- New permissions for syslog

- New labels for /lib/upstart
2010-07-26 20:32:18 +00:00 · 2010-07-26 20:32:18 +00:00 · 8d55a410dc
commit 8d55a410dc
parent f3fc10528f
5 changed files with 362 additions and 82 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -968,6 +968,13 @@ mls = base
 # 
 mock = module
 # Layer: services
 # Module: mojomojo
 #
 # Wiki server
 # 
 mojomojo = module
 # Layer: system
 # Module: modutils
 #
--- a/modules-mls.conf
+++ b/modules-mls.conf
@ -920,6 +920,13 @@ modemmanager = module
 # 
 modutils = base
 # Layer: services
 # Module: mojomojo
 #
 # Wiki server
 # 
 mojomojo = module
 # Layer: apps
 # Module: mono
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -968,6 +968,13 @@ mls = base
 # 
 mock = module
 # Layer: services
 # Module: mojomojo
 #
 # Wiki server
 # 
 mojomojo = module
 # Layer: system
 # Module: modutils
 #
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -339,8 +339,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.8.8/policy/modules/admin/accountsd.te
 --- nsaserefpolicy/policy/modules/admin/accountsd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te	2010-07-20 10:46:10.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te	2010-07-26 13:19:45.000000000 -0400
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,64 @@
 +policy_module(accountsd,1.0.0)
 +
 +########################################
@ -351,6 +351,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
 +type accountsd_t;
 +type accountsd_exec_t;
 +dbus_system_domain(accountsd_t, accountsd_exec_t)
 +init_daemon_domain(accountsd_t, accountsd_exec_t)
 +role system_r types accountsd_t;
 +
 +type accountsd_var_lib_t;
 +files_type(accountsd_var_lib_t)
@ -6230,7 +6232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
 		dbus_session_bus_client($1_wm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-07-20 11:36:00.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-07-26 07:56:45.000000000 -0400
@@ -9,8 +9,10 @@
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@ -6252,7 +6254,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /etc/profile.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /etc/xen/qemu-ifup		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -145,6 +150,10 @@
+@@ -126,6 +131,7 @@
 /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
 ')
 +/lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 #
 # /sbin
@@ -145,6 +151,10 @@
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@ -6263,7 +6273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 ifdef(`distro_gentoo',`
 /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
 /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -169,6 +178,7 @@
+@@ -169,6 +179,7 @@
 /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@ -6271,7 +6281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +238,8 @@
+@@ -228,6 +239,8 @@
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -6280,7 +6290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +326,7 @@
+@@ -314,6 +327,7 @@
 /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@ -6288,7 +6298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 ')
 ifdef(`distro_suse', `
-@@ -340,3 +353,24 @@
+@@ -340,3 +354,24 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -6509,7 +6519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-07-20 11:30:38.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-07-26 14:00:19.000000000 -0400
@@ -606,6 +606,24 @@
 ########################################
@ -6662,7 +6672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 allow devices_unconfined_type mtrr_device_t:file *;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.8.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/domain.if	2010-07-20 10:46:10.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/domain.if	2010-07-23 08:55:47.000000000 -0400
@@ -611,7 +611,7 @@
 ########################################
@ -7014,7 +7024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-07-20 13:55:05.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-07-26 13:59:34.000000000 -0400
@@ -1053,10 +1053,8 @@
 	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@ -7265,7 +7275,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-@@ -5522,6 +5687,7 @@
+@@ -5505,6 +5670,26 @@
 ########################################
 ## <summary>
 +##	manage all pidfile directories
 +##	in the /var/run directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_manage_all_pids_dirs',`
 +	gen_require(`
 +		attribute pidfile;
 +	')
 +
 +	manage_dirs_pattern($1,pidfile,pidfile)
 +')
