- Allow hal/pm-utils to look at /var/run/video.rom

- Add ulogd policy
2008-11-05 18:26:36 +00:00 · 2008-11-05 18:26:36 +00:00 · 6a09cfb688
commit 6a09cfb688
parent 411a424e1c
6 changed files with 400 additions and 53 deletions
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@ -229,7 +229,7 @@ user_rw_noexattrfile=true
 # Allow qemu to connect fully to the network
 # 
-allow_qemu_full_network=true
+qemu_full_network=true
 # Allow nsplugin execmem/execstack for bad plugins
 # 
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -229,7 +229,7 @@ user_rw_noexattrfile=true
 # Allow qemu to connect fully to the network
 # 
-allow_qemu_full_network=true
+qemu_full_network=true
 # Allow nsplugin execmem/execstack for bad plugins
 # 
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -1293,6 +1293,13 @@ userdomain = base
 # 
 unconfined = module
 # Layer: services
 # Module: ulogd
 #
 # 
 # 
 ulogd = module
 # Layer: apps
 # Module: wine
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1293,6 +1293,13 @@ userdomain = base
 # 
 unconfined = module
 # Layer: services
 # Module: ulogd
 #
 # 
 # 
 ulogd = module
 # Layer: apps
 # Module: wine
 #
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -16212,7 +16212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/hal.te	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/hal.te	2008-11-04 13:26:50.000000000 -0500
@@ -49,6 +49,9 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -16244,13 +16244,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rpc_search_nfs_state_data(hald_t)
 ')
-@@ -300,12 +310,16 @@
+@@ -300,12 +310,20 @@
 	vbetool_domtrans(hald_t)
 ')
 +optional_policy(`
 +	virt_manage_images(hald_t)
 +')
 +
 +optional_policy(`
 +	xserver_read_pid(hald_t)
 +')
 +
 ########################################
 #
@ -16262,7 +16266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow hald_acl_t self:process { getattr signal };
 allow hald_acl_t self:fifo_file rw_fifo_file_perms;
-@@ -344,13 +358,22 @@
+@@ -344,13 +362,22 @@
 libs_use_ld_so(hald_acl_t)
 libs_use_shared_libs(hald_acl_t)
@ -16285,7 +16289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
 allow hald_t hald_mac_t:process signal;
 allow hald_mac_t hald_t:unix_stream_socket connectto;
-@@ -359,6 +382,8 @@
+@@ -359,6 +386,8 @@
 manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
 files_search_var_lib(hald_mac_t)
@ -16294,7 +16298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_system_state(hald_mac_t)
 dev_read_raw_memory(hald_mac_t)
-@@ -366,6 +391,9 @@
+@@ -366,6 +395,9 @@
 dev_read_sysfs(hald_mac_t)
 files_read_usr_files(hald_mac_t)
@ -16304,7 +16308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 libs_use_ld_so(hald_mac_t)
 libs_use_shared_libs(hald_mac_t)
-@@ -388,6 +416,8 @@
+@@ -388,6 +420,8 @@
 manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
 files_search_var_lib(hald_sonypic_t)
@ -16313,7 +16317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_usr_files(hald_sonypic_t)
 libs_use_ld_so(hald_sonypic_t)
-@@ -408,6 +438,8 @@
+@@ -408,6 +442,8 @@
 manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
 files_search_var_lib(hald_keymap_t)
@ -16322,7 +16326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_rw_input_dev(hald_keymap_t)
 files_read_usr_files(hald_keymap_t)
