diff --git a/.cvsignore b/.cvsignore
index b9326c7e..fb7870a5 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -119,3 +119,4 @@ serefpolicy-2.6.3.tgz
 serefpolicy-2.6.4.tgz
 serefpolicy-2.6.5.tgz
 serefpolicy-3.0.1.tgz
+serefpolicy-3.0.2.tgz
diff --git a/policy-20070525.patch b/policy-20070703.patch
similarity index 79%
rename from policy-20070525.patch
rename to policy-20070703.patch
index d86d80cb..5a9e6fe7 100644
--- a/policy-20070525.patch
+++ b/policy-20070703.patch
@@ -1,14 +1,14 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts serefpolicy-3.0.2/config/appconfig-strict-mls/guest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts 2007-06-26 07:57:11.000000000 -0400
++++ serefpolicy-3.0.2/config/appconfig-strict-mls/guest_u_default_contexts 2007-07-03 13:08:19.000000000 -0400
@@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_crond_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts serefpolicy-3.0.2/config/appconfig-strict-mls/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/config/appconfig-strict-mls/staff_u_default_contexts 2007-07-03 13:08:19.000000000 -0400 @@ -0,0 +1,9 @@ +system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +system_r:remote_login_t:s0 staff_r:staff_t:s0 @@ -19,9 +19,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/ +staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/user_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/user_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/user_u_default_contexts serefpolicy-3.0.2/config/appconfig-strict-mls/user_u_default_contexts --- nsaserefpolicy/config/appconfig-strict-mls/user_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/config/appconfig-strict-mls/user_u_default_contexts 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/config/appconfig-strict-mls/user_u_default_contexts 2007-07-03 13:08:19.000000000 -0400 
@@ -0,0 +1,7 @@ +system_r:local_login_t:s0 user_r:user_t:s0 +system_r:remote_login_t:s0 user_r:user_t:s0 @@ -30,38 +30,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/ +system_r:xdm_t:s0 user_r:user_t:s0 +user_r:user_su_t:s0 user_r:user_t:s0 +user_r:user_sudo_t:s0 user_r:user_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/default_type serefpolicy-3.0.1/config/appconfig-targeted-mcs/default_type +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/default_type serefpolicy-3.0.2/config/appconfig-targeted-mcs/default_type --- nsaserefpolicy/config/appconfig-targeted-mcs/default_type 2007-05-25 09:09:09.000000000 -0400 -+++ serefpolicy-3.0.1/config/appconfig-targeted-mcs/default_type 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/default_type 2007-07-03 13:08:19.000000000 -0400 @@ -1 +1,4 @@ system_r:unconfined_t +sysadm_r:sysadm_t +staff_r:staff_t +user_r:user_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/guest_u_default_contexts serefpolicy-3.0.1/config/appconfig-targeted-mcs/guest_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/guest_u_default_contexts serefpolicy-3.0.2/config/appconfig-targeted-mcs/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-targeted-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/config/appconfig-targeted-mcs/guest_u_default_contexts 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/guest_u_default_contexts 2007-07-03 13:08:19.000000000 -0400 
@@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_crond_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/initrc_context serefpolicy-3.0.1/config/appconfig-targeted-mcs/initrc_context +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/initrc_context serefpolicy-3.0.2/config/appconfig-targeted-mcs/initrc_context --- nsaserefpolicy/config/appconfig-targeted-mcs/initrc_context 2007-05-25 09:09:09.000000000 -0400 -+++ serefpolicy-3.0.1/config/appconfig-targeted-mcs/initrc_context 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/initrc_context 2007-07-03 13:08:19.000000000 -0400 @@ -1 +1 @@ -user_u:system_r:initrc_t:s0 +system_u:system_r:initrc_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/seusers serefpolicy-3.0.1/config/appconfig-targeted-mcs/seusers +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/seusers serefpolicy-3.0.2/config/appconfig-targeted-mcs/seusers --- nsaserefpolicy/config/appconfig-targeted-mcs/seusers 2007-05-31 15:35:39.000000000 -0400 -+++ serefpolicy-3.0.1/config/appconfig-targeted-mcs/seusers 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/seusers 2007-07-03 13:08:19.000000000 -0400 
@@ -1,2 +1,2 @@ root:root:s0-mcs_systemhigh -__default__:user_u:s0 +__default__:system_u:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/staff_u_default_contexts serefpolicy-3.0.1/config/appconfig-targeted-mcs/staff_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/staff_u_default_contexts serefpolicy-3.0.2/config/appconfig-targeted-mcs/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-targeted-mcs/staff_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/config/appconfig-targeted-mcs/staff_u_default_contexts 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/staff_u_default_contexts 2007-07-03 13:08:19.000000000 -0400 @@ -0,0 +1,9 @@ +system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +system_r:remote_login_t:s0 staff_r:staff_t:s0 @@ -72,9 +72,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mc +staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/user_u_default_contexts serefpolicy-3.0.1/config/appconfig-targeted-mcs/user_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/user_u_default_contexts serefpolicy-3.0.2/config/appconfig-targeted-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-targeted-mcs/user_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/config/appconfig-targeted-mcs/user_u_default_contexts 2007-07-02 10:59:10.000000000 -0400 ++++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/user_u_default_contexts 2007-07-03 13:08:19.000000000 -0400 
@@ -0,0 +1,7 @@ +system_r:local_login_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0 +system_r:remote_login_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0 @@ -83,9 +83,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mc +system_r:xdm_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0 +user_r:user_su_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0 +user_r:user_sudo_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.0.1/Makefile +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.0.2/Makefile --- nsaserefpolicy/Makefile 2007-05-29 13:53:56.000000000 -0400 -+++ serefpolicy-3.0.1/Makefile 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/Makefile 2007-07-03 13:08:19.000000000 -0400 @@ -158,8 +158,18 @@ headerdir = $(modpkgdir)/include docsdir = $(prefix)/share/doc/$(PKGNAME) @@ -115,9 +115,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.0.1/M M4PARAM += -D enable_mcs CHECKPOLICY += -M CHECKMODULE += -M -diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.0.1/man/man8/ftpd_selinux.8 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.0.2/man/man8/ftpd_selinux.8 --- nsaserefpolicy/man/man8/ftpd_selinux.8 2007-05-25 09:09:10.000000000 -0400 -+++ serefpolicy-3.0.1/man/man8/ftpd_selinux.8 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/man/man8/ftpd_selinux.8 2007-07-03 13:08:19.000000000 -0400 @@ -12,7 +12,7 @@ .TP chcon -R -t public_content_t /var/ftp 
@@ -127,9 +127,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere .TP chcon -t public_content_rw_t /var/ftp/incoming .TP -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.1/policy/flask/access_vectors +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.2/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2007-06-19 16:23:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/flask/access_vectors 2007-06-26 16:20:20.000000000 -0400 ++++ serefpolicy-3.0.2/policy/flask/access_vectors 2007-07-03 13:08:19.000000000 -0400 @@ -598,6 +598,8 @@ shmempwd shmemgrp @@ -148,14 +148,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors } class key -@@ -653,3 +657,4 @@ - { - mmap_zero - } -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.1/policy/global_tunables +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.2/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/global_tunables 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/global_tunables 2007-07-03 13:08:19.000000000 -0400 @@ -133,3 +133,10 @@ ## gen_tunable(write_untrusted_content,false) 
@@ -167,9 +162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +## +gen_tunable(allow_console_login,false) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.1/policy/mls ---- nsaserefpolicy/policy/mls 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/mls 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.2/policy/mls +--- nsaserefpolicy/policy/mls 2007-07-03 07:06:36.000000000 -0400 ++++ serefpolicy-3.0.2/policy/mls 2007-07-03 13:08:19.000000000 -0400 @@ -89,12 +89,14 @@ mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton } (( l1 eq l2 ) or @@ -209,7 +204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.1 (( l1 dom l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); -@@ -177,8 +191,9 @@ +@@ -177,17 +191,17 @@ ( t1 == mlsnetread )); # the socket "write" ops 
@@ -221,7 +216,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.1 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ( t1 == mlsnetwrite )); -@@ -274,7 +289,8 @@ +-# used by netlabel to restrict normal domains to same level connections unless the connection is unlabeled ++# used by netlabel to restrict normal domains to same level connections + mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom + (( l1 eq l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or +- ( t1 == mlsnetread ) or +- ( t2 == unlabeled_t )); ++ ( t1 == mlsnetread )); + + # these access vectors have no MLS restrictions + # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } +@@ -275,7 +289,8 @@ # the netif/node "write" ops (implicit single level socket doing the write) mlsconstrain { netif node } { tcp_send udp_send rawip_send } @@ -231,7 +237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.1 # these access vectors have no MLS restrictions # node enforce_dest -@@ -581,7 +597,8 @@ +@@ -582,7 +597,8 @@ ( t2 == unlabeled_t )); mlsconstrain association { sendto } 
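Review bot: The recvfrom constraint newly carried in the nested policy/mls hunk drops `( t2 == unlabeled_t )` from `mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom`, yet the `netif node` send and `association` hunks that follow in this same patch still keep `( t2 == unlabeled_t )` as context, so unlabeled peers are now exempted for netif/association checks but not for socket receive. If that asymmetry is intended, the rewritten comment should say so rather than just shortening the old one, e.g. `# used by netlabel to restrict normal domains to same level connections; unlabeled peers get no exemption here (see netif/association rules below)`. The practical impact depends on the level the initial SID contexts give unlabeled_t, which is not in this hunk; if it is system-high, domains lacking mlsnetread/mlsnetreadtoclr would presumably lose network receive on hosts without NetLabel, which deserves a line in the commit description. The nested hunk's header is rewritten in the preceding outer hunk (`+@@ -177,17 +191,17 @@`) and the rest of its body lies outside this one.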
@@ -241,9 +247,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.1 ( t2 == unlabeled_t )); mlsconstrain association { polmatch } -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.0.1/policy/modules/admin/acct.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.0.2/policy/modules/admin/acct.te --- nsaserefpolicy/policy/modules/admin/acct.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/acct.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/acct.te 2007-07-03 13:08:19.000000000 -0400 @@ -9,6 +9,7 @@ type acct_t; type acct_exec_t; @@ -252,9 +258,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te type acct_data_t; logging_log_file(acct_data_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.1/policy/modules/admin/alsa.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.2/policy/modules/admin/alsa.fc --- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/alsa.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/alsa.fc 2007-07-03 13:08:19.000000000 -0400 @@ -1,4 +1,7 @@ /etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) 
@@ -263,9 +269,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.1/policy/modules/admin/alsa.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.2/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/alsa.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/alsa.te 2007-07-03 13:08:19.000000000 -0400 @@ -20,20 +20,24 @@ # Local policy # 
@@ -309,45 +315,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te + hal_write_log(alsa_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.0.1/policy/modules/admin/amanda.te ---- nsaserefpolicy/policy/modules/admin/amanda.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/amanda.te 2007-06-19 17:06:27.000000000 -0400 -@@ -70,7 +70,7 @@ - - allow amanda_t self:capability { chown dac_override setuid kill }; - allow amanda_t self:process { setpgid signal }; --allow amanda_t self:fifo_file { getattr read write ioctl lock }; -+allow amanda_t self:fifo_file rw_fifo_file_perms; - allow amanda_t self:unix_stream_socket create_stream_socket_perms; - allow amanda_t self:unix_dgram_socket create_socket_perms; - allow amanda_t self:tcp_socket create_stream_socket_perms; -@@ -85,18 +85,22 @@ - - # access to amandas data structure - allow amanda_t amanda_data_t:dir { read search write }; --allow amanda_t amanda_data_t:file { read write }; -+allow amanda_t amanda_data_t:file manage_file_perms; - - # access to amanda_dumpdates_t - allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; - - can_exec(amanda_t,amanda_exec_t) -+can_exec(amanda_t,amanda_inetd_exec_t) - - # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) - allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; - allow amanda_t amanda_gnutarlists_t:file manage_file_perms; - allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms; - -+manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t) -+manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t) -+ - manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t) - manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t) - logging_log_filetrans(amanda_t,amanda_log_t,{ file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te 
serefpolicy-3.0.1/policy/modules/admin/anaconda.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.2/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/anaconda.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/anaconda.te 2007-07-03 13:08:19.000000000 -0400 @@ -37,10 +37,6 @@ userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) @@ -359,9 +329,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond kudzu_domtrans(anaconda_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.1/policy/modules/admin/bootloader.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.2/policy/modules/admin/bootloader.te --- nsaserefpolicy/policy/modules/admin/bootloader.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/bootloader.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/bootloader.te 2007-07-03 13:08:19.000000000 -0400 @@ -182,6 +182,7 @@ optional_policy(` 
@@ -370,9 +340,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.1/policy/modules/admin/consoletype.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.2/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/consoletype.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/consoletype.te 2007-07-03 13:08:19.000000000 -0400 @@ -8,12 +8,21 @@ type consoletype_t; @@ -417,9 +387,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console logrotate_dontaudit_use_fds(consoletype_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.1/policy/modules/admin/kudzu.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.2/policy/modules/admin/kudzu.te --- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/kudzu.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/kudzu.te 2007-07-03 13:08:19.000000000 -0400 @@ -21,8 +21,8 @@ # Local policy # 
@@ -456,9 +426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t ifdef(`TODO',` allow kudzu_t modules_conf_t:file unlink; optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.1/policy/modules/admin/logrotate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.2/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/logrotate.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/logrotate.te 2007-07-03 13:08:20.000000000 -0400 @@ -75,11 +75,13 @@ mls_file_read_up(logrotate_t) mls_file_write_down(logrotate_t) @@ -497,9 +467,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota slrnpull_manage_spool(logrotate_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.1/policy/modules/admin/logwatch.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.2/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/logwatch.te 2007-06-21 13:45:59.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/logwatch.te 2007-07-03 13:08:20.000000000 -0400 @@ -30,7 +30,6 @@ allow logwatch_t self:process signal; allow logwatch_t self:fifo_file rw_file_perms; 
@@ -550,9 +520,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.1/policy/modules/admin/netutils.te ---- nsaserefpolicy/policy/modules/admin/netutils.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/netutils.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.2/policy/modules/admin/netutils.te +--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-07-03 07:06:36.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/netutils.te 2007-07-03 13:08:20.000000000 -0400 @@ -29,6 +29,7 @@ type traceroute_t; type traceroute_exec_t; @@ -561,9 +531,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil role system_r types traceroute_t; ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.1/policy/modules/admin/prelink.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.2/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/prelink.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/prelink.te 2007-07-03 13:08:20.000000000 -0400 @@ -26,7 +26,7 @@ # Local policy # 
@@ -596,17 +566,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink optional_policy(` amanda_manage_lib(prelink_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.fc serefpolicy-3.0.1/policy/modules/admin/readahead.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.fc serefpolicy-3.0.2/policy/modules/admin/readahead.fc --- nsaserefpolicy/policy/modules/admin/readahead.fc 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/readahead.fc 2007-06-21 13:48:19.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/readahead.fc 2007-07-03 13:08:20.000000000 -0400 @@ -2,3 +2,4 @@ # /usr # /usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0) +/etc/readahead.d(/.*)? gen_context(system_u:object_r:readahead_etc_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.if serefpolicy-3.0.1/policy/modules/admin/readahead.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.if serefpolicy-3.0.2/policy/modules/admin/readahead.if --- nsaserefpolicy/policy/modules/admin/readahead.if 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/readahead.if 2007-06-21 05:28:20.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/readahead.if 2007-07-03 13:08:20.000000000 -0400 @@ -1 +1,20 @@ ## Readahead, read files into page cache for improved performance + 
@@ -628,9 +598,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe + corecmd_search_bin($1) + domtrans_pattern($1,readahead_exec_t,readahead_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.0.1/policy/modules/admin/readahead.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.0.2/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/readahead.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/readahead.te 2007-07-03 13:08:20.000000000 -0400 @@ -13,14 +13,20 @@ type readahead_var_run_t; files_pid_file(readahead_var_run_t) @@ -670,9 +640,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe +optional_policy(` + logging_dontaudit_search_audit_config(readahead_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.0.1/policy/modules/admin/rpm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.0.2/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/rpm.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/rpm.fc 2007-07-03 13:08:20.000000000 -0400 @@ -21,6 +21,9 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -683,9 +653,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc ') /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.1/policy/modules/admin/rpm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.2/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/rpm.if 2007-06-21 09:42:50.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/rpm.if 2007-07-03 13:08:20.000000000 -0400 @@ -210,6 +210,24 @@ ######################################## @@ -808,9 +778,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + + dontaudit $1 rpm_tmp_t:file rw_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.1/policy/modules/admin/rpm.te ---- nsaserefpolicy/policy/modules/admin/rpm.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/rpm.te 2007-06-22 11:15:22.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.2/policy/modules/admin/rpm.te +--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-07-03 07:06:36.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/rpm.te 2007-07-03 13:08:20.000000000 -0400 @@ -9,6 +9,8 @@ type rpm_t; type rpm_exec_t; 
@@ -820,14 +790,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_obj_id_change_exemption(rpm_t) domain_role_change_exemption(rpm_t) domain_system_change_exemption(rpm_t) -@@ -366,3 +368,4 @@ - usermanage_domtrans_groupadd(rpm_script_t) - usermanage_domtrans_useradd(rpm_script_t) - ') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.1/policy/modules/admin/sudo.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.2/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/sudo.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/sudo.if 2007-07-03 13:08:20.000000000 -0400 @@ -69,7 +69,6 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; @@ -874,9 +839,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if nis_use_ypbind($1_sudo_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.0.1/policy/modules/admin/su.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.0.2/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/su.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/su.if 2007-07-03 13:08:20.000000000 -0400 @@ -41,12 +41,11 @@ allow $2 $1_su_t:process signal; 
@@ -969,9 +934,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ifdef(`TODO',` allow $1_su_t $1_home_t:file manage_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.if serefpolicy-3.0.1/policy/modules/admin/tmpreaper.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.if serefpolicy-3.0.2/policy/modules/admin/tmpreaper.if --- nsaserefpolicy/policy/modules/admin/tmpreaper.if 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/tmpreaper.if 2007-06-21 05:40:18.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/tmpreaper.if 2007-07-03 13:08:20.000000000 -0400 @@ -2,6 +2,25 @@ ######################################## @@ -998,9 +963,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap ## Execute tmpreaper in the caller domain. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.0.1/policy/modules/admin/usermanage.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.0.2/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/usermanage.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/usermanage.if 2007-07-03 13:08:20.000000000 -0400 @@ -278,5 +278,5 @@ type crack_db_t; ') 
@@ -1008,9 +973,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman - allow $1 crack_db_t:file read_file_perms; + read_files_pattern($1,crack_db_t,crack_db_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.1/policy/modules/admin/usermanage.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.2/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/usermanage.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/usermanage.te 2007-07-03 13:08:20.000000000 -0400 @@ -99,6 +99,7 @@ dev_read_urand(chfn_t) @@ -1152,18 +1117,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman rpm_rw_pipes(useradd_t) + rpm_dontaudit_rw_tmp_files(useradd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.1/policy/modules/admin/vbetool.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.2/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/admin/vbetool.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/admin/vbetool.te 2007-07-03 13:08:20.000000000 -0400 
@@ -32,4 +32,5 @@ optional_policy(` hal_rw_pid_files(vbetool_t) + hal_write_log(vbetool_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if serefpolicy-3.0.1/policy/modules/apps/ada.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if serefpolicy-3.0.2/policy/modules/apps/ada.if --- nsaserefpolicy/policy/modules/apps/ada.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/ada.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/ada.if 2007-07-03 13:08:20.000000000 -0400 @@ -18,3 +18,34 @@ corecmd_search_bin($1) domtrans_pattern($1, ada_exec_t, ada_t) @@ -1199,9 +1164,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if s + role $2 types ada_t; + allow ada_t $3:chr_file rw_term_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.fc serefpolicy-3.0.1/policy/modules/apps/games.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.fc serefpolicy-3.0.2/policy/modules/apps/games.fc --- nsaserefpolicy/policy/modules/apps/games.fc 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/games.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/games.fc 2007-07-03 13:08:20.000000000 -0400 @@ -1,22 +1,16 @@ # # /usr 
@@ -1228,9 +1193,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.fc /usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0) /usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0) /usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.1/policy/modules/apps/gnome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.2/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/gnome.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/gnome.if 2007-07-03 13:08:20.000000000 -0400 @@ -35,6 +35,7 @@ template(`gnome_per_role_template',` gen_require(` @@ -1290,10 +1255,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ##

##

## This is a templated interface, and should only -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.1/policy/modules/apps/java.if ---- nsaserefpolicy/policy/modules/apps/java.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/java.if 2007-06-19 17:06:27.000000000 -0400 -@@ -220,3 +220,66 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.2/policy/modules/apps/java.if +--- nsaserefpolicy/policy/modules/apps/java.if 2007-07-03 07:05:43.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/java.if 2007-07-03 13:08:20.000000000 -0400 +@@ -221,3 +221,66 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -1360,9 +1325,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + role $2 types java_t; + allow java_t $3:chr_file rw_term_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.0.1/policy/modules/apps/loadkeys.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.0.2/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/loadkeys.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/loadkeys.te 2007-07-03 13:08:20.000000000 -0400 @@ -40,3 +40,8 @@ locallogin_use_fds(loadkeys_t) 
@@ -1372,9 +1337,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys + nscd_dontaudit_search_pid(loadkeys_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.1/policy/modules/apps/mono.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.2/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/mono.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/mono.if 2007-07-03 13:08:20.000000000 -0400 @@ -18,3 +18,52 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) @@ -1428,9 +1393,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + role $2 types mono_t; + allow mono_t $3:chr_file rw_term_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.1/policy/modules/apps/mozilla.if ---- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-06-11 16:05:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/mozilla.if 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.2/policy/modules/apps/mozilla.if +--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-07-03 07:05:43.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/mozilla.if 2007-07-03 13:08:20.000000000 -0400 @@ -53,6 +53,14 @@ type $1_mozilla_tmpfs_t; files_tmpfs_file($1_mozilla_tmpfs_t) @@ -1487,7 +1452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; -@@ -170,6 +196,8 @@ +@@ -171,6 +197,8 @@ fs_list_inotifyfs($1_mozilla_t) fs_rw_tmpfs_files($1_mozilla_t) 
@@ -1496,7 +1461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. term_dontaudit_getattr_pty_dirs($1_mozilla_t) libs_use_ld_so($1_mozilla_t) -@@ -185,12 +213,9 @@ +@@ -186,12 +214,9 @@ sysnet_dns_name_resolve($1_mozilla_t) sysnet_read_config($1_mozilla_t) @@ -1512,7 +1477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) -@@ -212,133 +237,6 @@ +@@ -213,133 +238,6 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -1646,7 +1611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. optional_policy(` apache_read_user_scripts($1,$1_mozilla_t) apache_read_user_content($1,$1_mozilla_t) -@@ -362,6 +260,7 @@ +@@ -363,6 +261,7 @@ optional_policy(` gnome_stream_connect_gconf_template($1,$1_mozilla_t) @@ -1654,7 +1619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -385,25 +284,6 @@ +@@ -386,25 +285,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -1680,7 +1645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -576,3 +456,27 @@ +@@ -577,3 +457,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') 
@@ -1708,9 +1673,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + + allow $2 $1_mozilla_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.0.1/policy/modules/apps/mozilla.te ---- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-06-11 16:05:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/mozilla.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.0.2/policy/modules/apps/mozilla.te +--- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-07-03 07:05:43.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/mozilla.te 2007-07-03 13:08:20.000000000 -0400 @@ -6,13 +6,6 @@ # Declarations # @@ -1725,9 +1690,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. type mozilla_conf_t; files_config_file(mozilla_conf_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.0.1/policy/modules/apps/slocate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.0.2/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2007-06-15 14:54:31.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/slocate.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/slocate.te 2007-07-03 13:08:20.000000000 -0400 @@ -29,6 +29,8 @@ manage_dirs_pattern(locate_t,locate_var_lib_t,locate_var_lib_t) manage_files_pattern(locate_t,locate_var_lib_t,locate_var_lib_t) 
@@ -1737,40 +1702,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. kernel_read_system_state(locate_t) kernel_dontaudit_search_sysctl(locate_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.0.1/policy/modules/apps/thunderbird.if ---- nsaserefpolicy/policy/modules/apps/thunderbird.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/thunderbird.if 2007-06-19 17:06:27.000000000 -0400 -@@ -104,6 +104,7 @@ - - # Startup shellscript - corecmd_exec_shell($1_thunderbird_t) -+ corecmd_exec_bin($1_thunderbird_t) - - corenet_non_ipsec_sendrecv($1_thunderbird_t) - corenet_tcp_sendrecv_generic_if($1_thunderbird_t) -@@ -162,7 +163,9 @@ - userdom_manage_user_tmp_sockets($1,$1_thunderbird_t) - # .kde/....gtkrc - userdom_read_user_home_content_files($1,$1_thunderbird_t) -- -+ userdom_dontaudit_use_user_terminals($1,$1_thunderbird_t) -+ userdom_user_home_dir_filetrans($1,$1_thunderbird_t, $1_thunderbird_home_t,dir) -+ - xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t) - xserver_read_xdm_tmp_files($1_thunderbird_t) - xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t) -@@ -299,7 +302,7 @@ - files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,dir) - userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t) - userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t) -- userdom_user_home_dir_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir }) -+ userdom_user_home_dir_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, file) - userdom_user_home_content_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir }) - ',` - files_dontaudit_list_home($1_thunderbird_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.0.1/policy/modules/apps/userhelper.if +diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.0.2/policy/modules/apps/userhelper.if --- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/userhelper.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/userhelper.if 2007-07-03 13:08:20.000000000 -0400 @@ -131,6 +131,7 @@ term_use_all_user_ptys($1_userhelper_t) @@ -1779,9 +1713,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp auth_manage_pam_pid($1_userhelper_t) auth_manage_var_auth($1_userhelper_t) auth_search_pam_console_data($1_userhelper_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.1/policy/modules/apps/vmware.fc ---- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/vmware.fc 2007-06-21 05:45:56.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.2/policy/modules/apps/vmware.fc +--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-07-03 07:05:43.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/vmware.fc 2007-07-03 13:08:20.000000000 -0400 @@ -23,6 +23,7 @@ /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) 
@@ -1790,9 +1724,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f /usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.1/policy/modules/apps/vmware.te ---- nsaserefpolicy/policy/modules/apps/vmware.te 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/vmware.te 2007-07-01 21:06:08.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.2/policy/modules/apps/vmware.te +--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-07-03 07:05:43.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/vmware.te 2007-07-03 13:08:20.000000000 -0400 @@ -29,7 +29,7 @@ allow vmware_host_t self:capability { setuid net_raw }; @@ -1802,7 +1736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t allow vmware_host_t self:fifo_file rw_fifo_file_perms; allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; allow vmware_host_t self:rawip_socket create_socket_perms; -@@ -55,6 +55,8 @@ +@@ -56,6 +56,8 @@ corenet_tcp_sendrecv_all_ports(vmware_host_t) corenet_udp_sendrecv_all_ports(vmware_host_t) corenet_raw_bind_all_nodes(vmware_host_t) 
@@ -1811,9 +1745,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t corenet_tcp_connect_all_ports(vmware_host_t) corenet_sendrecv_all_client_packets(vmware_host_t) corenet_sendrecv_all_server_packets(vmware_host_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.1/policy/modules/apps/wine.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.2/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/apps/wine.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/apps/wine.if 2007-07-03 13:08:20.000000000 -0400 @@ -18,3 +18,34 @@ corecmd_search_bin($1) domtrans_pattern($1, wine_exec_t, wine_t) @@ -1849,9 +1783,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if + role $2 types wine_t; + allow wine_t $3:chr_file rw_term_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.1/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/corecommands.fc 2007-06-21 06:07:11.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.2/policy/modules/kernel/corecommands.fc +--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-07-03 07:05:38.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/corecommands.fc 2007-07-03 13:08:20.000000000 -0400 @@ -36,6 +36,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) 
@@ -1864,7 +1798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -216,6 +221,7 @@ +@@ -217,6 +222,7 @@ /usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -1872,51 +1806,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -244,6 +250,7 @@ - /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) - - /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) - /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -252,3 +259,5 @@ - ifdef(`distro_suse',` - /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) - ') -+/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.0.1/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/corecommands.if 2007-06-19 17:06:27.000000000 -0400 -@@ -980,3 +980,23 @@ - - mmap_files_pattern($1,bin_t,exec_type) - ') -+ -+######################################## -+##

-+## dontaudit checking for execute privs on all executables -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corecmd_dontaudit_exec_all_executables',` -+ gen_require(` -+ attribute exec_type; -+ ') -+ -+ dontaudit $1 exec_type:file execute; -+') -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.1/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-30 11:47:28.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/corenetwork.te.in 2007-06-20 15:42:14.000000000 -0400 -@@ -48,6 +48,11 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.2/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/corenetwork.te.in 2007-07-03 13:08:20.000000000 -0400 +@@ -55,6 +55,11 @@ type reserved_port_t, port_type, reserved_port_type; # @@ -1928,7 +1821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene # server_packet_t is the default type of IPv4 and IPv6 server packets. # type server_packet_t, packet_type, server_packet_type; -@@ -86,10 +91,10 @@ +@@ -93,10 +98,10 @@ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(howl, tcp,5335,s0, udp,5353,s0) 
@@ -1941,7 +1834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(innd, tcp,119,s0) network_port(ipp, tcp,631,s0, udp,631,s0) network_port(ircd, tcp,6667,s0) -@@ -101,12 +106,13 @@ +@@ -108,12 +113,13 @@ network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) @@ -1957,7 +1850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(nessus, tcp,1241,s0) network_port(netsupport, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) -@@ -154,12 +160,15 @@ +@@ -161,12 +167,15 @@ network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) network_port(xen, tcp,8002,s0) @@ -1974,9 +1867,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.1/policy/modules/kernel/devices.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.2/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-06-15 14:54:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/devices.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/devices.fc 2007-07-03 13:08:20.000000000 -0400 @@ -127,3 +127,7 @@ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) 
@@ -1985,9 +1878,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) +/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.1/policy/modules/kernel/devices.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.2/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-06-15 14:54:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/devices.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/devices.if 2007-07-03 13:08:20.000000000 -0400 @@ -2803,6 +2803,24 @@ ######################################## @@ -2013,9 +1906,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Do not audit attempts to get the attributes ## of a directory in the usb filesystem. ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.1/policy/modules/kernel/domain.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.2/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2007-06-19 16:23:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/domain.if 2007-06-22 14:11:30.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/domain.if 2007-07-03 13:08:20.000000000 -0400 @@ -45,6 +45,11 @@ # start with basic domain domain_base_type($1) 
@@ -2057,9 +1950,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + + allow $1 domain:association { sendto recvfrom }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.1/policy/modules/kernel/domain.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.2/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-06-19 16:23:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/domain.te 2007-06-22 14:10:08.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/domain.te 2007-07-03 13:08:20.000000000 -0400 @@ -6,6 +6,29 @@ # Declarations # 
@@ -2116,28 +2009,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + ipsec_labeled(domain) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.1/policy/modules/kernel/files.fc ---- nsaserefpolicy/policy/modules/kernel/files.fc 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/files.fc 2007-06-19 17:06:27.000000000 -0400 -@@ -45,7 +45,6 @@ - /etc -d gen_context(system_u:object_r:etc_t,s0) - /etc/.* gen_context(system_u:object_r:etc_t,s0) - /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) --/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -54,6 +53,7 @@ - /etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) - /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) -+/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.1/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/files.if 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.2/policy/modules/kernel/files.if +--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/files.if 2007-07-03 
13:08:20.000000000 -0400 @@ -343,8 +343,7 @@ ######################################## @@ -2188,46 +2062,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -987,7 +1003,7 @@ - attribute file_type; - ') - -- dontaudit $1 file_type:dir search; -+ dontaudit $1 file_type:dir search_dir_perms; - ') - - ######################################## -@@ -1315,7 +1331,7 @@ - type boot_t; - ') - -- dontaudit $1 boot_t:dir search; -+ dontaudit $1 boot_t:dir search_dir_perms; - ') - - ######################################## -@@ -3305,6 +3321,42 @@ +@@ -3323,6 +3339,24 @@ ######################################## ## -+## Add and remove entries from /usr directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_usr_dirs',` -+ gen_require(` -+ type usr_t; -+ ') -+ -+ allow $1 usr_t:dir rw_dir_perms; -+') -+ -+######################################## -+## +## Create, read, write, and delete files in the /usr directory. +## +## 
@@ -2249,50 +2087,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Get the attributes of files in /usr. ## ## -@@ -3381,6 +3433,24 @@ +@@ -3381,7 +3415,7 @@ ######################################## ## -+## Relabel a file from the type used in /usr. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabelfrom_usr_files',` -+ gen_require(` -+ type usr_t; -+ ') -+ -+ relabelfrom_files_pattern($1,usr_t,usr_t) -+') -+ -+######################################## -+## - ## Read symbolic links in /usr. +-## Create, read, write, and delete files in the /usr directory. ++## Relabel a file to the type used in /usr. ## ## -@@ -3632,7 +3702,7 @@ - type var_t; + ## +@@ -3389,17 +3423,17 @@ + ## + ## + # +-interface(`files_manage_usr_files',` ++interface(`files_relabelto_usr_files',` + gen_require(` + type usr_t; ') -- dontaudit $1 var_t:dir search; -+ dontaudit $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, usr_t, usr_t) ++ relabelto_files_pattern($1,usr_t,usr_t) ') ######################################## -@@ -3988,7 +4058,7 @@ - type var_lock_t; + ## +-## Relabel a file to the type used in /usr. ++## Relabel a file from the type used in /usr. + ## + ## + ## +@@ -3407,12 +3441,12 @@ + ## + ## + # +-interface(`files_relabelto_usr_files',` ++interface(`files_relabelfrom_usr_files',` + gen_require(` + type usr_t; ') -- dontaudit $1 var_lock_t:dir search; -+ dontaudit $1 var_lock_t:dir search_dir_perms; +- relabelto_files_pattern($1,usr_t,usr_t) ++ relabelfrom_files_pattern($1,usr_t,usr_t) ') ######################################## -@@ -4007,7 +4077,7 @@ +@@ -4043,7 +4077,7 @@ type var_t, var_lock_t; ') 
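Review bot: The new inner hunks at `@@ -3381,7 +3415,7 @@` and `@@ -3389,17 +3423,17 @@` turn upstream's `files_manage_usr_files` into `files_relabelto_usr_files` (`-	manage_files_pattern($1, usr_t, usr_t)` becomes `+	relabelto_files_pattern($1,usr_t,usr_t)`) and upstream's `files_relabelto_usr_files` into `files_relabelfrom_usr_files`, so the net interface set only stays intact because the preceding outer hunk still inserts a separate copy of `files_manage_usr_files` at 3339. That makes the two hunks coupled: if the 3339 insertion is ever rejected on a later rebase, the manage-files interface silently disappears and every module that calls `files_manage_usr_files` fails to build, while a reader of this patch sees an apparent rename rather than the intended pure addition of a relabelfrom interface. Since upstream 3.0.2 appears to ship `files_manage_usr_files` already (its text sits on the `-` side of the inner hunk), the patch should be regenerated so it drops its own copy at 3339 and adds `files_relabelfrom_usr_files` as a plain insertion after the existing `files_relabelto_usr_files`; the current shape looks like a diff alignment artifact, not a deliberate change.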
@@ -2301,16 +2141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4176,7 +4246,7 @@ - type var_run_t; - ') - -- dontaudit $1 var_run_t:dir search; -+ dontaudit $1 var_run_t:dir search_dir_perms; - ') - - ######################################## -@@ -4524,6 +4594,8 @@ +@@ -4560,6 +4594,8 @@ # Need to give access to /selinux/member selinux_compute_member($1) @@ -2319,7 +2150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin }; -@@ -4546,6 +4618,8 @@ +@@ -4582,6 +4618,8 @@ # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -2328,7 +2159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4583,3 +4657,28 @@ +@@ -4619,3 +4657,28 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') 
@@ -2357,175 +2188,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + allow $1 root_t:dir rw_dir_perms; + allow $1 root_t:file { create getattr write }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.1/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-07-01 21:12:31.000000000 -0400 -@@ -1096,6 +1096,24 @@ - - ######################################## - ## -+## Search dosfs filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_search_dos',` -+ gen_require(` -+ type dosfs_t; -+ ') -+ -+ allow $1 dosfs_t:dir search_dir_perms; -+') -+ -+######################################## -+## - ## Read files on a DOS filesystem. - ## - ## -@@ -1291,6 +1309,26 @@ - - ######################################## - ## -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_getattr_iso9660_files',` -+ gen_require(` -+ type iso9660_t; -+ ') -+ -+ allow $1 iso9660_t:dir list_dir_perms; -+ allow $1 iso9660_t:file getattr; -+') -+ -+######################################## -+## - ## Mount a NFS filesystem. - ## - ## -@@ -3420,3 +3458,22 @@ - relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) - relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) - ') -+ -+ -+######################################## -+## -+## Mount an fuse filesystem. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`fs_mount_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:filesystem mount; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.1/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.te 2007-06-19 17:06:27.000000000 -0400 -@@ -54,17 +54,29 @@ - - type capifs_t; - fs_type(capifs_t) -+files_mountpoint(capifs_t) - genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) - - type configfs_t; - fs_type(configfs_t) - genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) - -+type cpusetfs_t; -+fs_type(cpusetfs_t) -+allow cpusetfs_t self:filesystem associate; -+genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) -+ - type eventpollfs_t; - fs_type(eventpollfs_t) - # change to task SID 20060628 - #genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0) - -+type fusefs_t; -+fs_noxattr_type(fusefs_t) -+allow fusefs_t self:filesystem associate; -+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) -+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) -+ - type futexfs_t; - fs_type(futexfs_t) - genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -83,6 +95,11 @@ - fs_type(inotifyfs_t) - genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) - -+type mvfs_t; -+fs_noxattr_type(mvfs_t) -+allow mvfs_t self:filesystem associate; -+genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) -+ - type nfsd_fs_t; - fs_type(nfsd_fs_t) - genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) -@@ -105,6 +122,16 @@ - genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) - files_mountpoint(rpc_pipefs_t) - -+type spufs_t; -+fs_type(spufs_t) -+genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) -+files_mountpoint(spufs_t) -+ -+type vxfs_t; 
-+fs_noxattr_type(vxfs_t) -+files_mountpoint(vxfs_t) -+genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) -+ - # - # tmpfs_t is the type for tmpfs filesystems - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.1/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/kernel.if 2007-06-22 13:42:39.000000000 -0400 -@@ -1122,6 +1122,24 @@ - - ######################################## - ## -+## Do not audit attempts to read all proc files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`kernel_dontaudit_read_all_proc',` -+ gen_require(` -+ attribute proc_type; -+ ') -+ -+ dontaudit $1 proc_type:file r_file_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts by caller to search - ## the base directory of sysctls. - ## -@@ -1848,6 +1866,26 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.2/policy/modules/kernel/kernel.if +--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/kernel.if 2007-07-03 13:08:20.000000000 -0400 +@@ -1848,6 +1848,27 @@ ######################################## ## 
@@ -2547,58 +2213,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + read_lnk_files_pattern($1,unlabeled_t,unlabeled_t) +') + ++ +######################################## +## ## Do not audit attempts to list unlabeled directories. ## ## -@@ -2158,9 +2196,6 @@ - ') - - allow $1 unlabeled_t:association { sendto recvfrom }; -- -- # temporary hack until labeling on packets is supported -- allow $1 unlabeled_t:packet { send recv }; - ') - - ######################################## -@@ -2426,3 +2461,23 @@ - - typeattribute $1 kern_unconfined; - ') -+ -+ -+######################################## -+## -+## Do not audit attempts by caller to read sysct types -+## -+## -+## -+## The process type not to audit. -+## -+## -+# -+interface(`kernel_dontaudit_read_all_sysctls',` -+ gen_require(` -+ attribute sysctl_type; -+ ') -+ -+ dontaudit $1 sysctl_type:file read; -+') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.1/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/kernel.te 2007-06-19 17:06:27.000000000 -0400 -@@ -146,6 +146,8 @@ - type unlabeled_t; - sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) - -+corenet_non_ipsec_sendrecv(unlabeled_t) -+ - # These initial sids are no longer used, and can be removed: - sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) - sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) -@@ -275,6 +277,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.2/policy/modules/kernel/kernel.te +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-07-03 07:05:38.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/kernel.te 2007-07-03 13:08:20.000000000 -0400 +@@ -275,6 +275,7 @@ optional_policy(` logging_send_syslog_msg(kernel_t) 
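Review bot: The only content this outer hunk adds to the kernel.if inner hunk is an empty `++` line in front of the `########` banner of the next interface, which appears to leave two consecutive blank lines after the `')` that closes the preceding interface; the inner header on the previous physical line growing from 26 to 27 added lines is consistent with that. Reference policy separates interfaces with a single blank line, so the extra blank line should be dropped from the patch. The inner hunk's header and its first lines sit in the previous outer hunk, so this is read from the context lines alone.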
@@ -2606,20 +2230,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') optional_policy(` -@@ -341,6 +344,10 @@ - # Unlabeled process local policy - # - -+ifdef(`targeted_policy',` -+ allow unlabeled_t self:filesystem associate; -+') -+ - optional_policy(` - # If you load a new policy that removes active domains, processes can - # get stuck if you do not allow unlabeled processes to signal init. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-3.0.1/policy/modules/kernel/mls.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-3.0.2/policy/modules/kernel/mls.if --- nsaserefpolicy/policy/modules/kernel/mls.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/mls.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/mls.if 2007-07-03 13:08:20.000000000 -0400 @@ -154,6 +154,26 @@ ######################################## ## @@ -2647,9 +2260,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if ## for writing to sockets at any level. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-3.0.1/policy/modules/kernel/mls.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-3.0.2/policy/modules/kernel/mls.te --- nsaserefpolicy/policy/modules/kernel/mls.te 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/mls.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/mls.te 2007-07-03 13:08:20.000000000 -0400 @@ -18,6 +18,7 @@ attribute mlsnetreadtoclr; attribute mlsnetwrite; 
@@ -2667,55 +2280,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te attribute mlstrustedobject; attribute privrangetrans; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.1/policy/modules/kernel/selinux.if ---- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/selinux.if 2007-06-27 10:07:44.000000000 -0400 -@@ -51,6 +51,44 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.2/policy/modules/kernel/selinux.if +--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-07-03 07:05:38.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/selinux.if 2007-07-03 13:08:20.000000000 -0400 +@@ -32,20 +32,21 @@ ######################################## ## +-## Get the attributes of the selinuxfs filesystem +## Do not audit attempts to get the -+## attributes of the selinuxfs filesystem -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`selinux_dontaudit_getattr_fs',` -+ gen_require(` -+ type security_t; -+ ') -+ -+ dontaudit $1 security_t:filesystem getattr; -+') -+ -+######################################## -+## -+## Allow domain to get the -+## attributes of the selinuxfs filesystem -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`selinux_getattr_fs',` -+ gen_require(` -+ type security_t; -+ ') -+ -+ allow $1 security_t:filesystem getattr; -+') -+ -+######################################## -+## - ## Search selinuxfs. ++## attributes of the selinuxfs directory. ## ## -@@ -101,6 +139,7 @@ + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`selinux_getattr_fs',` ++interface(`selinux_dontaudit_getattr_dir',` + gen_require(` + type security_t; + ') + +- allow $1 security_t:filesystem getattr; ++ dontaudit $1 security_t:dir getattr; + ') + + ######################################## +@@ -69,8 +70,8 @@ + + ######################################## + ## +-## Do not audit attempts to get the +-## attributes of the selinuxfs directory. ++## Allow domain to get the ++## attributes of the selinuxfs filesystem + ## + ## + ## +@@ -78,12 +79,12 @@ + ## + ## + # +-interface(`selinux_dontaudit_getattr_dir',` ++interface(`selinux_getattr_fs',` + gen_require(` + type security_t; + ') + +- dontaudit $1 security_t:dir getattr; ++ allow $1 security_t:filesystem getattr; + ') + + ######################################## +@@ -138,6 +139,7 @@ type security_t; ') @@ -2723,7 +2343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file { getattr read }; ') -@@ -122,6 +161,7 @@ +@@ -159,6 +161,7 @@ type security_t; ') @@ -2731,9 +2351,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu allow $1 security_t:dir list_dir_perms; allow $1 security_t:file { getattr read }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.1/policy/modules/kernel/storage.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.2/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2007-06-15 14:54:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/storage.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/storage.if 2007-07-03 13:08:20.000000000 -0400 @@ -100,6 +100,7 @@ dev_list_all_dev_nodes($1) 
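Review bot: After these two inner hunks `selinux_getattr_fs` appears to end up with the wrong parameter description: the `@@ -69,8 +70,8 @@` hunk rewrites only the summary lines, and the parameter description line between it and the `@@ -78,12 +79,12 @@` hunk is left untouched, so it presumably keeps the `Domain to not audit.` text that belonged to `selinux_dontaudit_getattr_dir` at that position. That line should read `## Domain allowed access.`, as the original text for this interface did in the first hunk. More generally the hunks only swap the positions of the two interfaces without changing either body; if the reordering is not required for the rebase, dropping it keeps the downstream patch minimal and easier to carry forward.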
@@ -2750,9 +2370,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag typeattribute $1 fixed_disk_raw_write; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.1/policy/modules/kernel/terminal.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.2/policy/modules/kernel/terminal.te --- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-06-15 14:54:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/terminal.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/kernel/terminal.te 2007-07-03 13:08:20.000000000 -0400 @@ -28,9 +28,15 @@ type devpts_t; files_mountpoint(devpts_t) 
@@ -2780,36 +2400,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin # # usbtty_device_t is the type of /dev/usr/tty* # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.0.1/policy/modules/services/amavis.if ---- nsaserefpolicy/policy/modules/services/amavis.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/amavis.if 2007-06-21 05:35:11.000000000 -0400 -@@ -167,3 +167,22 @@ - allow $1 amavis_var_run_t:file setattr; - files_search_pids($1) - ') -+ -+######################################## -+## -+## Set the create of amavis var run files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`amavis_create_pid_files',` -+ gen_require(` -+ type amavis_var_run_t; -+ ') -+ -+ allow $1 amavis_var_run_t:file create_file_perms; -+ files_search_pids($1) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.0.1/policy/modules/services/amavis.te ---- nsaserefpolicy/policy/modules/services/amavis.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/amavis.te 2007-06-21 05:35:33.000000000 -0400 -@@ -165,6 +165,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.0.2/policy/modules/services/amavis.te +--- nsaserefpolicy/policy/modules/services/amavis.te 2007-07-03 07:06:26.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/amavis.te 2007-07-03 13:08:20.000000000 -0400 +@@ -166,6 +166,7 @@ optional_policy(` pyzor_domtrans(amavis_t) 
@@ -2817,9 +2411,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.1/policy/modules/services/apache.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.2/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/apache.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/apache.fc 2007-07-03 13:08:20.000000000 -0400 @@ -16,7 +16,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -2840,9 +2434,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +#viewvc file context +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.1/policy/modules/services/apache.if ---- nsaserefpolicy/policy/modules/services/apache.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/apache.if 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.2/policy/modules/services/apache.if +--- nsaserefpolicy/policy/modules/services/apache.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/apache.if 2007-07-03 13:08:20.000000000 -0400 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; 
@@ -2865,7 +2459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -@@ -177,46 +169,6 @@ +@@ -177,48 +169,6 @@ miscfiles_read_localization(httpd_$1_script_t) ') @@ -2873,7 +2467,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_$1_script_t self:udp_socket create_socket_perms; - -- corenet_non_ipsec_sendrecv(httpd_$1_script_t) +- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) +- corenet_all_recvfrom_netlabel(httpd_$1_script_t) - corenet_tcp_sendrecv_all_if(httpd_$1_script_t) - corenet_udp_sendrecv_all_if(httpd_$1_script_t) - corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t) @@ -2892,7 +2487,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_$1_script_t self:udp_socket create_socket_perms; - -- corenet_non_ipsec_sendrecv(httpd_$1_script_t) +- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) +- corenet_all_recvfrom_netlabel(httpd_$1_script_t) - corenet_tcp_sendrecv_all_if(httpd_$1_script_t) - corenet_udp_sendrecv_all_if(httpd_$1_script_t) - corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t) @@ -2912,7 +2508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -268,8 +220,11 @@ +@@ -270,8 +220,11 @@ ') apache_content_template($1) 
@@ -2925,7 +2521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac userdom_user_home_content($1,httpd_$1_content_t) role $3 types httpd_$1_script_t; -@@ -434,6 +389,24 @@ +@@ -436,6 +389,24 @@ ######################################## ## @@ -2950,7 +2546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Inherit and use file descriptors from Apache. ## ## -@@ -752,6 +725,7 @@ +@@ -754,6 +725,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -2958,7 +2554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -836,6 +810,10 @@ +@@ -838,6 +810,10 @@ type httpd_sys_script_t; ') @@ -2969,7 +2565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') -@@ -923,7 +901,7 @@ +@@ -925,7 +901,7 @@ type httpd_squirrelmail_t; ') @@ -2978,7 +2574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1000,3 +978,140 @@ +@@ -1002,3 +978,140 @@ allow $1 httpd_sys_script_t:dir search_dir_perms; ') 
@@ -3119,9 +2715,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + allow $1 httpd_bugzilla_content_t:dir search_dir_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.1/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/apache.te 2007-07-02 12:44:51.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.2/policy/modules/services/apache.te +--- nsaserefpolicy/policy/modules/services/apache.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/apache.te 2007-07-03 13:08:20.000000000 -0400 @@ -47,6 +47,13 @@ ## Allow http daemon to tcp connect ##

@@ -3202,9 +2798,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_system_state(httpd_t) +kernel_search_network_sysctl(httpd_t) - corenet_non_ipsec_sendrecv(httpd_t) - corenet_tcp_sendrecv_all_if(httpd_t) -@@ -329,6 +367,9 @@ + corenet_all_recvfrom_unlabeled(httpd_t) + corenet_all_recvfrom_netlabel(httpd_t) +@@ -330,6 +368,9 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -3214,7 +2810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -347,7 +388,13 @@ +@@ -348,7 +389,13 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -3229,7 +2825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) -@@ -359,6 +406,7 @@ +@@ -360,6 +407,7 @@ # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) @@ -3237,7 +2833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -366,6 +414,16 @@ +@@ -367,6 +415,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -3254,7 +2850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -386,6 +444,17 @@ +@@ -387,6 +445,17 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -3272,7 +2868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -403,11 +472,21 @@ +@@ -404,11 +473,21 @@ fs_read_nfs_symlinks(httpd_t) ') 
@@ -3294,7 +2890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -605,6 +684,10 @@ +@@ -606,6 +685,10 @@ miscfiles_read_localization(httpd_suexec_t) @@ -3305,7 +2901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; allow httpd_suexec_t self:udp_socket create_socket_perms; -@@ -618,10 +701,13 @@ +@@ -620,10 +703,13 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) @@ -3320,7 +2916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -632,6 +718,12 @@ +@@ -634,6 +720,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -3333,7 +2929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -670,7 +762,8 @@ +@@ -672,7 +764,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -3343,7 +2939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -684,15 +777,64 @@ +@@ -686,15 +779,66 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -3372,7 +2968,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; + -+ corenet_non_ipsec_sendrecv(httpd_sys_script_t) ++ corenet_all_recvfrom_unlabeled(httpd_sys_script_t) ++ corenet_all_recvfrom_netlabel(httpd_sys_script_t) + corenet_tcp_sendrecv_all_if(httpd_sys_script_t) + corenet_udp_sendrecv_all_if(httpd_sys_script_t) + corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) @@ -3389,7 +2986,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; + -+ corenet_non_ipsec_sendrecv(httpd_sys_script_t) ++ corenet_all_recvfrom_unlabeled(httpd_sys_script_t) ++ corenet_all_recvfrom_netlabel(httpd_sys_script_t) + corenet_tcp_sendrecv_all_if(httpd_sys_script_t) + corenet_udp_sendrecv_all_if(httpd_sys_script_t) + corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) @@ -3409,7 +3007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -709,6 +851,19 @@ +@@ -711,6 +855,19 @@ ######################################## # @@ -3429,7 +3027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_rotatelogs local policy # -@@ -726,3 +881,19 @@ +@@ -728,3 +885,19 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
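Review bot: Both blocks in the `@@ -686,15 +779,66 @@` hunk grant `httpd_sys_script_t` the same socket permissions and the same `corenet_*` rules, each now extended with `corenet_all_recvfrom_unlabeled` and `corenet_all_recvfrom_netlabel`, so every future adjustment to this access has to be made twice. The opening lines of both blocks are outside the hunk, so I cannot see what gates them; if they differ only in the tunable, a single `tunable_policy` whose condition joins the two tunables with `||` would hold one copy of the rules. Otherwise a short comment on each block stating why the duplicate rule set is needed would help the next rebase.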
@@ -3449,9 +3047,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + postgresql_stream_connect(httpd_bugzilla_script_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.1/policy/modules/services/apcupsd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.2/policy/modules/services/apcupsd.fc --- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/apcupsd.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/apcupsd.fc 2007-07-03 13:08:20.000000000 -0400 @@ -3,3 +3,8 @@ /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) @@ -3461,9 +3059,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +/var/www/apcupsd/upsfstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +/var/www/apcupsd/upsimage.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +/var/www/apcupsd/upsstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.0.1/policy/modules/services/apcupsd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.0.2/policy/modules/services/apcupsd.if --- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/apcupsd.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/apcupsd.if 2007-07-03 13:08:20.000000000 -0400 @@ -79,3 +79,25 @@ allow $1 apcupsd_log_t:dir list_dir_perms; allow $1 apcupsd_log_t:file { getattr append }; 
@@ -3490,9 +3088,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu + allow httpd_apcupsd_cgi_script_t $1:fifo_file rw_file_perms; + allow httpd_apcupsd_cgi_script_t $1:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.1/policy/modules/services/apcupsd.te ---- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/apcupsd.te 2007-06-27 08:33:56.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.2/policy/modules/services/apcupsd.te +--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/apcupsd.te 2007-07-03 13:08:20.000000000 -0400 @@ -16,6 +16,9 @@ type apcupsd_log_t; logging_log_file(apcupsd_log_t) @@ -3524,10 +3122,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +corecmd_exec_bin(apcupsd_t) +corecmd_exec_shell(apcupsd_t) + - corenet_non_ipsec_sendrecv(apcupsd_t) + corenet_all_recvfrom_unlabeled(apcupsd_t) + corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) - corenet_tcp_sendrecv_all_nodes(apcupsd_t) -@@ -46,6 +56,7 @@ +@@ -47,6 +57,7 @@ corenet_tcp_bind_all_nodes(apcupsd_t) corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) @@ -3535,7 +3133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu dev_rw_generic_usb_dev(apcupsd_t) -@@ -55,9 +66,52 @@ +@@ -56,9 +67,53 @@ files_read_etc_files(apcupsd_t) files_search_locks(apcupsd_t) 
@@ -3575,7 +3173,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu + +# Default Networking +sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) -+corenet_non_ipsec_sendrecv(httpd_apcupsd_cgi_script_t) ++corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) ++corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) + +allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; +corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t) @@ -3588,9 +3187,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t) +corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.0.1/policy/modules/services/audioentropy.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.0.2/policy/modules/services/audioentropy.te --- nsaserefpolicy/policy/modules/services/audioentropy.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/audioentropy.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/audioentropy.te 2007-07-03 13:08:20.000000000 -0400 @@ -18,7 +18,7 @@ # Local policy # 
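Review bot: The `# Default Networking` block for `httpd_apcupsd_cgi_script_t` is not visibly wrapped in a `tunable_policy`, and together with the context lines of the following hunk it grants the CGI domain send/receive on all interfaces, nodes and ports, while the UPS status scripts only need to reach the apcupsd daemon's port, which this patch already binds `apcupsd_t` to via `corenet_tcp_bind_apcupsd_port`. Consider narrowing the block to `corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)` with the generic interface and node sendrecv rules, or at least gating it the way the `httpd_suexec_t` networking in apache.te is gated on `httpd_can_network_connect`. The rest of the CGI domain's policy starts outside this hunk, so some of the surrounding rules are not visible here.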
@@ -3609,9 +3208,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi dev_read_sound(entropyd_t) fs_getattr_all_fs(entropyd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.1/policy/modules/services/automount.te ---- nsaserefpolicy/policy/modules/services/automount.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/automount.te 2007-07-01 21:23:33.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.2/policy/modules/services/automount.te +--- nsaserefpolicy/policy/modules/services/automount.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/automount.te 2007-07-03 13:08:20.000000000 -0400 @@ -69,6 +69,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) @@ -3620,7 +3219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto fs_mount_all_fs(automount_t) fs_unmount_all_fs(automount_t) -@@ -98,6 +99,7 @@ +@@ -99,6 +100,7 @@ dev_read_sysfs(automount_t) # for SSP @@ -3628,7 +3227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto dev_read_urand(automount_t) domain_use_interactive_fds(automount_t) -@@ -146,10 +148,6 @@ +@@ -147,10 +149,6 @@ userdom_dontaudit_search_sysadm_home_dirs(automount_t) optional_policy(` 
@@ -3639,10 +3238,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto bind_search_cache(automount_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.1/policy/modules/services/avahi.te ---- nsaserefpolicy/policy/modules/services/avahi.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/avahi.te 2007-06-27 10:05:15.000000000 -0400 -@@ -56,6 +56,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.2/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/avahi.te 2007-07-03 13:08:20.000000000 -0400 +@@ -57,6 +57,7 @@ fs_getattr_all_fs(avahi_t) fs_search_auto_mountpoints(avahi_t) @@ -3650,9 +3249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah domain_use_interactive_fds(avahi_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.0.1/policy/modules/services/bind.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.0.2/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/bind.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/bind.fc 2007-07-03 13:08:20.000000000 -0400 @@ -45,4 +45,6 @@ /var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) 
@@ -3660,10 +3259,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind +/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.1/policy/modules/services/bind.te ---- nsaserefpolicy/policy/modules/services/bind.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/bind.te 2007-07-02 11:10:15.000000000 -0400 -@@ -118,6 +118,11 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.2/policy/modules/services/bind.te +--- nsaserefpolicy/policy/modules/services/bind.te 2007-07-03 07:06:26.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/bind.te 2007-07-03 13:08:20.000000000 -0400 +@@ -119,6 +119,11 @@ corenet_sendrecv_dns_client_packets(named_t) corenet_sendrecv_rndc_server_packets(named_t) corenet_sendrecv_rndc_client_packets(named_t) @@ -3675,7 +3274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind dev_read_sysfs(named_t) dev_read_rand(named_t) -@@ -230,6 +235,7 @@ +@@ -232,6 +237,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) 
@@ -3683,21 +3282,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind corenet_sendrecv_rndc_client_packets(ndc_t) fs_getattr_xattr_fs(ndc_t) -@@ -257,6 +263,10 @@ - allow ndc_t named_conf_t:dir search; - ') - -+ifdef(`targeted_policy',` -+ kernel_dontaudit_read_unlabeled_files(ndc_t) -+') -+ - optional_policy(` - nis_use_ypbind(ndc_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.1/policy/modules/services/bluetooth.te ---- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/bluetooth.te 2007-06-21 05:58:59.000000000 -0400 -@@ -133,6 +133,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.2/policy/modules/services/bluetooth.te +--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/bluetooth.te 2007-07-03 13:08:20.000000000 -0400 +@@ -134,6 +134,7 @@ dbus_system_bus_client_template(bluetooth,bluetooth_t) dbus_connect_system_bus(bluetooth_t) dbus_send_system_bus(bluetooth_t) @@ -3705,7 +3293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue ') optional_policy(` -@@ -195,26 +196,26 @@ +@@ -196,26 +197,26 @@ sysnet_read_config(bluetooth_helper_t) 
@@ -3748,18 +3336,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.1/policy/modules/services/clamav.te ---- nsaserefpolicy/policy/modules/services/clamav.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/clamav.te 2007-06-19 17:06:27.000000000 -0400 -@@ -121,6 +121,7 @@ - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) - amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file) -+ amavis_create_pid_files(clamd_t) +@@ -232,3 +233,7 @@ + optional_policy(` + ppp_domtrans(bluetooth_t) ') - - ######################################## -@@ -205,9 +206,12 @@ ++ ++optional_policy(` ++ xserver_stream_connect_xdm(bluetooth_helper_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.2/policy/modules/services/clamav.te +--- nsaserefpolicy/policy/modules/services/clamav.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/clamav.te 2007-07-03 13:08:20.000000000 -0400 +@@ -208,9 +208,12 @@ files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir }) # var/lib files together with clamd @@ -3773,7 +3361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam kernel_read_kernel_sysctls(clamscan_t) files_read_etc_files(clamscan_t) -@@ -225,3 +229,7 @@ +@@ -228,3 +231,7 @@ optional_policy(` apache_read_sys_content(clamscan_t) ') 
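Review bot: The new `optional_policy` block granting `xserver_stream_connect_xdm(bluetooth_helper_t)` has no comment saying why a bluetooth helper needs a connection to the display manager's X socket, and that is not an obvious grant for this domain. Add a one-line comment above the call naming the use case, e.g. `# helper needs the xdm X socket for: <USE CASE - TODO confirm>`, so the rule can be revisited if the helper changes. The rest of the `bluetooth_helper_t` policy is outside the hunk.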
@@ -3781,9 +3369,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +optional_policy(` + mailscanner_manage_spool(clamscan_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.1/policy/modules/services/consolekit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.2/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/consolekit.te 2007-06-23 06:03:21.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/consolekit.te 2007-07-03 13:08:20.000000000 -0400 @@ -10,7 +10,6 @@ type consolekit_exec_t; init_daemon_domain(consolekit_t, consolekit_exec_t) @@ -3842,9 +3430,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + unconfined_ptrace(consolekit_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.0.1/policy/modules/services/courier.te ---- nsaserefpolicy/policy/modules/services/courier.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/courier.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.0.2/policy/modules/services/courier.te +--- nsaserefpolicy/policy/modules/services/courier.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/courier.te 2007-07-03 13:08:20.000000000 -0400 @@ -58,6 +58,7 @@ files_getattr_tmp_dirs(courier_authdaemon_t) 
@@ -3853,9 +3441,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour libs_read_lib_files(courier_authdaemon_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.0.1/policy/modules/services/cron.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.0.2/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/cron.fc 2007-06-21 05:43:06.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/cron.fc 2007-07-03 13:08:20.000000000 -0400 @@ -17,6 +17,8 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -3870,9 +3458,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.1/policy/modules/services/cron.if ---- nsaserefpolicy/policy/modules/services/cron.if 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/cron.if 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.2/policy/modules/services/cron.if +--- nsaserefpolicy/policy/modules/services/cron.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/cron.if 2007-07-03 13:08:20.000000000 -0400 @@ -35,6 +35,7 @@ # template(`cron_per_role_template',` 
@@ -3899,7 +3487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are -@@ -134,55 +133,38 @@ +@@ -135,55 +134,38 @@ miscfiles_read_localization($1_crond_t) @@ -3963,7 +3551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ############################## # -@@ -195,6 +177,7 @@ +@@ -196,6 +178,7 @@ # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, $1_crontab_t) @@ -3971,7 +3559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # crontab shows up in user ps ps_process_pattern($2,$1_crontab_t) -@@ -205,9 +188,6 @@ +@@ -206,9 +189,6 @@ # Allow crond to read those crontabs in cron spool. allow crond_t $1_cron_spool_t:file manage_file_perms; @@ -3981,7 +3569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # create files in /var/spool/cron manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t) filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file) -@@ -243,10 +223,12 @@ +@@ -244,10 +224,12 @@ userdom_manage_user_tmp_dirs($1,$1_crontab_t) userdom_manage_user_tmp_files($1,$1_crontab_t) 
@@ -3994,9 +3582,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.1/policy/modules/services/cron.te ---- nsaserefpolicy/policy/modules/services/cron.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/cron.te 2007-06-22 08:57:00.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.2/policy/modules/services/cron.te +--- nsaserefpolicy/policy/modules/services/cron.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/cron.te 2007-07-03 13:08:20.000000000 -0400 @@ -50,6 +50,7 @@ type crond_tmp_t; @@ -4152,7 +3740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -325,7 +373,7 @@ +@@ -326,7 +374,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -4161,7 +3749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron libs_use_ld_so(system_crond_t) libs_use_shared_libs(system_crond_t) -@@ -333,6 +381,7 @@ +@@ -334,6 +382,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) @@ -4169,7 +3757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -383,6 +432,14 @@ +@@ -384,6 +433,14 @@ ') optional_policy(` @@ -4184,7 +3772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron mrtg_append_create_logs(system_crond_t) ') -@@ -413,6 +470,10 @@ +@@ -414,6 +471,10 @@ ') optional_policy(` 
@@ -4195,7 +3783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron samba_read_config(system_crond_t) samba_read_log(system_crond_t) #samba_read_secrets(system_crond_t) -@@ -423,6 +484,10 @@ +@@ -424,6 +485,10 @@ ') optional_policy(` @@ -4206,7 +3794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # cjp: why? squid_domtrans(system_crond_t) ') -@@ -432,9 +497,14 @@ +@@ -433,9 +498,14 @@ ') optional_policy(` @@ -4222,9 +3810,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ifdef(`TODO',` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.1/policy/modules/services/cups.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.2/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/cups.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/cups.fc 2007-07-03 13:08:20.000000000 -0400 @@ -8,6 +8,7 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -4233,9 +3821,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.1/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/cups.te 2007-07-01 21:17:10.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.2/policy/modules/services/cups.te +--- nsaserefpolicy/policy/modules/services/cups.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/cups.te 2007-07-03 13:08:20.000000000 -0400 @@ -81,12 +81,11 @@ # /usr/lib/cups/backend/serial needs sys_admin(?!) allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; @@ -4250,7 +3838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -149,14 +148,16 @@ +@@ -150,14 +149,16 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -4268,7 +3856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_getattr_printer_dev(cupsd_t) domain_read_all_domains_state(cupsd_t) -@@ -175,6 +176,7 @@ +@@ -176,6 +177,7 @@ term_search_ptys(cupsd_t) auth_domtrans_chk_passwd(cupsd_t) 
@@ -4276,7 +3864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_dontaudit_read_pam_pid(cupsd_t) # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -@@ -222,6 +224,7 @@ +@@ -223,6 +225,7 @@ sysnet_read_config(cupsd_t) @@ -4284,7 +3872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_all_users_home_content(cupsd_t) -@@ -233,10 +236,28 @@ +@@ -234,10 +237,28 @@ ') optional_policy(` @@ -4313,7 +3901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_t, cupsd_exec_t) ') -@@ -249,6 +270,10 @@ +@@ -250,6 +271,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -4324,7 +3912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -264,16 +289,16 @@ +@@ -265,16 +290,16 @@ ') optional_policy(` @@ -4345,7 +3933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -377,6 +402,14 @@ +@@ -379,6 +404,14 @@ ') optional_policy(` @@ -4360,7 +3948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -558,7 +591,7 @@ +@@ -562,7 +595,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) 
@@ -4369,9 +3957,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.1/policy/modules/services/cvs.te ---- nsaserefpolicy/policy/modules/services/cvs.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/cvs.te 2007-07-01 21:58:10.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.2/policy/modules/services/cvs.te +--- nsaserefpolicy/policy/modules/services/cvs.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/cvs.te 2007-07-03 13:08:20.000000000 -0400 @@ -16,6 +16,7 @@ type cvs_t; type cvs_exec_t; @@ -4380,7 +3968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. role system_r types cvs_t; type cvs_data_t; # customizable -@@ -67,6 +68,7 @@ +@@ -68,6 +69,7 @@ fs_getattr_xattr_fs(cvs_t) auth_domtrans_chk_passwd(cvs_t) @@ -4388,7 +3976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) -@@ -80,6 +82,7 @@ +@@ -81,6 +83,7 @@ libs_use_shared_libs(cvs_t) logging_send_syslog_msg(cvs_t) 
@@ -4396,9 +3984,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. miscfiles_read_localization(cvs_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.1/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/dbus.if 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.2/policy/modules/services/dbus.if +--- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/dbus.if 2007-07-03 13:08:20.000000000 -0400 @@ -50,6 +50,12 @@ ## # @@ -4420,7 +4008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t self:file { getattr read write }; allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; allow $1_dbusd_t self:dbus { send_msg acquire_svc }; -@@ -134,6 +141,17 @@ +@@ -135,6 +142,17 @@ selinux_compute_relabel_context($1_dbusd_t) selinux_compute_user_contexts($1_dbusd_t) @@ -4438,7 +4026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus auth_read_pam_console_data($1_dbusd_t) libs_use_ld_so($1_dbusd_t) -@@ -204,6 +222,7 @@ +@@ -205,6 +223,7 @@ # For connecting to the bus files_search_pids($2) stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) @@ -4446,10 +4034,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ####################################### -@@ -273,6 +292,31 @@ +@@ -271,6 +290,32 @@ + allow $2 $1_dbusd_t:dbus send_msg; + ') - ######################################## - ## ++ ++######################################## ++## +## connectto a message on user/application specific DBUS. +## +## 
@@ -4473,12 +4064,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') + + -+######################################## -+## + ######################################## + ## ## Read dbus configuration. - ## - ## -@@ -286,6 +330,7 @@ +@@ -286,6 +331,7 @@ type dbusd_etc_t; ') @@ -4486,7 +4075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1 dbusd_etc_t:file read_file_perms; ') -@@ -346,3 +391,23 @@ +@@ -346,3 +392,23 @@ allow $1 system_dbusd_t:dbus *; ') @@ -4510,10 +4099,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.1/policy/modules/services/dhcp.te ---- nsaserefpolicy/policy/modules/services/dhcp.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/dhcp.te 2007-06-19 17:06:27.000000000 -0400 -@@ -113,6 +113,8 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.2/policy/modules/services/dhcp.te +--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-07-03 07:06:26.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/dhcp.te 2007-07-03 13:08:20.000000000 -0400 +@@ -114,6 +114,8 @@ dbus_system_bus_client_template(dhcpd,dhcpd_t) dbus_connect_system_bus(dhcpd_t) dbus_send_system_bus(dhcpd_t) 
@@ -4522,9 +4111,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.1/policy/modules/services/dovecot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.2/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/dovecot.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/dovecot.fc 2007-07-03 13:08:20.000000000 -0400 @@ -17,10 +17,12 @@ ifdef(`distro_debian', ` @@ -4538,9 +4127,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.1/policy/modules/services/dovecot.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.2/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/dovecot.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/dovecot.if 2007-07-03 13:08:20.000000000 -0400 @@ -18,3 +18,43 @@ manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t) manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t) 
@@ -4585,9 +4174,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.1/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/dovecot.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.2/policy/modules/services/dovecot.te +--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/dovecot.te 2007-07-03 13:08:20.000000000 -0400 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -4619,7 +4208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -110,9 +116,6 @@ +@@ -111,9 +117,6 @@ miscfiles_read_certs(dovecot_t) miscfiles_read_localization(dovecot_t) @@ -4629,7 +4218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_dontaudit_search_sysadm_home_dirs(dovecot_t) userdom_priveleged_home_dir_manager(dovecot_t) -@@ -124,10 +127,6 @@ +@@ -125,10 +128,6 @@ ') optional_policy(` @@ -4640,7 +4229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -144,33 +143,39 @@ +@@ -145,33 +144,39 @@ # dovecot auth local policy # 
@@ -4682,7 +4271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -184,12 +189,41 @@ +@@ -185,12 +190,41 @@ seutil_dontaudit_search_config(dovecot_auth_t) @@ -4727,9 +4316,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +optional_policy(` + mta_manage_spool(dovecot_deliver_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.1/policy/modules/services/ftp.te ---- nsaserefpolicy/policy/modules/services/ftp.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/ftp.te 2007-06-26 07:22:44.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.2/policy/modules/services/ftp.te +--- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-03 07:06:26.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/ftp.te 2007-07-03 13:08:20.000000000 -0400 @@ -88,6 +88,7 @@ allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; @@ -4738,7 +4327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. allow ftpd_t ftpd_etc_t:file read_file_perms; -@@ -156,6 +157,7 @@ +@@ -157,6 +158,7 @@ auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) @@ -4746,7 +4335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. # Append to /var/log/wtmp. auth_append_login_records(ftpd_t) #kerberized ftp requires the following -@@ -167,7 +169,9 @@ +@@ -168,7 +170,9 @@ libs_use_ld_so(ftpd_t) libs_use_shared_libs(ftpd_t) 
@@ -4756,7 +4345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. miscfiles_read_localization(ftpd_t) miscfiles_read_public_files(ftpd_t) -@@ -216,6 +220,14 @@ +@@ -217,6 +221,14 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) @@ -4771,9 +4360,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.1/policy/modules/services/hal.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.2/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/hal.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/hal.fc 2007-07-03 13:08:20.000000000 -0400 @@ -8,9 +8,14 @@ /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) @@ -4789,9 +4378,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. + +/var/log/pm-suspend.log gen_context(system_u:object_r:hald_log_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.0.1/policy/modules/services/hal.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.0.2/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/hal.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/hal.if 2007-07-03 13:08:20.000000000 -0400 @@ -208,3 +208,98 @@ files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; 
@@ -4891,9 +4480,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. + allow $1 hald_t:process ptrace; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.1/policy/modules/services/hal.te ---- nsaserefpolicy/policy/modules/services/hal.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/hal.te 2007-06-21 05:59:49.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.2/policy/modules/services/hal.te +--- nsaserefpolicy/policy/modules/services/hal.te 2007-07-03 07:06:26.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/hal.te 2007-07-03 13:08:20.000000000 -0400 @@ -22,6 +22,12 @@ type hald_log_t; files_type(hald_log_t) @@ -4915,7 +4504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. kernel_rw_kernel_sysctl(hald_t) kernel_read_fs_sysctls(hald_t) kernel_rw_irq_sysctls(hald_t) -@@ -113,6 +120,9 @@ +@@ -114,6 +121,9 @@ dev_rw_power_management(hald_t) # hal is now execing pm-suspend dev_rw_sysfs(hald_t) @@ -4925,7 +4514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. domain_use_interactive_fds(hald_t) domain_read_all_domains_state(hald_t) -@@ -130,6 +140,7 @@ +@@ -131,6 +141,7 @@ files_create_boot_flag(hald_t) files_getattr_all_dirs(hald_t) files_read_kernel_img(hald_t) @@ -4933,7 +4522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. fs_getattr_all_fs(hald_t) fs_search_all(hald_t) -@@ -179,6 +190,7 @@ +@@ -180,6 +191,7 @@ seutil_read_config(hald_t) seutil_read_default_contexts(hald_t) @@ -4941,7 +4530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. sysnet_read_config(hald_t) -@@ -186,6 +198,7 @@ +@@ -187,6 +199,7 @@ userdom_dontaudit_search_sysadm_home_dirs(hald_t) optional_policy(` 
@@ -4949,7 +4538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. alsa_read_rw_config(hald_t) ') -@@ -227,6 +240,10 @@ +@@ -228,6 +241,10 @@ optional_policy(` networkmanager_dbus_chat(hald_t) ') @@ -4960,7 +4549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ') optional_policy(` -@@ -295,7 +312,10 @@ +@@ -296,7 +313,10 @@ corecmd_exec_bin(hald_acl_t) dev_getattr_all_chr_files(hald_acl_t) @@ -4971,7 +4560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_setattr_sound_dev(hald_acl_t) dev_setattr_generic_usb_dev(hald_acl_t) dev_setattr_usbfs_files(hald_acl_t) -@@ -357,3 +377,25 @@ +@@ -358,3 +378,25 @@ libs_use_shared_libs(hald_sonypic_t) miscfiles_read_localization(hald_sonypic_t) 
@@ -4997,17 +4586,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +miscfiles_read_localization(hald_keymap_t) + +dev_rw_input_dev(hald_keymap_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.1/policy/modules/services/inetd.te ---- nsaserefpolicy/policy/modules/services/inetd.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/inetd.te 2007-06-19 17:06:27.000000000 -0400 -@@ -79,17 +79,21 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.2/policy/modules/services/inetd.te +--- nsaserefpolicy/policy/modules/services/inetd.te 2007-07-03 07:06:26.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/inetd.te 2007-07-03 13:08:20.000000000 -0400 +@@ -80,16 +80,21 @@ corenet_udp_bind_comsat_port(inetd_t) corenet_tcp_bind_dbskkd_port(inetd_t) corenet_udp_bind_dbskkd_port(inetd_t) +corenet_tcp_bind_ftp_port(inetd_t) corenet_udp_bind_ftp_port(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) --corenet_tcp_bind_inetd_child_port(inetd_t) +corenet_udp_bind_inetd_child_port(inetd_t) corenet_udp_bind_ktalkd_port(inetd_t) corenet_tcp_bind_printer_port(inetd_t) @@ -5023,7 +4611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet corenet_udp_bind_tftp_port(inetd_t) corenet_tcp_bind_ssh_port(inetd_t) -@@ -135,8 +139,8 @@ +@@ -135,14 +140,19 @@ mls_fd_use_all_levels(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) 
@@ -5033,7 +4621,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet sysnet_read_config(inetd_t) -@@ -177,6 +181,9 @@ + userdom_dontaudit_use_unpriv_user_fds(inetd_t) + userdom_dontaudit_search_sysadm_home_dirs(inetd_t) + ++ifdef(`enable_mls',` ++ corenet_tcp_recv_netlabel(inetd_t) ++ corenet_udp_recv_netlabel(inetd_t) ++') ++ + optional_policy(` + amanda_search_lib(inetd_t) + ') +@@ -172,6 +182,9 @@ # for identd allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow inetd_child_t self:capability { setuid setgid }; @@ -5043,10 +4642,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet files_search_home(inetd_child_t) manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.1/policy/modules/services/kerberos.if ---- nsaserefpolicy/policy/modules/services/kerberos.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/kerberos.if 2007-06-19 17:06:27.000000000 -0400 -@@ -33,43 +33,10 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.2/policy/modules/services/kerberos.if +--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/kerberos.if 2007-07-03 13:08:20.000000000 -0400 +@@ -33,44 +33,10 @@ # interface(`kerberos_use',` gen_require(` @@ -5065,7 +4664,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - -- corenet_non_ipsec_sendrecv($1) +- corenet_all_recvfrom_unlabeled($1) +- corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_all_if($1) - corenet_udp_sendrecv_all_if($1) - corenet_tcp_sendrecv_all_nodes($1) 
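Review bot: The new `ifdef(`enable_mls',` block in inetd.te (inner hunk `@@ -80,16 +80,21 @@`) gates `corenet_tcp_recv_netlabel(inetd_t)` and `corenet_udp_recv_netlabel(inetd_t)` on the MLS build, while the refreshed kerberos.if base in this same hunk and the kerberosclient block at L91 call `corenet_all_recvfrom_netlabel` unconditionally, so the two places disagree on whether NetLabel-labelled receive is MLS-only. Either drop the `ifdef` for consistency with the rest of the patch, or add a comment above it stating why inetd in particular only needs labelled receive under MLS, e.g. `# inetd only sees NetLabel-labelled traffic on MLS builds; non-MLS builds use the unlabeled path`. The inetd_t rule block starts outside this hunk, so I cannot see whether an unlabeled-receive grant precedes it.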
@@ -5092,9 +4692,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.1/policy/modules/services/kerberos.te ---- nsaserefpolicy/policy/modules/services/kerberos.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/kerberos.te 2007-06-22 13:46:36.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.2/policy/modules/services/kerberos.te +--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/kerberos.te 2007-07-03 13:08:20.000000000 -0400 @@ -5,6 +5,7 @@ # # Declarations @@ -5109,9 +4709,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb kernel_read_proc_symlinks(kadmind_t) +kernel_read_system_state(kadmind_t) - corenet_non_ipsec_sendrecv(kadmind_t) - corenet_tcp_sendrecv_all_if(kadmind_t) -@@ -117,6 +119,9 @@ + corenet_all_recvfrom_unlabeled(kadmind_t) + corenet_all_recvfrom_netlabel(kadmind_t) +@@ -118,6 +120,9 @@ domain_use_interactive_fds(kadmind_t) files_read_etc_files(kadmind_t) @@ -5121,7 +4721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb libs_use_ld_so(kadmind_t) libs_use_shared_libs(kadmind_t) -@@ -126,6 +131,7 @@ +@@ -127,6 +132,7 @@ miscfiles_read_localization(kadmind_t) sysnet_read_config(kadmind_t) @@ -5129,7 +4729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) -@@ -221,6 +227,7 @@ +@@ -223,6 +229,7 @@ miscfiles_read_localization(krb5kdc_t) sysnet_read_config(krb5kdc_t) 
@@ -5137,7 +4737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) -@@ -236,3 +243,36 @@ +@@ -238,3 +245,37 @@ optional_policy(` udev_read_db(krb5kdc_t) ') @@ -5152,7 +4752,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + allow kerberosclient self:tcp_socket create_socket_perms; + allow kerberosclient self:udp_socket create_socket_perms; + -+ corenet_non_ipsec_sendrecv(kerberosclient) ++ corenet_all_recvfrom_unlabeled(kerberosclient) ++ corenet_all_recvfrom_netlabel(kerberosclient) + corenet_tcp_sendrecv_all_if(kerberosclient) + corenet_udp_sendrecv_all_if(kerberosclient) + corenet_tcp_sendrecv_all_nodes(kerberosclient) 
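Review bot: The kerberosclient attribute block appended to kerberos.te (inner hunk `@@ -238,3 +245,37 @@`) now grants `corenet_all_recvfrom_unlabeled(kerberosclient)` and `corenet_all_recvfrom_netlabel(kerberosclient)` to every domain carrying the attribute, but nothing in the block documents that these rules are inherited by each caller of `kerberos_use` (whose own network rules the kerberos.if hunk at L89 strips out). A header comment would make the blast radius explicit, e.g. `# kerberosclient: shared network rules for every domain that calls kerberos_use(); keep this set minimal`. The swap from `corenet_non_ipsec_sendrecv` to the two recvfrom interfaces appears to track the upstream rename shown in the kerberos.if base, so it is a rebase rather than a widening, but worth confirming against the 3.0.2 corenetwork interfaces. The rest of the block, including the pcscd_stream_connect call, continues in the next hunk.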
@@ -5174,27 +4775,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + pcscd_stream_connect(kerberosclient) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.0.1/policy/modules/services/ldap.te ---- nsaserefpolicy/policy/modules/services/ldap.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/ldap.te 2007-06-19 17:06:27.000000000 -0400 -@@ -116,6 +116,13 @@ - userdom_dontaudit_use_unpriv_user_fds(slapd_t) - userdom_dontaudit_search_sysadm_home_dirs(slapd_t) - -+ifdef(`targeted_policy',` -+ userdom_search_generic_user_home_dirs(slapd_t) -+ #need to be able to read ldif files created by root -+ # cjp: fix to not use templated interface: -+ userdom_read_user_home_content_files(user,slapd_t) -+') -+ - optional_policy(` - kerberos_use(slapd_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.1/policy/modules/services/lpd.if ---- nsaserefpolicy/policy/modules/services/lpd.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/lpd.if 2007-06-19 17:06:27.000000000 -0400 -@@ -394,3 +394,22 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.2/policy/modules/services/lpd.if +--- nsaserefpolicy/policy/modules/services/lpd.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/lpd.if 2007-07-03 13:08:20.000000000 -0400 +@@ -395,3 +395,22 @@ domtrans_pattern($2, lpr_exec_t, $1_lpr_t) ') 
@@ -5217,9 +4801,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. + + can_exec($1,lpr_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.1/policy/modules/services/mailman.te ---- nsaserefpolicy/policy/modules/services/mailman.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/mailman.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.2/policy/modules/services/mailman.te +--- nsaserefpolicy/policy/modules/services/mailman.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/mailman.te 2007-07-03 13:08:20.000000000 -0400 @@ -96,6 +96,7 @@ kernel_read_proc_symlinks(mailman_queue_t) @@ -5228,15 +4812,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail files_dontaudit_search_pids(mailman_queue_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.0.1/policy/modules/services/mailscanner.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.0.2/policy/modules/services/mailscanner.fc --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/services/mailscanner.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/mailscanner.fc 2007-07-03 13:08:20.000000000 -0400 
@@ -0,0 +1,2 @@ +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.0.1/policy/modules/services/mailscanner.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.0.2/policy/modules/services/mailscanner.if --- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/services/mailscanner.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/mailscanner.if 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,59 @@ +## Anti-Virus and Anti-Spam Filter + @@ -5297,19 +4881,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail + files_search_spool($1) + manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.0.1/policy/modules/services/mailscanner.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.0.2/policy/modules/services/mailscanner.te --- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/services/mailscanner.te 2007-06-19 17:11:15.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/mailscanner.te 2007-07-03 13:08:20.000000000 -0400 
@@ -0,0 +1,5 @@ + +policy_module(mailscanner,1.0.0) + +type mailscanner_spool_t; +files_type(mailscanner_spool_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.1/policy/modules/services/mta.if ---- nsaserefpolicy/policy/modules/services/mta.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/mta.if 2007-06-19 17:06:27.000000000 -0400 -@@ -392,6 +392,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.2/policy/modules/services/mta.if +--- nsaserefpolicy/policy/modules/services/mta.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/mta.if 2007-07-03 13:08:20.000000000 -0400 +@@ -393,6 +393,7 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) @@ -5317,9 +4901,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.1/policy/modules/services/mta.te ---- nsaserefpolicy/policy/modules/services/mta.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/mta.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.2/policy/modules/services/mta.te +--- nsaserefpolicy/policy/modules/services/mta.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/mta.te 2007-07-03 13:08:20.000000000 -0400 @@ -27,6 +27,7 @@ type sendmail_exec_t; 
@@ -5366,48 +4950,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. # apache should set close-on-exec apache_dontaudit_append_log(system_mail_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.0.1/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/nagios.te 2007-06-19 17:06:27.000000000 -0400 -@@ -73,8 +73,10 @@ - corenet_udp_sendrecv_all_nodes(nagios_t) - corenet_tcp_sendrecv_all_ports(nagios_t) - corenet_udp_sendrecv_all_ports(nagios_t) -+corenet_tcp_connect_all_ports(nagios_t) - - dev_read_sysfs(nagios_t) -+dev_read_urand(nagios_t) - - domain_use_interactive_fds(nagios_t) - # for ps -@@ -97,8 +99,6 @@ - - miscfiles_read_localization(nagios_t) - --sysnet_read_config(nagios_t) -- - userdom_dontaudit_use_unpriv_user_fds(nagios_t) - userdom_dontaudit_search_sysadm_home_dirs(nagios_t) - -@@ -108,14 +108,10 @@ - netutils_domtrans_ping(nagios_t) - netutils_signal_ping(nagios_t) - netutils_kill_ping(nagios_t) -- -- # cjp: leaked file descriptors: -- #dontaudit ping_t nagios_etc_t:file read; -- #dontaudit ping_t nagios_log_t:fifo_file read; - ') - - optional_policy(` -- nis_use_ypbind(nagios_t) -+ auth_use_nsswitch(nagios_t) - ') - - optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.1/policy/modules/services/networkmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.2/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/networkmanager.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/networkmanager.fc 2007-07-03 13:08:20.000000000 -0400 
@@ -1,5 +1,6 @@ /usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -5415,19 +4960,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.1/policy/modules/services/networkmanager.te ---- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/networkmanager.te 2007-06-21 06:00:26.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.2/policy/modules/services/networkmanager.te +--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/networkmanager.te 2007-07-03 13:08:20.000000000 -0400 @@ -41,6 +41,8 @@ kernel_read_kernel_sysctls(NetworkManager_t) kernel_load_module(NetworkManager_t) +can_exec(NetworkManager_t, NetworkManager_exec_t) + - corenet_non_ipsec_sendrecv(NetworkManager_t) + corenet_all_recvfrom_unlabeled(NetworkManager_t) + corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_all_if(NetworkManager_t) - corenet_udp_sendrecv_all_if(NetworkManager_t) -@@ -135,6 +137,7 @@ +@@ -136,6 +138,7 @@ dbus_system_bus_client_template(NetworkManager,NetworkManager_t) dbus_connect_system_bus(NetworkManager_t) dbus_send_system_bus(NetworkManager_t) @@ -5435,7 +4980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -151,6 +154,11 @@ +@@ -152,6 +155,11 @@ ') optional_policy(` 
@@ -5447,7 +4992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) -@@ -165,6 +173,7 @@ +@@ -166,6 +174,7 @@ ') optional_policy(` @@ -5455,9 +5000,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw # Read gnome-keyring unconfined_read_home_content_files(NetworkManager_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.1/policy/modules/services/nis.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.2/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/nis.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/nis.fc 2007-07-03 13:08:20.000000000 -0400 @@ -4,6 +4,7 @@ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) 
@@ -5466,10 +5011,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.1/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/nis.if 2007-06-19 17:06:27.000000000 -0400 -@@ -48,8 +48,8 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.2/policy/modules/services/nis.if +--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/nis.if 2007-07-03 13:08:20.000000000 -0400 +@@ -49,8 +49,8 @@ corenet_udp_bind_all_nodes($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) 
@@ -5480,10 +5025,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.1/policy/modules/services/nis.te ---- nsaserefpolicy/policy/modules/services/nis.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/nis.te 2007-06-28 07:25:31.000000000 -0400 -@@ -112,6 +112,14 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.2/policy/modules/services/nis.te +--- nsaserefpolicy/policy/modules/services/nis.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/nis.te 2007-07-03 13:08:20.000000000 -0400 +@@ -113,6 +113,14 @@ userdom_dontaudit_use_unpriv_user_fds(ypbind_t) userdom_dontaudit_search_sysadm_home_dirs(ypbind_t) @@ -5498,7 +5043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. optional_policy(` seutil_sigchld_newrole(ypbind_t) ') -@@ -125,6 +133,7 @@ +@@ -126,6 +134,7 @@ # yppasswdd local policy # @@ -5506,7 +5051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. dontaudit yppasswdd_t self:capability sys_tty_config; allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { setfscreate signal_perms }; -@@ -154,8 +163,8 @@ +@@ -156,8 +165,8 @@ corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_all_nodes(yppasswdd_t) corenet_udp_bind_all_nodes(yppasswdd_t) 
@@ -5517,7 +5062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) corenet_sendrecv_generic_server_packets(yppasswdd_t) -@@ -244,6 +253,8 @@ +@@ -247,6 +256,8 @@ corenet_udp_bind_all_nodes(ypserv_t) corenet_tcp_bind_reserved_port(ypserv_t) corenet_udp_bind_reserved_port(ypserv_t) @@ -5526,7 +5071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) corenet_sendrecv_generic_server_packets(ypserv_t) -@@ -311,6 +322,8 @@ +@@ -315,6 +326,8 @@ corenet_udp_bind_all_nodes(ypxfr_t) corenet_tcp_bind_reserved_port(ypxfr_t) corenet_udp_bind_reserved_port(ypxfr_t) @@ -5535,9 +5080,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.0.1/policy/modules/services/nscd.te ---- nsaserefpolicy/policy/modules/services/nscd.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/nscd.te 2007-07-02 11:38:32.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.0.2/policy/modules/services/nscd.te +--- nsaserefpolicy/policy/modules/services/nscd.te 2007-07-03 07:06:26.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/nscd.te 2007-07-03 13:08:20.000000000 -0400 @@ -28,14 +28,14 @@ # Local policy # 
@@ -5556,7 +5101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd allow nscd_t self:tcp_socket create_socket_perms; allow nscd_t self:udp_socket create_socket_perms; -@@ -72,6 +72,8 @@ +@@ -73,6 +73,8 @@ corenet_udp_sendrecv_all_nodes(nscd_t) corenet_tcp_sendrecv_all_ports(nscd_t) corenet_udp_sendrecv_all_ports(nscd_t) @@ -5565,7 +5110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd corenet_tcp_connect_all_ports(nscd_t) corenet_sendrecv_all_client_packets(nscd_t) corenet_rw_tun_tap_dev(nscd_t) -@@ -92,6 +94,7 @@ +@@ -93,6 +95,7 @@ libs_use_ld_so(nscd_t) libs_use_shared_libs(nscd_t) @@ -5573,7 +5118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd logging_send_syslog_msg(nscd_t) miscfiles_read_localization(nscd_t) -@@ -113,3 +116,12 @@ +@@ -114,3 +117,12 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -5586,10 +5131,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.1/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/ntp.te 2007-06-19 17:06:27.000000000 -0400 -@@ -125,6 +125,10 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.2/policy/modules/services/ntp.te +--- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/ntp.te 2007-07-03 13:08:20.000000000 -0400 +@@ -126,6 +126,10 @@ ') optional_policy(` 
@@ -5600,9 +5145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. seutil_sigchld_newrole(ntpd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.0.1/policy/modules/services/openvpn.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.0.2/policy/modules/services/openvpn.if --- nsaserefpolicy/policy/modules/services/openvpn.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/openvpn.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/openvpn.if 2007-07-03 13:08:20.000000000 -0400 @@ -22,3 +22,71 @@ read_files_pattern($1,openvpn_etc_t,openvpn_etc_t) read_lnk_files_pattern($1,openvpn_etc_t,openvpn_etc_t) @@ -5675,9 +5220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + + allow $1 openvpn_t:process signal; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.1/policy/modules/services/openvpn.te ---- nsaserefpolicy/policy/modules/services/openvpn.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/openvpn.te 2007-07-02 12:46:29.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.2/policy/modules/services/openvpn.te +--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/openvpn.te 2007-07-03 13:08:20.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -5703,7 +5248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open kernel_read_kernel_sysctls(openvpn_t) kernel_read_net_sysctls(openvpn_t) -@@ -66,6 +73,7 @@ +@@ -67,6 +74,7 @@ corenet_udp_bind_openvpn_port(openvpn_t) corenet_sendrecv_openvpn_server_packets(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t) 
@@ -5711,7 +5256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open dev_search_sysfs(openvpn_t) dev_read_rand(openvpn_t) -@@ -80,10 +88,23 @@ +@@ -81,10 +89,23 @@ logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) @@ -5735,9 +5280,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + unconfined_use_terminals(openvpn_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-3.0.1/policy/modules/services/pegasus.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-3.0.2/policy/modules/services/pegasus.if --- nsaserefpolicy/policy/modules/services/pegasus.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/pegasus.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/pegasus.if 2007-07-03 13:08:20.000000000 -0400 @@ -1 +1,19 @@ ## The Open Group Pegasus CIM/WBEM Server. + @@ -5758,10 +5303,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega + + domtrans_pattern($1,pegasus_exec_t,pegasus_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.0.1/policy/modules/services/pegasus.te ---- nsaserefpolicy/policy/modules/services/pegasus.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/pegasus.te 2007-06-19 17:06:27.000000000 -0400 -@@ -94,13 +94,13 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.0.2/policy/modules/services/pegasus.te +--- nsaserefpolicy/policy/modules/services/pegasus.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/pegasus.te 2007-07-03 13:08:20.000000000 -0400 +@@ -95,13 +95,13 @@ auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -5778,7 +5323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) -@@ -112,19 +112,17 @@ +@@ -113,19 +113,17 @@ libs_use_shared_libs(pegasus_t) logging_send_audit_msgs(pegasus_t) @@ -5800,10 +5345,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega rpm_exec(pegasus_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.0.1/policy/modules/services/portslave.te ---- nsaserefpolicy/policy/modules/services/portslave.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/portslave.te 2007-06-19 17:06:27.000000000 -0400 -@@ -84,6 +84,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.0.2/policy/modules/services/portslave.te +--- nsaserefpolicy/policy/modules/services/portslave.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/portslave.te 2007-07-03 13:08:20.000000000 -0400 +@@ -85,6 +85,7 @@ auth_rw_login_records(portslave_t) auth_domtrans_chk_passwd(portslave_t) @@ -5811,9 +5356,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port init_rw_utmp(portslave_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.0.1/policy/modules/services/postfix.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.0.2/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/postfix.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/postfix.fc 2007-07-03 13:08:20.000000000 -0400 
@@ -14,6 +14,7 @@ /usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -5822,9 +5367,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ', ` /usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.1/policy/modules/services/postfix.if ---- nsaserefpolicy/policy/modules/services/postfix.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/postfix.if 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.2/policy/modules/services/postfix.if +--- nsaserefpolicy/policy/modules/services/postfix.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/postfix.if 2007-07-03 13:08:20.000000000 -0400 @@ -118,6 +118,8 @@ allow postfix_$1_t self:udp_socket create_socket_perms; @@ -5832,9 +5377,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 + allow postfix_$1_t postfix_master_t:file read; - corenet_non_ipsec_sendrecv(postfix_$1_t) - corenet_tcp_sendrecv_all_if(postfix_$1_t) -@@ -131,10 +133,8 @@ + corenet_all_recvfrom_unlabeled(postfix_$1_t) + corenet_all_recvfrom_netlabel(postfix_$1_t) +@@ -132,10 +134,8 @@ corenet_tcp_connect_all_ports(postfix_$1_t) corenet_sendrecv_all_client_packets(postfix_$1_t) @@ -5846,7 +5391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ') -@@ -268,6 +268,42 @@ +@@ -269,6 +269,42 @@ ######################################## ## 
@@ -5889,7 +5434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Do not audit attempts to use ## postfix master process file ## file descriptors. -@@ -433,6 +469,25 @@ +@@ -434,6 +470,25 @@ ######################################## ## @@ -5915,7 +5460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ## -@@ -449,3 +504,22 @@ +@@ -450,3 +505,22 @@ typeattribute $1 postfix_user_domtrans; ') @@ -5938,9 +5483,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + allow $1 postfix_private_t:dir list_dir_perms; + create_sock_files_pattern($1,postfix_private_t,postfix_private_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.1/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/postfix.te 2007-06-22 09:40:18.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.2/policy/modules/services/postfix.te +--- nsaserefpolicy/policy/modules/services/postfix.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/postfix.te 2007-07-03 13:08:20.000000000 -0400 @@ -84,6 +84,12 @@ type postfix_var_run_t; files_pid_file(postfix_var_run_t) @@ -5954,7 +5499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix master process local policy -@@ -169,6 +175,12 @@ +@@ -170,6 +176,12 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) 
@@ -5967,7 +5512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_master_t) ') -@@ -179,6 +191,10 @@ +@@ -180,6 +192,10 @@ ') optional_policy(` @@ -5978,7 +5523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post nis_use_ypbind(postfix_master_t) ') -@@ -376,7 +392,7 @@ +@@ -378,7 +394,7 @@ # Postfix pipe local policy # @@ -5987,7 +5532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -385,6 +401,10 @@ +@@ -387,6 +403,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -5998,7 +5543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -425,6 +445,11 @@ +@@ -427,6 +447,11 @@ cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -6010,7 +5555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) -@@ -504,8 +529,6 @@ +@@ -506,8 +531,6 @@ # Postfix smtp delivery local policy # @@ -6019,7 +5564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -@@ -513,6 +536,8 @@ +@@ -515,6 +538,8 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -6028,7 +5573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') -@@ -537,9 +562,45 @@ +@@ -539,9 +564,45 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` 
@@ -6074,9 +5619,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +# For reading spamassasin +mta_read_config(postfix_virtual_t) +mta_manage_spool(postfix_virtual_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.1/policy/modules/services/procmail.te ---- nsaserefpolicy/policy/modules/services/procmail.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/procmail.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.2/policy/modules/services/procmail.te +--- nsaserefpolicy/policy/modules/services/procmail.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/procmail.te 2007-07-03 13:08:20.000000000 -0400 @@ -10,6 +10,7 @@ type procmail_exec_t; domain_type(procmail_t) @@ -6094,14 +5639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc kernel_read_system_state(procmail_t) kernel_read_kernel_sysctls(procmail_t) -@@ -101,9 +104,16 @@ - ') - - optional_policy(` -+ nis_use_ypbind(procmail_t) -+') -+ -+optional_policy(` +@@ -109,6 +112,9 @@ # for a bug in the postfix local program postfix_dontaudit_rw_local_tcp_sockets(procmail_t) postfix_dontaudit_use_fds(procmail_t) @@ -6111,13 +5649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` -@@ -119,8 +129,13 @@ - - optional_policy(` - corenet_udp_bind_generic_port(procmail_t) -+ corenet_dontaudit_udp_bind_all_ports(procmail_t) - - spamassassin_exec(procmail_t) +@@ -130,3 +136,7 @@ spamassassin_exec_client(procmail_t) spamassassin_read_lib_files(procmail_t) ') 
@@ -6125,22 +5657,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +optional_policy(` + mailscanner_read_spool(procmail_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.0.1/policy/modules/services/pyzor.te ---- nsaserefpolicy/policy/modules/services/pyzor.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/pyzor.te 2007-06-19 17:06:27.000000000 -0400 -@@ -54,6 +54,11 @@ - corenet_udp_sendrecv_all_nodes(pyzor_t) - corenet_udp_sendrecv_all_ports(pyzor_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.0.2/policy/modules/services/pyzor.if +--- nsaserefpolicy/policy/modules/services/pyzor.if 2007-06-11 16:05:30.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/pyzor.if 2007-07-03 14:03:52.000000000 -0400 +@@ -25,16 +25,16 @@ + # + template(`pyzor_per_role_template',` + gen_require(` +- type pyzord_t; ++ type pyzor_t; + ') -+corenet_tcp_sendrecv_all_if(pyzor_t) -+corenet_tcp_sendrecv_all_nodes(pyzor_t) -+corenet_tcp_sendrecv_all_ports(pyzor_t) -+corenet_tcp_connect_http_port(pyzor_t) -+ - dev_read_urand(pyzor_t) + type $1_pyzor_home_t; + userdom_user_home_content($1,$1_pyzor_home_t) - files_read_etc_files(pyzor_t) -@@ -67,12 +72,18 @@ +- manage_dirs_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t) +- manage_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t) +- manage_lnk_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t) +- userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file }) ++ manage_dirs_pattern(pyzor_t,$1_pyzor_home_t,$1_pyzor_home_t) ++ manage_files_pattern(pyzor_t,$1_pyzor_home_t,$1_pyzor_home_t) ++ manage_lnk_files_pattern(pyzor_t,$1_pyzor_home_t,$1_pyzor_home_t) ++ userdom_user_home_dir_filetrans($1,pyzor_t,$1_pyzor_home_t,{ dir file lnk_file }) + ') + + ######################################## +diff --exclude-from=exclude -N -u 
-r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.0.2/policy/modules/services/pyzor.te +--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/pyzor.te 2007-07-03 13:08:20.000000000 -0400 +@@ -71,6 +71,11 @@ userdom_dontaudit_search_sysadm_home_dirs(pyzor_t) @@ -6152,14 +5697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo optional_policy(` amavis_manage_lib_files(pyzor_t) amavis_manage_spool_files(pyzor_t) - ') - - optional_policy(` -+ spamassassin_signal_spamd(pyzor_t) - spamassassin_read_spamd_tmp_files(pyzor_t) - ') - -@@ -128,6 +139,10 @@ +@@ -134,6 +139,10 @@ mta_manage_spool(pyzord_t) @@ -6170,10 +5708,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo optional_policy(` logging_send_syslog_msg(pyzord_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.1/policy/modules/services/radius.te ---- nsaserefpolicy/policy/modules/services/radius.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/radius.te 2007-06-19 17:06:27.000000000 -0400 -@@ -81,6 +81,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.2/policy/modules/services/radius.te +--- nsaserefpolicy/policy/modules/services/radius.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/radius.te 2007-07-03 13:08:20.000000000 -0400 +@@ -82,6 +82,7 @@ auth_read_shadow(radiusd_t) auth_domtrans_chk_passwd(radiusd_t) 
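Review bot: The rewritten `pyzor_per_role_template` now has the single shared `pyzor_t` domain (required via `type pyzor_t;`) manage every role's `$1_pyzor_home_t` through the `manage_*_pattern` and `userdom_user_home_dir_filetrans` calls, so the per-role home type no longer separates users' pyzor data at the domain level. That is presumably the intended correction over the daemon domain `pyzord_t`, but the consequence is not obvious from the template and deserves a comment, e.g. `# pyzor_t is not per-role: one client domain reaches every $1_pyzor_home_t`. The whole template body is inside the hunk; the rest of pyzor.if is not.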
@@ -6181,18 +5719,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi corecmd_exec_bin(radiusd_t) corecmd_exec_shell(radiusd_t) -@@ -124,3 +125,7 @@ - optional_policy(` - udev_read_db(radiusd_t) - ') -+ -+optional_policy(` -+ samba_read_var_files(radiusd_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.1/policy/modules/services/rhgb.te ---- nsaserefpolicy/policy/modules/services/rhgb.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rhgb.te 2007-06-19 17:06:27.000000000 -0400 -@@ -108,6 +108,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.2/policy/modules/services/rhgb.te +--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/rhgb.te 2007-07-03 13:08:20.000000000 -0400 +@@ -109,6 +109,7 @@ userdom_dontaudit_use_unpriv_user_fds(rhgb_t) userdom_dontaudit_search_sysadm_home_dirs(rhgb_t) @@ -6200,10 +5730,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb xserver_read_xdm_xserver_tmp_files(rhgb_t) xserver_kill_xdm_xserver(rhgb_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.0.1/policy/modules/services/ricci.te ---- nsaserefpolicy/policy/modules/services/ricci.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/ricci.te 2007-06-19 17:06:27.000000000 -0400 -@@ -137,6 +137,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.0.2/policy/modules/services/ricci.te +--- nsaserefpolicy/policy/modules/services/ricci.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/ricci.te 2007-07-03 13:08:20.000000000 -0400 +@@ -138,6 +138,7 @@ files_create_boot_flag(ricci_t) auth_domtrans_chk_passwd(ricci_t) 
@@ -6211,7 +5741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc auth_append_login_records(ricci_t) init_dontaudit_stream_connect_script(ricci_t) -@@ -320,6 +321,10 @@ +@@ -321,6 +322,10 @@ ') optional_policy(` @@ -6222,10 +5752,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc unconfined_use_fds(ricci_modclusterd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.1/policy/modules/services/rlogin.te ---- nsaserefpolicy/policy/modules/services/rlogin.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rlogin.te 2007-06-19 17:06:27.000000000 -0400 -@@ -64,6 +64,7 @@ +@@ -349,6 +354,7 @@ + + miscfiles_read_localization(ricci_modlog_t) + ++ + optional_policy(` + nscd_dontaudit_search_pid(ricci_modlog_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.2/policy/modules/services/rlogin.te +--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/rlogin.te 2007-07-03 13:08:20.000000000 -0400 +@@ -65,6 +65,7 @@ fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) 
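Review bot: The new inner hunk `@@ -349,6 +354,7 @@` for ricci.te adds only an empty line (`++` with no content) between `miscfiles_read_localization(ricci_modlog_t)` and the nscd `optional_policy` block, leaving two consecutive blank lines and no policy change. Dropping that inner hunk keeps the patch limited to real changes and avoids a spurious conflict on the next rebase.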
@@ -6233,211 +5771,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.0.1/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/services/rpcbind.fc 2007-06-19 17:06:27.000000000 -0400 -@@ -0,0 +1,6 @@ -+ -+/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) -+/var/run/rpcbind.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) -+/var/run/rpc.statd.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) -+/var/run/rpcbind.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) -+/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.0.1/policy/modules/services/rpcbind.if ---- nsaserefpolicy/policy/modules/services/rpcbind.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/services/rpcbind.if 2007-06-19 17:06:27.000000000 -0400 -@@ -0,0 +1,104 @@ -+ -+## policy for rpcbind -+ -+######################################## -+## -+## Execute a domain transition to run rpcbind. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`rpcbind_domtrans',` -+ gen_require(` -+ type rpcbind_t, rpcbind_exec_t; -+ ') -+ -+ domain_auto_trans($1,rpcbind_exec_t,rpcbind_t) -+ -+ allow rpcbind_t $1:fd use; -+ allow rpcbind_t $1:fifo_file rw_file_perms; -+ allow rpcbind_t $1:process sigchld; -+') -+ -+######################################## -+## -+## Read rpcbind PID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`rpcbind_read_pid_files',` -+ gen_require(` -+ type rpcbind_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 rpcbind_var_run_t:file r_file_perms; -+') -+ -+ -+######################################## -+## -+## Search rpcbind lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpcbind_search_lib',` -+ gen_require(` -+ type rpcbind_var_lib_t; -+ ') -+ -+ allow $1 rpcbind_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read rpcbind lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpcbind_read_lib_files',` -+ gen_require(` -+ type rpcbind_var_lib_t; -+ ') -+ -+ allow $1 rpcbind_var_lib_t:file r_file_perms; -+ allow $1 rpcbind_var_lib_t:dir list_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## rpcbind lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`rpcbind_manage_lib_files',` -+ gen_require(` -+ type rpcbind_var_lib_t; -+ ') -+ -+ allow $1 rpcbind_var_lib_t:file manage_file_perms; -+ allow $1 rpcbind_var_lib_t:dir rw_dir_perms; -+ files_search_var_lib($1) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.1/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/services/rpcbind.te 2007-06-19 17:06:27.000000000 -0400 -@@ -0,0 +1,79 @@ -+policy_module(rpcbind,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type rpcbind_t; -+type rpcbind_exec_t; -+domain_type(rpcbind_t) -+init_daemon_domain(rpcbind_t, rpcbind_exec_t) -+ -+# pid files -+type rpcbind_var_run_t; -+files_pid_file(rpcbind_var_run_t) -+ -+# var/lib files -+type rpcbind_var_lib_t; -+files_type(rpcbind_var_lib_t) -+ -+######################################## -+# -+# rpcbind local policy -+# -+ -+# Init script handling -+init_use_fds(rpcbind_t) -+init_use_script_ptys(rpcbind_t) -+domain_use_interactive_fds(rpcbind_t) -+ -+allow rpcbind_t self:capability { sys_tty_config setuid }; -+allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; -+allow rpcbind_t self:udp_socket listen; -+allow rpcbind_t self:tcp_socket create_stream_socket_perms; -+allow rpcbind_t self:fifo_file rw_file_perms; -+allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; -+ -+# pid file -+allow rpcbind_t rpcbind_var_run_t:file manage_file_perms; -+allow rpcbind_t rpcbind_var_run_t:sock_file manage_sock_file_perms; -+allow rpcbind_t rpcbind_var_run_t:dir rw_dir_perms; -+files_pid_filetrans(rpcbind_t,rpcbind_var_run_t, { file sock_file }) -+ -+# var/lib files for rpcbind -+allow rpcbind_t rpcbind_var_lib_t:file manage_file_perms; -+allow rpcbind_t rpcbind_var_lib_t:sock_file manage_sock_file_perms; -+allow rpcbind_t rpcbind_var_lib_t:dir 
manage_dir_perms; -+files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) -+ -+corenet_non_ipsec_sendrecv(rpcbind_t) -+corenet_tcp_sendrecv_all_if(rpcbind_t) -+corenet_tcp_sendrecv_all_nodes(rpcbind_t) -+corenet_tcp_sendrecv_all_ports(rpcbind_t) -+corenet_tcp_bind_all_nodes(rpcbind_t) -+corenet_tcp_bind_portmap_port(rpcbind_t) -+ -+allow rpcbind_t self:udp_socket create_socket_perms; -+corenet_udp_sendrecv_all_if(rpcbind_t) -+corenet_udp_sendrecv_all_nodes(rpcbind_t) -+corenet_udp_sendrecv_all_ports(rpcbind_t) -+corenet_udp_bind_all_nodes(rpcbind_t) -+corenet_udp_bind_portmap_port(rpcbind_t) -+corenet_udp_bind_all_rpc_ports(rpcbind_t) -+ -+files_read_etc_files(rpcbind_t) -+ -+kernel_read_network_state(rpcbind_t) -+ -+libs_use_ld_so(rpcbind_t) -+libs_use_shared_libs(rpcbind_t) -+ -+logging_send_syslog_msg(rpcbind_t) -+ -+miscfiles_read_localization(rpcbind_t) -+ -+sysnet_dns_name_resolve(rpcbind_t) -+ -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.1/policy/modules/services/rpc.if ---- nsaserefpolicy/policy/modules/services/rpc.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rpc.if 2007-06-19 17:06:27.000000000 -0400 -@@ -89,8 +89,11 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.2/policy/modules/services/rpc.if +--- nsaserefpolicy/policy/modules/services/rpc.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/rpc.if 2007-07-03 13:08:20.000000000 -0400 +@@ -81,6 +81,7 @@ + corenet_tcp_bind_all_nodes($1_t) + corenet_udp_bind_all_nodes($1_t) + corenet_tcp_bind_reserved_port($1_t) ++ corenet_tcp_bind_reserved_port($1_t) + corenet_tcp_connect_all_ports($1_t) + corenet_sendrecv_portmap_client_packets($1_t) + # do not log when it tries to bind to a port belonging to another domain +@@ -89,8 +90,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) 
corenet_udp_bind_generic_port($1_t) @@ -6450,9 +5795,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_rw_rpc_named_pipes($1_t) fs_search_auto_mountpoints($1_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.1/policy/modules/services/rpc.te ---- nsaserefpolicy/policy/modules/services/rpc.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rpc.te 2007-06-27 10:08:39.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.2/policy/modules/services/rpc.te +--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/rpc.te 2007-07-03 13:08:20.000000000 -0400 @@ -76,9 +76,11 @@ miscfiles_read_certs(rpcd_t) @@ -6495,10 +5840,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.1/policy/modules/services/rshd.te ---- nsaserefpolicy/policy/modules/services/rshd.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rshd.te 2007-06-19 17:06:27.000000000 -0400 -@@ -44,6 +44,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.2/policy/modules/services/rshd.te +--- nsaserefpolicy/policy/modules/services/rshd.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/rshd.te 2007-07-03 13:08:20.000000000 -0400 +@@ -45,6 +45,7 @@ selinux_compute_user_contexts(rshd_t) auth_domtrans_chk_passwd(rshd_t) 
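Review bot: The added line `corenet_tcp_bind_reserved_port($1_t)` in the new inner hunk `@@ -81,6 +81,7 @@` of rpc.if duplicates the identical call on the context line directly above it, so as written it grants nothing. The surrounding block pairs TCP and UDP calls (`corenet_tcp_bind_all_nodes` / `corenet_udp_bind_all_nodes`), which suggests the UDP counterpart was meant; if so the added line should read `corenet_udp_bind_reserved_port($1_t)` (assuming that interface exists in the 3.0.2 corenetwork module), otherwise the duplicate should be dropped. The enclosing template body continues outside the hunk.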
@@ -6506,16 +5851,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd corecmd_read_bin_symlinks(rshd_t) -@@ -84,6 +85,5 @@ +@@ -85,6 +86,5 @@ ') optional_policy(` - unconfined_domain(rshd_t) unconfined_shell_domtrans(rshd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.1/policy/modules/services/rsync.te ---- nsaserefpolicy/policy/modules/services/rsync.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rsync.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.2/policy/modules/services/rsync.te +--- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/rsync.te 2007-07-03 13:08:20.000000000 -0400 @@ -17,6 +17,7 @@ type rsync_t; type rsync_exec_t; @@ -6524,17 +5869,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn role system_r types rsync_t; type rsync_data_t; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.fc serefpolicy-3.0.1/policy/modules/services/rwho.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.fc serefpolicy-3.0.2/policy/modules/services/rwho.fc --- nsaserefpolicy/policy/modules/services/rwho.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rwho.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/rwho.fc 2007-07-03 13:08:20.000000000 -0400 
@@ -1,3 +1,4 @@ /usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0) /var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) +/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-3.0.1/policy/modules/services/rwho.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-3.0.2/policy/modules/services/rwho.if --- nsaserefpolicy/policy/modules/services/rwho.if 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rwho.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/rwho.if 2007-07-03 13:08:20.000000000 -0400 @@ -72,6 +72,47 @@ type rwho_spool_t; ') @@ -6584,9 +5929,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho + logging_search_logs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.0.1/policy/modules/services/rwho.te ---- nsaserefpolicy/policy/modules/services/rwho.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rwho.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.0.2/policy/modules/services/rwho.te +--- nsaserefpolicy/policy/modules/services/rwho.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/rwho.te 2007-07-03 13:08:20.000000000 -0400 @@ -10,10 +10,12 @@ type rwho_exec_t; init_daemon_domain(rwho_t, rwho_exec_t) 
@@ -6611,10 +5956,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho + kernel_read_system_state(rwho_t) - corenet_non_ipsec_sendrecv(rwho_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.1/policy/modules/services/samba.fc + corenet_all_recvfrom_unlabeled(rwho_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.2/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/samba.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/samba.fc 2007-07-03 13:08:20.000000000 -0400 @@ -30,6 +30,8 @@ /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) @@ -6624,9 +5969,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.1/policy/modules/services/samba.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.2/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/samba.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/samba.if 2007-07-03 13:08:20.000000000 -0400 @@ -349,6 +349,7 @@ files_search_var($1) files_search_var_lib($1) 
@@ -6688,10 +6033,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + read_files_pattern($1, samba_share_t, samba_share_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.1/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/samba.te 2007-06-27 14:15:13.000000000 -0400 -@@ -189,6 +189,8 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.2/policy/modules/services/samba.te +--- nsaserefpolicy/policy/modules/services/samba.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/samba.te 2007-07-03 13:08:20.000000000 -0400 +@@ -190,6 +190,8 @@ miscfiles_read_localization(samba_net_t) @@ -6700,7 +6045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb sysnet_read_config(samba_net_t) sysnet_use_ldap(samba_net_t) -@@ -225,8 +227,8 @@ +@@ -226,8 +228,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; @@ -6711,7 +6056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t samba_log_t:dir setattr; dontaudit smbd_t samba_log_t:dir remove_name; -@@ -296,6 +298,7 @@ +@@ -298,6 +300,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) @@ -6719,7 +6064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -348,6 +351,10 @@ +@@ -350,6 +353,10 @@ ') optional_policy(` @@ -6730,7 +6075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') -@@ -529,6 +536,7 @@ +@@ -533,6 +540,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) 
@@ -6738,7 +6083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -552,6 +560,11 @@ +@@ -556,6 +564,11 @@ sysnet_read_config(smbmount_t) userdom_use_all_users_fds(smbmount_t) @@ -6750,7 +6095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` nis_use_ypbind(smbmount_t) -@@ -623,6 +636,7 @@ +@@ -628,6 +641,7 @@ fs_getattr_xattr_fs(swat_t) auth_domtrans_chk_passwd(swat_t) @@ -6758,7 +6103,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb libs_use_ld_so(swat_t) libs_use_shared_libs(swat_t) -@@ -704,6 +718,8 @@ +@@ -672,7 +686,6 @@ + allow winbind_t self:fifo_file { read write }; + allow winbind_t self:unix_dgram_socket create_socket_perms; + allow winbind_t self:unix_stream_socket create_stream_socket_perms; +-allow winbind_t self:netlink_route_socket r_netlink_socket_perms; + allow winbind_t self:tcp_socket create_stream_socket_perms; + allow winbind_t self:udp_socket create_socket_perms; + +@@ -709,6 +722,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) 
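Review bot: The new inner hunk `@@ -672,7 +686,6 @@` drops `allow winbind_t self:netlink_route_socket r_netlink_socket_perms;`, and the next outer hunk (`@@ -6767,18 +6120,41 @@`) drops `sysnet_read_config`, `sysnet_dns_name_resolve` and `nscd_socket_use` for winbind_t in favour of a new `auth_use_nsswitch(winbind_t)`. winbind keeps its name-resolution access only if the 3.0.2 `auth_use_nsswitch` interface grants everything removed, including the netlink_route_socket rule, which the patch itself does not show; that should be confirmed against the target refpolicy before this lands. A one-line comment next to the addition, `# auth_use_nsswitch replaces the sysnet/nscd rules and the netlink_route_socket allow`, would record the dependency. The winbind policy block extends beyond both hunks.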
@@ -6767,18 +6120,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -728,6 +744,7 @@ +@@ -733,7 +748,9 @@ + fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) ++auth_use_nsswitch(winbind_t) auth_domtrans_chk_passwd(winbind_t) +auth_domtrans_upd_passwd(winbind_t) domain_use_interactive_fds(winbind_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.1/policy/modules/services/sasl.te ---- nsaserefpolicy/policy/modules/services/sasl.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/sasl.te 2007-06-19 17:06:27.000000000 -0400 -@@ -63,6 +63,7 @@ +@@ -746,9 +763,6 @@ + + miscfiles_read_localization(winbind_t) + +-sysnet_read_config(winbind_t) +-sysnet_dns_name_resolve(winbind_t) +- + userdom_dontaudit_use_unpriv_user_fds(winbind_t) + userdom_dontaudit_search_sysadm_home_dirs(winbind_t) + userdom_priveleged_home_dir_manager(winbind_t) +@@ -758,10 +772,6 @@ + ') + + optional_policy(` +- nscd_socket_use(winbind_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(winbind_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.2/policy/modules/services/sasl.te +--- nsaserefpolicy/policy/modules/services/sasl.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/sasl.te 2007-07-03 13:08:20.000000000 -0400 +@@ -64,6 +64,7 @@ selinux_compute_access_vector(saslauthd_t) auth_domtrans_chk_passwd(saslauthd_t) 
@@ -6786,9 +6162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl auth_use_nsswitch(saslauthd_t) domain_use_interactive_fds(saslauthd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.0.1/policy/modules/services/setroubleshoot.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.0.2/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/setroubleshoot.if 2007-06-21 11:54:56.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/setroubleshoot.if 2007-07-03 13:08:20.000000000 -0400 @@ -19,3 +19,22 @@ allow $1 setroubleshoot_var_run_t:sock_file write; allow $1 setroubleshootd_t:unix_stream_socket connectto; @@ -6812,10 +6188,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + dontaudit $1 setroubleshoot_var_run_t:sock_file write; + dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.1/policy/modules/services/setroubleshoot.te ---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/setroubleshoot.te 2007-06-19 17:06:27.000000000 -0400 -@@ -75,6 +75,9 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.2/policy/modules/services/setroubleshoot.te +--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-07-03 07:06:26.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/setroubleshoot.te 2007-07-03 13:08:20.000000000 -0400 +@@ -76,6 +76,9 @@ files_getattr_all_dirs(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) 
@@ -6825,10 +6201,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.0.1/policy/modules/services/smartmon.te ---- nsaserefpolicy/policy/modules/services/smartmon.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/smartmon.te 2007-06-19 17:06:27.000000000 -0400 -@@ -60,6 +60,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.0.2/policy/modules/services/smartmon.te +--- nsaserefpolicy/policy/modules/services/smartmon.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/smartmon.te 2007-07-03 13:08:20.000000000 -0400 +@@ -61,6 +61,7 @@ fs_search_auto_mountpoints(fsdaemon_t) mls_file_read_up(fsdaemon_t) @@ -6836,9 +6212,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.0.1/policy/modules/services/snmp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.0.2/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/snmp.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/snmp.fc 2007-07-03 13:08:20.000000000 -0400 @@ -1,3 +1,10 @@ + +# 
@@ -6850,9 +6226,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp # # /usr # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.1/policy/modules/services/spamassassin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.2/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/spamassassin.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/spamassassin.fc 2007-07-03 13:08:20.000000000 -0400 @@ -10,3 +10,9 @@ /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) @@ -6863,9 +6239,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.1/policy/modules/services/spamassassin.te ---- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/spamassassin.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.2/policy/modules/services/spamassassin.te +--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/spamassassin.te 2007-07-03 13:08:20.000000000 -0400 @@ -22,7 +22,7 @@ # spamassassin client executable 
@@ -6895,19 +6271,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.1/policy/modules/services/squid.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.2/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/squid.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/squid.fc 2007-07-03 13:08:20.000000000 -0400 @@ -12,3 +12,5 @@ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.1/policy/modules/services/squid.te ---- nsaserefpolicy/policy/modules/services/squid.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/squid.te 2007-07-01 21:13:36.000000000 -0400 -@@ -108,6 +108,8 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.2/policy/modules/services/squid.te +--- nsaserefpolicy/policy/modules/services/squid.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/squid.te 2007-07-03 13:08:20.000000000 -0400 +@@ -109,6 +109,8 @@ fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) 
@@ -6916,7 +6292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi selinux_dontaudit_getattr_dir(squid_t) -@@ -175,7 +177,11 @@ +@@ -176,7 +178,12 @@ udev_read_db(squid_t) ') @@ -6930,12 +6306,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + squid_read_config(httpd_squid_script_t) + allow httpd_squid_script_t self:tcp_socket create_socket_perms; + sysnet_read_config(httpd_squid_script_t) -+ corenet_non_ipsec_sendrecv(httpd_squid_script_t) ++ corenet_all_recvfrom_unlabeled(httpd_squid_script_t) ++ corenet_all_recvfrom_netlabel(httpd_squid_script_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.1/policy/modules/services/ssh.if ---- nsaserefpolicy/policy/modules/services/ssh.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/ssh.if 2007-06-21 12:35:37.000000000 -0400 -@@ -202,6 +202,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.2/policy/modules/services/ssh.if +--- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/ssh.if 2007-07-03 13:08:20.000000000 -0400 +@@ -203,6 +203,7 @@ # template(`ssh_per_role_template',` gen_require(` @@ -6943,7 +6320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. type ssh_agent_exec_t, ssh_keysign_exec_t; ') -@@ -709,3 +710,42 @@ +@@ -711,3 +712,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
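Review bot: The two replacement lines `corenet_all_recvfrom_unlabeled(httpd_squid_script_t)` and `corenet_all_recvfrom_netlabel(httpd_squid_script_t)` stand in for the removed `corenet_non_ipsec_sendrecv(httpd_squid_script_t)`, and they are the only receive-side network rules visible for the cachemgr CGI domain; the hunk shows `allow httpd_squid_script_t self:tcp_socket create_socket_perms;` but no port-level `corenet_tcp_connect_*` or `corenet_tcp_sendrecv_*` rule, so either those lines sit outside the visible hunk or the CGI domain cannot actually reach squid's management port. Worth confirming against the full squid.te rather than assuming. The swap also presumes the 3.0.2 base this patch now targets exports both interfaces, since a missing m4 interface inside `optional_policy` still breaks the module build. The enclosing `optional_policy` block for these lines starts before the visible hunk.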
@@ -6986,9 +6363,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + dontaudit $2 $1_ssh_agent_t:fd use; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.1/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/ssh.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.2/policy/modules/services/ssh.te +--- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/ssh.te 2007-07-03 13:08:20.000000000 -0400 @@ -24,11 +24,11 @@ # Type for the ssh-agent executable. @@ -7003,7 +6380,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. type ssh_keygen_t; type ssh_keygen_exec_t; -@@ -119,7 +119,12 @@ +@@ -100,6 +100,11 @@ + userdom_use_unpriv_users_ptys(sshd_t) + ') + ++ ++optional_policy(` ++ xserver_getattr_xauth(sshd_t) ++') ++ + optional_policy(` + daemontools_service_domain(sshd_t, sshd_exec_t) + ') +@@ -119,7 +124,12 @@ ') optional_policy(` 
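Review bot: The new `optional_policy(` block carrying `xserver_getattr_xauth(sshd_t)` is preceded by an added empty line (`++`) immediately after the existing blank context line, so the resulting ssh.te has two consecutive blank lines before the block; dropping that `++` line keeps the spacing consistent with the neighbouring `optional_policy` blocks. The interface is only introduced by this commit's xserver.if hunk, so this change depends on that hunk landing together with it: `optional_policy` tolerates an absent xserver module, not an xserver.if that lacks the interface. If the optional blocks in this section are kept in module-alphabetical order, which the `daemontools` block that follows suggests, the xserver block would belong further down the file.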
@@ -7017,10 +6406,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ifdef(`TODO',` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.1/policy/modules/services/uwimap.te ---- nsaserefpolicy/policy/modules/services/uwimap.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/uwimap.te 2007-06-19 17:06:27.000000000 -0400 -@@ -63,6 +63,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.2/policy/modules/services/uwimap.te +--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-07-03 07:06:26.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/uwimap.te 2007-07-03 13:08:20.000000000 -0400 +@@ -64,6 +64,7 @@ fs_search_auto_mountpoints(imapd_t) auth_domtrans_chk_passwd(imapd_t) @@ -7028,20 +6417,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwim libs_use_ld_so(imapd_t) libs_use_shared_libs(imapd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.0.1/policy/modules/services/w3c.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.0.2/policy/modules/services/w3c.fc --- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/services/w3c.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/w3c.fc 2007-07-03 13:08:20.000000000 -0400 
@@ -0,0 +1,2 @@ +/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) +/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.0.1/policy/modules/services/w3c.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.0.2/policy/modules/services/w3c.if --- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/services/w3c.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/w3c.if 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1 @@ +## W3C -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.0.1/policy/modules/services/w3c.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.0.2/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/services/w3c.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/w3c.te 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,14 @@ +policy_module(w3c,1.2.1) + 
@@ -7057,9 +6446,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. +corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) + +miscfiles_read_certs(httpd_w3c_validator_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.1/policy/modules/services/xserver.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.2/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/xserver.fc 2007-06-21 11:16:21.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/xserver.fc 2007-07-03 13:08:20.000000000 -0400 @@ -92,6 +92,7 @@ /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -7068,29 +6457,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.1/policy/modules/services/xserver.if ---- nsaserefpolicy/policy/modules/services/xserver.if 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/xserver.if 2007-06-22 14:11:27.000000000 -0400 -@@ -83,6 +83,8 @@ - manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t) - logging_log_filetrans($1_xserver_t,xserver_log_t,file) - -+ domain_mmap_low($1_xserver_t) -+ - kernel_read_system_state($1_xserver_t) - kernel_read_device_sysctls($1_xserver_t) - kernel_read_modprobe_sysctls($1_xserver_t) -@@ -229,7 +231,8 @@ - - gen_require(` - type iceauth_exec_t, xauth_exec_t; -- attribute fonts_type, fonts_cache_type, fonts_config_type; -+ attribute fonts_cache_type, fonts_config_type; -+ attribute fonts_type; - ') - - ############################## -@@ -349,9 +352,6 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.2/policy/modules/services/xserver.if +--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/xserver.if 2007-07-03 13:08:20.000000000 -0400 +@@ -353,9 +353,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -7100,7 +6470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t $1_xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) -@@ -383,6 +383,14 @@ +@@ -387,6 +384,14 @@ ') optional_policy(` 
@@ -7115,7 +6485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -533,16 +541,14 @@ +@@ -537,16 +542,14 @@ gen_require(` type xdm_t, xdm_tmp_t; @@ -7134,7 +6504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -561,16 +567,36 @@ +@@ -565,16 +568,36 @@ userdom_dontaudit_write_user_home_content_files($1,$2) xserver_ro_session_template(xdm,$2,$3) @@ -7173,7 +6543,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -655,6 +681,73 @@ +@@ -626,6 +649,24 @@ + + ######################################## + ## ++## Get the attributes of xauth executable ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_getattr_xauth',` ++ gen_require(` ++ type xauth_exec_t; ++ ') ++ ++ allow $1 xauth_exec_t:file getattr; ++') ++ ++######################################## ++## + ## Transition to a user Xauthority domain. + ## + ## +@@ -659,6 +700,73 @@ ######################################## ## @@ -7247,7 +6642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1132,7 +1225,7 @@ +@@ -1136,7 +1244,7 @@ type xdm_xserver_tmp_t; ') 
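Review bot: In the new `xserver_getattr_xauth` interface, `allow $1 xauth_exec_t:file getattr;` spells the permission out as a bare class/permission pair, while file rules nearby in this module go through the permission-set macros (e.g. `manage_file_perms`); `allow $1 xauth_exec_t:file getattr_file_perms;` grants the same single permission and matches that style. Granting only `getattr` on the xauth executable is the minimal right for a caller that merely checks whether xauth is installed, so no wider set is warranted here. The only caller this commit adds is the `xserver_getattr_xauth(sshd_t)` line in the ssh.te hunk.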
@@ -7256,9 +6651,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.1/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/xserver.te 2007-07-02 12:10:01.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.2/policy/modules/services/xserver.te +--- nsaserefpolicy/policy/modules/services/xserver.te 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/services/xserver.te 2007-07-03 13:08:20.000000000 -0400 @@ -16,6 +16,13 @@ ## @@ -7294,7 +6689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -245,6 +256,7 @@ +@@ -246,6 +257,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -7302,7 +6697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,6 +268,7 @@ +@@ -257,6 +269,7 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -7310,7 +6705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) -@@ -270,6 +283,10 @@ +@@ -271,6 +284,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -7321,7 +6716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -305,6 +322,8 @@ +@@ -306,6 +323,8 @@ optional_policy(` consolekit_dbus_chat(xdm_t) 
@@ -7330,7 +6725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -347,12 +366,8 @@ +@@ -348,12 +367,8 @@ ') optional_policy(` @@ -7344,7 +6739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; -@@ -424,6 +439,10 @@ +@@ -425,6 +440,10 @@ ') optional_policy(` @@ -7355,7 +6750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -433,47 +452,15 @@ +@@ -434,47 +453,15 @@ ') optional_policy(` @@ -7410,14 +6805,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -# -allow pam_t xdm_t:fifo_file { getattr ioctl write }; -') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.fc serefpolicy-3.0.1/policy/modules/system/application.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.fc serefpolicy-3.0.2/policy/modules/system/application.fc --- nsaserefpolicy/policy/modules/system/application.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/system/application.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/application.fc 2007-07-03 13:08:20.000000000 -0400 
@@ -0,0 +1 @@ +# No application file contexts. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.0.1/policy/modules/system/application.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.0.2/policy/modules/system/application.if --- nsaserefpolicy/policy/modules/system/application.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/system/application.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/application.if 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,104 @@ +## Policy for application domains + @@ -7523,9 +6918,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic + application_executable_file($2) + domain_entry_file($1,$2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.0.1/policy/modules/system/application.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.0.2/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/system/application.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/application.te 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,14 @@ + +policy_module(application,1.0.0) 
@@ -7541,9 +6936,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic + ssh_rw_stream_sockets(application_domain_type) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.1/policy/modules/system/authlogin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.2/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/authlogin.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/authlogin.fc 2007-07-03 13:08:20.000000000 -0400 @@ -14,6 +14,7 @@ /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) @@ -7552,9 +6947,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.1/policy/modules/system/authlogin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.2/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/authlogin.if 2007-06-27 10:19:29.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/authlogin.if 2007-07-03 13:08:20.000000000 -0400 @@ -27,7 +27,8 @@ domain_type($1_chkpwd_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t) 
@@ -7804,9 +7199,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + auth_dontaudit_read_shadow($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.1/policy/modules/system/authlogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.2/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/authlogin.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/authlogin.te 2007-07-03 13:08:20.000000000 -0400 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -7870,9 +7265,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +optional_policy(` + nscd_socket_use(updpwd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.1/policy/modules/system/fstools.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.2/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/fstools.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/fstools.fc 2007-07-03 13:08:20.000000000 -0400 @@ -20,7 +20,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
@@ -7881,9 +7276,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.0.1/policy/modules/system/fstools.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.0.2/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/fstools.if 2007-06-27 08:13:43.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/fstools.if 2007-07-03 13:08:20.000000000 -0400 @@ -124,3 +124,22 @@ allow $1 swapfile_t:file getattr; @@ -7907,9 +7302,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool + allow $1 fsdaemon_t:fifo_file read_fifo_file_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.1/policy/modules/system/fstools.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.2/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/fstools.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/fstools.te 2007-07-03 13:08:20.000000000 -0400 @@ -9,6 +9,7 @@ type fsadm_t; type fsadm_exec_t; 
@@ -7918,9 +7313,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool role system_r types fsadm_t; type fsadm_log_t; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.1/policy/modules/system/fusermount.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.2/policy/modules/system/fusermount.fc --- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/system/fusermount.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/fusermount.fc 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,6 @@ +# fusermount executable will have: +# label: system_u:object_r:fusermount_exec_t @@ -7928,9 +7323,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm +# MCS categories: + +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.if serefpolicy-3.0.1/policy/modules/system/fusermount.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.if serefpolicy-3.0.2/policy/modules/system/fusermount.if --- nsaserefpolicy/policy/modules/system/fusermount.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/system/fusermount.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/fusermount.if 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,41 @@ +## policy for fusermount + 
@@ -7974,9 +7369,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm + allow $1 fusermount_t:fd use; +') \ No newline at end of file -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-3.0.1/policy/modules/system/fusermount.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-3.0.2/policy/modules/system/fusermount.te --- nsaserefpolicy/policy/modules/system/fusermount.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/system/fusermount.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/fusermount.te 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,46 @@ +policy_module(fusermount,1.0.0) + @@ -8024,9 +7419,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm + mount_ntfs_rw_stream_sockets(fusermount_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.1/policy/modules/system/getty.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.2/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/getty.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/getty.te 2007-07-03 13:08:20.000000000 -0400 @@ -33,7 +33,8 @@ # 
@@ -8037,9 +7432,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.0.1/policy/modules/system/hostname.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.0.2/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/hostname.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/hostname.te 2007-07-03 13:08:20.000000000 -0400 @@ -8,8 +8,12 @@ type hostname_t; @@ -8066,9 +7461,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna +optional_policy(` + unconfined_dontaudit_rw_pipes(hostname_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.1/policy/modules/system/init.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.2/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/init.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/init.if 2007-07-03 13:08:20.000000000 -0400 @@ -194,11 +194,14 @@ gen_require(` type initrc_t; 
@@ -8136,9 +7531,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + + allow $1 init_t:process ptrace; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.1/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/init.te 2007-06-22 11:29:08.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.2/policy/modules/system/init.te +--- nsaserefpolicy/policy/modules/system/init.te 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/init.te 2007-07-03 13:08:20.000000000 -0400 @@ -10,6 +10,20 @@ # Declarations # @@ -8188,7 +7583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t,initrc_exec_t) -@@ -500,6 +513,39 @@ +@@ -501,6 +514,39 @@ ') optional_policy(` @@ -8228,7 +7623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) ') -@@ -630,12 +676,6 @@ +@@ -631,12 +677,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -8241,7 +7636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -701,6 +741,9 @@ +@@ -702,6 +742,9 @@ # why is this needed: rpm_manage_db(initrc_t) 
@@ -8251,9 +7646,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.0.1/policy/modules/system/ipsec.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.0.2/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/ipsec.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/ipsec.if 2007-07-03 13:08:20.000000000 -0400 @@ -114,6 +114,26 @@ ######################################## @@ -8281,9 +7676,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ## Execute racoon in the racoon domain. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.1/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/ipsec.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.2/policy/modules/system/ipsec.te +--- nsaserefpolicy/policy/modules/system/ipsec.te 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/ipsec.te 2007-07-03 13:08:20.000000000 -0400 @@ -283,6 +283,7 @@ allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; 
@@ -8292,9 +7687,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # manage pid file manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.1/policy/modules/system/iptables.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.2/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/iptables.te 2007-06-25 06:54:25.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/iptables.te 2007-07-03 13:08:20.000000000 -0400 @@ -62,6 +62,7 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: @@ -8303,9 +7698,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl libs_use_ld_so(iptables_t) libs_use_shared_libs(iptables_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.1/policy/modules/system/libraries.fc ---- nsaserefpolicy/policy/modules/system/libraries.fc 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/libraries.fc 2007-06-26 06:05:08.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.2/policy/modules/system/libraries.fc +--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/libraries.fc 2007-07-03 13:08:20.000000000 -0400 @@ -158,8 +158,11 @@ /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -8318,7 +7713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -257,6 +260,8 @@ +@@ -261,6 +264,8 @@ /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -8327,7 +7722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # vmware -@@ -309,3 +314,7 @@ +@@ -313,3 +318,7 @@ /var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0) /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0) /var/spool/postfix/lib(64)?/devfsd/.+\.so.* -- gen_context(system_u:object_r:shlib_t,s0) @@ -8335,9 +7730,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/mozilla/plugins/libvlcplugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/mozilla/plugins/libvlcplugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.1/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/libraries.te 2007-06-21 09:35:55.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.2/policy/modules/system/libraries.te +--- nsaserefpolicy/policy/modules/system/libraries.te 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/libraries.te 2007-07-03 13:08:20.000000000 -0400 @@ -97,6 +97,11 @@ ') ') 
@@ -8357,9 +7752,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + # smart package manager needs the following for the same reason + rpm_rw_tmp_files(ldconfig_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.0.1/policy/modules/system/locallogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.0.2/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/locallogin.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/locallogin.te 2007-07-03 13:08:20.000000000 -0400 @@ -48,6 +48,8 @@ allow local_login_t self:msgq create_msgq_perms; allow local_login_t self:msg { send receive }; @@ -8428,9 +7823,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ################################# # # Sulogin local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.1/policy/modules/system/logging.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.2/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/logging.fc 2007-06-27 10:17:24.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/logging.fc 2007-07-03 13:08:20.000000000 -0400 @@ -1,6 +1,6 @@ - /dev/log -s gen_context(system_u:object_r:devlog_t,s0) 
@@ -8445,18 +7840,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.1/policy/modules/system/logging.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.2/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/logging.if 2007-06-27 15:41:00.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/logging.if 2007-07-03 13:08:20.000000000 -0400 @@ -33,8 +33,13 @@ ## # interface(`logging_send_audit_msgs',` + gen_require(` -+ attribute can_send_audit_msg; ++ attribute can_send_audit_msgs; + ') + -+ typeattribute $1 can_send_audit_msg; ++ typeattribute $1 can_send_audit_msgs; allow $1 self:capability audit_write; - allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; @@ -8589,10 +7984,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +interface(`logging_set_loginuid',` + gen_require(` + attribute can_set_loginuid; -+ attribute can_send_audit_msg; ++ attribute can_send_audit_msgs; + ') + -+ typeattribute $1 can_set_loginuid, can_send_audit_msg; ++ typeattribute $1 can_set_loginuid, can_send_audit_msgs; + + allow $1 self:capability audit_control; + allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; 
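Review bot: The new side of the logging.fc hunk still labels `/var/log/syslog-ng(/.*)?` with `syslogd_var_run_t`, a pid/runtime type, while the neighbouring `/var/tinydns/log/main(/.*)?` entry uses `var_log_t`; this commit only re-offsets the hunk and does not address it. With that label, syslog-ng's log files are reachable by any domain granted access to syslogd's pid files and are missed by interfaces keyed on log types, and the `--` file-class restriction means the directory itself is not matched by this entry at all. Unless there is a reason for the run type that is not visible here, the entry should read `/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:var_log_t,s0)` (or a dedicated syslogd log type if the logging module declares one).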
@@ -8611,10 +8006,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +interface(`logging_set_audit',` + gen_require(` + attribute can_set_audit; -+ attribute can_send_audit_msg; ++ attribute can_send_audit_msgs; + ') + -+ typeattribute $1 can_set_audit, can_send_audit_msg; ++ typeattribute $1 can_set_audit, can_send_audit_msgs; + allow $1 self:capability { audit_write audit_control }; + allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +') @@ -8663,19 +8058,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + gen_require(` + attribute can_set_audit; + attribute can_set_auditctl; -+ attribute can_send_audit_msg; ++ attribute can_send_audit_msgs; + attribute can_set_loginuid; + ') + + typeattribute $1 can_set_loginuid; + typeattribute $1 can_set_audit; + typeattribute $1 can_set_auditctl; -+ typeattribute $1 can_send_audit_msg; ++ typeattribute $1 can_send_audit_msgs; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.1/policy/modules/system/logging.te ---- nsaserefpolicy/policy/modules/system/logging.te 2007-06-15 14:54:33.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/logging.te 2007-06-27 10:16:37.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.2/policy/modules/system/logging.te +--- nsaserefpolicy/policy/modules/system/logging.te 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/logging.te 2007-07-03 13:08:20.000000000 -0400 @@ -7,10 +7,15 @@ # @@ -8683,7 +8078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +attribute can_set_audit; +attribute can_set_auditctl; +attribute can_set_loginuid; -+attribute can_send_audit_msg; ++attribute can_send_audit_msgs; type auditctl_t; type auditctl_exec_t; 
@@ -8715,8 +8110,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +neverallow ~{ can_set_loginuid can_set_audit } self:capability audit_control; +neverallow ~can_set_audit self:netlink_audit_socket nlmsg_write; +neverallow ~can_set_auditctl self:netlink_audit_socket nlmsg_readpriv; -+neverallow ~can_send_audit_msg self:capability audit_write; -+neverallow ~can_send_audit_msg self:netlink_audit_socket nlmsg_relay; ++neverallow ~can_send_audit_msgs self:capability audit_write; ++neverallow ~can_send_audit_msgs self:netlink_audit_socket nlmsg_relay; + ######################################## # @@ -8797,7 +8192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow syslogd_t syslogd_var_run_t:file manage_file_perms; files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) -@@ -313,6 +339,7 @@ +@@ -314,6 +340,7 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) @@ -8805,9 +8200,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.1/policy/modules/system/lvm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.2/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/lvm.fc 2007-07-02 16:25:30.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/lvm.fc 2007-07-03 13:08:20.000000000 -0400 @@ -15,6 +15,7 @@ # /etc/lvm(/.*)? gen_context(system_u:object_r:lvm_etc_t,s0) 
@@ -8816,9 +8211,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /etc/lvm/archive(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvm/backup(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.1/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/lvm.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.2/policy/modules/system/lvm.te +--- nsaserefpolicy/policy/modules/system/lvm.te 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/lvm.te 2007-07-03 13:08:20.000000000 -0400 @@ -16,6 +16,7 @@ type lvm_t; type lvm_exec_t; @@ -8827,7 +8222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te # needs privowner because it assigns the identity system_u to device nodes # but runs as the identity of the sysadmin domain_obj_id_change_exemption(lvm_t) -@@ -149,7 +150,9 @@ +@@ -150,7 +151,9 @@ # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid @@ -8838,7 +8233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. -@@ -227,6 +230,8 @@ +@@ -228,6 +231,8 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) 
@@ -8847,7 +8242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -245,6 +250,7 @@ +@@ -246,6 +251,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -8855,7 +8250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te term_getattr_all_user_ttys(lvm_t) term_list_ptys(lvm_t) -@@ -292,5 +298,15 @@ +@@ -293,5 +299,15 @@ ') optional_policy(` @@ -8871,9 +8266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.0.1/policy/modules/system/miscfiles.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.0.2/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/miscfiles.fc 2007-06-21 06:25:16.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/miscfiles.fc 2007-07-03 13:08:20.000000000 -0400 @@ -66,6 +66,7 @@ /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) 
@@ -8882,9 +8277,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.1/policy/modules/system/modutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.2/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/modutils.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/modutils.te 2007-07-03 13:08:20.000000000 -0400 @@ -43,7 +43,7 @@ # insmod local policy # @@ -8968,18 +8363,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.1/policy/modules/system/mount.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.2/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/mount.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/mount.fc 2007-07-03 13:08:20.000000000 -0400 
@@ -1,4 +1,3 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mount.ntfs-3g -- gen_context(system_u:object_r:mount_ntfs_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.0.1/policy/modules/system/mount.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.0.2/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/mount.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/mount.if 2007-07-03 13:08:20.000000000 -0400 @@ -171,3 +171,40 @@ role $2 types unconfined_mount_t; allow unconfined_mount_t $3:chr_file rw_file_perms; @@ -9021,9 +8416,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + + allow $1 mount_ntfs_t:unix_stream_socket { read write }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.1/policy/modules/system/mount.te ---- nsaserefpolicy/policy/modules/system/mount.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/mount.te 2007-07-01 20:53:16.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.2/policy/modules/system/mount.te +--- nsaserefpolicy/policy/modules/system/mount.te 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/mount.te 2007-07-03 13:08:20.000000000 -0400 @@ -8,6 +8,13 @@ ## 
@@ -9074,16 +8469,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; allow mount_t self:netlink_route_socket r_netlink_socket_perms; -@@ -52,6 +62,8 @@ +@@ -52,6 +62,7 @@ kernel_read_system_state(mount_t) kernel_read_kernel_sysctls(mount_t) kernel_dontaudit_getattr_core_if(mount_t) +kernel_search_debugfs(mount_t) -+kernel_read_unlabeled_state(mount_t) dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) -@@ -102,6 +114,8 @@ +@@ -102,6 +113,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -9092,7 +8486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. libs_use_ld_so(mount_t) libs_use_shared_libs(mount_t) -@@ -128,10 +142,15 @@ +@@ -128,10 +141,15 @@ ') ') @@ -9109,7 +8503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -201,4 +220,53 @@ +@@ -202,4 +220,53 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -9163,9 +8557,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + hal_rw_pipes(mount_ntfs_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.0.1/policy/modules/system/netlabel.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.0.2/policy/modules/system/netlabel.te --- nsaserefpolicy/policy/modules/system/netlabel.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/netlabel.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/netlabel.te 2007-07-03 13:08:20.000000000 -0400 @@ -20,6 +20,8 @@ allow netlabel_mgmt_t self:capability net_admin; allow netlabel_mgmt_t self:netlink_socket create_socket_perms; 
@@ -9175,9 +8569,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlab kernel_read_network_state(netlabel_mgmt_t) libs_use_ld_so(netlabel_mgmt_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.1/policy/modules/system/raid.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.2/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/raid.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/raid.te 2007-07-03 13:08:20.000000000 -0400 @@ -19,7 +19,7 @@ # Local policy # @@ -9187,9 +8581,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.1/policy/modules/system/selinuxutil.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.2/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/selinuxutil.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.fc 2007-07-03 13:08:20.000000000 -0400 @@ -40,6 +40,7 @@ /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) /usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) 
@@ -9198,9 +8592,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.1/policy/modules/system/selinuxutil.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.2/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/selinuxutil.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.if 2007-07-03 13:08:20.000000000 -0400 @@ -432,6 +432,7 @@ role $2 types run_init_t; allow run_init_t $3:chr_file rw_term_perms; @@ -9209,9 +8603,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.1/policy/modules/system/selinuxutil.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.2/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/selinuxutil.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.te 2007-07-03 13:08:20.000000000 -0400 @@ -24,11 +24,9 @@ files_type(selinux_config_t) 
@@ -9382,19 +8776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -504,11 +530,6 @@ - # Handle pp files created in homedir and /tmp - userdom_read_sysadm_home_content_files(semanage_t) - userdom_read_sysadm_tmp_files(semanage_t) -- -- optional_policy(` -- unconfined_read_home_content_files(semanage_t) -- unconfined_read_tmp_files(semanage_t) -- ') - ') - - ######################################## -@@ -524,6 +545,8 @@ +@@ -524,6 +550,8 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; @@ -9403,15 +8785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) -@@ -534,12 +557,15 @@ - kernel_rw_pipes(setfiles_t) - kernel_rw_unix_dgram_sockets(setfiles_t) - kernel_dontaudit_list_all_proc(setfiles_t) -+kernel_dontaudit_read_all_proc(setfiles_t) - kernel_dontaudit_list_all_sysctls(setfiles_t) -+kernel_dontaudit_read_all_sysctls(setfiles_t) - - dev_relabel_all_dev_nodes(setfiles_t) +@@ -540,6 +568,7 @@ fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) @@ -9419,7 +8793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) -@@ -595,6 +621,10 @@ +@@ -595,6 +624,10 @@ ifdef(`hide_broken_symptoms',` optional_policy(` 
@@ -9430,10 +8804,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu udev_dontaudit_rw_dgram_sockets(setfiles_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.1/policy/modules/system/sysnetwork.if ---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/sysnetwork.if 2007-06-22 11:38:09.000000000 -0400 -@@ -520,6 +520,8 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.2/policy/modules/system/sysnetwork.if +--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/sysnetwork.if 2007-07-03 13:08:20.000000000 -0400 +@@ -522,6 +522,8 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -9442,10 +8816,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.1/policy/modules/system/sysnetwork.te ---- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/sysnetwork.te 2007-06-19 17:06:27.000000000 -0400 -@@ -158,6 +158,10 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.2/policy/modules/system/sysnetwork.te +--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/sysnetwork.te 2007-07-03 13:08:20.000000000 -0400 +@@ -159,6 +159,10 @@ dbus_connect_system_bus(dhcpc_t) dbus_send_system_bus(dhcpc_t) 
@@ -9456,7 +8830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet optional_policy(` networkmanager_dbus_chat(dhcpc_t) ') -@@ -205,6 +209,7 @@ +@@ -206,6 +210,7 @@ # dhclient sometimes starts ntpd init_exec_script_files(dhcpc_t) ntp_domtrans(dhcpc_t) @@ -9464,7 +8838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -215,6 +220,7 @@ +@@ -216,6 +221,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -9472,7 +8846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -279,6 +285,8 @@ +@@ -280,6 +286,8 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -9481,9 +8855,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet term_dontaudit_use_all_user_ttys(ifconfig_t) term_dontaudit_use_all_user_ptys(ifconfig_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.1/policy/modules/system/udev.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.2/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/udev.te 2007-06-28 07:26:24.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/udev.te 2007-07-03 13:08:20.000000000 -0400 @@ -68,8 +68,9 @@ allow udev_t udev_tbl_t:file manage_file_perms; dev_filetrans(udev_t,udev_tbl_t,file) 
@@ -9572,9 +8946,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.1/policy/modules/system/unconfined.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.2/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/unconfined.if 2007-07-02 12:39:12.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/unconfined.if 2007-07-03 13:08:20.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -9738,9 +9112,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + + allow $1 unconfined_terminal:chr_file rw_term_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.1/policy/modules/system/unconfined.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.2/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/unconfined.te 2007-06-26 07:04:16.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/unconfined.te 2007-07-03 13:08:20.000000000 -0400 @@ -5,30 +5,36 @@ # # Declarations 
@@ -9904,15 +9278,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -232,3 +203,5 @@ +@@ -229,6 +200,12 @@ + unconfined_dbus_chat(unconfined_execmem_t) + + optional_policy(` ++ avahi_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` hal_dbus_chat(unconfined_execmem_t) ') ') + +corecmd_exec_all_executables(unconfined_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.1/policy/modules/system/userdomain.if ---- nsaserefpolicy/policy/modules/system/userdomain.if 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/userdomain.if 2007-06-26 07:46:18.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.2/policy/modules/system/userdomain.if +--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/userdomain.if 2007-07-03 14:20:25.000000000 -0400 @@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; @@ -9950,7 +9331,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo tunable_policy(`use_nfs_home_dirs',` fs_list_nfs_dirs($1_t) fs_read_nfs_files($1_t) -@@ -579,29 +579,26 @@ +@@ -555,6 +555,12 @@ + corenet_udp_sendrecv_all_ports($1_t) + corenet_tcp_connect_all_ports($1_t) + corenet_sendrecv_all_client_packets($1_t) ++ ++ ifdef(`enable_mls',` ++ # netlabel/CIPSO labeled networking ++ corenet_tcp_recv_netlabel($1_t) ++ corenet_udp_recv_netlabel($1_t) ++ ') + ') + + ####################################### +@@ -574,29 +580,26 @@ type $1_t, $1_tmpfs_t; ') @@ -10000,7 +9394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -677,67 +674,39 @@ +@@ -672,67 +675,39 @@ attribute unpriv_userdomain; ') 
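Review bot: The newly added `avahi_dbus_chat(unconfined_t)` in the unconfined.te hunk `@@ -229,6 +200,12 @@` sits inside the `optional_policy` block that otherwise grants `unconfined_execmem_t` (`unconfined_dbus_chat(unconfined_execmem_t)`, `hal_dbus_chat(unconfined_execmem_t)`), so it either names the wrong domain or is misplaced; the enclosing block starts outside the hunk, so I cannot tell which was intended. If the execmem domain is meant it should read `avahi_dbus_chat(unconfined_execmem_t)`; if `unconfined_t` is meant, the call belongs alongside the other `unconfined_t` rules (such as the `corecmd_exec_all_executables(unconfined_t)` line in the same hunk) rather than nested here. A one-line comment stating why the avahi D-Bus chat is needed would also help, since nothing in the hunk says so.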
@@ -10071,7 +9465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_exec_etc_files($1_t) files_search_locks($1_t) # Check to see if cdrom is mounted -@@ -750,12 +719,6 @@ +@@ -745,12 +720,6 @@ # Stat lost+found. files_getattr_lost_found_dirs($1_t) @@ -10084,7 +9478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) -@@ -768,31 +731,16 @@ +@@ -763,31 +732,16 @@ storage_getattr_fixed_disk_dev($1_t) auth_read_login_records($1_t) @@ -10118,7 +9512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_exec_checkpolicy($1_t) seutil_exec_setfiles($1_t) -@@ -807,19 +755,12 @@ +@@ -802,19 +756,12 @@ files_read_default_symlinks($1_t) files_read_default_sockets($1_t) files_read_default_pipes($1_t) @@ -10138,7 +9532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -834,34 +775,14 @@ +@@ -829,34 +776,14 @@ ') optional_policy(` @@ -10173,7 +9567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -889,17 +810,19 @@ +@@ -884,17 +811,19 @@ ') optional_policy(` @@ -10199,7 +9593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -913,16 +836,6 @@ +@@ -908,16 +837,6 @@ ') optional_policy(` @@ -10216,7 +9610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -932,11 +845,6 @@ +@@ -927,11 +846,6 @@ ') optional_policy(` @@ -10228,7 +9622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -967,21 +875,122 @@ +@@ -962,21 +876,122 @@ ## ## # 
@@ -10357,7 +9751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -990,15 +999,45 @@ +@@ -985,15 +1000,45 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -10407,7 +9801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1038,14 +1077,6 @@ +@@ -1033,14 +1078,6 @@ ') optional_policy(` @@ -10422,7 +9816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') -@@ -1059,12 +1090,8 @@ +@@ -1054,12 +1091,8 @@ setroubleshoot_stream_connect($1_t) ') @@ -10436,7 +9830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Do not audit write denials to /etc/ld.so.cache. dontaudit $1_t ld_so_cache_t:file write; -@@ -1107,6 +1134,8 @@ +@@ -1102,6 +1135,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -10445,7 +9839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1132,7 +1161,7 @@ +@@ -1127,7 +1162,7 @@ # $1_t local policy # @@ -10454,7 +9848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1144,8 +1173,6 @@ +@@ -1139,8 +1174,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; 
@@ -10463,7 +9857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -3083,7 +3110,7 @@ +@@ -3078,7 +3111,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -10472,7 +9866,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5553,6 +5580,26 @@ +@@ -5323,7 +5356,7 @@ + attribute user_tmpfile; + ') + +- allow $1 user_tmpfile:file { read getattr }; ++ allow $1 user_tmpfile:file r_file_perms; + ') + + ######################################## +@@ -5548,6 +5581,26 @@ ######################################## ## @@ -10499,7 +9902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Unconfined access to user domains. (Deprecated) ## ## -@@ -5564,3 +5611,124 @@ +@@ -5559,3 +5612,124 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -10624,9 +10027,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1 user_home_type:file unlink; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.1/policy/modules/system/userdomain.te ---- nsaserefpolicy/policy/modules/system/userdomain.te 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/userdomain.te 2007-06-19 17:06:27.000000000 -0400 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.2/policy/modules/system/userdomain.te +--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/userdomain.te 2007-07-03 13:08:20.000000000 -0400 @@ -74,6 +74,9 @@ # users home directory contents attribute home_type; 
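Review bot: In the userdomain.if hunk `@@ -5323,7 +5356,7 @@`, replacing `allow $1 user_tmpfile:file { read getattr };` with `allow $1 user_tmpfile:file r_file_perms;` follows refpolicy convention but is also a widening: the macro is expected to expand to `lock` and `ioctl` in addition to `read` and `getattr` (confirm against this tree's permission-set definitions). That is probably acceptable for a read interface, but the interface header starts outside the hunk, and if its description documents read/getattr only it should be updated to describe the broader permission set.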
@@ -10769,140 +10172,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +tunable_policy(`allow_console_login', ` + term_use_console(userdomain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.1/policy/modules/system/xen.if ---- nsaserefpolicy/policy/modules/system/xen.if 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/xen.if 2007-06-19 17:06:27.000000000 -0400 -@@ -72,12 +72,34 @@ - ') - - logging_search_logs($1) -+ allow $1 xend_var_log_t:dir search_dir_perms; - allow $1 xend_var_log_t:file { getattr append }; - dontaudit $1 xend_var_log_t:file write; - ') - - ######################################## - ## -+## Allow the specified domain to manage -+## xend log files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`xen_manage_log',` -+ gen_require(` -+ type var_log_t, xend_var_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1,xend_var_log_t,xend_var_log_t) -+ manage_files_pattern($1,xend_var_log_t,xend_var_log_t) -+') -+ -+######################################## -+## - ## Do not audit attempts to read and write - ## Xen unix domain stream sockets. These - ## are leaked file descriptors. -@@ -151,3 +173,25 @@ - - domtrans_pattern($1,xm_exec_t,xm_t) - ') -+ -+######################################## -+## -+## Allow the specified domain to read -+## xend image files. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`xen_read_image_files',` -+ gen_require(` -+ type xen_image_t, xend_var_lib_t; -+ ') -+ -+ files_list_var_lib($1) -+ allow $1 xend_var_lib_t:dir search_dir_perms; -+ read_files_pattern($1,xen_image_t,xen_image_t) -+') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.1/policy/modules/system/xen.te ---- nsaserefpolicy/policy/modules/system/xen.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/xen.te 2007-06-19 17:06:27.000000000 -0400 -@@ -25,6 +25,10 @@ - domain_type(xend_t) - init_daemon_domain(xend_t, xend_exec_t) - -+# tmp files -+type xend_tmp_t; -+files_tmp_file(xend_tmp_t) -+ - # var/lib files - type xend_var_lib_t; - files_type(xend_var_lib_t) -@@ -88,6 +92,7 @@ - allow xend_t xen_image_t:dir list_dir_perms; - manage_dirs_pattern(xend_t,xen_image_t,xen_image_t) - manage_files_pattern(xend_t,xen_image_t,xen_image_t) -+read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t) - rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t) - - allow xend_t xenctl_t:fifo_file manage_file_perms; -@@ -97,7 +102,8 @@ - allow xend_t xend_var_run_t:dir setattr; - manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) - manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) --files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file }) -+manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) -+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file }) - - # log files - allow xend_t xend_var_log_t:dir setattr; -@@ -105,6 +111,10 @@ - manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) - logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir }) - -+manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t) -+manage_dirs_pattern(xend_t,xend_tmp_t,xend_tmp_t) -+files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) -+ - # var/lib files for xend - manage_dirs_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) - 
manage_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) -@@ -165,8 +175,13 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.2/policy/modules/system/xen.te +--- nsaserefpolicy/policy/modules/system/xen.te 2007-07-03 07:06:32.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/xen.te 2007-07-03 13:08:20.000000000 -0400 +@@ -176,6 +176,7 @@ files_manage_etc_runtime_files(xend_t) files_etc_filetrans_etc_runtime(xend_t,file) files_read_usr_files(xend_t) +files_read_default_symlinks(xend_t) -+ -+#tunable_policy(`xen_use_raw_disk',` -+ storage_raw_read_fixed_disk(xend_t) -+ storage_raw_write_fixed_disk(xend_t) -+#') --storage_raw_read_fixed_disk(xend_t) - storage_raw_read_removable_device(xend_t) - - term_getattr_all_user_ptys(xend_t) -@@ -195,6 +210,10 @@ - - xen_stream_connect_xenstore(xend_t) - -+lvm_domtrans(xend_t) -+ -+mount_domtrans(xend_t) -+ - netutils_domtrans(xend_t) - - optional_policy(` -@@ -241,7 +260,7 @@ + storage_raw_read_fixed_disk(xend_t) + storage_raw_write_fixed_disk(xend_t) +@@ -257,7 +258,7 @@ miscfiles_read_localization(xenconsoled_t) 
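Review bot: On the new side the carried xen.te change shrinks to the single line `+files_read_default_symlinks(xend_t)`, while the previously carried xen.if interfaces (`xen_manage_log`, `xen_read_image_files`), the `xend_tmp_t` type and the `lvm_domtrans`/`mount_domtrans` calls disappear from the patch. That is presumably because serefpolicy-3.0.2 now ships them upstream — nothing on this page confirms it, and any remaining downstream module that still calls one of those interfaces will fail at policy build time, so that is worth checking before this lands. The new side also shows `storage_raw_read_fixed_disk(xend_t)` and `storage_raw_write_fixed_disk(xend_t)` as plain upstream context, i.e. raw fixed-disk write for xend_t is unconditional in 3.0.2 and the commented-out `xen_use_raw_disk` gate the old patch carried is gone; that is a notable privilege to keep in mind when reviewing the rest of the xend rules. The added line itself has no comment saying which denial it fixes; matching the file's style, a one-line `# …` note naming the operation that needed it would help the next rebase.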
@@ -10911,32 +10192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te xen_stream_connect_xenstore(xenconsoled_t) ######################################## -@@ -275,6 +294,12 @@ - - files_read_usr_files(xenstored_t) - -+#tunable_policy(`xen_use_raw_disk',` -+ storage_raw_read_fixed_disk(xenstored_t) -+ storage_raw_write_fixed_disk(xenstored_t) -+#') -+storage_raw_read_removable_device(xenstored_t) -+ - term_use_generic_ptys(xenstored_t) - term_use_console(xenconsoled_t) - -@@ -308,6 +333,11 @@ - - allow xm_t xen_image_t:dir rw_dir_perms; - allow xm_t xen_image_t:file read_file_perms; -+allow xm_t xen_image_t:blk_file r_file_perms; -+ -+#tunable_policy(`xen_use_raw_disk',` -+ storage_raw_read_fixed_disk(xm_t) -+#') - - kernel_read_system_state(xm_t) - kernel_read_kernel_sysctls(xm_t) -@@ -343,3 +373,13 @@ +@@ -366,3 +367,13 @@ xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t) @@ -10950,19 +10206,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te +fs_write_nfs_files(xend_t) +fs_read_nfs_files(xend_t) +fs_read_nfs_symlinks(xend_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.1/policy/modules/users/guest.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.2/policy/modules/users/guest.fc --- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/guest.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/guest.fc 2007-07-03 13:08:20.000000000 -0400 
@@ -0,0 +1 @@ +# No guest file contexts. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.0.1/policy/modules/users/guest.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.0.2/policy/modules/users/guest.if --- nsaserefpolicy/policy/modules/users/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/guest.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/guest.if 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1 @@ +## Policy for guest user -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.1/policy/modules/users/guest.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.2/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/guest.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/guest.te 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,127 @@ +policy_module(guest,1.0.0) + @@ -11091,19 +10347,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t + + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.1/policy/modules/users/logadm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.2/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/logadm.fc 2007-06-27 10:17:08.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/logadm.fc 2007-07-03 13:08:20.000000000 -0400 
@@ -0,0 +1 @@ +# No logadm file contexts. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.1/policy/modules/users/logadm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.2/policy/modules/users/logadm.if --- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/logadm.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/logadm.if 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1 @@ +## Policy for logadm user -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.1/policy/modules/users/logadm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.2/policy/modules/users/logadm.te --- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/logadm.te 2007-06-27 15:31:15.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/logadm.te 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,33 @@ +policy_module(logadm,1.0.0) + @@ -11138,24 +10394,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm. + +files_dontaudit_search_all_dirs(logadm_t) +files_dontaudit_getattr_all_files(logadm_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.0.1/policy/modules/users/metadata.xml +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.0.2/policy/modules/users/metadata.xml --- nsaserefpolicy/policy/modules/users/metadata.xml 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/metadata.xml 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/metadata.xml 2007-07-03 13:08:20.000000000 -0400 
@@ -0,0 +1 @@ +Policy modules for users -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.0.1/policy/modules/users/webadm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.0.2/policy/modules/users/webadm.fc --- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/webadm.fc 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/webadm.fc 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1 @@ +# No webadm file contexts. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.0.1/policy/modules/users/webadm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.0.2/policy/modules/users/webadm.if --- nsaserefpolicy/policy/modules/users/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/webadm.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/webadm.if 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1 @@ +## Policy for webadm user -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.1/policy/modules/users/webadm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.2/policy/modules/users/webadm.te --- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.1/policy/modules/users/webadm.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/users/webadm.te 2007-07-03 13:08:20.000000000 -0400 @@ -0,0 +1,70 @@ +policy_module(webadm,1.0.0) + 
@@ -11227,9 +10483,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +allow webadm_t gadmin_t:dir getattr; + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.1/policy/support/obj_perm_sets.spt +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.2/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.1/policy/support/obj_perm_sets.spt 2007-06-21 13:44:03.000000000 -0400 ++++ serefpolicy-3.0.2/policy/support/obj_perm_sets.spt 2007-07-03 13:08:20.000000000 -0400 @@ -201,7 +201,7 @@ define(`search_dir_perms',`{ getattr search }') define(`list_dir_perms',`{ getattr search read lock ioctl }') @@ -11262,9 +10518,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_association', `{ sendto recvfrom setcontext polmatch } ') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.1/policy/users +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.2/policy/users --- nsaserefpolicy/policy/users 2007-05-31 15:36:08.000000000 -0400 -+++ serefpolicy-3.0.1/policy/users 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/policy/users 2007-07-03 13:08:20.000000000 -0400 @@ -16,7 +16,7 @@ # and a user process should never be assigned the system user # identity. 
@@ -11283,9 +10539,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.1/Rules.modular +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.2/Rules.modular --- nsaserefpolicy/Rules.modular 2007-05-25 09:09:10.000000000 -0400 -+++ serefpolicy-3.0.1/Rules.modular 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/Rules.modular 2007-07-03 13:08:20.000000000 -0400 @@ -167,7 +167,7 @@ # these have to run individually because order matters: $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true @@ -11312,9 +10568,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3. # Clean the sources # clean: -diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.0.1/support/Makefile.devel +diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.0.2/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2007-05-29 13:53:56.000000000 -0400 -+++ serefpolicy-3.0.1/support/Makefile.devel 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.2/support/Makefile.devel 2007-07-03 13:08:20.000000000 -0400 @@ -24,7 +24,7 @@ XMLLINT := $(BINDIR)/xmllint diff --git a/selinux-policy.spec b/selinux-policy.spec index eb01761e..e0401e59 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -16,12 +16,12 @@
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.0.1
-Release: 6%{?dist}
+Version: 3.0.2
+Release: 1%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch: policy-20070525.patch
+patch: policy-20070703.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -293,6 +293,7 @@ SELinux Reference policy targeted base module.
 exit 0
 %triggerpostun targeted -- selinux-policy-targeted < 3.0.1
+setsebool -P use_nfs_home_dirs=1
 semanage login -m -s "system_u" __default__ 2> /dev/null
 semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 2> /dev/null
 restorecon -R /root 2> /dev/null
diff --git a/sources b/sources
index d4500e03..4cbcc28f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-15e7cf49d82f31ea9b50c3520399c22d serefpolicy-3.0.1.tgz
+7487348a6530067125f23316f43ff369 serefpolicy-3.0.2.tgz
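Review bot: `setsebool -P use_nfs_home_dirs=1` in the `%triggerpostun targeted -- selinux-policy-targeted < 3.0.1` scriptlet persistently enables the boolean on every targeted host upgrading from a pre-3.0.1 package, whether or not that host has NFS-mounted home directories, and nothing in the hunk records why that is the right default for all of them. Unlike the neighbouring `semanage` and `restorecon` lines it also has no `2> /dev/null`, so it will print errors in environments where no policy is loaded (chroot or image builds); for consistency write `setsebool -P use_nfs_home_dirs=1 2> /dev/null`. Because the trigger bound stays `< 3.0.1` while this spec's previous release was 3.0.1-6, hosts already on 3.0.1 will never run the new line — confirm that is intended rather than an oversight. The Version/Release bump arrives without a %changelog hunk anywhere in this diff, so the boolean change and the userdomain permission widening carried in the rebased patch are undocumented to users.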