 +
 +
 +########################################
 +## <summary>
 ##	Read all process ID files.
 ## </summary>
 ## <param name="domain">
@@ -5522,6 +5707,7 @@
 	list_dirs_pattern($1, var_t, pidfile)
 	read_files_pattern($1, pidfile, pidfile)
@ -7273,7 +7310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 ########################################
-@@ -5807,3 +5973,229 @@
+@@ -5807,3 +5993,229 @@
 	typeattribute $1 files_unconfined_type;
 ')
@ -7537,6 +7574,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 files_type(etc_runtime_t)
 #Temporarily in policy until FC5 dissappears
 typealias etc_runtime_t alias firstboot_rw_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc
 --- nsaserefpolicy/policy/modules/kernel/filesystem.fc	2010-06-08 10:35:48.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc	2010-07-26 14:44:11.000000000 -0400
@@ -1,3 +1,3 @@
 /dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 -/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
 +/cgroup(/.*)? 	 	gen_context(system_u:object_r:cgroup_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-07-14 11:21:53.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-07-21 11:43:41.000000000 -0400
@ -7941,7 +7986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
 # Unlabeled process local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.8.8/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if	2010-07-20 10:46:10.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if	2010-07-26 13:20:35.000000000 -0400
@@ -40,7 +40,7 @@
 	# because of this statement, any module which
@ -8001,7 +8046,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.8.8/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2010-06-04 17:11:28.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc	2010-07-21 10:39:42.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc	2010-07-23 09:57:06.000000000 -0400
@@ -5,7 +5,7 @@
 /dev/n?osst[0-3].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/n?pt[0-9]+		-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
 -/dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/dev/[shmvx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
@@ -77,3 +77,6 @@
 /dev/scramdisk/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@ -10478,13 +10532,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
 # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-07-22 11:54:47.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-07-23 06:10:20.000000000 -0400
-@@ -20,11 +20,11 @@
+@@ -24,7 +24,6 @@
 /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
 +/usr/bin/mojomojo_fastcgi\.pl 	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@ -10492,7 +10541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,10 +43,10 @@
+@@ -43,7 +42,6 @@
 /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
@ -10500,11 +10549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 /usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/mojomojo/root(/.*)? 		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -74,6 +72,7 @@
 /usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/mythweb/mythweb\.pl		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -74,6 +74,7 @@
 /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@ -10512,7 +10557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
-@@ -86,7 +87,6 @@
+@@ -86,7 +85,6 @@
 /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
@ -10520,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ifdef(`distro_debian', `
 /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +109,17 @@
+@@ -109,3 +107,16 @@
 /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@ -10532,7 +10577,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/lib/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/mojomojo(/.*)?  		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 +/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@ -10540,7 +10584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.if	2010-07-21 11:17:41.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/apache.if	2010-07-23 08:55:49.000000000 -0400
@@ -13,17 +13,13 @@
 #
 template(`apache_content_template',`
@ -12025,8 +12069,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
 +/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.8.8/policy/modules/services/bugzilla.if
 --- nsaserefpolicy/policy/modules/services/bugzilla.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if	2010-07-20 10:46:10.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if	2010-07-23 06:11:39.000000000 -0400
-@@ -0,0 +1,39 @@
+@@ -0,0 +1,81 @@
 +## <summary>Bugzilla server</summary>
 +
 +########################################
@ -12066,6 +12110,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
 +
 +	dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
