 @@
+
+ fs_mount_all_fs(automount_t)
+ fs_unmount_all_fs(automount_t)
++fs_search_all(automount_t)
+
+ corecmd_exec_bin(automount_t)
+ corecmd_exec_shell(automount_t)
+@@ -129,6 +130,7 @@
fs_unmount_autofs(automount_t)
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
@@ -10237,9 +11982,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_rw_fuse(automount_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.33/policy/modules/services/avahi.te
+--- nsaserefpolicy/policy/modules/services/avahi.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/avahi.te 2009-11-12 14:26:53.000000000 -0500
+@@ -24,7 +24,7 @@
+ # Local policy
+ #
+
+-allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
++allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin setuid sys_chroot };
+ dontaudit avahi_t self:capability sys_tty_config;
+ allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+ allow avahi_t self:fifo_file rw_fifo_file_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.33/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/bind.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/bind.if 2009-11-12 14:26:53.000000000 -0500
@@ -235,7 +235,7 @@
########################################
@@ -10301,12 +12058,58 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an bind environment
##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te
---- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2009-09-22 20:55:58.000000000 -0400
-@@ -56,7 +56,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.33/policy/modules/services/bitlbee.te
+--- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/bitlbee.te 2009-11-12 14:26:53.000000000 -0500
+@@ -68,6 +68,8 @@
+ # MSN can use passport auth, which is over http:
+ corenet_tcp_connect_http_port(bitlbee_t)
+ corenet_tcp_sendrecv_http_port(bitlbee_t)
++corenet_tcp_connect_http_cache_port(bitlbee_t)
++corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
- allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
+ dev_read_rand(bitlbee_t)
+ dev_read_urand(bitlbee_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.6.33/policy/modules/services/bluetooth.if
+--- nsaserefpolicy/policy/modules/services/bluetooth.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/bluetooth.if 2009-11-12 14:26:53.000000000 -0500
+@@ -153,6 +153,27 @@
+ dontaudit $1 bluetooth_helper_t:file { read getattr };
+ ')
+
++#####################################
++##
++## Connect to bluetooth over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bluetooth_stream_connect',`
++ gen_require(`
++ type bluetooth_t, bluetooth_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 bluetooth_t:socket rw_socket_perms;
++ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
++')
++
+ ########################################
+ ##
+ ## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.33/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/bluetooth.te 2009-11-12 14:26:53.000000000 -0500
+@@ -54,9 +54,9 @@
+ # Bluetooth services local policy
+ #
+
+-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
-allow bluetooth_t self:process { getsched signal_perms };
+allow bluetooth_t self:process { getcap setcap getsched signal_perms };
@@ -10348,10 +12151,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
pulseaudio_dbus_chat(bluetooth_t)
')
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.6.32/policy/modules/services/ccs.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.6.33/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ccs.fc 2009-09-29 15:31:19.000000000 -0400
-@@ -2,9 +2,4 @@
++++ serefpolicy-3.6.33/policy/modules/services/ccs.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -2,9 +2,5 @@
/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
@@ -10359,11 +12162,99 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
-/var/lib/openais(/.*)? gen_context(system_u:object_r:ccs_var_lib_t,s0)
-
- /var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0)
+-/var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0)
-/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.32/policy/modules/services/certmaster.te
++/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
++/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.33/policy/modules/services/ccs.te
+--- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ccs.te 2009-11-12 14:26:53.000000000 -0500
+@@ -10,23 +10,21 @@
+ type ccs_exec_t;
+ init_daemon_domain(ccs_t, ccs_exec_t)
+
+-# conf files
+ type cluster_conf_t;
+ files_type(cluster_conf_t)
+
+-# tmp files
+ type ccs_tmp_t;
+ files_tmp_file(ccs_tmp_t)
+
+-# log files
+-type ccs_var_log_t;
+-logging_log_file(ccs_var_log_t)
++type ccs_tmpfs_t;
++files_tmpfs_file(ccs_tmpfs_t)
+
+-# var lib files
+ type ccs_var_lib_t;
+ logging_log_file(ccs_var_lib_t)
+
+-# pid files
++type ccs_var_log_t;
++logging_log_file(ccs_var_log_t)
++
+ type ccs_var_run_t;
+ files_pid_file(ccs_var_run_t)
+
+@@ -35,7 +33,7 @@
+ # ccs local policy
+ #
+
+-allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
++allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+ allow ccs_t self:process { signal setrlimit setsched };
+ dontaudit ccs_t self:process ptrace;
+ allow ccs_t self:fifo_file rw_fifo_file_perms;
+@@ -55,23 +53,29 @@
+ manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
+ files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
+
+-# log files
+-manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+-allow ccs_t ccs_var_log_t:dir setattr;
+-logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
++manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
++manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
++fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t,{ dir file })
+
+ # var lib files
+ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
+ files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+
++# log files
++manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
++manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
++allow ccs_t ccs_var_log_t:dir setattr;
++logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
++
+ # pid file
+ manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+ manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+ manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
+ files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
+
++aisexec_stream_connect(ccs_t)
++
+ kernel_read_kernel_sysctls(ccs_t)
+
+ corecmd_list_bin(ccs_t)
+@@ -104,6 +108,9 @@
+
+ sysnet_dns_name_resolve(ccs_t)
+
++userdom_manage_unpriv_user_shared_mem(ccs_t)
++userdom_manage_unpriv_user_semaphores(ccs_t)
++
+ ifdef(`hide_broken_symptoms', `
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
+ files_manage_isid_type_files(ccs_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.33/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/certmaster.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/certmaster.te 2009-11-12 14:26:53.000000000 -0500
@@ -30,7 +30,7 @@
# certmaster local policy
#
@@ -10373,9 +12264,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow certmaster_t self:tcp_socket create_stream_socket_perms;
# config files
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.32/policy/modules/services/chronyd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.33/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/chronyd.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/chronyd.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,11 @@
+
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
@@ -10388,9 +12279,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.6.32/policy/modules/services/chronyd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.6.33/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/chronyd.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/chronyd.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,105 @@
+## chrony background daemon
+
@@ -10497,9 +12388,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.32/policy/modules/services/chronyd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.33/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/chronyd.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/chronyd.te 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,67 @@
+policy_module(chronyd,1.0.0)
+
@@ -10568,9 +12459,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_localization(chronyd_t)
+
+permissive chronyd_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.32/policy/modules/services/clamav.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.33/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/clamav.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/clamav.te 2009-11-12 14:26:53.000000000 -0500
@@ -117,9 +117,9 @@
logging_send_syslog_msg(clamd_t)
@@ -10612,16 +12503,192 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
apache_read_sys_content(clamscan_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.32/policy/modules/services/cobbler.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.6.33/policy/modules/services/clogd.fc
+--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/clogd.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,4 @@
++
++/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
++
++/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.33/policy/modules/services/clogd.if
+--- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/clogd.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,98 @@
++## clogd - clustered mirror log server
++
++######################################
++##
++## Execute a domain transition to run clogd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`clogd_domtrans',`
++ gen_require(`
++ type clogd_t, clogd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,clogd_exec_t,clogd_t)
++
++')
++
++#####################################
++##
++## Connect to clogd over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clogd_stream_connect',`
++ gen_require(`
++ type clogd_t, clogd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t)
++')
++
++#####################################
++##
++## Manage clogd tmpfs files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`clogd_manage_tmpfs_files',`
++ gen_require(`
++ type clogd_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
++ manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
++')
++
++#####################################
++##
++## Allow read and write access to clogd semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`clogd_rw_semaphores',`
++ gen_require(`
++ type clogd_t;
++ ')
++
++ allow $1 clogd_t:sem { rw_sem_perms destroy };
++')
++
++########################################
++##
++## Read and write to group shared memory.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`clogd_rw_shm',`
++ gen_require(`
++ type clogd_t;
++ ')
++
++ allow $1 clogd_t:shm { rw_shm_perms destroy };
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.6.33/policy/modules/services/clogd.te
+--- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/clogd.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,62 @@
++
++policy_module(clogd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type clogd_t;
++type clogd_exec_t;
++init_daemon_domain(clogd_t, clogd_exec_t)
++
++type clogd_tmpfs_t;
++files_tmpfs_file(clogd_tmpfs_t)
++
++# pid files
++type clogd_var_run_t;
++files_pid_file(clogd_var_run_t)
++
++permissive clogd_t;
++
++########################################
++#
++# clogd local policy
++#
++
++allow clogd_t self:capability { net_admin mknod };
++allow clogd_t self:process { signal };
++
++allow clogd_t self:sem create_sem_perms;
++allow clogd_t self:shm create_shm_perms;
++allow clogd_t self:netlink_socket create_socket_perms;
++allow clogd_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
++manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t)
++fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t,{ dir file })
++
++# pid files
++manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
++manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
++files_pid_filetrans(clogd_t,clogd_var_run_t, { file })
++
++aisexec_stream_connect(clogd_t)
++
++dev_manage_generic_blk_files(clogd_t)
++
++storage_raw_read_fixed_disk(clogd_t)
++storage_raw_write_fixed_disk(clogd_t)
++
++libs_use_ld_so(clogd_t)
++libs_use_shared_libs(clogd_t)
++
++logging_send_syslog_msg(clogd_t)
++
++miscfiles_read_localization(clogd_t)
++
++optional_policy(`
++ dev_read_lvm_control(clogd_t)
++')
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.33/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/cobbler.fc 2009-09-28 09:37:48.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/cobbler.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,2 @@
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.32/policy/modules/services/cobbler.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.33/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/cobbler.if 2009-09-28 09:39:30.000000000 -0400
-@@ -0,0 +1,24 @@
++++ serefpolicy-3.6.33/policy/modules/services/cobbler.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,44 @@
+##
+## Cobbler var_lib_t
+##
@@ -10646,18 +12713,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_search_var_lib($1)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.32/policy/modules/services/cobbler.te
++
++########################################
++##
++## Read cobbler lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cobbler_search_lib',`
++ gen_require(`
++ type cobbler_var_lib_t;
++ ')
++
++ allow $1 cobbler_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.33/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2009-09-28 09:36:27.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/cobbler.te 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,5 @@
+
+policy_module(cobbler, 1.10.0)
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.32/policy/modules/services/consolekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.33/policy/modules/services/consolekit.fc
+--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/consolekit.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -2,4 +2,5 @@
+
+ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+ /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
++
++/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.33/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/consolekit.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/consolekit.if 2009-11-12 14:26:53.000000000 -0500
@@ -57,3 +57,42 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
@@ -10701,10 +12798,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.33/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-09-16 10:03:09.000000000 -0400
-@@ -62,12 +62,15 @@
++++ serefpolicy-3.6.33/policy/modules/services/consolekit.te 2009-11-12 14:26:53.000000000 -0500
+@@ -21,7 +21,7 @@
+ # consolekit local policy
+ #
+
+-allow consolekit_t self:capability { setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+ allow consolekit_t self:process { getsched signal };
+ allow consolekit_t self:fifo_file rw_fifo_file_perms;
+ allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+@@ -59,15 +59,19 @@
+ term_use_all_terms(consolekit_t)
+
+ auth_use_nsswitch(consolekit_t)
++auth_manage_pam_console_data(consolekit_t)
init_telinit(consolekit_t)
init_rw_utmp(consolekit_t)
@@ -10720,7 +12830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
-@@ -84,9 +87,12 @@
+@@ -84,9 +88,12 @@
')
optional_policy(`
@@ -10734,7 +12844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hal_dbus_chat(consolekit_t)
')
-@@ -100,6 +106,7 @@
+@@ -100,6 +107,7 @@
')
optional_policy(`
@@ -10742,7 +12852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
-@@ -108,10 +115,19 @@
+@@ -108,10 +116,21 @@
optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
@@ -10754,6 +12864,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
+ udev_domtrans(consolekit_t)
++ udev_read_db(consolekit_t)
++ udev_signal(consolekit_t)
+')
+
+optional_policy(`
@@ -10762,9 +12874,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_stream_connect(consolekit_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.32/policy/modules/services/corosync.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.33/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/corosync.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/corosync.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,13 @@
+
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
@@ -10779,9 +12891,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.6.32/policy/modules/services/corosync.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.6.33/policy/modules/services/corosync.if
--- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/corosync.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/corosync.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,108 @@
+## SELinux policy for Corosync Cluster Engine
+
@@ -10891,10 +13003,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.33/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2009-09-16 10:03:09.000000000 -0400
-@@ -0,0 +1,109 @@
++++ serefpolicy-3.6.33/policy/modules/services/corosync.te 2009-11-12 15:10:07.000000000 -0500
+@@ -0,0 +1,107 @@
+
+policy_module(corosync,1.0.0)
+
@@ -10935,7 +13047,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+
+allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-+allow corosync_t self:process { setsched signal };
++allow corosync_t self:process { setrlimit setsched signal };
+
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
@@ -10968,20 +13080,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_sock_files_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
+files_pid_filetrans(corosync_t,corosync_var_run_t, { file sock_file })
+
++kernel_read_system_state(corosync_t)
++
+corenet_udp_bind_netsupport_port(corosync_t)
+
+corecmd_exec_bin(corosync_t)
+
-+kernel_read_system_state(corosync_t)
++dev_read_urand(corosync_t)
+
+files_manage_mounttab(corosync_t)
+
+auth_use_nsswitch(corosync_t)
+
-+dev_read_urand(corosync_t)
-+
-+libs_use_ld_so(corosync_t)
-+libs_use_shared_libs(corosync_t)
+miscfiles_read_localization(corosync_t)
+
+init_rw_script_tmp_files(corosync_t)
@@ -11004,9 +13114,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive corosync_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.32/policy/modules/services/courier.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.33/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/courier.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/courier.if 2009-11-12 14:26:53.000000000 -0500
@@ -179,6 +179,24 @@
########################################
@@ -11032,9 +13142,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write to courier spool pipes.
##
##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.32/policy/modules/services/courier.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.33/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/courier.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/courier.te 2009-11-12 14:26:53.000000000 -0500
@@ -10,6 +10,7 @@
type courier_etc_t;
@@ -11043,9 +13153,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
courier_domain_template(pcp)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.32/policy/modules/services/cron.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.33/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cron.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/cron.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -14,7 +14,7 @@
+ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
@@ -45,3 +45,7 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -11054,9 +13173,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.32/policy/modules/services/cron.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.33/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cron.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/cron.if 2009-11-12 14:26:53.000000000 -0500
@@ -12,6 +12,10 @@
##
#
@@ -11124,6 +13243,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
role system_r types $1;
')
+@@ -408,7 +404,7 @@
+ type crond_t;
+ ')
+
+- allow $1 crond_t:fifo_file { getattr read write };
++ allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
@@ -587,11 +583,14 @@
#
interface(`cron_read_system_job_tmp_files',`
@@ -11189,9 +13317,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.33/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/cron.te 2009-11-12 14:26:53.000000000 -0500
@@ -38,6 +38,7 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -11448,9 +13576,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.32/policy/modules/services/cups.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.33/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cups.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/cups.fc 2009-11-12 14:26:53.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -11494,9 +13622,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.33/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-09-30 10:20:40.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/cups.te 2009-11-12 14:26:53.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -11542,7 +13670,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(cupsd_t)
corenet_all_recvfrom_netlabel(cupsd_t)
-@@ -250,6 +260,7 @@
+@@ -171,6 +181,7 @@
+ corenet_udp_bind_generic_node(cupsd_t)
+ corenet_tcp_bind_ipp_port(cupsd_t)
+ corenet_udp_bind_ipp_port(cupsd_t)
++corenet_udp_bind_howl_port(cupsd_t)
+ corenet_tcp_bind_reserved_port(cupsd_t)
+ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+ corenet_tcp_bind_all_rpc_ports(cupsd_t)
+@@ -250,6 +261,7 @@
miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
@@ -11550,7 +13686,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
-@@ -327,7 +338,7 @@
+@@ -317,6 +329,10 @@
+ ')
+
+ optional_policy(`
++ snmp_read_snmp_var_lib_files(cupsd_t)
++')
++
++optional_policy(`
+ udev_read_db(cupsd_t)
+ ')
+
+@@ -327,7 +343,7 @@
allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
@@ -11559,15 +13706,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-@@ -407,6 +418,7 @@
+@@ -407,6 +423,7 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
-+userdom_read_user_tmp_files(cupsd_config_t)
++userdom_rw_user_tmp_files(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
-@@ -419,12 +431,15 @@
+@@ -419,12 +436,15 @@
')
optional_policy(`
@@ -11585,7 +13732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -446,6 +461,10 @@
+@@ -446,6 +466,10 @@
')
optional_policy(`
@@ -11596,7 +13743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpm_read_db(cupsd_config_t)
')
-@@ -542,6 +561,8 @@
+@@ -542,6 +566,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -11605,7 +13752,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -601,6 +622,9 @@
+@@ -556,11 +582,15 @@
+ miscfiles_read_fonts(cups_pdf_t)
+
+ userdom_home_filetrans_user_home_dir(cups_pdf_t)
++userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
+ userdom_manage_user_home_content_dirs(cups_pdf_t)
+ userdom_manage_user_home_content_files(cups_pdf_t)
+
+ lpd_manage_spool(cups_pdf_t)
+
++optional_policy(`
++ gnome_read_config(cups_pdf_t)
++')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(cups_pdf_t)
+@@ -601,6 +631,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -11615,18 +13778,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.32/policy/modules/services/cvs.te
+@@ -627,6 +660,7 @@
+ corenet_tcp_connect_ipp_port(hplip_t)
+ corenet_sendrecv_hplip_client_packets(hplip_t)
+ corenet_receive_hplip_server_packets(hplip_t)
++corenet_udp_bind_howl_port(hplip_t)
+
+ dev_read_sysfs(hplip_t)
+ dev_rw_printer(hplip_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.33/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cvs.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/cvs.te 2009-11-12 14:26:53.000000000 -0500
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.6.32/policy/modules/services/cyrus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.6.33/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cyrus.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/cyrus.te 2009-11-12 14:26:53.000000000 -0500
@@ -137,6 +137,7 @@
optional_policy(`
snmp_read_snmp_var_lib_files(cyrus_t)
@@ -11635,9 +13806,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.33/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/dbus.if 2009-11-12 14:26:53.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -11763,9 +13934,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.32/policy/modules/services/dbus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.33/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-08-18 18:39:50.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dbus.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/dbus.te 2009-11-12 14:26:53.000000000 -0500
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -11818,9 +13989,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.32/policy/modules/services/dcc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.33/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dcc.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/dcc.te 2009-11-12 14:26:53.000000000 -0500
@@ -130,11 +130,13 @@
# Access files in /var/dcc. The map file can be updated
@@ -11847,9 +14018,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
spamassassin_read_spamd_tmp_files(dcc_client_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.32/policy/modules/services/ddclient.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.33/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ddclient.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ddclient.if 2009-11-12 14:26:53.000000000 -0500
@@ -21,6 +21,31 @@
########################################
@@ -11882,18 +14053,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an ddclient environment
##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.32/policy/modules/services/devicekit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.33/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/devicekit.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/devicekit.fc 2009-11-12 14:26:53.000000000 -0500
@@ -5,4 +5,4 @@
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.32/policy/modules/services/devicekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.33/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/devicekit.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/devicekit.if 2009-11-12 14:26:53.000000000 -0500
@@ -139,6 +139,26 @@
########################################
@@ -11930,9 +14101,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
allow $1 devicekit_t:process { ptrace signal_perms getattr };
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.33/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/devicekit.te 2009-11-14 00:17:30.000000000 -0500
@@ -36,12 +36,15 @@
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -11962,17 +14133,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-@@ -71,7 +77,9 @@
+@@ -71,7 +77,10 @@
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
+kernel_read_system_state(devicekit_disk_t)
++kernel_request_load_module(devicekit_disk_t)
kernel_setsched(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
-@@ -79,21 +87,34 @@
+@@ -79,21 +88,35 @@
dev_rw_sysfs(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
@@ -11997,6 +14169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_mount_all_fs(devicekit_disk_t)
fs_unmount_all_fs(devicekit_disk_t)
-fs_manage_fusefs_dirs(devicekit_disk_t)
++fs_search_all(devicekit_disk_t)
storage_raw_read_fixed_disk(devicekit_disk_t)
storage_raw_write_fixed_disk(devicekit_disk_t)
@@ -12008,7 +14181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
-@@ -110,6 +131,7 @@
+@@ -110,6 +133,7 @@
')
optional_policy(`
@@ -12016,10 +14189,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
-@@ -134,14 +156,22 @@
+@@ -134,14 +158,26 @@
udev_read_db(devicekit_disk_t)
')
++
++optional_policy(`
++ virt_read_images(devicekit_disk_t)
++')
+
+optional_policy(`
+ unconfined_domain(devicekit_t)
@@ -12040,7 +14217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +181,7 @@
+@@ -151,6 +187,7 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -12048,7 +14225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,6 +190,7 @@
+@@ -159,6 +196,7 @@
domain_read_all_domains_state(devicekit_power_t)
@@ -12056,7 +14233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +199,17 @@
+@@ -167,12 +205,17 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -12074,7 +14251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,8 +217,11 @@
+@@ -180,8 +223,11 @@
')
optional_policy(`
@@ -12087,7 +14264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow devicekit_power_t devicekit_t:dbus send_msg;
optional_policy(`
-@@ -203,17 +243,23 @@
+@@ -203,17 +249,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -12111,9 +14288,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.32/policy/modules/services/dnsmasq.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.33/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.te 2009-09-28 09:39:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/dnsmasq.te 2009-11-12 14:26:53.000000000 -0500
@@ -83,6 +83,18 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -12133,9 +14310,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(dnsmasq_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.33/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-09-29 16:39:40.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/dovecot.te 2009-11-13 11:27:22.000000000 -0500
+@@ -56,7 +56,7 @@
+
+ allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+ dontaudit dovecot_t self:capability sys_tty_config;
+-allow dovecot_t self:process { setrlimit signal_perms };
++allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+ allow dovecot_t self:fifo_file rw_fifo_file_perms;
+ allow dovecot_t self:tcp_socket create_stream_socket_perms;
+ allow dovecot_t self:unix_dgram_socket create_socket_perms;
@@ -103,6 +103,7 @@
dev_read_urand(dovecot_t)
@@ -12153,7 +14339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -220,9 +221,15 @@
+@@ -220,15 +221,23 @@
')
optional_policy(`
@@ -12169,9 +14355,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# dovecot deliver local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.32/policy/modules/services/exim.te
+ #
+ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
++allow dovecot_deliver_t dovecot_t:process signull;
++
+ allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+ allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+@@ -260,3 +269,14 @@
+ optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+ ')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_files(dovecot_deliver_t)
++ fs_manage_nfs_symlinks(dovecot_deliver_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_files(dovecot_deliver_t)
++ fs_manage_cifs_symlinks(dovecot_deliver_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.33/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/exim.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/exim.te 2009-11-12 14:26:53.000000000 -0500
@@ -111,6 +111,7 @@
files_search_var(exim_t)
files_read_etc_files(exim_t)
@@ -12191,9 +14400,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
spamassassin_exec(exim_t)
spamassassin_exec_client(exim_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.32/policy/modules/services/fail2ban.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.33/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/fail2ban.te 2009-11-12 14:26:53.000000000 -0500
@@ -33,6 +33,7 @@
allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
@@ -12202,9 +14411,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
# log files
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.32/policy/modules/services/fetchmail.te
+@@ -79,6 +80,7 @@
+ auth_use_nsswitch(fail2ban_t)
+
+ logging_read_all_logs(fail2ban_t)
++logging_send_syslog_msg(fail2ban_t)
+
+ miscfiles_read_localization(fail2ban_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.33/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/fetchmail.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/fetchmail.te 2009-11-12 14:26:53.000000000 -0500
@@ -47,6 +47,8 @@
kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
@@ -12214,9 +14431,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.32/policy/modules/services/fprintd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.33/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/fprintd.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/fprintd.te 2009-11-12 14:26:53.000000000 -0500
@@ -37,6 +37,8 @@
files_read_etc_files(fprintd_t)
files_read_usr_files(fprintd_t)
@@ -12234,9 +14451,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(fprintd_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.33/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ftp.te 2009-11-12 14:26:53.000000000 -0500
@@ -41,6 +41,13 @@
##
@@ -12251,7 +14468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow ftp to read and write files in the user home directories
##
##
-@@ -78,6 +85,14 @@
+@@ -78,12 +85,20 @@
type xferlog_t;
logging_log_file(xferlog_t)
@@ -12266,6 +14483,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# ftpd local policy
+ #
+
+-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
++allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource };
+ dontaudit ftpd_t self:capability sys_tty_config;
+ allow ftpd_t self:process signal_perms;
+ allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -92,6 +107,8 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
@@ -12353,9 +14577,491 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(ftpd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.32/policy/modules/services/gpm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.33/policy/modules/services/git.fc
+--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/git.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -1,3 +1,9 @@
+ /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+ /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++
++/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
++
++/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
++
++# Conflict with Fedora cgit fc spec.
