- Fix munin log,

- Eliminate duplicate mozilla file context - fix wpa_supplicant spec
2007-12-31 21:06:02 +00:00 · 2007-12-31 21:06:02 +00:00 · e0c99a57ed
commit e0c99a57ed
parent 88ae3f5e0c
1 changed files with 311 additions and 96 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -3463,8 +3463,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc	2007-12-31 11:50:26.000000000 -0500
-@@ -127,6 +127,8 @@
+@@ -7,6 +7,7 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -58,6 +59,8 @@
 /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
 +/etc/NetworkManager/dispatcher.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +
 /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -127,6 +130,8 @@
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
@ -3473,7 +3490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 # /usr
 #
-@@ -147,7 +149,7 @@
+@@ -147,7 +152,7 @@
 /usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
@ -3482,7 +3499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -186,6 +188,8 @@
+@@ -186,6 +191,8 @@
 /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
@ -3504,16 +3521,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in	2007-12-31 07:12:10.000000000 -0500
-@@ -122,6 +122,7 @@
+@@ -122,6 +122,8 @@
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 +network_port(munin, tcp,4949,s0, udp,4949,s0)
 +network_port(mythtv, tcp,6543,s0, udp,6543,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
-@@ -133,6 +134,7 @@
+@@ -133,6 +135,7 @@
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(postfix_policyd, tcp,10031,s0)
@ -3523,7 +3541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 network_port(postgresql, tcp,5432,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc	2007-12-31 08:18:04.000000000 -0500
@@ -22,6 +22,7 @@
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
@ -3532,7 +3550,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hidraw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
-@@ -33,6 +34,7 @@
+@@ -29,10 +30,13 @@
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
 +/dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 +/dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@ -3702,8 +3726,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.5/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/devices.te	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.te	2007-12-31 08:18:37.000000000 -0500
-@@ -72,6 +72,13 @@
+@@ -66,12 +66,25 @@
 dev_node(framebuf_device_t)
 #
 +# Type for /dev/ipmi/0
 +#
 +type ipmi_device_t;
 +dev_node(ipmi_device_t)
 +
 +#
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
 dev_node(kmsg_device_t)
 #
@ -4137,7 +4173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.5/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/apache.if	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/apache.if	2007-12-31 07:06:22.000000000 -0500
@@ -18,10 +18,6 @@
 		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
@ -4166,7 +4202,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
 	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -120,10 +115,6 @@
+@@ -96,6 +91,7 @@
 	dev_read_urand(httpd_$1_script_t)
 	corecmd_exec_all_executables(httpd_$1_script_t)
 +	application_exec_all(httpd_$1_script_t)
 	files_exec_etc_files(httpd_$1_script_t)
 	files_read_etc_files(httpd_$1_script_t)
@@ -120,10 +116,6 @@
 		can_exec(httpd_$1_script_t, httpdcontent)
 	')
@ -4177,7 +4221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
 		manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
-@@ -177,48 +168,6 @@
+@@ -177,48 +169,6 @@
 		miscfiles_read_localization(httpd_$1_script_t)
 	')
@ -4226,7 +4270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	optional_policy(`
 		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
 			nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -267,7 +216,7 @@
+@@ -267,7 +217,7 @@
 		attribute httpdcontent, httpd_script_domains;
 		attribute httpd_exec_scripts, httpd_user_content_type;
 		attribute httpd_user_script_exec_type;
@ -4235,7 +4279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	')