 +')
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate 
 +##	an bugzilla environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	The role to be allowed to manage the bugzilla domain.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`bugzilla_admin',`
 +	gen_require(`
 +		type httpd_bugzilla_script_t;
 +		type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
 +		type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
 +		type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
 +	')
 +
 +	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, httpd_bugzilla_script_t)
 +
 +	files_list_tmps($1)
 +	admin_pattern($1, httpd_bugzilla_tmp_t)
 +
 +	files_search_var_lib(httpd_bugzilla_script_t)
 +
 +	apache_search_sys_content($1)
 +	admin_pattern($1, httpd_bugzilla_script_exec_t)
 +	admin_pattern($1, httpd_bugzilla_script_t)
 +	admin_pattern($1, httpd_bugzilla_content_t)
 +	admin_pattern($1, httpd_bugzilla_htaccess_t)
 +	admin_pattern($1, httpd_bugzilla_rw_content_t)
 +	admin_pattern($1, httpd_bugzilla_ra_content_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.8.8/policy/modules/services/bugzilla.te
 --- nsaserefpolicy/policy/modules/services/bugzilla.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/bugzilla.te	2010-07-20 10:46:10.000000000 -0400
@ -13130,7 +13216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.8/policy/modules/services/cobbler.te
 --- nsaserefpolicy/policy/modules/services/cobbler.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.te	2010-07-20 10:46:10.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/cobbler.te	2010-07-22 16:37:05.000000000 -0400
@@ -1,3 +1,4 @@
 +
 policy_module(cobbler, 1.1.0)
@ -13225,7 +13311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,39 +92,92 @@
+@@ -52,39 +92,93 @@
 setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
@ -13268,6 +13354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 +files_read_etc_runtime_files(cobblerd_t)
 files_read_usr_files(cobblerd_t)
 files_list_boot(cobblerd_t)
 +files_read_boot_files(cobblerd_t)
 files_list_tmp(cobblerd_t)
 -# read /etc/nsswitch.conf
 -files_read_etc_files(cobblerd_t)
@ -13322,7 +13409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 optional_policy(`
 	bind_read_config(cobblerd_t)
 	bind_write_config(cobblerd_t)
-@@ -95,6 +188,10 @@
+@@ -95,6 +189,10 @@
 ')
 optional_policy(`
@ -13333,7 +13420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 	dhcpd_domtrans(cobblerd_t)
 	dhcpd_initrc_domtrans(cobblerd_t)
 ')
-@@ -110,12 +207,20 @@
+@@ -110,12 +208,20 @@
 ')
 optional_policy(`
@ -13357,7 +13444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 ')
 ########################################
-@@ -123,6 +228,18 @@
+@@ -123,6 +229,18 @@
 # Cobbler web local policy.
 #
@ -13594,7 +13681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.8/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.if	2010-07-21 08:55:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/cron.if	2010-07-23 08:29:53.000000000 -0400
@@ -12,6 +12,10 @@
 ## </param>
 #
@ -13637,7 +13724,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 	tunable_policy(`fcron_crond',`
 		# fcron wants an instant update of a crontab change for the administrator
-@@ -154,27 +164,14 @@
+@@ -106,6 +116,8 @@
 interface(`cron_role',`
 	gen_require(`
 		type cronjob_t, crontab_t, crontab_exec_t;
 +		type user_cron_spool_t;
 +		type crond_t;
 	')
 	role $1 types { cronjob_t crontab_t };
@@ -116,6 +128,12 @@
 	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, crontab_t)
 +	allow crond_t $2:process transition;
 +	allow $2 crond_t:process sigchld;
 +
 +	# needs to be authorized SELinux context for cron
 +	allow $2 user_cron_spool_t:file entrypoint;
 +
 	# crontab shows up in user ps
 	ps_process_pattern($2, crontab_t)
 	allow $2 crontab_t:process signal;
@@ -154,27 +172,14 @@
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
@ -13667,7 +13776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
-@@ -408,7 +405,43 @@
+@@ -408,7 +413,43 @@
 		type crond_t;
 	')
@ -13712,7 +13821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ')
 ########################################
-@@ -554,7 +587,7 @@
+@@ -554,7 +595,7 @@
 		type system_cronjob_t;
 	')
@ -13721,7 +13830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ')
 ########################################
-@@ -587,11 +620,14 @@
+@@ -587,11 +628,14 @@
 #
 interface(`cron_read_system_job_tmp_files',`
 	gen_require(`
@ -13737,7 +13846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ')
 ########################################
-@@ -627,7 +663,48 @@
+@@ -627,7 +671,48 @@
 interface(`cron_dontaudit_write_system_job_tmp_files',`
 	gen_require(`
 		type system_cronjob_tmp_t;
@ -15958,6 +16067,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.