++/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.33/policy/modules/services/git.if
+--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/git.if 2009-11-12 14:26:53.000000000 -0500
+@@ -1 +1,285 @@
+-## GIT revision control system
++## Git daemon is a really simple server for Git repositories.
++##
++##
++## A really simple TCP git daemon that normally listens on
++## port DEFAULT_GIT_PORT aka 9418. It waits for a
++## connection asking for a service, and will serve that
++## service if it is enabled.
++##
++##
++## It verifies that the directory has the magic file
++## git-daemon-export-ok, and it will refuse to export any
++## git directory that has not explicitly been marked for
++## export this way (unless the --export-all parameter is
++## specified). If you pass some directory paths as
++## git-daemon arguments, you can further restrict the
++## offers to a whitelist comprising of those.
++##
++##
++## By default, only upload-pack service is enabled, which
++## serves git-fetch-pack and git-ls-remote clients, which
++## are invoked from git-fetch, git-pull, and git-clone.
++##
++##
++## This is ideally suited for read-only updates, i.e.,
++## pulling from git repositories.
++##
++##
++## An upload-archive also exists to serve git-archive.
++##
++##
++
++#######################################
++##
++## Role access for Git daemon session.
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++##
++## User domain for the role.
++##
++##
++#
++interface(`git_session_role', `
++ gen_require(`
++ type gitd_session_t, gitd_exec_t, git_home_t;
++ ')
++
++ ########################################
++ #
++ # Git daemon session data declarations.
++ #
++
++ ##
++ ##
++ ## Allow transitions to the Git daemon
++ ## session domain.
++ ##
++ ##
++ gen_tunable(gitd_session_transition, false)
++
++ role $1 types gitd_session_t;
++
++ ########################################
++ #
++ # Git daemon session data policy.
++ #
++
++ tunable_policy(`gitd_session_transition', `
++ domtrans_pattern($2, gitd_exec_t, gitd_session_t)
++ ', `
++ can_exec($2, gitd_exec_t)
++ ')
++
++ allow $2 gitd_session_t:process { ptrace signal_perms };
++ ps_process_pattern($2, gitd_session_t)
++
++ exec_files_pattern($2, git_home_t, git_home_t)
++ manage_dirs_pattern($2, git_home_t, git_home_t)
++ manage_files_pattern($2, git_home_t, git_home_t)
++
++ relabel_dirs_pattern($2, git_home_t, git_home_t)
++ relabel_files_pattern($2, git_home_t, git_home_t)
++')
++
++########################################
++##
++## Allow the specified domain to execute
++## Git daemon data files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`git_execute_data_files', `
++ gen_require(`
++ type git_data_t;
++ ')
++
++ exec_files_pattern($1, git_data_t, git_data_t)
++ files_search_var($1)
++')
++
++########################################
++##
++## Allow the specified domain to manage
++## Git daemon data content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`git_manage_data_content', `
++ gen_require(`
++ type git_data_t;
++ ')
++
++ manage_dirs_pattern($1, git_data_t, git_data_t)
++ manage_files_pattern($1, git_data_t, git_data_t)
++ files_search_var($1)
++')
++
++########################################
++##
++## Allow the specified domain to manage
++## Git daemon home content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`git_manage_home_content', `
++ gen_require(`
++ type git_home_t;
++ ')
++
++ manage_dirs_pattern($1, git_home_t, git_home_t)
++ manage_files_pattern($1, git_home_t, git_home_t)
++ files_search_home($1)
++')
++
++########################################
++##
++## Allow the specified domain to read
++## Git daemon home content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`git_read_home_content', `
++ gen_require(`
++ type git_home_t;
++ ')
++
++ list_dirs_pattern($1, git_home_t, git_home_t)
++ read_files_pattern($1, git_home_t, git_home_t)
++ files_search_home($1)
++')
++
++########################################
++##
++## Allow the specified domain to read
++## Git daemon data content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`git_read_data_content', `
++ gen_require(`
++ type git_data_t;
++ ')
++
++ list_dirs_pattern($1, git_data_t, git_data_t)
++ read_files_pattern($1, git_data_t, git_data_t)
++ files_search_var($1)
++')
++
++########################################
++##
++## Allow the specified domain to relabel
++## Git daemon data content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`git_relabel_data_content', `
++ gen_require(`
++ type git_data_t;
++ ')
++
++ relabel_dirs_pattern($1, git_data_t, git_data_t)
++ relabel_files_pattern($1, git_data_t, git_data_t)
++ files_search_var($1)
++')
++
++########################################
++##
++## Allow the specified domain to relabel
++## Git daemon home content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`git_relabel_home_content', `
++ gen_require(`
++ type git_home_t;
++ ')
++
++ relabel_dirs_pattern($1, git_home_t, git_home_t)
++ relabel_files_pattern($1, git_home_t, git_home_t)
++ files_search_home($1)
++')
++
++########################################
++##
++## All of the rules required to administrate an
++## Git daemon system environment
++##
++##
++##
++## Prefix of the domain. Example, user would be
++## the prefix for the user_t domain.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the Git daemon domain.
++##
++##
++##
++#
++interface(`git_system_admin', `
++ gen_require(`
++ type gitd_t, gitd_exec_t;
++ ')
++
++ allow $1 gitd_t:process { getattr ptrace signal_perms };
++ ps_process_pattern($1, gitd_t)
++
++ kernel_search_proc($1)
++
++ manage_files_pattern($1, gitd_exec_t, gitd_exec_t)
++
++ # This will not work since git-shell needs to execute gitd content thus public content files.
++ # There is currently no clean way to execute public content files.
++ # miscfiles_manage_public_files($1)
++
++ git_manage_data_content($1)
++ git_relabel_data_content($1)
++
++ seutil_domtrans_setfiles($1)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.33/policy/modules/services/git.te
+--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/git.te 2009-11-12 14:26:53.000000000 -0500
+@@ -1,9 +1,173 @@
+
+ policy_module(git, 1.0)
+
++attribute gitd_type;
++attribute git_content_type;
++
++########################################
++#
++# Git daemon system private declarations.
++#
++
++##
++##
++## Allow Git daemon system to search home directories.
++##
++##
++gen_tunable(git_system_enable_homedirs, false)
++
++##
++##
++## Allow Git daemon system to access cifs file systems.
++##
++##
++gen_tunable(git_system_use_cifs, false)
++
++##
++##
++## Allow Git daemon system to access nfs file systems.
++##
++##
++gen_tunable(git_system_use_nfs, false)
++
++########################################
++#
++# Git daemon global private declarations.
++#
++type gitd_exec_t;
++
++type gitd_t, gitd_type;
++inetd_service_domain(gitd_t, gitd_exec_t)
++role system_r types gitd_t;
++
++type git_data_t, git_content_type;
++files_type(git_data_t)
++
++permissive gitd_t;
++
++########################################
++#
++# Git daemon session session private declarations.
++#
++
++##
++##
++## Allow Git daemon session to bind
++## tcp sockets to all unreserved ports.
++##
++##
++gen_tunable(git_session_bind_all_unreserved_ports, false)
++
++type gitd_session_t, gitd_type;
++application_domain(gitd_session_t, gitd_exec_t)
++ubac_constrained(gitd_session_t)
++
++type git_home_t, git_content_type;
++userdom_user_home_content(git_home_t)
++
++permissive gitd_session_t;
++
++########################################
++#
++# Git daemon global private policy.
++#
++
++allow gitd_type self:fifo_file rw_fifo_file_perms;
++allow gitd_type self:tcp_socket create_socket_perms;
++allow gitd_type self:udp_socket create_socket_perms;
++allow gitd_type self:unix_dgram_socket create_socket_perms;
++
++corenet_all_recvfrom_netlabel(gitd_type)
++corenet_all_recvfrom_unlabeled(gitd_type)
++
++corenet_tcp_sendrecv_all_if(gitd_type)
++corenet_tcp_sendrecv_all_nodes(gitd_type)
++corenet_tcp_sendrecv_all_ports(gitd_type)
++
++corenet_tcp_bind_all_nodes(gitd_type)
++corenet_tcp_bind_git_port(gitd_type)
++
++corecmd_exec_bin(gitd_type)
++
++files_read_etc_files(gitd_type)
++files_read_usr_files(gitd_type)
++
++fs_search_auto_mountpoints(gitd_type)
++
++kernel_read_system_state(gitd_type)
++
++logging_send_syslog_msg(gitd_type)
++
++auth_use_nsswitch(gitd_type)
++
++miscfiles_read_localization(gitd_type)
++
++########################################
++#
++# Git daemon system repository private policy.
++#
++
++list_dirs_pattern(gitd_t, git_content_type, git_content_type)
++read_files_pattern(gitd_t, git_content_type, git_content_type)
++files_search_var(gitd_t)
++
++# This will not work since git-shell needs to execute gitd content thus public content files.
++# There is currently no clean way to execute public content files.
++# miscfiles_read_public_files(gitd_t)
++
++tunable_policy(`git_system_enable_homedirs', `
++ userdom_search_user_home_dirs(gitd_t)
++')
++
++tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
++ fs_list_nfs(gitd_t)
++ fs_read_nfs_files(gitd_t)
++')
++
++tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
++ fs_list_cifs(gitd_t)
++ fs_read_cifs_files(gitd_t)
++')
++
++tunable_policy(`git_system_use_cifs', `
++ fs_list_cifs(gitd_t)
++ fs_read_cifs_files(gitd_t)
++')
++
++tunable_policy(`git_system_use_nfs', `
++ fs_list_nfs(gitd_t)
++ fs_read_nfs_files(gitd_t)
++')
++
++########################################
++#
++# Git daemon session repository private policy.
++#
++
++list_dirs_pattern(gitd_session_t, git_home_t, git_home_t)
++read_files_pattern(gitd_session_t, git_home_t, git_home_t)
++userdom_search_user_home_dirs(gitd_session_t)
++
++userdom_use_user_terminals(gitd_session_t)
++
++tunable_policy(`git_session_bind_all_unreserved_ports', `
++ corenet_tcp_bind_all_unreserved_ports(gitd_session_t)
++')
++
++tunable_policy(`use_nfs_home_dirs', `
++ fs_list_nfs(gitd_session_t)
++ fs_read_nfs_files(gitd_session_t)
++')
++
++tunable_policy(`use_samba_home_dirs', `
++ fs_list_cifs(gitd_session_t)
++ fs_read_cifs_files(gitd_session_t)
++')
++
+ ########################################
+ #
+-# Declarations
++# cgi git Declarations
+ #
+
+ apache_content_template(git)
++git_read_data_content(httpd_git_script_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.33/policy/modules/services/gpm.te
--- nsaserefpolicy/policy/modules/services/gpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/gpm.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/gpm.te 2009-11-12 14:26:53.000000000 -0500
@@ -27,7 +27,8 @@
# Local policy
#
@@ -12366,9 +15072,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow gpm_t self:unix_stream_socket create_stream_socket_perms;
allow gpm_t gpm_conf_t:dir list_dir_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.32/policy/modules/services/gpsd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.33/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/gpsd.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/gpsd.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1 +1,6 @@
+/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+
@@ -12376,9 +15082,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.32/policy/modules/services/gpsd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.33/policy/modules/services/gpsd.if
--- nsaserefpolicy/policy/modules/services/gpsd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/gpsd.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/gpsd.if 2009-11-12 14:26:53.000000000 -0500
@@ -33,11 +33,6 @@
## The role to be allowed the gpsd domain.
##
@@ -12424,9 +15130,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.32/policy/modules/services/gpsd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.33/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/gpsd.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/gpsd.te 2009-11-12 14:26:53.000000000 -0500
@@ -11,15 +11,21 @@
application_domain(gpsd_t, gpsd_exec_t)
init_daemon_domain(gpsd_t, gpsd_exec_t)
@@ -12468,9 +15174,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- ntpd_rw_shm(gpsd_t)
+ ntp_rw_shm(gpsd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.32/policy/modules/services/hal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.33/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/hal.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/hal.fc 2009-11-12 14:26:53.000000000 -0500
@@ -26,6 +26,7 @@
/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
@@ -12479,9 +15185,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_gentoo',`
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.33/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/hal.if 2009-09-24 14:39:22.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/hal.if 2009-11-12 14:26:53.000000000 -0500
@@ -413,3 +413,21 @@
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
@@ -12504,9 +15210,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.33/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-09-23 10:21:23.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/hal.te 2009-11-12 14:26:53.000000000 -0500
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -12539,7 +15245,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_getattr_all_mountpoints(hald_t)
mls_file_read_all_levels(hald_t)
-@@ -202,8 +212,10 @@
+@@ -197,13 +207,16 @@
+ miscfiles_read_hwdata(hald_t)
+
+ modutils_domtrans_insmod(hald_t)
++modutils_read_module_deps(hald_t)
+
+ seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)
@@ -12551,7 +15263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -290,6 +302,7 @@
+@@ -290,6 +303,7 @@
')
optional_policy(`
@@ -12559,7 +15271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(hald_t)
policykit_domtrans_resolve(hald_t)
policykit_read_lib(hald_t)
-@@ -321,6 +334,10 @@
+@@ -321,6 +335,10 @@
virt_manage_images(hald_t)
')
@@ -12570,7 +15282,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Hal acl local policy
-@@ -341,6 +358,7 @@
+@@ -341,6 +359,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -12578,7 +15290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(hald_acl_t)
-@@ -357,6 +375,8 @@
+@@ -357,6 +376,8 @@
files_read_usr_files(hald_acl_t)
files_read_etc_files(hald_acl_t)
@@ -12587,7 +15299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_getattr_removable_dev(hald_acl_t)
storage_setattr_removable_dev(hald_acl_t)
storage_getattr_fixed_disk_dev(hald_acl_t)
-@@ -369,6 +389,7 @@
+@@ -369,6 +390,7 @@
miscfiles_read_localization(hald_acl_t)
optional_policy(`
@@ -12595,7 +15307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(hald_acl_t)
policykit_read_lib(hald_acl_t)
policykit_read_reload(hald_acl_t)
-@@ -450,12 +471,16 @@
+@@ -450,12 +472,16 @@
miscfiles_read_localization(hald_keymap_t)
@@ -12614,7 +15326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow hald_dccm_t self:process getsched;
allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
allow hald_dccm_t self:udp_socket create_socket_perms;
-@@ -469,10 +494,22 @@
+@@ -469,10 +495,22 @@
manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_dccm_t)
@@ -12637,7 +15349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(hald_dccm_t)
corenet_all_recvfrom_netlabel(hald_dccm_t)
corenet_tcp_sendrecv_generic_if(hald_dccm_t)
-@@ -484,6 +521,7 @@
+@@ -484,6 +522,7 @@
corenet_tcp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_dhcpc_port(hald_dccm_t)
@@ -12645,7 +15357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_dccm_port(hald_dccm_t)
logging_send_syslog_msg(hald_dccm_t)
-@@ -491,3 +529,7 @@
+@@ -491,3 +530,7 @@
files_read_usr_files(hald_dccm_t)
miscfiles_read_localization(hald_dccm_t)
@@ -12653,9 +15365,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.6.32/policy/modules/services/howl.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.6.33/policy/modules/services/howl.te
--- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/howl.te 2009-09-21 08:23:32.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/howl.te 2009-11-12 14:26:53.000000000 -0500
@@ -30,7 +30,7 @@
kernel_read_network_state(howl_t)
@@ -12665,10 +15377,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.32/policy/modules/services/inetd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.6.33/policy/modules/services/inetd.fc
+--- nsaserefpolicy/policy/modules/services/inetd.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/inetd.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -9,4 +9,4 @@
+
+ /var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
+
+-/var/run/inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
++/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.33/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/inetd.te 2009-09-16 10:03:09.000000000 -0400
-@@ -138,6 +138,8 @@
++++ serefpolicy-3.6.33/policy/modules/services/inetd.te 2009-11-12 14:26:53.000000000 -0500
+@@ -104,6 +104,8 @@
+ corenet_tcp_bind_telnetd_port(inetd_t)
+ corenet_udp_bind_tftp_port(inetd_t)
+ corenet_tcp_bind_ssh_port(inetd_t)
++corenet_tcp_bind_git_port(inetd_t)
++corenet_udp_bind_git_port(inetd_t)
+
+ # service port packets:
+ corenet_sendrecv_amanda_server_packets(inetd_t)
+@@ -138,6 +140,8 @@
files_read_etc_files(inetd_t)
files_read_etc_runtime_files(inetd_t)
@@ -12677,9 +15407,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(inetd_t)
miscfiles_read_localization(inetd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-3.6.32/policy/modules/services/irqbalance.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-3.6.33/policy/modules/services/irqbalance.te
--- nsaserefpolicy/policy/modules/services/irqbalance.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/irqbalance.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/irqbalance.te 2009-11-12 14:26:53.000000000 -0500
@@ -18,11 +18,11 @@
# Local policy
#
@@ -12694,10 +15424,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.32/policy/modules/services/kerberos.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.33/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/kerberos.if 2009-11-13 11:27:57.000000000 -0500
+@@ -74,7 +74,7 @@
+ ')
+
+ files_search_etc($1)
+- allow $1 krb5_conf_t:file read_file_perms;
++ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
+ dontaudit $1 krb5_conf_t:file write;
+ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
+ dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+@@ -84,6 +84,10 @@
+ selinux_dontaudit_validate_context($1)
+ seutil_dontaudit_read_file_contexts($1)
+
++ optional_policy(`
++ sssd_read_config_files($1)
++ ')
++
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.33/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/kerberos.te 2009-09-16 10:03:09.000000000 -0400
-@@ -277,6 +277,8 @@
++++ serefpolicy-3.6.33/policy/modules/services/kerberos.te 2009-11-13 08:15:23.000000000 -0500
+@@ -110,8 +110,9 @@
+ manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
+ files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
+
+-kernel_read_kernel_sysctls(kadmind_t)
+ kernel_list_proc(kadmind_t)
++kernel_read_kernel_sysctls(kadmind_t)
++kernel_read_network_state(kadmind_t)
+ kernel_read_proc_symlinks(kadmind_t)
+ kernel_read_system_state(kadmind_t)
+
+@@ -277,6 +278,8 @@
#
allow kpropd_t self:capability net_bind_service;
@@ -12706,7 +15470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow kpropd_t self:fifo_file rw_file_perms;
allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
allow kpropd_t self:tcp_socket create_stream_socket_perms;
-@@ -286,8 +288,13 @@
+@@ -286,8 +289,13 @@
allow kpropd_t krb5_keytab_t:file read_file_perms;
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
@@ -12721,7 +15485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(kpropd_t)
-@@ -303,10 +310,14 @@
+@@ -303,10 +311,14 @@
files_read_etc_files(kpropd_t)
files_search_tmp(kpropd_t)
@@ -12736,9 +15500,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_dns_name_resolve(kpropd_t)
kerberos_use(kpropd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.32/policy/modules/services/kerneloops.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.33/policy/modules/services/kerneloops.te
--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/kerneloops.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/kerneloops.te 2009-11-12 14:26:53.000000000 -0500
@@ -22,7 +22,7 @@
#
@@ -12748,9 +15512,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow kerneloops_t self:fifo_file rw_file_perms;
manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.32/policy/modules/services/ktalk.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.33/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ktalk.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ktalk.te 2009-11-12 14:26:53.000000000 -0500
@@ -69,6 +69,7 @@
files_read_etc_files(ktalkd_t)
@@ -12759,18 +15523,87 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(ktalkd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.33/policy/modules/services/lircd.fc
+--- nsaserefpolicy/policy/modules/services/lircd.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/lircd.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -6,3 +6,5 @@
+ /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
+ /var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
++/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
++/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.6.33/policy/modules/services/lircd.if
+--- nsaserefpolicy/policy/modules/services/lircd.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/lircd.if 2009-11-12 14:26:53.000000000 -0500
+@@ -32,12 +32,11 @@
+ #
+ interface(`lircd_stream_connect',`
+ gen_require(`
+- type lircd_sock_t, lircd_t;
++ type lircd_var_run_t, lircd_t;
+ ')
+
+- allow $1 lircd_t:unix_stream_socket connectto;
+- allow $1 lircd_sock_t:sock_file write_sock_file_perms;
+ files_search_pids($1)
++ stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
+ ')
+
+ #######################################
+@@ -77,7 +76,7 @@
+ #
+ interface(`lircd_admin',`
+ gen_require(`
+- type lircd_t, lircd_var_run_t, lircd_sock_t;
++ type lircd_t, lircd_var_run_t;
+ type lircd_initrc_exec_t, lircd_etc_t;
+ ')
+
+@@ -94,6 +93,4 @@
+
+ files_search_pids($1)
+ admin_pattern($1, lircd_var_run_t)
+-
+- admin_pattern($1, lircd_sock_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.33/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-09-16 10:03:09.000000000 -0400
-@@ -42,7 +42,18 @@
++++ serefpolicy-3.6.33/policy/modules/services/lircd.te 2009-11-12 14:26:53.000000000 -0500
+@@ -16,13 +16,9 @@
+ type lircd_etc_t;
+ files_type(lircd_etc_t)
+
+-type lircd_var_run_t;
++type lircd_var_run_t alias lircd_sock_t;
+ files_pid_file(lircd_var_run_t)
+
+-# type for lircd /dev/ sock file
+-type lircd_sock_t;
+-files_type(lircd_sock_t)
+-
+ ########################################
+ #
+ # lircd local policy
+@@ -34,15 +30,26 @@
+ # etc file
+ read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+
+-# pid file
+ manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+ manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
++manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+
# /dev/lircd socket
- manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
- dev_filetrans(lircd_t, lircd_sock_t, sock_file )
+-manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
+-dev_filetrans(lircd_t, lircd_sock_t, sock_file )
++dev_filetrans(lircd_t, lircd_var_run_t, sock_file )
+dev_read_generic_usb_dev(lircd_t)
-+
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
+dev_rw_input_dev(lircd_t)
++
++term_use_ptmx(lircd_t)
logging_send_syslog_msg(lircd_t)
@@ -12781,9 +15614,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
miscfiles_read_localization(lircd_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.33/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/mailman.te 2009-11-12 14:26:53.000000000 -0500
@@ -78,6 +78,10 @@
mta_dontaudit_rw_queue(mailman_mail_t)
@@ -12795,9 +15628,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_read_pipes(mailman_mail_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.33/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/memcached.te 2009-11-12 14:26:53.000000000 -0500
@@ -44,6 +44,8 @@
files_read_etc_files(memcached_t)
@@ -12807,19 +15640,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(memcached_t)
sysnet_dns_name_resolve(memcached_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.32/policy/modules/services/mta.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.33/policy/modules/services/milter.if
+--- nsaserefpolicy/policy/modules/services/milter.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/milter.if 2009-11-12 14:26:53.000000000 -0500
+@@ -35,6 +35,8 @@
+ # Create other data files and directories in the data directory
+ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
++ files_read_etc_files($1_milter_t)
++
+ miscfiles_read_localization($1_milter_t)
+
+ logging_send_syslog_msg($1_milter_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.33/policy/modules/services/modemmanager.te
+--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 09:09:20.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/modemmanager.te 2009-11-12 14:26:53.000000000 -0500
+@@ -16,7 +16,7 @@
+ #
+ # ModemManager local policy
+ #
+-
++allow modemmanager_t self:process signal;
+ allow modemmanager_t self:fifo_file rw_file_perms;
+ allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -24,6 +24,7 @@
+ kernel_read_system_state(modemmanager_t)
+
+ dev_read_sysfs(modemmanager_t)
++dev_rw_modem(modemmanager_t)
+
+ files_read_etc_files(modemmanager_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.33/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mta.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/mta.fc 2009-11-12 14:26:53.000000000 -0500
@@ -26,3 +26,5 @@
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.33/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-09-21 09:15:52.000000000 -0400
-@@ -311,6 +311,7 @@
++++ serefpolicy-3.6.33/policy/modules/services/mta.if 2009-11-12 14:26:53.000000000 -0500
+@@ -69,6 +69,7 @@
+ can_exec($1_mail_t, sendmail_exec_t)
+ allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
+
++ kernel_read_system_state($1_mail_t)
+ kernel_read_kernel_sysctls($1_mail_t)
+
+ corenet_all_recvfrom_unlabeled($1_mail_t)
+@@ -87,6 +88,8 @@
+ # It wants to check for nscd
+ files_dontaudit_search_pids($1_mail_t)
+
++ init_dontaudit_rw_utmp($1_mail_t)
++
+ auth_use_nsswitch($1_mail_t)
+
+ logging_send_syslog_msg($1_mail_t)
+@@ -311,6 +314,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1, mail_spool_t, mail_spool_t)
read_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -12827,7 +15709,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
create_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
-@@ -351,6 +352,7 @@
+@@ -351,6 +355,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
@@ -12835,15 +15717,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -471,6 +473,7 @@
+@@ -376,7 +381,7 @@
+
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+- allow mta_user_agent $1:fifo_file { read write };
++ allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -470,7 +475,8 @@
+ type etc_mail_t;
')
- write_files_pattern($1, etc_mail_t, etc_mail_t)
+- write_files_pattern($1, etc_mail_t, etc_mail_t)
++ manage_files_pattern($1, etc_mail_t, etc_mail_t)
+ allow $1 etc_mail_t:file setattr;
')
########################################
-@@ -694,7 +697,7 @@