-@@ -419,4 +451,4 @@
+@@ -419,4 +455,4 @@
 # This is caused by a bug in hald and PolicyKit.  
 # Should be removed when this is fixed
@ -18611,16 +18615,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	openct_signull(pcscd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.13/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/pegasus.te	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/pegasus.te	2008-11-04 12:06:18.000000000 -0500
-@@ -66,6 +66,7 @@
+@@ -30,7 +30,7 @@
 # Local policy
 #
 -allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
 +allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
 dontaudit pegasus_t self:capability sys_tty_config;
 allow pegasus_t self:process signal;
 allow pegasus_t self:fifo_file rw_fifo_file_perms;
@@ -66,6 +66,8 @@
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
 kernel_read_net_sysctls(pegasus_t)
 +kernel_read_xen_state(pegasus_t)
 +kernel_write_xen_state(pegasus_t)
 corenet_all_recvfrom_unlabeled(pegasus_t)
 corenet_all_recvfrom_netlabel(pegasus_t)
-@@ -96,13 +97,12 @@
+@@ -96,13 +98,12 @@
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
@ -18636,7 +18650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_var_lib_symlinks(pegasus_t)
 hostname_exec(pegasus_t)
-@@ -118,7 +118,6 @@
+@@ -118,7 +119,6 @@
 miscfiles_read_localization(pegasus_t)
@ -18644,6 +18658,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 sysnet_domtrans_ifconfig(pegasus_t)
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
@@ -130,6 +130,14 @@
 ')
 optional_policy(`
 +	samba_manage_config(pegasus_t)
 +')
 +
 +optional_policy(`
 +	ssh_exec(pegasus_t)
 +')
 +
 +optional_policy(`
 	seutil_sigchld_newrole(pegasus_t)
 	seutil_dontaudit_read_config(pegasus_t)
 ')
@@ -141,3 +149,13 @@
 optional_policy(`
 	unconfined_signull(pegasus_t)
 ')
 +
 +optional_policy(`
 +	virt_domtrans(pegasus_t)
 +	virt_manage_config(pegasus_t)
 +')
 +
 +optional_policy(`
 +	xen_stream_connect(pegasus_t)
 +	xen_stream_connect_xenstore(pegasus_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.13/policy/modules/services/polkit.fc
 --- nsaserefpolicy/policy/modules/services/polkit.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.13/policy/modules/services/polkit.fc	2008-10-28 10:56:19.000000000 -0400
@ -18896,8 +18939,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/polkit.te	2008-11-04 09:58:08.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/polkit.te	2008-11-05 11:49:03.000000000 -0500
-@@ -0,0 +1,231 @@
+@@ -0,0 +1,232 @@
 +policy_module(polkit_auth, 1.0.0)
 +
 +########################################
@ -19062,6 +19105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +logging_send_syslog_msg(polkit_grant_t)
 +
 +polkit_domtrans_auth(polkit_grant_t)
 +polkit_domtrans_resolve(polkit_grant_t)
 +
 +manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t)
 +
@ -21627,7 +21671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.if	2008-11-04 10:21:25.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/samba.if	2008-11-04 11:57:02.000000000 -0500
@@ -44,6 +44,44 @@
 ########################################
@ -22020,7 +22064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.te	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/samba.te	2008-11-05 12:55:21.000000000 -0500
@@ -66,6 +66,13 @@
 ## </desc>
 gen_tunable(samba_share_nfs, false)
@ -22203,7 +22247,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -452,6 +493,7 @@
+@@ -379,8 +420,10 @@
 tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t) 
 +	auth_read_all_dirs_except_shadow(smbd_t)
 	auth_read_all_files_except_shadow(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t) 
 +	auth_read_all_dirs_except_shadow(nmbd_t)
 	auth_read_all_files_except_shadow(nmbd_t)
 ')
@@ -452,6 +495,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 fs_getattr_all_fs(nmbd_t)
@ -22211,7 +22266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_search_auto_mountpoints(nmbd_t)
 domain_use_interactive_fds(nmbd_t)
-@@ -536,6 +578,7 @@
+@@ -536,6 +580,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 term_list_ptys(smbmount_t)
@ -22219,7 +22274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corecmd_list_bin(smbmount_t)
-@@ -547,32 +590,46 @@
+@@ -547,32 +592,46 @@
 auth_use_nsswitch(smbmount_t)
@ -22272,7 +22327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -592,6 +649,9 @@
+@@ -592,6 +651,9 @@
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 allow swat_t winbind_exec_t:file mmap_file_perms;