 	apache_content_template($1)
-@@ -331,6 +280,7 @@
+@@ -331,6 +281,7 @@
 		userdom_search_user_home_dirs($1,httpd_t)
 		userdom_search_user_home_dirs($1,httpd_suexec_t)
 		userdom_search_user_home_dirs($1,httpd_$1_script_t)
@ -4243,7 +4287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	')
 ')
-@@ -352,12 +302,11 @@
+@@ -352,12 +303,11 @@
 #
 template(`apache_read_user_scripts',`
 	gen_require(`
@ -4260,7 +4304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -378,12 +327,12 @@
+@@ -378,12 +328,12 @@
 #
 template(`apache_read_user_content',`
 	gen_require(`
@ -4277,7 +4321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -761,6 +710,7 @@
+@@ -761,6 +711,7 @@
 	')
 	allow $1 httpd_modules_t:dir list_dir_perms;
@ -4285,7 +4329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -845,6 +795,10 @@
+@@ -845,6 +796,10 @@
 		type httpd_sys_script_t;
 	')
@ -4296,7 +4340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
 		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
 	')
-@@ -932,7 +886,7 @@
+@@ -932,7 +887,7 @@
 		type httpd_squirrelmail_t;
 	')
@ -4305,7 +4349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -1088,3 +1042,138 @@
+@@ -1088,3 +1043,138 @@
 	allow httpd_t $1:process signal;
 ')
@ -4446,7 +4490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/apache.te	2007-12-26 19:16:19.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/apache.te	2007-12-31 07:20:25.000000000 -0500
@@ -20,6 +20,8 @@
 # Declarations
 #
@ -4559,7 +4603,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
-@@ -335,6 +370,10 @@
+@@ -315,9 +350,7 @@
 auth_use_nsswitch(httpd_t)
 -# execute perl
 -corecmd_exec_bin(httpd_t)
 -corecmd_exec_shell(httpd_t)
 +application_exec_all(httpd_t)
 domain_use_interactive_fds(httpd_t)
@@ -335,6 +368,10 @@
 files_read_var_lib_symlinks(httpd_t)
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -4570,7 +4625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 libs_use_ld_so(httpd_t)
 libs_use_shared_libs(httpd_t)
-@@ -351,8 +390,6 @@
+@@ -351,8 +388,6 @@
 userdom_use_unpriv_users_fds(httpd_t)
@ -4579,7 +4634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`allow_httpd_anon_write',`
 	miscfiles_manage_public_files(httpd_t)
 ') 
-@@ -361,6 +398,13 @@
+@@ -361,6 +396,13 @@
 #
 # We need optionals to be able to be within booleans to make this work
 #
@ -4593,7 +4648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`allow_httpd_mod_auth_pam',`
 	auth_domtrans_chk_passwd(httpd_t)
 ')
-@@ -370,6 +414,16 @@
+@@ -370,6 +412,16 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
@ -4610,7 +4665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_can_network_relay',`
 	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,6 +436,10 @@
+@@ -382,6 +434,10 @@
 	corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
@ -4621,7 +4676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -399,11 +457,21 @@
+@@ -399,11 +455,21 @@
 	fs_read_nfs_symlinks(httpd_t)
 ')
@ -4643,18 +4698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -425,6 +493,10 @@
+@@ -437,8 +503,14 @@
 ')
 optional_policy(`
 +	application_exec(httpd_t)
 +')
 +
 +optional_policy(`
 	calamaris_read_www_files(httpd_t)
 ')
@@ -437,8 +509,14 @@
 ')
 optional_policy(`
@ -4670,7 +4714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -450,19 +528,13 @@
+@@ -450,19 +522,13 @@
 ')
 optional_policy(`
@ -4691,7 +4735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -472,13 +544,14 @@
+@@ -472,13 +538,14 @@
 	openca_kill(httpd_t)
 ')
@ -4710,7 +4754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -486,6 +559,7 @@
+@@ -486,6 +553,7 @@
 ')
 optional_policy(`
@ -4718,7 +4762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -521,6 +595,13 @@
+@@ -521,6 +589,13 @@
 	userdom_use_sysadm_terms(httpd_helper_t)
 ')
@ -4732,7 +4776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache PHP script local policy
-@@ -550,18 +631,24 @@
+@@ -550,18 +625,24 @@
 fs_search_auto_mountpoints(httpd_php_t)
@ -4760,7 +4804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -585,6 +672,8 @@
+@@ -585,6 +666,8 @@
 manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -4769,7 +4813,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -638,6 +727,12 @@
+@@ -593,9 +676,7 @@
 fs_search_auto_mountpoints(httpd_suexec_t)
 -# for shell scripts
 -corecmd_exec_bin(httpd_suexec_t)
 -corecmd_exec_shell(httpd_suexec_t)
 +application_exec_all(httpd_suexec_t)
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
@@ -638,6 +719,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
@ -4782,7 +4837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +750,6 @@
+@@ -655,10 +742,6 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -4793,7 +4848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache system script local policy
-@@ -668,7 +759,8 @@
+@@ -668,7 +751,8 @@
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -4803,7 +4858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +774,44 @@
+@@ -682,15 +766,44 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -4815,15 +4870,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 +tunable_policy(`httpd_use_nfs', `
 	fs_read_nfs_files(httpd_sys_script_t)
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
 +	fs_read_nfs_files(httpd_sys_script_t)
 +	fs_read_nfs_symlinks(httpd_sys_script_t)
 +')
 +
 +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
 	fs_read_nfs_files(httpd_sys_script_t)
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 +	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 +	allow httpd_sys_script_t self:udp_socket create_socket_perms;
@ -4849,7 +4904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +821,15 @@
+@@ -700,9 +813,15 @@
 	clamav_domtrans_clamscan(httpd_sys_script_t)
 ')
@ -4865,7 +4920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -724,3 +851,46 @@
+@@ -724,3 +843,46 @@
 logging_search_logs(httpd_rotatelogs_t)
 miscfiles_read_localization(httpd_rotatelogs_t)
@ -5091,7 +5146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.5/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-09-05 15:24:44.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/clamav.fc	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/clamav.fc	2007-12-31 09:05:46.000000000 -0500
@@ -5,16 +5,18 @@
 /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
@ -5108,9 +5163,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 -/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
 -/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
-+/var/log/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
-+/var/log/clamav.milter		--	gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamd.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.5/policy/modules/services/clamav.te
@ -5208,7 +5263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/cron.if	2007-12-20 14:02:12.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cron.if	2007-12-31 15:17:06.000000000 -0500
@@ -35,38 +35,23 @@
 #
 template(`cron_per_role_template',`
@ -7254,9 +7309,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 ')
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if
 --- nsaserefpolicy/policy/modules/services/lpd.if	2007-11-16 13:45:14.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/lpd.if	2007-12-31 06:40:50.000000000 -0500
@@ -336,10 +336,8 @@
 	')
 	files_search_spool($1)
 +	manage_dirs_pattern($1,print_spool_t,print_spool_t)
 	manage_files_pattern($1,print_spool_t,print_spool_t)
 -
 -	# cjp: cups wants setattr
 -	allow $1 print_spool_t:dir setattr;
 ')
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mailman.if	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailman.if	2007-12-31 14:18:13.000000000 -0500
@@ -211,6 +211,7 @@
 		type mailman_data_t;
 	')
@ -7265,6 +7335,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 	manage_files_pattern($1,mailman_data_t,mailman_data_t)
 ')
@@ -252,6 +253,25 @@
 #######################################
 ## <summary>
 +##	read
 +##	mailman logs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`mailman_read_log',`
 +	gen_require(`
 +		type mailman_log_t;
 +	')
 +
 +	read_files_pattern($1,mailman_log_t,mailman_log_t)
 +')