 mta_send_mail(innd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.8.8/policy/modules/services/kerberos.fc
 --- nsaserefpolicy/policy/modules/services/kerberos.fc	2009-07-23 14:11:04.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/kerberos.fc	2010-07-23 06:51:35.000000000 -0400
@@ -8,7 +8,7 @@
 /etc/krb5kdc/kadm5\.keytab 	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
 /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 -/etc/rc\.d/init\.d/kadmind	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/kadmin 	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.8/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2010-06-18 13:07:19.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/kerberos.te	2010-07-20 10:46:10.000000000 -0400
@ -16702,6 +16823,111 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode
 +optional_policy(`
 	udev_read_db(modemmanager_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.fc serefpolicy-3.8.8/policy/modules/services/mojomojo.fc
 --- nsaserefpolicy/policy/modules/services/mojomojo.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/mojomojo.fc	2010-07-23 06:06:40.000000000 -0400
@@ -0,0 +1,5 @@
 +/usr/bin/mojomojo_fastcgi\.pl	--	gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
 +
 +/usr/share/mojomojo/root(/.*)? 		gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
 +
 +/var/lib/mojomojo(/.*)?  		gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.if serefpolicy-3.8.8/policy/modules/services/mojomojo.if
 --- nsaserefpolicy/policy/modules/services/mojomojo.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/mojomojo.if	2010-07-23 06:39:20.000000000 -0400
@@ -0,0 +1,43 @@
 +## <summary>Mojomojo server</summary>
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate 
 +##	an mojomojo environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	The role to be allowed to manage the mojomojo domain.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`mojomojo_admin',`
 +	gen_require(`
 +		type httpd_mojomojo_script_t;
 +		type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
 +		type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t;
 +		type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
 +	')
 +
 +	allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, httpd_mojomojo_script_t)
 +
 +	files_list_tmp($1)
 +	admin_pattern($1, httpd_mojomojo_tmp_t)
 +
 +	files_search_var_lib(httpd_mojomojo_script_t)
 +
 +	apache_search_sys_content($1)
 +	admin_pattern($1, httpd_mojomojo_script_exec_t)
 +	admin_pattern($1, httpd_mojomojo_script_t)
 +	admin_pattern($1, httpd_mojomojo_content_t)
 +	admin_pattern($1, httpd_mojomojo_htaccess_t)
 +	admin_pattern($1, httpd_mojomojo_rw_content_t)
 +	admin_pattern($1, httpd_mojomojo_ra_content_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.te serefpolicy-3.8.8/policy/modules/services/mojomojo.te
 --- nsaserefpolicy/policy/modules/services/mojomojo.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/mojomojo.te	2010-07-23 06:08:31.000000000 -0400
@@ -0,0 +1,45 @@
 +policy_module(mojomojo, 1.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +apache_content_template(mojomojo)
 +
 +type httpd_mojomojo_tmp_t;
 +files_tmp_file(httpd_mojomojo_tmp_t)
 +
 +########################################
 +#
 +# mojomojo local policy
 +#
 +
 +allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 +
 +manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
 +manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
 +files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
 +
 +corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
 +corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
 +
 +corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
 +corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
 +
 +corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
 +corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
 +
 +files_search_var_lib(httpd_mojomojo_script_t)
 +
 +mta_send_mail(httpd_mojomojo_script_t)
 +
 +sysnet_dns_name_resolve(httpd_mojomojo_script_t)
 +
 +optional_policy(`
 +	mysql_stream_connect(httpd_mojomojo_script_t)
 +')
 +
 +optional_policy(`
 +	postgresql_stream_connect(httpd_mojomojo_script_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.8.8/policy/modules/services/mpd.fc
 --- nsaserefpolicy/policy/modules/services/mpd.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/mpd.fc	2010-07-20 10:46:10.000000000 -0400