+@@ -694,7 +700,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
@@ -12852,9 +15745,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.33/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-09-22 20:56:19.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/mta.te 2009-11-12 14:26:53.000000000 -0500
@@ -27,6 +27,9 @@
type mail_spool_t;
files_mountpoint(mail_spool_t)
@@ -12865,19 +15758,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
-@@ -57,8 +60,11 @@
+@@ -57,8 +60,10 @@
can_exec(system_mail_t, mta_exec_type)
+-kernel_read_system_state(system_mail_t)
+files_read_all_tmp_files(system_mail_t)
+
- kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
+kernel_request_load_module(system_mail_t)
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
-@@ -72,16 +78,21 @@
+@@ -72,16 +77,21 @@
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -12899,7 +15792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -100,6 +111,7 @@
+@@ -100,6 +110,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
@@ -12907,7 +15800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -178,6 +190,10 @@
+@@ -178,6 +189,10 @@
')
optional_policy(`
@@ -12918,7 +15811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
smartmon_read_tmp_files(system_mail_t)
')
-@@ -197,6 +213,25 @@
+@@ -197,6 +212,25 @@
')
')
@@ -12944,9 +15837,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# User send mail local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.32/policy/modules/services/munin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.33/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/munin.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/munin.fc 2009-11-12 14:26:53.000000000 -0500
@@ -9,3 +9,6 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
@@ -12954,9 +15847,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.33/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/munin.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/munin.te 2009-11-12 14:26:53.000000000 -0500
@@ -33,7 +33,7 @@
# Local policy
#
@@ -12974,9 +15867,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.33/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/mysql.te 2009-11-12 14:26:53.000000000 -0500
@@ -136,7 +136,12 @@
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
@@ -12985,7 +15878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+
-+domain_getattr_all_domains(mysqld_safe_t)
++domain_read_all_domains_state(mysqld_safe_t)
+
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
@@ -12999,22 +15892,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.33/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2009-09-16 10:03:09.000000000 -0400
-@@ -1,16 +1,21 @@
++++ serefpolicy-3.6.33/policy/modules/services/nagios.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -1,16 +1,22 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
- /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
- /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
++/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++#/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:nagios_plugin_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
@@ -13027,9 +15923,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.33/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nagios.if 2009-11-12 14:26:53.000000000 -0500
@@ -64,7 +64,7 @@
########################################
@@ -13062,7 +15958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -92,10 +91,63 @@
+@@ -92,10 +91,82 @@
##
##
#
@@ -13078,6 +15974,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_search_spool($1)
+')
+
++######################################
++##
++## Read nagios logs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nagios_read_log',`
++ gen_require(`
++ type nagios_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, nagios_var_log_t, nagios_var_log_t)
++')
++
+########################################
+##
+## All of the rules required to administrate
@@ -13129,9 +16044,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, nrpe_etc_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.33/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nagios.te 2009-11-12 14:26:53.000000000 -0500
@@ -10,13 +10,12 @@
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)
@@ -13159,7 +16074,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)
-@@ -60,6 +62,8 @@
+@@ -33,6 +35,9 @@
+ type nrpe_etc_t;
+ files_config_file(nrpe_etc_t)
+
++type nrpe_var_run_t;
++files_pid_file(nrpe_var_run_t)
++
+ ########################################
+ #
+ # Nagios local policy
+@@ -60,6 +65,8 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
@@ -13168,7 +16093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
-@@ -127,39 +131,34 @@
+@@ -127,52 +134,57 @@
#
# Nagios CGI local policy
#
@@ -13178,46 +16103,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-allow nagios_cgi_t self:process signal_perms;
-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-+allow httpd_nagios_script_t self:process signal_perms;
-
+-
-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++allow httpd_nagios_script_t self:process signal_perms;
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-+files_search_spool(httpd_nagios_script_t)
-+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
++files_search_spool(httpd_nagios_script_t)
++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
+
+-kernel_read_system_state(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
--kernel_read_system_state(nagios_cgi_t)
+-corecmd_exec_bin(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
--corecmd_exec_bin(nagios_cgi_t)
-+kernel_read_system_state(httpd_nagios_script_t)
-
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
++kernel_read_system_state(httpd_nagios_script_t)
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
-+files_read_etc_runtime_files(httpd_nagios_script_t)
-+files_read_kernel_symbol_table(httpd_nagios_script_t)
++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
--
++files_read_etc_runtime_files(httpd_nagios_script_t)
++files_read_kernel_symbol_table(httpd_nagios_script_t)
+
-miscfiles_read_localization(nagios_cgi_t)
-
-optional_policy(`
@@ -13227,9 +16152,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc
+ # Nagios remote plugin executor local policy
+ #
+
++allow nrpe_t self:capability {setuid setgid};
+ dontaudit nrpe_t self:capability sys_tty_config;
+ allow nrpe_t self:process { setpgid signal_perms };
+ allow nrpe_t self:fifo_file rw_fifo_file_perms;
++allow nrpe_t self:tcp_socket create_stream_socket_perms;
+
+-allow nrpe_t nrpe_etc_t:file read_file_perms;
++read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
+ files_search_etc(nrpe_t)
+
++manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
++files_pid_filetrans(nrpe_t,nrpe_var_run_t,file)
++files_read_etc_files(nrpe_t)
++
++corenet_tcp_bind_generic_node(nrpe_t)
++corenet_tcp_bind_inetd_child_port(nrpe_t)
++corenet_sendrecv_unlabeled_packets(nrpe_t)
++
+ kernel_read_system_state(nrpe_t)
+ kernel_read_kernel_sysctls(nrpe_t)
+
+@@ -192,6 +204,8 @@
+
+ miscfiles_read_localization(nrpe_t)
+
++sysnet_read_config(nrpe_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+
+ optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.33/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2009-09-29 08:08:44.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/networkmanager.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,12 +1,26 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -13257,9 +16215,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.32/policy/modules/services/networkmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.33/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/networkmanager.if 2009-11-12 14:26:53.000000000 -0500
@@ -118,6 +118,24 @@
########################################
@@ -13285,13 +16243,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read NetworkManager PID files.
##
##
-@@ -134,3 +152,30 @@
+@@ -134,3 +152,50 @@
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+
+########################################
+##
++## Read NetworkManager PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_read_var_lib_files',`
++ gen_require(`
++ type NetworkManager_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
++ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
++')
++
++########################################
++##
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
+##
@@ -13316,9 +16294,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types NetworkManager_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.33/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-24 20:38:43.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/networkmanager.te 2009-11-12 14:26:53.000000000 -0500
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -13557,9 +16535,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.33/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nis.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,4 +1,7 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -13569,9 +16547,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.32/policy/modules/services/nis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.33/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nis.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nis.if 2009-11-12 14:26:53.000000000 -0500
@@ -28,7 +28,7 @@
type var_yp_t;
')
@@ -13713,9 +16691,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types ypbind_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.32/policy/modules/services/nis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.33/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nis.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nis.te 2009-11-12 14:26:53.000000000 -0500
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -13765,10 +16743,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.32/policy/modules/services/nscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.33/policy/modules/services/nscd.if
+--- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nscd.if 2009-11-12 14:26:53.000000000 -0500
+@@ -121,6 +121,24 @@
+
+ ########################################
+ ##
++## Use nscd services
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nscd_use',`
++ tunable_policy(`nscd_use_shm',`
++ nscd_shm_use($1)
++ ',`
++ nscd_socket_use($1)
++ ')
++')
++
++########################################
++##
+ ## Use NSCD services by mapping the database from
+ ## an inherited NSCD file descriptor.
+ ##
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.33/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nscd.te 2009-09-16 10:03:09.000000000 -0400
-@@ -91,6 +91,7 @@
++++ serefpolicy-3.6.33/policy/modules/services/nscd.te 2009-11-12 14:26:53.000000000 -0500
+@@ -5,6 +5,13 @@
+ class nscd all_nscd_perms;
+ ')
+
++##
++##
++## Allow confined applications to use nscd shared memory.
++##
++##
++gen_tunable(nscd_use_shm, false)
++
+ ########################################
+ #
+ # Declarations
+@@ -91,6 +98,7 @@
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
domain_use_interactive_fds(nscd_t)
@@ -13776,7 +16796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
-@@ -128,3 +129,12 @@
+@@ -128,3 +136,12 @@
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -13789,9 +16809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.32/policy/modules/services/nslcd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.33/policy/modules/services/nslcd.if
--- nsaserefpolicy/policy/modules/services/nslcd.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nslcd.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nslcd.if 2009-11-12 14:26:53.000000000 -0500
@@ -94,6 +94,7 @@
interface(`nslcd_admin',`
gen_require(`
@@ -13812,9 +16832,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.32/policy/modules/services/ntp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.33/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ntp.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ntp.if 2009-11-12 14:26:53.000000000 -0500
@@ -37,6 +37,32 @@
########################################
@@ -13882,9 +16902,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an ntp environment
##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.32/policy/modules/services/ntp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.33/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ntp.te 2009-09-21 08:21:35.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ntp.te 2009-11-12 14:26:53.000000000 -0500
@@ -41,10 +41,11 @@
# sys_resource and setrlimit is for locking memory
@@ -13931,9 +16951,258 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.6.33/policy/modules/services/nut.fc
+--- nsaserefpolicy/policy/modules/services/nut.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/nut.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,15 @@
++
++/usr/sbin/upsd -- gen_context(system_u:object_r:upsd_exec_t,s0)
++
++/usr/sbin/upsmon -- gen_context(system_u:object_r:upsmon_exec_t,s0)
++
++/sbin/upsdrvctl -- gen_context(system_u:object_r:upsdrvctl_exec_t,s0)
++
++/var/run/nut/upsdrvctl\.pid -- gen_context(system_u:object_r:upsdrvctl_var_run_t,s0)
++
++/var/run/nut/upsd\.pid -- gen_context(system_u:object_r:upsd_var_run_t,s0)
++
++/var/run/nut/upsmon\.pid -- gen_context(system_u:object_r:upsmon_var_run_t,s0)
++
++/var/run/nut/usbhid-ups-myups\.pid -- gen_context(system_u:object_r:upsdrvctl_var_run_t,s0)
++/var/run/nut/usbhid-ups-myups -s gen_context(system_u:object_r:upsdrvctl_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.6.33/policy/modules/services/nut.if
+--- nsaserefpolicy/policy/modules/services/nut.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/nut.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,82 @@
++## SELinux policy for nut - Network UPS Tools
++
++#####################################
++##
++## Execute a domain transition to run upsd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`upsd_domtrans',`
++ gen_require(`
++ type upsd_t, upsd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,upsd_exec_t,upsd_t)
++
++')
++
++####################################
++##
++## Execute a domain transition to run upsmon.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`upsmon_domtrans',`
++ gen_require(`
++ type upsmon_t, upsmon_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,upsmon_exec_t,upsmon_t)
++
++')
++
++####################################
++##
++## Execute a domain transition to run upsdrvctl.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`upsdrvctl_domtrans',`
++ gen_require(`
++ type upsdrvctl_t, upsdrvctl_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,upsdrvctl_exec_t,upsdrvctl_t)
++
++')
++
++####################################
++##
++## Connect to upsdrvctl over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`upsdrvctl_stream_connect',`
++ gen_require(`
++ type upsdrvctl_t, upsdrvctl_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, upsdrvctl_var_run_t, upsdrvctl_var_run_t, upsdrvctl_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.33/policy/modules/services/nut.te
+--- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/nut.te 2009-11-13 15:33:43.000000000 -0500
+@@ -0,0 +1,140 @@
++
++policy_module(nut,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type upsd_t;
++type upsd_exec_t;
++init_daemon_domain(upsd_t,upsd_exec_t)
++
++type upsd_var_run_t;
++files_pid_file(upsd_var_run_t)
++
++type upsmon_t;
++type upsmon_exec_t;
++init_daemon_domain(upsmon_t,upsmon_exec_t)
++
++type upsmon_var_run_t;
++files_pid_file(upsmon_var_run_t)
++
++type upsdrvctl_t;
++type upsdrvctl_exec_t;
++init_daemon_domain(upsdrvctl_t, upsdrvctl_exec_t)
++
++type upsdrvctl_var_run_t;
++files_pid_file(upsdrvctl_var_run_t)
++
++permissive upsd_t;
++permissive upsdrvctl_t;
++permissive upsmon_t;
++
++#######################################
++#
++# upsd local policy
++#
++
++allow upsd_t self:capability { setuid setgid };
++
++allow upsd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow upsd_t self:tcp_socket create_stream_socket_perms;
++
++# pid file
++manage_files_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t)
++manage_dirs_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t)
++manage_sock_files_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t)
++files_pid_filetrans(upsd_t, upsd_var_run_t, { file })
++
++rw_files_pattern(upsd_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t)
++
++corenet_tcp_bind_ups_port(upsd_t)
++corenet_tcp_bind_generic_node(upsd_t)
++
++kernel_read_kernel_sysctls(upsd_t)
++
++files_read_etc_files(upsd_t)
++files_read_usr_files(upsd_t)
++
++auth_use_nsswitch(upsd_t)
++
++sysnet_read_config(upsd_t)
++
++logging_send_syslog_msg(upsd_t)
++
++miscfiles_read_localization(upsd_t)
++
++optional_policy(`
++ upsdrvctl_stream_connect(upsd_t)
++')
++
++######################################
++#
++# upsmon local policy
++#
++
++allow upsmon_t self:capability { dac_override setuid setgid };
++
++allow upsmon_t self:fifo_file rw_fifo_file_perms;
++allow upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
++allow upsmon_t self:tcp_socket create_stream_socket_perms;
++
++# pid file
++manage_files_pattern(upsmon_t, upsmon_var_run_t, upsmon_var_run_t)
++manage_dirs_pattern(upsmon_t, upsmon_var_run_t, upsmon_var_run_t)
++files_pid_filetrans(upsmon_t, upsmon_var_run_t, { file })
++
++rw_sock_files_pattern(upsmon_t,upsd_var_run_t,upsd_var_run_t)
++
++corenet_tcp_connect_ups_port(upsmon_t)
++
++corecmd_exec_bin(upsmon_t)
++corecmd_exec_shell(upsmon_t)
++
++kernel_read_kernel_sysctls(upsmon_t)
++kernel_read_system_state(upsmon_t)
++
++files_read_etc_files(upsmon_t)
++
++auth_use_nsswitch(upsmon_t)
++
++init_read_utmp(upsmon_t)
++
++logging_send_syslog_msg(upsmon_t)
++
++miscfiles_read_localization(upsmon_t)
++
++######################################
++#
++# ups local policy
++#
++
++allow upsdrvctl_t self:capability { dac_override kill setuid setgid };
++allow upsdrvctl_t self:process { signal signull };
++
++allow upsdrvctl_t self:fifo_file rw_fifo_file_perms;
++allow upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
++
++# pid file
++manage_files_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t)
++manage_dirs_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t)
++manage_sock_files_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t)
++files_pid_filetrans(upsdrvctl_t, upsdrvctl_var_run_t, { file sock_file })
++
++corecmd_exec_bin(upsdrvctl_t)
++
++kernel_read_kernel_sysctls(upsdrvctl_t)
++
++dev_rw_generic_usb_dev(upsdrvctl_t)
++
++term_use_unallocated_ttys(upsdrvctl_t)
++
++files_read_etc_files(upsdrvctl_t)
++
++sysnet_read_config(upsdrvctl_t)
++
++logging_send_syslog_msg(upsdrvctl_t)
++
++miscfiles_read_localization(upsdrvctl_t)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.33/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nx.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,6 +1,7 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
@@ -13942,9 +17211,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.33/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nx.if 2009-11-12 14:26:53.000000000 -0500
@@ -17,3 +17,22 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
@@ -13968,9 +17237,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.32/policy/modules/services/nx.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.33/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nx.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/nx.te 2009-11-12 14:26:53.000000000 -0500
@@ -25,6 +25,9 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -13991,9 +17260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.32/policy/modules/services/oddjob.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.33/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/oddjob.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/oddjob.if 2009-11-12 14:26:53.000000000 -0500
@@ -44,6 +44,7 @@
')
@@ -14002,9 +17271,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.33/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/openvpn.te 2009-11-12 14:26:53.000000000 -0500
@@ -100,6 +100,8 @@
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
@@ -14014,9 +17283,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.32/policy/modules/services/pcscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.6.33/policy/modules/services/pcscd.if
+--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/pcscd.if 2009-11-12 14:26:53.000000000 -0500
+@@ -53,6 +53,5 @@
+ ')
+
+ files_search_pids($1)
+- allow $1 pcscd_var_run_t:sock_file write;
+- allow $1 pcscd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.33/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/pcscd.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/pcscd.te 2009-11-12 14:26:53.000000000 -0500
@@ -29,6 +29,7 @@
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -14025,7 +17305,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
-@@ -46,6 +47,8 @@
+@@ -40,12 +41,15 @@
+ corenet_tcp_connect_http_port(pcscd_t)
+
+ dev_rw_generic_usb_dev(pcscd_t)
++dev_rw_smartcard(pcscd_t)
+ dev_rw_usbfs(pcscd_t)
+ dev_search_sysfs(pcscd_t)
+
files_read_etc_files(pcscd_t)
files_read_etc_runtime_files(pcscd_t)
@@ -14034,9 +17321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_unallocated_ttys(pcscd_t)
term_dontaudit_getattr_pty_dirs(pcscd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.32/policy/modules/services/pegasus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.33/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/pegasus.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/pegasus.te 2009-11-12 14:26:53.000000000 -0500
@@ -30,7 +30,7 @@
# Local policy
#
@@ -14108,18 +17395,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.6.32/policy/modules/services/plymouth.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.6.33/policy/modules/services/plymouth.fc
--- nsaserefpolicy/policy/modules/services/plymouth.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.fc 2009-09-30 13:21:52.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/plymouth.fc 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,5 @@
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0)
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0)
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.32/policy/modules/services/plymouth.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.33/policy/modules/services/plymouth.if
--- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 2009-09-30 13:20:45.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/plymouth.if 2009-11-12 14:26:53.000000000 -0500
@@ -0,0 +1,286 @@
+## policy for plymouthd
+
@@ -14407,10 +17694,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.33/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-09-30 13:18:14.000000000 -0400
-@@ -0,0 +1,86 @@
++++ serefpolicy-3.6.33/policy/modules/services/plymouth.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,97 @@
+policy_module(plymouthd, 1.0.0)
+
+########################################
@@ -14455,9 +17742,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouthd_t)
++kernel_request_load_module(plymouthd_t)
++kernel_change_ring_buffer_level(plymouthd_t)
+
+dev_rw_dri(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
++dev_read_framebuffer(plymouthd_t)
++dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
@@ -14497,9 +17788,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_localization(plymouth_t)
+
+plymouth_stream_connect(plymouth_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.32/policy/modules/services/policykit.fc
++
++ifdef(`hide_broken_symptoms', `
++optional_policy(`
++ hal_dontaudit_write_log(plymouth_t)
++ hal_dontaudit_rw_pipes(plymouth_t)
++')
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.33/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/policykit.fc 2009-11-12 14:26:53.000000000 -0500
@@ -6,10 +6,13 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -14515,9 +17813,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.32/policy/modules/services/policykit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.33/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/policykit.if 2009-11-12 14:26:53.000000000 -0500
@@ -17,6 +17,8 @@
class dbus send_msg;
')
@@ -14585,9 +17883,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 policykit_auth_t:process signal;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.33/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-09-18 17:05:02.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/policykit.te 2009-11-12 14:26:53.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -14605,7 +17903,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(policykit_t)
-@@ -62,27 +63,46 @@
+@@ -57,32 +58,52 @@
+ manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+ files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
++kernel_read_system_state(policykit_t)
+ kernel_read_kernel_sysctls(policykit_t)
+
files_read_etc_files(policykit_t)
files_read_usr_files(policykit_t)
@@ -14656,7 +17960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -92,12 +112,14 @@
+@@ -92,12 +113,14 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -14673,7 +17977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(policykit_auth_t)
-@@ -106,7 +128,7 @@
+@@ -106,7 +129,7 @@
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
@@ -14682,7 +17986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -119,6 +141,14 @@
+@@ -119,6 +142,14 @@
hal_read_state(policykit_auth_t)
')
@@ -14697,7 +18001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# polkit_grant local policy
-@@ -126,7 +156,8 @@
+@@ -126,7 +157,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -14707,7 +18011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -156,9 +187,12 @@
+@@ -156,9 +188,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -14721,7 +18025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -170,7 +204,8 @@
+@@ -170,7 +205,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -14731,9 +18035,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.32/policy/modules/services/postfix.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.33/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/postfix.fc 2009-11-12 14:26:53.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -14747,9 +18051,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.32/policy/modules/services/postfix.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.33/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/postfix.if 2009-11-12 14:26:53.000000000 -0500
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -14996,9 +18300,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types postfix_postdrop_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.33/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2009-09-29 17:17:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/postfix.te 2009-11-12 14:26:53.000000000 -0500
@@ -6,6 +6,15 @@
# Declarations
#
@@ -15159,7 +18463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -240,11 +268,16 @@
+@@ -240,11 +268,18 @@
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
@@ -15169,6 +18473,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(postfix_cleanup_t)
++mta_read_aliases(postfix_cleanup_t)
++
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
@@ -15176,7 +18482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Postfix local local policy
-@@ -253,10 +286,6 @@
+@@ -253,10 +288,6 @@
