From a62c6405ccb5bf8078ee8a3264671a8c135cc61e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 2 Feb 2010 16:41:03 +0000 Subject: [PATCH] - Lots of fixes found in F12 --- modules-minimum.conf | 7 + modules-targeted.conf | 7 + policy-F13.patch | 1686 ++++++++++++++++++++++++++--------------- selinux-policy.spec | 7 +- sources | 2 +- 5 files changed, 1102 insertions(+), 607 deletions(-) diff --git a/modules-minimum.conf b/modules-minimum.conf index 35181dcb..6543a87e 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1589,6 +1589,13 @@ tgtd = module # udev = base +# Layer: services +# Module: usbmuxd +# +# Daemon for communicating with Apple's iPod Touch and iPhone +# +usbmuxd = module + # Layer: system # Module: userdomain # diff --git a/modules-targeted.conf b/modules-targeted.conf index 35181dcb..6543a87e 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1589,6 +1589,13 @@ tgtd = module # udev = base +# Layer: services +# Module: usbmuxd +# +# Daemon for communicating with Apple's iPod Touch and iPhone +# +usbmuxd = module + # Layer: system # Module: userdomain # diff --git a/policy-F13.patch b/policy-F13.patch index 732e5cfd..2c8fb1df 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.8/Makefile --- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.8/Makefile 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/Makefile 2010-02-02 10:31:03.000000000 -0500 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) 
@@ -12,7 +12,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.8/M all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.8/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/global_tunables 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/global_tunables 2010-02-02 10:31:03.000000000 -0500 @@ -61,15 +61,6 @@ ## @@ -50,7 +50,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.8/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/alsa.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/alsa.te 2010-02-02 10:31:03.000000000 -0500 @@ -51,6 +51,8 @@ files_read_etc_files(alsa_t) files_read_usr_files(alsa_t) @@ -62,7 +62,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te init_use_fds(alsa_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.8/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/anaconda.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/anaconda.te 2010-02-02 10:31:03.000000000 -0500 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) 
@@ -82,7 +82,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.8/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/brctl.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/brctl.te 2010-02-02 10:31:03.000000000 -0500 @@ -21,7 +21,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms; allow brctl_t self:tcp_socket create_socket_perms; @@ -94,7 +94,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.8/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/certwatch.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/certwatch.te 2010-02-02 10:31:03.000000000 -0500 @@ -36,7 +36,7 @@ miscfiles_read_localization(certwatch_t) @@ -106,7 +106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat apache_exec_modules(certwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.8/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/consoletype.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/consoletype.te 2010-02-02 10:31:03.000000000 -0500 @@ -10,7 +10,6 @@ type consoletype_exec_t; application_executable_file(consoletype_exec_t) 
@@ -125,7 +125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.7.8/policy/modules/admin/dmesg.fc --- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/dmesg.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/dmesg.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,2 +1,4 @@ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) @@ -133,7 +133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.f +/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.8/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/dmesg.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/dmesg.te 2010-02-02 10:31:03.000000000 -0500 @@ -9,6 +9,7 @@ type dmesg_t; type dmesg_exec_t; @@ -177,7 +177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t +dev_read_raw_memory(dmesg_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.8/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/firstboot.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/firstboot.te 2010-02-02 10:31:03.000000000 -0500 @@ -91,8 +91,12 @@ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) 
@@ -202,7 +202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.8/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-25 15:15:48.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/kismet.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/kismet.te 2010-02-02 10:31:03.000000000 -0500 @@ -45,6 +45,7 @@ manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) @@ -231,7 +231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.8/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/logrotate.te 2010-01-21 14:59:24.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/logrotate.te 2010-02-02 10:31:03.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -312,7 +312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.8/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/logwatch.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/logwatch.te 2010-02-02 10:31:03.000000000 -0500 @@ -93,6 +93,13 @@ sysnet_exec_ifconfig(logwatch_t) 
@@ -335,7 +335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.8/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/mrtg.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/mrtg.te 2010-02-02 10:31:03.000000000 -0500 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -346,7 +346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.8/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/netutils.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/netutils.te 2010-02-02 10:31:03.000000000 -0500 @@ -44,6 +44,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; @@ -374,7 +374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil term_use_all_user_ptys(traceroute_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.8/policy/modules/admin/portage.te --- nsaserefpolicy/policy/modules/admin/portage.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/portage.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/portage.te 2010-02-02 10:31:03.000000000 -0500 @@ -196,7 +196,7 @@ # - for rsync and distfile fetching # 
@@ -386,7 +386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage allow portage_fetch_t self:tcp_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.8/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/prelink.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/prelink.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) @@ -394,7 +394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.8/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/prelink.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/prelink.if 2010-02-02 10:31:03.000000000 -0500 @@ -21,6 +21,25 @@ ######################################## @@ -437,7 +437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.8/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/prelink.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/prelink.te 2010-02-02 10:31:03.000000000 -0500 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) 
@@ -493,15 +493,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink libs_manage_ld_so(prelink_t) libs_relabel_ld_so(prelink_t) libs_manage_shared_libs(prelink_t) -@@ -89,6 +106,7 @@ +@@ -89,6 +106,8 @@ miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) +userdom_manage_user_home_content(prelink_t) ++userdom_execmod_user_home_files(prelink_t) optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +117,58 @@ +@@ -99,5 +118,58 @@ ') optional_policy(` @@ -562,7 +563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.8/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/readahead.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/readahead.te 2010-02-02 10:31:03.000000000 -0500 @@ -52,6 +52,7 @@ files_list_non_security(readahead_t) @@ -573,7 +574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe files_dontaudit_getattr_all_sockets(readahead_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.8/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/rpm.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/rpm.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,18 +1,19 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) 
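Review bot: `userdom_execmod_user_home_files(prelink_t)` is added unconditionally beside the existing `userdom_manage_user_home_content(prelink_t)`, so prelink_t can now both rewrite and map-executable ELF files owned by unprivileged users, and since this same patch labels /etc/cron.daily/prelink as prelink_cron_system_exec_t that work presumably runs with root privileges from system cron over user-controlled input. Nothing in the hunk records why the permission is needed, and prelinking libraries under $HOME is the exception rather than the common case. Consider making both userdom_* lines conditional on a boolean that defaults to off, and in any case add a why-comment such as `# prelink rewrites and then execmaps libraries found under user home dirs, hence manage + execmod`. The remaining prelink_t rules continue outside this hunk.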
@@ -626,7 +627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.8/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-01-28 10:15:39.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-02-02 10:31:03.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -1039,7 +1040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.8/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/rpm.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/rpm.te 2010-02-02 10:31:03.000000000 -0500 @@ -15,6 +15,9 @@ domain_interactive_fd(rpm_t) role system_r types rpm_t; @@ -1316,7 +1317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te java_domtrans_unconfined(rpm_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.8/policy/modules/admin/shorewall.fc --- nsaserefpolicy/policy/modules/admin/shorewall.fc 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/shorewall.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/shorewall.fc 2010-02-02 10:31:03.000000000 -0500 @@ -4,8 +4,11 @@ /etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) /etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) 
@@ -1332,7 +1333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa +/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.8/policy/modules/admin/shorewall.if --- nsaserefpolicy/policy/modules/admin/shorewall.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/shorewall.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/shorewall.if 2010-02-02 10:31:03.000000000 -0500 @@ -75,6 +75,46 @@ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) ') @@ -1382,7 +1383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.8/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/shorewall.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/shorewall.te 2010-02-02 10:31:03.000000000 -0500 @@ -29,6 +29,9 @@ type shorewall_var_lib_t; files_type(shorewall_var_lib_t) @@ -1415,7 +1416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.8/policy/modules/admin/smoltclient.fc --- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) 
@@ -1423,12 +1424,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.8/policy/modules/admin/smoltclient.if --- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1 @@ +## The Fedora hardware profiler client diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.8/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.te 2010-01-27 09:39:20.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,66 @@ +policy_module(smoltclient,1.0.0) + @@ -1498,7 +1499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.8/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/sudo.if 2010-01-21 15:18:30.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/sudo.if 2010-02-02 10:31:03.000000000 -0500 @@ -66,8 +66,8 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; 
@@ -1545,7 +1546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.8/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/tmpreaper.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/tmpreaper.te 2010-02-02 10:31:03.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1580,7 +1581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.8/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/usermanage.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/usermanage.if 2010-02-02 10:31:03.000000000 -0500 @@ -113,6 +113,12 @@ files_search_usr($1) corecmd_search_bin($1) @@ -1608,7 +1609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.8/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/usermanage.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/usermanage.te 2010-02-02 10:31:03.000000000 -0500 @@ -82,6 +82,7 @@ selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) 
@@ -1740,7 +1741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.8/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/vbetool.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/vbetool.te 2010-02-02 10:31:03.000000000 -0500 @@ -15,15 +15,20 @@ # Local policy # @@ -1775,7 +1776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.8/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/vpn.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/vpn.te 2010-02-02 10:31:03.000000000 -0500 @@ -46,6 +46,7 @@ kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) @@ -1797,13 +1798,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te dbus_system_bus_client(vpnc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.8/policy/modules/apps/chrome.fc --- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/chrome.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/chrome.fc 2010-02-02 10:31:03.000000000 -0500 
@@ -0,0 +1,2 @@ + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.8/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/chrome.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/chrome.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,86 @@ + +## policy for chrome @@ -1893,7 +1894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.8/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/chrome.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/chrome.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,82 @@ +policy_module(chrome,1.0.0) + @@ -1979,7 +1980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.8/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/cpufreqselector.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/cpufreqselector.te 2010-02-02 10:31:03.000000000 -0500 @@ -26,7 +26,7 @@ dev_rw_sysfs(cpufreqselector_t) 
@@ -1991,12 +1992,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.8/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/execmem.fc 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,42 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/execmem.fc 2010-02-02 10:31:03.000000000 -0500 +@@ -0,0 +1,43 @@ +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/mutter -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2037,7 +2039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.8/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/execmem.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/execmem.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,103 @@ +## execmem domain + 
@@ -2144,7 +2146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.8/policy/modules/apps/execmem.te --- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/execmem.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/execmem.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(execmem, 1.0.0) @@ -2159,14 +2161,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.8/policy/modules/apps/firewallgui.fc --- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.8/policy/modules/apps/firewallgui.if --- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,23 @@ + +## policy for firewallgui 
@@ -2193,8 +2195,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.8/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.te 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,62 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.te 2010-02-02 10:31:03.000000000 -0500 +@@ -0,0 +1,66 @@ + +policy_module(firewallgui,1.0.0) + @@ -2254,12 +2256,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +iptables_initrc_domtrans(firewallgui_t) + +optional_policy(` ++ gnome_read_gconf_home_files(firewallgui_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(firewallgui_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.8/policy/modules/apps/gitosis.if --- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/gitosis.if 2010-01-26 09:29:35.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/gitosis.if 2010-02-02 10:31:03.000000000 -0500 @@ -43,3 +43,47 @@ role $2 types gitosis_t; ') @@ -2310,7 +2316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.8/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/gnome.fc 2010-01-21 11:03:33.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/gnome.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,8 +1,25 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) 
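Review bot: The new `gnome_read_gconf_home_files(firewallgui_t)` block lets the system-config-firewall mechanism, which the same file also allows to transition into the iptables init script (`iptables_initrc_domtrans(firewallgui_t)`) and to chat with policykit, read gconf files from every user's home directory. If the access was only added to silence denials from a gconf client library initialising, a dontaudit variant of the interface, if gnome.if provides one, would be the least-privilege choice for a root-run D-Bus backend. If the mechanism genuinely consumes user gconf data, state that next to the call, e.g. `# mechanism reads the invoking user's gconf settings; confirm this is not just library start-up noise`. The rest of firewallgui_t's policy lies outside this hunk.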
@@ -2341,7 +2347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.8/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/gnome.if 2010-01-25 12:24:02.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/gnome.if 2010-02-02 10:31:03.000000000 -0500 @@ -74,6 +74,24 @@ ######################################## @@ -2580,7 +2586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.8/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/gnome.te 2010-01-21 11:01:47.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/gnome.te 2010-02-02 10:31:03.000000000 -0500 @@ -7,18 +7,33 @@ # @@ -2731,7 +2737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.8/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/gpg.fc 2010-01-18 15:36:53.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/gpg.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,4 +1,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) 
@@ -2740,7 +2746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.8/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/gpg.te 2010-01-18 15:47:52.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/gpg.te 2010-02-02 10:31:03.000000000 -0500 @@ -130,10 +130,10 @@ xserver_rw_xdm_pipes(gpg_t) ') @@ -2758,7 +2764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.8/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/java.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/java.fc 2010-02-02 10:31:03.000000000 -0500 @@ -2,15 +2,17 @@ # /opt # @@ -2801,7 +2807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/java.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/java.if 2010-02-02 10:31:03.000000000 -0500 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; 
@@ -2946,7 +2952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.8/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/java.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/java.te 2010-02-02 10:31:03.000000000 -0500 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; @@ -2994,19 +3000,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.8/policy/modules/apps/kdumpgui.fc --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.8/policy/modules/apps/kdumpgui.if --- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.if 2010-02-02 10:31:03.000000000 -0500 
@@ -0,0 +1,2 @@ +## system-config-kdump policy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.8/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,64 @@ +policy_module(kdumpgui,1.0.0) + @@ -3074,13 +3080,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.8/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/livecd.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/livecd.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.8/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/livecd.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/livecd.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,52 @@ + +## policy for livecd 
@@ -3136,7 +3142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.8/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/livecd.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/livecd.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,27 @@ +policy_module(livecd, 1.0.0) + @@ -3167,7 +3173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.8/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/loadkeys.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/loadkeys.te 2010-02-02 10:31:03.000000000 -0500 @@ -40,8 +40,12 @@ miscfiles_read_localization(loadkeys_t) @@ -3184,13 +3190,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.7.8/policy/modules/apps/mono.fc --- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/mono.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/mono.fc 2010-02-02 10:31:03.000000000 -0500 
@@ -1 +1 @@ -/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0) +/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.8/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/mono.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/mono.if 2010-02-02 10:31:03.000000000 -0500 @@ -21,6 +21,105 @@ ######################################## @@ -3308,7 +3314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if corecmd_search_bin($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.7.8/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/mono.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/mono.te 2010-02-02 10:31:03.000000000 -0500 @@ -15,7 +15,7 @@ # Local policy # @@ -3334,7 +3340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.8/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) 
@@ -3353,7 +3359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.8/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.if 2010-02-02 10:31:03.000000000 -0500 @@ -48,6 +48,12 @@ mozilla_dbus_chat($2) @@ -3401,7 +3407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.8/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-02-02 10:31:03.000000000 -0500 @@ -91,6 +91,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) @@ -3462,7 +3468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.8/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.fc 2010-01-21 11:02:11.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,10 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) 
@@ -3476,7 +3482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.8/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,321 @@ + +## policy for nsplugin @@ -3801,7 +3807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.8/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,296 @@ + +policy_module(nsplugin, 1.0.0) @@ -4101,14 +4107,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.8/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/openoffice.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/openoffice.fc 2010-02-02 10:31:03.000000000 -0500 
@@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.8/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/openoffice.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/openoffice.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,92 @@ +## Openoffice + @@ -4204,7 +4210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.8/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/openoffice.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/openoffice.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(openoffice, 1.0.0) @@ -4219,7 +4225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi +application_domain(openoffice_t, openoffice_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.8/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/podsleuth.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/podsleuth.te 2010-02-02 10:31:03.000000000 -0500 @@ -50,6 +50,7 @@ fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) 
@@ -4245,7 +4251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut dbus_system_bus_client(podsleuth_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.8/policy/modules/apps/ptchown.if --- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/ptchown.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/ptchown.if 2010-02-02 10:31:03.000000000 -0500 @@ -18,3 +18,27 @@ domtrans_pattern($1, ptchown_exec_t, ptchown_t) ') @@ -4276,15 +4282,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.8/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.fc 2010-01-18 15:18:03.000000000 -0500 -@@ -1 +1,4 @@ - /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) -+ ++++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.fc 2010-02-02 10:31:03.000000000 -0500 +@@ -1 +1,7 @@ +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) ++ ++/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) ++ + /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if 2010-02-02 10:31:03.000000000 -0500 
@@ -40,7 +40,7 @@ userdom_manage_tmpfs_role($1, pulseaudio_t) @@ -4294,23 +4303,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') ######################################## -@@ -144,3 +144,61 @@ - allow pulseaudio_t $1:process signull; - allow $1 pulseaudio_t:unix_stream_socket connectto; - ') -+ -+######################################## -+## +@@ -127,7 +127,7 @@ + + ######################################## + ## +-## pulsaudio connection template. +## read pulseaudio homedir content -+## -+## -+## -+## The type of the user domain. -+## -+## -+# + ## + ## + ## +@@ -135,12 +135,72 @@ + ## + ## + # +-interface(`pulseaudio_stream_connect',` +template(`pulseaudio_read_home',` -+ gen_require(` + gen_require(` +- type pulseaudio_t; + type pulseaudio_home_t; + ') + @@ -4332,8 +4341,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud +template(`pulseaudio_manage_home',` + gen_require(` + type pulseaudio_home_t; -+ ') -+ + ') + + manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) 
@@ -4356,20 +4365,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + + allow $1 pulseaudio_home_t:dir setattr; +') ++ ++##################################### ++## ++## Connect to pulseaudio over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pulseaudio_stream_connect',` ++ gen_require(` ++ type pulseaudio_t, pulseaudio_var_run_t; ++ ') ++ ++ files_search_pids($1) + allow $1 pulseaudio_t:process signull; + allow pulseaudio_t $1:process signull; +- allow $1 pulseaudio_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.8/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.te 2010-01-18 15:18:03.000000000 -0500 -@@ -11,6 +11,9 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.te 2010-02-02 10:31:03.000000000 -0500 +@@ -11,6 +11,12 @@ application_domain(pulseaudio_t, pulseaudio_exec_t) role system_r types pulseaudio_t; ++type pulseaudio_var_run_t; ++files_pid_file(pulseaudio_var_run_t) ++ +type pulseaudio_home_t; +userdom_user_home_content(pulseaudio_home_t) + ######################################## # # pulseaudio local policy -@@ -18,7 +21,7 @@ +@@ -18,7 +24,7 @@ allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; allow pulseaudio_t self:fifo_file rw_file_perms; @@ -4378,7 +4413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; allow pulseaudio_t self:tcp_socket create_stream_socket_perms; allow pulseaudio_t self:udp_socket create_socket_perms; -@@ -26,6 +29,7 @@ +@@ -26,6 +32,7 @@ can_exec(pulseaudio_t, pulseaudio_exec_t) 
@@ -4386,7 +4421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud kernel_read_system_state(pulseaudio_t) kernel_read_kernel_sysctls(pulseaudio_t) -@@ -63,12 +67,17 @@ +@@ -63,12 +70,22 @@ miscfiles_read_localization(pulseaudio_t) optional_policy(` @@ -4394,6 +4429,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + bluetooth_stream_connect(pulseaudio_t) ') ++manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) ++manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) ++manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) ++files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) ++ +userdom_search_user_home_dirs(pulseaudio_t) +manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) +manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) @@ -4405,7 +4445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud optional_policy(` consolekit_dbus_chat(pulseaudio_t) -@@ -88,6 +97,10 @@ +@@ -88,6 +105,10 @@ ') optional_policy(` @@ -4416,7 +4456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -98,6 +111,8 @@ +@@ -98,6 +119,8 @@ ') optional_policy(` @@ -4427,7 +4467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.8/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/qemu.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/qemu.fc 2010-02-02 10:31:03.000000000 -0500 
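Review bot: `files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })` in the pulseaudio.te hunk omits sock_file even though the same hunk grants manage_sock_files_pattern on pulseaudio_var_run_t, so a socket the daemon creates directly under /var/run, rather than inside the /var/run/pulse directory this commit labels in pulseaudio.fc, would take the default pid label and the stream_connect_pattern added to pulseaudio_stream_connect would not cover it. If the native socket always lives inside /var/run/pulse this is harmless, since it inherits the directory's label; otherwise `files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file sock_file })` closes the gap. The vmware.te hunk further down has the same shape, `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })` next to a manage_sock_files_pattern on vmware_host_tmp_t, while the neighbouring pid filetrans there does include sock_file.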
@@ -1,2 +1,2 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) @@ -4435,7 +4475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.8/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-08-31 13:44:40.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/qemu.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/qemu.if 2010-02-02 10:31:03.000000000 -0500 @@ -40,6 +40,10 @@ qemu_domtrans($1) @@ -4638,7 +4678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.8/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/qemu.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/qemu.te 2010-02-02 10:31:03.000000000 -0500 @@ -13,15 +13,46 @@ ## gen_tunable(qemu_full_network, false) @@ -4749,18 +4789,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.8/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sambagui.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/sambagui.fc 2010-02-02 10:31:03.000000000 -0500 
@@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.8/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sambagui.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/sambagui.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-samba policy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.8/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sambagui.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/sambagui.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,61 @@ +policy_module(sambagui,1.0.0) + @@ -4825,12 +4865,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.8/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1 @@ +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.8/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if 2010-01-18 17:36:16.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if 2010-02-02 10:31:03.000000000 -0500 
@@ -0,0 +1,225 @@ + +## policy for sandbox @@ -5059,8 +5099,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.8/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te 2010-01-22 08:46:11.000000000 -0500 -@@ -0,0 +1,345 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te 2010-02-02 10:31:03.000000000 -0500 +@@ -0,0 +1,349 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -5309,6 +5349,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t) + +dev_read_rand(sandbox_web_client_t) ++dev_write_sound(sandbox_web_client_t) ++dev_read_sound(sandbox_web_client_t) + +# Browse the web, connect to printer +corenet_all_recvfrom_unlabeled(sandbox_web_client_t) @@ -5349,6 +5391,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +selinux_compute_user_contexts(sandbox_web_client_t) +seutil_read_default_contexts(sandbox_web_client_t) + ++userdom_rw_user_tmpfs_files(sandbox_web_client_t) ++ +optional_policy(` + nsplugin_read_rw_files(sandbox_web_client_t) + nsplugin_rw_exec(sandbox_web_client_t) @@ -5408,7 +5452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.8/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/screen.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/screen.if 2010-02-02 10:31:03.000000000 -0500 
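Review bot: `dev_read_sound(sandbox_web_client_t)` and `dev_write_sound(sandbox_web_client_t)` in the first sandbox.te hunk open the sound device nodes to sandboxed web content without a comment, while the neighbouring rules carry one (`# Browse the web, connect to printer`). Read access on the sound devices presumably covers capture as well as playback, so this widens what a sandboxed browser can reach beyond the network and printer the existing comment describes. A comment such as `# Audio for sandboxed web content; read access also reaches capture devices` would record the trade-off, and if only playback is needed the read grant deserves a second look.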
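Review bot: `userdom_rw_user_tmpfs_files(sandbox_web_client_t)` in the second sandbox.te hunk grants the sandboxed web client read and write access to the user's tmpfs files, presumably shared with the user's unsandboxed session, so it crosses the boundary the sandbox module exists to enforce and the hunk does not say which component needs it. The rest of this block is organised as commented groups of permissions, so the new rule reads as an unexplained exception. A comment naming the consumer, e.g. `# rw user tmpfs: required by <COMPONENT - fill in>; shared with the user's session`, would let a later reviewer judge whether it can be narrowed.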
@@ -141,6 +141,7 @@ userdom_create_user_pty($1_screen_t) userdom_user_home_domtrans($1_screen_t, $3) @@ -5419,7 +5463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i fs_cifs_domtrans($1_screen_t, $3) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.7.8/policy/modules/apps/sectoolm.fc --- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,6 @@ + +/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) @@ -5429,14 +5473,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm +/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.7.8/policy/modules/apps/sectoolm.if --- nsaserefpolicy/policy/modules/apps/sectoolm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,3 @@ + +## policy for sectool-mechanism + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.7.8/policy/modules/apps/sectoolm.te --- nsaserefpolicy/policy/modules/apps/sectoolm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,118 @@ + +policy_module(sectoolm,1.0.0) 
@@ -5558,7 +5602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.8/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if 2010-02-02 10:31:03.000000000 -0500 @@ -44,6 +44,8 @@ allow $1 seunshare_t:process signal_perms; @@ -5570,7 +5614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar dontaudit seunshare_t $1:udp_socket rw_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.8/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te 2010-02-02 10:31:03.000000000 -0500 @@ -15,9 +15,8 @@ # # seunshare local policy @@ -5584,7 +5628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar allow seunshare_t self:unix_stream_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.8/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/slocate.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/slocate.te 2010-02-02 10:31:03.000000000 -0500 @@ -50,6 +50,7 @@ fs_getattr_all_symlinks(locate_t) fs_list_all(locate_t) 
@@ -5595,7 +5639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. auth_use_nsswitch(locate_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.8/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/vmware.if 2010-01-25 10:36:28.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/vmware.if 2010-02-02 10:31:03.000000000 -0500 @@ -84,3 +84,22 @@ logging_search_logs($1) append_files_pattern($1, vmware_log_t, vmware_log_t) 
@@ -5619,9 +5663,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i + can_exec($1, vmware_host_exec_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.8/policy/modules/apps/vmware.te +--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/vmware.te 2010-02-02 10:31:03.000000000 -0500 +@@ -29,6 +29,10 @@ + type vmware_host_exec_t; + init_daemon_domain(vmware_host_t, vmware_host_exec_t) + ++type vmware_host_tmp_t; ++files_tmp_file(vmware_host_tmp_t) ++ubac_constrained(vmware_host_tmp_t) ++ + type vmware_host_pid_t alias vmware_var_run_t; + files_pid_file(vmware_host_pid_t) + +@@ -80,6 +84,11 @@ + # cjp: the ro and rw files should be split up + manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) + ++manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) ++manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) ++manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) ++files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir }) ++ + manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) + manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) + files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.8/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/wine.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/wine.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,4 +1,22 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) 
@@ -5650,7 +5720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc -/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.8/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/wine.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/wine.if 2010-02-02 10:31:03.000000000 -0500 @@ -43,3 +43,121 @@ wine_domtrans($1) role $2 types wine_t; @@ -5775,7 +5845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.8/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/wine.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/wine.te 2010-02-02 10:31:03.000000000 -0500 @@ -1,6 +1,14 @@ policy_module(wine, 1.6.0) @@ -5849,7 +5919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.fc 2010-02-02 10:31:03.000000000 -0500 @@ -44,15 +44,17 @@ /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) 
@@ -5922,7 +5992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.8/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.if 2010-02-02 10:31:03.000000000 -0500 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) 
@@ -5965,9 +6035,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.8/policy/modules/kernel/corenetwork.if.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/kernel/corenetwork.if.in 2010-02-02 10:31:03.000000000 -0500 +@@ -1705,6 +1705,24 @@ + + ######################################## + ## ++## dontaudit Read and write the TUN/TAP virtual network device. ++## ++## ++## ++## The domain allowed access. ++## ++## ++# ++interface(`corenet_dontaudit_rw_tun_tap_dev',` ++ gen_require(` ++ type tun_tap_device_t; ++ ') ++ ++ dontaudit $1 tun_tap_device_t:chr_file { read write }; ++') ++ ++######################################## ++## + ## Getattr the point-to-point device. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/corenetwork.te.in 2010-01-21 14:22:12.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/corenetwork.te.in 2010-02-02 10:31:03.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; 
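Review bot: The summary of the new `corenet_dontaudit_rw_tun_tap_dev` interface reads `dontaudit Read and write the TUN/TAP virtual network device.`, which does not follow the wording the other dontaudit interfaces added in this patch use (for example `Do not audit attempts to read or write all leaked files.` in files.if). Suggest `## Do not audit attempts to read and write the TUN/TAP virtual network device.` so the generated interface documentation stays uniform. The rule itself, `dontaudit $1 tun_tap_device_t:chr_file { read write };`, matches the stated intent.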
@@ -6121,7 +6219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc 2010-01-27 11:30:22.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc 2010-02-02 10:31:03.000000000 -0500 @@ -16,13 +16,16 @@ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) @@ -6139,7 +6237,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) -@@ -101,6 +104,7 @@ +@@ -80,6 +83,7 @@ + /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) + /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) +@@ -101,6 +105,7 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) 
@@ -6147,7 +6253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -159,6 +163,8 @@ +@@ -159,6 +164,8 @@ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) @@ -6158,7 +6264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-01-27 11:29:35.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-02-02 10:31:03.000000000 -0500 @@ -801,6 +801,24 @@ ######################################## @@ -6286,7 +6392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Do not audit attempts to get the attributes diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.8/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/devices.te 2010-01-27 11:29:16.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/devices.te 2010-02-02 10:31:03.000000000 -0500 @@ -232,6 +232,18 @@ type usb_device_t; dev_node(usb_device_t) 
@@ -6308,7 +6414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.8/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/kernel/domain.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/domain.if 2010-02-02 10:31:03.000000000 -0500 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -6540,7 +6646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.8/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/kernel/domain.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/domain.te 2010-02-02 10:31:03.000000000 -0500 @@ -5,6 +5,21 @@ # # Declarations @@ -6699,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.8/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/kernel/files.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/files.fc 2010-02-02 10:31:03.000000000 -0500 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) 
@@ -6744,7 +6850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib/nfs/rpc_pipefs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-01-28 08:42:36.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-02-02 10:31:03.000000000 -0500 @@ -932,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -7184,7 +7290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5215,3 +5497,192 @@ +@@ -5215,3 +5497,212 @@ typeattribute $1 files_unconfined_type; ') @@ -7377,9 +7483,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; +') ++ ++######################################## ++## ++## Do not audit attempts to read or write ++## all leaked files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_leaks',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ dontaudit $1 file_type:file rw_inherited_file_perms; ++ dontaudit $1 file_type:lnk_file { read }; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.8/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/files.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/files.te 2010-02-02 10:31:03.000000000 -0500 @@ -12,6 +12,7 @@ attribute mountpoint; attribute pidfile; 
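Review bot: `files_dontaudit_leaks` silences `file_type:file rw_inherited_file_perms` for every file type, including the security-sensitive ones, whereas the interface directly above it (visible in the context lines) deliberately scopes the same dontaudit to `non_security_file_type`. Hiding denials on inherited descriptors to files such as the shadow file removes the audit trail a defender relies on to spot a leaked-descriptor bug; suggest `dontaudit $1 non_security_file_type:file rw_inherited_file_perms;` unless the wider scope is intended, in which case the summary should say so. The second rule, `dontaudit $1 file_type:lnk_file { read };`, is not a descriptor leak at all—symlink read happens during path resolution—so it hides genuine traversal denials across all file types; consider dropping it or documenting why it belongs in a leaks interface. The same lnk_file point applies to `fs_dontaudit_leaks` in the filesystem.if hunk that follows.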
@@ -7422,7 +7548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if 2010-02-02 10:31:03.000000000 -0500 @@ -906,7 +906,7 @@ type cifs_t; ') @@ -7518,7 +7644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Mount a XENFS filesystem. ## ## -@@ -4181,3 +4237,175 @@ +@@ -4181,3 +4237,194 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -7694,9 +7820,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + write_files_pattern($1, cgroup_t, cgroup_t) +') + ++######################################## ++## ++## Do not audit attempts to read or write ++## all leaked filesystems files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_leaks',` ++ gen_require(` ++ attribute filesystem_type; ++ ') ++ ++ dontaudit $1 filesystem_type:file rw_inherited_file_perms; ++ dontaudit $1 filesystem_type:lnk_file { read }; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.8/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.te 2010-02-02 10:31:03.000000000 -0500 @@ -29,6 +29,7 @@ fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); 
@@ -7756,7 +7901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # nfs_t is the default type for NFS file systems diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-01-27 11:28:51.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-02-02 10:31:03.000000000 -0500 @@ -1849,7 +1849,7 @@ ') @@ -7842,7 +7987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.8/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/kernel.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/kernel.te 2010-02-02 10:31:03.000000000 -0500 @@ -64,6 +64,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -7924,7 +8069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel +files_boot(kernel_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.8/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/kernel/selinux.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/selinux.if 2010-02-02 10:31:03.000000000 -0500 @@ -40,7 +40,7 @@ # because of this statement, any module which 
@@ -7984,7 +8129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.8/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/storage.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/storage.fc 2010-02-02 10:31:03.000000000 -0500 @@ -14,6 +14,7 @@ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -7995,7 +8140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.8/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/storage.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/storage.if 2010-02-02 10:31:03.000000000 -0500 @@ -304,6 +304,7 @@ dev_list_all_dev_nodes($1) @@ -8006,7 +8151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.8/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/terminal.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/terminal.if 2010-02-02 10:31:03.000000000 -0500 @@ -273,9 +273,11 @@ interface(`term_dontaudit_use_console',` gen_require(` 
@@ -8073,7 +8218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.8/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/roles/guest.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/guest.te 2010-02-02 10:31:03.000000000 -0500 @@ -16,7 +16,11 @@ # @@ -8090,7 +8235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t +gen_user(guest_u, user, guest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.8/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/roles/staff.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/staff.te 2010-02-02 10:31:03.000000000 -0500 @@ -10,161 +10,121 @@ userdom_unpriv_user_template(staff) @@ -8297,7 +8442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.8/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te 2010-02-02 10:31:03.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; 
@@ -8610,8 +8755,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.8/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.fc 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,8 @@ ++++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.fc 2010-02-02 10:31:03.000000000 -0500 +@@ -0,0 +1,10 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -8620,9 +8765,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) + ++/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.8/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,667 @@ +## Unconfiend user role + 
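Review bot: `/usr/sbin/xrdp` and `/usr/sbin/xrdp-sesman` are labelled `unconfined_exec_t`, which means a remote desktop server that accepts network connections will run with no SELinux confinement at all; the file's own header describes this list as for programs that should not be confined, but an exposed listener is exactly the kind of service a confined domain is meant to contain. The existing entries (`mock`, `sysreport`) use `unconfined_notrans_exec_t`, so two different types in one short list also deserve a comment explaining the distinction. Suggest either a dedicated xrdp policy module, or at minimum a comment above the two lines recording the denial or bug that motivated unconfining them, so the decision can be revisited later.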
@@ -9293,7 +9440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,445 @@ +policy_module(unconfineduser, 1.0.0) + @@ -9742,7 +9889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.8/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/roles/unprivuser.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/unprivuser.te 2010-02-02 10:31:03.000000000 -0500 @@ -14,96 +14,19 @@ userdom_unpriv_user_template(user) @@ -9893,7 +10040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.8/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/roles/xguest.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/xguest.te 2010-02-02 10:31:03.000000000 -0500 @@ -15,7 +15,7 @@ ## 
@@ -10011,7 +10158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. +gen_user(xguest_u, user, xguest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.8/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/abrt.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/abrt.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,11 +1,17 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) @@ -10033,8 +10180,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.8/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/abrt.if 2010-01-18 15:18:03.000000000 -0500 -@@ -19,6 +19,24 @@ ++++ serefpolicy-3.7.8/policy/modules/services/abrt.if 2010-02-02 10:31:03.000000000 -0500 +@@ -19,6 +19,29 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') @@ -10054,12 +10201,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + ') + + domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit abrt_helper_t $1:socket_class_set { read write }; ++ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) ++') +') + ###################################### ## ## Execute abrt -@@ -56,6 +74,32 @@ +@@ -56,6 +79,32 @@ read_files_pattern($1, abrt_etc_t, abrt_etc_t) ') 
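Review bot: The new `ifdef(`hide_broken_symptoms', ...)` block inside the interface whose body ends with `domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)` appears to sit at column 0 while the rest of the body is indented (the `ifdef` and closing `')` lines carry no leading whitespace, unlike the `dontaudit` and `fs_dontaudit_rw_anon_inodefs_files` lines), though whitespace may have been collapsed in this rendering; if so, indent the block to match the body. The interface header is outside the hunk. `dontaudit abrt_helper_t $1:socket_class_set { read write };` applies to every caller's sockets, which is the usual inherited-descriptor pattern, but a one-line comment such as `# descriptors inherited from the calling domain` would tell the reader why a dontaudit lives in a domtrans interface.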
@@ -10092,7 +10244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ###################################### ## ## Read abrt logs. -@@ -75,6 +119,101 @@ +@@ -75,6 +124,101 @@ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) ') @@ -10196,7 +10348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.8/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/abrt.te 2010-01-26 14:15:44.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/abrt.te 2010-02-02 10:31:03.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10388,7 +10540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.7.8/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/afs.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/afs.fc 2010-02-02 10:31:03.000000000 -0500 @@ -22,10 +22,10 @@ /usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) 
@@ -10403,7 +10555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. /vicepb gen_context(system_u:object_r:afs_files_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.8/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/afs.te 2010-01-19 16:52:29.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/afs.te 2010-02-02 10:31:03.000000000 -0500 @@ -71,8 +71,8 @@ # afs client local policy # @@ -10426,7 +10578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. # AFS bossserver local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.8/policy/modules/services/aiccu.fc --- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/aiccu.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/aiccu.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,5 @@ + +/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) @@ -10435,7 +10587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.8/policy/modules/services/aiccu.if --- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/aiccu.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/aiccu.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,119 @@ + +## policy for aiccu 
@@ -10558,7 +10710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.8/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/aiccu.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/aiccu.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,41 @@ +policy_module(aiccu,1.0.0) + @@ -10603,7 +10755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.8/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/aisexec.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/aisexec.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,12 @@ + +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) @@ -10619,7 +10771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.8/policy/modules/services/aisexec.if --- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/aisexec.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/aisexec.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + 
@@ -10729,7 +10881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.8/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/aisexec.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/aisexec.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,112 @@ + +policy_module(aisexec,1.0.0) @@ -10845,8 +10997,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.8/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/amavis.te 2010-01-18 15:18:03.000000000 -0500 -@@ -143,6 +143,7 @@ ++++ serefpolicy-3.7.8/policy/modules/services/amavis.te 2010-02-02 10:31:03.000000000 -0500 +@@ -138,11 +138,13 @@ + + auth_dontaudit_read_shadow(amavis_t) + ++init_read_utmp(amavis_t) + init_stream_connect_script(amavis_t) + logging_send_syslog_msg(amavis_t) miscfiles_read_localization(amavis_t) 
@@ -10856,8 +11014,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav sysnet_use_ldap(amavis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.8/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-01-27 15:19:37.000000000 -0500 -@@ -2,12 +2,17 @@ ++++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-02-02 10:31:03.000000000 -0500 +@@ -2,12 +2,19 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) 
@@ -10872,20 +11030,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) ++/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++ /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -21,10 +26,16 @@ +@@ -21,10 +28,16 @@ /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - ++ +/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+ + +/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -10894,7 +11054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -32,14 +43,28 @@ +@@ -32,14 +45,28 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
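Review bot: `/etc/mock/koji(/.*)?` is labelled `httpd_sys_content_rw_t`, which makes a configuration directory under /etc writable by httpd_t and its script domains; a compromised web server could then rewrite the mock/koji configuration. Unless koji's web component is known to write there, the read-only `httpd_sys_content_t` is the safer default, with `/var/lib/koji(/.*)?` (added with the rw type in a later hunk of this file) carrying the writable state. If the rw label really is required, a comment on the line naming the writer would let a future reviewer keep it that narrow.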
@@ -10923,7 +11083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,16 +72,21 @@ +@@ -47,16 +74,21 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -10945,7 +11105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ') -@@ -64,11 +94,33 @@ +@@ -64,11 +96,34 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -10974,6 +11134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + ++/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) @@ -10982,7 +11143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/apache.if 2010-01-22 10:26:09.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/apache.if 2010-02-02 10:31:03.000000000 -0500 @@ -13,21 +13,17 @@ # template(`apache_content_template',` 
@@ -11144,7 +11305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi',` -@@ -149,9 +133,13 @@ +@@ -149,14 +133,19 @@ # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) @@ -11158,7 +11319,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; -@@ -173,50 +161,7 @@ + allow httpd_$1_script_t self:process { setsched signal_perms }; + allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; ++ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms; + + allow httpd_$1_script_t httpd_t:fd use; + allow httpd_$1_script_t httpd_t:process sigchld; +@@ -173,50 +162,7 @@ libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) @@ -11210,7 +11377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -227,15 +172,13 @@ +@@ -227,15 +173,13 @@ optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) @@ -11228,7 +11395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -258,8 +201,8 @@ +@@ -258,8 +202,8 @@ attribute httpdcontent; type httpd_user_content_t, httpd_user_htaccess_t; type httpd_user_script_t, httpd_user_script_exec_t; @@ -11239,7 +11406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') role $1 types httpd_user_script_t; -@@ -268,26 +211,26 @@ +@@ -268,26 +212,26 @@ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; 
@@ -11286,7 +11453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) -@@ -365,6 +308,24 @@ +@@ -365,6 +309,24 @@ domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -11311,7 +11478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Send a null signal to apache. -@@ -441,6 +402,25 @@ +@@ -441,6 +403,25 @@ ######################################## ## ## Do not audit attempts to read and write Apache @@ -11337,7 +11504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## TCP sockets. ## ## -@@ -503,6 +483,105 @@ +@@ -503,6 +484,105 @@ ######################################## ## @@ -11443,7 +11610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow the specified domain to read ## apache configuration files. ## -@@ -579,7 +658,7 @@ +@@ -579,7 +659,7 @@ ## ## ## @@ -11452,7 +11619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## ## ## -@@ -715,6 +794,7 @@ +@@ -715,6 +795,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -11460,7 +11627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -758,6 +838,27 @@ +@@ -758,6 +839,27 @@ ######################################## ## @@ -11488,7 +11655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow the specified domain to manage ## apache system content files. ## -@@ -782,6 +883,32 @@ +@@ -782,6 +884,32 @@ ######################################## ## 
@@ -11521,7 +11688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Execute all web scripts in the system ## script domain. ## -@@ -791,16 +918,18 @@ +@@ -791,16 +919,18 @@ ## ## # @@ -11544,7 +11711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -859,6 +988,8 @@ +@@ -859,6 +989,8 @@ ## ## # @@ -11553,7 +11720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; -@@ -884,7 +1015,7 @@ +@@ -884,7 +1016,7 @@ type httpd_squirrelmail_t; ') @@ -11562,7 +11729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1043,6 +1174,44 @@ +@@ -1043,6 +1175,44 @@ ######################################## ## @@ -11607,7 +11774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## All of the rules required to administrate an apache environment ## ## -@@ -1072,11 +1241,17 @@ +@@ -1072,11 +1242,17 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -11625,7 +11792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_manage_all_content($1) miscfiles_manage_public_files($1) -@@ -1096,12 +1271,78 @@ +@@ -1096,12 +1272,78 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; 
@@ -11707,7 +11874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-01-27 08:23:39.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-02-02 10:31:03.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12559,7 +12726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.8/policy/modules/services/apm.te --- nsaserefpolicy/policy/modules/services/apm.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/apm.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/apm.te 2010-02-02 10:31:03.000000000 -0500 @@ -223,6 +223,10 @@ unconfined_domain(apmd_t) ') @@ -12573,7 +12740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. xserver_domtrans(apmd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.8/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-01-27 11:31:50.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-02-02 10:31:03.000000000 -0500 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; 
@@ -12600,7 +12767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw fs_search_auto_mountpoints(arpwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.8/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/asterisk.if 2010-01-21 14:59:59.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/asterisk.if 2010-02-02 10:31:03.000000000 -0500 @@ -2,8 +2,28 @@ ##################################### @@ -12681,7 +12848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.8/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/asterisk.te 2010-01-21 14:23:14.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/asterisk.te 2010-02-02 10:31:03.000000000 -0500 @@ -40,12 +40,13 @@ # @@ -12782,7 +12949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.8/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/automount.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/automount.te 2010-02-02 10:31:03.000000000 -0500 @@ -75,6 +75,7 @@ fs_mount_all_fs(automount_t) 
@@ -12801,7 +12968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.8/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/avahi.fc 2010-01-18 17:04:50.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/avahi.fc 2010-02-02 10:31:03.000000000 -0500 @@ -6,4 +6,4 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) @@ -12810,7 +12977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah +/var/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.8/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/avahi.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/avahi.te 2010-02-02 10:31:03.000000000 -0500 @@ -24,7 +24,7 @@ # Local policy # @@ -12857,7 +13024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.8/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/bind.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/bind.if 2010-02-02 10:31:03.000000000 -0500 @@ -2,6 +2,25 @@ ######################################## 
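Review bot: `/var/lib/avahi-autoipd(/.*)` lacks the trailing `?` that every other directory pattern in these file-context sections carries (compare `/var/run/avahi-daemon(/.*)?` two lines above), so the pattern matches only the directory's contents and never the directory itself, which restorecon would leave with the generic /var/lib label. The hunk only refreshes the +++ timestamp, so this line is context here, but it is on the new side of the patch and the missing `?` looks unintended. Suggested: `/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)`.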
@@ -12956,7 +13123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind allow $2 system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.8/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/bluetooth.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/bluetooth.te 2010-02-02 10:31:03.000000000 -0500 @@ -96,6 +96,7 @@ kernel_read_system_state(bluetooth_t) kernel_read_network_state(bluetooth_t) @@ -12967,7 +13134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue corenet_all_recvfrom_netlabel(bluetooth_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.7.8/policy/modules/services/ccs.fc --- nsaserefpolicy/policy/modules/services/ccs.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ccs.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ccs.fc 2010-02-02 10:31:03.000000000 -0500 @@ -2,9 +2,5 @@ /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) @@ -12982,7 +13149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. +/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.8/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ccs.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ccs.te 2010-02-02 10:31:03.000000000 -0500 @@ -10,23 +10,21 @@ type ccs_exec_t; init_daemon_domain(ccs_t, ccs_exec_t) 
@@ -13068,7 +13235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. files_manage_isid_type_files(ccs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.8/policy/modules/services/certmaster.fc --- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/certmaster.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/certmaster.fc 2010-02-02 10:31:03.000000000 -0500 @@ -3,5 +3,6 @@ /usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) @@ -13078,7 +13245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert /var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.8/policy/modules/services/certmonger.fc --- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/certmonger.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/certmonger.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) + 
@@ -13088,7 +13255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.8/policy/modules/services/certmonger.if --- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/certmonger.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/certmonger.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,217 @@ + +## Certificate status monitor and PKI enrollment client @@ -13309,7 +13476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.8/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/certmonger.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/certmonger.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,74 @@ +policy_module(certmonger,1.0.0) + @@ -13387,7 +13554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.8/policy/modules/services/cgroup.fc --- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/cgroup.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cgroup.fc 2010-02-02 10:31:03.000000000 -0500 
@@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0) +/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0) @@ -13398,7 +13565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.8/policy/modules/services/cgroup.if --- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/cgroup.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cgroup.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,35 @@ +## Control group rules engine daemon. +## @@ -13437,7 +13604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.8/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/cgroup.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cgroup.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,87 @@ +policy_module(cgroup, 1.0.0) + 
@@ -13528,8 +13695,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +kernel_read_system_state(cgconfigparser_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.8/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/chronyd.fc 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,11 @@ ++++ serefpolicy-3.7.8/policy/modules/services/chronyd.fc 2010-02-02 10:31:03.000000000 -0500 +@@ -0,0 +1,13 @@ ++/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) ++ + +/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) + @@ -13543,8 +13712,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.8/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/chronyd.if 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,105 @@ ++++ serefpolicy-3.7.8/policy/modules/services/chronyd.if 2010-02-02 10:31:03.000000000 -0500 +@@ -0,0 +1,106 @@ +## chrony background daemon + +##################################### @@ -13624,7 +13793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro + gen_require(` + type chronyd_t, chronyd_var_log_t; + type chronyd_var_run_t, chronyd_var_lib_t; -+ type chronyd_initrc_exec_t; ++ type chronyd_initrc_exec_t, chronyd_keys_t; + ') + + allow $1 chronyd_t:process { ptrace signal_perms }; 
@@ -13647,13 +13816,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro + files_search_tmp($1) + admin_pattern($1, chronyd_tmp_t) + ++ admin_pattern($1, chronyd_keys_t) +') + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.8/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/chronyd.te 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,67 @@ ++++ serefpolicy-3.7.8/policy/modules/services/chronyd.te 2010-02-02 10:31:03.000000000 -0500 +@@ -0,0 +1,76 @@ +policy_module(chronyd,1.0.0) + +######################################## @@ -13668,6 +13838,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro +type chronyd_initrc_exec_t; +init_script_file(chronyd_initrc_exec_t) + ++type chronyd_keys_t; ++files_type(chronyd_keys_t) ++ +# var/lib files +type chronyd_var_lib_t; +files_type(chronyd_var_lib_t) @@ -13686,13 +13859,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro +# chronyd local policy +# + -+allow chronyd_t self:capability { setuid setgid sys_time }; -+allow chronyd_t self:process { getcap setcap }; ++allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; ++allow chronyd_t self:process { getcap setcap setrlimit }; + +allow chronyd_t self:udp_socket create_socket_perms; +allow chronyd_t self:unix_dgram_socket create_socket_perms; ++allow chronyd_t self:shm create_shm_perms; ++ ++allow chronyd_t chronyd_keys_t:file read_file_perms; + +# chronyd var/lib files ++manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) +manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) +manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) +files_var_lib_filetrans(chronyd_t,chronyd_var_lib_t, { file dir }) 
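Review bot: `dac_override` is added to chronyd_t's capability set in the same hunk that introduces `chronyd_keys_t` with `read_file_perms`; if the capability was only needed to read a root-owned, mode-0600 /etc/chrony.keys before that file had its own label, it may now be redundant, and as the broadest grant in the new line it is worth re-checking against the denial that motivated it. With `permissive chronyd_t;` removed in the following `@@ -13720,10 +13897,12 @@` hunk the domain is enforcing for the first time, so this capability line is now the effective privilege boundary for chronyd. A short why-comment above the allow rule, e.g. `# ipc_lock/sys_resource/setrlimit: mlockall; dac_override: TODO confirm still needed now that chrony.keys is chronyd_keys_t`, would make later trimming possible; the purpose of the other new capabilities is inferred here, not visible in the hunk.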
@@ -13720,10 +13897,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro + +miscfiles_read_localization(chronyd_t) + -+permissive chronyd_t; ++optional_policy(` ++ gpsd_rw_shm(chronyd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.8/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/clamav.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/clamav.te 2010-02-02 10:31:03.000000000 -0500 @@ -57,6 +57,7 @@ # @@ -13749,7 +13928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.8/policy/modules/services/clogd.fc --- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/clogd.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/clogd.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) @@ -13757,7 +13936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.8/policy/modules/services/clogd.if --- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/clogd.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/clogd.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,98 @@ +## clogd - clustered mirror log server + 
@@ -13859,7 +14038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.8/policy/modules/services/clogd.te --- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/clogd.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/clogd.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,62 @@ + +policy_module(clogd,1.0.0) @@ -13925,7 +14104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.8/policy/modules/services/cobbler.fc --- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/cobbler.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cobbler.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,9 @@ +/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) +/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) @@ -13938,7 +14117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.8/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/cobbler.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cobbler.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,186 @@ +## Cobbler installation server. +## 
@@ -14128,7 +14307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.8/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/cobbler.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cobbler.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,127 @@ + +policy_module(cobbler, 1.0.0) @@ -14259,7 +14438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.8/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/consolekit.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/consolekit.fc 2010-02-02 10:31:03.000000000 -0500 @@ -2,4 +2,5 @@ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) @@ -14269,7 +14448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.8/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/consolekit.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/consolekit.if 2010-02-02 10:31:03.000000000 -0500 
@@ -57,3 +57,42 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) @@ -14315,7 +14494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.8/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/consolekit.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/consolekit.te 2010-02-02 10:31:03.000000000 -0500 @@ -21,7 +21,7 @@ # consolekit local policy # @@ -14391,7 +14570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.8/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/corosync.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/corosync.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,13 @@ + +/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) @@ -14408,7 +14587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.8/policy/modules/services/corosync.if --- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/corosync.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/corosync.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,108 @@ +## SELinux policy for Corosync Cluster Engine + 
@@ -14520,7 +14699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.8/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/corosync.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/corosync.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,108 @@ + +policy_module(corosync,1.0.0) @@ -14632,7 +14811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.8/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/cron.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cron.fc 2010-02-02 10:31:03.000000000 -0500 @@ -14,7 +14,7 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -14652,7 +14831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.8/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/cron.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cron.if 2010-02-02 10:31:03.000000000 -0500 @@ -12,6 +12,10 @@ ## # 
@@ -14796,16 +14975,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.8/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/cron.te 2010-01-18 15:18:03.000000000 -0500 -@@ -38,6 +38,7 @@ ++++ serefpolicy-3.7.8/policy/modules/services/cron.te 2010-02-02 10:31:03.000000000 -0500 +@@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) +# var/lib files type cron_var_run_t; files_type(cron_var_run_t) ++mta_system_content(crond_var_run_t) -@@ -64,6 +65,8 @@ + # var/log files + type cron_log_t; +@@ -64,9 +66,12 @@ type crond_tmp_t; files_tmp_file(crond_tmp_t) @@ -14814,7 +14996,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type crond_var_run_t; files_pid_file(crond_var_run_t) -@@ -80,6 +83,7 @@ ++mta_system_content(crond_var_run_t) + + type crontab_exec_t; + application_executable_file(crontab_exec_t) +@@ -80,6 +85,7 @@ typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; @@ -14822,7 +15008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) -@@ -88,6 +92,7 @@ +@@ -88,6 +94,7 @@ init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) role system_r types system_cronjob_t; 
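Review bot: `mta_system_content(crond_var_run_t)` is added to cron.te twice, once in this hunk (`@@ -14796,16 +14975,19 @@`) directly under `files_type(cron_var_run_t)` and again in `@@ -14814,7 +14996,11 @@` under `files_pid_file(crond_var_run_t)`, so one of the two calls is either redundant or a copy-and-paste slip, the first one sitting beneath the declaration of a different type (`cron_var_run_t`). Only the second placement matches the type it names; the first line should be dropped, or corrected if `cron_var_run_t` was the intended argument there. Since the interface, as its name indicates, exposes a pid-file type to the mail subsystem, a one-line comment on the surviving call naming the denial or bug it resolves would also record why that exposure is needed, e.g. `# crond pid file is treated as mail system content because <fill in>`.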
@@ -14830,7 +15016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type system_cronjob_lock_t alias system_crond_lock_t; files_lock_file(system_cronjob_lock_t) -@@ -110,6 +115,13 @@ +@@ -110,6 +117,13 @@ files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) @@ -14844,7 +15030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ######################################## # # Admin crontab local policy -@@ -139,7 +151,7 @@ +@@ -139,7 +153,7 @@ allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; @@ -14853,7 +15039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; allow crond_t self:fifo_file rw_fifo_file_perms; -@@ -194,6 +206,8 @@ +@@ -194,6 +208,8 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -14862,7 +15048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -209,7 +223,9 @@ +@@ -209,7 +225,9 @@ auth_use_nsswitch(crond_t) @@ -14872,7 +15058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -220,8 +236,10 @@ +@@ -220,8 +238,10 @@ userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -14883,7 +15069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` # pam_limits is used -@@ -241,8 +259,12 @@ +@@ -241,8 +261,12 @@ ') ') @@ -14898,7 +15084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -251,6 +273,20 @@ +@@ -251,6 +275,20 @@ ') optional_policy(` 
@@ -14919,7 +15105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron amanda_search_var_lib(crond_t) ') -@@ -260,6 +296,8 @@ +@@ -260,6 +298,8 @@ optional_policy(` hal_dbus_chat(crond_t) @@ -14928,7 +15114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -302,10 +340,17 @@ +@@ -302,10 +342,17 @@ # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -14947,7 +15133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -325,6 +370,7 @@ +@@ -325,6 +372,7 @@ allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -14955,7 +15141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -336,9 +382,13 @@ +@@ -336,9 +384,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -14970,7 +15156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -361,6 +411,7 @@ +@@ -361,6 +413,7 @@ dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) 
@@ -14978,7 +15164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -387,6 +438,7 @@ +@@ -387,6 +440,7 @@ # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -14986,7 +15172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -411,6 +463,8 @@ +@@ -411,6 +465,8 @@ ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files @@ -14995,7 +15181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -435,6 +489,7 @@ +@@ -435,6 +491,7 @@ apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -15003,7 +15189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -442,6 +497,14 @@ +@@ -442,6 +499,14 @@ ') optional_policy(` @@ -15018,7 +15204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ftp_read_log(system_cronjob_t) ') -@@ -456,11 +519,16 @@ +@@ -456,11 +521,16 @@ ') optional_policy(` @@ -15035,7 +15221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -476,7 +544,7 @@ +@@ -476,7 +546,7 @@ prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -15044,7 +15230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -491,6 +559,7 @@ +@@ -491,6 +561,7 @@ optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) 
@@ -15052,7 +15238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -498,6 +567,9 @@ +@@ -498,6 +569,9 @@ ') optional_policy(` @@ -15064,7 +15250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.8/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/cups.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cups.fc 2010-02-02 10:31:03.000000000 -0500 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) @@ -15113,7 +15299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/cups.te 2010-01-18 17:30:30.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cups.te 2010-02-02 10:31:03.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) 
@@ -15266,18 +15452,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -446,6 +472,10 @@ +@@ -432,6 +458,10 @@ + ') + + optional_policy(` ++ gnome_dontaudit_search_config(cupsd_config_t) ++') ++ ++optional_policy(` + hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) + hal_dontaudit_use_fds(hplip_t) +@@ -446,6 +476,11 @@ ') optional_policy(` + policykit_dbus_chat(cupsd_config_t) ++ userdom_read_all_users_state(cupsd_config_t) +') + +optional_policy(` rpm_read_db(cupsd_config_t) ') -@@ -457,6 +487,10 @@ +@@ -457,6 +492,10 @@ udev_read_db(cupsd_config_t) ') @@ -15288,7 +15486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # Cups lpd support -@@ -520,6 +554,7 @@ +@@ -520,6 +559,7 @@ logging_send_syslog_msg(cupsd_lpd_t) miscfiles_read_localization(cupsd_lpd_t) @@ -15296,7 +15494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cups_stream_connect(cupsd_lpd_t) -@@ -542,6 +577,8 @@ +@@ -542,6 +582,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) @@ -15305,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +593,15 @@ +@@ -556,11 +598,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -15321,7 +15519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +642,9 @@ +@@ -601,6 +647,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) 
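Review bot: `userdom_read_all_users_state(cupsd_config_t)` in `@@ -15266,18 +15452,30 @@` is placed inside the `optional_policy(` block that wraps `policykit_dbus_chat(cupsd_config_t)`, but the userdom interfaces are not provided by the policykit module, so the rule is silently skipped whenever policykit is absent and is otherwise unconditional; it belongs with the unconditional rules for cupsd_config_t rather than in that block. It is also a policy-wide grant (readable state of every user domain), so a short comment naming the access that motivated it would justify its breadth, e.g. `# cupsd_config reads user process state because <fill in>`. The `gnome_dontaudit_search_config(cupsd_config_t)` addition just above shows the intended shape: one `optional_policy(` per optional module, holding only the rules that depend on it.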
@@ -15331,7 +15529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +671,7 @@ +@@ -627,6 +676,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) @@ -15341,7 +15539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_rw_printer(hplip_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.8/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/cvs.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cvs.te 2010-02-02 10:31:03.000000000 -0500 @@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -15350,7 +15548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.8/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/cyrus.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cyrus.te 2010-02-02 10:31:03.000000000 -0500 @@ -75,6 +75,7 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) 
@@ -15369,7 +15567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_stream_connect(cyrus_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.8/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/dbus.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/dbus.if 2010-02-02 10:31:03.000000000 -0500 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -15504,7 +15702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.8/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/dbus.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/dbus.te 2010-02-02 10:31:03.000000000 -0500 @@ -86,6 +86,7 @@ dev_read_sysfs(system_dbusd_t) @@ -15565,7 +15763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.8/policy/modules/services/denyhosts.fc --- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/denyhosts.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/denyhosts.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0) + 
@@ -15576,7 +15774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.8/policy/modules/services/denyhosts.if --- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/denyhosts.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/denyhosts.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,90 @@ +## Deny Hosts. +## @@ -15670,7 +15868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.8/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/denyhosts.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/denyhosts.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,72 @@ + +policy_module(denyhosts, 1.0.0) @@ -15746,7 +15944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.8/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/devicekit.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/devicekit.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,8 +1,11 @@ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) 
@@ -15761,7 +15959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.8/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/devicekit.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/devicekit.if 2010-02-02 10:31:03.000000000 -0500 @@ -139,6 +139,26 @@ ######################################## @@ -15791,7 +15989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.8/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/devicekit.te 2010-01-27 08:37:23.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/devicekit.te 2010-02-02 10:44:35.000000000 -0500 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -15813,7 +16011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -71,29 +75,55 @@ +@@ -71,29 +75,58 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) 
@@ -15824,6 +16022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi + +kernel_getattr_message_if(devicekit_disk_t) +kernel_read_fs_sysctls(devicekit_disk_t) ++kernel_read_network_state(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) +kernel_read_system_state(devicekit_disk_t) +kernel_request_load_module(devicekit_disk_t) @@ -15836,14 +16035,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_sysfs(devicekit_disk_t) dev_read_urand(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) +- +dev_manage_generic_files(devicekit_disk_t) +dev_getattr_all_chr_files(devicekit_disk_t) - ++dev_getattr_mtrr_dev(devicekit_disk_t) ++ +domain_getattr_all_pipes(devicekit_disk_t) +domain_getattr_all_sockets(devicekit_disk_t) +domain_getattr_all_stream_sockets(devicekit_disk_t) +domain_read_all_domains_state(devicekit_disk_t) + ++files_dontaudit_read_all_symlinks(devicekit_disk_t) +files_getattr_all_sockets(devicekit_disk_t) +files_getattr_all_mountpoints(devicekit_disk_t) +files_getattr_all_files(devicekit_disk_t) @@ -15870,7 +16072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) -@@ -102,6 +132,16 @@ +@@ -102,6 +135,16 @@ userdom_search_user_home_dirs(devicekit_disk_t) optional_policy(` @@ -15887,7 +16089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi fstools_domtrans(devicekit_disk_t) ') -@@ -110,6 +150,7 @@ +@@ -110,6 +153,7 @@ ') optional_policy(` @@ -15895,7 +16097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -120,18 +161,12 @@ +@@ -120,18 +164,12 @@ ') optional_policy(` 
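Review bot: `files_dontaudit_read_all_symlinks(devicekit_disk_t)` in `@@ -15836,14 +16035,17 @@` suppresses auditing of symlink reads on every file type for this domain, so a later, unrelated denial of that kind will no longer appear in the audit log; a dontaudit this wide should carry a comment saying which noisy denial it silences and why a narrower interface was not used. The other new lines, `dev_getattr_mtrr_dev(devicekit_disk_t)` here and `kernel_read_network_state(devicekit_disk_t)` in `@@ -15824,6 +16022,7 @@`, are likewise added without a why-comment into a block that already holds policy-wide reads (`domain_read_all_domains_state`, `files_getattr_all_files`), which makes the domain's real needs hard to narrow later. A one-line comment per added interface, e.g. `# <observed AVC or bug id — fill in>`, is enough.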
@@ -15917,7 +16119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') ######################################## -@@ -139,9 +174,11 @@ +@@ -139,9 +177,11 @@ # DeviceKit-Power local policy # @@ -15930,7 +16132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +188,7 @@ +@@ -151,6 +191,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -15938,7 +16140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,6 +197,7 @@ +@@ -159,6 +200,7 @@ domain_read_all_domains_state(devicekit_power_t) @@ -15946,7 +16148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +206,17 @@ +@@ -167,12 +209,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -15964,7 +16166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,6 +224,10 @@ +@@ -180,6 +227,10 @@ ') optional_policy(` @@ -15975,7 +16177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -203,17 +251,23 @@ +@@ -203,17 +254,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) 
@@ -16001,7 +16203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.7.8/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/dhcp.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/dhcp.if 2010-02-02 10:31:03.000000000 -0500 @@ -2,6 +2,25 @@ ######################################## @@ -16030,7 +16232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) @@ -16038,7 +16240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.8/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.if 2010-02-02 10:31:03.000000000 -0500 @@ -136,6 +136,44 @@ ######################################## 
@@ -16086,7 +16288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.8/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.te 2010-02-02 10:31:03.000000000 -0500 @@ -13,6 +13,9 @@ type dnsmasq_initrc_exec_t; init_script_file(dnsmasq_initrc_exec_t) @@ -16136,7 +16338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.8/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/dovecot.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/dovecot.fc 2010-02-02 10:31:03.000000000 -0500 @@ -34,6 +34,7 @@ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) @@ -16147,7 +16349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.8/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/dovecot.te 2010-01-27 10:51:08.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/dovecot.te 2010-02-02 10:31:03.000000000 -0500 @@ -73,14 +73,21 @@ can_exec(dovecot_t, dovecot_exec_t) 
@@ -16252,7 +16454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.8/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/exim.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/exim.te 2010-02-02 10:31:03.000000000 -0500 @@ -192,6 +192,10 @@ ') @@ -16266,7 +16468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.8/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/fail2ban.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/fail2ban.if 2010-02-02 10:31:03.000000000 -0500 @@ -98,6 +98,46 @@ allow $1 fail2ban_var_run_t:file read_file_perms; ') @@ -16338,7 +16540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.8/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/fetchmail.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/fetchmail.te 2010-02-02 10:31:03.000000000 -0500 @@ -48,6 +48,7 @@ kernel_dontaudit_read_system_state(fetchmail_t) 
@@ -16349,7 +16551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc corenet_all_recvfrom_netlabel(fetchmail_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.8/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/fprintd.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/fprintd.te 2010-02-02 10:31:03.000000000 -0500 @@ -55,4 +55,6 @@ policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) @@ -16359,7 +16561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.8/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ftp.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ftp.if 2010-02-02 10:31:03.000000000 -0500 @@ -115,6 +115,44 @@ role $2 types ftpdctl_t; ') @@ -16407,7 +16609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.8/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ftp.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ftp.te 2010-02-02 10:31:03.000000000 -0500 @@ -41,11 +41,51 @@ ## 
@@ -16656,7 +16858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.8/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/git.fc 2010-01-21 08:33:33.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/git.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,3 +1,16 @@ -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) @@ -16679,7 +16881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.8/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/git.if 2010-01-21 14:00:18.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/git.if 2010-02-02 10:31:03.000000000 -0500 @@ -1 +1,535 @@ -## GIT revision control system +## Git - Fast Version Control System. @@ -17219,7 +17421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.8/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/git.te 2010-01-21 13:49:27.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/git.te 2010-02-02 10:31:03.000000000 -0500 @@ -1,9 +1,182 @@ -policy_module(git, 1.0) 
@@ -17408,7 +17610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +#gen_user(git_shell_u, user, git_shell_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.8/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/gpsd.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/gpsd.te 2010-02-02 10:31:03.000000000 -0500 @@ -25,7 +25,7 @@ # gpsd local policy # @@ -17420,7 +17622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.7.8/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/hal.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/hal.fc 2010-02-02 10:31:03.000000000 -0500 @@ -26,6 +26,7 @@ /var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) @@ -17431,7 +17633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.8/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/hal.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/hal.if 2010-02-02 10:31:03.000000000 -0500 
@@ -413,3 +413,21 @@ files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) @@ -17456,7 +17658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.8/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/hal.te 2010-01-27 13:13:18.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/hal.te 2010-02-02 10:31:03.000000000 -0500 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -17626,7 +17828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.8/policy/modules/services/howl.te --- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/howl.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/howl.te 2010-02-02 10:31:03.000000000 -0500 @@ -30,7 +30,7 @@ kernel_read_network_state(howl_t) @@ -17638,7 +17840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.8/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/kerberos.if 2010-01-22 09:59:42.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/kerberos.if 2010-02-02 10:31:03.000000000 -0500 @@ -74,7 +74,7 @@ ') 
@@ -17661,7 +17863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow $1 self:udp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.8/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/kerberos.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/kerberos.te 2010-02-02 10:31:03.000000000 -0500 @@ -112,6 +112,7 @@ kernel_read_kernel_sysctls(kadmind_t) @@ -17681,7 +17883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.8/policy/modules/services/ksmtuned.fc --- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + @@ -17690,7 +17892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt +/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.8/policy/modules/services/ksmtuned.if --- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,76 @@ + +## policy for Kernel Samepage Merging (KSM) Tuning Daemon 
@@ -17770,7 +17972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.8/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,44 @@ +policy_module(ksmtuned,1.0.0) + @@ -17818,7 +18020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt +miscfiles_read_localization(ksmtuned_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.7.8/policy/modules/services/ktalk.te --- nsaserefpolicy/policy/modules/services/ktalk.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ktalk.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ktalk.te 2010-02-02 10:31:03.000000000 -0500 @@ -69,6 +69,7 @@ files_read_etc_files(ktalkd_t) @@ -17829,7 +18031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.8/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ldap.fc 2010-01-27 15:28:08.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ldap.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,8 +1,12 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) 
@@ -17858,7 +18060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.8/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ldap.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ldap.if 2010-02-02 10:31:03.000000000 -0500 @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -17905,7 +18107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ## Read the contents of the OpenLDAP diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.8/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ldap.te 2010-01-28 08:13:48.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ldap.te 2010-02-02 10:31:03.000000000 -0500 @@ -28,6 +28,9 @@ type slapd_replog_t; files_type(slapd_replog_t) 
@@ -17929,17 +18131,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.8/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/lircd.te 2010-01-18 15:18:03.000000000 -0500 -@@ -26,6 +26,8 @@ ++++ serefpolicy-3.7.8/policy/modules/services/lircd.te 2010-02-02 10:31:03.000000000 -0500 +@@ -24,8 +24,11 @@ + # lircd local policy + # - allow lircd_t self:process signal; +-allow lircd_t self:process signal; ++allow lircd_t self:capability { chown kill sys_admin }; ++allow lircd_t self:process { fork signal }; allow lircd_t self:unix_dgram_socket create_socket_perms; -+allow lircd_t self:fifo_file rw_file_perms; ++allow lircd_t self:fifo_file rw_fifo_file_perms; +allow lircd_t self:tcp_socket create_stream_socket_perms; # etc file read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) -@@ -34,21 +36,31 @@ +@@ -34,21 +37,31 @@ manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) 
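Review bot: The new `allow lircd_t self:capability { chown kill sys_admin };` grants the broadest capability in the set without recording why; `sys_admin` covers a wide range of privileged kernel operations and `kill` lets the domain signal processes regardless of uid, so a reader cannot tell which denial this rule is meant to resolve. A one-line comment above the rule naming the operation behind each capability, e.g. `# chown/kill/sys_admin needed for: <operation seen in the AVC — TODO fill in>`, would let a later audit check whether a narrower permission suffices. The switch from `rw_file_perms` to `rw_fifo_file_perms` on the `fifo_file` rule looks right, since the former is the generic file-class permission set. The lircd.te changes continue past this hunk; the trailing `@@ -34,21 +37,31 @@` header is only renumbered here.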
@@ -17976,7 +18182,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.8/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/mailman.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/mailman.fc 2010-02-02 11:12:02.000000000 -0500 +@@ -1,4 +1,4 @@ +-/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) + + /var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) @@ -25,10 +25,10 @@ ifdef(`distro_redhat', ` /etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) @@ -17994,7 +18206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.8/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/memcached.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/memcached.te 2010-02-02 10:31:03.000000000 -0500 @@ -22,9 +22,12 @@ # 
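Review bot: The added `(64)?` covers only `mailmanctl`; the adjacent context line `/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)` keeps the plain `/usr/lib` prefix, so on a layout where mailman is installed under `/usr/lib64` the cron scripts would keep a default label and never transition into the queue domain. If that layout applies to the cron directory as well (this hunk cannot confirm it), the same `/usr/lib(64)?/mailman/cron/.*` form keeps the two entries consistent. The other hunks on this line only touch timestamps.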
@@ -18027,7 +18239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc +term_dontaudit_use_console(memcached_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.8/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/modemmanager.te 2010-01-27 08:38:46.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/modemmanager.te 2010-02-02 10:31:03.000000000 -0500 @@ -16,8 +16,8 @@ # # ModemManager local policy @@ -18049,7 +18261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode miscfiles_read_localization(modemmanager_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.8/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/mta.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/mta.fc 2010-02-02 10:31:03.000000000 -0500 @@ -13,6 +13,8 @@ /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -18061,7 +18273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/mta.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/mta.if 2010-02-02 10:31:03.000000000 -0500 @@ -335,6 +335,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) 
@@ -18117,7 +18329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/mta.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/mta.te 2010-02-02 10:31:03.000000000 -0500 @@ -63,6 +63,8 @@ can_exec(system_mail_t, mta_exec_type) @@ -18163,7 +18375,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -185,6 +195,10 @@ +@@ -126,6 +136,7 @@ + + optional_policy(` + fail2ban_append_log(system_mail_t) ++ fail2ban_dontaudit_leaks(system_mail_t) + ') + + optional_policy(` +@@ -185,6 +196,10 @@ ') optional_policy(` @@ -18174,7 +18394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -@@ -216,6 +230,7 @@ +@@ -216,6 +231,7 @@ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -18184,7 +18404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.8/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/munin.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/munin.fc 2010-02-02 10:31:03.000000000 -0500 @@ -9,3 +9,6 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) 
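Review bot: `fail2ban_dontaudit_leaks(system_mail_t)` silences denials rather than removing the leaked descriptors; judging by its name it masks file descriptors fail2ban leaves open across the exec of the mailer, which means a future regression in fail2ban's close-on-exec handling would no longer show up in the audit log. A short comment above the call recording that this is a workaround, e.g. `# fail2ban leaks fds into the mailer it execs; suppress the noise until fixed upstream`, keeps the trade-off visible to whoever reviews dontaudit rules later. The interface body is not in this hunk, so what exactly it suppresses is inferred from the name. The remaining hunks on this line only renumber hunk headers.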
@@ -18194,7 +18414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.8/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/munin.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/munin.te 2010-02-02 10:31:03.000000000 -0500 @@ -33,7 +33,7 @@ # Local policy # @@ -18224,7 +18444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.8/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/mysql.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/mysql.if 2010-02-02 10:31:03.000000000 -0500 @@ -1,5 +1,43 @@ ## Policy for MySQL @@ -18271,7 +18491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ## Send a generic signal to MySQL. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.8/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/mysql.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/mysql.te 2010-02-02 10:31:03.000000000 -0500 @@ -1,6 +1,13 @@ policy_module(mysql, 1.11.1) 
@@ -18336,7 +18556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq mysql_write_log(mysqld_safe_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.8/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nagios.fc 2010-01-27 08:48:15.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nagios.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,16 +1,85 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -18430,7 +18650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.8/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nagios.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nagios.if 2010-02-02 10:31:03.000000000 -0500 @@ -64,7 +64,7 @@ ######################################## @@ -18588,7 +18808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.8/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nagios.te 2010-01-27 08:54:01.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nagios.te 2010-02-02 10:31:03.000000000 -0500 @@ -6,17 +6,23 @@ # Declarations # 
@@ -18904,7 +19124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.8/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/networkmanager.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/networkmanager.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,12 +1,28 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -18936,7 +19156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.8/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/networkmanager.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/networkmanager.if 2010-02-02 10:31:03.000000000 -0500 @@ -118,6 +118,24 @@ ######################################## @@ -19015,7 +19235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/networkmanager.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/networkmanager.te 2010-02-02 10:31:03.000000000 -0500 
@@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -19043,12 +19263,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw allow NetworkManager_t self:tcp_socket create_stream_socket_perms; allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -51,8 +55,13 @@ +@@ -51,8 +55,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) -rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -files_search_tmp(NetworkManager_t) ++can_exec(NetworkManager_t, NetworkManager_tmp_t) +manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) @@ -19059,7 +19280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -@@ -62,7 +71,9 @@ +@@ -62,7 +72,9 @@ kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) @@ -19070,7 +19291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -81,13 +92,18 @@ +@@ -81,13 +93,18 @@ corenet_sendrecv_isakmp_server_packets(NetworkManager_t) corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) corenet_sendrecv_all_client_packets(NetworkManager_t) 
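Review bot: `can_exec(NetworkManager_t, NetworkManager_tmp_t)` lets the daemon execute content in a type it can also create and write (`manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)` and `files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })` in the same hunk), so NetworkManager_t becomes a domain that can drop a file under its tmp label and then run it. That removes the usual separation between writable and executable types for this daemon and deserves a comment naming the helper or script it executes from its tmp directory, e.g. `# NetworkManager writes and then executes <helper — TODO name it> under NetworkManager_tmp_t`. If the executed file is a fixed helper, a dedicated exec type with its own file context entry would be narrower than making the whole tmp type executable. The rest of the NetworkManager_t rules continue beyond this hunk.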
@@ -19089,7 +19310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw mls_file_read_all_levels(NetworkManager_t) -@@ -98,15 +114,20 @@ +@@ -98,15 +115,20 @@ domain_use_interactive_fds(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t) @@ -19111,7 +19332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) -@@ -116,25 +137,40 @@ +@@ -116,25 +138,40 @@ seutil_read_config(NetworkManager_t) @@ -19159,7 +19380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -146,8 +182,25 @@ +@@ -146,8 +183,25 @@ ') optional_policy(` @@ -19187,7 +19408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,23 +208,51 @@ +@@ -155,23 +209,51 @@ ') optional_policy(` @@ -19242,7 +19463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -179,12 +260,15 @@ +@@ -179,12 +261,15 @@ ') optional_policy(` @@ -19260,7 +19481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.8/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nis.fc 2010-01-28 10:40:55.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nis.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) 
@@ -19281,7 +19502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.8/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nis.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nis.if 2010-02-02 10:31:03.000000000 -0500 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -19425,7 +19646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.8/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nis.te 2010-01-28 10:38:39.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nis.te 2010-02-02 10:31:03.000000000 -0500 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -19490,7 +19711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.8/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nscd.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nscd.if 2010-02-02 10:31:03.000000000 -0500 @@ -121,6 +121,24 @@ ######################################## 
@@ -19527,7 +19748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.8/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/nscd.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nscd.te 2010-02-02 10:31:03.000000000 -0500 @@ -1,10 +1,17 @@ -policy_module(nscd, 1.10.0) @@ -19574,7 +19795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.8/policy/modules/services/ntop.fc --- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ntop.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ntop.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,7 +1,6 @@ /etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0) @@ -19585,7 +19806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.8/policy/modules/services/ntop.te --- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ntop.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ntop.te 2010-02-02 10:31:03.000000000 -0500 @@ -11,12 +11,12 @@ init_daemon_domain(ntop_t, ntop_exec_t) application_domain(ntop_t, ntop_exec_t) 
@@ -19678,7 +19899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.8/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ntp.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ntp.te 2010-02-02 10:31:03.000000000 -0500 @@ -100,6 +100,8 @@ fs_getattr_all_fs(ntpd_t) @@ -19690,7 +19911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.7.8/policy/modules/services/nut.fc --- nsaserefpolicy/policy/modules/services/nut.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/nut.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nut.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,16 @@ + +/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) @@ -19710,7 +19931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.7.8/policy/modules/services/nut.if --- nsaserefpolicy/policy/modules/services/nut.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/nut.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nut.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,58 @@ +## SELinux policy for NUT - Network UPS Tools + 
@@ -19772,7 +19993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.8/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/nut.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nut.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,188 @@ + +policy_module(nut, 1.0.0) @@ -19964,7 +20185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.8/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nx.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nx.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,7 +1,15 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) @@ -19984,7 +20205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.8/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nx.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nx.if 2010-02-02 10:31:03.000000000 -0500 @@ -17,3 +17,70 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) 
@@ -20058,7 +20279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.8/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nx.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nx.te 2010-02-02 10:31:03.000000000 -0500 @@ -25,6 +25,12 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -20095,7 +20316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.8/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/oddjob.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/oddjob.if 2010-02-02 10:31:03.000000000 -0500 @@ -44,6 +44,7 @@ ') @@ -20106,7 +20327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.8/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/oddjob.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/oddjob.te 2010-02-02 10:31:03.000000000 -0500 @@ -100,8 +100,7 @@ # Add/remove user home directories 
@@ -20120,7 +20341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.8/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/openvpn.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/openvpn.te 2010-02-02 10:31:03.000000000 -0500 @@ -41,7 +41,7 @@ # openvpn local policy # @@ -20158,7 +20379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open userdom_use_user_terminals(openvpn_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.8/policy/modules/services/pcscd.if --- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/pcscd.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/pcscd.if 2010-02-02 10:31:03.000000000 -0500 @@ -39,6 +39,44 @@ ######################################## @@ -20206,7 +20427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.8/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/pegasus.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/pegasus.te 2010-02-02 10:31:03.000000000 -0500 @@ -30,7 +30,7 @@ # Local policy # 
@@ -20280,7 +20501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.7.8/policy/modules/services/plymouth.fc --- nsaserefpolicy/policy/modules/services/plymouth.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/plymouth.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/plymouth.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,5 @@ +/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0) +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0) @@ -20289,7 +20510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.8/policy/modules/services/plymouth.if --- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/plymouth.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/plymouth.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,322 @@ +## policy for plymouthd + @@ -20615,7 +20836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.8/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/plymouth.te 2010-01-27 10:37:10.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/plymouth.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,101 @@ +policy_module(plymouthd, 1.0.0) + 
@@ -20720,7 +20941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.8/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/policykit.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/policykit.fc 2010-02-02 10:31:03.000000000 -0500 @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -20738,7 +20959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.8/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/policykit.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/policykit.if 2010-02-02 10:31:03.000000000 -0500 @@ -17,12 +17,37 @@ class dbus send_msg; ') @@ -20837,7 +21058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.8/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-28 09:30:05.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-02-02 10:31:03.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # 
@@ -20917,12 +21138,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -92,21 +118,25 @@ +@@ -92,21 +118,29 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) -kernel_read_system_state(policykit_auth_t) -- ++dev_read_video_dev(policykit_auth_t) + files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) +files_search_home(policykit_auth_t) @@ -20937,8 +21159,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli miscfiles_read_localization(policykit_auth_t) +miscfiles_read_fonts(policykit_auth_t) ++miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) userdom_dontaudit_read_user_home_content_files(policykit_auth_t) ++userdom_read_admin_home_files(policykit_auth_t) optional_policy(` - dbus_system_bus_client(policykit_auth_t) @@ -20946,7 +21170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -119,6 +149,14 @@ +@@ -119,6 +153,14 @@ hal_read_state(policykit_auth_t) ') @@ -20961,7 +21185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ######################################## # # polkit_grant local policy -@@ -126,7 +164,8 @@ +@@ -126,7 +168,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -20971,7 +21195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -156,9 +195,12 @@ +@@ -156,9 +199,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` 
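Review bot: `userdom_read_admin_home_files(policykit_auth_t)` in the `@@ -20937,8 +21159,10 @@` hunk on this line gives the polkit auth helper (policykit_auth_t, the domain of the polkit-*-helper binaries per the policykit.fc section above) read access to all of root's home content, which is much broader than the `files_search_home` and fonts-cache lines it sits beside, and nothing in the commit says which file triggered it. If the denial was for one specific file, a narrower interface or a dontaudit would keep the helper's privilege bounded; at minimum the rule should carry a comment such as `# polkit auth helper reads <FILE> under /root — see <BUG-ID>` so a later reviewer can re-check it. The same applies to `dev_read_video_dev(policykit_auth_t)` in the first hunk: a video-device read from an authentication helper is surprising enough to deserve a one-line justification.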
@@ -20985,7 +21209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -170,7 +212,8 @@ +@@ -170,7 +216,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -20997,7 +21221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.8/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/portreserve.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/portreserve.te 2010-02-02 10:31:03.000000000 -0500 @@ -21,6 +21,7 @@ # Portreserve local policy # @@ -21017,7 +21241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port corenet_tcp_bind_generic_node(portreserve_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.8/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/postfix.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/postfix.fc 2010-02-02 10:31:03.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) 
@@ -21033,7 +21257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.8/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/postfix.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/postfix.if 2010-02-02 10:31:03.000000000 -0500 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -21282,7 +21506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/postfix.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/postfix.te 2010-02-02 10:31:03.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # @@ -21685,7 +21909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.8/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/postgresql.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/postgresql.fc 2010-02-02 10:31:03.000000000 -0500 @@ -2,6 +2,8 @@ # /etc # 
@@ -21725,7 +21949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.8/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/postgresql.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/postgresql.if 2010-02-02 10:31:03.000000000 -0500 @@ -125,6 +125,23 @@ typeattribute $1 sepgsql_table_type; ') @@ -21799,7 +22023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.8/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/postgresql.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/postgresql.te 2010-02-02 10:31:03.000000000 -0500 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) 
@@ -21844,9 +22068,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post miscfiles_read_localization(postgresql_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.8/policy/modules/services/ppp.fc +--- nsaserefpolicy/policy/modules/services/ppp.fc 2009-07-23 14:11:04.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/services/ppp.fc 2010-02-02 10:31:03.000000000 -0500 +@@ -3,6 +3,7 @@ + # + /etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) + ++/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) + /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) + /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) + /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) +@@ -34,3 +35,4 @@ + + /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) + /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.8/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ppp.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ppp.if 2010-02-02 10:31:03.000000000 -0500 @@ -182,6 +182,10 @@ ppp_domtrans($1) role $2 types pppd_t; 
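Review bot: The new ppp.fc entry `/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)` leaves the dot unescaped, unlike `/etc/rc\.d/init\.d/ppp` two lines above it and `/root/\.razor(/.*)?` added to razor.fc in this same commit; since file_contexts entries are regular expressions the pattern also matches unrelated names such as `/root/xppprc`. It should read `/root/\.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)`. The second ppp.fc hunk only appends a trailing blank line and can be dropped.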
@@ -21860,8 +22100,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.8/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ppp.te 2010-01-18 15:18:03.000000000 -0500 -@@ -193,6 +193,8 @@ ++++ serefpolicy-3.7.8/policy/modules/services/ppp.te 2010-02-02 10:31:03.000000000 -0500 +@@ -66,14 +66,17 @@ + type pptp_var_run_t; + files_pid_file(pptp_var_run_t) + ++type pppd_home_t; ++files_type(pppd_secret_t) ++ + ######################################## + # + # PPPD Local policy + # + +-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override }; ++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override }; + dontaudit pppd_t self:capability sys_tty_config; +-allow pppd_t self:process signal; ++allow pppd_t self:process { getsched signal }; + allow pppd_t self:fifo_file rw_fifo_file_perms; + allow pppd_t self:socket create_socket_perms; + allow pppd_t self:unix_dgram_socket create_socket_perms; +@@ -193,6 +196,8 @@ optional_policy(` mta_send_mail(pppd_t) @@ -21870,7 +22130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -@@ -289,6 +291,7 @@ +@@ -289,6 +294,7 @@ userdom_dontaudit_use_unpriv_user_fds(pptp_t) userdom_dontaudit_search_user_home_dirs(pptp_t) 
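Review bot: `files_type(pppd_secret_t)` directly under the new `type pppd_home_t;` declaration in the ppp.te hunk looks like a copy-paste slip: pppd_home_t is declared but is given no attribute and is used by no rule in this hunk, while pppd_secret_t is presumably already declared and typed elsewhere in ppp.te (outside the hunk), making the line at best a duplicate. Either change it to `files_type(pppd_home_t)` and label the `/root/.ppprc` entry added to ppp.fc in the preceding hunk with pppd_home_t instead of pppd_etc_t, or remove the unused declaration. Separately, adding `sys_admin` to `allow pppd_t self:capability { ... }` grants the broadest capability there is; a comment naming the operation that required it (`# sys_admin: <OPERATION> — see <BUG-ID>`) would let a later reviewer confirm that no narrower capability or dontaudit suffices.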
@@ -21880,7 +22140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. consoletype_exec(pppd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.8/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/prelude.te 2010-01-26 09:32:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/prelude.te 2010-02-02 10:31:03.000000000 -0500 @@ -90,6 +90,7 @@ corenet_tcp_bind_prelude_port(prelude_t) corenet_tcp_connect_prelude_port(prelude_t) @@ -21900,7 +22160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel auth_use_nsswitch(prelude_lml_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.8/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/procmail.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/procmail.te 2010-02-02 10:31:03.000000000 -0500 @@ -22,7 +22,7 @@ # Local policy # @@ -21950,7 +22210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.8/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/puppet.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/puppet.te 2010-02-02 10:31:03.000000000 -0500 @@ -17,6 +17,7 @@ type puppet_t; type puppet_exec_t; 
@@ -21969,7 +22229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp init_script_file(puppetmaster_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.8/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/pyzor.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/pyzor.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -21983,7 +22243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.8/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/pyzor.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/pyzor.if 2010-02-02 10:31:03.000000000 -0500 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -22037,7 +22297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.8/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/pyzor.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/pyzor.te 2010-02-02 10:31:03.000000000 -0500 @@ -6,6 +6,38 @@ # Declarations # 
@@ -22104,7 +22364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.8/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/razor.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/razor.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) @@ -22112,7 +22372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.8/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/razor.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/razor.if 2010-02-02 10:31:03.000000000 -0500 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -22161,7 +22421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.8/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/razor.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/razor.te 2010-02-02 10:31:03.000000000 -0500 @@ -6,6 +6,32 @@ # Declarations # 
@@ -22215,7 +22475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.8/policy/modules/services/rdisc.if --- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rdisc.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rdisc.if 2010-02-02 10:31:03.000000000 -0500 @@ -1 +1,20 @@ ## Network router discovery daemon + @@ -22239,7 +22499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.8/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/rgmanager.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rgmanager.fc 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,8 @@ + +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) @@ -22251,7 +22511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.8/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/rgmanager.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rgmanager.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,59 @@ +## SELinux policy for rgmanager + 
@@ -22271,7 +22531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + ') + + corecmd_search_bin($1) -+ domrans_pattern($1,rgmanager_exec_t,rgmanager_t) ++ domtrans_pattern($1,rgmanager_exec_t,rgmanager_t) + +') + @@ -22314,7 +22574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.8/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/rgmanager.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rgmanager.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,186 @@ + +policy_module(rgmanager,1.0.0) @@ -22504,8 +22764,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.8/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/rhcs.fc 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,22 @@ ++++ serefpolicy-3.7.8/policy/modules/services/rhcs.fc 2010-02-02 10:31:03.000000000 -0500 +@@ -0,0 +1,24 @@ ++/dev/misc/dlm.* -- gen_context(system_u:object_r:dlm_control_dev_t,s0) + +/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) 
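Review bot: The new rhcs.fc entry `/dev/misc/dlm.* -- gen_context(system_u:object_r:dlm_control_dev_t,s0)` uses the `--` file-type specifier, which restricts the match to regular files, while the rule this commit adds later in rhcs.te (`allow dlm_controld_t dlm_control_dev_t:chr_file rw_chr_file_perms;`) and the `dev_node(dlm_control_dev_t)` declaration expect these to be character devices; as written, setfiles/restorecon would never apply the label and the allow rule would be dead. It should be `/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_dev_t,s0)`. Because the pattern is a regex, `dlm.*` also matches any node whose name starts with dlm; if the intended nodes have a known form, tightening the pattern avoids handing dlm_controld read/write on unrelated devices.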
@@ -22528,9 +22789,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.8/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/rhcs.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rhcs.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,367 @@ +## SELinux policy for RHCS - Red Hat Cluster Suite + @@ -22901,8 +23163,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.8/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/rhcs.te 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,410 @@ ++++ serefpolicy-3.7.8/policy/modules/services/rhcs.te 2010-02-02 10:31:26.000000000 -0500 +@@ -0,0 +1,422 @@ + +policy_module(rhcs,1.0.0) + @@ -22933,6 +23195,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +type dlm_controld_tmpfs_t; +files_tmpfs_file(dlm_controld_tmpfs_t) + ++type dlm_control_dev_t; ++dev_node(dlm_control_dev_t) + +type fenced_t; +type fenced_exec_t; 
@@ -23017,6 +23281,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +allow dlm_controld_t self:unix_dgram_socket { create_socket_perms }; +allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + ++allow dlm_controld_t dlm_control_dev_t:chr_file rw_chr_file_perms; ++ +manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) +manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) +fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file }) @@ -23051,6 +23317,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +miscfiles_read_localization(dlm_controld_t) + ++optional_policy(` ++ corosync_stream_connect(dlm_controld_t) ++') ++ +####################################### +# +# fenced local policy @@ -23183,6 +23453,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +miscfiles_read_localization(gfs_controld_t) + +optional_policy(` ++ corosync_stream_connect(gfs_controld_t) ++') ++ ++optional_policy(` + lvm_exec(gfs_controld_t) + dev_rw_lvm_control(gfs_controld_t) +') @@ -23315,7 +23589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.8/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ricci.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ricci.te 2010-02-02 10:31:03.000000000 -0500 @@ -194,10 +194,13 @@ # ricci_modcluster local policy # 
@@ -23407,7 +23681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.8/policy/modules/services/rpc.fc --- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rpc.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rpc.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,6 +1,10 @@ # # /etc @@ -23421,7 +23695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.8/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rpc.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rpc.if 2010-02-02 10:31:03.000000000 -0500 @@ -54,7 +54,7 @@ allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; @@ -23511,7 +23785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## Read NFS exported content. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.8/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rpc.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rpc.te 2010-02-02 10:31:03.000000000 -0500 @@ -37,8 +37,14 @@ # rpc_exec_t is the type of rpc daemon programs. rpc_domain_template(rpcd) 
@@ -23627,7 +23901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.7.8/policy/modules/services/rsync.fc --- nsaserefpolicy/policy/modules/services/rsync.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rsync.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rsync.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) @@ -23635,7 +23909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.8/policy/modules/services/rsync.if --- nsaserefpolicy/policy/modules/services/rsync.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rsync.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rsync.if 2010-02-02 10:31:03.000000000 -0500 @@ -103,3 +103,41 @@ can_exec($1, rsync_exec_t) @@ -23680,7 +23954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.8/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rsync.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rsync.te 2010-02-02 10:31:03.000000000 -0500 @@ -8,6 +8,13 @@ ## 
@@ -23740,7 +24014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn auth_can_read_shadow_passwords(rsync_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.8/policy/modules/services/rtkit.if --- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rtkit.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rtkit.if 2010-02-02 10:31:03.000000000 -0500 @@ -38,3 +38,23 @@ allow $1 rtkit_daemon_t:dbus send_msg; allow rtkit_daemon_t $1:dbus send_msg; @@ -23767,7 +24041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.8/policy/modules/services/rtkit.te --- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rtkit.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rtkit.te 2010-02-02 10:31:03.000000000 -0500 @@ -17,9 +17,11 @@ allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; @@ -23791,7 +24065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki policykit_dbus_chat(rtkit_daemon_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.8/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/samba.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/samba.fc 2010-02-02 10:31:03.000000000 -0500 @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) 
@@ -23802,7 +24076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.8/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/samba.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/samba.if 2010-02-02 10:31:03.000000000 -0500 @@ -62,6 +62,25 @@ ######################################## @@ -24018,7 +24292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.8/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/samba.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/samba.te 2010-02-02 10:31:03.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -24070,10 +24344,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -338,9 +351,12 @@ +@@ -337,10 +350,13 @@ + miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) - userdom_dontaudit_search_user_home_dirs(smbd_t) +-userdom_dontaudit_search_user_home_dirs(smbd_t) ++userdom_search_user_home_content(smbd_t) +userdom_signal_all_users(smbd_t) usermanage_read_crack_db(smbd_t) 
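Review bot: In the samba.te hunk `@@ -24070,10 +24344,12 @@`, replacing `userdom_dontaudit_search_user_home_dirs(smbd_t)` with `userdom_search_user_home_content(smbd_t)` turns a silenced denial into an unconditional allow: smbd_t can now traverse every user's home tree regardless of the samba_enable_home_dirs boolean that gates the rest of smbd's home-directory access earlier in samba.te (outside this hunk). If the goal is only to quiet the log, keep the dontaudit; if smbd genuinely needs to search home content, the allow belongs inside the tunable_policy block keyed on samba_enable_home_dirs so that the boolean keeps its meaning for administrators who leave it off. Either way the rule deserves a comment stating which share configuration needed it.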
@@ -24301,7 +24577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.8/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/sasl.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/sasl.te 2010-02-02 10:31:03.000000000 -0500 @@ -31,7 +31,7 @@ # Local policy # @@ -24366,7 +24642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.8/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/sendmail.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/sendmail.if 2010-02-02 10:31:03.000000000 -0500 @@ -277,3 +277,22 @@ sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; @@ -24392,7 +24668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/sendmail.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/sendmail.te 2010-02-02 10:31:03.000000000 -0500 @@ -30,7 +30,7 @@ # 
@@ -24473,7 +24749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.8/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.fc 2010-02-02 10:31:03.000000000 -0500 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) @@ -24482,7 +24758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.8/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.if 2010-02-02 10:31:03.000000000 -0500 @@ -16,8 +16,8 @@ ') @@ -24622,7 +24898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.8/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.te 2010-02-02 10:31:03.000000000 -0500 
@@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -24684,7 +24960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,77 @@ +@@ -94,23 +113,75 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -24701,16 +24977,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` -+ locate_read_lib_files(setroubleshootd_t) -+ ') -+ -+ optional_policy(` - dbus_system_bus_client(setroubleshootd_t) - dbus_connect_system_bus(setroubleshootd_t) -+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) +- dbus_system_bus_client(setroubleshootd_t) +- dbus_connect_system_bus(setroubleshootd_t) ++ locate_read_lib_files(setroubleshootd_t) ') optional_policy(` ++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ++') ++ ++optional_policy(` + rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) @@ -24766,7 +25042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.8/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/snmp.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/snmp.if 2010-02-02 10:31:03.000000000 -0500 @@ -69,6 +69,24 @@ ######################################## 
@@ -24794,7 +25070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.8/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/snmp.te 2010-01-19 08:13:42.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/snmp.te 2010-02-02 10:31:03.000000000 -0500 @@ -25,7 +25,7 @@ # # Local policy @@ -24806,7 +25082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp allow snmpd_t self:fifo_file rw_fifo_file_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.8/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/snort.te 2010-01-27 11:31:24.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/snort.te 2010-02-02 10:31:03.000000000 -0500 @@ -37,6 +37,7 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; @@ -24841,7 +25117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.8/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/spamassassin.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/spamassassin.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) 
@@ -24873,7 +25149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.8/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/spamassassin.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/spamassassin.if 2010-02-02 10:31:03.000000000 -0500 @@ -111,6 +111,45 @@ ') @@ -25002,7 +25278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/spamassassin.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/spamassassin.te 2010-02-02 10:31:03.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -25307,7 +25583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.8/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/squid.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/squid.te 2010-02-02 10:31:03.000000000 -0500 @@ -67,7 +67,9 @@ can_exec(squid_t, squid_exec_t) 
@@ -25338,7 +25614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.8/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ssh.fc 2010-01-18 15:27:58.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ssh.fc 2010-02-02 10:31:03.000000000 -0500 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) @@ -25347,7 +25623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.8/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ssh.if 2010-01-18 15:23:05.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ssh.if 2010-02-02 10:31:03.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -25496,7 +25772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ## Delete from the ssh temp files. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.8/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ssh.te 2010-01-18 15:26:09.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ssh.te 2010-02-02 10:31:03.000000000 -0500 @@ -111,9 +111,10 @@ manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -25632,7 +25908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Relabel and access ptys created by sshd diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.8/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/sssd.fc 2010-01-19 10:48:54.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/sssd.fc 2010-02-02 10:31:03.000000000 -0500 @@ -4,6 +4,8 @@ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) @@ -25644,7 +25920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.8/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/sssd.if 2010-01-22 09:59:38.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/sssd.if 2010-02-02 10:31:03.000000000 -0500 @@ -38,6 +38,25 @@ ######################################## @@ -25725,7 +26001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.8/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/sssd.te 2010-01-19 10:48:27.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/sssd.te 2010-02-02 10:31:03.000000000 -0500 @@ -13,6 +13,9 @@ type sssd_initrc_exec_t; init_script_file(sssd_initrc_exec_t) 
@@ -25774,7 +26050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd dbus_connect_system_bus(sssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.8/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/sysstat.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/sysstat.te 2010-02-02 10:31:03.000000000 -0500 @@ -19,14 +19,15 @@ # Local policy # @@ -25795,7 +26071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss # get info from /proc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.8/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/telnet.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/telnet.te 2010-02-02 10:31:03.000000000 -0500 @@ -85,6 +85,7 @@ remotelogin_domtrans(telnetd_t) @@ -25806,7 +26082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln kerberos_keytab_template(telnetd, telnetd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.7.8/policy/modules/services/tftp.if --- nsaserefpolicy/policy/modules/services/tftp.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/tftp.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/tftp.if 2010-02-02 10:31:03.000000000 -0500 @@ -2,6 +2,44 @@ ######################################## 
@@ -25854,7 +26130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.8/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/tftp.te 2010-01-18 18:12:28.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/tftp.te 2010-02-02 10:31:03.000000000 -0500 @@ -50,9 +50,8 @@ manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) @@ -25868,7 +26144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp corenet_all_recvfrom_netlabel(tftpd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.8/policy/modules/services/tgtd.if --- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/tgtd.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/tgtd.if 2010-02-02 10:31:03.000000000 -0500 @@ -9,3 +9,20 @@ ##

##
@@ -25892,7 +26168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.8/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/tgtd.te 2010-01-26 08:47:40.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/tgtd.te 2010-02-02 10:31:03.000000000 -0500 @@ -60,7 +60,7 @@ files_read_etc_files(tgtd_t) @@ -25904,7 +26180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.8/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/tor.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/tor.te 2010-02-02 10:31:03.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -25938,7 +26214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.8/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/tuned.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/tuned.te 2010-02-02 10:31:03.000000000 -0500 @@ -27,6 +27,7 @@ files_pid_filetrans(tuned_t, tuned_var_run_t, file) 
@@ -25947,9 +26223,108 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
 kernel_read_system_state(tuned_t)
 kernel_read_network_state(tuned_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc
+--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,4 @@
++
++/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
++
++/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+\ No newline at end of file
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.8/policy/modules/services/usbmuxd.if
+--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.if 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,39 @@
++## Daemon for communicating with Apple's iPod Touch and iPhone
++
++########################################
++##
++## Execute a domain transition to run usbmuxd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`usbmuxd_domtrans',`
++ gen_require(`
++ type usbmuxd_t, usbmuxd_exec_t;
++ ')
++
++ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
++')
++
++#####################################
++##
++## Connect to usbmuxd over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usbmuxd_stream_connect',`
++ gen_require(`
++ type usbmuxd_t, usbmuxd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.8/policy/modules/services/usbmuxd.te
+--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.te 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,43 @@
++policy_module(usbmuxd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type usbmuxd_t;
++type usbmuxd_exec_t;
++application_domain(usbmuxd_t, usbmuxd_exec_t)
++
++type usbmuxd_var_run_t;
++files_pid_file(usbmuxd_var_run_t)
++
++permissive usbmuxd_t;
++
++########################################
++#
++# usbmuxd local policy
++#
++
++allow usbmuxd_t self:capability { kill setgid setuid };
++allow usbmuxd_t self:process { fork };
++
++# Init script handling
++domain_use_interactive_fds(usbmuxd_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
++allow usbmuxd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
++manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
++manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
++files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
++
++files_read_etc_files(usbmuxd_t)
++
++miscfiles_read_localization(usbmuxd_t)
++
++auth_use_nsswitch(usbmuxd_t)
++
++logging_send_syslog_msg(usbmuxd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.8/policy/modules/services/uucp.te
 --- nsaserefpolicy/policy/modules/services/uucp.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/uucp.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/uucp.te 2010-02-02 10:31:03.000000000 -0500
 @@ -1,5 +1,5 @@
 -policy_module(uucp, 1.10.1)
@@ -25976,7 +26351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.8/policy/modules/services/vhostmd.fc
 --- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/vhostmd.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/vhostmd.fc 2010-02-02 10:31:03.000000000 -0500
 @@ -0,0 +1,6 @@
 +
 +/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
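Review bot: `permissive usbmuxd_t;` in the new usbmuxd.te ships the whole module unenforced, so none of the allow rules below it are actually exercised by this change and denials will only be logged; if it is a bring-up measure, a comment such as `# TODO: drop permissive once the denials collected on F12 are folded in` above it records the intent and gives something to track before the domain is considered confined. The domain is declared with application_domain() and nothing in the hunk calls the new usbmuxd_domtrans interface, so it is not visible from this patch which domain transitions into usbmuxd_t (presumably udev or init — worth stating in the .te). The local policy grants no access to USB device nodes, which a USB multiplexing daemon presumably needs (dev_rw_generic_usb_dev or similar), so expect that to be the first denial reported while the domain is permissive. Minor: usbmuxd.fc ends without a trailing newline (`\ No newline at end of file`).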
@@ -25986,7 +26361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.8/policy/modules/services/vhostmd.if --- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/vhostmd.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/vhostmd.if 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,228 @@ + +## policy for vhostmd @@ -26218,7 +26593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.8/policy/modules/services/vhostmd.te --- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/vhostmd.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/vhostmd.te 2010-02-02 10:31:03.000000000 -0500 @@ -0,0 +1,84 @@ + +policy_module(vhostmd,1.0.0) @@ -26306,7 +26681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.8/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/virt.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/virt.fc 2010-02-02 10:31:03.000000000 -0500 @@ -4,9 +4,26 @@ /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) 
@@ -26336,7 +26711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.8/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/virt.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/virt.if 2010-02-02 10:31:03.000000000 -0500 @@ -136,7 +136,7 @@ ') @@ -26592,7 +26967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.8/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/virt.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/virt.te 2010-02-02 10:31:03.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -27017,7 +27392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.8/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/w3c.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/w3c.te 2010-02-02 10:31:03.000000000 -0500 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) 
@@ -27039,7 +27414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.8/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-01-28 08:44:25.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-02-02 10:31:03.000000000 -0500 @@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -27101,7 +27476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,17 +94,40 @@ +@@ -89,17 +94,42 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -27132,6 +27507,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0) + +/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) 
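Review bot: The new `/var/run/lxdm(/*.)?` entry in xserver.fc has its regex quantifier misplaced: `(/*.)?` means "zero or more slashes followed by exactly one character", which does not match the directory's contents (`/var/run/lxdm/foo`) and does match unrelated names such as `/var/run/lxdmX`. The sibling entries in the same hunk use `(/.*)?`; the line should read `/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)`. Because file-context regexes are matched against the whole path, files under that directory would fall back to whatever more general /var/run entry applies instead of xdm_var_run_t, which is the label the xdm_t rules elsewhere in this patch rely on.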
@@ -27147,7 +27524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-02-02 10:31:03.000000000 -0500 @@ -19,7 +19,7 @@ interface(`xserver_restricted_role',` gen_require(` @@ -27611,7 +27988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-28 08:43:20.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-02-02 10:31:03.000000000 -0500 @@ -36,6 +36,13 @@ ## @@ -27774,7 +28151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,30 +274,49 @@ +@@ -250,30 +274,52 @@ fs_manage_cifs_files(iceauth_t) ') 
@@ -27816,19 +28193,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) - domain_use_interactive_fds(xauth_t) ++domain_dontaudit_leaks(xauth_t) files_read_etc_files(xauth_t) +files_read_usr_files(xauth_t) files_search_pids(xauth_t) +files_dontaudit_getattr_all_dirs(xauth_t) ++files_dontaudit_leaks(xauth_t) +files_var_lib_filetrans(xauth_t, xauth_home_t, file) -fs_getattr_xattr_fs(xauth_t) ++fs_dontaudit_leaks(xauth_t) +fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -283,6 +326,14 @@ +@@ -283,6 +329,14 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -27843,7 +28223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_xdm_tmp_files(xauth_t) -@@ -294,6 +345,15 @@ +@@ -294,6 +348,15 @@ fs_manage_cifs_files(xauth_t) ') @@ -27859,7 +28239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +365,31 @@ +@@ -305,20 +368,31 @@ # XDM Local policy # @@ -27894,7 +28274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -334,22 +405,40 @@ +@@ -334,22 +408,40 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -27938,7 +28318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -363,6 +452,7 @@ +@@ -363,6 +455,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; 
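Review bot: The three new `domain_dontaudit_leaks(xauth_t)`, `files_dontaudit_leaks(xauth_t)` and `fs_dontaudit_leaks(xauth_t)` calls silence AVC records for descriptors inherited into xauth_t without saying which caller leaks them, which makes the suppression hard to revisit later and hides a class of denial that is useful when triaging unexpected process relationships. A comment above the group such as `# callers (display managers / sshd, to be confirmed) leak fds into xauth; dontaudit rather than widen access` records the decision. `fs_getattr_all_fs(xauth_t)` also replaces the narrower `fs_getattr_xattr_fs(xauth_t)`; if the motivating denial was for a single filesystem type, the narrower interface is preferable. The xauth_t block starts and continues outside this hunk.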
@@ -27946,7 +28326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,10 +461,14 @@ +@@ -371,10 +464,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -27962,7 +28342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -394,11 +488,13 @@ +@@ -394,11 +491,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -27976,7 +28356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +502,7 @@ +@@ -406,6 +505,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -27984,7 +28364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +511,21 @@ +@@ -414,18 +514,21 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -28009,7 +28389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +536,15 @@ +@@ -436,9 +539,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -28025,7 +28405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,6 +553,7 @@ +@@ -447,6 +556,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28033,7 +28413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -455,6 +562,7 @@ +@@ -455,6 +565,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -28041,7 +28421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +573,12 @@ +@@ -465,10 +576,12 @@ logging_read_generic_logs(xdm_t) @@ -28056,7 +28436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +587,11 @@ +@@ -477,6 +590,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -28068,7 +28448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +624,12 @@ +@@ -509,10 +627,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28081,7 +28461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +637,49 @@ +@@ -520,12 +640,49 @@ ') optional_policy(` @@ -28131,7 +28511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,9 +697,42 @@ +@@ -543,9 +700,43 @@ ') optional_policy(` 
@@ -28154,6 +28534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +optional_policy(` + pulseaudio_exec(xdm_t) + pulseaudio_dbus_chat(xdm_t) ++ pulseaudio_stream_connect(xdm_t) +') + +optional_policy(` @@ -28174,7 +28555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -555,8 +742,9 @@ +@@ -555,8 +746,9 @@ ') optional_policy(` @@ -28186,7 +28567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +753,6 @@ +@@ -565,7 +757,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28194,7 +28575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +763,10 @@ +@@ -576,6 +767,10 @@ ') optional_policy(` @@ -28205,7 +28586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +791,9 @@ +@@ -600,10 +795,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -28217,7 +28598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +805,18 @@ +@@ -615,6 +809,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -28236,7 +28617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +836,19 @@ +@@ -634,12 +840,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28258,7 +28639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +882,6 @@ +@@ -673,7 +886,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -28266,7 +28647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +891,12 @@ +@@ -683,9 +895,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28280,7 +28661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +911,12 @@ +@@ -700,8 +915,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28293,7 +28674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,6 +938,7 @@ +@@ -723,6 +942,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28301,7 +28682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser modutils_domtrans_insmod(xserver_t) -@@ -779,12 +995,20 @@ +@@ -779,12 +999,20 @@ ') optional_policy(` 
@@ -28323,7 +28704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1035,7 @@ +@@ -811,7 +1039,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -28332,7 +28713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1056,14 @@ +@@ -832,9 +1060,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28347,7 +28728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1078,14 @@ +@@ -849,11 +1082,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -28364,7 +28745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -1000,17 +1232,32 @@ +@@ -1000,17 +1236,32 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28411,7 +28792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.8/policy/modules/services/zebra.if --- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/zebra.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/zebra.if 2010-02-02 10:31:03.000000000 -0500 @@ -24,6 +24,26 @@ ######################################## 
@@ -28441,7 +28822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.8/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/application.te 2010-01-21 15:16:58.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/application.te 2010-02-02 10:31:03.000000000 -0500 @@ -7,6 +7,13 @@ # Executables to be run by user attribute application_exec_type; @@ -28458,7 +28839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic ssh_rw_stream_sockets(application_domain_type) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.8/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/authlogin.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/authlogin.fc 2010-02-02 10:31:03.000000000 -0500 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -28486,7 +28867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/authlogin.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/authlogin.if 2010-02-02 10:31:03.000000000 -0500 @@ -40,17 +40,76 @@ ## ## 
@@ -28804,7 +29185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/authlogin.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/authlogin.te 2010-02-02 10:31:03.000000000 -0500 @@ -103,8 +103,10 @@ fs_dontaudit_getattr_xattr_fs(chkpwd_t) @@ -28837,7 +29218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # PAM local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.8/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/fstools.fc 2010-01-27 09:25:00.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/fstools.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -28857,7 +29238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.8/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/fstools.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/fstools.te 2010-02-02 10:31:03.000000000 -0500 @@ -118,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) 
@@ -28879,7 +29260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.8/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/getty.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/getty.te 2010-02-02 10:31:03.000000000 -0500 @@ -56,11 +56,10 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) files_pid_filetrans(getty_t, getty_var_run_t, file) 
@@ -28895,9 +29276,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. dev_read_sysfs(getty_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.8/policy/modules/system/hostname.te +--- nsaserefpolicy/policy/modules/system/hostname.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/system/hostname.te 2010-02-02 10:31:03.000000000 -0500 +@@ -27,15 +27,18 @@ + + dev_read_sysfs(hostname_t) + ++domain_dontaudit_leaks(hostname_t) + domain_use_interactive_fds(hostname_t) + + files_read_etc_files(hostname_t) ++files_dontaudit_leaks(hostname_t) + files_dontaudit_search_var(hostname_t) + # for when /usr is not mounted: + files_dontaudit_search_isid_type_dirs(hostname_t) + + fs_getattr_xattr_fs(hostname_t) + fs_search_auto_mountpoints(hostname_t) ++fs_dontaudit_leaks(hostname_t) + fs_dontaudit_use_tmpfs_chr_dev(hostname_t) + + term_dontaudit_use_console(hostname_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.8/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/hotplug.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/hotplug.te 2010-02-02 10:31:03.000000000 -0500 @@ -125,6 +125,10 @@ ') @@ -28911,7 +29314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.8/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/init.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/init.fc 2010-02-02 10:31:03.000000000 -0500 @@ -4,10 +4,10 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) 
@@ -28937,7 +29340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.8/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/init.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/init.if 2010-02-02 10:45:19.000000000 -0500 @@ -162,6 +162,7 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -29037,7 +29440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -646,19 +685,39 @@ +@@ -646,23 +685,43 @@ # interface(`init_domtrans_script',` gen_require(` @@ -29058,11 +29461,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -29075,12 +29478,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## @@ -923,6 +982,24 @@ allow $1 init_script_file_type:file read_file_perms; ') @@ -29141,7 +29548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ## Create files in a init script ## temporary data directory. ## -@@ -1540,3 +1636,51 @@ +@@ -1540,3 +1636,75 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -29193,9 +29600,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') ++ ++######################################## ++## ++## dontaudit read and write an leaked init scrip file descriptors ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`init_dontaudit_script_leaks',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ dontaudit $1 initrc_t:tcp_socket { read write }; ++ dontaudit $1 initrc_t:unix_dgram_socket { read write }; ++ dontaudit $1 initrc_t:unix_stream_socket { read write }; ++ dontaudit $1 initrc_t:shm rw_shm_perms; ++ init_dontaudit_use_script_ptys($1) ++ init_dontaudit_use_script_fds($1) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/init.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/init.te 2010-02-02 10:31:03.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -29801,7 +30232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.8/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/ipsec.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/ipsec.fc 2010-02-02 10:31:03.000000000 -0500 @@ -37,6 +37,8 @@ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) 
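Review bot: The summary of the new `init_dontaudit_script_leaks` interface reads `dontaudit read and write an leaked init scrip file descriptors`, which has two typos and understates the interface: besides descriptors it also suppresses tcp/unix socket and shm access to initrc_t and chains to the pty and fd dontaudits. Suggest `## Do not audit reads and writes on file descriptors, sockets, shared memory and ptys leaked from init scripts.` so the generated documentation shows the real scope. The `dontaudit $1 initrc_t:shm rw_shm_perms;` line goes beyond the descriptor-leak case the name implies; if a specific caller needs it, a comment naming that caller would help.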
@@ -29814,7 +30245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. -/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.8/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/ipsec.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/ipsec.if 2010-02-02 10:31:03.000000000 -0500 @@ -39,6 +39,25 @@ ######################################## @@ -29934,7 +30365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.8/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/ipsec.te 2010-01-27 11:40:13.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/ipsec.te 2010-02-02 10:31:03.000000000 -0500 @@ -29,9 +29,15 @@ type ipsec_key_file_t; files_type(ipsec_key_file_t) @@ -30059,7 +30490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +userdom_read_user_tmp_files(setkey_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.8/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/iptables.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/iptables.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,13 +1,16 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) 
@@ -30082,7 +30513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.8/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/iptables.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/iptables.te 2010-02-02 10:31:03.000000000 -0500 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -30108,7 +30539,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -63,6 +61,7 @@ +@@ -53,6 +51,7 @@ + kernel_use_fds(iptables_t) + + corenet_relabelto_all_packets(iptables_t) ++corenet_dontaudit_rw_tun_tap_dev(iptables_t) + + dev_read_sysfs(iptables_t) + +@@ -63,6 +62,7 @@ mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -30116,7 +30555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl domain_use_interactive_fds(iptables_t) -@@ -89,6 +88,7 @@ +@@ -89,6 +89,7 @@ optional_policy(` fail2ban_append_log(iptables_t) @@ -30124,7 +30563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` -@@ -122,5 +122,10 @@ +@@ -122,5 +123,10 @@ ') optional_policy(` 
@@ -30137,19 +30576,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.8/policy/modules/system/iscsi.fc --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/iscsi.fc 2010-01-18 15:18:03.000000000 -0500 -@@ -1,4 +1,6 @@ ++++ serefpolicy-3.7.8/policy/modules/system/iscsi.fc 2010-02-02 10:31:03.000000000 -0500 +@@ -1,5 +1,10 @@ -/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -+ + +-/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) +/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) - - /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) ++ ++/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_lock_t,s0) /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) ++ ++/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) ++ + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.8/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/iscsi.te 2010-01-18 15:18:03.000000000 -0500 -@@ -35,10 +35,13 @@ ++++ serefpolicy-3.7.8/policy/modules/system/iscsi.te 2010-02-02 10:31:03.000000000 -0500 +@@ -14,6 +14,9 @@ + type iscsi_lock_t; + files_lock_file(iscsi_lock_t) + ++type iscsid_log_t; ++logging_log_file(iscsid_log_t) ++ + type iscsi_tmp_t; + files_tmp_file(iscsi_tmp_t) + +@@ -35,16 +38,22 @@ allow iscsid_t self:unix_dgram_socket create_socket_perms; allow iscsid_t self:sem create_sem_perms; allow iscsid_t self:shm create_shm_perms; 
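Review bot: The new file-context entry labels `/var/log/brcm-iscsi\.log` as `iscsi_lock_t`, while the iscsi.te part of the same hunk introduces `iscsid_log_t` with `logging_log_file(iscsid_log_t)` and the following hunk gives iscsid_t `logging_log_filetrans(iscsid_t, iscsid_log_t, file)`. A log the daemon creates will carry iscsid_log_t, but a relabel will turn it into iscsi_lock_t, and every rule written against the lock type then applies to the log as well. The entry should read `/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsid_log_t,s0)`, or the new log type should be dropped if the lock label is really intended.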
@@ -30164,7 +30618,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) files_lock_filetrans(iscsid_t, iscsi_lock_t, file) -@@ -54,6 +57,7 @@ +-allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; +-allow iscsid_t iscsi_tmp_t:file manage_file_perms; +-fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file ) ++manage_files_pattern(iscsid_t, iscsid_log_t, iscsid_log_t) ++logging_log_filetrans(iscsid_t, iscsid_log_t, file) ++ ++manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) ++manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) ++fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } ) + + allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; + read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) +@@ -54,6 +63,7 @@ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) @@ -30172,7 +30638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. kernel_read_system_state(iscsid_t) kernel_search_debugfs(iscsid_t) -@@ -67,13 +71,21 @@ +@@ -67,13 +77,21 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) @@ -30196,7 +30662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/libraries.fc 2010-01-26 15:36:44.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/libraries.fc 2010-02-02 10:31:03.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt 
@@ -30550,10 +31016,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + +/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/opt/real/RealPlayer/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.8/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/libraries.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/libraries.if 2010-02-02 10:31:03.000000000 -0500 @@ -17,6 +17,7 @@ corecmd_search_bin($1) @@ -30582,7 +31048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/libraries.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/libraries.te 2010-02-02 10:31:03.000000000 -0500 @@ -58,11 +58,11 @@ # ldconfig local policy # 
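Review bot: Replacing `/opt/real/RealPlayer/plugins/oggfformat\.so` with `/opt/real/RealPlayer/plugins(/.*)?` labels every regular file under the plugins directory as `textrel_shlib_t`, the type that carries the text-relocation (execmod) exemption, instead of the one library that was known to need it. Anything later dropped into that directory, library or not, inherits the exemption. If several plugins need it, a pattern limited to shared objects, e.g. `/opt/real/RealPlayer/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, keeps the label off everything else.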
@@ -30646,7 +31112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.8/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/locallogin.te 2010-01-21 08:29:33.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/locallogin.te 2010-02-02 10:31:03.000000000 -0500 @@ -33,7 +33,7 @@ # Local login local policy # @@ -30744,8 +31210,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.8/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/logging.fc 2010-01-18 15:18:03.000000000 -0500 -@@ -51,17 +51,21 @@ ++++ serefpolicy-3.7.8/policy/modules/system/logging.fc 2010-02-02 10:31:03.000000000 -0500 +@@ -51,17 +51,22 @@ ifdef(`distro_redhat',` /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) @@ -30771,9 +31237,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + ++/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.8/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/logging.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/logging.if 2010-02-02 10:31:03.000000000 -0500 @@ -69,6 +69,20 @@ ######################################## 
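Review bot: `/var/webmin(/.*)?` labels the whole webmin tree as generic `var_log_t`, so every domain granted access to generic logs now reaches whatever webmin keeps there, and webmin's own files can be read or managed by any of them. If that tree holds only logs this is fine; if it also holds state or configuration (not visible from the hunk), a dedicated type or a pattern limited to the log files would be narrower. At minimum a short comment saying why the generic log type was chosen would help the next reader.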
@@ -30817,7 +31284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-02-02 10:31:03.000000000 -0500 @@ -123,10 +123,10 @@ allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; @@ -30914,7 +31381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; -@@ -461,6 +481,10 @@ +@@ -461,10 +481,18 @@ ') optional_policy(` @@ -30925,9 +31392,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin inn_manage_log(syslogd_t) ') + optional_policy(` ++ mysql_stream_connect(syslogd_t) ++') ++ ++optional_policy(` + postgresql_stream_connect(syslogd_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.8/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/lvm.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/lvm.te 2010-02-02 10:31:03.000000000 -0500 @@ -142,6 +142,10 @@ ') 
@@ -30968,7 +31443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.8/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/miscfiles.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/miscfiles.fc 2010-02-02 10:31:03.000000000 -0500 @@ -42,6 +42,7 @@ /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -30988,7 +31463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.8/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/miscfiles.if 2010-01-18 17:31:02.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/miscfiles.if 2010-02-02 10:31:03.000000000 -0500 @@ -73,7 +73,8 @@ # interface(`miscfiles_read_fonts',` @@ -31083,7 +31558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.8/policy/modules/system/miscfiles.te --- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/miscfiles.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/miscfiles.te 2010-02-02 10:31:03.000000000 -0500 @@ -19,6 +19,9 @@ type fonts_t; files_type(fonts_t) 
@@ -31096,7 +31571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.8/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/modutils.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/modutils.te 2010-02-02 10:31:03.000000000 -0500 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -31188,7 +31663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.8/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/mount.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/mount.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,4 +1,9 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -31202,7 +31677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.8/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/mount.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/mount.if 2010-02-02 10:31:03.000000000 -0500 @@ -16,6 +16,7 @@ ') 
@@ -31292,7 +31767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/mount.te 2010-01-25 10:51:48.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/mount.te 2010-02-02 10:31:03.000000000 -0500 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -31421,15 +31896,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -117,6 +155,7 @@ +@@ -117,6 +155,8 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) ++userdom_read_user_home_content_symlinks(mount_t) ifdef(`distro_redhat',` optional_policy(` -@@ -132,10 +171,17 @@ +@@ -132,10 +172,17 @@ ') ') @@ -31447,7 +31923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -165,6 +211,8 @@ +@@ -165,6 +212,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -31456,7 +31932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +220,25 @@ +@@ -172,6 +221,25 @@ ') optional_policy(` @@ -31482,7 +31958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +246,11 @@ +@@ -179,6 +247,11 @@ ') ') @@ -31494,7 +31970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +258,11 @@ +@@ -186,6 +259,15 @@ optional_policy(` samba_domtrans_smbmount(mount_t) 
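Review bot: The new `+userdom_read_user_home_content_symlinks(mount_t)` in the inner hunk `@@ -117,6 +155,8 @@` carries no comment saying which mount path needs mount_t to read user-owned symlinks; since mount_t is a privileged init-started domain and home-content symlinks are user-writable, the grant deserves a one-line rationale such as `# mount points reached through symlinks in user home dirs (presumably the gvfs/fuse cases; confirm)`. Recording it next to the existing `userdom_manage_user_home_content_dirs(mount_t)` lets a later reader tell that both grants are intended rather than leftovers from debugging a denial. The remainder of this outer hunk only renumbers inner hunk headers, and the mount.te body continues outside the hunk.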
@@ -31502,11 +31978,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') + +optional_policy(` ++ usbmuxd_stream_connect(mount_t) ++') ++ ++optional_policy(` + vmware_exec_host(mount_t) ') ######################################## -@@ -195,5 +272,9 @@ +@@ -195,5 +277,9 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) @@ -31519,7 +31999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.8/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/raid.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/raid.te 2010-02-02 10:31:03.000000000 -0500 @@ -51,11 +51,13 @@ dev_dontaudit_getattr_generic_chr_files(mdadm_t) dev_dontaudit_getattr_generic_blk_files(mdadm_t) @@ -31536,7 +32016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_dontaudit_list_tmpfs(mdadm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.8/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.fc 2010-02-02 10:31:03.000000000 -0500 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) 
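Review bot: `usbmuxd_stream_connect(mount_t)` is added in its own `optional_policy` block without a comment naming the mount helper that needs the usbmuxd socket; a why-comment like `# mounting iOS devices over usbmuxd (presumably the ifuse/afc helpers; confirm)` would record the intent. Wrapping the call in `optional_policy` is correct since `usbmuxd` is a separately enabled module (it is declared in the modules-*.conf changes of this same commit), and placing the block between the samba and vmware blocks keeps the file's alphabetical order. The enclosing mount.te section continues outside the hunk.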
@@ -31578,7 +32058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.8/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.if 2010-02-02 10:31:03.000000000 -0500 @@ -351,6 +351,27 @@ ######################################## @@ -31936,7 +32416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.te 2010-02-02 10:31:03.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -32322,7 +32802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.8/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.fc 2010-02-02 10:31:03.000000000 -0500 @@ -11,15 +11,24 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) 
@@ -32364,7 +32844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.8/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.if 2010-02-02 10:31:03.000000000 -0500 @@ -43,6 +43,36 @@ sysnet_domtrans_dhcpc($1) @@ -32543,7 +33023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.8/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.te 2010-01-27 11:22:49.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.te 2010-02-02 10:31:03.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -32769,7 +33249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.8/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/udev.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/udev.if 2010-02-02 10:31:03.000000000 -0500 @@ -186,6 +186,7 @@ dev_list_all_dev_nodes($1) 
@@ -32780,7 +33260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/udev.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/udev.te 2010-02-02 10:31:03.000000000 -0500 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -32830,7 +33310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t xen_manage_log(udev_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.8/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/unconfined.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/unconfined.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,16 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: @@ -32850,7 +33330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/unconfined.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/unconfined.if 2010-02-02 10:31:03.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` 
@@ -33357,7 +33837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/unconfined.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/unconfined.te 2010-02-02 10:31:03.000000000 -0500 @@ -5,227 +5,5 @@ # # Declarations @@ -33589,7 +34069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.8/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/userdomain.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/userdomain.fc 2010-02-02 10:31:03.000000000 -0500 @@ -1,4 +1,11 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -33605,7 +34085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-01-27 11:14:58.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-02 10:31:03.000000000 -0500 @@ -30,8 +30,9 @@ ') 
@@ -35988,7 +36468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.8/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/userdomain.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/userdomain.te 2010-02-02 10:31:03.000000000 -0500 @@ -8,13 +8,6 @@ ## @@ -36079,7 +36559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +allow userdomain userdomain:process signull; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.8/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/xen.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/xen.if 2010-02-02 10:31:03.000000000 -0500 @@ -180,6 +180,25 @@ ######################################## @@ -36108,7 +36588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.8/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/xen.te 2010-01-25 11:49:09.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/xen.te 2010-02-02 10:31:03.000000000 -0500 @@ -85,6 +85,7 @@ type xenconsoled_t; type xenconsoled_exec_t; 
@@ -36188,13 +36668,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te files_search_mnt(xend_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.8/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt 2010-02-02 10:31:03.000000000 -0500 @@ -28,7 +28,7 @@ # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') -+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') ++define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') # 
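Review bot: Adding `socket` to `socket_class_set` widens every rule written against that macro, because `socket` is the generic class the kernel uses for address families that have no dedicated socket class, so any domain granted permissions on `socket_class_set` now also gets them for those families. The macro is used in broad allow and dontaudit rules across the policy, so the addition should be explained in the comment block above the define, e.g. `# 'socket' is the generic class for families without their own class; included so rules over all socket classes also cover them`. The define remains a single very long line, which makes one-token additions like this hard to review in a diff; a wrapped form would help future changes.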
@@ -36252,7 +36732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.8/policy/users --- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/users 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/users 2010-02-02 10:31:03.000000000 -0500 @@ -6,7 +6,7 @@ # # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) diff --git a/selinux-policy.spec b/selinux-policy.spec index 947f49ec..c0c05c86 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.8 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -284,8 +284,6 @@ else # if first time update booleans.local needs to be copied to sandbox [ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/ [ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers - grep -q "^SETLOCALDEFS" /etc/selinux/config || echo -n " -">> /etc/selinux/config fi exit 0 @@ -459,6 +457,9 @@ exit 0 %endif %changelog +* Mon Feb 1 2010 Dan Walsh 3.7.8-6 +- Lots of fixes found in F12 + * Thu Jan 27 2010 Dan Walsh 3.7.8-5 - Fix rpm_dontaudit_leaks diff --git a/sources b/sources index d1a2e3fe..3b5d2a75 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -3651679c4b12a31d2ba5f4305bba5540 config.tgz 6ed233bfd5c6a20877d98e74f967ce0f serefpolicy-3.7.8.tgz +4c7d323036f1662a06a7a4f2a7da57a5 config.tgz
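Review bot: The %post scriptlet change in `@@ -284,8 +284,6 @@` drops the `grep -q "^SETLOCALDEFS" /etc/selinux/config || echo -n ... >> /etc/selinux/config` step, but the new %changelog entry only says `- Lots of fixes found in F12`, leaving the scriptlet change undocumented in the package history. A bullet such as `- Stop appending SETLOCALDEFS to /etc/selinux/config in %post` would record it. The removed command appears to have written a raw line break into the config file via `echo -n`, so dropping it looks reasonable provided nothing else in the `else` branch (which continues outside this hunk) still expects that key to be present.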