 +
 +#######################################
 +## <summary>
 ##	Append to mailman logs.
 ## </summary>
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/mailman.te	2007-12-19 05:38:09.000000000 -0500
@ -7644,18 +7740,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2007-04-30 10:41:38.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/munin.fc	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/munin.fc	2007-12-31 05:55:51.000000000 -0500
-@@ -8,4 +8,5 @@
+@@ -6,6 +6,7 @@
 /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
 /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
- /var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
+-/var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
 +/var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
 -/var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
 +/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
 +/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/munin.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/munin.te	2007-12-31 06:15:20.000000000 -0500
-@@ -37,6 +37,9 @@
+@@ -37,14 +37,18 @@
 allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
 allow munin_t self:tcp_socket create_stream_socket_perms;
 allow munin_t self:udp_socket create_socket_perms;
@ -7665,7 +7764,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
 allow munin_t munin_etc_t:dir list_dir_perms;
 read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
-@@ -73,6 +76,7 @@
+ read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t)
 files_search_etc(munin_t)
 -allow munin_t munin_log_t:file manage_file_perms;
 -logging_log_filetrans(munin_t,munin_log_t,file)
 +manage_dirs_pattern(munin_t, munin_log_t,  munin_log_t)
 +manage_files_pattern(munin_t, munin_log_t,  munin_log_t)
 +logging_log_filetrans(munin_t,munin_log_t,{ file dir })
 manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
 manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
@@ -73,6 +77,7 @@
 corenet_udp_sendrecv_all_nodes(munin_t)
 corenet_tcp_sendrecv_all_ports(munin_t)
 corenet_udp_sendrecv_all_ports(munin_t)
@ -7673,7 +7783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
 dev_read_sysfs(munin_t)
 dev_read_urand(munin_t)
-@@ -91,6 +95,7 @@
+@@ -91,6 +96,7 @@
 logging_send_syslog_msg(munin_t)
@ -7681,7 +7791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
 miscfiles_read_localization(munin_t)
 sysnet_read_config(munin_t)
-@@ -118,3 +123,9 @@
+@@ -118,3 +124,9 @@
 optional_policy(`
 	udev_read_db(munin_t)
 ')
@ -7785,8 +7895,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mysql.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.te	2007-12-31 06:59:38.000000000 -0500
-@@ -25,6 +25,9 @@
+@@ -1,4 +1,3 @@
 -
 policy_module(mysql,1.6.0)
 ########################################
@@ -25,6 +24,9 @@
 type mysqld_tmp_t;
 files_tmp_file(mysqld_tmp_t)
@ -7796,6 +7911,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
 ########################################
 #
 # Local policy
@@ -33,7 +35,8 @@
 allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 -allow mysqld_t self:fifo_file { read write };
 +allow mysqld_t self:fifo_file rw_fifo_file_perms;
 +allow mysqld_t self:shm create_shm_file_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/nagios.fc	2007-12-19 05:38:09.000000000 -0500
@ -7948,12 +8073,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc	2007-12-31 08:48:44.000000000 -0500
-@@ -5,3 +5,4 @@
+@@ -1,7 +1,9 @@
 /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/log/wpa_supplicant\.log	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/var/log/wpa_supplicant\.log.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-12 10:15:45.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if	2007-12-31 08:55:52.000000000 -0500
@@ -97,3 +97,21 @@
 	allow $1 NetworkManager_t:dbus send_msg;
 	allow NetworkManager_t $1:dbus send_msg;
 ')
 +
 +########################################
 +## <summary>
 +##	Send a generic signal to NetworkManager
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`networkmanager_signal',`
 +	gen_require(`
 +		type NetworkManager_t;
 +	')
 +
 +	allow $1 NetworkManager_t:process signal;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te	2007-12-26 20:31:36.000000000 -0500
@ -8687,7 +8842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postfix.te	2007-12-31 14:18:01.000000000 -0500
@@ -6,6 +6,14 @@
 # Declarations
 #
@ -8758,15 +8913,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
-@@ -285,6 +306,7 @@
+@@ -285,6 +306,8 @@
 optional_policy(`
 #	for postalias
 	mailman_manage_data_files(postfix_local_t)
 +	mailman_append_log(postfix_local_t)
 +	mailman_read_log(postfix_local_t)
 ')
 optional_policy(`
-@@ -295,8 +317,7 @@
+@@ -295,8 +318,7 @@
 #
 # Postfix map local policy
 #
@ -8776,7 +8932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -346,8 +367,6 @@
+@@ -346,8 +368,6 @@
 miscfiles_read_localization(postfix_map_t)