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
@@ -15187,7 +18493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -270,18 +299,29 @@
+@@ -270,18 +301,29 @@
files_read_etc_files(postfix_local_t)
@@ -15217,7 +18523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -292,8 +332,7 @@
+@@ -292,8 +334,7 @@
#
# Postfix map local policy
#
@@ -15227,7 +18533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -340,14 +379,15 @@
+@@ -340,14 +381,15 @@
miscfiles_read_localization(postfix_map_t)
@@ -15247,7 +18553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Postfix pickup local policy
-@@ -372,6 +412,7 @@
+@@ -372,6 +414,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -15255,7 +18561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -379,6 +420,12 @@
+@@ -379,6 +422,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -15268,7 +18574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -388,6 +435,15 @@
+@@ -388,6 +437,15 @@
')
optional_policy(`
@@ -15284,7 +18590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -415,6 +471,10 @@
+@@ -415,6 +473,10 @@
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
@@ -15295,7 +18601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-@@ -424,8 +484,11 @@
+@@ -424,8 +486,11 @@
')
optional_policy(`
@@ -15309,7 +18615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -451,6 +514,15 @@
+@@ -451,6 +516,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -15325,7 +18631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Postfix qmgr local policy
-@@ -464,6 +536,7 @@
+@@ -464,6 +538,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -15333,7 +18639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -505,7 +578,7 @@
+@@ -505,7 +580,7 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -15342,7 +18648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +608,18 @@
+@@ -535,9 +610,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -15361,7 +18667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -559,20 +641,22 @@
+@@ -559,20 +643,22 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -15389,20 +18695,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.32/policy/modules/services/postgresql.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.33/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/postgresql.fc 2009-09-16 10:03:09.000000000 -0400
-@@ -2,6 +2,7 @@
++++ serefpolicy-3.6.33/policy/modules/services/postgresql.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -2,6 +2,8 @@
# /etc
#
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
++/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
#
# /usr
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.32/policy/modules/services/postgresql.if
+@@ -9,13 +11,11 @@
+ /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+-/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+-/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+-
+-/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
++/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+ ifdef(`distro_debian', `
+-/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/lib(64)?/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ ')
+
+ ifdef(`distro_redhat', `
+@@ -38,8 +38,6 @@
+ /var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+ /var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
+-ifdef(`distro_redhat', `
+-/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+-')
+-
+ /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
++
++/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.33/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/postgresql.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/postgresql.if 2009-11-12 14:26:53.000000000 -0500
@@ -384,3 +384,46 @@
typeattribute $1 sepgsql_unconfined_type;
@@ -15450,9 +18785,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, postgresql_tmp_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.32/policy/modules/services/postgresql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.33/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/postgresql.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/postgresql.te 2009-11-12 14:26:53.000000000 -0500
@@ -32,6 +32,9 @@
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
@@ -15497,9 +18832,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(postgresql_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.32/policy/modules/services/ppp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.33/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ppp.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ppp.if 2009-11-12 14:26:53.000000000 -0500
@@ -177,10 +177,16 @@
interface(`ppp_run',`
gen_require(`
@@ -15517,9 +18852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.33/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2009-09-21 08:21:54.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ppp.te 2009-11-12 14:26:53.000000000 -0500
@@ -38,7 +38,7 @@
files_type(pppd_etc_rw_t)
@@ -15571,20 +18906,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(pptp_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.33/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2009-09-18 21:24:50.000000000 -0400
-@@ -123,6 +123,7 @@
++++ serefpolicy-3.6.33/policy/modules/services/prelude.te 2009-11-12 14:26:53.000000000 -0500
+@@ -122,7 +122,8 @@
+ #
# prelude_audisp local policy
#
- allow prelude_audisp_t self:capability dac_override;
+-allow prelude_audisp_t self:capability dac_override;
++allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
+allow prelude_audisp_t self:process { getcap setcap };
allow prelude_audisp_t self:fifo_file rw_file_perms;
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.32/policy/modules/services/privoxy.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.6.33/policy/modules/services/privoxy.fc
+--- nsaserefpolicy/policy/modules/services/privoxy.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/privoxy.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -1,6 +1,5 @@
+
+-/etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+-/etc/privoxy/default\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
++/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+ /etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
+
+ /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.33/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/privoxy.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/privoxy.te 2009-11-12 14:26:53.000000000 -0500
@@ -47,9 +47,8 @@
manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
@@ -15596,9 +18944,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(privoxy_t)
corenet_all_recvfrom_netlabel(privoxy_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.32/policy/modules/services/procmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.33/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/procmail.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/procmail.te 2009-11-12 14:26:53.000000000 -0500
@@ -22,7 +22,7 @@
# Local policy
#
@@ -15646,9 +18994,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.32/policy/modules/services/pyzor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.33/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/pyzor.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/pyzor.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -15660,9 +19008,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.32/policy/modules/services/pyzor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.33/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/pyzor.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/pyzor.if 2009-11-12 14:26:53.000000000 -0500
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
@@ -15714,9 +19062,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.32/policy/modules/services/pyzor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.33/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/pyzor.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/pyzor.te 2009-11-12 14:26:53.000000000 -0500
@@ -6,6 +6,38 @@
# Declarations
#
@@ -15781,9 +19129,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.32/policy/modules/services/radvd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.33/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/radvd.te 2009-09-21 22:37:52.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/radvd.te 2009-11-12 14:26:53.000000000 -0500
@@ -41,6 +41,7 @@
kernel_rw_net_sysctls(radvd_t)
kernel_read_network_state(radvd_t)
@@ -15792,17 +19140,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(radvd_t)
corenet_all_recvfrom_netlabel(radvd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.32/policy/modules/services/razor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.33/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/razor.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/razor.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.32/policy/modules/services/razor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.33/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/razor.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/razor.if 2009-11-12 14:26:53.000000000 -0500
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -15849,9 +19197,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.32/policy/modules/services/razor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.33/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/razor.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/razor.te 2009-11-12 14:26:53.000000000 -0500
@@ -6,6 +6,32 @@
# Declarations
#
@@ -15903,20 +19251,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.6.32/policy/modules/services/rgmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.6.33/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.fc 2009-09-16 10:03:09.000000000 -0400
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.6.33/policy/modules/services/rgmanager.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,8 @@
+
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if
++
++/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.33/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2009-09-16 10:03:09.000000000 -0400
-@@ -0,0 +1,40 @@
++++ serefpolicy-3.6.33/policy/modules/services/rgmanager.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,59 @@
+## SELinux policy for rgmanager
+
+#######################################
@@ -15957,10 +19307,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te
++########################################
++##
++## Connect to rgmanager over an unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_stream_connect',`
++ gen_require(`
++ type rgmanager_t, rgmanager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.33/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2009-09-16 10:03:09.000000000 -0400
-@@ -0,0 +1,54 @@
++++ serefpolicy-3.6.33/policy/modules/services/rgmanager.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,83 @@
+
+policy_module(rgmanager,1.0.0)
+
@@ -15974,6 +19343,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+domain_type(rgmanager_t)
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
++# tmp files
++type rgmanager_tmp_t;
++files_tmp_file(rgmanager_tmp_t)
++
+# log files
+type rgmanager_var_log_t;
+logging_log_file(rgmanager_var_log_t)
@@ -15988,13 +19361,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+
+allow rgmanager_t self:capability { sys_nice ipc_lock };
-+allow rgmanager_t self:process setsched;
++allow rgmanager_t self:process { setsched signal ptrace };
+
+allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
+
++# tmp files
++manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
++manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
++files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
++
+# log files
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file })
@@ -16002,7 +19380,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# pid file
+manage_files_pattern(rgmanager_t, rgmanager_var_run_t,rgmanager_var_run_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
-+files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file })
++files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file })
++
++aisexec_stream_connect(rgmanager_t)
++groupd_stream_connect(rgmanager_t)
++
++corecmd_exec_bin(rgmanager_t)
++corecmd_exec_sbin(rgmanager_t)
++corecmd_exec_shell(rgmanager_t)
++consoletype_exec(rgmanager_t)
++
++kernel_search_debugfs(rgmanager_t)
++
++fs_getattr_xattr_fs(rgmanager_t)
++
++# need to write to /dev/misc/dlm-control
++dev_manage_generic_chr_files(rgmanager_t)
++dev_search_sysfs(rgmanager_t)
+
+auth_use_nsswitch(rgmanager_t)
+
@@ -16015,10 +19409,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive rgmanager_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc
++optional_policy(`
++ ccs_stream_connect(rgmanager_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.33/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2009-09-25 16:23:28.000000000 -0400
-@@ -0,0 +1,21 @@
++++ serefpolicy-3.6.33/policy/modules/services/rhcs.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,22 @@
+
+/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
@@ -16028,6 +19426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+
+/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
@@ -16040,12 +19439,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.6.32/policy/modules/services/rhcs.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.6.33/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/rhcs.if 2009-09-25 16:23:28.000000000 -0400
-@@ -0,0 +1,309 @@
++++ serefpolicy-3.6.33/policy/modules/services/rhcs.if 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,348 @@
+## SELinux policy for RHCS - Red Hat Cluster Suite
+
++######################################
++##
++## Execute a domain transition to run groupd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`groupd_domtrans',`
++ gen_require(`
++ type groupd_t, groupd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,groupd_exec_t,groupd_t)
++')
++
+#####################################
+##
+## Connect to groupd over a unix domain
@@ -16353,10 +19771,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te
++######################################
++##
++## Execute a domain transition to run qdiskd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`qdiskd_domtrans',`
++ gen_require(`
++ type qdiskd_t, qdiskd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,qdiskd_exec_t,qdiskd_t)
++')
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.33/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2009-09-25 16:23:28.000000000 -0400
-@@ -0,0 +1,340 @@
++++ serefpolicy-3.6.33/policy/modules/services/rhcs.te 2009-11-12 14:26:53.000000000 -0500
+@@ -0,0 +1,394 @@
+
+policy_module(rhcs,1.0.0)
+
@@ -16365,6 +19803,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# Declarations
+#
+
++##
++##
++## Allow fenced domain to connect to the network using TCP.
++##
++##
++gen_tunable(fenced_can_network_connect, false)
++
+type dlm_controld_t;
+type dlm_controld_exec_t;
+init_daemon_domain(dlm_controld_t, dlm_controld_exec_t)
@@ -16503,7 +19948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# fenced local policy
+#
+
-+allow fenced_t self:capability { sys_nice sys_resource };
++allow fenced_t self:capability { sys_nice sys_rawio sys_resource };
+allow fenced_t self:process { setsched getsched };
+
+allow fenced_t self:fifo_file rw_fifo_file_perms;
@@ -16532,7 +19977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t)
+manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
+manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
-+files_pid_filetrans(fenced_t,fenced_var_run_t, { file })
++files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file })
+
+stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+aisexec_stream_connect(fenced_t)
@@ -16540,9 +19985,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+corecmd_exec_bin(fenced_t)
+
-+dev_list_sysfs(fenced_t)
++dev_read_sysfs(fenced_t)
+dev_read_urand(fenced_t)
+
++storage_raw_read_fixed_disk(fenced_t)
++storage_raw_write_fixed_disk(fenced_t)
++storage_raw_read_removable_device(fenced_t)
++
+auth_use_nsswitch(fenced_t)
+
+files_read_usr_symlinks(fenced_t)
@@ -16554,6 +20003,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+miscfiles_read_localization(fenced_t)
+
++tunable_policy(`fenced_can_network_connect',`
++ corenet_tcp_connect_all_ports(fenced_t)
++')
++
++optional_policy(`
++ ccs_read_config(fenced_t)
++')
++
++optional_policy(`
++ lvm_domtrans(fenced_t)
++ lvm_read_config(fenced_t)
++')
++
+######################################
+#
+# gfs_controld local policy
@@ -16591,6 +20053,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+kernel_read_system_state(gfs_controld_t)
+
++storage_getattr_removable_dev(gfs_controld_t)
++
+dev_manage_generic_chr_files(gfs_controld_t)
+#dev_read_sysfs(gfs_controld_t)
+dev_rw_sysfs(gfs_controld_t)
@@ -16604,6 +20068,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+miscfiles_read_localization(gfs_controld_t)
+
++optional_policy(`
++ lvm_exec(gfs_controld_t)
++ dev_rw_lvm_control(gfs_controld_t)
++')
++
+#######################################
+#
+# groupd local policy
@@ -16657,8 +20126,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow qdiskd_t self:process setsched;
+
+allow qdiskd_t self:sem create_sem_perms;
++allow qdiskd_t self:udp_socket create_socket_perms;
++allow qdiskd_t self:udp_socket create_socket_perms;
+allow qdiskd_t self:unix_dgram_socket create_socket_perms;
-+allow qdiskd_t self:fifo_file rw_fifo_file_perms;
+allow qdiskd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
@@ -16683,11 +20153,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+aisexec_stream_connect(qdiskd_t)
+ccs_stream_connect(qdiskd_t)
+
-+kernel_read_system_state(qdiskd_t)
++corecmd_exec_shell(qdiskd_t)
+
++kernel_read_system_state(qdiskd_t)
++kernel_read_software_raid_state(qdiskd_t)
++
++dev_read_sysfs(qdiskd_t)
++dev_list_all_dev_nodes(qdiskd_t)
++dev_getattr_all_blk_files(qdiskd_t)
++dev_getattr_all_chr_files(qdiskd_t)
++dev_manage_generic_blk_files(qdiskd_t)
++dev_manage_generic_chr_files(qdiskd_t)
++
++storage_raw_read_removable_device(qdiskd_t)
++storage_raw_write_removable_device(qdiskd_t)
+storage_raw_read_fixed_disk(qdiskd_t)
+storage_raw_write_fixed_disk(qdiskd_t)
+
++domain_dontaudit_getattr_all_pipes(qdiskd_t)
++domain_dontaudit_getattr_all_sockets(qdiskd_t)
++
++auth_use_nsswitch(qdiskd_t)
++
+files_read_etc_files(qdiskd_t)
+
+libs_use_ld_so(qdiskd_t)
@@ -16697,10 +20184,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+miscfiles_read_localization(qdiskd_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.32/policy/modules/services/ricci.te
++optional_policy(`
++ netutils_domtrans_ping(qdiskd_t)
++')
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.33/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ricci.te 2009-09-29 09:58:56.000000000 -0400
-@@ -227,6 +227,10 @@
++++ serefpolicy-3.6.33/policy/modules/services/ricci.te 2009-11-12 14:26:53.000000000 -0500
+@@ -194,10 +194,13 @@
+ # ricci_modcluster local policy
+ #
+
+-allow ricci_modcluster_t self:capability sys_nice;
++allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
+ allow ricci_modcluster_t self:process setsched;
+ allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
+
++corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
++corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
++
+ kernel_read_kernel_sysctls(ricci_modcluster_t)
+ kernel_read_system_state(ricci_modcluster_t)
+
+@@ -227,6 +230,10 @@
ricci_stream_connect_modclusterd(ricci_modcluster_t)
optional_policy(`
@@ -16711,7 +20218,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ccs_stream_connect(ricci_modcluster_t)
ccs_domtrans(ricci_modcluster_t)
ccs_manage_config(ricci_modcluster_t)
-@@ -264,6 +268,7 @@
+@@ -245,6 +252,10 @@
+ ')
+
+ optional_policy(`
++ rgmanager_stream_connect(ricci_modclusterd_t)
++')
++
++optional_policy(`
+ # XXX This has got to go.
+ unconfined_domain(ricci_modcluster_t)
+ ')
+@@ -264,6 +275,7 @@
allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
@@ -16719,7 +20237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
-@@ -306,6 +311,10 @@
+@@ -306,12 +318,20 @@
sysnet_dns_name_resolve(ricci_modclusterd_t)
optional_policy(`
@@ -16730,7 +20248,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ccs_domtrans(ricci_modclusterd_t)
ccs_stream_connect(ricci_modclusterd_t)
ccs_read_config(ricci_modclusterd_t)
-@@ -440,6 +449,10 @@
+ ')
+
+ optional_policy(`
++ rgmanager_stream_connect(ricci_modclusterd_t)
++')
++
++optional_policy(`
+ unconfined_use_fds(ricci_modclusterd_t)
+ ')
+
+@@ -440,6 +460,10 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -16741,7 +20269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-@@ -457,6 +470,10 @@
+@@ -457,6 +481,10 @@
mount_domtrans(ricci_modstorage_t)
optional_policy(`
@@ -16752,9 +20280,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.32/policy/modules/services/rpcbind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.33/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/rpcbind.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/rpcbind.if 2009-11-12 14:26:53.000000000 -0500
@@ -97,6 +97,26 @@
########################################
@@ -16782,9 +20310,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an rpcbind environment
##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.33/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/rpcbind.te 2009-11-12 14:26:53.000000000 -0500
+@@ -42,6 +42,7 @@
+
+ kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
++kernel_request_load_module(rpcbind_t)
+
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
+ corenet_all_recvfrom_netlabel(rpcbind_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.33/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-25 10:42:34.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/rpc.if 2009-11-12 14:26:53.000000000 -0500
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -16813,9 +20352,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole($1_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.33/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-25 10:42:43.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/rpc.te 2009-11-12 14:26:53.000000000 -0500
@@ -53,7 +53,7 @@
# RPC local policy
#
@@ -16888,7 +20427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
-@@ -199,6 +211,8 @@
+@@ -199,10 +211,13 @@
mount_signal(gssd_t)
@@ -16897,9 +20436,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.32/policy/modules/services/rsync.te
+ userdom_read_user_tmp_symlinks(gssd_t)
++ userdom_dontaudit_write_user_tmp_files(gssd_t)
+ ')
+
+ optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.33/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/rsync.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/rsync.te 2009-11-12 14:26:53.000000000 -0500
@@ -8,6 +8,13 @@
##
@@ -16942,9 +20486,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
auth_can_read_shadow_passwords(rsync_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.6.32/policy/modules/services/rtkit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.6.33/policy/modules/services/rtkit.if
--- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/rtkit.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/rtkit.if 2009-11-12 14:26:53.000000000 -0500
@@ -38,3 +38,23 @@
allow $1 rtkit_daemon_t:dbus send_msg;
allow rtkit_daemon_t $1:dbus send_msg;
@@ -16969,9 +20513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.6.32/policy/modules/services/rtkit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.6.33/policy/modules/services/rtkit.te
--- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/rtkit.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/rtkit.te 2009-11-12 14:26:53.000000000 -0500
@@ -17,9 +17,11 @@
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
@@ -16984,9 +20528,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_read_all_domains_state(rtkit_daemon_t)
fs_rw_anon_inodefs_files(rtkit_daemon_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.32/policy/modules/services/samba.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.33/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/samba.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/samba.fc 2009-11-12 14:26:53.000000000 -0500
@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -16995,9 +20539,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.32/policy/modules/services/samba.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.33/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/samba.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/samba.if 2009-11-12 14:26:53.000000000 -0500
@@ -62,6 +62,25 @@
########################################
@@ -17170,9 +20714,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.33/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-09-17 14:03:16.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/samba.te 2009-11-12 14:26:53.000000000 -0500
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -17404,9 +20948,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.32/policy/modules/services/sasl.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.33/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sasl.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/sasl.te 2009-11-12 14:26:53.000000000 -0500
@@ -31,7 +31,7 @@
# Local policy
#
@@ -17469,9 +21013,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(saslauthd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.32/policy/modules/services/sendmail.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.33/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sendmail.if 2009-09-29 17:16:32.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/sendmail.if 2009-11-12 14:26:53.000000000 -0500
@@ -59,20 +59,20 @@
########################################
@@ -17644,9 +21188,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.33/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2009-09-21 08:22:05.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/sendmail.te 2009-11-12 14:26:53.000000000 -0500
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -17822,18 +21366,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.32/policy/modules/services/setroubleshoot.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.33/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/setroubleshoot.fc 2009-11-12 14:26:53.000000000 -0500
@@ -5,3 +5,5 @@
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.33/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if 2009-09-24 14:40:15.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/setroubleshoot.if 2009-11-12 14:26:53.000000000 -0500
@@ -16,8 +16,8 @@
')
@@ -17845,7 +21389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -36,6 +36,102 @@
+@@ -36,6 +36,123 @@
type setroubleshootd_t, setroubleshoot_var_run_t;
')
@@ -17877,6 +21421,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
++## dontaudit send and receive messages from
++## setroubleshoot over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`setroubleshoot_dontaudit_dbus_chat',`
++ gen_require(`
++ type setroubleshootd_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 setroubleshootd_t:dbus send_msg;
++ dontaudit setroubleshootd_t $1:dbus send_msg;
++')
++
++########################################
++##
+## Send and receive messages from
+## setroubleshoot over dbus.