@ -22282,7 +22337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -616,10 +676,12 @@
+@@ -616,10 +678,12 @@
 dev_read_urand(swat_t)
@ -22295,7 +22350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
-@@ -628,6 +690,7 @@
+@@ -628,6 +692,7 @@
 libs_use_shared_libs(swat_t)
 logging_send_syslog_msg(swat_t)
@ -22303,7 +22358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_search_logs(swat_t)
 miscfiles_read_localization(swat_t)
-@@ -645,6 +708,17 @@
+@@ -645,6 +710,17 @@
 	kerberos_use(swat_t)
 ')
@ -22321,7 +22376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Winbind local policy
-@@ -694,6 +768,8 @@
+@@ -694,6 +770,8 @@
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@ -22330,7 +22385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
-@@ -780,8 +856,13 @@
+@@ -780,8 +858,13 @@
 miscfiles_read_localization(winbind_helper_t) 
 optional_policy(`
@ -22344,7 +22399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -790,6 +871,16 @@
+@@ -790,6 +873,16 @@
 #
 optional_policy(`
@ -22361,7 +22416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	type samba_unconfined_script_t;
 	type samba_unconfined_script_exec_t;
 	domain_type(samba_unconfined_script_t)
-@@ -800,9 +891,46 @@
+@@ -800,9 +893,46 @@
 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@ -24432,6 +24487,209 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket create_stream_socket_perms;
 allow tor_t self:netlink_route_socket r_netlink_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.5.13/policy/modules/services/ulogd.fc
 --- nsaserefpolicy/policy/modules/services/ulogd.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.13/policy/modules/services/ulogd.fc	2008-11-05 12:14:57.000000000 -0500
@@ -0,0 +1,10 @@
 +
 +/etc/rc\.d/init\.d/ulogd                --              gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
 +
 +/etc/ulogd.conf                         --          	gen_context(system_u:object_r:ulogd_etc_t,s0)
 +
 +/usr/lib/ulogd(/.*)?					gen_context(system_u:object_r:ulogd_modules_t,s0)	
 +
 +/usr/sbin/ulogd				--		gen_context(system_u:object_r:ulogd_exec_t,s0)
 +
 +/var/log/ulogd(/.*)?					gen_context(system_u:object_r:ulogd_var_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.5.13/policy/modules/services/ulogd.if
 --- nsaserefpolicy/policy/modules/services/ulogd.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.13/policy/modules/services/ulogd.if	2008-11-05 12:14:57.000000000 -0500
@@ -0,0 +1,127 @@
 +## <summary>policy for ulogd</summary>
 +
 +########################################
 +## <summary>
 +##	Execute a domain transition to run ulogd.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`ulogd_domtrans',`
 +	gen_require(`
 +		type ulogd_t, ulogd_exec_t;
 +	')
 +
 +	domtrans_pattern($1,ulogd_exec_t,ulogd_t)
 +')
 +
 +########################################
 +## <summary>
 +##      Allow the specified domain to read
 +##      ulogd configuration files.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +## <rolecap/>
 +##
 +#
 +interface(`ulogd_read_config',`
 +        gen_require(`
 +                type ulogd_etc_t;
 +        ')
 +
 +        files_search_etc($1)
 +        read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
 +')
 +
 +########################################
 +## <summary>
 +##      Allow the specified domain to read ulogd's log files.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +## <rolecap/>
 +##
 +#
 +interface(`ulogd_read_log',`
 +        gen_require(`
 +                type ulogd_var_log_t;
 +        ')
 +
 +        logging_search_logs($1)
 +        allow $1 ulogd_var_log_t:dir list_dir_perms;
 +        read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
 +')
 +
 +########################################
 +## <summary>
 +##      Allow the specified domain to append to ulogd's log files.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +## <rolecap/>
 +##
 +#
 +interface(`ulogd_append_log',`
 +        gen_require(`
 +                type ulogd_var_log_t;
 +        ')
 +
 +        logging_search_logs($1)
 +        allow $1 ulogd_var_log_t:dir list_dir_perms;
 +        allow $1 ulogd_var_log_t:file append_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##      All of the rules required to administrate 
 +##      an ulogd environment
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +## <param name="role">
 +##      <summary>
 +##      The role to be allowed to manage the syslog domain.