@ -8785,7 +8941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 tunable_policy(`read_default_t',`
 	files_list_default(postfix_map_t)
 	files_read_default_files(postfix_map_t)
-@@ -360,6 +379,11 @@
+@@ -360,6 +380,11 @@
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
@ -8797,7 +8953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ########################################
 #
 # Postfix pickup local policy
-@@ -392,6 +416,10 @@
+@@ -392,6 +417,10 @@
 rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
 optional_policy(`
@ -8808,7 +8964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	procmail_domtrans(postfix_pipe_t)
 ')
-@@ -400,6 +428,10 @@
+@@ -400,6 +429,10 @@
 ')
 optional_policy(`
@ -8819,7 +8975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	uucp_domtrans_uux(postfix_pipe_t)
 ')
-@@ -532,9 +564,6 @@
+@@ -532,9 +565,6 @@
 # connect to master process
 stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
@ -8829,7 +8985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 # for prng_exch
 allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
 allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +586,10 @@
+@@ -557,6 +587,10 @@
 	sasl_connect(postfix_smtpd_t)
 ')
@ -8957,8 +9113,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
 # Fix pptp sockets
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/ppp.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ppp.te	2007-12-31 08:54:45.000000000 -0500
-@@ -194,6 +194,8 @@
+@@ -162,6 +162,8 @@
 init_read_utmp(pppd_t)
 init_dontaudit_write_utmp(pppd_t)
 +auth_use_nsswitch(pppd_t)
 +
 libs_use_ld_so(pppd_t)
 libs_use_shared_libs(pppd_t)
@@ -194,14 +196,12 @@
 optional_policy(`
 	mta_send_mail(pppd_t)
@ -8967,6 +9132,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
 ')
 optional_policy(`
 -	nis_use_ypbind(pppd_t)
 -')
 -
 -optional_policy(`
 -	nscd_socket_use(pppd_t)
 +	NetworkManager_signal(pppd_t)
 ')
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if
 --- nsaserefpolicy/policy/modules/services/procmail.if	2007-01-02 12:57:43.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/procmail.if	2007-12-31 15:18:55.000000000 -0500
@@ -39,3 +39,22 @@
 	corecmd_search_bin($1)
 	can_exec($1,procmail_exec_t)
 ')
 +
 +########################################
 +## <summary>
 +##	Read procmail tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`procmail_read_tmp_files',`
 +	gen_require(`
 +		type procmail_tmp_t;
 +	')
 +
 +	files_search_tmp($1)
 +	allow $1 procmail_tmp_t:file read_file_perms;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/procmail.te	2007-12-26 18:16:54.000000000 -0500
@ -9025,7 +9225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te	2007-12-27 11:44:33.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te	2007-12-31 15:19:10.000000000 -0500
@@ -28,6 +28,9 @@
 type pyzor_var_lib_t;
 files_type(pyzor_var_lib_t)
@ -9045,6 +9245,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
 userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
 optional_policy(`
@@ -76,8 +81,13 @@
 ')
 optional_policy(`
 +	procmail_read_tmp_files(pyzor_t)
 +')
 +
 +optional_policy(`
 	spamassassin_signal_spamd(pyzor_t)
 	spamassassin_read_spamd_tmp_files(pyzor_t)
 +	userdom_read_user_home_content_files(unconfined,pyzor_t)
 ')
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2007-10-12 08:56:07.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/razor.fc	2007-12-19 05:38:09.000000000 -0500
@ -9991,8 +10205,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te	2007-12-31 15:42:11.000000000 -0500
-@@ -20,12 +20,16 @@
+@@ -20,13 +20,17 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
@ -10006,10 +10220,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 #
 -allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
 -allow sendmail_t self:process signal;
 +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
- allow sendmail_t self:process signal;
+allow sendmail_t self:process { signal signull };
 allow sendmail_t self:fifo_file rw_fifo_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -47,6 +51,7 @@
 kernel_read_kernel_sysctls(sendmail_t)
 # for piping mail to a command
@ -12611,7 +12827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc	2007-12-27 11:40:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc	2007-12-31 05:53:37.000000000 -0500
@@ -183,6 +183,7 @@
 /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -12620,17 +12836,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -242,7 +243,8 @@
+@@ -242,7 +243,7 @@
 # Flash plugin, Macromedia
 HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -292,6 +294,8 @@
+@@ -292,6 +293,8 @@
 #
 # /var
 #
@ -12639,7 +12854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
 /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
-@@ -304,3 +308,4 @@
+@@ -304,3 +307,4 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)