+##
@@ -17949,9 +21514,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.33/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-09-24 14:38:01.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/setroubleshoot.te 2009-11-12 14:26:53.000000000 -0500
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -17993,7 +21558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dev_getattr_all_chr_files(setroubleshootd_t)
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
-+ domain_signull_all_domains(setroubleshootd_t)
++domain_signull_all_domains(setroubleshootd_t)
files_read_usr_files(setroubleshootd_t)
files_read_etc_files(setroubleshootd_t)
@@ -18013,7 +21578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -94,23 +113,72 @@
+@@ -94,23 +113,76 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -18040,7 +21605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-+ rpm_signull(setroubleshootd_t)
++ rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
@@ -18055,13 +21620,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
+
++allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
++
+setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+setroubleshoot_stream_connect(setroubleshoot_fixit_t)
+
+corecmd_exec_bin(setroubleshoot_fixit_t)
+corecmd_exec_shell(setroubleshoot_fixit_t)
+
-+seutil_domtrans_restorecon(setroubleshoot_fixit_t)
++seutil_domtrans_setfiles(setroubleshoot_fixit_t)
++seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+
+files_read_usr_files(setroubleshoot_fixit_t)
+files_read_etc_files(setroubleshoot_fixit_t)
@@ -18077,6 +21645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_localization(setroubleshoot_fixit_t)
+
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
++userdom_signull_unpriv_users(setroubleshoot_fixit_t)
+
+optional_policy(`
+ rpm_signull(setroubleshoot_fixit_t)
@@ -18088,9 +21657,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.32/policy/modules/services/smartmon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.33/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/smartmon.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/smartmon.te 2009-11-12 14:26:53.000000000 -0500
@@ -19,14 +19,18 @@
type fsdaemon_tmp_t;
files_tmp_file(fsdaemon_tmp_t)
@@ -18151,9 +21720,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.32/policy/modules/services/snmp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.33/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/snmp.if 2009-09-16 12:22:59.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/snmp.if 2009-11-12 14:26:53.000000000 -0500
@@ -50,6 +50,24 @@
########################################
@@ -18206,9 +21775,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## All of the rules required to administrate
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.33/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2009-09-29 17:04:42.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/snmp.te 2009-11-12 14:26:53.000000000 -0500
@@ -27,7 +27,7 @@
#
allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
@@ -18227,9 +21796,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_list_sysfs(snmpd_t)
dev_read_sysfs(snmpd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.32/policy/modules/services/spamassassin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.33/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.fc 2009-09-24 13:21:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/spamassassin.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,15 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -18259,9 +21828,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.33/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/spamassassin.if 2009-11-12 14:26:53.000000000 -0500
@@ -111,6 +111,27 @@
')
@@ -18370,9 +21939,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.33/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2009-09-24 13:20:36.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/spamassassin.te 2009-11-12 14:26:53.000000000 -0500
@@ -20,6 +20,35 @@
##
gen_tunable(spamd_enable_home_dirs, true)
@@ -18490,11 +22059,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -246,9 +307,15 @@
+@@ -246,9 +307,16 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
+files_list_var_lib(spamc_t)
++list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
+fs_search_auto_mountpoints(spamc_t)
@@ -18506,7 +22076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -256,27 +323,40 @@
+@@ -256,27 +324,40 @@
sysnet_read_config(spamc_t)
@@ -18553,7 +22123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -288,7 +368,7 @@
+@@ -288,7 +369,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -18562,7 +22132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -304,10 +384,17 @@
+@@ -304,10 +385,17 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -18581,7 +22151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -316,10 +403,12 @@
+@@ -316,10 +404,12 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -18595,7 +22165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -369,22 +458,27 @@
+@@ -369,22 +459,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -18627,7 +22197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_manage_cifs_files(spamd_t)
')
-@@ -402,23 +496,16 @@
+@@ -402,23 +497,16 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -18652,7 +22222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
postfix_read_config(spamd_t)
')
-@@ -433,6 +520,10 @@
+@@ -433,6 +521,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -18663,7 +22233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -445,5 +536,9 @@
+@@ -445,5 +537,9 @@
')
optional_policy(`
@@ -18673,9 +22243,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
udev_read_db(spamd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.32/policy/modules/services/squid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.33/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/squid.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/squid.te 2009-11-12 14:26:53.000000000 -0500
@@ -67,7 +67,9 @@
can_exec(squid_t, squid_exec_t)
@@ -18704,18 +22274,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.32/policy/modules/services/ssh.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.33/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ssh.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ssh.fc 2009-11-12 14:26:53.000000000 -0500
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.33/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ssh.if 2009-11-12 14:26:53.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -18830,15 +22400,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
-@@ -206,6 +198,7 @@
+@@ -206,6 +198,8 @@
allow $1_t sshd_key_t:file read_file_perms;
kernel_read_kernel_sysctls($1_t)
+ kernel_read_network_state($1_t)
++ kernel_request_load_module(ssh_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
-@@ -221,7 +214,12 @@
+@@ -221,7 +215,12 @@
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
@@ -18851,7 +22422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_dontaudit_getattr_all_fs($1_t)
-@@ -237,18 +235,23 @@
+@@ -237,18 +236,23 @@
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
@@ -18877,7 +22448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`use_samba_home_dirs',`
-@@ -257,15 +260,11 @@
+@@ -257,15 +261,11 @@
optional_policy(`
kerberos_use($1_t)
@@ -18895,7 +22466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -337,6 +336,7 @@
+@@ -337,6 +337,7 @@
allow ssh_t $3:unix_stream_socket connectto;
# user can manage the keys and config
@@ -18903,7 +22474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern($3, home_ssh_t, home_ssh_t)
manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t)
manage_sock_files_pattern($3, home_ssh_t, home_ssh_t)
-@@ -446,6 +446,24 @@
+@@ -446,6 +447,24 @@
########################################
##
@@ -18928,7 +22499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read a ssh server unnamed pipe.
##
##
-@@ -461,6 +479,23 @@
+@@ -461,6 +480,23 @@
allow $1 sshd_t:fifo_file { getattr read };
')
@@ -18952,7 +22523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
-@@ -603,3 +638,83 @@
+@@ -603,3 +639,83 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -19036,9 +22607,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_search_pids($1)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.33/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-21 08:22:14.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/ssh.te 2009-11-12 14:26:53.000000000 -0500
@@ -41,6 +41,9 @@
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)
@@ -19230,18 +22801,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(ssh_keygen_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.33/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2009-09-16 10:03:09.000000000 -0400
-@@ -1,4 +1,4 @@
++++ serefpolicy-3.6.33/policy/modules/services/sssd.fc 2009-11-13 10:59:21.000000000 -0500
+@@ -1,6 +1,9 @@
-/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
+ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
++
++/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
++
+ /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.33/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/sssd.if 2009-11-13 11:16:42.000000000 -0500
@@ -12,12 +12,32 @@
#
interface(`sssd_domtrans',`
@@ -19276,7 +22852,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Read sssd PID files.
-@@ -116,6 +136,27 @@
+@@ -96,6 +116,25 @@
+
+ ########################################
+ ##
++## Read sssd config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_read_config_files',`
++ gen_require(`
++ type sssd_config_t;
++ ')
++
++ sssd_search_lib($1)
++ read_files_pattern($1, sssd_config_t, sssd_config_t)
++')
++
++########################################
++##
+ ## Create, read, write, and delete
+ ## sssd lib files.
+ ##
+@@ -116,6 +155,27 @@
########################################
##
@@ -19304,10 +22906,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send and receive messages from
## sssd over dbus.
##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.33/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2009-09-16 10:03:09.000000000 -0400
-@@ -23,7 +23,7 @@
++++ serefpolicy-3.6.33/policy/modules/services/sssd.te 2009-11-13 10:59:01.000000000 -0500
+@@ -16,6 +16,9 @@
+ type sssd_var_lib_t;
+ files_type(sssd_var_lib_t)
+
++type sssd_var_log_t;
++logging_log_file(sssd_var_log_t)
++
+ type sssd_var_run_t;
+ files_pid_file(sssd_var_run_t)
+
+@@ -23,7 +26,7 @@
#
# sssd local policy
#
@@ -19316,7 +22928,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow sssd_t self:process { setsched signal getsched };
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -37,6 +37,8 @@
+@@ -33,10 +36,15 @@
+ manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+ files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+
++manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
++logging_log_filetrans(sssd_t, sssd_var_log_t, file)
++
+ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -19325,7 +22944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(sssd_t)
corecmd_exec_bin(sssd_t)
-@@ -58,6 +60,8 @@
+@@ -58,6 +66,8 @@
miscfiles_read_localization(sssd_t)
@@ -19334,9 +22953,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.32/policy/modules/services/sysstat.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.33/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sysstat.te 2009-09-29 17:13:34.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/sysstat.te 2009-11-12 14:26:53.000000000 -0500
@@ -19,14 +19,15 @@
# Local policy
#
@@ -19355,9 +22974,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.32/policy/modules/services/uucp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.6.33/policy/modules/services/tftp.fc
+--- nsaserefpolicy/policy/modules/services/tftp.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/tftp.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -5,4 +5,4 @@
+ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+ /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+
+-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
++/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.33/policy/modules/services/tuned.te
+--- nsaserefpolicy/policy/modules/services/tuned.te 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/services/tuned.te 2009-11-12 14:26:53.000000000 -0500
+@@ -16,12 +16,14 @@
+ type tuned_var_run_t;
+ files_pid_file(tuned_var_run_t)
+
++permissive tuned_t;
++
+ ########################################
+ #
+ # tuned local policy
+ #
+
+-dontaudit tuned_t self:capability dac_override;
++dontaudit tuned_t self:capability { dac_override sys_tty_config };
+
+ manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+ files_pid_filetrans(tuned_t, tuned_var_run_t, file)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.33/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/uucp.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/uucp.te 2009-11-12 14:26:53.000000000 -0500
@@ -95,6 +95,8 @@
files_search_home(uucpd_t)
files_search_spool(uucpd_t)
@@ -19386,10 +23033,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.32/policy/modules/services/virt.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.33/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.fc 2009-09-16 10:03:09.000000000 -0400
-@@ -8,5 +8,17 @@
++++ serefpolicy-3.6.33/policy/modules/services/virt.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -8,5 +8,18 @@
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
@@ -19399,6 +23046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
@@ -19407,9 +23055,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.33/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/virt.if 2009-11-12 14:26:53.000000000 -0500
@@ -136,7 +136,7 @@
')
@@ -19450,10 +23098,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
-@@ -312,6 +314,41 @@
+@@ -304,8 +306,79 @@
+ ')
- ########################################
- ##
+ tunable_policy(`virt_use_samba',`
+- fs_manage_nfs_files($1)
+ fs_manage_cifs_files($1)
++ fs_manage_cifs_files($1)
++ fs_read_cifs_symlinks($1)
++ ')
++')
++
++########################################
++##
++## Allow domain to read virt image files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`virt_read_images',`
++ gen_require(`
++ type virt_var_lib_t;
++ attribute virt_image_type;
++ ')
++
++ virt_search_lib($1)
++ allow $1 virt_image_type:dir list_dir_perms;
++ list_dirs_pattern($1, virt_image_type, virt_image_type)
++ read_files_pattern($1, virt_image_type, virt_image_type)
++ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
++ read_blk_files_pattern($1, virt_image_type, virt_image_type)
++
++ tunable_policy(`virt_use_nfs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ fs_read_nfs_symlinks($1)
++ ')
++
++ tunable_policy(`virt_use_samba',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ fs_read_cifs_symlinks($1)
++ ')
++')
++
++########################################
++##
+## Allow domain to manage virt image files
+##
+##
@@ -19472,7 +23165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ list_dirs_pattern($1, virt_content_t, virt_content_t)
+ read_files_pattern($1, virt_content_t, virt_content_t)
+ read_lnk_files_pattern($1, virt_content_t, virt_content_t)
-+ rw_blk_files_pattern($1, virt_content_t, virt_content_t)
++ read_blk_files_pattern($1, virt_content_t, virt_content_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
@@ -19483,16 +23176,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
-+ fs_read_cifs_symlinks($1)
-+ ')
-+')
-+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an virt environment
- ##
-@@ -346,3 +383,79 @@
+ fs_read_cifs_symlinks($1)
+ ')
+ ')
+@@ -346,3 +419,95 @@
virt_manage_log($1)
')
@@ -19510,6 +23197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+template(`virt_domain_template',`
+ gen_require(`
++ type virtd_t;
+ attribute virt_image_type;
+ attribute virt_domain;
+ ')
@@ -19530,6 +23218,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_type($1_image_t)
+ dev_node($1_image_t)
+
++ type $1_var_run_t;
++ files_pid_file($1_var_run_t)
++
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
@@ -19545,6 +23236,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+
++ stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
++ manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
++ manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
++ manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
++
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t, $1_var_run_t, { dir file })
++ stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
++
+ optional_policy(`
+ xserver_rw_shm($1_t)
+ xserver_common_app($1_t)
@@ -19572,9 +23275,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.33/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-09-21 08:22:24.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/virt.te 2009-11-13 08:13:08.000000000 -0500
@@ -20,6 +20,28 @@
##
gen_tunable(virt_use_samba, false)
@@ -19620,7 +23323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type virt_log_t;
logging_log_file(virt_log_t)
-@@ -48,27 +75,58 @@
+@@ -48,27 +75,55 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -19637,9 +23340,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+type svirt_cache_t;
+files_type(svirt_cache_t)
-+
-+type svirt_var_run_t;
-+files_pid_file(svirt_var_run_t)
+
########################################
#
@@ -19648,16 +23348,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
-allow virtd_t self:process { getsched sigkill signal execmem };
+-allow virtd_t self:fifo_file rw_file_perms;
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
+
- allow virtd_t self:fifo_file rw_file_perms;
++allow virtd_t self:fifo_file rw_fifo_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
- allow virtd_t self:tun_socket create;
-
-+allow virtd_t virt_domain:process { setsched transition signal signull sigkill };
+-allow virtd_t self:tun_socket create;
++allow virtd_t self:tun_socket create_socket_perms;
+
++allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -19681,7 +23383,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,7 +144,8 @@
+@@ -76,6 +131,7 @@
+
+ manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
++manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+
+ manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -86,7 +142,8 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -19691,7 +23401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -97,30 +156,55 @@
+@@ -97,30 +154,50 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -19727,17 +23437,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# Manages /etc/sysconfig/system-config-firewall
+iptables_manage_config(virtd_t)
+files_manage_etc_files(virtd_t)
-+
-+modutils_read_module_deps(virtd_t)
-+modutils_read_module_config(virtd_t)
fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
-+modutils_manage_module_config(virtd_t)
-+
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
storage_raw_write_removable_device(virtd_t)
@@ -19750,8 +23455,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -130,7 +214,14 @@
+@@ -128,9 +205,22 @@
+ miscfiles_read_localization(virtd_t)
+ miscfiles_read_certs(virtd_t)
++modutils_read_module_deps(virtd_t)
++modutils_read_module_config(virtd_t)
++modutils_manage_module_config(virtd_t)
++
logging_send_syslog_msg(virtd_t)
+sysnet_domtrans_ifconfig(virtd_t)
@@ -19762,10 +23473,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
++userdom_relabel_user_home_files(virtd_t)
++userdom_setattr_user_home_content_files(virtd_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -168,22 +259,36 @@
+@@ -168,22 +258,36 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -19776,10 +23489,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
-+ kerberos_keytab_template(virtd, virtd_t)
')
-#optional_policy(`
@@ -19787,6 +23496,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-# polkit_domtrans_resolve(virtd_t)
-#')
+optional_policy(`
++ kerberos_keytab_template(virtd, virtd_t)
++')
+
+ optional_policy(`
+- qemu_domtrans(virtd_t)
+ lvm_domtrans(virtd_t)
+')
+
@@ -19796,9 +23510,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+')
-
- optional_policy(`
-- qemu_domtrans(virtd_t)
++
++optional_policy(`
+ qemu_spec_domtrans(virtd_t, svirt_t)
qemu_read_state(virtd_t)
qemu_signal(virtd_t)
@@ -19807,7 +23520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -196,8 +301,160 @@
+@@ -196,8 +300,150 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -19822,9 +23535,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domain(virtd_t)
')
+
-+manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-+manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-+
+########################################
+#
+# svirt local policy
@@ -19833,13 +23543,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
+
-+manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
-+manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
-+manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
-+manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
-+files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
-+stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t)
-+
+read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+
+allow svirt_t svirt_image_t:dir search_dir_perms;
@@ -19854,14 +23557,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_search_user_home_content(svirt_t)
+userdom_read_all_users_state(svirt_t)
+
-+append_files_pattern(svirt_t, virt_log_t, virt_log_t)
-+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
-+
+allow svirt_t self:udp_socket create_socket_perms;
+
-+corecmd_exec_bin(svirt_t)
-+corecmd_exec_shell(svirt_t)
-+
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
@@ -19873,6 +23570,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dev_rw_printer(svirt_t)
+')
+
++dev_read_sysfs(svirt_t)
++
+tunable_policy(`virt_manage_sysfs',`
+ dev_rw_sysfs(svirt_t)
+')
@@ -19915,10 +23614,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+
-+stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+kernel_read_system_state(virt_domain)
+
++corecmd_exec_bin(virt_domain)
++corecmd_exec_shell(virt_domain)
++
+corenet_all_recvfrom_unlabeled(virt_domain)
+corenet_all_recvfrom_netlabel(virt_domain)
+corenet_tcp_sendrecv_generic_if(virt_domain)
@@ -19968,9 +23671,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.32/policy/modules/services/w3c.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.33/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/w3c.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/w3c.te 2009-11-12 14:26:53.000000000 -0500
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
@@ -19990,16 +23693,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.33/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-25 10:58:35.000000000 -0400
-@@ -3,12 +3,17 @@
++++ serefpolicy-3.6.33/policy/modules/services/xserver.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -3,12 +3,19 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
++HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
++HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
@@ -20011,7 +23716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /dev
#
-@@ -32,11 +37,6 @@
+@@ -32,11 +39,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -20023,7 +23728,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /opt
#
-@@ -61,7 +61,9 @@
+@@ -47,10 +49,10 @@
+ # /tmp
+ #
+
+-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.ICE-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0)
+ /tmp/\.ICE-unix/.* -s <>
+ /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
+-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.X11-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0)
+ /tmp/\.X11-unix/.* -s <>
+
+ #
+@@ -61,7 +63,9 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -20033,7 +23751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
-@@ -89,16 +91,28 @@
+@@ -89,16 +93,31 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -20044,15 +23762,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
++/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-
-+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+
++/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+
+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -20065,10 +23786,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.33/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-09-16 10:03:09.000000000 -0400
-@@ -211,6 +211,7 @@
++++ serefpolicy-3.6.33/policy/modules/services/xserver.if 2009-11-12 14:26:53.000000000 -0500
+@@ -74,6 +74,12 @@
+
+ domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+
++ifdef(`hide_broken_symptoms', `
++ dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms;
++ dontaudit iceauth_t $2:tcp_socket rw_socket_perms;
++ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
++')
++
+ allow $2 iceauth_home_t:file read_file_perms;
+
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
+@@ -89,8 +95,8 @@
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+ allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_tmp_t:dir search;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xserver_tmp_t:dir search;
++ allow $2 xserver_tmp_t:sock_file { read write };
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Client read xserver shm
+@@ -211,6 +217,7 @@
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -20076,7 +23821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -245,7 +246,7 @@
+@@ -245,7 +252,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -20085,7 +23830,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -308,12 +309,12 @@
+@@ -299,7 +306,7 @@
+ interface(`xserver_user_client',`
+ refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xserver_tmp_t;
+ type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ ')
+
+@@ -308,14 +315,14 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -20097,11 +23851,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file { getattr read write ioctl };
+- allow $1 xdm_tmp_t:dir search;
+- allow $1 xdm_tmp_t:sock_file { read write };
+ allow $1 xdm_t:fifo_file rw_fifo_file_perms;
- allow $1 xdm_tmp_t:dir search;
- allow $1 xdm_tmp_t:sock_file { read write };
++ allow $1 xserver_tmp_t:dir search;
++ allow $1 xserver_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -367,7 +368,6 @@
+
+ # Allow connections to X server.
+@@ -367,7 +374,6 @@
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t;
@@ -20109,7 +23867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
attribute xproperty_type;
attribute xevent_type;
attribute input_xevent_type;
-@@ -376,6 +376,8 @@
+@@ -376,6 +382,8 @@
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -20118,7 +23876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -383,20 +385,11 @@
+@@ -383,20 +391,11 @@
# Local Policy
#
@@ -20139,7 +23897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
-@@ -409,8 +402,10 @@
+@@ -409,8 +408,10 @@
type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
type_transition $2 xevent_t:x_event $1_default_xevent_t;
@@ -20151,9 +23909,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -486,11 +481,12 @@
+@@ -484,13 +485,14 @@
+ #
+ template(`xserver_user_x_domain_template',`
gen_require(`
- type xdm_t, xdm_tmp_t;
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xserver_tmp_t;
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ class x_screen all_x_screen_perms;
')
@@ -20167,16 +23928,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Read .Xauthority file
allow $2 xauth_home_t:file read_file_perms;
-@@ -498,7 +494,7 @@
+@@ -498,9 +500,9 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_tmp_t:dir search_dir_perms;
+- allow $2 xdm_tmp_t:sock_file { read write };
+ allow $2 xdm_t:fifo_file rw_fifo_file_perms;
- allow $2 xdm_tmp_t:dir search_dir_perms;
- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xserver_tmp_t:dir search_dir_perms;
++ allow $2 xserver_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
-@@ -526,6 +522,10 @@
+
+ # Allow connections to X server.