 +##      </summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`ulogd_admin',`
 +        gen_require(`
 +                type ulogd_t, ulogd_etc_t;
 +                type ulogd_var_log_t, ulogd_initrc_exec_t;
 +		type ulogd_modules_t;
 +        ')
 +
 +        allow $1 ulogd_t:process { ptrace signal_perms };
 +        ps_process_pattern($1, ulogd_t)
 +
 +        init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
 +        domain_system_change_exemption($1)
 +        role_transition $2 ulogd_initrc_exec_t system_r;
 +        allow $2 system_r;
 +
 +	files_search_etc($1)
 +        admin_pattern($1, ulogd_etc_t)
 +
 +        logging_list_logs($1)
 +        admin_pattern($1, ulogd_var_log_t)
 +
 +        files_search_usr($1)
 +        admin_pattern($1, ulogd_modules_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.5.13/policy/modules/services/ulogd.te
 --- nsaserefpolicy/policy/modules/services/ulogd.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.13/policy/modules/services/ulogd.te	2008-11-05 12:14:57.000000000 -0500
@@ -0,0 +1,54 @@
 +policy_module(ulogd,1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type ulogd_t;
 +type ulogd_exec_t;
 +init_daemon_domain(ulogd_t, ulogd_exec_t)
 +
 +type ulogd_initrc_exec_t;
 +init_script_file(ulogd_initrc_exec_t)
 +
 +# /usr/lib files
 +type ulogd_modules_t;
 +files_type(ulogd_modules_t)
 +
 +# config files
 +type ulogd_etc_t;
 +files_type(ulogd_etc_t)
 +
 +# log files
 +type ulogd_var_log_t;
 +logging_log_file(ulogd_var_log_t)
 +
 +########################################
 +
 +#
 +# ulogd local policy
 +#
 +
 +allow ulogd_t self:capability net_admin;
 +allow ulogd_t self:netlink_nflog_socket create_socket_perms;
 +
 +# config files
 +read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
 +
 +# modules for ulogd
 +list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t)
 +mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 +
 +# log files
 +manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 +logging_log_filetrans(ulogd_t,ulogd_var_log_t, file )
 +
 +files_search_etc(ulogd_t)
 +
 +libs_use_ld_so(ulogd_t)
 +libs_use_shared_libs(ulogd_t)
 +
 +miscfiles_read_localization(ulogd_t)
 +
 +permissive ulogd_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/virt.fc	2008-10-28 10:56:19.000000000 -0400
@ -24445,8 +24703,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.13/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/virt.if	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/virt.if	2008-11-04 11:58:23.000000000 -0500
-@@ -78,6 +78,24 @@
+@@ -41,6 +41,27 @@
 ########################################
 ## <summary>
 +##	manage virt config files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_manage_config',`
 +	gen_require(`
 +		type virt_etc_t;
 +		type virt_etc_rw_t;
 +	')
 +
 +	files_search_etc($1)
 +	manage_files_pattern($1, virt_etc_t, virt_etc_t)
 +	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 +')
 +
 +########################################
 +## <summary>
 ##	Read virt PID files.
 ## </summary>
 ## <param name="domain">
@@ -78,6 +99,24 @@
 ########################################
 ## <summary>
@ -24471,7 +24757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Search virt lib directories.
 ## </summary>
 ## <param name="domain">
-@@ -196,6 +214,35 @@
+@@ -196,6 +235,35 @@
 ########################################
 ## <summary>
@ -24507,7 +24793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Allow domain to manage virt image files
 ## </summary>
 ## <param name="domain">
-@@ -214,6 +261,7 @@
+@@ -214,6 +282,7 @@
 	manage_dirs_pattern($1, virt_image_t, virt_image_t)
 	manage_files_pattern($1, virt_image_t, virt_image_t)
 	read_lnk_files_pattern($1, virt_image_t, virt_image_t)
@ -24515,7 +24801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	tunable_policy(`virt_use_nfs',`
 		fs_manage_nfs_dirs($1)
-@@ -243,11 +291,17 @@
+@@ -243,11 +312,17 @@
 interface(`virt_admin',`
 	gen_require(`
 		type virtd_t;
@ -24779,7 +25065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/xserver.if	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if	2008-11-04 13:27:32.000000000 -0500
@@ -16,6 +16,7 @@
 	gen_require(`
 		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@ -24990,11 +25276,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -	files_read_etc_files($1_xauth_t)
 -	files_search_pids($1_xauth_t)
-+	ps_process_pattern($2,xauth_t)
+-
 -	fs_getattr_xattr_fs($1_xauth_t)
 -	fs_search_auto_mountpoints($1_xauth_t)
-
+	ps_process_pattern($2,xauth_t)
 -	# cjp: why?