@ -17749,7 +17975,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.8.8/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nis.fc	2010-07-20 10:46:10.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/nis.fc	2010-07-23 09:52:27.000000000 -0400
@@ -1,5 +1,5 @@
 /etc/rc\.d/init\.d/ypbind	--	gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/yppasswd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/yppasswdd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ypserv	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ypxfrd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 /etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
@@ -11,6 +11,7 @@
 /usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
@ -22976,6 +23209,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
 #######################################
 ## <summary>
 ##	Read varnish logs.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.8.8/policy/modules/services/varnishd.te
 --- nsaserefpolicy/policy/modules/services/varnishd.te	2010-06-18 13:07:19.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/varnishd.te	2010-07-26 07:45:50.000000000 -0400
@@ -50,7 +50,7 @@
 # varnishd local policy
 #
 -allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
 +allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
 allow varnishd_t self:process signal;
 allow varnishd_t self:fifo_file rw_fifo_file_perms;
 allow varnishd_t self:tcp_socket create_stream_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.8/policy/modules/services/vhostmd.if
 --- nsaserefpolicy/policy/modules/services/vhostmd.if	2010-03-29 15:04:22.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if	2010-07-21 11:07:39.000000000 -0400
@ -26448,7 +26693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-07-22 12:34:15.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-07-26 14:00:27.000000000 -0400
@@ -16,6 +16,27 @@
 ## </desc>
 gen_tunable(init_upstart, false)
@ -26560,7 +26805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,61 @@
+@@ -185,15 +216,64 @@
 	sysadm_shell_domtrans(init_t)
 ')
@ -26580,10 +26825,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +
 +	dev_write_kmsg(init_t)
 +	dev_rw_autofs(init_t)
-+	dev_rw_generic_chr_files(init_t)
+	dev_manage_generic_dirs(init_t)
 +	dev_create_generic_dirs(init_t)
 +
 +	files_mounton_all_mountpoints(init_t)
 +	files_manage_all_pids_dirs(init_t)
 +
 +	fs_manage_cgroup_dirs(init_t)
 +	fs_manage_tmpfs_dirs(init_t)
@ -26593,8 +26838,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +	fs_write_cgroup_files(init_t)
 +
 +	selinux_compute_create_context(init_t)
 +	selinux_validate_context(init_t)
 +
 +	init_read_script_state(init_t)
 +
 +	seutil_read_file_contexts(init_t)
 +')
 +
 optional_policy(`
@ -26622,7 +26870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	nscd_socket_use(init_t)
 ')
-@@ -211,7 +288,7 @@
+@@ -211,7 +291,7 @@
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -26631,7 +26879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -240,6 +317,7 @@
+@@ -240,6 +320,7 @@
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -26639,7 +26887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +335,22 @@
+@@ -257,11 +338,22 @@
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -26662,7 +26910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 corecmd_exec_all_executables(initrc_t)
-@@ -297,11 +386,13 @@
+@@ -297,11 +389,13 @@
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -26676,7 +26924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-@@ -320,8 +411,10 @@
+@@ -320,8 +414,10 @@
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -26688,7 +26936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
-@@ -337,6 +430,8 @@
+@@ -337,6 +433,8 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -26697,7 +26945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 fs_delete_cgroup_dirs(initrc_t)
 fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +445,8 @@
+@@ -350,6 +448,8 @@
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -26706,7 +26954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
-@@ -362,6 +459,7 @@
+@@ -362,6 +462,7 @@
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -26714,7 +26962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 selinux_get_enforce_mode(initrc_t)
-@@ -393,13 +491,14 @@
+@@ -393,13 +494,14 @@
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -26730,7 +26978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +571,7 @@
+@@ -472,7 +574,7 @@
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -26739,7 +26987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -518,6 +617,19 @@
+@@ -518,6 +620,19 @@