+@@ -526,6 +528,10 @@
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
@@ -20187,7 +23952,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -728,7 +728,7 @@
+@@ -585,6 +591,12 @@
+ ')
+
+ domtrans_pattern($1, xauth_exec_t, xauth_t)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;
++ dontaudit xauth_t $1:tcp_socket rw_socket_perms;
++ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
++')
+ ')
+
+ ########################################
+@@ -728,7 +740,7 @@
type xdm_t;
')
@@ -20196,15 +23974,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -827,6 +827,7 @@
+@@ -764,11 +776,11 @@
+ #
+ interface(`xserver_stream_connect_xdm',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xserver_tmp_t;
+ ')
+
files_search_tmp($1)
- allow $1 xdm_tmp_t:dir list_dir_perms;
- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
-+ allow $1 xdm_tmp_t:sock_file unlink;
+- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xdm_t)
')
########################################
-@@ -845,7 +846,44 @@
+@@ -802,10 +814,10 @@
+ #
+ interface(`xserver_setattr_xdm_tmp_dirs',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- allow $1 xdm_tmp_t:dir setattr;
++ allow $1 xserver_tmp_t:dir setattr;
+ ')
+
+ ########################################
+@@ -821,12 +833,13 @@
+ #
+ interface(`xserver_create_xdm_tmp_sockets',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+ files_search_tmp($1)
+- allow $1 xdm_tmp_t:dir list_dir_perms;
+- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ allow $1 xserver_tmp_t:dir list_dir_perms;
++ create_sock_files_pattern($1, xserver_tmp_t, xserver_tmp_t)
++ allow $1 xserver_tmp_t:sock_file unlink;
+ ')
+
+ ########################################
+@@ -845,7 +858,44 @@
')
files_search_pids($1)
@@ -20250,7 +24064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -868,6 +906,50 @@
+@@ -868,6 +918,75 @@
########################################
##
@@ -20297,11 +24111,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+########################################
++##
++## Execute xsever in the xserver domain, and
++## allow the specified role the xserver domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++##
++##
++## The role to be allowed the xserver domain.
++##
++##
++#
++interface(`xserver_run_xauth',`
++ gen_require(`
++ type xauth_t;
++ ')
++
++ xserver_domtrans_xauth($1)
++ role $2 types xauth_t;
++')
++
++########################################
+##
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -886,6 +968,24 @@
+@@ -886,6 +1005,24 @@
########################################
##
@@ -20326,7 +24165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -961,6 +1061,27 @@
+@@ -961,6 +1098,27 @@
########################################
##
@@ -20354,7 +24193,77 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write the X server
## log files.
##
-@@ -1107,10 +1228,11 @@
+@@ -1014,11 +1172,11 @@
+ #
+ interface(`xserver_read_xdm_tmp_files',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+ files_search_tmp($1)
+- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ read_files_pattern($1, xserver_tmp_t, xserver_tmp_t)
+ ')
+
+ ########################################
+@@ -1033,11 +1191,11 @@
+ #
+ interface(`xserver_dontaudit_read_xdm_tmp_files',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+- dontaudit $1 xdm_tmp_t:file read_file_perms;
++ dontaudit $1 xserver_tmp_t:dir search_dir_perms;
++ dontaudit $1 xserver_tmp_t:file read_file_perms;
+ ')
+
+ ########################################
+@@ -1052,11 +1210,11 @@
+ #
+ interface(`xserver_rw_xdm_tmp_files',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- allow $1 xdm_tmp_t:dir search_dir_perms;
+- allow $1 xdm_tmp_t:file rw_file_perms;
++ allow $1 xserver_tmp_t:dir search_dir_perms;
++ allow $1 xserver_tmp_t:file rw_file_perms;
+ ')
+
+ ########################################
+@@ -1071,10 +1229,10 @@
+ #
+ interface(`xserver_manage_xdm_tmp_files',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ manage_files_pattern($1, xserver_tmp_t, xserver_tmp_t)
+ ')
+
+ ########################################
+@@ -1089,10 +1247,10 @@
+ #
+ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ gen_require(`
+- type xdm_tmp_t;
++ type xserver_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ dontaudit $1 xserver_tmp_t:sock_file getattr;
+ ')
+
+ ########################################
+@@ -1107,10 +1265,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -20367,7 +24276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1248,6 +1370,278 @@
+@@ -1248,6 +1407,278 @@
########################################
##
@@ -20521,7 +24430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+interface(`xserver_use_xdm',`
+ gen_require(`
-+ type xdm_t, xdm_tmp_t;
++ type xdm_t, xserver_tmp_t;
+ type xdm_xproperty_t;
+ type xdm_home_t;
+ class x_client all_x_client_perms;
@@ -20646,7 +24555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1261,7 +1655,103 @@
+@@ -1261,7 +1692,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -20655,7 +24564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typeattribute $1 xserver_unconfined_type;
+ typeattribute $1 x_domain;
-+')
+ ')
+
+########################################
+##
@@ -20683,7 +24592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $2 $1:x_drawable all_x_drawable_perms;
+ allow $1 $2:x_resource all_x_resource_perms;
+ allow $2 $1:x_resource all_x_resource_perms;
- ')
++')
+
+#######################################
+##
@@ -20750,9 +24659,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow xdm_t $1:dbus send_msg;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.33/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-09-30 13:28:34.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/services/xserver.te 2009-11-12 14:26:53.000000000 -0500
@@ -34,6 +34,13 @@
##
@@ -20848,20 +24757,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -174,6 +185,12 @@
+@@ -174,13 +185,21 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
+-type xdm_tmp_t;
+-files_tmp_file(xdm_tmp_t)
+-typealias xdm_tmp_t alias ice_tmp_t;
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
-+
- type xdm_tmp_t;
- files_tmp_file(xdm_tmp_t)
- typealias xdm_tmp_t alias ice_tmp_t;
-@@ -181,6 +198,12 @@
+
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
@@ -20874,7 +24782,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -202,8 +225,8 @@
+@@ -196,14 +215,14 @@
+ ubac_constrained(xserver_t)
+
+ type xserver_tmp_t;
+-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
++typealias xserver_tmp_t alias { xdm_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+ typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+ files_tmp_file(xserver_tmp_t)
ubac_constrained(xserver_tmp_t)
type xserver_tmpfs_t;
@@ -20885,7 +24800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -250,19 +273,21 @@
+@@ -250,23 +269,28 @@
# Xauth local policy
#
@@ -20893,6 +24808,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xauth_t self:process signal;
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
++allow xauth_t xdm_t:process sigchld;
++
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
@@ -20910,7 +24827,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(xauth_t)
files_read_etc_files(xauth_t)
-@@ -300,20 +325,31 @@
+ files_search_pids(xauth_t)
++files_dontaudit_getattr_all_dirs(xauth_t)
+
+ fs_getattr_xattr_fs(xauth_t)
+ fs_search_auto_mountpoints(xauth_t)
+@@ -279,6 +303,11 @@
+ userdom_use_user_terminals(xauth_t)
+ userdom_read_user_tmp_files(xauth_t)
+
++ifdef(`hide_broken_symptoms', `
++ userdom_manage_user_home_content_files(xauth_t)
++ userdom_manage_user_tmp_files(xauth_t)
++')
++
+ xserver_rw_xdm_tmp_files(xauth_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -289,6 +318,11 @@
+ fs_manage_cifs_files(xauth_t)
+ ')
+
++ifdef(`hide_broken_symptoms', `
++ term_dontaudit_use_unallocated_ttys(xauth_t)
++ dev_dontaudit_rw_dri(xauth_t)
++')
++
+ optional_policy(`
+ ssh_sigchld(xauth_t)
+ ssh_read_pipes(xauth_t)
+@@ -300,20 +334,31 @@
# XDM Local policy
#
@@ -20932,7 +24878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
-+allow xdm_t xauth_home_t:file rw_file_perms;
++allow xdm_t xauth_home_t:file manage_file_perms;
+
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -20945,12 +24891,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -329,22 +365,39 @@
- manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+@@ -325,26 +370,43 @@
+ # this is ugly, daemons should not create files under /etc!
+ manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
+
+-manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
++manage_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
++manage_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
++manage_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
++files_tmp_filetrans(xdm_t, xserver_tmp_t, { file dir sock_file })
++relabelfrom_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
++relabelfrom_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
@@ -20988,7 +24942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +411,7 @@
+@@ -358,6 +420,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
@@ -20996,7 +24950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,10 +420,14 @@
+@@ -366,10 +429,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -21012,7 +24966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
-@@ -389,11 +447,13 @@
+@@ -389,11 +456,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -21026,7 +24980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +461,7 @@
+@@ -401,6 +470,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -21034,7 +24988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -413,14 +474,17 @@
+@@ -413,14 +483,17 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -21054,7 +25008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +495,13 @@
+@@ -431,9 +504,13 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -21068,7 +25022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +510,7 @@
+@@ -442,6 +519,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -21076,7 +25030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +519,7 @@
+@@ -450,6 +528,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -21084,11 +25038,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -460,10 +530,11 @@
+@@ -460,10 +539,12 @@
logging_read_generic_logs(xdm_t)
+miscfiles_dontaudit_write_fonts(xdm_t)
++miscfiles_search_man_pages(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-
@@ -21098,17 +25053,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +543,9 @@
+@@ -472,6 +553,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
++userdom_stream_connect(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
+userdom_manage_user_tmp_sockets(xdm_t)
+userdom_manage_tmpfs_role(system_r, xdm_t)
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,10 +578,12 @@
+@@ -504,10 +589,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -21121,7 +25077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -515,12 +591,46 @@
+@@ -515,12 +602,47 @@
')
optional_policy(`
@@ -21129,6 +25085,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dbus_role_template(xdm, system_r, xdm_t)
+
+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
++ xserver_xdm_append_log(xdm_dbusd_t)
+
+ corecmd_bin_entry_type(xdm_t)
+
@@ -21168,7 +25125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t)
')
-@@ -542,6 +652,38 @@
+@@ -542,6 +664,38 @@
')
optional_policy(`
@@ -21207,7 +25164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +692,9 @@
+@@ -550,8 +704,9 @@
')
optional_policy(`
@@ -21219,7 +25176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +703,6 @@
+@@ -560,7 +715,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -21227,7 +25184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +713,10 @@
+@@ -571,6 +725,10 @@
')
optional_policy(`
@@ -21238,7 +25195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
-@@ -587,10 +733,9 @@
+@@ -587,10 +745,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -21250,7 +25207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +747,12 @@
+@@ -602,9 +759,12 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -21263,7 +25220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +764,14 @@
+@@ -616,13 +776,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -21279,7 +25236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +784,19 @@
+@@ -635,9 +796,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -21299,7 +25256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +830,6 @@
+@@ -671,7 +842,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -21307,7 +25264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -681,9 +839,12 @@
+@@ -681,9 +851,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -21321,7 +25278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +859,12 @@
+@@ -698,8 +871,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -21334,7 +25291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -721,6 +886,7 @@
+@@ -721,6 +898,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -21342,7 +25299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t)
-@@ -743,7 +909,7 @@
+@@ -743,7 +921,7 @@
')
ifdef(`enable_mls',`
@@ -21351,7 +25308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -775,12 +941,20 @@
+@@ -775,12 +953,20 @@
')
optional_policy(`
@@ -21373,7 +25330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(xserver_t)
')
-@@ -807,7 +981,7 @@
+@@ -807,12 +993,12 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -21381,8 +25338,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
# Label pid and temporary files with derived types.
- manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,9 +1002,14 @@
+-manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
++manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
++manage_lnk_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
++manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+
+ # Run xkbcomp.
+ allow xserver_t xkb_var_lib_t:lnk_file read;
+@@ -828,9 +1014,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -21397,7 +25362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1024,14 @@
+@@ -845,11 +1036,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -21413,7 +25378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -882,6 +1064,8 @@
+@@ -882,6 +1076,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -21422,7 +25387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -906,6 +1090,8 @@
+@@ -906,6 +1102,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -21431,7 +25396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1159,49 @@
+@@ -973,17 +1171,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -21493,9 +25458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#
-allow xdm_t user_home_type:file unlink;
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.32/policy/modules/system/application.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.33/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/application.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/application.if 2009-11-12 14:26:53.000000000 -0500
@@ -2,7 +2,7 @@
########################################
@@ -21527,9 +25492,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 application_domain_type:process signull;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.33/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/application.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/application.te 2009-11-12 14:26:53.000000000 -0500
@@ -7,7 +7,18 @@
# Executables to be run by user
attribute application_exec_type;
@@ -21549,9 +25514,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ sudo_sigchld(application_domain_type)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.32/policy/modules/system/authlogin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.33/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/authlogin.fc 2009-11-12 14:26:53.000000000 -0500
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -21577,9 +25542,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.33/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-09-21 08:40:36.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/authlogin.if 2009-11-13 11:28:07.000000000 -0500
@@ -40,17 +40,76 @@
##
##
@@ -21666,7 +25631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
-@@ -86,27 +143,44 @@
+@@ -86,27 +143,45 @@
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -21687,6 +25652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- logging_send_audit_msgs($1)
- logging_send_syslog_msg($1)
logging_set_loginuid($1)
++ logging_set_tty_audit($1)
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -21724,7 +25690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -258,6 +332,7 @@
+@@ -258,6 +333,7 @@
type auth_cache_t;
')
@@ -21732,7 +25698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern($1, auth_cache_t, auth_cache_t)
')
-@@ -305,19 +380,16 @@
+@@ -305,19 +381,16 @@
dev_read_rand($1)
dev_read_urand($1)
@@ -21757,7 +25723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -328,6 +400,29 @@
+@@ -328,6 +401,29 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -21787,7 +25753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -352,6 +447,7 @@
+@@ -352,6 +448,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -21795,7 +25761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1129,6 +1225,32 @@
+@@ -1129,6 +1226,32 @@
########################################
##
@@ -21828,7 +25794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
-@@ -1254,6 +1376,25 @@
+@@ -1254,6 +1377,25 @@
########################################
##
@@ -21854,7 +25820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write to
## login records files.
##
-@@ -1395,6 +1536,14 @@
+@@ -1395,16 +1537,33 @@
')
optional_policy(`
@@ -21869,28 +25835,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
nis_use_ypbind($1)
')
-@@ -1403,8 +1552,17 @@
- ')
-
optional_policy(`
+- nscd_socket_use($1)
++ nscd_use($1)
++ ')
++
++ optional_policy(`
+ nslcd_stream_connect($1)
+ ')
+
+ optional_policy(`
+ sssd_stream_connect($1)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
+ samba_dontaudit_write_var_files($1)
')
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.32/policy/modules/system/authlogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.33/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-09-16 10:03:09.000000000 -0400
-@@ -125,9 +125,18 @@
++++ serefpolicy-3.6.33/policy/modules/system/authlogin.te 2009-11-12 14:26:53.000000000 -0500
+@@ -103,6 +103,7 @@
+
+ fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+
++term_dontaudit_use_console(chkpwd_t)
+ term_dontaudit_use_unallocated_ttys(chkpwd_t)
+ term_dontaudit_use_generic_ptys(chkpwd_t)
+
+@@ -125,9 +126,18 @@
')
optional_policy(`
@@ -21909,15 +25885,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# PAM local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.33/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/fstools.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -21,7 +20,6 @@
+@@ -6,6 +5,7 @@
+ /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -21,7 +21,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -21925,9 +25909,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.32/policy/modules/system/fstools.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.33/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/fstools.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/fstools.te 2009-11-13 07:59:52.000000000 -0500
@@ -118,6 +118,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
@@ -21957,9 +25941,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.32/policy/modules/system/init.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.33/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/init.fc 2009-09-18 09:48:19.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/init.fc 2009-11-12 14:26:53.000000000 -0500
@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -21983,18 +25967,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /var
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
---- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-09-16 10:03:09.000000000 -0400
-@@ -174,6 +174,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.33/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/system/init.if 2009-11-12 14:26:53.000000000 -0500
+@@ -162,6 +162,7 @@
+ gen_require(`
+ attribute direct_run_init, direct_init, direct_init_entry;
+ type initrc_t;
++ type init_t;
+ role system_r;
+ attribute daemon;
+ ')
+@@ -174,6 +175,11 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
+ allow initrc_t $1:process siginh;
++
++ # Handle upstart direct transition to a executable
++ domtrans_pattern(init_t,$2,$1)
++ allow init_t $1:process siginh;
# daemons started from init will
# inherit fds from init for the console
-@@ -272,6 +273,7 @@
+@@ -272,6 +278,7 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@@ -22002,7 +25998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -280,6 +282,36 @@
+@@ -280,6 +287,36 @@
kernel_dontaudit_use_fds($1)
')
')
@@ -22039,7 +26035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -546,7 +578,7 @@
+@@ -546,7 +583,7 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
@@ -22048,7 +26044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -619,18 +651,19 @@
+@@ -619,18 +656,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -22072,7 +26068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -646,23 +679,43 @@
+@@ -646,19 +684,39 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -22093,11 +26089,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ##
++ ')
++')
++
++########################################
++##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -22110,17 +26106,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
-+ ')
+ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+##
- ## Execute a init script in a specified domain.
- ##
- ##
-@@ -904,6 +957,24 @@
+ ')
+
+ ########################################
+@@ -923,6 +981,24 @@
allow $1 init_script_file_type:file read_file_perms;
')
@@ -22145,7 +26137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Execute all init scripts in the caller domain.
-@@ -1123,7 +1194,7 @@
+@@ -1142,7 +1218,7 @@
type initrc_t;
')
@@ -22154,7 +26146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1291,6 +1362,25 @@
+@@ -1310,6 +1386,25 @@
########################################
##
@@ -22180,7 +26172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create files in a init script
## temporary data directory.
##
-@@ -1521,3 +1611,51 @@
+@@ -1540,3 +1635,51 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -22232,9 +26224,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2009-09-16 10:03:09.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.33/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/system/init.te 2009-11-12 14:26:53.000000000 -0500
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -22359,7 +26351,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
init_write_initctl(initrc_t)
-@@ -249,10 +287,15 @@
+@@ -246,13 +284,19 @@
+ kernel_clear_ring_buffer(initrc_t)
+ kernel_get_sysvipc_info(initrc_t)
+ kernel_read_all_sysctls(initrc_t)
++kernel_request_load_module(initrc_t)
kernel_rw_all_sysctls(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
@@ -22377,7 +26373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -272,16 +315,63 @@
+@@ -272,16 +316,63 @@
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -22442,7 +26438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -291,7 +381,7 @@
+@@ -291,7 +382,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -22451,7 +26447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -306,14 +396,15 @@
+@@ -306,14 +397,15 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -22469,7 +26465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -324,48 +415,16 @@
+@@ -324,48 +416,16 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -22522,7 +26518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -374,19 +433,22 @@
+@@ -374,19 +434,22 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -22546,7 +26542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -422,8 +484,6 @@
+@@ -422,16 +485,12 @@
# init scripts touch this
clock_dontaudit_write_adjtime(initrc_t)
@@ -22555,7 +26551,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for integrated run_init to read run_init_type.