 -	term_use_ptmx($1_xauth_t)
 -
@ -25586,8 +25872,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	gen_require(`
 -		type $1_xauth_t, xauth_exec_t;
 +		type xauth_t, xauth_exec_t;
-+	')
+ 	')
-+
+ 
 -	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 +	domtrans_pattern($2, xauth_exec_t, xauth_t)
 +')
 +
@ -25619,9 +25906,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +template(`xserver_read_user_xauth',`
 +	gen_require(`
 +		type xauth_home_t;
- 	')
+	')
- 
+
 -	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 +	allow $2 xauth_home_t:file read_file_perms;
 +')
 +
@ -25871,7 +26157,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain complete control over the
 ##	display.
-@@ -1710,8 +2020,157 @@
+@@ -1710,8 +2020,176 @@
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -25884,6 +26170,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
 +##	Read xserver files created in /var/run
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`xserver_read_pid',`
 +	gen_require(`
 +		type xserver_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Execute xserver files created in /var/run
 +## </summary>
 +## <param name="domain">
@ -25995,8 +26300,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +interface(`xserver_dontaudit_rw_xdm_home_files',`
 +	gen_require(`
 +		type xdm_home_t;
-+	')
+ 	')
-+
+ 
 -	typeattribute $1 xserver_unconfined_type;
 +	dontaudit $1 xdm_home_t:file rw_file_perms;
 +')
 +
@ -26015,9 +26321,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +interface(`xserver_use_xdm',`
 +	gen_require(`
 +		type xdm_t, xdm_tmp_t;
- 	')
+	')
- 
+
 -	typeattribute $1 xserver_unconfined_type;
 +	allow $1 xdm_t:fd use;
 +	allow $1 xdm_t:fifo_file rw_fifo_file_perms;
 +	dontaudit $1 xdm_t:tcp_socket { read write };
@ -27665,6 +27970,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	xserver_rw_xdm_home_files(daemon)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.5.13/policy/modules/system/ipsec.fc
 --- nsaserefpolicy/policy/modules/system/ipsec.fc	2008-08-07 11:15:12.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc	2008-11-05 10:40:04.000000000 -0500
@@ -26,6 +26,7 @@
 /usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 +/usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.13/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2008-10-16 17:21:16.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/system/ipsec.te	2008-10-28 10:56:19.000000000 -0400
@ -27811,7 +28127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-08-13 15:24:56.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc	2008-11-05 11:29:07.000000000 -0500
@@ -60,12 +60,15 @@
 #
 # /opt
@ -27909,7 +28225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ') dnl end distro_redhat
 #
-@@ -310,3 +329,15 @@
+@@ -310,3 +329,18 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@ -27925,6 +28241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/libmpeg2\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2008-10-14 11:58:09.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/system/libraries.te	2008-10-28 10:56:19.000000000 -0400
@ -33597,7 +33916,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.13/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/xen.if	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/xen.if	2008-11-04 11:36:33.000000000 -0500
@@ -155,7 +155,7 @@
 	stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t)
 ')
 -########################################
 +#######################################
 ## <summary>
 ##	Connect to xend over an unix domain stream socket.
 ## </summary>
@@ -167,11 +167,14 @@
 #
 interface(`xen_stream_connect',`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -457,10 +457,15 @@ exit 0
 %endif
 %changelog
 * Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-15
 - Allow hal/pm-utils to look at /var/run/video.rom
 - Add ulogd policy
 * Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-14
 - Additional fixes for cyphesis
 - Fix certmaster file context
 - Add policy for system-config-samba
 - Allow hal to read /var/run/video.rom
 * Mon Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-13
 - Allow dhcpc to restart ypbind