 	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
@ -26759,7 +27007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	')
 	optional_policy(`
-@@ -525,10 +637,17 @@
+@@ -525,10 +640,17 @@
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -26777,7 +27025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	')
 	optional_policy(`
-@@ -543,6 +662,35 @@
+@@ -543,6 +665,35 @@
 	')
 ')
@ -26813,7 +27061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +703,8 @@
+@@ -555,6 +706,8 @@
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -26822,7 +27070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -571,6 +721,7 @@
+@@ -571,6 +724,7 @@
 optional_policy(`
 	cgroup_stream_connect(initrc_t)
@ -26830,7 +27078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -583,6 +734,11 @@
+@@ -583,6 +737,11 @@
 ')
 optional_policy(`
@ -26842,7 +27090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -599,6 +755,7 @@
+@@ -599,6 +758,7 @@
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -26850,7 +27098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
-@@ -700,7 +857,12 @@
+@@ -700,7 +860,12 @@
 ')
 optional_policy(`
@ -26863,7 +27111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -723,6 +885,10 @@
+@@ -723,6 +888,10 @@
 ')
 optional_policy(`
@ -26874,7 +27122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -765,8 +931,6 @@
+@@ -765,8 +934,6 @@
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -26883,7 +27131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -779,10 +943,12 @@
+@@ -779,10 +946,12 @@
 	squid_manage_logs(initrc_t)
 ')
@ -26896,7 +27144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +970,19 @@
+@@ -804,11 +973,19 @@
 ')
 optional_policy(`
@ -26917,7 +27165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +992,25 @@
+@@ -818,6 +995,25 @@
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -26943,7 +27191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -843,3 +1036,55 @@
+@@ -843,3 +1039,55 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -27900,7 +28148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 	domain_system_change_exemption($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/logging.te	2010-07-20 10:46:11.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/logging.te	2010-07-26 07:54:12.000000000 -0400
@@ -60,6 +60,7 @@
 type syslogd_t;
 type syslogd_exec_t;
@ -27971,7 +28219,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 sysnet_dns_name_resolve(audisp_remote_t)
 ########################################
-@@ -372,6 +394,11 @@
+@@ -369,9 +391,15 @@
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 files_search_var_lib(syslogd_t)
@ -27983,7 +28235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,6 +439,7 @@
+@@ -412,6 +440,7 @@
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
@ -27991,7 +28243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 domain_use_interactive_fds(syslogd_t)
-@@ -488,6 +516,10 @@
+@@ -488,6 +517,10 @@
 ')
 optional_policy(`
@ -28480,7 +28732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-07-20 10:46:11.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-07-22 16:44:21.000000000 -0400
@@ -17,8 +17,15 @@
 init_system_domain(mount_t, mount_exec_t)
 role system_r types mount_t;
@ -28521,7 +28773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 # setuid/setgid needed to mount cifs 
 -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 +allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
-+allow mount_t self:process { getcap getsched ptrace setcap signal };
+allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
 +allow mount_t self:fifo_file rw_fifo_file_perms;
 +allow mount_t self:unix_stream_socket create_stream_socket_perms;
 +allow mount_t self:unix_dgram_socket create_socket_perms; 
@ -28830,7 +29082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.8.8/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if	2010-07-20 10:46:11.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if	2010-07-26 13:21:09.000000000 -0400
@@ -361,6 +361,27 @@
 ########################################
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 3%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -469,6 +469,13 @@ exit 0
 %endif
 %changelog
 * Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-5
 - New permissions for syslog
 - New labels for /lib/upstart
 * Fri Jul 23 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-4
 - Add mojomojo policy
 * Thu Jul 22 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-3
 - Allow systemd to setsockcon on sockets to immitate other services