# happens during boot (/sbin/rc execs init scripts)
seutil_read_default_contexts(initrc_t)
-@@ -450,11 +510,9 @@
+
+ # /lib/rcscripts/net/system.sh rewrites resolv.conf :(
+- sysnet_create_config(initrc_t)
+- sysnet_write_config(initrc_t)
+- sysnet_setattr_config(initrc_t)
++ sysnet_manage_config(initrc_t)
+
+ optional_policy(`
+ arpwatch_manage_data_files(initrc_t)
+@@ -450,11 +509,9 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -22568,7 +26573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
-@@ -464,6 +522,7 @@
+@@ -464,6 +521,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -22576,7 +26581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -492,11 +551,17 @@
+@@ -492,11 +550,17 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -22594,7 +26599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -515,6 +580,33 @@
+@@ -515,6 +579,33 @@
')
')
@@ -22628,7 +26633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -567,10 +659,19 @@
+@@ -567,10 +658,19 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -22648,7 +26653,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -590,6 +691,10 @@
+@@ -590,6 +690,10 @@
')
optional_policy(`
@@ -22659,7 +26664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +751,20 @@
+@@ -646,20 +750,20 @@
')
optional_policy(`
@@ -22686,7 +26691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ifdef(`distro_redhat',`
-@@ -668,6 +773,7 @@
+@@ -668,6 +772,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
@@ -22694,7 +26699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -696,7 +802,6 @@
+@@ -700,7 +805,6 @@
')
optional_policy(`
@@ -22702,7 +26707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -718,8 +823,6 @@
+@@ -722,8 +826,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -22711,7 +26716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -732,13 +835,16 @@
+@@ -736,13 +838,16 @@
squid_manage_logs(initrc_t)
')
@@ -22728,7 +26733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -747,6 +853,7 @@
+@@ -751,6 +856,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -22736,7 +26741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -754,6 +861,15 @@
+@@ -758,6 +864,15 @@
')
optional_policy(`
@@ -22752,13 +26757,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domain(initrc_t)
ifdef(`distro_redhat',`
-@@ -764,6 +880,13 @@
+@@ -768,6 +883,21 @@
optional_policy(`
mono_domtrans(initrc_t)
')
+
+ # Allow SELinux aware applications to request rpm_script_t execution
+ rpm_transition_script(initrc_t)
++
++
++ optional_policy(`
++ gen_require(`
++ type unconfined_execmem_t, execmem_exec_t;
++ ')
++ init_system_domain(unconfined_execmem_t, execmem_exec_t)
++ ')
+')
+
+optional_policy(`
@@ -22766,7 +26779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -789,3 +912,31 @@
+@@ -793,3 +923,31 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -22798,9 +26811,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.32/policy/modules/system/ipsec.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.33/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/ipsec.fc 2009-11-13 08:03:05.000000000 -0500
@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
@@ -22808,9 +26821,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.32/policy/modules/system/ipsec.if
+@@ -34,6 +37,8 @@
+
+ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
++/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
++
+ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
+-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.33/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/ipsec.if 2009-11-12 14:26:53.000000000 -0500
@@ -229,3 +229,28 @@
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
@@ -22840,9 +26863,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ipsec_domtrans_racoon($1)
+ role $2 types racoon_t;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.33/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/ipsec.te 2009-11-13 08:03:41.000000000 -0500
@@ -6,6 +6,13 @@
# Declarations
#
@@ -22867,7 +26890,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
-@@ -43,6 +53,9 @@
+@@ -22,6 +32,9 @@
+ # Default type for IPSEC SPD entries
+ type ipsec_spd_t;
+
++type ipsec_log_t;
++logging_log_file(ipsec_log_t)
++
+ # type for runtime files, including pluto.ctl
+ type ipsec_var_run_t;
+ files_pid_file(ipsec_var_run_t)
+@@ -43,6 +56,9 @@
init_daemon_domain(racoon_t, racoon_exec_t)
role system_r types racoon_t;
@@ -22877,7 +26910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type setkey_t;
type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
-@@ -53,21 +66,23 @@
+@@ -53,21 +69,23 @@
# ipsec Local policy
#
@@ -22885,7 +26918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process { signal setsched };
-+allow ipsec_t self:process { getsched signal setsched };
++allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
@@ -22904,7 +26937,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -82,7 +97,7 @@
+@@ -82,16 +100,17 @@
# so try flipping back into the ipsec_mgmt_t domain
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
@@ -22912,8 +26945,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:process sigchld;
- kernel_read_kernel_sysctls(ipsec_t)
-@@ -120,7 +135,9 @@
+-kernel_read_kernel_sysctls(ipsec_t)
+ kernel_list_proc(ipsec_t)
++kernel_read_kernel_sysctls(ipsec_t)
+ kernel_read_proc_symlinks(ipsec_t)
+ # allow pluto to access /proc/net/ipsec_eroute;
+ kernel_read_system_state(ipsec_t)
+ kernel_read_network_state(ipsec_t)
+ kernel_read_software_raid_state(ipsec_t)
++kernel_request_load_module(ipsec_t)
+ kernel_getattr_core_if(ipsec_t)
+ kernel_getattr_message_if(ipsec_t)
+
+@@ -120,7 +139,9 @@
domain_use_interactive_fds(ipsec_t)
@@ -22923,7 +26967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
-@@ -154,12 +171,12 @@
+@@ -154,16 +175,19 @@
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -22938,7 +26982,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -241,6 +258,7 @@
+
++manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
++logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
++
+ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+ files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
+
+@@ -241,6 +265,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -22946,7 +26997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(ipsec_mgmt_t)
-@@ -280,6 +298,13 @@
+@@ -280,6 +305,13 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;
@@ -22960,7 +27011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# manage pid file
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -297,6 +322,13 @@
+@@ -297,6 +329,13 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -22974,7 +27025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
-@@ -314,6 +346,8 @@
+@@ -314,6 +353,8 @@
files_read_etc_files(racoon_t)
@@ -22983,7 +27034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)
-@@ -328,6 +362,14 @@
+@@ -328,6 +369,14 @@
miscfiles_read_localization(racoon_t)
@@ -22998,7 +27049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Setkey local policy
-@@ -347,6 +389,7 @@
+@@ -347,6 +396,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -23006,9 +27057,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.32/policy/modules/system/iptables.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.33/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/iptables.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/iptables.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,7 +1,16 @@
-/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
@@ -23030,9 +27081,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.33/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2009-09-16 12:21:50.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/iptables.if 2009-11-12 14:26:53.000000000 -0500
@@ -19,6 +19,24 @@
domtrans_pattern($1, iptables_exec_t, iptables_t)
')
@@ -23141,9 +27192,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.33/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-09-21 08:19:48.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/iptables.te 2009-11-12 14:26:53.000000000 -0500
@@ -11,6 +11,12 @@
init_system_domain(iptables_t, iptables_exec_t)
role system_r types iptables_t;
@@ -23194,9 +27245,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rhgb_dontaudit_use_ptys(iptables_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.32/policy/modules/system/iscsi.if
+@@ -108,5 +123,10 @@
+ ')
+
+ optional_policy(`
++ shorewall_rw_var_lib(iptables_t)
++')
++
++optional_policy(`
+ udev_read_db(iptables_t)
+ ')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.33/policy/modules/system/iscsi.if
--- nsaserefpolicy/policy/modules/system/iscsi.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/iscsi.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/iscsi.if 2009-11-12 14:26:53.000000000 -0500
@@ -17,3 +17,43 @@
domtrans_pattern($1, iscsid_exec_t, iscsid_t)
@@ -23241,9 +27303,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.33/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/iscsi.te 2009-11-12 14:26:53.000000000 -0500
@@ -55,6 +55,7 @@
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
@@ -23267,9 +27329,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-sysnet_dns_name_resolve(iscsid_t)
+miscfiles_read_localization(iscsid_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.33/policy/modules/system/kdump.te
+--- nsaserefpolicy/policy/modules/system/kdump.te 2009-09-09 09:23:16.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/kdump.te 2009-11-12 14:26:53.000000000 -0500
+@@ -21,7 +21,7 @@
+ # kdump local policy
+ #
+
+-allow kdump_t self:capability { sys_boot dac_override };
++allow kdump_t self:capability { sys_boot sys_rawio dac_override };
+
+ read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+
+@@ -29,8 +29,11 @@
+ files_read_kernel_img(kdump_t)
+
+ kernel_read_system_state(kdump_t)
++kernel_read_core_if(kdump_t)
+
+ dev_read_framebuffer(kdump_t)
+ dev_read_sysfs(kdump_t)
+
+ term_use_console(kdump_t)
++
++permissive kdump_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.33/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/libraries.fc 2009-11-12 14:26:53.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -23319,7 +27405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -115,27 +120,30 @@
+@@ -115,27 +120,37 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23330,8 +27416,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libADM5avcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23347,6 +27438,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23358,7 +27451,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -143,11 +151,8 @@
+@@ -143,11 +158,8 @@
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23370,7 +27463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -168,12 +173,12 @@
+@@ -168,12 +180,12 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
@@ -23385,7 +27478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -185,15 +190,10 @@
+@@ -185,15 +197,10 @@
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23402,7 +27495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -228,31 +228,17 @@
+@@ -228,31 +235,17 @@
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23438,7 +27531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -268,8 +254,8 @@
+@@ -268,8 +261,8 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23449,7 +27542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -295,6 +281,8 @@
+@@ -295,6 +288,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23458,7 +27551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') dnl end distro_redhat
#
-@@ -307,10 +295,96 @@
+@@ -307,10 +302,102 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@@ -23469,12 +27562,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
-+/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23487,6 +27581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
+
@@ -23517,6 +27612,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ifdef(`fixed',`
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23525,8 +27627,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23534,9 +27634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23555,10 +27653,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.33/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-09-16 10:03:09.000000000 -0400
-@@ -247,7 +247,7 @@
++++ serefpolicy-3.6.33/policy/modules/system/libraries.if 2009-11-12 14:26:53.000000000 -0500
+@@ -17,6 +17,7 @@
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
++ allow $1 ldconfig_t:process noatsecure;
+ ')
+
+ ########################################
+@@ -247,7 +248,7 @@
type lib_t;
')
@@ -23567,7 +27674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
list_dirs_pattern($1, lib_t, lib_t)
read_files_pattern($1, lib_t, lib_t)
read_lnk_files_pattern($1, lib_t, lib_t)
-@@ -401,7 +401,7 @@
+@@ -401,7 +402,7 @@
type lib_t, textrel_shlib_t;
')
@@ -23576,9 +27683,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.32/policy/modules/system/libraries.te
---- nsaserefpolicy/policy/modules/system/libraries.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.te 2009-09-16 11:55:28.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.33/policy/modules/system/libraries.te
+--- nsaserefpolicy/policy/modules/system/libraries.te 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/modules/system/libraries.te 2009-11-12 14:26:53.000000000 -0500
@@ -58,11 +58,11 @@
# ldconfig local policy
#
@@ -23593,7 +27700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -76,16 +76,21 @@
+@@ -76,21 +76,27 @@
fs_getattr_xattr_fs(ldconfig_t)
@@ -23615,7 +27722,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(ldconfig_t)
-@@ -100,6 +105,10 @@
+ logging_send_syslog_msg(ldconfig_t)
+
++term_use_console(ldconfig_t)
+ userdom_use_user_terminals(ldconfig_t)
+ userdom_use_all_users_fds(ldconfig_t)
+
+@@ -100,6 +106,10 @@
')
')
@@ -23626,7 +27739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms',`
optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
-@@ -123,3 +132,7 @@
+@@ -127,3 +137,7 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
@@ -23634,9 +27747,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ unconfined_domain(ldconfig_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.33/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/locallogin.te 2009-11-12 14:26:53.000000000 -0500
+@@ -33,7 +33,7 @@
+ # Local login local policy
+ #
+
+-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
++allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+ allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow local_login_t self:process { setrlimit setexec };
+ allow local_login_t self:fd use;
@@ -74,6 +74,7 @@
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
@@ -23716,9 +27838,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- nscd_socket_use(sulogin_t)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.33/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2009-09-29 07:51:07.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/logging.fc 2009-11-12 14:26:53.000000000 -0500
@@ -51,17 +51,21 @@
ifdef(`distro_redhat',`
@@ -23745,10 +27867,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.33/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/logging.if 2009-09-21 08:38:49.000000000 -0400
-@@ -624,7 +624,7 @@
++++ serefpolicy-3.6.33/policy/modules/system/logging.if 2009-11-12 14:26:53.000000000 -0500
+@@ -69,6 +69,20 @@
+
+ ########################################
+ ##
++## Set tty auditing
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_set_tty_audit',`
++ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
++')
++
++########################################
++##
+ ## Set up audit
+ ##
+ ##
+@@ -624,7 +638,7 @@
')
files_search_var($1)
@@ -23757,7 +27900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -708,6 +708,8 @@
+@@ -708,6 +722,8 @@
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
read_lnk_files_pattern($1, logfile, logfile)
@@ -23766,9 +27909,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.33/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/logging.te 2009-09-29 07:52:08.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/logging.te 2009-11-12 14:26:53.000000000 -0500
@@ -123,10 +123,10 @@
allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
@@ -23876,9 +28019,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
inn_manage_log(syslogd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.6.33/policy/modules/system/lvm.if
+--- nsaserefpolicy/policy/modules/system/lvm.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/lvm.if 2009-11-12 14:26:53.000000000 -0500
+@@ -21,6 +21,26 @@
+
+ ########################################
+ ##
++## Execute lvm programs in the caller domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`lvm_exec',`
++ gen_require(`
++ type lvm_exec_t;
++ ')
++
++ corecmd_search_sbin($1)
++ can_exec($1, lvm_exec_t)
++
++')
++
++########################################
++##
+ ## Execute lvm programs in the lvm domain.
+ ##
+ ##
+@@ -85,3 +105,22 @@
+ manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
+ manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
+ ')
++
++######################################
++##
++## Execute a domain transition to run clvmd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`lvm_clvmd_domtrans',`
++ gen_require(`
++ type clvmd_t, clvmd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,clvmd_exec_t,clvmd_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.33/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2009-09-29 09:58:56.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/lvm.te 2009-11-12 14:26:53.000000000 -0500
@@ -10,6 +10,9 @@
type clvmd_exec_t;
init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -23987,10 +28183,59 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
modutils_domtrans_insmod(lvm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
+@@ -329,6 +352,10 @@
+ ')
+
+ optional_policy(`
++ virt_manage_images(lvm_t)
++')
++
++optional_policy(`
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.33/policy/modules/system/miscfiles.fc
+--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/miscfiles.fc 2009-11-12 14:26:53.000000000 -0500
+@@ -85,3 +85,5 @@
+ /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ ')
++
++HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.33/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-09-27 09:27:40.000000000 -0400
-@@ -87,6 +87,44 @@
++++ serefpolicy-3.6.33/policy/modules/system/miscfiles.if 2009-11-12 14:26:53.000000000 -0500
+@@ -23,6 +23,28 @@
+
+ ########################################
+ ##
++## Read system SSL certificates in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`miscfiles_read_home_certs',`
++ gen_require(`
++ type home_cert_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 home_cert_t:dir list_dir_perms;
++ read_files_pattern($1, home_cert_t, home_cert_t)
++ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
++')
++
++########################################
++##
+ ## manange system SSL certificates.
+ ##
+ ##
+@@ -87,6 +109,44 @@
########################################
##
@@ -24035,9 +28280,56 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write fonts.
##
##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.6.32/policy/modules/system/modutils.fc
+@@ -255,6 +315,24 @@
+
+ ########################################
+ ##
++## Allow process to search man pages.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`miscfiles_search_man_pages',`
++ gen_require(`
++ type man_t;
++ ')
++
++ allow $1 man_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to search man pages.
+ ##
+ ##
+@@ -268,7 +346,7 @@
+ type man_t;
+ ')
+
+- dontaudit $1 man_t:dir search;
++ dontaudit $1 man_t:dir search_dir_perms;
+ ')
+
+ ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.6.33/policy/modules/system/miscfiles.te
+--- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/miscfiles.te 2009-11-12 14:26:53.000000000 -0500
+@@ -12,6 +12,9 @@
+ type cert_t;
+ files_type(cert_t)
+
++type home_cert_t;
++userdom_user_home_content(home_cert_t)
++
+ #
+ # fonts_t is the type of various font
+ # files in /usr
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.6.33/policy/modules/system/modutils.fc
--- nsaserefpolicy/policy/modules/system/modutils.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/modutils.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/modutils.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,6 +1,7 @@
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
@@ -24046,9 +28338,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_gentoo',`
# gentoo init scripts still manage this file
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.32/policy/modules/system/modutils.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.33/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/modutils.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/modutils.if 2009-11-12 14:26:53.000000000 -0500
@@ -1,5 +1,24 @@
## Policy for kernel module utilities
@@ -24122,9 +28414,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.33/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2009-09-18 09:27:21.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/modutils.te 2009-11-12 14:26:53.000000000 -0500
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -24142,7 +28434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow depmod_t modules_dep_t:file manage_file_perms;
files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
-@@ -56,6 +57,7 @@
+@@ -56,12 +57,14 @@
domain_use_interactive_fds(depmod_t)
@@ -24150,7 +28442,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
files_read_etc_runtime_files(depmod_t)
-@@ -83,7 +85,13 @@
+ files_read_etc_files(depmod_t)
+ files_read_usr_src_files(depmod_t)
+ files_list_usr(depmod_t)
++files_read_boot_files(depmod_t)
+
+ fs_getattr_xattr_fs(depmod_t)
+
+@@ -75,6 +78,14 @@
+ # Read System.map from home directories.
+ files_list_home(depmod_t)
+ userdom_read_user_home_content_files(depmod_t)
++userdom_manage_user_tmp_files(depmod_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(depmod_t)
++')
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(depmod_t)
++')
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -83,7 +94,13 @@
')
optional_policy(`
@@ -24164,7 +28478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -91,19 +99,23 @@
+@@ -91,19 +108,23 @@
# insmod local policy
#
@@ -24190,7 +28504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
-@@ -112,6 +124,7 @@
+@@ -112,6 +133,7 @@
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
@@ -24198,7 +28512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(insmod_t)
corecmd_exec_shell(insmod_t)
-@@ -124,9 +137,7 @@
+@@ -124,9 +146,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -24209,11 +28523,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -144,11 +155,14 @@
+@@ -144,11 +164,15 @@
files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
+fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
++fs_mount_rpc_pipefs(insmod_t)
init_rw_initctl(insmod_t)
init_use_fds(insmod_t)
@@ -24224,7 +28539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -157,19 +171,31 @@
+@@ -157,19 +181,31 @@
seutil_read_file_contexts(insmod_t)
@@ -24259,7 +28574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hotplug_search_config(insmod_t)
')
-@@ -228,7 +254,7 @@
+@@ -228,7 +264,7 @@
can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration
@@ -24268,9 +28583,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
files_etc_filetrans(update_modules_t, modules_conf_t, file)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.32/policy/modules/system/mount.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.33/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/mount.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/mount.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,4 +1,9 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -24282,9 +28597,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.33/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/mount.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/mount.if 2009-11-12 14:26:53.000000000 -0500
@@ -84,9 +84,11 @@
interface(`mount_signal',`
gen_require(`
@@ -24297,9 +28612,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.33/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-09-21 08:19:17.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/mount.te 2009-11-13 07:48:55.000000000 -0500
@@ -18,8 +18,12 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -24330,7 +28645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
-+allow mount_t self:process { ptrace signal };
++allow mount_t self:process { getsched ptrace signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms;
@@ -24450,10 +28765,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -172,6 +212,21 @@
+@@ -172,6 +212,25 @@
')
optional_policy(`
++ cron_system_entry(mount_t, mount_exec_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(mount_t)
+
+ optional_policy(`
@@ -24472,7 +28791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +234,11 @@
+@@ -179,6 +238,11 @@
')
')
@@ -24484,7 +28803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +246,7 @@
+@@ -186,6 +250,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -24492,7 +28811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -195,5 +256,8 @@
+@@ -195,5 +260,8 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
@@ -24502,18 +28821,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ rpc_domtrans_rpcd(unconfined_mount_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.6.32/policy/modules/system/raid.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.6.33/policy/modules/system/raid.fc
--- nsaserefpolicy/policy/modules/system/raid.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/raid.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/raid.fc 2009-11-12 14:26:53.000000000 -0500
@@ -3,3 +3,5 @@
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+
+/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.32/policy/modules/system/raid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.33/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/raid.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/raid.te 2009-11-12 14:26:53.000000000 -0500
@@ -14,6 +14,9 @@
type mdadm_var_run_t;
files_pid_file(mdadm_var_run_t)
@@ -24541,9 +28860,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.32/policy/modules/system/selinuxutil.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.33/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/selinuxutil.fc 2009-11-12 14:26:53.000000000 -0500
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -24583,9 +28902,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.33/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-24 23:11:24.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/selinuxutil.if 2009-11-12 14:26:53.000000000 -0500
@@ -351,6 +351,27 @@
########################################
@@ -24941,9 +29260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ hotplug_use_fds($1)
+')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.33/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-09-24 14:41:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/selinuxutil.te 2009-11-12 14:26:53.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -25041,7 +29360,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
-@@ -336,6 +342,8 @@
+@@ -313,6 +319,8 @@
+ kernel_rw_pipes(restorecond_t)
+ kernel_read_system_state(restorecond_t)
+
++files_dontaudit_read_all_symlinks(restorecond_t)
++
+ fs_relabelfrom_noxattr_fs(restorecond_t)
+ fs_dontaudit_list_nfs(restorecond_t)
+ fs_getattr_xattr_fs(restorecond_t)
+@@ -336,6 +344,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -25050,7 +29378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -354,7 +362,7 @@
+@@ -354,7 +364,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -25059,7 +29387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -383,7 +391,6 @@
+@@ -383,7 +393,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -25067,7 +29395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -406,6 +413,10 @@
+@@ -406,6 +415,10 @@
')
')
@@ -25078,7 +29406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -421,61 +432,22 @@
+@@ -421,61 +434,22 @@
# semodule local policy
#
@@ -25086,13 +29414,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
-
+-
-allow semanage_t policy_config_t:file rw_file_perms;
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
+-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
@@ -25103,9 +29427,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+
-domain_use_interactive_fds(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
@@ -25127,13 +29455,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
-
+-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
@@ -25148,7 +29476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -484,12 +456,23 @@
+@@ -484,12 +458,23 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -25172,7 +29500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,111 +482,40 @@
+@@ -499,111 +484,41 @@
userdom_read_user_tmp_files(semanage_t)
')
@@ -25302,15 +29630,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
- ')
+ setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t)
++ setroubleshoot_dontaudit_rw_dgram_sockets(setsebool_t)
')
optional_policy(`
- hotplug_use_fds(setfiles_t)
+ unconfined_domain(setfiles_mac_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.32/policy/modules/system/setrans.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.33/policy/modules/system/setrans.if
--- nsaserefpolicy/policy/modules/system/setrans.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/setrans.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/setrans.if 2009-11-12 14:26:53.000000000 -0500
@@ -21,3 +21,23 @@
stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
files_list_pids($1)
@@ -25335,9 +29664,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ init_labeled_script_domtrans($1, setrans_initrc_exec_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.33/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/sysnetwork.fc 2009-11-12 14:26:53.000000000 -0500
@@ -11,15 +11,20 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -25366,9 +29695,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.33/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/sysnetwork.if 2009-11-12 14:26:53.000000000 -0500
@@ -43,6 +43,39 @@
sysnet_domtrans_dhcpc($1)
@@ -25546,9 +29875,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ role_transition $1 dhcpc_exec_t system_r;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.33/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-09-21 08:24:25.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/sysnetwork.te 2009-11-12 14:26:53.000000000 -0500
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -25597,7 +29926,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_etc_filetrans(dhcpc_t, net_conf_t, file)
# create temp files
-@@ -107,11 +114,13 @@
+@@ -81,6 +88,7 @@
+ kernel_read_system_state(dhcpc_t)
+ kernel_read_network_state(dhcpc_t)
+ kernel_read_kernel_sysctls(dhcpc_t)
++kernel_request_load_module(dhcpc_t)
+ kernel_use_fds(dhcpc_t)
+
+ corecmd_exec_bin(dhcpc_t)
+@@ -107,14 +115,17 @@
# for SSP:
dev_read_urand(dhcpc_t)
@@ -25612,7 +29949,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_home(dhcpc_t)
files_search_var_lib(dhcpc_t)
files_dontaudit_search_locks(dhcpc_t)
-@@ -183,25 +192,23 @@
++files_getattr_generic_locks(dhcpc_t)
+
+ fs_getattr_all_fs(dhcpc_t)
+ fs_search_auto_mountpoints(dhcpc_t)
+@@ -183,25 +194,23 @@
')
optional_policy(`
@@ -25646,7 +29987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -212,6 +219,7 @@
+@@ -212,6 +221,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -25654,7 +29995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -223,6 +231,10 @@
+@@ -223,6 +233,10 @@
')
optional_policy(`
@@ -25665,7 +30006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_xen_state(dhcpc_t)
kernel_write_xen_state(dhcpc_t)
xen_append_log(dhcpc_t)
-@@ -235,7 +247,6 @@
+@@ -235,7 +249,6 @@
#
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
@@ -25673,7 +30014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
-@@ -249,6 +260,8 @@
+@@ -249,6 +262,8 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -25682,7 +30023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
-@@ -260,7 +273,9 @@
+@@ -260,7 +275,9 @@
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
@@ -25692,7 +30033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
-@@ -269,15 +284,23 @@
+@@ -269,15 +286,23 @@
# for IPSEC setup:
dev_read_urand(ifconfig_t)
@@ -25717,7 +30058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_dontaudit_read_root_files(ifconfig_t)
-@@ -294,6 +317,8 @@
+@@ -294,6 +319,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -25726,7 +30067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -330,8 +355,21 @@
+@@ -330,8 +357,22 @@
')
optional_policy(`
@@ -25747,10 +30088,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+ hal_dontaudit_rw_pipes(ifconfig_t)
++ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.32/policy/modules/system/udev.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.33/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/udev.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/udev.fc 2009-11-12 14:26:53.000000000 -0500
@@ -7,6 +7,9 @@
/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
@@ -25761,10 +30103,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.32/policy/modules/system/udev.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.33/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/udev.if 2009-09-16 10:03:09.000000000 -0400
-@@ -168,4 +168,25 @@
++++ serefpolicy-3.6.33/policy/modules/system/udev.if 2009-11-12 14:26:53.000000000 -0500
+@@ -168,4 +168,43 @@
dev_list_all_dev_nodes($1)
allow $1 udev_tbl_t:file rw_file_perms;
@@ -25789,10 +30131,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
++')
++
++########################################
++##
++## Send signal to udev process
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_signal',`
++ gen_require(`
++ type udev_t;
++ ')
++
++ allow $1 udev_t:process signal;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.33/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/udev.te 2009-11-12 14:26:53.000000000 -0500
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -25801,7 +30161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -66,6 +67,7 @@
+@@ -66,9 +67,11 @@
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
@@ -25809,7 +30169,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
kernel_read_system_state(udev_t)
-@@ -111,6 +113,7 @@
++kernel_request_load_module(udev_t)
+ kernel_getattr_core_if(udev_t)
+ kernel_use_fds(udev_t)
+ kernel_read_device_sysctls(udev_t)
+@@ -111,6 +114,7 @@
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
@@ -25817,7 +30181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mcs_ptrace_all(udev_t)
-@@ -140,6 +143,7 @@
+@@ -140,6 +144,7 @@
logging_send_audit_msgs(udev_t)
miscfiles_read_localization(udev_t)
@@ -25825,7 +30189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(udev_t)
# read modules.inputmap:
-@@ -194,6 +198,10 @@
+@@ -194,6 +199,10 @@
')
optional_policy(`
@@ -25836,7 +30200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
brctl_domtrans(udev_t)
')
-@@ -202,14 +210,27 @@
+@@ -202,14 +211,27 @@
')
optional_policy(`
@@ -25864,7 +30228,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
lvm_domtrans(udev_t)
')
-@@ -219,6 +240,7 @@
+@@ -219,6 +241,7 @@
optional_policy(`
hal_dgram_send(udev_t)
@@ -25872,7 +30236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -228,6 +250,10 @@
+@@ -228,6 +251,10 @@
')
optional_policy(`
@@ -25883,7 +30247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -242,6 +268,18 @@
+@@ -242,6 +269,18 @@
')
optional_policy(`
@@ -25902,9 +30266,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.32/policy/modules/system/unconfined.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.33/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/unconfined.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/unconfined.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,16 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
@@ -25922,9 +30286,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.33/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/unconfined.if 2009-11-12 14:26:53.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -26428,9 +30792,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
- allow $1 unconfined_t:dbus acquire_svc;
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.32/policy/modules/system/unconfined.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.33/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/unconfined.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/unconfined.te 2009-11-12 14:26:53.000000000 -0500
@@ -5,227 +5,5 @@
#
# Declarations
@@ -26660,9 +31024,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.33/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/userdomain.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,4 +1,8 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -26673,9 +31037,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+HOME_DIR/\.gvfs(/.*)? <>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.33/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-28 10:22:23.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/userdomain.if 2009-11-13 11:30:17.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -27045,7 +31409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -420,35 +414,48 @@
+@@ -420,35 +414,58 @@
## is the prefix for user_t).
##
##
@@ -27075,7 +31439,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- dev_getattr_agp_dev($1_t)
- dev_dontaudit_rw_dri($1_t)
+ dev_getattr_agp_dev($1)
-+ dev_dontaudit_rw_dri($1)
++
++ tunable_policy(`user_direct_dri',`
++ dev_rw_dri($1)
++ ',`
++ dev_dontaudit_rw_dri($1)
++ ')
++
# GNOME checks for usb and other devices:
- dev_rw_usbfs($1_t)
+ dev_rw_usbfs($1)
@@ -27083,15 +31453,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dev_read_video_dev($1)
+ dev_write_video_dev($1)
+ dev_rw_wireless($1)
++
++ miscfiles_dontaudit_write_fonts($1)
++
++ optional_policy(`
++ udev_read_db($1)
++ ')
- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
- xserver_xsession_entry_type($1_t)
- xserver_dontaudit_write_log($1_t)
- xserver_stream_connect_xdm($1_t)
-+ miscfiles_dontaudit_write_fonts($1)
-+
+ optional_policy(`
-+ udev_read_db($1)
++ setroubleshoot_dontaudit_dbus_chat($1)
+ ')
+
+ optional_policy(`
@@ -27113,7 +31487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -498,7 +505,7 @@
+@@ -498,7 +515,7 @@
attribute unpriv_userdomain;
')
@@ -27122,7 +31496,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -508,182 +515,209 @@
+@@ -508,182 +525,213 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -27143,27 +31517,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
+-
+- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corecmd_exec_bin($1_t)
-+ corenet_udp_bind_generic_node($1_usertype)
-+ corenet_udp_bind_generic_port($1_usertype)
-
- corenet_udp_bind_generic_node($1_t)
- corenet_udp_bind_generic_port($1_t)
-+ dev_read_rand($1_usertype)
-+ dev_write_sound($1_usertype)
-+ dev_read_sound($1_usertype)
-+ dev_read_sound_mixer($1_usertype)
-+ dev_write_sound_mixer($1_usertype)
++ corenet_udp_bind_generic_node($1_usertype)
++ corenet_udp_bind_generic_port($1_usertype)
- dev_read_rand($1_t)
- dev_write_sound($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
--
++ dev_read_rand($1_usertype)
++ dev_write_sound($1_usertype)
++ dev_read_sound($1_usertype)
++ dev_read_sound_mixer($1_usertype)
++ dev_write_sound_mixer($1_usertype)
+
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -27227,7 +31601,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_exec_checkpolicy($1_t)
- seutil_exec_setfiles($1_t)
+ seutil_exec_setfiles($1_usertype)
-+ seutil_exec_restorecond($1_usertype)
# for when the network connection is killed
# this is needed when a login role can change
# to this one.
@@ -27236,37 +31609,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`user_direct_mouse',`
- dev_read_mouse($1_t)
+ dev_read_mouse($1_usertype)
++ ')
++
++ optional_policy(`
++ alsa_read_rw_config($1_usertype)
')
- tunable_policy(`user_ttyfile_stat',`
- term_getattr_all_user_ttys($1_t)
+ optional_policy(`
-+ alsa_read_rw_config($1_usertype)
- ')
-
- optional_policy(`
-- alsa_read_rw_config($1_t)
+ # Allow graphical boot to check battery lifespan
+ apm_stream_connect($1_usertype)
')
+ optional_policy(`
+- alsa_read_rw_config($1_t)
++ canna_stream_connect($1_usertype)
+ ')
+
optional_policy(`
- # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
-+ canna_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
++ chrome_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+- canna_stream_connect($1_t)
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
+ avahi_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- canna_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ bluetooth_dbus_chat($1_usertype)
')
@@ -27274,35 +31651,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- dbus_system_bus_client($1_t)
+ consolekit_dbus_chat($1_usertype)
+ consolekit_read_log($1_usertype)
-+ ')
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ hal_dbus_chat($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_var_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ vpnc_dbus_chat($1_usertype)
++ vpnc_dbus_chat($1_usertype)
')
')
@@ -27389,7 +31767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ sandbox_transition($1_t, $1_r)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
@@ -27405,7 +31783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -711,13 +745,26 @@
+@@ -711,13 +759,26 @@
userdom_base_user_template($1)
@@ -27416,7 +31794,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- userdom_manage_tmpfs_role($1_r, $1_t)
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
+
@@ -27427,9 +31807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -27437,7 +31815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_change_password_template($1)
-@@ -735,70 +782,72 @@
+@@ -735,70 +796,72 @@
allow $1_t self:context contains;
@@ -27543,24 +31921,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -835,6 +884,32 @@
- # Local policy
+@@ -826,6 +889,8 @@
+ ')
+
+ userdom_login_user_template($1)
++ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
++ dontaudit $1_t self:netlink_audit_socket create_socket_perms;
+
+ typeattribute $1_t unpriv_userdomain;
+ domain_interactive_fd($1_t)
+@@ -836,6 +901,26 @@
#
-+ tunable_policy(`user_rw_noexattrfile',`
-+ fs_manage_noxattr_fs_files($1_usertype)
-+ fs_manage_noxattr_fs_dirs($1_usertype)
-+ fs_manage_dos_dirs($1_usertype)
-+ fs_manage_dos_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ optional_policy(`
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
+
+ optional_policy(`
+ abrt_dbus_chat($1_usertype)
++ abrt_run_helper($1_usertype, $1_r)
+ ')
+
+ optional_policy(`
@@ -27573,10 +31953,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+ ')
+
- optional_policy(`
++ optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -865,51 +940,81 @@
+ ')
+@@ -865,51 +950,93 @@
userdom_restricted_user_template($1)
@@ -27593,12 +31974,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
++
++ xserver_role($1_r, $1_t)
++ xserver_communicate($1_usertype, $1_usertype)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
-+ xserver_role($1_r, $1_t)
-+ xserver_communicate($1_usertype, $1_usertype)
-+
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
@@ -27611,18 +31992,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+
++ tunable_policy(`user_rw_noexattrfile',`
++ fs_manage_noxattr_fs_files($1_usertype)
++ fs_manage_noxattr_fs_dirs($1_usertype)
++ fs_manage_dos_dirs($1_usertype)
++ fs_manage_dos_files($1_usertype)
++ storage_raw_read_removable_device($1_usertype)
++ storage_raw_write_removable_device($1_usertype)
++ ')
++
+ logging_send_syslog_msg($1_usertype)
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
logging_send_audit_msgs($1_t)
selinux_get_enforce_mode($1_t)
-
-- xserver_restricted_role($1_r, $1_t)
++ seutil_exec_restorecond($1_t)
++ seutil_read_file_contexts($1_t)
++ seutil_read_default_contexts($1_t)
++
+ optional_policy(`
+ alsa_read_rw_config($1_usertype)
+ ')
-+
+
+- xserver_restricted_role($1_r, $1_t)
+ optional_policy(`
+ apache_role($1_r, $1_usertype)
+ ')
@@ -27671,7 +32064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -943,8 +1048,8 @@
+@@ -943,8 +1070,8 @@
# Declarations
#
@@ -27681,7 +32074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -953,11 +1058,12 @@
+@@ -953,58 +1080,67 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -27689,72 +32082,87 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
++ corenet_tcp_bind_all_nodes($1_usertype)
- files_exec_usr_files($1_t)
+- # cjp: why?
+- files_read_kernel_symbol_table($1_t)
+ storage_rw_fuse($1_t)
-+
- # cjp: why?
- files_read_kernel_symbol_table($1_t)
-@@ -975,36 +1081,53 @@
+- ifndef(`enable_mls',`
+- fs_exec_noxattr($1_t)
++ # Allow users to run TCP servers (bind to ports and accept connection from
++ # the same domain and outside users) disabling this forces FTP passive mode
++ # and may change other protocols
++ tunable_policy(`user_tcp_server',`
++ corenet_tcp_bind_all_unreserved_ports($1_usertype)
++ ')
+
+- tunable_policy(`user_rw_noexattrfile',`
+- fs_manage_noxattr_fs_files($1_t)
+- fs_manage_noxattr_fs_dirs($1_t)
+- # Write floppies
+- storage_raw_read_removable_device($1_t)
+- storage_raw_write_removable_device($1_t)
+- ',`
+- storage_raw_read_removable_device($1_t)
++ optional_policy(`
++ cdrecord_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
++ cron_role($1_r, $1_t)
')
++
++ optional_policy(`
++ games_rw_data($1_usertype)
')
- tunable_policy(`user_dmesg',`
- kernel_read_ring_buffer($1_t)
- ',`
- kernel_dontaudit_read_ring_buffer($1_t)
-- ')
--
- # Allow users to run TCP servers (bind to ports and accept connection from
- # the same domain and outside users) disabling this forces FTP passive mode
- # and may change other protocols
- tunable_policy(`user_tcp_server',`
++ optional_policy(`
++ gpg_role($1_r, $1_usertype)
+ ')
+
+- # Allow users to run TCP servers (bind to ports and accept connection from
+- # the same domain and outside users) disabling this forces FTP passive mode
+- # and may change other protocols
+- tunable_policy(`user_tcp_server',`
- corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t)
-+ corenet_tcp_bind_all_nodes($1_usertype)
-+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
++ optional_policy(`
++ gpm_stream_connect($1_usertype)
')
optional_policy(`
- netutils_run_ping_cond($1_t,$1_r)
- netutils_run_traceroute_cond($1_t,$1_r)
-+ cdrecord_role($1_r, $1_t)
++ execmem_role_template($1, $1_r, $1_t)
')
optional_policy(`
- postgresql_role($1_r,$1_t)
-+ cron_role($1_r, $1_t)
++ java_role_template($1, $1_r, $1_t)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r)
-+ games_rw_data($1_usertype)
++ mono_role_template($1, $1_r, $1_t)
')
optional_policy(`
- setroubleshoot_stream_connect($1_t)
-+ gpg_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ gpm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ java_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ mono_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ mount_run($1_t, $1_r)
+ ')
+
+ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ ')
+
@@ -27764,7 +32172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -1040,7 +1163,7 @@
+@@ -1040,7 +1176,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -27773,7 +32181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1049,8 +1172,7 @@
+@@ -1049,8 +1185,7 @@
#
# Inherit rules for ordinary users.
@@ -27783,7 +32191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1075,6 +1197,9 @@
+@@ -1075,6 +1210,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -27793,7 +32201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1214,7 @@
+@@ -1089,6 +1227,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -27801,7 +32209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1096,8 +1222,6 @@
+@@ -1096,8 +1235,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -27810,7 +32218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1124,6 +1248,8 @@
+@@ -1124,12 +1261,11 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -27819,7 +32227,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1152,20 +1278,6 @@
+- storage_raw_read_removable_device($1_t)
+- storage_raw_write_removable_device($1_t)
+-
+ term_use_all_terms($1_t)
+
+ auth_getattr_shadow($1_t)
+@@ -1152,20 +1288,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -27840,7 +32254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1323,7 @@
+@@ -1211,6 +1333,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -27848,7 +32262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1276,11 +1389,15 @@
+@@ -1276,11 +1399,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -27864,7 +32278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1391,12 +1508,13 @@
+@@ -1391,12 +1518,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -27879,7 +32293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -1429,6 +1547,14 @@
+@@ -1429,6 +1557,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -27894,7 +32308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1444,9 +1570,11 @@
+@@ -1444,9 +1580,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -27906,7 +32320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1503,6 +1631,25 @@
+@@ -1503,6 +1641,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -27928,11 +32342,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 user_home_t:file relabelto;
+')
++########################################
++##
++## Relabel user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_relabel_user_home_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file { relabelto relabelfrom };
++')
+
########################################
##
## Create directories in the home dir root with
-@@ -1577,6 +1724,8 @@
+@@ -1577,6 +1751,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -27941,7 +32372,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1670,6 +1819,7 @@
+@@ -1619,6 +1795,24 @@
+
+ ########################################
+ ##
++## Set the attributes of user home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_setattr_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file setattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to set the
+ ## attributes of user home files.
+ ##
+@@ -1670,6 +1864,7 @@
type user_home_dir_t, user_home_t;
')
@@ -27949,7 +32405,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1797,19 +1947,32 @@
+@@ -1686,11 +1881,11 @@
+ #
+ interface(`userdom_dontaudit_read_user_home_content_files',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
+ ')
+
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
+ ')
+
+ ########################################
+@@ -1797,19 +1992,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -27989,7 +32460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1844,6 +2007,7 @@
+@@ -1844,6 +2052,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -27997,36 +32468,193 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2555,7 @@
+@@ -2196,7 +2405,7 @@
########################################
##
--## Read user tmpfs files.
--##
--##
--##
+-## Do not audit attempts to manage users
++## Do not audit attempts to write users
+ ## temporary files.
+ ##
+ ##
+@@ -2205,37 +2414,56 @@
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_manage_user_tmp_files',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tmp_t:file manage_file_perms;
++ dontaudit $1 user_tmp_t:file write;
+ ')
+
+ ########################################
+ ##
+-## Read user temporary symbolic links.
++## Do not audit attempts to manage users
++## temporary files.
+ ##
+ ##
+ ##
-## Domain allowed access.
--##
--##
--#
--interface(`userdom_read_user_tmpfs_files',`
-- gen_require(`
-- type user_tmpfs_t;
-- ')
--
-- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
--')
--
--########################################
--##
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`userdom_read_user_tmp_symlinks',`
++interface(`userdom_dontaudit_manage_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+- allow $1 user_tmp_t:dir list_dir_perms;
+- files_search_tmp($1)
++ dontaudit $1 user_tmp_t:file manage_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete user
++## Read user temporary symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_user_tmp_symlinks',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_tmp_t:dir list_dir_perms;
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
+ ## temporary directories.
+ ##
+ ##
+@@ -2276,6 +2504,46 @@
+ ########################################
+ ##
+ ## Create, read, write, and delete user
++## temporary chr files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_chr_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
++## temporary blk files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_blk_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
+ ## temporary symbolic links.
+ ##
+ ##
+@@ -2391,7 +2659,7 @@
+
+ ########################################
+ ##
-## Read user tmpfs files.
+## Read/Write user tmpfs files.
##
##
##
-@@ -2765,11 +2909,32 @@
+@@ -2399,19 +2667,21 @@
+ ##
+ ##
+ #
+-interface(`userdom_read_user_tmpfs_files',`
++interface(`userdom_rw_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ fs_search_tmpfs($1)
+ ')
+
+-########################################
++
++######################################
+ ##
+-## Read user tmpfs files.
++## Manage user tmpfs files.
+ ##
+ ##
+ ##
+@@ -2419,15 +2689,14 @@
+ ##
+ ##
+ #
+-interface(`userdom_rw_user_tmpfs_files',`
++interface(`userdom_manage_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ ')
+
+ ########################################
+@@ -2749,7 +3018,7 @@
+
+ domain_entry_file_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+- allow unpriv_userdomain $1:fifo_file rw_file_perms;
++ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+ ')
+
+@@ -2765,11 +3034,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -28061,7 +32689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2897,7 +3062,25 @@
+@@ -2897,7 +3187,43 @@
type user_tmp_t;
')
@@ -28071,6 +32699,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
++## Write all inherited users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_write_inherited_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file write;
++')
++
++########################################
++##
+## Delete all users files in /tmp
+##
+##
@@ -28088,7 +32734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2934,6 +3117,7 @@
+@@ -2934,6 +3260,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -28096,7 +32742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -3064,3 +3248,559 @@
+@@ -3064,3 +3391,578 @@
allow $1 userdomain:dbus send_msg;
')
@@ -28362,6 +33008,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
+')
+
++######################################
++##
++## Send a message to users over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_users_dgram_send',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:unix_dgram_socket sendto;
++')
++
+#######################################
+##
+## Allow execmod on files in homedirectory
@@ -28656,9 +33321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 user_tmp_t:file { getattr append };
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.32/policy/modules/system/userdomain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.33/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/userdomain.te 2009-11-12 14:26:53.000000000 -0500
@@ -8,13 +8,6 @@
##
@@ -28673,21 +33338,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow users to connect to PostgreSQL
##
##
-@@ -29,13 +22,6 @@
+@@ -29,10 +22,10 @@
##
##
-## Allow users to read system messages.
--##
--##
--gen_tunable(user_dmesg, false)
--
--##
--##
- ## Allow user to r/w files on filesystems
- ## that do not have extended attributes (FAT, CDROM, FLOPPY)
++## Allow regular users direct dri device access
##
-@@ -54,11 +40,20 @@
+ ##
+-gen_tunable(user_dmesg, false)
++gen_tunable(user_direct_dri, false)
+
+ ##
+ ##
+@@ -54,11 +47,20 @@
# all user domains
attribute userdomain;
@@ -28710,7 +33374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
-@@ -72,6 +67,7 @@
+@@ -72,6 +74,7 @@
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -28718,7 +33382,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -97,3 +93,25 @@
+@@ -97,3 +100,25 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
@@ -28744,9 +33408,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+allow userdomain userdomain:process signull;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.32/policy/modules/system/xen.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.33/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/xen.fc 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/xen.fc 2009-11-12 14:26:53.000000000 -0500
@@ -1,5 +1,7 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
@@ -28774,9 +33438,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.32/policy/modules/system/xen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.33/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/xen.if 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/xen.if 2009-11-12 14:26:53.000000000 -0500
@@ -71,6 +71,8 @@
')
@@ -28827,9 +33491,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1, xen_image_t, xen_image_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.33/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/modules/system/xen.te 2009-11-12 14:26:53.000000000 -0500
@@ -6,6 +6,13 @@
# Declarations
#
@@ -29021,7 +33685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
-+allow xm_t self:process signal;
++allow xm_t self:process { getsched signal };
# internal communication is often done using fifo and unix sockets.
allow xm_t self:fifo_file rw_fifo_file_perms;
@@ -29127,9 +33791,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
+files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2009-09-16 10:03:09.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.33/policy/support/obj_perm_sets.spt
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.6.33/policy/support/obj_perm_sets.spt 2009-11-12 14:26:53.000000000 -0500
@@ -201,7 +201,7 @@
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr open read lock ioctl }')
@@ -29162,9 +33826,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
+define(`manage_key_perms', `{ create link read search setattr view write } ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.33/policy/users
--- nsaserefpolicy/policy/users 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/users 2009-09-16 10:03:09.000000000 -0400
++++ serefpolicy-3.6.33/policy/users 2009-11-12 14:26:53.000000000 -0500
@@ -25,11 +25,8 @@
# permit any access to such users, then remove this entry.
#
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b8f6dd29..6a64b711 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,12 +19,12 @@
%define CHECKPOLICYVER 2.0.16-3
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.6.32
-Release: 16%{?dist}
+Version: 3.6.33
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
-patch: policy-F12.patch
+patch: policy-F13.patch
Source1: modules-targeted.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
@@ -449,6 +449,9 @@ exit 0
%endif
%changelog
+* Thu Nov 12 2009 Dan Walsh 3.6.33-1
+- Update to upstream
+
* Thu Oct 1 2009 Dan Walsh 3.6.32-17
- Allow vpnc request the kernel to load modules
diff --git a/sources b/sources
index 07d51654..3e8fe507 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
3651679c4b12a31d2ba5f4305bba5540 config.tgz
-d3d5eaf6fd6ca9f09f8912d694810268 serefpolicy-3.6.32.tgz
+e82cab8a9681ae7851aec03029f68285 serefpolicy-3.6.33.tgz